Connect with us

CyberSecurity

Critical Citrix NetScaler Vulnerability CVE-2026-3055 Actively Exploited

Published

on

Active Exploitation of Critical Citrix NetScaler Flaw Confirmed

Security researchers have confirmed that a critical vulnerability in Citrix’s networking products is now being actively exploited by attackers. The flaw, tracked as CVE-2026-3055, carries a severe CVSS v4.0 score of 9.3. It affects NetScaler Application Delivery Controller (ADC) and NetScaler Gateway, formerly known as Citrix ADC and Citrix Gateway.

These enterprise-grade solutions are widely used to manage, optimize, and secure application delivery and remote access. The vulnerability stems from insufficient input validation, leading to a memory overread condition. An unauthenticated remote attacker can exploit this to leak potentially sensitive information directly from the appliance’s memory.

Which Systems Are at Risk?

Not every NetScaler deployment is vulnerable. The critical detail is that CVE-2026-3055 only impacts systems explicitly configured as a SAML Identity Provider (SAML IDP). Default or standard configurations are not affected. This significantly narrows the attack surface but leaves exposed systems in immediate danger.

The vulnerability affects specific versions of the software. If you’re running NetScaler ADC or NetScaler Gateway version 14.1 before 14.1-66.59, or version 13.1 before 13.1-62.23, you are vulnerable. The FIPS and NDcPP builds before 13.1-37.262 are also affected. Only customer-managed on-premises instances are at risk; Citrix-managed cloud instances are safe.

How can you check your configuration? Administrators need to inspect their NetScaler configuration for the string “add authentication samlIdPProfile .*.” Finding this command indicates a vulnerable SAML IDP setup.

Honeypots Capture Exploitation in Real-Time

The transition from patch release to active exploitation was alarmingly fast. Security firm watchTowr published an analysis of CVE-2026-3055 on March 28. By then, their honeypot network had already recorded exploitation attempts from known threat actor IPs starting March 27.

“This is an impressive turnaround time for a vulnerability Citrix identified internally,” the watchTowr researchers noted, highlighting the speed of modern threat actors.

In parallel, researchers at Defused observed authentication method fingerprinting activity against NetScaler systems on the same day. They confirmed this reconnaissance was “directly linked” to CVE-2026-3055. Since the flaw only impacts IDP-configured instances, this fingerprinting is likely attackers scanning for precisely those targets.

By March 29, Defused confirmed active exploitation. Attackers are sending crafted SAMLRequest payloads to the `/saml/login` endpoint, deliberately omitting the `AssertionConsumerServiceURL` field. This triggers the appliance to leak memory contents via the `NSC_TASS` cookie. Defused’s honeypot data shows exploitation using the same payload structure as the public proof-of-concept.

Urgent Patching and Mitigation Steps

The message from Citrix, security researchers, and agencies like the UK’s NCSC is unanimous: patch immediately. The updated, secure versions are NetScaler ADC and Gateway 14.1-66.59 and later, 13.1-62.23 and later for the 13.1 branch, and 13.1-FIPS/NDcPP 13.1.37.262 and later.

For organizations that cannot reboot systems immediately, Citrix offers a temporary mitigation through a feature called ‘Global Deny List,’ introduced in version 14.1.60.52. This provides an “instant-on” patch that doesn’t require a reboot. Signatures to mitigate CVE-2026-3055 are available, but only for firmware builds 14.1-60.52 and 14.1-60.57.

Citrix emphasizes that the Global Deny List is a stopgap measure. “We recommend that you adopt fully patched builds,” the company stated. “The Global Deny List feature is meant to be a method of quickly protecting your NetScaler so that upgrades can be done during a scheduled outage window.” The window for scheduled upgrades is closing fast as attackers continue to scan for and exploit this critical flaw.

CyberSecurity

New Cavern C2 Framework: Iran-Linked Hackers Zero In on Israeli IT and Government

Published

on

Cavern C2 framework

Iran’s MOIS-Linked Group Deploys Cavern in Targeted Campaign

An Iranian hacking group tied to the country’s Ministry of Intelligence and Security (MOIS) has been using a previously unknown modular command-and-control (C2) framework called Cavern — also spelled Cav3rn — to zero in on Israeli organizations. The campaign, uncovered by Check Point Research, has primarily hit IT providers and government entities.

This isn’t just another phishing spree. The attackers built a custom C2 infrastructure from scratch. Cavern is modular, meaning it can swap out components on the fly. That flexibility makes it harder to detect and even harder to shut down.

Who’s Behind Cavern? A MOIS-Linked Threat Cluster

Check Point attributes the activity to a threat cluster that operates under the umbrella of Iran’s MOIS. The group has a track record of targeting Israeli infrastructure, but Cavern marks a technical leap. It’s not a repurposed tool — it’s purpose-built for this campaign.

The victims are telling. IT providers serve as a gateway: compromise one, and you can pivot to dozens of downstream clients. Government targets offer intelligence value. The attackers seem to want both access and information.

How Cavern Works: A Modular C2 Framework

Cavern’s architecture is what makes it stand out. It uses encrypted channels to communicate with implants on compromised machines. Each module handles a specific task — data exfiltration, keylogging, lateral movement — and can be updated or replaced without redeploying the entire framework.

  • Encrypted C2 traffic: Blends in with normal HTTPS, making network monitoring harder.
  • Modular plugins: Attackers can add or remove capabilities on demand.
  • Persistence mechanisms: Uses scheduled tasks and registry modifications to survive reboots.

This modularity is a double-edged sword for defenders. It means the framework can evolve quickly. But it also means that if you spot one module, you might not see the full picture — and the next variant could look completely different.

Targeting Israeli IT Providers and Government Agencies

The campaign’s focus on IT providers is strategic. By compromising a managed service provider (MSP), the attackers can piggyback on legitimate remote administration tools to reach the provider’s clients. That’s a supply chain attack, and it’s been a rising trend globally.

Government targets are more direct: espionage. The attackers appear interested in policy documents, internal communications, and possibly diplomatic cables. Check Point’s report notes that the group used spear-phishing emails with malicious attachments to gain initial access.

Once inside, they deployed Cavern’s implants to establish a persistent foothold. From there, they could move laterally, escalate privileges, and siphon data without triggering alarms.

Technical Deep Dive: Cavern’s Implant and C2 Communication

The Cavern implant is a lightweight executable that phones home to the C2 server using HTTP or HTTPS. The C2 server itself is a PHP-based panel that manages infected machines and issues commands.

Key technical details from Check Point’s analysis:

  • Implant size: Roughly 50 KB, compiled with MinGW to avoid common antivirus signatures.
  • C2 panel: Hosted on compromised servers in multiple countries, including the Netherlands and the United States.
  • Command set: Includes file upload/download, shell execution, process listing, and screen capture.

The attackers also used a custom DNS tunneling technique to bypass network filters. That’s a newer trick: encode data in DNS queries, which many organizations don’t monitor closely.

What This Means for Israeli Cybersecurity Teams

For defenders in Israel — and anyone watching Iranian cyber activity — Cavern is a wake-up call. It shows that MOIS-linked groups are investing in bespoke tooling, not just repurposing existing malware.

Check Point recommends organizations review their network logs for unusual DNS traffic, especially to domains registered in Iran or with suspicious patterns. They also advise tightening access controls on IT provider connections — because a breach at the provider could cascade to your own network.

The Cavern C2 framework is still active, and Check Point expects more variants. This isn’t a one-off operation. It’s a sustained campaign with a dedicated toolkit.

Israeli IT providers and government agencies should treat any unusual system behavior — even seemingly minor anomalies — as a potential sign of Cavern activity. The framework’s modular nature means the attackers can adapt faster than traditional signature-based defenses can keep up.

Continue Reading

CyberSecurity

From teen hacker to Iron Dome researcher, Ocean raises $28M to fight AI phishing with agentic email security

Published

on

From teen hacker to Iron Dome researcher, Ocean raises $28M to fight AI phishing with agentic email security

Shay Shwartz knows the dark side of email phishing all too well. As a teenager, he earned money as a hacker, but after getting caught at age 16, he turned his talents toward defense. Now, his startup Ocean has emerged from stealth with $28 million in funding to combat AI phishing using an agentic email security platform.

The round was led by Lightspeed Venture Partners, with participation from Picture Capital and Cerca Partners. High-profile angel investors also joined, including Wiz co-founder and CEO Assaf Rappaport, as well as Yevgeny Dibrov and Nadir Izrael, the co-founders of Armis, which recently sold to ServiceNow for $7.75 billion.

How Ocean tackles AI phishing with agentic security

Ocean claims its AI can thoroughly analyze the context of every incoming email to detect fraud and impersonation attempts. Unlike traditional vendors like Proofpoint and Mimecast, which focus on standard phishing detection, Ocean uses a small language model tailored to quickly analyze emails, understand the sender’s intent, and evaluate it against the user’s specific organizational context.

“This is like having a guard in every door,” Shwartz said. “This is how we make the inbox a safe place with high hygiene.” The platform is already reviewing billions of emails each month for customers, including Kayak, Kingston Technology, and Headspace.

Why AI phishing requires a new defensive approach

In the past, only highly sophisticated hackers could pull off spear-phishing due to the sheer amount of time, research, and manual labor needed to launch targeted attacks. However, AI has changed the game entirely. “AI just made the entire process automatic, so the scale is much, much bigger now,” Shwartz told TechCrunch. “I can instruct LLM to go and understand exactly who you are, harvest large amount of public information, and create those phishing attacks very targeted against you.”

This means that AI-powered attacks are now accessible to a wider range of malicious actors, increasing the urgency for advanced defense mechanisms. Ocean’s approach is designed to counter this new threat landscape by providing real-time, context-aware protection.

From hacker to Iron Dome researcher: Shwartz’s journey

Shwartz’s path to founding Ocean is unconventional. After his teenage hacking stint, he spent about a decade in top-tier cybersecurity roles, leading major projects for Israel’s elite defense and intelligence units, including work connected to the Iron Dome project. He later joined Axis, the startup later acquired by HPE. All along, he had been itching to launch his own startup, and two years ago, he finally took the plunge.

This background gives Ocean a unique edge in understanding both offensive and defensive cybersecurity strategies. The company’s agentic email security platform is built to fight AI phishing attacks that traditional systems might miss.

How Ocean’s technology works

Ocean built a small language model specifically designed for email analysis. It examines the full context of each message, including the sender’s history, the content, and the recipient’s role within the organization. This allows it to detect subtle impersonation attempts and fraudulent requests that might otherwise slip through.

As a result, Ocean provides a layer of protection that adapts to each user’s unique communication patterns. Learn more about email security best practices to complement your defense strategy.

The future of email security in an AI-driven world

With the rise of generative AI, the threat landscape is evolving rapidly. Ocean’s funding round signals strong investor confidence in agentic security solutions. The startup plans to use the capital to expand its team and enhance its AI capabilities.

For businesses, the message is clear: traditional phishing defenses are no longer enough. Explore our guide to AI threat detection to understand how to stay ahead of emerging risks. Ocean’s approach represents a significant step forward in the fight against AI phishing.

In conclusion, Ocean’s emergence from stealth with $28 million marks a pivotal moment in cybersecurity. By combining the founder’s unique background with cutting-edge AI, the platform offers a promising solution to one of the most pressing digital threats today. Contact us to learn how Ocean can protect your organization.

Continue Reading

CyberSecurity

Chinese National Extradited to US Over Silk Typhoon Cyber Campaign Targeting COVID-19 Research

Published

on

Chinese National Extradited to US Over Silk Typhoon Cyber Campaign Targeting COVID-19 Research

A suspected state-linked hacker accused of targeting US organizations and stealing sensitive COVID-19 research has been extradited to the United States, the Department of Justice (DoJ) announced. This Silk Typhoon extradition marks a significant step in holding state-sponsored cybercriminals accountable.

Xu Zewei, a 34-year-old Chinese national, appeared in a federal court in Houston over the weekend. He faces charges tied to a series of intrusions carried out between February 2020 and June 2021, some of which were allegedly tied to the Silk Typhoon campaign.

Prosecutors alleged that Xu acted under the direction of China’s intelligence apparatus, specifically the Ministry of State Security (MSS) and its Shanghai branch. Court filings claimed he worked through a private contractor, Shanghai Powerock Network Co. Ltd., part of a broader ecosystem used to obscure government involvement in cyber operations.

Alleged Role in COVID-19 and Exchange Server Attacks

Investigators said early attacks focused on US universities and researchers working on pandemic-related science. In February 2020, Xu allegedly accessed a university network in Texas and was later instructed to extract emails belonging to virologists and immunologists studying COVID-19.

Authorities claimed that stolen mailbox data included sensitive research into vaccines, treatments, and testing. These activities were reportedly coordinated with MSS officers, who directed targeting priorities and received updates on compromised systems.

Later that year, the operation allegedly expanded into the exploitation of Microsoft Exchange Server vulnerabilities. These attacks formed part of the wider Silk Typhoon (also tracked as Hafnium) campaign, publicly disclosed by the tech giant in March 2021, which impacted thousands of organizations globally.

Impact on Global Organizations

The Silk Typhoon campaign affected more than 12,700 US organizations, according to the FBI. Attackers deployed web shells on compromised servers, allowing persistent remote access and data exfiltration. Even after patches were released, hundreds of systems remained exposed.

Among the alleged victims were another US university and a global law firm. Prosecutors state that attackers searched stolen emails for references to US policymakers and agencies, using terms linked to Chinese intelligence interests.

Building on this, the indictment outlines how contractor networks operated with both state direction and financial incentives. According to US officials, these groups often targeted a broad set of systems, gathering data that could be sold onward if not directly useful to government intelligence.

Legal Proceedings and Charges

Xu faces multiple charges, including wire fraud, unauthorized access to protected computers and identity theft. Each carries a potential prison sentence of 2 to 20 years. His co-defendant, Zhang Yu, remains at large.

US authorities emphasized that the allegations remain unproven, and the defendant is presumed innocent unless found guilty in court. For more on cybersecurity threats, see our guide on understanding modern cyber threat landscapes.

This extradition underscores the ongoing battle against state-sponsored cyber espionage. As a result, organizations are urged to strengthen defenses against similar attacks. Learn how to protect your network with our cybersecurity best practices checklist.

Broader Implications for Cybersecurity

This case highlights the persistent threat of state-linked hackers targeting critical research and infrastructure. The Silk Typhoon campaign serves as a stark reminder of the vulnerabilities in global digital systems.

Furthermore, the involvement of private contractors like Shanghai Powerock Network Co. Ltd. reveals how state actors use commercial entities to mask their activities. This tactic complicates attribution and enforcement efforts.

In conclusion, the Silk Typhoon extradition represents a pivotal moment in international cybercrime prosecution. It sends a clear message that such activities will not go unpunished, even when conducted under state direction.

Continue Reading

Trending