A high-severity code injection flaw in Apache ActiveMQ is being exploited in the wild with over 6,400 internet-facing instances confirmed exposed. Separately, CISA added eight actively exploited vulnerabilities to the KEV catalog — including three Cisco SD-WAN bugs embedded in enterprise branch architectures — and Cisco Talos published detailed research on macOS living-off-the-land techniques that bypass the majority of enterprise EDR deployments.
In the News
ActiveMQ Code Injection Under Active Attack, 6,400 Servers Exposed
Apache ActiveMQ, the open-source message broker widely deployed for enterprise application integration, event-driven architectures, and microservice communication, has a high-severity code injection vulnerability under active exploitation. Over 6,400 instances are directly reachable from the internet, and attackers are leveraging the flaw for unauthenticated remote code execution.
ActiveMQ sits in a particularly dangerous position in enterprise environments. It is middleware — connecting applications, processing queues, and brokering events between business-critical systems. A compromised ActiveMQ instance gives an attacker a pivot point with network visibility into every system that sends or receives messages through the broker. That is often the application tier, the database tier, and the identity tier simultaneously.
The core issue is a code injection flaw that allows an unauthenticated remote attacker to execute arbitrary code on the server. No credentials required, no user interaction needed. The attack surface is the message broker’s network listener itself — if it is reachable, it is exploitable.
The 6,400 exposed instance count comes from internet-facing scans, but the real exposure is likely larger. Many organizations run ActiveMQ internally without realizing instances are reachable through misconfigured load balancers, cloud security groups, or VPN split-tunnel configurations.
What defenders should do: Patch immediately. If patching requires a maintenance window, restrict network access to ActiveMQ listeners to only the systems that need to communicate with the broker — no internet exposure, no broad subnet access. Run an asset discovery scan specifically targeting ActiveMQ’s default ports (61616, 8161) to identify instances the security team may not know about.
Source: BleepingComputer
CISA Adds 8 Exploited Flaws to KEV, Including 3 Cisco SD-WAN Bugs
CISA added eight vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog, all with confirmed active exploitation. The additions include three Cisco SD-WAN flaws, the PaperCut authentication bypass (CVE-2023-27351, CVSS 8.2), and vulnerabilities in Kentico CMS and Zimbra Collaboration.
The Cisco SD-WAN entries are particularly significant for enterprise environments. SD-WAN is the backbone of modern branch office connectivity — routing, security policy enforcement, and WAN optimization in a single platform. Active exploitation of three Cisco SD-WAN flaws means attackers are targeting the network fabric itself, not just the endpoints behind it. A compromised SD-WAN edge device gives an attacker control over traffic routing, the ability to intercept unencrypted traffic, and a foothold that most EDR solutions cannot see because it sits below the OS layer.
Federal agencies face remediation deadlines in April and May 2026 under Binding Operational Directive 22-01. Private organizations are not bound by BOD 22-01, but the KEV catalog is the closest thing the U.S. government publishes to a “you will be breached if you do not patch this” list. Every entry has confirmed exploitation — this is not theoretical risk.
The PaperCut improper authentication vulnerability (CVE-2023-27351) is also worth flagging for any organization running PaperCut print management. Print servers are frequently overlooked in patch cycles because they are perceived as low-value targets, but they often run with elevated privileges and sit on management VLANs with broad network reach.
What defenders should do: Cross-reference the eight new KEV entries against your asset inventory. Prioritize Cisco SD-WAN devices for immediate patching or compensating controls (ACLs restricting management plane access). For PaperCut, verify whether your deployment is exposed and patch or isolate. Treat KEV additions as the highest priority in your vulnerability management queue regardless of CVSS score — active exploitation trumps severity math.
Source: SecurityWeek
Cisco Talos Documents macOS Living-off-the-Land Techniques as Enterprise Adoption Hits 45%
Cisco Talos published research titled “Bad Apples” documenting how attackers weaponize native macOS primitives for lateral movement and execution in enterprise environments. The techniques include abuse of Remote Apple Events (RAS), metadata staging via extended file attributes (xattr), and protocol pivots that bypass endpoint detection and response (EDR) tools overwhelmingly tuned for Windows-centric living-off-the-land binaries (LOLBins).
Enterprise macOS adoption has reached approximately 45%, but the detection engineering gap is stark. On Windows, the security industry has spent two decades building detection for LOLBin abuse — PowerShell, WMI, MSHTA, certutil, rundll32. On macOS, the equivalent native primitives — osascript, Remote Apple Events, AppleScript, the open command, xattr metadata staging — have a fraction of the detection rule coverage in commercial EDR products.
The Talos research specifically documents:
- Remote Apple Events (RAS) abuse: An attacker on a compromised Mac can send Apple Events to other Macs on the network, triggering script execution remotely. This is analogous to WMI lateral movement on Windows, but most macOS EDR agents do not generate telemetry for inbound Apple Events.
- Extended attribute (xattr) staging: Payloads stored in file metadata rather than file content bypass most file-scanning controls. The payload is invisible in Finder and most security tools — it exists only in the resource fork or custom xattr namespace.
- Protocol pivots: Using native macOS network protocols (Bonjour/mDNS, AirDrop’s AWDL) to move laterally in ways that do not generate the TCP/445 or WinRM traffic that network detection tools watch for.
The operational implication is straightforward: if your organization has macOS endpoints and your detection stack was built for Windows, you have a blind spot that is now documented and will be exploited.
What defenders should do: Audit your EDR’s macOS detection coverage — specifically test whether it alerts on osascript execution from non-user context, inbound Remote Apple Events, and xattr-based payload staging. Ensure your device management platform enforces disabling Remote Apple Events on all macOS endpoints where it is not required (System Settings → General → Sharing → Remote Apple Events). Build detection for the xattr command writing to non-standard attribute namespaces.
Source: Cisco Talos Blog
KelpDAO Loses $290 Million in Lazarus-Linked Heist via Cross-Chain Verification Compromise
KelpDAO, a decentralized finance (DeFi) platform, lost approximately $290 million in a heist linked to North Korea’s Lazarus Group. The attack chain was multi-layered: attackers first compromised a LayerZero Decentralized Verifier Node (DVN), then poisoned Remote Procedure Call (RPC) endpoints, and finally used a distributed denial-of-service (DDoS) attack to force the platform’s infrastructure to fail over to attacker-controlled nodes.
This is a supply chain attack against cross-chain infrastructure. LayerZero DVNs are the trust anchors for cross-chain message verification — compromising one allowed the attackers to validate fraudulent transactions. The RPC poisoning ensured that the platform’s own infrastructure returned attacker-controlled data when querying blockchain state. The DDoS was the trigger mechanism — by taking down legitimate infrastructure, the attackers forced automated failover to the poisoned endpoints they had prepared.
The Lazarus Group attribution comes from blockchain analysis and operational pattern matching with prior North Korean cryptocurrency operations. Lazarus has been linked to the $625 million Ronin Bridge theft (2022), the $100 million Harmony Horizon Bridge theft (2022), and the $1.5 billion Bybit theft (2025). The KelpDAO operation demonstrates continued evolution in their targeting of cross-chain bridge and verification infrastructure.
What defenders should do: For organizations operating in DeFi or blockchain infrastructure — audit DVN trust relationships, implement multi-source RPC verification (never rely on a single RPC endpoint), and stress-test failover paths to confirm they do not route to unvalidated infrastructure. For traditional enterprise security teams, this incident is a case study in how supply chain attacks against trust anchors (whether DVNs or certificate authorities or DNS resolvers) can cascade through dependent systems.
Source: BleepingComputer
Today’s Deep Dive — macOS Living-off-the-Land: The Detection Gap Enterprise Security Missed
Enterprise security architectures were built for Windows. That statement was accurate in 2010 and remains operationally true in 2026, even as macOS now accounts for 45% of enterprise endpoints. The Cisco Talos “Bad Apples” research published this week is not introducing new vulnerabilities — it is documenting the detection engineering debt that has accumulated as macOS adoption outpaced macOS security investment.
The Core Problem: Detection Parity Does Not Exist
On Windows, the industry has mature detection for living-off-the-land techniques. Sysmon provides deep process creation, network connection, and file creation telemetry. EDR agents hook into ETW (Event Tracing for Windows) and AMSI (Antimalware Scan Interface). Detection engineering teams have years of Sigma rules, YARA signatures, and behavioral analytics tuned for PowerShell, WMI, MSHTA, and certutil abuse.
On macOS, the equivalent telemetry sources are immature or absent. Apple’s Endpoint Security Framework (ESF) provides process and file event telemetry, but many commercial EDR agents do not consume the full ESF event set. The Unified Logging System (log stream) captures Apple Events, but most SIEM integrations do not ingest macOS unified logs at the granularity needed for detection. There is no macOS equivalent of AMSI for script content inspection.
The result: the same classes of LOTL techniques that would generate high-fidelity alerts on Windows — script execution from unexpected contexts, remote command execution via native protocols, payload staging in non-obvious file locations — generate no telemetry and no alerts on macOS.
MITRE ATT&CK Mapping
The Talos-documented techniques map to well-known ATT&CK entries, but with macOS-specific implementations that most detection stacks miss:
- T1059.002 (Command and Scripting Interpreter: AppleScript) — osascript execution for local and remote script execution
- T1021.005 (Remote Services: VNC) — abusing Apple Remote Events and Screen Sharing for lateral movement
- T1564.004 (Hide Artifacts: NTFS File Attributes) — the macOS equivalent uses extended attributes (xattr) and resource forks to stage payloads invisibly
- T1570 (Lateral Tool Transfer) — using AirDrop/AWDL or Bonjour-discovered services to move tools between endpoints without touching monitored network paths
What to Build Now
Detection teams should prioritize three high-value signals:
- osascript execution from non-interactive sessions — any osascript invocation where the parent process is not a user shell (Terminal, iTerm) or a known automation tool (Jamf, Munki) warrants investigation
- Inbound Remote Apple Events — monitor for eppc:// connections. In most enterprise environments, Remote Apple Events should be disabled entirely. Any observed connection is suspicious.
- xattr writes to non-standard namespaces — the com.apple.metadata and com.apple.quarantine namespaces are expected. Custom namespaces or com.apple.ResourceFork writes to executable files are staging indicators.
Detection Spotlight
Detect osascript execution from non-user-interactive parent processes on macOS endpoints. This query targets the scenario where a remote attacker or automated tool executes AppleScript outside of a normal user terminal session — a strong indicator of LOTL abuse documented in the Talos research. Tune the exclusion list for your environment’s legitimate automation tools (Jamf, Munki, management agents).
Splunk SPL (macOS process telemetry via CrowdStrike, SentinelOne, or osquery):
index=edr sourcetype=macos_process_creation process_name="osascript"
| eval parent=coalesce(parent_process_name, parent_image_file_name)
| where NOT match(parent, "(?i)(Terminal|iTerm|bash|zsh|fish|jamf|munki|mdmclient)")
| stats count by host, user, parent, process_command_line, _time
| sort -_time
This query returns any osascript invocation where the parent process is not a standard interactive shell or known management agent. In a well-configured environment, this should return near-zero results. Any hit warrants immediate investigation — particularly if the parent process is a web browser, a document editor, or a system daemon.
False positive rate: Low in environments where macOS automation is managed through known tools. Higher in development environments where custom scripts invoke osascript — add your development toolchain to the exclusion regex.
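The three signals from "What to Build Now" and the osascript logic of the Spotlight query, applied together to constructed sample telemetry as an added Python example (not Talos's code and not from the original page). The event field names and sample values are assumptions, as is the assumption that Remote Apple Events telemetry surfaces as inbound TCP 3031 (eppc) connections.

```python
import re

# Constructed sample events (assumed field names, not any vendor's schema), loosely
# modelled on osquery/ESF-derived process, network and file-attribute telemetry.
SAMPLE_EVENTS = [
    {"type": "process", "host": "mac-01", "name": "osascript", "parent": "Terminal",
     "cmdline": "osascript -e 'display dialog \"hi\"'"},
    {"type": "process", "host": "mac-02", "name": "osascript", "parent": "Safari",
     "cmdline": "osascript /tmp/stage.scpt"},
    {"type": "process", "host": "mac-03", "name": "osascript", "parent": "jamf",
     "cmdline": "osascript -e 'tell application \"Finder\" to empty trash'"},
    {"type": "network", "host": "mac-02", "direction": "inbound", "dst_port": 3031,
     "src": "10.0.0.55"},
    {"type": "xattr", "host": "mac-01", "path": "/Users/alice/Downloads/report.pdf",
     "attr": "com.apple.quarantine", "executable": False},
    {"type": "xattr", "host": "mac-02", "path": "/Users/bob/Library/Caches/helper",
     "attr": "com.example.stage", "executable": False},
    {"type": "xattr", "host": "mac-04", "path": "/usr/local/bin/tool",
     "attr": "com.apple.ResourceFork", "executable": True},
]

# Same exclusion list as the SPL query; add your own automation toolchain here.
ALLOWED_PARENTS = re.compile(r"(?i)^(Terminal|iTerm|bash|zsh|fish|jamf|munki|mdmclient)$")
EXPECTED_XATTR_PREFIXES = ("com.apple.metadata", "com.apple.quarantine")
EPPC_PORT = 3031  # Remote Apple Events (eppc) listens on TCP 3031 (assumed telemetry form)

def suspicious_osascript(ev):
    """Signal 1: osascript whose parent is not an interactive shell or a known agent."""
    return (ev["type"] == "process" and ev["name"] == "osascript"
            and not ALLOWED_PARENTS.match(ev.get("parent", "")))

def inbound_eppc(ev):
    """Signal 2: any inbound Remote Apple Events connection is suspicious."""
    return ev["type"] == "network" and ev["direction"] == "inbound" and ev["dst_port"] == EPPC_PORT

def xattr_staging(ev):
    """Signal 3: xattr write outside expected namespaces, or a ResourceFork on an executable."""
    if ev["type"] != "xattr":
        return False
    if ev["attr"] == "com.apple.ResourceFork":
        return ev["executable"]
    return not ev["attr"].startswith(EXPECTED_XATTR_PREFIXES)

RULES = [("osascript_nonuser_parent", suspicious_osascript),
         ("inbound_remote_apple_events", inbound_eppc), ("xattr_payload_staging", xattr_staging)]

def triage(events):
    """Return (rule, host, detail) for every event that trips a rule."""
    return [(rule, ev["host"], ev.get("cmdline") or ev.get("attr") or ev.get("src"))
            for ev in events for rule, check in RULES if check(ev)]
```

On the sample set, triage() flags only the Safari-spawned osascript, the inbound eppc connection, the custom-namespace xattr and the ResourceFork write to an executable; the Terminal and jamf parents and the quarantine attribute stay silent.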
References
- Actively exploited Apache ActiveMQ flaw impacts 6,400+ servers — BleepingComputer
- Organizations warned of exploited Cisco, Kentico, Zimbra vulnerabilities — SecurityWeek
- Bad Apples: Weaponizing native macOS primitives for movement and execution — Cisco Talos Blog
- KelpDAO suffers $290 million heist tied to Lazarus hackers — BleepingComputer
- Scattered Spider hacker pleads guilty to crypto theft charges — BleepingComputer
- Former ransomware negotiator pleads guilty to BlackCat attacks — BleepingComputer
- SGLang CVE-2026-5760 CVSS 9.8 enables remote code execution — The Hacker News
- CISA adds 8 exploited flaws to KEV — The Hacker News
- Google patches Antigravity IDE prompt injection flaw — The Hacker News
- Microsoft Teams increasingly abused in helpdesk impersonation attacks — BleepingComputer
- ZionSiphon malware targets Israeli water/desalination OT — The Hacker News
- Serial-to-IP converter flaws expose OT and healthcare systems — SecurityWeek