An authentication bypass in PAN-OS GlobalProtect is being exploited in the wild, a $1.9 billion phishing-as-a-service operation is off the internet, and France’s purpose-built secure messaging platform was not secure enough. Three stories, three different threat categories — all of them relevant to conversations happening in enterprise security today.

In the News

PAN-OS GlobalProtect Auth Bypass Now Exploited — CVE-2026-0257

Palo Alto Networks confirmed active exploitation of CVE-2026-0257, a CVSS 7.8 authentication bypass affecting GlobalProtect portal and gateway components in PAN-OS. The vulnerability allows an unauthenticated attacker to bypass authentication on internet-facing GlobalProtect instances — no valid credentials required, no user interaction needed.

The attack surface is straightforward: any organization exposing a GlobalProtect portal or gateway to the internet is potentially affected. This is the default deployment model for remote access VPN, which means the exposed population is large. Palo Alto has released patches across affected PAN-OS branches. CISA has not yet added CVE-2026-0257 to the Known Exploited Vulnerabilities catalog as of this writing, but given confirmed in-the-wild exploitation, addition is expected imminently.

The operational priority here is asset inventory. Organizations running mixed-vendor firewall estates often have GlobalProtect instances in lab, DR, or branch environments that do not receive patches on the same cadence as production. Every internet-facing instance needs to be identified and patched — or access-restricted to known IP ranges as a compensating control. Authentication bypass vulnerabilities in VPN concentrators are consistently among the highest-value initial access vectors for ransomware operators and APT groups alike (MITRE ATT&CK: T1190 — Exploit Public-Facing Application).

What defenders should do: Apply the PAN-OS patch immediately. If patching requires a maintenance window, restrict GlobalProtect portal and gateway access to known IP ranges via access control lists. Audit authentication logs for anomalous successful authentications from unexpected source IPs over the past 30 days.

FBI and Google Dismantle $1.9B Outsider Enterprise PhaaS Operation

A joint FBI-Google operation dismantled Outsider Enterprise, a Chinese-operated phishing-as-a-service platform that had scaled to approximately 9,000 active phishing sites. The operation resulted in the theft of nearly 4 million credit cards and an estimated $1.9 billion in total losses across victims worldwide.

The scale is the story. Outsider Enterprise operated with the operational maturity of a legitimate SaaS platform — automated domain provisioning, templated phishing kits that mimicked enterprise login portals, and a customer base of downstream criminal operators who rented access. This is not a single threat actor running a handful of phishing pages. This is industrialized credential theft with a subscription model.

For defenders, the takeaway is layered. DNS-layer filtering catches rotating phishing domains when email security misses the initial delivery. Phishing-resistant MFA — specifically FIDO2 — ensures that stolen credentials cannot be replayed even when a user does enter them on a convincing phishing page. The combination of email security, DNS filtering, and phishing-resistant MFA addresses the PhaaS kill chain at three distinct points (MITRE ATT&CK: T1566.002 — Phishing: Spearphishing Link).

What defenders should do: Verify that email security and DNS-layer filtering are both active and logging. Audit MFA enrollment — any accounts still using SMS or push-only MFA are vulnerable to the credential replay attacks that PhaaS platforms enable. Prioritize phishing-resistant MFA for privileged accounts.
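Why FIDO2 defeats the credential-replay model that PhaaS kits depend on comes down to origin binding: the browser only releases a credential to a page whose host matches the registered rpId, and the authenticator's signature covers a clientData record that names the origin it saw. The following added example (not from the original brief, and not any vendor's implementation) models both checks with the standard library; the rpId, origins and credential secret are constructed, and an HMAC over the same fields stands in for the ES256 signature a real authenticator would produce.

```python
import hashlib
import hmac
import json
import os

# Simplified model of a WebAuthn/FIDO2 assertion. A real authenticator signs with a per-credential
# private key; here an HMAC with a per-credential secret stands in for that signature.
RP_ID = "login.example.com"                                 # hypothetical relying party
GOOD_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login.example.com.phish-page.test"  # constructed look-alike domain
CRED_SECRET = os.urandom(32)                                # stand-in for the credential private key


def rp_id_hash(rp_id):
    return hashlib.sha256(rp_id.encode()).hexdigest()


def browser_allows(page_origin, rp_id):
    """The browser exposes a credential only when the page host is the rpId or a subdomain of it."""
    host = page_origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]
    return host == rp_id or host.endswith("." + rp_id)


def make_assertion(secret, rp_id, page_origin, challenge, enforce_browser_check=True):
    """Authenticator output: signature over rpIdHash || sha256(clientDataJSON).
    clientDataJSON records the origin the browser saw, so the origin is bound into the signature."""
    if enforce_browser_check and not browser_allows(page_origin, rp_id):
        return None
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}, sort_keys=True)
    to_sign = rp_id_hash(rp_id) + hashlib.sha256(client_data.encode()).hexdigest()
    sig = hmac.new(secret, to_sign.encode(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "rp_id_hash": rp_id_hash(rp_id), "signature": sig}


def rp_verify(secret, rp_id, expected_origin, expected_challenge, assertion):
    """Relying-party checks: type, challenge freshness, origin, rpIdHash, then the signature."""
    if assertion is None:
        return False
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False
    if cd.get("origin") != expected_origin:
        return False
    if assertion["rp_id_hash"] != rp_id_hash(rp_id):
        return False
    to_sign = assertion["rp_id_hash"] + hashlib.sha256(assertion["client_data"].encode()).hexdigest()
    expected = hmac.new(secret, to_sign.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["signature"])


def fresh_challenge():
    return hashlib.sha256(os.urandom(32)).hexdigest()


def legitimate_login():
    ch = fresh_challenge()
    return rp_verify(CRED_SECRET, RP_ID, GOOD_ORIGIN, ch,
                     make_assertion(CRED_SECRET, RP_ID, GOOD_ORIGIN, ch))


def phished_login():
    """The user is on the look-alike page, which relays the real RP's challenge. The browser
    refuses to use the credential for a foreign origin, so there is no assertion to relay back."""
    ch = fresh_challenge()
    return rp_verify(CRED_SECRET, RP_ID, GOOD_ORIGIN, ch,
                     make_assertion(CRED_SECRET, RP_ID, PHISH_ORIGIN, ch))


def phished_login_browser_check_skipped():
    """Even if the client-side check were skipped, the signed clientData still names the
    phishing origin, so the RP rejects the assertion."""
    ch = fresh_challenge()
    a = make_assertion(CRED_SECRET, RP_ID, PHISH_ORIGIN, ch, enforce_browser_check=False)
    return rp_verify(CRED_SECRET, RP_ID, GOOD_ORIGIN, ch, a)


if __name__ == "__main__":
    print("legitimate FIDO2 login:", legitimate_login())
    print("phished FIDO2 login:", phished_login())
    print("phished FIDO2, browser check skipped:", phished_login_browser_check_skipped())
```

The contrast with SMS or push MFA is that a one-time code or an approval tap carries no origin at all: the identity provider sees only the code, so a code typed into a convincing page verifies just as well when relayed. That is the gap the enrollment audit above is meant to close for privileged accounts.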

France’s Sovereign Messaging Platform Tchap Breached — 73K Accounts

A threat actor operating under the handle “Misere” breached Tchap, the French government’s purpose-built secure messaging platform, compromising 73,000 accounts. Tchap was designed specifically to replace consumer messaging apps like WhatsApp and Telegram across French government agencies — it was the sovereign, security-first alternative.

The exact attack vector has not been publicly confirmed. The threat actor claims full data exfiltration including message content, metadata, and account details. Whether the access was achieved through a vulnerability in the platform itself, compromised credentials, or a supply chain vector remains under investigation.

The lesson is architectural, not vendor-specific. A platform built for security is still an application running on infrastructure, authenticated by an identity provider, and connected to a network. If the architecture does not assume breach — if there is no segmentation between the messaging tier and the identity tier, no anomaly detection on bulk data exfiltration, no zero-trust enforcement on API access — then the “secure” label is a marketing claim, not an operational reality (MITRE ATT&CK: T1530 — Data from Cloud Storage, T1078 — Valid Accounts).

What defenders should do: Treat this as a prompt to audit segmentation around sensitive communication platforms in your own environment. Verify that bulk data export from collaboration tools triggers alerts. Review API access controls and ensure service accounts accessing messaging infrastructure enforce MFA.

Threat Pulse

ShinyHunters targets the Council of Europe. The group claims to have exfiltrated 297GB of data including employee PII from the Council of Europe. ShinyHunters continues to target international government and enterprise institutions — the same group was linked to Oracle PeopleSoft zero-day exploitation last week.

Ghostwriter pivots to personal email. The Belarus-linked APT group is now targeting personal Gmail accounts of Polish government officials and their families. The tactical shift bypasses enterprise email defenses entirely — a reminder that BYOD and personal device policies are part of the threat surface for high-value targets.

WordPress supply chain injection via CDN scripts. Attackers tampered with JavaScript CDN files for PushEngage, OptinMonster, and TrustPulse WordPress plugins, injecting code that auto-creates admin accounts when legitimate administrators log in. Another supply chain injection vector targeting the trust boundary between sites and third-party scripts.

Conti developer pleads guilty. Ukrainian national Oleksii Lytvynenko pleaded guilty in US federal court to developing the Conti ransomware loader — the first successful prosecution of a Conti gang developer. Conti’s infrastructure remains fractured across multiple successor groups including Royal and Black Basta.

Defender Action Items

  • CVE-2026-0257: Patch all PAN-OS GlobalProtect instances immediately. Restrict portal/gateway access to known IP ranges if patching requires a maintenance window. Audit authentication logs for the past 30 days.
  • PhaaS defense: Confirm DNS-layer filtering is active. Audit MFA enrollment — replace SMS and push-only MFA with phishing-resistant FIDO2 for privileged accounts.
  • Communication platform security: Review segmentation and API access controls around sensitive messaging and collaboration platforms. Ensure bulk data export triggers DLP alerts.
  • WordPress supply chain: Organizations hosting WordPress sites should verify integrity of PushEngage, OptinMonster, and TrustPulse plugin scripts against known-good hashes. Review admin account creation logs.

Detection Queries

Monitor for anomalous authentication bypass attempts on PAN-OS GlobalProtect. Look for successful authentication events that carry no user at all (a success without a corresponding credential submission), clustered by source and destination per hour:

index=pan_logs sourcetype=pan:globalprotect eventtype=auth
| where status="success" AND (isnull(user) OR user="")
| bin _time span=1h
| stats count by src_ip, dest_ip, _time
| where count > 3
| sort -count
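For teams without Splunk, or to sanity-check what the query above returns, the same two checks (repeated user-less successes per source and hour, and the 30-day audit of successes from unexpected source IPs) can be run directly over exported logs. This is an added example, not code from the brief or from Palo Alto Networks: the log format and field names are a constructed simplification, not the PAN-OS schema, and the allowlisted ranges are placeholders.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed, simplified GlobalProtect-style authentication records (field names are hypothetical,
# not the PAN-OS log schema). The first four model repeated user-less successes from one source.
SAMPLE_LOGS = [
    "2026-03-02T01:00:12Z src=203.0.113.7 dst=198.51.100.10 status=success user=",
    "2026-03-02T01:05:40Z src=203.0.113.7 dst=198.51.100.10 status=success user=",
    "2026-03-02T01:09:03Z src=203.0.113.7 dst=198.51.100.10 status=success user=",
    "2026-03-02T01:20:55Z src=203.0.113.7 dst=198.51.100.10 status=success user=",
    "2026-03-02T02:15:00Z src=192.0.2.44 dst=198.51.100.10 status=success user=jdoe",
    "2026-03-02T02:16:10Z src=192.0.2.44 dst=198.51.100.10 status=failure user=jdoe",
    "2026-03-02T03:00:00Z src=203.0.113.9 dst=198.51.100.10 status=success user=asmith",
    "this line is malformed and is skipped",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) status=(?P<status>\S+) user=(?P<user>\S*)$")


def parse(line):
    """Return a dict for a well-formed record, or None so malformed lines are skipped."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def empty_user_successes(lines, threshold=3):
    """Same logic as the SPL query: successful auths with no user, bucketed per hour
    per (src, dst); return only buckets whose count exceeds the threshold."""
    buckets = Counter()
    for line in lines:
        ev = parse(line)
        if ev is None or ev["status"] != "success" or ev["user"] != "":
            continue
        hour = ev["ts"].strftime("%Y-%m-%dT%H:00Z")
        buckets[(ev["src"], ev["dst"], hour)] += 1
    return {k: n for k, n in buckets.items() if n > threshold}


def successes_outside_allowlist(lines, allowed_cidrs):
    """The 30-day audit: successful auths whose source IP is in none of the expected ranges.
    Returns {src_ip: sorted list of users seen from it}."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    hits = defaultdict(set)
    for line in lines:
        ev = parse(line)
        if ev is None or ev["status"] != "success":
            continue
        ip = ipaddress.ip_address(ev["src"])
        if not any(ip in n for n in nets):
            hits[ev["src"]].add(ev["user"] or "<empty>")
    return {ip: sorted(users) for ip, users in hits.items()}


if __name__ == "__main__":
    for (src, dst, hour), n in empty_user_successes(SAMPLE_LOGS).items():
        print(f"{hour} {src} -> {dst}: {n} user-less successes")
    # "192.0.2.0/24" is a placeholder for the organization's known ranges
    for src, users in successes_outside_allowlist(SAMPLE_LOGS, ["192.0.2.0/24"]).items():
        print(f"unexpected source {src}: users {users}")
```

Bucketing by hour matters: grouping on the raw timestamp would put every event in its own bucket and the count threshold would never trigger. The allowlist check is the compensating control from the action items turned into a retrospective audit, so a source outside the expected ranges that authenticated successfully is worth a look even when its user field is populated.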

For WordPress supply chain detection — monitor for unexpected admin account creation:

index=web sourcetype=wordpress
| search action="user_register" role="administrator"
| where NOT match(src_ip, "^10\.|^172\.(1[6-9]|2[0-9]|3[01])\.|^192\.168\.")
| table _time, src_ip, user, blog_url
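Two complementary checks for the WordPress plugin case, as an added example that is not part of the brief and not code from any of the named plugins. The query above excludes RFC 1918 source addresses, but the injected code described in Threat Pulse creates the account from the legitimate administrator's own logged-in browser, so the creation event carries the admin's IP and session. The detection below therefore correlates within the session instead: an administrator-role registration with no preceding request for the user-new.php form, or one landing seconds after login, is flagged. The second function is the known-good hash comparison from the action items. The log format, paths and script contents are constructed.

```python
import hashlib
from collections import defaultdict
from datetime import datetime

# Constructed activity-log lines in a hypothetical key=value format (not a real plugin's log).
# Session s1 models the auto-created admin; s2 is a normal admin creating a user by hand.
SAMPLE_WP_LOG = [
    "2026-03-02T09:00:01Z session=s1 user=admin ip=203.0.113.5 action=login",
    "2026-03-02T09:00:02Z session=s1 user=admin ip=203.0.113.5 action=user_register new_user=wp_support role=administrator",
    "2026-03-02T11:30:00Z session=s2 user=admin ip=203.0.113.5 action=login",
    "2026-03-02T11:31:10Z session=s2 user=admin ip=203.0.113.5 action=page_view path=/wp-admin/user-new.php",
    "2026-03-02T11:32:00Z session=s2 user=admin ip=203.0.113.5 action=user_register new_user=newhire role=administrator",
    "2026-03-02T12:00:00Z session=s3 user=editor ip=198.51.100.20 action=user_register new_user=x role=subscriber",
]


def parse_kv(line):
    ts, rest = line.split(" ", 1)
    ev = dict(kv.split("=", 1) for kv in rest.split(" "))
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev


def suspicious_admin_creations(lines, max_seconds_after_login=30):
    """Flag administrator-role registrations whose session never requested the user-new.php form,
    or that happened within max_seconds_after_login of that session's login."""
    by_session = defaultdict(list)
    for line in lines:
        ev = parse_kv(line)
        by_session[ev["session"]].append(ev)
    flagged = []
    for evs in by_session.values():
        login_ts = next((e["ts"] for e in evs if e["action"] == "login"), None)
        opened_form = any(e["action"] == "page_view" and e.get("path") == "/wp-admin/user-new.php"
                          for e in evs)
        for e in evs:
            if e["action"] != "user_register" or e.get("role") != "administrator":
                continue
            reasons = []
            if not opened_form:
                reasons.append("no user-new.php request in session")
            if login_ts is not None and (e["ts"] - login_ts).total_seconds() <= max_seconds_after_login:
                reasons.append("created right after login")
            if reasons:
                flagged.append((e["new_user"], e["user"], e["ip"], reasons))
    return flagged


# Constructed stand-ins for vendor-published script contents; paths are hypothetical.
KNOWN_GOOD = {
    "plugins/pushengage/app.js": b"window.PushEngage = {init: function () {}};\n",
    "plugins/optinmonster/omapi.js": b"window.OMAPI = {};\n",
}
# In practice the manifest holds hashes recorded from a trusted copy of each release.
MANIFEST = {path: hashlib.sha256(data).hexdigest() for path, data in KNOWN_GOOD.items()}


def verify_script_hashes(files, manifest):
    """files: {path: bytes on disk}; manifest: {path: expected sha256 hex}.
    Returns (path, reason) for every mismatch, missing file, or file absent from the manifest."""
    findings = []
    for path, expected in manifest.items():
        data = files.get(path)
        if data is None:
            findings.append((path, "missing"))
        elif hashlib.sha256(data).hexdigest() != expected:
            findings.append((path, "hash mismatch"))
    for path in files:
        if path not in manifest:
            findings.append((path, "not in manifest"))
    return findings


def tampered_copy():
    """Constructed on-disk state where one script has extra bytes appended."""
    files = dict(KNOWN_GOOD)
    files["plugins/pushengage/app.js"] += b"/* appended bytes */\n"
    return files


if __name__ == "__main__":
    for new_user, by, ip, reasons in suspicious_admin_creations(SAMPLE_WP_LOG):
        print(f"admin '{new_user}' created by {by} from {ip}: {', '.join(reasons)}")
    for path, reason in verify_script_hashes(tampered_copy(), MANIFEST):
        print(f"{path}: {reason}")
```

The hash check is only as good as the manifest: record hashes from a copy fetched over a trusted channel at install or update time, store them outside the web root, and re-run the comparison on a schedule, since the CDN-side tampering described above leaves the plugin version number unchanged.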
