Security-Plus on it-learn.io | IT, Networking & Cybersecurity Blog

CVE-2026-32202 & CVE-2026-41940: Vulnerability Analysis for CySA+ Study

Mon, 18 May 2026 00:00:00 +0000

You are studying for CompTIA CySA+ (CS0-003). Two CVEs land the same week. One scores 4.3 — the yellow squiggle scanners tuck below the fold. The other scores a perfect 10.0. Which do you patch first?

If your answer was “the 10.0,” you got the trick question wrong. The right answer is both, immediately — and the reason is exactly what CySA+ tests on vulnerability prioritization.

CVE-2026-32202 (Windows Shell zero-day, CVSS 4.3) and CVE-2026-41940 (cPanel auth bypass, CVSS 10.0) are both being actively exploited and both on CISA’s KEV catalog. The CVSS gap between them is the best teaching moment in 2026 for why CVSS alone is not a prioritization framework — it is one input into one.

MFA Fatigue Attacks: Palo Alto Unit 42 Analysis for Security+ Students

Thu, 14 May 2026 00:00:00 +0000

CompTIA Security+ candidates memorize a clean definition for multi-factor authentication: something you know, something you have, something you are. The exam rewards you for that mnemonic. The threat landscape does not. Vendor research from Palo Alto Networks Unit 42, Mandiant, and Microsoft’s MSTIC has published the same finding for four years running — when modern intrusion sets bypass MFA, they almost never break the cryptography. They wait for a tired human to tap Approve.

Cortex XDR vs CrowdStrike Falcon: EDR Comparison for Security+ Students

Mon, 11 May 2026 00:00:00 +0000

“Cortex XDR vs CrowdStrike for Security+” hides a real anxiety: SY0-701 tests EDR as a category, but study guides and hiring managers speak in vendor terms. You need both. Pass the test, then walk into the interview without freezing when someone says “we run Falcon.”

This post compares Palo Alto Cortex XDR and CrowdStrike Falcon through the lens of Security+ SY0-701. It maps each platform to the generic EDR concepts CompTIA tests, calls out where vendor reality diverges from the textbook, and gives a hands-on plan on a student budget. For the broader category view including Sentinel, start with XDR Explained: Cortex vs CrowdStrike vs Sentinel.

QR Code Phishing (Quishing): That Parking Meter QR Code Is Malicious

Tue, 05 May 2026 00:00:00 +0000

Parking meters in major US cities started growing tumors in 2022 — small stickers placed over legitimate QR codes, redirecting drivers from official city payment systems to credential-harvesting sites. The FBI issued a formal warning. Cities pulled and replaced signage. The stickers cost a few cents to print.

QR code phishing — commonly called quishing — exploits the same gap that has always made social engineering effective: the gap between what something appears to be and what it actually is. A QR code on a parking meter, a conference badge, a restaurant table, or an email attachment carries no visible indication of its destination. And for much of the history of enterprise email security, it carried that destination invisibly past every security scanner.

Prompt Injection: Making AI Do Things It Shouldn't

Mon, 04 May 2026 00:00:00 +0000

Prompt injection is the SQL injection of the AI era. Just as early web developers discovered that user-supplied strings could be interpreted as SQL commands rather than data, AI application developers are learning the same lesson about natural language: text that flows through an LLM is both content and potential instruction. An attacker who can influence any text the model processes can influence what the model does.

The stakes have risen significantly as LLMs have gained agency — the ability to call APIs, browse the web, send emails, execute code, and interact with databases. An injection that simply made a chatbot say something embarrassing has evolved into an injection that exfiltrates data, sends unauthorized emails, or compromises entire multi-agent pipelines.

Deepfake CEO Fraud: The Voice on the Call Isn't Your Boss

Sun, 03 May 2026 00:00:00 +0000

In 2019, attackers called the CEO of a UK-based energy company’s subsidiary. The voice on the line was indistinguishable from the parent company’s chief executive — same accent, same cadence, same conversational rhythm. The caller instructed the subsidiary CEO to urgently wire €220,000 (approximately $243,000 USD) to a Hungarian supplier. The wire went through. The voice was AI-generated.

That incident was the opening shot of a category of fraud that has since grown into a multi-billion-dollar threat. In 2024, a Hong Kong finance employee watched a video call in which his CFO and several colleagues authorized a $25.6 million transfer. Every person on that call was a deepfake. The money was gone within hours.

Incident Response Plan Template for Mid-Market Customers

Sun, 03 May 2026 00:00:00 +0000

Ask a mid-market customer if they have an incident response plan. The most common answers:

“Our MSP handles that.” (The MSP handles monitoring and alerting. They do not make business decisions about whether to shut down production systems, who to notify, or when to call the lawyers.)

“We have cyber insurance.” (The insurance policy pays for breach costs after the fact. It does not tell the IT team what to do at 2 AM when ransomware is encrypting file shares and the CEO is calling.)

OAuth Token Theft: Hijacking App Permissions Without Stealing Passwords

Sat, 25 Apr 2026 00:00:00 +0000

OAuth 2.0 was designed to solve a real problem: letting users grant third-party applications access to their resources without sharing their passwords. The protocol achieved that goal. What it did not anticipate was an ecosystem of high-value cloud identities, loosely governed application registrations, and attackers sophisticated enough to abuse the delegation model itself.

OAuth token theft attacks do not require stealing a password. They do not require bypassing MFA. In the most effective variants, they use Microsoft’s own legitimate infrastructure — devicelogin.microsoft.com — as the delivery mechanism. Understanding these attacks means understanding how OAuth’s trust model can be inverted.

MFA Fatigue Attack: Spamming Push Notifications Until You Tap Approve

Fri, 24 Apr 2026 00:00:00 +0000

The promise of multi-factor authentication was simple: even if an attacker steals your password, they cannot log in without the second factor. That promise holds true against automated credential stuffing. It does not hold against an attacker willing to pick up the phone.

MFA fatigue attacks — also called push bombing or push spam — expose the human layer of authentication. They require no malware, no CVE, no zero-day. They require only valid credentials, a flood of push notifications, and occasionally a phone call. In 2022, this technique helped breach Uber, Cisco, and multiple other major organizations. Understanding how it works, how to detect it, and how to eliminate the attack surface is essential for any organization relying on push-based MFA.

Golden Ticket Attack: Forging Kerberos Tickets for Unlimited Domain Access

Thu, 23 Apr 2026 00:00:00 +0000

When an attacker extracts the KRBTGT hash from a domain controller, they no longer need credentials, valid accounts, or even network connectivity to the KDC to authenticate as anyone in the domain. They become, effectively, the Kerberos authority itself — able to issue their own tickets for any identity, any group membership, any privilege level, with expiration dates set a decade into the future. This is the Golden Ticket attack.

The SE's Guide to Reading a Vulnerability Report (CVE, CVSS, EPSS)

Sun, 19 Apr 2026 00:00:00 +0000

A customer sends you a Slack message at 3 PM: “Hey, have you seen CVE-2025-XXXXX? Our CISO is asking how your product handles this. Can you get back to me by EOD?”

You have two options. Option one: panic, forward it to your product team, and wait hours for a response while the customer’s confidence in you erodes. Option two: open the CVE, read it in 5 minutes, assess the severity, understand the attack vector, and respond with a clear, informed answer within 30 minutes.

Security Compliance Cheat Sheet: NIST, ISO 27001, SOC 2, PCI DSS

Fri, 17 Apr 2026 00:00:00 +0000

Compliance comes up in nearly every enterprise security deal. The customer mentions SOC 2 during discovery. The RFP has a section on NIST controls. The CISO asks how your product helps with ISO 27001 certification. The IT director needs to know about PCI DSS 4.0 changes.

If you fumble these conversations, you look like a product specialist who does not understand the business context. If you handle them confidently, you position yourself as someone who understands not just the technology but the regulatory landscape that drives purchasing decisions.

MITRE ATT&CK Framework Explained for Solutions Engineers

Wed, 15 Apr 2026 00:00:00 +0000

Every Solutions Engineer in cybersecurity will eventually sit across from a customer who says some version of this: “Show me how your product maps to MITRE ATT&CK.” If you stumble through that moment, you lose credibility that is very hard to recover. If you handle it well, you establish yourself as someone who understands threats at a technical level — not just someone who demos software.

MITRE ATT&CK has become the de facto common language between security vendors, SOC teams, threat intelligence analysts, and CISOs. It is referenced in RFPs, used in product evaluations, and increasingly required in compliance frameworks. As an SE, you do not need to be a threat researcher. But you do need to understand the framework well enough to use it naturally in conversation, map it to your product’s capabilities, and leverage it to differentiate your solution.

Pass-the-Hash: Why Stealing the Hash Is Just as Good as the Password

Wed, 15 Apr 2026 00:00:00 +0000

Pass-the-Hash (PtH) is arguably the most impactful lateral movement technique in Windows environments. It transforms credential access into network-wide compromise without requiring password cracking, works across the majority of enterprise network services, and has been a core component of some of the most destructive cyberattacks in history — including NotPetya and numerous ransomware operations. Understanding its mechanics is prerequisite to understanding why so many Active Directory environments remain vulnerable despite years of awareness.

Kerberoasting: Stealing Service Tickets to Crack Passwords Offline

Tue, 14 Apr 2026 00:00:00 +0000

Kerberoasting is one of the most reliably effective Active Directory attack techniques: it requires only a valid domain account, leaves minimal traces by default, and yields plaintext service account credentials that often grant significant lateral movement opportunities. Unlike many AD attacks that require elevated access or interaction with specific hosts, Kerberoasting operates entirely through legitimate Kerberos protocol requests — making it difficult to block without fundamentally changing service account management practices.

Watering Hole Attack: They Compromised the Site You Trust

Sun, 12 Apr 2026 00:00:00 +0000

In February 2017, a bank’s security team was reviewing the JavaScript source code of the Polish Financial Supervision Authority (KNF) website — a regulatory portal they were required to visit regularly. They found something unexpected: an obfuscated JavaScript snippet that fingerprinted visitors and selectively redirected specific targets to an exploit kit landing page. The KNF site had been compromised. The attackers had turned the regulator’s own website into a trap for the banks it supervised.

Living Off the Land — How Attackers Abuse LOLBins

Sat, 11 Apr 2026 00:00:00 +0000

APT29 did not land on the DNC network in 2016 with custom malware. They used PowerShell Empire — a framework built entirely on Windows’ own scripting infrastructure. The SolarWinds attackers deployed TEARDROP as a memory-only shellcode loader. Carbanak stole over $1 billion from banks using WMI and PowerShell for persistence and lateral movement without dropping traditional malware files.

Living Off the Land (LOTL) attacks are not a niche technique — they are the standard operating procedure for every serious threat actor today. The fundamental insight is elegant: if you use the operating system’s own tools, your activity looks like the operating system’s own activity.

Ransomware Double Extortion: They Encrypt AND Leak Your Data

Fri, 10 Apr 2026 00:00:00 +0000

In 2019, the Maze ransomware group made a strategic decision that fundamentally changed the ransomware threat landscape: they began stealing data before encrypting it. The extortion pressure was no longer just “pay or lose your files” — it became “pay or we publish your files.” When Maze shut down in late 2020, they shared their playbook with other groups. By 2021, double extortion was the industry standard.

This post covers the full technical attack chain — from initial access through exfiltration and encryption — along with the detection logic and defensive controls that create meaningful friction for modern ransomware groups.

Ransomware, Viruses & Malware Types: Detection Guide

Fri, 10 Apr 2026 00:00:00 +0000

🎙️ This post was auto-generated from the Tech Updates podcast episode.

Malware isn’t just “a virus”—it’s a complex ecosystem of weaponized tools designed to damage systems, steal data, and extort organizations. In 2026, the threat landscape is more sophisticated than ever, and understanding the differences between malware types is critical for any IT or security professional. This episode breaks down the major malware categories, how they infiltrate networks, and the multi-layered defense strategies you need to protect your infrastructure.

SolarWinds Supply Chain Attack — SUNBURST Explained

Wed, 08 Apr 2026 00:00:00 +0000

The SolarWinds attack did not begin with a phishing email or a misconfigured firewall. It began inside a build server — the trusted forge where software is assembled, signed, and shipped. By the time 18,000 organizations downloaded the trojaned Orion update in the spring of 2020, the attackers had already achieved something far more dangerous than a network intrusion: they had weaponized trust itself.

This post dissects the technical mechanics of the SUNBURST backdoor, the Orion build pipeline compromise, DGA-based command and control, and the detection and defense strategies that can limit your exposure to this class of attack.

Security+ SY0-701: Study Ideas and Home Labs You Can Build Today

Tue, 17 Mar 2026 00:00:00 +0000

The CompTIA Security+ SY0-701 is one of the most recognized entry-level cybersecurity certifications in the industry. It’s DoD-approved, vendor-neutral, and validates that you understand the real threats and controls organizations deal with every day.

But here’s the truth: you can’t just read your way to passing Security+. The exam tests scenario-based thinking. You need to understand why a control exists, how an attack works, and what you would do when something goes wrong.