Maple Grove Report

Samsung’s free 32-inch Odyssey monitor deal is back in stock – how to qualify

Bree Lambert May 21, 2026

May 21, 2026

Attackers are bypassing MFA on SonicWall VPNs because something was wrong with previous fix

May 21, 2026

Cisco fixed maximum severity flaw CVE-2026-20223 in Secure Workload

May 21, 2026

Maple Grove Report Legal

Global law enforcement operation takes First VPN offline

Stephan Dorsey May 21, 2026

May 21, 2026

Attackers are bypassing MFA on SonicWall VPNs because something was wrong with previous fix

May 21, 2026

Cisco fixed maximum severity flaw CVE-2026-20223 in Secure Workload

May 21, 2026

Maple Grove Report

Global law enforcement operation takes First VPN offline

HMD, once the house of Nokia, debuts shameless iPhone 17 Pro copycat and it calls “futuristic”

AMD just saved older Radeon cards

Brett Adcock’s AI hardware startup Hark raises $700m at $6bn valuation

2 useful (and 1 fun) homelab projects to try this weekend (May 22

Samsung’s free 32-inch Odyssey monitor deal is back in stock – how to qualify

Subscribe to Our Newsletter

Get our latest articles delivered straight to your inbox. No spam, we promise.

Global law enforcement operation takes First VPN offline

Pierluigi Paganini
May 21, 2026

Police seized First VPN in a global crackdown, exposed its cybercrime users, and shut down infrastructure tied to ransomware and data theft.

A major international law enforcement operation has taken First VPN offline, a service that had become a quiet staple for ransomware crews, data thieves, and other cybercriminals trying to hide in plain sight.

“The coordinated action took place between 19 and 20 May and targeted the infrastructure behind one of the most widely used VPN services in the cybercrime underground.” reads the press release published by Europol. “The gathered intelligence exposed thousands of users linked to the cybercrime ecosystem and generated operational leads connected to ransomware attacks, fraud schemes, and other serious offences worldwide.”

Authorities seized dozens of servers across 27 countries, arrested the administrator, and carried out a search in Ukraine, cutting off an infrastructure that had been used in a wide range of serious investigations.

The service marketed itself as a privacy-first VPN with no logging and no cooperation with law enforcement, which made it appealing not just to ordinary users but also to threat actors looking to mask their activity. That’s the uncomfortable part of the VPN story: the same tools that help people protect privacy on public Wi-Fi or work securely from home are also useful for criminals who want to conceal their origin, route traffic through different regions, and make attribution harder.

“For years, the service, known as ‘First VPN’, was promoted on Russian-speaking cybercrime forums as a trusted tool for remaining beyond the reach of law enforcement. It offered users anonymous payments, hidden infrastructure, and services designed specifically for criminal use.” continues the press release. “‘First VPN’ had become deeply embedded in the cybercrime ecosystem, appearing in almost every major cybercrime investigation supported by Europol in recent years. Criminals used it to conceal their identities and infrastructure while carrying out ransomware attacks, large-scale fraud, data theft, and other serious offences.”

Europol said the service name kept resurfacing in major cybercrime cases, and Eurojust confirmed that investigators had been building the case for years through a joint effort led by French and Dutch authorities.

What seems to have made this case especially valuable for investigators is that they didn’t just shut the service down, they also got inside its infrastructure before it disappeared. That likely gave them access to user records, connection data, and other evidence that can be used to map criminal activity back to real people and devices.

Authorities dismantled cybercrime infrastructure, including 33 servers and a service based in Ukraine, and seized domains linked to the operation: 1vpns.com, 1vpns.net, 1vpns.org, plus associated onion sites. They also notified users directly and shared information on hundreds of accounts with international partners, which suggests this may lead to follow-on investigations well beyond the VPN itself.

The bigger lesson is simple: privacy tools are not the problem, but criminal operators often rely on the same infrastructure normal users trust. Once that infrastructure is compromised, dismantled, or logged, the illusion of anonymity can disappear very quickly.

“The operation has already generated significant operational results at Europol’s level:

21 Europol-supported investigations advanced through the intelligence obtained.”
83 intelligence packages disseminated;
information linked to 506 users shared internationally;

“For years, cybercriminals saw this VPN service as a gateway to anonymity. They believed it would keep them beyond the reach of law enforcement. This operation proves them wrong. Taking it offline removes a critical layer of protection that criminals depended on to operate, communicate and evade law enforcement.” said Edvardas Šileris, Head of Europol’s European Cybercrime Centre

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, First VPN)

Source link

Global law enforcement operation takes First VPN offline

Legal

HMD, once the house of Nokia, debuts shameless iPhone 17 Pro copycat and it calls “futuristic”

Technology

AMD just saved older Radeon cards

Technology

Global law enforcement operation takes First VPN offline

Stephan Dorsey

May 21, 2026

Global law enforcement operation takes First VPN offline

May 21, 2026

HMD, once the house of Nokia, debuts shameless iPhone 17 Pro copycat and it calls “futuristic”

May 21, 2026

AMD just saved older Radeon cards

May 21, 2026

U.S. CISA adds a flaw in Cisco Catalyst SD-WAN to its Known Exploited Vulnerabilities catalog

Stephan Dorsey

May 14, 2026

U.S. CISA adds a flaw in Cisco Catalyst SD-WAN to its Known Exploited Vulnerabilities catalog

Pierluigi Paganini
May 14, 2026

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a flaw in Cisco Catalyst SD-WAN to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a flaw in Cisco Catalyst SD-WAN, tracked as CVE-2026-20182 (CVSS score of 10.0), to its Known Exploited Vulnerabilities (KEV) catalog.

Cisco fixed CVE-2026-20182, a flaw in SD-WAN control connection handshaking and peering authentication in Catalyst SD-WAN Controller (vSmart) and Manager (vManage).

An unauthenticated remote attacker can send crafted requests to bypass authentication due to a validation failure. Successful exploitation lets the attacker gain administrative access, obtain a high-privilege internal account, use NETCONF, and modify SD-WAN network configurations across the fabric.

“A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system.” reads the advisory. “This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to the affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.”

In May 2026, Cisco PSIRT detected limited real-world exploitation of the vulnerability and urges customers to upgrade to a fixed software version to address the issue.

Rapid7 researchers said CVE-2026-20182 resembles the previously exploited CVE-2026-20127, another critical authentication bypass in Cisco’s SD-WAN vdaemon service over DTLS on UDP port 12346. Although researchers confirmed the new flaw is not a patch bypass, it affects a similar part of the networking stack and leads to the same result. A remote unauthenticated attacker can exploit the vulnerability to impersonate a trusted peer and perform privileged operations on the targeted appliance.

“This new authentication bypass vulnerability affects the “vdaemon” service over DTLS (UDP port 12346), which is the same service that was vulnerable to CVE-2026-20127. The new vulnerability is not a patch bypass of CVE-2026-20127. It is a different issue located in a similar part of the “vdaemon” networking stack.” reads the report published by Rapid7, which discovered the issue. “This impact however is the same, a remote unauthenticated attacker can leverage CVE-2026-20182 to become an authenticated peer of the target appliance, and perform privileged operations, such as injecting an attacker controlled public key into the vmanage-admin user account’s authorized SSH keys file. Once this has been performed, a remote unauthenticated attacker can login to the NETCONF service (SSH over TCP port 830) as the vmanage-admin user, and begin to issue arbitrary NETCONF commands.”

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerability by May 17, 2026.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, US CISA Known Exploited Vulnerabilities catalog)

Source link

This Oscar-nominated revenge thriller is one of the 3 best Peacock movies you should watch this weekend (May 8-10)

May 9, 2026

Perplexity’s Personal Computer can work autonomously on your Mac, and it’s now available to all

May 8, 2026

Microsoft warns of global campaign stealing auth tokens from 35K users

May 5, 2026

Recent Reviews

North Korea’s Lazarus APT stole $290M from Kelp DAO

0

Ransomware negotiator caught secretly assisting BlackCat extortion scheme

0

Venezuela energy sector targeted by highly destructive Lotus wiper

0

Copyright © 2024 All Rights Reserved.

Disclosure

Do Not Sell

Privacy Policy

About Us

Contact Us

Manage Consent

To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.

Functional Functional Always active

The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.

Preferences Preferences

The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.

Statistics Statistics

The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.

Marketing Marketing

The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.

Manage options Manage services Manage {vendor_count} vendors Read more about these purposes

View preferences

{title} {title} {title}