#NSBCS.120 - Hacker Summer Camp Goes East


Traditional Hacker Summer Camp is in August, with the back-to-back Black Hat, BSides and DEF CON conferences in Las Vegas, USA. In 2026, for the first time, Hacker Summer Camp replicates east to Singapore, where it is always summer. Next week Black Hat Asia (21-24 April), and the week after the inaugural DEF CON Singapore (26-30 April), will be on show at Marina Bay Sands. They are two very different conferences in style and target audience (DEF CON has a 3-2-1 rule…and it’s not for backups), but they share the same mission: advancing cybersecurity through the sharing of cutting-edge research, vulnerability discovery and practical defence strategies. Conference sessions and training courses give great early indicators of, and takeaways on, the industry and the region.

The scheduled Black Hat Asia briefings, talks and trainings show some consistent themes:

1. While AI continues to be a strong topic, there is a significant shift in offensive security AI from theoretical work to more autonomous attacks, in particular agentic workflows where AI can plan, execute and adapt its lateral movement around traditional security controls. This has significant implications for how we defend; even Black Hat training sessions such as Adversarial AI & LLM Red Teaming now include a dedicated focus on defence against autonomous lateral movement.

2. A continued and renewed focus on the supply chain. Looking beyond recent (but still patchable) software packages like Axios, there are talks relevant to the APAC manufacturing sector, particularly on Boot ROM vulnerabilities. The supply chain is no longer just the OS and software; the hardware and firmware of the device are attracting significant research attention. These hardware vulnerabilities are hard to remediate (often requiring complete hardware replacement), provide long-term persistence, and often result in undetectable full compromise of the device.

DEF CON Singapore brings the popular mini-conference “villages” concept over from the USA format. While the talks follow a similar theme to the Black Hat line-up, the main interest will be the Public Safety Village run by Singapore’s Home Team Science and Technology Agency (HTX). This village explores how to secure and use critical IoT infrastructure and AI-powered surveillance in real-world public safety scenarios. By giving practitioners hands-on education on the technology used by the Singapore Ministry of Home Affairs, it models the collaborative defence strategy governments are now taking with offensive security practitioners.

It’s clear from the 2026 line-up and the launch of the inaugural DEF CON Singapore that the Asia-Pacific region is becoming ever more important to the global security landscape, particularly in AI and supply chain security research. Defensible perimeters are being blurred by AI, and third-party risk is extending into hardware-level supply chain security. Whether you sit on the red or blue team, on an executive board, or are a hands-on practitioner, it’s hard to ignore that Hacker Summer Camp East is setting an early industry research focus for 2026.

Summer has come early.


What we read this week

  • CISA Adds Multiple Known Exploited Vulnerabilities to Catalog, Including Fortinet and Microsoft Flaws — The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added several actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog this week, including flaws in Fortinet, Microsoft Exchange and Adobe software. Federal Civilian Executive Branch agencies must apply patches by 27 April 2026. The additions highlight ongoing exploitation of network security and email-related vulnerabilities, and urge organisations to prioritise timely patching and vulnerability management to reduce exposure to real-world attacks.

  • Microsoft April 2026 Patch Tuesday Addresses SharePoint Zero-Day and 168 Other Vulnerabilities — Microsoft released updates fixing 169 security flaws, including one actively exploited zero-day in SharePoint Server (CVE-2026-32201, a spoofing vulnerability with CVSS 6.5) and numerous others across its ecosystem. CISA has since added the SharePoint flaw to its KEV catalog. Administrators should apply patches immediately, review systems for signs of compromise, and strengthen input validation and authentication controls.

  • Critical Authentication Bypass in nginx-ui Under Active Exploitation — Researchers have identified CVE-2026-33032 (CVSS 9.8), an authentication bypass vulnerability in the open-source nginx-ui management tool, now actively exploited in the wild. The flaw, codenamed MCPwn, allows unauthenticated attackers to take full control of NGINX servers by invoking management functions without credentials. Users of nginx-ui should apply available fixes urgently, restrict exposure of management interfaces, and monitor for unauthorised configuration changes.

  • Fortinet Patches Critical FortiSandbox Vulnerabilities Under Active Exploitation — Fortinet has released patches for 27 vulnerabilities across its products, including two critical flaws in FortiSandbox (CVE-2026-39813 and CVE-2026-39808). These enable authentication bypass via path traversal in the JRPC API and OS command injection, potentially allowing unauthenticated remote code execution and privilege escalation. Organisations using FortiSandbox should upgrade to the latest versions without delay, limit API exposure, and monitor for suspicious activity on sandbox environments.

  • Booking.com and Basic-Fit Confirm Significant Data Breaches — Booking.com disclosed that unauthorised parties accessed customer personal data, including names, email addresses, phone numbers, and booking details. Separately, European gym chain Basic-Fit confirmed a breach affecting around one million members, with stolen data including bank details. Both incidents serve as timely reminders of the persistent risks to customer data in consumer-facing services and the importance of robust access controls, firewall management, and incident response planning.
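The KEV and Patch Tuesday items above both come down to the same defender task: deciding which scanner findings to patch first when a catalog deadline is attached. The script below is an added example, not code from the newsletter or from CISA; it shows one way to triage a host inventory against a KEV-format catalog and rank findings by remaining days to the due date. The field names (cveID, vendorProject, product, dueDate) follow the public KEV JSON feed, but the catalog entries and the inventory are constructed samples: the CVE identifiers are the ones mentioned in this issue, while the product strings, the hostnames and the second due date are made up for illustration.

```python
"""Triage scanner findings against a CISA KEV-style catalog.

Added example (not from the newsletter). Field names follow the public
KEV JSON feed; all entries below are constructed samples.
"""
import json
from datetime import date

# Constructed catalog in the shape of the KEV feed. The CVE IDs appear in
# this issue; the dates and product strings are sample values.
KEV_SAMPLE = json.dumps({
    "title": "Constructed KEV sample",
    "vulnerabilities": [
        {"cveID": "CVE-2026-32201", "vendorProject": "Microsoft",
         "product": "SharePoint Server", "dueDate": "2026-04-27"},
        {"cveID": "CVE-2026-33032", "vendorProject": "nginx-ui",
         "product": "nginx-ui", "dueDate": "2026-04-27"},
        {"cveID": "CVE-2026-39813", "vendorProject": "Fortinet",
         "product": "FortiSandbox", "dueDate": "2026-05-15"},
    ],
})

# Constructed inventory: CVEs a scanner reported per host. The
# CVE-0000-* entries are placeholders, not real identifiers.
INVENTORY = {
    "sp-01.example.internal": {"CVE-2026-32201", "CVE-0000-0001"},
    "edge-ui.example.internal": {"CVE-2026-33032"},
    "sandbox.example.internal": {"CVE-2026-39813"},
    "build-agent.example.internal": {"CVE-0000-0002"},
}


def load_kev(raw_json):
    """Return {cveID: entry} from a KEV-format JSON document."""
    doc = json.loads(raw_json)
    return {v["cveID"]: v for v in doc["vulnerabilities"]}


def prioritise(inventory, kev, today, warn_days=7):
    """Rank (host, CVE) findings that are in the KEV catalog by urgency.

    Findings not in KEV are left out of the ranking: they still need
    patching on the normal cycle, but KEV presence is evidence of real
    exploitation and carries a deadline. Overdue items sort first, then
    those closest to their due date.
    """
    rows = []
    for host, cves in inventory.items():
        for cve in sorted(cves & set(kev)):
            due = date.fromisoformat(kev[cve]["dueDate"])
            days_left = (due - today).days
            if days_left < 0:
                status = "OVERDUE"
            elif days_left <= warn_days:
                status = "DUE_SOON"
            else:
                status = "SCHEDULED"
            rows.append({"host": host, "cve": cve,
                         "product": kev[cve]["product"],
                         "due": due.isoformat(),
                         "days_left": days_left, "status": status})
    rows.sort(key=lambda r: (r["days_left"], r["host"], r["cve"]))
    return rows


if __name__ == "__main__":
    catalog = load_kev(KEV_SAMPLE)
    for row in prioritise(INVENTORY, catalog, date(2026, 4, 20)):
        print(f"{row['status']:<9} {row['days_left']:>4}d  {row['host']:<30} "
              f"{row['cve']}  ({row['product']}, due {row['due']})")
```

In practice the catalog would be the live KEV feed and the inventory the export from your scanner; the ranking logic stays the same. The `warn_days` window is the knob to tune to your own change-management lead time.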

