#NSBCS.123 - From Alerts to Action: Rethinking Managed Detection and Response (MDR)
We’re thrilled to launch our Managed Detection and Response (MDR) offering this week!
Over the past few months, we’ve spent a lot of time thinking about a simple question:
Why are organisations still experiencing serious incidents, despite having monitoring in place?
In our experience, the issue isn’t visibility. It’s timing.
Most SOC and MDR models are built around alerts. But alerts are a lagging indicator of attacker activity. By the time they trigger, an incident may already be underway.
So we built something different.
Rather than waiting for alerts, we focus on identifying and disrupting threats early in the attack lifecycle.
This is achieved through:
Continuous analysis of endpoint, identity, and user activity
AI-driven correlation and prioritisation of risk
Intelligence informed by real-world incidents and active threat monitoring
Expert-led investigation and response
Our solution goes beyond monitoring. It is a modernised security operations model focused on reducing risk.
What we read this week
Palo Alto Networks PAN-OS Buffer Overflow Zero-Day Under Active Exploitation (CVE-2026-0300) - Palo Alto Networks has disclosed a critical buffer overflow vulnerability in the User-ID Authentication Portal (Captive Portal) service of PAN-OS software on PA-Series and VM-Series firewalls. The flaw (CVE-2026-0300, CVSS 9.3) allows unauthenticated remote attackers to execute arbitrary code with root privileges by sending specially crafted packets. Limited in-the-wild exploitation has been confirmed, with CISA adding it to the Known Exploited Vulnerabilities catalog. Patches are scheduled in phases starting around 13 May 2026, with full coverage expected later in the month. Organisations should immediately disable the Captive Portal if unused, restrict access to trusted IPs only, and monitor for exploitation attempts.
Iranian MuddyWater APT Conducts False-Flag Ransomware Operation via Microsoft Teams Social Engineering - Rapid7 has attributed an early 2026 ransomware-like attack to the Iranian state-sponsored group MuddyWater (also known as Mango Sandstorm/Seedworm). The operation masqueraded as Chaos ransomware but prioritised credential harvesting and data exfiltration over encryption. Attackers used high-touch social engineering over Microsoft Teams, impersonating IT support with screen-sharing sessions to steal credentials and bypass MFA. This highlights the growing abuse of legitimate collaboration tools for initial access and persistence in targeted intrusions.
Mirai-Derived xlabs_v1 Botnet Targets Exposed ADB Devices for DDoS-for-Hire Attacks - Researchers at Hunt.io have uncovered xlabs_v1, a commercial Mirai variant that exploits internet-exposed Android Debug Bridge (ADB) services on TCP port 5555. The botnet infects Android TV boxes, smart TVs, set-top boxes, and other IoT devices to launch DDoS attacks, supporting 21 flood variants (including TCP, UDP, and protocol-specific methods) aimed primarily at gaming and Minecraft servers. It is sold as a bandwidth-tiered DDoS-for-hire service. With millions of devices potentially vulnerable due to default ADB exposure, users and administrators should disable unnecessary ADB access and apply network segmentation.
Critical cPanel & WHM Authentication Bypass Zero-Day Exploited for Months (CVE-2026-41940) - A severe authentication bypass vulnerability (CVE-2026-41940, CVSS 9.8) in cPanel, WHM, and WP Squared (versions after 11.40) has been actively exploited since at least February 2026, well before its public disclosure and patching on 28 April. The flaw, involving CRLF injection and session manipulation, allows unauthenticated remote attackers to gain administrative access. Over 40,000 servers have reportedly been compromised in ongoing campaigns involving Mirai botnets and ransomware. Hosting providers and users must apply emergency updates immediately, review logs for suspicious activity, and rotate credentials.
Amtrak Data Breach Exposes Millions of Customer Records via ShinyHunters - ShinyHunters claimed responsibility for breaching Amtrak in April 2026, allegedly accessing Salesforce data containing up to 9.4 million records (with over 2 million unique emails independently verified). Exposed information includes names, email addresses, physical addresses, and customer support/ticket histories, heightening risks of phishing and identity theft. The group followed its typical pattern of cloud CRM compromise and ransom demands. Amtrak has not issued a detailed public statement, underscoring the need for robust third-party SaaS monitoring and credential hygiene.
References
https://security.paloaltonetworks.com/CVE-2026-0300
https://thehackernews.com/2026/05/muddywater-uses-microsoft-teams-to.html
https://thehackernews.com/2026/05/mirai-based-xlabsv1-botnet-exploits-adb.html
https://www.helpnetsecurity.com/2026/04/30/cpanel-zero-day-vulnerability-cve-2026-41940-exploited/
https://haveibeenpwned.com/Breach/Amtrak

