Cybersecurity Daily: News & Threats

Cybersecurity Daily — daily news briefing covering the most important cybersecurity events from the past 24 hours. Data breaches, vulnerability disclosures, ransomware, nation-state attacks, zero-days, regulatory actions, and enterprise security news. 6-10 stories per episode. Factual, technical where necessary, accessible to security professionals and informed non-specialists. Global scope.

  1. 15h ago

    Space Surge, Icarus OAuth & Chrome Zero-Day CVE-2026-11645

    (00:00:00) Space Surge, Icarus OAuth & Chrome Zero-Day CVE-2026-11645
    (00:00:51) Klue Breach Hits Security Vendors
    (00:01:51) Bajaj Auto Ransomware Disclosed
    (00:02:37) FortiBleed Automated Domain Takeover
    (00:03:13) Five Eyes AI Warning and GPT-5.5-Cyber
    (00:04:13) Chrome Zero-Day CVE-2026-11645

    Today's cybersecurity briefing opens with the sharpest signal in weeks: a 400% surge in cyberattacks against space infrastructure, timed to the escalation of U.S. and Israeli military operations against Iran. The attacks blend nation-state sophistication with hacktivist volume, targeting defense contractors, aerospace operators, and satellite systems in what appears to be large-scale reconnaissance — or pre-positioning for future disruption.

    The Icarus OAuth breach is the day's defining supply chain story. A newly attributed extortion group stole OAuth tokens via a compromised Klue-Salesforce integration, exposing CRM data at Huntress, Recorded Future, Tanium, Jamf, HackerOne, Snyk, and others. The victims are security vendors — companies whose core business is protecting others. The vector was a trusted third-party connector, not a direct attack. That's exactly what makes it so effective.

    India's Bajaj Auto confirmed a ransomware attack on June 23rd affecting parent systems and subsidiary BATL. Containment is ongoing; exfiltration is unconfirmed. For a manufacturer at this scale, the operational risk extends well beyond data loss into production disruption and supply chain exposure.

    The FortiBleed campaign demonstrates what AI-assisted exploitation looks like at scale: GPU-powered credential cracking, OpenFortiVPN pivoting, and an automated AI penetration agent achieving full domain compromise across thousands of networks. The Five Eyes alliance issued a coordinated warning the same day, flagging that frontier AI models are compressing the window from vulnerability discovery to active exploitation from years to months.

    Finally, a Chrome V8 zero-day — CVE-2026-11645 — is being actively exploited in the wild. Patch status is unconfirmed as of this recording. Enterprise browser policy teams should treat this as a priority item today.

    This episode includes AI-generated content.

    6 min
  2. 1d ago

    Icarus OAuth Attack, Council of Europe Breach & AryStinger Botnet

    (00:00:00) Icarus OAuth Attack, Council of Europe Breach & AryStinger Botnet
    (00:01:13) Oracle PeopleSoft Zero-Day, 100+ Victims
    (00:01:48) ShinyHunters Publishes Council of Europe Data
    (00:02:43) AryStinger Botnet Hijacks D-Link Routers
    (00:03:34) The Signal That Connects All Three

    Three major incidents dominated the past twenty-four hours, and they share a single underlying pattern: attackers exploiting the gap between trusted access and monitored access.

    The Icarus group compromised legacy credentials at Klue, a competitive intelligence platform, converting them into OAuth tokens that granted silent access to Salesforce data across nine cybersecurity firms — including HackerOne, Recorded Future, Snyk, and Jamf. Automated Python scripts queried the API continuously for twenty-four hours, blending into normal integration traffic. A ransom deadline of June 17th has already passed with no disclosed resolution.

    In a connected development, a critical Oracle PeopleSoft zero-day has been exploited across more than one hundred organisations. Attacks mimicked legitimate user sessions, bypassing anomaly detection entirely. The Council of Europe is among confirmed victims — and that breach escalated sharply when ShinyHunters published 297 gigabytes of stolen data after the Council declined to pay. The leaked files include payroll records, medical files, and bank details for approximately ten thousand employees. ShinyHunters deployed permanent torrent mirrors, explicitly framing the release as lasting until the end of time. That shift fundamentally changes the extortion calculus for every future victim: payment no longer removes the threat.

    Rounding out today's briefing, the AryStinger botnet has quietly compromised over 4,300 end-of-life D-Link routers — models the manufacturer abandoned — installing a Dropbear SSH backdoor for infrastructure reconnaissance rather than DDoS. Detection rates in mainstream security engines are near zero.

    Oracle's patch timeline remains undefined. Klue's full breach scope is unconfirmed. Affected Council of Europe employees are still awaiting notification. This is Cybersecurity Daily.

    This episode includes AI-generated content.

    5 min
  3. 2d ago

    208 CVEs, Qilin Hits Telecom & GentleKiller EDR Bypass

    (00:00:00) 208 CVEs, Qilin Hits Telecom & GentleKiller EDR Bypass
    (00:00:56) Qilin Claims Q Link Wireless
    (00:01:37) GentleKiller EDR Bypass Toolkit
    (00:02:24) Microsoft Teams Abused for C2
    (00:02:53) DORA and CIRCIA Tighten Rules
    (00:03:37) Key Watchpoints This Cycle

    This episode covers six critical cybersecurity developments from the past 24 hours — from a Windows regression shipping inside Microsoft's own security patches, to ransomware hitting U.S. telecom infrastructure.

    Microsoft's latest Patch Tuesday addressed 208 vulnerabilities, but the same update introduced a Recycle Bin display bug exposing internal filenames across every supported Windows version — from Windows 10 through Server 2012. No rollback timeline has been issued, leaving enterprise administrators without clear remediation guidance.

    The Qilin ransomware group publicly claimed responsibility for breaching Q Link Wireless, a major U.S. telecom provider, in a move that signals a deliberate shift toward high-visibility critical infrastructure targets. Details on data exfiltrated and ransom demands remain undisclosed.

    A May 2026 internal leak exposed GentleKiller, a professionally maintained toolkit that disables over 400 EDR processes by exploiting signed but vulnerable drivers — bypassing kernel-level protections without triggering standard detection logic. The leak has made its operational details publicly available, raising urgent questions about active affiliate campaigns.

    A ransomware group also abused Microsoft Teams relay infrastructure between June 14 and 20 to hide command-and-control traffic inside legitimate enterprise application activity — a technique that defeats standard perimeter controls.

    On the regulatory front, EU financial regulators published their first DORA ICT incident overview, marking a shift from expectation to active enforcement. In the U.S., CISA continued public consultations to finalise the federal cyber incident reporting rule under CIRCIA.

    This podcast was built using AI technology. A YesWee production. This episode includes AI-generated content.

    5 min
  4. 3d ago

    Credentials Meet CVE Data, FortiBleed & SocGholish Dismantled

    (00:00:00) Credentials Meet CVE Data, FortiBleed & SocGholish Dismantled
    (00:01:17) FortiBleed Exposes Firewall Credentials
    (00:01:52) SocGholish Botnet Dismantled
    (00:02:42) Conti Operator Guilty Plea
    (00:03:13) CISA Doctrine Shift to Resilience
    (00:03:46) Novo Nordisk and GitHub Access Risk
    (00:04:10) White House AI Security Framework

    The cybersecurity threat landscape shifted in a meaningful way today. A 24-billion-password credential database has been indexed against known CVE data, turning opportunistic credential stuffing into a prioritised, exploit-driven attack model. Security teams managing unpatched systems face compounded risk: exposed credentials plus a flagged vulnerability in the same lookup table. Changing passwords alone is insufficient while millions of infostealer-infected machines may still be actively harvesting data.

    In parallel, the FortiBleed exposure has put 74,000 Fortinet firewall admin credentials into attacker hands. CISA is urging immediate incident-response-level action: terminate sessions, reset credentials, enforce phishing-resistant MFA, and restrict management interfaces to internal hosts only.

    On the enforcement side, the SocGholish botnet — also known as FakeUpdates — was dismantled after seven years of operation, with 15,000 compromised sites remediated and 106 servers seized. The botnet served as a primary initial-access channel for LockBit, DoppelPaymer, and RansomHub. Separately, Ukrainian national Oleksii Lytvynenko pleaded guilty to Conti ransomware development, facing up to 20 years at a September 2026 sentencing.

    CISA's acting director publicly shifted doctrine this week: critical infrastructure disruption by China and Russia is now treated as inevitable, with planning moving from prevention to resilience. Novo Nordisk disclosed a breach traced to a single compromised GitHub access token — a reminder that developer credentials are a systematically underprotected attack surface.

    And the White House and Anthropic are negotiating an AI security assessment framework following a jailbreak dispute, with no consensus yet on severity definitions or export control triggers.

    This episode includes AI-generated content.

    5 min
  5. 4d ago

    Splunk RCE Exploited & Icarus OAuth Attack Hit CRM Data

    (00:00:00) Splunk RCE Exploited & Icarus OAuth Attack Hit CRM Data
    (00:00:37) CVE-2026-20253 Exploit Chain
    (00:01:49) Klue OAuth Token Compromise
    (00:02:33) Why OAuth Tokens Bypass Defenses
    (00:03:06) SaaS Supply Chain Scale
    (00:03:27) What To Watch Now

    A critical Splunk Enterprise vulnerability is now confirmed under active exploitation — and the implications reach far beyond a single server. CVE-2026-20253 carries a CVSS score of 9.8 and enables unauthenticated remote code execution through an unprotected PostgreSQL sidecar service. Federal agencies face a June 21 patch deadline, but organisations running vulnerable versions before Splunk's June 10 advisory may already be compromised. Because Splunk sits at the centre of security visibility — indexing logs, feeding detection pipelines, holding credentials — a successful intrusion lets attackers see what your security team sees, erase forensic evidence, and move laterally at scale.

    Running in parallel, threat actor Icarus used a stolen legacy credential to compromise OAuth tokens at competitive intelligence vendor Klue. Those tokens gave Icarus legitimate, passwordless access to the Salesforce environments of Huntress, Jamf, Recorded Future, and Tanium — running automated data extraction loops for 24 hours without triggering alarms. Salesforce wasn't breached; trusted OAuth tokens were simply abused. Integration service accounts held broad permissions with no MFA, no behavioural baseline, and no rotation cadence to limit a stolen token's useful life.

    Together these stories illustrate the defining challenge of modern enterprise security: third-party breaches now account for 30% of all incidents, doubled year-over-year. One compromised vendor credential can simultaneously unlock multiple downstream customers. The attack surface isn't a firewall gap — it's the trusted integrations organisations rely on every day.

    Key indicators to hunt: unusual PostgreSQL connection parameters in Splunk, unexpected database dumps, outbound Splunk connections to unknown hosts, and unreviewed OAuth token grants across SaaS integrations.

    This episode includes AI-generated content.

    5 min
  6. 5d ago

    INC Ransomware Hits 830 Victims, FortiBleed & Oracle 245-Patch CPU

    (00:00:00) INC Ransomware Hits 830 Victims, FortiBleed & Oracle 245-Patch CPU
    (00:01:11) Veeam Backup Credential Dumper
    (00:01:38) RoguePlanet Defender Zero-Day
    (00:02:20) FortiBleed — 30K Firewalls Compromised
    (00:03:00) FortiSandbox Active Exploitation
    (00:03:22) Oracle Patches and Closing Watch Points

    INC ransomware has rewritten its encryptors in Rust — and the operational implications are significant. With over 830 victims since August 2023 and more than 120 incidents in Q1 2026 alone, INC now ranks fourth among the most prolific ransomware operations globally. The Rust rewrite delivers cross-platform capability and binary hardening that makes reverse engineering substantially harder. Critically, INC's updated credential dumper now bypasses salted DPAPI encryption in newer Veeam backup deployments — eliminating what many defenders considered a last line of recovery.

    Microsoft has confirmed a fourth zero-day in the Malware Protection Engine attributed to the same researcher, Chaotic Eclipse. CVE-2026-50656 carries a CVSS of 7.8 and enables privilege escalation. A public proof-of-concept is already live, with no patch timeline disclosed — a window of real exposure for every unpatched Windows environment.

    Fortinet is facing pressure on two fronts simultaneously. The FortiBleed campaign has compromised 30,791 firewalls across 194 countries using credential reuse and SSL-VPN interception, backed by over 1.16 billion password-spray attempts attributed to a Russian-speaking threat actor. Separately, three FortiSandbox vulnerabilities — all CVSS 9.1 — are under active exploitation, with one showing signs of AI-assisted exploit development.

    Oracle's June Critical Patch Update covers 245 vulnerabilities, with 106 patches for Fusion Middleware alone — 53 of them remotely exploitable without credentials. For security teams, prioritisation is not optional this cycle.

    All stories are sourced from public disclosures, vendor advisories, and threat intelligence reporting from the past 24 hours. This episode includes AI-generated content.

    5 min
  7. 6d ago

    ShinyHunters' Kodak Deadline, 24B Credential Dump & Vertex AI Patch

    (00:00:00) ShinyHunters' Kodak Deadline, 24B Credential Dump & Vertex AI Patch
    (00:01:01) Kodak ShinyHunters June Deadline
    (00:01:58) 24 Billion Record Mega-Dump
    (00:02:44) ICAI Exam Portal Allegations
    (00:03:30) Key Watchpoints Going Forward

    Three high-stakes cybersecurity stories dominate today's briefing — and one of them is on a countdown clock.

    ShinyHunters has set a June 18 deadline for Kodak to make contact or face publication of 2.2 million customer records. Kodak has confirmed unauthorised access but characterises it as limited, while ShinyHunters has yet to release a proof sample. That ambiguity is deliberate. The group has followed through on publication threats before — most recently after 7-Eleven negotiations stalled — and with 64% of organisations now refusing ransom payment, Kodak's response will serve as a live benchmark for corporate extortion posture.

    Separately, researchers uncovered an exposed Elasticsearch cluster containing roughly 24 billion credentials aggregated from 36 sources. The alarming detail is composition: a substantial portion originates from fresh infostealer logs harvesting plaintext passwords and session tokens from active infections today — not just historical breach archives. The cluster has been taken offline, but the data's onward movement is likely already in progress.

    On the vulnerability side, Google patched a race-condition flaw in the Vertex AI SDK (version 1.148.0, released April 15) that allowed attackers to intercept ML models mid-upload via predictable staging bucket names. The exploit window was approximately 2.5 seconds — enough to swap in pickle- or joblib-serialised payloads and harvest cross-tenant OAuth tokens. This is the second predictable-bucket-name flaw patched in Vertex AI this year, suggesting a systemic design pattern rather than an isolated bug.

    Finally, unverified social media claims allege a threat actor obtained superadmin access to India's ICAI chartered accountancy exam portal hours before results were due. No technical evidence has been published. Track it — don't act on it yet.

    A YesWee production. This episode includes AI-generated content.

    5 min
  8. Jun 17

    PeopleSoft CVE-2026-35273 Exploited, Healthcare Costs Hit $11M & Ransomware at 44%

    (00:00:00) PeopleSoft CVE-2026-35273 Exploited, Healthcare Costs Hit $11M & Ransomware at 44%
    (00:00:57) University of Nottingham Breach Confirmed
    (00:01:53) Healthcare Breach Costs Hit Record
    (00:02:37) Ransomware Now 44% of All Breaches
    (00:03:05) North Korean Developer Supply Chain Campaign
    (00:03:36) Samsung Patch and CISA Restructure
    (00:04:15) What to Watch Next

    A CVSS 9.8 zero-day in Oracle PeopleSoft — CVE-2026-35273 — is being actively exploited with no permanent patch in sight, making it one of the most urgent enterprise vulnerabilities in circulation right now. The ShinyHunters threat group claims 300 compromised instances; independent verification puts confirmed victims above 100, with federal agencies already past their remediation deadline. Oracle's emergency mitigation guidance is all organizations have to work with for now.

    Among the confirmed victims, the University of Nottingham has disclosed a breach affecting 454,600 student records — personal data, academic records, billing, and financial aid. The university declined the ransom demand, triggering public disclosure. It's the right call structurally, even if costly: 80% of organizations that pay are attacked again within 12 months.

    The broader breach landscape is shifting. Ransomware now accounts for 44% of all data breaches, up from 32% the prior year. Double extortion is standard practice. Meanwhile, healthcare breach costs have reached a record $11.2 million per incident — 2.5 times the global average — driven by high-value medical records, HIPAA penalties, and legacy system exposure windows averaging 241 days.

    Elsewhere, a North Korean-linked supply chain campaign is targeting developers via fake LinkedIn recruiters and malicious npm packages with post-install backdoors. Samsung's June update patches 45 vulnerabilities across Galaxy devices. And CISA has appointed Scott Breor to lead its Infrastructure Security Division as the agency enters a workforce expansion phase.

    Key watchpoints: Oracle's patch timeline for CVE-2026-35273, and whether the ShinyHunters victim count climbs as forensic reviews complete.

    This episode includes AI-generated content.

    5 min
