Cybersecurity Daily: News & Threats

PoC Exploits, Anonymous Dump & Tata iPhone IP Leak

5 min · 30. juni 2026
episode PoC Exploits, Anonymous Dump & Tata iPhone IP Leak cover

Beskrivelse

(00:00:00) PoC Exploits, Anonymous Dump & Tata iPhone IP Leak (00:01:14) Anonymous Exploit Dump — 15 Products (00:02:00) PTC Windchill KEV Listing (00:02:29) Tata Electronics Breach — iPhone 18 Pro IP (00:03:03) Weedhack and CountLoader — Malware at Scale (00:03:45) Amazon Q Developer Credential Risk (00:04:09) Key Watchpoints — What Comes Next A proof-of-concept exploit for CVE-2026-55200 — a CVSS 9.2 integer overflow in libssh2 — is now public, and the attack surface is enormous. Because libssh2 is statically linked into curl, Git, PHP, firmware updaters, and embedded appliances, distro patches won't reach most affected deployments. The same class of bug hit libssh2 in 2019. Seven years later, the exposure is wider than ever. A researcher known as "bikini" compounded the problem by dropping an unvetted exploit archive targeting 15 products — including Gitea, Splunk, RustDesk, VLC, and OpenVPN — with zero vendor notice. Two entries are confirmed high-impact: libssh2 and Gitea (CVE-2026-20896), the latter already exploited in the wild. The coordinated disclosure model is under pressure. CISA added CVE-2026-12569 in PTC Windchill to its Known Exploited Vulnerabilities catalog. The unauthenticated RCE flaw, used to deploy JSP webshells, has had a patch available since June 18 — making the exploitation gap the headline, not the vulnerability itself. The World Leaks ransomware group leaked over 200,000 files from Tata Electronics, including component maps, supplier data, and prototype photographs tied to the iPhone 18 Pro. Apple-specific IP is confirmed on the dark web, with potential overlap into TSMC and Qualcomm files. Also covered: Weedhack malware-as-a-service targeting Minecraft players across 116,000 endpoints, the CountLoader JavaScript campaign infecting 86,000 devices across three continents, and CVE-2026-12957 in Amazon Q Developer — a supply chain risk that can exfiltrate cloud credentials from untrusted repositories. This episode includes AI-generated content.

Kommentarer

0

Vær den første til at kommentere

Tilmeld dig nu og bliv en del af Cybersecurity Daily: News & Threats-fællesskabet!

Kom i gang

1 måned kun 9 kr.

Derefter 99 kr. / måned · Opsig når som helst.

  • Podcasts kun på Podimo
  • 20 lydbogstimer pr. måned
  • Gratis podcasts

Alle episoder

70 episoder

episode LegacyHive Unpatched, AI Ransomware & SharePoint Triple Exploit cover

LegacyHive Unpatched, AI Ransomware & SharePoint Triple Exploit

(00:00:00) LegacyHive Unpatched, AI Ransomware & SharePoint Triple Exploit (00:01:02) SharePoint Three-Flaw Exploitation Confirmed (00:01:35) Adobe VMware Browser Critical Patches (00:02:31) AI Ransomware Without a Ransom Demand (00:03:10) Bermuda Ransomware Payout Confirmed (00:03:42) Fairlife Production Halt (00:04:00) Key Watchpoints Going Forward A researcher going by Chaotic Eclipse released LegacyHive, an unpatched Windows User Profile Service zero-day enabling local privilege escalation on every supported Windows version — dropping hours after Microsoft's July Patch Tuesday. Three previous disclosures from the same researcher led to active exploitation, and the weaponization clock is already running on this one. CISA confirmed active exploitation of three simultaneous SharePoint Server vulnerabilities — CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164 — covering remote code execution and data theft across on-premises deployments. The chaining risk makes this the most urgent item for enterprise defenders today. This Patch Tuesday also brought 88 Adobe patches, eight covering ColdFusion at CVSS 9.0–9.9; a CVSS 9.8 authentication bypass in VMware's Avi Load Balancer exposing the control plane; and critical browser patches from both Firefox and Mozilla on the same day, with public exploit code already circulating for Firefox. Sysdig documented what appears to be the first fully autonomous AI-driven ransomware operation — over 600 automated actions, no human operators, and deliberately no payment mechanism. The NotPetya parallel is hard to ignore: this looks like rehearsal or state-level operational testing, not a criminal campaign. Elsewhere, a parliamentary report confirmed Bermuda's government paid approximately $4.4 million following its 2023 ransomware attack, and Fairlife halted US dairy production after unauthorised system access — the first major food and beverage supply chain disruption of 2026. Two watchpoints going forward: whether LegacyHive gets weaponised before a patch ships, and whether the autonomous AI ransomware resurfaces with a payment mechanism attached. This episode includes AI-generated content.

18. juli 20265 min
episode LegacyHive Zero-Day, SonicWall CVSS 10.0 & Sandworm's Clickfix Pivot cover

LegacyHive Zero-Day, SonicWall CVSS 10.0 & Sandworm's Clickfix Pivot

(00:00:00) LegacyHive Zero-Day, SonicWall CVSS 10.0 & Sandworm's Clickfix Pivot (00:01:09) SonicWall CVSS Ten Zero-Days (00:02:06) Microsoft's 622-Patch Cycle (00:02:41) Romania Land Registry Breach (00:03:16) Sandworm Clickfix Ukraine Campaign (00:04:01) NuGet Abuse and Spirals Ransomware A Windows zero-day called LegacyHive dropped publicly hours after Microsoft's July 2026 Patch Tuesday cycle closed — not before, after. Researcher Chaotic Eclipse published a proof of concept targeting the Windows User Profile Service that works on every fully-patched Windows version. Three previous disclosures by the same researcher led to confirmed in-the-wild exploitation. The pattern is the story. Meanwhile, two CVSS 10.0 zero-days in SonicWall SMA 1000 appliances are already being actively chained in real intrusions. CVE-2026-15409 and CVE-2026-15410 let attackers extract credentials and MFA seeds from perimeter devices, then pivot into domain controllers. A security device becomes a persistent backdoor. Patch Tuesday itself brought 622 vulnerabilities this cycle — including a no-auth SharePoint RCE and an Active Directory Federation Services flaw both flagged by CISA for federal remediation by July 17–28. Then LegacyHive arrived the same day, unpatched. Elsewhere: Romania's national land registry ANCPI was hit on July 14 by threat actor ByteToBreach, stalling real estate transactions nationwide. Russia's Sandworm group is using Clickfix — fake CAPTCHA prompts running PowerShell — to deploy FreakyPoll and FluidLeech malware against Ukrainian targets. Eleven malicious NuGet packages were found dropping Starland RAT and WLDR implants disguised as game cheats. And a ransomware variant called Spirals is achieving full network encryption within 24 hours of initial access, outpacing most recovery assumptions. Three open questions heading into the next cycle: Will LegacyHive move from theoretical to confirmed exploitation? Will SonicWall intrusions spread to new sectors? Will Microsoft issue an out-of-band patch? This episode includes AI-generated content.

I går5 min
episode SonicWall CVSS 10.0, Record 570 Patches & LegacyHive Zero-Day cover

SonicWall CVSS 10.0, Record 570 Patches & LegacyHive Zero-Day

(00:00:00) SonicWall CVSS 10.0, Record 570 Patches & LegacyHive Zero-Day (00:00:58) Microsoft Record 570 Patches (00:02:08) SharePoint and AD FS Under Attack (00:03:05) LegacyHive Unpatched Windows PoC (00:03:57) BitLocker Bypass and Patch Risk (00:04:48) What to Watch Next This episode covers one of the most intense vulnerability weeks of the year, opening with two actively exploited zero-days in SonicWall Secure Mobile Access appliances. CVE-2026-15409, a server-side request forgery flaw rated CVSS 10.0, and CVE-2026-15410, a code injection vulnerability rated 7.2, together create a direct attack path into remote access infrastructure. Organizations running SMA 1000 series appliances should treat patching as an emergency, not a maintenance item. Microsoft's July Patch Tuesday set an industry record: more than 570 vulnerabilities fixed in a single release, with up to 63 rated critical. Microsoft attributes the spike to AI-powered vulnerability discovery — a double-edged development, since attackers are using the same acceleration to weaponize known flaws at machine speed. The patch window is now down to one to three days by Microsoft's own guidance. Two confirmed zero-days are actively exploited within the July release. CVE-2026-56164 is a missing authentication flaw in SharePoint Server enabling privilege escalation and remote code execution. CISA has mandated federal agencies patch by July 17. CVE-2026-56155 targets Active Directory Federation Services, with Microsoft's own incident responders confirming active exploitation. A third zero-day, CVE-2026-50661, bypasses BitLocker via physical access. Separately, a researcher named Chaotic Eclipse released a working privilege escalation proof-of-concept called LegacyHive — an unpatched flaw affecting every Windows version post-July patch cycle. No fix is currently available. The structural theme across every story: AI is compressing both vulnerability discovery and exploitation timelines simultaneously. That is the operating environment defenders are now in. A YesWee production. This episode includes AI-generated content.

16. juli 20266 min
episode Patch Tuesday Record: 570 Fixes, 2 Zero-Days, One July 17 Deadline cover

Patch Tuesday Record: 570 Fixes, 2 Zero-Days, One July 17 Deadline

(00:00:00) Patch Tuesday Record: 570 Fixes, 2 Zero-Days, One July 17 Deadline (00:00:36) SharePoint Zero-Day — July 17 Deadline (00:01:50) Exchange RCE and BitLocker Bypass (00:02:39) AI Running Both Sides of the Fight (00:03:32) AI Reliability Gap in Defense (00:04:01) What to Watch Next Microsoft's July 2026 Patch Tuesday is a record-breaker: 570 security fixes, 57 rated critical, and two zero-days already under active exploitation. If you run SharePoint Server or Active Directory Federation Services, this episode tells you what to patch, in what order, and why the clock is running out. The most urgent flaw is CVE-2026-56164, a privilege escalation vulnerability in SharePoint Server that requires no credentials to exploit. CISA's remediation deadline is July 17. The second actively exploited vulnerability, CVE-2026-56155 in AD FS, requires an authenticated attacker but targets the identity backbone of most enterprise environments — CISA deadline July 28. Two other high-priority CVEs round out the picture: a heap-based buffer overflow in Exchange Server that turns any low-privilege credential into a potential remote code execution vector, and a BitLocker bypass requiring physical device access. Beyond patching, this episode covers the expanding role of AI on both sides of the security fight. Microsoft attributes much of the 570-fix volume to AI-assisted vulnerability discovery. On the attacker side, criminal groups are using AI across every phase of an intrusion — one actor reportedly generated 88,000 lines of ransomware toolkit code in a single week. When Western AI platforms block malicious requests, attackers pivot to DeepSeek, Qwen, and Trae, which carry weaker content guardrails. The defensive picture is mixed. A 2026 SANS survey found 63 percent of security practitioners report significant shortcomings in AI-driven detection, and two-thirds have been misdirected by an AI tool in the past year. Human review remains the essential control layer that current AI tooling cannot replace. Key watchpoints: the July 17 SharePoint deadline, incoming proof-of-concept code for Exchange and AD FS, and ESU licensing for Exchange 2016 and 2019 environments. This episode includes AI-generated content.

15. juli 20265 min
episode Joomla CVSS 10.0 Exploits, FSB Router Campaign & DHS Breach Missed Twice cover

Joomla CVSS 10.0 Exploits, FSB Router Campaign & DHS Breach Missed Twice

(00:00:00) Joomla CVSS 10.0 Exploits, FSB Router Campaign & DHS Breach Missed Twice (00:01:19) CMS Ecosystem Under Coordinated Pressure (00:02:03) Russian FSB Router Campaign Escalates (00:02:54) DHS Breach Missed Twice (00:03:30) Treasury Targets Ransomware Enablers (00:03:59) Django and Fake VPN Threats (00:04:32) Watchpoints and Closing Two Joomla extensions—iCagenda and Balbooa Forms—are carrying CVSS 10.0 scores and are actively being exploited right now. Both CVE-2026-48939 and CVE-2026-56291 enable unauthenticated remote code execution or arbitrary file upload, and both have landed on CISA's Known Exploited Vulnerabilities catalog. Patches exist. The question is whether administrators have applied them. Zooming out, Australia's cyber agency has issued warnings about coordinated, AI-accelerated exploitation targeting file upload and remote code execution flaws across WordPress, Joomla, and other CMS platforms—compressing the window between disclosure and weaponization. On the nation-state front, an 18-nation advisory led by the NSA details sustained Russian FSB Center 16 exploitation of CVE-2018-0171, an eight-year-old Cisco Smart Install vulnerability. The targeted sectors—defense, energy, healthcare, and government—are being hit not by cutting-edge zero-days, but by basic hygiene failures: default credentials and legacy configurations left open for years. At the Department of Homeland Security, attackers breached the Homeland Security Information Network and remained undetected for weeks, with live attack activity misclassified as a false positive twice. Attribution is unconfirmed; a classified Congressional briefing is scheduled. Treasury's OFAC has sanctioned ransomware infrastructure providers 1VPNS and Silayev—targeting the obfuscation ecosystem rather than front-line operators, marking a strategic escalation in financial enforcement. Rounding out today's briefing: a Django SQL injection flaw showing organised reconnaissance, and a fake Chinese VPN distributing GoodPersonRAT via malicious MSI installer. A YesWee production, built using AI technology. This episode includes AI-generated content.

14. juli 20266 min