Cybersecurity Daily: News & Threats

Podcast by YesOui

English

News & politics

About Cybersecurity Daily: News & Threats

Cybersecurity Daily — daily news briefing covering the most important cybersecurity events from the past 24 hours. Data breaches, vulnerability disclosures, ransomware, nation-state attacks, zero-days, regulatory actions, and enterprise security news. 6-10 stories per episode. Factual, technical where necessary, accessible to security professionals and informed non-specialists. Global scope.

All episodes

41 episodes

INC Ransomware Hits 830 Victims, FortiBleed & Oracle 245-Patch CPU

  • (00:00:00) INC Ransomware Hits 830 Victims, FortiBleed & Oracle 245-Patch CPU
  • (00:01:11) Veeam Backup Credential Dumper
  • (00:01:38) RoguePlanet Defender Zero-Day
  • (00:02:20) FortiBleed — 30K Firewalls Compromised
  • (00:03:00) FortiSandbox Active Exploitation
  • (00:03:22) Oracle Patches and Closing Watch Points

INC ransomware has rewritten its encryptors in Rust — and the operational implications are significant. With over 830 victims since August 2023 and more than 120 incidents in Q1 2026 alone, INC now ranks fourth among the most prolific ransomware operations globally. The Rust rewrite delivers cross-platform capability and binary hardening that makes reverse engineering substantially harder. Critically, INC's updated credential dumper now bypasses salted DPAPI encryption in newer Veeam backup deployments — eliminating what many defenders considered a last line of recovery.

Microsoft has confirmed a fourth zero-day in the Malware Protection Engine attributed to the same researcher, Chaotic Eclipse. CVE-2026-50656 carries a CVSS of 7.8 and enables privilege escalation. A public proof-of-concept is already live, with no patch timeline disclosed — a window of real exposure for every unpatched Windows environment.

Fortinet is facing pressure on two fronts simultaneously. The FortiBleed campaign has compromised 30,791 firewalls across 194 countries using credential reuse and SSL-VPN interception, backed by over 1.16 billion password-spray attempts attributed to a Russian-speaking threat actor. Separately, three FortiSandbox vulnerabilities — all CVSS 9.1 — are under active exploitation, with one showing signs of AI-assisted exploit development.

Oracle's June Critical Patch Update covers 245 vulnerabilities, with 106 patches for Fusion Middleware alone — 53 of them remotely exploitable without credentials. For security teams, prioritisation is not optional this cycle.

All stories are sourced from public disclosures, vendor advisories, and threat intelligence reporting from the past 24 hours. This episode includes AI-generated content.

19 Jun 2026 - 4 min

ShinyHunters' Kodak Deadline, 24B Credential Dump & Vertex AI Patch

  • (00:00:00) ShinyHunters' Kodak Deadline, 24B Credential Dump & Vertex AI Patch
  • (00:01:01) Kodak ShinyHunters June Deadline
  • (00:01:58) 24 Billion Record Mega-Dump
  • (00:02:44) ICAI Exam Portal Allegations
  • (00:03:30) Key Watchpoints Going Forward

Three high-stakes cybersecurity stories dominate today's briefing — and one of them is on a countdown clock.

ShinyHunters has set a June 18 deadline for Kodak to make contact or face publication of 2.2 million customer records. Kodak has confirmed unauthorised access but characterises it as limited, while ShinyHunters has yet to release a proof sample. That ambiguity is deliberate. The group has followed through on publication threats before — most recently after 7-Eleven negotiations stalled — and with 64% of organisations now refusing ransom payment, Kodak's response will serve as a live benchmark for corporate extortion posture.

Separately, researchers uncovered an exposed Elasticsearch cluster containing roughly 24 billion credentials aggregated from 36 sources. The alarming detail is composition: a substantial portion originates from fresh infostealer logs harvesting plaintext passwords and session tokens from active infections today — not just historical breach archives. The cluster has been taken offline, but the data's onward movement is likely already in progress.

On the vulnerability side, Google patched a race-condition flaw in the Vertex AI SDK (version 1.148.0, released April 15) that allowed attackers to intercept ML models mid-upload via predictable staging bucket names. The exploit window was approximately 2.5 seconds — enough to swap in pickle- or joblib-serialised payloads and harvest cross-tenant OAuth tokens. This is the second predictable-bucket-name flaw patched in Vertex AI this year, suggesting a systemic design pattern rather than an isolated bug.

Finally, unverified social media claims allege a threat actor obtained superadmin access to India's ICAI chartered accountancy exam portal hours before results were due. No technical evidence has been published. Track it — don't act on it yet.

A YesWee production. This episode includes AI-generated content.

Yesterday - 4 min

PeopleSoft CVE-2026-35273 Exploited, Healthcare Costs Hit $11M & Ransomware at 44%

  • (00:00:00) PeopleSoft CVE-2026-35273 Exploited, Healthcare Costs Hit $11M & Ransomware at 44%
  • (00:00:57) University of Nottingham Breach Confirmed
  • (00:01:53) Healthcare Breach Costs Hit Record
  • (00:02:37) Ransomware Now 44% of All Breaches
  • (00:03:05) North Korean Developer Supply Chain Campaign
  • (00:03:36) Samsung Patch and CISA Restructure
  • (00:04:15) What to Watch Next

A CVSS 9.8 zero-day in Oracle PeopleSoft — CVE-2026-35273 — is being actively exploited with no permanent patch in sight, making it one of the most urgent enterprise vulnerabilities in circulation right now. The ShinyHunters threat group claims 300 compromised instances; independent verification puts confirmed victims above 100, with federal agencies already past their remediation deadline. Oracle's emergency mitigation guidance is all organizations have to work with for now.

Among the confirmed victims, the University of Nottingham has disclosed a breach affecting 454,600 student records — personal data, academic records, billing, and financial aid. The university declined the ransom demand, triggering public disclosure. It's the right call structurally, even if costly: 80% of organizations that pay are attacked again within 12 months.

The broader breach landscape is shifting. Ransomware now accounts for 44% of all data breaches, up from 32% the prior year. Double extortion is standard practice. Meanwhile, healthcare breach costs have reached a record $11.2 million per incident — 2.5 times the global average — driven by high-value medical records, HIPAA penalties, and legacy system exposure windows averaging 241 days.

Elsewhere, a North Korean-linked supply chain campaign is targeting developers via fake LinkedIn recruiters and malicious npm packages with post-install backdoors. Samsung's June update patches 45 vulnerabilities across Galaxy devices. And CISA has appointed Scott Breor to lead its Infrastructure Security Division as the agency enters a workforce expansion phase.

Key watchpoints: Oracle's patch timeline for CVE-2026-35273, and whether the ShinyHunters victim count climbs as forensic reviews complete. This episode includes AI-generated content.

17 Jun 2026 - 5 min

4 Zero-Days Live: Chrome V8, RoguePlanet, UniFi Root Chain & Splunk RCE

  • (00:00:00) 4 Zero-Days Live: Chrome V8, RoguePlanet, UniFi Root Chain & Splunk RCE
  • (00:00:48) Microsoft Defender RoguePlanet Zero-Day
  • (00:01:34) UniFi OS Three-CVE Root Access Chain
  • (00:02:17) Splunk Enterprise Unauthenticated Code Execution
  • (00:02:43) Arch Linux AUR Supply Chain Compromise
  • (00:03:15) Breach Costs and AI Attack Adoption
  • (00:04:05) Closing Watchpoints

Four critical zero-days are being exploited in the wild at the same time — and today's briefing breaks down every one of them.

Chrome's CVE-2026-11645 lives in the V8 JavaScript engine and enables code execution in the browser process. Active exploitation is confirmed. Microsoft's Defender carries a privilege-escalation zero-day dubbed RoguePlanet, granting SYSTEM-level access on fully patched Windows machines — a sobering failure of the last defensive layer. Three chained vulnerabilities in UniFi OS (CVE-2026-34908, 34909, 34910) deliver unauthenticated root access across enterprise networking hardware, with confirmed malware deployments already in the wild. And Splunk Enterprise, the backbone of many security operations centres, has an unauthenticated remote code execution flaw — CVE-2026-20253 — turning threat-detection infrastructure into an attack surface.

Elsewhere, over 400 packages in the Arch Linux AUR were hijacked to push infostealer malware and an eBPF rootkit into developer environments, extending a supply-chain attack trend that has doubled year-over-year.

The economic picture sharpens the urgency. US data breach costs have hit an all-time high of $10.22 million on average — more than double the global figure. AI-generated phishing is now involved in 37% of breaches. Organisations using AI for detection close the gap in 51 days versus the global average of 241, a difference worth $1.9 million per incident.

Patching is not optional today. Prioritise Chrome, Defender, UniFi, and Splunk — in any order, as fast as your change windows allow. This episode includes AI-generated content.

16 Jun 2026 - 5 min

5 Zero-Days Live, Wormable RDP & AUR Supply-Chain Compromise

  • (00:00:00) 5 Zero-Days Live, Wormable RDP & AUR Supply-Chain Compromise
  • (00:00:49) AI Features Introduce New Zero-Days
  • (00:01:32) Patch Overload and Regression Risk
  • (00:02:07) BitLocker Under Pressure
  • (00:02:48) Atomic Arch AUR Supply-Chain Attack
  • (00:03:38) Supply-Chain Trust as the Real Target

Microsoft has shipped the largest Patch Tuesday in its history: roughly 200 security fixes in a single cycle, five of them already under active exploitation at the moment of disclosure. Today's episode breaks down what actually matters in this release and what enterprises need to act on first.

The two critical vulnerabilities demanding immediate attention are CVE-2026-4341, a no-auth, no-interaction remote code execution flaw in the Common Log File System spreadable via malicious SMB shares, and CVE-2026-4245, a wormable unauthenticated RDP vulnerability capable of cross-domain propagation. Both are precisely the primitives ransomware operators weaponise at scale.

Two of June's zero-days trace not to legacy code but to Microsoft Copilot and Recall — AI features that introduced new kernel interfaces shipped under competitive pressure and without full hardening cycles. This pattern signals an expanding attack surface with every AI feature release.

The sheer volume of 200 fixes also creates regression risk. Documented side effects this cycle include Intel 12th and 13th-gen performance drops, EDR false positives, and BitLocker recovery loops on Surface devices. Separately, CVE-2026-4402 confirms a physical-access BitLocker key extraction via TPM, requiring TPM firmware updates and full drive re-encryption across fleets.

Finally, a Sonatype-tracked supply-chain campaign dubbed Atomic Arch has compromised over 400 Arch Linux AUR packages by hijacking the legitimate orphaned-package adoption process, injecting malicious build scripts, and deploying an eBPF rootkit that evades standard process inspection tools. Targeted credentials include GitHub tokens, npm tokens, and Slack session data exfiltrated via Tor.

A YesWee production. Built using AI technology. This episode includes AI-generated content.

14 Jun 2026 - 5 min