Cybersecurity Daily: News & Threats

Check Point VPN Zero-Day, 44% Ransomware Surge & FBI Network Breach

4 min · 9. juni 2026
episode Check Point VPN Zero-Day, 44% Ransomware Surge & FBI Network Breach cover

Description

(00:00:00) Check Point VPN Zero-Day, 44% Ransomware Surge & FBI Network Breach (00:00:44) Ransomware Surge: 44% of Breaches (00:01:30) SMBs: 61% Breached, Zero Budget (00:02:05) Nation-State Infrastructure Attacks (00:02:34) FBI Breach and Open Source Compromise (00:03:08) ETHS Closure and Hasbro Outage A Qilin ransomware affiliate is actively exploiting CVE-2026-50751, an authentication bypass in Check Point's Remote Access and Mobile Access VPN products, with dozens of confirmed victims and no patch timeline announced. The vulnerability targets systems still running the deprecated IKEv1 protocol — an attack surface defined entirely by deferred maintenance. That campaign lands against a dramatically worsened ransomware landscape. New figures show ransomware now appears in 44% of all data breaches, up from 32% the prior year — a 38% year-over-year rise. The ransomware-as-a-service ecosystem currently tracks 95 active gangs, 55 new families emerged in the past year, and double extortion is now standard in 88% of incidents. Small businesses face the sharpest exposure: 88% of SMB breaches involve ransomware, 61% of small firms were hit in the past year, and yet 47% of companies with fewer than 50 employees maintain zero dedicated cybersecurity budget. Elsewhere, Russia-linked actors are targeting European energy and water infrastructure across Poland, Sweden, and Norway. Iranian hackers struck US water utilities and Stryker medical devices with destructive wiper malware. The FBI declared a major cyber incident after an unclassified network breach exposed surveillance target phone numbers, with attribution pointing to Chinese government actors. A supply chain compromise also backdoored widely-used open source tools including Trivy, Bitwarden, and Checkmarx, with downstream impact reaching OpenAI and Vercel. Evanston Township High School closed through Tuesday following a ransomware attack. Hasbro remains largely offline weeks after a March intrusion. Key watchpoints: Check Point customers on IKEv1 need to act now. The open source supply chain map is still incomplete. The FBI breach is an unresolved national security question. This episode includes AI-generated content.

Comments

0

Be the first to comment

Sign up now and become a member of the Cybersecurity Daily: News & Threats community!

Get Started

1 month for 9 kr.

Then 99 kr. / month · Cancel anytime.

  • Podcasts kun på Podimo
  • 20 lydbogstimer pr. måned
  • Gratis podcasts

All episodes

64 episodes

episode ShareFile Shutdown, JADEPUFFER Returns & Samsung's 57-Patch Sprint artwork

ShareFile Shutdown, JADEPUFFER Returns & Samsung's 57-Patch Sprint

(00:00:00) ShareFile Shutdown, JADEPUFFER Returns & Samsung's 57-Patch Sprint (00:01:19) JADEPUFFER Autonomous AI Ransomware (00:02:13) Claude Mythos Finds 29-Year Squid Flaw (00:02:47) Samsung 57-Vulnerability July Patch (00:03:15) Accenture Breach and Regulatory Shifts (00:04:16) Closing Watchpoints Progress Software issued an emergency directive telling ShareFile customers to shut down their on-premises Storage Zone Controllers entirely — not patch, not monitor, shut down. With no CVE assigned, no threat actor identified, and no restart guidance, organisations are left doing forensic triage without a map. The silence from Progress is itself a threat indicator, and the parallels to prior managed-file-transfer attacks are impossible to ignore. Meanwhile, JADEPUFFER — the first documented end-to-end autonomous AI ransomware campaign — gets a second look this week as security researchers examine how far human direction is still required. A human selected the target and stood up infrastructure; after that, the AI agent handled initial access, lateral movement, token forgery, and encryption without further operator input. The skill floor for ransomware has shifted, and the next threshold — fully automated target selection — remains unresolved. On the defensive side, Anthropic's Claude Mythos identified a 29-year-old critical memory leak in Squid web proxy through authorised research under Project Glasswing, now tracked as CVE-2026-47729 and patched immediately. Samsung's July security update pushes fixes for 57 vulnerabilities on Galaxy Z Fold 7 and Z Flip 7, including Adobe DNG flaws already weaponised by commercial spyware operators. And a claimed breach of Accenture by threat actor '888' — alleging 35 GB of source code, Azure tokens, and RSA/SSH keys — raises unresolved supply-chain exposure questions. Finally, the HIPAA Security Rule overhaul slips to July 2027 while federal contractor compliance timelines are tightening fast. This episode includes AI-generated content.

12. juli 20265 min
episode JADEPUFFER Autonomous Ransomware, RoguePlanet Patch & CIRCIA Deadline artwork

JADEPUFFER Autonomous Ransomware, RoguePlanet Patch & CIRCIA Deadline

(00:00:00) JADEPUFFER Autonomous Ransomware, RoguePlanet Patch & CIRCIA Deadline (00:00:48) CVE Volume Strains Security Teams (00:01:15) JADEPUFFER Autonomous Ransomware (00:02:04) Meta Acquires Virtue AI Red Team (00:02:36) Miinto Ecommerce Breach (00:03:05) CIRCIA Reporting Rule September Deadline This episode covers five major cybersecurity developments that define the week's threat landscape. The headline story is JADEPUFFER — a fully autonomous ransomware operation documented by Sysdig in which a large language model drove the entire attack lifecycle, from initial access through encryption, with no human operator directing it. The credential theft enabling the campaign came from LLMjacking, stolen cloud API keys used to run the AI agent. JADEPUFFER is no longer theoretical. It collapses the skill floor for ransomware and demands an immediate reassessment of enterprise threat models. Microsoft patched CVE-2026-50656, dubbed RoguePlanet, a privilege escalation flaw in Microsoft Defender that allowed System-level access. Proof-of-concept code was circulating before the fix. Researcher Nightmare-Eclipse tied RoguePlanet to a recurring pattern of race condition bugs in Defender — a structural problem, not a one-off finding. June's patch release also topped 200 CVEs, pushing security teams to abandon traditional triage in favour of patch-everything policies. Meta acquired adversarial AI safety firm Virtue AI, folding its red team into Superintelligence Labs. Virtue AI had previously worked with Anthropic, NVIDIA, Uber, and Microsoft. Whether that external independence survives an internal role remains an open question. Danish fashion retailer Miinto confirmed a breach of its order management system, exposing customer names, addresses, emails, and payment method types. The company is warning customers of targeted phishing using stolen order data. Finally, CISA projects a September final rule for CIRCIA — mandating 72-hour incident reporting across 16 critical sectors and a 24-hour window for ransomware payment disclosure, covering roughly 300,000 entities. A YesWee production. Built using AI technology. This episode includes AI-generated content.

Yesterday4 min
episode Defender's 29-Day Patch Gap, MRU Ransomware & Cyber Insurance Controls artwork

Defender's 29-Day Patch Gap, MRU Ransomware & Cyber Insurance Controls

(00:00:00) Defender's 29-Day Patch Gap, MRU Ransomware & Cyber Insurance Controls (00:01:14) Mount Royal University Ransomware (00:02:15) Student Data Left Unprotected (00:03:01) Delete-After-Steal Breaks Backup Logic (00:03:19) Cyber Insurance Tightening Controls A critical privilege escalation flaw in Windows Defender's Malware Protection Engine went unpatched for 29 days after a public proof-of-concept dropped — and that gap is more than a statistic. Researcher Nightmare Eclipse published the exploit for CVE-2026-50656, rated CVSS 7.8, while Microsoft assessed it as "Exploitation More Likely." The fix is now live in engine version 1.1.26060.3008, but security teams need to verify deployment across every endpoint. Three of Nightmare Eclipse's prior Defender disclosures — BlueHammer, RedSun, and UnDefend — were each weaponised in live attacks before patches arrived. A fifth disclosure is claimed for July 14. Meanwhile, ransomware group CMD Organization claims to have exfiltrated 10 terabytes from Mount Royal University, then deleted the contents of the H drive entirely. Their demand: $1.9 million — more than three times their typical ask. The delete-after-steal tactic breaks the standard backup-and-restore defence model. You can recover files; you cannot un-expose data an adversary already holds. Student passport scans were published as proof of access, yet the university's credit monitoring offer covered employees only — a compliance and reputational risk in one move. Rounding out today's briefing: cyber insurers have abandoned the checkbox questionnaire model. Coverage now requires documented, verifiable proof of MFA, endpoint detection and response tooling, and active incident response plans. The gap between what organisations document and what they actually run is where claims are increasingly denied. Patch, verify, and revisit any backup-centric assumptions before your next renewal. This episode includes AI-generated content.

10. juli 20264 min
episode GhostLock, Accenture Azure Breach & CISA's 48-Hour Patch Deadline artwork

GhostLock, Accenture Azure Breach & CISA's 48-Hour Patch Deadline

(00:00:00) GhostLock, Accenture Azure Breach & CISA's 48-Hour Patch Deadline (00:00:36) Joomla Web Shell Exploitation (00:01:20) Langflow IDOR Credential Harvesting (00:02:18) GhostLock Linux Kernel Flaw (00:03:06) Accenture Breach Supply Chain Risk (00:03:33) AssuranceAmerica and Apple Patch Velocity (00:04:10) Closing Watchpoints A 48-hour federal patch deadline, a 15-year-old Linux kernel flaw with public exploit code, and a confirmed breach at one of the world's largest consultancies — today's briefing covers the most consequential cybersecurity developments of July 8, 2026. CISA added four actively exploited vulnerabilities to its Known Exploited Vulnerabilities catalog, giving federal civilian agencies until July 10 to remediate flaws in Adobe ColdFusion, Joomla's Page Builder, JoomShaper's SP Page Builder, and the AI workflow platform Langflow. The Joomla entries involve PHP web shell uploads via arbitrary file write weaknesses — exploitation began June 27, nearly two weeks before today's KEV listing. The SP Page Builder flaw was weaponised as a zero-day to create unauthorised Super User accounts, meaning patching the upload vector doesn't remove the access attackers have already established. Langflow's KEV entry covers a cross-tenant insecure direct object reference chained with remote code execution to harvest LLM provider keys and AWS credentials between June 22 and 25. This is the seventh documented Langflow vulnerability in 18 months. Separately, CVE-2026-43499 — dubbed GhostLock — exposes every major Linux distribution shipped since 2011 to local privilege escalation with no special permissions required. Working exploit code is public. Patch distribution across Ubuntu LTS versions remains incomplete. Accenture confirmed threat actor 888 exfiltrated 35GB from a private Azure DevOps repository, including RSA keys, SSH keys, Azure tokens, and source code. Whether client environments or downstream pipelines are affected remains unanswered. Also covered: AssuranceAmerica's 6.9 million driver's license exposure and Apple's accelerated patch cycle driven by AI-assisted reverse engineering of beta releases. This episode includes AI-generated content.

9. juli 20265 min
episode Iran's Cavern Framework, KDDI 12M Breach & Supply Chain Backdoors artwork

Iran's Cavern Framework, KDDI 12M Breach & Supply Chain Backdoors

(00:00:00) Iran's Cavern Framework, KDDI 12M Breach & Supply Chain Backdoors (00:00:58) MuddyWater Shifts From Scanning to Stealing (00:01:29) DHS Platform Breach, World Cup Exposure (00:02:05) KDDI Exposes 12 Million Customer Records (00:02:37) Supply Chain Backdoors Hit OpenAI and Vercel (00:03:15) Ransomware Refuses to Break Even (00:04:06) What to Watch Next Iranian state-sponsored hackers are making headlines on two fronts today. The Cavern C2 framework — attributed to a group tied to Iran's Ministry of Intelligence — has been exposed as a modular, purpose-built espionage platform targeting Israeli IT providers and government entities, built with deliberate anti-analysis features. Simultaneously, MuddyWater has shifted gears: after scanning more than twelve thousand internet-exposed systems, the group is now executing targeted credential harvesting and data exfiltration across Middle East aviation, energy, and government sectors. On the government breach front, the Department of Homeland Security is investigating a compromise of an unclassified interagency platform, with World Cup security planning materials potentially exposed — a significant operational intelligence risk. Japanese telecom giant KDDI disclosed a breach affecting 12.2 million customer email addresses and 7.6 million passwords, traced to a third-party software vulnerability — the same supply chain attack pattern that also surfaced in the compromise of Aqua Security's Trivy, Bitwarden, and Checkmarx. Those backdoored tools allowed credential theft from developer machines, with downstream impact reaching OpenAI and Vercel. Finally, ransomware now appears in 44 percent of all data breaches — up from 32 percent — yet 64 percent of victims are refusing to pay, and total tracked crypto ransom payments fell 35 percent year-over-year. The economics of extortion are shifting. This is your essential daily briefing on the threats, breaches, and attacker moves shaping the global security landscape. This episode includes AI-generated content.

8. juli 20265 min