The 24-hour period ending June 25, 2026 saw significant cybersecurity activity across multiple domains. Law enforcement disruption of criminal infrastructure continued with the takedown of StealC and Amadey malware operations by Microsoft and Europol, targeting over 300 servers in a coordinated action against cybercrime-as-a-service infrastructure. Multiple critical vulnerabilities were disclosed affecting widely deployed platforms including Cacti (CVE-2026-39955, CVE-2026-39938 and CVE-2026-39893, each CVSS 9.8), Gogs (CVE-2026-52813, CVSS 10.0), and several other components with remote code execution flaws. Active exploitation was confirmed for Cisco SD-WAN (CVE-2026-20245) and Ubiquiti UniFi OS vulnerabilities, with attackers gaining root-level access months before public disclosure.
Ransomware activity remained elevated with Nova and Akira groups claiming multiple victims including LP Group, Miami Machine, and JIT-EX logistics. The data breach landscape saw significant developments with Madison Square Garden Sports suffering a ShinyHunters extortion campaign exposing 9.8 million records including customer service data and personal information. LastPass disclosed another breach involving customer support case data following their 2022 incident, while Tata Electronics and Bajaj Auto confirmed ransomware incidents. The period also featured a critical vulnerability in AngularJS (CVE-2026-11998) affecting Strict Contextual Escaping that could lead to widespread client-side exploitation.
Multiple critical severity vulnerabilities disclosed including pre-authentication SQL injection, remote code execution, and authentication bypass flaws across enterprise platforms
Critical severity vulnerability (CVSS 10.0) in Gogs self-hosted Git service allows organization names containing path traversal sequences (../) to cause repositories to be written at arbitrary filesystem locations, enabling complete system compromise. Fixed in version 0.14.3.
Three critical CVSS 9.8 vulnerabilities in Cacti performance framework allow unauthenticated attackers to achieve SQL injection via unanchored regex validation in graph_view.php, LFI through graph_theme, and unsanitized RLIKE clauses. Versions 1.2.30 and prior affected; fixed in 1.2.31.
Mandiant reveals attackers exploited Cisco Catalyst SD-WAN vulnerability in zero-day attacks to create rogue root accounts on targeted devices. Exploitation involved rogue peering to connect to victim SD-WAN infrastructure and gain admin privileges, occurring two months before vendor disclosure.
U.S. CISA added maximum severity Ubiquiti UniFi OS vulnerabilities and Lantronix serial-to-ethernet server flaws to KEV catalog, confirming active exploitation in the wild. Organizations must prioritize patching of network infrastructure devices.
Critical CVSS 9.1 vulnerability allows unauthenticated attackers to obtain valid OAuth access tokens for arbitrary users by sending HTTP POST with MongoDB NoSQL injection payload. Affects versions prior to 8.5.0, 8.4.1, 8.3.3, and multiple legacy branches.
Several critical (CVSS 9.0-9.9) stored XSS vulnerabilities in SiYuan personal knowledge management system escalate to RCE in Electron desktop client. Flaws affect attribute-view rendering, CSS snippets, and marketplace card serialization. Fixed in version 3.7.0.
Critical CVSS 9.9 RCE vulnerability in Gogs allows authenticated users to inject --exec flag into git rebase command during pull request merge operations by crafting special branch names. Enables arbitrary command execution on server. Fixed in 0.14.3.
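As an added defensive illustration (example code written for this briefing, not Gogs or Cacti code), the following Go snippet shows the input checks that address the two Gogs items above and the unanchored-regex mistake noted for Cacti: organization names are confined to a single path component and the resulting path is checked against the repository root, and branch names that git could read as options are rejected before a rebase command line is built. The names ValidOrgName, RepoPath, ValidBranchName and RebaseArgv are hypothetical.

```go
package main

import (
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Hypothetical checks written for this example; not Gogs or Cacti code.
// unanchoredRe repeats the Cacti-style mistake: without ^ and $ it only has
// to match somewhere in the input, so "../x" still "validates".
var unanchoredRe = regexp.MustCompile(`[A-Za-z0-9_]+`)

// anchoredRe requires the whole input to be one safe path component.
var anchoredRe = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._-]*$`)

// ValidOrgName accepts only a single plain path component.
func ValidOrgName(name string) bool {
	return anchoredRe.MatchString(name) && name != "." && name != ".."
}

// RepoPath joins root/org/repo.git and refuses any result outside root,
// a second line of defence if a caller skips ValidOrgName.
func RepoPath(root, org, repo string) (string, error) {
	if !ValidOrgName(org) || !ValidOrgName(repo) {
		return "", fmt.Errorf("invalid org or repo name")
	}
	root = filepath.Clean(root)
	p := filepath.Join(root, org, repo+".git")
	if !strings.HasPrefix(p, root+string(filepath.Separator)) {
		return "", fmt.Errorf("%q escapes %q", p, root)
	}
	return p, nil
}

// ValidBranchName rejects names git would read as an option (a leading "-",
// which is how an --exec flag gets smuggled in) or that break ref syntax.
func ValidBranchName(name string) bool {
	return name != "" && !strings.HasPrefix(name, "-") &&
		!strings.HasSuffix(name, "/") && !strings.HasSuffix(name, ".lock") &&
		!strings.Contains(name, "..") && !strings.Contains(name, "//") &&
		!strings.ContainsAny(name, " \t\n~^:?*[\\")
}

// RebaseArgv builds the git argument vector only from validated names.
func RebaseArgv(upstream, branch string) ([]string, error) {
	if !ValidBranchName(upstream) || !ValidBranchName(branch) {
		return nil, fmt.Errorf("invalid branch name")
	}
	return []string{"git", "rebase", upstream, branch}, nil
}
```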
Two critical vulnerabilities in OpenAM enable pre-authentication remote code execution through Java deserialization in WebAuthn storage (CVSS 9.2) and user profile tampering via anonymous SOAP authentication (CVSS 9.3) in Liberty IDPP endpoints.
Flaw in AngularJS Strict Contextual Escaping logic allows bypassing SCE policies for resource URLs, leading to arbitrary JavaScript execution in victim browser sessions. Affects core AngularJS security model with widespread impact potential.
Critical FFmpeg vulnerability discovered that allows attackers to compromise systems using malicious video files. The flaw affects video processing pipelines and could be exploited through user-uploaded content.
Major law enforcement action dismantles infostealer operations while new malware campaigns targeting browser extensions and backdoors emerge
Microsoft, Europol, and international law enforcement partners disrupted infrastructure used by Amadey and StealC infostealer operations, targeting over 300 servers. Action represents coordinated attack on cybercrime-as-a-service supply chain, including loader malware and credential theft operations.
Microsoft Edge extension dubbed 'Edgecution' used in ransomware attack to escape browser sandbox and deploy Python-based backdoor. Technique abuses Native Messaging feature to bridge browser extension to native malware, representing novel attack vector.
New stealthy backdoor named Mistic observed in financially-motivated attacks targeting insurance, education, IT, and professional services sectors. Malware linked to KongTuke ransomware access broker operations, indicating initial access facilitation for ransomware deployment.
Multiple domains (deznyllcf.top, thedon1.ink) distributing malicious ConnectWise ScreenConnect client installers. Attackers leveraging legitimate remote access tool for persistent access and lateral movement capabilities.
Extensive Mirai botnet variant distribution from genddos.st domain targeting multiple architectures (x86, ARM, MIPS, PowerPC, SH4, M68K). Campaign includes Android APK droppers and ELF binaries for IoT device compromise across diverse hardware platforms.
Multiple Mozi botnet malware distribution URLs detected serving 32-bit ELF MIPS binaries. Infrastructure at IP addresses 221.15.11.0, 42.229.217.167, 27.44.145.175, 123.14.244.83, and 201.110.60.159 actively distributing IoT botnet malware targeting embedded devices.
Major breach at Madison Square Garden Sports exposes 9.8M records, while LastPass suffers another incident and multiple ransomware victims leak sensitive corporate data
Sports and entertainment company Madison Square Garden Sports targeted in ShinyHunters pay-or-leak extortion campaign. Published data includes 9,796,738 unique email addresses spanning staff and customers, along with names, phone numbers, physical addresses, and extensive customer service records. Represents significant exposure of customer and employee PII.
Password manager LastPass notifying customers of data breach involving customer support case data during compromise of third-party vendor Klue. Incident follows 2022 breach settlement and represents continued security challenges for password management platform.
Investigation reveals MSG hackers called low-level employee and tricked them into providing system access, resulting in 45GB data cache theft. Demonstrates effectiveness of social engineering against service desk personnel as initial access vector.
Portuguese construction and logistics company LP Group (lpgroup.pt) compromised by Nova ransomware group. Company has completed 1 million square meters of commercial and logistics projects since 2006. Threat actors claim to possess comprehensive data profile including sensitive business information.
Indian electronics manufacturer Tata Electronics confirmed targeted cyberattack impacting parts of IT infrastructure. Company emphasizes operations continued normally, but attackers leaked stolen data indicating successful compromise of corporate systems.
Indian automotive giant Bajaj Auto disclosed ransomware incident in regulatory filing. Company became aware Tuesday morning and implemented precautionary containment measures. Impact assessment ongoing for major manufacturing operation.
Memphis and Nashville-based trucking company JIT-EX, LLC compromised by Akira ransomware. Company specializes in regional truckload services, dedicated fleets, and crossdock solutions. Threat actors threaten to upload compromised logistics and operational data.
Miami Machine Inc., specializing in machining and fabrication for paper, power, and steel markets, targeted by Akira ransomware. Company operates 86,000 sq ft manufacturing facility with over 50 years experience. Custom machinery and equipment data at risk.
Horizon Eye Care, a group comprising independent optometric clinics across North America, hit by Incransom ransomware. The network offers comprehensive eye examinations, surgical procedures (LASIK, cataracts), and contact lens services. Patient data and medical records potentially compromised.
ShinyHunters extortion continues, BreachForums ecosystem implodes, and DraftKings hacker sentenced while ransomware groups remain highly active
Microsoft touted action against SocGholish malware infrastructure alongside StealC and Amadey takedowns. Operation targets full cybercrime supply chain including drive-by download frameworks used for initial access. Europol reports over 300 servers disrupted.
BreachForums clone at breached[.hn] listed for sale at $3k USD then rapidly shut down, citing fears of ShinyHunters threat actor group. Represents continued instability in underground forum ecosystem following original BreachForums takedown.
21-year-old using alias 'Snoopy' sentenced to 18 months in prison for role in hacking DraftKings accounts during November 2022 cyberattack. Case demonstrates law enforcement capability to identify and prosecute account takeover operations.
Social engineering targeting service desks, macOS security bypass, and malicious AI marketplace packages highlight evolving attacker methodologies
Analysis from Specops Software reveals service desks remain favored target for attackers seeking password resets, MFA changes, and corporate account access. Organizations lack adequate controls to verify caller identity before making critical security changes, enabling widespread account takeover.
Security gap in macOS enables attackers to disable security and integrated browser tools without requiring administrator privileges or kernel exploits. Vulnerability undermines endpoint protection and monitoring capabilities on Apple systems.
OpenClaw removed five packages from ClawHub skills marketplace that bypassed security checks despite containing infostealers and other threats. Incident highlights supply chain risks in AI agent marketplaces and automated skill installation mechanisms.
Calls for CISO code of ethics emerge amid concerns over self-dealing and conflicts of interest in cybersecurity leadership
Robert 'RSnake' Hansen argues for formal CISO code of ethics citing concerns over kickbacks, no-show jobs, problematic VC relationships, and shelfware purchases. Commentary highlights potential conflicts of interest that could compromise enterprise and national security.
Persistent cybercrime, social engineering, and infrastructure threats continue targeting FIFA 2026 World Cup across US, Canada, and Mexico. Large-scale sporting events present attractive targets for threat actors seeking financial gain and disruption.
New forensic techniques and methodologies published for RAID analysis, memory forensics, and vehicle location tracking
Forensic Focus publishes guidance on handling unlabeled RAID drives with no documentation during DFIR investigations. Article covers common mistakes investigators make that can compromise evidence integrity when dealing with complex storage arrays.
Latest DFIR developments include AI tools for digital investigations, SQLite forensic recovery techniques, memory forensics workflows, and vehicle location analysis methodologies. Round-up covers emerging technologies and investigative approaches.
These briefings are compiled from publicly available threat-intelligence feeds, which may include CISA KEV, NIST NVD, the GitHub Advisory Database (OSV), abuse.ch, and Wordfence Intelligence. Data-breach and credential-leak items may include data from Have I Been Pwned and ransomware.live.
CVE® is a registered trademark of The MITRE Corporation. CVE Records are © The MITRE Corporation, reproduced under the CVE Program Terms of Use. WordPress vulnerability data is provided by Wordfence Intelligence, © Defiant, Inc. Breach data from Have I Been Pwned is licensed under CC BY 4.0.