Daily Drop (1315)
06-10-26
Wednesday, Jun 10, 2026 // Ghostwire
Iraq Imposes Nationwide Internet Shutdown During School Exams, Leaving Most of Country Offline
Bottom Line Up Front (BLUF): Network monitoring data show Iraq has again implemented a broad internet shutdown during national school examinations, disconnecting much of the country for approximately two hours. The recurring measure, which excludes parts of northern Iraq, is intended to prevent exam cheating and question-paper leaks but continues to disrupt businesses, communications, and online services nationwide.
Analyst Comments: While authorities argue the shutdowns protect exam integrity, the approach creates significant economic and operational disruption while offering only a temporary barrier against determined cheaters. The practice also highlights how internet shutdowns remain a readily available policy tool in some regions, despite growing criticism from digital rights groups and the private sector. Organizations operating in Iraq should continue to anticipate periodic connectivity disruptions during examination periods and ensure contingency plans are in place.
READ THE STORY: Telegram
Internet Society Research Shows Most Web Content Still Hosted Outside Many Countries
Bottom Line Up Front (BLUF): New Internet Society Pulse research found that web traffic locality varies dramatically by country, with the United States, Japan, Brazil, Spain, and South Africa serving most popular web content domestically, while many developing markets remain heavily dependent on foreign-hosted infrastructure. The findings underscore persistent concentration of global Internet infrastructure in a handful of countries, particularly the United States, Germany, and France.
Analyst Comments: When websites, applications, and embedded resources are hosted closer to users, networks become faster, cheaper to operate, and less vulnerable to international transit disruptions. The study also highlights a reality often overlooked in web-hosting discussions: a website may appear local while most of its actual content, including advertisements, analytics, video, and third-party services, is delivered from overseas infrastructure. South Africa's role as a regional hub for neighboring African countries demonstrates how strategic investments in data centers, CDNs, and Internet Exchange Points (IXPs) can improve resilience even when content is not hosted within a user's home country. As geopolitical tensions, submarine cable outages, and infrastructure concentration risks continue to grow, expect governments and network operators to place greater emphasis on keeping traffic local or regional.
READ THE STORY: Pulse
ICS Patch Tuesday: Siemens, Schneider Electric, and Phoenix Contact Address OT Security Flaws
Bottom Line Up Front (BLUF): June’s ICS Patch Tuesday brought a relatively light month of disclosures, with Siemens, Schneider Electric, and Phoenix Contact releasing advisories covering vulnerabilities ranging from denial-of-service (DoS) and information disclosure to authenticated command execution and credential exposure. While no major critical OT vulnerabilities dominated this cycle, organizations should prioritize patching systems that could enable remote code execution, privilege escalation, or credential compromise within industrial environments.
Analyst Comments: Credential exposure, information leakage, and authenticated command execution flaws may not generate the same attention as critical RCEs, but they frequently serve as the footholds attackers use to establish persistence and move deeper into OT networks. Of particular note is Siemens’ remediation of an OpenSSL vulnerability affecting multiple industrial product lines. The continued presence of third-party software flaws within ICS products highlights the supply chain challenge facing industrial operators, where vulnerabilities in widely used libraries can ripple across numerous operational technologies simultaneously.
READ THE STORY: Security Week
Trump AI National Security Memo Accelerates Adoption but Leaves Key Governance Questions Unanswered
Bottom Line Up Front (BLUF): President Trump's National Security Presidential Memorandum 11 (NSPM-11) directs U.S. national security agencies to rapidly expand AI adoption while rolling back portions of the Biden administration's oversight framework. The directive emphasizes military accountability, government control over deployed AI systems, and reduced dependence on individual AI vendors, but leaves unresolved questions about who ultimately determines the legal boundaries of AI use in national security operations.
Analyst Comments: The most consequential provision may not be the acceleration of AI adoption itself, but the requirement that contractors cannot unilaterally restrict or disable government use of deployed systems. That language appears aimed squarely at ongoing tensions between the Pentagon and frontier AI firms over military applications and acceptable use restrictions. While the memo stresses accountability, testing, and human oversight, its effectiveness will ultimately depend on implementation. The larger unresolved issue remains governance: who decides where lawful national security use ends and prohibited use begins—the executive branch, Congress, courts, or AI vendors themselves. That debate is far from settled and will likely define U.S. defense AI policy for years to come.
READ THE STORY: CFR
International Law Enforcement Takedown Targets VPN Service Used by Ransomware Groups
Bottom Line Up Front (BLUF): The FBI, alongside European and international law enforcement partners, has disrupted and seized infrastructure associated with First VPN Service, an anonymization provider allegedly used by at least 25 ransomware groups to conduct network reconnaissance, intrusions, and other cybercriminal activities. Authorities claim the service facilitated attacks that resulted in millions of dollars in losses to organizations worldwide and was heavily marketed within criminal underground forums.
Analyst Comments: VPN providers, bulletproof hosting companies, and anonymization services increasingly represent attractive disruption targets because they support multiple criminal ecosystems simultaneously. The allegation that First VPN was used by more than two dozen ransomware groups suggests the service functioned as a trusted component within the cybercriminal supply chain. While takedowns rarely eliminate criminal activity outright, they increase operational costs, force threat actors to migrate infrastructure, and create uncertainty about which providers may already be under law enforcement scrutiny. Organizations should expect ransomware operators to shift toward alternative VPN and proxy services in the near term.
READ THE STORY: FBI
Open-Source Miasma Worm Emerges, Expanding Supply Chain Threats Against Developers
Bottom Line Up Front (BLUF): A new open-source worm dubbed Miasma has reportedly been published online, building on the capabilities of TeamPCP's earlier Mini Shai-Hulud worm. Designed to target software development environments, Miasma steals cloud, source code, and package management credentials before self-propagating through compromised repositories and software packages. Although the repository was quickly removed and the associated GitHub account suspended, the source code may already be circulating within underground communities.
Analyst Comments: Open-sourcing self-propagating supply chain malware lowers the barrier to entry for less-skilled threat actors, allowing them to adapt proven credential theft and propagation techniques rather than building them from scratch. While most supply chain attacks require significant planning and operational maturity, publicly available worm code enables copycat campaigns that can spread rapidly through developer ecosystems. Organizations should view this as another indicator that developer credentials—GitHub tokens, cloud access keys, package repository credentials, and SSH keys—remain high-value targets. The real risk is not a single worm variant but the inevitable forks, modifications, and weaponized derivatives that follow.
READ THE STORY: Tools
KCTF 2026 Adds AI Security Category, Formally Permits AI-Assisted Competition
Bottom Line Up Front (BLUF): China's Kanxue Security Community has updated the rules for KCTF 2026, introducing a dedicated AI Security / LLM Security competition category while formally allowing both attackers and defenders to use AI tools during challenge creation and solving. The move reflects the growing role of AI in offensive security research and signals the maturation of AI security as a recognized competitive discipline.
Analyst Comments: CTF competitions have historically served as an early indicator of where security talent and research are headed. By creating dedicated AI security challenge categories, KCTF is effectively acknowledging that prompt injection, jailbreaks, RAG exploitation, agent abuse, tool-calling vulnerabilities, and AI supply chain attacks now deserve the same standing as traditional Web, PWN, Crypto, and Reverse Engineering disciplines. Equally important, organizers are embracing a reality the industry is still grappling with: AI is already being used extensively by both attackers and defenders. Rather than attempting to ban it, KCTF is treating AI as another tool while emphasizing human accountability and reproducibility.
READ THE STORY: Kanxue
Windows BitLocker Zero-Day Allows Authentication Bypass, Threatening Encrypted Devices
Bottom Line Up Front (BLUF): Microsoft has disclosed a zero-day vulnerability in Windows BitLocker, tracked as CVE-2026-50507, that could allow attackers with physical access to bypass critical authentication controls protecting encrypted drives. While exploitation requires direct access to a target device, successful attacks could compromise the confidentiality, integrity, and availability of data stored on BitLocker-protected systems.
Analyst Comments: Physical-access attacks are often dismissed because they require possession of the target device, but for many organizations, that's precisely the threat model BitLocker is designed to address. Laptops are lost, stolen, seized, or temporarily accessed every day. A flaw that weakens BitLocker's authentication enforcement undermines one of the most widely deployed endpoint data protection technologies in enterprise environments. The designation of "Proof-of-Concept" exploitation is particularly noteworthy because it suggests practical attack techniques already exist, even if Microsoft has not disclosed technical details. Organizations supporting executives, government personnel, researchers, or other high-value targets should pay close attention to this vulnerability.
READ THE STORY: GBhackers
Public “RoguePlanet” Exploit Targets Microsoft Defender, Claims SYSTEM-Level Privilege Escalation
Bottom Line Up Front (BLUF): A security researcher has publicly released a proof-of-concept exploit dubbed RoguePlanet, which allegedly abuses a race condition in Microsoft Defender to obtain NT AUTHORITY\SYSTEM privileges on fully patched Windows 10 and Windows 11 systems. If validated, the vulnerability would provide attackers with a highly valuable local privilege escalation path capable of granting complete control over affected endpoints.
Analyst Comments: Defender has become deeply integrated into the Windows security stack, making any privilege escalation flaw within its scanning pipeline particularly concerning. However, organizations should approach initial reporting with caution. At the time of publication, details are primarily sourced from a researcher-released PoC rather than a Microsoft advisory or independently verified technical analysis. That said, public exploit availability changes the risk equation. Even moderately reliable local privilege escalation vulnerabilities are routinely incorporated into post-exploitation frameworks, ransomware playbooks, and red-team toolsets. If the exploit performs as claimed, it would be especially useful for attackers who already have limited access to a system and need to elevate privileges to disable security controls, establish persistence, or conduct lateral movement.
READ THE STORY: CSN
Meta Accuses NSO Group of Violating Court Order with New WhatsApp Spyware Campaign
Bottom Line Up Front (BLUF): Meta says it disrupted a new NSO Group spear-phishing campaign targeting WhatsApp users and has asked a U.S. court to hold the Israeli spyware vendor in contempt for allegedly violating a permanent injunction issued in 2025. The incident marks the latest escalation in the years-long legal battle between Meta and NSO and raises questions about whether sanctions and court rulings have meaningfully constrained the commercial spyware industry.
Analyst Comments: The significance here is less about the phishing campaign itself and more about what it suggests regarding NSO’s operational behavior following a major legal defeat. Meta’s allegation, if proven, indicates that one of the world’s most scrutinized spyware vendors may still be willing to target WhatsApp users despite court-imposed restrictions and U.S. sanctions. Commercial surveillance vendors have historically relied on legal ambiguity and government customers to shield themselves from accountability. This case could become an important test of whether civil litigation, sanctions, and court orders can effectively deter future spyware operations. For defenders, the takeaway remains unchanged: social engineering continues to be the preferred delivery mechanism when technical exploitation becomes more difficult or more closely monitored.
READ THE STORY: Risky Biz News
Anthropic Launches Claude Fable 5, Restricting Advanced Cyber Capabilities Behind New Safety Controls
Bottom Line Up Front (BLUF): Anthropic has released Claude Fable 5, its most capable publicly available AI model, while restricting its full cybersecurity capabilities to a separate version called Claude Mythos 5, available only to vetted security professionals and critical infrastructure operators. The move reflects growing concerns that frontier AI models are becoming capable of discovering, developing, and operationalizing software exploits at a pace that could significantly benefit both defenders and attackers.
Analyst Comments: This is one of the clearest acknowledgments yet from a major AI vendor that advanced cyber capabilities have crossed a threshold requiring access controls. Anthropic is effectively treating offensive cybersecurity expertise as a controlled capability rather than a general-purpose feature. More importantly, the company is publicly documenting a reality many security teams are already experiencing: vulnerability discovery is accelerating faster than organizations can patch. The strategic concern is no longer whether AI can find vulnerabilities—it can. The emerging challenge is whether defenders can remediate them before attackers weaponize them. That shifts the competitive advantage toward organizations with strong asset management, automated patching, and rapid response processes.
READ THE STORY: THN
Items of interest
Chinese Researcher Reverse-Engineers FortiWeb 8.0 Firmware Protection, Recovers Root Filesystem Decryption Process
Bottom Line Up Front (BLUF): A researcher published a detailed reverse-engineering analysis of Fortinet’s newer firmware protection mechanisms, claiming to have reconstructed the process used to decrypt FortiWeb 8.0 firmware root file systems. According to the research, Fortinet replaced earlier hardcoded ChaCha20-based protection with an RSA-wrapped key release mechanism and a heavily modified RC4-like stream cipher. The author states the protections can be reversed to recover and decrypt firmware images for analysis, potentially lowering the barrier for vulnerability research and firmware auditing.
Analyst Comments: This is not a vulnerability disclosure in the traditional sense, but it is still important for defenders because firmware encryption and integrity mechanisms often serve as friction points that slow reverse engineering. When researchers publicly document how those protections work, both defenders and attackers gain the ability to analyze firmware internals more efficiently. The key takeaway is that Fortinet appears to have moved away from the older model where decryption material could allegedly be extracted directly from memory. The new design reportedly introduces RSA-based key wrapping and a customized RC4-derived algorithm intended to obscure firmware contents. According to the researcher, those changes increase complexity but do not ultimately prevent determined reverse engineering.
READ THE STORY: Kanxue
How Hackers Reverse Engineer Firmware (Video)
FROM THE MEDIA: Binwalk is a powerful reverse engineering tool used to uncover hidden files, compressed data, and embedded systems inside firmware images. In this video, I’ll show you how to scan, extract, and explore firmware like a pro. We’ll also take a look at the newer Rust-based version of Binwalk now included in Kali Linux, and how it compares to the original.
FortiWeb: Preventing the use of weak cryptographic algorithms (Video)
FROM THE MEDIA: Fortinet is deprecating and removing support for weak cryptographic algorithms in FortiWeb as part of broader efforts to strengthen platform security and align with modern cryptographic standards. Organizations running legacy SSL/TLS configurations, outdated ciphers, or older integrations should review current deployments to ensure compatibility before upgrading.
The selected stories cover a broad range of cyber threats and are intended to help readers frame key publicly discussed threats and improve overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, don’t hesitate to get in touch with InfoDom Securities at dominanceinformation@gmail.com.