Daily Drop (1317)
06-13-26
Saturday, Jun 13, 2026 // Ghostwire
Iran-Linked Handala Breached California Water Service Via Exposed GPS Platform, Leaks 5GB of Customer Data
Bottom Line Up Front (BLUF): Iran-linked threat group Handala claimed responsibility for breaching California Water Service (Cal Water), publishing a 5GB proof-of-concept data dump containing customer billing information and exposing an internet-facing RTKBase GNSS platform used for precision GPS operations. Researchers assess the exposed GPS infrastructure likely served as the initial access vector or lateral movement point into the billing environment. While no operational technology (OT) disruption has been confirmed, Handala has a documented history of escalating from data theft to destructive attacks using custom wipers and MBR-overwriting malware.
Analyst Comments: An internet-accessible Raspberry Pi-based RTKBase deployment should never provide a pathway into customer billing systems. The exposure of plaintext administrative credentials and full NTRIP infrastructure mapping suggests basic security hygiene was lacking. The bigger issue is the threat actor. Handala has repeatedly demonstrated a “data theft first, destruction later” operating model. Their previous deployment of wipers against Stryker shows they are willing to transition from espionage and psychological operations to disruptive activity. Water utilities are increasingly attractive targets because they provide opportunities for outsized societal impact and media attention. This incident aligns closely with recent CISA warnings regarding Iranian interest in U.S. water infrastructure.
READ THE STORY: Security Affairs
Operation Ghost Hook Dismantles China-Based Phishing-as-a-Service Network Linked to $1.9 Billion in Fraud Losses
Bottom Line Up Front (BLUF): The FBI, in coordination with Google and Lumen Technologies, has disrupted Outsider, a China-based Phishing-as-a-Service (PhaaS) operation allegedly responsible for approximately $1.9 billion in losses and attacks spanning 55 countries. The operation, dubbed Operation Ghost Hook, resulted in the seizure of core infrastructure, phishing domains, payment wallets, and customer data associated with the cybercrime enterprise. The case also highlights the growing use of AI platforms to accelerate phishing operations.
Analyst Comments: This was not a single phishing gang running isolated campaigns—it was an ecosystem providing phishing infrastructure, automation, customer support, AI-assisted lure generation, and authentication bypass capabilities to a global customer base. The economics are striking. For as little as $88 per week, cybercriminals could access professionally maintained phishing kits capable of impersonating trusted brands and defeating multiple forms of authentication. This dramatically lowers the barrier to entry, enabling less sophisticated actors to conduct highly effective fraud campaigns at scale.
READ THE STORY: CyberScoop
China-Linked Velvet Ant Backdoored Linux Authentication Stack, Maintaining Covert Access for Nearly a Decade
Bottom Line Up Front (BLUF): Incident responders at Sygnia uncovered a long-running cyber espionage campaign by the China-linked threat group Velvet Ant, which modified Linux PAM and OpenSSH authentication components to establish highly resilient persistence inside an isolated network. The operation, dubbed Operation Highland, dates back to at least 2016 and demonstrates a sophisticated strategy of compromising trusted infrastructure components rather than deploying conventional malware.
Analyst Comments: Rather than deploying implants that defenders routinely hunt for, Velvet Ant compromised the very mechanisms responsible for authenticating users and managing remote access. By backdooring PAM (Pluggable Authentication Modules) and OpenSSH, the attackers effectively controlled the trust layer itself. The significance cannot be overstated. Password resets, session terminations, and standard malware remediation procedures become largely ineffective when the authentication system has been subverted. Every new credential can simply be captured again, and secret access mechanisms remain available even after apparent remediation.
READ THE STORY: THN
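One defensive check the Velvet Ant item above implies: audit the PAM stack for modules that are not part of the distribution baseline or are loaded from unexpected paths, and compare module file hashes against a known-good manifest. This is an added example, not code from Sygnia's report; the sample pam.d content, module names and hashes are constructed, and the baseline would in practice come from the package manager's file list.

```python
"""Audit a PAM service configuration for unknown or oddly located modules,
and verify module contents against a baseline hash manifest.
Added example with constructed data; nothing here is from the Velvet Ant report."""
import hashlib

# Directories where distribution-packaged PAM modules normally live.
STANDARD_DIRS = (
    "/lib/security", "/lib64/security",
    "/usr/lib/security", "/usr/lib64/security",
    "/lib/x86_64-linux-gnu/security", "/usr/lib/x86_64-linux-gnu/security",
)

# Constructed sample of an /etc/pam.d/sshd file; the /tmp entry is the anomaly.
SAMPLE_PAM_CONF = """\
# PAM configuration for the Secure Shell service (constructed sample)
auth       required     pam_env.so
auth       required     pam_unix.so nullok
auth       optional     /tmp/.cache/pam_helper.so
account    required     pam_nologin.so
session    required     pam_limits.so
session    optional     pam_unix.so
"""

# Known-good module names (hypothetical; take these from the package manager).
BASELINE_MODULES = {"pam_env.so", "pam_unix.so", "pam_nologin.so", "pam_limits.so"}


def parse_pam_lines(text):
    """Return (type, control, module, args) tuples; skips comments, blanks, @include."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        tokens = line.split()
        # Bracketed control values contain spaces, e.g. [success=1 default=ignore]
        if len(tokens) > 1 and tokens[1].startswith("["):
            end = 1
            while end < len(tokens) and not tokens[end].endswith("]"):
                end += 1
            tokens = [tokens[0], " ".join(tokens[1:end + 1])] + tokens[end + 1:]
        if len(tokens) < 3:
            continue  # malformed line; a real audit should report it
        entries.append((tokens[0], tokens[1], tokens[2], tokens[3:]))
    return entries


def audit_pam_entries(entries, baseline=BASELINE_MODULES):
    """Flag modules outside the standard directories or absent from the baseline."""
    findings = []
    for _mtype, control, module, _args in entries:
        if control in ("include", "substack"):
            continue  # refers to another service file, not a module
        if module.startswith("/"):
            if not any(module.startswith(d + "/") for d in STANDARD_DIRS):
                findings.append((module, "loaded from non-standard path"))
            name = module.rsplit("/", 1)[-1]
        else:
            name = module
        if name not in baseline:
            findings.append((module, "not in known-good baseline"))
    return findings


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_module_hashes(module_bytes, baseline_sha256):
    """Compare module contents (name -> bytes) against a baseline manifest (name -> sha256)."""
    mismatches = []
    for name, expected in baseline_sha256.items():
        data = module_bytes.get(name)
        if data is None:
            mismatches.append((name, "missing"))
        elif sha256_hex(data) != expected:
            mismatches.append((name, "hash mismatch"))
    return mismatches
```

Because a subverted sshd or PAM module can also lie about its own state, the comparison is only trustworthy when the hashes are read from a clean boot or a mounted image rather than from the live host.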
Russian Infrastructure Operator Tied to Kremlin-Linked Void Blizzard Cyber Espionage Campaign
Bottom Line Up Front (BLUF): U.S. authorities have charged 36-year-old Russian national Denis Obrezko in federal court in Boston for allegedly providing infrastructure support to the Kremlin-linked cyber espionage group Void Blizzard. While not accused of conducting intrusions directly, Obrezko allegedly procured and managed servers, domains, and cryptocurrency-funded infrastructure used in cyber operations targeting at least 11 U.S. organizations across government, defense, technology, healthcare, media, transportation, and NGO sectors.
Analyst Comments: Governments are increasingly targeting not just the operators conducting intrusions, but the broader ecosystem that enables them. Infrastructure brokers, bulletproof hosting providers, domain registrars, cryptocurrency facilitators, and technical support personnel have become strategic targets because they provide the logistical backbone that allows both criminal and state-sponsored campaigns to operate at scale. The allegations surrounding Void Blizzard illustrate how modern espionage operations increasingly leverage the same commercial infrastructure and financial channels used by cybercriminal groups. Virtual private servers, disposable domains, cryptocurrency payments, and illicit credential markets have created a shared support ecosystem where the boundaries between cybercrime and state activity are increasingly blurred.
READ THE STORY: DS
FCC Proposal Would Effectively End Anonymous ‘Burner Phones’ in the U.S.
Bottom Line Up Front (BLUF): The U.S. Federal Communications Commission (FCC) is considering new rules that would require telecommunications providers to collect and retain government-issued identification numbers and physical addresses for new and renewing customers. If implemented, the proposal would significantly restrict the ability to purchase anonymous or pseudonymous “burner phones” in the United States, raising concerns among privacy advocates, civil liberties groups, journalists, and domestic violence organizations.
Analyst Comments: While framed as an anti-fraud and anti-scam measure, the practical effect would be the creation of a much more comprehensive identity-to-phone-number linkage system. From a cybersecurity perspective, there are two competing realities. On one hand, anonymous phone services are routinely abused by scammers, fraud operators, and criminal networks. Better subscriber attribution could improve investigations into phishing campaigns, business email compromise (BEC), SIM swapping, and telecom-enabled fraud.
READ THE STORY: 404
CISA Revives Long-Delayed Cyber Incident Reporting Rules Amid Pressure to Finalize CIRCIA
Bottom Line Up Front (BLUF): The Cybersecurity and Infrastructure Security Agency (CISA) has resumed public consultations on implementing the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), a regulation that could require up to 300,000 critical infrastructure entities to report significant cyber incidents within 72 hours and ransomware payments within 24 hours. While lawmakers are urging CISA to finalize the rules quickly, industry groups continue to argue that the current draft is overly broad, ambiguous, and risks creating substantial reporting burdens.
Analyst Comments: CIRCIA represents one of the most consequential shifts in U.S. cyber regulation since the creation of CISA itself. The agency has largely operated through voluntary partnerships and information sharing since its establishment in 2018. CIRCIA changes that dynamic by introducing mandatory incident reporting requirements across sixteen critical infrastructure sectors.
READ THE STORY: FNN
U.S. Government Orders Anthropic to Restrict Fable 5 and Mythos 5 Access Over National Security Concerns
Bottom Line Up Front (BLUF): Anthropic has temporarily suspended access to its flagship Fable 5 and Mythos 5 models worldwide after receiving a U.S. government directive requiring the company to block access by all foreign nationals, including individuals inside the United States and Anthropic’s own foreign-national employees. The order reportedly stems from concerns over a potential jailbreak capability and raises significant questions about AI export controls, technological sovereignty, and the future regulation of frontier AI models.
Analyst Comments: The practical implications are enormous. The government reportedly ordered Anthropic to prohibit access by any foreign national regardless of location, a requirement so broad that the company determined it had to shut off both models globally to remain compliant. If accurate, this represents a dramatic escalation in how governments view advanced AI capabilities and their potential national security implications. The stated trigger—a reportedly narrow jailbreak allowing the model to analyze code and identify vulnerabilities—is equally notable. Anthropic argues that these capabilities already exist in other publicly available models and are routinely used by defenders. If governments begin recalling or restricting models over limited jailbreak scenarios, the industry could face substantial uncertainty around deployment standards and export compliance requirements.
READ THE STORY: Bleeping Computer // Telegram
ShinyHunters Exploits Oracle PeopleSoft Zero-Day to Target Universities Worldwide
Bottom Line Up Front (BLUF): Google Threat Intelligence Group (GTIG) and Mandiant have confirmed that ShinyHunters (UNC6240) exploited the critical Oracle PeopleSoft zero-day CVE-2026-35273 (CVSS 9.8) to compromise more than 100 organizations globally, with 68% of identified victims belonging to the higher education sector. The campaign leveraged unauthenticated remote code execution, custom malware staging infrastructure, credential spraying, and data exfiltration techniques to steal sensitive data and extort victims.
Analyst Comments: PeopleSoft isn’t just another business application—it often serves as the central repository for HR records, payroll data, student information, financial systems, and identity information. A compromise of PeopleSoft can quickly become a compromise of the entire institution. The attackers’ methodology also stands out. Rather than directly attacking databases, ShinyHunters reportedly operated through legitimate PeopleSoft application logic and APIs, reducing the likelihood of detection by traditional database monitoring controls. This is increasingly common in modern intrusions: attackers abuse the application’s intended functionality instead of exploiting infrastructure in ways that trigger security alarms.
READ THE STORY: HACKREAD
FBI Unveils 22,000-Square-Foot “Kinetic Cyber Range” Replica Town for Cyberattack and Digital Forensics Training
Bottom Line Up Front (BLUF): The FBI disclosed details of its Kinetic Cyber Range, a 22,000-square-foot replica town in Huntsville, Alabama, designed to simulate real-world cyber incidents and train investigators in cyber response, digital forensics, and critical infrastructure investigations. The facility replicates homes, businesses, hospitals, power infrastructure, and corporate IT environments to provide hands-on training against ransomware, infrastructure attacks, and device exploitation scenarios.
Analyst Comments: The inclusion of fully functional IT environments and critical infrastructure simulations is particularly notable. Training investigators to operate in realistic conditions—including noisy data centers, interconnected systems, and time-sensitive scenarios—should improve incident response capabilities and evidence collection during major cyber events. The digital forensics component also highlights an ongoing tension in cybersecurity. Law enforcement increasingly relies on zero-day-based forensic tools capable of bypassing modern encryption and device protections. While these capabilities are often essential for criminal investigations, they also raise longstanding concerns around vulnerability disclosure and the retention of undisclosed exploits that could potentially be discovered or reused by adversaries.
READ THE STORY: TC
Tenable Launches VM-Native OT Discovery to Improve Visibility Across Converged IT and OT Environments
Bottom Line Up Front (BLUF): Tenable announced VM-Native OT Discovery, a new capability integrated into Tenable Vulnerability Management, Tenable Security Center, and the Tenable One Exposure Management Platform that provides safe, protocol-aware discovery of operational technology (OT), IoT, and cyber-physical assets without requiring specialized hardware deployments. The initiative aims to address one of the industry's biggest challenges: limited visibility into increasingly interconnected OT environments.
Analyst Comments: IT teams are increasingly inheriting responsibility for securing building management systems, industrial devices, and other cyber-physical assets but often lack the visibility and tooling needed to understand their exposure. Tenable is positioning this release as an “on-ramp” to OT security by lowering the cost and complexity traditionally associated with OT asset discovery. That’s significant because many organizations avoid OT security projects due to fears of disrupting fragile devices, the expense of deploying specialized sensors, and operational resistance to installing new infrastructure.
READ THE STORY: Security Boulevard
Researchers Reverse Engineer Apple Music’s X-Apple-ActionSignature Protection on Android, Exposing Advanced Obfuscation Techniques
Bottom Line Up Front (BLUF): A reverse engineering analysis published on the Kanxue Security Community details how Apple Music’s Android implementation of X-Apple-ActionSignature employs multiple layers of code obfuscation, including indirect branch (BR) obfuscation, mixed-boolean arithmetic (MBA), control-flow flattening, stack address encryption, white-box cryptography, and modified MT19937-based operations. The research highlights the growing complexity of mobile application protections and the increasing difficulty of analyzing modern authentication and request-signing mechanisms.
Analyst Comments: Major technology companies increasingly assume that client-side code will be reverse engineered and therefore deploy multiple, overlapping anti-analysis mechanisms designed to significantly raise the cost of reverse engineering. The reported use of indirect branch obfuscation, white-box cryptography, and encrypted stack references reflects techniques more commonly associated with DRM systems, anti-cheat technologies, and high-assurance financial applications. These protections are specifically designed to defeat static analysis, complicate dynamic tracing, and slow the extraction of sensitive algorithms such as request-signing logic and cryptographic routines.
READ THE STORY: Kanxue
New macOS Tahoe 26 Artifact Reveals User Intent Through Menu Click Tracking
Bottom Line Up Front (BLUF): Palo Alto Networks’ Unit 42 has identified a previously undocumented macOS Tahoe 26 forensic artifact, App.MenuItem, that records users’ specific menu selections across the operating system. Stored within Apple’s Biome framework, the artifact provides investigators with a detailed chronology of user actions—such as compressing files, deleting data, and emptying the trash—offering unprecedented visibility into user intent rather than merely system events.
Analyst Comments: Traditional forensic artifacts can show that a ZIP archive was created or files were deleted, but they often cannot definitively establish whether those actions were deliberate or automated. App.MenuItem introduces a behavioral layer that captures the human interaction with the operating system. For insider threat investigations, intellectual property theft cases, and incident response scenarios involving data exfiltration, the artifact could become exceptionally valuable. An analyst may now reconstruct a sequence such as: navigating to sensitive data, compressing it, moving evidence to the trash, and emptying the trash—all from explicit menu selections made by the user.
READ THE STORY: Unit42
NanoClaw Partners With JFrog to Secure AI Agent Package Downloads and Combat Supply Chain Risk
Bottom Line Up Front (BLUF): Secure agent framework NanoClaw has integrated with JFrog’s vetted package registries to reduce the risk of AI agents downloading malicious dependencies during self-improvement and tool acquisition processes. The partnership addresses a growing concern in agentic AI systems: autonomous package retrieval can expose agents to software supply chain attacks, dependency confusion, and malicious code execution. NanoClaw also introduced an AI-driven pull request (PR) review system designed to handle the surge of AI-generated code contributions while maintaining human approval for consequential actions.
Analyst Comments: Modern AI agents increasingly possess the ability to install libraries, fetch tools, generate code, and modify their own capabilities. While this dramatically improves productivity, it also creates a new attack surface where adversaries can weaponize package registries, typosquatting, dependency confusion, and malicious open-source packages to compromise agent workflows. The integration with JFrog is effectively an attempt to establish a trusted software supply chain for AI agents. Instead of allowing agents to indiscriminately pull packages from public registries such as npm, NanoClaw agents can retrieve dependencies from pre-vetted repositories that have undergone security review and provenance checks.
READ THE STORY: The Register
Anthropic’s Claude Fable 5 Jailbroken to Generate Exploit Code and Leak 120,000-Character System Prompt
Bottom Line Up Front (BLUF): Researchers claim that Anthropic’s Claude Fable 5, the flagship public model in the new Mythos series, was successfully jailbroken within days of release using multi-agent attacks, Unicode obfuscation, narrative framing, and prompt decomposition techniques. The researchers also reportedly extracted and published approximately 120,000 characters of system prompts, exposing internal safety instructions and model orchestration mechanisms. The jailbreak allegedly enabled the model to generate detailed exploit guidance, including stack buffer overflow development techniques and other prohibited technical content.
Analyst Comments: The bigger issue is what it reveals about the security assumptions behind multi-model safety architectures. According to the reporting, Fable 5 and its restricted counterpart, Claude Mythos 5, share the same underlying model but rely on a classification layer that routes high-risk requests to a less capable fallback model. This approach appears designed to preserve usability while limiting dangerous outputs. The alleged jailbreak suggests that if one component in a multi-agent pipeline can be manipulated, it may assist in bypassing controls protecting another component.
READ THE STORY: Freebuf
152 Malicious Chrome Extensions Spoof Google Search Traffic and Harvest User Telemetry
Bottom Line Up Front (BLUF): Researchers at Socket have uncovered a coordinated network of 152 malicious Chrome extensions spread across 38 Chrome Web Store publisher accounts that masqueraded as benign "live wallpaper" new-tab extensions while secretly generating fraudulent Google organic search traffic and collecting user telemetry. The campaign amassed approximately 105,000 installs and leveraged deceptive attribution techniques, anti-forensic mechanisms, and distributed infrastructure to evade detection and maximize advertising revenue.
Analyst Comments: Although the campaign did not appear to deploy credential theft or malware payloads, it demonstrates how threat actors increasingly weaponize browser ecosystems for advertising fraud, telemetry harvesting, and analytics manipulation. The most interesting aspect is the abuse of Google attribution mechanisms. By forcing browser tabs to open with utm_source=google&utm_medium=organic parameters and leveraging Google’s own redirect wrappers during uninstall events, the operators effectively manufactured fake organic search traffic that appeared indistinguishable from legitimate user behavior.
READ THE STORY: GBhackers
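The attribution abuse described above leaves a trace on the receiving site: hits whose query string declares utm_source=google&utm_medium=organic without any Google referrer. The detection below, written for this digest and not part of Socket's research, parses Combined Log Format lines (constructed samples) and counts such self-declared organic hits per client.

```python
"""Flag web-server hits that claim Google organic attribution via UTM parameters
while carrying no Google referrer, and count them per client address.
Added example; the log lines are constructed, not from the Socket report."""
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: ip ident user [ts] "method target proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: 203.0.113.10 behaves like a forced new-tab extension.
SAMPLE_LOG = """\
203.0.113.10 - - [13/Jun/2026:09:00:01 +0000] "GET /?utm_source=google&utm_medium=organic HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/126.0"
203.0.113.10 - - [13/Jun/2026:09:00:02 +0000] "GET /pricing?utm_source=google&utm_medium=organic HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/126.0"
198.51.100.7 - - [13/Jun/2026:09:01:10 +0000] "GET /blog?utm_source=google&utm_medium=organic HTTP/1.1" 200 7000 "https://www.google.com/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/127.0"
192.0.2.44 - - [13/Jun/2026:09:02:30 +0000] "GET /?utm_source=newsletter&utm_medium=email HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Macintosh) Safari/605.1"
203.0.113.10 - - [13/Jun/2026:09:03:05 +0000] "GET /docs?utm_medium=organic&utm_source=Google HTTP/1.1" 200 3000 "https://example.net/" "Mozilla/5.0 (Windows NT 10.0) Chrome/126.0"
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    return rec


def is_google_referer(referer):
    """True when the Referer host has 'google' as a DNS label (google.com, google.co.uk, ...)."""
    if not referer or referer == "-":
        return False
    host = urlsplit(referer).hostname or ""
    return "google" in host.lower().split(".")


def claims_google_organic(query):
    source = query.get("utm_source", [""])[0].lower()
    medium = query.get("utm_medium", [""])[0].lower()
    return source == "google" and medium == "organic"


def find_fake_organic(lines):
    """Return (ip, path, referer) for hits that self-declare Google organic without a Google referer."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if claims_google_organic(rec["query"]) and not is_google_referer(rec["referer"]):
            findings.append((rec["ip"], rec["path"], rec["referer"]))
    return findings


def summarize_by_client(findings):
    """Count suspicious hits per client address; bursts from one client are the stronger signal."""
    return dict(Counter(ip for ip, _path, _ref in findings))
```

The referer test alone misses the variant the report describes where the operators route through Google's own redirect wrappers, so the per-client volume from summarize_by_client is the more robust signal in that case.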
Items of interest
Shadow AIS Fleet Tactics Expose Maritime Sanctions Evasion Across Venezuela, Libya, and the Mediterranean
Bottom Line Up Front (BLUF): The tanker SKIPPER (IMO: 9304667) reportedly went 200 days without AIS transmissions, spoofed a location roughly 1,200 nautical miles away, and appeared off Guyana while allegedly loading at Venezuela’s San Jose terminal. Similar AIS dark activity, false positioning, and identity manipulation are now being observed along the Libyan coast and across Mediterranean smuggling routes.
Analyst Comments: The SKIPPER case matters because it shows how a vessel can create a parallel reality: one track for regulators and commercial monitoring platforms, another for the actual cargo movement. When a tanker “paints” itself hundreds or thousands of miles from its real location, standard compliance workflows can fail unless analysts correlate AIS with satellite imagery, port activity, draft changes, ownership records, and terminal schedules. The same tradecraft showing up near Libya is especially concerning. Libya’s fragmented security environment, contested oil infrastructure, and proximity to Mediterranean shipping corridors make it attractive for smuggling networks. Expect more use of AIS gaps, false destinations, name changes, flag hopping, shell ownership, and ship-to-ship transfers just outside high-visibility zones.
READ THE STORY: Codeby // OCCRP
How to track dark ships using OSINT (Video)
FROM THE MEDIA: In this OSINT deep dive, professional OSINT analyst Ray Baker joins David Bombal to explore the shadowy world of maritime cybersecurity and vessel tracking. Discover the critical differences between the dark fleet and shadow fleet, and learn the exact open-source intelligence methods used to track ships attempting to hide their identities on the open ocean. From manipulating AIS tracking data and repainting ship decks to the terrifying reality of hacking Chinese-made port cranes, this video uncovers the hidden cyber threats facing global supply chains. We also explore the tools used by professionals, such as MarineTraffic and Equasis, to investigate illicit maritime activities and track adversarial movements.
AML Expert Shadow Fleet trailer | Fighting illicit oil | Financial CPD (Video)
FROM THE MEDIA: This Expert AML module uncovers how a single tanker explosion — the Pablo — illuminated one of the fastest‑growing laundering ecosystems on earth: the global shadow fleet. Through the real story of how aging, opaque tankers move sanctioned oil through shell companies, forged documents, AIS manipulation, and digital deception, we unpack how sanctions evasion has evolved into a full‑scale value‑laundering system operating far outside the regulated maritime world.
The selected stories cover a broad range of cyber threats and are intended to help readers frame key publicly discussed threats and improve overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, don’t hesitate to get in touch with InfoDom Securities at dominanceinformation@gmail.com.