Daily Drop (1320)
06-19-26
Friday, Jun 19, 2026
China Issues New Network Data Security Risk Assessment Rules: Annual Assessments Required for Important Data Processors
Bottom Line Up Front (BLUF): China's Cyberspace Administration (CAC), Ministry of Industry and Information Technology (MIIT), and Ministry of Public Security (MPS) jointly issued the Measures for Risk Assessment of Network Data Security (网络数据安全风险评估办法) on June 18, 2026, with implementation beginning August 20, 2026. The measures establish a nationwide framework for network data security risk assessments, mandate annual risk assessments for processors of important data, and grant regulators expanded authority to inspect assessments, order remediation, and suspend important data processing activities that pose risks to national security or the public interest.
Analyst Comments: According to the Cyberspace Administration of China, all network data security risk assessments conducted within China must comply with the new measures beginning August 20, 2026. The rules require important data processors to conduct annual risk assessments, with additional assessments required whenever significant security changes occur. Organizations processing general data are encouraged to conduct assessments at least every three years. Risk assessments may be performed internally or by third-party assessment agencies, which are encouraged to obtain official certification and must promptly notify organizations of significant data security risks. Relevant government authorities may inspect assessment reports, require the use of certified assessors, and order rectification or suspension of important data processing activities if national security or public interests are at risk.
READ THE STORY: CAC.GOV.CN
Bulgaria Licensed Surveillance Exports to Rights Violators Despite EU Human Rights Safeguards
Bottom Line Up Front (BLUF): Human Rights Watch revealed that Bulgaria approved export licenses between 2018 and 2023 for commercial surveillance technologies destined for countries with documented histories of using spyware and interception tools against journalists, activists, and political dissidents. The licenses involved products from Bulgaria-based surveillance firm Circles, raising renewed concerns that EU export controls for dual-use cyber capabilities are failing to prevent technologies from reaching authoritarian governments.
Analyst Comments: This is another example of the persistent gap between cyber export regulations and their enforcement. The issue is not whether surveillance technology can be abused—that has been demonstrated repeatedly with NSO Group, Intellexa, and similar vendors. The concern is that European governments continue approving exports to destinations with established records of digital repression while maintaining that adequate due diligence was performed.
READ THE STORY: HRW // The Record
UK Cyber Chief Warns Hostile States Behind Majority of Critical Infrastructure Attacks
Bottom Line Up Front (BLUF): The UK’s National Cyber Security Centre (NCSC) says approximately 75% of cyber incidents affecting British critical national infrastructure (CNI) are linked to hostile states. NCSC Director Richard Horne warned that adversaries are increasingly prepositioning inside critical infrastructure networks, establishing footholds that could be leveraged for disruptive operations during future geopolitical crises or conflicts. The warning comes as the UK advances new cyber resilience legislation and prepares for AI-driven increases in attacks against aging infrastructure.
Analyst Comments: The NCSC is effectively saying that many nation-state actors are no longer focused solely on espionage. They are establishing persistent access within critical infrastructure environments, creating options for future disruption if geopolitical tensions escalate. The reference to Volt Typhoon is particularly telling. That campaign demonstrated how state-linked actors can quietly embed themselves within critical systems for extended periods, avoiding immediate disruption while preserving operational access for future contingencies. The same playbook is increasingly being observed globally: gain access, establish persistence, remain dormant, and wait for strategic utility.
READ THE STORY: CISO Whisper
Critical Oracle Solaris Vulnerabilities Include CVSS 10.0 Flaw in Remote Administration Daemon
Bottom Line Up Front (BLUF): The Cyber Security Agency of Singapore (CSA) has warned of multiple vulnerabilities affecting Oracle Solaris 11.4, including CVE-2026-46978, a critical CVSS 10.0 vulnerability in the Remote Administration Daemon (RAD) that can be exploited remotely over HTTPS by an unauthenticated attacker. Additional flaws in the Filesystem and Libraries components could allow low-privileged attackers to access sensitive data and cause denial-of-service conditions. Organizations running Oracle Solaris 11.4 should prioritize patching immediately.
Analyst Comments: While Oracle Solaris has a smaller market share than Linux and Windows, it remains widely deployed in telecommunications, financial services, government, and legacy enterprise environments, where systems often support high-value applications and may not be patched as quickly as mainstream platforms. These environments can also have extended maintenance windows, creating opportunities for threat actors to target unpatched systems.
READ THE STORY: CAC.GOV.CN
Fortinet Confirms Active Exploitation of Critical FortiSandbox Flaws: Unauthenticated RCE and Privilege Escalation Under Attack
Bottom Line Up Front (BLUF): Threat intelligence firm Defused reports active exploitation of multiple critical vulnerabilities affecting Fortinet FortiSandbox, including CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089. The vulnerabilities allow unauthenticated attackers to perform remote code execution (RCE) and privilege escalation through low-complexity command injection attacks requiring no user interaction. Organizations running vulnerable FortiSandbox deployments should treat this as an immediate patching priority.
Analyst Comments: The most concerning aspect is the attack chain's accessibility: no authentication, low complexity, and no user interaction required. Those characteristics make these vulnerabilities highly attractive for mass exploitation campaigns and rapid weaponization. Defused has already observed exploitation attempts against CVE-2026-39813 and CVE-2026-39808, while activity involving CVE-2026-25089 appears to involve potentially faulty or incomplete exploit code, suggesting attackers are actively experimenting with exploitation techniques.
READ THE STORY: Bleeping Computer
Cisco Patches Exploited SD-WAN Zero-Day Allowing Root-Level Privilege Escalation
Bottom Line Up Front (BLUF): Cisco patched CVE-2026-20262, a zero-day vulnerability in Catalyst SD-WAN Manager that has already been exploited in limited real-world attacks. The flaw lets an authenticated attacker with write access send crafted HTTP requests to a vulnerable API, create or overwrite arbitrary files, and potentially escalate privileges to root.
Analyst Comments: Compromise of the SD-WAN Manager console can give attackers broad visibility and influence over routing, device management, and enterprise connectivity. The bug does require a valid account, but that should not make defenders comfortable. In real intrusions, attackers often obtain credentials first and then use flaws like this to escalate access and fully take over management infrastructure. Cisco SD-WAN has also had repeated exploitation this year, which means attackers are clearly paying attention to this product line.
READ THE STORY: Xakep (RU)
Critical Splunk AI Toolkit Vulnerability Enables OS Command Execution: CVE-2026-20266 Earns CVSS 9.1
Bottom Line Up Front (BLUF): Splunk disclosed a critical OS command injection vulnerability (CVE-2026-20266) affecting all versions of the Splunk AI Toolkit prior to v5.7.4. The flaw, rated CVSS 9.1, allows authenticated administrators to execute arbitrary system commands on the underlying host, potentially leading to full compromise of Splunk environments and broader enterprise security infrastructure. The vulnerability resides within the AI Toolkit’s btool configuration helper, highlighting the growing security risks introduced by AI-enabled enterprise components.
Analyst Comments: Administrative accounts for SIEM platforms are among the most sought-after targets in an attack chain because they provide visibility into and control over an organization’s entire security apparatus. The more concerning aspect is where the vulnerability resides: an AI component rather than the core platform. As vendors rapidly integrate LLMs, copilots, and autonomous agents into security products, they are expanding the attack surface with components that frequently execute scripts, invoke external tools, and interact with high-privilege system resources. CVE-2026-20266 demonstrates that traditional vulnerabilities such as command injection have not disappeared—they have simply migrated into AI-enabled functionality.
READ THE STORY: Anquanke
Novo Nordisk Breach Highlights Software Supply Chain Risk: Single GitHub Token Led to Alleged 1.3TB Data Theft
Bottom Line Up Front (BLUF): Pharmaceutical giant Novo Nordisk disclosed a cyber incident after attackers reportedly gained initial access using a single exposed GitHub personal access token. Threat group FulcrumSec claims it spent more than two months inside the company’s environment, exfiltrating approximately 700,000 files totaling 1.3TB, including source code, clinical research data, proprietary drug information, manufacturing records, and internal AI models. The incident underscores how exposed machine credentials and development environments have become prime targets for software supply chain attacks.
Analyst Comments: The attackers did not exploit a zero-day or bypass sophisticated defenses—they reportedly found a high-privileged GitHub token embedded in client-side JavaScript, authenticated as a trusted user, and pivoted from there. Development environments are now among the highest-value targets in an organization. Source repositories contain far more than code; they often include infrastructure definitions, deployment pipelines, API credentials, and documentation that effectively serves as a roadmap to the enterprise. Once an attacker gains authenticated access to a repository, traditional security controls such as code reviews and branch protections become largely irrelevant.
READ THE STORY: DR
Miasma Supply Chain Worm Compromises 73 Microsoft Repositories, Targets AI Coding Tools and Developer Credentials
Bottom Line Up Front (BLUF): A variant of the Miasma (Mini Shai-Hulud) supply chain worm compromised 73 Microsoft GitHub repositories, primarily within the Azure organization, temporarily disrupting CI/CD pipelines worldwide and exposing a new attack vector aimed at AI-assisted development tools. The malware targeted credentials associated with Claude Code, Gemini CLI, Cursor, and Visual Studio Code, using malicious configuration files to automatically execute payloads when developers opened compromised repositories. The incident highlights how threat actors are increasingly exploiting trusted development environments and AI coding ecosystems as software supply chain attack surfaces.
Analyst Comments: Previous supply chain compromises largely focused on package registries like npm and PyPI. Miasma deliberately bypassed those controls and moved to a less-monitored surface: configuration files used by AI coding agents and developer tooling. The attackers did not need to modify source code or poison package dependencies. Instead, they weaponized trust relationships between developers and AI-assisted coding environments. Once a compromised repository was opened in an affected IDE or AI coding tool, credentials could be harvested automatically and used to propagate the worm further. That’s a dangerous shift because most organizations have not yet built security controls around AI coding agent configurations.
READ THE STORY: DR
Klue OAuth Breach Fuels ‘Icarus’ Extortion Campaign: Stolen Tokens Used to Exfiltrate Salesforce Data
Bottom Line Up Front (BLUF): Market intelligence platform Klue suffered a breach that allowed threat actors associated with the emerging Icarus extortion group to steal OAuth tokens and access Salesforce environments belonging to multiple customers. Attackers used compromised service accounts and stolen OAuth credentials to systematically query and exfiltrate CRM data, leading Salesforce to disable the Klue Battlecards integration while the investigation continues.
Analyst Comments: Once an attacker obtains a valid OAuth token, they effectively inherit the permissions of the application integration and can operate as a trusted service. The attack also reinforces the growing risk posed by third-party SaaS integrations. Organizations tend to focus security efforts on user accounts while overlooking service-to-service trust relationships. In this case, attackers reportedly compromised Klue’s backend environment, deployed malicious code to harvest customer tokens, and then directly accessed connected Salesforce environments without needing to breach each customer individually.
READ THE STORY: Bleeping Computer
Salesforce Disables Klue Integration After OAuth Token Theft Enables Customer Data Breaches
Bottom Line Up Front (BLUF): Salesforce has disabled the Klue Battlecards integration after threat actors compromised Klue’s infrastructure, stole customer OAuth tokens, and accessed Salesforce environments belonging to multiple organizations. The campaign, attributed to the emerging Icarus extortion group, resulted in the exfiltration of CRM data, including business contacts, price quotes, and sales communications. The incident highlights the growing security risks posed by third-party SaaS integrations and non-human identities.
Analyst Comments: Once attackers obtained Klue’s OAuth tokens, they were able to operate as trusted integrations and directly query customer Salesforce environments without exploiting any vulnerability in Salesforce itself. The attack also demonstrates the dangers of legacy credentials and forgotten integrations. According to Klue and Huntress, the initial compromise stemmed from a long-unused but still active credential created for a prototype integration that was later abandoned. This is a recurring issue in cloud environments: organizations frequently decommission applications but fail to retire associated service accounts, API keys, and OAuth credentials.
READ THE STORY: THN
Hive0117 Targets Accountants in Russia and CIS With DarkWatchman Malware
Bottom Line Up Front (BLUF): The Hive0117 group is running a renewed phishing campaign against accountants in Russia and CIS countries, using password-protected RAR archives to deliver DarkWatchman malware. Once inside, attackers steal banking access, monitor cryptographic token use, deploy remote access tools, and abuse corporate remote banking systems to move funds through fake payroll registries.
Analyst Comments: Accountants are the right target because they sit closest to payment workflows, banking portals, and hardware or cryptographic tokens used for corporate transfers. The use of payroll registries is the key shift. Instead of obvious one-off transfers, attackers are blending theft into normal salary-payment activity, which may evade weaker fraud checks. DarkWatchman’s fileless behavior, keylogging, clipboard monitoring, and token tracking also make it well suited for quietly waiting until the victim connects banking credentials or signing devices.
READ THE STORY: Xakep (RU)
Microsoft Uncovers ‘Crypto Clipper’ Worm: USB-Propagated Malware Steals Crypto Wallets and Uses Tor for Stealth
Bottom Line Up Front (BLUF): Microsoft has identified a new self-propagating malware family, dubbed Crypto Clipper, that spreads via infected USB drives, steals cryptocurrency wallet credentials and seed phrases, and communicates with attacker infrastructure over Tor. The malware combines clipboard hijacking, screenshot capture, and remote code execution (RCE), effectively functioning as both a cryptocurrency stealer and a lightweight backdoor capable of maintaining persistent access to compromised systems.
Analyst Comments: Crypto Clipper is notable because it blends old-school worm propagation techniques with modern operational security. USB-based malware has largely fallen out of favor in enterprise environments, but it remains effective in air-gapped networks, industrial environments, and organizations with poor removable media controls. The use of a portable Tor client and local SOCKS5 proxy eliminates the need for traditional command-and-control (C2) infrastructure, complicating detection and attribution efforts.
READ THE STORY: arsTECHNICA
China Issues Warning on ‘VoidLink’ Malware: Advanced Linux Threat Targets Cloud and Container Environments
Bottom Line Up Front (BLUF): China's Ministry of Industry and Information Technology (MIIT), through its Cybersecurity Threat and Vulnerability Information Sharing Platform (CSTIS), issued a warning regarding VoidLink, a highly modular malware framework targeting Linux servers in cloud and container environments. First observed in late 2025, VoidLink leverages supply chain compromise, cloud misconfigurations, and container escape techniques to gain initial access, while employing kernel-level rootkit capabilities and multi-channel command-and-control (C2) communications to establish stealthy, persistent control over compromised systems.
Analyst Comments: VoidLink exhibits characteristics increasingly associated with modern cloud-focused advanced threats: environment awareness, modular architecture, rootkit-based stealth, and resilient C2 mechanisms. While public attribution remains unavailable, the tradecraft described by CSTIS suggests a mature threat actor with significant expertise in Linux internals and cloud-native infrastructure. The malware's initial access methods are particularly concerning because they exploit issues many organizations still struggle to address—unsigned container images, leaked credentials, and software supply chain contamination. These weaknesses continue to represent some of the most effective attack paths into cloud environments because they bypass traditional perimeter controls and exploit trusted workflows.
READ THE STORY: CNR (CN)
Steam Workshop Malware Campaign Uses Wallpaper Engine to Steal Accounts and Deploy Backdoors
Bottom Line Up Front (BLUF): Attackers are abusing Wallpaper Engine and the Steam Workshop to distribute malicious wallpapers disguised as images of attractive women, game themes, and utility tools. The campaign, first observed in late 2025 and documented by Kaspersky, uses malicious EXEs, DLLs, scripts, and encrypted archives to install backdoors that steal Steam credentials and, in some cases, deploy cryptocurrency miners. Victims are overwhelmingly concentrated in China (89%), with additional infections reported in Russia and other regions.
Analyst Comments: The use of Wallpaper Engine is particularly effective because it occupies a trusted position within the Steam ecosystem and supports community-generated content. Users often assume that content hosted on Steam Workshop has undergone some level of vetting, lowering their guard when downloading and executing files. The attackers further increase success rates by using borderline or suggestive content as lures, exploiting curiosity and reducing user scrutiny. The campaign’s persistence mechanism is also noteworthy. Stolen Steam accounts are allegedly used to publish additional malicious Workshop content, creating a self-sustaining distribution ecosystem. Even if individual accounts are banned, compromised accounts can continue propagating malicious themes and harvesting additional victims.
READ THE STORY: Tools (CN)
Operation Endgame Disrupts SocGholish Malware Network Tied to Evil Corp Ransomware Operations
Bottom Line Up Front (BLUF): International law enforcement agencies have disrupted the SocGholish malware infrastructure as part of Operation Endgame, remediating approximately 15,000 compromised websites and dismantling portions of a botnet frequently used by the Russia-based cybercrime group Evil Corp. Authorities also seized 106 servers and domains associated with the operation, targeting one of the most prolific malware delivery mechanisms used to facilitate ransomware and other cyberattacks.
Analyst Comments: This takedown is significant because SocGholish is not merely another malware family—it is a malware distribution service that has repeatedly served as an initial access mechanism for ransomware operators, including Evil Corp. By compromising legitimate WordPress sites and using fake browser or software update prompts, SocGholish has been able to infect users at scale and provide downstream access to a variety of criminal groups. The operation demonstrates a growing trend in law enforcement strategy: targeting cybercrime enablers rather than focusing solely on ransomware payloads themselves. Disrupting malware distribution infrastructure can have a multiplier effect, depriving multiple threat actors of a reliable initial access channel.
READ THE STORY: INFO MAG
Sohu Publishes Profile of China's Most Influential Early Hackers and Patriotic Hacking Figures
Bottom Line Up Front (BLUF): A Sohu article revisits the history of China's early hacker community, profiling many of the country's most prominent first-generation hackers and founders of influential groups such as the Green Army, China Hacker Alliance, China Eagle Alliance, and Red Hacker Alliance. The article highlights individuals associated with the 1999–2001 era of patriotic hacking, including participants in the 2001 Sino-U.S. hacker conflict, and details their subsequent transitions into cybersecurity consulting, government support roles, and commercial security leadership positions.
Analyst Comments: The Sohu article profiles numerous well-known figures from China's early hacker scene, including KING (Tan Xuwu), founder of the China Hacker Alliance and a participant in the 2001 Sino-U.S. hacker conflict; goodwell (Gong Wei) and coldface (Zhou Shuai) of the Green Army; chinaeagle (Wan Tao), founder of the China Eagle Alliance; and Lion (Lin Yong), founder of the Red Hacker Alliance. The article describes many of these individuals as pioneers in network security research, exploit development, Unix and Linux security, vulnerability research, and anti-intrusion technologies. Several are noted as later serving as consultants to government agencies, public security organizations, and cybersecurity companies.
READ THE STORY: Sohu (CN)
Kanxue Highlights Evidence-Driven Mobile Security: Single Indicators Insufficient for Android and iOS Trust Decisions
Bottom Line Up Front (BLUF): Kanxue (看雪) Security Community argues that mobile application security should be built around evidence-based trust models rather than relying on single indicators such as app signature verification, bootloader status, or App Attest results. The paper advocates for collecting and correlating runtime evidence, device posture, server-side verification, and application integrity signals to make risk decisions across Android and iOS environments.
Analyst Comments: Many mobile security controls still rely heavily on single signals—such as whether an APK signature validates, whether a device is rooted, or whether App Attest succeeds. The authors argue these approaches create blind spots because attackers can patch individual controls or manipulate isolated trust indicators. Instead, the article proposes building chains of evidence that combine package lineage, runtime behavior, attestation status, device configuration, and backend verification. The emphasis on server-side interpretation is particularly notable. The paper repeatedly stresses that mobile applications should report evidence, while final business decisions—such as permitting logins, payments, or data exports—should remain on the backend to avoid creating fixed patch points or exposing sensitive verification logic.
READ THE STORY: Kanxue
Items of interest
AI-Powered Cyberattacks Outpace Traditional Defenses as Security Vendors Shift Toward Small, Specialized Models
Bottom Line Up Front (BLUF): AI is dramatically accelerating cyber offense, reducing attack timelines from days to minutes and enabling threat actors to automate vulnerability discovery, malware generation, and credential attacks at unprecedented scale. In response, NSFOCUS is advocating and actively developing a hybrid AI defense architecture that combines frontier models with smaller, specialized models capable of operating at the edge, arguing that large general-purpose models alone cannot meet the speed, cost, and deployment requirements of modern cybersecurity operations.
Analyst Comments: While much of the market narrative centers on deploying ever-larger security models, NSFOCUS is positioning itself around a different thesis—that effective cyber defense will require an ecosystem of specialized small models working in conjunction with larger reasoning engines. The company says it is continuously designing and deploying small, scenario-specific models that filter legitimate traffic, establish customer-specific behavioral baselines, and escalate only uncertain events for deeper analysis by larger models. This architecture mirrors a teacher-student model increasingly seen across the industry, where frontier models provide reasoning capabilities while distilled, task-specific models perform frontline detection and triage. The approach also addresses operational realities such as latency requirements, data residency restrictions, and the high costs of processing massive volumes of benign traffic. Despite advances in automation, NSFOCUS emphasizes that human expertise remains indispensable for managing false positives, handling edge cases, and making strategic decisions in rapidly evolving threat environments.
READ THE STORY: NSFOCUS
Knowledge Distillation: How LLMs train each other (Video)
FROM THE MEDIA: In this video, we break down knowledge distillation, the technique that powers models like Gemma 3, LLaMA 4 Scout & Maverick, and DeepSeek-R1. Distillation was prominently discussed at LlamaCon 2025.
What is LLM Distillation? (Video)
FROM THE MEDIA: What is LLM Distillation? Large Language Model (LLM) Distillation is revolutionizing how we make AI models smaller, faster, and more efficient—without losing their power! In this video, we’ll break down what LLM distillation is, why it matters, and how it works. You’ll learn how researchers take massive AI models, like GPT and LLaMA, and distill their knowledge into lighter, more cost-effective versions that can run efficiently on edge devices and enterprise applications.
The selected stories cover a broad range of cyber threats and are intended to help readers frame key publicly discussed threats and improve overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, don’t hesitate to get in touch with InfoDom Securities at dominanceinformation@gmail.com.


