Daily Drop (1324)
06-23-26
Tuesday, Jun 23, 2026 // Buy Bob a Coffee // Ghostwire
U.S. Government Domains Lead Global DNS Resilience, Australia Lags on DNSSEC Adoption
Bottom Line Up Front (BLUF): A new academic study assessing the resilience of authoritative DNS infrastructure across federal government domains in six countries found that the United States maintains the strongest overall DNS resilience, while Australia trails due to widespread lack of DNSSEC implementation. Researchers warn that weaknesses in authoritative DNS infrastructure increase the risk of service disruption, DNS manipulation, and cyberattacks against critical government services.
Analyst Comments: DNS rarely receives executive attention until something breaks, but it remains one of the most critical components of national digital infrastructure. Government services ranging from taxation and healthcare to public safety rely on authoritative DNS as the single source of truth for routing users to legitimate systems. If attackers can disrupt, manipulate, or spoof DNS responses, they can potentially redirect citizens to malicious services, conduct credential theft campaigns, or deny access to essential government functions.
READ THE STORY: Internet Society Pulse
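The three properties the study's framing turns on (redundant nameservers, network diversity between them, and DNSSEC signing) can be checked mechanically. The following is an added example, not code from the study or the Internet Society; it scores constructed sample zones (RFC 5737 documentation addresses, assumed DNSSEC status) on those three properties. The /24 prefix used as the "same network" heuristic is an assumption, not the study's metric.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample data (not measurements from the study): each government
# domain maps to its authoritative nameserver addresses and whether the zone is
# DNSSEC-signed. RFC 5737 documentation prefixes are used for the addresses.
SAMPLE_ZONES = {
    "agency-a.example": (["192.0.2.10", "192.0.2.11", "198.51.100.5", "203.0.113.7"], True),
    "agency-b.example": (["192.0.2.20", "192.0.2.21"], False),
    "agency-c.example": (["203.0.113.1"], False),
}


@dataclass
class Assessment:
    domain: str
    nameservers: int
    distinct_prefixes: int
    dnssec_signed: bool
    findings: list = field(default_factory=list)


def assess_zone(domain, addresses, dnssec_signed, prefix_len=24):
    """Score one zone on redundancy, network diversity and DNSSEC signing.
    prefix_len is a hypothetical heuristic for 'same network failure domain'."""
    prefixes = {ipaddress.ip_network(f"{a}/{prefix_len}", strict=False) for a in addresses}
    result = Assessment(domain, len(addresses), len(prefixes), dnssec_signed)
    if len(addresses) < 2:
        result.findings.append("single nameserver: one outage takes the zone offline")
    if len(prefixes) < 2:
        result.findings.append(f"all nameservers share one /{prefix_len}: common network failure domain")
    if not dnssec_signed:
        result.findings.append("zone unsigned: resolvers cannot detect forged responses")
    return result


def assess_all(zones=SAMPLE_ZONES):
    """Assess every zone in the table; returns domain -> Assessment."""
    return {d: assess_zone(d, addrs, signed) for d, (addrs, signed) in zones.items()}


if __name__ == "__main__":
    for a in assess_all().values():
        status = "OK" if not a.findings else "; ".join(a.findings)
        print(f"{a.domain}: ns={a.nameservers} prefixes={a.distinct_prefixes} "
              f"dnssec={a.dnssec_signed} -> {status}")
```

In practice the nameserver addresses would come from NS and A/AAAA lookups and the DNSSEC flag from the presence of validated DNSKEY/DS records; the scoring logic itself does not change.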
White House Accelerates Post-Quantum Crypto Deadline Amid Growing Quantum Threat Concerns
Bottom Line Up Front (BLUF): The White House has issued a new executive order significantly accelerating the U.S. government’s transition to post-quantum cryptography (PQC). Federal high-value assets and high-impact systems must migrate to quantum-resistant key establishment mechanisms by December 31, 2030, and quantum-safe digital signatures by December 31, 2031—roughly 4-5 years earlier than many previous government timelines. The move reflects growing concerns that advances in quantum computing could enable adversaries to decrypt sensitive data collected today.
Analyst Comments: While no cryptographically relevant quantum computer exists today, recent research continues to reduce the estimated resources needed to break RSA and elliptic curve cryptography, forcing governments and major technology providers to act sooner rather than later. The bigger concern is not immediate decryption but “harvest now, decrypt later” operations. Nation-state adversaries can collect encrypted diplomatic, military, intelligence, healthcare, financial, and corporate data today and store it until quantum capabilities mature. Organizations delaying crypto modernization may discover that their most sensitive information was compromised years before the technology to decrypt it became available.
READ THE STORY: arsTECHNICA
CISA Adds Lantronix Industrial Device Vulnerability to Known Exploited Vulnerabilities Catalog
NOTE: Many of the impacted devices—including Siemens industrial controllers, Honeywell building management systems, Trane automation platforms, EV charging infrastructure, and Lantronix network devices—sit at the intersection of IT and OT environments. As organizations continue connecting traditionally isolated operational systems to enterprise networks and cloud-based management platforms, the attack surface expands significantly.
Bottom Line Up Front (BLUF): The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-67038, affecting Lantronix EDS5000 industrial networking devices, to its Known Exploited Vulnerabilities (KEV) catalog after confirming active exploitation. The update elevates the risk profile for organizations operating industrial control systems (ICS), operational technology (OT), and critical infrastructure environments using affected Lantronix equipment.
Analyst Comments: For industrial environments, the distinction between a published vulnerability and one confirmed as exploited matters. Many ICS vulnerabilities remain difficult to exploit in practice, but KEV inclusion indicates adversaries are already using the flaw successfully. The Lantronix EDS5000 is commonly deployed as an industrial device server and connectivity platform within operational technology environments. These systems often bridge legacy industrial assets with modern IP networks, making them attractive targets for attackers seeking initial access, persistence, or lateral movement into critical infrastructure.
READ THE STORY: Cyber Canada (CA)
Iranian Cyber Groups Use AI to Increase Attacks on Space Infrastructure
Bottom Line Up Front (BLUF): Iranian-aligned threat actors are increasingly leveraging artificial intelligence to enhance cyber operations targeting military and civilian space infrastructure during the ongoing Iran conflict. Security researchers report a significant increase in attack volume, more sophisticated social engineering campaigns, and improved operational security, making attribution and detection more difficult for defenders.
Analyst Comments: The headline is not that AI is creating entirely new attack techniques—it is making existing ones faster, more scalable, and more convincing. Iranian groups historically relied heavily on phishing, credential theft, and influence operations. AI allows them to improve targeting, eliminate language barriers, automate reconnaissance, and create more persuasive impersonation campaigns. Of particular concern is the targeting of space-sector organizations. Satellites, ground stations, space logistics platforms, and supporting contractors are increasingly viewed as critical infrastructure during conflicts. Space systems provide communications, intelligence, navigation, and military support capabilities, making them attractive targets for disruption and espionage.
READ THE STORY: National Defense // FDD
Israel-Linked Cyberattack Disrupts Iranian Banking System Amid Escalating Conflict
Bottom Line Up Front (BLUF): A major cyberattack has disrupted operations at several Iranian banks, with reports indicating the attack was carried out by the pro-Israel hacktivist group Predatory Sparrow (Gonjeshke Darande). The incident temporarily impacted banking services across Iran and marks the latest cyber operation targeting critical financial infrastructure as tensions between Israel and Iran continue to escalate.
Analyst Comments: Predatory Sparrow has built a reputation for conducting some of the most sophisticated and operationally disruptive cyberattacks attributed to a pro-Israel actor. Unlike typical hacktivist groups focused on website defacements or data leaks, the group consistently targets operational systems tied to strategic Iranian infrastructure, including fuel distribution networks, steel production facilities, rail systems, and now financial institutions. The timing is notable. As kinetic and diplomatic pressure on Iran increases, cyber operations appear to be functioning as an additional layer of statecraft. Whether Predatory Sparrow operates independently or with state support remains publicly unconfirmed, but its historical targeting, technical sophistication, and strategic impact have long fueled speculation about links to Israeli interests.
READ THE STORY: The Telegraph
Tata Electronics Confirms Cyberattack After World Leaks Publishes Alleged Apple Manufacturing Data
Bottom Line Up Front (BLUF): Tata Electronics has confirmed a cyberattack affecting portions of its IT infrastructure after the World Leaks extortion group published data allegedly stolen from the company. While Tata states manufacturing operations remain unaffected, the leaked material reportedly includes Apple-related manufacturing documents, component schematics, PCB designs, and development files. The incident highlights growing espionage and extortion risks facing global technology supply chains.
Analyst Comments: If the leaked files are authentic, the incident could provide threat actors, competitors, or nation-state intelligence services with insight into manufacturing processes, component designs, and product development workflows. World Leaks’ involvement is also notable. Unlike traditional ransomware operators, the group has shifted to a pure data-extortion model, focusing on stealing sensitive information and leveraging public exposure as the primary pressure mechanism. That trend continues across the threat landscape as organizations improve recovery capabilities and reduce the effectiveness of encryption-based attacks.
READ THE STORY: Bleeping Computer
Samsung KNOX Kernel Flaw Could Enable Full Galaxy Device Compromise Across Multiple Generations
Bottom Line Up Front (BLUF): Researchers at LucidBit Labs disclosed CVE-2026-20971, a kernel-level use-after-free (UAF) vulnerability within Samsung's KNOX security framework that could allow attackers to achieve kernel memory corruption and potentially full device compromise. The flaw affects a broad range of Samsung Galaxy devices spanning Galaxy S9 through S25, including A-series devices running Android 13-16. Samsung patched the issue in its January 2026 security update.
Analyst Comments: The vulnerability resides inside Samsung’s KNOX security architecture—software specifically designed to improve device security—but ultimately introduced a new kernel attack surface. What makes this finding noteworthy is not simply the UAF itself, but the researchers’ ability to transform a narrow race condition into practical exploitation primitives despite modern mitigations such as Kernel Control Flow Integrity (KCFI). While KCFI successfully blocked some arbitrary code execution paths, researchers still identified alternate methods to achieve controlled memory corruption.
READ THE STORY: Security Affairs
OpenClaw Skill Marketplace Abused by Malware, Fraud, and AI Supply Chain Attacks
Bottom Line Up Front (BLUF): Palo Alto Networks Unit 42 identified multiple malicious skills in the OpenClaw AI ecosystem that bypassed existing security controls and abused the platform’s agentic execution model. Researchers found infostealers, defense-evasion techniques, affiliate fraud schemes, and AI-driven financial manipulation campaigns operating through ClawHub, demonstrating that AI agent marketplaces are rapidly becoming a new software supply chain attack surface.
Analyst Comments: Traditional software supply chain attacks typically focus on code execution. In contrast, malicious AI skills can weaponize trust, instructions, and agent autonomy. The most concerning finding is not the malware itself—it’s the emergence of “agentic threats” where attackers manipulate AI agents into generating affiliate revenue, promoting financial products, or participating in coordinated market activity without requiring a conventional exploit.
READ THE STORY: Unit 42
Icarus Expands Salesforce Data Theft Campaign Through Klue OAuth Breach
Bottom Line Up Front (BLUF): The scope of the Klue OAuth compromise continues to grow as multiple technology and cybersecurity firms confirm unauthorized access to Salesforce data after attackers abused OAuth tokens obtained during Klue’s breach. The extortion group Icarus has begun leaking stolen data and claims additional victims will emerge. While most impacted organizations report no compromise of core products or infrastructure, the incident demonstrates how third-party SaaS integrations can create cascading supply chain exposure across entire customer ecosystems.
Analyst Comments: The story is not Salesforce itself—it’s the trust relationship created by OAuth integrations. Once attackers obtained Klue’s access, they effectively inherited visibility into customer Salesforce environments across multiple organizations. The victim list is notable because it includes security vendors and technology companies that generally maintain mature security programs. That reinforces a recurring lesson: third-party integrations often bypass traditional security boundaries. The attack also echoes the 2025 Salesloft-related Salesforce compromises, where exposed CRM environments contained API tokens, operational data, and other sensitive business information.
READ THE STORY: DR
Cisco SD-WAN Zero-Day Campaign Highlights Growing Focus on Network Infrastructure
Bottom Line Up Front (BLUF): Federal agencies reached CISA's June 23 remediation deadline for two actively exploited network infrastructure vulnerabilities: Cisco Catalyst SD-WAN Manager CVE-2026-20245 and Arista EOS CVE-2026-7473. The Cisco flaw is particularly noteworthy because it represents the seventh actively exploited Cisco SD-WAN zero-day disclosed in 2026, reinforcing concerns that attackers are systematically targeting enterprise network management platforms rather than individual endpoints.
Analyst Comments: For years, defenders concentrated on securing servers, workstations, and identity systems. Increasingly, threat actors are targeting the infrastructure that controls everything else. Cisco SD-WAN Manager serves as the central authority for enterprise routing, traffic steering, segmentation, and policy enforcement across potentially hundreds of branch locations. A compromise at that layer gives attackers network-wide influence without needing to compromise each endpoint individually. The fact that Cisco has now disclosed seven exploited SD-WAN vulnerabilities in a single year suggests a sustained campaign against management-plane infrastructure rather than isolated vulnerability discovery.
READ THE STORY: Techtimes
Microsoft Rolls Out Point-in-Time Restore in Windows 11 Preview Update
Bottom Line Up Front (BLUF): Microsoft has released the optional Windows 11 KB5095093 preview update, introducing Point-in-Time Restore, a new recovery capability that allows users to roll back their entire system—including applications, settings, and personal files—to a previous state within minutes. The update also includes reliability improvements across networking, Bluetooth, File Explorer, Windows Update, and accessibility features.
Analyst Comments: Unlike traditional System Restore, which primarily targets system files and settings, Microsoft's new approach captures a broader system state and can restore applications and user data from snapshots taken automatically over the previous 72 hours. From a cybersecurity and operational resilience perspective, this provides organizations with a faster recovery option following failed updates, software instability, configuration errors, or limited malware incidents. While it is not a replacement for backups or disaster recovery solutions, it adds another layer to endpoint resilience and could reduce downtime for both enterprise and consumer systems. The broader trend is clear: Microsoft is increasingly building recovery and resilience features directly into Windows as ransomware and operational disruptions continue to drive demand for faster restoration capabilities.
READ THE STORY: Bleeping Computer
Critical pgAdmin 4 Flaws Enable Unauthenticated RCE and Database Credential Theft
Bottom Line Up Front (BLUF): Belgium's Centre for Cybersecurity (CCB) is warning organizations to immediately patch pgAdmin 4 versions prior to 9.16 after the disclosure of three critical vulnerabilities that can enable unauthenticated remote code execution, credential theft, database compromise, and cross-site scripting attacks. The most severe issues carry CVSS scores up to 9.3 and affect one of the most widely used PostgreSQL administration platforms.
Analyst Comments: Together, the three flaws create several viable attack chains that can result in full database administration compromise and, in certain configurations, underlying server compromise. The standout issue is CVE-2026-12046, which allows unauthenticated attackers to reach vulnerable SQL Editor endpoints that expose a pickle deserialization sink. Unauthenticated RCE in administrative software is always a high-priority event, especially for platforms that often manage production databases containing sensitive business data.
READ THE STORY: CCB
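A pickle deserialization sink is dangerous because a pickle stream can name any importable global and call it during loading. The following is an added example, not pgAdmin's code, showing the two defensive options a maintainer has: a restricted unpickler that refuses every global not on an explicit allowlist, and the preferred replacement of carrying editor state as JSON, which can only ever produce data. The allowlist and the sample payloads are constructed for the demonstration.

```python
import collections
import io
import json
import pickle

# Hypothetical allowlist of the only globals a restricted unpickler may resolve.
# Plain scalars and containers (str, int, dict, list) never go through
# find_class, so simple editor state needs no entries at all.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse to resolve any global (class or callable) not explicitly allowlisted.
    The GLOBAL/STACK_GLOBAL opcodes are how a pickle stream names arbitrary code."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def try_load(data: bytes):
    """Return (True, obj) for an accepted pickle, (False, reason) for a rejected one."""
    try:
        return True, RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return False, str(exc)


# Preferred fix: do not accept pickle from the client at all. JSON carries the
# same editor state and the parser has no way to instantiate arbitrary objects.
def encode_state(state: dict) -> str:
    return json.dumps(state)


def decode_state(payload: str) -> dict:
    state = json.loads(payload)
    if not isinstance(state, dict):
        raise ValueError("editor state must be a JSON object")
    return state


# Constructed sample payloads for the demonstration.
def sample_plain() -> bytes:
    return pickle.dumps({"sql": "SELECT 1", "limit": 100})


def sample_allowed_global() -> bytes:
    return pickle.dumps(collections.OrderedDict(a=1))


def sample_disallowed_global() -> bytes:
    # Counter is harmless, but it is not allowlisted: the stream names a global
    # the application never approved, which is exactly what must be rejected.
    return pickle.dumps(collections.Counter("aab"))


if __name__ == "__main__":
    for label, payload in [("plain", sample_plain()),
                           ("allowed global", sample_allowed_global()),
                           ("disallowed global", sample_disallowed_global())]:
        print(label, "->", try_load(payload))
    print(decode_state(encode_state({"sql": "SELECT 1"})))
```

The restricted unpickler is a containment measure for code that cannot drop pickle immediately; it still exposes the full pickle virtual machine to untrusted input, so the JSON path is the one to migrate to.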
Cisco Unified CM Vulnerability Now Under Active Exploitation
Bottom Line Up Front (BLUF): A high-severity Cisco Unified Communications Manager (Unified CM) vulnerability, CVE-2026-20230 (CVSS 8.6), is now being actively exploited in the wild. The flaw allows unauthenticated attackers to abuse a Server-Side Request Forgery (SSRF) vulnerability in the WebDialer component to write arbitrary files to the underlying operating system, creating a pathway to root-level compromise. Organizations running vulnerable Unified CM or Unified CM Session Management Edition (SME) systems should prioritize patching immediately.
Analyst Comments: While current activity appears focused on reconnaissance and vulnerability validation, that window rarely stays open for long. Unified CM systems are attractive targets because they often sit at the center of enterprise voice infrastructure, maintain privileged network access, and frequently support business-critical communications. Once attackers move beyond testing payloads, defenders should expect webshell deployment, credential harvesting, persistence mechanisms, and lateral movement attempts. The fact that exploitation requires no authentication significantly raises the risk profile, especially for internet-exposed deployments.
READ THE STORY: Bleeping Computer
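The flaw described above is a server-side request forgery: a server component fetches a URL influenced by the client. The following is an added example, not Cisco's code, of the validation pattern that closes the class: an allowlist of schemes and hosts, rejection of embedded credentials, and a check that the name actually resolves to an address outside internal ranges (which also catches an allowlisted name that has been pointed at loopback). The host allowlist, blocked ranges and the offline resolver table are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Hypothetical allowlist of the only hosts this server-side fetcher may contact.
ALLOWED_HOSTS = {"directory.corp.example", "rebind.corp.example"}

# Explicit blocked ranges: loopback, RFC 1918, link-local (cloud metadata lives
# at 169.254.169.254), shared address space and their IPv6 counterparts.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed resolver table so the example runs offline. A real deployment
# resolves with the system resolver and then connects to the address it checked,
# never re-resolving the name afterwards.
FAKE_DNS = {
    "directory.corp.example": "203.0.113.10",
    "rebind.corp.example": "127.0.0.1",   # allowlisted name pointed at loopback
}


def fake_resolver(host: str) -> str:
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise OSError(f"cannot resolve {host}")


def is_internal(address: str) -> bool:
    """True if the address falls inside any blocked range (version-mismatched
    networks never match, so IPv4 and IPv6 can share one list)."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in BLOCKED_NETWORKS)


def validate_outbound_url(url: str, resolver=fake_resolver):
    """Return (True, resolved_ip) if the fetcher may contact this URL, else (False, reason)."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not allowlisted"
    try:
        address = resolver(host)
    except OSError as exc:
        return False, str(exc)
    if is_internal(address):
        return False, f"{host} resolves to internal address {address}"
    return True, address


if __name__ == "__main__":
    for u in ("https://directory.corp.example/lookup?ext=1234",
              "http://rebind.corp.example/",
              "http://169.254.169.254/latest/meta-data",
              "file:///etc/passwd",
              "http://directory.corp.example@evil.example/"):
        print(u, "->", validate_outbound_url(u))
```

Beyond validation, the fetcher should run with no write access to the host filesystem and should pass a caller-controlled URL only through a dedicated outbound proxy, so that a bypass of the checks still cannot turn a request into a file write.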
Items of interest
Two Scattered Spider Members Plead Guilty Over Transport for London Cyberattack
Bottom Line Up Front (BLUF): Two alleged Scattered Spider members, Thalha Jubair, 20, and Owen Flowers, 18, pleaded guilty to compromising Transport for London between August 31 and September 3, 2024. The attack caused major disruption, forced password resets for roughly 28,000 employees, impacted Oyster services, and generated estimated losses of £29 million. Sentencing is expected on July 16, 2026.
Analyst Comments: Scattered Spider’s strength is not exotic malware; it is identity abuse, social engineering, credential theft, and fast coordination across collaborative platforms. The TfL case also shows why identity compromise is now critical infrastructure risk. A few operators with stolen credentials and remote access can disrupt public services, delay customer reimbursements, and force enterprise-wide resets. For defenders, the lesson is blunt: if help desk workflows, MFA recovery, and privileged access monitoring are weak, attackers do not need zero-days.
READ THE STORY: GBhackers
Scattered Spider | The Cybercrime Apex Predator (Video)
FROM THE MEDIA: Scattered Spider — the hacker collective behind massive cyber threats like the MGM Resorts shutdown and the Marks & Spencer cyberattack — is changing the cybersecurity landscape.
Inside Scattered Spider: Who They Are (Video)
FROM THE MEDIA: Scattered Spider is no ordinary threat actor.
This decentralized, English-speaking cybercrime collective has breached the likes of Twilio, DoorDash, and major financial institutions, relying not on brute force, but highly believable social engineering.
The selected stories cover a broad range of cyber threats and are intended to help readers frame key publicly discussed threats and improve overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, don’t hesitate to get in touch with InfoDom Securities at dominanceinformation@gmail.com.