Daily Drop (1325)
06-24-26
Wednesday, Jun 24, 2026 // Ghostwire
Five Eyes Warn AI Will Transform Cyber Operations Within Months, Not Years
Bottom Line Up Front (BLUF): The Five Eyes intelligence alliance (United States, United Kingdom, Canada, Australia, and New Zealand) issued an unusually direct warning that frontier AI models are expected to fundamentally reshape cybersecurity within months rather than years. Intelligence officials believe AI will dramatically accelerate both offensive and defensive cyber capabilities, reducing the time between vulnerability discovery and active exploitation while lowering barriers for less sophisticated threat actors.
Analyst Comments: When the Five Eyes publishes a coordinated warning, it's worth paying attention. What's notable here isn't that AI will impact cybersecurity—that's already happening. The significant part is the timeline. Intelligence agencies are effectively signaling that the pace of capability development is outstripping current organizational preparedness. This aligns with recent developments across the industry: OpenAI's Daybreak vulnerability remediation initiative, Anthropic's increasingly autonomous enterprise agents, AI-assisted vulnerability discovery research, and growing evidence that threat actors are operationalizing AI for phishing, reconnaissance, malware development, and social engineering. The warning reflects a growing consensus that organizations are approaching a period where cyber operations become increasingly machine-speed rather than human-speed.
READ THE STORY: The Record
OpenAI Expands Daybreak Initiative to Automate Vulnerability Remediation and Open-Source Security
Bottom Line Up Front (BLUF): OpenAI has expanded its Daybreak cybersecurity initiative, shifting AI security efforts beyond vulnerability discovery and into automated remediation. The company announced major enhancements to Codex Security, expanded access to GPT-5.5-Cyber, launched a cyber partner ecosystem, and introduced Patch the Planet, an initiative focused on helping open-source projects identify and fix vulnerabilities. The move reflects a broader industry push toward using AI to address the growing backlog of unpatched software flaws.
Analyst Comments: Security teams are drowning in scanner results, bug bounty submissions, CVEs, and dependency alerts while developer resources remain constrained. OpenAI’s strategy directly targets this imbalance by focusing AI on validation, prioritization, and patch generation rather than simply increasing vulnerability discovery rates. If successful, this could significantly reduce remediation timelines and help organizations address one of the largest operational challenges in modern security programs. The real test, however, will be whether enterprises trust AI-generated patches in production environments. Generating a fix is one thing; deploying it safely at scale is another.
READ THE STORY: HNS
Anthropic Launches Claude Tag for Slack, Bringing Persistent AI Agents Into Enterprise Workflows
Bottom Line Up Front (BLUF): Anthropic has launched Claude Tag, a new AI agent capability for Slack that transforms Claude from a chatbot into a persistent, collaborative team member capable of executing tasks, accessing approved enterprise data, and autonomously managing workflows. Available in beta for Claude Enterprise and Team customers, the feature allows organizations to embed AI directly into operational processes, signaling a major step toward agentic AI adoption across the enterprise.
Analyst Comments: Claude Tag moves AI from an on-demand assistant model to an embedded operational role inside the collaboration platforms where work actually happens. The security implications are substantial. Organizations are no longer granting AI access to a single conversation—they are granting it persistent visibility into channels, code repositories, datasets, workflows, and business processes. While Anthropic emphasizes access controls, audit logging, and role separation, the real challenge for security teams will be governance. Every new AI identity effectively becomes a privileged service account that requires the same scrutiny applied to human users, APIs, and automation platforms. Expect competitors to accelerate similar offerings as enterprise AI shifts from productivity enhancement to workflow execution.
READ THE STORY: GBhackers
DifyTap: Four Vulnerabilities Expose Cross-Tenant Data Across 1M+ AI Applications
Bottom Line Up Front (BLUF): Researchers at Zafran Labs disclosed four vulnerabilities in the open-source AI platform Dify that could allow attackers to access private documents, AI conversations, and application data across tenant boundaries. Two flaws are rated critical (CVE-2026-41947 and CVE-2026-41948), including an unauthenticated vulnerability that enables access to internal Plugin Daemon endpoints. Dify is used by major enterprises and powers more than one million AI applications across over 60 industries, making the potential exposure significant.
Analyst Comments: The most concerning issue is the breakdown of tenant isolation, allowing one customer to potentially access another customer’s data. This is the type of failure cloud providers spend years engineering to prevent. The research also exposes a broader challenge facing AI ecosystems: platforms routinely process untrusted files, plugins, and user content while relying on complex third-party components that often receive insufficient security scrutiny. Expect threat actors to increasingly focus on AI orchestration platforms as they become embedded into enterprise operations. This is less a Dify problem and more a preview of what defenders should expect across the AI application stack.
READ THE STORY: Security Affairs
Cisco Unified CM Vulnerability Now Under Active Exploitation Following Public PoC Release
Bottom Line Up Front (BLUF): Threat actors have begun actively exploiting CVE-2026-20230, a high-severity Server-Side Request Forgery (SSRF) vulnerability in Cisco Unified Communications Manager (Unified CM) and Unified CM Session Management Edition (SME) that lets unauthenticated attackers write arbitrary files to the underlying operating system. Researchers have observed exploitation attempts in the wild following publication of technical details and proof-of-concept (PoC) code. Successful exploitation can ultimately lead to root-level access on vulnerable systems.
Analyst Comments: Cisco released patches on June 3, and within weeks researchers are observing live attacks against internet-facing systems. While the current activity appears largely reconnaissance-oriented—testing whether systems are vulnerable—the publication of a functional PoC significantly raises the likelihood of broader exploitation. Unified CM sits at the heart of enterprise voice infrastructure, often integrated with Active Directory, collaboration platforms, contact centers, and critical communications systems. A compromise here isn’t just a phone system problem; it can become an enterprise access problem. Organizations running Cisco Unified CM should assume opportunistic scanning is already underway.
READ THE STORY: THN
PoC Released for Microsoft Exchange EWS SSRF Vulnerability
Bottom Line Up Front (BLUF): A proof-of-concept exploit is now available for CVE-2026-45502, a Microsoft Exchange Server SSRF flaw in the Exchange Web Services InstallApp operation. Authenticated mailbox users can abuse the ManifestUrl parameter to force Exchange servers to make HTTP requests to internal or external systems, enabling internal reconnaissance and possible attack chaining.
Analyst Comments: This is not a headline-grabbing unauthenticated Exchange bug, but defenders should not shrug it off. Exchange servers often sit in privileged network positions with visibility into internal services attackers cannot normally reach. Even a “blind” SSRF can be useful for mapping internal assets, probing metadata endpoints, and setting up follow-on exploitation. The public PoC raises the likelihood of opportunistic testing, especially against organizations slow to apply June 2026 Exchange updates.
READ THE STORY: GBhackers
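The Exchange item above describes the mechanism (an authenticated user supplies a ManifestUrl that the server then fetches) but not how to spot abuse of it. The following is an added example, not code from the original page, from Microsoft, or from the PoC author: a small Python checker that pulls every ManifestUrl out of an EWS InstallApp SOAP body and flags destinations an Exchange server has no business fetching add-in manifests from. The EWS messages namespace is real; the SOAP skeleton, the `ManifestUrl` element placement, the sample requests, and all hostnames and addresses are constructed assumptions for illustration. It also handles three SSRF filter-evasion forms that a naive "starts with 10." string check misses: the bare-integer IP, the `user@host` trick, and a non-HTTP scheme.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Real EWS message namespace; the SOAP layout built below is an assumed shape.
EWS_MESSAGES_NS = "http://schemas.microsoft.com/exchange/services/2006/messages"
ALLOWED_SCHEMES = ("http", "https")
INTERNAL_SUFFIXES = (".internal", ".local", ".corp")  # assumed internal DNS suffixes


def _local_name(tag: str) -> str:
    """'{namespace}Name' -> 'Name'."""
    return tag.rsplit("}", 1)[-1]


def _host_as_ip(host: str):
    """Return an ip_address for IP-literal hosts, including the bare-integer form
    (2130706433 == 127.0.0.1) that defeats naive string matching; else None."""
    try:
        return ipaddress.ip_address(int(host) if host.isdigit() else host)
    except ValueError:
        return None


def classify_manifest_url(url: str) -> str:
    """Return a reason string if the URL points somewhere an Exchange server should
    not fetch from (loopback, link-local/cloud metadata, RFC 1918, internal names,
    non-HTTP schemes, userinfo tricks); return '' if it looks benign."""
    parsed = urlparse(url.strip())
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return f"non-http scheme {parsed.scheme!r}"
    host = (parsed.hostname or "").lower()
    if not host:
        return "empty host"
    if parsed.username is not None:
        # http://store.example.com@10.0.0.5/ : urlparse already picks 10.0.0.5 as
        # the host, but userinfo in a manifest URL is itself worth flagging.
        return "userinfo in URL"
    ip = _host_as_ip(host)
    if ip is not None:
        if ip.is_loopback or ip.is_link_local:  # 169.254.169.254 lands here
            return f"loopback/link-local target {ip}"
        if not ip.is_global:
            return f"non-public IP target {ip}"
        return ""
    if host == "localhost" or "." not in host or host.endswith(INTERNAL_SUFFIXES):
        return f"internal hostname {host!r}"
    return ""


def find_suspicious_installapp(soap_body: str) -> list:
    """Scan one EWS SOAP request; return (url, reason) for each flagged ManifestUrl."""
    try:
        root = ET.fromstring(soap_body)
    except ET.ParseError:
        return []  # malformed XML never reaches InstallApp; nothing to judge
    findings = []
    for op in root.iter():
        if _local_name(op.tag) != "InstallApp":
            continue
        for child in op.iter():
            if _local_name(child.tag) == "ManifestUrl" and child.text:
                reason = classify_manifest_url(child.text)
                if reason:
                    findings.append((child.text.strip(), reason))
    return findings


def _soap(manifest_url: str) -> str:
    """Constructed SOAP skeleton for illustration; real requests carry more headers."""
    return f"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:m="{EWS_MESSAGES_NS}">
  <soap:Body>
    <m:InstallApp>
      <m:ManifestUrl>{manifest_url}</m:ManifestUrl>
    </m:InstallApp>
  </soap:Body>
</soap:Envelope>"""


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = {
    "public_store": _soap("https://addins.example.com/manifest.xml"),
    "metadata": _soap("http://169.254.169.254/latest/meta-data/"),
    "decimal_loopback": _soap("http://2130706433/"),
    "userinfo_trick": _soap("http://store.example.com@10.0.0.5/manifest.xml"),
    "file_scheme": _soap("file:///C:/inetpub/wwwroot/web.config"),
}


def scan_all(requests: dict) -> dict:
    return {name: find_suspicious_installapp(body) for name, body in requests.items()}


if __name__ == "__main__":
    for name, hits in scan_all(SAMPLE_REQUESTS).items():
        print(f"{name:18} {hits or 'ok'}")
```

Run against a tap of `/EWS/Exchange.asmx` POST bodies, the same logic gives a cheap post-patch hunting query: any InstallApp whose ManifestUrl resolves to loopback, link-local or RFC 1918 space is a probe, whatever the CVE status of the server.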
Critical Jenkins Deserialization Flaw Enables User Impersonation and Potential RCE
Bottom Line Up Front (BLUF): The Centre for Cybersecurity Belgium (CCB) is warning organizations to immediately patch CVE-2026-53435, a high-severity Jenkins deserialization vulnerability affecting Jenkins versions prior to 2.567 and LTS 2.555.2. The flaw allows authenticated users to impersonate other users, execute arbitrary code, and access sensitive files, creating a significant risk for organizations that rely on Jenkins for CI/CD operations.
Analyst Comments: Jenkins remains one of the most attractive targets in enterprise environments because it often sits at the center of development pipelines with access to source code, secrets, build infrastructure, and production deployment workflows. While exploitation requires an authenticated account with specific permissions, that’s not much comfort in environments where attackers routinely gain footholds through phishing, credential theft, or compromised developer accounts. Once inside Jenkins, the ability to impersonate users and potentially access the script console can quickly turn a low-level compromise into full environment takeover. Organizations should treat this as more than a routine patch cycle item—Jenkins servers frequently hold the keys to the kingdom.
READ THE STORY: CCB
Webmin Stored XSS Flaw Allows Low-Privilege Users to Target Root Administrators
Bottom Line Up Front (BLUF): A stored cross-site scripting (XSS) vulnerability tracked as CVE-2026-22678 affects Webmin versions prior to 2.641 and allows authenticated users with limited permissions to inject malicious JavaScript into notification email templates. When a privileged administrator or root user views the modified template, the payload executes in their browser session, potentially leading to session hijacking, privilege escalation, and full system compromise.
Analyst Comments: Stored XSS vulnerabilities in administrative platforms are often underestimated because they typically require some level of authenticated access. That's a mistake. In environments where multiple administrators, operators, or delegated users access management consoles, stored XSS can become an effective privilege-escalation mechanism. In this case, a low-privilege Webmin user can potentially compromise a root-level administrator simply by planting a payload and waiting. Since Webmin frequently manages Linux servers, credentials, services, and configuration settings, successful exploitation could provide attackers with direct access to critical infrastructure. The attack path is straightforward, and organizations running Webmin should prioritize patching.
READ THE STORY: GBhackers
FortiBleed: 110 Million Credentials Harvested Through Global FortiGate Access Operation
Bottom Line Up Front (BLUF): Security researchers have uncovered FortiBleed, a large-scale credential harvesting campaign targeting more than 430,000 FortiGate firewalls worldwide and resulting in the collection of over 110 million credentials. Rather than relying on a zero-day vulnerability, the operation combines mass scanning, credential stuffing, brute forcing, configuration harvesting, password cracking, and passive credential interception to systematically build a catalog of enterprise access for monetization and downstream attacks.
Analyst Comments: FortiBleed represents the evolution of the modern Initial Access Broker (IAB) model. This is not a ransomware operation, espionage campaign, or smash-and-grab intrusion. It's industrialized access harvesting. The operators appear less interested in any single victim than in creating a scalable pipeline that continuously converts exposed perimeter devices into credentials, credentials into network access, and network access into a marketable commodity. The most concerning aspect is that the campaign reportedly does not rely on a new vulnerability. Instead, it exploits weak passwords, credential reuse, poor MFA adoption, exposed services, and operational security gaps that exist in thousands of organizations today. This is exactly the kind of campaign that demonstrates why identity has become the primary battleground in cybersecurity.
READ THE STORY: THN
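The FortiBleed item above makes the point that the operators need no new vulnerability, only exposed logins and weak or reused passwords. The detection side of that is unglamorous: count failed authentications per source and notice when a success follows a burst of failures. The following is an added example, not code from the original page or from Fortinet: a Python sliding-window detector over FortiGate-style key=value event logs that fires on brute force (many failures from one source), password spraying (many distinct usernames from one source) and the case that matters most, a success after a run of failures. The log lines are constructed and only approximate FortiGate's admin-login and SSL VPN event format; the field names, logids, thresholds and addresses are assumptions, so map them to your own firmware's fields before relying on it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# FortiGate event logs are key=value pairs; values are double-quoted or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

WINDOW = timedelta(minutes=5)   # look-back per source address (assumed)
BRUTE_THRESHOLD = 5             # failures from one source inside the window
SPRAY_THRESHOLD = 3             # distinct usernames failing from one source
SUCCESS_AFTER = 3               # failures before a success becomes interesting

# Constructed sample lines approximating FortiGate admin and SSL VPN login events.
# Field names, logids and addresses are illustrative, not captured traffic.
SAMPLE_LOG = """\
date=2026-06-22 time=09:00:01 devname="fw-edge-1" logid="0100032002" type="event" subtype="system" logdesc="Admin login failed" user="admin" ui="https(203.0.113.9)" srcip=203.0.113.9 action="login" status="failed" reason="passwd_invalid"
date=2026-06-22 time=09:00:03 devname="fw-edge-1" logid="0100032002" type="event" subtype="system" logdesc="Admin login failed" user="admin" ui="https(203.0.113.9)" srcip=203.0.113.9 action="login" status="failed" reason="passwd_invalid"
date=2026-06-22 time=09:00:05 devname="fw-edge-1" logid="0100032002" type="event" subtype="system" logdesc="Admin login failed" user="admin" ui="https(203.0.113.9)" srcip=203.0.113.9 action="login" status="failed" reason="passwd_invalid"
date=2026-06-22 time=09:00:07 devname="fw-edge-1" logid="0100032002" type="event" subtype="system" logdesc="Admin login failed" user="admin" ui="https(203.0.113.9)" srcip=203.0.113.9 action="login" status="failed" reason="passwd_invalid"
date=2026-06-22 time=09:00:09 devname="fw-edge-1" logid="0100032002" type="event" subtype="system" logdesc="Admin login failed" user="admin" ui="https(203.0.113.9)" srcip=203.0.113.9 action="login" status="failed" reason="passwd_invalid"
date=2026-06-22 time=09:00:11 devname="fw-edge-1" logid="0100032001" type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(203.0.113.9)" srcip=203.0.113.9 action="login" status="success"
date=2026-06-22 time=09:01:00 devname="fw-edge-1" logid="0101039426" type="event" subtype="vpn" logdesc="SSL VPN login fail" action="ssl-login-fail" remip=198.51.100.7 user="alice" reason="sslvpn_login_permission_denied" tunneltype="ssl-web"
date=2026-06-22 time=09:01:02 devname="fw-edge-1" logid="0101039426" type="event" subtype="vpn" logdesc="SSL VPN login fail" action="ssl-login-fail" remip=198.51.100.7 user="bob" reason="sslvpn_login_unknown_user" tunneltype="ssl-web"
date=2026-06-22 time=09:01:04 devname="fw-edge-1" logid="0101039426" type="event" subtype="vpn" logdesc="SSL VPN login fail" action="ssl-login-fail" remip=198.51.100.7 user="carol" reason="sslvpn_login_permission_denied" tunneltype="ssl-web"
date=2026-06-22 time=09:30:00 devname="fw-edge-1" logid="0100032002" type="event" subtype="system" logdesc="Admin login failed" user="ops" ui="https(192.0.2.40)" srcip=192.0.2.40 action="login" status="failed" reason="passwd_invalid"
date=2026-06-22 time=09:31:00 devname="fw-edge-1" logid="0100032001" type="event" subtype="system" logdesc="Admin login successful" user="ops" ui="https(192.0.2.40)" srcip=192.0.2.40 action="login" status="success"
"""


def parse_line(line: str) -> dict:
    """Turn one key=value log line into a dict, unquoting quoted values."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in KV_RE.findall(line)}


def _when(f: dict) -> datetime:
    return datetime.strptime(f"{f['date']} {f['time']}", "%Y-%m-%d %H:%M:%S")


def _failed(f: dict) -> bool:
    # admin failures use action/status; SSL VPN failures carry a dedicated action
    return (f.get("action") == "login" and f.get("status") == "failed") \
        or f.get("action") == "ssl-login-fail"


def _succeeded(f: dict) -> bool:
    return f.get("action") == "login" and f.get("status") == "success"


def detect_credential_attacks(log_text: str) -> list:
    """Return (kind, source_ip, detail) alerts in the order they fire."""
    alerts = []
    failures = defaultdict(deque)   # src -> deque of (timestamp, user) inside WINDOW
    already = set()                 # (kind, src) pairs already alerted, to avoid spam
    for raw in log_text.splitlines():
        f = parse_line(raw)
        src = f.get("srcip") or f.get("remip")
        if not src or "date" not in f:
            continue
        ts = _when(f)
        q = failures[src]
        while q and ts - q[0][0] > WINDOW:      # expire old failures
            q.popleft()
        if _failed(f):
            q.append((ts, f.get("user", "?")))
            users = {u for _, u in q}
            if len(q) >= BRUTE_THRESHOLD and ("brute_force", src) not in already:
                already.add(("brute_force", src))
                alerts.append(("brute_force", src, len(q)))
            if len(users) >= SPRAY_THRESHOLD and ("password_spray", src) not in already:
                already.add(("password_spray", src))
                alerts.append(("password_spray", src, len(users)))
        elif _succeeded(f) and len(q) >= SUCCESS_AFTER:
            # the guess that worked: this is the one to page on, not the noise before it
            alerts.append(("success_after_failures", src, f.get("user", "?")))
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_attacks(SAMPLE_LOG):
        print(alert)
```

The "success after failures" rule is the one worth tuning carefully: a brute-force burst from a scanner is daily background noise on an internet-facing firewall, but a success from the same source inside the window is evidence that a harvested or guessed credential is now live and should trigger a forced password reset and a session review rather than a ticket.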
LastPass Customer Data Exposed Through Klue Supply Chain Attack
Bottom Line Up Front (BLUF): LastPass disclosed that attackers leveraged compromised OAuth tokens stolen during a breach of Klue, a third-party market intelligence platform, to access customer information stored in its Salesforce environment. While password vaults, products, and core infrastructure were not affected, exposed CRM data includes customer contact information, support records, and sales-related data that could fuel targeted phishing and social engineering campaigns.
Analyst Comments: The compromise was not the result of a direct attack against LastPass but rather a trusted third-party platform holding privileged OAuth access into business systems. Threat actors continue to target these integration points because a single compromise can provide access to multiple downstream organizations. Given LastPass's history and high-profile customer base, attackers will likely weaponize the stolen data for credential harvesting, business email compromise (BEC), and impersonation campaigns. Organizations should review third-party OAuth permissions, continuously monitor connected applications, and enforce token lifecycle management to reduce exposure from similar supply chain compromises.
READ THE STORY: HNS
GhostShell Targets Ukraine’s UAV Ecosystem Using RAR Exploit and Persistent VBS Loader
Bottom Line Up Front (BLUF): Researchers identified a targeted espionage campaign against Ukraine’s unmanned aerial vehicle (UAV) sector that abuses RAR archive vulnerabilities (CVE-2025-8088 and CVE-2025-6218) to deploy a persistent Visual Basic Script (VBS) loader. The operation, attributed to a previously untracked actor dubbed GhostShell, uses drone-related decoy documents to infect military, procurement, engineering, and defense-sector personnel before delivering a multi-stage malware framework designed for intelligence collection.
Analyst Comments: Rather than pursuing financial gain, GhostShell appears focused on collecting information from Ukraine’s drone ecosystem—a strategic target given the central role UAVs play in the conflict. The operation combines social engineering, archive exploitation, persistence mechanisms, encrypted payload delivery, and custom command-and-control infrastructure. What stands out is the actor’s targeting discipline. The lure documents reference drone hardware, launch systems, charging stations, and procurement materials, suggesting reconnaissance and victim selection were conducted well before delivery. This is not opportunistic malware; it is a focused collection effort aligned with military and defense objectives.
READ THE STORY: GBhackers
Dropping Elephant Uses Fake PDF Shortcut and “GoogleErrorReport” Persistence to Deploy Memory-Resident RAT
Bottom Line Up Front (BLUF): Researchers have identified a new campaign by the Dropping Elephant threat group that uses a malicious Windows shortcut file disguised as an industrial contract document to deploy a memory-resident remote access trojan (RAT). The malware abuses legitimate Microsoft binaries, DLL side-loading, PowerShell, and a scheduled task named GoogleErrorReport to maintain persistence while evading traditional endpoint defenses.
Analyst Comments: This campaign is a textbook example of modern intrusion tradecraft: low-complexity initial access combined with sophisticated post-exploitation techniques. The initial lure—a disguised LNK file—isn't new, but what follows is more concerning. The operators leverage trusted Windows components, in-memory execution, API obfuscation, and security control tampering to avoid detection. The scheduled task named GoogleErrorReport is particularly notable because it blends into normal system activity while repeatedly relaunching the malware every minute. Defenders should view this less as a malware problem and more as a behavioral detection challenge. Organizations relying heavily on signature-based controls are likely to miss activity that never writes a traditional payload to disk.
READ THE STORY: CISO Whisperer
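The Dropping Elephant item above calls this a behavioral detection problem: a signed Windows binary launched by a scheduled task every minute, with nothing distinctive on disk. One place that behaviour is fully visible is the task definition itself, which `schtasks /query /xml` or `Export-ScheduledTask` hands you as XML. The following is an added example, not code from the original page or from the researchers who analysed the campaign: a Python triage script that scores exported Task Scheduler XML on the traits the story describes (short repetition interval, a system binary used as the launcher, arguments pointing into user-writable directories, hidden flag). The task schema namespace is real; the two sample task definitions, including the "GoogleErrorReport" one, are constructed to match the story's description and are not the actual artefact, and the LOLBin list, path patterns and thresholds are assumptions to tune locally.

```python
import re
import xml.etree.ElementTree as ET

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"  # real schema namespace
# Signed Microsoft binaries commonly repurposed as launchers (assumed, extend locally).
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "powershell.exe", "pwsh.exe",
           "wscript.exe", "cscript.exe", "certutil.exe", "msiexec.exe", "cmd.exe"}
USER_WRITABLE = re.compile(r"\\(appdata|programdata|temp|tmp|public|downloads)\\", re.I)
DURATION_RE = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")
SHORT_INTERVAL_SECONDS = 300  # anything repeating at 5 minutes or less is unusual (assumed)

# Constructed sample shaped after the story's description; not the real task.
SUSPICIOUS_TASK_XML = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\GoogleErrorReport</URI></RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT1M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2026-06-20T10:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Settings><Hidden>true</Hidden><RestartOnFailure><Interval>PT10M</Interval><Count>3</Count></RestartOnFailure></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\rundll32.exe</Command>
      <Arguments>C:\ProgramData\GoogleReport\report.dll,Start</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign comparison: a nightly job under Program Files with no repetition.
BENIGN_TASK_XML = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger><StartBoundary>2026-06-20T02:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger>
  </Triggers>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>"C:\Program Files\Contoso Backup\backup.exe"</Command><Arguments>--nightly</Arguments></Exec>
  </Actions>
</Task>"""


def iso_duration_seconds(text: str):
    """PT1M -> 60, P1DT2H30M -> 95400; None if the value is not a supported duration."""
    m = DURATION_RE.match(text.strip())
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def _text(root, path: str) -> str:
    el = root.find(path)
    return el.text.strip() if el is not None and el.text else ""


def triage_task_xml(task_name: str, xml_text: str) -> dict:
    """Score one exported task definition; each matched trait adds a reason."""
    root = ET.fromstring(xml_text)
    reasons = []
    # Only trigger repetition counts; Settings/RestartOnFailure also has an Interval.
    intervals = [iso_duration_seconds(iv.text) for rep in root.iter(f"{TASK_NS}Repetition")
                 for iv in rep.findall(f"{TASK_NS}Interval") if iv.text]
    intervals = [i for i in intervals if i is not None]
    shortest = min(intervals) if intervals else None
    if shortest is not None and shortest <= SHORT_INTERVAL_SECONDS:
        reasons.append(f"repeats every {shortest}s")
    command = _text(root, f"{TASK_NS}Actions/{TASK_NS}Exec/{TASK_NS}Command").strip('"')
    arguments = _text(root, f"{TASK_NS}Actions/{TASK_NS}Exec/{TASK_NS}Arguments")
    exe = command.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe in LOLBINS:
        reasons.append(f"system binary used as launcher: {exe}")
    for label, value in (("command", command), ("arguments", arguments)):
        if USER_WRITABLE.search(value):
            reasons.append(f"{label} points into a user-writable directory")
    if _text(root, f"{TASK_NS}Settings/{TASK_NS}Hidden").lower() == "true":
        reasons.append("task is hidden")
    return {"name": task_name, "command": command, "arguments": arguments,
            "interval_seconds": shortest, "reasons": reasons, "score": len(reasons)}


if __name__ == "__main__":
    for name, xml_text in (("GoogleErrorReport", SUSPICIOUS_TASK_XML),
                           ("Contoso Nightly Backup", BENIGN_TASK_XML)):
        r = triage_task_xml(name, xml_text)
        print(f"{r['name']}: score {r['score']} {r['reasons']}")
```

Scoring rather than a single rule matters here: rundll32 alone fires on plenty of legitimate Windows tasks, and a one-minute repetition alone fires on monitoring agents, but a hidden task that relaunches a signed binary every minute with a DLL argument under ProgramData is rare enough to hand straight to an analyst. Running this over every task on a fleet (exported via `schtasks /query /xml`) gives a baseline to diff against.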
DOJ Seizes Huione Cloud Infrastructure Tied to $31 Billion Cybercrime Ecosystem
Bottom Line Up Front (BLUF): The U.S. Department of Justice seized a cloud computing account used by subsidiaries of Cambodia-based Huione Group, a key facilitator of cryptocurrency fraud, money laundering, phishing operations, and cyber-enabled scams. Authorities say the infrastructure supported Huione Guarantee (later Haowang Guarantee), a criminal marketplace that processed more than $31 billion in cryptocurrency transactions, making it the largest illicit online marketplace ever recorded.
Analyst Comments: While ransomware groups attract headlines, the industrial-scale fraud ecosystem centered in Southeast Asia has arguably become the most profitable cybercrime model globally. Huione functioned as a one-stop shop for cybercriminals, offering stolen data, phishing kits, money laundering services, fake investment platform development, deepfake technology, and even services supporting human trafficking operations tied to scam compounds. The seizure demonstrates increasing Western focus on disrupting the financial and technical infrastructure that enables large-scale fraud rather than solely pursuing individual threat actors. However, as seen after previous marketplace takedowns, criminal operators have already adapted by launching replacement platforms and migrating to proprietary communications systems. Expect continued fragmentation rather than elimination of the ecosystem.
READ THE STORY: THN // Cyberscoop
Where IT Meets OT: Railway Cybersecurity Faces Growing Risk as Legacy Systems Connect to Modern Networks
Bottom Line Up Front (BLUF): Railway operators are facing a growing cybersecurity challenge as decades-old operational technology (OT) systems become increasingly interconnected with modern IT infrastructure, cloud services, and AI-driven applications. According to DNV’s Global Head of Railway Services, Jorge Aldegunde, the traditional separation between IT and OT has effectively disappeared, expanding attack surfaces across rail networks and making cyber resilience a critical operational requirement rather than a compliance exercise.
Analyst Comments: Rail systems were originally designed for safety, reliability, and availability—not adversarial environments. As operators connect signaling systems, SCADA platforms, maintenance systems, cloud analytics, and passenger services through IP-based networks, they inherit the same cyber risks that enterprise IT environments have battled for years. The difference is that a compromised railway system can create immediate operational and public safety consequences. The most important takeaway isn't the technology discussion—it's the shift toward resilience. Railway operators increasingly accept that prevention alone is unrealistic and are instead focusing on detection, containment, and maintaining safe operations during cyber incidents.
READ THE STORY: HNS
Items of interest
Two Scattered Spider Members Plead Guilty Over Transport for London Cyberattack
Bottom Line Up Front (BLUF): Two alleged Scattered Spider members, Thalha Jubair, 20, and Owen Flowers, 18, pleaded guilty to compromising Transport for London between August 31 and September 3, 2024. The attack caused major disruption, forced password resets for roughly 28,000 employees, impacted Oyster services, and generated estimated losses of £29 million. Sentencing is expected on July 16, 2026.
Analyst Comments: Scattered Spider's strength is not exotic malware; it is identity abuse, social engineering, credential theft, and fast coordination across collaborative platforms. The TfL case also shows why identity compromise is now a critical-infrastructure risk. A few operators with stolen credentials and remote access can disrupt public services, delay customer reimbursements, and force enterprise-wide resets. For defenders, the lesson is blunt: if help desk workflows, MFA recovery, and privileged access monitoring are weak, attackers do not need zero-days.
READ THE STORY: GBhackers
Scattered Spider | The Cybercrime Apex Predator (Video)
FROM THE MEDIA: Scattered Spider — the hacker collective behind massive cyber threats like the MGM Resorts shutdown and the Marks & Spencer cyberattack — is changing the cybersecurity landscape.
Inside Scattered Spider: Who They Are (Video)
FROM THE MEDIA: Scattered Spider is no ordinary threat actor. This decentralized, English-speaking cybercrime collective has breached the likes of Twilio, DoorDash, and major financial institutions, relying not on brute force, but highly believable social engineering.
The selected stories cover a broad range of cyber threats and are intended to help readers frame key publicly discussed threats and improve overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, don’t hesitate to get in touch with InfoDom Securities at dominanceinformation@gmail.com.