CISO Brief

Hello, stay ahead with CISO Brief 🚀

Every day the cybersecurity world moves fast: new incidents, evolving AI risks, changing regulations, and critical vendor updates. We cut through the noise to deliver only what matters most for your business and security strategy.

CISO Brief brings you a daily digest of high-signal news: major breaches, hyperscaler security releases, AI and compliance shifts, and the latest threat intelligence, all in one concise update.

Built for CISOs, CTOs, and architects, CISO Brief aims to save you time, reduce distraction, and keep you on the pulse of the risks and opportunities that shape tomorrow.

👉 Join our Telegram channel for your daily update: stay informed, stay ready.

Cybersecurity News Digest: Daily Briefings

Latest News


Prinz Eugen ransomware targets recent files first

🛑 ThreatDown (Malwarebytes) researchers detail a new hands-on-keyboard ransomware called Prinz Eugen that prioritizes recently modified files for encryption and leaves no ransom note on compromised systems. Initial access is likely via stolen RDP credentials, with attackers manually deploying a payload named servertool.exe and sometimes using legitimate RMM tools such as RemotePC for persistence. The Go-based malware encrypts files recursively with no exclusions, uses ChaCha20-Poly1305 with Argon2id-derived keys, and self-deletes while overwriting its keys to hinder both recovery and forensics.

Gravity SMTP flaw exposes API keys and system data

🔒 A recently patched information-disclosure flaw in the Gravity SMTP WordPress plugin (CVE-2026-4020) lets unauthenticated attackers retrieve sensitive configuration data and API credentials through a misconfigured REST API endpoint. Wordfence observed exploit attempts beginning in May 2026 and has blocked over 17 million requests, with activity spiking in early June. Site owners should update to version 2.1.5, rotate any exposed credentials, and review logs for access from the listed IPs.

Large-Scale Credential Attacks Targeting Edge Devices

🔐 Unit 42 observed a large-scale password-spraying and credential-theft campaign (dubbed "FortiBleed") targeting Fortinet devices, with additional attempts against MSSQL servers and reports of Sophos devices being targeted. The actors use curated password lists derived from prior breaches and vulnerabilities, then extract device configurations and crack them offline to escalate privileges and persist. Unit 42 urges auditing remote-access logs, applying hardening guidance, requiring MFA, and keeping systems patched.

Klue OAuth breach expands as Icarus claims attack

🔒 Klue confirmed an incident on June 12 in which attackers used a compromised legacy credential to obtain OAuth tokens connecting Klue to third-party platforms, including Salesforce. The company says customer content stored in Klue was not affected and that the breach was limited to integrations; the affected credentials and tokens were revoked and CrowdStrike has been engaged. Cybersecurity firms ReliaQuest and Huntress reported extensive Salesforce data exfiltration, and the Icarus extortion group has publicly claimed responsibility.

Unauthenticated info disclosure in Gravity SMTP plugin

🔒 Threat actors are exploiting an unauthenticated information-disclosure vulnerability in the WordPress plugin Gravity SMTP, which is installed on about 100,000 sites. Tracked as CVE-2026-4020 and rated medium severity, the flaw affects versions 2.1.4 and older and was fixed in 2.1.5 (released March 17). Wordfence reports millions of blocked attempts and recommends that administrators patch and monitor requests to the exposed REST endpoint.
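Both Gravity SMTP items above end with the same advice: patch, rotate exposed credentials, and review logs for requests to the exposed REST endpoint. The following is an added example of that log review, not code from Wordfence or the plugin. The page does not name the vulnerable route, so the route prefix is a parameter and "/example-plugin/v1/" below is a placeholder, as are the constructed access-log lines and the site's patch date. The check that matters is not "who probed the route" but "who got a 2xx before this site was patched", because only those requests could have returned the configuration data; it also covers the `?rest_route=` form of WordPress REST requests, which a grep for `/wp-json/` misses.

```python
"""Review a web-server access log for requests to an exposed WordPress REST route.

Added example for the Gravity SMTP items above; it is not Wordfence's or the
plugin's code. The REST route is passed in as a parameter because the page does
not name the vulnerable endpoint: the "/example-plugin/v1/" prefix used below is
a placeholder, as are the log lines (constructed in Apache/nginx combined format).
"""
import re
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident user [time] "method path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse_line(line):
    """Return ip, timestamp, request path and status for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }

def rest_route(path):
    """Map a request path to the WordPress REST route it targets, or None.

    WordPress serves routes both as /wp-json/<route> and, on sites without
    pretty permalinks (or when an attacker prefers it), as /?rest_route=/<route>;
    a review that only greps for /wp-json/ misses the second form.
    """
    parts = urlsplit(path)
    if parts.path.startswith("/wp-json/"):
        return "/" + parts.path[len("/wp-json/"):]
    qs = parse_qs(parts.query)
    if "rest_route" in qs:
        return qs["rest_route"][0]
    return None

def review_rest_hits(lines, route_prefix, patched_at):
    """Count requests to the route per source IP.

    "disclosed" counts 2xx responses served before this site installed the fix
    (patched_at): those requests may really have returned the configuration
    data, so a non-zero count means the site's SMTP/API credentials should be
    rotated. Later requests that got 401/403 were rejected by the patched plugin
    or a firewall and did not leak anything.
    """
    hits = defaultdict(lambda: {"total": 0, "disclosed": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        route = rest_route(rec["path"])
        if route is None or not route.startswith(route_prefix):
            continue
        entry = hits[rec["ip"]]
        entry["total"] += 1
        if 200 <= rec["status"] < 300 and rec["time"] < patched_at:
            entry["disclosed"] += 1
    return dict(hits)

# Constructed sample log: two early unauthenticated fetches that succeeded (one via
# the ?rest_route= form), then post-patch probes that were rejected, plus an
# unrelated core REST request that must not be counted.
SAMPLE_LOG = """\
203.0.113.10 - - [12/May/2026:08:15:02 +0000] "GET /wp-json/example-plugin/v1/settings HTTP/1.1" 200 1842 "-" "python-requests/2.31"
203.0.113.10 - - [12/May/2026:08:15:03 +0000] "GET /?rest_route=/example-plugin/v1/settings HTTP/1.1" 200 1842 "-" "python-requests/2.31"
198.51.100.7 - - [04/Jun/2026:19:40:11 +0000] "GET /wp-json/example-plugin/v1/settings HTTP/1.1" 401 97 "-" "curl/8.5.0"
198.51.100.7 - - [04/Jun/2026:19:40:12 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "curl/8.5.0"
192.0.2.55 - - [04/Jun/2026:20:01:00 +0000] "GET /?rest_route=%2Fexample-plugin%2Fv1%2Fsettings HTTP/1.1" 403 0 "-" "Mozilla/5.0"
"""
# Date this particular site updated the plugin (constructed).
PATCHED_AT = datetime(2026, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for ip, counts in review_rest_hits(SAMPLE_LOG.splitlines(), "/example-plugin/v1/", PATCHED_AT).items():
        print(ip, counts)
```

Run it against the real log with the route named in the Wordfence advisory and the date from your own update history; a source with `disclosed > 0` is the signal to rotate that site's credentials, and the rest of the list feeds your firewall and log-correlation work.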

RaaS group equips affiliates with EDR-killing toolkit

🔍 New research from ESET reveals that The Gentlemen ransomware-as-a-service platform now supplies affiliates with an advanced EDR-killer framework called GentleKiller, alongside third-party tools such as HexKiller, ThrottleBlood and HavocKiller. The leaked tooling shows affiliates can use bring-your-own-vulnerable-driver (BYOVD) techniques to gain kernel privileges and terminate hundreds of EDR processes across many vendors. ESET warns this lowers the bar for less skilled attackers and urges organizations to enforce hypervisor-protected code integrity (HVCI) and kernel-mode code integrity (KMCI), apply strict driver allow/block policies, and audit loaded drivers regularly.

Unpatchable usbliter8 exploit breaks SecureROM

🔒 Security researchers at Paradigm Shift published a working exploit called usbliter8 that achieves arbitrary code execution inside the SecureROM of Apple A12 and A13 SoCs. The flaw is a hardware bug in the Synopsys DWC2 USB controller and cannot be fixed by software updates, leaving affected devices permanently vulnerable. Exploitation requires physical possession, DFU mode, and a dedicated microcontroller; the public proof of concept and write-up were released on June 18, 2026 following coordinated disclosure.

Gentlemen RaaS standardizes EDR-killer suite

🛑 ESET researchers say the Gentlemen ransomware-as-a-service (RaaS) operation supplies affiliates with a standardized suite of EDR killers, centered on a framework named GentleKiller, to disable security tooling before encryption. The tooling mimics legitimate security products and abuses vulnerable drivers through a BYOVD technique, incorporating third-party killers such as HexKiller and ThrottleBlood. The group rapidly operationalizes public proof-of-concept exploits, and ESET also found a Rust-based credential stealer called OxideHarvest in use.

Analysis of Reported Credential Compromise of FortiGate

🔐 Fortinet has observed malicious actors harvesting FortiGate credentials in activity labeled "FortiBleed." Fortinet's initial analysis indicates the attackers are reusing credentials from prior incidents and brute-forcing devices that lack strong passwords and multi-factor authentication. This is not a new Fortinet vulnerability and is unrelated to recent advisories. Fortinet is investigating, notifying affected customers, and recommending immediate defensive actions and hardening.

Texas license vendor breach exposes 3M+ records

🔒 The Texas Parks and Wildlife Department disclosed a breach at its external license-system vendor that exposed personal information for 3,087,721 hunting and fishing license customers. The Texas Cyber Command discovered the intrusion and confirmed that no Social Security numbers, dates of birth, or financial data were affected. Exposed fields may include driver's license data, passport numbers, email addresses, phone numbers, and residential addresses. TPWD is working with the vendor on enhanced safeguards and offering affected individuals one year of free credit monitoring.

Apple change to Hide My Email raises privacy concerns

🔒 Apple is changing the domain used for newly generated Hide My Email aliases from "@icloud.com" to "@private.icloud.com", a tweak that has drawn criticism from privacy-minded users. The shift makes generated addresses identifiable as aliases, which could let sites block anonymous sign-ups. Existing aliases will continue to function, while new ones will be issued on the new domain later this summer. Users warn this could reduce the feature's effectiveness for anonymity.

AutoJack exploit chains AI agent to local code execution

🔒 Microsoft researchers disclosed AutoJack, an exploit chain in which an AI browsing agent loads a malicious web page that then reaches a privileged local service and spawns processes on the host. The issue resides in AutoGen Studio's MCP WebSocket handler and is present only in two pre-release PyPI builds (0.4.3.dev1 and 0.4.3.dev2). A plain pip install (0.4.2.2) is not affected; fixes are merged to the GitHub main branch but not yet released on PyPI.
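The AutoJack item describes the general shape of the problem: a web page, loaded by a browser the agent drives, opens a connection to a service listening on the same machine, and that service treats "local connection" as "trusted caller". The page does not say which check AutoGen Studio's handler lacked, so the following is an added example of the generic defence for any loopback-bound WebSocket or HTTP service, not code from Microsoft or the AutoGen project. Port 8081, the allowlist, the token and the sample handshakes are assumptions made for illustration.

```python
"""Handshake checks for a WebSocket (or HTTP) service bound to localhost.

Added example prompted by the AutoJack item; not code from Microsoft or AutoGen
Studio, and the page does not state which check that handler lacked. Port 8081,
the allowlist and the sample handshakes are assumptions made for illustration.
"""
import hmac
from urllib.parse import urlsplit

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}

def canonical_origin(origin):
    """Normalise an Origin header to scheme://host:port, or None if it is unusable.

    'null' (sandboxed iframes, file:// pages, some redirects) is treated as
    unknown rather than trusted; scheme and host are lower-cased and the default
    port made explicit so allowlist comparison is exact.
    """
    if origin is None or origin.strip().lower() == "null":
        return None
    try:
        p = urlsplit(origin.strip())
        if p.scheme not in ("http", "https") or not p.hostname:
            return None
        port = p.port or (443 if p.scheme == "https" else 80)
    except ValueError:  # malformed port
        return None
    return f"{p.scheme}://{p.hostname}:{port}"

def handshake_allowed(headers, allowed_origins, service_port, api_token=None):
    """Return True if a WebSocket upgrade request may reach the local service.

    headers: the request headers as a dict (names compared case-insensitively).
    Three rules:
      1. Host must be a loopback name with the service's own port. Under DNS
         rebinding the socket is local but Host carries the attacker's hostname.
      2. If the client sent Origin (every browser does), the page's origin must be
         one the service itself serves; a page on evil.example is refused even
         though it is talking to 127.0.0.1 from the same machine.
      3. With no Origin (a non-browser client), "it came from localhost" proves
         nothing, since the agent's browser is local too: require a bearer token.
    """
    h = {k.lower(): v for k, v in headers.items()}
    try:
        host = urlsplit("//" + h.get("host", ""))
        host_ok = host.hostname in LOOPBACK_HOSTS and host.port == service_port
    except ValueError:
        host_ok = False
    if not host_ok:
        return False
    origin = h.get("origin")
    if origin is not None:
        allowed = {canonical_origin(o) for o in allowed_origins} - {None}
        return canonical_origin(origin) in allowed
    auth = h.get("authorization", "")
    return (bool(api_token) and auth.startswith("Bearer ")
            and hmac.compare_digest(auth[7:].encode(), api_token.encode()))

# The UI the service serves itself; anything else is a foreign page.
ALLOWED_ORIGINS = ["http://localhost:8081", "http://127.0.0.1:8081"]

# Constructed handshakes: a hostile page, the service's own UI, a DNS-rebinding
# attempt, a null origin, and a scripted client with and without its token.
SAMPLE_HANDSHAKES = {
    "page on evil.example": {"Host": "127.0.0.1:8081", "Origin": "http://evil.example"},
    "own UI": {"Host": "127.0.0.1:8081", "Origin": "HTTP://LOCALHOST:8081"},
    "DNS rebinding": {"Host": "rebind.evil.example:8081", "Origin": "http://rebind.evil.example:8081"},
    "null origin": {"Host": "127.0.0.1:8081", "Origin": "null"},
    "script, no token": {"Host": "127.0.0.1:8081"},
    "script, token": {"Host": "127.0.0.1:8081", "Authorization": "Bearer s3cret"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLE_HANDSHAKES.items():
        print(f"{name:22} -> {handshake_allowed(hdrs, ALLOWED_ORIGINS, 8081, api_token='s3cret')}")
```

Wire `handshake_allowed` into whatever framework terminates the socket, before any message is processed; a service that only checks messages after the upgrade has already let the hostile page in. The token rule is the part most local dev tools skip, and it is exactly what stops a page that has found a way to omit Origin.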

Windows update breaks some Office OLE automations

🛠️ Microsoft's June update has caused Office apps such as Word and Excel to fail when launched by third-party software that relies on OLE automation. Affected integrations include CCH Engagement, Workpaper Manager, Zotero and dental systems such as Dentrix and Softdent, with users reporting that files will not open and no clear error is shown. Microsoft acknowledged the issue and is working on a fix, and also noted a separate cosmetic Recycle Bin filename display problem stemming from the same update.

CISA Warns Fortinet Customers Amid FortiBleed Campaign

🔒 The U.S. Cybersecurity and Infrastructure Security Agency (CISA) urged Fortinet customers to secure FortiGate appliances after a large-scale campaign, dubbed FortiBleed, had compromised 86,644 devices as of June 19, 2026. The campaign, attributed to Russian-speaking actors, used mass scanning and credential spraying against internet-facing VPN and firewall endpoints, leveraging leaked and reused credentials. Telecom, government, and education sectors were heavily affected, prompting guidance to reset passwords, enable MFA, and move to PBKDF2 hashing for admin credentials.
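The three FortiBleed items (Unit 42, Fortinet and CISA above) agree on the technique, credential spraying and brute force against FortiGate admin and VPN logins, and on the first defensive step, auditing the remote-access logs. The following is an added example of that audit, not code from Fortinet, Unit 42 or CISA. It parses FortiOS-style key=value event lines and separates the two patterns: spraying (one source, few tries each against many accounts, so per-account lockouts never fire) and brute force (one source hammering one account), then lists accounts that logged in successfully from a spraying source, which is the compromise indicator to act on first. The log lines are constructed; the field names and the admin-login log IDs follow the FortiOS format as I recall it, so check them against your own device's output before trusting the parser, and the thresholds are assumptions to tune.

```python
"""Flag password spraying and brute forcing in FortiGate admin/VPN login events.

Added example for the FortiBleed items above; it is not code from Fortinet,
Unit 42 or CISA. Log lines are constructed in the FortiOS key=value style
(field names and the 0100032001/0100032002 admin-login log IDs are modelled on
real events from memory, so verify them against your own logs), and the
thresholds are assumptions to tune for your environment.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fortigate_line(line):
    """Parse one key=value event line into a dict; quoted values may contain spaces."""
    fields = {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}
    fields["ts"] = datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")
    return fields

def detect_credential_attacks(lines, window=timedelta(minutes=10), spray_users=5, brute_attempts=10):
    """Return the spraying sources, brute-forced accounts and logins that followed a spray.

    Spraying: one srcip fails against >= spray_users distinct usernames inside
    `window` (few tries per account, so per-account lockouts never fire).
    Brute force: one srcip fails >= brute_attempts times against one username.
    success_after_spray: usernames that later logged in successfully from a
    spraying source; treat those accounts as compromised until proven otherwise.
    """
    fails = defaultdict(list)      # srcip -> [(ts, user)]
    attempts = defaultdict(int)    # (srcip, user) -> failed attempts
    successes = defaultdict(set)   # srcip -> users that logged in
    for line in lines:
        if not line.strip():
            continue
        e = parse_fortigate_line(line)
        ip, user, status = e.get("srcip"), e.get("user"), e.get("status", "")
        if not ip or not user:
            continue
        if status in ("failed", "failure"):   # admin logins say "failed", SSL VPN says "failure"
            fails[ip].append((e["ts"], user))
            attempts[(ip, user)] += 1
        elif status == "success":
            successes[ip].add(user)
    spraying = {}
    for ip, events in fails.items():
        # Sliding window: most distinct usernames this source tried within `window`.
        peak = max(len({u for t2, u in events if t - window < t2 <= t}) for t, _ in events)
        if peak >= spray_users:
            spraying[ip] = peak
    brute = {key: n for key, n in attempts.items() if n >= brute_attempts}
    after_spray = {ip: sorted(successes[ip]) for ip in spraying if successes.get(ip)}
    return {"spraying": spraying, "brute_force": brute, "success_after_spray": after_spray}

def constructed_event(time, ip, user, status, reason):
    """Build a sample admin-login line in FortiOS style (constructed, not captured)."""
    ok = status == "success"
    return (f'date=2026-06-18 time={time} logid="{"0100032001" if ok else "0100032002"}" type="event" '
            f'subtype="system" level="{"information" if ok else "alert"}" vd="root" '
            f'logdesc="Admin login {"successful" if ok else "failed"}" user="{user}" ui="https({ip})" '
            f'method="https" srcip={ip} action="login" status="{status}" reason="{reason}" '
            f'msg="Administrator {user} login {status} from https({ip})"')

# Constructed sample: a spray over five admin names from 203.0.113.20 followed by a
# successful login as "support"; a couple of failures from an unrelated admin who
# then gets in; and a brute-force run against "admin" from 192.0.2.77.
SAMPLE_LINES = [
    constructed_event("09:00:01", "203.0.113.20", "admin", "failed", "passwd_invalid"),
    constructed_event("09:00:04", "203.0.113.20", "fortinet", "failed", "name_invalid"),
    constructed_event("09:00:07", "203.0.113.20", "maint", "failed", "name_invalid"),
    constructed_event("09:00:11", "203.0.113.20", "support", "failed", "passwd_invalid"),
    constructed_event("09:00:15", "203.0.113.20", "sysadmin", "failed", "name_invalid"),
    constructed_event("09:03:40", "203.0.113.20", "support", "success", "none"),
    constructed_event("09:10:00", "198.51.100.9", "admin", "failed", "passwd_invalid"),
    constructed_event("09:10:20", "198.51.100.9", "admin", "failed", "passwd_invalid"),
    constructed_event("09:10:45", "198.51.100.9", "admin", "success", "none"),
] + [constructed_event(f"10:00:{s:02d}", "192.0.2.77", "admin", "failed", "passwd_invalid")
     for s in range(12)]

if __name__ == "__main__":
    for kind, found in detect_credential_attacks(SAMPLE_LINES).items():
        print(kind, found)
```

Feed it the event logs exported from FortiAnalyzer or syslog (admin logins under `subtype="system"`, SSL VPN under `subtype="vpn"`); the `success_after_spray` list is where credential resets and token revocation start, and any source in `spraying` is a candidate for the blocklist whether or not it got in.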

Prime Day 2026: Surge in Amazon-Themed Scams

🛑 Check Point Research warns that Amazon Prime Day (June 23–26, 2026) is generating a large pre-event surge in phishing, fake storefronts, and domain-squatting operations. Between December 2025 and May 2026, thousands of Amazon-themed domains were registered, many of them already flagged as malicious. Attackers are building multi-TLD campaigns, regional IDN spoofs, and convincing counterfeit product pages to steal credentials and payment details.
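The Prime Day item names three registration patterns: the brand under many TLDs, regional IDN spoofs, and lookalike names. The following is an added example of how a defender can triage a feed of newly registered domains for those patterns; it is not Check Point's tooling. It decodes punycode so a Cyrillic "аmazon" is examined as a user sees it, folds a small confusables table (a constructed subset; Unicode UTS #39 lists thousands), and then checks for the brand as a whole label, embedded in a label, or one keystroke away. Python's idna codec implements IDNA2003 rather than the IDNA2008 rules registries use today, so a production version should use an IDNA2008 library; the allowlist and sample domains are assumptions.

```python
"""Flag brand-lookalike domains such as the Amazon-themed registrations described above.

Added example for the Prime Day item; it is not Check Point's tooling. The
confusables table is a small constructed subset (Unicode UTS #39 lists
thousands), Python's idna codec implements IDNA2003 rather than the IDNA2008
rules registries use today, and the allowlist and sample domains are assumptions.
"""
import unicodedata

BRAND = "amazon"
# Partial table of characters that render like Latin letters: Cyrillic, Greek and
# the digit substitutions seen in typosquats. Constructed for this example.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u0445": "x", "\u0443": "y",
    "\u03bf": "o", "\u03b1": "a", "\u03bd": "v",
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
})

def to_unicode(domain):
    """Decode punycode (xn--) labels so an IDN spoof is examined as the user sees it."""
    try:
        return domain.encode("ascii").decode("idna").lower()
    except UnicodeError:
        return domain.lower()   # already Unicode, or undecodable: examine as given

def edit_distance(a, b):
    """Levenshtein distance (insert/delete/substitute), for one-keystroke typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain, brand=BRAND, allowlist=("amazon.com",)):
    """Return why a domain looks like the brand, or None if it does not.

    Checks, in order: the brand's own domains are skipped; "confusable" when the
    name only matches after folding homoglyphs or digits (IDN spoof, amaz0n);
    "brand-label" when the brand is a whole label under another TLD or parent
    (amazon.shop, amazon.secure-login.net); "brand-in-label" for the brand embedded
    in a longer label (primeday-amazon-deals.net); "typosquat" for a hyphen-separated
    token one edit away from the brand (amazn-deals.net).
    """
    uni = to_unicode(domain)
    if any(uni == a or uni.endswith("." + a) for a in allowlist):
        return None
    folded = unicodedata.normalize("NFKC", uni).translate(CONFUSABLES)
    labels = folded.split(".")[:-1]                      # drop the TLD itself
    tokens = [t for label in labels for t in label.split("-")]
    if folded != uni and any(brand in label for label in labels):
        return "confusable"
    if brand in labels:
        return "brand-label"
    if any(brand in label for label in labels):
        return "brand-in-label"
    if any(len(t) >= 4 and edit_distance(t, brand) == 1 for t in tokens):
        return "typosquat"
    return None

# Constructed candidates; the IDN one is built here from Cyrillic "а" (U+0430) so
# the punycode is exact rather than hand-typed.
IDN_SPOOF = "\u0430mazon.com".encode("idna").decode("ascii")
SAMPLE_DOMAINS = ["amazon.com", "www.amazon.com", "amazon.shop", IDN_SPOOF,
                  "amaz0n-prime-day.shop", "amazn-deals.net", "primeday-amazon-deals.net", "example.org"]

if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        print(f"{d:32} {classify(d)}")
```

The ordering matters: a Cyrillic spoof is reported as "confusable" rather than as the brand under its own TLD, because that is the case a reviewer most needs to look at, and the brand's own domains are excluded before any folding so that a lookalike can never be allowlisted by accident. Feed the classifier a certificate-transparency or zone-file diff and the non-None results are the watchlist.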

Cloudflare introduces temporary agent accounts

⚙️ Cloudflare announced Temporary Cloudflare Accounts for AI agents, letting an agent run wrangler deploy --temporary to deploy Workers instantly without a human signing up first. Temporary deployments stay live for 60 minutes and can be claimed by a user to become permanent; unclaimed accounts expire automatically. The feature integrates with Wrangler, which now tells agents about the --temporary flag, so agent-driven development can iterate quickly through deploy, verify, and redeploy cycles.

Microsoft confirms Recycle Bin filename display bug

🛠️ Microsoft acknowledged a bug that causes the Recycle Bin confirmation dialog to show internal filenames (for example, $Rxxxxx.ext) instead of the original filename when permanently deleting a single item. The Recycle Bin view and restore operations continue to use the original filename. The issue affects all supported client and server Windows releases after installing the June 2026 security updates, and a fix is planned for a future update. Businesses can request a temporary workaround via Microsoft's Business Support.

Anthropic's Fable and the State of AI Safety

📰 On June 9, Anthropic released the Fable model; days later the US classified it as a dangerous munition and used export controls to block foreign access, prompting Anthropic to cut access entirely. Fable is a constrained variant of Mythos and reportedly excels at finding and exploiting vulnerabilities, but similar capabilities have been replicated using smaller models with improved harnesses. The core issue is not a single model but rising general AI capability and the lack of collective, global governance to manage the associated risks.