
Hello, stay ahead with CISO Brief 🚀

Every day the cybersecurity world moves fast — new incidents, evolving AI risks, changing regulations, and critical vendor updates. We cut through the noise to deliver only what matters most for your business and security strategy.

CISO Brief brings you a daily digest of high-signal news: major breaches, hyperscaler security releases, AI and compliance shifts, and the latest threat intelligence — all in one concise update.

Built for CISOs, CTOs, and architects, our goal is to save you time, reduce distraction, and keep you always on pulse with the risks and opportunities that shape tomorrow.

👉 Join our Telegram channel for your daily update — stay informed, stay ready.

Cybersecurity News Digest — Daily Briefings

Latest News


Massive Microsoft 365 password spray attack exposed

🔒 Microsoft users experienced a large-scale automated password spray campaign that targeted accounts indiscriminately, including clients of security firm Huntress. Huntress reported 81 million login attempts against its customers between June 12 and 26, with at least 78 successful compromises. Attack traffic originated from an IPv6 range tied to LSHIY LLC, which has since cut service to the offending customer. The attackers abused the OAuth ROPC flow to replay valid credentials, bypassing protections where MFA was not enforced for all cloud apps or all user groups.

ARToken PhaaS reveals EvilTokens Microsoft 365 toolkit

🛡️ Cisco Talos uncovered a React-based ARToken management panel exposing 80+ API endpoints and client-side code that reveals expanded phishing capabilities. The platform, tied to the EvilTokens ecosystem, automates Microsoft 365 account compromise by stealing authentication tokens, obtaining persistent Primary Refresh Tokens (PRTs), and accessing Outlook, SharePoint, and OneDrive. ARToken deploys Cloudflare Workers, supports multi-tenant affiliate operations, and includes tools for BEC automation and mailbox monitoring.

Adobe adds second monthly Patch Tuesday cycle

🛡️ Adobe will publish security updates twice each month to keep pace with faster vulnerability discovery and exploitation. The company will keep its existing second-Tuesday schedule and add a fourth-Tuesday release starting in July, applying to advisories with CVEs that require customer action. Adobe cited increased threats and its own investment in vulnerability discovery as drivers for the new cadence. The change mirrors the broader industry trend toward more frequent patching.

Armored Likho targets governments and utilities

🛡️ Kaspersky attributes a newly documented threat actor, Armored Likho, to espionage and financially motivated campaigns against government agencies and the electric power sector in Russia, Brazil, and Kazakhstan. The group's toolkit includes obfuscated Python stealers (BusySnake), modular RATs, Go2Tunnel for reverse SSH, and droppers delivered via spear-phishing or weaponized LNK files exploiting CVE-2025-9491. The malware emphasizes persistence, credential theft, and dynamic module delivery tailored to victims.

Qilin Emerges as Dominant Ransomware Operation

🛡️ Check Point and Sophos research shows Qilin has consolidated a large share of the ransomware market after the disruption of rival groups. Active since 2022, Qilin lists the most victims and attracts affiliates with high payouts, mature infrastructure and AI-enabled tools. Rival groups like The Gentlemen have resurged, while Qilin's increased prominence raises the likelihood of law enforcement action against it.

Citrix NetScaler memory overread patched, exploits spotted

🔒 Citrix patched a new NetScaler memory overread, CVE-2026-8451, similar to prior CitrixBleed issues; researchers from watchTowr disclosed that malformed unauthenticated requests can leak protected process memory. While this flaw leaks smaller data fragments than earlier CitrixBleed faults, it still poses risk for chaining with memory-write exploits. Citrix also fixed additional high-severity memory overflows and an HTTP/2 DoS; customers are urged to upgrade and apply configuration mitigations.

Industrialized ransomware through criminal collaboration

🔐 Sophos reports a new collaboration between the Vect ransomware group and TeamPCP, a supply-chain credential theft gang linked to The Com collective. The partnership combines TeamPCP’s large-scale credential harvesting from developer toolchains with Vect’s ransomware-as-a-service operations, raising the risk that compromised accounts could be escalated into ransomware incidents. Sophos and the FBI have both issued warnings and detailed associated malware and tactics, urging organizations to harden developer and supply-chain security.

Flock’s Vehicle Fingerprinting Enables Plateless Surveillance

🚨 A 2024 company presentation reveals that Flock uses a so-called “Vehicle Fingerprint” combining decals, bumper stickers, racks and temporary tags to identify cars when license plates are incomplete or absent. The system enables officers to search that dataset, perform multi-geo queries and locate vehicles believed to be traveling together. Bruce Schneier notes this capability echoes older surveillance practices and warns that similar outcomes are possible with broad access to cell phone location data.

FBI and Google Disrupt Major NetNut Proxy Network

🛡️ In a coordinated international action, the FBI and Google's Threat Intelligence Group disrupted NetNut, a large commercial residential proxy network built on the Popa botnet. The operation targeted infrastructure, seized domains and worked with partners like Lumen and the IRS to degrade the service. Google disabled accounts, updated Play Protect and removed compromised apps to reduce the pool of infected devices by millions. The takedown exposed ties between the botnet and reseller programs and prompted debate after some NetNut domains remained temporarily active.

PamStealer macOS stealer uses fake Maccy sites

🛡️ Cybersecurity researchers have identified PamStealer, a macOS information stealer distributed as a compiled AppleScript masquerading as the open-source clipboard manager Maccy. The dropper fetches a Rust-based Mach-O stealer that harvests browsers, wallet extensions, iCloud Keychain, and clipboard data, then exfiltrates it to attacker infrastructure. The malware also coerces victims into entering their system password and validates it via PAM before capturing it.

Anthropic: Claude Fable 5 will return to subscriptions

📰 Anthropic says access to Claude Fable 5 is being moved off standard subscriptions after July 7 and shifted to usage-based billing due to unpredictable high demand. The model remains available globally via the Claude API and consumption-based Enterprise plans, while subscription access is being rolled out conservatively. Anthropic expects to restore Fable 5 to subscriptions once sufficient capacity is available, clarifying the change is not intended to be permanent.

Claude Fable relaunch disappoints users

🤖 Anthropic's Claude Fable has been restored for all users, including Max subscribers, but comes with strict usage caps and degraded behavior. Users report frequent fallbacks to Opus 4.8 and tighter guardrails that block or reduce performance on security-adjacent and systems-level prompts. The model will shift to a pay-to-play usage credits system after July 7, further limiting access.

WebAuthn Redirection Added to Browser RDP Clients

🔒 Prisma Browser added WebAuthn redirection to its in-browser RDP client, becoming the first non-Windows client to support Microsoft’s MS-RDPEWA protocol. The team found gaps in the spec, reverse-engineered undocumented Windows server behavior, and created a custom Chromium extension API to accept precomputed clientDataHash values. This approach reuses Chromium’s FIDO2 stack to support USB keys, Touch ID, Windows Hello and phone-as-authenticator transports.

SageMaker Unified Studio now supports Terraform

🔧 Amazon SageMaker Unified Studio now supports Terraform provisioning via the open-source terraform-aws-sagemaker-unified-studio module. Platform teams can deploy domains through version-controlled templates and integrate SageMaker Unified Studio into existing infrastructure-as-code pipelines. The module manages domain infrastructure and IAM roles, includes sub-modules for blueprints and projects, and uses the Terraform AWS Cloud Control Provider.

Amazon EC2 X8i instances expand to Asia regions

🚀 Amazon EC2 X8i instances are now available in Asia Pacific (Seoul), Asia Pacific (Malaysia) and Asia Pacific (Tokyo). These instances use custom Intel Xeon 6 processors exclusive to AWS and are SAP-certified, offering up to 43% higher performance, 1.5x more memory (up to 6TB) and 3.3x more memory bandwidth versus prior X2i instances. They target memory-intensive workloads such as SAP HANA, large databases, analytics, and EDA, and come in 14 sizes including bare metal options. Purchase options include Savings Plans, On-Demand, and Spot.

Google Disrupts NetNut Residential Proxy Network

🛡️ Google says its Threat Intelligence Group (GTIG), working with the FBI and industry partners, has degraded NetNut (aka Popa), a large residential proxy network that turns home devices into rented relays. GTIG estimates NetNut controlled at least 2 million devices, including smart TVs and streaming boxes, which can be used to route criminals' traffic through private home connections. NetNut is linked to publicly traded Alarum Technologies, which denies wrongdoing and says its software provides consented bandwidth sharing. Researchers found many apps did not show consent prompts, and Google warns the network is resilient because of its reseller arrangements and may reappear under different brands.

Board Games Sharpen Cybersecurity Intuition

🎲 The Threat Source newsletter draws a connection between learning board games and developing cybersecurity skills, arguing that games sharpen pattern recognition, intuition, and adaptive thinking. The piece highlights how diverse games—from Ticket to Ride to Go—teach strategy, breaking habits, and embracing failure as a learning tool. It also summarizes Talos research on the ARToken phishing-as-a-service panel and recent threat trends affecting Microsoft 365, AI agents, and RMM vulnerabilities.

EC2 Dedicated Hosts Now Support AMD SEV-SNP

🔒 Amazon EC2 now supports AMD Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP) on Dedicated Hosts, allowing confidential computing workloads to run on physical servers dedicated to a single customer. Customers can allocate a Dedicated Host with SEV-SNP enabled and launch compliant instances while retaining control over instance placement and host affinity. The host is provisioned with AMD security firmware at allocation to keep confidential environments current. Dedicated Host SEV-SNP is available in all AWS commercial Regions with AMD instances.