< ciso
brief />

Hello, stay ahead with CISO Brief ๐Ÿš€

Every day the cybersecurity world moves fast โ€” new incidents, evolving AI risks, changing regulations, and critical vendor updates. We cut through the noise to deliver only what matters most for your business and security strategy.

CISO Brief brings you a daily digest of high-signal news: major breaches, hyperscaler security releases, AI and compliance shifts, and the latest threat intelligence โ€” all in one concise update.

Built for CISOs, CTOs, and architects, our goal is to save you time, reduce distraction, and keep you always on pulse with the risks and opportunities that shape tomorrow.

๐Ÿ‘‰ Join our Telegram channel for your daily update โ€” stay informed, stay ready.

Cybersecurity News Digest โ€” Daily Briefings

Microsoft issues Windows 10 KB5099539 security update

๐Ÿ”’ Microsoft released the Windows 10 KB5099539 extended security update, delivering the July 2026 Patch Tuesday fixes and additional security and reliability improvements for enrolled devices and LTSC editions. The update moves Windows 10 to build 19045.7548 (19044.7548 for Enterprise LTSC 2021) and addresses a record 570 vulnerabilities, including two exploited and one publicly disclosed zero-day. Administrators and eligible consumers can install it via Settings > Windows Update; several known issues and hardening changes are documented.
read more โ†’

Windows 11 July 2026 Cumulative Updates Released

๐Ÿ›ˆ Microsoft released Windows 11 cumulative updates KB5101650 and KB5099414 for 25H2/24H2 and 23H2 to deliver July 2026 Patch Tuesday fixes addressing security vulnerabilities, bug fixes, and feature refinements. The rollouts update build numbers and include notable Bluetooth pairing improvements, a quieter Widgets experience, enhanced accessibility controls, File Explorer and networking fixes, and Point-in-Time restore availability. Install via Settings > Windows Update or the Microsoft Update Catalog.
read more โ†’

Amazon WorkSpaces Personal adds DCV migration support

๐Ÿ”„ Amazon WorkSpaces Personal now offers automated rollback and support for migrating stopped WorkSpaces from PCoIP to the Amazon DCV streaming protocol. The update extends the console-based migration workflow and checkpoint snapshot support, enabling administrators to run large-scale migrations without manually starting stopped instances. These features are available in all AWS commercial and AWS GovCloud (US) Regions where WorkSpaces Personal is supported.
read more โ†’

AWS Security Hub adds AI inventory for visibility

๐Ÿ›ก๏ธ AWS Security Hub now offers an AI inventory that gives central security teams a continuously updated, organization-wide view of AI assets and their security posture. It automatically discovers AI workloads via managed-service integration, SBOM analysis for self-hosted workloads, and GuardDuty DNS telemetry for external API endpoints. Discovered assets are mapped to underlying infrastructure and correlated with security findings to help prioritize remediation. The feature is included with Security Hub Essentials at no additional cost and is available in all commercial AWS Regions where Security Hub is offered.
read more โ†’

LabubaRAT Rust RAT Masquerades as NVIDIA Runtime

๐Ÿ›ก๏ธ Cybersecurity researchers disclosed a previously undocumented Rust-based remote access trojan, LabubaRAT, which impersonates an NVIDIA runtime executable to evade detection and establish persistent access. The implant supports multiple communication channels including HTTPS, WebView2, and DNS tunneling, accepts runtime configuration via command-line arguments or Base64 payloads, and stores its settings in a local SQLite database. Once active, it profiles hosts for browsers and security products, captures screenshots, executes commands, handles files and archives, and proxies traffic via SOCKS5, enabling hands-on operations without a separate loader.
read more โ†’

Progress confirms ShareFile zeroโ€‘day behind shutdown

๐Ÿ›ก๏ธ Progress Software confirmed a highโ€‘severity zeroโ€‘day in ShareFile Storage Zone Controller that prompted an emergency shutdown of customer Windows servers. The flaw is a path traversal impacting all 5.x and 6.x releases, allowing an authenticated admin to read arbitrary files, write attackerโ€‘controlled content, or enumerate the filesystem. Progress released patches (5.12.5 and 6.0.2), reserved a CVE to be published in two weeks, and currently reports no evidence of customer data breaches.
read more โ†’

Bruce Schneier: Upcoming Speaking Engagements 2026

๐Ÿ—“๏ธ This page lists Bruce Schneier's scheduled speaking engagements for mid to late 2026, including virtual and in-person appearances. Events include the Policy-Relevant Privacy Research Workshop (Calgary) on July 20, the Boston Leadership Exchange on July 22, and several conferences in Las Vegas, Anaheim, and Vancouver with dates in August through October. Specific talk times for several events are noted as TBD and the list is maintained on this page.
read more โ†’

Claude on Google Cloud: Enterprise AI at Scale

๐Ÿค– Claude on Google Cloud pairs Anthropic's frontier models with Google Cloud's managed infrastructure, enabling enterprises to run large-scale AI in production. It provides unified IAM, VPC controls, observability, and global, regional, and multi-region endpoints to meet latency and data-residency needs. Built-in model features like prompt caching, streaming, and extended context combine with Google Cloud serving capabilities such as batch prediction and provisioned throughput for cost and performance optimization.
read more โ†’

LastPass and Bitwarden Users Targeted by Phishing Alerts

๐Ÿ”” LastPass warns of an active phishing campaign using fake corporate-style security notices that redirect recipients to fraudulent landing pages impersonating DocuSign. The emails, claiming to announce policy updates, come from addresses like hello@lastpassnewsletter.com and lead to domains such as lastpasscompliance[.]com, which have been flagged as malicious. Bitwarden users have received similar messages from hello@bitwardennewsletter.com redirecting to bitwardencompliance[.]com. LastPass confirms its systems were not breached and urges users to never share their master password and to report suspicious messages to abuse@lastpass.com.
read more โ†’

DoD Suspends CMMC Phase II Pending Reform Review

๐Ÿ›ก๏ธ The US Department of Defense has paused the rollout of CMMC Phase II, originally due November 10, 2026, while it conducts a 60-day review to reduce compliance burdens and foster innovation in the defense industrial base. The DoD will rely on NIST SP 800-171 self-assessments and select government-led checks during the interim, and has formed a CMMC Reform Task Force to realign the program with acquisition priorities.
read more โ†’

Metaโ€™s Muse Image Sparks Privacy Backlash

๐ŸŽฏ Meta launched Muse Image on July 7, 2026 โ€” an AI image generator that reasons through prompts and scrapes the web for context. Journalists found it could reference any public Instagram account without notifying creators, enabling use of othersโ€™ content without permission. Meta disabled the feature on July 10 after criticism, offering no clear commitments on future safeguards or data use policies.
read more โ†’

Authenticate Legitimate AI Agent Traffic with WAF

๐Ÿ”’ This post introduces Web Bot Authentication (WBA) in AWS WAF Bot Control, a cryptographic, standards-based method for verifying automated agent identities using HTTP Message Signatures. It explains how asymmetric signatures and IETF drafts enable tamper-proof verification, the new WAF labels (verified, invalid, expired, unknown_bot, vendor, name, account), and how verified traffic is handled by default. The article also outlines deployment steps, supported rule group versions, monitoring guidance, and future registration APIs.
read more โ†’

RabbitMQ flaws risk OAuth secret exposure

๐Ÿ”’ Cybersecurity researchers disclosed two access-control flaws in RabbitMQ that could leak OAuth client secrets and allow cross-tenant data access. Miggo's team reported one issue exposes the broker's OAuth secret to unauthenticated requests, enabling full broker takeover, while the other permits authenticated users to read other tenants' queue metadata. Affected releases begin at 3.13.0; fixes are available in recent patch releases and administrators are urged to rotate secrets and restrict management access.
read more โ†’

Cloudflare explains DNSSEC NTA and EDE 33

๐Ÿ›ก๏ธ On July 3, 2026, Albania's .AL TLD experienced a failed DNSSEC key rollover that caused widespread validation failures for validating resolvers, including Cloudflare's 1.1.1.1. Cloudflare applied a Negative Trust Anchor (NTA) to restore resolution and for the first time returned a new Extended DNS Error (EDE 33) to signal that DNSSEC validation had been bypassed. The change provides visibility into responses served under an NTA and complements EDE codes like EDE 9 to show the underlying DNSSEC failure.
read more โ†’

Microsoft Entra ID makes passkeys default by 2026

๐Ÿ” Microsoft will make passkeys the default authentication method for Entra ID starting September 2026, automatically enabling them for users currently relying on SMS and voice MFA. Those phone-based methods will be retired as native Entra capabilities on February 1, 2027, though organizations can use third-party telecom providers if needed. Users already on phishing-resistant methods like Windows Hello for Business, FIDO2 keys, or smart cards can continue using them without change.
read more โ†’

New phishing kits target Microsoft 365 and evade MFA

๐Ÿ›ก๏ธ Two new phishing kits, Jalisco and OmegaLord, are being used to target Microsoft 365 accounts and bypass multi-factor authentication. Jalisco leverages the OAuth 2.0 device-code flow to trick victims into authorizing attacker-controlled devices, while OmegaLord poses as a PDF reader to harvest credentials and phone numbers. Researchers at ReliaQuest analyzed both toolkits and found attackers quickly exfiltrate data from SaaS platforms before demanding extortion. The report recommends tightening device-registration limits and blocking device-code authentication to reduce risk.
read more โ†’

Old Microsoft-signed UEFI shims expose Secure Boot

๐Ÿ”’ Researchers found 11 Microsoft-signed UEFI shim bootloaders that can be abused to bypass Secure Boot on many systems, enabling execution of untrusted code during early boot. ESET and CERT/CC detail how outdated shims (mostly v0.9 and earlier) remained trusted because they were not revoked, allowing attackers to deploy UEFI bootkits and persist below the OS. Microsoft revoked affected certificates in June 2026 following disclosures.
read more โ†’

macOS infostealer poses as Apple crash reporter

๐Ÿ›ก๏ธ A new macOS infostealer named CrashStealer impersonates Apple's crash-reporting component to trick users into installing a password-stealing payload. Delivered via a signed, notarized disk image called "Werkbit Setup," the dropper bypasses Gatekeeper and fetches a downloader that installs the C++-based stealer. Once active, it prompts for system credentials and exfiltrates browser-stored logins, crypto wallet access and keychain data, using client-side encryption and anti-analysis techniques.
read more โ†’