< ciso
brief />

Hello, stay ahead with CISO Brief 🚀

Every day the cybersecurity world moves fast — new incidents, evolving AI risks, changing regulations, and critical vendor updates. We cut through the noise to deliver only what matters most for your business and security strategy.

CISO Brief brings you a daily digest of high-signal news: major breaches, hyperscaler security releases, AI and compliance shifts, and the latest threat intelligence — all in one concise update.

Built for CISOs, CTOs, and architects, our goal is to save you time, reduce distraction, and keep you always on pulse with the risks and opportunities that shape tomorrow.

👉 Join our Telegram channel for your daily update — stay informed, stay ready.

Cybersecurity News Digest — Daily Briefings

Latest News

all posts →

Australia alerts on global CMS exploitation campaign

⚠️ The Australian Cyber Security Centre (ACSC) warned of a global campaign exploiting vulnerabilities in multiple content management systems and plugins, with many Australian small and medium businesses affected. Threat actors are deploying webshells to maintain persistence, steal credentials, and escalate access. The campaign targets several CMS platforms and specific plugins, and the ACSC cautions that AI may be used to accelerate attacks. Administrators are urged to apply patches, remove unused components, and tighten web-server protections.
read more →

Ghostcommit attack hides prompt injection in images

🛡️ Researchers demonstrated "Ghostcommit," a proof-of-concept attack that hides malicious instructions inside a PNG referenced by an AGENTS.md so AI code-reviewing agents read images, open .env files, and exfiltrate secrets as integer constants. The pull request appears benign to text-based reviewers and default configs often exclude images from review, letting the change merge without human oversight. In tests, several coding agents followed the image pointer and emitted the repository's .env as a tuple of integers, while some agent harnesses refused. The ASSET Research Group published code, disclosed vendors, and built a multimodal GitHub app that inspects images, code shape, and conventions to block the exploit in trials.
read more →

Critical Zimbra XSS Flaw Targets Classic Web Client

🛡️ Zimbra has released an urgent update to fix a critical stored cross-site scripting (XSS) vulnerability in its Classic Web Client that could permit arbitrary code execution via specially crafted emails. The vendor says the flaw could expose mailbox data, session information, or account settings if exploited, though no CVE has yet been assigned. Zimbra recommends updating to Zimbra Collaboration Suite version 10.1.19 to mitigate the risk.
read more →

The Gentlemen ransomware: rise and operational profile

🔒 Unit 42 details the emergence and tactics of The Gentlemen (aka Storm-2697), a Ransomware-as-a-Service active since mid‑2025 and scaling rapidly through 2026. The group uses C and Go variants, offers affiliates a 90% payout, and employs diverse initial access methods including exploited edge devices, brute force, stolen credentials and IAB partnerships. Researchers note custom tooling such as a Go backdoor, an EDR killer called GentleKiller, and likely zero-day exploitation to evade defenses.
read more →

Six U-Boot Vulnerabilities Enable Stealthy Firmware Attacks

🔒 Binarly disclosed six vulnerabilities in the widely used U-Boot bootloader's FIT signature verification that can lead to crashes or arbitrary code execution during device boot. These flaws, present in code dating back to U-Boot 2013.07, potentially affect many releases and vendor forks across BMCs, networking gear, industrial systems, and IoT devices. While patches have been accepted upstream, vendor firmware updates are required to protect devices, and unsupported hardware may remain vulnerable.
read more →

Friday Squid Blogging: Squidbleed Vulnerability

🦑 A decades-old bug in the Squid proxy can leak HTTP request data, a flaw dubbed "Squidbleed." This post mixes a lighthearted squid image with serious security discussion, noting the vulnerability's age and potential impact on privacy. The author also invites readers to discuss other current security news not yet covered.
read more →

AWS launches sixth‑gen R8i instances with higher throughput

🔔 Amazon EC2 R8in, R8ib, R8idn, and R8idb instances are now available in Asia Pacific (Tokyo) and Europe (Frankfurt, Ireland). Powered by custom sixth‑generation Intel Xeon Scalable processors exclusive to AWS and the latest sixth‑generation AWS Nitro cards, these instances provide up to 43% better compute per vCPU versus R6i predecessors. They offer leading network and EBS bandwidth, support EFA on large sizes, and are offered via Savings Plans, On‑Demand, and Spot.
read more →

EMR on EKS Adds Spark Troubleshooting Agent

🛠️ Amazon EMR on EKS now integrates an Apache Spark troubleshooting agent that provides automated root cause analysis and PySpark recommendations through natural language, simplifying diagnosis of job failures. The agent inspects Spark History Server data, executor logs, and cluster configs to detect issues like memory errors, data skew, resource contention, and connectivity problems. Accessible via a "Troubleshoot with AI" option in the EMR on EKS console and via MCP with compatible AI coding agents, the feature is read-only, IAM-authenticated, logged in CloudTrail, and available in Regions with SageMaker Unified Studio.
read more →

Ryuk Operative Pleads Guilty, Faces 15 Years

🛡️ Karen Serobovich Vardanyan, 34, pleaded guilty to hacking U.S. companies and deploying Ryuk ransomware after being extradited from Kyiv. She provided initial access to corporate networks and helped deploy ransomware between November 2019 and April 2020, leading to large ransom payments including a Michigan firm that paid 200 BTC. Prosecutors say the group collected about 1,610 BTC (≈$15 million then).
read more →

Injective Labs SDK compromise exposes wallet keys

🔐 Unknown actors compromised the Injective Labs SDK repository and published a malicious npm package, @injectivelabs/sdk-ts@1.20.21, to exfiltrate cryptocurrency private keys and mnemonic phrases. The backdoored release, deployed on July 8, 2026, was embedded with fake telemetry that captured sensitive wallet data and transmitted it to an external server. The attacker pushed identical poisoned versions across 17 additional @injectivelabs-scoped packages to reach transitive users. A clean update (1.20.23) is now available and users are urged to rotate any exposed keys and check dependencies.
read more →

Amazon Location Service enhances address and POI search

📍Amazon Location Service announced enhancements to its Places APIs, giving developers finer control over address formatting, multilingual place names, travel-optimized POI search, and drive-through data. Changes affect Geocode, ReverseGeocode, GetPlace, Suggest, Autocomplete, SearchNearby, and SearchText APIs. New parameters include AddressNamesMode, AddressNamesVariant, AddressTranslations, and TravelMode, plus a DriveThrough attribute and Parsing.AdditionalInfo in Geocode responses.
read more →

AMI-based configuration for Slurm continuous provisioning

🚀 Amazon SageMaker HyperPod now supports AMI-based configuration for Slurm clusters that use continuous provisioning, enabling nodes to be provisioned with required software and settings without managing lifecycle scripts in S3. AMI-based configuration installs components like Docker, Enroot, and Pyxis and applies Slurm accounting, SSH key management, and log rotation as nodes are added. To enable it, omit the LifeCycleConfig block via the API or select "None" under Lifecycle scripts in Custom setup in the console; an optional extension script can be provided via OnInitComplete and SourceS3Uri. This feature is available in all AWS Regions where SageMaker HyperPod is offered, and custom lifecycle scripts remain supported for advanced use cases.
read more →

Google Cloud designated a UK critical third party

🛡️ Today Google Cloud announced that on July 10 the U.K. Treasury designated Google Cloud EMEA as a critical third party (CTP) to the U.K. financial sector. The designation acknowledges the systemic impact of services used by U.K. firms and places Google Cloud EMEA under direct oversight by the Bank of England, PRA, and FCA. Google Cloud commits to constructive engagement with regulators and to help customers meet operational resilience and third‑party risk requirements.
read more →

Police point to Dutch suspects in Odido breach

🔎 The Dutch National Police report strong indications that Dutch-speaking attackers were involved in the February breach of telecom provider Odido. Investigators recovered traces including a phone call where an impersonator posing as an Odido IT employee used social engineering to enable a phishing-based data theft. Odido disclosed the incident affected millions of customers and that exposed records may include names, addresses, contact details, IBANs, and some ID numbers, while call records, billing data and passwords were not exposed. The extortion group ShinyHunters claimed responsibility and released a large archive of stolen records, and the gang has been linked to multiple vishing and SSO-targeting campaigns affecting major providers.
read more →

Progress orders ShareFile Storage Zones offline

🔒 Progress Software has told ShareFile customers to shut down Windows servers running their Storage Zone Controllers in response to a "credible external security threat." The company has temporarily disabled access to affected accounts and says it has no indication of unauthorized access to ShareFile accounts or data while it investigates with internal and external experts. The disruption was made public via a customer post on Reddit and confirmed on Progress's status page; only self-hosted Storage Zone Controllers are affected, not cloud-only ShareFile accounts.
read more →

Progress warns ShareFile customers to shut servers

🛑 Progress Software has alerted ShareFile customers using on-premise Storage Zone Controllers to immediately shut down the Windows servers hosting those controllers after identifying a "credible external security threat." The company temporarily disabled access to Storage Zone Controller–backed accounts and says manual shutdown is required in addition to cloud-side restrictions. Progress is investigating with cybersecurity partners and will update customers within 24 hours while the ShareFile status page shows affected controllers are nonoperational.
read more →

AWS designated a critical third party for UK finance

🔐 Amazon Web Services EMEA Sarl (AWS) has been designated a critical third party (CTP) to the UK financial sector under the CTP regime that came into force on January 1, 2025. The regime gives the Bank of England, PRA, and FCA powers to set requirements and exercise direct oversight over designated providers. AWS will self-assess its designated Systemic Third-Party Services (STPS) against the criteria and engage with regulators while supporting customers’ operational resilience.
read more →

Measuring agent capability with graded difficulty

🔎 This article from Google Data Cloud explores a rigorous, information‑theoretic approach to evaluating AI data agents by converting binary pass/fail tests into graded difficulty sweeps. The team introduces Discovery Bench and iterative surprisal-based query refinement (iSQR) to generate low/medium/high ambiguity variations of queries, quantify surprisal, and map where agents succeed or fail. The piece highlights how this method reveals cliffs and sweet spots in agent behavior and calls for auditing benchmarks themselves to avoid misleading conclusions.
read more →