< ciso
brief />
Telegram

Hello, stay ahead with CISO Brief 🚀

Every day the cybersecurity world moves fast — new incidents, evolving AI risks, changing regulations, and critical vendor updates. We cut through the noise to deliver only what matters most for your business and security strategy.

CISO Brief brings you a daily digest of high-signal news: major breaches, hyperscaler security releases, AI and compliance shifts, and the latest threat intelligence — all in one concise update.

Built for CISOs, CTOs, and architects, our goal is to save you time, reduce distraction, and keep you always on pulse with the risks and opportunities that shape tomorrow.

👉 Join our Telegram channel for your daily update — stay informed, stay ready.

Cybersecurity News Digest — Daily Briefings

Latest News

all posts →

PirloTV sports piracy network disrupted in domain seizure

🔎 PirloTV, a network of sites embedding unauthorized live sports streams, has had 44 domains seized in a coordinated action. The Alliance for Creativity and Entertainment (ACE), UEFA, UC3, and Mexican authorities targeted domains that generated over 950 million visits annually, with heavy traffic from Mexico and Colombia. The takedown occurred ahead of the UEFA Champions League final and may affect piracy during the ongoing FIFA World Cup. Despite the seizures, some domains remain indexed and the network can quickly migrate to new domains.
News
read more →

Fortinet launches product carbon footprint calculator

🌱 Fortinet has introduced a Product Carbon Footprint (PCF) Calculator that provides greenhouse gas emissions estimates for more than 790 products. The publicly accessible, free tool uses internationally recognized standards like ISO 14040 and ISO 14067 and includes country-specific emission factors. It supports lifecycle analysis across manufacturing, use, and end-of-life stages to help customers and partners incorporate environmental data into procurement and reporting.
Fortinet
read more →

Bluekit adopts browser-in-the-middle for login theft

🛡️ The Bluekit phishing-as-a-service platform has added browser-in-the-middle (BitM) capabilities and nearly 70 new hostnames, enabling attackers to load legitimate login pages and capture valid session tokens. Netcraft found Bluekit uses the open-source rrweb library to serialize and stream page DOM data over WebSockets while fetching assets through phishing infrastructure. The kit also includes advanced anti-analysis features such as randomized CSS filters, large rotating obfuscated JavaScript bundles, custom CAPTCHAs, browser fingerprinting, and WebRTC IP-mismatch checks.
Browser-in-the-BrowserPhishingSession HijackingToken Theft
read more →

Threat Actor Exploited Cisco SD‑WAN Zero‑Day

🔒 A Google (Mandiant) report warns that a threat actor exploited a severe Cisco SD‑WAN vulnerability (CVE-2026-20245) at least two months before disclosure. The flaw, a high-severity (CVSS 7.8) privilege escalation in the CLI of Cisco Catalyst SD-WAN Controller, allowed authenticated local attackers to upload crafted files and execute commands as root. Cisco disclosed the issue on June 4 and began releasing fixes on June 10, while Mandiant detailed related unauthorized peering and credential-theft activity stretching back to late 2025.
CiscoPrivilege EscalationZero-Day ExploitationActive Exploitation
read more →

High‑Install Chrome Extension Enables Remote Script Injection

🛡️ An analysis of a widely installed Google Chrome extension, Adblock for YouTube (10M+ installs), revealed it can execute arbitrary JavaScript across websites. Researchers found a dormant, server‑controlled injection capability that could create elements without an extension update or store review. Although no evidence of active abuse was reported, the combination of all‑site access, prior ad‑injection SDKs, and related removed extensions raises significant privacy and security concerns.
GoogleSupply Chain Compromise
read more →

Cloudflare Workflows adds durable saga rollbacks

🛠️ Cloudflare Workflows now supports saga rollbacks, letting developers declare per-step compensation logic directly in step.do() calls. This feature simplifies undoing partial work when later steps fail by running rollback handlers in reverse step-start order and preserving idempotency via idempotency keys. Rollback handlers are durable, configurable with retries and timeouts, emit lifecycle events, and execute only when the Workflow fails terminally.
CloudflareProduct Update
read more →

ClickFix: New social engineering that forces execution

🛡️ The ClickFix technique tricks users into executing malicious commands themselves by presenting convincing prompts like fake CAPTCHAs, Cloudflare checks, or “browser update” notices. Attackers rely on clipboard copy and instruct victims to paste commands into the Windows Run dialog, bypassing endpoint defenses that see the activity as legitimate user action. Check Point’s ThreatCloud AI team developed the ClickFix Engine, integrated into Gateways, Email Security, and Browse Security, to detect behavioral signals in page HTML and block such attacks irrespective of domain reputation.
ClickFixCheck PointDefense Evasion
read more →

Threatsday bulletin: proxyware, exploits, and trends

🛡️ This week’s bulletin highlights a string of practical and persistent threats: privacy-preserving bot defense work from Cloudflare and browsers, six serious curl vulnerabilities fixed in 8.21.0, and a critical unauthenticated takeover in Hoppscotch. Spur Intelligence found widespread proxyware in LG and Samsung smart TV apps, while Teams-based social engineering delivered the Edgecution extension. Other items include legacy credential breaches, state-crime convergence, admin reset alerts, and macOS ClickFix campaigns.
CloudflareThreat Report
read more →

Study Finds Decline in Trust for AI Vulnerability Scanning

🛡️ The Cobalt State of Pentesting Report 2026 surveyed roughly 450 cybersecurity professionals across 2025 and 2026 and found trust in fully automated AI vulnerability testing has dropped sharply. Reliance on AI-only testing fell from 29% to 9%, while 47% now prefer a hybrid human-plus-AI model. Respondents reported that 78% of fully automated scanners missed critical vulnerabilities, and AI/LLM issues showed longer MTTR and lower fix rates.
AI Red TeamingVulnerability ManagementResearch
read more →

CISA guidance steers agencies from TIC 2.0 to SASE

đź”’ CISA has issued guidance to help federal agencies transition from perimeter-based Trusted Internet Connections (TIC) 2.0 to a more flexible TIC 3.0 using Secure Access Service Edge (SASE) technology. The guidance explains how SASE can replace legacy Managed Trusted Internet Protocol Services (MTIPS) and combines networking and security functions such as SD-WAN, secure web gateways, CASBs, next-gen firewalls and ZTNA. It is vendor-agnostic and emphasizes architecture and visibility requirements rather than specific products.
SASEZero Trust
read more →

Prompt Injection as Role Confusion in LLMs

đź“ť This post highlights a new paper that demonstrates how large language models are vulnerable to prompt injection because they learn to distinguish instruction blocks by style rather than explicit tags. The authors argue that role tags became a de facto security architecture but do not map cleanly into model representations, producing persistent role confusion. The paper warns that without genuine role perception, defenses will be reactive and brittle, and calls for deeper study of roles within the LLM stack.
Prompt Injection AttackLLM SecurityResearch
read more →

macOS XPC Flaw Lets Non‑Root Users Disable EDR/MDM

đź”’ A disclosed macOS privilege escalation allows a non-root user to abuse XPC trusted caller caching to invoke privileged helper functions without authentication, impacting multiple EDR and MDM products. XM Cyber found attackers can tamper with a legitimate app to inherit its cached trust and call sensitive methods to unload or disable security agents with minimal forensic traces. Vendors including CrowdStrike and Kandji have issued fixes and mitigations, while XM Cyber released a scanner and will present findings at Black Hat.
CrowdStrikePrivilege EscalationEndpoint Security
read more →

Ransomware Incidents Surge Across Europe in 2026

🔍 Black Kite's 2026 European Cyber Risk Report found a 55.1% year-over-year rise in ransomware incidents in the first four months of 2026, averaging 171 incidents per month. Five countries — Germany, the UK, France, Italy and Spain — accounted for 70% of attacks. The Qilin ransomware was the most prevalent, followed by Akira and regionally focused SafePay, with manufacturing the most targeted sector. Researchers highlighted supply chain compromises and third-party risk as key drivers of the increase.
RansomwareAkiraSupply Chain Compromise
read more →

Balancing AI Oversight and Rapid Enterprise Innovation

🚦CIOs face intense pressure to deploy AI quickly while managing novel risks and proving ROI. Leaders must balance speed with governance, building guardrails that enable innovation without creating bottlenecks. Organizational design — with clear separation between adopters and oversight — plus risk-based decision frameworks and vendor due diligence are essential. Practical maturity models and governed platforms help scale AI safely across the enterprise.
AI Governance
read more →

Introduction to COM Usage by Windows Threats

🧭 This post introduces Component Object Model (COM) fundamentals and explains how analysts can identify and analyze COM usage in binaries. It covers GUIDs, CLSIDs, IIDs, ProgIDs, vtables, and activation APIs such as CoCreateInstance and CoCreateInstanceEx. The article highlights DCOM and COM security concepts, common Windows examples like Task Scheduler, and practical tools (e.g., OleView.NET) and workflows for reversing COM-dependent malware.
Malware Analysis
read more →

Gaslight macOS implant uses AI prompt injection

🛡️ A new Rust-based macOS implant named Gaslight embeds a prompt-injection payload aimed at misleading AI-assisted analysis tools into aborting or refusing to analyze the sample. SentinelOne attributes the tool with high confidence to North Korea–aligned actors and notes its Telegram-based C2 implements an interactive shell with commands like shell, upload, and kill. The implant uses a LaunchAgent for persistence and includes a Base64-encoded Python stealer that harvests browser data, Terminal histories, Keychain contents, and system profiles before compressing and exfiltrating via Telegram.
SentinelOnePrompt Injection AttackNorth Korea-nexusMalware
read more →

FedRAMP 20x and the rise of GRC engineering

🔍 The author argues that much of traditional compliance has become theatrical—focused on curated, point-in-time evidence rather than continuous operational truth. FedRAMP 20x and the broader GRC engineering movement push assurance toward automation, machine-readable evidence and continuous telemetry, shifting audits from static snapshots to ongoing validation. The writer recounts their organization’s FedRAMP 20x pilot, describing early setbacks as iterative learning rather than failure.
FedRAMPGRC
read more →

Mistic backdoor linked to KongTuke access broker

🛡️ Broadcom, Symantec, and Carbon Black report a stealthy backdoor named Mistic (aka MLTBackdoor) deployed since April 2026 across insurance, education, IT, and professional services. The implant runs in memory via DLL side-loading of trusted tooling, includes a kill switch, and was dropped alongside ModeloRAT, a Python RAT tied to the KongTuke access broker. Analysts say the activity appears opportunistic and linked to ClickFix delivery chains and ransomware-related actors.
BroadcomRemote Access TrojanInitial Access BrokerDLL Sideloading
read more →