Hello, stay ahead with CISO Brief 🚀

🔎 The FBI, collaborating with Google and Black Lotus Labs, dismantled a China-linked phishing-as-a-service operation called Outsider Enterprise that used AI and distributed phishing kits across thousands of fraudulent websites and over a million URLs. Authorities seized administrative servers, a Shopify storefront, testing accounts, and roughly $100,000 in USDT, while redirecting many malicious domains to an FBI splash page. Google reports hundreds of thousands of affected users and has filed a civil suit against the infrastructure while coordinating with carriers to block fraudulent SMS campaigns.

🔒 A former senior IT support specialist for the Saydel Community School District in Iowa was sentenced to 21 months in prison for repeatedly accessing and sabotaging his former employer’s systems after his April 2023 departure. Prosecutors say he deleted the district’s Facebook page, stripped employees of access to educational platforms, and erased Apple School Manager and Gmail accounts, disrupting classes and causing tens of thousands in remediation costs. He pleaded guilty in January 2026 and must pay $59,668.81 in restitution and serve three years of supervised release with monitoring conditions.

🛡️ Splunk released security updates to remediate a critical unauthenticated file operation and remote code execution vulnerability (CVE-2026-20253, CVSS 9.8) affecting certain Splunk Enterprise versions. The flaw stemmed from an unauthenticated PostgreSQL sidecar service endpoint that allowed creation or truncation of arbitrary files. Splunk fixed the issue in 10.0.7 and 10.2.4; Splunk Cloud is not affected because it does not use Postgres sidecars. Users are urged to apply the updates promptly to mitigate exploitation risk.

🔒 Anthropic suspended access to its two most capable models, Fable 5 and Mythos 5, after receiving a US government export control directive on June 12 ordering it to block access by any foreign national. The order, citing national security, applies to foreign nationals inside and outside the United States and forced Anthropic to disable both models for all customers; other models such as Claude Opus 4.8 remain available. Anthropic says the directive followed a reported narrow jailbreak demo and is working to restore access while disputing the government's assessment.

🔒 Anthropic said it will "abruptly disable" its latest models, Claude Fable 5 and Mythos 5, for all users after receiving a U.S. government directive to suspend access for foreign nationals due to national security concerns. The company said it believes the order reflects a "misunderstanding" and is working to restore access while noting other models remain available. Anthropic said a demonstrated narrow jailbreak identified minor, publicly discoverable vulnerabilities, and emphasized its safety classifiers and guardrails to limit misuse. The move follows findings that Mythos-class models can rapidly convert disclosed software flaws into working exploits, raising concerns about fast weaponization of vulnerabilities.

🔎 This report details the discovery of a new macOS Tahoe 26 Biome stream, App.MenuItem, which records specific menu selections made by users across the OS. It explains the artifact's location at ~/Library/Biome/streams/restricted/App.MenuItem/local, the SEGB-encapsulated protobuf format, and recommended processing steps using ccl-segb. The article highlights how the stream reconstructs user intent and workflow, and notes limitations when menu text is non-descriptive.

🚀 Starting today, Amazon Lightsail is available in three additional AWS Regions: Asia Pacific (Hong Kong), South America (São Paulo), and Europe (Spain). This expansion delivers lower latency and improved performance for customers in these geographies while supporting local data residency requirements. The new Regions provide access to Lightsail's full feature set, including instances (general purpose, compute-optimized, memory-optimized), managed databases, container services, and load balancers with predictable pricing.

🔒 Maine has taken its public data breach reporting portal offline after fraudulent disclosures impersonating Discord and VRChat were published. The Attorney General's Office confirmed the reports were hoaxes and removed them, stating there is no evidence of actual breaches by the named companies. Public access to the database is temporarily disabled while the office reviews procedures; companies may still submit notices but the public must request disclosures directly.

🔒 Researchers discovered a 10-year-old authentication bypass in phpBB that allows logging in as any user, including administrators. The flaw affects versions 4.0.0-a2 and 3.3.16 and below and can be exploited with a single HTTP request on default configurations. Aikido reported the issue on June 2 and phpBB patched it in version 3.3.17 on June 6; 4.x users must await a safe release.

🔒Sygnia reports a China-nexus group, tracked as Velvet Ant, backdoored Linux login components including PAM and OpenSSH, embedding long-term access where routine cleanup would not reach. The actor altered trusted login programs to capture credentials, record sessions, or allow secret logins, with traces dating back to 2016. Isolation was bypassed by staging through internet-facing systems and bridging into air-gapped segments.

🔒 Check Point now integrates its Workforce AI governance with Claude’s Compliance API to close substantial visibility gaps in enterprise AI usage. The integration provides continuous, audit-grade records across web, desktop, and mobile surfaces, addressing a critical mobile blind spot that proxies, CASBs, and endpoint DLP cannot cover. It combines content-level exposure analysis, per-user adoption analytics, and unified policy enforcement to enable secure, frictionless AI adoption across the organization.

🚀 Amazon SageMaker AI now supports serverless customization for Nvidia Nemotron 3 Nano via supervised fine-tuning (SFT) and reinforcement fine-tuning (RFT). This open-weight 30B-parameter model can be deployed and adapted to specific domains and workflows directly within SageMaker. Serverless customization handles infrastructure and training orchestration, enabling teams to focus on data and evaluation while paying only for usage. The feature is available in US East (N. Virginia), US West (Oregon), Asia Pacific (Tokyo), and Europe (Ireland), and can be launched from SageMaker Studio or via the SageMaker Python SDK.

🔍 Congress failed to extend Section 702 of the Foreign Intelligence Surveillance Act, creating a short pause in warrantless monitoring of foreign communications. The extension vote was rejected, leaving surveillance put on hold until the next possible vote on June 28, and creating uncertainty about immediate intelligence collection practices. CISOs should note potential impacts on cross-border communications and legal challenges ahead.

⚙️ AWS has launched Storage optimized Amazon EC2 I7i instances in the Europe (Paris) region, powered by 5th Gen Intel Xeon processors and 3rd generation AWS Nitro SSDs. These instances deliver up to 23% better compute performance and over 10% improved price performance versus I4i, with up to 45TB NVMe storage and significant reductions in storage I/O latency and variability. I7i supports torn write prevention up to 16KB and comes in eleven sizes, including bare metal options, with up to 100Gbps network and 60Gbps EBS bandwidth.

🔒 The French government’s secure messaging platform, Tchap, was breached after an intruder took over a user account, according to DINUM. The agency blocked the compromised access and is investigating the extent of exposed information. While encryption was not broken, public chat rooms are unencrypted and the intruder reportedly accessed thousands of messages and files. DINUM reminded users that public rooms are visible to any account and should not contain sensitive content.

🔍 Fortinet highlights its role as a research partner with the MITRE Center for Threat-Informed Defense (CTID), contributing threat intelligence, operational expertise, and research to practical R&D projects. The CTID impact report (2019–2025) demonstrates collaborative efforts to map adversary behavior to detection, controls, and cloud security. Fortinet’s contributions focus on operationalizing ATT&CK-based frameworks, improving detection quality, and advancing program maturity across cloud, identity, and AI-driven workflows.

🔒 Amazon EC2 Capacity Blocks for ML is now available in AWS GovCloud (US-West) and AWS GovCloud (US-East), enabling government and regulated-industry customers to reserve GPU capacity for machine learning workloads. The service lets customers reserve GPU instances in advance for defined durations, providing assured access to accelerated compute for pre-training, fine-tuning, rapid prototyping, and surge inference. Reservations can be made up to eight weeks ahead for durations up to six months, in clusters of one to 64 instances, and can be shared across accounts using AWS Resource Access Manager.

🔎 An international law enforcement operation dismantled the AudiA6 cryptocurrency laundering service, suspected of moving more than €336m for ransomware gangs and other cybercriminals between 2022 and 2025. The probe identified an industrial-scale laundering scheme that used thousands of stolen identities and money mules to obfuscate funds. Arrests, domain seizures and frozen crypto followed coordinated actions across Europe, the US and Georgia.