< ciso
brief />
Identity Hardening, Active Exploits, and AWS AI Updates

Identity Hardening, Active Exploits, and AWS AI Updates

Coverage: 13 Jul 2026 (UTC)

< view all daily briefs >

Identity defenses and cloud platforms took center stage as vendors pushed stronger authentication defaults and new AI capabilities, while governments coordinated sanctions and advisories amid ongoing exploitation of web platforms and network gear. Organizations face active abuse of Joomla extensions and router weaknesses, alongside evolving OAuth and phishing-as-a-service techniques targeting SaaS estates. AWS expanded access to third‑party foundation models and database compatibility, underscoring parallel tracks of rapid capability growth and security hardening.

Identity, OAuth, and SaaS Defense

Microsoft will make passkeys the default phishing-resistant method in Microsoft Entra ID starting September 1, 2026, with an automated rollout that onboards users currently using SMS or voice and prompts registration at their next MFA event, according to a Microsoft Entra ID update. Native telecom delivery for SMS and voice is scheduled for retirement on February 1, 2027, with partner configuration details due September 18, 2026 and tenant controls available by October 30, 2026. Microsoft frames the change as a response to AI‑enabled phishing, SIM swapping, and MFA bypass, and recommends early migration to passkeys or other phishing‑resistant methods using its deployment guidance.

Separately, Microsoft analyzed multiple campaigns from mid‑2025 to mid‑2026 abusing OAuth trust to access Salesforce environments, outlining new telemetry and governance features to improve detection and response in Defender for Cloud Apps, as detailed in a Microsoft analysis. The activity relied on user consent social engineering, supply‑chain compromises of SaaS integrations, and misconfigurations that made abuse appear similar to legitimate app behavior. Enhancements include Real‑Time Event Monitoring onboarding, connected‑app attribution, expanded permissions insights, and non‑human identity risk scoring to prioritize remediation.

Researchers also described an OAuth client ID spoofing technique that uses the ROPC flow and AADSTS error codes to validate credentials and evade Entra sign‑in visibility, warning defenders to scrutinize entries with missing application IDs and interpret certain errors as potential compromise signals, per an Infosecurity report. In parallel, a phishing‑as‑a‑service offering dubbed Forg365 was observed targeting Microsoft 365 tenants with device‑code phishing, AitM session theft, token vaulting, antibot checks, and a cookie‑injection browser extension to sustain access, according to The Hacker News. Recommended actions include restricting device‑code authentication, auditing mailbox artifacts and forwarding rules, and strengthening OAuth monitoring.

Web and Messaging Layers Under Active Exploitation

CISA added two Joomla extension vulnerabilities to the KEV catalog following active exploitation enabling arbitrary file uploads and remote code execution, with evidence of automated attacks before fixes were available, reported BleepingComputer. The issues affect iCagenda (CVE‑2026‑48939; patched in 4.0.8/3.9.15) and Balbooa Forms (CVE‑2026‑56291; patched in 2.4.1). Operators are urged to identify affected extensions, apply updates or compensating controls to block uploads and restrict execution, and validate protections due to the risk of web shells, data theft, and full site compromise.

Beyond Joomla, a global campaign is rapidly scanning and exploiting content management systems and plugins across platforms such as WordPress, Joomla JCE, Craft CMS, MaxSite CMS, and MetInfo CMS using 2025–2026 CVEs for unauthenticated upload, RCE, SSRF, or deserialization, according to an Infosecurity summary of an ACSC advisory. The ACSC urges immediate inspection for webshells, review of logs for suspicious activity, isolation of compromised servers, patching, removal of malicious files, and restoration from known‑good backups, alongside hardening to limit reinfection and lateral movement.

In messaging infrastructure, Miggo Security disclosed and RabbitMQ patched two access control flaws dating back to 3.13.0: CVE‑2026‑57219, an obsolete management endpoint exposing confidential OAuth client secrets to unauthenticated users, and CVE‑2026‑57221, an authorization bypass letting low‑privileged users infer queue and exchange metadata, as covered by CSO Online. Fixes in supported 3.13.x and 4.x remove the unsafe endpoint and enforce proper authorization; guidance includes immediate upgrades, rotation of exposed OAuth secrets, restricting management interfaces from untrusted networks, and isolating tenants into separate virtual hosts until patched.

State‑Linked Operations and Policy Response

The EU and UK unveiled a coordinated sanctions package against individuals and entities tied to Russian state‑linked cyber operations, publicly attributing activity to units including the FSB’s 16th Centre and citing a mix of espionage and disruptive incidents, BleepingComputer reports. Officials highlighted the role of criminal groups, hacktivists, and private firms in enabling operations, and framed the action as part of broader efforts to protect critical infrastructure and democratic processes.

Concurrently, a joint advisory from US and allied agencies warned of sustained activity by FSB Centre 16 scanning for routers with default or weak SNMP settings and exploiting long‑standing Cisco Smart Install flaws (notably CVE‑2018‑0171) to exfiltrate configurations via TFTP, with elevated risk to energy, communications, healthcare, financial services, defense, and government sectors, according to BleepingComputer. Recommended mitigations include migrating to SNMPv3, disabling Smart Install, enforcing strong unique passwords, blocking TFTP/SNMP at edge firewalls, applying updates, and replacing end‑of‑life devices.

Regional cyberespionage also continued: SentinelLabs reported China‑ and India‑linked campaigns targeting Pakistani law enforcement systems from 2024 through 2026, compromising biometric, case file, payroll, tenant registration, and complaint management systems, summarized by Infosecurity. Tools and implants included PlugX, ShadowPad, Cobalt Strike, and AsyncRAT, with variants masquerading as legitimate components and showing Chinese‑language artifacts. The incidents illustrate the concentrated intelligence value—and risk—of centralized police information systems.

AWS Platforms Expand AI and Database Capabilities

Amazon Bedrock added OpenAI’s GPT‑5.6 family—Sol, Terra, and Luna—to its next‑generation inference engine, making the models generally available via the Responses API on the bedrock‑mantle endpoint, per an AWS Bedrock update. Sol is positioned as the flagship reasoning model for agentic coding and complex problem solving; Terra targets balanced performance at roughly half the cost of GPT‑5.5; and Luna focuses on fast, cost‑efficient inference. The release emphasizes intelligence‑per‑token, introduces prompt caching with cache breakpoints to discount repeated context by about 90%, and notes pricing alignment with first‑party rates and contribution toward AWS commitments. Regional availability lists Sol in US East (N. Virginia and Ohio), with Terra and Luna also in US West (Oregon). In parallel, Amazon DocumentDB (with MongoDB compatibility) 8.0.1 adds 46 aggregation operators and cursor methods—spanning accumulators, trigonometry, bitwise, arithmetic, utility, timestamp helpers, and stages/cursor capabilities—to ease migrations and increase parity, available now in all DocumentDB regions, per the Amazon DocumentDB announcement.

Model access expanded on Amazon SageMaker JumpStart as well. Google DeepMind’s multimodal, instruction‑tuned gemma‑4‑E2B‑it is available for rapid deployment via Studio or the SDK, offering text, image, and audio inputs; built‑in reasoning mode; object detection; document parsing; UI/screen and chart understanding; OCR; video understanding; native function calling for agentic workflows; and code generation/correction, as noted in the SageMaker JumpStart update. AWS also added Qwen3 models tailored for retrieval: Qwen3‑VL‑Embedding‑2B for multimodal embeddings across over 30 languages and Qwen3‑Reranker‑4B for cross‑language relevance scoring across more than 100 languages, designed for a two‑stage recall‑then‑re‑rank pipeline, per the AWS JumpStart notice. Availability through JumpStart enables quick experimentation and production deployment on existing AWS infrastructure.

Identity Hardening, Active Exploits, and AWS AI Updates · CISO Brief