This website uses cookies

Read our Privacy policy and Terms of use for more information.

🚨 Top Signals

JADEPUFFER used an AI agent to automate a destructive intrusion

Sysdig documented JADEPUFFER, an operation in which an AI agent exploited an exposed Langflow instance, stole credentials, moved laterally, established persistence, escalated privileges, and carried out destructive database extortion. The agent adapted to failed commands and retried with corrected parameters in real time. Sysdig

💡 Key Takeaway: Treat internet-facing AI development platforms as privileged infrastructure. Enumerate exposed Langflow instances, remove embedded credentials, isolate them from production networks, and alert on agent-driven command execution and rapid retry behavior.

Google disrupted NetNut, a residential proxy network controlling at least two million devices

Google, the FBI, Lumen, and other partners disrupted NetNut, also known as Popa, a malicious residential proxy network built from compromised smart TVs, streaming devices, and Android systems. Google observed 316 distinct threat clusters using suspected NetNut exit nodes during a single week in June. Google GTIG

💡 Key Takeaway: Do not treat residential IP space as inherently low risk. Baseline authentication from consumer ISP ranges, detect password spraying distributed across many IPs, and correlate identity behavior rather than relying on source-IP reputation alone.

ARToken shows how Microsoft 365 token theft is becoming a managed service

Cisco Talos analyzed ARToken, a phishing-as-a-service panel linked to EvilTokens that exposes more than 80 API endpoints. The platform supports device-code phishing, Primary Refresh Token persistence, Outlook access, SharePoint and OneDrive exfiltration, Cloudflare-based infrastructure, and automated business-email-compromise workflows. Cisco Talos

💡 Key Takeaway: Audit device-code authentication, alert on unexpected Primary Refresh Token issuance, and require administrators to investigate token persistence even when MFA was technically completed.

🛡️ Exploited & High-Priority Vulnerabilities

Microsoft SharePoint Server CVE-2026-45659 is actively exploited

CISA added CVE-2026-45659 to the Known Exploited Vulnerabilities catalog after confirming exploitation. The vulnerability affects supported on-premises SharePoint Server versions and can allow remote code execution through unsafe deserialization. BleepingComputer

💡 Key Takeaway: Patch on-premises SharePoint immediately, inventory internet-facing farms, preserve IIS and SharePoint logs, and hunt for unexpected web-shell files, child processes, or configuration changes before declaring remediation complete.

Citrix NetScaler CVE-2026-8451 drew exploitation attempts within 24 hours

Citrix disclosed CVE-2026-8451, a pre-authentication memory-overread vulnerability affecting NetScaler ADC and Gateway systems configured as SAML identity providers. Researchers published technical analysis on June 30, and exploitation attempts were observed within a day. Citrix · watchTowr

💡 Key Takeaway: Identify whether NetScaler is operating as a SAML IdP, apply the fixed build, terminate active sessions where appropriate, and inspect authentication and appliance logs for requests consistent with memory-disclosure probing.

Oracle E-Business Suite CVE-2026-46817 is under active attack

Security researchers found more than 900 Oracle E-Business Suite instances exposed online while attackers targeted CVE-2026-46817. The critical Oracle Payments vulnerability can allow an unauthenticated attacker with HTTP access to compromise vulnerable deployments. BleepingComputer

💡 Key Takeaway: Patch Oracle EBS Payments, restrict external HTTP access, enumerate public-facing instances, and review web, application, and database activity for unusual file-transfer or payment-processing behavior.

📈 Defender Trend

Automation is collapsing the time defenders have to recognize intent

JADEPUFFER adapted to failed commands in seconds. ARToken gives affiliates a ready-made Microsoft 365 token-theft and persistence workflow. NetNut let hundreds of threat clusters spread activity across millions of residential devices. Meanwhile, Citrix NetScaler exploitation appeared within a day of public technical disclosure, while Microsoft SharePoint and Oracle E-Business Suite were already being targeted despite available fixes.

The common pattern is not simply “attackers are using AI.” It is that automation now helps attackers distribute infrastructure, retry failed actions, maintain tokens, and move from disclosure to exploitation before many organizations finish assigning ownership.

💡 Key Takeaway: Measure response time from advisory publication to confirmed ownership, exposure determination, mitigation, and hunt completion. Patch SLAs alone hide the delays that attackers are exploiting.

⚡ Other Signals

Multiple major Japanese companies disclosed unrelated cyber incidents — Aflac, Sapporo, Nidec, and KDDI reported breaches or operational impacts affecting customer data and internal systems. The Record

💡 Key Takeaway: Track incident concentration by geography and supply chain, even when attribution does not connect the events.

Google patched 382 Chrome vulnerabilities in one release — Chrome 151 included fixes for 15 critical and 67 high-severity vulnerabilities. SecurityWeek

💡 Key Takeaway: Confirm browser relaunch and version compliance; automatic update enabled is not evidence that critical browser fixes are active.

Adobe patched seven maximum-severity flaws across ColdFusion and Campaign — The release included critical issues in enterprise platforms that often sit behind public-facing applications and marketing infrastructure. BleepingComputer

💡 Key Takeaway: Scope ColdFusion and Campaign ownership separately from desktop Adobe products and verify that server teams received the advisory.

ARToken’s use of Primary Refresh Tokens expands the identity hunt — Device-code phishing can survive password changes and completed MFA when attackers establish persistent token access. Cisco Talos

💡 Key Takeaway: Include token revocation, registered-device review, mailbox rules, OAuth consent, and PRT investigation in Microsoft 365 phishing response.

⚔️ This Week’s Defensive Check

Measure your exploit-response clock

Action: Baseline the time required to move from a public vulnerability alert to verified remediation and completed threat hunting.

Who runs it: Vulnerability management coordinates; asset owners confirm exposure and remediation; the SOC performs hunting; security leadership resolves overdue ownership or business exceptions.

Check these specifically:

  • Time from advisory publication to ticket creation
  • Time to identify the accountable owner and exposed assets
  • Time to apply a patch or compensating control
  • Time to collect and review relevant logs and indicators
  • Time to document evidence, exceptions, and the next validation date

Use Microsoft SharePoint, Citrix NetScaler, and Oracle E-Business Suite as this week’s test cases.

Evidence you’re done: A report showing each affected product, owner, exposure status, ticket time, mitigation time, hunt completion time, supporting evidence, and unresolved exception.

💡 Key Takeaway: The objective is not merely to prove that a patch was deployed. It is to reveal how long the organization remains uncertain about ownership, exposure, and prior compromise.

🧠 Final Word

Attack automation is becoming operational rather than experimental. The important defender question is no longer whether attackers can use AI, token platforms, or proxy networks at scale; it is whether your organization can identify exposure and act before that scale reaches you.

Keep Reading