CyberNews: 01/07/2026 Edition
Today’s roundup
Summary
The U.S. CISA has issued a warning that the BlueHammer flaw (CVE-2026-33825), a local privilege escalation vulnerability in Microsoft Defender, is now actively exploited in ransomware attacks. This flaw grants attackers SYSTEM-level access, allowing them to disable security tools and deploy further malware. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on April 22 and updated it to reflect ransomware use, following observations of exploitation since April 10, 2026.
CISA has added a critical authentication bypass vulnerability, CVE-2026-48558 (CVSS 10.0), in the SimpleHelp remote support and access platform to its Known Exploited Vulnerabilities catalog. The flaw affects SimpleHelp versions 5.5.15 and earlier, and 6.0 pre-release, when OIDC authentication is enabled, allowing unauthenticated attackers to forge tokens, gain technician sessions, and bypass multi-factor authentication. Exploitation has been observed in the wild by BlackPoint researchers, who reported malware delivery, including TaskWeaver and Djinn Stealer.
Aflac Japan disclosed a data breach impacting 4.38 million customers and agents. Hackers accessed systems between June 15 and June 25, 2026, compromising policy and coverage details, personal information, and bank account data from its customer-only website, "Aflac Yoriso Net." The company has contained the breach, confirmed no impact on U.S. operations, and is notifying affected individuals and relevant authorities.
New research by Adversa AI has unveiled "GuardFall," a universal shell injection vulnerability affecting 10 out of 11 popular open-source AI coding and computer-use agents, including Hermes, opencode, and Open Interpreter. The flaw exploits a fundamental mismatch between how AI agents filter command strings and how Bash executes them, allowing attackers to bypass security guards and gain full account authority. Only the "Continue" agent demonstrated robust defenses.
Researchers at QiAnXin's XLab are tracking RustDuck, an evolving DDoS botnet that is migrating its codebase from C to Rust. Active since February 2026, RustDuck hijacks routers, IP cameras, Android boxes, and poorly secured servers by exploiting weak credentials and known IoT vulnerabilities, including CVE-2025-29635 and CVE-2017-17215. The botnet employs sophisticated encryption, multi-stage infection, and anti-analysis techniques, making it challenging to detect and analyze.
French and Ukrainian police, in coordination with Europol (Operation Ratatouille), arrested the alleged administrator of XSS.is, a prominent Russian-language cybercrime forum, on July 22, 2025. The forum, which had over 50,000 members and facilitated the trade of malware, exploits, and initial access, provided an escrow service crucial to the underground economy. While the takedown inflicted a loss of trust, similar markets continue to operate, with initial access broker activity shifting to other platforms.
Threat actors are actively exploiting a critical unauthenticated remote code execution (RCE) vulnerability, CVE-2026-33017 (CVSS 9.3), in Langflow. Attackers are scanning and targeting exposed artificial intelligence (AI) application endpoints to deploy Monero cryptocurrency miners. This activity highlights the risks associated with misconfigured or unpatched AI development platforms.
A China-linked threat group has compromised at least 10 organizations in Southeast Asia, including two state-owned entities. The campaign involves the deployment of a new backdoor and targets critical systems, indicating a sophisticated and persistent threat actor focused on espionage or disruption within the region.
Palo Alto Networks' Unit 42 has identified a new attack technique called "phantom squatting." Attackers are registering web domains that large language models (LLMs) hallucinate as real, then hosting phishing pages on these made-up domains. This allows them to capture traffic directed by AI tools, posing a novel threat for phishing and malware delivery.
Cybersecurity researchers have reported a massive, ongoing automated password spray attack targeting Microsoft's Azure command-line interface (CLI). Between June 12 and June 26, the campaign, originating from an IPv6 address range controlled by LSHIY LLC, resulted in the compromise of at least 78 Microsoft accounts out of over 81 million attempts.
Want to dig deeper?
Vulnerabilities
| CVE-2026-33825 | High |
| CVE-2026-48558 | Critical |
| CVE-2025-29635 | High |
| CVE-2017-17215 | High |
| CVE-2026-33017 | Critical |