FEHBlog

From the Project Glasswing front,

• Politico reports on June 18,
  • “The White House and Anthropic are working on a framework that would assess the severity of security flaws in new AI models and guide potential government intervention, according to a senior White House official and an administration official familiar with the matter granted anonymity to discuss it.
  • “The effort comes after the White House imposed export controls on Anthropic, which forced the company to suspend access for all users to Fable 5 and Mythos 5, its latest powerful AI models over a perceived security flaw, known in the industry as a jailbreak.
  • Administration officials and Anthropic CEO Dario Amodei disagreed over the severity of the jailbreak, POLITICO previously reported, but the technology has outpaced the government infrastructure to define and assess such disputes.
  • “The attempt to create a standardized method to evaluate this and future such incidents underscores how the administration is racing to establish guardrails for new and powerful models that some fear can, if left unchecked, threaten economic and national security.
  • “The negotiations between Anthropic and the administration also reflect an understanding that no AI model can be completely immune to hacking — part of Anthropic’s initial defense of its model — and that government should lay out the rules for companies to measure security risks by, a sentiment relayed by other leading AI companies and country leaders at G7 meetings earlier this week in France.”

• Bloomberg adds also on June 18,
  • “Some firms have preserved their access to a preview version of the Mythos AI model through Project Glasswing, despite a US government order.
  • “Businesses including banks and technology firms are accessing Mythos Preview to hunt for cyber vulnerabilities, with companies like Dragos Inc. and Cisco Systems Inc. confirming they have access.
  • “The US government order led to the shutdown of other versions of the Mythos AI model, but it didn’t explicitly address the Preview version, and Anthropic hasn’t directly addressed its availability.”

• Cyberscoop points out,
  • “While Washington D.C. frets over the potential impact of Anthropic’s Claude Fable 5, security researchers continue to track how the integration of frontier AI tools are transforming the digital security landscape for malicious hackers and defenders alike.
  • “The breakneck speed of model releases may be creating short, silent security gaps for developers who must choose between performance and security, according to a new report.”

• Cybersecurity Dive notes
  • “More than one-fifth of organizations running macOS networks have lost money or experienced a cyberattack because of their use of AI tools, according to a report that network management vendor Jamf released on Tuesday.
  • “Roughly six in 10 macOS-based organizations expect an AI-related incident in the near future, the survey found.
  • “The report, based on interviews with 687 IT and security leaders managing MacOS network environments, also describes system administrators’ AI implementation priorities, the largest areas of risk they face and Jamf’s recommendations for mitigating those risks.”

From the cybersecurity policy and law enforcement front,

• Cybersecurity Dive reports,
  • “U.S. cybersecurity resilience in the face of sophisticated threats from China and other adversaries will increasingly depend on critical infrastructure’s ability to weather major disruptions, a top U.S. cyber official said Wednesday.
  • “Each and every one of us is operating right now on the front lines of a war that is never going to be cleared,” Nick Andersen, the acting director of the Cybersecurity and Infrastructure Security Agency (CISA), said at ICS Village and the Institute for Security and Technology’s Critical Effect conference.
  • “We are going to see an adversarial disruption of our critical infrastructure,” Andersen said. “It’s going to have significant not just technical impact, it’s going to have a significant psychological impact on the safety of the American people. … We need to start operating like that’s the reality of where we’re at — that we’re not going to be able to keep everything persistently online and available as much as we would like.”
  • “CISA’s emphasis on resilience marks a shift from earlier government cybersecurity doctrines that focused on preventing intrusions. In recent years, advanced nation-state hacking campaigns — especially Beijing’s Volt Typhoon espionage operation — have increasingly convinced government and industry strategists that their primary goal should be ensuring that infrastructure can continue operating during an attack.”

• Federal News Network adds,
  • “A new White House memo aims to strengthen the cybersecurity of sensitive government systems by centralizing oversight of those systems, while also setting aggressive deadlines for updating incident response procedures and other policies.
  • “In a national security presidential memorandum signed out Friday, President Donald Trump re-establishes and updates the Committee on National Security Systems (CNSS), a decades-old interagency body that sets security policies for military and intelligence systems, as well as systems that process classified information. It charges the committee with leading a policy aimed at fostering “a proactive, adaptive, and resilient cybersecurity ecosystem for all NSS to better safeguard the nation against persistent cyber threats from sophisticated adversaries.”
  • “The memo gives the committee the power to establish “baseline cybersecurity requirements” for all national security systems. It formalizes the director of the National Security Agency’s role as the “national manager” for national security systems. That role involves identifying emerging threats and providing minimum security protections, including through emergency directives.
  • “The memo includes the federal chief information officer on the reconstituted CNSS body, along with the deputy national manager at the NSA and the CIOs at the Defense Department and the intelligence community, respectively.
  • “It also mandates that national security systems should meet or exceed the level of cybersecurity standards issued by the National Institute of Standards and Technology.”
    
• Cyberscoop relates,
  • “Authorities on Thursday [June 18] disrupted a botnet, a malware framework and seized infrastructure that Evil Corp and other cybercrime groups used to steal data and break into various networks.
  • “The globally coordinated effort targeted SocGholish, multi-stage malware that has compromised websites, redirected users to traffic distribution systems (TDS) and slipped malware into their networks since 2017.
  • “The malware establishes an initial foothold into victim computers, collectively known as a botnet, and is then used by threat actors for further targeting with ransomware campaigns and espionage,” the FBI’s cyber division said in a statement. 
  • “Cybersecurity firms, researchers and officials from the United States, Canada, Germany, the Netherlands and Europol took down 106 servers and remediated nearly 15,000 sites that were infected with the malware. Officials also disabled the botnet and notified victims.
  • “Sites infected with SocGholish, which are primarily hosted on WordPress, were widespread and provided everyday services including restaurants and auto repair shops, according to the Dutch National Police. 
  • “The botnet, also known as “FakeUpdates,” is linked to the Russian cybercrime group Evil Corp. It also provided initial access to other ransomware variants, including DoppelPaymer, WastedLoocker, Hades Ransomware, LockBit, RansomHub and others, according to Infoblox, which participated in the takedown.” 

• Per an HHS news release,
  • “The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) today announced a settlement with Spencer Gifts LLC Flexible Benefits and Welfare Benefit Plans (the Plan), the employer-sponsored group health plan of Spencer Gifts LLC, a national retail company, over potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.” * * *
  • “The settlement resolves an investigation that OCR initiated after the Plan filed a breach report on January 24, 2022. The Plan had received employee complaints that employees were unable to connect to the virtual private network. The Plan discovered that in November 2021, an unauthorized actor accessed the company’s network and deployed ransomware, encrypting data on the company’s systems, including servers storing the Plan’s PHI, and demanding a ransom. The PHI of 10,023 individuals was potentially affected by the breach, including health plan members’ names, addresses, zip codes, phone numbers, email addresses, and Social Security numbers.” * * *
  • “The resolution agreement and corrective action plan can be found at: https://www.hhs.gov/sites/default/files/ocr-ra-cap-spencer.pdf [PDF, 654 KB].”

• Security Week tells us,
  • “A Ukrainian national pleaded guilty in a US court to his role in the notorious Conti ransomware group, the Department of Justice announced.
  • “The man, Oleksii Oleksiyovych Lytvynenko, 44, of Cork, Ireland, was arrested in Ireland in 2023 and was extradited to the US in October 2025 to face Conti-related charges.
  • “Lytvynenko admitted in court to joining the Conti operation in September 2021 and working on the development of a malware loader for the group. He also admitted to possessing data from 12 victims, including eight in the US.
  • “Authorities in the US believe that the Ukrainian national continued to engage in cybercriminal activities after the Conti operation shut down.
  • “Lytvynenko pleaded guilty to wire fraud conspiracy and faces up to 20 years in prison. He is scheduled for sentencing on September 10, 2026.
  • “One of the most prolific ransomware groups half a decade ago, Conti was used in attacks against over 1,000 organizations in the US and abroad between 2020 and 2022.”

From the cybersecurity breaches and vulnerabilities front,

• Tech Target identifies the largest healthcare data breaches so far reported to HHS OCR this year.

• Dark Reading reports,
  • “A recent — and likely massive — breach at Novo Nordisk, where attackers reportedly gained an initial foothold using a single GitHub access token, underscores how code repositories and developer environments have become ground zero for attackers seeking intellectual property, credentials, and software supply chain assets.
  • “Novo Nordisk, the Danish pharmaceutical giant behind blockbuster drugs Ozempic and Wegovy, disclosed the breach June 11 after detecting unauthorized access to what it claimed were a “limited number of its internal IT systems.” 

• Bleeping Computer relates on June 19,
  • “The Texas Parks and Wildlife Department (TPWD) disclosed a data breach at its license system vendor that exposed personal information for more than three million individuals.
  • “The Texas Cyber Command discovered the intrusion and launched an investigation to determine the extent and impact of the unauthorized access. The state authority found that Social Security Numbers (SSNs), dates of birth, or any financial information, such as credit cards, have not been impacted.
  • “However, the threat actor may have obtained personally identifiable information that includes the data types [identified in the article] associated with 3,087,721 Texas hunting and fishing license customers,
• and
  • “The U.S. Cybersecurity and Infrastructure Security Agency (CISA) urged Fortinet customers to secure their devices after nearly 74,000 firewall and VPN credentials were exposed in a data leak dubbed “FortiBleed.”
  • “This warning comes after threat actors used compromised credentials to target internet-accessible Fortinet devices across government and private-sector organizations worldwide.
  • “CISA is aware of global reports that malicious cyber actors have targeted internet-accessible Fortinet devices across government and private sector organizations using compromised credentials,” it said.
  • “This activity, referred to as FortiBleed, involves the exposure of leaked credentials associated with approximately 74,000 Fortinet devices, including firewalls and virtual private network (VPN) gateways.”
  • ‘The agency called on affected FortiGate appliance owners to terminate all SSL VPN and administrative sessions, reset all VPN and administrative passwords, enable phishing-resistant multifactor authentication, and review logs for signs of unauthorized access or lateral movement.
  • “CISA also advised Fortinet customers to store admin credentials using the modern Password-Based Key Derivation Function 2 (PBKDF2) hashing algorithm, and to restrict firewall management interfaces from public internet access and remove any unauthorized accounts to reduce the attack surface as much as possible.”

• CISA added four known exploited vulnerabilities to its catalog this week.
  • June 15, 2026
    • CVE-2026-20262 Cisco Catalyst SD-WAN Manager Directory or Path Traversal Vulnerability
    • CVE-2026-54420 LiteSpeed cPanel Plugin UNIX Symbolic Link (Symlink) Following Vulnerability
      • Security Affairs discusses these KVE here.
  • June 16, 2026
    • CVE-2026-48907 Widget Factory Joomla Content Editor Improper Access Control Vulnerability
      • Bleeping Computer discusses this “patch by Sunday June 21” KVE here.
  • June 18, 2026
    • CVE-2026-20253 Splunk Enterprise Missing Authentication for Critical Function Vulnerability
      • Bleeping Computer discusses this “patch by Sunday June 21” KVE here.

• Security Week informs us,
  • Microsoft on Wednesday published an advisory acknowledging the public disclosure of a vulnerability in Defender that could lead to privilege escalation.
  • The security defect, now tracked as CVE-2026-50656 (CVSS score of 7.8), was dropped last week by security researcher Nightmare Eclipse (also known as Chaotic Eclipse).
  • “Microsoft is aware of an elevation of privilege in the Microsoft Malware Protection Engine in Microsoft Defender publicly referred to as ‘RoguePlanet’,” the tech giant’s advisory reads.
  • “We are working to provide a high-quality security update that addresses this vulnerability. We will provide information in this CVE when the update is available,” Microsoft adds.
  • RoguePlanet, Nightmare Eclipse explained last week, targets a race condition in Microsoft Defender and allows attackers to gain System privileges.
  • The researcher released a proof-of-concept (PoC) exploit that demonstrates local privilege escalation (LPE) on Windows 11 and Windows 10 systems with the June 2026 patches installed.
• and
  • “Cybersecurity firms Huntress and Recorded Future have disclosed the impact of a supply chain attack that hit market intelligence platform Klue.
  • “The attack started on June 11 and affected systems associated with software platform integrations. The hackers connected to Klue’s backend servers and executed unauthorized commands, pushing a code update to harvest OAuth tokens for customers’ Klue integrations.
  • “Klue notified customers of the incident on June 12, warning that it had deactivated OAuth tokens for all customers and disabled integrations with Salesforce, HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive, and Slack.
  • According to ReliaQuest, the hackers abused the Salesforce REST API to exfiltrate large volumes of customer relationship management (CRM) data over a 24-hour window, “including a concentrated burst of nearly a thousand queries in 15 minutes and sustained extraction windows lasting over 6 hours”. * * *
  • “On Thursday [June 18], both Huntress and Recorded Future confirmed that they were among the companies affected by the supply chain attack.”

• The Wall Street Journal reports,
  • “Millions of digital home devices in the U.S. have pre-installed backdoor software, creating residential proxy networks used by nation-state hackers to mask cyberattacks.
  • “Government agencies from nine countries warned that Chinese state-sponsored hackers use these networks to conduct operations, making attribution challenging.
  • “Midnight Blizzard, a Russian hacking group that broke into Microsoft, used residential proxy networks to steal Microsoft 365 credentials by logging in from U.S. home networks.” * * *
  • “This is a bigger problem because of the sheer numbers,” said Noopur Davis, Comcast’s head of information security. It is one of the most worrying problems the telecommunications company has seen, she said.
  • “[This story explains how to protect yourself from a sneaky back door that can let hackers into your home.]”

From the ransomware front,

• Industrial Cyber reports,
  • “CYFIRMA reported that healthcare organizations are facing an increasingly hostile cyber threat environment, with ransomware emerging as the sector’s most significant risk. Over the past 90 days, healthcare accounted for 216 verified ransomware victims, representing 9.05% of ransomware victims globally and ranking the sector third among 14 industries. The report found that ransomware attacks against healthcare increased 8.5% quarter over quarter, with April alone recording 90 victims, well above the sector’s previous six-month average. 
  • “In a new report, CYFIRMA identified healthcare victims in 42 countries, up from 33 in the prior period, while 50 of 81 active ransomware gangs targeted healthcare organizations, highlighting broad criminal interest in hospitals, pharmaceutical firms, and specialized medicine providers. The report also warned that nation-state activity and supply chain risks are compounding the threat landscape. Healthcare organizations appeared in 10 of 33 observed advanced persistent threat (APT) campaigns, up from three of 19 campaigns in the previous reporting period. North Korea-linked Lazarus Group led observed activity, while Russia-, China-, and Iran-linked actors also targeted the sector. 
  • “The researchers further noted that web applications, operating systems, web portals, and access management platforms remain key targets as attackers pursue credential theft and patient data. The company further identified supply chain concentration as a defining structural risk, warning that breaches involving specialized healthcare IT providers can cascade across multiple hospitals and healthcare networks simultaneously, amplifying operational disruption and cyber exposure.” 

• Security Week relates,
  • “Commercial printing and imaging technologies company Kodak has confirmed suffering a data breach after the ShinyHunters cybercrime group claimed to have stolen information from its systems. 
  • “Kodak was named on the ShinyHunters website on June 15, with the hackers claiming to have obtained more than 2.2 million records of customer personal information and other corporate data. 
  • “The hackers threatened to leak the stolen data on June 18 unless the company pays a ransom.
  • Contacted by SecurityWeek, Kodak said it’s conducting an investigation with the aid of external cybersecurity experts and promised to share additional information “as appropriate”.
  • “Kodak recently discovered that an unauthorized third party illegally gained access to a limited amount of company data,” said a spokesperson for Kodak.
  • “Although our investigation is ongoing, we are confident the incident was limited in scope and has been contained and that there is no threat to our systems or operations as a result of the incident,” the spokesperson added. “We have also notified law enforcement and are continuing to support their investigation.”

• Dark Reading tells us,
  • “INC is a ransomware group that has excelled in the ransomware-as-a-service (RaaS) space through doing the basics effectively — alongside a bit of good timing.
  • “Researchers with security vendor Acronis today published a blog post covering RaaS gang INC, a group that emerged in 2023 and has claimed more than 800 victims to date. INC is a ransomware actor that greatly benefited from the shutdown of ALPHV/BlackCat and the disruption of LockBit; this is an attribute shared with other ascendant gangs, such as The Gentlemen.”
  • “And according to the Acronis Threat Research Unit (TRU), the group is one of the most active of its kind right now. On the surface, INC doesn’t stand out so much. It’s a double extortion ransomware actor (meaning it uses encryptionand data leaking to get victims to pay up), drawing victims from manufacturing, legal services, healthcare, technology, construction, and educational sectors, among others. The group appears to have a certain preference for organizations with especially sensitive data to add extra extortion pressure.” 
     
• Bleeping Computer adds,
  • “The Gentlemen ransomware-as-a-service (RaaS) is actively developing and maintaining a suite of endpoint detection and response (EDR) killers to help affiliates evade detection in attacks.
  • “The gang employs a collection of EDR-killing tools, most notably a utility that researchers dubbed GentleKiller. The tool has at least eight variants and impersonates various legitimate security products, including Kaspersky, Valorant, Javelin, and WatchDog.
  • “The gang is using a suite of EDR killers, the most frequently used being a custom tool that researchers named GentleKiller, which has at least eight variants impersonating various legitimate products.
  • The Gentlemen ransomware-as-a-service (RaaS) is actively developing and maintaining a suite of endpoint detection and response (EDR) killers to help affiliates evade detection in attacks.
  • “An EDR killer is typically used to disable defenses in the early phases of an attack, and in ransomware incidents, they ensure that data theft or encryption processes run unencumbered.
  • “These tools work by leveraging the ‘bring your own vulnerable driver’ (BYOVD) technique to elevate privileges and disable security engines.”
• and
  • “DragonForce ransomware used a custom malware named ‘Backdoor.Turn’ to hide command-and-control traffic inside Microsoft Teams relay infrastructure.
  • “The backdoor abuses the Traversal Using Relays around NAT (TURN) protocol used by Microsoft Teams to distribute messages when a direct connection to the client is unavailable (e.g., clients on a private network).
  • “DragonForce is a ransomware operation active since at least 2023, that adopted a cartel-style organizational structure and has been linked to the infamous Scattered Spider threat group.

From the cybersecurity business and defenses front,

• Cyberscoop reports,
  • “Accenture announced Thursday it would acquire a majority stake in industrial cybersecurity firm Dragos for $3.25 billion and purchase two smaller security companies outright, essentially making a $4.18 billion bet that defending the IT networks of power grids, pipelines, factories and critical infrastructure sectors will become one of the defining challenges of the AI era.
  • “The deals — which also include two Austin, Texas-based companies, runZero and NetRise —  represent a significant strategic pivot for Accenture toward operational technology (OT) security,  a segment of the cybersecurity market that has long been underfunded relative to traditional IT defenses. The announcement comes as the consulting giant faces pressure on its core business from the same AI tools reshaping the threat environment it is now moving to address.”

• HIPAA Journal adds,
  • “Compliancy Group has acquired Healthicity in a deal that combines two healthcare compliance software companies and expands Compliancy Group’s platform to include healthcare compliance, workforce compliance, risk assessment, third-party risk management, incident management, provider auditing, coding auditing, and documentation auditing.
  • “The acquisition was announced on June 17, 2026. Financial terms of the transaction were not disclosed. Compliancy Group said the combined organization will serve more than 3,000 healthcare organizations across the United States and selected global markets.”

• Dark Reading advises,
  • “Get Out of Security Debt by Tackling the Exposure Problem.
    • “Teams digging out of security debt need to answer only two simple questions: Which vulnerabilities in our systems are exposed, and how long should they stay that way?”

• Tech Target adds,
  • “It’s time to update incident response for the AI era”
  • “Your latest cybersecurity incident might not be a threat actor, but an internal AI agent doing what it’s authorized to do. Incident response must evolve to accommodate AI.”

• ZDNet offers
  • “10 signs that someone is monitoring or accessing your accounts – how to stop them
    • “Learn how to spot the signs of account monitoring and compromise – and take back control.”
• and
  • “5 steps to ensure HIPAA compliance on mobile devices
    • “HIPAA compliance on mobile devices depends on governing access to PHI across both managed and personal endpoints. Here are five steps to achieving compliance in clinical settings.”

• Security Week lets us know about
  • “AI and Cybersecurity – Everything You Wanted to Know, But Were Afraid to Ask
    • “From defending networks to enabling attacks, artificial intelligence is changing every aspect of cybersecurity. Here’s what dozens of experts say security leaders need to understand now.”

• Here’s a link to Dark Readings’s CISO Corner.

From the Project Glasswing front,

• Tech Crunch reports,
  • “The U.S. government on Friday ordered Anthropic to immediately shut off access to two of its most powerful AI models — Claude Fable 5 and Claude Mythos 5 — citing national security concerns. Anthropic announced on X that it has complied, but it made clear it thinks the government got this one wrong.
  • “The directive, which Anthropic said it received on Friday [June 12] at 5:21 pm ET, forces the company to disable both models for all users worldwide — not just the foreign nationals the government’s export control order was nominally aimed at. Access to Anthropic’s other models isn’t affected.” * * *
  • “Fable 5, released just three days ago, was Anthropic’s answer to the obvious commercial pressure: a version of Mythos fitted with guardrails that block responses in high-risk areas like cybersecurity and biology, making it safe enough for general release, the company argued. It was immediately the most capable AI model available to the public, according to benchmark tests from Vals AI, a company that tracks AI tech performance.” * * *
  • “Anthropic is widely expected to pursue an IPO this year and has staked much of its public identity on being the safety-conscious alternative to its rivals. The irony isn’t lost on observers that the very caution Anthropic displayed in restricting Mythos — which it promoted as a model so dangerous it couldn’t be released publicly — has now apparently attracted exactly the kind of government scrutiny that could disrupt its business most.”

From the cybersecurity policy and law enforcement front,

• Federal News Network reminds us,
  • “The Cybersecurity and Infrastructure Security Agency is restarting public engagements on delayed cyber incident reporting rules that will likely cover tens of thousands of critical infrastructure organizations.
  • “The meetings come as CISA faces pressure to issue the final regulations quickly, while some lawmakers and industry groups also want the agency to amend the draft rules to be less broad and burdensome.
  • “Starting Monday, CISA will host a series of virtual town halls to get feedback on the draft regulations to implement the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). The meetings will run through Wednesday.”

• Cyberscoop reports,
  • “The Cybersecurity and Infrastructure Security Agency on Wednesday [June 10] ordered federal agencies to prioritize vulnerabilities based on four criteria, as part of push to “patch smarter, not harder.”
  • “Federal agencies should emphasize patches for vulnerabilities that affect a publicly exposed asset, allow an attacker to fully automate exploitation, give attackers the ability to take over control of a system or relate to evidence of active, real-world exploitation, CISA declared.
  • “CISA acting director Nick Andersen previewed the binding operational directive (BOD) Tuesday [June 9], framing it as a rethinking of vulnerability management more broadly.” * * *
  • “BOD 26-04 sets forth timelines for how quickly agencies must fix a vulnerability based on how many of the four criteria it meets. If it meets all four, for example, agencies need to fix it within three days and carry out a “forensic triage” to assess whether their systems were compromised. 
  • “More generally, agencies must immediately update their vulnerability management policies, including establishing a process for ongoing remediation of known, exploited vulnerabilities (KEVs) on CISA’s “must-patch” list. Within 60 days, agencies need to update their processes for remediating common vulnerabilities, and within 180 days, agencies must meet the order’s remediation timelines.
  • “The directive is motivated in part by how artificial intelligence is shifting the window from vulnerability discovery to weaponization, and CISA said it reflects priorities in an executive order on AI that President Donald Trump signed last week.”
• and
  • “The FBI, along with Google and Lumen Technologies, took down a major cybercrime network based in China that was responsible for an estimated $1.9 billion in losses, officials said Friday. 
  • “Outsider, which provided phishing kits and hosted infrastructure for cybercriminals since July 2023, facilitated a wave of phishing attacks against people and businesses in 55 countries, including the United States, the FBI said in a LinkedIn post.
  • “The jointly coordinated effort dubbed “Operation Ghost Hook” netted the seizure of several domains of the group’s core admin servers, a Shopify storefront, roughly $100,000 from Outsider payment wallets and thousands of domains registered through U.S.-based providers, officials said.
  • “The FBI said it also used an Outsider Telegram bot to access information on the cybercrime network’s customers.”
• and
  • “A longtime former member of Conti, a ransomware group that attacked more than 1,000 organizations globally before it disbanded in 2022, pleaded guilty to participating in some of those attacks in federal court Wednesday [June 10], the Justice Department said.
  • “Oleksii Oleksiyovych Lytvynenko, also known as Alexsey Alexseevich Litvinenko, admitted he joined the prolific cybercrime group in September 2021 and held data on 12 victims, including eight based in the United States. The 44-year-old told the court he developed malware that Conti used in some of its attacks, according to officials.” 

• Bleeping Computer adds,
  • “Law enforcement has dismantled the “AudiA6” cryptocurrency service allegedly used by ransomware actors and other cybercriminals to launder more than $380 million.
  • “Europol says that the service has been linked to more than 15 distinct international investigations of ransomware attacks.
  • “It is believed that the platform acted as a central money laundering hub between 2022 and 2025.”

From the cybersecurity breaches and vulnerabilities front,

• Bleeping Computer reports,
  • “Danish pharmaceutical giant Novo Nordisk, the world’s largest producer of insulin, disclosed a data breach affecting patient information from some clinical trials.
  • “Founded in 1923, Novo Nordisk now employs around 67,900 people across 80 offices worldwide and is the maker of viral GLP-1 receptor agonist drugs Wegovy and Ozempic.
  • “The company revealed on Thursday [June 11] that attackers gained access to its internal IT systems and data related to patients participating in some clinical trials, including their patient IDs (random alphanumeric strings) and information on trial participation, sex, year of birth, biomarkers, health/immunogenicity data, and lifestyle factors (e.g., smoking, alcohol use, BMI).
  • “However, Novo Nordisk said that this data was pseudonymized and that the attackers can’t use it to identify any affected patients by name.
  • “While our investigation and response are ongoing, we have discovered that certain non-public data, including personal data, was copied externally without authorisation. We are informing the impacted parties as appropriate,” the company said.”

• HIPAA Journal tells us,
  • “Episource, a provider of medical coding, risk adjustment services, and software solutions, experienced a cyberattack in early 2025, in which files containing patient data were exfiltrated from its network. In June 2025, the forensic investigation had progressed, and it was confirmed that 5.4 million individuals had been affected.
  • “The investigation has since revealed the data breach was more extensive, involving unauthorized access to the electronic protected health information of 6,725,572 individuals, according to updated figures provided to the HHS’ Office for Civil Rights. With more than 6.7 million affected individuals, the data breach currently ranks as the third-largest healthcare data breach of 2025, behind the 13.9 million-record data breach at Aflac and the 62.2 million-record data breach at Conduent Business Services, and ranks as the 16th-largest healthcare data breach of all time. The threat group behind the incident remains unknown.”

• Industrial Cyber relates,
  • “Global cyberattack activity eased in May 2026 following April’s sharp rebound, but the broader threat landscape remained volatile, according to research from Check Point Research. Organizations experienced an average of 2,055 weekly cyberattacks during the month, representing a 2% increase year-over-year despite a 7% decline from April. Education remained the most targeted sector, averaging 4,641 weekly attacks per organization, while government and telecommunications also continued to face elevated attack volumes. 
  • “The report noted notable year-over-year increases in attacks targeting agriculture, hospitality, travel, recreation, and construction sectors as digitalization expands across these industries. The most significant trend was a sharp rise in ransomware activity. Check Point recorded 698 ransomware attacks globally in May, a 48% increase compared to the same month last year and the highest year-over-year growth rate recorded in 2026. Business services accounted for 35% of all ransomware victims, while consumer goods and industrial manufacturing also experienced substantial increases. 
  • “The report found that ransomware activity has become increasingly fragmented, with 61 active groups operating during the month. Qilin emerged as the most active ransomware group, responsible for 14% of published attacks, followed by The Gentlemen and DragonForce.”

• Dark Reading adds,
  • “Phishing attacks are down across most industries, yet researchers argue the phishing threat is higher today than ever, as the fewer attacks that are perpetrated are becoming more dangerous.
  • “In its 2026 annual phishing report, Zscaler researchers framed the trend not as a drop but as a “rebalancing” — threat actors moving from wide spray-and-pray campaigns to more focused attacks with higher conversion rates.”

• CISA added seven known exploited vulnerabilities to its catalog this week.
  • June 8, 2026
    • CVE-2026-42271 BerriAI LiteLLM Command Injection Vulnerability
    • CVE-2026-50751 Check Point Security Gateway Improper Authentication Vulnerability
      • Infosec discusses the BerriAI KVE here.
      • Cybersecurity Dive discusses the Check Point KVE here.
  • June 9, 2026
    • CVE-2026-7473 Arista Extensible Operating System Incomplete Comparison with Missing Factors Vulnerability
    • CVE-2026-11645 Google Chromium V8 Out-of-Bounds Read and Write Vulnerability
    • CVE-2026-20245 Cisco Catalyst SD-WAN Manager Improper Encoding or Escaping of Output Vulnerability
      • Scorifya discusses the Arista KVE here.
      • Cybersecurity News discusses the Google KVE here.
      • Cybersecurity Dive discusses the Cisco KVE here.
  • June 11, 2026
    • CVE-2026-10520. Ivanti Sentry OS Command Injection Vulnerability
      • Dark Reading discusses this KVE here.
  • June 12, 2026
    • CVE-2026-35273 Oracle PeopleSoft Enterprise PeopleTools Missing Authentication for Critical Function Vulnerability
      • Cybersscoop discusses this KVE here.

• Info Security Magazine informs us,
  • “Cybersecurity software regularly fails to detect and prevent the cyber-attacks they are designed to protect organizations from, especially within the bowser layer, research by Menlo Security has warned.
  • “Published on June 9, Menlo Security’s 2026 Browser Threat Report found that one in five phishing attacks which target the enterprise browser users go completely undetected by the tools which are supposed to protect the network and its users from attacks.
  • “Based on platform telemetry across millions of active browser sessions in enterprise customer environments between January 1 and March 31 2026, the research warned that threat actors are gaining entry to enterprise environments through the browser session layer.
  • “The problem, the paper said, is that attacks via the browser target areas which many traditional enterprise cybersecurity products are not designed to identify or prevent suspicious activity in.

• Cybersecurity Dive points out,
  • “Financial services organizations are widely using AI agents for common business operations, but many of them aren’t sure whether their AI tools have opened the door for hackers, according to a new report.
  • “Sixty-two percent of financial services firms have deployed AI agents, and 93% of those firms have given them some level of autonomy, the Cloud Security Alliance (CSA) said in its Tuesday report.
  • “The report’s authors said the main conclusion from their survey, which consisted of interviews with 340 global IT and security professionals between Jan. 15 and March 1, is that “financial institutions have deployed AI faster than they have secured it.”

• Per Security Week,
  • “Palo Alto Networks drew attention to a high-severity security flaw in the Cortex XSOAR and Cortex XSIAM platforms that could allow attackers to access and modify restricted resources.
  • “Tracked as CVE-2026-0274, the issue is described as the improper validation of credentials in the CommvaultSecurityIQ integration of the affected products and does not require a special configuration to be triggered.
  • “The company also rolled out patches for eight medium and low-severity security defects in PAN-OS, Prisma Access Agent, Cortex XSOAR, and GlobalProtect App.
  • “Palo Alto Networks says it is not aware of any of these vulnerabilities being exploited in the wild.
  • “On Wednesday [June 10], Splunk published a dozen advisories detailing security weaknesses in its products and third-party libraries they use.”

From the ransomware front,

• Health Exec reports,
  • “A health system in Mississippi has revealed a December 2025 data breach of its network resulted in records on 53,888 patients being stolen by hackers. Meanwhile an infamous cybercrime cell has claimed credit for the attack, posting proof on the dark web.
  • “Last month Singing River Health System reported official numbers from the incident to the U.S. Department of Health and Human Services’ Office for Civil Rights, which operates a data breach tracker. This came after an investigation into what it called a “cybersecurity incident” that staff at Singing River discovered a few days after cybercriminals were already inside its network.
  • “According to the health system, which said it worked with a third-party cybersecurity firm on its investigation, its network was compromised from Dec. 19 to 21, 2025, before the unauthorized access was discovered and containment protocols were deployed.” * * *
  • “Researchers at Comparitech released a report last week showing that Anubis—a cybercrime syndicate known for its ransomware attacks against healthcare entities—had claimed credit for the data breach in a post on its own dark web leak site.
  • “The group claims to have 293 GB of data from Singing River, much of it containing sensitive patient information. It posted samples to prove it had the goods, including what Comparitech described as “intimate images of surgeries and injuries.”

• The Hacker News relates,
  • “A new analysis of The Gentlemen operation has revealed that the financially motivated threat group initially operated as an affiliate responsible for conducting double extortion attacks, while leveraging resources from various ransomware-as-a-service (RaaS) schemes like LockBit (aka Tenacious Mantis), Qilin (aka Pestilent Mantis), and Medusa (aka Venomous Mantis).
  • “According to a detailed report published by PRODAFT, the group, which it tracks as Phantom Mantis, is led by a Russian-speaking cybercriminal it calls LARVA-368, who goes by the online aliases hastalamuerte, ArmCorp, zeta88, nobody0, and santamuerte. The Gentlemen is known to be active since March 2025, claiming a total of 478 victims to date, per data from Ransomware.Live.”

• Cybersecurity Insiders tells us,
  • “In recent years, ransomware has evolved from simple file-encrypting malware into highly sophisticated cyber weapons capable of disrupting entire organizations. Among these emerging threats, Time Bomb Ransomware has gained significant attention due to its ability to remain dormant within systems before launching a coordinated attack. This delayed-execution strategy makes it particularly dangerous for backup engines, which serve as the last line of defense against data loss and cyber incidents.
  • “Time Bomb Ransomware operates by infiltrating an organization’s network and remaining undetected for an extended period. Instead of immediately encrypting files, the malware silently spreads across systems, identifies critical assets, and waits for a predetermined trigger date or condition. 
  • “During this dormant phase, it can infect data backup repositories, storage servers, and disaster recovery environments without raising suspicion. As a result, organizations may unknowingly back up infected data for weeks or even months- depending on the backup engine configuration that can range on weekly to monthly time intervals.
  • “The primary danger lies in the ransomware’s ability to compromise backup engines before activating its payload. Traditional backup solutions are designed to create multiple copies of data to ensure business continuity. However, when ransomware infiltrates these backup systems, it can encrypt, corrupt, or delete backup copies along with the primary data. Consequently, organizations lose their ability to recover information, forcing them to either pay the ransom or suffer significant operational disruptions.”

From the Cybersecurity defenses front,

• The Wall Street Journal reports,
  • “Frontier artificial intelligence models, like Anthropic’s Mythos, are forcing organizations to rethink cybersecurity by rapidly identifying attack chains.
  • “Visa developed a “Mean Time to Adapt” metric and the VVAH framework to automate vulnerability fixing and testing.
  • “Mean Time to Adapt,” measures how quickly an organization identifies, triages and fixes vulnerabilities once discovered.
  • “The rapid AI-driven discovery of flaws creates pressure on organizations, especially smaller vendors and the public sector, to automate defenses.”

• JP Morgan Chase suggests ten actions to take now for AI-ready cyber resilience.
  • Run the Latest Software Versions
  • Manage Assets and Software Components with Reference Data
  • Build and Operate a Robust Vulnerability Management Program
  • Stress Test Incident Response and Resiliency Plans
  • Know Your Major SaaS and Outsourced Dependencies
  • Optimize Change Management for Speed
  • Aggressively Filter Outbound Traffic from Production Systems
  • Remove Standing Privileges from Employee Entitlements
  • Manage Remote Access and Segment Where Possible
  • Embed Security into the AI Development and Deployment Lifecycle

• Bleeping Computer adds,
  • “AI is transforming the speed and scale of cybercrime in ways traditional security operations were never designed to handle.
  • “Gartner predicts AI agents will cut the time it takes to exploit account exposures by 50% by 2027. Phishing campaigns that once took days to craft can now be generated in minutes, free of the telltale errors that once gave them away, while vulnerabilities that once required manual reconnaissance can now be identified and exploited automatically.
  • “For MSPs, the stakes are clear. Those still relying on a fragmented security stack will not just be slower to respond but will also struggle to prove to clients that their environments are fully protected.
  • “Keeping pace with AI-driven threats requires a more unified, AI-powered approach that strengthens security, simplifies operations and delivers greater value without putting additional pressure on margins.’

• CSO raises “15 tough cybersecurity questions every CISO must answer.”

• Here is a link to Dark Reading’s CISO Corner.