This website uses cookies

Read our Privacy policy and Terms of use for more information.

The story that should not get lost in this week's 622-CVE Patch Tuesday avalanche is quieter and more unsettling. Iran didn't need a zero-day to locate U.S. military personnel in the Middle East. They used SS7 — the decades-old telephony signaling protocol with known, unfixable-by-design vulnerabilities — and ad-targeting infrastructure. The kind that serves you a shoe ad based on where you walked yesterday. Cross-referenced against known military bases and hotels, it produced location hits precise enough to enable strikes that caused injuries.

This is the threat model most organizations aren't building for, because it doesn't fit neatly into a CVE or a patch cycle. SS7 abuse is not new — telecom researchers have been documenting it since 2014. Ad-tech as a surveillance layer has been a known risk for nearly as long. What's changed is the operational willingness to combine them and act on the output. The attack surface here isn't a misconfigured server or an unpatched appliance. It's the mobile advertising ecosystem, the global telephony backbone, and the assumption that civilian infrastructure doesn't get weaponized against military targets. That assumption had a bad week.

Table of Contents

🔓 BREACHES & SECURITY INCIDENTS

🇺🇸 Ernst & Young disclosed a data breach after a third-party support ticket system used by its IT staff was hacked. Support tickets and downloaded documents may have included client tax and financial information. EY says it contained the breach, notified law enforcement, and is offering affected clients 24 months of identity monitoring.

🇺🇸 🥤 Coca-Cola said its Fairlife dairy unit was hit by ransomware and has stopped U.S. production. Operations in Canada were not affected. The company gave no timeline for restoring systems.

A new Spirals ransomware finished a full corporate breach—from webshell access to data theft and file encryption—in under 24 hours. The attacker disabled defenses, moved laterally, and deployed a Rust-based payload named bitsadmin.exe to encrypt files and drop a RECOVERY_SECTION.log ransom note. Symantec saw this one case and published indicators and hashes to help organizations defend against Spirals.

🗾 🚕 Japan's largest taxi operator, Nihon Kotsu, shut parts of its systems after a weekend cyberattack that infected internal systems with malware. Key services like dispatch, web booking, reservations, telephone dispatch, and some internal systems remain offline. The company has hired external cybersecurity experts, is investigating possible data leaks, and urges customers to avoid suspicious messages.

🇩🇪 Lidl said attackers stole customer data after a hack at a service provider for its online shop. The stolen details may include names, contact info, birthdates, and possibly passwords or payment data. Lidl warned customers to watch for phishing and notified authorities while investigating.

🇺🇸 Centers Laboratory disclosed a data breach affecting about 542,000 people — Hackers accessed systems in August 2025 and stole sensitive personal and medical information. The WorldLeaks group later published 720 GB of stolen files and listed Centers Lab on its site.

→ More breaches:

🥷🏻 CYBERCRIME, CYBER ESPIONAGE, APT’s

🇬🇧 🕷 Two young members of the Scattered Spider hacking group were jailed in the UK for their role in a 2024 cyberattack on Transport for London that cost £29 million. Each received five years and six months after pleading guilty. Authorities say the arrests have largely stopped the group’s criminal operations while other suspects face ongoing prosecutions.

🇳🇱 Dutch police arrested suspects in an international investment fraud ring that stole over €100 million and may have tens of thousands of victims. The group ran 20 call centers with 700+ people who used fake trading platforms and crypto transfers to take victims' money. The main suspect, a 46-year-old tech expert, was extradited from Poland and charged after investigators traced digital and financial evidence.

🇮🇷 🇺🇸 A report says Iran used known telecom flaws to find U.S. military personnel in the Middle East. They exploited SS7 protocols and ad-targeting tech to track phones at bases and hotels. Those location hits enabled strikes that caused several injuries.

🇬🇧 🇷🇺 UK authorities charged five people linked to Russian Coms, a caller ID spoofing platform used in large-scale scams. The platform helped criminals make over 1.8 million scam calls and caused tens of millions in losses to about 170,000 victims. The suspects will appear in Westminster Magistrates' Court on August 14.

🇺🇸 🇷🇺 U.S. authorities indicted three Russians for running bulletproof hosting services that helped cybercriminals attack critical infrastructure and steal at least $62 million. The services, Media Land and ML.Cloud, hosted ransomware, phishing, banking Trojans, and stolen-card sites from 2014 onward. The FBI and allies have charged the operators, imposed sanctions, and offered up to $10 million for related intelligence.

🇺🇸 🇷🇺 The U.S. Treasury sanctioned a VPN service called First VPN and two individuals for helping ransomware groups hide attacks and sell tools that evade security. First VPN was shut down after years of enabling attacks that cost U.S. businesses and infrastructure billions. The U.K., E.U., and U.S. also sanctioned Russian cyber actors and warned about state-linked groups exploiting routers and device vulnerabilities.

🇪🇸 Spanish police broke up a large cybercrime and money-laundering ring that stole about €140 million through investment fraud and CEO/BEC scams. Four suspects were arrested in Spain, Portugal, and Panama, and raids seized computers, phones, and €3 million frozen for victims. Authorities say the network of hundreds of bank accounts and many money mules has been dismantled.

🔎 Attackers tied to ShinyHunters spent a year stealing Salesforce data without exploiting platform bugs by abusing trusted OAuth connections. Microsoft mapped three paths: vishing to get users to approve malicious apps, stolen tokens from compromised vendors, and misconfigured guest access. Microsoft and Salesforce added real-time detection and governance tools to spot over‑privileged apps and suspicious OAuth activity.

🇪🇺 🇷🇺 The EU sanctioned nine Russian intelligence officers, hackers and four companies for a yearslong cyber spying campaign. The attacks targeted governments and critical infrastructure like heating and power plants in at least nine countries. The EU said the FSB ran the groups and countries including France and Poland were targeted.

🗓️ {Cyber,Info}Sec Events — A community-maintained list of infosec conferences worldwide. Subscribe to the ICS calendar feed to get events straight into your calendar, or follow @[email protected] on Mastodon for weekly digests. Contributions and ⭐ welcome!

👨🏻‍⚖️ 👀 GOVERNMENT, POLITICS, AND PRIVACY

🇦🇲 🇷🇺 Armenia detained a Russian tourist, Aleksandr Ermakov, on a U.S. extradition request linked to REvil hacker — His lawyers say the arrested man is a different Aleksandr Ermakov and not the sanctioned hacker wanted by the U.S., Australia, and the UK. Armenian courts must now decide whether to extradite while Moscow seeks consular access.

🇪🇺 The EU used the Digital Markets Act to force Google to share search data and open Android to rival AI. Google must let competing AI platforms access system features now reserved for its Gemini. The rules are legally binding and aim to boost competition in Europe.

🇬🇧 The UK government plans an overnight social media curfew for 16- and 17-year-olds, with apps defaulting off between midnight and 06:00. Teenagers can opt out by changing settings, and the rules would also limit autoplay and infinite scroll. Critics say the measures may be ineffective or harmful and that stronger, device-level controls are needed.

🇺🇸 eThe Pentagon paused CMMC phase two set for November while it reviews the program for 60 days. Contractors still must follow phase one rules and existing cybersecurity regulations. A task force will seek industry input and recommend simpler rules to help small suppliers compete.

🇺🇸 🗳 Federal help for election security is collapsing after the Trump administration fired Election Assistance Commission leaders and curtailed agencies like CISA. States are building their own smaller, local networks to protect voting systems and share threat information. Officials worry federal actions and DOJ threats are undermining trust and making election administration harder.

🦠 MALWARE & THREATS

🇧🇷 Researchers found over 20 Brazilian government websites hijacked to deliver PhantomEnigma malware — Attackers used authenticated emails and compromised .gov.br hosts to hide a modular JavaScript backdoor that can load additional payloads. This technique lets criminals steal credentials and maintain persistent access, posing major risk to banks and public agencies.

🇷🇺 🐀 A Russian-linked group called UAT-11795 trojanized popular apps like WebEx and Zoom to install a new backdoor named Starland RAT. Starland steals browser credentials and crypto wallets, gathers system and Active Directory data, and deploys additional stealers and RATs. Cisco Talos warns users to download only from official sources and use provided IoCs to defend.

🍎 Researchers discovered CrashStealer, a new macOS info-stealer written in C++ that harvests browsers, crypto wallets, password managers, keychain items, and local files. It uses a signed and Apple-notarized disk image dropper to bypass Gatekeeper, then validates the user password, re-signs itself, and persists as a LaunchAgent. Collected data is AES-GCM encrypted, zipped, and exfiltrated to an attacker server as part of a larger campaign.

📦 Four compromised @asyncapi npm packages delivered a multi-stage botnet loader that fetches an encrypted malware payload from IPFS. The final payload, called Miasma-like, supports multiple C2 channels, persistence, credential theft, lateral movement, and a destructive dead-man switch. The attacker abused GitHub Actions to publish malicious releases with valid provenance, and the poisoned modules run when required during builds or CI.

🐀 Researchers found a new Rust-based remote access trojan called LabubaRAT that pretends to be NVIDIA software. It can profile Windows hosts, run commands, move files, take screenshots, and proxy traffic. The malware uses configurable C2 channels (HTTPS, WebView2, DNS) and may be sold as malware-as-a-service.

📦 Researchers found 148 npm packages masquerading as student web proxies that turned visitors' browsers into a DDoS botnet — The hidden code loaded remote scripts and opened many WebSocket connections to flood and crash proxy servers and a nursing school site. The packages were easy to rearm and many remain available, so admins should block attacker domains and users should clear browser data.

🔙 🚪Jscrambler's npm package was backdoored with an infostealer and downloaded ~1,500 times. The malicious releases ran a preinstall hook to steal credentials, source code, cloud keys, wallets, and browser data. Jscrambler revoked publishing credentials, deprecated the packages, and urged users to rotate secrets and update to safe versions.

🤖 🧰 AI, CRYPTO, TECH & TOOLS

👀 🗓 Researchers say two vulnerabilities in Claude for Chrome still let malicious extensions make the AI act without real user clicks. An attacker could use this to read Gmail, Google Docs, and calendar data, especially if "Act without asking" is on. Anthropic patched ClaudeBleed earlier this year, but the reported flaws remain in recent extension versions.

Apple says a former engineer, Chang Liu, used a rare authentication bug to access and download dozens of confidential files after leaving for OpenAI. Apple alleges the files included unreleased product specs and that Liu kept an Apple laptop and did not report the bug. Apple is suing OpenAI and seeks a jury trial.

🐛 🧠 VULNERABILITIES, RESEARCH, AND THREAT INTELLIGENCE

➝ From the Patching Department:

0⃣ 🗓 Researcher Chaotic Eclipse released a limited LegacyHive PoC that can load arbitrary Windows user hives and escalate privileges. The PoC works on all supported Windows versions, including after the July 2026 Patch TuesdayMicrosoft is investigating amid broader tension with the researcher and active exploitation of several other patched vulnerabilities.

🐛 A bug called HollowByte lets attackers bloat OpenSSL server memory and cause a DoS with only an 11-byte payload. OpenSSL has quietly fixed it and backported patches to older releases. Upgrade OpenSSL now to avoid servers becoming permanently memory‑bloated.

💥 A critical SharePoint RCE bug (CVE-2026-58644) is being exploited soon after Microsoft patched it. CISA added the flaw to its Known Exploited Vulnerabilities list and told agencies to patch within three days. Other exploited bugs in SharePoint and Fortinet appliances were also noted.

🐛 A flaw in RabbitMQ’s management interface can leak the broker’s OAuth client secret (CVE-2026-5721), letting attackers impersonate the broker and get admin tokens. This affects setups using an OAuth/OIDC provider and any instance with the management port reachable by untrusted networks. Organizations should patch immediately, block or isolate exposed interfaces, and rotate secrets.

0⃣ 🗓 Progress Software says a zero-day vulnerability caused the recent ShareFile Storage Zones Controller outage and access is being restored. They released patches for versions 5.x and 6.x and urged customers to update and disconnect exposed servers. Progress reports no evidence of customer data compromise, but security experts warn to assume possible compromise and investigate further.

💥 SonicWall says two zero-day flaws in SMA 1000 appliances are being actively exploited — One flaw can let an attacker run admin commands. Customers must apply patches now and check for compromise indicators.

🛰️ ICS, OT & IoT

🩹 ICS Patch Tuesday — Siemens, Schneider Electric, and Rockwell Automation released July 2026 Patch Tuesday advisories fixing multiple critical and high-severity vulnerabilities in ICS products. The flaws could allow attackers to bypass authentication, execute code, cause DoS, or gain full control of affected systems. Other vendors and agencies (ABB, Mitsubishi, VDE CERT, CISA) also reported or distributed related advisories.

🐛 TP-Link fixed two vulnerabilities in Kasa EC70 v4 and EC71 v4 cameras that could let someone on the same local network steal sensitive data. The worst flaw is a hardcoded cryptographic key that can enable man-in-the-middle attacks; the other leaks location data via the discovery service. Update camera firmware and the Kasa app, or isolate cameras on a separate IoT network until patched.

🇷🇺 U.S. and eight allied agencies warn Russian state hackers are targeting poorly configured routers to breach critical infrastructure networks. The group (FSB Centre 16) uses weak SNMP credentials and known Cisco flaws to steal device configs and exfiltrate them. Agencies urge upgrades (SNMPv3), disabling Cisco Smart Install, strong passwords, blocking TFTP/SNMP, and patching or replacing devices.

💬 CONNECT

Follow me on Mastodon for quick daily updates and bite-sized content.

Prefer using an RSS feed? Add Infosec MASHUP to your feed here.

Enjoying our newsletter? Forward it to a colleague—
it’s one of the best ways to support us.

Thanks for reading today’s newsletter, and if you're enjoying it and want to support my work, you can buy me a coffee ☕ over at https://www.buymeacoffee.com/0x58

See you next time!

-X.

Reply

Avatar

or to participate

Keep Reading