Daily Digest

Zero-Days in Microsoft Defender & Oracle PeopleSoft Exploited; Ransomware Hits Australian Sugar Giant

Zero-Days in Microsoft Defender & Oracle PeopleSoft Exploited; Ransomware Hits Australian Sugar Giant

June 16, 2026
14 articles (11 new, 3 updated)
42 min read

Summary

This period has been marked by the active exploitation of critical zero-day vulnerabilities, including the 'RoguePlanet' flaw in Microsoft Defender and a remote code execution bug in Oracle PeopleSoft used by ShinyHunters to breach the University of Nottingham. CISA has added actively exploited flaws in Cisco SD-WAN and LiteSpeed's cPanel plugin to its KEV catalog. Meanwhile, a ransomware attack by 'The Gentlemen' has crippled Australia's second-largest sugar producer, and a novel campaign by DragonForce ransomware was found abusing Microsoft Teams for covert communications. This highlights a trend of sophisticated attacks targeting both unpatched and seemingly secure systems.

Filter by Category

New Articles (11)

Zero-Day 'RoguePlanet' in Microsoft Defender Grants SYSTEM-Level Control

CRITICAL

Microsoft Defender Plagued by 'RoguePlanet' Zero-Day Privilege Escalation Vulnerability

A critical zero-day vulnerability dubbed 'RoguePlanet' has been discovered in Microsoft Defender, affecting fully patched Windows 10 and 11 systems. The flaw, a time-of-check-to-time-of-use (TOCTOU) race condition, allows a local attacker with standard user permissions to escalate privileges to full SYSTEM control. A public proof-of-concept exploit has been released, and as of now, no official patch is available, leaving millions of Windows endpoints exposed to this significant threat.

June 16, 2026
6 min read
Zero-DayPrivilege EscalationTOCTOURace ConditionWindows +2 more
Zero-Day 'RoguePlanet' in Microsoft Defender Grants SYSTEM-Level Control

Actively Exploited Cisco SD-WAN Flaw Added to CISA KEV Catalog

HIGH

Cisco Catalyst SD-WAN Manager Vulnerability (CVE-2026-20262) Under Active Exploitation

Cisco has confirmed that a critical path traversal vulnerability, CVE-2026-20262, in its Catalyst SD-WAN Manager is being actively exploited. The flaw allows an authenticated attacker to overwrite arbitrary files and escalate privileges to root. Affecting all deployment types, the vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to patch by June 29, 2026. This is the second exploited SD-WAN bug from Cisco in two weeks.

June 16, 2026
5 min read
CiscoSD-WANPath TraversalKEVCISA +1 more
Actively Exploited Cisco SD-WAN Flaw Added to CISA KEV Catalog

Ransomware Attack by 'The Gentlemen' Shuts Down Major Australian Sugar Producer

HIGH

Mackay Sugar Operations Crippled by 'The Gentlemen' Ransomware Attack

Mackay Sugar, Australia's second-largest producer of raw sugar, has been forced to halt mill operations following a ransomware attack. The threat group 'The Gentlemen' (tracked as Storm-2697) has claimed responsibility, listing the company on its dark web leak site. The attack has disrupted the supply chain, forcing growers to stop harvesting and suspending cane haulage, highlighting the vulnerability of critical manufacturing and agricultural sectors to cyberattacks.

June 16, 2026
5 min read
RansomwareThe GentlemenStorm-2697Mackay SugarAustralia +4 more
Ransomware Attack by 'The Gentlemen' Shuts Down Major Australian Sugar Producer

China-Linked SprySOCKS Backdoor Adds Windows Variants with Kernel-Level Stealth

HIGH

FishMonger Group Evolves SprySOCKS Backdoor for Windows, Uses Kernel Drivers for Stealth

The China-linked espionage group 'FishMonger' (part of the Winnti umbrella) has upgraded its SprySOCKS backdoor, previously thought to be Linux-only, with two new Windows variants. The new versions, WIN_DRV and WIN_PLUS, feature significant stealth enhancements. The WIN_DRV variant uses a custom kernel driver, 'RawWNPF', to hide the malware's processes, network connections, and files from security tools, demonstrating a significant advancement in the group's capabilities for covert operations.

June 16, 2026
5 min read
SprySOCKSFishMongerWinntiCyber EspionageMalware +3 more
China-Linked SprySOCKS Backdoor Adds Windows Variants with Kernel-Level Stealth

DragonForce Ransomware Hid C2 Traffic Inside Microsoft Teams Infrastructure

HIGH

DragonForce Ransomware Abuses Microsoft Teams TURN Servers for Covert Command and Control

The DragonForce ransomware group demonstrated a novel stealth technique by compromising a major US services firm and hiding its command-and-control (C2) traffic within legitimate Microsoft Teams infrastructure. The attackers used a custom Go-based RAT and dwelled in the network for up to two months, abusing Teams' TURN relay servers to evade detection. During this time, they escalated privileges, created new user accounts, and even used a then-undocumented Huawei driver vulnerability to further mask their activity.

June 16, 2026
5 min read
DragonForceRansomwareMicrosoft TeamsC2Living off the Land +2 more
DragonForce Ransomware Hid C2 Traffic Inside Microsoft Teams Infrastructure

CISA KEV Catalog Adds Exploited LiteSpeed cPanel Plugin Flaw

HIGH

CISA Adds Actively Exploited LiteSpeed cPanel Privilege Escalation Flaw (CVE-2026-54420) to KEV Catalog

The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-54420, a privilege escalation vulnerability in the LiteSpeed cPanel plugin, to its Known Exploited Vulnerabilities (KEV) catalog. The flaw (CVSS 8.5) allows a user with basic web shell access on a shared hosting server to escalate privileges to root. The vulnerability, caused by improper handling of symbolic links, affects servers running CloudLinux or CageFS. Federal agencies are mandated to patch by June 18, 2026.

June 16, 2026
5 min read
CVE-2026-54420CISAKEVLiteSpeedcPanel +3 more
CISA KEV Catalog Adds Exploited LiteSpeed cPanel Plugin Flaw

EU Includes Ukraine in Cybersecurity Reserve for Emergency Incident Response

INFORMATIONAL

Ukraine Gains Access to EU Cybersecurity Reserve for Support Against Major Cyberattacks

The Council of the European Union has officially approved Ukraine's inclusion in the EU Cybersecurity Reserve. This strategic partnership allows Ukraine to request and receive emergency, on-the-ground support from a pool of trusted private cybersecurity providers managed by ENISA. The move is designed to bolster Ukraine's resilience against large-scale cyber incidents and strengthens the collective cyber defense posture of the EU and its partners.

June 16, 2026
3 min read
EUUkraineENISACyber Solidarity ActIncident Response +2 more
EU Includes Ukraine in Cybersecurity Reserve for Emergency Incident Response

Vast Malicious Infrastructure Found Delivering EtherRAT and Phishing Kits

MEDIUM

Researchers Uncover Sprawling Infrastructure Distributing EtherRAT Malware via Open Directories

Security researchers have discovered a large, active malicious infrastructure responsible for distributing the EtherRAT malware, phishing pages, and other malicious software. The operation utilizes a network of websites with open directories. EtherRAT, a Node.js-based remote access trojan, is notable for its unique method of retrieving its command-and-control (C2) server address from the Ethereum blockchain, making it more resilient to takedowns.

June 16, 2026
2 min read
EtherRATMalwareRATBlockchainEthereum +3 more
Vast Malicious Infrastructure Found Delivering EtherRAT and Phishing Kits

HIBP Adds 56 Million Emails from Massive Infostealer Log Compilation

MEDIUM

Have I Been Pwned Integrates 56 Million Emails from June 2026 Stealer Log Data Set

The data breach notification service Have I Been Pwned (HIBP) has absorbed a massive new dataset compiled from numerous information-stealing malware logs. This 'June 2026 Stealer Logs' collection contains 56.3 million unique email addresses and 124 million unique passwords. The data highlights the pervasive threat from infostealer malware, which harvests credentials and personal data directly from compromised computers. HIBP users can now check if their accounts were part of this significant breach.

June 16, 2026
4 min read
Have I Been PwnedHIBPData BreachInfostealerMalware +2 more
HIBP Adds 56 Million Emails from Massive Infostealer Log Compilation

Microsoft Edge Flaw CVE-2026-11645 Actively Exploited in the Wild

CRITICAL

Microsoft Edge Faces Multiple Vulnerabilities, Including Actively Exploited RCE Flaw CVE-2026-11645

Microsoft has released an urgent security update for its Edge browser to address multiple vulnerabilities, one of which, CVE-2026-11645, is being actively exploited. This critical flaw allows a remote attacker to execute arbitrary code within the browser's sandbox by luring a user to a malicious webpage. The update, version 149.0.4022.69, patches this and over 40 other bugs that could lead to information disclosure, denial of service, and privilege escalation. Users are urged to update immediately.

June 16, 2026
4 min read
Microsoft EdgeVulnerabilityCVE-2026-11645RCEActive Exploitation +2 more
Microsoft Edge Flaw CVE-2026-11645 Actively Exploited in the Wild

Pickle in the Middle: Critical RCE Flaw in Google Vertex AI Enables ML Model Hijacking

HIGH

Pickle in the Middle: Unit 42 Discovers Cross-Tenant RCE in Google Vertex AI via Model Upload Hijacking

Palo Alto Networks' Unit 42 has discovered and disclosed a high-severity vulnerability in Google Cloud's Vertex AI Python SDK that could allow an attacker to achieve remote code execution (RCE) across different customer tenants. The attack, named 'Pickle in the Middle,' exploits a predictable default bucket naming convention in the SDK, allowing for a 'bucket squatting' attack. By preemptively creating a bucket with a known name, an attacker can intercept a victim's machine learning model upload, replace it with a malicious version, and execute arbitrary code within the victim's Vertex AI infrastructure. The flaw resided in the `google-cloud-aiplatform` SDK versions 1.139.0 and 1.140.0 and was fixed by Google in version 1.148.0.

June 16, 2026
11 min read
Vertex AIGoogle CloudGCPRCEBucket Squatting +5 more
Pickle in the Middle: Critical RCE Flaw in Google Vertex AI Enables ML Model Hijacking

Updated Articles (3)

China-Linked Group UNC6508 Bypasses Defenses for Over a Year in Massive Research Data Heist

HIGH

Chinese APT UNC6508 Targets Medical, Military, and AI Research in North America in Multi-Year Campaign

Update:

The UNC6508 campaign's duration has been refined to over two years (September 2023 to November 2025), indicating a longer period of compromise. Crucially, a novel exfiltration technique was identified: the threat actor manipulated Google Workspace email forwarding rules to automatically send sensitive emails containing specific keywords to attacker-controlled Gmail accounts. This 'Living off the Trusted Service' method allowed for stealthy data theft, bypassing traditional network security controls and targeting research on molecular discovery and clinical drug trials.

June 15, 2026
Updated: June 16, 2026
6 min read
UNC6508InfiniteRedREDCapCyberespionageChina +5 more
China-Linked Group UNC6508 Bypasses Defenses for Over a Year in Massive Research Data Heist

AI-Powered Phishing Hits New Levels of Sophistication, Bypassing MFA

HIGH

New Wave of AI-Powered Phishing Campaigns Increases Sophistication and Scale

Update:

The FBI has issued a warning about 'Kali365', a new AI-powered Phishing-as-a-Service platform that automates sophisticated MFA-bypassing attacks against Microsoft 365 environments. Kali365 facilitates OAuth token theft through device code phishing, making these advanced techniques accessible to a broader range of threat actors. The new report provides critical detection guidance, including specific cyber observables for monitoring Microsoft Entra ID logs. These include looking for unusual requests to the `oauth2/v2.0/devicecode` API endpoint and auditing for suspicious application consents. This development signifies an escalation in the accessibility and sophistication of these persistent threats, requiring organizations to enhance their monitoring and mitigation strategies.

May 21, 2026
Updated: June 16, 2026
5 min read
PhishingAIGenerative AIMFADevice Code Phishing +3 more
AI-Powered Phishing Hits New Levels of Sophistication, Bypassing MFA

ShinyHunters Exploits Oracle PeopleSoft Zero-Day, Breaching Over 100 Orgs, Primarily in Higher Education

CRITICAL

ShinyHunters Data Extortion Group Compromises Over 100 Organizations Using Oracle PeopleSoft Zero-Day Vulnerability

Update:

New reports confirm the University of Nottingham breach by ShinyHunters impacted approximately 455,000 current and former students. Attackers exfiltrated 40 GB of sensitive data, including names, addresses, and critically, passport numbers. The university has notified affected individuals and reported the incident to the UK's ICO and Action Fraud. This update provides specific impact metrics for a previously identified victim, highlighting the severe consequences of the Oracle PeopleSoft zero-day exploitation. Additionally, new hunting hints for the /PSEMHUB/ URL pattern have been identified.

June 13, 2026
Updated: June 16, 2026
5 min read
ShinyHuntersCVE-2026-35273OraclePeopleSoftZero-Day +5 more
ShinyHunters Exploits Oracle PeopleSoft Zero-Day, Breaching Over 100 Orgs, Primarily in Higher Education

📢 Share This Publication

Help others stay informed about cybersecurity threats

📅 Daily Edition

Curated and deduplicated every day from dozens of trusted sources — giving you one clean, consolidated view of what matters in cybersecurity.

🔢 Deduplication Applied

Related stories are merged into a single evolving article rather than repeated as separate entries — cutting through noise so you only read what's new.

🔗 Full Articles Linked

Every entry links to its full enriched article — complete with MITRE ATT&CK mappings, extracted IOCs, and actionable detection and mitigation guidance.