In today’s cybersecurity news…
CISA sets urgent deadline to fix exploited Cisco flaw
Following up on a story we covered in early June, CISA gave federal agencies until Sunday (yesterday) to patch a vulnerability in Cisco Unified Communications Manager Server. The vulnerability, tracked as CVE-2026-20230, is a server-side request forgery (SSRF) flaw and is being actively exploited. The remediation is deemed urgent. Cisco released a patch on June 3.
Chinese cybersecurity company claims it has a better-than-Mythos bug finder
This comes from Chinese cybersecurity vendor Qihoo 360. The model was revealed at the company’s 14th Beijing Cybersecurity Conference. Qihoo CEO Zhou Hongyi described Mythos as “equivalent to a ‘cyber nuclear weapon’” because of the USA’s ban on foreign nationals accessing the model. He said that rather than build on a strategy of sheer brute force, his company will use alternative methods by “distilling its 20 years of experience fighting cyber-threats and colossal malware library into security-specific models and agents.” The company has put that to work in what Zhou described as a “multi-agent swarm.” The technique, named “Tulongfeng,” is apparently already finding flaws in open-source and commercial software.
Amazon Q flaw enables cloud credential theft
Researchers at Wiz have disclosed a high-severity vulnerability in the Amazon Q Developer extension for Visual Studio Code, an AI-powered coding assistant. The flaw could allow attackers to steal developers’ cloud credentials by luring them into opening a booby-trapped code repository. AWS learned about the issue on April 20 and released a patch on May 12. “The root cause of the vulnerability was that the extension would automatically act on configuration files embedded in a workspace without first asking the user for permission…meaning a malicious repository could quietly run attacker-controlled commands in the background the moment a developer opened it, gaining access to whatever cloud credentials and API keys were loaded in their environment at the time.”
Clean GitHub repo tricks AI coding agents into running malware
Researchers at Mozilla’s Zero Day Investigative Network are warning that an agentic coding tool “tasked with cloning and setting up a seemingly benign GitHub repository” could execute a malicious payload that remains invisible to security scanners, AI agents, and human reviewers. They demonstrated “how an attacker could plant an interactive shell on a developer’s device by using Claude Code to run a cloned project without malicious code in the repository. If successful, the attacker would obtain a shell running with the developer’s privileges, giving them access to environment variables, API keys, local configuration files, and the opportunity to establish persistence.” A link to the BleepingComputer story that expands upon this proof of concept is available in the show notes to this episode.
FCC passes new cybersecurity rules for emergency systems, undersea cables
These rules were approved on Thursday by the FCC and are intended to “boost cybersecurity regulations for the nation’s emergency alert systems and update security rules for the nation’s undersea cables.” The rules will allow for improvements in the two national emergency systems, the Emergency Alert System (EAS) and Wireless Emergency Alerts (WEA), to better protect against hijacking attacks from malicious actors. These systems are used by state and local authorities to broadcast urgent messages such as weather alerts and AMBER alerts. The WEA handles much of the same messaging via text. The FCC points out that “a compromise of either system by a foreign government, cybercriminal group or other rogue actor could be used to sow chaos and disinformation… or impede coordination efforts in the face of a genuine emergency.”
Ukraine says Russian intelligence used fake support texts to steal messaging credentials
The country’s Security Service (SSU) has said that it has been working with the FBI and has uncovered a “long-running campaign orchestrated by Russian intelligence services to break into the messaging accounts of government officials, military personnel, politicians, and activists in Ukraine, Europe, and the U.S.” The campaign is designed to steal sensitive military, political, and economic information as well as personal data. The technique used was to “send SMS messages that masquerade as the messaging platform’s support bot and urge users to disclose their account credentials.”
Another Russian dairy company reportedly suffers cyberattack
This attack has slowed things down for Ufagormolzavod, a dairy producer in Russia’s eastern republic of Bashkortostan, forcing the company to go back to pen and paper. The company produces dairy products such as cottage cheese, butter and yogurt. No mention has been made of who is behind this attack, whether any data has been compromised, or when the company expects to restore its IT systems. The incident is the latest in a series of cyber disruptions affecting Russia’s dairy sector.
Hospitality sector hit by phishing campaign using fake guest complaint emails through Calendly
Microsoft’s Threat Intelligence Group is warning about a phishing campaign targeting the hospitality sector with fake guest emails that install TonRAT using resilient persistence. This particular campaign has been running since April. The targets are specific devices within environments with names such as “reception,” “frontdesk,” and “reservations,” a technique Microsoft calls authentication laundering. Taking advantage of Calendly’s email notification system, emails arrive with the display name “Booking Manager (via Calendly)” and carry fake complaint messages about bedbug infestations and other worrisome situations. The researchers point out that the messages in this campaign have no recipient name and no property name, suggesting a high-volume, list-driven attack rather than tailored spearphishing.






