Detailed write-ups
1. Chrome V8 zero-day CVE-2026-11645 exploited in the wild — patch now
Google patched a V8 out-of-bounds read/write zero-day (CVE-2026-11645, CVSS 8.8) that is being actively exploited in the wild — the fifth Chrome zero-day of 2026. The fix shipped in Chrome 149 stable on June 8. This is an in-the-wild browser RCE primitive, so it’s a confirm-the-rollout item first: validate that managed fleets have moved to 149, force-restart browsers to apply the update, and don’t forget Chromium-based downstreams. Then hunt for exploitation artifacts — renderer crashes, unexpected child processes spawned from chrome.exe, and post-exploitation download/execute chains following web visits.
Read the article
Sources: The Hacker News
2. Check Point VPN zero-day exploited in Qilin ransomware attacks (CVE-2026-50751)
A critical IKEv1 authentication bypass (CVE-2026-50751, CVSS 9.3) in Check Point Remote/Mobile Access VPN has been exploited since May 7 by a Qilin ransomware affiliate. CISA added it to KEV on June 9 with a June 11 patch deadline. This is an active-exploit CVE tied directly into a ransomware intrusion chain, so treat exposed gateways as priority-zero: apply the vendor fix immediately, review remote-access logs for anomalous IKEv1 negotiations and authentications back to May 7, and assume any session established during the window is suspect. Pivot from VPN access into lateral-movement and pre-encryption staging hunts given the Qilin linkage.
Read the article
Sources: SecurityWeek
3. Cisco warns of 7th SD-WAN zero-day exploited in 2026 (CVE-2026-20245)
Cisco disclosed an actively exploited, unpatched root-privilege flaw in Catalyst SD-WAN Manager (CVE-2026-20245), reported by Mandiant, with confirmed cases of attackers pushing config changes to edge devices. This is in-the-wild network-infrastructure exploitation with no patch available — the worst combination for IR teams. Until a fix lands, restrict management-plane access, watch SD-WAN Manager for unexpected configuration deployments and template changes, and audit edge-device configs against known-good baselines. Treat any unexplained config push during the exposure window as a potential compromise and validate device integrity downstream.
Read the article
Sources: SecurityWeek
4. Microsoft Defender ‘RoguePlanet’ zero-day grants SYSTEM access on patched Windows (CVE-2026-47281)
A public PoC dubbed “RoguePlanet” (CVE-2026-47281, CVSS 9.6) exploits a Microsoft Defender race condition to obtain a SYSTEM-level shell on fully patched Windows 10/11, and is reported to be actively exploited. This is an unpatched local privilege-escalation primitive that slots neatly into post-compromise chains — assume any foothold an attacker already has can be escalated to SYSTEM. Hunt for anomalous child processes and token manipulation around the Defender service, unexpected SYSTEM-context shells, and race-condition exploitation patterns. Prioritize detection on the escalation step since there is no patch to lean on yet.
Read the article
Sources: The Hacker News
5. Europol disrupts ‘AudiA6’ crypto-laundering service used by ransomware gangs
A June 10 international takedown dismantled “AudiA6,” a crypto-laundering service that moved ~€336M for cybercriminals through 6,000+ mule accounts. Two administrators were arrested in Georgia, and the service is linked to 15+ ransomware investigations. This is a law-enforcement strike against the criminal financial infrastructure that underpins ransomware monetization — cutting off cash-out capacity raises operating costs across multiple affiliates at once. For analysts, the value is in the downstream intelligence: expect investigative pivots from the seized mule-account network into the ransomware crews it serviced.
Read the article
Sources: The Hacker News
6. Ukrainian national pleads guilty to role in Conti ransomware operation
Oleksii Lytvynenko, extradited from Ireland, pleaded guilty to wire-fraud conspiracy tied to Conti attacks during 2021–2022 that affected 1,000+ systems; sentencing is set for September 10. This is a prosecution milestone against one of the most consequential ransomware operations of the era. While it doesn’t change today’s detection posture, it reinforces the attribution and tooling lineage that flowed out of Conti into successor crews — useful context when triaging TTPs that trace back to the original playbook.
Read the article
Sources: BleepingComputer
7. Miasma: supply-chain worm compromises 32 Red Hat npm packages
Wiz details Miasma, a self-propagating credential-harvesting npm worm of the Shai-Hulud lineage that compromised 32 @redhat-cloud-services packages via a preinstall hook, sweeping cloud and CI/CD secrets before republishing itself. This is an active supply-chain compromise that comes with IOCs and remediation guidance. IR teams should rotate any credentials and tokens exposed to affected build environments, audit recent @redhat-cloud-services installs across CI/CD and developer machines, block the worm’s egress, and review npm publish history on org-owned scopes for unexpected version bumps that signal recursive republishing.
Read the article
Sources: Wiz blog
8. New DriveSurge threat actor hijacks thousands of sites for ClickFix/FakeUpdate attacks
Silent Push detailed “DriveSurge,” an initial-access-broker operation using a zTDS traffic-distribution system across thousands of compromised sites to deliver ClickFix/FakeUpdates to both Windows and macOS victims. This is an active malware-delivery campaign with IAB-infrastructure analysis and TDS tradecraft analysts can hunt on. Detection focus: injected redirect/JavaScript on compromised web properties, traffic flowing through the zTDS, ClickFix fake-CAPTCHA prompts that coax users into pasting clipboard commands, and the resulting mshta/shell launches. Cross-platform targeting means macOS endpoints belong in the hunt too.
Read the article
Sources: Dark Reading
9. Global cyber-threat campaigns escalate as APT groups target critical sectors (Intel 471)
Intel 471 reports a June surge in APT operations against critical sectors, with both espionage and disruptive activity growing in scale. This is a threat-landscape framing piece that ties several active APT campaigns together rather than a single-family writeup — useful for setting hunting priorities and briefing stakeholders on where state-aligned pressure is concentrating. Pair it with the foundational APT analysis below (Screening Serpens) to map specific malware families and TTPs onto the broader trend.
Read the article
Sources: Industrial Cyber
10. Dutch police dismantle 17-million-device botnet (Asocks residential proxy) · FOUNDATIONAL
NCSC and Dutch police seized 200+ C2 servers behind a 17-million-device botnet powering the Asocks residential-proxy network used for DDoS, phishing, credential stuffing, and malware distribution. A botnet and criminal-infrastructure takedown of this scale matters to IR teams well beyond the headline: residential-proxy abuse is a recurring problem because malicious traffic blends into legitimate ISP space and defeats simple IP reputation. Use this as a prompt to revisit detections that assume datacenter-ASN signals, and to harden against credential-stuffing routed through residential exit nodes.
Read the article
Sources: SecurityWeek
11. First VPN dismantled in global takedown over use by 25 ransomware groups (Operation Saffron) · FOUNDATIONAL
A France/Netherlands-led Operation Saffron seized 33 bulletproof-VPN servers across 27 countries and arrested the administrator in Ukraine; “First VPN” had served 25+ ransomware groups since 2014. This is a law-enforcement disruption of the anonymization infrastructure central to ransomware operations — the kind of upstream takedown that degrades many crews’ OPSEC at once. For analysts, the seized server set is a likely source of attribution pivots; expect follow-on intelligence linking infrastructure to specific ransomware operations over the coming weeks.
Read the article
Sources: The Hacker News
12. Tracking Iranian APT Screening Serpens’ 2026 espionage campaigns · FOUNDATIONAL
Unit 42 details six new RAT variants (including two new families) deployed February–April 2026 against targets in the US, Israel, and UAE, using AppDomainManager hijacking and air-carrier impersonation lures. This is deep APT malware-family analysis with new RAT TTPs and IOCs ready for detection content. Build coverage around AppDomainManager hijacking (anomalous .NET config files redirecting managed processes to attacker DLLs), and feed the published RAT indicators into Sigma/YARA. Pair with the Intel 471 trend piece above to connect this family-level detail to the broader surge in APT activity against critical sectors.
Read the article
Sources: Unit 42
|