In partnership with
|
Fact
|
98% of commercial AI agents assessed in a June 2026 study carry what researchers call the “lethal trifecta”: private data access, exposure to untrusted content, and the ability to take outbound action. Only 11% have defenses strong enough to offset the risk. (Help Net Security, June 2026)
|
|
The theme this week is systems being turned against themselves. CISA is throwing out the CVSS scoring system the industry has leaned on for two decades. Meta built an AI tool to help you recover your hacked account, and attackers used it to hijack 20,000 accounts. And a research AI worm is reading CVE advisories at runtime to find vulnerabilities its model never saw.
The lines between offense and defense keep shifting. Attackers are reasoning through networks. Security tools are being repurposed as attack vectors against the users they were built to protect. Defenders are rethinking metrics that have been broken for years. This edition covers where the gaps are widening and where they’re closing.
PS — Was this forwarded to you? Subscribe free at exzeccyber.com/subscribe →
|
|
Cloud security
🔓 ServiceNow Left a Door Open and Didn’t Know It
Intro
ServiceNow patched a security incident last week that turned out to be messier than the initial disclosure suggested. An unauthenticated API endpoint, configured with requires_authentication=false, allowed anyone to query customer instance data without credentials.
What Happened
The vulnerable endpoint /api/now/related_list_edit/create could be queried without authentication, exposing table data in customer instances. ServiceNow confirmed the issue but declined to say how many customers were affected. An IP address visible in customer logs (51.159.98.241) suggests the scope extended further than the initial advisory implied.
Why It Matters
ServiceNow instances aren’t just ticketing tools. They store IT credentials, configuration data, employee records, and support history. That data is a roadmap for targeted phishing and lateral movement. The breach didn’t need to involve code execution to be dangerous.
The Other Side
ServiceNow says the issue was primarily limited to Australia-release customers and the fix was deployed before the public disclosure. No confirmed data exfiltration has been reported.
| |
👉 Takeaway
If you’re an enterprise ServiceNow customer, check your instance logs for that IP and ask your rep whether your instance was in scope.
|
TL;DR: ServiceNow’s unauthenticated API exposed customer data. Scope uncertain. Patched June 5.
|
| |
Data breach / enforcement
South Korea’s Personal Information Protection Commission issued a record 624 billion won fine (roughly $400 million) against Coupang after a breach affecting 34 million customers, representing about two-thirds of the country’s population. A former employee stole names, emails, addresses, phone numbers, and order histories over several months before the incident was discovered in December 2025. Coupang is US-headquartered, making this a clear signal that non-US privacy enforcement has real teeth against American firms. The company plans to challenge the fine.
→ The $400M figure matters because it approaches GDPR-scale enforcement. US companies that treat international data protection as a European problem should update that assumption.
|
| |
Zero-day
CVE-2026-42897 is an XSS spoofing flaw in Exchange Server 2016, 2019, and Subscription Edition. Attackers send a crafted email to an Outlook Web Access user, and arbitrary JavaScript executes in the browser without requiring any click beyond opening the message. CISA added the vulnerability to the Known Exploited Vulnerabilities catalog on May 15 with a two-week patching deadline for agencies. The permanent fix arrived in June’s Patch Tuesday, but if your organization hasn’t patched, the deadline has passed.
→ This is the 20th documented Exchange Server exploit in the wild over five years. Patch it.
|
| |
Data breach
The ShinyHunters group claimed a 40+ GB haul from the University of Nottingham’s student record system, covering current and former students at campuses in the UK, Malaysia, and China. The stolen data reportedly includes passport numbers, addresses, phone numbers, disability records, and academic enrollment details. Not just email addresses. The university confirmed the incident, notified the Information Commissioner’s Office, and is conducting a forensic investigation.
→ Universities hold some of the most sensitive personal data anywhere: passports, financial aid, health records. They routinely operate on research-grade rather than enterprise-grade security budgets. That gap shows.
|
|
Smarter browsing. Your data never leaves the room.
Most AI tools are a trade — your data for intelligence. Norton Neo breaks that deal. Powerful built-in AI, anti-fingerprinting, VPN, and ad blocking come standard. No setup. No add-ons. No compromises. Search, summarize, and write with AI that works inside your browser and stays there.
| |
AI / threat research
A team from the University of Toronto, Vector Institute, and Cambridge built a proof-of-concept worm that hijacks GPU machines to run a local LLM, then reasons about each target individually rather than following fixed attack scripts. In a 7-day test across a 33-host network, it found 31 vulnerabilities, exploited 23 hosts, and propagated to 20 of them with a 44% per-host success rate. The critical detail: the worm adapts to vulnerabilities disclosed after its training cutoff by reading public security advisories at runtime.
→ This isn’t deployed malware today. But the research closes a meaningful gap. The assumption that automated attacks require scripted playbooks is under pressure.
|
| |
AI / defense
A June 2026 assessment of 100 production AI agents found only 11% meet basic security standards. The rest carry the “lethal trifecta”: private data access, exposure to untrusted content, and the ability to take outbound action. Coding agents and computer-use agents score worst, with the widest attack surface and thinnest defenses. A single hostile document routed through a misconfigured agent can produce a full system compromise.
→ Before deploying any AI agent to production, audit its permissions. Does it need outbound access? Write access to sensitive data? If not, remove it. Most agents are over-permissioned by default.
|
|
| |
Nation-state / espionage
TA4922, previously focused on East Asian targets, has expanded to Germany, Italy, the UK, and South Africa. The new toolkit includes Atlas RAT, RomulusLoader, SilentRunLoader, and Winos4.0. Entry vector: phishing lures impersonating payroll notices, tax audits, and government communications, with initial contact via WhatsApp and Microsoft Teams. Capabilities include keylogging, screenshots, audio recording, and webcam capture. Proofpoint tracks TA4922 as running more unique campaigns than any other cybercrime actor in their threat data. Researchers also note AI-generated code patterns, suggesting potential LLM use in malware development.
→ Payroll and tax-themed lures arriving via Teams or WhatsApp are a known TA4922 entry vector. If external contacts can reach internal channels, that path deserves a second look.
|
| |
Ransomware
Krebs traced the operator of The Gentlemen ransomware gang to Alexander Andreevich Yapaev, 36, from Izhevsk, Russia, operating as Zeta88. The group has 332+ claimed victims in 2026 and offers affiliates a 90/10 profit split, far more generous than the industry-standard 80/20, which explains their rapid growth. Entry method: edge devices (VPNs, firewalls). Time from access to encryption: hours. Yapaev’s day job: a Russian electrical products supplier.
→ The Gentlemen are the second-most-active ransomware operation by victim count this year. If you’re running perimeter devices, this group is scanning them.
|
|
| |
Practical play
Rethink Your Patch Priority Queue Before CISA Makes You
CISA’s Binding Operational Directive 26-04, issued June 10, formally kills CVSS-based patch prioritization for federal agencies. The logic applies to everyone. The new 4-factor model evaluates: Is this flaw in the KEV catalog? Is the system publicly exposed? Can the exploit be automated? What’s the actual blast radius? Under this framework, a medium-severity KEV vulnerability on an internet-facing system gets patched before a critical CVE with no exploitation evidence. The highest-risk flaws now carry a 3-day deadline. CVSS is no longer the deciding factor.
→ For organizations outside the federal mandate: review your patching SLAs. If your policy is “critical in 30 days, high in 90 days,” you are likely prioritizing the wrong things. KEV status plus public exposure is a better starting filter. CISA’s framework is available at cisa.gov.
|
|
Want to get the most out of ChatGPT?
ChatGPT is a superpower if you know how to use it correctly.
Discover how HubSpot's guide to AI can elevate both your productivity and creativity to get more things done.
Learn to automate tasks, enhance decision-making, and foster innovation with the power of AI.
|
Strange but real
🤦 Meta Built a Help Bot for Locked-Out Instagram Users. Hackers Just Asked It for the Keys.
Intro
Meta’s HTS (Help Through Simplicity) chatbot launched in March 2026 to help users recover locked Instagram accounts. The bot had one critical flaw: it never verified that the email address a user provided actually matched the target account. Attackers discovered this in April and simply asked the bot to link their email to high-profile accounts. It worked.
What Happened
Between April 17 and May 31, attackers used the bot to hijack 20,225 accounts, including the official Obama White House Instagram and the account of the U.S. Space Force Chief Master Sergeant. The flaw was active and undetected for six weeks. Meta disabled HTS when the scope became clear. According to 404 Media, victims had no way to escalate to a human during the attack window.
Why It Matters
Meta built a tool specifically to protect accounts from unauthorized access, and the tool became the attack. The design flaw wasn’t subtle: no verification that the requesting email controlled the target account. This story is less about sophisticated attackers and more about a help desk that took requests at face value.
The Other Side
Meta moved quickly once the issue was identified, pulling the tool entirely rather than attempting a patch. The 6-week detection window is harder to explain.
| |
👉 Takeaway
Any account recovery pathway that doesn’t verify identity is a takeover pathway. Meta’s support tool had weaker identity verification than most basic IT help desk ticketing systems.
|
TL;DR: Meta’s AI account recovery chatbot never checked if you owned the account you were asking it to unlock. Twenty thousand accounts were taken, including the Obama White House Instagram.
|
Business news in 5 minutes flat. Morning Brew breaks down markets, tech, and the economy — clearly, quickly, and with serious personality. 100% free. Join 4M+ Readers.
