Fact: FIRST forecasts roughly 66,000 CVEs will be published in 2026, up from around 40,000 in 2024, driven largely by AI tools autonomously discovering software flaws at a scale no human team could match. (FIRST via Help Net Security, June 2026)
The Signal
 

This edition is about what happens when the guardrails come off. The spy law expired. The spyware company is defying a court order. The ransom was never demanded. All three of those sentences are true at the same time.

PS — Was this forwarded to you? Subscribe free at exzeccyber.com/subscribe

In this edition
 📌 Big Cyber News
 🚨 Can't Miss
 🤖 AI in Cyber
 🏛️ Privacy, Power & Policy
 🔧 Tools & Tactics
 🧪 Strange Cyber
📌 Big Cyber News
 
Surveillance
Section 702 Expires for the First Time Since 2008
Background
Section 702 of FISA, the legal authority underpinning warrantless surveillance of foreigners who communicate with Americans, expired on June 12, 2026. It is the first lapse in the law's history since it was passed in 2008.
What Happened
Congress failed to reauthorize before the deadline after a political standoff over Trump's choice to lead the intelligence community, which the Senate rejected. Active surveillance operations continue under a prior FISA court certification valid through March 2027, so the immediate intelligence impact is limited. But new targeting collection is legally murky, and Congress votes again on June 23.
Why It Matters
Section 702 is the backbone of programs like PRISM, used to collect the emails, messages, and calls of foreign intelligence targets who communicate with Americans. A gap in authorization creates legal uncertainty across the entire intelligence posture and gives adversaries a window to exploit the confusion.
The Other Side
Privacy advocates are celebrating. EFF called it a victory. Critics have argued for years that Section 702 sweeps in massive amounts of Americans' communications without individual warrants, and this lapse is the first real structural pressure to fix that.
 
👉 Takeaway
Watch June 23. If Congress doesn't reauthorize, the intelligence community starts working from a shrinking legal foundation, and the lobbying pressure will get very loud very fast.
TL;DR: The US spy law expired for the first time in 18 years. Congress has until June 23 to decide whether that matters.
Further reading: TechCrunch
🚨 Can't Miss
 
 
Data breach
ShinyHunters claimed on June 15 to have stolen 429,000 documents from the Council of Europe, the intergovernmental body that oversees the European Court of Human Rights for its 46 member states. The alleged take includes 409,000 payslips spanning 2011 to 2026, 14,000 CVs, and 3,700 personnel files, with data said to include salaries, bank account details, medical records, and Social Security numbers for over 10,000 staff. The Council of Europe said it was investigating and had no further comment. ShinyHunters' deadline to leak the data was June 16.
The institution that sets human rights standards for an entire continent may have just lost the medical and financial records of everyone who works there. The irony is doing a lot of work on this one.
 
Espionage
ESET published research on June 16 revealing that FishMonger, a Chinese contractor-run cyberespionage group, quietly ported its SprySOCKS backdoor from Linux to Windows and paired it with a kernel driver that hides the malware's processes, files, network connections, and registry keys from standard detection. A second variant adds a passive TCP backdoor mode: rather than binding a visible listening port, it waits for trigger traffic, so the port never shows up in socket listings or scans. FishMonger has targeted government organizations in Taiwan, Honduras, Thailand, and Pakistan, with ESET noting early signs of a UEFI bootkit component in some attack chains. The Windows port significantly expands the group's operational footprint.
When a state-backed APT adds kernel-level stealth to a cross-platform backdoor, dwell times are about to get longer and detection is about to get harder. Hunt where a rootkit can't hide itself: driver load telemetry (Sysmon Event ID 6), driver signing and blocklist enforcement, and cross-view checks that compare user-mode process and socket enumeration against kernel-level or out-of-band sources.
 
Extortion
Kodak confirmed it is investigating a security incident after ShinyHunters claimed to have stolen 2.2 million records of customer PII and corporate data, setting a June 18 deadline for Kodak to respond before the data is published. Kodak says the breach is "limited in scope" and has engaged external forensic experts and law enforcement, but has not said how attackers got in. No proof of stolen data has been published yet, which fits the standard ShinyHunters playbook: claim, threaten, pressure, and wait. ShinyHunters has now claimed the Council of Europe, Oracle PeopleSoft, and Kodak in the span of a few weeks.
This is a systematic extortion campaign running at scale, not one-off attacks. ShinyHunters is operating a deadline-driven pressure machine across multiple major targets simultaneously.


🤖 AI in Cyber
 
 
Vulnerability
FIRST is now forecasting approximately 66,000 CVEs for 2026, a sharp jump from around 40,000 in 2024, with AI vulnerability discovery tools driving the surge. Mozilla's Firefox 150 alone had 271 bugs found by Anthropic's Project Glasswing. The catch: the fraction of truly critical, patch-now vulnerabilities isn't growing at the same rate. Most AI-found bugs are real but low-priority. AI-generated throwaway code is also creating vulnerabilities that never get formal CVE numbers, building a shadow exposure surface outside the tracking systems defenders rely on.
More CVEs does not mean more insight. It means more triage work, and your patch queue is about to get longer before AI helps you shorten it.
 
Zero-day
CVE-2026-5027, a high-severity path traversal in Langflow, the popular open-source AI application builder, allows unauthenticated attackers to write arbitrary files to exposed servers with a single request. No credentials required: Langflow ships with auto-login enabled by default. Censys found roughly 7,000 publicly exposed instances. Active exploitation is confirmed. Fix: upgrade to Langflow 1.10.0 immediately. Patching is step one; also turn off auto-login (LANGFLOW_AUTO_LOGIN=false), put the UI behind real authentication, and take it off the public internet. If you have Langflow running anywhere internet-facing, assume compromise and work backward from what an arbitrary file write could have dropped.
"Popular AI dev tool, exposed to the internet by default, unauthenticated RCE confirmed" is exactly the sentence that should send you to your instance inventory right now.
🏛️ Privacy, Power & Policy
 
 
Spyware
Meta filed a contempt of court complaint alleging NSO Group violated a 2021 injunction that barred the company from using WhatsApp's infrastructure to deliver Pegasus spyware. Meta claims NSO continued operating Pegasus attacks against WhatsApp users after the court order. The complaint escalates a civil case NSO has been losing steadily: a judge already ruled last year that NSO must disclose its client list. NSO has denied the allegations. If the contempt motion succeeds, the company faces sanctions or further disclosure requirements in US court, which is exactly what it has been fighting to avoid for years.
The most important thing about this filing isn't the contempt charge. It's the pressure to name the clients. Spyware accountability runs through the customer list.
 
Policy
CISA's Binding Operational Directive 26-04 replaces CVSS-severity-driven patch timelines with a four-factor risk model: Is the asset internet-facing? Is the flaw on the KEV list? Can it be exploited by low-skilled attackers using automated tooling? Does it enable lateral movement or privilege escalation? Vulnerabilities meeting all four criteria get a three-day patch mandate. The directive applies to federal agencies, but the model is immediately useful for any organization trying to triage an overwhelming patch queue without the resources to fix everything at once.
If your org still prioritizes by CVSS score alone, you're fixing the wrong things first. BOD 26-04's four-factor model is worth borrowing even if you're not a federal agency.
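As an added example (not CISA's code and not taken from the directive text), here is a small triage script that applies the four factors to a constructed set of findings and shows how its ordering diverges from a CVSS-only ranking. Only one rule comes from the directive as described above: all four factors present means a three-day deadline. The deadlines for findings that meet fewer factors, and the sample findings themselves, are assumptions made up for illustration.

```python
"""Four-factor patch triage modeled on the BOD 26-04 criteria described above.

Added example, not CISA's code. The only rule taken from the directive as the
text describes it: all four factors present -> three-day deadline. Every other
deadline tier and all sample findings below are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    name: str
    cvss: float
    internet_facing: bool         # factor 1: asset reachable from the internet
    on_kev: bool                  # factor 2: listed in CISA's KEV catalog
    low_skill_automatable: bool   # factor 3: exploitable with off-the-shelf tooling
    lateral_or_privesc: bool      # factor 4: enables lateral movement or privesc


FACTORS = ("internet_facing", "on_kev", "low_skill_automatable", "lateral_or_privesc")

# Deadline in days by number of factors met. Only 4 -> 3 is the directive's rule
# as described on this page; the remaining tiers are assumed placeholders.
ASSUMED_DEADLINES = {4: 3, 3: 14, 2: 30, 1: 60, 0: 90}


def factors_met(f: Finding) -> tuple:
    """Names of the four risk factors that apply to this finding."""
    return tuple(name for name in FACTORS if getattr(f, name))


def patch_deadline_days(f: Finding) -> int:
    """Patch deadline derived from the factor count, not from CVSS."""
    return ASSUMED_DEADLINES[len(factors_met(f))]


def by_four_factor(findings):
    """Shortest deadline first; ties broken by factor count, then CVSS."""
    return sorted(
        findings,
        key=lambda f: (patch_deadline_days(f), -len(factors_met(f)), -f.cvss),
    )


def by_cvss(findings):
    """The ordering a CVSS-only queue would produce, for comparison."""
    return sorted(findings, key=lambda f: -f.cvss)


def triage_report(findings):
    """Rows of (name, deadline_days, factors_met, cvss) in four-factor order."""
    return [
        (f.name, patch_deadline_days(f), factors_met(f), f.cvss)
        for f in by_four_factor(findings)
    ]


# Constructed sample findings (labels, not real CVE identifiers). The
# high-CVSS internal database bug is deliberately outranked by a lower-CVSS
# internet-facing, KEV-listed, automatable bug that also enables movement.
SAMPLE = [
    Finding("internal-db-rce", 9.8, False, False, False, True),
    Finding("vpn-gateway-auth-bypass", 8.1, True, True, True, False),
    Finding("public-app-file-write", 7.5, True, True, True, True),
    Finding("workstation-dos", 5.3, False, False, False, False),
]

if __name__ == "__main__":
    print("CVSS-only order:  ", [f.name for f in by_cvss(SAMPLE)])
    print("Four-factor order:", [f.name for f in by_four_factor(SAMPLE)])
    for name, days, met, cvss in triage_report(SAMPLE):
        print(f"{name:26s} patch within {days:2d} days  cvss={cvss}  factors={met}")
```

The CVSS-only queue puts the 9.8 internal database bug first; the four-factor queue puts the 7.5 internet-facing file write first because it is the only finding that meets all four criteria. The tie-breaks inside a deadline tier (factor count, then CVSS) are a design choice for the example, not something the directive specifies.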
🔧 Tools & Tactics
 
 
Practical play
Chainguard's Athena coalition pools open-source vulnerability findings across member organizations and patches them under coordinated embargo before public disclosure, preventing the usual race between when a fix drops and when exploitation begins. In roughly one month, the coalition shipped 2,000 patches across 500 open-source projects. The model is a direct answer to AI-accelerated vulnerability discovery: if AI tools are finding bugs faster than individuals can responsibly disclose them, coordinated pooling is the only way to keep the patch window from collapsing to zero.
Worth watching if you maintain open-source dependencies or work in software supply chain security.


🧪 Strange Cyber
 
Strange but real
Ransomware Hit a Sugar Mill and Left the Crops in the Field
Intro
Most ransomware operators want money. The Gentlemen, apparently, just want chaos.
What Happened
The Gentlemen ransomware gang hit Mackay Sugar, Australia's second-largest sugar producer, knocking two of three mills to severely limited capacity. The company told growers to halt their harvests immediately. The problem is that sugar cane must be processed within 48 hours of being cut or the yield degrades significantly. Farmers were left watching their crops sit in the ground. Railway transport of cane was also disrupted. The Gentlemen claimed the attack publicly but posted no ransom demand, no extortion threat, and no data theft claim.
Why It Matters
Ransomware against food and agriculture production chains is not a hypothetical risk. When a mill goes offline at harvest time, the damage isn't limited to the company's systems. It cascades upstream to the farmers who can't harvest and downstream to the processors who can't receive.
The Other Side
Mackay Sugar reported "significant progress" restoring operations within a few days. The absence of a ransom note may mean this was an affiliate running a playbook the operators didn't sanction, something The Gentlemen have had to address publicly before.
 
👉 Takeaway
A ransomware group with no ransom demand targeting a sugar mill during harvest season is genuinely weird. It's also a clear preview of what critical infrastructure disruption looks like when the goal is operational damage, not extortion.
TL;DR: Ransomware knocked out Australia's sugar supply chain during harvest, farmers couldn't cut their crops, and the gang never asked for anything.
Further reading: The Register
