In partnership with

~7 MIN READ
Fact Attackers began exploiting Adobe's new maximum severity ColdFusion flaw within two hours of the technical details going public.(BleepingComputer / KEVIntel, July 2026).
The Signal
 
This edition is about who gets caught, who apologizes, and who never has to explain themselves at all. Naming names turns out to be the thing that actually moves readers, so that's where we're pointed this week.

PS: Was this forwarded to you? Subscribe free at exzeccyber.com/subscribe

In this edition
  📌 Big Cyber News
  🚨 Can't Miss
  🤖 AI in Cyber
  🏛️ Privacy, Power & Policy
  🛠️ Tools & Tactics
  🧪 Strange Cyber
📌 Big Cyber News
 
Data Breach
ShinyHunters Hit Medtronic. 3.8 Million People Just Found Out.
Intro
Medtronic makes the pacemakers and insulin pumps that keep people alive. It also just spent ten weeks not telling 3.8 million of them that hackers had their Social Security numbers.
What Happened
ShinyHunters broke into Medtronic's corporate IT systems between April 13 and 19, 2026, claiming 9 million records including names, birthdates, SSNs, and health details. The group listed Medtronic on its leak site on April 18, then quietly pulled the listing, usually a sign a ransom got paid. Notification letters went out this week, confirming 3,834,294 people affected.
Why It Matters
A medical device maker just proved "our products are safe" and "your identity is safe" are separate promises, and only one held.
The Other Side
Medtronic says there's no evidence the data was posted publicly, and it's offering two years of credit monitoring, the industry's standard apology gift.
 
👉 Takeaway
If you're a Medtronic device patient, assume your SSN is out there and act accordingly, credit freeze included.
TL;DR: ShinyHunters stole health and SSN data on 3.8 million Medtronic patients in April; notifications went out in July.
Further reading: SecurityWeek
🚨 Can't Miss
 
 
Zero-Day
Adobe patched CVE-2026-48282, a maximum severity RCE flaw in ColdFusion, on June 30. Attackers were exploiting it within about two hours of the technical writeup going public. The bug lives in ColdFusion's Remote Development Services feature, off by default, but plenty of production servers leave it on.
Check whether RDS is enabled today, not Monday.
 
Remote Access
BeyondTrust disclosed CVE-2026-40138, a 9.2 severity auth bypass in its Remote Support and Privileged Remote Access appliances, the tools IT teams use to jump into other people's machines. Cloud customers got patched in April; self-hosted customers are only hearing about it now.
Self-hosted BeyondTrust admins have had an open door longer than they'd like. Patch now.
 
Phishing
Attackers built fake job-interview emails impersonating Adidas, Netflix, Coca-Cola, OpenAI, and two dozen other brands, with real recruiters' names and photos, to lure marketers into a fake Google sign-in page. The scheme has run for five months using a browser-in-the-browser trick that fakes the whole login popup in HTML and CSS.
A "recruiter" asking you to sign into Google to book a call isn't how hiring works. Close the tab.

David Joerg, Chess.com's AI/ML product manager, ran 30+ projects through Viktor in six weeks, from an AI phone-agent system to logistics and research, then onboarded six family members. Get Started for Free.

🤖 AI in Cyber
 
 
AI-Built Malware
Check Point says an Iran-linked group it calls Cavern Manticore is using a modular, likely AI-assisted C&C framework to breach Israeli government agencies and IT providers, hopping between compromised vendors to reach the real target. A human clearly finished the work, but the scaffolding has an AI model's fingerprints on it.
State-linked hacking crews are treating AI coding assistants like everyone else does: a force multiplier, not a replacement.
 
AI Arms Race
Qihoo 360 unveiled Tulongfeng, an AI vulnerability-hunting swarm it says found 3,432 flaws, positioned as China's answer to Anthropic's Claude Mythos. Unlike Anthropic and OpenAI, Qihoo 360 has published no independent benchmark, and at least one claimed discovery was actually credited to human researchers elsewhere.
A US-China arms race over who finds zero-days first is underway, and only one side is showing its work.
🏛️ Privacy, Power & Policy
 
 
Data Brokers
Gov. Mikie Sherrill signed a law making New Jersey the seventh state with a data broker statute, and the priciest: the largest brokers now owe up to $1.5 million a year to register, with a second tier kicking in at just 100,000 consumers. Selling sensitive data now carries a $50,000-per-record fine.
Data brokers just got a new reason to think twice about their New Jersey customer list.
 
Accountability
X Corp petitioned the FTC to end a 2022 consent decree requiring it to report on data practices through 2042, the result of a $150 million fine for misusing phone numbers collected for account security. EFF and allies urged the FTC to reject the petition, noting X's 2025 data breach and un-consented Grok AI training undercut its "new leadership" defense.
A name change doesn't dissolve a company's legal obligations, and EFF wants that on the record.
🛠️ Tools & Tactics
 
 
Practical play
CISA and partners are warning that threat actors are compromising internet-exposed automatic tank gauge systems, used across energy, chemical, and transportation sites, via default credentials and auth bypass flaws. Once inside, an attacker can fake sensor readings or mask a leak. The fix: get these systems off the public internet, kill default logins, and audit access logs. If your org runs tank monitoring, that's this week's homework.
Off the internet, no default logins, logs under watch: today's checklist.

What's changing in global hiring?

Global hiring is changing fast. From AI's impact on HR to evolving compliance requirements and international expansion strategies, the rules are constantly shifting.

Oyster's events bring together HR leaders, founders, operators, and global employment experts to discuss what's working now—and what's coming next.

Whether you're hiring internationally today or planning for tomorrow, you'll walk away with practical insights you can actually use.

🧪 Strange Cyber
 
Illustration of a hacker realizing his ransomware attack hit a forbidden CIS target, with a glowing map and an OOPS alert on screen
Strange but real
A Ransomware Gang Apologized to the Company It Hacked by Mistake
Intro
This one happened back in June, but it's too good to leave on the shelf. A ransomware affiliate broke the one unwritten rule every Russian-language cybercrime crew knows, and its own bosses were mortified enough to say sorry.
What Happened
An affiliate working for RAlord, via an affiliate program called Nova, hit Eriell Group, an oilfield services company headquartered in Uzbekistan with a Moscow office. Nova publicly apologized, banned the affiliate, and offered Eriell free recovery help, insisting no files were encrypted and no data would leak.
Why It Matters
The "first rule of ransomware club," don't hit anyone in the former Soviet sphere, exists because local law enforcement mostly leaves these gangs alone as long as they only rob foreigners. Break that rule and you risk the whole business model.
The Other Side
A free cleanup and a pinky promise not to leak your data is still cold comfort if you're the ops team that just lost a day to ransomware, apology or not.
 
👉 Takeaway
Ransomware crews have rules. They're just not written for your protection, they're written for the gang's.
TL;DR: A ransomware affiliate accidentally hit a company with ties to the CIS, and its own gang apologized and banned the guy responsible.
Further reading: The Register

Claude vs Gemini. OpenAI vs Anthropic. Which lab ships next? Real money on all of it. Kalshi is the CFTC-regulated prediction market for tech readers. Trade what you know.

Keep Reading