Stone-Knight Security

Morning Muster · Daily cyber threat brief · CESAR feed
Updated 2026-07-04 11:02 UTC
Articles: 96 · Sources: 8

🌍 Global Ransomware Heatmap · 2189 victims · last 90d · top: US

Critical CVEs & Vulnerabilities · 18 items

The Hacker News · 2026-07-03 19:40 UTC
A newly disclosed Linux kernel flaw called Bad Epoll (CVE-2026-46242) lets an ordinary user with no special access take full control of a machine as root. It affects Linux desktops, servers, and Android, and a fix is out. Bad Epoll sits in the same small stretch of kernel code where Anthropic's most powerful AI…
The Hacker News · 2026-07-02 18:30 UTC
Threat actors associated with the Anubis ransomware operation have been observed exploiting the Citrix Bleed 2 (CVE-2025-5777) vulnerability to obtain initial access. "Although tactics differ between affiliates, common patterns emerged in tradecraft through use of legitimate Remote Management and Monitoring (RMM)…
CISA KEV · 2026-07-01 00:00 UTC
Added to KEV 2026-07-01. Required action: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or…
CISA KEV · 2026-06-29 00:00 UTC
Added to KEV 2026-06-29. Required action: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or…
CISA KEV · 2026-06-25 00:00 UTC
Added to KEV 2026-06-25. Required action: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or…
CISA KEV · 2026-06-23 00:00 UTC
Added to KEV 2026-06-23. Required action: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or…
CISA KEV · 2026-06-23 00:00 UTC
Added to KEV 2026-06-23. Required action: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or…
CISA KEV · 2026-06-23 00:00 UTC
Added to KEV 2026-06-23. Required action: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or…
CISA KEV · 2026-06-16 00:00 UTC
Added to KEV 2026-06-16. Required action: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or…
CISA KEV · 2026-06-12 00:00 UTC
Added to KEV 2026-06-12. Required action: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or…
CISA KEV · 2026-06-11 00:00 UTC
Added to KEV 2026-06-11. Required action: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or…

Active Threats & Malware · 16 items

The Hacker News · 2026-07-03 18:55 UTC
Cybersecurity researchers have discovered a previously undocumented modular malware framework codenamed Avalon that's distributed by means of a multi-stage phishing chain capable of bypassing traditional security controls. Avalon combines credential collection, lateral movement, remote access, recovery disruption,…
Bleeping Computer · 2026-07-03 14:12 UTC
A new phishing-as-a-service (PhaaS) platform dubbed "ARToken" appears to operate as an affiliate of the EvilTokens phishing platform, giving researchers a glimpse into an extensive toolkit designed to compromise Microsoft 365. [...]
The Hacker News · 2026-07-03 13:36 UTC
A previously undocumented threat actor known as Armored Likho has been attributed to cyber attacks targeting government agencies and the electric power sector across Russia, Brazil, and Kazakhstan. "Armored Likho blends financially motivated campaigns targeting private individuals with targeted cyber espionage aimed…
SecurityWeek · 2026-07-03 11:00 UTC · Agentic AI Used to Conduct Ransomware Attack via Langflow
Attack demonstrates how LLM agents can combine known exploitation techniques with real-time reasoning to automate complex, multi-stage intrusions.
The Hacker News · 2026-07-03 08:03 UTC
Cybersecurity researchers have flagged a new macOS information stealer called PamStealer that employs a series of clever tricks to infect systems and siphon sensitive data. The stealer, discovered by Jamf Threat Labs, is distributed as a compiled AppleScript (.scpt) file impersonating Maccy, a legitimate open-source…
Krebs on Security · 2026-07-02 19:27 UTC
The Federal Bureau of Investigation (FBI) said today it worked with industry partners to seize hundreds of domains associated with NetNut, a sprawling residential proxy service operated by the publicly-traded Israeli company Alarum Technologies [NASDAQ: ALAR]. The action comes roughly two weeks after KrebsOnSecurity…
The Hacker News · 2026-07-02 15:24 UTC
This week’s security news is mostly about weak spots. Browsers, bots, sandboxes, AI systems, and email flows all show the same problem in different ways. Everything looks normal until someone tests a small gap and finds a way through. This is not one big break. It is small permissions, weak checks, open systems, and…
The Hacker News · 2026-07-02 13:04 UTC
The threat actor known as ToddyCat has been attributed to a new malware called Umbrij that's designed to gain surreptitious access to a victim's email correspondence via the Google API. "In this campaign, the attackers focused their attention on corporate email communications hosted on Gmail, targeting access…
SecurityWeek · 2026-07-02 12:34 UTC · FortiBleed Campaign Linked to INC, Lynx Ransomware Attacks
Researchers say credentials harvested from hundreds of thousands of FortiGate firewalls are being used to facilitate ransomware attacks by the INC and Lynx operations.
Krebs on Security · 2026-06-18 17:37 UTC
For the past four years, a sprawling Android-based botnet called Popa has forced millions of consumer TV boxes to relay Internet traffic linked to advertising fraud, account takeovers, and mass data-scraping efforts. This week, researchers from multiple security firms concluded that the Popa botnet is linked to…
Krebs on Security · 2026-06-10 14:03 UTC
A cybercrime group known as The Gentlemen has emerged as the second most active ransomware gang by victim count, rapidly attracting a talented pool of hackers through an aggressive recruitment strategy that promises affiliates 90 percent of any ransom paid by victims. This post examines clues pointing to a real life…
Krebs on Security · 2026-05-21 21:50 UTC
Canadian authorities on Wednesday arrested a 23-year-old Ottawa man on suspicion of building and operating Kimwolf, a fast spreading Internet-of-Things botnet that enslaved millions of devices for use in a series of massive distributed denial-of-service (DDoS) attacks over the past six months. KrebsOnSecurity…

Data Breaches · 8 items

The Hacker News · 2026-07-03 20:19 UTC
Security firm runZero has disclosed seven vulnerabilities in FatFs, a small filesystem library that lets a device read and write the FAT and exFAT formats used on USB drives and SD cards. The flaws matter because FatFs is nearly everywhere. It ships inside the firmware that runs security cameras, drones, industrial…
The Hacker News · 2026-07-03 16:07 UTC
Threat actors with ties to North Korea have been linked to a fresh set of malicious npm packages that masquerade as Rollup polyfill tooling to facilitate remote access and data theft. According to JFrog, the packages "rollup-packages-polyfill-core" and "rollup-runtime-polyfill-core" mimic the legitimate…
SecurityWeek · 2026-07-03 10:00 UTC · Medtronic Data Breach Impacts 3.8 Million People
In April, ShinyHunters accessed the company’s corporate IT systems and stole patients’ personal and medical information.
Krebs on Security · 2026-05-22 16:34 UTC
Lawmakers in both houses of Congress are demanding answers from the U.S. Cybersecurity & Infrastructure Security Agency (CISA) after KrebsOnSecurity reported this week that a CISA contractor intentionally published AWS GovCloud keys and a vast trove of other agency secrets on a public GitHub account. The inquiry…
Krebs on Security · 2026-05-18 20:48 UTC
Until this past weekend, a contractor for the Cybersecurity & Infrastructure Security Agency (CISA) maintained a public GitHub repository that exposed credentials to several highly privileged AWS GovCloud accounts and a large number of internal CISA systems. Security experts said the public archive included files…

Nation State Activity · 1 item

Tools & Research · 18 items

The Hacker News · 2026-07-03 11:05 UTC
A new report from the Citizen Lab has revealed that former Member of the European Parliament Stelios Kouloglou had his mobile device repeatedly hacked with the notorious Pegasus spyware while serving on a committee that was tasked with investigating the abuse of such commercial surveillance tools in the bloc.…
SecurityWeek · 2026-07-03 09:30 UTC · Alleged Scattered Spider Hacker Extradited to US
Prosecutors say 19-year-old Peter Stokes was a member of Scattered Spider, the hacking group linked to more than 100 network intrusions and over $100 million in ransom payments.
SecurityWeek · 2026-07-03 07:57 UTC · Critical Cursor AI Code Editor Flaws Could Lead to OS-Level Remote Code Execution
The DuneSlide vulnerabilities enable zero-click prompt injection attacks that escape Cursor's sandbox and execute arbitrary code on the underlying operating system.
The Hacker News · 2026-07-02 18:54 UTC
Google has significantly degraded NetNut, one of the biggest networks that turns home devices into rented relays for other people's traffic. Working with the FBI, Lumen, and others, Google's Threat Intelligence Group (GTIG) said this week it had reduced the network's pool of usable devices by millions. Google…
Recorded Future · 2026-07-02 16:50 UTC
In a Tuesday letter, Max Schrems, the founder of the Vienna-based privacy advocacy organization noyb, told European officials he plans to sue to invalidate the EU-U.S. Data Privacy Framework (DPF) that allows for the transfer of personal data from the EU to U.S. companies.
Bleeping Computer · 2026-07-02 15:18 UTC
Court of Justice of the European Union (CJEU) has dismissed Google's final appeal against a €4.1 billion ($4.7 billion) antitrust fine over the company's use of Android to promote its Chrome browser and search service. [...]
SecurityWeek · 2026-07-02 13:15 UTC · How to Conduct a Successful Audit of AI-Driven Software Development
As AI-generated code becomes commonplace, CISOs need new audit strategies to measure developer practices, govern AI tool usage, and identify software risks before they reach production.

📺 NetworkChuck Cliff Notes

2026-07-02 · YouTube
NetworkChuck & Daniel Miessler break down high-leverage meta-prompts to run against Fable 5 (Claude's most capable model) before its free-tier window closes July 7.
  • Fable 5 (Anthropic) was briefly pulled offline by U.S. gov — free unlimited access window ends July 7, then drops to 50% usage cap
  • Core framework: treat the model like a super-intelligent alien — don't run errands, use it to rebuild foundational systems
  • Prompt 1: optimize your AI harness/system prompt architecture; Prompt 2: audit for prompt injection vulnerabilities
  • Prompt 3: full attack surface review of everything you've deployed; Prompt 4: self-model audit — clarify your actual goals and trajectory
  • Daniel Miessler's full prompt list at danielmiessler.com — prioritize work that outlasts the access window
2026-06-19 · YouTube
NetworkChuck exposes the risks of shadow AI — unauthorized AI tools employees use without IT/security team knowledge — and how to discover and govern them.
  • Shadow AI refers to unsanctioned AI tools (ChatGPT, Copilot plugins, etc.) used inside orgs without security oversight
  • Rogue AI usage creates data exfiltration, compliance, and IP leakage risks invisible to traditional DLP controls
  • Vanta sponsored — positioned as a tool to discover and manage shadow AI across the org's SaaS/tool footprint
  • Mitigation involves AI inventory, acceptable-use policies, and continuous monitoring of OAuth-connected apps
  • Kill chain relevance: shadow AI is a low-visibility data exfiltration vector (T1567) and insider threat amplifier
2026-06-18 · YouTube
NetworkChuck hosts a live 90-min AMA for Summer of CCNA, answering community certification questions on exam prep and study strategies.
  • Live Q&A format with real-time viewer questions focused on CCNA certification path and exam prep
  • Covers common pain points: cert track decisions, study strategies, and networking fundamentals
  • Community-driven session sourcing questions directly from Summer of CCNA enrollees
  • Part of NetworkChuck's structured Summer of CCNA course series via NetworkChuck Academy
  • Enroll at academy.networkchuck.com/course/premium-summer-of-ccna
2026-06-18 · YouTube
HTTPS encrypts traffic content but exposes visited domains via SNI in TLS handshakes and DNS queries, visible to your ISP.
  • TLS/HTTPS hides payload data but not the Server Name Indication (SNI) field — domain names leak in plaintext during handshake
  • DNS queries expose browsing destinations unless encrypted DNS (DoH or DoT) is in use
  • ISPs can log visited domains via SNI and unencrypted DNS regardless of HTTPS padlock
  • Encrypted Client Hello (ECH) is the emerging fix — wraps SNI in encryption, still not widely deployed
  • Mitigations: use DoH/DoT, enable ECH where supported, route traffic through a trusted VPN or Tor
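The two leak points listed above can be seen directly on the wire. The Python below is an added example, not code from the NetworkChuck video or from any TLS or DNS implementation: it constructs a minimal ClientHello and a plain DNS query in memory (host names, transaction ID, cipher list and random bytes are all made up for the demonstration) and parses them exactly as a passive on-path observer would, without decrypting anything. Field layouts follow RFC 8446 for the ClientHello and its SNI extension (type 0x0000) and RFC 1035 for the DNS question section; the port-based dispatch in the observer stands in for how a tap classifies flows.

```python
"""Added example: what an on-path observer recovers from HTTPS traffic.
Synthetic packets only; no network access and no real client code."""
import struct
from typing import List, Optional, Tuple


def build_client_hello(hostname: Optional[str]) -> bytes:
    """Construct a TLS record carrying a ClientHello. hostname=None omits the
    SNI extension so the parser's fail-closed path can be exercised."""
    # supported_versions (type 43) offering TLS 1.3 and 1.2
    sv_body = b"\x04\x03\x04\x03\x03"
    extensions = struct.pack("!HH", 43, len(sv_body)) + sv_body
    if hostname is not None:
        name = hostname.encode("ascii")
        # ServerName entry: name_type 0 (host_name), 2-byte length, the name
        server_name = b"\x00" + struct.pack("!H", len(name)) + name
        sni_body = struct.pack("!H", len(server_name)) + server_name
        extensions = struct.pack("!HH", 0x0000, len(sni_body)) + sni_body + extensions
    body = (
        b"\x03\x03"                            # legacy_version = TLS 1.2
        + b"\x11" * 32                         # client random (constructed filler)
        + b"\x00"                              # empty legacy_session_id
        + struct.pack("!H", 2) + b"\x13\x01"   # one suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                          # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # msg type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Walk a TLS record like a middlebox and return the plaintext SNI host
    name, or None if this is not a ClientHello or it carries no SNI."""
    try:
        if len(record) < 5 or record[0] != 0x16:             # 0x16 = handshake record
            return None
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if len(hs) < 4 or hs[0] != 0x01:                     # 0x01 = ClientHello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                         # legacy_version + random
        pos += 1 + body[pos]                                 # legacy_session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + body[pos]                                 # compression_methods
        if pos + 2 > len(body):
            return None                                      # no extensions block
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type != 0x0000:
                continue
            lpos = 2                                         # skip server_name_list length
            while lpos + 3 <= len(data):
                name_type = data[lpos]
                name_len = struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
                if name_type == 0:
                    return data[lpos + 3:lpos + 3 + name_len].decode("ascii")
                lpos += 3 + name_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                          # malformed: fail closed


def build_dns_query(qname: str, txid: int = 0x1234) -> bytes:
    """Construct a plaintext UDP DNS A-record query (constructed sample)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = b"".join(
        bytes([len(part)]) + part.encode("ascii") for part in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def extract_qname(packet: bytes) -> Optional[str]:
    """Return the QNAME of a plaintext DNS message; DoH/DoT would hide it."""
    if len(packet) < 12 or struct.unpack("!H", packet[4:6])[0] == 0:
        return None                                          # no question section
    labels, pos = [], 12
    while pos < len(packet) and packet[pos] != 0:
        n = packet[pos]
        if n & 0xC0 or pos + 1 + n > len(packet):
            return None                                      # pointer or truncated
        labels.append(packet[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels) if labels else None


def passive_observer(flows: List[Tuple[int, bytes]]) -> List[str]:
    """Names a tap logs from (dst_port, payload) pairs: SNI on 443, QNAME on 53."""
    seen = []
    for dst_port, payload in flows:
        name = None
        if dst_port == 443:
            name = extract_sni(payload)
        elif dst_port == 53:
            name = extract_qname(payload)
        if name:
            seen.append(name)
    return seen


if __name__ == "__main__":
    # Constructed capture: the DNS lookup and the TLS connection it enabled.
    capture = [(53, build_dns_query("mail.example.org")),
               (443, build_client_hello("mail.example.org"))]
    print(passive_observer(capture))  # ['mail.example.org', 'mail.example.org']
```

Both names come back without touching a single encrypted byte, which is the whole point of the video: the padlock protects the request and response, not the destination. Encrypted DNS removes the port-53 leak; ECH does not remove the SNI field but replaces it in the outer ClientHello with the fronting provider's public name, so the observer learns the CDN or hosting provider rather than the site. The no-SNI branch of `build_client_hello` only shows the parser failing closed on a hello without the extension; it does not implement ECH.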
2026-06-18 · YouTube
Cisco Cloud Control unifies network management into a single AI-driven platform where AI agents autonomously handle config, troubleshooting, and policy enforcement.
  • Cisco Cloud Control consolidates multi-domain network management — switches, routers, cloud fabric — into one pane of glass
  • AI agents move beyond copilot suggestions to autonomously execute network tasks, reducing manual operational overhead
  • Platform spans on-prem, cloud, and hybrid environments, eliminating tool sprawl across fragmented management consoles
  • Sponsored demo shows real-world automation workflows replacing repetitive admin tasks with agent-driven actions
  • Positions Cisco's cloud-managed networking as the next evolution beyond traditional siloed network management tools