Skip to content
SPECIAL

THREATS TO CRITICAL INFRASTRUCTURE IN IRAN CONFLICT

READ MORE

Cyber Briefing – July 16, 2026


Cyber Briefing

TODAY’S TOP 5

CHINA DRAWS LESSONS FROM RUSSIA’S CYBER FAILURES: Chinese analysts have closely followed Russia’s cyber offensive against Ukraine, drawing a series of lessons about how the People’s Republic of China (PRC) can better prepare for cyber warfare, Sunny Cheung writes at the Jamestown Foundation. Analysts blame Russia’s underwhelming cyber campaign at the outset of its invasion on institutional flaws. This contrasts with analysts in the West who suggest that cyber capabilities are not a decisive factor in contemporary warfare. In response, Chinese analysts advocate for a more unified command structure and enhanced civil-military fusion. Research on cyberattacks against critical infrastructure in Ukraine and, more recently, by the United States in Venezuela underscore the need to improve domestic resilience and defenses for critical infrastructure.

  • The European Union has accused China – along with Russia – of trying to “reshape the global order in line with their interests” and “fostering a return to a sphere-of-influence logic,” in an explosive new position paper that contains some of the bloc’s strongest ever official criticism of Beijing, the South China Morning Post reports. The paper, which was adopted by the EU’s 27 foreign ministers on Monday without any announcement, accuses Beijing of being both a “key enabler” and “crucial enabler” of Russia’s war on Ukraine, language previously used by Nato. In stark terms, the paper casts Russia and China as the two principal revisionist powers challenging European security and the international rules-based order.
  • China’s military procurement system has suspended or permanently barred more than a dozen of the country’s leading cybersecurity vendors since 2024, according to new research from threat intelligence group Natto Thoughts, Security Week reports. The findings, based on public notices from the military procurement network cross-referenced with corporate disclosures and Chinese media reports, identify at least 21 enforcement actions between 2021 and 2026 tied to contract bidding misconduct rather than product or technical failures. The penalties fall under a three-tier system used by the People’s Liberation Army (PLA): a private warning list for early-stage concerns, a suspension list for confirmed but limited violations, and a public blacklist reserved for serious offenses that can carry lifetime bans extending to affiliated companies and executives.

AI AND THE RISK OF STRATEGIC CYBERATTACK: Cyber weapons have long been described as strategic instruments of statecraft. In practice, they have almost always been tactical in their application. Attackers have struggled to predict the effects of their operations with confidence, overcome complex classification structures, and assemble the expert-level capacity required to execute sophisticated cyberattacks at scale. As a result, cyber operations have rarely achieved the kind of broad, sustained strategic effects that theorists, journalists and U.S. government sources have long anticipated. In a new RAND paper, Michael Sulmeyer argues that artificial intelligence — particularly agentic AI, meaning systems capable of pursuing goals with some degree of autonomy — will significantly expand the strategic potential of cyber operations. It will do so primarily by alleviating the constraint on expert-level human capacity that has most limited strategic outcomes to date. Current developments in AI are likely to reshape three key characteristics that have confined most cyber activity to tactical uses, though not equally.

• • AI will affect not just deception and vulnerability, but also relative organizational capability, complexity and uncertainty, and even the scale of blast radius achievable from an operation. The killer defensive application of AI may not be about vulnerability or deception at all, but about simplifying defensive collaboration, speeding recovery times or closing longstanding workforce shortages, Jason Healey writes at Lawfare. Still, all things being equal, academics are correct to highlight the role of deception and to predict continued difficulties for attackers at the high end of sensitive-target espionage operations. Even empowered with AI, attackers will find it hard to conduct complex operations that require extended presence to steal precise information against determined defenders.

BLIND SPOT INDICATORS FOR SPACE: The ability of the United States to fight in and through space has disproportionately magnified the effectiveness of U.S. military forces. However, this advantage has been eroding as China ramps up its investments in the space domain. The speed and scale of China’s sprint to improve its space capabilities should ring alarm bells and prompts the following question: What do current research and development efforts portend for future trends in China’s capabilities and operations that use space? Failing to understand these trends creates potential blind spots that could undermine the United States’ ability to maintain an advantage in space. A new RAND report presents methodologies for forecasting future U.S.-China space competition using open-source data and present two initial projections using these methodologies. These approaches can be used to decrease the scale and scope of future surprises and help the United States avoid falling behind in key areas of active space competition. With appropriate additional tuning, the methodologies could be extended to additional missions or research domains or matured into production-quality tools. Although it is not possible to avoid surprise entirely, forecasts such as these can help U.S. planners secure an incontrovertible advantage in space.

  • New navigation satellites in low Earth orbit could provide 100 times stronger signal strength compared to GPS and other global navigation satellite systems operating from higher orbital altitudes — enabling greater location accuracy within dense cities, under thick foliage, and even inside buildings, Ars Technica reports. Such signals would also likely prove more resilient to interference at a time when commercial flights, maritime shipping, and even various smartphone apps face increasingly widespread disruption from GPS jamming.
  • After a months-long pause, the Space Development Agency is ready to launch its next batch of satellites that will be part of the Proliferated Warfighter Space Architecture — a network of small, low Earth orbit (LEO) satellites designed to support military operations, Federal News Network reports. A SpaceX rocket will launch 21 Tranche 1 transport satellites on July 16 from Vandenberg Space Force Base, California. The launch comes after SDA faced a number of issues with the first 42 Tranche 1 Transport Layer satellites by York Space Systems and Lockheed Martin, which were launched in September and October of last year. 

DRONE FIRES LONG-RANGE MISSILE: The Air Force for the first time successfully fired an air-to-air missile from a new jet-powered combat drone built by defense startup Anduril, The Wall Street Journal reports. The recent test, the Air Force said, is an important next step in the development of what the military calls Collaborative Combat Aircraft, autonomous drones designed to fly alongside manned warplanes. “We’re one step closer to delivering capabilities to the warfighter,” Gen. Kenneth Wilsbach, the Air Force chief of staff, said in a statement Wednesday announcing the test. While the drone is designed to fly autonomously with manned combat aircraft, a human will decide whether to fire weapons, the Air Force said. 

  • The Army could award contracts for its high-profile Common Autonomous Multi-Domain Launcher (CAML) program next month, according to Lt. Gen. Frank Lozano, the service’s portfolio acquisition executive for Fires, Breaking Defense reports. Lozano also announced that the Army is currently “negotiating a contract” with AeroVironment (AV) for the service’s Enduring-High Energy Laser (E-HEL) program, the Army’s first program of record for a new family of high-energy lasers designed to take down airborne threats, primarily drones. “We’re actually just on the tail end of a number of demonstrations from vendors who are proposing the autonomous mobile platform […] and the munitions pallet capability, and a pitch on weapon system integration capability,” Lozano said of the CAML program during a Center for Strategic and International Studies event Tuesday.
  • Elevated by its new status as an official Pentagon Field Activity, the Defense Innovation Unit is maturing with funding and permanence under the leadership of its new director, Owen West, who welcomes the pressure his team is under to speedily deliver “measurable” weaponry and combat power to the U.S. military. “This could be my last job — I don’t care. I just want to make sure that we get drones in the hands of troops, and we build up a capability in space that cannot be matched for 10 years by our enemies,” West told DefenseScoop. He has set an aggressive agenda for the 11-year-old innovation hub, focusing on highly practical and quickly deployable technologies that have strong backing from service members who rely on them for real-world warfare.
  • President Donald Trump urged top defense executives ‌on Wednesday to accelerate weapons production and expand manufacturing capacity as wars in Ukraine and the Middle East strain U.S. stockpiles and expose bottlenecks in the nation’s industrial base, Reuters reports. Speaking at Pennsylvania Senator Dave McCormick’s Defense and Innovation Summit, Trump exhorted armsmakers, “We have the best quality in the world, but we need a little more speed.” Trump’s appearance underscored a broader focus by the administration on defense production as prolonged conflicts have consumed large quantities of missiles, interceptors and other weapons, while highlighting the limits of the U.S. military supply chain ⁠and production capacity.
  • Reading in between the lines of the NDAA, Madeleine Field at War on the Rocks takes a look into acquisition policy and contracting, program and portfolio management, organizational change and the industrial base, defense economics, data and software, talent and workforce development, and emerging tech policy.

AI EXECS FEAR FOR THEIR LIVES: In recent months, mounting opposition to AI has given rise to a surge of violent rhetoric, threats against people and property, and a serious attempt at harm, The Wall Street Journal reports. The phenomenon has executives at tech companies large and small reconsidering their personal security arrangements and how they talk about their products to a public that is increasingly wary of the technology and the societal changes it is ushering in. Police in San Francisco have responded to several threats against employees of Anthropic and OpenAI, according to records viewed by the Journal. The Texas man who allegedly threw an incendiary device at Altman’s house was charged with attempted murder and attempted arson. Officers found a manifesto advocating for the killing of AI CEOs and investors. He pleaded not guilty.

OSINT YOU NEED TO START YOUR DAY: The Cyber Briefing is brought to you by the McCrary Institute for Cyber and Critical Infrastructure Security at Auburn University. SUBSCRIBE
WE WANT TO HEAR FROM YOU: What would you like to see in your morning briefing? Reach out to Executive Editor Bridget Johnson with your comments and suggestions

CYBER FOCUS PODCAST

(Watch on YouTube or click the player above)

National security challenges increasingly cut across technology, economic competitiveness, critical infrastructure, manufacturing and workforce development. Universities have a growing role to play not only in conducting research, but also in translating ideas into practical solutions and preparing students to confront real-world problems. Auburn University President Dr. Chris Roberts, McCrary Institute Chairman Lt. Gen. (Ret) Ron Burgess, Senior Vice President for Research Dr. Steve Taylor and Samuel Ginn College of Engineering Dean Dr. Mario Eden join Frank Cilluffo on the latest episode of Cyber Focus to discuss Auburn’s commitment to national security. The conversation explores the changing threat environment, the university’s expanding research presence in Huntsville, partnerships among academia, government and industry, and how experiential education can prepare students for jobs and technologies that do not yet exist.

SUBSCRIBE TO CYBER FOCUS: YouTube | Spotify | Apple Podcasts

CYBER AND CI UPDATES

ATTACKS AND INCIDENTS

Breaches

After KFC, cyberattack hits Japanese ice cream giant Glico

A major Japanese ice cream maker said on July 16 that it is seeing shipment delays following a cyberattack at its logistics partner that has already affected KFC and a large sushi chain. Ezaki Glico, known for popular snacks such as Pocky, said some of its ice cream products rely on refrigerated warehouses owned by Nichirei, the target of the latest hack on a Japanese firm’s computer systems. Glico declined to discuss the financial impact on its business, even as the attack hit at a time when ice cream demand surges with sweltering heat blanketing Japan. (STRAITSTIMES.COM)

23andMe reaches $18 million settlement with states for massive breach

A coalition of 42 state attorneys general on Tuesday said they reached an $18 million settlement with 23andMe for cybersecurity failings that led to a data breach exposing 6.9 million people’s information, including genetic ancestry data. The agreement also requires new data protection measures from the 23andMe Research Institute, a nonprofit founded in May 2025 by 23andMe CEO Anne Wojcicki. The institute absorbed 23andMe’s assets, including genetic data. The new requirements include undertaking risk assessments and appointing a special board to oversee data security. The settlement also requires that 23andMe customers maintain their right to throw out their genetic samples and delete personal data indefinitely. (THERECORD.MEDIA)

Romania’s land registry hit by cyberattack, data allegedly for sale

Romania’s National Agency for Cadastre and Land Registration (ANCPI) suffered a major disruption on Tuesday when its e-Terra cadastre and land registry app became unavailable to users. What was first declared to be a “major technical incident” has now been confirmed as a cyber attack. While the circumstances are still being investigated by the competent state institutions, ANCPI stated that the data administered through its IT systems has not been compromised as a result of this incident. (HELPNETSECURITY.COM)

Emergency services

Heavy smoke from wildfires blankets the U.S. Midwest and Northeast, prompting evacuations

Thousands of visitors were told to evacuate a remote Minnesota wilderness area accessible only by boat as wildfires send dangerously heavy smoke over the U.S. Midwest and Northeast this week. More than 100 wildfires are burning in Canada, where a train crew in northern Ontario filmed themselves surrounded by flames before being safely evacuated. Winds are carrying the smoke southeast. Warnings about unhealthy air conditions Wednesday extended from Minnesota through Toronto and into New York. Unusually hot summer temperatures were expected, too. (APNEWS.COM)

Government

DC Housing Authority says systems still recovering weeks after cyberattack

The D.C. Housing Authority (DCHA) said it continues to recover from a cybersecurity attack that forced it to shut down its technology systems late last month. According to DCHA, the incident was discovered on June 28, forcing the agency to take its systems offline as a precaution. Since then, its IT team has been working with cybersecurity experts and law enforcement to restore operations and investigate what happened. (WJLA.COM)

Delaware County, Pa., confirms a cyberattack caused system outages

Two and a half weeks after a cyberattack forced Delaware County to shut down its systems, most of the government’s systems have been restored, but not all, as the probe into the matter continues. On June 26, county staff became aware of “unauthorized activity” and shut down the government system, impacting phones and networks throughout the county’s operations. Since then, the county has been working to restore all of these, while continuing to serve the public, sometimes resorting to paper information and transactions. (DELCOTIMES.COM)

Transportation

Teen hackers who live streamed cyberattack on TfL jailed

Two men who carried out a cyberattack which crippled Transport For London (TfL) when they were teenagers have both been sentenced to five years and six months in prison. Owen Flowers, 18, from Walsall, and Thalha Jubair, 20, from east London, pleaded guilty in June to carrying out the hack in 2024. They were described as computer-obsessed loners who carried out the hack as part of the cyber crime collective known as Scattered Spider. (BBC.COM)

Tesla driver in fatal Texas crash pressed accelerator 100%, NTSB confirms

The National Transportation Safety Board (NTSB) said Wednesday that the driver of a Tesla who crashed into a house in June had pressed the accelerator pedal to 100%, overriding the company’s Full Self-Driving (Supervised) software. Data recovered from the Tesla showed that the vehicle was traveling more than 70 miles per hour when it struck a house in Katy, Texas, killing 76-year-old resident Martha Avila, according to the NTSB. The family of the victim has since sued the alleged driver, 44-year-old Michael Butler, and Tesla, claiming negligence. Butler has also been charged with manslaughter. (TECHCRUNCH.COM)

Qantas data breach started with a fake IT support call

On June 28, 2025, an attacker called an employee at an overseas contact center operated by a Qantas contractor. Posing as part of the airline’s IT support team, the caller directed the agent to a customer relationship management platform and described several actions as necessary to close a support ticket. Those legitimate-looking steps connected the agent’s CRM session to a data extraction tool controlled by the attacker. Qantas identified unusual login-attempt alerts two days later. It then revoked access to the affected account, began assessing the data theft and it publicly disclosed the incident on July 2. (BITDEFENDER.COM)

WATCH: White House National Cyber Director Sean Cairncross, CISA Acting Director Nick Andersen and more top leaders at the recent McCrary Cyber Summit

THREATS

Artificial intelligence

Google Gemini CLI abused as a hacking agent, malware botnet operator

A Russian-speaking threat actor known as “bandcampro” used Google’s open-source Gemini CLI AI tool as a hacking agent and to operate a small-scale botnet. The AI agent responded to the attacker’s prompts, troubleshooting problems on the fly and even proposing operational improvements at least 59 times. In more than 200 sessions between May 19 and April 21, the threat actor worked with the AI tool to deploy and operate an infrastructure that controlled eight systems in a dental clinic and to get access to the OpenDental database. (BLEEPINGCOMPUTER.COM)

Cursor zero-day flaw executes malicious git.exe from repositories without user interaction

Cursor users on Windows may be at risk of arbitrary code execution following Mindgard’s disclosure of a zero-day vulnerability. This flaw allows the AI-powered integrated development environment (IDE) to automatically execute a malicious git.exe file located at the root of an open repository. Vulnerabilityscanning tools. According to research published by Aaron Portnoy on July 14, this issue does not require any user interaction beyond loading the project in Cursor, such as clicks, prompts, or approval dialogs. (GBHACKERS.COM)

PromptFiction flaw auto-submitted hidden prompts in Claude desktop

A single click on a crafted link could cause Claude Desktop to execute attacker-written instructions without prompting the user to review or send the prompt, according to new research from Oasis  Security. The vulnerability, named PromptFiction, affected Anthropic’s Claude Desktop application and used its custom claude:// URL scheme. For context, a malicious link could open the app, submit a prepared prompt automatically, and instruct the AI agent to access sensitive information or perform actions through connected tools. Anthropic fixed the flaw after it was reported through the company’s Responsible Disclosure Program. (HACKREAD.COM

Cryptocurrency

Hackers pair stolen wallet databases with keychain passwords for offline crypto theft

A macOS-focused information stealer is combining stolen wallet databases with credentials harvested from the Apple Keychain, browsers, and Apple Notes to conduct offline cryptocurrency theft attempts. Detected by the MistEye security monitoring system, the malware appears designed for broad data collection rather than a single targeted objective. Its collection scope includes macOS Keychain files, Safari and Chromium browser data, Telegram Desktop sessions, Apple Notes, and local data from wallet applications including Electrum, Exodus, Atomic, Wasabi, Monero, Bitcoin Core, Ledger Live, and Trezor Suite. (GBHACKERS.COM)

IoT

TuxBot v3 evolution shows signs of LLM-assisted IoT botnet development

Cybersecurity researchers have disclosed details of a previously unreported Internet-of-Things (IoT) botnet framework dubbed TuxBot v3 Evolution that shows signs of being developed with assistance from a large language model (LLM), albeit with not so successful results. “While the AI complied with their request to generate botnet code, it included a safety disclaimer that the developer failed to remove before shipping,” Palo Alto Networks Unit 42 said. “Although the LLM clearly aided in constructing the botnet, several functions in the analyzed samples failed to work correctly.” The cybersecurity company said a manual code review would have resolved these errors and that it’s possible more polished iterations of the malware exist out there in the wild. (THEHACKERNEWS.COM)

Malware

OkoBot malware uses ClickFix and SeedHunter to steal Ledger and Trezor seed phrases

A newly documented malware framework dubbed OkoBot is targeting cryptocurrency users with a multi-stage intrusion chain designed to capture Ledger and Trezor recovery phrases, browser credentials, wallet files, keystrokes, screenshots, and application video recordings. Researchers first observed the activity in January 2026, although the campaign’s TookPS downloader component has been active since March 2025. The latest framework expands that activity into a modular platform containing more than 202020 payloads and implants, allowing operators to deploy capabilities through an attacker-controlled SSH infrastructure remotely. (GBHACKERS.COM)

Phishing

Phishing campaign abuses eCards to deploy RMM tools

A six-month phishing operation has been tricking Windows and macOS users into installing legitimate remote monitoring and management (RMM) software through fake electronic greeting cards (eCards). According to new research published by Forescout on July 14, the campaign, which it dubbed SeasonalInvite, has been active since at least January 2026 and was still serving payloads in late June. Its defining trait is a rotating set of lures pegged to the calendar, moving from tax and Social Security themes in winter to Valentine’s, Easter and spring invitations later on. (INFOSECURITY-MAGAZINE.COM)

Ransomware

Identity attacks overtake exploits as top ransomware cause

So long, vulnerability exploitation — identity has become the dominant root cause of ransomware, according to a recent survey. Sophos published its State of Ransomware 2026 report, covering a survey Sophos conducted with 2,158 IT and cybersecurity leaders across 17 countries who worked in organizations hit by ransomware over the past year. While there are a number of fascinating findings — 56% of ransomware attacks successfully pulled off encryption against victim networks, ransom demands and payments are down — some of the most interesting data involves identity and the ways attackers are getting in. (DARKREADING.COM)

New Spirals ransomware encrypts victim network in under 24 hours

A new ransomware actor called Spirals completed a corporate intrusion, from initial access to data theft and encryption, in less than 24 hours. The attack occurred in June and breached an IT services firm in South Asia after compromising an Internet Information Services (IIS) server exposed on the public web. Researchers at Symantec’s Threat Hunter Team say that the attacker moved quickly after obtaining initial access and uploading an ASP.NET web shell. (BLEEPINGCOMPUTER.COM)

Tactics

Security researchers find stalkers abusing Chrome’s sync feature

Cyberstalkers are increasingly exploiting a feature in Google Chrome meant for mobile phone user convenience, but can give intruders broad access to a device owner’s private information, according to researchers. Certo Software said in a blog post Tuesday that stalkers are making use of Chrome’s sync capability — meant to make it so signing into Chrome on one device makes it easier to do so on other devices, too — to spy on a phone owner’s browsing history and gain access to their stored passwords. As an illustration, Certo used the case of a pseudonymous victim, Emma, who had searched for a family lawyer and visited a domestic violence support website while her partner was sleeping, only for him to bring up to her two days later. (CYBERSCOOP.COM)

Windows bind link attacks can hide malware from EDR tools

Security researchers at Bitdefender have demonstrated three attack techniques in which Windows’ bind links can be used to evade endpoint detection and response (EDR) products. Bind links are a legitimate Windows feature implemented by bindflt.sys and used by Store apps, Windows Sandbox, and Windows containers. They are a kernel-level redirection mechanism creating a virtual path that transparently maps onto the real backing path. However, if the bind link is altered so the backing path points to a file controlled by an attacker, then that file is accessed effectively invisibly. Under certain circumstances, this could lead to loading hidden malware while all the system sees is a visible link pointing at a known innocuous file. (SECURITYWEEK.COM)

Vulnerabilities

CISA orders feds to patch actively exploited Oracle flaw by Saturday

The Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to secure their systems by Saturday against ongoing attacks exploiting a critical vulnerability in the Oracle E-Business Suite (EBS) financial application. Discovered in the File Transmission component of EBS’s Oracle Payments product and tracked as CVE-2026-46817, this security flaw allows unauthenticated threat actors with HTTP network access to take over vulnerable systems in low-complexity attacks. Oracle released security updates to address the security issue with its May 2026 Critical Security Patch Update, urging customers to patch their systems immediately. (BLEEPINGCOMPUTER.COM)

Researcher ‘Chaotic Eclipse’ claims RoguePlanet Defender patch may leak data and exhaust disk space

Microsoft’s patch for the RoguePlanet Windows Defender zero-day may have introduced new security and reliability concerns, according to researcher Chaotic Eclipse. The researcher claims that recent defense-in-depth changes in Microsoft Malware Protection Engine’s mpengine.dll can leak eight bytes of data in certain file-handling scenarios and can be abused to exhaust local disk space. RoguePlanet, tracked as CVE-2026-50656, is a high-severity local privilege-escalation flaw in the Microsoft Malware Protection Engine, the core component behind Microsoft Defender scanning and remediation. (CYBERSECURITYNEWS.COM)

Unpatched Shark vacuum flaw could let attackers control other vacuums region-wide

Pull the certificate off the flash of a Shark RV2320EDUS robot vacuum, and you can run root commands on other people’s Shark vacuums across the same AWS region: watch the camera, drive the robot, read the map of the house, and take the Wi-Fi password in plaintext. A researcher publishing under the handle tokay0 put the method online on Monday, having tested it only against vacuums he bought himself. The flaw was unpatched then. He says SharkNinja, the company behind the Shark and Ninja appliance brands, has had his report since March. (THEHACKERNEWS.COM)

Zoom fixes CVE-2026-53412, a critical account takeover bug

Zoom has fixed a critical Windows vulnerability, tracked as CVE-2026-53412 (CVSS score of 9.8) that could allow unauthenticated attackers to hijack user accounts. The flaw affects older versions of Workplace, the Windows VDI Client, and the Meeting SDK for Windows. “Improper Input Validation in Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom Meeting SDK for Windows may allow an unauthenticated user to conduct an account takeover via network access.” reads the advisory. (SECURITYAFFAIRS.COM)

Trend Micro, Tanium, ESET and Tenable patch severe product vulnerabilities

Tenable told customers this week that it has fixed a critical-severity path traversal in the Tenable Agent. The security hole, tracked as CVE-2026-15265, may allow an attacker to achieve remote code execution. ESET informed customers on Tuesday that it has discovered and patched a high-severity local privilege escalation vulnerability in Inspect Connector for Windows. “On systems with the affected ESET product installed, an attacker could send self-crafted Advanced Local Procedure Call (ALPC) requests to the vulnerable process’ interface,” ESET explained in its advisory. (SECURITYWEEK.COM)

Forgotten bootloaders expose secure boot blind spot

Researchers recently discovered 11 vulnerable but still trusted UEFI shim bootloaders that attackers could have used to bypass Secure Boot on systems that trust Microsoft’s third-party UEFI signing certificate. The Unified Extensible Firmware Interface (UEFI) consists of motherboard software that connects that operating system and hardware. Microsoft revoked the vulnerable bootloaders in June through Secure Boot revocation updates after ESET reported the findings, but unpatched systems may continue to trust the components and remain exposed to boot-level attacks. (DARKREADING.COM)

F5 patches multiple NGINX, BIG-IP vulnerabilities

The most severe flaw is CVE-2026-42533 (CVSS score of 9.2), a critical issue in NGINX Plus and NGINX Open Source that could be exploited via crafted HTTP requests to cause a heap buffer overflow and restart the NGINX worker process. “A vulnerability exists in NGINX Plus and NGINX Open Source when a map directive uses regex matching and a string expression references the map’s regex capture variables before referencing the map output variable. Alternatively, the same result could be achieved by using a non-cacheable variable in a string expression under certain conditions,” F5 explains. (SECURITYWEEK.COM)

ADVERSARIES

China

Inside China’s race to overtake European supercars

Chinese electric vehicles were more dominant than ever at this year’s Goodwood Festival of Speed, a premier European auto show traditionally known for loud, fast cars from brands like McLaren and BMW. Hosted by the Duke of Richmond at his country manor, the event saw the largest stand belonging to China’s BYD, which is now taking on Europe’s storied brands on their home turf. Watch this video as Stephen Wilmot meets the Duke and automakers to discuss the intrusion of quiet Chinese EVs into the noisy world of European motor sports. (WSJ.COM)

Iran

U.S. expands strikes into northern Iran and disables ship trying to run blockade

The United States intensified its strikes on Iran early Thursday, hitting targets further north as American forces also fired into a ship the U.S. accused of trying to break its naval blockade on the Islamic Republic. Iran retaliated with missile and drone fire targeting U.S. allies in the region before dawn and warned its attacks may escalate. Days of back-and-forth strikes by the U.S. and Iran across the Middle East — and renewed threats to the Strait of Hormuz — have shredded the interim deal to end the Iran war and could tip the region back into all-out war. Already, Iranian officials say U.S. strikes have killed more than 35 people and wounded over 300 others. Strikes also reached into areas around Iran’s capital, Tehran, for the first time in this latest round of violence, showing a widening set of targets for the Americans. (APNEWS.COM)

Russia

Russia’s elite are moving billions beyond Putin’s wartime grasp

Several of Russia’s richest people including some close to President Vladimir Putin have moved billions of dollars abroad in the past year after growing concerned about the country’s economy and the government budget. High-profile asset seizures have intensified fears among members of the Russian elite that the state could confiscate their wealth or that they may lose their fortunes, according to six wealthy Russians and other people familiar with the thinking of several of the country’s billionaires. Several billionaires moved some additional assets out of Russia recently, amid concerns about the banking sector, according to some of the people and documents including corporate filings and property purchase records reviewed by Bloomberg News. (BLOOMBERG.COM)

Russian hackers trojanize WebEx, Zoom apps to push Starland malware

A financially motivated Russian threat actor tracked as UAT-11795 is using trojanized software to steal credentials and cryptocurrency by deploying a new backdoor called Starland RAT. Attacks have been occurring since at least June 2025 and have focused on users in the U.S., although victims in Germany, Romania, and Venezuela have been observed as well. According to researchers at Cisco Talos, the threat actor distributes the payload via trojanized installers for legitimate software such as MobaXterm, WebEx, Zoom, DBeaver, and FaceIT. (BLEEPINGCOMPUTER.COM)

GOVERNMENT AND INDUSTRY

Artificial intelligence

Forget the model. When it comes to cybersecurity, it’s all about the harness

As AI-enabled hacking becomes a bigger threat for cybersecurity and national security, public attention has focused on mainly a few leading frontier AI companies developing more powerful large language models. These models, and the billions of dollars behind them matter, but they’re only part of a larger shift. Enterprises are now building their own technology platforms that take these general-purpose LLMs and turn them into bespoke cybersecurity tools. Industry professionals refer to these tools as a “harness.” They control the model’s behavior, limit its risks, and connect it to internal IT systems and networks so it can work reliably at scale. (CYBERSCOOP.COM)

Despite revisions, GSA’s proposed AI acquisition rule still falls short, stakeholders say

Concerns over artificial intelligence terminology and data privacy persist in the General Services Administration’s proposed AI acquisition regulation rule, stakeholders said at a Tuesday listening session. Menaka Kalaskar, head of Palantir’s U.S. government legal and contracting team, said if the GSA proceeds with the rule as written, agencies wanting to use AI and large language models might have to look for non-GSA vehicles. The clause to set boundaries around how the GSA acquires AI was originally published in January, and changes were made to the scope, definitions and context after initial feedback. The current proposed rule was posted June 17 and public comment is open until Aug. 3. (FEDSCOOP.COM)

The AI doomsday scenario nobody talks about

On a frigid Thursday last December, 50 finance and technology experts shuffled into the International Monetary Fund’s Washington, DC, headquarters with a dire mission: to war-game how artificial intelligence might upend the global economy. For hours, a disparate cohort from organizations including Google DeepMind, Rand Corporation and the Board of Governors of the Federal Reserve System split into six groups to map and debate AI’s potential impact on tax systems, spending and gross domestic product under the secrecy of the Chatham House Rule. While the conclusions were mixed, the exercise reflected a growing realization among some of the world’s smartest thinkers that the most pressing AI doomsday scenario may not involve killer robots or sentient computers. Instead, the end of civilization as we know it will likely be caused by income tax erosion. (BLOOMBERG.COM

Is ‘Tech-xit’ imminent? UK steps up sovereignty push amid AI strife

The U.S. government’s restrictions on frontier AI models appear to have had unintended consequences across the pond. Last month, Anthropic revealed that the Trump administration issued an export control order banning foreign nationals from accessing the AI company’s Fable 5 and Mythos 5 models. The ban, which was widely criticized by the cybersecurity community, forced Anthropic to indefinitely suspend access to the models while it tried to make sense of the government’s national security concerns (details about an alleged jailbreaking flaw were not disclosed, and the US Department of Commerce never commented publicly on the ban). (DARKREADING.COM)

China wants more babies — so it’s cracking down on chatbot love affairs

Regulators in China have found unexpected common ground with their counterparts in California and New York: Humans need to stop falling in love with chatbots. But while American lawmakers nudge artificial-intelligence companies to add mental-health guardrails, Beijing is taking a heavier hand. It is policing virtual romance, in part because it wants people to stop dating machines and start having babies. On Wednesday, China enacted rules forbidding chatbots designed for companionship from encouraging emotional reliance. The regulations also ban virtual relationships with minors and require companies to alert a person’s emergency contact if they detect an emotional crisis. (WSJ.COM)

Meta now alerts parents if their teen discussed suicide or self-harm with its AI chatbot

Meta announced on Thursday that it will now notify parents if their teen discusses suicide or self-harm with the company’s Meta AI chatbot. Meta says it’s also working on the ability to contact emergency services if someone’s conversations suggest they may be at risk of self-harm. These changes arrive as Meta and other tech companies face scrutiny from regulators and parents over how AI chatbots respond to users in crisis, particularly teenagers — a liability question that’s increasingly shaping how AI companies design and market their products. (TECHCRUNCH.COM)

Cyber professionals are flocking to AI tools, but they’re getting tired of fixing mistakes and reviewing outputs

AI isn’t replacing cybersecurity roles but it is changing them, and not always for the better, according to new research. A study from ISC2 found that 65% of cybersecurity professionals who use AI in their roles are spending time deciding when to trust or act on AI-generated recommendations. Nearly two-thirds (63%) said they often find themselves reviewing and validating AI outputs. While this is basic best practice from a safety perspective, these processes are wasting valuable time. Regardless, the influx of AI tools within the profession has been welcomed by practitioners, according to the study. (ITPRO.COM)

Data centers

Data centers to add billions in power costs in 13 states

PJM, the nation’s largest electrical grid operator, on Tuesday released results of an electricity auction that would add $6.3 billion in costs to the bills of millions of households and businesses within the next three years, an increase driven by the power demands of data centers. During the annual auction, power companies supplied prices that they were willing to accept to supply electricity to PJM at times of peak demand. Those prices are then factored into the electricity rates that are eventually charged to the grid’s customers in 13 Eastern states and the District of Columbia. In a statement, PJM said data centers were increasing electricity demand throughout the region. (NYTIMES.COM)

Google buys power from record-busting solar-battery site in Arkansas

Longtime solar developer Cypress Creek Energy has not only broken ground on what could be the largest solar-plus-storage plant in the country, but also secured a blue-chip customer to pay for the clean power. Google will buy all the electricity from the first two phases of the forthcoming Steel River Energy Center in Mississippi County, Arkansas, just upriver from Memphis, Tennessee — totaling 1.6 gigawatts of solar capacity and 1.9 gigawatt-hours of battery storage. Once fully online in 2029, its power won’t flow directly to the tech giant but instead onto the grid managed by Entergy Arkansas, which supplies one of the company’s data centers and will serve a future data center planned for West Memphis, a Google spokesperson told Canary Media. (CANARYMEDIA.COM)

How hard is it to build orbital data centers, actually?

SpaceX has pinned the bulk of its future value on orbital data centers. Not rockets. Not spacecraft. Instead, it envisions launching and maintaining a constellation of 1 million satellites capable of generating 120 GW to power tens of millions — and potentially up to 100 million — frontier-class GPUs for data center services. The company’s founder, Elon Musk, revealed plans for this massive constellation months ago, but until recently, the scope of the individual satellites was largely unknown. That changed in June, when Musk and Ian Dahl, director of satellite engineering for SpaceX, spoke in a promotional video about the company’s plans to develop the first iteration of an orbital data center, called an AI1 satellite. The video finally provided the company’s numbers about the satellite’s size and power capabilities. (ARSTECHNICA.COM)

Palm Beach strikes down data center plan after local backlash

Palm Beach County commissioners rejected a proposal late Wednesday to build a digital infrastructure hub to house AI data centers and warehouses, voting in line with the ardent opposition from local residents. The facility, known as Project Tango, would have filled dozens of acres of land about 20 miles from President Donald Trump’s Mar-a-Lago club. It faced a backlash from residents who feared it would cause power and water bills to spike, an echo of tension playing out across the country as tech giants sprint to build data centers. The 5-1 decision represents a show of the strength in Florida’s efforts to rein in the tech industry. (BLOOMBERG.COM)

Sunrun ‘distributed data center’ pilot taps its home solar and battery network

Sunrun is expanding a “distributed data center” pilot that will place computing hardware in homes already outfitted with its solar and battery energy storage systems, the company said on July 8. Unlike larger, centralized data centers that could increase the load on already-congested transmission and distribution networks, the smaller computing nodes will benefit the grid by increasing utilization of existing infrastructure, Sunrun said. Sunrun’s announcement comes about three months after SPAN, an electrical hardware startup, unveiled its own distributed compute initiative in partnership with NVIDIA. SPAN and NVIDIA executives said at the time that the concept would help technology companies sidestep the grid power constraints delaying the startup of traditional data centers while improving their AI models’ performance. (UTILITYDIVE.COM)

Emergency services

LAPD renegotiating deal with Flock Safety to access company’s license plate readers

Less than a week after the Los Angeles Police Department announced it had halted its relationship with Flock Safety over concerns about how the company shares data collected from automated license plate readers around the city, police officials said they are working out a new agreement — this time with more protections in place. Flock has been criticized for sharing its data with state and federal law enforcement agencies, which detractors say helps fuel the Trump administration’s immigration crackdown by giving authorities the ability to track the movements of undocumented immigrants. (LATIMES.COM)

Intelligence

Clayton says ODNI should act as ‘board of directors’ over intel community

Jay Clayton, President Donald Trump’s nominee to lead the Office of the Director of National Intelligence (ODNI), told senators on July 15 that the agency should function as a lean oversight body rather than an operational organization, likening it to a corporate board of directors overseeing the nation’s 18-agency intelligence community. Appearing before the Senate Intelligence Committee for his confirmation hearing on Wednesday, Clayton said ODNI should concentrate on coordinating intelligence agencies, resolving disputes, and setting strategic priorities rather than managing day-to-day intelligence operations. His comments come as the Trump administration continues efforts to reduce the size and scope of the intelligence office through a broader restructuring initiative. (MERITALK.COM)

Nuclear

GAO: Additional actions needed to plan for facilities and workforce investments at National Nuclear Security Administration

In July 2024, the National Nuclear Security Administration (NNSA) released an internal Integrated Science, Technology, and Engineering (ST&E) Plan documenting investments needed for ST&E capabilities over the next 20 years. NNSA’s plan identified and prioritized 46 ST&E facility investments across the nuclear security enterprise that support stewardship of the nuclear weapons stockpile and other NNSA missions. The investments were prioritized by mission importance and mission need time frame. They included sustainment and enhancement of existing facilities and construction of new facilities. NNSA also collected initial estimates of related ST&E workforce and programmatic investment needs — such as needed equipment and materials — from the nuclear security enterprise sites for the 20-year period. However, NNSA did not fully assess these funding needs and has no plans to do so. NNSA officials said that the plan focused on facility investments due to a deadline to provide that information for the agency’s Enterprise Blueprint, which was publicly released. Completing a comprehensive analysis of the ST&E workforce and programmatic investment needs would allow NNSA to better understand the total funding needs for stockpile stewardship and proactively plan for those needs. (GAO.GOV)

Resilience

Arizona’s new regional cyber center a ‘force multiplier’ for local governments, students

At the end of June, Arizona’s Department of Homeland Security announced the launch of the state’s newest regional security operations center. The state’s cyber leaders said it will serve as a “force multiplier” for local governments, school districts, tribal communities and critical infrastructure operators, while creating more workforce opportunities for students pursuing careers in cybersecurity. The Central Regional Security Operations Center operates out of both the Glendale Community College in Maricopa County and the Paradise Valley Community College in Phoenix. The center, which is the second official RSOC in Arizona, is an extension of the Arizona Cyber Command. The two locations are student-run cyber defense hubs, providing services such as monitoring, threat analysis, incident advisory and cyber threat intelligence to the state’s smaller and resource‑constrained government entities. (STATESCOOP.COM)

Space

Space Force faces budget uncertainty as leader plans exit next month

The U.S. Space Force’s soon-to-be retired top officer urged support for his service’s programs, the same day as House lawmakers said they would approve only a fraction of the funds the Trump administration requested for major space efforts. Space Force Gen. Chance Saltzman, the chief of space operations, told international military leaders at the Global Air and Space Chiefs’ Conference here on Tuesday that space is, undoubtedly, a warfighting domain. Invoking American poet Robert Frost, he said, “We must frame our choices around how to have military advantage, and for better or worse, the path we choose will make all the difference.” (DEFENSEONE.COM)

LEGISLATIVE UPDATES

House GOP’s budget bill to fund Iran war and U.S. farmers could be in trouble

House Speaker Mike Johnson’s plan for a $95 billion budget bill that would send money to the Pentagon for the Iran war and help for American farmers is in danger of failure amid pushback from Republicans worried about deficits and skepticism in the Senate. Fiscally conservative Republicans have said they wanted any new spending in a third spending package to be offset by budget cuts. But leadership decided not to pursue any cuts. Lawmakers are trying to pass the bill through a process known as reconciliation that allows them to bypass Democratic opposition; they have already used it twice this Congress to pass tax cuts and fund immigration enforcement agencies. (WASHINGTONPOST.COM)

Energy and Commerce sets vote on data center energy bill

The House Energy and Commerce Committee is planning to vote next week on bipartisan legislation to prevent data centers from raising electric utility bills, according to details shared with POLITICO. The Ratepayer Protection Act, H.R. 9340, will be the first among several bills considered in a sprawling markup that will begin Monday and pick up again Tuesday morning, when votes on the legislation will occur. Republican leaders are eager to move on the bill before their lengthy summer recess, as a means to show voters ahead of the midterms that they have concrete proposals to address electricity rate hikes tied to surging data center demand. (EENEWS.NET)

Cammack says China has deployed ‘digital twins’ of every lawmaker

Rep. Kat Cammack (R-Fla.) on Wednesday addressed the international race to achieve dominance over artificial intelligence and the importance behind each country’s efforts to take the lead. “China and Russia and Iran would love nothing more than for us to say, absolutely, no data science. And that is because it is a cognitive warfare. They will never ever militarily be able to take us over. But they can do the things that they want to do and overtake the United States in a number of different ways…,” Cammack, a member of the Subcommittee on Communications and Technology, told NewsNation’s Connell McShane at The Hill Nation Summit. (THEHILL.COM)

ALERTS AND ADVISORIES

Establishing a coordinated vulnerability disclosure program to work with security researchers

Developed by CISA, the National Security Agency (NSA) and international partners, this joint guidance contains best practices for software manufacturers and online service providers to design and implement a coordinated vulnerability disclosure (CVD) program for working with external security researchers that includes a clear vulnerability disclosure policy (VDP) and process for triaging, remediating and assigning Common Vulnerabilities and Exposures (CVE) identifiers to reported vulnerabilities. The guidance also provides considerations for leveraging third-party intermediaries, like CISA or other national computer security incident response teams, to substitute or supplement a CVD program. By implementing a robust CVD program aligned with this guidance, organizations can work transparently and collaboratively with security researchers to remediate vulnerabilities, build constructive relationships, enhance product security while improving vulnerability management processes, and demonstrate their dedication to protecting customers. (CISA.GOV)

CISA adds two known exploited vulnerabilities to catalog

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation: CVE-2023-4346 KNX Association KNX Protocol Connection Authorization Option 1 Overly Restrictive Account Lockout Mechanism Vulnerability and CVE-2026-46817 Oracle E-Business Suite Improper Privilege Management Vulnerability. These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. (CISA.GOV)

Events

TO BE INCLUDED IN THIS CALENDAR, SUBMIT YOUR SECURITY-FOCUSED EVENT FOR CONSIDERATION

AI AND EDUCATION: On July 16, the Center for Universal Education at Brookings will host a conversation to examine the effects of AI slop on young children’s learning, development, and well-being, as well as the incentives driving its production. As the third event in the Generation AI Starts Early webinar series, the discussion will bring together perspectives from health, media, and policy to explore what AI-generated content means for young children, caregivers, policymakers, and the broader media ecosystem.

6G: Join CSIS, senior U.S. government officials and leading global partners for a July 29 public forum examining the geopolitical and security landscape of next-generation wireless infrastructure. This event will feature the launch of the “Call to Action for 6G Leadership and Security,” a joint initiative between the United States (coordinated by the National Telecommunications and Information Administration) and partner nations designed to strengthen digital supply chains, accelerate innovation, and expand multilateral cooperation on wireless technology. 

AI HEALTH CARE: The AI in Health Conference from Sept. 15 to Sept. 17 bridges the gap between artificial intelligence and real-world health outcomes — focusing not just on what AI can do, but on what it should do to improve patient care. Hosted by the Ken Kennedy Institute at Rice University, the fifth annual AI in Health Conference will explore the current landscape of artificial intelligence in health and present a research-driven outlook for the future of computational health innovation. The program is designed to connect researchers and innovators with engineers, clinicians, and entrepreneurs at the forefront of AI in healthcare and public health.


FOLLOW THE McCRARY INSTITUTE ON LINKEDIN | X | BLUESKY

SUBSCRIBE TO THE CYBER FOCUS PODCAST: YOUTUBE | SPOTIFY | APPLE PODCASTS

SUBMIT A TIP

Click to listen highlighted text!