Home / Episodes / Jun 15, 2026
Episode show notesJun 15's Top Cyber News NOW! - Ep 1153
At a glance
Anthropic suspended access to its most capable AI models following a US government export control directive banning foreign nationals from using them. Meanwhile, Oracle PeopleSoft exploitation is hitting higher education institutions hard, Maine's breach portal went offline after fake submissions, and critical vulnerabilities in Splunk Enterprise and Windows updates need immediate patching. A Ukrainian Conti ransomware operator pleaded guilty after extradition, and consulting firms KPMG and EY faced embarrassment for publishing AI-generated reports full of hallucinations.
Stories covered
Why did the US government force Anthropic to ban foreign access to Claude?
What happened: The US Department of Defense issued an export control directive ordering Anthropic to block access to its two most capable AI models, Claude 5 (Fable 5) and Mythos 5, for all foreign nationals—both inside and outside the US, including Anthropic's own international employees. The directive came just as Anthropic was rolling out Fable 5 to Pro and enterprise customers.
Why it matters: This represents a significant access control failure by the government, which beta-tested Mythos for three months before issuing the ban post-launch. From a practitioner perspective, it highlights how difficult it is to enforce access restrictions on internet-facing services; VPNs and geofencing bypass controls are trivial to circumvent. The move also signals that nation-states view advanced AI capabilities as strategic assets requiring export controls.
What to do: Monitor how this precedent develops. If you handle AI model deployments in your organization, expect similar regulatory scrutiny on access controls. Plan access restriction mechanisms early rather than retrofitting them post-launch.
What's the latest on the Oracle PeopleSoft zero-day hitting higher education?
What happened: Mandiant and Google researchers warn that Shiny Hunters gang is exploiting an unpatched CVE in Oracle PeopleSoft People Tools to conduct remote code execution attacks against over 100 organizations, many in higher education including the University of Nottingham. Attacks date back to at least May 27th and remain active.
Why it matters: The vulnerability allows unauthenticated attackers to execute arbitrary code and take control of affected servers. Higher education institutions are particularly vulnerable due to resource constraints, legacy infrastructure, and a culture of open data sharing that often conflicts with security controls. This represents a shift in Shiny Hunters' typical tactics—they're known for social engineering, not technical exploitation at scale.
What to do: If you run Oracle PeopleSoft, patch immediately. Audit who has access to your PeopleSoft instance and whether it's internet-facing (it should not be). Check patch compliance via vulnerability scans and escalate any gaps to infrastructure teams.
Why did Maine disable its data breach notification portal?
What happened: Maine's Attorney General's Office took its public data breach reporting portal offline after someone submitted fraudulent breach disclosures for Discord and VRChat that were processed and published on the state website. The office is reviewing procedures to prevent future abuse; companies can still submit breaches but the public must now contact the AG directly.
Why it matters: This illustrates the difference between security and usability. The original portal prioritized ease of use over validation, creating a process vulnerability. When you slide the security slider left, usability suffers; the state has now shifted it right by requiring verbal submissions, adding friction and reducing accessibility.
What to do: Monitor for how many state and federal breach notification portals lack verification controls. If you're responsible for breach notifications, ensure your submission process includes validation checks. Don't assume no one will abuse a trust-based system.
What's the risk from the critical Splunk Enterprise CVE?
What happened: Cisco Splunk released updates for a critical vulnerability (CVSS 9.8) in Splunk Enterprise that allows unauthenticated attackers to create or truncate arbitrary files and execute remote code through an unprotected PostgreSQL sidecar service endpoint. Affects versions below 10.2.4 and 10.0.7. Splunk Cloud is not affected.
Why it matters: This is an unauthenticated RCE—always a 9.8 CVSS score and a critical priority. The PostgreSQL sidecar service lacks authentication on the API endpoint. While the threat actor would need network access to exploit this (your Splunk instance should not be internet-facing), once compromised, the attacker gains initial foothold in your environment and can dump or modify SIEM data—a dangerous privilege in a security operations environment.
What to do: Identify which Splunk Enterprise versions you're running. If below 10.2.4 or 10.0.7, prioritize patching. Verify your Splunk instance is not internet-facing and check network segmentation. If running Splunk in AWS or cloud environments, review security group rules to ensure sidecar services are not exposed.
Should I be concerned about Novo Nordisk's clinical trial data breach?
What happened: Danish pharmaceutical company Novo Nordisk reported a cyber attack where clinical trial participant data related to Ozempic and Wegovy was stolen. The data was pseudonymized, meaning no direct links to personal identifiers existed, though the company warned participants to remain vigilant.
Why it matters: Clinical trial data falls under HIPAA protections only if a hospital or physician is conducting the trial as a covered entity. Novo Nordisk's trials are sponsored by the pharmaceutical company, so HIPAA does not apply. From a risk perspective, the impact is low: patients are unlikely to stop using these drugs due to a data breach, and the pseudonymization adds friction to re-identification. However, intellectual property theft—not participant data—is the real concern for pharma companies.
What to do: Monitor for now. If you work in pharmaceutical security, focus your effort on protecting drug formulation IP and clinical trial methodologies rather than overweighting participant data protection relative to business risk.
Why did KPMG pull its AI report due to hallucinations?
What happened: KPMG retracted a report titled "Redefining Excellence in the Age of Agentic AI" after organizations including UBS, the UK's NHS, and Transport for London reported that the report's claims about their AI usage were false or misleading. The report was written using AI and contained numerous hallucinated facts. EY has faced similar criticism for AI-generated reports with fake footnotes.
Why it matters: Major consulting firms that charge premium fees for expertise are using AI to generate reports, then publishing inaccurate work without proper validation. This represents a bait-and-switch: clients pay for expert analysis but receive unreviewed AI output. It also undermines the consulting industry's value proposition and ironically makes the case for replacing consultants with AI.
What to do: Monitor for now. If your organization contracts with large consulting firms for research reports, add validation and fact-checking clauses to procurement agreements. Don't assume external reports from established firms have been properly reviewed.
What's the issue with Windows Update Standalone Installer failures?
What happened: Microsoft fixed a known issue where Windows updates released since May 2025 failed when deployed via the Windows Update Standalone Installer (WSA) from a network share on Windows 11 (24H2, 25H2) and Windows Server 2025 devices. The fix was applied via group policy to home and non-managed devices starting in September 2025.
Why it matters: This primarily affects enterprise networks using WSA for patch distribution. Home users rarely use this method. If you're missing patches on Windows servers post-May 2025, this could be the culprit and will appear in vulnerability scans.
What to do: Check with your infrastructure or server teams whether your organization uses WSA for patch distribution. If so, verify that June 2025 patches and later have been applied. Alert them proactively and cite this known issue to help them triage any missed patches. No action required if you use standard Windows Update or WSUS.
Why is a Ukrainian Conti ransomware operator finally facing prison time?
What happened: Alexi Litvinenko, a 44-year-old Ukrainian national, was extradited from Ireland to the US and pleaded guilty to wire fraud conspiracy for his work with the Conti ransomware operation between 2021 and 2022. He faces up to 20 years in prison and is scheduled for sentencing on September 10th.
Why it matters: Conti was the most prolific and effective ransomware gang of the early 2020s, operating with over 100 employees, including dedicated QA, development, and licensing teams that tested ransomware against every major EDR solution. The gang collapsed when Russia invaded Ukraine and internal factions split. This conviction is symbolic but unlikely to deter active ransomware operators still operating from jurisdictions that don't extradite to the US.
What to do: Monitor for now. Use this as a reminder that ransomware actors operating in friendly extradition countries (e.g., Ukraine, Ireland) face legal jeopardy; those in Belarus, Russia, and similar countries do not. This does not change your defensive posture, only reinforces that financial cybercrime has real consequences for actors outside state protection.
Key takeaways
- Anthropic's forced suspension of Claude 5 shows that access controls on internet-facing services are nearly impossible to enforce—VPN and geofencing bypasses are trivial, and the US government's retroactive approach to export controls is ineffective.
- Three critical patches demand immediate action: Oracle PeopleSoft (active exploitation in higher ed), Splunk Enterprise (unauthenticated RCE), and Windows updates (if using WSA). Prioritize PeopleSoft and Splunk.
- Process vulnerabilities are as dangerous as technical ones; Maine's breach portal compromise shows that trust-based systems without validation controls fail predictably.
- Large consulting firms are publishing AI-generated reports without proper review, creating liability for clients who rely on their accuracy. Validate external research before acting on it.
- Conti's decline and this conviction underscores that ransomware actors face real legal consequences only if they operate in extradition-friendly countries; most remain untouched in Eastern Europe.
Topics covered
Want the live experience? The Daily Cyber Threat Brief airs live every weekday at 5am PT / 8am ET on YouTube. 400+ practitioners join the chat in real time.