Home / Episodes / Jun 19, 2026
Episode show notesJun 19's Top Cyber News NOW! - Ep 1157
At a glance
Law enforcement disrupted Evil Corp's botnet across 15,000 WordPress sites in a coordinated international operation, but the group remains operational. Meanwhile, attackers are exploiting outdated REDCap servers in healthcare, China-linked groups are abusing Microsoft Teams relays for C2 evasion, and critical F5 NGINX vulnerabilities enable unauthenticated code execution—all requiring immediate patching and monitoring.
Stories covered
How did law enforcement disrupt Evil Corp's Sokgolish botnet across WordPress sites?
What happened: Authorities from the Netherlands, Canada, US, and Germany (Operation Endgame) cleaned Sokgolish malware infections from nearly 15,000 compromised WordPress websites and took 106 servers and domains offline.
Why it matters: This represents a significant coordinated takedown of organized cybercrime infrastructure, but Evil Corp remains financially viable and capable of rebuilding. The cleanup affected website owners should change credentials, enable MFA, delete unknown accounts, and keep WordPress updated—basic hygiene that should already be standard practice.
What to do: If you operate WordPress sites, verify credentials haven't been compromised, enforce MFA, audit for unauthorized accounts, and ensure all plugins and core are patched. Monitor for re-exploitation since the threat group isn't disrupted long-term.
---
Why did Icarus steal Salesforce CRM data from Clue and multiple organizations?
What happened: Threat actors exploited a dormant but active credential at Clue (the Battle Cards Salesforce integration platform) to access customer Salesforce instances, stealing CRM data including contact info, sales communications, quotes, and competitive intelligence. Salesforce has disabled the integration.
Why it matters: Clue likely lost most or all customers by having its core product disabled; customers like Huntress (an MDR firm) were extorted. The stolen data (sales contacts, pricing, competitive reports) has unclear resale value, making ransom payment unlikely but still representing operational disruption and reputational risk.
What to do: If you use third-party Salesforce integrations, audit credential permissions and rotation schedules. Review your Salesforce access logs for suspicious API queries. Assume extortion emails may follow data theft even if payment demands lack credibility.
---
What is the UK's cyber chief warning about hostile nation-state attacks on critical infrastructure?
What happened: Richard Horne, CEO of the UK's National Cyber Security Center, stated that 75% of the 200+ critical infrastructure incidents handled in the past year were attributed to state actors, emphasizing that tomorrow's kinetic attacks are based on recon gathered today.
Why it matters: This confirms widespread nation-state prepositioning in Western critical infrastructure (confirmed examples: China's Flax Typhoon, Salt Typhoon, Volt Typhoon in US power and telecom). However, the statement itself restates well-established attack chain theory and doesn't offer tactical novelty for practitioners.
What to do: Monitor for now. If you support critical infrastructure, assume advanced persistent threat activity and operate under zero-trust principles. Focus on detection and response readiness rather than prevention alone.
---
Why is Senator Warner alarmed about CISA budget cuts and regional staffing gaps?
What happened: Senator Mark Warner sent letters to CISA's acting director and DHS leadership expressing concern over widespread agency cuts, understaffed regional divisions, and the disbanding of the multi-state information sharing and analysis center (MSISAC). Warner introduced legislation to restore MSISAC funding.
Why it matters: CISA supports critical information sharing between federal, state, local, and private sector organizations. Budget cuts reduce the agency's ability to coordinate incident response, share threat intelligence, and support smaller entities. However, Congressional letters alone rarely drive immediate budget reversal.
What to do: Monitor for now. If you rely on CISA threat feeds or MSISAC coordination, document dependencies and explore backup intelligence sources. Advocacy through your sector's ISAC may amplify pressure for restored funding.
---
How did attackers spy on Beats Studio Buds conversations through Bluetooth?
What happened: Apple patched a high-severity Beats Studio Buds flaw (missing Bluetooth BR/EDR authentication) that allowed attackers within Bluetooth range to eavesdrop on user conversations through an unpaired device's microphone. The vulnerability stemmed from open-source code in Apple software.
Why it matters: The attack requires close physical proximity (15–20 feet), a device actively seeking pairing, and specific conditions. It's an academic proof-of-concept rather than a practical mass-exploitation vector, but illustrates protocol-level vulnerabilities in wireless stacks.
What to do: Update Beats firmware and iOS if affected. Don't sleep on protocol-level analysis—buffer overflows, stack corruption, and authentication bypasses in network protocols remain valuable attack surfaces despite appearing obscure compared to application-layer exploits.
---
How are Dragon Force hackers hiding C2 traffic inside Microsoft Teams relays?
What happened: A custom Go-based RAT called Backdoor.Turn uses legitimate Microsoft Teams relay infrastructure and QUIC to tunnel command-and-control traffic, evading network detection. The malware obtains anonymous Teams visitor tokens and routes C2 through Microsoft's TURN relays, remaining invisible to defenders.
Why it matters: This technique leverages trusted infrastructure to blend malicious traffic with legitimate Teams usage. Defenders cannot easily flag Teams traffic as suspicious, making detection require behavioral analysis or compromised endpoint telemetry. Initial compromise requires separate exploitation (SQL Server was involved in observed cases).
What to do: Deploy EDR and behavioral analytics to detect unusual process execution and outbound connection patterns, even to trusted destinations. Hunt for SQL Server exploitation and BYOVD (bring-your-own-vulnerable-driver) abuse. Monitor for suspicious Teams visitor token generation if you have Teams API logging enabled. Patch Windows kernel and disable ASLR on systems running older kernels if applicable.
---
Why are F5 NGINX servers vulnerable to unauthenticated remote code execution?
What happened: F5 released out-of-band patches for two critical NGINX vulnerabilities (both CVE, CVSS 9.2): a use-after-free in an HTTP module and a heap-based buffer overflow. Both allow unauthenticated remote code execution with potential for memory corruption, service restart, or arbitrary code execution.
Why it matters: NGINX is ubiquitous in load balancers, reverse proxies, and API gateways. Unauthenticated RCE with high CVSS scores require immediate patching. Exploitation becomes easier on systems with ASLR disabled, though ASLR has been default on modern OSes since ~2015.
What to do: Patch F5 NGINX systems immediately. Verify ASLR is enabled on underlying OS. Buffer overflows remain exploitable in 2026—prioritize this patch as you would a kernel vulnerability. If immediate patching is blocked, implement network segmentation to restrict NGINX exposure.
---
Why are outdated REDCap servers in healthcare targeted by Chinese espionage actors?
What happened: Google's threat intelligence team reports that UNC6508 (China-linked) routinely targets legacy REDCap servers—open-source platforms for clinical research data—deployed at academic medical centers and healthcare organizations. Of ~8,500 internet-exposed REDCap instances globally, only 1% run the latest version. One observed intrusion went undetected for a year before attackers used harvested credentials to exfiltrate data; the Infinite Red backdoor was deployed 3 months post-compromise.
Why it matters: Intellectual property from medical research, clinical trial data, and vaccine/treatment formulas have enormous asymmetric value. State actors gain years of R&D benefit without development cost. REDCap's low profile and widespread healthcare use make it an attractive espionage target overlooked by security teams.
What to do: Immediately audit internet-exposed REDCap instances in your environment. Update to the latest version. Enable MFA, restrict network access to REDCap servers, and implement egress filtering. Hunt for anomalous credential usage and long-dwell-time intrusions using EDR. Notify your healthcare ISAC if you identify compromise.
---
Key takeaways
- Evil Corp remains dangerous despite Operation Endgame takedown; organizations must treat as ongoing threat, not resolved incident.
- China-linked actors are systematically targeting overlooked platforms (REDCap, third-party integrations) and establishing long-term footholds in healthcare and critical infrastructure.
- Relay-based C2 evasion through trusted infrastructure (Teams, Microsoft TURN) requires behavioral detection and EDR—network signatures alone are insufficient.
- Buffer overflows, protocol-level vulnerabilities, and BYOVD abuse remain viable exploitation paths in 2026; assume legacy systems have multiple attack surfaces.
- Patch F5 NGINX and Beats immediately; update REDCap and audit WordPress credential hygiene as high-priority response actions.
Topics covered
ransomware, operation endgame, evil corp, sokgolish, CVE-2026 (approximate), salesforce, icarus, threat intelligence, microsoft teams, C2 evasion, turn relay, NGINX vulnerabilities, buffer overflow, REDCap, UNC6508, china espionage, critical infrastructure, CISA budget cuts, bluetooth vulnerability, protokol security, EDR, incident response
Want the live experience? The Daily Cyber Threat Brief airs live every weekday at 5am PT / 8am ET on YouTube. 400+ practitioners join the chat in real time.