Home / Episodes / Jun 22, 2026
Episode show notesJun 22's Top Cyber News NOW! - Ep 1158
At a glance
Brazil's emergency alert system was breached by unauthorized actors who sent fake extreme-level alerts across multiple cities. Meanwhile, North Korea–linked hackers compromised 140+ npm packages in a supply chain attack targeting developers' credentials and crypto wallets, and researchers disclosed a permanent boot ROM vulnerability in A12 and A13 iPhones that requires physical access but cannot be patched.
Stories covered
Did hackers breach Brazil's national emergency alert system?
What happened: Unauthorized actors remotely triggered fake emergency alerts on cell phones across São Paulo, Rio de Janeiro, and other Brazilian cities on Saturday morning. The alerts, classified as "extreme" level and containing Portuguese text written in leetspeak, were sent via Anatel's (Brazil's telecom agency) cell broadcast system, which was subsequently taken offline during investigation.
Why it matters: Compromised emergency alert systems erode public trust and create operational chaos during real crises. For practitioners, this is a critical infrastructure attack that bypasses expected access controls and demonstrates the need for tabletop exercises around emergency system compromise scenarios.
What to do: If you manage emergency notification infrastructure, conduct incident response tabletops focused on unauthorized alert scenarios. Review authentication and authorization controls on cell broadcast platforms. Monitor for suspicious access patterns to systems that distribute alerts. Implement segregation and alerting for lateral movement into alerting infrastructure.
---
What is Prinz Eugen ransomware's attack strategy?
What happened: ThreatDown researchers identified Prinz Eugen, a new ransomware operation with a hands-on-keyboard approach that prioritizes recently modified files for encryption, leaves no ransom note, and does not operate as a ransomware-as-a-service model. Initial access is achieved through stolen RDP credentials followed by manual execution of a malware dropper (server_tool.exe).
Why it matters: Prinz Eugen's focus on recently modified business-critical files maximizes victim pressure. The operation uses legitimate RMM software and living-off-the-land techniques to evade detection. The lack of a RaaS model suggests a smaller but potentially more sophisticated threat actor.
What to do: Enforce strong password policies on all RDP-accessible accounts. Restrict external RDP exposure or gate it behind MFA and network segmentation. Monitor for suspicious RMM tool activity and unexpected file encryption patterns. Maintain offline, immutable backups with timestamp protections and change-data-capture to avoid copying encrypted files.
---
Should organizations be concerned about the deepfake No Fakes Act?
What happened: The Senate Judiciary Committee approved the "No Fakes Act," legislation that would grant Americans near-exclusive rights to their digital AI replicas for 70+ years, allowing them to license or sue over unauthorized use. Senators and advocacy groups expressed concerns it could become a tool to suppress free speech.
Why it matters: From a cybersecurity lens, deepfakes (voice and video) are being weaponized by threat actors—particularly North Korean APTs—to conduct voice phishing, bypass employee verification in social engineering, and establish false trust. Legal frameworks could provide recourse, though criminals typically ignore laws. The practical security impact depends on technical controls, not legislation alone.
What to do: Implement voice authentication requiring multi-factor proof of identity for sensitive transactions. Train users on deepfake indicators in video calls. Monitor for anomalous video/voice calls requesting credential or payment confirmations. Document deepfake incidents for legal evidence, but prioritize technical detection and behavioral verification over relying on legal remedies post-incident.
---
How did North Korea compromise 140+ npm packages in a supply chain attack?
What happened: Microsoft attributes the Mastra AI supply chain attack to Sapphire Sleet (also called Blue Noroff), a North Korean state actor. Attackers compromised an npm maintainer account (e-hender) and published malicious updates across 140+ packages, including a typosquatted package named "easyjs" (spoofing day.js). Post-install hooks deployed a malware dropper targeting developers' API keys, auth tokens, and cryptocurrency wallets.
Why it matters: npm is a high-velocity attack surface with minimal vetting. Compromised developer credentials, API keys, and crypto wallets enable lateral movement into enterprise environments and financial theft. The attack chain—maintainer compromise → malicious dependency → post-install execution → credential harvesting → C2 beaconing—is a textbook supply chain kill chain.
What to do: Scan dependencies for known-malicious packages; use Software Composition Analysis (SCA) tools with real-time threat feeds. Require cryptographic verification of package integrity. Implement runtime monitoring for suspicious post-install scripts. Rotate and revoke exposed API keys and auth tokens immediately. Assume npm dependencies may be compromised; isolate development environments from production credentials.
---
What is the Gravity SMTP WordPress plugin vulnerability?
What happened: CVE-2024-5383, a medium-severity (CVSS 5.3) information disclosure flaw in Gravity SMTP, allows unauthenticated attackers to call a REST API endpoint (/wp-json/gravity-smtp/v1/test/machdata) that returns ~365 KB of JSON containing API keys, OATH tokens, configuration data, and system information. Word Fence has blocked 17+ million exploit attempts since May 2026. A patch (version 2.1.5) is available.
Why it matters: Exposed API keys can be chained with other vulnerabilities to gain initial access to cloud infrastructure (AWS, etc.). Leaked SMTP credentials enable business email compromise. The vulnerability requires only an HTTP GET request—no authentication—making it low friction to exploit at scale.
What to do: Update Gravity SMTP to version 2.1.5 immediately. Search logs for GET requests to /wp-json/gravity-smtp/v1/test/machdata and treat as indicators of compromise. Rotate all exposed API keys, OATH tokens, and SMTP credentials. Implement WAF rules to block the vulnerable endpoint if patching is delayed. Audit all API key usage for unauthorized activity.
---
Can researchers really jailbreak A12 and A13 iPhones?
What happened: Researchers disclosed "USBticket8," a checkm9-style exploit targeting Apple A12 and A13 chips (iPhone XS, XR, iPhone 11 families). The flaw resides in the immutable boot ROM and allows bypass of secure boot via physical USB access in DFU mode. A14 and newer chips are unaffected. The exploit requires physical access and cannot be patched via software updates.
Why it matters: Boot ROM vulnerabilities are permanent hardware flaws affecting the chain of trust. While this requires hands-on access (impractical for remote attacks), it enables nation-state adversaries or determined threat actors to install persistent, undetectable implants at the OS level. It's a worst-case scenario for secure boot design.
What to do: If you manage high-value targets (government, law enforcement, journalists), assume devices using A12/A13 are at risk if physically compromised. Enforce device management policies requiring newer hardware. Monitor for anomalous behavior in A12/A13 devices. Assume any device that leaves custody may have been targeted with this exploit if the holder is a high-value target.
---
What is Gentle Killer and why does it matter?
What happened: ESET identified Gentle Killer, a centrally managed EDR-killing toolkit deployed by the Gentleman ransomware gang before payload execution. The group, active since late 2025, has claimed 504 victims and ranks among the top five most active RaaS operations in 2026. Gentle Killer includes eight variants exploiting vulnerable drivers (BYOVD technique) to disable 400+ security-related processes across major EDR/antivirus products.
Why it matters: Most RaaS affiliates handle EDR evasion themselves; Gentleman centralizes and operationalizes it, lowering barriers to entry for less-skilled attackers. Pre-built, maintained EDR killers mean affiliates can deploy ransomware more reliably. This is a significant shift in operational maturity and accessibility of ransomware-as-a-service.
What to do: Monitor for vulnerable signed drivers being dropped to disk—implement allow-lists for known-good drivers and alert on unsigned or suspicious driver loads. Create behavioral alerts for unexpected termination of security processes (track process names published in ESET's report). Implement kernel-level protections (e.g., hypervisor-based monitoring) that are harder to kill from user space. Test EDR resilience against driver-based termination techniques.
---
How many Texas hunting and fishing license holders were exposed in the breach?
What happened: The Texas Parks and Wildlife Department (TPWD) disclosed a breach affecting 3 million+ customers' personal information via its license system vendor. Exposed data includes driver's licenses, passport numbers, email addresses, phone numbers, and residential addresses. The agency confirmed that SSNs, dates of birth, and financial information were not compromised (per current investigation). TPWD is working with the vendor on enhanced monitoring and safeguards.
Why it matters: Personally identifiable information (name, address, driver's license, passport number, email, phone) is sufficient for SIM swaps, account takeovers, and spear-phishing attacks. The combination enables credential stuffing, social engineering impersonation of government agencies, and identity fraud. Affected individuals are now high-value targets.
What to do: If you manage similar public databases, assume disclosed PII will be cross-referenced with other breaches and monetized. Monitor credit bureaus and darkweb marketplaces for your organization's data. Notify customers proactively with free credit monitoring access—don't require them to opt in. Implement breach response playbooks that disclose timely, detailed information to avoid secondary disclosures that undermine trust.
Key takeaways
- Supply chain attacks targeting npm remain a high-velocity threat; assume all open-source dependencies may be compromised and require runtime isolation and credential segregation.
- EDR-killing has evolved from affiliate-driven improvisation to centralized, operator-maintained toolkits (Gentle Killer); defenders must monitor for driver-based process termination and kernel-level anomalies.
- RDP exposed to the internet with weak credentials remains the fastest path to ransomware deployment; enforce complex passwords, MFA, and network segmentation over relying on detection.
- Boot ROM vulnerabilities (USBticket8) are unfixable but require physical access; high-value targets should assume A12/A13 devices are at risk if they leave custody.
- WordPress plugin vulnerabilities (Gravity SMTP) continue to expose API keys at scale; patch immediately and rotate all exposed credentials.
Topics covered
Want the live experience? The Daily Cyber Threat Brief airs live every weekday at 5am PT / 8am ET on YouTube. 400+ practitioners join the chat in real time.