Home  /  Episodes  /  Jun 29, 2026

Episode show notes

Jun 29's Top Cyber News NOW! - Ep 1163

Aired Jun 29, 2026 Daily Cyber Threat Brief Hosted by Dr. Gerald Auger

At a glance

Federal agencies face urgent Cisco patch deadlines while AWS has already patched a serious credential theft flaw in Amazon Q. Meanwhile, researchers are warning of coordinated attacks using AI agents to pull malware from GitHub and fake SMS campaigns targeting high-ranking government officials—old social engineering tricks with fresh urgency in 2026.

Stories covered

Why is CISA demanding urgent patching of Cisco Unified Communications Manager?

What happened: CISA set a deadline (already passed as of June 28) for federal agencies to patch CVE affecting Cisco Unified Communications Manager Server. The vulnerability involves server-side request forgery (SSRF) and is being actively exploited in the wild. Cisco released the patch on June 3.

Why it matters: SSRF is OWASP top 10 and the vulnerability is remotely exploitable without authentication—if found via Shodan, you're compromised. But CISA directives lack enforcement teeth; without consequences, patch timelines slip.

What to do: Coordinate with your networking team immediately. This isn't a one-person job. Treat it as urgent because active exploitation means threat actors are already hunting unpatched instances.

---

Does China's new AI rival actually match Anthropic's Mythic in capability?

What happened: Chinese security vendor Qihoo 360 claims to have developed an AI model that matches or exceeds Mythic capabilities. CEO Jiang Hong Yi described the U.S. effort as a "cyber nuclear weapon" and said China's approach uses 20 years of malware knowledge and multi-agent swarming rather than brute-force techniques.

Why it matters: This is an arms race narrative, but timing is suspect—Qihoo 360 has been running conferences for 14 years, suggesting this effort predates the U.S. Mythic ban. The real concern is that AI models capable of finding and weaponizing exploits are now competing commodities, not unicorns.

What to do: Monitor for now. This is strategic posturing as much as technical development. Focus on detecting and blocking suspicious AI-driven reconnaissance in your own environment.

---

What credentials can attackers steal through Amazon Q vulnerabilities?

What happened: Wiz researchers disclosed a high-severity flaw in AWS's Amazon Q developer extension for VS Code. The extension would auto-execute configuration files in cloned repositories without user permission, allowing malicious repos to steal cloud credentials, API keys, and environment variables.

Why it matters: AWS patched this in May (disclosed April 20), but the underlying issue—AI tools executing code blindly without human oversight—is now a category of attack. This mirrors the risk in any "agentic" coding tool left unsupervised.

What to do: Meet with your DevOps and developer teams monthly. Confirm they've patched Amazon Q. Remind them to stay engaged with what AI tools execute; don't let Claude drive unattended. Framing this as "stay mindful" rather than "change your workflow" builds buy-in.

---

How are clean GitHub repos tricking AI agents into running malware?

What happened: Researchers at Mozilla's Zeroday Investigative Network demonstrated how a seemingly benign GitHub repository could execute malicious payloads invisible to security scanners, AI agents, and human reviewers. Attackers use multi-step execution (Python scripts, shell scripts, DNS-based C2) to evade detection.

Why it matters: This is the logical extension of the Amazon Q flaw. Spreading malicious actions across multiple stages defeats both AI analysis and traditional SIEM detection. The attack gives attackers interactive shell access with developer privileges and full access to local secrets.

What to do: Educate developers that cloning and running unknown repos is high-risk. Implement DNS-based C2 detection in your SIEM (it's noisy and obvious if you're looking). Consider restricting PowerShell execution on developer machines via GPO.

---

What new cybersecurity rules did the FCC pass for emergency systems?

What happened: The FCC approved new regulations Thursday to strengthen cyber defenses for the Emergency Alert System (EAS) and Wireless Emergency Alerts (WEA), as well as undersea cable security. The rules aim to prevent hijacking attacks by malicious actors.

Why it matters: A compromised EAS could spread disinformation, disable emergency coordination, or broadcast false alerts (e.g., non-existent nuclear strikes, incorrect evacuation routes). The 1983 movie WarGames and the 2018 Hawaii false missile alert are cautionary tales. Integrity and availability breaches have cascading real-world harm.

What to do: Monitor for now. If you advise government or critical infrastructure, use the CIA triad framework to model EAS threats: availability (system shutdown), integrity (message manipulation), and confidentiality (less relevant here). Tabletop exercises should include "operate without EAS" scenarios.

---

Are Russian intelligence services using fake support SMS to steal Ukrainian credentials?

What happened: Ukraine's SBU and the FBI uncovered a long-running campaign where Russian intelligence sent SMS messages masquerading as messaging platform support bots, asking users to disclose account credentials. Targets include Ukrainian government officials, military, politicians, and activists across Ukraine, Europe, and the US.

Why it matters: This is classic social engineering at executive scale and it's working despite four years of active conflict. The success rate suggests inadequate GRC and awareness training. Attackers don't need zero-days when phishing credentials at the leadership level delivers the same access.

What to do: Implement mandatory phishing awareness training. Teach officials to verify support requests by calling the company directly using a known number. Deploy SMS filtering and multi-factor authentication (MFA) without SMS as an option. This attack is not new but remains devastatingly effective.

---

Why did a Russian dairy company revert to pen and paper?

What happened: Ufa Gormal Zavod, a Russian dairy producer in Bashkortostan, was hit by a ransomware attack (reportedly Lockbit variant) and forced back to manual operations. No details on data compromise or recovery timeline.

Why it matters: Lockbit is a Russian gang hitting a Russian target—unusual. Either accidental spillover or operator desperation after law enforcement pressure. Either way, it underscores that no sector (even agriculture) and no country (even where actors are based) is safe from ransomware.

What to do: Conduct tabletop exercises asking: "Can we operate without IT?" If the answer is "no," you need better backup and recovery plans, offline data stores, and manual fallback procedures. Ransomware in 2026 is table stakes; assume it will happen to you.

---

How is the hospitality sector being phished via fake Calendly complaint emails?

What happened: Microsoft threat intelligence reported a campaign running since April targeting hospitality reception and booking staff with fake guest complaint emails (bed bugs, etc.) sent via Calendly's notification system. The emails contain LNK files that trigger PowerShell to download the Tron RAT, using obfuscation and anti-analysis techniques (Cloudflare Turnstile, geolocation filters).

Why it matters: Hospitality staff are help-desk-on-steroids and will open anything to satisfy guests. The LNK→PowerShell→obfuscated download chain is reliable. The campaign is high-volume and list-driven, not spear-phishing, suggesting broad success.

What to do: Disable LNK file execution via GPO where possible. Implement strict application allowlisting on reception machines. Train staff to verify complaints via phone before clicking links. Monitor for unexpected PowerShell execution and outbound connections to unknown URLs. Harden reception endpoints to the highest standard—they're your front line.

---

Key takeaways

  • Patch urgency (Cisco SSRF, Amazon Q) is rising but enforcement mechanisms remain weak; treat critical CVEs as blocking issues, not backlog items.
  • AI-powered attacks are now commonplace: agents executing malware, multi-stage payloads evading detection, and threat actors already defending against AI-based analysis.
  • Social engineering at scale (SMS phishing to executives, fake support emails) remains devastatingly effective; awareness training and MFA (not SMS) are non-negotiable.
  • Assume ransomware will hit you; test your ability to operate without IT and maintain air-gapped backups.
  • Hardening reception, development, and executive endpoints is critical—these roles are high-value targets for initial access.

Topics covered

cisco SSRF, CISA deadline, CVE vulnerability management, amazon Q, AWS credential theft, GitHub malware, AI agents, PowerShell execution, emergency alert system, FCC cybersecurity, social engineering, SMS phishing, lockbit ransomware, hospitality sector, LNK file execution, DNS C2, tabletop exercises

Show notes generated from the live transcript using AI on Mon, 29 Jun 2026 19:19:23 GMT. Errors? Open the YouTube replay for the source of truth.

Want the live experience? The Daily Cyber Threat Brief airs live every weekday at 5am PT / 8am ET on YouTube. 400+ practitioners join the chat in real time.