☕ Good Morning Security Gang,
Our final show before the extended Fourth of July holiday, and before diving into today’s cybersecurity headlines, I want to wish everyone a safe and happy Independence Day. As our nation celebrates 250 years, it’s worth remembering that while our adversaries work tirelessly to divide us, what unites us is far stronger than anything that attempts to pull us apart. Disconnect from the noise this weekend, spend time with family and friends, enjoy your communities, and appreciate just how fortunate we are to live in an era of remarkable innovation and opportunity.
Now, onto cybersecurity.
Today’s show reinforced a trend that has become impossible to ignore throughout 2026: attackers are consistently moving faster than enterprise operations. Oracle E-Business Suite continues facing active exploitation with nearly a thousand internet-facing systems exposed. Huntress uncovered an astonishing 81 million Microsoft 365 password spray attempts that sidestepped MFA by using an authentication flow MFA was never configured to cover. AI-powered development environments are now direct attack targets through zero-click vulnerabilities. Meanwhile, researchers connected the massive FortiBleed credential theft campaign directly to active ransomware operators, turning what many viewed as credential theft into an immediate ransomware threat.
The common thread today is simple: attackers are exploiting trusted platforms before organizations can adapt their defenses.
Double espresso in hand. Coffee cup cheers, gang. Let’s get into it.
🧭 Executive Summary
Today’s cybersecurity landscape centered on trust boundaries.
Whether those boundaries exist inside enterprise ERP systems, Microsoft authentication flows, AI-powered development tools, VPN infrastructure, or cloud identities, attackers continue finding ways to exploit assumptions built into modern enterprise technology.
The traditional perimeter has disappeared.
Today’s perimeter is every authentication flow, every AI agent, every trusted software dependency, every remote access platform, and every enterprise application connected to your business.
Organizations that understand those trust boundaries and actively validate them will remain resilient. Those relying on yesterday’s assumptions will continue finding themselves reacting instead of preventing.
📰 Top Stories & Deep Dive Analysis
🚨 Oracle E-Business Suite Under Widespread Active Attack
Oracle’s difficult year continues as researchers confirmed that more than 900 internet-facing Oracle E-Business Suite (EBS) instances remain exposed while attackers actively exploit CVE-2026-46817, a critical vulnerability affecting Oracle Payments’ File Transmission component. Oracle originally released patches during its May Critical Patch Update, yet exploitation continues accelerating across exposed environments.
Threat intelligence company Diffuse reported observing active exploitation against its honeypots throughout the past week, while Shadowserver currently tracks approximately 950 publicly exposed Oracle EBS deployments. Although Oracle has not formally acknowledged active exploitation, independent researchers continue documenting real-world attack activity.
This follows a troubling pattern. Oracle’s product ecosystem, including PeopleSoft and E-Business Suite, has experienced repeated exploitation throughout 2026. Recent attacks have impacted universities, insurance regulators, government organizations, and major enterprises.
Oracle environments should no longer be viewed as routine enterprise applications.
They should be treated as high-priority attack surfaces requiring accelerated patch management, restricted internet exposure, and continuous monitoring.
If your organization still exposes Oracle EBS directly to the internet, today is the day to change that.
🔐 Huntress Detects 81 Million Microsoft 365 Password Spray Attempts
Huntress researchers disclosed one of the largest password spraying campaigns observed this year after identifying 81 million login attempts targeting Microsoft 365 tenants over just a two-week period between June 12 and June 26.
Rather than attacking interactive logins protected by MFA, attackers abused the Resource Owner Password Credentials (ROPC) grant, an OAuth 2.0 flow that posts a username and password straight to the Microsoft identity platform token endpoint. There is no interactive step, so the flow cannot satisfy an MFA challenge or take part in single sign-on; a token request either succeeds on the password alone or fails where an enforced policy demands more.
The campaign successfully compromised accounts across multiple organizations despite MFA being enabled.
Why?
Because MFA wasn’t protecting every authentication path.
“MFA isn’t binary. Having MFA and having MFA protect every authentication path are two very different things.” James Azar
Researchers found several recurring misconfigurations that left ROPC requests uncovered: Conditional Access policies left in report-only mode, MFA enforced only for administrators, trusted-location exclusions, and policies scoped to selected cloud applications rather than all of them.
The takeaway is significant.
Having MFA enabled no longer guarantees protection.
Security teams must validate that every authentication mechanism, including legacy OAuth flows, PowerShell authentication, Azure CLI, and older API clients, is actually covered by modern authentication controls.
This campaign should prompt every Microsoft 365 administrator to review Conditional Access policies before heading into the holiday weekend.
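Here is what that Conditional Access review looks like as code. This is an added example, not Huntress’s or Microsoft’s tooling: it reproduces the four policy gaps above against constructed policy records, then runs a simple spray detector over constructed sign-in events. Records mirror the shape of the Microsoft Graph conditionalAccessPolicy and signIn resources (fields such as `state`, `conditions.users.includeUsers`, `authenticationProtocol`, `status.errorCode`); the role and app identifiers are placeholders, not real tenant values.

```python
"""Check Conditional Access coverage and hunt ROPC password-spray patterns.

Added example, not Huntress's or Microsoft's tooling. Policy and sign-in
records are constructed to mirror Microsoft Graph conditionalAccessPolicy
and signIn resources; role/app identifiers are placeholders.
"""
from collections import defaultdict

# Constructed policies reproducing the misconfigurations seen in the campaign.
POLICIES = [
    {   # Report-only: evaluated and logged, never enforced.
        "displayName": "Require MFA for all users",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "includeRoles": []},
            "applications": {"includeApplications": ["All"]},
            "locations": {"excludeLocations": []},
        },
        "grantControls": {"builtInControls": ["mfa"]},
    },
    {   # Enforced, but admins only, one app only, trusted locations exempt.
        "displayName": "Admin MFA",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": [], "includeRoles": ["<global-admin-role-template-id>"]},
            "applications": {"includeApplications": ["<single-app-id>"]},
            "locations": {"excludeLocations": ["AllTrusted"]},
        },
        "grantControls": {"builtInControls": ["mfa"]},
    },
]

# Constructed sign-in events: one source IP trying ROPC against many accounts.
SIGNINS = [
    {"userPrincipalName": u, "ipAddress": "203.0.113.7",
     "authenticationProtocol": "ropc", "status": {"errorCode": 50126}}   # wrong password
    for u in ("alice@example.com", "bob@example.com", "carol@example.com", "dave@example.com")
] + [
    {"userPrincipalName": "erin@example.com", "ipAddress": "203.0.113.7",
     "authenticationProtocol": "ropc", "status": {"errorCode": 0}},       # guessed, no MFA prompt
    {"userPrincipalName": "frank@example.com", "ipAddress": "198.51.100.9",
     "authenticationProtocol": "oAuth2", "status": {"errorCode": 0}},     # normal interactive sign-in
]


def policy_gaps(policy):
    """List the reasons a password-only ROPC token request would slip past this policy."""
    controls = policy.get("grantControls", {}).get("builtInControls", [])
    if "mfa" not in controls:
        return ["does not require MFA"]
    cond = policy["conditions"]
    gaps = []
    if policy["state"] != "enabled":
        gaps.append("not enforced (state=%s)" % policy["state"])
    if "All" not in cond["users"].get("includeUsers", []):
        gaps.append("scoped to selected users or roles, not all users")
    if cond["applications"].get("includeApplications") != ["All"]:
        gaps.append("scoped to selected cloud apps, not all apps")
    if cond.get("locations", {}).get("excludeLocations"):
        gaps.append("trusted-location exception bypasses MFA")
    return gaps


def tenant_has_full_mfa_coverage(policies):
    """True only if some enforced MFA policy covers all users, all apps and all locations."""
    return any(not policy_gaps(p) for p in policies)


def detect_ropc_spray(events, min_distinct_users=5):
    """Group ROPC attempts by source IP; flag IPs touching many accounts and list successes."""
    by_ip = defaultdict(lambda: {"users": set(), "successes": []})
    for e in events:
        if e.get("authenticationProtocol") != "ropc":
            continue
        rec = by_ip[e["ipAddress"]]
        rec["users"].add(e["userPrincipalName"])
        if e["status"]["errorCode"] == 0:
            rec["successes"].append(e["userPrincipalName"])
    return {
        ip: {"distinct_users": len(r["users"]), "compromised": sorted(r["successes"])}
        for ip, r in by_ip.items() if len(r["users"]) >= min_distinct_users
    }


if __name__ == "__main__":
    for p in POLICIES:
        print(p["displayName"], "->", policy_gaps(p) or ["full coverage"])
    print("tenant fully covered:", tenant_has_full_mfa_coverage(POLICIES))
    print("spray sources:", detect_ropc_spray(SIGNINS))
```

Against a real tenant the inputs come from Graph, `/identity/conditionalAccess/policies` for policies and `/auditLogs/signIns` filtered on `authenticationProtocol eq 'ropc'` for events. The coverage check deliberately ignores `excludeUsers` and `excludeGroups`; those exclusions deserve the same scrutiny, because a "break-glass" group that quietly grew is another path MFA does not protect.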
🤖 Zero-Click Cursor IDE Vulnerabilities Put AI Development at Risk
Researchers at Cato AI Labs disclosed two critical vulnerabilities affecting Cursor IDE, one of the fastest-growing AI-assisted software development platforms now deployed across more than half of the Fortune 500. Both vulnerabilities received CVSS 9.8 severity ratings.
Unlike traditional remote code execution flaws, these vulnerabilities require virtually no deliberate user interaction.
“The model isn’t the security boundary. Treat every AI input like attacker-controlled user input.” James Azar
A developer simply opens an AI prompt that references attacker-controlled content from an MCP server, malicious search result, or poisoned web resource. The Cursor agent automatically processes the content, escapes its intended sandbox, overwrites critical files, and ultimately executes attacker-controlled code on the developer’s workstation.
Perhaps the most concerning aspect is that the issue extends beyond Cursor itself.
Researchers indicated similar architectural weaknesses likely exist across multiple AI coding assistants because the underlying trust model remains fundamentally similar.
The security challenge is no longer simply protecting source code.
It’s protecting autonomous coding agents capable of interacting directly with local filesystems, development environments, cloud credentials, and enterprise repositories.
Organizations adopting AI-assisted development should immediately review how these tools access local resources, external content, and Model Context Protocol (MCP) services.
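The sandbox escape above comes down to an agent writing where it should not. As an added example (not Cursor’s code, and not a fix for the disclosed flaws), the check below shows how a file-writing agent should confine writes to a single workspace root: `resolve_inside` and `safe_write` are hypothetical names, the workspace layout and the symlink are constructed, and the three escape cases it rejects are the ones any such check has to cover: `..` traversal, absolute paths, and symlinks inside the workspace that point outside it.

```python
"""Confine an agent's file writes to its workspace root.

Added example, not Cursor's code. Assumes one workspace directory the agent
may modify; anything resolving outside it (traversal, absolute target, or a
symlink that leaves the root) is refused before any write happens.
"""
import os
import tempfile


def resolve_inside(root, requested):
    """Return the real path for `requested` if it stays inside `root`, else None."""
    root_real = os.path.realpath(root)
    # An absolute request is taken as-is so /etc/passwd is rejected rather than
    # silently re-rooted under the workspace.
    candidate = requested if os.path.isabs(requested) else os.path.join(root_real, requested)
    # realpath collapses '..' and follows symlinks, so a link inside the
    # workspace that points outside resolves to its outside target.
    target = os.path.realpath(candidate)
    if os.path.commonpath([root_real, target]) != root_real:
        return None
    return target


def safe_write(root, requested, data):
    """Write only when the resolved target is inside the workspace; return the path or None."""
    target = resolve_inside(root, requested)
    if target is None:
        return None
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "w") as fh:
        fh.write(data)
    return target


def demo():
    """Constructed workspace with a symlink escape; returns which requests were allowed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "workspace")
        outside = os.path.join(tmp, "outside")
        os.makedirs(os.path.join(root, "src"))
        os.makedirs(outside)
        os.symlink(outside, os.path.join(root, "link"))   # the escape hatch
        return {
            "src/main.py": safe_write(root, "src/main.py", "print('ok')") is not None,
            "src/../src/util.py": safe_write(root, "src/../src/util.py", "") is not None,
            "../outside/x": safe_write(root, "../outside/x", "") is not None,
            "/etc/passwd": safe_write(root, "/etc/passwd", "") is not None,
            "link/x": safe_write(root, "link/x", "") is not None,
        }


if __name__ == "__main__":
    for request, allowed in demo().items():
        print("%-20s %s" % (request, "allowed" if allowed else "refused"))
```

A check-then-write is still racy if something can swap a directory for a symlink between the two calls; on Linux the robust form opens with `O_NOFOLLOW` relative to a directory file descriptor (`os.open` with `dir_fd`). The point for AI tooling is that the confinement has to be enforced in the tool layer; a model instruction to "stay in the workspace" is not a control.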
🎯 FortiBleed Officially Linked to Active Ransomware Operations
One of the biggest developments today comes from SOC Radar, which directly linked the FortiBleed credential theft operation to both the Lynx and INC ransomware groups.
FortiBleed initially appeared to be another credential harvesting campaign targeting Fortinet VPN infrastructure.
Researchers now believe it served as the front-end access operation supporting ransomware deployment.
The campaign compromised more than 73,000 Fortinet credentials, targeted approximately 430,000 FortiGate firewalls, installed packet sniffers across roughly 19,000 devices, and even maintained persistent administrator backdoors on hundreds of operational systems.
SOC Radar also identified browser sessions logged directly into ransomware negotiation portals from systems participating in the credential theft operation, providing unusually strong evidence connecting credential harvesting directly to ransomware affiliates.
For organizations using Fortinet infrastructure, the message is clear.
Patching alone is no longer sufficient. Every Fortinet administrative password and VPN credential should be rotated immediately if it has not already been replaced since FortiBleed first emerged.
Treat every previously harvested credential as compromised.
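Rotating credentials is half the job; the other half is finding the administrator backdoors that the campaign left behind. As an added example (not SOCRadar’s or Fortinet’s tooling), the parser below reads the `config system admin` section of a FortiOS CLI configuration backup and flags accounts that are not in an approved baseline or that hold `super_admin` with no `trusthost` restriction. The configuration text is constructed, and the `prof_admin` profile name and the baseline set are assumptions for the illustration.

```python
"""Hunt for unexpected administrator accounts in a FortiGate configuration backup.

Added example, not SOCRadar's or Fortinet's tooling. Parses the
`config system admin` stanza of a FortiOS CLI export; the config text and
the approved baseline are constructed for illustration.
"""
import re

SAMPLE_CONFIG = """\
config system global
    set hostname "fw-edge-01"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 10.0.0.0 255.255.255.0
        config gui-dashboard
            edit 1
                set name "Status"
            next
        end
        set password ENC REDACTED
    next
    edit "netops"
        set accprofile "prof_admin"
        set vdom "root"
        set trusthost1 10.0.1.0 255.255.255.0
    next
    edit "support"
        set accprofile "super_admin"
        set vdom "root"
    next
end
"""


def parse_admins(config_text):
    """Return {name: {"accprofile": str|None, "trusthosts": [..]}} from `config system admin`."""
    admins, current, depth = {}, None, 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if depth == 0:
            if line == "config system admin":
                depth = 1
            continue
        # Nested blocks (e.g. gui-dashboard) have their own edit/next/end; skip them.
        if line.startswith("config "):
            depth += 1
            continue
        if line == "end":
            depth -= 1
            if depth == 0:
                break
            continue
        if depth != 1:
            continue
        m = re.match(r'edit "([^"]+)"$', line)
        if m:
            current = admins.setdefault(m.group(1), {"accprofile": None, "trusthosts": []})
            continue
        if line == "next":
            current = None
            continue
        if current is None:
            continue
        m = re.match(r'set accprofile "([^"]+)"$', line)
        if m:
            current["accprofile"] = m.group(1)
        m = re.match(r"set trusthost\d+ (\S+ \S+)$", line)
        if m:
            current["trusthosts"].append(m.group(1))
    return admins


def find_suspicious_admins(config_text, baseline):
    """Flag admins outside the baseline, or holding super_admin with no trusthost limit."""
    findings = {}
    for name, a in parse_admins(config_text).items():
        reasons = []
        if name not in baseline:
            reasons.append("not in approved baseline")
        if a["accprofile"] == "super_admin" and not a["trusthosts"]:
            reasons.append("super_admin reachable from any source (no trusthost)")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in find_suspicious_admins(SAMPLE_CONFIG, {"admin", "netops"}).items():
        print(name, "->", "; ".join(reasons))
```

Run it across every backup you hold, not just the current one: an account that appears in a recent backup but not in the last known-good one is the signal to chase, and a baseline that was itself captured after FortiBleed began is not a baseline.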
⚡ Need to Know
🌍 U.S. Restores Global Access to Anthropic’s Advanced AI Models
Following implementation of additional safety controls, the U.S. government lifted recent export restrictions affecting Anthropic’s advanced Fable 5 and Mythos 5 AI models. Global access restoration has already begun after Anthropic introduced enhanced safeguards intended to detect restricted usage with greater than 99% effectiveness.
⚖️ Scattered Spider Suspect Extradited to the United States
Nineteen-year-old Peter Stokes, also known online as “Bouquet,” was extradited from Finland to face U.S. charges tied to multiple Scattered Spider intrusions, including attacks against major retailers. Prosecutors allege the broader operation generated more than $100 million through ransomware activity and social engineering targeting IT help desks.
🏛️ DHS Confirms Homeland Security Information Network Breach
The Department of Homeland Security confirmed attackers compromised a legacy instance of the Homeland Security Information Network (HSIN), the collaboration platform supporting federal, state, local, and private-sector information sharing including coordination surrounding the FIFA World Cup. Classified systems were reportedly unaffected while investigators continue determining scope and attribution.
🏭 Kubota Employee Data Exposed After Month-Long Network Intrusion
Industrial equipment manufacturer Kubota disclosed attackers maintained access to internal systems for more than one month before detection. Exposed employee information includes Social Security numbers, financial account information, benefit records, and other sensitive personnel data.
🍎 Adobe, Google, and Citrix Release Critical Security Updates
Adobe addressed seven critical ColdFusion vulnerabilities carrying the maximum CVSS 10.0 rating. Google released Chrome updates addressing 382 vulnerabilities, including fifteen critical flaws. Citrix also patched six NetScaler vulnerabilities, including a new CitrixBleed-style issue affecting SAML identity provider deployments. Organizations should prioritize deployment before the holiday weekend.
🎯 Key Takeaway
Today’s show wasn’t really about Oracle.
It wasn’t about Microsoft.
And it wasn’t about AI.
It was about boundaries.
The authentication boundary.
The ERP boundary.
The AI sandbox.
The VPN credential.
The trusted platform.
Every major attack discussed today crossed a boundary defenders assumed was already secure.
Modern cybersecurity isn’t about building bigger walls.
It’s about continuously validating every trusted relationship inside your environment.
🧠 James Azar’s CISOs Take
What stood out to me today is how consistently attackers continue bypassing security not by defeating our strongest controls, but by finding the paths we forgot to protect. Oracle E-Business Suite, legacy Azure authentication flows, AI coding assistants, and Fortinet VPN infrastructure all represent trusted systems performing exactly as they were designed. The failures occur because organizations assume those trusted paths remain secure indefinitely. Trust is not permanent. It has to be continuously validated, especially as technology evolves faster than operational processes.
The second lesson is that AI development environments deserve the same security architecture we’ve spent decades building around production infrastructure. AI coding agents now possess access to repositories, cloud credentials, local filesystems, and enterprise environments. They have effectively become privileged identities. If we’re willing to threat model domain administrators, VPN gateways, and cloud identities, we need to apply that exact same discipline to autonomous AI agents before they quietly become our next major attack surface.
🛠️ Action Items
Confirm Oracle E-Business Suite May security updates have been deployed
Remove unnecessary internet exposure from Oracle EBS environments
Audit Microsoft Conditional Access policies for legacy authentication flows
Disable ROPC and other legacy authentication methods where possible
Patch Cursor IDE immediately once vendor updates become available
Review AI coding agent access to local filesystems and external MCP services
Rotate all Fortinet administrative and VPN credentials if not already completed
Hunt for unauthorized Fortinet administrator accounts, especially admin
Patch Adobe ColdFusion, Google Chrome, Citrix NetScaler, and related platforms before the holiday
Review DHS and critical infrastructure information-sharing connections for exposure
Complete high-priority patching before heading into the Fourth of July weekend
🔥 Stay Cyber Safe.