CISO Talk by James Azar
CyberHub Podcast
Trump Signs Executive Order Mandating Federal Post-Quantum Cryptography Migration by 2030, Scattered Spider Members Plead Guilty, LastPass Confirms Customer Data Stolen in Klue Breach

Why forgotten credentials, delayed patching, and unmanaged trust relationships remain cybersecurity's most expensive mistakes.

☕ Good Morning Security Gang,

Today’s episode revolved around a theme that the cybersecurity industry knows all too well but still struggles to execute consistently:

The gap between what we know we should do and what we actually do.

Today’s stories weren’t centered around sophisticated nation-state tradecraft or groundbreaking zero-day discoveries. Instead, they highlighted familiar failures: unpatched systems, forgotten credentials, abandoned vendor integrations, poor access governance, and delayed remediation. A Cisco vulnerability patched three weeks ago is now under active exploitation. The Klue supply chain breach continues expanding, with LastPass becoming the latest confirmed victim. The Five Eyes alliance issued a stark warning that AI-driven cyberattacks are arriving faster than most organizations are prepared for. Meanwhile, members of the notorious Scattered Spider group pleaded guilty in connection with one of the most disruptive attacks in the United Kingdom’s recent history.

The lesson is straightforward. The fundamentals still determine outcomes.

Double espresso in hand. Coffee cup cheers, gang. Let’s get into it.

🧭 Executive Summary

Today’s threat landscape revealed a recurring pattern.

Organizations continue suffering significant incidents not because they lack security tools, but because known risks remain unresolved long after they’ve been identified. Whether it’s Cisco systems left unpatched for weeks, OAuth credentials surviving years after pilot projects end, or identity controls failing to keep pace with modern threats, attackers continue finding success through operational gaps rather than technical brilliance.

At the same time, governments are beginning to prepare for the next era of cybersecurity. The Five Eyes alliance warned that AI will dramatically accelerate offensive cyber operations, while the United States formally established deadlines for federal post-quantum cryptography adoption.

The future is arriving quickly.

The challenge is that many organizations are still struggling with yesterday’s security problems.

📰 Top Stories & Deep Dive Analysis

🚨 Cisco Unified Communications Manager Vulnerability Under Active Exploitation

Cisco issued an urgent warning that CVE-2026-20230, a high-severity server-side request forgery vulnerability affecting Unified Communications Manager and Unified Communications Manager Session Management Edition, is now being actively exploited in the wild. The vulnerability carries a CVSS score of 8.6 and was originally patched on June 3rd.

The flaw exists within the Web Dialer component and allows unauthenticated attackers to write arbitrary files to the underlying operating system through crafted HTTP requests. Once file write access is achieved, attackers can escalate privileges and gain root-level control of the server.

Researchers demonstrated that attackers can obtain required hostname information directly from the system before exploitation begins, significantly lowering the barrier to entry. Threat intelligence firms have already observed reconnaissance activity, including attempts to create test files designed to identify vulnerable targets.

What makes this story notable is not the vulnerability itself.

It’s the timing.

Organizations have had access to a patch for more than three weeks, yet attackers are still finding enough vulnerable systems to justify active exploitation campaigns. Given how widely Cisco Unified Communications Manager is deployed across enterprise voice, collaboration, and call center environments, the potential impact is significant.

If you’re running CUCM and haven’t patched yet, you’re operating on borrowed time.

🔗 Klue Supply Chain Breach Expands as LastPass Becomes Latest Victim

The Klue supply chain incident continues to evolve into one of the most significant SaaS-based breaches of 2026. New details reveal that the initial compromise originated from a credential issued to a third party during a limited pilot project in 2022. The credential remained active for four years after the pilot ended and ultimately became the entry point for attackers.

Attackers used the dormant credential to access Klue’s infrastructure, steal OAuth tokens connected to Salesforce and Gong environments, and pivot into customer systems where they extracted sensitive CRM data.

Today’s major development is the confirmation that LastPass was among the impacted organizations.

“The Klue breach didn’t start with Icarus. It started with a vendor offboarding process that never actually happened.” James Azar

According to LastPass, attackers accessed customer contact information, phone numbers, email addresses, physical addresses, support case information, and sales-related records stored within Salesforce. The company emphasized that password vaults were not compromised.

However, that distinction may provide little comfort to affected customers.

The stolen information provides attackers with exactly the type of contextual intelligence needed to launch highly targeted phishing campaigns, executive impersonation attacks, and sophisticated social engineering operations.

This incident marks the third major Salesforce OAuth-focused supply chain attack in less than a year.

At some point, the issue is no longer the attackers.

It’s the industry’s inability to properly govern third-party trust relationships.

⚖️ Scattered Spider Members Plead Guilty in Transport for London Attack

Two members of the notorious Scattered Spider cybercrime collective pleaded guilty on the opening day of their trial in the United Kingdom. Twenty-year-old Tahala Jubair and eighteen-year-old Owen Flowers admitted to conspiracy charges related to the cyberattack against Transport for London.

The attack caused widespread operational disruption, forced password resets for approximately 28,000 employees, exposed Oyster card refund data affecting roughly 10 million customers, and generated recovery costs estimated between £29 million and £39 million.

The evidence against the pair was substantial. Investigators recovered screenshots showing active access to Transport for London systems along with video recordings documenting portions of the intrusion.

The broader significance of this case lies in the demographics.

Scattered Spider continues to demonstrate that some of the most damaging cyberattacks globally are being conducted by individuals barely old enough to vote. Previous arrests and convictions have already impacted several core members of the group, including Tyler Buchanan and Noah Urban.

Yet despite these arrests, the pipeline remains active.

Authorities estimate that approximately one in five children between the ages of 10 and 16 in the United Kingdom have engaged in activities that technically violate computer misuse laws.

The next generation of cybercrime talent is already forming.

The question is whether defenders can adapt quickly enough.

🤖 Five Eyes Warns AI-Powered Cyberattacks Are Months Away, Not Years

The Five Eyes intelligence alliance, consisting of the United States, United Kingdom, Australia, Canada, and New Zealand, issued a joint advisory warning that advanced AI systems are poised to fundamentally transform the cyber threat landscape.

Unlike previous warnings that focused on theoretical future risks, this advisory is remarkably direct.

“The Five Eyes aren’t warning us about a future scenario. They’re describing the present state.” James Azar

The agencies involved, including CISA and the NSA, state that AI is already being used offensively and that frontier models will soon accelerate vulnerability discovery, exploit development, reconnaissance, and attack automation at unprecedented speed.

The advisory emphasizes that cybersecurity must be treated as a board-level business risk rather than solely an IT responsibility.

Organizations were urged to focus on five foundational areas:

  • Reduce attack surface exposure

  • Accelerate patch management

  • Eliminate unsupported legacy systems

  • Strengthen identity controls

  • Regularly test incident response capabilities

The timing of this advisory is notable given the reported 400% increase in cyber activity targeting satellite operators and space-sector organizations following recent geopolitical tensions involving Iran.

The message from Five Eyes is clear.

The organizations struggling with basic cybersecurity today will be the least prepared for AI-accelerated attacks tomorrow.

⚡ Need to Know

🍎 New Atomic macOS Stealer Campaign Targets Apple Users

Researchers identified a new ClickFix campaign targeting macOS users. Victims are tricked into opening Terminal and executing malicious commands that install the Atomic macOS Stealer. The malware targets browsers, cryptocurrency wallets, Apple Keychain, Telegram, Discord, and hardware wallet software. No legitimate website should ever instruct users to paste commands into Terminal.

🔐 Trump Signs Post-Quantum Cryptography Executive Order

President Trump signed Executive Order 14409 establishing deadlines for federal migration to post-quantum cryptography. High-value federal systems must adopt quantum-resistant key establishment mechanisms by December 31, 2030, and quantum-resistant digital signatures by December 31, 2031. Federal contractors will face similar expectations.

🛠️ OpenAI Expands Cybersecurity Initiative

OpenAI announced major updates to its Daybreak cybersecurity initiative, focusing on patch deployment and open-source software security. Through partnerships with HackerOne and Trail of Bits, the program aims to accelerate remediation efforts across critical open-source projects.

🌐 International Cybercrime Marketplace Operator Extradited

Spanish authorities extradited Algerian national Abdullah Balami to the United States. He is accused of operating cybercrime marketplaces known as Market Zero Day and Spoxy, which allegedly facilitated the sale of stolen credentials, exploits, and cybercrime services.

🚗 Israeli Defense Sector Removes Chinese Vehicles

Israeli defense contractor Elbit Systems has begun replacing Chinese-made vehicles within its corporate fleet due to concerns surrounding surveillance, connectivity, and supply chain risks. Other critical infrastructure operators in Israel are reviewing similar policies.

🎯 Key Takeaway

Today’s show wasn’t about advanced persistent threats.

It wasn’t about artificial intelligence.

And it wasn’t even about zero-days.

It was about execution.

A Cisco patch available for three weeks.
A credential left active for four years.
An OAuth token nobody reviewed.
An identity relationship nobody questioned.

The cybersecurity industry spends enormous resources discussing emerging threats.

Yet attackers continue succeeding through problems we already know how to solve.

🧠 James Azar’s CISOs Take

What stood out to me today is how many of these incidents trace back to governance failures rather than technology failures. The Cisco vulnerability had a patch. The Klue breach started with a credential that should have been removed years ago. The Scattered Spider intrusions repeatedly relied on social engineering rather than sophisticated exploitation. We continue investing heavily in advanced security technologies while leaving basic operational controls under-managed. Attackers notice that imbalance, and they exploit it relentlessly.

The second takeaway is that the timeline for cyber risk continues shrinking. The Five Eyes warning wasn’t written for future generations of security leaders. It was written for today’s leadership teams. AI-driven attack acceleration is happening now. Quantum-resistant cryptography deadlines are already being established. Organizations that cannot maintain credential hygiene, patch management discipline, and access governance today will struggle even more in an environment where attackers operate faster and at greater scale. The fundamentals are no longer simply best practices. They’re survival requirements.


🛠️ Action Items

  • Patch Cisco Unified Communications Manager immediately

  • Audit all internet-facing Cisco Web Dialer deployments

  • Review temporary vendor credentials and pilot program accounts

  • Audit Salesforce OAuth integrations and connected applications

  • Rotate dormant API keys and OAuth tokens

  • Alert executives and customer-facing teams to phishing risks from the Klue breach

  • Strengthen help desk verification procedures against social engineering

  • Review organizational readiness for AI-assisted cyber threats

  • Begin post-quantum cryptography inventory and planning efforts

  • Train users against ClickFix and Terminal-based phishing attacks

  • Assess third-party trust relationships and vendor offboarding procedures
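The vendor-credential and OAuth review items above can be turned into a repeatable check. This is an added example, not code from the show or from any of the vendors mentioned: it runs a simple policy over a constructed credential inventory (the field names, the 90-day dormancy threshold and the sample entries are all assumptions) and flags the pattern behind the Klue breach, a pilot credential that outlived its engagement and sat unused for years.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

@dataclass
class Credential:
    cred_id: str
    owner: str                 # vendor or team the credential was issued to
    kind: str                  # "api_key", "oauth_token" or "user"
    issued: date
    last_used: Optional[date]  # None if the platform never recorded a use
    expires: Optional[date]    # planned end of pilot/engagement; None = open-ended
    scopes: Tuple[str, ...] = ()

DORMANT_AFTER = timedelta(days=90)          # assumed policy threshold
BROAD_SCOPES = {"full", "refresh_token"}    # assumed "too much access" markers

def audit(creds: List[Credential], today: date) -> Dict[str, List[str]]:
    """Return {cred_id: [reasons]} for every credential that needs review."""
    findings: Dict[str, List[str]] = {}
    for c in creds:
        reasons = []
        if c.expires is None:
            reasons.append("no engagement end date recorded")
        elif c.expires < today:
            reasons.append(f"engagement ended {(today - c.expires).days} days ago")
        last = c.last_used or c.issued
        if today - last > DORMANT_AFTER:
            reasons.append(f"dormant for {(today - last).days} days")
        broad = BROAD_SCOPES.intersection(c.scopes)
        if c.kind == "oauth_token" and broad:
            reasons.append(f"broad scope granted: {sorted(broad)}")
        if reasons:
            findings[c.cred_id] = reasons
    return findings

# Constructed sample inventory, modelled on the failure modes in the episode.
SAMPLE_INVENTORY = [
    Credential("vendor-pilot-2022", "pilot-vendor", "api_key",
               date(2022, 3, 1), date(2022, 6, 15), date(2022, 6, 30)),
    Credential("sf-connected-app-gong", "sales-tools", "oauth_token",
               date(2025, 11, 1), date(2026, 6, 20), None, ("full", "refresh_token")),
    Credential("ci-deploy-key", "platform", "api_key",
               date(2026, 1, 10), date(2026, 6, 24), date(2026, 12, 31), ("deploy",)),
]

if __name__ == "__main__":
    for cred_id, reasons in audit(SAMPLE_INVENTORY, date(2026, 6, 25)).items():
        print(cred_id, "->", "; ".join(reasons))
```

Feeding the same function a real export of connected apps and API keys gives a first-pass list for the rotation and offboarding items above.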

🔥 Stay Cyber Safe.
