Cybersecurity News and Magazine

The Cyber Express Weekly Roundup: AI Security Controls, Major Patch Releases, Public Sector Audits, and Emerging Online Scams

Ashish Khaitan — Fri, 12 Jun 2026 11:48:04 +0000

This week's cybersecurity developments highlight a growing emphasis on proactive security measures, governance oversight, and risk management across both public and private sectors. From large-scale vulnerability remediation efforts and AI security enhancements to government-led technology reviews and event-driven cybercrime campaigns, organizations continue to face a complex threat landscape. A common theme across this week's stories is the balance between innovation and security. As institutions adopt AI-powered systems, expand digital services, and move critical operations online, security teams are being challenged to strengthen protections without slowing modernization efforts. At the same time, threat actors continue to capitalize on public-interest events and trusted digital platforms to conduct fraud and data-theft campaigns.

The Cyber Express Weekly Roundup

CBSE Re-Evaluation Portal Receives Final Security Clearance

The Central Board of Secondary Education (CBSE) has completed the final cybersecurity review of its examiner-facing re-evaluation platform, clearing the way for the reassessment of Class 12 answer scripts. Following an IIT-led audit and security testing process, examiners can now access the system to process applications submitted by more than 70,000 students. Read more...

OpenAI Expands Lockdown Mode Across ChatGPT Accounts

OpenAI has extended its Lockdown Mode security feature to all personal ChatGPT users, including Free, Go, Plus, Pro, and self-service Business accounts. The feature is designed to reduce the risk of prompt injection-related data exposure by limiting access to high-risk capabilities such as live web browsing, Deep Research, Agent Mode, and external file interactions. Read more...

UK Courts Explore AI-Powered Legal Assistance

The UK government has announced plans to test AI legal assistants within Crown Courts as part of broader judicial modernization efforts. The tools are expected to assist with legal research, case review, scheduling, and administrative processes while remaining under human supervision. Read more...

Microsoft Issues Largest Patch Tuesday Update on Record

Microsoft's June 2026 Patch Tuesday addressed a record-breaking 200 security vulnerabilities across its product ecosystem, including Windows, Office, Azure, and Exchange. The release included fixes for three publicly disclosed zero-day vulnerabilities and dozens of critical flaws. Read more...

ServiceNow Clarifies Nature of Recent Security Incident

ServiceNow has provided additional details regarding a recently disclosed security vulnerability, stating that observed activity originated from security researchers and customer investigations rather than malicious attackers. The company released a security update to address the issue and emphasized that there is no evidence of customer data misuse. Read more...

World Cup-Themed Scams Target Fans Ahead of FIFA 2026

Cybercriminals are already leveraging interest in the FIFA World Cup 2026 to launch phishing campaigns, fake ticket sales, and fraudulent recruitment schemes. Security researchers and law enforcement agencies have identified numerous lookalike domains impersonating official FIFA services in an effort to steal personal and financial information. Read more...

Weekly Cybersecurity Takeaway

This week's developments demonstrate that cybersecurity is becoming a foundational requirement for digital transformation rather than a separate consideration. Whether securing AI platforms, protecting educational systems, modernizing public services, or managing enterprise vulnerabilities, organizations are being forced to address security challenges alongside innovation initiatives. Meanwhile, threat actors continue to exploit trust, familiarity, and public interest to achieve their objectives. From phishing campaigns targeting global sporting events to attacks focused on cloud services and enterprise platforms, the most effective defenses remain strong security governance, timely patching, user awareness, and continuous monitoring of emerging risks.

FIFA World Cup 2026 Scams: Fake Websites, Ticket Fraud, and Job Scams Already Active

Ashish Khaitan — Fri, 12 Jun 2026 08:10:15 +0000

The FIFA World Cup 2026 may not kick off until June 11, 2026, but cybercriminals have already begun exploiting anticipation surrounding the tournament. Security researchers and law enforcement agencies are warning that FIFA World Cup 2026 scams are actively targeting fans, job seekers, and businesses through fake websites, phishing campaigns, and fraudulent online services. The FBI recently issued a Public Service Announcement warning that threat actors are creating fraudulent versions of FIFA-affiliated websites to steal personal information, conduct financial fraud, and sell fake products and services. Researchers at Cyble independently reviewed the FIFA domains identified by the FBI and confirmed that many remained active at the time of analysis. With 48 teams competing across 16 host cities in the United States, Canada, and Mexico, the tournament is expected to attract billions of viewers worldwide, making it an attractive target for cybercriminal activity.

Fake FIFA Domains and Typosquatting Attacks

According to the FBI, attackers are building websites that closely resemble FIFA’s official platform, www.fifa.com. These sites are designed to collect personally identifiable information (PII), including names, addresses, email accounts, banking information, and payment card details. Many of these operations rely on a typosquatting attack, a technique in which criminals register lookalike FIFA domains featuring slight spelling changes, missing characters, or alternative extensions. Examples identified by the FBI include fifa[.]help, fifa-online[.]com, jobs-fifa[.]com, fifa-ticket[.]live, fifa-hiring[.]com, and ww-fifa[.]com. Cyble researchers noted that malicious FIFA domains often reappear quickly after takedowns, indicating a continuously evolving fraud infrastructure rather than isolated campaigns.

Ticket, Hospitality, and Recruitment Fraud

One of the most convincing examples analyzed by researchers was ww-fifa[.]com, a typosquatting attack that removes a single "w" from the legitimate FIFA address. The site presented itself as an official FIFA World Cup 2026 portal and promoted premium hospitality packages that allegedly included tickets, food, beverages, lounge access, and other services. Researchers identified several red flags, including broken images, duplicate page titles, suspicious navigation links, and requests for personal and financial information through illegitimate payment forms. Cyble also uncovered employment-related FIFA World Cup 2026 scams. The domain fifaworldcup-careers[.]com impersonated a FIFA recruitment portal offering World Cup-related positions. VirusTotal data showed that the website was flagged by 8 of 91 security vendors, while the root domain was flagged by 14 of 91 vendors. [caption id="" align="aligncenter" width="936"] Fake FIFA 2026 domain scoring (Source: Cyble)[/caption] WHOIS records revealed that the domain was registered and updated in April 2026, with the registrant's identity hidden behind privacy protection services. Researchers also found two SSL certificates issued on April 15 and April 16, including a wildcard certificate covering subdomains.

How Fans Can Stay Safe

The FBI advises users to type www.fifa.com directly into their browser rather than relying on search engine results, sponsored advertisements, or links received through messages. Users should verify URLs carefully, save official pages as bookmarks, and avoid sharing sensitive information unless a site's legitimacy has been independently confirmed. The agency also warns that fraudulent streaming platforms are likely to increase as the tournament approaches. Fans should rely only on official FIFA channels and licensed broadcasters when searching for FIFA World Cup 2026 content. Anyone who encounters a suspected scam should preserve screenshots, domain information, communication records, and payment details before reporting the incident to the Internet Crime Complaint Center (IC3). With FIFA World Cup 2026 scams already active and new FIFA domains appearing regularly, experts warn that vigilance will be critical throughout the tournament period.

163 Organizations Hit by Thai Gambling SEO Poisoning Campaign

Ashish Khaitan — Fri, 12 Jun 2026 07:28:39 +0000

A large-scale Thai gambling SEO poisoning operation has compromised 163 organizations across more than 30 countries by exploiting abandoned cloud DNS delegations, according to research from Cyble Research & Intelligence Labs (CRIL). The ongoing SEO poisoning campaign has affected government agencies, healthcare organizations, financial institutions, universities, and critical infrastructure operators, allowing attackers to host Thai-language gambling content on trusted enterprise domains.

How the SEO Poisoning Campaign Works

Researchers found that the campaign primarily abuses abandoned Azure DNS zone delegations. When organizations retire cloud projects, DNS records that delegate subdomains to Azure are often left behind. Threat actors identify these orphaned delegations, recreate the abandoned DNS zones under new Azure subscriptions, and gain authority over the affected subdomains. Using this method, the attackers deploy a Next.js-based Thai-language gambling kit protected by valid Let's Encrypt wildcard certificates. As a result, users, browsers, and search engines see what appears to be legitimate content hosted under trusted corporate domains. At the time of publication, 161 of the 163 affected organizations remained actively compromised.

Discovery Leads to Global Exposure

The investigation began when CRIL identified unusual DNS activity on a Verizon subdomain environment. Researchers discovered more than 1,000 individually named subdomains serving Thai-language gambling content. Each page contains affiliate links designed to drive user registrations and generate commissions. Further analysis revealed the same infrastructure and content fingerprints across 162 additional organizations. More than 90 compromised enterprise subdomains shared the same Next.js build ID (QQOrXCFjoI6C9oF-4YVhl), favicon path (/img/ib99-hq.ico), and affiliate redirect destinations.

Four DNS Abuse Methods Identified

The Thai gambling SEO poisoning operation relied on four compromise mechanisms:

Azure DNS zone takeover: More than 150 organizations were affected through abandoned Azure DNS delegations.
DigitalOcean DNS zone takeover: Two organizations were compromised using a similar technique.
Direct wildcard DNS misconfigurations: Two organizations had wildcard records pointing to attacker-controlled infrastructure.
Mass A-record creation: Verizon's environment contained over 1,000 individual DNS records directing traffic to gambling content.

Certificate Transparency records showed some abandoned zones had remained dormant for years. One pharmaceutical company's subdomain had not seen a legitimate certificate since October 2019 before attackers obtained a new certificate on April 11, 2026. Another electronics firm's platform showed a gap between February 2023 and April 10, 2026.

Monetization and Backend Infrastructure

The SEO poisoning campaign generated revenue through affiliate tracking codes such as "ibiza99vip1," "bigwinv1," "seven77vip1," and "link99." Researchers observed server-side filtering that verified visitors originated from Thailand before redirecting them to gambling platforms. The campaign ultimately linked to four gambling destinations: ibiza99.autos, big888.store, seven77.click, and link99.nova555.rest. The gambling pages promoted deposits as low as 1 Thai Baht (approximately $0.03 USD) and included structured SEO content, FAQ schema, and mobile optimization features. Behind the delivery infrastructure, researchers uncovered a dedicated backend fleet of 103 servers located in Hong Kong under AS398478 (PEG TECH INC). Evidence linking the servers included identical TLS fingerprints, shared certificates, matching HTTP hashes, uniform MySQL configurations, and common administration tools.

Detection and Mitigation

CRIL noted that traditional security tools are unlikely to detect this Thai gambling SEO poisoning activity because the attackers use valid certificates, reputable domains, and clean infrastructure. The researchers recommend continuous monitoring of Certificate Transparency logs, auditing all DNS delegations, and immediately removing abandoned NS records pointing to cloud providers. According to the report, the campaign demonstrates how a single DNS hygiene failure can be systematically exploited at scale. Rather than breaching networks or applications, the attackers capitalized on forgotten cloud configurations, turning trusted domains into vehicles for a sophisticated SEO poisoning campaign targeting Thai search traffic.

Mackay Sugar Security Incident Forces Mill Shutdowns and Halts Harvesting Operations

Ashish Khaitan — Thu, 11 Jun 2026 07:58:02 +0000

Australia's second-largest sugar producer, Mackay Sugar, is investigating a cyberattack that has disrupted parts of its operations and temporarily halted sugarcane harvesting in Queensland's Mackay region. The Mackay Sugar security incident has led to the suspension of milling activities at two of the company's facilities while cybersecurity specialists and authorities work to determine the nature and impact of the attack. In a statement released on Wednesday, Mackay Sugar confirmed that it was responding to a cybersecurity incident affecting some of its operations. The sugar producer said its immediate priorities are ensuring the safety of employees, protecting operational systems, and maintaining business continuity during the investigation. "Our immediate focus is the safety of our people, protecting operational systems, and maintaining business continuity," the company said.

Mackay Sugar Security Incident Disrupts Key Operations

According to the company, specialist cybersecurity experts have been engaged to assist with the investigation and recovery efforts. Mackay Sugar also said it is working closely with relevant authorities to examine the incident and restore affected systems safely. The Mackay Sugar security incident has had a direct impact on production activities. Local media reports indicated that the company was forced to shut down its Farleigh and Racecourse sugar mills, two major facilities located in Queensland's Mackay region. As a result, growers were instructed to stop harvesting sugarcane until further notice. Canegrowers Mackay, an organization representing local sugarcane farmers, confirmed the directive in a statement issued on Wednesday. "Mackay Sugar has asked for all harvesting to cease immediately and not resume until further communication comes directly from the company," the statement read. The organization further confirmed that both sugar milling and cane haulage operations at the Farleigh and Racecourse mills had been suspended. The disruption comes shortly after both facilities commenced their annual sugarcane crushing season.

Growers Await Further Updates

While the shutdown has affected many growers in the region, producers in the Marian district have not experienced any immediate impact. According to a report from Australia's ABC News, Mackay Sugar's third mill, located in the district, is not scheduled to begin operations until next week. The sugar producer said it has implemented interim processes and temporary measures to support essential business functions and reduce operational disruption while recovery efforts continue. "Interim processes are in place to support critical business functions and minimise disruption where possible," the company stated. The company also emphasized that it is maintaining communication with employees, growers, and business partners throughout the incident. "We are communicating directly with our employees, growers, and key partners and will continue to provide updates as more information becomes available," Mackay Sugar said.

Investigation Continues as Details Remain Limited

At this stage, the sugar producer has not disclosed specific details about the cyberattack. The company has not indicated whether sensitive data was compromised or whether the incident involved ransomware or another form of malicious activity. Mackay Sugar reiterated that it takes cybersecurity responsibilities seriously and acknowledged the uncertainty caused by the disruption. "We take our responsibility to protect our systems, operations and information very seriously. We apologise for any disruption or uncertainty this incident may cause and we will provide timely updates as we continue our investigation," the company said. The ongoing Mackay Sugar security incident highlights the operational risks cyberattacks can pose to critical industries. As investigations continue, the company is focused on restoring systems safely while minimizing impacts on growers and production activities. Mackay Sugar operates three mills and generates annual revenue exceeding $420 million. The sugar producer supplies raw sugar to domestic customers and international markets, including South Korea, Indonesia, Japan, and Malaysia. Further updates regarding the Mackay Sugar security incident are expected as the investigation progresses and additional information becomes available.

ServiceNow Flaw Prompted Security Update After Researcher-Observed Activity, Not Active Attacker Exploitation

Ashish Khaitan — Thu, 11 Jun 2026 06:53:42 +0000

A recently disclosed ServiceNow flaw led to an emergency security update after unusual activity was identified in customer environments. While early reports suggested that unknown threat actors had exploited the vulnerability, ServiceNow has clarified that the observed activity originated from security researchers and customer security teams, not malicious actors. The issue, first widely discussed on Reddit, triggered concern across the cybersecurity community after evidence emerged showing that certain queries against ServiceNow instance data were possible under specific conditions. However, ServiceNow has now confirmed that no data was used or retained in a malicious manner. The company stated that the vulnerability affected certain customer configurations and could, in limited scenarios, allow an unauthenticated user to gain elevated access beyond intended permissions.

ServiceNow Flaw and Security Update Deployment

ServiceNow released a security update on June 5, 2026, addressing the issue across hosted customer environments.

“On June 5, 2026, ServiceNow applied a security update to hosted customer instances. The update concerned a security issue that could allow an unauthenticated user, in certain circumstances, to gain greater access to ServiceNow instances than intended.”

To reduce the risk associated with the ServiceNow flaw, the company modified endpoint configurations to ensure access is restricted to authenticated users only. At the time of disclosure, the issue had not yet been assigned a CVE identifier.

The vulnerability initially surfaced through Reddit discussions, where users raised concerns about potential exposure and questioned the internal response timeline.

No Evidence of Attacker Exploitation, Says ServiceNow

ServiceNow has clarified that there is no evidence of active exploitation by threat actors. Instead, the company said it identified unusual activity linked to research testing and customer-led investigations. According to ServiceNow, a subset of customer instances was queried during this activity, but the activity was not malicious in nature. The company also emphasized that affected customers were directly notified and provided with remediation guidance.

Scope of the ServiceNow Flaw and Affected Customers

The issue primarily impacted customers using the Australia platform release and some instances running pre-Australia configurations with specific changes.

“The security issue pertains to customers who are on the Australia platform release or made certain configuration changes to instances on releases prior to Australia.”

ServiceNow stressed that the incident was limited in scope and not a systemic issue affecting its entire customer base.

A company spokesperson reiterated that communication efforts focused on a small subset of impacted customers rather than a broad population.

Community Discussion and Reddit Timeline Questions

The ServiceNow flaw also sparked debate on Reddit regarding disclosure timelines and internal awareness.

One user, “d3s7iny,” claimed their security team had previously reported the vulnerability and alleged that ServiceNow had known about the issue since April 7, 2026. The post suggested the issue had been treated as non-urgent and scheduled for a later fix.

While these claims circulated widely online, they remain unverified and have not been confirmed by ServiceNow.

Bug Bounty Reports and Early Disclosure Signals

ServiceNow’s advisory confirmed that multiple bug bounty submissions were received shortly before the patch was released.

Between June 3 and June 4, 2026, customers reported a potential security issue through bug bounty channels that aligned with earlier internal findings.

The company also referenced a confidential report submitted on April 22, 2026, which described similar behavior affecting instance data access under specific conditions.

These overlapping reports contributed to the eventual identification and remediation of the ServiceNow flaw.

Clarification on Researcher Activity and Final Response

ServiceNow has since issued a public clarification, stating that the observed activity came from security researchers and customer investigation teams, not from malicious exploitation.

An official notification is available on the company’s trust portal: https://trust.servicenow.com/notifications/1205429e-fea3-4cbf-b37b-8cd3a4e07aef

The company emphasized that no customer data was retained or misused during the process and that the vulnerability was addressed through a targeted security update.

CISA Sets 72-Hour Patch Window for Federal Systems Facing Highest Cyber Risks

Samiksha Jain — Thu, 11 Jun 2026 06:02:42 +0000

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has introduced a new risk-based approach to vulnerability remediation, requiring federal civilian agencies to patch the most dangerous cyber vulnerabilities within 72 hours. Announced through Binding Operational Directive (BOD) 26-04, the new CISA vulnerability management directive replaces older remediation requirements with a framework designed to prioritize vulnerabilities that pose the greatest risk to government systems. The move comes as cybersecurity officials warn that artificial intelligence is helping threat actors identify and exploit security flaws faster than ever before. The directive aims to improve federal cyber resilience while ensuring agencies focus resources on threats most likely to be exploited.

New Risk-Based Model for Vulnerability Remediation

Under the directive, federal civilian agencies must evaluate vulnerabilities against four key criteria:

Asset exposure to the public internet
Inclusion in CISA's Known Exploited Vulnerabilities (KEV) catalog
Whether exploitation can be automated
The level of control an attacker could gain after exploitation

According to CISA officials, vulnerabilities meeting three of these four conditions will face accelerated remediation deadlines. The strictest requirement applies to vulnerabilities that are actively exploited, can be automated, and affect internet-facing systems. Agencies must patch such vulnerabilities within 72 hours. In cases where exploitation could allow attackers to gain complete control of a system, agencies are also required to investigate whether a compromise has already occurred before applying security updates. For vulnerabilities that meet similar risk criteria but cannot be exploited automatically, agencies will have up to 14 days to complete remediation, provided attackers have not already achieved full system control. Federal agencies have been given 180 days to update their internal policies and adopt the new timelines.

CISA Vulnerability Management Directive Responds to AI-Driven Cyber Threats

A key driver behind the CISA vulnerability management directive is the growing concern that artificial intelligence is reducing the time between the release of a security patch and active exploitation by threat actors. CISA noted that cybercriminals are increasingly leveraging AI-powered tools to discover, analyze, and exploit vulnerabilities more efficiently. As a result, defenders have less time to respond once a vulnerability becomes public. The agency said the new framework reflects today's threat environment by considering not only the vulnerability itself but also attacker capabilities, exploitability, asset exposure, and the potential consequences of a successful attack. By combining these factors, CISA aims to help agencies make informed remediation decisions without overwhelming IT teams with unnecessary patching activities.

Directive Consolidates Existing Federal Requirements

The new directive harmonizes and updates requirements from two previous federal cybersecurity mandates:

BOD 19-02, which focused on vulnerability remediation for internet-accessible systems
BOD 22-01, which addressed risks associated with Known Exploited Vulnerabilities (KEV)

Rather than treating all vulnerabilities equally, the updated approach prioritizes those most likely to be weaponized by attackers. Acting CISA Director Nick Andersen said the directive is intended to help agencies focus on areas of highest risk while improving transparency, predictability, and resource planning for remediation efforts. The agency also encouraged organizations outside the federal government to adopt similar risk-based vulnerability management practices.

Agencies Must Check for Compromise Before Patching

One of the most significant additions in the new directive is the requirement for agencies to determine whether a vulnerable system has already been compromised before applying patches. CISA emphasized that installing a security update does not automatically remove attackers who may already have gained access to a network. As a result, agencies must assess when and how a compromise occurred and conduct appropriate investigations before remediation. This requirement reflects growing concerns that attackers often maintain persistence inside networks even after vulnerabilities are patched. The agency described compromise assessment as a critical component of effective cybersecurity risk management, particularly for vulnerabilities already known to be exploited in the wild.

Strengthening Federal Cybersecurity Readiness

The CISA vulnerability management directive aligns with broader U.S. government efforts to strengthen cybersecurity and secure federal information systems against increasingly sophisticated threats. The directive supports objectives outlined in the Executive Order on Promoting Advanced Artificial Intelligence Innovation and Security, which calls for enhanced protection of civilian federal networks. As agencies implement the new requirements, CISA will monitor compliance, track progress, and provide support where necessary. The agency said the initiative represents an important step toward reducing cybersecurity risk across the federal enterprise while ensuring faster responses to the vulnerabilities most likely to be targeted by attackers.

French Government’s Tchap Messaging Platform Breached via Compromised Account

Ashish Khaitan — Wed, 10 Jun 2026 09:17:17 +0000

French authorities are investigating a security incident involving Tchap, the encrypted messaging platform used by the French government, after attackers reportedly gained access through a compromised user account. The Tchap Breach incident, which ANSSI detected, has prompted an ongoing investigation led by DINUM, the digital affairs directorate of the French government. According to information released on Monday, the Tchap breach was identified on Sunday when ANSSI, France’s national cybersecurity agency, detected suspicious activity on the platform. Officials said a threat actor accessed the service using a hijacked account, raising concerns about potential exposure of user conversations and shared data. The breach comes as Tchap continues to expand across the French public sector, serving hundreds of thousands of users following a government-wide push to reduce reliance on foreign communication applications.

Tchap’s Growing Role Within the French Government

Tchap was launched in 2018 through a collaboration between DINUM and ANSSI. Built on the decentralized Matrix protocol, the platform was developed specifically for use within the French public sector as a secure messaging and collaboration tool. The service has experienced significant growth in recent years. According to available figures, Tchap now records more than 300,000 monthly active users and has surpassed 500,000 downloads on Google’s Play Store. Its adoption accelerated after French Prime Minister François Bayrou introduced a directive in early August 2025 requiring civil servants to use Tchap for professional communications while prohibiting the use of foreign messaging applications for official work-related discussions.

DINUM Alerts CNIL Following Potential Data Exposure

In response to the Tchap breach, DINUM informed France’s data protection authority, the CNIL, because of the possibility that personal information shared by users may have been exposed. Authorities also notified all Tchap users and reminded them about the security limitations of public chat rooms on the platform. Officials emphasized that public channels can be discovered and joined by any Tchap user and that messages exchanged in these rooms are not encrypted. Providing an update on the investigation, DINUM stated: "At this stage, the account originating the malicious requests has been identified. It was immediately blocked to remove the attacker's persistent access and allow for a thorough analysis of the data they were able to access. The investigation continues, including the study of event logs, to identify the conversations that the attacker was able to access and the nature of the exfiltrated data." The French government agency further noted: "A message has been sent to all Tchap users reminding them that a public chat room can be found and joined by any user and that its content is not encrypted. In accordance with Tchap's terms of service, no personal, sensitive, or confidential information should be exchanged in public chat rooms: such exchanges should be reserved for private chat rooms."

Threat Actor Claims Social Engineering Led to the Tchap Breach

While DINUM has not released additional technical details regarding how the intrusion occurred, an individual claiming responsibility for the Tchap breach publicly shared alleged evidence over the weekend and described the attack as the result of a social engineering operation. The threat actor stated: "I social engineered a valid account on the education shard (matrix.agent.education.tchap.gouv.fr). Everything below is what that one account could reach; other shards will have more." According to the claims, access to a legitimate account enabled visibility into a substantial amount of information available through the platform. The individual also shared samples of files allegedly obtained during the intrusion and claimed to have uncovered hardcoded LDAP credentials. Those credentials were reportedly exposed through a PowerShell script shared by a regional director within a French tax authority.

Alleged Theft of Documents, Messages, and User Information

The threat actor further alleged that more than 13.5GB of documents and media files were taken from Tchap. These files were reportedly shared by public servants using the messaging service. In addition to the documents, the attacker claimed to have collected nearly 650,000 messages and information associated with more than 73,000 user accounts. The purported dataset allegedly includes email addresses, organizational details, meeting links, account information, device metadata, and other user-related records. The individual also made allegations regarding the accessibility of shared files on the platform, stating: "Every file ever shared on Tchap, on any shard, is downloadable without a token." They added: "The media IDs come from the messages. Once you have a message with a media URL you can pull the file freely regardless of which shard hosts it." These claims have not been independently verified by French authorities.

Microsoft Patches Record 200 Vulnerabilities in June 2026 Patch Tuesday

Ashish Khaitan — Wed, 10 Jun 2026 07:14:31 +0000

Microsoft's June 2026 Patch Tuesday, released on June 10, 2026, addressed 200 security vulnerabilities across Windows, Office, Azure, and related products—the largest single Patch Tuesday release in the programme's history, surpassing the previous record of 167 CVEs. The update includes fixes for three publicly disclosed zero-day vulnerabilities and 33 critical-severity flaws. The June 2026 release patches vulnerabilities across all major Microsoft product families: Windows 11 and Windows Server, Microsoft Office, Exchange Server, .NET Framework, Azure services, Hyper-V, Remote Desktop Services, and HTTP.sys. Of the 200 CVEs addressed, 33 are rated Critical, 166 are rated Important, and one is rated Moderate. Twenty-eight of the critical flaws are remote code execution vulnerabilities, four are elevation of privilege issues, and one is an information disclosure flaw.

June 2026 Patch Tuesday: Three Zero-Day Vulnerabilities

This month's release includes patches for three publicly disclosed zero-days. None are currently known to be under active exploitation, but security researchers note that patch reversal is underway. CVE-2026-50507 – Windows BitLocker Bypass (publicly disclosed): This vulnerability, nicknamed "YellowKey" by the researcher who discovered it, allows a local attacker with physical access to a device to bypass BitLocker's full-disk encryption and access data on an encrypted drive. The flaw requires local access and an elevated privilege context, reducing immediate remote risk—but it is significant for organisations that rely on BitLocker to protect data on lost or stolen hardware. The severity rating is Important. CVE-2026-49160 – HTTP/2 Denial of Service (publicly disclosed): Dubbed "HTTP/2 Bomb," this vulnerability was publicly disclosed by researchers at offensive security firm Calif before the patch was available. An unauthenticated remote attacker can exhaust server memory by sending crafted HTTP/2 frames, causing denial of service on Windows IIS and other HTTP.sys-dependent services. CVE-2026-45586 – Windows CTFMON Privilege Escalation (publicly disclosed): This elevation-of-privilege flaw in the Windows Collaborative Translation Framework Monitor (ctfmon.exe) grants a logged-in attacker SYSTEM-level privileges. While exploitation requires local access, it is a valuable component in multi-stage attack chains following initial compromise. Headline Critical Vulnerability: CVE-2026-45657

Beyond the three zero-days, security professionals should prioritise CVE-2026-45657, a Windows Kernel use-after-free vulnerability with a CVSS score of 9.8. The flaw stems from improper handling of TCP/IP operations within the Windows Kernel and allows a remote, unauthenticated attacker to execute arbitrary code at the SYSTEM level with no user interaction. Microsoft has classified it as "wormable" under certain network configurations. "CVE-2026-45657 is the kind of vulnerability that keeps defenders up at night," said a Zero Day Initiative researcher. The CVSS 9.8 score, combined with wormable potential, means we could see mass exploitation the moment a reliable exploit is developed.

The record-breaking scale of this month's release creates prioritisation challenges for already-stretched security teams. Microsoft and independent researchers recommend prioritising patches for BitLocker-protected devices, HTTP.sys and IIS infrastructure, Remote Desktop Services, Hyper-V hosts, and Windows Kernel components.

Mitigation Steps

Deploy June 2026 cumulative updates (KB5094126 for Windows 11, KB5094127 for Windows 10) without delay.
Prioritise CVE-2026-45657 patching on all internet-accessible Windows systems.
Apply the IIS/HTTP.sys patch for CVE-2026-49160 on all public-facing web servers.
Audit BitLocker-protected device inventory and apply CVE-2026-50507 patches before deploying new field hardware.
Review CTFMON and SYSTEM privilege escalation detections in endpoint security tooling.
Use the Microsoft Security Update Guide (msrc.microsoft.com) to filter by CVSS >= 9.0 for prioritisation.
Validate patch deployment through automated compliance reporting within 72 hours.

AI Heads to UK Courts, Bringing New Cybersecurity and Governance Challenges

Samiksha Jain — Tue, 09 Jun 2026 11:31:41 +0000

The UK government is moving ahead with plans to test AI legal assistants in the Crown Court as part of a broader effort to reduce case delays and improve court operations. The initiative, announced at London Tech Week, will see artificial intelligence used to support legal research, case analysis, trial scheduling, and administrative tasks across parts of the justice system.

The move comes as courts continue to face significant backlogs, prompting officials to explore how technology can help legal professionals spend less time on routine work and more time handling active cases.

AI Legal Assistants to Support Crown Court Work

Under the new initiative, AI legal assistants will be developed with input from legal experts and AI developers to help lawyers and court staff manage routine legal tasks.

According to the government, the tools are expected to assist with legal research, reviewing case materials, and analysing information that would otherwise require significant manual effort. The aim is to improve efficiency across the Crown Court and help cases progress through the system more quickly.

Before any deployment in live court environments, the AI legal assistants will be tested in controlled settings to assess performance, reliability, and compliance with legal standards.

AI Tool Planned for Trial Scheduling

The government also revealed plans for judges to use an AI-powered case management tool designed to identify trial-ready cases and group similar hearings together.

Officials believe the technology can help courts make better use of available judicial resources by improving scheduling and reducing delays caused by administrative bottlenecks.

By helping courts prioritize and organize cases more effectively, the system could contribute to faster case resolution and improved courtroom utilization.

Justice Transcribe Expands Across Probation Services

Alongside the Crown Court initiatives, the government confirmed that all probation officers in England and Wales have now been equipped with Justice Transcribe, an AI-powered transcription tool.

The platform automatically records and transcribes conversations with offenders, eliminating the need for probation officers to manually transfer handwritten notes into digital systems.

Government estimates suggest the technology could save the equivalent of 18,750 calendar days of administrative work annually, allowing probation staff to dedicate more time to offender supervision and case management.

Similar AI Technology Being Tested in Tribunals

A similar transcription tool is currently being trialled within Immigration and Asylum Tribunals.

The pilot allows judges to generate digital case notes through automated transcription, reducing paperwork and administrative workloads. If successful, the technology could be expanded to other courts and tribunals across the justice system.

AI Growth Labs to Support Legal Technology Development

The announcement follows the launch of the government's new AI Growth Labs, testing environments designed to help organizations develop and evaluate AI systems before deployment.

The facilities are expected to support the UK's legal technology sector by providing controlled environments where AI applications can be assessed for safety, performance, and operational effectiveness.

With AI legal assistants, AI-powered scheduling tools, and automated transcription platforms now being tested across multiple parts of the justice system, the UK government is increasingly exploring how artificial intelligence can support court operations and reduce administrative workloads without replacing legal decision-making.

Kuwait and Oman Sign Cybersecurity Pact to Counter Rising Digital Threats

Ashish Khaitan — Tue, 09 Jun 2026 07:11:12 +0000

As digital transformation accelerates across the Gulf region, Kuwait and Oman have taken a significant step toward strengthening their collective cybersecurity capabilities. The two countries recently signed a Memorandum of Understanding (MoU) designed to enhance bilateral cooperation in cybersecurity and improve their ability to address sophisticated digital threats. The agreement reflects a growing recognition that cybersecurity has become a critical component of national security. With government services, public institutions, and essential infrastructure becoming more dependent on digital technologies, Kuwait and Oman are seeking to strengthen their defenses against emerging cyber risks while ensuring the security of sensitive government data and digital systems.

Key Areas Covered Under the Kuwait and Oman Cybersecurity MoU

The cybersecurity MoU between Kuwait and Oman outlines several areas of cooperation aimed at boosting digital resilience and preparedness in both countries. One of the primary focuses of the agreement is the exchange of technical expertise. Through dedicated communication channels, both nations will share information related to newly identified vulnerabilities, cyber threats, and emerging attack methods. This information-sharing framework is expected to improve situational awareness and enable faster responses to evolving cybersecurity challenges. The MoU also emphasizes joint training initiatives. Kuwait and Oman plan to launch advanced training programs designed to develop highly skilled national professionals specializing in cybersecurity incident response. By strengthening local expertise, both countries aim to improve their readiness to manage and mitigate cyber incidents effectively. In addition, the agreement promotes greater field coordination between relevant authorities. Enhanced coordination will help improve the ability of both nations to respond to advanced cyberattacks, particularly those targeting critical sectors and essential infrastructure.

A Shared Vision for a Secure Digital Future

Officials from Kuwait and Oman have described the MoU as a reflection of their shared commitment to building what they referred to as a “digital fortress” capable of protecting national assets and strategic resources. The agreement comes at a time when government institutions are expanding the use of electronic services and cloud computing technologies. In this environment, cybersecurity is no longer viewed as an optional technical consideration. Instead, it has become a foundational requirement for ensuring business continuity, safeguarding sensitive information, and protecting citizen privacy. The cybersecurity partnership demonstrates how Kuwait and Oman are aligning their efforts to address common digital security concerns while preparing for future technological developments. By working together, both countries aim to establish stronger protective measures against cyber threats that transcend national borders.

Expanding Cooperation Beyond Cyber Defense

Beyond immediate security objectives, the MoU is expected to create opportunities for broader technological collaboration between Kuwait and Oman. Officials noted that the agreement represents an advancement in bilateral relations and could serve as a foundation for future initiatives in emerging areas of cybersecurity innovation. Potential areas of cooperation include the development of advanced encryption technologies, the integration of artificial intelligence into cyber defense systems, and the creation of unified security standards. Such initiatives could contribute to stronger regional cybersecurity frameworks and support the shared interests of Gulf Cooperation Council (GCC) member states. The agreement therefore extends beyond traditional cyber protection measures, positioning Kuwait and Oman to explore innovative solutions that address the evolving nature of digital threats while supporting long-term technological growth.