
For hackers, sharing is caring.
CISA warns of active SharePoint attacks. The NSA pushes coordinated vulnerability disclosure. ClickLock Stealer targets macOS. Splunk and Zoom patch critical flaws. Spirals ransomware strikes in under 24 hours. New Windows evasion techniques emerge. LabubaRAT poses as NVIDIA software. 23andMe settles over its 2023 breach. Plus, a look back at one of the most audacious data center heists ever pulled off. Our guest is Ryan Kalember, Chief Strategy Officer at Proofpoint, discussing why agentic AI is creating a new insider threat. Near, far, wherever you are…the scam must go on.
Today is Thursday July 16th 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
CISA urges immediate patching of SharePoint servers.
The US Cybersecurity and Infrastructure Security Agency (CISA) is urging organizations to immediately secure on-premises Microsoft SharePoint servers after confirming that three vulnerabilities, CVE-2026-332201, CVE-2026-45659, and CVE-2026-56164, are being actively exploited. Administrators are advised to apply Microsoft’s security updates, follow mitigation and incident response guidance, hunt for indicators of compromise, and rotate SharePoint machine keys where appropriate, as patching alone may not remove attacker persistence. Microsoft also recommends enabling Antimalware Scan Interface (AMSI) integration to help detect malicious activity. Security experts warn that organizations should treat the advisory as more than a routine patching exercise, noting that a compromised SharePoint server can provide attackers with a pathway to critical systems, increasing the risk of ransomware, widespread network compromise, and data disclosure.
The NSA encourages CVD programs.
The National Security Agency (NSA), in partnership with CISA, Japan’s JPCERT/CC, and the Netherlands’ NCSC-NL, has released new guidance encouraging technology suppliers to establish coordinated vulnerability disclosure (CVD) programs that promote collaboration with security researchers. The guidance recommends publishing a clear vulnerability disclosure policy, maintaining an open and inclusive reporting process, and defining a broad scope for security testing. It also highlights the value of third-party intermediaries, such as national incident response teams, in coordinating disclosures and facilitating communication between researchers and vendors. Officials say robust CVD programs help organizations identify and remediate vulnerabilities more effectively, strengthen customer trust, and improve overall security. The agencies also encourage suppliers to regularly review and update their disclosure programs to keep pace with evolving cyber threats and industry best practices.
ClickLock Stealer targets macOS through social engineering.
Researchers at Group-IB have identified ClickLock Stealer, a new macOS malware that relies on social engineering, rather than software exploits, to steal sensitive data. First observed in early June, the malware has reportedly targeted more than 100 users across 33 countries, primarily in Europe. Victims are lured to fake Cloudflare verification pages that instruct them to manually execute a malicious Terminal command. Once launched, the malware steals browser data, cryptocurrency wallets, password manager information, macOS Keychain contents, FTP credentials, and shell history before exfiltrating the data through a Telegram bot. To defeat macOS security protections, ClickLock Stealer repeatedly terminates processes, suppresses security notifications, and displays convincing password prompts, coercing users into granting the access needed to harvest protected credentials while maintaining a persistent backdoor on infected systems.
Splunk and Zoom patch critical vulnerabilities.
Splunk and Zoom have released security updates addressing multiple vulnerabilities across their products, including several critical and high-severity flaws. Splunk patched three product-specific issues that could enable command safeguards bypass, path traversal, credential exposure, and unauthorized file writes, alongside fixes for vulnerabilities in third-party components such as OpenSSL and Golang. Zoom resolved four Windows vulnerabilities, including a critical flaw that could allow remote, unauthenticated account takeover and three high-severity privilege escalation and race condition issues. Neither company has reported evidence that the vulnerabilities are being actively exploited.
Spirals ransomware takes hold in less than 24 hours.
Researchers at Symantec have identified a new ransomware operation called Spirals that completed a full attack, from initial compromise to data theft and encryption, in less than 24 hours. The June intrusion targeted a South Asian IT services firm after attackers compromised an internet-facing IIS server and rapidly established persistence, harvested credentials, and moved laterally across the network. The attackers disabled Microsoft Defender, attempted to remove security software, and stopped backup, database, and virtualization services before deploying a Rust-based ransomware payload disguised as bitsadmin.exe. Stolen data was used to support a double extortion scheme, with victims threatened with public disclosure if they failed to pay within six days. Symantec has published indicators of compromise to help organizations detect and defend against the emerging threat.
Bind-Link abuse undermines Windows security controls.
Bitdefender Labs has documented three new attack techniques that abuse Windows’ legitimate Bind Filter file-system virtualization feature to evade security tools after attackers gain local administrator privileges. Dubbed File-Binding, Process-Binding, and Silo-Binding, the techniques can redirect trusted file paths to malicious content, disguise malicious processes as legitimate applications, and present different filesystem views to security tools and running processes. According to Bitdefender, these methods can undermine endpoint detection and response (EDR) products, AppLocker, Windows Firewall, AMSI, Sysmon, and forensic tools by exploiting assumptions that file paths reliably identify executable content. Microsoft assessed the issue as low severity because it requires administrator access, but Bitdefender argues the techniques represent a significant post-compromise threat, similar to Bring Your Own Vulnerable Driver (BYOVD) attacks, and has published detection guidance for defenders.
LabubaRAT masquerades as legitimate NVIDIA software.
Blackpoint Cyber’s Adversary Pursuit Group has identified a previously undocumented Rust-based remote access trojan (RAT) dubbed LabubaRAT, which masquerades as legitimate NVIDIA software to evade detection. Disguised as nvidia-sysruntime.exe, the malware uses fake NVIDIA metadata and artifacts while providing attackers with persistent remote access to compromised Windows systems. Researchers found that LabubaRAT supports command execution, PowerShell and JavaScript execution, screenshot capture, file transfers, archive management, SOCKS5 proxying, and optional user-level persistence. The malware communicates through multiple channels, including HTTPS polling, WebView2, and DNS tunneling, allowing operators to maintain access even if one communication method is blocked. Blackpoint says the malware appears to function as a reusable access framework rather than a one-off payload, with configurable settings for organizations, groups, servers, and API keys managed through associated command-and-control infrastructure.
23andMe settles with 42 states over their 2023 data breach.
A coalition of 42 state attorneys general has reached an $18 million settlement with 23andMe over cybersecurity failures that led to a 2023 data breach affecting 6.9 million customers. The breach exposed sensitive personal information, including genetic ancestry data, and investigators found the company lacked protections against credential-based attacks, failed to monitor for suspicious activity, and did not address known security vulnerabilities. Attorneys general also criticized 23andMe for initially denying the breach and blaming customers’ password practices. The settlement requires the 23andMe Research Institute, which acquired the company’s assets following its 2025 bankruptcy, to implement stronger security measures, conduct regular risk assessments, establish independent security oversight, and preserve customers’ ongoing rights to delete their personal data and destroy genetic samples. The institute has pledged to maintain 23andMe’s existing privacy policies governing customer data.
Revisiting a classic data center heist.
A lengthy feature in The New York Times Magazine recounts the 2007 theft of roughly 80 servers from a Verizon data center in London, orchestrated by career criminal Terry Ellis. Hired through an intermediary who claimed the servers contained sensitive banking records, Ellis assembled a team of thieves and computer technicians to execute the highly planned operation. Disguised as police officers responding to a rooftop emergency, they subdued security guards, removed the targeted servers, and escaped in under an hour. The article uses the heist to explore the growing importance of data centers as repositories of the world’s most valuable digital assets and argues that their physical security often receives less attention than cybersecurity. Although Ellis was eventually arrested and imprisoned, the incident highlighted the risks of physical attacks on critical infrastructure and underscored how concentrated stores of sensitive data remain attractive targets for determined criminals.
Near, far, wherever you are…scammers target Celine Dion fans.
Céline Dion’s long-awaited return to Paris has created another sold-out performance, just not the one fans expected. According to Group-IB, scammers are targeting eager concertgoers through Facebook and convincing fake ticket websites, turning excitement into an encore of fraud. The scheme is particularly clever: victims receive what appears to be a legitimate Ticketmaster ticket, complete with a valid transfer and QR code, only to discover that the same ticket has been sold to multiple buyers. The first person through the gate enjoys the show, while everyone else gets an expensive lesson in ticket validation. Researchers also uncovered more than 20 phishing domains impersonating Ticketmaster, AXS, the venue, and Céline Dion’s official site, many built with Shopify to mimic authentic checkout pages. Group-IB advises fans to buy only through authorized sellers, avoid direct bank transfers, and verify that payment details match the seller’s identity before hitting the high note on a purchase.
If the deal seems too good to be true, don’t let your heart Go On. You may find yourself singing the blues outside the arena instead of inside it.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s lead producer is Liz Stokes. We’re mixed by Tré Hester, with original music by and sound design Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I’m Dave Bittner. Thanks for listening.
