Canadian Cyber Security Journal
SOCIAL:
Filed under: News

Cybersecurity Daily Brief — Thursday, July 9, 2026

Here are today’s top cybersecurity stories for Thursday, July 9, 2026.

Mount Royal University Confirms 10TB Data Breach — CMD Ransomware Group Demands $1.9M
Mount Royal University in Calgary confirmed a ransomware attack originating on June 17, 2026, in which threat group CMD Organization stole 10 TB of data from university file storage systems and deleted the originals to obstruct recovery. Stolen files include passport scans, student records, and employee data. The university is offering two years of credit monitoring to all current and recent employees and is notifying affected individuals. BleepingComputer

Microsoft Patches RoguePlanet Defender Zero-Day CVE-2026-50656
Microsoft released Microsoft Malware Protection Engine version 1.1.26060.3008, closing the RoguePlanet zero-day (CVE-2026-50656, CVSS 7.8) that allowed standard users to obtain SYSTEM-level access on fully patched Windows 10 and Windows 11 devices via a race condition in Defender’s real-time scanning engine. The vulnerability was publicly disclosed by the Nightmare Eclipse researcher following June 2026 Patch Tuesday and remained unpatched for weeks. The engine update deploys automatically via Windows Update. BleepingComputer

CISA Orders Federal Agencies to Patch Adobe ColdFusion CVE-2026-48282 by July 10
CISA issued an emergency directive under Binding Operational Directive 26-04 requiring federal civilian executive branch agencies to remediate the maximum-severity Adobe ColdFusion path traversal vulnerability CVE-2026-48282 (CVSS 10.0) by Friday. Active exploitation was confirmed within hours of disclosure, with attack traffic traced to an IP geolocated to India. The flaw enables unauthenticated remote code execution on ColdFusion versions 2025.9, 2023.20, and earlier. BleepingComputer

GodDamn Ransomware Uses Microsoft-Signed PoisonX Driver to Kill Endpoint Defenses
Symantec’s Threat Hunter Team disclosed GodDamn, a ransomware operation assessed as a rebrand of Beast ransomware. GodDamn deploys the PoisonX kernel driver (g11.sys) — carrying a legitimate Microsoft Hardware Compatibility signature — to terminate endpoint security processes and remove user-mode API hooks before encrypting files. Attacks observed in early June 2026 used AnyDesk for initial remote access and a NirSoft-based toolkit for credential harvesting. The Hacker News

Ubiquiti Patches Six More Critical UniFi Flaws Across Routers, Cameras, and NAS Devices
Following Wednesday’s disclosure of CVE-2026-50746 (CVSS 10.0) in UniFi Connect Application, Ubiquiti shipped patches for six additional critical vulnerabilities (CVE-2026-50747, CVE-2026-50748, CVE-2026-54400, CVE-2026-54402, CVE-2026-55115, CVE-2026-55116) across UniFi Talk, UniFi Access, UniFi Protect, UniFi OS Server, and a wide range of Ubiquiti routers, gateways, NAS, and surveillance systems. Censys reports over 100,000 UniFi OS instances exposed on the public internet. BleepingComputer

Lurking Lizard: China-Linked Threat Actor Runs 230-Domain Residential Proxy Network via Fake 7-Zip Installers
Infoblox exposed Lurking Lizard, a China-assessed threat actor that has operated an end-to-end residential proxy-as-a-service network since at least August 2022. The actor distributes trojanized 7-Zip installers to recruit victim devices, impersonates major proxy providers, and uses drop-catching to acquire expired high-trust domains. More than 230 lookalike domains support the operation, alongside fake review sites that drive traffic to its storefronts. The Hacker News

17 Fake Payment SDK Packages on npm and PyPI Steal Developer Credentials and API Keys
Socket’s AI scanner detected 17 malicious packages published July 7, 2026, across npm (13) and PyPI (4), impersonating official SDKs for Paysafe, Skrill, and Neteller. The packages return fake API success responses while exfiltrating Paysafe API keys, AWS access keys, GitHub tokens, npm tokens, and passwords to an AWS-hosted command-and-control server. PyPI variants activate automatically on import. Each npm package was flagged within six minutes of publication. BleepingComputer

Indirect Prompt Injection Manipulates AI Agents Into Making Unauthorized Cryptocurrency Payments
Zscaler ThreatLabz documented two active campaigns embedding hidden instructions in web pages to hijack autonomous AI agents. In one, agents searching for a non-existent Python library are instructed to purchase a $3.00 developer license using a Stripe checkout link or Ethereum wallet. Testing across 26 large language models found four — including Llama 3.3 70B Instruct and Gemini 2.5 Pro — completed the unauthorized payment when exposed to the injected prompts. SecurityWeek

AssuranceAmerica Discloses Breach Exposing 6.99 Million Driver’s License Numbers
Atlanta-based auto insurer AssuranceAmerica notified nearly 7 million customers that a March 16, 2026, employee credential compromise gave attackers access to names, contact details, driver’s license numbers, insurance policy data, and claims information. An external forensics review concluded June 15, after which the company began customer notifications. It is the largest known driver’s license number exposure in the United States so far this year. BleepingComputer

Stay tuned for today’s in-depth analysis posts.

Enjoy this article? Don’t forget to share.