Canadian Cyber Security Journal
SOCIAL:
Filed under: News

Cybersecurity Daily Brief — Friday, July 17, 2026

Here are today’s top cybersecurity stories for Friday, July 17, 2026.

SharePoint CVE-2026-58644 Zero-Day Added to CISA KEV — Federal Deadline July 19
CISA added CVE-2026-58644, a critical deserialization of untrusted data flaw in Microsoft SharePoint Server (CVSS 9.8), to its Known Exploited Vulnerabilities catalog on July 16. Microsoft confirmed active zero-day exploitation in the wild on July 15. The flaw allows unauthenticated attackers to execute arbitrary code, establish persistence by stealing IIS machine keys, and deploy malware on affected SharePoint Server instances. Federal civilian agencies must apply patches by July 19, 2026.
SecurityWeek

NadMesh Go Botnet Hunts Exposed AI Services for AWS Keys and Kubernetes Tokens
A newly discovered Go botnet named NadMesh has been targeting exposed AI and MCP services since early July, with the operator’s own dashboard claiming 3,811 unique AWS keys harvested. The botnet scans for ComfyUI, Ollama, n8n, Open WebUI, Langflow, and Gradio instances, exfiltrating cloud credentials from environment variables, Kubernetes service account tokens, and Docker configuration files. Docker API and Jenkins RCE exploits account for over 52 percent of observed attack traffic.
The Hacker News

ACR Stealer Uses ClickFix Lures to Steal Browser Tokens and Microsoft 365 Files
Microsoft’s Defender Experts team documented a surge in ACR Stealer activity from late April to mid-June, with attackers using ClickFix social engineering to deliver the infostealer via two distinct intrusion chains. The malware steals saved browser passwords, live session tokens, PDFs, and files from enterprise-synchronized OneDrive and SharePoint directories. ACR Stealer, also marketed as Amatera Stealer, is available as a service starting at $199 per month.
Microsoft Security Blog

Scattered Spider Members Sentenced to 66 Months for Transport for London Attack
A UK court sentenced Thalha Jubair, 20, and Owen Flowers, 18, to 66 months (five and a half years) in prison on July 16 for the 2024 cyberattack on Transport for London. The pair accessed TfL systems between August 31 and September 3, 2024, disrupting operations and costing the authority an estimated £29 million. Both pleaded guilty in June, receiving a 15 percent sentence reduction. The National Crime Agency described the prosecution as the most significant of cyber offenders in UK history.
CyberScoop

ClickLock macOS Malware Kills Applications Every 210ms to Force Password Entry
Group-IB disclosed ClickLock Stealer, a new macOS infostealer delivered via ClickFix terminal commands that installs LaunchAgents and then cycles a kill loop terminating Finder, Dock, Spotlight, and major browsers every 210 milliseconds for up to 83 hours until the victim enters their login password. The malware targets credentials from eight browsers, 31 crypto wallet extensions, seven password managers, and macOS Keychain. At least 100 targets in 33 countries have been identified since May 2026.
BleepingComputer

Ernst & Young Discloses Data Breach After Support System Hack
Ernst & Young is notifying clients of a data breach after an unauthorized third party accessed the company’s IT support ticket system between March 28 and April 12, 2026. EY detected anomalous activity on April 23. Compromised data included personal and financial information used to prepare tax filings. EY is offering 24 months of identity monitoring through Experian to affected individuals, with enrollment open until October 31, 2026. No ransomware or extortion group has claimed responsibility.
BleepingComputer

CISA Orders Fortinet FortiSandbox Patching by July 19 as Exploitation Continues
CISA directed federal agencies to patch two actively exploited Fortinet FortiSandbox vulnerabilities — CVE-2026-39808 (unauthenticated OS command injection, CVSS 9.1) and CVE-2026-25089 (unauthenticated command injection, CVSS 9.1) — by July 19, 2026. Both flaws allow remote unauthenticated attackers to execute arbitrary commands with low complexity. Exploitation was confirmed in the wild and both CVEs were previously added to the CISA KEV catalog.
BleepingComputer

Pentagon Suspends CMMC Phase 2 Third-Party Assessment Requirement
The U.S. Department of Defense suspended the mandatory third-party assessment requirement for CMMC Phase 2 on July 13, citing an insufficient assessor ecosystem and cost burdens forcing small defense contractors out of the industrial base. Over 100,000 defense industry businesses required certification, with fewer than 100 assessors available to conduct them. A 60-day CMMC Reform Task Force review has been launched, with recommendations due by mid-September. Self-assessment requirements under Phase 1 remain in force.
SecurityWeek

Fortinet FortiClient EMS CVE-2026-35616 Zero-Day Remains Without Full Patch
Fortinet has issued an emergency hotfix for CVE-2026-35616, a CVSS 9.8 improper access control zero-day in FortiClient EMS that allows unauthenticated attackers to bypass authentication and achieve code execution on the server. Active exploitation was observed by watchTowr on March 31, and CISA added the flaw to its KEV catalog on July 14. A full patch in FortiClient EMS 7.4.7 is still pending. Affected versions are 7.4.5 and 7.4.6; the 7.2 branch is not affected.
CyberScoop

WhisperLeak: LLM Side-Channel Attack Infers User Prompt Topics From Timing
Researchers disclosed WhisperLeak, a side-channel attack against large language models that infers the topics of user prompts by analyzing token generation timing patterns. The technique exploits non-uniform latency in LLM autoregressive generation without requiring access to model weights or API responses. Researchers demonstrated the attack against multiple commercial LLM APIs, raising concerns for enterprises routing sensitive queries through external AI services.
SecurityWeek

Stay tuned for today’s in-depth analysis posts.

Enjoy this article? Don’t forget to share.