Canadian Cyber Security Journal
Filed under: News

Cybersecurity Daily Brief — Thursday, July 2, 2026

Here are today’s top cybersecurity stories for Thursday, July 2, 2026.

CISA Adds Actively Exploited SharePoint RCE Flaw to KEV Catalog
CISA warned that attackers are exploiting CVE-2026-45659, a deserialization flaw in Microsoft SharePoint Server rated CVSS 8.8. An authenticated attacker with Site Member permissions can execute arbitrary code on unpatched servers in low-complexity attacks requiring no user interaction. Microsoft patched the flaw in May 2026 for SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016, and federal agencies must remediate by July 4.
BleepingComputer

Citrix Patches Six NetScaler Flaws, Including CitrixBleed-Style Memory Overread
Citrix released fixes for six vulnerabilities in NetScaler ADC and NetScaler Gateway with CVSS scores from 6.9 to 8.8. The most scrutinized, CVE-2026-8451, is a memory overread triggered by malformed SAML requests when an appliance is configured as a SAML identity provider, sharing a root cause with the CitrixBleed class of flaws. The bulletin also addresses the HTTP/2 Bomb denial-of-service technique. Citrix reports no evidence of exploitation.
SecurityWeek

Exploitation of NetScaler Memory Disclosure Flaw CVE-2026-3055 Begins
Attackers are targeting NetScaler appliances with public proof-of-concept code for CVE-2026-3055, a memory overread disclosed in March that returns arbitrary memory content in HTTP responses. Reconnaissance attempts were first observed last week, with active exploitation confirmed within days. A working exploit published on GitHub extracts administrative session IDs and cookies, enabling session hijacking on unpatched appliances. Because the leaked data includes live session identifiers, applying the patch does not invalidate sessions that were already captured; active sessions should be terminated once the appliance is updated.
SecurityWeek

FortiBleed Credential Theft Campaign Linked to INC and Lynx Ransomware
New analysis ties the FortiBleed campaign, which harvested more than 110 million credentials from roughly 430,000 FortiGate firewalls, to the INC and Lynx ransomware operations. Researchers found an operator with access to FortiBleed infrastructure logged in to both groups’ negotiation panels, and at least 12 ransomware deployments traced back to the stolen access. Lynx is widely assessed as a rebrand of INC.
BleepingComputer

ChocoPoC RAT Targets Security Researchers Through Trojanized Exploit Repos
A joint investigation by YesWeHack and Sekoia identified at least seven GitHub repositories hosting proof-of-concept exploits with poisoned Python dependencies delivering a remote access trojan named ChocoPoC. The malware hides in PyPI packages pulled in as dependencies rather than in the exploit code itself, retrieves its final payload from a Mapbox dataset, and steals data from compromised researcher and pentester systems. The campaign has run since late 2025.
BleepingComputer

Check Point Documents AI-Generated Browser-Only Ransomware
Check Point Research analyzed a DeepSeek-generated sample abusing Chromium’s File System Access API to read, encrypt, and overwrite files entirely from the browser on Windows, macOS, Linux, ChromeOS, and Android. Researchers say the AI model turned a theoretical browser-only ransomware concept, previously dismissed as unfeasible because of sandboxing limits, into a working attack chain. The technique still depends on the victim granting the page access to a directory through the browser’s file picker prompt; it does not bypass that permission step. No in-the-wild abuse has been observed.
The Hacker News

Alleged Scattered Spider Member Extradited From Finland to Face US Charges
The US Department of Justice announced the extradition of Peter Stokes, 19, a dual US and Estonian citizen accused of participating in at least four intrusions under the handle “Bouquet,” including an $8 million extortion attempt against a luxury jewelry retailer. Prosecutors link Scattered Spider to more than 100 network intrusions and over $100 million in ransom payments. Stokes appeared in a Chicago federal court on June 30 and remains in custody.
The Hacker News

Researcher Analyzes 3,000 Live ClickFix Payloads, Exposing API-Driven Delivery
Security researcher Bert-Jan Pals examined roughly 3,000 payloads from live ClickFix campaigns and found that API-driven servers now hand each visitor the same malware in a different disguise, undermining signature-based detection. Newer pages pair a clipboard command with a silently downloaded file, using a short orchestrator line built to slip past AMSI script scanning.
The Hacker News

Microsoft Adds Teams Controls to Block Unauthorized AI Bots From Meetings
Microsoft introduced a Teams admin policy named “Manage external bots and their access to meetings,” which detects external bots, holds them in the meeting lobby, and requires organizer approval before admission. Lobby participants are now grouped into “Waiting” and “Suspected threats” categories, and identified bots require approval even where lobby bypass is enabled. The phased rollout completes by the end of July.
SecurityWeek

Stay tuned for today’s in-depth analysis posts.