Loading summary
A
Cybersecurity Today is brought to you by Nord Layer. Nord Layer gives your company centralized control over individuals and teams who access your systems, keeping connections secure from anywhere with no additional hardware required. Visit Nordlayer.com and use the discount code NLSummer26 for a special discount on your purchase.
B
An AI agent runs a ransomware attack from start to finish for the first time, a new critical vulnerability for Oracle creates fresh headaches. Police bust Netnut, a US county quietly paid a million dollar ransom and a lawmaker investigating spyware abuse ends up a victim. This is Cybersecurity Today and I'm your host David Shipley. Lets get started. Researchers say they found the first ransomware attack run entirely by an AI agent, start to finish, with no human at the keyboard. The security firm Sysdig calls it Jade Puffer. It's an autonomous large language model agent that handled the whole attack, reconnaissance, credential theft, lateral movement, persistence, privilege escalation and the encryption itself. And the researchers say it improvised when a step failed. The agent retried with adjusted parameters in one sequence. It went from a failed login to a working fix in 31 seconds. In an ironic twist, the AI powered ransomware got in via CVE2025 3248, an unauthenticated remote code execution flaw in Langflow, and an open source framework for building LLM powered AI apps. Langflow patched the vulnerability back in April 2025, and CISA flagged it as actively exploited a month later. But plenty of Internet exposed instances were never hardened, and many were sitting on cloud credentials and API keys. From there, the agent dumped a PostgreSQL database, hunted through environment variables, pulled credentials, and pivoted To a production MySQL server running Alibabo Nakos. It encrypted 1042 Nakos configuration items, deleted the originals, and dropped an extortion table With a ransom demand, a Bitcoin address, and a ProtonMail contact, here's where the machine gave itself away. The ransom note bragged about using AES256 encryption. Sysdig says the real encryption was the far weaker AES 128 ECB. The Bitcoin address is also a well known example wallet lifted straight from public documentation, likely something the model regurgitated from its training data. And the encryption key was generated at random, never saved or sent anywhere. So even if a victim paid the ransom, there's nothing to decrypt the data with. Agentic ransomware may be here, but like a lot of large language model AI hype. It doesn't exactly work well yet. That's not to say that agentic ransomware won't cause chaos. It almost certainly will. Whether it fully pays off for criminals to use it, particularly if it continues to prove unreliable, is an open question. There's a fresh critical flaw in Oracle's enterprise software under active attack this flaw lands in the midst of a horrible year for Oracle customers dealing with the fallout from another exploited vulnerability earlier this summer in one of its products. The new flaw is CVE2026 46817 and it's a bug in Oracle Payments, part of the E Business suite. It rates a whopping 9.8 out of 10 on the CVSS scale and and an unauthenticated attacker with network access over HTTP can compromise the product outright. Oracle patched the flaw back in May as part of a larger update, but researchers at security firm Defuse say they caught a threat actor exploiting it on one of their honey pots on June 27. Coming from a French IP behind a VPN, there's no public proof of concept code yet and no prior known exploitation. Shadow Server and Valadin peg roughly 950 exposed Oracle payments instances as potentially vulnerable. Oracle is still living through one of the year's ugliest breach waves since June. The Shiny Hunters extortion crew tracked by Mandiant as UNC6240 have been tearing through Oracle PeopleSoft clients using a separate 9.8 out of 10 0day CVE2026 35, 273. Google says the campaign ran from late May, before Oracle's June 10th advisory, and hit more than 100 organizations across some 300 PeopleSoft instances. The education sector took the brunt of that attack, with universities seemingly the primary target. But the victim list from that attack keeps growing. On Friday, we covered that Nissan has confirmed a breach affecting current and former employees across four countries, exposing Social Security numbers, banking details, payroll and tax records. The national association of Insurance Commissioners in the US got hit too, and had its data leaked after refusing to pay two different Oracle products. Two two different 9.8 out of 10 flaws and lots of breach pain to go around. If you use Oracle Payments, now's the time to make sure you're patched. A joint operation involving Google has disrupted netnut, one of the largest residential proxy networks in the world, and cut off access to millions of hijacked devices. Along the way. Netnut also tracked as Papa Gave, gave criminals and espionage crews a way to hide behind ordinary home Internet addresses. This is what's known as a residential proxy. With a residential proxy, you route your attack traffic through someone's living room, and it looks like someone regularly browsing the Web rather than a threat actor casing a target. Google's Threat Intelligence Group estimates the botnet controlled at least 2 million compromised devices worldwide and including smart TVs and streaming boxes. The devices got roped in the usual way, through malware that was either pre installed before purchase or Trojanized apps that users downloaded and installed themselves. Some of the Netnut devices were tied To Bad Box 2.0, which packages proxy plugins into infected applications. Once compromised, the device becomes an exit node created quietly routing someone else's traffic through a victim's ip. The takedown pulled in Google, the FBI, Lumen Technologies, the Shadow Server foundation, and other partners. The FBI seized netnut.com and other associated domains. Google disabled the accounts running command and control, warned affected users through Play Protect and shared technical details on Netnut's SDKs and and backend with law enforcement and researchers. In a single week last month, Google observed 316 distinct threat clusters using suspected Netnot exit nodes. Cybercriminals and espionage groups alike running password spraying campaigns and reaching into victim environments. Google expects the disruption to ripple across the wider proxy industry, since Netnut ran a reseller program that let others private label its network. But Mandiant offered a sober caveat to the success. Disrupting one proxy service often just sends criminal operators shopping for a replacement capacity from a proxy competitor. As long as there's billions of vulnerable IoT devices plugged into the Internet, there's always going to be another Netnut to bust. Researchers say a US Government entity paid about a million dollars to keep stolen files off the Internet, and the crew that took the money may not be a traditional ransomware gang at all. The case comes from a study by Ransom isac built on a leaked negotiation chat and blockchain trails that the payment left behind. The group calls itself Kairos, and researchers found that they didn't use an encryptor or locker, and there was no offer for a decryption key. Nothing was scrambled in their attack. Their threat was simpler Steal the files, then charge the victim not to publish them. Ransom ISAC doesn't name the victim, but the chat points to Union County, Ohio. In May 2025, the county said it detected ransomware and later told more than 45,000 residents and staff their data had been taken, including Social Security numbers, financial records, fingerprints and and passport numbers. Neither the county nor Kairos has confirmed the link. The negotiation in the chat dragged on for about a month. Kairos opened the negotiations at $3 million, claiming more than 2 terabytes of stolen data. The county started at 100,000 and inched upwards. Kairos set a hard final number 1 million paid by a deadline or the files would go public. Based on the chat, it looks like the county may have paid on June 13 with roughly 9.44 bitcoin, 10 times its first offer. Within hours, the money was split and pushed through a chain of wallets towards exchanges, including a Russian service called Belki. And what exactly did the payment buy from the criminals? Apparently a proof of deletion file and promises that the data would not be shared. Sophos reported last year that only about half of ransomware attacks still bother with encryption. That's the lowest rate in six years. Kairos itself has gone quiet and the leak site is down, but a wallet tied to the operation was still moving money as recently as May 2026. It's worth noting that if Kairos is rushing, they may be taking the summer off before coming back to work in the fall. A member of the European Parliament tasked with investigating spyware abuse was himself repeatedly hacked with Pegasus while he was serving on an investigative committee. The finding comes from the Citizen Lab, the world leading University of Toronto research group. Former member of the European Parliament Stelios Kubelu sat on the PEGA committee the body set up in 2022 to probe how EU member states were using commercial spyware against journalists, lawmakers and critics. Forensic analysis of his iPhone found that it was compromised in October 2022, then again in March 2023 during the committee's work. It's the first time a PEGA Committee member has been publicly identified as a Pegasus victim while serving on the committee. The Pegasus infections leaned on a zero day exploit in Apple's homekit software, code name Pwn youn Home. Victims didn't have to tap, click a link or make a mistake to be exploited. Apple has since patched the vulnerability, and Kugaloo received three separate Apple threat notifications about mercenary spyware over the following two years. The first infection landed while Kugaloo was in hospital for surgery, days after a visit from a Greek investigative journalist whose own phone had been hit with Predator spyware. The second coincided with the intense final drafting of the committee's report two months before it was adopted. Citizen Lab hasn't pinned the attack on any single government and says there's no evidence Greece was behind it, but it found an infrastructure overlap with an earlier campaign against exiled Russian and Belarusian journalists. A shared email address the lab believes was unique to to a single operator. This points to a Pegasus customer who is licensed to spy on multiple EU jurisdictions and that's Cybersecurity Today for Monday, July 6, 2026. If you enjoyed today's show, we'd love to hear from you. You can send us a comment by visiting technewsday.com or CA, or you can leave a comment under the YouTube video I've been your host, David Shipley. Thanks for listening and have a fantastic start to your week. Stay safe out there.
A
Once again, we'd like to thank Nord Layer for their support in sponsoring this show. Teams today work across multiple tools and devices, but security often remains fragmented. That is exactly where Nord Layer fits in. Nord Layer is a network security platform that not only enables secure access to company systems, but it also provides easy to manage centralized control over users, teams, devices and network activity. Without additional hardware or complex infrastructure, company data is protected, compliance issues are solved, access management and security policies are automated. Nord Layer helps businesses of all sizes manage the complexity of access and monitor and manage that access while at the same time replacing legacy VPNs. Encrypted connectivity with full visibility across your entire network environment. And did we mention no new hardware required? Contact Nordlayer.com and use the discount code NL Summer 26 for a special discount on your purchase.
Date: July 6, 2026
Host: David Shipley
This episode of "Cybersecurity Today" dives into a historic AI-run ransomware attack, a dangerous new Oracle vulnerability, the international takedown of the NetNut proxy network, revelations about a US county quietly paying ransom without data encryption, and spying against a prominent member of the EU’s spyware investigation committee. Host David Shipley explores how these events signal both the growing sophistication and persistent flaws in cybercrime, and what organizations should do to shore up defenses.
| Timestamp | Quote | Speaker | | --------- | ----- | ------- | | 01:07 | “In one sequence, it went from a failed login to a working fix in 31 seconds.” | David Shipley | | 03:05 | “Agentic ransomware may be here, but like a lot of large language model AI hype. It doesn't exactly work well yet.” | David Shipley | | 06:39 | "Two two different 9.8 out of 10 flaws and lots of breach pain to go around." | David Shipley | | 06:49 | "If you use Oracle Payments, now's the time to make sure you're patched." | David Shipley | | 07:20 | "With a residential proxy, you route your attack traffic through someone's living room, and it looks like someone regularly browsing the Web rather than a threat actor casing a target." | David Shipley | | 09:09 | "As long as there's billions of vulnerable IoT devices plugged into the Internet, there's always going to be another NetNut to bust." | David Shipley | | 09:46 | "Their threat was simpler: Steal the files, then charge the victim not to publish them." | David Shipley | | 11:36 | "It's the first time a PEGA Committee member has been publicly identified as a Pegasus victim while serving on the committee." | David Shipley |
David Shipley brings urgency and sharp analysis to a span of global stories that illustrate both the innovation and ongoing risks in cybersecurity. From AI-driven threats that (for now) outsmart themselves, to institutional vulnerabilities and state-level digital espionage, the episode is a brisk, authoritative snapshot of the threats facing businesses and governments in mid-2026.
Tone: Direct, factual, occasionally darkly witty; focused on practical lessons for organizations and policymakers.