
Loading summary
A
Cybersecurity Today is brought to you by nordlayer. Teams today work across multiple tools and devices, but security often remains fragmented and this is exactly what Nord Layer can help you address. Nord Layer gives your company centralized control over access by individuals and teams and keeps connection secure from anywhere with no additional hardware required. Visit nordlayer.com cybersecurity today and use the discount code NLSUMMER26 for a special discount on your purchase.
B
An alleged Scattered Spider member's anonymity gets squashed Google Flaw could have turned chatbots into data thieves, a 16 year old Linux bug allowed for guest VM escapes, AI forces Apple to break a patching habit and a clever new phish hunts for marketers Google Accounts this is Cybersecurity Today and I'm your host David Shipley. Let's get started. A newly unsealed federal complaint shows how US law enforcement and prosecutors traced an alleged scattered Spider hacker to a break in at a luxury jewelry retailer. It all came down to a single Windows device ID the hacker. News reports that Microsoft records tied that persistent identifier to the account attackers used to hold access during the May 2025 intrusion and then to accounts prosecutors say belong to 19 year old Peter Stokes. Stokes, a dual US Estonian citizen known online as Bouquet, was extradited from Finland and made his first court appearance in Chicago on June 30th. He's charged with conspiracy, computer intrusion and fraud. None of the allegations against him have been proven in court. Like many Scattered Spider attacks, the way in was through the help desk over three days last May. Attackers called the retailers IT support from Google voice numbers, posed as locked out staff, and talked their way into password and MFA resets. Within hours they controlled three accounts, two of them IT administrators. They installed Ngrok and Teleport, pushed data to Amazon cloud storage, and pulled out at least 77 gigabytes. A ransomware attempt got blocked, but the Demand still landed $8 million paid in crypto. The company refused cleanup costs, ran the company about $2 million. The operator of the attack hid behind a VPN, other tunneling tools and aliases. It wasn't good enough, prosecutors say. The same device kept surfacing on the same IP addresses as Snapchat, Apple and Facebook accounts. They attribute to Stokes accounts flaunting cash, watches and diamond chains. Reading Hack the Planet When Finnish police stopped Stokes at Helsinki Airport bound for Japan, they seized two 2 terabyte hard drives. It'll be interesting to see what comes of the forensic search of those devices. One arrest alone may not change much, but a win here is still a win group. IB argues Scattered Spider isn't so much a gang but a loose scene of small independent cells, and says arresting a few won't stop the threat. Still, the Scattered Spider arrests are starting to add up. Krebs on security reported in June that two men who were members of the group pled guilty in the United Kingdom to criminal charges stemming from an August 2024 cyber attack that crippled Transport for London, the public transport network operator for the UK capital. Thala Jabbar, 20, of east London and 18 year old Owen Flowers of Walsall and admitted conspiring to commit unauthorized acts against Transport for London Computer Systems and causing risk of serious damage to human welfare. And in the spring, a core leader of Scattered Spider, who was responsible for a series of high profile phishing attacks and cryptocurrency thefts from 2021 to April 2023 pled guilty to US federal charges. Tyler Robert Buchanan of Dundee, Scotland, pleaded guilty to conspiracy to commit wire fraud and aggravated identity theft. The 24 year old was arrested by Spanish police in Palma in 2024 as he attempted to board a charter flight to Naples, Italy. Google has fixed a vulnerability that would have let an attacker seize data from AI agents and chatbots built with one of its flagship tools. Dark reading reports of Veronis Threat Labs disclosed the flaw this week, calling it Rogue agent, a permission boundary issue in Google Cloud's dialogflow CX platform. Dialogflow CX is the tooling many companies use to build enterprise AI agents, customer support systems, financial services bots, healthcare chatbots, the kind of bots that handle sensitive data. By design, the weak point here was a feature called Code blocks, chunks of custom Python that process user Input and call APIs. Those blocks run inside Google's Cloud run environment, with public network egress on by default so they can reach out to the Internet and cross data perimeters that zero trust architecture is supposed to prevent. Agents sharing a single cloud project share the same execution, and because Google manages it, the customer has no direct view into what's running. An attacker who compromised a privileged account could update the code block for just one agent, overwrite an internal execution file with a malicious version, and fold it into the pipeline for every future conversation. From there, a lot of things were possible reading conversation history, harvesting session data, or slipping a fake RE authentication prompt into a chat to lift real credentials. The permission needed for this attack could be granted at the project level, so this was never just limited to top tier admins. Varonis reported the issue in November 2025. Google patched it in April and fully resolved it last month and says it has no indication any customer was compromised using the flaw. A Linux kernel bug that sat undiscovered for nearly 16 years lets an attacker break out of a virtual machine and run code on the host underneath it. That kind of vulnerability is a huge risk to clients of cloud hyperscalers like Google and Amazon Web Services or Microsoft Azure. Leaping computer reports to flaw dubbed Janus Escape and tracked as CVE2026, 53, 359 is a use after free flaw in the Shadow MMU emulation of KVM on x86. Researcher Han Woo Kim found it and used it as a zero day in Google's KVM CTF reward program. It was patched in June. An attacker with root inside a guest vm, which is the default setup on public cloud instances, can execute code as root on the host, then take over every other guest running on that machine. On builds like Red Hat Enterprise Linux, where devkvm is world writable, even an unprivileged attacker can use the flaw to gain root on an unpatched machine. Or they could use it to cause a host kernel panic and and knock every tenant on that same box offline. Kim calls it the first guest to host escape that fires on both intel and AMD architecture rather than being pinned to just one. The breadth is what makes this a real headache for multi tenant clouds like Google, Microsoft Azure or aws. Kim published a technical write up and a proof of concept that triggers a host kernel panic, but says a full escape exploit won't be released for the foreseeable future. Apple is changing how it ships security fixes, and the reason behind it is AI. Dark Reading reports the company has long saved big bundled bug fixes for major OS releases. On June 29, it broke that pattern, pushing security updates for iPhones, iPads, MacBooks and Safari with no version release attached. Apple has shipped out of band fixes before, but the motivation was new this time. Speaking with Reuters, the company said it was adapting to a reality where AI speeds the development of hacking tools, and it needed to shrink the gap between a fix going public and it landing on customers devices. Rocky Cole, co founder of Iverify, points to Mandiant's time to exploit numbers and how things have changed. The average time for exploit in 2018 was 63 days. Over the last two years it went negative. Attackers are now weaponizing flaws before a patch is even public. Zero days are getting used even more than N days. Cole says he's watched it firsthand through OpenAI's trusted access program. His two person team has turned up around a dozen bugs, one of them now acknowledged by Apple as a CVE and in some cases used AI tools to push those bugs towards exploitation faster. Patching only helps if people install them. Cole described a malware infection last week on a Device still running iOS 16 from a user who stopped updating because they disliked the new interface for newer versions. And Cole argues the deeper problem is even more structural for Apple, particularly when it comes to iOS. IOS has no EDR or XDR layer for defenders to build on, and its ecosystem stays closed to third party security tools that may no longer prove a sustainable security approach for Apple or its users. A phishing campaign is impersonating more than 30 well known brands Adobe, Netflix, Coca Cola, OpenAI and more inside fake job interviews built to steal Google account credentials from marketing professionals bleeping computer reports. The operation abuses two legitimate cloud platforms before the victim ever reaches anything malicious. The email looks like it comes from the peopleforce HR platform. The links underneath route through a Salesforce marketing cloud domain, then through a real estate CRM called wiseagent, and only then land on an attacker's page. Will Thomas of Team CMERU, who analyzed the campaign, counted at least 34 domains impersonating high value companies across airlines, food and beverage, luxury goods, staffing and entertainment. Affected brands included American airlines, Louis Vuitton, McKinsey, FIFA and more. The lure is a recruiter reaching out about a new marketing role, dressed up with the names and photos of real recruiters at the impersonated firms. One sample posed as an Adidas recruiter and asked the target to schedule a call. Clicking through to book the meeting landed the victim on adidas-hiring.com where a continue with Google button triggered what looked like a Google sign in popup. But it wasn't. The window was an HTML and CSS rendering inside the phishing page. A browser in the browser attack, where the fake authentication prompt is created to imitate every element of the real thing. Abusing those platforms doesn't mean any of them were breached, Thomas notes. The attacker likely just registered legitimate accounts or used stolen logins to wire up the clever redirect chain. The operation has been running for at least five months, and a full domain list is in Thomas analysis on GitHub. Attacks like this also highlight how criminals will use legitimate infrastructure to hide malicious activity in trusted domains. Blocking based on email record hygiene like spf, dmarc and dkim won't do you any good when they use this technique. And that's Cybersecurity Today for Wednesday, July 8, 2026. If today's show was useful, please like it. Subscribe and leave a rating or review wherever you get your podcasts. It makes a real difference in helping new listeners find us and feel free to share the show with someone you you think would benefit. We appreciate all of your feedback. Feel free to drop us a note@technewsday.com or CA or you can leave a comment under the YouTube video. I've been your host, David Shipley. I'll be back on the news desk on Friday with the latest headlines.
A
Once again, we'd like to thank NORD Layer for their support in sponsoring this show. Teams today work across multiple tools and devices, but security often remains fragmented. This is exactly what NORD Layer can help you address. It provides a network security platform with easy to manage network access, monitoring and control, and without additional hardware or complex infrastructure. Nordlayer helps businesses of all sizes manage and secure access to company resources going beyond what traditional VPNs can offer. And it provides encrypted connectivity with visibility across your entire network environment. And did we mention no new hardware required? Visit nordlayer.com cybersecurity today and use the code NLSUMMER26 for a special discount during their summer sale.
Cybersecurity Today – Episode Summary
Episode: “Scattered Spider squashed, Rogue Agent AI flaw, 16 year-old Linux bug and new phish hunts marketers”
Date: July 8, 2026
Host: David Shipley
This episode of Cybersecurity Today delivers an incisive roundup of the week’s most pressing cybersecurity incidents and trends impacting businesses and individuals. Host David Shipley breaks down high-profile law enforcement actions against members of the Scattered Spider hacker collective, dissects major vulnerabilities (from Google’s AI platform to a 16-year-old Linux kernel bug), and explains emerging threats—including a phishing campaign targeting marketing professionals through trusted brands.
Unsealing New Federal Complaint:
Attack Walkthrough:
Wider Crackdown:
Critical AI Platform Flaw:
Scope and Mitigation:
Historic Vulnerability Discovered:
Technical Impact:
AI Changes the Patch Game:
Underlying Security Challenges:
Multi-Platform Attack Chain:
Expert Insights:
This episode shines a light on how aggressive law enforcement tactics and diligent threat research are gradually countering major hacking collectives like Scattered Spider, while also highlighting how criminals exploit both technical weaknesses (like historic code flaws and wrongly scoped permissions in AI tools) and psychological ones (like trust in brand-name recruiters). Listeners are encouraged to stay vigilant and proactive, especially as the cybersecurity landscape is transformed by AI and cloud complexity.
Note: This summary omits advertisements and podcast promotion.