
Loading summary
A
Cybersecurity Today is brought to you by NORD Layer. Teams today work across multiple tools and devices, but security often remains fragmented and this is exactly what NORD Layer can help you address. NORD Layer gives your company centralized control over access by individuals and teams and keeps connection secure from anywhere with no additional hardware required. Visit nordlayer.com cybersecurity today and use the discount code NLSUMMER26 for a special discount on your purchase.
B
The Share File shutdown gets an explanation A year of salesforce break ins Hospitals are finding far more security holes than they can close. This scam that talks you into hacking yourself is now the number one way malware gets in. And in Australia, a 20 year old server takes down a national telecommunications network. This is Cybersecurity Today and I'm your host David Shipley. Let's get started. The emergency share file shutdown was the result of a previously unknown critical vulnerability, and the good news is there's now a patch out. Progress Software has confirmed the trigger for their alert a new, previously unknown high severity path traversal flaw affecting every 5. X and 6. X version of their storage zone controller. Customers need to apply that fix before bringing the ShareFile storage zone controller back online. On Monday, we covered the initial News Progress telling their customers to power down the servers, citing a credible external threat with no known CVE associated and no timeline provided. The read at the time was that that kind of shutdown order usually means there's no patch immediately available, or worse, there might be a problem that couldn't be solved. Progress has now provided the answer, and the good news is it can be fixed. According to reporting by Bleeping Computer, an authenticated administrative user could read arbitrary files, write attacker controlled content into arbitrary directories, or map out the server's file system. The fixes are out for versions 5.12.5 and 6.0.2. Install them and the controllers can come back online. There's other good news here. Progress says it has no evidence that the flaw was used by criminals before its alert went out, and no sign of unauthorized access to any customer accounts or data. Bleeping Computer asked Progress whether the flaw was discovered internally or by an outside security researcher. So far, they haven't heard back. A CVE has been reserved, but Progress won't publish the details for at least a few weeks, and that may be wise. As we've reported researchers demonstrated last year that threat actors can feed a CVE advisory into an AI system and get working proof of concept exploit code back in under 15 minutes and for less than a dollar a two week window before the technical details go live and public can give organizations much needed room to patch before criminal exploits arrive. Microsoft has published a map of how attackers spent the past year walking into corporate Salesforce environments without exploiting a single flaw in Salesforce itself. The research looks at a year of activity by the data extortion crew known as Shiny Hunters, and it sorts their activities into three major techniques. What all of these techniques share is that none of them required anything to be broken into from a code perspective. They abused trust that organizations had already extended, usually in the form of OAuth connections linking Salesforce and to the apps and vendors around it. When the access comes from a real user who approved a genuine connected app sign in monitoring barely registered it. Path number one was a phone call. Attackers posing as IT support and they walked employees through Salesforce OAuth consent screen and got them to authorize a malicious app dressed up as Salesforce's own data loader. No malware, no stolen password, just a call and a few clicks. That wave hit Google's own Salesforce instance along with other major brands like Chanel and Pandora. Path number two skips the employee. It's about compromising a vendor whose App already holds OAuth access. Steal those tokens and then you query every downstream instance all at once and you've got a ton of data. The Salesloft Drift breach last August is the clearest case of path two. Google estimated it potentially exposed more than 700 organizations, including cybersecurity and IT firms like Cloudflare, Zscaler and Palo Alto Networks. PaaS number three didn't need stolen credentials. It abused guest access that was left misconfigured on Salesforce instances. Microsoft and Salesforce say they've shipped new tooling to catch what their logs previously may have missed connected app attribution, OAuth scope visibility, and a new risk score for integrations that people previously hadn't been paying enough attention to. In the most recent case in June, attackers got into competitive intelligence platform Clue through a legacy test credential that someone had left active and forgotten. Then they used it to read the Salesforce data of some of Clue's customers, including another batch of cybersecurity firms. We'll see how Shiny Hunters and others evolve as these new monitoring tools are rolled out. Healthcare providers fixed just 6% of their identified cybersecurity risks in the first half of 2026. Over the same time last year, they managed to deal with about 23%. That's the key finding from a new mid year report by Fortified Health Security, and it describes a sector falling critically behind. The problem here isn't just about a catastrophic breach, it's the volume of security issues. Healthcare organizations log 60% more critical and high severity vulnerabilities this year than the year before, finding far more than they can keep up with from a remediation perspective. The report calls it visibility outpacing capacity Two areas hurt healthcare the most. The first is the supply chain. Providers identified six times as many third party risks as last year, and nearly two thirds of those third party risks were critical or high. Hospitals lean on dozens of vendors and as the Change healthcare attack showed, one supplier's breach can cascade across the entire industry. The second major area is identity. Providers found four times more access control vulnerabilities than a year ago, and 92% of healthcare network domains had at least one administrative account whose password hasn't changed in three years. Fortified's core recommendation is that hospitals and healthcare facilities have to drill for cyber attacks the way fire departments have to drill for fires. Building the muscle memory and what to do before an emergency, not during it. The medical drama TV show the Pit gives a great example of what a cyber attack can look like and do to an ER in a major hospital. While these attacks don't happen every day, thankfully hospitals and healthcare organizations have to train and equip for them anyway. As the report puts it. Probability doesn't change responsibility and nor does it change the massive impact of a healthcare attack. Hospital systems under attack or shut down to prevent an attack or reduce capacity by up to 90%, and that can have dramatic impacts on patient outcomes as well as health care facilities in the surrounding area. Click fix, the technique that talks users into infecting their own machines, has grown into a full criminal ecosystem, and it's slipping past technology defenses. That's the new picture from Reversing Labs, research that analyzed more than 4,000 click fix samples. The mechanics behind a click fix attack are becoming sadly, all too familiar. A landing page mimics a captcha check or a critical software update telling a victim to copy a command and paste it into the Windows run box or the macOS terminal. There's no file download, no obvious vulnerability, and because it rides in using legitimate tools, each step can look like ordinary computer use. Which is why some signature based antivirus and endpoint detect and response keep missing. This attack behind the click fix technique is a maturing business model. Full click fix kits are selling on underground forums from $250 a month up to $1,800 for a lifetime license. Lumastealer is still the most common payload delivered by ClickFix, but researchers are seeing more remote access trojans like Darkgate and X Worm that hand attackers live Keybo. The scale of these attacks is rising. Reliaquest, studying attacks from March through May, found that Click fix was the single most common way criminals delivered malware during that time. It also watched the technique cross platforms, delivering Atomic Stealer to Macs for the very first time. And when Apple added a feature that scans commands pasted into terminal, the attacker simply rerouted to trigger script editor instead. Rely on Quest's advice here. For enterprises, macOS can no longer be treated as lower risk than Windows. Data from Boseron Security also adds to this picture. Qlik fix is optimized to beat machines, and as shown by the prior research, it clearly does. But the human layer can be a different story. Across roughly 7.8 million phishing simulations sent over the past year, co Click Fix was the least clicked lure that was sent about 1.5% click rate, well under the 5.7% click rate for credential capture. Phishing and Click Fix was the most reported phish by our clients. When people did click they ran the command line less often than they would fill out a login page and give up their credentials. And the users who consistently passed earlier phishing tests were the least likely to fall for click fix. The technique that can slip by antivirus doesn't slip by a well trained person. Finally, we turn to Australia, where a 20 year old server took down a national telecommunications network last Wednesday. Telstra suffered an outage that knocked out mobile connections, payment terminals and train services. It also blocked 000 their emergency call line. More than 600 emergency callers couldn't get through the cause, according to reporting by informationage. A single obsolete time server, a symmetricom sync server S300 discontinued back in 2016. It manages time across a network and it hit a well known GPS rollover bug. The internal weak counter maxes out roughly every 20 years and resets. This one rolled back to 2006 and that caused the network to lose sync. The server can be replaced for under $30,000. The outage could cost Telstra up to 30 million in fines under tougher rules brought in after last year's Optus breach. And Telstra CEO Vicky Brady has admitted that the company knew about the flaw. Telstra executives will be in front of a Senate committee Friday to explain how a known problem in a discontinued server took down emergency calling. And that's Cybersecurity today for Wednesday, July 15th. I've been your host, David Shipley. Thanks for listening. We appreciate all of your feedback. Feel free to drop by technewsday.com or CA, or you can leave a comment under the YouTube video. We'll be back on Friday, July 17th with the latest headlines. Until then, stay safe.
A
Once again, we'd like to thank NORD Layer for their support in sponsoring this show. Teams today work across multiple tools and devices, but security often remains fragmented. This is exactly what NORD Layer can help you address. It provides a network security platform with easy to manage network access, monitoring and control, and without additional hardware or complex infrastructure. Nordlayer helps businesses of all sizes manage and secure access to company resources going beyond what traditional VPNs can offer. And it provides encrypted connectivity with visibility across your entire network environment. And did we mention no new hardware required? Visit nordlayer.com cybersecurity today and use the code NL Summer 26 for a special discount during their summer sale.
Cybersecurity Today
Episode: ShareFile explained, healthcare in critical cyber condition and click fix tops malware charts
Host: David Shipley (with ad voiceover by Jim Love)
Date: July 15, 2026
This episode of Cybersecurity Today, hosted by David Shipley, delivers timely updates on several high-stakes cybersecurity developments. The main themes include:
(00:37 – 04:50)
Incident Summary:
Progress Software forced an emergency shutdown of ShareFile storage zone controllers due to a high-severity, previously unknown path traversal flaw affecting all 5.X and 6.X versions.
Vulnerability Details:
“An authenticated administrative user could read arbitrary files, write attacker controlled content into arbitrary directories, or map out the server's file system.”
— David Shipley (01:36)
Resolution:
Fixes have been issued for versions 5.12.5 and 6.0.2. The servers can safely be brought back online once patched.
No Known Exploitation:
Progress Software stated there’s no evidence that criminals exploited the flaw pre-alert, and no sign of unauthorized data access.
CVE Disclosure Caution:
Progress is withholding technical details for a few weeks to prevent accelerated criminal exploitation, mindful of AI’s role accelerating exploit development:
“Researchers demonstrated last year that threat actors can feed a CVE advisory into an AI system and get working proof of concept exploit code back in under 15 minutes and for less than a dollar.”
— David Shipley (03:43)
(04:51 – 07:46)
No Software Exploits Needed:
Attackers (notably Shiny Hunters) compromised Salesforce environments using social engineering and abused trusted OAuth connections—never technically “breaking in.”
Main Attack Techniques:
“No malware, no stolen password, just a call and a few clicks.”
— David Shipley (05:41)
Evolving Defenses:
New Salesforce and Microsoft tools now enable better detection: connected app attribution, OAuth scope visibility, and risk scoring for integrations.
Recent Case:
Attackers breached Clue (a competitive intelligence platform) through a legacy, forgotten credential, accessing more Salesforce customer data.
Insight:
The threat is less about technical exploits and more about abusing existing trust relationships and identity controls.
(07:47 – 10:26)
Sector Lagging in Remediation:
Healthcare providers only fixed 6% of identified cybersecurity risks in 2026’s first half, compared to 23% last year.
Explosion of Vulnerabilities:
60% more critical/high vulnerabilities reported year-over-year. Remediation capacity isn’t keeping up.
Top Problem Areas:
“As the Change Healthcare attack showed, one supplier's breach can cascade across the entire industry.”
— David Shipley (08:59)
Core Recommendation:
Hospitals must train for cyberattacks the way firefighters drill—preparing for incidents before they happen.
Impact Quote:
“Hospital systems under attack or shut down to prevent an attack or reduce capacity by up to 90%, and that can have dramatic impacts on patient outcomes…”
— David Shipley (10:08)
(10:27 – 12:02)
What is Click Fix?
A scam where users are tricked into running malicious commands (“clicking to fix” a fake issue), typically via fake captchas or software update prompts.
“A landing page mimics a captcha check or a critical software update telling a victim to copy a command and paste it into the Windows run box or the macOS terminal.”
— David Shipley (10:34)
Evasion Tactics:
No file downloads; exploits trusted system tools, bypassing antivirus and EDR solutions.
Criminal Ecosystem:
Full "click fix kits" sell from $250/month to $1,800 lifetime.
Most Common Payloads:
Lumastealer remains dominant, but Remote Access Trojans like Darkgate and XWorm are on the rise—with cross-platform attacks targeting macOS for the first time.
Attack Prevalence:
Reliaquest found click fix was the #1 malware delivery method (March–May 2026). Attackers adapt to Apple’s security measures by switching delivery mechanisms within macOS.
Human Layer as a Defense:
Phishing simulation data (Boseron Security):
- Click fix spam had the lowest click rate (1.5%) compared to credential phishing (5.7%).
- Well-trained users rarely fell for click fix schemes.
“The technique that can slip by antivirus doesn't slip by a well trained person.”
— David Shipley (11:55)
Key Advice:
Enterprises should no longer treat macOS as lower risk than Windows.
(12:03 – 12:56)
Incident:
A 20-year-old Symmetricom Sync Server S300, discontinued since 2016, suffered a GPS “rollover bug,” resetting its clock and desynchronizing Australia’s national telecom network. Result: Outage of payment terminals, train services, mobile networks, and even 000 emergency calls.
Consequences:
More than 600 emergency calls blocked; cost of server replacement under $30,000—potential fines up to $30 million.
Admission and Accountability:
Telstra CEO Vicky Brady confirmed executives were aware of the obsolete server flaw. Senate hearings are scheduled.
Memorable Quote:
“A single obsolete time server...took down emergency calling.”
— David Shipley (12:43)
Shipley’s tone is direct, practical, and mildly urgent—emphasizing both the evolving threat landscape and pragmatic steps organizations can take. He highlights the interplay between technical vulnerabilities and human factors, and calls for greater preparedness, especially in critical sectors.
This episode is a must-listen for security leaders in IT, healthcare, and any organization managing third-party software or legacy systems, offering concrete examples of both threat evolution and effective defenses.