Archive for July 17, 2026

What the Oracle vulnerability says about today’s patching problem

Posted in Commentary with tags , on July 17, 2026 by itnerd

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to secure their systems by Saturday against ongoing attacks exploiting a critical vulnerability in the Oracle E-Business Suite (EBS) financial application. The directive to repeat states that as mandated by Binding Operational Directive (BOD) 26-04, this needs to be patched by tomorrow. AKA Saturday.

Ted Miracco, Approov (https://www.linkedin.com/in/tedmiracco)

“Organizations continue to struggle to patch critical vulnerabilities quickly because enterprise resource planning (ERP) platforms like Oracle and SAP are highly customized and deeply interwoven with other business applications. Patching them isn’t like updating a web browser; a single database update can break custom API integrations, halting payroll, shipping, or manufacturing.

“The window for ‘safe testing’ no longer exists for edge-facing systems. In the past, organizations had 30 to 90 days to test and deploy patches before exploits were widely weaponized. Today, threat actors reverse-engineer patches and deploy exploits within days or even hours.

“To better prioritize and respond to these types of threats, security teams must implement strict Web Application Firewall (WAF) rules, sever internet exposure, or place vulnerable assets behind a Zero Trust Network Access (ZTNA) gateway until patches can be safely tested. When patches can be deployed to a staging environment, tested automatically, and instantly rolled back if they fail, emergency deployments become a low-risk routine rather than a weekend crisis.”

Damon Small, Board Member, Xcape, Inc. (https://www.linkedin.com/in/damon-small-7400501)

“Deploying a patch on a single computer may seem like a trivial task, but doing it across an enterprise that may have hundreds, or even thousands, of servers is daunting.  That said, we have seen incidents where a patched vulnerability is exploited months after it was resolved.  As an industry, we must strike a balance between operational readiness and patching fatigue.

The first open source vulnerability scanner was released in 1995.  Since then, vulnerability management has remained the least sexy, yet the most important, directive in cyber security.  Frankly, as an industry, we struggle to update software quickly, and this fact will become more problematic as the time between vulnerabilities being discovered and them being actively exploited continues to shrink.

Security leaders should first and foremost ensure that their organizations have accurate software and hardware inventories. You cannot defend what you can’t see. Additionally, as ‘silent’ or no-reboot patching becomes an industry standard, automatic updates may follow.”

Donald McFarlane, Advisory Board Member, Xcape, Inc. (https://www.linkedin.com/in/dmcfarlane)

“Organizations rarely fail to patch because they lack another alert: they struggle when they lack reliable asset inventories, clear ownership, tested maintenance paths, or the authority to interrupt business-critical systems and processes. In today’s machine-scale, machine-speed adversarial environment, IT organizations must deploy critical security patches far more quickly.  When immediate patching is not possible, leaders must prioritize vulnerabilities based on active exploitation, internet exposure, mission impact and potential blast radius, not severity scores alone.  They should know in advance who owns each critical system, how it can be isolated, and how emergency changes can be made safely.  

“Patching is not the finish line: organizations must determine whether an adversary arrived before the fix was applied. Find material exposure before an adversary does, fix it, and prove the risk actually went down.”

Kevin Surace, CEO, Token (https://www.linkedin.com/in/ksurace)

“Patching is rarely as simple as installing an update. Critical enterprise applications are often deeply connected to financial systems, databases, customized workflows, and third-party software, so teams fear that an untested patch could interrupt essential operations. 

“The deeper problem is that many organizations do not have an accurate, continuously updated inventory of their systems. They may not know which servers are exposed to the internet, which versions are running, who owns them, or whether a patch was successfully applied.

“In this case, Oracle released the patch in May, exploitation was observed by late June, and more than 1,000 Oracle E Business Suite systems were still exposed to the internet in July. That is not primarily a technology failure. It is a failure of ownership, visibility, testing capacity, and executive accountability.

“Urgent federal patching orders and extremely short remediation deadlines are becoming more visible, but this particular action was not technically a standalone Emergency Directive. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog under Binding Operational Directive 26 04 and required remediation within three days.

“The significance is the deadline. CISA is effectively telling agencies that once exploitation is confirmed, the traditional patching cycle is no longer acceptable. Attackers are weaponizing vulnerabilities faster, while many organizations are still operating through monthly maintenance windows, lengthy approval processes, and manual asset reviews.

“These directives also reveal an uncomfortable truth: too many organizations still need an external government deadline to force action on vulnerabilities that vendors have already patched.

“Security leaders should prioritize vulnerabilities based on actual exploitation, internet exposure, business importance, and the potential impact of compromise, not simply on the severity score. A vulnerability that is being actively exploited against an exposed financial system should move immediately ahead of a higher scoring flaw on an isolated test machine.

“Every critical system needs a named business owner, a technical owner, a tested emergency patching procedure, and a clearly defined authority capable of accepting the operational risk of patching or the security risk of delaying it. When exploitation is confirmed, teams should be able to patch, isolate, restrict network access, or temporarily remove a system from service without waiting through days of meetings.

“Organizations should also assume that patching may come too late. Organizations must review logs for evidence of earlier exploitation, rotate potentially exposed credentials, inspect connected systems, and protect privileged access with hardware based biometric assured identity.

“Biometric assured identity would not prevent an unauthenticated Oracle software exploit such as this one. It can, however, stop attackers from turning stolen administrator credentials into broader access after the initial compromise. Patching closes the software vulnerability. Biometric assured identity helps contain what attackers can do next.”

Steven Swift, Managing Director, Suzu Labs (https://www.linkedin.com/in/steven-swift-5238956a)

“Patching is a big thankless task, and it rarely gets the resourcing it would require to actually patch all the things quickly. In order to have any chance at keeping up with patching, organizations need to implement solutions to automate both patching and vulnerability scanning.

“A lot of organizations are hesitant to patch immediately, because there have been enough issues with bad patches being released over the years, that the risk of patching slowly is preferred over the risk of patching fast and breaking things.

“Patching automation is great for those systems which are consistently deployed across the organization. However, the applications that are only on a few systems are those least likely to have automated patching. This would be fine, except for that there tends to be a lot of applications that fall into this category. Practically, that means staff can patch the vast majority of things consistently and in a timely manner, and still always have a long tail of vulnerabilities that are more challenging to fix.

“This is compounded when ownership is split between different teams. Especially so when organizational priorities are split. If teams are under pressure to hit tight deadlines, the last thing they want to do is spend time fixing/patching things that don’t directly assist in that goal. This results in a lot of vulnerability management teams spending much of their time providing reports on what needs patching, to teams that will get to it when they get to it.

“As for what leadership can do to better prioritize and respond to new vulnerabilities? A big part of is keeping metrics so that the work being done isn’t invisible anymore. If the team is consistently patching 90% of all published CVEs in a timely manner, and yet all that leadership sees are reports showing the remaining 10%, it can look like the team just isn’t doing much patching when the opposite is true.

“Track stale vulnerabilities in the organization, and prioritize those. Stale can be older than 30, 90, or 365 days for example. Depending on how mature existing processes are. Once all of the stale vulnerabilities are remediated, build automation to handle as much repeatable work as is possible. Provide developers with vulnerability feedback as early in the process as you can, as it costs much less time and money to fix code early on, than it does after release.”

While it is beyond time to patch all the things, organizations need rethink how they go about keeping their environments safe. Because patching is clearly not enough.

FIFA World Cup Fraud Campaigns, an Analysis

Posted in Commentary with tags on July 17, 2026 by itnerd

The SOCRadar threat research unit (STRU) has published an in-depth analysis of fraud campaigns associated with the 2026 FIFA World Cup. With the final coming up this Sunday, SOCRadar has tracked the fraud ecosystem between April and July, spanning the counterfeit merchandise stores, FIFA portal impersonation, and ticketing/betting infrastructure. 

Interestingly, rather than peaking during the tournament’s biggest matches such as earlier this week’s semi-finals, fraud activity peaked before kickoff, as operators activated infrastructure that had been prepared weeks in advance. 

Key findings of this research include: 

  • The FIFA portal impersonation cluster, linked to the GHOST STADIUM phishing-kit lineage, now spans 850+ domains – nearly triple the 300+ publicly reported in May. STRU reconstructed the kit’s evolution through the developers’ own Chinese-language code comments, including a documented bug fix and an OPSEC migration between two generations – effectively the threat actor’s own development log.
  • 79% of domains observed at the activity peak were registered within the previous 30 days. Operators quietly bought infrastructure in May and activated it at the tournament’s opening.
  • The betting network hacked nothing. It legally purchased expired domains – a defunct US staffing agency, a French artisan site – for their retained SEO authority, a supply chain that is legal, frictionless, and largely beyond the reach of technical controls.
  • Counterfeit storefronts burned through domains in under five days and used deliberately modest 22-30% discounts, calibrated to look like a plausible promotion rather than a scam.
  • STRU also disproved three of its own most striking leads – a shared Telegram bot token, an identical registrant hash, a common template – all artifacts of shared infrastructure, not shared operators. A transparency point that sets the research apart from typical vendor reporting.
  • Defender takeaway with legs beyond the World Cup: for event-driven fraud, the critical monitoring window is before the event begins – directly applicable to the 2028 Olympics and every future major event.

For full details on SOCRadar’s findings, the research can be read here: https://socradar.io/blog/fifa-world-cup-2026-fraud-campaigns/

Trojanized Zoom/WebEx installers expose a growing trust problem

Posted in Commentary with tags , on July 17, 2026 by itnerd

Researchers are tracking a campaign distributing trojanized Zoom and WebEx installers to steal credentials and other sensitive data. The culprit, not that it matters, are Russians. This serves as a reminder that attackers are increasingly weaponizing trusted business software instead of relying on traditional phishing lures.

You get get more info here: https://www.bleepingcomputer.com/news/security/russian-hackers-trojanize-webex-zoom-apps-to-push-starland-malware/

Donald McFarlane, Advisory Board Member, Xcape, Inc.

“Trust is part of the attack surface: attackers do not need to invent unfamiliar lures when they can impersonate the applications, people and workflows that employees already trust.

“AI continues to raise the quality and scale of such attacks. Adversaries can produce more convincing phishing, deepfakes, counterfeit interfaces and customized malware far faster than before, and security programs must therefore assume that even careful users will sometimes be deceived. The answer is not more training alone, but stronger controls around software provenance, managed installation, application execution, identity, endpoint behavior and unusual network activity. 

“Organizations should design systems so that a convincing fake cannot easily become a compromise, and so that blast radii are limited.”

Kevin Surace, CEO, Token (https://www.linkedin.com/in/ksurace)

“Attackers impersonate applications such as Zoom and Webex because employees already recognize, trust, and routinely install them. A familiar product removes much of the hesitation that an unknown application would create and makes the malicious download appear to be part of normal business activity.

“The attackers do not need to invent a compelling new story. They simply borrow the reputation, branding, and expected behavior of software the victim already uses.

“User trust has become one of the attacker’s most effective tools. The victim is not persuaded to run something that looks malicious, but rather something that appears necessary and legitimate. This is why employee awareness alone cannot solve the problem. Attackers only need one employee to trust the wrong installer once, and increasingly convincing websites, messages, and software packages make that mistake difficult to eliminate completely.

“Organizations should prevent employees from installing unauthorized software and distribute approved applications through controlled enterprise software portals. Application allowlisting, code signing verification, endpoint detection, restricted scripting tools, browser download controls, network segmentation, and automatic isolation of suspicious systems can help stop the malware before it becomes established.

“Organizations must also protect the identities and accounts the malware is designed to steal. Hardware based biometric assured identity makes stolen passwords and authentication codes useless because access still requires the registered physical device, the authorized user’s fingerprint, proximity to the computer, and a cryptographic request from the legitimate domain.

“Biometric assured identity does not replace endpoint security or prevent someone from downloading malware. It ensures that even when malware captures credentials, attackers cannot simply reuse them from another device to enter protected applications, cloud services, or corporate networks.”

Jacob Krell, Sr. Director, Secure AI Solutions & Cybersecurity, Suzu Labs (https://www.linkedin.com/in/jacob-krell)

“The shift to hybrid work changed how business software gets installed. Five years ago, IT deployed conferencing and collaboration tools through managed packages. Now employees download Zoom, WebEx, and remote administration tools themselves five minutes before a meeting or a support session, with no oversight and no verification beyond ‘does the website look right.’ 

UAT-11795 is exploiting that behavioral shift across multiple categories, from conferencing platforms to database clients to developer utilities. A trojanized installer works because the real software actually installs and runs. The user joins their meeting, opens their database, never suspects a thing. Meanwhile, endpoint security has improved at catching novel binaries, so attackers wrapped their payload inside software the endpoint already expects to see.

“User trust has become just the first domino in these attacks. The security stack trusts these applications too. EDR tools baseline their behavior and suppress alerts on their process activity. Firewalls allow their traffic patterns. Allowlists include their binary names.

“When attackers wrap malware inside a WebEx or Zoom installer, they inherit trust at every layer simultaneously, from the human, the endpoint agent, the network policy, and the application control rules. Enterprise business software sits at the intersection of human trust and automated trust. Attackers are picking targets where those compound.

“Organizations should restrict where software installs come from. If users can only install applications through a managed catalog like Intune or SCCM, a trojanized installer from a random URL never executes. That’s the prevention layer most orgs skip because it creates friction with end users.

“For detection, publisher code signature verification on installers is the first check. UAT-11795 used NSIS to package their payload, so the installer carries no legitimate vendor signature. Most orgs enforce signature checks on running executables but not on the installers that put them there.

“Process lineage monitoring is the backstop. Conferencing software spawning Python interpreters, database tools creating scheduled tasks with random suffixes, those are process tree anomalies that EDR can catch if the detection rules exist. I’ve seen environments where broad filename matching on the allowlist lets anything that looks like a business app sail through unchecked.”

This should serve as a warning that only trusted apps, as in trusted from your organization, are the only ones that need to be installed. All others should be discarded like the garbage that they are.

Cyberattack on Japanese refrigerated logistics provider disrupts restaurants

Posted in Commentary with tags on July 17, 2026 by itnerd

A cyberattack on Nichirei Logistics Group, Japan’s largest refrigerated logistics provider, has disrupted food deliveries to restaurants, retailers, and food manufacturers across the country.

The company, which serves approximately 5,000 customers through a network of 140 refrigerated distribution centers, confirmed hackers breached its servers and shut down key systems to contain the incident.

The disruption has affected all 1,300+ KFC Japan restaurants, with the chain warning of ingredient shortages, limited menus, shorter operating hours and potential temporary closures. KFC has also suspended online ordering through its website and mobile app.

Other businesses reporting delivery delays or product shortages include Hotto Motto, Yayoi Ken, Kura Sushi, retailer Aeon and frozen food manufacturer TableMark.

Phil Wylie, Senior Consultant & Evangelist, Suzu Labs:

“This incident highlights how cyberattacks against operational technology and logistics providers can have immediate real-world consequences. While many organizations focus on protecting customer data, attacks that disrupt the availability of critical business systems can be just as damaging. In this case, the ripple effects extended from a single refrigerated logistics provider to thousands of restaurants, retailers, and food manufacturers that depend on timely deliveries.

 “Organizations should view this as a reminder that cybersecurity risk extends beyond their own environment. Critical third-party providers should be evaluated not only for their security posture, but also for their operational resilience and recovery capabilities. Business continuity planning should include scenarios where key suppliers become unavailable due to a cyber incident, with contingency plans for alternate suppliers, manual processes, and inventory management.

 “As attackers increasingly target supply chains to maximize disruption, resilience has become just as important as prevention. The organizations that recover the fastest are those that have already planned for the possibility that a critical partner will be temporarily offline.”

Donald McFarlane, Advisory Board Member, Xcape, Inc.:

“This incident is another reminder of the importance of supply-chain dependencies, and how cyber risk can cascade from one logistics provider into thousands of businesses and their customers.  Had the disruption been broader, the consequences could have extended far beyond limited menus.  Critical infrastructure security must follow a simple discipline: find material exposure before an adversary does, fix it, and prove the risk actually went down.”

If you are part of a supply chain, or even if you are not, you need to prepare yourself as the attackers are coming for you. And you it is a matter of when not if they arrive.

Researchers finds ChatGPT-5.5 completed full simulated cyberattack chain

Posted in Commentary with tags on July 17, 2026 by itnerd

A new report from Cato Networks found that OpenAI’s ChatGPT-5.5 successfully completed a full, multi-stage simulated cyberattack against a corporate network without human intervention. According to the report, ChatGPT-5.5 is the first publicly available AI model Cato tested to autonomously execute the entire attack chain in a controlled environment.

The model completed the 32-step attack in two of 10 attempts, carrying out reconnaissance, privilege escalation, lateral movement and data exfiltration.

Cato said the testing was conducted in a controlled environment designed to evaluate AI cyber capabilities rather than real-world systems.

Jacob Krell, Senior Director: Secure AI Solutions & Cybersecurity, Suzu Labs:

“I’ve been using LLMs to complete complex offensive security challenges for over a year. The capability has been here.

“Cato’s “agentic attacker” is a full offensive stack, an agent platform, MCP-enabled tooling, and structured operational guidance, with GPT-5.5 as the reasoning layer. Their own researchers say the improvements across six scenarios came from better harness engineering while the model stayed the same.

“Two out of ten is the full-chain success rate with the agent handling planning and execution autonomously after a single prompt. A human operator stepping in at a handful of critical decision points in that 32-step chain would push that rate much higher. When I run LLM-driven offensive workflows, the model rarely fails on the individual steps. It fails on choosing which step to take next. That’s exactly the kind of error a practitioner fixes in seconds.

“Organizations should be preparing for continuous automated offensive pressure. An attacker running these workflows around the clock doesn’t need a high success rate when they have unlimited attempts. Each new model generation lowers the expertise needed to build an effective harness, and a black market for prebuilt offensive stacks is coming. Less-skilled operators will buy attack capabilities that required years of training a short time ago.”

What organizations need to do is to prepare themselves for LLM’s to attack them. The failure to not do so means that they will get pwned at some point.