July 13 Threat Intelligence Brief

0
6

Key Takeaways

  • Major data breaches: AssuranceAmerica exposed 7 M records; Latvia’s forestry firm suffered ransomware and 44 GB leak; Moody Bible Institute’s breach impacted >2.3 M individuals.
  • Supply‑chain and AI‑enabled attacks: Injective Labs’ SDK compromise stole crypto keys; autonomous ransomware JadePuffer used an LLM; malicious code hidden in open‑source files can hijack AI coding agents; a Dialogflow CX flaw lets low‑privilege users exfiltrate chatbot data.
  • Critical infrastructure vulnerabilities: Unpatched Tenda routers contain a hidden backdoor; Linux KVM hypervisor flaw (CVE‑2026‑53359) permits guest‑to‑host escape; U‑Boot signature‑verification bugs affect secure‑boot devices; Opera GX browser flaw allowed silent installation of malicious modifications.
  • Threat‑intelligence insights: Iran‑linked Cavern Manticore targets Israeli entities via a modular .NET C2 framework; June 2026 saw 2,270 weekly attacks per organization, ransomware up 33%; student‑employment phishing abused school emails and Google Forms; China‑linked UAT‑7810 expands relay‑box infrastructure by compromising networking gear.

Top Attacks and Breaches
The week of 13 July featured several high‑profile incidents. U.S. auto insurer AssuranceAmerica disclosed a breach affecting roughly 7 million individuals after attackers compromised an employee’s credentials and accessed names, contact details, driver’s license numbers, insurance policy and account data, vehicle information, and claims records. In Latvia, the state‑owned forestry company Latvijas Valsts Meži fell victim to a ransomware attack that leveraged an unpatched system left vulnerable for two years. The intrusion disrupted mapping, hunting, contractor, and customer systems and resulted in the leakage of approximately 44 GB of internal documents, credentials, cryptographic keys, source code, and email correspondence.

A supply‑chain compromise struck Injective Labs, a developer of blockchain and cryptocurrency software. Attackers gained access to its SDK project, published malicious npm packages, and when developers used the legitimate key‑generation functions embedded in the tainted software, their cryptocurrency wallet private keys and seed phrases were exfiltrated. Lastly, the U.S. faith‑based educational institution Moody Bible Institute reported a data breach impacting more than 2.3 million donors, students, alumni, and supporters. The ShinyHunters extortion group claimed responsibility and published allegedly stolen data, including names, dates of birth, residential addresses, email addresses, and phone numbers.


AI‑Related Threats
Researchers highlighted a new autonomous ransomware operation dubbed JadePuffer, which employed a large language model to conduct an intrusion without direct human control. The operation exploited CVE‑2025‑3248 in an exposed Langflow instance, accessed a production MySQL server, exfiltrated selected information, deleted the database, and issued an extortion demand.

Separate work demonstrated that malicious instructions concealed inside open‑source project files could achieve remote code execution when processed by AI coding agents such as Anthropic Claude Code and OpenAI Codex. With automated permissions granted, the agents interpreted the attacker‑controlled scripts and executed them, revealing a risk that may extend to other autonomous development tools.

Finally, a vulnerability in Google Dialogflow CX—named Rogue Agent—allowed users with limited agent‑editing permission to insert persistent malicious code. The injected script could capture and exfiltrate chatbot conversations. Google patched the flaw, and no known customer environments were reported as compromised through this specific issue.


Vulnerabilities and Patches
Multiple Tenda router models (including FH1201, W15E, AC10, AC5, and AC6 firmware versions) are affected by CVE‑2026‑11405, an undocumented authentication backdoor that provides administrative access via a hidden password. Attackers can bypass configured credentials and alter device and network settings.

Linux maintainers released a patch for CVE‑2026‑53359, a critical flaw in the Kernel‑based Virtual Machine (KVM) hypervisor. A malicious guest virtual machine could corrupt host kernel memory and potentially escape into the host environment. The vulnerability impacts Intel and AMD x86 systems and is especially pertinent to shared cloud infrastructures.

U‑Boot addressed six vulnerabilities concerning signature verification of Flattened Image Tree files used during secure boot. Two of the flaws could enable arbitrary code execution when a device loads a supposedly verified image, while four could cause Denial‑of‑Service crashes. Given U‑Boot’s widespread use in routers, cameras, and embedded controllers, the updates are significant for securing boot processes.

Opera issued a fix for a critical vulnerability in the Opera GX browser that allowed malicious websites to install browser modifications without user confirmation. An attacker‑controlled modification could inject styles across open tabs, leak sensitive information such as Gmail addresses, and crash the browser. The patch restores the requirement for user consent before any browser modification is applied.


Threat Intelligence Reports
Check Point Research profiled Cavern Manticore, an Iran‑linked threat actor targeting Israeli government and information‑technology organizations. The group employs a modular .NET command‑and‑control framework, abuses remote‑management software, and hijacks a compromised software‑update mechanism to deploy capabilities such as file‑management, database interaction, scanning, and tunneling. Check Point’s Threat Emulation and Harmony Endpoint solutions are noted as providing protection against this actor.

In a broader analysis, Check Point researchers reported that during June 2026 organizations faced an average of 2,270 weekly attacks. Ransomware incidents rose 33 % compared with June 2025, and the ransomware gang The Gentlemen surpassed Qilin as the most active group for the month.

A separate investigation uncovered a student‑employment phishing campaign that abused compromised school email accounts and Google Forms. Over 3,200 messages passed email authentication checks and attempted to harvest banking information, residential addresses, and other details useful for money‑mule recruitment and account compromise.

Finally, researchers examined UAT‑7810, a China‑linked threat actor that compromises internet‑facing networking devices to expand its operational relay‑box infrastructure. The group developed new malware components and exploited unpatched Ruckus and ASUS devices to create proxy nodes for affiliated threat actors, thereby extending its reach and resilience.


Overall, the week’s developments underscore the growing sophistication of attacks—from credential‑theft and ransomware to AI‑driven intrusions and supply‑chain compromises—highlighting the urgent need for timely patching, robust credential management, vigilant monitoring of AI‑assisted development tools, and comprehensive threat‑intelligence sharing. Organizations should prioritize updating exposed services (e.g., Langflow instances, Dialogflow CX, Tenda routers), enforce least‑privilege principles for AI agents, and leverage detection capabilities such as those offered by Check Point to mitigate the evolving threat landscape.

SignUpSignUp form

LEAVE A REPLY

Please enter your comment!
Please enter your name here