Police Arrest 5,800 Suspects in Global Anti-Fraud Crackdown
Law enforcement agencies across 97 countries have arrested over 5,800 suspects and seized nearly $300 million in illicit assets in a massive, coordinated anti-fraud operation. Dubbed “Operation First Light 2026,” the INTERPOL-led initiative targeted a wide variety of social engineering fraud, including business email compromise, sextortion, romance scams, and investment fraud.
Investigators tracked illicit money flows of both fiat currency and virtual assets, blocking over 31,000 bank accounts and identifying more than 142,000 victims worldwide. This operation underscores the massive scale of transnational cybercrime networks and demonstrates that international cooperation and rapid payment interception are increasingly effective tools in combating financially motivated cyber threats.
This is a genuine win in the ongoing effort to disrupt organized cybercrime. However, it also signals an important reality: the arrest of 5,800 suspects and the seizure of $300 million represents enforcement against an ecosystem that generates billions annually. For every arrested suspect, others are taking their place. The operation disrupts criminal networks temporarily, but the underlying motivation—financial gain through fraud and extortion—remains constant.
For organizations, the lesson is clear: assume fraudsters are actively targeting your business, your employees, and your customers. Detection and prevention matter more than hoping law enforcement will stop them first.
CISA Adds 4 Actively Exploited Adobe, Joomla, and Langflow Flaws to KEV
The US Cybersecurity and Infrastructure Security Agency has added four actively exploited vulnerabilities to its Known Exploited Vulnerabilities catalog, mandating swift patching by federal agencies. The flaws impact widely used enterprise tools, including an arbitrary code execution bug in Adobe products, security bypasses in the Joomla content management system, and a severe vulnerability in the Langflow AI development framework.
Because these bugs are already being weaponized by threat actors in the wild, CISA has ordered all Federal Civilian Executive Branch agencies to apply the necessary security updates by July 10, 2026. This swift federal action serves as a strong warning to private sector organizations that they must prioritize these specific patches to prevent immediate, real-world cyberattacks on their own networks.
When CISA mandates federal agencies to patch by a specific date, that’s a clear signal: these vulnerabilities are being actively exploited right now. For any organization running Adobe products, Joomla, or Langflow, this is a priority alert. The window for patching before attackers compromise your systems is rapidly closing.
Read more: https://thehackernews.com/2026/07/cisa-adds-4-actively-exploited-adobe.html
‘GodDamn’ Ransomware Uses BYOVD to Smite US Companies
A rebranded ransomware group known as “Hyadina” is deploying a new locker called “GodDamn” against US companies using a malicious but officially Microsoft-approved driver. The attackers initially breach systems using legitimate tools like AnyDesk before dropping a custom kernel driver dubbed “PoisonX,” which inexplicably received a valid Microsoft Hardware Compatibility signature.
This driver enables a “bring-your-own-vulnerable-driver” attack, allowing the hackers to silently kill endpoint security processes and remove API hooks without triggering alarms. Following this evasion, the group deploys a suite of open-source credential stealers before finally launching their ransomware payload.
This incident highlights the dangerous evolution of BYOVD attacks and the critical need for organizations to implement behavioral monitoring, as relying solely on driver blocklists is often too slow to stop signed malware. The attack chain is devastating: legitimate remote access tool, malicious driver signed by Microsoft, endpoint security disabled, credentials stolen, ransomware deployed. At each stage, the attack looks normal because it uses legitimate tools and signatures.
Detection requires looking at behavior and patterns, not just checking whether a file is signed or recognized.
Read more: https://www.darkreading.com/cyberattacks-data-breaches/goddamn-ransomware-byovd-smite-companies
Microsoft Reins in RoguePlanet Zero-Day Threat
Microsoft has issued an out-of-band emergency patch for “RoguePlanet,” a high-severity privilege escalation zero-day vulnerability in Windows Defender. Disclosed publicly by a disgruntled security researcher, the vulnerability allows a local attacker to elevate their access from a basic user to the highest SYSTEM level.
While the flaw requires local code execution first, it serves as a powerful second-stage tool that enables threat actors to tamper with security telemetry, dump credentials, and establish deep persistence on a compromised machine. The researcher’s public disclosure ahead of the standard Patch Tuesday forced an accelerated fix.
This vulnerability illustrates a critical threat pattern: once an attacker has a foothold on your machine, they can weaponize your security tools to gain deeper access and hide their activity. The fact that this flaw exists in a fully patched system means organizations can’t rely solely on patches to stay safe. They need to assume attackers will get local access and have controls in place to prevent local privilege escalation.
Read more: https://www.darkreading.com/vulnerabilities-threats/microsoft-rogueplanet-zero-day-threat
Ubiquiti Warns of New Max Severity UniFi OS Vulnerability
Ubiquiti has released critical security updates to address a maximum-severity command injection vulnerability in its UniFi OS platform. The flaw impacts the UniFi Connect Application used to manage commercial building operations, allowing malicious actors with network access to execute arbitrary commands on the host device due to improper access controls.
In addition to this bug, Ubiquiti patched six other critical vulnerabilities across its routers, gateways, and surveillance systems, many of which require zero user interaction to exploit. With over 100,000 UniFi OS instances exposed online globally, these systems remain a prime target for botnets and state-sponsored espionage groups.
This wave of critical patches emphasizes the urgent need for administrators to update internet-exposed infrastructure. Unpatched networking devices are frequently hijacked for stealthy, large-scale cyberattacks. A compromised UniFi system gives attackers control over your network infrastructure—traffic routing, access control, monitoring. That’s a critical asset to defend.
Palo Alto Networks Patches 13 Vulnerabilities
Palo Alto Networks recently published advisories addressing 13 vulnerabilities across its product lineup, including a high-severity buffer overflow in its PAN-OS firewall software. The most critical flaw could allow an unauthenticated attacker to cause a denial-of-service condition and potentially execute arbitrary code using specially crafted network traffic.
Other medium-severity bugs impact the Prisma Access Agent, potentially enabling man-in-the-middle attacks that intercept VPN traffic and bypass data loss prevention controls. Fortunately, Palo Alto Networks has not observed any active exploitation of these specific vulnerabilities in the wild yet.
Given the historical tendency of advanced threat actors to rapidly weaponize vulnerabilities in edge security devices, organizations must promptly apply these updates to prevent network perimeter breaches. A compromised firewall or VPN gateway is a disaster—it’s your first line of defense. Once compromised, attackers control what enters and leaves your network.
Read more: https://www.securityweek.com/palo-alto-networks-patches-13-vulnerabilities/
