Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1896+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Newsletter
  3. Issue #27
NEWSLETTERIssue #27
Weekly Digest #27 — Zero-Days Everywhere, Sanctions Escalate, and Your Browser Extension Just Betrayed You

Weekly Digest #27 — Zero-Days Everywhere, Sanctions Escalate, and Your Browser Extension Just Betrayed You

This week: Progress ShareFile and SonicWall hit with chained zero-days, the US sanctions its first VPN provider, ShinyHunters walks into Salesforce through the front door, and a 1.6M-install browser extension was hiding a dormant data collector the whole time.

Dylan H.

CosmicBytez Labs

July 14, 2026
7 min read

Welcome back to the CosmicBytez Labs Weekly Digest — your Monday briefing on what moved in cybersecurity this week. Issue #27 is a heavy one: two emergency-level zero-days disrupted enterprise file sharing and VPN infrastructure, the US government took direct aim at ransomware enablers rather than just ransomware operators, and a trusted browser extension with 1.6 million installs turned out to have a hidden tracking mechanism waiting to be switched on. Let's get into it.


Top Stories

ShareFile Zero-Day Forces Emergency Shutdown — Patches Now Available

Progress Software ordered all on-premises ShareFile Storage Zone Controller customers to immediately shut down their Windows servers on July 10 — no patch available, just "shut it down now." Four days later, emergency patches landed: versions 5.12.5 (5.x branch) and 6.0.2 (6.x branch) fix a high-severity path traversal zero-day that allowed authenticated attackers to read and write arbitrary files on the server — a setup that can lead to webshell deployment and full RCE.

This is the second major ShareFile crisis in three months, following the April 2026 pre-auth RCE chain (CVE-2026-2699 + CVE-2026-2701, both CVSS 9.x). If MOVEit's history tells us anything, ShareFile's profile as an enterprise file transfer platform makes it a persistent high-value target. If you're running on-prem Storage Zone Controllers, patch now and review your IIS logs for path traversal patterns.

Read the full article →


SonicWall SMA1000 Chained Zero-Days — CVSS 10.0, CISA Gives Agencies 3 Days

SonicWall disclosed two vulnerabilities in its SMA 1000 series appliances that are being actively chained in zero-day attacks against enterprise remote access infrastructure:

  • CVE-2026-15409 — Unauthenticated SSRF, CVSS 10.0. No credentials needed.
  • CVE-2026-15410 — Post-auth OS command injection, CVSS 7.2. When chained with the SSRF, the authentication barrier largely disappears.

CISA added both to its Known Exploited Vulnerabilities catalog the same day SonicWall published the advisory — July 14 — with a federal remediation deadline of July 17. That three-day window is unusually aggressive and signals confirmed, active exploitation at scale. Affected models: SMA 6210, 7210, and 8200v. Patches are available (12.4.3-03453 and 12.5.0-02835); there are no workarounds.

Read the full article →


ShinyHunters Is Walking Into Salesforce — No Exploit Required

Microsoft's threat intelligence team published a detailed breakdown of how actors aligned with ShinyHunters have spent a year quietly draining corporate Salesforce environments — and none of it involved exploiting a Salesforce vulnerability. Three documented attack paths:

  1. Stolen credentials and session tokens harvested via reverse-proxy phishing (think Evilginx), bypassing SMS/TOTP MFA entirely.
  2. OAuth application abuse — compromising third-party integrations (some authorized years ago and long forgotten) to query Salesforce APIs undetected.
  3. Experience Cloud misconfigurations — Guest user permissions set too broadly, exposing internal records without any authentication at all.

The operational playbook is consistent: bulk-export contact records and deal data, create persistent backdoor accounts, move slowly to avoid anomaly alerts. CRM systems are now as much a target as cloud infrastructure — and defending them requires the same rigor.

Read the full article →


US Sanctions First VPN Provider and Malware Cryptor Seller

The Treasury Department's OFAC designated a commercial VPN service and a malware cryptor seller this week, marking a deliberate policy shift toward targeting the ransomware ecosystem rather than just the operators themselves. The VPN provider offered residential proxy services that masked attacker traffic behind legitimate IP addresses; the cryptor seller helped ransomware payloads evade endpoint detection.

An OFAC designation cuts off access to US-linked financial systems and cloud infrastructure, and creates secondary sanctions exposure for anyone who continues doing business with the designated parties. This won't stop ransomware groups — they'll find alternative providers — but it raises the cost and risk for the entire support layer. Organizations should verify their VPN and anonymization vendors aren't on the SDN list, and endpoint detection strategies need to move beyond signature-based AV.

Read the full article →


ModHeader Pulled from Chrome and Edge After Hidden Tracker Found in 1.6M Installs

Google and Microsoft simultaneously removed ModHeader — a popular HTTP header editor used by developers and security testers — after researchers found a dormant browsing-history collector embedded in the official store version. The collector was switched off (empty allow-list), but the full mechanism to record and transmit browsing history was present and activatable via a configuration update, with no new store submission required.

This is the "sleeper monetization" model in practice: build a legitimate, useful extension, accumulate a trusted install base, then flip the collection switch later. The extension had 1.6 million combined installs across Chrome and Edge. If you have ModHeader installed, remove it. Enterprise teams should be auditing their browser extension inventory — this pattern is not unique to ModHeader.

Read the full article →


Security Corner

A high-impact batch of advisories this week — several with active exploitation confirmed:

  • CVE-2026-56155 — Microsoft AD FS Golden SAML Attack — CVSS 7.8, CISA KEV (federal deadline July 28). Permissive ACLs on the AD FS DKM container allow an attacker with a limited domain foothold to extract token-signing private keys and forge SAML assertions for any user — bypassing MFA entirely. Patch via July 2026 Patch Tuesday, audit your DKM ACLs, and treat unpatched AD FS servers as potentially compromised.

  • CVE-2026-51538 and CVE-2026-51537 — Review these if they match your environment; advisories published this week.

  • CVE-2026-58409 and CVE-2026-58065 — Additional advisories from the July 14 batch.

  • CVE-2026-61500 and CVE-2026-57433 — Published alongside the Patch Tuesday wave; check applicability.

CISA's Joomla advisory also warrants attention: iCagenda and Balbooa Forms extensions are reportedly being exploited as zero-days. If you're running Joomla-based properties, check CISA's advisory and pull those extensions until patches are confirmed.


Quick Takes

  • Spanish police dismantled a €140M cyber fraud ring, arresting four individuals. The operation targeted banks across Europe using phishing, SIM swapping, and social engineering. Scale reminder: fraud-as-a-service is running at nine-figure revenue. Read →

  • Ksenia Sobchak's Telegram was hacked and her email breached in an operation that demonstrates once again how high-profile accounts become vectors for disinformation and social engineering at scale. Read →

  • CISA's GitHub leak produced a useful lessons-learned post this week. The incident highlighted how secrets in public repositories can persist far longer than most organizations realize. Worth reading for anyone managing GitHub org security. Read →

  • Lidl disclosed a breach of its online shop after a service provider was compromised — another reminder that your vendor's security posture is your security posture. Read →

  • A misconfigured server exposed three active Evilginx phishing operations targeting Microsoft 365 users. The reverse-proxy phishing toolkit is now mainstream threat actor tooling, capable of bypassing standard MFA. Phishing-resistant FIDO2 is the answer. Read →

  • Centers Laboratory data breach affects 540,000 individuals — lab data breaches carry outsized harm potential given the sensitivity of health and diagnostic records. Read →

  • ScamBuster — a project using automation to waste scammers' time at scale — got coverage this week. Worth a read as a morale boost, and the underlying technique has legitimate threat intel value. Read →


Upcoming

  • Golden SAML deep-dive — CVE-2026-56155 is a textbook case for why hybrid identity environments need layered defenses beyond MFA. We'll be publishing a practical hardening guide for AD FS and Entra ID environments.
  • Browser extension security guide — the ModHeader incident is one of many. We're working on an enterprise-focused guide to browser extension auditing, allowlisting, and risk management.
  • Salesforce security checklist — based on the ShinyHunters research, a practical checklist for CRM administrators covering MFA enforcement, Connected App audits, Experience Cloud hardening, and API monitoring.

Stay sharp, patch fast, and check your browser extensions.

— Dylan H., CosmicBytez Labs

#Newsletter#Cybersecurity#Zero-Day#Ransomware#Supply Chain#Sanctions#Identity Security
Previous Issue

Issue #26

Enjoyed this issue?

Subscribe to get the latest security alerts and tutorials delivered to your inbox.

Subscribe for Free

Related Articles

Why Every Business Needs Cyber Insurance in 2026

Cyber insurance stopped being optional for Canadian small businesses in 2024. By 2026 it's table-stakes — but most owners are walking into renewal without…

6 min read

What Rural Alberta Businesses Get Wrong About Ransomware

The five most common things rural Alberta business owners believe about ransomware that are wrong, expensive, and entirely fixable.

7 min read

Starlink and Cybersecurity: Securing Rural Connectivity in 2026

Starlink solved one rural problem and accidentally created another. Connection is fast — but the security defaults that worked for traditional ISP-managed…

7 min read
Back to Newsletter Archive