Weekly CISO Digest — Week of 2026-06-15: Secure Boot Bypass Threat Escalates

breachwire Team, Jun 15, 2026, 4 min read

Headline Incident: Critical Secure Boot Bypass in Vulnerable UEFI Shim Bootloaders

Security researchers disclosed CVE-2026-35273, a critical vulnerability in outdated UEFI shim bootloaders affecting Microsoft, Red Hat, CentOS, Oracle, openSUSE, and WhiteCanyon. Attackers can exploit this flaw to bypass Secure Boot protections using Bring Your Own Vulnerable Driver (BYOVD) techniques, enabling code execution during the earliest boot phase. This allows adversaries to evade endpoint detection and achieve persistent, stealthy platform compromise across multiple operating systems. The vulnerability is global in scope and impacts both enterprise and cloud environments. Immediate patching and revocation of vulnerable shims are essential to prevent erosion of the platform's foundational trust and long-term undetected breaches.

This Week's Incidents

ShinyHunters Ransomware Group Compromises Council of Europe Data

What: ShinyHunters exfiltrated 297 GB of HR and payroll data from the Council of Europe (coe.int), including 409,000 payslips and 14,000 CVs, and issued a final ransom warning.
Who's at risk: European government and public sector organizations.
Action: Review access controls and monitor for data leaks; prepare incident response for potential extortion.

Ukrainian Pleads Guilty for Role in Conti Ransomware Scheme

What: Oleksii Lytvynenko pleaded guilty in the U.S. for his role in Conti ransomware attacks that targeted over 1,000 networks worldwide between 2021 and 2022.
Who's at risk: Organizations worldwide, especially in North America, with unpatched systems.
Action: Audit backups and incident response plans; ensure ransomware playbooks are current.

FBI Disrupts Massive AI-Powered Phishing Service Outsider Enterprise

What: The FBI, Google, and Black Lotus Labs dismantled Outsider Enterprise, a Chinese phishing-as-a-service operation that used AI-generated kits across 1M URLs, stealing 3.8M credit card records and causing $1.9B in losses.
Who's at risk: Telecom subscribers (AT&T, T-Mobile, Verizon), enterprises targeted by SMS phishing.
Action: Enhance SMS phishing detection and user awareness; block known malicious domains.

Phishing Attacks Decline but Risk Intensifies with More Targeted Campaigns

What: Zscaler's 2026 report shows phishing volume down 20%, but attackers now use targeted, high-conversion campaigns leveraging AWS cloud infrastructure.
Who's at risk: Government and services sector organizations globally.
Action: Monitor for cloud-based phishing infrastructure; prioritize targeted phishing simulation training.

Nightspire Ransomware Attack on K****** County

What: Nightspire ransomware group claimed an attack on K****** County in Mieta, with details undisclosed.
Who's at risk: Local government and municipal agencies.
Action: Review endpoint protection and network segmentation; validate offline backups.

Ransomware Attack on Balai Besar POM Bandung

What: The nova group attacked Indonesia’s Balai Besar POM di Bandung, stealing regulatory data and posting samples for ransom leverage.
Who's at risk: Regulatory and public health agencies in Southeast Asia.
Action: Monitor for data leaks on dark web; strengthen access controls and incident response.

Dragonforce Deploys Ransomware Against INK Studio in the UK

What: Dragonforce claims ransomware deployment against INK, a London CGI/animation studio, disrupting operations.
Who's at risk: Creative and media production companies in Europe.
Action: Audit endpoint security and review business continuity plans.

AuditTeam Ransomware Attack on I-***YS in Russia

What: AuditTeam claimed a ransomware attack on I-***YS in Russia, threatening data disruption; claims unconfirmed.
Who's at risk: Russian enterprises and organizations with exposed RDP or weak credentials.
Action: Enforce strong authentication and monitor for lateral movement.

WinRAR Vulnerability CVE-2025-8088 Actively Exploited Against Ukrainian Organizations

What: Patched WinRAR flaw CVE-2025-8088 is exploited by SHADOW-EARTH-066 and Earth Dahu (Gamaredon) via spear-phishing, targeting Ukrainian government, military, and judiciary.
Who's at risk: Ukrainian public sector and organizations using outdated WinRAR.
Action: Ensure all endpoints are patched; block malicious RAR attachments and monitor for suspicious PowerShell activity.

NSO Group Conducts Phishing Campaign Against WhatsApp Users

What: Meta reports NSO Group phishing campaigns targeting WhatsApp users in Jordan and Lebanon, using malicious links and rogue accounts to deploy spyware.
Who's at risk: Messaging platform users in MENA region, especially high-value targets.
Action: Educate users on phishing risks; monitor for suspicious WhatsApp activity.

Ransomware Attack on Blue Nile Medical Center Exposes Patient Records

What: Nightspire ransomware attack on Blue Nile Medical Center (US) led to encryption and exposure of 3,000+ patient EHRs.
Who's at risk: Healthcare providers and clinics in North America.
Action: Review EHR system security and incident response for health data breaches.

Iran-Linked Handala Breaches California Water Utility

What: Handala, an Iran-linked group, breached a California water utility exploiting CVE-2026-10520, risking critical infrastructure.
Who's at risk: U.S. water utilities and critical infrastructure with unpatched vulnerabilities.
Action: Patch CVE-2026-10520 immediately; review OT/ICS network segmentation.

Ransomware Attack on Silsbee Police Department

What: Nightspire ransomware hit Silsbee Police Department (US), encrypting court-related data and demanding extortion.
Who's at risk: Law enforcement agencies and local governments.
Action: Harden law enforcement networks and ensure regular, tested backups.

Murray County Restores Systems After Ransomware Attack, Pays $200,000 Fee

What: Murray County, Georgia, paid $200,000 ransom after a ransomware attack; most systems now restored.
Who's at risk: U.S. county governments and public sector entities.
Action: Review ransom payment policies and insurance coverage; test restoration procedures.

This Week's Pattern

  • Ransomware remains pervasive, targeting government, healthcare, and public sector globally, with multiple incidents attributed to Nightspire and other groups.
  • Phishing tactics are evolving: AI-powered phishing-as-a-service and targeted spear-phishing campaigns are causing higher losses despite lower overall volume.
  • Critical vulnerabilities (CVE-2026-35273, CVE-2025-8088, CVE-2026-10520) are actively exploited, underscoring the urgent need for rapid patching and foundational trust reviews in enterprise environments.
