Cybersecurity Weekly Briefing, 6-12 June

June 12, 2026

Chrome 149 patches 429 vulnerabilities, including a critical flaw in ANGLE with potential sandbox escape

Google has released Chrome 149 with fixes for 429 vulnerabilities, a record number for a stable browser update. The update addresses 22 vulnerabilities that Google classifies as critical and 87 that it classifies as high severity. The most notable flaw is CVE-2026-10881 (CVSSv3 9.6), an out-of-bounds read and write in ANGLE that could allow sandbox escape via crafted HTML pages. The update also fixes multiple use-after-free vulnerabilities, insufficient validation of untrusted input, incorrect implementations and memory errors.

Although no active exploitation has been reported, Chrome’s market share and the potential for code execution via a web-based vector justify prioritising the update to version 149.0.7827.53 on Linux and 149.0.7827.53/54 on Windows and macOS.


Active UNC3753 campaign targeting the financial sector via physical intrusions

Mandiant has published an in-depth analysis of a campaign carried out by UNC3753, also known as Luna Moth, Chatty Spider or Silent Ransom Group, which has compromised dozens of organisations in the legal, financial and professional services sectors in the United States.

The group operates exclusively through vishing and social engineering: its operatives impersonate the corporate IT department over the phone, convince employees to initiate screen-sharing sessions and download RMM tools such as AnyDesk, Zoho Assist or Bomgar to establish persistent access, all without deploying any traditional malicious payloads. Once inside, they exfiltrate data (legal agreements, PII, financial records) using portable tools such as WinSCP or Rclone, or simply by dragging files to cloud storage accounts controlled by the attacker.

The most significant aspect of this new phase of the campaign is the tactical escalation: when remote attempts fail, the group sends individuals physically to the victim’s offices posing as IT technicians to exfiltrate data via USB. Extortion demands arrive by email within 30 minutes of the theft.

Organisations should urgently implement out-of-band verification for any technical support request and block the installation of unauthorised RMM tools.
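One way to hunt for the sequence described above (an RMM tool launched on a workstation, followed by a portable transfer tool) is to correlate process-creation events per host. This is an added example, not code from Mandiant or the briefing; the event fields, host names, allowlist and four-hour window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Tool names come from the briefing; matching on file-name substrings is a
# simplifying assumption (production rules should also use signer metadata).
RMM_TOOLS = ("anydesk", "zoho", "bomgar")
TRANSFER_TOOLS = ("winscp", "rclone")
# Assumption: hypothetical allowlist of (tool, host) pairs approved by IT.
APPROVED = {("bomgar", "HELPDESK-01")}
# Assumption: how long after an RMM launch a transfer tool is treated as related.
WINDOW = timedelta(hours=4)

def classify(image):
    """Map a process image path to ('rmm'|'transfer', tool) or (None, None)."""
    name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    for kind, tools in (("rmm", RMM_TOOLS), ("transfer", TRANSFER_TOOLS)):
        for tool in tools:
            if tool in name:
                return kind, tool
    return None, None

def correlate(events):
    """Flag unapproved RMM launches and transfer tools that follow them on the same host."""
    alerts, last_rmm = [], {}
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        kind, tool = classify(ev["image"])
        when = datetime.fromisoformat(ev["time"])
        if kind == "rmm" and (tool, ev["host"]) not in APPROVED:
            last_rmm[ev["host"]] = (when, tool)
            alerts.append((ev["host"], "unapproved-rmm", tool))
        elif kind == "transfer" and ev["host"] in last_rmm:
            started, rmm = last_rmm[ev["host"]]
            if when - started <= WINDOW:
                alerts.append((ev["host"], "rmm-then-transfer", f"{rmm}->{tool}"))
    return alerts

# Constructed process-creation events (hypothetical hosts and paths).
SAMPLE_EVENTS = [
    {"host": "FIN-WS-07", "time": "2026-06-09T14:02:00", "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe"},
    {"host": "FIN-WS-07", "time": "2026-06-09T14:31:00", "image": r"C:\Users\jdoe\Downloads\rclone.exe"},
    {"host": "HELPDESK-01", "time": "2026-06-09T09:00:00", "image": r"C:\Program Files\Bomgar\bomgar-rep.exe"},
    {"host": "DEV-WS-02", "time": "2026-06-09T10:00:00", "image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The approved help-desk host and the standalone WinSCP launch produce no alert; only the workstation where an unapproved RMM tool precedes a transfer tool is reported.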


NFCShare: Android malware designed to steal NFC data from bank cards spreads to Spain and Italy

Researchers at D3Lab have documented new variants of the NFCShare Android malware, distributed as fake updates for legitimate banking apps hosted on GitHub, as part of a campaign active since 14 May 2026 that primarily targets customers of banks in Italy and Spain. The malicious repository, created on 10 April, has hosted 56 unique APKs that impersonate apps from Intesa Sanpaolo, Banca Sella, Nexi, Fideuram and Mooney, amongst others.

After tricking the victim with a fake verification screen, the malware reads the card details (card number, type, expiry date and 4-digit PIN) via Android’s IsoDep interface and EMV commands, then exfiltrates them to the attacker’s C2 server via WebSocket. This information can be used directly in NFC payment relay schemes, in line with the documented patterns of NGate or SuperCard X. The new variants introduce malformed APKs with poisoned internal paths to hinder automated static analysis, although they do not prevent manual analysis.

Users should install banking apps exclusively from Google Play, enable Play Protect, and be wary of any request to hold their card close to the NFC reader as a verification step.


ServiceNow confirms that an unauthenticated endpoint exposed corporate instance data

According to BleepingComputer, ServiceNow has notified affected customers after confirming that attackers actively exploited an access control flaw in a REST API endpoint that was configured with `requires_authentication=false`, allowing unauthenticated queries on customer instance data tables.

The company applied an emergency patch on 5 June 2026 to hosted instances, restricting access to authenticated users. ServiceNow has confirmed that attackers successfully queried instance data, although it has not specified what information was accessed; ServiceNow instances typically store support tickets, employee records, asset inventories, credentials and API tokens shared during incident resolution. The issue primarily affects customers on the Australia platform version and earlier versions with certain custom configurations.

Administrators should review logs for requests to the affected endpoint, rotate credentials and tokens exposed via support workflows, and check whether they have received a support case from ServiceNow (the absence of such a case indicates that the organisation is not among those affected).


Ivanti Sentry: Unauthenticated RCE vulnerabilities with CVSS scores of 10.0 and 9.9, and a public PoC available

Ivanti has issued a security advisory regarding two critical vulnerabilities in Ivanti Sentry (formerly MobileIron Sentry), the inline gateway that manages and encrypts traffic between mobile devices and enterprise systems.

  • The first, CVE-2026-10520 (CVSSv3 10.0 according to Ivanti), is an operating system command injection in the unauthenticated endpoint /mics/api/v2/sentry/mics-config/handleMessage that allows a remote attacker to execute arbitrary commands as root without any credentials.
  • The second, CVE-2026-10523 (CVSSv3 9.9 according to Ivanti), is an authentication bypass that allows an attacker to create arbitrary administrative accounts and gain full control of the system.

On 10 June, watchTowr published a comprehensive technical analysis alongside a working proof-of-concept for CVE-2026-10520, which makes active exploitation imminent. Ivanti Sentry has already appeared twice in CISA’s KEV catalogue, confirming threat actors’ longstanding interest in this product. Versions 10.7.0, 10.6.1 and 10.5.1 (and earlier) are affected, and fixes are available in versions 10.7.1, 10.6.2 and 10.5.2.

Organisations should update urgently, outside the usual patching cycles, before widespread exploitation begins.
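While patching is scheduled, access logs can be searched for any request that reached the endpoint named above for CVE-2026-10520. The following is an added example, not Ivanti's or watchTowr's code; it assumes logs in Apache/nginx "combined" format and a hypothetical management network, and the sample lines are constructed.

```python
import ipaddress
import posixpath
import re
from urllib.parse import unquote

# Endpoint named in the briefing for CVE-2026-10520, lower-cased for matching.
ENDPOINT = "/mics/api/v2/sentry/mics-config/handlemessage"
# Assumptions: hypothetical management network; Apache/nginx "combined" log format.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"[A-Z]+ (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')

def normalise(target):
    """Decode twice (double encoding), drop the query, collapse slashes and dot segments."""
    target = unquote(unquote(target))
    path = re.sub(r"/{2,}", "/", target.split("?", 1)[0])
    return posixpath.normpath(path).lower()

def is_external(client):
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:  # hostname or malformed client field
        return True
    return not any(addr in net for net in MGMT_NETS)

def hunt(lines):
    """Return {client: summary} for every logged request that reaches ENDPOINT."""
    hits = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or ENDPOINT not in normalise(m["target"]):
            continue
        hit = hits.setdefault(m["ip"], {"count": 0, "first_seen": m["ts"],
                              "statuses": set(), "external": is_external(m["ip"])})
        hit["count"] += 1
        hit["statuses"].add(int(m["status"]))
    return hits

# Constructed sample lines using documentation address ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jun/2026:22:14:03 +0000] "POST /mics/api/v2/sentry/mics-config/handleMessage HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [10/Jun/2026:22:14:09 +0000] "POST /mics//api/v2/sentry/mics-config/handleMessage?x=1 HTTP/1.1" 200 498 "-" "-"',
    '198.51.100.23 - - [11/Jun/2026:03:01:44 +0000] "POST /MICS/api/v2/sentry/mics-config/handle%4dessage HTTP/1.1" 500 0 "-" "-"',
    '10.20.0.15 - - [11/Jun/2026:08:30:00 +0000] "POST /mics/api/v2/sentry/mics-config/handleMessage HTTP/1.1" 200 120 "-" "-"',
    '192.0.2.50 - - [11/Jun/2026:09:00:00 +0000] "GET /favicon.ico HTTP/1.1" 200 4096 "-" "-"',
]

if __name__ == "__main__":
    print(hunt(SAMPLE_LOG))
```

Because the endpoint is unauthenticated, any hit flagged `external` warrants investigation of the appliance regardless of the response status.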
