Security Tips


Two Ransomware Crews Hit Sysco in Two Months. Qilin in May, ShinyHunters in June. When Two Gangs Walk the Same Door Weeks Apart, the Door Was the Problem.
Sysco is the largest food distributor in the world, and in the span of about eight weeks it got claimed by two different extortion crews. Qilin, the ransomware operation, named Sysco as a victim in early May. Then on June 15, ShinyHunters claimed it had stolen more than 61 million Salesforce records from the company — customer information, employee data, and internal corporate records — and set a June 18 payment deadline. When the deadline passed with no payment, the data sta
Patrick Duggan
11 hours ago · 4 min read


Avalon Ships Its Own Ransomware and Outsources Its Brain to Groq. The Attacker Types English; a Public LLM Writes the Shell Commands.
On July 1, Blackpoint Cyber researchers Nevan Beal and Sam Decker published a teardown of a malware framework they are calling Avalon, and it is the clearest example yet of the thesis we have been writing all week: the attacker's brain is now a rented API. Avalon is a full modular framework — credential theft, lateral movement, remote access, recovery disruption, and its own bundled ransomware component internally named CrownX. What makes it worth a post is not the feature li
Patrick Duggan
12 hours ago · 4 min read


Bad Epoll Is the Second Linux Root Bug in a Week — and It Fires From Inside Chrome's Sandbox. Still No Attack in the Wild. Both Are True.
Two days after we wrote up DirtyClone, the Linux kernel handed defenders a second local-root flaw in the same week. This one is called Bad Epoll, tracked as CVE-2026-46242, and before we get into it, here is the same sentence of honesty we led the DirtyClone post with, because it is the whole reason to read us instead of the wire copy: there is a working exploit, and there is no confirmed attack in the wild. Both are true right now. The difference between those two facts is t
Patrick Duggan
12 hours ago · 5 min read


DirtyClone Rewrites Your su Binary in Memory and Never Touches the Disk. There's a Working Exploit — and No Confirmed Attack Yet. Both Are True.
There is a new Linux kernel privilege-escalation flaw called DirtyClone, tracked as CVE-2026-43503, and it does something that should bother anyone who trusts their integrity monitoring: it makes an unprivileged local user into root by rewriting a privileged binary in memory, and it leaves nothing on disk to prove it happened. Before we get into how, one sentence of honesty that the headlines are skipping, because it's the whole point of reading us instead of them: there is a
Patrick Duggan
19 hours ago · 5 min read


The First AI-Run Ransomware Didn't Crack Anything. It Walked Through Default Passwords — and That's the Scary Part.
Sysdig's Threat Research Team published something on July 1 that every headline is getting half-right. They documented JADEPUFFER — the first case they can find of a ransomware operation run end to end by an AI agent, an LLM that broke in, stole credentials, moved laterally, and encrypted a production database with no human at the keyboard. The headline writes itself: the machines are doing ransomware now. That headline is true and it is also the least interesting thing about
Patrick Duggan
1 day ago · 4 min read


In April We Called the Security Stack the Attack Surface. The Honest Question Is Whether That Was Prognostication — Here's the Ledger.
In April we published a post arguing that your security vendor is your attack surface. The provocation aged well enough that the honest thing to do is not take a victory lap but ask the uncomfortable question directly: was that prognostication, or is it just pattern-matching backwards now that the news agrees? A prediction only counts if the claim predates the evidence. So here is the ledger, with dates, including the one receipt we have to throw out. First, what the April po
Patrick Duggan
2 days ago · 4 min read


The FortiGate Credentials Feeding This Ransomware Wave Were an Audit Result We Published in June. Here's What We Had, and What We Didn't.
Researchers reported this week that credentials harvested from hundreds of thousands of FortiGate firewalls are now being used as the initial access for ransomware attacks run by the INC and Lynx operations. When a story like that crosses the wire, the honest question for a threat-intelligence shop is not "did we call it." It is "could a customer pulling our feed have stopped this, and if not, exactly where does our early warning end and our blind spot begin." So here is that
Patrick Duggan
2 days ago · 4 min read


Dragos Named Three New OT Threat Groups. One Deployed Wipers During the Iran Conflict. Here's Where Each One Fits.
Dragos now tracks 26 OT threat groups, three of them new this cycle: SYLVANITE, AZURITE, and PYROXENE. We keep a standing watch on adversaries who touch industrial control systems, and until today our adversary index held the old mineral-named roster — CHRYSENE, MAGNALLIUM, XENOTIME, DYMALLOY — but not these three. This is us closing that gap, and doing the part that matters more than the names: saying which existing threat each one actually belongs to, because none of these
Patrick Duggan
2 days ago · 4 min read


Five Countries Got a Veto on Palantir. Americans Got ImmigrationOS.
Here is the argument in one sentence, and then the receipts. When Switzerland, France, Germany, Denmark, and the Netherlands looked at Palantir, they saw a machine they could not audit, running under a foreign legal jurisdiction, and they said no. Americans were handed the same machine, pointed inward, and never got the vote. The European half of this we documented already. Switzerland's Zurich Commercial Court dismissed 22 of 23 of Palantir's requests against an investigativ
Patrick Duggan
2 days ago · 5 min read


CitrixBleed Came Back a Third Time. 476 Spaces and a Half-Written XML Tag Is All It Takes to Read NetScaler's Memory.
Here is the entire exploit. You send NetScaler a login request to the SAML endpoint. Inside it, one XML tag — the opening of a SAML authentication request — with no closing bracket, no attributes, nothing after it but 476 blank spaces. That's it. The appliance's parser starts reading the tag, never finds a terminator, and keeps reading straight past the end of its buffer into whatever memory sits next door. Then it hands you those adjacent bytes back, tucked inside a cookie c
Patrick Duggan
2 days ago · 4 min read


Alex Karp Says Enterprises Pay for Tokens That Create No Value. Our Tokens Fixed Four Production Failures Today.
Yesterday on Squawk Box, Palantir CEO Alex Karp named OpenAI and Anthropic and said "something has gone completely wrong" with the token model. Enterprises, he says, are "livid" — "paying for tokens that create no value." The anchor told him he sounded pretty angry. Futurism called it a televised nervous breakdown. Forbes got him on record calling the AI industry "effing insane." I run an enterprise. It's small — one guy in Minnesota, a partnership with an AI, and about $500
Patrick Duggan
2 days ago · 4 min read


A Perfect-10 Zero-Day Just Owned the Brain of Cisco SD-WAN. Chain It With the Bug We Mapped in May and You Run the Whole Network.
Cisco disclosed [CVE-2026-20182](https://analytics.dugganusa.com/api/v1/dredd/kev-gap?cve=CVE-2026-20182) this week: an authentication bypass in the Catalyst SD-WAN Controller, scored a perfect CVSS 10.0, and already being exploited as a zero-day in the wild. Read what that sentence actually says, because the severity number undersells it. The SD-WAN Controller is not an edge box — it is the control plane, the brain that tells every branch, every tunnel, every remote office
Patrick Duggan
2 days ago · 4 min read


The Gauges Were All Green and the Line Was Down: Five Systems Lied to Me in a Day, and That's the Whole Security Story
There is a scene in The Phoenix Project where Erik drags Bill out of the war room, away from the dashboards, and makes him stand on the actual plant floor and watch the actual work. Because the dashboards were green and the product was still coming out broken, and no amount of staring at green was going to fix that. I lived that scene this week — as the guy whose dashboards were lying. I caught five of my own systems reporting "success" while doing nothing at all, in a singl
Patrick Duggan
2 days ago · 6 min read


We Spent Twenty Years Teaching People Not to Click. Attackers Just Stopped Needing the Click.
Verizon's 2026 Data Breach Investigations Report contains a sentence that quietly reorganizes an entire industry's priorities: software vulnerabilities now start more breaches than stolen credentials. Read that again. For two decades, the reigning wisdom held that the human is the weakest link — that the breach begins with someone clicking a link they shouldn't. We built an industry on it: phishing simulations, security-awareness training, "think before you click" posters in
Patrick Duggan
2 days ago · 4 min read


Adobe Just Dropped Five Perfect-10s in ColdFusion. The Exploit Is the Oldest Religion on the Web: Upload a File, Get a Shell.
On July 1, Adobe shipped an emergency stack of patches for ColdFusion and Campaign Classic, and the severity numbers are the kind you do not see often: five separate vulnerabilities rated CVSS 10.0, a perfect score, the maximum the scale allows. Two of them — [CVE-2026-48276](https://analytics.dugganusa.com/api/v1/dredd/kev-gap?cve=CVE-2026-48276) and [CVE-2026-48283](https://analytics.dugganusa.com/api/v1/dredd/kev-gap?cve=CVE-2026-48283) — are unrestricted file-upload flaws
Patrick Duggan
2 days ago · 4 min read


China Is Inside DHS's Own Threat-Sharing Network. The Bug They Used Has Been on CISA's Known-Exploited List Since 2025.
The Department of Homeland Security exists, in part, to warn everyone else about cyber threats. Its Homeland Security Information Network — HSIN — is the platform where DHS shares sensitive, unclassified intelligence with federal, state, local, and private-sector partners: alerts, incident coordination, information about persons of interest. This week, DHS confirmed that HSIN and a connected SharePoint collaboration server were breached. The watchmen's own watchtower got walk
Patrick Duggan
2 days ago · 4 min read


AI Is Now a Door, a Lure, and a Safe. The Twist Is That Attackers Are Opening All Three With Tricks Older Than the Technology.
In a single week we documented three separate attacks against artificial intelligence, and at first glance they have nothing to do with each other. One...
Patrick Duggan
3 days ago · 6 min read


BlackField Didn't Just Ransom Nidec. It Published a Price Menu: $2M to Make It Go Away, $5K a Day to Stall, $400K for Anyone to Just Buy Your Data.
A ransomware group calling itself BlackField hit a Taiwanese subsidiary of the Japanese motor-manufacturing giant Nidec in late June 2026, claimed more than...
Patrick Duggan
3 days ago · 5 min read


AI Hallucinates a Domain for Your Brand. An Attacker Registers It Before You Do. We Already Measure the First Half — Which Is the Whole Point.
Here is an attack that could only exist in 2026. A large language model, asked about your company, confidently invents a web address for you that does not...
Patrick Duggan
3 days ago · 5 min read


Ten of Eleven AI Coding Agents Can Be Fooled by Bash Tricks Older Than Their Users. The One That Held Won by Reading the Command the Way the Shell Will.
Researchers at Adversa AI took eleven popular open-source AI coding agents — the kind that read a repository, reason about it, and then run shell commands...
Patrick Duggan
3 days ago · 5 min read