SecurityWeek’s weekly cybersecurity news digest provides a quick rundown of significant developments that may not warrant their own full articles but are still important for understanding the wider threat landscape.
This handpicked summary spotlights major stories spanning vulnerability disclosures, policy changes, industry reports, and other notable events, helping readers stay well-informed about the constantly shifting cybersecurity environment.
Here are this week’s top stories:
OFAC targets Iranian central bank’s cryptocurrency holdings
OFAC has sanctioned two cryptocurrency wallets directly tied to Iran’s Central Bank, marking the first time the institution has been targeted in this way. The wallets were linked to the IRGC-Qods Force and Hizballah. Working alongside US law enforcement, Tether froze roughly $344 million in USDT across the addresses, which had accumulated about $370 million through close to 1,000 transactions since March 2021 and had mostly sat idle after late 2023 as sovereign reserves.
US pursues extradition of teenage Scattered Spider member arrested in Finland
Finnish authorities detained 19-year-old Peter Stokes (online alias ‘Bouquet’), a dual US-Estonian citizen, as he attempted to board a flight to Japan. US prosecutors in Chicago have charged him as a prominent member of the Scattered Spider hacking group, alleging he took part in multiple breaches targeting large corporations. Stokes faces charges of wire fraud, conspiracy, and computer intrusion. The US is seeking his extradition while drawing attention to his lavish lifestyle and open taunting of law enforcement.
ADT hit by major data breach
Home security provider ADT has confirmed that unauthorized parties gained access to its cloud-based systems, resulting in the exposure of customer data. The ShinyHunters extortion group claimed responsibility for the attack, stating they stole over 10 million records from a Salesforce database after ransom negotiations broke down. Data verified by Have I Been Pwned shows approximately 5.5 million unique email addresses were leaked, along with names, physical addresses, and in some cases, partial Social Security numbers.
Microsoft phases out outdated encryption for legacy email protocols
Microsoft has announced that Exchange Online will start blocking TLS 1.0 and 1.1 for all POP and IMAP traffic beginning in July 2026. This complete deprecation removes previous workaround options, requiring a mandatory upgrade to TLS 1.2 or higher for any products still using older cryptographic standards.
Outdated NSA mapping tool creates risk for industrial networks
CISA has issued a warning about a critical vulnerability in GRASSMARLIN, an open source tool originally created by the National Security Agency (NSA) for mapping industrial control system (ICS) networks. The flaw enables attackers to trigger out-of-band exfiltration of sensitive files, which experts say can help facilitate lateral movement within industrial networks. Since the tool reached end-of-life status in 2017, no official patches will be made available.
Flawed metrics weaken SOC performance
The UK’s National Cyber Security Centre (NCSC) cautions that evaluating a Security Operations Center (SOC) based on ticket volume and log counts produces counterproductive outcomes that undermine network security. The agency recommends that leaders prioritize ‘time to detect’ and ‘time to respond’ metrics, best validated through red or purple team exercises. It encourages analysts to concentrate on high-value threat hunting and building expertise rather than simply rushing to close alerts as fast as possible.
North Korean hackers use elaborate virtual meeting lures to target crypto firms
BlueNoroff, a financially motivated offshoot of the North Korean Lazarus Group, is running a social engineering campaign targeting Web3 organizations. Attackers trick executives into joining fake Zoom meetings where staged technical problems prompt victims to run malicious PowerShell scripts disguised as software fixes. The malware steals credentials from cryptocurrency wallet extensions and captures live webcam footage to refine deepfake personas for follow-up attacks.
Cursor IDE flaw enables silent code execution
Novee Security has discovered a high-severity vulnerability in the Cursor IDE that allows attackers to achieve arbitrary code execution through malicious Git hooks. Tracked as CVE-2026-26268, the flaw is triggered when the tool’s AI agent automatically performs Git operations, running hidden scripts in nested repositories without the developer’s knowledge or consent.
CISA publishes guidance for zero trust in OT and agentic AI services adoption
CISA has released two guidance documents developed in collaboration with other agencies. One focuses on implementing zero trust principles in operational technology (OT), addressing the growing IT-OT convergence that has broadened attack surfaces. In the second document, CISA and partners advocate for a cautious rollout of agentic AI systems. The resource outlines key security risks and challenges while providing practical steps for design, deployment, and operation that align with existing cybersecurity frameworks and strengthen oversight.
Attackers hijack Qinglong task management platforms for cryptocurrency mining
Snyk reports that threat actors are exploiting authentication bypass vulnerabilities in the Qinglong open source task scheduler to deploy a persistent cryptominer. The flaws, tracked as CVE-2026-3965 and CVE-2026-4047, allow unauthenticated remote code execution by taking advantage of inconsistencies in how the system handles URL rewriting and case-sensitive path matching. Affected servers experience severe CPU overload.
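The bug class described above, as an added illustration in Python that is not Qinglong's code or Snyk's analysis: an access-control check that looks at the raw request path while the router rewrites and case-folds it, beside the hardened form that canonicalizes once and authorizes on that single representation. The `/open/` rewrite rule and the `PUBLIC_PATHS` allow-list are assumptions made for the example.

```python
"""Path-normalization mismatch between an auth check and a router.
Hypothetical illustration of the bug class, not Qinglong's implementation."""
from typing import Optional
from urllib.parse import unquote

PROTECTED_PREFIX = "/api/"          # everything under here requires a token
PUBLIC_PATHS = {"/api/user/login"}  # assumed allow-list of unauthenticated routes


def canonicalize(path: str) -> str:
    """Apply the router's rewrite rules exactly once, before any decision."""
    path = unquote(path)                      # decode %-escapes
    path = path.lower()                       # router matches case-insensitively
    if path.startswith("/open/"):             # assumed rewrite rule: /open/x -> /api/x
        path = "/api/" + path[len("/open/"):]
    while "//" in path:                       # collapse duplicate slashes
        path = path.replace("//", "/")
    return path


def route(path: str) -> str:
    """Router: resolves a (canonicalized) path to a handler name."""
    p = canonicalize(path)
    if p in PUBLIC_PATHS:
        return "login"
    if p.startswith(PROTECTED_PREFIX):
        return "protected_api"
    return "not_found"


def weak_gateway(path: str, token: Optional[str]) -> str:
    """Vulnerable: authorizes on the raw path, so a request the router later
    rewrites or case-folds into /api/... is never challenged."""
    if path.startswith(PROTECTED_PREFIX) and path not in PUBLIC_PATHS and not token:
        return "401"
    return route(path)


def hardened_gateway(path: str, token: Optional[str]) -> str:
    """Fixed: canonicalize first, then authorize and route on that one form."""
    p = canonicalize(path)
    if p.startswith(PROTECTED_PREFIX) and p not in PUBLIC_PATHS and not token:
        return "401"
    return route(p)
```

The fix is structural rather than a longer deny-list: the authorization layer and the router must agree on one canonical path, which is why the hardened gateway calls the same `canonicalize` the router uses.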