18
intelligence agencies from 12 countries co-signed the Russian FSB router attack advisory
< 2 hrs
after public disclosure, Adobe ColdFusion CVE-2026-48282 was already exploited in the wild
35 GB
of Accenture source code confirmed stolen in the July 2026 corporate breach
116
CVEs patched by Microsoft in July 2026 Patch Tuesday including an actively exploited Defender zero-day

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Eighteen intelligence agencies from 12 allied nations issued a joint advisory this morning confirming that Russian FSB hackers are actively exploiting vulnerable routers to penetrate critical infrastructure across energy, healthcare, financial services, defense, and government sectors worldwide. The same day, the European Union sanctioned nine Russian individuals and four entities for coordinated cyberattacks against critical infrastructure. This Monday cyber threat brief July 2026 documents the convergence of five active exploits your security team must address before the week progresses: a coordinated Russian FSB campaign targeting unpatched Cisco routers, a Microsoft Defender zero-day granting SYSTEM privileges on fully patched Windows devices, a maximum-severity Adobe ColdFusion remote code execution flaw exploited within two hours of disclosure, an ongoing Microsoft Teams vishing campaign deploying blockchain-evading malware, and a confirmed 35GB source code breach at Accenture.

All five threats share a common attribute: confirmed active victims in the past seven days. The Russian router campaign is the most structurally dangerous because the target is network infrastructure, not endpoints. A compromised border router does not trigger endpoint detection and response alerts, does not appear in user behavior analytics, and silently maps internal networks while pre-positioning for potential destructive action. Ghost Blizzard, the designation for FSB Centre 16, has confirmed attribution from the U.S., UK, Australia, and nine partner nations, giving this advisory the highest credibility rating of any warning issued this quarter.

The technical scope of today's active threats is broad: nation-state infrastructure exploitation, OS-level privilege escalation, server-side unauthenticated code execution, social-engineering malware delivery, and third-party supply chain exposure. Monday morning is when patching decisions are made. Every item in this Monday cyber threat brief July 2026 has a specific, actionable fix available right now.

Russian FSB Router Attacks on Critical Infrastructure: What Ghost Blizzard Is Doing Right Now

Russian FSB Centre 16, tracked by Western intelligence as Ghost Blizzard, Energetic Bear, Crouching Yeti, and Dragonfly, is conducting opportunistic exploitation of internet-facing routers with default or weak Simple Network Management Protocol (SNMP) credentials. A joint advisory from the UK National Cyber Security Centre and 17 partner agencies across 11 additional countries, published July 13, 2026, confirms the group is scanning at scale for Cisco devices and exploiting three vulnerability categories: legacy SNMP configurations using default community strings, Cisco Smart Install (SMI) protocol misuse on internet-facing switches, and web-portal management interface flaws on Cisco IOS devices.

FSB Centre 16 struck the Polish energy grid in December 2025, disrupting heating systems for more than 500,000 civilians. The group attacked telecommunications infrastructure across EU member states throughout 2024 and 2025 under EU sanctions documentation. The July 13 advisory and simultaneous EU sanctions represent the most coordinated Western government response to Russian cyber activity since 2022. The timing signals that the campaign is active now, not historical.

Six sectors are confirmed as primary targets: communications, defense, energy, financial services, government, and healthcare. Any organization in these sectors running Cisco routers with default SNMP community strings, legacy SNMP versions, or Cisco SMI enabled should treat this advisory as an immediate response event. Ghost Blizzard's post-compromise objective is persistent access: mapping network topology, exfiltrating device configuration files, and pre-positioning capability for potential destructive attacks during geopolitical escalation.

UK and allies urge critical sectors to improve defences against Russian intelligence targeting routers and network devices with weak or default configurations.

UK National Cyber Security Centre, July 13, 2026

How Do Russian FSB Hackers Exploit Routers? The Technical Mechanism

Ghost Blizzard's exploitation chain targets the network management plane, not corporate endpoints. The attack begins with internet-wide scanning for Cisco devices responding on UDP port 161 (SNMP) with default community strings including public, private, and vendor-specific defaults. SNMPv1 and SNMPv2c are inherently unauthenticated protocols: any device responding with a known community string exposes full read access to device configuration data, routing tables, access control lists, and interface configurations without requiring any credentials beyond the community string.

After SNMP access is confirmed, Ghost Blizzard exploits Cisco Smart Install. Cisco SMI is a plug-and-play provisioning protocol for Cisco IOS switches designed for zero-touch deployment in branch environments. When SMI is enabled and internet-facing, an unauthenticated attacker can download device configurations, replace the operating system image, and execute arbitrary Tcl scripts directly on the device. Cisco documented SMI misuse in 2018 and issued advisories to disable SMI on all internet-facing devices, but adoption remains incomplete across organizations managing legacy network infrastructure at scale.

The third vector, Cisco web-portal flaws, targets devices with HTTP or HTTPS management interfaces exposed to the internet. Chaining SNMP credential access with web-portal authentication bypasses allows Ghost Blizzard to establish a full authenticated management session. After initial access, the group extracts configuration files, establishes persistent backdoor access, and uses the compromised router as an internal network reconnaissance platform. The December 2025 Poland energy attack demonstrates the endgame: not just intelligence collection but pre-positioned capability for physical-world disruption.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

July 2026 Patch Tuesday: RoguePlanet Zero-Day and Critical Kerberos RC4 Deadline

Microsoft patched 116 security vulnerabilities in the July 2026 Patch Tuesday release, including CVE-2026-50656, the RoguePlanet vulnerability in Microsoft Malware Protection Engine (mpengine.dll). RoguePlanet is a race condition flaw that allows any process running on a Windows device to spawn a command shell with SYSTEM-level privileges, bypassing all standard user access control mechanisms. Researcher Nightmare-Eclipse demonstrated the exploit works on fully patched Windows 10 and Windows 11 systems regardless of whether Microsoft Defender's real-time protection is active.

Microsoft released the fix in Malware Protection Engine version 1.1.26060.3008, distributed automatically via Windows Update. Organizations with blocked Windows Update policies, air-gapped environments, or manual Defender update configurations need to manually trigger the engine update. Without the patch, a local attacker can use the SYSTEM shell path for ransomware staging or lateral movement without triggering standard endpoint detection.

July 14, 2026 marks Phase 2 enforcement of Microsoft's Kerberos RC4 hardening initiative. RC4 encryption support in Kerberos is disabled by default starting Tuesday. Organizations running legacy Windows Server 2008 R2, applications authenticating via RC4-HMAC, or Kerberos configurations not migrated to AES encryption will see authentication failures begin at the next domain controller restart. Full patch details on SharePoint RCE CVE-2026-45659, also addressed in this Patch Tuesday cycle, are covered in our dedicated advisory. If your AES migration is incomplete, use the AllowRC4 registry key to buy time and escalate the migration today.

Adobe ColdFusion CVE-2026-48282: Maximum-Severity RCE Actively Exploited Within Hours

Adobe ColdFusion CVE-2026-48282 is a path traversal vulnerability that allows remote attackers to execute arbitrary code on vulnerable ColdFusion servers without any authentication. The flaw received a maximum CVSS score of 10.0. Adobe released patches addressing ColdFusion 2025.9 and ColdFusion 2023.20 in a coordinated security bulletin ahead of the July 2026 disclosure window, but exploitation began within two hours of full technical details becoming public.

The first confirmed exploitation attempt originated from IP address 103.207.14.220, geolocated to India. Security researchers tracking the exploit wave noted rapid weaponization consistent with organized criminal groups that prepare automated exploit code during the responsible disclosure window and deploy immediately at publication. Adobe had previously warned that the vulnerability was easy to exploit and likely to be targeted in attacks. CISA added CVE-2026-48282 to the Known Exploited Vulnerabilities catalog immediately following confirmed wild exploitation, establishing a compliance deadline for federal agencies.

Adobe ColdFusion is used extensively in U.S. federal government environments, healthcare records systems, and financial services applications, sectors where legacy ColdFusion deployments frequently run unsupported versions. Organizations that have not already patched based on our earlier dedicated Adobe ColdFusion CVE-2026-48282 advisory should treat this as an emergency remediation today. Any internet-facing ColdFusion instance without the July patch applied is currently compromised or imminently at risk.

Subscribe to unlock Indicators of Compromise

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

EtherRAT Teams Campaign, Accenture 35GB Breach, and Progress ShareFile Threat

Three additional high-priority threats complete today's Monday Intel Drop, each targeting a distinct layer of enterprise attack surface.

The EtherRAT campaign targeting Microsoft Teams continues. Financially motivated threat actors impersonate corporate IT support staff over Teams voice calls, convince employees to install HopToDesk or AnyDesk, then deploy EtherRAT, a cross-platform remote access trojan written in Node.js. EtherRAT's defining characteristic is its command-and-control architecture: it retrieves its C2 server address from Ethereum smart contracts, making traditional domain takedowns ineffective. Financial and healthcare organizations are confirmed primary targets. Attacker infrastructure observed in July campaigns includes email helpdesk@Progressive936.onmicrosoft[.]com and malware distribution domain camorreado[.]click.

Accenture confirmed a breach resulting in 35GB of source code stolen from the firm. The exfiltrated material includes proprietary codebases and internal tooling. Organizations using Accenture as a managed security service provider should conduct an immediate access review to determine whether their proprietary data or authentication credentials were included in the stolen material. Accenture manages security operations for thousands of enterprise clients globally, amplifying the supply chain exposure risk beyond the firm itself.

Progress Software instructed all ShareFile Storage Zone Controller administrators to immediately shut down servers following what it described as a credible external security threat to the on-premises file-sharing product. Progress has not disclosed a CVE identifier, indicating either active zero-day exploitation or verified imminent threat intelligence. Any organization running ShareFile Storage Zone Controllers on Windows should comply with the shutdown advisory immediately and await formal patch guidance.

Subscribe to unlock Indicators of Compromise

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Why This Monday Cyber Threat Brief July 2026 Matters for Your Organization

Five threats, five distinct vectors, all confirmed active within the same seven-day window. The pattern is not coincidental: nation-state actors, criminal groups, and opportunistic attackers are all operating at a tempo that outpaces quarterly patch cycles.

The Russian FSB router campaign is the most structurally dangerous item in this brief because it targets the network foundation every other security control depends on. A compromised border router does not trigger endpoint detection alerts, does not appear in user behavior analytics, and does not generate SIEM events when it silently maps your internal network topology and pre-positions for a future destructive attack. Organizations that focus patching energy exclusively on endpoint operating systems while leaving network device firmware at vendor-default configurations provide attackers with an unmonitored entry point that bypasses the entire defense stack.

The Kerberos RC4 enforcement deadline on July 14 means that any organization still using RC4-HMAC in Active Directory will discover failed logins and application outages tomorrow morning. This is a deterministic, predictable failure announced six months in advance. If your Kerberos migration is incomplete, the window to escalate is right now.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The bottom line

This Monday cyber threat brief July 2026 documents the simultaneous convergence of nation-state infrastructure attacks, criminal malware campaigns, OS-level privilege escalation, and supply chain exposure in a single seven-day window. Three key takeaways: Russian FSB Centre 16 is actively exploiting Cisco routers targeting critical infrastructure right now, with 18 nations confirming the campaign; the July Patch Tuesday includes an actively exploited Defender zero-day requiring manual engine updates in non-standard environments; and the Kerberos RC4 deprecation deadline lands tomorrow with no further warning. Block EtherRAT IOCs, shut down ShareFile controllers, patch ColdFusion, and verify Ghost Blizzard controls are in place before your team starts work Tuesday.

This analysis is generic — the platform version scores threats like this against your own stack.

Frequently asked questions

What is Ghost Blizzard and which sectors does it target?

Ghost Blizzard is the Microsoft threat intelligence designation for FSB Centre 16, a Russian Federal Security Service unit confirmed by 18 intelligence agencies from 12 countries as responsible for opportunistic router exploitation campaigns targeting critical infrastructure globally. The group is also tracked as Energetic Bear, Crouching Yeti, and Dragonfly. Confirmed primary target sectors are communications, defense, energy, financial services, government, and healthcare. The December 2025 Poland energy grid attack, which disrupted heating for more than 500,000 civilians, is directly attributed to FSB Centre 16.

How do Russian FSB hackers exploit routers?

FSB Centre 16 exploits three specific vulnerabilities: default or weak SNMP community strings on SNMPv1/SNMPv2c devices, Cisco Smart Install protocol misuse on internet-facing switches, and web-portal management interface flaws on Cisco IOS devices. The attack chain starts with internet-wide UDP port 161 scanning, extracts device configurations using SNMP access, then escalates using Cisco SMI or web interface flaws. No user interaction is required. A Cisco device with a default SNMP community string such as public or private that is reachable from the internet is exposed immediately.

What is CVE-2026-50656 RoguePlanet and am I at risk?

CVE-2026-50656, named RoguePlanet, is a race condition vulnerability in Microsoft Malware Protection Engine (mpengine.dll), the core scanning component of Microsoft Defender. The flaw lets any local process spawn a command shell with SYSTEM-level privileges on fully patched Windows 10 and Windows 11 devices without requiring administrative rights. You are at risk if Defender's Malware Protection Engine has not updated to version 1.1.26060.3008. Microsoft distributes this update automatically through Windows Update, but air-gapped systems and environments with blocked Windows Update require a manual engine update.

Is Adobe ColdFusion CVE-2026-48282 patched?

Yes. Adobe released patches before the July 2026 disclosure date. ColdFusion 2025.x users should apply the July security update, and ColdFusion 2023.x users should update to version 2023.20 or later. The patch addresses the path traversal vulnerability that enables unauthenticated remote code execution. If you have not yet applied this patch, exploitation is confirmed in the wild: an attacker successfully exploited the flaw within two hours of public disclosure, and CISA has added it to the Known Exploited Vulnerabilities catalog with a federal agency remediation deadline.

What is EtherRAT malware and how do I detect it?

EtherRAT is a cross-platform remote access trojan written in Node.js that retrieves its active command-and-control server address from Ethereum smart contracts, making traditional domain-based takedowns ineffective. It arrives through Microsoft Teams vishing campaigns where attackers impersonate IT support staff and convince victims to install HopToDesk or AnyDesk. Detection indicators include Teams voice calls from external tenants marked Unfamiliar, HopToDesk or AnyDesk installations by non-IT users, Node.js execution from unexpected directories, and outbound traffic to Ethereum JSON-RPC endpoints from standard workstations.

How do I protect routers from Russian state hackers?

Apply four controls immediately. First, migrate all SNMP configurations to SNMPv3 with authentication and encryption, and remove SNMPv1 and SNMPv2c community strings entirely. Second, disable Cisco Smart Install using the no vstack command on all Cisco IOS devices that do not require it for active provisioning. Third, restrict router web management interfaces to internal management subnets using IP access control lists. Fourth, audit all network device passwords against vendor-published default credential lists and change any that match. These four controls address every attack vector documented in the NCSC July 2026 advisory.

What happened in the Accenture data breach July 2026?

Accenture confirmed that attackers exfiltrated approximately 35GB of source code from the firm in July 2026. The stolen material includes proprietary codebases and internal tooling from one of the world's largest cybersecurity and IT consulting firms. Organizations that use Accenture as a managed service provider or that share code repositories with Accenture should conduct an access review to determine whether any of their proprietary data or authentication credentials were included in the exfiltrated material.

What does Kerberos RC4 deprecation mean for my organization?

Starting July 14, 2026, Microsoft's Phase 2 Kerberos hardening update disables RC4-HMAC encryption by default in Active Directory environments. Any Kerberos authentication request using RC4 will fail. Applications affected include legacy Windows Server 2008 R2 systems, older SQL Server versions, certain SAP integrations, and any application not migrated to AES-128 or AES-256 Kerberos encryption during Phase 1. If your organization has completed the AES migration, no impact is expected. If RC4 is still in use, disable enforcement temporarily via the AllowRC4 registry key and complete the AES migration before re-enabling.

Sources & references

  1. NCSC: UK and Allies Urge Critical Sectors to Improve Defences Against Russian Intelligence Targeting
  2. CISA: Adds Three Known Exploited Vulnerabilities to Catalog, July 7 2026
  3. The Hacker News: Microsoft Patches RoguePlanet Defender Flaw That Can Grant SYSTEM Privileges
  4. Security Affairs: Adobe ColdFusion Flaw CVE-2026-48282 Now Exploited in the Wild
  5. BleepingComputer: Fake IT Support Calls on Microsoft Teams Push EtherRAT Malware

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.