SecurityWeek’s weekly cybersecurity news roundup offers a concise overview of important developments that may not receive full standalone coverage but remain relevant to the broader threat landscape.
This curated summary highlights key stories across vulnerability disclosures, emerging attack methods, policy updates, industry reports, and other noteworthy events to help readers maintain a well-rounded awareness of the evolving cybersecurity environment.
Here are this week’s highlights:
OFAC hits Iranian central bank crypto reserves
OFAC designated two cryptocurrency wallets directly linked to Iran’s Central Bank, marking the first such action against the institution and tying them to the IRGC-Qods Force and Hizballah. In coordination with US law enforcement, Tether froze approximately $344 million in USDT across the addresses, which had accumulated roughly $370 million through nearly 1,000 transactions since March 2021 and largely remained dormant after late 2023 as sovereign reserves.
US seeks extradition of teenage Scattered Spider member arrested in Finland
Finnish authorities arrested 19-year-old Peter Stokes (online handle ‘Bouquet’), a dual US-Estonian citizen, as he tried to board a flight to Japan. US prosecutors in Chicago charge him as a key member of the Scattered Spider hacking group, alleging involvement in multiple intrusions against large corporations. Stokes faces counts of wire fraud, conspiracy, and computer intrusion. The US is pursuing his extradition while highlighting his flashy lifestyle and public taunting of law enforcement.
ADT suffers major data leak
Home monitoring provider ADT has confirmed that unauthorized actors gained access to its cloud-based systems, leading to the exposure of customer information. The ShinyHunters extortion group claimed responsibility for the attack, asserting they exfiltrated over 10 million records from a Salesforce database after ransom negotiations failed. Data verified by Have I Been Pwned indicates approximately 5.5 million unique email addresses were leaked, alongside names, physical addresses, and in some instances, partial SSNs.
Microsoft sunsets outdated encryption for legacy email protocols
Microsoft has announced that Exchange Online will begin blocking TLS 1.0 and 1.1 for all POP and IMAP traffic starting in July 2026. This full deprecation eliminates previous workaround options, forcing a mandatory transition to TLS 1.2 or later for any products still relying on legacy cryptographic standards.
Outdated NSA mapping tool poses risk to industrial networks
CISA has issued an advisory regarding a critical vulnerability in GRASSMARLIN, an open source tool originally developed by the National Security Agency (NSA) for mapping industrial control system (ICS) networks. The flaw allows attackers to trigger out-of-band exfiltration of sensitive files, which experts say can facilitate lateral movement in industrial networks. Because the tool reached end-of-life status in 2017, no official patches will be released.
Poor metrics undermine SOC effectiveness
The UK’s National Cyber Security Centre (NCSC) warns that measuring a Security Operations Center (SOC) through ticket volume and log counts creates perverse outcomes that compromise network safety. The agency suggests that leaders should prioritize ‘time to detect’ and ‘time to respond’ metrics, which are best validated through red or purple team exercises. It encourages analysts to focus on high-value threat hunting and expertise rather than simply racing to close alerts as quickly as possible.
North Korean hackers deploy sophisticated virtual meeting lures against crypto firms
BlueNoroff, a financially motivated arm of the North Korean Lazarus Group, is conducting a social engineering campaign aimed at Web3 organizations. Attackers lure executives into fake Zoom meetings where fabricated technical issues prompt victims to execute malicious PowerShell scripts disguised as software fixes. This malware harvests credentials from cryptocurrency wallet extensions and captures live webcam footage to refine deepfake personas for subsequent attacks.
Cursor IDE vulnerability opens door for silent code execution
Novee Security has identified a high-severity vulnerability in the Cursor IDE that allows attackers to achieve arbitrary code execution via malicious Git hooks. Tracked as CVE-2026-26268, the flaw is triggered when the tool’s AI agent autonomously performs Git operations, executing hidden scripts in nested repositories without the developer’s knowledge or approval.
CISA releases guidance for zero trust in OT and agentic AI services adoption
CISA has published two guidance resources developed in collaboration with other agencies. One focuses on applying zero trust principles to operational technology (OT), addressing the growing IT-OT convergence that has expanded attack surfaces. In the second guidance, CISA and partners urge measured rollout of agentic AI systems. The resource highlights key security risks and challenges while offering practical steps for design, deployment, and operation that align with existing cybersecurity frameworks and strengthen oversight.
Attackers hijack Qinglong task management platforms to mine cryptocurrency
Snyk reports that threat actors are exploiting authentication bypass vulnerabilities in the Qinglong open source task scheduler to deploy a persistent cryptominer. The flaws, tracked as CVE-2026-3965 and CVE-2026-4047, allow unauthenticated remote code execution by exploiting discrepancies in how the system handles URL rewriting and case-sensitive path matching. Impacted servers experience severe CPU saturation.
Related: In Other News: Satellite Cybersecurity Act, $90K Chrome Flaw, Teen Hacker Arrested
Related: In Other News: Unauthorized Mythos Access, Plankey CISA Nomination Ends, New Display Security Device
