Weekly Cyber Briefing 26.06.2026

Weekly Cyber Update: 26 June 2026

More warnings over frontier AI; another OAuth supply chain breach; maximum severity Ubiquiti flaws are exploited; and a phishing awareness exercise goes badly wrong

The Cyber Threat Intelligence Briefing is a weekly round-up of the latest cybersecurity news, trends and indicators, curated by our CISO, Nick Harris. Here’s our pick of the top stories, and why you should care.


Five Eyes sounds the alarm over frontier AI

The Five Eyes intelligence alliance has joined calls urging global businesses to prepare now for the impact frontier AI will have on the threat landscape. A public statement released by the group’s security agencies, including the UK’s NCSC, warned that the technology will “fundamentally” transform offensive and defensive capabilities within months. Cyber must be treated as a business risk issue rather than a purely technical matter, they said. The news comes as one Chinese model maker said it had developed a model as powerful as Anthropic’s Mythos. Another released a model which experts said could be easy for Russian hackers to jailbreak.

Why it matters

This is a rare joint statement from the Five Eyes, which emphasises the importance of its message. The allies warn that AI is collapsing the vulnerability exploitation window, which will cause great operational, financial and reputational harm to organisations that don’t have best practice measures in place.

Assured’s recommended action

Reduce the attack surface by limiting system access and connectivity and isolating systems that can be segregated. Prioritise patching according to risk and automate where possible. Take steps to address risks associated with legacy systems. Review and strengthen identity and access controls. Test and hone incident response plans. Consider AI tools to detect vulnerabilities earlier and respond to threats faster.


LastPass admits customer data stolen in Klue supply-chain breach

LastPass has become the latest victim of a supply chain compromise impacting customers of Klue. Threat actors from the Icarus extortion group compromised the market intelligence platform, stealing OAuth tokens connecting to customers’ Salesforce environments. With access to those environments, they were able to steal a range of data and hold it to ransom. Other victims include Recorded Future, Tanium, Jamf, Sprout Social, Gong, and Insurity.

Why it matters

OAuth tokens have been used in several extortion campaigns. For LastPass customers, the following data may be compromised: names, phone numbers, email and home addresses, support case information and sales/CRM-related data.

Assured’s recommended action

Audit all OAuth integrations and reduce access permissions where possible. Revoke Klue OAuth tokens. Prepare employees for follow-on phishing campaigns.


Maximum severity Ubiquiti flaws exploited

US security agency CISA has warned that three maximum severity flaws in Ubiquiti’s UniFi OS are being exploited in the wild. CVE-2026-34908 could lead to full system compromise by enabling an unauthenticated attacker to make unauthorised changes to the OS. CVE-2026-34909 is a directory/path traversal vulnerability that allows hackers to access sensitive config files and credentials for account takeover. CVE-2026-34910 enables attackers to inject and execute arbitrary OS commands for system takeover.

Why it matters

Ubiquiti UniFi OS is a popular IT infrastructure management platform. Attacking it could be the first step to broader compromise, enabling espionage, data theft/extortion and even destructive attacks.

Assured’s recommended action

Determine UniFi OS exposure. Patch in line with vendor advice. Hunt for signs of compromise. Restrict exposure to the internet where possible.


Phishing simulation exercise “crossed a line”, say employees

A phishing exercise at a Canadian public sector organisation went badly wrong after union leaders branded it “insulting, degrading, disrespectful”, according to reports. Newfoundland and Labrador Health Services ran a simulation that dangled an extra paid day off, framed as a thank-you for staff who’d slogged through a gruelling new health-records rollout. Thousands clicked, only to find out it was a test. Some staff said it pushed them toward early retirement, and the interim CEO was forced to publicly apologise and launch an investigation.

Why it matters

If done badly, phishing simulation exercises could have the opposite effect to that intended, damaging trust between employees and their organisation.

Assured’s recommended action

Review your phishing awareness strategy. Consider the ethics of running specific phishing simulations before deploying them, and engage with other relevant business stakeholders from HR. Be sure to collect and process feedback from employees. It’s vital to create a culture where staff feel comfortable and are willing to report suspicious messages.
