Weekly Cyber Briefing 05.06.2026
Weekly Cyber Update: 5 June 2026
A new ClickFix campaign; a legacy Oracle flaw to patch; a new DoS attack to mitigate; software supply chain advice from the NCSC; and a warning from the CSA on patching velocity
Thousands of websites have been compromised in a series of campaigns designed to direct unwitting visitors to malware-delivery infrastructure, according to security researchers. The threat actor responsible was dubbed “DriveSurge” by security vendor Silent Push. They use malicious code injected into high-reputation sites to route visitors through the zTDS traffic distribution system. The TDS profiles each visitor and decides whether to use ClickFix or InstallFix (fake update) lures to trick them into downloading and installing malware. It’s unclear what type of malware, but infostealers would be a safe bet.
DriveSurge is an initial access broker (IAB) operating on a pay-per-install (PPI) model. This means compromised enterprise users/endpoints could be targeted in secondary attacks for data theft, ransomware/extortion and more. ClickFix-style attacks are known to have high success rates.
Update security awareness training to include ClickFix/InstallFix. Block users from launching PowerShell.exe or mshta.exe directly from the browser or via the Windows Run dialog, in order to reduce the attack surface. Update EDR to detect suspicious activity. Consider conditional access policies to mitigate session hijacking via infostealer malware.
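The detection side of that advice, as an added example that is not part of the briefing or any vendor's rule set: a small Python check that flags process-creation events in which a browser, or the Windows Run dialog, spawns PowerShell or mshta.exe. The events are constructed and loosely modelled on Sysmon Event ID 1 fields; the browser list and the assumption that Run-dialog launches appear as children of explorer.exe are both assumptions you should tune to your own telemetry.

```python
"""Added example: flag process-creation events in which a browser, or the
Windows Run dialog, launches PowerShell or mshta.exe (the ClickFix/InstallFix
pattern). The events below are constructed, loosely modelled on Sysmon
Event ID 1 fields; field names and the parent-process heuristics are
assumptions, not a vendor rule."""
import ntpath
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Browsers whose child processes we care about (assumed list; extend for your estate).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
# Assumption: commands typed into the Run dialog appear as children of explorer.exe.
RUN_DIALOG_PARENT = "explorer.exe"
# Interpreters the ClickFix lure asks the victim to paste commands into.
WATCHED_CHILDREN = {"powershell.exe", "pwsh.exe", "mshta.exe"}


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str
    user: str


def _basename(path: str) -> str:
    # ntpath handles Windows separators regardless of the host OS.
    return ntpath.basename(path).lower()


def classify(event: ProcessEvent) -> Optional[str]:
    """Return a detection label for the event, or None if it is not suspicious."""
    child = _basename(event.image)
    if child not in WATCHED_CHILDREN:
        return None
    parent = _basename(event.parent_image)
    if parent in BROWSERS:
        return "browser-spawned-interpreter"
    if parent == RUN_DIALOG_PARENT:
        return "run-dialog-spawned-interpreter"
    return None


def detect(events: List[ProcessEvent]) -> List[Tuple[str, ProcessEvent]]:
    """Run classify() over a batch of events and keep only the hits."""
    hits = []
    for event in events:
        label = classify(event)
        if label:
            hits.append((label, event))
    return hits


# Constructed sample events: two ClickFix-style launches among ordinary activity.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -w hidden -c <redacted>", "CORP\\alice"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
                 "mshta.exe https://placeholder.invalid/update", "CORP\\bob"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -File C:\\scripts\\backup.ps1", "CORP\\svc-backup"),
    ProcessEvent(r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
                 r"C:\Windows\System32\notepad.exe", "notepad.exe", "CORP\\carol"),
    ProcessEvent(r"C:\Windows\System32\services.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NonInteractive", "NT AUTHORITY\\SYSTEM"),
]

if __name__ == "__main__":
    for label, event in detect(SAMPLE_EVENTS):
        print(f"{label}: {event.user} {_basename(event.parent_image)} -> {event.command_line}")
```

The explorer.exe rule will be noisier than the browser rule, since legitimate shortcuts also run under explorer.exe; in practice it belongs in a hunting query or a lower-severity alert, while the browser-parented case is rare enough in most estates to alert on directly. Actual blocking, as opposed to detection, is an application-control job (AppLocker or WDAC policy on the interpreters), which this script does not attempt.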
Oracle WebLogic Server users have been warned that threat actors are exploiting a high-severity vulnerability discovered and patched by the vendor in 2024. CVE-2024-21182 is said to be “easily exploitable” for unauthenticated attackers with network access via T3 and IIOP. It could result in unauthorised access to critical data or complete access to all Oracle WebLogic Server-accessible data. There are reportedly over 1500 WebLogic servers exposed and vulnerable to the flaw.
US cybersecurity agency CISA has added CVE-2024-21182 to its known exploited vulnerabilities (KEV) catalogue, warning that this type of flaw is a frequent attack vector and poses “significant risks”. Endpoints like WebLogic servers are a popular target for initial access in damaging attacks like ransomware and data theft.
Scan for vulnerable WebLogic Server instances and apply the patch as per Oracle’s instructions. Hunt for IoCs and suspicious activity related to the enterprise WebLogic environment.
Security researchers have discovered a new denial-of-service (DoS) attack that can be launched from a single home computer and take down web servers in 20 seconds. “HTTP/2 Bomb” was discovered with the help of AI and targets NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare Pingora. It combines two techniques in a novel way – HPACK compression amplification and Slowloris-style resource retention via HTTP/2 flow-control stalling.
At-risk servers have a huge global footprint. Although NGINX and Apache have issued patches to fix the issue, Microsoft IIS, Envoy, and Cloudflare Pingora had not at the time of writing. A proof of concept has already been published, meaning attacks could be imminent.
Identify any vulnerable web servers and deploy patches where available. Where vendor updates aren’t yet available, consider disabling HTTP/2 and reverting to HTTP/1.1 on exposed servers until patches have been issued. Contact your Content Delivery Network (CDN) provider to check if mitigations have been deployed upstream.
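The interim mitigation in practice, as an added example that is neither from the briefing nor from the nginx project: a Python audit that finds every directive in an nginx configuration that turns HTTP/2 on and emits a copy with it switched off, leaving HTTP/1.1 in place. It covers both the legacy `http2` parameter on `listen` and the `http2 on;` directive that nginx 1.25.1 introduced; the configuration text is constructed, and `include` files are not followed.

```python
"""Added example (not from the original article or the nginx project): audit an
nginx configuration for directives that enable HTTP/2 and emit a copy with
HTTP/2 switched off, as a stop-gap until a vendor patch is applied.
Handles both the legacy `listen ... http2` parameter and the `http2 on;`
directive introduced in nginx 1.25.1. Include files are not followed."""
import re
from typing import List, Tuple

LISTEN_HTTP2 = re.compile(r"^\s*listen\s.*\bhttp2\b")
HTTP2_ON = re.compile(r"^\s*http2\s+on\s*;")


def _split_comment(raw: str) -> Tuple[str, str]:
    """Separate directive text from a trailing '#' comment so comments are never matched."""
    code, sep, comment = raw.partition("#")
    return code, sep + comment


def find_http2_enabled(config_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, directive) for every line that turns HTTP/2 on."""
    findings = []
    for number, raw in enumerate(config_text.splitlines(), start=1):
        code, _ = _split_comment(raw)
        if LISTEN_HTTP2.match(code) or HTTP2_ON.match(code):
            findings.append((number, code.strip()))
    return findings


def disable_http2(config_text: str) -> str:
    """Rewrite the configuration so that HTTP/2 is no longer offered; HTTP/1.1 remains."""
    out = []
    for raw in config_text.splitlines():
        code, comment = _split_comment(raw)
        if LISTEN_HTTP2.match(code):
            code = re.sub(r"\s+http2\b", "", code)
        elif HTTP2_ON.match(code):
            code = re.sub(r"\bon\b", "off", code, count=1)
        out.append(code + comment)
    return "\n".join(out) + "\n"


# Constructed sample: one server block with HTTP/2 enabled both ways, one without.
SAMPLE_CONFIG = """\
server {
    listen 443 ssl http2;        # legacy parameter form
    listen [::]:443 ssl http2;
    http2 on;                    # directive form, nginx >= 1.25.1
    server_name www.example.com;
}
server {
    listen 8443 ssl;             # HTTP/1.1 only already
    server_name admin.example.com;
}
"""

if __name__ == "__main__":
    for number, directive in find_http2_enabled(SAMPLE_CONFIG):
        print(f"line {number}: {directive}")
    print(disable_http2(SAMPLE_CONFIG))
```

Run the audit before and after the rewrite and check the second pass returns nothing, then `nginx -t` and reload. Remember that if a CDN terminates TLS in front of you, HTTP/2 is negotiated there, so the check on your origin says nothing about what the edge offers; that is the question to put to the provider.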
The National Cyber Security Centre (NCSC) has published new guidance designed to help security teams better “understand, mitigate and more effectively respond” to open source software risks. The document explains how software supply chain attacks are evolving, such as the recent Shai-Hulud campaigns. They typically target developer environments, and abuse automation and open publishing models to propagate rapidly, the NCSC warned.
The NCSC is signalling that software supply chain security is no longer a “nice to have” but an essential prerequisite for a mature cybersecurity posture. This is likely to be an area the authorities ask about in assessments and supplier assurance frameworks. It’s already part of the Cyber Assessment Framework (CAF), which is likely to form the basis of the requirements set out in the Cyber Security and Resilience Bill.
Follow the NCSC’s broad advice. Understand what you’re running by maintaining a Software Bill of Materials (SBOM) for every significant application. Verify the integrity of packages, not just the source. Monitor for changes in package ownership and “maintainership”. Pin dependencies, and treat your CI/CD pipelines as critical infrastructure.
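Two of those points, pinning dependencies and verifying package integrity rather than trusting the source, in working form as an added example that is not from the NCSC guidance or any package manager: a Python parser for a pip requirements file that reports dependencies lacking an exact version and a hash, plus a check that a downloaded artifact matches its pinned hash before installation. The package names, versions and artifact bytes are constructed.

```python
"""Added example (not from the NCSC guidance or any package manager): parse a
pip requirements file, report dependencies that are not pinned to an exact
version with a hash, and verify a downloaded artifact against the pinned
hash before it is installed. The package names, versions and artifact bytes
below are constructed for the example."""
import hashlib
import re
from typing import Dict, List, Set, Tuple

PIN_RE = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*(?:\[[^\]]*\])?)==(?P<version>[^\s;]+)")
HASH_RE = re.compile(r"--hash=(?P<algo>sha256|sha384|sha512):(?P<digest>[0-9a-fA-F]+)")


def _logical_lines(text: str) -> List[str]:
    """Join backslash-continued lines (as `pip-compile --generate-hashes` writes them)."""
    lines, buf = [], ""
    for raw in text.splitlines():
        code = raw.split("#", 1)[0].rstrip()
        if code.endswith("\\"):
            buf += code[:-1] + " "
            continue
        buf += code
        if buf.strip():
            lines.append(buf.strip())
        buf = ""
    if buf.strip():
        lines.append(buf.strip())
    return lines


def parse_requirements(text: str) -> Dict[str, dict]:
    """Map package name -> {version, hashes, pinned}."""
    reqs = {}
    for line in _logical_lines(text):
        pinned = PIN_RE.match(line)
        if pinned:
            name = pinned.group("name").lower()
            hashes: Set[Tuple[str, str]] = {(m.group("algo"), m.group("digest").lower())
                                            for m in HASH_RE.finditer(line)}
            reqs[name] = {"version": pinned.group("version"), "hashes": hashes, "pinned": True}
        else:
            name = re.split(r"[<>~!=\s\[]", line, maxsplit=1)[0].lower()
            reqs[name] = {"version": None, "hashes": set(), "pinned": False}
    return reqs


def unpinned_or_unhashed(reqs: Dict[str, dict]) -> List[str]:
    """Names that could silently change between installs."""
    return sorted(name for name, r in reqs.items() if not r["pinned"] or not r["hashes"])


def verify_artifact(name: str, data: bytes, reqs: Dict[str, dict]) -> bool:
    """True only if the artifact's digest matches one of the pinned hashes for name."""
    for algo, digest in reqs.get(name.lower(), {}).get("hashes", set()):
        if hashlib.new(algo, data).hexdigest() == digest:
            return True
    return False


# Constructed artifact; its real digest is used to build the sample requirements file.
GOOD_WHEEL = b"constructed wheel bytes for examplepkg 1.2.3"
SAMPLE_REQUIREMENTS = f"""\
# constructed requirements file
examplepkg==1.2.3 \\
    --hash=sha256:{hashlib.sha256(GOOD_WHEEL).hexdigest()}
urllib3==2.2.1          # pinned, but no hash: a replaced upload would not be noticed
requests>=2.0           # floating range: resolves to whatever is newest
"""
REQS = parse_requirements(SAMPLE_REQUIREMENTS)

if __name__ == "__main__":
    print("needs attention:", unpinned_or_unhashed(REQS))
    print("good artifact:", verify_artifact("examplepkg", GOOD_WHEEL, REQS))
    print("tampered artifact:", verify_artifact("examplepkg", GOOD_WHEEL + b"!", REQS))
```

The same property is enforced for real by `pip install --require-hashes -r requirements.txt`, which refuses any requirement without a hash and any download whose digest does not match; the script is useful as a CI gate that fails the build before that point, and as a template for the equivalent check on lockfiles in other ecosystems, since the idea (exact version plus content digest, compared at install time) carries over.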
Over 80% of organisations that aren’t able to patch within 24 hours of a security update becoming available report incidents involving known vulnerabilities, according to the Cloud Security Alliance (CSA). A new report from the non-profit highlighted that companies are failing to patch quickly enough. It also found that only 9% of organisations remediate critical or high-severity vulnerabilities in production within 24 hours, with three-quarters (74%) taking between one and seven days.
It’s not essential to patch all vulnerabilities within 24 hours. But for actively exploited, high-severity flaws, the window between public disclosure and weaponised exploitation is now measured in hours, thanks to the impact of AI. Organisations that treat patching as a weekly or monthly rhythm are structurally exposed. AI is also compressing the time from initial access to ransomware deployment inside a network, by automating reconnaissance and evasion.
Understand what your tiered patching SLA looks like for critical, actively exploited vulnerabilities on perimeter systems – and when it was last tested. Ensure EDR detections are tuned for automated, AI-assisted lateral movement patterns. Adopt risk-based patching programmes to prioritise the most critical, exploitable flaws.
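What a tiered, risk-based patching SLA looks like when it is actually computed, as an added example that is not from the CSA report: a Python evaluation of a small vulnerability inventory that assigns each finding a window based on severity, known exploitation and exposure, reports met/breached/open counts, and orders the outstanding work by deadline. The SLA tiers, asset names and findings are constructed (only the WebLogic CVE comes from the briefing; the other identifiers are placeholders).

```python
"""Added example (not from the CSA report): a tiered patching SLA evaluated
over a small vulnerability inventory. SLA windows, asset names and all findings
except the WebLogic CVE mentioned in the briefing are constructed; tune the
tiers to your own risk appetite."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Finding:
    asset: str
    cve: str
    severity: str            # critical / high / medium / low
    exploited: bool          # known to be exploited in the wild (e.g. listed on CISA KEV)
    perimeter: bool          # internet-facing
    disclosed: datetime      # when the fix became available / the flaw became public
    remediated: Optional[datetime]


def sla_for(f: Finding) -> timedelta:
    """Assumed tiers: the fastest window goes to exploited, high-impact flaws on the perimeter."""
    if f.exploited and f.perimeter and f.severity in ("critical", "high"):
        return timedelta(hours=24)
    if f.exploited or (f.severity == "critical" and f.perimeter):
        return timedelta(days=3)
    if f.severity in ("critical", "high"):
        return timedelta(days=7)
    return timedelta(days=30)


def deadline(f: Finding) -> datetime:
    return f.disclosed + sla_for(f)


def status(f: Finding, now: datetime) -> str:
    """'met' or 'breached' for remediated findings; 'open' or 'breached' for unremediated ones."""
    if f.remediated is not None:
        return "met" if f.remediated <= deadline(f) else "breached"
    return "breached" if now > deadline(f) else "open"


def summary(findings: List[Finding], now: datetime) -> Dict[str, int]:
    counts = {"met": 0, "breached": 0, "open": 0}
    for f in findings:
        counts[status(f, now)] += 1
    return counts


def work_queue(findings: List[Finding]) -> List[Finding]:
    """Unremediated findings, most overdue first: this is the risk-based order to patch in."""
    return sorted((f for f in findings if f.remediated is None), key=deadline)


NOW = datetime(2026, 6, 5, 12, 0)
# Constructed inventory; CVE-2024-21182 is the WebLogic flaw from the briefing,
# the other identifiers are placeholders.
INVENTORY = [
    Finding("weblogic-01", "CVE-2024-21182", "critical", True, True,
            datetime(2026, 6, 1, 9, 0), datetime(2026, 6, 2, 15, 0)),   # 30h: breached
    Finding("vpn-gw", "CVE-PLACEHOLDER-1", "high", True, True,
            datetime(2026, 6, 4, 20, 0), None),                          # due 20:00 today
    Finding("intranet-app", "CVE-PLACEHOLDER-2", "high", False, False,
            datetime(2026, 5, 20), datetime(2026, 5, 25)),               # 5d of 7d: met
    Finding("file-server", "CVE-PLACEHOLDER-3", "medium", False, False,
            datetime(2026, 4, 1), None),                                 # 30d window long gone
    Finding("web-02", "CVE-PLACEHOLDER-4", "critical", False, True,
            datetime(2026, 6, 3, 8, 0), None),                           # 3d window still open
]

if __name__ == "__main__":
    print(summary(INVENTORY, NOW))
    for f in work_queue(INVENTORY):
        print(f"{status(f, NOW):8} {f.asset:13} {f.cve:18} due {deadline(f):%Y-%m-%d %H:%M}")
```

The point of running this over real inventory data rather than reading the policy document is that it answers the "when was it last tested" question directly: the `breached` count on exploited perimeter findings is the number that tells you whether the 24-hour tier exists in practice. Feeding `exploited` from the CISA KEV catalogue and `perimeter` from your external attack-surface inventory, rather than setting them by hand, is what turns this into a risk-based programme instead of a severity-only one.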