Subscribe

Social Media Links

Insights

 | 3 minute read

Ankura CTIX FLASH Update – July 17, 2026


Recent cybersecurity research highlights how threat actors continue to exploit trust in both traditional software and emerging AI technologies to gain access to sensitive systems and data. In one campaign, a Russian threat group distributed the Starland Remote Access Trojan (RAT) through trojanized versions of legitimate applications such as WebEx and Zoom, enabling the theft of credentials, cryptocurrency wallet data, system information, and Active Directory details while maintaining persistent access to compromised devices. At the same time, researchers uncovered a new AI-focused attack technique known as Agent Data Injection (ADI), which manipulates information that AI agents inherently trust, potentially causing them to execute unauthorized commands, click malicious links, or make incorrect decisions without appearing compromised. The research reinforces the importance of validating software sources, monitoring privileged activity, maintaining strong endpoint protections, and implementing robust trust and data-validation controls for AI systems as organizations continue to expand their use of automation and intelligent assistants. CTIX analysts will continue to report on the latest malware strains and attack methodologies.


Federal prosecutors have unsealed an indictment against three (3) Russian nationals accused of running bulletproof hosting services Media Land and ML.Cloud, which provided infrastructure and tech support to ransomware gangs and fraud forums. Aleksandr Volosovik (“Yalishanda”) owned Media Land, Yulia Pankova owned ML.Cloud, and Kirill Zatolokin handled customer payments and coordination. The services hosted malware delivery, C2, phishing, DDoS, and stolen card marketplaces, supporting groups like LockBit, BlackSuit, Play, Briansclub, and Bidencash, and enabling attacks that caused at least $62 million in losses across banks, schools, hospitals, governments, and media companies in over twenty (20) US states. All three (3) face charges including computer fraud, wire fraud, and money laundering. The US State Department is offering up to $10 million for information on foreign government-linked associates or use of these companies. The defendants and their firms were previously sanctioned by the US, UK, Australia, and, more recently, the EU in its first joint cyber sanctions package against Russia.


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned that threat actors are actively exploiting three (3) vulnerabilities in internet-exposed on-premises Microsoft SharePoint Server deployments to bypass authentication, achieve remote code execution (RCE), steal IIS machine keys, establish persistence, and deploy malware. The flaws (CVE-2026-32201, CVE-2026-45659, CVE-2026-56164) impact all supported self-hosted SharePoint Server versions, including SharePoint Server Subscription Edition. While Microsoft also patched two (2) additional SharePoint vulnerabilities (CVE-2026-55040 and CVE-2026-58644) that have not yet been observed in active attacks, CISA considers them likely future targets. Shadowserver currently tracks nearly 10,000 internet-exposed SharePoint servers, with more than 800 still unpatched against two (2) of the actively exploited flaws. CISA recommends organizations immediately apply Microsoft’s latest security updates, verify successful patch installation, enable AMSI integration and Microsoft Defender Antivirus detections, hunt for indicators of compromise before rotating IIS machine keys, implement enhanced logging, and minimize internet exposure by restricting administrative access or placing SharePoint servers behind Layer 7 reverse proxies. The three (3) actively exploited vulnerabilities have been added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog, mandating federal agencies to remediate CVE-2026-56164 by July 17, 2026. Since November 2021, CISA has identified eleven (11) actively exploited SharePoint vulnerabilities, seven of which have also been leveraged in ransomware attacks.

📧 Never Miss a Briefing

Stay informed and secure. Subscribe to Ankura’s Cyber Flash Update, a bi-weekly briefing curated by our top cybersecurity experts. Receive timely insights on emerging threats, vulnerabilities and malicious actors to keep your systems secure. 


© Copyright 2026. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.

Let’s Connect

We solve problems by operating as one firm to deliver for our clients. Where others advise, we solve. Where others consult, we partner.

I’m interested in
I need help with