TL;DR
Two Scattered Spider members sentenced to 5.5 years for the 2024 Transport for London attack. Microsoft patches record 570 flaws. macOS ClickLock stealer forces password surrender by killing apps repeatedly.
Executive Summary
- Two leading Scattered Spider members convicted and sentenced to 5.5 years each for orchestrating the August 2024 Transport for London cyberattack, which crippled 148 systems and affected all 27,000 employees.
- Microsoft released patches for 570 security vulnerabilities in a single Patch Tuesday cycle—nearly triple the previous record—reflecting accelerating vulnerability disclosure and patch burden.
- ClickLock, a new macOS infostealer, terminates running applications in a loop until users surrender their login password through social engineering, targeting at least 100 users.
- New malware campaigns including TELEPUZ (spreading via ClickFix since late April) and OkoBot (deploying 20+ payloads for cryptocurrency theft) are actively circulating.
- CISA added five vulnerabilities to its Known Exploited Vulnerabilities catalog, including critical flaws in Microsoft Active Directory Federation Services, SharePoint, and Oracle E-Business Suite.
Top Threats Today
1. Scattered Spider Members Sentenced for £numerous Transport for London Attack
Severity: HIGH Affected: transportation
Owen Flowers (age 18) and Thalha Jubair (age 20) were each sentenced to five and a half years at Woolwich Crown Court on July 16, 2026, for their roles in the August 2024 cyberattack on Transport for London [1]. The attack rendered 148 TfL systems inoperable and forced all 27,000 transport authority employees into temporary office arrangements ⚠[1]. Both men were identified as key members of the prolific cybercrime group Scattered Spider [2]. This marks a significant law enforcement victory against a threat actor responsible for high-impact ransomware and extortion operations targeting critical infrastructure and major enterprises.
Sources:[1] The Hacker News[2] Krebs on Security[3] The Record
Recommended Action
- Review security incidents involving Scattered Spider or similar ransomware-as-a-service operators and verify remediation completeness
- Audit access controls and authentication mechanisms across critical systems to prevent recurrence of similar lateral movement chains
- Monitor threat intelligence feeds for attribution updates on Scattered Spider affiliates and copycat operations
2. Microsoft Patches Record 570 Vulnerabilities in Single Cycle
Severity: HIGH Affected: technology
Microsoft released software updates to address at least 570 security vulnerabilities in Windows operating systems and other software [1]. This figure represents nearly triple the number patched in the previous record-breaking Patch Tuesday release the prior month, reflecting a dramatic escalation in vulnerability remediation demands [1]. The surge in patching workload underscores both the expanding attack surface and the acceleration of vulnerability discovery and disclosure pipelines affecting enterprise environments.
Sources:[1] Krebs on Security
Recommended Action
- Prioritize Microsoft security updates immediately; segment the patch cycle into critical and high-severity CVEs for rapid deployment
- Increase staffing or automation for patch testing and deployment to manage the elevated volume
- Monitor CISA’s Known Exploited Vulnerabilities catalog daily to identify which of the 570 patches address actively targeted flaws
3. ClickLock macOS Infostealer Kills Apps Until Password Extracted
Severity: HIGH Affected: technology
ClickLock Stealer, a new macOS information-stealing malware, coerces users into surrendering their login password by repeatedly terminating all visible running processes ⚠ every 210 milliseconds until the victim complies [1]. The malware arrives as a command pasted into Terminal, presents a fake system dialog requesting the password, and when the victim cancels, installs two LaunchAgents to persist [1]. SecurityWeek reports the malware has targeted at least 100 users to steal passwords and cryptocurrency [3]. This represents a significant escalation in social engineering sophistication, bypassing traditional macOS security through persistent application killing rather than exploiting OS vulnerabilities directly.
Sources:[1] The Hacker News[2] BleepingComputer[3] SecurityWeek
Recommended Action
- Alert macOS users not to paste commands from untrusted sources into Terminal; use endpoint detection and response (EDR) tools to monitor for unexpected LaunchAgent installations
- Deploy mobile device management (MDM) to restrict Terminal access and monitor process termination loops on managed Macs
- Cross-check cryptocurrency wallet and credential storage for unauthorized access; reset passwords for any affected accounts
4. TELEPUZ and OkoBot Malware Campaigns Actively Spreading
Severity: HIGH Affected: technology
Cybersecurity researchers have identified a new modular malware called TELEPUZ spreading via websites infected with ClickFix lures since late April 2026 [1]. Elastic Security Labs researcher Cyril François characterized the malware as “full-featured, lightweight, and modular” [1]. Separately, a new malicious framework called OkoBot is delivering more than 20 payloads in attacks focused on stealing cryptocurrency wallet seed phrases, credentials, and other sensitive data [2]. Both campaigns leverage social engineering and click-based exploitation to establish initial compromise, lowering the attacker barrier and increasing infection likelihood across less technically sophisticated users.
Sources:[1] The Hacker News[2] BleepingComputer
Recommended Action
- Deploy web filtering and sandboxing to detect ClickFix-themed sites and prevent user interaction
- Conduct user awareness training on fake technical support lures and malware delivery via pasted commands or downloads
- Monitor for TELEPUZ and OkoBot indicators of compromise (IOCs) and apply network-based detection signatures
5. Five CVEs Added to CISA KEV Catalog; Exploitation Underway
Severity: HIGH Affected: government
CISA added five vulnerabilities to its Known Exploited Vulnerabilities catalog, signaling confirmed active exploitation in the wild. CVE-2026-46817 affects Oracle E-Business Suite with improper privilege management, allowing unauthenticated network access to compromise Oracle Payments [1]. CVE-2026-56155 (Microsoft Active Directory Federation Services insufficient access control) and CVE-2026-56164 (Microsoft SharePoint missing authentication) enable privilege escalation over a network [3][4]. CVE-2026-15409 (SonicWall SMA1000 server-side request forgery) permits remote unauthenticated attacks [5]. CVE-2023-4346 affects KNX Protocol with an overly restrictive account lockout mechanism [2]. All carry federal remediation deadlines of July 17–29, 2026.
Sources:[1] CISA KEV[2] CISA KEV[3] CISA KEV[4] CISA KEV[5] CISA KEV
Recommended Action
- Immediately verify whether CVE-2026-56164 (SharePoint) or CVE-2026-56155 (Active Directory Federation Services) affect your environment and prioritize patching before July 17–28 deadlines
- Patch Oracle E-Business Suite (CVE-2026-46817) and SonicWall SMA1000 appliances (CVE-2026-15409) urgently to prevent unauthorized privilege escalation and lateral movement
- Review CISA’s full KEV catalog daily and cross-reference with your asset inventory to track remediation progress
Today’s Action Checklist
- ☐ URGENT: Cross-reference the five new CISA KEV CVEs (CVE-2026-46817, CVE-2026-56155, CVE-2026-56164, CVE-2026-15409, CVE-2023-4346) against your environment and begin remediation immediately.
- ☐ URGENT: Test and deploy Microsoft’s 570-CVE patch bundle, prioritizing CISA KEV and critical-severity flaws; allocate additional patching resources to manage volume.
- ☐ Alert macOS user base to avoid pasting Terminal commands from untrusted sources and watch for unexpected application termination loops or credential prompts.
- ☐ Review web filtering and endpoint detection rules for ClickFix, TELEPUZ, and OkoBot indicators; test sandboxing of suspicious websites.
- ☐ Conduct brief security awareness reminder to all staff on social engineering vectors (fake support, ClickFix, app-killing malware) and reporting procedures.