
Meta’s recovery plan needed recovery.
Meta exposes 20,000 Instagram accounts through a support tool bug. CISA warns of active attacks on SolarWinds Serv-U. WordPress sites face takeover through a widely used plugin. A new Gafgyt variant broadens its reach. Pink extortionists steal cloud data with vishing and legitimate tools. Plus, allegations against IBM and AT&T, a dark web drug dealer gets 26 years, and the Monday business brief. Tim Starks from CyberScoop discusses the ongoing debate over staffing and budget cuts at CISA. NATO lets Ukraine play the bad guy.
Today is Monday, June 8th, 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Meta bug in AI support tool exposed more than 20,000 Instagram accounts.
Meta says a flaw tied to its AI-powered account recovery system allowed unauthorized actors to take over thousands of Instagram accounts.
The issue involved Meta’s High Touch Support tool, which helps locked-out users regain access. According to Meta, the tool functioned as intended, but a separate bug failed to verify that a password reset request matched the account’s registered email address. As a result, password reset links were sent to unassociated email addresses. Meta reported that 20,225 Instagram users were affected. Exposed information may have included contact details, profile data, messages, photos, videos, stories, and account activity.
Account recovery systems can become attractive attack targets when verification controls fail. Users without two-factor authentication were especially vulnerable. Meta has disabled the affected tool, invalidated reset links, and is reviewing similar recovery processes across its platforms.
Separately, Meta is asking a federal judge to hold NSO Group in contempt of court, alleging the spyware vendor continued targeting WhatsApp users despite a permanent injunction prohibiting it from doing so.
According to Meta, investigators disrupted NSO-linked social engineering activity that attempted to lure users to malicious websites outside WhatsApp through phishing-style links. The company also reported the creation of test accounts and groups on the platform and released indicators of compromise tied to the campaign. Meta did not disclose when the activity occurred, how many users were targeted, or whether any compromises were successful.
The allegations raise questions about the effectiveness of legal restrictions against commercial spyware vendors. Meta argues that continued activity would represent a direct violation of a court order issued after its earlier legal victory against NSO over Pegasus-related attacks.
CISA warns of active exploitation of SolarWinds Serv-U denial-of-service flaw.
CISA has confirmed that attackers are actively exploiting a denial-of-service vulnerability in SolarWinds Serv-U file transfer servers and has directed federal civilian agencies to remediate it by June 19.
Tracked as CVE-2026-28318, the flaw allows remote, unauthenticated attackers to crash Serv-U services by sending specially crafted HTTP POST requests containing a deflate header. SolarWinds released a fix in Serv-U 15.5.4 Hotfix 1 and recommends patching immediately or blocking affected requests through a web application firewall.
Serv-U is widely used in regulated sectors where file transfer availability is critical. While the flaw enables service disruption rather than system takeover, denial-of-service attacks can interrupt operations and potentially divert defenders’ attention from other malicious activity.
Attackers exploit Everest Forms Pro flaw to take over WordPress sites.
A critical vulnerability in the Everest Forms Pro WordPress plugin has been actively exploited for months, allowing attackers to seize control of vulnerable websites.
Tracked as CVE-2026-3300, the flaw affects the plugin’s Complex Calculation feature and allows remote, unauthenticated attackers to inject and execute PHP code on a server. According to Defiant, attackers have used the bug to create administrator accounts and deploy web shells. The issue was patched in version 1.9.13 in March, but exploitation began in April. Defiant says it has blocked more than 29,000 attack attempts.
With more than 100,000 sites using Everest Forms, unpatched systems remain exposed to full site compromise. Defenders should update immediately and review administrator accounts for signs of unauthorized access.
New Gafgyt variant expands targeting and DDoS capabilities across multiple device types.
Researchers at Fortinet have identified C0XMO, a new variant of the Gafgyt botnet that targets DD-WRT routers and can spread across a wide range of internet-connected devices.
The malware supports multiple CPU architectures, including ARM, MIPS, PowerPC, and x86, and is delivered by exploiting CVE-2021-27137, an unauthenticated remote code execution flaw. Fortinet says C0XMO uses a modular design that allows operators to update exploits, expand targeting, and enhance lateral movement independently of the core payload. Once installed, it scans for vulnerable systems, brute-forces weak SSH and Telnet credentials, establishes persistence, and removes competing malware and tools.
The botnet is built primarily for distributed denial-of-service attacks and supports 19 attack methods. Fortinet notes that its architecture and feature set demonstrate a higher level of sophistication than earlier Gafgyt-based malware, highlighting the continued evolution of IoT botnet threats.
Pink extortion group steals cloud data through vishing and legitimate Microsoft tools.
Researchers have identified a new financially motivated cybercrime group called Pink, which is using voice phishing and stolen cloud credentials to conduct data theft and extortion campaigns.
According to Palo Alto Networks Unit 42, the group, tracked as CL-CRI-1147, launched a data leak site in late May and is believed to be connected to the broader Com network. Pink impersonates IT staff in phone calls and directs employees to credential-harvesting websites. Once access is obtained, the attackers use compromised Microsoft 365 accounts and built-in Microsoft tools to rapidly collect data from OneDrive and SharePoint. Victims then receive extortion demands through internal email and Microsoft Teams messages.
Gurucul reports that Pink also uses fileless techniques designed to evade detection and hide from security analysis tools. The group’s reliance on legitimate accounts and cloud services highlights the growing challenge of detecting identity-based attacks that avoid traditional malware.
Former IBM executive alleges security failures concealed nation-state intrusions.
A newly unsealed lawsuit accuses IBM and AT&T of failing to implement basic security controls and concealing evidence of nation-state intrusions into IBM cloud environments.
The allegations come from former IBM Vice President of Threat Intelligence William Barlow, who filed a False Claims Act lawsuit in 2020. According to the complaint, AT&T-managed VPN connections lacked logging, network segmentation was inadequate, and security monitoring gaps prevented investigators from fully assessing suspected intrusions linked to the Chinese threat group APT10. The lawsuit cites an internal report that identified more than 56,000 indicators of potential APT10 activity between 2013 and 2016 but said the activity could not be fully investigated because logs were unavailable.
The case highlights how missing visibility and monitoring can undermine incident response and leave organizations unable to determine the scope of a compromise. IBM disputes the allegations and notes that the U.S. Department of Justice declined to intervene in the case.
Dark web drug vendor sentenced to 26 years for sales on Nemesis Market.
A California man has been sentenced to more than 26 years in federal prison for trafficking fentanyl and methamphetamine through Nemesis Market, one of the world’s largest dark web marketplaces.
According to court documents, 39-year-old Darren Hughes operated a vendor account on Nemesis Market and used free methamphetamine samples to attract customers. Prosecutors said Hughes sold methamphetamine and fentanyl pills to an undercover law enforcement agent on multiple occasions in 2023 in exchange for cryptocurrency. When he was arrested in June 2023, authorities found approximately 672 grams of methamphetamine and a loaded ghost gun in his vehicle.
The case underscores law enforcement’s continued focus on dark web marketplaces and cryptocurrency-enabled drug trafficking. It also highlights the lasting impact of international operations that dismantled major criminal platforms such as Nemesis Market in 2024.
Monday business brief — AI and cybersecurity firms attract fresh funding as consolidation continues.
Investors continue pouring money into AI and cybersecurity, with several companies announcing new funding rounds and strategic acquisitions aimed at accelerating growth.
Observability platform Coralogix led the pack with a $200 million Series F round to expand its AI capabilities and enterprise reach. AI security startup Gray Swan raised $40 million to scale security for organizations deploying artificial intelligence, while AI governance company Geordie AI secured $30 million to support enterprise adoption of AI agents. Attack surface management provider MokN raised $15 million, and security compliance startup CRACI and biometrics firm Voxmind also announced new funding.
Meanwhile, consolidation in the sector continued. Industrial cybersecurity company Dragos acquired embedded device security specialist Phosphorus to expand protection across operational technology environments. Engineering firm Cyient also agreed to acquire AI-focused data engineering company TAO Digital Solutions.
The activity reflects continued demand for technologies that help organizations secure, govern, and operationalize AI at scale.
NATO lets Ukraine play the bad guy.
In a NATO exercise in Poland, the fictional nation of Perantsa suffered a very bad week. First came a cyberattack that knocked out the power grid. Then a flood. Then a banking crisis. Behind it all was the equally fictional state of Karti, which flooded social media with AI-generated messages blaming government incompetence and conveniently offering help.
The twist: Ukrainian officials played the role of the disinformation operators.
The three-day simulation, held at NATO’s Joint Analysis, Training and Education Centre in Bydgoszcz, tested how governments respond to the kind of information warfare Ukraine faces daily. Ukrainian participants launched coordinated influence campaigns while allied teams worked to maintain public trust and communicate during the crises. By most accounts, the Ukrainians were faster, more creative, and more adept with AI, though judges said their fictional propaganda effort lost points for narrative consistency.
The exercise reflects NATO’s growing effort to learn from Ukraine’s wartime experience. Officials say the collaboration improves alliance readiness and helps Ukraine build closer interoperability with NATO, even as membership remains distant. Participants also acknowledged a familiar reality: simulations can teach valuable lessons, but they struggle to capture the pressure, uncertainty, and emotional intensity of a real conflict.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s lead producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I’m Dave Bittner. Thanks for listening.
