June 14, 2026 by sig9

Hacker Wars - June 14, 2026


Your daily dose of infosec chaos


Grab your coffee and settle in, because the threat actors did not take the weekend off. Today we have AI models getting yanked offline by government order, a decade-long espionage campaign hiding inside authentication infrastructure, a critical Splunk RCE that scores 9.8, and a cautionary tale about what happens when you fire your IT guy and forget to revoke his access.


Anthropic Pulls Fable 5 and Mythos 5 Offline After US Government Export Order

Anthropic abruptly disabled its two most advanced models, Fable 5 and Mythos 5, for all users worldwide after the US government ordered it to block foreign national access, citing national security concerns. The company complied but publicly disputed the basis, calling the cited jailbreak “narrow” and the capability “widely available elsewhere.” This is the first time an AI company has been forced to pull a production model under export control pressure, and it sets a messy precedent for the entire industry.

What to do: If your workflows depend on frontier AI models, build in fallback options. Single-provider dependency is now a compliance risk, not just a vendor lock-in concern.


Chinese Hackers Hijack Auth Flow, Spy on Isolated Network for a Decade

A Chinese threat actor compromised an organization’s authentication stack and maintained persistent access for 10 full years, giving them complete visibility into administrative activity on what was supposed to be an isolated network. Ten years. That is not an APT, that is a subscription. The attackers embedded themselves so deeply in the auth infrastructure that they could observe every admin action without triggering alerts, because they had effectively become part of the authentication mechanism itself.

What to do: Audit your authentication infrastructure for integrity, not just access. Implement hardware-backed attestation for critical auth components and run periodic out-of-band verification that your auth stack is actually doing what you think it is doing.


Critical Splunk Enterprise Flaw Lets Attackers Run Code Without Authentication

Splunk patched CVE-2026-20253, a CVSS 9.8 vulnerability in Splunk Enterprise that allows unauthenticated attackers to perform file operations and achieve remote code execution. The flaw affects the REST API and does not require any credentials to exploit, which means every internet-facing Splunk instance is essentially a sitting duck until patched. If you are running Splunk in a SOC or as a log aggregator, this one should be keeping you up tonight.

What to do: Patch Splunk Enterprise immediately. If you cannot patch right now, restrict REST API access to trusted networks and review whether your Splunk instance is exposed to the internet. Spoiler: it probably is.


Ex-School District Employee Jailed for Hacks on Former Employer

A former IT employee at an Iowa school district was sentenced to 21 months in prison after conducting a prolonged cyberattack against his former employer that disrupted classroom operations, deleted accounts, and caused tens of thousands in damages. The attacks started after his employment ended, because apparently nobody thought to disable his credentials or remove his access. This is not a sophisticated threat actor story. This is a basic offboarding failure that turned into a criminal case.

What to do: When someone leaves, revoke everything, immediately. Not after the exit interview. Not at end of day. Right now. Automate deprovisioning and audit your offboarding process before a disgruntled ex-employee does it for you.


That’s the chaos for today. Stay sharp out there.


Brought to you by sig9 - sig9.ch | Protecting the unseen, securing the unknown
