Quick Takeaways
- Threat actors increasingly exploited public-facing applications and AI vulnerabilities, notably through Exploit Public-Facing Application (T1190), and targeted identity platforms such as Microsoft Entra ID with sophisticated phishing and token-theft tactics.
- Ransomware-related listings doubled, with threat actors employing zero-day exploits (e.g., in Microsoft Defender) and evasion techniques such as blocking security processes to bypass defenses.
- Defense strategies must shift to behavior-based detection, emphasizing memory injection, abnormal session activities, and supply chain verification, especially for identity management and public-facing assets.
Threats, Attack Techniques, and Targets
The second quarter of 2026 saw a rise in cyber attacks targeting public assets, identities, and AI systems. The number of known exploited vulnerabilities (KEV) listings increased by 27%, reaching 75. The main targets included web and server applications, endpoints, network perimeter devices, and remote management tools. Threat actors also focused on vulnerabilities related to AI and supply chain security.
One common attack method was Exploit Public-Facing Application (T1190). Attackers exploited vulnerabilities in products including SimpleHelp, Check Point, Ivanti Sentry, Oracle PeopleSoft, Cisco, and Splunk. Against identities they used OAuth device code phishing, adversary-in-the-middle (AiTM) attacks, and token or session theft; threat actors also targeted Microsoft Entra ID and applied phishing-as-a-service (PhaaS) schemes. The listings also included zero-day vulnerabilities in Microsoft Defender and other techniques for hiding malware from defenses. AI systems faced new challenges, including data exfiltration from M365 Copilot and prompt injection cases that led to remote code execution. Supply chain attacks, such as OpenClaw and ClawHub, persisted.
Impact, Security Implications, and Remediation Guidance
These attack trends highlight serious security risks. Successful exploits can lead to data theft, unauthorized access, and disruption of services. For example, the share of ransomware-related listings increased from 8.5% to 16.0%, showing a growing threat to organizations’ critical data. Evasion techniques, such as blocking security processes, make detection harder. AI systems are especially vulnerable to injection and supply chain attacks.
To reduce risk, organizations should shift security focus. Moving from signature detection to behavior-based detection is vital. Monitoring behaviors like memory injection, telemetry disconnection, and abnormal session activity can help. Protecting identities requires short-lived tokens, multi-factor authentication at gateways, and conditional access policies. Human oversight and verification are important for high-risk AI operations.
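Two of the behaviors named above, abnormal session activity and telemetry disconnection, can be expressed as simple checks over sign-in and EDR heartbeat telemetry. The following is an added example, not code from the report or any vendor: the event schema, field names, thresholds, and all sample records are constructed assumptions. The session check flags a token that is reused from a different source IP or client within a short window of its last legitimate use, which is the footprint that AiTM and session-theft leave behind; the heartbeat check flags endpoints whose EDR agent stops reporting.

```python
"""Added example (not from the report): two behaviour-based checks over
constructed telemetry. Field names, thresholds and records are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


# Constructed sign-in/session events with a hypothetical schema. Session S1
# shows a token replayed from a new IP and a scripted client two minutes
# after the legitimate browser last used it; session S2 is normal.
SAMPLE_EVENTS = [
    {"ts": "2026-05-04T09:00:00Z", "user": "alice", "session": "S1",
     "ip": "198.51.100.10", "ua": "Edge/124", "action": "signin"},
    {"ts": "2026-05-04T09:05:00Z", "user": "alice", "session": "S1",
     "ip": "198.51.100.10", "ua": "Edge/124", "action": "mail.read"},
    {"ts": "2026-05-04T09:07:00Z", "user": "alice", "session": "S1",
     "ip": "203.0.113.77", "ua": "python-requests/2.31", "action": "mail.read"},
    {"ts": "2026-05-04T10:00:00Z", "user": "bob", "session": "S2",
     "ip": "192.0.2.5", "ua": "Chrome/125", "action": "signin"},
    {"ts": "2026-05-04T10:30:00Z", "user": "bob", "session": "S2",
     "ip": "192.0.2.5", "ua": "Chrome/125", "action": "files.list"},
]


def detect_session_anomalies(events, window=timedelta(minutes=30)):
    """Flag a session token used from a new IP or user agent shortly after
    its previous use. Returns a list of finding dicts."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)
    findings = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        for prev, cur in zip(evs, evs[1:]):
            gap = parse_ts(cur["ts"]) - parse_ts(prev["ts"])
            if gap > window:
                continue  # slow changes (new day, new network) are not replay
            reasons = []
            if cur["ip"] != prev["ip"]:
                reasons.append(f"ip {prev['ip']} -> {cur['ip']}")
            if cur["ua"] != prev["ua"]:
                reasons.append(f"ua {prev['ua']} -> {cur['ua']}")
            if reasons:
                findings.append({
                    "session": sid, "user": cur["user"], "ts": cur["ts"],
                    "gap_s": int(gap.total_seconds()),
                    # IP alone can be mobile roaming; IP plus client changing
                    # at once is a much stronger replay signal.
                    "severity": "high" if len(reasons) == 2 else "medium",
                    "reasons": reasons,
                })
    return findings


# Constructed EDR heartbeat records (host, timestamp). ws-01 falls silent
# for 55 minutes; ws-02 reports every 5 minutes.
SAMPLE_HEARTBEATS = [
    ("ws-01", "2026-05-04T09:00:00Z"), ("ws-01", "2026-05-04T09:05:00Z"),
    ("ws-01", "2026-05-04T09:10:00Z"), ("ws-01", "2026-05-04T09:15:00Z"),
    ("ws-01", "2026-05-04T09:20:00Z"), ("ws-01", "2026-05-04T10:15:00Z"),
    ("ws-02", "2026-05-04T09:00:00Z"), ("ws-02", "2026-05-04T09:05:00Z"),
    ("ws-02", "2026-05-04T09:10:00Z"), ("ws-02", "2026-05-04T09:15:00Z"),
]


def detect_telemetry_gaps(heartbeats, max_gap=timedelta(minutes=15), now=None):
    """Return (host, last_seen, next_seen, gap_seconds) for every interval
    longer than max_gap. Pass `now` to also flag hosts silent up to now."""
    by_host = defaultdict(list)
    for host, ts in heartbeats:
        by_host[host].append(parse_ts(ts))
    gaps = []
    for host, times in by_host.items():
        times.sort()
        if now is not None:
            times = times + [now]
        for a, b in zip(times, times[1:]):
            if b - a > max_gap:
                gaps.append((host, a.isoformat(), b.isoformat(),
                             int((b - a).total_seconds())))
    return gaps


if __name__ == "__main__":
    for f in detect_session_anomalies(SAMPLE_EVENTS):
        print("SESSION", f)
    for g in detect_telemetry_gaps(SAMPLE_HEARTBEATS):
        print("TELEMETRY GAP", g)
```

In production the same logic would key on the sign-in log's session or token identifier and on the EDR console's last-check-in field; the thresholds (30-minute replay window, 15-minute heartbeat gap) are starting points to tune against each environment's baseline.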
Security teams should assess public-facing applications and perimeter devices against the Known Exploited Vulnerabilities (KEV) catalog and EPSS exploitation scores. They should also verify that existing endpoint detection and response (EDR) or extended detection and response (XDR) tools cover the relevant attack techniques. Lastly, organizations should review their logs and alerting for better detection. Where needed, remediation guidance should be obtained from the relevant vendor or authority.
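One way to turn the KEV-and-EPSS guidance into a repeatable triage pass is shown below. This is an added example, not the report's or any vendor's tooling; the asset inventory is constructed and the CVE identifiers are obvious placeholders. KEV membership is treated as hard evidence of in-the-wild exploitation and therefore outranks any probabilistic score; internet exposure comes next; EPSS breaks remaining ties and decides which non-KEV findings are worth scheduling.

```python
"""Added example (not from the report): rank constructed vulnerability
findings by KEV membership, internet exposure and EPSS score."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str             # placeholder identifier in the sample data
    internet_facing: bool
    in_kev: bool         # listed in the CISA Known Exploited Vulnerabilities catalog
    epss: float          # EPSS probability of exploitation, 0.0 to 1.0


# Constructed inventory. CVE-0000-000x are placeholders, not real CVE IDs.
SAMPLE_FINDINGS = [
    Finding("vpn-gw-01", "CVE-0000-0001", True, True, 0.91),
    Finding("hr-app-02", "CVE-0000-0002", True, False, 0.42),
    Finding("build-srv", "CVE-0000-0003", False, True, 0.05),
    Finding("intranet-wiki", "CVE-0000-0004", False, False, 0.03),
    Finding("file-srv", "CVE-0000-0005", False, False, 0.22),
]


def priority_key(f):
    # KEV beats exposure beats EPSS; sorting the tuple descending puts the
    # most urgent finding first.
    return (f.in_kev, f.internet_facing, f.epss)


def triage(findings, epss_threshold=0.10):
    """Split findings into act_now / schedule / monitor, each ordered by priority.

    act_now : KEV-listed and reachable from the internet
    schedule: KEV-listed but internal, or EPSS at/above the threshold
    monitor : everything else, re-checked when KEV or EPSS changes
    """
    act_now, schedule, monitor = [], [], []
    for f in sorted(findings, key=priority_key, reverse=True):
        if f.in_kev and f.internet_facing:
            act_now.append(f)
        elif f.in_kev or f.epss >= epss_threshold:
            schedule.append(f)
        else:
            monitor.append(f)
    return act_now, schedule, monitor


def report(findings):
    """Render the triage result as fixed-width text lines."""
    lines = []
    for bucket, items in zip(("ACT NOW", "SCHEDULE", "MONITOR"), triage(findings)):
        for f in items:
            lines.append(f"{bucket:9} {f.asset:14} {f.cve}  kev={f.in_kev!s:5} "
                         f"public={f.internet_facing!s:5} epss={f.epss:.2f}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_FINDINGS)))
```

In practice the `in_kev` and `epss` fields are populated from the published KEV catalog and EPSS feed rather than typed by hand, and the threshold is adjusted to the team's patching capacity; the ordering rule is what matters.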