ARTICLE
16 July 2026

Ankura CTIX FLASH Update – July 15, 2026

AC
Ankura Consulting Group LLC

Contributor

Ankura Consulting Group, LLC is an independent global expert services and advisory firm that delivers services and end-to-end solutions to help clients at critical inflection points related to conflict, crisis, performance, risk, strategy, and transformation. Ankura has more than 2,000 professionals serving 3,000+ clients across 55 countries. Collaborative lateral thinking, hard-earned experience, and multidisciplinary capabilities drive results and Ankura is unrivalled in its ability to assist clients to Protect, Create, and Recover ValueTM. For more information, please visit, ankura.com.
Ankura's content hub showcases critical insights spanning cybersecurity threats, financial services transformation, and global market dynamics. From AI-accelerated cyberattacks and ransomware evolution to IPO market shifts and regulatory compliance challenges, these analyses examine how organizations navigate an increasingly complex operational landscape shaped by technological disruption, geopolitical volatility, and regulatory pressure.
United States Strategy
Ankura Consulting Group LLC’s articles from Ankura Consulting Group LLC are most popular:
  • within Strategy topic(s)

Malware Activity

AI-Assisted Threat Actors Accelerate Active Directory and Cloud Attacks

Cybersecurity researchers have documented separate intrusions demonstrating how threat actors are increasingly using artificial intelligence as a force multiplier to accelerate established attack techniques rather than develop entirely novel capabilities. In an early June 2026 incident, an unknown attacker used pre-compromised credentials to establish RDP access to a domain-joined Windows Server and deployed an apparently AI-generated, or “vibe-coded,” PowerShell script to aggressively enumerate the Active Directory environment, collecting information on domain controllers, users, computers, groups, organizational units, and trusts before generating an HTML inventory report. The actor later used the legitimate s5cmd utility and SharpShares to identify accessible data repositories, staged the collected information in CSV files, archived it, and exfiltrated the data to a remote server. Huntress assessed that the script’s over-engineered fallback mechanisms, placeholder text, stylized output, and iterative title indicated extensive assistance from a large language model, allowing the attacker to prioritize speed and aggression over stealth. Separately, Sygnia investigated an AI-assisted attack against a large AWS environment that progressed from initial access to broad compromise in roughly 72 hours, as a financially motivated actor repeatedly used newly acquired credentials to conduct cloud enumeration, harvest secrets, establish persistence, abuse CI/CD pipelines, access databases, exfiltrate data, and disrupt operations. The attacker also denied access to S3 buckets, reduced ECS service capacity to zero, created network-blocking ACL rules, and purged SQS queues to increase pressure on the victim for extortion. Researchers emphasized that neither intrusion relied on novel malware nor zero-day vulnerabilities. Instead, AI significantly reduced the time and effort needed to chain familiar adversary behaviors across complex environments, enabling even less-skilled actors to conduct faster, broader, and potentially more damaging operations. CTIX analysts will continue to report on novel attack methods and malicious software.

Threat Actor Activity

Russian State Hackers Target Vulnerable Routers to Breach Critical Infrastructure

US and allied cybersecurity agencies warn that Russian state-sponsored hackers from FSB Center 16 (Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly, Ghost Blizzard, Static Tundra) are systematically targeting vulnerable and poorly configured routers and other networking devices to infiltrate critical infrastructure worldwide. The actors scan internet-facing IP ranges for devices using default or weak SNMP credentials, then send SNMP set-requests, often via spoofed IPs, to copy configuration files and exfiltrate them over TFTP or FTP to attacker-controlled servers. They also exploit known Cisco flaws, including CVE-2018-0171 in Smart Install, to gain arbitrary code and command execution. Sectors reported to be at the highest risk include energy, communications, defense industrial base, healthcare, financial services, and government. The advisory follows the disruption of FrostArmada, a separate APT28 campaign that hijacked DNS settings on 18,000 MikroTik and TP-Link SOHO routers to steal Microsoft 365 credentials and OAuth tokens. CTIX Analysts recommend that defenders at high-risk organizations disable Cisco Smart Install, move to SNMPv3, enforce strong unique passwords, block SNMP/TFTP at edge firewalls, restrict management protocols, keep firmware patched, and replace end-of-life devices to reduce exposure.

Vulnerabilities

Microsoft-Signed Legacy UEFI Bootloaders Enable Secure Boot Bypass and Persistent Bootkit Attacks

Cybersecurity researchers at ESET have identified eleven (11) outdated, Microsoft-signed UEFI shim bootloaders that attackers could abuse to bypass Secure Boot and execute malicious code before the operating system or endpoint security tools initialize. The vulnerable applications, primarily based on shim version 0.9 or earlier, remain trusted on UEFI systems that recognize Microsoft’s legacy “Microsoft Corporation UEFI CA 2011” certificate and can be used in a bring-your-own-vulnerable-driver (BYOVD)-style attack to deploy persistent UEFI bootkits such as Bootkitty, HybridPetya, or BlackLotus. An attacker with administrative privileges or the ability to modify the boot process could replace a current shim with an older, still-trusted Microsoft-signed version, bypass Machine Owner Key (MOK) denylist enforcement and Secure Boot Advanced Targeting (SBAT) protections and execute arbitrary code during the early boot phase. This pre-OS execution can establish deeply entrenched persistence capable of surviving system reboots, and, in some cases, operating system reinstalls while also evading endpoint detection and response (EDR) tools. The issues, tracked as CVE-2026-8863 and CVE-2026-10797, stem largely from vulnerable vendor-specific bootloaders remaining signed and trusted long after flaws in the upstream shim project were publicly disclosed and fixed, creating a long-term software supply chain exposure. Microsoft revoked the affected bootloaders as part of its June 2026 Patch Tuesday updates, but researchers warn that the expiration of the legacy 2011 UEFI CA certificate alone does not prevent previously signed binaries from executing unless they are explicitly revoked, highlighting how old but trusted components can undermine Secure Boot without requiring attackers to exploit a newly discovered vulnerability. CTIX analysts strongly urge supply chain Microsoft administrators to ensure they have implemented the most recent patches and conduct internal investigations to ensure there hasn’t already been a compromise.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More