
Critical VPN Exploitation, WhatsApp Phishing Dispute, Instagram Accounts Hijacked

Brad Slavin, General Manager

Quick Answer

The biggest cybersecurity stories this week include a critical Check Point VPN zero-day exploited by ransomware actors, WhatsApp phishing attacks linked to NSO Group, Instagram account hijacks via Meta's AI chatbot, and rising threats from infostealers, AI scams, and phishing campaigns.

Here’s your weekly roundup of the most significant cybersecurity developments from the past seven days. From a critical VPN flaw being weaponized by ransomware gangs to a rogue AI chatbot handing Instagram accounts to hackers, this week was packed with high-impact incidents and urgent warnings.

Critical Check Point VPN Zero-Day Exploited by Qilin Ransomware Gang

Check Point published a security advisory on June 8 for CVE-2026-50751, a critical authentication bypass vulnerability with a CVSS score of 9.3 that affects Check Point Remote Access VPN and Mobile Access deployments configured to use the deprecated IKEv1 key exchange protocol. The attacks began on May 7, surged in early June, and have affected “a few dozen” organizations worldwide, with at least one incident linked to the Qilin ransomware operation.

Check Point estimates that the threat actor behind this vulnerability is also exploiting VPN vulnerabilities in products from other vendors, including Palo Alto Networks, Fortinet, and F5. Organizations using affected versions should apply hotfixes immediately or switch to IKEv2 as a mitigation measure.

This is a timely reminder that keeping legacy protocol configurations in production environments creates dangerous attack surfaces — and that DMARC, SPF, and DKIM controls reduce the phishing and spoofing vectors that ransomware actors frequently combine with initial access exploits.

Meta Files Contempt of Court Order Against NSO Group for Fresh WhatsApp Phishing Attacks

Meta-owned WhatsApp says it recently detected and disrupted a spear-phishing attempt linked to spyware company NSO Group, allegedly in defiance of a court order that bars the spyware maker from targeting WhatsApp.

Meta claims it disrupted spear-phishing attempts linked to NSO Group and is asking a US federal court to hold the spyware vendor in contempt for allegedly violating an injunction that bars it from targeting WhatsApp users. “We successfully disrupted NSO-linked social engineering attempts after investigating user reports,” Meta stated. “They tried to trick people into clicking on malicious links to drive them to external websites outside of WhatsApp, similar to previously reported 1-click phishing campaigns linked to NSO.”

This follows a timeline that includes a May 2025 jury award of $167.3 million in punitive damages and $444,719 in compensatory damages against NSO Group, and an October 2025 permanent injunction barring NSO from ever targeting WhatsApp again.

Hackers Hijack High-Profile Instagram Accounts by Tricking Meta’s Own AI Chatbot

Hackers took over high-profile Instagram accounts worth over $500,000 by tricking Meta’s AI support chatbot, which let them change account details without checking who they really were. No password cracking was needed: the entire attack reportedly took just a few minutes using a simple, convincingly worded message to Meta’s own support assistant.

Using AI-generated facial verification, the attackers bypassed safeguards including multi-factor authentication to convince the automated system they were the rightful account owners. Without any human escalation path, victims found themselves stuck in chatbot loops with no way to reclaim their accounts.

This incident is a sobering warning: AI-powered support systems without proper human oversight and guardrails can become the easiest entry point into any platform.

Instagram Password Reset Bug Leaked Users’ Full Email Addresses and Phone Numbers

A critical logic flaw in Instagram’s web-based account recovery workflow exposed unredacted user contact information — including full email addresses and phone numbers — before Meta rapidly patched it on June 6, 2026. The vulnerability allowed any unauthenticated user to initiate a standard recovery request for a target username and receive sensitive account identifiers in cleartext rather than the intended partially masked format.

Threat actors could leverage harvested email addresses and phone numbers for phishing campaigns, credential stuffing, SIM-swapping attacks, or broader identity correlation across platforms. This was the second major Instagram security lapse of the week, occurring just days after the AI chatbot hijacking incident.

Dashlane Password Manager Hacked — Encrypted Vaults Stolen via 2FA Brute-Force

Password manager Dashlane published a detailed post-incident advisory after a threat actor successfully brute-forced two-factor authentication protections and downloaded encrypted vaults belonging to fewer than 20 personal plan users between May 31 and June 4, 2026. The attacker’s objective was to bypass 2FA verification by flooding device registration API endpoints with a high volume of requests, systematically guessing valid 6-digit one-time tokens.

Dashlane confirmed that the encryption stack using Argon2 + AES-256-CBC + HMAC-SHA256 makes brute-forcing the Master Password statistically infeasible, and there is no evidence that Dashlane’s internal infrastructure was compromised. Nevertheless, the incident highlights how attackers can exploit peripheral authentication flows even when core encryption holds firm.
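A 6-digit token has only one million possible values, so its strength depends on how many guesses the verification endpoint will accept per account. The Python below is an added example, not Dashlane's code or its fix: the class and function names, the 5-failure budget, the 15-minute lockout and the 100 requests/second replay rate are all assumptions chosen to show how a per-account cap changes the outcome of the kind of flood described above.

```python
import hmac
from collections import defaultdict

CODE_SPACE = 10 ** 6        # 6-digit tokens, as in the incident description
MAX_FAILURES = 5            # assumed policy: failed guesses allowed per account
LOCKOUT_SECONDS = 900       # assumed policy: lockout once the budget is spent


class OtpAttemptLimiter:
    """Caps failed OTP guesses per account, regardless of source IP or device."""

    def __init__(self, max_failures=MAX_FAILURES, lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.lockout = lockout
        self.failures = defaultdict(int)   # account -> failures in current budget
        self.locked_until = {}             # account -> time the lock expires

    def verify(self, account, submitted, expected, now):
        """Return 'ok', 'bad_code' or 'locked' for one verification request."""
        if self.locked_until.get(account, 0) > now:
            return "locked"                # no comparison at all while locked
        if hmac.compare_digest(submitted, expected):
            self.failures.pop(account, None)
            return "ok"
        self.failures[account] += 1
        if self.failures[account] >= self.max_failures:
            self.locked_until[account] = now + self.lockout
            self.failures[account] = 0
        return "bad_code"


def guess_success_probability(attempts, code_space=CODE_SPACE):
    """Chance that `attempts` distinct guesses hit one fixed code."""
    return min(attempts, code_space) / code_space


def simulate_flood(limiter, account, expected, requests, start=0.0, rate=100.0):
    """Replay sequential guesses 000000, 000001, ... at `rate` requests/second.
    Returns (codes_actually_tested, guess_succeeded)."""
    tested = 0
    for i in range(requests):
        result = limiter.verify(account, f"{i:06d}", expected, start + i / rate)
        if result == "ok":
            return tested + 1, True
        if result == "bad_code":
            tested += 1
    return tested, False
```

With the constructed token `042917` and 50,000 replayed requests, an endpoint with no effective cap is guessed on request 42,918, while the capped one tests only five codes before every further request is rejected unread.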

China-Linked Cybercrime Group TA4922 Expands Phishing Attacks Into Europe and Africa

A new Chinese-speaking cybercrime group has expanded its reach from East Asia into Europe and Africa, while rapidly overhauling the malware it uses to break into corporate networks. According to new analysis from Proofpoint, the actor tracked as TA4922 is financially motivated and focused on gaining remote access to victim systems for data theft, fraud, and the resale of access. Historically concentrated on Japan, the group also targets organizations in Taiwan, Korea, Singapore, and India — and in recent months, its campaigns have reached the UK, Germany, Italy, and South Africa.

Notable tactics include attempts to move conversations from emails to out-of-band communication channels like LINE, WhatsApp, and Microsoft Teams, allowing the attackers to bypass enterprise security controls and steal data or deliver malware. The group’s evolving malware arsenal includes Atlas RAT, RomulusLoader, SilentRunLoader, and variants of ValleyRAT.

Cisco Unified Communications Manager Flaw Lets Unauthenticated Attackers Gain Root Access

Cisco has patched a bug in Unified Communications Manager that lets an unauthenticated attacker on the network write files to the system and, from there, climb to root. It is tracked as CVE-2026-20230, and proof-of-concept exploit code is already public.

The flaw allows any attacker with network access to write arbitrary files to the underlying operating system and then escalate to full root control, potentially taking over enterprise telephony infrastructure without ever presenting a valid credential. The vulnerability sits inside the Cisco WebDialer Web Service, a browser-based click-to-dial component. Organizations running Unified CM should upgrade to version 14SU6 immediately, or disable the WebDialer service as an interim measure.

Cisco Catalyst SD-WAN Manager Carries Unpatched Command-Injection Flaw — No Fix Yet

On the heels of the Unified CM disclosure, Cisco disclosed another high-severity flaw in Catalyst SD-WAN Manager tracked as CVE-2026-20245, with a CVSS score of 7.8, that can allow arbitrary command execution as root — with no patch yet available. The back-to-back Cisco disclosures in the same week highlight ongoing risks in enterprise network communication platforms and the urgency of monitoring Cisco’s PSIRT advisories closely.

Free Smart TV Apps Are Secretly Enrolling Millions of Devices Into AI Web-Scraping Proxy Networks

Free apps available on Samsung, LG, Roku, and other major smart TV platforms have been quietly enrolling millions of living room devices into a web-scraping proxy network. The most significant platform involved is PlayWorks Digital, which builds casual games and interactive content baked into TV ecosystems, reaching an estimated 250 million smart TV homes through partnerships with Samsung, LG, Vizio, Roku, Comcast, Cox, and Sky.

While the SDK vendor claims consent is obtained through an opt-in screen, security experts note the consent terms are not meaningfully clear to most users. Smart TVs, which remain connected around the clock and are rarely monitored the way phones or PCs are, represent an attractive and largely invisible proxy pool for data harvesting operations.

Pirated PC Games Delivering Password-Stealing Malware to 400,000+ Devices Worldwide

Cybercriminals are hiding malware in cracked and repacked games, infecting more than 400,000 devices worldwide. At the time of writing, this loader is trying to deliver an infostealer called ARC, which can grab saved browser passwords, cookies, cryptocurrency wallets, autofill data, system details, and clipboard contents.

Other payloads being dropped include Rhadamanthys stealer, Async Remote Access Trojan, and Backdoor.XWorm, which can expand the damage from credential theft to full remote control of the machine — meaning account takeovers, financial fraud, crypto theft, and deeper compromise of personal or work data. The lesson is clear: “free” cracked software is one of the most reliable delivery mechanisms for malware, not a bargain.

FBI: Americans Lost Nearly $900 Million to AI-Powered Scams in 2025

Deepfakes, voice cloning, and other AI-powered scams cost Americans nearly $900 million in 2025, according to the 2025 FBI Internet Crime Report. The staggering figure reflects the accelerating role of generative AI in enabling convincing fraud at scale — from fake executive voice calls demanding wire transfers to deepfake video calls impersonating family members in distress.

This trend reinforces why organizations must train employees to verify requests through a second, trusted channel — regardless of how authentic the voice, face, or email may appear.

Infostealers Are Now the Go-To Phishing Payload, Surpassing Traditional Malware

Cybercriminals prefer infostealers to traditional phishing techniques because they reduce friction, scale well, and are widely available. Unlike ransomware, which announces itself loudly, infostealers operate silently — harvesting browser credentials, session cookies, crypto wallets, and corporate login tokens and exfiltrating them before the victim ever notices.

Security researchers note that the rise of infostealer-as-a-service platforms on the dark web has dramatically lowered the barrier to entry for cybercriminals, making credential theft the entry point of choice for subsequent ransomware deployment, business email compromise, and account takeover attacks.

Thousands of Legitimate Websites Hijacked in Massive ClickFix and FakeUpdate Campaign

A large-scale hacking campaign has compromised thousands of legitimate websites, silently redirecting visitors to malicious pages. Victims encounter fake ClickFix prompts that trick them into running malicious commands, or fake browser update pages that deliver malware disguised as routine updates.

The ClickFix technique is particularly insidious because it exploits user trust — a legitimate-looking website presents an error message with a “fix,” asking the visitor to copy and paste a command into their system. The command then silently installs an infostealer or backdoor.

Meta’s AI Support Bot Flaw Exploited — A Warning for Businesses Deploying AI Customer Support

The Meta AI chatbot incident this week (see #3 above) has broader implications beyond Instagram. Meta patched the vulnerability in early June 2026 but hasn’t revealed how many accounts were compromised. Businesses rushing to deploy AI-powered customer support tools — whether for account recovery, password resets, or identity verification — must ensure these systems include mandatory human escalation paths, audit logging, and robust identity verification that cannot be fooled by social engineering alone.

The risk is not just theoretical: AI support bots that can modify accounts represent an entirely new attack surface that most security frameworks have not yet accounted for.

Check Point Also Discloses Second VPN Vulnerability — CVE-2026-50752 Enables Man-in-the-Middle Attacks

Beyond the critical zero-day (see #1 above), Check Point also identified a second vulnerability, CVE-2026-50752, related to certificate validation in IKEv1, which could be used in man-in-the-middle attacks on site-to-site VPNs, though no exploitation has been confirmed in the wild for this second flaw.

The double disclosure in a single week from a major security vendor underscores how legacy protocol support — particularly the aging IKEv1 — continues to create compounding risk for enterprise environments. Security teams should treat both CVEs as urgent priorities and review all VPN configurations for deprecated protocols.

Brad Slavin

Founder and General Manager of DuoCircle. Product strategy and commercial lead for DMARC Report's 2,000+ customer base.
