Cleartext – June 08, 2026
Monday, June 8, 2026·10:49
Daily cybersecurity briefing for CISOs and security leaders.
Episode Summary
Today's episode covers 10 stories across 5 topic areas, including: VerdantBamboo Deploys BSD Variant of BRICKSTORM on Linux Appliances; Russia upgrades rules for its digital spy system to better track citizens online; Risky Bulletin: RubyGems adds dependency cooldowns to counter supply chain attacks.
Stories Covered
🌍 Geopolitical
VerdantBamboo Deploys BSD Variant of BRICKSTORM on Linux Appliances
The Hacker News · Jun 08 · Relevance: ████████░░ 8/10
Why it matters to CISOs: A China-nexus espionage cluster (VerdantBamboo/Clay Typhoon) is actively expanding its Linux and BSD malware toolkit against enterprise network appliances, representing a persistent and evolving threat to the network edge that CISOs must account for in their threat models.
- VerdantBamboo, attributed to China-nexus operations and overlapping with Clay Typhoon (Microsoft), is deploying a new BSD variant of BRICKSTORM malware alongside PLENET and AGENTPSD on Linux appliances
- Research published by Volexity highlights the group's expanding cross-platform capabilities targeting enterprise infrastructure
- The campaign underscores continued Chinese state-affiliated targeting of network edge devices as persistent access footholds
Russia upgrades rules for its digital spy system to better track citizens online
The Record (Recorded Future) · Jun 08 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: Russia's updated SORM technical standards expand state surveillance capabilities, directly impacting multinationals with Russian operations and raising data sovereignty and employee privacy risks that legal and security teams must jointly assess.
- Russia's Ministry of Digital Development published updated technical standards for SORM (System for Operative Investigative Activities) at the end of May 2026
- The upgraded rules expand the technical capabilities of Russia's state-mandated digital surveillance infrastructure
- Enterprises with Russian operations or employees face heightened data interception risks and compliance complexity
📡 Macro Trends
Risky Bulletin: RubyGems adds dependency cooldowns to counter supply chain attacks
Risky Business News · Jun 08 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: This bulletin bundles several high-signal items for CISOs: IBM/AT&T hidden-hack allegations, a new Cisco SD-WAN zero-day warning, Google security team layoffs, and a supply chain defense measure from RubyGems — providing efficient situational awareness across multiple risk domains.
- RubyGems is implementing dependency cooldowns as a defensive measure against software supply chain attacks
- Cisco has warned of a new SD-WAN zero-day vulnerability
- Google layoffs are reported to have affected security teams, raising questions about security posture at a major platform provider
AI Agents Are the New Insiders
BankInfoSecurity · Jun 08 · Relevance: ██████░░░░ 6/10
Why it matters to CISOs: As AI agents are granted autonomous access to sensitive data and systems, CISOs must extend their insider threat programs to govern non-human identities — including audit trails, least-privilege access, and behavioral baselines for AI workflows.
- AI agents now execute multi-step workflows and access sensitive data repositories with minimal human intervention, mirroring insider risk profiles
- Existing insider threat detection tools and policies were not designed to monitor or control autonomous AI system behavior
- Security leaders must rethink identity governance, access controls, and monitoring frameworks to encompass AI agent activity
🔓 Data Breach
Ex-Threat Intel Exec Accuses IBM and AT&T of Hiding Hacks
BankInfoSecurity · Jun 08 · Relevance: █████████░ 9/10
Why it matters to CISOs: A False Claims Act whistleblower suit alleging IBM and AT&T concealed security failures to maintain federal contracts raises serious board-level questions about vendor due diligence obligations and the legal exposure CISOs face when managing third-party security representations.
- Former IBM VP of threat intelligence alleges IBM and AT&T failed to implement basic security controls while holding major government contracts
- Plaintiff claims unresolved cybersecurity deficiencies potentially exposed sensitive federal data for years
- Case is brought under the False Claims Act, which carries treble damages and could set precedent for contractor cybersecurity disclosure obligations
UNC3753 Used Vishing and Physical Intrusions in U.S. Data Theft Extortion Campaign
The Hacker News · Jun 08 · Relevance: ████████░░ 8/10
Why it matters to CISOs: Google Mandiant's attribution of a multi-vector vishing-plus-physical-intrusion extortion campaign targeting professional, legal, and financial services firms signals that threat actors are now combining social engineering with physical access — demanding CISOs reassess physical security integration with their cyber programs.
- UNC3753 (also tracked as Silent Ransom Group) targeted dozens of U.S. professional, legal, and financial services organizations between January and May 2026
- Attack chain combined voice phishing (vishing) with physical intrusions to achieve data theft and extortion
- Attribution and detailed TTPs published jointly by Google Mandiant and Google Threat Intelligence Group
Hacked, leaked, and held for ransom: the worst breaches of 2026 so far
TechCrunch Security · Jun 07 · Relevance: ████████░░ 8/10
Why it matters to CISOs: This mid-year breach retrospective from TechCrunch provides board-ready context on the threat landscape, covering a DOGE data breach, critical infrastructure attacks on energy and water systems, and the compromise of an FBI surveillance system — essential briefing material for CISO-to-board communications.
- 2026 has seen major breaches including a large-scale DOGE data breach and attacks on critical energy and water infrastructure
- An FBI surveillance system was compromised, indicating nation-state or sophisticated threat actor activity
- Ransomware and data extortion continue to dominate the incident landscape across sectors in the first half of 2026
Silent Ransom Group targets law firms with fake IT support calls
BleepingComputer · Jun 07 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: Mandiant's detailed report on Silent Ransom Group's vishing-to-data-theft pipeline targeting law firms and professional services — achieving exfiltration within hours of first contact — should prompt CISOs to harden help desk authentication and run tabletop exercises against social engineering scenarios.
- Silent Ransom Group is actively targeting U.S. law firms and professional services organizations using fake IT support phone calls
- The group achieves data theft within hours of initial social engineering contact, per Mandiant research
- The campaign focuses on extortion via stolen data rather than ransomware encryption
⚖️ Governance & Policy
Massachusetts votes to pass new privacy rights bill that bans sale of precise location data
TechCrunch Security · Jun 08 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: Massachusetts' passage of a comprehensive privacy bill with a blanket ban on selling precise location data adds another state-level compliance obligation for enterprises, accelerating the need for a unified data governance framework that can accommodate a patchwork of U.S. state privacy laws.
- Massachusetts has passed a new privacy rights bill that includes a blanket ban on the sale of precise location data
- The law adds Massachusetts to the growing roster of states with comprehensive consumer privacy legislation, increasing compliance complexity for multistate enterprises
- The location data prohibition has direct implications for any business using or brokering geolocation data in marketing, HR, or analytics contexts
🚨 Critical Vulnerability
Qilin ransomware affiliate exploited Check Point VPN zero-day (CVE-2026-50751)
Help Net Security · Jun 08 · Relevance: █████████░ 9/10
Why it matters to CISOs: A critical authentication bypass (CVSS 9.3) in Check Point Remote Access VPN is being actively exploited by a Qilin ransomware affiliate — organizations running Check Point VPN in IKEv1 mode face immediate ransomware exposure and must patch or mitigate by emergency change control.
- CVE-2026-50751 (CVSS 9.3) allows unauthenticated remote attackers to bypass certificate validation and password authentication in Check Point Remote Access VPN and Mobile Access
- Active exploitation confirmed, attributed to a Qilin ransomware affiliate conducting zero-day attacks
- Check Point has released security updates; organizations must patch immediately or implement compensating controls
Further Reading
- 🌍 VerdantBamboo Deploys BSD Variant of BRICKSTORM on Linux Appliances — The Hacker News
- 🌍 Russia upgrades rules for its digital spy system to better track citizens online — The Record (Recorded Future)
- 📡 Risky Bulletin: RubyGems adds dependency cooldowns to counter supply chain attacks — Risky Business News
- 📡 AI Agents Are the New Insiders — BankInfoSecurity
- 🔓 Ex-Threat Intel Exec Accuses IBM and AT&T of Hiding Hacks — BankInfoSecurity
- 🔓 UNC3753 Used Vishing and Physical Intrusions in U.S. Data Theft Extortion Campaign — The Hacker News
- 🔓 Hacked, leaked, and held for ransom: the worst breaches of 2026 so far — TechCrunch Security
- 🔓 Silent Ransom Group targets law firms with fake IT support calls — BleepingComputer
- ⚖️ Massachusetts votes to pass new privacy rights bill that bans sale of precise location data — TechCrunch Security
- 🚨 Qilin ransomware affiliate exploited Check Point VPN zero-day (CVE-2026-50751) — Help Net Security
Full Transcript
Alex: Welcome to Cleartext. It's Monday, June 8th, 2026. I'm Alex Chen.
Jordan: And I'm Jordan Reeves. Let's get into it.
Alex: We have a packed show today. A Check Point VPN zero-day that's already being exploited by ransomware operators, a whistleblower lawsuit that should make every CISO rethink their vendor contracts, China-nexus actors expanding their toolkit on network edge devices, threat actors literally walking into buildings to steal data, and Massachusetts just added another tile to the privacy compliance mosaic. Plus, we'll touch on Russia's surveillance upgrades, RubyGems taking a stand on supply chain attacks, and why your AI agents might be your newest insider threat.
Jordan: But let's start where the fire is hottest. If you're running Check Point Remote Access VPN, stop what you're doing and go check your patching status. CVE-2026-50751. CVSS 9.3. Authentication bypass. And it's not theoretical — a Qilin ransomware affiliate is actively exploiting this in the wild as a zero-day.
Alex: Walk us through the mechanics, Jordan.
Jordan: It's an authentication bypass affecting both Check Point Remote Access VPN and Mobile Access. Specifically, if you're running IKEv1 mode, an unauthenticated remote attacker can bypass both certificate validation and password authentication. That's full bypass. No credentials needed. Check Point has released patches, so this is an emergency change control situation. If you can't patch immediately, you need compensating controls — disable IKEv1 if possible, restrict access at the network layer, and assume compromise if you've been running an exposed instance.
Alex: And the fact that Qilin is the affiliate exploiting this matters. They're one of the more aggressive ransomware-as-a-service operations right now. They're not sitting on zero-days to be patient. They move fast, they exfiltrate, and they extort. So the window between exploitation and catastrophic data loss is compressed.
Jordan: Right. And this is a pattern we keep seeing. VPN appliances at the network edge continue to be the single most consequential attack surface for enterprise defenders. Ivanti, Fortinet, Palo Alto, now Check Point again. The perimeter device is the perimeter problem.
Alex: Which is a perfect segue into our next story, because China-nexus actors are thinking exactly the same way. Volexity published research today on VerdantBamboo — that's their name for the cluster Microsoft tracks as Clay Typhoon — deploying a BSD variant of the BRICKSTORM backdoor along with two other malware families, PLENET and AGENTPSD, specifically targeting Linux appliances.
Jordan: This is significant for a couple of reasons. First, the BSD variant. When you see a threat actor invest in porting their implant to BSD, they're not doing it for academic interest. They're doing it because they've encountered BSD-based appliances in target environments and they need persistent access on those platforms. This is capability expansion driven by operational necessity.
Alex: And what does that tell us about their targeting?
Jordan: It tells us they're inside networks where enterprise-grade network appliances run BSD derivatives — think firewalls, load balancers, specialized routing infrastructure. These are the devices that sit between segments, that handle sensitive traffic, that defenders often have limited visibility into. VerdantBamboo is building a cross-platform toolkit specifically to live on the infrastructure that most organizations treat as black boxes from a detection standpoint.
Alex: So the action item for CISOs here is twofold. One, make sure your threat model explicitly accounts for compromise of network appliances, not just endpoints. Two, if you're in sectors that Chinese state-affiliated actors historically target — defense industrial base, telecom, technology, critical infrastructure — you should be working with your detection teams to hunt for indicators associated with BRICKSTORM and these related families. Volexity's report has the technical details.
Jordan: And honestly, even if you're not in those sectors, the techniques transfer. Once these toolkits mature, they get reused across campaigns.
Alex: Let's shift to what might be the most consequential story of the day from a governance and liability perspective. A former IBM vice president of threat intelligence has filed a False Claims Act lawsuit alleging that IBM and AT&T concealed significant cybersecurity deficiencies while holding major federal government contracts.
Jordan: This is the kind of story that should be circulating in every CISO's legal and compliance channels today. The allegation is that basic security controls were not implemented, that known deficiencies went unresolved for years, and that sensitive federal data was potentially exposed throughout. And the vehicle here — the False Claims Act — is designed exactly for this. It carries treble damages and it's built for cases where contractors misrepresent their performance to the government.
Alex: Let me frame why this matters beyond IBM and AT&T. If you're a CISO at any organization that relies on managed security services or outsourced IT from major vendors, this case should trigger a hard look at your vendor due diligence process. What security representations are in your contracts? How do you verify them? And critically, what's your legal exposure if a vendor you selected is later found to have misrepresented their security posture?
Jordan: And for CISOs who are themselves at service providers or contractors — especially those with government work — this is a signal that the enforcement environment is tightening. The DOJ's Civil Cyber-Fraud Initiative has been building momentum. This lawsuit, if the allegations hold, could set precedent for what constitutes adequate cybersecurity disclosure by federal contractors. That's board-level risk.
Alex: Absolutely. I'd recommend every CISO with federal contract exposure brief their general counsel on this case this week.
Jordan: Now let's talk about a threat that's literally walking through the front door. Google Mandiant and GTIG published a detailed attribution on UNC3753, also known as the Silent Ransom Group. Between January and May of this year, they targeted dozens of U.S. professional services, legal, and financial services organizations using a combined vishing and physical intrusion playbook.
Alex: Break down that attack chain.
Jordan: It starts with voice phishing — fake IT support calls. They're convincing enough to get initial access or credentials. But what makes this campaign distinctive is the physical component. They're conducting actual physical intrusions into target facilities to support data theft. And the timeline is compressed — Mandiant reports data exfiltration within hours of initial contact. They're not deploying ransomware. They're stealing data and going straight to extortion.
Alex: This is a wake-up call for how siloed most organizations still are between physical security and cybersecurity. Your SOC might be world-class, but if someone can social engineer their way past the front desk and plug into your network from a conference room, none of that matters.
Jordan: Law firms are particularly vulnerable here because of the nature of the data they hold — privileged communications, M&A details, litigation strategy. The extortion leverage is enormous. But this pattern will expand to other sectors. If you're a CISO, run a tabletop exercise this quarter that explicitly includes a combined social engineering and physical access scenario. And harden your help desk authentication immediately. If your IT support team can't verify caller identity through a secure channel, you have a gap that this group will exploit.
Alex: The BleepingComputer coverage adds useful operational detail on the law firm targeting specifically. Check our show notes for both sources.
Jordan: Let's move to Russia. The Ministry of Digital Development published updated technical standards for SORM — the System for Operative Investigative Activities — at the end of May. This is Russia's state-mandated surveillance infrastructure that all telecom and internet providers operating in Russia must support.
Alex: For CISOs at multinationals with Russian operations, employees, or data flows touching Russia, this is a compliance and risk story. The upgraded SORM standards expand the state's technical interception capabilities. That means any data transiting Russian infrastructure — email, messaging, browsing, VPN traffic — faces an elevated interception risk under a legal framework that offers essentially zero transparency or recourse.
Jordan: And the practical implication is that your legal team and your security team need to jointly assess what data exposure exists in Russian operations. If you haven't already segmented Russian operations from your core enterprise infrastructure, this should accelerate that conversation.
Alex: Staying on governance, Massachusetts passed a comprehensive privacy bill that includes a blanket ban on selling precise location data. This makes Massachusetts the latest state to join what is now a thoroughly fragmented U.S. privacy landscape.
Jordan: The location data ban is the sharp edge here. If your organization uses, brokers, or passes location data through marketing, HR analytics, fleet management, anything — you now have another state-specific prohibition to comply with. And the patchwork keeps growing.
Alex: If you don't have a unified data governance framework that can accommodate state-by-state variation, you're building compliance debt that will compound. This is an area where investment now saves you emergency spend later.
Jordan: Two more items, quickly. RubyGems is implementing dependency cooldowns — essentially a waiting period before new dependencies can be consumed — as a defense against supply chain attacks. It's a simple, elegant control. It won't stop everything, but it raises the cost for attackers who rely on typosquatting and dependency confusion. Other package managers should follow suit.
Alex: And from the same Risky Business bulletin, Cisco has warned of a new SD-WAN zero-day, and Google layoffs have reportedly hit security teams. That second item is worth watching. When a platform provider that handles a significant portion of the internet's infrastructure reduces its security headcount, that's a systemic risk signal that deserves attention.
Jordan: Last segment before our outlook. BankInfoSecurity published a thoughtful piece on AI agents as the new insider threat. As AI agents are granted autonomous access to systems and data — executing multi-step workflows with minimal human oversight — they functionally mirror insider risk profiles.
Alex: This is the governance challenge I keep raising with boards. Your insider threat program was designed for humans. It assumes behavioral patterns, access request workflows, and audit trails that are built around human decision-making. AI agents don't fit that model. They access data at machine speed, across systems, and often with overly broad permissions because the use case demanded it.
Jordan: The fix isn't exotic. It's applying the same principles — least privilege, behavioral baselines, audit trails — but extending them to non-human identities. If your IAM program doesn't have a workstream for AI agent governance, you're behind.
Alex: Looking at the week ahead, Jordan, what's the through-line you see?
Jordan: The theme is convergence of threat vectors. Physical and cyber in the UNC3753 campaign. Network appliances becoming the primary target for both Chinese espionage and ransomware affiliates. AI agents creating insider risk at machine scale. The boundaries that we've used to organize security programs — physical versus cyber, human versus non-human, endpoint versus network — those boundaries are becoming liabilities. The threat actors don't respect them, and our organizational structures shouldn't either.
Alex: I'd add the governance dimension. Between the IBM-AT&T whistleblower case, Massachusetts privacy law, and Russia's SORM upgrades, CISOs are operating in an environment where the legal and regulatory consequences of security decisions are accelerating faster than the threat landscape itself. If your board isn't hearing about legal exposure alongside technical risk, you're telling an incomplete story.
Jordan: Well said. Busy week ahead.
Alex: That's Cleartext for Monday, June 8th, 2026. Show notes and links to every story we covered are at cleartext.fm. We'll see you tomorrow.
Jordan: Stay sharp.
Cleartext is an automated daily podcast for CISOs and security leaders. Generated 2026-06-08.
Sources are pulled from: CyberScoop, The Record, SecurityWeek, Krebs on Security, Dark Reading, Cybersecurity Dive, BleepingComputer, Wired, Ars Technica, TechCrunch, Help Net Security, VentureBeat, Risky Business News, The Hacker News, CISA, and BankInfoSecurity.