
CyberWatch Weekly: ServiceNow Data Exposure, WinRAR Exploits, and AudiA6 Takedown

This week’s cybersecurity updates show three different sides of modern cyber risk. A ServiceNow security issue raised concerns about SaaS data exposure, Russia-aligned groups continued to exploit an old WinRAR flaw against Ukrainian organizations, and Europol disrupted a crypto-laundering service used by ransomware gangs. The message is consistent: attackers do not always need new tricks. Sometimes, they only need exposed data, unpatched software, or a financial pipeline that helps cybercrime survive.


ServiceNow Security Issue Raises Concerns Over Customer Data Exposure

ServiceNow notified some customers about a security issue that may have exposed customer instance data to unauthorized access. The issue was linked to a platform bug that, under certain circumstances, could allow unauthenticated users to gain greater access to ServiceNow-hosted data than intended.

ServiceNow applied a security update to hosted customer instances on June 5, 2026. The company also detected anomalous activity and reportedly observed successful queries of instance tables for a subset of customers.

ServiceNow is deeply embedded in enterprise operations, making even limited exposure significant. Organizations using SaaS platforms should not treat vendor security as a black box. Admins should review logs, monitor unusual API activity, enable strong access controls, validate guest access settings, and ensure security notifications from vendors are acted on quickly. Teams managing cloud and SaaS environments can build stronger skills in cloud governance, risk management, access control, and data protection by taking cloud security training, such as CCSP Training & Certification.

Key Takeaway: SaaS platforms are high-value targets. Know what’s exposed, and act on vendor alerts fast.

Source: Times of India Report

Russian Attackers Exploit Old WinRAR Flaw Against Ukrainian Organizations

Russia-aligned threat groups continued exploiting a patched WinRAR vulnerability, CVE-2025-8088, to target Ukrainian military, government, law enforcement, and related organizations. The flaw had already been fixed in WinRAR 7.13 in July 2025, but attackers still found it valuable because many systems remained unpatched.

The attacks began with weaponized emails carrying malicious RAR archives. When opened on vulnerable systems, the archive could silently write files outside the intended extraction folder. In some cases, files were placed in Windows Startup locations so the payload would run when the user logged in again.

Trend Micro linked the campaigns to SHADOW-EARTH-066 and Earth Dahu, also known as Gamaredon. One campaign deployed GIFTEDCROOK, an information stealer designed to harvest credentials, session cookies, and documents. Another used an HTA/VBScript-based chain for espionage.

The fix is straightforward: patch WinRAR, verify versions across endpoints, audit unmanaged software, hunt for suspicious files in Startup folders, and improve phishing detection. Vulnerability management should cover everyday tools, not just OS and enterprise software.
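The version check and Startup-folder hunt above can be run locally on an endpoint with a short PowerShell script. This is an added example, not part of the original report or any vendor tooling; it assumes WinRAR sits in a default install directory, and the 30-day look-back window is an arbitrary choice.

```powershell
# Added example: local triage for CVE-2025-8088 exposure on one endpoint.
# Assumptions: default WinRAR install directories; 30-day look-back window.
$FixedVersion = [version]'7.13'   # release that fixed the flaw, per the article
$LookbackDays = 30

# 1. Find WinRAR.exe and compare its file version with the fixed release.
$candidates = @(
    "$env:ProgramFiles\WinRAR\WinRAR.exe"
    "${env:ProgramFiles(x86)}\WinRAR\WinRAR.exe"
)
$winrar = foreach ($exe in ($candidates | Where-Object { Test-Path -LiteralPath $_ })) {
    $vi = (Get-Item -LiteralPath $exe).VersionInfo
    $v  = [version]::new($vi.FileMajorPart, $vi.FileMinorPart)
    [pscustomobject]@{
        Path       = $exe
        Version    = $v
        Vulnerable = $v -lt $FixedVersion
    }
}

# 2. List files that recently appeared in the current user's and the
#    all-users Startup folders. CreationTime is checked as well as
#    LastWriteTime because extraction can restore an archived (older)
#    modification time, while creation time reflects when the file landed.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup')
    [Environment]::GetFolderPath('CommonStartup')
)
$cutoff = (Get-Date).AddDays(-$LookbackDays)
$recent = Get-ChildItem -LiteralPath $startupDirs -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $cutoff -or $_.LastWriteTime -ge $cutoff } |
    Sort-Object CreationTime -Descending |
    Select-Object FullName, CreationTime, LastWriteTime, Length

# 3. Report.
if ($winrar) { $winrar | Format-Table -AutoSize }
else         { 'WinRAR.exe not found in the default install directories.' }

if ($recent) { $recent | Format-Table -AutoSize }
else         { "No Startup-folder files created or modified in the last $LookbackDays days." }
```

Only the signed-in user's Startup folder and the all-users folder are covered; other profiles on the same machine need the script run in their context or an elevated sweep of each profile.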

Key Takeaway: Old vulnerabilities remain dangerous when widely used tools are not tracked, patched, or centrally managed.

Source: Dark Reading Report

Europol Disrupts AudiA6 Crypto Laundering Service Used by Ransomware Gangs

European authorities disrupted AudiA6, a cryptocurrency laundering service used by ransomware gangs and cybercriminal networks to hide the origin of stolen digital assets. Europol said the operation cut off a major financial pipeline used to launder hundreds of millions in illicit profits.

AudiA6 allegedly helped criminals move funds through complex cryptocurrency transactions, fraudulent exchange accounts, mule wallets, and private messaging channels. According to law enforcement reports, the service had been used to launder more than €336 million since 2021 and was linked to more than 15 cybercrime investigations worldwide.

The disruption included arrests, premises searches, domain takedowns, server seizures, frozen crypto assets, blocked Telegram accounts, and seizure banners placed on AudiA6 and Dark2Web websites. The U.S. Department of Justice also announced charges against two alleged administrators.

This matters because ransomware does not survive only on malware. It survives on infrastructure, affiliates, payment channels, laundering services, and marketplaces that help criminals monetize attacks. To fight ransomware, organizations need strong backups, endpoint detection, identity security, payment-tracking support, and timely reporting to law enforcement.

Key Takeaway: Disrupting ransomware finance is as important as stopping the malware itself.

Source: The Hacker News Report

Final Thoughts This Week

For organizations, the focus should be simple: know what is exposed, patch what is unmanaged, monitor what matters, and prepare before attackers turn small gaps into major incidents.

Stay vigilant and stay informed with InfosecTrain’s CyberWatch Weekly.

 
