← Back to Archive

Ransomware Cripples Coca-Cola Production as Critical WordPress, SharePoint, and OpenSSL Flaws Exploited in the Wild

Executive Summary

The week of July 11-18, 2026 has been marked by significant operational disruptions across multiple critical infrastructure sectors, with ransomware attacks impacting food and beverage production, healthcare diagnostics, and professional services. Simultaneously, a surge of critical vulnerabilities affecting widely-deployed platforms—including WordPress, Microsoft SharePoint, and OpenSSL—are being actively exploited, prompting emergency federal directives.

  • Ransomware Operations Intensify: Coca-Cola suspended US Fairlife dairy production following a ransomware attack, while Abbott Laboratories investigates dual cyber incidents amid extortion claims. A new threat group, "The Gentlemen," has overtaken Qilin as the most prolific ransomware operator, with government agencies reportedly falling victim daily.
  • Critical Zero-Days Under Active Exploitation: CISA added a SharePoint RCE zero-day (CVE-2026-58644) to its Known Exploited Vulnerabilities catalog, while a new WordPress core vulnerability (wp2shell) allows unauthenticated code execution on unpatched 6.9 and 7.0 installations. A Windows zero-day dubbed "LegacyHive" enables privilege escalation on fully-patched systems.
  • Supply Chain and Third-Party Risks Materialize: Ernst & Young disclosed a data breach stemming from a compromised third-party support ticket system. The DigiCert breach has been attributed to the GoldenEyeDog subgroup "CylindricalCanine," raising concerns about code-signing certificate integrity across software supply chains.
  • Nation-State Activity Continues: Iranian actors reportedly tracked US military personnel via mobile phones, while a new espionage malware called GoSerpent targets Southeast Asian governments. North Korean threat actors are using steganography in fake coding tests to deliver malware.
  • Regulatory Developments: The Pentagon suspended CMMC Phase 2 third-party audits, though underlying CUI protection obligations remain in effect. The EU ordered Google to open Android's camera, microphone, and screen access to rival AI assistants.

Threat Landscape

Nation-State Threat Actor Activities

  • Iranian Mobile Surveillance: Reports indicate Iranian threat actors have developed capabilities to track US military personnel through mobile phone data. This represents a significant counterintelligence concern for defense personnel and contractors. (SecurityWeek)
  • GoSerpent Espionage Campaign: A previously undocumented malware called GoSerpent has been targeting government entities and diplomatic missions in Southeast Asia since late 2025. The malware focuses on espionage operations, suggesting nation-state backing. Organizations with regional operations should review network traffic for anomalous Go-based binary communications. (The Hacker News)
  • North Korean Contagious Interview Campaign: The DPRK-linked threat group continues its fake job interview campaign, now employing steganography to hide malicious payloads within SVG flag images. The OtterCookie-aligned malware targets developers through fake coding tests, representing ongoing supply chain and insider threat risks. (The Hacker News)
  • GoldenEyeDog/CylindricalCanine Attribution: Security researchers at Expel have attributed the April 2026 DigiCert breach to a threat cluster dubbed CylindricalCanine, a subgroup of GoldenEyeDog. The breach resulted in code-signing certificate theft, with potential downstream impacts on software integrity verification across multiple sectors. (The Hacker News)

Ransomware and Cybercriminal Developments

  • The Gentlemen Emerges as Top Ransomware Threat: Analysis by ReliaQuest indicates "The Gentlemen" has overtaken Qilin as the most prolific ransomware operation. This shift in the ransomware landscape suggests either increased operational tempo or successful recruitment of affiliates from competing groups. (Infosecurity Magazine)
  • Government Agencies Under Daily Attack: A new study warns that government organizations are being targeted by ransomware attackers daily, with threat actors specifically exploiting the fact that agencies cannot afford disruption to public services. This creates significant leverage for extortion demands. (Infosecurity Magazine)
  • Scattered Spider Sentencing: Two leading members of Scattered Spider—Thalha Jubair and Owen Flowers—were sentenced in the UK to 66 months imprisonment. US authorities previously accused Jubair of participating in at least 120 attacks. This represents significant law enforcement progress against The Com hacker collective. (CyberScoop)
  • REvil Suspect Detained: Armenia has detained a Russian tourist named Aleksandr Ermakov since June 28 on a US extradition request for a REvil ransomware suspect. Defense lawyers claim mistaken identity, highlighting the complexities of international cybercriminal prosecution. (The Hacker News)
  • ACR Stealer Campaign: The ACR Stealer infostealer, active since 2024, is using ClickFix lures to exfiltrate browser passwords, session tokens, PDFs, and Microsoft 365 documents from enterprise networks. The campaign represents ongoing credential theft risks for organizations across sectors. (The Hacker News)

Emerging Attack Vectors

  • NadMesh Botnet Targets AI Infrastructure: A new Go-based botnet called NadMesh is actively hunting exposed AI services to harvest cloud credentials and Kubernetes tokens. The operator's dashboard claims 3,811 unique AWS keys, with a Shodan harvester continuously identifying new targets. Organizations deploying AI services should audit external exposure immediately. (The Hacker News)
  • Malicious npm Packages Target Vite Ecosystem: Seven malicious npm packages targeting the Vite frontend tooling ecosystem have been discovered using blockchain-based command and control to deliver remote access trojans. Development teams should audit dependencies and implement software composition analysis. (The Hacker News)
  • Fake TTF Files in Phishing Campaign: A global phishing campaign is using fake TrueType Font (TTF) files to deliver stealthy malware, bypassing traditional email security controls. (CSO Online)

Sector-Specific Analysis

Food and Agriculture / Manufacturing

Coca-Cola Fairlife Production Suspended: Coca-Cola has suspended US production at its Fairlife dairy subsidiary following a ransomware attack. The company has not yet determined the full scope, nature, or impact of the incident. This disruption affects a significant portion of the US dairy beverage supply chain and highlights the vulnerability of food production facilities to cyber attacks.

Impact Assessment: Fairlife operates multiple production facilities across the United States. Extended downtime could affect product availability and pricing in the dairy beverage market. Organizations in the food and beverage sector should review incident response plans and ensure offline backup capabilities for operational technology systems. (SecurityWeek)

Nichirei Operations Disrupted: Japanese frozen food giant Nichirei disconnected systems on July 13 following a cyberattack and is gradually restoring operations. This represents the second major food production disruption this week, underscoring sector-wide targeting. (SecurityWeek)

Healthcare and Public Health

Abbott Laboratories Dual Incidents: Abbott Laboratories is investigating two separate cybersecurity incidents. The company confirmed unauthorized access to internal legacy Exact Sciences systems in its Cancer Diagnostics business, while also facing extortion claims. Healthcare organizations should monitor for potential data exposure and review third-party system access controls.

Implications: Cancer diagnostics data is highly sensitive and could be leveraged for targeted extortion or identity theft. Downstream healthcare providers using Abbott diagnostic services should prepare for potential notification requirements. (Bleeping Computer)

23andMe Settlement: 23andMe agreed to an $18 million settlement with 42 US attorneys general over its 2023 data breach, including enhanced data protection requirements. This establishes precedent for genetic data protection obligations that may influence future healthcare sector regulations. (Infosecurity Magazine)

Defense Industrial Base

TKMS Naval Defense Firm Hit by Ransomware: German naval defense contractor ThyssenKrupp Marine Systems (TKMS) has been impacted by a ransomware attack. Details remain limited, but the incident raises concerns about defense supply chain security and potential data exposure affecting naval programs. (SecurityWeek)

CMMC Phase 2 Suspension: The Pentagon has suspended CMMC Phase 2 third-party audits. Industry professionals broadly agree this pauses certification audits but does not suspend the underlying legal obligation to protect Controlled Unclassified Information (CUI). Defense contractors should continue compliance preparations while monitoring for updated guidance. (SecurityWeek)

Financial Services

Ernst & Young Data Breach: Ernst & Young is notifying customers of a data breach caused by the compromise of a third-party support ticket system used by IT personnel. This incident highlights the persistent risk of third-party service provider compromises affecting major financial services firms.

Recommended Actions: Financial institutions should audit third-party support system access, implement network segmentation for support tools, and review data classification for information accessible through support channels. (Bleeping Computer)

Money Laundering Charges: US prosecutors charged a New York man and woman for roles in a large-scale crime ring laundering money stolen in cyber investment fraud scams. This enforcement action demonstrates continued focus on disrupting the financial infrastructure supporting cybercrime. (Bleeping Computer)

Information Technology

DigiCert Code-Signing Certificate Theft: The attribution of the April 2026 DigiCert breach to the CylindricalCanine threat cluster raises significant concerns about code-signing certificate integrity. Organizations should verify certificate chains and monitor for unauthorized software signatures.

Lidl Data Breach: Retail giant Lidl disclosed a data breach, though details remain limited. Retail sector organizations should review point-of-sale and customer data protection measures. (SecurityWeek)

Communications

EU Orders Android AI Assistant Access: The European Commission ordered Google to provide rival AI assistants the same access to Android's camera, microphone, screen content, and wake word functionality that Gemini currently enjoys. This regulatory action has significant implications for mobile device security architecture and data access controls. (The Hacker News)

Vulnerability and Mitigation Updates

Critical Vulnerabilities Requiring Immediate Action

CVE/Name Product Severity Status Action Required
CVE-2026-58644 Microsoft SharePoint Server Critical Actively Exploited Patch immediately; added to CISA KEV
wp2shell WordPress Core 6.9, 7.0 Critical Actively Exploited Update to patched version immediately
HollowByte OpenSSL High Public Exploit Patch OpenSSL installations
LegacyHive Windows (all current versions) High Zero-Day, Public Exploit Monitor for patch; implement mitigations
Fortinet Flaws FortiSandbox Critical Actively Exploited Patch by July 19 (CISA mandate)

Detailed Vulnerability Analysis

SharePoint RCE Zero-Day (CVE-2026-58644): CISA added this critical vulnerability to its Known Exploited Vulnerabilities catalog on Thursday. The flaw allows remote, authenticated attackers to execute arbitrary code on SharePoint servers. Exploitation was observed shortly after disclosure, indicating sophisticated threat actors with rapid weaponization capabilities.

Mitigation: Apply Microsoft patches immediately. If patching is not immediately possible, consider temporarily restricting SharePoint access to trusted networks and implementing enhanced monitoring for suspicious SharePoint activity. (SecurityWeek, CISA)

WordPress wp2shell Vulnerability: This critical flaw in WordPress core allows unauthenticated attackers to execute code via anonymous HTTP requests. Notably, the vulnerability affects bare WordPress installations with zero plugins, meaning the attack surface includes every WordPress 6.9 and 7.0 site. WordPress released patches on Friday.

Mitigation: Update all WordPress installations immediately. Organizations should inventory WordPress deployments, including shadow IT instances, and implement web application firewall rules to block exploitation attempts. (The Hacker News)

OpenSSL HollowByte DoS Vulnerability: An 11-byte malicious TLS request can cause unpatched OpenSSL servers to allocate up to 131 KB of memory that is never released until process restart. On glibc systems, this memory exhaustion can effectively freeze server operations.

Mitigation: Patch OpenSSL installations. Implement rate limiting on TLS connections and monitor for memory exhaustion indicators. (The Hacker News, Bleeping Computer)

Windows LegacyHive Zero-Day: A security researcher released a Windows privilege escalation exploit that works on fully-patched systems. No official patch is currently available.

Mitigation: Implement principle of least privilege, monitor for suspicious privilege escalation activity, and restrict local administrator access. Consider application whitelisting to prevent unauthorized code execution. (Bleeping Computer)

CISA Advisories and Directives

  • Fortinet FortiSandbox Vulnerabilities: CISA ordered government agencies to prioritize patching two actively exploited vulnerabilities in Fortinet FortiSandbox by July 19, 2026. Private sector organizations using FortiSandbox should treat this deadline as equally urgent. (Bleeping Computer, Infosecurity Magazine)
  • SharePoint KEV Addition: CVE-2026-58644 was added to the Known Exploited Vulnerabilities catalog, triggering federal agency patching requirements. (CISA)

Resilience and Continuity Planning

Lessons from Recent Incidents

Third-Party Risk Materialization: The Ernst & Young breach via a compromised support ticket system and the DigiCert certificate theft demonstrate that third-party service providers remain a critical attack vector. Organizations should:

  • Conduct comprehensive third-party risk assessments, including support and administrative tools
  • Implement network segmentation to limit third-party system access to sensitive data
  • Require multi-factor authentication for all third-party administrative access
  • Establish monitoring and alerting for anomalous third-party system activity

Supply Chain Security Developments

Software Supply Chain Integrity: The DigiCert code-signing certificate theft and malicious npm packages targeting the Vite ecosystem highlight ongoing software supply chain risks. Recommended actions include:

  • Implement software composition analysis (SCA) tools to identify vulnerable or malicious dependencies
  • Verify code-signing certificates and monitor for unauthorized signatures
  • Establish software bill of materials (SBOM) requirements for critical systems
  • Consider private package registries with security scanning for development environments

Risk Ledger Funding: Risk Ledger raised $32 million in Series B funding for its collaborative supply chain security platform, indicating continued market investment in third-party risk management solutions. (SecurityWeek)

Cross-Sector Dependencies

Food Production Disruptions: The simultaneous ransomware attacks on Coca-Cola/Fairlife and Nichirei demonstrate the vulnerability of food production to cyber attacks. Extended disruptions could affect:

  • Retail food availability and pricing
  • Cold chain logistics and transportation
  • Agricultural supply chains (dairy, raw materials)
  • Healthcare nutrition services dependent on specific products

AI Infrastructure Security

Emerging AI Attack Surface: The NadMesh botnet's targeting of exposed AI services for cloud credential theft represents an emerging threat to organizations deploying AI capabilities. Security teams should:

  • Audit external exposure of AI services and APIs
  • Implement strong authentication for AI service endpoints
  • Monitor for credential harvesting activity targeting AI infrastructure
  • Review cloud IAM policies for AI service accounts

Regulatory and Policy Developments

Federal Guidelines and Regulatory Changes

CMMC Phase 2 Suspension: The Department of Defense suspended CMMC Phase 2 third-party certification audits. Key implications:

  • Third-party CMMC audits are paused pending further guidance
  • Legal obligations to protect CUI under DFARS 252.204-7012 remain in effect
  • Self-assessment requirements continue
  • Defense contractors should maintain compliance readiness while monitoring for updated timelines

(SecurityWeek)

23andMe Settlement Precedent: The $18 million settlement with 42 state attorneys general establishes enhanced data protection requirements for genetic information. Healthcare and life sciences organizations should review data protection practices for genetic and biometric data in anticipation of similar enforcement actions. (Infosecurity Magazine)

International Policy Developments

EU Android AI Access Mandate: The European Commission's order requiring Google to open Android's camera, microphone, and screen access to rival AI assistants has significant implications:

  • Mobile device security architecture may require redesign
  • Enterprise mobile device management (MDM) policies may need updates
  • Data access and privacy controls for AI assistants will require enhanced scrutiny
  • Organizations should monitor implementation timelines and security implications

(The Hacker News, CSO Online)

Compliance Deadlines

  • July 19, 2026: CISA-mandated deadline for federal agencies to patch Fortinet FortiSandbox vulnerabilities
  • October 2026: Windows Server 2022 reaches end of mainstream support (extended support continues for five years)

Training and Resource Spotlight

Industry Investment and Tools

Beacon Security Funding: Beacon Security raised $13 million for its security data platform, which helps organizations detect, hunt, and protect assets across environments at machine speed. This investment reflects continued market demand for unified security visibility solutions. (SecurityWeek)

GRC AI Tool Readiness: A report by Drata analyzing survey responses from security and IT professionals indicates that a majority of organizations agree many GRC AI tools aren't ready for production use. Organizations should carefully evaluate AI-powered compliance tools before deployment. (Security Magazine)

Emerging Roles and Best Practices

Business Information Security Officer (BISO): GTT's VP of Strategy discusses the emergence and benefits of the BISO role, which bridges security and business operations. Organizations should consider whether this role could improve security-business alignment. (Security Magazine)

Cloud Security Integration: Security Magazine highlights that physical and digital security can no longer be treated as separate conversations, particularly for cloud infrastructure protection. (Security Magazine)

Research and Analysis

Military Autonomy and Trusted Infrastructure: Analysis from The Hacker News examines whether trusted information infrastructure can keep pace with the race to field military autonomous capabilities across US, UK, and NATO forces. Defense sector organizations should monitor evolving requirements for autonomous system security. (The Hacker News)

Alan Turing Voice Encryption History: Schneier on Security highlights newly released details of Alan Turing's Delilah voice encryption system from wartime papers, providing historical context for modern cryptographic development. (Schneier on Security)

Looking Ahead: Upcoming Events

Conferences and Training

  • July 21, 2026 (11:00 AM - 1:30 PM EDT): NCCoE Cybersecurity Connections Event: Accelerating the Adoption of Mobile Driver's Licenses - NIST National Cybersecurity Center of Excellence quarterly networking event focusing on mobile identity credentials. (NIST)
  • July 21, 2026: NIST Time and Frequency Division Annual Seminar - Covers precision clocks, atomic frequency standards, RF and optical synchronization, optical oscillators, quantum information, and positioning systems. Relevant for communications and timing-dependent infrastructure. (NIST)
  • July 22, 2026: NIST Publication: Securing AI Data Center: Architecture, Security Posture, and Emerging Standards - New guidance on AI data center security architecture and emerging standards. Critical reading for organizations deploying AI infrastructure. (NIST)
  • September 2, 2026: HHS/NIST Event: Safeguarding Health Information: Building Assurance through HIPAA Security 2026 - Joint event by HHS Office for Civil Rights and NIST ITL on HIPAA security requirements. Essential for healthcare sector security professionals. (NIST)

Critical Deadlines

  • July 19, 2026: CISA-mandated patch deadline for Fortinet FortiSandbox vulnerabilities affecting federal agencies
  • October 2026: Windows Server 2022 mainstream support ends (90 days from current date)

Threat Awareness Periods

  • Summer Travel Season: Increased mobile device exposure and remote access risks as personnel travel. Review VPN and remote access security controls.
  • Back-to-School Period (August-September): Education sector should prepare for increased targeting as academic year approaches.
  • Q3 Financial Reporting: Financial services sector should maintain heightened awareness during quarterly reporting periods.

Recommended Preparation Actions

  • Complete patching for all actively exploited vulnerabilities before the weekend
  • Audit WordPress installations across the enterprise, including shadow IT
  • Review third-party support system access and implement enhanced monitoring
  • Verify incident response plan readiness given increased ransomware activity
  • Brief executive leadership on current threat landscape and sector-specific risks

This intelligence briefing is compiled from open-source reporting and is intended to support critical infrastructure protection decision-making. Recipients are encouraged to verify information through official channels and adapt recommendations to their specific operational environments.

Report Date: Saturday, July 18, 2026

Disclaimer

This briefing is generated using AI analysis of public news sources. Always verify critical information through authoritative sources before taking action.