ctipilot.chSwitzerland · Europe · Public sector

CTI Daily Brief — 2026-05-06

daily 2026-05-06 by Claude Sonnet 4.6 (`claude-sonnet-4-6`) TLP:CLEAR English prompt v2.19 18 items 10 CVEs
On this page

On this page

References (49)

AI-generated content — no human review. This brief was produced autonomously by an LLM (Claude Sonnet 4.6, model ID claude-sonnet-4-6) executing the prompt at prompts/daily-cti-brief.md as a Claude Code routine on Anthropic-managed cloud infrastructure. Nothing here is reviewed or edited by a human before publication. All facts are linked inline to the public sources the agent fetched in this run. Verify any operationally critical claim against the linked primary source before acting.

0. TL;DR

  • CVE-2026-31431 "Copy Fail" — Linux kernel LPE actively exploited; CISA KEV deadline 2026-05-15. An unprivileged local attacker can silently overwrite setuid-root binaries in kernel page cache without touching disk; a public 732-byte Python exploit requires no timing precision. All major Linux distributions since 2017 are affected. Patch immediately; interim: blacklist the algif_aead module. Full technical detail § 5. (CERT-EU Advisory 2026-005, 2026-04-30)
  • CVE-2026-4670 (CVSS 9.8) — Critical unauthenticated auth bypass in Progress MOVEit Automation; CERT-FR advisory issued. No in-the-wild exploitation confirmed at time of disclosure (2026-05-04), but MOVEit's 2023 Cl0p-exploitation history makes this an emergency priority. Patch to 2025.1.5 / 2025.0.9 / 2024.1.8. (Help Net Security, 2026-05-04)
  • DigiCert support portal compromised — 60 fraudulent EV code-signing certificates generated; 11 confirmed used to sign Zhong Stealer malware. Social engineering via support chat; secondary failure: absent EDR on one analyst system allowed 12-day dwell. Audit software signed with DigiCert EV certificates updated April–May 2026. (Help Net Security, 2026-05-04)
  • French government identity agency (ANTS/France Titres) — up to 18 million citizen records exfiltrated; suspect detained. Breach of the agency managing French biometric passports, national IDs, and driving licences. Direct threat-model transfer to CH and EU national identity registries. (Help Net Security, 2026-05-04)
  • Europol IOCTA 2026: state-criminal actor convergence and GenAI-enabled fraud are the defining strategic threats for European public-sector defenders. Annual EU threat assessment explicitly identifies interweaving of state-sponsored hybrid operations with criminal actors as the primary strategic risk. First coverage — see § 4. (Europol / EC Migration & Home Affairs, 2026-04-28)

2. Switzerland, Europe & Public Sector

[SINGLE-SOURCE-NATIONAL-CERT] Switzerland: NCSC "Double Phishing" — Parcel Delivery Lure Followed by Telephone Callback Fraud

The Swiss Federal Office for Cybersecurity (BACS/NCSC) published its Week 18 focus article on 2026-05-05 documenting a refined two-stage social-engineering methodology targeting Swiss residents under the guise of parcel-delivery notifications (NCSC Switzerland — Im Fokus / "In Focus", 2026-05-05). Attackers impersonate Swiss Post, DHL, and DPD to harvest credentials or card data via phishing sites, then follow up with a direct telephone call to the victim to extract additional information or authorise fraudulent transactions in real time. This "Double Phishing" technique is particularly effective because the second stage — a voice call — bypasses conventional email and web security controls entirely, exploiting trust built by the apparent digital authenticity of the first stage. The technique aligns with Telephone-Oriented Attack Delivery (TOAD) patterns increasingly documented across European consumer and SME targeting. Public-sector contact centres and help-desk staff should be briefed on this pattern — specifically, recognising unsolicited inbound calls referencing recent online interactions or delivery notifications.

CH/EU nexus: Direct — Swiss government NCSC advisory; Swiss Post explicitly named as impersonated entity. | Public-sector nexus: Social-engineering risk applicable to public-sector employees and citizens using government e-services. [SINGLE-SOURCE-NATIONAL-CERT]

Germany: DENIC .de TLD Outage from DNSSEC Misconfiguration — All German Government Web Services Affected

On 2026-05-05, DENIC — the registry for the .de country-code top-level domain — began serving malformed RRSIG (DNSSEC signature) records for the entire .de zone, causing all DNSSEC-validating resolvers (including Google Public DNS and Cloudflare DNS) to return SERVFAIL for millions of .de hostnames (IP.network Blog, 2026-05-05; heise Security (DE) — "DNS-Probleme: .de-Domains nicht erreichbar" ("DNS issues: .de domains unreachable"), 2026-05-05; SecurityWeek, 2026-05-05). Because DNSSEC-validating resolvers refuse to return records that fail cryptographic validation rather than falling back to unvalidated resolution, availability was fully severed for end-users on standard public resolvers. All German government portals and critical-infrastructure services reachable via .de hostnames were impacted. The incident was assessed as an operational misconfiguration rather than a cyber attack, and resolved during 2026-05-05. It illustrates a well-known but under-managed DNSSEC operational risk: a single broken zone-signing pipeline can cascade to national-scale availability failure.

CH/EU nexus: Direct — German national TLD registry; all German government web services and portals affected. | Public-sector nexus: All .de-hosted German government services were impacted. | Defender takeaway: Public-sector DNS administrators should deploy RRSIG expiry monitoring and zone-signing pipeline health alerts, and validate that DNSSEC failure incident-response procedures are documented and tested — particularly for zones critical to citizen-facing government services.

France: ANTS Government Identity Agency — Up to 18 Million Citizen Records Exfiltrated; Suspect Detained

France Titres (officially Agence Nationale des Titres Sécurisés — ANTS), the French government agency responsible for issuing biometric passports, national identity cards, and driving licences, confirmed a breach in which between 12 and 18 million citizen records were exfiltrated, with French authorities detaining a 15-year-old suspect on 2026-04-25 — a development widely reported during this brief's window (Help Net Security, 2026-05-04; The Register, 2026-04-30; TechCrunch, 2026-04-22). The stolen data includes national ID numbers, full names, email addresses, dates of birth, and unique account identifiers; a subset of records also includes home addresses, places of birth, and phone numbers — covering approximately one-third of the French adult population. Breach detection is reported to have occurred on 2026-04-13; the citizen notification arrived nine days later on 2026-04-22. No specific technical vulnerability or initial-access vector has been publicly confirmed. Charges against the suspect include unauthorised access, data theft, disruption of a state system, and possession of hacking tools. The stolen dataset creates elevated phishing and social-engineering risk for French citizens that will persist for years.

CH/EU nexus: Direct EU nexus — French government central identity registry; GDPR breach-notification obligations apply; peer risk for all EU and CH national identity management systems. | Public-sector nexus: Core government digital-identity infrastructure directly comparable to Swiss e-ID architecture and EU member-state ID registries. | Defender takeaway: National identity registries should audit privileged access controls on identity databases, deploy anomaly detection on bulk database read patterns, and verify that GDPR-mandated breach-notification timelines are achievable given current incident-detection tooling.

[SINGLE-SOURCE-NATIONAL-CERT] CERT-FR Batch Advisories 2026-05-04/05: PaperCut, Thunderbird, QNAP QTS, VMware Tanzu, Traefik, Android

ANSSI/CERT-FR published seven advisories between 2026-05-04 and 2026-05-05 covering products widely deployed in European public-sector IT environments (CERT-FR / cert.ssi.gouv.fr, 2026-05-04/05). The most notable for public-sector defenders: PaperCut (CERTFR-2026-AVI-0533) — print-management software historically targeted with critical exploits, prevalent in government and education across Europe; administrators should assess the advisory before general deployment. Mozilla Thunderbird (CERTFR-2026-AVI-0529) — common email client on European public-sector desktops; multiple flaws addressed. QNAP QTS (CERTFR-2026-AVI-0528) — NAS devices frequently found in SME and local-government environments. VMware Tanzu Kubernetes Runtime (CERTFR-2026-AVI-0527) — cloud-native infrastructure increasingly deployed in government cloud-migration and digital-transformation projects. Traefik (CERTFR-2026-AVI-0531) — widely used reverse proxy and API gateway in cloud-native public-sector deployments; see CVE-2026-32305 in § 1b for the specific mTLS bypass flaw. Android (CERTFR-2026-AVI-0534) — affects government Mobile Device Management (MDM) environments; confirm patch deployment via MDM console. Specific CVE identifiers for the PaperCut, Thunderbird, QNAP, VMware Tanzu, and Android advisories were not retrieved in this run; consult the CERT-FR advisories directly at cert.ssi.gouv.fr for CVE listings and severity ratings. [SINGLE-SOURCE-NATIONAL-CERT, CVE detail incomplete for five of seven advisories]

3. Notable Incidents & Disclosures

From Sub-agent 4. One paragraph per incident; framed as post-incident summaries for defenders.

DigiCert Support Portal Compromise — 60 Fraudulent EV Code-Signing Certificates, 11 Used to Sign Malware. DigiCert, one of the world's largest certificate authorities, confirmed on 2026-05-04 that a targeted social-engineering attack on its internal support portal resulted in the fraudulent generation of 60 Extended Validation code-signing certificates (Help Net Security, 2026-05-04; SecurityWeek, 2026-05-04). Beginning 2026-04-02, an attacker repeatedly submitted a malicious Windows screensaver executable (.scr) via DigiCert's Salesforce-based customer-support chat; two analyst endpoints were infected, with the second going undetected for approximately twelve days due to absent or degraded endpoint-protection coverage on that system. The attacker used portal access to obtain certificate initialization codes and generated 60 EV code-signing certificates across multiple customer accounts; DigiCert confirmed 27 were directly attacker-linked. A community member subsequently identified that 11 of the 60 certificates were used to sign the Zhong Stealer malware family, linked to Chinese e-crime activity targeting cryptocurrency assets. All 60 certificates have been revoked; DigiCert has mandated MFA on support portal access and restricted file-upload functionality. Defender takeaway: Software updated via EV-signed packages between 2026-04-02 and 2026-05-04 where the signer is DigiCert-backed warrants validation against the revoked certificate list; organisations should audit whether EDR coverage on support and analyst systems meets the same bar as production endpoints.

Instructure (Canvas LMS) — Data Breach Affecting Global Education Institutions Including Possible EU Scope. Instructure, operator of the Canvas learning management system, confirmed on 2026-05-03/04 that names, email addresses, student ID numbers, and user-to-user messages were accessed in a cybersecurity incident (BleepingComputer, 2026-05-04; TechCrunch, 2026-05-05; SecurityWeek, 2026-05-04). Instructure detected disruptions to API-dependent tools on approximately 2026-04-30 and responded by revoking privileged credentials and access tokens. Passwords, financial data, and government IDs were not affected per company disclosure. The ShinyHunters threat group claimed responsibility and alleged 275 million individuals across approximately 9,000 institutions were affected, including EU and Asia-Pacific institutions; Instructure has confirmed the data categories but not the attacker's scale figure. Canvas is widely deployed at European universities and public-sector vocational training institutions. Defender takeaway: SaaS platform API key management and OAuth token grants are a critical and often under-monitored attack surface; organisations relying on third-party LMS or SaaS platforms should audit token grants and verify that credential-revocation playbooks can execute within hours of detection.

Trellix — Source Code Repository Breach; Product Integrity Impact Unknown. Trellix, a major endpoint security and XDR vendor serving enterprise and government customers globally, confirmed on 2026-05-04 that an unauthorised party accessed a portion of its internal source code repository (BleepingComputer, 2026-05-04; The Hacker News, 2026-05-04). The company engaged external forensic specialists and notified law enforcement. Trellix stated no evidence was found that its product code-release or distribution pipeline was affected, and no evidence the accessed code was exploited or altered; the initial access vector, duration of access, scope of repositories affected, and customer data impact have not been disclosed. Defender takeaway: Organisations running Trellix endpoint or XDR products should monitor for anomalous agent behaviour or unexpected software update signatures and maintain elevated scrutiny on any Trellix software updates until the forensic investigation concludes publicly — the supply-chain integrity question remains unresolved.

ADT Inc. — Cloud Environment Breach: Customer PII Accessed (SEC 8-K Filed 2026-04-24). ADT Inc. (NYSE: ADT), a major US home security and monitoring company, disclosed via SEC Form 8-K on 2026-04-24 that it detected unauthorised access to certain cloud-based environments on 2026-04-20 (ADT Newsroom, 2026-04-24; SEC 8-K filing, 2026-04-24). Compromised data includes names, phone numbers, and addresses from a limited set of customer and prospective-customer data; a small percentage of records also included dates of birth and last four digits of Social Security numbers or Tax IDs. Payment data, bank accounts, and customer security systems were not affected. The ShinyHunters threat actor claimed the initial access vector was a vishing (voice-phishing) attack targeting an employee's Okta SSO account, followed by Salesforce data exfiltration — ADT has not officially confirmed this vector. Defender takeaway: Telephone-targeted SSO account compromise followed by CRM data exfiltration is a recurring pattern with direct EU applicability; organisations should enforce phishing-resistant MFA (FIDO2) on identity providers and CRM platforms, and conduct regular vishing-awareness exercises.

Mediaworks Kft (Hungary) — Data-Theft Extortion Claim Confirmed by Company; 8.5 TB Alleged [EU Nexus]. The World Leaks cyber-extortion group — which rebranded in early 2025 from Hunters International and shifted to data theft without ransomware encryption — claimed responsibility for a breach of Mediaworks Kft, a large Hungarian media conglomerate, with the company confirming the incident on 2026-05-04 (The Record, 2026-05-04; Security Boulevard, 2026-05-04). World Leaks claims approximately 8.5 TB of exfiltrated data including payroll records, contracts, financial statements, and internal editorial communications; Mediaworks confirmed "a significant amount of illegally obtained data may have come into the possession of unauthorized persons." No specific technical vector has been disclosed. As a Hungarian EU-member entity, Mediaworks is subject to GDPR breach-notification obligations; no regulatory notification had been publicly announced as of the reporting window. Defender takeaway: Data-theft-only extortion groups defeat backup-centric ransomware defences; effective detection requires egress monitoring and data-loss-prevention tooling capable of alerting on large-volume exfiltration before the attacker goes public.

4. Research & Investigative Reporting

From Sub-agent 3.

ANNUAL REPORT — Europol Internet Organised Crime Threat Assessment (IOCTA) 2026. Europol published its annual IOCTA on 2026-04-28 — the authoritative EU-level reference document for organised cybercrime trends, directly informing Europol's operational priorities and EU member-state law-enforcement resourcing (Europol / European Commission Migration and Home Affairs, 2026-04-28) [SINGLE-SOURCE-NATIONAL-CERT]. The 2026 edition's central thesis is that encryption technologies, proxy/anonymisation infrastructure, and generative AI are jointly lowering barriers and expanding the operational reach of criminal actors across four domains: cybercrime enablers (dark-web infrastructure, cryptocurrency laundering, privacy coins), online fraud (GenAI-customised social engineering at scale), cyber attacks (ransomware with increasing data-exfiltration emphasis over encryption), and online child sexual exploitation. The strategic emphasis for EU public-sector defenders is the report's explicit identification of the "increasing interweaving of state-sponsored hybrid threats with criminal actors" as a defining strategic risk — a convergence theme directly visible in this brief's incidents (ShinyHunters targeting government identity agencies; World Leaks targeting politically significant EU media entities). Public institutions, major technology companies, and EU citizens' personal data are identified as primary risk targets. Published 2026-04-28, eight days before this brief — outside the standard 72-hour recency window; included as first coverage. See § 7. Not to be re-summarised in subsequent briefs; specific findings may be cited as context.

China-Nexus UAT-8302 Conducts Long-Term Government Espionage in South America and Southeastern Europe. Cisco Talos published a detailed disclosure of UAT-8302 on 2026-05-05, a China-nexus APT assessed with high confidence to be conducting long-term access operations against government entities — in South American government networks since at least late 2024 and in southeastern European government agencies in 2025 (Cisco Talos, 2026-05-05; The Hacker News, 2026-05-05). Post-compromise activity includes network reconnaissance using the open-source gogo scanner, credential extraction with Impacket, lateral movement, and persistent access via an extensive overlapping toolset: NetDraft/NosyDoor (.NET FINALDRAFT variant), CloudSorcerer v3.0, SNOWLIGHT/SNOWRUST (Rust-based VShell stager), Deed RAT/Snappybee (ShadowPad successor), Zingdoor, Draculoader (delivering Crowdoor and HemiGate), Stowaway proxy, and SoftEther VPN. Tooling overlaps link UAT-8302 to multiple Chinese APT clusters — Ink Dragon, Earth Alux, Jewelbug, REF7707, LongNosedGoblin, and Erudite Mogwai/Space Pirates — suggesting a shared digital-quartermaster infrastructure model among Chinese state-adjacent actors. Southeastern European government victims place this campaign within direct EU relevance. No specific initial-access CVEs are disclosed in the public reporting.

ScarCruft / APT37 Deploys BirdCall via Gaming Platform Supply-Chain Attack — First Documented Android Instance. ESET Research published on 2026-05-05 a detailed investigation into a supply-chain attack conducted by North Korea-aligned ScarCruft (APT37/Reaper) that trojanized both Android and Windows distributions of a Chinese gaming platform popular with ethnic Koreans in China's Yanbian border region (ESET WeLiveSecurity, 2026-05-05; The Hacker News, 2026-05-05; BleepingComputer, 2026-05-05). On Android, game packages were repackaged to inject BirdCall — the first documented Android instance of this malware family — collecting contacts, SMS, call logs, media files, documents, and ambient audio recordings (restricted to 19:00–22:00 local time). On Windows, a mono.dll library in the update mechanism delivered RokRAT, which deployed the Windows BirdCall variant. Both variants use legitimate cloud-storage services (Zoho WorkDrive, pCloud, Yandex Disk) as C2 channels, blending malicious traffic with normal cloud activity. The primary victims are ethnic Korean refugees and defectors in Yanbian — a diaspora population of high intelligence interest to Pyongyang. While no EU victims were identified, the supply-chain methodology, multi-platform implant design, and C2-via-cloud-storage evasion are directly instructive for defenders assessing their own software supply-chain exposure and cloud-service traffic monitoring.

TeamPCP "Mini Shai-Hulud" — SAP npm Supply-Chain Worm with AI Coding Agent Propagation Vector. The TeamPCP threat actor published malicious versions of four SAP Cloud Application Programming Model (CAP) npm packages on 2026-04-29, injecting preinstall scripts that harvest credentials for GitHub, npm, AWS, GCP, and Azure from developer environments and CI/CD pipelines (SANS ISC Diary, 2026-05-04; Sophos X-Ops; Check Point Research, 2026-05-04). Stolen credentials are exfiltrated by creating a public GitHub repository on the victim's own account — using victim infrastructure against itself. The worm component allows republication into additional packages accessible with any stolen npm token. Notably, the campaign injects malicious hooks via .claude/settings.json (Claude Code SessionStart hooks) and .vscode/tasks.json (VSCode task runners), making this one of the first documented supply-chain attacks to weaponise AI coding agent configurations as a propagation vector. Approximately 1,800 GitHub repositories were observed compromised within hours of initial publication. SAP CAP is widely deployed in European public-sector digitalisation and digital-transformation projects; cloud credential harvesting from CI/CD pipelines in these environments creates downstream risk for government cloud tenancies. A related VECT 2.0 ransomware from the same actor contains a critical encryption flaw that renders it a data wiper for files above 128 KB rather than a recoverable encryptor.

[SINGLE-SOURCE] Microsoft Code-of-Conduct AiTM Phishing Bypasses MFA Across 13,000+ Organisations. Microsoft documented a large-scale adversary-in-the-middle (AiTM) phishing campaign targeting more than 35,000 users across over 13,000 organisations, primarily observed 2026-04-14 to 2026-04-16 (Microsoft Threat Intelligence, 2026-05-04) [SINGLE-SOURCE-OTHER]. The attack chain begins with a PDF attachment impersonating an internal code-of-conduct compliance notice, progressing through a Cloudflare CAPTCHA, an intermediate credential-harvesting page, an image-selection challenge, and finally a proxied Microsoft sign-in page that captures live session tokens — bypassing MFA by stealing authenticated tokens rather than credentials. The campaign abused legitimate email delivery services to pass sender-reputation checks. No actor attribution was provided. Targeted sectors included healthcare, financial services, and professional services; cross-border enterprise mail flows create inherent European exposure for multinational organisations.

[SINGLE-SOURCE] Microsoft Edge Stores Browser-Managed Passwords in Plaintext in Process Memory. A security researcher documented a finding that Microsoft Edge stores all browser-managed passwords in plaintext within process memory, enabling extraction by any local process capable of creating a memory dump using basic string-search tooling (SANS ISC Diary, 2026-05-04) [SINGLE-SOURCE-OTHER]. Microsoft reportedly characterises this as intended design, creating a gap between the apparent security of biometric unlock prompts for the password manager and the actual storage model. While requiring local access, this is a significant post-exploitation capability: any code execution on a Windows endpoint running Edge — whether via malware, a compromised extension, or a hijacked user session — trivially extracts all stored passwords without cryptographic decryption. Edge is commonly deployed as the mandated default browser in government environments, where privileged accounts with browser-stored credentials represent a significant latent exposure.

5. Deep Dive — CVE-2026-31431 "Copy Fail": Deterministic Linux Kernel Local Privilege Escalation

Incident Narrative

CVE-2026-31431, named "Copy Fail" by Ubuntu security researchers, is a local privilege escalation vulnerability in the Linux kernel first disclosed on approximately 2026-04-29/30, with CERT-EU issuing Advisory 2026-005 on 2026-04-30 specifically for EU institution and member-state defenders (CERT-EU Advisory 2026-005, 2026-04-30). CISA confirmed active exploitation and added the vulnerability to the Known Exploited Vulnerabilities catalog on 2026-05-01 with a federal remediation deadline of 2026-05-15 (The Hacker News, 2026-05-01). BSI Germany updated its advisory on 2026-05-04 confirming in-the-wild exploitation is ongoing (BSI CERT-Bund WID-SEC-2026-1232, updated 2026-05-04).

Root Cause and Mechanism

The vulnerability results from an unintended interaction between three separate Linux kernel changes made in 2011, 2015, and 2017, related to the AF_ALG (Application-Layer Generic) socket interface for the kernel cryptographic API and the splice() system call (Unit 42, 2026-05-05). Specifically, a 2017 performance optimisation in the algif_aead (Authenticated Encryption with Associated Data) module introduced a logic defect in how the kernel manages memory ownership during splice() operations on AF_ALG sockets.

An unprivileged process can exploit this defect to perform a controlled, deterministic 4-byte write into the kernel's page cache — the in-memory representation of any file readable by the attacker — without triggering copy-on-write semantics (Microsoft Security Blog, 2026-05-01). The page cache is the kernel's primary mechanism for caching file content in RAM; when an executable is loaded, the kernel reads it from the page cache. Modifications to the page cache affect what the kernel presents when the file is read or executed — without modifying the on-disk copy of the file. By targeting setuid-root executables such as /usr/bin/su, /usr/bin/sudo, or /usr/bin/passwd, an attacker can inject attacker-controlled bytes that execute with root privileges the next time the binary is invoked.

Why This Defeats File Integrity Monitoring

Conventional file integrity monitoring tools — AIDE, Tripwire, auditd file-watch rules (-w /usr/bin/sudo -p rwxa), and IMA/EVM-based boot attestation — compare on-disk file checksums or extended attributes. Because CVE-2026-31431 modifies only the kernel page cache and not the on-disk content, these controls produce no detection signal for this attack (Ubuntu, 2026-05-01). A setuid binary can be modified and exploited without any detectable change to the on-disk inode, mtime, or cryptographic hash.

Exploitation Characteristics

The exploit is deterministic — it requires no timing windows, no kernel address space layout randomisation bypasses, and no kernel-version-specific offsets (Unit 42, 2026-05-05). A public implementation exists as a 732-byte Python script using only the standard library. Go and Rust reimplementations have appeared in public code repositories. All mainstream Linux distributions shipping kernels between version 4.14 (2017) and 6.19.11 are affected, including Ubuntu 20.04–24.04, RHEL 8/9/10, Amazon Linux 2023, SUSE 16, Debian, and Fedora (Red Hat RHSB-2026-02).

Container Risk

Docker, LXC, and Kubernetes container runtimes grant container processes access to the AF_ALG subsystem when the algif_aead kernel module is loaded — which is the default on most distributions. A container process exploiting CVE-2026-31431 can modify page-cached setuid binaries on the host kernel, enabling container-to-host privilege escalation. Multi-tenant Kubernetes clusters and shared CI/CD runners where untrusted code may execute represent compounded risk surfaces (CERT-EU Advisory 2026-005).

ATT&CK Technique Mapping

  • T1068 — Exploitation for Privilege Escalation: Core exploitation path — an unprivileged process leverages a kernel vulnerability to obtain root access. Detection focus: process ancestry anomalies where a low-privileged process spawns a shell or root-privileged child following AF_ALG socket activity.
  • T1548.001 — Abuse Elevation Control Mechanism: Setuid and Setgid: The attacker targets setuid-root binaries to obtain elevated execution context. Detection focus: unexpected execution of setuid binaries (su, sudo, passwd) from atypical parent processes; audit execve events for setuid binaries originating from non-interactive shell sessions.
  • T1055 — Process Injection (adjacent): The page-cache modification is functionally analogous to code injection — attacker-controlled bytes are placed into the kernel's execution buffer for a trusted binary. Standard process-injection detection techniques (memory scanning, binary hollowing detection) do not cover this kernel-layer technique.

Detection Concepts

Defenders should consult Unit 42's detection guidance and CERT-EU Advisory 2026-005 for current detection recommendations. Key conceptual targets:

  1. Kernel module load auditing: Alert on loading of algif_aead and related AF_ALG modules by processes other than kernel init. auditd can generate events on init_module and finit_module system calls; unexpected module loads at runtime are suspicious.
  2. AF_ALG socket creation in container namespaces: EDR or eBPF-based monitoring should flag AF_ALG socket creation (socket(AF_ALG, ...)) originating from container network namespaces — this is atypical for standard containerised workloads and highly suspicious in any environment where algif_aead has not been explicitly permitted.
  3. Setuid binary execution from unexpected parent processes: Behavioural rules on execve of /usr/bin/su, /usr/bin/sudo, /usr/bin/passwd from parent processes without a matching interactive terminal or pam stack are a post-exploitation signal.
  4. On-disk FIM is insufficient: Teams relying solely on file-integrity monitoring for setuid binaries should understand this provides no detection signal for this specific attack. Supplement with runtime behavioural detection.

Hardening and Mitigation

Per CERT-EU Advisory 2026-005, Ubuntu, and Red Hat RHSB-2026-02:

  1. Apply kernel patches. Patched upstream versions: 6.18.22, 6.19.12, 7.0. Distribution packages are being released; check your distribution's security advisory feed for the relevant kernel package version and plan a coordinated patch-and-reboot cycle.
  1. Interim mitigation — blacklist algif_aead: Create a modprobe drop-in to prevent the module from loading, then update the initramfs and reboot. Test that no critical services require algif_aead before deploying at scale. This interim mitigation blocks the exploit but does not address the underlying kernel bug — patching remains the definitive fix.
  1. Container hardening — seccomp: Apply seccomp profiles that block AF_ALG socket creation for containerised workloads that do not require kernel cryptographic API access. In Kubernetes, enforce Pod Security Standards restricted profile or a custom seccomp profile that denies AF_ALG socket creation. Consider this a layered control rather than a replacement for kernel patching.
  1. CISA KEV federal deadline: 2026-05-15. Swiss and European public-sector organisations should treat this deadline as a target regardless of formal applicability — it reflects the urgency of active exploitation.

6. Updates to Prior Coverage

No updates this run. This is the first brief in the series; no prior coverage exists to update.

7. Verification Notes

Items verified multi-source: CVE-2026-31431 (CERT-EU, Microsoft, Unit 42, Ubuntu, BSI, THN); CVE-2026-4670/5174 (Help Net Security, THN, CERT-FR, NVD); CVE-2026-41940 (watchTowr, Rapid7, CyberScoop, Help Net Security, Shadowserver telemetry); CVE-2026-23918 (THN, CERT-FR); CVE-2026-32305 (NVD, CERT-FR); ScarCruft/BirdCall (ESET, THN, BleepingComputer); UAT-8302 (Cisco Talos, THN); TeamPCP SAP npm worm (SANS ISC, Sophos X-Ops, Check Point); DigiCert support portal (Help Net Security, SecurityWeek); Instructure (BleepingComputer, TechCrunch, SecurityWeek); Trellix (BleepingComputer, THN); ADT (ADT newsroom, SEC 8-K); Mediaworks Hungary (The Record, Security Boulevard, company statement); Germany .de DNSSEC outage (IP.network, SecurityWeek, heise Security).

Items marked [SINGLE-SOURCE-NATIONAL-CERT]:

  • NCSC Switzerland "Double Phishing" advisory (§ 2) — single source: NCSC Switzerland Im Fokus, 2026-05-05.
  • CERT-FR batch advisories (§ 2) — single source per advisory: ANSSI/CERT-FR cert.ssi.gouv.fr; CVE identifiers for PaperCut, Thunderbird, QNAP, VMware Tanzu, and Android advisories were not retrieved in this run — administrators must consult the CERT-FR advisories directly for full CVE listings.
  • Europol IOCTA 2026 (§ 4) — single source: Europol / EC Migration & Home Affairs, 2026-04-28.

Items marked [SINGLE-SOURCE-OTHER]:

  • Microsoft AiTM "Code of Conduct" phishing campaign (§ 4) — single source: Microsoft Threat Intelligence blog, 2026-05-04. No independent corroboration retrieved.
  • Microsoft Edge cleartext passwords (§ 4) — single source: SANS ISC Diary, 2026-05-04. No independent corroboration retrieved.

Items dropped:

  • Fiserv / Everest group: Everest ransomware group listed Fiserv on its leak site approximately 2026-05-03. Fiserv has issued no public statement. Dropped per Prime Directive 6 (ransomware leak-site claim without victim confirmation or HIGH-reliability journalism corroboration).
  • Medtronic / ShinyHunters: ShinyHunters claimed a Medtronic breach (alleged 9 million records) on 2026-05-04. Medtronic has issued no public statement. Dropped pending victim confirmation.

Unconfirmed vector noted: ADT breach vector (vishing attack on Okta SSO account, followed by Salesforce exfiltration) was claimed by the ShinyHunters threat actor. ADT's official disclosures do not confirm this vector. Reported in § 3 with clear attribution to the attacker's claim.

Recency window notes:

  • Europol IOCTA 2026 (§ 4) was published 2026-04-28 — eight days before this brief, outside the standard 72-hour recency window (and outside an extended 72-hour window for actively developing items). Included as first coverage for this brief series given its high relevance to the EU public-sector audience; will not be re-summarised in subsequent briefs per Prime Directive 9.
  • France ANTS breach: primary breach event (detected 2026-04-13, citizen notification 2026-04-22) falls outside the 72-hour window. Included because the suspect detention (2026-04-25) was widely reported as a material new development during this reporting window (coverage 2026-05-04), and this is a high-relevance ongoing story at a peer EU government identity registry.
  • CVE-2026-31431 CERT-EU advisory was published 2026-04-30 (outside 72h); the BSI Germany advisory update on 2026-05-04 and the CISA KEV listing with a 2026-05-15 deadline confirm this as an actively developing item within the window.

Source failures (consecutive_failures incremented in sources.json):

  • CISA.gov (cisa-kev, cisa-advisories, cisa-news, cisa-directives): HTTP 403 on direct fetches. KEV and advisory data obtained via corroborating secondary sources.
  • inside-it.ch: HTTP 403.
  • CSIRT Italia / csirt-acn-it: HTTP 403.
  • PRODAFT / prodaft: HTTP 403.
  • UK ICO / ico-uk: HTTP 403. UK ICO breach notifications not covered in this run.
  • Cisco Talos / talos: HTTP 403 on direct fetch; UAT-8302 content obtained via The Hacker News corroboration.

Sources with no qualifying items in the reporting window (fetched, no failures): NCSC UK, CERT Polska, Tenable Research, Rapid7 (no new in-window posts beyond cPanel ETR), watchTowr Labs (no new in-window posts beyond cPanel), ZDI, VulnCheck, GreyNoise, Shadowserver (telemetry used via secondary reporting), Volexity, The DFIR Report, Krebs on Security, Sekoia.io, Citizen Lab, CNIL France, EDPB.

Coverage gaps: CCN-CERT Spain (not fetched, sub-agent budget limit); GovCERT.ch advisory archive (navigation page only); CERT.at and GovCERT Austria (navigation pages only, no dated advisory content returned); NCC Group Research, WithSecure Labs, Dragos, SANS ICS, Cloudflare Cloudforce One, Akamai SIRT, Elastic Security Labs, Group-IB, Secureworks CTU, Red Canary, Huntress, Sygnia — not fetched in this run.