CTI Daily Brief — 2026-05-19

ARWINI (Lower Saxony statutory-prescription audit body) — investigators confirm data exfiltration after 4 May intrusion; Kairos ransomware group claims 2.87 TB; ~70,000 GDPR Art. 9 records in scope

Investigators confirmed on 2026-05-18 that the cyberattack on ARWINI — the Arbeitsgemeinschaft Wirtschaftlichkeitsprüfung Niedersachsen e.V., which audits prescription cost-effectiveness for statutory-health-insurance (GKV) patients in Lower Saxony via data exchange with Kassenärztliche Vereinigung Niedersachsen (KVN), AOK and other insurers — resulted in confirmed exfiltration of personal data (Deutsches Ärzteblatt, 2026-05-18; Heise Security, 2026-05-18). Intrusion signs were detected on ARWINI servers on 2026-05-04 and all systems were shut down on the same day; ARWINI's own statement, cited by Borns IT Blog on 2026-05-16, said particularly sensitive personal data (besondere Kategorien — GDPR Art. 9) are likely affected, with health and billing data on ≥70,000 patients in scope (Borns IT Blog, 2026-05-16). The Polizeidirektion Hannover is the investigating authority; the Landesbeauftragter für Datenschutz Niedersachsen (LfD) and BSI have been notified under the GDPR 72-hour rule and the German KRITIS / NIS2UmsuCG framework. Heise reports the Kairos ransomware group has claimed the attack and is threatening to sell approximately 2.87 TB of stolen data on its leak site, with attackers' leak-site claim dated 2026-05-11. The technical pattern is consistent with double-extortion ransomware now in the operator-leak-site phase.

Why it matters to us: GKV bodies and their mandated third-party auditors are NIS2 entities; the supply-chain relationship between KVN/AOK and ARWINI is precisely the data-processor scope hit by NMDL/IGJ in the Netherlands (covered 2026-05-14). Defender pattern: any GKV / AHV / cantonal health-insurance data-exchange counterparty should be inventoried as an in-scope critical-supplier under §8b BSI-Gesetz / NIS2UmsuCG, with breach-notification playbooks rehearsed for the 72-hour GDPR clock from a third party's detection event, not just one's own. Monitor for downstream phishing using GKV billing-data lures targeting affected patient cohorts.

BigBlueButton bbb-web < 3.0.21 / < 3.0.23 — three flaws in EU education and government virtual-classroom platform: weak session-token randomness, API checksum bypass, SSRF

BigBlueButton (BBB) — the de facto open-source virtual classroom platform deployed across German DFN, Swiss SWITCH, and pan-European GÉANT academic networks, including cantonal school deployments — published three GitHub Security Advisories on 2026-05-17 covering distinct flaws in its bbb-web component, all in versions before 3.0.21 (two of three) and 3.0.23 (one). CVE-2026-46351 (CVSS 8.1) is a CWE-330 weakness: the sessionToken is generated with insufficiently random values, letting an authenticated low-privilege attacker who shares or has observed a meeting determine other participants' session tokens and impersonate any conference user (BBB GHSA-7959-pf2v-xc4h, 2026-05-17). CVE-2026-46353 (CVSS 8.1) is a CWE-284 access-control bypass in the presentationUploadExternalUrl endpoint: by supplying specific URL parameters an attacker can bypass checksum validation and send valid API requests to restricted endpoints without proper authentication, with high confidentiality + integrity impact (BBB GHSA-43hc-5g2m-cqff, 2026-05-17). CVE-2026-46404 (CVSS 6.8) is a CWE-918 SSRF in presentation URL validation: insufficient redirect-following checks allow a high-privilege authenticated attacker to reach RFC1918 and link-local (169.254.0.0/16) addresses from the BBB server context (BBB GHSA-xqm3-6q7q-4v5h, 2026-05-17). BSI's WID-SEC-2026-1568 corroborated on 2026-05-18 (BSI WID-SEC-2026-1568, 2026-05-18).

Why it matters to us: BBB is operated at scale by Swiss cantonal Volksschule deployments, German Länder ministries of education and university IT, EU national-research-and-education networks (NRENs). The combination of session-token prediction + checksum bypass would let a low-privilege classroom participant impersonate other students and teachers or send arbitrary authenticated API calls; SSRF on the server gives a presenter-role lateral-movement primitive into RFC1918 networks (KVM hosts, internal LDAP, SIS endpoints). Upgrade bbb-web to ≥ 3.0.21 for the first two CVEs and ≥ 3.0.23 for the SSRF; monitor bbb-web logs for anomalous joins using close-by sessionTokens and for API calls to presentationUploadExternalUrl carrying unexpected URL parameters; alert on egress from the BBB server process to RFC1918 / 169.254/16 ranges. MITRE T1212 (Exploitation for Credential Access) covers the session-token-prediction primitive; the SSRF maps to T1190 (Exploit Public-Facing Application) chained with internal-network reach.

CISA contractor (Nightwing) exposed AWS GovCloud admin keys and internal credentials in public GitHub repo for ~6 months

A Nightwing government contractor used a public GitHub repository named "Private-CISA" as a personal sync mechanism between work and home machines, exposing highly-privileged credentials for CISA / DHS infrastructure from approximately 2025-11-13 to 2026-05-15 — about six months (Krebs on Security, 2026-05-18; Gizmodo, 2026-05-19). GitGuardian researcher Guillaume Valadon surfaced the repository on 2026-05-15. Exposed material included administrative credentials for three Amazon AWS GovCloud accounts, plaintext usernames and passwords (AWS-Workspace-Firefox-Passwords.csv) for dozens of internal CISA systems, SSH keys and cloud tokens, and credentials to CISA's internal Artifactory code-package repository ("LZ-DSO" — Landing Zone DevSecOps). The contractor had deliberately disabled GitHub's default push-protection secret scanning. Independent researcher Philippe Caturegli (Seralys) validated AWS keys against live GovCloud accounts at high privilege and confirmed the keys remained valid for at least 48 hours after the repository was taken down. CISA acknowledged a ~one-third workforce reduction from buyouts and resignations under the Trump administration may have weakened oversight of contractor behaviour.

Why it matters to us: Caturegli identified the Artifactory access as the highest-impact exposure — write access to a national cybersecurity agency's build-package repo would enable backdoor insertion into anything CISA built or deployed (T1195.002 Supply Chain Compromise: Compromise Software Supply Chain). The transferable lesson for EU/CH national CERT operators is independent of US politics: contractors and integrators with write access to NCSC / BSI / ANSSI build pipelines must be subject to organisation-level GitHub push-protection that administrators cannot disable, mandatory short-lived OIDC role assumption (no long-lived AWS keys), Artifactory access-log SIEM integration with off-hours bulk-download anomaly detection, and quarterly secret-scanning sweeps of contractor personal repos under contract. T1552.001 (Credentials In Files) / T1552.004 (Private Keys).

7-Eleven confirms ShinyHunters breach of 600,000+ Salesforce franchise-application records — same campaign as Instructure, Vimeo, Wynn Resorts, Vercel, Medtronic

7-Eleven, Inc. confirmed on 2026-05-18 that an unauthorised third party accessed systems storing franchisee documents on 2026-04-08, in a breach claimed by ShinyHunters on or around 2026-04-17 (SecurityWeek, 2026-05-18; Security Affairs, 2026-05-18). ShinyHunters listed over 600,000 Salesforce CRM records covering personal and corporate data from franchise applications, initially demanding a ransom with a 2026-04-21 deadline and then offering the data for sale at $250,000 on a hacker forum. 7-Eleven filed a Maine Attorney General notification dated 2026-05-01 confirming 24 months of IDX identity-theft protection for affected individuals (Maine AG breach notification, 2026-05-01). The Maine filing lists only 2 Maine residents but the ShinyHunters claim covers 600,000+ records globally. SecurityWeek attributes the broader campaign — Instructure (Canvas), Vimeo, Wynn Resorts (21,000 employees), Vercel and Medtronic among confirmed co-victims — not to Salesforce-product vulnerabilities but to phishing, third-party-integration abuse, and customer-side misconfiguration of Salesforce Connected Apps.

Why it matters to us: ShinyHunters is the same actor that hit Instructure last week, with the broader Salesforce-targeting campaign continuing across sectors. The campaign vector is identity-side rather than Salesforce-product-side — Connected App OAuth grant abuse, phishing of admin sessions, mis-scoped third-party SaaS integrations. EU/CH public-sector and finance tenants using Salesforce for partner / supplier / case-management data should audit Connected App OAuth grants (particularly to third-party AI SaaS integrations), enable Salesforce Event Monitoring with alerts on bulk Report Export events and high-volume SOQL API calls, enforce IP-range / Trusted-IP session policies, and consider Salesforce Shield field-level encryption for PII. T1078.004 (Cloud Accounts), T1530 (Data from Cloud Storage Object), T1567.002 (Exfiltration to Cloud Storage).

INTERPOL Operation Ramz — 13-country MENA cybercrime sweep: 201 arrests, 53 servers seized, Algerian PhaaS server takedown

INTERPOL announced on 2026-05-18 the completion of Operation Ramz — described as the first cyber operation of its scale coordinated by INTERPOL specifically targeting the MENA region — running October 2025 through 2026-02-28 across 13 countries (Algeria, Bahrain, Egypt, Iraq, Jordan, Lebanon, Libya, Morocco, Oman, Palestine, Qatar, Tunisia, UAE) (INTERPOL, 2026-05-18; The Hacker News, 2026-05-18; Help Net Security, 2026-05-18). Outcomes: 201 arrests, 382 further suspects identified, 3,867 victims, 53 servers seized, ~8,000 intelligence data points disseminated. Algerian authorities dismantled a phishing-as-a-service operation, seizing a server, computer and hard drives containing phishing software and scripts. Moroccan police seized devices with banking data and phishing tooling; Omani investigators identified a residential server with active malware infection. Jordanian police rescued 15 human-trafficking victims who had been coerced into running cybercrime operations — the same forced-labour-to-cyber-scam pipeline documented in Southeast Asian fraud compounds. Industry partners: Group-IB, Kaspersky, Shadowserver Foundation, Team Cymru, TrendAI. The operation is partially funded by the EU and Council of Europe under the CyberSouth+ project.

Why it matters to us: MENA-based PhaaS kits routinely target EU banking customers and EU payment rails (SEPA-Inst flagging, IBAN-based phishing lures); the disruption reduces commodity-kit availability and the Shadowserver / Group-IB intelligence shared via the operation will surface in NCSC / BSI / NCSC-CH advisories over the coming weeks. The trafficking-to-scam pipeline confirmed in Jordan is the same operator model EUROPOL has been mapping for fraud-compound disruption.

CVE-2026-42231 / -42232 / -44789 / -44790 / -44791 — n8n self-hosted automation: chained prototype-pollution and injection flaws enabling authenticated-to-RCE plus a Git-node arbitrary file read

n8n published five Critical security advisories on 2026-05-18, two on 2026-05-18 (-42231, -42232) and a follow-on cluster of three (-44789, -44790, -44791) released against later branches (n8n GHSA-q5f4-99jv-pgg5, 2026-05-18; The Hacker News, 2026-05-18). CVE-2026-42231 (CVSS 4.0: 9.4, CWE-1321) is the root cause: a prototype-pollution primitive reachable via crafted XML supplied to the xml2js library used by the n8n webhook handler. Once the global JavaScript object prototype is polluted, the chain pivots into the n8n Git node's SSH operations to achieve RCE on the n8n host by an authenticated user with workflow create / modify permission. CVE-2026-42232 (GHSA-hqr4-h3xv-9m3r, "XML Node Prototype Pollution to RCE") is a companion XML-Node prototype-pollution flaw exercising the same primitive in a second sink. The follow-on advisories: CVE-2026-44789 (GHSA-c8xv-5998-g76h, "HTTP Request Node Pagination Prototype Pollution to RCE"); CVE-2026-44790 (GHSA-57g9-58c2-xjg3, "Arbitrary File Read via Git Node" — a file-read primitive, not the SSH RCE chain); CVE-2026-44791 (GHSA-wrwr-h859-xh2r, "XML Node Prototype Pollution Patch Bypass"). Patched versions split between two branch trains: -42231 and -42232 in n8n 1.123.32 / 2.17.4 / 2.18.1; -44789, -44790 and -44791 in 1.123.43 / 2.20.7 / 2.22.1. No in-the-wild exploitation reported at the time of writing. Inclusion gate: CVSS 9.4 ≥ 9.0 (PD §2 inclusion gate via the CVSS 9.0–10.0 ENISA EUVD threshold).

CVE Summary Table

Symantec / Carbon Black document Fast16 hook engine targeting LS-DYNA/AUTODYN nuclear-simulation codes; Kim Zetter corrects "pre-Stuxnet" framing to contemporaneous-and-simulation-sabotage

Background. Fast16 — a Lua-based sabotage framework — was first disclosed by SentinelOne at LABScon 2026 in April 2026 and originally framed as a Stuxnet predecessor by approximately two years. Earlier reporting also speculated that the malware operated against physical centrifuge equipment. Both framings now appear incorrect on closer expert review.

Broadcom's Symantec and Carbon Black teams published a technical analysis on 2026-05-18 documenting the framework's operating envelope and target selection (Broadcom Security, 2026-05-18; The Hacker News, 2026-05-18). The architecture: a service binary embedding an early Lua 5.0 VM; a boot-start filesystem driver intercepting executable code as it is read from disk; and a rule-driven hook engine rewriting specific instruction sequences inside narrowly targeted simulation applications. The hook engine selectively intercepts execution inside LS-DYNA and AUTODYN — the canonical high-explosive simulation codes used for weapons design — and activates only when the simulated material density exceeds 30 g/cm³, the threshold reachable only under implosion shock-compression conditions relevant to weapons-grade uranium. Kim Zetter's investigative analysis on 2026-05-16 separately corrected the historical framing of the campaign (Kim Zetter / ZERO DAY, 2026-05-16): Fast16 was contemporaneous with Stuxnet, not a predecessor, and was engineered to feed false output to weapons engineers rather than to physically alter nuclear infrastructure. Defender relevance is narrow but specific: Broadcom appears to describe the first publicly-documented use of a filesystem-driver-level instruction-rewriting hook engine to corrupt scientific-simulation output — a sabotage technique class distinct from data exfiltration, ransomware, or DoS. Operators of national-laboratory research-computing environments, defence-related HPC clusters, and reactor-physics-modelling labs should add filesystem-driver-load monitoring (Sysmon EID 6, Windows boot-start driver enumeration) and integrity checking of long-running simulation binaries to their threat models.

UPDATE: TeamPCP / Shai-Hulud — first copycat wave (Phantom Bot + SSH/cloud stealers), Checkmarx Jenkins plugin trojanised again, PCPJack rival worm hits exposed cloud services

UPDATE (originally covered 2026-05-13, 2026-05-15): Three concurrent developments show the TeamPCP / Shai-Hulud campaign has entered an open-source-imitator phase following Datadog Security Labs' 2026-05-13 analysis of the leaked Shai-Hulud worm source code. First, OX Security disclosed on 2026-05-17 four malicious npm packages published by deadcode09284814 — chalk-tempalte, @deadcode09284814/axios-util, axois-utils, and color-style-utils — combined weekly downloads ~3,000 (OX Security, 2026-05-17; The Hacker News, 2026-05-18). chalk-tempalte is a near-unmodified clone of the leaked Shai-Hulud worm with a modified C2 server and a new attacker-controlled key embedded in the code — the two primary sources disagree on whether this is a public or private key (see § 7); axois-utils bundles "Phantom Bot," a Golang HTTP/TCP/UDP/Reset-flood DDoS tool with Windows Startup folder and Linux scheduled-task persistence that survives package removal; the other two harvest SSH keys, cloud-provider credentials (AWS/GCP/Azure), and cryptocurrency wallet data.

Second, SANS ISC synthesised a 2026-05-18 campaign update confirming that Checkmarx officially acknowledged on 2026-05-11 that its Jenkins AST Scanner plugin had been trojanised — version 2026.5.09, compromise window 2026-05-09 01:25 UTC to 2026-05-10 08:47 UTC — making this TeamPCP's third confirmed Checkmarx intrusion in three months (SANS Internet Storm Center, 2026-05-18; Checkmarx, 2026-05-12). Hundreds of Jenkins controllers installed the malicious plugin before removal; remediated builds 2.0.13-848 and 2.0.13-847 are safe. CxSAST on-premise was unaffected; the cloud-integrated checkmarx/ast-github-action, checkmarx/kics-github-action, and VS Code extensions were all trojaned.

Third, SentinelLabs disclosed on 2026-05-07 — also folded into the SANS ISC summary — "PCPJack," a rival cloud worm that scans for exposed Docker, Kubernetes, Redis, MongoDB and RayML services and chains five CVEs (CVE-2025-29927 Next.js middleware auth bypass; CVE-2025-55182 Next.js Server Actions deserialization; CVE-2026-1357 WPVivid arbitrary file upload; CVE-2025-9501 W3 Total Cache RCE; CVE-2025-48703 CentOS Web Panel command injection) for initial access, then explicitly kills TeamPCP processes and removes TeamPCP artefacts before harvesting credentials — assessed by SentinelLabs with moderate confidence as possibly a former TeamPCP affiliate. Defender takeaway for the Swiss/EU public-sector SOC: developer endpoints and CI/CD runners with installed Checkmarx plugin should be audited for plugin versions outside the known-safe SHA range during the 2026-05-09 → 2026-05-10 window; npm audit and SBOM scans should flag the deadcode09284814 author/scope; egress from CI runners to *.lhr.life hostnames is a high-fidelity hunt pivot for the npm worm wave; Docker/Kubernetes/Redis/MongoDB endpoints exposed to the internet should be inventoried and removed from public exposure (PCPJack's scan list). MITRE T1195.002 (Supply Chain Compromise), T1552.001 (Credentials in Files), T1041 (Exfiltration over C2 Channel).

UPDATE: Grafana Labs CoinbaseCartel breach — victim confirms source-code-only theft, no customer data, ransom rejected

UPDATE (originally covered 2026-W21): Grafana Labs issued an official 2026-05-18 confirmation of the GitHub Pwn-Request breach previously reported in the 2026-W21 weekly summary (SecurityWeek, 2026-05-18; BleepingComputer, 2026-05-18; The Register, 2026-05-18). The material new disclosures in the 2026-05-18 confirmation: Grafana explicitly states (a) only source code was accessed — "no personal or customer information was stolen"; (b) the incident has not impacted customer systems or operations; (c) the ransom was refused. The technical-mechanism details (pull_request_target workflow misconfiguration, forked-PR injection of a curl command, harvested write-scoped GitHub token, canary-token detection) were previously reported in the 2026-W21 weekly summary citing THN's earlier coverage (The Hacker News, 2026-05-17); they are repeated here as context for defenders who did not catch the weekly. CoinbaseCartel is assessed by THN as an offshoot of the ShinyHunters / Scattered Spider / LAPSUS$ ecosystem and has accumulated ~170 victims since September 2025.

Defender takeaway: Grafana OSS is the de facto monitoring/observability platform in EU/CH public-sector SOC and NOC environments; defenders should monitor non-official Grafana plugin updates and unsigned Grafana agent builds for the next 30 days as a potential supply-chain trojanisation follow-on. The Pwn-Request attack pattern is the same class of CI/CD misconfiguration covered by SentinelOne's Living off the Pipeline taxonomy (referenced 2026-05-16); audit every pull_request_target workflow to ensure no privileged steps run on untrusted-fork code, set permissions: read-all at workflow level and elevate only as needed, and separate privilege-requiring steps into a second workflow_run workflow gated on merged code. MITRE T1195.002 / T1552.004 / T1567.

UPDATE: Chaotic Eclipse Windows zero-days — MiniPlasma is third PoC in series; cldflt.sys CfAbortHydration path, claimed re-exploitable CVE-2020-17103 regression

UPDATE (originally covered 2026-05-15): Researcher "Chaotic Eclipse" / "Nightmare Eclipse" released a third unpatched Windows LPE PoC on 2026-05-17 — MiniPlasma — extending the YellowKey and GreenPlasma series covered in the 2026-05-15 daily (BleepingComputer, 2026-05-17; The Hacker News, 2026-05-18). The material new technical detail: MiniPlasma targets the cldflt.sys Cloud Filter Mini Filter Driver — specifically the HsmOsBlockPlaceholderAccess routine — and abuses the undocumented CfAbortHydration API to create arbitrary registry keys in the .DEFAULT user hive without proper ACL checks, escalating from standard user to SYSTEM. The flaw was originally reported by Google Project Zero (James Forshaw) in September 2020 and nominally patched in December 2020 as CVE-2020-17103; Chaotic Eclipse asserts the exact same code path remains exploitable on fully-patched Windows 11 with May 2026 cumulative updates applied. Will Dormann independently confirmed the PoC opens a SYSTEM cmd.exe reliably on Windows 11 Pro fully patched. The exploit reportedly fails on the latest Insider Preview Canary builds, suggesting Microsoft has a fix in the pipeline but has not yet released an out-of-band patch. ThreatLocker published two registry-path hunt pivots: \Registry\User\Software\Policies\Microsoft\CloudFiles\BlockedApps* and \Registry\User\.DEFAULT\Volatile Environment*.

Defender takeaway: the proliferation of unpatched LPEs from one researcher signals an extended period of SYSTEM-shell availability for any attacker that lands user-level execution on Windows endpoints. Sysmon EID 13 (RegistryEvent / SetValue) on the .DEFAULT hive from non-SYSTEM processes is the primary hunt pivot; Sysmon EID 6 driver-load monitoring catches related driver-abuse paths. Hardening: BitLocker PIN mitigates the companion YellowKey BitLocker bypass; disabling Cloud Files / OneDrive integration removes the MiniPlasma attack surface but is not practical in most environments. MITRE T1068 (Exploitation for Privilege Escalation).