CTI Daily Brief — 2026-05-21

Webworm (China-aligned) shifts to EU government targets — EchoCreep (Discord C2) and GraphWorm (Microsoft Graph / OneDrive C2) backdoors documented by ESET, with Belgian, Italian, Serbian, Polish and Spanish governmental victims

ESET Research published a technical analysis on 2026-05-20 of Webworm — also tracked as FishMonger / Aquatic Panda / SixLittleMonkeys / Space Pirates — documenting a 2025 campaign pivot to European governmental organisations in Belgium, Italy, Serbia and Poland, plus a South African university; the group has abandoned its prior primary backdoors (Trochilus RAT, McRat / 9002 RAT) in favour of two new custom implants — EchoCreep (which ESET describes as written in Go) and GraphWorm (ESET WeLiveSecurity, 2026-05-20). EchoCreep uses Discord as a bidirectional C2 channel, encoding commands with base64 + AES-CBC-128; it creates per-victim Discord channels named after the victim IP (or IP+hostname), supports file upload/download and cmd.exe command execution, and ESET recovered 433 decrypted Discord messages dating back to 2024-03-21 from four unique victim channels (T1102.002 Web Service: Bidirectional Communication, T1059.003 Windows Command Shell). GraphWorm is more capable: an implant (implementation language not stated in the ESET write-up) that authenticates against the Microsoft Graph API and uses per-victim OneDrive directories for C2, with /createUploadSession for large-file exfiltration and AES-256-CBC + base64 encoding on uploaded data (T1102.002, T1071.001 Application Layer Protocol — Web Protocols); it persists at logon and spawns cmd.exe sessions under the implant's process context. The custom proxy toolkit added in 2025 includes WormFrp (a modified frp that pulls its config from a compromised AWS S3 bucket wamanharipethe.s3.ap-south-1.amazonaws.com), ChainWorm (multi-hop chaining), SmuxProxy, and WormSocket (socket.io-based proxy); a SharpSecretsdump Impacket-look-alike credential dumper was uploaded to the same S3 bucket in October 2025 (T1003.001 OS Credential Dumping: LSASS Memory) (ESET, 2026-05-20; The Hacker News, 2026-05-20). Files exfiltrated from victims and staged in the S3 bucket included virtual-machine snapshots from an Italian governmental entity and an mRemoteNG connection-configuration file plus a Microsoft Visio infrastructure diagram from a Spanish governmental entity — both documents that materially aid follow-on intrusion. Initial-access tradecraft documented against Serbian targets used CVE-2017-7692 (SquirrelMail post-auth RCE), implying credential theft preceded webmail exploitation. Why it matters to us: the cloud-API C2 design (Discord, Microsoft Graph) blends with legitimate enterprise traffic and defeats domain / URL block-lists. Detection concept — alert on Sysmon EID 3 outbound HTTPS to discord.com/api/* or graph.microsoft.com from process trees whose parent is not the expected first-party application (Discord.exe, Teams.exe, OneDrive.exe, Office); correlate Graph API non-interactive sign-ins in Entra ID for app registrations with no enterprise approval path; flag cmd.exe spawned by long-running services with no interactive user context. Hardening — Conditional Access for the Microsoft Graph application restricting non-managed device sign-ins; block socket.io and Discord WebSocket outbound at the SWG for server workloads that have no business reason; force first-party-only WebSocket egress on government-segment workstations.

SonicWall Gen6 SSL-VPN incomplete-patching (CVE-2024-12802) — Akira-linked actors brute-force MFA via UPN/SAM account-name split, February–March 2026 intrusions

Threat actors whose TTPs are consistent with Akira ransomware activity successfully bypassed MFA on SonicWall Gen6 SSL-VPN appliances running officially-patched firmware between February and March 2026; SonicWall and incident-response vendors confirm the root cause is that the firmware update for CVE-2024-12802 (CVSS 9.1, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) does not by itself enforce MFA on both User Principal Name (user@domain) and SAM-account-name (DOMAIN\user) login formats — six additional manual LDAP-reconfiguration steps from SonicWall KB kA1VN0000000RBd0AM are required (Cybersecurity Dive, 2026-05-20; BleepingComputer, 2026-05-20). Attackers brute-forced credentials against the UPN login path — which accepts authentication without triggering MFA challenges when the LDAP reconfiguration is incomplete — at speed and without producing the standard authentication alerts; per BleepingComputer's reporting, intrusion responders observed sessions of 30 to 60 minutes during which attackers logged in, performed network reconnaissance, tested credential reuse on internal systems and logged out. Gen6 SSL-VPN reached end-of-life on 2026-04-16 and receives no further security updates; Gen7 and Gen8 are remediated by firmware update alone. Why it matters to us: the technique is a textbook example of why CVSS / vendor-advised patch status is insufficient operational signal — the appliance shows patched-firmware version, MFA appears enabled in the admin UI, and authentications succeed against an alternative account-name format that bypasses the policy enforcement entirely. Detection concept — SonicWall Gen6 SSL-VPN syslog filter for successful SSL-VPN authentications where the login field is UPN-format rather than SAM-format, especially from source IPs with high authentication-attempt volume; correlate with short-duration recon-and-credential-reuse sessions consistent with the 30-to-60-minute pattern BleepingComputer documents. Hardening — complete every step in SonicWall KB kA1VN0000000RBd0AM; given Gen6 EoL, migrate to Gen7/Gen8 on a defined cut-over timeline.

B1ack's Stash carding marketplace publicly releases 4.6M card records — SOCRadar attributes collection to e-skimming and phishing; not confirmed by issuing banks

The dark-web carding marketplace B1ack's Stash — operational since at least 2023, with prior free-release waves of 1M cards in April 2024 and 4M in February 2025 — announced the free release of approximately 4.6 million stolen credit and debit card records on 2026-05-18 as a punitive action against vendors that cross-listed cards on competing shops (SOCRadar, 2026-05-18; Security Affairs, 2026-05-20). Each record carries the full primary account number, expiration date, CVV2, cardholder name, billing address, email, phone number and source IP — sufficient detail for card-not-present (CNP) fraud. SOCRadar's analysis estimates ~4.3 million records are net-new after de-duplication and expired-card filtering; geographic distribution is approximately 70 % US-issued, with Canada, UK, France, Malaysia, Hong Kong, Singapore and Thailand as secondary sources. SOCRadar attributes the collection methodology to e-skimming and phishing based on capture completeness. This is a dark-web marketplace claim — B1ack's Stash listed the dump for free, but no individual issuing bank has confirmed that specific cards originated from their systems. Defender takeaway: Swiss and European card-fraud teams should query their compromise feeds (FS-ISAC, card-network compromise files) for matching BIN ranges and review e-skimming exposure on legacy WooCommerce / Magento storefronts in the customer-facing estate; the consistent collection-method finding across multiple B1ack's Stash waves points at front-end JavaScript skimmer infections as the upstream root cause that still goes undetected in many low-volume merchant configurations.

CVE-2026-42822 — Microsoft Azure Local Disconnected Operations (ALDO): CVSS 10.0 unauthenticated network elevation-of-privilege, "Exploitation More Likely"

Microsoft assigned CVE-2026-42822 (CVSS 3.1 = 10.0, CWE-287 Improper Authentication, vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) to an authentication-bypass flaw in Azure Local Disconnected Operations (ALDO) — Microsoft's solution for running Azure services in air-gapped or partially-disconnected infrastructure environments — that allows an unauthorised network attacker to elevate privileges over a network with no credentials and no prior foothold (Microsoft MSRC, 2026-05-18). MSRC rates "Exploitation More Likely"; no in-the-wild exploitation observed and no public PoC at advisory release. Cloud-managed Azure customers using Microsoft-operated Resource Manager environments are already protected — only manually-operated air-gapped Azure Local stacks need action. Remediation requires upgrading ALDO to version 2604 or later via the standard ALDO update channel. Defender takeaway: EU public-sector operators running Azure Local for data-sovereignty / federal data-residency compliance (a common pattern in Bundesverwaltung and German Bundesbehörden environments) should treat this as a Patch-Tuesday-class emergency on disconnected infrastructure where update cadence is typically slower than cloud-managed Azure. Restrict the ALDO management plane to admin-only OOB subnets until v2604 is installed.

CVE-2026-45829 — ChromaDB Python FastAPI server: pre-auth RCE via embedding-function model loading before auth check (CVSS 4.0 = 10.0; still unpatched in v1.5.9)

HiddenLayer / Hadrian researchers disclosed CVE-2026-45829, a CVSS 4.0 = 10.0 pre-authentication RCE in ChromaDB's Python FastAPI server (affected from v1.0.0) (Hadrian Security, 2026-05-19; BleepingComputer, 2026-05-19). The vulnerable endpoint is POST /api/v2/tenants/{tenant}/databases/{db}/collections: when the request body sets trust_remote_code: true with an attacker-controlled HuggingFace model identifier (or a local path), the server fetches and executes the attacker-supplied Python code before the auth check fires, then politely returns 403 Forbidden after the code has run. The flaw exists only in the Python FastAPI server (chromadb[server] pip package) — the default Rust server (chroma run) does not traverse this code path. Per BleepingComputer's reporting of Shodan queries, approximately 73 % of internet-exposed ChromaDB instances are running a vulnerable version of the software. As of disclosure, ChromaDB v1.5.9 (latest) is unpatched. Mitigations: disable the Python FastAPI server and migrate to the Rust server; alternatively, block network-level access to the ChromaDB API (it should never be internet-exposed in the first place); if internal, set trust_remote_code: false server-wide via config. Detection concept — unexpected outbound network connections from ChromaDB Python server processes; child processes spawned by uvicorn / gunicorn workers with non-default lineage; access logs showing POST /api/v2/.../collections bodies referencing HuggingFace repository slugs with attacker-controlled patterns. T1190 Exploit Public-Facing Application; the impact maps to T1059.006 Python execution under the server context.

Keycloak 26.6.2 — 16 CVEs including OIDC session fixation (CVE-2026-7507), WebAuthn execute-actions token replay (CVE-2026-37982), introspection audience bypass (CVE-2026-37979) and cross-realm IDOR in Authorization Services (CVE-2026-4630)

The Keycloak project shipped 26.6.2 on 2026-05-19, fixing 16 CVEs across identity, authentication and authorisation subsystems; BSI's CERT-Bund issued advisory WID-SEC-2026-1612 on 2026-05-20 classifying the batch as HIGH risk (Keycloak Project, 2026-05-19; BSI CERT-Bund, 2026-05-20). The operationally highest-priority CVEs for public-sector defenders: CVE-2026-7507 — session fixation in the OIDC login flow where a crafted state parameter before user authentication completes enables account takeover (T1078 Valid Accounts, T1556 Modify Authentication Process); CVE-2026-37982 — execute-actions token replay allowing unauthorised WebAuthn / FIDO2 credential enrollment on a victim account after one user interaction (T1098.005 Account Manipulation: Device Registration); CVE-2026-37979 — the OIDC token introspection endpoint /auth/realms/{realm}/protocol/openid-connect/token/introspect does not enforce audience restrictions, leaking claims from lightweight access tokens scoped to one client when presented to any introspection-enabled endpoint; CVE-2026-4630 — cross-resource-server IDOR in the Authorization Services Protection API allowing an authenticated attacker with a token from realm A to read or modify resource permissions in realm B on the same Keycloak instance; CVE-2026-37978 — cross-role PII leakage via the admin /auth/admin/realms/{realm}/clients/{client}/evaluate-scopes endpoint bypassing user-view permissions; CVE-2026-6856 — acceptable-AAGUID policy bypass in WebAuthn packed self-attestation, allowing enrollment of hardware tokens outside the configured policy list. Fix: upgrade to 26.6.2; Red Hat build of Keycloak (RH-SSO / RHBK) 26.2.x is similarly affected via separate RHSA advisories. Defender takeaway: Keycloak is the de-facto standard IAM for EU public-sector and Swiss cantonal / federal identity federation projects, with multiple member-state digital-identity frameworks and national eHealth platforms built on top. Detection concept — admin audit-log entries showing token-introspection responses for mismatched audiences; cross-realm access attempts surfaced as RESOURCE_TYPE: authorization_resource in admin event logs; WebAuthn enrollment events with an AAGUID outside the configured policy list.

CVE Summary Table

PinTheft — Linux kernel local-privilege-escalation primitive (RDS zerocopy double-free + io_uring fixed-buffer page-cache overwrite), PoC public, Arch Linux default-loaded

Aaron Esau (V12 Security) disclosed PinTheft on 2026-05-19 via the oss-security mailing list — a Linux kernel local privilege escalation that chains an RDS (Reliable Datagram Sockets) zerocopy double-free with io_uring fixed-buffer reference manipulation to overwrite the page cache of a SUID-root binary and gain root (oss-security / V12 Security, 2026-05-19; BleepingComputer, 2026-05-20). The bug lives in rds_message_zcopy_from_user() in the RDS send path: a partial page fault mid-scatter causes the error path to drop already-pinned pages while leaving the scatterlist bookkeeping live, so cleanup drops the pages a second time. The exploit registers an anonymous memory page as an io_uring fixed buffer (FOLL_PIN bias of 1024 references), drains all references via 1024 deliberately-failing RDS sends, then reuses the stale io_uring page pointer to overwrite the page cache of a SUID-root binary and redirect execution to attacker shellcode. Prerequisites: RDS kernel module loaded, io_uring enabled, a readable SUID-root binary, x86_64. The RDS module is default-loaded only on Arch Linux — not on Ubuntu, Fedora, Debian, RHEL or SUSE — narrowing the primary defender population to Arch CI/CD runners, developer workstations and AUR-based servers, plus any environment that explicitly modprobe'd rds. Upstream kernel patch landed before disclosure; no CVE assigned at disclosure. Technique class: T1068 Exploitation for Privilege Escalation. Defender detection — auditd syscall events for rds_sendmsg / io_uring_* from unexpected binaries; Sysmon Linux EID 1 with process lineage showing a non-root process spawning a root shell without sudo/su. Hardening: modprobe.d blacklist rds if not in use; sysctl kernel.io_uring_disabled=2 for untrusted workloads; apply upstream kernel patch when distributed via the distro's normal update channel.

UPDATE: Drupal SA-CORE-2026-004 / CVE-2026-9082 ships — "highly critical" pre-auth SQL injection in core database API, PostgreSQL-only

UPDATE (originally covered 2026-05-20): yesterday's brief carried Drupal's PSA pre-warning that a "highly critical" core advisory was scheduled for 2026-05-20; today the SA-CORE-2026-004 advisory landed with CVE-2026-9082 assigned — an anonymous SQL-injection in Drupal core's database abstraction API (CWE-89) rated 20/25 on Drupal's risk scale (Highly Critical) that affects only PostgreSQL-backed installations. Specially-crafted HTTP requests slip past sanitisation in the core DB-API layer and inject arbitrary SQL with no authentication; successful exploitation leads to information disclosure, privilege escalation and — in some database configurations — RCE. The Drupal Security Team explicitly stated that "exploits might be developed within hours or days" of advisory release (Drupal PSA, 2026-05-18).

Affected versions: 8.9.0 through 10.4.10, 10.5.x < 10.5.10, 10.6.x < 10.6.9, 11.0.0 through 11.1.10, 11.2.x < 11.2.12, 11.3.x < 11.3.10. Patched: 10.4.10 / 10.5.10 / 10.6.9 / 11.1.10 / 11.2.12 / 11.3.10 (released 2026-05-20). MySQL / MariaDB / SQLite installations are not affected by this CVE. Drupal 7 is unaffected; sites on EOL Drupal 8/9 majors must apply manual patch files. Drupal Steward WAF subscribers receive vendor-provided rules at advisory release per the service description; non-subscriber sites must apply the core update. NCSC-CH carried the advisory in its Security Hub (NCSC-CH, 2026-05-19; SecurityWeek, 2026-05-19; CSO Online, 2026-05-20).

UPDATE: TeamPCP / Mini Shai-Hulud campaign — GitHub itself breached (~3,800 internal repos via poisoned VS Code extension), Microsoft `durabletask` PyPI worm propagates via AWS SSM and `kubectl exec`, Grafana confirms missed-token-rotation root cause

UPDATE (originally covered 2026-05-13 deep dive; multiple subsequent updates): three new TeamPCP / Mini Shai-Hulud developments landed in this window — GitHub itself, the official Microsoft durabletask PyPI package, and the Grafana Labs root-cause disclosure.

GitHub. GitHub confirmed on 2026-05-20 that TeamPCP (also tracked as UNC6780) accessed approximately 3,800 internal GitHub repositories after a single GitHub employee installed a poisoned Visual Studio Code extension on their device (The Hacker News, 2026-05-20; The Record, 2026-05-20; Infosecurity Magazine, 2026-05-20; Help Net Security, 2026-05-20). GitHub detected and contained the breach on 2026-05-19, isolated the affected endpoint and rotated high-impact secrets; the company states there is no evidence customer data stored outside the internal repositories was accessed. GitHub has not publicly named the malicious VS Code extension or its publisher at this writing. TeamPCP listed the stolen repositories — including GitHub Actions internals, agentic-workflow code, Copilot internal projects, CodeQL tools, Codespaces, Dependabot, and a Rails controller managing organisations and PRs — for sale at $50,000, with LAPSUS$ announcing a joint sale and a $95,000 asking price.

durabletask (PyPI). Wiz Security reported on 2026-05-20 that the TeamPCP / Mini Shai-Hulud worm compromised the official Microsoft durabletask PyPI package via versions 1.4.1, 1.4.2 and 1.4.3 (Wiz, 2026-05-20). The payload is a dropper that fetches rope.pyz from check.git-service[.]com; per Wiz the second stage is a full credential stealer targeting AWS, Azure, GCP, Kubernetes and Vault credentials, 1Password and Bitwarden vaults, filesystem credentials and shell history. Propagation per Wiz: on Kubernetes hosts the worm uses kubectl exec; on AWS EC2 instances it propagates via AWS Systems Manager SendCommand against up to 5 targets per host (T1078.004 Cloud Accounts, T1570 Lateral Tool Transfer).

Grafana Labs. Grafana Labs published the post-mortem of its own TeamPCP breach on 2026-05-19, confirming the root cause was a single GitHub Actions workflow token that slipped through the rotation process after the TanStack npm supply-chain attack (Grafana Labs, 2026-05-19; BleepingComputer, 2026-05-20). Per Grafana's own post-mortem the TanStack compromise was detected on 2026-05-11 (note: BleepingComputer cites 2026-05-01 for the malicious-package consumption event — surfaced as a contradiction in § 7); Grafana rotated the bulk of its GitHub workflow tokens, but the residual unrotated token gave TeamPCP access to clone private source-code repositories (exact count not disclosed in Grafana's post-mortem). Grafana refused the extortion demand on 2026-05-16. The exfiltration scope is confirmed limited to Grafana Labs GitHub repositories (public source code, private source code and internal repos); customer production data was not affected.