CTI Daily Brief — 2026-05-22

Operation Saffron dismantles First VPN — 33+ servers seized, user database captured, Switzerland named JIT participant; Phobos RaaS infrastructure link confirmed

A coordinated international law enforcement action on 2026-05-19–20 took down First VPN, a Russian-language criminal anonymisation service established in 2014 and systematically marketed on cybercrime forums as a no-log, law-enforcement-resistant tool (Eurojust, 2026-05-21). Europol stated the service "appeared in almost every major cybercrime investigation the agency supported" (BleepingComputer, 2026-05-21). Led by French and Dutch investigators through a Eurojust joint investigation team established in November 2023, the operation seized more than 33 servers distributed across 27 countries (server-host count); 16 nations participated through Europol's Joint Cybercrime Action Taskforce; 7 nations sat on the Eurojust-led JIT, including Switzerland, France, Netherlands, Luxembourg, Romania, Ukraine, and the UK — signalling fedpol/GovCERT.ch operational involvement. Law enforcement arrested the administrator in Ukraine, captured the full user database (over 5,000 accounts) and cryptographic connection records, and generated 83 intelligence packages covering 506 users distributed to partner agencies; Help Net Security reporting confirms the captured data links to the Phobos ransomware-as-a-service operation and broader ransomware, fraud, and data theft investigations (Help Net Security, 2026-05-21). The primary domains (1vpns.com, 1vpns.net, 1vpns.org) and associated .onion mirrors were seized. Historical network flows to those domains in proxy or firewall logs now constitute potential investigative leads flowing through Europol sharing channels; Phobos affiliates have repeatedly targeted EU public-sector and healthcare organisations.

Calypso/Red Lamassu (Bronze Medley) deploys Showboat (Linux) and JFMBackdoor (Windows) against telecoms — new implant pair disclosed by Lumen Black Lotus Labs and PwC Threat Intelligence

Lumen's Black Lotus Labs and PwC Threat Intelligence disclosed on 2026-05-21 two purpose-built implants used by the China-aligned espionage cluster Calypso (also tracked as Red Lamassu, Bronze Medley — active since at least mid-2022 based on binary upload and victim telemetry) in a multi-year campaign against telecommunications providers (Lumen Black Lotus Labs, 2026-05-21 · PwC Threat Intelligence, 2026-05-21). Confirmed victims include a Middle East ISP, an Afghanistan ISP, and entities in Azerbaijan, the US, and Ukraine; European telecoms are within the actor's documented targeting pattern. Showboat is a modular ELF binary masquerading as a Linux kernel worker thread (kworker — T1036.005 Masquerade: Match Legitimate Name) providing remote shell (T1059.004), bidirectional file transfer, SOCKS5 proxy to internal network segments (T1090.001 Internal Proxy), and a hide command that fetches a rootkit payload from Pastebin at runtime (T1102.001 Dead Drop Resolver) — the C2 payload is exfiltrated base64-encoded inside PNG image fields to blend with web traffic (Lumen Black Lotus Labs, 2026-05-21). JFMBackdoor, the Windows counterpart, is delivered via DLL sideloading (T1574.002): a batch script drops a legitimate signed executable that loads the malicious DLL, providing remote shell, file operations, SOCKS5 proxy, and self-removal (PwC Threat Intelligence, 2026-05-21). C2 infrastructure clusters to Chengdu, Sichuan-geolocated IP ranges; X.509 certificate SAN/CN patterns link the victim set (Lumen Black Lotus Labs, 2026-05-21). Detection: hunt for kworker ELF processes whose parent is not kthreadd (PID 2) on Linux telecom servers (auditd EXECVE or Sysmon for Linux EID 1 parent-pid check); alert on unsigned DLLs loaded by vendor-signed executables (Sysmon EID 7: signed process, unsigned module); flag egress DNS queries or HTTP GET to pastebin.com from daemon-context processes.

ICO secures £355,880 POCA confiscation against former Markerstudy Insurance employee for off-hours bulk record access and sale [SINGLE-SOURCE]

The UK Information Commissioner's Office announced on 2026-05-21 a £355,880.10 confiscation order at Manchester Crown Court under the Proceeds of Crime Act against Rizwan Manjra, a former Markerstudy Insurance Services Limited employee (ICO, 2026-05-21). Manjra had pleaded guilty in December 2024 under Computer Misuse Act 1990 s.1 after accessing over 32,000 insurance policies on weekends — outside his scheduled hours — and exfiltrating data via mobile phone for onward sale to a third party. The POCA order requires disgorgement of financial benefit; non-payment triggers a 3.5-year default prison term. The enforcement pattern — weekends, anomalously high read volume, exfiltration via mobile rather than corporate network — is the canonical UEBA/behavioural-analytics insider-threat detection profile: any user account generating bulk read activity against insurance, medical, or government record databases outside scheduled shift patterns warrants alert triage (Windows EID 4663 object access on sensitive share / DLP network egress alert on mobile-hotspot NAT patterns). The POCA track running parallel to the GDPR fine channel represents a meaningful escalation in UK enforcement posture applicable to CH/EU insider-threat compliance modelling.

CVE-2026-34926 — Trend Micro Apex One On-Premise: post-auth directory traversal by admin-credential holder injects code deployed fleet-wide to all managed agents (CISA KEV, ITW)

CVE-2026-34926 (CVSS 6.7, CWE-23 Relative Path Traversal) affects Apex One On-Premise server and agent builds below 17079. An authenticated attacker who has already obtained administrative credentials to the Apex One management server traverses the directory structure to modify a key table, injecting malicious code that the management server then distributes to all enrolled agent endpoints via the product's built-in update mechanism — one compromised management console results in fleet-wide code execution on every managed endpoint. The exploitation prerequisite (admin credentials to the Apex One server) does not reduce urgency: CISA added CVE-2026-34926 to KEV on 2026-05-21 following confirmed ITW exploitation, and management server admin accounts are a high-value target for credential theft campaigns. JPCERT/CC confirmed exploitation in the wild on 2026-05-22; CISA added CVE-2026-34926 to KEV on 2026-05-21. Fixed: server and agent build 17079 per Trend Micro KA-0023430. The Apex One as a Service (SaaS) variant is not affected. Until patched, restrict local-network access to the Apex One management console to a dedicated management VLAN; treat the console host as Tier-0 infrastructure given its fleet-wide code distribution capability. Technique: T1574 Hijack Execution Flow via trusted software update path.

CVE-2025-34291 — Langflow AI Workflow Platform: CORS misconfiguration + SameSite=None refresh token enables cross-origin token theft (CISA KEV, ITW, Flodric botnet)

CVE-2025-34291 (CVSS 4.0: 9.4 / CVSS 3.1: 8.8, CWE-942 Overly Permissive CORS) affects Langflow <= 1.6.9. The platform's default CORS policy (allow_origins='*' with allow_credentials=True) combined with the refresh token cookie configured as SameSite=None allows any malicious webpage to perform cross-origin requests with the authenticated victim's credentials, reaching /api/v1/auth/refresh to obtain access tokens and subsequently calling all authenticated endpoints — including Langflow's code-execution functionality. Exploitation requires only victim browser navigation to an attacker-controlled page; no prior access needed (T1190 Exploit Public-Facing Application). First confirmed exploitation: 2026-01-23; Trend Micro documented Flodric botnet deployment through compromised Langflow instances. CISA added CVE-2025-34291 to KEV on 2026-05-21. Fixed: Langflow 1.7.0 (restrictive CORS default) and 1.9.3 (explicit fix). Block internet exposure of Langflow instances; enforce HTTPS-only with explicit CORS allowlists; hunt for anomalous subprocess execution from the Langflow process tree (Sysmon EID 1, parent langflow-backend or uvicorn).

CVE-2026-20223 — Cisco Secure Workload: CVSS 10.0 zero-auth REST API grants Site Admin privileges across all tenants, no workaround

CVE-2026-20223 (CVSS 10.0, AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) is an access validation failure in the internal REST API of Cisco Secure Workload (formerly Tetration), the enterprise micro-segmentation platform (Cisco PSIRT, 2026-05-20). An unauthenticated remote attacker sends a single crafted HTTP request to an internal API endpoint to be granted Site Admin-level privileges — enabling cross-tenant data read, configuration modification, and full visibility over workload segmentation policy across all tenant boundaries. Both SaaS-hosted and on-premises deployments are affected; Cisco silently patched SaaS. On-premises operators must upgrade: 4.0.x → 4.0.3.17; 3.10.x → 3.10.8.3; 3.9 and earlier must migrate (no fix available). No workaround exists. Cisco found no evidence of exploitation at disclosure (2026-05-20); the vulnerability was discovered internally. NCSC-CH flagged this on 2026-05-21. The attack surface is the internal REST API management plane — restrict untrusted network access to the Secure Workload cluster API as the primary compensating control until patching is complete. Technique: T1190 Exploit Public-Facing Application. This is distinct from CVE-2026-20182 (Cisco Catalyst SD-WAN) covered on 2026-05-20.

CVE Summary Table

UPDATE: TeamPCP Mini Shai-Hulud — Unit 42 and StepSecurity confirm SLSA Build Level 3 attestation invalidated as integrity gate

UPDATE (originally covered 2026-05-19, updated 2026-05-21): Unit 42 (Palo Alto Networks) and StepSecurity published concurrent technical analyses on 2026-05-21 of the TeamPCP Mini Shai-Hulud npm supply-chain campaign, establishing the defining novelty of this wave: the first documented case of malicious npm packages carrying valid SLSA Build Level 3 provenance attestations (Unit 42, 2026-05-21). Attackers compromised TanStack's legitimate GitHub Actions CI/CD pipeline's trusted OIDC identity mid-workflow — without stealing developer credentials — making the SLSA attestation genuine while the package payload was malicious. This invalidates "package carries valid provenance attestation" as a sufficient supply-chain integrity gate.

The execution chain runs tanstack_runner.js under the Bun JavaScript runtime, enumerating stored credentials including gh auth token capture (T1552.001 Unsecured Credentials: Credentials In Files); stolen npm tokens and GitHub PATs are used to backdoor every package the victim account can publish (T1650 Acquire Access), making the worm self-propagating across the npm ecosystem. By end of the 2026-05-11 wave, 373 malicious package versions across 169 npm packages and PyPI mirrors were active (Unit 42, 2026-05-21).

Defender actions from this technical update: (a) SLSA attestation verification is now insufficient as a sole gate — add runtime behavioural scanning of npm install scripts alongside provenance checks; (b) Pin GitHub Actions to commit SHAs, not mutable tags, to prevent mid-workflow OIDC identity hijack; (c) If pipelines ran npm publish during 2026-05-11 to 2026-05-12, rotate npm tokens and GitHub PATs and audit owned packages for unauthorised versions; (d) In environments where Bun is not an approved runtime, flag any bun or bun.js process execution from a CI runner context (Sysmon EID 1 process-name filter).

UPDATE: Microsoft Defender CVE-2026-41091 + CVE-2026-45498 — both CVEs confirmed exploited, out-of-band engine update 4.18.26040.7 confirmed as fix

UPDATE (originally covered 2026-05-20): Both Microsoft Defender vulnerabilities confirmed as actively exploited in the wild in a combined out-of-band engine update (The Hacker News, 2026-05-21). CVE-2026-41091 (CVSS 7.8, CWE-59 improper link resolution / link following in MsMpEng.exe) allows an authorized local standard-user to abuse Defender's privileged process's symbolic-link resolution during file-system operations to elevate to NT AUTHORITY\SYSTEM (T1068 Exploitation for Privilege Escalation). CVE-2026-45498 (CVSS 4.0, local DoS) was exploited alongside CVE-2026-41091 in observed attacks. Fixed: CVE-2026-41091 (LPE) requires Defender Antimalware Engine >= 1.1.26040.8; CVE-2026-45498 (DoS) requires Antimalware Platform >= 4.18.26040.7. Verify both via Get-MpComputerStatus | Select AMEngineVersion, AMProductVersion — environments with delayed WSUS/Intune update rings must confirm the engine version, not only the platform version, to confirm the LPE patch is applied. Environments with delayed auto-update channels (WSUS/Intune with manual approval) or air-gapped Defender deployments are at risk. Hunt signal: Sysmon EID 1 for SYSTEM-level process spawns from MsMpEng.exe as parent.

UPDATE: West Pharmaceutical Services — 8-K/A confirms full operational restoration, data investigation ongoing

UPDATE (originally covered 2026-W21): West Pharmaceutical Services (NYSE: WST) filed an 8-K/A amendment under SEC Item 1.05 on 2026-05-20 confirming full operational restoration across all manufacturing, supply chain, and commercial sites globally after the May 4 ransomware intrusion (SEC EDGAR 8-K/A, 2026-05-20). No unauthorized activity observed since 2026-05-05. Data exfiltration scope and threat actor attribution remain under investigation; Palo Alto Networks Unit 42 is conducting the forensic response. The 8-K/A marks formal closure of the containment phase under the SEC's mandatory cyber-incident disclosure cycle; data impact scope will require a further disclosure when the investigation concludes.