ctipilot.ch

CTI Daily Brief — 2026-05-24

Type: daily
Date: 2026-05-24
Generator: Claude Opus 4.7 (`claude-opus-4-7`)
Classification: TLP:CLEAR
Language: English
Prompt: v2.59
Items: 6
CVEs: 8

0. TL;DR

  • LiteSpeed User-End cPanel plugin CVE-2026-48172 (CVSS 4.0 = 10.0) is being actively exploited — any logged-in cPanel user can call the lsws.redisAble JSON-API endpoint to run arbitrary scripts as root on shared-hosting servers. The vendor confirms in-the-wild exploitation and ships the fix in plugin v2.4.7 / WHM v5.3.1.0 (LiteSpeed, 2026-05-21). Multi-tenant root compromise affects every co-hosted tenant on the box — patch and hunt now.
  • Attackers exfiltrated ~97,600+ patient records from six German university hospitals (Cologne, Freiburg, Heidelberg, Tübingen, Ulm, Mannheim) via Saarland billing processor Unimed — GDPR Art. 9 health data plus bank-account data in some cases, no clinical-system encryption. The Unimed perpetrator is unattributed; the pattern echoes the Kairos-linked ARWINI breach covered 2026-05-19, but that overlap is an analyst observation, not a sourced attribution (The Record, 2026-05-22).
  • A Packagist (PHP/Composer) supply-chain wave hit the Laravel-Lang ecosystem — 700+ version tags rewritten to point at attacker forks, an autoload.files backdoor that executes on every request, and a separate 8-package package.json postinstall strand dropping a Linux implant. Full mechanics in today's deep dive (Socket, 2026-05-23).
  • A DNS-resolver patch cluster landed the same week — Unbound 1.25.1 fixes 11 CVEs including a CVSS 9.8 pre-auth DNSSEC use-after-free (CVE-2026-33278), and ISC BIND 9.18.49/9.20.23 fix a DoH use-after-free (CVE-2026-3593) and a single-query DoS (CVE-2026-5946). No exploitation reported; patch recursive infrastructure.
  • Deleted Google Cloud API keys keep authenticating for up to 23 minutes due to GCP IAM eventual consistency — key revocation is not an immediate containment action; update GCP incident-response runbooks accordingly (Aikido, 2026-05-21).

3. Research & Investigative Reporting

Deleted Google Cloud API keys keep authenticating for up to 23 minutes

Aikido Security researcher Joe Leon published findings (2026-05-21, updated 2026-05-22) showing that deleted Google Cloud API keys continue to authenticate API requests for a median of ~16 minutes and up to ~23 minutes, measured across 10 controlled trials against Gemini, BigQuery and Maps APIs (Aikido, 2026-05-21). By contrast, Google service-account keys revoke in ~5 seconds and Gemini-specific keys in ~1 minute. The root cause is eventual consistency in GCP's IAM credential-propagation layer: deletions propagate gradually across distributed authorisation servers rather than atomically. Google first closed the report as "Won't Fix (working as intended)" before reopening it as a P0 after public disclosure (Aikido, 2026-05-21).

Why it matters to us: Key rotation/revocation is the reflexive first containment step in most cloud IR runbooks, and this breaks the assumption that it is immediate. An attacker holding a stolen key retains a usable window to exfiltrate BigQuery datasets, run Gemini inference, or query Maps billing after the defender believes the key is dead. For any CH/EU public-sector tenant on GCP, treat API-key deletion as a ~30-minute containment action: delete to start the clock, then monitor Cloud Audit Logs for post-deletion use of the key, and — for GDPR Art. 33 / Swiss DSG Art. 24 purposes — count the full post-deletion window as continued exposure when the key reached PII. Where viable, prefer service-account keys (near-instant revocation). Maps to ATT&CK T1550.001 (Application Access Token).
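The runbook logic above (deletion starts the clock, accepted calls after deletion count as exposure) as an added Python example; it is not code from Aikido or Google. The records are a constructed, normalized shape with hypothetical field names (`key_id`, `event`, `accepted`, `service`), not the Cloud Audit Logs schema, and would be populated from whatever log export the tenant uses.

```python
from datetime import datetime, timedelta

WATCH = timedelta(minutes=30)  # the brief's ~30-minute containment window


def exposure_report(records, now):
    """Per deleted key: accepted post-deletion calls, exposure span, watch state."""
    report = {}
    for d in (r for r in records if r["event"] == "delete"):
        t_del = datetime.fromisoformat(d["time"])
        late = [r for r in records
                if r["key_id"] == d["key_id"] and r["event"] == "use"
                and r["accepted"] and datetime.fromisoformat(r["time"]) > t_del]
        # Exposure runs from deletion to the last call the API still accepted.
        last = max((datetime.fromisoformat(r["time"]) for r in late), default=t_del)
        report[d["key_id"]] = {
            "accepted_after_delete": len(late),
            "services": sorted({r["service"] for r in late}),
            "exposure_minutes": round((last - t_del).total_seconds() / 60, 1),
            "watch_until": (t_del + WATCH).isoformat(),
            "state": "watching" if now < t_del + WATCH else "watch window elapsed",
        }
    return report


# Constructed sample records (key ids, times and service labels are made up).
RECORDS = [
    {"key_id": "key-A", "event": "use", "time": "2026-05-24T08:55:00+00:00",
     "accepted": True, "service": "bigquery"},
    {"key_id": "key-A", "event": "delete", "time": "2026-05-24T09:00:00+00:00"},
    {"key_id": "key-A", "event": "use", "time": "2026-05-24T09:04:00+00:00",
     "accepted": True, "service": "bigquery"},
    {"key_id": "key-A", "event": "use", "time": "2026-05-24T09:16:30+00:00",
     "accepted": True, "service": "maps"},
    {"key_id": "key-A", "event": "use", "time": "2026-05-24T09:25:00+00:00",
     "accepted": False, "service": "maps"},
    {"key_id": "key-B", "event": "delete", "time": "2026-05-24T09:10:00+00:00"},
]
NOW = datetime.fromisoformat("2026-05-24T09:35:00+00:00")

if __name__ == "__main__":
    for key, row in exposure_report(RECORDS, NOW).items():
        print(key, row)
```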

Atos TRC: "hardware-gated" Windows drivers can be made BYOVD-exploitable in software

Research from the Atos Trusted Research Center (referenced by NDSS Symposium 2026 paper 2026-s1491), resurfaced in in-window reporting on 2026-05-22, argues that a large class of Windows kernel-mode drivers previously treated as BYOVD-resistant — because triggering their vulnerable IOCTL paths supposedly required physical hardware — can be made fully exploitable without that hardware (The Hacker News, 2026-05-22). Three techniques remove the gate: binding a PnP driver's AddDevice callback to a software-emulated device with an attacker-chosen hardware ID (via SetupAPI / the Software Device API); filter-driver restacking on disk/storage device stacks to bind otherwise-unloadable drivers; and direct registry manipulation under HKLM\SYSTEM\CurrentControlSet\Control\Class to associate a vulnerable driver with an existing device object. The write-up frames these against real-world example drivers to show IOCTL code paths reachable without the assumed hardware (Atos TRC, 2026-04-17).

Why it matters to us: BYOVD is a staple kernel-level EDR-bypass technique for ransomware affiliates and APTs operating against EU/CH targets, and this work expands the effective LOLDrivers attack surface — vulnerable-driver blocklists that implicitly assume a hardware prerequisite need re-evaluation. Hunt HKLM\SYSTEM\CurrentControlSet\Control\Class writes to UpperFilters/LowerFilters/ClassFilters from non-SYSTEM processes (Sysmon EID 13), driver-load events (Sysmon EID 6) for drivers loaded from user-writable paths, and streaming/thunk-class kernel drivers loaded by a non-system process. Hardening: enforce the Microsoft Vulnerable Driver Blocklist (WDAC) and HVCI/Memory Integrity, and re-test blocklist coverage against these hardware-gate-bypass techniques. ATT&CK T1068, T1014, T1562.001.
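The two Sysmon hunts above (EID 13 filter-value writes by non-SYSTEM users, EID 6 driver loads from user-writable paths) as an added Python example run over constructed events; it is not code from Atos TRC. Going one step beyond the text, it raises a separate hit when such a driver load follows a filter write on the same host. The list of user-writable path fragments and the 10-minute pairing window are assumptions, and the hosts, users and driver names are made up.

```python
import re
from datetime import datetime, timedelta

# Class-level filter values named in the brief, under Control\Class\{class GUID}.
FILTER_KEY = re.compile(
    r"\\System\\CurrentControlSet\\Control\\Class\\\{[0-9a-f-]{36}\}\\"
    r"(UpperFilters|LowerFilters|ClassFilters)$", re.IGNORECASE)
# Assumptions: which path fragments count as user-writable, and the pairing window.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")
PAIR_WINDOW = timedelta(minutes=10)


def when(ev):
    return datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")


def hunt(events):
    """Return (host, rule, detail) hits in time order."""
    hits, last_write = [], {}
    for ev in sorted(events, key=when):
        host = ev["Computer"]
        if ev["EventID"] == 13:  # registry value set
            m = FILTER_KEY.search(ev.get("TargetObject", ""))
            # A missing User field is treated as non-SYSTEM so the write is still reviewed.
            if m and ev.get("User", "").upper() != r"NT AUTHORITY\SYSTEM":
                last_write[host] = when(ev)
                hits.append((host, "filter-key-write", f'{m.group(1)} by {ev["Image"]}'))
        elif ev["EventID"] == 6:  # driver loaded
            loaded = ev.get("ImageLoaded", "")
            if any(p in loaded.lower() for p in USER_WRITABLE):
                paired = host in last_write and when(ev) - last_write[host] <= PAIR_WINDOW
                rule = "driver-load-after-filter-write" if paired else "driver-load-user-path"
                hits.append((host, rule, loaded))
    return hits


CLASS = r"HKLM\System\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}"
# Constructed Sysmon events (hosts, users, paths and driver names are made up).
EVENTS = [
    {"EventID": 13, "Computer": "WS01", "UtcTime": "2026-05-24 10:00:00.000",
     "User": r"NT AUTHORITY\SYSTEM", "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": CLASS + r"\UpperFilters"},
    {"EventID": 13, "Computer": "WS02", "UtcTime": "2026-05-24 10:05:00.000",
     "User": r"CORP\alice", "Image": r"C:\Users\alice\Downloads\setup.exe",
     "TargetObject": CLASS + r"\LowerFilters"},
    {"EventID": 6, "Computer": "WS02", "UtcTime": "2026-05-24 10:07:30.500",
     "ImageLoaded": r"C:\Users\Public\example.sys"},
    {"EventID": 6, "Computer": "WS03", "UtcTime": "2026-05-24 10:20:00.000",
     "ImageLoaded": r"C:\Windows\System32\drivers\disk.sys"},
    {"EventID": 6, "Computer": "WS03", "UtcTime": "2026-05-24 11:00:00.000",
     "ImageLoaded": r"C:\ProgramData\tool\example2.sys"},
]

if __name__ == "__main__":
    for hit in hunt(EVENTS):
        print(*hit, sep=" | ")
```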

4. Updates to Prior Coverage

UPDATE: npm ships 2FA-gated "staged publishing" GA in response to the 2026 supply-chain worm waves

UPDATE (supply-chain worm wave, originally covered 2026-05-23): GitHub announced on 2026-05-22 that npm staged publishing is now Generally Available — a maintainer must run npm stage publish (npm CLI 11.15.0+), which uploads the version to a consumer-invisible staging queue, then pass a separate 2FA challenge to approve the release before it becomes installable (GitHub Changelog, 2026-05-22). This directly targets the automated mass-publish pattern behind the Megalodon GitHub-repo campaign (covered 2026-05-23) and the earlier mini-shai-hulud / TeamPCP npm waves, where many malicious versions were pushed in seconds via compromised maintainer sessions — a human-in-the-loop 2FA gate would have broken that tempo.

The same release adds three install-source restriction flags — --allow-file, --allow-remote and --allow-directory (each all | none) — letting CI/CD pipelines forbid installs from remote URLs or local paths, the vectors abused in several 2026 dependency-confusion and supply-chain campaigns (The Hacker News, 2026-05-23). For CH/EU public-sector development teams, the operational action is to enable staged publishing on org-owned packages and set --allow-remote none / --allow-directory none in production CI.

5. Deep Dive — Packagist supply-chain wave: Laravel-Lang autoloader backdoor and the cross-ecosystem postinstall strand

Background. The 2026 software supply chain has absorbed a sustained run of registry- and repo-level compromises — the mini-shai-hulud / TeamPCP npm/PyPI worm, the Megalodon GitHub-repo backdooring campaign (covered 2026-05-23), and the actions-cool/issues-helper GitHub Action and nx-console VS Code extension compromises (covered 2026-05-20). Those targeted npm, PyPI and CI tooling; the Packagist (PHP/Composer) ecosystem had largely escaped. Between 2026-05-22 and 2026-05-23 that changed, in two technically distinct, concurrent strands with different delivery mechanics — each flagged within hours by Socket, Aikido and StepSecurity (Socket, 2026-05-23). Socket reports the postinstall strand alone spans 700+ associated GitHub repositories under common attacker infrastructure (Socket, 2026-05-22); whether a single operator runs both strands is not established by the cited reporting.

Strand 1 — Laravel-Lang tag rewrite + autoloader backdoor. An actor with organisation-level push access to the Laravel-Lang GitHub org rewrote more than 700 historical version tags across four community PHP localisation packages — laravel-lang/lang (~7.8k stars), laravel-lang/http-statuses, laravel-lang/attributes, laravel-lang/actions. Rather than committing to the canonical repos, the attacker pointed existing version tags at commits in attacker-controlled forks, so the malicious code never appears in the main repository's commit history (StepSecurity, 2026-05-22). The injected src/helpers.php is registered under each composer.json's autoload.files key. Because every Composer application executes require __DIR__.'/vendor/autoload.php' at boot — Laravel, Symfony and PHPUnit included — the backdoor runs on every request with no post-install step required. A per-host MD5 fingerprint (directory path + architecture + inode) makes the payload fire once per machine to evade redundant-execution detection. The dropper builds its command-and-control hostname at runtime from character-code arrays (array_map('chr', …)) to defeat static string analysis, disables TLS certificate verification, spoofs a browser User-Agent, and fetches a ~5,900-line PHP credential stealer, which it writes to a hidden temp file and runs via exec("php …") on Unix or a VBScript-plus-cscript chain on Windows (Socket, 2026-05-23). The stealer is organised into fifteen collector modules targeting saved passwords from multiple Chromium-based browsers, Google Cloud application-default credentials, Docker auth tokens, SSH private keys, Git credentials (.gitconfig, .git-credentials, .netrc), shell and database history, kubeconfig, .env, wp-config.php, docker-compose.yml, VPN configurations, cryptocurrency wallets and password-manager vaults; results are AES-256-encrypted, exfiltrated, and the stealer self-deletes (Aikido, 2026-05-23).

Strand 2 — eight packages, cross-ecosystem postinstall. A concurrent campaign poisoned eight Packagist packages — devdojo/wave, devdojo/genesis, katanaui/katana, elitedevsquad/sidecar-laravel, r2luna/brain, baskarcm/tzi-chat-ui, moritz-sauer-13/silverstripe-cms-theme and crosiersource/crosierlib-base — by inserting a malicious hook into package.json (not composer.json) scripts.postinstall (Socket, 2026-05-22). The cross-ecosystem placement is deliberate: teams auditing PHP/Composer dependencies routinely skip the package.json lifecycle hooks bundled alongside JS build tooling. The hook downloads a Linux ELF from a code-hosting release URL, writes it to a hidden executable file under /tmp masquerading as an SSH daemon (e.g. /tmp/.sshd), marks it executable and launches it in the background with TLS verification suppressed and error output silenced (The Hacker News, 2026-05-23). The eight span CMS themes and developer libraries — including a SilverStripe CMS theme (moritz-sauer-13/silverstripe-cms-theme) and the crosiersource/crosierlib-base library — so the blast radius reaches any PHP project that pulled them as a direct or transitive dependency.

Kill chain → MITRE ATT&CK. Initial access and execution map to T1195.002 (Compromise Software Supply Chain) and T1059.004 (Unix Shell, via exec/postinstall); the runtime C2-hostname assembly and AES-256 output to T1140 (Deobfuscate/Decode Information); the /tmp/.sshd naming to T1036.005 (Masquerading: Match Legitimate Name or Location); the stealer's harvesting to T1552.001 (Credentials in Files) and T1083 (File and Directory Discovery); and the JS-side delivery to T1204.002 (User Execution: Malicious File).

Detection concepts (no IOCs). Audit composer.lock for any of the four laravel-lang/* packages at versions tagged in the 2026-05-22 → 2026-05-23 window, and for the eight named Strand-2 packages. Flag any autoload.files entry introduced by a version-tag change that has no counterpart in the package's upstream git history, and treat any scripts.postinstall / scripts.preinstall hook inside a PHP-only Composer package as a high-fidelity anomaly. On hosts and CI runners, hunt (Sysmon EID 1 / Linux auditd) for web-server worker processes (php-fpm, php-cgi, apache2, nginx) spawning exec("php …") or cscript.exe, for composer/npm spawning shells or initiating network connections during install, and for an executable hidden file under /tmp resembling sshd. Egress monitoring: outbound HTTPS from PHP worker processes during autoload, and installs pulling binaries from code-hosting release CDNs during composer/npm install.
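The composer.lock and package.json checks above, as an added Python example; it is not code from Socket, Aikido, StepSecurity or the affected projects. It assumes the lock's `time` field dates the locked version, and it compares `autoload.files` against a known-good earlier lock instead of upstream git history; `acme/clean` and all sample data are constructed.

```python
import json
from pathlib import Path

LARAVEL_LANG = {"laravel-lang/" + n for n in ("lang", "http-statuses", "attributes", "actions")}
STRAND2 = {"devdojo/wave", "devdojo/genesis", "katanaui/katana",
           "elitedevsquad/sidecar-laravel", "r2luna/brain",
           "baskarcm/tzi-chat-ui", "moritz-sauer-13/silverstripe-cms-theme",
           "crosiersource/crosierlib-base"}
WINDOW = ("2026-05-22", "2026-05-23")  # package names and window are from the brief

def locked(lock):
    """Map package name -> lock entry across packages and packages-dev."""
    entries = lock.get("packages", []) + lock.get("packages-dev", [])
    return {p["name"].lower(): p for p in entries}

def files(entry):
    auto = entry.get("autoload")  # tolerate a missing or non-object autoload
    return set(auto.get("files", [])) if isinstance(auto, dict) else set()

def vendor_manifests(vendor_dir, names):
    """Read vendor/<name>/package.json for each locked package that ships one."""
    found = {}
    for name in names:
        path = Path(vendor_dir) / name / "package.json"
        if path.is_file():
            found[name] = json.loads(path.read_text(encoding="utf-8"))
    return found

def audit(lock, baseline, manifests):
    """Return sorted (package, reason) findings; baseline is a known-good lock."""
    before, findings = locked(baseline), set()
    for name, entry in locked(lock).items():
        if name in STRAND2:
            findings.add((name, "named Strand-2 package"))
        day = entry.get("time", "")[:10]  # assumption: "time" dates the version
        if name in LARAVEL_LANG and WINDOW[0] <= day <= WINDOW[1]:
            findings.add((name, "laravel-lang version dated in tag window"))
        if name in before:  # same package, autoload.files grew since baseline
            for path in files(entry) - files(before[name]):
                findings.add((name, f"new autoload.files entry: {path}"))
        for hook in ("preinstall", "postinstall"):
            if hook in manifests.get(name, {}).get("scripts", {}):
                findings.add((name, f"package.json {hook} hook"))
    return sorted(findings)

# Constructed sample input: acme/clean and all field values are made up.
BASELINE = {"packages": [
    {"name": "laravel-lang/lang", "time": "2025-01-10T08:00:00+00:00"},
    {"name": "acme/clean", "autoload": {"files": ["src/functions.php"]}}]}
LOCK = {"packages": [
    {"name": "laravel-lang/lang", "time": "2026-05-22T21:14:00+00:00",
     "autoload": {"files": ["src/helpers.php"]}},
    {"name": "devdojo/wave", "time": "2026-05-22T09:00:00+00:00"},
    {"name": "acme/clean", "autoload": {"files": ["src/functions.php"]}}]}
MANIFESTS = {"devdojo/wave": {"scripts": {"postinstall": "<constructed>"}},
             "acme/clean": {"scripts": {"build": "<constructed>"}}}

if __name__ == "__main__":
    for finding in audit(LOCK, BASELINE, MANIFESTS):
        print(*finding, sep=": ")
```

On a real checkout, load both lock files with `json.load` and build the third argument with `vendor_manifests("vendor", locked(lock))`.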

Hardening. Run composer audit (Composer 2.6+), pin exact dependency versions, and verify composer.lock hash integrity in CI. Review whether organisation-level GitHub token scoping permits tag rewrites across all repositories and rotate admin tokens if compromise is suspected. On any affected host, treat all secrets reachable by the PHP worker process — cloud keys, SSH keys, .env, Git tokens — as compromised and rotate aggressively. For the JS-tooling surface, adopt npm's new staged-publishing 2FA gate and --allow-remote none / --allow-directory none install controls (see § 4). Note that Packagist removed the malicious versions, but development branches stay infected while upstream GitHub repos remain compromised — verify upstream state before reinstalling any of the named packages.

6. Action Items

  • Patch LiteSpeed cPanel plugin now if exposed — upgrade to plugin v2.4.7 / WHM v5.3.1.0, or disable the plugin until patched; CVE-2026-48172 is actively exploited (§ 2). Hunt cPanel access logs for cpanel_jsonapi_func=redisAble from non-administrative accounts (LiteSpeed, 2026-05-21).
  • Audit Composer dependencies for the Packagist wave — check composer.lock for laravel-lang/{lang,http-statuses,attributes,actions} at 2026-05-22/23 tags and for the eight named Strand-2 packages; on any affected host treat all PHP-worker-reachable secrets (cloud keys, SSH, .env, Git tokens) as compromised and rotate (§ 5) (Socket, 2026-05-23).
  • Patch recursive/authoritative DNS — upgrade to Unbound 1.25.1 and ISC BIND 9.18.49 / 9.20.23; monitor unbound/named for crash telemetry in the interim (§ 2) (NLnet Labs, 2026-05-20).
  • Revise GCP incident-response runbooks — treat API-key deletion as a ~30-minute containment action, not an immediate one; monitor Cloud Audit Logs for post-deletion key use and prefer service-account keys where viable (§ 3) (Aikido, 2026-05-21).
  • Inventory outsourced-billing data exposure (healthcare) — identify which third-party processors hold GDPR Art. 9 data, confirm Art. 32 measures, and hunt for large outbound transfers from billing/ERP systems with no inbound job trigger (§ 1) (The Record, 2026-05-22).
  • Harden the npm side of CI — enable staged publishing on org-owned packages and set --allow-remote none / --allow-directory none in production pipelines (§ 4) (GitHub Changelog, 2026-05-22).
  • Re-test the Windows Vulnerable Driver Blocklist against the Atos TRC hardware-gate-bypass techniques; enforce WDAC + HVCI and hunt Control\Class filter-key writes from non-SYSTEM processes (§ 3) (The Hacker News, 2026-05-22).

7. Verification Notes

  • Items dropped (with reason):
    • NGINX CVE-2026-9256 — medium-severity heap buffer overflow in ngx_http_rewrite_module; no in-the-wild exploitation or public PoC, vendor-rated medium, and a sibling rewrite-module bug (CVE-2026-42945) was already covered 2026-05-18. Held below the § 2 inclusion gate.
    • Stormshield SNS CVE-2025-9086 (CERTFR-2026-AVI-0631, 2026-05-22) — remote denial-of-service only, single-source CERT-FR relaying Stormshield bulletin 2026-010. DoS-only with no code-execution path described; below the § 2 operational threshold despite the ANSSI-certified-firewall public-sector relevance.
    • The Oncology Institute (NASDAQ: TOI) SEC 8-K Item 1.05 (2026-05-22) — US/indirect nexus; the primary SEC EDGAR filing URL returns HTTP 403 to automated fetch and only an aggregator summary (Minichart) was reachable. Held out on source-quality and less-is-more grounds; the two-stage disclosure pattern (Nov-2025 Item 7.01 → confirmed patient-data access six months later) is noted for GDPR Art. 33 materiality-benchmarking interest.
  • Reduced confidence: the BYOVD-without-hardware research (§ 3) rests on an Atos TRC write-up dated 2026-04-17 (~5 weeks before window), surfaced by in-window reporting (The Hacker News, 2026-05-22), both referencing NDSS Symposium 2026 paper 2026-s1491; included as MEDIUM confidence. Specific demonstrated-driver names were not retained because the primary's detailed body could not be re-verified in this run; the NDSS PDF was not machine-parseable and is not cited.
  • Attribution — Unimed breach left open: all cited sources report the Unimed-breach perpetrator as unknown (heise: "It is not yet known who is responsible"; The Record: no actor publicly claimed responsibility). The Kairos / Hannover-Police attribution carried by heise applies to the separate ARWINI Lower-Saxony statutory-billing breach (covered 2026-05-19), not Unimed. The brief therefore leaves Unimed attribution open and presents the ARWINI resemblance explicitly as an analyst pattern observation rather than a sourced attribution.
  • Scope (Unimed breach): the brief names the six university hospitals that issued individual disclosures (Cologne, Freiburg, Heidelberg, Tübingen, Ulm, Mannheim); heise and The Record indicate the affected set is larger (on the order of nine institutions), with further notifications likely given Unimed's broad hospital footprint.
  • Source divergence (deep dive): Socket enumerates the Laravel-Lang stealer as ~17 collector classes with XOR obfuscation; Aikido describes 15 modules with AES-256 encryption. The brief follows the Aikido figures (cited inline); the divergence does not change the defender takeaway.
  • No-IOC handling: the Laravel-Lang dropper's runtime-assembled C2 hostname was omitted per no-IOC policy; the deobfuscation behaviour is described instead. The /tmp/.sshd masquerade is retained as a host-based hunt concept (local path, not an attacker-controlled domain/URL).
  • Single-source items: none admitted to §§ 1–5 (all multi-source); the dropped Stormshield item was the only single-source candidate.
  • Candidate sources: 2 surfaced, 1 admitted per the one-per-run cap. Added ccb-belgium (Centre for Cybersecurity Belgium — Belgian national CERT; contributed the corroborating Unbound advisory this run). Held as overflow for a future run: vulnerability-circl-lu (CIRCL Luxembourg CVE lookup / EU-centric advisory cross-reference).
  • Stalled sub-agents: none — S1–S4 all returned within the 30-minute budget.
  • Coverage gaps: sophos-xops (HTTP 503, 6th consecutive run); trendmicro-research (HTTP 500, 3rd run); databreaches-net (HTTP 403, no usable Wayback snapshot); inside-it-ch (Cloudflare managed challenge on bridge); cert-eu (no new advisory in window beyond 2026-006); cert-fr-actualite (ACT feed stale since CERTFR-2025-ACT-049, 2025-11); darkreading (per-article 403, no Wayback); cnil-fr (no new in-window decision); edpb (120th plenary scheduled 2026-05-28); ico-uk (no new in-window enforcement beyond already-covered POCA action); sec-disclosures-edgar (direct filing pages 403, bridge used).