CTI Daily Brief — 2026-05-27

Typedaily

Date2026-05-27

GeneratorClaude Opus 4.7 (`claude-opus-4-7`)

ClassificationTLP:CLEAR

LanguageEnglish

Promptv2.60

Items5

CVEs5

On this page

0. TL;DR
1. Active Threats, Trending Actors, Notable Incidents & Disclosures
2. Trending Vulnerabilities
3. Research & Investigative Reporting
4. Updates to Prior Coverage
5. Deep Dive — Tycoon 2FA after the March 2026 takedown: two-tier AiTM operator architecture and the OAuth device-code variant
6. Action Items
7. Verification Notes

References (17)

0. TL;DR

Lithuania's Centre of Registers breached — ~600,000 property and legal-entity records exfiltrated. Attackers abused login credentials issued to institutions authorised to query the Real Estate Register and Register of Legal Entities, querying from foreign-administered infrastructure; Vilnius's prosecutors suspect a foreign-state actor and the agency head resigned within days (The Record, 2026-05-26). The same register architecture exists in every EU member state.
ShinyHunters Salesforce extortion — two fresh victim confirmations. Charter Communications (Spectrum) confirmed a breach but disputes that sensitive PI or CPNI was taken (BleepingComputer, 2026-05-26), while 7-Eleven confirmed a breach affecting roughly 185,000 individuals — CyberInsider reports Social Security and driver's-licence numbers in the exposed set (CyberInsider, 2026-05-26); both trace to the vishing → Entra → Salesforce-Aura pattern.
Tycoon 2FA adapted within weeks of the March 2026 takedown. Elastic Security Labs maps a two-tier operator architecture and a Microsoft-only OAuth device-code-grant variant that mints and replays Primary Refresh Tokens; today's deep dive covers the Entra ID / Google Workspace detection logic and a documented Identity Protection false-negative gap.
GitHub Enterprise Server pre-auth SSRF — CVE-2026-9312 (CVSS 4.0 = 9.2). Path-traversal injected into an upload endpoint lets an unauthenticated attacker redirect internal API calls to internal services, potentially exposing App tokens and service-account secrets; patch on-prem GHES below 3.22 (ENISA EUVD, 2026-05-27).

1. Active Threats, Trending Actors, Notable Incidents & Disclosures

Lithuania's Centre of Registers loses ~600,000 state-register records to abused institutional credentials; foreign-state actor suspected

Lithuania's Prosecutor General's Office disclosed that attackers accessed more than 600,000 records from the Centre of Registers — the state enterprise that manages the Real Estate Register and the Register of Legal Entities — over a window running from early April to disclosure (The Record, 2026-05-26). The access vector was not a software exploit but credential abuse: attackers obtained and misused login credentials assigned to institutions authorised to query the registers, originating the connections from foreign-administered infrastructure (The Record, 2026-05-26). Exfiltrated fields include names, dates of birth, national ID numbers, property addresses, cadastral numbers and registry identifiers; contact details, bank accounts and payment data were reported as not in the stolen set. Lithuanian officials publicly framed the incident as likely the work of a foreign country, with one politician alleging Russian-intelligence hallmarks, and the head of the Centre of Registers resigned within days (Euronews, 2026-05-25; LRT, 2026-05-22). Reporting cross-references comparable intrusions against Slovakia's land register and Ukraine's state registers.

Why it matters to us: property and corporate-entity registers are high dossier-value targets — they let an intelligence service resolve home addresses and asset holdings for officials, diplomats and military personnel — and the identical register-API architecture is in production across every EU member state, Switzerland's commercial register (Zefix) and cantonal land registries included. The kill chain here is authorised-account abuse (T1078 Valid Accounts / T1530 Data from Cloud Storage), not a CVE: institutional service accounts querying register APIs need per-institution rate limits, MFA on the service principal, ASN/IP-range anchoring (institutional access should originate from known networks), and query-volume anomaly detection. Hunt for bulk-query bursts from institutional accounts outside business hours or from ASNs inconsistent with the institution's historical access pattern, and retain register access logs long enough to reconstruct a multi-week exfiltration window.

2. Trending Vulnerabilities

CVE-2026-9312 — GitHub Enterprise Server (< 3.22): unauthenticated SSRF via upload-endpoint path traversal exposes internal services and credentials

An unauthenticated attacker can inject path-traversal content into the request parameters of a GitHub Enterprise Server upload endpoint; insufficient input validation lets the crafted request bypass the intended upload flow and redirect internal API calls to arbitrary internal services, potentially reading internal service responses and exposing sensitive credentials such as GitHub App tokens, service-account keys and internal API secrets (ENISA EUVD EUVD-2026-32027, 2026-05-27). The flaw (also tracked as GHSA-fwfp-h68w-2hcr, CVSS 4.0 = 9.2) was reported through the GitHub Bug Bounty program and affects all GHES releases prior to 3.22; fixes ship in 3.16.20, 3.17.17, 3.18.11, 3.19.8, 3.20.4 and 3.21.1 (GitHub Security Advisory GHSA-fwfp-h68w-2hcr). EPSS is 0.0 and no in-the-wild exploitation is reported, but on-prem GHES is common in Swiss financial-sector and EU large-enterprise development estates, and an SSRF that reaches internal credential stores is a direct foothold for lateral movement (T1190 Exploit Public-Facing Application). Patch to the relevant fixed release; until patched, restrict who can reach the GHES management/upload surface at the network layer and hunt server access logs for upload-endpoint requests carrying ../ / %2e%2e%2f traversal sequences.

CVE-2026-9642 — Delta Electronics DIAView SCADA: incomplete fix for prior unauthenticated remote database access (CVE-2025-62582) [SINGLE-SOURCE]

Tenable Research disclosed that the vendor's mitigation for CVE-2025-62582 (unauthenticated remote database access in Delta Electronics DIAView, an HMI/SCADA application) is bypassable: an unauthenticated remote attacker can still reach the databases configured in a DIAView project despite the prior fix (CVSS 3.1 = 9.8) (Tenable Research TRA-2026-44, 2026-05-26). Delta is a major industrial-automation vendor with installations across EU manufacturing and energy OT estates, and Switzerland has a sizeable Delta customer base in precision manufacturing. Because the original CVE-2025-62582 fix is incomplete, organisations that believed they had remediated remain exposed (T1190 Exploit Public-Facing Application against the OT historian/database layer). Treat any DIAView project reachable from IT or internet segments as still vulnerable: confirm a corrected fix directly with Delta rather than assuming the earlier patch closed the path, enforce strict IT/OT segmentation so the historian database tier is unreachable from general networks, and monitor for connections to DIAView database listener ports from non-engineering workstations. Single-source on Tenable Research as of this run; no second independent report located in-window.

CVE Summary Table

CVE	Product	CVSS	EPSS	KEV	Exploited	Patch	Source
CVE-2026-9312	GitHub Enterprise Server < 3.22	9.2 (v4.0)	0.0%	No	No	3.16.20 / 3.17.17 / 3.18.11 / 3.19.8 / 3.20.4 / 3.21.1	ENISA EUVD
CVE-2026-9642	Delta Electronics DIAView SCADA	9.8 (v3.1)	n/a	No	No	Incomplete (bypass of CVE-2025-62582 fix)	Tenable TRA-2026-44

3. Research & Investigative Reporting

No qualifying standalone research items this run — the run's one substantive piece of primary technical research (Elastic Security Labs' Tycoon 2FA detection-engineering analysis) is given full treatment in § 5 Deep Dive; this section is intentionally left empty.

4. Updates to Prior Coverage

UPDATE: ShinyHunters Salesforce campaign — Charter and 7-Eleven both confirm; 7-Eleven count put at ~185,000 affected

UPDATE (originally covered 2026-05-24 / 2026-05-25): Charter Communications (Spectrum) has confirmed it was breached after ShinyHunters listed it and threatened to leak data; Charter notified law enforcement but states that no sensitive personal information or customer proprietary network information (CPNI) was exfiltrated — disputing the actor's claim of 42 million records (BleepingComputer, 2026-05-26; CyberInsider, 2026-05-23). ShinyHunters claims initial access on 1 April 2026 via vishing that compromised an employee Entra account, then bulk-exported customer records from Charter's Salesforce CRM.

Separately, 7-Eleven confirmed its ShinyHunters incident affects roughly 185,000 individuals; BleepingComputer reports the exposed fields as names, dates of birth, email addresses, phone numbers and physical addresses (describing the affected as franchisee-document holders) (BleepingComputer, 2026-05-26), while CyberInsider additionally reports Social Security numbers and driver's licence numbers in the set (CyberInsider, 2026-05-26). The 185,000 figure is not contradictory with the earlier unconfirmed 600,000-record CRM claim. Both intrusions follow the campaign's Salesforce-Aura pattern (vishing → Entra account → CRM export, or unauthenticated /s/sfsites/aura guest-profile queries): audit guest-user object permissions on Experience Cloud, enable Secure Guest User Record Access, restrict SSN/ID fields to named users, and enforce phishing-resistant MFA (FIDO2/passkeys) on SaaS admin accounts.

UPDATE: Nimbus Manticore (UNC1549 / Screening Serpens) — Check Point details MiniFast backdoor, Zoom-task hijacking and SEO-poisoning delivery

UPDATE (originally covered 2026-05-23): Following Unit 42's coverage of UNC1549 / Screening Serpens AppDomainManager hijacking, Check Point Research (published 2026-05-22, widely re-reported this week) adds material technical depth on three February–April 2026 campaign waves keyed to Operation Epic Fury (Check Point Research, 2026-05-22; The Hacker News, 2026-05-26). The IRGC-affiliated actor replaced its MiniJunk family with a new backdoor, MiniFast — a 64-bit DLL with a single CheckForUpdates export and a JSON HTTP C2 using API-style endpoints (/agent/init, /agent/poll, /upload/) and a 14-opcode command set including DLL injection, UAC elevation and scheduled-task persistence.

Two persistence/delivery techniques are new versus the prior coverage: (1) Zoom scheduled-task hijacking (T1053.005) — instead of creating a suspicious new task, the malware watches for the legitimate ZoomUpdateTaskUser-<SID> task and hijacks it; (2) SEO poisoning (T1598.003) via a fake SQL Developer download domain ranked on Bing/DuckDuckGo, alongside T1574.008 AppDomain hijacking via redirected .config files. The loader chain validates parent=svchost.exe before proceeding and abused two SSL.com-issued code-signing certificates (Check Point Research, 2026-05-22). Hunt for ZoomUpdateTaskUser-* task modifications by non-Zoom processes, non-default AppDomainManager values in .NET .config files, and execution from user-writable AppData paths.

5. Deep Dive — Tycoon 2FA after the March 2026 takedown: two-tier AiTM operator architecture and the OAuth device-code variant

Background. Tycoon 2FA is among the most prolific adversary-in-the-middle (AiTM) phishing-as-a-service kits, built to intercept the post-MFA session cookie of Microsoft 365 and Google Workspace accounts in real time. In March 2026 a coordinated takedown led by Microsoft and Europol — with Cloudflare, SpyCloud and eSentire — seized over 300 domains, but operators adapted within weeks, and by late April 2026 campaigns combined Tycoon tradecraft with OAuth Device Code phishing flows (Elastic Security Labs, 2026-05-26). This brief last covered the post-takedown device-code pivot on 2026-05-18; Elastic's 2026-05-26 analysis is a detailed detection-engineering treatment of the kit's current operator architecture and is the basis for the technique mapping below.

Two operating variants. The kit now runs in two structurally distinct modes. The classic WebSocket AiTM reverse-proxy intercepts the authenticated session cookie as the victim completes MFA against a real Microsoft/Google login (T1557 Adversary-in-the-Middle, T1539 Steal Web Session Cookie, replayed via T1550.004 Web Session Cookie). The newer device-code-grant abuse variant is Microsoft-only: it leverages the Microsoft Authentication Broker client ID 29d9ed98-a469-4536-ade2-f981bc1d605e to obtain and replay a Primary Refresh Token (PRT), escalating a single phished code into durable token material (T1528 Steal Application Access Token). The token-type progression Elastic observed in Entra sign-in logs is the tell: incomingTokenType:none → refreshToken → primaryRefreshToken.

Two-tier operator architecture and the cross-tier signal. The operation splits across two tiers with different network fingerprints. Tier 1 (Kit Relay) performs token acquisition from cloud-VPS egress IPs using node / axios / undici / node-fetch user agents. Tier 2 (Operator Console) performs post-compromise enumeration from residential-shaped ISP egress with a fixed browser UA. Because single-ASN rules only catch one tier, Elastic's highest-confidence indicator is the cross-tier pivot: two distinct ASNs (one cloud-VPS, one residential-shaped) authenticating as the same user principal within minutes and sharing the same c_sid correlation value. Within roughly 30–60 seconds of a successful token replay, Tier 2 runs a Microsoft Graph reconnaissance burst — transitiveRoleAssignments, tenantRelationships/getResourceTenants (cross-tenant lateral-movement preparation), contact harvesting and subscribedSkus — typically 20–30+ calls spanning four or more recon categories (T1087.004 Cloud Account Discovery, T1526 Cloud Service Discovery).

Detection concepts. Elastic shipped multiple Entra ID and Google Workspace detections, including an ES|QL "Microsoft Graph Multi-Category Reconnaissance Burst" rule that fires on the four-plus-category Graph enumeration inside a short window. Concept-level hunts a SOC can build without the rules: in Entra sign-in logs, alert on node/axios/undici/node-fetch user agents paired with the Microsoft Authentication Broker client ID, and on device-registration events using non-standard UAs (not Dsreg / DeviceRegistrationClient / Dalvik); for Google Workspace, alert on Admin SDK login_success events landing within ~1 second across multiple relay IPs, and on an OAuth token.authorize for the Chrome client 77185425430.apps.googleusercontent.com followed by a DEVICE_REGISTER_UNREGISTER_EVENT within 0.6–1.2 seconds. Critical detection gap: Entra ID Identity Protection may not flag the kit infrastructure because of rapid IP rotation, and Elastic observed the risk engine flagging anomalousToken but subsequently marking the victim aiConfirmedSafe — a false negative that defenders cannot treat Identity Protection alone as sufficient coverage for. Elastic's automated response (disable account, delete device principals, revoke sessions, open a case) runs in under ten seconds, inside the observed 10–20-minute kit-to-operator handoff window — the operational point being that response must beat the handoff, not merely detect after it.

Hardening. Enable Microsoft Token Protection via Conditional Access so a stolen session/refresh token is bound to the originating device; require compliant or managed devices for access to sensitive resources; and use Authentication Methods policies to block the OAuth Device Code flow for the majority of users who never legitimately need it — the device-code variant collapses if the grant is disabled for the targeted population. None of these depend on a patch; they are policy changes that remove the attack path the kit monetises.

6. Action Items

Patch on-prem GitHub Enterprise Server below 3.22 (CVE-2026-9312, pre-auth SSRF reaching internal credentials) — apply the relevant fixed release (3.16.20 / 3.17.17 / 3.18.11 / 3.19.8 / 3.20.4 / 3.21.1); until patched, restrict the management/upload surface at the network layer and hunt upload-endpoint logs for ../ / %2e%2e%2f traversal. See § 2.
Re-verify Delta Electronics DIAView remediation (CVE-2026-9642) — the prior CVE-2025-62582 fix is bypassable; confirm a corrected patch with Delta rather than assuming the earlier fix held, and ensure no DIAView historian/database tier is reachable from IT or internet segments. See § 2.
Harden government register / cadastral API access — for CH/EU public-sector register operators: enforce MFA on institutional service accounts, anchor institutional access to known ASNs/IP ranges, apply per-institution query-rate limits, and alert on bulk-query bursts outside business hours. Drawn from the Lithuania Centre of Registers breach in § 1.
Close the Salesforce-Aura path — audit Experience Cloud guest-user object permissions, enable Secure Guest User Record Access, restrict SSN/government-ID fields to named users, and enforce phishing-resistant MFA (FIDO2/passkeys) on SaaS admin accounts. Drawn from the ShinyHunters update in § 4.
Deploy AiTM/device-code detection and policy — stand up the Microsoft Graph reconnaissance-burst hunt and cross-tier (two-ASN, same c_sid) correlation, enable Conditional Access Token Protection, and block the OAuth Device Code flow for users who do not need it. Do not treat Entra Identity Protection as sufficient coverage on its own. See § 5.

7. Verification Notes

Items dropped:
- MuddyWater / Seedworm DLL side-loading campaign (Symantec / Broadcom Threat Hunter Team) — surfaced by two sub-agents, but the primary Symantec analysis is dated 2026-05-12 (one agent) / 2026-05-22 (the other); the only in-window source is a 2026-05-26 The Hacker News restatement with no fresh exploitation, victim or patch development. Out of window per PD-7 (primary older than the 36 h window, no fresh in-window delta, not a previously-covered item eligible for an UPDATE). High-relevance Iran-aligned espionage campaign (signed-binary DLL side-loading via fmapp.exe / sentinelmemoryscanner.exe, ChromElevator) noted for the record; will reconsider if a fresh national-CERT or victim development lands.
- Five-year database-ransom census (ransomnews.com) — single-source from a small, independently unverified research organisation; corroboration was a Security Affairs restatement, not independent reproduction. Headline figures (46.3% of 65,907 exposed databases, 215+ billion records, BTC-wallet economics) are vanity-metric-style aggregates that PD-4 excludes; dropped as [SINGLE-SOURCE] / reduced-confidence. Underlying defender lesson (never expose MongoDB/MySQL/Elasticsearch to the internet unauthenticated) is already standard hardening.
- The Oncology Institute SEC 8-K Item 1.05 (third-party vendor breach) — the SEC EDGAR filing URL returned HTTP 403 to the sub-agent, so the primary filing text could not be verified in-run; the only verifiable source was a single SecurityWeek article, and the TriZetto/Cognizant vendor attribution is SecurityWeek's timeline-based inference, not stated in the filing. Dropped as reduced-confidence / single verifiable source; US-only healthcare with indirect CH/EU relevance.
- Mini Shai-Hulud (TeamPCP) § 4 UPDATE — dropped at the verification cap. The UPDATE's sole citation was CERT-FR's weekly bulletin CERTFR-2026-ACT-023, and across this run's verification loop three independent verifier reads of that exact URL contradicted each other: one read it as the campaign bulletin with no named victim, one quoted a French sentence stating ANSSI is aware of several French victims, and the iteration-5 (cap) verifier fetched it and reported it as a week-21 vulnerability roundup (Drupal/F5/Microsoft/Cisco/Linux-kernel) with no mention of TeamPCP, Mini Shai-Hulud, the named packages, the source-code leak, or French victims. Because the claimed delta (widened package scope, source-code leak, French-victim awareness) could not be reliably tied to the cited source and no alternate source was fetched for it, the entire UPDATE — its TL;DR bullet and § 6 action item included — was dropped rather than published on an unverifiable attribution (PD-1). The Mini Shai-Hulud / TeamPCP campaign itself remains real and was last covered 2026-05-26; only today's CERT-FR-sourced delta is withheld pending a verifiable source.
CVEs that did not clear a § 2 inclusion gate:
- CVE-2026-45659 — Microsoft SharePoint Server 2016/2019/SE deserialization RCE (CVSS 8.8) — fails all § 2 gates: post-auth (minimum Site Member, PR:L), CVSS below 9.0, MSRC "Exploitation Less Likely", not CISA-KEV, no public PoC. Surfaced by three sub-agents and carries NCSC-CH (advisory 12594) and BSI (WID-SEC-2026-1652) same-day advisories on the out-of-band CVE addition. Operational note for Swiss/EU public-sector SOCs: the CVE was added to Microsoft's set out-of-band on 2026-05-26 after shipping in the May 2026 Patch Tuesday — ensure vulnerability-management tooling ingests the late CVE so already-patched farms are scored correctly.
- CVE-2026-44895 — yoda-digital mcp-gitlab-server < 0.6.0 (no-auth SSE RPC endpoint, CVSS 4.0 = 9.2) — clears the EUVD CVSS 9.0–10.0 gate but is a niche npm MCP-server package with marginal deployment in the target audience; not promoted to § 2. Relevant only to teams running this specific MCP GitLab bridge bound to 0.0.0.0 with wildcard CORS — patch to 0.6.0 if in use.
Single-source items included: CVE-2026-9642 (Delta DIAView, Tenable Research TRA-2026-44 only) — marked [SINGLE-SOURCE] in § 2; included on Tenable's HIGH-reliability researcher standing.
Recency: standard 36 h window (24 h gap to 2026-05-26). The Nimbus Manticore § 4 UPDATE cites Check Point Research dated 2026-05-22; included as an UPDATE on previously-covered UNC1549 (2026-05-23) carrying material new technical detail and broad in-window (2026-05-26) amplification.
Contradictions / unresolved: sub-agents reported the Symantec Seedworm primary as 2026-05-12 (S3) vs 2026-05-22 (S1); unresolved, but the item was dropped on recency grounds regardless. Charter disputes ShinyHunters' 42M-record claim and asserts no sensitive PI/CPNI was taken — the brief reports both the actor claim and the victim's dispute rather than adjudicating. On 7-Eleven, the two cited sources differ on the exposed field set — BleepingComputer lists names, DOBs and contact/address data (no SSN / driver's licence), while CyberInsider additionally reports SSNs and driver's licence numbers; the brief reports both with attribution rather than asserting the high-sensitivity fields as settled.
Verification: the brief ran the full 5-iteration verification loop without reaching a CLEAN verdict (cap-breach safety valve), rotating Opus (iterations 1, 3, 5) and Sonnet (2, 4). Net effect across iterations: a wrong Security Affairs URL on the Nimbus Manticore item was removed and the cert claim re-anchored to Check Point; the missing @tanstack/@squawk packages were added (then the whole Mini Shai-Hulud item was later dropped, see below); an unsourced "first" superlative was removed from the Tycoon 2FA deep dive; the 7-Eleven field-set attribution was split between BleepingComputer and CyberInsider; and the CVE-2026-9312 citation was moved onto the static-HTML GHSA advisory. The iteration-5 (cap) verifier found the § 4 Mini Shai-Hulud UPDATE's sole CERT-FR citation unverifiable (three iterations read that URL three different ways), so that UPDATE was dropped. verification_residual_count = 2 records the iteration-5 truth findings, both resolved by dropping the affected item rather than left in the published brief.
Sub-agents: all four (S1–S4) returned within the wall-clock cap; no stalls.
New source candidate (this run): cyberinsider (cyberinsider.com — breach journalism, server-rendered, no 403) added as candidate; it contributed corroborating primaries to the Charter and 7-Eleven confirmations. Overflow candidates not added (one-per-run cap): security.com (Symantec/Broadcom Threat Hunter Team's current domain; the old symantec-enterprise-blogs.security.com URL 404s — worth a future source-URL update).
Coverage gaps: databreaches-net (bridge 403 for 7th consecutive run); inside-it-ch (bridge 403×5); sophos-xops (503); trendmicro-research (500); greynoise (no structured RSS feed); volexity (malformed RSS, no 2026 items surfaced); securityweek (feed 403, covered via article fetches); sec-edgar (archive 403 on individual filing pages — full-text search bridge works, filing htm does not); cnil-fr, edpb, ncsc-ie, safeonweb-be, ncsc-uk, cert-pl, jpcert — no in-window qualifying items found this run.