CTI Daily Brief — 2026-05-28

ILIAS LMS — nine fixes shipped 2026-05-27, two critical access-control gaps (CVSS 9.8 + 9.3), NCSC.ch flags SOAP interface as primary unauthenticated attack surface

The ILIAS Security Group released a coordinated nine-issue security update on 2026-05-27 covering the open-source Learning Management System that dominates the CH/DE/AT public-sector e-learning estate: Swiss federal training portals, NATO DEEP ADL, and the majority of Swiss and German university LMS deployments (ILIAS Security Blog, 2026-05-27; NCSC-CH, 2026-05-27; BSI CERT-Bund WID-SEC-2026-1689, 2026-05-27). CVE identifiers were not assigned in the BSI CSAF document; the vendor uses internal MantisBT IDs.

Two issues are rated critical by the vendor. MantisBT 0047787 (CVSS 4.0: 9.8) is a missing access-control check in TileImageUploadHandler; an attacker with network access to the upload endpoint can write arbitrary files, bypassing authentication entirely — the textbook prerequisite for arbitrary file write to RCE on a PHP application. MantisBT 0047691 (CVSS 4.0: 9.3) is a post-auth SQL injection in the MyStaff module. Companion high-severity findings: MantisBT 0047581 (CVSS 8.7) — broken access-control in the SOAP interface permitting unauthenticated SOAP calls; MantisBT 0047472 (CVSS 7.1) — SQL injection reachable via the SOAP API; MantisBT 0047770 (CVSS 8.5) and 0047778 (CVSS 8.1) — sort-field and SCORM2004-module SQLi paths; MantisBT 0047258 — unauthorized SOAP function calls.

Why it matters to us: ILIAS is mission-critical for Swiss federal civil-servant training and Swiss/DACH academic certification — a compromise of the LMS exposes course content, learner PII, certification records, and any HR/IDP integration on the SOAP interface. NCSC.ch's recommended interim mitigation is to disable the SOAP interface on any deployment that does not require it for enterprise HR / SIS integration. Patched branches: 9.20, 10.8, 11.1. Detection concepts: monitor web-server access logs for POSTs to TileImageUploadHandler without a valid session cookie; flag any request to /ilias.php?baseClass=ilSOAPExplorer or the SOAP WSDL endpoint from non-internal source IPs. Hardening: AppArmor/SELinux profile constraining php-fpm writeable paths to content directories; reverse-proxy ACL blocking external access to /webservice/soap/ until patched.

Germany's federal cabinet approves the Cybersicherheitsstärkungsgesetz — BKA, BSI and Federal Police gain authority to redirect traffic and disable attacker infrastructure

The German federal cabinet approved the Cybersicherheitsstärkungsgesetz (Law to Strengthen Cybersecurity) on 2026-05-27, granting three federal agencies — the Bundeskriminalamt (BKA), the Bundesamt für Sicherheit in der Informationstechnik (BSI) and the Bundespolizei — new authority to conduct what the government frames as active cyber defence rather than offensive hackback (Heise Security, 2026-05-27; onvista / dpa, 2026-05-27; t-online, 2026-05-27). Under the law the agencies may redirect attacker-controlled traffic, selectively intervene in IT systems used to attack Germany, delete or modify data on attacker servers, and shut down dangerous C2 nodes — explicitly including foreign infrastructure. Interior Minister Alexander Dobrindt (CSU) positioned the measure as active cyber defence targeting attacker command-and-control infrastructure rather than retaliatory hackback. The bill funds the order of 350 new positions across the three agencies and approximately €50 million per year in personnel and material (per onvista/dpa; t-online reports a smaller initial figure — see § 7). The Bundesverband der Deutschen Industrie (BDI) and civil-society voices warned of collateral-damage risk on shared hosting and VPN servers and flagged constitutional concerns. The bill next proceeds to the Bundestag; it does not yet have force of law.

Why it matters to us: German LE gaining the legal authority to sinkhole, redirect, or disable attack infrastructure will change the threat-intel attribution picture across Europe. SOC managers should expect that unexplained C2 outages on Germany-adjacent hosting may be LE action rather than malware infrastructure rotation. Threat-intel teams tracking takedown patterns should add de.bka, de.bsi, de.bpol as expected actors in the takedown attribution stack alongside CrowdStrike Counter Adversary Operations, Microsoft DCU and Europol.

CrowdStrike, Google and Shadowserver simultaneously sever all four C2 channels of the GlassWorm developer-targeting botnet (not to be confused with the Nx Console / TanStack GitHub-publish chain in § 5) — Russia-attributed, active since early 2025

On 2026-05-26T14:00Z, CrowdStrike Counter Adversary Operations, Google, and the Shadowserver Foundation executed a simultaneous takedown of all four C2 channels operated by GlassWorm, a developer-targeting supply-chain campaign active since at least early 2025 (CrowdStrike Counter Adversary Operations, 2026-05-27; TechCrunch, 2026-05-27; The Hacker News, 2026-05-27). GlassWorm's C2 architecture was designed for resilience: (1) Solana blockchain — C2 server addresses encoded in transaction memo fields as an immutable public dead-drop; (2) BitTorrent DHT — GlasswormRAT queries the peer-to-peer network for configuration data stored against hardcoded public keys; (3) Google Calendar — event titles used as Base64-encoded path dead-drops; (4) traditional VPS-hosted C2 for final payload. Taking down any subset would have left the remainder operational.

The attack surface spanned VS Code Marketplace, Open VSX (reaching Forgejo/Gitea-based forks), npm, PyPI, and direct GitHub repository poisoning via stolen developer credentials — 300+ GitHub repositories poisoned across the campaign. Infected hosts were converted into covert infrastructure: SOCKS proxies, hidden VNC (HVNC) servers, and Node.js-based remote execution nodes via WebRTC. CrowdStrike attributes the operators to likely Russia-based actors on the basis of the malware's CIS-locale / language / timezone exit check.

Dutch National Police arrest 35-year-old over AFC Ajax fan-data breach — misconfigured API access-control and shared keys exposed 300,000+ accounts and 42,000 season-ticket records

Dutch National Police arrested a 35-year-old man from the municipality of Buren on 2026-05-26 on suspicion of computer trespass (computervredebreuk) against AFC Ajax Amsterdam, following an investigation triggered by Ajax's own disclosure in late March 2026 (BleepingComputer, 2026-05-27; The Record, 2026-05-27; NL Times, 2026-05-26; AFC Ajax victim statement, 2026-03-25). Investigators searched the suspect's residence and seized multiple digital storage devices. Ajax's own statement (issued at the time of the original March 2026 disclosure) attributes the breach to an unauthorised actor who accessed Ajax systems and exfiltrated data; BleepingComputer and The Record, citing the Dutch police release, report the underlying API flaw exposed more than 300,000 fan accounts and 42,000+ season-ticket holders (BleepingComputer, 2026-05-27; The Record, 2026-05-27). RTL reporting cited in BleepingComputer notes the attacker demonstrated the ability to reassign a VIP season ticket in seconds and modify stadium-ban records. Ajax filed an Article 33 GDPR notification to the Dutch Autoriteit Persoonsgegevens (AP) and a criminal complaint; the underlying gap has since been patched.

FBI FLASH CSA 260526 — Silent Ransom Group sends operatives physically into US law-firm offices to insert USB exfiltration devices when remote social engineering fails

The FBI issued CSA 260526 on 2026-05-26 warning that Silent Ransom Group (SRG; tracked variously across cited sources as Luna Moth, Chatty Spider and UNC3753, with the Storm-0252 designation specifically referenced by CyberScoop) — a Russia-linked extortion-only gang that does not deploy ransomware — has escalated its campaign against US law firms by physically sending operatives into victim offices impersonating IT support when remote access attempts fail (CyberScoop, 2026-05-27; The Record, 2026-05-27; Help Net Security, 2026-05-27). The kill chain begins with callback phishing — an email or call pretexting urgent IT support with a callback number; on the call, the actor attempts to establish a remote desktop session. If the target resists, an associate physically visits the office and attempts to insert a USB storage device into a workstation. CyberScoop, citing the FBI, reports the group has claimed more than 100 attacks.

Iran MOIS attributed to LACMTA destructive breach via "Ababil of Minab" hacktivist front — 700 GB exfiltrated, backups and VMs deliberately destroyed

Gambit Security (Israeli threat-intelligence firm) published a technical report on 2026-05-26 attributing the March 2026 breach of Los Angeles County Metropolitan Transportation Authority (LACMTA / LA Metro) to an Iran-MOIS-linked cluster operating under the hacktivist persona Ababil of Minab (Gambit Security, 2026-05-26; TechCrunch, 2026-05-26; The Record, 2026-05-27). The persona surfaced in late March / early April 2026 claiming to be a standalone hacktivist crew; Gambit's forensic evidence ties the cluster's infrastructure and techniques to the MOIS-attributed Black Shadow group, a designation the Israel National Cyber Directorate (INCD) has previously applied. The campaign exfiltrated a large volume of emails, backups and other files from LACMTA, then deliberately targeted the recovery layer: virtual machines and storage volumes were deleted, backup infrastructure was destroyed, and multiple destructive techniques were applied in parallel to force concurrent remediation pathways and maximise downtime. LA Metro required weeks to recover. The campaign also touched named and unnamed organisations in Israel, Saudi Arabia and Turkey.

CVE-2026-48842 — Roundcube Webmail pre-authentication SQL injection in `virtuser_query` plugin (CVSS 8.1)

The Roundcube Project shipped 1.6.16 (LTS) and 1.7.1 on 2026-05-24 patching a pre-authentication SQL-injection in the virtuser_query plugin: an unauthenticated network attacker can inject arbitrary SQL through the plugin's login-time virtual-user lookup when the plugin is enabled (Roundcube Project, 2026-05-24; NCSC Switzerland, 2026-05-27; Heise Security, 2026-05-27). Companion fixes in the same release: CVE-2026-48844 (HIGH — code injection in the LDAP autovalues option when configured; PHP-eval-class flaw), CVE-2026-48843 (HIGH — CSS-sanitisation bypass in HTML email via SVG animate attributeName="style" that can leak data through SSRF or disclose server-side information), and CVE-2026-48848 (HIGH — HTML-sanitisation bypass permitting CSS injection via a crafted SVG document). Branches 1.5.x and earlier are EOL and do not receive patches. Roundcube is the dominant self-hosted webmail across European public administrations, ISPs and academia — NCSC Switzerland flagged the cluster as requiring prompt action.

CVE-2026-35087 / CVE-2026-35089 / CVE-2026-35090 — Slican PBX telephony exchanges, triple pre-authentication admin bypass (CERT Polska)

CERT Polska disclosed three vulnerabilities in Slican PBX firmware on 2026-05-27; Slican is a Polish manufacturer of PBX and IP-telephony equipment with broad deployment in Polish government, public administration and healthcare, and is also sold across Central and Eastern Europe (CERT Polska, 2026-05-27; ENISA EUVD-2026-32276, 2026-05-27). CVE-2026-35087 (CVSS 4.0: 9.3) — the administrative protocol accepts a specific command that bypasses credential checks, granting admin shell access. CVE-2026-35089 (CVSS 4.0: 8.7) — the secure key protecting the admin service is generated deterministically from system properties obtainable without authentication; an attacker can recompute the key and extract admin credentials. CVE-2026-35090 (CVSS 4.0: 9.3) — the remote management modem interface accepts a hardcoded caller-ID that bypasses admin authentication on the PSTN side; if remote access is disabled, the call temporarily re-enables it. All three are exploitable remotely without authentication. Affected/fixed pairs: IPx series (≥ 6.61.0040), CCT-1668 / MAC-6400 (≥ 6.56.0430), CXS-0424 (≥ 6.30.0510), NCP (≥ 1.24.0250). EOL hardware (versions ≤ 4.xx — CCT-1668 CCT1CPU, MAC-6400, CXS-0424 discontinued 2011/2012) will not receive patches; vendor recommends hardware replacement.

CVE Summary Table

MuddyWater / Seedworm — Symantec and Carbon Black document new DLL-side-loading pair via signed Fortemedia and SentinelOne binaries, ChromElevator for Chromium App-Bound Encryption bypass, Node.js orchestration

Symantec's Threat Hunter Team and Broadcom's Carbon Black published findings on 2026-05-12 documenting a Q1 2026 MuddyWater (a.k.a. Seedworm, Static Kitten, MERCURY, TEMP.Zagros — attributed to Iran's Ministry of Intelligence and Security) espionage campaign across at least nine organisations on four continents. The story re-surfaced this run via fresh aggregator coverage on 2026-05-26 (The Hacker News) — included in window on that basis. Named victim categories include industrial and electronics manufacturing, education and public-sector bodies, financial services, and an international airport in the Middle East (Symantec / Broadcom Threat Intelligence, 2026-05-12; The Hacker News, 2026-05-26; Industrial Cyber, 2026-05-13).

The differentiating TTPs from prior MuddyWater coverage are twofold. First, DLL side-loading via two pairs of legitimately signed third-party binaries: Fortemedia audio-driver binary fmapp.exe side-loading a malicious fmapp.dll; SentinelOne's sentinelmemoryscanner.exe side-loading a rogue sentinelagentcore.dll — abuse of a signed security-product binary specifically chosen to bypass signature-based detection. Both malicious DLLs embed ChromElevator, an open-source post-exploitation tool that bypasses Chromium App-Bound Encryption to extract passwords, cookies and payment-card data without triggering AV. Second, orchestration moved to Node.js: node.exe appears as a parent-process ancestor of cmd.exe before any operator commands — i.e. a Node.js script (not a human operator) drives the kill chain. PowerShell scripts pulled from a staging server perform discovery (T1087, T1482), screenshot capture, SAM-hive theft via VSS (T1003.002), and SOCKS5 reverse-proxy tunnelling (T1090.003). A credential harvester calls CredUIPromptForWindowsCredentialsW to display a Windows security dialogue and trick targets into entering credentials. A Kerberos TGT extractor via GSS-API was also observed.

Why it matters to us: signed-binary side-loading abusing a security-product binary is the highest-value evasion class — signature-based controls are bypassed by design. Detection: Sysmon EID 7 image-loads from fmapp.exe or sentinelmemoryscanner.exe outside their expected installation directories; alert on node.exe as a parent of cmd.exe or powershell.exe -enc in non-developer environments; flag CredUIPromptForWindowsCredentialsW calls from non-standard parents. Hardening: AppLocker / WDAC enforcing signed-and-known-path DLL loads; restrict node.exe execution to development OUs.

Microsoft Defender Experts — AI-chatbot search-poisoning extends SEO-poisoning lure; GPU-utility lookalikes drop ScreenConnect, then process-hollowed miners under signed Microsoft binary

Microsoft Defender Experts documented an active cryptojacking campaign dating from March 2026 that uses GPU-utility brand impersonation (CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, PDFgear) as initial delivery via SEO poisoning (Microsoft Security Blog, 2026-05-26; The Hacker News, 2026-05-27). The operationally novel evolution is from April 2026: users querying AI chatbots for software-download recommendations were directed to attacker-controlled domains in generated responses — search-poisoning extended into the LLM-generation layer. Delivery chain: (1) fake utility site hosts a ZIP on a gleeze.com subdomain (DDNS via Dynu); (2) ZIP contains the legitimate executable alongside an autorun.dll; (3) DLL side-loading installs vcredist_x64.dll via msiexec.exe — a ScreenConnect packaged installer named to mimic Visual C++ Redistributable; (4) ScreenConnect establishes persistent remote access; (5) the session delivers SimpleRunPE.exe; (6) SimpleRunPE persists via Registry Run keys and scheduled tasks, configures Microsoft Defender exclusions, and uses process hollowing to inject miner code (gminer, lolMiner, SRBMiner-MULTI) into a Microsoft-signed binary. 150+ malicious domains identified since March 2026.

SANS ISC — Akira ransomware kill chain reconstructed entirely from SSLVPN syslog and Windows EVTX, no EDR [SINGLE-SOURCE]

SANS ISC handler Manuel Humberto Santander Pelaez published a forensic walkthrough on 2026-05-27 reconstructing an Akira ransomware intrusion using only two log sources — SSLVPN syslog and Windows EVTX exports — joined by source IP and normalised time (SANS Internet Storm Center, 2026-05-27). [SINGLE-SOURCE] — high-reliability technical primary, but no independent corroboration of the specific kill chain. Initial access (T1078.001 / T1133): non-distributed brute force from a single hosting-provider IP against a single local SSLVPN account that had been deprovisioned in Active Directory but remained provisioned as a local firewall user with no MFA. Discovery: EID 4688 captures nltest.exe /dclist:, net.exe group "Domain Admins" /domain, net.exe group "Enterprise Admins" /domain, whoami.exe /all, and a renamed AdFind.exe variant, all parented explorer.exe → cmd.exe. Credential access (T1558.003 Kerberoasting): a cluster of EID 4769 RC4-encrypted TGS requests for multiple SPNs from a single workstation within a 90-second window. Lateral movement (T1021.001): EID 4624 Logon Type 10 chain from jump host to file server, domain controllers, backup server; EID 4672 special-logon privileges on DC. Defense evasion + impact: EID 1102 security-log clear; sc.exe / net stop of endpoint-protection services (System EID 7036); vssadmin delete shadows /all /quiet.

Why it matters to us: the diary is a forensic-primer for any SOC operating without full EDR coverage — the standard scenario in smaller public-sector entities and DACH commune networks. Concrete takeaways the SANS ISC author makes directly: reconcile local SSLVPN account directories against AD source-of-truth (deprovisioned-in-AD-but-retained-in-firewall is the recurring initial-access pathway in this class); alert on > 50 failed SSLVPN auths from a single source per hour; enable EID 4688 process auditing on every Windows host, set Security log size ≥ 1 GB; alert on RC4 TGS-REP (EID 4769 EncryptionType=0x17) for multiple SPNs from one workstation in a short window; EID 1102 security-log clear is incident-grade in every case; time-sync every host including the firewall to the same NTP source so perimeter-to-endpoint joins remain reliable.