CTI Daily Brief — 2026-05-30

CNIL fines IQVIA Operations France €5M for health data warehouse security failures: no MFA, no log monitoring, no network segmentation

France's CNIL fined IQVIA Operations France €5 million on 26 May 2026 for systematic GDPR violations across two authorised health data warehouses, LRX (fed by ~14,000 pharmacies) and EMR (fed by thousands of GPs) (CNIL, 2026-05-28). The CNIL enumerated five control failures: (1) IQVIA operated the warehouses outside the scope of its CNIL authorizations — deliberations 2018-289 and 2021-015 approved specific study types, and IQVIA conducted studies beyond those terms (Art. 66 of the French Data Protection Act); (2) patients were not informed that IQVIA acted as a data controller for their prescription data, violating GDPR Art. 14 information obligations; (3) multi-factor authentication was absent from all warehouse access paths; (4) no automated connection-log monitoring or alerting was in place — IQVIA confirmed retrospective deployment only after the CNIL investigation commenced; (5) no network segmentation between the health data warehouse and other IQVIA corporate infrastructure. The fine magnitude reflects the scope — "several tens of millions" of individuals — and IQVIA's market position. A compliance order with a €10,000/day penalty period accompanies the fine. For defenders this ruling operationalises baseline controls now explicitly expected for health data warehouse operations: MFA on all warehouse access paths, automated log alerting, network segmentation between sensitive-data stores and corporate infrastructure, and strict compliance with CNIL authorization scope for each study type conducted.

Ghost Stadium PhaaS — 300+ FIFA domain clones, multi-language fake SSO, targeting UK/Germany/Portugal/Spain fan credentials before June 11 kickoff

The FBI issued PSA260527 on 27 May 2026 warning that a Chinese-speaking financially-motivated threat actor tracked by Group-IB as Ghost Stadium has deployed more than 300 phishing sites impersonating fifa.com, all reproducing the official site pixel-for-pixel including a fake single-sign-on authentication flow in multiple languages (FBI IC3 PSA260527, 2026-05-27; BleepingComputer, 2026-05-28). Typosquatted domains span alternative TLDs (.org, .xyz, .live, .sale) and character substitutions; additional fake employment portals impersonate FIFA HR functions. Criminal objectives include credential and financial-data theft via the fake SSO, counterfeit ticket and hospitality sales, fake merchandise and streaming-rights fraud. UK, Germany, Portugal, and Spain are explicitly named as target demographics. Browser-based security controls (Safe Browsing, SmartScreen) do not protect against freshly-registered domains before abuse is reported. For defenders at organisations with large employee populations purchasing World Cup tickets: advise bookmarking https://www.fifa.com directly; treat any search-result-sponsored result for FIFA ticket purchases as unverified. The high-intensity fraud window is the lead-up to the July 19 final.

GREYVIBE — newly documented Russia-nexus cluster deploys five parallel attack chains against Ukraine with AI-generated lures and two PowerShell RATs

WithSecure Labs disclosed GREYVIBE on 28–29 May 2026, a previously-unnamed Russia-nexus threat cluster active since at least August 2025, targeting Ukrainian military, government, civilians, and businesses (WithSecure Labs, 2026-05-29; SecurityWeek, 2026-05-28). Five parallel attack chains: PhantomMail (spear-phishing with ZIP/RAR archives via Google Drive and 4sync), PhantomClick (fake CAPTCHA/ClickFix pages impersonating Zoom and LAPAS), PrincessClub (fraudulent adult-club sites with WebRTC-based social engineering), DroneLink (counterfeit Ukrainian Armed Forces charity sites), and Nebo (fake Russian military login portals). Core malware: LegionRelay (PowerShell RAT with file theft, screenshots, credential harvesting, RDP access; RC4 C2 comms), PhantomRelay (PowerShell RAT with dynamic script loading and watchdog persistence), and FallSpy (Android spyware for contact, call log, and geolocation extraction). Four custom obfuscators — LOOKVALPS, LOOKVALJS, DAYLIGHT, TEASOUP — were assessed as LLM-assisted developments. Attribution evidence: Russian-language panels and code comments; C2 servers in UTC+3 (Moscow time); OPSEC failures including public scan-platform uploads. WithSecure identifies possible links to UAC-0098 (former TrickBot associates). MITRE ATT&CK: T1566.001/T1566.002, T1059.001, T1005, T1204.001, T1133. Detection: alert on PowerShell spawned from archive-extraction utility parent processes; hunt scheduled tasks created by PowerShell beaconing to dynamic DNS; Android MDM alerts on sideloaded APKs accessing mic/camera. Organisations supporting Ukrainian government or civil-society counterparts are within the targeting scope.

LLMShare malvertising campaign: attackers embed fake outage pages in ChatGPT share links and serve infostealer downloads via Google Ads

Push Security documented LLMShare, a malvertising campaign in which attackers buy Google Ads targeting "ChatGPT" and "ChatGPT download" queries (Push Security, 2026-05-29; BleepingComputer, 2026-05-29). Victims clicking the ads land on legitimate chatgpt.com/s/[unique-id] share URLs that render attacker-controlled HTML — a fake high-traffic outage page with a "Download our desktop app to continue" button — directly from the OpenAI domain. Because chatgpt.com is trusted by enterprise web-filtering rules and firewalls, the landing page is not blocked. The download button redirects to an attacker-controlled domain impersonating OpenAI; the site uses cloaking (serves a benign page to scanners). Windows users receive an infostealer payload. The technique exploits the same ChatGPT Artifacts/sharing feature previously abused in the ACR Stealer campaign (covered 2026-05-26) and extends it to malvertising. Detection: monitor for browser-spawned executable downloads from chatgpt.com domains — legitimate ChatGPT desktop app downloads do not originate from that path; alert on unusual process launch from browser-extracted or browser-downloaded unsigned executables. MITRE ATT&CK: T1566.002, T1204.001, T1036, T1027.

CVE-2026-0257 — Palo Alto PAN-OS GlobalProtect: Pre-Auth Authentication Bypass via Certificate Reuse

Authentication override cookies in PAN-OS GlobalProtect are encrypted using the portal or gateway certificate. When that same certificate is shared with another service (most commonly the HTTPS service — a non-default but operationally common configuration), an unauthenticated attacker can extract the certificate's public key from the HTTPS service and forge valid authentication override cookies, obtaining a full VPN session without credentials (Palo Alto Networks PSIRT, 2026-05-29). Root cause: CWE-565 (Reliance on Cookies Without Validation and Integrity Checking). CVSS 4.0 = 7.8 HIGH (Exploit Maturity: ATTACKED). Affected: PAN-OS 10.2.x, 11.1.x, 11.2.x, 12.1.x; Prisma Access 10.2 and 11.2; Panorama and Cloud NGFW are not affected. Rapid7 MDR observed two exploitation waves — 18 May from Vultr-hosted infrastructure, 21 May from Dromatics Systems IP space — both sharing a deliberately spoofed, easily-recognisable MAC address pattern and machine names GP-CLIENT (Linux) and DESKTOP-GP01 (Windows), indicating a single actor (Rapid7 ETR, 2026-05-29). A public PoC is available. CISA added CVE-2026-0257 to KEV on 29 May. Detection: GlobalProtect connection logs with cookie-based auth-override events sourced from unexpected IP blocks; sessions authenticating without prior MFA web-step; PCAP anomaly of identical MAC across geographically-disparate sessions. Immediate remediation: upgrade to fixed PAN-OS versions (10.2.7-h34+, 11.1.4-h33+, 11.2.4-h17+, 12.1.4-h6+ and subsequent maintenance releases — full version table in the vendor advisory); or disable authentication override cookies; or assign an exclusive certificate to GlobalProtect not shared with any other service.

CVE-2026-48710 "BadHost" — Starlette (FastAPI / vLLM / LiteLLM / MCP SDK): Pre-Auth Auth Bypass via Malformed Host Header

Starlette < 1.0.1 reconstructs request.url by concatenating the HTTP Host header with the request path and re-parsing the composite string, but validates each component under separate rules (X41 D-Sec Advisory x41-2026-002, 2026-05-22; GitHub Advisory GHSA-86qp-5c8j-p5mr). Injecting a /, ?, or # into the Host header (e.g. Host: example.com/health?x=) shifts the path boundary reported by request.url.path, causing middleware applying path-based access control to authorise access to an unintended route while the ASGI handler serves the attacker-specified one. A single curl -H 'Host: foo?' localhost:8000/admin bypasses authentication. Root cause: CWE-436 (Interpretation Conflict). CVSS 3.1 = 6.5 (GitHub Advisory); X41 scores 7.0 under CVSS 4.0. Affected: all Starlette versions ≥ 0.8.3, < 1.0.1; downstream dependents include FastAPI, vLLM, LiteLLM, Google ADK-Python, BentoML, Gradio, Langflow, Open WebUI, and the Python MCP SDK — approximately 325 million weekly downloads and 400,000+ GitHub dependents. Discovered by X41 D-Sec during an OSTIF-sponsored vLLM audit. Nginx, Apache, Caddy, Traefik, HAProxy, and Cloudflare all terminate malformed Host headers upstream; only direct-listen Python ASGI deployments without a compliant reverse proxy are exposed. No confirmed exploitation as of publication. NCSC-NL issued advisory NCSC-2026-0171 on 29 May; CCB Belgium issued a "Patch Immediately" advisory. Fix: upgrade Starlette to ≥ 1.0.1 (or pull FastAPI ≥ 0.115.5, vLLM ≥ 0.23.0, or the equivalent downstream package that pins the fixed Starlette). If patching is not immediately possible, place a compliant reverse proxy in front of any ASGI application using path-based access control. Detection: parse web-server access logs for Host header values containing /, ?, or # followed by path components.

CVE Summary Table

ANNUAL REPORT — ESET APT Activity Report Q4 2025–Q1 2026: Sandworm strikes NATO energy, Lazarus targets EU drone sector, UNC5221 pivots to Ivanti SPAWN toolset

ESET published its APT Activity Report covering October 2025 through March 2026 on 28 May 2026 (ESET WeLiveSecurity, 2026-05-28). EU- and NATO-relevant findings for public-sector defenders: Sandworm (Russia/GRU) intensified destructive winter operations against Ukrainian infrastructure and targeted a Polish energy company in December 2025 — a NATO member state critical-infrastructure attack attributed with medium confidence; this represents continued Sandworm willingness to conduct wiper operations beyond Ukraine's borders. Sednit/APT28 deployed Covenant and BeardShell implants against Ukrainian military, drone manufacturers, and logistics companies. Lazarus Group ran Operation DreamJob targeting European drone manufacturers — ESET assesses this as technology acquisition for North Korea's weapons programme. Operation DangerousPassword compromised the axios JavaScript library (100+ million weekly npm downloads), injecting trojanised code and demonstrating ongoing North Korea supply-chain interest in developer ecosystem targeting. UNC5221 (China-nexus) deployed a new implant assessed as part of the SPAWN toolset, specifically targeting Ivanti VPN appliances (Connect Secure, Policy Secure); organisations running unpatched Ivanti VPN should audit for SPAWN toolset artefacts including SPAWNANT installer, SPAWNMOLE tunneller, SPAWNSNAIL SSH backdoor, and SPAWNSLOTH log-tampering utility. The report PDF is available at https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-apt-activity-report-q4-2025-q1-2026.pdf. Key defender actions: (a) confirm Sandworm wiper detection capability (file-destruction followed by MBR/VBR overwrite patterns, VSS deletion); (b) review Ivanti VPN logs for SPAWN footprints per CISA AA24-060A indicators; (c) audit npm dependency trees for axios versions <1.8.0 or 0.x released after the DangerousPassword campaign window.

Kimsuky (Velvet Chollima) deploys HTTPSpy RAT and Rust-based HelloDoor via VS Code Remote Tunnel and Cloudflare Quick Tunnel C2

ENKI WhiteHat and The Hacker News documented Kimsuky campaigns in March and April 2026 targeting South Korean military personnel and corporate entities with two malware chains (The Hacker News, 2026-05-29; ENKI WhiteHat, 2026-05-27). March chain: masquerade installers for nProtect Online Security and AhnLab Safe Transaction launch MemLoader.dll via regsvcs.exe, which downloads HTTPSpy. April chain: fake Webex meeting page delivers encrypted JavaScript (.jse extension) which stages a PowerShell downloader, ultimately installing HTTPSpy. HTTPSpy is a full-capability RAT (first observed 2022; previously used against a German defence manufacturer May–September 2024): RC4-encrypted C2, shell execution, file upload/download, screenshot capture, process injection, self-deletion. HelloDoor is a Rust-based PebbleDash variant (assessed LLM-assisted per ENKI): configurable sleep, command execution, directory traversal. C2 evasion: Kimsuky now abuses Visual Studio Code Remote Tunneling (authenticated via GitHub OAuth, registered via code --tunnel --name <name>) and Cloudflare Quick Tunnels (cloudflared.exe) — neither can be blocked by IP or domain without blocking Microsoft and Cloudflare respectively. JSONPing confirms active infections via a locally-running HTTP server, reducing exposure of attacker infrastructure. MITRE ATT&CK: T1036 (Masquerading), T1059.001 (PowerShell), T1059.007 (JavaScript), T1071 (Application Layer Protocol). Detection: hunt for regsvcs.exe as a parent of DLL loads in non-.NET-Framework contexts; alert on VS Code CLI processes with --tunnel argument from non-developer endpoints; audit GitHub OAuth app grants for unrecognised VS Code tunnel registrations; monitor cloudflared.exe on managed endpoints without prior baseline.

Sysdig TRT: first observed LLM-agent-driven post-exploitation — CVE-2026-39987 Marimo notebook RCE to database exfiltration in 4 pivots under one hour

Sysdig's Threat Research Team documented what they assess as the first in-the-wild LLM-agent-driven intrusion, observed on 10 May 2026 (Sysdig TRT, 2026-05-26; The Hacker News, 2026-05-29). Initial access: exploitation of CVE-2026-39987, a pre-auth RCE in Marimo notebook < 0.20.4 (patched in 0.23.0) on an internet-accessible instance (T1190). An AI agent then drove four autonomous pivots: (1) extracted two cloud credentials from the host filesystem (T1552.001); (2) replayed them via a Cloudflare Workers egress pool to call AWS Secrets Manager APIs and retrieve an SSH private key (T1555); (3) executed eight parallel SSH sessions against a downstream bastion (T1021.004); (4) exfiltrated the full schema and contents of a downstream PostgreSQL database within two minutes (T1048). Sysdig identified LLM agent involvement from four artefacts: improvised schema discovery without environmental foreknowledge; a Chinese-language planning comment in the command stream ("看还能做什么" — "See what else we can do"); machine-optimised command formatting (delimiter-separated, bounded output, stderr discarded, less disabled); and sequential hand-off of output values as inputs to subsequent commands. Cloudflare Workers obscured the origin IP. No attribution was made. Defender countermeasures: update Marimo to ≥ 0.23.0; restrict internet-accessible notebook deployments; monitor AWS CloudTrail for Secrets Manager GetSecretValue calls from unexpected IPs; restrict SSH bastion access to known CIDR ranges.

ChatGPhish: Permiso Security documents ChatGPT Markdown renderer trusting third-party image URLs and links — used for IP exfiltration and phishing via legitimate chatgpt.com

Permiso Security's P0 Labs (researcher Andi Ahmeti) disclosed on 29 May 2026 that ChatGPT's web summarisation feature unconditionally trusts and renders Markdown image URLs and links extracted from third-party pages, executing them inside the trusted chatgpt.com UI (Permiso Security P0 Labs, 2026-05-29; The Hacker News, 2026-05-29). An attacker embedding a small Markdown payload on any web page (GitHub README, SaaS dashboard, documentation portal) triggers the attack when a victim asks ChatGPT to summarise the page: the payload executes silently and can exfiltrate the victim's IP, User-Agent, and Referer via attacker-hosted image fetch; render malicious links styled as ChatGPT output; inject fake security alerts; and serve QR codes from attacker-controlled S3 buckets that bypass desktop URL filters by moving the click action to mobile. Permiso submitted to OpenAI via Bugcrowd on 29 April; after follow-up on 7 May, OpenAI marked it as not reproducible then as not applicable, without resolution. No CVE assigned. Defenders using ChatGPT for document summarisation in enterprise workflows should: restrict ChatGPT access to internal documentation portals; educate users that any AI-summarised third-party page can carry attacker instructions embedded in rendered output.

[SINGLE-SOURCE] Red Canary: detecting Entra Agent ID privilege escalation — credential injection into agent blueprints enables lateral movement across the entire tenant

Red Canary published a detection-engineering primer on 27 May 2026 on the AgentIdentityBlueprint.AddRemoveCreds.All role in Microsoft Entra's new Agent ID identity class — autonomous app identities that act in a tenant without human interaction (Red Canary, 2026-05-27). A misconfigured or adversary-controlled agent identity holding this role can add client secrets to any agent blueprint, then authenticate as any agent identity in the tenant — including high-privilege ones — after legitimate credential rotation. The full privilege-escalation chain: agent app → malicious role assignment (AgentIdentityBlueprint.AddRemoveCreds.All) → credential injection into target blueprint → authenticate as high-privilege agent → pivot to all downstream resources that blueprint can access. Relevant log sources: AuditLogs — look for "Update application – Certificates and secrets management" with a non-human InitiatedBy.app.servicePrincipalId; MicrosoftGraphActivityLogs — Graph API calls from agent service principals with unusual IP and UserAgent fields; AADServicePrincipalSignInLogs — filter on Agent.agentType: agenticAppInstance. Correlation: match SignInActivityId from Graph logs to UniqueTokenIdentifier in sign-in logs to reconstruct credential-add-to-authentication chains. MITRE ATT&CK: T1098 (Account Manipulation), T1078.004 (Valid Accounts: Cloud Accounts). Swiss public-sector M365 deployments adopting AI agents via Copilot Studio or Azure AI Foundry should establish baselines for each agent identity's API scope and alert on credential additions to blueprints by any identity other than the provisioning pipeline. [SINGLE-SOURCE]

UPDATE: Nightmare Eclipse / Chaotic Eclipse — Microsoft's Digital Crimes Unit threatens criminal action; GreenPlasma and MiniPlasma (`cldflt.sys` SYSTEM escalation) remain unpatched; researcher announces July 14 drop

UPDATE (originally covered 2026-W21): Microsoft's Digital Crimes Unit issued a formal public statement on 28–29 May 2026 calling uncoordinated zero-day releases "never justifiable" and warning its DCU would "continue bringing cases against these actors and those that enable their criminal activity" (The Record, 2026-05-29). The pseudonymous researcher Nightmare Eclipse / Chaotic Eclipse responded by threatening a new vulnerability release on 14 July 2026 (the next Patch Tuesday).

Of the six Windows vulnerabilities the researcher has released since early April: BlueHammer (CVE-2026-33825), UnDefend (CVE-2026-45498), and RedSun (CVE-2026-41091) are patched and saw confirmed in-the-wild exploitation following PoC publication. YellowKey (CVE-2026-45585 — BitLocker bypass via Windows Recovery Environment, requiring physical access), GreenPlasma (LPE class), and MiniPlasma remain unpatched as of 30 May 2026. MiniPlasma specifically abuses the Windows Cloud Files Mini Filter Driver (cldflt.sys) to achieve a SYSTEM shell from a standard user session on fully-patched Windows 11; the root cause is assessed as an incomplete remediation of CVE-2020-17103 (no CVE yet assigned to MiniPlasma itself).

The July 14 release deadline should be treated as a hard date for resolving any outstanding Windows LPE chain gaps. Defenders on Windows 11 estates should monitor for cldflt.sys-related anomalies and consider AppLocker/WDAC policies blocking unsigned executables from low-privileged user sessions while patches are pending. Next Patch Tuesday: 10 June 2026.

UPDATE: Ivanti Secure Access Client — NCSC.ch adds CVE-2026-8992 (local privilege escalation, CVSS 7.8) to May advisory

UPDATE (originally covered 2026-05-08): NCSC Switzerland updated its Ivanti May 2026 advisory on 29 May 2026, adding CVE-2026-8992, a local privilege escalation in the Ivanti Secure Access Client (NCSC Switzerland Security Hub, 2026-05-29). CVSS 3.1 = 7.8 HIGH. A locally-authenticated attacker on a managed endpoint running the Ivanti SAC client can escalate from a standard Windows user session to local admin. Ivanti patched CVE-2026-8992 in all SAC client versions released on or after 12 May 2026. This is secondary to the actively-exploited CVE-2026-6973 (Ivanti EPMM admin-authenticated RCE, CISA KEV) which remains the highest-severity Ivanti item. Detection: Windows Event IDs 4672 and 4673 (special privilege assignment) correlated with Ivanti SAC process lineage (ivanti-vpn.exe, Ivanti Secure Access Client.exe). Hardening: update SAC client to any release from 12 May 2026 or later via EPMM-managed software inventory.