ctipilot.ch

CTI Daily Brief — 2026-06-03

Typedaily
Date2026-06-03
GeneratorClaude Opus 4.8 (`claude-opus-4-8`)
ClassificationTLP:CLEAR
LanguageEnglish
Promptv2.60
Items9
CVEs10
On this page

On this page

Tags (21)
Regions (5)
References (24)

0. TL;DR

  • Oracle WebLogic CVE-2024-21182 (CVSS 7.5) added to CISA KEV on evidence of active exploitation — an unauthenticated attacker reaching the T3 or IIOP listeners (default ports 7001/7002) gains unauthorized access to WebLogic-accessible data. Patched in Oracle's July 2024 CPU; the in-window signal is the fresh exploitation, not the 23-month-old fix. WebLogic remains common middleware in EU finance and public-sector estates (The Hacker News, 2026-06-02).
  • Google patches an actively-exploited, High-severity Android zero-day, CVE-2025-48595, in the June 2026 bulletin — an Android Framework integer overflow giving no-interaction local privilege escalation across Android 14/15/16; Google reports "limited, targeted exploitation" (a profile consistent with commercial-spyware use, though no source attributes this case). Full fix requires the 2026-06-05 patch level (Android Security Bulletin, 2026-06-01).
  • A four-year-old Linux container-escape, CVE-2022-0492, re-enters CISA KEV — the cgroup-v1 release_agent missing-CAP_SYS_ADMIN check lets a process in a permissively-profiled container execute code at host level. Today's deep dive (§ 5) covers the escape path and the mandatory-access-control hardening that closes it (CISA, 2026-06-02).
  • NCSC Switzerland issues a pre-event cyber advisory ahead of the G7 Évian summit (15–17 June) — the NCSC explicitly anticipates hacktivist DDoS against Swiss organisations (NCSC Switzerland, 2026-06-01); an independent threat map additionally flags state intelligence collection against hotel/telecom infrastructure and mobile-device targeting, echoing the NoName057(16) DDoS waves seen during Bürgenstock 2024 (ZENDATA, 2026-05-03). Most delegations transit Swiss infrastructure (Geneva–Vaud corridor).
  • Dashlane discloses a TOTP brute-force that downloaded the encrypted vaults of fewer than 20 personal-plan users — attackers exhausted the bounded six-digit TOTP keyspace to register a new trusted device, the same new-device-registration kill chain as the 2022 LastPass breach. Vaults stay master-password-encrypted but face offline cracking (TechCrunch, 2026-06-02).

3. Research & Investigative Reporting

Sophos finds an attacker-built, AI-orchestrated EDR-evasion testing lab during incident response

Sophos X-Ops disclosed an EDR-evasion development-and-testing environment recovered during an incident-response engagement and linked to an active (unnamed, still-under-investigation) ransomware group (Sophos X-Ops, 2026-06-02). The framework's Python payload generator — many modules partly AI-generated, with Russian-language comments — carried nearly 80 modules covering more than 70 evasion techniques. What distinguishes the lab is its agentic structure: a coordinator agent set rules for role-separated agents (EDR testing, OPSEC hardening, documentation, proxy stress-testing, VM deployment) connected over the Model Context Protocol to a Git repository, with the operator using the Cursor AI IDE and Ludus for rapid VM provisioning (Help Net Security, 2026-06-02). Payloads were tested against three isolated Windows Server 2022 VMs — one Sophos-equipped, one CrowdStrike-equipped, one EDR-free as baseline — with a Sliver/Cobalt Strike C2 stack and a Cloudflare Worker fronting the backend.

Why it matters to us: This is a concrete data point on adversaries operationalising agentic AI for detection-engineering against the exact EDR products (Sophos, CrowdStrike) deployed across CH/EU public-sector estates. The defensive principle is unchanged — the productivity multiplier is on the attacker's tooling, not a new bypass class — but it raises the priority of behavioural telemetry on payload-origin paths: Sophos noted the customer detection fired on "malicious payloads originating from a testing directory," a useful hunt pivot for anomalous build/test artefacts on endpoints.

ANNUAL REPORT — Sophos 2026 Active Adversary Report: identity is the dominant intrusion root cause [SINGLE-SOURCE]

Sophos published its 2026 Active Adversary Report (drawing on 661 IR/MDR cases) on 2026-06-02 (Sophos X-Ops, 2026-06-02). Per PD-9 this report gets one treatment; the findings that change defender priorities rather than the survey scorecard: identity-based compromise — stolen/valid credentials, brute force, and phishing — was the leading root cause, and missing or misconfigured MFA was present in a majority of incidents. Time from initial access to Active Directory compromise has compressed materially, with Impacket among the most frequently observed post-exploitation toolkits and AnyDesk the most-abused legitimate remote-access tool. The recurring telemetry blind spots are the actionable part: firewall logs were missing in roughly half of ransomware cases, and a meaningful share of compromised Windows Servers were running end-of-life builds. [SINGLE-SOURCE] (vendor IR telemetry report).

Why it matters to us: The hunt targets generalise directly to public-sector AD estates — alert on Impacket artefacts (impacket-* tool names in process trees, secretsdump-style NTDS access, SMBExec/WMIExec parent processes), instrument the initial-access-to-DC-compromise window, inventory EOL Windows Servers, and verify firewall log retention before an incident rather than during one.

SANS ISC: SVG phishing wave abuses a non-standard MIME type to slip past WAF/email pattern-matching [SINGLE-SOURCE]

SANS ISC handler Xavier Mertens documented a fresh wave of phishing emails carrying SVG attachments whose embedded JavaScript is obfuscated with combined Base64 + XOR encoding and, on decode, redirects the victim via window.location.href to a credential-harvesting page (SANS ISC, 2026-06-02). The notable evasion is the use of <script type="application/ecmascript"> instead of the standard text/javascript — browsers execute both identically, but email-security and WAF products that pattern-match specifically on text/javascript can miss the non-standard declaration. Because SVGs open natively in Windows browsers, the redirect fires on file open with no extra click. [SINGLE-SOURCE] (SANS Internet Storm Center). Detection: flag email attachments of Content-Type: image/svg+xml that contain embedded <script> elements; treat the application/ecmascript/application/javascript MIME variants as equivalent to text/javascript in inspection rules; sandbox SVG attachments before delivery and watch newly-registered low-cost TLDs (the campaign used a .cfd domain) at the proxy.

Operation XENOFISCAL: SideCopy (APT36) hits provincial treasury officials with XenoRAT via an mshta/HTA chain

Seqrite Labs documented Operation XENOFISCAL, a SideCopy (Transparent Tribe / APT36, Pakistan-attributed) campaign against finance officials across Afghanistan's 34 provincial treasury directorates (Mustoufiats) (Seqrite Labs, 2026-05-29). The chain is the group's long-standing signature — a spear-phishing ZIP carrying a Pashto-language LNK that invokes mshta.exe to pull an obfuscated HTA/JavaScript stage from a compromised education domain, which stages .NET loaders in memory before dropping the publicly available XenoRAT (keylogging, screen capture, remote shell) (The Hacker News, 2026-06-02). Persistence uses a Registry Run key typosquatting Microsoft Edge ("Edgre") plus a Scheduled Task; C2 ran on an EU-hosted bulletproof AS (AS59711) previously tied to the group. ATT&CK: T1566.001, T1218.005 (mshta proxy execution), T1547.001, T1053.005.

Why it matters to us: The victimology is South-Central Asian, but the LNK→mshta.exe→HTA→RAT pattern and the typosquatted-product Run-key persistence are directly transferable hunt content for any public-sector treasury/finance environment: alert on mshta.exe spawning wscript.exe or making outbound HTTP, and on Run-key values that misspell legitimate Microsoft product names.

4. Updates to Prior Coverage

UPDATE: Gamaredon weaponises WinRAR CVE-2025-8088 and adds the GammaSteel stealer

UPDATE (originally covered 2026-06-02): Sekoia TDR's "FSB's Matryoshka" series adds material technical detail to the Gamaredon (UAC-0010 / ACTINIUM) tooling consolidation covered yesterday: the group is exploiting the WinRAR path-traversal flaw CVE-2025-8088 as an initial-access vector, using the traversal to write payloads directly into %APPDATA%\…\Start Menu\Programs\Startup\ for persistence without a Registry or Scheduled-Task artefact (Sekoia TDR, 2026-06-01).

The series also names GammaSteel, a modular file-stealer (consolidating prior QuietSieve/HarvesterX-class modules) that captures files by extension and — newly — exfiltrates to attacker-controlled S3-compatible cloud storage in addition to Gamaredon's previously documented HTTP/Telegram channels (The Hacker News, 2026-06-02). The full chain runs WinRAR archive → GammaPhish (HTA) → GammaLoad (VBScript downloader) → GammaWorm/GammaSteel.

Delta for defenders: CVE-2025-8088 is fixed in WinRAR 7.13 (August 2025), so the entry vector is closed by patching — inventory WinRAR versions across the estate. Hunt for archive utilities writing executables or .vbs into Programs\Startup paths (Sysmon EID 11 on target path containing Programs\Startup), WinRAR spawning wscript.exe/mshta.exe, and VBScript processes making outbound requests to S3 endpoints inconsistent with normal business traffic. The targeting is Ukraine-centric, but the WinRAR vector reaches any organisation that opens archive-format lures.

Changes since first coverage(1 prior appearance)
  1. 2026-06-022026-06-02

5. Deep Dive — Linux cgroups v1 release_agent container escape (CVE-2022-0492) re-enters active exploitation

Background. CVE-2022-0492 was disclosed and patched in early 2022; Palo Alto Unit 42 published the canonical technical analysis in March 2022, walking through how the cgroup-v1 release_agent mechanism becomes a container-escape primitive and how earlier mainline kernels shipped without the missing capability check (Unit 42, 2022-03-07). It has sat quietly for four years. CISA's addition of the CVE to the Known Exploited Vulnerabilities catalog on 2026-06-02 (CISA, 2026-06-02) signals fresh in-the-wild exploitation — consistent with attackers harvesting the large tail of unpatched legacy kernels still running container-dense workloads.

The bug. The kernel's cgroup_release_agent_write() handler in kernel/cgroup/cgroup-v1.c failed to verify that a process writing the cgroup-v1 release_agent file holds CAP_SYS_ADMIN in the initial user namespace — CWE-862 Missing Authorization, CVSS 7.0 (Red Hat, CVE-2022-0492). The release_agent is a host path the kernel executes as root on the host whenever the last task leaves a cgroup that has notify_on_release set. Because the write was under-authorised, a process that can mount or reach a writable cgroup-v1 hierarchy can point release_agent at an attacker-controlled script and then empty a cgroup to trigger it — code execution crosses the container boundary into the host root context. This is the textbook T1611 Escape to Host (MITRE ATT&CK T1611).

Exploitation prerequisites — where it actually bites. The attacker needs prior code execution inside a container (initial access via some other vector — an exposed app, a malicious image, a prior § 1-class foothold). The escape requires the ability to mount a cgroup-v1 hierarchy and write release_agent, which in turn requires CAP_SYS_ADMIN in the user namespace that owns that hierarchy. Unit 42 details the dangerous unprivileged path: a process creates a new user namespace (unshare) to obtain CAP_SYS_ADMIN within that namespace and mount a cgroup-v1 hierarchy — viable when the container runtime has not confined the workload with a seccomp profile blocking the mount/unshare calls or an AppArmor/SELinux policy (Unit 42's final write-up scopes the technique to this unprivileged path). A workload directly granted CAP_SYS_ADMIN reaches the same mount/release_agent primitive trivially, which is why over-broad capability grants are dangerous in their own right. The common denominator is a permissively-profiled container: no seccomp, no mandatory-access-control LSM. Self-hosted Kubernetes clusters and bespoke runtimes that strip the default Docker seccomp profile are the typical exposed surface; managed clusters with hardened pod-security defaults and cgroup-v2-only hosts are largely out of scope.

Kill chain. Initial access into the container (T1190/T1610-class) → discovery of cgroup-v1 writability and capability set (T1082) → T1611 Escape to Host: mount a cgroup-v1 controller, set notify_on_release=1, write a host-path payload into release_agent, then spawn-and-exit a process inside a child cgroup so the kernel executes the payload as host root → host-level execution, after which the operator has the usual post-escape options (credential theft from the host, lateral movement to the orchestrator control plane, T1610 deploying further containers).

Hunt and detection concepts (no rule code): the highest-signal artefact is a write to a release_agent file anywhere under /sys/fs/cgroup/** by a non-root or containerised process — Falco/sysdig ship a community rule for exactly this, and auditd can watch the path. Pair it with auditing of in-container mount() of cgroup filesystems and unshare/clone calls that create new user namespaces (auditd syscall rules), and with Linux Sysmon (EID 1) on processes whose executable path was just written via a cgroup release_agent. On the host, a root-context process spawned with no normal parent lineage (kernel-invoked) executing a script from a container-writable path is the escape firing.

Hardening / mitigation. Patch the kernel to 5.17+ or apply the distro backport (every maintained enterprise distro shipped one in 2022) — this restores the CAP_SYS_ADMIN check and closes the class. Independently of patching, the misconfiguration controls neutralise the path: enforce a seccomp profile (the Docker/containerd defaults already block the required mount), apply AppArmor or SELinux confinement to every workload, never grant CAP_SYS_ADMIN to application containers, and move hosts to cgroup v2 exclusively (systemd.unified_cgroup_hierarchy=1), which does not expose the release_agent escape primitive at all. Mounting /sys/fs/cgroup read-only inside containers removes the write target. For Swiss/EU public-sector teams running self-managed Kubernetes or container hosts on long-lived LTS kernels, this KEV addition is the prompt to verify both the kernel patch level and the pod-security/seccomp baseline, since either control alone defeats the escape.

6. Action Items

  • Close internet exposure of Oracle WebLogic T3/IIOP and confirm the July 2024 CPU is applied (§ 2, CVE-2024-21182). It is actively exploited unauthenticated; block T3/IIOP at the perimeter, restrict to internal admin subnets via connection filters, and alert on external initiators to ports 7001/7002.
  • Push the Android 2026-06-05 patch level across MDM/EMM fleets and gate non-compliant devices for CVE-2025-48595 (§ 2) — prioritise Swiss federal/cantonal devices given the G7 Évian travel window.
  • Verify container hosts on two axes for CVE-2022-0492 (§ 5): kernel ≥ 5.17 (or distro backport) and a seccomp/AppArmor/SELinux baseline on every workload; migrate hosts to cgroup-v2-only. Deploy the Falco/auditd watch on release_agent writes under /sys/fs/cgroup.
  • Run G7 Évian readiness for Geneva–Vaud-corridor and Swiss public-sector orgs (§ 1): pre-stage DDoS mitigation, review customer-facing-IdP MFA, rotate admin credentials before 15 June, and brief travelling staff on mobile-device physical security.
  • Inventory WinRAR to ≥ 7.13 and hunt Startup-folder writes to close the Gamaredon CVE-2025-8088 entry vector (§ 4); alert on archive utilities writing .exe/.vbs into Programs\Startup.
  • Move credential-manager and high-value account authentication off TOTP to FIDO2/passkeys (§ 1, Dashlane), and add detection for rapid sequential auth attempts carrying different OTP values from one source.
  • Operationalise the Sophos AAR hunt targets (§ 3): alert on Impacket artefacts (secretsdump/SMBExec/WMIExec), audit AnyDesk use, verify firewall-log retention, and inventory EOL Windows Servers before an incident forces the question.

7. Verification Notes

  • Recency window: 36 h (gap to prior daily 2026-06-02 ≈ 24 h — standard daily class; no coverage-window extension required).
  • Items dropped (dedup / already covered):
    • Operation Dragon Weave (China-aligned RUSTCLOAK → AZUREVEIL/AdaptixC2, Czech Republic/Taiwan; surfaced by S3 and S4) — already covered in full as the 2026-06-02 deep dive; no material in-window delta, dropped.
    • KnowledgeDeliver CVE-2026-5426 (Mandiant ViewState/machineKey unauth RCE) — already covered in the 2026-W22 weekly vulnerability roll-up; primary disclosure 2026-05-25 is out-of-window. Dropped.
  • Items dropped (out-of-window, PD-7):
    • South Staffordshire Water ICO £963,900 Cl0p fine (ZeroLogon CVE-2020-1472, 20-month undetected persistence) — strong water-sector/NIS2 content, but the enforcement action dates to 2026-05-12 (~3 weeks old) with no fresh in-window development; only the enforcement-register listing carried an in-window timestamp. Held out; may resurface if a fresh angle appears.
    • Trend Micro Apex One CVE-2026-34926 (directory traversal, agent-update-channel abuse) — vendor/CERT-FR advisories date 2026-05-21/22 (out-of-window) and the CVE is already in cves_seen; the only in-window hook was the US-FCEB KEV remediation deadline, which is not a fresh-threat signal for this audience (PD-13). Dropped.
    • Windows DNS Client CVE-2026-41096 (CVSS 9.8) and Hyper-V CVE-2026-40402 (CVSS 9.3) — May 2026 Patch Tuesday flaws (patched 2026-05-12, out-of-window); MSRC assesses exploitation "Unlikely"/"Less Likely" (PoC-only for the DNS flaw), so neither clears a § 2 active-exploitation gate. The in-window NCSC-NL advisory update concerned active exploitation of the companion Netlogon flaw CVE-2026-41089, which was already covered on 2026-06-02. Dropped.
    • codexui-android npm OpenAI Codex token theft (Aikido Security) — primary disclosure 2026-05-27 and corroboration 2026-06-01 both fall outside the 36 h window; logged for possible later pickup if fresh reporting appears.
  • Items dropped (verification / fake-news guard):
    • FSB claim of Western-intelligence spyware on Russian officials' phones — single self-attributing FSB statement (carried by The Record and Meduza, 2026-06-02) with no CVE, sample, or independent technical corroboration; excluded as awareness-only per the fake-news guard. Will be reassessed if technical evidence surfaces.
  • Items dropped (periodic-report dedup, PD-9):
    • ENISA NIS360 2026 (rail/drinking-water/wastewater enter the risk zone) — the periodic report was already given its dedicated treatment in the 2026-W22 weekly policy section; not re-summarised here.
  • Reduced confidence (aggregator-only sourcing): the Dashlane item (§ 1) is backed by TechCrunch, The Hacker News and BleepingComputer — Dashlane's own support advisory returned HTTP 403 and no vendor/regulator primary was reachable. TechCrunch (Zack Whittaker) is original reporting rather than a pure restatement, but all three are journalism hosts; treat the technical specifics as press-sourced pending a vendor advisory.
  • Single-source items (flagged in-line): Sophos 2026 Active Adversary Report (§ 3 — single vendor IR-telemetry report; vanity percentages deliberately omitted per PD-4, only structural/hunt findings carried); SANS ISC SVG-phishing diary (§ 3 — sole source SANS Internet Storm Center, HIGH-reliability primary technique research). The § 5 deep dive (CVE-2022-0492) leans on Unit 42 for mechanics plus CISA as the in-window KEV-addition disclosing party (national-CERT carve-out for the exploitation-status fact).
  • Contradictions / notes: sub-agents disagreed on the WinRAR CVE-2025-8088 fixed version (7.10 vs 7.13); the brief states 7.13 (August 2025), the version consistent with the vendor's published fix. The unverified "Cobalt Strike / Sodinokibi honeypot payload" detail one sub-agent attached to the WebLogic item was dropped — the cited reporting confirms active exploitation but not those specific payloads.
  • Sub-agents: S1–S4 all returned (Claude Sonnet 4.6). No stalls.
  • Coverage gaps: databreaches-net (Wayback fallback unusable; persistently unavailable); inside-it-ch (Cloudflare challenge / 403, Wayback unusable); sophos-xops (blog feed HTTP 503 — content recovered via WebSearch + direct article fetch, not a true gap); cert-fr-actu-recent (actualité feed stalled at October 2025); cnil-fr (no in-window enforcement action identified); sec-disclosures-edgar (no qualifying 8-K Item 1.05 cyber-incident filings in window); cisco-psirt, jpcert, apple-security — no in-window items found.