CTI Daily Brief — 2026-06-05

VerdantBamboo (UNC5221 / WARP PANDA): an 18-month China-nexus intrusion that lived entirely on EDR-blind edge appliances and proxied into Microsoft 365 past Conditional Access `[SINGLE-SOURCE]`

Volexity attributes an incident-response case at a European organisation to a China-linked actor it tracks as VerdantBamboo (assessed with high confidence as UNC5221, also WARP PANDA), with access dating back at least 18 months (Volexity, 2026-06-04). Initial access came through the victim's MSP: the actor had planted a BSD build of the BRICKSTORM Golang backdoor on the MSP's pfSense firewall. The defining tradecraft is deliberate EDR avoidance — every implant sat on appliances that cannot run an endpoint agent (firewall, Synology NAS, a retired GroupWise server) or on an Egnyte Storage Sync Linux VM. BRICKSTORM's proxy capability on the Storage Sync host let the actor route authentication to the victim's M365 tenant through that appliance's trusted egress IP, defeating Conditional Access rules that would have blocked an unrecognised source address (T1090 internal proxy, T1078.004 cloud accounts). After Volexity's first remediation, VerdantBamboo simply re-authenticated to the firewall with stolen admin credentials, re-enabled SSL VPN, and redeployed BRICKSTORM to the NAS — alongside two previously undocumented implants: AGENTPSD (a PyInstaller-packaged Python HTTPS reverse shell kept as a fallback) and PLENET/GRIMBOLT (a .NET Native AOT backdoor on a Linux NAS).

Why it matters to us: this is the precise threat model a federal SOC carries — an MSP relationship plus a fleet of edge appliances that are invisible to EDR by design. Detection has to move off the endpoint: hunt M365 sign-in logs for interactive auth originating from the egress IPs of NAS / storage-sync / firewall appliances (those should never originate user logins), alert on SSL-VPN re-enablement and admin auth to perimeter devices, and treat any appliance the vendor forbids you from instrumenting as an assumed-breach surface. Mandate MFA on all firewall management and SSL-VPN interfaces, and put the MSP's access to your perimeter under the same scrutiny as a privileged insider. [SINGLE-SOURCE] — Volexity primary IR (see § 7).

Proofpoint TA4922: a China-nexus cybercrime cluster expands from Japan into Germany, the UK and Italy with native-language lures and DLL-side-loaded Atlas RAT

Proofpoint reports that TA4922, a Chinese-speaking, financially-motivated cluster it assesses as running the highest campaign tempo of any cybercrime actor it tracks, expanded in March–April 2026 from its historical Japanese focus to localised campaigns against UK, German, Italian and South African organisations (The Hacker News, 2026-06-04; BleepingComputer, 2026-06-04). Lures are carefully tailored in the target's native language — tax-authority, HR/payroll and invoice themes — and the toolkit now pairs the known ValleyRAT (Winos 4.0) with newly observed families: Atlas RAT (a C-based RAT) and RomulusLoader, which DLL-side-loads (T1574.002) AnyDesk and SyncFuture, plus SilentRunLoader, a Python infostealer pulling Chrome credentials and cookies (T1555.003). A notable TTP shift is the deliberate move of conversations to LINE, WhatsApp and Microsoft Teams to pull targets off enterprise email controls before payload delivery.

Why it matters to us: German and UK targeting with native-language tax/payroll lures puts DACH public-sector and finance staff squarely in scope. Hunt for DLL side-loading chains where trusted binaries (AnyDesk, SyncFuture) load from unexpected working directories, for Python processes reaching DPAPI / Chrome credential stores, and for unsolicited inbound contact on LINE/WhatsApp/Teams that pivots to a "document" — the out-of-band channel is where the email gateway loses visibility.

Unit 42 Operation FlutterBridge: notarized macOS backdoor hides its logic in a remote WebView and exfiltrates documents through an "AI summarise" feature

Unit 42 details Operation FlutterBridge, the evolution of cluster CL-CRI-1089 (active since August 2025), which distributes macOS backdoors disguised as productivity apps (PodcastsLounge, PDF-Brain, PDF-Ninja) via hundreds of Google Ads bought through verified shell companies (Unit 42, 2026-06-02; The Hacker News, 2026-06-04). Every sample was signed with a valid Apple Developer ID and passed notarization, with zero VirusTotal detections at analysis time — Gatekeeper does not catch these. The FlutterShell payload keeps its malicious logic on an attacker-controlled website and uses a Flutter JavaScript-to-native bridge to translate JSON commands into native macOS calls, so capability changes need no new binary. Confirmed behaviour: arbitrary shell execution, file read/write, environment-variable theft, Chrome hijacking via the "Secure Preferences" file, and document exfiltration routed through the attacker's server under the guise of an AI document-summarisation feature. Targeting is global with explicit emphasis on Western Europe, including France and Germany.

Why it matters to us: notarization-bypassed, Developer-ID-signed macOS malware defeats the controls most teams lean on for Mac fleets. The reliable detection layer is behavioural: macOS endpoint telemetry for apps that instantiate a WKWebView with a custom JS message handler that then spawns shell processes, non-browser writes to Chrome's Secure Preferences, and outbound connections from "productivity" apps to CDN-fronted infrastructure.

UK National Federation of Subpostmasters hit by ransomware via a cPanel flaw; disruption persists into June

The UK National Federation of Subpostmasters (NFSP) was struck by ransomware around 30 April 2026 after attackers exploited a vulnerability in cPanel to gain initial access, manipulate server-side files, and lock out administrative accounts before deploying ransomware (Computer Weekly, 2026-06-04; Risky Business, 2026-06-05). As of early June the parent Post Office had suspended all email to and from the @nfsp.org.uk domain as a precaution; NFSP says no data was lost and reported the incident to the ICO. The entry vector is the operative detail: cPanel — ubiquitous in shared hosting and small-org infrastructure — remains under-patched, and authentication-bypass / privilege-escalation flaws in it map cleanly to T1190 (Exploit Public-Facing Application) followed by T1486 (Data Encrypted for Impact).

CVE-2026-34906 / CVE-2026-34907 — Simple SA "Wirtualna Uczelnia": unauthenticated SSTI-to-RCE in the student-administration platform used across Polish public universities

CERT Polska published a coordinated-disclosure advisory for Wirtualna Uczelnia ("Virtual University"), a proprietary higher-education administration platform by Simple SA deployed across Polish universities (CERT Polska, 2026-06-02). CVE-2026-34906 is a Server-Side Template Injection in the redirectToUrl endpoint: insufficient validation of the redirect-URL parameter lets an unauthenticated attacker inject template expressions that execute on the server, reaching remote code execution (T1190, CWE-1336). CVE-2026-34907 is a companion reflected XSS via the locale parameter. Both affect all versions through build wu#2016.437.295#0#20260327_105545; CERT Polska records the finding from Dawid Bakaj (VIPentest) and no vendor patch or fixed version had been published at disclosure, and no in-the-wild exploitation is reported. As the national CERT and primary disclosing party, CERT Polska is the sole source (national-CERT carve-out, PD-5).

Why it matters to us: a pre-auth RCE in a public-facing student portal is a foothold into university networks and a trove of academic identity data — the EU public-sector education sector the brief tracks. Until Simple SA ships a fix, restrict the redirectToUrl endpoint to internal/authenticated sources at the reverse proxy or WAF, and hunt web-server access logs for template metacharacters (${...}, #{...}, {{...}}) in the redirect parameter.

CVE Summary Table

GMO Flatt Security: one GitHub issue could hijack any public repo running Anthropic's claude-code-action — and could have poisoned the action itself

Researcher RyotaK (GMO Flatt Security) disclosed a two-part flaw in Anthropic's claude-code-action GitHub Actions workflow, remediated in v1.0.94 (GMO Flatt Security, 2026-06-04; The Hacker News, 2026-06-04). The core bug is in checkWritePermissions() (src/github/validation/permissions.ts): the function unconditionally returns true for any actor whose username ends in [bot], on the assumption that GitHub App bots are admin-installed. But anyone can register a GitHub App, install it on a repo they own, and use its token to open an issue or PR on any public repository — so an attacker-controlled [bot] actor passes the gate, and agent mode lacked the secondary checkHumanActor() guard present in tag mode. Chained with indirect prompt injection (instructions embedded in the issue body that Claude reads during triage), the default read/write workflow token could be steered to read /proc/self/environ, exchange the OIDC token for a Claude GitHub App installation token with code/issues/workflows write, and exfiltrate secrets to the issue comment feed. Pointed at anthropics/claude-code-action itself, the same chain could have poisoned the action and propagated downstream. A second variant stemmed from Anthropic's own example workflow shipping allowed_non_write_users: "*". Anthropic rated the issues 7.8 (CVSS 4.0) and paid a bounty; RyotaK notes he has reported roughly 50 separate permission-system bypasses in this class. The underlying problem is not unique to Anthropic: separate "Comment and Control" research by Aonan Guan, reported in April, independently showed Claude Code, Gemini CLI and GitHub Copilot agents are all exposed to prompt injection via issue/PR comments (SecurityWeek, 2026-04-16).

Why it matters to us: any team running AI coding agents in CI/CD has imported a new, structural untrusted-input surface. Update claude-code-action to v1.0.94+, audit every issues/pull_request_target-triggered workflow that grants an AI agent write scope, and never widen allowed_non_write_users beyond vetted accounts.

University of Toronto / Vector Institute: a self-propagating worm that runs open-weight LLMs on compromised hosts to synthesise per-target exploits

A team from CleverHans Lab (University of Toronto), the Vector Institute, Cambridge and ServiceNow Research published a proof-of-concept worm (arXiv:2606.03811) on 2 June 2026, picked up this week by the German technical press (arXiv, 2026-06-02; heise online, 2026-06-04). The worm runs open-weight LLMs on already-compromised hosts to generate exploit code tailored to each machine it reaches — consuming stolen compute instead of attacker infrastructure or a commercial AI API, which makes platform-level safety controls (rate-limits, content policies) structurally irrelevant. On an isolated 33-node mixed Linux/Windows/IoT range the agent identified vulnerabilities on most hosts and propagated across several generations, and — the load-bearing finding — synthesised working exploits for three CVEs published after its model's training cutoff, i.e. adaptive reasoning beyond static knowledge. The authors frame the economic asymmetry: marginal attacker cost per new infection approaches zero while defenders must patch every reachable flaw. The paper withholds usable exploit code; closest ATT&CK analogues are T1203, T1210, T1570.

Why it matters to us: the operational implication is that "no public PoC yet" stops being a reliable proxy for low near-term exploitation risk, which pressures patch-velocity SLAs and elevates internal micro-segmentation from best-practice to load-bearing control. A pragmatic early-warning signal: unexpected local LLM-inference activity on compromised hosts (e.g. Ollama on port 11434, sustained GPU-heavy processes where none belong).

UPDATE: ShinyHunters extortion campaign adds DentaQuest — 234 GB published after refusal to pay, 2.6 M dental-benefit records exposed

UPDATE (originally covered 2026-06-02): DentaQuest, a Sun Life subsidiary administering dental and vision benefits for ~35 M US Medicaid, Medicare and employer-plan members, is the latest confirmed named victim of the ShinyHunters data-extortion campaign last covered here on the Charter Communications listing. ShinyHunters listed DentaQuest on 23 May with a 27 May ransom deadline and published 234 GB after the deadline passed unpaid; in a 1 June statement DentaQuest confirmed unauthorised access to "a limited portion of its network" (BleepingComputer, 2026-06-04).

The dataset is HIPAA-format ASC X12 claims interchange — names, postal and email addresses, dates of birth, phone numbers, health-insurance details and Medicaid IDs across 2.6 M unique email addresses (BankInfoSecurity, 2026-06-04). DentaQuest's specific attack vector is not publicly confirmed, but the extortion pattern (extortion-without-encryption, a hard deadline, publish-on-refusal) matches the broader ShinyHunters campaign — several of whose other victims this year were reached through compromised cloud-SaaS (Salesforce) access. The operational reminder for defenders is unchanged: this actor monetises pure exfiltration, so backups do not blunt the leverage — detection has to land at the bulk-export stage (large outbound archive transfers from claims systems; and, where cloud-SaaS access has been the entry point for other victims, off-hours SaaS API token generation and anomalous bulk-export API calls).