On this page
- 0. TL;DR
- 1. Active Threats, Trending Actors, Notable Incidents & Disclosures
- 2. Trending Vulnerabilities
- 3. Research & Investigative Reporting
- 4. Updates to Prior Coverage
- 5. Deep Dive — Luna Moth / Silent Ransom Group (UNC3753): vishing-to-physical-access data-theft extortion against legal and professional services
- 6. Action Items
- 7. Verification Notes
References
- CVE-2026-20245
- CVE-2026-28318
- CVE-2026-10868
- CVE-2026-10854
- CVE-2026-20127
- FBI FLASH CSA 260526 — Silent Ransom Group / Luna Moth / UNC3753 sends operatives physically into US law-firm offices to insert USB exfiltration devices when remote social engineering fails
- Miasma worm backdoors 32 @redhat-cloud-services npm packages (TeamPCP / Mini Shai-Hulud variant)
- Five Eyes joint bulletin 'Safeguarding Our Secrets' — China military intel recruiting via LinkedIn/job platforms
- IronWorm — Rust npm supply-chain worm with eBPF kernel rootkit, Tor C2, cloud/AI-key sweep
- OP-512 — China-linked cluster, cryptographically-unique self-reporting IIS web-shell framework
- BleepingComputer
- BSI Germany — CERT-Bund WID (RSS)
- Cisco PSIRT (RSS)
- ENISA
- GitHub Advisory Database
- Help Net Security
- Google Cloud / Mandiant (GTIG)
- NCSC Switzerland — Cyber Security Hub (CSH) / GovCERT.ch
- Security Affairs
- The Record (Recorded Future News)
0. TL;DR
- Second Cisco Catalyst SD-WAN Manager zero-day under active exploitation (CVE-2026-20245) — a post-authentication command-injection that yields root on the appliance; Cisco confirms limited in-the-wild use pushing configuration changes to managed edge devices, and there is no patch. Reachable to netadmin attackers directly or by chaining the earlier pre-auth bypass CVE-2026-20182 (NCSC-CH GovCERT, 2026-06-05). See § 2.
- Two distinct self-propagating npm worms hit the JavaScript supply chain in the same window — the new Rust-built IronWorm (eBPF kernel rootkit + Tor C2, ~36 packages, cloud/AI-key sweep) (JFrog, 2026-06-03), and a fresh Miasma variant that reached 73 Microsoft GitHub repositories including the Azure Durable Task ecosystem (§ 4). Both abuse install-time scripts and stolen publishing credentials.
- Luna Moth / Silent Ransom Group (UNC3753) escalates to sending operatives into victim offices with USB drives — Mandiant documents a Jan–May 2026 vishing-to-data-theft extortion campaign against legal/financial firms with sub-one-hour exfiltration; one victim reportedly paid ~$20 M (Mandiant, 2026-06-05). Deep dive in § 5.
- SolarWinds Serv-U DoS zero-day added to CISA KEV (CVE-2026-28318) — an unauthenticated POST carrying `Content-Encoding: deflate` crashes the SFTP/FTP service; fixed in Serv-U 15.5.4 Hotfix 1 (SolarWinds, 2026-06-04). See § 2.
- Critical account-takeover flaw in MISP (CVE-2026-10868, CVSS 9.0) — the threat-intel platform that underpins CERT-EU, GovCERT.ch and most EU national-CERT sharing; a mass-assignment bug lets an authenticated user edit another account (GitHub Security Advisory, 2026-06-04). Patched. See § 2.
- Five Eyes issue a rare joint bulletin on Chinese intelligence recruiting via LinkedIn and job platforms — targeting cleared personnel, researchers and policy staff; directly relevant to Swiss/EU public-sector personnel security (The Record, 2026-06-03). See § 1.
1. Active Threats, Trending Actors, Notable Incidents & Disclosures
Five Eyes joint bulletin: Chinese military intelligence recruiting cleared personnel through LinkedIn and job platforms
On 2026-06-03 the domestic-intelligence services of the five Five Eyes nations (ASIO, CSIS, FBI, MI5, NZSIS) released an unusual joint bulletin, Safeguarding Our Secrets, warning that China's military-intelligence apparatus is systematically using professional-networking and freelance-work platforms — LinkedIn, Indeed, Upwork — to identify and cultivate people with access to classified or otherwise privileged information (MI5, 2026-06-03; The Record, 2026-06-03). Operatives pose as recruiters, consultants, HR representatives or think-tank staff for fabricated cover companies outside China, open with benign foreign-policy, defence or trade research commissions paying hundreds to a few thousand dollars per deliverable, then escalate toward sensitive material and migrate the relationship to encrypted messaging to reduce platform visibility. Named target categories include security-clearance holders, military personnel, academics, researchers and journalists.
Why it matters to us: This is a human-intelligence tradecraft advisory rather than a technical-intrusion one, and Switzerland — outside Five Eyes but a hub for international organisations, financial regulation and dual-use research — is squarely in the target set. The defensible surface is personnel-security, not EDR: brief cleared and research staff on the innocuous-task-to-sensitive-request progression, give them a low-friction route to report unsolicited foreign-recruitment contact, and treat unsolicited "paid policy paper" approaches to staff with administrative or network access as a counter-intelligence signal, not a side gig.
IronWorm: Rust-built npm worm ships an eBPF kernel rootkit, Tor C2 and a cloud/AI-credential sweep
JFrog Security Research disclosed IronWorm, a self-propagating npm supply-chain worm distributed across roughly 36 packages from a compromised publisher account (JFrog, 2026-06-03; BleepingComputer, 2026-06-04). Unlike the JavaScript-stager Shai-Hulud lineage, IronWorm executes a Rust ELF payload through an install-time preinstall hook and carries an embedded eBPF object (T1195.002 Compromise Software Supply Chain, T1059.004 Unix Shell via lifecycle script). JFrog reports the eBPF component provides kernel-level process, socket and anti-debug concealment — hiding the implant from procfs-based enumeration and many EDR agents — while the command channel runs over Tor: the malware downloads the Tor expert bundle, writes its own torrc, and beacons to a hidden service. The stealer sweeps dozens of environment variables and credential paths spanning AWS, GCP, Azure, HashiCorp Vault, Kubernetes, Docker, GitHub and npm tokens, and the 2026 generation of AI-provider API keys (Anthropic, OpenAI, Gemini and others). Self-propagation reuses stolen npm credentials — including npm Trusted Publishing secrets — to publish trojanised versions of the victim's own packages.
Why it matters to us: The eBPF rootkit moves npm-worm tradecraft below the userland telemetry most pipelines rely on, so process-tree hunting on the build host is no longer sufficient. Detection concepts: alert on node/npm/npx parent processes spawning sh/bash during preinstall/postinstall (Sysmon-for-Linux EID 1), audit bpf() syscalls from non-privileged processes via auditd, and watch CI/CD egress for Tor bootstrap traffic. Hardening: run npm install --ignore-scripts in CI, pin lockfile integrity, and scope/rotate npm publish tokens — Trusted Publishing credentials are now an explicit propagation target.
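As an added illustration of the hardening half of that paragraph (this is the editor's example, not JFrog's or npm's own tooling), the script below audits the two properties IronWorm relies on: install-time lifecycle hooks declared by installed packages, and lockfile entries whose tarball integrity is missing or not pinned to sha512. The package manifests and the `package-lock.json` are constructed sample data; the shell-marker list used to single out hooks that reach a shell is a heuristic assumption.

```python
import json

# Hooks npm runs automatically during `npm install`; IronWorm's payload ran from preinstall.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Heuristic markers for a hook that reaches a shell or fetches code (assumed list).
SHELL_MARKERS = ("sh ", "bash", "child_process", "curl", "wget")

# Constructed sample: package name -> parsed package.json found under node_modules/.
SAMPLE_PACKAGES = {
    "left-pad": {"name": "left-pad", "version": "1.3.0",
                 "scripts": {"test": "node test.js"}},
    "evil-helper": {"name": "evil-helper", "version": "2.1.7",
                    "scripts": {"preinstall":
                                "node -e \"require('child_process').execSync('sh ./setup.sh')\""}},
    "build-tool": {"name": "build-tool", "version": "0.9.0",
                   "scripts": {"postinstall": "node-gyp rebuild"}},
}

# Constructed sample package-lock.json (lockfileVersion 3: "packages" keyed by install path).
SAMPLE_LOCK = json.loads("""{
  "name": "app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "app", "dependencies": {"left-pad": "1.3.0", "evil-helper": "^2.1.0"}},
    "node_modules/left-pad": {"version": "1.3.0",
      "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      "integrity": "sha512-AAAA"},
    "node_modules/evil-helper": {"version": "2.1.7",
      "resolved": "https://registry.npmjs.org/evil-helper/-/evil-helper-2.1.7.tgz"},
    "node_modules/build-tool": {"version": "0.9.0",
      "resolved": "https://example.internal/build-tool.tgz", "integrity": "sha1-BBBB"}
  }
}""")


def find_install_hooks(packages):
    """Return {package: {hook: command}} for every package that declares an install-time hook."""
    findings = {}
    for name, pkg in packages.items():
        hooks = {h: cmd for h, cmd in pkg.get("scripts", {}).items() if h in INSTALL_HOOKS}
        if hooks:
            findings[name] = hooks
    return findings


def shell_spawning_hooks(findings):
    """Subset of hook findings whose command visibly spawns a shell or downloads code."""
    return {pkg: hooks for pkg, hooks in findings.items()
            if any(m in cmd for cmd in hooks.values() for m in SHELL_MARKERS)}


def lock_integrity_gaps(lock):
    """Return lock entries npm cannot verify at install time: no `integrity`, or an
    algorithm weaker than sha512 (npm still accepts legacy sha1 entries)."""
    gaps = {}
    for path, entry in lock.get("packages", {}).items():
        if path == "":          # the root project entry has no tarball
            continue
        integrity = entry.get("integrity", "")
        if not integrity:
            gaps[path] = "no integrity field"
        elif not integrity.startswith("sha512-"):
            gaps[path] = "weak integrity algorithm: " + integrity.split("-", 1)[0]
    return gaps


if __name__ == "__main__":
    hooks = find_install_hooks(SAMPLE_PACKAGES)
    print("install-time hooks:", json.dumps(hooks, indent=2))
    print("shell-reaching hooks:", sorted(shell_spawning_hooks(hooks)))
    print("lockfile integrity gaps:", lock_integrity_gaps(SAMPLE_LOCK))
```

In a real pipeline the two inputs come from walking `node_modules/*/package.json` and reading the project's `package-lock.json`; running the audit before `npm ci --ignore-scripts` gives a reviewable list of which packages would have executed code at install time, and which lock entries would have let a swapped tarball through.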
2. Trending Vulnerabilities
CVE-2026-20245 — Cisco Catalyst SD-WAN Manager: actively-exploited command-injection to root (no patch)
Cisco has confirmed a second actively-exploited zero-day in Catalyst SD-WAN Manager (formerly vManage), tracked as CVE-2026-20245 (Cisco PSIRT; NCSC-CH GovCERT, 2026-06-05). It is a command-injection flaw: an attacker with netadmin privileges can inject arbitrary OS commands that execute as root on the underlying appliance (T1059.004 Unix Shell, following T1078 Valid Accounts). Per Cisco, exploitation requires either valid netadmin credentials or prior exploitation of the pre-auth bypass CVE-2026-20182 (covered in weekly W22) or CVE-2026-20127 — making the realistic path an unauthenticated-to-root chain against an internet-exposed Manager. Cisco states it has "observed limited cases where the exploitation of this bug resulted in a configuration change pushed to edge devices," i.e. the blast radius extends from the management plane to every managed edge router. No fixed release is available; Cisco's only guidance is to restrict management-plane access to trusted hosts and verify edge-device configuration. Detection concepts: review the SD-WAN Manager CLI audit log for unexpected command execution and EDR/host telemetry for shells spawned under the management daemon's service account; treat any unplanned config push to edge devices as a hunting trigger. Hardening: ACL the management interface to a dedicated management VLAN, enforce MFA for netadmin, and rotate Manager credentials given confirmed in-the-wild use.
CVE-2026-28318 — SolarWinds Serv-U: unauthenticated DoS added to CISA KEV
CISA added CVE-2026-28318 to the Known Exploited Vulnerabilities catalog on 2026-06-05, confirming active exploitation (SolarWinds, 2026-06-04; ENISA EUVD). The flaw is an uncontrolled-resource-consumption issue (CWE-400): an unauthenticated remote attacker sends a crafted HTTP POST carrying `Content-Encoding: deflate`, triggering decompression memory exhaustion that crashes the Serv-U SFTP/FTP service (T1499.003 Application Exhaustion Flood). On default configurations the service does not auto-restart, so a single request causes a sustained availability outage of the managed-file-transfer endpoint. Fixed in Serv-U 15.5.4 Hotfix 1. Per PD-13, the operational driver here is the confirmed exploitation, not the US BOD 22-01 remediation date: managed-file-transfer appliances are recurrent ransomware-adjacent targets, and an internet-exposed Serv-U that can be knocked offline by a single request is a denial-of-service risk to any process that depends on it. Detection concepts: monitor Serv-U service-process restart/crash events and web-access logs for POST requests with unusual Content-Encoding values.
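The bug class is worth seeing in code. The following is an added, generic illustration (the editor's, not SolarWinds' code, and not a reproduction of the Serv-U flaw): a request-handler fragment that inflates a `Content-Encoding: deflate` body with no output cap, beside one that streams the inflate and aborts once an output budget is exceeded. The bomb payload is constructed inline; the 1 MiB budget and the header-handling are assumed policy for the example.

```python
import zlib

MAX_BODY = 1 << 20   # 1 MiB decompressed-body budget (assumed policy value)
STEP = 64 * 1024     # inflate at most 64 KiB per step so peak memory stays near the budget


def make_deflate_bomb(inflated_size):
    """Construct a deflate bomb: a run of zero bytes compresses to a few KiB on the wire."""
    return zlib.compress(b"\x00" * inflated_size, 9)


def inflate_unbounded(body):
    """Vulnerable pattern: the decompressed size is chosen entirely by the client."""
    return zlib.decompress(body)


def inflate_bounded(body, limit=MAX_BODY):
    """Hardened pattern: stream the inflate and stop as soon as `limit` is exceeded,
    so the worst case costs `limit` bytes of memory regardless of the compression ratio."""
    d = zlib.decompressobj()
    out = bytearray()
    pending = body
    while pending:
        out += d.decompress(pending, STEP)   # never yields more than STEP bytes per call
        if len(out) > limit:
            raise ValueError("decompressed body exceeds %d bytes" % limit)
        pending = d.unconsumed_tail          # input left over because STEP was reached
    out += d.flush()
    if len(out) > limit:
        raise ValueError("decompressed body exceeds %d bytes" % limit)
    return bytes(out)


def handle_post(headers, body):
    """Minimal request-handler fragment: ('ok', decoded_length) or ('rejected', reason)."""
    if headers.get("Content-Encoding", "").strip().lower() == "deflate":
        try:
            body = inflate_bounded(body)
        except (ValueError, zlib.error) as exc:   # over budget, or not valid deflate data
            return ("rejected", str(exc))
    return ("ok", len(body))


if __name__ == "__main__":
    bomb = make_deflate_bomb(64 << 20)                    # 64 MiB when inflated
    print("bomb on the wire:", len(bomb), "bytes")
    print("unbounded inflate ->", len(inflate_unbounded(bomb)), "bytes in memory")
    print("bounded handler   ->", handle_post({"Content-Encoding": "deflate"}, bomb))
    print("legit request     ->", handle_post({"Content-Encoding": "deflate"},
                                              make_deflate_bomb(600)))
```

The point of the streaming loop is that `max_length` bounds each call's output, so the check runs before the next 64 KiB is produced; a single `zlib.decompress()` call has no such hook and will allocate whatever the stream asks for, which is the CWE-400 shape the advisory describes.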
CVE-2026-10868 — MISP: critical mass-assignment account-takeover in the EU threat-sharing platform
BSI published WID-SEC-2026-1800 covering seven vulnerabilities in MISP, the open-source threat-intelligence sharing platform that underpins CERT-EU, GovCERT.ch, CIRCL.lu and most EU national-CERT and ISAC feeds (BSI CERT-Bund, 2026-06-04; GitHub Security Advisory, 2026-06-04). The most severe, CVE-2026-10868 (CVSS 9.0), is a mass-assignment bug in `UsersController::edit()`: insufficient field filtering lets an authenticated user inject another account's identifier into the edit request, so the update is applied to an unintended account (T1098 Account Manipulation, following T1078 Valid Accounts) — an authenticated account-takeover and privilege-manipulation primitive. The other six (CVE-2026-10854/10855/10856/10860/10861/10864) cover access-control bypass on private galaxy metadata, an org-crossing event-template overwrite, and an open redirect. In a multi-organisation sharing hub the account-takeover combined with the cross-org template overwrite enables manipulation of the shared indicator pool itself. Patches shipped 2026-06-04; the CVE-2026-10868 fix explicitly strips the `User.id` field before edit processing. Detection concepts: review MISP access logs for `UsersController::edit` POSTs where the posted user id differs from the session user id, and audit user accounts for unexpected role/group attribute changes.
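To make the bug class concrete, here is an added sketch in Python (the editor's, not MISP's PHP code, and not a reproduction of its controller): a user-edit handler that binds every posted field, including the id, beside one that takes the target row from the session and allow-lists the fields, which is the shape of the shipped fix. It also shows the access-log check from the detection concept above. The user table, the self-editable field allow-list and the access-log records are constructed.

```python
from copy import deepcopy

# Constructed user table: id -> record. Alice (1) is an ordinary user, Bob (2) is the target.
USERS = {
    1: {"id": 1, "email": "alice@example.test", "role": "user", "org_id": 10},
    2: {"id": 2, "email": "bob@example.test", "role": "org_admin", "org_id": 20},
}

# Fields a user may change on their own account (assumed policy for this example).
SELF_EDITABLE = {"email", "gpgkey", "nids_sid"}

# Constructed attacker request: Alice's session, but Bob's id and a role change in the body.
ATTACK_POST = {"id": "2", "email": "alice-controlled@example.test", "role": "admin"}


def fresh_users():
    """A private copy of the constructed user table for each scenario."""
    return deepcopy(USERS)


def edit_user_vulnerable(users, session_user_id, posted):
    """Mass assignment: the posted 'id' picks the row and every other posted field is
    bound onto it unfiltered, so an authenticated user rewrites someone else's account."""
    target_id = int(posted.get("id", session_user_id))
    record = users[target_id]
    record.update(posted)
    record["id"] = target_id           # keep the key an int after the string overwrite
    return target_id


def edit_user_fixed(users, session_user_id, posted):
    """Fix: strip the id before binding and apply only allow-listed fields to the
    session's own row. Returns the row edited and the posted fields that were dropped."""
    fields = {k: v for k, v in posted.items() if k != "id" and k in SELF_EDITABLE}
    users[session_user_id].update(fields)
    return session_user_id, set(posted) - set(fields)


def detect_id_mismatch(access_log):
    """Detection over constructed access-log records: edit requests whose posted id is
    not the session user's id. One alert per matching request."""
    return [r for r in access_log
            if r["action"] == "UsersController::edit"
            and "id" in r["post"] and int(r["post"]["id"]) != r["session_user_id"]]


SAMPLE_ACCESS_LOG = [   # constructed
    {"session_user_id": 1, "action": "UsersController::edit",
     "post": {"id": "1", "email": "alice@example.test"}},
    {"session_user_id": 1, "action": "UsersController::edit", "post": ATTACK_POST},
    {"session_user_id": 2, "action": "EventsController::view", "post": {}},
]

if __name__ == "__main__":
    vuln = fresh_users()
    print("vulnerable: edited row", edit_user_vulnerable(vuln, 1, ATTACK_POST), "->", vuln[2])
    safe = fresh_users()
    print("fixed: (row, dropped)", edit_user_fixed(safe, 1, ATTACK_POST), "->", safe[2])
    print("alerts:", detect_id_mismatch(SAMPLE_ACCESS_LOG))
```

Two properties of the fixed handler matter: the target row is never derived from request data, and unknown fields are dropped rather than bound, so a future `role`-style field cannot be smuggled in without being added to the allow-list deliberately.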
CVE Summary Table
| CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source |
|---|---|---|---|---|---|---|---|
| CVE-2026-20245 | Cisco Catalyst SD-WAN Manager | n/a | n/a | No | Yes | None (mitigation only) | Cisco PSIRT |
| CVE-2026-28318 | SolarWinds Serv-U (≤ 15.5.4) | 7.5 | n/a | Yes | Yes | 15.5.4 Hotfix 1 | SolarWinds |
| CVE-2026-10868 | MISP | 9.0 | n/a | No | No | Patched 2026-06-04 | GHSA |
3. Research & Investigative Reporting
OP-512: China-linked cluster runs a cryptographically-unique, self-reporting IIS web-shell framework against legacy .NET servers [SINGLE-SOURCE]
ReliaQuest documented OP-512, a previously-unreported China-linked espionage cluster targeting internet-facing Microsoft IIS servers running end-of-life .NET Framework 4.0 (ReliaQuest, 2026-06-05) [SINGLE-SOURCE — ReliaQuest original disclosure]. The framework is a three-component web shell — one .aspx file manager plus two .ashx command handlers — that is per-deployment cryptographically unique (RSA signatures and RC4 keys differ per installation), defeating signature-based detection. It carries a timestomping module that matches shell file timestamps to surrounding legitimate IIS artefacts (T1070.006 Timestomp), uses reflective .NET assembly loading to bypass static scanning (T1620), and implements a novel self-reporting beacon: the deployed shell's URL is hex-encoded into a DNS subdomain query issued from w3wp.exe, so the operator is notified of a live shell without actively scanning for it. ReliaQuest found initial access roughly 75 days before the shell was deployed, consistent with patient espionage tradecraft, and notes overlap with the hex-encoded-DNS technique seen in CL-STA-0048 while assessing OP-512 as a separate cluster.
Why it matters to us: Many Swiss and EU public-sector estates still run legacy IIS/ASP.NET portals and intranet apps on .NET 4.0 — exactly OP-512's stated footprint. The detection lesson is concrete: filesystem timestamps are useless for triage here (timestomped), so hunt on behaviour instead — w3wp.exe issuing long hex-string DNS subdomain queries, w3wp.exe spawning cmd.exe/powershell.exe/csc.exe (Sysmon EID 1), reflective-assembly loads, and .aspx/.ashx writes into web roots (Windows Security EID 4663 on inetsrv paths). Hardening: isolate or retire .NET 4.0 servers and apply WDAC/AppLocker to block execution of unsigned web-root artefacts.
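As an added hunting example (the editor's, not ReliaQuest's tooling), the script below walks Sysmon DNS-query events (Event ID 22, fields `Image` and `QueryName`) for `w3wp.exe` issuing queries whose leading labels are long hex strings, and decodes the run to recover the URL the shell reports. The events, the operator domain, the shell URL and the 16-character label threshold are constructed assumptions; the encoder exists only to build realistic sample data in the shape the text describes.

```python
import re

HEX_LABEL = re.compile(r"^[0-9a-fA-F]{16,}$")   # minimum label length is a tuning assumption
BEACON_DOMAIN = "rpt.example"                    # hypothetical operator-controlled domain


def encode_beacon(url, domain=BEACON_DOMAIN, width=60):
    """Build a sample query the way the text describes: hex-encode the shell URL and
    split it into DNS labels (<= 63 chars each) under the operator's domain. Constructed."""
    h = url.encode("ascii").hex()
    labels = [h[i:i + width] for i in range(0, len(h), width)]
    return ".".join(labels + [domain])


def hex_label_run(qname):
    """Leading run of hex-only labels in a query name (stops at the first non-hex label)."""
    run = []
    for label in qname.rstrip(".").split("."):
        if HEX_LABEL.match(label):
            run.append(label)
        else:
            break
    return run


def decode_run(run):
    """Decode a hex label run to text; None when it is not valid hex or not printable."""
    try:
        text = bytes.fromhex("".join(run)).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def hunt(events):
    """Flag w3wp.exe DNS queries carrying a hex label run; decode it when possible.
    A run that does not decode is still reported: the process/label shape is the signal."""
    hits = []
    for e in events:
        if not e["Image"].lower().endswith("\\w3wp.exe"):
            continue
        run = hex_label_run(e["QueryName"])
        if not run:
            continue
        hits.append({"query": e["QueryName"],
                     "hex_chars": sum(len(lab) for lab in run),
                     "decoded": decode_run(run)})
    return hits


SHELL_URL = "https://portal.example.test/aspnet_client/x.aspx"   # constructed
SAMPLE_EID22 = [   # constructed Sysmon EID 22 records
    {"Image": r"C:\Windows\System32\inetsrv\w3wp.exe", "QueryName": encode_beacon(SHELL_URL)},
    {"Image": r"C:\Windows\System32\inetsrv\w3wp.exe", "QueryName": "sql01.corp.example.test"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "QueryName": encode_beacon("https://elsewhere.example.test/")},
    {"Image": r"C:\Windows\System32\inetsrv\w3wp.exe", "QueryName": "deadbeefdeadbeef0.cdn.example"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EID22):
        print(hit)
```

Expect false positives from CDN and telemetry hostnames that happen to be hex; tune the label threshold and allow-list known second-level domains, but keep the `w3wp.exe` process constraint, since a worker process has no business resolving long opaque labels at all.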
4. Updates to Prior Coverage
UPDATE: Miasma supply-chain worm reaches 73 Microsoft GitHub repositories, adds Azure credential collectors
UPDATE (originally covered 2026-06-02): The Miasma worm — the TeamPCP-spawned descendant of the Mini Shai-Hulud lineage first covered against the Red Hat `@redhat-cloud-services` npm namespace — recompromised the `durabletask` package and propagated into the Microsoft GitHub estate. On 2026-06-05 GitHub disabled 73 repositories across the Azure, Azure-Samples, Microsoft and MicrosoftDocs organisations in a 105-second automated terms-of-service sweep, taking the entire Azure Durable Task family (.NET, Go, Java, JS, MSSQL, Netherite, protobuf) offline (OpenSourceMalware, 2026-06-05; The Hacker News, 2026-06-06).
The material delta from the 2026-06-02 coverage: the variant adds Azure CLI auth-cache and managed-identity token collectors (earlier Shai-Hulud strains targeted AWS and GitHub), and the recompromise traces to the same `durabletask` credential foothold from the May TeamPCP incident — i.e. credentials taken in May were never fully revoked. Azure Durable Task is a foundational dependency for Azure Functions / serverless workflows widely consumed in EU public-sector cloud deployments, so the downstream exposure is cloud infrastructure, not just developer machines.
Defender takeaway: audit `~/.azure/` credential stores on developer workstations and CI/CD runners that installed any affected `@azure/*` package; rotate Azure managed-identity tokens and Kubernetes service-account tokens on those systems; monitor GitHub audit logs for unexpected public-repo creation (the worm's secret-exfil-as-public-repo behaviour is what trips GitHub's automated sweep). Note the worm-vs-defender naming overlap is real here — "Miasma" is the attacker worm, not a tool.
5. Deep Dive — Luna Moth / Silent Ransom Group (UNC3753): vishing-to-physical-access data-theft extortion against legal and professional services
Background and why this is a deep dive now. Luna Moth (also Silent Ransom Group / SRG, Chatty Spider, UNC3753) is a financially-motivated data-theft-and-extortion crew that has operated since 2022, originally tied to the BazarCall callback-phishing ecosystem. Its defining trait is the absence of ransomware: it does not encrypt, it steals and threatens publication. In May 2025 the FBI publicly warned that the group had spent roughly two years targeting US law firms via callback phishing (BleepingComputer, 2025-05-23). This brief covered the group's physical-intrusion escalation on 2026-05-28, when the FBI's 2026-05-26 Cyber FLASH (CSA 260526) reported operatives entering law-firm offices to insert USB exfiltration devices when remote social engineering failed. The reason for a fuller treatment now is three genuinely-new in-window developments: (1) Mandiant published a comprehensive primary forensic analysis on 2026-06-05 that supplies the kill-chain and ATT&CK detail the earlier news-only FBI-FLASH coverage lacked; (2) a major law firm reportedly paid ~$20 M in a suppression payment; and (3) the group moved its C2 onto DNS fast-flux infrastructure. The deep dive consolidates these into the actionable picture a defender needs — it does not re-report the physical-USB tactic as novel.
The 2026 campaign. Mandiant attributes a January-through-May 2026 data-theft extortion campaign against dozens of US professional-, legal- and financial-services organisations to UNC3753 (Mandiant, 2026-06-05). The intrusion is entirely social-engineered — there is no exploit in the chain. A benign invoice- or subscription-themed email establishes pretext; a follow-up vishing call impersonating internal IT support walks the target into hosting a screen-share session and installing a remote-access tool. Mandiant observed the actor convincing victims to install AnyDesk, Bomgar or Zoho Assist, and in one engagement to execute a "SuperOps RMM agent" via a cURL command. From there the actor pivots through BYOD or virtual desktops, enumerates file shares and document-management systems, then stages and exfiltrates using portable WinSCP or Rclone. The compression of the timeline is the operational headline: Mandiant notes that in many incidents the full sequence from first contact to data theft occurred within a single business day, and "Recently, Mandiant observed data searches, staging, and theft initiated in under an hour." Extortion follows by unbranded email, typically with a short deadline and a threat to publish on the actor's leak site.
The physical-access escalation (first flagged 2026-05-28, now forensically confirmed). The off-network tactic the FBI FLASH warned about is now corroborated in Mandiant's primary reporting: "individuals posing as IT technicians entered corporate offices to attempt direct exfiltration of data from an endpoint using USB storage media" (T1052.001 Exfiltration over Physical Medium). This bypasses every network-side control — egress filtering, RMM-installer detection, cloud-upload DLP — because the data never crosses the network perimeter. Visitor management and physical-security posture become a detection surface that EDR and log telemetry cannot cover.
Kill chain and ATT&CK mapping. Initial access via T1566.004 Spearphishing Voice and T1204.002 User Execution; remote access established through T1219 Remote Access Software; discovery via T1083 File and Directory Discovery and T1135 Network Share Discovery; collection and exfiltration via T1074 Data Staged, T1567.002 Exfiltration to Cloud Storage and, in the physical variant, T1052.001. The FBI's 2026-05-26 Cyber FLASH independently corroborates the campaign and underscores that, because no encryption is used and only legitimate remote-access and file-transfer tooling appears, conventional ransomware detections do not fire and few host artefacts remain (Help Net Security, 2026-05-27).
Why this run. Two further in-window developments, beyond the Mandiant report above, make this current rather than a recap of the 2025 FBI warning. First, a major US law firm, Weil, Gotshal & Manges, reportedly paid an estimated ~$20 M suppression payment after client data was stolen from an external cloud-storage site — an unusually large, fast (reportedly within days) payout that signals how high the leverage is when the stolen material is privileged legal data (Legal Cheek, 2026-06-03). Second, the group is hardening its operational infrastructure: a 2026-06-05 report documents SRG moving its command-and-control onto DNS fast-flux infrastructure, improving resilience against takedown and static-indicator blocking (Security Affairs, 2026-06-05).
Detection and hardening (no IOCs). Behavioural pivots: alert on RMM-agent installation (AnyDesk/Bomgar/Zoho/SuperOps) initiated from cmd.exe/powershell.exe or a cURL one-liner (Sysmon EID 1 with parent-process anomalies); flag portable WinSCP/Rclone execution from user-profile paths and high-volume outbound SSH/cloud-storage transfer sessions; watch document-management systems (e.g. iManage/SharePoint) for sudden keyword-search spikes and bulk downloads from VDI sessions. Hardening: block unauthorised RMM agents via WDAC/application control; restrict VDI/VPN authentication to corporate-managed devices with step-up MFA on BYOD; disable USB mass-storage write via GPO on sensitive endpoints; and — uniquely relevant given the in-person vector — enforce visitor credentialing and escort policies, and have help-desk staff verify any "IT support" callback against an out-of-band internal directory before granting remote or physical access. For Swiss and European legal and professional-services firms the campaign is directly transferable: the IT-helpdesk-impersonation vector is identical to the social-engineering pressure already seen across European corporate intrusions, and the physical-intrusion escalation raises a duty-of-care question that is squarely a physical-security, not just a SOC, problem.
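The process-lineage pivots named in this paragraph, in § 1 for IronWorm (node or npm spawning a shell from a lifecycle script) and in § 3 for OP-512 (w3wp.exe spawning cmd, powershell or csc) are the same kind of check over the same telemetry, so one added example serves all three (the editor's code, not Mandiant's, JFrog's or ReliaQuest's). It evaluates a small rule set over constructed Sysmon Event ID 1 records using the `Image`, `ParentImage` and `ParentCommandLine` fields; the RMM installer name markers, the user-profile path test and the parent-process sets are heuristic assumptions to tune per estate.

```python
from pathlib import PureWindowsPath


def basename(path):
    """Lower-cased final path component; PureWindowsPath accepts both '\\' and '/' separators."""
    return PureWindowsPath(path).name.lower()


NODE_PARENTS = {"node", "nodejs", "node.exe", "npm", "npx", "npm.cmd", "npx.cmd"}
UNIX_SHELLS = {"sh", "bash", "dash", "zsh"}
IIS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "csc.exe"}
RMM_MARKERS = ("anydesk", "bomgar", "zoho", "superops")      # assumed installer-name markers
TRANSFER_TOOLS = {"winscp.exe", "rclone.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "curl.exe"}


def npm_lifecycle_shell(e):
    """IronWorm pivot: an npm lifecycle script reaching a shell on a build host."""
    return basename(e["ParentImage"]) in NODE_PARENTS and basename(e["Image"]) in UNIX_SHELLS


def w3wp_child(e):
    """OP-512 pivot: the IIS worker process spawning a shell, PowerShell or the C# compiler."""
    return basename(e["ParentImage"]) == "w3wp.exe" and basename(e["Image"]) in IIS_CHILDREN


def rmm_install(e):
    """Luna Moth pivot: an RMM installer launched from cmd/powershell or a curl one-liner."""
    launched_by_script = (basename(e["ParentImage"]) in SCRIPT_HOSTS
                          or "curl" in e.get("ParentCommandLine", "").lower())
    return launched_by_script and any(m in basename(e["Image"]) for m in RMM_MARKERS)


def portable_transfer_tool(e):
    """Luna Moth pivot: WinSCP/Rclone run from a user-profile path rather than an install dir."""
    img = e["Image"].lower()
    return (basename(e["Image"]) in TRANSFER_TOOLS
            and "\\users\\" in img and "program files" not in img)


RULES = [npm_lifecycle_shell, w3wp_child, rmm_install, portable_transfer_tool]


def evaluate(events):
    """Return (rule_name, event) for every rule that fires on each event, in event order."""
    return [(rule.__name__, e) for e in events for rule in RULES if rule(e)]


SAMPLE_EID1 = [   # constructed Sysmon Event ID 1 records (Linux build host and Windows hosts)
    {"Image": "/bin/sh", "ParentImage": "/usr/bin/node",
     "CommandLine": "sh -c node -e \"require('child_process')\"",
     "ParentCommandLine": "node /usr/lib/node_modules/npm/bin/npm-cli.js install"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "cmd.exe /c whoami",
     "ParentCommandLine": "c:\\windows\\system32\\inetsrv\\w3wp.exe -ap \"DefaultAppPool\""},
    {"Image": r"C:\Users\jdoe\Downloads\AnyDesk.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "AnyDesk.exe --install", "ParentCommandLine": "cmd.exe /c AnyDesk.exe --install"},
    {"Image": r"C:\Users\jdoe\AppData\Local\Temp\WinSCP.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "WinSCP.exe", "ParentCommandLine": "explorer.exe"},
    {"Image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "WinSCP.exe", "ParentCommandLine": "explorer.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe", "ParentCommandLine": "explorer.exe"},
]

if __name__ == "__main__":
    for name, e in evaluate(SAMPLE_EID1):
        print(name, "<-", e["ParentImage"], "->", e["Image"])
```

The installed-location WinSCP and the interactive cmd.exe are deliberately left unflagged: the rules key on lineage and location, not on the tool itself, which is the only way to get signal out of intrusions that use nothing but legitimate software.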
6. Action Items
- Mitigate Cisco Catalyst SD-WAN Manager now — no patch exists (see § 2 CVE-2026-20245). Actively exploited to root; ACL the management plane to a dedicated management VLAN, enforce MFA for netadmin, rotate Manager credentials, and confirm the earlier pre-auth bypass CVE-2026-20182 is remediated so the unauth-to-root chain is broken. Hunt the CLI audit log and edge-device config-push events.
- Patch SolarWinds Serv-U to 15.5.4 Hotfix 1 if you run it internet-exposed (see § 2 CVE-2026-28318). Unauthenticated single-request DoS, confirmed exploited; until patched, restrict the SFTP/FTP/HTTP interface exposure.
- Patch MISP instances to the 2026-06-04 release (see § 2 CVE-2026-10868). Multi-org sharing hubs are highest-priority given the account-takeover + cross-org template-overwrite combination. Pre-patch, monitor `UsersController::edit` requests where the posted user id ≠ session user id.
- Lock down npm build pipelines against IronWorm and Miasma (see § 1 and § 4). Enforce `npm install --ignore-scripts` in CI, pin lockfile integrity, rotate/scope npm publish (incl. Trusted Publishing) tokens, and rotate Azure managed-identity / `~/.azure` credentials on any runner that installed an affected `@azure/*` package. Add `bpf()`-syscall and Tor-bootstrap egress monitoring on build hosts.
- Hunt legacy IIS / .NET 4.0 servers for OP-512 behaviourally, not by timestamp (see § 3). Look for `w3wp.exe` issuing long hex-string DNS subdomain queries and spawning `cmd`/`powershell`/`csc`; isolate or retire EOL .NET 4.0 hosts.
- Harden against Luna Moth helpdesk-impersonation and physical intrusion (see § 5). Block unauthorised RMM agents via application control, require out-of-band verification of "IT support" callbacks, restrict VDI/VPN to managed devices, and — given the in-person USB vector — review visitor-credentialing/escort policy and USB-write GPO on sensitive endpoints. Brief cleared/research staff on the LinkedIn/job-platform recruitment tradecraft in § 1.
7. Verification Notes
- Items dropped:
- CVE-2026-49975 (HTTP/2 Bomb) — surfaced by S1 and S2 but already covered as the full deep dive on 2026-06-04; the in-window BSI WID-SEC-2026-1791 and NCSC-CH advisory 12610 are national-CERT pickup, not a material new development (no new exploitation, no new patch beyond what was already reported), so it is not re-reported under PD-8.
- Chrome 149 ANGLE sandbox-escape (reported CVSS 9.6) — does not clear a § 2 inclusion gate (no in-the-wild exploitation, no public PoC); the "record 429 vulnerabilities" framing is a vendor-release count, not threat signal. The single sub-agent that surfaced it (S1) had unreliable sourcing (below); the bare CVE id is therefore omitted from this note rather than recorded as fact. Apply Chrome auto-update via MDM as routine.
- Everest Forms Pro WordPress unauthenticated RCE (reported CVSS 9.8) — only an NVD page (a hard-blocked source) and a single aggregator carried it; no acceptable vendor/research primary was reachable and the exploitation claim was single-source. Dropped pending a verifiable advisory; CVE id omitted as unverified.
- Altium Enterprise Server path-traversal cluster (reported CVSS up to 10.0, unauth file write) — would clear the CVSS gate but is a niche electronics/defence-engineering product with no observed exploitation and low CH/EU public-sector nexus; the only sourcing was a single sub-agent whose URL ledger proved unreliable (below). CVE ids omitted as unverified.
- ESET BTMOB Android RAT-as-a-service — primary source dated 2026-05-26 (well outside the 36 h window, and outside the 72 h developing window); Latin-America targeting with low CH/EU nexus.
- Red Canary "Entra Agent ID → Teams" identity-abuse research — primary dated 2026-06-01, outside the 36 h window; genuinely relevant to CH/EU Copilot/M365 deployments and flagged here for possible pickup if a fresh development lands.
- Hola Browser update-pipeline cryptominer compromise — real (Sophos/BleepingComputer) but lower operational signal (≈0.1 % of users, cryptominer payload); omitted for focus.
- Single-source / reduced-confidence:
- OP-512 (§ 3) is a single-source original disclosure by ReliaQuest; included as research with the lab named, per the PD-5 carve-out for primary research.
- InfoGuard Q2 2026 Threat Intelligence Report (Iran-resumes / Rockwell FactoryTalk ICS pivot / Russia OT probing) — the InfoGuard primary blog was unreachable and only a German press relay (itiko.de) carried the specific findings; the FactoryTalk-pivot claim could not be independently corroborated, so it is logged here rather than reported as fact.
- Data-quality note (research sub-agent reliability): S1 returned several fabricated or guessed Source URLs — its JFrog IronWorm URL returned HTTP 404, its OP-512 ReliaQuest URL and several The-Hacker-News slugs were incorrect, and it recorded false `200` statuses for those URLs in the run's URL-liveness ledger (work/<run-id>/url-liveness.tsv). Every S1-derived item retained in this brief (Cisco SD-WAN, SolarWinds Serv-U, IronWorm, Miasma, OP-512) was re-verified against independently-confirmed primaries (NCSC-CH / CISA-KEV bridge, ReliaQuest's correct URL, JFrog Research's correct URL) before inclusion; affected items were dropped.
- Contradictions: S1 and S3 reported OP-512 with conflicting URLs and differing web-shell detail (S1: three role-specific shells; S3/ReliaQuest: one `.aspx` + two `.ashx` with RSA/RC4 per-deployment keying). Resolved in favour of the ReliaQuest source text, which was fetched and verified directly.
- Coverage gaps: sec-disclosures-edgar (no Item 1.05 8-K filings in window); databreaches-net (HTTP 403, Cloudflare); inside-it-ch (HTTP 403 / empty feed across direct, RSS and Wayback — unreachable this run); sophos-xops (HTTP 503, sixth consecutive run); zdi, recordedfuture-insikt (RSS feed 404); cnil-fr, edpb (no in-window enforcement notices); sekoia (not fetched — time).