ctipilot.ch

CTI Daily Brief — 2026-06-09

Type: daily
Date: 2026-06-09
Generator: Claude Opus 4.8 (`claude-opus-4-8`)
Classification: TLP:CLEAR
Language: English
Prompt: v2.60
Items: 8
CVEs: 7
0. TL;DR

  • Check Point IKEv1 VPN auth bypass (CVE-2026-50751, CVSS 9.3) actively exploited by a Qilin affiliate since 7 May — a month before disclosure. Unauthenticated session forgery on Remote Access / Mobile Access gateways; NCSC-CH issued an Action-Required advisory and CISA added it to KEV (Check Point, 2026-06-08). See § 5.
  • LiteLLM AI-gateway command injection (CVE-2026-42271) added to CISA KEV — host RCE via the MCP test endpoints, unauthenticated when chained with CVE-2026-48710; fixed in 1.83.7 (GitHub Advisory).
  • Working public exploit for a one-character Linux kernel nf_tables UAF (CVE-2026-23111) — >99% reliable local-root and container escape across mainstream distros; patch shipped upstream 5 February (Exodus Intelligence, 2026-06-08).
  • Microsoft Teams external chat is now ~42% of phishing alerts in Cortex, driven by APT29 (Cloaked Ursa) and UNC6692 IT-support impersonation — a configuration-hardening problem, not a patch (Unit 42, 2026-06-08).
  • TeamPCP open-sources its Mini Shai-Hulud supply-chain framework on GitHub, spawning a new "Phantom Gyp" derivative and underscoring that valid SLSA provenance does not survive a subverted build environment (SANS ISC, 2026-06-08).

Immediate Action — Patch Check Point IKEv1 VPN gateways (CVE-2026-50751). An unauthenticated attacker can forge a Remote Access / Mobile Access VPN session without a valid password on gateways running the deprecated IKEv1 key exchange, and the flaw is being exploited in the wild by a Qilin ransomware affiliate (exploitation observed since 7 May 2026, a month before disclosure). NCSC-CH has issued an Action-Required advisory flagging the CVE as actively exploited. Apply hotfix sk185033 now, disable legacy IKEv1 remote-access client support, and begin forensic lookback from 7 May for VPN sessions established without a matching MFA/password event.

3. Research & Investigative Reporting

Unit 42: Microsoft Teams external-chat now a primary phishing surface for APT29 and UNC6692

Unit 42 reports that collaboration-platform phishing reached 42% of all phishing alerts in Cortex in the first four months of 2026, up from 30% in the preceding period, with Microsoft Teams external messaging the dominant vector (Unit 42, 2026-06-08). Two clusters dominate: Cloaked Ursa (APT29 / Midnight Blizzard) uses previously-compromised M365 tenants — often small-business accounts — to stand up IT-support-styled domains, then sends Teams messages requesting MFA approval or credential re-entry under an account-maintenance pretext. UNC6692 floods inboxes to manufacture urgency, then poses as IT support over Teams, ultimately delivering the SNOW suite — SNOWBELT (browser-extension backdoor), SNOWGLAZE (WebSocket tunneler) and SNOWBASIN (persistent backdoor) — after dumping LSASS via Task Manager (T1003.001) and moving laterally with Pass-the-Hash (T1550.002) (Mandiant, 2026-04-23). The root enabler is the default Teams configuration permitting unrestricted external-tenant messaging.

Why it matters to us: Hardening is configuration, not patching — restrict external access in the Teams Admin Center to explicitly-allowed partner domains and disable unmanaged/consumer-account chat. Detection concepts: Entra ID sign-in logs for logons originating from external M365 tenants; Teams activity logs for ExternalUserJoined events followed by rapid file/link shares; MDI alerts on MFA anomalies after cross-tenant contact. Extend AiTM-aware Conditional Access to Teams sign-in contexts.

Microsoft Threat Intelligence: AI-brand impersonation drives Lumma Stealer and Vidar delivery via signed binaries

Microsoft Threat Intelligence documents a campaign by Storm-3075 (initial-access broker) and Fox Tempest (malware-signing-as-a-service operator) that weaponises public enthusiasm for AI tools, impersonating ChatGPT, Claude, DeepSeek and Microsoft Copilot through SEO poisoning, malvertising and multi-stage redirection chains (Rebrandly → CAPTCHA gate → credential-harvesting landing) (Microsoft, 2026-06-08). Downloaded binaries are code-signed with certificates obtained through Fox Tempest's MSaaS operation (T1553.002), suppressing initial detection; payloads include Lumma Stealer, Vidar, Hijack Loader and Oyster, with fraudulent GitHub repositories used for payload staging. Microsoft's separate analysis details the Fox Tempest malware-signing-as-a-service operation that supplies the certificates (Microsoft, 2026-05-19).

Why it matters to us: Code-signing is no longer a trust anchor here — a valid Authenticode signature on a fresh "AI tool" installer is consistent with this chain. Detection concepts: Sysmon EID 1 for browser-parented processes spawning infostealer-family command lines; EDR process-injection alerts for Hijack Loader. Phish-resistant MFA (FIDO2/passkeys) removes the downstream AiTM credential-replay value even when an endpoint is seeded.

Exodus Intelligence publishes working exploit for a one-character Linux kernel nf_tables use-after-free (CVE-2026-23111)

Exodus Intelligence released a full technical write-up and working exploit for CVE-2026-23111, a use-after-free in the Linux kernel nf_tables subsystem caused by a single misplaced ! operator in nft_map_catchall_activate() that inverts the genmask check and skips inactive catchall elements during the abort path (Exodus Intelligence, 2026-06-08). Exodus reports >99% reliability on idle Debian Bookworm/Trixie and Ubuntu 22.04/24.04 LTS, yielding unprivileged-local-user to root escalation and container escape (T1068, T1611) (The Hacker News, 2026-06-08). The flaw was patched upstream on 5 February 2026; distro packages are shipping the fix (Ubuntu Security, rated 7.8). No network-reachable path exists — exploitation requires local access or code execution inside a container, making this high-value post-exploitation tooling for shared compute (Kubernetes nodes, CI/CD runners, multi-tenant VMs).

Why it matters to us: With a reliable public exploit now available, the patch gap is the exposure. Apply vendor kernel updates containing the 5 February upstream fix; in container environments enforce seccomp and AppArmor/SELinux profiles that restrict nf_tables syscalls for untrusted workloads. Detection concepts: anomalous UID transitions to 0 from non-root parents (Linux audit execve/setuid records); unexpected privileged process spawns inside containers.
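The "anomalous UID transition to 0 from a non-root parent" detection concept above, worked as an added example (not Exodus Intelligence's tooling or any distro's rule set): it parses constructed auditd SYSCALL records for execve on x86_64, tracks the effective uid per pid, and flags a child that runs as root under a non-root parent unless the executable is an expected setuid helper. The sample records, the allowlist and the field layout are assumptions.

```python
import re
from typing import Dict, List

# Setuid helpers that legitimately run a non-root user's child as root (assumed allowlist).
# Any other jump to euid=0 under a non-root parent is the shape a kernel LPE leaves behind:
# the exploit elevates in-process, then spawns a shell that audit records with uid=0.
EXPECTED_SETUID_EXES = {"/usr/bin/sudo", "/usr/bin/su", "/usr/bin/passwd", "/usr/bin/pkexec"}
EXECVE_X86_64 = "59"          # execve syscall number when arch=c000003e
UNSET_AUID = "4294967295"     # auditd value for "no login uid"

# Constructed sample records (not from a real incident): shell 901 runs sudo (expected),
# then runs an unprivileged binary 903 whose child shell 904 suddenly executes as uid 0.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1780000001.001:101): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=901 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 comm="bash" exe="/usr/bin/bash" key="exec"
type=SYSCALL msg=audit(1780000002.002:102): arch=c000003e syscall=59 success=yes exit=0 ppid=901 pid=902 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=0 comm="sudo" exe="/usr/bin/sudo" key="exec"
type=SYSCALL msg=audit(1780000003.003:103): arch=c000003e syscall=59 success=yes exit=0 ppid=901 pid=903 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 comm="exploit" exe="/tmp/exploit" key="exec"
type=SYSCALL msg=audit(1780000004.004:104): arch=c000003e syscall=59 success=yes exit=0 ppid=903 pid=904 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 comm="sh" exe="/usr/bin/dash" key="exec"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line: str) -> Dict[str, str]:
    """Split one auditd line into key/value fields, stripping quotes from values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def find_uid_transitions(lines: List[str]) -> List[Dict[str, str]]:
    """Return execve records where the child runs as euid=0 although its parent was non-root."""
    uid_by_pid: Dict[str, str] = {}
    alerts: List[Dict[str, str]] = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("syscall") != EXECVE_X86_64 or rec.get("success") != "yes":
            continue
        parent_uid = uid_by_pid.get(rec["ppid"])
        if parent_uid is None:
            # Parent not seen in this stream: use the login uid (auid) as the session's starting uid.
            parent_uid = rec.get("auid") if rec.get("auid") != UNSET_AUID else None
        uid_by_pid[rec["pid"]] = rec["euid"]
        if rec["euid"] == "0" and parent_uid not in (None, "0") and rec["exe"] not in EXPECTED_SETUID_EXES:
            alerts.append({"pid": rec["pid"], "ppid": rec["ppid"], "exe": rec["exe"],
                           "parent_uid": parent_uid, "event": rec["msg"]})
    return alerts


if __name__ == "__main__":
    for a in find_uid_transitions(SAMPLE_AUDIT.splitlines()):
        print(f"ALERT pid={a['pid']} ppid={a['ppid']} parent_uid={a['parent_uid']} exe={a['exe']} {a['event']}")
```

Inside containers the same logic applies per container audit stream; tune the allowlist to the image's actual setuid binaries rather than the host's.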

4. Updates to Prior Coverage

UPDATE: TeamPCP open-sources its Mini Shai-Hulud framework, spawning a new "Phantom Gyp" derivative

UPDATE (originally covered 2026-06-06): A SANS ISC handler diary tracking the TeamPCP supply-chain campaign through 7 June reports the operators have open-sourced their Mini Shai-Hulud framework on GitHub, triggering a second wave of derivative campaigns (SANS ISC, 2026-06-08). Beyond the previously-covered Miasma worm — which compromised npm packages including Red Hat's @redhat-cloud-services scope (Wiz, 2026-06-01) — the diary names a newly-tracked Phantom Gyp campaign that abuses node-gyp / binding.gyp install-time script execution in compromised npm packages; both inject malicious CI/CD hooks (SANS ISC, 2026-06-08).

The diary's load-bearing detection-engineering point: valid SLSA provenance attestations do not protect against supply-chain injection when the build environment itself is subverted from the inside. The recommended shift is from attestation-verification to build-pipeline integrity — monitor GitHub Actions runner process trees for unexpected outbound network from within a build, alert on actions/upload-artifact shipping signed-but-anomalous binaries, and cross-check published package checksums against CI logs via independent transparency ledgers (e.g. Sigstore Rekor). EU/Swiss public-sector teams running npm-based automation or Red Hat tooling should audit CI/CD pipeline definitions for unexpected workflow-step insertions.

5. Deep Dive — Check Point IKEv1 VPN Authentication Bypass (CVE-2026-50751)

On 8 June 2026 Check Point disclosed and shipped a hotfix for CVE-2026-50751 (CVSS 9.3), an authentication bypass affecting Remote Access VPN and Mobile Access gateways configured for the deprecated IKEv1 key exchange (Check Point, 2026-06-08). The disclosure is notable not for its novelty as a bug class but for its timeline: exploitation began no later than 7 May 2026 — a full month before public disclosure — surged in early June, and is attributed by Check Point to a financially-motivated actor deploying Qilin ransomware (Help Net Security, 2026-06-08). NCSC-CH issued an Action-Required advisory the same day, flagging the CVE as actively exploited (NCSC-CH, 2026-06-08).

Mechanics. The flaw is a logic-flow weakness in certificate validation within the IKEv1 Remote Access / Mobile Access path. An unauthenticated remote attacker can exploit it to establish a VPN session without presenting a valid user password — defeating the authentication step that the VPN front-end is supposed to enforce (Rapid7, 2026-06-08). Importantly, the bypass yields a VPN session, not direct code execution: post-authentication activity — credential abuse, lateral movement, privilege escalation — is still required to reach internal resources. The exposure surface is gateways still running deprecated IKEv1 (not the current IKEv2); legacy Remote Access clients that default to IKEv1 are the principal liability.

Kill chain. Initial access maps to T1190 Exploit Public-Facing Application: the attacker reaches the internet-exposed VPN portal and forges a session via the certificate-validation bypass. From the VPN-assigned address space the actor pivots using T1078 Valid Accounts — operating from inside the trust boundary the VPN was meant to gate — toward the credential-access, lateral-movement and impact stages that precede Qilin ransomware deployment. Check Point assesses the same actor is concurrently scanning Palo Alto (PAN-OS), Fortinet and F5 VPN products, consistent with an edge-device-focused access broker feeding a ransomware operation (Check Point, 2026-06-08); BleepingComputer corroborates the Qilin linkage (BleepingComputer, 2026-06-08).

Affected and patched versions. Affected trains span R80.20.X, R80.40, R81, R81.10 (these four End-of-Support), R81.10.X, R81.20, R82, R82.00.X and R82.10, plus Spark appliances; the remediation is the hotfix and fixed releases documented in Check Point sk185033 (Check Point sk185033). Check Point also disclosed CVE-2026-50752 (CVSS 7.4), a separate IKEv1 weakness enabling man-in-the-middle interference on site-to-site connections — not exploited in the wild but to be patched in the same maintenance window.

Hunt and detection concepts. Because exploitation predates disclosure by a month, forensic lookback should start 7 May 2026. Review VPN authentication logs for remote-access sessions established without a matching MFA/password event; flag sessions negotiated over IKEv1-only tunnels where the estate is otherwise IKEv2. Treat lateral movement originating from VPN-assigned address ranges as a hunt anchor — authentication and access events sourced from the VPN pool to internal services shortly after an anomalous session establishment. With confirmed in-the-wild exploitation pre-dating disclosure by a month, the case argues for compressing the change window rather than waiting for IPS coverage to mature.
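The lookback hunt described above, as an added example (not Check Point's or NCSC-CH's tooling): it walks constructed remote-access session and IdP MFA exports from 7 May 2026 onward, flags sessions with no MFA success shortly beforehand or negotiated over IKEv1 in an IKEv2 estate, and returns the VPN-assigned address as the anchor for the lateral-movement hunt. The export column names, the five-minute MFA window and the IKEv2-only estate assumption are all assumptions.

```python
from datetime import datetime, timedelta
from typing import Dict, List

LOOKBACK_START = datetime(2026, 5, 7)   # earliest known exploitation per the advisory
MFA_WINDOW = timedelta(minutes=5)       # assumption: a legitimate login shows MFA success shortly before the session
ESTATE_IKE = "IKEv2"                    # assumption: clients have migrated, so an IKEv1 session is an outlier

# Constructed sample exports (not real gateway or IdP data); field names are assumptions.
VPN_SESSIONS = [
    {"time": "2026-05-06T08:00:00", "user": "alice", "src": "203.0.113.10", "ike": "IKEv2", "assigned": "10.99.0.11"},
    {"time": "2026-05-09T02:14:00", "user": "bob",   "src": "198.51.100.7", "ike": "IKEv1", "assigned": "10.99.0.23"},
    {"time": "2026-05-09T09:30:00", "user": "carol", "src": "203.0.113.44", "ike": "IKEv2", "assigned": "10.99.0.31"},
    {"time": "2026-06-02T23:51:00", "user": "alice", "src": "192.0.2.77",   "ike": "IKEv1", "assigned": "10.99.0.12"},
]
MFA_EVENTS = [
    {"time": "2026-05-06T07:59:10", "user": "alice", "result": "success"},
    {"time": "2026-05-09T09:28:40", "user": "carol", "result": "success"},
    {"time": "2026-06-02T23:50:00", "user": "alice", "result": "denied"},   # a denied prompt does not count
]


def mfa_success_before(user: str, session_time: datetime, mfa_events: List[Dict[str, str]],
                       window: timedelta = MFA_WINDOW) -> bool:
    """True if the user has an MFA success within `window` before the session was established."""
    for ev in mfa_events:
        if ev["user"] != user or ev["result"] != "success":
            continue
        delta = session_time - datetime.fromisoformat(ev["time"])
        if timedelta(0) <= delta <= window:
            return True
    return False


def hunt_sessions(sessions: List[Dict[str, str]], mfa_events: List[Dict[str, str]],
                  lookback_start: datetime = LOOKBACK_START) -> List[Dict[str, object]]:
    """Flag remote-access sessions in the lookback window lacking MFA or negotiated over IKEv1."""
    findings: List[Dict[str, object]] = []
    for s in sessions:
        t = datetime.fromisoformat(s["time"])
        if t < lookback_start:          # pre-dates the first known exploitation; out of scope
            continue
        reasons = []
        if not mfa_success_before(s["user"], t, mfa_events):
            reasons.append("no_mfa_success")
        if s["ike"] != ESTATE_IKE:
            reasons.append("ikev1_session")
        if reasons:
            # The assigned pool address is what internal auth/access logs are then searched for.
            findings.append({"user": s["user"], "time": s["time"], "src": s["src"],
                             "assigned": s["assigned"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt_sessions(VPN_SESSIONS, MFA_EVENTS):
        print(f"{f['time']} {f['user']} from {f['src']} -> {f['assigned']}: {', '.join(f['reasons'])}")
```

A session flagged only as `ikev1_session` with a matching MFA success is a migration gap rather than an intrusion signal; `no_mfa_success` on an IKEv1 tunnel is the combination the deep dive describes.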

Hardening. Apply the sk185033 hotfix immediately; where patching lags, the structural mitigation is to disable legacy IKEv1 remote-access client support and migrate to IKEv2, which removes the vulnerable path entirely. Enforce mandatory machine-certificate authentication and enable IPS with updated signatures as a stopgap. The broader lesson for Swiss/EU public-sector estates is the recurring one for internet-exposed edge appliances: a deprecated-but-enabled protocol is an attack surface, and the gap between silent exploitation and vendor disclosure is where ransomware access brokers operate.

6. Action Items

  • Patch Check Point IKEv1 VPN gateways now (CVE-2026-50751) — pre-auth authentication bypass under active exploitation by a Qilin affiliate since 7 May; apply hotfix sk185033, disable deprecated IKEv1 remote-access support, and start forensic lookback from 7 May for VPN sessions established without a matching MFA event. See § 5.
  • Upgrade LiteLLM to 1.83.7 (CVE-2026-42271) — KEV-listed, actively exploited; unauthenticated when chained with CVE-2026-48710. Restrict the /mcp-rest/test/* endpoints at the network layer and audit API-key scoping in the interim. See § 2.
  • Apply kernel updates for CVE-2026-23111 and harden container syscall policy — a >99%-reliable public LPE/container-escape exploit is now available; ship the 5 February upstream fix and enforce seccomp/AppArmor restrictions on nf_tables for untrusted workloads. See § 3.
  • Lock down Microsoft Teams external access — restrict external messaging to allow-listed partner domains and disable unmanaged/consumer-account chat to close the APT29/UNC6692 social-engineering surface; extend AiTM-aware Conditional Access to Teams sign-in. See § 3.
  • Audit CI/CD pipeline definitions — TeamPCP derivatives (Miasma, Phantom Gyp) inject build-time hooks that pass SLSA provenance; review GitHub Actions workflow steps and monitor runner process trees for unexpected outbound network. See § 4.

7. Verification Notes

  • Items dropped:
    • Luna Moth / UNC3753 physical-USB extortion escalation (Mandiant GTIG, 2026-06-05) — substantively the same campaign and physical-intrusion development already given a full deep dive on 2026-06-06; no material new delta this run beyond the corroborating Security Affairs write-up (2026-06-08). Excluded under the no-repetition rule.
    • ICO £963,900 fine of South Staffordshire Water (Cl0p) — primary enforcement action dated 2026-05-11, ~4 weeks outside the 36 h window; no genuine in-window publication (a sitemap lastmod of 2026-06-02 is not a new article). Out-of-window: primary source 2026-05-11.
    • EU Council TTE meeting (CSA2 high-risk supplier framework / NIS2 simplification progress) — the 2026-06-09 meeting tables progress reports already captured in the 2026-W23 weekly policy section; no operational defender delta. Logged as horizon item, not re-reported.
    • CNIL €5M fine of IQVIA (health-data warehouses) — the underlying decision is dated 2026-05-28, outside the 36 h window; the only in-window hook was a corroborating article whose URL did not resolve to the IQVIA story, so the PD-7 fresh-development carve-out no longer holds. Dropped on recency. May resurface if genuine in-window reporting appears; the precedent (CNIL rejecting a "pseudonymous = anonymous" SRB defence) remains relevant to Swiss/EU health-data processors.
    • Avcon Jet (Austria) Qilin ransomware listing — sourced only to cybernews and a vendor blog (dexpose), no victim disclosure or HIGH-reliability journalism; leak-site-claim posture fails the fake-news guard. The Qilin/edge-VPN-targeting angle is retained on Check Point's HIGH-reliability attribution in § 5.
    • CVE-2026-8037 / CVE-2026-33691 (Progress Kemp LoadMaster) — dropped after verification: the only available citation (the Progress Customer Community bulletin) renders client-side and returns a portal/error shell rather than stable bulletin content, and BSI's WID-SEC-2026-1812 advisory page has the same SPA limitation. With no citable stable source for a no-ITW, no-PoC vulnerability, the item did not meet the citation bar. Worth re-checking next run if Progress publishes a stable bulletin URL or a secondary source covers it.
  • Single-source / reduced-confidence:
    • SoFi Securities (Hong Kong) third-party vendor breach — single-source (BleepingComputer with SoFi spokesperson confirmation), scope and data categories still under investigation, weak CH/EU and public-sector nexus. Held back pending corroboration; may resurface if a regulator notice or scope detail lands.
  • Contradictions: none surfaced this run.
  • Sub-agents: S1–S4 all returned within budget (Claude Sonnet 4.6). No stalls.
  • Coverage gaps: databreaches-net (persistent 403, no usable Wayback snapshot — breach stories covered via BleepingComputer/CyberScoop/The Record); inside-it-ch (persistent 404, 5+ runs); sophos-xops (503 streak, 4+ runs); sec-disclosures-edgar (no qualifying 8-K Item 1.05 filings in window); edpb, us-treasury-ofac (no in-window cyber decisions/designations); shadowserver, greynoise, wiz-blog, vulncheck (S1 not independently queried — coverage cross-checked via NVD/ENISA EUVD/CISA KEV); elastic-seclabs, dfirreport, intel471, kaspersky-securelist, checkpoint-research (most recent items outside the 36 h window).