On this page
- 0. TL;DR
- 1. Active Threats, Trending Actors, Notable Incidents & Disclosures
- 2. Trending Vulnerabilities
- 3. Research & Investigative Reporting
- 4. Updates to Prior Coverage
- 5. Deep Dive — Dragos Q1 2026 Industrial Ransomware Analysis: 1,020 industrial incidents, The Gentleman's 4× surge against Romanian energy, and the IT-adjacent intrusion pattern
- 6. Action Items
- 7. Verification Notes
References (50)
- CVE-2026-0257 ×2
- CVE-2026-10520
- CVE-2026-47291
- CVE-2026-44748
- CVE-2026-47895
- CVE-2026-44963
- CVE-2026-11645
- CVE-2026-7473
- CVE-2026-47344
- CVE-2025-8088 ×4
- CVE-2026-10523
- CVE-2026-22732
- CVE-2026-27671
- CVE-2026-40128
- CVE-2026-44815
- CVE-2026-45586
- CVE-2026-47281
- CVE-2026-49160
- CVE-2026-50507
- Mini Shai-Hulud — TeamPCP SAP CAP npm supply-chain worm
- Tchap French government Matrix messenger breached via account takeover; 73,467 civil servants' metadata exposed, CNIL notified
- Ghost-Sender: Exchange Online inbound spoofing bypassing SPF/DKIM/DMARC on third-party-MX tenants (no patch)
- NCSC-CH Week 23: coordinated job-seeker targeting (fake interviews, reshipping ID theft, LinkedIn-to-GitHub infostealer)
- Meta Instagram AI support tool (High Touch Support) logic flaw: 20,225 account takeovers; Maine AG notified
- GIFTEDCROOK via UAC-0226 and Earth Dahu still exploiting WinRAR CVE-2025-8088 against Ukraine (Trend Micro)
- Unit 42 cloud-logging defense-evasion taxonomy across AWS CloudTrail and Google Cloud Logging
- Red Canary: Microsoft Entra Agent ID OBO OAuth abuse turns compromised AI agent into delegated phishing sender
- Check Point: TDS-gated ecosystem impersonating Ghidra/dnSpy/ILSpy delivers SessionGate, RemusStealer, AnimateClipper
- EU Cyber Resilience Act — first hard deadline (notifying-authority designation, 11 June 2026)
- Dragos Q1 2026 Industrial Ransomware Analysis — 1,020 incidents; The Gentleman 4x vs Romanian energy; IT-adjacent pattern
- BleepingComputer
- BSI Germany — CERT-Bund WID (RSS)
- Check Point Research
- Chrome Releases (Security Updates)
- Dragos
- Help Net Security
- Microsoft Threat Intelligence
- NCSC Switzerland — Im Fokus
- NCSC Switzerland — Cyber Security Hub (CSH) / GovCERT.ch
- Rapid7 Research
- Red Canary
- SANS Internet Storm Center
- Security Affairs
- Tenable Research
- Trend Micro Research
- Palo Alto Networks Unit 42
- watchTowr Labs
- Socket Security (socket.dev blog)
- Centre for Cybersecurity Belgium (CCB)
- InfoGuard Labs (Switzerland)
0. TL;DR
- Ivanti Sentry pre-auth root RCE (CVE-2026-10520, CVSS 10.0) — public PoC published today. watchTowr released a full technical write-up and a working GitHub PoC for an unauthenticated OS command injection in the MICS admin API of this MDM/EMM gateway, widely deployed in CH/EU government. Patch to R10.5.2 / R10.6.2 / R10.7.1 now (watchTowr, 2026-06-10). See § 2.
- France's sovereign government messenger Tchap breached — 73,467 civil servants exposed, CNIL notified. A single account takeover on the education shard was pivoted via the Matrix user-directory to scrape user metadata across the federation; DINUM confirms name, email and employing entity exposed (DINUM, 2026-06-08). See § 1.
- June Patch Tuesday is the largest ever (198 CVEs) — headline is an HTTP.sys pre-auth RCE (CVE-2026-47291, CVSS 9.8); separately Chrome patched an in-the-wild V8 zero-day (CVE-2026-11645, now CISA KEV). (Rapid7, 2026-06-09; Chrome, 2026-06-08). See § 2.
- Heavy CH/EU public-sector patch load lands at once: SAP June Patch Day (CVE-2026-44748 SAML XML Signature Wrapping, CVSS 9.9, in NetWeaver AS ABAP), a strongSwan pre-auth double-free RCE (CVE-2026-47895), and a 13-CVE TYPO3 core release spanning every supported branch (NCSC-CH, 2026-06-09). See § 2.
- "Ghost-Sender" lets attackers spoof any sender into Exchange Online inboxes, bypassing SPF/DKIM/DMARC — no vendor patch. Swiss firm InfoGuard disclosed the configuration flaw affecting tenants that front EXO with a third-party MX; NCSC-CH issued an advisory (InfoGuard, 2026-06-09). See § 1.
1. Active Threats, Trending Actors, Notable Incidents & Disclosures
France's Tchap government messenger breached via account takeover — 73,467 civil servants' metadata scraped, CNIL notified
On 7 June 2026 ANSSI detected a compromise of Tchap, the French state's sovereign Matrix-based encrypted messenger used by some 825,000 civil servants across all ministries; DINUM published its disclosure on 8 June (DINUM, 2026-06-08). The attacker obtained a single account on the education shard (matrix.agent.education.tchap.gouv.fr) through account impersonation; the attacker further claims to have used a Tchap directory-search function to enumerate accounts across the service, a mechanism DINUM has not confirmed and which The Register reports as part of a set of unverified attacker claims (Help Net Security, 2026-06-09; The Register, 2026-06-09). DINUM confirms 73,467 agents (under 9% of registered users) had name, first name, email address, employing entity and avatar potentially exposed; private rooms protected by Matrix end-to-end encryption were not accessible from a compromised user account, only public-room content (DINUM, 2026-06-08). The unverified actor additionally claims bulk scraping of ~643,000 messages and ~13.5 GB of media, alleging that any media object is retrievable without an auth token once its media ID is known — an unconfirmed content-repository access-control claim that, if true, would widen the exposure considerably (The Register, 2026-06-09). DINUM has notified CNIL and blocked the account; the investigation is ongoing.
"Ghost-Sender": Exchange Online accepts spoofed inbound mail bypassing SPF/DKIM/DMARC when a third-party MX fronts the tenant — no vendor patch
Swiss security firm InfoGuard Labs disclosed "Ghost-Sender" on 9 June, a configuration-layer email-spoofing weakness affecting Microsoft 365 tenants whose published MX record points to a third-party gateway (Barracuda/Proofpoint/Mimecast) rather than Microsoft (InfoGuard, 2026-06-09). When inbound filtering is enforced only on the MX path, an attacker who knows the target domain can connect directly to the tenant's *.mail.protection.outlook.com endpoint and relay messages that present as any internal or external sender; because the delivery originates from Microsoft IP space, SPF passes, DKIM has no mismatched signature to fail on, and DMARC is evaluated favourably — the spoofed mail lands in the inbox, in some cases rendering the impersonated internal user's profile picture (NCSC-CH, 2026-06-09). InfoGuard reports that across its bug-bounty sample over 20% of Exchange Online domains were exploitable and roughly half of external-MX deployments lacked the mitigation; Microsoft characterised the behaviour as a known architectural limitation and has not shipped a platform fix, while NCSC-CH issued its own advisory and Microsoft Support confirmed active abuse (NCSC-CH, 2026-06-09). This is a configuration issue (no CVE), enabling high-fidelity BEC and internal-sender impersonation against any organisation on the affected architecture.
Why it matters to us: the EXO-plus-external-filter topology is the dominant Microsoft 365 model in Swiss and EU public-sector environments, and there is no patch — mitigation is configuration. Add an inbound connector of type "Partner"/"On-premises" that requires the gateway's pinned TLS certificate or approved IP ranges, and a priority-0 transport rule that quarantines or rejects inbound mail not arriving via the approved external-filter connector; ensure Enhanced Filtering for Connectors (skip-listing) is configured so EXO evaluates the true originating IP. Hunt in Message Trace for mail received on the Default Frontend connector rather than the expected partner connector.
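The Message Trace hunt described above, as an added example that is not InfoGuard's, NCSC-CH's or Microsoft's code: it walks constructed message-trace-style records and flags anything that reached the tenant on the Default Frontend connector instead of the approved partner connector, calling out the internal-sender case separately because that is the high-fidelity Ghost-Sender signal. The connector name ("Inbound from Gateway"), the accepted domain, the gateway IP range (TEST-NET-3) and the record field names are assumptions, not the real Exchange Online schema.

```python
"""Flag inbound Exchange Online mail that skipped the third-party MX gateway.

Added illustration over constructed records. Assumptions (not real tenant values):
the tenant accepts example.ch, the partner connector is named "Inbound from
Gateway", and the gateway egresses from 203.0.113.0/24.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

INTERNAL_DOMAINS = {"example.ch"}                 # tenant accepted domains (assumed)
APPROVED_CONNECTOR = "Inbound from Gateway"       # partner/on-premises connector (assumed)
GATEWAY_RANGES = [ip_network("203.0.113.0/24")]   # gateway egress ranges (constructed)


@dataclass(frozen=True)
class TraceRecord:
    message_id: str
    sender: str
    recipient: str
    client_ip: str      # SMTP client as seen by EXO (field name assumed)
    connector: str      # receive connector that accepted the message (assumed)


def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def is_gateway_ip(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in GATEWAY_RANGES)


def classify(rec: TraceRecord) -> Optional[str]:
    """Return a finding label, or None when mail took the expected gateway path."""
    via_gateway = rec.connector == APPROVED_CONNECTOR
    from_gateway_ip = is_gateway_ip(rec.client_ip)
    if via_gateway and from_gateway_ip:
        return None
    if via_gateway:
        # Connector matched (loose IP scoping, no certificate pinning) but the
        # client is not the gateway: the connector restriction is too wide.
        return "approved-connector-unexpected-ip"
    if sender_domain(rec.sender) in INTERNAL_DOMAINS:
        # An 'internal' sender arriving straight at *.mail.protection.outlook.com
        # never passed the gateway: the Ghost-Sender internal-impersonation case.
        return "internal-sender-direct-to-exo"
    return "external-sender-direct-to-exo"


def hunt(records: List[TraceRecord]) -> List[Tuple[str, str]]:
    findings = []
    for rec in records:
        label = classify(rec)
        if label:
            findings.append((rec.message_id, label))
    return findings


# Constructed sample trace: one clean delivery, one internal spoof, one external
# bypass, one delivery that matched the connector from a non-gateway address.
SAMPLE_TRACE = [
    TraceRecord("<m1@ext.example.net>", "vendor@ext.example.net", "user@example.ch",
                "203.0.113.10", "Inbound from Gateway"),
    TraceRecord("<m2@example.ch>", "cfo@example.ch", "finance@example.ch",
                "198.51.100.77", "Default Frontend EXO01"),
    TraceRecord("<m3@ext.example.net>", "news@ext.example.net", "user@example.ch",
                "198.51.100.78", "Default Frontend EXO01"),
    TraceRecord("<m4@ext.example.net>", "vendor@ext.example.net", "user@example.ch",
                "198.51.100.79", "Inbound from Gateway"),
]

if __name__ == "__main__":
    for mid, label in hunt(SAMPLE_TRACE):
        print(f"{label:35s} {mid}")
```

The third label ("approved-connector-unexpected-ip") is the one to watch after remediation: if the partner connector is scoped by a broad IP range rather than the gateway's certificate, the transport rule that rejects mail "not via the connector" will not fire for a direct connection that still matches that range.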
NCSC-CH Week 23: coordinated surge in job-seeker targeting — fake interviews, reshipping identity theft, and LinkedIn-to-GitHub infostealer delivery
NCSC Switzerland's Week 23 report (9 June) documents three concurrent technique chains aimed at job seekers in Switzerland (NCSC-CH, 2026-06-09). The first sends fake interview-confirmation emails for plausible Swiss employers, linking to a counterfeit Google login that harvests credentials (T1566.002, T1078). The second uses fraudulent job offers demanding identity documents for "onboarding," with stolen Swiss IDs then used to order goods and run parcel-reshipping (freight-forwarder) fraud. The third operates through compromised LinkedIn recruiter profiles that direct candidates to download a "technical assessment" or "onboarding" GitHub repository carrying infostealer malware that targets crypto wallets, browser cookies and saved credentials (T1566.003, T1059.001, T1555). NCSC notes attackers systematically exploit applicants' urgency and unfamiliarity with new-employer processes to lower vigilance.
Why it matters to us: the LinkedIn→GitHub chain is a credible vector into corporate endpoints via employees in job-search mode and HR/talent teams handling external candidate code. Detection signal: git clone / GitHub downloads followed by script execution minutes after a LinkedIn contact (Sysmon EID 1, parent git.exe / python.exe from a freshly-cloned path). This is a national-CERT primary disclosure for its own jurisdiction.
Meta discloses 20,225 Instagram account takeovers via an AI support-tool logic flaw; Maine AG notification filed 8 June
Meta filed a breach notification with the Maine Attorney General on 8 June disclosing that a logic flaw in its AI-assisted account-recovery tool ("High Touch Support") allowed unauthorised actors to hijack 20,225 Instagram accounts between 17 April and 31 May 2026 (BleepingComputer, 2026-06-08). A separate code path failed to verify that the email address supplied with a reset request matched the account's registered address, so the reset link was sent to the attacker-provided address — a confused-deputy bypass requiring no prior knowledge of the victim's email, phone or password (Security Affairs, 2026-06-08). Accounts with two-factor authentication enabled were protected from full takeover even when the reset link was obtained. Meta disabled the tool on discovery (31 May), invalidated pending reset links, and will notify affected users on 19 June.
Why it matters to us: this is the AI-support-automation risk class in practice — a "helpful" AI workflow induced to act on attacker-supplied identity claims without cross-checking authoritative records (T1078, T1556). Organisations deploying AI help-desk or self-service account-recovery should audit whether the AI decision path can be steered by attacker-controlled email/identity input, and enforce 2FA so a password-reset bypass alone does not yield takeover.
2. Trending Vulnerabilities
CVE-2026-10520 / CVE-2026-10523 — Ivanti Sentry: pre-auth OS command injection to root (CVSS 10.0), public PoC published today
CVE-2026-10520 is an unauthenticated OS command injection in Ivanti Sentry (formerly MobileIron Sentry), the EMM/MDM enforcement gateway that proxies email and applications to managed devices and frequently fronts Exchange. The vulnerable endpoint is /mics/api/v2/sentry/mics-config/handleMessage on the MICS admin API (port 8443): ConfigServiceController.handleMessage() accepts XML payloads containing commandexec blocks whose reqandres field is passed unvalidated through ConfigRequestProcessor.handleExecute() into native command execution, yielding root-level RCE with no authentication (watchTowr, 2026-06-10). watchTowr published the technical analysis and a working PoC on 2026-06-10; CVE-2026-10523 is a companion authentication bypass (CWE-288) covered in the same Ivanti advisory (watchTowr, 2026-06-10). No in-the-wild exploitation is confirmed yet, but a same-day public PoC against a pre-auth root RCE on a government-grade MDM gateway sharply compresses the window. Affected: all Sentry before R10.5.2 / R10.6.2 / R10.7.1; patch immediately and restrict the MICS interface (8443) to management IPs in the interim (T1190, T1059.004).
CVE-2026-47291 — Microsoft June Patch Tuesday: HTTP.sys pre-auth RCE (CVSS 9.8) headlines the largest-ever release (198 CVEs)
Microsoft's June 2026 Patch Tuesday addressed 198 CVEs (32 Critical), the largest in program history (Rapid7, 2026-06-09). The headline is CVE-2026-47291 in HTTP.sys (CWE-190 integer overflow into a CWE-122 heap write): an unauthenticated attacker sends a crafted request to any Windows service built on the HTTP Protocol Stack (IIS, WinRM, WMI-over-HTTP) to achieve RCE, rated "Exploitation More Likely" (Microsoft MSRC, 2026-06-09). Microsoft notes systems at the default MaxRequestBytes of 16384 bytes are not impacted — only deployments that raised it above ~65 KB are exposed, so resetting that registry value is a stopgap. Three publicly-disclosed (not-yet-exploited) zero-days also shipped: CVE-2026-49160 (HTTP.sys HTTP/2 compression-bomb DoS, the IIS analogue of the earlier nginx/Apache CVE-2026-49975, now mitigated with MaxHeadersCount), CVE-2026-50507 (BitLocker physical-access bypass), and CVE-2026-45586 (CTFMON EoP); the release also includes the DHCP Client RCE CVE-2026-44815 (CVSS 9.8, "Less Likely") and VSCode EoP CVE-2026-47281 (CVSS 9.6) (Tenable, 2026-06-09; SANS ISC, 2026-06-09). Prioritise the HTTP.sys patch on any Windows host exposing IIS/WinRM.
CVE-2026-44748 — SAP June Patch Day: SAML XML Signature Wrapping in NetWeaver AS ABAP (CVSS 9.9) plus an unauth RFC kernel memory-corruption (CVSS 9.8)
SAP's June Patch Day (9 June) shipped multiple HotNews notes; the most severe affect NetWeaver AS ABAP and ABAP Platform — the ERP backbone across Swiss federal/cantonal administration and EU public-sector bodies (Onapsis, 2026-06-09). CVE-2026-44748 (CVSS 9.9) is an XML Signature Wrapping flaw in the SAML authentication handler: an attacker takes a legitimately-signed SAML assertion and replaces the processed element with attacker-controlled identity data while leaving the signature valid, enabling privilege escalation/account takeover. It spans SAP_BASIS 702–919, an unusually broad patch footprint (NCSC-CH, 2026-06-09). CVE-2026-27671 (CVSS 9.8) is memory corruption via improper RFC protocol validation reachable unauthenticated over the network; CVE-2026-40128 (CVSS 9.0) is a path traversal in the NetWeaver AS Java Web Container; CVE-2026-22732 (CVSS 9.1) is a missing-security-headers bug in Spring Security affecting Commerce Cloud/Data Hub (SAP, 2026-06-09). Exploitation is listed UNKNOWN for all four. Apply the June SAP Security Notes (SAP Note 3746332 is the SAML XSW fix for CVE-2026-44748) and enable RFC gateway ACLs (gw/acl_mode=1) and SNC to reduce the RFC-kernel exposure. CCB Belgium issued a parallel public-sector "patch now" advisory (CCB, 2026-06-09).
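To make the XML Signature Wrapping class concrete, an added example that is not SAP's code and is not tied to the SAP_BASIS fix: a naive SAML consumer that trusts the first Assertion it finds, beside a consumer that binds identity extraction to the element the ds:Reference URI actually names. Only the Python standard library is used, the signature value is a placeholder, and no cryptographic verification happens here; the point is the structural binding that must accompany signature verification, not replace it. Two wrapped messages are constructed: an unsigned attacker assertion inserted as a sibling before the signed one, and the signed assertion moved inside the attacker's assertion.

```python
"""SAML XML Signature Wrapping: first-Assertion consumer vs. reference-bound consumer.

Added illustration with constructed messages. The ds:SignatureValue is a placeholder
and is never verified; a real consumer verifies it over exactly the bound element.
"""
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ASSERTION_TAG = f"{{{NS['saml']}}}Assertion"
REFERENCE_TAG = f"{{{NS['ds']}}}Reference"

# Constructed: the legitimately signed assertion for alice, enveloped signature, URI="#_a1".
SIGNED_ASSERTION = (
    '<saml:Assertion ID="_a1">'
    '<ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>'
    '<ds:SignatureValue>c2lnbmF0dXJlLWJ5dGVz</ds:SignatureValue></ds:Signature>'
    '<saml:Subject><saml:NameID>alice@example.ch</saml:NameID></saml:Subject>'
    '</saml:Assertion>'
)
EVIL_SUBJECT = '<saml:Subject><saml:NameID>admin@example.ch</saml:NameID></saml:Subject>'


def response(body: str) -> str:
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'xmlns:ds="{NS["ds"]}" ID="_r1">{body}</samlp:Response>')


ORIGINAL = response(SIGNED_ASSERTION)
# XSW variant 1: unsigned attacker assertion placed before the signed one (signature still valid).
XSW_SIBLING = response(f'<saml:Assertion ID="_a2">{EVIL_SUBJECT}</saml:Assertion>{SIGNED_ASSERTION}')
# XSW variant 2: the signed assertion is relocated inside the attacker's assertion.
XSW_NESTED = response(f'<saml:Assertion ID="_a2">{EVIL_SUBJECT}'
                      f'<saml:Advice>{SIGNED_ASSERTION}</saml:Advice></saml:Assertion>')


def name_id(assertion: ET.Element) -> str:
    return assertion.find("saml:Subject/saml:NameID", NS).text


def naive_subject(xml: str) -> str:
    """Vulnerable pattern: use the first Assertion in document order, whatever was signed."""
    root = ET.fromstring(xml)
    return name_id(root.find(".//saml:Assertion", NS))


def bound_subject(xml: str) -> str:
    """Hardened pattern: identity comes only from the element the single signed Reference
    names; that element must be unique, must be an Assertion, and must be a direct child
    of the Response (not tucked inside another element)."""
    root = ET.fromstring(xml)
    ref_ids = [r.get("URI")[1:] for r in root.iter(REFERENCE_TAG)
               if r.get("URI", "").startswith("#")]
    if len(ref_ids) != 1:
        raise ValueError("expected exactly one same-document signed reference")
    candidates = [e for e in root.iter() if e.get("ID") == ref_ids[0]]
    if len(candidates) != 1:
        raise ValueError("signed ID is missing or duplicated")
    signed = candidates[0]
    if signed.tag != ASSERTION_TAG or signed not in list(root):
        raise ValueError("signed element is not a top-level Assertion")
    # A real consumer verifies the signature over exactly `signed` at this point.
    return name_id(signed)


def evaluate(xml: str) -> Tuple[str, Optional[str]]:
    """(what the naive consumer would trust, what the bound consumer accepts or None if rejected)."""
    try:
        bound = bound_subject(xml)
    except ValueError:
        bound = None
    return naive_subject(xml), bound


if __name__ == "__main__":
    for label, doc in [("original", ORIGINAL), ("xsw-sibling", XSW_SIBLING), ("xsw-nested", XSW_NESTED)]:
        naive, bound = evaluate(doc)
        print(f"{label:12s} naive={naive:18s} bound={bound or 'rejected'}")
```

In the sibling variant the hardened consumer still yields alice, because the signed element is the one it reads; in the nested variant it rejects outright, because a signed assertion that is no longer a top-level child of the Response is exactly the shape a wrapping attack produces.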
CVE-2026-47895 — strongSwan: pre-auth double-free in libstrongswan identity cloning, unauthenticated RCE over EAP (patched 6.0.7)
The strongSwan project disclosed CVE-2026-47895 on 8 June (fixed in 6.0.7): a double-free in the clone() method of identification_t in libstrongswan, caused by checking encoded.len but not encoded.ptr (strongSwan, 2026-06-08). An identity with empty-but-non-NULL binary encoding (e.g. chunk_from_hex() on empty input) makes the original and clone point to the same heap allocation; on glibc — which always returns a unique non-NULL pointer for zero-length malloc() — the double-free fires reliably. The exploitable path is the EAP-Identity exchange: the server clones and stores the supplied identity, and when authentication fails the IKE SA teardown triggers the free, making this reachable pre-authentication against any strongSwan IKEv2 server with EAP enabled (EAP-Identity, EAP-TTLS sub-identity, XAuth xauth-eap). All versions since 4.3.3 are affected; BSI published WID-SEC-2026-1832 (BSI CERT-Bund, 2026-06-09). strongSwan is the canonical Linux IPsec/IKEv2 stack (ETH Zurich lineage) across CH/EU VPN infrastructure. No public PoC or ITW exploitation reported; upgrade to 6.0.7, or temporarily require certificate-only auth.
CVE-2026-44963 — Veeam Backup & Replication: authenticated domain-user deserialization RCE on the backup server (CVSS 9.4)
Veeam patched CVE-2026-44963 (CVSS v4 9.4, CWE-502) on 9 June: any authenticated domain user — no elevated Veeam privilege required — can execute code on the Backup Server when it is domain-joined; workgroup servers are unaffected (Veeam, 2026-06-09). It affects all v12 builds up to 12.3.2.4465 (fixed in 12.3.2.4854); v13.x is not affected. Reported by watchTowr's Sina Kheirkhah (The Hacker News, 2026-06-09). No ITW exploitation is confirmed, but backup infrastructure is a perennial pre-encryption ransomware target (Akira, Black Basta, LockBit have historically gone after Veeam first), so treat as urgent (T1210, T1486). Upgrade to 12.3.2.4854; where patching is blocked, Veeam's hardening guidance includes removing the backup server from the domain.
CVE-2026-11645 — Google Chrome V8 out-of-bounds read/write exploited in the wild, added to CISA KEV
Google patched CVE-2026-11645 (CVSS 8.8), an out-of-bounds read and write in the V8 engine, in Chrome 149.0.7827.103; a crafted HTML page achieves code execution inside the renderer sandbox (Chrome, 2026-06-08). The bug was exploited in the wild before patching and CISA added it to the KEV catalog on 9 June; per the Chrome advisory it affects Chromium-based browsers including Edge and Opera (Chrome, 2026-06-08). The KEV listing is the operational signal here — confirmed active exploitation of a one-click browser bug (T1189, T1203). Update Chrome/Edge/Opera to 149.0.7827.103+ across the estate.
CVE-2026-7473 — Arista EOS tunnel-decapsulation logic flaw bypasses segmentation, added to CISA KEV
Arista EOS contains an incomplete-comparison flaw (CWE-1023) in its tunnel-decapsulation logic: where a VXLAN, decap-group or GRE decapsulation config is present, the switch decapsulates and forwards tunneled packets whose destination IP matches the configured decap IP even from unexpected sources, letting an attacker inject traffic into a VXLAN fabric and bypass network segmentation; CISA added CVE-2026-7473 to its KEV catalog on 9 June (Arista, 2026-06-09). Relevant to datacenter-fabric operators in CH/EU finance and government. Apply Arista SA-0137 and add decap source-IP validation/access-lists on VTEP interfaces (T1599.001).
CVE-2026-47344 et al. — TYPO3 core June release: 13 CVEs across every supported branch (10.4 ELTS → 14.3 LTS)
TYPO3 published 13 advisories on 8 June (TYPO3-CORE-SA-2026-006 onward) covering XSS bypassing the HTML Sanitizer, authenticated RCE, privilege escalation, open redirect and other security-restriction bypasses, fixed in 10.4.57/11.5.51/12.4.46 ELTS, 13.4.31 LTS and 14.3.3 LTS (TYPO3, 2026-06-08). BSI CERT-Bund catalogued the batch as WID-SEC-2026-1835 (HIGH) (BSI CERT-Bund, 2026-06-09). TYPO3 is the dominant CMS for German-speaking public-sector web estates (federal ministries, cantonal/municipal portals, universities across DACH), and the version span means essentially every production install carries at least one of these CVEs. No active exploitation reported; the higher-impact vectors require authentication. ELTS-branch operators need a subscription for fixes — those without one should accelerate migration to 13.4 LTS / 14.3 LTS.
CVE Summary Table
| CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source |
|---|---|---|---|---|---|---|---|
| CVE-2026-10520 | Ivanti Sentry (MICS API) | 10.0 | n/a | No | No (public PoC) | R10.5.2/R10.6.2/R10.7.1 | watchTowr |
| CVE-2026-47291 | Windows HTTP.sys (IIS/WinRM) | 9.8 | n/a | No | No ("More Likely") | June 2026 Patch Tuesday | MSRC |
| CVE-2026-44815 | Windows DHCP Client | 9.8 | n/a | No | No | June 2026 Patch Tuesday | Tenable |
| CVE-2026-44748 | SAP NetWeaver AS ABAP (SAML) | 9.9 | n/a | No | No | SAP June Patch Day | Onapsis |
| CVE-2026-27671 | SAP NetWeaver/ABAP (RFC kernel) | 9.8 | n/a | No | No | SAP Note 3717897 | Onapsis |
| CVE-2026-47895 | strongSwan libstrongswan | n/a | n/a | No | No | strongSwan 6.0.7 | strongSwan |
| CVE-2026-44963 | Veeam Backup & Replication 12.x | 9.4 | n/a | No | No | 12.3.2.4854 | Veeam |
| CVE-2026-11645 | Chrome / Chromium V8 | 8.8 | n/a | Yes | Yes | Chrome 149.0.7827.103 | Chrome |
| CVE-2026-7473 | Arista EOS (VXLAN/GRE decap) | n/a | n/a | Yes | Yes | Per Arista SA-0137 | Arista |
| CVE-2026-47344 | TYPO3 Core (SA-2026-006) | n/a | n/a | No | No | 13.4.31 / 14.3.3 | TYPO3 |
3. Research & Investigative Reporting
Year-old WinRAR flaw (CVE-2025-8088) still fuels Ukraine intrusions — GIFTEDCROOK via UAC-0226 and an Earth Dahu chain
Trend Micro documents two Russia-aligned campaigns still exploiting CVE-2025-8088 — a path traversal via NTFS Alternate Data Streams in WinRAR patched in July 2025 — nearly a year after the fix (Trend Micro, 2026-06-08). SHADOW-EARTH-066 (UAC-0226) delivers GIFTEDCROOK via crafted RAR archives with decoy PDFs and hidden ADS payloads that extract to the Startup folder and run in-memory PowerShell DLL loaders to steal passwords, cookies and documents from Chrome, Edge, Opera and Firefox; a separate Earth Dahu chain uses an HTA-to-VBScript dropper (The Hacker News, 2026-06-09). Both actors moved C2 off Telegram to dedicated servers after Russia's February 2026 Telegram block. The defender lesson is the persistence of an exploited entry point in unmanaged software: hunt wscript.exe/mshta.exe spawned from archive-extraction events, Startup-folder writes (Sysmon EID 11), and PowerShell script-block logging (EID 4104) for in-memory reflection. CVE-2025-8088 affects any unpatched WinRAR globally; ensure deployed versions are current (T1059.005, T1547.001, T1555.003).
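The two Sysmon hunts this brief describes, the LinkedIn-to-GitHub chain in § 1 (git clone followed by script execution from the cloned path) and the WinRAR chain above (script host spawned by an archive tool, Startup-folder write), share the same event plumbing, so one added example covers both. This is illustrative code, not Trend Micro's or NCSC-CH's detection content; the events are constructed JSON in the Sysmon EID 1 / EID 11 field layout, and the ten-minute clone-to-execute window, the interpreter and archiver lists, and the git flag table are assumptions to tune locally.

```python
"""Sysmon process/file correlation for the clone-then-execute and archive-to-script-host chains.

Added illustration over constructed events. Thresholds and process lists are assumptions.
"""
import json
import ntpath
from datetime import datetime, timedelta

SCRIPT_HOSTS = {"python.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "node.exe"}
ARCHIVE_TOOLS = {"winrar.exe", "unrar.exe", "7zfm.exe", "7z.exe"}
STARTUP_MARKER = "\\start menu\\programs\\startup\\"        # compared lowercase
CLONE_WINDOW = timedelta(minutes=10)                           # assumed hunt window
VALUE_FLAGS = {"--depth", "-b", "--branch", "-o", "--origin", "--reference", "-c", "--config"}


def base(path: str) -> str:
    return ntpath.basename(path).lower()


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")         # Sysmon UtcTime layout


def clone_target(cmd: str, cwd: str):
    """Directory a 'git clone' command line will create (lowercased), or None if not a clone."""
    args = cmd.split()
    if "clone" not in args:
        return None
    positional, skip = [], False
    for tok in args[args.index("clone") + 1:]:
        if skip:
            skip = False
        elif tok in VALUE_FLAGS:
            skip = True                                          # flag that consumes the next token
        elif not tok.startswith("-"):
            positional.append(tok)
    if not positional:
        return None
    url = positional[0]
    dest = positional[1] if len(positional) > 1 else url.rstrip("/").rsplit("/", 1)[-1]
    if dest.lower().endswith(".git"):
        dest = dest[:-4]
    return ntpath.normpath(ntpath.join(cwd, dest)).lower()


def detect(events):
    """Return (rule, key) findings over Sysmon EID 1 / EID 11 events, processed in time order."""
    findings, clones = [], []
    for ev in sorted(events, key=lambda e: parse_time(e["UtcTime"])):
        t = parse_time(ev["UtcTime"])
        if ev["EventID"] == 1:
            image, parent = base(ev["Image"]), base(ev.get("ParentImage", ""))
            cmd, cwd = ev.get("CommandLine", ""), ev.get("CurrentDirectory", "")
            if image == "git.exe":
                target = clone_target(cmd, cwd)
                if target:
                    clones.append((t, target))                   # remember where the clone landed
            elif image in SCRIPT_HOSTS:
                if parent in ARCHIVE_TOOLS:
                    findings.append(("script-host-from-archive-tool", ev["ProcessId"]))
                haystack = f"{cmd} {cwd}".lower()
                if any(timedelta(0) <= t - ct <= CLONE_WINDOW and path in haystack for ct, path in clones):
                    findings.append(("clone-then-execute", ev["ProcessId"]))
        elif ev["EventID"] == 11 and STARTUP_MARKER in ev["TargetFilename"].lower():
            findings.append(("startup-folder-write", base(ev["Image"])))
    return findings


# Constructed events (not real telemetry); JSON escapes keep the Windows paths readable.
SAMPLE_EVENTS = json.loads(r'''[
 {"EventID": 1, "UtcTime": "2026-06-09 09:00:00.000", "ProcessId": 4100,
  "Image": "C:\\Program Files\\Git\\cmd\\git.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
  "CommandLine": "\"C:\\Program Files\\Git\\cmd\\git.exe\" clone https://github.com/example-recruiter/tech-assessment.git",
  "CurrentDirectory": "C:\\Users\\jdoe\\Downloads"},
 {"EventID": 1, "UtcTime": "2026-06-09 09:03:12.000", "ProcessId": 4188,
  "Image": "C:\\Python312\\python.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
  "CommandLine": "python.exe setup_env.py", "CurrentDirectory": "C:\\Users\\jdoe\\Downloads\\tech-assessment"},
 {"EventID": 1, "UtcTime": "2026-06-09 10:15:00.000", "ProcessId": 5200,
  "Image": "C:\\Windows\\System32\\wscript.exe", "ParentImage": "C:\\Program Files\\WinRAR\\WinRAR.exe",
  "CommandLine": "wscript.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\Rar$DIa1\\invoice.vbs",
  "CurrentDirectory": "C:\\Users\\jdoe\\Downloads"},
 {"EventID": 11, "UtcTime": "2026-06-09 10:14:58.000", "ProcessId": 5100,
  "Image": "C:\\Program Files\\WinRAR\\WinRAR.exe",
  "TargetFilename": "C:\\Users\\jdoe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk"},
 {"EventID": 1, "UtcTime": "2026-06-09 11:30:00.000", "ProcessId": 6000,
  "Image": "C:\\Python312\\python.exe", "ParentImage": "C:\\Windows\\explorer.exe",
  "CommandLine": "python.exe C:\\Users\\jdoe\\projects\\notebook.py", "CurrentDirectory": "C:\\Users\\jdoe\\projects"}
]''')

if __name__ == "__main__":
    for rule, key in detect(SAMPLE_EVENTS):
        print(f"{rule:32s} {key}")
```

The last event (python.exe launched from an unrelated project hours later) is there to show the clone rule is keyed on the cloned path and the time window, not on "python after git" alone.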
Changes since first coverage (3 prior appearances)
- 2026-06-08 (2026-W23)
- 2026-06-03
- 2026-06-02
Unit 42 catalogues cloud-logging defense-evasion across AWS CloudTrail and Google Cloud Logging — with concrete detection mappings [SINGLE-SOURCE]
Unit 42 enumerates seven cloud-logging attack categories — five evasion, two visibility (Unit 42, 2026-06-09). Evasion techniques: stopping CloudTrail trails (StopLogging), deleting S3/GCS log destinations, removing GCP log-routing sinks, impairing customer-managed encryption keys (CMEK) so logs become unreadable, and log poisoning to mask activity with benign-looking entries; visibility techniques redirect logs to attacker accounts via cross-account delivery for long-term reconnaissance of defender detections (T1562.008, T1070, T1530). Hardening: S3 Object Lock / GCS locked-bucket immutable retention; IAM restrictions on cloudtrail:StopLogging, cloudtrail:DeleteTrail, logging.sinks.delete; alert on cloudtrail:UpdateTrail modifying KMS-key associations and on KMS key-policy changes affecting CloudTrail encryption. Log-integrity monitoring is a NIS2 incident-detection expectation, making this directly relevant to EU cloud-resident public-sector and financial workloads. [SINGLE-SOURCE] (Unit 42 primary research).
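The alerting side of the hardening list above, as an added example that is Unit 42's taxonomy rendered as detection logic, not Unit 42's own code: it normalises constructed CloudTrail records and Google Cloud audit-log entries and flags trail stops and deletions, KMS-key and destination changes on the trail, destructive or policy changes on the log bucket, impairment of the log CMK, and sink deletion or modification on the GCP side. The bucket name, key ARN, account ID and principals are constructed; the event names and request-parameter keys are the real CloudTrail and Cloud Logging ones.

```python
"""Detect cloud-logging tamper and redirection in CloudTrail and Google Cloud audit logs.

Added illustration over constructed events. LOG_BUCKETS and LOG_KMS_KEYS are assumed
inventory values; event names and parameter keys follow the real services.
"""
import json

LOG_BUCKETS = {"org-cloudtrail-logs"}                       # assumed trail destination
LOG_KMS_KEYS = {"arn:aws:kms:eu-central-1:123456789012:key/0b1c2d3e-0000-4000-8000-000000000001"}

AWS_TRAIL = {"StopLogging": "trail-stopped", "DeleteTrail": "trail-deleted",
             "PutEventSelectors": "trail-selectors-changed"}
AWS_BUCKET = {"DeleteBucket": "log-bucket-deleted", "PutBucketPolicy": "log-bucket-policy-changed",
              "PutBucketLifecycleConfiguration": "log-bucket-retention-changed"}
AWS_KEY = {"ScheduleKeyDeletion": "log-key-deletion-scheduled", "DisableKey": "log-key-disabled",
           "PutKeyPolicy": "log-key-policy-changed"}
GCP_SINK = {"google.logging.v2.ConfigServiceV2.DeleteSink": "gcp-sink-deleted",
            "google.logging.v2.ConfigServiceV2.UpdateSink": "gcp-sink-changed"}


def classify_aws(ev):
    """(label, actor, target) for a tampering CloudTrail record, else None."""
    name, src = ev.get("eventName"), ev.get("eventSource")
    params = ev.get("requestParameters") or {}
    actor = ev.get("userIdentity", {}).get("arn", "unknown")
    if src == "cloudtrail.amazonaws.com":
        if name in AWS_TRAIL:
            return AWS_TRAIL[name], actor, params.get("name")
        if name == "UpdateTrail" and "kmsKeyId" in params:
            # CMK removed (empty) or swapped: logs become unreadable or readable to the attacker.
            return "trail-kms-key-changed", actor, params.get("name")
        if name == "UpdateTrail" and params.get("s3BucketName") not in (None, *LOG_BUCKETS):
            # Delivery redirected to a bucket outside the inventory (cross-account exfil of logs).
            return "trail-destination-redirected", actor, params["s3BucketName"]
    elif src == "s3.amazonaws.com" and name in AWS_BUCKET and params.get("bucketName") in LOG_BUCKETS:
        return AWS_BUCKET[name], actor, params["bucketName"]
    elif src == "kms.amazonaws.com" and name in AWS_KEY and params.get("keyId") in LOG_KMS_KEYS:
        return AWS_KEY[name], actor, params["keyId"]
    return None


def classify_gcp(ev):
    """(label, actor, target) for a sink change in a Cloud Audit Log entry, else None."""
    payload = ev.get("protoPayload", {})
    method = payload.get("methodName")
    if method in GCP_SINK:
        actor = payload.get("authenticationInfo", {}).get("principalEmail", "unknown")
        return GCP_SINK[method], actor, payload.get("resourceName")
    return None


def scan(events):
    findings = []
    for ev in events:
        hit = classify_aws(ev) if "eventSource" in ev else classify_gcp(ev)
        if hit:
            findings.append(hit)
    return findings


# Constructed sample: six tampering actions interleaved with two benign read-only calls.
SAMPLE_EVENTS = json.loads(r'''[
 {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"}, "requestParameters": {"name": "org-trail"}},
 {"eventSource": "cloudtrail.amazonaws.com", "eventName": "UpdateTrail",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"},
  "requestParameters": {"name": "org-trail", "kmsKeyId": ""}},
 {"eventSource": "cloudtrail.amazonaws.com", "eventName": "UpdateTrail",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"},
  "requestParameters": {"name": "org-trail", "s3BucketName": "attacker-logs-999"}},
 {"eventSource": "cloudtrail.amazonaws.com", "eventName": "DescribeTrails",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:role/SecurityAudit"}, "requestParameters": null},
 {"eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"},
  "requestParameters": {"bucketName": "org-cloudtrail-logs"}},
 {"eventSource": "kms.amazonaws.com", "eventName": "ScheduleKeyDeletion",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"},
  "requestParameters": {"keyId": "arn:aws:kms:eu-central-1:123456789012:key/0b1c2d3e-0000-4000-8000-000000000001",
                        "pendingWindowInDays": 7}},
 {"protoPayload": {"methodName": "google.logging.v2.ConfigServiceV2.DeleteSink",
  "authenticationInfo": {"principalEmail": "contractor@example.ch"},
  "resourceName": "projects/example-prod/sinks/org-siem-export"}},
 {"protoPayload": {"methodName": "google.logging.v2.ConfigServiceV2.ListSinks",
  "authenticationInfo": {"principalEmail": "auditor@example.ch"}, "resourceName": "projects/example-prod"}}
]''')

if __name__ == "__main__":
    for label, actor, target in scan(SAMPLE_EVENTS):
        print(f"{label:30s} {actor:48s} {target}")
```

The bucket and KMS rules are inventory-driven on purpose: without LOG_BUCKETS and LOG_KMS_KEYS the S3 and KMS event names are far too common to alert on, so keeping that inventory current is part of the detection.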
Red Canary: Microsoft Entra Agent ID abuse — OBO OAuth flow turns a compromised AI agent into a delegated phishing sender [SINGLE-SOURCE]
Red Canary's latest Entra ID AI-agent analysis examines the On-Behalf-Of (OBO) OAuth flow exploited through assistive agents (Red Canary, 2026-06-08). An agent blueprint configured with access_agent scope and broad Graph permissions (Mail.Send, Mail.ReadWrite, Group.Read.All) can send phishing email via the Graph sendMail endpoint with full delegated authority, appearing to originate from the impersonated user; standard sign-in and Exchange audit logs show the agent acting for the user, not an attacker (T1199, T1078.004). Detection requires correlating three sources — MicrosoftGraphActivityLogs (Agent.agentType == agenticAppInstance AND Agent.agentSubjectType == notAgentic), AADNonInteractiveUserSignInLogs, and Exchange Purview audit logs — joined on ClientRequestId. Defenders should audit Entra agent-blueprint permission grants for dangerous scope combinations and apply least privilege. As Microsoft 365 Copilot/agent features roll into CH/EU public-sector tenants, this becomes a near-term identity-monitoring gap. [SINGLE-SOURCE] (Red Canary primary research).
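The three-source correlation Red Canary describes, as an added example that is not Red Canary's query: the join on ClientRequestId is done in Python over constructed rows rather than in KQL, and it also scores the delegated scopes the agent was granted against the dangerous combinations named above. The column names are simplified versions of the three sources (MicrosoftGraphActivityLogs, AADNonInteractiveUserSignInLogs, Exchange audit) and are assumptions, not the exact schemas; whether every source carries ClientRequestId is taken from the text, not verified here.

```python
"""Correlate agent on-behalf-of sendMail calls across Graph activity, sign-in and Exchange audit rows.

Added illustration over constructed rows. Column names are assumed simplifications of the
three log sources; INTERNAL_DOMAIN and the risky-scope combinations are assumptions.
"""
from typing import Dict, List

INTERNAL_DOMAIN = "example.ch"
RISKY_COMBOS = [{"Mail.Send", "Mail.ReadWrite"}, {"Mail.Send", "Group.Read.All"}]

# Constructed rows. c-1 is an agent instance sending mail as alice; c-2 is the same agent
# reading mail (no send); c-3 is an ordinary Outlook send by bob with no agent involved.
GRAPH_ACTIVITY = [
    {"ClientRequestId": "c-1", "RequestUri": "https://graph.microsoft.com/v1.0/me/sendMail", "RequestMethod": "POST",
     "AgentType": "agenticAppInstance", "AgentSubjectType": "notAgentic", "UserId": "u-alice", "AppId": "app-agent"},
    {"ClientRequestId": "c-2", "RequestUri": "https://graph.microsoft.com/v1.0/me/messages", "RequestMethod": "GET",
     "AgentType": "agenticAppInstance", "AgentSubjectType": "notAgentic", "UserId": "u-alice", "AppId": "app-agent"},
    {"ClientRequestId": "c-3", "RequestUri": "https://graph.microsoft.com/v1.0/me/sendMail", "RequestMethod": "POST",
     "AgentType": "", "AgentSubjectType": "", "UserId": "u-bob", "AppId": "app-outlook"},
]
SIGNINS = [
    {"ClientRequestId": "c-1", "UserPrincipalName": "alice@example.ch", "AppId": "app-agent",
     "Scopes": "Mail.Send Mail.ReadWrite Group.Read.All"},
    {"ClientRequestId": "c-3", "UserPrincipalName": "bob@example.ch", "AppId": "app-outlook", "Scopes": "Mail.Send"},
]
EXCHANGE_AUDIT = [
    {"ClientRequestId": "c-1", "Operation": "Send", "UserId": "alice@example.ch",
     "Subject": "Urgent: updated bank details", "Recipients": ["vendor@ext.example.net", "cfo@example.ch"]},
    {"ClientRequestId": "c-3", "Operation": "Send", "UserId": "bob@example.ch",
     "Subject": "lunch?", "Recipients": ["carol@example.ch"]},
]


def is_agent_obo(row: Dict) -> bool:
    """An agent instance acting for a non-agent (human) subject: the OBO shape from the text."""
    return row.get("AgentType") == "agenticAppInstance" and row.get("AgentSubjectType") == "notAgentic"


def risky_scopes(scopes: str) -> List[List[str]]:
    """Which dangerous combinations are fully contained in the granted scope string."""
    granted = set(scopes.split())
    return [sorted(combo) for combo in RISKY_COMBOS if combo <= granted]


def correlate(graph_rows, signin_rows, audit_rows) -> List[Dict]:
    signins = {r["ClientRequestId"]: r for r in signin_rows}
    audits = {r["ClientRequestId"]: r for r in audit_rows}
    hits = []
    for g in graph_rows:
        if not (is_agent_obo(g) and g["RequestMethod"] == "POST" and g["RequestUri"].endswith("/sendMail")):
            continue
        crid = g["ClientRequestId"]
        s, a = signins.get(crid), audits.get(crid)
        recipients = a["Recipients"] if a else []
        hits.append({
            "ClientRequestId": crid,
            "AgentAppId": g["AppId"],
            "OnBehalfOf": s["UserPrincipalName"] if s else None,
            "RiskyScopes": risky_scopes(s["Scopes"]) if s else [],
            "Subject": a["Subject"] if a else None,
            "ExternalRecipients": [r for r in recipients if not r.lower().endswith("@" + INTERNAL_DOMAIN)],
        })
    return hits


if __name__ == "__main__":
    for hit in correlate(GRAPH_ACTIVITY, SIGNINS, EXCHANGE_AUDIT):
        print(hit)
```

Only c-1 survives: the same agent reading mail (c-2) is normal agent behaviour, and bob's Outlook send (c-3) has no agent identity on the Graph row. The external recipient plus the Mail.Send/Mail.ReadWrite grant is what turns the hit from "agent sent mail" into "agent can both send and quietly clean up the sent item".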
Check Point: a TDS-gated ecosystem impersonates security tools (Ghidra, dnSpy, ILSpy) to deliver SessionGate, RemusStealer and a clipboard hijacker [SINGLE-SOURCE]
Check Point Research details a malware-distribution operation that impersonates open-source reversing tools using CloudFront-hosted JavaScript to hijack download clicks and route victims through a Traffic Distribution System enforcing geo/device/VPN/frequency filtering before delivering one of three payloads (Check Point Research, 2026-06-03). The payloads are SessionGate (a per-session multi-stage loader with AES-encrypted modules), RemusStealer (targeting 20+ browsers, 220+ wallet extensions, 77 password-manager extensions and 18 2FA tools), and AnimateClipper (a clipboard hijacker with on-chain C2). The targeting is notable for this audience: it goes after security researchers and developers searching for trusted tools, bypassing standard phishing-awareness training (T1566, T1204, T1555, T1111). Hunt for ghidra/dnspy/ilspy download-then-execute chains under browser child processes and clipboard-API access from unexpected processes. [SINGLE-SOURCE] (Check Point primary research).
4. Updates to Prior Coverage
UPDATE: PAN-OS GlobalProtect auth-bypass (CVE-2026-0257) — Unit 42 confirms attackers established working gateway sessions
UPDATE (originally covered 2026-05-30): Unit 42's 9 June update on CVE-2026-0257 confirms that a limited number of probed PAN-OS GlobalProtect devices had attacker-established, gateway-connected VPN sessions, moving this from "exploit attempts observed" to confirmed successful exploitation (Unit 42, 2026-06-09). The bug (CWE-565, reliance on a cookie without integrity checking) lets an attacker extract the encryption certificate's public key from the TLS handshake and forge authentication-override cookies when that certificate is shared with another function; Rapid7 dates successful exploitation to 17 May from low-cost hosting IPs (Rapid7, 2026-05-29).
Affected: PAN-OS 10.2/11.1/11.2/12.1 and Prisma Access where authentication override is enabled with a shared certificate; patched in 12.1.7+, 11.2.12+, 11.1.15+, 10.2.18-h6+ and corresponding Prisma builds (Palo Alto Networks, 2026-06-03). Patch, then force one re-authentication so override cookies regenerate; as a workaround disable authentication override or assign it a dedicated certificate. Hunt GlobalProtect gateway logs for `auth-method=cookie` from unexpected source IPs.
Changes since first coverage (1 prior appearance)
- 2026-05-30: Active ITW exploitation, CISA KEV 2026-05-29; deep dive coverage
UPDATE: Shai-Hulud/Miasma supply-chain worm jumps to PyPI as "Hades" — 37 malicious wheels across 19 packages
UPDATE (originally covered 2026-06-06): The Miasma/Mini-Shai-Hulud supply-chain lineage previously tracked across npm and GitHub has opened a PyPI front dubbed "Hades": Socket and others identified 37 malicious wheel artifacts across 19 packages abusing Python's `.pth` site-module startup mechanism to auto-execute on interpreter start without an import (The Hacker News, 2026-06-09). The payload downloads the Bun runtime from GitHub and runs triple-encrypted JavaScript that sweeps GitHub/CI tokens, npm/PyPI/cloud (AWS/GCP/Azure) keys, Kubernetes and Vault configs, SSH keys and AI-tool configs, and plants backdoor config in AI coding-assistant workspaces so future agent sessions execute attacker instructions (Socket, 2026-06-07). Affected packages spanned developer tooling and a bioinformatics cluster (relevant to university/research compute), all since removed. Hunt for `*-setup.pth` creation under `site-packages`, Bun binary downloads from `github.com/oven-sh/bun`, and the `$TMPDIR/.bun_ran` sentinel via Sysmon EID 1 with parent `python`/`pip` (T1547.013, T1059.007, T1555). Pin dependencies and install with `--ignore-scripts`; audit recently-installed PyPI packages on research endpoints.
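The audit of already-installed packages, as an added example that is not Socket's tooling and not the Hades payload: it scans a site-packages directory for `.pth` files and reports every line the interpreter would execute. The mechanism is the documented one (site.py executes any `.pth` line that begins with `import `), so the scanner separates "executes code", which legitimate editable installs also do, from "executes code that decodes, spawns or fetches something", and additionally marks the `*-setup.pth` filename shape mentioned above. The fixture directory and its three files are constructed; the keyword list is an assumption to extend.

```python
"""Find executable .pth lines in a site-packages directory and triage them.

Added illustration with a constructed fixture. site.py executes .pth lines that start
with 'import ' (or 'import<tab>'); everything else in a .pth file is a path entry.
The fixture's 'malicious' line is only read by the scanner, never executed.
"""
import re
import tempfile
from pathlib import Path
from typing import List, Tuple

# Tokens with no business in an editable-install hook (assumed list, extend locally).
SUSPICIOUS = re.compile(r"\b(exec|eval|compile|base64|zlib|subprocess|urllib|requests|socket|bun)\b", re.I)


def scan_pth(site_packages: Path) -> List[Tuple[str, int, str, str]]:
    """Return (file, line_no, line, reason) for every .pth line the interpreter would execute."""
    findings = []
    for pth in sorted(site_packages.glob("*.pth")):
        text = pth.read_text(encoding="utf-8", errors="replace")
        for no, line in enumerate(text.splitlines(), 1):
            if not (line.startswith("import ") or line.startswith("import\t")):
                continue                                    # path entry or comment, not executed
            reason = "executes-suspicious-code" if SUSPICIOUS.search(line) else "executes-code"
            if pth.name.endswith("-setup.pth"):
                reason += "+setup-pth-name"                 # filename shape called out in the text
            findings.append((pth.name, no, line.strip(), reason))
    return findings


def build_sample_site_packages() -> Path:
    """Constructed fixture: a plain path .pth, a setuptools-style editable hook, and a hostile one."""
    d = Path(tempfile.mkdtemp(prefix="site-packages-"))
    (d / "easy-install.pth").write_text("./some_package-1.0-py3.12.egg\n")
    (d / "__editable___mytool_finder.pth").write_text(
        "import __editable___mytool_finder; __editable___mytool_finder.install()\n")
    (d / "pkgutil-setup.pth").write_text(
        "import os, base64, subprocess; exec(base64.b64decode('cHJpbnQoJ2hpJyk='))  # constructed, never run\n")
    return d


if __name__ == "__main__":
    fixture = build_sample_site_packages()
    for name, no, line, reason in scan_pth(fixture):
        print(f"{reason:40s} {name}:{no}  {line[:70]}")
```

Run it against a real `site-packages` by passing that path to `scan_pth`; the editable-install hook appearing as plain "executes-code" is expected and is the reason the triage tag, not the mere presence of an import line, should drive the alert.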
UPDATE: EU Cyber Resilience Act reaches its first hard deadline — notifying-authority designation due 11 June
UPDATE (originally covered 2026-W23 weekly): 11 June 2026 is the CRA's first mandatory operational milestone: under Chapter IV, member states must have designated the national authority responsible for notifying conformity-assessment bodies (CABs) for higher-risk product classes (European Commission, 2026-06-10). This is the upstream gate for the September 2026 incident-reporting obligations (Article 14) and full CRA applicability in December 2027; manufacturers of Class II/III products can now begin engaging notified CABs.
No Commission communiqué naming specific member-state designations had been published as of this brief — the confirmed fact is the regulatory deadline itself. Public-sector procurement of connected devices is directly downstream of this milestone. [SINGLE-SOURCE]
5. Deep Dive — Dragos Q1 2026 Industrial Ransomware Analysis: 1,020 industrial incidents, The Gentleman's 4× surge against Romanian energy, and the IT-adjacent intrusion pattern
Dragos' quarterly industrial-ransomware report (published 3 June) is the single periodic landscape report treated in this brief; the focus below is only on what changes a Swiss/EU public-sector and critical-infrastructure SOC's posture, not the full survey (Dragos, 2026-06-03). This treatment is logged once under the annual/periodic-report rule and will not be re-summarised; specific findings may be cited as context in later briefs.
The shape of the quarter. Dragos recorded 1,020 ransomware incidents against industrial organisations in Q1 2026, with manufacturing accounting for 62% of victims and Europe representing roughly a quarter of all incidents (Dragos, 2026-06-03). The defining operational characteristic — and the most important point for defenders — is that the overwhelming majority of these incidents struck enterprise IT systems adjacent to OT rather than ICS-specific malware touching SCADA/PLC logic; OT processes generally remained technically intact even where operational disruption occurred. The practical implication is that the OT ransomware threat for European operators is, in the near term, an IT-segmentation and identity problem at the IT/OT boundary, not a protocol-level ICS-exploitation problem.
Initial-access and post-compromise tradecraft. The dominant access vectors Dragos attributes are exploitation of internet-facing services, credentials harvested by infostealers, and abuse of VPN infrastructure — the same access classes this brief covers daily (edge-appliance RCE, infostealer credential theft, VPN auth bypass). Post-compromise, operators leaned on legitimate remote-management tooling — AnyDesk, SimpleHelp, Atera, N-able, ConnectWise ScreenConnect — for persistence and lateral movement, which is the detection-engineering takeaway: RMM-tool execution is the high-yield hunt surface (T1133 External Remote Services, T1078 Valid Accounts, T1219 Remote Access Software, T1486 Data Encrypted for Impact). Notably, ICS engineering firms (≈90 incidents) and equipment manufacturers (≈49) were disproportionately hit — these are supply-chain stepping-stones into operator networks, so European operators should treat their ICS integrators and engineering-services vendors as part of their own attack surface.
The European energy signal. The quarter's sharpest regional finding is the surge of "The Gentleman" RaaS, which more than quadrupled from Q4 2025 to 83 incidents and explicitly targeted Romanian energy and water infrastructure: coal producer Complexul Energetic Oltenia (December 2025), national water authority Apele Române (≈1,000 systems), and — alongside Qilin — oil-pipeline operator Conpet (February 2026) (Dragos, 2026-06-03). Qilin (198 incidents) led overall, followed by Akira (100), The Gentleman (83), LockBit 5.0 (71) and Play (53). Dragos also flags the Iranian-linked Pay2Key RaaS intensifying since the July 2025 Israel-Iran conflict resumption — a geopolitical-nexus actor worth tracking for European critical-infrastructure operators given spillover targeting patterns.
Defender actions this report supports. Treat the IT/OT boundary as the primary ransomware containment line: enforce strict segmentation and unidirectional/jump-host access between enterprise IT and OT, deny RMM tooling on OT-adjacent hosts by default and alert on any execution, and prioritise the same internet-facing-service and VPN patching this brief tracks for OT-adjacent enterprise estates. For operators dependent on ICS engineering/integration vendors, extend monitoring and access controls to those vendors' remote-access paths. [SINGLE-SOURCE] — Dragos is a HIGH-reliability OT/ICS specialist; specific victim attributions trace to Dragos' own reporting.
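The RMM hunt the two paragraphs above call for, written out as a small triage routine. This is an added example, not code from Dragos or from this brief: the events are constructed Sysmon-Event-ID-1-style records (Computer, User, Image, OriginalFileName), the host-to-zone inventory and the "one sanctioned product on IT, none on OT-adjacent" policy are hypothetical inputs, and the product name fragments are indicative and need tuning per estate. It goes slightly beyond the text in two ways a practitioner would want: a host missing from the zone inventory fails closed (treated as OT-adjacent), and a renamed RMM binary is still attributed to its product via the PE OriginalFileName.

```python
"""
RMM-execution triage over process-creation events.

Added example; not code from Dragos or the brief. The event schema is a
constructed, Sysmon-Event-ID-1-like record; HOST_ZONE and APPROVED_BY_ZONE
are hypothetical policy inputs; RMM_TOKENS are indicative name fragments.
"""
import json
import re
from dataclasses import dataclass
from typing import List, Optional

# Name fragments for the RMM products the report names. Matched against the
# lower-cased image path plus the PE OriginalFileName, so a renamed binary is
# still attributed to its product. Assumption: tune/extend per estate.
RMM_TOKENS = {
    "AnyDesk":       ("anydesk",),
    "SimpleHelp":    ("simplehelp", "jwrapper-remote access"),
    "Atera":         ("ateraagent", "atera networks"),
    "N-able":        ("n-able", "basupsrvc", "ncentral"),
    "ScreenConnect": ("screenconnect", "connectwise"),
}

# Hypothetical zone inventory. Anything that can reach OT (engineering
# workstations, historians, jump hosts) is "ot-adjacent".
HOST_ZONE = {
    "ENG-WS-07": "ot-adjacent",
    "HIST-01": "ot-adjacent",
    "JUMP-OT-1": "ot-adjacent",
    "FIN-PC-22": "it",
}

# Hypothetical policy: one sanctioned product on IT hosts, none at all on
# OT-adjacent hosts (deny by default, as the brief recommends).
APPROVED_BY_ZONE = {"it": {"ScreenConnect"}, "ot-adjacent": set()}


@dataclass
class Alert:
    host: str
    user: str
    product: str
    severity: str
    reason: str
    technique: str = "T1219"


def identify_rmm(image: str, original_filename: str = "") -> Optional[str]:
    """Return the RMM product an executable belongs to, or None."""
    haystack = f"{image} {original_filename}".lower()
    for product, tokens in RMM_TOKENS.items():
        if any(token in haystack for token in tokens):
            return product
    return None


def evaluate(event: dict) -> Optional[Alert]:
    """Apply the zone policy to one process-creation event."""
    image = event["Image"]
    original = event.get("OriginalFileName", "")
    product = identify_rmm(image, original)
    if product is None:
        return None
    host, user = event["Computer"], event["User"]
    basename = re.split(r"[\\/]", image)[-1].lower()
    renamed = bool(original) and original.lower() != basename
    zone = HOST_ZONE.get(host)
    if zone is None:
        # Fail closed: a host missing from the inventory must not inherit
        # IT-zone permissiveness by accident.
        return Alert(host, user, product, "HIGH",
                     "RMM on host absent from zone inventory (treated as OT-adjacent)")
    if zone == "ot-adjacent":
        suffix = "; binary renamed (masquerading)" if renamed else ""
        return Alert(host, user, product, "HIGH",
                     "RMM execution on OT-adjacent host (denied by default)" + suffix)
    if renamed:
        # Even a sanctioned product is suspect when it runs under another name.
        return Alert(host, user, product, "HIGH",
                     f"renamed RMM binary ({basename} has OriginalFileName {original})")
    if product not in APPROVED_BY_ZONE[zone]:
        return Alert(host, user, product, "MEDIUM",
                     "unsanctioned RMM product on IT host")
    return None


def hunt(jsonl: str) -> List[Alert]:
    """Run evaluate() over newline-delimited JSON events; return alerts in order."""
    alerts = []
    for line in jsonl.strip().splitlines():
        alert = evaluate(json.loads(line))
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample events (not real telemetry). JSON needs "\\" for one backslash.
SAMPLE_EVENTS = r"""
{"Computer":"ENG-WS-07","User":"CORP\\jdoe","Image":"C:\\Users\\jdoe\\Downloads\\AnyDesk.exe","OriginalFileName":"AnyDesk.exe"}
{"Computer":"HIST-01","User":"CORP\\svc_hist","Image":"C:\\Program Files (x86)\\ScreenConnect Client (4f2a)\\ScreenConnect.ClientService.exe","OriginalFileName":"ScreenConnect.ClientService.exe"}
{"Computer":"FIN-PC-22","User":"CORP\\asmith","Image":"C:\\Program Files (x86)\\ScreenConnect Client (4f2a)\\ScreenConnect.ClientService.exe","OriginalFileName":"ScreenConnect.ClientService.exe"}
{"Computer":"FIN-PC-22","User":"CORP\\asmith","Image":"C:\\ProgramData\\JWrapper-Remote Access\\Remote Access.exe","OriginalFileName":"Remote Access.exe"}
{"Computer":"FIN-PC-22","User":"CORP\\asmith","Image":"C:\\Users\\Public\\svchost.exe","OriginalFileName":"AnyDesk.exe"}
{"Computer":"FIN-PC-22","User":"CORP\\asmith","Image":"C:\\Windows\\System32\\notepad.exe","OriginalFileName":"NOTEPAD.EXE"}
{"Computer":"PKG-LINE-HMI3","User":"LINE3\\operator","Image":"C:\\Program Files\\ATERA Networks\\AteraAgent\\AteraAgent.exe","OriginalFileName":"AteraAgent.exe"}
"""

if __name__ == "__main__":
    for a in hunt(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.host} {a.user} {a.product} ({a.technique}): {a.reason}")
```

On the sample, the sanctioned ScreenConnect client on the IT host is the only RMM execution that stays silent; the same product on the historian, the unsanctioned SimpleHelp agent, the AnyDesk binary renamed to svchost.exe and the Atera agent on an un-inventoried line HMI all surface. Feeding real Sysmon or EDR process telemetry means only mapping your field names onto the four keys used here.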
6. Action Items
- Patch Ivanti Sentry to R10.5.2 / R10.6.2 / R10.7.1 today, and restrict the MICS API (port 8443) to management IPs — CVE-2026-10520 is an unauthenticated root RCE with a working public PoC released the same day; given Sentry fronts Exchange/managed-device access in government estates, treat the exploitation window as hours, not days. See § 2.
- Deploy the June Patch Tuesday HTTP.sys fix (CVE-2026-47291) on any IIS/WinRM host; as an interim check, confirm `MaxRequestBytes` is at the 16384-byte default (raised values are the exposed configuration). Apply the Chrome 149.0.7827.103 update fleet-wide for the in-the-wild V8 zero-day CVE-2026-11645 (CISA KEV). See § 2.
- Sequence the CH/EU public-sector patch load by exposure: SAP June notes (CVE-2026-44748 SAML XSW + CVE-2026-27671 unauth RFC kernel) with RFC gateway ACLs enabled; strongSwan 6.0.7 (CVE-2026-47895 pre-auth RCE) on IKEv2/EAP VPN gateways; TYPO3 13.4.31 / 14.3.3 on public-facing CMS estates; Veeam 12.3.2.4854 (CVE-2026-44963) on domain-joined backup servers. See § 2.
- Close Ghost-Sender on Exchange Online tenants using a third-party MX — there is no vendor patch: add a Partner/On-premises inbound connector requiring the gateway's TLS certificate or approved IPs, add a priority-0 transport rule rejecting mail not arriving via that connector, and verify Enhanced Filtering for Connectors is enabled. Hunt Message Trace for inbound mail on the `Default Frontend` connector. See § 1.
- Force re-authentication on patched PAN-OS GlobalProtect gateways (CVE-2026-0257) so authentication-override cookies regenerate, and run a forensic lookback from 17 May for cookie-auth sessions from unexpected IPs — exploitation is now confirmed successful, not just attempted. See § 4.
- Harden the IT/OT boundary against ransomware — deny RMM tooling (AnyDesk, SimpleHelp, Atera, N-able, ScreenConnect) by default on OT-adjacent hosts and alert on execution; extend access controls to ICS engineering/integration vendors' remote paths. See § 5.
- Audit developer and research endpoints for the Hades PyPI wave — hunt for `*-setup.pth` creation under `site-packages` and Bun downloads from `github.com/oven-sh/bun`; pin dependencies and install with `--ignore-scripts`. See § 4.
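The `site-packages` hunt from the last action item, as an added example that is not code from the brief or from any analysis of the PyPI wave. It walks `site-packages` for `.pth` files and scores each on the indicators the item names (a `*-setup.pth` filename, a Bun download URL) plus the primitive that makes `.pth` persistence work: Python's `site` module executes any line that begins with `import ` at every interpreter start. The sample tree is constructed in a temp directory, the filenames `reqs-setup.pth` and `runtime-helper.pth` are hypothetical, the payload strings are inert placeholders, and the allow-list of known-benign import-carrying `.pth` files (setuptools' `distutils-precedence.pth`) is an assumption to extend from your own golden image. Files are only read, never executed.

```python
"""
Hunt for code-executing .pth files under site-packages.

Added example; not code from the brief or from any PyPI/Hades analysis. The
sample site-packages tree is constructed in a temp directory; the benign
allow-list and the severity scoring are assumptions to tune per baseline.
Nothing found is executed: files are only read.
"""
import re
import site
import tempfile
from dataclasses import dataclass, field
from pathlib import Path
from typing import Iterable, List, Optional

# Python's site module executes any .pth line that starts with "import "
# (or "import<TAB>") at every interpreter start; that is the persistence hook.
IMPORT_PREFIXES = ("import ", "import\t")
BUN_URL = "github.com/oven-sh/bun"
SUSPICIOUS = re.compile(r"\b(exec|eval|b64decode|base64|urlopen|urlretrieve|subprocess)\b")
# .pth files that legitimately carry an import line (setuptools ships
# distutils-precedence.pth this way). Assumption: extend from your golden image.
BENIGN_IMPORT_PTH = {"distutils-precedence.pth"}


@dataclass
class Finding:
    path: str
    name: str
    severity: str
    indicators: List[str] = field(default_factory=list)


def inspect_pth(path: Path) -> Optional[Finding]:
    """Score one .pth file; None means nothing of interest."""
    text = path.read_text(encoding="utf-8", errors="replace")
    indicators = []
    if path.name.endswith("-setup.pth"):
        indicators.append("filename matches *-setup.pth")
    n_import = sum(1 for ln in text.splitlines() if ln.startswith(IMPORT_PREFIXES))
    if n_import:
        indicators.append(f"{n_import} code-executing import line(s)")
    if BUN_URL in text:
        indicators.append(f"references Bun download ({BUN_URL})")
    if SUSPICIOUS.search(text):
        indicators.append("exec/decode/network primitives present")
    if not indicators:
        return None
    if path.name in BENIGN_IMPORT_PTH and n_import and len(indicators) == 1:
        severity = "INFO"          # known-benign import hook, keep for baseline
    elif len(indicators) >= 2:
        severity = "HIGH"
    else:
        severity = "MEDIUM"
    return Finding(str(path), path.name, severity, indicators)


def scan(roots: Iterable[Path], newer_than: Optional[float] = None) -> List[Finding]:
    """Walk each root for .pth files; newer_than (epoch seconds) narrows to recent creations."""
    findings = []
    for root in roots:
        for pth in sorted(Path(root).rglob("*.pth")):
            if newer_than is not None and pth.stat().st_mtime < newer_than:
                continue
            finding = inspect_pth(pth)
            if finding is not None:
                findings.append(finding)
    return findings


def default_roots() -> List[Path]:
    """site-packages directories of the interpreter running this scan."""
    candidates = list(site.getsitepackages()) + [site.getusersitepackages()]
    return [Path(p) for p in candidates if Path(p).is_dir()]


def build_sample_tree() -> Path:
    """Constructed site-packages: one path-only, one allow-listed, two hostile .pth files."""
    root = Path(tempfile.mkdtemp()) / "site-packages"
    root.mkdir()
    (root / "easy-install.pth").write_text("./sqlalchemy-2.0.30-py3.11.egg\n")
    (root / "distutils-precedence.pth").write_text(
        "import os; var = 'SETUPTOOLS_USE_DISTUTILS'; enabled = os.environ.get(var, 'local') == 'local'; "
        "enabled and __import__('_distutils_hack').add_shim(); \n")
    # Hypothetical names; payloads are inert placeholders that are never executed here.
    (root / "reqs-setup.pth").write_text(
        "import base64;exec(base64.b64decode('cHJpbnQoJ2hpJyk='))\n")
    (root / "runtime-helper.pth").write_text(
        "import urllib.request as u;u.urlretrieve('https://github.com/oven-sh/bun/releases/latest/"
        "download/bun-linux-x64.zip','/tmp/bun.zip')\n")
    return root


if __name__ == "__main__":
    for f in scan([build_sample_tree()]):
        print(f"[{f.severity}] {f.path}: " + "; ".join(f.indicators))
```

On a real endpoint call `scan(default_roots(), newer_than=<epoch of the exposure window>)` from each interpreter you care about (system Python, every virtualenv, conda); `.pth` hooks are per-`site-packages`, so one interpreter's clean result says nothing about the others.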
7. Verification Notes
- Coverage window: standard daily, 36 h (gap to prior brief 2026-06-09 = 24 h). No catch-up extension needed.
- Immediate Action callout intentionally omitted. Ivanti Sentry CVE-2026-10520 (CVSS 10.0 pre-auth RCE, public PoC today) was the strongest candidate but has no confirmed in-the-wild exploitation or verified mass-scanning yet; per the callout bar ("if unsure, omit"), its urgency is surfaced in § 0 TL;DR, § 2 and § 6 instead.
- Single-source items (named): § 3 Unit 42 cloud-logging defense-evasion, § 3 Red Canary Entra Agent ID OBO abuse, and § 3 Check Point TDS ecosystem are each single HIGH-reliability vendor primary research (flagged `[SINGLE-SOURCE]` in-heading). § 1 NCSC-CH Week 23 and § 4 CRA deadline are single-source national-CERT / EU-authority primary disclosures (PD-5 carve-out). § 5 Dragos Q1 2026 is single-source HIGH-reliability OT/ICS specialist research; victim attributions trace to Dragos.
- Reduced confidence — aggregator-only sourcing: the § 1 Meta Instagram item rests on BleepingComputer and Security Affairs, which both relay Meta's Maine AG breach filing; the regulator filing is the underlying primary but was not directly retrievable in this run. Treat the 20,225 figure and the logic-flaw description as accurately relayed but not independently fetched from the filing.
- Vendor-primary single-source CVE items: the Ivanti Sentry (CVE-2026-10520, watchTowr), Chrome V8 (CVE-2026-11645, Chrome Releases) and Arista EOS (CVE-2026-7473, Arista advisory) items each cite a single authoritative vendor/research primary; the Chrome and Arista entries are independently corroborated by their CISA KEV listing (the KEV catalog root is a hard-blocked Source URL, so it is referenced in prose rather than the footer).
- Disclosure-only vulnerabilities (no confirmed ITW), included for CH/EU patch-prioritisation relevance: CVE-2026-47895 (strongSwan), CVE-2026-44963 (Veeam, authenticated), the SAP June notes, and the TYPO3 batch. Of today's § 2 CVEs only CVE-2026-11645 (Chrome) and CVE-2026-7473 (Arista) are KEV-listed/exploited; CVE-2026-10520 has a public PoC but no observed ITW. Patch-Tuesday CVEs not meeting the § 2 bar individually (e.g. CVE-2026-45586 CTFMON EoP) are referenced only as cluster context, not promoted to standalone items.
- Gamaredon long-running-campaign rule: the Trend Micro WinRAR report (§ 3) is framed around the novel UAC-0226/GIFTEDCROOK and Earth Dahu angle and CVE-2025-8088 persistence, not a re-summary of the Gamaredon GammaPhish/GammaWorm/GammaSteel chain already covered 2026-06-02→2026-06-08 and in the W23 weekly.
- Unverified actor claims flagged in-text: the Tchap attacker's directory-search enumeration method, the broader scrape figures (~643k messages, ~13.5 GB media) and the alleged unauthenticated media-retrieval bug are all attributed to the unverified actor (and reported by The Register as unverified claims), not stated as confirmed; DINUM's confirmed scope (73,467 agents; name/first-name/email/employing-entity/avatar) is what the brief reports as fact.
- Contradictions: none material. Microsoft June CVE count is reported as 198 (Rapid7/Tenable enumeration); SANS ISC cites 204/38-critical and Microsoft's own roll-up differs slightly by counting methodology and Chromium inclusion — the brief uses the Rapid7/Tenable figure and notes the methodology gap rather than asserting a single count.
- Sub-agents: all four (S1–S4, Claude Sonnet 4.6) returned within budget. New candidate source surfaced and added this run: InfoGuard Labs (`labs.infoguard.ch`), status candidate — the Ghost-Sender disclosing party. Socket.dev and Resecurity were also surfaced as candidates but held over (one-candidate-per-run cap).
- Coverage gaps: databreaches-net (bridge HTTP 403 + Wayback placeholder only — 7th consecutive run failure, transport block not demotion); sec-disclosures-edgar (HTTP 500 on the 5–10 June range, narrower 9–10 June range returned 0 qualifying Item 1.05 filings); sophos-xops (HTTP 503, 6th consecutive run — transport block); greynoise (no usable RSS/bridge endpoint — Webflow SPA); trendmicro-research (article body JS-rendered; WinRAR story corroborated via The Hacker News); cert-fr-actualite (weekly-bulletin feed stale to 2025, avis current but no in-window additions). inside-it-ch RSS bridge route confirmed working this run (resolves the prior 404 gap); no in-window security incidents on the feed.