On this page
- 0. TL;DR
- 1. Active Threats, Trending Actors, Notable Incidents & Disclosures
- 2. Trending Vulnerabilities
- 3. Research & Investigative Reporting
- 4. Updates to Prior Coverage
- 5. Deep Dive — MariaDB CVE-2026-49261: Galera `wsrep_notify_cmd` shell injection (CVSS 10.0)
- 6. Action Items
- 7. Verification Notes
Tags and references
- CVE-2026-45657
- CVE-2026-26142
- CVE-2026-47643
- CVE-2026-48579
- CVE-2026-25089
- CVE-2026-49261
- CVE-2026-35273
- CVE-2026-48163
- CVE-2026-48165
- ShinyHunters Oracle PeopleSoft data-theft campaign (100+ orgs, ~300 instances, education-heavy; Univ. of Nottingham confirmed)
- AudiA6 ransomware crypto-laundering service dismantled (US/Europol, CH participating)
- GreatXML: Nightmare Eclipse unpatched BitLocker/WinRE bypass, public PoC
- The Gentlemen ransomware (Storm-2697 / Phantom Mantis): self-propagating Go encryptor
- CISA BOD 26-04 — risk-tiered federal remediation, supersedes BOD 22-01/19-02
- Maine AG breach portal abused for fraudulent VRChat/Discord filings
- OpenClaw AI agent: indirect prompt injection (Imperva) + agent phishing (Varonis)
- OceanLotus/APT32 SPECTRALVIPER via FireAnt MetaKit update-server supply-chain compromise
- npm v12 disables install lifecycle scripts by default (July 2026)
- NCSC-NL — Security Advisories (RSS)
- BleepingComputer
- Check Point Research
- CISA Directives
- CISA News
- ESET WeLiveSecurity
- Krebs on Security
- Google Cloud / Mandiant (GTIG)
- Microsoft Threat Intelligence
- NCSC Switzerland — Cyber Security Hub (CSH) / GovCERT.ch
- Oracle Critical Patch Updates
- SecurityWeek
- The Record (Recorded Future News)
- Centre for Cybersecurity Belgium (CCB)
0. TL;DR
- Oracle confirms the PeopleSoft zero-day: CVE-2026-35273, pre-auth RCE (CVSS 9.8) in the Environment Management Hub, out-of-band patch released. Mandiant attributes the 100+-organisation data-theft campaign to UNC6240 (ShinyHunters) with an exploitation window of 27 May – 9 June (Mandiant GTIG, 2026-06-11). Patch and compromise-assess — exploitation predates the fix.
- MariaDB CVE-2026-49261 (CVSS 10.0): OS command injection via Galera's `wsrep_notify_cmd` — peer-supplied node names are interpolated unsanitised into a shell string; NCSC-CH issued an advisory, fixes are out for all active branches (NCSC-CH CSH, 2026-06-11). Deep dive in § 5.
- June 2026 Patch Tuesday carries four CVSS ≥ 9.1 criticals, led by CVE-2026-45657 — an unauthenticated use-after-free RCE in the Windows kernel TCP/IP path reachable by crafted network traffic (Microsoft MSRC, 2026-06-09).
- "GreatXML": unpatched BitLocker bypass with public PoC — crafted XML files on the recovery partition yield a SYSTEM shell in WinRE; severity is contested (an initial Defender offline scan, which requires admin, must have run once) (SecurityWeek, 2026-06-11).
- The Gentlemen RaaS claims 478 leak-site victims (concentrated in Thailand, the UK, Brazil, Germany and India per THN); Krebs publishes an operator deanonymisation, and Microsoft's dissection details the encryptor's `--spread` worm mode (KrebsOnSecurity, 2026-06-10).
- AudiA6, a major ransomware crypto-laundering service, dismantled in a US/Europol operation with Swiss participation; two operators charged over ~$389 M in laundered Bitcoin (US Secret Service, 2026-06-11).
Immediate Action — patch Oracle PeopleSoft out-of-band and run a compromise assessment. Oracle has published an out-of-band Security Alert for CVE-2026-35273, an unauthenticated remote code execution flaw (CVSS 9.8) in the PeopleTools Environment Management Hub (PSEMHUB) exploited as a zero-day by UNC6240 (ShinyHunters) from 27 May to 9 June against 100+ organisations, 68 % of them in higher education (Oracle, 2026-06-10; Mandiant GTIG, 2026-06-11). Because the entire campaign predates the fix, patching alone is insufficient: every PeopleTools 8.61/8.62 deployment must be treated as potentially compromised — apply the alert, restrict PSEMHUB to management networks, and triage for the campaign's post-exploitation tradecraft (SSH credential spraying from the application server, remote-management agents masquerading as Azure components) before declaring the system clean.
1. Active Threats, Trending Actors, Notable Incidents & Disclosures
AudiA6 ransomware crypto-laundering service dismantled — two charged, Switzerland among the participating countries
A coordinated operation led by the US Secret Service, IRS-CI, Europol and Eurojust — with participation from Australia, Canada, France, Georgia, Germany, Iceland, Japan, Poland, Switzerland and the United Kingdom — dismantled AudiA6 on 11 June, a crypto-laundering service trusted by ransomware operations since 2021 (US Secret Service, 2026-06-11). Two men resident in Batumi, Georgia — Ruslan Igorevich Tkachuk (37) and Alexander Vladimirovich Ledenev (25) — were arrested and charged in the Eastern District of Pennsylvania with conspiracy to launder monetary instruments and sting money laundering. Blockchain analysis traced roughly 10,333 BTC (~$389.7 M at transaction-time value) through AudiA6 wallets, with ~393 BTC directly attributable to darknet markets, ransomware crews and cybercrime services; the service charged 3–10 % commission and returned "cleaned" funds within about an hour through chains of fraudulent exchange accounts opened with stolen identities. Europol links AudiA6 to more than 15 international cybercrime investigations and reports infrastructure seizures in the US, Iceland, Germany and France, alongside the seizure of the Dark2Web forum where the service advertised (Europol, 2026-06-11).
Why it matters to us: the takedown removes a monetisation layer used by ransomware groups that target EU and Swiss organisations, and seized transaction records may retrospectively attribute earlier ransom payments — IR teams with open extortion cases should watch for law-enforcement follow-up requests.
"GreatXML": unpatched BitLocker bypass via crafted XML on the recovery partition — PoC public, practical severity contested
The researcher operating as Nightmare Eclipse (also tracked as Chaotic Eclipse) published GreatXML on 11 June — a working proof-of-concept that bypasses BitLocker full-volume encryption and spawns a SYSTEM command prompt inside the Windows Recovery Environment (WinRE), with no CVE assigned and no Microsoft patch available (SecurityWeek, 2026-06-11). The technique places a crafted unattend.xml at the root of the recovery partition plus a second malformed XML under Recovery/, then reboots into WinRE; the Microsoft Defender Offline scan path processes the attacker-controlled XML while the volume is unlocked. Per the researcher, "any Windows machine becomes vulnerable to GreatXML as soon as Defender's offline scanning is initiated" — i.e. the bypass arms itself once an offline scan has ever run on the host (SecurityWeek, 2026-06-11). Independent researcher Will Dormann disputes the practical severity, noting that triggering the prerequisite Defender Offline scan requires an existing Windows logon with admin credentials — an attacker in that position could already disable BitLocker outright (The Register, 2026-06-11). NCSC-CH is tracking the disclosure as part of the same researcher's zero-day series (BlueHammer, RedSun, UnDefend, YellowKey, GreenPlasma, RoguePlanet — RoguePlanet covered 2026-06-11) (NCSC-CH CSH, 2026-06-11). Maps to T1542.001 (Pre-OS Boot) territory: code execution from the recovery path while the BitLocker-protected volume is mounted.
Why it matters to us: evil-maid and stolen-laptop scenarios against BitLocker-protected fleets get cheaper where an offline scan has previously run. Until a patch lands: audit recovery-partition contents for unexpected unattend.xml/ReAgent.xml modifications, require TPM+PIN pre-boot authentication on high-value mobile assets, and weigh reagentc /disable on machines where recovery capability is dispensable.
The Gentlemen ransomware: 478 claimed leak-site victims, self-propagating Go encryptor, operator publicly named
The Gentlemen — tracked by Microsoft as Storm-2697 and by PRODAFT as Phantom Mantis / LARVA-368 — has claimed 478 victims on its leak site, with victims concentrated in Thailand, the UK, Brazil, Germany and India (The Hacker News, 2026-06-11). Microsoft's technical dissection details a Go encryptor obfuscated with Garble: per-file ephemeral Curve25519 key pairs with XChaCha20 (the ephemeral public key is appended to each encrypted file after an --eph-- marker), a --spread argument that "turns the malware from a single-host encryptor into a self-propagating worm" — simultaneously abusing network shares, scheduled tasks and remote process execution (T1021.002, T1053.005) — and a --full mode that spawns a SYSTEM-context child via a scheduled task named gentlemen_system (Microsoft Threat Intelligence, 2026-05-28). Defence evasion includes disabling Defender real-time monitoring (T1562.001), re-enabling SMBv1 and registry changes for anonymous share access; persistence runs via UpdateSystem/UpdateUser scheduled tasks and Run keys. On 10 June, KrebsOnSecurity published a deanonymisation tracing the operator handle "Hastalamuerte"/"Zeta88" to a named Russian national in Izhevsk, corroborated by Intel 471, Constella and Flashpoint (KrebsOnSecurity, 2026-06-10). Check Point Research documents the affiliate-favourable 90/10 revenue split and reports affiliates obtaining initial access via Fortinet SSL-VPN credentials (Check Point Research, 2026-05-13). Note: Krebs cites 332 published victims since mid-2025 versus the leak site's 478 claim — see § 7.
Why it matters to us: the initial-access pattern is concrete and huntable — review Fortinet SSL-VPN authentication logs for brute-force sequences followed by a first-time successful logon from a new ASN; alert on scheduled-task creation named gentlemen_system/UpdateSystem/UpdateUser (Windows Event ID 4698) and on shadow-copy deletion; treat SMBv1 re-enablement on any host as a high-confidence compromise signal.
CISA replaces the KEV 14-day rule: BOD 26-04 introduces risk-tiered remediation with a 3-day class for the worst exposures
CISA issued Binding Operational Directive 26-04 ("Prioritizing Security Updates Based on Risk") on 10 June, superseding and revoking BOD 19-02 and BOD 22-01 — the directive that created the flat KEV remediation deadlines (CISA, 2026-06-10). US federal civilian agencies must now tier remediation by four criteria: internet exposure of the asset, KEV listing, exploit automatability, and total-versus-partial technical impact. Vulnerabilities meeting all four require remediation within three calendar days plus a forensic triage before patching to determine whether the system was already compromised; low-risk findings may defer to the next upgrade cycle. CISA's companion post cites AI-accelerated exploitation as a driver and notes that "only 26% of vulnerabilities on CISA's Known Exploited Vulnerabilities (KEV) Catalog were fully remediated by organizations in 2025," with median time-to-remediation rising to 43 days (CISA, 2026-06-10). The directive binds only US FCEB agencies — it carries no jurisdictional weight in Switzerland or the EU — but the four-criterion model is a transferable benchmark for patch-governance SLAs under NIS2 Art. 21 vulnerability-handling obligations.
Why it matters to us: if your patch SLA still treats every KEV entry identically, the four-criterion test (exposed + KEV + automatable + total control) is a defensible way to concentrate emergency-change effort; CISA's pilot data suggests only ~1 % of findings land in the 3-day class.
[SINGLE-SOURCE] Maine's breach-notification portal abused for fraudulent filings against VRChat and Discord — both companies deny any breach
Maine's Attorney-General breach-notification portal published fraudulent data-breach filings — one claiming a 2.4-million-user VRChat cloud compromise, another a 10-million-user Discord breach — because submissions are published without filer-identity verification (BleepingComputer, 2026-06-11). VRChat stated: "VRChat did not submit this Notice of Data Incident, and the employee/email cited does not exist. We have no reason to believe that our data or systems have been compromised." Discord likewise denied filing. The Maine AG's office acknowledged the fraudulent notices and moved to remove them. [SINGLE-SOURCE — BleepingComputer.]
Why it matters to us: CTI teams routinely treat state breach portals as authoritative collection sources — this incident shows they can be poisoned. Require victim confirmation or regulator follow-up before acting on (or republishing) portal-only breach claims; the same trust-exploitation pattern would work against any unauthenticated notification channel.
2. Trending Vulnerabilities
June 2026 Patch Tuesday: four CVSS ≥ 9.1 criticals — Windows kernel TCP/IP RCE, Nuance PowerScribe, Azure Stack Edge, Exchange Online
Microsoft's June cumulative update (9 June) carries four criticals that clear the CVSS 9+ bar. CVE-2026-45657 (CVSS 9.8) is the priority: a use-after-free with a heap-overflow component in the Windows kernel's TCP/IP processing path, reachable by "specially crafted network traffic" with no authentication and no user interaction, yielding SYSTEM-level code execution (Microsoft MSRC, 2026-06-09). Microsoft rates exploitation "Less Likely" and reports no in-the-wild activity, but the unauthenticated network-reachable kernel surface makes this the June cycle's patch-first item for any Windows host exposed to untrusted networks. CVE-2026-26142 (CVSS 9.8) is an unauthenticated deserialization-of-untrusted-data RCE (CWE-502) in Nuance PowerScribe, the radiology reporting platform common in hospital imaging departments — clinical networks integrating PowerScribe with PACS/RIS should patch and restrict the service to clinical subnets (Microsoft MSRC, 2026-06-09). CVE-2026-47643 (CVSS 9.8) lets an unauthenticated attacker control the file name/path in an Azure Stack Edge upload endpoint (CWE-73), writing outside the intended directory through to code execution on the hybrid-cloud appliance (Microsoft MSRC, 2026-06-09). CVE-2026-48579 (CVSS 9.1), an improper-authorisation information-disclosure flaw in Exchange Online, is already fixed service-side with no customer action required — tenants wanting assurance can review the Unified Audit Log for anomalous mailbox-access operations predating 4 June (Microsoft MSRC, 2026-06-04). NCSC-NL groups these in its June Patch Tuesday advisories (NCSC-NL, 2026-06-11, NCSC-NL 0189).
CVE-2026-25089 — Fortinet FortiSandbox: unauthenticated OS command injection in the web UI's VNC-launch handler (CVSS 9.8)
Fortinet patched CVE-2026-25089 (CWE-78, internal reference FG-IR-26-141) on 9 June: the FortiSandbox web interface's "start VNC" handler passes attacker-controlled JSON to the underlying OS without sanitisation, allowing a remote unauthenticated attacker to achieve second-order command injection via a crafted HTTP request (NCSC-NL, 2026-06-11). Affected: FortiSandbox 5.0.0–5.0.5 and 4.4.0–4.4.8 (plus corresponding Cloud/PaaS builds); fixed in 5.0.6 and 4.4.9. CCB Belgium urges immediate patching and warns that the public availability of a proof-of-concept exploit increases the likelihood of exploitation (CCB Belgium, 2026-06-11). No in-the-wild exploitation is reported, and the management interface is not meant to be internet-reachable — but with a public PoC available, a compromised FortiSandbox hands an attacker every file your SOC submits for detonation, plus a trusted foothold inside the security stack (T1190). Discovered internally by Fortinet's product-security team; the FortiGuard PSIRT page was unreachable in this run (see § 7).
CVE Summary Table
| CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source |
|---|---|---|---|---|---|---|---|
| CVE-2026-35273 | Oracle PeopleSoft PeopleTools 8.61/8.62 (PSEMHUB) | 9.8 | n/a | No | Yes — zero-day, UNC6240 | Out-of-band alert 2026-06-10 | Oracle |
| CVE-2026-49261 | MariaDB Server (Galera wsrep_notify_cmd) | 10.0 | n/a | No | No | 11.8.8 / 11.4.12 / 10.11.18 / 10.6.27 | NCSC-CH |
| CVE-2026-45657 | Windows kernel (TCP/IP) | 9.8 | n/a | No | No | June 2026 cumulative | MSRC |
| CVE-2026-26142 | Nuance PowerScribe | 9.8 | n/a | No | No | June 2026 update | MSRC |
| CVE-2026-47643 | Azure Stack Edge | 9.8 | n/a | No | No | June 2026 update | MSRC |
| CVE-2026-48579 | Exchange Online | 9.1 | n/a | No | No | Service-side, no customer action | MSRC |
| CVE-2026-25089 | Fortinet FortiSandbox | 9.8 | n/a | No | PoC public | 5.0.6 / 4.4.9 | NCSC-NL |
3. Research & Investigative Reporting
Imperva and Varonis: indirect prompt injection and "agent phishing" against the OpenClaw AI agent — fixed in v2026.4.23, but the attack class generalises
Two independent teams published complementary findings against OpenClaw, the self-hosted AI-agent platform that plugs into messaging systems, mailboxes, file systems and APIs. Imperva showed that shared contact names, vCard fields and location-pin labels flow into the LLM prompt with no untrusted-content boundary: a crafted contact — its injected command hidden behind 65 whitespace characters so the UI truncates it — executed python3 on the victim's host the moment the victim shared the contact with their agent (Imperva, 2026-06-10). Varonis demonstrated "agent phishing": a plain email from a plausible sender persuaded a mailbox-connected agent to forward mock AWS IAM keys and a customer export to an external address, with no exploit involved — the agent simply lacks sender-identity verification before acting (Varonis, 2026-06-09). Both teams note OpenClaw's default memory persistence lets one successful injection survive across sessions. The vendor fix (v2026.4.23) moves messaging-object metadata into a separate untrusted channel — but the structural lesson stands: wherever an agent ingests third-party-controlled strings (contacts, calendar invites, ticket bodies), that channel is an injection surface (T1059). Defender takeaway: pin OpenClaw ≥ v2026.4.23; inventory which AI agents hold mailbox send-permissions or shell access; gate agent-initiated outbound actions behind approval workflows the same way you gate privileged operations.
[SINGLE-SOURCE] ESET: OceanLotus (APT32) compromises a stock-trading platform's update server — selective SPECTRALVIPER delivery, no integrity checks to defeat
ESET documents two SPECTRALVIPER-delivered OceanLotus (APT32) intrusions running from mid-2024 into 2026: a long-dwell espionage compromise of a Vietnamese infrastructure/transport construction firm (likely via RCE on a public-facing Microsoft SQL Server, T1190) and — more transferable — a supply-chain attack on FireAnt MetaKit, a stock-investment platform, between October 2025 and March 2026 (ESET WeLiveSecurity, 2026-06-11). The platform's update mechanism fetched its version.xml over plain HTTP with no integrity validation; OceanLotus replaced the update binary with a downloader that fingerprinted hosts and delivered the SPECTRALVIPER backdoor via process injection and DLL side-loading (T1195.002, T1055) to only a small subset of victims — investigative targeting, not mass compromise. ESET's disclosure attempts to the vendor went unanswered. [SINGLE-SOURCE — ESET Research.] Defender takeaway: the pattern (unsigned updates, cleartext transport, no version-file integrity check) is endemic in regional/vertical software far beyond Vietnam — inventory third-party auto-updaters in your estate and flag any fetching over HTTP or lacking signature validation; egress-monitor the hosts that run them.
npm v12 will disable install scripts by default — audit CI/CD pipelines before July
GitHub announced that npm v12 (expected July 2026) disables dependency lifecycle scripts (preinstall/install/postinstall, including implicit node-gyp builds) by default, requires npm approve-scripts for explicit opt-in, and blocks Git/remote-URL dependencies without --allow-git/--allow-remote (GitHub Changelog, 2026-06-09). This is a structural response to the install-script abuse that powered this spring's npm worm wave (Shai-Hulud/Miasma, IronWorm, TeamPCP — coverage 2026-06-06 through 2026-06-10) and brings npm in line with other package managers that already block install scripts by default (BleepingComputer, 2026-06-11). The warnings are live today in npm ≥ 11.16.0. Defender takeaway: this is a breaking change with a security upside — run npm install under 11.16.0 now to enumerate deprecation warnings, build the script allow-list before v12 ships, and treat any pipeline that must keep scripts enabled wholesale as a finding.
4. Updates to Prior Coverage
UPDATE: ShinyHunters PeopleSoft campaign — Oracle confirms CVE-2026-35273 and ships an out-of-band patch; Nottingham quantifies 455,000 records
UPDATE (originally covered 2026-06-11): the initial-access vector that was attacker-asserted yesterday is now vendor-confirmed: Oracle assigned CVE-2026-35273 (CVSS 9.8), an unauthenticated RCE in the PeopleTools Environment Management Hub (PSEMHUB, versions 8.61/8.62), and published an out-of-band Security Alert with fixes (Oracle, 2026-06-10; SecurityWeek, 2026-06-11).
Mandiant GTIG formally attributes the campaign to UNC6240 (ShinyHunters), dating exploitation 27 May – 9 June — a zero-day for the full window — and details the post-exploitation chain: customised MeshCentral remote-management agents masquerading as Microsoft Azure components for persistence and C2, and a per-victim `_fanout.sh` lateral-movement script spraying SSH credentials against internal hosts harvested from `/etc/hosts` (T1190, T1021.004). Mandiant notified more than 100 organisations with exposed PSEMHUB endpoints; 68 % are higher-education institutions (Mandiant GTIG, 2026-06-11). The University of Nottingham — confirmed as a victim yesterday — now quantifies the damage: roughly 40 GB exfiltrated covering ~455,000 individuals across its UK, Malaysia and China campuses, including names, contact details, ethnicity, disability, passport and tuition-payment data; the ICO says it is assessing the report (BleepingComputer, 2026-06-11; The Record, 2026-06-11; University of Nottingham, 2026-06-10). Action: see the § 0 callout — patch out-of-band and compromise-assess; yesterday's hardening guidance (default SSH service accounts, PSEMHUB exposure) stands.
5. Deep Dive — MariaDB CVE-2026-49261: Galera `wsrep_notify_cmd` shell injection (CVSS 10.0)
MariaDB is the MySQL-compatible engine behind a large share of Swiss and EU public-sector LAMP stacks, Nextcloud and Mattermost deployments, and cantonal portals — so a wormable, root-capable RCE in its clustering layer is a direct concern for this audience.
The bug. CVE-2026-49261 (CVSS 3.1: 10.0, AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) is an OS command injection in MariaDB Server's Galera cluster replication subsystem. When an operator configures wsrep_notify_cmd — the hook Galera invokes on cluster-membership and state changes, commonly used by auto-failover and load-balancer scripts — the server builds the notification command by string-concatenating peer-supplied fields (wsrep_node_name, wsrep_node_incoming_address) directly into a shell line, "without validating or escaping them" (NCSC-CH CSH, 2026-06-11). A malicious or compromised cluster member that announces a node name containing shell metacharacters (;, $(…), backticks) therefore executes arbitrary OS commands on every other member that has the hook configured, with the privileges of the mariadbd process — frequently mysql, sometimes root. The technique maps to T1059 (Command and Scripting Interpreter); code-level detail lives in MariaDB ticket MDEV-39721, with the corrective releases documented by the MariaDB Foundation (MariaDB Foundation, 2026-06-02).
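To make the defect pattern concrete, here is an added illustration in generic Python (not MariaDB's or Galera's source code, and not the vendor fix) of a cluster-notification hook: one builder concatenates peer-supplied fields into a shell string, the hardened builders validate the fields against a strict allow-list and hand the command to the OS as an argv list so no shell parses peer data, with `shlex.quote` shown as a second line of defence where a shell string is unavoidable. The `--status`/`--members` argument shape, the allow-list patterns and the node name and address values are all assumptions constructed for the example.

```python
"""Added illustration of CWE-78 in a cluster-notification hook and its hardened
form. Generic Python, not MariaDB/Galera source; argument shape is assumed."""
import re
import shlex
import subprocess
from typing import List

# Strict allow-lists for peer-announced identity fields (assumed policy):
# hostname-like node names and address:port strings, nothing else.
NODE_NAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")
ADDRESS_RE = re.compile(r"[A-Za-z0-9.:_\[\]-]{1,255}")


def build_shell_line_unsafe(notify_cmd: str, node_name: str, address: str) -> str:
    """Vulnerable pattern: peer fields are concatenated into one string that a
    shell would parse. Returned for inspection only; never executed here."""
    return f"{notify_cmd} --status synced --members {node_name}/{address}"


def is_safe_peer_field(value: str, pattern: re.Pattern) -> bool:
    """True only if the whole value matches the allow-list pattern."""
    return pattern.fullmatch(value) is not None


def build_argv_safe(notify_cmd: str, node_name: str, address: str) -> List[str]:
    """Hardened: reject anything outside the allow-list, then build an argv
    list so no shell ever interprets the peer data."""
    if not is_safe_peer_field(node_name, NODE_NAME_RE):
        raise ValueError(f"rejected peer node name: {node_name!r}")
    if not is_safe_peer_field(address, ADDRESS_RE):
        raise ValueError(f"rejected peer address: {address!r}")
    return [notify_cmd, "--status", "synced", "--members", f"{node_name}/{address}"]


def build_shell_line_quoted(notify_cmd: str, node_name: str, address: str) -> str:
    """Second-line defence where a shell string is unavoidable: quote every
    peer-derived token so metacharacters become literal text."""
    member = shlex.quote(f"{node_name}/{address}")
    return f"{shlex.quote(notify_cmd)} --status synced --members {member}"


def run_notify(notify_cmd: str, node_name: str, address: str) -> int:
    """Invoke the hook without a shell; returns the hook's exit status."""
    argv = build_argv_safe(notify_cmd, node_name, address)
    return subprocess.run(argv, shell=False, check=False, timeout=10).returncode


if __name__ == "__main__":
    hostile = "node1; id"  # constructed: a node name carrying a metacharacter
    print(build_shell_line_unsafe("/usr/local/bin/notify.sh", hostile, "10.0.0.2:4567"))
    print(build_shell_line_quoted("/usr/local/bin/notify.sh", hostile, "10.0.0.2:4567"))
    try:
        build_argv_safe("/usr/local/bin/notify.sh", hostile, "10.0.0.2:4567")
    except ValueError as exc:
        print("hardened builder:", exc)
    print(build_argv_safe("/usr/local/bin/notify.sh", "node1", "10.0.0.2:4567"))
```

The allow-list check is the part that matters: quoting alone stops shell interpretation, but a node name that is rejected outright never reaches the hook at all, which also keeps the hook script itself from having to defend against hostile arguments.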
Prerequisites and blast radius. Exploitation requires no MariaDB credential — the attacker needs membership in the Galera cluster or the ability to inject Galera protocol traffic on the replication port (default TCP 4567), plus wsrep_notify_cmd set on the victim members. That makes this a lateral-movement amplifier rather than a direct internet-edge bug: one compromised replica converts into code execution across every notification-enabled member of the cluster, including across data centres in geo-distributed deployments. The MariaDB Foundation's corrective-release note lists two companion fixes in the same cycle, CVE-2026-48165 and CVE-2026-48163, addressing related parameter-injection surfaces in the wsrep replication path (MariaDB Foundation, 2026-06-02). The realistic attacker is therefore one who already holds a foothold on a peer or on the replication segment, not an arbitrary internet client. NCSC-CH records exploitation status as unknown; no public PoC is referenced and no in-the-wild activity is reported as of 11 June.
Affected and patched versions. Community Server below 11.8.8 / 11.4.12 / 10.11.18 / 10.6.27; Enterprise Server below 11.8.6-4 / 11.4.10-8 / 10.6.25-22. Fixes ship in those releases and above (NCSC-CH CSH, 2026-06-11; MariaDB Foundation, 2026-06-02).
Hunt and detection concepts (no IOCs). The signal is process lineage: a database daemon does not normally fork a shell. Alert on mariadbd/mysqld spawning sh/bash/dash or any non-database child process (Sysmon Event ID 1 / Linux auditd execve records whose parent is the database service UID). Inventory which instances actually have wsrep_on=ON and a non-empty wsrep_notify_cmd — only those are exploitable, and the set is often smaller than operators assume because auto-failover tooling sets the variable opaquely. Watch for Galera membership churn from unexpected peer addresses on TCP 4567/4568.
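As an added example of the process-lineage check described above (my code, not anything published by NCSC-CH or MariaDB), the following Python runs over constructed execve-style records in a simplified key=value form (not real auditd syntax): it joins each record to its parent by pid and flags any child of mariadbd/mysqld that is not an allow-listed hook invocation, or an allow-listed hook whose arguments carry shell metacharacters. The paths in HOOK_ALLOWLIST are assumptions standing in for the estate's configured wsrep_notify_cmd and SST scripts; because the daemon itself launches those scripts, a bare "database daemon spawned a shell" rule needs this allow-list to stay quiet during normal state transfers.

```python
"""Added detection example: flag a database daemon forking a shell or other
non-database child, over constructed execve-style records (simplified
key=value form, not real auditd syntax)."""
import re
from typing import Dict, List, Tuple

DB_DAEMONS = {"mariadbd", "mysqld"}
SHELLS = {"sh", "bash", "dash"}
# Assumed per-estate allow-list of commands the daemon may legitimately launch
# through a shell: the configured notification hook and the SST scripts.
HOOK_ALLOWLIST = {
    "/usr/local/bin/notify.sh",
    "/usr/bin/wsrep_sst_rsync",
    "/usr/bin/wsrep_sst_mariabackup",
}
METACHARS = re.compile(r"[;&|`$<>(){}]")
RECORD = re.compile(r"^pid=(\d+) ppid=(\d+) uid=(\d+) comm=(\S+) exe=(\S+) argv=(.*)$")

# Constructed sample: a daemon, a legitimate SST, a hook call whose member
# argument smuggles a metacharacter, an interactive shell, and an unrelated shell.
SAMPLE = """\
pid=2210 ppid=1 uid=999 comm=mariadbd exe=/usr/sbin/mariadbd argv=/usr/sbin/mariadbd
pid=2311 ppid=2210 uid=999 comm=sh exe=/usr/bin/dash argv=sh -c /usr/bin/wsrep_sst_rsync --role donor
pid=2390 ppid=2210 uid=999 comm=sh exe=/usr/bin/dash argv=sh -c /usr/local/bin/notify.sh --status synced --members node1;id
pid=2401 ppid=2210 uid=999 comm=bash exe=/usr/bin/bash argv=bash -i
pid=2500 ppid=1 uid=1000 comm=bash exe=/usr/bin/bash argv=bash
"""


def parse(lines: str) -> Dict[int, dict]:
    """Index records by pid; malformed lines are skipped."""
    procs: Dict[int, dict] = {}
    for line in lines.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue
        pid, ppid, uid, comm, exe, argv = m.groups()
        procs[int(pid)] = {"pid": int(pid), "ppid": int(ppid), "uid": int(uid),
                           "comm": comm, "exe": exe, "argv": argv}
    return procs


def shell_payload(argv: str):
    """Return the command string handed to `sh -c`, or None if not a -c call."""
    parts = argv.split(" ", 2)
    if len(parts) == 3 and parts[1] == "-c":
        return parts[2]
    return None


def detect(lines: str) -> List[Tuple[int, str]]:
    """Return (pid, reason) for every suspicious child of a database daemon."""
    procs = parse(lines)
    findings: List[Tuple[int, str]] = []
    for pid in sorted(procs):
        rec = procs[pid]
        parent = procs.get(rec["ppid"])
        if parent is None or parent["comm"] not in DB_DAEMONS:
            continue
        payload = shell_payload(rec["argv"]) if rec["comm"] in SHELLS else None
        if payload is not None:
            hook = payload.split(" ", 1)[0]
            if hook in HOOK_ALLOWLIST:
                if METACHARS.search(payload):
                    findings.append((pid, f"shell metacharacters in hook arguments under {parent['comm']}: {payload}"))
                continue  # allow-listed hook with clean arguments
        findings.append((pid, f"unexpected child of {parent['comm']}: {rec['argv']}"))
    return findings


if __name__ == "__main__":
    for pid, reason in detect(SAMPLE):
        print(pid, reason)
```

On the sample this flags pid 2390 (an allow-listed hook whose member argument contains `;`) and pid 2401 (an interactive bash under mariadbd), while the SST invocation and the unrelated user shell pass. In production the same join can be done against Sysmon Event ID 1 parent fields or auditd ppid values, as the paragraph above describes.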
Hardening / mitigation. Patch to the fixed releases. Where notification is not required, leave wsrep_notify_cmd unset (or wsrep_on=OFF on standalone instances). Restrict the Galera communication ports (4567 replication, 4568 IST, 4444 SST) to the known peer subnet with host firewall rules so an attacker cannot inject membership messages from outside the cluster. Treat the database service account as a high-value identity — an RCE here is RCE on the data tier.
6. Action Items
- Patch Oracle PeopleSoft out-of-band and treat every 8.61/8.62 instance as compromised until proven clean (CVE-2026-35273). Apply Oracle's alert, restrict PSEMHUB to management networks, and hunt the post-exploitation chain: SSH credential spraying from the application server against hosts in `/etc/hosts`, remote-management agents masquerading as Azure components, and ransom-note markers in PeopleSoft directories. Exploitation ran 27 May – 9 June, before the patch existed. See § 0 and § 4.
- Patch MariaDB Galera clusters and inventory `wsrep_notify_cmd` (CVE-2026-49261). Upgrade to 11.8.8 / 11.4.12 / 10.11.18 / 10.6.27 (Community) or the Enterprise equivalents. Where notification isn't needed, unset `wsrep_notify_cmd`; firewall TCP 4567/4568/4444 to known peers; alert on `mariadbd`/`mysqld` spawning a shell. See § 5.
- Prioritise CVE-2026-45657 in the June Windows rollout. Unauthenticated network-reachable kernel TCP/IP RCE to SYSTEM — patch internet-exposed and untrusted-network-facing Windows hosts first; the other June criticals (Nuance PowerScribe, Azure Stack Edge) follow by exposure. See § 2.
- Patch FortiSandbox to 5.0.6 / 4.4.9 and confirm the management interface is off the internet (CVE-2026-25089). A compromised sandbox exposes every file your SOC detonates. See § 2.
- Hunt The Gentlemen's initial access and worm artefacts. Review Fortinet SSL-VPN logs for brute-force-then-success from new ASNs; alert on scheduled tasks named `gentlemen_system`/`UpdateSystem`/`UpdateUser` (Event ID 4698), SMBv1 re-enablement, and shadow-copy deletion. See § 1.
- For BitLocker fleets, mitigate GreatXML pending a patch. Require TPM+PIN pre-boot auth on high-value mobile assets, audit recovery-partition `unattend.xml`/`ReAgent.xml` for tampering, and consider `reagentc /disable` where recovery capability is dispensable. See § 1.
- Stage the npm v12 migration now. Run `npm install` under ≥ 11.16.0 to enumerate install-script deprecation warnings and build the `npm approve-scripts` allow-list before the July default flip; flag CI/CD pipelines that must keep scripts enabled wholesale. See § 3.
7. Verification Notes
- Single-source items: the Maine breach-portal abuse (§ 1, BleepingComputer only — corroborated in substance by company denials quoted therein); ESET OceanLotus/FireAnt (§ 3, ESET Research as primary disclosing lab, THN corroborates the same write-up). Both flagged inline.
- Reduced-confidence / contested: GreatXML (§ 1) — the BitLocker bypass is real and has a public PoC, but practical severity is disputed (Will Dormann notes the prerequisite Defender Offline scan requires admin, which already permits disabling BitLocker). Reported with the disagreement intact; no CVE assigned.
- Contradiction — The Gentlemen victim count: the group's leak site claims 478 victims (THN, 2026-06-11) while Krebs counts 332 published victims since mid-2025. Brief reports both figures and attributes each, on the basis that leak-site totals are self-asserted and not independently verified; the 478 number is the actor's claim, not confirmed victimology. Geography is reported only to the concentration The Hacker News states (Thailand/UK/Brazil/Germany/India) — an unsupported "66 countries / France / sector-list" claim from a sub-agent return was dropped in verification as unsourced, as was a PRODAFT-attributed "administrator supplies affiliates' Fortinet credentials" claim for which no PRODAFT source was reachable this run.
- Kyushu Electric Power lost-drive disclosure (10.9 M customers) dropped: Japan-only critical-infrastructure physical-media incident, single-source (BleepingComputer), no CH/EU nexus and no transferable defender action beyond generic media-handling — below the relevance bar.
- South Korea PIPC ₩624.7 bn Coupang fine dropped: significant GDPR-adjacent enforcement precedent but APAC commercial, no CH/EU public-sector nexus and no defender-actionable delta this run; logged here for horizon awareness.
- CVEs noted but not promoted to § 2: CVE-2026-48579 (Exchange Online) is included in § 2 for completeness but requires no customer action (service-side fix). No § 2 candidate CVEs were dropped for failing inclusion gates this run.
- Recency: all promoted items have an in-window (≤ 36 h) primary or fresh-development source. The Microsoft Gentlemen dissection (2026-05-28) and Check Point analysis (2026-05-13) are cited as background/corroboration under the developing-window allowance; the in-window hooks are the Krebs deanonymisation (06-10) and the THN 478-victim escalation (06-11).
- Candidate source surfaced (not added this run): securityonline.info (S1) — fast CVSS-annotated vuln tracking, occasionally ahead of national CERTs. One-candidate-per-run budget reserved; deferred.
- Coverage gaps: sophos-xops (503 on both feeds, 4th consecutive run — transport block, not demotion); databreaches-net (Cloudflare block, 6th run — Wayback fallback not attempted, no unique signal beyond BleepingComputer/TheRecord); inside-it-ch (404, 3rd run — no unique CH breach items missed); sec-disclosures-edgar (EDGAR Item 1.05 full-text search returned zero hits for 2026-06-09→12; bridge worked, empty result set); cnil-fr (RSS 404, no in-window enforcement actions); oracle-psirt (403 on the PSIRT host — story fully covered via Oracle Security Alert page, Mandiant GTIG, NCSC-NL); anssi-fr / ncsc-ch-focus / dragos / rapid7-research / vulncheck / watchtowr / zdi (fetched, no in-window items not already covered); fortiguard-psirt (SPA shell — FortiSandbox covered via NCSC-NL + CCB).