# CTI Daily Brief — 2026-06-17

> **AI-generated content — no human review.** This brief was produced autonomously by an LLM (Anthropic Claude (specific model not determined)) with parallel research and verification by sub-agents (Claude Sonnet 4.6, Claude Opus 4.8 (1M context)) executing the prompt at `prompts/daily-cti-brief.md` as a Claude Code routine on Anthropic-managed cloud infrastructure. **Nothing here is reviewed or edited by a human before publication.** All facts are linked inline to public sources the agent fetched in this run. Verify any operationally critical claim against the linked primary source before acting.

**Generated by:** Anthropic Claude (specific model not determined) · **Sub-agents:** S1: Claude Sonnet 4.6 · S2: Claude Sonnet 4.6 · S3: Claude Sonnet 4.6 · S4: Claude Sonnet 4.6 · verify: Claude Opus 4.8 (1M context), Claude Sonnet 4.6 · **Classification:** TLP:CLEAR · **Language:** English · **Prompt:** v2.60 · **Recency window:** 36 h (gap to prior brief: 24 h)

## 0. TL;DR

- **Unauthenticated CVSS-10 RCE in the Joomla Content Editor (JCE) is being exploited by automated tooling** — CVE-2026-48907 lets an unauthenticated attacker abuse the JCE profile-import endpoint to upload and run PHP; CISA added it to the KEV catalog on 2026-06-16 and the vendor says unpatched sites should assume compromise ([Widget Factory / JCE, 2026-06-03](https://www.joomlacontenteditor.net/news/jce-security-update-and-a-free-patch-for-older-sites)). Municipal/education Joomla portals across Europe are the exposed surface. See the Immediate Action below and § 2.
- **Three critical FortiSandbox flaws are now under simultaneous active exploitation** — CVE-2026-39808, CVE-2026-39813 (April patches) and CVE-2026-25089 (patched 2026-06-09; covered here as disclosure-only on 06-12) were all observed exploited in a 24-hour window; FortiSandbox feeds verdicts to the wider FortiGate/FortiMail stack (§ 4).
- **PAN-OS GlobalProtect CVE-2026-0257 exploitation wave hits European targets** — Arctic Wolf documents Impacket-style SMB lateral movement post-auth-bypass; NCSC-CH refreshed its advisory on 2026-06-16 (§ 4).
- **DragonForce ransomware ran C2 through Microsoft Teams TURN relays** — first in-the-wild abuse of Teams relay infrastructure to hide C2 in legitimate Microsoft traffic, plus a four-driver BYOVD chain; two-month dwell at a services firm (Deep Dive, § 5).
- **120,000 Munich student records suspected on the darknet** — a City-of-Munich IT subsidiary reports a suspected insider-threat mass export; Bavarian DPA notified, criminal complaint filed — a direct EU public-sector deprovisioning lesson (§ 1).
- **ClickFix delivery frameworks are scaling** — Sekoia details ErrTraffic (blockchain-resolved C2, EU WordPress targeting) and Huntress documents the Potemkin loader/RMMProject (Chromium App-Bound-Encryption bypass); FishMonger/I-SOON also ported its SprySOCKS backdoor to Windows with a kernel rootkit (§ 1, § 3).

> **Immediate Action — Patch or isolate internet-facing Joomla sites running the JCE editor now.** CVE-2026-48907 is an unauthenticated, no-interaction remote-code-execution flaw (CVSS v4 10.0) in the Joomla Content Editor extension before version 2.9.99.5: an attacker POSTs to `index.php?option=com_jce&task=profiles.import`, imports a crafted editor profile that permits `.php` uploads, then drops a web shell — yielding code execution as the web-server user ([Widget Factory / JCE, 2026-06-03](https://www.joomlacontenteditor.net/news/jce-security-update-and-a-free-patch-for-older-sites)). CISA added it to the KEV catalog on 2026-06-16 citing active exploitation, and the attacks are fully automated, so the absence of a public registration form is not protective ([YesWeHack, 2026-06-16](https://www.yeswehack.com/news/rce-joomla-content-editor-extension)). Upgrade to the patched JCE release (version 2.9.99.5 or 2.9.99.6) immediately; on any site that ran an unpatched JCE, hunt web logs for unauthenticated requests to `profiles.import` and treat the earliest hit as the breach time.
>
> — *Source: [Widget Factory / JCE security update, 2026-06-03](https://www.joomlacontenteditor.net/news/jce-security-update-and-a-free-patch-for-older-sites) · Additional source: [YesWeHack — Unauthenticated RCE in the Joomla Content Editor extension, 2026-06-16](https://www.yeswehack.com/news/rce-joomla-content-editor-extension) · Additional source: [CISA — Adds one Known Exploited Vulnerability to Catalog, 2026-06-16](https://www.cisa.gov/news-events/alerts/2026/06/16/cisa-adds-one-known-exploited-vulnerability-catalog) · Tags: vulnerabilities, actively-exploited, pre-auth, rce, cisa-kev · Region: global · Sector: public-sector, education · CVE: CVE-2026-48907 · CVSS: 10.0 · Vector: zero-click · Auth: pre-auth · Status: exploited, cisa-kev, patch-available · Evidence: "The vulnerability is being actively exploited, working exploit code is public, and the attacks are automated, so a site with no public registration is not safe." (Widget Factory / JCE); "The flaw allows attackers to create fake editor profiles without authentication and abuse the profile import functionality to upload and execute arbitrary PHP code on the server." (YesWeHack)*

## 1. Active Threats, Trending Actors, Notable Incidents & Disclosures

### Munich: ~120,000 student records suspected on the darknet — terminated employee under investigation

LHM-Services GmbH, the municipal IT subsidiary of the City of Munich that runs school-administration systems for Bavarian schools, is investigating a suspected data-protection incident involving roughly 120,000 students — names, addresses, dates of birth, nationalities and school assignments (the 120,000 figure originates in press reporting; LHM-Services says it learned of the incident from the press and questioned whether the data was actually publicly available) ([Heise Security, 2026-06-16](https://www.heise.de/news/Datenschutzvorfall-in-Muenchen-120-000-sensible-Schuldaten-im-Darknet-11333920.html)). The investigation, led by Munich's cybercrime unit and the Bamberg prosecutor, centres on a former employee suspected of having mass-downloaded and retained the dataset shortly before leaving — i.e. a suspected insider data-theft, not an external intrusion. A darknet-research firm engaged by LHM-Services found no evidence the data was publicly listed for sale at the time of writing, so the actual circulation scope is uncertain. LHM-Services notified the Bavarian State Data Protection Authority under GDPR Article 33 and filed a criminal complaint ([LHM-Services GmbH press release, 2026-06-15](https://lhm-services.de/wp-content/uploads/2026/06/Pressemitteilung_LHM-Services-GmbH_15.06.2026-1.pdf)).

**Defender takeaway:** The root cause is the universal public-sector control gap — access deprovisioning for departing staff who hold export rights over centralised citizen/student data. Hunt for bulk export/download events (Windows EID 4663 object access; DLP/UEBA volume thresholds) by accounts flagged for offboarding, and bind database read/export credentials to just-in-time access tied to the HR offboarding workflow rather than only disabling the directory account. The exposure mirrors any Swiss canton or municipality running centralised school/citizen data through a third-party processor (GDPR/DPA Art. 5(1)(f) accountability extends to the processor).

— *Source: [Heise Security, 2026-06-16](https://www.heise.de/news/Datenschutzvorfall-in-Muenchen-120-000-sensible-Schuldaten-im-Darknet-11333920.html) · Additional source: [LHM-Services GmbH press release, 2026-06-15](https://lhm-services.de/wp-content/uploads/2026/06/Pressemitteilung_LHM-Services-GmbH_15.06.2026-1.pdf) · Tags: data-breach, insider-threat, identity · Region: dach, europe · Sector: education, public-sector*
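The bulk-export hunt the takeaway above describes, as an added example that is not LHM-Services', Heise's or the brief's own code. It aggregates Windows Security EID 4663 (object access) records per account, counts distinct files read, and flags an account when that count is both above a fixed floor and several times the account's own baseline; accounts on the HR offboarding list are marked for first triage. The events, baseline figures, thresholds and account names are constructed assumptions.

```python
"""Bulk-export hunt over Windows Security EID 4663 (object access) records.

Added example for the Munich item; not code from LHM-Services or Heise. Flags accounts
whose distinct-file read count in the period is >= `floor` and >= `ratio` x their baseline,
and marks accounts that are on the HR offboarding list. All data below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# 4663 AccessMask bit for ReadData / ListDirectory (logged as hex text in the event; int here).
READ_DATA = 0x1

def bulk_export_candidates(events, baseline, offboarding, floor=25, ratio=5.0):
    """events: dicts with SubjectUserName, ObjectName, AccessMask (int), TimeCreated.
    baseline: {account: typical distinct files read per period} from UEBA or prior weeks.
    Returns (account, distinct_files, on_offboarding_list) sorted by volume, highest first."""
    objects = defaultdict(set)
    for e in events:
        if e["AccessMask"] & READ_DATA:
            objects[e["SubjectUserName"]].add(e["ObjectName"].lower())
    out = []
    for acct, objs in objects.items():
        n = len(objs)
        # A raw threshold alone would page on every backup/service account; the ratio to
        # the account's own baseline is what separates jdoe's burst from svc_backup's routine.
        if n >= floor and n >= ratio * baseline.get(acct, 0):
            out.append((acct, n, acct in offboarding))
    return sorted(out, key=lambda r: (-r[1], r[0]))

def _reads(acct, share, count, start):
    """Constructed 4663 read events: `count` distinct CSV exports read one second apart."""
    return [{"SubjectUserName": acct, "ObjectName": f"{share}\\student_{i:04d}.csv",
             "AccessMask": READ_DATA, "TimeCreated": start + timedelta(seconds=i)}
            for i in range(count)]

T0 = datetime(2026, 6, 12, 18, 5, 0)
EVENTS = (_reads("jdoe", r"\\fs01\schooldb\export", 40, T0)          # departing admin, after-hours burst
          + _reads("asmith", r"\\fs01\schooldb\export", 5, T0)        # ordinary daily use
          + _reads("svc_backup", r"\\fs01\schooldb\export", 60, T0))  # high volume, but normal for it
BASELINE = {"jdoe": 8, "asmith": 6, "svc_backup": 60}
OFFBOARDING = {"jdoe"}   # fed from the HR offboarding workflow

if __name__ == "__main__":
    for acct, n, leaving in bulk_export_candidates(EVENTS, BASELINE, OFFBOARDING):
        print(f"{acct:<12} distinct files read: {n:<4} offboarding: {leaving}")
```

EID 4663 only exists where a SACL audits read access on the share or folder, so enable object-access auditing on the export paths first; the baseline dictionary is the part that keeps service accounts out of the queue.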

### FishMonger (I-SOON) ports its SprySOCKS backdoor to Windows with a kernel-driver rootkit

ESET disclosed two previously undocumented Windows variants of SprySOCKS — a backdoor it attributes to FishMonger (a.k.a. Earth Lusca / Aquatic Panda / TAG-22), assessed with high confidence as operated by Chinese contractor I-SOON ([ESET WeLiveSecurity, 2026-06-16](https://www.welivesecurity.com/en/eset-research/fishmongers-arsenal-upgraded-sprysocks-windows/)). Previously known only as a Linux backdoor, the Windows builds (WIN_PLUS and WIN_DRV) were deployed in 2023–2024 against foreign-affairs, technology and telecom government bodies in Taiwan, Thailand, Pakistan and Honduras. WIN_PLUS persists as a Windows Print Processor (`VSPMsg`) and supports 30+ commands over TCP/UDP/WebSocket. WIN_DRV is the notable one: it loads a kernel driver (`fsdiskbit.sys`, signed with a certificate from the public PastDSE leaked-cert corpus) which memory-loads a second driver to deliver rootkit-class stealth — hiding processes, files, network connections and registry keys, and performing TCP traffic diversion so the backdoor receives operator commands on an arbitrary port that never appears in `netstat` ([BleepingComputer, 2026-06-16](https://www.bleepingcomputer.com/news/security/windows-version-of-sprysocks-linux-malware-used-to-attack-govt-orgs/)). ESET notes limited, unconfirmed telemetry of a possible UEFI bootkit component (potentially CVE-2023-24932-class Secure Boot bypass).

**Why it matters to us:** Post-deployment detection is hard because the driver actively hides artefacts; the leverage is pre-deployment hygiene. Hunt scheduled-task creation (EID 4698 / Sysmon EID 1) referencing binaries under `%SystemRoot%\Fonts\`, Image File Execution Options hijacks of `vds.exe`, and kernel-driver loads (Sysmon EID 6) of drivers signed with PastDSE-derived certificates. Because TCP diversion defeats host network-tab inspection, rely on EDR kernel sensors / ETW for listening-socket enumeration. Validate that vulnerable/revoked drivers are blocked via WDAC/HVCI and the Microsoft vulnerable-driver blocklist.

— *Source: [ESET WeLiveSecurity, 2026-06-16](https://www.welivesecurity.com/en/eset-research/fishmongers-arsenal-upgraded-sprysocks-windows/) · Additional source: [BleepingComputer, 2026-06-16](https://www.bleepingcomputer.com/news/security/windows-version-of-sprysocks-linux-malware-used-to-attack-govt-orgs/) · Tags: espionage, nation-state, china-nexus · Region: apac, global · Sector: public-sector, telco, technology*

## 2. Trending Vulnerabilities

### CVE-2026-48907 — Widget Factory Joomla Content Editor (JCE) before version 2.9.99.5: unauthenticated profile-import → PHP RCE (CVSS v4 10.0)

CVE-2026-48907 is an improper-access-control flaw (CWE-284) in the JCE extension — one of the most widely installed third-party Joomla editors — that chains three weaknesses in the profile-import workflow: a missing authentication check on `index.php?option=com_jce&task=profiles.import`, absent file-extension validation, and disabled upload-safety controls ([YesWeHack, 2026-06-16](https://www.yeswehack.com/news/rce-joomla-content-editor-extension)). An unauthenticated attacker imports a crafted editor profile that permits `.php` (or other executable) extensions for the Image Manager / File Browser plugin, then uploads a web shell that lands in `images/` by default — yielding OS-level code execution as the web-server user. The vendor states the attacks are fully automated and that a site without a public registration form is **not** safe; any site that ran a JCE version before 2.9.99.5 should assume compromise and restore from a pre-breach backup after confirming the timeline from web logs ([Widget Factory / JCE, 2026-06-03](https://www.joomlacontenteditor.net/news/jce-security-update-and-a-free-patch-for-older-sites)). CISA added it to the KEV catalog on 2026-06-16. Patched in JCE version 2.9.99.5 (2026-06-03), further hardened in 2.9.99.6 (2026-06-06). Detection: unauthenticated POSTs to `profiles.import` in web logs; unfamiliar auto-named profiles at the top of the JCE profile list with PHP uploads enabled; unexpected PHP files in `images/`, `media/` or `tmp/`.

— *Source: [Widget Factory / JCE security update, 2026-06-03](https://www.joomlacontenteditor.net/news/jce-security-update-and-a-free-patch-for-older-sites) · Additional source: [YesWeHack — Unauthenticated RCE in the JCE extension, 2026-06-16](https://www.yeswehack.com/news/rce-joomla-content-editor-extension) · Additional source: [CISA — Adds one Known Exploited Vulnerability to Catalog, 2026-06-16](https://www.cisa.gov/news-events/alerts/2026/06/16/cisa-adds-one-known-exploited-vulnerability-catalog) · Tags: vulnerabilities, actively-exploited, pre-auth, rce, cisa-kev · Region: global · Sector: public-sector, education · CVE: CVE-2026-48907 · CVSS: 10.0 · Vector: zero-click · Auth: pre-auth · Status: exploited, cisa-kev, patch-available*
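The web-log hunt that both the Immediate Action box and the § 2 entry call for, as an added example that is not code from the brief, Widget Factory or YesWeHack. It parses Apache/nginx combined-format access lines, flags POSTs to `index.php?option=com_jce&task=profiles.import` and any request for a `.php` file under `images/`, `media/` or `tmp/`, and returns the earliest hit as the assumed breach time. The log lines, IPs and the `cache.php` file name are constructed.

```python
"""Hunt Joomla access logs for CVE-2026-48907 exploitation indicators.

Added example; not code from the brief, Widget Factory or YesWeHack. Parses combined-format
lines, flags profile-import POSTs and PHP files served from upload directories, and reports
the earliest hit as the assumed breach time. Sample log lines are constructed.
"""
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Combined log format: host ident user [time] "method path proto" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
UPLOAD_DIRS = ("/images/", "/media/", "/tmp/")   # default landing places for uploaded shells

SAMPLE_LOG = """\
203.0.113.10 - - [14/Jun/2026:02:11:03 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Jun/2026:02:14:51 +0000] "POST /index.php?option=com_jce&task=profiles.import HTTP/1.1" 200 314 "-" "python-requests/2.31"
198.51.100.7 - - [14/Jun/2026:02:14:53 +0000] "GET /images/cache.php?c=id HTTP/1.1" 200 88 "-" "python-requests/2.31"
203.0.113.10 - - [14/Jun/2026:09:02:17 +0000] "GET /images/logo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    url = urlsplit(rec["path"])
    rec["file"] = url.path
    rec["query"] = {k: v[0] for k, v in parse_qs(url.query).items()}
    return rec

def is_profile_import(rec):
    """The access log carries no session state, so every POST to this task is a candidate;
    reconcile hits against Joomla's own user/action logs to rule out an admin's import."""
    return (rec["method"] == "POST"
            and rec["query"].get("option") == "com_jce"
            and rec["query"].get("task") == "profiles.import")

def is_php_in_upload_dir(rec):
    """A PHP file being served from an upload directory is the web-shell follow-on."""
    f = rec["file"].lower()
    return f.endswith(".php") and any(f.startswith(d) for d in UPLOAD_DIRS)

def hunt(log_text):
    """Return (earliest_hit_time or None, hits sorted by time)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_profile_import(rec):
            hits.append(("profile_import", rec))
        elif is_php_in_upload_dir(rec):
            hits.append(("php_in_upload_dir", rec))
    hits.sort(key=lambda h: h[1]["time"])
    return (hits[0][1]["time"] if hits else None), hits

if __name__ == "__main__":
    breach_time, hits = hunt(SAMPLE_LOG)
    print("assumed breach time:", breach_time)
    for kind, rec in hits:
        print(f"{rec['time']}  {rec['ip']:<15} {kind:<18} {rec['method']} {rec['path']}")
```

Behind a CDN or reverse proxy the client field holds the proxy address, so take the source IP from the forwarded-for header your logging writes instead; if the log format differs, only `LINE_RE` needs adjusting. Absence of hits does not clear a site whose logs have rotated past the exposure window.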

#### CVE Summary Table

Compact view of the actively-exploited / weaponised CVEs across this brief (full context in § 2 above and the § 4 updates).

| CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source |
|---|---|---|---|---|---|---|---|
| CVE-2026-48907 | Joomla Content Editor (JCE) before version 2.9.99.5 | 10.0 (v4) | n/a | Yes (06-16) | Yes — automated | version 2.9.99.5 (06-03) | [JCE](https://www.joomlacontenteditor.net/news/jce-security-update-and-a-free-patch-for-older-sites) |
| CVE-2026-39808 | Fortinet FortiSandbox — JRPC OS command injection | 9.8 | n/a | No | Yes (06-15) | Apr 2026 (FG-IR-26-100) | [Help Net](https://www.helpnetsecurity.com/2026/06/16/fortisandbox-vulnerabilities-cve-2026-39813-cve-2026-39808-cve-2026-25089/) |
| CVE-2026-39813 | Fortinet FortiSandbox — JRPC path traversal / auth bypass | 9.1 | n/a | No | Yes (06-15) | Apr 2026 (FG-IR-26-112) | [Help Net](https://www.helpnetsecurity.com/2026/06/16/fortisandbox-vulnerabilities-cve-2026-39813-cve-2026-39808-cve-2026-25089/) |
| CVE-2026-25089 | Fortinet FortiSandbox — web-UI command injection | 9.8 | n/a | No | Probable (faulty AI-built exploit) | 06-09 (FG-IR-26-141) | [Security Affairs](https://securityaffairs.com/193709/ai/fortinet-warned-as-three-critical-fortisandbox-bugs-come-under-attack.html) |
| CVE-2026-0257 | PAN-OS GlobalProtect — cookie auth bypass | 7.8 (v4) | n/a | Yes | Yes — since May 2026 | Vendor hotfixes | [PAN PSIRT](https://security.paloaltonetworks.com/CVE-2026-0257) |
| CVE-2026-50751 | Check Point Security Gateway — IKEv1 auth bypass | 9.3 | n/a | No | PoC public | Hotfix (early June) | [Help Net](https://www.helpnetsecurity.com/2026/06/12/cve-2026-50751-poc-exploit/) |

## 3. Research & Investigative Reporting

### Unit 42 "Pickle in the Middle": cross-tenant code execution in Google Vertex AI via predictable staging buckets (CVE-2026-2473)

Unit 42 disclosed a cross-tenant RCE class in the Google Cloud Vertex AI SDK for Python ([Unit 42, 2026-06-16](https://unit42.paloaltonetworks.com/hijacking-vertex-ai-model/)). When a caller uploads a model without specifying a custom staging bucket, the SDK's `stage_local_data_in_gcs()` builds a deterministic, globally-unique bucket name from the project ID and region (`{project-id}-vertex-staging-{region}`). Because GCS bucket names are publicly claimable, an attacker who knows the target project ID can pre-register that bucket, attach a Cloud Function on `object.finalize`, and silently receive the victim's uploaded `model.joblib` — then swap in a malicious pickle. Vertex AI's serving agent deserialises the pickle and executes attacker code inside Google's serving container with the platform service account's privileges ([The Hacker News, 2026-06-16](https://thehackernews.com/2026/06/google-vertex-ai-sdk-flaw-let-attackers.html)). Google added bucket-name randomization (UUID4) in `google-cloud-aiplatform` 1.144.0 (2026-03-31) and the bucket-ownership check in the fully hardened 1.148.0 (2026-04-15); versions from 1.139.0 are affected and orgs on 1.144.0–1.147.x are only partially protected, so 1.148.0 is the version to target. No in-the-wild exploitation was observed.

**Why it matters to us:** Any EU/CH org running Vertex AI ML pipelines on the affected SDK that did not pin a staging bucket is exposed to the broader "resource-squatting" class — predictable cloud resource names without ownership verification. Upgrade the SDK to ≥ 1.148.0, audit jobs for default `staging_bucket` use, and alert on GCS objectCreate / ownership changes for any bucket matching the `{project-id}-vertex-staging-{region}` pattern not owned by your org.

— *Source: [Unit 42, 2026-06-16](https://unit42.paloaltonetworks.com/hijacking-vertex-ai-model/) · Additional source: [The Hacker News, 2026-06-16](https://thehackernews.com/2026/06/google-vertex-ai-sdk-flaw-let-attackers.html) · Tags: cloud, supply-chain, ai-abuse, vulnerabilities · Region: global · Sector: technology · CVE: CVE-2026-2473*
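An audit for the predictable-staging-bucket class described above, as an added example that is not Unit 42's or Google's code. It reproduces only the naming rule the brief states (`{project-id}-vertex-staging-{region}`), classifies `google-cloud-aiplatform` versions against the boundaries the brief gives (1.139.0 affected, 1.144.0 partially protected, 1.148.0 fixed), flags upload jobs that fall back to the default bucket, and checks a constructed bucket inventory for predictable names that exist but are not ours. The job names, project IDs and bucket sets are constructed.

```python
"""Audit Vertex AI model-upload jobs for the predictable default staging bucket.

Added example; not Unit 42's or Google's code. Reproduces only the naming rule and
version boundaries stated in the brief; all jobs and bucket inventories are constructed.
"""
from dataclasses import dataclass
from typing import Optional

AFFECTED_FROM = (1, 139, 0)   # first affected SDK release per the brief
PARTIAL_FROM = (1, 144, 0)    # UUID4 bucket names, but no ownership check yet
FIXED_FROM = (1, 148, 0)      # bucket-ownership check added

def default_staging_bucket(project_id: str, region: str) -> str:
    """Deterministic name the affected SDK derives when no staging bucket is pinned."""
    return f"{project_id}-vertex-staging-{region}"

def sdk_status(version: str) -> str:
    v = tuple(int(p) for p in version.split(".")[:3])
    if v < AFFECTED_FROM or v >= FIXED_FROM:
        return "not-affected"
    return "partially-protected" if v >= PARTIAL_FROM else "affected"

@dataclass
class UploadJob:
    name: str
    project_id: str
    region: str
    sdk_version: str
    staging_bucket: Optional[str] = None   # None means the SDK default is used

def audit_jobs(jobs):
    """One finding per job that relies on the default bucket on a non-fixed SDK."""
    findings = []
    for job in jobs:
        status = sdk_status(job.sdk_version)
        if job.staging_bucket is None and status != "not-affected":
            findings.append({
                "job": job.name,
                "sdk": status,
                # Only pre-1.144.0 builds use the guessable name; later builds still lack
                # the ownership check, so they are reported without a predicted name.
                "predictable_bucket": (default_staging_bucket(job.project_id, job.region)
                                       if status == "affected" else None),
                "fix": "pin staging_bucket to a bucket you own and upgrade to >= 1.148.0",
            })
    return findings

def squatted_candidates(projects, regions, existing, ours):
    """Predictable names that exist globally (a HEAD on the bucket returns 200/403 rather
    than 404) but are missing from our own asset inventory: a squatting candidate."""
    names = {default_staging_bucket(p, r) for p in projects for r in regions}
    return sorted(n for n in names if n in existing and n not in ours)

# Constructed sample data
JOBS = [
    UploadJob("fraud-model-upload", "acme-ml-prod", "europe-west6", "1.142.0"),
    UploadJob("churn-model-upload", "acme-ml-prod", "europe-west6", "1.148.0"),
    UploadJob("nlp-model-upload", "acme-ml-dev", "us-central1", "1.146.0", "acme-ml-dev-pinned-staging"),
    UploadJob("vision-model-upload", "acme-ml-dev", "us-central1", "1.145.0"),
]
PROJECTS = ["acme-ml-prod", "acme-ml-dev"]
REGIONS = ["europe-west6", "us-central1"]
OUR_BUCKETS = {"acme-ml-prod-vertex-staging-europe-west6", "acme-ml-dev-pinned-staging"}
EXISTING = OUR_BUCKETS | {"acme-ml-dev-vertex-staging-us-central1"}   # held by someone else

if __name__ == "__main__":
    for f in audit_jobs(JOBS):
        print(f)
    print("possibly squatted:", squatted_candidates(PROJECTS, REGIONS, EXISTING, OUR_BUCKETS))
```

The inventory inputs map onto what a practitioner actually has: `ours` from Cloud Asset Inventory, `existing` from probing the predictable names, and the job list from pipeline definitions. Pinning `staging_bucket` removes the guessable name regardless of SDK version; the upgrade adds the ownership check for everything else.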

### Sekoia: ErrTraffic — a ClickFix Malware-as-a-Service framework resolving C2 through the Polygon blockchain

ClickFix — fake browser/update dialogues that trick users into pasting attacker PowerShell — is maturing into a productised delivery channel, as this and the next item show. Sekoia's TDR team analysed ErrTraffic, a ClickFix distribution framework sold as MaaS by an actor using the handle "LenAI" on the Exploit.IN forum since at least December 2025 ([Sekoia TDR, 2026-06-16](https://blog.sekoia.io/unveiling-errtraffic-inside-a-growing-clickfix-malware-distribution-framework/)). Affiliates compromise WordPress sites by credential-stuffing `wp-login.php` (one victim saw seven residential IPs in an 80-second window) or via WP File Manager `CVE-2020-25213`, then deploy a PHP backdoor as a must-use plugin (`session-manager.php`) that injects the ErrTraffic JavaScript. The JavaScript uses the EtherHiding technique — querying Polygon smart contracts via public RPC endpoints — to resolve C2 domains dynamically, defeating takedowns; it then serves ClickFix lures that drop Vidar, Stealc, SmokeLoader and others. ErrTraffic explicitly targets European and APAC visitors, putting public-sector WordPress portals in scope.

**Why it matters to us:** A reliable hunt artefact is the distinctive PowerShell comment block `<# Code Verification: NNNNNNNNNNNN #>` Sekoia found at the start of ErrTraffic command strings. Also watch for new PHP files under `wp-content/mu-plugins/` (auto-loaded, no activation needed), credential-stuffing bursts on `wp-login.php`, and outbound requests from the web-server process to blockchain RPC endpoints.

— *Source: [Sekoia TDR, 2026-06-16](https://blog.sekoia.io/unveiling-errtraffic-inside-a-growing-clickfix-malware-distribution-framework/) · Additional source: [Malwarebytes Labs, 2026-06](https://www.malwarebytes.com/blog/threat-intel/2026/06/inside-a-malicious-infrastructure-delivering-etherrat-phishing-pages-and-malicious-software) · Tags: supply-chain, infostealer, phishing, cryptocrime · Region: europe, apac · Sector: public-sector, education, media · CVE: CVE-2020-25213*
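The three hunt artefacts above, as an added example that is not Sekoia's code: a regex for the `<# Code Verification: NNNNNNNNNNNN #>` comment block applied to process command lines, a sliding-window detector for credential-stuffing bursts against `wp-login.php` modelled on the seven-IPs-in-80-seconds pattern the brief cites, and a check for PHP files in `wp-content/mu-plugins/` that are not on the site's known list. The twelve-digit length, the burst thresholds, the plugin allowlist and all sample command lines, IPs and timestamps are this example's assumptions.

```python
"""ErrTraffic hunts: PowerShell marker, wp-login burst, unexpected mu-plugins.

Added example; not Sekoia's code. Thresholds and all sample data are constructed.
"""
import re
from collections import deque
from datetime import datetime, timedelta

# The brief renders the marker with twelve N's; loosen to \d+ if field data differs.
CODE_VERIFICATION_RE = re.compile(r"<#\s*Code Verification:\s*\d{12}\s*#>")

def has_errtraffic_marker(command_line: str) -> bool:
    """True if a process command line carries the ErrTraffic verification comment."""
    return CODE_VERIFICATION_RE.search(command_line) is not None

def login_bursts(events, min_ips=5, window=timedelta(seconds=120)):
    """events: (timestamp, source_ip) pairs for POST /wp-login.php, in any order.
    Returns one dict per burst in which >= min_ips distinct IPs posted within `window`."""
    bursts, win, in_burst = [], deque(), False
    for t, ip in sorted(events):
        win.append((t, ip))
        while t - win[0][0] > window:          # drop entries older than the window
            win.popleft()
        distinct = len({i for _, i in win})
        if distinct >= min_ips:
            if not in_burst:
                bursts.append({"start": win[0][0], "end": t, "distinct_ips": distinct})
                in_burst = True
            else:                               # extend the open burst instead of re-alerting
                bursts[-1]["end"] = t
                bursts[-1]["distinct_ips"] = max(bursts[-1]["distinct_ips"], distinct)
        else:
            in_burst = False
    return bursts

def unexpected_mu_plugins(listing, allowlist):
    """PHP files in wp-content/mu-plugins/ that are not on the known list. mu-plugins load
    automatically without activation, which is why the backdoor is dropped there."""
    return sorted(p for p in listing if p.lower().endswith(".php") and p not in allowlist)

# Constructed samples
COMMANDS = [
    'powershell.exe -w hidden -c "<# Code Verification: 483920175563 #> <rest of lure omitted>"',
    'powershell.exe -NoProfile -File C:\\scripts\\nightly-backup.ps1',
]
T0 = datetime(2026, 6, 14, 3, 0, 0)
LOGIN_POSTS = [(T0 + timedelta(seconds=s), ip) for s, ip in
               [(0, "198.51.100.11"), (10, "198.51.100.23"), (22, "203.0.113.5"),
                (35, "203.0.113.77"), (50, "198.51.100.40"), (65, "192.0.2.19"), (80, "192.0.2.88")]]
LOGIN_POSTS += [(T0 + timedelta(hours=5), "192.0.2.5"),            # a normal editor logging in
                (T0 + timedelta(hours=5, minutes=1), "192.0.2.5")]  # and retrying once
MU_PLUGINS = ["health-check-disable.php", "session-manager.php"]
MU_ALLOWLIST = {"health-check-disable.php"}

if __name__ == "__main__":
    for c in COMMANDS:
        print(has_errtraffic_marker(c), c[:60])
    print(login_bursts(LOGIN_POSTS))
    print(unexpected_mu_plugins(MU_PLUGINS, MU_ALLOWLIST))
```

The command-line check belongs on the endpoint (Sysmon EID 1 or EDR process telemetry); the burst detector runs over the site's access log, and the mu-plugins check over a file listing taken from the web root. Distinct source IPs, not request count, is the signal, because one user retrying a password never produces seven addresses.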

### Huntress: Potemkin loader delivers RMMProject RAT and bypasses Chromium App-Bound Encryption

Huntress documented a ClickFix chain delivering a previously undocumented x64 loader named Potemkin (active since at least February 2026): a ClickFix lure installs an MSI that drops Potemkin via an HTA payload; the loader uses a domain-generation algorithm for C2 and reflectively loads follow-on modules in memory ([Huntress, 2026-06-16](https://www.huntress.com/blog/potemkin-loader-rmmproject-clickfix-attack)). Its payloads are EtherRAT (Node.js RAT with blockchain C2) and RMMProject, a Lua-scriptable DLL providing hidden remote desktop, keylogging and browser credential theft — including a module specifically built to defeat Chromium's App-Bound Encryption (the credential-storage protection added in Chrome 127) ([The Hacker News, 2026-06-16](https://thehackernews.com/2026/06/clickfix-campaigns-expand-malware.html)). Huntress observed lateral movement across 11+ hosts in one intrusion, indicating network-wide credential harvesting rather than single-host compromise.

**Why it matters to us:** The ABE bypass means saved Chrome credentials are again at risk on infected hosts. Hunt for `mshta.exe` spawned by `msiexec.exe`/`cmd.exe`, reflective-load memory anomalies, DGA-style DNS from `mshta.exe` children, and non-browser processes calling Chrome's DPAPI/LocalState decryption. Block `mshta.exe` via AppLocker/WDAC where feasible.

— *Source: [Huntress, 2026-06-16](https://www.huntress.com/blog/potemkin-loader-rmmproject-clickfix-attack) · Additional source: [The Hacker News, 2026-06-16](https://thehackernews.com/2026/06/clickfix-campaigns-expand-malware.html) · Tags: infostealer, phishing, identity · Region: global · Sector: technology, public-sector*

### Zimperium: Rokarolla Android banking trojan targets 217 apps with full device takeover

Zimperium zLabs detailed Rokarolla, a new Android banking trojan distributed via sideloading from sites impersonating TikTok/Chrome, using a dropper that masquerades as Google Play Protect to obtain Accessibility Service permissions ([Zimperium zLabs, 2026-06-16](https://zimperium.com/blog/rokarolla-android-banker-with-complete-device-takeover-capabilities)). It targets 217 banking and crypto apps via a 137-command framework: lifting the lock-screen PIN, intercepting SMS OTPs, rewriting the clipboard to hijack crypto payments, disabling Play Protect, and — distinctively — registering itself as the default call/SMS handler so a bank's warning call or SMS never reaches the victim ([BleepingComputer, 2026-06-16](https://www.bleepingcomputer.com/news/security/new-rokarolla-android-malware-targets-217-banking-crypto-apps/)). A target list of this breadth makes any Android device used for e-banking a plausible victim once an app is sideloaded.

**Why it matters to us:** Rokarolla cannot reach the Play Store; it relies entirely on sideloading. Enforce "Install from Unknown Sources" restrictions via Android Enterprise/MDM on managed devices and MAM containers for BYOD; flag any app that disables Play Protect or requests Accessibility Service immediately after a web-sourced install.

— *Source: [Zimperium zLabs, 2026-06-16](https://zimperium.com/blog/rokarolla-android-banker-with-complete-device-takeover-capabilities) · Additional source: [BleepingComputer, 2026-06-16](https://www.bleepingcomputer.com/news/security/new-rokarolla-android-malware-targets-217-banking-crypto-apps/) · Tags: mobile, infostealer, organized-crime · Region: global, europe · Sector: finance*

## 4. Updates to Prior Coverage

### UPDATE: FortiSandbox — three critical flaws now exploited simultaneously, including the previously disclosure-only CVE-2026-25089

> **UPDATE (originally covered 2026-06-12):** When CVE-2026-25089 was covered on 06-12 it was disclosure-only. Threat-intel firm Defused Cyber has now reported active exploitation of three FortiSandbox flaws within a single 24-hour window — CVE-2026-39808 (CVSS 9.8, JRPC OS command injection), CVE-2026-39813 (CVSS 9.1, JRPC path traversal / auth bypass), both with patches available since April 2026, and CVE-2026-25089 (CVSS 9.8, web-UI command injection), patched 2026-06-09 ([Security Affairs, 2026-06-16](https://securityaffairs.com/193709/ai/fortinet-warned-as-three-critical-fortisandbox-bugs-come-under-attack.html)).
>
> FortiSandbox supplies sandboxed file verdicts that FortiGate, FortiMail, FortiProxy and FortiClient consume to make blocking decisions, so a compromised sandbox can suppress detection across the dependent Fortinet stack ([Help Net Security, 2026-06-16](https://www.helpnetsecurity.com/2026/06/16/fortisandbox-vulnerabilities-cve-2026-39813-cve-2026-39808-cve-2026-25089/)). The CVE-2026-25089 exploit seen in the wild appears AI-generated and is assessed as faulty, yet still finds traction against unpatched deployments — evidence that exposed, unpatched FortiSandbox interfaces remain. Fortinet has not yet officially confirmed exploitation. Patch all three; until then, restrict management-interface exposure and watch FortiSandbox web-UI/JRPC access logs for unauthenticated external POSTs.
>
> — *Source: [Security Affairs, 2026-06-16](https://securityaffairs.com/193709/ai/fortinet-warned-as-three-critical-fortisandbox-bugs-come-under-attack.html) · Additional source: [Help Net Security, 2026-06-16](https://www.helpnetsecurity.com/2026/06/16/fortisandbox-vulnerabilities-cve-2026-39813-cve-2026-39808-cve-2026-25089/) · Tags: vulnerabilities, actively-exploited, pre-auth, rce, auth-bypass · Region: global · Sector: public-sector, defense, healthcare · CVE: CVE-2026-39808, CVE-2026-39813, CVE-2026-25089 · CVSS: 9.8 / 9.1 / 9.8 · Vector: zero-click · Auth: pre-auth · Status: exploited, patch-available*

### UPDATE: PAN-OS GlobalProtect CVE-2026-0257 — exploitation wave with Impacket post-compromise, NCSC-CH refreshes advisory

> **UPDATE (originally covered 2026-05-30):** Palo Alto's Unit 42 confirms an active exploitation campaign against the GlobalProtect cookie authentication-bypass (CVE-2026-0257) running since approximately late May ([Unit 42, 2026-06-09](https://unit42.paloaltonetworks.com/active-exploitation-of-pan-os-cve-2026-0257/)). The flaw (CWE-565) decrypts an authentication-override cookie without any signature verification, letting an attacker forge a session and establish a VPN tunnel without credentials when the override feature is enabled ([Palo Alto Networks PSIRT](https://security.paloaltonetworks.com/CVE-2026-0257)).
>
> Arctic Wolf's telemetry documents post-exploitation consistent with Impacket tooling — SMB lateral movement, anonymous NTLM logon, share enumeration and domain-user discovery — across insurance, finance, manufacturing, education, engineering and healthcare targets in North America and Europe ([Arctic Wolf, 2026-06-11](https://arcticwolf.com/resources/blog/arctic-wolf-observes-increase-in-palo-alto-networks-globalprotect-authentication-bypass-exploitation-via-cve-2026-0257/)). NCSC-CH refreshed its Security Hub advisory on 2026-06-16 to flag the Unit 42 confirmation ([NCSC-CH Security Hub, 2026-06-16](https://security-hub.ncsc.admin.ch/#/posts/12605)). Defenders: disable "Authentication Override" if not required, patch to fixed PAN-OS builds, and audit sessions since late May for Impacket-pattern lateral movement (EID 4624 Type 3 from unexpected IPs, SMB enumeration EID 5140/5145).
>
> — *Source: [Unit 42, 2026-06-09](https://unit42.paloaltonetworks.com/active-exploitation-of-pan-os-cve-2026-0257/) · [Palo Alto Networks PSIRT](https://security.paloaltonetworks.com/CVE-2026-0257) · Additional source: [Arctic Wolf, 2026-06-11](https://arcticwolf.com/resources/blog/arctic-wolf-observes-increase-in-palo-alto-networks-globalprotect-authentication-bypass-exploitation-via-cve-2026-0257/) · Additional source: [NCSC-CH Security Hub, 2026-06-16](https://security-hub.ncsc.admin.ch/#/posts/12605) · Tags: vulnerabilities, actively-exploited, auth-bypass, cisa-kev · Region: europe, global · Sector: finance, healthcare, education, public-sector · CVE: CVE-2026-0257 · CVSS: 7.8 · Vector: zero-click · Auth: pre-auth · Status: exploited, cisa-kev, patch-available*

### UPDATE: Check Point IKEv1 CVE-2026-50751 — public PoC raises exploitation risk

> **UPDATE (originally covered 2026-06-09):** NCSC-NL updated its advisory (NCSC-2026-0179, version 1.0.1) on 2026-06-16 to note that public proof-of-concept code is now available for the Check Point Security Gateway IKEv1 authentication bypass (CVE-2026-50751, CVSS 9.3), increasing the probability of exploitation ([NCSC-NL, 2026-06-16](https://advisories.ncsc.nl/advisory?id=NCSC-2026-0179)).
>
> The flaw lets an unauthenticated client abuse the IKEv1 negotiation to bypass peer-signature verification and impersonate any VPN identity configured for certificate or mixed authentication (username/password-only configurations are not affected); the public PoC follows watchTowr's earlier technical analysis ([Help Net Security, 2026-06-12](https://www.helpnetsecurity.com/2026/06/12/cve-2026-50751-poc-exploit/)). Apply the early-June Check Point hotfix; where feasible disable IKEv1 legacy mode or enforce mandatory machine-certificate authentication, which is not bypassable by this flaw.
>
> — *Source: [Help Net Security, 2026-06-12](https://www.helpnetsecurity.com/2026/06/12/cve-2026-50751-poc-exploit/) · Additional source: [NCSC-NL advisory NCSC-2026-0179, 2026-06-16](https://advisories.ncsc.nl/advisory?id=NCSC-2026-0179) · Tags: vulnerabilities, auth-bypass, poc-public, patch-available · Region: europe, global · Sector: public-sector, finance, telco · CVE: CVE-2026-50751 · CVSS: 9.3 · Vector: zero-click · Auth: pre-auth · Status: poc-public, patch-available*

### UPDATE: Novo Nordisk — FulcrumSec claims authorship, $25M demand refused, data offered for private sale

> **UPDATE (originally covered 2026-06-13):** The cloud data-extortion group FulcrumSec has publicly claimed the Novo Nordisk breach, saying it spent more than two months inside the networks and exfiltrated roughly 1.3 TB (~700,000 files) including source code, drug-pipeline data, ~11,500 pseudonymised clinical-trial records and internal AI artefacts; it demanded $25M, was refused, and is now exploring private sale of the data ([Global Banking & Finance Review, 2026-06-16](https://www.globalbankingandfinance.com/hacking-group-claims-major-hack-novo-nordisk-attempted-25/)).
>
> FulcrumSec is a data-theft-only (non-ransomware) group active since late 2025 with 21+ prior claimed victims; an actor profile characterises its access vectors as unpatched public-facing apps, dormant/embedded credentials and API keys, absent MFA and misconfigured cloud storage ([MOXFIVE, 2026-06-10](https://www.moxfive.com/blog/who-is-fulcrumsec-inside-the-cloud-extortion-group-behind-21-victims-and-counting)). Novo Nordisk has confirmed unauthorised access to a limited number of internal systems and pseudonymised clinical-trial data exposure but has not validated FulcrumSec's scope claims ([Insurance Business Magazine, 2026-06-16](https://www.insurancebusinessmag.com/us/news/cyber/ozempic-maker-novo-nordisk-hit-with-25-million-ransom-demand-after-claimed-data-breach-579161.aspx)). Detection focus for FulcrumSec-style actors: large outbound transfers (DLP), cloud-storage access logs, OAuth grants to unfamiliar apps, and long-dwell reuse of stale service-account credentials. Enforce MFA on all privileged cloud identities and rotate dormant credentials.
>
> — *Source: [Global Banking & Finance Review, 2026-06-16](https://www.globalbankingandfinance.com/hacking-group-claims-major-hack-novo-nordisk-attempted-25/) · Additional source: [Insurance Business Magazine, 2026-06-16](https://www.insurancebusinessmag.com/us/news/cyber/ozempic-maker-novo-nordisk-hit-with-25-million-ransom-demand-after-claimed-data-breach-579161.aspx) · Additional source: [MOXFIVE actor profile, 2026-06-10](https://www.moxfive.com/blog/who-is-fulcrumsec-inside-the-cloud-extortion-group-behind-21-victims-and-counting) · Tags: data-breach, organized-crime, cloud, identity · Region: europe, global · Sector: healthcare*

## 5. Deep Dive — DragonForce abuses Microsoft Teams TURN relays for C2 and chains four vulnerable drivers (BYOVD)

**Background.** DragonForce is a ransomware-as-a-service operation that has been documented since 2023 and rebranded itself in 2024–2025 as a "cartel"-style affiliate model; it has been tied to attacks on retail and enterprise targets across multiple regions and has previously leaned on affiliate-supplied access and living-off-the-land tooling. This deep dive is not about the ransomware payload but about an intrusion Symantec disclosed on 2026-06-16 that introduces a genuinely novel command-and-control technique and an unusually deep bring-your-own-vulnerable-driver (BYOVD) chain ([Symantec / Broadcom, 2026-06-16](https://www.security.com/threat-intelligence/dragonforce-msteams-backdoor)).

**The intrusion.** Symantec investigated a DragonForce intrusion at an unnamed major U.S. services company that began in December 2025 — roughly two months of undetected dwell before discovery ([BleepingComputer, 2026-06-16](https://www.bleepingcomputer.com/news/security/ransomware-gang-abuses-microsoft-teams-relays-to-hide-malicious-traffic/)). Initial access was via an internet-facing MSSQL server (or purchased access) — a reminder that exposed database services remain a high-value entry point ([`T1190` Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190/)). The actor then dropped a ZIP containing a legitimate, signed `DbgView64.exe` (or VirtualBox binary) alongside a malicious `vboxrt.dll`, executed via DLL side-loading ([`T1574.002`](https://attack.mitre.org/techniques/T1574/002/)). Persistence was established through a `LimitBlankPasswordUse` registry modification, creation of rogue local users/groups ([`T1136.001`](https://attack.mitre.org/techniques/T1136/001/)), and firewall-rule changes.

**Backdoor.Turn and the Teams TURN-relay C2 (the novel part).** Backdoor.Turn is a Go-based RAT injected into `DbgView64.exe`. It obtains an anonymous Microsoft Teams visitor token from Skype identity services, then establishes a TURN (Traversal Using Relays around NAT) relay session through Microsoft's own infrastructure and runs a QUIC tunnel to the actual attacker C2. Symantec assesses this is the first known malware to abuse Teams' TURN relay servers for C2 ([Symantec / Broadcom, 2026-06-16](https://www.security.com/threat-intelligence/dragonforce-msteams-backdoor)). The defensive consequence is severe: a defender inspecting network flows sees only outbound connections to legitimate Microsoft IP ranges — the technique is a high-trust proxy/relay abuse ([`T1090` Proxy](https://attack.mitre.org/techniques/T1090/)) that blends with the Teams traffic any Microsoft 365 tenant already generates.

**The four-driver BYOVD chain.** To disable defences, the actor loaded four signed-but-vulnerable kernel drivers ([`T1068` Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068/) used to reach kernel for [`T1562.001` Impair Defenses](https://attack.mitre.org/techniques/T1562/001/)): Huawei `HWAuidoOs2Ec.sys` (novel, no prior CVE), Topaz Antifraud `wsftprm.sys` (CVE-2023-52271), Tower of Fantasy `GameDriverx64.sys` (CVE-2025-61155), and K7 Security `K7RKScan.sys` (CVE-2025-1055). A custom malicious driver, ABYSSWORKER, masqueraded as a Palo Alto Networks driver to handle defence evasion. Follow-on activity included network scanning ([`T1046`](https://attack.mitre.org/techniques/T1046/)), AD/LDAP enumeration ([`T1018`](https://attack.mitre.org/techniques/T1018/)), TLS-certificate harvesting, browser credential theft ([`T1555.003`](https://attack.mitre.org/techniques/T1555/003/)), and credential-based lateral movement ([`T1021`](https://attack.mitre.org/techniques/T1021/)).

**Detection concepts (no IOCs).** (1) Hunt for `DbgView64.exe` or VirtualBox binaries initiating QUIC (UDP/443) sessions to Microsoft TURN-relay ranges with anomalous parent-child trees (`vboxrt.dll` → `DbgView64.exe`) — Sysmon EID 3 network-connection events filtered against expected Teams behaviour. (2) Alert on signed drivers from Huawei, Topaz, Tower of Fantasy or K7 Security loading on systems that are not gaming/AV hosts (Sysmon EID 6 driver-load). (3) Registry-value sets on `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse` (Sysmon EID 13). (4) Rogue local user/group creation (Windows Security EID 4720 / 4732) ([Help Net Security, 2026-06-16](https://www.helpnetsecurity.com/2026/06/16/dragonforce-microsoft-teams-malware-backdoor-turn/)).
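The four detection concepts above as executable hunt rules over constructed Sysmon / Windows Security events (an added example, not Symantec's or any vendor's tooling). The event field names, host names and the `gaming_or_av_hosts` allow-list are assumptions; only the driver file names, the registry value and the event IDs come from the brief.

```python
"""Hunt rules for the DragonForce detection concepts, run over constructed
sample events. Field names below are an assumed normalised schema, not raw
Sysmon XML; adapt the key names to your SIEM's parser."""

# Driver file names from the Symantec write-up; matched on basename, case-folded.
BYOVD_DRIVERS = {"hwauidoos2ec.sys", "wsftprm.sys", "gamedriverx64.sys", "k7rkscan.sys"}
SIDELOAD_HOSTS = {"dbgview64.exe"}  # add the VirtualBox binary names seen in your estate
LSA_KEY = r"hklm\system\currentcontrolset\control\lsa\limitblankpassworduse"

def _basename(path):
    """Case-folded file name, tolerant of either path separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def hunt(events, gaming_or_av_hosts=frozenset()):
    """Return (rule, host, detail) tuples for events matching concepts (1)-(4)."""
    hits = []
    for e in events:
        src, eid, host = e["source"], e["event_id"], e["host"]
        if src == "sysmon" and eid == 3:          # (1) QUIC egress from a side-load host
            if (_basename(e["image"]) in SIDELOAD_HOSTS
                    and e["protocol"] == "udp" and e["dst_port"] == 443):
                hits.append(("teams-turn-quic", host, e["image"]))
        elif src == "sysmon" and eid == 6:        # (2) known vulnerable driver load
            name = _basename(e["image_loaded"])
            if name in BYOVD_DRIVERS and host not in gaming_or_av_hosts:
                hits.append(("byovd-driver-load", host, name))
        elif src == "sysmon" and eid == 13:       # (3) LimitBlankPasswordUse tampering
            if e["target_object"].lower() == LSA_KEY:
                hits.append(("lsa-blank-password", host, e["details"]))
        elif src == "security" and eid in (4720, 4732):  # (4) rogue user / group change
            hits.append(("local-account-change", host, e["account"]))
    return hits

SAMPLE_EVENTS = [  # constructed events modelled on the intrusion narrative above
    {"source": "sysmon", "event_id": 3, "host": "ws-114", "protocol": "udp", "dst_port": 443,
     "image": r"C:\Users\Public\DbgView64.exe"},
    {"source": "sysmon", "event_id": 3, "host": "ws-114", "protocol": "udp", "dst_port": 443,
     "image": r"C:\Program Files\WindowsApps\MSTeams\ms-teams.exe"},   # legitimate Teams: no hit
    {"source": "sysmon", "event_id": 6, "host": "ws-114", "image_loaded": r"C:\Windows\Temp\K7RKScan.sys"},
    {"source": "sysmon", "event_id": 6, "host": "gamer-pc", "image_loaded": r"C:\Games\ToF\GameDriverx64.sys"},
    {"source": "sysmon", "event_id": 13, "host": "ws-114", "details": "DWORD (0x00000000)",
     "target_object": r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse"},
    {"source": "security", "event_id": 4720, "host": "ws-114", "account": "svc_backup2"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS, gaming_or_av_hosts={"gamer-pc"}):
        print(hit)
```

Rule (2) suppresses the Tower of Fantasy driver on the allow-listed gaming host but still fires for `K7RKScan.sys` on the workstation; the legitimate Teams client's UDP/443 session produces no hit, which is the whole point of keying on process image rather than destination.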

**Hardening.** Enforce kernel-driver allow-listing via WDAC/HVCI and keep the Microsoft vulnerable-driver blocklist current (it covers the LOLDrivers entries this chain abuses); constrain egress so UDP/443 (QUIC) to Microsoft service tags is the only permitted path and is itself monitored; and audit any internet-reachable MSSQL/SQL Server instances out of existence. Because Backdoor.Turn rides genuine Microsoft relay infrastructure, IP/domain blocking is ineffective — the leverage is process-lineage and driver-load telemetry, not network reputation.

— *Source: [Symantec / Broadcom, 2026-06-16](https://www.security.com/threat-intelligence/dragonforce-msteams-backdoor) · Additional source: [BleepingComputer, 2026-06-16](https://www.bleepingcomputer.com/news/security/ransomware-gang-abuses-microsoft-teams-relays-to-hide-malicious-traffic/) · Additional source: [Help Net Security, 2026-06-16](https://www.helpnetsecurity.com/2026/06/16/dragonforce-microsoft-teams-malware-backdoor-turn/) · Tags: ransomware, organized-crime, identity, cloud · Region: us, global · Sector: technology, public-sector*

## 6. Action Items

- **Patch or isolate JCE-enabled Joomla sites today** (see § 0 Immediate Action, § 2). Upgrade to JCE 2.9.99.5/2.9.99.6; on any previously-unpatched site, hunt web logs for unauthenticated `index.php?option=com_jce&task=profiles.import` POSTs and treat the earliest hit as the breach time — exploitation is automated and CISA-KEV-confirmed.
- **Patch all three FortiSandbox CVEs and restrict the management interface** (§ 4). CVE-2026-39808/39813 (April patches) and CVE-2026-25089 (06-09 patch) are under simultaneous exploitation; a compromised sandbox suppresses blocking across the FortiGate/FortiMail stack. Watch JRPC/web-UI access logs for unauthenticated external POSTs.
- **Disable PAN-OS GlobalProtect "Authentication Override" if not required, patch, and hunt for Impacket lateral movement** (§ 4). Audit VPN sessions since late May for anonymous NTLM logon and SMB enumeration (EID 4624 Type 3 from unexpected IPs, EID 5140/5145).
- **For Check Point gateways, apply the early-June hotfix and prefer machine-certificate auth or disable IKEv1 legacy mode** now that a CVE-2026-50751 PoC is public (§ 4).
- **Upgrade `google-cloud-aiplatform` to 1.148.0 (the fully hardened release — 1.144.0–1.147.x are only partially protected) and audit Vertex AI jobs for default staging buckets** (§ 3); alert on ownership changes for `{project-id}-vertex-staging-{region}` buckets.
- **Add the ClickFix PowerShell hunt** for the `<# Code Verification: NNNNNNNNNNNN #>` artefact and for `mshta.exe` spawned by `msiexec.exe`; block `mshta.exe` via AppLocker/WDAC where feasible (§ 3).
- **Review offboarding access-revocation for staff with bulk-export rights over citizen/student data** (§ 1, Munich). Bind database export credentials to just-in-time access tied to HR offboarding; alert on pre-departure bulk downloads.
- **Refresh the Microsoft vulnerable-driver blocklist and enforce WDAC/HVCI driver allow-listing** (§ 5, DragonForce BYOVD); constrain and monitor QUIC/UDP-443 egress to Microsoft service tags since Teams-relay C2 defeats IP/domain blocking.
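A web-log hunt for the first action item, as an added example (not JCE, CISA or Joomla tooling): it parses combined-format access-log lines, keeps POSTs to `index.php` whose query carries `option=com_jce` and `task=profiles.import` in any parameter order, and returns the earliest hit as the candidate breach time. The log lines are constructed; web logs do not record Joomla session state, so every matching POST is triaged rather than only the unauthenticated ones.

```python
"""Find the earliest POST to the JCE profile-import endpoint in combined-format
web logs. Parameter order is normalised because scanners do not always emit the
option=...&task=... order shown in the advisory."""
import re
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def is_jce_import(method, path):
    """True for a POST to index.php carrying option=com_jce and task=profiles.import."""
    if method != "POST":
        return False
    parts = urlsplit(path)
    if not parts.path.lower().endswith("index.php"):
        return False
    q = parse_qs(parts.query.lower())
    return "com_jce" in q.get("option", []) and "profiles.import" in q.get("task", [])

def hunt_jce(lines):
    """Return (earliest_timestamp_or_None, sorted [(timestamp, ip, status), ...])."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not is_jce_import(m["method"], m["path"]):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits.append((ts, m["ip"], int(m["status"])))
    hits.sort()
    return (hits[0][0] if hits else None), hits

SAMPLE_LOG = [  # constructed lines; addresses are RFC 5737 documentation ranges
    '203.0.113.7 - - [14/Jun/2026:02:13:55 +0000] "POST /index.php?option=com_jce&task=profiles.import HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.9 - - [13/Jun/2026:23:41:02 +0000] "POST /index.php?task=profiles.import&option=com_jce&view=profiles HTTP/1.1" 303 0 "-" "curl/8.0"',
    '192.0.2.44 - - [14/Jun/2026:08:00:01 +0000] "GET /index.php?option=com_jce&task=profiles.import HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
    '192.0.2.45 - - [14/Jun/2026:08:00:05 +0000] "POST /index.php?option=com_content&task=article.save HTTP/1.1" 303 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    earliest, hits = hunt_jce(SAMPLE_LOG)
    print("candidate breach time:", earliest)
    for ts, ip, status in hits:
        print(ts.isoformat(), ip, status)
```

The GET probe and the unrelated `com_content` POST are ignored; the reordered-parameter POST from 198.51.100.9 is the earliest hit even though it appears second in the file, so sort by timestamp rather than trusting log order on rotated or merged files.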

— *Source: [Widget Factory / JCE, 2026-06-03](https://www.joomlacontenteditor.net/news/jce-security-update-and-a-free-patch-for-older-sites) · Additional source: [Symantec / Broadcom, 2026-06-16](https://www.security.com/threat-intelligence/dragonforce-msteams-backdoor) · Tags: vulnerabilities, actively-exploited, supply-chain · Region: global, europe · Sector: public-sector*

## 7. Verification Notes

- **Items dropped:**
  - *CVE-2026-44963 (Veeam Backup & Replication, authenticated domain-user RCE)* — surfaced by both S1 and S2 as significant, but **out-of-window**: primary sources are 2026-06-09/06-10 and the CVE is already in `cves_seen.json` (first 06-10, last 06-14) with no in-window development. Retained here for awareness; if exploitation emerges it returns as a § 4 UPDATE.
  - *CVE-2026-11645 (Google Chrome V8 zero-day)* — already covered (`cves_seen` 06-10→06-14); primary sources 2026-06-08/06-09 are out-of-window with no fresh delta. Dropped.
  - *IT Army of Ukraine — Kaluga Astral disruption* — **[SINGLE-SOURCE]** (The Record, 2026-06-15); no direct CH/EU nexus. Noted for situational awareness only, not carried as an item.
- **Single-source / primary-research items:** the Sekoia ErrTraffic (§ 3) and Huntress Potemkin (§ 3) analyses are single primary-research-lab disclosures (corroborated by reporting where available); presented as the labs' own findings.
- **Reduced confidence:** FortiSandbox exploitation (§ 4) is reported by Defused Cyber and relayed via Security Affairs / Help Net Security; Fortinet has not officially confirmed exploitation — attribution of the claim, not the vendor.
- **Source dropped on liveness:** the watchTowr technical write-up URL for CVE-2026-50751 (§ 4) returned 404 at the mechanical gate and was removed; the mechanism is now described at the level NCSC-NL and Help Net Security support, with watchTowr credited in prose only.
- **NCSC-NL advisory rendering (§ 4 Check Point):** `advisories.ncsc.nl/advisory?id=NCSC-2026-0179` is an Angular SPA that returns a redirect/shell on direct fetch; its content (the public-PoC note) was confirmed via the bridge fetcher and S2's research. The content-readable Help Net Security article is listed first as the primary for the substantive claim; the NCSC-NL advisory is retained as the in-window (06-16) national-CERT reference.
- **Contradiction (PAN-OS CVE-2026-0257, § 4):** Unit 42 (2026-06-09) observed successful auth-bypass VPN sessions but states no post-exploitation activity or lateral movement was observed; Arctic Wolf (2026-06-11) observed Impacket-pattern SMB enumeration and domain-user discovery in a subset of intrusions. The brief reports the Arctic Wolf observation as the lateral-movement signal; the two reflect different victim subsets and observation windows, not a factual conflict.
- **Source list:** added **Zimperium zLabs** as a `candidate` source (primary mobile threat research; contributed the Rokarolla item, § 3). Overflow not added this run (one-candidate cap): MOXFIVE (FulcrumSec actor profile, cited in § 4) — re-evaluate next run.
- **Sub-agents:** all four (S1–S4) returned within budget (Claude Sonnet 4.6).
- **Coverage gaps:** databreaches-net (403, no Wayback snapshot — Novo Nordisk covered via alternates); sophos-xops (Next.js SPA body not extractable; 06-16 post confirmed but content unrecoverable); fortiguard-psirt (Angular SPA shell — FortiSandbox details via Security Affairs / Help Net); cert-at (RSS 404 on both feed URLs); rapid7-research (SPA body unextractable); inside-it-ch (not fetched this run); cnil-fr, edpb, ico-uk, sec-disclosures-edgar (no in-window qualifying items); akamai-sirt, dragos, sans-ics, talos (no in-window content).
