0. TL;DR
- Unauthenticated CVSS-10 RCE in the Joomla Content Editor (JCE) is being exploited by automated tooling — CVE-2026-48907 lets an unauthenticated attacker abuse the JCE profile-import endpoint to upload and run PHP; CISA added it to the KEV catalog on 2026-06-16 and the vendor says unpatched sites should assume compromise (Widget Factory / JCE, 2026-06-03). Municipal/education Joomla portals across Europe are the exposed surface. See the Immediate Action below and § 2.
- Three critical FortiSandbox flaws are now under simultaneous active exploitation — CVE-2026-39808, CVE-2026-39813 (April patches) and CVE-2026-25089 (patched 2026-06-09, previously disclosure-only here on 06-12) were all observed exploited in a 24-hour window; FortiSandbox feeds verdicts to the wider FortiGate/FortiMail stack (§ 4).
- PAN-OS GlobalProtect CVE-2026-0257 exploitation wave hits European targets — Arctic Wolf documents Impacket-style SMB lateral movement post-auth-bypass; NCSC-CH refreshed its advisory on 2026-06-16 (§ 4).
- DragonForce ransomware ran C2 through Microsoft Teams TURN relays — first in-the-wild abuse of Teams relay infrastructure to hide C2 in legitimate Microsoft traffic, plus a four-driver BYOVD chain; two-month dwell at a services firm (Deep Dive, § 5).
- 120,000 Munich student records suspected on the darknet — a City-of-Munich IT subsidiary reports a suspected insider-threat mass export; Bavarian DPA notified, criminal complaint filed — a direct EU public-sector deprovisioning lesson (§ 1).
- ClickFix delivery frameworks are scaling — Sekoia details ErrTraffic (blockchain-resolved C2, EU WordPress targeting) and Huntress documents the Potemkin loader/RMMProject (Chromium App-Bound-Encryption bypass); FishMonger/I-SOON also ported its SprySOCKS backdoor to Windows with a kernel rootkit (§ 1, § 3).
Immediate Action — Patch or isolate internet-facing Joomla sites running the JCE editor now. CVE-2026-48907 is an unauthenticated, no-interaction remote-code-execution flaw (CVSS v4 10.0) in the Joomla Content Editor extension before version 2.9.99.5: an attacker POSTs to index.php?option=com_jce&task=profiles.import, imports a crafted editor profile that permits .php uploads, then drops a web shell — yielding code execution as the web-server user (Widget Factory / JCE, 2026-06-03). CISA added it to the KEV catalog on 2026-06-16 citing active exploitation, and the attacks are fully automated, so the absence of a public registration form is not protective (YesWeHack, 2026-06-16). Upgrade to the patched JCE release (version 2.9.99.5 or 2.9.99.6) immediately; on any site that ran an unpatched JCE, hunt web logs for unauthenticated requests to profiles.import and treat the earliest hit as the breach time.
1. Active Threats, Trending Actors, Notable Incidents & Disclosures
Munich: ~120,000 student records suspected on the darknet — terminated employee under investigation
LHM-Services GmbH, the municipal IT subsidiary of the City of Munich that runs school-administration systems for Bavarian schools, is investigating a suspected data-protection incident involving roughly 120,000 students — names, addresses, dates of birth, nationalities and school assignments (the 120,000 figure originates in press reporting; LHM-Services says it learned of the incident from the press and questioned whether the data was actually publicly available) (Heise Security, 2026-06-16). The investigation, led by Munich's cybercrime unit and the Bamberg prosecutor, centres on a former employee suspected of having mass-downloaded and retained the dataset shortly before leaving — i.e. a suspected insider data-theft, not an external intrusion. A darknet-research firm engaged by LHM-Services found no evidence the data was publicly listed for sale at the time of writing, so the actual circulation scope is uncertain. LHM-Services notified the Bavarian State Data Protection Authority under GDPR Article 33 and filed a criminal complaint (LHM-Services GmbH press release, 2026-06-15).
FishMonger (I-SOON) ports its SprySOCKS backdoor to Windows with a kernel-driver rootkit
ESET disclosed two previously undocumented Windows variants of SprySOCKS — a backdoor it attributes to FishMonger (a.k.a. Earth Lusca / Aquatic Panda / TAG-22), assessed with high confidence as operated by Chinese contractor I-SOON (ESET WeLiveSecurity, 2026-06-16). Previously known only as a Linux backdoor, the Windows builds (WIN_PLUS and WIN_DRV) were deployed in 2023–2024 against foreign-affairs, technology and telecom government bodies in Taiwan, Thailand, Pakistan and Honduras. WIN_PLUS persists as a Windows Print Processor (VSPMsg) and supports 30+ commands over TCP/UDP/WebSocket. WIN_DRV is the notable one: it loads a kernel driver (fsdiskbit.sys, signed with a certificate from the public PastDSE leaked-cert corpus) which memory-loads a second driver to deliver rootkit-class stealth — hiding processes, files, network connections and registry keys, and performing TCP traffic diversion so the backdoor receives operator commands on an arbitrary port that never appears in netstat (BleepingComputer, 2026-06-16). ESET notes limited, unconfirmed telemetry of a possible UEFI bootkit component (potentially CVE-2023-24932-class Secure Boot bypass).
Why it matters to us: Post-deployment detection is hard because the driver actively hides artefacts; the leverage is pre-deployment hygiene. Hunt scheduled-task creation (EID 4698 / Sysmon EID 1) referencing binaries under %SystemRoot%\Fonts\, Image File Execution Options hijacks of vds.exe, and kernel-driver loads (Sysmon EID 6) of drivers signed with PastDSE-derived certificates. Because TCP diversion defeats host network-tab inspection, rely on EDR kernel sensors / ETW for listening-socket enumeration. Validate that vulnerable/revoked drivers are blocked via WDAC/HVCI and the Microsoft vulnerable-driver blocklist.
2. Trending Vulnerabilities
CVE-2026-48907 — Widget Factory Joomla Content Editor (JCE) before version 2.9.99.5: unauthenticated profile-import → PHP RCE (CVSS v4 10.0)
CVE-2026-48907 is an improper-access-control flaw (CWE-284) in the JCE extension — one of the most widely installed third-party Joomla editors — that chains three weaknesses in the profile-import workflow: a missing authentication check on index.php?option=com_jce&task=profiles.import, absent file-extension validation, and disabled upload-safety controls (YesWeHack, 2026-06-16). An unauthenticated attacker imports a crafted editor profile that permits .php (or other executable) extensions for the Image Manager / File Browser plugin, then uploads a web shell that lands in images/ by default — yielding OS-level code execution as the web-server user. The vendor states the attacks are fully automated and that a site without a public registration form is not safe; any site that ran a JCE version before 2.9.99.5 should assume compromise and restore from a pre-breach backup after confirming the timeline from web logs (Widget Factory / JCE, 2026-06-03). CISA added it to the KEV catalog on 2026-06-16. Patched in JCE version 2.9.99.5 (2026-06-03), further hardened in 2.9.99.6 (2026-06-06). Detection: unauthenticated POSTs to profiles.import in web logs; unfamiliar auto-named profiles at the top of the JCE profile list with PHP uploads enabled; unexpected PHP files in images/, media/ or tmp/.
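A worked version of the web-log hunt described above, added here as an example (it is not JCE's or Widget Factory's code): it parses combined-format access-log lines, flags front-end POSTs carrying the profiles.import task (the same task under /administrator/ is ordinary logged-in admin use and is excluded), returns the earliest hit as the breach time, and lists PHP files served from the upload directories. The log lines and IP addresses are constructed for illustration.

```python
import re
from datetime import datetime

# Apache/nginx "combined" access-log line -> the fields the hunt needs.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (RFC 5737 documentation addresses), not real telemetry.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Jun/2026:02:11:43 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [14/Jun/2026:02:13:09 +0000] "POST /index.php?option=com_jce&task=profiles.import HTTP/1.1" 200 312 "-" "python-requests/2.31"
198.51.100.23 - - [14/Jun/2026:02:13:11 +0000] "POST /index.php?option=com_jce&task=plugin&plugin=filemanager HTTP/1.1" 200 188 "-" "python-requests/2.31"
198.51.100.23 - - [14/Jun/2026:02:13:14 +0000] "GET /images/cache.php?c=id HTTP/1.1" 200 44 "-" "python-requests/2.31"
10.0.0.5 - admin [14/Jun/2026:08:00:02 +0000] "POST /administrator/index.php?option=com_jce&task=profiles.import HTTP/1.1" 303 0 "-" "Mozilla/5.0"
"""

# PHP files in the directories the vendor names as web-shell landing spots.
WEBSHELL_DIR_RE = re.compile(r'^/(images|media|tmp)/.*\.php$', re.I)


def parse_line(line):
    """Parse one combined-format line; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"], _, rec["query"] = rec["target"].partition("?")
    return rec


def has_param(query, key, value):
    """True if the query string carries key=value as a whole parameter (any order)."""
    return re.search(rf'(?:^|&){re.escape(key)}={re.escape(value)}(?:&|$)', query) is not None


def is_unauth_profile_import(rec):
    # The vulnerable endpoint is the front-end index.php; the same task under
    # /administrator/ requires a logged-in backend session and is normal admin use.
    return (rec["method"] == "POST"
            and not rec["path"].startswith("/administrator/")
            and has_param(rec["query"], "option", "com_jce")
            and has_param(rec["query"], "task", "profiles.import"))


def hunt_jce(log_text):
    """Summarise CVE-2026-48907 exploitation evidence found in access-log text."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    imports = [r for r in records if is_unauth_profile_import(r)]
    shells = sorted({r["path"] for r in records if WEBSHELL_DIR_RE.match(r["path"])})
    return {
        "import_hits": len(imports),
        # Earliest front-end import is the breach time to restore from before.
        "earliest_breach": min((r["ts"] for r in imports), default=None),
        "source_ips": sorted({r["ip"] for r in imports}),
        "php_under_upload_dirs": shells,
    }


if __name__ == "__main__":
    for key, value in hunt_jce(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against the site's real access logs (all rotated files, not just the current one) and treat the earliest_breach timestamp as the cut-off for choosing a backup; a non-empty php_under_upload_dirs list is strong evidence the profile import succeeded.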
CVE Summary Table
Compact view of the actively-exploited / weaponised CVEs across this brief (full context in § 2 above and the § 4 updates).
| CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source |
|---|---|---|---|---|---|---|---|
| CVE-2026-48907 | Joomla Content Editor (JCE) before version 2.9.99.5 | 10.0 (v4) | n/a | Yes (06-16) | Yes — automated | version 2.9.99.5 (06-03) | JCE |
| CVE-2026-39808 | Fortinet FortiSandbox — JRPC OS command injection | 9.8 | n/a | No | Yes (06-15) | Apr 2026 (FG-IR-26-100) | Help Net |
| CVE-2026-39813 | Fortinet FortiSandbox — JRPC path traversal / auth bypass | 9.1 | n/a | No | Yes (06-15) | Apr 2026 (FG-IR-26-112) | Help Net |
| CVE-2026-25089 | Fortinet FortiSandbox — web-UI command injection | 9.8 | n/a | No | Probable (faulty AI-built exploit) | 06-09 (FG-IR-26-141) | Security Affairs |
| CVE-2026-0257 | PAN-OS GlobalProtect — cookie auth bypass | 7.8 (v4) | n/a | Yes | Yes — since May 2026 | Vendor hotfixes | PAN PSIRT |
| CVE-2026-50751 | Check Point Security Gateway — IKEv1 auth bypass | 9.3 | n/a | No | PoC public | Hotfix (early June) | Help Net |
3. Research & Investigative Reporting
Unit 42 "Pickle in the Middle": cross-tenant code execution in Google Vertex AI via predictable staging buckets (CVE-2026-2473)
Unit 42 disclosed a cross-tenant RCE class in the Google Cloud Vertex AI SDK for Python (Unit 42, 2026-06-16). When a caller uploads a model without specifying a custom staging bucket, the SDK's stage_local_data_in_gcs() builds a deterministic, globally-unique bucket name from the project ID and region ({project-id}-vertex-staging-{region}). Because GCS bucket names are publicly claimable, an attacker who knows the target project ID can pre-register that bucket, attach a Cloud Function on object.finalize, and silently receive the victim's uploaded model.joblib — then swap in a malicious pickle. Vertex AI's serving agent deserialises the pickle and executes attacker code inside Google's serving container with the platform service account's privileges (The Hacker News, 2026-06-16). Google added bucket-name randomization (UUID4) in google-cloud-aiplatform 1.144.0 (2026-03-31) and the bucket-ownership check in the fully hardened 1.148.0 (2026-04-15); versions from 1.139.0 are affected and orgs on 1.144.0–1.147.x are only partially protected, so 1.148.0 is the version to target. No in-the-wild exploitation was observed.
Why it matters to us: Any EU/CH org running Vertex AI ML pipelines on the affected SDK that did not pin a staging bucket is exposed to the broader "resource-squatting" class — predictable cloud resource names without ownership verification. Upgrade the SDK to ≥ 1.148.0, audit jobs for default staging_bucket use, and alert on GCS objectCreate / ownership changes for any bucket matching the {project-id}-vertex-staging-{region} pattern not owned by your org.
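An added audit helper for the two checks recommended above (example code, not Google's or the Vertex AI SDK's own): it derives the SDK's default staging-bucket name from project ID and region, classifies a google-cloud-aiplatform version into the exposure classes the brief gives, and flags jobs whose default bucket is not in the org's own bucket inventory, since an unclaimed name is exactly what the resource-squatting class exploits. Project IDs, regions, bucket inventory and job records are constructed for illustration.

```python
import re


def default_staging_bucket(project_id, region):
    """Default name the SDK uses when no staging bucket is pinned (from the brief)."""
    return f"{project_id}-vertex-staging-{region}"


# Same naming pattern as a regex, for matching bucket names in GCS audit events.
# Project-ID charset follows GCP's rules (6-30 chars, lowercase, starts with a letter).
DEFAULT_STAGING_RE = re.compile(
    r'^(?P<project>[a-z][a-z0-9-]{4,28}[a-z0-9])-vertex-staging-(?P<region>[a-z]+-[a-z]+\d+)$'
)


def is_default_staging_name(bucket):
    return DEFAULT_STAGING_RE.match(bucket) is not None


def parse_version(version):
    return tuple(int(p) for p in version.split(".")[:3])


def classify_sdk_version(version):
    """Map a google-cloud-aiplatform version to the exposure class the brief describes."""
    v = parse_version(version)
    if v < (1, 139, 0):
        return "not_affected"
    if v < (1, 144, 0):
        return "vulnerable"            # deterministic name, no ownership check
    if v < (1, 148, 0):
        return "partially_protected"   # UUID4 suffix added, ownership check still missing
    return "hardened"                  # randomised name plus bucket-ownership check


def audit_jobs(jobs, owned_buckets):
    """jobs: dicts with name, project, region, staging_bucket (None = SDK default), sdk_version.
    owned_buckets: bucket names this org actually owns (e.g. from an asset inventory).
    Returns {job name: [issue codes]}; an empty list means nothing to do."""
    findings = {}
    for job in jobs:
        issues = []
        if job["staging_bucket"] is None:
            bucket = default_staging_bucket(job["project"], job["region"])
            if bucket not in owned_buckets:
                issues.append("UNOWNED_DEFAULT_BUCKET")   # anyone can claim this name first
            else:
                issues.append("DEFAULT_BUCKET_NAME")      # owned today, but pin it explicitly
        status = classify_sdk_version(job["sdk_version"])
        if status == "vulnerable":
            issues.append("SDK_VULNERABLE")
        elif status == "partially_protected":
            issues.append("SDK_PARTIAL")
        findings[job["name"]] = issues
    return findings


# Constructed inventory: hypothetical project IDs, regions and bucket ownership.
OWNED_BUCKETS = {
    "example-ml-prod-vertex-staging-europe-west4",
    "example-ml-prod-staging-private",
}
SAMPLE_JOBS = [
    {"name": "train-prod", "project": "example-ml-prod", "region": "europe-west4",
     "staging_bucket": None, "sdk_version": "1.148.0"},
    {"name": "train-dev", "project": "example-ml-dev", "region": "us-central1",
     "staging_bucket": None, "sdk_version": "1.143.2"},
    {"name": "eval-pinned", "project": "example-ml-prod", "region": "europe-west4",
     "staging_bucket": "example-ml-prod-staging-private", "sdk_version": "1.146.0"},
]

if __name__ == "__main__":
    for name, issues in audit_jobs(SAMPLE_JOBS, OWNED_BUCKETS).items():
        print(f"{name}: {issues or 'ok'}")
```

Feed it the real job definitions and a bucket list exported from Cloud Asset Inventory; UNOWNED_DEFAULT_BUCKET is the finding to act on first, because pinning an explicit staging_bucket removes the predictable name from the SDK path regardless of version.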
Sekoia: ErrTraffic — a ClickFix Malware-as-a-Service framework resolving C2 through the Polygon blockchain
ClickFix — fake browser/update dialogues that trick users into pasting attacker PowerShell — is maturing into a productised delivery channel, as this and the next item show. Sekoia's TDR team analysed ErrTraffic, a ClickFix distribution framework sold as MaaS by an actor using the handle "LenAI" on the Exploit.IN forum since at least December 2025 (Sekoia TDR, 2026-06-16). Affiliates compromise WordPress sites by credential-stuffing wp-login.php (one victim saw seven residential IPs in an 80-second window) or via WP File Manager CVE-2020-25213, then deploy a PHP backdoor as a must-use plugin (session-manager.php) that injects the ErrTraffic JavaScript. The JavaScript uses the EtherHiding technique — querying Polygon smart contracts via public RPC endpoints — to resolve C2 domains dynamically, defeating takedowns; it then serves ClickFix lures that drop Vidar, Stealc, SmokeLoader and others. ErrTraffic explicitly targets European and APAC visitors, putting public-sector WordPress portals in scope.
Why it matters to us: A reliable hunt artefact is the distinctive PowerShell comment block <# Code Verification: NNNNNNNNNNNN #> Sekoia found at the start of ErrTraffic command strings. Also watch for new PHP files under wp-content/mu-plugins/ (auto-loaded, no activation needed), credential-stuffing bursts on wp-login.php, and outbound requests from the web-server process to blockchain RPC endpoints.
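The three hunt artefacts above, turned into an added example (not Sekoia's code): a regex for the Code Verification comment block over process command lines, a sliding-window count of distinct source IPs POSTing to wp-login.php (Sekoia's observation was seven IPs in 80 seconds), and a diff of wp-content/mu-plugins/ against a known-good baseline. The command lines, login events and file lists are constructed; the stage-2 part of the ClickFix string is replaced by a placeholder, and the digit count in the marker is treated as variable (an assumption; the brief shows twelve).

```python
import re
from datetime import datetime, timedelta

# Marker Sekoia reported at the start of ErrTraffic PowerShell strings.
CODE_VERIFICATION_RE = re.compile(r'<#\s*Code Verification:\s*\d+\s*#>', re.I)

# Constructed process command lines (as logged by Sysmon EID 1 / Security EID 4688).
SAMPLE_COMMAND_LINES = [
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -c "<# Code Verification: 483920176504 #> <stage-2 placeholder>"',
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1',
    r'C:\Windows\System32\cmd.exe /c whoami',
]

# Constructed wp-login.php traffic: (timestamp, source IP, path, method).
SAMPLE_LOGIN_EVENTS = [
    ("2026-06-15T09:00:00", "192.0.2.40", "/wp-login.php", "POST"),     # a normal login
    ("2026-06-15T23:41:02", "198.51.100.11", "/wp-login.php", "POST"),
    ("2026-06-15T23:41:15", "198.51.100.12", "/wp-login.php", "POST"),
    ("2026-06-15T23:41:27", "198.51.100.13", "/wp-login.php", "POST"),
    ("2026-06-15T23:41:40", "198.51.100.14", "/wp-login.php", "POST"),
    ("2026-06-15T23:41:52", "198.51.100.15", "/wp-login.php", "POST"),
    ("2026-06-15T23:42:05", "198.51.100.16", "/wp-login.php", "POST"),
    ("2026-06-15T23:42:20", "198.51.100.17", "/wp-login.php", "POST"),
    ("2026-06-15T23:42:21", "198.51.100.17", "/wp-login.php", "GET"),   # page load, not an attempt
]


def find_code_verification(command_lines):
    """Return the command lines that carry the ErrTraffic comment-block marker."""
    return [c for c in command_lines if CODE_VERIFICATION_RE.search(c)]


def max_distinct_ips_in_window(events, window_seconds=80):
    """Largest number of distinct IPs POSTing to wp-login.php inside any window.
    Distinct residential IPs in a short burst is the credential-stuffing signature;
    a single noisy IP would instead be a plain brute-force alert."""
    window = timedelta(seconds=window_seconds)
    posts = sorted(
        (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), ip)
        for ts, ip, path, method in events
        if method == "POST" and path.split("?")[0] == "/wp-login.php"
    )
    best = 0
    for i, (t0, _) in enumerate(posts):
        ips = {ip for t, ip in posts[i:] if t - t0 <= window}
        best = max(best, len(ips))
    return best


def new_mu_plugins(current_files, baseline_files):
    """PHP files under wp-content/mu-plugins/ absent from the baseline listing.
    Must-use plugins load automatically, so a new file here needs no activation."""
    return sorted(
        f for f in set(current_files) - set(baseline_files)
        if f.replace("\\", "/").startswith("wp-content/mu-plugins/")
        and f.lower().endswith(".php")
    )


if __name__ == "__main__":
    print("marker hits:", len(find_code_verification(SAMPLE_COMMAND_LINES)))
    print("max distinct IPs / 80 s:", max_distinct_ips_in_window(SAMPLE_LOGIN_EVENTS))
```

The baseline for new_mu_plugins should come from a clean deployment artefact or version control, not from the live host, since the backdoor is already present there once the site is compromised.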
Huntress: Potemkin loader delivers RMMProject RAT and bypasses Chromium App-Bound Encryption
Huntress documented a ClickFix chain delivering a previously undocumented x64 loader named Potemkin (active since at least February 2026): a ClickFix lure installs an MSI that drops Potemkin via an HTA payload; the loader uses a domain-generation algorithm for C2 and reflectively loads follow-on modules in memory (Huntress, 2026-06-16). Its payloads are EtherRAT (Node.js RAT with blockchain C2) and RMMProject, a Lua-scriptable DLL providing hidden remote desktop, keylogging and browser credential theft — including a module specifically built to defeat Chromium's App-Bound Encryption (the credential-storage protection added in Chrome 127) (The Hacker News, 2026-06-16). Huntress observed lateral movement across 11+ hosts in one intrusion, indicating network-wide credential harvesting rather than single-host compromise.
Why it matters to us: The ABE bypass means saved Chrome credentials are again at risk on infected hosts. Hunt for mshta.exe spawned by msiexec.exe/cmd.exe, reflective-load memory anomalies, DGA-style DNS from mshta.exe children, and non-browser processes calling Chrome's DPAPI/LocalState decryption. Block mshta.exe via AppLocker/WDAC where feasible.
Zimperium: Rokarolla Android banking trojan targets 217 apps with full device takeover
Zimperium zLabs detailed Rokarolla, a new Android banking trojan distributed via sideloading from sites impersonating TikTok/Chrome, using a dropper that masquerades as Google Play Protect to obtain Accessibility Service permissions (Zimperium zLabs, 2026-06-16). It targets 217 banking and crypto apps via a 137-command framework: lifting the lock-screen PIN, intercepting SMS OTPs, rewriting the clipboard to hijack crypto payments, disabling Play Protect, and — distinctively — registering itself as the default call/SMS handler so a bank's warning call or SMS never reaches the victim (BleepingComputer, 2026-06-16). A target list of this breadth makes any Android device used for e-banking a plausible victim once an app is sideloaded.
Why it matters to us: Rokarolla cannot reach the Play Store; it relies entirely on sideloading. Enforce "Install from Unknown Sources" restrictions via Android Enterprise/MDM on managed devices and MAM containers for BYOD; flag any app that disables Play Protect or requests Accessibility Service immediately after a web-sourced install.
4. Updates to Prior Coverage
UPDATE: FortiSandbox — three critical flaws now exploited simultaneously, including the previously disclosure-only CVE-2026-25089
UPDATE (originally covered 2026-06-12): When CVE-2026-25089 was covered on 06-12 it was disclosure-only. Threat-intel firm Defused Cyber has now reported active exploitation of three FortiSandbox flaws within a single 24-hour window — CVE-2026-39808 (CVSS 9.8, JRPC OS command injection), CVE-2026-39813 (CVSS 9.1, JRPC path traversal / auth bypass), both with patches available since April 2026, and CVE-2026-25089 (CVSS 9.8, web-UI command injection), patched 2026-06-09 (Security Affairs, 2026-06-16).
FortiSandbox supplies sandboxed file verdicts that FortiGate, FortiMail, FortiProxy and FortiClient consume to make blocking decisions, so a compromised sandbox can suppress detection across the dependent Fortinet stack (Help Net Security, 2026-06-16). The CVE-2026-25089 exploit seen in the wild appears AI-generated and is assessed as faulty, yet still finds traction against unpatched deployments — evidence that exposed, unpatched FortiSandbox interfaces remain. Fortinet has not yet officially confirmed exploitation. Patch all three; until then, restrict management-interface exposure and watch FortiSandbox web-UI/JRPC access logs for unauthenticated external POSTs.
Changes since first coverage (1 prior appearance)
- 2026-06-12: First coverage. VNC-launch handler command injection; fixed 5.0.6/4.4.9; CCB+NCSC-NL advisories.
UPDATE: PAN-OS GlobalProtect CVE-2026-0257 — exploitation wave with Impacket post-compromise, NCSC-CH refreshes advisory
UPDATE (originally covered 2026-05-30): Palo Alto's Unit 42 confirms an active exploitation campaign against the GlobalProtect cookie authentication-bypass (CVE-2026-0257) running since approximately late May (Unit 42, 2026-06-09). The flaw (CWE-565) decrypts an authentication-override cookie without any signature verification, letting an attacker forge a session and establish a VPN tunnel without credentials when the override feature is enabled (Palo Alto Networks PSIRT).
Arctic Wolf's telemetry documents post-exploitation consistent with Impacket tooling — SMB lateral movement, anonymous NTLM logon, share enumeration and domain-user discovery — across insurance, finance, manufacturing, education, engineering and healthcare targets in North America and Europe (Arctic Wolf, 2026-06-11). NCSC-CH refreshed its Security Hub advisory on 2026-06-16 to flag the Unit 42 confirmation (NCSC-CH Security Hub, 2026-06-16). Defenders: disable "Authentication Override" if not required, patch to fixed PAN-OS builds, and audit sessions since late May for Impacket-pattern lateral movement (EID 4624 Type 3 from unexpected IPs, SMB enumeration EID 5140/5145).
Changes since first coverage (2 prior appearances)
- 2026-06-10: UPDATE (orig 2026-05-30). Unit 42 2026-06-09 confirms attacker-established gateway sessions; was 'exploit attempts'.
- 2026-05-30: Active ITW exploitation, CISA KEV 2026-05-29; deep dive coverage.
UPDATE: Check Point IKEv1 CVE-2026-50751 — public PoC raises exploitation risk
UPDATE (originally covered 2026-06-09): NCSC-NL updated its advisory (NCSC-2026-0179, version 1.0.1) on 2026-06-16 to note that public proof-of-concept code is now available for the Check Point Security Gateway IKEv1 authentication bypass (CVE-2026-50751, CVSS 9.3), increasing the probability of exploitation (NCSC-NL, 2026-06-16).
The flaw lets an unauthenticated client abuse the IKEv1 negotiation to bypass peer-signature verification and impersonate any VPN identity configured for certificate or mixed authentication (username/password-only configurations are not affected); the public PoC follows watchTowr's earlier technical analysis (Help Net Security, 2026-06-12). Apply the early-June Check Point hotfix; where feasible disable IKEv1 legacy mode or enforce mandatory machine-certificate authentication, which is not bypassable by this flaw.
Changes since first coverage (2 prior appearances)
- 2026-06-14 (2026-W24): Consolidated in § 1; Qilin affiliate exploiting IKEv1 auth-bypass.
- 2026-06-09: First coverage + Immediate Action callout + deep dive. Pre-auth IKEv1 cert-validation bypass, CVSS 9.3, actively exploited by Qilin affiliate since 2026-05-07, CISA KEV, NCSC-CH Action-Required advisory.
UPDATE: Novo Nordisk — FulcrumSec claims authorship, $25M demand refused, data offered for private sale
UPDATE (originally covered 2026-06-13): The cloud data-extortion group FulcrumSec has publicly claimed the Novo Nordisk breach, saying it spent more than two months inside the networks and exfiltrated roughly 1.3 TB (~700,000 files) including source code, drug-pipeline data, ~11,500 pseudonymised clinical-trial records and internal AI artefacts; it demanded $25M, was refused, and is now exploring private sale of the data (Global Banking & Finance Review, 2026-06-16).
FulcrumSec is a data-theft-only (non-ransomware) group active since late 2025 with 21+ prior claimed victims; an actor profile characterises its access vectors as unpatched public-facing apps, dormant/embedded credentials and API keys, absent MFA and misconfigured cloud storage (MOXFIVE, 2026-06-10). Novo Nordisk has confirmed unauthorised access to a limited number of internal systems and pseudonymised clinical-trial data exposure but has not validated FulcrumSec's scope claims (Insurance Business Magazine, 2026-06-16). Detection focus for FulcrumSec-style actors: large outbound transfers (DLP), cloud-storage access logs, OAuth grants to unfamiliar apps, and long-dwell reuse of stale service-account credentials. Enforce MFA on all privileged cloud identities and rotate dormant credentials.
5. Deep Dive — DragonForce abuses Microsoft Teams TURN relays for C2 and chains four vulnerable drivers (BYOVD)
Background. DragonForce is a ransomware-as-a-service operation that has been documented since 2023 and rebranded itself in 2024–2025 as a "cartel"-style affiliate model; it has been tied to attacks on retail and enterprise targets across multiple regions and has previously leaned on affiliate-supplied access and living-off-the-land tooling. This deep dive is not about the ransomware payload but about an intrusion Symantec disclosed on 2026-06-16 that introduces a genuinely novel command-and-control technique and an unusually deep bring-your-own-vulnerable-driver (BYOVD) chain (Symantec / Broadcom, 2026-06-16).
The intrusion. Symantec investigated a DragonForce intrusion at an unnamed major U.S. services company that began in December 2025 — roughly two months of undetected dwell before discovery (BleepingComputer, 2026-06-16). Initial access was via an internet-facing MSSQL server (or purchased access) — a reminder that exposed database services remain a high-value entry point (T1190 Exploit Public-Facing Application). The actor then dropped a ZIP containing a legitimate, signed DbgView64.exe (or VirtualBox binary) alongside a malicious vboxrt.dll, executed via DLL side-loading (T1574.002). Persistence was established through a LimitBlankPasswordUse registry modification, creation of rogue local users/groups (T1136.001), and firewall-rule changes.
Backdoor.Turn and the Teams TURN-relay C2 (the novel part). Backdoor.Turn is a Go-based RAT injected into DbgView64.exe. It obtains an anonymous Microsoft Teams visitor token from Skype identity services, then establishes a TURN (Traversal Using Relays around NAT) relay session through Microsoft's own infrastructure and runs a QUIC tunnel to the actual attacker C2. Symantec assesses this is the first known malware to abuse Teams' TURN relay servers for C2 (Symantec / Broadcom, 2026-06-16). The defensive consequence is severe: a defender inspecting network flows sees only outbound connections to legitimate Microsoft IP ranges — the technique is a high-trust proxy/relay abuse (T1090 Proxy) that blends with the Teams traffic any Microsoft 365 tenant already generates.
The four-driver BYOVD chain. To disable defences, the actor loaded four signed-but-vulnerable kernel drivers (T1068 Exploitation for Privilege Escalation used to reach kernel for T1562.001 Impair Defenses): Huawei HWAuidoOs2Ec.sys (novel, no prior CVE), Topaz Antifraud wsftprm.sys (CVE-2023-52271), Tower of Fantasy GameDriverx64.sys (CVE-2025-61155), and K7 Security K7RKScan.sys (CVE-2025-1055). A custom malicious driver, ABYSSWORKER, masqueraded as a Palo Alto Networks driver to handle defence evasion. Follow-on activity included network scanning (T1046), AD/LDAP enumeration (T1018), TLS-certificate harvesting, browser credential theft (T1555.003), and credential-based lateral movement (T1021).
Detection concepts (no IOCs). (1) Hunt for DbgView64.exe or VirtualBox binaries initiating QUIC (UDP/443) sessions to Microsoft TURN-relay ranges with anomalous parent-child trees (vboxrt.dll → DbgView64.exe) — Sysmon EID 3 network-connection events filtered against expected Teams behaviour. (2) Alert on signed drivers from Huawei, Topaz, Tower of Fantasy or K7 Security loading on systems that are not gaming/AV hosts (Sysmon EID 6 driver-load). (3) Registry-value sets on HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse (Sysmon EID 13). (4) Rogue local user/group creation (Windows Security EID 4720 / 4732) (Help Net Security, 2026-06-16).
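The four detection concepts above, plus the driver-load hunt from the FishMonger item in § 1, as an added triage example (not Symantec's, ESET's or any vendor's code) over constructed Sysmon and Windows Security events: watch-listed driver loads (EID 6) outside hosts where that vendor is expected, UDP/443 connections from DbgView64.exe or VirtualBox binaries (EID 3) while genuine Teams.exe traffic passes, LimitBlankPasswordUse changes (EID 13), and local account or group changes (EID 4720/4732), scored per host so that several different rules firing on one machine stands out. Host names, paths and addresses are constructed; no file hashes are used because the brief supplies none.

```python
import ntpath

# Driver file names named in the brief (DragonForce chain plus FishMonger's loader).
DRIVER_WATCHLIST = {
    "hwauidoos2ec.sys",   # Huawei, no prior CVE
    "wsftprm.sys",        # Topaz Antifraud, CVE-2023-52271
    "gamedriverx64.sys",  # Tower of Fantasy, CVE-2025-61155
    "k7rkscan.sys",       # K7 Security, CVE-2025-1055
    "fsdiskbit.sys",      # FishMonger WIN_DRV first-stage driver
}
SIDELOAD_HOSTS = {"dbgview64.exe"}          # VirtualBox binaries matched by prefix below
LSA_KEY_SUFFIX = "\\control\\lsa\\limitblankpassworduse"


def basename_lower(path):
    return ntpath.basename(path).lower()


def triage(events, allowed_driver_hosts=frozenset()):
    """Apply the four rules; returns (rule, host, detail) tuples.
    allowed_driver_hosts: gaming/AV hosts where a watch-listed vendor driver is expected."""
    alerts = []
    for ev in events:
        eid, host = ev["EventID"], ev.get("Computer", "")
        if eid == 6:
            name = basename_lower(ev["ImageLoaded"])
            if name in DRIVER_WATCHLIST and host not in allowed_driver_hosts:
                alerts.append(("vulnerable-driver-load", host, name))
        elif eid == 3:
            img = basename_lower(ev["Image"])
            suspicious_image = img in SIDELOAD_HOSTS or img.startswith(("vbox", "virtualbox"))
            # QUIC from a side-load host; Teams.exe doing the same is expected and skipped.
            if suspicious_image and ev["Protocol"].lower() == "udp" and int(ev["DestinationPort"]) == 443:
                alerts.append(("quic-from-sideload-host", host, img))
        elif eid == 13:
            if ev["TargetObject"].lower().endswith(LSA_KEY_SUFFIX):
                alerts.append(("limitblankpassworduse-modified", host, ev.get("Details", "")))
        elif eid in (4720, 4732):
            who = ev.get("TargetUserName") or ev.get("MemberName", "")
            alerts.append(("local-account-change", host, f"EID {eid} {who}"))
    return alerts


def score_hosts(alerts):
    """Number of distinct rules that fired per host; breadth across rules is the signal."""
    by_host = {}
    for rule, host, _ in alerts:
        by_host.setdefault(host, set()).add(rule)
    return {h: len(rules) for h, rules in by_host.items()}


# Constructed events (RFC 5737 addresses, hypothetical host names), not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 6, "Computer": "FS01", "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys"},
    {"EventID": 6, "Computer": "FS01", "ImageLoaded": r"C:\Windows\Temp\wsftprm.sys"},
    {"EventID": 6, "Computer": "GAMEPC07", "ImageLoaded": r"C:\Program Files\ToF\GameDriverx64.sys"},
    {"EventID": 3, "Computer": "FS01", "Image": r"C:\Users\Public\tools\DbgView64.exe",
     "Protocol": "udp", "DestinationPort": "443", "DestinationIp": "203.0.113.10"},
    {"EventID": 3, "Computer": "WS22", "Image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe",
     "Protocol": "udp", "DestinationPort": "443", "DestinationIp": "203.0.113.11"},
    {"EventID": 13, "Computer": "FS01",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 4720, "Computer": "FS01", "TargetUserName": "svc_backup2"},
]

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS, allowed_driver_hosts={"GAMEPC07"})
    for alert in found:
        print(alert)
    print("distinct rules per host:", score_hosts(found))
```

The allow-list is what keeps the driver rule usable in practice: a K7 or game driver on a host that legitimately runs that software is noise, the same driver landing in a temp directory on a file server is not.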
Hardening. Enforce kernel-driver allow-listing via WDAC/HVCI and keep the Microsoft vulnerable-driver blocklist current (it covers the LOLDrivers entries this chain abuses); constrain egress so UDP/443 (QUIC) to Microsoft service tags is the only permitted path and is itself monitored; and audit any internet-reachable MSSQL/SQL Server instances out of existence. Because Backdoor.Turn rides genuine Microsoft relay infrastructure, IP/domain blocking is ineffective — the leverage is process-lineage and driver-load telemetry, not network reputation.
6. Action Items
- Patch or isolate JCE-enabled Joomla sites today (see § 0 Immediate Action, § 2). Upgrade to JCE 2.9.99.5/2.9.99.6; on any previously-unpatched site, hunt web logs for unauthenticated index.php?option=com_jce&task=profiles.import POSTs and treat the earliest hit as the breach time — exploitation is automated and CISA-KEV-confirmed.
- Patch all three FortiSandbox CVEs and restrict the management interface (§ 4). CVE-2026-39808/39813 (April patches) and CVE-2026-25089 (06-09 patch) are under simultaneous exploitation; a compromised sandbox suppresses blocking across the FortiGate/FortiMail stack. Watch JRPC/web-UI access logs for unauthenticated external POSTs.
- Disable PAN-OS GlobalProtect "Authentication Override" if not required, patch, and hunt for Impacket lateral movement (§ 4). Audit VPN sessions since late May for anonymous NTLM logon and SMB enumeration (EID 4624 Type 3 from unexpected IPs, EID 5140/5145).
- For Check Point gateways, apply the early-June hotfix and prefer machine-certificate auth or disable IKEv1 legacy mode now that a CVE-2026-50751 PoC is public (§ 4).
- Upgrade google-cloud-aiplatform to 1.148.0 (the fully hardened release — 1.144.0–1.147.x are only partially protected) and audit Vertex AI jobs for default staging buckets (§ 3); alert on ownership changes for {project-id}-vertex-staging-{region} buckets.
- Add the ClickFix PowerShell hunt for the <# Code Verification: NNNNNNNNNNNN #> artefact and for mshta.exe spawned by msiexec.exe; block mshta.exe via AppLocker/WDAC where feasible (§ 3).
- Review offboarding access-revocation for staff with bulk-export rights over citizen/student data (§ 1, Munich). Bind database export credentials to just-in-time access tied to HR offboarding; alert on pre-departure bulk downloads.
- Refresh the Microsoft vulnerable-driver blocklist and enforce WDAC/HVCI driver allow-listing (§ 5, DragonForce BYOVD); constrain and monitor QUIC/UDP-443 egress to Microsoft service tags since Teams-relay C2 defeats IP/domain blocking.
7. Verification Notes
- Items dropped:
  - CVE-2026-44963 (Veeam Backup & Replication, authenticated domain-user RCE) — surfaced by both S1 and S2 as significant, but out-of-window: primary sources are 2026-06-09/06-10 and the CVE is already in cves_seen.json (first 06-10, last 06-14) with no in-window development. Retained here for awareness; if exploitation emerges it returns as a § 4 UPDATE.
  - CVE-2026-11645 (Google Chrome V8 zero-day) — already covered (cves_seen 06-10→06-14); primary sources 2026-06-08/06-09 are out-of-window with no fresh delta. Dropped.
  - IT Army of Ukraine — Kaluga Astral disruption — [SINGLE-SOURCE] (The Record, 2026-06-15); no direct CH/EU nexus. Noted for situational awareness only, not carried as an item.
- Single-source / primary-research items: the Sekoia ErrTraffic (§ 3) and Huntress Potemkin (§ 3) analyses are single primary-research-lab disclosures (corroborated by reporting where available); presented as the labs' own findings.
- Reduced confidence: FortiSandbox exploitation (§ 4) is reported by Defused Cyber and relayed via Security Affairs / Help Net Security; Fortinet has not officially confirmed exploitation — attribution of the claim, not the vendor.
- Source dropped on liveness: the watchTowr technical write-up URL for CVE-2026-50751 (§ 4) returned 404 at the mechanical gate and was removed; the mechanism is now described at the level NCSC-NL and Help Net Security support, with watchTowr credited in prose only.
- NCSC-NL advisory rendering (§ 4 Check Point): advisories.ncsc.nl/advisory?id=NCSC-2026-0179 is an Angular SPA that returns a redirect/shell on direct fetch; its content (the public-PoC note) was confirmed via the bridge fetcher and S2's research. The content-readable Help Net Security article is listed first as the primary for the substantive claim; the NCSC-NL advisory is retained as the in-window (06-16) national-CERT reference.
- Contradiction (PAN-OS CVE-2026-0257, § 4): Unit 42 (2026-06-09) observed successful auth-bypass VPN sessions but states no post-exploitation activity or lateral movement was observed; Arctic Wolf (2026-06-11) observed Impacket-pattern SMB enumeration and domain-user discovery in a subset of intrusions. The brief reports the Arctic Wolf observation as the lateral-movement signal; the two reflect different victim subsets and observation windows, not a factual conflict.
- Source list: added Zimperium zLabs as a candidate source (primary mobile threat research; contributed the Rokarolla item, § 3). Overflow not added this run (one-candidate cap): MOXFIVE (FulcrumSec actor profile, cited in § 4) — re-evaluate next run.
- Sub-agents: all four (S1–S4) returned within budget (Claude Sonnet 4.6).
- Coverage gaps: databreaches-net (403, no Wayback snapshot — Novo Nordisk covered via alternates); sophos-xops (Next.js SPA body not extractable; 06-16 post confirmed but content unrecoverable); fortiguard-psirt (Angular SPA shell — FortiSandbox details via Security Affairs / Help Net); cert-at (RSS 404 on both feed URLs); rapid7-research (SPA body unextractable); inside-it-ch (not fetched this run); cnil-fr, edpb, ico-uk, sec-disclosures-edgar (no in-window qualifying items); akamai-sirt, dragos, sans-ics, talos (no in-window content).