CTI Daily Brief — 2026-06-21

0. TL;DR

A new Go-based ransomware family, Prinz Eugen, encrypts most-recently-modified files first and drops no ransom note — confirmed against a French public-sector workforce agency. Initial access is stolen RDP credentials, followed by backdoor admin-account creation and RemotePC RMM abuse for lateral movement (Malwarebytes ThreatDown, 2026-06-17). The no-note, out-of-band-extortion model defeats ransom-note-based detection — hunt on RDP-logon-then-admin-account-creation and .prinzeugen write fan-out instead. See § 5.
The Gravity SMTP WordPress plugin is being mass-exploited (≈17M blocked requests) to dump configured SES / Google / Mailjet / Resend / Zoho credentials from any site running ≤ 2.1.4. CVE-2026-4020 is an unauthenticated REST endpoint that returns a full system report including API keys and OAuth tokens; the patch shipped in March but exploitation surged two months later, so a vulnerable site should treat every configured email credential as already harvested (The Next Web, 2026-06-20). See § 2.
Microsoft now attributes last week's Mastra npm scope compromise to North Korea's Sapphire Sleet (BlueNoroff) and discloses the access vector our 2026-06-18 coverage could not: a dormant maintainer account that retained publish rights across all 142 @mastra packages (BleepingComputer, 2026-06-20). See § 4.
The UK Information Commissioner resigned with immediate effect, leaving the ICO leaderless mid-restructure and with enforcement caseload already at a decade low (UK ICO, 2026-06-19). Organisations with open UK-GDPR cases (e.g. the HCRG 16-month notification-delay investigation, § 1) should expect timelines to slip further.
Two more third-party-vendor breaches land on public-sector and healthcare bodies: 3.08M Texas hunting/fishing-licence holders (with a public-vs-AG-filing contradiction over whether SSNs were taken) and Amazon's One Medical Seniors archive (with ShinyHunters' unverified 8.8TB claim and a deadline that expires today) (BleepingComputer, 2026-06-19). See § 1.

1. Active Threats, Trending Actors, Notable Incidents & Disclosures

UK Information Commissioner resigns with immediate effect — regulator left leaderless mid-restructure

The UK Information Commissioner's Office confirmed on 2026-06-19 that Commissioner John Edwards resigned with immediate effect after an independent workplace investigation found a "case to answer" over conduct described as inappropriate (UK ICO, 2026-06-19). The departure lands while the ICO is mid-transition toward a new statutory Information Commission and while its active-investigation caseload has fallen sharply over the past several years, leaving a large backlog of unassigned cases (The Record, 2026-06-19). The Department for Science, Innovation and Technology has put interim governance arrangements in place but published no succession timeline.

Why it matters to us: The ICO is the UK's GDPR supervisory authority. For Swiss and EU organisations relying on UK data-transfer adequacy or with live ICO breach-enforcement cases (the HCRG matter below among them), a leaderless regulator with a shrinking caseload means enforcement and notification timelines are likely to extend — a continuity risk to factor into cross-border data-protection planning, not an operational threat.

HCRG Care Group first notifies patients of a February 2025 Medusa breach — 16 months on `[SINGLE-SOURCE]`

HCRG Care Group, described by the cited source as a major UK-based healthcare services provider, has begun notifying patients in June 2026 of a Medusa ransomware attack that occurred in February 2025 — more than 16 months after the incident (HIPAA Pulse, 2026-06-18). The Medusa gang publicly claimed the attack and asserted data theft at the time, and analysis of the stolen dataset circulated well before formal notifications, meaning affected individuals could have learned of their exposure from media coverage rather than from the provider. UK-GDPR sets two distinct clocks — supervisor notification within 72 hours under Article 33 and notification to affected individuals "without undue delay" under Article 34 — and a 16-month gap to individual notification is precisely the kind of timeline the latter is meant to prevent. [SINGLE-SOURCE] — see § 7.

Texas Parks & Wildlife: 3.08M licence holders exposed via an unnamed third-party vendor — with a public-vs-AG-filing SSN contradiction

The Texas Parks and Wildlife Department disclosed on 2026-06-18/19 that a breach at an unnamed third-party vendor handling hunting and fishing licence sales exposed 3,087,721 customers' names, driver's-licence numbers, passport numbers, email addresses, phone numbers and residential addresses (BleepingComputer, 2026-06-19). The Texas Cyber Command flagged the intrusion (reported 13 May). TPWD's public statement said Social Security numbers were not involved — but The Register reviewed the agency's own filing to the Texas Attorney General's breach portal and reports it contradicts that, indicating SSNs were included (The Register, 2026-06-19). The vendor remains unnamed; Kroll is providing credit monitoring.

Amazon's One Medical confirms a legacy-storage breach; ShinyHunters' 8.8TB claim is unverified and its deadline expires today `[SINGLE-SOURCE]`

One Medical (Amazon) confirmed on 2026-06-13 that an unauthorised party accessed a legacy third-party file-storage system retaining archived records for One Medical Seniors (formerly Iora Health), during a 2026-06-08 to 2026-06-11 window, affecting demographic and clinical records for patients at nine clinics (BankInfoSecurity, 2026-06-19). One Medical states the breach is confined to that legacy system. Separately, ShinyHunters claims theft of 8.8 TB and set a 2026-06-22 negotiation deadline — today — but the company has not confirmed ShinyHunters' involvement or the data volume, and no sample has been released to validate the claim. [SINGLE-SOURCE] — see § 7.

2. Trending Vulnerabilities

CVE-2026-4020 — Gravity SMTP WordPress plugin: unauthenticated config-dump of email-connector credentials, mass-exploited

CVE-2026-4020 is an unauthenticated information-disclosure flaw in the Gravity SMTP WordPress plugin (all versions through 2.1.4). A REST endpoint registered at /wp-json/gravitysmtp/v1/tests/mock-data ships with a permission_callback that unconditionally returns true; an unauthenticated request triggers the plugin's register_connector_data() routine, which returns a roughly 365 KB JSON system report containing API keys and OAuth tokens for every configured email connector (Amazon SES, Google Workspace, Mailjet, Resend, Zoho), plus WordPress/PHP versions, database configuration and the active-plugin inventory (The Next Web, 2026-06-20). The fix shipped in version 2.1.5 on 2026-03-17 (GitHub Advisory GHSA-jxfc-8wcq-xxcg), but mass exploitation began roughly two months later: defenders report on the order of 17 million blocked exploitation attempts, peaking in early June (The Next Web, 2026-06-20). WordPress is pervasive across European public-sector and government communications sites; any instance that ran a pre-2.1.5 version should be treated as having had its email-connector credentials harvested.

The vulnerability clears the § 2 bar on confirmed in-the-wild mass exploitation (vendor-blocked-request telemetry), not on a KEV/EUVD listing. Detection: web-server access logs for GET requests to /wp-json/gravitysmtp/v1/tests/mock-data (often with a ?page=gravitysmtp-settings parameter) from external IPs; a ~365 KB response body is a distinctive marker. Maps to T1190 Exploit Public-Facing Application → T1552.001 Unsecured Credentials: Credentials In Files. Remediation is two-step and the second step is the one most sites miss: upgrade to ≥ 2.1.5, then rotate every SES / Google / Mailjet / Resend / Zoho credential the plugin held, since the patch closes the leak but does not invalidate already-exfiltrated tokens.

3. Research & Investigative Reporting

Krebs and Qurium tie the "Popa" Android-TV residential-proxy botnet to a NASDAQ-listed proxy vendor

Krebs on Security and the Qurium Media Foundation jointly documented Popa, a residential-proxy botnet that has run on millions of Android-based consumer TV boxes for roughly four years, operating as a plugin component of the larger Vo1d botnet (Krebs on Security, 2026-06-18). The botnet monetises infected devices by relaying advertising fraud, account-takeover traffic and AI data-scraping through residential IP space so the traffic appears to originate from ordinary home users. Qurium's forensic tracing of several dozen control domains found infrastructure operated in lockstep with NetNut — a "residential proxy" service tied to publicly-traded Alarum Technologies (NASDAQ: ALAR) — via the NinjaTech entity and a shared neonative library (Qurium, 2026-06-18). Propagation is through thousands of malware-laced pirated streaming and torrent apps reaching unofficial Android TV hardware. Per the fake-news guard, this is the researchers' documented corporate-infrastructure linkage — Alarum has not been charged with any offence, and the legal characterisation of the proxy traffic is unresolved; attribute the connection to Krebs/Qurium rather than asserting it as adjudicated fact.

Why it matters to us: Residential-proxy traffic is hard to block without collateral damage, and it inverts a common SOC assumption — an authentication attempt arriving from a "residential" ASN may be proxy-relayed attack traffic, not a geographic-targeting signal. Practical posture for a public-sector SOC: flag authentication events from residential ASNs that are anomalous for your user population, watch for consumer Android-TV IP ranges touching sensitive portals (those devices have no business authenticating to corporate services), and treat residential-proxy provider ranges as a credential-stuffing source against citizen-facing portals. Maps to T1090.002 Proxy: External Proxy and T1496 Resource Hijacking.

4. Updates to Prior Coverage

UPDATE: Mastra npm scope compromise attributed to North Korea, with the access vector our deep dive could not name

UPDATE (originally covered 2026-06-18): The deep dive on 2026-06-18 documented the easy-day-js poisoning of 140+ @mastra packages but noted the cited primaries did not disclose how the publishing account was obtained, and made no attribution. Microsoft Threat Intelligence has now closed both gaps: it attributes the operation to North Korea's Sapphire Sleet (BlueNoroff / UNC1069) and states the access vector was a dormant former-contributor npm account (ehindero) whose publish rights across the entire @mastra scope were never revoked (BleepingComputer, 2026-06-20).

Microsoft's analysis details the post-install chain — easy-day-js disables TLS verification, pulls a cross-platform Node.js implant that enumerates 166 cryptocurrency-wallet browser extensions and steals browser profiles, then establishes a scdev svchost service running as SYSTEM for boot persistence (Microsoft Threat Intelligence, 2026-06-17). Snyk independently confirms the dormant-account root cause and notes npm does not expire scope-publish permissions on inactivity (Snyk, 2026-06-16). The defender action shifts from "remove easy-day-js" to a structural control: audit your own private-registry and package-scope ACLs for dormant accounts with retained publish rights, and enforce time-bound or MFA-gated publish tokens. Microsoft notes this is Sapphire Sleet's second npm scope-takeover of 2026 (after Axios in April) — a systematised dormant-high-privilege-account hunt, not a one-off.

UPDATE: Klue OAuth-token breach — victim list grows, CRM-API abuse chain detailed

UPDATE (originally covered 2026-06-19): The Klue compromise first covered on 2026-06-19 (Icarus obtaining a legacy Klue credential) now has a named, growing victim list and a documented post-access technique. Klue confirms the attacker harvested customer-provisioned OAuth tokens for connected platforms — principally Salesforce, plus Gong, HubSpot, SharePoint and others — and used them to query customer CRM instances directly (Klue, 2026-06-19).

Huntress forensics show the stolen tokens were used to hit Salesforce REST endpoints at /services/data/v59.0/query/<STRING> with a python-urllib User-Agent — anomalous in a legitimate Klue-integration context (Huntress, 2026-06-18). Confirmed affected organisations now include Huntress, Recorded Future, Tanium, Jamf and Sprout Social; Icarus has publicly claimed the attack and is demanding contact via Session messenger (BleepingComputer, 2026-06-19). The chain — compromise an integration platform's legacy credential, harvest downstream OAuth tokens, query customer CRM APIs from the platform's legitimate IP range — bypasses perimeter controls. Detection surface: Salesforce Event Monitoring for a python-urllib API caller, unusual /services/data/v*/query/ volumes from non-user principals, and out-of-hours API sessions from unexpected source orgs. Hardening: audit and revoke OAuth grants to third-party SaaS vendors (especially inactive integrations), enforce IP restrictions on Salesforce connected-app policies, and scope integration-platform credentials so one compromised account cannot chain to every downstream tenant.

5. Deep Dive — Prinz Eugen: a Go-based encryptor that targets recent files first and leaves no ransom note

Malwarebytes ThreatDown published a technical deep dive into Prinz Eugen, a Go-based ransomware operation active since at least April 2026 and operating as a standalone crew rather than a ransomware-as-a-service affiliate (Malwarebytes ThreatDown, 2026-06-17). A confirmed European victim — Transitions Pro Centre Val de Loire, a French state-funded workforce-transition agency — puts it squarely in scope for a Swiss/EU public-sector SOC, alongside victims reported in finance and US automotive services. Two design choices make it worth a defender's attention: it leaves no ransom note on disk, and it encrypts the most-recently-modified files first (BleepingComputer, 2026-06-20).

Kill chain. Initial access is via stolen RDP credentials (T1133 External Remote Services, T1021.001 Remote Desktop Protocol). Post-access is hands-on-keyboard: the operator creates a backdoor local admin account (the documented command line is net user admin germania /add, T1136.001 Create Account: Local Account), stages the encryptor as servertool.exe (downloaded via Chrome into the user's Music folder, T1105 Ingress Tool Transfer), and abuses the legitimate RemotePC (IDrive) RMM tool plus enterprise platforms (SharePoint, OneDrive, Citrix) for lateral movement and to blend with normal activity. Encryption is T1486 Data Encrypted for Impact; extortion is conducted entirely out-of-band (no on-host note), defeating the common detection heuristic of alerting on dropped ransom-note files.

Encryption internals. The Go binary encrypts with ChaCha20-Poly1305 (AEAD) using a 32-byte master key and per-file random IVs, with a three-stage key-derivation chain — Argon2id → SHA-256 → HKDF-SHA256. Encrypted files carry a CHV1 magic header and the .prinzeugen extension. After encryption the binary zeroes its hardcoded key material and forces garbage collection before self-deleting, frustrating post-incident key recovery from memory. The "recent files first" ordering is the operationally significant detail: it maximises impact on active business data while shortening the encryption window before detection.

Hunt and detection concepts (no IOCs). The highest-fidelity signal is the access-to-persistence transition: an RDP logon from an unusual ASN or geography followed within minutes by local-admin-account creation (Windows Security Event ID 4624 logon → 4720 account created → 4732 added to Administrators). Watch for net user … /add on command lines (Event ID 4688 process creation with command-line auditing), servertool.exe executing with directory-path arguments, and RemotePC installed on endpoints outside the managed-software inventory — a standalone high-signal hunt. Finally, monitor for .prinzeugen extension fan-out across file shares.

Hardening / recovery. Restrict RDP to VPN or jump-host access and enforce MFA on all remote-access sessions — this closes the documented initial-access vector. Inventory and revoke dormant RMM licences and add network detection for RemotePC traffic originating from endpoints that should never be remote-administered. The "recent files first" behaviour has a recovery corollary worth planning around: file-share snapshots taken within the last 24–48 h before an encryption event will have the highest recovery fidelity, so frequent short-interval, access-controlled backups or snapshots are disproportionately valuable against this family.

6. Action Items

Patch Gravity SMTP to ≥ 2.1.5 and rotate every email-connector credential it held (CVE-2026-4020, § 2). Upgrading closes the leak but does not invalidate tokens already harvested during mass exploitation — rotate SES / Google / Mailjet / Resend / Zoho keys and OAuth tokens for any site that ran ≤ 2.1.4. Hunt access logs for GET requests to /wp-json/gravitysmtp/v1/tests/mock-data.
Close the RDP-credential initial-access path and audit RMM tooling against the Prinz Eugen pattern (§ 5). Restrict RDP to VPN/jump-host with MFA, inventory and revoke dormant RemotePC/RMM licences, and add detection for the RDP-logon-then-local-admin-creation sequence (Event IDs 4624 → 4720 → 4732). Verify frequent short-interval, access-controlled backups exist given the family's recent-files-first encryption ordering.
Audit package-scope and private-registry ACLs for dormant accounts with retained publish rights (§ 4, Mastra/Sapphire Sleet). Enforce time-bound or MFA-gated publish tokens and revoke publish access on contributor offboarding; this is the structural control the DPRK attribution makes urgent.
Inventory and prune OAuth grants to third-party SaaS integration platforms (§ 4, Klue/Icarus). Revoke tokens for inactive integrations, enforce IP restrictions on Salesforce connected-app policies, and add Salesforce Event Monitoring detection for python-urllib API callers and anomalous /services/data/v*/query/ volume from non-user principals.
Bring legacy and "decommissioned" third-party storage into third-party risk scope (§ 1, One Medical / Texas / HCRG pattern). Archival systems holding clinical/PII data outside normal operational scope are the recurring breach surface; require contractual breach-notification timelines and segmentation guarantees, and reconcile any public breach statement against your regulator filing before publishing.

7. Verification Notes

Items dropped:
- PTC Windchill / FlexPLM CVE-2026-12569 — surfaced again by S2 (NCSC-CH #12713, BSI after-hours outreach) but covered in full on 2026-06-20 (deep dive + § 0 Immediate Action callout + § 2). No material new in-window development (no new victim, CVE, patch or attribution), so not re-reported per PD-8. CVSS is consistent with the prior coverage (10.0 CVSS 3.1 / 9.3 CVSS 4.0).
- INC ransomware "830+ victims" report (Acronis TRU / The Hacker News) — the primary (Acronis TRU) is dated 2026-06-10, outside both the 36 h and 72 h windows; the only near-window source is an aggregator synthesis (The Hacker News, 2026-06-18) and the lead figures are vendor victim-count metrics. Dropped per PD-7 (out-of-window primary) and PD-4 (vanity metrics). The technical substance (Rust-rewritten Windows/Linux encryptors, BYOVD EDR evasion, a Veeam-targeting credential dumper, and initial access via known Citrix NetScaler, Fortinet EMS, SimpleHelp and Citrix Bleed 2 exploits) may warrant pickup by the weekly if it stays current.
- Sophos X-Ops AI infostealer-triage pipeline — Sophos blog dated 2026-06-16, outside the window and single-source; included by S3 only to honour the sophos-xops rotation obligation. Dropped per PD-7.
Single-source items (PD-5):
- HCRG Care Group notification delay (§ 1) — cited to HIPAA Pulse only; the DataBreaches.net article body returned HTTP 403 on every bridge attempt this run, so only the corroborating publication was independently readable. Core claim (16-month delay on a Feb-2025 Medusa breach) is consistent across the feed summary and HIPAA Pulse.
- One Medical / ShinyHunters (§ 1) — cited to BankInfoSecurity only; One Medical's own security-event-notice page was not reached in this run and is therefore not cited. The 8.8 TB figure and the 2026-06-22 deadline are ShinyHunters' unverified claims, not confirmed facts.
Contradictions: Texas Parks & Wildlife SSN scope — TPWD's public statement says Social Security numbers were not involved; The Register reports the agency's own filing to the Texas Attorney General's breach portal indicates SSNs were included. The brief reports both and flags the discrepancy rather than resolving it, on the basis that the AG filing is the more formal disclosure channel.
Reduced-confidence items: none beyond the single-source flags above.
Recency: standard daily window (gap to prior brief 24 h; window_hours = 36, developing-window 72 h). All published items have an in-window source; § 4 UPDATEs cite an in-window delta (BleepingComputer 2026-06-20) even where the underlying primary (Microsoft 2026-06-17) is just outside the 36 h window, per the PD-7 UPDATE carve-out.
Sub-agents: all four (S1–S4) returned within budget; none stalled.
Tooling: the end-of-run tools/source_health.py accessibility probe did not complete within its wall-clock budget this run (timed out); state/source_health.json is unchanged from the prior run and the per-source accessibility snapshot was not refreshed. No impact on the brief; flagged for the next run.
Coverage gaps: cert-fr (feed stale / no in-window advisory); bsi-de (no 2026-06-20/21 items in feed); ncsc-nl (no 2026-06-20/21 advisory); cert-eu (latest advisory 2026-06-10, outside window); inside-it-ch (RSS reachable but no in-window security items — recurring rotation gap, 5+ runs); databreaches-net (feed 200 but article bodies 403 via WAF — recurring rotation gap, 4+ runs); heise-sec (article bodies TollBit-gated; used RSS summary + EN edition); sec-disclosures-edgar (bridge returned HTTP 500, retry returned 0 Item-1.05 8-K filings in window); cnil-fr (no in-window enforcement actions); dragos, dfirreport, acronis-tru (no in-window primary, or 403).

On this page