CTI Daily Brief — 2026-06-23

ShapedPlugin build pipeline compromised — three Pro WordPress plugins backdoored to steal credentials, 2FA secrets and drop a web shell

Wordfence disclosed on 2026-06-22 that an attacker breached the build and Easy Digital Downloads (EDD) distribution pipeline of plugin vendor ShapedPlugin and injected backdoor code into the Pro (paid) releases of three products — Product Slider Pro for WooCommerce (before 3.5.4), Real Testimonials Pro (fixed in 3.2.5) and Smart Post Show Pro (before 4.0.2) — tracked as CVE-2026-10735 (Wordfence, 2026-06-22; BleepingComputer, 2026-06-22). The free versions hosted on the WordPress.org repository were not affected — only the licensed Pro updates pushed through EDD between roughly 21 May and 12–16 June carried the injection. The malicious code planted a LicenseLoader.php stub that executes when an administrator loads any wp-admin page; it calls out to a C2, downloads a second-stage payload, installs it as a hidden fake plugin (masquerading as woocommerce-subscription / woocommerce-notification), reports the victim domain, then deletes itself to frustrate forensics (The Hacker News, 2026-06-22). The second stage steals WordPress admin credentials, 2FA TOTP secrets, wp-config.php salts and database credentials, and maintains persistence through hidden REST API endpoints. Timestamp analysis pointed to an automated injection touching only four files inside a two-hour window — consistent with a pipeline-level compromise rather than manual tampering.

Why it matters to us: This is the "trusted update channel" supply-chain pattern again (cf. the W25 OptinMonster strand), and the operational consequence is that patching is not remediation — Wordfence's guidance is to treat any site that installed an affected Pro update as fully compromised. Detection concepts (no IOCs): hunt for a LicenseLoader.php in plugin directories; for installed plugins named woocommerce-subscription / woocommerce-notification that do not appear in the admin plugin list; for php-fpm/apache2/nginx child processes making outbound connections (Sysmon EID 1 with a web-server parent image, or auditd execve on PHP workers); and for wp_users rows with administrator role created after ~21 May. Mapped to T1195.002 Compromise Software Supply Chain, T1505.003 Server Software Component: Web Shell, T1552.001 Unsecured Credentials: Credentials In Files. Remediation: update to the fixed Pro versions, then rotate all WordPress secrets — admin passwords, 2FA, DB credentials and wp-config.php salts — and review the WooCommerce order/SMTP-credential exposure.

Two Scattered Spider members plead guilty over the 2024 Transport for London intrusion

Thalha Jubair (20) and Owen Flowers (18) changed their pleas to guilty at Woolwich Crown Court on 2026-06-22, both admitting conspiracy to commit unauthorised acts against Transport for London under the Computer Misuse Act (UK National Crime Agency, 2026-06-22; ITV News, 2026-06-22). The 31 August – 3 September 2024 intrusion disrupted TfL services for three months, forced in-person password resets for all 28,000 staff, and affected roughly 10 million customers including Oyster systems, at a cost the NCA puts at £29M in loss and recovery (ITV and the BBC reported £39M — see § 7). Flowers additionally admitted attempted intrusions against US healthcare providers Sutter Health and SSM Health; the NCA ties both defendants to the Scattered Spider collective (UNC3944 / Storm-0875), and sentencing is set for 16 July 2026 (Yahoo/BBC, 2026-06-22).

CVE-2026-20896 — Gitea (Docker): trust-all reverse-proxy default lets an unauthenticated attacker impersonate any user via `X-WEBAUTH-USER`

Gitea 1.26.3 (2026-06-20) and 1.26.4 (2026-06-21) fix a cluster of four flaws; the critical one is CVE-2026-20896 (CVSS 9.8). The official Gitea Docker image shipped with REVERSE_PROXY_TRUSTED_PROXIES defaulting to the wildcard *, meaning Gitea trusts the reverse-proxy authentication header from any source. Any attacker who can reach the container's HTTP port can therefore send an X-WEBAUTH-USER header naming an arbitrary user — including an administrator — and be authenticated as that user with no credentials (Gitea, 2026-06-21; GitHub Security Advisory GHSA-f75j-4cw6-rmx4, 2026-06-21). Bare-metal deployments with an explicit trusted-proxy CIDR are unaffected unless they also set the wildcard. The same release also patches CVE-2026-27775 (protected-branch enforcement race in single-push batch operations), CVE-2026-20779 (CVSS 7.1 — TOTP 2FA bypass via a web-flow TOCTOU race and stateless X-Gitea-OTP replay inside the OTP validity window) and CVE-2026-22874 (SSRF in the webhook / repo-migration subsystems). Germany's BSI issued WID-SEC-2026-2027 on 2026-06-22 rating the set "hoch" (BSI WID, 2026-06-22). No in-the-wild exploitation reported yet; included on the pre-auth-critical-on-widely-deployed-software gate. Gitea is the dominant self-hosted GitHub alternative across DACH/EU public-sector DevOps and sovereign-cloud environments, so an internet-reachable or loosely-segmented Docker instance is an immediate admin-takeover risk (T1190 Exploit Public-Facing Application, T1078.001 Default Accounts). Mitigations: set REVERSE_PROXY_TRUSTED_PROXIES to the exact reverse-proxy IP/CIDR, or disable ENABLE_REVERSE_PROXY_AUTHENTICATION entirely if header-auth is not used; upgrade to 1.26.4. Hunt for admin logins sourced from the reverse-proxy IP with no corresponding password-auth audit entry, and webhook calls to RFC-1918 addresses.

CVE-2026-12789 — ILIAS 11.0: unpatched, PoC-public SQL injection in the learning-progress subsystem (DACH education exposure)

BSI WID-SEC-2026-2016 (2026-06-22) flags CVE-2026-12789, an SQL injection in ILIAS 11.0's learning-progress tracking — specifically ilTrQuery::executeQueries in components/ILIAS/Tracking/classes/class.ilTrQuery.php (BSI WID, 2026-06-22; GitHub Advisory GHSA-69G6-PGGC-389P, 2026-06-21). Exploitation requires an authenticated session (the advisory indicates elevated privileges are needed — PR:High), and the CVSS v4 base score is a low 2.0, reflecting the auth prerequisite and limited data-exposure scope. The operational concern is not the score: no patch is available (the vendor has been unresponsive to coordinated disclosure), a proof-of-concept is public, and ILIAS is the dominant open-source LMS across Swiss, German and Austrian universities, vocational schools (Berufsschulen) and public-sector training portals; an ENISA EUVD record exists (EUVD-2026-38153) (ENISA EUVD, 2026-06-22). Below the standard § 2 CVSS/exploitation gate, retained on CH/EU-public-sector-education relevance — see § 7. Until a fix ships: apply WAF rules blocking SQL metacharacter sequences on the tracking endpoints; restrict learning-progress endpoints to enrolled roles; and confirm the ILIAS database account lacks FILE/DROP/superuser rights (T1190 Exploit Public-Facing Application, T1078 Valid Accounts). Hunt DB slow-query / WAF logs for UNION SELECT patterns in POST bodies to tracking endpoints and anomalous result-set volumes.

"Squidbleed" — a 29-year-old heap over-read in Squid's FTP gateway leaks other users' cleartext HTTP credentials (CVE-2026-47729)

Researchers at Calif.io disclosed CVE-2026-47729, nicknamed Squidbleed: a heap buffer over-read in the Squid proxy's FTP-over-HTTP gateway (src/FtpGateway.cc) introduced by a 1997 code commit (Calif.io, 2026-06-18; The Hacker News, 2026-06-22). The root cause is a whitespace-skipping loop that calls strchr(w_space, *copyFrom) without first checking for the string terminator: strchr returns a non-NULL pointer when the search character is the embedded \0, so the parser walks past the end of the FTP directory-listing buffer into adjacent heap memory containing other users' cached HTTP requests. An attacker who controls an FTP server and can induce the proxy to fetch from it (FTP support and TCP/21 are in Squid's default Safe_ports ACL) can leak Authorization headers, session cookies, API keys and other cleartext request content from concurrent users sharing the same proxy worker (SecurityWeek, 2026-06-22). HTTPS relayed via CONNECT tunnels is not exposed; only cleartext HTTP and TLS-terminating proxy setups are. SUSE rates it moderate (CVSS 6.5) and there is no confirmed in-the-wild exploitation. The fixed-version picture is disputed upstream: the patch was merged in spring 2026, but the Squid maintainer first attributed the fix to 7.6 (released 8 June 2026) then corrected that to 7.7, while Debian's assessment is that the referenced commit is already present in 7.6, and SecurityWeek reports the fix shipped in 7.6 (The Hacker News, 2026-06-22; SecurityWeek, 2026-06-22). The safe reading for defenders is to treat the fixed version as uncertain and verify against your own build rather than assuming a single release line is clean — see § 7. Calif.io credits an AI model (Anthropic's "Claude Mythos") with surfacing the strchr edge case during AI-assisted fuzzing — another data point in the AI-assisted-vulnerability-discovery pattern the W25 weekly tracked.

Why it matters to us: Squid is widely deployed as a forward / caching / web-filtering proxy across EU public-sector networks, university perimeters and ISP infrastructure — exactly the multi-user environments where the cross-user leak has impact. Interim mitigation that does not depend on resolving the fixed-version dispute: disable FTP proxying (acl ftp proto FTP + http_access deny ftp, or drop FTP from Safe_ports) where it is not needed, and restrict who can reach the proxy from untrusted/multi-tenant segments. Confirm the fix is present in your actual build (RHEL/Debian/Ubuntu ship 4.x–6.x — check for a backport) rather than trusting a version number. Detection: monitor Squid access.log for ftp://-scheme requests from unusual clients and for worker heap-corruption / crash signals (T1190 Exploit Public-Facing Application; effective outcome resembles T1040 Network Sniffing).

Elastic shows how the newly-GA Azure AD Graph Activity Logs close a long-standing Entra enumeration blind spot `[SINGLE-SOURCE]`

Elastic Security Labs published a detection-engineering guide (2026-06-19) on ingesting the newly generally-available AADGraphActivityLogs into SIEM/XDR to catch tooling that has historically been invisible (Elastic Security Labs, 2026-06-19). Although Microsoft deprecated Azure AD Graph in favour of Microsoft Graph, the legacy API remains live and is actively used by ROADtools (ROADrecon), AzureHound and AADInternals for Entra ID tenant enumeration — the classic pre-lateral-movement step in identity attacks. The new log source (available from early 2026) records every legacy-Graph call with UPN, client_id, user-agent, source IP, HTTP method, resource path and response code. Elastic's rules surface ROADrecon-pattern user-agents, anomalous 4xx bursts (permission probing), FOCI (Family Of Client IDs) mismatches that signal lateral movement, device-code-flow auth immediately followed by Graph enumeration, and unusual ASN origins for Graph calls. [SINGLE-SOURCE] — Elastic is a vendor lab, not a national CERT, so the carve-out does not apply; the underlying log source and detections are independently verifiable against Microsoft documentation (see § 7).

Why it matters to us: Entra ID is the identity backbone for Swiss federal and cantonal administrations, EU institutions and essentially every Microsoft 365 tenant, and legacy-Graph enumeration has been a genuine detection gap for years. The concrete action is cheap and high-value: enable AADGraphActivityLogs in Entra diagnostic settings and route them to your SIEM, then build (or import Elastic's) detections on userAgent.original, client_id against your known app registrations, and http.response.status_code 4xx spikes (T1590 Gather Victim Network Information, T1087.004 Account Discovery: Cloud Account, T1078.004 Valid Accounts: Cloud Accounts).

UPDATE: FortiBleed — first full tool-chain disclosure (FortigateSniffer, SNIFTRAN, GPU cracking cluster); Fortinet confirms no new CVE

UPDATE (originally covered 2026-06-18, last 2026-06-20): New analysis published 2026-06-22 gives the first complete tool-chain picture of the FortiBleed credential-harvesting campaign. The operators deploy a purpose-built Golang tool, FortigateSniffer, that abuses FortiOS's native diagnose sniffer packet diagnostic command to capture authentication traffic on a compromised FortiGate; a second tool, SNIFTRAN, converts the captured traffic to PCAP, which a Python toolkit then parses for cleartext credentials, NTLM hashes, Kerberos tickets and LDAP/SQL auth material across ~24 protocols (BleepingComputer, 2026-06-22; SOCRadar, 2026-06-16).

Fortinet's PSIRT response confirms the campaign uses no new vulnerability — it reuses credentials from the previously-disclosed CVE-2026-24858, CVE-2025-59718 and CVE-2025-59719 plus brute force against devices lacking strong passwords and MFA (Fortinet PSIRT, 2026-06-19; SecurityWeek, 2026-06-22). Reported tradecraft includes a distributed 36-GPU cluster — rented from a generative-AI provider, per BleepingComputer — for offline cracking of the harvested hashes; SOCRadar characterises the operators as Russian-speaking (SOCRadar, 2026-06-16).

The delta for defenders is a concrete detection surface that earlier coverage lacked: FortiOS audit-logs diagnose sniffer packet execution, so hunt for unexpected CLI sniffer invocations and stray PCAP files on the appliance, and — because harvested AD credentials are the downstream prize — treat all domain credentials on any FortiBleed-corpus device as compromised and force a domain-wide rotation, watching for anomalous Kerberos service-ticket requests (event 4769) and new-source Logon Type 3 events (4624) against privileged accounts. Upgrade to firmware with PBKDF2 password hashing to make offline cracking expensive, terminate active sessions, enable MFA and disable external management access.

UPDATE: Klue/Icarus OAuth-token breach — named victim list expands to nine firms, mostly cybersecurity vendors

UPDATE (originally covered 2026-06-21): At least nine Klue customers have now publicly confirmed Salesforce-CRM data impact from the 11–12 June Icarus intrusion: HackerOne, Huntress, Jamf, OneTrust, Recorded Future, Snyk, Tanium, Insurity and Sprout Social (SecurityWeek, 2026-06-22). Exposed data is sales-account and contact information — names, business emails, job titles, phone numbers and addresses — exfiltrated via OAuth tokens from a dormant Klue→Salesforce integration; the actor (Icarus, also tracked as UNC6395) had set a 22 June publication deadline.

The concentration of cybersecurity vendors in the victim list is the notable delta: contact data for security-operations staff at those firms' customers now sits in a threat-actor corpus and is prime material for precision spear-phishing aimed at security roles. The structural lesson is unchanged from first coverage — enumerate and revoke unused third-party OAuth grants in Salesforce (Setup → Identity → OAuth Usage), scope active grants to minimum-necessary objects, and alert via Salesforce Event Monitoring on a connected app pulling thousands of account records in a single short session.