On this page
- 0. TL;DR
- 1. Active Threats, Trending Actors, Notable Incidents & Disclosures
- 2. Trending Vulnerabilities
- 3. Research & Investigative Reporting
- 4. Updates to Prior Coverage
- 5. Deep Dive — Turla's STOCKSTAY: a four-component .NET backdoor for diplomatic intelligence collection
- 6. Action Items
- 7. Verification Notes
0. TL;DR
- Russian intelligence now phishes Signal Backup Recovery Keys. FBI/CISA say UNC5792/UNC4221 elicit the 30-character backup key for persistent account takeover that survives re-registration on the same number; regenerate keys for high-risk staff (FBI IC3, 2026-06-26).
- Two Linux-kernel LPEs gain public, working root exploits. DirtyClone (CVE-2026-43503) and pedit COW (CVE-2026-46331) both silently poison the page-cache copy of setuid binaries and are reachable by any unprivileged user where user namespaces are enabled — the Debian/Ubuntu/Fedora default (JFrog, 2026-06-25).
- PTC Windchill RCE is now CISA-confirmed exploited. CVE-2026-12569 was added to the KEV catalog with JSP web shells observed in the wild; patch and hunt /Windchill/login/*.jsp (The Hacker News, 2026-06-26).
- "Miasma/Mini Shai-Hulud" npm worm runs a new wave across 23+ LeoPlatform/RStreams packages, again using binding.gyp install-time execution to harvest CI and cloud secrets (Socket, 2026-06-25).
- Klue/Icarus Salesforce breach widens to ~24 firms — newly named EU victims include Germany's Lucanet and Link11; the attacker was itself hacked and a second extortion actor has emerged (SecurityWeek, 2026-06-26).
- "The Gentlemen" ransomware: Switzerland is the second-most-targeted European country (Check Point data via Swiss press), against a group profile of 478 claimed victims and an SMB --spread worm capability (inside-it.ch, 2026-06-26).
1. Active Threats, Trending Actors, Notable Incidents & Disclosures
FBI/CISA: Russian intelligence now phishing Signal Backup Recovery Keys for persistent account takeover
The FBI and CISA issued an updated joint advisory (PSA I-062626-PSA, 2026-06-26) escalating their March 2026 warning about Russian Intelligence Services operators tracked as UNC5792 (FSB-linked) and UNC4221 (military-linked) (FBI IC3, 2026-06-26). The new tactic abuses Signal's optional encrypted-backup feature rather than any flaw in the Signal Protocol: operators impersonate Signal support, walk the target through Settings → Chats → Chat Backups, then elicit the 30-character Backup Recovery Key. With that key an attacker can download and decrypt the complete private and group message history offline. Critically, the advisory states the compromised key remains valid even if the victim later re-registers a new account on the same phone number — generating a new key in Settings invalidates future downloads but does not undo data already exfiltrated (FBI IC3, 2026-06-26). Stated targets are current and former government officials, military personnel, political figures, journalists, and Ukraine-related officials. This is T1598.003 (spearphishing via service) leading to T1078 (valid-account takeover via the backup mechanism), with no platform-layer sensor — detection relies on user reporting and MDM telemetry for backup-enable events.
Why it matters to us: Swiss federal, cantonal-police, and parliamentary staff using Signal for sensitive coordination sit squarely in the named target population. Issue policy now: high-risk personnel should regenerate their Signal Backup Recovery Key, treat any unsolicited "Signal support" message as hostile, and on managed devices disable Signal backups via MDM where operational security requires it.
UK Cyber Monitoring Centre publishes sector review of the Canvas/Instructure LMS breach — 160 universities, ShinyHunters extortion, ransom paid
The UK Cyber Monitoring Centre (CMC) published a post-incident sector review on 2026-06-25 of the April 2026 ShinyHunters (UNC6240) breach of Instructure's Canvas learning-management platform, which affected roughly 160 UK higher-education institutions (Computer Weekly, 2026-06-25). Attackers exfiltrated usernames, email addresses, course/enrolment data and student IDs, then pursued extortion by publishing victim lists, disrupting LMS access and defacing virtual learning environments; Instructure reportedly paid an undisclosed sum to have the stolen data destroyed (Computer Weekly, 2026-06-25), though Instructure's own incident statement describes only reaching an agreement and receiving deletion logs, without confirming a monetary payment (Instructure incident update). The CMC found no evidence of lateral movement into institutional networks but flagged residual phishing risk from the exfiltrated student/staff identity data. Its hardening recommendations are directly transferable: separate application and data layers to support clean recovery; inventory and contractually govern dependencies on offshore SaaS providers not subject to local law; and rehearse breach/business-continuity scenarios in tabletop exercises. Defender takeaway: Canvas is deployed at Swiss universities, German Hochschulen and Austrian Fachhochschulen; the same exfiltrated-identity → downstream-phishing risk applies. Education-sector SOCs should treat a third-party LMS breach as a phishing-enablement event for their entire student/staff population and pre-stage user comms, not only assess data-loss scope.
Microsoft: "Photo ZIP" phishing laundered through Calendly drops Node.js TonRAT against European hospitality front desks
Microsoft Threat Intelligence documented an active, since-April-2026 campaign against hospitality front-desk systems across Europe and Asia (Microsoft Threat Intelligence, 2026-06-25). The operators use authentication laundering — routing phishing mail through Calendly's SendGrid notification infrastructure and Google/share.google redirects so it passes SPF/DKIM/DMARC — before serving photo-<random>.zip archives whose IMG-<random>.png.lnk shortcuts masquerade as images. Execution runs multi-stage obfuscated PowerShell (BigInt arithmetic decoders that harden wave-over-wave), compiles a .NET DLL on the fly via csc.exe/cvtres.exe (T1027.004), then fetches a Node.js v24.13.0 runtime that executes the TonRAT implant. Persistence is the standout: dual HKCU\Run (Node component) plus HKCU\RunOnce (PE payload in C:\ProgramData\<random>\) keys, with the payload re-writing its RunOnce entry after every execution so removing only one key lets the other re-install on next logon. The loader also adds Add-MpPreference -ExclusionProcess Defender exclusions for its temp paths. Lures appear in Dutch, Danish and Japanese.
Why it matters to us: Swiss and EU hotels/event venues running Windows front-desk systems are in scope. Hunt for node.exe spawned from %LOCALAPPDATA% running random-named .js files, csc.exe+cvtres.exe sequences outside CI, and new Defender process-exclusions on temp paths — and remember cleanup must remove both the Run and RunOnce keys in the same pass.
2. Trending Vulnerabilities
CVE-2026-43503 — Linux kernel "DirtyClone": page-cache corruption via XFRM/IPsec skb cloning (working PoC)
JFrog Security Research published a full working-exploit walkthrough on 2026-06-25 for DirtyClone, the latest residual variant of the DirtyFrag family (JFrog Security Research, 2026-06-25). The flaw lives in __pskb_copy_fclone(), which fails to preserve the SKBFL_SHARED_FRAG safety flag when cloning a socket buffer; the cloned buffer, still referencing shared file-backed page-cache memory, is then passed through the XFRM/IPsec in-place decryption path, letting attacker-controlled bytes land in the cached image of a setuid binary such as /usr/bin/su (Red Hat, 2026-06-23). Earlier DirtyFrag fixes (CVE-2026-43284, CVE-2026-43500, CVE-2026-46300) do not close this code path; the fix is mainline commit 48f6a5356a33 (Linux v7.1-rc5, merged 2026-05-21), and most distributions had not yet shipped patched kernels at disclosure. The attack leaves no kernel-log or audit-trail artefacts.
CVE-2026-46331 — Linux kernel "pedit COW": out-of-bounds write in the tc act_pedit module (public weaponised PoC)
A separate page-cache-corruption LPE, pedit COW, drew a public weaponised PoC (packet_edit_meme) within a day of CVE assignment on 2026-06-16 (Red Hat Product Security, 2026-06-19). The bug is a missing bounds check in tcf_pedit_act() in net/sched/act_pedit.c: the function computes the copy-on-write range once before iterating the key list, so writes from later typed keys (whose runtime header offsets are not accounted for) fall outside the private copy and into read-only file-backed page-cache memory — a partial COW. An unprivileged user with tc rule-write access (again, obtainable through user namespaces) overwrites the cached /bin/su to spawn a root shell (The Hacker News, 2026-06-26). Red Hat confirms RHEL 8/9/10, RHCOS (OpenShift) and RHOSP affected; the flaw is exposed since kernel v5.18 and fixed upstream in v7.1-rc7. Interim mitigation where tc pedit is unused: blacklist the act_pedit module, or set kernel.unprivileged_userns_clone=0.
3. Research & Investigative Reporting
Kaspersky GReAT: "StrikeShark" loader deploys Cobalt Strike via "Perfect DLL Hijacking" against government targets
Kaspersky GReAT published a full technical analysis (2026-06-26) of SharkLoader, an undocumented loader used in a cluster it tracks as StrikeShark and assesses with low confidence as a Chinese-speaking actor (based on the Chinese-authored FScan/Searchall/Pillager toolkit it deploys) (Kaspersky Securelist, 2026-06-24). The loader's signature is "Perfect DLL Hijacking": it sideloads through legitimate signed binaries (SystemSettings.exe, msedge.exe), then forcibly releases LdrpLoaderLock and decrements LdrpWorkInProgress so it can spawn threads from DllMain without deadlocking the Windows loader — an unusually sophisticated pattern. Two encrypted modules (DscCoreR.mui, Blowfish; SyncRes.dat, AES-128) install Microsoft Detours hooks across 50+ APIs to null ETW (EtwEventWrite), spoof svchost.exe as parent PID (T1134.004), and demote Beacon memory from RWX to RW during sleep via MinHook on VirtualAlloc/Sleep to evade memory scanners (Help Net Security, 2026-06-26). Initial access is via a long list of public-facing RCEs (ProxyLogon CVE-2021-26855, Openfire CVE-2023-32315, GeoServer CVE-2024-36401, F5 BIG-IP CVE-2023-46747, FortiOS CVE-2024-21762), with European targets including North Macedonia and Serbia.
Why it matters to us: Swiss/EU organisations still exposed on any of the listed CVE versions are in the initial-access set. Hunt for SystemSettings.exe executing from %APPDATA% subdirectories, PrintDialog.dll loaded outside system32 (Sysmon EID 7), and processes whose ETW subsystem produces zero events.
Citizen Lab: Cellebrite UFED used by Russian authorities three months after the vendor's Russia pull-out
Citizen Lab published a forensic investigation (2026-06-25) confirming that Russian authorities used Cellebrite UFED / UFED 4PC / UFED Physical Analyzer to extract data from the iPhone 12 of opposition activist Andrey Pivovarov on 17 June 2021 — three months after Cellebrite cancelled its Russian contracts in March 2021 (Citizen Lab, 2026-06-25). Two independent evidence streams corroborate: on-device MobileLockdown records show a USB connection to a Host ID previously attributed to Cellebrite hardware, and an official forensic report authored by the MVD (Interior Ministry) Forensic Expert Center — commissioned by the Investigative Committee — explicitly names the UFED tooling and lists extracted WhatsApp/Telegram/Viber data with keyword searches for opposition figures (The Record, 2026-06-25). The operational lessons are blunt: physical seizure plus closed forensic tooling bypasses device encryption and end-to-end-encrypted messaging entirely; vendor contract cancellations and export controls are not a reliable technical barrier to tool proliferation; and MobileLockdown USB-host records are forensically valuable for identifying which extraction device touched a phone.
Defender takeaway: For Swiss diplomatic, parliamentary and law-enforcement staff travelling to higher-risk jurisdictions, threat models must treat device seizure as an out-of-band bypass of all software-based controls — pairing this with today's § 1 Signal advisory, sensitive comms should assume both the device and its backups are reachable by a capable adversary.
CVE-2026-12957 — Amazon Q Developer auto-loaded workspace MCP configs, enabling repo-planted code execution and AWS credential theft (Wiz)
Wiz Research disclosed (2026-06-26) that the Amazon Q Developer VS Code extension automatically loaded and executed Model Context Protocol (MCP) server configurations from a workspace's .amazonq/mcp.json with no user consent, workspace-trust check, or warning (Wiz Research, 2026-06-26). Spawned MCP processes inherited the developer's full environment — AWS session tokens, IAM credentials, SSH agent sockets — so cloning a malicious repository and opening it with Amazon Q active silently executed an attacker command; a minimal PoC ran aws sts get-caller-identity and POSTed the result to an external host with zero clicks (The Register, 2026-06-26). Wiz places it in a documented class of at least six MCP-auto-execution flaws across AI coding assistants (Cursor, Windsurf, Claude Code) — a workspace-trust-enforcement failure pattern, not a one-off. Affected: Language Server for AWS < 1.65.0; fixed in 1.65.0 (discovered 2026-04-17, patched 2026-05-12, public 2026-06-26).
Why it matters to us: Any CH/EU developer team using Amazon Q with AWS should confirm the language server is ≥ 1.65.0, audit repositories for .amazonq/mcp.json, and enforce VS Code workspace-trust policies so AI assistants do not auto-load configs from untrusted clones.
SANS ISC: Linux process-name masquerading via `prctl(PR_SET_NAME)` and how to detect it [SINGLE-SOURCE]
A SANS Internet Storm Center diary (2026-06-24) documents how Linux malware masquerades its process name via prctl(PR_SET_NAME, …), which writes the 15-character comm field in /proc/<pid>/comm — letting a process running ./ps-masquerade appear in ps/top/pgrep as a kernel worker thread such as [kworker/0:1-events] (SANS ISC, 2026-06-24). The detection key is the divergence between /proc/<pid>/comm (mutable) and /proc/<pid>/cmdline (the original argv, which the kernel will not grow beyond its fixed allocation): a genuine kernel thread has an empty cmdline, so any process whose comm resembles [kworker/*]/[kthreadd] but whose cmdline is non-empty is a high-fidelity hunt artefact. The diary points to eBPF-based tooling (Kunai) that captures the real command line at exec time independently of later comm mutation, and cites Operation Highland (Velvet Ant, Sygnia) as a real-world user of the technique (T1036 Masquerading).
Why it matters to us: This is a free, immediately deployable hunt for any Linux fleet — and a useful complement to today's § 5 deep dive, where the same audit-blindness of in-memory tampering recurs.
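The comm-versus-cmdline divergence described above, implemented as a small hunt script. This is an added example for this brief, not code from the SANS ISC diary or from Kunai; the list of kernel-thread name prefixes is an assumption to extend per fleet, and the constructed /proc tree in write_constructed_proc() exists only so the logic can be exercised offline.

```python
"""Hunt for user-space processes masquerading as kernel threads via prctl(PR_SET_NAME).

Signal: /proc/<pid>/comm looks like a kthread (e.g. "[kworker/0:1-ev", 15 chars max)
while /proc/<pid>/cmdline is non-empty. Genuine kernel threads have an empty cmdline
and user space cannot shrink its own argv allocation, so the divergence is high-fidelity.
"""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import List, Optional

# Assumed list of common kernel-thread name prefixes; optional leading "[" covers
# malware that copies the bracketed form ps/top show for real kthreads.
KTHREAD_LIKE = re.compile(
    r"^\[?(kworker|kthreadd|ksoftirqd|migration|rcu_|kswapd|kcompactd|cpuhp|irq/|jbd2|xfs)"
)


@dataclass
class Finding:
    pid: int
    comm: str
    cmdline: List[str]
    exe: Optional[str] = None


def parse_cmdline(raw: bytes) -> List[str]:
    """Split the NUL-separated /proc/<pid>/cmdline bytes into an argv list."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]


def looks_like_masquerade(comm: str, cmdline_raw: bytes) -> bool:
    """True when comm resembles a kernel thread but the process has a real argv."""
    return bool(KTHREAD_LIKE.match(comm.strip())) and len(parse_cmdline(cmdline_raw)) > 0


def scan_proc(proc_root: str = "/proc") -> List[Finding]:
    """Walk a /proc-style tree and return every masquerade candidate."""
    findings: List[Finding] = []
    if not os.path.isdir(proc_root):
        return findings
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"{proc_root}/{pid}/comm", "rb") as f:
                comm = f.read().decode("utf-8", "replace").rstrip("\n")
            with open(f"{proc_root}/{pid}/cmdline", "rb") as f:
                raw = f.read()
        except OSError:  # process exited or is not readable; skip it
            continue
        if looks_like_masquerade(comm, raw):
            try:
                exe = os.readlink(f"{proc_root}/{pid}/exe")  # the real on-disk binary
            except OSError:
                exe = None
            findings.append(Finding(pid, comm, parse_cmdline(raw), exe))
    return findings


def write_constructed_proc(root: str) -> None:
    """Constructed sample /proc tree: one masquerader, one real kthread, one shell."""
    samples = {
        4242: ("[kworker/0:1-ev", b"./ps-masquerade\0"),  # comm rewritten, argv intact
        2: ("kthreadd", b""),  # genuine kernel thread: empty cmdline
        1000: ("bash", b"bash\0-l\0"),  # ordinary user process
    }
    for pid, (comm, cmdline) in samples.items():
        d = os.path.join(root, str(pid))
        os.makedirs(d)
        with open(os.path.join(d, "comm"), "wb") as f:
            f.write(comm.encode() + b"\n")
        with open(os.path.join(d, "cmdline"), "wb") as f:
            f.write(cmdline)


def demo() -> List[Finding]:
    """Run the hunt over the constructed tree; only pid 4242 should be reported."""
    with tempfile.TemporaryDirectory() as root:
        write_constructed_proc(root)
        return scan_proc(root)


if __name__ == "__main__":
    for hit in scan_proc():
        print(f"pid={hit.pid} comm={hit.comm!r} cmdline={hit.cmdline} exe={hit.exe}")
```

Run it as root for full coverage, since /proc/<pid>/exe is unreadable for other users' processes; a hit should be correlated with exec-time telemetry (the diary's eBPF angle) before response.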
4. Updates to Prior Coverage
UPDATE: PTC Windchill CVE-2026-12569 now confirmed exploited in the wild with JSP web shells
UPDATE (originally covered 2026-06-20): CISA added the PTC Windchill PDMLink / FlexPLM pre-auth deserialization RCE (CVE-2026-12569) to its Known Exploited Vulnerabilities catalog on 2026-06-25, confirming active in-the-wild exploitation — the operational shift from the disclosure we deep-dived on June 20 (The Hacker News, 2026-06-26). Reported post-exploitation deploys JSP web shells to /Windchill/login/<16-hex>.jsp plus a flst.txt persistence marker — concrete hunt artefacts beyond the earlier abstract RCE description. ENISA's EUVD entry corroborates the unauthenticated deserialization root cause (ENISA EUVD EUVD-2026-37831). The driver for Swiss/EU manufacturing, pharma and aerospace operators running Windchill is the confirmed exploitation and the web-shell pattern, not the US-only federal remediation date; patch per PTC CS473270 and hunt web-server logs for .jsp creation under /Windchill/login/.
Changes since first coverage (2 prior appearances)
- 2026-06-21 (2026-W25): Consolidated in weekly summary for week 2026-W25
- 2026-06-20 (2026-06-20): First coverage — actively-exploited CVSS 10.0 pre-auth deserialization RCE; BSI emergency outreach; Immediate Action + deep dive
UPDATE: Mandiant documents the full Cisco Catalyst SD-WAN exploitation chain — CSV-injection to a root backdoor
UPDATE (originally covered 2026-06-26): Google Mandiant (GTIG) published (2026-06-24) the first complete TTP chain for the Cisco Catalyst SD-WAN Manager zero-day activity, observed at a service-provider victim from late 2025 into 2026 (Google Mandiant, 2026-06-24). NCSC-CH amended its Security Hub post to add the report on 2026-06-25 (NCSC-CH Security Hub post 12579).
The chain: authentication bypass via CVE-2026-20182/CVE-2026-20127 (rogue peering connection), then privilege escalation via CVE-2026-20245 — a malicious evil_tenant.csv uploaded through the request tenant-upload CLI carries unsanitised shell commands that append a troot root user to /etc/passwd and /etc/shadow, after which the actor reverts configuration changes and deletes the file for anti-forensics. This gives defenders concrete hunts the earlier advisory could not: search SD-WAN Manager instances for unexpected /etc/passwd additions, evil_tenant.csv artefacts, and request tenant-upload execution in CLI logs.
Changes since first coverage (6 prior appearances)
- 2026-06-26 (2026-06-26)
- 2026-06-16 (2026-06-16)
- 2026-06-08 (2026-W23)
- 2026-06-06 (2026-06-06)
- 2026-05-17 (2026-W20): Consolidated in weekly summary for 2026-W20
- 2026-05-15 (2026-05-15): First coverage. CVSS 10.0 pre-auth bypass in vdaemon DTLS service UDP/12346. Actively exploited by UAT-8616 and 10+ clusters. CISA ED-26-03 issued. Deep dive in §5.
UPDATE: Klue/Icarus Salesforce breach widens to ~24 firms; the attacker is itself hacked and a second extortion actor emerges
UPDATE (originally covered 2026-06-25): Roughly two dozen companies have now publicly notified customers of the Klue–Salesforce OAuth-integration breach, up from eleven on June 25, with newly named EU-domiciled victims including Germany's Lucanet and Link11 alongside Blackbaud, Deel, Camunda and Tines (SecurityWeek, 2026-06-26).
Klue reportedly told customers that the attacker ("Icarus") was itself compromised and that the stolen dataset is now in the hands of a second, unnamed actor running an independent extortion campaign; Icarus's Tor leak site went offline (TechCrunch, 2026-06-25). The root cause is unchanged — a single over-privileged legacy OAuth integration credential granting bulk Salesforce access across ~195 customer orgs — reinforcing the standing action: audit and revoke dormant Connected Apps with export scopes, and alert on anomalous bulk ReportExport/API activity from integration service accounts.
UPDATE: "The Gentlemen" ransomware claims 478 victims and adds worm propagation — Switzerland the second-most-targeted European country
UPDATE (originally covered in the 2026-W25 weekly): The fresh in-window signal on The Gentlemen ransomware operation is geographic: Swiss tech press, citing Check Point Research, reports Switzerland as the second-most-targeted European country (after Germany) for the group (inside-it.ch, 2026-06-26).
The group's established profile — detailed earlier this month — is 478 claimed victims and a --spread command-line argument enabling self-propagation across Windows networks via SMB share enumeration and credential reuse (The Hacker News, 2026-06-11). Combined with the previously reported GentleKiller BYOVD EDR-killer, the Swiss-targeting signal means a foothold in one Swiss organisation can spread laterally without further operator action; defenders should enforce SMB signing, restrict admin shares, apply the Microsoft vulnerable-driver blocklist, and alert on a --spread argument in ransomware process trees.
UPDATE: Miasma / "Mini Shai-Hulud" npm worm runs a new wave across LeoPlatform/RStreams packages
UPDATE (originally covered 2026-06-09): The Miasma / Mini Shai-Hulud / Hades supply-chain worm — last seen backdooring @redhat-cloud-services packages and the TeamPCP "Phantom Gyp" framework — ran a fresh wave on 2026-06-24: 23+ malicious versions across the LeoPlatform and RStreams serverless-data-pipeline npm ecosystems (leo-sdk, leo-auth, leo-aws, leo-cli) after the czirker publisher account was compromised, plus a Go-module compromise of Verana Blockchain (Socket Security, 2026-06-25). The wave reuses the previously documented binding.gyp/node-gyp install-time execution to stage a Bun runtime that harvests .env files, npm/GitHub/cloud tokens, SSH keys and IDE/AI-agent configs, scraping GitHub Actions CI secrets (JFrog, 2026-06-26), and again carries the RevokeAndItGoesKaboom campaign marker that Socket ties to the earlier codfish/semantic-release-action compromise (documented by StepSecurity), where the malicious action searched GitHub commit messages bearing that string as an operator dead-drop channel (Socket Security, 2026-06-25). Any CH/EU team consuming these packages in CI should rotate all exposed CI/cloud credentials since 2026-06-20 and alert on node-gyp evaluating JavaScript from binding.gyp.
5. Deep Dive — Turla's STOCKSTAY: a four-component .NET backdoor for diplomatic intelligence collection
Background. Google Threat Intelligence Group (GTIG, formerly Mandiant) published a full technical analysis of STOCKSTAY on 2026-06-25, a modular .NET backdoor it attributes with high confidence to Turla — also tracked as Secret Blizzard, SUMMIT and FSB Center 16 — with activity dating to December 2022 (Google Cloud / GTIG, 2026-06-25). GTIG ties STOCKSTAY to Turla's long-running Kazuar implant lineage through shared code: the K1MORPHER Squirrel3-based string obfuscator Turla introduced in April 2025, identical environmental-keying logic, and the same component-separation design pattern — placing this tool in the same toolset GTIG and others have tracked across European diplomatic targeting for years (The Record, 2026-06-26). Primary targets are Ukrainian government and military organisations and European entities with Italian foreign-policy interests.
Architecture and mechanics. STOCKSTAY is partitioned into four .NET assemblies that communicate over Windows WM_COPYDATA inter-process messages, deliberately decoupling the network layer from command execution. MARKETMAKER is the downloader/installer that establishes Registry Run-key persistence masquerading as MicrosoftUpdateOneDrive (T1547.001); STOCKMARKET ("cor") is the orchestrator that generates a 4096-bit RSA key pair on first run; STOCKBROKER ("net") is a proxy-aware WebSocket tunneller built on the open-source websocket-sharp library; and STOCKTRADER ("sys") is the backdoor executor supporting 13 commands (directory listing, file get/put, process execution, registry read/write/delete, screenshot capture, WMI-based system reconnaissance, archive unpacking, and self-destruct). Configuration is AES-encrypted using hostname/domain-name environmental keying (T1480) once past the reconnaissance phase, so the payload will not decrypt or execute off-target — a standard Turla anti-analysis measure.
Command-and-control. C2 responses are wrapped in an RSA-4096-encrypted "CryptoContainer" JSON structure and tunnelled over encrypted WebSocket sessions hosted on legitimate PaaS platforms (Render.com, Glitch) (T1071.001). The controller — a Python Tornado WebSocket server storing victim data in a SQLite database — was found in a public GitHub repository, and the use of third-party PaaS prevents the platform operator from introspecting the encrypted traffic. The implant enforces working hours (09:00–18:00, Mon–Fri) to blend with normal activity.
Delivery / kill chain. Initial access is via spearphishing (T1566.001/.002) using diplomatic-themed lures (drone content, military logistics, diplomatic-education platforms), with malicious RDP configuration files and RAR archives exploiting WinRAR path traversal CVE-2025-8088 for code drop, followed by MSI/HTA execution. STOCKSTAY is then installed, keys to its environment, establishes Run-key persistence, and beacons out over PaaS-hosted WebSockets — staging the operator's interactive command set (T1059) for collection (T1005) and exfiltration over the C2 channel (T1041). GTIG notes deployment alongside other confirmed Turla tools (WILDDAY, DIAMONDBACK).
Detection concepts (no IOCs). Alert on outbound WebSocket connections to *.onrender.com / *.glitch.me from non-browser processes; WM_COPYDATA messages between unrelated processes in EDR telemetry (Sysmon EID 8/10 process-injection/access correlation); Registry Run-key creation pointing at user-space paths masquerading as Microsoft/OneDrive updaters (Sysmon EID 13 / Windows EID 4657); LNK or RDP-config writes into staging directories (Sysmon EID 11); and the WinRAR CVE-2025-8088 exploitation pattern (archive extraction writing files outside the target directory). GTIG published YARA and Google SecOps detection rules with the report.
Hardening / mitigation. Patch WinRAR to 7.11+ to close CVE-2025-8088; enable AMSI and ETW for .NET assemblies and block the AppDomainManager-hijack DLL-placement path; apply GPO to restrict RDP-config auto-connection; and where not operationally required, block Render/Glitch WebSocket egress at the perimeter for diplomat and ministry workstations. For Swiss federal and cantonal foreign-affairs, defence and diplomatic environments, the named Italian-foreign-policy targeting puts this squarely in scope.
6. Action Items
- Regenerate Signal Backup Recovery Keys for high-risk personnel (diplomatic, federal, parliamentary, journalists) and issue guidance that any unsolicited "Signal support" message is hostile; disable Signal backups via MDM where operational security demands it (§ 1).
- Patch PTC Windchill PDMLink/FlexPLM (CVE-2026-12569) now — exploitation is CISA-confirmed and JSP web shells are being deployed; hunt web-server logs for .jsp files created under /Windchill/login/ and a flst.txt marker (§ 4).
- Prioritise Linux kernel updates for DirtyClone (CVE-2026-43503) and pedit COW (CVE-2026-46331); until distro kernels ship, set kernel.unprivileged_userns_clone=0 (or blacklist act_pedit/esp4/esp6) where those features are unused. Treat unpatched multi-user/Kubernetes Linux hosts as locally privilege-escalatable for hunt purposes (§ 2, § 5).
- Deploy the /proc/<pid>/comm vs /proc/<pid>/cmdline masquerade hunt across Linux fleets — a kernel-worker-style comm with a non-empty cmdline is a free, high-fidelity detection (§ 3).
- Audit npm/CI for the binding.gyp install-time-execution pattern — alert on node-gyp evaluating JavaScript from binding.gyp and rotate all CI/cloud credentials exposed to the affected LeoPlatform/RStreams packages since 2026-06-20 (§ 4).
- Audit Salesforce Connected Apps and revoke dormant OAuth integration tokens with export scopes; alert on anomalous bulk ReportExport/API activity from integration service accounts (§ 4).
- Hunt Cisco Catalyst SD-WAN Manager for unexpected /etc/passwd additions (troot), evil_tenant.csv artefacts and request tenant-upload CLI execution; enforce SMB signing and the Microsoft vulnerable-driver blocklist against The Gentlemen's worm/BYOVD behaviour (§ 4).
7. Verification Notes
- Items dropped:
  - Check Point Quantum/Spark IKEv1 auth bypass (CVE-2026-50751) — out-of-window: primary vendor blog 2026-06-08, NCSC-NL advisory 2026-06-16, no fresh development inside window_hours=36; already consolidated in the 2026-W25 weekly. Remains a real patch-now item for any IKEv1-enabled Check Point gateway (hotfixes sk185033/sk185035) but carries no in-window delta to report today.
  - PowerDNS coordinated security release (14 CVEs across Authoritative/Recursor/DNSdist, 2026-06-25) — dropped from § 2: no in-the-wild exploitation, not KEV/EUVD-exploited, patches available; did not clear a § 2 inclusion gate. Relevant to EU DNS/ISP operators as routine patching (BSI WID-SEC-2026-2091).
  - GitLab CE/EE 13-CVE release incl. unauthenticated Web IDE XSS CVE-2026-10712 (CVSS 8.0), 2026-06-25 — dropped from § 2: no exploitation evidence and XSS rather than RCE; did not clear a gate. Self-managed EU/Swiss public-sector instances should still update to 19.1.1/19.0.3/18.11.6 in the next change window (NCSC-NL NCSC-2026-0211).
  - CL-STA-1062 / TinyRCT (Unit 42, 2026-06-26) — Chinese-suspected APT using AppDomainManager injection against Southeast-Asian energy/government; dropped for low CH/EU nexus and single-source. Detection angle (.exe.config with appDomainManagerType) noted for hunters.
  - Tata Electronics / World Leaks (630 GB), KDDI (14.22 M email credentials), River Financial 8-K ransomware, Polymarket ($2.94 M frontend-injection theft) — substantive confirmed breaches but without CH/EU public-sector nexus or a novel transferable TTP; not promoted to keep signal high.
- § 2 inclusion note: DirtyClone and pedit COW are included on the basis of public working exploits and universal Linux exposure, although they are local LPEs rather than the literal pre-auth-RCE wording of § 2 gate 5; no in-the-wild exploitation has been observed yet (PoC-public only).
- Single-source items: § 1 TonRAT/"Photo ZIP" (Microsoft Threat Intelligence sole primary — HIGH-reliability vendor TI, corroborated by THN restatement); § 3 SANS ISC prctl masquerading diary (single reputable primary, technique writeup); § 4 The Gentlemen — the Swiss-second-most-targeted claim is single-source (inside-it.ch, Swiss press citing Check Point Research; the article body returned 403 to direct fetch, so the claim was read via the publisher's RSS summary). The group's 478-victims/--spread profile is separately sourced to The Hacker News (2026-06-11). All other items meet the two-source rule or are national-CERT/HIGH-reliability primary disclosures.
- Contradictions: the GTIG STOCKSTAY primary post is dated 2026-06-25; corroborating coverage (The Record, The Hacker News) is dated 2026-06-26. The brief cites the GTIG primary as 2026-06-25. On the Canvas breach, sources disagree on whether Instructure paid: Computer Weekly reports a ransom was paid; Infosecurity Magazine leaves it unclear; Instructure's own incident statement describes only "reaching an agreement" and receiving deletion logs, without confirming a monetary payment — the brief hedges to "reportedly paid" and surfaces Instructure's framing.
- Sub-agents: S1–S4 all returned; no stalls. (Note: S1's findings YAML recorded an internally inconsistent ended_at; the run log uses the harness-reported timestamps.) tools/source_health.py ran and refreshed state/source_health.json (2026-06-27 snapshot, 149 sources). It flagged 5 sources needs-demote, none actioned this run: cisa-advisories/cisa-directives/cisa-news returned bridge HTTP 403 on their listing pages (transport-blocked — the lifecycle hard rule is that sustained transport blocking never demotes, and CISA intelligence still reaches the brief via the working cisa-kev bridge), and sophos-xops/trellix hit single read-timeouts (transient, not persistent failures). All five are "recheck if persistent" advisories, not demotion-qualifying events.
- Coverage gaps: chrome-releases (RSS 302 redirect — Chrome security advisory unavailable via bridge); ptc-psirt (CS473270 returned 403; KEV + ENISA EUVD used instead); databreaches-net (403, third consecutive run — transport block, not demoted); cert-eu (no in-window advisory, latest 2026-06-10); cert-fr (feed returned 2025 bulletins only, empty in window); ncsc-ch-security-hub (no new post in window; only the 2026-06-25 Cisco SD-WAN edit to post 12579); mandiant-gtig (Feedburner IncompleteRead — direct article fetch used).