# CTI Daily Brief — 2026-07-03

> **AI-generated content — no human review.** This brief was produced autonomously by an LLM (Anthropic Claude (specific model not determined)) with parallel research and verification by sub-agents (Sonnet 5) executing the prompt at `prompts/daily-cti-brief.md` as a Claude Code routine on Anthropic-managed cloud infrastructure. **Nothing here is reviewed or edited by a human before publication.** All facts are linked inline to public sources the agent fetched in this run. Verify any operationally critical claim against the linked primary source before acting.

**Generated by:** Anthropic Claude (specific model not determined) · **Sub-agents:** S1: Sonnet 5 · S2: Sonnet 5 · S3: Sonnet 5 · S4: Sonnet 5 · verify: _(pending)_ · **Classification:** TLP:CLEAR · **Language:** English · **Prompt:** v2.69 · **Recency window:** 36 h (gap to prior brief: 24 h)

## 0. TL;DR

- **Coolify ships an emergency fix for a CVSS 9.9 authenticated command-injection RCE (CVE-2026-34038).** Any org self-hosting the Coolify PaaS for CI/CD should patch to ≥ v4.0.0-beta.469 now: a user with only application "write" permission can inject OS commands via the `dockerfile_location` / `pre_deployment_command` deployment parameters and exfiltrate application secrets from deployment logs ([coollabsio GHSA, 2026-07-02](https://github.com/coollabsio/coolify/security/advisories/GHSA-qqrq-r9h4-x6wp)).
- **SOCRadar ties the mass FortiBleed FortiGate credential-harvesting operation to live INC Ransom / Lynx ransomware deployments for the first time** (a single operator seen working both groups' negotiation panels; ≥12 ransomware deployments), and says the crew holds an undisclosed Nextcloud zero-day now in coordinated disclosure ([SOCRadar, 2026-07-01](https://socradar.io/blog/fortibleed-inc-lynx-ransomware-link/)). Single-vendor investigative claim — see § 4 and § 7 caveats.
- **Medtronic is notifying ~9 million people of a ShinyHunters-claimed April breach of corporate IT systems** (names, DOB, SSNs, health data), 2.5 months after containment; it says medical devices were unaffected and segregated from the compromised networks ([BleepingComputer, 2026-07-02](https://www.bleepingcomputer.com/news/security/medtronic-notifies-customers-impacted-by-shinyhunters-data-breach/)).
- **Two US SEC 8-K disclosures reinforce the third-/fourth-party access boundary:** AdaptHealth was breached via a social-engineered hijack of a *third-party contractor's* session into cloud patient-management apps ([SEC 8-K, 2026-07-02](https://www.sec.gov/Archives/edgar/data/1725255/000110465926080297/ahco-20260627x8k.htm)); Navient disclosed borrower SSN exposure from a ransomware hit on its *outside law firm* ([SEC 8-K, 2026-07-02](https://www.sec.gov/Archives/edgar/data/1593538/000114036126027441/ef20077249_8k.htm)).
- **Quiet vulnerability day otherwise:** Cisco patched an unauthenticated file-read in Catalyst Center (CVE-2026-20191, CVSS 7.5, no exploitation) — noted in § 7 rather than § 2. No item cleared the deep-dive or Immediate-Action bar.

## 1. Active Threats, Trending Actors, Notable Incidents & Disclosures

### Medtronic notifies ~9 million people of a ShinyHunters-claimed corporate-IT breach — 2.5 months after containment

Medical-device manufacturer Medtronic began notifying customers on 2026-07-02 of a breach the ShinyHunters extortion group first claimed in April. Medtronic's investigation found an unauthorized actor accessed certain corporate IT systems between 2026-04-13 and 2026-04-19 after unusual activity was noticed on 2026-04-15; ShinyHunters listed the company on its leak portal on 2026-04-18 claiming ~9 million records (names, contact details, dates of birth, Social Security numbers, health-related information) and later pulled the entry — consistent with the group's pattern after a ransom is paid ([BleepingComputer, 2026-07-02](https://www.bleepingcomputer.com/news/security/medtronic-notifies-customers-impacted-by-shinyhunters-data-breach/)). Medtronic states it found "no evidence" the data was published, and that the compromised corporate systems were segregated from device-operating networks so therapy delivery was unaffected ([The Register, 2026-07-02](https://www.theregister.com/security/2026/07/02/pacemaker-manufacturer-medtronic-warns-patients-cybercrooks-may-have-swiped-health-data/5265768)). No initial-access vector is disclosed. This is the same ShinyHunters cluster behind the recent Salesforce/PeopleSoft-adjacent extortion wave (Nissan, NAIC — see prior coverage), but a corporate-IT compromise rather than the SaaS-integration pattern seen elsewhere; the source does not confirm shared tradecraft.

**Defender takeaway:** a delisted extortion-portal entry is not proof of data destruction — treat any listed-then-delisted victim as presumptively breached and monitor for downstream credential-stuffing and DOB/PII-driven targeted phishing regardless of ransom outcome. The 2.5-month detection-to-notification gap is worth benchmarking against your own breach-notification SLAs.

— *Source: [BleepingComputer](https://www.bleepingcomputer.com/news/security/medtronic-notifies-customers-impacted-by-shinyhunters-data-breach/) · Additional source: [The Register](https://www.theregister.com/security/2026/07/02/pacemaker-manufacturer-medtronic-warns-patients-cybercrooks-may-have-swiped-health-data/5265768) · Tags: data-breach, organized-crime · Region: us, global · Sector: healthcare · Evidence: "The investigation determined that from April 13 to April 19, 2026, an unauthorized actor accessed certain Medtronic corporate IT systems." (BleepingComputer); "Based on our investigation, this incident did not impact the ability of any Medtronic device to operate safely and deliver intended therapy." (The Register)*

### AdaptHealth breached via a social-engineered hijack of a third-party contractor's session [SINGLE-SOURCE]

DME and home-healthcare provider AdaptHealth Corp. (Nasdaq: AHCO) filed an SEC Form 8-K (Item 1.05) on 2026-07-02 disclosing that an actor accessed its cloud-based business applications — including internal patient-management systems and document storage — through "a successful social engineering attack that compromised a user session associated with a third-party contractor" ([SEC 8-K, 2026-07-02](https://www.sec.gov/Archives/edgar/data/1725255/000110465926080297/ahco-20260627x8k.htm)). The company received an extortion communication on 2026-06-15 and determined materiality on 2026-06-27; confirmed exfiltration includes a stored insurance-billing password file plus patient PII and PHI, though it says SSNs and payment-card data are not held in the affected systems ([StockTitan filing digest, 2026-07-02](https://www.stocktitan.net/sec-filings/AHCO/8-k-adapt-health-corp-reports-material-event-80512081bbc7.html)). No threat-actor group is named. The session-hijack-of-a-contractor pattern echoes Scattered-Spider-style help-desk/vishing tradecraft, though the filing does not attribute.

**Defender takeaway:** contractor/third-party sessions into cloud EHR and document SaaS are a distinct trust boundary. Conditional Access that treats contractor accounts like staff, and long-lived session tokens not re-validated against device/location, are the exploitable gap — enforce phishing-resistant MFA plus token-theft-resistant session binding (e.g. Continuous Access Evaluation) on contractor identities, and scope CASB impossible-travel / new-device-reuse alerts specifically to guest/contractor principals.

— *Source: [SEC EDGAR — AdaptHealth 8-K](https://www.sec.gov/Archives/edgar/data/1725255/000110465926080297/ahco-20260627x8k.htm) · Additional source: [StockTitan filing digest](https://www.stocktitan.net/sec-filings/AHCO/8-k-adapt-health-corp-reports-material-event-80512081bbc7.html) · Tags: data-breach, phishing, identity · Region: us · Sector: healthcare · Evidence: "The incident was the result of a successful social engineering attack that compromised a user session associated with a third-party contractor." (SEC EDGAR — AdaptHealth 8-K); "The Company has confirmed that certain data was exfiltrated from its systems including a stored password file associated with insurance billing." (SEC EDGAR — AdaptHealth 8-K)*

### Navient discloses borrower SSN exposure from a ransomware hit on its outside law firm [SINGLE-SOURCE]

Student-loan servicer Navient Corporation (Nasdaq: NAVI) filed a Form 8-K (Item 1.05) on 2026-07-02 disclosing a material incident that did not touch its own systems: on 2026-06-08 it learned a third-party law firm providing services to the company had suffered a ransomware attack against the firm's own systems, and that Company-related borrower data held by the firm — names, dates of birth, addresses and Social Security numbers — was accessed ([SEC 8-K, 2026-07-02](https://www.sec.gov/Archives/edgar/data/1593538/000114036126027441/ef20077249_8k.htm)). Navient found no evidence of access to its own environment and no operational disruption but determined materiality on 2026-06-29 given the volume and sensitivity of the exposed data. No ransomware group is named and no leak-site posting has surfaced; this is the victim's own regulatory disclosure of a fourth-party compromise, and no independent press coverage of the filing was found in-window (single-source — see § 7).

**Defender takeaway:** the failure surface here is entirely upstream at the vendor. Litigation and collections files are a known high-value ransomware target (bulk PII with minimal relative security investment) — contracts with outside counsel and collections firms that hold SSN-class identifiers (AHV-number-class equivalents) should mandate encryption-at-rest, short breach-notification SLAs, and independent security assessment.

— *Source: [SEC EDGAR — Navient 8-K](https://www.sec.gov/Archives/edgar/data/1593538/000114036126027441/ef20077249_8k.htm) · Tags: data-breach, ransomware, supply-chain · Region: us · Sector: finance · Evidence: "The incident involved a ransomware attack affecting certain of the Firm's information systems." (SEC EDGAR — Navient 8-K); "Such data includes borrower information such as customer names, date of birth, addresses and Social Security numbers." (SEC EDGAR — Navient 8-K)*

## 2. Trending Vulnerabilities

### CVE-2026-34038 — Coolify: authenticated command injection to RCE and secrets exfiltration (CVSS 9.9)

Coolify — a widely used open-source self-hosted PaaS / deployment platform (a Heroku/Vercel alternative for organizations running their own CI/CD-to-production pipelines) — fixed a CWE-78 OS command-injection flaw (CVSS 3.1 9.9, `AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H`) in `ApplicationDeploymentJob.php`. The `dockerfile_location` and `pre_deployment_command` deployment parameters are passed to a shell without escaping, letting a user with only application "write" permission inject arbitrary OS commands (via `;`, `&&`, backticks) that execute on the underlying host during a deployment; because deployment logs capture command output, exploitation also exfiltrates the application's configured environment secrets ([coollabsio GHSA-qqrq-r9h4-x6wp, 2026-07-02](https://github.com/coollabsio/coolify/security/advisories/GHSA-qqrq-r9h4-x6wp)). The vendor advisory notes a separate permission-bypass means the attacker does not need explicit "deploy" rights — broad "write" access is enough. BSI CERT-Bund published WID-SEC-2026-2182 the same day citing the GHSA as origin ([BSI CERT-Bund, 2026-07-01](https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2182)). Fixed in ≥ v4.0.0-beta.469; ≤ v4.0.0-beta.462 are affected. No in-the-wild exploitation is reported by the vendor or BSI, and the CVE is not yet NVD-enriched. Detection: audit deployment-job logs for shell metacharacters in `dockerfile_location`/`pre_deployment_command` submitted by non-admin write-scoped accounts, and flag unexpected child processes off the PHP-FPM/queue-worker tree during a deployment (T1059 / T1190). Hardening: patch, restrict "write" grants to trusted users, and rotate any secrets referenced in deployment env vars that were reachable before patching.

— *Source: [coollabsio GHSA-qqrq-r9h4-x6wp](https://github.com/coollabsio/coolify/security/advisories/GHSA-qqrq-r9h4-x6wp) · Additional source: [BSI CERT-Bund WID-SEC-2026-2182](https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2182) · Tags: vulnerabilities, rce, patch-available · Region: global · Sector: technology · CVE: CVE-2026-34038 · CVSS: 9.9 · Vector: zero-click · Auth: post-auth · Status: patch-available · Evidence: "An authenticated remote command injection vulnerability (CWE-78) in Coolify allows users with application 'write' permissions to achieve Remote Code Execution (RCE)" (coollabsio GHSA-qqrq-r9h4-x6wp)*
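The detection note above (audit deployment-job records for shell metacharacters in `dockerfile_location` / `pre_deployment_command` when submitted by write-scoped, non-admin accounts), worked through as an added Python example. This is not Coolify's code: the JSON record layout, the `actor` / `actor_role` / `parameters` field names and the sample entries are constructed for illustration, so map them onto your own deployment-log schema before use.

```python
"""Flag deployment parameters that look like shell-injection attempts (CVE-2026-34038 pattern).

Record format is CONSTRUCTED for this example; it is not Coolify's log schema.
"""
import json
import re
from typing import Iterable, Optional

# Parameters the advisory names as reaching the shell unescaped.
SHELL_REACHING_FIELDS = ("dockerfile_location", "pre_deployment_command")

# Metacharacters that turn one argument into several commands:
# `;`, `&&`, `||`, `|`, backticks, `$(`, newline and redirections.
METACHAR_RE = re.compile(r"(;|&&|\|\||\||`|\$\(|\n|>|<)")

# A legitimate Dockerfile path is just path characters; anything else is odd.
SAFE_PATH_RE = re.compile(r"^[A-Za-z0-9_./-]+$")


def suspicious_tokens(value: str) -> list:
    """Distinct shell metacharacters found in a parameter value, sorted."""
    return sorted({m.group(0) for m in METACHAR_RE.finditer(value)})


def inspect_record(rec: dict) -> Optional[dict]:
    """Return a finding for one deployment record, or None if it looks clean."""
    params = rec.get("parameters", {})
    hits = {}
    for field in SHELL_REACHING_FIELDS:
        val = params.get(field)
        if not isinstance(val, str):
            continue
        toks = suspicious_tokens(val)
        if field == "dockerfile_location" and not SAFE_PATH_RE.match(val):
            toks = toks or ["non-path-characters"]
        if toks:
            hits[field] = toks
    if not hits:
        return None
    role = rec.get("actor_role", "unknown")
    # Admins can already run commands on the host; the advisory's concern is
    # write-only users, so those get the high severity.
    severity = "high" if role != "admin" else "info"
    return {"deployment_id": rec.get("deployment_id"), "actor": rec.get("actor"),
            "actor_role": role, "fields": hits, "severity": severity}


def scan_log(lines: Iterable[str]) -> list:
    """Scan newline-delimited JSON deployment records; skip non-JSON noise."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = inspect_record(rec)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample records: one clean, two write-scoped injections, one admin.
SAMPLE_LOG = """
{"deployment_id": 101, "actor": "alice", "actor_role": "write", "parameters": {"dockerfile_location": "/Dockerfile", "pre_deployment_command": "npm run build"}}
{"deployment_id": 102, "actor": "mallory", "actor_role": "write", "parameters": {"dockerfile_location": "/Dockerfile; printenv", "pre_deployment_command": "true"}}
{"deployment_id": 103, "actor": "bob", "actor_role": "write", "parameters": {"pre_deployment_command": "make && cat .env"}}
{"deployment_id": 104, "actor": "root-admin", "actor_role": "admin", "parameters": {"pre_deployment_command": "echo `date`"}}
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(json.dumps(f))
```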

## 3. Research & Investigative Reporting

*No new research with operational defender impact this run — this section is intentionally left empty.* The one in-window investigative finding, SOCRadar's FortiBleed report, is a material development on a thread this brief already tracks and is carried as an UPDATE in § 4.

## 4. Updates to Prior Coverage

### UPDATE: FortiBleed FortiGate credential-harvesting linked to INC Ransom / Lynx deployments; scale revised ~5× up

> **UPDATE (originally covered 2026-06-18; last daily update 2026-06-24):** The new delta is a ransomware connection. SOCRadar's Threat Research Unit reports what it calls the first confirmed link between the FortiBleed FortiGate credential-harvesting operation and actual ransomware deployment — an operational-security lapse on attacker infrastructure exposed logs showing a single operator working negotiation panels for both the INC Ransom and Lynx RaaS operations, with victim data overlapping between the FortiBleed dataset and an INC-linked open directory, and at least 12 ransomware deployments stemming from the harvested access ([SOCRadar, 2026-07-01](https://socradar.io/blog/fortibleed-inc-lynx-ransomware-link/)). The campaign's scale (430,000+ targeted firewalls) and Russian-speaking initial-access-broker attribution were already reported in the 2026-06-24 brief and are unchanged; the ransomware-deployment link and the two items below are what is new.
>
> Separately, SOCRadar says the group holds at least one undisclosed Nextcloud zero-day (no CVE assigned, technical detail withheld pending a whitepaper) that it states it is disclosing to Nextcloud responsibly; The Hacker News adds that the exposed staging server also held reconnaissance on ~29,000 Citrix IP addresses, suggesting targeting beyond Fortinet ([The Hacker News, 2026-07-02](https://thehackernews.com/2026/07/fortibleed-credential-theft-linked-to.html)). These are SOCRadar's investigative claims from a single exposed server and are not yet independently corroborated by a second telemetry-holding lab (see § 7). Defender action for FortiGate operators: the newly-confirmed credential-theft-to-ransomware link means any historically internet-exposed FortiGate management/VPN interface should be treated as credential-compromised — rotate local/VPN and downstream domain credentials and hunt the VPN → domain-controller → domain-admin path; Nextcloud operators should track the coordinated disclosure.
>
> — *Source: [SOCRadar](https://socradar.io/blog/fortibleed-inc-lynx-ransomware-link/) · Additional source: [The Hacker News](https://thehackernews.com/2026/07/fortibleed-credential-theft-linked-to.html) · Tags: ransomware, organized-crime, russia-nexus · Region: global*

## 5. Deep Dive

No item met the deep-dive bar in the reporting window. The day's most technically detailed item (CVE-2026-34038, Coolify) carries no in-the-wild exploitation and only moderate constituency exposure; the FortiBleed development is a single-vendor claim with no public technical detail (SOCRadar deferred it to a forthcoming whitepaper). Depth was not invented to fill the section.

## 6. Action Items

- **If you self-host Coolify, patch to ≥ v4.0.0-beta.469 now** and rotate any secrets referenced in deployment environment variables that were reachable before patching — the flaw exfiltrates them via deployment logs. Restrict application "write" grants to trusted users given the permission-bypass path. See [§ 2 CVE-2026-34038](#2-trending-vulnerabilities).
- **For FortiGate operators: treat any historically internet-exposed FortiGate management/VPN interface as credential-compromised** given the confirmed credential-theft-to-ransomware link — rotate local/VPN and downstream domain credentials and hunt the VPN → domain-controller → domain-admin escalation path. Nextcloud operators should track the coordinated zero-day disclosure. See [§ 4 FortiBleed UPDATE](#4-updates-to-prior-coverage).
- **Review the contractor/third-party session trust boundary** into cloud EHR/document SaaS: enforce phishing-resistant MFA + token-theft-resistant session binding on contractor identities and scope CASB impossible-travel / new-device alerts to guest/contractor principals. See [§ 1 AdaptHealth](#1-active-threats-trending-actors-notable-incidents-disclosures).
- **Reassess vendor/fourth-party risk for outside counsel and collections firms holding SSN-class identifiers** — mandate encryption-at-rest, short breach-notification SLAs, and independent assessment. See [§ 1 Navient](#1-active-threats-trending-actors-notable-incidents-disclosures).
- **If you run Cisco Catalyst Center, upgrade to 3.1.6-GSMU200** for the unauthenticated file-read CVE-2026-20191 ([Cisco PSIRT, 2026-07-01](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-catc-file-read-wLH2vf8X)) and confirm the management plane is not internet-reachable. See § 7.

— *Source: [coollabsio GHSA-qqrq-r9h4-x6wp](https://github.com/coollabsio/coolify/security/advisories/GHSA-qqrq-r9h4-x6wp) · Additional source: [SOCRadar](https://socradar.io/blog/fortibleed-inc-lynx-ransomware-link/) · Tags: vulnerabilities, ransomware, identity · Region: global*

## 7. Verification Notes

- **Dropped CVE (did not clear a § 2 inclusion gate):** CVE-2026-20191 — Cisco Catalyst Center unauthenticated path-traversal arbitrary file read (CVSS 7.5, confidentiality-only). Not in CISA KEV, not ENISA-EUVD-exploited, CVSS < 9.0, no reported in-the-wild exploitation, no public PoC, and it is a file-read primitive rather than RCE — so it clears none of the § 2 gates. Flagged by NCSC-NL (NCSC-2026-0218) and BSI CERT-Bund (WID-SEC-2026-2174) citing Cisco's PSIRT advisory ([Cisco, 2026-07-01](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-catc-file-read-wLH2vf8X)); fixed in 3.1.6-GSMU200. Retained here for awareness and carried in § 6 as a hygiene action.
- **Borderline drop:** Kubota North America 35-day-dwell breach (employee SSN/DOB/driver's-license/bank data; BleepingComputer + victim notice, 2026-07-01) — real disclosed breach, but no threat actor named, no initial-access vector disclosed, off primary sector (manufacturing), US-only; the transferable lesson (DLP scoping on HR/payroll shares) is generic. A Tier 2/3 responder in this constituency would not act differently in the next 7 days. Dropped for signal.
- **Single-source / reduced confidence:** Navient 8-K (§ 1) — victim's own SEC regulatory filing; no independent press coverage of the filing found in-window. Included under the victim-own-disclosure carve-out. AdaptHealth 8-K (§ 1) is likewise effectively single-origin — the StockTitan citation is a digest of the same filing, not an independent source — and carries the `[SINGLE-SOURCE]` flag under the same victim-own-disclosure carve-out.
- **Single-origin investigative claim (§ 4 FortiBleed):** the ransomware-link, 430,000+ device count, ~20-person operator structure, and Nextcloud-zero-day claims all trace to SOCRadar's analysis of one exposed staging server. Corroborating outlets (The Hacker News, and separately Dark Reading's RSS headline) relay SOCRadar without independent verification. Claims are attributed to SOCRadar in-text and not stated as established fact; the Nextcloud zero-day has no CVE and withheld technical detail. Dark Reading's article page was surfaced via RSS but not fetched this run, so it is not cited as a Source.
- **§ 3 Research and § 5 Deep Dive** are intentionally empty/negative — quiet day; no qualifying research item and no candidate cleared the deep-dive bar.
- **No Immediate Action callout** — nothing in window is a freshly-weaponised, actively-exploited-right-now, patch-to-the-hour item.
- **The home-region & sector research pass returned zero qualifying items:** all four essential CH-EU sources (cert-at, enisa, ncsc-ch-focus, ncsc-ch-incidents) were fetched successfully but carried only out-of-window or non-technical content. Near-miss for next run: a Kudelski Security DPRK "Contagious Interview" write-up (2026-06-30) trojanizing a GitHub repo impersonating the Swiss firm Ajuna-network — genuine Swiss nexus but published outside this run's 36 h window.
- **Watchlist:** not configured (org profile defines no product/supplier watchlist) — sweep line omitted.
- **Essential-coverage:** cisa-advisories and cisa-directives were attempted but returned HTTP 403 via both direct WebFetch and the `cisa page` bridge subcommand; no working recipe this run. CISA KEV (separate essential source, api subcommand) was fetched successfully and cross-checked — its only in-window addition (CVE-2026-45659, SharePoint) was already covered on 2026-07-02. All other essential sources were attempted.
- **Coverage gaps:** cisa-advisories (bridge+webfetch 403); cisa-directives (bridge+webfetch 403); cisa-news (bridge 403); govcert-at (documented RSS path 404 — stale recipe, flagged for metadata-drift fix); ibm-xforce (generic `url` bridge returns CMS shell only — needs a dedicated subcommand); kela-cyber (per-article pages exceed fetch size caps even via bridge); cert-eu, anssi-fr, cert-pl, ncsc-uk, 0patch-blog, chrome-releases, greynoise, censys-blog (fetched successfully, no in-window items — quiet, not failures).
