ctipilot.ch
Thu · 07 May 2026
All daily briefs ↗
Daily brief · UTC day

Thursday, 7 May 2026

0 verified findings from 1 run · the settled record for this UTC day, in the classic brief order.

Criticality
Verification & coverage notes1 run

2026-05-07-migrated · unknown · 0 entries published

Items verified multi-source: CVE-2026-0300 (Palo Alto vendor advisory, CERT-EU Advisory 2026-006, CERT-FR CERTFR-2026-AVI-0537, CISA KEV via secondary sources, Unit 42 primary research, Help Net Security, BleepingComputer, SecurityWeek); CVE-2024-57726/57728 (NVD, CISA KEV via Security Boulevard/WindowsForum); CVE-2024-7399 (NVD, CISA KEV, Help Net Security); CVE-2026-6023/6022 (CERT-FR, NVD); CVE-2026-23926/27/28 (CERT-FR); DAEMON Tools supply chain (Kaspersky Securelist primary, Kaspersky press release, The Record, BleepingComputer, TechCrunch, Disc Soft vendor acknowledgement); Europol Shadow IT (Correctiv, Computer Weekly, heise Security); ChipSoft/Embargo (The Record original, NL Times, DutchNews.nl, Dutch DPA 66 notifications confirmed); Vimeo/Anodot (Vimeo official blog, BleepingComputer, The Register); QLNX Quasar Linux (Trend Micro primary, BleepingComputer, SecurityWeek); InstallFix/Amatera (Trend Micro, Push Security, Malwarebytes); CVE-2026-31431 update (The Hacker News, SecurityOnline confirming Kaspersky analysis of multi-language PoC variants).

Items marked [SINGLE-SOURCE-NATIONAL-CERT]: ENISA CVE ecosystem expansion (ENISA official announcement, 2026-05-06); CVE-2026-6023/6022 Telerik (CERT-FR CERTFR-2026-AVI-0542 — NVD confirms CVE IDs and scores; no independent corroboration of exploitation status); CVE-2026-23926/27/28 Zabbix (CERT-FR CERTFR-2026-AVI-0541).

Items marked [SINGLE-SOURCE-OTHER]: Germany ransomware surge/GTIG Europe data-leak landscape (Mandiant GTIG, 2026-04-15); OceanLotus PyPI/ZiChatBot (Kaspersky Securelist, 2026-05-06); CloudZ RAT/Pheno (Cisco Talos, 2026-05-05); Dragos AI-assisted water utility attack (Dragos, 2026-05-06); CVE-2026-33725 Metabase Enterprise (GBHackers/Hakai Security; NVD confirms CVE ID and CVSS 7.2); M-Trends 2026 annual report (Google Cloud/Mandiant, 2026-03-23).

Items dropped:

  • Microsoft AiTM "Code of Conduct" phishing — surfaced again by sub-agent research. Already covered 2026-05-06 § 4; no material delta confirmed. Discarded.
  • France ANTS fresh coverage from sub-agent 4 — already covered 2026-05-06 § 2. Minor delta (11.7M confirmed count) placed in § 6.
  • CVE-2026-31431 full coverage from sub-agent 3 — already covered 2026-05-06 as the full deep dive. Material delta (multi-language PoC, container escape validation) placed in § 6.
  • Sophos: Checkmarx KICS and Bitwarden CLI supply chain attacks — published 2026-04-24, 13 days before this brief. Outside primary and extended recency windows with no specific new development justifying inclusion. Available for a future brief if new developments emerge.
  • TCLBANKER Brazilian banking trojan (Elastic Security Labs) — Brazil-only geofenced targeting confirmed; no EU/CH nexus; Outlook COM propagation technique is noted but insufficient public-sector relevance to include.
  • Juniper Secure Analytics CERT-FR advisory (CERTFR-2026-AVI-0539) — covers 17 CVEs across Juniper SA versions; the CVEs span 2025–2026 and were not individually NVD-verified in this run. Defenders should consult the CERT-FR advisory directly for CVE listings and severity ratings.

Recency window notes:

  • Germany ransomware surge (GTIG, 2026-04-15): 22 days old, outside both recency windows. Included as first coverage for this series given direct EU audience relevance.
  • M-Trends 2026 (2026-03-23): 45 days old, well outside recency window. Included as first and final treatment per the annual-report rule (Prime Directive 9). Logged in state files.
  • Vimeo/Anodot (primary disclosure 2026-04-27): 10 days old; BleepingComputer and The Register coverage on 2026-05-05/06 brought it into the brief window as first coverage.
  • ChipSoft Netherlands attack (incident 2026-04-07): 30 days old; Embargo group identification and 66 Dutch DPA notifications (reported 2026-04-29) constitute the material new development justifying inclusion as first coverage.

Source failures — consecutive_failures incremented:

  • cisa-kev: HTTP 403 second consecutive day → consecutive_failures now 2
  • cisa-advisories: HTTP 403 second consecutive day → consecutive_failures now 2
  • csirt-acn-it: HTTP 403 second consecutive day → consecutive_failures now 2
  • inside-it-ch: HTTP 403 second consecutive day → consecutive_failures now 2
  • ico-uk: HTTP 403 second consecutive day → consecutive_failures now 2
  • ccn-cert-es: HTTP 403 confirmed again this run → consecutive_failures now 1
  • ncsc-ch-security-hub: SPA API not queryable (HTTP 404 on /api/ root); content not accessible via WebFetch → consecutive_failures now 1

Sources successfully fetched this run (failures reset or confirmed active): talos (consecutive_failures reset to 0; CloudZ/Pheno content confirmed), kaspersky-securelist (DAEMON Tools, OceanLotus), trendmicro-research (QLNX, InstallFix), elastic-seclabs (TCLBANKER), dragos (AI-assisted OT attack), sophos-xops (Checkmarx/Bitwarden supply chain for research, not included in brief). Secureworks CTU now redirects to Sophos blog post-acquisition; source URL requires update.

Coverage gaps: CCN-CERT Spain (ccn-cert-es, HTTP 403 — 2 consecutive runs); GovCERT.ch (navigation page only — 2 consecutive runs); CERT.at Austria (navigation and /en/warnings/ 404 — 2 consecutive runs); GovCERT Austria (navigation/contact only — 2 consecutive runs); CSIRT Italia (csirt-acn-it, HTTP 403 — 2 consecutive runs); Inside IT Switzerland (inside-it-ch, HTTP 403 — 2 consecutive runs); UK ICO (ico-uk, HTTP 403 — 2 consecutive runs); CISA KEV and CISA Advisories (HTTP 403 — 2 consecutive runs); NCC Group Research, Cloudflare Cloudforce One, IBM X-Force, Akamai SIRT, Red Canary, Huntress — not fetched in this run.

Migrated from briefs/2026-05-07.md (v2).