Thursday, 7 May 2026
0 verified findings from 1 run · the settled record for this UTC day, in the classic brief order.
Verification & coverage notes1 run
2026-05-07-migrated · unknown · 0 entries published
Items verified multi-source: CVE-2026-0300 (Palo Alto vendor advisory, CERT-EU Advisory 2026-006, CERT-FR CERTFR-2026-AVI-0537, CISA KEV via secondary sources, Unit 42 primary research, Help Net Security, BleepingComputer, SecurityWeek); CVE-2024-57726/57728 (NVD, CISA KEV via Security Boulevard/WindowsForum); CVE-2024-7399 (NVD, CISA KEV, Help Net Security); CVE-2026-6023/6022 (CERT-FR, NVD); CVE-2026-23926/27/28 (CERT-FR); DAEMON Tools supply chain (Kaspersky Securelist primary, Kaspersky press release, The Record, BleepingComputer, TechCrunch, Disc Soft vendor acknowledgement); Europol Shadow IT (Correctiv, Computer Weekly, heise Security); ChipSoft/Embargo (The Record original, NL Times, DutchNews.nl, Dutch DPA 66 notifications confirmed); Vimeo/Anodot (Vimeo official blog, BleepingComputer, The Register); QLNX Quasar Linux (Trend Micro primary, BleepingComputer, SecurityWeek); InstallFix/Amatera (Trend Micro, Push Security, Malwarebytes); CVE-2026-31431 update (The Hacker News, SecurityOnline confirming Kaspersky analysis of multi-language PoC variants).
Items marked [SINGLE-SOURCE-NATIONAL-CERT]: ENISA CVE ecosystem expansion (ENISA official announcement, 2026-05-06); CVE-2026-6023/6022 Telerik (CERT-FR CERTFR-2026-AVI-0542 — NVD confirms CVE IDs and scores; no independent corroboration of exploitation status); CVE-2026-23926/27/28 Zabbix (CERT-FR CERTFR-2026-AVI-0541).
Items marked [SINGLE-SOURCE-OTHER]: Germany ransomware surge/GTIG Europe data-leak landscape (Mandiant GTIG, 2026-04-15); OceanLotus PyPI/ZiChatBot (Kaspersky Securelist, 2026-05-06); CloudZ RAT/Pheno (Cisco Talos, 2026-05-05); Dragos AI-assisted water utility attack (Dragos, 2026-05-06); CVE-2026-33725 Metabase Enterprise (GBHackers/Hakai Security; NVD confirms CVE ID and CVSS 7.2); M-Trends 2026 annual report (Google Cloud/Mandiant, 2026-03-23).
Items dropped:
- Microsoft AiTM "Code of Conduct" phishing — surfaced again by sub-agent research. Already covered 2026-05-06 § 4; no material delta confirmed. Discarded.
- France ANTS fresh coverage from sub-agent 4 — already covered 2026-05-06 § 2. Minor delta (11.7M confirmed count) placed in § 6.
- CVE-2026-31431 full coverage from sub-agent 3 — already covered 2026-05-06 as the full deep dive. Material delta (multi-language PoC, container escape validation) placed in § 6.
- Sophos: Checkmarx KICS and Bitwarden CLI supply chain attacks — published 2026-04-24, 13 days before this brief. Outside primary and extended recency windows with no specific new development justifying inclusion. Available for a future brief if new developments emerge.
- TCLBANKER Brazilian banking trojan (Elastic Security Labs) — Brazil-only geofenced targeting confirmed; no EU/CH nexus; Outlook COM propagation technique is noted but insufficient public-sector relevance to include.
- Juniper Secure Analytics CERT-FR advisory (CERTFR-2026-AVI-0539) — covers 17 CVEs across Juniper SA versions; the CVEs span 2025–2026 and were not individually NVD-verified in this run. Defenders should consult the CERT-FR advisory directly for CVE listings and severity ratings.
Recency window notes:
- Germany ransomware surge (GTIG, 2026-04-15): 22 days old, outside both recency windows. Included as first coverage for this series given direct EU audience relevance.
- M-Trends 2026 (2026-03-23): 45 days old, well outside recency window. Included as first and final treatment per the annual-report rule (Prime Directive 9). Logged in state files.
- Vimeo/Anodot (primary disclosure 2026-04-27): 10 days old; BleepingComputer and The Register coverage on 2026-05-05/06 brought it into the brief window as first coverage.
- ChipSoft Netherlands attack (incident 2026-04-07): 30 days old; Embargo group identification and 66 Dutch DPA notifications (reported 2026-04-29) constitute the material new development justifying inclusion as first coverage.
Source failures — consecutive_failures incremented:
- cisa-kev: HTTP 403 second consecutive day → consecutive_failures now 2
- cisa-advisories: HTTP 403 second consecutive day → consecutive_failures now 2
- csirt-acn-it: HTTP 403 second consecutive day → consecutive_failures now 2
- inside-it-ch: HTTP 403 second consecutive day → consecutive_failures now 2
- ico-uk: HTTP 403 second consecutive day → consecutive_failures now 2
- ccn-cert-es: HTTP 403 confirmed again this run → consecutive_failures now 1
- ncsc-ch-security-hub: SPA API not queryable (HTTP 404 on /api/ root); content not accessible via WebFetch → consecutive_failures now 1
Sources successfully fetched this run (failures reset or confirmed active): talos (consecutive_failures reset to 0; CloudZ/Pheno content confirmed), kaspersky-securelist (DAEMON Tools, OceanLotus), trendmicro-research (QLNX, InstallFix), elastic-seclabs (TCLBANKER), dragos (AI-assisted OT attack), sophos-xops (Checkmarx/Bitwarden supply chain for research, not included in brief). Secureworks CTU now redirects to Sophos blog post-acquisition; source URL requires update.
Coverage gaps: CCN-CERT Spain (ccn-cert-es, HTTP 403 — 2 consecutive runs); GovCERT.ch (navigation page only — 2 consecutive runs); CERT.at Austria (navigation and /en/warnings/ 404 — 2 consecutive runs); GovCERT Austria (navigation/contact only — 2 consecutive runs); CSIRT Italia (csirt-acn-it, HTTP 403 — 2 consecutive runs); Inside IT Switzerland (inside-it-ch, HTTP 403 — 2 consecutive runs); UK ICO (ico-uk, HTTP 403 — 2 consecutive runs); CISA KEV and CISA Advisories (HTTP 403 — 2 consecutive runs); NCC Group Research, Cloudflare Cloudforce One, IBM X-Force, Akamai SIRT, Red Canary, Huntress — not fetched in this run.
Migrated from briefs/2026-05-07.md (v2).