ctipilot.ch
Fri · 26 Jun 2026
All daily briefs ↗
Daily brief · UTC day

Friday, 26 June 2026

6 verified findings from 1 run · the settled record for this UTC day, in the classic brief order.

Criticality
Kind
Topic
Region
TL;DR · the day in one read
  1. 01Mandiant publishes the forensic reconstruction behind Cisco SD-WAN Manager CVE-2026-20245. Mandiant reconstructs a months-long zero-day compromise of Cisco Catalyst SD-WAN Manager (CVE-2026-20245) — updating our 6 June coverage, GTIG details an authenticated request tenant-upload CLI command-injection path that planted a troot UID-0 account on the controller, reached after a peering-auth-bypass foothold and exploited at a service provider from late 2025 through March 2026, well before the patch (Mandiant/GTIG, 2026-06-24). Today's deep dive (§5). Patch to the fixed trains immediately and audit vManage hosts for OS-level account creation.
  2. 02ESET's 2025 Gamaredon paper: exfil and C2 moved wholesale onto trusted cloud services (ANNUAL REPORT). ESET's 2025 Gamaredon paper shows the FSB group's exfil and C2 moving entirely onto trusted cloud services — S3-compatible object storage (Wasabi/Tebi/Intercolo) via rclone and Cloudflare-tunnel/Workers/DevTunnel C2 that blends with legitimate egress; targeting stayed exclusively Ukrainian, but the tradecraft is the transferable part (ESET, 2026-06-25).
  3. 03macOS.Gaslight — a DPRK-aligned Rust backdoor that targets the LLM-assisted analyst. macOS.Gaslight — a DPRK-aligned Rust backdoor that aims its evasion at the analyst, not the sandbox — SentinelLABS documents a 3.5 KB blob of 38 fabricated "system" messages embedded to derail LLM-assisted triage, alongside Telegram Bot-API C2 and a com.apple.system.services.activity LaunchAgent (SentinelLABS, 2026-06-23).
  4. 04ShinyHunters used a single vishing call into the company's identity platform to breach Madison Square Garden. ShinyHunters breached Madison Square Garden through a single vishing call into the company's identity platform — 404 Media's review of the stolen data confirms a low-level employee was talked into letting the operators into MSG's systems, the same vishing → identity-platform (Entra/Okta) → MFA-enrollment kill chain that works equally well against EU public-sector tenants (404 Media, 2026-06-24).
01Active threats, incidents & disclosures2 items
NOTABLE

Ukrposhta digital services disrupted by an overnight attack; pro-Russian hacktivists claim a prior data theft

Ukraine's national postal operator Ukrposhta confirmed on 25 June that an overnight "hostile cyberattack" on its IT systems disrupted its mobile app and digital services, with engineers restoring functionality through the day (The Record, 2026-06-25; New Voice of Ukraine, 2026-06-25). A pro-Russian group styling itself the "IT Army of Russia" — distinct from Ukraine's civilian IT Army — separately claimed it had breached Ukrposhta infrastructure weeks earlier and exfiltrated a user database; Recorded Future News states it could not independently verify that claim, and Ukrposhta has not confirmed any data compromise. Treat the exfiltration as an unverified leak-site-style assertion until the operator says otherwise.

incident26 Jun 04:54Zmulti-sourceOpen finding ↗
HIGH

ShinyHunters used a single vishing call into the company's identity platform to breach Madison Square Garden

404 Media's review of the stolen Madison Square Garden data and the attackers' own account confirm the intrusion began with a vishing call — the operators phoned a low-level employee and talked them into letting them into MSG's systems (404 Media, 2026-06-24). Reporting attributes the breach to ShinyHunters; after MSG missed a 15 June ransom deadline, roughly 45 GB / 26M+ records were published (The Next Web, 2026-06-16). The wider pattern this fits — and the one worth detecting — is the vishing → identity-platform (Entra/Okta) → MFA-enrollment → SSO-pivot chain that Abnormal Security documents generically: an IT-impersonation call manufacturing MFA-reset urgency, real-time credential and one-time-code capture on a tenant-branded phishing page, enrollment of an attacker-controlled MFA device, then a pivot into connected SaaS (Abnormal Security, 2026-02-06). Maps to T1566.004 (vishing), T1078.004 (cloud accounts), and T1556.006 (MFA manipulation).

Why it matters to us: the victim is a US private entity, but the kill chain is identity-platform-agnostic and lands the same way against EU public-sector Entra/Okta tenants. Hunt Entra audit logs for new MFA-method registration events correlated with anomalous sign-in geo/user-agent and post-enrollment impossible-travel risk events; the durable control is phishing-resistant FIDO2/passkey MFA that cannot be relayed in real time, plus Conditional Access requiring a compliant device for MFA enrollment.

incident26 Jun 04:54Zmulti-sourceOpen finding ↗
02Research & investigative reporting2 items
HIGH

ESET's 2025 Gamaredon paper: exfil and C2 moved wholesale onto trusted cloud services (ANNUAL REPORT)

ESET's annual Gamaredon paper documents the FSB-linked group's 2025 toolset — six new PowerShell tools (PteroDee, PteroCache, PteroDum, PteroOdd, PteroEffigy, PteroPaste) plus a resurrected PteroSetup VBScript weaponizer — and, more usefully for defenders elsewhere, a wholesale shift of infrastructure onto trusted services (ESET, 2026-06-25). C2 now rides Cloudflare tunnels (trycloudflare.com), Cloudflare Workers (workers.dev), Microsoft DevTunnels (devtunnels.ms), Loophole, No-IP DDNS, Clever Cloud and Supabase; data is exfiltrated via rclone to S3-compatible object storage (Wasabi, Tebi, and Intercolo — which became the primary destination by December), and hostnames are brokered through dead-drop resolvers spread across Telegram, Telegra.ph, Dropbox, GoFile, Mastodon and a dozen paste services so no fixed IP or domain appears in the implant. ESET also confirms an early-2025 collaboration with Turla. Sekoia independently documented the same 2025 shift toward tunnel-service C2 and S3-compatible cloud-storage exfiltration in its parallel "FSB's Matryoshka" Gamaredon series (Sekoia, 2026-06-04). Targeting stayed exclusively Ukrainian government and military — the report names no EU targets — so the relevance here is the tradecraft, not the victimology.

Why it matters to us: the tunnel-and-cloud-storage model defeats domain/IP blocklists and blends with legitimate egress, and it is exactly the pattern any espionage operator can adopt. Detection concepts: alert on tunnel-service egress (trycloudflare.com / workers.dev / devtunnels.ms) initiated by Office or scripting processes; flag rclone or S3-API PUT/POST from hosts with no backup role; hunt PowerShell that reads paste-site domains and decodes base64 blobs.

annual-report26 Jun 04:54Zmulti-sourceOpen finding ↗
HIGH

macOS.Gaslight — a DPRK-aligned Rust backdoor that targets the LLM-assisted analyst

SentinelLABS analysed macOS.Gaslight, a single-binary Rust implant it ties with high confidence to DPRK-aligned activity (Apple's XProtect detects it as MACOS_BONZAI_COBUCH, with a sibling sample caught by the AIRPIPE rule SentinelLABS also attributes to North Korea) (SentinelLABS, 2026-06-23). Its novel evasion is aimed at the analyst's tooling rather than a sandbox: the binary carries a 3.5 KB Markdown-fenced blob of 38 fabricated "system" messages whose {{DATA}} tokens mimic an LLM triage harness's own prompt scaffold, designed to push an LLM agent into aborting, truncating, or refusing its analysis (Infosecurity Magazine, 2026-06-24). Beyond that, it is a full stealer — staging a CPython interpreter at runtime to harvest Chrome/Brave/Firefox/Safari credentials, terminal history, system_profiler output, and a wholesale copy of login.keychain-db. C2 runs over the Telegram Bot-API getUpdates polling loop with AES-GCM payloads over certificate-pinned TLS; persistence is a LaunchAgent labelled com.apple.system.services.activity (T1543.001).

Why it matters to us: as LLM-assisted triage moves into SOC and MDR workflows, embedding adversarial prompt payloads in samples to corrupt that pipeline is a technique class to expect generalising — treat "benign" LLM verdicts on submitted macOS binaries as provisional pending human review, and flag any binary carrying large role/content message arrays for secondary analysis. Detection concepts: LaunchAgent plists masquerading under com.apple.system.services.* with non-Apple signers; processes spawning Python from non-standard parents; outbound TLS to api.telegram.org from non-user-initiated processes on managed Macs.

research26 Jun 04:54Zmulti-sourceOpen finding ↗
03Updates to prior coverage1 item
HIGHCVE-2026-20245exploitedupdate

Mandiant publishes the forensic reconstruction behind Cisco SD-WAN Manager CVE-2026-20245

UPDATE · originally covered CVE-2026-20245 — Cisco Catalyst SD-WAN Manager: actively-exploited command-injection to root (no patch) (2026-06-06)

When we first noted CVE-2026-20245 it was a fresh Cisco advisory for a command-injection-to-root flaw in Catalyst SD-WAN Manager with confirmed exploitation but little public detail. Mandiant/GTIG has now published the forensic reconstruction, confirming the flaw was used as a zero-day at a communications service provider from late 2025 through March 2026 — months before the patch (Mandiant/GTIG, 2026-06-24).

The new substance is the kill chain: a peering-authentication-bypass foothold (CVE-2026-20127 / CVE-2026-20182) into SSH as vmanage-admin, then a crafted tenant CSV through the request tenant-upload CLI handler injecting commands that planted a backdoor troot UID-0 account, with anti-forensic clean-up (admin-password change-then-revert, history/syslog deletion). Mandiant names no threat actor. Full mechanics, ATT&CK mapping and host-level detection are in §5.

UPDATE (originally covered 2026-06-06): When we first noted CVE-2026-20245 it was a fresh Cisco advisory for a command-injection-to-root flaw in Catalyst SD-WAN Manager with confirmed exploitation but little public detail.

ctipilot v2 brief (migrated)
vulnerability26 Jun 04:54Zmulti-sourceOpen finding ↗
04Deep dive1 item
NOTABLECVE-2026-20245exploited

Cisco Catalyst SD-WAN Manager CVE-2026-20245

Mandiant's Google Threat Intelligence Group published a forensic reconstruction of an intrusion in which Cisco Catalyst SD-WAN Manager (formerly vManage) was compromised through CVE-2026-20245 as a zero-day — exploited at a communications service provider from late 2025 through March 2026, months before Cisco's advisory (Mandiant/GTIG, 2026-06-24). Mandiant attributes the activity to no named actor. The reason this matters beyond one victim: SD-WAN Manager is the control plane for an entire WAN fabric — root on the controller is push-access to every managed edge device — so it warrants the same monitoring tier as a VPN concentrator or firewall, and it is now one of several Cisco SD-WAN flaws confirmed exploited during 2026.

The vulnerability. CVE-2026-20245 (CVSS 7.8, no workaround) is a command-injection weakness in the SD-WAN Manager CLI tenant-upload handler: the feature that ingests a tenant-list CSV fails to sanitise file content before it reaches a shell context, so an authenticated operator can embed OS commands inside a crafted CSV and have them execute as root on the underlying Linux host (Cisco PSIRT, cisco-sa-sdwan-privesc-4uxFrdzx). The injected commands appended a new UID-0 account (troot) to the host's local account databases, giving the actor a persistent root login independent of the vManage application's own user model.

Kill chain (as Mandiant documents it):

  • Initial access — the actor reached an authenticated position by abusing peering-authentication-bypass flaws CVE-2026-20127 / CVE-2026-20182 to enrol unauthorised peering and obtain SSH as the vmanage-admin account, or alternatively by using certificate material stolen in a previous compromise (T1190, T1078.004).
  • Privilege escalation — exploitation of CVE-2026-20245 via the crafted tenant CSV, executing as root (T1068).
  • Persistence — creation of the troot UID-0 account in the host account databases, reachable via su (T1136.001).
  • Defense evasion / anti-forensics — the actor changed the legitimate admin password and then reverted it to its original value to reduce detection probability, and deleted command history, syslog entries, and the uploaded files after use (T1070.003).

Hunt and detection concepts. The decisive gap is that vManage's own health dashboards do not surface OS-level account creation — detection has to happen on the underlying host. Baseline and monitor /etc/passwd and /etc/shadow for accounts added since a known-good snapshot (a UID-0 account other than root is the high-fidelity signal here). Review SD-WAN Manager audit logs for tenant-upload CLI/API invocations and correlate them with subsequent privileged shell activity; alert on child processes spawned by the tenant-upload service, and on shell-history truncation or gaps on the controller host. Because the actor reverted the admin password, an unexplained password-change-then-revert pair in admin account auditing is itself worth investigating.

Hardening. Upgrade to a fixed train — 20.9.9.2, 20.12.7.2, 20.15.4.5, 20.15.5.3, 20.18.3.1, or 26.1.1.2 — as there is no workaround. Restrict which operators hold privileged CLI roles, place the management/northbound interfaces behind a source-IP ACL rather than exposing them broadly, enforce MFA on all administrator accounts, and rotate SD-WAN admin credentials (including the default vmanage-admin) on any controller that may have been exposed before patching. Cisco's Catalyst SD-WAN Hardening Guide carries the vendor's own configuration baseline.

Mandiant's Google Threat Intelligence Group published a forensic reconstruction of an intrusion in which Cisco Catalyst SD-WAN Manager (formerly vManage) was compromised through CVE-2026-20245 as a zero-day — exploited at a communications service provider from late 2025 through March 2026, months …

ctipilot v2 brief (migrated)
vulnerability26 Jun 04:54Zmulti-sourceOpen finding ↗
Verification & coverage notes1 run

2026-06-26-6bbe4619 · Claude Opus 4.8 (1M context) · 6 entries published

Items dropped:

  • Ubiquiti UniFi OS CVE-2026-34908 / -34909 / -34910 (S1) — dropped as a PD-8 duplicate: this exact triple-flaw chain was the deep dive on 2026-06-24. It is also out-of-window (patched 2026-05-21 in UniFi OS Server 5.0.8) and S1's reported product/fixed-version detail ("UniFi OS 4.1.13") was inaccurate against the vendor record. The only fresh hook was today's CISA KEV federal remediation deadline, which is not operational signal for a CH/EU audience (PD-13).
  • GitLab 19.1.1 / 19.0.3 / 18.11.6 (S1, S2) — dropped from §2. Verified against GitLab's release notes (published 2026-06-24): the headline issues are stored XSS CVE-2026-10086 (CVSS 8.7) and CVE-2026-10712 (CVSS 8.0), with lower-severity authorization/SSRF issues (the SSRF, CVE-2026-12635, is only CVSS 3.1). No in-the-wild exploitation, not RCE, below the CVSS-9 threshold — clears no §2 inclusion gate. Self-hosted public-sector instances should still apply on their normal patch cycle. (A sub-agent over-stated this as "code injection / SSRF highest-impact"; corrected.)
  • PixelSmash / CVE-2026-8461 FFmpeg MagicYUV heap OOB (S3) — out-of-window: JFrog disclosure 2026-06-22, outside the 36 h window with no fresh in-window development. Noted for catch-up given Nextcloud/Jellyfin server-side-preview relevance to CH/EU public sector if it develops.
  • Microsoft DART parallel dual-actor SharePoint case study (S3) — out-of-window (2026-06-22) and single-source.
  • Tata Electronics / World Leaks 630 GB leak (S4) — out-of-window (2026-06-22/23).
  • River Financial Corp 8-K (Item 1.05) (S4) — US community bank, no CH/EU nexus; SINGLE-SOURCE (SEC filing recovered via search). Watch for an 8-K/A around 1–2 July.
  • DraftKings credential-stuffing sentencing (S4) — US law-enforcement follow-up; limited CH/EU public-sector relevance.
  • Black Kite Europe ransomware report (S2) — periodic statistics report; declined under the no-vanity-metrics rule. Its one operational nugget (the Miljödata HR-SaaS supply-chain breach cascading to ~200 Swedish municipalities) references a 2025 incident, not in-window.

Corrections resolved during verification (sub-agent conflicts cross-checked against primaries):

  • Cisco SD-WAN CVE-2026-20245 — three sub-agents returned three different fixed-version lists and two different Cisco advisory IDs; resolved against the Mandiant primary and Cisco PSIRT to 20.9.9.2 / 20.12.7.2 / 20.15.4.5 / 20.15.5.3 / 20.18.3.1 / 26.1.1.2 and advisory cisco-sa-sdwan-privesc-4uxFrdzx. Mandiant asserts no actor attribution, so sub-agent "nation-state/espionage" framing was dropped. Primary publication date is 2026-06-24 (one sub-agent reported 06-25).
  • macOS.Gaslight — two sub-agents conflicted on C2 (HTTPS vs Telegram), XProtect signature (BONZAI.D/E vs MACOS_BONZAI_COBUCH) and persistence path; resolved against the SentinelLABS primary (Telegram Bot-API C2; XProtect MACOS_BONZAI_COBUCH; LaunchAgent com.apple.system.services.activity). The fabricated SentinelLABS URL returned by one sub-agent was discarded in favour of the verified one.
  • Gamaredon — ESET and Sekoia both published 2025 Gamaredon research on 2026-06-25; the ESET annual paper was fetched and verified. Sub-agent claims of "EU secondary targeting" were not supported by the report (exclusively Ukrainian targeting) and were dropped.

Single-source / reduced confidence: Ukrposhta data-exfiltration claim is a pro-Russian-hacktivist self-report, unverified by Recorded Future News; the service disruption itself is multi-source.

Stalled sub-agents: none — all four returned within the window.

Coverage gaps: databreaches-net (per-article 403 on the bridge; items recovered via corroborating publishers); cert-fr-avis, cert-fr-actu (feeds stale / nothing in window); ncsc-ch-focus (Week 26 review not yet published — HTTP 404 at run time); mandiant-gtig (Feedburner IncompleteRead — recovered via direct article fetch); bleepingcomputer (403 — recovered via alternates).

Source-health probe: the end-of-run source_health.py snapshot flagged five sources needs-demote — cisa-advisories, cisa-directives, cisa-news, sophos-xops, trellix. No demotion applied this run: the three CISA entries are documented routine-UA transport-blocking (exempt from demotion per the source-lifecycle rules; the cisa-kev bridge recipe itself returned 200 this run), and sophos-xops / trellix are single-probe failures below the 5×404 demotion threshold. Monitoring; will revisit if the failures persist across runs.

Unmatched action items (migrated)

  • Patch Cisco Catalyst SD-WAN Manager now to a fixed train (20.9.9.2, 20.12.7.2, 20.15.4.5, 20.15.5.3, 20.18.3.1, or 26.1.1.2) — pre-disclosure root exploitation is confirmed and there is no workaround. On any controller potentially exposed before patching, baseline /etc/passwd//etc/shadow for non-root UID-0 accounts, review tenant-upload audit logs, and rotate admin credentials including default vmanage-admin. See §4 and §5.
  • Hunt the vishing → Entra kill chain. Alert on new MFA-method registration events in Entra audit logs correlated with anomalous sign-in geo/user-agent and post-enrollment impossible-travel risk events; move privileged and helpdesk-reachable identities to phishing-resistant FIDO2/passkey MFA and require a compliant device for MFA enrollment via Conditional Access. See §1.
  • Add detection for trusted-service abuse in exfil/C2. Flag tunnel-service egress (trycloudflare.com / workers.dev / devtunnels.ms) from Office or scripting processes, and rclone/S3-API PUT/POST from hosts with no backup role — the Gamaredon model that any espionage operator can copy. See §3.
  • Treat LLM triage verdicts as provisional on submitted macOS samples. Until human review, do not trust an automated "benign" verdict on a macOS binary, and hunt LaunchAgents under com.apple.system.services.* signed by non-Apple identities. See §3.

Migrated from briefs/2026-06-26.md (v2).