ctipilot.ch
Sun · 05 Jul 2026
All daily briefs ↗
Daily brief · UTC day

Sunday, 5 July 2026

2 verified findings from 4 runs · the settled record for this UTC day, in the classic brief order.

Criticality
Kind
Topic
Region
TL;DR · the day in one read
  1. 01cve-search patches a pre-auth flaw that reads admin credential hashes via /fetch_cve_data. An unauthenticated improper-input-validation flaw (CVE-2026-59509, CVSS 4.0 9.2) in cve-search's POST /fetch_cve_data endpoint lets a remote attacker redirect the MongoDB query to arbitrary application collections and read administrative usernames and password hashes from the mgmt_users collection. cve-search v4.0 through v6.0.0 are affected; the fix landed in v6.0.1. cve-search is CIRCL's open-source CVE/CPE search tool run internally by many European CERTs, CSIRTs and MISP-adjacent CTI teams — no in-the-wild exploitation is reported.
  2. 02Ransom-ISAC case study: a US county paid ~$1M to data-theft extortion actor Kairos — no encryptor was ever deployed. Ransom-ISAC published a case study of "Kairos", a data-theft-only extortion actor that exfiltrated ~2 TB / ~1.6M files from a small US county government and was paid ~$1M in June 2025 without ever deploying a ransomware encryptor. Kairos claimed initial access via a brute-force credential attack; no locker binary has been obtained or confidently linked to the group, and Ransom-ISAC warns the actor's "proof of deletion" was not technically verifiable. The case is a reminder that pure-exfiltration extortion evades encryption-centric ransomware detection.
01Trending vulnerabilities1 item

CVE-2026-59509 — cve-search: unauthenticated /fetch_cve_data parameter manipulation exposes admin credential hashes (CVSS 9.2)

CVE-2026-59509 is an unauthenticated improper-input-validation flaw (CWE-20, CVSS 4.0 9.2, vector AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N) in the POST /fetch_cve_data endpoint of cve-search, the open-source CVE/CPE aggregation and search tool maintained by CIRCL (Luxembourg's CSIRT) and widely run internally by European CERTs, CSIRTs and MISP-adjacent CTI teams. The handler trusted attacker-controlled request parameters to select the target MongoDB collection, the projected fields, and the regex filters rather than restricting queries to the CVE collection, so a remote unauthenticated caller could redirect the query to arbitrary application collections — including mgmt_users — and read administrative usernames and password hashes, enabling offline cracking and admin-account takeover of the instance (CIRCL/NVD, 2026-07-05). Versions v4.0 through v6.0.0 are affected; the project's own fix (fix(web): add server-side validations for /fetch_cve_data inputs) was merged 2026-06-22 and shipped in v6.0.1, adding a CVE-only collection restriction, an allowlist for DataTables column fields, and enforced pagination bounds — all invalid requests now return HTTP 400 (cve-search project, GitHub PR #1218). No in-the-wild exploitation has been reported by either source and EPSS is not yet published, consistent with a same-day CVE assignment on an already-merged fix.

An unauthenticated improper input validation vulnerability in the POST /fetch_cve_data endpoint in cve-search. A remote attacker can manipulate request parameters controlling the MongoDB collection, projected fields, and regular-expression filters to read arbitrary application MongoDB collections. This can expose administrative usernames and password hashes from the mgmt_users collection, enabling offline password cracking and potential administrative account compromise.

ThreatInt.eu (CVE aggregator) 2026-07-05

fix(web): add server-side validations for /fetch_cve_data inputs

cve-search project (GitHub PR #1218 — fix) 2026-06-22
vulnerability05 Jul 18:16Zmulti-sourceOpen finding ↗
02Research & investigative reporting1 item
NOTABLE

Kairos data-theft-only extortion — a US county paid ~$1M with no ransomware encryptor ever recovered

Ransom-ISAC has published a post-incident case study reconstructing a data-theft extortion case against a small US county government body, in which the victim paid roughly $1M after a May 2025 intrusion (Ransom-ISAC, 2026-07-03; The Hacker News, 2026-07-04). The distinguishing feature of the actor, self-styled "Kairos", is that it is a pure data-theft-and-leak extortion operation — Ransom-ISAC states "No ransomware sample, encryptor, or locker binary has been obtained or confidently linked to Kairos", so its leverage rested entirely on the threat to publish stolen data rather than on file encryption (Ransom-ISAC, 2026-07-03). Kairos itself claimed the intrusion was achieved through a brute-force credential attack — "We accessed your network using a bruteforce attack" — mapping to T1110 Brute Force and T1078 Valid Accounts; the report does not independently confirm the access method beyond the actor's own statement (Ransom-ISAC, 2026-07-03).

Kairos claimed access to more than 2 TB of data — approximately 1.6 million files — and exfiltrated it for leak-site leverage (T1567 Exfiltration Over Web Service); after roughly a month of negotiation the victim paid about $1M on 13 June 2025 (Ransom-ISAC, 2026-07-03; Security Affairs, 2026-07-04). Ransom-ISAC explicitly cautions that "The provided 'proof of deletion' was not technically verifiable and should not be treated as evidence that the stolen data was destroyed", noting there was nothing cryptographically binding the actor's deletion log to an actual deletion event (Ransom-ISAC, 2026-07-03).

We accessed your network using a bruteforce attack.

Kairos (quoted by Ransom-ISAC)

No ransomware sample, encryptor, or locker binary has been obtained or confidently linked to Kairos

The provided 'proof of deletion' was not technically verifiable and should not be treated as evidence that the stolen data was destroyed

Ransom-ISAC 2026-07-03
research05 Jul 00:25Zmulti-sourceOpen finding ↗
03Action items6 items
Verification & coverage notes4 runs

2026-07-05T1809Z-intel · Anthropic Claude (specific model not determined) · window 24 h · 1 entry published

Verification & coverage notes

Intraday intel run — 4th fire of the day, gap 6 h since the 2026-07-05T12:08Z run; window_hours=24 (hard floor; most of it re-scanned ground already covered by the 00:09/06:09/12:08 fires, so the new signal tracks the ~6 h gap per PD-7). All four research sub-agents (S1–S4) swept their essential + standard-rotation slices; S2 and S3 returned zero in-window candidates (a healthy quiet weekend intraday window — the day's threat, home-region and research signal was already absorbed by earlier runs). S1 and S4 each surfaced one borderline candidate; one was published, one dropped.

  • Included (1):
    • entries/2026-07-05/cve-2026-59509-cve-search-fetch-cve-data-nosql.mdCVE-2026-59509 (cve-search, CVSS 4.0 9.2, pre-auth admin-credential exposure via /fetch_cve_data; fixed v6.0.1). Borderline include — org-relevance in one clause: cve-search is CIRCL/MISP-ecosystem tooling that European national CERTs, CSIRTs and CTI teams (this constituency's own analytical stack) run internally, so a pre-auth credential-read flaw in it is a concrete verify-exposure / upgrade / rotate-creds decision for the reader (PD-11 criterion a for this constituency). Priority held to notableno confirmed in-the-wild exploitation, no public PoC, EPSS unpublished, internal-tooling-by-design — deliberately not high/critical. Verification multi-source, confidence: medium: first-party disclosure+fix by the cve-search project (GitHub issue #1217 / PR #1218, merged 2026-06-22, released v6.0.1) corroborated by the CIRCL-assigned CVE record on the independent ThreatInt.eu aggregator; CVE id + CVSS re-verified against NVD (verification-only, not cited).
  • borderline-drop: Ransomware group "unsafe" claims a Deutsche Bank breach (2026-07-04) — fails the PD-6 leak-site gate (single Admiralty-C aggregator Ransomware.live + one unranked mirror blog; no Deutsche Bank statement, no BaFin notice, no Admiralty A/B journalism 24 h+ on; the claimed "€30 bn revenue impact" is extortion-site puffery). No Swiss/home-region nexus (DE/EU finance only). Already examined and dropped by the 12:08Z run with no change since — dropped again as a no-delta re-surfacing. The suggested actor:unsafe-extortion entity was NOT registered (unconfirmed/fabricated claim).
  • Out-of-window / already-covered leads examined (no in-window delta): every essential CERT/regulator source (NCSC-CH, BSI/CERT-Bund, ANSSI/CERT-FR, CERT-EU, ENISA, NCSC-NL, CERT-PL, CERT-AT, NCSC-UK) topped out at 2026-07-01…2026-07-03; every CVE surfaced (CVE-2026-8451 Citrix NetScaler, CVE-2026-8037 Kemp LoadMaster, Argo CD unauth RCE, CVE-2026-45659 SharePoint, CVE-2026-48558 SimpleHelp) already in prior_coverage.json. SEC EDGAR Item 1.05 surfaced only River Financial Corp (out-of-nexus, dropped). All major research feeds (BleepingComputer, Securelist, Talos, Unit42, ESET, Recorded Future) topped out at ≤2026-07-04T18:17Z with nothing clearing the S3 bar in-window.
  • Single-source: none (the one published entry is multi-source).
  • Contradictions: none.
  • CISA transport note: the recurring cisa-advisories / cisa-directives / cisa-news direct-403 was bridged successfully this run via the reader-proxy recipe (listing pages returned 200) — no fetch failure recorded; the pages were simply quiet in-window.
  • Coverage gaps: cert-eu (slow-cadence bulletin, newest 2026-06-10); anssi-fr (avis newest CERTFR-2026-06-26); enisa/cert-pl/cert-at (200, nothing in-window); ncsc-uk, claroty-team82, projectzero, prodaft (JS-rendered SPA shells or no in-window dated items); group-ib (Cloudflare-challenge, not attempted per recipe); jpcert, morphisec, mozilla-mfsa, resecurity, shadowserver, socprime, trail-of-bits, trendmicro-research, truesec, depthfirst — standard-tier, not fetched under intraday time-budget triage (deprioritised after essential-tier showed no fresh signal since 2026-07-03).
  • Watchlist: not reported — config/org-profile.yaml configures no product or supplier watchlists; S1/S4 sweep duties were documented no-ops.
  • Essential-coverage: no miss — every essential-tier source was attempted and resolved (CISA listing pages bridged via reader proxy; all others fetched).

2026-07-05T1208Z-intel · Anthropic Claude (specific model not determined) · window 8 h · 0 entries published

Verification & coverage notes

Quiet 8 h intraday intel run (gap 6 h since the 2026-07-05T06:09Z fire; window_hours=8, opening ~2026-07-05T04:09Z with the +2 h overlap). All four research sub-agents (S1–S4) swept their full essential + standard-rotation slices and each returned zero in-window candidates — a healthy quiet intraday window (PD-7: ≤12 h gap ⇒ 0–4 entries, zero expected on most intraday fires). No entry composed; no deep-dive candidate. This is the correct outcome, not a coverage failure — the mission is minimum-latency publication of new signal and nothing else. Independently corroborated by the immediately preceding 06:09Z run, which also returned zero across S1–S4 on an overlapping slice.

  • Included (0): nothing cleared the recency gate. Every lead surfaced across the four domains was either already in prior_coverage.json or had its freshest available source published before the ~2026-07-05T04:09Z window floor with no in-window delta.
  • Out-of-window / already-covered leads examined and dropped (no in-window delta):
    • out-of-window: Adobe ColdFusion / Campaign Classic exploitation follow-up (CVE-2026-48282 active exploitation "within hours", plus CVE-2026-48313/-48315/-48286) — primary source 2026-07-01, window_hours=8 (S1) — a genuine delta on the 2026-07-02 ColdFusion entry, but its freshest available source is older than the entry it would update and outside the 72 h developing-window floor (2026-07-02T12:08Z); flagged for a future run if a fresher source appears.
    • out-of-window: FortiBleed → INC/Lynx ransomware attribution (SOCRadar STRU + press) — primary source 2026-07-01/02, window_hours=8 (S1) — first confirmed link between mass FortiGate credential harvesting and ransomware deployment; materially new on incident:fortibleed-fortigate-credential-exposure but 3+ days stale and outside the 72 h developing-window. Flagged for the next run / the weekly W1 long-running-campaign sweep.
    • out-of-window: Romania Hipocrate hospital ransomware retrospective — underlying event Feb 2024, resurfaced 2026-07-02 blog (S2) — recycled anniversary rewrite, not fresh signal.
    • ToddyCat/Umbrij OAuth-token theft (Securelist 2026-06-30), Armored Likho/BusySnake (Securelist 2026-07-03), JADEPUFFER agentic-ransomware (already covered 2026-07-04), ChocoPoC trojanized-PoC campaign (2026-07-01/02), PRODAFT "The Gentlemen" RaaS deep-dive (~10 days old, entity actor:thegentlemen already tracked), OneConsult "BravoX" DACH ransomware note (2026-06-29) — all S3, all freshest sources outside the 8 h window with no delta on prior coverage.
    • MedusaLocker / Canton Zürich Baudirektion leak-site listing (S2) — already covered 2026-07-02; no material delta (claim status unchanged, no victim statement located).
    • AdaptHealth / Navient / 8x8 / River Financial 8-K filings, Medtronic, Kairos extortion (S4) — all already in prior_coverage.json or their underlying incidents out-of-window; SEC EDGAR Item 1.05 search surfaced no new in-window filer.
  • Fake-news / leak-site claims investigated and dropped (PD-6):
    • Ferrum AG (Rupperswil, CH; industrial-machinery manufacturer) on the Anubis leak site (attackdate 2026-07-03) — no victim statement (ferrum.net, Swiss press incl. watson.ch checked) and no HIGH-reliability journalism; only low-reliability aggregator mirrors. Per verification.md's leak-site rule this cannot run as more than "group X claims"; combined with the 2+-day-stale, no-in-window-delta status it does not clear this run's gate. Flagged for a future run's pickup if Swiss press (inside-it.ch, NZZ, watson.ch) or NCSC-CH corroborates — this is the one home-region lead worth watching.
    • A "Deutsche Bank" claim by a previously-unseen leak-site actor ("unsafe", attackdate 2026-07-04) — dropped outright as a textbook inflated/fabricated leak-site claim (G-SIB target + unknown extortion brand + zero corroboration beyond leak-site mirrors).
  • Single-source: none (no entries).
  • Contradictions: none.
  • Sources changed: inside-it-chrss_url set to the confirmed-working https://www.inside-it.ch/rss.xml (S2 re-confirmed /feed 403s, /rss.xml returns dated items via bridge); metadata-drift correction only, no tier/status change. No new candidate surfaced (one-per-run cap unused this quiet window); no demotions (all misses this run are transport-403 blocks, which never demote per the lifecycle rules).
  • Coverage gaps: cisa-advisories, cisa-directives, cisa-news (403 on the listing-page bridge recipe — KEV JSON API substituted for exploitation ground truth; the HTML listing pages still need a working sub-path recipe); industrialcyber-co (403 on both plain WebFetch and the bridge — recipe re-check recommended); ncsc-uk (client-side-rendered SPA shell, server body carries only nav chrome — needs a structured endpoint/RSS investigated); govcert-at (rss.xml 404; German-only daily reports not linked from the fetched shell); cert-eu (feed ~monthly, newest 2026-006/2026-06-10); cert-fr (avis newest CERTFR-2026-06-26; actualité feed stuck on an Oct-2025 backlog — noted for source-health review, bridge call returned 200); enisa / cert-pl (200 but nothing in-window); prodaft, sans-newsbites, claroty-team82, projectzero (JS-rendered SPA shells or no in-window dated items — recipe gaps).
  • Watchlist: not reported — config/org-profile.yaml configures no product or supplier watchlists; S1/S4 sweep duties were documented no-ops.
  • Essential-coverage: cisa-advisories, cisa-directives missed (403 transport-block; KEV API substituted for the exploitation signal). All other essential sources (advisories-ncsc-nl, anssi-fr, bsi-de, cert-at, cert-eu, cert-pl, cisa-kev, enisa, ncsc-ch-focus, ncsc-ch-incidents, ncsc-ch-security-hub, ncsc-uk) were attempted and resolved.

2026-07-05T0609Z-intel · Anthropic Claude (specific model not determined) · window 8 h · 0 entries published

Verification & coverage notes

Quiet 8 h intraday intel run (gap 6 h since the 2026-07-05T00:09Z fire; window_hours=8, opening ~2026-07-04T22:09Z). All four research sub-agents (S1–S4) swept their full essential + standard-rotation slices and each returned zero in-window candidates — a healthy quiet intraday window (PD-7: ≤12 h gap ⇒ 0–4 entries, zero expected on most intraday fires). No entry composed; no deep-dive candidate. This is the correct outcome, not a coverage failure — the mission is minimum-latency publication of new signal and nothing else.

  • Included (0): nothing cleared the recency gate. Every lead surfaced across the four domains was either already in prior_coverage.json or had its freshest available source published before the ~2026-07-04T22:09Z window floor with no in-window delta.
  • Out-of-window / already-covered leads examined and dropped (no in-window delta):
    • out-of-window: CISA/FBI/NSA/DOE Automatic Tank Gauge (ATG) critical-infra advisory — primary source 2026-06-02, window_hours=8 (S1; ~33 days stale — would be a viable OT/critical-infra candidate on a major-gap window, not admissible here).
    • TaskWeaver / Djinn Stealer via SimpleHelp CVE-2026-48558 (S1) — traced to Blackpoint Cyber 2026-06-29 original disclosure, already covered as the 2026-06-30 SimpleHelp entry; no fresh in-window delta.
    • NetNut / Popa residential-proxy botnet takedown (S3/S4 via Krebs 2026-07-02) — already covered campaign:popa-vo1d-residential-proxy-botnet (2026-07-04 incident entry); no in-window delta.
    • AdaptHealth / Navient SEC 8-K, Kairos extortion, ShinyHunters/PeopleSoft thread, Medtronic notification, Citizen Lab Pegasus/MEP (S4) — all already in prior_coverage.json; SEC EDGAR full-text search for 8-K Item 1.05 filings 2026-07-04→07-05 returned 0 hits.
    • out-of-window: TeamPCP FBI FLASH (FLASH-20260702-01, ic3.gov) — primary source 2026-07-02, window_hours=8 (S4) — a distinct new document (not in the 7-day prior-coverage index, whose latest TeamPCP entry is 2026-06-27) but published before the ~2026-07-04T22:09Z floor, and its dev-tool-poisoning campaign is already covered; no in-window delta.
  • Single-source: none (no entries).
  • Contradictions: none.
  • Sources: no changes — no new candidate surfaced (one-per-run cap unused this quiet window); no demotions (all misses this run are transport-403 blocks, which never demote per the lifecycle rules).
  • Coverage gaps: cisa-advisories, cisa-directives (403 on the listing-page bridge recipe — KEV JSON API substituted for exploitation ground-truth; HTML listing pages still need a working sub-path recipe); cisa-news (403, no working bridge recipe — hit by S3 + S4); industrialcyber-co (403 on plain WebFetch — contradicts sources.json note, recipe re-check recommended); cert-eu (api feed lagging, newest 2026-006 / 2026-06-10); anssi-fr / cert-fr (avis newest CERTFR-2026-AVI-0799 2026-06-25; actu feed stale to Oct/Nov 2025); ncsc-uk (JS shell, only previously-covered stories visible); prodaft, sans-newsbites (JS-rendered Next.js SPA shells, no server-side listing — recipe gap).
  • Watchlist: not reported — config/org-profile.yaml configures no product or supplier watchlists; S1/S4 sweep duties were no-ops.
  • Essential-coverage: cisa-advisories, cisa-directives missed (403 transport-block; KEV API substituted for the exploitation signal). All other essential sources (advisories-ncsc-nl, anssi-fr, bsi-de, cert-at, cert-eu, cert-pl, cisa-kev, enisa, ncsc-ch-focus, ncsc-ch-incidents, ncsc-ch-security-hub, ncsc-uk) were attempted and resolved.

2026-07-05T0009Z-intel · Anthropic Claude (specific model not determined) · window 14 h · 1 entry published

Verification & coverage notes

Standard-window intel run (gap 12 h since the 2026-07-04T12:09Z fire; window_hours=14, opening ~2026-07-04T10:09Z). All four research sub-agents (S1–S4) swept their full essential + rotation slices and returned a combined 1 in-window candidate, which was composed into a single research entry. The home-region/sector lens (S2), the active-threats/vulns lens (S1) and the research lens (S3) were all genuinely quiet for the window — every CVE / advisory / report surfaced (CVE-2026-45659 SharePoint, CVE-2026-48558 SimpleHelp, CVE-2026-8451 Citrix NetScaler, CVE-2026-8037 Kemp LoadMaster, CVE-2026-20230 Cisco Unified CM, Argo CD unauth RCE, CVE-2026-46242 "Bad Epoll" Linux LPE, FatFs disclosures; ChocoPoC RAT, Huntress Azure CLI ROPC research, OneConsult BravoX DACH ransomware, Dragos 2026 OT/ICS Year-in-Review) was either already in prior_coverage.json or had its freshest source published before the window boundary with no in-window delta.

  • Included (1): kairos-data-theft-extortion-case-us-county-govt-1m-payout (research, notable) — Ransom-ISAC case study of the "Kairos" data-theft-only extortion actor. Org-relevance (PD-11d): substantive primary analysis of an actor model plus a detection-model gap (pure-exfiltration extortion evades encryption-centric ransomware telemetry) with transferable hunt / negotiation lessons for CH/EU public-sector SOCs. Genuinely new — no kairos key in the registry, not in prior coverage.
  • Recency note (transparency): the Ransom-ISAC primary is dated 2026-07-03 (~21 h before the window start), but the item was surfaced/syndicated in-window by The Hacker News (2026-07-04T12:47Z) and Security Affairs (2026-07-04T16:53Z) — the freshest available source is in-window, so it clears the recency gate on the freshest-source rule. event_date: 2025-05-19 records the underlying incident so the reader is not misled about the age of the events described.
  • Spot-check corrections (PD-1 anti-embellishment): main-agent WebFetch of the Ransom-ISAC primary confirmed the publication date and claims (data-theft-only / no encryptor, ~2 TB / ~1.6 M files, ~$1 M paid 2025-06-13, the brute-force quote, the non-verifiable "proof of deletion"). Three corrections were applied before composing: (a) the brute-force access is Kairos's own claim, not independently verified — framed as such, not as fact; (b) the primary does not confirm "no MFA / no VPN" — dropped as a stated fact, the MFA point reframed as a defender recommendation; (c) the primary names only "a small US county government body" and does not confirm Union County, Ohio — the victim is kept vague; blockchain-tracing / SBU-seizure / exact-BTC-split specifics were not confirmed in the spot-check and were omitted.
  • Single-source: none — the Kairos entry is verification: multi-source (Ransom-ISAC primary + Security Affairs + The Hacker News).
  • Dropped: FBI/TeamPCP supply-chain credential-theft (Security Affairs 2026-07-04T07:55Z) — out-of-window (before the 10:09Z boundary) and overlaps the already-covered npm supply-chain-worm campaign; ChocoPoC RAT / Huntress Azure CLI ROPC / OneConsult BravoX / Dragos 2026 YiR — out-of-window (2026-07-01/-02 / 2026-06-29 / 2026-02-17), no in-window delta.
  • New candidate source (1, cap respected): ransom-isac added as candidate.
  • Coverage gaps: cisa-advisories, cisa-directives (403 on the listing-page bridge recipe — KEV API endpoint substituted for exploitation ground-truth; the HTML listing pages still need a working sub-path recipe); cisa-news, industrialcyber-co, inside-it-ch (403, no working bridge recipe this run — recipe check recommended for inside-it-ch which now 403s both feed and page); safeonweb-be (200 but Drupal SPA shell, no parseable listing); prodaft, sans-newsbites (JS-rendered SPAs, no structured endpoint); ncsc-uk (200 but static curated-links block, freshest advisory 2026-06-22); cert-fr avis-recent (freshest 2026-06-26, stale); jpcert (freshest 2026-06-10, stale); shadowserver (feed 404 — recipe revalidation needed).
  • Watchlist: not reported — config/org-profile.yaml configures no product or supplier watchlists; S1/S4 sweep duties were no-ops.
  • Essential-coverage: cisa-advisories, cisa-directives missed (403 transport-block; KEV API substituted for the exploitation signal). All other essential sources (advisories-ncsc-nl, anssi-fr, bsi-de, cert-at, cert-eu, cert-pl, cisa-kev, enisa, ncsc-ch-focus, ncsc-ch-incidents, ncsc-ch-security-hub, ncsc-uk) were attempted and resolved.