ctipilot.ch
Thu · 16 Jul 2026
All daily briefs ↗
Daily brief · UTC day

Thursday, 16 July 2026

7 verified findings from 1 run · the settled record for this UTC day, in the classic brief order.

Criticality
Kind
Topic
Region
TL;DR · the day in one read
  1. 01Oracle E-Business Suite Payments pre-auth takeover (CVE-2026-46817) confirmed exploited and KEV-listed — patch or pull exposed instances off the internet. CISA added CVE-2026-46817 to its Known Exploited Vulnerabilities catalog on 2026-07-15, the first formal confirmation of active exploitation for an unauthenticated flaw in the File Transmission component of Oracle Payments (the payment engine inside Oracle E-Business Suite 12.2.3–12.2.15) that Oracle patched quietly in its May 2026 Critical Patch Update. It is reachable over plain HTTP with no authentication (CVSS 9.8); any internet-facing EBS instance not on the May fix should be patched or taken off the public internet now, and treated as potentially compromised if it was exposed after 2026-05-28.
  2. 02AsyncAPI npm compromise: Microsoft finds the malicious versions carried valid npm/OIDC provenance attestations, with an import-time (not install-hook) trigger. Microsoft Threat Intelligence's forensic timeline of the 2026-07-14 AsyncAPI npm compromise adds a load-bearing detail: because the attacker pushed to a branch that triggered AsyncAPI's own legitimate release workflow, the five trojanized versions were published via npm trusted publishing over GitHub OIDC and carry cryptographically valid provenance attestations that correctly name the real repo, commit and workflow — even though the triggering commit was unauthorized. The payload also executes at import time, not through an install lifecycle hook, so --ignore-scripts does not stop it. Provenance verification confirms which pipeline built an artifact, not that the triggering commit was authorized.
  3. 03World Leaks leaks ~858k files from a Kudankulam nuclear-plant contractor breached at a third-party data-centre host — a lesson for energy-CI operators. The data-theft-extortion group World Leaks (a Hunters International rebrand) posted roughly 858,000 files on its leak site attributed to Reliance Group, a contractor to India's Kudankulam Nuclear Power Plant; Reuters reviewed ~19,000 sensitive files (2016–2025) purporting to show blueprints, supplier and inspection records. Reliance confirmed a "partial breach" from a server hosted by third-party Indian data-centre provider Yotta; India's CERT-In is investigating and the leaked files are only claimed — not established — to be authentic. Out-of-nexus (India) but carried for its global critical-infrastructure significance and a transferable third-party-hosting lesson for European energy-CI operators.
01Active threats, incidents & disclosures3 items
NOTABLENATOB2

Basel utility IWB: ~40,000 customer records exfiltrated in a breach of a third-party service provider

Industrielle Werke Basel (IWB) — the canton-owned Basel multi-utility supplying electricity, gas, water, district heating and telecom/fibre — disclosed on 15 July 2026 that an external service provider it uses was compromised and roughly 40,000 customer records were exfiltrated from the provider's environment (Netzwoche, 2026-07-15). The stolen data comprises customer names and addresses plus technical smart-meter attributes (meter serial numbers and installation characteristics); IWB states that email addresses, phone numbers, energy-consumption data and billing/payment data were not part of the exposure, so no consumption-pattern inference is possible from what was taken (SwissCybersecurity.net, 2026-07-15). IWB's own IT and OT/grid systems were unaffected and energy/water supply continuity was not disrupted — the compromise is scoped to the provider's systems and the customer-data feed IWB shares with it (Netzwoche, 2026-07-15). The provider detected and notified IWB, which audited access, reviewed logs and pre-emptively restricted its data exchange with the affected provider; the Basel-Stadt cantonal data protection officer assessed the misuse risk as low (Watson.ch, 2026-07-15). No provider name, threat-actor claim or initial-access vector has been disclosed, and no matching leak-site listing was found for Switzerland in-window.

Bei einem Cyberangriff auf einen Dienstleister der Industriellen Werke Basel (IWB) haben Cyberkriminelle rund 40'000 Datensätze von Kundinnen und Kunden des Energieversorgers entwendet.

Die IWB-Systeme blieben unversehrt, wie das Unternehmen mitteilt. Auch die Energieversorgung sei nicht beeinträchtigt gewesen.

Netzwoche 2026-07-15
incident16 Jul 04:38Zmulti-sourceOpen finding ↗
NOTABLENATOB2

World Leaks posts ~858,000 files tied to India's Kudankulam nuclear-plant contractor; Reliance confirms a third-party-hosting breach

The data-theft-extortion group World Leaks — the rebrand of Hunters International already tracked in this store — posted roughly 858,000 files on its dark-web leak site attributed to Reliance Group, a contractor involved in India's Kudankulam Nuclear Power Plant (KNPP), the country's largest nuclear facility (The Week / Reuters, 2026-07-15). Reuters reviewed a subset of about 19,000 files dated 2016–2025 that purport to show facility blueprints, supplier details, meeting and inspection records, equipment reviews and insurance policies; the files are only claimed to originate from the plant and their authenticity is not established. Reliance Group confirmed to Reuters that a "partial breach" of its data occurred from a server hosted by Yotta, a third-party Indian data-centre provider, and that the government has been informed; India's CERT-In is investigating and a Nuclear Threat Initiative expert warned the exposure could pose a serious plant-safety risk.

They admitted to Reuters that a "partial breach" of its data had taken place from a server hosted by Yotta, a third-party Indian data centre service provider, and that the government has been informed about the incident.

19,000 of these files appeared to be highly sensitive, the report added, noting that the documents were dated between 2016 and 2025, and reportedly featured blueprints, supplier details, meeting and inspection records, equipment reviews and insurance policies.

The Week (India), relaying Reuters 2026-07-15
incident16 Jul 04:42Zsingle-sourceOpen finding ↗
NOTABLENATOB2

TELEPUZ — a modular Windows RAT/MaaS spread through ClickFix→Vidar chains, executing syscalls from patched trusted DLLs

Elastic Security Labs is tracking TELEPUZ, a full-featured, fast-evolving modular Windows RAT active since late April 2026 and, on Elastic's telemetry, a likely malware-as-a-service given the daily volume of new builds uploaded to VirusTotal (Elastic Security Labs, 2026-07-16). Delivery runs through a ClickFix social-engineering lure that pastes a PowerShell one-liner into the Run dialog, which downloads a Go variant of the Vidar stealer; Vidar then fetches a small stager (install.exe) that loads the main payload — a 64-bit DLL executed via rundll32 from domain-rotating staging infrastructure (Elastic Security Labs, 2026-07-16).

The payload's headline evasion is an indirect-syscall engine: it maps a fresh copy of ntdll.dll, parses syscall numbers from its export table, then patches the .text section of a randomly chosen legitimate DLL (dfscli.dll, davhlpr.dll, msdtclog.dll, dsrole.dll or secur32.dll) with syscall trampolines so calls execute from inside a trusted-looking module, defeating user-mode API hooking and ETW (Elastic Security Labs, 2026-07-16). It additionally patches AMSI/ETW to neutered return values, unhooks NTDLL, reflectively loads modules and runs downloaded PEs via process hollowing, escalates through two UAC-bypass techniques and SYSTEM token theft, and persists as a service named CipherAllocator. Command-and-control runs over WebSocket (optionally SChannel TLS) at a /cdn/health?sid= URI, with four fallback address-discovery channels — a Telegram channel bio, a Steam profile, a DNS TXT record and a Polygon smart-contract call (also a kill switch). Modules include a keylogger, an infostealer with a Chrome App-Bound-Encryption cookie helper, and a browser web-injection module that uses Chrome DevTools Protocol / Firefox WebDriver BiDi (not code injection) to swap IBAN/amount fields in banking web forms; the malware also runs anti-analysis checks — debugger evasion (ProcessDebugPort/ThreadHideFromDebugger) and sandbox/host geofencing on CIS country, sandbox hostnames and usernames.

Given the significant number of builds uploaded to VirusTotal daily, it is likely that we are dealing with a MaaS.

Finally, the malware selects a random library from a set of standard libraries (dfscli.dll, davhlpr.dll, msdtclog.dll, dsrole.dll, and secur32.dll) and loads it via LoadLibrary. It then patches the library's .text section with the previously generated trampolines, so indirect syscalls are now executed from this location.

Elastic Security Labs 2026-07-16
threat16 Jul 04:40Zsingle-sourceOpen finding ↗
NOTABLECVE-2023-4346exploitedNATOA2

CVE-2023-4346 — KNX building-automation protocol: account-lockout DoS added to CISA KEV, no software patch (CVSS 7.5)

CISA added CVE-2023-4346 to its Known Exploited Vulnerabilities catalog on 15 July 2026, alongside the Oracle E-Business Suite flaw, and updated the underlying ICS advisory to carry a "known public exploitation" note (CISA ICSA-23-236-01, 2026-07-15; CISA KEV alert, 2026-07-15). The flaw itself is three years old — reported by Felix Eberstaller of Limes Security and published in August 2023 — and had no prior KEV listing until this update. KNX is a widely deployed European building-automation bus protocol (KNX Association is headquartered in Belgium) used for HVAC, lighting, access control and BMS integration, so the exposure sits under any large public-sector or critical-infrastructure estate with smart-building controls.

The design flaw (CWE-645, overly restrictive account-lockout mechanism, CVSS 7.5, availability-only) is in KNX Connection Authorization Option 1: any device that has never had its BCU (Bus Coupling Unit) key set can be purged by an attacker with network access to the KNX installation, who then sets a new BCU key and permanently locks legitimate operators out — with no reset path short of the current password (CISA ICSA-23-236-01, 2026-07-15). An attacker with only physical access to the bus can do the same. KNX Association has issued no software fix in three years; the remediation is entirely procedural — set the BCU key during commissioning.

Exploitable remotely/low attack complexity/known public exploitation

If the device is configured to interface with a network, an attacker with access to that network could interface with the KNX installation, purge all devices without additional security options enabled, and set a BCU key, locking the device.

CISA (ICS Advisory ICSA-23-236-01) 2026-07-15
vulnerability16 Jul 04:36Zsingle-source · national CERTOpen finding ↗
HIGHCVE-2026-46817exploitedNATOA1

CVE-2026-46817 — Oracle E-Business Suite (Payments): unauthenticated RCE now CISA KEV-listed after quiet in-the-wild exploitation (CVSS 9.8)

CISA added CVE-2026-46817 to its Known Exploited Vulnerabilities catalog on 15 July 2026, the first formal confirmation of active exploitation for a flaw Oracle patched without fanfare in its May 2026 Critical Patch Update (CISA, 2026-07-15). The bug sits in the File Transmission component of Oracle Payments — the payment-processing engine built into Oracle E-Business Suite — and Oracle characterises it as improper privilege management, improper authentication and missing authentication for a critical function that an unauthenticated attacker with HTTP network access can use to compromise and take over Oracle Payments (CVSS 9.8; Oracle CPU, 2026-05-28). Affected releases are EBS 12.2.3 through 12.2.15.

Threat-intelligence firm Defused recorded the first in-the-wild exploitation against its EBS honeypot decoys on 27 June 2026 — roughly six weeks after the patch and before any public proof-of-concept existed — as a single source running an unauthenticated file read against the Payments component rather than broad scanning (Help Net Security, 2026-06-30). The observed technique calls the ibytransmit endpoint in the File Transmission component, invoking an internal Oracle Java function directly and redirecting it to read /etc/passwd; the same primitive can be pointed at configuration files holding database credentials, encryption keys or payment-processor API keys (Help Net Security, 2026-06-30). This is the same EBS product family already under sustained ShinyHunters/UNC6240 extortion pressure and the latest in a now-annual cadence of critical, remotely exploitable EBS flaws.

On 27 June 2026 our Oracle E-Business Suite decoys recorded the first in-the-wild exploitation of CVE-2026-46817 — roughly six weeks after Oracle's May 2026 patch and before any public proof-of-concept existed.

Help Net Security (citing Defused) 2026-06-30

The exploit targets the ibytransmit endpoint in Oracle Payments' File Transmission component, and calls an internal Oracle Java function directly, redirecting it to read a file (/etc/passwd) from the server.

Help Net Security

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CISA 2026-07-15
vulnerability16 Jul 04:35Zmulti-sourceOpen finding ↗
03Updates to prior coverage2 items
ROUTINEupdateNATOA2

Nayax refuses The Syndicate's extortion demand and narrows its disclosed breach scope

UPDATE · originally covered Nayax (Bank-of-Lithuania-licensed EEA payment institution) discloses a cloud-account incident; "The Syndicate" claims 1B card records — claim unverified and contradicted by the filing (2026-07-09)

Nayax Ltd. — whose Nayax Europe UAB subsidiary is a Bank-of-Lithuania-licensed payment institution serving EEA enterprises — issued a 14 July status update on the cloud-account incident The Syndicate claimed. Its board of directors "has resolved not to comply with criminal extortion demands," on the stated grounds that compliance would not serve customers', partners', employees' or shareholders' long-term interests (Nayax Ltd., 2026-07-14). Nayax narrowed the disclosed exfiltrated data to a backup of scanned documents, other business information, and mainly a backup of payment-transaction records that it says excludes sensitive payment-authentication data (cardholder names, CVV, ID information), adding that most affected transactions used digital-wallet single-use tokens it describes as valueless if disclosed. It also states remediation is complete and its systems are confirmed free of unauthorized access (Nayax Ltd., 2026-07-14).

The Company's Board of Directors has resolved not to comply with criminal extortion demands.

The Company's systems have been cleared and based on its investigation to date, confirmed to be free of unauthorized access.

Nayax Ltd.
incident16 Jul 04:46Zsingle-source · victim disclosureOpen finding ↗
NOTABLEupdateNATOB1

AsyncAPI npm compromise — the trojanized packages shipped valid npm/OIDC provenance attestations (Microsoft forensic timeline)

UPDATE · originally covered AsyncAPI npm packages backdoored via a GitHub Actions pull_request_target token theft, delivering a multi-stage IPFS implant (M-RED-TEAM) (2026-07-14)

Microsoft Threat Intelligence published a forensic timeline of the AsyncAPI npm compromise that adds a detail with broad supply-chain-defence implications (Microsoft Threat Intelligence, 2026-07-15). Once the attacker held push access as the AsyncAPI service account (via the pull_request_target misconfiguration covered in the original entry), no npm-token theft was needed: a direct push to a release-triggering branch ran the project's own legitimate release-with-changesets workflow, which published the packages via npm trusted publishing over GitHub OIDC. As a result the five trojanized versions carry cryptographically valid provenance attestations that correctly identify the real repository, commit and workflow — even though the triggering commit was unauthorized (Microsoft Threat Intelligence, 2026-07-15).

Two further deltas: the payload triggers at import time (embedded in one file per package — index.js for the specs package, validator.js/utils.js/ErrorHandling.js for the generator family) and unwraps an IPFS-fetched bundle through three static-key crypto layers to an eval(), so npm install --ignore-scripts provides no protection; and Microsoft recovered all three self-identifying strings — M-RED-TEAM v6.4, miasma-train-p1 and miasma-test-org — from one binary, resolving the identifier ambiguity across the original reporting. Unit 42 independently corroborates the timeline and identifies the payload as a descendant of the same Miasma RAT deployed in the June 2026 Red Hat supply-chain operation (Unit 42, 2026-07-15).

All five malicious versions were published through npm trusted publishing using GitHub OIDC and carried valid provenance attestations. The attestations accurately identified the legitimate repositories, commits, and workflows that created the packages, even though the triggering commits were unauthorized.

Do not rely on npm install –ignore-scripts as a mitigation; this campaign executes when the module is imported, not through a lifecycle hook.

Microsoft Threat Intelligence 2026-07-15
incident16 Jul 04:44Zmulti-sourceOpen finding ↗
04Action items4 items
Verification & coverage notes1 run

2026-07-16T0409Z-intel · Claude Opus 4.8 · window 26 h · 7 entries published

Verification & coverage notes

Standard daily fire — gap ≈ 24 h from the previous run 2026-07-15T0409Z-intel (which published cleanly), window 26 h. No scheduler outage, so no research-blog backfill sweep. No closed-source intel drops (intel/ carried only its README) — no S5 spawned. Product/supplier watchlists are unconfigured in this deployment, so both sweeps are no-ops and no Watchlist: line is emitted.

Fifteen candidate items surfaced across S1–S4; 7 published (5 new + 2 updates), 8 dropped. All published entries cleared the relevance/actionability gate and the completeness sweep re-read every returned item (including the borderline-flagged ones) before finalising.

Published (new):

  • CVE-2026-46817 Oracle E-Business Suite / Payments pre-auth RCE — CISA KEV 2026-07-15 (in-window trigger), ITW since 2026-06-27; high. First dedicated per-CVE entry (the 2026-07-05 weekly mentioned it only in prose, cves: [] — no dedup collision).
  • CVE-2023-4346 KNX building-automation account-lockout DoS — newly KEV-listed 2026-07-15, no software patch; notable. CVE new to the store.
  • IWB Basel third-party-provider breach — home-region CI/public-sector incident (S2 + S4 merged); notable.
  • TELEPUZ modular Windows RAT/MaaS (Elastic) — ClickFix-Vidar delivery, indirect syscalls from patched trusted DLLs; notable.
  • World Leaks / Kudankulam nuclear-contractor third-party-hosting breach — out-of-nexus, cleared the breach gate on (a) global CI significance + (d) transferable third-party-hosting lesson for energy-CI operators; notable.

Published (updates):

  • AsyncAPI npm compromise — update_of 2026-07-14: Microsoft's forensic timeline shows the trojanized versions carry valid npm/OIDC provenance attestations (provenance verifies which pipeline built an artifact, not that the triggering commit was authorized) and the payload triggers at import time; notable.
  • Nayax / The Syndicate — update_of 2026-07-09: board refuses the extortion demand, narrows disclosed scope, confirms remediation; routine.

borderline-drop: Veeam appliance updater LPE (CVSS 8.4, no CVE) — local-to-root (AV:L, PR:H), no exploitation, no public PoC, auto-patching; routine patch-cycle item that does not clear the beyond-patch-cycle vulnerability bar despite backup-infra sensitivity. borderline-drop: TuxBot v3 LLM IoT botnet (Unit 42) — single-source; generic IoT-botnet detection value; the AI-written-malware angle is already saturated in-store; no material detection improvement for the constituency. borderline-drop: OkoBot crypto-theft framework (Kaspersky) — off-nexus (targets individual cryptocurrency holders, no CI/gov/CH-EU concentration); the reusable techniques are known classes. borderline-drop: Lidl third-party breach (DE/BE/NL) — breach inclusion gate not cleared: retail/consumer sector (not profiled), no new/evolved TTP, no named actor targeting the constituency, no imminent shared threat. borderline-drop: D1R vs Bosch/Synopsys — unconfirmed leak-site claim disputed by the named vendor (Synopsys found no evidence); posted "proof" is an already-public user manual; fails the fake-news guard for standalone publication. borderline-drop: AiLock claims Ferrovial — single-source leak-site claim only (Ransomware.live / HudsonRock telemetry); no victim disclosure, no regulator filing, no A/B journalism; fails the breach/verification gate. S4 itself recommended against publication. out-of-window: xAI Grok Build CLI repo/secrets over-upload — freshest primary (The Hacker News 2026-07-14) predates the previous run (2026-07-15T04:09Z), which already triaged it (it registered incident:xai-grok-build-cli-repo-exfiltration-2026-07 but did not publish); outside window_hours=26 and not a fresh in-window delta.

Single-source items: KNX (single-source-national-cert — CISA is the disclosing authority); TELEPUZ (single-source Elastic research lab, with public YARA + ATT&CK); Kudankulam (single Reuters wire relayed by The Week; Reliance confirmed the breach, and the leaked files' authenticity is not established in the cited reporting); Nayax (single-source-victim — Nayax's own press release).

Deep dive: none. No candidate cleared the Phase 3 bar — Oracle EBS is actively exploited but public technical detail is thin (no full kill chain / PoC); TELEPUZ is technically rich but single-source commodity MaaS, not ITW exploitation against the constituency. deep_dives_today was 0; depth was not manufactured to fill the slot.

CVE id provenance: CVE-2026-46817 and CVE-2023-4346 both confirmed against the CISA KEV alert and their owning advisories (Oracle May 2026 CPU; CISA ICSA-23-236-01) and cross-checked on NVD.

Coverage gaps: cert-eu (feed current per its own cadence, newest advisory 2026-06-10, no in-window item); ncsc-uk, truesec, withsecure-labs, enisa, govcert-at (cookie-consent/JS-shell listing pages surfaced no in-window content via reader — recipe review candidates); intel471, cloudflare-cf1, kela-cyber, group-ib, depthfirst (reachable, no in-window qualifying content); databreaches-net, inside-it-ch (article pages 403 — routed via RSS feed / search-snippet corroboration).