ctipilot.ch

Embargo

actor · actor:embargo single-source

Embargo — ransomware group; responsible for ChipSoft Netherlands attack

Coverage timeline: first 2026-05-04 → last 2026-06-29 (10 appearances)
Entries: 10 (6 distinct days)
Sources cited: 38 (30 hosts)
Sections touched: 7 (including active-threats, deep-dive, trending-vulnerabilities; full list under "Where this entity is cited")
Co-occurring entities: 8

Story timeline

  1. 2026-06-29 · weekly-annual-reports · ESET "Killing me gently" — a de-facto mid-year RaaS-tooling report
  2. 2026-05-20 · active-threats · Drupal core "highly critical" pre-patch warning — unauthenticated, zero-complexity, patch window today 17:00–21:00 UTC
  3. 2026-05-17 · deep-dive · Pwn2Own Berlin 2026: Master-of-Pwn outcomes, the new AI Agents category, and the compound-Exchange-threat picture for European defenders
  4. 2026-05-17 · trending-vulnerabilities · Exchange CVE-2026-42897 — Pwn2Own DEVCORE three-bug SYSTEM RCE chain emerges alongside active OWA-XSS exploitation
  5. 2026-05-10 · trending-vulnerabilities · cPanel/WHM second emergency TSR in 10 days — embargo lifted on CVE-2026-29202 (post-auth Perl RCE, CVSS 8.8), CVE-2026-29203 (CVSS 8.8), CVE-2026-29201 (CVSS 4.3)
  6. 2026-05-09 · trending-vulnerabilities · CVE-2026-43284 / CVE-2026-43500 — Linux "Dirty Frag": deterministic LPE chain via page-cache write primitives in xfrm-ESP and RxRPC, active exploitation confirmed
  7. 2026-05-04 · weekly-annual-reports · Mandiant M-Trends 2026
  8. 2026-05-04 · weekly-sector-patterns · Healthcare (CH, NL)
  9. 2026-05-04 · weekly-top-stories · CVE-2026-31431 "Copy Fail" + CVE-2026-43284 / CVE-2026-43500 "Dirty Frag" — Linux kernel LPE pair confirmed in complementary post-compromise campaigns
  10. 2026-05-04 · weekly-multi-day · cPanel / WHM — two emergency TSRs inside ten days: post-CVE-2026-41940 fleet now facing CVE-2026-29201/29202/29203

Where this entity is cited

  • trending-vulnerabilities: 3
  • weekly-annual-reports: 2
  • weekly-multi-day: 1
  • weekly-top-stories: 1
  • weekly-sector-patterns: 1
  • deep-dive: 1
  • active-threats: 1

Source distribution

  • security-hub.ncsc.admin.ch: 3 (8%)
  • attack.mitre.org: 2 (5%)
  • drupal.org: 2 (5%)
  • helpnetsecurity.com: 2 (5%)
  • thehackernews.com: 2 (5%)
  • thezdi.com: 2 (5%)
  • wid.cert-bund.de: 2 (5%)
  • access.redhat.com: 1 (3%)
  • other: 22 (58%)

Entries about Embargo (10)

2026-06-29

ESET "Killing me gently" — a de-facto mid-year RaaS-tooling report

notable annual-report discovered 2026-06-29 00:21 UTC

Background. The Gentlemen emerged in late 2025 as a RaaS operation founded by "hastalamuerte" (a former Qilin affiliate per Group-IB, previously affiliated with Embargo, LockBit, Medusa and BlackLock per PRODAFT). ESET first hypothesised an in-house EDR-killer in February 2026; Group-IB and Check Point independently corroborated before the gang's own internal data leaked. By April 2026 the group accounted for ~10% of global ransomware activity, and Krebs (06-10) linked the alias to a named individual in Izhevsk, Russia.

ESET's 06-26 deep-dive into the leaked internal data is the most substantive published-in-window documentation of RaaS tooling structure, and reads as a mid-year complement to the W25 Check Point State of Ransomware Q1 2026. Three structural findings a detection engineer should register: (1) GentleKiller is a modular in-house framework with at least eight BYOVD variants, each impersonating a different vendor and abusing a different kernel driver — driver allow-listing alone is insufficient without process-injection-chain detection; (2) the group integrates rival gangs' EDR killers (HexKiller from Warlock, ThrottleBlood shared with MedusaLocker/DragonForce, HavocKiller), so tooling overlap no longer implies operational overlap; (3) victims are selected centrally on FortiGate misconfiguration rather than geography, tying the Gentlemen victim pipeline directly to FortiBleed-style reconnaissance (§ 8). New BYOVD PoCs are operationalised within days of public release. (daily 06-27)

ransomware organized-crime russia-nexus global europe switzerland

2026-05-20

Drupal core "highly critical" pre-patch warning — unauthenticated, zero-complexity, patch window today 17:00–21:00 UTC

notable threat discovered 2026-05-20 05:00 UTC

On 2026-05-18 the Drupal Security Team published PSA-2026-05-18 reserving an emergency out-of-band release for today, 2026-05-20, 17:00–21:00 UTC. The pre-advisory scores the flaw 20/25 on Drupal's own published security scale — the second-highest tier — with Access Complexity "None" and Authentication "None", meaning exploitation is unauthenticated and requires no special conditions; the chained score sits below the theoretical 25/25 only because the Drupal Security Team rates the affected configuration as "Uncommon". CVE assignment and class are embargoed until release. Affected branches: 10.5.x, 10.6.x, 11.2.x, 11.3.x receive official patches; Drupal also reserved manual emergency patch files for EOL branches 8.9, 9.5, 10.4 (→ 10.4.9) and 11.1 (→ 11.1.9) — an unusual step that itself signals severity. Drupal 7 is not affected. The Security Team explicitly notes "exploits might be developed within hours or days". NCSC.ch's Security Hub corroborates the urgency, reiterating that "Successful exploitation could allow unauthenticated attackers to fully compromise affected Drupal installations". BSI WID-SEC-2026-1579 carries the same advance warning (BSI CERT-Bund).

Why it matters to us: Drupal is the dominant CMS for Swiss federal / cantonal / municipal portals, European Commission and EU-agency sites, universities, and public-sector NGOs. No technical mitigation exists pre-patch. Schedule the patch window now and monitor the Drupal Security Advisories feed for the CVE and patch links the moment they publish at 17:00 UTC.

vulnerabilities pre-auth no-patch switzerland europe global

2026-05-17

Pwn2Own Berlin 2026: Master-of-Pwn outcomes, the new AI Agents category, and the compound-Exchange-threat picture for European defenders

high threat discovered 2026-05-17 05:00 UTC deep dive

Background. Pwn2Own Berlin (run alongside OffensiveCon, 2026-05-14 → 2026-05-16) is the second Berlin edition since Trend Micro / Zero Day Initiative moved the European event off the Vancouver-only schedule in 2025. It runs the standard Pwn2Own rules: original-research, full-chain, time-boxed in-room exploitation against current-patched production targets, with vendor-disclosure happening within minutes of a successful pop and a 90-day Pwn2Own embargo before ZDI publishes technical detail. The Berlin contest historically draws a heavier European researcher field than Vancouver — relevant this year because Swiss firm Compass Security fielded a five-researcher team and took prizes against multiple AI agent targets. Prior Pwn2Own competitions established the cadence: bugs popped in May surface as advisory-tagged CVEs in vendor August or September advisories. The May 2026 contest is meaningful for European public-sector defenders for three reasons covered below — the DEVCORE Exchange chain landing while CVE-2026-42897 is actively exploited, the new AI Agents category dragging dev-toolchain inference platforms into the public-vulnerability ecosystem, and the contest's capacity overflow which produced an unprecedented wave of rejected-researcher public PoC releases.

Day-by-day outcomes — what was actually demonstrated. Day 1 (ZDI, 2026-05-13): Orange Tsai (DEVCORE) opened the day with a four-bug Microsoft Edge sandbox escape for $175,000 — the day's biggest single award and the foundation of DEVCORE's eventual Master of Pwn victory; Compass Security exploited OpenAI Codex through a CWE-150 "improper neutralization of special elements" bug for $40,000 — the first publicly-known weaponised exploit of OpenAI's coding agent; Satoki Tsuji (Ikotas Labs) exploited NVIDIA Megatron Bridge via an overly permissive allowed-list bug for $20,000; Ikotas Labs separately collided against LiteLLM ($8,000 reduced reward); maitai (Doyensec) collided against OpenAI Codex ($10,000); Nguyen Thanh Dat (Viettel) collided against Claude Code ($20,000); k3vg3n landed an SSRF-plus-code-injection chain against LiteLLM (separate from the Ikotas Labs LiteLLM collision); Le Duc Anh Vu (Viettel) failed his attempt against Codex; STARLabs SG demonstrated a five-bug SSRF + code-injection chain against LM Studio. Day 2 (ZDI, 2026-05-15): the Exchange chain landed — Orange Tsai of DEVCORE chained three undisclosed bugs to unauthenticated SYSTEM RCE on a patched Exchange Server installation, earning $200,000 and a Master-of-Pwn step toward DEVCORE's overall victory; OtterSec popped LM Studio via a code-injection bug; 0xDACA / Noam Trobinski took the NVIDIA Container Toolkit via a use-after-free ($25,000); Compass Security took Cursor for an additional $15,000. Day 3 (ZDI, 2026-05-16; Hackread, 2026-05-16): STARLabs SG's Nguyen Hoang Thach burned a memory-corruption vulnerability for a full VMware ESXi hypervisor escape ($200,000, 20 Master-of-Pwn points); Windows 11 LPE chains landed; Compass Security attempted Claude Code but collided with a vulnerability ZDI already had on file. Master of Pwn final: DEVCORE 50.5 points / $505,000; STARLabs SG 25 points. Across three days: 47 unique zero-days, $1,298,250 paid out — ZDI's largest Berlin payout to date.

Exchange — compounding the in-the-wild picture. The DEVCORE three-bug chain attacks a different surface from CVE-2026-42897 (yesterday's deep dive) — OWA stored XSS is browser-context exploitation against authenticated users; the DEVCORE chain achieves SYSTEM-level direct RCE without authentication. Technique-class map: T1190 Exploit Public-Facing Application → T1059.003 Windows Command Shell → T1068 Exploitation for Privilege Escalation, with the EWS / RPC / RemotePS attack surface as the most plausible target set given Orange Tsai's prior ProxyLogon / ProxyShell / ProxyNotShell work. Embargo window: ZDI rules require vendors to ship patches within 90 days; expect Microsoft advisories around 2026-08-14, possibly bundled into August Patch Tuesday. Operational implication for the next ~12 weeks: on-premises Exchange faces (a) the currently-exploited XSS without permanent patch, (b) an unpatched unauthenticated SYSTEM RCE class proven viable on hardened production builds, and (c) the residual ProxyShell/NotShell attack surface that the FamousSparrow Azerbaijani campaign covered in the 2026-05-14 deep dive showed is still being weaponised against unpatched installs. The defender posture published with the 2026-05-16 deep dive (verify EEMS service, monitor OWA access patterns, restrict ECP/EWS from the internet, accelerate Exchange Online migration where possible) becomes harder to argue against given the Pwn2Own evidence.

AI Agents category — the new public-vulnerability surface for dev toolchains. Pwn2Own Berlin 2026 was the first year ZDI ran an AI Agents track. The result across the AI-Agents and adjacent inference-stack targets — OpenAI Codex, Cursor, LM Studio, LiteLLM, Claude Code, Claude Desktop, Chroma, Megatron Bridge, Ollama — was that the entries either landed exploits or collided with bugs ZDI already had on file (the latter still confirms the vuln exists). The recurring pattern across LiteLLM, LM Studio, Cursor and the OpenAI Codex attempts is agent-instruction-injection → server-side request forgery → arbitrary code execution, mapped to T1059.007 (JavaScript / scripting) and T1090 (Proxy abuse) — the agent runtime takes adversary-supplied content (a tool invocation, a file the agent is asked to summarise, a URL), treats it as a privileged instruction, and either fetches an attacker-controlled resource SSRF-style from inside the corporate network or executes attacker-shaped code in the agent's runtime container. STARLabs SG's five-bug LM Studio chain (Day 1) and k3vg3n's LiteLLM chain (Day 1) both follow exactly that pattern — SSRF→code-injection. OtterSec's Day 2 LM Studio pop was a code-injection bug only (no SSRF prefix), demonstrating the same target falls to two distinct attack-class roots. The OpenAI Codex CWE-150 vulnerability Compass Security exploited centres on improper neutralisation of special characters in tool-invocation arguments.

Defender concepts that translate without IOCs: (1) treat self-hosted inference services (Ollama, LM Studio, LiteLLM, vLLM gateways) as untrusted public-facing applications even when bound to localhost — they are reachable from any browser tab the developer opens; (2) constrain outbound egress from inference containers to only the model-update endpoints they need (RFC-1918-range alerts from agent containers are a high-signal SSRF indicator); (3) require code-signing on tool plugins loaded by Cursor / Codex / Claude Code; (4) inventory developer endpoints that have agent tooling installed and ensure EDR coverage extends to the agent's runtime processes — these are not yet routinely covered by SOC tooling baselines. For Swiss/EU public-sector environments specifically: agentic coding tools are entering federal and cantonal developer workflows ahead of any procurement-grade evaluation; the Pwn2Own results give a documented evidence base for SOC managers asking developer-tooling owners for inventory and egress controls.
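Defender concept (2) above, turned into a check: the following is an added example, not code from ctipilot or from any of the named vendors. It reads outbound flow records from agent/inference containers and raises a high-severity alert for any destination in RFC 1918, loopback or link-local space (the SSRF indicator the entry names, with link-local covering cloud metadata endpoints), and a medium-severity alert for public destinations outside a per-container allowlist of model-update endpoints. The flow-record format, container names, hostnames and allowlist are all constructed for illustration.

```python
"""Egress-anomaly check for self-hosted inference / agent containers (added example)."""
import ipaddress
from dataclasses import dataclass

# Address ranges an inference container should never need to reach outbound.
INTERNAL_RANGES = {
    "rfc1918": [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
    "loopback": [ipaddress.ip_network("127.0.0.0/8")],
    "link-local": [ipaddress.ip_network("169.254.0.0/16")],  # includes cloud metadata services
}

# Constructed per-container egress allowlist: only the update/API endpoints each service needs.
EGRESS_ALLOWLIST = {
    "lmstudio": {"registry.example-models.test"},
    "litellm": {"api.example-provider.test"},
    "codex-agent": set(),
}

# Constructed flow records: "<timestamp> <container> <dst_ip>:<dst_port> <sni_or_host|->".
# Public addresses use documentation ranges (TEST-NET) so the sample stays inert.
SAMPLE_FLOWS = """\
2026-05-17T09:01:02Z lmstudio    203.0.113.10:443     registry.example-models.test
2026-05-17T09:01:05Z lmstudio    10.20.30.40:8080     -
2026-05-17T09:02:11Z litellm     169.254.169.254:80   -
2026-05-17T09:02:40Z litellm     198.51.100.7:443     api.example-provider.test
2026-05-17T09:03:01Z codex-agent 192.168.1.15:22      -
2026-05-17T09:03:09Z lmstudio    198.51.100.9:443     unknown-host.test
"""


@dataclass
class Alert:
    ts: str
    container: str
    destination: str
    severity: str
    reason: str


def classify_destination(ip_str: str) -> str:
    """Return 'rfc1918', 'loopback', 'link-local' or 'public' for an IP address string."""
    ip = ipaddress.ip_address(ip_str)
    for label, networks in INTERNAL_RANGES.items():
        if any(ip in net for net in networks):
            return label
    return "public"


def detect_ssrf_egress(flow_text: str, allowlist: dict) -> list:
    """Flag internal-space egress (high) and non-allowlisted public egress (medium)."""
    alerts = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        ts, container, dst, host = line.split()
        ip_str, _port = dst.rsplit(":", 1)
        kind = classify_destination(ip_str)
        if kind != "public":
            alerts.append(Alert(ts, container, dst, "high",
                                f"{kind} destination from agent container (possible SSRF pivot)"))
        elif host not in allowlist.get(container, set()):
            alerts.append(Alert(ts, container, dst, "medium",
                                f"public destination {host} not on egress allowlist"))
    return alerts


if __name__ == "__main__":
    for a in detect_ssrf_egress(SAMPLE_FLOWS, EGRESS_ALLOWLIST):
        print(f"[{a.severity}] {a.ts} {a.container} -> {a.destination}: {a.reason}")
```

On the sample, the three internal destinations (10.20.30.40, the 169.254.169.254 metadata address, 192.168.1.15) produce high-severity alerts and the one unknown public host a medium one; the two allowlisted model-endpoint connections pass. In production the same logic sits on whatever exports container flow data (CNI flow logs, eBPF tracing, a proxy), and the allowlist becomes the egress policy itself rather than a post-hoc filter.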

Capacity-overflow rejected-researcher PoC wave. A distinctive feature of Berlin 2026: Pwn2Own contest slots filled before all submitted research could be staged. ZDI's response — public disclosure of full PoC chains by researchers whose submissions were rejected for slot reasons — produced an unprecedented PoC release wave covering Firefox full-chain RCE, additional Ollama / LM Studio exploitation, NVIDIA driver chains, and at least one researcher's Claude Code exploitation attempt. Operationally, defenders cannot rely on the standard Pwn2Own embargo for any of these — the technical detail is in the wild now. Browser/inference/dev-tool teams should monitor researcher Twitter/Mastodon disclosure channels and triage against their own deployment surface immediately rather than waiting for vendor advisories.

Hardening / mitigation summary (citing the contest blogs for each piece):

  • Exchange on-premises: treat as severely threatened; verify EEMS M2.1.x; restrict OWA/ECP/EWS internet reachability; plan for an August Patch Tuesday emergency cycle when the DEVCORE embargo expires (ZDI Day 2).
  • VMware ESXi: assume the hypervisor escape class is exploitable on hardened production builds until Broadcom ships a patch; restrict ESXi management network reach; monitor for atypical guest-to-host process spawn patterns (ZDI Day 3).
  • AI Agents (Codex / Cursor / LM Studio / LiteLLM / Claude Code): treat inference containers as untrusted; egress-restrict to model-update endpoints; require tool-plugin code signing; inventory developer endpoints with agent tooling and ensure EDR coverage of agent runtime processes (ZDI Day 1, ZDI Day 2).
  • Windows 11 LPE candidates: track Patch Tuesday cadence ahead of August disclosure window; nothing actionable until vendors ship advisories (ZDI Day 3).

vulnerabilities zero-day ai-abuse supply-chain cloud europe switzerland global

2026-05-17

Exchange CVE-2026-42897 — Pwn2Own DEVCORE three-bug SYSTEM RCE chain emerges alongside active OWA-XSS exploitation

notable vulnerability discovered 2026-05-17 05:00 UTC

UPDATE (originally covered 2026-05-15 and 2026-05-16 deep dive): DEVCORE's Orange Tsai chained three undisclosed Exchange Server bugs on Pwn2Own Berlin 2026 Day 2 to achieve unauthenticated remote code execution at SYSTEM privilege level, earning $200,000 (Zero Day Initiative, 2026-05-15; BleepingComputer, 2026-05-15). This chain is separate from the actively-exploited CVE-2026-42897 (OWA stored XSS, no permanent patch; EEMS mitigation M2.1.x only) that the 2026-05-16 deep dive covered. ZDI verbatim: "Orange Tsai (DEVCORE Research Team) earned $200,000 after chaining three bugs to gain remote code execution with SYSTEM privileges on Microsoft Exchange."

The three bugs are under a 90-day Pwn2Own embargo — Microsoft must patch by approximately 2026-08-14 before ZDI publishes technical detail. Operationally, the compound risk for on-premises Exchange has materially worsened in 48 h: one actively exploited XSS without a permanent patch (M2 mitigation only, with known OWA Calendar Print / inline-image side-effects), plus a fresh unauthenticated SYSTEM RCE class that defenders cannot pre-emptively patch. CVE-2026-42897 remains in CISA KEV (added 2026-05-15) with EEMS as the only listed mitigation; the Microsoft Exchange blog post addressing-exchange-server-may-2026-vulnerability-cve-2026-42897 linked from the MSRC advisory returns 502 on direct fetch and the MSRC entry itself is the operational primary (MSRC CVE-2026-42897).

Defender response shift for on-premises Exchange 2016/2019/SE: treat the platform as severely threatened. Verify EEMS service is enabled (Get-ExchangeDiagnosticInfo, mitigation M2.1.x present in applied list); restrict ECP/EWS/OWA reachability from the internet at the WAF or reverse proxy where business-feasible; accelerate any in-progress Exchange Online migration; assume hypothetical compromise paths through both OWA-browser-context attacks (CVE-2026-42897) and a direct service-account SYSTEM RCE chain (Pwn2Own DEVCORE) until Microsoft ships permanent fixes for both. Exchange Online tenants are not in scope for either.

(migrated from ctipilot v2 brief)

vulnerabilities actively-exploited rce zero-day cisa-kev no-patch global europe switzerland CVE-2026-42897

2026-05-10

cPanel/WHM second emergency TSR in 10 days — embargo lifted on CVE-2026-29202 (post-auth Perl RCE, CVSS 8.8), CVE-2026-29203 (CVSS 8.8), CVE-2026-29201 (CVSS 4.3)

high vulnerability discovered 2026-05-10 05:00 UTC

UPDATE (originally noted as embargoed-and-dropped 2026-05-09): Technical details for the three CVEs cPanel patched on 2026-05-08 emerged on 2026-05-09 (The Hacker News, 2026-05-09 · NCSC-CH Security Hub post 12550, 2026-05-08 · Panelica technical analysis, 2026-05-08).

CVE-2026-29202 (CVSS 8.8) is the highest-severity item: insufficient input validation of the plugin parameter in the create_user API allows an authenticated cPanel user to inject and execute arbitrary Perl code in the context of their system account — post-authentication RCE for any cPanel user with API access. CVE-2026-29203 (CVSS 8.8) is unsafe symlink handling enabling chmod abuse on arbitrary files (privilege escalation or denial-of-service). CVE-2026-29201 (CVSS 4.3) is arbitrary feature-file disclosure. None have confirmed in-the-wild exploitation as of 2026-05-09.

The compounding risk: cPanel hosts that were compromised through the still-recent CVE-2026-41940 authentication-bypass wave (~44 000 hosting servers exploited over February–May 2026) now face a fresh post-auth Perl-execution primitive. An attacker who already used the auth bypass can pivot to CVE-2026-29202 to escalate privilege or persist. Fixed: cPanel/WHM 11.136.0.9+, 11.134.0.25+, 11.132.0.31+. Operators with auto-update disabled or version-pinned builds must run /scripts/upcp manually.

vulnerabilities rce patch-available global CVE-2026-29202 CVE-2026-29203 CVE-2026-29201

2026-05-09

CVE-2026-43284 / CVE-2026-43500 — Linux "Dirty Frag": deterministic LPE chain via page-cache write primitives in xfrm-ESP and RxRPC, active exploitation confirmed

high vulnerability discovered 2026-05-09 05:00 UTC

Researcher Hyunwoo Kim disclosed "Dirty Frag" on 2026-05-07/08 after a third party inadvertently broke embargo by reverse-engineering the upstream patch. The chain exploits two page-cache write primitives: CVE-2026-43284 (xfrm-ESP/IPsec subsystem, introduced ~2017, kernel mainline patch merged 2026-05-08) and CVE-2026-43500 (RxRPC subsystem, introduced ~2023, patch still pending at disclosure). Unlike race-condition kernel exploits, this chain is deterministic and near-100% reliable: both primitives allow userland code to write arbitrary values into read-only page-cache pages (e.g., /etc/passwd, /usr/bin/su, setuid binaries) via memory aliasing caused by DMA remapping. The combined primitive produces a stable root primitive without timing windows. Exploitation requires CAP_NET_ADMIN — available by default in Linux user namespaces on Ubuntu, Fedora, and most Arch-based distributions; restricted on RHEL 8/9 and some hardened configs. Public PoC was published alongside disclosure. Microsoft Defender telemetry confirms limited active campaigns in which threat actors escalated from SSH-compromised user accounts, modified LDAP authentication files, exfiltrated PHP session contents, and disrupted active sessions (Microsoft Security Blog, 2026-05-08 · Wiz Research, 2026-05-08 · NCSC-CH advisory 12547, 2026-05-08).

Affected distributions with confirmed exposure: Ubuntu 22.04/24.04/24.10, RHEL 8/9/10, Fedora, CentOS Stream, AlmaLinux, openSUSE Tumbleweed. Red Hat published RHSB-2026-003 (Red Hat security bulletin); Ubuntu published a fixes-available blog (Ubuntu blog). Mitigation until patches land: modprobe -r esp4 esp6 rxrpc (breaks IPsec VPNs and AFS filesystems). This is a distinct chain from CVE-2026-31431 ("Copy Fail"), also by Kim; the two vulnerabilities are not the same primitive.

(migrated from ctipilot v2 brief)

vulnerabilities lpe actively-exploited poc-public patch-available global CVE-2026-43284 CVE-2026-43500

2026-05-04

Mandiant M-Trends 2026

notable annual-report discovered 2026-05-04 05:00 UTC single-source

M-Trends 2026 (published 2026-03-23, first covered 2026-05-07) reinforces three cross-cutting trends visible in this week's incidents: voice phishing surged to the second most prevalent initial-access vector at 11% (overtaking email phishing at 6%) driven by IT help-desk impersonation and SaaS OAuth token theft — directly evidenced this week in the ADT vishing → Okta SSO → Salesforce pivot and in MuddyWater's Teams external-access helpdesk pretext (§ 7); ransomware initial access via prior compromise doubled to 30% — implicit in the access-broker / ransomware-affiliate model behind Akira, Embargo, and Qilin's targeting of European victims; and edge-device persistence on VPNs, routers, and network appliances without EDR coverage remains the dominant initial-access technique for state-sponsored espionage — directly mirrored in CL-STA-1132's PAN-OS exploitation and in Ivanti EPMM's named EU victims. The reframe IOCTA does not give but M-Trends does: median dwell time globally has increased to 14 days (up from 11 in 2024) and espionage-focused intrusions average 122-day median dwell — i.e. when the Ivanti EPMM and PAN-OS post-compromise hunting horizons land on retrospective log review back to March/April, that horizon is consistent with Mandiant's observed espionage dwell envelope. (Google Cloud / Mandiant M-Trends 2026, 2026-03-23; daily 2026-05-07).

nation-state espionage ransomware global

2026-05-04

Healthcare (CH, NL)

notable synthesis discovered 2026-05-04 05:00 UTC

Two healthcare incidents define the sector picture this week, both with European public-sector concentration. Groupe 3R (Switzerland) — Akira leak-site listing on a Romandie medical-imaging operator running 20 centres across seven cantons; the operator confirmed publicly on 2026-04-30, will not pay ransom, and is operating with legacy examination data still inaccessible at week-end (Groupe 3R victim statement · daily 2026-05-10). ChipSoft (Netherlands) — the 7 April 2026 attack on the Dutch healthcare software vendor, whose HiX platform serves roughly 70% of Dutch hospitals, was first reported with attacker identity unknown (The Record, 2026-04-09); the Embargo ransomware group's claim of responsibility, alongside the 66 Dutch DPA notifications, was reported in the subsequent NL Times follow-up. On 28–29 April ChipSoft stated the exfiltrated data had been destroyed, in language that Dutch security experts noted strongly implies a ransom was paid (ChipSoft did not confirm) (NL Times, 2026-04-29 · daily 2026-05-07). Both incidents reinforce the same cross-finding pattern: ransomware operators' claims of data destruction are inherently unverifiable; GDPR breach-notification obligations and long-term breach-response posture do not expire when an attacker says they deleted the copy.

ransomware data-breach organized-crime switzerland europe

2026-05-04

cPanel / WHM — two emergency TSRs inside ten days: post-CVE-2026-41940 fleet now facing CVE-2026-29201/29202/29203

notable synthesis discovered 2026-05-04 05:00 UTC

cPanel / WHM saw two emergency Targeted Security Releases inside ten days, with the second arriving against a fleet that had not yet recovered from the first. CVE-2026-41940 (CRLF cookie-forge unauthenticated bypass) drove mass exploitation from approximately 2026-02-23 through the emergency patch on 2026-04-28 — roughly two months of zero-day exposure during which Shadowserver telemetry estimated ~44,000 IP addresses likely compromised; multiple distinct threat-actor campaigns deployed payloads, including a "Sorry" Go-based Linux encryptor and AdaptixC2 against government and military entities (watchTowr Labs · Rapid7 ETR · Help Net Security, 2026-05-04 · daily 2026-05-06 first coverage). The second TSR landed 2026-05-08 with three CVEs initially under responsible-disclosure embargo (and dropped from § 3 of the daily that day for that reason); the embargo lifted 2026-05-09 with technical analyses from The Hacker News and Panelica (daily 2026-05-09, daily 2026-05-10 UPDATE).

The compounding pattern is what makes this a multi-day-chain entry: cPanel hosts that recovered from the ~February–April CVE-2026-41940 wave now face fresh primitives — CVE-2026-29202 (CVSS 8.8) is post-auth Perl execution in the create_user API (any authenticated cPanel user with API access can inject and execute arbitrary Perl code in their system account context); CVE-2026-29203 (CVSS 8.8) is unsafe symlink handling enabling chmod abuse for privilege escalation or denial of service; CVE-2026-29201 (CVSS 4.3) is arbitrary feature-file disclosure (The Hacker News, 2026-05-09 · NCSC-CH 12550, 2026-05-08 · Panelica, 2026-05-08). An attacker who used CVE-2026-41940 to obtain unauthenticated cPanel access can pivot to CVE-2026-29202 to escalate privilege or persist inside the same compromised host. No confirmed in-the-wild exploitation of the second batch at week-end, but the population of unpatched hosts overlaps materially with the recovering CVE-2026-41940 fleet. Patch path: cPanel/WHM patched builds 11.136.0.9+, 11.134.0.25+, 11.132.0.31+; operators with auto-update disabled or version-pinned builds must run /scripts/upcp manually. European hosting providers and MSPs serving public-sector clients remain the structural exposure concentration.
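The patch path stated in this entry and in the 2026-05-10 entry above (fixed builds 11.136.0.9+, 11.134.0.25+, 11.132.0.31+; manual /scripts/upcp where auto-update is off) is branch-specific, so a host on 11.134.0.17 is vulnerable even though 11.132.0.31 is "lower". The following fleet-triage helper is an added example, not cPanel's tooling: it maps each build to its release branch, compares against that branch's fixed build, and lists which hosts need the manual run. Hostnames, build numbers and the inventory format are constructed; branches outside the three listed are reported as unknown rather than guessed.

```python
"""cPanel/WHM fleet triage against the May 2026 TSR fixed builds (added example)."""

# Release branch (first two components) -> first fixed build for that branch, as stated in the entry.
FIXED_BUILDS = {
    (11, 136): (11, 136, 0, 9),
    (11, 134): (11, 134, 0, 25),
    (11, 132): (11, 132, 0, 31),
}

# Constructed inventory: "<host> <cpanel_version> <auto_update yes|no>" with a header row.
SAMPLE_INVENTORY = """\
host version auto_update
web01.example.test 11.136.0.9 yes
web02.example.test 11.134.0.17 no
web03.example.test 11.132.0.31 yes
web04.example.test 11.132.0.30 no
legacy.example.test 11.130.0.5 no
"""


def parse_version(version_str: str) -> tuple:
    """'11.134.0.17' -> (11, 134, 0, 17); comparison is component-wise, not lexical."""
    return tuple(int(part) for part in version_str.split("."))


def patch_status(version_str: str) -> str:
    """'patched', 'vulnerable', or 'unknown-branch' (branch not covered by this TSR notice)."""
    version = parse_version(version_str)
    fixed = FIXED_BUILDS.get(version[:2])
    if fixed is None:
        return "unknown-branch"
    return "patched" if version >= fixed else "vulnerable"


def triage(inventory_text: str) -> dict:
    """Return {host: (status, recommended action)} for every inventory row."""
    results = {}
    for line in inventory_text.splitlines()[1:]:  # skip header
        if not line.strip():
            continue
        host, version, auto_update = line.split()
        status = patch_status(version)
        if status == "patched":
            action = "none"
        elif status == "vulnerable" and auto_update == "no":
            action = "run /scripts/upcp manually"
        elif status == "vulnerable":
            action = "confirm auto-update applied the TSR; run /scripts/upcp if still below fixed build"
        else:
            action = "branch not in TSR fixed list; check vendor release notes"
        results[host] = (status, action)
    return results


def hosts_needing_manual_upcp(results: dict) -> list:
    """Hosts that are vulnerable and will not self-heal because auto-update is disabled."""
    return [h for h, (status, action) in results.items() if action == "run /scripts/upcp manually"]


if __name__ == "__main__":
    report = triage(SAMPLE_INVENTORY)
    for host, (status, action) in report.items():
        print(f"{host:22} {status:15} {action}")
    print("manual upcp:", hosts_needing_manual_upcp(report))
```

Feed it the output of whatever already inventories `/usr/local/cpanel/version` across the fleet; the point of the branch lookup is that a single "minimum version" comparison would wrongly clear 11.134.0.17 and 11.136.0.1 against 11.132.0.31.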

vulnerabilities rce actively-exploited cisa-kev auth-bypass patch-available global CVE-2026-29202 CVE-2026-29203 CVE-2026-29201

2026-05-04

CVE-2026-31431 "Copy Fail" + CVE-2026-43284 / CVE-2026-43500 "Dirty Frag" — Linux kernel LPE pair confirmed in complementary post-compromise campaigns

high synthesis discovered 2026-05-04 05:00 UTC

If you did nothing this week: Microsoft Security Blog observed active campaigns deploying both Linux LPE families post-compromise; the daily 2026-05-09 UPDATE synthesised the operator-side selection logic as Copy Fail (algif_aead page-cache write) used on hosts where the module is available, Dirty Frag (xfrm-ESP and RxRPC page-cache writes) on hosts where user namespaces are enabled without algif_aead. Microsoft documents the same initial-access vector (SSH credential stuffing on exposed management ports) feeding both chains, and both defeat conventional on-disk file-integrity monitoring because the write lands in the kernel page cache rather than on disk (Microsoft Security Blog, 2026-05-08 · daily 2026-05-09 update).

Copy Fail (CVE-2026-31431, CVSS 7.8) is deterministic — no kernel-version offsets, no timing windows. A public 732-byte Python exploit exists; Go and Rust reimplementations have appeared in public code repositories; Kaspersky validated the container-to-host escape vector on Docker / LXC / Kubernetes when algif_aead is loaded on the host kernel (default on most distributions) (CERT-EU Advisory 2026-005, 2026-04-30 · Unit 42 — Copy Fail · BSI WID-SEC-2026-1232 · daily 2026-05-06 deep dive). Dirty Frag chains CVE-2026-43284 (xfrm-ESP / IPsec) with CVE-2026-43500 (RxRPC) into another deterministic root primitive via page-cache write primitives in both subsystems; researcher Hyunwoo Kim disclosed it 2026-05-07/08 after a third party reverse-engineered the upstream patch and broke embargo. CVE-2026-43500 distro patches remain pending at week-end (Wiz Research, 2026-05-08 · Red Hat RHSB-2026-003 · Ubuntu — Dirty Frag fixes-available · NCSC-CH 12547 · daily 2026-05-09). Both map to T1068 Exploitation for Privilege Escalation and T1548.001 Setuid and Setgid Abuse. Defenders should treat file-integrity monitoring as insufficient detection for either family — runtime detection lands on auditd execve of /usr/bin/su / /usr/bin/sudo / /usr/bin/passwd from anomalous parent processes, EDR process-ancestry rules for root from non-root contexts, and (for Copy Fail specifically) eBPF or EDR alerts on AF_ALG socket creation in container namespaces.
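The runtime-detection idea stated above (auditd execve of /usr/bin/su, /usr/bin/sudo or /usr/bin/passwd from anomalous parent processes) needs process ancestry, which a single auditd SYSCALL record does not carry. The following is an added example, not ctipilot's or any vendor's detection content: it rebuilds a pid-to-comm map from the execve records in the log itself and alerts when a watched binary's parent is not an interactive shell or login service. The audit records are constructed; the syscall number 59 assumes x86_64 (arch=c000003e), and the set of expected parents is an assumption to tune per estate.

```python
"""Process-ancestry detection for setuid-binary execution from anomalous parents (added example)."""
import re
from dataclasses import dataclass

WATCHED_EXES = {"/usr/bin/su", "/usr/bin/sudo", "/usr/bin/passwd"}
# Parents from which these binaries are normally invoked by a human (assumption; tune per estate).
EXPECTED_PARENTS = {"bash", "sh", "zsh", "fish", "login", "sshd", "sudo", "su", "systemd"}
EXECVE_SYSCALLS = {"59"}  # x86_64 execve; aarch64 would be 221

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed auditd SYSCALL records (execve) for one host: a user shell spawning su
# normally, the same shell spawning python3 which then runs su, and a web worker running passwd.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1778313600.101:1001): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=1500 auid=1000 uid=1000 gid=1000 euid=1000 comm="bash" exe="/usr/bin/bash" key="exec"
type=SYSCALL msg=audit(1778313600.205:1002): arch=c000003e syscall=59 success=yes exit=0 ppid=1500 pid=1510 auid=1000 uid=1000 gid=1000 euid=0 comm="su" exe="/usr/bin/su" key="exec"
type=SYSCALL msg=audit(1778313601.001:1003): arch=c000003e syscall=59 success=yes exit=0 ppid=1500 pid=1520 auid=1000 uid=1000 gid=1000 euid=1000 comm="python3" exe="/usr/bin/python3" key="exec"
type=SYSCALL msg=audit(1778313601.350:1004): arch=c000003e syscall=59 success=yes exit=0 ppid=1520 pid=1521 auid=1000 uid=1000 gid=1000 euid=0 comm="su" exe="/usr/bin/su" key="exec"
type=SYSCALL msg=audit(1778313602.010:1005): arch=c000003e syscall=59 success=yes exit=0 ppid=700 pid=1600 auid=4294967295 uid=33 gid=33 euid=33 comm="php-fpm8.2" exe="/usr/sbin/php-fpm8.2" key="exec"
type=SYSCALL msg=audit(1778313602.500:1006): arch=c000003e syscall=59 success=yes exit=0 ppid=1600 pid=1601 auid=4294967295 uid=33 gid=33 euid=0 comm="passwd" exe="/usr/bin/passwd" key="exec"
"""


@dataclass
class Alert:
    event: str        # the msg=audit(...) identifier
    pid: str
    exe: str
    parent_comm: str
    auid: str
    reason: str


def parse_record(line: str) -> dict:
    """Split an auditd record into key=value fields, dropping quotes around values."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def detect_anomalous_privileged_exec(log_text: str) -> list:
    """Alert on watched setuid binaries whose parent (resolved from earlier execve records) is unexpected."""
    comm_by_pid = {}
    alerts = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or rec.get("syscall") not in EXECVE_SYSCALLS:
            continue
        comm_by_pid[rec.get("pid")] = rec.get("comm", "?")  # ancestry table built from the log itself
        exe = rec.get("exe")
        if exe not in WATCHED_EXES:
            continue
        parent = comm_by_pid.get(rec.get("ppid"), "unknown")  # unknown parents are treated as suspicious
        if parent not in EXPECTED_PARENTS:
            alerts.append(Alert(rec.get("msg", "?"), rec.get("pid", "?"), exe, parent, rec.get("auid", "?"),
                                f"{exe} executed by non-interactive parent '{parent}'"))
    return alerts


if __name__ == "__main__":
    for a in detect_anomalous_privileged_exec(SAMPLE_AUDIT_LOG):
        print(f"{a.event} pid={a.pid} auid={a.auid}: {a.reason}")
```

On the sample, su spawned from bash is not reported, while su spawned from python3 and passwd spawned from a php-fpm worker are. A real deployment would seed the pid table from a process snapshot at start-up so that parents which executed before the log window began are not all classed as unknown, and would pair this rule with the AF_ALG socket-creation alerting the entry mentions for Copy Fail.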

Mitigation hierarchy when patches are not yet deployable: kernel patches first (Ubuntu 6.1.98-1ubuntu1, RHEL kernel-5.14.0-503.14.1, Debian 12 pending at week-end; upstream 6.18.22 / 6.19.12 / 7.0 for Copy Fail); blacklist algif_aead via modprobe.d and update-initramfs -u; modprobe -r esp4 esp6 rxrpc for Dirty Frag (breaks IPsec VPNs and AFS); seccomp profiles blocking AF_ALG socket creation for containerised workloads; disable unprivileged user namespaces (sysctl kernel.unprivileged_userns_clone=0 on Ubuntu / Debian, user.max_user_namespaces=0 on RHEL) to remove CAP_NET_ADMIN as a default acquisition path for Dirty Frag.
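The host-level controls named in this mitigation hierarchy and in the 2026-05-09 Dirty Frag entry (unload or blacklist algif_aead / esp4 / esp6 / rxrpc; disable unprivileged user namespaces so CAP_NET_ADMIN is not a default acquisition path) can be verified from three inputs: /proc/modules, the modprobe.d configuration, and two sysctl knobs. The following posture check is an added example, not ctipilot's or any distribution's tooling. Its check functions take file contents as strings so they can be exercised on constructed input; main() reads the live host. The sysctl names are the ones the entry gives (kernel.unprivileged_userns_clone on Ubuntu/Debian kernels, user.max_user_namespaces on RHEL); the finding texts are ours.

```python
"""Host posture check for the Copy Fail / Dirty Frag mitigation hierarchy (added example)."""
import os
import re

# Kernel module -> the LPE family whose write primitive it hosts (as stated in the entries).
WATCHED_MODULES = {
    "algif_aead": "Copy Fail (CVE-2026-31431)",
    "esp4": "Dirty Frag (CVE-2026-43284, xfrm-ESP)",
    "esp6": "Dirty Frag (CVE-2026-43284, xfrm-ESP)",
    "rxrpc": "Dirty Frag (CVE-2026-43500, RxRPC)",
}

# Either 'blacklist <mod>' or 'install <mod> /bin/false' in modprobe.d prevents loading.
BLACKLIST_RE = re.compile(r"^\s*(?:blacklist\s+(\S+)|install\s+(\S+)\s+/bin/(?:false|true))", re.M)

SYSCTL_PATHS = {
    "kernel.unprivileged_userns_clone": "/proc/sys/kernel/unprivileged_userns_clone",  # Ubuntu/Debian
    "user.max_user_namespaces": "/proc/sys/user/max_user_namespaces",                   # RHEL and others
}

# Constructed inputs used by the tests: an exposed host and a hardened modprobe.d fragment.
EXPOSED_MODULES = """\
algif_aead 20480 0 - Live 0x0000000000000000
esp4 24576 0 - Live 0x0000000000000000
ext4 1048576 1 - Live 0x0000000000000000
"""
HARDENED_MODPROBE = """\
# constructed /etc/modprobe.d/lpe-hardening.conf
blacklist algif_aead
install algif_aead /bin/false
blacklist esp4
blacklist esp6
install rxrpc /bin/false
"""


def loaded_modules(proc_modules_text: str) -> set:
    """Module names from /proc/modules (first column of each line)."""
    return {line.split()[0] for line in proc_modules_text.splitlines() if line.strip()}


def blacklisted_modules(modprobe_conf_text: str) -> set:
    return {a or b for a, b in BLACKLIST_RE.findall(modprobe_conf_text)}


def userns_restricted(sysctl: dict) -> bool:
    """True if either knob disables unprivileged user namespaces."""
    return (sysctl.get("kernel.unprivileged_userns_clone") == "0"
            or sysctl.get("user.max_user_namespaces") == "0")


def assess(proc_modules_text: str, modprobe_conf_text: str, sysctl: dict) -> list:
    """Return human-readable findings; an empty list means all checked controls are in place."""
    findings = []
    loaded = loaded_modules(proc_modules_text)
    blocked = blacklisted_modules(modprobe_conf_text)
    for mod, family in WATCHED_MODULES.items():
        if mod in loaded:
            findings.append(f"{mod} is loaded: host exposed to {family} until the kernel is patched")
        elif mod not in blocked:
            findings.append(f"{mod} not loaded but not blacklisted: can still be loaded on demand ({family})")
    if not userns_restricted(sysctl):
        findings.append("unprivileged user namespaces enabled: CAP_NET_ADMIN reachable by "
                        "unprivileged users (Dirty Frag precondition)")
    return findings


def _read(path: str):
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return None


def live_inputs():
    """Collect the three inputs from the running host."""
    conf = ""
    if os.path.isdir("/etc/modprobe.d"):
        for name in sorted(os.listdir("/etc/modprobe.d")):
            if name.endswith(".conf"):
                conf += (_read(os.path.join("/etc/modprobe.d", name)) or "") + "\n"
    sysctl = {key: _read(path) for key, path in SYSCTL_PATHS.items()}
    return _read("/proc/modules") or "", conf, sysctl


if __name__ == "__main__":
    for finding in assess(*live_inputs()) or ["no findings for the checked controls"]:
        print("-", finding)
```

A module that is blacklisted but still loaded is reported as loaded, which is the right answer until `modprobe -r` has run and, for algif_aead, `update-initramfs -u` has regenerated the early boot image; the check reads state, not intent. It does not replace the kernel update at the top of the hierarchy, and it does not cover the seccomp AF_ALG rule, which is a per-workload policy rather than host state.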

(migrated from ctipilot v2 brief)

vulnerabilities actively-exploited cisa-kev lpe poc-public global CVE-2026-31431 CVE-2026-43284 CVE-2026-43500