ctipilot.ch

DHS HSIN information-sharing network breach (SharePoint collaboration system)

incident · incident:dhs-hsin-breach-2026

Coverage timeline: 1 (first 2026-07-02 → last 2026-07-02)
Briefs: 1 (1 distinct)
Sources cited: 40 (21 hosts)
Sections touched: 1 (active_threats)
Co-occurring entities: 8

Story timeline

  1. 2026-07-02 · CTI Daily Brief — 2026-07-02 · active_threats · First coverage: DHS confirms HSIN intrusion late May–early June 2026; no vector/CVE/attribution disclosed

Where this entity is cited

  • active_threats (1)

Source distribution

  • attack.mitre.org: 14 (35%)
  • thehackernews.com: 3 (8%)
  • bleepingcomputer.com: 2 (5%)
  • helpnetsecurity.com: 2 (5%)
  • msrc.microsoft.com: 2 (5%)
  • cyberscoop.com: 2 (5%)
  • cisa.gov: 1 (2%)
  • cloud.google.com: 1 (2%)
  • other: 13 (32%)

Items in briefs about DHS HSIN information-sharing network breach (SharePoint collaboration system) (3)

DHS confirms a breach of the Homeland Security Information Network (HSIN)

From CTI Daily Brief — 2026-07-02 · published 2026-07-02

DHS confirmed a cyber incident affecting the Homeland Security Information Network, a platform federal, state, local, international and private-sector partners use to exchange sensitive-but-unclassified information and coordinate incident response. Nextgov/FCW first reported, citing two people familiar with the matter, that an unknown actor accessed HSIN servers and a SharePoint collaboration system, with the intrusion believed to have occurred between late May and early June 2026 (Nextgov/FCW, 2026-06-30). DHS told BleepingComputer it "immediately took action to isolate the affected systems, mitigate the vulnerability, and launch a comprehensive forensic investigation," stated there is "no indication that classified networks were impacted," and said the system remains operational (BleepingComputer, 2026-07-01). No initial-access vector, CVE or attribution has been disclosed, and whether documents were exfiltrated remains undetermined. HSIN previously suffered a 2023 access-misconfiguration incident that exposed US-person PII.

Why it matters to us: no vulnerable component was named, so there is no patch action — but both this event and HSIN's 2023 incident trace to information-sharing / collaboration-platform trust boundaries (SharePoint, cross-org portals) rather than perimeter exploitation. Public-sector SOCs should review who holds standing access to their own cross-agency information-sharing portals and whether access reviews and anomalous-download alerting cover them.

CVE-2026-45659 — Microsoft SharePoint Server: authenticated deserialization RCE, now KEV-listed

From CTI Daily Brief — 2026-07-02 · published 2026-07-02

CISA added CVE-2026-45659 to its Known Exploited Vulnerabilities catalog on 2026-07-01 (CISA KEV feed, 2026-07-01). That listing is the operationally significant signal here: it is the first public confirmation that this deserialization path is under active exploitation. The flaw (CWE-502, deserialization of untrusted data, CVSS 8.8) lets an attacker holding a minimum of Site Member permissions execute code on the SharePoint Server backend with no further user interaction (Microsoft MSRC). It affects SharePoint Server Subscription Edition, SharePoint Server 2019 and SharePoint Enterprise Server 2016. Microsoft shipped the fix on 2026-05-21 (Microsoft MSRC); the CVE was initially absent from the May 2026 Security Updates listing and was published afterwards, per Help Net Security's coverage (Help Net Security, 2026-05-26). Notably, Microsoft's own advisory still rates the CVE "Exploitation Less Likely", a contradiction defenders should resolve in favour of the exploitation evidence.

On-prem operators who deferred the May update because of that low rating should apply it now. Hunt SharePoint/IIS logs for anomalous POST bodies to the SharePoint object-model / API endpoints from low-privileged Site Member sessions, followed by unexpected w3wp.exe child-process spawns (T1190, with the T1505.003-style web-shell follow-on typical of prior SharePoint deserialization waves).
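A constructed illustration of that hunt, added here and not taken from the brief, Microsoft or CISA: it parses IIS W3C log lines, keeps authenticated POSTs to assumed representative SharePoint API paths (/_vti_bin/, /_api/, /_layouts/15/), and ties them to Sysmon-style process-creation events in which w3wp.exe spawns a shell or LOLBin within a 60-second window. The path prefixes, the window, the child-image list and every log line below are assumptions; nothing here is a published indicator for CVE-2026-45659.

```python
"""Correlate SharePoint/IIS API POSTs with w3wp.exe child-process spawns.

Added example, not code from the brief, Microsoft or CISA. Assumptions:
IIS W3C logs carrying the #Fields header shown below, Sysmon Event ID 1
style process-creation records as dicts, representative SharePoint API
path prefixes, and a 60-second correlation window.
"""
from datetime import datetime, timedelta

# Assumed representative SharePoint object-model / REST endpoint prefixes.
SP_API_PREFIXES = ("/_vti_bin/", "/_api/", "/_layouts/15/")
# Children a SharePoint worker process should not normally spawn (assumed list).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe", "rundll32.exe"}
WINDOW = timedelta(seconds=60)
TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed IIS W3C log excerpt (not real traffic).
IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip cs(User-Agent) sc-status cs-bytes
2026-07-01 09:14:02 GET /sites/hr/_layouts/15/start.aspx CORP\\alice 10.0.5.21 Mozilla/5.0 200 512
2026-07-01 09:14:40 POST /sites/hr/_vti_bin/client.svc/ProcessQuery CORP\\bob 10.0.7.8 Mozilla/5.0 200 48213
2026-07-01 09:15:05 POST /sites/hr/_api/web/lists CORP\\alice 10.0.5.21 Mozilla/5.0 200 1210
2026-07-01 11:30:11 POST /sites/hr/_vti_bin/client.svc/ProcessQuery CORP\\alice 10.0.5.21 Mozilla/5.0 200 900
"""

# Constructed Sysmon EID 1 style records (not real telemetry).
PROC_EVENTS = [
    {"UtcTime": "2026-07-01 09:14:43", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"UtcTime": "2026-07-01 09:20:00", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\conhost.exe", "CommandLine": "conhost.exe"},      # benign child
    {"UtcTime": "2026-07-01 11:30:12", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},              # not from the web server
]


def parse_iis(text):
    """Turn W3C log lines into dicts keyed by the names in the #Fields directive."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            rows.append(dict(zip(fields, line.split())))
    return rows


def is_authenticated_api_post(row):
    """Authenticated POST to an API path: the request shape the brief says to hunt."""
    return (row["cs-method"] == "POST"
            and row["cs-username"] != "-"
            and any(p in row["cs-uri-stem"] for p in SP_API_PREFIXES))


def correlate(iis_text, proc_events, window=WINDOW):
    """Return one alert per suspicious w3wp.exe child, with the API POSTs that preceded it.

    A w3wp.exe -> cmd.exe spawn alerts even with no matching POST, so a request to an
    endpoint outside SP_API_PREFIXES still surfaces; the POST list only adds context.
    """
    posts = [(datetime.strptime(f"{r['date']} {r['time']}", TS_FMT), r)
             for r in parse_iis(iis_text) if is_authenticated_api_post(r)]
    alerts = []
    for ev in proc_events:
        if not ev["ParentImage"].lower().endswith("\\w3wp.exe"):
            continue
        child = ev["Image"].rsplit("\\", 1)[-1].lower()
        if child not in SUSPICIOUS_CHILDREN:
            continue
        spawn = datetime.strptime(ev["UtcTime"], TS_FMT)
        preceding = [r for ts, r in posts if spawn - window <= ts <= spawn]
        alerts.append({"spawn_time": ev["UtcTime"], "child": child,
                       "command": ev["CommandLine"], "preceding_api_posts": preceding})
    return alerts


if __name__ == "__main__":
    for a in correlate(IIS_LOG, PROC_EVENTS):
        print(f"{a['spawn_time']} w3wp.exe -> {a['child']} ({a['command']})")
        for r in a["preceding_api_posts"]:
            print(f"   {r['time']} {r['cs-username']} POST {r['cs-uri-stem']} body={r['cs-bytes']}B")
```

On the constructed data only the 09:14:43 cmd.exe spawn fires, and the 48 KB POST to client.svc/ProcessQuery three seconds earlier is attached as context. IIS logs carry the account name but not its SharePoint permission level, so the "low-privileged Site Member" half of the hunt needs a join against site permissions that this example does not perform.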

GTIG: UNC6671 "BlackFile" vishing → AiTM → rogue-MFA → programmatic SharePoint exfiltration of 1M+ files per victim; DLS shutdown signals probable rebrand [SINGLE-SOURCE]

From CTI Daily Brief — 2026-05-16 · published 2026-05-16

Google Threat Intelligence Group published on 2026-05-15 an analysis of UNC6671 — a financially-motivated extortion cluster operating under the "BlackFile" brand since February 2026 — documenting a real-time vishing + adversary-in-the-middle chain that bypasses traditional MFA and pivots to mass SharePoint exfiltration (Google Threat Intelligence Group, 2026-05-15). The chain starts with a phone call placed to a victim's personal mobile number in which an operator impersonates internal IT helpdesk and directs the target to an attacker-registered lookalike single sign-on portal (Tucows-registered hostnames in the <org>.enrollms[.]com and <org>.passkeyms[.]com namespaces); the operator captures credentials and TOTP / push approvals live and immediately registers a new attacker-controlled MFA device for persistent post-vishing access, mapping to T1556 Modify Authentication Process. Post-compromise, BlackFile uses Python requests and PowerShell scripts against the Microsoft Graph API and direct SharePoint file-stream URLs to exfiltrate, with single-victim file counts exceeding one million; the API requests surface Microsoft Office's ClientAppId (d3590ed6-52b3-4102-aeff-aad2292ab01c) in the M365 audit log AppAccessContext field — the same value legitimate Office clients carry — to blend in with normal Office activity. The detection break is the underlying user-agent: legitimate Office clients do not present python-requests/2.28.1 or WindowsPowerShell/5.1 as the user-agent header against Graph or SharePoint endpoints. GTIG also notes that the FileAccessed audit event distinguishes the bulk-API extraction pattern from interactive FileDownloaded events. Geographic focus is North America, Australia, and the UK — but the playbook is language-agnostic; any European helpdesk-fronted M365 / Okta environment is one successful call away from the same outcome. 
The BlackFile data-leak site went offline in late April 2026 and relaunched on 2026-05-11 with a shutdown announcement, which GTIG assesses as probable rebrand rather than cessation. GTIG explicitly distinguishes UNC6671 from ShinyHunters (UNC6240). Additional MITRE ATT&CK mappings: T1566.004 Spearphishing Voice, T1557 Adversary-in-the-Middle, T1528 Steal Application Access Token. Detection priorities: alert on Okta system.multifactor.factor.setup events not preceded by a user-initiated session; flag M365 audit FileAccessed events with AppAccessContext.ClientAppId == d3590ed6-52b3-4102-aeff-aad2292ab01c AND a user-agent containing python-requests or PowerShell; require a compliant device through Conditional Access for Graph API access from administrative accounts; and move helpdesk-privileged accounts to FIDO2 phishing-resistant MFA.
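The two log-based checks from those detection priorities, as an added example that is not GTIG's or the brief's code. It runs over constructed Microsoft 365 Unified Audit Log records and Okta System Log events embedded below; the field names follow those schemas (Operation, UserId, UserAgent, AppAccessContext.ClientAppId; eventType, actor.alternateId, published), the ClientAppId and user-agent strings are the ones GTIG cites, the Okta factor-setup event name is the one given in the brief, and the 30-minute lookback and all sample records are assumptions.

```python
"""Detections for the BlackFile post-vishing SharePoint exfiltration pattern.

Added example, not GTIG's or the brief's code. Field names follow the M365
Unified Audit Log SharePoint schema and the Okta System Log; the sample
records and the 30-minute lookback are constructed assumptions.
"""
from collections import Counter
from datetime import datetime, timedelta

OFFICE_CLIENT_APP_ID = "d3590ed6-52b3-4102-aeff-aad2292ab01c"   # Office ClientAppId cited by GTIG
SCRIPT_UA_MARKERS = ("python-requests", "powershell")          # tooling UAs cited by GTIG
FACTOR_SETUP_EVENT = "system.multifactor.factor.setup"         # Okta event name as given in the brief
SESSION_START_EVENT = "user.session.start"                     # Okta user-initiated login event
LOOKBACK = timedelta(minutes=30)                               # assumed window


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


# Constructed M365 Unified Audit Log records (not real data).
M365_RECORDS = [
    {"CreationTime": "2026-05-14T09:10:00Z", "Operation": "FileAccessed", "UserId": "alice@example.org",
     "UserAgent": "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Word 16.0.17029; Pro)",
     "AppAccessContext": {"ClientAppId": OFFICE_CLIENT_APP_ID},
     "ObjectId": "https://example.sharepoint.com/sites/hr/q2-review.docx"},          # real Office client
    {"CreationTime": "2026-05-14T10:41:00Z", "Operation": "FileAccessed", "UserId": "bob@example.org",
     "UserAgent": "python-requests/2.28.1", "AppAccessContext": {"ClientAppId": OFFICE_CLIENT_APP_ID},
     "ObjectId": "https://example.sharepoint.com/sites/hr/payroll-2026.xlsx"},
    {"CreationTime": "2026-05-14T10:41:01Z", "Operation": "FileAccessed", "UserId": "bob@example.org",
     "UserAgent": "python-requests/2.28.1", "AppAccessContext": {"ClientAppId": OFFICE_CLIENT_APP_ID},
     "ObjectId": "https://example.sharepoint.com/sites/hr/contracts.pdf"},
    {"CreationTime": "2026-05-14T10:41:02Z", "Operation": "FileAccessed", "UserId": "bob@example.org",
     "UserAgent": "WindowsPowerShell/5.1.19041.3803", "AppAccessContext": {"ClientAppId": OFFICE_CLIENT_APP_ID},
     "ObjectId": "https://example.sharepoint.com/sites/hr/board-minutes.docx"},
    {"CreationTime": "2026-05-14T10:41:03Z", "Operation": "FileDownloaded", "UserId": "bob@example.org",
     "UserAgent": "python-requests/2.28.1", "AppAccessContext": {"ClientAppId": OFFICE_CLIENT_APP_ID},
     "ObjectId": "https://example.sharepoint.com/sites/hr/org-chart.pptx"},          # interactive-style op
    {"CreationTime": "2026-05-14T11:05:00Z", "Operation": "FileAccessed", "UserId": "carol@example.org",
     "UserAgent": "python-requests/2.28.1",
     "AppAccessContext": {"ClientAppId": "11111111-2222-3333-4444-555555555555"},    # assumed registered automation app
     "ObjectId": "https://example.sharepoint.com/sites/it/inventory.csv"},
]

# Constructed Okta System Log events (not real data).
OKTA_EVENTS = [
    {"published": "2026-05-14T08:55:00Z", "eventType": SESSION_START_EVENT, "actor": {"alternateId": "alice@example.org"}},
    {"published": "2026-05-14T09:02:00Z", "eventType": FACTOR_SETUP_EVENT, "actor": {"alternateId": "alice@example.org"}},
    {"published": "2026-05-14T10:33:00Z", "eventType": FACTOR_SETUP_EVENT, "actor": {"alternateId": "bob@example.org"}},
]


def script_driven_office_access(records):
    """FileAccessed rows where a scripting user-agent sits behind the Office ClientAppId.

    The ClientAppId alone is useless as a signal (real Office carries it); the AND
    with the user-agent is the discriminator. Returns (rows, per-user counts).
    """
    hits = []
    for r in records:
        if r.get("Operation") != "FileAccessed":
            continue  # bulk API extraction logs FileAccessed, interactive downloads FileDownloaded
        app_id = (r.get("AppAccessContext") or {}).get("ClientAppId", "")
        if app_id.lower() != OFFICE_CLIENT_APP_ID:
            continue
        ua = r.get("UserAgent", "").lower()
        if any(m in ua for m in SCRIPT_UA_MARKERS):
            hits.append(r)
    return hits, Counter(h["UserId"] for h in hits)


def unseeded_factor_setups(events, lookback=LOOKBACK):
    """Factor-setup events with no user.session.start for the same actor inside the lookback."""
    starts = {}
    for e in events:
        if e["eventType"] == SESSION_START_EVENT:
            starts.setdefault(e["actor"]["alternateId"], []).append(_ts(e["published"]))
    alerts = []
    for e in events:
        if e["eventType"] != FACTOR_SETUP_EVENT:
            continue
        who, when = e["actor"]["alternateId"], _ts(e["published"])
        if not any(when - lookback <= t <= when for t in starts.get(who, [])):
            alerts.append(e)
    return alerts


if __name__ == "__main__":
    rows, per_user = script_driven_office_access(M365_RECORDS)
    for user, n in per_user.items():
        print(f"M365: {user} pulled {n} files via a scripted client behind the Office ClientAppId")
    for e in unseeded_factor_setups(OKTA_EVENTS):
        print(f"Okta: {e['actor']['alternateId']} enrolled a factor at {e['published']} with no prior session start")
```

On the sample data bob's three FileAccessed rows fire and his FileDownloaded row does not, matching GTIG's note that bulk API extraction shows up as FileAccessed; the per-user counter is the aggregate that, at scale, turns into the million-file figures in the report. carol's row carries a different ClientAppId and is intentionally not flagged by this rule; scripted user-agents under app IDs you did not register are a separate review item. The Okta check is deliberately narrow: it only catches a factor enrolment with no session start at all inside the window, which is the low-noise floor, not a full AiTM detector.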