ctipilot.ch

UK Visa Portal lookalike (ukvisaportal.com) — 100K passport scans/selfies exposed via misconfigured S3 bucket

incident · item:uk-visa-portal-s3-100k-passport-selfies-exposure

  • Coverage timeline: 1 (first 2026-05-29 → last 2026-05-29)
  • Briefs: 1 (1 distinct)
  • Sources cited: 125 (58 hosts)
  • Sections touched: 1 (active_threats)
  • Co-occurring entities: 8

Story timeline

  1. 2026-05-29 · CTI Daily Brief — 2026-05-29
    active_threats · First coverage. UAE-registered Active Leadgen LLC operates GOV.UK lookalike; S3 bucket with directory listing exposed ~100K passport scans + selfies with EXIF GPS. Secured overnight after TechCrunch publication; no ICO notification in-window.

Where this entity is cited

  • active_threats: 1

Source distribution

  • attack.mitre.org: 18 (14%)
  • wid.cert-bund.de: 11 (9%)
  • github.com: 8 (6%)
  • thehackernews.com: 6 (5%)
  • security-hub.ncsc.admin.ch: 6 (5%)
  • securityweek.com: 5 (4%)
  • bleepingcomputer.com: 5 (4%)
  • theregister.com: 4 (3%)
  • other: 62 (50%)

Items in briefs about UK Visa Portal lookalike (ukvisaportal.com) — 100K passport scans/selfies exposed via misconfigured S3 bucket (9)

TechCrunch finds 100 K passport scans and selfies on a public-read S3 bucket behind a UK Visa Portal lookalike

From CTI Daily Brief — 2026-05-29 · published 2026-05-29

TechCrunch reported on 2026-05-27 that ukvisaportal.com, a third-party site marketed as an immigration portal but not affiliated with the UK Government, exposed roughly 100,000 documents via a misconfigured Amazon S3 bucket. The bucket was not publicly listed, but a backend bug exposed directory listing, enabling enumeration of every object; individual files were readable to anyone with the URL. Exposed material included full passport pages (passport number, nationality, DOB, place of birth, issue / expiry dates), accompanying address documents and selfie photographs whose EXIF GPS metadata could pinpoint the applicant's home address. The operator — UAE-registered Active Leadgen LLC — marketed under brand names including "UK Visit" and "ETA-Pass" and impersonated the official GOV.UK service; some applicants told TechCrunch they paid fees believing it was the genuine government portal. TechCrunch and TechRadar report the bucket was secured overnight after publication; no ICO breach notification has surfaced in-window.

Defender takeaway: the lookalike-government-service pattern matters operationally even outside immigration. Where the public-sector security team is responsible for citizen-facing brand integrity (federal / cantonal IT, KAPO digital-services teams), the relevant action is to scan for lookalike domains and S3 / blob buckets carrying passport / ID-document keys — Trufflehog-style scanning of cloud-storage namespaces for passport, national-id, eta filename patterns. EU residents who used the service trigger UK GDPR Art. 33 notification on the operator's side.
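As an added example for the scanning action above (not code from TechCrunch, the operator or TruffleHog), the functions below walk an S3 ListObjectsV2 listing page by page, so every object is enumerated the way an exposed directory listing allows, and flag keys whose names match the passport / national-id / eta patterns plus selfie and address documents. The XML pages, bucket and key names are constructed.

```python
"""Triage an exposed S3 directory listing for identity-document object keys.
Added example, not TechCrunch's or the operator's code; XML pages are constructed."""
import re
import xml.etree.ElementTree as ET

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"

# Starting set of filename patterns from the takeaway; extend per estate.
ID_PATTERNS = {
    "passport": re.compile(r"passport", re.I),
    "national-id": re.compile(r"national[-_]?id|id[-_]?card", re.I),
    "eta": re.compile(r"(^|[/_-])eta([/_-]|\.)", re.I),
    "selfie": re.compile(r"selfie", re.I),
    "address": re.compile(r"address", re.I),
}

# Constructed listing pages keyed by continuation token (None = first page).
SAMPLE_PAGES = {
    None: """<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <IsTruncated>true</IsTruncated><NextContinuationToken>tok-2</NextContinuationToken>
  <Contents><Key>applicants/0001/passport_scan.jpg</Key></Contents>
  <Contents><Key>applicants/0001/selfie.jpg</Key></Contents>
  <Contents><Key>static/css/site.css</Key></Contents>
</ListBucketResult>""",
    "tok-2": """<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <IsTruncated>false</IsTruncated>
  <Contents><Key>applicants/0002/ETA-application.pdf</Key></Contents>
  <Contents><Key>applicants/0002/national-id-front.png</Key></Contents>
  <Contents><Key>applicants/0002/proof_of_address.pdf</Key></Contents>
</ListBucketResult>""",
}

def parse_listing(xml_text):
    """Return (keys, next_token) for one ListObjectsV2 response page."""
    root = ET.fromstring(xml_text)
    keys = [c.findtext(S3_NS + "Key") for c in root.iter(S3_NS + "Contents")]
    truncated = (root.findtext(S3_NS + "IsTruncated") or "false").lower() == "true"
    return keys, (root.findtext(S3_NS + "NextContinuationToken") if truncated else None)

def classify_keys(keys):
    """Map each document category to the keys matching its pattern."""
    return {n: [k for k in keys if p.search(k)] for n, p in ID_PATTERNS.items()}

def triage_bucket(fetch_page):
    """Walk every listing page via fetch_page(token) and summarise the exposure."""
    keys, token, done = [], None, False
    while not done:
        page_keys, token = parse_listing(fetch_page(token))
        keys.extend(page_keys)
        done = token is None
    hits = classify_keys(keys)
    flagged = {k for ks in hits.values() for k in ks}
    return {"total": len(keys), "flagged": len(flagged),
            "by_category": {n: len(ks) for n, ks in hits.items()}}
```

Against a live bucket, `fetch_page` would issue the ListObjectsV2 request with the continuation token and return the response body; here `SAMPLE_PAGES.__getitem__` plays that role.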

UPDATE: CVE-2026-0300 PAN-OS Captive Portal — revised fix-release timelines for 10.2.13-h21 and 10.2.16-h7; wave-2 target remains 2026-05-28

From CTI Daily Brief — 2026-05-18 · published 2026-05-18

UPDATE (originally covered 2026-05-07 deep dive): The Palo Alto Networks PSIRT advisory for CVE-2026-0300 was revised on 2026-05-16 to update the per-build fix-release schedule: PAN-OS 10.2.13-h21 was retimed on 2026-05-16, 10.2.16-h7 on 2026-05-14. Both are commonly deployed LTS branches in large enterprise and government estates; PA-Series and VM-Series devices on those two specific builds remain mitigation-only.

The wave-2 patch target for the remaining outstanding builds remains 2026-05-28. No new exploitation evidence accompanied the revision; the actively-exploited posture (unauthenticated heap overflow in the User-ID Authentication Portal / Captive Portal service, CVSS 9.3, pre-auth root RCE) reported in prior briefs continues. Defender action: verify each PA / VM appliance's installed PAN-OS build against the advisory's per-version patch matrix; if the installed build is 10.2.13-h21 or 10.2.16-h7, confirm the Captive Portal / User-ID Authentication Portal mitigation (disable the feature if unused, or apply the published Threat Prevention rule) remains active until the wave-2 fix lands.

GemStuffer — RubyGems weaponised as a one-way exfiltration channel scraping UK local-authority ModernGov portals; new abuse pattern targets the asymmetric monitoring gap between package pull and push

From CTI Daily Brief — 2026-05-14 · published 2026-05-14

Socket's Threat Research Team disclosed on 2026-05-13 a campaign it dubs GemStuffer, in which 155+ malicious Ruby packages were published to the public RubyGems registry — not as a malware-delivery vehicle but as a covert one-way data-exfiltration channel (Socket, 2026-05-13; The Hacker News, 2026-05-13). The technique is new enough to warrant a defender's attention regardless of jurisdiction: a public package registry's push API has hitherto been monitored for malware distribution, not for outbound data leakage. Socket notes RubyGems temporarily disabled new account registration in connection with the broader account-abuse pattern that GemStuffer is part of.

Attack-chain steps as reported by Socket: (1) reconnaissance of the execution environment to confirm gem CLI presence and writeable temp space; (2) HTTP scraping of UK local-government democratic-services portals running ModernGov — Lambeth, Wandsworth and Southwark councils — using Ruby's stdlib Net::HTTP with SSL verification suppressed; (3) packaging of scraped HTML responses (committee calendars, agenda items, officer contact data, linked PDFs) into syntactically valid .gem archives with the captured data placed in lib/result.txt or in README fields; (4) credential injection — three OAuth-format RubyGems API keys hard-coded as plaintext in the payloads, with ENV['HOME'] overridden to an attacker-controlled /tmp/gemhome/ directory containing fabricated .gem/credentials files (permissions 0600) so the CLI's credential lookup resolves to attacker values without touching the operator's real home directory; (5) exfiltration via gem push to the RubyGems API.

The scraped data is itself public (council democratic-services portals are by design public), so the operational significance is not the confidentiality of the data but the channel pattern. Socket flagged the possibility that "council portal access as a pivot to demonstrate capability against government infrastructure" is the actual objective. The defender-critical generalisation: most CI/CD pipeline monitoring instruments npm install / bundle install / pip install inbound; few instrument outbound npm publish / gem push / pip upload from non-publisher contexts. Analyst-derived ATT&CK mapping for the chain (not cited in Socket's write-up): T1583.001 Domains (registry abuse), T1027 Obfuscated Files (data embedded inside .gem structure), T1567.004 Exfiltration to Web Service, T1552.001 Credentials In Files (hard-coded API keys).

Detection priorities for any organisation with Ruby tool-chains in its development surface: (a) audit gem push and bundle exec gem push invocations from CI runners and developer workstations that do not have a publish role assigned; (b) flag new RubyGems publisher accounts with high version churn (>10 versions/day on a freshly created package); (c) inspect outbound HTTPS POST traffic from build agents to rubygems.org (POST = publish, GET = read); (d) extend the same lens to npm publish and pip upload. The asymmetric-monitoring-gap pattern generalises trivially across registries; the GemStuffer write-up is the lever for security teams to fund that monitoring asymmetry now rather than after a CH/EU-equivalent variant lands. RubyGems' temporary signup suspension is signal that the registry operator already considers this a structural rather than a single-actor problem.
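As an added example (not Socket's code) applying detection priorities (a) to (c) above to constructed egress-proxy log lines and publish events: a publish call is told apart from a read by method and path per registry, a publish from a host without a publish role is an alert, and a publisher pushing more than ten versions of one package in a day is flagged for churn. The log format, hostnames and publish-role inventory are assumptions.

```python
"""Detect outbound package-publish traffic from hosts without a publish role.
Added example for GemStuffer detection priorities (a)-(c), not Socket's code;
log format, hostnames and the publish-role inventory are assumptions."""
import re
from collections import Counter

# Publish endpoints per registry: the write call, not the read/install path.
PUBLISH_CALLS = {
    "rubygems.org": ("POST", re.compile(r"^/api/v1/gems/?$")),      # gem push
    "registry.npmjs.org": ("PUT", re.compile(r"^/[^/]+/?$")),       # npm publish
    "upload.pypi.org": ("POST", re.compile(r"^/legacy/?$")),        # twine upload
}
# Hosts holding a publish role, per registry (assumption: from the CI inventory).
PUBLISH_ROLES = {"rubygems.org": {"release-runner-01"}}

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) method=(?P<method>[A-Z]+) "
                     r"host=(?P<host>\S+) path=(?P<path>\S+) status=(?P<status>\d+)$")

# Constructed egress-proxy log lines from build agents and developer workstations.
SAMPLE_LOG = """\
2026-05-13T09:58:02Z src=build-agent-07 method=GET host=rubygems.org path=/api/v1/dependencies status=200
2026-05-13T10:01:44Z src=release-runner-01 method=POST host=rubygems.org path=/api/v1/gems status=201
2026-05-13T10:02:11Z src=build-agent-07 method=POST host=rubygems.org path=/api/v1/gems status=201
2026-05-13T10:05:30Z src=dev-ws-12 method=PUT host=registry.npmjs.org path=/some-internal-tool status=201
2026-05-13T10:06:02Z src=dev-ws-12 method=GET host=registry.npmjs.org path=/some-public-pkg status=200
""".splitlines()

def parse_line(line):
    """Parse one proxy line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def is_publish(event):
    """True if the request is the registry's publish call rather than a read."""
    call = PUBLISH_CALLS.get(event["host"])
    return bool(call) and event["method"] == call[0] and bool(call[1].match(event["path"]))

def unauthorised_publishes(lines):
    """Priorities (a)/(c): publish calls from hosts that hold no publish role."""
    alerts = []
    for ev in filter(None, map(parse_line, lines)):
        if is_publish(ev) and ev["src"] not in PUBLISH_ROLES.get(ev["host"], set()):
            alerts.append((ev["ts"], ev["src"], ev["host"]))
    return alerts

def version_churn(events, threshold=10):
    """Priority (b): (publisher, package, day) triples pushing more than threshold versions."""
    per_day = Counter((pub, pkg, ts[:10]) for pub, pkg, ts in events)
    return sorted(key for key, n in per_day.items() if n > threshold)

# Constructed publish events as (publisher, package, timestamp): one fresh account with 12 versions.
SAMPLE_PUBLISHES = [("new-acct-01", "stuffed-pkg", f"2026-05-13T10:{m:02d}:00Z") for m in range(12)]
SAMPLE_PUBLISHES += [("legit-maint", "good-gem", f"2026-05-13T1{h}:00:00Z") for h in range(2)]
```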

UPDATE: CVE-2026-0300 PAN-OS Captive Portal — patch wave 2 delayed to 2026-05-28 for eight high-traffic build streams; mitigation remains the only option on those builds [SINGLE-SOURCE]

From CTI Daily Brief — 2026-05-14 · published 2026-05-14

UPDATE (originally covered 2026-05-07 deep dive, last updated 2026-05-13): Palo Alto Networks PSIRT updated its CVE-2026-0300 advisory on 2026-05-13 to reflect first-wave patch availability and also to disclose a second patch wave with an ETA of 2026-05-28 for eight commonly-deployed build streams: PAN-OS 12.1.7, 11.2.4-h17, 11.2.12, 11.1.7-h6, 11.1.15, 10.2.7-h34, 10.2.13-h21 and 10.2.16-h7 (Palo Alto Networks PSIRT, updated 2026-05-13). Operators running any of those builds cannot patch yet; the interim mitigation — restrict User-ID Authentication Portal to trusted zones, or disable Captive Portal if unused — is the only option until 28 May. CL-STA-1132 in-the-wild exploitation continues; the cluster's tradecraft (EarthWorm / ReverseSocks5 tunnels, AD enumeration via firewall service account, deliberate log destruction) is unchanged from prior coverage (Unit 42 — Captive Portal Zero-Day, 2026-05-06).

The CISA KEV entry was updated on 2026-05-13 to note "Palo Alto has released a variety of patches"; the FCEB remediation deadline (2026-05-09) has already expired. Per PD-13 the KEV deadline is not the operational driver in CH/EU — the active-exploitation status, the affected-build delay, and the CL-STA-1132 attribution are. The wave-2 delay specifics are documented in the vendor PSIRT advisory and were not independently corroborated by HIGH-reliability third-party reporting in window; treat the eight-build "ETA 05/28" list as vendor-primary and verify against the live PSIRT entry before any rollout planning.

Pre-stage PAN-OS Captive Portal upgrade for the 2026-05-13 first-wave release; keep interim mitigation enforced until then

From CTI Daily Brief — 2026-05-12 · published 2026-05-12

For any PA-Series / VM-Series perimeter device on PAN-OS 12.1, 11.2, 11.1, or 10.2 that has User-ID Authentication Portal or Captive Portal enabled, prepare today for the 2026-05-13 first-wave build release per Palo Alto's PSIRT advisory for CVE-2026-0300: confirm a tested rollback path, validate the change window for tomorrow, and pre-fetch release notes the moment the fixed builds publish. Until the first-wave builds ship, keep Threat Prevention signature 510019 enforced (requires Threat Prevention licence) and restrict the captive-portal listener to trusted internal source ranges. The second wave is expected around 2026-05-28 for the remaining branches (12.1.7, 11.2.4-h17, 11.2.12, 11.1.7-h6, 11.1.15, 10.2.7-h34, 10.2.13-h21, 10.2.16-h7); plan a second deployment window then. The CISA KEV deadline has expired but the operational driver here is active ITW exploitation per Unit 42 — Captive Portal Zero-Day, not the FCEB compliance date.

CVE-2026-0300 — Palo Alto PAN-OS Captive Portal unauthenticated root RCE; CL-STA-1132 active since 2026-04-09; no patch until 2026-05-13

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

If you did nothing this week: any PA-Series or VM-Series firewall with the User-ID Authentication Portal enabled and internet-reachable has been within the attack window since 2026-04-09 — three weeks before public disclosure (2026-05-06) and four-and-a-half weeks before the first staged patch becomes available (2026-05-13). The daily 2026-05-09 UPDATE recorded an observed dwell time of approximately 20 days from initial compromise to second-device exploitation on at least one tracked victim; the relevant retrospective-log question is whether your firewall has been compromised since mid-April, not whether it might be compromised next week.

CVE-2026-0300 (CVSS 9.3, CWE-121 stack-based buffer overflow) is an unauthenticated remote code execution in the PAN-OS User-ID Authentication Portal — a network-accessible service that a single crafted packet exploits to root on the firewall's management plane (Palo Alto Networks Security Advisory, 2026-05-06 · Unit 42 primary research, 2026-05-06). CERT-EU issued a Critical Advisory (rare designation) on disclosure day (CERT-EU 2026-006, 2026-05-06); CERT-FR followed with CERTFR-2026-AVI-0537 (CERT-FR, 2026-05-06). Unit 42 tracks the active exploitation cluster as CL-STA-1132 and characterises it as likely state-sponsored activity. Unit 42's primary research records shellcode injection into nginx worker processes, EarthWorm / ReverseSocks5 tunnelling, and Python implants under /var/tmp/linuxupdate and /tmp/.c; the daily 2026-05-09 UPDATE additionally surfaces a rogue admin name pattern svc-health-check-[6-digit-numeric] (bypassing normal admin-role RBAC), running-configuration export including pre-shared keys, and OSPF-based internal AD enumeration — a profile consistent with T1190 Exploit Public-Facing Application, T1055 Process Injection, T1003 OS Credential Dumping, and T1572 Protocol Tunneling. Patch availability is staged 2026-05-13 → 2026-05-28 across PAN-OS branches 10.2.x / 11.1.x / 11.2.x / 12.1.x; Cloud NGFW and Prisma Access are not affected. Until patches land, the operational expectations are (1) disable the Authentication Portal entirely where it is not required, (2) restrict it to trusted internal IP ranges via security policy where it is, (3) PAN-OS 11.1+ users should confirm Threat ID 510019 is in blocking mode, and (4) review authentication-portal logs and admin-account listings from 2026-04-09 onward for retrospective compromise evidence (daily 2026-05-07 deep dive; daily 2026-05-09 update).

DigiCert support portal compromise — Salesforce-based support-chat social engineering yielded 60 fraudulent EV code-signing certificates

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

DigiCert confirmed on 2026-05-04 that a targeted social-engineering attack on its Salesforce-based customer-support portal in early April 2026 resulted in the fraudulent generation of 60 Extended Validation code-signing certificates. Two analyst endpoints were infected via a malicious Windows screensaver (.scr) repeatedly submitted via support chat; the second analyst's endpoint went undetected for approximately twelve days due to absent or degraded EDR coverage. The attacker used portal access to obtain certificate initialization codes and generated 60 EV certificates across multiple customer accounts; DigiCert confirmed 27 were directly attacker-linked; a community member subsequently identified 11 used to sign the Zhong Stealer malware family (Chinese e-crime, cryptocurrency-asset targeting). All 60 certificates revoked; MFA now mandatory on portal access; file upload functionality restricted (Help Net Security, 2026-05-04 · SecurityWeek, 2026-05-04 · daily 2026-05-06). Defender takeaway: software signed with DigiCert-backed EV certificates during early April through 2026-05-04 warrants validation against the revoked certificate list; the recurring root cause across this and the third-party-analytics incidents in § 2 is that support-tier and analyst-tier endpoints are frequently held to a lower EDR-coverage bar than production endpoints despite holding equivalent or higher operational privilege.

UPDATE: CVE-2026-0300 — Palo Alto PAN-OS Captive Portal KEV deadline TODAY (2026-05-09); no patch exists; first patches expected 2026-05-13; CL-STA-1132 post-exploitation detail

From CTI Daily Brief — 2026-05-09 · published 2026-05-09

UPDATE (originally covered 2026-05-07):

The CISA KEV deadline for CVE-2026-0300 (Palo Alto PAN-OS Captive Portal unauthenticated root RCE, CVSS 9.3) is today, 2026-05-09. Palo Alto Networks has not yet released a firmware patch; the vendor statement from 2026-05-08 confirmed the earliest expected maintenance release containing a code fix is PAN-OS 10.1.14 / 10.2.12 / 11.0.5 / 11.1.4, expected 2026-05-13. Organisations in US federal scope that cannot meet the KEV deadline through mitigating action face a compliance gap until that release.

Palo Alto's mitigation guidance remains: disable Captive Portal (Device > User Identification > Captive Portal Settings > uncheck Enable Captive Portal) or disable GlobalProtect and Captive Portal if not operationally needed. Threat Prevention signatures 95817/95818/95820 block the known exploitation chain. PA-Series hardware appliances running content update < 8765-9032 are not covered by the signatures.

Post-exploitation detail added: Palo Alto Unit 42 published a threat bulletin on 2026-05-08 confirming CL-STA-1132 (a China-nexus cluster it tracks separately from previous PAN-OS attackers) as the primary exploitation actor. Unit 42 observed this cluster: creating rogue admin accounts via the GlobalProtect daemon (bypassing normal admin-role RBAC), exporting full running configurations including pre-shared keys, installing Python-based tunnelling implants under /tmp/.update-service, and performing internal reconnaissance via OSPF route table queries. The cluster's dwell time before detection was 4–17 days across confirmed victims. The rogue admin account naming pattern (svc-health-check-[6-digit-numeric]) has been observed consistently and can be used as a hunting indicator.
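As an added example (not Unit 42's or Palo Alto's code) for the retrospective review called for in the weekly summary above and the svc-health-check hunting indicator in this update: the functions below parse a constructed admin-account listing, flag names matching the indicator or accounts created since 2026-04-09 that are absent from a known baseline, and list fleet devices still on a wave-2 build with the portal enabled. The listing format, baseline and fleet inventory are constructed.

```python
"""Retrospective hunt over a PAN-OS admin listing and fleet inventory for CVE-2026-0300.
Added example, not Unit 42's or Palo Alto's code; the listing format, baseline and
fleet inventory below are constructed."""
import re
from datetime import date

EXPLOITATION_START = date(2026, 4, 9)  # earliest observed in-the-wild activity
ROGUE_ADMIN_RE = re.compile(r"^svc-health-check-\d{6}$")  # CL-STA-1132 naming pattern
# Builds that stay mitigation-only until the 2026-05-28 wave-2 release.
WAVE2_BUILDS = {"12.1.7", "11.2.4-h17", "11.2.12", "11.1.7-h6", "11.1.15",
                "10.2.7-h34", "10.2.13-h21", "10.2.16-h7"}

# Constructed admin listing, one "name created=YYYY-MM-DD role=<role>" line per account.
SAMPLE_ADMINS = """\
fw-admin created=2024-02-01 role=superuser
netops-jdoe created=2025-11-20 role=deviceadmin
svc-health-check-483921 created=2026-04-21 role=superuser
backup-ro created=2026-04-30 role=superreader
""".splitlines()
BASELINE_ADMINS = {"fw-admin", "netops-jdoe"}  # accounts documented before the window
# Constructed fleet inventory: (hostname, installed PAN-OS build, portal enabled?).
SAMPLE_FLEET = [("pa-edge-1", "10.2.13-h21", True), ("pa-edge-2", "11.1.15", False),
                ("vm-dc-1", "11.2.12", True), ("pa-lab-1", "11.1.7-h7", True)]

ADMIN_RE = re.compile(r"^(?P<name>\S+) created=(?P<created>\d{4}-\d{2}-\d{2}) role=(?P<role>\S+)$")

def parse_admins(lines):
    """Parse listing lines into dicts with a real date; skip lines that do not match."""
    admins = []
    for line in lines:
        m = ADMIN_RE.match(line)
        if m:
            admins.append({"name": m["name"], "role": m["role"],
                           "created": date.fromisoformat(m["created"])})
    return admins

def hunt_rogue_admins(admins, baseline, window_start=EXPLOITATION_START):
    """Return (name, reason) for accounts matching the indicator or created in-window off-baseline."""
    findings = []
    for a in admins:
        if ROGUE_ADMIN_RE.match(a["name"]):
            findings.append((a["name"], "matches svc-health-check indicator"))
        elif a["created"] >= window_start and a["name"] not in baseline:
            findings.append((a["name"], "created in exploitation window, not in baseline"))
    return findings

def fleet_needing_mitigation(inventory):
    """Hosts on a wave-2 build with the portal enabled: no patch for them before 28 May."""
    return [host for host, build, portal_on in inventory if portal_on and build in WAVE2_BUILDS]
```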

UPDATE — CVE-2026-0300 (PAN-OS Captive Portal unauthenticated root RCE): CISA KEV deadline is **today (2026-05-09)**; no patch until 2026-05-13

From CTI Daily Brief — 2026-05-08 · published 2026-05-08

(First covered and deep-dived 2026-05-07.) The CISA KEV federal remediation deadline for CVE-2026-0300 is 2026-05-09 — today. Palo Alto Networks has not released a permanent patch for any PAN-OS branch; the earliest patch ETA is 2026-05-13. The mandated mitigation remains: disable the Captive Portal / Authentication Portal feature on internet-facing GlobalProtect gateway interfaces, or restrict access exclusively to trusted internal management IP ranges. PAN-OS 11.1+ deployments should confirm Threat Prevention profile with Threat ID 510019 is active on the internet-facing zone. Organisations that have not yet applied the mitigation should treat this as a P0 action today before business opens.