2026-05-29-c7f56b00
One pipeline fire, in full · intel run of 2026-05-29 · sub-agent allocation and telemetry, per-iteration verification verdicts and findings, source-list edits, coverage gaps, bridge invocations — and the run's own verification & coverage notes: what was published, what was dropped at the borderline or judged not relevant (and why), single-source carve-outs, and contradictions. Rendered from runs/2026-05-29/2026-05-29-c7f56b00.md.
Run telemetry
- Items returned
- 8
- Duration
- 11m 24s
- Tool calls
- 22 WebFetch9 WebSearch14 bridge
- Cited sources
- 14 of 23 in slice
- Items returned
- 6
- Duration
- 8m 55s
- Tool calls
- 18 WebFetch12 WebSearch10 bridge
- Cited sources
- 13 of 20 in slice
- Items returned
- 6
- Duration
- 9m 48s
- Tool calls
- 12 WebFetch4 WebSearch18 bridge
- Cited sources
- 13 of 26 in slice
- Items returned
- 3
- Duration
- 12m 40s
- Tool calls
- 17 WebFetch22 WebSearch6 bridge
- Cited sources
- 12 of 18 in slice
Verification
Deep dive
2026-05-29/forticlient-ems-cve-2026-35616-ekz-infostealer-kill-chain
Entries published (this run)
- Apereo CAS version 7.3.7.1 patches an OIDC-provider flaw reported by Coop Switzerland; CERT-FR issues advisory CERTFR-2026-AVI-0654 threat notable
- FortiClient EMS CVE-2026-35616 actively exploited to push EKZ Infostealer through trusted endpoint-management channel threat high
- Rapid7 publishes unpatched Gogs argument-injection RCE with a Metasploit module; maintainer non-responsive threat high
- Carnival Corporation confirms 5.99 M-record ShinyHunters breach — passport + driver's-licence numbers exposed across four cruise brands incident high
- Dutch Police + NCSC dismantle Asocks residential-proxy botnet (~17 M devices, 200 NL-hosted servers seized) threat high
- TechCrunch finds 100 K passport scans and selfies on a public-read S3 bucket behind a UK Visa Portal lookalike incident notable
- CVE-2026-4408 & CVE-2026-4480 — Samba: unauthenticated RCE in SAMR RPC and print-command subsystems (CVSS 10.0) vulnerability high
- CVE-2026-44939 (+ CVE-2026-41052, CVE-2026-41053) — SUSE Rancher: command injection on cluster import, PSA label privilege-escalation, GitHub-App over-inclusive team membership vulnerability notable
- CVE-2026-44848 & CVE-2026-44849 — Portainer CE: Docker plugin endpoints unguarded; Swarm-service security checks bypassed (CVSS 9.4) vulnerability notable
- CVE-2026-9170 — IBM HTTP Server / WebSphere Application Server: pre-auth RCE via improper input validation (CVSS 9.8) vulnerability high
- CVE-2026-4868 (+ five further CVEs) — GitLab 19.0.1 / 18.11.4 / 18.10.7 patch release: Duo AI identity impersonation, unauthenticated project enumeration vulnerability notable
- CVE-2026-32996 & CVE-2026-32997 — Veeam Backup & Replication KB4852: LPE in Windows Agent, arbitrary file write in Linux appliance vulnerability notable
- Wiz CIRT names JINX-0164 — LinkedIn-recruiter lures, AUDIOFIX macOS infostealer, MINIRAT npm pivot into CI/CD research notable
- WatchGuard documents Grandoreiro's Delphi-DLL-side-loading + WebSocket/STUN C2 against Portuguese & Spanish banks; ESET maps parallel Android BTMOB MaaS research notable
- The Gentlemen ransomware — Microsoft publishes full technical dissection of the Storm-2697 Go-encryptor threat notable
- FortiClient EMS CVE-2026-35616 + EKZ Infostealer kill chain vulnerability notable
Sources changed (this run)
Edits this run made to sources/sources.json · promotions, demotions, new candidates, and fetch-method / category / reliability / url corrections (the run record's sources_changed[]). Paginated; 10 per page.
No source-list edits recorded for this run.
Coverage gaps (this run)
Sources this run's brief needed that returned no usable content via any documented recipe. Bridge-recovered or quiet-day sources do NOT appear here. (Distinct from the independent source-accessibility probe at the foot of this section, which probes all active sources regardless of what any run needed.)
| Source (uncovered) | URL tried | Method chain | Status / class | What the agent did instead |
|---|---|---|---|---|
| databreaches-net | https://www.databreaches.net/category/breach-incidents/ | webfetch → bridge:url | 403 transport-403 bridge:url returned HTTP 403; no Wayback snapshot usable (seventh consecutive run) | Carnival breach covered via PR Newswire + The Record + The Register + Help Net Security |
| sophos-xops | https://www.sophos.com/en-us/blog/feed?id=blt6f15f4f7deaf4242 | webfetch → bridge:feed | 503 transport-5xx bridge:feed returned HTTP 503 (sixth consecutive run) | WebSearch yielded no qualifying in-window Sophos content |
| inside-it-ch | https://www.inside-it.ch/ | webfetch → bridge:url | 403 transport-403 bridge:url returned HTTP 403 even with desktop UA (fifth consecutive run) | WebSearch yielded no qualifying in-window CH-specific incidents |
Bridge invocations (this run)
16 bridge calls this run · these are successful bridge fetches (separate from "Coverage gaps" above).
- bridge:feed ×8
- bridge:ncsc-csh.recent ×1
- bridge:ncsc-csh.post ×1
- bridge:cisa-kev ×1
- bridge:bsi-rss ×1
- bridge:cert-fr.avis-recent ×1
- bridge:enisa-euvd.recent.lastvulnerabilities ×1
- bridge:url ×1
Verification findings · all iterations
Per-iteration finding detail. Each table is one verifier pass · what was flagged, how the main agent remediated it, and the outcome. Walking the tables top-to-bottom shows the verifier's debugging trail across iterations.
Iteration #1 NEEDS_FIXES · 14 findings (truth=6, editorial=4, advisory=2) · Claude Opus 4.7 · 8m 39s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F3 claim-not-supported | updates | The Gentlemen UPDATE — 320+ victim count attributed to Microsoft | Microsoft article carries no victim count; Check Point article has ~332 | Re-attributed to Check Point Research with approximately 332 framing fixed-clean |
| F3 claim-not-supported | updates | The Gentlemen UPDATE — GPO-spread pathway attributed to Microsoft GPO-spread pathway | Microsoft article doesn't mention GPO; Check Point does | Re-attributed GPO pathway to Check Point Research fixed-clean |
| F3 claim-not-supported | updates | ASR rule GUID d4f940ab not in cited Microsoft article d4f940ab-401b-4efc-aadc-ad5f3c50688a | GUID not in Microsoft article | Replaced GUID with rule name + link to MS Learn ASR rules reference fixed-clean |
| F3 claim-not-supported | active-threats | Asocks inversion — SocksEscort etc framed as migration targets vs prior-disrupte shift to SocksEscort/IPIDEA/FirstVPN | Source frames them as previously-disrupted networks Asocks joins, not migration targets | Rephrased to Asocks joins disrupted list fixed-clean |
| F4 hallucinated-fact | research | BTMOB technical claims not in ESET source WebSocket port 443 / GPS geo-filter / IT-FR overlays | ESET source lacks these claims | Trimmed BTMOB paragraph to Accessibility Service abuse + HTML overlay + keylogging + on-demand screen recording fixed-clean |
| F4 hallucinated-fact | active-threats | Carnival 2026-04-22 exfiltration-confirmed date not in sources exfiltration was confirmed by 2026-04-22 | Date not in PR Newswire / The Record / The Register / Help Net Security | Dropped the date; reworked to Maine AG breach-date framing in iter 2 fixed-clean |
| F5 missing-citation | deep-dive | X-SSL-CLIENT-VERIFY mechanism unbacked by Arctic Wolf / Fortinet PSIRT prose X-SSL-CLIENT-VERIFY | Header mechanism not in Arctic Wolf or PSIRT prose; supported by Nuclei template | Added ProjectDiscovery Nuclei template URL as inline citation at § 5 Vulnerable component fixed-clean |
| F5 missing-citation | active-threats | Carnival 5,995,277 figure not in cited news sources 5,995,277 individuals | Source is Maine AG filing per S4 YAML | Added Maine AG agviewer URL inline fixed-clean |
| F8 needs-more-research | active-threats | Carnival records vs individuals (8.7M HIBP vs 5.99M) 8.7M HIBP records | Distinction meaningful for defender exposure scope | Added reconciliation note fixed-clean |
| F9 surface-contradiction | trending-vulnerabilities | GitLab patch count 6 vs 7 GitLab release notes lists CVE-2026-2710 as a seventh CVE | Brief said six CVEs; vendor page lists seven | Added § 7 contradiction note; added CVE-2026-2710 to cves_seen.json fixed-clean |
| F10 missed-angle | active-threats | Maine AG filing missing inline Maine AG agviewer | Strongest primary for the precise figure | Resolved together with F5 #2 fixed-clean |
| F10 missed-angle | deep-dive | Nuclei template missing inline ProjectDiscovery Nuclei template | Primary support for X-SSL-CLIENT-VERIFY claim | Resolved together with F5 #1 fixed-clean |
| F11 editorial-advisory | trending-vulnerabilities | GitLab footer underplays pre-auth angle Auth: post-auth | CVE-2026-6713 is pre-auth; footer reads single value | no change (taxonomy parser does not accept comma list of Auth values) deferred |
| F11 editorial-advisory | tldr | Carnival records vs individuals TL;DR phrasing 5,995,277-record breach | records implies database rows; figure is affected individuals | Updated TL;DR to breach affecting 5,995,277 individuals fixed-clean |
Iteration #2 NEEDS_FIXES · 3 findings (truth=1, editorial=2, advisory=0) · Claude Sonnet 4.6 · 5m 07s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F3 claim-not-supported | active-threats | Carnival initial-access date — April 14 is identification, not initial access Initial access on 2026-04-14 | PR Newswire describes April 14 as identification; Maine AG records breach 2026-04-10 | Reframed to surface Maine AG 2026-04-10 breach date and PR Newswire 2026-04-14 identification date fixed-clean |
| F8 needs-more-research | research | BTMOB framed as Iberian-banking parallel; ESET says Brazil/Argentina parallel Android-targeting half of the same Iberian-banking pressure wave | ESET source focuses on LATAM not Iberia | Reframed as Latin American banking parallel (Brazil and Argentina per ESET) fixed-clean |
| F9 surface-contradiction | active-threats | Carnival breach-date contradiction April 10 vs April 14 | Maine AG and PR Newswire disagree on date framing | Added § 7 contradiction note explaining the breach-date vs discovery-date framing fixed-clean |
Iteration #3 NEEDS_FIXES · 6 findings (truth=3, editorial=1, advisory=2) · Claude Opus 4.7 · 6m 00s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F1 hallucinated-fact | active-threats / deep-dive | EKZ browser list — Brave vs Microsoft Edge Chrome, Firefox, Brave, LibreWolf, Waterfox, Pale Moon, Thunderbird | Arctic Wolf names Microsoft Edge not Brave; recurs in § 1 and § 5 | Replaced Brave with Microsoft Edge in both paragraphs fixed-clean |
| F2 claim-not-supported | trending-vulnerabilities | GitLab CVE-2026-6713 API name the public projects API | GitLab describes as GraphQL WorkItem API | Reworded to 'incorrect authorization issue in GitLab's GraphQL WorkItem API' fixed-clean |
| F3 claim-not-supported | active-threats | Apereo SAML/Kerberos affirmative statement pure SAML / Kerberos deployments are unaffected | Apereo only scopes the bug to OIDC IdP without affirmative statement on non-OIDC | Reframed as our scoping inference, not Apereo confirmation fixed-clean |
| F4 strengthen-primary-source | active-threats | Apereo reporter attribution Coop Switzerland | Apereo names Artur Stoecklin and David Roth at Coop (Switzerland) via YesWeHack | Added researcher names and YesWeHack channel fixed-clean |
| F6 editorial-advisory | action-items | Action Items density at 10 bullets 10-bullet action list | Upper-bound of reader actionability | no change (F6 advisory) deferred |
| F7 editorial-advisory | deep-dive | CVE-2026-45659 Microsoft comparison reads editorialised same shape as Microsoft's CVE-2026-45659 | Comparison reads as inference | no change (F7 advisory; URL live) deferred |
Iteration #4 NEEDS_FIXES cap-breach · 1 finding (truth=1, editorial=0, advisory=0) · Claude Sonnet 4.6 · 3m 53s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F3 claim-not-supported | updates | Check Point victim count quantifier — more than 332 vs approximately 332 Check Point counts more than 332 victim organisations | Source says approximately 332 / 332; brief said more than | Best-effort: replaced 'more than 332' with 'approximately 332' in body + delta paragraph (early-exit per v2.50 truth+editorial ≤ 2 AND no F1/F4) fixed-clean |
Verification & coverage notes
The run record's narrative body, verbatim. This is where the run accounts for its own judgement calls — every borderline drop and judged-not-relevant item with its reason, dedup decisions, single-source items and their carve-outs, contradictions, and per-source coverage gaps — so nothing the run considered disappears silently.
Verification & coverage notesrun record body
2026-05-29-c7f56b00 · Claude Opus 4.7 · window 36 h · 16 entries published
- Items dropped (already-covered, duplicate of in-window prior coverage):
- Tycoon 2FA AiTM detection-engineering analysis (Elastic Security Labs, 2026-05-26) — surfaced by S3 as a candidate, but the same Elastic Security Labs piece and the same eSentire OAuth-Device-Code corroboration were already the substance of the deep dive in 2026-05-27 and of the original Tycoon 2FA deep dive in 2026-05-18. No material new development in window. Drop per PD-8.
- Single-source items kept: none kept as
[SINGLE-SOURCE]in published items this run — both Apereo CAS (Apereo + CERT-FR) and the FortiClient / EKZ campaign (Arctic Wolf + Fortinet PSIRT + The Hacker News + NVD) cleared two-source verification. - Items dropped (low signal-to-noise for this audience):
- BTMOB Android RAT (ESET, 2026-05-26) — surfaced by S1 as SINGLE-SOURCE; folded into the § 3 Grandoreiro item as a corroborating Iberian-banking parallel rather than promoted to its own H3. ESET + WatchGuard via § 3 supply the two-source view.
- Reduced confidence: Apereo CAS patch version 7.3.7.1 carries MEDIUM confidence on technical impact because Apereo withheld full detail pending the security grace window. Tracked for follow-up.
- CVEs that did not clear § 2 inclusion gates (no exploitation, no PoC, no KEV, no pre-auth RCE on internet-exposed software): the lower-severity GitLab batch CVEs (
CVE-2026-1402,CVE-2026-2601,CVE-2026-5296,CVE-2026-8716) are documented inside the parent GitLab item but did not warrant their own H3. - Contradictions surfaced:
- Gogs zero-day CVE id: S1 documented no CVE assigned at publication, while S3 referenced CVE-2026-26194. Rapid7's blog post is unambiguous that the maintainer has not responded and no patch exists; the CVE-id claim from S3 could not be re-verified against an authoritative NVD entry in this run. The brief is written conservatively without the CVE id; verification of
CVE-2026-26194is deferred to the next run. - GitLab patch-release CVE count: the § 2 GitLab item summarises six CVEs (CVE-2026-4868, -6713, -1402, -2601, -5296, -8716) — the GitLab patch-release page enumerates seven (an additional CVE-2026-2710 is listed inline). Brief should be read as covering the six highest-severity / most defender-relevant items in the bundle; CVE-2026-2710 details are left to the vendor page until next-run re-pivot.
- Carnival breach date: the Maine AG filing records the breach as occurring 2026-04-10 with discovery on 2026-04-14, while Carnival's PR Newswire substitute notice describes 2026-04-14 as the day the security team identified unauthorized activity. The brief reports both dates with the breach-vs-discovery distinction surfaced in body text rather than picking one.
- Gogs zero-day CVE id: S1 documented no CVE assigned at publication, while S3 referenced CVE-2026-26194. Rapid7's blog post is unambiguous that the maintainer has not responded and no patch exists; the CVE-id claim from S3 could not be re-verified against an authoritative NVD entry in this run. The brief is written conservatively without the CVE id; verification of
- Sub-agents: all four returned within budget. S1 Sonnet 4.6 (684 s, 22 webfetch / 9 websearch / 14 bridge), S2 Sonnet 4.6 (348 s, 18 / 12 / 10), S3 Sonnet 4.6 (771 s, 12 / 4 / 18), S4 Sonnet 4.6 (753 s, 17 / 22 / 6). No stalled agents.
- Verification (Phase 5.7): four iterations (Opus → Sonnet → Opus → Sonnet). Iter 1 NEEDS_FIXES (truth=6, editorial=4, advisory=2) → iter 2 NEEDS_FIXES (1, 2, 0) → iter 3 NEEDS_FIXES (3, 1, 2) → iter 4 NEEDS_FIXES (1, 0, 0). Iter 4 was published via the v2.50 early-exit rule (truth+editorial ≤ 2 AND no F1/F4); the iter 4 finding ("Check Point count: brief said more than 332, source says approximately 332") was applied as a best-effort remediation in-place but the iteration's NEEDS_FIXES verdict stands.
verification_residual_count = 1. - Coverage gaps: databreaches-net (transport 403, no Wayback snapshot — Carnival breach covered via PR Newswire + The Record + The Register); sophos-xops (HTTP 503 on feed); inside-it-ch (HTTP 403 even via bridge); dragos, shadowserver, sekoia, volexity, greynoise (feeds returned 404 — likely upstream feed-URL drift, candidate for source-list review next run); cert-at, csirt-acn-it (not enumerated in this run); SEC EDGAR Item 1.05 (0 hits in window — Carnival filed substitute notice via PR Newswire and state AGs, not 8-K); CNIL-FR, EDPB, ICO-UK (no in-window enforcement actions); cisa-directives, tenable-research, cisco-psirt, greynoise (quiet in window). Inside-IT.ch's persistent 403 pattern is now the 4th run in 7 — candidate for the next source-list review.
Unmatched action items (migrated)
- Upgrade Fortinet FortiClient EMS 7.4.5 / 7.4.6 → 7.4.7 immediately and assume managed-endpoint compromise where the patch lagged. Active ITW exploitation delivers EKZ Infostealer through the trusted EMS update channel. Apply Fortinet PSIRT FG-IR-26-099 per § 5 above; have the fronting reverse proxy strip / overwrite
X-SSL-CLIENT-VERIFYbefore forwarding to EMS as a defence-in-depth control. Rotate cached browser credentials and treat managed-endpoint session cookies as compromised wherever EMS ran 7.4.5/7.4.6 unpatched. - Patch Samba to 4.22.10 / 4.23.8 / 4.24.3 on every Linux file / member server; AD DCs are unaffected. Compensating mitigation if the upgrade slips: remove
%ufrom anycheck password script, wrap%Jin single quotes insideprint command, and setrpc start on demand helpers = yes(default). Two CVSS 10.0 unauthenticated RCEs make this an immediate change-window candidate. - Patch Portainer CE to 2.33.8 / 2.39.2 / 2.41.0 and revoke Docker / Swarm endpoint access for non-admin users in the interim. CCB Belgium's Patch Immediately warning targets exactly the deployment shape — non-admin users with endpoint access can reach the unguarded plugin endpoints and Swarm-service API and escalate to host code execution.
- Upgrade SUSE Rancher to 2.10.12 / 2.11.14 / 2.12.10 / 2.13.6 / 2.14.2 and audit GitHub-App authentication / project-owner RBAC. Three concurrent paths to host code execution or cluster-admin escalation; the GitHub-App over-inclusive team membership in particular can be quietly abused.
- Patch IBM HTTP Server / WebSphere via APAR PH71265; disable
mod_ibm_uploadandmod_mem_cachewhere unused. Pre-auth RCE at CVSS 9.8 on a middleware widely deployed in Swiss banking, insurance and federal IT — NCSC.ch flagged the advisory specifically for CH consumers. - Mitigate the unpatched Gogs RCE on every self-hosted instance. Set
DISABLE_REGISTRATION = trueinapp.ini, disable Rebase before merging under instance settings, and consider migration to Gitea / Forgejo. Hunt forgitinvocations with--execwhose parent is the Gogs binary (Sysmon EID 1 /auditdEXECVE). - Hunt for The Gentlemen kill-chain artefacts across the AD estate. Look for
wevtutil cl Security|System|Applicationchained withsc stop WinDefendormsconfig;svchost32.exespawned outside%SystemRoot%\System32;CcmExec.exelaunching non-SCCM payloads; GPO modifications (Event ID 5136) and the hidden SMBsharemount (Event ID 5140). Enable the Block process creations originating from PsExec and WMI commands ASR rule per Microsoft's ASR rules reference and run EDR in block mode where possible. - Upgrade Apereo CAS to the fixed version 7.3.7.1 on any deployment configured as an OIDC IdP, even with technical detail withheld. CH-discovered (Coop Switzerland reporter) and CERT-FR-flagged; until detail is public, monitor OIDC token issuance logs for tokens to unregistered clients and anomalous
subclaim values. - Patch GitLab to 19.0.1 / 18.11.4 / 18.10.7 and Veeam B&R / Agent to 13.0.2.29 within the next change window. Highest-severity GitLab issue is the Duo AI identity-impersonation flaw; Veeam's Linux-appliance arbitrary file write is constrained to Backup Administrator role but a viable stepping stone to RCE. Review Veeam backup-administrator least-privilege at the same time.
- Refresh residential-proxy detection logic post-Asocks takedown. Asocks joins a recent sequence of disrupted networks (SocksEscort, Aisuru/Kimwolf, FirstVPN, IPIDEA, RapperBot per Risky Bulletin); retune CGNAT / consumer-ISP-RDNS correlation rules on M365 / Entra ID sign-in logs and on VPN concentrator authentication.
Migrated from briefs/2026-05-29.md (v2).
← Operations dashboard · day page 2026-05-29 · run-record contract: docs/pipeline.md