ctipilot.ch

2026-06-17-e102009c

One pipeline fire, in full · intel run of 2026-06-17 · sub-agent allocation and telemetry, per-iteration verification verdicts and findings, source-list edits, coverage gaps, bridge invocations — and the run's own verification & coverage notes: what was published, what was dropped at the borderline or judged not relevant (and why), single-source carve-outs, and contradictions. Rendered from runs/2026-06-17/2026-06-17-e102009c.md.

Run telemetry

2026-06-17-e102009c intel prompt v2.60
28m 13s duration 12 published 4 updates
unknown (unknown) main agent
S1 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
5
Duration
22m 54s
Tool calls
18 WebFetch7 WebSearch12 bridge
Cited sources
6 of 9 in slice
S2 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
4
Duration
12m 21s
Tool calls
18 WebFetch11 WebSearch14 bridge
Cited sources
5 of 8 in slice
S3 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
5
Duration
12m 43s
Tool calls
22 WebFetch18 WebSearch16 bridge
Cited sources
6 of 11 in slice
S4 Claude Sonnet 4.6 (claude-sonnet-4-6)
Items returned
4
Duration
8m 49s
Tool calls
14 WebFetch16 WebSearch8 bridge
Cited sources
5 of 9 in slice

Verification

#1 NEEDS_FIXES · Claude Opus 4.8 (1M context) · t=1 e=1 a=3 #2 NEEDS_FIXES · Claude Sonnet 4.6 · t=0 e=3 a=1 #3 NEEDS_FIXES · Claude Opus 4.8 (1M context) · t=2 e=0 a=1 #4 NEEDS_FIXES · Claude Sonnet 4.6 · t=0 e=2 a=0 #5 CLEAN · Claude Opus 4.8 (1M context) · t=0 e=0 a=0

Deep dive

2026-06-17/dragonforce-abuses-microsoft-teams-turn-relays-for-c2-and-ch

Entries published (this run)

Sources changed (this run)

Edits this run made to sources/sources.json · promotions, demotions, new candidates, and fetch-method / category / reliability / url corrections (the run record's sources_changed[]). Paginated; 10 per page.

No source-list edits recorded for this run.

Coverage gaps (this run)

Sources this run's brief needed that returned no usable content via any documented recipe. Bridge-recovered or quiet-day sources do NOT appear here. (Distinct from the independent source-accessibility probe at the foot of this section, which probes all active sources regardless of what any run needed.)

Source (uncovered)URL triedMethod chainStatus / classWhat the agent did instead
sophos-xopshttps://news.sophos.com/en-us/webfetchbridge:url200 spa-empty-body
Next.js SPA shell; article body not extractable; 2026-06-16 post confirmed present but content unrecoverable
none — no alternate carried the same content

Bridge invocations (this run)

5 bridge calls this run · these are successful bridge fetches (separate from "Coverage gaps" above).

4 ok1 item not found
  • bridge:cisa-kev ×1
  • bridge:ncsc-csh.recent ×1
  • bridge:ncsc-nl.recent ×1
  • bridge:cert-eu.recent ×1
  • bridge:url ×1

Verification findings · all iterations

Per-iteration finding detail. Each table is one verifier pass · what was flagged, how the main agent remediated it, and the outcome. Walking the tables top-to-bottom shows the verifier's debugging trail across iterations.

Iteration #1 NEEDS_FIXES · 5 findings (truth=1, editorial=1, advisory=3) · Claude Opus 4.8 · 4m 18s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F4
hallucinated-fact
researchHuntress Potemkin/RMMProject
footer CVE: CVE-2025-55182
CVE not in Huntress/THN sources; belongs to React2Shell/FulcrumSecremoved CVE-2025-55182 from § 3 Huntress footer fixed-clean
F9
surface-contradiction
updatesPAN-OS CVE-2026-0257
Unit42 no lateral movement vs Arctic Wolf Impacket
brief adopted Arctic Wolf view without noting Unit42 saw noneadded Contradiction line to § 7 fixed-clean
F11
editorial-advisory
trending-vulnerabilitiesJCE citation date
2026-06-03 vs page 06-12
label uses patch-release datekept as patch-release date (defensible) deferred
F11
editorial-advisory
updatesCheck Point hotfix date
06-05 vs HelpNet 06-08
date discrepancysoftened to early-June (iter3 corrected table/§6) fixed-clean
F11
editorial-advisory
active-threatsMunich 120k framing
confirmed affecting 120,000
figure from press reporting; softensoftened opening with press-reporting caveat fixed-clean

Iteration #2 NEEDS_FIXES · 4 findings (truth=0, editorial=3, advisory=1) · Claude Sonnet 4.6 · 4m 17s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F1
broken-url
updatesCheck Point CVE-2026-50751
advisories.ncsc.nl/advisory?id=NCSC-2026-0179
NCSC-NL Angular SPA returns redirect shell on direct fetch (live via bridge)promoted Help Net to primary; NCSC-NL retained as additional; § 7 note added fixed-clean
F5
missing-citation
researchRokarolla
European banking apps routinely appear on such target lists
European-specific claim not in sourcesreworded to general sideloading-risk framing fixed-clean
F8
needs-more-research
researchVertex AI CVE-2026-2473
patched in 1.148.0; affected 1.139.0–1.147.x
omits 1.144.0 partial fixadded 1.144.0 partial / 1.148.0 full nuance to item + § 6 fixed-clean
F10
missed-angle
deep-diveDragonForce
Scattered Spider connection
one-line disambiguation could helpnot pursued (advisory; avoid unsourced connection) deferred

Iteration #3 NEEDS_FIXES · 3 findings (truth=2, editorial=0, advisory=1) · Claude Opus 4.8 · 4m 52s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F3
citation-not-support
researchVertex AI patch mechanism
1.144.0 initial ownership check
inverted: 1.144.0 = UUID4 randomization, 1.148.0 = ownership checkcorrected mechanism wording fixed-clean
F3
citation-not-support
trending-vulnerabilitiesCheck Point hotfix date in table/§6
06-05 hotfix
contradicts Help Net (June 8)changed table + § 6 to early-June, sourced to Help Net fixed-clean
F11
editorial-advisory
trending-vulnerabilitiesJCE date
2026-06-03
release date vs article dateleft as release date (defensible) deferred

Iteration #4 NEEDS_FIXES · 2 findings (truth=0, editorial=2, advisory=0) · Claude Sonnet 4.6 · 6m 28s

F-codeSectionItem · URL/quoteVerifier summaryRemediation · outcome
F5
missing-citation
active-threatsMunich
leaving in 2024
departure year not in fetched sourcesdropped 'in 2024' fixed-clean
F5
missing-citation
updatesNovo Nordisk FulcrumSec
unrotated as far back as 2021
year qualifier not in MOXFIVEchanged to 'dormant/embedded credentials and API keys' fixed-clean

Verification & coverage notes

The run record's narrative body, verbatim. This is where the run accounts for its own judgement calls — every borderline drop and judged-not-relevant item with its reason, dedup decisions, single-source items and their carve-outs, contradictions, and per-source coverage gaps — so nothing the run considered disappears silently.

Verification & coverage notesrun record body

2026-06-17-e102009c · unknown · 12 entries published

  • Items dropped:
    • CVE-2026-44963 (Veeam Backup & Replication, authenticated domain-user RCE) — surfaced by both S1 and S2 as significant, but out-of-window: primary sources are 2026-06-09/06-10 and the CVE is already in cves_seen.json (first 06-10, last 06-14) with no in-window development. Retained here for awareness; if exploitation emerges it returns as a § 4 UPDATE.
    • CVE-2026-11645 (Google Chrome V8 zero-day) — already covered (cves_seen 06-10→06-14); primary sources 2026-06-08/06-09 are out-of-window with no fresh delta. Dropped.
    • IT Army of Ukraine — Kaluga Astral disruption[SINGLE-SOURCE] (The Record, 2026-06-15); no direct CH/EU nexus. Noted for situational awareness only, not carried as an item.
  • Single-source / primary-research items: the Sekoia ErrTraffic (§ 3) and Huntress Potemkin (§ 3) analyses are single primary-research-lab disclosures (corroborated by reporting where available); presented as the labs' own findings.
  • Reduced confidence: FortiSandbox exploitation (§ 4) is reported by Defused Cyber and relayed via Security Affairs / Help Net Security; Fortinet has not officially confirmed exploitation — attribution of the claim, not the vendor.
  • Source dropped on liveness: the watchTowr technical write-up URL for CVE-2026-50751 (§ 4) returned 404 at the mechanical gate and was removed; the mechanism is now described at the level NCSC-NL and Help Net Security support, with watchTowr credited in prose only.
  • NCSC-NL advisory rendering (§ 4 Check Point): advisories.ncsc.nl/advisory?id=NCSC-2026-0179 is an Angular SPA that returns a redirect/shell on direct fetch; its content (the public-PoC note) was confirmed via the bridge fetcher and S2's research. The content-readable Help Net Security article is listed first as the primary for the substantive claim; the NCSC-NL advisory is retained as the in-window (06-16) national-CERT reference.
  • Contradiction (PAN-OS CVE-2026-0257, § 4): Unit 42 (2026-06-09) observed successful auth-bypass VPN sessions but states no post-exploitation activity or lateral movement was observed; Arctic Wolf (2026-06-11) observed Impacket-pattern SMB enumeration and domain-user discovery in a subset of intrusions. The brief reports the Arctic Wolf observation as the lateral-movement signal; the two reflect different victim subsets and observation windows, not a factual conflict.
  • Source list: added Zimperium zLabs as a candidate source (primary mobile threat research; contributed the Rokarolla item, § 3). Overflow not added this run (one-candidate cap): MOXFIVE (FulcrumSec actor profile, cited in § 4) — re-evaluate next run.
  • Sub-agents: all four (S1–S4) returned within budget (Claude Sonnet 4.6).
  • Coverage gaps: databreaches-net (403, no Wayback snapshot — Novo Nordisk covered via alternates); sophos-xops (Next.js SPA body not extractable; 06-16 post confirmed but content unrecoverable); fortiguard-psirt (Angular SPA shell — FortiSandbox details via Security Affairs / Help Net); cert-at (RSS 404 on both feed URLs); rapid7-research (SPA body unextractable); inside-it-ch (not fetched this run); cnil-fr, edpb, ico-uk, sec-disclosures-edgar (no in-window qualifying items); akamai-sirt, dragos, sans-ics, talos (no in-window content).

Unmatched action items (migrated)

  • Patch or isolate JCE-enabled Joomla sites today (see § 0 Immediate Action, § 2). Upgrade to JCE 2.9.99.5/2.9.99.6; on any previously-unpatched site, hunt web logs for unauthenticated index.php?option=com_jce&task=profiles.import POSTs and treat the earliest hit as the breach time — exploitation is automated and CISA-KEV-confirmed.
  • Disable PAN-OS GlobalProtect "Authentication Override" if not required, patch, and hunt for Impacket lateral movement (§ 4). Audit VPN sessions since late May for anonymous NTLM logon and SMB enumeration (EID 4624 Type 3 from unexpected IPs, EID 5140/5145).
  • Upgrade google-cloud-aiplatform to 1.148.0 (the fully hardened release — 1.144.0–1.147.x are only partially protected) and audit Vertex AI jobs for default staging buckets (§ 3); alert on ownership changes for {project-id}-vertex-staging-{region} buckets.
  • Add the ClickFix PowerShell hunt for the <# Code Verification: NNNNNNNNNNNN #> artefact and for mshta.exe spawned by msiexec.exe; block mshta.exe via AppLocker/WDAC where feasible (§ 3).
  • Review offboarding access-revocation for staff with bulk-export rights over citizen/student data (§ 1, Munich). Bind database export credentials to just-in-time access tied to HR offboarding; alert on pre-departure bulk downloads.
  • Refresh the Microsoft vulnerable-driver blocklist and enforce WDAC/HVCI driver allow-listing (§ 5, DragonForce BYOVD); constrain and monitor QUIC/UDP-443 egress to Microsoft service tags since Teams-relay C2 defeats IP/domain blocking.

Migrated from briefs/2026-06-17.md (v2).

← Operations dashboard · day page 2026-06-17 · run-record contract: docs/pipeline.md