2026-06-17-e102009c
One pipeline fire, in full · intel run of 2026-06-17 · sub-agent allocation and telemetry, per-iteration verification verdicts and findings, source-list edits, coverage gaps, bridge invocations — and the run's own verification & coverage notes: what was published, what was dropped at the borderline or judged not relevant (and why), single-source carve-outs, and contradictions. Rendered from runs/2026-06-17/2026-06-17-e102009c.md.
Run telemetry
- Items returned
- 5
- Duration
- 22m 54s
- Tool calls
- 18 WebFetch7 WebSearch12 bridge
- Cited sources
- 6 of 9 in slice
- Items returned
- 4
- Duration
- 12m 21s
- Tool calls
- 18 WebFetch11 WebSearch14 bridge
- Cited sources
- 5 of 8 in slice
- Items returned
- 5
- Duration
- 12m 43s
- Tool calls
- 22 WebFetch18 WebSearch16 bridge
- Cited sources
- 6 of 11 in slice
- Items returned
- 4
- Duration
- 8m 49s
- Tool calls
- 14 WebFetch16 WebSearch8 bridge
- Cited sources
- 5 of 9 in slice
Verification
Deep dive
2026-06-17/dragonforce-abuses-microsoft-teams-turn-relays-for-c2-and-ch
Entries published (this run)
- Munich: ~120,000 student records suspected on the darknet — terminated employee under investigation incident high
- FishMonger (I-SOON) ports its SprySOCKS backdoor to Windows with a kernel-driver rootkit threat high
- CVE-2026-48907 — Widget Factory Joomla Content Editor (JCE) before version 2.9.99.5: unauthenticated profile-import → PHP RCE (CVSS v4 10.0) vulnerability critical
- Unit 42 "Pickle in the Middle": cross-tenant code execution in Google Vertex AI via predictable staging buckets (CVE-2026-2473) research notable
- Sekoia: ErrTraffic — a ClickFix Malware-as-a-Service framework resolving C2 through the Polygon blockchain research notable
- Huntress: Potemkin loader delivers RMMProject RAT and bypasses Chromium App-Bound Encryption research notable
- Zimperium: Rokarolla Android banking trojan targets 217 apps with full device takeover research notable
- FortiSandbox — three critical flaws now exploited simultaneously, including the previously disclosure-only CVE-2026-25089 vulnerability high update
- PAN-OS GlobalProtect CVE-2026-0257 — exploitation wave with Impacket post-compromise, NCSC-CH refreshes advisory vulnerability high update
- Check Point IKEv1 CVE-2026-50751 — public PoC raises exploitation risk vulnerability notable update
- Novo Nordisk — FulcrumSec claims authorship, $25M demand refused, data offered for private sale incident notable update
- DragonForce abuses Microsoft Teams TURN relays for C2 and chains four vulnerable drivers (BYOVD) threat high
Sources changed (this run)
Edits this run made to sources/sources.json · promotions, demotions, new candidates, and fetch-method / category / reliability / url corrections (the run record's sources_changed[]). Paginated; 10 per page.
No source-list edits recorded for this run.
Coverage gaps (this run)
Sources this run's brief needed that returned no usable content via any documented recipe. Bridge-recovered or quiet-day sources do NOT appear here. (Distinct from the independent source-accessibility probe at the foot of this section, which probes all active sources regardless of what any run needed.)
| Source (uncovered) | URL tried | Method chain | Status / class | What the agent did instead |
|---|---|---|---|---|
| sophos-xops | https://news.sophos.com/en-us/ | webfetch → bridge:url | 200 spa-empty-body Next.js SPA shell; article body not extractable; 2026-06-16 post confirmed present but content unrecoverable | none — no alternate carried the same content |
Bridge invocations (this run)
5 bridge calls this run · these are successful bridge fetches (separate from "Coverage gaps" above).
- bridge:cisa-kev ×1
- bridge:ncsc-csh.recent ×1
- bridge:ncsc-nl.recent ×1
- bridge:cert-eu.recent ×1
- bridge:url ×1
Verification findings · all iterations
Per-iteration finding detail. Each table is one verifier pass · what was flagged, how the main agent remediated it, and the outcome. Walking the tables top-to-bottom shows the verifier's debugging trail across iterations.
Iteration #1 NEEDS_FIXES · 5 findings (truth=1, editorial=1, advisory=3) · Claude Opus 4.8 · 4m 18s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F4 hallucinated-fact | research | Huntress Potemkin/RMMProject footer CVE: CVE-2025-55182 | CVE not in Huntress/THN sources; belongs to React2Shell/FulcrumSec | removed CVE-2025-55182 from § 3 Huntress footer fixed-clean |
| F9 surface-contradiction | updates | PAN-OS CVE-2026-0257 Unit42 no lateral movement vs Arctic Wolf Impacket | brief adopted Arctic Wolf view without noting Unit42 saw none | added Contradiction line to § 7 fixed-clean |
| F11 editorial-advisory | trending-vulnerabilities | JCE citation date 2026-06-03 vs page 06-12 | label uses patch-release date | kept as patch-release date (defensible) deferred |
| F11 editorial-advisory | updates | Check Point hotfix date 06-05 vs HelpNet 06-08 | date discrepancy | softened to early-June (iter3 corrected table/§6) fixed-clean |
| F11 editorial-advisory | active-threats | Munich 120k framing confirmed affecting 120,000 | figure from press reporting; soften | softened opening with press-reporting caveat fixed-clean |
Iteration #2 NEEDS_FIXES · 4 findings (truth=0, editorial=3, advisory=1) · Claude Sonnet 4.6 · 4m 17s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F1 broken-url | updates | Check Point CVE-2026-50751 advisories.ncsc.nl/advisory?id=NCSC-2026-0179 | NCSC-NL Angular SPA returns redirect shell on direct fetch (live via bridge) | promoted Help Net to primary; NCSC-NL retained as additional; § 7 note added fixed-clean |
| F5 missing-citation | research | Rokarolla European banking apps routinely appear on such target lists | European-specific claim not in sources | reworded to general sideloading-risk framing fixed-clean |
| F8 needs-more-research | research | Vertex AI CVE-2026-2473 patched in 1.148.0; affected 1.139.0–1.147.x | omits 1.144.0 partial fix | added 1.144.0 partial / 1.148.0 full nuance to item + § 6 fixed-clean |
| F10 missed-angle | deep-dive | DragonForce Scattered Spider connection | one-line disambiguation could help | not pursued (advisory; avoid unsourced connection) deferred |
Iteration #3 NEEDS_FIXES · 3 findings (truth=2, editorial=0, advisory=1) · Claude Opus 4.8 · 4m 52s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F3 citation-not-support | research | Vertex AI patch mechanism 1.144.0 initial ownership check | inverted: 1.144.0 = UUID4 randomization, 1.148.0 = ownership check | corrected mechanism wording fixed-clean |
| F3 citation-not-support | trending-vulnerabilities | Check Point hotfix date in table/§6 06-05 hotfix | contradicts Help Net (June 8) | changed table + § 6 to early-June, sourced to Help Net fixed-clean |
| F11 editorial-advisory | trending-vulnerabilities | JCE date 2026-06-03 | release date vs article date | left as release date (defensible) deferred |
Iteration #4 NEEDS_FIXES · 2 findings (truth=0, editorial=2, advisory=0) · Claude Sonnet 4.6 · 6m 28s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F5 missing-citation | active-threats | Munich leaving in 2024 | departure year not in fetched sources | dropped 'in 2024' fixed-clean |
| F5 missing-citation | updates | Novo Nordisk FulcrumSec unrotated as far back as 2021 | year qualifier not in MOXFIVE | changed to 'dormant/embedded credentials and API keys' fixed-clean |
Verification & coverage notes
The run record's narrative body, verbatim. This is where the run accounts for its own judgement calls — every borderline drop and judged-not-relevant item with its reason, dedup decisions, single-source items and their carve-outs, contradictions, and per-source coverage gaps — so nothing the run considered disappears silently.
Verification & coverage notesrun record body
2026-06-17-e102009c · unknown · 12 entries published
- Items dropped:
- CVE-2026-44963 (Veeam Backup & Replication, authenticated domain-user RCE) — surfaced by both S1 and S2 as significant, but out-of-window: primary sources are 2026-06-09/06-10 and the CVE is already in
cves_seen.json(first 06-10, last 06-14) with no in-window development. Retained here for awareness; if exploitation emerges it returns as a § 4 UPDATE. - CVE-2026-11645 (Google Chrome V8 zero-day) — already covered (
cves_seen06-10→06-14); primary sources 2026-06-08/06-09 are out-of-window with no fresh delta. Dropped. - IT Army of Ukraine — Kaluga Astral disruption — [SINGLE-SOURCE] (The Record, 2026-06-15); no direct CH/EU nexus. Noted for situational awareness only, not carried as an item.
- CVE-2026-44963 (Veeam Backup & Replication, authenticated domain-user RCE) — surfaced by both S1 and S2 as significant, but out-of-window: primary sources are 2026-06-09/06-10 and the CVE is already in
- Single-source / primary-research items: the Sekoia ErrTraffic (§ 3) and Huntress Potemkin (§ 3) analyses are single primary-research-lab disclosures (corroborated by reporting where available); presented as the labs' own findings.
- Reduced confidence: FortiSandbox exploitation (§ 4) is reported by Defused Cyber and relayed via Security Affairs / Help Net Security; Fortinet has not officially confirmed exploitation — attribution of the claim, not the vendor.
- Source dropped on liveness: the watchTowr technical write-up URL for CVE-2026-50751 (§ 4) returned 404 at the mechanical gate and was removed; the mechanism is now described at the level NCSC-NL and Help Net Security support, with watchTowr credited in prose only.
- NCSC-NL advisory rendering (§ 4 Check Point):
advisories.ncsc.nl/advisory?id=NCSC-2026-0179is an Angular SPA that returns a redirect/shell on direct fetch; its content (the public-PoC note) was confirmed via the bridge fetcher and S2's research. The content-readable Help Net Security article is listed first as the primary for the substantive claim; the NCSC-NL advisory is retained as the in-window (06-16) national-CERT reference. - Contradiction (PAN-OS CVE-2026-0257, § 4): Unit 42 (2026-06-09) observed successful auth-bypass VPN sessions but states no post-exploitation activity or lateral movement was observed; Arctic Wolf (2026-06-11) observed Impacket-pattern SMB enumeration and domain-user discovery in a subset of intrusions. The brief reports the Arctic Wolf observation as the lateral-movement signal; the two reflect different victim subsets and observation windows, not a factual conflict.
- Source list: added Zimperium zLabs as a
candidatesource (primary mobile threat research; contributed the Rokarolla item, § 3). Overflow not added this run (one-candidate cap): MOXFIVE (FulcrumSec actor profile, cited in § 4) — re-evaluate next run. - Sub-agents: all four (S1–S4) returned within budget (Claude Sonnet 4.6).
- Coverage gaps: databreaches-net (403, no Wayback snapshot — Novo Nordisk covered via alternates); sophos-xops (Next.js SPA body not extractable; 06-16 post confirmed but content unrecoverable); fortiguard-psirt (Angular SPA shell — FortiSandbox details via Security Affairs / Help Net); cert-at (RSS 404 on both feed URLs); rapid7-research (SPA body unextractable); inside-it-ch (not fetched this run); cnil-fr, edpb, ico-uk, sec-disclosures-edgar (no in-window qualifying items); akamai-sirt, dragos, sans-ics, talos (no in-window content).
Unmatched action items (migrated)
- Patch or isolate JCE-enabled Joomla sites today (see § 0 Immediate Action, § 2). Upgrade to JCE 2.9.99.5/2.9.99.6; on any previously-unpatched site, hunt web logs for unauthenticated
index.php?option=com_jce&task=profiles.importPOSTs and treat the earliest hit as the breach time — exploitation is automated and CISA-KEV-confirmed. - Disable PAN-OS GlobalProtect "Authentication Override" if not required, patch, and hunt for Impacket lateral movement (§ 4). Audit VPN sessions since late May for anonymous NTLM logon and SMB enumeration (EID 4624 Type 3 from unexpected IPs, EID 5140/5145).
- Upgrade
google-cloud-aiplatformto 1.148.0 (the fully hardened release — 1.144.0–1.147.x are only partially protected) and audit Vertex AI jobs for default staging buckets (§ 3); alert on ownership changes for{project-id}-vertex-staging-{region}buckets. - Add the ClickFix PowerShell hunt for the
<# Code Verification: NNNNNNNNNNNN #>artefact and formshta.exespawned bymsiexec.exe; blockmshta.exevia AppLocker/WDAC where feasible (§ 3). - Review offboarding access-revocation for staff with bulk-export rights over citizen/student data (§ 1, Munich). Bind database export credentials to just-in-time access tied to HR offboarding; alert on pre-departure bulk downloads.
- Refresh the Microsoft vulnerable-driver blocklist and enforce WDAC/HVCI driver allow-listing (§ 5, DragonForce BYOVD); constrain and monitor QUIC/UDP-443 egress to Microsoft service tags since Teams-relay C2 defeats IP/domain blocking.
Migrated from briefs/2026-06-17.md (v2).
← Operations dashboard · day page 2026-06-17 · run-record contract: docs/pipeline.md