2026-06-26-6bbe4619
One pipeline fire, in full · intel run of 2026-06-26 · sub-agent allocation and telemetry, per-iteration verification verdicts and findings, source-list edits, coverage gaps, bridge invocations — and the run's own verification & coverage notes: what was published, what was dropped at the borderline or judged not relevant (and why), single-source carve-outs, and contradictions. Rendered from runs/2026-06-26/2026-06-26-6bbe4619.md.
Run telemetry
- Items returned
- 4
- Duration
- 8m 11s
- Tool calls
- 14 WebFetch9 WebSearch6 bridge
- Cited sources
- 3 of 49 in slice
- Items returned
- 4
- Duration
- 10m 43s
- Tool calls
- 6 WebFetch9 WebSearch18 bridge
- Cited sources
- 3 of 40 in slice
- Items returned
- 5
- Duration
- 9m 27s
- Tool calls
- 9 WebFetch10 WebSearch12 bridge
- Cited sources
- 3 of 99 in slice
- Items returned
- 5
- Duration
- 9m 48s
- Tool calls
- 3 WebFetch14 WebSearch22 bridge
- Cited sources
- 1 of 8 in slice
Verification
Deep dive
2026-06-26/cisco-catalyst-sd-wan-manager-cve-2026-20245
Entries published (this run)
- Ukrposhta digital services disrupted by an overnight attack; pro-Russian hacktivists claim a prior data theft incident notable
- ShinyHunters used a single vishing call into the company's identity platform to breach Madison Square Garden incident high
- macOS.Gaslight — a DPRK-aligned Rust backdoor that targets the LLM-assisted analyst research high
- ESET's 2025 Gamaredon paper: exfil and C2 moved wholesale onto trusted cloud services (ANNUAL REPORT) annual-report high
- Mandiant publishes the forensic reconstruction behind Cisco SD-WAN Manager CVE-2026-20245 vulnerability high update
- Cisco Catalyst SD-WAN Manager CVE-2026-20245 vulnerability notable
Sources changed (this run)
Edits this run made to sources/sources.json · promotions, demotions, new candidates, and fetch-method / category / reliability / url corrections (the run record's sources_changed[]). Paginated; 10 per page.
No source-list edits recorded for this run.
Coverage gaps (this run)
Sources this run's brief needed that returned no usable content via any documented recipe. Bridge-recovered or quiet-day sources do NOT appear here. (Distinct from the independent source-accessibility probe at the foot of this section, which probes all active sources regardless of what any run needed.)
| Source (uncovered) | URL tried | Method chain | Status / class | What the agent did instead |
|---|---|---|---|---|
| ncsc-ch-focus | https://www.ncsc.admin.ch/ncsc/en/home/aktuell/im-fokus/2026/wochenrueckblick_26 | bridge:ncsc-csh → webfetch | 404 NCSC-CH Week 26 weekly review not yet published (HTTP 404 at run time) | none — no in-window Swiss-specific item this run |
| cert-fr-actu | https://www.cert.ssi.gouv.fr/actualite/ | bridge:url | 200 CERT-FR actualite feed appears stuck — newest items dated December 2025 | none — no in-window CERT-FR content |
Bridge invocations (this run)
3 bridge calls this run · these are successful bridge fetches (separate from "Coverage gaps" above).
- bridge:cisa-kev ×1
- bridge:ncsc-nl.csaf ×1
- bridge:url ×1
Verification findings · all iterations
Per-iteration finding detail. Each table is one verifier pass · what was flagged, how the main agent remediated it, and the outcome. Walking the tables top-to-bottom shows the verifier's debugging trail across iterations.
Iteration #1 NEEDS_FIXES · 2 findings (truth=1, editorial=1, advisory=0) · Claude Opus 4.8 · 2m 52s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F13 analytical-link-as-fact | active-threats | ShinyHunters/MSG vishing into identity platform granting access to Microsoft Entra, the platform MSG uses for identity and network access | Microsoft Entra asserted as MSG-incident fact; cited sources support only generic Abnormal pattern | Rewrote item + TL;DR: vishing foothold attributed to 404 Media; Entra/Okta reframed as Abnormal's generic pattern; softened to 'the company's identity platform' fixed-clean |
| F2 citation-date-drift | active-threats / research | Abnormal + Sekoia citation dates [Abnormal,2026-06-24]; [Sekoia,2026-06-25] | Citation dates did not match fetched pages (Abnormal=2026-02-06; Sekoia=2026-06-04) | Corrected both dates fixed-clean |
Iteration #2 NEEDS_FIXES · 1 finding (truth=1, editorial=0, advisory=0) · Claude Sonnet 4.6 · 2m 15s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F13 analytical-link-as-fact | active-threats | ShinyHunters/MSG heading heading: 'used a single vishing call into Microsoft Entra' | Body+TL;DR fixed but the §1 heading still asserted Microsoft Entra as the MSG foothold | Changed heading to 'into the company's identity platform' fixed-clean |
Iteration #3 CLEAN · 2 findings (truth=0, editorial=0, advisory=2) · Claude Opus 4.8 · 1m 59s
| F-code | Section | Item · URL/quote | Verifier summary | Remediation · outcome |
|---|---|---|---|---|
| F11 editorial-advisory | active-threats | ShinyHunters/MSG foothold clause places the foothold at the company's identity and network-access platform | Clause still mildly over-asserted vs cited sources; self-mitigated by following sentences | Removed the foothold-platform clause fixed-clean |
| F11 editorial-advisory | research | Sekoia corroboration URL blog.sekoia.io/...gammasteel/ | 301 redirect to canonical www.sekoia.com URL; content matches | Updated to canonical www.sekoia.com URL fixed-clean |
Verification & coverage notes
The run record's narrative body, verbatim. This is where the run accounts for its own judgement calls — every borderline drop and judged-not-relevant item with its reason, dedup decisions, single-source items and their carve-outs, contradictions, and per-source coverage gaps — so nothing the run considered disappears silently.
Verification & coverage notesrun record body
2026-06-26-6bbe4619 · Claude Opus 4.8 (1M context) · 6 entries published
Items dropped:
- Ubiquiti UniFi OS CVE-2026-34908 / -34909 / -34910 (S1) — dropped as a PD-8 duplicate: this exact triple-flaw chain was the deep dive on 2026-06-24. It is also out-of-window (patched 2026-05-21 in UniFi OS Server 5.0.8) and S1's reported product/fixed-version detail ("UniFi OS 4.1.13") was inaccurate against the vendor record. The only fresh hook was today's CISA KEV federal remediation deadline, which is not operational signal for a CH/EU audience (PD-13).
- GitLab 19.1.1 / 19.0.3 / 18.11.6 (S1, S2) — dropped from §2. Verified against GitLab's release notes (published 2026-06-24): the headline issues are stored XSS CVE-2026-10086 (CVSS 8.7) and CVE-2026-10712 (CVSS 8.0), with lower-severity authorization/SSRF issues (the SSRF, CVE-2026-12635, is only CVSS 3.1). No in-the-wild exploitation, not RCE, below the CVSS-9 threshold — clears no §2 inclusion gate. Self-hosted public-sector instances should still apply on their normal patch cycle. (A sub-agent over-stated this as "code injection / SSRF highest-impact"; corrected.)
- PixelSmash / CVE-2026-8461 FFmpeg MagicYUV heap OOB (S3) — out-of-window: JFrog disclosure 2026-06-22, outside the 36 h window with no fresh in-window development. Noted for catch-up given Nextcloud/Jellyfin server-side-preview relevance to CH/EU public sector if it develops.
- Microsoft DART parallel dual-actor SharePoint case study (S3) — out-of-window (2026-06-22) and single-source.
- Tata Electronics / World Leaks 630 GB leak (S4) — out-of-window (2026-06-22/23).
- River Financial Corp 8-K (Item 1.05) (S4) — US community bank, no CH/EU nexus; SINGLE-SOURCE (SEC filing recovered via search). Watch for an 8-K/A around 1–2 July.
- DraftKings credential-stuffing sentencing (S4) — US law-enforcement follow-up; limited CH/EU public-sector relevance.
- Black Kite Europe ransomware report (S2) — periodic statistics report; declined under the no-vanity-metrics rule. Its one operational nugget (the Miljödata HR-SaaS supply-chain breach cascading to ~200 Swedish municipalities) references a 2025 incident, not in-window.
Corrections resolved during verification (sub-agent conflicts cross-checked against primaries):
- Cisco SD-WAN CVE-2026-20245 — three sub-agents returned three different fixed-version lists and two different Cisco advisory IDs; resolved against the Mandiant primary and Cisco PSIRT to 20.9.9.2 / 20.12.7.2 / 20.15.4.5 / 20.15.5.3 / 20.18.3.1 / 26.1.1.2 and advisory
cisco-sa-sdwan-privesc-4uxFrdzx. Mandiant asserts no actor attribution, so sub-agent "nation-state/espionage" framing was dropped. Primary publication date is 2026-06-24 (one sub-agent reported 06-25). - macOS.Gaslight — two sub-agents conflicted on C2 (HTTPS vs Telegram), XProtect signature (BONZAI.D/E vs MACOS_BONZAI_COBUCH) and persistence path; resolved against the SentinelLABS primary (Telegram Bot-API C2; XProtect
MACOS_BONZAI_COBUCH; LaunchAgentcom.apple.system.services.activity). The fabricated SentinelLABS URL returned by one sub-agent was discarded in favour of the verified one. - Gamaredon — ESET and Sekoia both published 2025 Gamaredon research on 2026-06-25; the ESET annual paper was fetched and verified. Sub-agent claims of "EU secondary targeting" were not supported by the report (exclusively Ukrainian targeting) and were dropped.
Single-source / reduced confidence: Ukrposhta data-exfiltration claim is a pro-Russian-hacktivist self-report, unverified by Recorded Future News; the service disruption itself is multi-source.
Stalled sub-agents: none — all four returned within the window.
Coverage gaps: databreaches-net (per-article 403 on the bridge; items recovered via corroborating publishers); cert-fr-avis, cert-fr-actu (feeds stale / nothing in window); ncsc-ch-focus (Week 26 review not yet published — HTTP 404 at run time); mandiant-gtig (Feedburner IncompleteRead — recovered via direct article fetch); bleepingcomputer (403 — recovered via alternates).
Source-health probe: the end-of-run source_health.py snapshot flagged five sources needs-demote — cisa-advisories, cisa-directives, cisa-news, sophos-xops, trellix. No demotion applied this run: the three CISA entries are documented routine-UA transport-blocking (exempt from demotion per the source-lifecycle rules; the cisa-kev bridge recipe itself returned 200 this run), and sophos-xops / trellix are single-probe failures below the 5×404 demotion threshold. Monitoring; will revisit if the failures persist across runs.
Unmatched action items (migrated)
- Patch Cisco Catalyst SD-WAN Manager now to a fixed train (20.9.9.2, 20.12.7.2, 20.15.4.5, 20.15.5.3, 20.18.3.1, or 26.1.1.2) — pre-disclosure root exploitation is confirmed and there is no workaround. On any controller potentially exposed before patching, baseline
/etc/passwd//etc/shadowfor non-rootUID-0 accounts, review tenant-upload audit logs, and rotate admin credentials including defaultvmanage-admin. See §4 and §5. - Hunt the vishing → Entra kill chain. Alert on new MFA-method registration events in Entra audit logs correlated with anomalous sign-in geo/user-agent and post-enrollment impossible-travel risk events; move privileged and helpdesk-reachable identities to phishing-resistant FIDO2/passkey MFA and require a compliant device for MFA enrollment via Conditional Access. See §1.
- Add detection for trusted-service abuse in exfil/C2. Flag tunnel-service egress (
trycloudflare.com/workers.dev/devtunnels.ms) from Office or scripting processes, andrclone/S3-APIPUT/POSTfrom hosts with no backup role — the Gamaredon model that any espionage operator can copy. See §3. - Treat LLM triage verdicts as provisional on submitted macOS samples. Until human review, do not trust an automated "benign" verdict on a macOS binary, and hunt LaunchAgents under
com.apple.system.services.*signed by non-Apple identities. See §3.
Migrated from briefs/2026-06-26.md (v2).
← Operations dashboard · day page 2026-06-26 · run-record contract: docs/pipeline.md