Tuesday, June 9, 2026


Editorial notice: Analysis and defender guidance in this digest are informational only. BORDER CYBER GROUP has no visibility into reader environments, patch states, or operational constraints. Nothing published here constitutes professional cybersecurity, legal, or compliance advice. All remediation and response decisions should be evaluated by qualified personnel against your organization's specific context. BCG assumes no responsibility for actions taken or not taken in reliance on this content.

Check Point VPN Authentication Bypass Actively Exploited — Suspected Qilin Affiliate Involvement (CVE-2026-50751)

CVSS 9.3 | KEV added 2026-06-08 | FCEB patch deadline: June 11 | Source basis: Vendor advisory (Check Point) + independent corroboration (Rapid7). Confidence: High on exploitation facts; Medium on Qilin attribution (single vendor source, no independent confirmation at time of publication).

Check Point disclosed and patched a critical authentication bypass in its Remote Access VPN and Mobile Access products on June 8. The flaw is a logic error in certificate validation during IKEv1 key exchange: an unauthenticated remote attacker can establish a VPN session without a valid password. Affected versions span R80.20.X through R82.10 across Mobile Access / SSL VPN, Remote Access VPN, and Spark Firewall products. The vulnerability applies only to deployments using the deprecated IKEv1 protocol where gateways accept legacy Remote Access clients and do not require a machine certificate.

Check Point traced the earliest observed exploitation to May 7, with a marked escalation in early June. The PSIRT investigation launched June 4. The campaign has affected a few dozen organizations globally. CISA added the flaw to KEV on June 8 with a June 11 remediation deadline for FCEB agencies.

Rapid7 independently corroborated at least one incident with high confidence as linked to CVE-2026-50751.

Check Point assesses with medium confidence that one confirmed post-compromise case involved a Qilin ransomware affiliate. This attribution comes from a single vendor source; no independent confirmation from a second party has been published at time of writing.

A companion flaw, CVE-2026-50752 (CVSS 7.4), affecting the same IKEv1 code path and enabling potential MitM interference against site-to-site VPN tunnels, was identified during the same internal review. No exploitation of CVE-2026-50752 has been observed.

Defender actions: Apply Check Point's hotfix immediately on every gateway that accepts IKEv1 Remote Access connections. Interim mitigations: disable legacy Remote Access client support; enforce IKEv2-only authentication; require machine certificates. Each of these removes one of the preconditions described above, so any one of them closes the vulnerable path until the hotfix is in place. Audit VPN session logs from May 7 forward, concentrating on IKEv1 sessions established without a machine certificate from source addresses or accounts with no prior remote-access history, at unusual hours, or followed by internal lateral activity. After patching, confirm that no gateway still advertises the legacy client profile.
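The log audit above is the piece most teams will have to improvise. The following is an added example (not Check Point tooling, and not Check Point's log schema) that builds a baseline of which (user, source address) pairs established sessions before May 7 and then flags post-cutoff IKEv1 sessions without a machine certificate from pairs never seen in the baseline. The key=value line format, the field names (ike_version, machine_cert, user, src) and the sample records are constructed for illustration; adapt parse_line() to your gateway's real export before running it against production logs.

```python
"""Triage of VPN session-establishment logs for the CVE-2026-50751 window.

Added example; not Check Point's log schema or tooling. The line format,
field names and sample records below are constructed for illustration.
"""
from collections import defaultdict
from datetime import date

CUTOFF = date(2026, 5, 7)  # earliest exploitation observed per Check Point

# Constructed sample export (hypothetical format): one session establishment per line.
SAMPLE_LOG = """\
2026-04-28 09:12:03 event=vpn_session_established user=alice src=203.0.113.10 ike_version=2 machine_cert=yes
2026-05-01 18:40:11 event=vpn_session_established user=bob src=198.51.100.7 ike_version=1 machine_cert=no
2026-05-09 02:17:45 event=vpn_session_established user=bob src=192.0.2.55 ike_version=1 machine_cert=no
2026-05-10 03:02:09 event=vpn_session_established user=svc-backup src=192.0.2.56 ike_version=1 machine_cert=no
2026-05-11 10:30:00 event=vpn_session_established user=alice src=203.0.113.10 ike_version=2 machine_cert=yes
2026-05-12 11:05:22 event=vpn_session_established user=bob src=198.51.100.7 ike_version=1 machine_cert=no
"""


def parse_line(line):
    """Parse 'YYYY-MM-DD HH:MM:SS k=v k=v ...' into a dict; None for lines that do not fit."""
    parts = line.split()
    if len(parts) < 3:
        return None
    try:
        day = date.fromisoformat(parts[0])
    except ValueError:
        return None
    rec = {"date": day, "time": parts[1]}
    for tok in parts[2:]:
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec[key] = val
    return rec


def find_suspicious(log_text, cutoff=CUTOFF):
    """Return session records worth analyst review.

    Baseline: (user, src) pairs that established sessions before the cutoff.
    After the cutoff, flag IKEv1 sessions without a machine certificate (the
    vulnerable configuration) whose (user, src) pair never appears in the baseline.
    """
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    baseline = defaultdict(set)
    for rec in records:
        if rec["date"] < cutoff and rec.get("event") == "vpn_session_established":
            baseline[rec.get("user")].add(rec.get("src"))

    flagged = []
    for rec in records:
        if rec["date"] < cutoff or rec.get("event") != "vpn_session_established":
            continue
        vulnerable_path = rec.get("ike_version") == "1" and rec.get("machine_cert") == "no"
        new_origin = rec.get("src") not in baseline[rec.get("user")]
        if vulnerable_path and new_origin:
            flagged.append(rec)
    return flagged


if __name__ == "__main__":
    for rec in find_suspicious(SAMPLE_LOG):
        print(f"{rec['date']} {rec['time']} user={rec['user']} src={rec['src']}: "
              "IKEv1 session without machine cert from unseen source")
```

On the sample data this flags bob's May 9 session from a new address and the svc-backup session, which has no pre-cutoff history at all, while bob's return from his usual address and alice's IKEv2 sessions pass. A baseline built from only a few weeks of logs will produce false positives for travelling users; extend the baseline window as far back as your retention allows.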

Primary source: Check Point Security Advisory, blog.checkpoint.com (2026-06-08) | Corroborated: Rapid7 ETR (independent, high confidence), BleepingComputer, Help Net Security, CISA KEV

#vuln #crimeware


Miasma Worm: IDE Workspace Config Files Used to Harvest Credentials Across 73 Microsoft GitHub Repos

Supply chain | Developer credential theft | No patch; operational response required | Source basis: StepSecurity technical analysis + GitHub API verification. Confidence: High on technical facts; Medium on re-compromise hypothesis (two plausible explanations exist, neither confirmed).

On June 5, a compromised contributor account pushed malicious commit 5f456b8 to Microsoft's Azure/durabletask GitHub repository. The commit planted five configuration files targeting four developer environments: Claude Code, Gemini CLI, Cursor, and VS Code. When a developer opens the repository in any of those tools, the configuration files trigger automatic execution of a 4.6 MB obfuscated JavaScript credential harvester. GitHub's automated enforcement disabled 73 repositories across four Microsoft GitHub organizations (Azure, Azure-Samples, Microsoft, MicrosoftDocs) in a 105-second window, including Azure/functions-action, breaking CI/CD pipelines for dependent workflows.

StepSecurity confirmed via the GitHub API that the same compromised contributor account was used in a May 19 attack on the durabletask PyPI package, where malicious package versions were uploaded using a compromised publishing token, planting a credential harvester targeting cloud, Kubernetes, and developer-tool secrets.

This attack mechanism represents a distinct departure from conventional supply-chain poisoning. Rather than exploiting package installation hooks — the focus of most existing supply-chain monitoring — the campaign plants IDE and agent workspace configuration files that execute on folder open, with no install step required. If this technique proves repeatable, defenders may need to extend supply-chain monitoring to repository-level workspace configuration artifacts, not only package manifests and install scripts.

Two plausible explanations exist for the account's reuse between May 19 and June 5: either the account's credentials were never fully rotated after the May incident, leaving the attacker with a working GitHub token; or the Miasma worm's own propagation mechanism re-compromised the account when the contributor opened an infected repository in an AI coding tool. Current evidence is consistent with either explanation; StepSecurity has not publicly resolved the question.

Exfiltration used ephemeral public GitHub repositories with liuende501 identified as the primary dead-drop account holding 236 such repositories. The campaign also included 37 malicious PyPI packages across 19 package names attributed to the same Miasma/Shai-Hulud lineage, some abusing the Bun JavaScript runtime to execute credential stealers.

Defender actions: Any developer who opened an affected Microsoft Azure repository between June 3 and June 5 in Claude Code, Gemini CLI, Cursor, or VS Code should rotate all credentials stored in those environments (cloud CLI tokens, GitHub and package-registry tokens, Kubernetes configs, SSH keys) and audit CI/CD pipeline secrets. Review AI coding tool workspace settings to restrict automatic execution of repository configuration files; in VS Code, keep Workspace Trust enabled and open unfamiliar checkouts in Restricted Mode, which blocks automatic tasks until the folder is explicitly trusted. Audit GitHub Actions workflows depending on Azure/functions-action and pin them to a known-good commit SHA rather than a tag.
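Most supply-chain scanners look at package manifests and install hooks, not at the workspace files this campaign abused. The following is an added example (not StepSecurity's or Microsoft's tooling) of a repository scan that walks a checkout and reports IDE and agent configuration files that can run code on folder open. The VS Code tasks.json check uses documented behaviour: a task with "runOptions": {"runOn": "folderOpen"} is started automatically when the folder is opened in a trusted workspace. The other paths (.claude/settings.json, .gemini/settings.json, .cursor/hooks.json, .vscode/launch.json) are assumed project-level config locations for the tools named in the report and should be checked against each tool's current documentation. The sample repository is built in a temporary directory and is constructed for illustration.

```python
"""Repository scan for IDE/agent workspace files that can execute on folder open.

Added example, not StepSecurity's or Microsoft's code. The tasks.json
'runOn: folderOpen' rule is documented VS Code behaviour; the other paths
in WATCHLIST are assumed config locations for the tools named in the report.
"""
import json
import os
import re
import tempfile

# Paths flagged on sight (assumption: where each tool reads project-level config).
WATCHLIST = {
    ".vscode/settings.json": "VS Code workspace settings (can override tool paths and extension behaviour)",
    ".vscode/launch.json": "VS Code debug config (preLaunchTask can run arbitrary commands)",
    ".claude/settings.json": "Claude Code project settings (hooks may run shell commands)",
    ".gemini/settings.json": "Gemini CLI project settings",
    ".cursor/hooks.json": "Cursor hooks",
}


def _strip_jsonc(text):
    """Heuristically remove // and /* */ comments and trailing commas so json.loads accepts VS Code JSONC."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"(^|[^:])//[^\n]*", r"\1", text)   # keeps 'https://' inside strings intact
    text = re.sub(r",\s*([}\]])", r"\1", text)
    return text


def auto_run_tasks(tasks_json_text):
    """Return labels of tasks configured to start when the folder is opened."""
    try:
        doc = json.loads(_strip_jsonc(tasks_json_text))
    except json.JSONDecodeError:
        return ["<unparseable tasks.json: review manually>"]
    hits = []
    for task in doc.get("tasks", []):
        run_on = (task.get("runOptions") or {}).get("runOn")
        if run_on == "folderOpen":
            hits.append(task.get("label", "<unlabelled>"))
    return hits


def scan_repo(root):
    """Walk a checkout and return sorted (relative_path, reason) findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel == ".vscode/tasks.json":
                with open(full, encoding="utf-8", errors="replace") as fh:
                    for label in auto_run_tasks(fh.read()):
                        findings.append((rel, f"task '{label}' runs on folderOpen"))
            elif rel in WATCHLIST:
                findings.append((rel, WATCHLIST[rel]))
    return sorted(findings)


def build_sample_repo():
    """Constructed checkout: one auto-run task, one benign task, one agent config file."""
    root = tempfile.mkdtemp(prefix="wsscan-")
    os.makedirs(os.path.join(root, ".vscode"))
    os.makedirs(os.path.join(root, ".claude"))
    with open(os.path.join(root, ".vscode", "tasks.json"), "w", encoding="utf-8") as fh:
        fh.write("""{
  // constructed sample modelled on the auto-run pattern, not the real commit
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "make"},
    {"label": "setup", "type": "shell", "command": "node ./.vscode/setup.js",
     "runOptions": {"runOn": "folderOpen"}},
  ]
}""")
    with open(os.path.join(root, ".claude", "settings.json"), "w", encoding="utf-8") as fh:
        fh.write('{"hooks": {}}')   # constructed placeholder; real hook syntax is tool-specific
    return root


if __name__ == "__main__":
    for rel, reason in scan_repo(build_sample_repo()):
        print(f"{rel}: {reason}")
```

Run it as a pre-clone gate in CI or a pre-commit hook on the repositories your developers open most. Presence of a watchlist file is not proof of compromise; the point is to force a human look at files that are otherwise opened, parsed and acted upon by tooling before anyone reads them.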

Primary source: StepSecurity technical analysis, stepsecurity.io (2026-06-05) | Corroborated: The Hacker News, multiple independent researcher analyses. Note: Microsoft's public statement confirmed temporary repository removal but did not provide independent technical detail beyond StepSecurity's findings.

#supplychain #malware #detection


VerdantBamboo (UNC5221 / Clay Typhoon) Sustains 18-Month Undetected Access via BRICKSTORM and Two Previously Undocumented Implants

APT | China-nexus espionage | Edge appliance persistence | Source basis: Volexity incident response report (primary, direct IR engagement). Confidence: High. All facts below are sourced from Volexity's published findings unless labeled otherwise.

Volexity published incident response findings on June 4 documenting a Chinese espionage intrusion that remained undetected for at least 18 months. The actor, tracked as VerdantBamboo (also: Clay Typhoon/Microsoft, UNC5221/Google, Warp Panda/CrowdStrike), gained initial access to a victim's Egnyte Storage Sync appliance by exploiting an overpermissive sudo configuration on the default egnyteservice account. The misconfigured sudo entry allowed the low-privileged service account to invoke tee as root, enabling the attackers to write files to protected locations and install a cron job persisting BRICKSTORM at /usr/sbin. Egnyte patched the underlying privilege escalation condition in Storage Sync v13.13 (March 2026).

[Volexity IR finding] The actor also compromised the victim organization's managed service provider (MSP), deploying a FreeBSD variant of BRICKSTORM on the MSP's pfSense firewall. From this position, the actor stole administrative credentials, mapped network infrastructure, and maintained re-entry capability into the primary victim network even after initial remediation efforts.

Two previously undocumented malware families were identified during the investigation:

  • PLENET (also tracked as GRIMBOLT by Google): a cross-platform backdoor written in .NET Core, compiled via Native AOT to frustrate static analysis. Supports interactive shell, remote command execution, file manipulation, and C2 server switching. Google separately reported PLENET in February 2026 in connection with UNC6201 activity targeting Dell RecoverPoint for Virtual Machines.
  • AGENTPSD: a Python reverse shell packaged via PyInstaller, assessed by Volexity as a fallback implant in the event the primary implant is disrupted.

VerdantBamboo accessed the victim's Microsoft 365 environment from the appliance foothold, routing traffic through BRICKSTORM's SOCKS5 proxy capability. Volexity assesses this was done to blend with legitimate network traffic and circumvent Conditional Access policies that would otherwise have flagged the access.

The actor used separate C2 domains for primary and fallback tools, a deliberate operational security decision ensuring that defenders blocking the primary BRICKSTORM infrastructure would not expose the secondary persistence layer.

The target selection logic documented here — proprietary network appliances and edge devices specifically chosen because they lack EDR coverage — is consistent with a broader pattern visible across multiple China-nexus espionage campaigns against Western enterprise infrastructure. Defenders should treat Linux/BSD appliances as a persistence risk class requiring explicit monitoring, not merely as network infrastructure.

Defender actions: Audit sudo configurations on all vendor-deployed service accounts on network appliances, specifically for NOPASSWD rules that run file-writing or shell-capable binaries (tee, cp, dd, editors, interpreters) as root; a rule that looks narrow on paper is a full root primitive if the binary can write arbitrary paths. Restrict web management interface exposure for firewalls and NAS devices to dedicated management network segments. Review Conditional Access policies so that Microsoft 365 access requires a compliant or managed device rather than only a trusted source IP or location, since this actor sourced its sessions from inside the victim network through the BRICKSTORM SOCKS5 proxy. Review Volexity's published report for BRICKSTORM C2 infrastructure indicators and check appliance egress against them; appliances should rarely initiate outbound sessions to arbitrary hosts.
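The sudo audit is easy to describe and easy to get wrong by eye, because a single permitted binary such as tee is enough. The following is an added example (not Volexity's or Egnyte's tooling) of a small sudoers parser that reports rules granting a non-root user a root-level file-write or shell primitive. The sudoers excerpt is constructed to model the "tee as root" condition the report describes; the real rule on the appliance has not been published. The parser handles the common "user host=(runas) [NOPASSWD:] cmd, cmd" form only; it does not expand Cmnd_Alias or follow @include, so on a real system compare its output with sudo -l -U <account>, which is the authoritative view.

```python
"""Audit sudoers rules for service accounts that reach root via file-writing or shell-capable binaries.

Added example, not Volexity's or Egnyte's code. SAMPLE_SUDOERS is constructed
to model the reported misconfiguration; the appliance's real rule is not public.
Handles 'user host=(runas) [TAG:] cmd, cmd' lines only (no aliases or includes).
"""
import re

# Binaries that, run as root, let the caller write arbitrary files or spawn a shell.
# Follows the well-known GTFOBins-style reasoning; extend for your environment.
DANGEROUS = {
    "tee", "cp", "mv", "dd", "install", "rsync", "vi", "vim", "nano",
    "bash", "sh", "dash", "zsh", "python", "python3", "perl", "find", "env", "awk",
}

RULE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)

SAMPLE_SUDOERS = """\
# constructed excerpt modelled on the reported misconfiguration
Defaults env_reset
root    ALL=(ALL:ALL) ALL
egnyteservice ALL=(root) NOPASSWD: /usr/bin/tee
backup  ALL=(root) NOPASSWD: /usr/bin/systemctl restart backup-agent
deploy  ALL=(root) NOPASSWD: /usr/local/bin/deploy.sh *
ops     ALL=(ALL) ALL
"""


def parse_sudoers(text):
    """Yield one dict per user rule: user, runas (user part only), nopasswd, commands."""
    skip = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(skip):
            continue
        m = RULE.match(line)
        if not m:
            continue
        cmds = m.group("cmds").strip()
        tags = []
        while True:  # peel leading tags such as NOPASSWD: or SETENV:
            t = re.match(r"^([A-Z_]+):\s*", cmds)
            if not t:
                break
            tags.append(t.group(1))
            cmds = cmds[t.end():]
        runas = (m.group("runas") or "root").split(":")[0].strip() or "root"
        yield {
            "user": m.group("user"),
            "runas": runas,
            "nopasswd": "NOPASSWD" in tags,
            "commands": [c.strip() for c in cmds.split(",") if c.strip()],
        }


def audit(text, runas_roots=("root", "ALL")):
    """Return (user, command, reason) for rules handing a root-level write/shell primitive to a non-root user."""
    findings = []
    for rule in parse_sudoers(text):
        if rule["user"] == "root" or rule["runas"] not in runas_roots:
            continue
        for cmd in rule["commands"]:
            base = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL":
                reason = "unrestricted root command execution"
            elif base in DANGEROUS:
                reason = f"{base} as root allows arbitrary file write or shell"
            elif "*" in cmd:
                reason = "wildcard argument permits argument injection"
            else:
                continue
            if rule["nopasswd"]:
                reason += " (NOPASSWD)"
            findings.append((rule["user"], cmd, reason))
    return findings


if __name__ == "__main__":
    for user, cmd, reason in audit(SAMPLE_SUDOERS):
        print(f"{user}: {cmd} -> {reason}")
```

On the sample the egnyteservice rule is reported for tee, the deploy rule for its trailing wildcard, and ops for ALL; the backup rule, which is limited to one systemctl invocation, passes. The tee finding is exactly the shape of the appliance condition in the report: the account never needs a shell, it only needs to write a cron entry and a binary under a root-owned path.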

Primary source: Volexity, "VerdantBamboo: Just Another BRICKSTORM in the Firewall," volexity.com (2026-06-04) | Corroborated: BleepingComputer, The Hacker News

#apt #malware #dfir


Cisco Catalyst SD-WAN Manager Zero-Day: Root Command Execution, No Patch Available (CVE-2026-20245)

Unpatched | Command injection to root | Mandiant-reported | Active exploitation confirmed | Source basis: Cisco Security Advisory (vendor) + Mandiant discovery notice. Confidence: High on technical facts and exploitation confirmation; no public technical detail beyond Cisco's advisory available at time of publication.

Cisco disclosed CVE-2026-20245 on June 5 — the seventh Catalyst SD-WAN zero-day exploited in 2026. The flaw is a command injection vulnerability in the Catalyst SD-WAN Manager CLI caused by insufficient validation of user-supplied input. An attacker with netadmin privileges can upload a specially crafted file that triggers shell command execution as root. All deployment types are affected: on-premises, Cloud-Pro, Cisco-Managed Cloud, and FedRAMP environments. No patch is available and Cisco has not identified a workaround.

Exploitation requires netadmin-level access as a precondition. Cisco's advisory names two previously disclosed SD-WAN vulnerabilities — CVE-2026-20182 (CVSS 10.0, authentication bypass, disclosed by Rapid7 last month) and CVE-2026-20127 (authentication bypass, exploited in the wild by UAT-8616 as far back as 2023) — as established paths to acquire that access.

Mandiant reported the vulnerability to Cisco after observing exploitation in the wild. Cisco confirmed limited cases in which successful exploitation resulted in configuration changes being pushed to managed edge devices.

In environments where CVE-2026-20182 or CVE-2026-20127 remain unremediated, these three vulnerabilities form a documented chained attack path from unauthenticated network access to root-level code execution on SD-WAN Manager. Once root access is obtained, an attacker can alter routing behavior, modify security policy enforcement, and push configuration changes across all managed edge devices in the WAN fabric. In environments where prior SD-WAN authentication bypasses have been fully remediated, the netadmin precondition may not be easily satisfied from an unauthenticated starting position.

Defender actions: Restrict SD-WAN Manager admin interface access to trusted management networks. Collect admin-tech diagnostic logs before any remediation activity — post-exploit configuration changes to edge devices may not be obvious from SD-WAN Manager logs alone. When a patch ships, verify edge device configurations against known-good baselines and treat remediation as an incident response exercise. Engage Cisco TAC if logs indicate exploitation.

Primary source: Cisco Security Advisory, cisco.com (2026-06-05) | Discovery: Mandiant (Google Cloud) | Corroborated: SecurityWeek, BleepingComputer, Help Net Security

#vuln #apt #detection


Linux Kernel nf_tables Use-After-Free: Working Exploit Published, Container Escape Confirmed (CVE-2026-23111)

CVSS 7.8 | LPE + container escape | Full PoC published June 8 (Exodus Intelligence) | Source basis: Exodus Intelligence technical writeup + independent FuzzingLabs reproduction. Confidence: High.

Exodus Intelligence published a detailed working exploit on June 8 for CVE-2026-23111, a use-after-free in the Linux kernel nf_tables Netfilter subsystem. The root cause is a single inverted conditional check — a stray ! operator — in nft_map_catchall_activate(). During an nf_tables transaction abort, the inverted condition causes the kernel to incorrectly process catchall map elements, allowing access to a freed memory region and yielding a UAF primitive. The upstream patch (removing the single character) landed February 5, 2026.

Exodus Intelligence's exploit chains the UAF to local root privilege escalation and container escape. An independent reproduction by FuzzingLabs (published April 2026, developed targeting RHEL 10 ahead of Pwn2Own Berlin) used a different ROP approach: triggering nft_chain_validate on the freed chain to walk expression function pointers, then overwriting modprobe_path and zeroing the SELinux enforcing field to achieve root. Ubuntu rates the flaw CVSS 7.8 (high).

The attack requires user namespaces (CONFIG_USER_NS) and nftables (CONFIG_NF_TABLES), both enabled by default on most desktop and many server distributions; an unprivileged user namespace is what gives a low-privileged process the CAP_NET_ADMIN needed to issue nf_tables transactions at all. There is no remote vector: this is a local privilege escalation that requires an existing foothold, such as code execution inside a container, a compromised service account, or any unprivileged shell on the host.

The container escape capability materially elevates the practical significance of this flaw for multi-tenant cloud environments, where container isolation is a core boundary assumption. Defenders running multi-tenant infrastructure on unpatched kernel versions should treat this as a higher priority than the CVSS base score alone implies.

Defender actions: Update kernel packages and reboot (or apply live patches where your distribution supports them). If patching is delayed, disable unprivileged user namespaces as an interim mitigation: on Debian and Ubuntu kernels set kernel.unprivileged_userns_clone=0 (a distribution-specific sysctl that does not exist upstream); on other distributions set user.max_user_namespaces=0. Either blocks the primary exploit path, but both also break container runtimes, rootless tooling and some browser sandboxes that rely on user namespaces, so test before deploying fleet-wide. Monitor for anomalous nftables operations from unprivileged accounts, for example nft invocations or nf_tables netlink traffic originating from container or non-administrative processes.

Primary sources: Exodus Intelligence technical writeup (2026-06-08); FuzzingLabs independent reproduction (April 2026, Pwn2Own Berlin research); Security Affairs technical analysis. No in-the-wild exploitation confirmed at time of publication.

#vuln #detection


UNC3753 (Silent Ransom Group) Escalates U.S. Law Firm Campaign to In-Person Data Theft — Mandiant Report and FBI FLASH

Crimeware | Vishing + physical office intrusion | No malware required | Source basis: Mandiant IR report (direct engagement findings) + FBI Cyber FLASH. Confidence: High on TTPs and campaign scope; Medium on attribution of physical incidents to UNC3753 specifically (forensic evidence basis described as limited).

Mandiant published findings on June 7 documenting a campaign by UNC3753 (Silent Ransom Group / Luna Moth / Chatty Spider) targeting U.S. law firms and professional services organizations from January through May 2026, covering dozens of victims. The group initiates contact with invoice-themed phishing emails carrying no malicious links or attachments (the emails exist only to establish a pretext), then follows up with phone calls in which operators impersonate IT support staff and talk targets into starting screen-sharing sessions and installing remote-access tools (Quick Assist, Zoom, AnyDesk). Exfiltration typically completes within hours of initial access.

An FBI Cyber FLASH Alert (May 23, 2026) warned that members of the group have physically attended victim premises posing as IT technicians, inserting USB storage devices to exfiltrate data directly from endpoints.

Mandiant's report includes observations consistent with the FBI warning. The physical intrusion incidents are assessed by Mandiant and the FBI as likely linked to UNC3753 based on timing, victim selection, and TTP overlap. Forensic evidence for the in-person component is, by the nature of the activity, described as limited. BCG treats this as an assessed connection, not a confirmed attribution.

Mandiant assesses that law firms are disproportionately targeted because they hold concentrated repositories of client M&A plans, trade secrets, and corporate regulatory filings, and because reputational and legal exposure creates strong incentive to resolve extortion demands without public disclosure.

The group does not deploy file-encrypting ransomware. Operations are exclusively data theft and extortion, with threatened publication to the LEAKEDDATA data leak site. UNC3753 has TTP overlaps with UNC2686 (Bazarcall-era campaigns from 2021) and previously deployed LockBit.BLACK in 2022 before shifting to extortion-only operations following the Conti syndicate collapse.

Defender actions: Security awareness training should explicitly address IT-impersonation vishing, not only email phishing — most email-security tooling will not flag UNC3753's initial contact. Implement callback verification procedures for all unsolicited IT support contact. Restrict RMM tool installation to IT-authorized endpoints and accounts. Physical security: challenge unescorted visitors in server and endpoint areas; require badge verification for any claimed IT personnel. Require credential challenges for any remote support session initiated by external request.

Primary source: Mandiant / Google Cloud Blog, cloud.google.com (2026-06-07); FBI Cyber FLASH, ic3.gov (2026-05-23) | Corroborated: BleepingComputer, Dark Reading, SecurityWeek

#crimeware #dfir


Windows Netlogon Pre-Auth RCE Actively Exploited — Patch All Domain Controllers (CVE-2026-41089)

CVSS 9.8 | Active exploitation confirmed May 29 | PoC public | May 2026 Patch Tuesday | Source basis: Microsoft MSRC + Centre for Cybersecurity Belgium advisory. Confidence: High.

CVE-2026-41089 is a stack-based buffer overflow in the Windows Netlogon Remote Protocol (MS-NRPC) service, affecting all supported Windows Server versions (2012 through 2025) configured as domain controllers. Exploitation requires only network reachability to the Netlogon RPC interface, which a domain controller exposes both over the RPC endpoint mapper (TCP 135 plus a dynamic high port) and over the SMB named pipe \PIPE\NETLOGON (TCP 445); no authentication, credentials, user interaction, or local access is required. Successful exploitation yields SYSTEM-level code execution in the LSASS process context on the targeted domain controller. The vulnerability was discovered and reported by Microsoft's Windows Attack Research & Protection (WARP) team and patched in the May 12 Patch Tuesday release.

Microsoft's original exploitability assessment was rated "Less Likely." Belgium's Centre for Cybersecurity (CCB) publicly contradicted that assessment on May 29, confirming active in-the-wild exploitation 17 days after the patch shipped. Public PoC code is available. No specific threat actor has been attributed at time of publication.

LSASS-context code execution on a domain controller provides access to credential material and directory objects that in practice allows extension of control across the entire Active Directory forest. Defenders should treat unpatched domain controllers as a forest-wide exposure, not a single-host one.

Defender actions: Patch all domain controllers in a single maintenance window; patching a subset of DCs leaves exploitable attack paths available for a pre-auth vulnerability of this class, since an attacker needs only one reachable unpatched DC. Restrict Netlogon RPC traffic at the network layer: allow TCP 135, TCP 445 and the dynamic RPC range (49152 to 65535 by default) to DCs only from domain members, other DCs and management hosts, never from arbitrary network segments. Detection indicators: unexpected Netlogon service crashes or restarts, and LSASS terminations (which force a reboot of the DC); anomalous Netlogon RPC traffic from non-DC, non-member source addresses; irregular authentication event patterns in security logs following any such crash.

Primary source: Microsoft MSRC (CVE-2026-41089, 2026-05-12); Centre for Cybersecurity Belgium advisory (2026-05-29) | Corroborated: BleepingComputer, Help Net Security

#vuln #detection


SolarWinds Serv-U DoS Flaw Added to CISA KEV (CVE-2026-28318)

CVSS 7.5 | KEV added 2026-06-06 | DoS via unauthenticated POST | Source basis: CISA KEV catalog. Confidence: High on KEV addition; Limited otherwise, as no detailed technical analysis of the active exploitation campaign has been published at time of writing.

CISA added CVE-2026-28318 to the Known Exploited Vulnerabilities catalog on June 6, citing evidence of active exploitation. The flaw is an uncontrolled resource consumption vulnerability in SolarWinds Serv-U multi-protocol file server software: unauthenticated attackers can send specially crafted POST requests that crash the Serv-U service. Reporting indicates the vulnerability has been exploited in the wild for approximately two months prior to the KEV addition.

No detailed technical analysis of the exploitation campaign — including threat actor attribution, campaign scope, or target profile — has been published at time of writing. BCG will update if substantive technical reporting emerges.

Defender actions: Apply available Serv-U patches. If patching is delayed, restrict Serv-U's public internet exposure and review network access controls on management interfaces.

Primary source: CISA KEV, cisa.gov (2026-06-06) | Corroborated: The Hacker News, SecurityWeek

#vuln


Jonathan Brown | Border Cyber Group bordercybergroup.com | Support independent security reporting

If you find our work helpful... Buy us a coffee!: https://bordercybergroup.com/#/portal/support