Friday, June 26, 2026 By Jonathan Brown

Four stories crossed the wire this week that deserved more than a two-sentence mention. One is a vulnerability we already flagged Tuesday that just crossed the line from "watch this" to "patch now." One is a Russian intelligence service quietly getting better at its job. One is a single ransom note that's become the year's clearest data point on what SaaS extortion actually costs a sector. And one is the uncomfortable arithmetic of trying to police an industry that local police are sometimes paid to protect. Here's the deeper version of each.

───────────────────────────────────────────────────

Cisco's CUCM Flaw Went From PoC to CISA Emergency Directive in 72 Hours — Here's the Exploit Chain

Status update: We flagged CVE-2026-20230 on June 24 with a "watch for" pointing at three triggers — a KEV addition, a Cisco advisory update, or a confirmed victim. Two of those three have now happened, and the timeline is worth walking through because it's a clean case study in how fast the gap between disclosure and exploitation has compressed.

Cisco patched the bug — an unauthenticated SSRF in Unified CM and Unified CM SME that escalates to root via arbitrary file write — on June 3, and explicitly told customers to treat it as critical despite an 8.6 CVSS score that would normally read as "high." The reason: it's pre-authentication, and CUCM sits at the center of voice, video, and messaging infrastructure for an installed base Cisco puts at roughly 30 million users. Exploitation requires the WebDialer service to be enabled — off by default, but commonly turned on wherever an org wants browser-initiated calling.

What's new since Tuesday: SSD Secure Disclosure, credited with the original report, published a full technical write-up and working exploit code this week. Exploit-intelligence firm Defused says weaponization followed within 24 hours of that publication, and the resulting attack chain — abusing the WebDialer SSRF to stand up a rogue Apache Axis SOAP service, using that to write a first-stage JSP file-writer, then dropping a second-stage command-execution shell protected by a password lifted directly from the published PoC — closely mirrors SSD's own disclosure. CISA added the flaw to its KEV catalog on June 25 with a remediation deadline of June 28. Neither Cisco nor Defused has attributed the activity to a named actor, and no confirmed victim organization has been disclosed as of this writing — so "confirmed exploitation, unconfirmed attribution and impact" is the precise state of play, not "confirmed breach."

The mechanism-level point: this is now the second Unified CM vulnerability exploited in 2026, following CVE-2026-20045 in January. A pattern of two exploited CUCM bugs in six months is a small sample, but it's consistent with communications infrastructure becoming a more frequent pivot target rather than an endpoint afterthought — worth tracking as a third data point if one emerges, not yet enough to call a trend.

Watch for: Whether Cisco updates its advisory to formally acknowledge active exploitation, and whether any named IR firm discloses the first confirmed compromised organization before the June 28 KEV deadline passes.

Sources: SecurityWeek, June 23, 2026; BleepingComputer, June 23–24, 2026; CSO Online, June 24, 2026; SecurityAffairs, June 24, 2026; Dark Reading, June 25, 2026; CybersecurityNews, June 26, 2026 (CISA KEV addition and remediation deadline).

───────────────────────────────────────────────────

ESET's 2025 Gamaredon Retrospective Shows an FSB Unit That Stopped Buying Off-the-Shelf and Started Building

ESET Research published its annual Gamaredon retrospective this week, and the headline finding isn't any single new tool — it's the shape of the year. The group, attributed by Ukraine's Security Service to the 18th Center for Information Security within Russia's FSB, spent the first half of 2025 building and the second half deploying: six new PowerShell tools developed between January and early summer, then a marked jump in spearphishing tempo and scale in the back half of the year, with ESET counting 35 distinct campaigns against Ukrainian government and military targets across the full year.

The standout new tool is PteroPaste, which bundles a downloader, a USB-propagation weaponizer, and a persistence/orchestration component — meaningfully more capable than the five other new tools, which ESET characterizes as simple downloaders. Its infrastructure-hiding evolution is arguably the more consequential development for defenders: Gamaredon began routing C2 traffic behind Cloudflare tunnels and serverless workers, then layered "dead drop" tradecraft on top — hiding tunnel domains inside legitimate platforms (Telegram, Telegra.ph, Dropbox, GoFile, Mastodon) so the malware reads a staged value off a public page before ever contacting the real C2 server. Two of its file-stealers were separately upgraded to exfiltrate to S3-compatible cloud storage, rotating destinations from Wasabi to Tebi to Intercolo over the year — moving both inbound instructions and outbound stolen data behind infrastructure that looks, to a defender, like ordinary traffic to a trusted platform.

ESET's report also reiterates Gamaredon's documented collaboration with fellow FSB-linked group Turla — first disclosed by ESET in September 2025, not new this week, but worth restating as context: Gamaredon's loaders (PteroOdd, PteroPaste) have been used to deploy and restart Turla's Kazuar backdoor on at least seven machines in Ukraine since February 2025, with ESET assessing high confidence that Gamaredon is providing initial access to a more selective Turla. Separately, French firm Sekoia has been running its own independent technical thread on Gamaredon's January 2026 infection chain (tracked as the "FSB's matryoshka" series), documenting a VBScript worm — GammaWorm — that abuses NTFS Alternate Data Streams to hide its modules from standard directory listings. That's a distinct research effort from ESET's annual review, covering a different window, and should be read as corroborating evidence that the group's tradecraft kept evolving into 2026 rather than as part of the same report.

ColorTokens federal CTO Louis Eichenbaum, commenting to Dark Reading on the dead-drop pattern, made the operationally relevant point plainly: "Defenders can no longer assume that traffic to a trusted platform is inherently safe." That's the actionable takeaway here, more than any single IOC — Gamaredon's strategic bet for 2025 was that organizations would rather not block Cloudflare, Telegram, or Dropbox outright, and the bet largely paid off.
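As an added illustration (not code from ESET, Sekoia or any tool mentioned above): a small correlation check over constructed proxy log lines that looks for the on-the-wire shape of the dead-drop pattern, a host touching one of the named public platforms and then, within a few minutes, making its first-ever connection to a destination the organization has not seen before. The hostnames used for the platforms, the allow-list, the time window and the log format are all assumptions.

```python
"""Sequence correlation for the dead-drop pattern: platform fetch, then a
first-seen destination shortly afterwards. Log lines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Platforms named in the ESET retrospective; hostnames are an assumption.
DEAD_DROP_PLATFORMS = {"t.me", "telegram.org", "telegra.ph",
                       "dropbox.com", "gofile.io", "mastodon.social"}
WINDOW = timedelta(minutes=10)          # assumed correlation window
# Assumed allow-list of destinations the organization already knows.
KNOWN_GOOD = {"update.microsoft.com", "intranet.example-corp.internal"}

# Constructed proxy log: "<ISO timestamp> <source host> <destination>".
SAMPLE_LOG = """\
2026-06-25T09:00:01 ws-017 update.microsoft.com
2026-06-25T09:01:10 ws-017 telegra.ph
2026-06-25T09:01:14 ws-017 quiet-otter-1234.trycloudflare.com
2026-06-25T09:05:00 ws-022 dropbox.com
2026-06-25T09:30:00 ws-022 intranet.example-corp.internal
2026-06-25T10:00:00 ws-031 telegra.ph
2026-06-25T11:00:00 ws-031 quiet-otter-1234.trycloudflare.com
"""

def base_domain(host):
    """Reduce a hostname to its last two labels (good enough for the demo)."""
    return ".".join(host.lower().split(".")[-2:])

def find_dead_drop_sequences(log_text, window=WINDOW):
    """Return (host, destination, seconds_after_platform_fetch) tuples for
    every first-seen, non-allow-listed destination contacted within
    `window` of that host fetching a dead-drop-capable platform."""
    last_platform_hit = {}           # host -> time of most recent platform fetch
    seen_dest = defaultdict(set)     # host -> destinations already observed
    alerts = []
    for line in log_text.splitlines():
        ts_text, src, dest = line.split()
        ts = datetime.fromisoformat(ts_text)
        if base_domain(dest) in DEAD_DROP_PLATFORMS:
            last_platform_hit[src] = ts
        elif dest not in KNOWN_GOOD and dest not in seen_dest[src]:
            prev = last_platform_hit.get(src)
            if prev is not None and ts - prev <= window:
                alerts.append((src, dest, int((ts - prev).total_seconds())))
        seen_dest[src].add(dest)
    return alerts
```

Only ws-017 trips the check: ws-022's follow-on destination is allow-listed, and ws-031's tunnel connection comes an hour after its platform fetch, outside the window, which is exactly the kind of tuning decision this heuristic forces a defender to make.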

Watch for: Whether ESET or Sekoia documents Gamaredon adopting AI-assisted code generation for its PowerShell tooling — a pattern already confirmed elsewhere this year in financially motivated groups like TA4922 — and whether the Turla/Kazuar handoff cadence increases now that the collaboration is over nine months old.

Sources: ESET Research / WeLiveSecurity, June 25, 2026; Dark Reading, June 25, 2026; GovInfoSecurity, June 25, 2026; TechNadu, June 25, 2026; Sekoia.io ("FSB's matryoshka" series, parts 1–2), January–June 2026; ESET Research, September 19, 2025 (Gamaredon-Turla collaboration, cited as established context).

───────────────────────────────────────────────────

The Instructure/Canvas Breach Is Becoming EdTech's Reference Case for SaaS Extortion Economics

Dark Reading's Reporters' Notebook video this week — a three-way conversation between Dark Reading's Arielle Waldman, TechTarget SearchSecurity's Sharon Shea, and Cybersecurity Dive's Eric Geller — uses the late-April/early-May Instructure Canvas breach as the organizing example for a broader argument: edtech's concentration risk (a handful of platforms serving thousands of institutions) combined with chronically under-resourced school IT teams makes the sector structurally attractive to extortion actors, regardless of how sophisticated any single attack actually is. That's an analytical framing from named reporters speaking to industry sources, not a new technical disclosure — worth stating plainly since the underlying incident itself is now well-documented elsewhere.

On the incident itself: ShinyHunters gained unauthorized access to Canvas's production environment around April 29–30, exploiting a gap tied to the platform's Free-for-Teacher (FFT) accounts, which allowed account creation without institutional verification — a lower-trust onboarding path sitting inside the same multi-tenant infrastructure as verified institutional accounts. Instructure has confirmed exfiltrated data included names, email addresses, student ID numbers, and platform messages, and says it found no evidence passwords, birth dates, or financial data were taken. The incident escalated on May 7 when ShinyHunters defaced Canvas login pages directly, forcing Instructure to take the platform offline mid-finals-week at many institutions; Instructure permanently discontinued the FFT program as a result.

This is where sourcing discipline matters: ShinyHunters' own claims — 275 million users, 3.65 TB of data, nearly 9,000 schools — are widely repeated but unverified by Instructure, and figures vary meaningfully across secondary reporting (TechCrunch reported 231 million unique email addresses on May 5, a different and lower figure than the threat actor's later claim). Treat the scale figures as threat-actor-asserted and independently uncorroborated, not as confirmed scope. Instructure reached an agreement with the actor on May 11 and represented that the data was destroyed with "shred log" confirmation; the reported $10 million ransom figure circulating in coverage is explicitly flagged by those same outlets as an unconfirmed rumor, not a disclosed term. Separately, this was Instructure's second confirmed compromise by ShinyHunters within roughly eight months — a September 2025 incident involved social engineering against the company's Salesforce environment and did not touch Canvas product data, per Instructure's own statement.

The Reporters' Notebook panel grounds this in two prior incidents for context: the 2023 Progress Software MOVEit campaign, which hit schools as part of its broad ransomware-adjacent sweep, and the PowerSchool breach, in which attackers exfiltrated student names, addresses, birth dates, academic records, and medical information, with PowerSchool confirmed to have paid a ransom for deletion. The throughline the panelists draw, and one the public record now supports independent of their framing, is that edtech vendors are increasingly the point of compromise rather than the schools themselves — which shifts the meaningful security question from "is this district's network secure" to "what's actually in our contract with this vendor."

Watch for: The House Homeland Security Committee's closed-door briefing with Instructure (requested for no later than May 21; outcome undisclosed as of this writing), and whether any forthcoming forensic disclosure narrows the user-count discrepancy between TechCrunch's and ShinyHunters' figures.

Sources: Dark Reading (Reporters' Notebook, Waldman/Shea/Geller), June 25, 2026; Instructure Incident Update page, May 2026; Education Week, May 11, 2026; TechCrunch, May 5, 2026 (231 million figure, via secondary citation); Reed Smith client alert, May 14, 2026; Rescana technical analysis, May 11, 2026.

───────────────────────────────────────────────────

Two New Reports Make the Strongest Case Yet That Local Corruption, Not Capability, Is the Bottleneck on Asian Scam Center Enforcement

Interpol's latest regional review and a new Amnesty International field investigation, both released this month, converge — and here the convergence is directly supported by both organizations' own sourcing, not Border Cyber Group's inference — on a specific claim: the bottleneck on dismantling Southeast Asia's scam compound economy is not international will or law-enforcement capability, but local corruption that blunts enforcement at the point of contact.

Interpol's review found that cybercrime now accounts for at least 30% of all nationally recorded incidents in more than half of its member countries across Asia and the South Pacific, and estimates that scam operations concentrated in Cambodia, Myanmar, Laos, and the Philippines — many staffed by trafficking victims — generate roughly $40 billion annually through romance fraud and investment scams. Pressure has produced real, named enforcement actions: China extradited Prince Holding Group founder Chen Zhi in January, with a second high-ranking member following this month; the US has sanctioned networks in Cambodia, the Philippines, and Myanmar and worked with international partners to seize more than $14 billion in cryptocurrency tied to Chen Zhi's assets.

Amnesty International's report is the sharper instrument here. Its investigators visited 75 of 86 confirmed scam compounds in Cambodia and interviewed 73 survivors directly — none of whom, per Amnesty, were treated by Cambodian authorities as trafficking victims; instead they were processed as irregular migrants, in some cases unable to leave the country without paying fines. Amnesty explicitly disputes the Cambodian government's claim of having shuttered 250 scam centers and charged more than 1,000 people, characterizing the stated "crackdown" — their quotation marks — as failing on both the enforcement and victim-protection fronts. That assessment is consistent with independent reporting from late 2025 and earlier this year on Myanmar's KK Park raid, where satellite imagery analysis by C4ADS found construction or expansion at 14 of 21 surveyed compounds in Myawaddy Township after the supposed crackdown, and where survivor interviews described displaced workers relocating to other compounds within days rather than being freed from the industry.

A rough scorecard of where enforcement claims and independent verification currently stand:

Jurisdiction | Government's enforcement claim | Independent corroboration
--- | --- | ---
Cambodia | 250 scam centers shuttered; 1,000+ charged | Amnesty: survivors processed as migrants, not trafficking victims; raids assessed as failing to dismantle major compounds
Myanmar | "Zero tolerance" policy; KK Park raided, Starlink terminals seized | C4ADS satellite analysis: 14 of 21 surveyed Myawaddy compounds expanded post-raid; AP found continued Starlink use at multiple sites
China | Extradited Chen Zhi (Jan. 2026) and a second Prince Group figure (June 2026) | Confirmed by named extradition proceedings; scope limited to one syndicate's leadership
United States | Sanctions on Cambodia/Philippines/Myanmar networks; $14B crypto seizure | Confirmed via Treasury/OFAC actions; addresses asset flows, not on-the-ground compound operations

This is an analytical inference from the public record, not a confirmed finding: the pattern across both reports suggests that high-profile leadership-level enforcement (extraditions, sanctions, asset seizures) and ground-level compound enforcement are operating on almost entirely separate tracks, with the former generating headlines and the latter consistently undermined by the same local actors nominally tasked with carrying it out. Interpol's own framing — that the cybercriminal ecosystem "remains resilient and continues to expand to other jurisdictions globally" despite the high-profile wins — is consistent with that read, though Interpol officials made that statement to Dark Reading rather than in the published report itself, so it's worth flagging as attributed commentary alongside, not inside, the formal review.

Watch for: Whether Amnesty's findings prompt any formal response or counter-data from Cambodian authorities, and whether the scam-center economy's reported expansion into new jurisdictions outside Southeast Asia — previously noted in passing by Interpol — gets a dedicated follow-up report from either organization.

Sources: Interpol regional cybercrime review (cited via Dark Reading), June 2026; Amnesty International Cambodia investigation, June 2026; Dark Reading, June 25, 2026; Fortune, November 2025 (Prince Group sanctions background); PBS/FRONTLINE, December 2025 (C4ADS satellite analysis, KK Park); Al Jazeera, June 23, 2026 (ongoing Myanmar detention figures).
Strategic Takeaway

Three of this week's stories point toward the same structural shift. Attackers continue moving away from endpoint compromise toward exploiting trusted infrastructure—whether enterprise communications systems, mainstream cloud services, or multi-tenant SaaS platforms. Defenders increasingly face adversaries who hide inside technologies organizations cannot realistically block outright, placing greater emphasis on behavioral detection, vendor risk management, and rapid response over traditional perimeter controls.

───────────────────────────────────────────────────

Jonathan Brown | Border Cyber Group bordercybergroup.com ~ Support independent cybersecurity research and investigative journalism.