Wednesday, June 10, 2026

Today in brief: Two CVEs hit the KEV simultaneously (Check Point VPN auth bypass, LiteLLM command injection). A critical Veeam RCE has a public PoC within hours of disclosure. A full working exploit is now public for a Linux kernel LPE patched four months ago. Patch these four before anything else today.

Veeam Backup & Replication — Critical RCE, PoC Already on GitHub

Bottom line: Patch Veeam B&R v12 to 12.3.2.4854 immediately on any domain-joined backup server accessible to ordinary domain users. Public PoC code is already circulating.

CVE-2026-44963 (CVSS 9.4) — The flaw requires an authenticated domain user account — not a privileged one — to execute arbitrary code on a Veeam Backup Server. Discovered and responsibly disclosed by Sina Kheirkhah (watchTowr). Affects all v12 builds up to 12.3.2.4465; fixed in 12.3.2.4854. Version 13.x is unaffected due to architectural changes introduced in that release. Critically, exploitation is scoped to domain-joined deployments — workgroup configurations are not vulnerable to this specific flaw — though domain-joined describes the majority of enterprise environments. A public PoC appeared on GitHub within hours of disclosure.

Backup servers are high-value targets for ransomware operators; compromise before encryption can severely degrade or eliminate an organization's primary recovery path.

Defender actions:

  • Patch immediately to 12.3.2.4854
  • If immediate patching is blocked, audit domain user access to the backup server and restrict to the minimum required set
  • Evaluate whether the backup server is unnecessarily domain-joined; Veeam's own best practice guidance recommends assessing workgroup vs. domain configurations
  • Verify v13 builds are also on current patch levels

Sources: Veeam advisory KB4696; watchTowr (Sina Kheirkhah); BleepingComputer

#vuln #crimeware #dfir

Check Point VPN Zero-Day — Qilin Ransomware Affiliate, Active Since May 7

Bottom line: If your Check Point gateway uses IKEv1 for remote access, apply the vendor hotfix now. A Qilin affiliate has been inside networks via this flaw for over a month.

CVE-2026-50751 (CVSS 9.3, KEV Jun 8) — A logic flaw in IKEv1 certificate validation allows unauthenticated remote attackers to bypass password authentication entirely and establish a VPN session against Check Point Remote Access and Mobile Access products. Exploitation dates to May 7 — roughly a month before vendor disclosure on June 8. Check Point confirmed at least one post-compromise incident tied to a Qilin ransomware affiliate, with attacker infrastructure across Kaupo Cloud HK, Shock Hosting, and Vultr VPS providers. Rapid7 independently confirmed in-the-wild exploitation. A companion flaw, CVE-2026-50752 (CVSS 7.4), enables MitM against site-to-site VPN tunnels in certain configurations; no observed exploitation of that one yet.

Affected scope: Security Gateways on R82.10 through R80.40 (EOS), and Spark firewalls on R80.20.X–R82.00.X — but only when IKEv1 is active.

Exploitation requires all four conditions simultaneously:

  • Remote Access VPN or Mobile Access is enabled
  • IKEv1 is active for remote access
  • Gateway accepts legacy remote access clients
  • Machine certificate authentication is not mandatory

Watch for:

  • Attacker infrastructure in some incidents was geolocated to match the target's geography (e.g., Taiwan-targeting activity used Taiwan-geolocated VPS nodes)
  • Post-exploit attempts to retrieve ELF payloads from actor-controlled servers
  • IOCs (IPs added June 9): 45.63.104[.]106, 45.61.136[.]173 — full list in the Check Point advisory

Defender actions:

  • Apply vendor hotfix immediately; do not wait for a maintenance window
  • If patching is blocked: remove legacy remote access client support; force IKEv2 only in global Remote Access VPN Authentication properties; mandate machine certificate authentication
  • Review forensic logs from May 7 forward (earliest confirmed exploitation date)

Sources: Check Point advisory (blog.checkpoint.com, Jun 8); Rapid7 ETR; BleepingComputer; Help Net Security

#vuln #crimeware #apt

LiteLLM Command Injection — AI Infrastructure Hits the KEV

Bottom line: LiteLLM ≤1.83.6 has an actively exploited command injection that can be escalated to fully unauthenticated RCE when Starlette ≤1.0.0 is in the dependency tree. Patch both components.

CVE-2026-42271 (CVSS 8.7, KEV Jun 8) — Two MCP server preview/test endpoints (POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list) accepted raw server configuration including command, args, and env fields used by the stdio transport without validating or sandboxing input. Before the fix, these endpoints did not require admin role — any authenticated user, including low-privilege internal-user key holders, could reach them.

The auth-bypass escalation: Horizon3.ai demonstrated that CVE-2026-48710, a Host header validation bypass in Starlette ≤1.0.0 (the "BadHost" flaw), can be chained with CVE-2026-42271 to eliminate the authentication requirement entirely — yielding unauthenticated RCE against LiteLLM deployments whose dependency tree includes a vulnerable Starlette version. CVE-2026-48710 does not independently make all older Starlette deployments vulnerable in this chain; the exploit requires LiteLLM to be present and unpatched. The fix in LiteLLM 1.83.7 restricts the test endpoints to the PROXY_ADMIN role.

This is the second major LiteLLM CVE exploited in short succession: CVE-2026-42208 (SQL injection, CVSS 9.3) was weaponized within 36 hours of public disclosure last month. LiteLLM commonly sits as a proxy between applications and multiple LLM backends, meaning a compromise can expose API keys, secrets, internal AI workflows, and downstream systems accessible from the proxy host.

Watch for: Automated scanning for exposed LiteLLM deployments is confirmed. Any LiteLLM instance reachable from the internet should be treated as actively targeted.

Defender actions:

  • Patch to LiteLLM 1.83.7 or later
  • Update Starlette to >1.0.0
  • LiteLLM proxies should not be internet-facing; place behind an authenticated API gateway
  • Audit credentials and API keys that were accessible to the process environment

Sources: CISA KEV (Jun 8); BerriAI advisory; Horizon3.ai; The Hacker News

#vuln #crimeware

Linux Kernel nf_tables — One-Character Bug, Full Working Exploit Public

Bottom line: A four-month-old upstream patch for a Linux LPE + container escape now has a detailed public exploit. Check your distribution's kernel package status — upstream patch does not mean your distro shipped it.

CVE-2026-23111 (CVSS 7.8) — A use-after-free in the Linux kernel's nf_tables packet filtering framework, caused by a single inverted condition (!) in the abort phase of nf_tables transactions. An unprivileged local user can exploit it to escalate to root and break out of containers. The upstream fix removed one character from the source code on February 5, 2026.

Exodus Intelligence researcher Oliver Sieber published a full technical walkthrough and working exploit on June 8, demonstrating greater than 99% reliability on idle systems on Debian Bookworm/Trixie and Ubuntu 22.04/24.04 LTS (dropping to approximately 80% under heavy load, per Exodus's own stability testing — still considered operationally usable). This is not the first public exploit: FuzzingLabs independently reproduced it in April targeting RHEL 10, using a different ROP approach via nft_chain_validate. The technique is now documented across Debian, Ubuntu, and Red Hat.

The reachable setup — nf_tables plus unprivileged user namespaces — is commonly present on modern Linux distributions, though actual exposure depends on distribution defaults and namespace configuration settings. This arrives in the middle of a dense run of Linux LPE disclosures: Copy Fail, Dirty Frag, Fragnesia, DirtyDecrypt, and a nine-year-old ptrace flaw have all surfaced in recent weeks.

Analysis: The four-month gap between upstream patch availability and the publication of a detailed working exploit left a substantial exposure window for organizations that had not yet deployed updated kernels. With the exploit now fully documented, that window is closed for defenders who patch — and fully open for attackers against those who haven't.

Defender actions:

  • Patch and reboot; verify the distribution-specific kernel package (not just upstream) has been updated
  • If patching is delayed, consider restricting unprivileged user namespaces via kernel.unprivileged_userns_clone=0 — note this breaks some applications and should be tested before deployment
  • Container environments are at elevated risk: a compromised container process can now reach host root on unpatched kernels

Sources: Exodus Intelligence (full technical walkthrough, Jun 8); FuzzingLabs (April reproduction); The Hacker News; Security Affairs

#vuln #dfir

Russian APTs Converge on WinRAR CVE-2025-8088 Against Ukraine

Bottom line: Two independent Russia-aligned APT clusters are still building fresh exploit samples against a WinRAR flaw patched nearly a year ago. If WinRAR is in your environment and not on 7.13+, it is an active initial-access risk.

Trend Micro published detailed technical analysis of two Russia-aligned intrusion sets independently exploiting CVE-2025-8088, a path traversal flaw in WinRAR patched in v7.13 in July 2025, against Ukrainian government, military, and law enforcement targets through at least April 2026.

SHADOW-EARTH-066 (CERT-UA: UAC-0226) shifted from Excel macro droppers to this exploit chain by February 2026 and is deploying an evolved GIFTEDCROOK variant: crafted RAR archives use NTFS Alternate Data Streams to place a LNK payload into the Windows Startup folder, which spawns a PowerShell loader that uses in-memory DLL execution to launch result.dll. GIFTEDCROOK harvests browser passwords, session cookies, and files matching 35 extensions (including KeePass and OpenVPN configs), bypasses Chrome App-Bound Encryption, and self-deletes after HTTPS exfil with RC4-encrypted payloads. Build timestamps across four DLL versions (Feb 3, Feb 17, Mar 16, Apr 9) share a single builder identifier (desktop-hagd25b), confirming a common build environment. Earth Dahu (Gamaredon/UAC-0010) uses the same initial access vector but delivers HTA/VBS payloads for espionage and wiper capability.

Analysis: The observed convergence of two separately tracked intrusion sets on a single unpatched vulnerability is consistent with either intelligence sharing between groups or parallel, independent target prioritization. The current reporting does not establish which mechanism is responsible.

Watch for:

  • Exfiltration has shifted away from Telegram (throttled by Russia) toward dedicated C2 servers using Cloudflare Workers and dynamic DNS with short TTLs
  • In-memory DLL loading substantially reduces file-based detection signal
  • LNK files placed into Startup folder paths via archive extraction are a behavioral detection opportunity

Defender actions:

  • Update WinRAR to 7.13+ enterprise-wide — this is the primary control
  • Behavioral detection: cmd.exe spawned from WinRAR, PowerShell in-memory DLL loading, LNK creation in Startup folder paths via archiver processes
  • Full IOCs in the Trend Micro report

Sources: Trend Micro research (Hiroyuki Kakara, Feike Hacquebord, Jun 2026 — primary); CERT-UA UAC-0226 attribution

#apt #crimeware #dfir

Miasma Worm — Self-Replicating Campaign Hits 73 Microsoft GitHub Repos

Bottom line: If any developer on your team opened an Azure, Azure-Samples, Microsoft, or MicrosoftDocs repository between June 3–5 in Claude Code, Gemini CLI, Cursor, or VS Code, treat their credentials as potentially compromised and rotate now.

On June 5, GitHub disabled 73 repositories across four Microsoft GitHub organizations in a 105-second automated sweep after the Miasma self-replicating worm planted malicious commits. Miasma is a variant of the Mini Shai-Hulud worm framework that TeamPCP publicly released in mid-May 2026. The June 5 incident is the third escalation in a campaign running since June 1: that date saw 32 @redhat-cloud-services npm packages compromised; June 3 saw 57 npm packages hit via a "Phantom Gyp" technique abusing binding.gyp files to trigger execution during npm install.

The GitHub vector was a compromised contributor personal access token with broad scope. Malicious commits introduced repository-level configuration files that trigger credential harvesting when a developer opens the repository in an affected AI coding tool or IDE — execution occurs on open, via configuration files interpreted by those tools, not on compile or test run. The attack re-compromised the durabletask PyPI package previously hit in May, with StepSecurity assessing the same contributor credentials were never fully invalidated. The self-replicating component used legitimate token signatures, making standard branch protections blind to the malicious commits.

Watch for:

  • binding.gyp-triggered execution in npm install processes — conventional monitoring may not flag this
  • Repository-level configuration files in AI coding tool workspace directories (.cursor/, .vscode/, Claude Code workspace configs)
  • Commits from legitimate-looking contributor accounts that introduce only configuration files and no functional code changes

Defender actions:

  • Audit developer credentials with access to affected organizations during June 3–5; treat as potentially compromised
  • Rotate all GitHub PATs, cloud platform credentials (AWS, Azure, GCP), and developer tool session tokens for affected developers
  • Review and harden AI coding tool workspace settings to restrict automatic execution of repository-level configuration files
  • Add monitoring for binding.gyp-triggered execution in npm install processes

Sources: StepSecurity forensic analysis (Jun 5 — primary); The Hacker News; Dark Reading; JFrog

#vuln #dfir #crimeware

UNC3753 (Silent Ransom Group) — Vishing + Physical Intrusion Against US Law Firms

Bottom line: Google Mandiant documented a campaign that goes from first phone call to data exfiltration within a single business day, with no malware and no CVEs. Physical office intrusion is confirmed as an escalation tactic. Legal and financial firms are the primary target.

Google Mandiant / GTIG published a detailed report on a January–May 2026 campaign by UNC3753 — also tracked as Luna Moth, Chatty Spider, and Silent Ransom Group — against dozens of US legal, professional, and financial services firms. The operation uses no malware in the traditional sense and exploits no vulnerabilities.

Attack chain: An invoice-themed email from an actor-controlled consumer account primes the target (no malicious links or attachments). A follow-up voice-phishing (vishing) call — impersonating IT support — convinces the target to launch a screen-sharing session and install a legitimate RMM tool (AnyDesk, Bomgar, Zoho Assist, or SuperOps). Installation links arrive via Privnote (self-destructing message; leaves no URL artifact in logs). From screen share access, actors search document management systems including iManage for tax records, SSNs, and legal agreements, stage files in the Downloads folder, and exfiltrate. In multiple Mandiant-investigated incidents, the full sequence from initial contact to data theft was completed within a business day; staging and exfil in under an hour in some cases. Extortion demand arrives within 30 minutes of exit, with a three-day deadline and threat of publication on the LEAKEDDATA site.

GTIG assessed that potentially related actors physically entered corporate offices posing as IT technicians to copy data to USB drives, consistent with an FBI Cyber FLASH Alert. CrowdStrike assesses UNC3753 is likely Russia-based; the group partially overlaps with UNC2686 (Bazarcall-style campaigns dating to 2021).

Watch for:

  • Phishing domains: [organization]-itdesk.com / [organization]-helpdesk.com pattern
  • Data staging infrastructure: ep6pheij[.]com
  • Leak site: business-data-leaks[.]com (~100 victims listed as of June 2026)
  • DNS fast-flux with short TTLs on attacker infrastructure

Defender actions:

  • User awareness training specifically on the IT-support vishing pretext and screen-sharing social engineering sequence
  • Out-of-band identity verification for all external technical personnel and facilities visitors; mandatory physical escort required
  • Restrict RMM tools to a managed allowlist; alert on any new RMM software installation
  • Conditional access policies requiring corporate-owned devices for VDI and VPN access
  • Disable USB storage on BYOD endpoints
  • Alert on mass downloads from document management systems (iManage, SharePoint, etc.)

Sources: Google Cloud Blog / GTIG (primary, Jun 2026); Google Mandiant; The Hacker News; Dark Reading

#crimeware #dfir #apt

PCPJack — Exposed C2 Reveals 230-Node Cloud SMTP Relay Infrastructure

Bottom line: Hunt.io's discovery of an open C2 directory confirms PCPJack's operational scale. If Docker, Kubernetes, Redis, or MongoDB are internet-exposed in your environment, they are under active attack from multiple frameworks simultaneously.

SentinelLABS published the initial PCPJack analysis in May 2026, identifying a modular credential theft framework that propagates worm-like through exposed cloud infrastructure — specifically evicting TeamPCP artifacts from compromised hosts before installing its own toolset. The June update: Hunt.io researchers found the operator left two unauthenticated open directories on a live C2 server (213.136.80[.]73), exposing source code, compiled binaries, deployment state logs, exploitation tooling, and a live Sliver C2 configuration. The deployment state file confirms 230 successful uploads and executions in a single March 2026 run.

PCPJack propagates by exploiting five CVEs against specific vulnerable services and web applications — CVE-2025-55182, CVE-2025-29927, CVE-2026-1357, CVE-2025-9501, and CVE-2025-48703 — rather than against Docker or Kubernetes themselves. Targeted services include Docker, Kubernetes, Redis, MongoDB, RayML, and various web applications running on cloud-hosted Linux infrastructure. Unlike most cloud malware, PCPJack deploys no cryptominer; harvested credentials, spam relay infrastructure, and fraud or credential resale appear to be the monetization model. A metric baked into the framework — "PCP replaced" — tracks how often it displaces a competing intrusion from the host. SentinelOne analysts assess PCPJack is likely operated by a former TeamPCP member with insider knowledge of the group's tooling.

Analysis: The exposed C2 confirms an operational footprint substantially larger than May telemetry alone suggested. A 230-node SMTP relay built in a single March deployment run represents functional spam and abuse infrastructure at scale.

Watch for: A PCPJack infection on a host believed clean may indicate a prior TeamPCP compromise that PCPJack removed before internal detection occurred — the infection chain rewrites its own forensic history.

Defender actions:

  • Remove Docker, Kubernetes, Redis, and MongoDB from public internet exposure; require authentication and firewall enforcement if exposure is necessary
  • Patch the five CVEs exploited by PCPJack against the specific services in your environment
  • Rotate API keys and cloud credentials on any host with confirmed or suspected exposure
  • Review for TeamPCP indicators on hosts where PCPJack is found — the prior compromise may predate PCPJack's arrival

Sources: SentinelLABS (Alex Delamotte, primary — May 7, 2026); Hunt.io (C2 exposure analysis, Jun 2026)

#crimeware #dfir

AI Worm Research — Toronto Team Demonstrates LLM-Driven Adaptive Propagation

Bottom line: A University of Toronto team demonstrated lab-environment propagation across 73.8% of a 33-machine simulated enterprise network using a free, publicly available open-weight LLM. The attack surface is ordinary known vulnerabilities and misconfigurations — not zero-days.

Researchers from the University of Toronto (CleverHans Lab, Prof. Nicolas Papernot), Vector Institute, and the University of Cambridge published a preprint on June 2, 2026, demonstrating a proof-of-concept worm that uses a locally hosted open-weight LLM to analyze targets, generate per-target attack strategies at runtime, and self-replicate without human intervention and without using any commercial AI service.

Tested across 33 machines spanning Linux distributions (Ubuntu 16.04–24.04, Debian, Alpine, Rocky Linux, CentOS), Windows Server (2008 R2–2022), and IoT devices, the worm identified an average of 31.3 vulnerabilities, gained elevated access on 23.1 hosts, and propagated to 20.4 hosts across 15 test runs — 73.8% network compromise rate. On three hosts carrying vulnerabilities disclosed after the model's training cutoff (CopyFail, DirtyFrag, CVE-2026-39987), it achieved elevated access in 61.2% of attempts by ingesting live public advisory data at runtime. Compromised GPU nodes serve as inference hosts; the marginal per-infection compute cost to the attacker is effectively zero once initial nodes are established. The researchers withheld the model name, agent architecture, and full toolset from the public paper, coordinated disclosure with Canadian defense and security authorities, and have made the prototype available to vetted security researchers on request.

Analysis: The defensively significant result is not the worm's sophistication but its requirements: known vulnerabilities, default credentials, and configuration drift were sufficient for near-three-quarter network penetration in a simulated enterprise environment. That is an ordinary patch and hardening problem, not an advanced AI capability problem.

Separately, Google GTIG assessed with high confidence in May 2026 that the first zero-day exploit developed with AI assistance appeared in a criminal group's toolset ahead of a planned mass exploitation event. That assessment is GTIG's own, cited here as attributed intelligence — not independently verified by BCG.

Watch for: Compromised GPU hosts on flat network segments can function as reasoning infrastructure for every other infected node on the subnet — isolating ML workloads from production segments limits this propagation vector.

Sources: ArXiv preprint (CleverHans Lab / University of Toronto, Jun 2, 2026 — primary); The Register; Help Net Security; TechTarget; Google GTIG (May 2026, attributed)

#vuln #apt #dfir

CISA + Seven Agencies Warn of Active Exploitation Targeting Automatic Tank Gauge Systems

Bottom line: Internet-exposed ATG systems across US energy, chemical, food/agriculture, and transportation infrastructure are being actively compromised. No attribution yet. Take them off the internet today.

A joint advisory from CISA, FBI, NSA, DOE, EPA, TSA, DOT, and USDA — eight agencies co-signing is unusual and signals elevated concern — documents active exploitation of internet-exposed automatic tank gauge (ATG) systems. ATGs handle automated monitoring of storage tank parameters: fuel levels, temperature, leak detection, and pump controls. The advisory does not attribute the activity to a nation-state or specific threat actor group.

Observed TTPs include authentication bypass via hardcoded credentials, OS command execution, SQL injection, and privilege escalation to full administrator access over the device OS. Successful compromise gives an attacker functional equivalence to physical console access: they can alter network settings, product identifiers, tank volumes, and pump controls; disable safety alerts; create denial-of-view conditions for fill levels; and compound operational malfunctions that risk environmental damage or physical hazards including leaks and relay failures.

Default exposed ports: TCP 8001, 9001, and 10001. Per Shodan research published by Bitsight in 2023, these interfaces have historically had significant internet exposure across all four affected sectors.

Watch for:

  • Unauthorized connections to ATG serial port interfaces
  • Alarm threshold modifications or tank label changes not initiated by operations staff
  • Disabled or suppressed system alerts
  • Anomalous network connections to ATG management interfaces

Defender actions:

  • Remove ATG interfaces from public internet exposure immediately — this is the primary control
  • If remote access is operationally required, gate it behind a firewall, ACL, or VPN
  • Change all default passwords; implement strong unique credentials on all interfaces including the serial port
  • Apply available manufacturer patches through certified ATG service providers
  • Enable logging on ATG device interfaces; audit for unauthorized connections and system modifications
  • Report suspected incidents to CISA (report@cisa.gov / 888-282-0870)

Source: CISA joint advisory (CISA, FBI, NSA, DOE, EPA, TSA, DOT, USDA — June 2, 2026 — primary)

#ics #ot #criticalinfrastructure #crimeware #detection #patch #network #dfir

Jonathan Brown | Border Cyber Group bordercybergroup.com | Support independent security reporting

If you find our work helpful... Buy us a coffee!: https://bordercybergroup.com/#/portal/support

Analysis and defender guidance in this digest are informational only. BORDER CYBER GROUP has no visibility into reader environments, patch states, or operational constraints. Nothing published here constitutes professional cybersecurity, legal, or compliance advice. All remediation and response decisions should be evaluated by qualified personnel against your organization's specific context. BCG assumes no responsibility for actions taken or not taken in reliance on this content.