EXECUTIVE SUMMARY
This article is to inform our partners and clients on the various happenings within the cybersecurity space. That includes items such as relevant breaches, emerging vulnerabilities, research, threat actor movement, and what you need to do as an organization to mitigate a future threat.
KEY TAKEAWAYS
SUMMARY
A local privilege escalation vulnerability named 'CIFSwitch' (CVE-2026-46243) in the Linux kernel allows attackers to forge CIFS authentication key descriptions. By abusing the kernel's key request mechanism and lack of validation for the origin of cifs.spnego key requests, an attacker can escalate privileges to root.
Category
Critical Vulnerabilities
Industry
Multiple
Sources
https://www.openwall.com/lists/oss-security/2026/06/01/6
https://heyitsas.im/posts/cifswitch
ANALYST COMMENTS
A local privilege escalation vulnerability named 'CIFSwitch' (CVE-2026-46243) in the Linux kernel allows attackers to forge CIFS authentication key descriptions and gain root privileges. This flaw affects Linux distributions with vulnerable kernel CIFS and cifs-utils versions 6.14 or later. The kernel fails to verify the origin of cifs.spnego key requests, enabling unprivileged users to create forged requests and trigger the authentication workflow, leading to root code execution. The vulnerability can be exploited under specific conditions, including vulnerable kernel and cifs-utils versions, user namespaces availability, and permissive SELinux/AppArmor policies.
# Stock Exploitable Systems
Linux Mint 21.3/22.3 Cinnamon Exploitable with AppArmor active
CentOS Stream 9 GNOME Exploitable with SELinux enforcing
Rocky Linux 9 Workstation Exploitable with SELinux enforcing
Kali Linux 2021.4/2022.4/2023.4/2024.4/2025.4/2026.1 headless Exploitable with AppArmor active
AlmaLinux 9.7 Workstation/Azure cloud image Exploitable with SELinux enforcing SLES 15 SP7/SAP 15 SP7 Exploitable with AppArmor active
SLES SAP 16 Exploitable with SELinux permissive
# Requiring cifs-utils installed
Ubuntu 18.04/20.04/22.04 Desktop/Server Exploitable with AppArmor active
Pop!_OS 22.04 Intel/24.04 Generic Exploitable with AppArmor active
Ubuntu 24.04 Desktop minimal/full and Server Direct unshare is blocked by AppArmor userns policy; exploitable through aa-exec -p trinity ‘trick’
Debian 11/12/13 netinst standard and GNOME/KDE/standard/XFCE Exploitable with AppArmor active
CentOS Stream 9 Cinnamon/KDE/MATE/XFCE Exploitable with SELinux enforcing
Rocky Linux 9 KDE/Workstation-Lite Exploitable with SELinux enforcing
openSUSE Leap 15.6 GNOME/KDE Exploitable with AppArmor active
Rocky Linux 8 GenericCloud Exploitable with SELinux enforcing
Oracle Linux 8/9 KVM Exploitable with SELinux enforcing
Amazon Linux 2023 KVM Exploitable with SELinux permissiveGCC was required on our lab systems to execute the PoC. However, the PoC could likely be adapted to a more weaponized format with a single malicious binary if necessary. Most systems tested within our lab environment required cifs-utils to be installed before the vulnerability could be successfully exploited.Given that cifs-utils is common amongst enterprise connected systems, this is likely a credible threat inline with a similar vulnerability such as Copy.Fail. To our knowledge, this vulnerability has not yet been exploited in the wild.
ACTIONABLE GUIDANCE
Kernel patches are available and should be applied to affected versions of deployed Linux distributions. Alternatively, mitigations include blocking the CIFS module from loading, removing the cifs-utils package where it is not needed, and disabling unprivileged user namespaces until the kernel patch can be applied. Removing cifs-utils is most appropriate for systems that do not require integration with Windows file shares.
SUMMARY
Palo Alto Networks has warned that hackers are exploiting a critical authentication bypass flaw (CVE-2026-0257) in PAN-OS GlobalProtect. The flaw allows unauthorized VPN connections and has been actively targeted since May 17, 2026.
Category
Known Exploited Vulnerabilities
Industry
Multiple
Sources
https://nvd.nist.gov/vuln/detail/CVE-2026-0257
https://security.paloaltonetworks.com/CVE-2026-0257
https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/
https://unit42.paloaltonetworks.com/active-exploitation-of-pan-os-cve-2026-0257/
ANALYST COMMENTS
Palo Alto Networks has identified an authentication bypass flaw in PAN-OS GlobalProtect, tracked as CVE-2026-0257. The flaw allows attackers to establish unauthorized VPN connections if devices are configured with authentication override cookies enabled and a specific certificate configuration. Attackers exploit this vulnerability by forging authentication override cookies. Affected devices may accept these cookies due to improper validation, where the configured private key is used without signature verification. CISA has added the flaw to its Known Exploited Vulnerability catalog, mandating federal agencies to remediate the issue by June 1, 2026.
The vulnerability affects the /ssl-vpn/login.esp endpoint and can be exploited through a crafted POST request with a forged cookie within the userauthcookie parameter. Once PoC code is publicly released, exploitation is unlikely to remain limited to specific threat actors. Based on currently known IPs and hosts, there is not enough evidence to attribute this activity to a known threat actor at this time.
ACTIONABLE GUIDANCE
The patch released by the vendor is the best strategy for remediating this vulnerability. Workarounds are available for organizations that cannot apply patches immediately. These include the following:
Monitor the source origins of connecting hosts to identify unusual or unauthorized access attempts. Suspicious connections should be flagged, blocked, and reported to incident responders for further investigation and analysis.
The following versions are affected by this vulnerability:
PAN-OS 12.1
Affected: <12.1.4-h6, <12.1.7
Unaffected: >=12.1.4-h6, >=12.1.7
PAN-OS 11.2
Affected: <11.2.4-h17, <11.2.7-h14, <11.2.10-h7, <11.2.12
Unaffected: >=11.2.4-h17, >=11.2.7-h14, >=11.2.10-h7, >=11.2.12
PAN-OS 11.1
Affected: <11.1.4-h33, <11.1.6-h32, <11.1.7-h6, <11.1.10-h25, <11.1.13-h5, <11.1.15
Unaffected: >=11.1.4-h33, >=11.1.6-h32, >=11.1.7-h6, >=11.1.10-h25, >=11.1.13-h5, >=11.1.15
PAN-OS 10.2
Affected: <10.2.7-h34, <10.2.10-h36, <10.2.13-h21, <10.2.16-h7, <10.2.18-h6
Unaffected: >=10.2.7-h34, >=10.2.10-h36, >=10.2.13-h21, >=10.2.16-h7, >=10.2.18-h6
Prisma Access 11.2.0
Affected: <11.2.7-h13
Unaffected: >=11.2.7-h13
Prisma Access 10.2.0
Affected: <10.2.10-h36
Unaffected: >=10.2.10-h36 SUMMARY
A Chinese-speaking cybercrime group tracked as TA4922 has expanded its operations to Europe. The group is deploying new malware, including Atlas RAT, and continues to run frequent, financially motivated phishing campaigns.
Category
Threat Actor Activities
Industry
Finance, Business Services
Sources
https://www.proofpoint.com/us/blog/threat-insight/ta4922-suspected-chinese-crime-group-going-global
Internal OSec Research
ANALYST COMMENTS
TA4922, a financially motivated cybercrime group with Chinese origins, has expanded its operations into Europe, deploying new malware and the Atlas RAT backdoor. The group previously targeted East Asian organizations but has since shifted focus to entities in Germany, Italy, the UK, and South Africa. Its campaigns use localized phishing lures and communication through popular messaging apps. TA4922’s malware arsenal includes the Atlas RAT, RomulusLoader, SilentRunLoader, and Winos4.0 (ValleyRAT), each offering various capabilities from reconnaissance to surveillance, indicating potential for both financial crime and espionage.
The group has seen some overlap with the Silverfox APT, especially with using shared malware such as ValleyRAT, Winos malware, RomulusLoader, and AtlasRat. The motivations appear to differ, as current research indicates the victimology is more consistent with financially motivated activity than espionage.
ACTIONABLE GUIDANCE
Guarding against this threat actor requires several key strategies. First, block TCP ports 1234 and 886 within your environment. This prevents the malware from communicating with its command servers.
The primary infection vector involves phishing emails. These messages often use tax, HR, or invoice-related lures. Users should be cautious with external emails that direct them to download files from another location or include ZIP attachments containing executable files. These messages should be reported to security staff immediately.
Analysis of the malware samples shows PowerShell usage. Therefore, restrict PowerShell access for non-IT staff via Group Policy, as this may disrupt malware execution.
Finally, monitor registry changes made by non-IT users. Alerts should trigger on any modifications that could indicate persistence mechanisms. These mechanisms often attempt to run during startup or are triggered by specific user actions. Examples include changes to the Run and RunOnce registry for running executables at startup, files dropped into the Windows startup folder, or trojanized applications that might sideload a malicious DLL file.
SUMMARY
Cisco has released critical security updates for a severe vulnerability in its Unified Communications Manager (CUCM). The issue affects systems with the WebDialer service enabled and could allow attackers to gain root privileges through low-complexity server-side request forgery attacks.
Category
Critical Vulnerabilities
Industry
Multiple
Sources
https://developer.cisco.com/docs/webdialer/webdialer-developer-guide/
Internal OSec Research
ANALYST COMMENTS
Cisco has released security updates to address a critical vulnerability (CVE-2026-20230) in its Unified Communications Manager that could allow attackers to gain root privileges through server-side request forgery (SSRF) attacks. The vulnerability requires the WebDialer to be enabled which is disabled by default on Cisco Unified CM devices. Therefore, organizations using CUCM with WebDialer configured are the most at-risk of exploitation. Currently we are not aware of any in-the-wild exploitation of this vulnerability against affected devices.
ACTIONABLE GUIDANCE
Applying the vendor issued patch is the best remediation strategy for this issue. Organizations that cannot patch immediately should disable the WebDialer service through the CUCM Administration interface, which should also remediate the exposure.
As exploitation has not been observed as of this writing, monitoring for this vulnerability is not a critical priority. However, if exploitation occurs, activity will likely target the /webdialer endpoint and may involve the destination parameter or one of the makeCallSOAP endpoints with input pointing to a malicious file or network location.
SUMMARY
A security researcher publicly disclosed a working exploit for a VS Code flaw, bypassing Microsoft's official reporting process. The disclosure appears to stem from prior frustration with Microsoft’s vulnerability handling process and reflects broader concerns from some researchers about disclosure coordination and vendor response.
Category
Known Exploited Vulnerabilities
Industry
Technology, Multiple
Sources
https://blog.ammaraskar.com/github-token-stealing/
https://therecord.media/researcher-publishes-github-token-stealing-exploit-microsoft
Internal OSec Research
ANALYST COMMENTS
A security researcher named Ammar Askar publicly disclosed a working exploit for a flaw in Microsoft's VS Code that allows attackers to steal GitHub access tokens. The disclosure occurred outside of Microsoft’s standard reporting process and appears to be tied to the researcher’s prior concerns with Microsoft’s vulnerability handling practices.
This disclosure also comes amid broader concern around VS Code related supply chain risks, including the recent compromise of GitHub internal repositories by the TeamPCP cybercrime group through a poisoned VS Code extension.
Askar made the disclosure following Microsoft's silent fix of a previously reported issue without crediting him or acknowledging its security impact. This has been a recently growing trend amongst security researchers who have been frustrated by Microsoft’s process or their refusal to not credit researchers, despite fixing the vulnerabilities. We have observed discussions on social media platforms and in the comment sections of Nightmare Eclipse’s blog. Nightmare Eclipse is another researcher who recently drew attention for publishing PoCs related to BlueHammer and YellowKey. Several researchers have expressed frustration with Microsoft’s disclosure process, with some stating that they may fully disclose PoCs in the future or stop reporting findings through official channels. If this sentiment continues, it could reduce researcher participation in coordinated disclosure and increase the likelihood that PoC code is publicly released, misused by threat actors, or sold through markets that serve malicious groups.
Based on the available evidence, exploitation in the wild appears unlikely at this time, including in the period following public disclosure on June 2.
ACTIONABLE GUIDANCE
A fix has been applied to github[.]dev that prevents abuse of the root cause of forwarding untrusted key press events via JavaScript in the webview. Exploitation in the wild is unlikely given the short window between disclosure and remediation. Organizations should still review repositories and accounts for potential exploitation between June 2nd and June 3rd, however this can be set as a lower priority in relation to more critical security events.
SUMMARY
Researchers identified a sophisticated cyber attack using Microsoft Teams vishing to deploy Nimbus RAT, a Java-based malware that leverages Google Drive for C2 communications. The activity highlights the need for multi-layered security controls and user awareness to mitigate such threats.
Category
Threat Actor Activities
Industry
Business Services, Legal
Sources
https://cloud.google.com/blog/topics/threat-intelligence/unc6692-social-engineering-custom-malware
ANALYST COMMENTS
In early April 2026, researchers identified a sophisticated cyberattack targeting a legal industry customer. The threat actors exploited Microsoft Teams for voice phishing to deploy Nimbus RAT, a Java-based malware using Google Drive for command-and-control. The attack began with an inbox flooding technique to overwhelm the victim's email, followed by a vishing call that tricked the user into granting remote access via Quick Assist. This allowed the actors to download and execute the RAT within minutes. The malware uses Google Drive for C2 operations, making network traffic appear benign, and it uses randomized package names as an obfuscation technique. Additionally, the threat actors utilized compromised legitimate Microsoft 365 tenants and Pastebin to deliver instructions. By layering multiple trusted platforms into the attack chain, they were able to reduce detection opportunities and make the activity appear less suspicious.
Researchers also state that the threat actor uses hands-on keyboard activity to establish persistence. Coupled with the domain and infrastructure setup typically days before execution of an attack, this indicates a targeted and deliberate operation. The actor likely focuses on one or a small number of targets at a time, indicating that the activity is not operating at the same scale as other broader threat campaigns.
Several other groups have used similar tactics, including email bombing and Quick Assist exploitation. Most of the initial social engineering aspects of this campaign appear to follow the BlackBasta playbook, which has since been adopted by several threat actors, including other ransomware groups. In April of this year, UNC6692 has also used similar QuickAssist and email bombing tactics, however with a differing malware family deployed.
ACTIONABLE GUIDANCE
Users should be trained to contact IT support directly, rather than accept phone calls from someone claiming to be support staff, especially after unusual workstation activity. If a user receives a call from someone claiming to be from IT, they should hang up and call the official IT support line.
Mass email activity is a common symptom of this attack and related social engineering campaigns. It should be treated as a strong indicator of active targeting.
Microsoft Teams should block external messaging from unrecognized tenants. Quick Assist and other remote management tools should be restricted, or limited to pre-approved helpdesk accounts when there is a valid business need.
Organizations should consider blocking pastebin[.]com, unknown *.onmicrosoft.com tenants, and suspicious top level domains such as .top, especially when domains reference security, IT support, cloud services, scanning activity, or use intentional misspellings.
If compromise is suspected, files dropped to the filesystem may include %TEMP%\java_app.lock, which is a potential indicator of this malware family.
The full Intelligence Desk brief includes exhaustive IOC lists, YARA detection rules, detailed remediation playbooks, and OSec's original threat research. Delivered weekly to our partners and clients. REQUEST ACCESS