🛡️ InfoSec Blue Team Briefing

📰 Articles Covered

• Russian Hacker Pleads Guilty in Oil and Gas Facility Attacks - **Bloomberg L.P.** controls the content posted at the provided URL . Bloomberg L.P. is a privately held financial, software, data, and media company co-founded by **Michael Bloomberg** . Michael Bloomberg is the majority owner of Bloomberg L.P. . Bloomberg News is a division of Bloomberg L.P. . 🔍 Show Kagi Synopsis
  I am sorry, but I was unable to access the content of the article at the provided URL. The website returned a CAPTCHA page, indicating that automated access is blocked. Therefore, I cannot provide a precis of the cybersecurity article.
• South-East Asian Military Entities Targeted via cPanel (CVE-2026-41940) - Ctrl-Alt-Intel 🔍 Show Kagi Synopsis
  A cybersecurity incident involving the exploitation of a critical vulnerability in **cPanel & WHM (CVE-2026-41940)** has led to the targeting of various entities, primarily in South-East Asia. The vulnerability allows for an **authentication bypass**, granting attackers unauthorized root access.
  
  **What Happened:**
  Following the public disclosure of CVE-2026-41940, an unknown threat actor quickly weaponized proof-of-concept code. This actor targeted government and military entities in South-East Asia, along with Managed Service Providers (MSPs) and hosting providers. In addition to this opportunistic activity, the actor engaged in a sophisticated, persistent operation that included custom exploit chains and the exfiltration of sensitive data from Chinese railway-sector organizations.
  
  **Who is Affected:**
  * **South-East Asian Government and Military Entities:** Notable targets include the Philippine Coast Guard, Philippine Air Force (15th Strike Wing), Philippine Government Arsenal, and the Lao Ministry of National Defence and Ministry of Natural Resources and Environment.
  * **Infrastructure and Service Providers:** Various MSPs and hosting providers across the Philippines, Laos, Canada, South Africa, and the United States have been affected.
  * **Chinese Railway Sector:** Organizations such as the China Railway Society Electrification Committee and related entities were targeted.
  
  **Security Implications:**
  The threat actor demonstrated a high level of capability, achieving initial access and establishing persistent network access. This allowed for lateral movement within internal networks and the theft of approximately **4.37GB of sensitive data**. This data included technical documentation, meeting materials, and personal information of railway scientific and technical workers, such as PRC national IDs and bank details.
  
  **Technical Details:**
  * **CVE-2026-41940:** This critical vulnerability in cPanel & WHM allows attackers to forge session states and gain unauthorized root access 【1】.
  * **Custom Exploit Chain:** The actor developed a novel exploit chain that combined authenticated SQL injection with Remote Code Execution (RCE). This chain was used against an Indonesian defense-sector training portal by abusing PostgreSQL's `COPY ... TO PROGRAM` feature 【1】.
  * **Persistence and Pivoting:** The actor established robust persistence and pivoting mechanisms using OpenVPN and Ligolo. They maintained access through masqueraded systemd services, such as `systemd-update.service` running a helper process 【1】.
  * **Data Exfiltration:** Sensitive data was exfiltrated using custom scripts, like `exfil_docs_v2.sh`, over SFTP and lftp 【1】.
  
  **What Defenders Should Know:**
  * **Indicators of Compromise (IOCs):** Defenders should monitor for the attacker IP address `95.111.250[.]175` and the domain `delicate-dew.serveftp[.]com` 【1】.
  * **Persistence Mechanisms:** It is crucial to inspect systems for hidden directories, such as `/usr/local/bin/.netmon`, and for suspicious systemd units that may be masquerading as legitimate system updates 【1】.
  * **Tooling:** Be aware of the attacker's use of Ligolo-ng for pivoting and PowerShell reverse shells, often initiated by scripts like `init.ps1` 【1】.
  * **Attribution:** While Vietnamese comments were found in some scripts, these could be a deliberate attempt to mislead attribution efforts 【1】.
• Two Americans Who Attacked Multiple U.S. Victims Using ALPHV BlackCat Ransomware Sentenced to Prison - United States Department of Justice 🔍 Show Kagi Synopsis
  Two American cybersecurity professionals, **Ryan Goldberg** and **Kevin Martin**, have been sentenced to four years in prison for their involvement in a conspiracy to extort victims using the **ALPHV BlackCat ransomware** 【1】. The ransomware attacks occurred between April and December 2023, targeting multiple victims across the United States 【1】.
  
  **What Happened:**
  Goldberg, Martin, and a third co-conspirator, Angelo Martino, deployed the ALPHV BlackCat ransomware against numerous victims 【1】. The ALPHV BlackCat group operated on a ransomware-as-a-service model, where developers created and maintained the ransomware and its infrastructure, while affiliates like Goldberg and Martin identified and attacked high-value targets 【1】. After a ransom was paid, the developers and affiliates would share the proceeds 【1】. In addition to deploying the ransomware, Martino also acted as a negotiator and shared confidential victim information with threat actors to inflate ransom demands 【1】.
  
  **Who is Affected:**
  The ALPHV BlackCat ransomware campaign impacted over 1,000 victims globally 【1】. Specifically, the group targeted critical firms providing **medical and engineering services** 【1】. In one instance, they leaked patient data from a doctor's office 【1】.
  
  **Security Implications:**
  This case highlights the significant threat posed by ransomware-as-a-service models, which lower the barrier to entry for cybercriminals. The targeting of critical infrastructure sectors like healthcare and engineering demonstrates the potential for widespread disruption and harm. The exfiltration and potential leak of sensitive data, such as patient information, underscore the severe privacy and security risks associated with these attacks.
  
  **Technical Details:**
  The ALPHV BlackCat ransomware was used in these attacks. The group utilized a ransomware-as-a-service model, indicating a division of labor between ransomware developers and those who carry out the attacks 【1】. Further technical details regarding the specific vulnerabilities exploited or the ransomware's operational mechanisms are not detailed in the provided article.
  
  **What Defenders Should Know:**
  Organizations should be aware of the ransomware-as-a-service model and its implications for the evolving threat landscape. It is crucial for private sector organizations to report suspicious activities and threats to the FBI's National Threat Operations Center 【1】. Victims of ransomware are advised to contact their local FBI field office or file a report at ic3.gov 【1】. Proactive cybersecurity measures, including robust network defenses, regular data backups, and employee training, are essential to mitigate the risk of ransomware attacks.
• April 27th - What happened with our feature flag configuration | The ClickUp Blog - ClickUp 🔍 Show Kagi Synopsis
  On **April 27, 2026**, a security researcher publicly disclosed a vulnerability in **ClickUp's** client-side feature flag configuration that exposed personally identifiable information (PII) 【1】.
  
  ### What Happened
  
  The vulnerability stemmed from the way ClickUp engineers embedded customer email addresses directly into feature flag targeting rules. These rules are used to control which users see specific features during rollouts 【1】. ClickUp uses Split.io for feature flag management, which requires a client-side SDK key embedded in the application's JavaScript bundle. This key is intentionally public and allows the SDK to evaluate flags in the user's browser 【1】. The Split.io SDK's `splitChanges` endpoint, which is publicly queryable, returned these flag definitions, including the embedded email addresses 【1】.
  
  In one instance, an on-call engineer also improperly referenced a customer's API token in a rate-limiting flag configuration, making it potentially readable through the same SDK endpoint 【1】.
  
  ### Who is Affected
  
  The exposure was limited to **893 customer email addresses** that were used in feature flag targeting rules 【1】. Customers whose email addresses were exposed have been directly contacted by ClickUp 【1】. ClickUp stated that **no workspace content, passwords, billing data, or account credentials were exposed**, and no authentication systems were compromised 【1】.
  
  ### Security Implications
  
  The primary security implication was the **unauthorized exposure of customer email addresses** 【1】. While no sensitive account information or workspace data was compromised, the exposed email addresses could potentially be used for phishing attacks or other malicious activities. The exposure of an API token, though immediately disabled, also presented a risk of unauthorized access or misuse 【1】.
  
  ### Technical Details
  
  ClickUp utilizes **Split.io** (now part of Harness) for its feature flag management. The vulnerability arose because engineers embedded email addresses directly into flag targeting rules, treating these configurations as internal tooling rather than public data 【1】. The Split.io SDK's client-side SDK key, which is intentionally public and embedded in the JavaScript bundle, allowed for the extraction of these email addresses via the `splitChanges` endpoint 【1】. The API token was exposed due to an engineer's improper use in a rate-limiting flag configuration 【1】.
  
  The incident was exacerbated by process failures, including a lack of follow-through on a previous bug bounty report, incorrect duplicate closure of a subsequent report by HackerOne, and security-related communications from the researcher being caught by spam filters 【1】.
  
  ### What Defenders Should Know
  
  Defenders should be aware of the risks associated with embedding Personally Identifiable Information (PII) or credentials within client-side configurations, even those intended for feature flagging 【1】. Key takeaways include:
  
  * **Treat all client-side data as potentially public:** SDKs embedded in front-end code can expose data to anyone with the client-side key 【1】.
  * **Strict access controls and review processes:** Implement robust peer review processes for all configuration changes, especially those involving sensitive data 【1】.
  * **Automated scanning for sensitive data:** Employ automated tools to scan configurations for PII and credentials before deployment, with blocking enforcement 【1】.
  * **Secure communication channels:** Ensure that security-related communications, including bug bounty reports and escalations, are not missed due to spam filters or other notification issues 【1】.
  * **Regular audits:** Conduct thorough audits of all feature flags and configurations to identify and remove any inadvertently exposed sensitive data 【1】.
  * **Separation of concerns:** Consider technical measures to separate front-end and back-end flags to mitigate risks 【1】.
  
  ClickUp has implemented immediate, short-term, and long-term remediation measures, including invalidating the exposed token, removing email addresses from flags, issuing directives against PII in flags, updating email filtering, reviewing bug bounty processes, and implementing automated scanning 【1】.
• VECT: Ransomware by design, Wiper by accident - Check Point Research - Check Point Research 🔍 Show Kagi Synopsis
  **VECT 2.0**, a Ransomware-as-a-Service (RaaS) program, has been identified as a **data wiper** due to a critical design flaw, despite its ransomware facade 【1】.
  
  **What Happened:**
  The malware, VECT 2.0, contains a fundamental cryptographic error. When attempting to encrypt files larger than 128 KB in four chunks, it only saves the final nonce. The first three nonces are lost, rendering the initial 75% of any large file permanently unrecoverable, even if a ransom is paid 【1】.
  
  **Who is Affected:**
  VECT 2.0 targets **Windows, Linux, and VMware ESXi systems**. Due to the low 128 KB threshold for the encryption flaw, it impacts a wide range of critical enterprise data, including databases, virtual machine disks, backups, and standard office documents 【1】.
  
  **Security Implications:**
  - **Data Destruction:** VECT 2.0 effectively acts as a data wiper for most significant files 【1】.
  - **Misleading Capabilities:** The ransomware exhibits broken features, such as ignored encryption speed modes, self-cancelling string obfuscation, and unreachable anti-analysis code, indicating it is not as sophisticated as it appears 【1】.
  - **Incorrect Identification:** Public reports misidentified the encryption cipher as ChaCha20-Poly1305; however, it actually uses raw, unauthenticated ChaCha20-IETF 【1】.
  
  **Technical Details:**
  - **Encryption Algorithm:** The malware utilizes raw ChaCha20-IETF (RFC 8439) 【1】.
  - **Core Flaw:** A shared buffer for nonces is overwritten during the encryption of large files, resulting in only the final nonce being saved to disk 【1】.
  - **Distribution:** The threat actors employ an open-affiliate model through BreachForums and have collaborated with "TeamPCP" for supply-chain attacks 【1】.
  
  **What Defenders Should Know:**
  - **Detection:** **Check Point Threat Emulation and Harmony Endpoint** offer protection against VECT 【1】.
  - **Malware Behavior:** VECT performs extensive service disruption, including terminating databases, hypervisors, and security tools. It also wipes logs and shell history and attempts lateral movement using methods like SSH, WMI, and DCOM 【1】.
  - **Recovery:** **Do not rely on the attackers' decryption tools** for large files, as it is mathematically impossible for them to provide a functional decryption solution due to the inherent flaw 【1】.
• Qilin Ransomware Enumerates RDP Authentication History on a Compromised Server | Cryptika Cybersecurity - Cryptika 🔍 Show Kagi Synopsis
  **Qilin ransomware** has evolved its tactics to include enumerating Remote Desktop Protocol (RDP) authentication history on compromised servers, allowing for faster and quieter network mapping to identify new targets 【1】.
  
  **What Happened:**
  The Qilin ransomware group is employing a new technique where they use a PowerShell command to extract Event ID 1149 from the Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational log 【1】. This log contains information about RDP authentication events. By querying this specific log, attackers can gain a clear understanding of which accounts have used RDP on a host, which client systems have connected, and which accounts appear to have privileged access, making them prime targets 【1】. This script is typically delivered via a compromised ScreenConnect installation during the initial intrusion 【1】.
  
  **Who is Affected:**
  Qilin ransomware has been active since 2022 and has significantly increased its attacks. By 2023, it claimed 45 attacks against critical sectors including **healthcare, manufacturing, finance, and government agencies**. By 2025, it had surpassed 700 confirmed attacks in a single year 【1】. Notable victims include **NHS hospitals in London** and **county government systems in the United States**, indicating that no sector is immune 【1】.
  
  **Security Implications:**
  This method is effective because Event ID 1149 resides in the RemoteConnectionManager Operational log, which is often not forwarded to Security Information and Event Management (SIEM) systems or is treated as low priority by many organizations 【1】. This oversight creates a window for attackers to gather crucial intelligence undetected before initiating encryption 【1】. The ability to quickly map out network connections and identify privileged accounts allows Qilin to move laterally and escalate privileges efficiently.
  
  **Technical Details:**
  The core of this technique involves a PowerShell command targeting **Event ID 1149** within the `Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational` log 【1】. This event logs RDP connection attempts, providing details about the user account, the connecting client, and the success or failure of the authentication 【1】. The attackers leverage this data to identify valuable targets for further exploitation. The initial access vector often involves a rogue **ScreenConnect** installation 【1】.
  
  **What Defenders Should Know:**
  Security teams should implement **PowerShell ScriptBlock Logging** across their entire environment, as there is no legitimate reason for non-administrative processes to perform RDP enumeration queries 【1】. Additionally, organizations should monitor for **unauthorized installations of remote access tools** such as ScreenConnect, AnyDesk, Atera, or Total Software Deployment on compromised hosts 【1】. Combining these detection methods with monitoring for **Windows Defender tampering events** can provide a robust defense against Qilin intrusions, offering signals that can be observed in the hours before encryption begins 【1】.
• Seven Queries to Audit the Sentinel Detections Your SOC May Have Missed. - Rohitashokgowd 🔍 Show Kagi Synopsis
  The cybersecurity article "Seven Queries to Audit the Sentinel Detections Your SOC May Have Missed" by Rohitashokgowd discusses the problem of **"detection rot"** in Microsoft Sentinel workspaces. This occurs when detection rules are enabled and appear to be functioning correctly ("healthy"), but are actually **ineffective at detecting threats**.
  
  ### What Happened
  The core issue is the accumulation of **"ghost" rules** within Sentinel workspaces. These are rules that are active but fail to provide actual security value due to various reasons such as broken data feeds, misconfigurations, or a lack of relevance to current threats. These ineffective rules consume resources and create a **false sense of security** because they show as "green" or "healthy" in monitoring dashboards, despite not generating any useful alerts.
  
  ### Who is Affected
  This problem primarily affects **Security Operations Center (SOC) teams** and **detection engineers** who depend on Microsoft Sentinel for identifying and responding to security threats.
  
  ### Security Implications
  - **False Sense of Security:** The appearance of "healthy" rules that do not generate alerts can mask critical gaps in an organization's threat detection capabilities.
  - **Operational Inefficiency:** SOC analysts may waste time investigating noisy, benign rules, while broken rules create blind spots, leaving the organization vulnerable.
  - **Technical Debt:** The accumulation of unused or malfunctioning rules complicates the management and auditing of the security environment.
  
  ### Technical Details
  The article proposes using **seven Kusto Query Language (KQL) queries** to identify these issues. A key technical detail involves creating a **"rule inventory"** by pulling rule definitions from ARM resources into a custom Log Analytics table (`SentinelAnalyticalRules_CL`) using a Logic App. The seven categories of detection rule issues identified are:
  1. **Silent Zombies:** Rules that run without errors but never produce results.
  2. **Shadow Detectors:** Rules that generate alerts but fail to create incidents, often due to suppression or misconfiguration.
  3. **"Everything is Benign" Rules:** Rules that are frequently closed as false positives by analysts.
  4. **Broken Feeds:** Rules that query data tables that have stopped receiving new data.
  5. **Forgotten-Disabled:** Rules that were intentionally disabled for past incidents or migrations and never re-enabled.
  6. **Untracked Detections:** Rules that lack essential metadata, such as MITRE ATT&CK tactics/techniques or entity mappings.
  7. **Coverage Drift:** MITRE techniques that previously generated alerts but have seen a significant decrease in alert volume.
  
  ### What Defenders Should Know
  - **Verify Rule Effectiveness:** Defenders should not solely rely on the "health" status of Sentinel rules. It is crucial to **verify that rules are actively producing actionable data** and alerts.
  - **Leverage Human Intelligence:** The classification of alerts by analysts (as true or false positives) is the most reliable indicator of a rule's quality and effectiveness.
  - **Proactive Maintenance is Essential:** Detection engineering is an ongoing process, not a one-time setup. **Regularly auditing the rule library** is necessary to retire, tune, or redirect ineffective detections.
  - **Utilize Tooling:** Tools like the **"Sentinel Assessment Tool"** (a PowerShell module) can automate the creation of coverage reports, aiding in the proactive maintenance of detection rules.
• month-of-bypasses: Proof-of-Concepts for Detection Engineering Purposes Only - Persistent Security 🔍 Show Kagi Synopsis
  The "Month of Bypasses" project, hosted on GitHub by the Persistent Security Research Team, showcases proof-of-concept (POC) techniques designed to bypass Microsoft Defender's detection capabilities 【1】. These bypasses target the same MITRE ATT&CK techniques and attack objectives as known threats but utilize different execution paths 【1】. The primary goal is to aid defenders in identifying gaps in their security protections before adversaries can exploit them 【1】.
  
  **What Happened:**
  The project details various methods that circumvent Microsoft Defender's detection. Each bypass is a variation of a technique that Defender typically catches, demonstrating alternative ways to achieve the same malicious outcome 【1】.
  
  **Who is Affected:**
  Organizations relying on **Microsoft Defender** for endpoint protection are potentially affected. The bypasses highlight scenarios where Defender might not detect malicious activities, leaving systems vulnerable 【1】.
  
  **Security Implications:**
  The security implications are significant, as these bypasses demonstrate that even with a robust security solution like Microsoft Defender, adversaries can find ways to execute malicious actions undetected. This underscores the need for continuous vigilance and advanced detection engineering 【1】.
  
  **Technical Details:**
  The POCs are discovered using AI-driven variant analysis on the Nemesis BAS platform 【1】. Examples of techniques covered include:
  - **T1003.002 (OS Credential Dumping: Security Account Manager):** This bypass involves using `esentutl.exe /y /vss` to copy SAM and SYSTEM hives without triggering Defender 【1】.
  - **T1055.002 (Portable Executable Injection):** This technique is referred to as "You Can't Escape The Katz!" 【1】.
  
  **What Defenders Should Know:**
  Defenders should be aware that standard detection methods may not be sufficient. The "Month of Bypasses" project serves as a resource for **detection engineering and defensive research** 【1】. It helps security teams understand where their current protections might have blind spots and encourages the development of more sophisticated detection strategies to counter these evolving bypass techniques 【1】. Any findings based on actual vulnerabilities are disclosed through the Belgian Coordinated Vulnerability Disclosure (CVD) framework 【1】.
• Blog: Evolving the Android & Chrome VRPs for the AI Era - Google Bug Hunters 🔍 Show Kagi Synopsis
  The Google Bug Hunters program has evolved its Vulnerability Reward Programs (VRPs) for Android and Chrome to address the challenges posed by the AI era. This evolution aims to incentivize the discovery of vulnerabilities in AI-powered features and systems.
  
  **Who is Affected:**
  The primary beneficiaries of these enhanced VRPs are **Google users** who rely on Android and Chrome for their daily activities. By encouraging security researchers to find and report vulnerabilities, Google aims to protect users from potential exploits that could compromise their data or privacy. Additionally, **security researchers** are directly affected as the program offers rewards for their findings, fostering a more robust security ecosystem.
  
  **Security Implications:**
  The integration of AI into software like Android and Chrome introduces new attack surfaces and potential vulnerabilities. These can range from **data poisoning attacks** that manipulate AI models to produce incorrect or malicious outputs, to **model extraction attacks** where attackers attempt to steal proprietary AI models. Furthermore, AI systems can be susceptible to **adversarial attacks**, where subtle, often imperceptible changes to input data can cause the AI to misclassify or behave unexpectedly. The evolving VRPs aim to mitigate these risks by proactively identifying and addressing such security flaws before they can be exploited.
  
  **Technical Details:**
  While the article doesn't delve into specific technical details of newly discovered vulnerabilities, it highlights the program's focus on AI-specific security concerns. This includes:
  - **AI Model Security:** Protecting the integrity and confidentiality of AI models used within Android and Chrome.
  - **Data Security in AI:** Ensuring the secure handling of data used for training and operating AI features.
  - **Adversarial Robustness:** Identifying and mitigating vulnerabilities that allow for adversarial attacks against AI components.
  - **New Attack Vectors:** Investigating novel attack methods that leverage or target AI functionalities.
  
  **What Defenders Should Know:**
  Defenders need to be aware that traditional security approaches may not be sufficient for AI-integrated systems. Key considerations include:
  - **Understanding AI Vulnerabilities:** Familiarizing themselves with common AI attack vectors such as data poisoning, model extraction, and adversarial attacks.
  - **Proactive Threat Hunting:** Actively searching for vulnerabilities in AI models and data pipelines, not just traditional software components.
  - **Continuous Monitoring:** Implementing robust monitoring systems to detect anomalous behavior that could indicate an AI-based attack.
  - **Collaboration with Researchers:** Engaging with the security research community through programs like the VRPs to leverage their expertise in identifying emerging threats.
  - **Secure AI Development Practices:** Adopting secure coding and development practices specifically tailored for AI systems.
  
  The evolution of Google's VRPs signifies a proactive approach to securing AI-powered technologies, encouraging a collaborative effort to maintain user safety in an increasingly AI-driven digital landscape 【1】.
• pydep-vector-runner: A lightweight runner that guards against weird startup behaviors in python. Lightweight version of PyDepGuard's coderunner. - The content posted at the URL is controlled by **Ikari**. 🔍 Show Kagi Synopsis
  The cybersecurity article discusses **pydepgate**, a static analysis tool designed to detect malicious code that executes during Python interpreter startup. This attack vector, known as **MITRE ATT&CK T1546.018**, was exploited in the March 2026 LiteLLM supply-chain compromise.
  
  **What Happened:**
  Attackers leverage legitimate Python startup mechanisms, such as `.pth` files, `sitecustomize.py`, `usercustomize.py`, `__init__.py`, `setup.py`, and console-script entry points, to inject and execute malicious code before user scripts run.
  
  **Who is Affected:**
  **Developers and CI/CD pipelines** are vulnerable to supply-chain attacks that exploit these startup vectors.
  
  **Security Implications:**
  Malicious code executed during startup can perform various unauthorized actions, including **data exfiltration, establishing persistence, and downloading further payloads**, all without explicit user interaction. This can compromise environments during package installations or interpreter initialization.
  
  **Technical Details:**
  pydepgate uses a layered static analysis engine to identify suspicious patterns, including:
  - **Encoding Abuse:** Detecting patterns like `exec(base64.b64decode(...))`.
  - **Dynamic Execution:** Identifying calls to `exec`, `eval`, `compile`, and `__import__`, whether direct or obfuscated.
  - **String Obfuscation:** Resolving obfuscated strings (e.g., `'ev' + 'al'`) using a safe partial evaluator.
  - **Suspicious Standard Library Usage:** Flagging unusual calls related to process spawning, network operations, or native code loading.
  - **Code Density Analysis:** Examining lexical, structural, and Unicode patterns to detect obfuscated or machine-generated code.
  
  The tool also features a "payload-peek" enricher for safe decoding of obfuscated literals and supports recursive decoding. It is built using only the Python standard library to avoid executing untrusted code.
  
  **What Defenders Should Know:**
  - **Defense in Depth:** pydepgate employs multiple analysis layers to make evasion more difficult for attackers.
  - **Customizable Rules:** A data-driven rules engine (TOML/JSON) allows users to adjust severity ratings, suppress false positives, and prioritize specific signals.
  - **CI/CD Integration:** The tool supports CI-friendly output formats (JSON, with SARIF planned) and can be used with pre-commit hooks and exit codes to block builds.
  - **Forensic Capabilities:** It can recursively decode and extract payloads into encrypted archives for safe investigation.
  - **Limitations:** Defenders should be aware of potential limitations, such as incomplete tracking of function return values and aliased imports. The tool may also generate false positives on legitimate machine-generated code, like that produced by Cython 【1】.
• How to block CVE-2026-31431 (Copy Fail) - SEC West 🔍 Show Kagi Synopsis
  The cybersecurity article details a vulnerability known as **CVE-2026-31431**, nicknamed "Copy Fail," which is a **local privilege escalation and container escape vulnerability** affecting the Linux kernel's `algif_aead` component.
  
  **What Happened:**
  The vulnerability arises from an in-place optimization within the `algif_aead` component, introduced in 2017. This optimization allows for the corruption of shared page cache pages. When the kernel subsequently uses these corrupted pages for execution, it can lead to the overwriting of in-memory setuid binaries, such as `/usr/bin/su`, without modifying the actual files on disk. This manipulation grants attackers root privileges. 【1】
  
  **Who is Affected:**
  This vulnerability impacts **all major Linux distributions** that utilize mainline kernels from version **4.14 (released August 2017) up to April 2026**. This includes both module-based kernels (common in distributions like Debian and Ubuntu) and built-in kernels (found in RHEL, Alma, and Rocky Linux). 【1】
  
  **Security Implications:**
  The primary security implications are:
  - **Local Privilege Escalation:** An attacker with initial access to a compromised host can escalate their privileges to root. 【1】
  - **Container Escape:** The vulnerability can be exploited to break out of containerized environments. 【1】
  - **Stealthy Exploitation:** Since the exploit operates in memory (specifically the page cache), traditional file integrity monitoring tools will not detect the malicious changes. 【1】
  
  **Technical Details:**
  The exploitation process involves opening an `AF_ALG` socket, triggering the `algif_aead` path to induce the corruption, and then executing a target setuid binary. While a proof-of-concept (PoC) currently exists for x86_64 systems with 4KiB page sizes, the underlying bug is not architecture-specific. Exploits for other architectures or systems with different page sizes (e.g., 64KiB) would require adjustments to the payload and offsets but are feasible. 【1】
  
  **What Defenders Should Know:**
  Defenders should be aware of the following:
  - **Immediate Patching:** It is crucial to **apply the kernel update provided by your distribution and reboot the system immediately**. 【1】
  - **Interim Mitigations:**
  - For module-based kernels, use `install algif_aead /bin/false` in `modprobe.d` and remove or divert the `.ko` files. 【1】
  - For built-in kernels, use `initcall_blacklist=algif_aead_init` via `grubby` and reboot. 【1】
  - Container runtimes can be secured by deploying a seccomp profile that blocks `socket(AF_ALG, ...)` (syscall 38) with `EAFNOSUPPORT`. 【1】
  - **Detection Strategies:**
  - Monitor for the loading of the `algif_aead` module, as it is not commonly used on general-purpose servers. 【1】
  - Utilize `auditd` to track `init_module`, `finit_module`, and `delete_module` syscalls. 【1】
  - Employ tools like Falco to generate alerts for `AF_ALG` socket creation by unauthorized processes. 【1】
  - **Do not rely solely on file integrity monitoring** for setuid binaries; prioritize process telemetry and audit logs for detection. 【1】
• wg.copyfail.patch: CVE-2026-31431 eBPF fix - Copy.fail - The content posted at the URL is controlled by **wgnet**. 🔍 Show Kagi Synopsis
  The cybersecurity article details **CVE-2026-31431**, nicknamed **"Copy.Fail"**, a vulnerability that allows an authorized user to alter the cached copy of any readable file 【1】.
  
  - **What Happened**: The vulnerability exploits the **AF_ALG socket** provided by `algif*` kernel modules. This allows an attacker to modify cached file data, leading to privilege escalation and potential system compromise 【1】.
  - **Who is Affected**: Systems are particularly vulnerable if the `algif_aead` module is built into the kernel, as is common in distributions like Fedora, Oracle Linux, and other RHEL-based systems. Systems are also at risk if they are missing the upstream kernel patch for this vulnerability 【1】.
  - **Security Implications**: The primary security implication is **Local Privilege Escalation**, allowing an attacker to gain root access. It can also facilitate **sandbox or container escapes** and other security breaches 【1】.
  - **Technical Details**: The exploit leverages the **AF_ALG socket** mechanism within the Linux kernel. The vulnerability lies in the ability to manipulate the cached copy of files through this socket interface 【1】.
  - **What Defenders Should Know**:
  - **Patching is Crucial**: The most effective solution is to patch the kernel to address the vulnerability 【1】.
  - **eBPF Workarounds**: Two eBPF (extended Berkeley Packet Filter) programs are provided as workarounds 【1】:
  - `ebpf-alg-socket-filter`: This program filters AF_ALG socket creation using the eBPF/LSM kernel mechanism. It's recommended if the kernel has eBPF LSM enabled, which can be verified by checking if `bpf` is listed in `/sys/kernel/security/lsm` 【1】.
  - `ebpf-alg-socket-killer`: A more aggressive option that terminates any process attempting to create an AF_ALG socket. This is suitable for systems without eBPF LSM support 【1】.
  - **Building and Running**: Defenders can build these eBPF programs by installing dependencies like `clang`, `kernel-headers`, `libbpf-devel`, and `bpftool`, copying `vmlinux.h`, and running `build.sh`. The `apply.sh` script can then be used to load, unload, and check the status of these eBPF programs 【1】.
• Auditing Application Permissions in Microsoft Entra ID: Hidden Risks, Pitfalls, and Quarkslab's QAZPT Tool - Quarkslab 🔍 Show Kagi Synopsis
  The cybersecurity article discusses the hidden risks and complexities of auditing application permissions in Microsoft Entra ID, highlighting how permissions can propagate transitively through various relationships, making them difficult to track and manage 【1】.
  
  **What Happened:**
  The article identifies a significant challenge in understanding the full scope of permissions within Microsoft Entra ID. Permissions are not static; they can be inherited through ownership, federated identity, group memberships, and other indirect paths. This transitive nature means that the effective permissions an entity has can be much broader than initially configured, creating a gap between intended and actual access 【1】. Existing tools often fall short in providing a complete picture of these propagated permissions 【1】.
  
  **Who is Affected:**
  Organizations using Microsoft Entra ID are affected by these complexities. Any entity within an Entra ID tenant, including users, applications, and service principals, can be subject to inherited permissions. This broad reach means that misconfigurations or overlooked inheritance paths can expose sensitive data or functionalities to unintended actors 【1】.
  
  **Security Implications:**
  The primary security implication is the **increased risk of unauthorized access and privilege escalation**. The indirect and transitive nature of permission inheritance can lead to a situation where an attacker, by compromising a less privileged entity, can gain access to resources they should not have 【1】. This makes it difficult for security teams to accurately assess the security posture of their Entra ID environment and identify potential vulnerabilities.
  
  **Technical Details:**
  Permissions in Entra ID propagate through various relationships, including:
  - Ownership
  - Service Principal of an App Registration
  - Federated Identity Credentials
  - Privileged Entra ID roles
  - Privileged Microsoft Graph application roles
  - Group membership (partially supported) 【1】
  
  The data required to map these inheritance paths is dispersed across multiple APIs and portal sections, making manual auditing a daunting task 【1】. The "gap between what is configured and what is effectively reachable through inheritance" is identified as the core area of practical risk 【1】.
  
  **What Defenders Should Know:**
  Defenders need to be aware that **direct permission assignments are only part of the story**. They must understand and account for the transitive nature of permissions in Entra ID 【1】. This requires a comprehensive approach to auditing that goes beyond simply looking at direct assignments. Tools like **QAZPT (Quarkslab Azure Permission Tracker)** are introduced as an open-source CLI solution designed to address this by analyzing and visualizing permission inheritance, computing effective permissions for each entity, and providing a more complete view of how permissions propagate within a tenant 【1】. Defenders should consider implementing such tools to gain better visibility and control over their Entra ID permission landscape.
• VisualSploit: Backdoor Visual Studio project files with custom shellcode, which executes whenever the project is opened or built. - Meltedd 🔍 Show Kagi Synopsis
  **VisualSploit** is a cybersecurity tool that weaponizes **MSBuild project files** to execute embedded shellcode, posing a significant risk to developers and organizations using Visual Studio 【1】.
  
  **What Happened:**
  VisualSploit injects a loader into MSBuild project files (`.csproj`, `.vbproj`, `Directory.Build.props/targets`). This loader executes embedded shellcode automatically whenever the project is built, restored, or opened in Visual Studio 【1】. The execution can occur without user interaction, especially when cloning a repository containing these backdoored project files 【1】.
  
  **Who is Affected:**
  Developers and organizations using **Visual Studio** are potentially affected. Specifically, users who clone repositories containing malicious MSBuild project files are at risk, as the shellcode can execute silently due to the absence of the Mark-of-the-Web (MOTW) on cloned files 【1】. Projects within a repository can be compromised by injecting malicious code into `Directory.Build.props` or `Directory.Build.targets` files at the repository root 【1】.
  
  **Security Implications:**
  The primary security implication is **unauthorized code execution**. Attackers can leverage this to:
  - **Gain initial access** to developer machines or build servers.
  - **Exfiltrate sensitive data** from development environments.
  - **Deploy further malware** or ransomware.
  - **Disrupt development workflows** by compromising build processes.
  
  The silent nature of the execution, bypassing Visual Studio's "trust this project?" prompt, makes it particularly dangerous 【1】.
  
  **Technical Details:**
  VisualSploit exploits MSBuild's `InitialTargets` and `RoslynCodeTaskFactory` 【1】. It injects a `<UsingTask>` element containing a shellcode loader and a `<Target>` that invokes it, adding this target to `InitialTargets` 【1】. This ensures the payload runs during any project evaluation, including design-time builds for IntelliSense 【1】.
  
  The injected C# code performs the following actions:
  1. **Decrypts the embedded payload** using XOR 【1】.
  2. **Allocates a Read-Write-Execute (RWX) memory page** using `VirtualAlloc` 【1】.
  3. **Executes the shellcode** in a new thread using `CreateThread` and then waits for it 【1】.
  
  For successful execution, the shellcode must meet specific requirements:
  - **Bitness must match the MSBuild host** (typically x64) 【1】.
  - **Must be position-independent** 【1】.
  - **Must terminate on its own** (e.g., using `EXITFUNC=thread`) to prevent the build process from hanging 【1】.
  
  **What Defenders Should Know:**
  Defenders should be aware of the following:
  - **MSBuild project files can be a vector for shellcode execution.** Developers and security teams should scrutinize project files, especially those from untrusted sources.
  - **The Mark-of-the-Web (MOTW) bypass is critical.** Cloned repositories do not trigger Visual Studio's trust prompts, enabling silent execution.
  - **`Directory.Build.props` and `Directory.Build.targets` are high-impact targets.** Compromising these files at the repository root can affect all projects within that subtree 【1】.
  - **Monitor build processes and Visual Studio activity** for any unusual behavior or unexpected process execution.
  - **Educate developers** about the risks associated with cloning and building projects from untrusted sources.
  - **Consider implementing stricter code-signing or integrity checks** for build artifacts and project files.
• DoomSyscalls: Clean Indirect Syscalls with Hook Evasion & Return Address Spoofing. - SilentisVox 🔍 Show Kagi Synopsis
  DoomSyscalls is a novel technique for executing clean indirect system calls, designed to bypass Endpoint Detection and Response (EDR) systems and kernel-level security checks 【1】.
  
  **What Happened:**
  DoomSyscalls introduces a method to dynamically resolve System Service Numbers (SSNs) and the addresses of the `syscall` instruction. It also employs RIP spoofing using addresses found within `ntdll.dll` 【1】. This combination aims to evade both userland hooks and kernel-level security validations 【1】.
  
  **Who is Affected:**
  This technique primarily affects systems protected by EDR solutions that hook into `ntdll.dll` to monitor system calls 【1】. By bypassing these hooks, DoomSyscalls can be used to execute malicious code undetected. Researchers and red-teamers can leverage this method to bypass security measures 【1】.
  
  **Security Implications:**
  The primary security implication is the ability to bypass EDRs and other security solutions that rely on inspecting system call parameters or return addresses in userland 【1】. By dynamically resolving SSNs and `syscall` instruction addresses, and by spoofing the return address to appear as a legitimate function within `ntdll.dll`, DoomSyscalls can execute kernel operations without triggering alerts 【1】. This could allow attackers to perform a wide range of malicious activities, such as privilege escalation, data exfiltration, or malware deployment, with a reduced risk of detection.
  
  **Technical Details:**
  DoomSyscalls operates in two main parts:
  1. **Dynamic Resolution of SSNs and Syscall Addresses:** The tool parses `ntdll.dll` to find the exports, specifically looking for the desired SSN and the address of the `syscall` instruction 【1】. This is achieved by locating `ntdll.dll` via the PEB, parsing its export directory, and then iterating through exported functions to find the relevant information 【1】.
  2. **RIP Spoofing:** The technique searches for specific instruction sequences (`ADD RSP, 0xXX; RET`) within exported functions in `ntdll.dll`. The address of such a sequence is used as a spoofed return address. This bypasses userland hooks because the return address appears legitimate, and it obfuscates the true origin of the execution flow 【1】. When a syscall is executed, the control flow returns to this "landing pad" within `ntdll.dll`, which then returns control back to the attacker's code 【1】.
  
  The process involves:
  * Locating `ntdll.dll` and its export directory 【1】.
  * Parsing export data to find SSNs and `syscall` instruction addresses 【1】.
  * Searching for "dummy" return addresses in `ntdll.dll` that adjust the stack pointer (`ADD RSP, 0xXX`) and then return 【1】.
  * Adjusting the stack pointer and copying arguments to a new stack location before executing the `syscall` instruction 【1】.
  * The `syscall` instruction hands execution to the kernel. Upon return, execution resumes at the unique landing pad, the stack pointer is adjusted, and a final `ret` instruction returns control to the attacker's code 【1】.
  
  **What Defenders Should Know:**
  Defenders should be aware that traditional EDR solutions that rely solely on hooking `ntdll.dll` may be bypassed 【1】. Security measures need to go beyond simply inspecting the return address in userland. Techniques that monitor for dynamic resolution of system calls, unusual stack manipulation, or deviations from expected `ntdll.dll` behavior might be necessary. Kernel-level monitoring and behavioral analysis could provide more robust detection capabilities against such advanced evasion techniques 【1】.
• Agentic Malware Analysis: From Task Automation to Deep Analysis - github.com 🔍 Show Kagi Synopsis
  The cybersecurity article discusses the use of **AI agents in malware analysis**, focusing on how they can automate and deepen the reverse engineering process 【1】.
  
  **What Happened:**
  The article describes a webinar that explored "Agentic Malware Analysis," demonstrating how AI agents can assist in malware reverse engineering. These agents go beyond simple explanations to recover hidden data, trace complex logic, and automate repetitive tasks, leading to a more iterative and in-depth analysis 【1】. The webinar featured live examples, starting with string decryption, progressing to API-resolving logic, and culminating in the analysis of multi-stage samples with embedded modules and configuration data 【1】.
  
  **Who is Affected:**
  The content is targeted towards **security professionals, reverse engineers, malware analysts**, and anyone working with binaries or low-level software 【1】. While the article doesn't specify particular victims of malware, it implies that organizations and individuals relying on software are indirectly affected by the advancements in malware analysis techniques.
  
  **Security Implications:**
  The primary implication is the **acceleration and enhancement of malware analysis**. By automating tedious tasks and uncovering hidden information, AI agents can help security professionals understand malware more quickly and thoroughly. This could lead to faster detection, better threat intelligence, and more effective defenses against sophisticated threats. However, the article also notes that agents have limitations, especially with highly layered or obfuscated malware, indicating that human expertise remains crucial 【1】.
  
  **Technical Details:**
  The technical environment used for the demonstrations is a **Kali-based Docker container** equipped with standard reverse-engineering and malware analysis tools (e.g., gdb, radare2, floss, capa, yara) 【1】. It also includes wrappers for Codex and Claude CLI. The system supports either a **Binary Ninja or Ghidra backend** through an MCP (Model Context Protocol) setup 【1】. The approach emphasizes structured agent workflows, persistent case state, staged artifact generation, and deeper analysis planning 【1】.
  
  **What Defenders Should Know:**
  Defenders should understand that while AI agents are powerful tools for malware analysis, they are not a complete solution. **Agents require analyst guidance and structured workflows** to be effective, especially when dealing with complex or obfuscated malware 【1】. They can recover artifacts and overcome obstacles but do not autonomously solve every analysis challenge. Therefore, human expertise remains indispensable in the fight against evolving cyber threats 【1】.