🛡️ InfoSec Blue Team Briefing

📰 Articles Covered

• CVE-2026-0300 - CISA KEV 🔍 Show Kagi Synopsis
  **CVE-2026-0300** is a critical **buffer overflow vulnerability** affecting **Palo Alto Networks' PAN-OS software** . This vulnerability specifically targets the **User-ID™ Authentication Portal** (also known as the Captive Portal) service .
  
  **What the vulnerability allows attackers to do:**
  An unauthenticated attacker can exploit this vulnerability to **execute arbitrary code with root privileges** on affected PA-Series and VM-Series firewalls . This level of access can lead to complete compromise of the device, enabling espionage and lateral movement within a network .
  
  **Exploitation against internet-facing applications (MITRE ATT&CK T1190):**
  The vulnerability is actively being exploited against internet-facing applications . Attackers can exploit it by sending specially crafted packets to the User-ID™ Authentication Portal . The exploit maturity is rated as "ATTACKED," indicating active exploitation .
  
  **Known threat actors or campaigns:**
  While specific threat actors or campaigns are not detailed in the provided information, the vulnerability has been exploited in the wild since at least April 9, 2026 . The exploitation enables stealth espionage and lateral movement .
  
  **Affected versions:**
  The vulnerability affects specific versions of PAN-OS. Palo Alto Networks has provided a table detailing affected and unaffected versions :
  
  * **PAN-OS 12.1:** Versions prior to `12.1.4-h5` and `12.1.7` are affected.
  * **PAN-OS 11.2:** Versions prior to `11.2.4-h5` and `11.2.7` are affected.
  * **PAN-OS 11.1:** Versions prior to `11.1.2-h4` and `11.1.6` are affected.
  * **PAN-OS 10.2:** Versions prior to `10.2.7-h10` and `10.2.10-h31` are affected.
  * **PAN-OS 10.1:** Versions prior to `10.1.13-h10` and `10.1.16` are affected.
  * **PAN-OS 10.0:** Versions prior to `10.0.11-h1` and `10.0.14` are affected.
  
  Cloud NGFW is not affected .
  
  **Immediate actions for defenders:**
  Defenders should **immediately apply mitigations** provided by Palo Alto Networks . This includes:
  
  * **Upgrading PAN-OS** to a fixed version as soon as possible .
  * Customers with a **Threat Prevention subscription** can enable **Threat ID 510019** from Applications and Threats content version 9097-10022 to block attacks . Note that decoder capabilities require PAN-OS 11.1 or later for Threat ID support .
  * If immediate upgrades are not possible, follow applicable guidance for cloud services or consider discontinuing the use of the product if mitigations are unavailable .
• CVE-2026-6973 - CISA KEV 🔍 Show Kagi Synopsis
  **CVE-2026-6973** is a critical vulnerability affecting **Ivanti Endpoint Manager Mobile (EPMM)**. The vulnerability, which has a CVSS score of 7.2, stems from **improper input validation** .
  
  **What the vulnerability allows attackers to do:**
  This vulnerability allows a **remotely authenticated user with administrative access to achieve remote code execution (RCE)** .
  
  **Exploitation against internet-facing applications (MITRE ATT&CK T1190):**
  While specific details on how CVE-2026-6973 is being exploited against internet-facing applications are not extensively detailed, the nature of the vulnerability (remote code execution) makes it a prime candidate for exploitation via public-facing applications, aligning with the **MITRE ATT&CK technique T1190: Exploit Public-Facing Application** . Attackers can leverage this vulnerability to gain unauthorized administrative access and execute arbitrary code on affected systems .
  
  **Known threat actors or campaigns:**
  While no specific threat actors or campaigns have been definitively attributed to CVE-2026-6973, Ivanti has noted that a **very limited number of customers have been exploited** . It's worth noting that other recent Ivanti EPMM vulnerabilities (CVE-2026-1281 and CVE-2026-1340) have been exploited by threat actors attributed to **China and Iran** .
  
  **Affected versions:**
  The vulnerability affects **Ivanti EPMM versions prior to 12.6.1.1, 12.7.0.1, and 12.8.0.1** .
  
  **Immediate actions for defenders:**
  Given that this vulnerability is actively being exploited, defenders should prioritize the following actions:
  * **Apply patches immediately:** Ivanti has released security updates to address this vulnerability. It is crucial to apply these patches as soon as possible .
  * **Rotate credentials:** If customers were previously exploited by earlier Ivanti EPMM vulnerabilities (CVE-2026-1281 and CVE-2026-1340), Ivanti recommends rotating credentials, as this may reduce the risk of exploitation for CVE-2026-6973 .
  * **Monitor for suspicious activity:** Continuously monitor network traffic and system logs for any signs of compromise or unusual activity that could indicate exploitation.
• We are aware of a very limited number of customers exploited with CVE-2026-6973. Successful exploitation requires Admin authentication. - Ivanti 🔍 Show Kagi Synopsis
  Ivanti has released updates for **Ivanti Endpoint Manager Mobile (EPMM)** to address **five high-severity vulnerabilities** 【1】.
  
  **Who is Affected:**
  The vulnerabilities affect Ivanti EPMM versions prior to 12.6.1.1, 12.7.0.1, and 12.8.0.1 【1】. Ivanti is aware of a limited number of customers being exploited by **CVE-2026-6973**, which requires administrative authentication 【1】. They are not aware of any customers being exploited by CVE-2026-5786, CVE-2026-5787, CVE-2026-5788, or CVE-2026-7821 at the time of disclosure 【1】.
  
  **Security Implications:**
  The vulnerabilities have significant security implications, including:
  - **CVE-2026-5786**: Allows a remote authenticated attacker to gain administrative access 【1】.
  - **CVE-2026-5787**: Enables a remote unauthenticated attacker to impersonate registered Sentry hosts and obtain valid CA-signed client certificates 【1】.
  - **CVE-2026-5788**: Permits a remote unauthenticated attacker to invoke arbitrary methods 【1】.
  - **CVE-2026-6973**: Allows a remotely authenticated user with administrative access to achieve remote code execution 【1】.
  - **CVE-2026-7821**: Allows a remote unauthenticated attacker to enroll a device belonging to a restricted set of unenrolled devices, potentially leading to information disclosure and impacting device identity integrity 【1】.
  
  **Technical Details:**
  The vulnerabilities are categorized as follows:
  - **CVE-2026-5786**: Improper Access Control 【1】.
  - **CVE-2026-5787**: Improper Certificate Validation 【1】.
  - **CVE-2026-5788**: Improper Access Control 【1】.
  - **CVE-2026-6973**: Improper Input Validation 【1】.
  - **CVE-2026-7821**: Improper certificate validation 【1】.
  
  The Common Vulnerability Scoring System (CVSS) scores range from 7.0 to 8.9, all classified as High severity 【1】.
  
  **What Defenders Should Know:**
  - **Update Ivanti EPMM**: Customers should update to the latest versions: 12.6.1.1, 12.7.0.1, or 12.8.0.1 to remediate these vulnerabilities 【1】.
  - **Review Admin Accounts**: It is recommended to review accounts with administrative rights and rotate credentials where necessary 【1】. If customers previously rotated credentials due to CVE-2026-1281 and CVE-2026-1340, their risk from CVE-2026-6973 is reduced 【1】.
  - **Apple Device Enrollment**: For CVE-2026-7821, customers not using Apple Device Enrollment are not at risk 【1】.
  - **Indicators of Compromise**: Currently, there are no reliable atomic indicators of compromise available 【1】.
• Unpacking Russian-Iranian Private-Sector Cyber Connections - Margin Research 🔍 Show Kagi Synopsis
  The article details alleged cyber connections between Russia and Iran, primarily through their private cybersecurity sectors. Ukraine claims Russia is providing "cyber support" to Iran, citing interactions between Russian cybercriminals and Iranian hacker groups, though Russia denies this 【1】.
  
  **Who is Affected:**
  The primary entities affected are **Iranian citizens**, whose mobile communications could be monitored, intercepted, or disrupted 【1】. Additionally, **Ukraine** is implicated as the claimant of this cyber support, suggesting a geopolitical dimension to these connections 【1】.
  
  **Security Implications:**
  The security implications are significant, involving the potential for **enhanced surveillance and control over Iranian citizens' communications** by the Iranian government, facilitated by Russian technology and expertise 【1】. There's also the possibility of **offensive cyber capabilities** being shared or developed through these partnerships 【1】. The involvement of companies with close ties to state security services in both countries raises concerns about **state-sponsored cyber activities** 【1】.
  
  **Technical Details:**
  - **Protey (Protei Ltd.)**: A Russian telecommunications firm hired by Iranian mobile provider Ariantel. It provides capabilities such as user authentication, deep packet inspection (DPI), and mobile network signaling. Protey is integrated into Iran's legal intercept system, enabling direct monitoring, interception, redirection, degradation, or denial of mobile communications 【1】.
  - **Positive Technologies**: This Russian company, along with Indian and Chinese firms, was approved by the Iranian government in July 2024 to provide managed threat detection and response services 【1】. Positive Technologies also hosts a conference (Positive Hack Days) that Russian intelligence services reportedly use for hacker recruitment 【1】.
  - **Ravin Academy**: An Iranian cybersecurity company that attended Positive Hack Days. The US government has sanctioned Ravin Academy, stating it was founded by members of Iran's Ministry of Intelligence and Security (MOIS) to train and recruit hackers, and provides various cybersecurity services to the MOIS 【1】.
  
  **What Defenders Should Know:**
  Defenders should be aware that **private-sector cybersecurity firms are integral to both Russian and Iranian cyber ecosystems** 【1】. These companies are involved in offensive capabilities, talent cultivation, recruitment, providing defensive services, and establishing international connections 【1】. The expansion of engagements between Russian and Iranian cybersecurity companies, particularly those with state ties, indicates a growing and potentially sophisticated cyber landscape that requires vigilance 【1】. The use of technologies like DPI and legal intercept systems highlights the potential for deep network visibility and control 【1】.
• OceanLotus suspected of distributing ZiChatBot malware via wheel packages in PyPI - Kaspersky Global Research and Analysis Team (GReAT) 🔍 Show Kagi Synopsis
  A cybersecurity campaign, suspected to be orchestrated by the **OceanLotus APT group**, has been identified distributing a new malware family named **ZiChatBot** through malicious Python Package Index (PyPI) wheel packages 【1】. This campaign represents a **supply chain attack**, where legitimate-looking packages were compromised to deliver the malware 【1】.
  
  **What Happened:**
  Beginning in July 2025, attackers uploaded malicious wheel packages to PyPI, disguised as popular libraries such as `uuid32-utils`, `colorinal`, and `termncolor` 【1】. These packages contained a dropper (`terminate.dll` on Windows, `terminate.so` on Linux) that, upon installation and import of the compromised library, would deploy the ZiChatBot malware 【1】. The dropper also establishes persistence and self-deletes to cover its tracks 【1】.
  
  **Who is Affected:**
  The campaign affects **Python developers and users** who might download and install these malicious packages from PyPI. Both **Windows and Linux** platforms are targeted by the ZiChatBot malware 【1】.
  
  **Security Implications:**
  The primary security implication is the **compromise of systems through a trusted software repository**. This supply chain attack allows attackers to bypass traditional security measures by leveraging the trust placed in package managers like PyPI. Once installed, ZiChatBot can execute arbitrary shellcode commands received from its command and control (C2) infrastructure, posing a significant risk of further system compromise, data theft, or espionage 【1】.
  
  **Technical Details:**
  - **Malware Distribution:** Malicious wheel packages were uploaded to PyPI, often concealed within a seemingly benign package that listed the malicious one as a dependency 【1】.
  - **Dropper Functionality:** On Windows, `terminate.dll` is extracted and loaded into the Python process via a script (`unicode.py`). On Linux, a similar process occurs with `terminate.so` 【1】. The dropper decrypts embedded payloads using AES and LZMA, deploys ZiChatBot, establishes persistence (via Windows Registry or Linux `crontab`), and then self-deletes 【1】.
  - **ZiChatBot Malware:** The final payload, ZiChatBot, is a DLL on Windows (`libcef.dll`) loaded by a legitimate executable (`vcpktsvr.exe`) 【1】.
  - **Command and Control (C2):** ZiChatBot uniquely uses **REST APIs from the public team chat app Zulip** (`helper.zulipchat.com`) as its C2 infrastructure, rather than a dedicated C2 server 【1】. It receives shellcode commands and reports successful execution by sending a "heart" emoji 【1】.
  - **Attribution:** Kaspersky attributes this campaign to the **OceanLotus APT group** due to a 64% similarity in the dropper's logic and algorithms to previously analyzed OceanLotus malware 【1】.
  
  **What Defenders Should Know:**
  - **Denylist Zulip URL:** Defenders should add the URL `helper.zulipchat.com` to their denylist to prevent infected devices from communicating with the ZiChatBot C2 service 【1】. Although this specific Zulip instance has been deactivated, infected systems may still attempt to connect.
  - **Monitor PyPI Activity:** Be vigilant about suspicious packages appearing on PyPI, especially those mimicking popular libraries or having unusual upload patterns.
  - **Supply Chain Security:** Implement robust security practices for software supply chains, including dependency scanning and vetting of third-party libraries.
  - **Endpoint Detection:** Utilize endpoint detection and response (EDR) solutions to identify and mitigate the dropper and ZiChatBot malware on affected systems.
• Student Arrested in Taiwan for using SDR and Handheld Radios to Halt Four High Speed Trains with TETRA Hack - **RTL-SDR.com** is a blog that started as a hobby to share tutorials and curate content related to RTL-SDR dongles . The website itself is not controlled by a large media conglomerate like RTL Group , but rather by the individuals who contribute to and manage the blog . 🔍 Show Kagi Synopsis
  A 23-year-old university student in Taiwan was arrested for **hacking into the Taiwan High Speed Rail Corporation's (THSRC) internal TETRA radio communications**, causing four high-speed trains to halt mid-service 【1】. The incident occurred on April 5, 2026, when the student transmitted a "General Alarm" (GA) signal, the highest-priority TETRA alert 【1】. This signal automatically triggered manual emergency braking on trains in the vicinity, resulting in the four trains being stopped for 48 minutes 【1】.
  
  **Who is affected:**
  The primary individuals affected were the **passengers and crew on the four halted high-speed trains**. The THSRC also experienced operational disruption and had to investigate the security breach.
  
  **Security Implications:**
  This incident highlights significant security vulnerabilities in critical infrastructure communication systems. The THSRC's TETRA radio system, in service for 19 years, apparently had security parameters that were **never meaningfully rotated** 【1】. The article suggests the system may have been **unencrypted or used the known-broken TEA1 encryption**, allowing the student to spoof a legitimate signal 【1】. This demonstrates how outdated security practices and potential weaknesses in encryption can be exploited to disrupt essential services. The case also draws parallels to other vulnerabilities, such as unauthenticated police TETRA terminals in Slovenia and unauthenticated braking commands on US freight trains, indicating a broader systemic risk 【1】.
  
  **Technical Details:**
  The student utilized a **software-defined radio (SDR) connected to a laptop** to capture and decode THSRC traffic 【1】. The captured parameters were then programmed into one of his eleven handheld radios, which he used to transmit the GA signal 【1】. A 21-year-old friend allegedly assisted by providing some of the critical THSRC parameters 【1】. Police identified the student through network-side TETRA logs and CCTV footage, and by auditing the THSRC fleet to confirm cloned parameters 【1】.
  
  **What Defenders Should Know:**
  This incident underscores the critical need for **regular security audits and updates of communication systems**, especially those in safety-of-life applications. **Security parameters, such as encryption keys and authentication protocols, must be regularly rotated** to prevent exploitation of outdated or compromised credentials 【1】. Defenders should be aware of the potential for SDRs and readily available decryption tools to be used in attacks against radio systems 【1】. Furthermore, **robust logging and monitoring capabilities** are essential for detecting and tracing unauthorized transmissions, as demonstrated by the use of TETRA logs and CCTV in identifying the suspect 【1】. The legal consequences for such actions are severe, with the student facing up to ten years in prison under Taiwan's Railway Act and Criminal Code 【1】.
• Dirty Frag: Universal Linux LPE - Hyunwoo Kim 🔍 Show Kagi Synopsis
  The **Dirty Frag** vulnerability class allows attackers to gain **root privileges** on major Linux distributions by chaining two separate vulnerabilities: `xfrm-ESP Page-Cache Write` and `RxRPC Page-Cache Write` 【1】.
  
  **What Happened:**
  Dirty Frag is a deterministic logic bug that does not require a race condition, leading to a high success rate for exploits. It extends the bug class of Dirty Pipe and Copy Fail 【1】.
  
  **Who is Affected:**
  The vulnerabilities affect major Linux distributions. The `xfrm-ESP Page-Cache Write` vulnerability has been present since January 17, 2017, and the `RxRPC Page-Cache Write` vulnerability since June 2023, giving these vulnerabilities an effective lifetime of approximately 9 years 【1】. While `xfrm-ESP Page-Cache Write` is widely available, it requires the privilege to create a namespace, which Ubuntu sometimes blocks via AppArmor. The `RxRPC Page-Cache Write` vulnerability does not require namespace creation privileges, but its associated module (`rxrpc.ko`) is not typically included in most distributions, except for Ubuntu where it's loaded by default 【1】. By chaining these two, the vulnerabilities cover each other's limitations, enabling root privilege escalation on all major distributions 【1】.
  
  **Security Implications:**
  The primary security implication is the ability for an attacker to gain **complete control** over a system by escalating privileges to root. This allows for data theft, system modification, malware installation, and disruption of services.
  
  **Technical Details:**
  - **`xfrm-ESP Page-Cache Write`**: This vulnerability provides an arbitrary 4-byte STORE primitive, similar to Copy Fail. It requires the ability to create user namespaces 【1】.
  - **`RxRPC Page-Cache Write`**: This vulnerability does not require namespace creation privileges. Its module (`rxrpc.ko`) is not universally present but is loaded by default on Ubuntu 【1】.
  - **Chaining**: Combining these two vulnerabilities bypasses individual limitations, making the exploit effective across various Linux distributions 【1】.
  
  **What Defenders Should Know:**
  - **No Patch Available**: Due to a broken disclosure schedule and embargo, there is **no official patch** available for any distribution 【1】.
  - **Mitigation**: Defenders can mitigate the vulnerabilities by removing the affected modules. This can be achieved by running the following command:
  ```bash
  sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"
  ```
  This command prevents the modules (`esp4`, `esp6`, and `rxrpc`) from being loaded in the future and attempts to remove them if they are currently loaded 【1】.
• Two U.S. Nationals Sentenced for Facilitating Fraudulent Remote Information Technology Worker Schemes to Generate Revenue for the Democratic People’s Republic of Korea - United States Department of Justice 🔍 Show Kagi Synopsis
  **Two U.S. Nationals Sentenced for Facilitating North Korean IT Worker Schemes**
  
  **What Happened:**
  Matthew Issac Knoot and Erick Ntekereze Prince, both U.S. nationals, have been sentenced to 18 months in prison for their involvement in schemes that facilitated remote information technology (IT) workers from the Democratic People’s Republic of Korea (DPRK). They received and hosted laptop computers at their residences, which were then used by North Korean IT workers. These workers, operating from overseas, were able to access U.S. company networks by appearing to be located at the defendants' homes. These fraudulent activities generated over $1.2 million for the DPRK and affected nearly 70 U.S. companies 【1】.
  
  **Who is Affected:**
  The primary victims are **U.S. companies** that hired these IT workers, believing them to be legitimate employees located within the United States. Nearly **70 U.S. companies** were impacted by these schemes 【1】. The schemes also indirectly affect the **U.S. national security** by allowing foreign actors to infiltrate corporate networks 【1】.
  
  **Security Implications:**
  These schemes pose a significant **national security threat** by enabling foreign adversaries to infiltrate U.S. corporate networks 【1】. North Korean IT workers have been known to engage in **data extortion** and **exfiltrate proprietary and sensitive data** from victim companies 【1】. The use of U.S.-based individuals as intermediaries allows these foreign actors to bypass security measures and gain fraudulent employment and access to sensitive systems, ultimately generating revenue for a sanctioned regime involved in weapons programs 【1】.
  
  **Technical Details:**
  The fraudulent schemes involved the use of **remote desktop applications** installed on the laptops. These applications allowed North Korean IT workers to operate from overseas while appearing to be at the defendants' residences 【1】. North Korean remote IT workers typically employ a range of tactics, including the use of **stolen identities, alias emails, social media, online payment platforms, false websites, proxy computers, and both witting and unwitting third parties** to gain fraudulent employment and access to U.S. company networks 【1】.
  
  **What Defenders Should Know:**
  Defenders should be aware that North Korean IT workers are actively seeking to gain fraudulent employment with U.S. companies. They utilize sophisticated methods, including stolen identities and third-party facilitators, to bypass security protocols 【1】. Companies should be vigilant about **unusual network activity** and **potential data exfiltration**. Public advisories have been issued by various U.S. government agencies, including the FBI, Department of the Treasury, and Department of State, detailing red flag indicators and mitigation measures for these schemes 【1】. It is crucial to implement robust **vetting processes** for remote workers and to monitor for any signs of compromised credentials or unauthorized access.
• Revealed: Russia’s top secret spy school teaching hacking and election meddling - The Guardian 🔍 Show Kagi Synopsis
  A secret faculty at the **Bauman Moscow State Technical University**, known as "Department 4" or "Special Training," is reportedly preparing students for careers in Russia's **GRU (military intelligence directorate)** 【1】. This faculty acts as a direct pipeline from a prestigious academic institution into the Russian military intelligence apparatus 【1】.
  
  **What Happened:**
  Internal documents obtained by a consortium of journalists reveal the existence and operations of Department 4. The GRU has direct control over the recruitment and grading process, with GRU officers conducting exams, approving candidates, and overseeing placements, blurring the lines between academic and intelligence work 【1】.
  
  **Who is Affected:**
  The primary targets of the training at Department 4 are **Western democracies**, with operatives being prepared for activities such as hacking western parliaments, interfering in elections, and conducting covert surveillance 【1】. Graduates have been assigned to notorious cyber-units like **Fancy Bear (Unit 26165)** and **Sandworm (Unit 74455)**, which have been linked to significant international cyber-attacks, including interference in the 2016 US presidential election and attacks on Ukraine's power grid 【1】. Western intelligence agencies have also warned of increased Russian hybrid activities targeting **critical infrastructure and EU institutions** 【1】.
  
  **Security Implications:**
  The existence of this program signifies a sophisticated and institutionalized approach by Russia to cultivate cyber warfare and intelligence capabilities. The training encompasses a wide range of offensive cyber operations, including hacking, espionage, and information warfare, posing a significant threat to the cybersecurity and democratic processes of Western nations. The direct involvement of the GRU in academic settings suggests a long-term strategy for developing a skilled cyber workforce for intelligence operations.
  
  **Technical Details:**
  The curriculum includes training in **electronic eavesdropping and covert surveillance** using devices like modified smoke detectors (cameras), hardware keyloggers, and malicious monitor cables that capture screenshots 【1】. A significant portion of the training is dedicated to a 144-hour course on "Defence against technical reconnaissance," which covers **password attacks, software vulnerabilities, and the development of computer viruses and trojans** 【1】. Students are required to conduct "practical penetration tests" and develop their own computer viruses as part of their assessment 【1】. Additionally, students are trained in **information warfare**, including the development of **disinformation campaigns and psychological manipulation** techniques to influence public perception 【1】.
  
  **What Defenders Should Know:**
  Defenders should be aware of the sophisticated and multi-faceted nature of Russian cyber threats, which extend beyond technical hacking to include influence operations and disinformation campaigns 【1】. The training at Department 4 indicates a focus on developing custom malware, exploiting software vulnerabilities, and employing advanced surveillance techniques 【1】. Western intelligence agencies have noted an increase in Russian hybrid activities, emphasizing the need for robust defenses against cyber-attacks, sabotage, and influence operations targeting critical infrastructure and democratic institutions 【1】.