InfoSec Briefing - June 17, 2026

🎧 Audio Briefing

Playback Speed:

Cyber security developments for Wednesday the 17th of June 2026 covering articles added to the BlueTeamSec community on infosec.pub. Today we have 4 articles to cover. All attribution is by the article authors. All article analysis is automated.

Hunt Intelligence discovered an exposed staging server belonging to an Iran-linked actor called Ababil of Minab, containing five gigabytes of exfiltrated data from destructive attacks since March. The cache includes SCADA configurations and personnel records from LA Metro, alongside credentials from Israeli and Turkish victims — the attackers were wiping SQL databases, VM partitions, and backups before someone left the door to their own server wide open.

BushidoUK has updated the Ransomware Tool Matrix and Vulnerability Matrix with profiles for three active groups: TheGentlemen, DragonForce, and WarLock. All three are using bring-your-own-driver techniques to disable EDR, exploiting internet-facing vulnerabilities in Fortinet, Ivanti, and SonicWall, and WarLock in particular is notable for deploying zero-days in products like ToolShell SharePoint with suspected Chinese origins.

ENISA has published its 2026 report on Software Bill of Materials adoption, based on a survey from late last year. The EU Cyber Resilience Act is pushing organisations to move beyond pilot programmes toward automated, dynamic tracking integrated throughout the development lifecycle — useful context if you're working out what good SBOM practice looks like under the new regime.

Security researcher Adam Zypherion has released HallWatch, a usermode defensive tool that detects indirect syscall evasion techniques by hooking the syscall instruction itself rather than function prologues. It uses breakpoints and exception handling to catch advanced malware techniques like Hell's Gate, Tartarus' Gate, and RecycledGate that slip past traditional EDR hooks — one for endpoint detection researchers.

That concludes today's briefing.

📰 Articles Covered

Ababil of Minab Exposed: LA Metro SCADA Backups and Israeli Victim Data Left Open on an Iranian Staging Server - Hunt Intelligence, Inc.

The "Ababil of Minab" campaign represents a significant, ongoing cyber intrusion effort attributed to an Iran-linked threat actor. The campaign was brought to light after Hunt.io discovered an exposed, unprotected staging server used by the attackers, which contained substantial evidence of their operations and exfiltrated data.

### Overview of the Incident
Since March 2026, this threat actor has engaged in destructive cyberattacks characterized by the deletion of SQL servers, the wiping of virtual machine partitions, and the destruction of system backups. While these activities had been previously documented by other security researchers, the specific list of victims remained undisclosed until the discovery of the open staging server at `5.255.127.55:8020`, which contained 5 GB of stolen data and internal operational materials.

### Affected Entities
The exposed data confirms successful breaches at several organizations across multiple countries, including:
* **LA Metro (Los Angeles County Metropolitan Transportation Authority):** The breach included personnel records, transit operations backups, and highly sensitive SCADA (Supervisory Control and Data Acquisition) configurations.
* **Academic and Corporate Targets:** Impacted entities include the Ruppin Academic Center, Ifat Media Group (exposing VPN credentials and network infrastructure configurations), Adabroker.com.tr (Turkish insurance data), and various other Israeli-based organizations.

### Security Implications
The exposure of the staging server highlights a high-severity risk to the victim organizations. The server contained:
* **Credential Exposure:** Plaintext password dumps from web browsers and various VPN credentials.
* **Infrastructure Sensitivity:** Network switch running configurations (including passwords) and highly sensitive SCADA configurations that could facilitate further, more critical attacks on industrial control systems.
* **Operational Data:** Personal archives (Outlook PST files) and internal operational logs.

### Technical Details
* **Infrastructure:** The threat actor utilized a Python-based SimpleHTTP directory for listing files and a custom Flask application (`http.flask.py`) designed to receive chunked, AES-CBC encrypted file uploads.
* **Exfiltration Tactics:** The group employed both "pull-based" methods (archiving data into RAR files on the target machine and downloading them via `proxychains axel`) and "push-based" methods (transferring data directly via their custom tool).
* **Attribution:** The campaign infrastructure is linked to past operations, specifically the `nefeshhope.com` phishing campaign that targeted IDF soldiers.

### Guidance for Defenders
Defenders should take the following steps to mitigate risks associated with this campaign:
* **Immediate Blocks:** Proactively block and monitor traffic for the identified C2 IPs: `5.255.127.55` and `31.172.87.20`.
* **Credential Hygiene:** Immediately rotate all credentials—specifically VPN and network administration passwords—for systems that may have been accessed by these attackers.
* **Detection & Monitoring:**
* Search for indicators of compromise (IoCs) such as `Exchangedb.exe` and known FileFiend hashes.
* Monitor logs for anomalous network activity, particularly sequential multi-part archive downloads.
* Alert on outbound connections to port 443 that utilize the TLS certificate subject `admin@acmecloud.example`.
* **Hardening:** Ensure that web service accounts lack write permissions to the web root and verify that critical database backups are never stored in publicly accessible web directories.
Ransomware Tool Matrix Project Updates: Three Groups To Track - BushidoUK

The following precis outlines the recent updates to the Ransomware Tool Matrix (RTM) and Ransomware Vulnerability Matrix (RVM), providing actionable intelligence regarding emerging ransomware threats.

### Executive Summary: What Happened
The Ransomware Tool Matrix (RTM) and Ransomware Vulnerability Matrix (RVM) have been updated to include comprehensive profiles for three active ransomware groups: **TheGentlemen**, **DragonForce**, and **WarLock**. These projects serve as open-source resources designed to assist security teams in threat hunting, engineering detections, and prioritizing vulnerabilities based on real-world adversary behavior.

### Affected Parties and Targeted Threats
The intelligence focuses on the tactics and infrastructure of these specific groups:
* **TheGentlemen:** A group that has matured rapidly; its capabilities were largely uncovered through the analysis of internal chat leaks.
* **DragonForce:** An escalating threat that operates via a "cartel" model for affiliates and focuses specifically on attacking Managed Service Providers (MSPs).
* **WarLock:** A threat actor, likely operating out of China, that distinguishes itself by leveraging zero-day vulnerabilities in internet-facing applications, specifically targeting platforms like ToolShell SharePoint, SmarterMail, SolarWinds Web Help Desk, and Gladinet CentreStack.

### Security Implications and Technical Trends
The updates highlight several critical trends that broaden the attack surface and complicate defensive efforts:
* **Widespread BYOVD:** The "Bring Your Own Vulnerable Driver" (BYOVD) technique has become a standardized method for these groups to disable or blind Endpoint Detection and Response (EDR) solutions. Known exploited drivers include ThrottleStop, TrueSight, Hangzhou Shunwang, Antiy, NsecSoft, Rising, and VMTools.
* **Focus on Network Edges:** Initial access is consistently gained through vulnerabilities in internet-facing appliances and software, including products from Fortinet, Ivanti, SonicWall, and RMM tools such as SimpleHelp.
* **Dual-Use Tooling:** Adversaries are increasingly masking their malicious activities by repurposing legitimate software for command-and-control and lateral movement. Commonly misused tools include `Cloudflared`, `VSCode Tunnels`, `AnyDesk`, `MeshCentral`, and `PuTTY`.

### Guidance for Defenders
To mitigate the risks posed by these groups, defenders should leverage the updated RTM and RVM profiles to map their specific organizational exposure. Recommended defensive actions include:
* **BYOVD Mitigation:** Develop and deploy detection rules that monitor for the loading of suspicious or known-bad drivers. Establishing an allow-list for drivers is a high-priority countermeasure.
* **Vulnerability Management:** Prioritize patching for all internet-exposed appliances and administrative tools, which remain the primary entry points for these threat actors.
* **Environment Baselining:** Implement strict baselining for legitimate administrative and remote access tools. Monitor for the unauthorized or anomalous use of tools like AnyDesk or VSCode Tunnels, which are being increasingly weaponized.
* **Operationalizing Intelligence:** Organizations can use resources such as `rulehound.com`, `detection.fyi`, and `snapattack.com` to operationalize the threat intelligence provided in the updated matrices.

Full profiles for these groups are available through the projects' GitHub repositories.
SBOM Adoption State of Play - 2026 | ENISA - European Union Agency for Cybersecurity

The ENISA report, *SBOM Adoption: State of Play 2026*, details the findings of a survey conducted at the end of 2025 regarding the industry-wide adoption of Software Bill of Materials (SBOM) in light of the EU Cyber Resilience Act (CRA).

### **Executive Summary: What Happened**
ENISA surveyed organizations across diverse sectors and sizes to assess their current progress with SBOM integration. The results confirm that the EU Cyber Resilience Act is serving as a primary catalyst for adoption, compelling organizations to move beyond pilot programs into formalized implementation 【1】.

### **Who Is Affected**
* **Software Vendors & Manufacturers:** Companies subject to the EU CRA are under direct regulatory pressure to implement SBOMs.
* **Cross-Industry Organizations:** The survey captures data from a broad spectrum of industries, indicating that SBOM adoption is no longer limited to niche cybersecurity firms but is becoming a standard requirement for broad software development ecosystems.

### **Security Implications**
The move toward mandated SBOMs represents a shift toward greater transparency in the software supply chain. By maintaining a comprehensive inventory of software components, organizations can significantly improve their vulnerability management, allowing for faster identification and mitigation of risks when new vulnerabilities (such as those in open-source libraries) are disclosed.

### **Technical Details**
* **Integration:** Organizations are prioritizing the automation of SBOM generation to ensure that these inventories remain accurate throughout the Software Development Life Cycle (SDLC).
* **Maturity Levels:** Companies are actively accelerating their technical roadmaps to align with the specific maturity benchmarks required by the CRA, moving from manual, static documentation toward dynamic, automated tracking mechanisms.

### **What Defenders Should Know**
* **Regulatory Alignment:** Defenders should view the CRA not just as a compliance requirement, but as a framework to enhance security posture. SBOMs are becoming essential for effective "Software Supply Chain Security."
* **Focus on Automation:** Organizations that rely on manual processes are increasingly at a disadvantage. Defenders should advocate for and invest in tooling that integrates SBOM generation directly into existing CI/CD pipelines to ensure continuous, reliable visibility into their software components.
* **Proactive Adoption:** Since the report confirms an industry-wide acceleration of timelines, defenders should ensure that their current implementation strategies are robust enough to meet impending regulatory maturity requirements.
HallWatch: Usermode detector that catches indirect syscalls. Traps Hell's Hall, Tartarus' Gate, RecycledGate, and VEH syscalls & Many more. - Adam Zypherion

Based on the documentation for **HallWatch**, here is a detailed overview of this defensive tool and its technical approach to modern malware evasion.

### What is HallWatch?
HallWatch is a specialized defensive security tool designed to detect and neutralize **indirect syscall-based evasion techniques**. It is not an incident report, but rather a functional component intended to counter malware that attempts to bypass Endpoint Detection and Response (EDR) monitoring.

### The Problem: Indirect Syscalls
Modern security products typically monitor malicious activity by hooking the beginning of common `ntdll` functions. Malware developers frequently circumvent these hooks using **indirect syscalls**. By locating the System Service Number (SSN) and manually jumping to the `syscall` instruction (`0F 05`) within the original `ntdll` stub, malware bypasses the hooked prologue, preventing the EDR from ever detecting the execution.

### Technical Details: How it Works
HallWatch shifts the detection focus from the function prologue to the final syscall instruction, using a multi-layered approach:

| Component | Function |
| :--- | :--- |
| **`INT3` Hooking** | Replaces the first byte of the `0F 05` (syscall) instruction in `ntdll` with `0xCC` (`INT3`). Any execution path reaching this instruction triggers an `EXCEPTION_BREAKPOINT`. |
| **VEH (Vectored Exception Handling)** | Intercepts the generated `INT3` breakpoint, validates the execution context (caller, return address, and SSN), and redirects to a trampoline to safely execute the legitimate syscall. |
| **Integrity Worker** | A background process that scans for alternative execution mappings (e.g., "Hell's Gate," "shadow ntdll"), ensures the `INT3` patches remain intact, and re-registers the VEH to prevent tampering. |

### Implications
* **For Malware:** Techniques that rely on skipping function prologues—such as advanced gate variants (Hell's Gate, RecycledGate, Tartarus' Gate)—are now effectively caught, as the syscall instruction itself is monitored. This forces malware authors to develop significantly more complex evasion strategies.
* **For Defenders:** HallWatch provides a more reliable method for monitoring syscalls compared to traditional `PAGE_GUARD` approaches. It achieves broad coverage by capturing syscall execution regardless of the path taken, making it a robust addition to a defensive stack.

### Important Considerations for Defenders
While HallWatch significantly raises the bar for evasion, defenders should note its current limitations:
* **Integrity Checks:** The tool may struggle against malware that implements its own aggressive integrity checks against its memory space.
* **Coverage:** It is limited to the stubs currently included in the allowlist; it may not cover non-standard or custom syscall paths.
* **Privilege Level:** It is generally ineffective against malware operating with kernel-level privileges.