InfoSec Briefing - June 24, 2026

🎧 Audio Briefing

Playback Speed:

Cyber security developments for Wednesday the 24th of June 2026 covering articles added to the BlueTeamSec community on infosec.pub. Today we have 13 articles to cover. All attribution is by the article authors. All article analysis is automated.

CISA has issued an urgent advisory on the FortiBleed credential exposure incident affecting roughly 74,000 Fortinet firewalls and VPN gateways. Attackers are actively exploiting leaked credentials to gain unauthorised access, so immediate password resets, phishing-resistant MFA, and removing public internet access to management interfaces are all recommended.

Fortinet have written up the technical side of FortiBleed — essentially credential stuffing and brute-force attacks targeting devices with weak passwords and no MFA on internet-facing management interfaces. Once inside, attackers can create malicious VPN users and move laterally into internal networks, which is about as unpleasant as it sounds.

Synaptic Systems have documented GhostShell, a multi-stage espionage campaign running since February targeting Ukraine's drone ecosystem by impersonating the Besomar manufacturer. The operation exploits a pair of vulnerabilities for initial access, then deploys an mTLS-authenticated implant, a Telegram-based stager with evasion capabilities, and the Vidar info-stealer via tunnelling. The goal is intelligence on drone logistics and military supply chains.

Microsoft have attributed the Mastra npm supply chain compromise to Sapphire Sleet, a North Korean group. Following on from the story we covered earlier this week, this article provides the full technical detail: 140-plus malicious packages published after compromising a maintainer account, with a typosquatting dependency called easy-day-js that dropped obfuscated payloads, established command-and-control, and installed PowerShell backdoors with system-level persistence on developer machines and CI pipelines.

And staying with supply chain incidents, we have three separate disclosures related to the Klue breach from earlier this month. Tanium, Jamf, and the BBC have all confirmed that attackers used compromised legacy credentials to access Klue's integration infrastructure, harvest OAuth tokens, and exfiltrate data from multiple customers' Salesforce instances. The threat actor Icarus subsequently leaked the stolen data, and the BBC report notes that two members of Scattered Spider have pleaded guilty to a separate £39 million attack on Transport for London. Ongoing phishing and social engineering risks apply to anyone affected.

JFrog have documented a typosquatting campaign where a threat actor published three malicious npm packages masquerading as postcss dependencies. The packages delivered a multi-stage infection chain ending in a Python-based Windows remote access tool with persistence and data exfiltration capabilities. One for teams running npm security scans on developer workstations.

Spur Intelligence Labs analysed over 6,000 smart TV applications and found that more than a third contain residential proxy SDKs that turn consumer devices into proxy network nodes, routing third-party traffic through users' home networks without their knowledge. LG and Samsung are the most affected due to lack of platform oversight, and the embedded SDKs from providers like Bright Data and Massive create potential security risks including unauthorised network access and lateral movement opportunities.

Security researcher Dirk-jan Mollema has disclosed a technique to bypass Microsoft Entra ID Conditional Access policies that use resource exclusions. The attack exploits a design choice where low-privileged tokens — those with only basic scopes like openid or profile — bypass CA policies, yet can still access high-value resources like Microsoft Graph. Microsoft recommend enabling Baseline Scope Enforcement and avoiding all-cloud-apps policies with exclusions as mitigation.

AWS have published guidance on egress traffic controls to prevent data exfiltration from cloud workloads. The piece covers risks to traditional applications vulnerable to exploits like React2Shell, as well as modern AI agentic systems susceptible to goal hijacking and unexpected code execution. The central point is that organisations not monitoring outbound traffic can't detect unauthorised data movement to attacker-controlled endpoints, which is a fairly sizeable blind spot.

The White House issued an Executive Order on the 22nd of June mandating Federal agencies transition to Post-Quantum Cryptography by 2030 to 2031 to defend against future quantum computing threats and harvest-now-decrypt-later attacks. Agencies have 90 days to complete cryptographic asset inventories, and compliance requirements will be added to Federal procurement standards. Essentially a state-level forcing function for PQC adoption.

And finally, Rogue Authority have noted that the Cert Graveyard, a public database tracking code-signing certificates abused by malicious actors, has seen over 1.3 million requests in 14 days. It's a useful resource for documenting certificates used in malicious campaigns, and the traffic numbers suggest increasing adoption across the security community.

That concludes today's briefing.

📰 Articles Covered

CISA Urges Hardening Fortinet Devices After Reports of Credential Exposure - Cybersecurity and Infrastructure Security Agency

The following precis details the "FortiBleed" activity and the associated CISA advisory regarding the credential exposure of Fortinet devices.

### What Happened
CISA has issued an urgent advisory following reports of widespread credential exposure affecting Fortinet devices. This malicious activity, referred to as **FortiBleed**, involves the exploitation of leaked credentials to gain unauthorized access to vulnerable systems 【1】.

### Who Is Affected
The compromise impacts approximately **74,000 Fortinet devices**. The affected infrastructure primarily includes:
* Firewalls
* Virtual Private Network (VPN) gateways 【1】.

### Security Implications
The exposure of administrator credentials on these internet-facing devices creates a significant risk of unauthorized access, potential lateral movement within corporate networks, and unauthorized configuration changes. This compromise poses a severe threat to the security and integrity of the organizations utilizing these devices for secure remote access and perimeter defense.

### Technical Details
* **Credential Exposure:** The incident stems from the exposure of leaked credentials, allowing attackers to authenticate as legitimate users.
* **Credential Storage:** Investigations have highlighted concerns regarding legacy credential hashing. Fortinet and CISA recommend transitioning to the **Password-Based Key Derivation Function 2 (PBKDF2)** algorithm for storing administrator credentials, as it offers stronger security than legacy alternatives 【1】.

### What Defenders Should Know
Defenders should take immediate action to secure their environments by following these CISA-recommended steps:

| Recommendation | Action Details |
| :--- | :--- |
| **Reset and Terminate** | Terminate all active SSL VPN and administrative sessions immediately. Reset all administrative and VPN passwords, enforcing strong password policies 【1】. |
| **Enforce Phishing-Resistant MFA** | Implement phishing-resistant multifactor authentication on all remote access and administrative accounts, particularly those exposed to the internet 【1】. |
| **Harden Credential Storage** | Ensure the use of PBKDF2 for password hashing and purge any legacy hashes 【1】. |
| **Reduce Attack Surface** | Remove public internet access to firewall management interfaces. Restrict management access to trusted internal networks only and audit accounts to remove any unauthorized or unnecessary users 【1】. |
| **Log Review** | Actively monitor logs for firewall, VPN, authentication, and domain controller activity to identify signs of lateral movement, suspicious logins, or unauthorized configuration modifications 【1】. |
Analysis of Reported Credential Compromise of FortiGate Devices - Fortinet, Inc.

This analysis provides a precis of the "FortiBleed" credential-harvesting campaign affecting FortiGate devices, based on technical guidance from Fortinet.

### What Happened
Threat actors are executing a credential-harvesting campaign—dubbed "FortiBleed"—targeting FortiGate devices 【1】. The campaign is not the result of a new vulnerability, but rather the exploitation of existing credentials and weak authentication practices.

### Who Is Affected
The campaign targets FortiGate devices, specifically those with:
* Weak password hygiene.
* No multi-factor authentication (MFA) enabled.
* Internet-facing management interfaces.

### Technical Details
The attack relies on two primary methods to gain unauthorized access:
* **Credential Stuffing/Re-use:** Actors are leveraging credentials leaked from previous security incidents (specifically citing FG-IR-26-060 and FG-IR-25-647) 【1】.
* **Brute-Force Techniques:** Attackers are employing automated brute-force methods to guess passwords on exposed interfaces 【1】.

### Security Implications
Successful compromise grants the attacker administrative access to the FortiGate device. This allows for:
* Unauthorized configuration changes.
* Creation of malicious VPN users, potentially enabling lateral movement into the internal network 【1】.
* Potential compromise of integrated authentication services (e.g., AD/LDAP) if the device credentials were used elsewhere 【1】.

### Advice for Defenders
Fortinet advises organizations to take the following immediate steps to secure their infrastructure:

| Action Category | Recommended Steps |
| :--- | :--- |
| **Immediate Remediation** | Terminate all active admin/VPN sessions; reset all admin and VPN passwords immediately 【1】. |
| **Authentication** | Enforce multi-factor authentication (MFA) for all administrator and VPN accounts 【1】. |
| **System Hardening** | Upgrade to the latest versions of 7.4, 7.6, or 8.0 to support stronger PBKDF2 credential hashing; remove legacy password settings 【1】. |
| **Audit & Validation** | Inspect configurations for unauthorized changes or unrecognized accounts (e.g., `forticloud`, `fortiuser`); compare against a "known good" backup 【1】. |
| **Monitoring** | Check logs for unexpected admin access from unknown IPs and monitor domain controllers for signs of lateral movement 【1】. |
| **Attack Surface Reduction** | Restrict remote management to trusted hosts only, or remove internet-based administration entirely 【1】. |

If evidence of compromise is discovered, treat the device as breached and initiate official recovery procedures. If lateral movement into the internal network is suspected, contact Fortinet support for further assistance 【1】.
From package to postinstall payload: Inside the Mastra npm supply chain compromise by Sapphire Sleet - Microsoft

This incident involved a sophisticated npm supply chain attack orchestrated by the threat actor **Sapphire Sleet**, which compromised over 140 packages within the `mastra` and `@mastra` scopes 【1】.

### Incident Overview
The threat actor gained unauthorized access to the `ehindero` npm account, a maintainer with administrative publish rights for the Mastra ecosystem. This account was used to publish "poisoned" versions of 140+ packages, all tagged as `latest` 【1】. The malicious versions introduced a dependency on `easy-day-js`, a typosquatting package masquerading as the popular `dayjs` library. The npm security team has since removed the compromised packages and revoked the attacker's access 【1】.

### Who Is Affected
Any developer workstation, server, or CI/CD pipeline that executed `npm install` or `npm update` while the compromised versions were live was potentially exposed. Because the attack utilizes an npm `postinstall` hook, exposure occurs automatically upon package installation, regardless of whether the package code is ever imported or executed in the final application 【1】.

### Technical Details
* **Execution Vector:** The `postinstall` hook of the malicious `easy-day-js` dependency triggered an obfuscated 4,572-byte dropper script 【1】.
* **Payload Behavior:** The dropper disabled TLS certificate verification, established communication with attacker-controlled C2 infrastructure, and downloaded a second-stage payload, which was executed as a detached, hidden Node.js process 【1】.
* **Persistence & Escalation:** On successfully compromised systems, the attacker deployed a PowerShell backdoor, established additional persistence, added antivirus exclusions, and installed a service-level implant to achieve `SYSTEM` context access 【1】.

### Security Implications
The attack poses a significant threat to software integrity and environmental security. Compromised systems risk the exposure of sensitive developer credentials, API tokens, and environmental secrets present on workstations or CI/CD pipelines. Furthermore, the installation of high-privilege implants potentially allows the threat actor persistent control over affected infrastructure 【1】.

### Recommendations for Defenders
* **Immediate Remediation:** Rotate all credentials, tokens, and API keys that were present on potentially compromised systems 【1】.
* **Audit & Review:** Check `node_modules/` and `package-lock.json` files for the presence of `easy-day-js`. Review CI/CD logs for outbound connections to C2 IPs `23.254.164.92` and `23.254.164.123`, which should be blocked at the network perimeter 【1】.
* **Indicators of Compromise (IOCs):** Scan for unusual files such as `$TMPDIR/.pkg_history`, `$TMPDIR/.pkg_logs`, or unexpected `.js` files in temp/home directories 【1】.
* **Proactive Defense:** Use `npm install --ignore-scripts` to prevent automatic execution of `postinstall` hooks. Ensure package versions are pinned; specifically, ensure projects use `mastra` version 1.13.0 or earlier, and `@mastra/core` version 1.42.0 or earlier 【1】.
Klue Third-Party Cybersecurity Incident - Jamf

This incident involved unauthorized access to a third-party vendor environment that subsequently impacted Jamf’s internal data. Below is a detailed summary based on the provided report.

### **What Happened**
A third-party actor gained unauthorized access to the environment of **Klue**, a vendor Jamf utilizes for competitive intelligence services. This breach allowed the unauthorized party to exploit Klue’s integration with Jamf’s Salesforce instance, resulting in unauthorized access to data within that instance 【1】.

### **Who Is Affected**
* **Jamf:** The organization's Salesforce data was accessed.
* **Data Subjects:** The breach potentially exposed contact information and business data fields contained within Jamf’s Salesforce environment. There is a risk that this information could be used for follow-up malicious activities 【1】.
* **Status of Products:** Jamf has explicitly stated that its products were not affected, and the company's ability to serve customers remained intact 【1】.

### **Security Implications**
The primary security risk identified is the potential for **targeted phishing campaigns**. Because the attackers obtained contact information from the compromised Salesforce data, they may pose as legitimate Jamf employees or IT professionals to deceive recipients. There is an ongoing risk of social engineering or credential harvesting targeting those whose information was contained in the affected environment 【1】.

### **Technical Details & Response**
* **Containment:** Upon notification, Jamf immediately disabled the Klue integration within their Salesforce environment 【1】.
* **Evidence:** As of the time of the report, Jamf indicated there was no evidence of lateral movement within their systems 【1】.
* **Scope:** The investigation remains ongoing, but the impact appears to have been limited primarily to business data fields within the Salesforce environment 【1】.
* **Actions Taken:** Jamf engaged cybersecurity experts to assist in the investigation and has notified law enforcement 【1】.

### **What Defenders Should Know**
* **Vendor Risk:** This incident highlights the critical importance of vetting and monitoring the security posture of third-party integrations. Even if a vendor is trusted, their connection to your internal environment serves as a potential attack vector.
* **Vigilance Against Impersonation:** Defenders should warn users—especially those in contact with Jamf—to remain highly skeptical of unsolicited communications. Phishing attempts may leverage the specific business context stolen from the Salesforce data to appear more credible.
* **Best Practices:** Encourage staff to follow standard security hygiene: do not share sensitive information or credentials with unknown senders, and report any suspicious emails through official channels immediately 【1】.
Two men plead guilty over £39m Transport for London cyber attack - BBC

This report summarizes the cyber attack on Transport for London (TfL), based on reporting by the BBC.

### **What Happened**
On 31 August 2024, Transport for London (TfL) suffered a major "network intrusion" that resulted in three months of operational disruption and an estimated £39 million in financial losses 【1】. Two individuals, Thalha Jubair (20) and Owen Flowers (18), have since pleaded guilty to conspiring to commit unauthorised acts against TfL under the Computer Misuse Act 【1】. The attack has been attributed to the criminal group "Scattered Spider," which is also linked to breaches at other major organizations, including Jaguar Land Rover and Marks and Spencer 【1】.

### **Who is Affected**
* **Customers:** Approximately 10 million customers were affected by the breach, with thousands notified by TfL that their personal information had been accessed 【1】.
* **Operations:** The attack significantly impacted TfL’s online services, took information boards offline, disrupted the Oyster refund system (causing delays for users), and shut down the application process for children’s and young people’s Oyster photocards 【1】.

### **Technical Details**
* **Methodology:** The perpetrators used Telegram and an online collaborative workspace to communicate during the attack 【1】.
* **Evidence:** Investigators discovered that Flowers had accessed an online tool used to purchase breached credentials 【1】. Seized hardware, including laptops, contained incriminating evidence such as screenshots confirming connectivity to TfL infrastructure and video footage showing Jubair actively accessing TfL systems 【1】.

### **Security Implications & Lessons for Defenders**
* **Critical Infrastructure Risk:** The case highlights the severe operational and financial risks cyber attacks pose to critical national infrastructure. The £39 million loss and sustained service disruption underscore the need for high-resilience security architectures 【1】.
* **Credential Management:** The use of purchased breached credentials by the attackers emphasizes the importance of robust identity and access management (IAM), including multi-factor authentication (MFA) and continuous monitoring for suspicious credential use.
* **Proactive Monitoring:** TfL officials stressed that maintaining system security requires continuous, vigilant monitoring to identify and block unauthorized access attempts in real time 【1】.
* **Collaborative Threat Actor Profiles:** The attribution to "Scattered Spider"—a group known for targeting large retail and industrial entities—demonstrates that defenders should monitor for threat intelligence related to this specific group’s tactics, techniques, and procedures (TTPs) 【1】.
From PostCSS Masquerading to Windows RAT - JFrog

The provided summary accurately captures the core technical findings of the JFrog research report regarding the supply-chain attack. Here is the requested detailed precis structured for clarity:

### What Happened
A threat actor, operating under the npm handle `abdrizak`, performed a malicious typosquatting supply-chain attack. By publishing three packages—`postcss-minify-selector-parser`, `postcss-minify-selector`, and `aes-decode-runner-pro`—the actor tricked developers into installing packages that appeared to be legitimate dependencies for the `postcss` ecosystem. These packages contained a multi-stage infection chain designed to drop a sophisticated Remote Access Trojan (RAT) on Windows developer machines.

### Who is Affected
* **Targeted Audience:** Primarily web developers and DevOps engineers using JavaScript/Node.js build pipelines, specifically those relying on `postcss` and related build tools.
* **System Impact:** Developers working on Windows environments, as the final payload is specifically engineered to operate within the Windows ecosystem.

### Security Implications
This incident underscores the persistent danger of dependency confusion and typosquatting in software supply chains. By masquerading as useful tools, the attackers achieved:
* **Execution in Development Environments:** Compromise of the developer’s workstation, which often holds sensitive access tokens, secrets, and internal source code.
* **Persistence:** Establishing long-term access via registry keys.
* **Data Exfiltration:** Access to saved browser credentials, extensions, and the ability to transfer files or gain shell access.

### Technical Details
The attack utilizes a complex, multi-stage delivery pipeline:
1. **Obfuscation:** Encoded payloads (AES-256-GCM) are embedded directly within the malicious npm packages.
2. **Dropper/Downloader:** Upon installation/execution, a JavaScript dropper initiates a PowerShell script that fetches a secondary payload (`winpatch-xd7d.win`) from the attacker-controlled domain `nvidiadriver[.]net`.
3. **RAT Architecture:** The final RAT is a Python-based agent utilizing Nuitka-compiled modules (`.pyd`). It uses a VBScript bootstrapper to maintain execution.
4. **C2 & Functionality:** The RAT communicates with its Command and Control (C2) server (`95[.]216[.]92[.]207:8080`) using encrypted HTTP traffic to receive commands, exfiltrate data, and profile the victim machine.

### Guidance for Defenders
To mitigate and investigate potential compromises, defenders should perform the following:
* **Immediate Removal:** Audit `package.json` and lock files to identify and remove the identified malicious packages.
* **Indicator of Compromise (IoC) Blocking:** Block all network communications to:
* **Domain:** `nvidiadriver[.]net`
* **IP:** `95[.]216[.]92[.]207`
* **Endpoint Hunting:** Scan Windows machines for:
* **Files/Paths:** `%TEMP%\winPatch` directory; `%TEMP%\.store` and `%TEMP%\.host` files; `chost.exe`; `loader.py`.
* **Registry:** Persistence via `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\csshost`.
* **Credential Hygiene:** If a developer machine was compromised, treat all stored credentials (browser logins, API keys, development tokens) as stolen and initiate an immediate rotation.
Nearly Half of LG Smart TV Apps Contain Residential Proxy SDKs - Spur Intelligence Labs

The article from Spur Intelligence Labs outlines a significant security and privacy concern involving the monetization of smart TVs through residential proxy software development kits (SDKs). Below is a detailed precis of the findings.

### Executive Summary: The "Smart TV Proxy" Problem
Researchers identified a widespread practice where smart TV application developers integrate residential proxy SDKs to turn consumer devices into nodes within a global proxy network. This allows third parties to route internet traffic through the user's home network, effectively monetizing the user's IP address and bandwidth without clear, ongoing consent or awareness.

### Key Aspects
* **What Happened:** Spur analyzed 6,038 smart TV applications and discovered that 2,058 (over 34%) contained residential proxy SDKs. These SDKs allow the application to function as a gateway for external traffic, often running silently in the background long after the primary application is closed.
* **Who is Affected:** Consumers using LG and Samsung smart TVs are currently the most vulnerable. Unlike platforms such as Roku and Amazon Fire TV, which have implemented stricter policies against these services, LG and Samsung platforms currently lack sufficient oversight, allowing these proxy networks to proliferate.
* **Security Implications:** The integration of these SDKs places a third-party gateway inside the user's home network. While these SDKs typically include internal policies meant to prevent access to private IP ranges (e.g., `192.168.x.x`), these protections are self-imposed by the vendor. If these boundaries fail or are bypassed, the smart TV could become an entry point for attackers to perform reconnaissance or lateral movement, potentially exposing other devices like routers, NAS systems, and security cameras.
* **Technical Details:** The research identified artifacts from known proxy providers such as Bright Data, Massive, and Honeygain/Oxylabs. A critical technical concern is the persistence of these connections; the SDKs maintain background activity, making the TV a permanent proxy node. Security is fundamentally delegated to the proxy provider’s internal vetting and filtering, rather than being enforced by the TV’s operating system.
* **What Defenders Should Know:**
* **Visibility Issues:** Smart TVs are rarely monitored like traditional computers. They lack intuitive interfaces for auditing background network activity or energy consumption, making them ideal, "hidden" hosts for proxy traffic.
* **Inadequate Consent:** While users may provide initial consent, the persistent nature of these background proxies means that the scope of what the user agreed to is often misrepresented or misunderstood.
* **Platform Disparity:** Organizations managing device fleets (e.g., in corporate or guest environments) should be aware that LG and Samsung platforms are currently less restrictive regarding this activity than other popular streaming platforms.
* **Provider Claims:** While proxy vendors claim to utilize "Know Your Customer" (KYC) processes and traffic filtering to mitigate abuse, the fundamental architecture places the responsibility for network integrity on an external party, rather than the device owner.
Bypassing Conditional Access policies that have a resource exclusion - Dirk-jan Mollema

You have accurately captured the essence of the vulnerability detailed by Dirk-jan Mollema. To round out the technical understanding, it is important to emphasize that the core issue stems from a historical design choice in Entra ID to ensure interoperability: by default, the system allows "low-privileged" tokens (such as those containing only `openid`, `profile`, or `email` scopes) to bypass Conditional Access policies to prevent breaking common authentication flows for legacy or third-party applications.

The severity highlighted in the research arises from the fact that this "low-privileged" bypass can be weaponized against high-value Microsoft-owned resource applications (like the Microsoft Graph). Because the backend services for these apps frequently do not strictly validate the limited scopes against the intended access, an attacker who obtains a token that successfully bypassed MFA—because it claimed to be for a "safe," non-CA-protected resource—can then use that same token to query sensitive data through the Graph.

For defenders, the key takeaways are:

* **Move away from "All Cloud Apps" with Exclusions:** If possible, structure Conditional Access policies to include specific, necessary applications rather than using "All Cloud Apps" with resource exclusions, which is inherently brittle.
* **Prioritize the "Baseline Scope" Mitigation:** As you noted, the recommended path forward is enabling **Baseline Scope Enforcement**. Microsoft has introduced this specifically to address the issue where token scopes were not being properly evaluated against CA policy requirements.
* **Audit for Misconfigurations:** Organizations should periodically audit their CA policies to identify where resource exclusions are currently in use, as these represent potential "blind spots" in the security posture that attackers actively scan for.

The information provided in your precis is comprehensive and aligns with the findings in the article. No further research is required at this time.
Prevent data exfiltration: AWS egress controls for cloud workloads | Amazon Web Services - Amazon Web Services

The provided summary accurately captures the essential elements of the AWS security blog post regarding egress controls. Below is the detailed precis requested based on that analysis.

### Detailed Precis: Preventing Data Exfiltration via AWS Egress Controls

#### Context & Scope
The article addresses a critical imbalance in cloud security: while inbound traffic is heavily scrutinized, **outbound (egress) traffic** is frequently overlooked, creating massive opportunities for data exfiltration. This risk spans both traditional enterprise applications and modern AI-driven agentic systems.

#### Who is Affected & How
* **Traditional Workloads:** Organizations operating standard web applications remain vulnerable to exploitation of known vulnerabilities (e.g., CVE-2025-55182, "React2Shell"). Attackers exploit these to establish Command-and-Control (C2) channels for exfiltration.
* **Agentic AI Systems:** Organizations deploying AI agents are at risk from specific threats such as **Agent Goal Hijacking** and **Unexpected Code Execution**. Here, attackers manipulate the agent into exfiltrating sensitive data to unauthorized external endpoints.

#### Security Implications
Failing to secure egress traffic results in a "blind spot" where organizations cannot detect unauthorized data movement. Even with secure perimeters, if a workload is compromised or an AI agent is manipulated, the lack of outbound restrictions allows data to be moved out of the environment undetected.

#### Technical Implementation Details
Defenders are encouraged to move away from permissive egress policies toward a **layered security model**:
* **Traffic Filtering (L3–L7):** Deploy **AWS Network Firewall** to perform deep packet inspection, domain filtering, and TLS decryption for traffic traversing transit gateways.
* **DNS Protection:** Utilize **Route 53 Resolver DNS Firewall** to intercept and block DNS-based exfiltration (e.g., DNS tunneling) at the source.
* **Data Perimeter Enforcement:** Use **Service Control Policies (SCPs)**, **Resource Control Policies (RCPs)**, and **VPC Endpoint Policies** to ensure data can only interact with authorized, trusted resources and accounts.
* **Detection & Visibility:** Maintain continuous monitoring using **Amazon GuardDuty** (for anomaly detection), **IAM Access Analyzer** (for policy drift and external access), and **AWS Security Hub** (for consolidated reporting).

#### Strategic Guidance for Defenders
The article advocates for a structured, phased maturation of security posture:
1. **Immediate Baseline:** Implement Route 53 DNS Firewall and enable Amazon GuardDuty for instant visibility into common exfiltration patterns.
2. **Infrastructure Hardening:** Establish organization-wide data perimeters and deploy AWS Network Firewall for granular traffic control.
3. **Automation & Response:** Utilize **Amazon EventBridge** and **AWS Lambda** to build automated remediation loops that update security rules dynamically based on threat intelligence.
4. **Validation:** Regularly conduct red-teaming or simulated exfiltration exercises to verify that egress controls are correctly configured and functional.
Securing the Nation Against Advanced Cryptographic Attacks - The White House

The information you provided offers a comprehensive overview of the Executive Order issued on June 22, 2026. Based on that summary, here is the requested precis:

### Executive Order: Securing the Nation Against Advanced Cryptographic Attacks

**What Happened**
On June 22, 2026, President Donald J. Trump issued an Executive Order mandating a national transition to Post-Quantum Cryptography (PQC). The order aims to safeguard Federal information systems, critical infrastructure, and the digital economy against emerging threats posed by future large-scale quantum computing capabilities.

**Who is Affected**
* **Federal Agencies:** Specifically those managing high-value assets (HVAs) and "high-impact" information systems (excluding National Security Systems).
* **Critical Infrastructure:** Owners and operators, who will receive assistance from Sector Risk Management Agencies during the migration.
* **Contractors:** Covered contractors will be required to meet new PQC-compliant Federal Acquisition Regulation (FAR) standards.

**Security Implications**
The primary driver for this mandate is the threat of "harvest now, decrypt later" attacks, where adversaries collect sensitive data today to decrypt it once quantum computing technology matures. This transition is framed as essential for preserving national security, economic stability, and technological dominance.

**Technical Details**
* **PQC Standards:** Agencies are required to adopt NIST-approved Federal Information Processing Standards (FIPS) for PQC.
* **Implementation Timelines:**
* **Key Establishment:** Deadline of December 31, 2030.
* **Digital Signatures:** Deadline of December 31, 2031.
* **Asset Management:** The Department of Homeland Security is tasked with developing a Cryptographic Bill of Materials (CBOM) to allow for the automated auditing of cryptographic assets.

**What Defenders Should Know**
* **Immediate Governance:** Agency heads must appoint a PQC migration lead within 30 days of the order.
* **Inventory Phase:** Agencies must complete an inventory of HVAs and high-impact systems within 90 days.
* **Contractual Compliance:** The FAR Council will establish rules mandating PQC compliance for contractors by the end of 2030. Additionally, contractors must implement vulnerability disclosure policies that explicitly cover cryptographic weaknesses.
* **Support Ecosystem:** NIST, in collaboration with the NSA and CISA, will provide technical resources. The government is also exploring centralized procurement and support models to mitigate migration costs.
Using the Cert Graveyard - Rogue Authority LLC

The article "Using the Cert Graveyard" details the growing utility and adoption of the **Cert Graveyard**, a public database focused on documenting code-signing certificates abused by malicious actors.

### Executive Summary: What Happened
The author reports that the Cert Graveyard has experienced a massive surge in legitimate traffic, handling over 1.3 million requests in a 14-day window. While this initially sparked concerns of a potential DDoS attack—reminiscent of an incident in May 2025—it was determined that the traffic was driven by increased adoption and integration of the service by security teams and platforms like MalwareBazaar, which accounts for roughly 40,000 lookups per day.

### Who is Affected
The database is a resource for:
* **Security Operations Centers (SOCs) and Incident Responders:** Using the data to hunt for and block malicious files.
* **Malware Analysts:** Leveraging the database to cross-reference samples.
* **Platforms/Services:** Such as MalwareBazaar, which integrates the feed to provide context on sample signatures.

### Security Implications
* **Proactive Defense:** By blocking certificates identified in the Graveyard, organizations can prevent the execution of known-malicious signed binaries.
* **Attribution and Intelligence:** The data helps analysts identify that certificates often appear to be issued to legitimate entities (e.g., Lenovo, Kingston Technologies) but are being actively exploited by threat actors to bypass security controls.
* **Visibility:** It provides a centralized repository for tracking the lifecycle and abuse of code-signing certificates, which is critical when threat actors frequently switch certificates to maintain persistence or avoid detection.

### Technical Details
* **Scale:** The database currently tracks 2,400 unique abused code-signing certificates.
* **Integration Capabilities:**
* **MagicSword:** A tool for Windows Defender Access Control (WDAC) that allows administrators to automatically block drivers and files signed by listed certificates.
* **Hunting:** Defenders can utilize KQL queries or YARA rules (e.g., `Certgraveyard_YARA`) to scan their environments for matching signatures.
* **Consumption:** Data is accessible via direct API lookups, RSS/Atom feeds, or full database downloads (the total size is approximately 1.5MB).

### What Defenders Should Know
* **Value of Serial Numbers:** The serial number of a certificate is identified as the most reliable indicator for identifying malware signed by abused entities.
* **Operationalizing:** Defenders should integrate the Cert Graveyard feed into their existing threat hunting and endpoint protection workflows to automate the identification and blocking of signed malicious code.
* **Sustainability:** As the project is operated by Rogue Authority LLC and experiences significant infrastructure load, the author encourages organizations that rely on this intelligence to support the project through donations to cover hosting and infrastructure costs.
GhostShell (MB-0009): Targeting Ukraine’s UAV Operations and Defense Supply Chain - Synaptic Systems

This précis details the **GhostShell (MB-0009)** cyber campaign based on the analysis provided by Synaptic Systems.

### Overview: What Happened and Who Is Affected
GhostShell (MB-0009) is a highly disciplined, multi-stage cyber espionage campaign that has been active since at least February 2026. The threat actor is targeting Ukraine's critical **UAV/drone ecosystem**.

By impersonating **Besomar**, a Ukrainian fixed-wing drone manufacturer, the attackers distribute malicious RAR archives—typically labeled as product or technical documentation—to entities within the supply chain. Affected parties include military units, defense personnel, procurement staff, and volunteer organizations involved in drone operations. The primary goals are to gain operational access and steal intelligence related to drone supply-chain logistics.

### Technical Details
The campaign demonstrates sophisticated operational security (OPSEC) and varied deployment tactics:

* **Initial Access:** The attack uses a RAR archive (`Besomar_documentation.rar`) to exploit **CVE-2025-8088 / CVE-2025-6218**. This vulnerability allows the threat actor to perform relative path traversal, dropping a malicious VBS stub directly into the user’s Windows Startup folder.
* **Malicious Payload Execution:** The VBS stub fetches three distinct binaries from `cloudaxis[.]cc`:
* **Implant Loader (`122.exe`):** Employs an XOR-encrypted overlay (Key: `d0cd4cb8d4673e28`) to execute a Stage-2 implant in memory. Notably, this implant uses mutual-TLS (mTLS) for C2 communication, authenticated via a hardcoded private **"GhostShell Implant CA"**.
* **HTTPS Stager (`update.exe`):** A sophisticated loader that masks itself as a legitimate Windows service. It retrieves its dynamic C2 address from a Telegram dead-drop (`t.me/flufff6262`) using specific decoding routines. It further secures its execution by patching AMSI/ETW and unhooking `ntdll.dll` to inject Metasploit-compatible shellcode.
* **Vidar Launcher (`22.exe`):** A Go-based binary that establishes a secure tunnel using Xray-Core (VLESS+XTLS Vision+REALITY) and injects the **Vidar v2** info-stealer into memory to harvest credentials, browser data, and various messaging/gaming application artifacts.

### Security Implications
The campaign stands out for its high level of technical maturity and infrastructure discipline. The actor effectively separates infrastructure across different campaign phases and uses custom cryptographic routines (e.g., the decryption constant `(i*7 - 0x58) & 0xFF`). While the targeting of Ukrainian defense assets points toward a likely Russian geopolitical motive, technical evidence does not yet conclusively link this to a specific state sponsor, leading analysts to classify it as an independent, trackable cluster (MB-0009).

### Recommendations for Defenders
Defenders should focus on the following high-confidence indicators and pivots to identify and mitigate GhostShell activity:

| Category | Indicator/Recommendation |
| :--- | :--- |
| **Pivot Point** | The hardcoded issuer string `CN=GhostShell Implant CA` in client certificates. |
| **YARA/Detection** | Search for the XOR overlay key: `d0cd4cb8d4673e28`. |
| **Detection Logic** | Monitor for the cryptographic decryption routine `(i*7 - 0x58) & 0xFF` and the implant beacon template: `implant=v%u.%u.%u&host=%s&user=%s&pid=%lu&tid=%lu`. |
| **Behavioral** | Monitor for AI-generated decoy documentation sites and suspicious use of Telegram dead-drops for C2 configuration. |
| **Operational** | Maintain strict awareness of archive-handling vulnerabilities (CVE-2025-8088/6218) and secure endpoint configurations to block unauthorized path traversal attempts. |
Security Update: Tanium’s Response to the Klue Breach that Allowed Data Exfiltration from Salesforce | Tanium - Tanium

The breach of Klue, a market intelligence platform, served as a supply-chain attack that allowed unauthorized actors to exfiltrate data from the Salesforce instances of several of its customers 【1】【2】.

### What Happened
On June 12, 2026, Klue detected an intrusion within its systems 【1】. Attackers gained access to Klue’s production and integration infrastructure—specifically targeting the "Klue Battlecards" application—by utilizing compromised legacy credentials 【1】【4】.

By compromising this integration environment, the attackers were able to harvest OAuth tokens associated with Klue’s customers. These tokens were subsequently used to query and exfiltrate data directly from the Salesforce environments of those clients 【1】【2】. Salesforce disabled the Klue Battlecards integration on June 17, 2026, following the detection of this unusual activity 【1】【3】.

### Who Is Affected
Numerous organizations were impacted, particularly within the cybersecurity industry. Publicly acknowledged victims include:
* Tanium 【6】
* Huntress 【4】
* Recorded Future 【4】
* Jamf 【4】
* HackerOne, OneTrust, and Snyk 【4】

### Security Implications
* **Data Exposure:** Affected companies confirmed that unauthorized access was limited to Salesforce environments; internal systems, platforms, or core services remained secure 【1】.
* **Trust and Supply Chain:** The incident highlights the inherent risks of third-party integrations. Even if a company maintains high internal security, a breach of a vendor with privileged access (via OAuth tokens) can bypass those protections.
* **Leakage:** The threat actor "Icarus" listed stolen data from several of these firms on a data leak website, raising concerns about the misuse of customer or operational data 【5】.

### Technical Details
* **Attack Vector:** Compromise of legacy credentials to access Klue’s internal integration infrastructure 【1】.
* **OAuth Abuse:** The attackers specifically targeted OAuth tokens that provide the Klue Battlecards app authorized, persistent access to customer Salesforce instances 【3】.
* **Execution:** With these tokens, the attackers bypassed standard login procedures to query and exfiltrate Salesforce records 【2】.

### What Defenders Should Know
* **Audit OAuth Integrations:** Regularly review all third-party applications connected to enterprise platforms like Salesforce. Apply the principle of least privilege—if an integration is no longer needed, revoke its access tokens immediately.
* **Monitor Token Usage:** Implement monitoring for unusual API behavior or unexpected data export patterns originating from service accounts or OAuth applications 【3】.
* **Manage Legacy Credentials:** Identify and decommission legacy or unused credentials, which are frequent targets for attackers seeking to gain an initial foothold in a supply chain 【1】.
* **Response Readiness:** The swift action taken by Salesforce in disabling the integration underscores the importance of having established channels and processes for working with SaaS providers during an incident.