Executive Summary

The 28–29 May window is dominated by two converging deadline pressures — the CISA federal remediation deadlines for LiteSpeed CVE-2026-48172 and Exchange CVE-2026-42897 expire today — and a rare CISA ICS advisory cluster releasing ten advisories simultaneously covering operational technology across critical infrastructure sectors. The FBI FLASH alert on Silent Ransom Group / Luna Moth highlights an escalating physical social engineering campaign against law firms, now confirmed at over 100 organisations. The GHOST STADIUM FIFA World Cup fraud operation continues to expand ahead of the tournament.

Top priorities for today:

  • CVE-2026-48172 (LiteSpeed cPanel) — CISA federal deadline is today. If not yet patched, patch now or disable the LiteSpeed cPanel plugin immediately.
  • CVE-2026-42897 (Exchange OWA XSS) — CISA federal deadline is today. Apply the Exchange interim mitigation if a permanent patch is not yet available.
  • CISA ICS Advisory Cluster — Ten advisories across ABB, Schneider Electric, USR IOT, Fourth Frontier, CP Plus, XCharge, KMW, and MacGregor. Review all OT/ICS environments against the advisory list and apply vendor mitigations immediately for hard-coded credential and command injection findings.
  • Silent Ransom Group / Luna Moth — If your organisation is a law firm, financial services provider, or healthcare entity: brief staff that physical IT support requests must be verified through an out-of-band callback to a known-good number. Do not allow USB devices to be inserted by unverified personnel.
  • NGINX CVE-2026-42945 — Dual exploitation with CVE-2026-9256 is ongoing. Review NGINX and Ingress-NGINX configurations.

Threat Landscape Overview

#  | Threat Cluster | Severity | Status | Timestamp
1  | CISA ICS Advisory Cluster — 10 advisories, multiple critical infrastructure sectors | HIGH | NEW — Released 2026-05-28 | 2026-05-28 00:00 UTC
2  | CVE-2026-42897 — Exchange OWA XSS — CISA deadline TODAY | CRITICAL | [UPDATED] Deadline 2026-05-29 | 2026-05-29
3  | CVE-2026-48172 — LiteSpeed cPanel priv esc — CISA deadline TODAY | CRITICAL | [UPDATED] Deadline 2026-05-29 | 2026-05-29
4  | NGINX CVE-2026-42945 — dual exploitation with CVE-2026-9256 | CRITICAL | [UPDATED] Ongoing | 2026-05-28
5  | Silent Ransom Group / Luna Moth — physical social engineering, law firms | HIGH | [UPDATED] FBI FLASH 2026-05-26 | 2026-05-28
6  | GHOST STADIUM — FIFA World Cup phishing fraud network | HIGH | [UPDATED] Active, 300+ domains | 2026-05-28
7  | KnowledgeDeliver LMS CVE-2026-5426 — ViewState deserialization | HIGH | [UPDATED] Active exploitation | 2026-05-28
8  | Gitea CVE-2026-27771 — unauthenticated container image pull | HIGH | [UPDATED] Patched in 1.26.2 | 2026-05-28
9  | MiniPlasma — Windows LPE via cldflt.sys (incomplete CVE-2020-17103 patch) | HIGH | [UPDATED] Active | 2026-05-28
10 | Charter / ShinyHunters breach — 42M+ records, Microsoft Entra vishing | MEDIUM | [UPDATED] Data published 2026-05-27 | 2026-05-28
11 | Tycoon 2FA AiTM PhaaS — post-takedown resurgence | HIGH | [UPDATED] Resurgent | 2026-05-28

New Intelligence

1. CISA ICS Advisory Cluster — 10 Advisories, Multiple Critical Infrastructure Sectors HIGH

Source: CISA ICS Advisories, 2026-05-28 • Sectors: Energy, Healthcare, Transportation, Manufacturing, Maritime

CISA released ten ICS advisories simultaneously on 28 May covering a broad range of operational technology products across critical infrastructure sectors. The cluster reflects coordinated disclosure by multiple vendors through CISA’s coordinated vulnerability disclosure programme. Key findings:

Vendor / Product | Advisory | Vulnerability Type | Severity
ABB EIBPORT | ICSA-26-148-01 | Hard-coded credentials, authentication bypass | CRITICAL
Schneider Electric EcoStruxure HVAC Expert | ICSA-26-148-02 | Command injection via HVAC configuration interface | HIGH
USR IOT Gateway | ICSA-26-148-03 | Hard-coded credentials, remote code execution | CRITICAL
Fourth Frontier Frontier X2 (cardiac monitor) | ICSA-26-148-04 | Unencrypted Bluetooth transmission, spoofing | HIGH
CP Plus NVR | ICSA-26-148-05 | Authentication bypass, command injection | CRITICAL
XCharge C6s EV Charger | ICSA-26-148-06 | Insecure direct object reference, charge manipulation | MEDIUM
KMW CCTV Systems | ICSA-26-148-07 | Hard-coded credentials | HIGH
MacGregor Voyage Data Recorder | ICSA-26-148-08 | Unencrypted storage of voyage records, tampering | HIGH
USR IOT Smart Gateway (second variant) | ICSA-26-148-09 | Path traversal, credential exposure | HIGH
ABB EIBPORT (firmware 3.x) | ICSA-26-148-10 | Unauthenticated remote code execution | CRITICAL

The ABB EIBPORT advisories (ICSA-26-148-01 and ICSA-26-148-10) are the most severe: the device is a building automation gateway widely deployed in commercial HVAC, lighting, and access control systems, and the hard-coded credential and unauthenticated RCE findings mean any internet-exposed EIBPORT is trivially compromisable. CP Plus NVR authentication bypass is similarly critical given widespread deployment in physical security systems across healthcare and government facilities.

Action required: Cross-reference all OT asset inventories against the ten advisory products. Apply vendor mitigations immediately. For products with hard-coded credentials (ABB EIBPORT, USR IOT, KMW CCTV), place them behind a network jump host and remove direct internet exposure while awaiting firmware updates.


Updated Intelligence

2. CVE-2026-42897 — Exchange OWA XSS — CISA Federal Deadline TODAY CRITICAL [UPDATED]

CISA federal deadline: 2026-05-29 (TODAY)

Any FCEB agency that has not applied the Exchange interim mitigation for CVE-2026-42897 is now in violation of BOD 22-01. No permanent patch exists as of this date; Microsoft’s interim mitigation involves disabling specific OWA rendering components and applying URL filtering rules. Exchange Online is not affected. The XSS enables session token theft from any OWA user who opens a crafted email, allowing full mailbox impersonation and lateral movement via Outlook delegation.

Action required: Apply Microsoft’s interim mitigation immediately. Consider enabling OWA external access restrictions to known IP ranges as a defence-in-depth measure. Monitor Exchange application event logs for anomalous JavaScript execution events.


3. CVE-2026-48172 — LiteSpeed cPanel Privilege Escalation — Federal Deadline TODAY CRITICAL [UPDATED]

CISA federal deadline: 2026-05-29 (TODAY)

The CVE-2026-48172 federal remediation deadline expires today. LiteSpeed v2.4.5 addresses the vulnerability. cPanel’s emergency patch from 19 May auto-uninstalled vulnerable plugin versions on managed servers. Operators running self-managed cPanel+LiteSpeed stacks must verify the plugin version manually. The exploitation indicator — /var/cpanel/logs entries containing cpanel_jsonapi_func=redisAble from unexpected user accounts — should be audited retroactively for the past two weeks.
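The retroactive audit described above, as an added example (not cPanel, LiteSpeed or CISA tooling): it scans log lines for the indicator string, keeps only hits inside the two-week window, and drops accounts you expect to have enabled Redis. The bulletin gives only the indicator and the directory, so the line layout parsed by LINE_RE and the sample lines are constructed; adjust the regex to the real file you point it at.

```python
"""Audit cPanel-style log lines for the CVE-2026-48172 exploitation indicator.

Added example. The log line layout below is an assumption (constructed for
illustration); only the indicator string and the log directory come from the
bulletin.
"""
import re
from datetime import datetime, timedelta, timezone

INDICATOR = "cpanel_jsonapi_func=redisAble"

# Assumed layout: [ISO-8601 timestamp] client-ip - account "METHOD path HTTP/1.1" status
LINE_RE = re.compile(
    r'^\[(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:Z|[+-]\d{2}:\d{2}))\]\s+'
    r'(?P<client>\S+)\s+-\s+(?P<account>\S+)\s+"(?P<request>[^"]*)"\s+(?P<status>\d{3})'
)


def audit_lines(lines, expected_accounts, now, lookback_days=14):
    """Return (timestamp, account, request) for every indicator hit that falls
    inside the lookback window and did not come from an expected account.
    Lines that do not match LINE_RE are skipped rather than guessed at."""
    cutoff = now - timedelta(days=lookback_days)
    hits = []
    for line in lines:
        if INDICATOR not in line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        if ts < cutoff:
            continue
        if m["account"] in expected_accounts:
            continue
        hits.append((ts, m["account"], m["request"]))
    return hits


# Constructed sample lines: one expected admin call, one unexpected account,
# one hit outside the window, one unrelated API call.
SAMPLE_LOG = """\
[2026-05-27T09:14:03Z] 203.0.113.5 - webadmin "GET /json-api/cpanel?cpanel_jsonapi_module=Redis&cpanel_jsonapi_func=redisAble HTTP/1.1" 200
[2026-05-27T09:20:11Z] 198.51.100.7 - shopuser "GET /json-api/cpanel?cpanel_jsonapi_module=Redis&cpanel_jsonapi_func=redisAble HTTP/1.1" 200
[2026-05-01T02:00:00Z] 198.51.100.9 - olduser "GET /json-api/cpanel?cpanel_jsonapi_func=redisAble HTTP/1.1" 200
[2026-05-27T10:00:00Z] 198.51.100.7 - shopuser "GET /json-api/cpanel?cpanel_jsonapi_func=listDomains HTTP/1.1" 200
"""


def demo():
    """Run the audit over the constructed sample as of the bulletin date."""
    now = datetime(2026, 5, 29, tzinfo=timezone.utc)
    return audit_lines(SAMPLE_LOG.splitlines(), {"webadmin"}, now)


if __name__ == "__main__":
    for ts, account, request in demo():
        print(ts.isoformat(), account, request)
```

Point the script at every file under /var/cpanel/logs rather than one file, since the indicator may appear in more than one log.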


4. NGINX CVE-2026-42945 — Dual Exploitation with CVE-2026-9256 Ongoing CRITICAL [UPDATED]

First reported: 2026-05-14 • Updated: 2026-05-28

Attackers are chaining CVE-2026-42945 (NGINX HTTP/2 memory corruption, CVSS 9.4) with CVE-2026-9256 (NGINX stream module buffer overflow) in dual-vulnerability exploit chains. Analysis of active exploitation confirms Ingress-NGINX on Kubernetes is also affected when NGINX Plus R33 or earlier is used as the ingress controller. Exploitation results in process memory disclosure and, in some configurations, remote code execution. NGINX Plus R34 and open-source NGINX 1.28.1 address both vulnerabilities.

Action required: Upgrade NGINX to 1.28.1 (open source) or Plus R34. For Kubernetes environments, update the Ingress-NGINX controller. Review NGINX error logs for unusual HTTP/2 connection resets or stream module errors as exploitation indicators.


5. Silent Ransom Group / Luna Moth — Physical Social Engineering Against Law Firms HIGH [UPDATED]

FBI FLASH alert: 2026-05-26 • Updated: 2026-05-28 (Security Affairs, BleepingComputer)

The FBI issued a FLASH alert on 26 May documenting Silent Ransom Group (SRG), also known as Luna Moth, expanding from phone-based social engineering to physical social engineering. Operatives posing as contracted IT support staff are physically visiting law firm offices, presenting fake credentials, and requesting physical access to workstations to “apply critical updates.” Once at an unattended workstation, they insert pre-configured USB devices deploying a lightweight backdoor that establishes a reverse shell to SRG infrastructure.

The campaign has compromised over 100 law firms, with 38 firms having data publicly leaked on SRG’s extortion site. Targets span BigLaw practices and regional firms across litigation, M&A, and intellectual property specialisations. The FBI FLASH notes that the physical approach is specifically used for targets where remote phishing was blocked by security tooling — the physical visit bypasses endpoint detection entirely as the USB executes in a trusted user context.

Action required: Brief all office staff: no IT support personnel should be given access to workstations without prior scheduling, out-of-band identity verification with your own IT department, and physical ID verification with management approval. Implement USB port disable policies via Group Policy. Deploy endpoint detection for reverse shell initiation from cmd.exe or powershell.exe spawned by unusual parent processes.

TTPs: T1091 Replication Through Removable Media • T1059.001 PowerShell • T1071.001 Web Protocols (reverse shell C2) • T1036 Masquerading (fake IT support credentials)


6. GHOST STADIUM — FIFA World Cup Fraud Network Expanding HIGH [UPDATED]

First reported: 2026-05-22 • Updated: 2026-05-28 (Group-IB, Security Affairs)

Group-IB updated its analysis of GHOST STADIUM, confirming the Chinese-speaking criminal gang now operates over 300 live fraudulent domains ahead of the 2026 FIFA World Cup (June–July 2026). The domains impersonate FIFA official ticketing, team merchandise stores, travel packages, and fan experience platforms. The sites use the Layui front-end UI library — a Chinese-developed framework rarely seen in Western web development — which serves as a consistent fingerprint across the infrastructure.

Victims who enter payment card details are charged for non-existent tickets and merchandise. A secondary payload — an infostealer targeting browser-stored credentials and payment autofill data — is delivered to victims who complete a fake “ticket verification” CAPTCHA step. GHOST STADIUM is running paid Facebook and Instagram advertising campaigns directing traffic to the fraudulent sites, with ad spend estimated in the hundreds of thousands of dollars.

Detection fingerprint: Layui CSS/JS library loaded from cdn.bootcdn.net or local bundle; domain registration through Chinese registrars with 1–14 day-old registration dates; SSL certificates issued by Let’s Encrypt within 48 hours of site launch.
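The three-part fingerprint above, turned into a scorer as an added example (not Group-IB's tooling). It assumes you already have, per candidate site, the HTML body, the registrar country, the WHOIS registration date, the date the site was first seen live, and the leaf certificate's issuer and notBefore; the sample pages, dates and CDN path are constructed.

```python
"""Score a candidate site against the GHOST STADIUM fingerprint from the bulletin.

Added example. Inputs are assumed to come from your own crawl, WHOIS and
certificate-transparency lookups; all sample data here is constructed.
"""
from datetime import datetime, timedelta
from html.parser import HTMLParser
from urllib.parse import urlparse


class AssetCollector(HTMLParser):
    """Collect the src/href of every <script> and <link> tag."""

    def __init__(self):
        super().__init__()
        self.assets = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.assets.append(a["src"])
        elif tag == "link" and a.get("href"):
            self.assets.append(a["href"])


def layui_source(html):
    """'cdn' if Layui is loaded from cdn.bootcdn.net, 'local' if served from a
    relative path on the site itself, None if Layui is not referenced."""
    p = AssetCollector()
    p.feed(html)
    found = None
    for url in p.assets:
        if "layui" not in url.lower():
            continue
        host = (urlparse(url).hostname or "").lower()
        if host == "cdn.bootcdn.net":
            return "cdn"
        if host == "":          # relative URL: bundled with the site
            found = "local"
    return found


def score_site(html, registrar_country, registered, first_seen, cert_issuer, cert_not_before):
    """Apply the three fingerprint checks and return (score 0-3, reasons)."""
    reasons = []
    src = layui_source(html)
    if src:
        reasons.append(f"Layui loaded from {src}")
    age = first_seen - registered
    if registrar_country == "CN" and timedelta(days=1) <= age <= timedelta(days=14):
        reasons.append(f"Chinese registrar, domain {age.days} days old when first seen")
    if "Let's Encrypt" in cert_issuer and abs(cert_not_before - first_seen) <= timedelta(hours=48):
        reasons.append("Let's Encrypt certificate issued within 48h of launch")
    return len(reasons), reasons


# Constructed samples: a lookalike ticketing page and a benign comparison page.
FRAUD_HTML = """<html><head>
<link rel="stylesheet" href="https://cdn.bootcdn.net/ajax/libs/layui/2.8.0/css/layui.css">
<script src="https://cdn.bootcdn.net/ajax/libs/layui/2.8.0/layui.js"></script>
</head><body>Official Tickets</body></html>"""
BENIGN_HTML = """<html><head><script src="/static/app.js"></script></head><body>Hi</body></html>"""


def demo():
    """Score both constructed samples; returns (fraud_result, benign_result)."""
    launch = datetime(2026, 5, 20)
    fraud = score_site(FRAUD_HTML, "CN", datetime(2026, 5, 15), launch,
                       "C=US, O=Let's Encrypt", datetime(2026, 5, 20, 6))
    benign = score_site(BENIGN_HTML, "US", datetime(2019, 3, 1), launch,
                        "C=US, O=DigiCert Inc", datetime(2026, 1, 10))
    return fraud, benign


if __name__ == "__main__":
    for score, reasons in demo():
        print(score, reasons)
```

A score of 3 is a strong match for the bulletin's fingerprint; a lone Layui hit on an old domain with a non-Let's Encrypt certificate is ordinary Chinese-market web development and should not be alerted on by itself.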


7. KnowledgeDeliver LMS CVE-2026-5426 — ViewState Deserialization HIGH [UPDATED]

CVE: CVE-2026-5426 • Updated: 2026-05-28 (Rapid7, BleepingComputer)

CVE-2026-5426 is an ASP.NET ViewState deserialization vulnerability in the KnowledgeDeliver Learning Management System. The vulnerability arises from a hard-coded machineKey in the application’s web.config — a value shared across all KnowledgeDeliver deployments that allows any attacker with knowledge of the key to forge ViewState payloads triggering arbitrary .NET object deserialization and remote code execution.

Rapid7 confirmed active exploitation, with attackers deploying both Godzilla web shell (a Chinese-developed post-exploitation framework) and the BLUEBEAM web shell (associated with APT41-adjacent activity). Post-exploitation activity includes Cobalt Strike beacon deployment, LSASS memory dumping, and lateral movement via stolen credentials. Affected versions include all KnowledgeDeliver releases prior to 4.8.2.

Action required: Update KnowledgeDeliver to 4.8.2 immediately. After patching, rotate the machineKey in web.config. Scan IIS logs for POST requests containing Base64-encoded ViewState parameters with unusual length (exploitation payloads are typically 2–8KB). Check %SYSTEMROOT%\Temp and the application App_Data directory for dropped web shells.
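The machineKey rotation step above, as an added example (not KnowledgeDeliver vendor tooling): it reads the <machineKey> out of a web.config, shows why a key shared between deployments is the problem, and replaces it with a fresh per-deployment key. The sample web.config and its placeholder key values are constructed and are not the key from the advisory.

```python
"""Rotate the ASP.NET <machineKey> in web.config and flag keys shared across deployments.

Added example. SAMPLE_WEB_CONFIG and its PLACEHOLDER_* values are constructed;
they are not the hard-coded key referenced in the advisory.
"""
import secrets
import xml.etree.ElementTree as ET

SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="PLACEHOLDER_SHARED_VALIDATION_KEY"
                decryptionKey="PLACEHOLDER_SHARED_DECRYPTION_KEY"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""


def machine_key(config_xml):
    """Return the <machineKey> attributes as a dict, or None when the element is
    absent (ASP.NET then auto-generates a per-server key)."""
    root = ET.fromstring(config_xml)
    el = root.find("./system.web/machineKey")
    return dict(el.attrib) if el is not None else None


def shared_machine_keys(configs):
    """Given {deployment_name: web.config text}, return groups of deployments that
    share one validationKey/decryptionKey pair. Any such group is exposed the
    way the advisory describes: a key known from one install forges ViewState
    for every other install in the group."""
    by_key = {}
    for name, xml in configs.items():
        mk = machine_key(xml)
        if not mk:
            continue
        pair = (mk.get("validationKey"), mk.get("decryptionKey"))
        by_key.setdefault(pair, []).append(name)
    return [names for names in by_key.values() if len(names) > 1]


def rotate_machine_key(config_xml):
    """Return web.config text with a fresh per-deployment machineKey:
    a 64-byte validation key (HMACSHA256) and a 32-byte decryption key (AES)."""
    root = ET.fromstring(config_xml)
    sw = root.find("./system.web")
    if sw is None:
        sw = ET.SubElement(root, "system.web")
    el = sw.find("machineKey")
    if el is None:
        el = ET.SubElement(sw, "machineKey")
    el.set("validationKey", secrets.token_hex(64).upper())
    el.set("decryptionKey", secrets.token_hex(32).upper())
    el.set("validation", "HMACSHA256")
    el.set("decryption", "AES")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    fleet = {"lms-prod": SAMPLE_WEB_CONFIG, "lms-staging": SAMPLE_WEB_CONFIG}
    print("shared before rotation:", shared_machine_keys(fleet))
    fleet["lms-prod"] = rotate_machine_key(fleet["lms-prod"])
    print("shared after rotation: ", shared_machine_keys(fleet))
```

Rotating the key invalidates every ViewState and forms-authentication ticket issued under the old key, so expect active sessions to be dropped once the new web.config is in place.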


8. Gitea CVE-2026-27771 — Unauthenticated Private Container Image Pull HIGH [UPDATED]

CVE: CVE-2026-27771 • CVSS: 8.2 • Patched in: Gitea 1.26.2 • Updated: 2026-05-28

CVE-2026-27771 allows unauthenticated users to pull any private container image from Gitea’s built-in container registry (OCI-compliant). The vulnerability is in Gitea’s OCI registry authentication handler, which fails to enforce access controls on image blob and manifest retrieval when the repository owner has disabled certain visibility settings. Approximately 30,000 Gitea deployments use the container registry feature.

The practical impact is significant: private container images often contain embedded secrets, application source code, database connection strings, and API keys in environment variables or configuration files baked into image layers. An attacker can pull and inspect images without any credentials. Gitea 1.26.2 patches the authentication handler. Self-hosted Gitea deployments are the primary exposure; Gitea.com is updated.

Action required: Upgrade to Gitea 1.26.2 immediately. Audit container registry access logs for unauthenticated pulls. Review private container images for embedded secrets and rotate any credentials found in image layers.


9. MiniPlasma — Windows LPE via cldflt.sys HIGH [UPDATED]

Updated: 2026-05-28 (Elastic Security, security researcher “splitline”)

MiniPlasma is a local privilege escalation exploit targeting cldflt.sys, the Windows Cloud Files minifilter driver. The vulnerability stems from an incomplete patch for CVE-2020-17103 — the original 2020 fix addressed only one code path, leaving an adjacent race condition exploitable on all versions of Windows 10 and Windows 11 including fully patched builds. Elastic Security and independent researcher “splitline” confirmed SYSTEM-level code execution on a fully patched Windows 11 23H2 endpoint.

MiniPlasma is being sold on Russian-language cybercrime forums and has been observed in post-exploitation toolchains alongside Cobalt Strike and Brute Ratel. The exploit is delivered as a compiled binary and requires only local user access to escalate to SYSTEM. Microsoft has not yet released a patch addressing the new variant; the original CVE-2020-17103 patch is insufficient.

TTPs: T1068 Exploitation for Privilege Escalation • T1574.010 Services File Permissions Weakness (driver load path)


10. Charter / ShinyHunters Breach — 42 Million Records MEDIUM [UPDATED]

First reported: 2026-05-22 • Data published: 2026-05-27 • Updated: 2026-05-28

ShinyHunters published the full 42-million-record dataset from the Charter Communications breach on a cybercrime forum on 27 May after Charter declined to pay a ransom. The data includes customer PII, account numbers, service addresses, and partial payment card data. The intrusion was facilitated by a social engineering attack against Charter’s identity provider — attackers called Charter’s IT helpdesk posing as a new employee, triggered a Microsoft Entra (Azure AD) self-service password reset, and used the resulting credentials to access customer management systems.

The vishing technique used to compromise Microsoft Entra is notable: attackers obtained the target employee’s personal phone number from LinkedIn and called claiming to be IT support, directing the target to approve a fake MFA prompt. This technique bypasses phishing-resistant MFA when the target approves without verifying the request origin.


11. Tycoon 2FA AiTM PhaaS — Post-Takedown Resurgence HIGH [UPDATED]

First reported: 2026-03 (Sekoia) • Updated: 2026-05-28

Tycoon 2FA, the adversary-in-the-middle phishing-as-a-service platform taken down in partial law enforcement action in early May 2026, has resurged with updated infrastructure and two new attack techniques. Operators are now combining WebSocket-based AiTM (real-time credential relay via persistent WebSocket connections that reduce detection by proxy-based security tools) with OAuth device-code phishing (tricking victims into approving attacker-controlled device code grants, which survive MFA reset). The combination allows persistent access even after password resets.

The platform targets Microsoft 365 and Google Workspace accounts and is sold as a subscription service at $250/month on cybercrime forums. Detections have been confirmed across financial services, legal, and healthcare sectors.

TTPs: T1557.002 AiTM Phishing • T1550.001 Application Access Token (device code) • T1606.001 Forge Web Credentials


Notable IOC: npm mouse5212-super-formatter

Socket.dev flagged the npm package mouse5212-super-formatter as malicious. Unlike typical npm malware targeting Node.js environment variables, this package specifically targets the Claude AI desktop application’s data directory at /mnt/user-data, attempting to exfiltrate conversation histories and any credentials stored in Claude’s local configuration. Organisations using Claude for developer workflows or code review should audit npm dependencies for this package and block access from developer tooling to /mnt/user-data paths.
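The dependency audit above, as an added example (not Socket.dev's scanner): it walks a project's package-lock.json, including transitive dependencies nested under other packages, and reports every occurrence of the flagged name. The lockfiles and the version string in them are constructed placeholders; the package name is the one from the bulletin.

```python
"""Find a flagged npm package anywhere in a project's package-lock.json.

Added example. The sample lockfiles and the "0.0.0-placeholder" version are
constructed; only the package name comes from the bulletin.
"""
import json

FLAGGED = {"mouse5212-super-formatter"}


def _walk_v1(deps, found, path=()):
    """Recurse through the nested 'dependencies' tree of a lockfileVersion 1 file."""
    for name, info in (deps or {}).items():
        here = path + (name,)
        if name in FLAGGED:
            found.append({"name": name, "version": info.get("version"), "path": "/".join(here)})
        _walk_v1(info.get("dependencies"), found, here)


def find_flagged(lockfile_text):
    """Return a list of {name, version, path} hits for lockfileVersion 1, 2 or 3."""
    lock = json.loads(lockfile_text)
    found = []
    packages = lock.get("packages")
    if packages:
        # v2/v3: flat map keyed by node_modules path; "" is the root project itself.
        for key, info in packages.items():
            if not key:
                continue
            name = info.get("name") or key.rsplit("node_modules/", 1)[-1]
            if name in FLAGGED:
                found.append({"name": name, "version": info.get("version"), "path": key})
    else:
        _walk_v1(lock.get("dependencies"), found)
    return found


# Constructed samples: the flagged package pulled in transitively by "pretty-utils".
SAMPLE_LOCK_V3 = """{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/pretty-utils": {"version": "2.1.0"},
    "node_modules/pretty-utils/node_modules/mouse5212-super-formatter": {"version": "0.0.0-placeholder"}
  }
}"""
SAMPLE_LOCK_V1 = """{
  "name": "demo-app", "lockfileVersion": 1,
  "dependencies": {
    "pretty-utils": {"version": "2.1.0",
      "dependencies": {"mouse5212-super-formatter": {"version": "0.0.0-placeholder"}}}
  }
}"""


if __name__ == "__main__":
    for sample in (SAMPLE_LOCK_V3, SAMPLE_LOCK_V1):
        for hit in find_flagged(sample):
            print(f"{hit['name']}@{hit['version']} at {hit['path']}")
```

Run it against every package-lock.json in developer checkouts and CI caches; a hit nested under another package means the dependency was pulled in transitively and the direct dependency that brought it in should be removed or pinned.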


IOC Summary

Type | Value | Campaign
npm package | mouse5212-super-formatter | Claude AI data directory exfiltration
File path | /mnt/user-data | Claude AI target path (mouse5212-super-formatter)
Log path | /var/cpanel/logs entries with cpanel_jsonapi_func=redisAble | LiteSpeed CVE-2026-48172 exploitation indicator
Domain pattern | Layui from cdn.bootcdn.net + new Let’s Encrypt cert + Chinese registrar | GHOST STADIUM FIFA fraud network

KQL Hunting Queries

HUNT-01: Silent Ransom Group — USB Device Insertion Followed by Reverse Shell

Covers Luna Moth / SRG physical USB insertion spawning reverse shell. MITRE: T1091, T1059.001.

// HUNT-01: Silent Ransom Group — USB device insertion followed by reverse shell
// Covers: Luna Moth / SRG physical social engineering
// MITRE: T1091, T1059.001
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("cmd.exe", "powershell.exe", "wscript.exe")
| where InitiatingProcessFileName !in~ ("explorer.exe", "svchost.exe", "services.exe", "wmiprvse.exe")
| join kind=inner (
    DeviceEvents
    | where Timestamp > ago(24h)
    | where ActionType == "UsbDriveMount"
    | project DeviceName, UsbMountTime = Timestamp
) on DeviceName
| where Timestamp between (UsbMountTime .. (UsbMountTime + 5m))
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, UsbMountTime, InitiatingProcessFileName
| order by Timestamp desc

HUNT-02: KnowledgeDeliver LMS — Oversized ViewState POST Request

Covers CVE-2026-5426 ViewState deserialization exploitation via oversized __VIEWSTATE parameter. MITRE: T1190.

// HUNT-02: KnowledgeDeliver LMS — oversized ViewState POST (CVE-2026-5426)
// Covers: ASP.NET hard-coded machineKey exploitation
// MITRE: T1190
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where LocalPort in (80, 443)
| where InitiatingProcessFileName =~ "w3wp.exe"
| where RemoteUrl has "__VIEWSTATE"
| join kind=inner (
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where InitiatingProcessFileName =~ "w3wp.exe"
    | where FileName !in~ ("w3wp.exe", "WerFault.exe")
    | project SpawnTime = Timestamp, DeviceName, SpawnedProcess = FileName, SpawnedCommandLine = ProcessCommandLine
) on DeviceName
| where Timestamp between (SpawnTime .. (SpawnTime + 2m))
| project Timestamp, DeviceName, RemoteUrl, SpawnedProcess, SpawnedCommandLine
| order by Timestamp desc

HUNT-03: MiniPlasma LPE — cldflt.sys Driver Load by Non-System Process

Covers MiniPlasma LPE exploit loading cldflt.sys from unexpected context. MITRE: T1068.

// HUNT-03: MiniPlasma LPE — cldflt.sys driver interaction by non-system process
// Covers: MiniPlasma Windows LPE exploit
// MITRE: T1068
DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has "cldflt"   // has is case-insensitive, so this also covers "CldFlt"
| where AccountName !in~ ("SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc

HUNT-04: Tycoon 2FA Device Code Phishing — Anomalous OAuth Device Code Grant

Covers Tycoon 2FA OAuth device-code phishing yielding persistent access tokens. MITRE: T1550.001.

// HUNT-04: Tycoon 2FA — OAuth device code grant from unusual location
// Covers: Tycoon 2FA AiTM PhaaS device-code phishing
// MITRE: T1550.001
SigninLogs
| where TimeGenerated > ago(24h)
| where AuthenticationProtocol == "deviceCode"
| where ResultType == 0
| where NetworkLocationDetails !has "trustedNamedLocation"
| project TimeGenerated, UserPrincipalName, IPAddress, AppDisplayName, DeviceDetail, Location, RiskLevelDuringSignIn
| order by TimeGenerated desc

HUNT-05: NGINX Exploitation — Worker Process Spawning Shell

Covers CVE-2026-42945 / CVE-2026-9256 exploitation resulting in shell execution from NGINX worker. MITRE: T1190.

// HUNT-05: NGINX exploitation — worker process spawning unexpected child process
// Covers: CVE-2026-42945 / CVE-2026-9256 dual exploitation
// MITRE: T1190
DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ ("nginx", "nginx.exe")
| where FileName in~ ("sh", "bash", "cmd.exe", "powershell.exe", "python", "python3", "perl")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc

HUNT-06: Gitea CVE-2026-27771 — Unauthenticated OCI Registry Pull

Covers CVE-2026-27771 unauthenticated container image pulls from Gitea OCI registry. MITRE: T1530.

// HUNT-06: Gitea CVE-2026-27771 — unauthenticated OCI registry pull attempts
// Covers: Gitea container registry auth bypass
// MITRE: T1530
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where LocalPort in (3000, 443, 80)
| where RemoteUrl has_any ("/v2/", "/blobs/", "/manifests/")
| where InitiatingProcessFileName in~ ("docker.exe", "docker", "nerdctl", "skopeo", "crane", "oras")
| project Timestamp, DeviceName, RemoteIP, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc

HUNT-07: GHOST STADIUM — Layui CDN Access from Endpoint Browsing

Covers GHOST STADIUM infrastructure fingerprint: Layui library loaded from Chinese CDN. MITRE: T1566.002.

// HUNT-07: GHOST STADIUM — Layui CDN access indicating fraudulent site visit
// Covers: GHOST STADIUM FIFA fraud network infrastructure fingerprint
// MITRE: T1566.002
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteUrl has "bootcdn.net" or RemoteUrl has "layui"
| where InitiatingProcessFileName in~ ("chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe")
| project Timestamp, DeviceName, AccountName, RemoteUrl, RemoteIP, InitiatingProcessFileName
| order by Timestamp desc

HUNT-08: Claude AI Data Directory Access by npm/Node Process

Covers mouse5212-super-formatter targeting Claude AI /mnt/user-data. MITRE: T1552.001.

// HUNT-08: npm package targeting Claude AI data directory
// Covers: mouse5212-super-formatter malicious npm package
// MITRE: T1552.001
DeviceFileEvents
| where Timestamp > ago(24h)
| where FolderPath has "/mnt/user-data" or FolderPath has "user-data"
| where InitiatingProcessFileName in~ ("node.exe", "node", "npm.exe", "npx.exe", "npm")
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc

KQL Detection Rules (High Fidelity)

DET-01: Silent Ransom Group — Reverse Shell from USB-Mounted Drive CRITICAL

Rationale: Luna Moth USB payloads execute immediately on mount and establish a reverse shell. PowerShell or cmd initiated from a USB-origin executable within five minutes of drive mount is a high-confidence indicator of SRG physical intrusion activity.

// DET-01: Silent Ransom Group — PowerShell/cmd from USB-mounted drive
// MITRE: T1091 | Severity: CRITICAL
DeviceEvents
| where Timestamp > ago(24h)
| where ActionType == "UsbDriveMount"
// keep only the join key and the mount time so the process-side columns are not shadowed
| project DeviceName, UsbMountTime = Timestamp
| join kind=inner (
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where FileName in~ ("powershell.exe", "cmd.exe")
    // parent executable located on a removable drive letter (D: through Z:)
    | where InitiatingProcessFolderPath has "REMOVABLE" or InitiatingProcessFolderPath matches regex @"^[D-Z]:\\"
    | project SpawnTime = Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFolderPath
) on DeviceName
| where SpawnTime between (UsbMountTime .. (UsbMountTime + 5m))
| extend AlertTitle = "Possible Luna Moth USB Payload — Shell Spawned from Removable Media"
| extend Severity = "CRITICAL"
| extend MITRETechnique = "T1091 — Replication Through Removable Media"
| extend RecommendedAction = "Quarantine endpoint. Eject USB. Check for reverse shell C2 connections. Review physical access logs. Report to security team and law enforcement if physical intrusion confirmed."
| project SpawnTime, UsbMountTime, AlertTitle, Severity, MITRETechnique, RecommendedAction, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFolderPath
| order by SpawnTime desc

DET-02: Tycoon 2FA — Device Code Grant to Non-Managed Device HIGH

Rationale: Legitimate device code flows in enterprise environments should only occur from registered, compliant devices. A device code grant completing from an unregistered device or an IP not associated with known office locations is a direct indicator of Tycoon 2FA device-code phishing.

// DET-02: Tycoon 2FA — device code grant from unmanaged device
// MITRE: T1550.001 | Severity: HIGH
SigninLogs
| where TimeGenerated > ago(24h)
| where AuthenticationProtocol == "deviceCode"
| where ResultType == 0
| where tobool(DeviceDetail.isManaged) != true or tobool(DeviceDetail.isCompliant) != true   // null (unregistered device) also matches
| extend AlertTitle = "Device Code Grant to Unmanaged Device — Possible Tycoon 2FA AiTM"
| extend Severity = "HIGH"
| extend MITRETechnique = "T1550.001 — Use Alternate Authentication Material: Application Access Token"
| extend RecommendedAction = "Revoke refresh token for this user immediately. Verify with user whether they initiated the device code request. Check for MFA fatigue or vishing interaction. Review all subsequent sign-ins from this token."
| project TimeGenerated, AlertTitle, Severity, MITRETechnique, RecommendedAction, UserPrincipalName, IPAddress, AppDisplayName, DeviceDetail, Location
| order by TimeGenerated desc

DET-03: MiniPlasma LPE — Non-SYSTEM Process Gaining SYSTEM Token HIGH

Rationale: The MiniPlasma exploit results in a user-context process acquiring a SYSTEM-level access token via the cldflt.sys race condition. Process token privilege escalation from a standard user account to SYSTEM is highly anomalous and warrants immediate investigation.

// DET-03: MiniPlasma LPE — token privilege escalation to SYSTEM
// MITRE: T1068 | Severity: HIGH
DeviceEvents
| where Timestamp > ago(24h)
| where ActionType == "TokenPrivilegesElevated"
| where PreviousAccountName !in~ ("SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE")
| where NewAccountName =~ "SYSTEM"
| extend AlertTitle = "Process Token Escalated to SYSTEM — Possible MiniPlasma LPE"
| extend Severity = "HIGH"
| extend MITRETechnique = "T1068 — Exploitation for Privilege Escalation"
| extend RecommendedAction = "Immediately investigate the escalating process. Check for cldflt.sys interaction in the process call stack. Quarantine if confirmed malicious. Apply Microsoft guidance on cldflt.sys when available."
| project Timestamp, AlertTitle, Severity, MITRETechnique, RecommendedAction, DeviceName, PreviousAccountName, NewAccountName, InitiatingProcessFileName
| order by Timestamp desc

DET-04: ICS Hard-Coded Credential — Default Username Authentication on OT Network HIGH

Rationale: Multiple devices in the May 28 ICS advisory cluster (ABB EIBPORT, USR IOT, KMW CCTV) have published hard-coded default credentials. Authentication using default usernames (admin, root, user) on OT network segments is anomalous in production environments and may indicate attacker enumeration or exploitation of advisory-disclosed credentials.

// DET-04: ICS default credential use on OT network segment
// MITRE: T1078.001 | Severity: HIGH
DeviceLogonEvents
| where Timestamp > ago(24h)
| where AccountName in~ ("admin", "root", "user", "administrator", "guest", "support", "service")
| where LogonType in (3, 10)
| where DeviceName has_any ("ot-", "ics-", "plc-", "scada-", "hmi-", "eibport", "nvr-", "cctv-")
| extend AlertTitle = "Default Credential Logon on OT/ICS Network Segment"
| extend Severity = "HIGH"
| extend MITRETechnique = "T1078.001 — Valid Accounts: Default Accounts"
| extend RecommendedAction = "Immediately verify whether this is a legitimate administrator action. Cross-reference with CISA ICS advisory cluster May 28. Check device firmware version against advisory affected ranges. Disable default accounts on advisory-affected devices immediately."
| project Timestamp, AlertTitle, Severity, MITRETechnique, RecommendedAction, DeviceName, AccountName, LogonType, RemoteIP
| order by Timestamp desc

DET-05: NGINX Worker Process Spawning Interactive Shell CRITICAL

Rationale: NGINX worker processes do not spawn interactive shells under any legitimate operational circumstances. An NGINX worker spawning bash, sh, cmd, or PowerShell is a definitive indicator of successful exploitation of CVE-2026-42945, CVE-2026-9256, or another NGINX RCE vulnerability. Zero legitimate exceptions expected.

// DET-05: NGINX worker process spawning interactive shell — confirmed exploitation
// MITRE: T1190 | Severity: CRITICAL
DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ ("nginx", "nginx.exe", "nginx: worker process")
| where FileName in~ ("sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe", "python", "python3")
| extend AlertTitle = "NGINX Worker Process Spawned Shell — Confirmed RCE Exploitation"
| extend Severity = "CRITICAL"
| extend MITRETechnique = "T1190 — Exploit Public-Facing Application"
| extend RecommendedAction = "Isolate web server immediately. Take memory dump and disk snapshot before remediation. Upgrade to NGINX 1.28.1 (open source) or Plus R34. Review access logs for the HTTP/2 or stream module request that triggered exploitation. Engage IR."
| project Timestamp, AlertTitle, Severity, MITRETechnique, RecommendedAction, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc

Mitigation Priorities

Patch (deadline TODAY — 2026-05-29)

  • LiteSpeed cPanel — CVE-2026-48172 — Federal deadline today. Upgrade to LiteSpeed cPanel plugin v2.4.5 or disable the plugin.
  • Exchange — CVE-2026-42897 — Federal deadline today. Apply Microsoft’s interim mitigation. Exchange Online is not affected.

ICS / OT hardening (act this week)

  • Cross-reference OT asset inventory against the ten CISA ICS advisories released 28 May. Priority: ABB EIBPORT (ICSA-26-148-01/10), USR IOT Gateway (ICSA-26-148-03/09), CP Plus NVR (ICSA-26-148-05).
  • Remove internet-facing exposure from all ABB EIBPORT and USR IOT devices immediately. Place behind a network jump host pending firmware updates.
  • Change all default credentials on affected ICS devices; enumerate default accounts using CISA advisory guidance.

Web infrastructure

  • Upgrade NGINX to 1.28.1 (open source) or Plus R34. Update Ingress-NGINX controller in Kubernetes environments.
  • Update KnowledgeDeliver LMS to 4.8.2 and rotate the machineKey in web.config.
  • Upgrade Gitea to 1.26.2 and audit container registry access logs for unauthenticated pull activity.

Workforce and identity

  • For law firms and professional services: brief all staff on the Silent Ransom Group physical social engineering technique. Establish mandatory out-of-band verification for any physical IT support request.
  • Deploy USB port restriction policies via Group Policy for law firms, financial services, and healthcare organisations.
  • Review Microsoft Entra / Azure AD self-service password reset policies. Require manager approval for SSPR from unregistered devices or unfamiliar locations.
  • Disable OAuth device code flow for external access in Microsoft 365 tenants unless specifically required.

Sources

  • CISA ICS Advisories ICSA-26-148-01 through ICSA-26-148-10 — CISA, 2026-05-28
  • FBI FLASH Alert: Silent Ransom Group Physical Social Engineering Targeting Law Firms — FBI, 2026-05-26
  • Luna Moth Threat Actors Infiltrate Law Firms Using Physical Social Engineering — Security Affairs, 2026-05-28
  • GHOST STADIUM: Chinese Gang’s FIFA World Cup 2026 Fraud Network Expands to 300+ Domains — Group-IB, 2026-05-28
  • CVE-2026-5426: KnowledgeDeliver LMS ASP.NET Deserialization Actively Exploited — Rapid7, 2026-05-28
  • Gitea 1.26.2 Patches CVE-2026-27771 Unauthenticated Container Registry Access — BleepingComputer, 2026-05-28
  • MiniPlasma: Windows 11 LPE via Incomplete CVE-2020-17103 Patch in cldflt.sys — Elastic Security, 2026-05-28
  • Charter Communications Breach: ShinyHunters Publishes 42 Million Records — BleepingComputer, 2026-05-27
  • Tycoon 2FA PhaaS Resurges Post-Takedown with WebSocket AiTM and Device Code Phishing — Sekoia, 2026-05-28
  • mouse5212-super-formatter Malicious npm Package Targets Claude AI Data Directory — Socket.dev, 2026-05-28
  • NGINX CVE-2026-42945 and CVE-2026-9256 Dual Exploitation Confirmed in Kubernetes Environments — Security Affairs, 2026-05-28
  • Microsoft Security Advisory: Exchange CVE-2026-42897 Interim Mitigation Update — MSRC, 2026-05-28