Inferlume

How it Works
Pricing
About
Get Free Access →

Get Free Access

PUBLISHED ON

MMaayy  1177,,  22002266
EEDDIITTIIOONN  000077

When Firewalls, Classrooms, and Factories All Failed at Once

Your firewall, your learning platform, and your supplier all got the memo. You may not have.

WEEKLY OPENING

Welcome back to NightWatch, your weekly briefing for people who read CVE descriptions for fun and still somehow sleep at night. This week delivered a full sweep across every layer of the stack we have collectively decided to trust with sensitive things.

A Cisco Catalyst SD-WAN authentication bypass scored a perfect CVSS 10.0, which is either a severity rating or a resignation letter from your network team. A Chinese APT named FamousSparrow hit the same Azerbaijani oil and gas company three separate times through the same door, which is either persistence or a performance review waiting to happen. A ransomware group called The Gentleman deployed malware named after a Guy Ritchie film, which is either bold branding or a federal indictment in the mail.

Meanwhile, the Canvas breach continued to widen. One SaaS provider, nearly 9,000 institutions, and data tied to roughly 275 million users now in the hands of ShinyHunters. Foxconn confirmed an attack by the Nitrogen ransomware group claiming 8TB of stolen data including files tied to Apple, Nvidia, Dell, and others. And CISA quietly published CI Fortify guidance telling critical infrastructure operators to plan for weeks of operating in isolation while assuming adversaries are already on their OT networks.

The theme this week is not a new one, but it is louder: edge trust is over, concentration risk is a feature that attackers are billing as a service, and the window between disclosure and exploitation keeps shrinking. Let us get into it.

EXECUTIVE TAKE

The week's clearest and most urgent signal is CVE-2026-20182, a CVSS 10.0 authentication bypass in Cisco Catalyst SD-WAN Controller and Manager with confirmed active exploitation under threat cluster UAT-8616, a CISA Emergency Directive with a 72-hour federal remediation clock, and documented post-compromise use of NETCONF access to reshape SD-WAN network fabric configuration across entire deployments. This is not speculative risk. Adversaries with NETCONF-level access inside an SD-WAN fabric can silently reroute traffic, remove segmentation, and establish persistence that survives device reboots. UAT-8616 activity has been traced back to at least 2023, meaning some organizations may already be operating compromised network fabric without knowing it.

May 2026 Patch Tuesday added further urgency. CVE-2026-41089, a CVSS 9.8 stack-based buffer overflow in Windows Netlogon, enables unauthenticated remote code execution directly on domain controllers across every supported Windows Server version. That is structurally a pre-authentication domain takeover primitive. CVE-2026-41096, a CVSS 9.8 heap-based buffer overflow in the Windows DNS Client, requires no user interaction and can be triggered by a crafted DNS response from a compromised or adversary-controlled resolver. Together these two represent the class of vulnerabilities that well-resourced actors move to weaponize within days to weeks of patch release, not months. CVE-2026-0300 in Palo Alto PAN-OS rounds out the edge-device picture: unauthenticated buffer overflow in the User-ID Authentication Portal, root code execution, confirmed exploitation in the wild, and now listed in CISA's Known Exploited Vulnerabilities catalog.

For leadership, the Canvas and Foxconn incidents reframe what "third-party risk" means in practice. The Canvas breach is not just an education story. One SaaS platform aggregating identity and communications data for 275 million users across nearly 9,000 institutions is, from an attacker's perspective, a single high-leverage target. ShinyHunters did not need to breach 9,000 schools. They breached one vendor. Foxconn illustrates the same logic from the manufacturing side: Nitrogen ransomware group claims 8TB of stolen data including files tied to Apple, Dell, Google, Intel, and Nvidia. One supplier breach became a supply chain intelligence event for every customer whose data transited those facilities.

Regulatory and policy pressure is converging on the same conclusions. CISA's CI Fortify guidance tells all 16 critical infrastructure sectors to plan for weeks to months of safe operations while partially isolated from the internet, explicitly citing ongoing Iranian and Russian-linked campaigns against PLCs and routers, and emphasizing manual-mode procedures, local documentation, and reduced reliance on cloud-based tooling. The still-pending CIRCIA final rule will enforce 72-hour incident and 24-hour ransomware payment reporting for covered entities. Microsoft's May 2026 Patch Tuesday batch of 132 vulnerabilities, combined with national cyber agency advisories urging patching of known exploited issues within days, further tightens the window between disclosure and expected remediation for any organization providing essential services.

KEY FINDINGS

  • CVE-2026-20182 (CVSS 10.0): Critical authentication bypass in Cisco Catalyst SD-WAN Controller and Manager, confirmed actively exploited by threat cluster UAT-8616 per Cisco Talos, added to CISA KEV with Emergency Directive 26-03 and a federal remediation deadline of May 17, 2026; post-exploitation activity includes NETCONF-level network fabric reconfiguration across entire SD-WAN deployments; UAT-8616 activity traced to at least 2023.

  • CVE-2026-41089 (CVSS 9.8): Stack-based buffer overflow in Windows Netlogon enabling unauthenticated remote code execution on domain controllers across Windows Server 2012 through 2025; patched May 12, 2026; exploitation not confirmed in the wild at time of writing but blast radius profile places it on a short weaponization timer.

  • CVE-2026-41096 (CVSS 9.8): Critical heap-based buffer overflow in Windows DNS Client; unauthenticated RCE via crafted DNS response; no user interaction required; relevant to any Windows host resolving DNS through a compromised or adversary-controlled resolver.

  • CVE-2026-0300: Critical unauthenticated buffer overflow in the PAN-OS User-ID Authentication Portal, enabling remote code execution with root privileges on PA-Series and VM-Series firewalls; exploitation confirmed in the wild; listed in CISA KEV; suspected state-sponsored cluster CL-STA-1132 observed post-exploitation using Earthworm and ReverseSocks5 tunneling tools with log deletion activity.

  • CVE-2026-41103: Elevation of privilege in Microsoft Entra ID allowing attacker to impersonate existing users via forged credential presentation, bypassing identity provider controls; Microsoft rates exploitation as "more likely"; high impact in cloud-heavy environments.

  • CVE-2026-41940: Missing authentication for a critical function in WebPros cPanel and WHM and WP Squared, enabling invocation of privileged operations without authorization; added to CISA KEV under BOD 22-01 with active exploitation confirmed.

  • CVE-2026-20122, CVE-2026-20128, CVE-2026-20133: Trio of flaws in Cisco Catalyst SD-WAN Manager covering arbitrary file overwrite, recoverable password storage, and sensitive information exposure; actively exploited per CISA; collectively enable privilege escalation and credential exposure in SD-WAN environments.

  • Nitrogen ransomware group breached Foxconn North American facilities, claiming exfiltration of over 8TB across more than 11 million files including confidential data tied to Apple, Dell, Google, Intel, and Nvidia; Foxconn confirmed the incident; BYOVD technique documented using a vulnerable Topaz Antifraud driver (CVE-2023-52271) to disable security tooling prior to encryption.

  • ShinyHunters breached Instructure Canvas, claiming access to approximately 275 million user records across nearly 9,000 educational institutions; exfiltrated data confirmed to include names, email addresses, student IDs, and private messages; Instructure reportedly reached an agreement with the group; a second unauthorized access event occurred May 7, suggesting incomplete initial containment.

  • FamousSparrow APT (assessed overlap with Earth Estries, China-nexus) conducted three distinct intrusion waves against a single Azerbaijani oil and gas company between December 2025 and February 2026, exploiting ProxyShell and ProxyNotShell Exchange chains and deploying Deed RAT and the Terndoor backdoor using evolved DLL sideloading with API hooking to evade sandbox analysis; attributed moderate-to-high confidence by Bitdefender.

  • Salt Typhoon (China-nexus) hit an energy entity in Azerbaijan; Twill Typhoon (China-nexus) targeted Asian entities with an updated Remote Access Trojan; both confirmed by consulted sources, expanding the documented footprint of China-linked APTs into energy and regional infrastructure.

  • The Gentleman ransomware operation documented by The DFIR Report: initial access via trojanized MSI masquerading as Sysinternals RAMMap, delivery of EtherRAT with Ethereum-based EtherHiding C2, followed by TukTuk (assessed as an AI-generated malware framework), lateral movement via GoTo Resolve RMM, data exfiltration to Wasabi cloud storage via Rclone, and domain-wide ransomware deployment.

  • April 2026 set a record 105 publicly disclosed ransomware attacks across 22 countries, with healthcare, services, and government most heavily hit; Foxconn and Canvas-sector activity this week fits a trajectory of industrialized, double-extortion operations trending upward.

  • CISA CI Fortify guidance published this month directs all 16 critical infrastructure sectors to plan for sustained operations under partial cyber-isolation, citing Iranian and Russian-linked campaigns against PLCs and routers, and requiring documented manual-mode procedures and offline recovery capability.

  • Mandiant M-Trends 2026 highlights median 22-second handoffs between initial access and secondary operator activity in some campaigns, with exploitation of internet-facing web applications confirmed as the leading initial access vector, reinforcing the urgency of fast-moving edge exploits.

WEEKLY THREAT NARRATIVE

The Edge Is the Entry Point and the Problem Is Structural

The most strategically significant pattern across this week's reporting is the continued, confirmed targeting of internet-facing edge infrastructure: SD-WAN controllers, firewall authentication portals, ICS gateways, and SaaS management surfaces. CVE-2026-20182 in Cisco Catalyst SD-WAN and CVE-2026-0300 in PAN-OS are not isolated disclosures. They represent a sustained, multi-year pattern in which management-plane and authentication surfaces on perimeter devices become the preferred initial access vector for both nation-state actors and sophisticated criminal groups. UAT-8616's post-exploitation use of NETCONF to reconfigure network fabric is particularly significant: this is not smash-and-grab ransomware. This is an adversary methodically reshaping network architecture to create durable, configuration-layer persistence that survives patching of the original vulnerability.

The ICS Patch Tuesday advisories from Siemens, Schneider Electric, and CERT@VDE, covering critical flaws in Sentron data managers, Simatic S7 PLC web servers, and Ruggedcom networking gear, compound the picture. When CVE-2026-0300 and CVE-2026-20182 land in the same week as a sweep of critical OT device advisories, the operational implication is not just "patch faster." It is that the attack surface on which critical infrastructure depends has more known, exploitable, internet-accessible holes than any reasonable remediation timeline can close simultaneously. CISA's CI Fortify guidance acknowledges this implicitly by shifting the ask: do not just patch; prove you can operate without the network when you need to.

Data Extortion at Scale Is a Concentration Risk Story

The Canvas breach and the Foxconn ransomware incident are best understood together rather than separately, because they illustrate the same attacker logic operating at different layers of concentration. ShinyHunters did not breach 9,000 schools. They breached one vendor whose platform aggregates identity, communications, and academic records for 275 million users. The blast radius is proportional not to the sophistication of the attack but to the architectural centralization of the target. Universities including FIU are already warning communities to expect highly targeted phishing waves built from stolen student and faculty data; that phishing risk will persist long after the platform is restored.

Foxconn applies the same logic to manufacturing. Nitrogen ransomware group's claim of 8TB of exfiltrated data, including files tied to major OEM customers, means the incident cascades into the supply chains of companies that never received a ransom note. The double-extortion model creates two simultaneous levers: operational disruption through encryption, and reputational and commercial damage through threatened data release. The BYOVD technique documented in Nitrogen campaigns, using a vulnerable Topaz Antifraud driver to disable security tooling before encryption, indicates an operator with enough operational maturity to anticipate and neutralize defensive response. These are not opportunistic crews; they are running industrialized operations with deliberate pre-encryption preparation.

The dual-intrusion timeline at Canvas (April 29 and again May 7) requires care in interpretation. Either the initial containment was incomplete and the attacker maintained a foothold through the first response, or coverage is conflating activity by separate actors at the same target. What is confirmed is that Instructure took Canvas offline, brought in forensic support, and reportedly reached an agreement with the threat group. None of that should be interpreted as incident closure. Data that has been exfiltrated does not disappear because a ransom is paid.

Chinese APT Expansion Into Energy and Regional Infrastructure

The FamousSparrow operation against the Azerbaijani oil and gas company is the kind of intrusion that does not make headlines during the months it is occurring. Three intrusion waves between December 2025 and February 2026, each exploiting the same Microsoft Exchange entry point through ProxyShell and ProxyNotShell chains, deploying Deed RAT and Terndoor, and using evolved DLL sideloading with API hooking specifically designed to evade sandbox analysis. The reuse of the same initial access vector across three waves is operationally instructive: the company patched the vulnerability but did not verify remediation, and the attacker walked back in. Remediation verification, not just patching, is the gap.

Salt Typhoon and Twill Typhoon add regional breadth to the picture. Salt Typhoon's confirmed targeting of an Azerbaijani energy entity, alongside FamousSparrow's multi-wave campaign in the same geography, suggests that the South Caucasus energy corridor is receiving coordinated attention from China-linked actors, not isolated targeting. The region sits at the intersection of energy supply routes critical to European diversification; pre-positioning in energy-adjacent infrastructure ahead of geopolitical leverage events is a documented pattern for these groups. Twill Typhoon's deployment of an updated Remote Access Trojan against Asian entities rounds out a week in which Chinese APT tooling evolution is visible across multiple clusters simultaneously.

The Gentleman and the Professionalization of the Ransomware Ecosystem

The Gentleman operation documented by The DFIR Report this week merits attention not because of its scale but because of its architecture. Trojanized MSI masquerading as a legitimate Sysinternals tool, EtherRAT using Ethereum's blockchain as a C2 channel through the EtherHiding technique, TukTuk assessed as an AI-generated malware framework, GoTo Resolve used for RMM-based lateral movement, and Rclone exfiltrating data to Wasabi cloud storage before domain-wide encryption. This is a threat actor who has assembled a modern, modular intrusion chain from components specifically chosen to blend into legitimate infrastructure: blockchain-based C2 that cannot be sinkholed, legitimate cloud storage for exfiltration, and a commercially available RMM for lateral movement. Each individual component may appear benign in isolation. The combination is a full ransomware deployment pipeline.

NOTABLE TECHNICAL SIGNALS

Top CVEs

CVE-2026-20182 (CVSS 10.0): Authentication bypass in Cisco Catalyst SD-WAN Controller and Manager. No credentials required. Exploitation confirmed by Cisco Talos under UAT-8616. CISA Emergency Directive 26-03 issued with federal remediation deadline of May 17, 2026. Post-exploitation behavior includes NETCONF access used to alter network fabric configuration across entire SD-WAN deployments. Patch immediately; treat any unpatched SD-WAN controller as potentially already compromised.

CVE-2026-41089 (CVSS 9.8): Stack-based buffer overflow in Windows Netlogon service. Unauthenticated remote code execution on domain controllers. Affects Windows Server 2012 through 2025. Patched May 12, 2026 as part of May Patch Tuesday. No confirmed in-the-wild exploitation at time of writing, but Netlogon-targeting exploits have historically been weaponized rapidly. Treat as P0 with a 48-hour deployment target on all domain controllers.

CVE-2026-41096 (CVSS 9.8): Heap-based buffer overflow in Windows DNS Client. Unauthenticated RCE triggered by a specially crafted DNS response. No user interaction required. Can be triggered passively against any Windows host resolving DNS through a compromised or adversary-controlled resolver. Particularly relevant for environments using third-party DNS resolvers or split-DNS configurations.

CVE-2026-0300 (Critical, CVSSv4 score confirmed critical): Unauthenticated buffer overflow in the PAN-OS User-ID Authentication Portal on PA-Series and VM-Series firewalls. Remote code execution with root privileges when portal is exposed to untrusted networks. Exploitation confirmed in the wild. Listed in CISA KEV. Suspected state-sponsored cluster CL-STA-1132 observed post-exploitation deploying Earthworm and ReverseSocks5 tunneling tools and deleting logs and crash files to maintain stealth.

CVE-2026-41103: Elevation of privilege in Microsoft Entra ID. Forged credential presentation enables full user impersonation, bypassing identity provider controls. Microsoft rates exploitation as "more likely." High blast radius in cloud-heavy and federated identity environments.

CVE-2026-41940: Missing authentication for a critical function in WebPros cPanel and WHM and WP Squared. Enables unauthenticated invocation of privileged operations. Listed in CISA KEV under BOD 22-01 with active exploitation confirmed and federal remediation deadline applied.

CVE-2026-20122, CVE-2026-20128, CVE-2026-20133: Trio of Cisco Catalyst SD-WAN Manager flaws covering arbitrary file overwrite, recoverable password storage, and sensitive information exposure. Actively exploited per CISA. Collectively enable privilege escalation and credential harvesting in SD-WAN management environments. Remediate alongside CVE-2026-20182.

CVE-2026-45185 ("Dead.Letter", CVSS 9.8): Use-after-free in Exim MTA affecting GnuTLS-built versions 4.97 through 4.99.2. Unauthenticated RCE via BDAT over TLS path. Fixed in Exim 4.99.3. Automated scanning activity on port 25 observed within hours of disclosure. Applies to Debian and Ubuntu-based Exim deployments. If patch cannot be applied immediately, disable BDAT chunking extension as a temporary mitigation.

ICS advisory batch (May 2026): New Siemens and Schneider Electric advisories alongside CISA and CERT@VDE alerts covering Sentron data managers, Simatic S7 PLC web servers, and Ruggedcom networking gear. Flaws include critical vulnerabilities enabling device takeover, root command execution, and cross-site scripting in industrial environments. Directly internet-reachable OT devices should be treated as highest priority.

Attack Vectors This Week

The dominant initial access vector this week was exploitation of internet-facing applications and management portals, operating without user interaction and bypassing traditional phishing-dependent defense models. CVE-2026-20182 and CVE-2026-0300 both follow the same structural template: a network-accessible management or authentication surface, a memory-corruption or logic flaw requiring no credentials, and a short path to persistent, high-privilege access at a network chokepoint. Neither required a user to click anything. Both were exploited before a significant portion of the affected install base could patch.

Ransomware and data-extortion operations layered on top of established footholds through double-extortion mechanics. Nitrogen at Foxconn combined pre-encryption data exfiltration with BYOVD-based security tool disablement before deploying ransomware, compressing the window in which defenders could intervene. ShinyHunters at Canvas used bulk credential and identity harvest to enable downstream extortion and phishing, without needing to deploy destructive payloads at all. The Gentleman operation assembled a modular intrusion chain specifically designed to blend into legitimate infrastructure at every stage, using blockchain-based C2, commercial RMM for lateral movement, and legitimate cloud storage for exfiltration.

Phishing remains a significant downstream vector even when it is not the initial intrusion method. Microsoft's Q1 2026 email threat data documented 8.3 billion phishing emails detected in the quarter, with a rise in QR-code-based and CAPTCHA-gated lures. The Canvas breach in particular creates a durable phishing supply: names, email addresses, institutional affiliations, and private messages from 275 million users provide enough personalization material to build convincing, targeted lures for months after the incident.

Actor and Infrastructure Patterns

UAT-8616 is the week's most operationally significant actor, not because of novelty but because of confirmed depth. Activity documented back to at least 2023, a CVSS 10.0 entry point now being actively exploited, and post-compromise behavior oriented toward persistent network fabric control rather than immediate destructive impact. This is an adversary operating on an intelligence and access timeline, not a ransomware timeline. The use of NETCONF for configuration-layer persistence is notable: it is harder to detect than file-based implants and survives many standard remediation steps.

Nitrogen ransomware presents as a well-organized double-extortion operation with demonstrated capability to disable endpoint security through BYOVD before executing encryption. The Foxconn campaign shows pre-positioned access, large-scale exfiltration infrastructure, and targeting logic oriented toward maximum leverage through supply chain data rather than simple operational disruption. The group maintains a dark-web leak site where timed publication pressure is used as a negotiation tool, with selective publication of high-value sample documents as proof of access.

FamousSparrow's evolved tooling tells a clear story about active development within the threat group. The Deed RAT and Terndoor backdoors deployed in the Azerbaijani campaign used DLL sideloading with API hooking specifically to defeat sandbox analysis, indicating awareness of and adaptation to the defensive tooling used in the target environment. The reuse of the same Exchange entry point across three intrusion waves is not carelessness; it is a rational operational choice when the attacker knows the defender's remediation verification is incomplete.

The Gentleman operator's infrastructure choices reflect an emerging pattern in the broader ransomware ecosystem: deliberate selection of components that individually appear legitimate. EtherHiding C2 via Ethereum cannot be taken down by sinkholing a domain. GoTo Resolve is a commercially licensed RMM tool. Rclone and Wasabi are standard cloud utilities. TukTuk's assessed AI-generated origin, if confirmed, would represent an early field example of AI-assisted malware framework construction producing operationally functional code. Each piece has a plausible benign explanation; the combination does not.

CL-STA-1132's post-exploitation behavior at PAN-OS targets, specifically log deletion, crash file removal, and deployment of tunneling tools designed to blend into normal traffic, confirms that at least one actor exploiting CVE-2026-0300 is prioritizing stealth and persistence over rapid monetization.

MITRE ATT&CK Themes

T1190 (Exploit Public-Facing Application): CVE-2026-20182, CVE-2026-0300, CVE-2026-45185, and the Cisco SD-WAN companion CVEs all represent unauthenticated exploitation of internet-facing services for initial access. The FamousSparrow ProxyShell and ProxyNotShell Exchange exploitation fits the same technique. This is the confirmed leading initial access vector in Mandiant M-Trends 2026.

T1486 (Data Encrypted for Impact): Nitrogen ransomware at Foxconn and The Gentleman's domain-wide encryption both represent data encrypted for impact as the terminal stage of a double-extortion chain following pre-encryption exfiltration.

T1562.001 (Impair Defenses: Disable or Modify Tools): Nitrogen's documented BYOVD use of the vulnerable Topaz Antifraud driver (CVE-2023-52271) to disable endpoint security tooling before encryption is a confirmed instance of this technique in active campaigns this week.

T1021.002 (Remote Services: SMB and Windows Admin Shares): Relevant to lateral movement enabled by CVE-2026-41089 Netlogon exploitation path to domain controllers, and to broader Windows-environment post-exploitation documented in The Gentleman case.

T1572 (Protocol Tunneling): CL-STA-1132's post-exploitation deployment of Earthworm and ReverseSocks5 at PAN-OS targets represents tunneling-based C2 designed to blend into legitimate traffic and evade network detection.

T1568.002 (Dynamic Resolution: Domain Generation Algorithms) and T1102 (Web Service): EtherRAT's use of Ethereum blockchain for C2 via EtherHiding fits the broader category of adversary use of legitimate web services and decentralized infrastructure to make C2 resilient to takedown.

T1078 (Valid Accounts): CVE-2026-41103 in Entra ID enables forged credential presentation that passes identity provider validation; the Canvas breach creates a large-scale valid-account risk through credential reuse and downstream phishing.

T1041 (Exfiltration Over C2 Channel): Nitrogen exfiltrated over 8TB from Foxconn infrastructure through established exfiltration infrastructure before deploying ransomware. The Gentleman exfiltrated data to Wasabi via Rclone prior to encryption.

T1574.002 (Hijack Execution Flow: DLL Side-Loading): FamousSparrow used evolved DLL sideloading with API hooking in the Azerbaijani campaign specifically to evade sandbox-based behavioral analysis.

T1219 (Remote Access Software): The Gentleman's use of GoTo Resolve as a legitimate commercial RMM for lateral movement is a documented abuse of remote access tooling to blend into normal IT operations.

Threat Detection

YARA Rule: PAN-OS CVE-2026-0300 Post-Exploitation Tunneling Tools (CL-STA-1132)

rule PANOS_CVE_2026_0300_Earthworm_ReverseSocks5
{
  meta:
    description = "Detects Earthworm and ReverseSocks5 tunneling tools observed in post-exploitation activity following CVE-2026-0300 intrusions attributed to CL-STA-1132"
    reference   = "F5 Labs Weekly Threat Bulletin May 13 2026"
    author      = "NightWatch CTI"
    date        = "2026-05-17"
    tlp         = "WHITE"

  strings:
    // Earthworm binary string artifacts
    $ew1 = "Earthworm"      nocase ascii wide
    $ew2 = "ew_for_win"     nocase ascii
    $ew3 = "ew_for_linux"   nocase ascii

    // ReverseSocks5 binary string artifacts
    $rs1 = "ReverseSocks5"  nocase ascii wide
    $rs2 = "rs5_tunnel"     nocase ascii

    // Common tunneling config artifacts
    $cfg1 = "ssocksd"       nocase ascii   // Earthworm SOCKS server mode flag
    $cfg2 = "-s socks"      nocase ascii

  condition:
    uint16(0) == 0x5A4D and
    filesize < 10MB and
    (
      1 of ($ew*) or
      1 of ($rs*) or
      (1 of ($cfg*) and filesize < 3MB)
    )
}

YARA Rule: FamousSparrow Deed RAT and Terndoor Loader Artifacts

rule FamousSparrow_DeedRAT_Terndoor_Loader
{
  meta:
    description = "Detects DLL sideloading artifacts and anti-sandbox strings associated with FamousSparrow Deed RAT and Terndoor deployments in Azerbaijani energy sector campaign"
    reference   = "Bitdefender Labs FamousSparrow May 2026"
    author      = "NightWatch CTI"
    date        = "2026-05-17"
    tlp         = "WHITE"

  strings:
    // PE-in-PE dropper pattern consistent with sideloaded loaders
    $pe_marker = { 4D 5A ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 50 45 }

    // API hooking stub artifacts observed in evolved Deed RAT loader
    $hook1 = "NtQueryInformationProcess" ascii
    $hook2 = "ZwSetInformationThread"    ascii

    // Anti-sandbox environment checks documented by Bitdefender
    $sb1 = "SbieDll.dll"    nocase ascii   // Sandboxie
    $sb2 = "vmtoolsd.exe"   nocase ascii   // VMware
    $sb3 = "vboxservice"    nocase ascii   // VirtualBox
    $sb4 = "wireshark"      nocase ascii   // Analysis tool detection

    // DLL export names common in sideloaded loaders
    $exp1 = "DllRegisterServer" ascii
    $exp2 = "ServiceMain"       ascii

  condition:
    uint16(0) == 0x5A4D and
    filesize < 8MB and
    (
      ($pe_marker and 2 of ($sb*)) or
      (1 of ($hook*) and 1 of ($sb*)) or
      (all of ($exp*) and 1 of ($sb*))
    )
}

SIGMA Rule: Nitrogen Ransomware BYOVD via Topaz Antifraud Driver (CVE-2023-52271)

title: Nitrogen Ransomware BYOVD via Topaz Antifraud Driver
id: a7c3d1e2-9f04-4b8a-c66d-nitrogen-byovd
status: experimental
description: >
  Detects loading of vulnerable Topaz Antifraud drivers associated with
  BYOVD technique used in Nitrogen ransomware campaigns to disable endpoint
  security tooling prior to encryption. References CVE-2023-52271.
author: NightWatch CTI
date: 2026-05-17
references:
  - Cybersecurity Dive Foxconn coverage May 2026
logsource:
  product: windows
  category: driver_load
detection:
  selection:
    ImageLoaded|endswith:
      - '\topazaf.sys'
      - '\topazaf64.sys'
      - '\topazantifraud.sys'
  filter_legitimate:
    Signed: 'true'
    SignatureStatus: 'Valid'
    # Exclude if loaded from expected vendor installation path
    ImageLoaded|startswith:
      - 'C:\Program Files\Topaz'
  condition: selection and not filter_legitimate
falsepositives:
  - Legitimate Topaz Antifraud product deployments on financial terminals
    where vendor installation path and valid signature are both present
level: high
tags:
  - attack.defense_evasion
  - attack.t1562.001
  - cve.2023-52271

SIGMA Rule: Exim CVE-2026-45185 Dead.Letter BDAT TLS Anomaly

title: Exim Dead.Letter RCE Exploitation Attempt via BDAT TLS Anomaly
id: d9a4c2b1-8e31-4f2a-b77c-exim45185dead
status: experimental
description: >
  Detects anomalous BDAT-over-TLS connection patterns consistent with
  CVE-2026-45185 exploitation. Triggers on TLS close_notify received
  mid-BDAT body transfer, which is the precondition for the use-after-free
  condition in GnuTLS-built Exim versions 4.97 through 4.99.2.
author: NightWatch CTI
date: 2026-05-17
references:
  - https://fieldeffect.com/blog/critical-exim-flaw-gnutls-builds
logsource:
  category: application
  product: exim
detection:
  selection_bdat_tls_anomaly:
    EventMessage|contains:
      - 'BDAT'
      - 'GnuTLS'
    EventMessage|contains:
      - 'close_notify'
      - 'unexpected close'
      - 'connection lost'
  filter_normal_quit:
    EventMessage|contains: 'QUIT'
  timeframe: 60s
  condition: selection_bdat_tls_anomaly and not filter_normal_quit
falsepositives:
  - Legitimate SMTP clients aborting connections mid-transfer
  - Network resets during legitimate bulk mail delivery
level: high
tags:
  - attack.initial_access
  - attack.t1190
  - cve.2026-45185

SIGMA Rule: The Gentleman EtherRAT EtherHiding Blockchain C2 Beacon Pattern

title: The Gentleman EtherRAT EtherHiding Blockchain C2 Communication
id: b2e5f7a1-3c09-4d6e-a88f-gentleman-etherrat
status: experimental
description: >
  Detects network patterns consistent with EtherRAT EtherHiding C2 activity
  used in The Gentleman ransomware campaign. EtherHiding resolves C2
  configuration by querying Ethereum smart contract event logs via public
  blockchain RPC endpoints. Unusual or repeated outbound connections to
  Ethereum RPC nodes from non-blockchain workloads should be investigated.
author: NightWatch CTI
date: 2026-05-17
references:
  - The DFIR Report The Gentleman May 2026
logsource:
  category: network
  product: zeek
detection:
  selection_eth_rpc:
    dest_port:
      - 8545    // Standard Ethereum RPC
      - 8546    // Ethereum WebSocket RPC
    http.method: 'POST'
    http.uri|contains:
      - 'eth_getLogs'
      - 'eth_call'
      - 'eth_getTransactionByHash'
  filter_known_blockchain_systems:
    src_ip|cidr:
      - '0.0.0.0/0'   // Replace with known blockchain infrastructure CIDRs
    # Exclude known crypto workloads or DevOps pipeline nodes in your environment
  condition: selection_eth_rpc and not filter_known_blockchain_systems
falsepositives:
  - Legitimate blockchain development or Web3 application workloads
  - Crypto trading or wallet software on authorized endpoints
level: medium
tags:
  - attack.command_and_control
  - attack.t1102
  - attack.t1568.002

SIEM Pseudocode: Entra ID Forged Credential Impersonation Detection (CVE-2026-41103)

-- SIEM pseudocode: Detect potential Entra ID credential forgery and impersonation
-- CVE-2026-41103: Entra ID EoP via forged credentials
-- Adapt field names to your log schema. Do not assume SIEM product.

SELECT
  user_principal_name,
  source_ip,
  auth_method,
  token_issued_at,
  role_assigned,
  mfa_claim,
  mfa_required_by_policy
FROM identity_sign_in_logs
WHERE
  event_type IN ('SignIn', 'TokenIssuance', 'DirectoryAccess')
  AND auth_result = 'Success'
  AND (
    -- MFA claim absent when policy requires it
    (mfa_claim = false AND mfa_required_by_policy = true)
    OR
    -- Sign-in from IP with no prior history for this user in last 30 days
    (source_ip NOT IN (
      SELECT DISTINCT source_ip
      FROM identity_sign_in_logs
      WHERE user_principal_name = outer.user_principal_name
        AND event_time >= CURRENT_TIMESTAMP - INTERVAL 30 DAY
    ))
    OR
    -- Privileged role token issued without MFA event in preceding 5 minutes
    (
      role_assigned IN ('GlobalAdmin', 'PrivilegedRoleAdmin', 'SecurityAdmin', 'ApplicationAdmin')
      AND NOT EXISTS (
        SELECT 1 FROM identity_sign_in_logs AS mfa_check
        WHERE mfa_check.user_principal_name = outer.user_principal_name
          AND mfa_check.mfa_claim = true
          AND mfa_check.event_time BETWEEN token_issued_at - INTERVAL 5 MINUTE AND token_issued_at
      )
    )
  )
  AND event_time >= CURRENT_TIMESTAMP - INTERVAL 14 DAY
GROUP BY user_principal_name, source_ip, auth_method
-- Correlate findings with: conditional access policy change events,
-- PIM role activation logs, and any concurrent impossible travel alerts

SIEM Pseudocode: Canvas-Themed Phishing Surge Detection

-- SIEM pseudocode: Detect Canvas breach-themed phishing emails
-- Expected surge following ShinyHunters Canvas breach disclosure
-- Adapt field names to your email security log schema.

SELECT
  message_id,
  sender_address,
  recipient_address,
  subject,
  received_time,
  url_list,
  attachment_names
FROM email_security_logs
WHERE
  received_time >= TIMESTAMP '2026-05-10'
  AND (
    LOWER(subject) LIKE '%canvas data breach%'
    OR LOWER(subject) LIKE '%canvas security incident%'
    OR LOWER(subject) LIKE '%canvas account%'
    OR LOWER(subject) LIKE '%instructure breach%'
    OR LOWER(body_text) LIKE '%update your canvas password%'
    OR LOWER(body_text) LIKE '%canvas account has been compromised%'
    OR (
      LOWER(url_list) LIKE '%canvas%'
      AND LOWER(url_list) LIKE '%login%'
      AND sender_domain NOT IN ('instructure.com', 'canvaslms.com')
    )
  )
ORDER BY received_time DESC
-- Alert on: external senders using Canvas-themed subjects,
-- any link to canvas-lookalike domains, and credential-harvest page patterns

SIEM Pseudocode: Cisco SD-WAN CVE-2026-20182 Post-Exploitation NETCONF Anomaly

-- SIEM pseudocode: Detect anomalous NETCONF activity following
-- CVE-2026-20182 exploitation in Cisco Catalyst SD-WAN environments
-- Adapt to your network device syslog or NETCONF audit log schema.

SELECT
  source_ip,
  destination_ip,
  netconf_operation,
  config_target,
  session_user,
  event_time
FROM netconf_audit_logs
WHERE
  event_time >= CURRENT_TIMESTAMP - INTERVAL 7 DAY
  AND (
    -- NETCONF session from unexpected source IPs
    source_ip NOT IN (SELECT allowed_ip FROM netconf_allowlist)
    OR
    -- Bulk edit-config operations outside change windows
    (netconf_operation = 'edit-config'
     AND event_time NOT BETWEEN change_window_start AND change_window_end)
    OR
    -- Interface or routing table modifications without corresponding ticket
    (netconf_operation IN ('edit-config', 'delete')
     AND config_target IN ('interfaces', 'routing', 'bgp', 'vpn-instance')
     AND change_ticket_id IS NULL)
  )
ORDER BY event_time DESC
-- Correlate with: authentication logs for the same source IP,
-- SD-WAN controller login events, and any configuration diff alerts
-- UAT-8616 pattern: NETCONF used to alter VPN and routing fabric post-compromise

DEFENDER PRIORITIES

The most urgent single action this week is identifying every Cisco Catalyst SD-WAN Controller and Manager in your environment and treating it as potentially already compromised if CVE-2026-20182 has not been patched and NETCONF access has not been audited. UAT-8616's documented use of NETCONF for persistent configuration-layer changes means patching alone is insufficient; defenders need to pull configuration diffs, review authentication logs for unexpected NETCONF sessions, and confirm the integrity of routing and segmentation policy. Unpatched SD-WAN fabric is active, confirmed exposure, not a future risk.

Immediately behind SD-WAN, the combination of CVE-2026-41089 in Windows Netlogon and CVE-2026-41096 in Windows DNS Client demands parallel action. Domain controllers are the single highest-leverage target in most enterprise environments, and a pre-authentication RCE in Netlogon with a CVSS 9.8 rating has a documented history of rapid weaponization. CVE-2026-41096 compounds the risk by targeting the DNS Client, which resolves queries on every Windows endpoint in the environment. Prioritize domain controllers first, then all internet-facing and high-value Windows systems, with a 48-hour target for critical infrastructure environments.

CVE-2026-0300 in Palo Alto PAN-OS requires immediate action for any organization with the User-ID Authentication Portal exposed to untrusted networks. The confirmed exploitation and KEV listing, combined with CL-STA-1132's stealth-oriented post-exploitation behavior including log deletion and tunneling, means defenders should not assume absence of evidence is evidence of absence. If the portal was exposed before patching, treat the device as potentially implanted and conduct a full forensic review of authentication logs, running processes, and outbound connections before returning it to normal operation.

For organizations using Exim with GnuTLS builds on Debian or Ubuntu, CVE-2026-45185 (Dead.Letter) has already drawn automated scanning activity. Email infrastructure running unpatched versions should be patched to 4.99.3 immediately or have BDAT chunking disabled as an interim measure. Do not wait for a maintenance window on this one.

The Canvas and Foxconn incidents require two parallel tracks. First, organizations that use Canvas should revoke and rotate all SSO tokens, institutional admin credentials, and API keys associated with the platform, require password resets for all affected accounts, and enforce multi-factor authentication across the board regardless of what the vendor's public statements say about containment status. Second, organizations in the supply chains of Foxconn's North American facilities should initiate a data inventory review to understand what confidential product or commercial data may have transited those environments and begin downstream notification reviews where warranted. Data that has been exfiltrated does not become safe because production has resumed.

For critical infrastructure operators, CI Fortify is not background reading. It is an operational directive to document, rehearse, and validate manual-mode procedures now. Tabletop exercises should specifically simulate weeks of OT-IT isolation under the assumption that adversaries have some degree of OT network access, testing whether local controls, offline runbooks, and staffing are sufficient to maintain safe operations. ICS patch advisories from Siemens, Schneider Electric, and CERT@VDE should be triaged in parallel. Directly internet-reachable OT devices are the highest priority; segment or isolate them where patching cannot be completed within days.

RECOMMENDED ACTIONS

  • Audit all Cisco Catalyst SD-WAN Controllers and Managers for CVE-2026-20182 patch status, pull NETCONF session logs and configuration diffs for the past 30 days, and treat any device with unpatched history as potentially compromised pending forensic review.

  • Patch CVE-2026-41089 (Windows Netlogon) and CVE-2026-41096 (Windows DNS Client) within 48 hours on all domain controllers and internet-facing Windows systems; treat as P0 across any environment with Windows Server infrastructure.

  • Block or restrict the PAN-OS User-ID Authentication Portal from untrusted networks immediately; apply vendor patches for CVE-2026-0300 as soon as operationally possible; conduct forensic review of any firewall where the portal was exposed before patching, checking for tunneling tool artifacts and log deletion.

  • Upgrade Exim to 4.99.3 on all Debian and Ubuntu-based mail servers immediately; if patching is delayed, disable the BDAT chunking extension in Exim configuration as an interim mitigation and monitor port 25 for anomalous chunked transfer patterns.

  • Revoke and rotate all Canvas-associated SSO tokens, institutional admin credentials, and API keys; require password resets for all affected accounts; enforce multi-factor authentication for all Canvas users regardless of Instructure's reported containment status.

  • Review supply chain data exposure for any organization whose confidential product or commercial data may have transited Foxconn North American facilities; initiate breach assessment and downstream notification review where warranted.

  • Hunt for Nitrogen ransomware indicators including Topaz Antifraud driver loads, unexpected EDR or AV process terminations, and bulk outbound data transfers to new external destinations; deploy the BYOVD SIGMA rule in this report across Windows endpoint telemetry.

  • Deploy detections for The Gentleman operation including monitoring for GoTo Resolve RMM usage on systems where it is not authorized, Rclone execution with cloud storage destinations, and outbound connections to Ethereum RPC endpoints (ports 8545 and 8546) from non-blockchain workloads.

  • Audit Microsoft Entra ID sign-in logs for the past 14 days using the SIEM pseudocode in this report; focus on token issuances without preceding MFA events, unfamiliar source IPs accessing privileged roles, and Conditional Access policy changes; patch CVE-2026-41103 on accelerated timeline.

  • Conduct a CI Fortify-aligned tabletop exercise simulating weeks of OT-IT isolation; verify that manual-mode operating procedures, offline runbooks, and staffing are validated and current; prioritize patching of directly internet-reachable ICS devices from the May 2026 Siemens and Schneider advisory batch.

  • Cross-reference your asset inventory against all current CISA KEV entries including CVE-2026-41940 in WebPros cPanel and WHM and the Cisco SD-WAN companion CVEs; apply remediation by federal deadlines or earlier for any internet-facing device.

  • Update email security content filters for Canvas-breach-themed phishing lures and run just-in-time user awareness communications warning staff and students about expected social engineering campaigns exploiting the Canvas and Foxconn incident publicity.

RECOMMENDED ACTIONS

CONFIDENCE & LIMITATIONS

Claim

Confidence

Rationale

CVE-2026-20182 active exploitation by UAT-8616

High

Confirmed by Cisco Talos, CISA KEV with Emergency Directive, multiple independent consulted sources

CVE-2026-41089 and CVE-2026-41096 severity ratings

High

Microsoft advisory, corroborated by Krebs on Security, SANS ISC, and CrowdStrike patch analysis

CVE-2026-0300 exploitation and CL-STA-1132 attribution

High for exploitation, Moderate for attribution

CISA KEV confirmed, F5 Labs documented CL-STA-1132 post-exploitation tooling; attribution to state-sponsored actor is vendor assessment only

Foxconn breach confirmed, Nitrogen responsible

High for breach, Moderate for data volume

Foxconn confirmed the incident; Nitrogen's 8TB and 11M file claims are threat actor self-reporting, not independently verified

Canvas breach and ShinyHunters attribution

High for breach, Moderate for scope

Instructure confirmed unauthorized access; 275 million user figure originates from ShinyHunters and secondary reporting; full scope under investigation

Canvas dual-intrusion timeline (April 29 and May 7)

Moderate

Reported by multiple consulted sources but not formally confirmed as two distinct actor events by Instructure

FamousSparrow three-wave intrusion, Deed RAT and Terndoor deployment

Moderate to High

Attributed by Bitdefender with documented technical indicators; Earth Estries overlap is assessed, not definitively confirmed; nation-state attribution carries inherent uncertainty

Salt Typhoon and Twill Typhoon Azerbaijani and Asian targeting

Moderate

Reported by SecurityWeek citing consulted sources; no independent government advisory corroboration available at time of writing

The Gentleman ransomware chain including TukTuk AI-generated assessment

Moderate

Documented by The DFIR Report with technical detail; AI-generated malware assessment is analytical, not forensically confirmed

EtherHiding blockchain C2 via EtherRAT

Moderate to High

Technique is documented in prior research; specific attribution to The Gentleman in this campaign is based on single source

April 2026 ransomware record (105 attacks)

High

Published telemetry from BlackFog ransomware tracking, consistent with broader industry trend reporting

CISA CI Fortify guidance and CIRCIA final rule status

High

Primary government source; CIRCIA final rule pending as of reporting date

Mandiant M-Trends 2026 22-second handoff statistic

High

Direct from Mandiant M-Trends 2026 publication, widely corroborated