Cyber Threat Intelligence Digest: Week 20

20th May 2026 - Threat Reports
  • Vulnerabilities
  • Potential Threats
  • General News
  • Threat Actor Weekly Graph
  • Global Trends Powered by Recorded Future
  • Prominent Information Security Events
  • Remediation Actions

Executive Summary -
Highlights of Cyber Threat Intelligence Digest

Vulnerabilities

Wordfence Patches Actively Exploited Authentication Bypass Vulnerability CVE-2026-8181 Affecting Burst Statistics WordPress Plugin - On 13 May 2026, Wordfence patched an actively exploited authentication bypass vulnerability, tracked as CVE-2026-8181, affecting the Burst Statistics WordPress plugin versions 3.4.0 to 3.4.1.1. The flaw allows an unauthenticated attacker who knows a valid administrator username to be treated as that administrator for the duration of a single request by supplying any password via HTTP Basic authentication; the password is never checked.

Successful exploitation yields full administrative privileges without a valid password, a significant risk to affected installations given that WordPress administrator usernames are frequently enumerable. Site owners running the impacted plugin versions should apply the available patch immediately to prevent unauthorised administrative access.
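The bug class behind this advisory, shown here as an added illustration rather than the plugin's own code: a request handler that takes the acting user from the HTTP Basic username and never compares the password, beside a version that verifies the password before any privilege is granted. The user store, password hashing and function names are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed user store for the example (not the plugin's schema):
# username -> role, per-user salt and a PBKDF2-SHA256 password hash.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

_ADMIN_SALT = os.urandom(16)
USERS = {
    "admin": {
        "role": "administrator",
        "salt": _ADMIN_SALT,
        "hash": _hash_password("correct horse battery staple", _ADMIN_SALT),
    },
}
_DUMMY_SALT = bytes(16)


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode 'Authorization: Basic <base64(user:pass)>'; None if absent or malformed."""
    if not header or not header.lower().startswith("basic "):
        return None
    try:
        raw = base64.b64decode(header[6:].strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    if ":" not in raw:
        return None
    user, _, password = raw.partition(":")
    return user, password


def resolve_user_vulnerable(header: Optional[str]) -> Optional[dict]:
    """Bug class from the advisory: the username alone selects the acting user.
    The password is decoded but never compared, so any value is accepted."""
    creds = parse_basic_auth(header)
    if creds is None:
        return None
    user, _ignored_password = creds
    record = USERS.get(user)
    return {"user": user, "role": record["role"]} if record else None


def resolve_user_hardened(header: Optional[str]) -> Optional[dict]:
    """Fixed form: the acting user is set only after the password verifies."""
    creds = parse_basic_auth(header)
    if creds is None:
        return None
    user, password = creds
    record = USERS.get(user)
    if record is None:
        _hash_password(password, _DUMMY_SALT)  # keep timing similar for unknown users
        return None
    candidate = _hash_password(password, record["salt"])
    if not hmac.compare_digest(candidate, record["hash"]):
        return None
    return {"user": user, "role": record["role"]}


def basic_header(user: str, password: str) -> str:
    """Build the header a client, or an attacker, would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    forged = basic_header("admin", "literally-anything")
    print("vulnerable:", resolve_user_vulnerable(forged))  # administrator context granted
    print("hardened:  ", resolve_user_hardened(forged))    # None
    print("hardened:  ", resolve_user_hardened(basic_header("admin", "correct horse battery staple")))
```

The vulnerable handler is exactly as dangerous as the advisory describes: knowing the username is the whole attack. The hardened handler also hashes a dummy value for unknown users so response timing does not confirm which usernames exist.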

NVIDIA Patches Multiple Vulnerabilities in Triton Inference Server - On 18 May 2026, NVIDIA disclosed and patched eight vulnerabilities affecting the Triton Inference Server on the DALI Backend and Linux platforms, all addressed in version r26.03. The most severe is CVE-2026-24207, a critical authentication bypass flaw capable of enabling code execution, privilege escalation, data modification, information disclosure, and denial-of-service (DoS) conditions. The remaining vulnerabilities range from high to medium severity and include out-of-bounds read, integer overflow, path traversal, uncontrolled resource consumption, and a further authentication bypass flaw, collectively enabling outcomes such as code execution, data modification, sensitive information exposure, and DoS conditions.

At the time of writing, there are no known reports of active exploitation; however, the breadth and severity of the vulnerabilities represent a significant attack surface for organisations running affected versions prior to r26.03. Affected users should prioritise upgrading to the patched release to mitigate the risk of exploitation across the range of identified attack vectors.

CVE-2026-44885 allows Arbitrary File Write affecting Portainer - CVE-2026-44885 is a path traversal vulnerability in Portainer's backup-restore feature, affecting versions 2.33.0 LTS through 2.33.7 LTS. The flaw stems from insufficient validation of file paths during the extraction of uploaded .tar.gz archives, allowing an attacker to craft a malicious archive containing files that escape the intended destination directory and write to arbitrary locations on the server's file system.

Successful exploitation could enable an attacker with access to the backup-restore functionality to overwrite sensitive files or plant malicious content elsewhere on the host, potentially leading to further compromise. Users are advised to update to Portainer 2.33.8 LTS, which addresses the vulnerability.
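The Portainer flaw is the classic archive path-traversal pattern. The following is an added example, not Portainer's code, of the check a restore routine needs before writing each tar member: it builds a constructed .tar.gz with one legitimate entry plus '..', absolute-path and symlink escape attempts, and extracts only the members that stay under the destination directory.

```python
import io
import os
import tarfile
import tempfile
from typing import Dict, List, Optional, Tuple


def classify_member(info: tarfile.TarInfo) -> Optional[str]:
    """Return None if the member may be written under the destination, else why not.
    Policy chosen for this example: regular files and directories only, relative
    paths only, no '..' components, and no symlink/hardlink entries at all, since a
    link pointing outside the destination lets a later file write through it."""
    name = info.name.replace("\\", "/")
    if name.startswith("/"):
        return "absolute path"
    if ".." in os.path.normpath(name).split(os.sep):
        return "path traversal ('..')"
    if info.issym() or info.islnk():
        return "link entry"
    if not (info.isfile() or info.isdir()):
        return "special file type"
    return None


def restore_archive(archive: bytes, dest: str) -> Tuple[List[str], Dict[str, str]]:
    """Extract only the members that pass classify_member(); report the rest."""
    accepted: List[str] = []
    rejected: Dict[str, str] = {}
    # Python 3.12+ ships an equivalent built-in policy; enable it too where present.
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for info in tar.getmembers():
            reason = classify_member(info)
            if reason is not None:
                rejected[info.name] = reason
                continue
            tar.extract(info, path=dest, **extra)
            accepted.append(info.name)
    return accepted, rejected


def build_malicious_archive() -> bytes:
    """Constructed .tar.gz: one legitimate entry and four escape attempts."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        def add_file(name: str, data: bytes) -> None:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        add_file("backup/portainer.db", b"legitimate backup content")
        add_file("backup/../../outside.txt", b"written above the destination")
        add_file("/tmp/absolute.txt", b"absolute path")
        link = tarfile.TarInfo("backup/link")  # symlink to the parent tree ...
        link.type = tarfile.SYMTYPE
        link.linkname = "../.."
        tar.addfile(link)
        add_file("backup/link/through_link.txt", b"... then a file written through it")
    return buf.getvalue()


def demo() -> dict:
    """Restore the constructed archive into a scratch directory and report what happened."""
    with tempfile.TemporaryDirectory() as dest:
        accepted, rejected = restore_archive(build_malicious_archive(), dest)
        link_path = os.path.join(dest, "backup", "link")
        return {
            "accepted": accepted,
            "rejected": rejected,
            "db_written": os.path.isfile(os.path.join(dest, "backup", "portainer.db")),
            "link_is_real_dir": os.path.isdir(link_path) and not os.path.islink(link_path),
            "escaped": os.path.exists(os.path.join(os.path.dirname(dest), "outside.txt")),
        }


if __name__ == "__main__":
    result = demo()
    print("extracted:", result["accepted"])
    for name, why in result["rejected"].items():
        print(f"rejected {name!r}: {why}")
```

Rejecting link entries outright is a policy choice made here because a backup restore has no need for them; a restore that must preserve symlinks would instead have to resolve each link target against the destination and process members in archive order so that a later file cannot be written through an earlier link. Checking the archive's member list before extraction is not enough on its own, because the link-then-file sequence above passes a purely lexical scan of names.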

Potential Threats

Storm-2949 Uses SSPR Abuse and Compromised Identities to Exfiltrate Data Across Microsoft 365 and Azure Environments - On 18 May 2026, Microsoft reported that Storm-2949 conducted a sophisticated, multi-stage intrusion campaign beginning with impersonation-based social engineering targeting Microsoft Entra ID Self-Service Password Reset workflows. By posing as internal IT support staff and manipulating users into approving fraudulent MFA prompts, the group compromised accounts belonging to IT personnel and senior leadership, enrolling attacker-controlled devices into Microsoft Authenticator. Storm-2949 then used custom Python scripts and Microsoft Graph API queries to enumerate privileged identities before expanding into Microsoft 365 services, exfiltrating thousands of files from OneDrive and SharePoint including VPN configurations and remote access documentation.

The threat actor subsequently pivoted into Azure environments using privileged RBAC permissions, targeting App Services, Key Vaults, Storage Accounts, SQL servers, and virtual machines. Storm-2949 exploited auxiliary App Service instances to obtain deployment credentials, accessed Key Vault secrets including database connection strings, manipulated SQL Server firewall rules, and retrieved storage account keys to exfiltrate blob data over several days. To maintain persistence and evade detection, the group installed ScreenConnect RMM software disguised as legitimate Windows components, disabled Microsoft Defender Antivirus protections, and cleared event logs and command histories.

Threat Actors Mail Physical Phishing Letters Impersonating Ledger to Steal Cryptocurrency Wallet Seed Phrases - On 17 May 2026, Ledger disclosed a physical-mail phishing campaign targeting cryptocurrency wallet users with fraudulent security notices designed to steal 24-word recovery seed phrases. The letters impersonate Ledger using official branding, fake reference numbers, and forged signatures attributed to Ledger CTO Charles Guillemet, instructing recipients to scan a QR code leading to a phishing site that requests their recovery seed phrase, granting threat actors full access to the victim's wallet and enabling theft of funds.

Ledger noted that threat actors continue to impersonate the company across multiple channels, including phishing emails, phone calls, fake applications, social media scams, and clipboard hijacking. The latest campaign appears geographically targeted, with Italian-language letters sent to users in Italy, suggesting the threat actors may have access to localised customer data.

Secret Blizzard Evolves Kazuar Into a Modular Peer-to-Peer Botnet for Espionage Operations - On 14 May 2026, Microsoft Threat Intelligence published a technical analysis detailing the evolution of Kazuar, a modular peer-to-peer botnet framework attributed to the Russian state actor Secret Blizzard, designed to support stealthy, long-term access and espionage operations against government, diplomatic, and defence targets. Secret Blizzard delivered Kazuar via multiple dropper variants, including the Pelmeni dropper, which embedded an encrypted payload as a byte array and tied decryption logic to the victim's hostname to ensure execution only on the intended host. In an alternative chain, a lightweight .NET loader was invoked via a Component Object Model (COM) object for in-memory execution, after which Kazuar performed anti-analysis checks scanning for running analysis tools, canary files, and sandbox-related DLLs.

Once active, Kazuar initialised over 150 configurable settings governing transport methods, process injection modes, heartbeat intervals, task execution, and automated file collection, alongside bypasses for the Windows Anti-Malware Scan Interface, Windows Lockdown Policy, and Event Tracing for Windows. The breadth of configurable options reflects the framework's maturity and its suitability for sustained, adaptable espionage operations, with the overall campaign aligned with Russian strategic intelligence objectives against high-value institutional targets.

General News

UK regulator to require tech firms to tackle deepfakes - On 19 May 2026, the UK's communications regulator Ofcom announced it will update its codes of practice to require tech companies to do more to detect and remove harmful AI-generated deepfake imagery from their platforms. The changes, expected to take effect this autumn pending parliamentary approval, include expanded use of hash-matching technology, which converts images into digital fingerprints stored in a database to prevent future uploads of the same or similar content.

The measures sit alongside new legislation requiring that such content be removed within two days of reporting, with Prime Minister Keir Starmer warning that non-compliant platforms could face service blocks and hefty fines. Ofcom's approach currently differs from that of the European Union, where a comparable legal framework expired last month following a prolonged standoff over privacy concerns, leaving the legal status of voluntary scanning efforts uncertain.

Experts warn of privacy risks as AI firms look to connect to financial accounts - OpenAI announced a new ChatGPT feature allowing users to connect financial accounts to the chatbot for personal finance advice, supported by financial technology firm Plaid and, in future, Intuit. Currently available to ChatGPT Pro subscribers, the feature integrates with more than 12,000 financial institutions and provides a dashboard covering portfolio performance, spending, subscriptions, and upcoming payments. OpenAI states that users retain control of their data and can disconnect accounts, delete conversations, and erase stored financial details at any time.

However, privacy and cybersecurity experts have raised concerns. Critics note that even without access to full account numbers, the financial data collected can reveal deeply personal details, and OpenAI has not addressed whether the data could be used for advertising or commercial targeting. Security professionals have warned that centralising financial data within a single platform creates a high-value target for account takeover attacks, and that a single breach could expose a detailed picture of a user's net worth, spending habits, and financial history. Users are advised to enable multi-factor authentication, review memory settings, and delete chats and stored data when no longer needed.

GitHub confirms breach of 3,800 repos via malicious VSCode extension - GitHub confirmed that approximately 3,800 internal repositories were breached after an employee installed a malicious VS Code extension. The company removed the trojanised extension from the VS Code Marketplace, isolated the compromised device, and initiated incident response. GitHub stated that its current assessment indicates only internal repositories were affected, with no evidence that customer data stored outside those repositories was compromised.

The hacker group TeamPCP claimed responsibility on the Breached cybercrime forum, advertising access to roughly 4,000 private repositories and seeking a minimum of $50,000 for the stolen data. TeamPCP has previously been linked to supply chain attacks targeting GitHub, PyPI, NPM, and Docker, as well as the "Mini Shai-Hulud" campaign which also impacted OpenAI employees. The incident highlights the ongoing risk posed by malicious VS Code extensions, with numerous trojanised plugins having been discovered over recent years stealing developer credentials, deploying cryptominers, and exfiltrating sensitive data from developer systems.

Threat Actor Weekly Graph

Over the past 7 days, we have been tracking the following intent and opportunity changes within our Threat Actor Landscape.

Intent represents the potential targets of a group. When a group is observed attacking a different organisation or entity, their intent will increase.

Opportunity represents the various methods and technologies these groups may use. For example, if a group started using a new attack vector, such as a new kind of ransomware, their opportunity would increase.

Both intent and opportunity are scored out of 100 and are responsible for scoring the group's severity. These updates can be seen below.

 

Severity scale: Limited, Basic, Moderate, High

Threat Actor          Severity (previous -> current)   Opportunity (previous -> current)   Intent (previous -> current)
BlueDelta             High -> High                     86 -> 84                            30 -> 30
Dragon Force Group    Moderate -> Moderate             63 -> 60                            49 -> 49
TAG-185               New -> Basic                     New -> 30                           New -> 30
specfvol              New -> Basic                     New -> 30                           New -> 25
karava                New -> Basic                     New -> 30                           30 -> 25

Global Trends Powered by Recorded Future

Within each category, we have provided the current top five globally trending items. Each item is linked to how actively trending it is and is marked with a small symbol.

The spikes in references are calculated over 60 days and are normalised to ensure they aren't disproportionate when compared to bigger entities that will naturally have more baseline mentions.

- Spike – This indicates a large increase in reporting volume and a high diversity in the event descriptions.
- Rise – This indicates a small increase in reporting volume with little diversity in the descriptions.

Attackers                  Methods               Vulnerabilities    Targets
Storm-2949                 Nitrogen Ransomware   CVE-2026-45585     Microsoft
DieNet                     Agent Tesla           CVE-2026-42945     GitHub
Nova Ransomware Group      Nova Ransomware       CVE-2026-42897     Bankr
NoName057(16)              Rhysida               CVE-2026-31635     Grafana Labs
Silent Ransomware Group    Safepay Ransomware    CVE-2026-3102      7-Eleven

Prominent Information Security Events

Storm-2949 Uses SSPR Abuse and Compromised Identities to Exfiltrate Data Across Microsoft 365 and Azure Environments

Source: Insikt Group | Validated Intelligence Event

IOC: IP - 185[.]241[.]208[.]243

On 18 May 2026, Microsoft reported that the threat actor Storm-2949 conducted a sophisticated, multi-stage intrusion campaign beginning with impersonation-based social engineering targeting Microsoft Entra ID Self-Service Password Reset workflows. By posing as internal IT support staff and manipulating users into approving fraudulent MFA prompts, the group compromised accounts belonging to IT personnel and senior leadership, subsequently enrolling attacker-controlled devices into Microsoft Authenticator and removing existing authentication methods. Storm-2949 then used custom Python scripts and Microsoft Graph API queries to enumerate privileged identities and high-value accounts, before expanding into Microsoft 365 services to exfiltrate thousands of files from OneDrive and SharePoint, including VPN configurations and remote access documentation.
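One detection for the identity stage described above, added here as an example and not taken from Microsoft's report: over constructed records in the shape of Entra ID audit-log entries, it flags any account where a newly registered authentication method is followed within an hour by deletion of the existing methods, which is the footprint of an attacker-enrolled Authenticator becoming the account's only MFA. The activity names are the ones Entra ID writes for authentication-method changes; the users, times and addresses are invented.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

REGISTERED = "User registered security info"
DELETED = "User deleted security info"

# Constructed records in the shape of Entra ID audit log entries (subset of fields).
SAMPLE_AUDIT_LOG = """
{"activityDateTime":"2026-05-11T09:02:10Z","loggedByService":"Authentication Methods","activityDisplayName":"User registered security info","result":"success","resultReason":"User registered Authenticator App with Notification and Code","ipAddress":"198.51.100.23","initiatedBy":{"user":{"userPrincipalName":"jdoe@contoso.example"}},"targetResources":[{"userPrincipalName":"jdoe@contoso.example"}]}
{"activityDateTime":"2026-05-11T09:03:42Z","loggedByService":"Authentication Methods","activityDisplayName":"User deleted security info","result":"success","resultReason":"User deleted Authenticator App with Notification and Code","ipAddress":"198.51.100.23","initiatedBy":{"user":{"userPrincipalName":"jdoe@contoso.example"}},"targetResources":[{"userPrincipalName":"jdoe@contoso.example"}]}
{"activityDateTime":"2026-05-11T09:04:01Z","loggedByService":"Authentication Methods","activityDisplayName":"User deleted security info","result":"success","resultReason":"User deleted Phone","ipAddress":"198.51.100.23","initiatedBy":{"user":{"userPrincipalName":"jdoe@contoso.example"}},"targetResources":[{"userPrincipalName":"jdoe@contoso.example"}]}
{"activityDateTime":"2026-05-11T10:15:00Z","loggedByService":"Authentication Methods","activityDisplayName":"User registered security info","result":"success","resultReason":"User registered Authenticator App with Notification and Code","ipAddress":"203.0.113.9","initiatedBy":{"user":{"userPrincipalName":"asmith@contoso.example"}},"targetResources":[{"userPrincipalName":"asmith@contoso.example"}]}
{"activityDateTime":"2026-05-11T08:00:00Z","loggedByService":"Authentication Methods","activityDisplayName":"User deleted security info","result":"success","resultReason":"User deleted Phone","ipAddress":"203.0.113.9","initiatedBy":{"user":{"userPrincipalName":"bjones@contoso.example"}},"targetResources":[{"userPrincipalName":"bjones@contoso.example"}]}
{"activityDateTime":"2026-05-11T12:00:00Z","loggedByService":"Authentication Methods","activityDisplayName":"User registered security info","result":"success","resultReason":"User registered Phone","ipAddress":"203.0.113.9","initiatedBy":{"user":{"userPrincipalName":"bjones@contoso.example"}},"targetResources":[{"userPrincipalName":"bjones@contoso.example"}]}
"""


def parse_audit_log(text: str) -> List[dict]:
    """Reduce each JSON record to the fields the detection needs, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        initiator = rec.get("initiatedBy", {}).get("user") or {}
        events.append({
            "time": datetime.strptime(rec["activityDateTime"], "%Y-%m-%dT%H:%M:%SZ"),
            "activity": rec["activityDisplayName"],
            "target": rec["targetResources"][0]["userPrincipalName"],
            "actor": initiator.get("userPrincipalName"),
            "ip": rec.get("ipAddress"),
            "method": rec.get("resultReason", ""),
        })
    return sorted(events, key=lambda e: e["time"])


def find_method_swaps(events: List[dict], window_minutes: int = 60) -> List[dict]:
    """Flag a user whose newly registered method is followed, within the window,
    by deletion of existing methods: the new device is now the only MFA."""
    window = timedelta(minutes=window_minutes)
    by_target: Dict[str, List[dict]] = defaultdict(list)
    for e in events:
        by_target[e["target"]].append(e)
    findings = []
    for user, evs in by_target.items():
        for i, reg in enumerate(evs):
            if reg["activity"] != REGISTERED:
                continue
            removals = [d for d in evs[i + 1:]
                        if d["activity"] == DELETED and d["time"] - reg["time"] <= window]
            if not removals:
                continue
            findings.append({
                "user": user,
                "registered_at": reg["time"].isoformat(),
                "registered": reg["method"],
                "registration_ip": reg["ip"],
                "self_service": reg["actor"] == user,  # done from the user's own session
                "removed": [d["method"] for d in removals],
                "minutes_to_first_removal": round(
                    (removals[0]["time"] - reg["time"]).total_seconds() / 60, 1),
            })
    return findings


if __name__ == "__main__":
    for f in find_method_swaps(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(json.dumps(f, indent=2))
```

In the sample only jdoe is flagged: a new Authenticator registration followed within two minutes by removal of the previous Authenticator and the phone method. A registration with no later deletion (asmith) or a deletion that precedes the registration (bjones) is ordinary hygiene and stays quiet. In production the registration IP and the self_service flag are the pivot points: a self-service change from an address the user has never signed in from is the SSPR-abuse pattern.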

The threat actor subsequently pivoted into Azure environments, leveraging privileged RBAC permissions to target App Services, Key Vaults, Storage Accounts, SQL servers, and virtual machines. After encountering network restrictions, Storm-2949 exploited auxiliary App Service instances to obtain deployment credentials and access Kudu management consoles, before abusing Owner-level RBAC permissions to modify Key Vault access configurations and retrieve secrets including database connection strings and identity credentials. The group further manipulated SQL Server firewall rules to permit access from attacker-controlled infrastructure, retrieved storage account keys and SAS tokens, and used custom Python scripts to enumerate and download blob data over several days.

To maintain persistent access and hinder detection, Storm-2949 exploited the VMAccess extension and Azure Run Command functionality to create local administrator accounts and retrieve managed identity tokens, whilst also attempting to disable Microsoft Defender Antivirus protections. The group subsequently installed ScreenConnect RMM software disguised as legitimate Windows components, using it to conduct host discovery, domain enumeration, and searches for certificate files and password-related content. Cleanup actions included clearing Windows event logs, deleting command histories, and removing temporary files from compromised systems.
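A complementary detection for the Azure stage, again an added example rather than anything from the report: over constructed Azure Activity Log records it groups control-plane operations per caller into three stages (credential access, network exposure, execution/persistence) and reports a caller who touches all three within 72 hours, also checking any SQL firewall-rule address against the IOC listed for this event. The operation names are genuine Azure RBAC operations; the stage grouping, thresholds and callers are this example's own.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List

# Real Azure control-plane operation names; grouping them into stages is this example's.
STAGES = {
    "credential-access": {
        "microsoft.keyvault/vaults/accesspolicies/write",     # grant self Key Vault access
        "microsoft.storage/storageaccounts/listkeys/action",  # storage account keys
        "microsoft.web/sites/publishxml/action",              # App Service deployment creds
    },
    "network-exposure": {
        "microsoft.sql/servers/firewallrules/write",          # open SQL to an external IP
    },
    "execution": {
        "microsoft.compute/virtualmachines/runcommand/action",
        "microsoft.compute/virtualmachines/extensions/write",  # e.g. VMAccess
    },
}
OP_TO_STAGE = {op: stage for stage, ops in STAGES.items() for op in ops}
IOC_IPS = {"185.241.208.243"}  # the address listed as IOC for this event

# Constructed records in the shape of Azure Activity Log entries (subset of fields).
SAMPLE_ACTIVITY_LOG = r"""
{"eventTimestamp":"2026-05-12T07:10:00Z","caller":"svc-deploy@contoso.example","operationName":{"value":"Microsoft.Storage/storageAccounts/listKeys/action"},"resourceId":"/subscriptions/0000/resourceGroups/prod/providers/Microsoft.Storage/storageAccounts/prodblob","status":{"value":"Succeeded"},"properties":{}}
{"eventTimestamp":"2026-05-12T08:05:00Z","caller":"svc-deploy@contoso.example","operationName":{"value":"Microsoft.KeyVault/vaults/accessPolicies/write"},"resourceId":"/subscriptions/0000/resourceGroups/prod/providers/Microsoft.KeyVault/vaults/prod-kv","status":{"value":"Succeeded"},"properties":{}}
{"eventTimestamp":"2026-05-12T09:30:00Z","caller":"svc-deploy@contoso.example","operationName":{"value":"Microsoft.Sql/servers/firewallRules/write"},"resourceId":"/subscriptions/0000/resourceGroups/prod/providers/Microsoft.Sql/servers/prod-sql/firewallRules/ClientIPAddress_2026-05-12","status":{"value":"Succeeded"},"properties":{"requestbody":"{\"properties\":{\"startIpAddress\":\"185.241.208.243\",\"endIpAddress\":\"185.241.208.243\"}}"}}
{"eventTimestamp":"2026-05-13T14:00:00Z","caller":"svc-deploy@contoso.example","operationName":{"value":"Microsoft.Compute/virtualMachines/runCommand/action"},"resourceId":"/subscriptions/0000/resourceGroups/prod/providers/Microsoft.Compute/virtualMachines/app01","status":{"value":"Succeeded"},"properties":{}}
{"eventTimestamp":"2026-05-13T14:20:00Z","caller":"svc-deploy@contoso.example","operationName":{"value":"Microsoft.Compute/virtualMachines/extensions/write"},"resourceId":"/subscriptions/0000/resourceGroups/prod/providers/Microsoft.Compute/virtualMachines/app01/extensions/VMAccessForLinux","status":{"value":"Succeeded"},"properties":{}}
{"eventTimestamp":"2026-05-12T03:00:00Z","caller":"ops-automation@contoso.example","operationName":{"value":"Microsoft.Storage/storageAccounts/listKeys/action"},"resourceId":"/subscriptions/0000/resourceGroups/prod/providers/Microsoft.Storage/storageAccounts/prodblob","status":{"value":"Succeeded"},"properties":{}}
{"eventTimestamp":"2026-05-12T03:01:00Z","caller":"ops-automation@contoso.example","operationName":{"value":"Microsoft.Compute/virtualMachines/start/action"},"resourceId":"/subscriptions/0000/resourceGroups/prod/providers/Microsoft.Compute/virtualMachines/app01","status":{"value":"Succeeded"},"properties":{}}
"""


def firewall_rule_ips(rec: dict) -> List[str]:
    """Pull start/end addresses out of a firewall-rule write when the body is logged."""
    body = rec.get("properties", {}).get("requestbody")
    if not body:
        return []
    try:
        props = json.loads(body).get("properties", {})
    except ValueError:
        return []
    return [ip for ip in (props.get("startIpAddress"), props.get("endIpAddress")) if ip]


def parse_activity_log(text: str) -> List[dict]:
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append({
            "time": datetime.strptime(rec["eventTimestamp"], "%Y-%m-%dT%H:%M:%SZ"),
            "caller": rec["caller"],
            "op": rec["operationName"]["value"].lower(),
            "firewall_ips": firewall_rule_ips(rec),
        })
    return sorted(events, key=lambda e: e["time"])


def detect_control_plane_chains(events: List[dict], min_stages: int = 3,
                                window_hours: int = 72) -> List[dict]:
    """Per caller, slide a window over their staged operations and report the
    first window that touches at least `min_stages` distinct stages."""
    window = timedelta(hours=window_hours)
    by_caller = defaultdict(list)
    for e in events:
        if e["op"] in OP_TO_STAGE:
            by_caller[e["caller"]].append(e)
    findings = []
    for caller, evs in by_caller.items():
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if e["time"] - first["time"] <= window]
            stages = sorted({OP_TO_STAGE[e["op"]] for e in in_window})
            if len(stages) < min_stages:
                continue
            ips = {ip for e in in_window for ip in e["firewall_ips"]}
            findings.append({
                "caller": caller,
                "window_start": first["time"].isoformat(),
                "stages": stages,
                "operations": [e["op"] for e in in_window],
                "firewall_ips": sorted(ips),
                "ioc_hits": sorted(ips & IOC_IPS),
            })
            break  # one finding per caller is enough for triage
    return findings


if __name__ == "__main__":
    for f in detect_control_plane_chains(parse_activity_log(SAMPLE_ACTIVITY_LOG)):
        print(json.dumps(f, indent=2))
```

The automation account that only lists storage keys every night never trips the rule, because a single stage repeated is normal operations; the deployment identity that fetches keys, rewrites a Key Vault access policy, opens SQL to an external address and then runs commands on a VM within a day and a half does. The firewall-rule address match is the cheapest high-confidence signal in the chain, so it is surfaced separately rather than folded into the score.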

Secret Blizzard Evolves Kazuar into a Modular Peer-To-Peer Botnet for Espionage Operations

Source: Insikt Group | Validated Intelligence Event

IOC: Hash - 69908f05b436bd97baae56296bf9b9e734486516f9bb9938c2b8752e152315d4

On 14 May 2026, Microsoft Threat Intelligence published a technical analysis detailing the evolution of Kazuar, a modular peer-to-peer botnet framework attributed to the Russian state actor Secret Blizzard. Kazuar is designed to support stealthy, long-term access, covert communication, and distributed tasking within compromised environments, and has been used to conduct espionage operations against government, diplomatic, and defence targets aligned with Russian strategic objectives.

Secret Blizzard delivered Kazuar via multiple dropper variants, most notably the Pelmeni dropper, which embedded an encrypted second-stage payload as a byte array within the executable and tied decryption logic to the victim's hostname, ensuring the payload could only execute on the intended host. In an alternative infection chain, a lightweight .NET loader was deployed alongside the final payload, invoked via a Component Object Model (COM) object for in-memory execution. Following deployment, Kazuar performed anti-analysis and sandbox detection checks, scanning for running analysis tools, desktop canary files, and sandbox-related DLLs loaded into active system processes.
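The host-bound decryption described for the Pelmeni dropper, as an added illustration of the technique (not Kazuar's algorithm or keys): the key is derived from the intended hostname, so the same blob decrypts to the payload on that host and to noise anywhere else, which is why a sandbox detonation yields nothing. A SHA-256 counter keystream and HMAC tag stand in for whatever cipher the real dropper uses; the hostnames and payload are invented.

```python
import hashlib
import hmac
import socket
from typing import Iterable, Optional, Tuple

MARKER = b"STAGE2\x00"  # constructed plaintext marker; a correct key reveals it


def derive_key(hostname: str) -> bytes:
    """Key material comes only from the host name the dropper was built for.
    Lower-casing is a choice here, since Windows host names are case-insensitive."""
    return hashlib.sha256(hostname.strip().lower().encode("utf-8")).digest()


def keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode, a stand-in stream cipher for the example."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "little")).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def seal_for_host(payload: bytes, hostname: str) -> bytes:
    """Builder side: emit tag || ciphertext, both tied to `hostname`."""
    key = derive_key(hostname)
    body = MARKER + payload
    tag = hmac.new(key, body, "sha256").digest()[:16]
    return tag + _xor(body, keystream(key, len(body)))


def open_on_host(blob: bytes, hostname: str) -> Optional[bytes]:
    """Dropper side: decrypt with the local host name. None means wrong host,
    so the stub can exit quietly instead of executing garbage."""
    key = derive_key(hostname)
    tag, ciphertext = blob[:16], blob[16:]
    body = _xor(ciphertext, keystream(key, len(ciphertext)))
    if not body.startswith(MARKER):
        return None
    if not hmac.compare_digest(tag, hmac.new(key, body, "sha256").digest()[:16]):
        return None
    return body[len(MARKER):]


def recover_with_candidates(blob: bytes, candidates: Iterable[str]) -> Optional[Tuple[str, bytes]]:
    """Analyst side: the blob alone is opaque; try host names from the victim
    environment (asset inventory, naming convention) until one opens it."""
    for name in candidates:
        payload = open_on_host(blob, name)
        if payload is not None:
            return name, payload
    return None


if __name__ == "__main__":
    blob = seal_for_host(b"<second-stage bytes>", "FIN-WS-0421")  # constructed target host
    print("on this machine:", open_on_host(blob, socket.gethostname()))  # None unless you are FIN-WS-0421
    print("guessed:", recover_with_candidates(blob, ["SANDBOX-PC", "DESKTOP-7Q2K", "fin-ws-0421"]))
```

The practical consequence for analysts is that a recovered dropper has to be opened with the victim's hostname, supplied from the incident or guessed from the asset inventory as recover_with_candidates() does; the tag check also shows how a stub can fail silently on the wrong host rather than crash and draw attention.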

Once active, Kazuar initialised over 150 configurable settings governing transport methods, process injection modes, heartbeat intervals, task execution, and automated file collection, as well as bypasses for the Windows Anti-Malware Scan Interface, Windows Lockdown Policy, and Event Tracing for Windows. The breadth of configurable options reflects the framework's maturity and its suitability for sustained, adaptable espionage operations against high-value targets.

Remediation Actions

Following the information provided above, we recommend that the technologies mentioned be fully patched and updated. We also want to highlight and recommend applying the following patches where applicable: 

  • CVE-2026-8181 (Burst Statistics WordPress plugin, reported by Wordfence) – This vulnerability is mitigated by updating the plugin to version 3.4.1.2 or later.

  • CVE-2026-24207 and the seven other Triton Inference Server vulnerabilities (NVIDIA) – These are remediated by updating to release r26.03.

  • CVE-2026-44885 (Portainer) – This vulnerability can be remediated by updating Portainer to version 2.33.8 LTS.

If you are currently an Acumen Cyber Vulnerability Management customer, we will be proactively performing related searching and hunting activities within your environment.