1st June – Threat Intelligence Report

What Happened

Several major organizations, including Carnival Corporation and Charter Communications, recently suffered data breaches exposing millions of records. Cybercriminals are increasingly using artificial intelligence tools to write malicious code, create fake software packages, and generate convincing phishing emails. Additionally, hackers are actively exploiting known security flaws in popular software like Palo Alto Networks' GlobalProtect and Ghost CMS to break into networks. Organizations should apply available security updates immediately, monitor for suspicious remote access, and remain vigilant against fake recruiter emails and AI-generated scams.

Key Takeaways

• Multiple major data breaches occurred, affecting millions of users at Carnival Corporation and Charter Communications via social engineering and credential theft.
• Threat actors are actively leveraging AI tools (ChatGPT, Gemini) to accelerate malware development, automate propaganda, and generate malicious npm packages.
• Critical vulnerabilities in PAN-OS GlobalProtect (CVE-2026-0257) and Ghost CMS (CVE-2026-26980) are being actively exploited in the wild.
• A critical, unpatched Remote Code Execution (RCE) vulnerability exists in the Gogs Git service, posing severe risks to repositories.
• JINX-0164 is targeting cryptocurrency organizations using recruiter-themed social engineering to deploy macOS malware (AUDIOFIX, MINIRAT).

Affected Systems

• PAN-OS GlobalProtect
• Gogs Git service
• Ghost CMS
• macOS
• Windows
• Android

Vulnerabilities (CVEs)

• CVE-2026-48131
• CVE-2026-48132
• CVE-2026-0257
• CVE-2026-26980

Attack Chain

Threat actors are utilizing diverse initial access vectors, ranging from social engineering and fake CAPTCHA pages to the exploitation of public-facing applications (PAN-OS, Ghost CMS). Once initial access is achieved, attackers deploy platform-specific payloads, such as macOS malware (MINIRAT) or Windows tools via DLL side-loading (Grandoreiro). Post-compromise activities involve lateral movement into code repositories, credential theft, and data exfiltration to attacker-controlled infrastructure or legitimate services like GitHub.

Detection Availability

• YARA Rules: No
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: No
• Platforms: Check Point IPS

Check Point IPS provides network-level protection signatures against the mentioned vulnerabilities, including the IKE flaws, Gogs RCE, and Ghost CMS SQL Injection.

Detection Engineering Assessment

EDR Visibility: Medium — EDR provides strong visibility into endpoint behaviors like DLL side-loading and macOS malware execution, but may lack insight into network appliance exploitation (PAN-OS) or SaaS/Git repository compromises. Network Visibility: High — Network sensors and IPS are critical for detecting the exploitation of PAN-OS, Ghost CMS, and Gogs vulnerabilities, as well as identifying anomalous outbound traffic to unauthorized GitHub repositories. Detection Difficulty: Moderate — While vulnerability exploitation can be detected with updated IPS signatures, identifying AI-generated phishing, social engineering, and malicious open-source packages requires robust behavioral analytics and developer environment monitoring.

Required Log Sources

• Network IDS/IPS logs
• VPN authentication logs
• Web Application Firewall (WAF) logs
• Endpoint process execution logs

Hunting Hypotheses

Control Gaps

• Lack of patching for zero-day or recently disclosed vulnerabilities (e.g., Gogs RCE)
• Insufficient safeguards against malicious open-source dependencies in developer environments

Key Behavioral Indicators

• Unexpected VPN session creations or authentication bypasses
• SQL injection payloads in web requests targeting CMS administrative APIs
• Execution of unsigned DLLs from unusual directories
• Anomalous outbound network connections from developer workstations to unauthorized GitHub repositories

False Positive Assessment

• Low

Recommendations

Immediate Mitigation

• Verify against your organization's incident response runbook and team escalation paths before acting.
• Apply available patches for PAN-OS GlobalProtect (CVE-2026-0257) and Ghost CMS (CVE-2026-26980) immediately.
• If using Gogs, evaluate network exposure and consider restricting access or migrating to an alternative until a patch is released for the critical RCE.

Infrastructure Hardening

• Implement strict access controls and monitor authentication logs for VPN and remote access gateways.
• Deploy Web Application Firewalls (WAF) to block common SQL injection and RCE exploit attempts.

User Protection

• Enhance email filtering to detect AI-generated phishing lures and malicious attachments.
• If applicable, restrict the installation of unverified npm packages and monitor developer environments for unauthorized data exfiltration.

Security Awareness

• Educate employees on the risks of recruiter-themed social engineering, particularly targeting developers and cryptocurrency personnel.
• Train users to identify fake CAPTCHA pages and deceptive websites used in credential harvesting campaigns.

MITRE ATT&CK Mapping

• T1566 - Phishing
• T1190 - Exploit Public-Facing Application
• T1574.002 - DLL Side-Loading
• T1078 - Valid Accounts
• T1189 - Drive-by Compromise
• T1195.001 - Compromise Software Dependencies and Development Tools