8th June – Threat Intelligence Report
This threat intelligence report highlights active exploitation of critical vulnerabilities, including a Windows Netlogon RCE (CVE-2026-41089) and an Android Framework flaw. It also details significant data breaches affecting DentaQuest and the UN WFP, emerging AI-driven threats such as EDR evasion labs, a supply chain compromise of the Hola browser, and Iranian state-sponsored espionage operations utilizing Dutch hosting infrastructure.
What Happened
Recent cyber attacks have exposed millions of user records from organizations like DentaQuest and the UN World Food Programme. Hackers are actively exploiting critical flaws in Microsoft Windows, Android, and SolarWinds systems to take control of networks. Additionally, cybercriminals are using artificial intelligence to bypass security tools and trick AI assistants. Organizations should urgently apply the latest security updates and monitor their networks for unusual activity.
Key Takeaways
- Critical vulnerabilities in Microsoft Windows Netlogon (CVE-2026-41089) and Android Framework (CVE-2025-48595) are under active exploitation.
- A supply chain attack on the Hola Windows browser distributed a cryptominer that excluded itself from Windows Defender.
- Threat actors are increasingly leveraging AI, including prompt injection against voice assistants and automated LLM labs for EDR evasion testing.
- Iranian state-sponsored actors (MuddyWater, Agrius) utilized infrastructure from a seized Dutch hosting provider (WorkTitans B.V.) for cyber espionage.
- A covert espionage campaign successfully exfiltrated a senior executive's Outlook mailbox over five months using legitimate cloud storage services.
Affected Systems
- Windows Server (Active Directory/Netlogon)
- Android 14 and later
- Cisco Unified Communications Manager
- SolarWinds Serv-U
- Hola Windows browser
- Microsoft Outlook
Vulnerabilities (CVEs)
- CVE-2025-48595
- CVE-2026-20230
- CVE-2026-28318
- CVE-2026-41089
Attack Chain
Threat actors are employing diverse initial access vectors, including exploiting public-facing applications (Netlogon, Serv-U) and supply chain compromises (Hola browser). Post-compromise activities involve deploying cryptominers, infostealers (RemusStealer), and utilizing legitimate cloud storage for covert data exfiltration. Attackers are also leveraging automated AI labs to iteratively test and refine malware against major EDR solutions to ensure stealthy execution.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
- Platforms: Check Point IPS, Check Point Threat Emulation, Harmony Endpoint
Check Point provides protection against the Netlogon vulnerability (CVE-2026-41089) via its IPS, and against the RemusStealer/SessionGate threats via Threat Emulation and Harmony Endpoint.
Detection Engineering Assessment
- EDR Visibility: High — EDR solutions can detect cryptominer installations, unauthorized Defender exclusions, and anomalous child processes spawning from browsers or the Netlogon service.
- Network Visibility: High — Network sensors and IPS can detect Netlogon buffer overflow attempts, crafted HTTP POST requests targeting Serv-U, and exfiltration to unauthorized cloud storage.
- Detection Difficulty: Moderate — While known CVEs have clear network signatures, detecting AI-evaded malware or covert exfiltration via legitimate cloud storage requires robust behavioral baselining.
Required Log Sources
- Windows Event Logs (Security, System)
- Network IDS/IPS logs
- Web Proxy/Gateway logs
- EDR telemetry
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for unexpected modifications to Windows Defender exclusion lists, particularly those initiated by browser processes or unknown services. | EDR process execution and registry modification logs | Defense Evasion | Low |
| Monitor for unusual volumes of data being transferred to legitimate cloud storage domains (e.g., OneDrive, Dropbox) from high-value executive endpoints. | Web proxy and network traffic logs | Exfiltration | Medium |
| Investigate repeated failed 2FA attempts followed by a successful login and immediate device registration. | Authentication and IAM logs | Credential Access | Low |
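The first hypothesis in the table (Defender exclusion changes initiated by browsers or unknown processes) can be turned into a small hunt over EDR registry-modification telemetry. The following is an added example written for this report, not detection content from the report or from any vendor: the event records, the browser image list and the `APPROVED_WRITERS` allow list are all constructed placeholders; the only fixed fact it relies on is that Windows Defender stores local and policy exclusions under registry keys ending in `Windows Defender\Exclusions\{Paths,Processes,Extensions,TemporaryPaths}`.

```python
"""Hunt: Windows Defender exclusion changes written by browsers or unapproved processes.

Added example for this report; event records and allow lists below are constructed.
"""
import re

# Defender keeps local (HKLM\SOFTWARE\Microsoft\...) and policy (HKLM\SOFTWARE\Policies\...)
# exclusions under keys ending in these names; each value name is an excluded item.
EXCLUSION_KEY = re.compile(
    r"\\Windows Defender\\Exclusions\\(Paths|Processes|Extensions|TemporaryPaths)$",
    re.IGNORECASE,
)

# Image names treated as browsers for this hunt (constructed list; extend to taste).
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe", "hola.exe"}

# Placeholder allow list of management tooling permitted to write exclusions.
# "mgmt-agent.exe" is a hypothetical name, not a real product.
APPROVED_WRITERS = {"mgmt-agent.exe"}

# Constructed EDR registry-modification events (not real telemetry).
EVENTS = [
    {"ts": "2026-06-08T09:12:01Z", "host": "WS-FIN-07",
     "process": r"C:\Program Files\Hola\hola.exe", "action": "set",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths",
     "value": r"C:\Users\Public\svc\worker.exe"},
    {"ts": "2026-06-08T09:40:22Z", "host": "WS-OPS-02",
     "process": r"C:\ProgramData\updsvc\updsvc.exe", "action": "set",
     "key": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Processes",
     "value": r"updsvc.exe"},
    {"ts": "2026-06-08T10:05:13Z", "host": "WS-OPS-02",
     "process": r"C:\Program Files\MgmtSuite\mgmt-agent.exe", "action": "set",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths",
     "value": r"D:\Backups"},
    {"ts": "2026-06-08T10:07:55Z", "host": "WS-FIN-07",
     "process": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "action": "set",
     "key": r"HKCU\Software\Google\Chrome\PreferenceMACs", "value": "x"},
]


def image_name(path: str) -> str:
    """Return the lower-cased executable name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict):
    """Return a finding dict for an exclusion change, or None if the event is unrelated."""
    if not EXCLUSION_KEY.search(event["key"]):
        return None
    writer = image_name(event["process"])
    if writer in BROWSER_IMAGES:
        severity, reason = "high", "exclusion written by a browser process"
    elif writer not in APPROVED_WRITERS:
        severity, reason = "medium", "exclusion written by a process outside the approved tooling list"
    else:
        severity, reason = "low", "exclusion written by approved tooling (confirm against change records)"
    return {
        "ts": event["ts"], "host": event["host"], "writer": writer,
        "excluded": event["value"], "severity": severity, "reason": reason,
    }


def hunt_exclusion_changes(events) -> list:
    """Run the hunt over a batch of events, keeping only exclusion-related findings."""
    return [f for f in map(classify, events) if f is not None]


if __name__ == "__main__":
    for finding in hunt_exclusion_changes(EVENTS):
        print(f'{finding["severity"]:6} {finding["host"]} {finding["writer"]} -> {finding["excluded"]}: {finding["reason"]}')
```

The allow list is deliberately short: in practice, exclusions added by approved tooling are still worth reconciling against a change ticket, which is why the example keeps them as low-severity findings rather than dropping them.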
Control Gaps
- Lack of behavioral monitoring for legitimate cloud storage abuse
- Insufficient rate-limiting on 2FA endpoints
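The third hunting hypothesis and the second control gap describe the same pattern from two sides: many failed 2FA verifications against one account, then a success, then a new device registered shortly afterwards. The following sequence detection is an added example written for this report, not logic from the report; the log format (`timestamp user event source_ip`), the event names `mfa_failed`, `mfa_success` and `device_registered`, and the thresholds are all assumptions to be mapped onto the IAM product's real field names.

```python
"""Hunt: burst of failed 2FA verifications, then success, then device registration.

Added example for this report; the log lines, event names and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication/IAM events (not real logs); IPs are from documentation ranges.
# Format per line: <timestamp> <user> <event> <source_ip>
AUTH_LOG = """\
2026-06-08T08:00:05Z alice mfa_failed 203.0.113.7
2026-06-08T08:00:09Z alice mfa_failed 203.0.113.7
2026-06-08T08:00:14Z alice mfa_failed 203.0.113.7
2026-06-08T08:00:20Z alice mfa_failed 203.0.113.7
2026-06-08T08:00:27Z alice mfa_failed 203.0.113.7
2026-06-08T08:00:33Z alice mfa_failed 203.0.113.7
2026-06-08T08:01:40Z alice mfa_success 203.0.113.7
2026-06-08T08:02:10Z alice device_registered 203.0.113.7
2026-06-08T09:15:00Z bob mfa_failed 198.51.100.4
2026-06-08T09:15:30Z bob mfa_success 198.51.100.4
2026-06-08T10:00:00Z carol mfa_failed 203.0.113.9
2026-06-08T10:00:06Z carol mfa_failed 203.0.113.9
2026-06-08T10:00:12Z carol mfa_failed 203.0.113.9
2026-06-08T10:00:19Z carol mfa_failed 203.0.113.9
2026-06-08T10:00:25Z carol mfa_failed 203.0.113.9
2026-06-08T10:00:31Z carol mfa_failed 203.0.113.9
"""


def parse_auth_log(text: str) -> list:
    """Parse the constructed line format into event dicts with real datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "event": event, "ip": ip})
    return events


def hunt_mfa_bruteforce(events, min_failures=5,
                        failure_window=timedelta(minutes=10),
                        followup_window=timedelta(minutes=30)) -> list:
    """Flag each successful 2FA that follows >= min_failures failures inside failure_window.

    A device registration within followup_window after the success raises the priority,
    because that is the step that turns a guessed code into persistent access.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if e["event"] != "mfa_success":
                continue
            failures = [f for f in evs[:i]
                        if f["event"] == "mfa_failed" and e["ts"] - f["ts"] <= failure_window]
            if len(failures) < min_failures:
                continue
            registered = any(
                r["event"] == "device_registered" and timedelta(0) <= r["ts"] - e["ts"] <= followup_window
                for r in evs[i + 1:]
            )
            findings.append({
                "user": user,
                "failures": len(failures),
                "success_at": e["ts"].isoformat(),
                "source_ips": sorted({f["ip"] for f in failures} | {e["ip"]}),
                "device_registered": registered,
                "priority": "high" if registered else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in hunt_mfa_bruteforce(parse_auth_log(AUTH_LOG)):
        print(f'{f["priority"]:6} {f["user"]}: {f["failures"]} failures before {f["success_at"]}, '
              f'device registered: {f["device_registered"]}, from {", ".join(f["source_ips"])}')
```

Carol's burst of failures without a success is intentionally not a finding here; it belongs to a separate rate-limiting alert, which is the control gap the report lists. Keying the failure count on the success event keeps this hunt's false-positive rate low, matching the "Low" rating in the table.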
Key Behavioral Indicators
- Windows Defender exclusion modifications
- High-volume data transfers to cloud storage from executive accounts
- Netlogon service crashes or anomalous child processes
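The "high-volume data transfers to cloud storage from executive accounts" indicator, and the second hunting hypothesis it comes from, only work with a per-endpoint baseline, as the detection assessment notes. The example below is added for this report and is not logic from the report: it sums upload bytes to cloud storage domains per source host from proxy logs in a simplified constructed format, then flags hosts whose volume exceeds both an absolute floor and a multiple of their own baseline. The log lines, the `BASELINE_BYTES` values, the executive host tag and the thresholds are constructed; the service domains are real names used only to illustrate the suffix match.

```python
"""Hunt: unusual upload volume to cloud storage, baselined per endpoint.

Added example for this report; the log lines, baselines and thresholds are constructed.
"""
from collections import defaultdict

# Cloud storage destinations, matched by domain suffix. Real domains as illustration only;
# an organisation would substitute its sanctioned/unsanctioned service list.
CLOUD_STORAGE_SUFFIXES = ("onedrive.live.com", "sharepoint.com", "dropbox.com", "drive.google.com")
UPLOAD_METHODS = {"POST", "PUT"}

# Endpoints tagged as executive assets (constructed) get higher priority when flagged.
EXECUTIVE_HOSTS = {"WS-EXEC-01"}

# Constructed proxy log lines (not real traffic), one request per line:
# <timestamp> <source_host> <user> <method> <destination_host> <bytes_sent>
PROXY_LOG = """\
2026-06-08T10:00:01Z WS-EXEC-01 cfo POST onedrive.live.com 120000000
2026-06-08T10:04:37Z WS-EXEC-01 cfo POST onedrive.live.com 110000000
2026-06-08T10:09:12Z WS-EXEC-01 cfo POST onedrive.live.com 70000000
2026-06-08T10:10:02Z WS-EXEC-01 cfo GET onedrive.live.com 2000000
2026-06-08T10:15:45Z WS-ENG-14 jdoe POST dropbox.com 30000000
2026-06-08T11:02:19Z WS-HR-03 hrlead PUT drive.google.com 90000000
2026-06-08T11:30:00Z WS-EXEC-01 cfo POST intranet.corp.example 500000000
"""

# Constructed per-host baseline: typical daily upload bytes to cloud storage.
# In practice this is a rolling median computed from weeks of the same proxy telemetry.
BASELINE_BYTES = {"WS-EXEC-01": 8_000_000, "WS-ENG-14": 25_000_000, "WS-HR-03": 5_000_000}


def is_cloud_storage(host: str) -> bool:
    """True when the destination host is one of the cloud storage domains or a subdomain."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in CLOUD_STORAGE_SUFFIXES)


def upload_bytes_by_host(log_text: str) -> dict:
    """Sum bytes sent in upload requests to cloud storage, per source host."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, _user, method, dst, sent = line.split()
        if method in UPLOAD_METHODS and is_cloud_storage(dst):
            totals[src] += int(sent)
    return dict(totals)


def flag_anomalies(totals: dict, baseline: dict, multiplier: float = 5.0,
                   floor_bytes: int = 50_000_000) -> list:
    """Flag hosts above floor_bytes whose upload volume is >= multiplier x their baseline.

    The absolute floor stops low-baseline hosts from alerting on trivially small uploads.
    """
    findings = []
    for host, total in totals.items():
        ratio = total / max(baseline.get(host, 0), 1)
        if total < floor_bytes or ratio < multiplier:
            continue
        findings.append({
            "host": host, "bytes": total, "ratio": round(ratio, 1),
            "priority": "high" if host in EXECUTIVE_HOSTS else "medium",
        })
    findings.sort(key=lambda f: (f["priority"] != "high", -f["bytes"]))
    return findings


if __name__ == "__main__":
    for f in flag_anomalies(upload_bytes_by_host(PROXY_LOG), BASELINE_BYTES):
        print(f'{f["priority"]:6} {f["host"]}: {f["bytes"]:,} bytes uploaded, {f["ratio"]}x baseline')
```

Counting only POST/PUT bytes keeps ordinary browsing of the same services (the GET line) out of the total, and the 500 MB upload to an internal host is ignored because it is not a cloud storage destination, which is how the hunt stays focused on the exfiltration path the report describes.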
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Apply patches for CVE-2026-41089 (Windows Netlogon), CVE-2026-20230 (Cisco), and CVE-2026-28318 (SolarWinds) immediately.
- Review and revoke any unauthorized Windows Defender exclusions on endpoints.
Infrastructure Hardening
- Consider implementing rate limiting and account lockout policies for 2FA verification endpoints to prevent brute-forcing.
- Evaluate network segmentation to restrict domain controller exposure to necessary internal subnets only.
User Protection
- Consider enforcing hardware-based MFA (FIDO2) to mitigate 2FA brute-force and phishing risks.
- Monitor executive mailboxes for unauthorized forwarding rules or unusual access patterns.
Security Awareness
- Educate users on the risks of downloading software from unofficial sources to prevent infection by loaders like SessionGate.
- Train employees to recognize AI-generated phishing and impersonation attempts.
MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application
- T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain
- T1110.001 - Brute Force: Password Guessing
- T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
- T1562.001 - Impair Defenses: Disable or Modify Tools