Cyber Threat Brief — May 31 2026
⚠️ This report is AI-generated. Always validate findings.
1. FortiClient EMS → EKZ Infostealer via Management Plane — CVE-2026-35616
TL;DR: Threat actors exploited CVE-2026-35616 (pre-auth API bypass) to push a novel credential stealer disguised as a Fortinet patch to every EMS-managed endpoint. Arctic Wolf disclosed the EKZ infostealer campaign May 27.
What’s New:
- Attackers modified Remote Access Profile `on_connect` scripts to execute PowerShell on VPN tunnel establishment
- EKZ Infostealer (MinGW, 4MB) extracts Chrome/Edge/Firefox credentials, cookies, autofill, and credit card data
- Payload staged as `FortiEndpoint_Patch.exe` in `C:\ProgramData`, exfil via HTTP POST to 83[.]138[.]53[.]110
- Tor exit nodes used for initial EMS access; additional MSI and DLL payloads recovered from C2 server
- Process chain: `fortitray.exe` → `cmd.exe` (GUID-named `.cmd` in `\logs\Trace\scripts\`) → `powershell.exe` → `FortiEndpoint_Patch.exe`
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| 83[.]138[.]53[.]110 | C2/exfil IP | T1041 | Firewall/proxy | Block |
| hxxp://83[.]138[.]53[.]110/dl/p.exe | Payload URL | T1105 | Proxy | Block |
| hxxp://83[.]138[.]53[.]110/service/save.php | Exfil endpoint | T1041 | Proxy | Block |
| 185[.]220[.]101[.]15 | Tor exit (initial access) | T1090 | Firewall | Alert |
| 192[.]42[.]116[.]14 | Tor exit (initial access) | T1090 | Firewall | Alert |
| 0da123adf9251957a4b850a3f6bd6a753dd4892be176a84a18450e899534cc5e | SHA-256 (EKZ p.exe) | T1555.003 | EDR | Block |
| 338662fd0c4d750a0ba203a32b59f081 | MD5 (EKZ p.exe) | T1555.003 | EDR | Block |
| FortiEndpoint_Patch.exe in C:\ProgramData | Staging path | T1036.005 | Sysmon EID 11 | Hunt |
| C:\ProgramData\log.txt | Credential dump | T1555.003 | Sysmon EID 11 | Hunt |
| fortitray.exe → cmd.exe → powershell.exe | Process chain | T1059.001 | EDR/Sysmon EID 1 | Hunt |
| Certificate not found in request header | EMS log indicator | T1190 | FortiClient EMS logs | Hunt |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None specific | Need FortiClient EMS exploitation + EKZ process chain rules |
| Elastic | None specific | Need fortitray.exe → shell child process rule |
| Sigma | None specific | Need FortiClient EMS log anomaly + PowerShell download-execute from Fortinet paths |
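The Detection table above lists no existing rule for the fortitray.exe → shell chain or the staging artifacts. What follows is an added example, not code from Arctic Wolf or any source cited in this brief: a minimal Python hunt over Sysmon EID 1 (process creation) and EID 11 (file create) events that flags a shell child of fortitray.exe, a GUID-named .cmd under \logs\Trace\scripts\, the EKZ hashes and the C:\ProgramData staging files, and reconstructs the full ancestry from FortiEndpoint_Patch.exe back to fortitray.exe by following ProcessGuid/ParentProcessGuid links. The sample events are constructed; the FortiClient install directory, the GUID and the PowerShell arguments in them are assumptions, not observed values.

```python
import re

# IOCs transcribed from the Actionable Intel table above (defanging removed).
EKZ_SHA256 = "0da123adf9251957a4b850a3f6bd6a753dd4892be176a84a18450e899534cc5e"
EKZ_MD5 = "338662fd0c4d750a0ba203a32b59f081"
STAGING_FILES = {r"c:\programdata\fortiendpoint_patch.exe", r"c:\programdata\log.txt"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# GUID-named .cmd under \logs\Trace\scripts\ (braces optional; the parent directory is not asserted).
GUID_CMD = re.compile(
    r"\\logs\\trace\\scripts\\\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?\.cmd",
    re.I,
)


def _base(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def _hashes(field):
    """Parse Sysmon's 'SHA256=...,MD5=...' Hashes field into {ALGO: lowercase hex}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def ancestry(by_guid, guid):
    """Follow ParentProcessGuid links upward; return image names root-first."""
    chain, seen = [], set()
    while guid in by_guid and guid not in seen:
        seen.add(guid)
        chain.append(_base(by_guid[guid]["Image"]))
        guid = by_guid[guid].get("ParentProcessGuid")
    return chain[::-1]


def hunt(events):
    """Return (technique, description) findings over Sysmon EID 1 / EID 11 event dicts."""
    by_guid = {e["ProcessGuid"]: e for e in events if e.get("EventID") == 1}
    findings = []
    for e in events:
        eid = e.get("EventID")
        if eid == 1:
            parent, image = _base(e.get("ParentImage", "")), _base(e["Image"])
            if parent == "fortitray.exe" and image in SHELLS:
                tech = "T1059.003" if image == "cmd.exe" else "T1059.001"
                findings.append((tech, "fortitray.exe spawned " + image))
            if GUID_CMD.search(e.get("CommandLine", "")):
                findings.append(("T1059.003", "GUID-named .cmd run from \\logs\\Trace\\scripts\\"))
            h = _hashes(e.get("Hashes", ""))
            if h.get("SHA256") == EKZ_SHA256 or h.get("MD5") == EKZ_MD5:
                findings.append(("T1555.003", "EKZ hash match: " + e["Image"]))
            if image == "fortiendpoint_patch.exe":
                chain = ancestry(by_guid, e["ProcessGuid"])
                if chain and chain[0] == "fortitray.exe":
                    findings.append(("T1036.005", "full chain: " + " -> ".join(chain)))
        elif eid == 11 and e.get("TargetFilename", "").lower() in STAGING_FILES:
            findings.append(("T1036.005", "staging artifact written: " + e["TargetFilename"]))
    return findings


# Constructed sample telemetry (not real logs). Install path, GUID and PowerShell flags are assumed.
_FC = r"C:\Program Files\Fortinet\FortiClient"
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{p1}", "ParentProcessGuid": "{p0}", "Image": _FC + r"\FortiTray.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "FortiTray.exe", "Hashes": "SHA256=1111"},
    {"EventID": 1, "ProcessGuid": "{p2}", "ParentProcessGuid": "{p1}", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": _FC + r"\FortiTray.exe", "Hashes": "SHA256=2222",
     "CommandLine": 'cmd.exe /c "' + _FC + r'\logs\Trace\scripts\{0b1f2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d}.cmd"'},
    {"EventID": 1, "ProcessGuid": "{p3}", "ParentProcessGuid": "{p2}", "Image": _PS,
     "ParentImage": r"C:\Windows\System32\cmd.exe", "Hashes": "SHA256=3333",
     "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden"},
    {"EventID": 11, "Image": _PS, "TargetFilename": r"C:\ProgramData\FortiEndpoint_Patch.exe"},
    {"EventID": 1, "ProcessGuid": "{p4}", "ParentProcessGuid": "{p3}",
     "Image": r"C:\ProgramData\FortiEndpoint_Patch.exe", "ParentImage": _PS,
     "CommandLine": "FortiEndpoint_Patch.exe", "Hashes": "SHA256=" + EKZ_SHA256 + ",MD5=" + EKZ_MD5},
    {"EventID": 11, "Image": r"C:\ProgramData\FortiEndpoint_Patch.exe", "TargetFilename": r"C:\ProgramData\log.txt"},
    # Benign control: an interactive cmd.exe under explorer.exe must not fire.
    {"EventID": 1, "ProcessGuid": "{p5}", "ParentProcessGuid": "{p0}", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe", "Hashes": "SHA256=5555"},
]

if __name__ == "__main__":
    for technique, detail in hunt(SAMPLE_EVENTS):
        print(technique, detail)
```

The ancestry walk is the part worth porting to a SIEM rule: matching only `ParentImage` endswith `fortitray.exe` catches the first hop, but a legitimate Fortinet `on_connect` script can also spawn a shell, so alerting on the full chain down to an unsigned binary in `C:\ProgramData` (or on the hash rows above) gives a higher-fidelity signal than the child-process rule alone.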
Sources: Arctic Wolf Labs, BleepingComputer, The Hacker News, GitHub IOCs
2. CIFSwitch Linux Kernel LPE — CVE Pending
TL;DR: 19-year-old logic flaw between Linux kernel CIFS client and cifs-utils enables local root via cifs.spnego key injection and malicious NSS library loading. PoC public since May 28; no CVE assigned yet.
What’s New:
- Attacker forges `cifs.spnego` key descriptions in a user namespace, tricking `request-key` into running `cifs.upcall` in an attacker-controlled mount namespace
- Rogue `nsswitch.conf` + malicious `libnss_*.so.2` loaded during the privileged NSS lookup → arbitrary code as root
- PoC writes to `/etc/sudoers.d` for persistent root; researcher used AI-assisted semantic graph analysis to chain the flaws
- Affects kernels since 2007; requires: unprivileged user namespaces enabled, cifs-utils installed, default `cifs.spnego` request-key rule
- Not exploitable if `user.max_user_namespaces=0` (EL family) or `kernel.unprivileged_userns_clone=0` (Debian/Ubuntu)
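The three preconditions and two mitigating sysctls above translate directly into a host check. The script below is an added example, not from the cited writeups or any vendor advisory: it reads the two sysctls from /proc/sys, looks for cifs.upcall, and parses the request-key configuration for an active `create cifs.spnego` rule, then applies the brief's conditions. The cifs.upcall locations and the request-key file layout (/etc/request-key.conf plus /etc/request-key.d/*.conf, one whitespace-separated rule per line starting with the operation and key type) are assumptions about a default cifs-utils install; verify them against your distribution. The configuration strings used in the checks are constructed.

```python
import os
import shutil
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed default locations for a cifs-utils install (verify on your distro).
CIFS_UPCALL_PATHS = ("/usr/sbin/cifs.upcall", "/sbin/cifs.upcall")
REQUEST_KEY_CONF = "/etc/request-key.conf"
REQUEST_KEY_DIR = "/etc/request-key.d"


@dataclass
class HostFacts:
    max_user_namespaces: Optional[int]        # user.max_user_namespaces; None if the sysctl is absent
    unprivileged_userns_clone: Optional[int]  # kernel.unprivileged_userns_clone (Debian/Ubuntu); None if absent
    cifs_upcall_present: bool                 # cifs-utils installed
    spnego_rule_present: bool                 # an active "create cifs.spnego ..." request-key rule exists


def has_spnego_create_rule(conf_text: str) -> bool:
    """True if conf_text holds an uncommented request-key 'create' rule for the cifs.spnego key type.
    Assumed rule layout: OP TYPE DESCRIPTION CALLOUT_INFO PROGRAM [ARGS...], whitespace-separated."""
    for line in conf_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "create" and fields[1] == "cifs.spnego":
            return True
    return False


def assess(facts: HostFacts) -> Tuple[bool, str]:
    """Apply the preconditions from the brief; return (exposed, reason)."""
    if facts.max_user_namespaces == 0:
        return False, "not exposed: user.max_user_namespaces=0 (unprivileged userns disabled)"
    if facts.unprivileged_userns_clone == 0:
        return False, "not exposed: kernel.unprivileged_userns_clone=0"
    if not facts.cifs_upcall_present:
        return False, "not exposed: cifs.upcall (cifs-utils) not installed"
    if not facts.spnego_rule_present:
        return False, "not exposed: no active cifs.spnego request-key rule"
    return True, "EXPOSED: unprivileged userns + cifs.upcall + default cifs.spnego rule"


def _read_sysctl(path: str) -> Optional[int]:
    """Read an integer sysctl via /proc/sys; None if the key does not exist on this kernel."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


def _request_key_text() -> str:
    """Concatenate /etc/request-key.conf and every file in /etc/request-key.d (missing files skipped)."""
    files = [REQUEST_KEY_CONF]
    if os.path.isdir(REQUEST_KEY_DIR):
        files += [os.path.join(REQUEST_KEY_DIR, f) for f in sorted(os.listdir(REQUEST_KEY_DIR))]
    chunks = []
    for f in files:
        try:
            with open(f) as fh:
                chunks.append(fh.read())
        except OSError:
            pass
    return "\n".join(chunks)


def collect() -> HostFacts:
    """Gather the facts from the live host (Linux only)."""
    return HostFacts(
        max_user_namespaces=_read_sysctl("/proc/sys/user/max_user_namespaces"),
        unprivileged_userns_clone=_read_sysctl("/proc/sys/kernel/unprivileged_userns_clone"),
        cifs_upcall_present=bool(shutil.which("cifs.upcall")) or any(os.path.exists(p) for p in CIFS_UPCALL_PATHS),
        spnego_rule_present=has_spnego_create_rule(_request_key_text()),
    )


if __name__ == "__main__":
    exposed, reason = assess(collect())
    print(reason)
    raise SystemExit(1 if exposed else 0)
```

Run it as root or as any user (the files it reads are world-readable); a non-zero exit means all preconditions hold. Note that it reports the quickest mitigation that applies, so a host with user namespaces disabled is reported as not exposed even if cifs-utils is installed, which matches the brief's "not exploitable if" conditions.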
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| cifs.upcall spawned from user namespace | Process | T1068 | auditd/Sysmon for Linux | Hunt |
| request-key executing cifs.upcall | Process chain | T1068 | auditd | Hunt |
| Write to /etc/sudoers.d/ by non-root | File creation | T1548.003 | auditd FIM | Alert |
| unshare + mount namespace creation | Syscall | T1068 | auditd (AUDIT_UNSHARE) | Hunt |
| Malicious libnss_*.so.2 in mount namespace | Shared library | T1574.006 | auditd/LD_PRELOAD monitoring | Hunt |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | Linux Sudoers File Modification (partial) | No rule for cifs.upcall abuse or namespace-based NSS injection |
| Elastic | Linux User Namespace Creation (partial) | No correlation between namespace creation and cifs.spnego key requests |
| Sigma | proc_creation_lnx_susp_unshare.yml (partial) | Need rule chaining unshare + cifs.upcall + sudoers write |
Sources: Asim Manizada writeup, CyberSecurityNews, CloudLinux advisory, SecurityOnline
Status Updates
- CVE-2026-0257 (PAN-OS GlobalProtect): Exploitation ongoing via forged auth override cookies. CISA KEV deadline June 19. Rapid7 PoC public.
- CVE-2026-39987 (Marimo): Sysdig confirmed first autonomous LLM-agent post-exploitation — RCE → credential extraction → AWS Secrets Manager → SSH lateral → full PostgreSQL exfil in <2 min.
- CVE-2026-41091/CVE-2026-45498 (Defender RedSun/UnDefend): CISA KEV federal deadline June 3 (3 days). ITW chained exploitation confirmed by Huntress. Patches available (Engine 1.1.26040.8, Platform 4.18.26040.7).
- CVE-2026-42945 (NGINX Rift): 18-year-old heap overflow, chains with Copy Fail/Dirty Frag for internet-to-root. 5.7M exposed instances. Patch to 1.30.1/1.31.0.