
Cyber Threat Intelligence Report


This week, we briefed our clients on new social engineering attacks targeting law firms. The Silent Ransomware Group has been showing up in person.


KEY TAKEAWAYS

  • New Silent Ransomware Group (SRG) campaign targeting legal firms with advanced social engineering attacks (including physical access) for data theft and extortion.

  • Critical and high-severity vulnerabilities in Microsoft, Palo Alto, Linux, Cisco, Trend Micro, and Drupal, plus updates to CISA KEV, patch now!




 

Silent Ransomware Gets Physical

On May 26, the FBI released an FBI Flash CTI report regarding new social engineering methods being leveraged by the Silent Ransomware Group (SRG). In this current campaign, SRG (also known as Luna Moth, Chatty Spider, and UNC3753) has been specifically targeting law firms with these new social engineering techniques. Previous targets have included the insurance, finance, and healthcare industries. Using phone calls and phishing emails, SRG poses as IT support in an effort to establish access to victim computers, with the goal of exfiltrating sensitive data that can be used for extortion. This access is typically achieved via legitimate remote access tools. However, if this method fails, the group has been observed sending an individual in person to gain physical access to the victim's computers.

 

Threat Details

SRG has been active since at least 2022, and their focus has always been data theft and extortion. Unlike other double-extortion ransomware groups that also rely on file encryption, SRG focuses entirely on data theft.

As of Spring 2026, SRG poses as the victim's IT department, either by directly calling the victim or by sending a phishing email. The threat actor then convinces the victim to grant them remote access via a legitimate remote access tool, such as Zoho Assist, Quick Assist, AnyDesk, RustDesk, Syncro, Splashtop, or Atera. If this remote social engineering attempt fails, SRG sends a threat actor to the victim's physical location, also posing as an IT worker, claiming that the victim needs to let them image the device or create a backup file to address potential impacts from the phishing email. The threat actor then plugs a USB device or external hard drive into the victim's computer in order to exfiltrate data.

When SRG is able to access the victim's machine remotely, they often use either WinSCP or a renamed version of rclone to exfiltrate data to common filesharing sites such as Google Drive or Microsoft OneDrive.

Figure 1: MITRE ATT&CK Mapping | Source: FBI Flash Advisory

 

Indicators of Attack

The following indicators of attack are highlighted in the FBI advisory. It should also be noted that many of these indicators apply to other double-extortion ransomware groups:

  • New, unauthorized downloads of remote access tools, including Zoho Assist, Quick Assist, AnyDesk, RustDesk, Syncro, Splashtop, or Atera.
  • Unauthorized installation of external hard drives or USB drives on company computers.
  • Exfiltration of large amounts of data to external file share sites such as OneDrive, Google Drive, or others.
  • WinSCP or rclone traffic to external IP addresses.
  • Unidentified or unauthorized individuals attempting to access computers and claiming to be IT support.
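The indicators above translate fairly directly into hunting logic. The script below is an added example written for this report; it is not FBI, PacketWatch or vendor code. It runs four rules over constructed endpoint telemetry: unauthorized remote access tool launches, a renamed rclone binary (betrayed either by the PE OriginalFileName field or by rclone's `<subcommand> <source> <remote>:<path>` command-line shape), WinSCP/rclone connections to external addresses, and USB storage whose serial is not on an allow-list. The event schema (the keys `proc`, `cmd`, `original_file_name`, `dst_ip`, `device_bus`, `device_serial`) is an assumption loosely modelled on Sysmon fields; the sample events, serials and IP addresses are all made up.

```python
"""Hunt for the advisory's indicators of attack in endpoint telemetry.

Added example for this report; not FBI, PacketWatch or vendor code. The
event schema is an assumption loosely modelled on Sysmon fields. Map it
onto whatever your EDR actually exports.
"""
import ipaddress
import re

# Remote access tools named in the advisory, matched inside lower-cased image names.
RMM_MARKERS = ("zohoassist", "quickassist", "anydesk", "rustdesk", "syncro", "splashtop", "atera")
# Exfiltration tools named in the advisory.
EXFIL_TOOLS = ("winscp.exe", "rclone.exe")
# rclone's "<subcommand> <source> <remote>:<path>" command-line shape; a renamed
# binary keeps this syntax even when its file name changes.
RCLONE_CMD = re.compile(r"\b(?:copy|sync|move)\b\s+\S+\s+[A-Za-z0-9_-]+:", re.IGNORECASE)
# Address space treated as internal; anything else counts as an external destination.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "::1/128")]


def image_name(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def hunt(events, approved_usb_serials):
    """Return (rule, detail) alerts for the events, in order of occurrence."""
    alerts = []
    suspect_images = set()  # image names already identified as renamed exfil tools
    for ev in events:
        kind = ev.get("type")
        if kind == "process":
            name = image_name(ev["proc"])
            orig = ev.get("original_file_name", "").lower()
            cmd = ev.get("cmd", "")
            if any(m in name or m in orig for m in RMM_MARKERS):
                alerts.append(("rmm-install", f"{name} started by {ev.get('user', '?')}"))
            # Renamed tool: PE metadata names the real binary, or the command line
            # has rclone's shape while the image is called something else.
            if (orig in EXFIL_TOOLS and orig != name) or (
                    RCLONE_CMD.search(cmd) and name != "rclone.exe"):
                suspect_images.add(name)
                alerts.append(("renamed-exfil-tool", f"{name} behaves like {orig or 'rclone.exe'}"))
        elif kind == "network":
            name = image_name(ev["proc"])
            if (name in EXFIL_TOOLS or name in suspect_images) and is_external(ev["dst_ip"]):
                alerts.append(("exfil-tool-egress", f"{name} -> {ev['dst_ip']}:{ev.get('dst_port', '?')}"))
        elif kind == "device":
            bus = ev.get("device_bus", "").upper()
            if bus.startswith("USB") and ev.get("device_serial") not in approved_usb_serials:
                alerts.append(("unapproved-usb", f"serial {ev.get('device_serial')}"))
    return alerts


# Constructed sample telemetry from one workstation; every value here is made up.
APPROVED_USB_SERIALS = {"CORP-ENCRYPTED-0001"}
SAMPLE_EVENTS = [
    {"type": "process", "proc": r"C:\Users\jdoe\Downloads\AnyDesk.exe", "cmd": "AnyDesk.exe --install",
     "original_file_name": "AnyDesk.exe", "user": "jdoe"},
    {"type": "process", "proc": r"C:\ProgramData\winupdate.exe",
     "cmd": r"winupdate.exe copy C:\Clients gdrive:backup --transfers 16",
     "original_file_name": "rclone.exe", "user": "jdoe"},
    {"type": "network", "proc": r"C:\Program Files\WinSCP\WinSCP.exe", "dst_ip": "203.0.113.50", "dst_port": 22},
    {"type": "network", "proc": r"C:\Program Files\WinSCP\WinSCP.exe", "dst_ip": "10.20.30.40", "dst_port": 22},
    {"type": "network", "proc": r"C:\ProgramData\winupdate.exe", "dst_ip": "203.0.113.77", "dst_port": 443},
    {"type": "device", "device_bus": "USBSTOR", "device_serial": "0000-UNKNOWN-42"},
    {"type": "device", "device_bus": "USBSTOR", "device_serial": "CORP-ENCRYPTED-0001"},
    {"type": "process", "proc": r"C:\Program Files\Microsoft Office\OUTLOOK.EXE", "cmd": "OUTLOOK.EXE",
     "original_file_name": "OUTLOOK.EXE", "user": "jdoe"},
]


def run_sample():
    return hunt(SAMPLE_EVENTS, APPROVED_USB_SERIALS)


if __name__ == "__main__":
    for rule, detail in run_sample():
        print(f"[{rule}] {detail}")
```

Run against the sample, the internal WinSCP session and the approved drive stay quiet, while the renamed rclone is caught at launch and its later outbound connection is flagged because the process rule recorded the image name. The rules are intentionally simple: the renamed-tool check depends on process events arriving before network events, and the external-address test uses a fixed list of internal ranges rather than a site-specific one, so both are starting points to tune, not finished detections.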

 

How to Protect Your Organization

This campaign highlights the importance of the synergy between physical and cyber security. Technical controls to prevent cybersecurity attacks mean nothing if the threat actor can simply walk in and steal the data physically. The FBI recommends the following to combat these threats:

  • Verify the credentials of all individuals accessing company spaces, including obtaining copies of each visitor's ID card.
  • Limit access to sensitive data from less secure networks, such as home or public internet.
  • Develop and communicate policies regarding when and how IT support will communicate and authenticate themselves to employees.
  • Conduct staff training on identifying, resisting, and reporting phishing attempts.
  • Maintain regular backups of company data (and regularly test those backups).
  • Require phishing-resistant multi-factor authentication (MFA) for as many services as possible.
  • If possible, disable remote access and external drive installation permissions on company computers, especially those with access to sensitive or confidential data. Most modern EDR tools have the ability to allow-list only pre-approved USB or external devices.

Additionally, it is recommended that organizations:

  • Deploy fully up-to-date EDR tools on all possible endpoints.
  • Implement network monitoring tools such as PacketWatch to monitor for unauthorized RMM tool usage, data exfiltration tool usage, or anomalous network traffic.


Vulnerability Roundup

 

Microsoft Releases Fix for SharePoint RCE

Last week, Microsoft issued a patch for a remote code execution vulnerability in SharePoint. The vulnerability, tracked as CVE-2026-45659, allows any authenticated attacker to execute code over a network. The attacker simply needs to be authenticated with "Site Member" permissions. This vulnerability affects SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. Administrators are urged to apply the patch as soon as possible.

 

Palo Alto GlobalProtect VPN Authentication Bypass Under Active Exploitation

Earlier this month, Palo Alto disclosed details for CVE-2026-0257, an authentication bypass vulnerability in the GlobalProtect portal and gateway of the PAN-OS software. Successful exploitation allows a remote attacker to bypass security restrictions and establish an unauthorized VPN connection. Per the advisory, Panorama and Cloud NGFW are not impacted. The flaw affects "firewalls with GlobalProtect portal or gateway configured when authentication override cookies are enabled and a specific certificate configuration exists." Details of how to check for this configuration setting can be found here. The affected PAN-OS versions and their associated fixed versions are below:

[Table: affected PAN-OS versions and their fixed versions; the original is an image and is not reproduced here.]

As this vulnerability is actively being exploited in the wild, administrators are urged to patch as soon as possible.

 

New CIFSwitch Linux LPE

A new local privilege escalation vulnerability was discovered in the Linux kernel that can ultimately give an attacker root privileges. Dubbed "CIFSwitch", the flaw resides in the kernel's CIFS (Common Internet File System) client, the implementation of the network file sharing protocol that Linux uses to mount, read, and write files, folders, and devices on remote systems. The flaw affects most major distributions; a full list can be found here. If the kernel patch cannot be applied, mitigations include blocking the CIFS module from loading or uninstalling cifs-utils if it is not used, deleting or overriding the default cifs.spnego request-key rule (details found here), or disabling unprivileged user namespaces. Full details on how the vulnerability works can be found here. As proof-of-concept exploit code is in the wild, administrators are urged to apply kernel patches or workarounds as soon as possible.

 

Maximum-severity Flaw in Cisco Workload REST API

Cisco recently disclosed a maximum-severity vulnerability in the REST APIs of their Secure Workload platform. This vulnerability is being tracked as CVE-2026-20223. Per the advisory, the vulnerability could allow an unauthenticated, remote attacker to access site resources with the privileges of Site Admin. It should be noted that, per the advisory, the vulnerability affects only internal REST APIs and does not affect the web-based management interface. The flaw affects Cisco Secure Workload Cluster Software on SaaS and on-prem deployments, regardless of configuration. The table below shows the affected versions and their corresponding fixed release:

[Table: affected Cisco Secure Workload versions and their fixed releases; the original is an image and is not reproduced here.]

As there are no workarounds available, administrators are urged to patch as soon as possible.



Trend Micro Apex One Zero-day

Trend Micro recently disclosed details of a zero-day vulnerability that affects on-premises Apex One deployments. The vulnerability, tracked as CVE-2026-34926, is "a directory traversal vulnerability in the Apex One (on-premises) server that allows a pre-authenticated local attacker to modify a key table on the server to inject malicious code to deploy to agents on affected installations." The advisory emphasizes that the attacker must already have access to the Apex One server and must already have obtained administrative credentials to the server via some other method in order to exploit this vulnerability. However, since this vulnerability has been confirmed to be exploited in the wild, administrators are urged to patch as soon as possible. Patching version details can be found in the advisory here.

 

Critical Drupal SQL Injection Vulnerability Exploited in the Wild

A critical SQL injection vulnerability in the Drupal content management system (CMS) has been flagged as actively exploited in the wild. Tracked as CVE-2026-9082, the flaw can be exploited without authentication, allowing remote attackers to perform SQL injection against PostgreSQL-powered sites. Successful exploitation can lead to information disclosure, privilege escalation, or remote code execution. The vulnerability affects the following Drupal core versions:

    • 8.9.0 -> 10.4.10
    • 10.5.0 -> 10.5.10
    • 10.6.0 -> 10.6.9
    • 11.0.0 -> 11.1.10
    • 11.2.0 -> 11.2.12
    • 11.3.0 -> 11.3.10

As this vulnerability is actively exploited in the wild, administrators are urged to patch as soon as possible.
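Checking an inventory against version ranges like these is where triage scripts commonly go wrong: compared as strings, "10.4.9" sorts above "10.4.10" and an affected site is silently cleared. The script below is an added example written for this report, not Drupal security team code. It copies only the six ranges listed above; the version parsing, the triage logic that ranks PostgreSQL-backed sites first (since the advisory ties exploitation to that backend), and the sample inventory of hosts, versions and database backends are constructed here.

```python
"""Check Drupal core versions against the affected ranges listed for CVE-2026-9082.

Added example for this report, not Drupal security team code. AFFECTED_RANGES
copies the ranges in the summary above; everything else is constructed here.
"""

# (lowest affected, highest affected) per range; both ends inclusive, as listed.
AFFECTED_RANGES = [
    ("8.9.0", "10.4.10"),
    ("10.5.0", "10.5.10"),
    ("10.6.0", "10.6.9"),
    ("11.0.0", "11.1.10"),
    ("11.2.0", "11.2.12"),
    ("11.3.0", "11.3.10"),
]


def parse_version(version):
    """'10.4.10' -> (10, 4, 10). Compare as int tuples, never as strings: as
    strings '10.4.9' sorts above '10.4.10' and would be missed. A pre-release
    suffix such as '-dev' or '-rc1' is dropped, so a pre-release is treated as
    its base release (conservative: flagged whenever the base release is)."""
    base = version.split("-", 1)[0]
    parts = [int(p) for p in base.split(".")]
    parts += [0] * (3 - len(parts))  # '11.3' -> (11, 3, 0)
    return tuple(parts[:3])


def is_affected(version):
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def triage(inventory):
    """inventory: iterable of (host, drupal_version, db_backend) -> {host: status}.
    The advisory ties exploitation to PostgreSQL-powered sites, so those rank
    first; an affected version on another backend still needs the update."""
    statuses = {}
    for host, version, backend in inventory:
        if not is_affected(version):
            statuses[host] = "not in listed ranges"
        elif backend.lower() in ("pgsql", "postgres", "postgresql"):
            statuses[host] = "affected, PostgreSQL backend: patch now"
        else:
            statuses[host] = "affected version, non-PostgreSQL backend: patch"
    return statuses


# Constructed inventory; hosts, versions and backends are made up for illustration.
SAMPLE_INVENTORY = [
    ("www-1", "10.4.10", "pgsql"),     # upper bound of a range, still affected
    ("www-2", "10.4.9", "pgsql"),      # a string comparison would wrongly clear this one
    ("www-3", "11.2.12", "mysql"),     # affected version, different backend
    ("www-4", "11.3.11", "pgsql"),     # above the last listed range
    ("www-5", "10.5.0-dev", "pgsql"),  # pre-release treated as 10.5.0
    ("www-6", "7.99.0", "pgsql"),      # outside every listed range
]


def run_sample():
    return triage(SAMPLE_INVENTORY)


if __name__ == "__main__":
    for host, status in run_sample().items():
        print(f"{host}: {status}")
```

A host reported as "not in listed ranges" is only outside the ranges this advisory names; it says nothing about other outstanding Drupal updates, so feed the same inventory through each new advisory rather than treating one clean pass as a clean bill of health.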

 

Yet Another Linux LPE

On May 22, researchers at Qualys disclosed a local privilege escalation vulnerability in Linux. Tracked as CVE-2026-46333, the flaw allows an unprivileged local user to "disclose sensitive files and execute arbitrary commands as root on default installations of several major distributions." These include Ubuntu, Debian, and SUSE. It is also worth noting that this vulnerability has been present since November 2016. As proof-of-concept exploit code is already in the wild, administrators are urged to apply kernel updates as soon as possible.

 

CISA KEV Additions

The following vulnerabilities were added to CISA's Known Exploited Vulnerabilities Catalog in the last 2 weeks:

  • CVE-2026-0257 - Palo Alto Networks PAN-OS Authentication Bypass Vulnerability
  • CVE-2026-8398 - Daemon Tools Lite Embedded Malicious Code Vulnerability
  • CVE-2026-45321 - TanStack Unspecified Vulnerability
  • CVE-2026-48027 - Nx Console Embedded Malicious Code Vulnerability
  • CVE-2026-48172 - LiteSpeed cPanel Plugin Privilege Escalation Vulnerability
  • CVE-2026-9082 - Drupal Core SQL Injection Vulnerability
  • CVE-2026-34926 - Trend Micro Apex One (On-Premise) Directory Traversal Vulnerability
  • CVE-2025-34291 - Langflow Origin Validation Error Vulnerability
  • CVE-2026-45498 - Microsoft Defender Denial of Service Vulnerability
  • CVE-2026-41091 - Microsoft Defender Link Following Vulnerability
  • CVE-2010-0806 - Microsoft Internet Explorer Use-After-Free Vulnerability
  • CVE-2010-0249 - Microsoft Internet Explorer Use-After-Free Vulnerability
  • CVE-2009-3459 - Adobe Acrobat and Reader Heap-Based Buffer Overflow Vulnerability
  • CVE-2009-1537 - Microsoft DirectX NULL Byte Overwrite Vulnerability
  • CVE-2008-4250 - Microsoft Windows Buffer Overflow Vulnerability

NOTE
We have enhanced our report with data from SOCRadar. You may need to register to view their threat intelligence content.
