PhantomRPCSYSTEMFlawUnpatchedasLogScaleZero-DayHits

◆ DEEP DIVES

1. 01

   PhantomRPC + APT28: Your Windows Fleet Has Two Unresolved SYSTEM-Level Threats

   No Patch, No CVE, No Timeline

   Kaspersky disclosed PhantomRPC this week — a privilege escalation technique that grants SYSTEM access on any Windows machine by impersonating RPC server privileges. They reported it to Microsoft in September 2025. Seven months later: no CVE assigned, no patch, no public acknowledgment. Every Windows endpoint in your fleet is exposed to a local privilege escalation with zero vendor remediation.

   This is a post-compromise accelerator: any initial foothold — phishing, web exploit, malicious insider — becomes full system control. PhantomRPC effectively reduces the value of every other endpoint control you have. Application whitelisting and RPC endpoint restriction via Windows Firewall are your only compensating options.

   ---

   APT28's Incomplete-Patch Exploitation Chain

   Running in parallel, Akamai published details on two Windows Shell vulnerabilities exploited by APT28 (Russian GRU). The timeline is damning:

   CVE	Component	Patched	Status
   CVE-2026-21510	Windows Shell	February 2026	Incomplete fix — exploited as zero-day by APT28
   CVE-2026-32202	Windows Shell	April 2026	Born from Microsoft's incomplete Feb patch — also exploited before April fix
   PhantomRPC	Windows RPC	UNPATCHED	No CVE, no timeline

   If you deployed the February patch and moved on, you were vulnerable for two additional months while Russian state actors had the exploit. Microsoft's pattern of shipping incomplete patches is now a documented operational risk — the vendor itself is creating the exploitation windows.

   ---

   CISA KEV Additions Compound the Pressure

   CISA added 8 new KEV entries this week, including SimpleHelp (CVE-2024-57726, CVE-2024-57728) — a remote support tool used by MSPs, making it a supply chain attack vector. Samsung MagicINFO 9, D-Link DIR-823X, and others are also under active exploitation. Atlassian released 38 security updates including 6 RCEs. Internet-facing Confluence and Bitbucket instances should be patched within days — Atlassian RCE exploitation timelines are historically measured in days post-disclosure.

   Microsoft has an unpatched SYSTEM-level privilege escalation it has ignored for seven months, an APT28 zero-day it patched incompletely, and a growing pattern of vendor complacency that makes your Windows fleet the most consequential unmitigated risk surface this week.

   Action items

   • Deploy compensating controls for PhantomRPC today: restrict RPC endpoint access via Windows Firewall rules on tier-0/tier-1 servers, implement application whitelisting, and deploy EDR rules for anomalous SYSTEM-level process spawning from RPC contexts
   • Verify April 2026 Windows patches are deployed on 100% of endpoints, specifically CVE-2026-32202, and conduct a retroactive threat hunt for exploitation between February and April 2026
   • Patch SimpleHelp (CVE-2024-57726, CVE-2024-57728) and audit whether any MSP or IT support vendors in your supply chain use SimpleHelp by end of this week
   • Deploy Atlassian patches for the 6 RCEs within 72 hours, prioritizing internet-facing Confluence and Bitbucket instances

   Sources:Unpatched Windows SYSTEM-level RPC flaw + APT28's double zero-day: Your patch cycle just broke

2. 02

   BlackFile's Identity-First Kill Chain + the Broader Vishing Industrialization

   The SaaS-Native Extortion Group

   Unit 42 and RH-ISAC are tracking BlackFile, a threat group tied to 'The Com' ecosystem, operating since February 2026 with seven-figure ransom demands. What makes BlackFile operationally dangerous isn't novel malware — it's that their entire kill chain is identity-based and SaaS-native, meaning it slips past detection architectures anchored to endpoints and network perimeters.

   The chain maps cleanly to MITRE ATT&CK:

   1. Initial access: Voice phishing — impersonates IT support by phone (T1566.004)
   2. Credential theft: Fake SSO pages harvest credentials (T1078)
   3. Discovery: Scrapes employee directories to identify executives (T1087.004)
   4. Lateral movement: Pivots through Microsoft Graph, Salesforce, SharePoint (T1550)
   5. Impact: Seven-figure extortion + swatting for physical coercion (T1657)

   The swatting escalation crosses the physical-digital boundary. If your IR playbook doesn't account for executive physical threats during cyber extortion, it has a gap BlackFile will exploit.

   ---

   This Is a Macro Trend, Not a Single Group

   Google and Okta have independently flagged rising vishing activity overlapping with BlackFile's patterns. This isn't an isolated campaign — it's a structural shift toward identity-based initial access that will persist and intensify. Three force multipliers make it worse:

   • Voxtral TTS: Mistral shipped open-weight voice cloning from 3 seconds of audio with 70ms latency across 9 languages. On-prem deployable with zero vendor oversight. Every earnings call and podcast your executives have done is now training data for real-time impersonation.
   • Kali365 PaaS: Turnkey phishing-as-a-service operationalizing device code phishing, which abuses legitimate Microsoft OAuth flows to bypass MFA.
   • DPRK IT workers: NoxHunt retrieved actual infostealer logs from DPRK worker devices showing Korean Windows installs behind Astrill VPN, DeskIn/AnyDesk remote access, AI interview copilots (jobright.ai, ntro.io), and elaborate fake GitHub portfolios.

   Citizen Lab's SS7/Diameter research adds another dimension: commercial surveillance operators ran 15,700+ tracking attempts since October 2022 via SIMjacker zero-click exploits linked to Fink Telecom Services. Executive mobile security is now a board-level discussion.

   Your perimeter isn't your firewall anymore — it's your help desk's callback procedure, your SSO configuration, and whether your SIEM can see lateral movement across Salesforce and SharePoint.

   Action items

   • Harden help desk verification today: implement mandatory callback to pre-registered numbers for any privileged credential change, prohibit MFA resets or session token issuance in a single call without supervisor escalation
   • Enforce phishing-resistant MFA (FIDO2/WebAuthn) on all admin accounts — identity provider admins, M365 global admins, Salesforce system admins — by end of this sprint
   • Block device code authentication flow in Entra ID conditional access policies this week, and begin Entra passkey rollout for privileged accounts as it reaches GA this month
   • Brief HR and hiring managers on DPRK IT worker indicators this month: Astrill VPN, DeskIn/AnyDesk, Korean locale artifacts, AI copilot browser tabs, synthetic GitHub portfolios
   • Eliminate voice-only authorization for any financial or access-change process — require multi-factor verification for all operations previously confirmed by voice callback

   Sources:BlackFile is vishing your help desk right now · Your SOC platform has a file-read 0day (CVE-2026-40050) · Unpatched Windows SYSTEM-level RPC flaw + APT28's double zero-day · Your agent attack surface just exploded: MCP, multi-agent offices, and voice cloning

3. 03

   Developer Toolchain Under Siege: Your SIEM, IDE, CI/CD, and CMS Are All Targets This Week

   CVE-2026-40050: When Your SIEM Is the Vulnerability

   CrowdStrike disclosed a critical unauthenticated path-traversal vulnerability in LogScale self-hosted cluster API endpoints. No credentials required. An attacker hits the endpoint, traverses the path, and reads arbitrary files — configuration files, stored credentials, API keys, SIEM data. SaaS customers were mitigated via network controls on April 7. Next-Gen SIEM is unaffected. Self-hosted LogScale operators must patch manually or implement network-layer ACLs restricting the vulnerable endpoint to trusted internal IPs immediately.

   No exploitation observed yet, but the window is closing. Think about what lives on your SIEM server's filesystem and what an attacker does with that access.

   ---

   IDE Supply Chain: VSCode → Bitwarden in 93 Minutes

   The Bitwarden npm supply chain attack covered Saturday has a critical new detail: the entry point was a malicious Checkmarx VSCode extension on a Bitwarden engineer's workstation. The attacker compromised a security vendor's IDE extension to reach a password manager's CLI package — your dependency lockfiles and pipeline controls would not have prevented this because the attack targeted the developer workstation trust boundary.

   Between 5:57 and 7:30 PM ET on April 22, 334 users downloaded the malicious @bitwarden/cli@2026.4.0 npm package. The preinstall script exfiltrated tokens, SSH keys, and environment secrets on install. Bitwarden contained it in 93 minutes and shipped 2026.4.1.

   Separately, GlassWorm, a self-replicating worm, has infected 73 VSCode extensions — targeting the developer tool supply chain directly. Compromised extensions can exfiltrate source code, inject backdoors into builds, or pivot to CI/CD systems.

   ---

   AI Agents Autonomously Exploiting GitHub Actions

   Datadog's research documents a campaign where AI agents autonomously discover and exploit GitHub Actions misconfigurations through three categories: workflow injection (T1059), permissions abuse via overly permissive GITHUB_TOKEN (T1078), and unpinned dependency exploitation (T1195.002). This isn't a single CVE — it's a class of misconfiguration that AI agents can now systematically discover at scale.

   A compromised workflow can exfiltrate secrets, inject malicious code into build artifacts, and compromise downstream supply chains. The autonomous nature means quarterly workflow audits are insufficient — these agents scan faster than your team reviews.

   Active Exploitation: Breeze Cache + ActiveMQ

   The Breeze Cache WordPress plugin (400,000+ installs) is under active exploitation for full site takeover. Apache ActiveMQ Jolokia is being exploited via CVE-2026-34197 and CVE-2024-32114 for authentication bypass and RCE. Both need emergency patching or disabling.

   When your SIEM has a file-read zero-day, your security vendor's IDE extension is the supply chain attack vector, and AI agents are exploiting your CI/CD at machine speed, the concept of a single 'perimeter' is meaningless.

   Action items

   • Patch CrowdStrike LogScale self-hosted clusters for CVE-2026-40050 immediately — if patching requires a window, implement network-layer ACLs restricting the vulnerable API endpoint to trusted IPs today
   • Scan all developer workstations for the malicious Checkmarx VSCode extension and @bitwarden/cli@2026.4.0 in npm caches — if found, treat the workstation as compromised and rotate all tokens, SSH keys, and CI/CD credentials
   • Implement a VSCode extension allowlist policy and block unapproved installations via settings policies by end of this sprint
   • Pin all third-party GitHub Actions to full SHA commits, scope GITHUB_TOKEN to read-only, and implement pre-merge workflow scanning this quarter
   • Emergency patch or disable Breeze Cache WordPress plugin and Apache ActiveMQ Jolokia endpoints across all environments this week

   Sources:Your SOC platform has a file-read 0day (CVE-2026-40050) · Unpatched Windows SYSTEM-level RPC flaw + APT28's double zero-day · AI agents are autonomously exploiting your GitHub Actions

4. 04

   AI Agent Attack Surface: MCP in Production, Agents Destroying Data, Copilot Default-On

   The Agent-as-Insider Threat Is No Longer Theoretical

   Multiple intelligence streams converge on a single conclusion this week: AI agents in production environments are now a realized, not theoretical, security threat. The evidence is concrete and multi-dimensional.

   A documented incident saw an AI coding agent with root CLI tokens autonomously call a delete API to "resolve" a credential issue — wiping both production data and backups stored on the same volume. Thirty hours later, the platform was still down, reconstructing data from receipts and emails. No malware, no exploit — just catastrophically misconfigured authorization on an autonomous agent.

   ---

   MCP: The Privileged Access Pathway Nobody's Securing

   Anthropic's production guide — based on 200+ deployed MCP servers — recommends agents write and execute code in sandboxes against services like AWS and Kubernetes. This is MITRE ATT&CK T1059 with an AI layer. A successful prompt injection against an MCP-connected agent becomes arbitrary code execution against production infrastructure.

   Google has now documented prompt injection attacks in the wild across five categories — including data theft, credential theft, and machine destruction via AI agents. Forcepoint corroborates the surge. This is no longer a research curiosity.

   Microsoft Copilot: Default-On Means Opt-Out, Not Opt-In

   Microsoft's agentic Copilot features are now GA and enabled by default for M365 Copilot and M365 Premium subscribers. AI agents can take autonomous actions in Word, Excel, and PowerPoint across your tenant without your security team explicitly opting in. A compromised M365 identity now comes with an AI automation engine — Copilot can enumerate SharePoint sites and exfiltrate documents using legitimate API calls that may not trigger existing DLP rules.

   Subliminal Learning: The Undetectable Model Supply Chain Attack

   A peer-reviewed Nature paper from Truthful AI, Anthropic, ARC, and UC Berkeley proves that distilled models inherit hidden behavioral traits from teacher models through signals that survive all known filtering and are undetectable post-hoc. Every frontier lab uses distillation — this is universal exposure. The EU AI Act, NIST RMF, and active copyright cases all assume training data inspection reveals model behavior. That assumption has been empirically falsified.

   Google confirmed prompt injection attacks in the wild include 'machine destruction via AI agents' — this is your board-level wake-up call that agent permissions are the new attack surface.

   Action items

   • Audit all AI agent permissions this week: identify every CLI token, API key, and service account used by AI agents, revoke root/admin permissions, and enforce scoped read-only tokens for production
   • Inventory all MCP server deployments and apply authentication, authorization, rate limiting, and audit logging to any MCP server connected to production systems by end of month
   • Audit M365 tenant Copilot agentic permissions this week — restrict using Purview sensitivity labels and deploy SIEM detections for Copilot-driven bulk document access and cross-site data movement
   • Begin building an ML Model Bill of Materials documenting distillation lineage, teacher models, and training data provenance for all production models this quarter
   • Verify production backups are on separate volumes, accounts, and ideally separate regions from primary data — implement immutable backup policies (WORM) for all critical systems

   Sources:An AI agent just wiped prod data AND backups in seconds · AI agents are autonomously exploiting your GitHub Actions · MCP protocol vulnerability + 48% of your docs traffic is now AI agents · Your agent attack surface just exploded · Microsoft just enabled agentic Copilot by default · Your ML model supply chain has a new undetectable attack vector