IvantiEPMMThirdZero-DayExposesJanuaryPatchGap

◆ DEEP DIVES

1. 01

   Claude Chrome Extension Takeover: The Attack Your SOC Cannot See

   The Exploit Class Nobody Is Detecting

   LayerX has shown that Anthropic's Claude Chrome extension remains exploitable after the May 6 patch via cross-extension prompt injection. No elevated permissions required. Any co-installed extension on the same browser profile can hijack Claude's agent and exfiltrate from Google Drive, GitHub, and email, riding the user's own authorized sessions.

   A SOC watching endpoint, identity, and network telemetry will not see this. The exfiltration rides the user's own authorized sessions. There is no malware. There is no anomalous login. There is an AI agent doing what it was told, by the wrong party.

   This is a genuinely new detection blind spot. The traditional indicators do not fire: no malicious binary, no credential anomaly, no lateral movement. The agent calls legitimate APIs with legitimate tokens belonging to the legitimate user. The only signal is behavioral. The agent performs reads or actions the user did not request.

   ---

   Converging Agent Attack Surfaces This Week

   The Claude extension is not a one-off. Three other events this week establish that AI agent identity is now a first-class attack surface without first-class defenses:

   • AWS MCP Server went GA, granting AI agents authenticated access to 15,000+ AWS API operations through existing developer IAM credentials, with sandboxed Python execution. A prompt injection sitting in a documentation page or a poisoned GitHub issue can invoke arbitrary AWS APIs under the developer's identity.
   • Braintrust (AI observability) was breached. The API key database was likely accessed. Named customers include Cloudflare, Vercel, and Stripe. Keys held there fan out into the infrastructure stack.
   • Google Cloud shipped first-class agent identity primitives, alongside AWS. Non-human agent identities are now a recognized principal class.

   The Detection Architecture Gap

   Surface	Auth Model	SOC Visibility	Primary Risk
   Claude Chrome extension	User's OAuth sessions	None — looks like normal browsing	Cross-extension prompt injection → Drive/GitHub/email exfil
   AWS MCP Server	Developer IAM credentials	CloudTrail (but agent indistinguishable from human)	Prompt injection → arbitrary API calls
   Braintrust breach blast radius	Stored API keys	Depends on key-owner's logging	Cascading access to Cloudflare/Vercel/Stripe

   ---

   Why This Is Different From Friday's Agent Coverage

   Friday's briefing framed AI agents as a destruction risk, via the PocketOS database deletion. Today's threat is stealth exfiltration through legitimate channels. The attacker never trips an alert because the operation sits inside the trust boundary of a sanctioned tool. The blast radius is not availability. It is confidentiality, and it stays invisible until forensic reconstruction.

   Action items

   • Inventory Claude Chrome extension deployments via managed browser policy and disable or restrict to vetted allowlist until Anthropic ships a full fix
   • Rotate all API keys issued to or stored by Braintrust; review AWS CloudTrail for anomalous access from Braintrust IP ranges over last 30 days
   • Scope IAM permissions for any developer role connected to AWS MCP Server to short-lived sessions with explicit deny on destructive operations
   • Stand up agent-behavior telemetry: log all MCP tool invocations and Claude extension API calls with session attribution, separate from human activity

   Sources:CyberScoop · Risky.Biz · TLDR DevOps · TLDR IT · TLDR AI · Daily Dose of DS

2. 02

   Ivanti EPMM CVE-2026-6973: The January Compromise You Didn't Finish Cleaning

   Why This Zero-Day Is Different

   CVE-2026-6973. Ivanti EPMM. Active exploitation confirmed, listed on CISA KEV with a May 10 remediation deadline. The relevant detail is the prerequisite: authenticated admin access. That is not a mitigation. That is the fingerprint of operators who already got in through January's EPMM zero-days and are using this one to keep the access.

   Treating these as independent vulnerabilities is how organizations end up getting hit a fourth time.

   Multiple sources agree on the pattern. Ivanti's own advisory states that customers who rotated credentials after earlier EPMM bugs are at lower risk. Read plainly: the credentials being chained now were staged during prior incidents. This is Ivanti's 34th CISA-flagged defect since 2021.

   ---

   The MDM Pivot Threat Model

   MDM admin compromise is not a standard RCE. In the 2024 Stryker incident the attackers used the victim's own MDM to wipe every managed device. An EPMM admin foothold is a fleet-wide destructive-action primitive. The blast radius is every phone, tablet, and laptop enrolled.

   Android ADB Adds a Second Mobility Vector

   Running in parallel: CVE-2026-0073, a logic flaw in Android ADB authentication affecting every device on Android 11 or later. A mismatched key type — RSA versus Ed25519 — returns an error and still opens a remote shell. Exploitation requires reachable ADB. On a managed fleet, that number should be zero. Discovery is credited to BARGHEST, a non-profit researching mobile surveillance against human rights defenders.

   Dimension	Ivanti EPMM	Android ADB
   CVE	CVE-2026-6973	CVE-2026-0073
   Auth required	Admin (chained from January)	Bypass via key mismatch
   Patch	Available: 12.6.1.1 / 12.7.0.1 / 12.8.0.1	May 2026 Android update
   Exploitation	Active, chaining prior compromises	No confirmed wild exploitation yet
   Fleet impact	Full MDM control of all managed devices	Shell user on any ADB-exposed device

   ---

   The Vendor-Risk Pattern

   Four sources independently reach the same conclusion. Continued reliance on Ivanti EPMM is a conscious risk-acceptance decision. The pattern across 34 KEV entries does not vary: exploitation precedes disclosure, credential material is staged early, and organizations that patch without rotating credentials find the intruder still resident. A vendor-risk review that does not model this pattern is underweighting the evidence.

   Action items

   • Patch Ivanti EPMM to 12.6.1.1 / 12.7.0.1 / 12.8.0.1 and rotate ALL admin credentials — including API tokens and service accounts
   • Hunt EPMM admin session logs for unauthorized account creation, policy pushes, or mass device actions since January 2026
   • Push May 2026 Android security update across MDM fleet and disable ADB via device policy where not strictly required
   • Schedule formal Ivanti vendor-risk review: evaluate MDM/UEM alternatives or implement architectural segmentation to contain blast radius

   Sources:SANS NewsBites · Risky.Biz · CyberScoop · Matt Johansen

3. 03

   MuddyWater's Teams Campaign and the $0.03/Minute Voice-AI Arms Race

   Iran's Help-Desk Social Engineering Has Gone Live

   The actor is MuddyWater, Iran-nexus. The vector is posing as IT support on Microsoft Teams. Operators get the victim to screen-share, harvest credentials in real time, coach the target through MFA prompts, and drop DWAgent for persistence. They then skip encryption entirely and move to pure exfiltration. The whole chain hides under a Chaos RaaS false flag to look like commodity ransomware.

   The campaign is built to evade ransomware-centric detection stacks. The chain omits mass file writes, shadow-copy deletion, and encryption behaviors, which is the entire detection surface most stacks are tuned for. The signal lives at the identity layer: RMM installation on non-IT endpoints, Teams federation with external tenants, and credential reset flows initiated inside a screen-share session.

   Any ransomware-centric detection stack looking for mass file writes, shadow-copy deletion, or encryption behaviors is blind to this chain.

   ---

   The Economics Just Broke the Defender's Advantage

   Voice and video impersonation are now priced like a phone call. The pricing moves that landed this week make that literal:

   Capability	Product	Cost	Implication
   Real-time voice + 70 languages	GPT-Realtime-2 + Translate	$0.034/min	Native-quality vishing in any language, with reasoning
   Lip-sync video + ambient audio	Seedance 2.0 (ByteDance)	$0.24/sec	Executive video impersonation at scale
   Live voice translation	GPT-Realtime-Whisper	$0.017/min	Cross-border social engineering without accent tells

   Genspark's production deployment on GPT-Realtime-2 reports a 26% effective conversation rate on automated outbound calls. Roughly four calls per credential. At $0.034 per minute, a ten-minute pretext call costs $0.34. A stolen credential now costs under $1.50.

   The ByteDance Wrinkle

   Seedance 2.0's face and copyright filter is app-layer only, scoped to CapCut. The same model ships through BytePlus, Volcengine, Dreamina, and Higgsfield.ai without those filters. The invisible watermark is ByteDance-proprietary and cannot be independently verified. C2PA provenance is not mentioned.

   ---

   Converging Signals

   The Iran-nexus Teams campaign and commodity voice-AI pricing land in the same operational window. The consequence is narrow and specific: voice, accent, fluency, and security-question checks no longer discriminate attacker from executive. Help desks still relying on caller recognition, security questions, or callbacks to a caller-provided number are running obsolete controls against a state actor and a commodity market at the same time.

   Action items

   • Implement out-of-band verification for all help-desk credential and MFA resets: callback to HR-sourced directory number only, never the number on the call or in email
   • Disable Teams external-tenant screen-share by default; alert on DWAgent, AnyDesk, and non-IT RMM tool installations on endpoints
   • Commission a red-team vishing exercise using a commercial real-time voice stack within 30 days — measure helpdesk pass-through rate
   • Add CapCut, BytePlus, Volcengine, Dreamina, and Higgsfield.ai to CASB/DLP high-risk classification; alert on corporate video uploads

   Sources:Matt Johansen · Risky.Biz · AINews · Simplifying AI · The Batch @ DeepLearning.AI · Techpresso