// #detection
5 articles
CVE-2026-23111 Detection and Hardening Guide: Protecting Linux Environments from the nf_tables Exploit
With public proof-of-concept code available for CVE-2026-23111, security teams running Linux across production, containerised, and cloud environments need specific detection and hardening guidance. This guide covers kernel patch availability by distribution, interim mitigations, eBPF-based detection, and Kubernetes-specific containment measures.
CVE-2026-46243: Identifying Affected Systems and Detecting Exploitation Attempts
With a public proof-of-concept available and patched kernels in distribution repositories, security teams need a systematic approach to identify which Linux systems in their environment are exposed to CVE-2026-46243 and whether any exploitation activity has occurred. This guide covers detection queries, affected system identification, and temporary mitigation steps for environments that cannot patch immediately.
CVE-2026-46333 Detection and Mitigation: Security Assessment Guide for Linux Environments
CVE-2026-46333, the Linux kernel ptrace race condition with four known exploit chains, requires both patching and verification that compromise has not already occurred. This guide covers the detection queries, audit configuration, and post-patch verification steps security teams need to assess exposure and confirm remediation.
BeigeBurrow: New Go-Based Covert C2 Agent Deployed via Active Directory RCE CVE-2026-33826
A previously undocumented post-exploitation tool named BeigeBurrow has been observed in at least two enterprise intrusions following exploitation of the Windows Active Directory RCE CVE-2026-33826. The Go-based agent uses HashiCorp's Yamux library to multiplex covert relay channels over port 443, blending into encrypted enterprise traffic. CVE-2026-33826 was patched in April Patch Tuesday; organisations that have not yet applied the patch should treat it as urgent.
Seized Gentlemen Ransomware C2 Server Exposes 1,570 Victims — GPO Deployment Reveals Full Domain Compromise
Check Point Research's analysis of a seized SystemBC command-and-control server linked to The Gentlemen ransomware operation exposed 1,570+ victim IP addresses and documented the group's use of Group Policy Objects to deploy ransomware domain-wide. GPO-based distribution is a forensic marker that attackers achieved Domain Admin access days before encryption — defenders should treat it as an indicator of extended dwell time, not a starting point.
Commentary tagged #detection
Why China-Nexus Actors Are Targeting Network Appliances — and Why Your EDR Won't Tell You
The BRICKSTORM BSD variant developed by VerdantBamboo is not a technical curiosity. It is evidence of a deliberate strategic investment by China-nexus threat actors in precisely the attack surface that most enterprise security programmes cannot see. Appliance-targeting is not the path of least resistance — it is the path of least detection.
CipherWatch Editorial
Security Intelligence Platform
Defenders Can't Block Google. That's Why Attackers Are Routing Through It.
AccountDumpling abuses Google AppSheet to deliver phishing. EtherRAT uses Cloudflare and Ethereum nodes for C2. DEEP#DOOR tunnels over Cloudflare. The pattern is consistent: sophisticated attackers have discovered that the fastest route past enterprise security controls is through infrastructure defenders cannot block. The defence posture that assumes blocking bad infrastructure will stop bad traffic is being systematically rendered obsolete.
CipherWatch Editorial
Security Intelligence Platform
When Ransomware Deploys via Group Policy, You Were Already Owned
The Gentlemen ransomware group's use of Group Policy Objects to distribute encryption payloads domain-wide is not just a clever tactic — it's a forensic signal. GPO deployment requires Domain Admin access. The ransomware event you detected was not the attack. It was the end of an attack that was already over.
CipherWatch Editorial
Security Intelligence Platform