CISO Daily Briefing – June 8, 2026

Cloud Security Alliance Intelligence Report

Report Date: June 8, 2026
Intelligence Window: 48 Hours
Topics Identified: 5 Priority Items
Papers Published: 3 Overnight

Executive Summary

Today’s cycle brings two critical-urgency threat actor campaigns requiring immediate attention: VerdantBamboo (Chinese APT) has deployed a new BSD variant of the BRICKSTORM backdoor against Linux storage appliances — infrastructure invisible to most Windows-trained EDR tools — while UNC3753 (Silent Ransom Group) combined vishing, screen-sharing, and physical intrusion to extract a confirmed $20M ransom from Weil Gotshal and dozens of U.S. law firms. Separately, Anthropic’s Project Glasswing status report reveals 1,596 unpatched vulnerabilities disclosed to partners with almost no remediation — exposing a systemic accountability gap that Schneier flags as a structural breakdown in AI-era vulnerability disclosure. Two additional high-priority items cover NIST’s expanded AI safety standards mandate and AI scraping SDKs that silently convert consumer devices into enterprise-facing proxy infrastructure.

Overnight Research Output

1. VerdantBamboo Deploys BRICKSTORM BSD Variant and New Malware Against Linux Storage

CRITICAL

Summary: A Chinese APT cluster tracked as VerdantBamboo — overlapping with Microsoft’s Clay Typhoon, Google’s UNC5221, and CrowdStrike’s Warp Panda — exploited a local privilege escalation flaw in Egnyte Storage Sync (patched March 2026 in v13.13) to deploy a previously undocumented BSD variant of the BRICKSTORM backdoor alongside two new implants: PLENET (aka GRIMBOLT) and AGENTPSD. Volexity discovered the intrusion during a September 2025 incident response engagement and published full technical details on June 8. The Linux-targeting focus represents a deliberate shift by this APT cluster toward enterprise storage infrastructure that lacks the EDR coverage protecting Windows endpoints.

CISO Action: Verify Egnyte Storage Sync is at v13.13 or later. Audit Linux appliance EDR coverage gaps. Review network egress from storage infrastructure for BRICKSTORM C2 indicators published by Volexity.

Why This Matters: Existing CSA notes cover Chinese APT IIS webshell espionage and general LLM-assisted post-exploitation. None address Linux storage appliance compromise as an espionage vector or the BRICKSTORM/PLENET/AGENTPSD malware family cluster — representing a genuine blind spot in enterprise EDR strategy.

2. UNC3753 / Silent Ransom Group: Vishing, Screen-Sharing, and Physical Intrusion Against Law Firms

CRITICAL

Summary: Google Mandiant’s June 8 report on UNC3753 (also known as Chatty Spider, Luna Moth, and Silent Ransom Group) documents a January through May 2026 campaign targeting dozens of U.S. professional, legal, and financial services organizations. The attack chain requires no malware: a pretextual invoice email triggers an inbound vishing call posing as IT support, which escalates to a screen-sharing session and RMM tool installation. Data exfiltration typically occurs within hours of initial access. Weil Gotshal, with a confirmed $20M ransom payment, is the campaign’s highest-profile victim. Some engagements escalated to physical intrusion at office locations, marking a significant capability escalation that no existing CSA research note addresses.

CISO Action: Issue immediate advisory to finance and legal staff on IT support vishing pretexts. Restrict RMM tool installation to managed endpoints only. Review physical access controls and visitor screening protocols at high-value offices.

Why This Matters: Existing notes cover AI-assisted ransomware and EDR evasion — but the vishing-to-physical-intrusion attack chain, and specifically this group’s targeting of high-value professional services firms with sensitive client data, represents an unaddressed coverage gap directly relevant to the enterprise segment CSA serves.

3. Project Glasswing Patching Deficit: AI Finds 1,596 Vulnerabilities; Almost None Are Fixed

HIGH

Summary: Anthropic’s Project Glasswing status report, published June 8, reveals that its Mythos AI has disclosed over 1,596 vulnerabilities to partner software vendors. Bruce Schneier’s June 8 analysis observes that “almost none of them has been patched.” The result is a growing inventory of known-but-unpatched vulnerabilities held by a single AI lab that “refuses to release details” — with no public disclosure timeline and no clear accountability mechanism. This is structurally different from the AI vulnerability discovery economics note (FFmpeg/zero-day cost analysis) and the disclosure policy reform note: this concerns the specific failure mode where an AI partner program generates enterprise-grade vulnerability debt that never reaches remediation.

CISO Action: Determine whether your organization’s software vendors participate in Glasswing’s partner program. Escalate vendor patching velocity tracking. Model exposure risk from AI-discovered-but-unpublished vulnerabilities in your threat landscape assessments.

Why This Matters: The accountability vacuum when an AI lab controls the vulnerability disclosure pipeline — with no transparency, no public timeline, and partner vendors that aren’t patching — represents a novel systemic risk. CISOs cannot patch what they don’t know about; they cannot pressure vendors on vulnerabilities they cannot verify exist.

4. NIST Expands AI Safety Consortium Scope Beyond TEVV — Enterprise Compliance Implications

MEDIUM

Summary: On May 29, 2026, NIST announced it is expanding the AI Safety Consortium beyond its original Testing, Evaluation, Validation, and Verification (TEVV) mandate and calling for new member organizations. The expanded scope signals NIST is positioning itself as the primary U.S. body for end-to-end AI security standards — likely extending into agentic AI red-teaming, AI supply chain integrity, and incident response frameworks for AI systems. For enterprises that aligned compliance programs to the June 3 TEVV framework, the compliance question has shifted: not “are we aligned with TEVV today?” but “what broader NIST AI security requirements are coming in the next 12 to 18 months?” Organizations with leverage as AI or cloud providers now have direct influence over standards that will become de facto compliance requirements.

CISO Action: Evaluate membership in the expanded consortium for standard-setting influence. Extend AI governance roadmaps to anticipate agentic AI and supply chain integrity standards beyond current TEVV scope.

Why This Matters: The existing June 3 CSA note on NIST AI Consortium TEVV focused on current evaluation framework alignment. This expansion materially changes the compliance landscape by broadening NIST’s AI security mandate — CISOs building AI governance programs need an updated horizon beyond what the earlier note addressed.

5. AI Scraping SDKs Turn Consumer Devices Into Enterprise Attack Vectors

HIGH

Summary: A June 6 investigation by Include Security and independent researcher Buchodi documented how Bright Data embeds SDKs in free consumer applications — including always-on smart TVs — to create exit nodes for commercial AI web scraping. The company markets access to 150M+ residential IP addresses to the AI industry. The structural enterprise risk: WAF rules, geo-fencing, rate limiting, and behavioral anomaly detection all rest on the assumption that residential IP addresses represent legitimate human end users. AI data pipeline operators have quietly invalidated that assumption at scale. This is not a single-vendor issue — the residential proxy market is a multi-billion-dollar industry powering significant portions of AI training data collection, with no clear regulatory liability framework for consumer device operators, SDK distributors, or AI data pipeline customers.

CISO Action: Reassess WAF and rate-limiting rules that rely on residential IP assumptions. Evaluate whether your AI data procurement chain includes vendors that source training data via residential proxy networks. Flag this risk in your AI supply chain risk management program.

Why This Matters: This is a novel systemic risk category — AI industry data pipeline infrastructure as an adversary-exploitable proxy network — that maps to MAESTRO Layer 4 (data supply chain) and AICM risk domains CSA has not yet addressed. The defense mechanisms enterprises rely on to detect anomalous access are structurally invalidated by this market.

Notable News & Signals

Miasma Worm Expands to 73 Microsoft GitHub Repositories

The ongoing Miasma supply chain campaign has spread to 73 Microsoft-hosted GitHub repositories as of June 8 — a significant scope expansion from earlier reporting. The attack mechanism and threat actor are already addressed in existing CSA notes on the Miasma npm supply chain campaign and IronWorm eBPF rootkit.

Meta AI Support Bot Instagram Hijacking: Scope Confirmed at 20,225 Accounts

BleepingComputer’s June 8 update confirms the Meta AI support bot identity bypass campaign affected 20,225 Instagram accounts — validating the attack mechanism documented in the existing June 3 CSA research note on AI support bot identity bypass. No new attack surface identified; scale confirmation only.

PAN-OS GlobalProtect CVE-2026-0257 Authentication Bypass — Active Exploitation Confirmed

CISA has confirmed active exploitation of the PAN-OS GlobalProtect authentication bypass vulnerability CVE-2026-0257. This is a conventional network vulnerability without AI-specific dimensions; patching should follow standard vulnerability management processes. Not prioritized for a separate CSA research note under this initiative.

SolarWinds Serv-U CVE-2026-28318 Added to CISA KEV — DoS Only, Patch Available

CISA added SolarWinds Serv-U CVE-2026-28318 to the Known Exploited Vulnerabilities catalog. Impact is limited to denial-of-service; a straightforward patch is available. Lower priority than today’s five selected topics — follow standard patching SLAs.

Topics Already Covered (No New Action Required)

  • Miasma npm Supply Chain / IronWorm eBPF Rootkit: Miasma’s GitHub expansion is a scope update; attack mechanics covered by CSA notes from June 3 and June 7.
  • Cisco SD-WAN CVE-2026-20245 Active Exploitation: Fully covered by CSA research note from June 5.
  • AI Agent Finding 21 FFmpeg Zero-Days / Chrome 429 Patches: Covered by the autonomous AI vulnerability discovery economics research note from June 7.
  • Meta AI Support Bot Instagram Account Hijacking (20,225 accounts): Attack mechanism documented in the June 3 CSA note; today’s BleepingComputer story confirms scope only.
  • OpenAI ChatGPT Lockdown Mode Rollout: Feature development context partially addressed in the AI agent lethal trifecta capability/security tradeoff note from June 6.
  • PAN-OS GlobalProtect CVE-2026-0257: Conventional network vulnerability without AI-specific dimensions — patching per standard vulnerability management is the appropriate response.
  • SolarWinds Serv-U CVE-2026-28318: DoS-only impact with straightforward patch availability — lower priority than today’s selected topics.