Executive Summary
Today's pattern is the failure of trusted business paths: SaaS identity, shared application secrets and employee software sourcing.
The three incidents selected from today's Daily Breach Intelligence report are not isolated news items. Charter shows how vishing against a Microsoft Entra account can lead to Salesforce data export and extortion pressure. KnowledgeDeliver shows how hard-coded ASP.NET machine keys can convert a learning platform into unauthenticated remote code execution, web shell deployment, and workstation compromise. Microsoft's cryptojacking research shows how poisoned search and AI-assisted discovery paths can result in DLL sideloading, ScreenConnect abuse, process hollowing, Defender exclusions, and GPU mining.
CISO takeaway: Treat trusted paths as breach surfaces. The 72-hour priority is to validate SaaS export controls, rotate shared application secrets, hunt for IIS and RMM abuse, and move employee software installation toward managed catalogs with telemetry-backed exceptions.
Prepared for: CISOs, Deputy CISOs, Security Architecture, Detection Engineering, Cloud Security, AppSec, Identity, IT Operations, Third-Party Risk.
Report Lens: Board-aware breach intelligence with technical control guidance.
Top Incidents Featured
| Priority | Incident | Enterprise Risk Signal | Immediate Control Focus |
|---|---|---|---|
| 1 | KnowledgeDeliver ViewState RCE | Shared ASP.NET machine keys enable unauthenticated RCE across internet-facing LMS deployments. | Machine-key rotation, IIS webroot review, Event ID 1316 hunting, web shell containment. |
| 2 | Charter ShinyHunters Salesforce extortion | Vishing and SSO compromise can turn SaaS export rights into customer-data extortion leverage. | Entra phishing resistance, Salesforce export telemetry, BPO/help-desk identity controls. |
| 3 | ScreenConnect cryptojacking via poisoned search | Software-search trust is abused to install RMM, hollow Microsoft-signed .NET utilities, and mine on endpoints. | Managed software catalog, unexpected RMM detection, DLL sideloading and Defender exclusion alerts. |
Why these three matter together
The operating pattern is trusted-path compromise. Attackers are not only exploiting perimeter weaknesses; they are abusing normal identity flows, vendor deployment defaults, user search behavior, legitimate RMM tools, and Microsoft-signed binaries. The control question for CISOs is whether the organization can prove what trusted path was used, revoke or rotate the trust quickly, and detect follow-on behavior before the incident becomes a public breach or operational disruption.
KnowledgeDeliver ViewState RCE
What Happened
Mandiant reported exploitation of CVE-2026-5426 in KnowledgeDeliver, a learning management system used commonly in Japan. Deployments before 24 February 2026 used a standardized web.config with identical ASP.NET machineKey values. Once an attacker had the keys, they could craft malicious ViewState payloads and reach unauthenticated remote code execution on exposed instances.
Observed post-exploitation activity included BLUEBEAM/Godzilla web shell deployment inside w3wp.exe, file permission changes with icacls, JavaScript tampering, fake security plugin prompts, and Cobalt Strike delivery to users visiting the compromised LMS.
Why This Matters
This is a board-relevant application governance failure, not only an LMS bug. Shared deployment secrets create systemic exposure: one recovered key can compromise many independent environments. Training portals, partner-learning systems, and customer education platforms often sit outside the highest-priority application inventory, yet they process identities, documents, session data, and sometimes trusted internal content.
How the Attack Can Unfold
- Attacker identifies an internet-facing KnowledgeDeliver instance deployed with the shared machine key.
- A malicious ViewState payload is submitted through the
__VIEWSTATEparameter. - The server accepts the payload because the attacker can sign or encrypt it with the known machine key.
- The IIS worker process executes attacker-controlled code and loads an in-memory web shell.
- The attacker tampers with web content, stages fake installers, and moves from server compromise to endpoint compromise.
- Do we run KnowledgeDeliver or another ASP.NET LMS with shared vendor-supplied secrets?
- Can application owners prove unique machine keys per deployment?
- Are IIS logs, Windows event logs, and webroot integrity records retained long enough for incident scoping?
- Can we isolate an LMS host without disrupting required training or partner workflows?
MITRE ATT&CK Mapping
| Stage | Technique | Relevance |
|---|---|---|
| Initial Access | T1190 Exploit Public-Facing Application | ViewState deserialization reaches exposed LMS servers. |
| Execution | T1059 Command and Scripting Interpreter | Observed child processes include cmd.exe, whoami, and PowerShell from IIS context. |
| Persistence | T1505.003 Web Shell | BLUEBEAM/Godzilla provides command execution through web traffic. |
| Defense Evasion | T1222 File and Directory Permissions Modification | File-system permissions were changed to support control of web content. |
Detection and Hunting Guidance
- Search Windows Application logs for Event ID 1316 from ASP.NET with ViewState verification failures or invalid ViewState messages.
- Hunt for
w3wp.exespawningcmd.exe, PowerShell,whoami, archive tools, or network utilities. - Compare webroot files against known-good baselines, especially
.js,.aspx, and.configfiles. - Review web requests with anomalous concatenated User-Agent strings and unusual POST bodies to application pages.
Controls to Prioritize
- Generate unique, cryptographically strong machine keys for each ASP.NET deployment and rotate any shared vendor defaults.
- Restrict LMS administrative and user access to known networks where business use permits.
- Add webroot file integrity monitoring for externally exposed IIS applications.
- Treat public-facing training and partner portals as tiered assets with named owners, patch SLAs, and tested isolation procedures.
Charter ShinyHunters Salesforce Extortion
What Happened
Charter Communications confirmed a data breach after ShinyHunters listed the company for extortion. Charter stated that no sensitive personal information or customer proprietary network information was exfiltrated. The threat actor claimed a broader impact: a 1 April vishing attack against a Microsoft Entra account, followed by export of consumer and business customer records from a Salesforce instance and access to support-ticket data.
The useful security signal is not the disagreement between company and actor statements alone. It is the repeatability of the path: social engineering against identity, access into SaaS, bulk export, and extortion with customer data narratives.
Why This Matters
Salesforce, Microsoft 365, Google Workspace, Zendesk, Slack, Atlassian, SAP, and similar platforms are now breach data planes. They are business-critical systems with broad data visibility, delegated access, APIs, and export features. Traditional identity controls can fail quietly if help-desk processes, BPO accounts, session controls, OAuth grants, and export permissions are not monitored as one operating model.
How the Attack Can Unfold
- Attacker calls an employee, contractor, or BPO worker and drives a vishing workflow against SSO.
- The compromised account passes into Microsoft Entra or another identity provider with access to SaaS applications.
- The attacker enumerates connected SaaS tools, roles, OAuth grants, and data export paths.
- Customer, support, account, or operational records are exported through native reporting or API functions.
- The stolen data is used for extortion, follow-on phishing, business email compromise, or pressure during notification decisions.
- Are Salesforce exports tied to named business use cases?
- Do BPO and support accounts have phishing-resistant authentication?
- Can we reconstruct who exported which objects, from where, and when?
- Are OAuth tokens and connected apps reviewed after suspected identity compromise?
MITRE ATT&CK Mapping
| Stage | Technique | Relevance |
|---|---|---|
| Initial Access | T1566 Phishing | Vishing is used to compromise identity or authentication flows. |
| Initial Access | T1078 Valid Accounts | An Entra account provides legitimate SaaS access. |
| Collection | T1213 Data from Information Repositories | Customer and support data is collected from Salesforce or adjacent SaaS repositories. |
| Exfiltration | T1567 Exfiltration Over Web Service | Native SaaS exports and APIs can move data through expected channels. |
Detection and Hunting Guidance
- Review Entra sign-ins for vishing indicators: unusual device registration, new MFA methods, atypical locations, impossible travel, and high-risk sign-ins for support or BPO users.
- Hunt Salesforce for mass exports, unusual report downloads, API spikes, object access outside role norms, and exports shortly after authentication anomalies.
- Identify connected apps, refresh tokens, and OAuth grants created or used around the suspected window.
- Compare SaaS access from support workflows against ticket assignments and normal queue ownership.
Controls to Prioritize
- Move high-risk SaaS users and support/BPO accounts to phishing-resistant MFA and hardened recovery workflows.
- Limit Salesforce export rights by role, object sensitivity, and business justification.
- Require alerting for bulk export, unusual report creation, and high-volume API reads.
- Test revocation workflows for SaaS sessions, refresh tokens, connected apps, and delegated admin access.
ScreenConnect Cryptojacking via Poisoned Search
What Happened
Microsoft reported a cryptojacking campaign that pushed users searching for software utilities to attacker-controlled domains. In some observed cases, LLM-generated responses included links to domains later associated with the campaign. The fake sites delivered ZIP files containing legitimate utility executables and a malicious autorun.dll for DLL sideloading.
The chain silently installed ScreenConnect, used remote file transfer to drop SimpleRunPE, created hidden install paths, added Defender exclusions, performed anti-analysis checks, and hollowed Microsoft-signed .NET utilities such as InstallUtil.exe, RegAsm.exe, RegSvcs.exe, and MSBuild.exe before launching GPU-focused mining activity.
Why This Matters
This is more than nuisance cryptomining. The campaign exercises a repeatable endpoint intrusion pattern: trust in search results, local execution of a fake utility, legitimate RMM for persistence and operator access, security-control weakening, and execution inside signed Windows processes. The same pattern can support credential theft, data staging, ransomware preparation, or hands-on-keyboard intrusion.
How the Attack Can Unfold
- Employee searches for a utility and lands on an attacker-controlled download page through poisoned search, sponsored placement, or AI-assisted discovery.
- A ZIP file runs a legitimate executable that sideloads a malicious DLL from the same folder.
- The malware installs ScreenConnect and connects to attacker infrastructure.
- The attacker transfers additional tooling, creates hidden paths, and changes Defender exclusions.
- The miner runs inside a hollowed Microsoft-signed .NET process, while host and GPU telemetry is sent to command infrastructure.
- Do employees have a fast approved route for utility installs?
- Are newly installed RMM clients treated as high-severity events?
- Can EDR correlate DLL sideloading, ScreenConnect, Defender exclusions, and GPU miner execution?
- Are AI and search-result software recommendations covered in user guidance?
MITRE ATT&CK Mapping
| Stage | Technique | Relevance |
|---|---|---|
| Initial Access | T1189 Drive-by Compromise | Poisoned download pages lure users into malicious utility installs. |
| Execution | T1204 User Execution | The user launches the downloaded utility package. |
| Defense Evasion | T1574.002 DLL Side-Loading | A legitimate executable loads malicious autorun.dll. |
| Command and Control | T1219 Remote Access Software | ScreenConnect provides persistent operator access. |
| Defense Evasion | T1055.012 Process Hollowing | Mining code runs inside trusted Microsoft-signed .NET utilities. |
Detection and Hunting Guidance
- Alert on newly installed ScreenConnect clients outside approved deployment tools, especially with suspicious custom properties or uncommon hosts.
- Hunt for signed utility executables loading DLLs from user-writable download or temp directories.
- Detect PowerShell invoking
Add-MpPreferenceto create Defender path or process exclusions. - Watch for
InstallUtil.exe,RegAsm.exe,RegSvcs.exe, orMSBuild.exewith suspicious parentage, network behavior, or GPU miner child processes.
Controls to Prioritize
- Provide an internal software catalog and exception process for common utilities so users do not rely on search results or chatbot answers.
- Restrict RMM execution to approved tenants, signed installers, deployment tools, and device groups.
- Block DLL loading from archive extraction paths and user download directories where practical.
- Require approval or high-severity alerting for Defender exclusion changes outside managed security tooling.
The Control Pattern
| Control Domain | What Failed or Was Stressed | What Good Looks Like |
|---|---|---|
| Application secret governance | Shared machine keys made independent deployments vulnerable to the same exploit path. | Unique per-deployment secrets, rotation evidence, owner accountability, and webroot integrity monitoring. |
| SaaS identity and data access | Compromised identity can inherit broad export privileges. | Phishing-resistant authentication, least-privilege exports, API monitoring, and token revocation. |
| Endpoint software trust | Users installed fake utilities from attacker-controlled discovery paths. | Managed catalogs, source validation, DLL sideloading controls, and RMM allowlisting. |
| Incident response evidence | Public claims and internal statements can diverge until logs and leaked data are validated. | Export logs, authentication records, endpoint telemetry, and clear evidence packs for legal, board, and customer communications. |
72-Hour CISO Actions
First 24 Hours
- Identify KnowledgeDeliver and similar ASP.NET LMS or training portals; confirm patch level and unique machine-key status.
- Pull IIS, Windows Application, EDR, and webroot integrity data for exposed LMS hosts before retention windows close.
- Ask identity and CRM owners for Entra high-risk sign-ins, MFA changes, Salesforce exports, API spikes, and connected-app changes affecting support or BPO users.
- Hunt for unexpected ScreenConnect installs, suspicious DLL sideloading from downloads, and Defender exclusion changes.
- Issue targeted guidance: do not install utilities from search results, ads, mirrors, or AI-generated links; use the approved catalog.
24 to 72 Hours
- Rotate shared ASP.NET machine keys and preserve evidence of old and new key deployment.
- Review Salesforce object-level export permissions and remove standing export rights where not required.
- Revoke risky SaaS sessions, refresh tokens, and OAuth grants tied to suspicious identities.
- Tighten RMM allowlists and alert on newly seen RMM clients outside approved tenants.
- Brief legal, privacy, support, and customer communications on the evidence needed before accepting or disputing actor data claims.
30 Days
- Fold training portals, partner portals, and customer education platforms into tiered asset governance.
- Build SaaS export anomaly detection across CRM, support, collaboration, and file-sharing platforms.
- Create an enterprise software-source policy that covers search, ads, package mirrors, community tools, and AI-generated recommendations.
- Test a cross-functional playbook for vishing-to-SaaS compromise: identity, SaaS admin, legal, privacy, support, and communications.
Today's incidents show attackers abusing systems the business already trusts: SaaS identity, application deployment defaults, and employee software discovery.
The security program is validating that trusted paths are restricted, monitored, and quickly revocable, with evidence that can support customer, regulatory, and board decisions.
- Externally exposed ASP.NET applications with unique machine-key evidence.
- High-risk SaaS users covered by phishing-resistant authentication.
- Bulk SaaS exports reviewed within 24 hours.
- Unauthorized RMM installs detected and contained.
- Endpoints blocked from executing unsigned or untrusted utility downloads.
Sources Reviewed
- Google Cloud / Mandiant: Exploitation of KnowledgeDeliver via ViewState Deserialization Vulnerability
- BleepingComputer: Charter confirms data breach after ShinyHunters extortion threat
- Microsoft Security Blog: From poisoned search results to GPU mining: A cryptojacking campaign abusing ScreenConnect and Microsoft .NET utilities
- Context item reviewed but not selected as a primary incident: 7-Eleven data breach exposes personal information of 185,000 people
- Local source:
CISO Platform Daily Breach Report/Daily Breach Intelligence - 27 May 2026
© 2026 CISO Platform. For more information, email contact@cisoplatform.com or visit cisoplatform.com.
Comments