Cybersecurity Weekly Briefing, 11-17 July
Remote code execution with kernel privileges in Windows’ HTTP.sys
Researchers at TrendAI Research, through the Zero Day Initiative, have published an article providing an in-depth analysis of vulnerability CVE-2026-47291 (CVSSv3 9.8 according to Microsoft), an integer overflow in the buffer reference array that HTTP.sys uses when parsing HTTP/1.x headers over TLS. Each TLS record is passed to the parser as a separate buffer, and after 13,107 growth events, the capacity field overflows to zero, causing a write of over 500 KB outside a 40-byte buffer in the kernel pool.
A remote, unauthenticated attacker can trigger this by sending an HTTPS request with thousands of lines of headers spread across individual TLS records, a process that takes around 11 minutes to complete at a moderate rate. HTTP.sys is the kernel-mode HTTP handler that underpins IIS and numerous Windows Server services exposed to the internet, giving this vulnerability a very high prevalence; however, Microsoft fixed it in the June 2026 patch cycle and there are no confirmed active exploits.
It is recommended that the patch be applied immediately and, as a temporary mitigation on unpatched systems, that the MaxRequestBytes value be set to 65,535 bytes or less in the Windows registry.
The Gentlemen has established itself as the second most active RaaS group of 2026, with a 90 per cent cut for its affiliates
Unit 42 details the evolution of The Gentlemen, a Ransomware-as-a-Service programme active since July 2025. Its operators, numbering around twenty, distribute encryptors written in C and Go to target both Windows and virtualised infrastructure; they rely on exploiting perimeter devices (firewalls, VPNs), brute-force attacks and leaked credentials, and have developed their own backdoor in Go alongside an EDR disabling framework called GentleKiller. The group offers its affiliates 90 per cent of ransom payments, well above the 70–80 per cent typical in the sector, which has fuelled rapid growth: from August 2025 to July 2026, it accumulated 580 confirmed victims across 77 countries, with June 2026 being its busiest month (117 victims), almost four times as many as in January.
The manufacturing sector accounts for 103 of these victims, and in May 2026 the group announced a partnership with BreachForums to recruit affiliates and initial access brokers. It is recommended to strengthen SMB segmentation and disable SSH on ESXi hosts except during explicit maintenance windows.
Jalisco and OmegaLord, phishing-as-a-service toolkits, gain access to Microsoft 365 by bypassing MFA
Researchers at ReliaQuest have identified two phishing toolkits that represent a fundamental evolution in identity compromise techniques: Jalisco, a device-code-based phishing toolkit that generates fresh OAuth codes in real time to circumvent 15-minute lifetime-based controls, and OmegaLord, a JavaScript credential harvester that deliberately collects telephone numbers alongside passwords to intercept MFA. The discovery of Jalisco marks a critical turning point: whilst traditional kits use hardcoded tokens, the real-time decoy generation technique neutralises the security assumptions that defenders rely on to limit this attack vector.
ReliaQuest documented a 1,380 per cent increase in phishing activity between late 2025 and early 2026, driven by AI-powered PhaaS kits such as EvilTokens and Kali365, which enable actors of any skill level to launch convincing brand impersonation campaigns on a massive scale. Once a Microsoft 365 account has been compromised, attackers establish persistence by registering multiple devices under their control with the Entra ID tenant, creating an access vector that survives password resets.
Organisations must immediately disable the device code authentication flow in Entra ID via conditional access policies and thoroughly audit device registration.
The European Union and the United Kingdom impose sanctions on the Turla group and the infrastructure of the Russian FSB
The European Union, the United Kingdom and several European governments have announced a comprehensive package of sanctions against members of Centre 16 of the Russian FSB, which is responsible for the Turla threat actor (also known as Secret Blizzard), for more than a decade of cyber-espionage operations and destructive attacks. The measures are in response to campaigns targeting European governments, critical infrastructure and, in particular, the attack on the Polish power grid recorded in December 2025.
At the same time, thirteen countries have issued a joint advisory reminding organisations that this threat actor continues to compromise vulnerable network devices to gain initial access to organisations in strategic sectors.
It is recommended that organisations pay particular attention to exposed routers, remove weak credentials and disable legacy features such as Cisco Smart Install.
Eleven overlooked UEFI shims allow Secure Boot to be bypassed on virtually any Windows computer
Researchers at ESET have identified eleven legacy UEFI shims (version 0.9 or lower) that allow Secure Boot to be bypassed on any system that relies on the third-party certificate “Microsoft Corporation UEFI CA 2011”, regardless of the operating system installed. The issue, recorded as CVE-2026-8863 and CVE-2026-10797, neither of which has a CVSS score yet, does not stem from a specific flaw but rather from obsolete second-stage bootloaders (primarily GRUB 2) containing previously known vulnerabilities.
An attacker can bring their own copy of the vulnerable shim to any computer with the Microsoft certificate enabled, without the original software needing to be installed, and use it to load bootkits such as Bootkitty, HybridPetya or BlackLotus, even with Secure Boot enabled. ESET reported the finding to CERT/CC in February 2026, and Microsoft revoked the affected binaries in the dbx update released on Patch Tuesday, 9 June.
Given the virtually universal scope of the affected chain of trust, it is recommended that users apply the relevant dbx update as soon as possible and verify on Secured-core machines that trust in third-party certificates remains disabled.
◾ This newsletter is one of the deliverables of our Operational and Strategic Intelligence service. If you are interested in knowing the rest of the Operational and Strategic Intelligence contents included in the service, please contact us →
Hybrid Cloud
Cybersecurity
Data & AI
IoT & Connectivity
Industry
Health
Banking and Finance
Public Sector
Retail
Tourism and Leisure
Transport & Logistics
Energy & Utilities
Smart Cities