Threat Analysis: KongTuke Teams Attacks and Fragnesia Linux Flaw, What UK SMBs Need to Know

Hello, Mauven here.

This is your Daily Threat Analysis for 14th May 2026.

Two items today. Neither is background noise. Both warrant action before end of business.

KongTuke: Microsoft Teams Is Now an Attack Surface for Initial Access

KongTuke is an initial access broker, a criminal operation that specialises not in running its own ransomware campaigns, but in selling its way into corporate networks to other groups who do. The distinction matters. When an IAB gets into your network, your problem does not end with the IAB. It begins there.

The group has moved its social engineering operation onto Microsoft Teams. The method is impersonation. An attacker contacts a member of staff via Teams, posing as IT support, or in some observed cases as a senior member of the organisation, and requests that the target approve or facilitate a remote access session. Reported dwell time from first contact to persistent access: as little as five minutes.

Five minutes. That is not a typo.

The NCSC has published guidance on social engineering via collaboration platforms before. The fact that we are still seeing this technique succeed at operational speed tells you how seriously most organisations are taking that guidance. The attack works because Teams carries an implicit trust that email no longer does. Staff who have been trained to scrutinise suspicious emails have not necessarily been trained to scrutinise suspicious Teams messages. Attackers have noticed.

The payload in observed attacks is ModeloRAT, a remote access trojan that provides persistent, covert access to the infected machine and the network it sits on. Once KongTuke has that access, it is packaged and sold. Your network becomes inventory.

Why This Matters to UK SMBs

The obvious objection is that KongTuke is targeting large corporates. That is not a safe assumption. Initial access brokers are opportunistic. The value of access to a smaller professional services firm, an accountancy practice, or a legal firm is real: not as large as access to a FTSE 250 company, but the barrier to entry is also lower. And smaller organisations tend to have less mature detection capability, which makes the access more durable and therefore more valuable on the broker market.

If your business uses Microsoft Teams and your staff have external communications enabled, you have an attack surface here. The question is whether your people know what to do when someone they do not recognise asks them to approve a remote session via chat.

What to Do Now

  • Review your Teams external access settings. If your business has no operational reason to receive unsolicited external Teams messages, restrict or disable external domain federation. This is a configuration change, not a product purchase.
  • Brief your helpdesk and all staff today. Legitimate IT support does not cold-contact staff via Teams and ask them to approve remote sessions. If that happens, the answer is to verify through a known, out-of-band channel before taking any action.
  • Check what remote access tools are installed on your endpoints. ModeloRAT achieves persistence, which means it survives reboots. If you have unexplained remote access software present, that warrants investigation.
  • Log Teams activity. If you are not currently logging external contact attempts in Teams, you cannot detect this threat pattern.

Fragnesia (CVE-2026-46300): Linux Kernel Privilege Escalation With Public Exploit Code

The second item today is a Linux kernel vulnerability tracked as CVE-2026-46300, named Fragnesia. It is a local privilege escalation flaw in the kernel’s memory and page-cache handling, an area that has produced a series of reliable, high-severity vulnerabilities in recent years, including Dirty Frag, of which Fragnesia is a direct conceptual successor.

The practical consequence is this: an attacker who has any level of local access to an affected Linux system can escalate that access to root. Root is the end. Root is full control of the machine, the processes it runs, the data it holds, and, depending on your network architecture, the infrastructure it can reach from there.

The reason this is being treated as urgent is not just the severity. It is that working public exploit code is already available. This is not a theoretical exploit. It exists. Researchers have it. Criminal groups will have it shortly, if they do not already.

Patches are being rolled out by Linux distributions. Ubuntu, Debian, Red Hat Enterprise Linux, and CentOS advisories are in circulation or imminent. The window between public exploit availability and active exploitation in the wild is typically short.

Why This Matters to UK SMBs

The reflex response here is: we do not run Linux servers, this is not our problem. That response is wrong for most SMBs, and here is why.

If you use hosted infrastructure with any cloud provider, there is Linux in that stack. If you use network-attached storage, there is a reasonable chance it runs a Linux kernel. If you use a managed service provider, they almost certainly have Linux in their infrastructure. If your web hosting, your VPN endpoint, your backup server, or your shared storage runs on Linux and has not been patched, this vulnerability applies.

You do not need to run a Linux desktop for this to be relevant. You need to have Linux anywhere in your supply chain, and most SMBs do, whether they know it or not.

The additional context The Register flags is the consistency of this vulnerability class. Fragnesia follows Dirty Frag in exploiting the same general area of kernel memory handling. This is not a one-off. The pattern suggests that this class of vulnerability is not exhausted, and further findings in this area are plausible. Organisations that have been patching slowly should treat that as a structural problem, not an isolated inconvenience.

What to Do Now

  • Identify all Linux systems in your environment. This includes servers, cloud instances, NAS devices, VPN appliances, and anything managed on your behalf by a third party. If you do not know what Linux systems you have, that is the first problem to solve.
  • Apply kernel patches. Check the advisories for your specific distributions. Ubuntu, Debian, RHEL, and CentOS patches are available or in progress. Apply them. A reboot is required for a kernel patch to take effect; a host with the fixed kernel installed but still running the old one is still vulnerable.
  • Ask your MSP or hosting provider today. If you outsource infrastructure, send a direct question: have you patched against CVE-2026-46300 on systems that support our environment? Get a written answer.
  • Prioritise internet-facing Linux systems. If an attacker can gain a foothold on a system remotely, whether through a web application vulnerability, a misconfigured service, or compromised credentials, Fragnesia becomes the route from that foothold to full compromise.
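As an added example (not from the article or the sources it cites), a small POSIX shell check for the reboot caveat in the patching step: it classifies a host as PATCHED, REBOOT_NEEDED or VULNERABLE by comparing the running kernel and the newest installed kernel image against the fixed version. It assumes Debian/Ubuntu/RHEL-style /boot/vmlinuz-<version> files and GNU sort -V; the fixed kernel version is a placeholder you take from your distribution's advisory, since this page does not state one.

```shell
#!/bin/sh
# Added example: detect hosts that have the fixed kernel installed but are
# still running the old one, so they are not counted as patched.
# Assumption: kernel images are /boot/vmlinuz-<version> and sort -V is GNU.

# Newest kernel image version found in a /boot-style directory (argument 1).
newest_installed_kernel() {
    ls "$1"/vmlinuz-* 2>/dev/null | sed 's#.*/vmlinuz-##' | sort -V | tail -n 1
}

# Succeeds if version $1 is at least version $2 (sort -V ordering).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# Classify one host. Arguments: running version, boot dir, fixed version.
# Prints PATCHED, REBOOT_NEEDED or VULNERABLE.
kernel_status() {
    running="$1"; bootdir="$2"; fixed="$3"
    installed="$(newest_installed_kernel "$bootdir")"
    if version_ge "$running" "$fixed"; then
        echo PATCHED
    elif [ -n "$installed" ] && version_ge "$installed" "$fixed"; then
        echo REBOOT_NEEDED      # patch on disk, old kernel still in memory
    else
        echo VULNERABLE         # no fixed kernel installed at all
    fi
}

# Stand-alone use on the local host: ./kernel_check.sh --local <fixed-version>
# The fixed version is a placeholder; take it from your distribution's advisory.
if [ "${1:-}" = "--local" ]; then
    kernel_status "$(uname -r)" /boot "${2:?fixed kernel version required}"
fi
```

Run it from your configuration management or MSP reporting across every Linux host found in the inventory step; only PATCHED answers the question in the MSP bullet.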

The Connecting Thread

These two threats are worth considering together, not just separately. KongTuke provides initial access. Fragnesia provides privilege escalation on Linux infrastructure. An attacker who uses a Teams social engineering attack to land ModeloRAT on a machine in your environment, then pivots to a Linux server running an unpatched kernel, has a clean path to root on that server. That is not a scenario I am constructing speculatively. That is a description of how layered attacks work.

The mitigations are different. Restrict external Teams access and train your people for one; patch your Linux systems for the other. Neither requires budget. Both require someone to make them happen today.


Sources

  • BleepingComputer, "KongTuke hackers now use Microsoft Teams for corporate breaches": https://www.bleepingcomputer.com/news/security/kongtuke-hackers-now-use-microsoft-teams-for-corporate-breaches/
  • BleepingComputer, "New Fragnesia Linux flaw lets attackers gain root privileges": https://www.bleepingcomputer.com/news/security/new-fragnesia-linux-flaw-lets-attackers-gain-root-privileges/
  • The Register, "Dirty Frag gets a sequel as Fragnesia hands Linux attackers root-level access": https://www.theregister.com/security/2026/05/14/dirty-frag-gets-a-sequel-as-fragnesia-hands-linux-attackers-root-level-access/5240270
  • The Register, "To gain root access at this company, all an intruder had to do was ask nicely": https://www.theregister.com/security/2026/05/14/to-gain-root-access-intruder-just-had-to-ask/5239853
  • Microsoft Security Response Center, CVE-2026-25541: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-25541

Filed under

  • smb-security
  • uk-business
  • social-engineering
  • credential-theft
  • remote-access
  • vendor-risk
  • incident-response