Coverage: Last 24 hours

Today’s Highlights

Today’s brief includes urgent vulnerabilities, evolving attack techniques, and the disruption of major criminal malware operations. Focus areas: zero-days in Cisco SD-WAN and Lantronix, ongoing supply-chain risks in CI/CD, an active browser extension attack, persistent social engineering at help desks, and broad impact from a takedown of malware networks.

Table of Contents

1. Google releases new privacy controls for activity history, personalization
2. DraftKings hacker ‘Snoopy’ sentenced to 18 months in prison
3. Malicious Edge extension abuses Native Messaging as bridge to malware
4. Amadey, StealC malware operations disrupted in Operation Endgame action
5. Securing the service desk: Why social engineering attacks keep succeeding
6. Stealthy Mistic backdoor linked to ransomware access broker KongTuke
7. Mandiant reveals how Cisco SD-WAN zero-day attacks gained root access
8. CISA warns of max severity Ubiquiti flaws exploited in attacks
9. Cisco Catalyst SD-WAN Zero-Day CVE-2026-20245 Exploited to Gain Root Access
10. CISA Warns Critical Lantronix EDS5000 Flaw Is Being Actively Exploited

Top Stories

Google releases new privacy controls for activity history, personalization

Source: BleepingComputer | Risk: Medium | Impacted: Google Workspace administrators, End-user Google Accounts, Compliance teams

Summary: Google is rolling out new privacy controls for Search services and Google Play, giving you more control over saved history and personalized recommendations.

Why it matters: Default data retention and history settings can inadvertently expose sensitive business or personal information, increasing risk in account recovery or targeted phishing scenarios.

Practitioner Perspective

Organizations leveraging Google Search and Play services should review how changes to privacy and personalization controls affect end-user data exposure and access. New granular options could alter default visibility and the persistence of activity logs, impacting incident response and forensics. Mismatches between privacy configurations and organizational policy can hamper e-discovery or breach notification obligations. Security teams must coordinate with privacy and compliance to align GCP and Google Workspace settings with broader enterprise standards.

Recommended Actions

• Audit all Google Workspace privacy and personalization defaults after this update and realign them with internal policy
• Update onboarding/offboarding runbooks to include verification of Google activity and history controls for newly provisioned or deprovisioned users

DraftKings hacker ‘Snoopy’ sentenced to 18 months in prison

Source: BleepingComputer | Risk: Medium | Impacted: Consumer web and mobile platforms, Identity and access management teams, Incident response teams

Summary: A 21-year-old using the alias “Snoopy” was sentenced to 18 months in prison for his role in hacking DraftKings accounts in the November 2022 cyberattack.

Why it matters: Criminal prosecution does not mitigate risks from credential stuffing or account takeover campaigns, which remain persistent threats to consumer-scale platforms.

Practitioner Perspective

Consumer-facing services like DraftKings remain lucrative targets for attackers abusing stolen credentials from prior breaches. Deterrence through law enforcement action may reduce one actor but does not address the ecosystem of account compromise. Security teams should anticipate ongoing use of automated tools to bypass security controls using fresh and recycled credentials. Focus should remain on making large-scale automated attacks less viable rather than relying on post-factum enforcement.

Recommended Actions

• Implement active detection of credential stuffing and rapid lockout/warning workflows on login endpoints
• Integrate breached credential checks (e.g., via Have I Been Pwned or equivalent) at registration and login

Malicious Edge extension abuses Native Messaging as bridge to malware

Source: BleepingComputer | Risk: High | Impacted: Microsoft Edge desktop users, SOCs with browser extension management gaps, Organizations with weak EDR correlation on browser activity

Summary: A malicious Microsoft Edge extension dubbed ‘Edgecution’ has been used in a ransomware attack to escape the browser sandbox and deploy a Python-based backdoor.

Why it matters: Abuse of the Native Messaging API gives attackers a new lateral movement vector from browser environments to endpoint compromise, bypassing traditional sandboxing defenses.

Practitioner Perspective

Environments supporting Microsoft Edge are exposed to threats where untrusted extensions can escalate privileges through misused Native Messaging, culminating in ransomware or remote backdoor deployment. Attackers are pivoting from email-based infection chains to browser ecosystem abuse, exploiting weaker extension vetting controls. This technique subverts EDR visibility as malicious payloads appear as legitimate browser child processes. Security teams should reevaluate browser extension governance and monitor for suspicious native host registrations tied to Edge.

Recommended Actions

• Enforce strict allow-listing of Edge browser extensions through Microsoft Intune or Group Policy
• Scan managed endpoints for unauthorized Native Messaging host registrations and binaries that interface with Edge

Amadey, StealC malware operations disrupted in Operation Endgame action

Source: BleepingComputer | Risk: Medium | Impacted: Enterprises with historic commodity malware infections, Security teams lacking automated credential exposure monitoring, Third-party risk managers

Summary: Microsoft, Europol, and international partners have disrupted infrastructure used by the Amadey and StealC malware operations as part of Operation Endgame, which targets cybercriminal services and ransomware gangs.

Why it matters: Even with key infrastructure takedowns, credentials exfiltrated by commodity malware can circulate in underground markets for years, fueling downstream fraud and ransomware.

Practitioner Perspective

Amadey and StealC have seeded large-scale info-stealer and loader campaigns across multiple sectors; Operation Endgame’s disruption will be temporary without follow-on controls. Many organizations underestimate dwell time and persistent risk due to harvested credentials being sold or reused elsewhere. Security programs must focus on ongoing detection of commodity malware behaviors and prompt reset of exposed credentials. Network defenders should incorporate lessons from recent takedown actions to shape proactive threat hunting.

Recommended Actions

• Proactively rotate credentials for staff and service accounts identified in info-stealer breach dumps post-Amadey/StealC disruption
• Hunt for lateral movement and persistence artifacts linked to Amadey and StealC infection chains

Securing the service desk: Why social engineering attacks keep succeeding

Source: BleepingComputer | Risk: High | Impacted: Enterprise service desks, Identity and access management teams, Organizations with remote or third-party IT support

Summary: Service desks have become a favored target for attackers seeking password resets, MFA changes, and access to corporate accounts. Specops Software breaks down how service desk social engineering attacks work and how organizations can defend against them.

Why it matters: Attackers can weaponize weak service desk identity verification to reset passwords or disable MFA, leading to account takeovers with minimal technical effort.

Practitioner Perspective

Service desks represent a persistent weak link, especially when processes prioritize customer experience over security. Attackers frequently succeed by exploiting common oversights: limited staff training in adversarial tactics, inconsistent call recording, or lack of verification checklists. With the rise in social engineering and MFA push fatigue, security teams must treat the service desk as a privileged target within the attack surface, warranting technical controls and continual awareness drills. Harden call scripts and empower staff to escalate any suspicious inbound requests.

Recommended Actions

• Implement step-up identity verification protocols for all password resets and MFA changes via service desk
• Mandate call recording and regular spot-audits of helpdesk interactions for social engineering attempts

Stealthy Mistic backdoor linked to ransomware access broker KongTuke

Source: BleepingComputer | Risk: High | Impacted: Firms in insurance, education, IT, and professional services, Incident response teams, Defenders lacking advanced threat hunting

Summary: A new backdoor dubbed Mistic has been observed in financially motivated attacks targeting organizations in the insurance, education, IT, and professional services sectors.

Why it matters: Initial access brokers leveraging custom backdoors facilitate rapid ransomware deployment and business disruption, often bypassing commodity malware detection.

Practitioner Perspective

The emergence of Mistic, tailored for stealth and persistence, signals ongoing professionalization among access brokers servicing ransomware groups. Traditional perimeter and endpoint controls may be inadequate due to bespoke payloads and novel C2. Organizations in insurance, education, IT, and professional services should assess lateral movement exposure and hunt for persistence implants beyond standard malware signatures. Evaluate the maturity of threat hunting operations to avoid detection gaps from tooling unfamiliar with new backdoor variants.

Recommended Actions

• Task threat hunting teams with searching for Mistic backdoor TTPs and unknown persistence in relevant sector environments
• Review endpoint telemetry for unusual one-off network connections or new persistent services linked to recent access broker campaigns

Emerging Signals

Amadey and StealC Malware Network Disrupted, 27M Stolen Credentials Recovered

Source: The Hacker News | Risk: Medium | Impacted: Organizations with historic malware events, Security operations monitoring credential usage, User populations with weak password hygiene

Summary: A coordinated law enforcement operation, in partnership with private sector companies, including Bitdefender, Bitsight, ESET, and Microsoft, has resulted in the takedown of criminal infrastructure powering Amadey and StealC. “The main common goal was to disrupt the ‘assembly lines’ cybercriminals use to launch ransomware, financial fraud, and attacks on critical infrastructure,” Europol said in

Why it matters: Credential reuse remains a significant risk after malware takedowns, as stolen data is resold, re-used, or leveraged in secondary campaigns for long after initial compromise.

Practitioner Perspective

Recovery of 27 million stolen credentials following disruption of Amadey and StealC operations by Microsoft and partners addresses the supply side but not root cause risk. Enterprise defenders must quickly identify accounts tied to recovered credential data sets and drive resets or monitoring. Networks that previously suffered info-stealer infections may already be exposed to lateral movement or data leakage. Tactical controls must now follow strategic disruptions to close residual access routes.

Recommended Actions

• Ingest and cross-reference newly recovered credential data with enterprise SSO and IAM logs
• Force password changes for any accounts matched to Amadey/StealC dumps

Exploits & CVEs

Mandiant reveals how Cisco SD-WAN zero-day attacks gained root access

Source: BleepingComputer | Risk: Critical | Impacted: Organizations with Cisco Catalyst SD-WAN deployments, Network operations centers, Critical infrastructure sectors

Summary: New details have been revealed on how hackers exploited a Cisco Catalyst SD-WAN vulnerability tracked as CVE-2026-20245 in zero-day attacks to create rogue root accounts on targeted devices.

Why it matters: Compromise of Cisco Catalyst SD-WAN infrastructure enables attackers to manipulate network routing, intercept sensitive traffic, or deploy persistent implants at the core of enterprise networks.

Practitioner Perspective

Actively exploited by sophisticated actors, CVE-2026-20245 poses a systemic risk to organizations reliant on vulnerable Cisco SD-WAN devices. Privilege escalation to root on routing infrastructure enables attackers to bypass segmentation, inject malicious configurations, and maintain long-term access. This zero-day reinforces the ongoing interest of threat actors in supply-chain and core networking layers. Flawed segmentation or delayed patch cycles compound these risks, emphasizing the critical need for real-time inventory and expedited patch workflows.

Recommended Actions

• Immediately apply Cisco’s patches addressing CVE-2026-20245 to all affected Catalyst SD-WAN devices
• Implement out-of-band network monitoring to detect unauthorized configuration changes in SD-WAN environments

CISA warns of max severity Ubiquiti flaws exploited in attacks

Source: BleepingComputer | Risk: Critical | Impacted: Organizations running Ubiquiti UniFi OS, SMBs with limited network segmentation, Managed IT service providers

Summary: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning of hackers actively exploiting flaws in Ubiquity UniFi OS and Lantronix serial-to-ethernet servers.

Why it matters: Unpatched Ubiquiti UniFi OS flaws can enable remote compromise of network gear commonly deployed in SMBs and enterprises, allowing lateral movement or eavesdropping within internal networks.

Practitioner Perspective

CISA’s advisory highlights ongoing exploitation of high-impact vulnerabilities in Ubiquiti network management solutions. These platforms are widely deployed, often with internet-facing management and weak default configurations. Adversaries frequently pivot into higher value internal networks once initial access is gained through these devices. Failure to urgently remediate exposes organizations to both data exfiltration and supply-chain risk, especially where UniFi devices are managed by MSPs.

Recommended Actions

• Apply all security updates for Ubiquiti UniFi OS and verify removal of default accounts and credentials
• Restrict external management plane access for UniFi equipment using firewall rules

Cisco Catalyst SD-WAN Zero-Day CVE-2026-20245 Exploited to Gain Root Access

Source: The Hacker News | Risk: Critical | Impacted: Large enterprises with Cisco SD-WAN, Critical infrastructure network operators, Telecommunications providers

Summary: An unknown threat actor exploited a recently disclosed high-severity security flaw impacting Cisco Catalyst SD-WAN as a zero-day at least two months before it was publicly disclosed, according to new findings from Google-owned Mandiant. The vulnerability, tracked as CVE-2026-20245 (CVSS 7.8), allows an authenticated, local attacker to execute arbitrary commands with elevated privileges.

Why it matters: A successfully exploited local privilege escalation within Cisco Catalyst SD-WAN enables attackers to execute arbitrary commands as root, undermining the integrity of critical network backbone devices.

Practitioner Perspective

Organizations relying on Cisco Catalyst SD-WAN devices face heightened risk as CVE-2026-20245 is proven exploitable prior to public disclosure, suggesting skilled actors already hold access in some environments. This expands attacker persistence options, bypasses many traditional controls, and may go undetected without direct device monitoring. Network backbone compromise is particularly destructive for regulated or uptime-sensitive sectors. Proactive validation of patch status and account hygiene on SD-WAN is necessary to reduce dwell time and exposure.

Recommended Actions

• Expedite deployment of Cisco firmware updates for CVE-2026-20245 across vulnerable SD-WAN routers
• Conduct a full audit of root and administrative accounts on SD-WAN platforms for unexplained entries or activity

CISA Warns Critical Lantronix EDS5000 Flaw Is Being Actively Exploited

Source: The Hacker News | Risk: Critical | Impacted: Industrial organizations using Lantronix EDS5000, Manufacturing and healthcare IT, Industrial control system operators

Summary: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday warned of active exploitation of a critical security flaw impacting Lantronix EDS5000 Series devices, urging Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by June 26, 2026. The vulnerability in question is CVE-2025-67038 (CVSS 9.8), a code injection flaw that could result in the execution

Why it matters: Unmitigated code injection in Lantronix EDS5000 appliances exposes operational networks to full remote takeover, affecting device integrity and availability in production and critical environments.

Practitioner Perspective

CVE-2025-67038 presents an active exploitation scenario in industrial and IT settings where Lantronix EDS5000 serial-to-ethernet servers are deployed. Attackers can gain deep access to machine-to-machine gateways or peripheral devices by abusing these flaws, facilitating lateral movement, data exfiltration, or operational outage. The short CISA patch window underscores potential for high-impact attacks across user bases that often lack strong patch automation. Assessment should extend beyond patching to include segmentation and device hardening.

Recommended Actions

• Prioritize installation of Lantronix EDS5000 patches for CVE-2025-67038 before CISA’s enforcement deadline
• Audit access to network segments containing EDS5000 devices, limiting exposure to trusted management networks

Defensive Actions

• Audit all Google Workspace privacy and personalization defaults after this update and realign them with internal policy
• Implement active detection of credential stuffing and rapid lockout/warning workflows on login endpoints
• Enforce strict allow-listing of Edge browser extensions through Microsoft Intune or Group Policy
• Proactively rotate credentials for staff and service accounts identified in info-stealer breach dumps post-Amadey/StealC disruption
• Implement step-up identity verification protocols for all password resets and MFA changes via service desk
• Task threat hunting teams with searching for Mistic backdoor TTPs and unknown persistence in relevant sector environments
• Immediately apply Cisco’s patches addressing CVE-2026-20245 to all affected Catalyst SD-WAN devices
• Apply all security updates for Ubiquiti UniFi OS and verify removal of default accounts and credentials
• Prioritize installation of Lantronix EDS5000 patches for CVE-2025-67038 before CISA’s enforcement deadline
• Ingest and cross-reference newly recovered credential data with enterprise SSO and IAM logs

What We’re Watching

• Early signs of new credential stuffing waves after recent takedowns of commodity malware networks
• Patch compliance rates for SD-WAN and Lantronix infrastructure, given active exploitation windows and supply-chain risk
• Ongoing abuse of browser extension APIs for lateral movement and ransomware deployment
• Effectiveness of updated service desk call verification procedures in preventing account takeovers
• Changes in observed threat actor TTPs following high-profile law enforcement disruptions

Categories: Cybersecurity Blog, Cybersecurity News

Tags: Credential Theft, cybersecurity, daily briefing, Incident Response, Malware, Network Security, patching, Ransomware, Vulnerabilities, Zero-Day