- Home
- Cybercrime and Ransomware
- Emerging Tech
- Threat Intelligence
- Expert Insights
- Careers and Learning
- Compliance
Subscribe to Updates
Subscribe to our newsletter and never miss our latest news
Subscribe my Newsletter for New Posts & tips Let's stay updated!
Author: Staff Writer
John Marcelli is a staff writer for the CISO Brief, with a passion for exploring and writing about the ever-evolving world of technology. From emerging trends to in-depth reviews of the latest gadgets, John stays at the forefront of innovation, delivering engaging content that informs and inspires readers. When he's not writing, he enjoys experimenting with new tech tools and diving into the digital landscape.
Essential Insights The persistent “mdrfckr” SSH campaign has maintained a stable authorized_keys file for nearly eight years, with recent activity showcasing a new client library version (libssh 0.11.1) that bypasses existing detection rules. Attackers are coordinating rapid, clustered SSH brute-force attempts (notably on April 19, 2026) using a consistent set of compromised credentials, targeting multiple IPs within a tight timeframe. The campaign’s evolving SSH client signature (hassh) underscores the importance of multi-faceted detection—relying solely on previously identified hashes or signatures could result in blind spots. Threat, Attack Techniques, and Targets The malware campaign discussed involves a known threat called “mdrfckr,”…
Quick Takeaways A critical vulnerability (CVE-2026-42897) in on-premises Exchange Server allows attackers to execute arbitrary JavaScript via crafted emails, enabling network spoofing and potential account compromise. The flaw stems from a cross-site scripting (XSS) issue, actively exploited in the wild, with no impact on Exchange Online. Microsoft recommends immediate mitigation using its Exchange Emergency Mitigation Service or manual application of the mitigation tool to prevent malicious exploitation. Threat, Attack Techniques, and Targets Microsoft disclosed a new security flaw in on-premise Exchange Server. This vulnerability is called CVE-2026-42897 and has a high severity score of 8.1. It is a spoofing bug…
Summary Points Exploitation of critical CVE-2026-20182 allows unauthenticated attackers to bypass authentication and gain admin privileges on Cisco SD-WAN Controllers, with active exploit clusters deploying web shells and compromising systems. Multiple threat clusters are leveraging publicly available PoC exploits to deploy web shells and malware (e.g., XenShell, Godzilla) for remote control, data theft, and installing coin miners. These campaigns are chaining vulnerabilities to facilitate unauthorized access, remote command execution, credential theft, and deployment of various malicious tools including web shells, backdoors, and miners. The Threat, Attack Techniques, and Targets CISA has added a new critical vulnerability, CVE-2026-20182, to its KEV…
Critical 0-Day Exploitation Allows Unauthorized Admin Access via Cisco Catalyst SD-WAN Controller
Top Highlights A critical zero-day vulnerability (CVE-2026-20182, CVSS 10.0) in Cisco Catalyst SD-WAN Controller is actively exploited, enabling unauthenticated remote attackers to gain full administrative control by bypassing authentication. The flaw exists in the vdaemon service over DTLS (UDP port 12346), due to a logic gap that allows attackers to impersonate vHub devices without valid credentials or certificates, leading to trusted control-plane peerings. Once authenticated through this bypass, attackers can inject malicious SSH keys into the vmanage-admin account, providing persistent, credential-free access to the SD-WAN network for arbitrary configuration manipulation. Cisco confirms no workaround exists; immediate patching is required—affected versions…
Top Highlights Rapid7’s Cyber GRC unifies compliance workflows with live security data, enabling continuous validation of controls and risk management. The program shifts organizations from static, point-in-time audits to real-time, evidence-backed compliance assurance tied directly to active threat exposure. New automation features reduce manual effort in evidence collection, policy reporting, and audit readiness, streamlining operational efficiency. As governance and security operations become more intertwined, companies seek integrated, real-time risk visibility to adapt to evolving regulatory and threat landscapes. Connecting Compliance with Real-Time Security Data Rapid7’s new Cyber GRC Early Access Program aims to transform how organizations approach cybersecurity compliance. Traditionally,…
Quick Takeaways A Chinese state-linked hacking group, FamousSparrow, exploited unpatched Microsoft Exchange servers in Azerbaijan’s energy sector from Dec 2025 to Feb 2026, deploying sophisticated malware and multiple backdoors for sustained espionage. The attack involved exploiting ProxyNotShell vulnerabilities to inject web shells, establishing persistent footholds through layered malware like Deed RAT and Terndoor, and employing advanced DLL sideloading techniques that evade automated detection. The campaign demonstrated multi-wave persistence, with attackers repeatedly revisiting the compromised server, swapping malware families, and attempting kernel-level insertion, indicating deliberate, ongoing espionage targeting critical energy infrastructure. Security experts advise immediate patching of Exchange servers, credential rotation,…
Quick Takeaways SecurityScorecard’s acquisition of Driftnet enhances its third-party risk management platform with real-time threat intelligence, helping organizations identify vulnerabilities and attack campaigns. The rise of automated tools and AI across supply chains complicates third-party risks, with many deployments lacking proper controls and visibility, increasing breach likelihood. The company aims to enable proactive breach detection and better risk mitigation by aligning threat hunters, security teams, and TPRM practitioners through automation and comprehensive insights. The addition of Driftnet’s threat intelligence addresses the growing challenge of network visibility and compliance, reinforcing SecurityScorecard’s position in combating evolving cyber threats. SecurityScorecard Acquires Driftnet to…
Essential Insights Russian hacking group Sandworm pivoted from compromised IT networks to target critical operational technology (OT) systems, exploiting existing vulnerabilities rather than new exploits. Despite long-standing security alerts prior to attacks, many systems remained uninvestigated, allowing Sandworm to deepen its infiltration and target industrial control devices with high precision. Once inside, Sandworm escalates attacks post-detection, intensifying activity and shifting focus toward physical control systems, often after initial signs are evident for weeks or months. Effective defense requires proactive measures—such as network segmentation, strong fundamentals, and prompt incident response—since much of the attack surface was preventable through basic cybersecurity hygiene.…
Top Highlights A sophisticated threat actor exploited a critical authentication bypass vulnerability (CVE-2026-20182) in Cisco SD-WAN Controllers, allowing unauthenticated access and control over network management tools. The vulnerability was exploited immediately after disclosure, with researchers identifying that the threat actor, UAT-8616, has been active for years, targeting high-value organizations including critical infrastructure sectors. Multiple similar high-severity vulnerabilities have been uncovered in Cisco Catalyst products this year, often exploited for persistent access, privilege escalation, and network manipulation. Cisco users are urged to apply recent patches to mitigate threats, emphasizing that while centralized SD-WAN management has operational benefits, it also presents significant…
Summary Points Lawmakers are questioning Instructure’s response and incident handling after its Canvas LMS was compromised twice in a week by ShinyHunters, raising concerns about vulnerabilities and breach management. Instructure temporarily took Canvas offline following initial breaches but was later attacked again, with the hackers posting ransom demands and claiming access to over 3TB of user data from more than 9,000 institutions. The company’s statement suggests it reached an agreement with the attackers and that no customer will be extorted, but evidence indicates it may have paid a ransom, as the attackers removed their data from leak sites. Previous security…