Category: Uncategorized

Cybersecurity agencies from the Five Eyes intelligence alliance urgently warned Wednesday that “an advanced threat actor” is actively exploiting new flaws in Cisco networking equipment, pressing organizations to look for signs their systems may already have been compromised.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive warning of a “cyber threat actor’s ongoing exploitation of Cisco SD-WAN systems,” describing the activity as presenting a significant risk to federal civilian executive branch networks.

The vulnerabilities cited in the alerts include CVE-2026-20127 and CVE-2022-20775, which have been linked to real-world exploitation. CISA said it has assessed that the conditions pose “an unacceptable risk to federal agencies and necessitate emergency action.”

The British National Cyber Security Centre (NCSC) also said “malicious cyber threat actors are targeting Cisco Catalyst Software Defined Wide Area Networks (SD-WAN) used by organisations globally,” underscoring that the activity is not limited to the United States.

The NCSC’s chief technology officer, Ollie Whitehouse, said organizations using the affected Cisco products “should urgently investigate their exposure to network compromise” and start to hunt for evidence that a compromise has taken place.

Cisco’s own advisory warns “multiple vulnerabilities” in its product “could allow an attacker to access an affected system, elevate privileges to root, gain access to sensitive information, and overwrite arbitrary files.”

The company stressed the vulnerabilities “are not dependent on one another” and that exploitation of one of the vulnerabilities is not required to exploit another.

As part of the joint alert, the Australian Signals Directorate, the country’s cyber and signals intelligence agency, published a technical “hunt guide” to help organizations understand whether hackers are already inside their systems.

According to the guide, at least one malicious cyber actor has been compromising Cisco SD-WAN environments since 2023 using a zero-day vulnerability that was identified late last year and has since been patched.

“The vulnerability allowed a malicious cyber actor to create a rogue peer joined to the network management plane, or control plane, of an organisation’s SD-WAN,” the document says. “The rogue device appears as a new but temporary, actor-controlled SD-WAN component that can conduct trusted actions within the management and control plane.”

The hunt guide describes how attackers who gained this level of access were able to establish long-term persistence, including by obtaining root access and taking steps to evade detection, such as interfering with logging and other monitoring.

The agencies have not publicly identified the threat groups believed to be behind the activity.

Learn more.

Ravie LakshmananFeb 25, 2026Social Engineering / Cloud Security

The notorious cybercrime collective known as Scattered LAPSUS$ Hunters (SLH) has been observed offering financial incentives to recruit women to pull off social engineering attacks.

The idea is to hire them for voice phishing campaigns targeting IT help desks, Dataminr said in a new threat brief. The group is said to be offering anywhere between $500 and $1,000 upfront per call, in addition to providing them with the necessary pre-written scripts to carry out the attack.

“SLH is diversifying its social engineering pool by specifically recruiting women to conduct vishing attacks, likely to increase the success rate of help desk impersonation,” the threat intelligence firm said.

A high-profile cybercrime supergroup comprising LAPSUS$, Scattered Spider, and ShinyHunters, SLH has a record of engaging in advanced social engineering attacks to sidestep multi-factor authentication (MFA) through techniques like MFA prompt bombing and SIM swapping. 

The group’s modus operandi also involves targeting help desks and call centers to breach companies by posing as employees and convincing them to reset a password or install a remote monitoring and management (RMM) tool that grants them remote access. Once initial access is obtained, Scattered Spider has been observed moving laterally to virtualized environments, escalating privileges, and exfiltrating sensitive corporate data.

Some of these attacks have further led to the deployment of ransomware. Another hallmark of these attacks is the use of legitimate services and residential proxy networks (e.g., Luminati and OxyLabs) to blend in and evade detection. Scattered Spider actors have used various tunneling tools like Ngrok, Teleport, and Pinggy, as well as free file-sharing services such as file.io, gofile.io, mega.nz, and transfer.sh.

SLH’s Telegram post to recruit women

In a report published earlier this month, Palo Alto Networks Unit 42, which is tracking Scattered Spider under the moniker Muddled Libra, described the threat actor as “highly proficient at exploiting human psychology” by impersonating employees to attempt password and multi-factor authentication (MFA) resets.

Scattered Spider attack chain

In at least one case investigated by the cybersecurity company in September 2025, Scattered Spider is said to have created and utilized a virtual machine (VM) after obtaining privileged credentials by calling the IT help desk and then used it to conduct reconnaissance (e.g., Active Directory enumeration) and attempt to exfiltrate Outlook mailbox files and data downloaded from the target’s Snowflake database.

“While focusing on identity compromise and social engineering, this threat actor leverages legitimate tools and existing infrastructure to blend in,” Unit 42 said. “They operate quietly and maintain persistence.”

The cybersecurity company also noted that Scattered Spider has an “extensive history” of targeting Microsoft Azure environments using the Graph API to facilitate access to Azure cloud resources. Also put to use by the group are cloud enumeration tools such as ADRecon for Active Directory reconnaissance.

With social engineering emerging as the primary entry point for the cybercrime group, organizations are advised to be on alert and train IT help desk and support personnel to watch out for pre-written scripts and polished voice impersonation, enforce strict identity verification, harden MFA policies by shifting away from SMS-based authentication, and audit logs for new user creation or administrative privilege escalation following help desk interactions.

“This recruitment drive represents a calculated evolution in SLH’s tactics,” Dataminr said. “By specifically seeking female voices, the group likely aims to bypass the ‘traditional’ profiles of attackers that IT help desk staff may be trained to identify, thereby increasing the effectiveness of their impersonation efforts.”