InfoSec Briefing - February 26, 2026

🚨 Critical Vulnerability Alert

We have a critical security alert. CVE-2026-20127, a authentication bypass in Cisco Catalyst SD, has been added to the CISA Known Exploited Vulnerabilities catalog.

🎧 Audio Briefing

Playback Speed:

Download MP3

Good morning. This is your security briefing for Wednesday, February 25, 2026, covering 11 articles analyzed overnight. All attribution is by the article authors. All article analysis is automated.

We have a critical security alert. CVE-2026-20127, a authentication bypass in Cisco Catalyst SD, has been added to the CISA Known Exploited Vulnerabilities catalog.

InfoGuard AG reports that security researchers have demonstrated how attackers with local administrator privileges can abuse Palo Alto Networks Cortex XDR's Live Terminal feature as a Command and Control channel. The technique exploits legitimate EDR functionality through cross-tenant access or custom WebSocket server implementation, allowing attackers to execute commands while appearing as legitimate EDR activity and bypassing traditional detection methods.

According to Jeanette Miller-Osborn, the Scattered Lapsus$ Hunters alliance is actively recruiting women on Telegram to conduct vishing attacks, offering $500 to $1,000 per call with pre-written scripts to impersonate help desk staff. The group, known for breaching major organizations like Google, Cisco, and Salesforce, is employing sophisticated social engineering tactics including MFA bypass techniques such as SIM swapping and MFA fatigue bombing.

Have I Been Squatted reports that Diesel Vortex, a Russian-led cybercrime group, conducted sophisticated phishing campaigns targeting freight and logistics platforms in the US and EU between September 2025 and February 2026. The group employed dual-domain phishing schemes with iframe-based credential harvesting, typosquatting domains, and Telegram-controlled real-time operations to steal credentials from platforms including DAT Truckstop, Penske Logistics, and Timocom.

CYJAX researchers Ethan Spiteri, Adam Price, and Joe Wrieden report on the OCRFix campaign, a multi-stage malware operation using typosquatting to impersonate Tesseract OCR software. The campaign employs ClickFix for obfuscation and EtherHiding to conceal C2 addresses on the BNB Smart Chain TestNet, with the malware establishing persistence, disabling Windows Defender, and capable of data exfiltration.

The Internet Security Research Group reports that Internet scanning tools interacting with misconfigured Caddy or autocert On-Demand TLS features created a feedback loop generating excessive certificate requests for unusually long domain names. Let's Encrypt implemented heuristics to block these patterns, and defenders should restrict On-Demand TLS configurations or use wildcard certificates to prevent resource abuse.

Google Threat Intelligence Group and Mandiant disrupted GRIDTIDE, a global cyber espionage campaign attributed to UNC2814, a PRC-nexus threat group active since 2017. The attackers deployed a novel backdoor that abuses Google Sheets API for command-and-control, targeting telecommunications and government organizations across 42 countries to exfiltrate PII and conduct surveillance.

Genians reports on MuddyWater APT group, linked to Iran's Ministry of Intelligence and Security, conducting sustained cyberattacks targeting Middle Eastern government agencies, defense organizations, and critical infrastructure. The group uses spear-phishing with malicious HTML files, exploits legitimate RMM tools like Syncro and Atera, and leverages cloud storage services for long-term infiltration and intelligence gathering.

Splintersfury introduces AutoPiff, an automated framework for detecting silent security fixes in Windows kernel driver patches using semantic analysis, YAML rules, and Ghidra decompilation. The tool addresses the challenge of vendors releasing security patches without CVEs, enabling vulnerability researchers and defenders to identify unannounced fixes through patch differencing and reachability analysis.

The National Cyber Security Centre warns that malicious threat actors are actively exploiting Cisco Catalyst SD-WAN devices globally by adding rogue peers to gain root access and establish persistent control over critical network infrastructure. Organizations with internet-exposed management interfaces face the highest risk, and the NCSC urges immediate investigation, system updates, and implementation of hardening measures.

TechCrunch reports that fintech company Marquis filed a lawsuit against SonicWall alleging that a vulnerability in SonicWall's firewall backup API allowed attackers to access backup files containing firewall configurations and emergency passcodes by exploiting predictable serial numbers. The compromised authentication data enabled a ransomware attack resulting in the theft of sensitive PII affecting at least 400,000 individuals, and SonicWall later confirmed all customer firewall backup files were stolen.

The Royal United Services Institute article by Dr. Gareth Mott proposes a policy shift where UK private sector cybersecurity firms would be deputised to conduct law enforcement counter-cybercrime operations on behalf of the state. The proposal addresses resource limitations in UK law enforcement by granting private entities specific legal powers to investigate and disrupt cybercriminal activities, requiring new legal frameworks and oversight mechanisms.

That concludes today's briefing.

📰 Articles Covered

Abusing Cortex XDR Live Terminal as a C2 - InfoGuard AG

This article details how the **Live Terminal feature of Palo Alto Networks Cortex XDR can be exploited by attackers as a Command and Control (C2) channel** 【1】. This method, referred to as "Living off the Land," allows adversaries to execute commands, run scripts, and interact with files, all while masquerading as legitimate Endpoint Detection and Response (EDR) activity 【1】.

**What Happened:**
Attackers can leverage Cortex XDR's Live Terminal to establish a C2 connection. This is achieved by executing commands that bypass standard detection rules and by exploiting network traffic exclusions from TLS interception, which allows for direct C2 connections from compromised hosts 【1】.

**Who is Affected:**
Organizations using Palo Alto Networks Cortex XDR are potentially affected. Attackers need local administrator privileges to execute the necessary payload from its native path 【1】.

**Security Implications:**
The primary security implication is that attackers can gain a stealthy C2 channel that appears as legitimate EDR activity, making detection significantly more challenging. This bypasses many traditional security measures and detection rules 【1】.

**Technical Details:**
The abuse can be carried out through two main methods:
- **Cross-Tenant Method:** This involves using the official Live Terminal GUI with a compromised Cortex XDR tenant 【1】.
- **Custom Server Method:** Attackers can re-implement the server-side WebSocket communication, exploiting a logic flaw in how the server validates hosts 【1】.

The article notes that the legitimate `cortex-xdr-payload.exe` is typically initiated by `cyserver.exe`. Any instance of this executable being started by a different parent process should be considered suspicious 【1】.

**What Defenders Should Know:**
Defenders need to be aware of this potential abuse vector. Suspicious parent processes for `cortex-xdr-payload.exe` are a key indicator. The article suggests that relying solely on reactive, rule-based detection is insufficient. **Secure-by-design approaches, such as implementing mutual authentication and cryptographic command signing, are recommended** to mitigate such threats 【1】. InfoGuard customers have reportedly been protected against this specific vulnerability since September 2025 【1】.
Scattered Lapsus$ Hunters Recruiting Women for Operations - Jeanette Miller-Osborn

A cybersecurity threat group known as the **Scattered Lapsus$ Hunters (SLH)**, an alliance of Lapsus$, Scattered Spider, and ShinyHunters, is actively **recruiting women to conduct vishing (voice phishing) attacks** 【1】. These recruits are offered between $500 and $1,000 per call and are provided with pre-written scripts to impersonate help desk staff 【1】. This recruitment activity was observed on public Telegram channels on February 22, 2026 【1】.

**Who is Affected:**
The recruitment targets women who may be drawn into participating in these illicit activities 【1】. The ultimate targets of these vishing campaigns are **organizations and their IT/help desk personnel**, who will be impersonated to gain unauthorized access 【1】. Historically, SLH has been linked to significant breaches affecting major companies such as Google, Cisco, Adidas, and Salesforce customers 【1】.

**Security Implications:**
This tactic represents an **evolution in attacker strategies**, moving towards more sophisticated social engineering that leverages voice impersonation, specifically using female voices, to increase success rates 【1】. This poses a greater challenge for defenders due to the pre-scripted nature of the attacks and the ready-made talking points attackers will use 【1】. Given SLH's history, there is a significant risk of **MFA bypass techniques**, such as SIM swapping and MFA fatigue, being employed 【1】. The involvement of a "supergroup" like SLH, known for compromising large organizations and stealing vast amounts of data, amplifies the severity of this threat 【1】.

**Technical Details:**
The primary tactic is **social engineering via vishing**, aiming to manipulate help desk processes to bypass security controls 【1】. Attackers will likely use known methods to bypass Multi-Factor Authentication (MFA), including fatigue bombing and SIM swapping 【1】. Indicators of this activity include recruitment posts on Telegram, offers of payment per call, the provision of scripts, and a focus on impersonating help desk personnel 【1】.

**What Defenders Should Know:**
Defenders need to be **highly aware of these recruiter-driven vishing campaigns** and the specific tactic of using female voice impersonation 【1】. It is crucial to **train help desk staff** to recognize and resist scripted vishing scenarios and to implement **strict out-of-band identity verification** for any sensitive actions like password resets or MFA changes 【1】. Organizations should also **re-evaluate their MFA strategies**, considering stronger methods like FIDO2 hardware keys and reducing reliance on SMS or push-based MFA where possible 【1】. Additionally, **auditing logs for unusual patterns** following help desk interactions, such as the creation of new users or privileged account changes, is recommended 【1】. Monitoring social channels like Telegram can provide early warnings of recruitment trends and evolving attacker methodologies 【1】.
Diesel Vortex: Inside the Russian cybercrime group targeting US & EU freight - Have I Been Squatted

**Diesel Vortex** is a Russian-led cybercrime group that has been actively targeting the **freight and logistics industry** in the US and EU. The operation, detailed in a February 2026 investigation, involved sophisticated phishing campaigns aimed at stealing user credentials.

**What Happened:**
Between September 2025 and February 2026, Diesel Vortex conducted targeted phishing attacks against various freight and logistics platforms. They employed a **dual-domain phishing scheme**, where an initial domain (.com) would load content from a secondary system domain (.top/.icu) within an iframe. This allowed them to harvest credentials in real-time, with operators using **Telegram** to control the process and redirect victims to legitimate websites after credential theft. The group also exploited **typosquatting domains** and exposed a `.git` directory, revealing a GitLab repository containing victim interaction data.

**Who is Affected:**
The primary targets were **users of freight and logistics platforms** in the **United States and European Union**. Specific platforms mentioned include DAT Truckstop, Penske Logistics, EFS, Timocom, Central Dispatch, Teleroute, and Girteka. The operation successfully compromised credentials for **1,649 unique users** and **3,474 credential pairs**.

**Security Implications:**
The Diesel Vortex operation highlights several critical security concerns:
- The effectiveness of **dual-domain phishing techniques** in bypassing browser security measures.
- The use of `postMessage` for controlling iframe content, enabling sophisticated credential harvesting.
- The reliance on **real-time operator commands via Telegram** for dynamic campaign management.
- The potential for **mass credential theft and subsequent fraud** within critical logistics networks.
- The exploitation of legitimate services like **GitLab, Telegram, Zoho, and Google OAuth** as part of a PhaaS (Phishing-as-a-Service) model.

**Technical Details:**
- **Dual-domain phishing:** A primary domain (.com) loads a secondary domain (.top/.icu) within an iframe.
- **Real-time control:** Operators used Telegram to manage the phishing process and harvest credentials.
- **Typosquatting:** Domains mimicking legitimate logistics platforms were used to deceive victims.
- **Exploited `.git` directory:** This led to the discovery of a GitLab repository containing victim interaction data.
- **PhaaS model:** The operation was branded as GlobalProfit/MC Profit Always, offering structured criminal services with defined roles and revenue streams.
- **Infrastructure:** Utilized legitimate services for hosting and communication.

**What Defenders Should Know:**
Security professionals in the logistics sector should be aware of and implement the following:
- **Monitor for typosquatting domains** and patterns related to logistics brand names.
- Implement **phishing-resistant Multi-Factor Authentication (MFA)**, such as FIDO2 or passkeys.
- Deploy **DNS filtering** to block malicious domains.
- Track and block **dual-domain phishing flows**.
- Watch for **compromised admin panels and leaked code repositories**.
- Consider monitoring for **Open-Source Intelligence (OSINT)** overlaps and suspicious telemetry.
The operation also showed signs of evolving towards broader commercialization, including cryptocurrency payments and a subscriber/admin panel 【1】.
OCRFix: Botnet Trojan delivered through ClickFix and EtherHiding - The content posted at the URL is authored by Ethan Spiteri, Adam Price, and Joe Wrieden, and published by CYJAX.

The OCRFix campaign is a sophisticated multi-stage malware operation that began as a typosquatting phishing attack impersonating the Tesseract OCR software. The campaign leverages techniques like ClickFix for obfuscation and EtherHiding for command and control (C2) communication.

**What Happened:**
The campaign initiated with a phishing attack that directed users to a typosquatted website mimicking Tesseract OCR. Upon visiting the site and executing a PowerShell command, victims downloaded an MSI file (98166e51.msi). This file served as the first stage, leading to the execution of subsequent payloads, including `setup_helper.exe` and `CfgHelper.exe`, ultimately establishing a botnet. The botnet's control panel is hosted at `ldture.com`.

**Who is Affected:**
**Users who visited the typosquatted website and ran the provided PowerShell command** are affected. These users inadvertently downloaded and executed the malicious MSI file, which then deployed further stages of the malware.

**Security Implications:**
The OCRFix campaign highlights several critical security concerns:
- **Phishing and Typosquatting:** These remain effective initial access vectors.
- **Abuse of Legitimate Tools:** The campaign utilizes PowerShell and other Microsoft tools, making detection more challenging.
- **Persistence:** The malware establishes persistence through scheduled tasks.
- **Defense Evasion:** Techniques include disabling Windows Defender, deleting logs, and creating exclusions to avoid detection.
- **Command and Control (C2):** The use of EtherHiding to conceal C2 addresses on the BNB Smart Chain TestNet, employing mirrored nodes and PublicNode queries to rotate C2 domains, presents a novel evasion tactic.
- **Data Exfiltration:** The botnet is capable of exfiltrating data.
- **Botnet Control Panel:** The existence of a dedicated bot panel facilitates the management of compromised systems.

**Technical Details:**
The campaign involves multiple stages:
- **Stage 1:** An MSI file (98166e51.msi) is downloaded.
- **Stage 2:** `setup_helper.exe` is executed.
- **Stage 3:** `CfgHelper.exe` is deployed, forming the botnet.
- **C2 Communication:** EtherHiding is used to hide C2 domains on the BNB Smart Chain TestNet. The malware queries `bsc-testnet.publicnode.com` to discover and rotate C2 domains.
- **Malware Components:** The delivered malware includes VBScript-based loaders and DLLs. Indicators of AI-assisted development and the use of signed certificates are present, likely to enhance obfuscation and legitimacy.

**What Defenders Should Know:**
Defenders need to be aware of and implement measures against the following:
- **Block Phishing and Typosquatting:** Implement robust email filtering and educate users about recognizing suspicious links and websites.
- **Restrict PowerShell Usage:** Limit the use of PowerShell for administrative tasks and monitor its execution for unusual commands.
- **Monitor for Persistence:** Detect the creation of unusual scheduled tasks.
- **Detect Loader Malware:** Identify VBScript-based loaders and suspicious DLLs.
- **Monitor C2 Activity:** Track C2 domain rotations and look for indicators related to EtherHiding.
- **User Education:** Emphasize the importance of verifying software sources and being cautious of unsolicited downloads.
- **Network Protections:** Utilize network security solutions to block known malicious domains and IPs.
- **DNS and Domain Reputation:** Employ DNS filtering and domain reputation services to identify and block suspicious domains.
- **Rapid Takedown:** Have processes in place for the swift takedown of identified malicious domains.

Indicators of Compromise (IOCs) include domains such as `ldture.com`, `dltruek.com`, `oklefe.com`, `ldveriz.com`, `dltucra.com`, `tesseract-ocr.com`, `opsecdefcloud.com`, and `bsc-testnet.publicnode.com`, as well as specific SHA1 hashes for the payloads 【1】.
Blocking Some On-Demand Issuance Caused by Internet Scanning - The Internet Security Research Group (ISRG) controls the content posted at the URL. ISRG is a non-profit organization that operates Let's Encrypt.

A recent surge in certificate requests, attributed to internet scanning tools interacting with Caddy or autocert's On-Demand TLS feature, has led to the blocking of some certificate issuances by Let's Encrypt 【1】.

**What Happened:**
Internet scanning tools, possibly in conjunction with Caddy or autocert's On-Demand TLS functionality, created a feedback loop. This loop resulted in an excessive number of certificate requests for unusually long domain names, often featuring repeated subdomains (e.g., "update.update.update.example.com") 【1】. This behavior is believed to be unintentional, stemming from researchers scanning the internet or Certificate Transparency (CT) logs 【1】.

**Who is Affected:**
**Users of Caddy or autocert with On-Demand TLS enabled** are primarily affected, especially if their configurations are not restricted 【1】. The majority of Let's Encrypt subscribers are not expected to be impacted 【1】.

**Security Implications:**
The main security implication is the **potential for abuse and resource wastage** on Let's Encrypt's infrastructure 【1】. Unrestricted On-Demand TLS can be exploited to trigger unnecessary certificate requests for hostnames that may never be actively used 【1】.

**Technical Details:**
The issue arises from the On-Demand TLS feature. In Caddy, this involves the `ask` endpoint, which, if misconfigured to always return a success code (200) for any hostname, can be exploited 【1】. For autocert users, a misconfigured `HostPolicy` can lead to similar problems 【1】. Let's Encrypt is implementing **heuristics to identify and block requests** that appear to originate from unrestricted On-Demand TLS, specifically targeting patterns like identical sequential domain labels 【1】.

**What Defenders Should Know:**
* **Caddy users** should consider **disabling On-Demand TLS** or ensuring their `ask` endpoint is configured to approve only specific, pre-approved subdomains, avoiding deeply nested structures 【1】.
* **Autocert users** should implement a **restrictive `HostPolicy`** that limits certificate issuance to a defined set of subdomains 【1】.
* **Wildcard certificates** are suggested as a more robust alternative for covering multiple subdomains 【1】.
* If legitimate certificate requests are being blocked, users are advised to **seek assistance on the Let's Encrypt Community Forum** 【1】.
Disrupting the GRIDTIDE Global Cyber Espionage Campaign | Google Cloud Blog - Google Cloud

The Google Threat Intelligence Group (GTIG) and Mandiant, in collaboration with other entities, have disrupted a global cyber espionage campaign known as **GRIDTIDE**, attributed to **UNC2814**, a suspected cyber espionage group with ties to the People's Republic of China (PRC) 【1】. This group has been active since at least 2017, with a history of targeting international governments and global telecommunications organizations 【1】.

**What Happened:**
The disruption involved terminating all Google Cloud Projects controlled by the attackers, disabling UNC2814 infrastructure, revoking access to Google Sheets API calls used for command-and-control (C2), and disabling attacker accounts 【1】. A novel backdoor, also named GRIDTIDE, was identified. This backdoor abuses legitimate Google Sheets API functionality to disguise C2 traffic, rather than exploiting a security vulnerability 【1】.

**Who is Affected:**
The GRIDTIDE campaign has impacted telecommunications and government organizations across four continents 【1】. As of February 18, 53 victims in 42 countries were confirmed, with suspected infections in at least 20 additional nations 【1】. The targeting of Personally Identifiable Information (PII) suggests a focus on identifying, tracking, and monitoring individuals of interest, consistent with cyber espionage within the telecommunications sector 【1】.

**Security Implications:**
A significant security implication is the **sophisticated abuse of cloud-hosted products**, specifically the Google Sheets API, for C2 communication 【1】. This technique allows attackers to camouflage malicious traffic as benign, posing a challenge for traditional security measures 【1】. The targeting of PII and telecommunications infrastructure raises concerns about potential surveillance, espionage, and the exfiltration of sensitive communication data 【1】. The disruption efforts aimed to sever the attacker's persistent access and dismantle their operational infrastructure 【1】.

**Technical Details:**
* **Threat Actor:** UNC2814, a PRC-nexus cyber espionage group 【1】.
* **Malware:** The **GRIDTIDE backdoor**, written in C, capable of executing arbitrary shell commands and transferring files 【1】.
* **Command and Control (C2):** Utilizes the **Google Sheets API** for C2, treating spreadsheets as communication channels. It employs AES-128 in CBC mode for configuration decryption. Commands follow a four-part syntax (`<type>-<command_id>-<arg_1>-<arg_2>`), and responses are posted to specific cells 【1】.
* **Persistence:** Achieved through a systemd service file (`xapt.service`) and running the malware from `/usr/sbin/xapt` 【1】.
* **Initial Detection:** A suspicious process tree involving `/var/tmp/xapt` initiating a shell with root privileges was identified by Mandiant using Google Security Operations (SecOps) 【1】.
* **Evasion Techniques:** Employs URL-safe Base64 encoding for data transmission and uses SoftEther VPN Bridge for encrypted outbound connections 【1】.
* **Indicators of Compromise (IOCs):** Include specific file names, hashes, IP addresses, and domain names associated with the campaign 【1】.

**What Defenders Should Know:**
Defenders need to be aware of the **novel tactics employed by UNC2814**, particularly the abuse of legitimate cloud APIs for C2, which can bypass traditional network defenses 【1】. Key indicators include the use of tools like SoftEther VPN for encrypted communication and the creation of specific service files for persistence 【1】. Google SecOps customers can utilize provided hunting queries and detection rules to identify similar activities 【1】. Organizations should monitor for unusual API calls to services like Google Sheets and remain vigilant for new backdoors that masquerade as legitimate traffic 【1】. The release of IOCs by GTIG is essential for threat hunting and network defense 【1】.
Chronology of MuddyWater APT Attacks Targeting the Middle East - Genians, Inc.

The MuddyWater APT group, believed to be linked to Iran's Ministry of Intelligence and Security (MOIS), has been conducting sustained cyberattacks primarily targeting the Middle East, with recent expansions into Europe, Asia, and North America 【1】. Their objective is long-term infiltration and intelligence gathering, rather than immediate financial gain 【1】.

**What Happened:**
MuddyWater initiates attacks through sophisticated spear-phishing campaigns. Initially, they used malicious Microsoft Word documents that prompted users to enable macros, leading to the execution of further malicious payloads. More recently, they have shifted to using malicious HTML files, embedding URLs for cloud storage services like Dropbox and OneDrive, and exploiting legitimate Remote Monitoring and Management (RMM) tools such as Syncro and Atera 【1】. The group has also been observed developing malware using the Rust programming language 【1】.

**Who is Affected:**
The primary targets are entities crucial to national functions, including **government agencies, diplomatic and defense organizations, and the energy and telecommunications sectors** 【1】. Specific organizations that have been targeted include an Iraqi telecommunications operator, a Jordanian university, Egyptian hosting services, Israeli insurance companies, a Malaysian pension sector institution, an Israeli university, an Omani diplomatic institution, and an Israeli IT service provider 【1】.

**Security Implications:**
The main security implications revolve around **long-term infiltration, strategic intelligence collection, and the expansion of influence** 【1】. By leveraging legitimate tools and services, MuddyWater can achieve persistent remote access, making their activities blend with normal administrative traffic and thus evading detection for extended periods. This significantly heightens the risk of prolonged compromise and data exfiltration 【1】.

**Technical Details:**
Key technical aspects of MuddyWater's operations include:
* **Initial Access:** Spear-phishing emails containing malicious MS Word documents (macro-enabled), HTML files, embedded cloud storage URLs (Dropbox, OneDrive), and the abuse of RMM tools like Syncro, Atera, Remote Utilities, ScreenConnect, SimpleHelp, and N-Able 【1】.
* **Payload Delivery:** This is achieved through macro execution, external template loading, and the downloading of malicious ZIP archives 【1】.
* **Malware:** The group has developed payloads in Rust and utilizes PowerShell for backdoor execution and command execution 【1】.
* **Evasion Techniques:** MuddyWater employs encrypted archives and abuses legitimate cloud services and RMM tools to bypass security solutions and camouflage their activities within normal network traffic 【1】.
* **Command and Control (C2):** Communication with C2 servers is conducted via domains such as `stratioai[.]org` and `nomercys.it[.]com` 【1】.

**What Defenders Should Know:**
Defenders need to understand that **traditional perimeter security and signature-based detection methods are insufficient** against MuddyWater's tactics 【1】. An **EDR-centered response strategy focusing on endpoint behavioral detection is crucial** 【1】. This involves monitoring for anomalous behaviors after document execution, such as unusual file creation, process execution, command execution, and network communication patterns 【1】. Gaining visibility into the entire attack chain, from initial access through reconnaissance and C2 communication, is essential for early identification and effective response before a compromise can escalate 【1】.
AutoPiff: Semantic analysis engine for detecting vulnerability fixes in Windows kernel driver patches — 58 YAML rules, Ghidra decompilation, reachability tracing, and scoring - splintersfury

AutoPiff is a framework designed to **automatically detect security fixes in Windows kernel driver patches** 【1】. This is particularly relevant because vendors often release security patches silently, without assigning CVEs, making manual identification of vulnerabilities impractical 【1】.

**What Happened:**
The AutoPiff framework was developed to address the challenge of silently patched vulnerabilities in Windows kernel drivers. It automates the process of identifying security fixes within driver patches 【1】.

**Who is Affected:**
The primary beneficiaries of AutoPiff are **vulnerability researchers and defenders** who need to keep track of security fixes in Windows kernel drivers. It helps them by automating the reconnaissance phase of vulnerability research and defense 【1】.

**Security Implications:**
The silent patching of vulnerabilities means that systems could be exposed to known exploits if these patches are not identified and applied. AutoPiff aims to mitigate this by making the identification of such fixes more scalable. It helps in accelerating **1-day vulnerability research**, auditing vendor security practices, and building historical CVE corpora 【1】.

**Technical Details:**
AutoPiff operates as a Karton pipeline with multiple stages. It performs **patch differencing** to compare driver versions, followed by **reachability analysis**. The framework uses **semantic analysis** and **YAML rules** to identify specific types of fixes, such as Use-After-Free vulnerabilities, additions of bounds checks, and input validation improvements. It also incorporates **sink groups** (e.g., memory copy, pool allocation) and a **scoring model** that ranks potential findings based on their exploitability. This scoring model combines semantic scores, reachability, and sink bonuses 【1】.

**What Defenders Should Know:**
Defenders can leverage AutoPiff to **monitor drivers for silent security fixes**, thereby reducing the window of exposure. It assists in the rapid identification of potential security issues, though it does not replace the need for exploitation research 【1】.
Exploitation of Cisco Catalyst SD-WAN - National Cyber Security Centre (NCSC)

**Malicious actors are exploiting vulnerabilities in Cisco Catalyst SD-WAN devices globally**, compromising them to gain root access and establish persistent control over critical network infrastructure 【1】.

**What Happened:**
Threat actors are compromising Cisco Catalyst SD-WAN systems by adding a malicious rogue peer. This allows them to achieve root access and maintain persistent access to the affected SD-WAN infrastructure 【1】.

**Who is Affected:**
**Organizations utilizing Cisco Catalyst SD-WAN are at risk**. The highest risk is faced by those who expose their management interfaces to the internet 【1】.

**Security Implications:**
The primary security implication is **unauthorized root access and persistent compromise of the SD-WAN**, which is a critical component of an organization's network 【1】.

**Technical Details:**
The exploitation involves the addition of a "malicious rogue peer" to the SD-WAN system. This technique enables attackers to achieve root-level privileges and ensure their continued presence within the compromised network 【1】.

**What Defenders Should Know:**
Defenders are urged to **immediately investigate potential compromises** and take steps to update and secure their systems 【1】. Key actions include:
- Reviewing the provided Hunt Guide for Tactics, Techniques, and Procedures (TTPs) 【1】.
- Reporting any incidents to the NCSC (if located in the UK) 【1】.
- Updating Cisco Catalyst SD-WAN Manager and Controller to the latest versions 【1】.
- Implementing hardening measures as outlined in the Cisco Catalyst SD-WAN Hardening Guide 【1】.
- Specific hardening recommendations include securing network perimeters, managing access to the SD-WAN manager, implementing control and data plane security, setting short session timeouts, and forwarding logs to a remote syslog server 【1】.
Marquis sues firewall provider SonicWall, alleges security failings with its firewall backup led to ransomware attack - TechCrunch is controlled by Regent, an investment firm that acquired the publication from Yahoo.

A fintech company named **Marquis** has filed a lawsuit against its firewall provider, **SonicWall**, alleging that security deficiencies in SonicWall's firewall backup service led to a **ransomware attack** on Marquis's network 【1】.

**What Happened:**
The lawsuit claims that a breach at SonicWall in 2025 exposed sensitive information about Marquis's firewall configurations, including emergency passcodes (scratch codes) 【1】. This compromised information allowed attackers to bypass Marquis's defenses and gain access to its internal network. The attackers then stole sensitive data belonging to Marquis's customers 【1】. Marquis alleges that SonicWall introduced a vulnerability through a code change to an API in February 2025, enabling unauthorized access to backup files by guessing predictable serial numbers 【1】.

**Who is Affected:**
The breach has affected at least **400,000 individuals** in the U.S., with the number anticipated to increase 【1】. The stolen data includes personally identifiable information (PII) of customers of Marquis's financial institution clients, such as names, dates of birth, postal addresses, financial details (bank account, debit/credit card numbers), and Social Security numbers 【1】.

**Security Implications:**
The incident highlights the significant risks associated with vulnerabilities in third-party backup services. The compromise of firewall backup files, including critical authentication data, enabled a severe network breach and extensive data exfiltration 【1】. This has resulted in substantial reputational, operational, and financial damage to Marquis 【1】.

**Technical Details:**
The lawsuit points to a vulnerability created by a code change to an API by SonicWall in February 2025 【1】. This change allegedly allowed hackers to access firewall backup files without proper authentication by exploiting predictable serial numbers 【1】. SonicWall initially acknowledged a breach affecting a small percentage of backup files but later confirmed that all customer firewall backup files were stolen 【1】.

**What Defenders Should Know:**
This case underscores the critical importance of **securing backup services** as they can become a significant attack vector 【1】. It also emphasizes the need for vendors to promptly disclose breaches and their root causes to their customers, enabling timely mitigation efforts 【1】. Defenders must be vigilant about the security posture of their third-party service providers, especially those handling critical infrastructure and sensitive data 【1】.
Deputising UK Counter-Cybercrime Operations - Royal United Services Institute (RUSI), authored by Dr. Gareth Mott

The article "Deputising UK Counter-Cybercrime Operations" from RUSI discusses a proposed shift in how the UK combats cybercrime, moving towards a model where private sector entities are deputised to conduct law enforcement operations.

- **What Happened:** The article explores the concept of deputising private sector actors, such as cybersecurity firms, to carry out counter-cybercrime operations on behalf of the state. This is presented as a potential solution to the UK's resource limitations in tackling the growing volume and sophistication of cyber threats. The proposal suggests that these private entities could be granted specific legal powers to investigate and disrupt cybercriminal activities.

- **Who is Affected:**
- **The UK Government and Law Enforcement Agencies:** They are directly affected by the need to find more effective and efficient ways to combat cybercrime, given current resource constraints.
- **Private Cybersecurity Firms:** These companies would be directly involved, potentially gaining new roles and responsibilities, and requiring new legal frameworks and oversight.
- **Businesses and Individuals:** As potential victims of cybercrime, they would be indirectly affected by the success or failure of these new operational models. Improved counter-cybercrime efforts could lead to greater online safety.
- **Cybercriminals:** The intended targets of these operations, who would face new and potentially more agile adversaries.

- **Security Implications:**
- **Increased Capacity:** Deputising private firms could significantly boost the UK's capacity to respond to and disrupt cybercrime.
- **Potential for Abuse:** Granting law enforcement powers to private entities raises concerns about oversight, accountability, and the potential for misuse of these powers.
- **Data Privacy and Civil Liberties:** The involvement of private companies in law enforcement activities could have implications for data privacy and civil liberties, requiring robust safeguards.
- **Information Sharing:** This model could foster better information sharing between the public and private sectors, leading to more comprehensive threat intelligence.
- **Evolving Threat Landscape:** The dynamic nature of cybercrime necessitates flexible and adaptable responses, which this model aims to provide.

- **Technical Details:** While the article focuses more on the policy and legal aspects, the underlying technical capabilities required for such operations would include:
- **Digital Forensics:** Advanced techniques for collecting, preserving, and analysing digital evidence.
- **Network Analysis:** Tools and expertise to monitor network traffic, identify malicious activity, and trace cyberattacks.
- **Malware Analysis:** Capabilities to understand the workings of malicious software and develop countermeasures.
- **Threat Intelligence Platforms:** Systems for gathering, processing, and disseminating information about cyber threats.
- **Secure Communication and Collaboration Tools:** To facilitate seamless interaction between government agencies and deputised private entities.

- **What Defenders Should Know:**
- **The evolving nature of cybercrime response:** Defenders should be aware that the landscape of cybercrime fighting is changing, with potential for increased public-private partnerships.
- **Importance of robust legal and ethical frameworks:** Any deputisation model must be underpinned by clear legal authorities, strict oversight, and strong ethical guidelines to protect civil liberties and prevent abuse.
- **Need for enhanced collaboration:** Businesses and individuals may see increased collaboration between government and private security firms in tackling cyber threats.
- **Focus on proactive defence:** While counter-cybercrime operations are crucial, defenders should continue to prioritise strong, proactive cybersecurity measures to prevent incidents in the first place.
- **Understanding the capabilities of private sector partners:** If such a model is implemented, understanding the specific capabilities and limitations of deputised private entities will be important for effective collaboration.