Cisco Zero-Day Exploited at Telecom Provider as Microsoft-Led Coalition Dismantles Amadey/StealC Malware Empire
Critical Infrastructure Intelligence Briefing
Date: Thursday, June 25, 2026 | Reporting Period: June 18-25, 2026
1. Executive Summary
This week's intelligence highlights significant developments across multiple critical infrastructure sectors, with particular concern for communications infrastructure and the broader cybercriminal ecosystem:
- Active Zero-Day Exploitation: Mandiant disclosed that threat actors exploited a Cisco Catalyst SD-WAN zero-day vulnerability (CVE-2026-20245) to gain root-level access at a communications service provider. The attack vector and persistence mechanisms demonstrate sophisticated tradecraft, though attribution remains unclear.
- Major Malware Infrastructure Takedown: Microsoft, Europol, and international partners executed a coordinated disruption of Amadey and StealC malware operations under Operation Endgame, seizing approximately 200 command-and-control servers and recovering 27 million stolen credentials. This represents the first court-authorized action targeting two cybercriminal tools simultaneously.
- Critical Vulnerabilities Under Active Exploitation: CISA issued urgent warnings regarding active exploitation of maximum-severity vulnerabilities in Ubiquiti UniFi OS and Lantronix EDS5000 Series devices, both commonly deployed in critical infrastructure environments.
- Emerging Ransomware Ecosystem Threat: Security researchers identified "Mistic," a new remote access trojan being distributed by initial access broker "Woodgnat," which maintains relationships with at least six major ransomware operations including Qilin, Rhysida, and Black Basta.
- AI Security Concerns Escalate: Multiple reports this week highlight emerging attack vectors targeting AI systems, including prompt injection techniques to evade security analysis and malicious AI agent skills that bypassed security controls to reach 26,000 users.
2. Threat Landscape
Nation-State Threat Actor Activities
- Iran-Linked MuddyWater Adopts Deceptive Tactics: NCC Group reports that the Iranian state-sponsored group MuddyWater is now masquerading as ransomware operators to obscure their cyber espionage activities. The group is deploying commercially available malware to blend in with criminal operations, complicating attribution and response efforts. This tactic represents an evolution in state-sponsored tradecraft that infrastructure operators should factor into incident response planning. Source: Infosecurity Magazine
- North Korea-Linked macOS Backdoor Uses AI Evasion: SentinelLabs identified a North Korean-linked macOS backdoor employing prompt injection techniques specifically designed to evade AI-based security triage tools. This represents an early example of adversaries adapting to AI-powered defenses. Source: Infosecurity Magazine
Ransomware and Cybercriminal Developments
- Operation Endgame Disrupts Major Malware Infrastructure: A coordinated international operation led by Microsoft, Europol, Bitdefender, Bitsight, and ESET successfully disrupted infrastructure supporting Amadey and StealC malware families. Key outcomes include:
  - Seizure of approximately 50 domains and nearly 200 active IP-based servers
  - Recovery of 27 million stolen credentials
  - First court-authorized takedown targeting two cybercriminal tools simultaneously
- New "Mistic" RAT Linked to Multiple Ransomware Groups: Security researchers have identified a new backdoor called "Mistic" being distributed by an initial access broker known as "Woodgnat" or "KongTuke." This broker maintains operational relationships with at least six ransomware families: Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta. Organizations in insurance, education, IT, and professional services sectors have been targeted. Source: CSO Online, Bleeping Computer
- Scattered Spider Members Convicted: Two members of the Scattered Spider cybercriminal group were convicted for their roles in a $38 million attack against Transport for London, demonstrating continued law enforcement success against this prolific threat group. Source: CSO Online
- DraftKings Hacker Sentenced: Nathan Austad ("Snoopy"), 21, received an 18-month prison sentence for his role in the November 2022 DraftKings credential stuffing attacks, with $1.8 million in forfeiture and restitution ordered. Source: SecurityWeek
Financial Crime Infrastructure
- DoJ Seizes Huione Cloud Account: The U.S. Department of Justice seized a cloud computing account used by subsidiaries of Cambodia-based HuiOne Group, which Treasury identified as facilitating cyber scam money laundering operations. This action targets infrastructure supporting transnational cybercriminal enterprises. Source: The Hacker News
Emerging Attack Vectors
- AI Agent Manipulation Techniques: Multiple reports highlight growing concerns about AI system vulnerabilities:
  - Researchers demonstrated techniques to trick AI browsers (including ChatGPT Atlas and Comet) into bypassing guardrails and leaking credentials
  - Malware developers are embedding text about nuclear and biological weapons in spyware code to trigger AI analysis tool guardrails and prevent automated examination
  - A malicious AI agent skill bypassed security checks and reached 26,000 users before detection
- Browser Extension Attack Vector: A malicious Microsoft Edge extension called "Edgecution" was used in ransomware attacks to escape browser sandbox protections and deploy Python-based backdoors, highlighting risks from browser extension ecosystems. Source: Bleeping Computer
3. Sector-Specific Analysis
Communications & Information Technology
CRITICAL: This sector faces the most significant threats this reporting period.
- Cisco SD-WAN Zero-Day Exploitation at Telecom Provider: Mandiant disclosed details of a sophisticated attack exploiting CVE-2026-20245, a zero-day vulnerability in Cisco Catalyst SD-WAN, against a communications service provider. Key findings:
  - Attackers achieved root-level access to targeted devices
  - Rogue root accounts were created for persistent access
  - Attribution remains unclear; it is unknown whether the attackers gained broad visibility into internal traffic
  - Exploitation occurred weeks after patch release, emphasizing the critical importance of rapid patching cycles
- Ubiquiti UniFi OS Vulnerabilities Under Active Exploitation: CISA warns that critical vulnerabilities in Ubiquiti devices are being actively exploited. These flaws allow remote, unauthenticated attackers to make system changes, access underlying accounts, and inject commands. Ubiquiti equipment is widely deployed in enterprise and critical infrastructure environments. Source: SecurityWeek
- Japanese ISP Breach Exposes 14.2 Million Email Credentials: A breach affecting KDDI impacted six Japanese internet service providers, exposing email credentials for millions of users. Affected customers are urged to change passwords immediately. Source: Infosecurity Magazine
- Klue-Salesforce Incident Impacts Security Vendors: BeyondTrust and LastPass confirmed they were among over a dozen Klue customers affected by an incident where hackers stole data from Salesforce instances. This supply chain incident highlights third-party risk management challenges. Source: SecurityWeek
Energy Sector
- FortiBleed Campaign Credential Exposure: Recorded Future reports a dataset containing valid administrative and VPN credentials for 73,932 Fortinet FortiGate systems is circulating among threat actors. Energy sector organizations using FortiGate firewalls should immediately verify their exposure status and rotate credentials. Source: Recorded Future
- Lantronix Serial-to-Ethernet Server Exploitation: CISA added the Lantronix EDS5000 Series vulnerability to its Known Exploited Vulnerabilities catalog. These devices are commonly used for serial-to-IP connectivity in industrial control system environments, including energy sector SCADA systems. Federal agencies must remediate by the specified deadline. Source: The Hacker News
Transportation Systems
- Scattered Spider Conviction for Transport for London Attack: The conviction of two Scattered Spider members for the $38 million TfL attack serves as a reminder of the transportation sector's attractiveness to sophisticated cybercriminal groups. Organizations should review their defenses against social engineering and identity-based attacks, which are hallmarks of this threat group. Source: CSO Online
Healthcare & Public Health
- HIPAA Security 2026 Conference Announced: HHS Office for Civil Rights and NIST are hosting "Safeguarding Health Information: Building Assurance through HIPAA Security 2026" on September 2, 2026. This event will address evolving compliance requirements and security best practices for healthcare organizations. Source: NIST
Financial Services
- Credential Theft Infrastructure Disruption Benefits Sector: The Operation Endgame takedown of Amadey and StealC infrastructure, with recovery of 27 million stolen credentials, provides temporary relief for financial services organizations frequently targeted by these information-stealing malware families. However, operators should expect criminal groups to reconstitute infrastructure.
Government Facilities
- UK Museums Face Cybersecurity Risks: The UK Public Accounts Committee warned that museums and galleries are not receiving adequate government support for cybersecurity. While UK-focused, this highlights broader concerns about cultural institution security that may apply to similar U.S. facilities. Source: Infosecurity Magazine
4. Vulnerability & Mitigation Updates
Critical Vulnerabilities Requiring Immediate Attention
| CVE/Identifier | Product | Severity | Status | Action Required |
|---|---|---|---|---|
| CVE-2026-20245 | Cisco Catalyst SD-WAN | Critical | Actively Exploited | Patch immediately; audit for rogue accounts |
| Multiple CVEs | Ubiquiti UniFi OS | Critical (maximum severity) | Actively Exploited | Apply vendor patches; restrict management access |
| CVE pending | Lantronix EDS5000 Series | Critical | Actively Exploited | FCEB agencies: remediate per CISA directive |
| CVE pending | FFmpeg Codec | High | Disclosed | Update media processing infrastructure |
CISA Advisories and Alerts
- Lantronix EDS5000 Added to KEV Catalog: CISA added the Lantronix vulnerability to its Known Exploited Vulnerabilities catalog, triggering mandatory remediation timelines for Federal Civilian Executive Branch agencies. Private sector organizations should treat this with equivalent urgency. Source: CISA
- Ubiquiti Exploitation Warning: CISA issued guidance on active exploitation of Ubiquiti vulnerabilities, recommending immediate patching and network segmentation for affected devices.
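A KEV catalog addition becomes actionable only once it is matched against what an organization actually runs. The following added example (not part of the briefing or of any CISA tooling) matches a constructed excerpt in the shape of CISA's public KEV JSON feed against a constructed asset inventory and orders the results by the catalog's own due date; the CVE-0000-* identifiers, dates and asset names are placeholders.

```python
"""Match a CISA KEV feed excerpt against an asset inventory and rank by due date."""
import json
from datetime import date

# Constructed excerpt using the field names of CISA's public KEV JSON feed.
# Entries are sample data: CVE-2026-20245 is the Cisco SD-WAN CVE named in the
# briefing; the CVE-0000-* identifiers and all dates are placeholders.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed excerpt)",
    "vulnerabilities": [
        {"cveID": "CVE-2026-20245", "vendorProject": "Cisco", "product": "Catalyst SD-WAN",
         "dateAdded": "2026-06-19", "dueDate": "2026-07-10", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-00000", "vendorProject": "Lantronix", "product": "EDS5000 Series",
         "dateAdded": "2026-06-10", "dueDate": "2026-06-24", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor", "product": "NotDeployed",
         "dateAdded": "2026-06-01", "dueDate": "2026-06-22", "knownRansomwareCampaignUse": "Known"},
    ],
})

# Constructed asset inventory, recorded the way an asset database typically does it.
INVENTORY = [
    {"asset": "sdwan-controller-01", "vendor": "Cisco", "product": "Catalyst SD-WAN Manager 20.x"},
    {"asset": "substation-serial-gw-3", "vendor": "Lantronix", "product": "EDS5000 series"},
    {"asset": "core-fw-01", "vendor": "Fortinet", "product": "FortiGate"},
]


def _matches(entry, asset):
    """Exact vendor match plus case-insensitive product substring match.
    Deliberately loose: triage should over-flag and let a human confirm versions."""
    return (entry["vendorProject"].lower() == asset["vendor"].lower()
            and entry["product"].lower() in asset["product"].lower())


def triage(kev_json, inventory, today_iso):
    """Return affected assets, overdue items first, then the nearest due dates.
    The due date is taken from the catalog entry; it is not recomputed locally."""
    today = date.fromisoformat(today_iso)
    findings = []
    for entry in json.loads(kev_json)["vulnerabilities"]:
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        for asset in inventory:
            if _matches(entry, asset):
                findings.append({
                    "asset": asset["asset"],
                    "cve": entry["cveID"],
                    "due": entry["dueDate"],
                    "days_left": days_left,
                    "status": "OVERDUE" if days_left < 0 else "due",
                    "ransomware_use": entry["knownRansomwareCampaignUse"],
                })
    findings.sort(key=lambda f: f["days_left"])
    return findings


if __name__ == "__main__":
    # Reference date is the briefing's report date.
    for f in triage(KEV_SAMPLE, INVENTORY, "2026-06-25"):
        print(f"{f['status']:8} {f['asset']:24} {f['cve']:16} due {f['due']} ({f['days_left']:+d} days)")
```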
Supply Chain Security Concerns
- CI/CD Pipeline Vulnerabilities Expose 300+ GitHub Repositories: Researchers identified a class of CI/CD workflow weaknesses dubbed "Cordyceps" that could allow attackers to hijack workflows and compromise open-source supply chains. The flaws affect millions of repositories and allow unauthenticated users to take control of software supply chain processes. Source: The Hacker News, SecurityWeek
- Open-Source Security Challenges Persist: CyberScoop analysis highlights ongoing challenges in securing open-source software, noting a diffuse landscape, attractive targets, insufficient corporate investment, AI's influence, and flagging government efforts. Source: CyberScoop
Recommended Defensive Measures
- Cisco SD-WAN Environments:
  - Apply CVE-2026-20245 patches immediately
  - Audit all administrative accounts for unauthorized additions
  - Review logs for indicators of compromise detailed in Mandiant's report
  - Implement network segmentation to limit lateral movement potential
- Ubiquiti and Lantronix Devices:
  - Identify all deployed devices through asset inventory
  - Apply available patches or implement compensating controls
  - Restrict management interface access to trusted networks
  - Monitor for unauthorized configuration changes
- Credential Security:
  - FortiGate administrators should verify systems against FortiBleed exposure lists
  - Rotate administrative and VPN credentials for potentially affected systems
  - Implement multi-factor authentication where not already deployed
- macOS Endpoint Security:
  - Review research on chained macOS weaknesses that can disable endpoint security agents
  - Note that attacks can be conducted from standard non-admin accounts
  - Implement additional monitoring for security agent status changes
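The account audit recommended for SD-WAN environments above amounts to comparing the device's current accounts against an approved baseline and flagging anything root-equivalent or unexpected. The following added example (not from the briefing, from Mandiant, or from Cisco) does that over a constructed passwd-style listing; it assumes the device can export accounts in that shape, which the briefing does not specify, and the baseline and account names are sample data.

```python
"""Flag privileged or unexpected accounts against an approved baseline (constructed data)."""

# Approved baseline for this device: account name -> expected uid.
# Constructed sample; a real baseline comes from the device's change records.
BASELINE = {"root": 0, "admin": 1000, "netops": 1001}

# Constructed passwd-style listing (name:x:uid:gid:gecos:home:shell).
# Assumes the device exports accounts in this shape; the briefing gives no format.
ACCOUNT_LISTING = """\
root:x:0:0:root:/root:/bin/bash
admin:x:1000:1000:Administrator:/home/admin:/bin/bash
netops:x:1001:1001:Network Ops:/home/netops:/bin/bash
sysupdate:x:0:0:System Update:/var/tmp:/bin/bash
backup:x:1002:1002:Backup:/var/backup:/usr/sbin/nologin
admin2:x:1003:1003::/home/admin2:/bin/sh
"""


def parse_passwd(text):
    """Parse passwd-style lines; malformed lines are skipped rather than guessed at."""
    accounts = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _, uid, gid, gecos, home, shell = fields
        accounts.append({"name": name, "uid": int(uid), "gid": int(gid),
                         "gecos": gecos, "home": home, "shell": shell})
    return accounts


def audit_accounts(listing, baseline):
    """Return (account, reason) findings.

    A uid-0 account under any name other than root is the rogue-root persistence
    pattern the Cisco SD-WAN reporting describes; any account outside the baseline,
    a uid change on a known account, and a baseline account that has vanished are
    also reported so the reviewer sees every deviation, not only the worst one.
    """
    findings = []
    seen = set()
    for acct in parse_passwd(listing):
        name, uid = acct["name"], acct["uid"]
        seen.add(name)
        if uid == 0 and name != "root":
            findings.append((name, "uid 0 under a non-root name (rogue root account)"))
        elif name not in baseline:
            findings.append((name, f"account not in baseline (shell {acct['shell']})"))
        elif baseline[name] != uid:
            findings.append((name, f"uid changed from {baseline[name]} to {uid}"))
    for name in baseline:
        if name not in seen:
            findings.append((name, "baseline account missing from device"))
    return findings


if __name__ == "__main__":
    for account, reason in audit_accounts(ACCOUNT_LISTING, BASELINE):
        print(f"{account:12} {reason}")
```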
5. Resilience & Continuity Planning
Lessons Learned from Recent Incidents
- Cisco SD-WAN Exploitation Timeline: The exploitation of CVE-2026-20245 "weeks after patch release" underscores the critical importance of accelerated patching cycles for network infrastructure. Organizations should evaluate their mean-time-to-patch for critical network devices and identify process improvements.
- Third-Party Risk Materialization: The Klue-Salesforce incident affecting BeyondTrust and LastPass demonstrates how supply chain compromises can impact security vendors themselves. Organizations should:
  - Maintain comprehensive third-party risk inventories
  - Establish notification procedures with critical vendors
  - Develop playbooks for responding to vendor security incidents
Supply Chain Security Developments
- AIVEX Framework for AI Supply Chain Risk: SecurityWeek reports on AIVEX, a new triage model designed to help security teams identify which software supply chain vulnerabilities pose the greatest operational, safety, and business risks in AI-driven environments. Organizations deploying AI systems should evaluate this framework for risk prioritization. Source: SecurityWeek
- CI/CD Security Imperative: The Cordyceps vulnerability class affecting GitHub repositories highlights the need for:
  - Workflow security reviews for all CI/CD pipelines
  - Principle of least privilege for automation credentials
  - Monitoring for unauthorized workflow modifications
Cross-Sector Dependencies
- Communications Sector Compromise Implications: The Cisco SD-WAN zero-day exploitation at a communications service provider raises concerns about potential visibility into customer traffic. Organizations relying on affected providers should:
  - Implement end-to-end encryption for sensitive communications
  - Monitor for unusual network behavior
  - Engage with service providers regarding incident scope and remediation
AI Security Considerations for Resilience Planning
- AI System Trust Boundaries: This week's reports on AI browser manipulation, malicious AI agent skills, and prompt injection evasion techniques indicate that AI systems require dedicated security controls. Organizations should:
  - Treat AI agents as potentially compromised when processing untrusted data
  - Implement human-in-the-loop controls for sensitive AI-driven actions
  - Develop incident response procedures specific to AI system compromise
6. Regulatory & Policy Developments
Federal Guidelines and Regulatory Changes
- CISA Known Exploited Vulnerabilities Catalog Updates: The addition of Lantronix EDS5000 vulnerabilities to the KEV catalog triggers mandatory remediation timelines for FCEB agencies under BOD 22-01. Private sector critical infrastructure operators are strongly encouraged to adopt similar remediation timelines.
International Developments
- Operation Endgame International Cooperation: The successful Amadey/StealC takedown demonstrates effective international law enforcement and private sector cooperation. This operation involved:
  - Europol coordination
  - Multiple cybersecurity companies (Microsoft, Bitdefender, Bitsight, ESET)
  - Court-authorized infrastructure seizures across jurisdictions
- Cambodia-Based Financial Crime Enforcement: The DoJ seizure of Huione Group cloud assets signals continued U.S. focus on disrupting transnational cybercriminal financial infrastructure, regardless of geographic location.
Privacy and Data Protection
- Meta Pauses Employee Monitoring Program: Meta suspended an employee monitoring program after data protection failures, highlighting ongoing tensions between security monitoring and privacy requirements. Organizations should ensure monitoring programs comply with applicable regulations and maintain appropriate safeguards. Source: CSO Online
- Google Privacy Controls Update: Google announced new privacy controls for Search services and Google Play, providing users more control over saved history and personalized recommendations. Organizations should review updated privacy settings for enterprise Google deployments. Source: Bleeping Computer
7. Training & Resource Spotlight
New Tools and Frameworks
- AIVEX Supply Chain Risk Framework: A new triage model for identifying software supply chain vulnerabilities in AI-driven environments. Security teams deploying AI systems should evaluate this framework for integration into risk assessment processes. Source: SecurityWeek
- AI-SPM Buyer's Guide: CSO Online published a comprehensive guide covering 14 tools for securing AI infrastructure, providing valuable reference material for organizations implementing AI security posture management. Source: CSO Online
Best Practices and Case Studies
- Service Desk Security: Bleeping Computer and Specops Software published analysis on why social engineering attacks against service desks continue to succeed, with recommendations for strengthening identity verification procedures. This is particularly relevant given Scattered Spider's known tactics. Source: Bleeping Computer
- AI Era Mental Models for CISOs: CSO Online published guidance on adapting security leadership approaches for the AI era, drawing on behavioral economics principles. Source: CSO Online
- School Security During Summer Months: Security Magazine published guidance on maintaining school security during summer periods, relevant for education sector security professionals. Source: Security Magazine
Research and Analysis
- ReliaQuest AI Threat Study: New research identifies six practical ways AI is currently being used in attacks, noting that AI is making attacks cheaper, faster, and more covert. Security teams should review this analysis to understand evolving threat capabilities. Source: Infosecurity Magazine
8. Looking Ahead: Upcoming Events
Conferences and Training
- Iris Experts Group Annual Meeting
  Date: June 25, 2026
  Host: NIST
  Focus: Technical discussions on iris recognition for USG agencies
  Audience: Government agencies employing or considering iris recognition
  Source: NIST
- NCCoE Cybersecurity Connections: Accelerating Mobile Driver's License Adoption
  Date: July 21, 2026, 11:00 AM – 1:30 PM EDT
  Host: NIST National Cybersecurity Center of Excellence
  Focus: Mobile driver's license security and adoption
  Source: NIST
- 2026 Time and Frequency Seminar
  Date: July 21, 2026
  Host: NIST Time and Frequency Division
  Focus: Precision clocks, atomic frequency standards, synchronization, quantum information
  Relevance: Critical for timing-dependent infrastructure systems
  Source: NIST
- Safeguarding Health Information: Building Assurance through HIPAA Security 2026
  Date: September 2, 2026
  Hosts: HHS Office for Civil Rights and NIST Information Technology Laboratory
  Focus: HIPAA security compliance and best practices
  Audience: Healthcare sector security and compliance professionals
  Source: NIST
Anticipated Threat Periods
- Post-Takedown Criminal Reconstitution: Following Operation Endgame's disruption of Amadey and StealC infrastructure, security teams should anticipate:
  - Criminal operators establishing new infrastructure within 2-4 weeks
  - Potential shifts to alternative malware families
  - Increased activity from competing criminal groups filling the gap
- Summer Holiday Periods: Reduced staffing during summer months historically correlates with increased attack activity. Organizations should ensure adequate security coverage and incident response capabilities.
Recommended Preparedness Actions
- Review and update incident response procedures for zero-day exploitation scenarios
- Conduct tabletop exercises focused on supply chain compromise scenarios
- Evaluate AI security posture given emerging attack vectors
- Verify patch management processes can achieve rapid deployment for critical network infrastructure
- Assess third-party risk management programs in light of recent vendor incidents
This intelligence briefing is compiled from open-source reporting and is intended to support critical infrastructure protection decision-making. Recipients are encouraged to verify information through primary sources and adapt recommendations to their specific operational environments.
Report Prepared: Thursday, June 25, 2026
This briefing is generated using AI analysis of public news sources. Always verify critical information through authoritative sources before taking action.