Also: Trojanized RedAlert App, Tycoon 2FA Takedown, CyberStrikeAI Attacks

Every week, Information Security Media Group rounds up cybersecurity incidents and breaches around the world. This week, Cisco patched firewall flaws and warned of active exploitation of others, and attackers spread spyware through a Trojanized RedAlert app targeting Israelis. Bye-bye, Tycoon 2FA phishing-as-a-service platform. Also bye-bye LeakBase. LexisNexis confirmed a breach. A Florida woman was sentenced to 22 months for trafficking in Microsoft licenses. Silver Dragon targeted Southeast Asian and European governments. A Broadcom patch. A Mississippi medical clinic resumed operations after a cyber incident.
Cisco Patches ‘Perfect 10’ Firewall Flaws
Networking equipment maker Cisco published patches Wednesday for two flaws in its firewall management software each rated a maximum 10 out of 10 on the CVSS scale.
Both can be exploited remotely by unauthenticated attackers to execute code on an affected device and obtain root access to the underlying operating system, cybersecurity firm Abstract warned. The flaws are tracked as CVE-2026-20079 and CVE-2026-20131.
Neither flaw has been reported as exploited in the wild – although hackers, particularly of the nation-state variety, have been quick to exploit Cisco vulnerabilities given the equipment maker’s ubiquity in large enterprises (see: Talos: No Cisco Zero Days Used in Salt Typhoon Telecom Hacks).
The patches were part of a semi-annual set of bundled advisories for firewalls that contained 25 security advisories covering patches for 48 vulnerabilities. “Compromise a firewall, and you own the chokepoint: you can read encrypted traffic, alter routing, rewrite access rules and suppress alerts. The security operations center never receives a warning because the device generating the warnings just changed ownership. That is why nation-state groups invest zero-day development budgets in firewall and edge device exploits specifically,” said David Brumley, chief AI and science officer at Bugcrowd.
The patch dump comes as Cisco said Thursday that vulnerabilities in Cisco Catalyst SD-WAN Manager patched in late February are now under active exploitation. Tracked as CVE-2026-20122 and CVE-2026-20128, the flaws require an attacker to have authenticated access to a network.
Software-defined network management software hasn’t been kind to Cisco recently, with evidence separately surfacing in late February that hackers had used a zero-day, now tracked as CVE-2026-20127, in the Catalyst SD-WAN Manager since 2023. The U.S. Cybersecurity and Infrastructure Security Agency ordered federal agencies on Feb. 25 to apply patches within two days (see: Feds Scramble Amid Shutdown to Secure Cisco SD-WAN Systems).
Trojanized RedAlert App Used in Israel Spyware Campaign
A mobile spyware campaign targeting Israeli users is spreading through a Trojanized version of the widely used RedAlert rocket warning app being distributed through SMS phishing messages that impersonate official emergency alerts.
Researchers at threat intelligence firm CloudSEK said attackers are sending spoofed text messages impersonating Israel’s Home Front Command and urging recipients to download an updated version of the RedAlert emergency alert application.
The malicious app closely mimics the RedAlert application, which many Israelis rely on to receive real-time notifications about rocket attacks. The fake app delivers real alerts to maintain the appearance of legitimacy while operating spyware silently in the background.
CloudSEK’s analysis found the malware uses several techniques to evade detection and maintain persistence on infected devices. The code uses dynamic proxy hooks to spoof the original app’s signing certificate, bypassing integrity checks and making the installation appear to originate from the Google Play Store.
The infection follows a multi-stage chain involving an initial loader, an intermediate loader and a final spyware payload with banking Trojan capabilities. The spyware aggressively requests high-risk permissions, including access to SMS messages, contact lists and device location data. Once granted, the malware collects sensitive information and exfiltrates it to attacker-controlled infrastructure over HTTP, including a command-and-control endpoint observed routing traffic through Cloudflare-proxied AWS infrastructure.
Additional permissions embedded in the malicious Android manifest allow the app to access call logs, account information and the list of installed applications. The spyware also includes anti-debugging and anti-emulation checks designed to evade security researchers and automated analysis tools.
Authorities Take Down Tycoon 2FA Phishing-as-a-Service Platform
A coordinated operation involving Europol, law enforcement agencies and Microsoft dismantled Tycoon 2FA, a major phishing-as-a-service platform used by cybercriminals worldwide to steal credentials and bypass multi-factor authentication protections (see: Tycoon 2FA – The Criminals’ Favorite Platform for MFA Theft).
Microsoft obtained a U.S. federal court order to seize 330 domains used as Tycoon 2FA infrastructure.
“Taking this infrastructure offline cuts off a major pipeline for account takeovers and helps protect people and organizations from follow-on attacks such as data theft, ransomware, business email compromise and financial fraud,” Steve Masada, assistant general counsel at Microsoft’s Digital Crimes Unit, said in a Wednesday blog post.
In its complaint, Microsoft identified a resident of Pakistan, Saad Fridi, as the platform’s system administrator. “Microsoft’s investigation has revealed that Fridi was previously involved in cyber defacement, a form of cyber-vandalism similar to graffiti where attackers gain unauthorized access to a website to alter its visual appearance, replacing content with messages, images, or slogans. However, because phishing-as-a-service is more lucrative financially, Fridi focused his attention on selling his phishing kits,” the complaint states.
Researchers say Tycoon 2FA used an adversary-in-the-middle phishing technique powered by a reverse-proxy server that sat between victims and legitimate login services such as Microsoft 365 or Gmail. The system intercepted credentials and MFA prompts during authentication and captured session cookies, allowing attackers to hijack authenticated sessions.
Microsoft tracked the activity under the name Storm-1747, and said the platform incorporated several evasion techniques, including anti-bot screening, browser fingerprinting, self-hosted Captcha challenges and heavily obfuscated code designed to evade automated security scans.
The subscription-based toolkit allowed even low-skilled actors to impersonate legitimate login portals and capture authentication tokens, effectively bypassing MFA protections.
Security researchers say the service generated tens of millions of phishing emails each month and facilitated unauthorized access to nearly 100,000 organizations worldwide, targeting sectors including healthcare, education and government.
US, Europol Dismantle LeakBase Cybercrime Forum
The FBI and a raft of police from Europe, Australia and Malaysia dismantled LeakBase, a subscription-based breach forum used to trade stolen data and hacking tools, Europol and the U.S. Department of Justice announced Wednesday.
The takedown, dubbed Operation Leak, involved law enforcement agencies from 14 countries. Investigators seized the forum’s domain and infrastructure and replaced the site with a law enforcement seizure banner. An FBI official told The Record that the operation resulted in 13 arrests, 32 searches and interviews with 33 suspects, along with capturing the forum’s entire database.
LeakBase had more than 142,000 registered members and over 215,000 posts as of December 2025. The forum operated on the open internet and served as a marketplace for hacked databases, stolen credentials and financial data, including credit card and bank account information.
Authorities say the platform distributed “stealer logs” – large archives of credentials harvested by infostealer malware – enabling criminals to conduct account takeovers, financial fraud and other cybercrime.
Threat intelligence firm Flare described LeakBase in 2023 as “one of the more sophisticated forums on the darkweb, both in terms of the amount of sensitive data available and the mature approach to discovery and commerce.”
LexisNexis Confirms Breach After Hackers Leak Files
A threat group calling itself FulcrumSec claimed responsibility for breaching information services firm LexisNexis and leaking stolen files online, prompting the company to confirm that attackers accessed parts of its infrastructure and customer and business data.
The threat group posted about 2 gigabytes of stolen data, claiming it was taken from the company’s Amazon Web Services environment. The attackers say they gained access on Feb. 24 by exploiting the React2Shell vulnerability in an unpatched React-based frontend application, allowing them to access internal cloud resources and databases (see: Nation-State and Cybercrime Exploits Tied to React2Shell).
FulcrumSec also claimed to have stolen hundreds of Redshift database tables and AWS Secrets Manager credentials, allowing the extraction of millions of LexisNexis records and details tied to roughly 400,000 cloud user profiles. The leaked dataset allegedly includes accounts linked to more than 100 users with .gov email addresses, including federal judges and Department of Justice staff.
LexisNexis said the breach involved a limited number of servers containing legacy data, primarily from before 2020. Exposed information includes customer names, user IDs, business contact details, product usage data, survey responses with IP addresses and support tickets.
The company said the incident did not expose highly sensitive data, such as Social Security numbers, financial information, active passwords or customer search queries. It added that there is no evidence its products or services were compromised.
Florida Woman Gets 22 Months in Microsoft License Key Trafficking Case
A federal court sentenced a Florida software distributor to 22 months in prison for conspiring to traffic in illicit Microsoft authentication labels used to activate Windows and Office software, the U.S. Department of Justice announced Monday.
Heidi Richards, 52, must also pay a $50,000 fine after a federal jury convicted her of conspiracy to traffic in counterfeit labels and related offenses.
Richards operated an e-commerce business, Trinity Software Distribution, under aliases including Heidi Hastings, Heidi Shaffer and Heidi Williams. Beginning as early as 2017, she purchased tens of thousands of genuine Microsoft Certificate of Authenticity, or COA, labels from suppliers at steep discounts. The labels contain unique product keys used to activate Microsoft software.
Richards obtained the labels and product keys from a Texas-based supplier, which marketed Microsoft software and related components online. Microsoft had previously sued the company in 2017 for selling unauthorized software and activation keys.
Richards and her employees extracted the activation codes from the labels and compiled them into spreadsheets, which they then sold in bulk to customers seeking software product keys, prosecutors said in the indictment. In some cases, employees emailed batches of product keys directly to customers.
Federal law bars the sale of COA labels separately from the hardware or software licenses they accompany. Prosecutors said Richards nonetheless purchased tens of thousands of labels between July 2018 and January 2023, wiring more than $5.1 million to the Texas supplier over that period.
Microsoft designed COA labels with anti-counterfeiting features to verify legitimate software licenses. But authorities said the labels have no standalone commercial value and become attractive in illicit resale markets because the embedded product keys can activate software without a valid license.
China-Linked Silver Dragon Targets Governments in Southeast Asia, Europe
A China-linked threat actor tracked as Silver Dragon is targeting government organizations in Southeast Asia and Europe, in a campaign researchers say shows technical overlap with the long-running APT41 espionage ecosystem.
Researchers at Check Point said the group has been active since mid-2024, using phishing emails, malicious Windows shortcut files and DLL-based persistence techniques to infiltrate government networks and deploy Cobalt Strike beacons for remote access.
Silver Dragon primarily gains initial access by exploiting internet-facing servers or sending phishing emails with malicious attachments. Once inside a network, the attackers maintain persistence by hijacking legitimate Windows services. They also rely heavily on Cobalt Strike beacons to maintain remote access to compromised systems.
In one phishing campaign, attackers sent LNK files that triggered PowerShell commands, dropping additional malware components while displaying decoy documents to victims. The technique allowed attackers to load malicious DLLs and ultimately deploy Cobalt Strike on infected hosts.
The threat group deploys custom post-exploitation tools, including SilverScreen for screen capture, SSHcmd for remote command execution and GearDoor, a backdoor that communicates with command-and-control infrastructure through Google Drive.
Broadcom Patches VMware Aria Operations Command Injection Flaw
Semiconductor and infrastructure software solutions provider Broadcom patched a high-severity command injection vulnerability in VMware Aria Operations that could allow attackers to execute arbitrary commands and potentially gain remote code execution in affected environments.
The vulnerability, tracked as CVE-2026-22719, carries a CVSS score of 8.1 and can be exploited by an unauthenticated attacker under specific conditions. Broadcom said the flaw could be triggered during a support-assisted product migration to execute commands on the system.
VMware Aria Operations is widely used by enterprises to monitor and manage the performance and health of infrastructure across servers, networks and cloud environments.
The U.S. Cybersecurity and Infrastructure Security Agency has added the vulnerability to its Known Exploited Vulnerabilities Catalog.
UMMC Clinics Resume Normal Operations After Ransomware Ordeal
The University of Mississippi Medical Center’s dozens of clinics throughout the state resumed normal operations this week following a Feb. 19 ransomware “ordeal” that caused the academic health system to cancel patient appointments and procedures and resort to manual, paper-based clinical processes for nine days.
“While all mission areas were impacted by the criminal intrusion, the patient care mission was disproportionately affected,” UMMC said in a March 2 statement.
The medical center’s main campus in Jackson, Mississippi, includes four hospitals – University Hospital, Children’s of Mississippi, Wiser Hospital for Women and Infants, and Conerly Critical Care Hospital – with a combined 827 patient beds.
The medical center’s phone system, Epic electronic health records, and other IT systems are back online – but some tech “issues” are still being worked out, a UMMC spokeswoman told Information Security Media Group on Wednesday (see: Mississippi Medical Center Clinics Still Closed After Attack).
UMMC’s division of information systems “worked around the clock to bring the network back online” while its medical teams worked under extended downtime procedures to ensure continuity of patient care, UMMC said.
That required intense collaboration among UMMC clinical teams and leadership from all areas as staff worked “feverishly” to recreate physical charts and patient care documents containing vital information typically handled only digitally.
The medical center has not yet disclosed whether patient data was stolen in the attack.
With reporting from Information Security Media Group’s Marianne Kolbasuk McGee in the Boston exurbs, Poulami Kundu in Bengaluru and David Perera in Northern Virginia.
