Today’s roundup
Cisco flags more SD-WAN flaws as actively exploited in attacks
Mail2Shell zero-click attack lets hackers hijack FreeScout mail servers
Fake LastPass support email threads try to steal vault passwords
Cisco fixes maximum-severity Secure FMC bugs threatening firewall security
Google uncovers Coruna iOS Exploit Kit targeting iOS 13–17.2.1
Dust Specter Targets Iraqi Officials with New SPLITDROP and GHOSTFORM Malware
APT28-Linked Campaign Deploys BadPaw Loader and MeowMeow Backdoor in Ukraine
Europol-Led Operation Takes Down Tycoon 2FA Phishing-as-a-Service Linked to 64,000 Attacks
Operation Leak: FBI and Europol dismantle LeakBase Cybercrime forum
VMware Aria Operations Bug Exploited, Cloud Resources at Risk
Summary
Cisco confirmed active exploitation of two more high-severity vulnerabilities (CVE-2026-20072 and CVE-2026-20073) in Catalyst SD-WAN Manager. Successful exploitation grants full administrative control of the manager; Cisco's advisories, issued in February 2026, urge immediate upgrades.
A maximum-severity, zero-click vulnerability in the FreeScout helpdesk platform, dubbed Mail2Shell, allows unauthenticated remote code execution with no user interaction, fully compromising the affected FreeScout mail server.
LastPass warns of an active phishing campaign, dating from March 2026, that steals master passwords. Spoofed emails posing as internal threads about unauthorized access direct users to fake SSO login pages at `verify-lastpass[.]com`.
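The LastPass lure above turns on a lookalike domain, so the practical defensive check is a link filter that refuses anything posing as lastpass.com. The Python below is an added example, not code from LastPass or from the original roundup: it refangs defanged indicators, extracts links from a constructed sample message, and classifies each host. The `verify-lastpass[.]com` indicator is the one quoted in the summary; the allowlist, the two-label registrable-domain helper (no public-suffix list) and the sample email are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Assumption: the only legitimate apex domain for LastPass logins is lastpass.com.
LEGIT_DOMAINS = {"lastpass.com"}
# Indicator quoted in the LastPass advisory summary above (refanged form).
KNOWN_PHISHING_DOMAINS = {"verify-lastpass.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def refang(text: str) -> str:
    """Undo common defanging so indicators written as hxxps://x[.]y parse as URLs."""
    return text.replace("[.]", ".").replace("hxxp", "http").replace("hXXp", "http")


def registrable_domain(host: str) -> str:
    """Naive apex extraction (last two labels). Assumption for the example: real
    filters should use the public-suffix list so that e.g. co.uk is handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_link(url: str) -> str:
    """Return one of: legit, known-ioc, lookalike, unrelated.

    Classification is host-based on purpose: 'lastpass' appearing in a path or
    query string is harmless, but appearing in a host that is not the legitimate
    apex (including as a leading subdomain of an attacker's domain) is not."""
    host = urlparse(url).hostname or ""
    apex = registrable_domain(host)
    if apex in LEGIT_DOMAINS:
        return "legit"
    if apex in KNOWN_PHISHING_DOMAINS:
        return "known-ioc"
    if "lastpass" in host.lower():
        return "lookalike"
    return "unrelated"


def scan_email(raw: str) -> list[tuple[str, str]]:
    """Return (url, verdict) for every link that should block or quarantine the message."""
    findings = []
    for url in URL_RE.findall(refang(raw)):
        url = url.rstrip(".,;:)")  # drop sentence punctuation glued to the link
        verdict = classify_link(url)
        if verdict in ("known-ioc", "lookalike"):
            findings.append((url, verdict))
    return findings


# Constructed sample message mimicking the "internal thread" lure; not a real email.
SAMPLE_EMAIL = """\
From: IT Security <security@example-corp.test>
Subject: RE: Unauthorized access to your LastPass vault
Hi, as discussed in the thread below, please re-confirm your vault via SSO:
hxxps://verify-lastpass[.]com/sso/login
Official documentation: https://lastpass.com/ (for reference).
Backup link if SSO fails: https://lastpass.com.sso-check.test/login
"""

if __name__ == "__main__":
    for url, verdict in scan_email(SAMPLE_EMAIL):
        print(f"{verdict:10} {url}")
```

The third link in the sample is the case worth noticing: `lastpass.com.sso-check.test` starts with the real brand name, but its registrable domain is `sso-check.test`, so apex comparison rather than prefix matching is what catches it.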
Cisco patched two maximum-severity vulnerabilities (CVE-2026-20079, CVE-2026-20131; CVSS 10.0) in Secure Firewall Management Center (FMC). These flaws enable unauthenticated remote attackers to bypass authentication or exploit Java deserialization for root access and arbitrary code execution.
Google's Threat Intelligence Group (GTIG) uncovered "Coruna" (also tracked as "CryptoWaters"), an iOS exploit kit bundling 23 exploits across five exploit chains. It targets iOS 13.0 through 17.2.1 and has been used both for targeted espionage and for financially motivated cryptocurrency theft.
Zscaler ThreatLabz identified "Dust Specter," an Iran-nexus threat actor targeting Iraqi government officials since January 2026. The campaign impersonates the Ministry of Foreign Affairs, deploying new SPLITDROP and GHOSTFORM malware.
Russia-linked APT28 launched a new campaign against Ukrainian entities, delivering the previously undocumented "BadPaw" loader and "MeowMeow" backdoor through phishing emails carrying malicious ZIP archives.
Europol led an international operation that dismantled Tycoon 2FA, a major phishing-as-a-service (PhaaS) platform. Active since August 2023, it enabled some 64,000 adversary-in-the-middle (AitM) attacks that harvested millions of credentials, including accounts in the healthcare and education sectors.
The FBI and Europol's "Operation Leak" seized the LeakBase cybercrime forum, a hub for trading stolen data and hacking tools since 2021 with over 142,000 members. The global effort involved 14 countries and targeted 37 active users.
A command injection vulnerability in VMware Aria Operations is under active exploitation. The critical flaw gives attackers broad access to victims' cloud resources, so immediate patching is necessary.
Want to dig deeper?
Cyber Groups
| Group | Aliases |
|---|---|
| APT28 | IRON TWILIGHT, SNAKEMACKEREL, Swallowtail, Group 74, Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team, Threat Group-4127, TG-4127, Forest Blizzard, FROZENLAKE, GruesomeLarch |