
Cisco SD-WAN Zero-Day Exploited Since 2023; US Sanctions Russian Exploit Broker as CISA Issues Emergency Directive

Executive Summary

This week's intelligence highlights several critical developments requiring immediate attention from critical infrastructure operators:

  • Active Exploitation Alert: A maximum-severity zero-day vulnerability (CVE-2026-20127) in Cisco Catalyst SD-WAN has been under active exploitation since 2023, prompting CISA to issue an emergency directive and global cyber agencies to urge immediate patching and threat hunting.
  • Nation-State Activity: The US Treasury sanctioned Russian exploit broker "Operation Zero" following revelations that the firm acquired eight zero-day exploits from a US defense contractor executive now imprisoned. Separately, China-linked threat group UNC2814 conducted a decade-long espionage campaign targeting 53 victims across 42 countries using Google Sheets for command and control.
  • Healthcare Sector Targeting: A newly identified threat cluster (UAT-10027) is actively targeting US education and healthcare sectors with the "Dohdoor" backdoor, while the Senate advances healthcare cybersecurity reform legislation.
  • ICS/OT Vulnerabilities: CISA released ten ICS advisories affecting electric vehicle charging infrastructure, industrial control systems (Yokogawa CENTUM), refrigeration controls (Johnson Controls Frick), and security cameras (Pelco), with potential cross-sector impacts on energy and transportation.
  • Leadership Change: CISA has undergone a leadership transition with Madhu Gottumukkala departing and Andersen assuming the role of acting director amid reported criticisms of agency performance.

Threat Landscape

Nation-State Threat Actor Activities

China-Linked UNC2814 Global Espionage Campaign

  • Google's Threat Analysis Group disclosed a "prolific and elusive" campaign by UNC2814 targeting telecommunications providers and government entities across 42 countries
  • The group employed a novel technique using Google Sheets as a command-and-control mechanism, complicating detection efforts
  • Campaign has been active for approximately a decade, demonstrating significant operational security and persistence
  • Critical infrastructure operators in telecommunications should review network logs for anomalous Google Sheets API activity
  • Source: Infosecurity Magazine, CSO Online

US Sanctions Russian Exploit Broker Operation Zero

  • The US Treasury Department imposed sanctions on Russian exploit broker "Operation Zero"
  • The firm acquired eight zero-day exploits from a US defense contractor executive who has since been imprisoned for his involvement
  • This action underscores the ongoing threat posed by the commercial exploit market and its intersection with nation-state actors
  • Organizations should assume sophisticated adversaries have access to unknown vulnerabilities and implement defense-in-depth strategies
  • Source: SecurityWeek

Ransomware and Cybercriminal Developments

Ransomware Payment Rates Hit Record Low

  • Despite a significant increase in claimed attacks, ransomware payment rates dropped to 28% in 2025—an all-time low
  • This trend suggests improved organizational resilience and backup capabilities, though attack volumes continue to rise
  • Critical infrastructure operators should maintain robust backup and recovery capabilities while continuing to invest in preventive controls
  • Source: Bleeping Computer

Steaelite RAT: Combined Data Theft and Ransomware Tool

  • Security researchers identified a new remote access trojan (RAT) called "Steaelite" that combines data exfiltration and ransomware management capabilities
  • This convergence of capabilities in a single tool represents an evolution in threat actor efficiency
  • Organizations should ensure endpoint detection and response (EDR) solutions are updated to detect this emerging threat
  • Source: CSO Online

Aeternum C2 Botnet Leverages Blockchain

  • A new botnet loader called "Aeternum C2" stores encrypted commands on the Polygon blockchain to evade takedown efforts
  • This technique significantly complicates law enforcement and security researcher efforts to disrupt botnet operations
  • Network defenders should monitor for unusual blockchain-related network traffic as a potential indicator of compromise
  • Source: The Hacker News, Infosecurity Magazine
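Both the UNC2814 item above (Google Sheets as a C2 channel) and the Aeternum C2 item (commands read from the Polygon blockchain) share one defensive lesson: the transport is a legitimate public service, so the host is not the indicator, the request cadence is. The script below is an added example written for this briefing, not code from Google TAG or any cited source. It hunts web-proxy logs for clients that contact a watch-listed endpoint at near-constant intervals, the classic beacon signature that interactive human use of the same service does not produce. The log line layout, the watch-list entries and every sample line are constructed assumptions.

```python
"""Beaconing hunt over web-proxy logs for SaaS and public-RPC endpoints abused as C2 transports.

Added example for this briefing; not code from Google TAG or any vendor. The log line
format, the watch-list and every log line below are constructed assumptions.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed watch-list. sheets.googleapis.com matches the UNC2814 tradecraft described above;
# polygon-rpc.com is the public Polygon JSON-RPC endpoint, relevant to a loader that reads
# its commands from that chain. Treat both entries as assumptions and tune to your estate.
WATCHLIST = {"sheets.googleapis.com", "polygon-rpc.com"}

# Assumed proxy log layout: "<ISO-8601 time> <client-ip> <dest-host> <method> <path> <status>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")

# Constructed sample: 10.0.5.21 polls Sheets every ~5 min, 10.0.7.9 is a person editing a
# spreadsheet (bursty), 10.0.9.3 polls polygon-rpc.com every 60 s, plus noise and a bad line.
SAMPLE_LOG = """\
2026-02-24T00:00:00Z 10.0.5.21 sheets.googleapis.com GET /v4/spreadsheets/abc/values/Sheet1 200
2026-02-24T00:05:02Z 10.0.5.21 sheets.googleapis.com GET /v4/spreadsheets/abc/values/Sheet1 200
2026-02-24T00:10:01Z 10.0.5.21 sheets.googleapis.com GET /v4/spreadsheets/abc/values/Sheet1 200
2026-02-24T00:14:59Z 10.0.5.21 sheets.googleapis.com GET /v4/spreadsheets/abc/values/Sheet1 200
2026-02-24T00:20:03Z 10.0.5.21 sheets.googleapis.com GET /v4/spreadsheets/abc/values/Sheet1 200
2026-02-24T00:25:00Z 10.0.5.21 sheets.googleapis.com GET /v4/spreadsheets/abc/values/Sheet1 200
2026-02-24T09:00:00Z 10.0.7.9 sheets.googleapis.com GET /v4/spreadsheets/q1/values/Budget 200
2026-02-24T09:00:04Z 10.0.7.9 sheets.googleapis.com PUT /v4/spreadsheets/q1/values/Budget 200
2026-02-24T09:03:30Z 10.0.7.9 sheets.googleapis.com PUT /v4/spreadsheets/q1/values/Budget 200
2026-02-24T09:03:31Z 10.0.7.9 sheets.googleapis.com GET /v4/spreadsheets/q1/values/Budget 200
2026-02-24T09:15:00Z 10.0.7.9 sheets.googleapis.com PUT /v4/spreadsheets/q1/values/Budget 200
2026-02-24T09:16:42Z 10.0.7.9 sheets.googleapis.com GET /v4/spreadsheets/q1/values/Budget 200
2026-02-24T01:00:00Z 10.0.9.3 polygon-rpc.com POST / 200
2026-02-24T01:01:00Z 10.0.9.3 polygon-rpc.com POST / 200
2026-02-24T01:02:00Z 10.0.9.3 polygon-rpc.com POST / 200
2026-02-24T01:03:00Z 10.0.9.3 polygon-rpc.com POST / 200
2026-02-24T01:04:00Z 10.0.9.3 polygon-rpc.com POST / 200
2026-02-24T01:00:30Z 10.0.9.3 www.example.com GET /index.html 200
this line is not a proxy record
"""


def parse_line(line):
    """Parse one assumed-format proxy line; return None for anything that does not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, host, method, path, status = m.groups()
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "client": client, "host": host, "method": method,
        "path": path, "status": int(status),
    }


def find_beacons(lines, min_hits=5, max_cv=0.2):
    """Flag (client, host) pairs whose requests to a watch-listed host are evenly spaced.

    The coefficient of variation (std dev / mean) of the inter-request gaps is the test:
    a scheduled poll scores near 0, a human editing a sheet scores well above 1.
    """
    series = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["host"] in WATCHLIST:
            series[(rec["client"], rec["host"])].append(rec["ts"])

    findings = []
    for (client, host), times in series.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            findings.append({"client": client, "host": host, "hits": len(times),
                             "mean_gap_s": round(mean, 1), "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG.splitlines()):
        print(f"{f['client']} -> {f['host']}: {f['hits']} hits, "
              f"every {f['mean_gap_s']}s (cv={f['cv']})")
```

Run against a day of proxy logs the two polling hosts surface and the interactive user does not. Raise `min_hits` and lower `max_cv` on large estates to keep the result list short, and expect to add an allowlist for service accounts that legitimately poll Sheets on a schedule.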

Physical Security Threats

Violent Extremist Targets Electric Substation in Nevada

  • Water ISAC reported an incident involving a violent extremist targeting an electric substation in Nevada
  • This continues the pattern of physical attacks against energy infrastructure observed over the past several years
  • Energy sector operators should review physical security measures at substations and coordinate with local law enforcement
  • Source: Water ISAC

Heightened Geopolitical Tensions with Iran

  • Water ISAC issued a TLP:AMBER advisory regarding cybersecurity and physical security risks to critical infrastructure amid heightened geopolitical tensions with Iran
  • Critical infrastructure operators should review and update incident response plans and increase monitoring for indicators associated with Iranian threat actors
  • Source: Water ISAC

Emerging Attack Vectors

Developer-Targeted Supply Chain Attacks

  • Microsoft warned of fake Next.js job repositories delivering in-memory malware to developers
  • A malicious NuGet package mimicking the official Stripe API library was discovered stealing API tokens
  • Anthropic patched vulnerabilities in Claude Code that could have exposed developer devices to silent hacking via malicious configuration files
  • Development teams should implement strict code review processes and verify package authenticity before integration
  • Source: The Hacker News, SecurityWeek

Google API Keys Now Expose Gemini AI Data

  • Google API keys embedded in client-side code, previously considered harmless to expose, can now be used to authenticate to Gemini AI and access private data
  • Organizations using Google services should audit exposed keys, rotate any found in client-side code, and restrict what each remaining key is permitted to call
  • Source: Bleeping Computer

Sector-Specific Analysis

Energy Sector

Electric Vehicle Charging Infrastructure Vulnerabilities

  • CISA released six ICS advisories affecting EV charging management platforms: Chargemap, EV Energy, SWITCH EV, EV2GO, CloudCharge, and Mobility46
  • Successful exploitation could allow attackers to disrupt charging operations, manipulate billing systems, or potentially use charging infrastructure as a pivot point into connected grid systems
  • As EV adoption accelerates, these systems represent an expanding attack surface with potential cascading impacts on transportation and energy sectors
  • Operators should review CISA advisories and implement recommended mitigations immediately
  • Source: CISA ICS Advisories

Physical Attack on Nevada Substation

  • A violent extremist targeted an electric substation in Nevada, continuing the trend of physical attacks against energy infrastructure
  • Utilities should coordinate with fusion centers and law enforcement on threat information and review physical security postures
  • Source: Water ISAC

Industrial Control System Vulnerabilities

  • Yokogawa CENTUM VP R6 and R7 distributed control systems received a CISA advisory for vulnerabilities that could impact process control in energy and chemical facilities
  • Johnson Controls Frick Quantum HD refrigeration controllers also received advisories—these systems are used in industrial cooling applications including power generation facilities
  • Source: CISA ICS Advisories

Water & Wastewater Systems

Potomac River Sewage Spill Emergency Response

  • An emergency declaration was approved to fast-track federal aid for the Potomac Interceptor sewage spill
  • The US Army Corps of Engineers activated its Emergency Operations Center to support response efforts
  • This incident highlights the importance of infrastructure resilience and emergency response coordination for water/wastewater systems
  • Source: Homeland Security Today

Cross-Sector Threat Awareness

  • Water ISAC issued multiple advisories this week including guidance on preoperational surveillance tactics and geopolitical threat considerations
  • Water utilities should review the weekly counterterrorism report and supplemental security highlights for sector-specific guidance
  • Source: Water ISAC

Communications & Information Technology

Cisco SD-WAN Zero-Day Under Active Exploitation

  • CVE-2026-20127, a maximum-severity vulnerability in Cisco Catalyst SD-WAN Controller and Manager, has been exploited by "highly sophisticated hackers" since 2023
  • The flaw allows unauthenticated attackers to bypass authentication and gain administrative privileges
  • CISA has added this to the Known Exploited Vulnerabilities (KEV) catalog and issued an emergency directive
  • Global cyber agencies are urging immediate patching and threat hunting for signs of prior exploitation
  • This marks the second series of actively exploited zero-days in Cisco edge technology since spring 2025
  • Source: SecurityWeek, The Hacker News, CyberScoop

Critical Network Infrastructure Vulnerabilities

  • Juniper Networks disclosed a critical vulnerability in Junos OS Evolved on PTX Series routers allowing unauthenticated remote code execution with root privileges
  • Zyxel patched a critical UPnP vulnerability affecting multiple device models that could enable remote code execution
  • Organizations using these devices should prioritize patching and review network segmentation
  • Source: Bleeping Computer, SecurityWeek

China-Linked Espionage Targeting Telecommunications

  • UNC2814's decade-long campaign specifically targeted telecommunications providers across 42 countries
  • Communications sector operators should implement enhanced monitoring and review the indicators of compromise provided by Google TAG
  • Source: Infosecurity Magazine

Healthcare & Public Health

UAT-10027 Targeting US Healthcare and Education

  • A newly identified threat cluster designated UAT-10027 has been targeting US education and healthcare sectors since December 2025
  • The campaign deploys the "Dohdoor" backdoor, a previously undocumented malware family
  • Healthcare organizations should review network logs for indicators of compromise and ensure endpoint protection is current
  • Source: The Hacker News

Healthcare Cybersecurity Reform Advances

  • The Senate moved one step closer to passing healthcare cybersecurity reforms after the legislation cleared committee
  • The package would overhaul cybersecurity practices at the Department of Health and Human Services
  • Healthcare organizations should monitor this legislation for potential compliance implications
  • Source: CyberScoop

Medical Device Manufacturer Data Breach

  • UFP Technologies, an American medical device manufacturer, disclosed a cybersecurity incident compromising IT systems and data
  • Healthcare supply chain partners should assess potential downstream impacts
  • Source: Bleeping Computer

Financial Services

Malicious Stripe API Package Targets Financial Data

  • A malicious NuGet package impersonating the official Stripe library was discovered stealing API tokens
  • Financial services organizations using .NET development should audit package dependencies
  • Source: The Hacker News

Money Mule Intelligence Partnership

  • Recorded Future announced expanded coverage of scams and financial fraud through a partnership with CYBERA for money mule intelligence
  • This capability can help financial institutions identify scam-linked bank accounts
  • Source: Recorded Future

Tax Season Security Concerns

  • Security researchers warn that AI could impact tax season security, with varied risks emerging from AI-enhanced social engineering and fraud
  • Financial services and tax preparation organizations should implement enhanced verification procedures
  • Source: Security Magazine

Transportation Systems

EV Charging Infrastructure Vulnerabilities

  • Multiple CISA advisories affecting EV charging platforms have direct implications for transportation sector resilience
  • As electric vehicle adoption increases, charging infrastructure becomes critical to transportation continuity
  • Transportation authorities should coordinate with energy sector partners on securing shared infrastructure
  • Source: CISA ICS Advisories

Maritime Security Operations

  • Coast Guard, DHS partner agencies, and US Navy interdicted multiple suspected smuggling vessels off Southern California
  • Continued enforcement operations demonstrate ongoing threats to maritime security
  • Source: Homeland Security Today

Government Facilities

Apple Devices Cleared for NATO Classified Use

  • Apple iPhone and iPad devices have been added to the NATO Information Assurance Product Catalogue (NIAPC)
  • This clearance enables use of these devices for classified NATO communications
  • Government facilities should review updated device policies accordingly
  • Source: SecurityWeek

Vulnerability & Mitigation Updates

Critical Vulnerabilities Requiring Immediate Attention

PRIORITY 1: Cisco Catalyst SD-WAN (CVE-2026-20127)

  • Severity: Maximum (CVSS 10.0)
  • Status: Actively exploited since 2023; added to CISA KEV catalog
  • Impact: Authentication bypass allowing administrative access
  • Affected Products: Cisco Catalyst SD-WAN Controller (formerly vSmart) and Catalyst SD-WAN Manager (formerly vManage)
  • Action Required: Immediate patching, threat hunting for historical compromise, and network segmentation review
  • CISA Emergency Directive: Organizations should review and comply with directive requirements
  • Source: SecurityWeek, The Hacker News

PRIORITY 2: Juniper Networks PTX Series (Junos OS Evolved)

  • Severity: Critical
  • Impact: Unauthenticated remote code execution with root privileges
  • Affected Products: PTX Series routers running Junos OS Evolved
  • Action Required: Immediate patching and access control review
  • Source: Bleeping Computer

PRIORITY 3: Trend Micro Apex One

  • Severity: Critical and High
  • Impact: Remote code execution on Windows systems
  • Affected Products: Apex One for Windows and macOS
  • Action Required: Apply patches for eight critical and high-severity vulnerabilities
  • Source: SecurityWeek, Bleeping Computer

PRIORITY 4: Zyxel UPnP Vulnerability

  • Severity: Critical
  • Impact: Remote code execution via UPnP function
  • Affected Products: Multiple Zyxel device models
  • Action Required: Apply patches; consider disabling UPnP if not required
  • Source: SecurityWeek

CISA ICS Advisories (February 26, 2026)

Advisory ID      Vendor/Product                          Sector Impact
ICSA-26-057-01   Johnson Controls Frick Quantum HD       Energy, Manufacturing
ICSA-26-057-02   Pelco Sarix Pro 3 Series IP Cameras     Multiple Sectors (Physical Security)
ICSA-26-057-03   CloudCharge                             Energy, Transportation
ICSA-26-057-04   EV2GO                                   Energy, Transportation
ICSA-26-057-05   Chargemap                               Energy, Transportation
ICSA-26-057-06   SWITCH EV                               Energy, Transportation
ICSA-26-057-07   EV Energy                               Energy, Transportation
ICSA-26-057-08   Mobility46                              Energy, Transportation
ICSA-26-057-09   Yokogawa CENTUM VP R6, R7               Energy, Chemical, Manufacturing
ICSA-26-057-10   Copeland XWEB and XWEB Pro              Multiple Sectors

Full advisories available at: CISA ICS Advisories

Recommended Defensive Measures

  • Network Segmentation: Isolate ICS/OT networks from corporate IT networks; implement strict access controls for SD-WAN management interfaces
  • Threat Hunting: Given the extended exploitation timeline of the Cisco SD-WAN vulnerability, conduct retrospective analysis of network logs dating back to 2023
  • Patch Management: Prioritize patching of internet-facing and edge devices; implement compensating controls where immediate patching is not feasible
  • Supply Chain Security: Audit software dependencies, particularly NuGet packages and development tools, for malicious components
  • API Key Management: Review and rotate Google API keys; implement proper scoping and monitoring for API access
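The API-key recommendation above, and the Gemini item under Emerging Attack Vectors, both start with the same question: which Google API keys are already sitting in code that ships to browsers? The script below is an added example written for this briefing, not Google's tooling or code from any cited source. It scans a set of source files for the well-known Google API key shape (the literal prefix `AIza` followed by 35 URL-safe characters, a pattern most secret scanners use and treated here as an assumption rather than an official specification), de-duplicates keys that appear in several places, and marks a key as public whenever any of its locations is a client-side asset. The sample files and the keys in them are constructed.

```python
"""Find Google API keys in source and decide which ones are already public.

Added example for this briefing; not Google's tooling. The key pattern is the one secret
scanners commonly use (an assumption, not an official spec); the files and keys are constructed.
"""
import re

# "AIza" + 35 characters from the URL-safe base64 alphabet = 39 characters total.
GOOGLE_KEY_RE = re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b")

# Constructed sources: one key shipped in a JS bundle and a template, one kept server-side.
SAMPLE_FILES = {
    "static/app.bundle.js": (
        'const mapsKey = "AIzaSyExampleExampleExampleExample12345";\n'
        "fetch(`https://maps.googleapis.com/maps/api/js?key=${mapsKey}`);\n"
    ),
    "templates/map.html": (
        '<script src="https://maps.googleapis.com/maps/api/js'
        '?key=AIzaSyExampleExampleExampleExample12345"></script>\n'
    ),
    "server/config.py": (
        'GOOGLE_API_KEY = "AIzaSyServerOnlyServerOnlyServerOnly007"  # loaded from env in prod\n'
    ),
}

CLIENT_SIDE_SUFFIXES = (".js", ".jsx", ".ts", ".tsx", ".html")


def mask(key):
    """Show enough of a key to recognise it in a ticket without reproducing it."""
    return key[:8] + "..." + key[-4:]


def scan_sources(files):
    """Map each distinct key to the (path, line) locations where it appears."""
    findings = {}
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for m in GOOGLE_KEY_RE.finditer(line):
                findings.setdefault(m.group(0), []).append((path, lineno))
    return findings


def exposure_report(files, client_side_suffixes=CLIENT_SIDE_SUFFIXES):
    """One entry per key. A key found in any client-side asset is already public:
    rotate it and apply API and referrer restrictions to its replacement. A key found
    only in server code is still a secret, but not a published one."""
    report = []
    for key, locs in scan_sources(files).items():
        public = any(path.endswith(client_side_suffixes) for path, _ in locs)
        report.append({"key": mask(key), "locations": locs, "public": public})
    return report


if __name__ == "__main__":
    for entry in exposure_report(SAMPLE_FILES):
        where = ", ".join(f"{p}:{n}" for p, n in entry["locations"])
        status = "PUBLIC - rotate and restrict" if entry["public"] else "server-side only"
        print(f"{entry['key']}  {status}  ({where})")
```

Point `SAMPLE_FILES` at a real checkout (walk the tree and read each file) and the report becomes the rotation list. Note that the scanner cannot tell which services a key is enabled for; that is exactly the gap the Gemini change exploits, so every public key should be restricted in the Cloud console regardless of what it was originally issued for.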

Resilience & Continuity Planning

Lessons Learned from Recent Incidents

Potomac Interceptor Sewage Spill Response

  • The rapid activation of the US Army Corps of Engineers Emergency Operations Center demonstrates effective federal-local coordination
  • Emergency declaration approval enabled fast-tracked federal aid, highlighting the importance of pre-established emergency protocols
  • Water/wastewater utilities should review mutual aid agreements and emergency declaration procedures
  • Source: Homeland Security Today

Extended Zero-Day Exploitation Timeline

  • The Cisco SD-WAN vulnerability exploitation dating back to 2023 underscores the importance of:
    • Continuous monitoring and anomaly detection
    • Regular security assessments of edge infrastructure
    • Maintaining comprehensive logging for forensic analysis
    • Assuming breach and implementing detection-focused controls
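The Threat Hunting bullet under Recommended Defensive Measures and the list above both ask for a retrospective look at logs going back to 2023. The script below is an added example for this briefing, not Cisco's code or log schema, showing the shape such a hunt takes over management-plane audit events: filter to successful events after a cutoff, then flag logins that arrive from outside the management subnet or from accounts outside the known-admin baseline, and any privileged account change. The line format, the management subnet, the admin baseline, the privileged-action names and every sample event are constructed assumptions; the parser is the part to replace with one for the real audit export.

```python
"""Retrospective hunt over management-plane audit logs from an edge device.

Added example for this briefing, not Cisco's code or log schema. The line format, the
management subnet, the known-admin set, the privileged-action names and every event below
are constructed assumptions; swap the parser for the real audit export before use.
"""
import re
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) audit: user=(?P<user>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>\S+)$"
)

MGMT_PREFIXES = ("10.10.0.",)            # assumed jump-host subnet allowed to reach the manager
KNOWN_ADMINS = {"netops", "svc-backup"}  # assumed baseline of legitimate administrative accounts
PRIVILEGED_CHANGES = {"user_create", "role_change", "cert_install"}  # assumed action names

# Constructed events. The 2023 login from a non-management address followed by an
# account creation is the kind of trace a successful authentication bypass leaves behind.
SAMPLE_AUDIT = """\
2022-12-30T11:02:00Z vmanage01 audit: user=netops src=10.10.0.5 action=login result=success
2023-08-14T03:12:44Z vmanage01 audit: user=admin src=198.51.100.23 action=login result=success
2023-08-14T03:13:10Z vmanage01 audit: user=admin src=198.51.100.23 action=user_create result=success
2024-02-01T09:00:01Z vmanage01 audit: user=netops src=10.10.0.5 action=login result=success
2024-02-01T09:05:00Z vmanage01 audit: user=netops src=10.10.0.5 action=config_push result=success
2024-05-02T14:00:00Z vmanage01 audit: user=svc-backup src=10.10.0.7 action=login result=failure
"""


def parse_event(line):
    """Parse one assumed-format audit line into a dict; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def hunt(lines, since="2023-01-01T00:00:00Z"):
    """Return successful events at or after `since` that break the management-plane baseline.

    Each finding carries every reason it tripped, so a single event that is both from the
    wrong network and from an unknown account is reported once with both reasons.
    """
    cutoff = datetime.fromisoformat(since.replace("Z", "+00:00"))
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["ts"] < cutoff or ev["result"] != "success":
            continue
        reasons = []
        if ev["action"] == "login":
            if not ev["src"].startswith(MGMT_PREFIXES):
                reasons.append("login from outside the management subnet")
            if ev["user"] not in KNOWN_ADMINS:
                reasons.append("login by an account outside the known-admin baseline")
        if ev["action"] in PRIVILEGED_CHANGES:
            reasons.append(f"privileged change: {ev['action']}")
        if reasons:
            findings.append({"ts": ev["ts"].isoformat(), "user": ev["user"],
                             "src": ev["src"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_AUDIT.splitlines()):
        print(f"{f['ts']} {f['user']}@{f['src']}: " + "; ".join(f["reasons"]))
```

Two cautions a practitioner will already know but the briefing does not spell out: an authentication bypass may produce a success record with no preceding failures, so do not filter on brute-force patterns; and if the device itself is suspect, hunt over logs forwarded to a separate collector rather than copies still resident on the appliance.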

Supply Chain Security Developments

NIST Workshop on Strategic Supply Chain Networks

  • NIST announced an upcoming workshop on "Building the Strategic Supply Chain Network" scheduled for March 9, 2026
  • The workshop will address vulnerabilities exposed by recent disruptions including pandemics, infrastructure failures, and changing trade policies
  • Critical infrastructure operators should consider participation to inform supply chain resilience strategies
  • Source: NIST

Developer Supply Chain Attacks

  • Multiple incidents this week highlight ongoing threats to software supply chains:
    • Malicious NuGet packages impersonating legitimate libraries
    • Fake job repositories targeting developers
    • Vulnerabilities in AI coding assistants
  • Organizations should implement software bill of materials (SBOM) practices and verify package integrity
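The NuGet incident under Emerging Attack Vectors and the package-integrity recommendation above point at the same routine control: checking what a project actually resolves against the list of libraries it meant to depend on. The script below is an added example for this briefing, not tooling from NuGet, Stripe or any cited source. It reads a `packages.lock.json` in the layout NuGet writes when lock files are enabled and flags package IDs that sit within a short edit distance of a trusted ID (typosquats) or that embed a trusted ID inside a longer name (namespace squats), while leaving unrelated third-party packages alone. The trusted list, the lock file and every lookalike ID in it are constructed for illustration and are not claims about real packages on nuget.org.

```python
"""Audit a NuGet packages.lock.json for dependencies that impersonate trusted libraries.

Added example for this briefing; not tooling from NuGet, Stripe or any cited source. The
trusted list, the lock-file contents and every lookalike package ID below are constructed
for illustration and are not claims about real packages on nuget.org.
"""
import json

# Assumed: the first-party libraries this project intentionally depends on.
TRUSTED = {"Stripe.net", "Newtonsoft.Json", "Microsoft.Extensions.Logging"}

# Constructed lock file in the packages.lock.json layout NuGet writes when
# RestorePackagesWithLockFile is enabled. Hashes are shortened placeholders.
SAMPLE_LOCK = json.dumps({
    "version": 1,
    "dependencies": {
        "net8.0": {
            "Stripe.net": {"type": "Direct", "requested": "[45.0.0, )",
                           "resolved": "45.0.0", "contentHash": "sha512-aaaa"},
            "Strlpe.net": {"type": "Direct", "requested": "[45.0.0, )",           # typosquat: 'l' for 'i'
                           "resolved": "45.0.0", "contentHash": "sha512-bbbb"},
            "Stripe.net.Official": {"type": "Direct", "requested": "[1.0.0, )",   # namespace squat
                                    "resolved": "1.0.0", "contentHash": "sha512-cccc"},
            "Newtonsoft.Json": {"type": "Transitive", "resolved": "13.0.3",
                                "contentHash": "sha512-dddd"},
            "Newtonsoft.Jsson": {"type": "Transitive", "resolved": "13.0.3",     # typosquat: extra 's'
                                 "contentHash": "sha512-eeee"},
            "Serilog": {"type": "Direct", "requested": "[4.0.0, )",               # unrelated, must not fire
                        "resolved": "4.0.0", "contentHash": "sha512-ffff"},
        }
    }
})


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_lock(lock_text, trusted=TRUSTED, max_distance=2):
    """Return lookalike findings for every framework section of the lock file.

    NuGet package IDs are case-insensitive, so comparison is done on lowercase IDs.
    An exact trusted match is skipped; a near-miss is a typosquat candidate; a longer ID
    that contains a trusted ID is a namespace-squat candidate.
    """
    data = json.loads(lock_text)
    trusted_lc = {t.lower(): t for t in trusted}
    findings = []
    for framework, deps in data.get("dependencies", {}).items():
        for pkg_id, meta in deps.items():
            pid = pkg_id.lower()
            if pid in trusted_lc:
                continue
            for tl, original in trusted_lc.items():
                distance = levenshtein(pid, tl)
                if distance <= max_distance:
                    reason = f"edit distance {distance} from trusted '{original}'"
                elif tl in pid:
                    reason = f"embeds trusted ID '{original}' (namespace squat)"
                else:
                    continue
                findings.append({"framework": framework, "package": pkg_id,
                                 "type": meta.get("type"), "reason": reason})
                break
    return findings


if __name__ == "__main__":
    for f in audit_lock(SAMPLE_LOCK):
        print(f"[{f['framework']}] {f['package']} ({f['type']}): {f['reason']}")
```

Run it in CI against the committed lock file so a lookalike cannot arrive through a transitive dependency unnoticed; the `type` field tells you whether a developer added it directly or something else pulled it in. Pair it with the lock file's `contentHash` pinning, which catches a trusted ID whose contents changed even when the name is exactly right.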

Cross-Sector Dependencies

EV Charging Infrastructure as Critical Nexus

  • This week's six CISA advisories affecting EV charging platforms highlight the growing interdependency between energy and transportation sectors
  • Compromise of charging infrastructure could impact:
    • Grid stability through coordinated charging manipulation
    • Transportation continuity through service disruption
    • Financial systems through billing fraud
    • Privacy through location and usage data exposure
  • Cross-sector coordination is essential for securing this emerging infrastructure

Public-Private Coordination

Europol Project Compass

  • Europol launched "Project Compass" as a new playbook for addressing "The Com"—a network of cybercriminal actors
  • Officials reported 30 arrests in the past year with improved global law enforcement cooperation
  • This initiative demonstrates the value of international public-private partnerships in combating cybercrime
  • Source: CyberScoop

Regulatory & Policy Developments

Federal Guidelines and Regulatory Changes

CISA Leadership Transition

  • Madhu Gottumukkala has departed as acting CISA director, with Andersen assuming the role
  • The transition follows reported criticisms of CISA's performance during the first year of the current administration
  • Critical infrastructure stakeholders should monitor for potential policy shifts under new leadership
  • Source: CyberScoop

CISA Emergency Directive on Cisco SD-WAN

  • CISA issued an emergency directive requiring federal agencies to mitigate the Cisco SD-WAN vulnerability
  • While binding only on federal agencies, the directive signals the severity of the threat and provides guidance applicable to all sectors
  • Source: Water ISAC

Pending Legislation

Healthcare Cybersecurity Reform

  • A legislative package overhauling HHS cybersecurity practices advanced through Senate committee
  • Healthcare sector organizations should prepare for potential new compliance requirements
  • Source: CyberScoop

International Policy Developments

UK Information Commissioner's Office Restructuring

  • The UK's data protection authority is transitioning from a single-leader model to a CEO and board structure
  • Organizations operating in the UK should monitor for potential changes in regulatory approach and enforcement priorities
  • Source: Infosecurity Magazine

Nebraska Joins Federal Infrastructure Review Initiative

  • Nebraska became the third state to participate in a federal effort to speed infrastructure reviews
  • This initiative may accelerate critical infrastructure projects while maintaining security considerations
  • Source: Homeland Security Today

Quantum Computing Preparedness

Post-Quantum Cryptography Transition

  • Multiple sources this week emphasized the urgency of preparing for post-quantum cryptography (PQC)
  • "Harvest now, decrypt later" attacks mean sensitive data encrypted today may be vulnerable to future quantum decryption
  • Organizations should begin cryptographic inventory and transition planning now
  • Source: Security Magazine, The Hacker News

Training & Resource Spotlight

Upcoming Workshops and Training

NIST Cybersecurity for IoT Workshop: Future Directions

  • Date: March 31, 2026
  • Focus: Emerging and future trends for IoT technologies and their cybersecurity implications
  • Topics: Automated and ubiquitous IoT, sophisticated threat landscapes, and defensive strategies
  • Relevance: Critical for ICS/OT security professionals as IoT integration in critical infrastructure expands
  • Source: NIST

Disclaimer

This briefing is generated using AI analysis of public news sources. Always verify critical information through authoritative sources before taking action.