
Cyber Threat Intelligence Report


 

This week, we briefed our clients on a wave of new phishing campaigns worth noting due to their large scale and varied techniques—here are the TTPs.


KEY TAKEAWAYS

  • Multiple large-scale phishing campaigns are affecting a variety of verticals. Learn the details and TTPs so you can protect your organization.

  • Critical and high-severity vulnerabilities in Cisco, Juniper, VMware, and Trend Micro products, plus new additions to the CISA KEV catalog: patch now!



 

Phishing Campaign Rundown

Over the last few weeks, there has been a surge in reports of various phishing campaigns affecting a wide variety of industry verticals and targets. While phishing attacks are always a constant threat, these new waves of attacks are worth noting due to their scale and varied techniques. The sections below highlight relevant campaigns observed in recent weeks.

 

Fake Tech Support

Security researchers at Huntress recently detailed a "fake tech support" phishing scam that affected multiple partners. The campaign follows a consistent pattern: a large volume of spam email floods the victim's inbox, followed by a phone call from "IT Support" that leads the victim to download malware. This fake tech support scheme was famously used by the Black Basta ransomware group in 2025. The attacker, posing as IT Support, convinces the victim to install RMM tools such as Quick Assist or AnyDesk, which the attacker then uses for persistence. This is followed by additional malicious payloads, including Havoc C2, a post-exploitation command-and-control framework. While the Huntress team disrupted the attacks before total compromise was achieved, it is believed that the end goal of these intrusions was data exfiltration and/or ransomware.

 

OAuth Redirection Abuse

Microsoft recently published a security blog detailing an active campaign that abuses legitimate OAuth redirection mechanisms to enable token theft and malware delivery. The campaign has been observed targeting government and public-sector organizations using a variety of lures, such as e-signature requests, Social Security notices, meeting invitations, and password resets. Each of these lures contains a link to an OAuth redirect URL. In this campaign, threat actors create malicious OAuth applications in a tenant they control and configure them with a redirect URI that points to their infrastructure. The specially crafted links in the email lures trigger authentication errors, which force the identity provider to redirect users to the attacker-configured redirect URI. In certain cases, the victim is sent to a phishing page where an attacker-in-the-middle framework such as EvilProxy is leveraged to harvest session cookies, effectively bypassing MFA. In other cases, victims are redirected to an attacker-controlled page where a malicious ZIP file is downloaded to the victim's machine. Administrators are urged to review the Microsoft blog here for mitigation and hardening recommendations.
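One way to triage links of this kind before they reach users is to check whether a link to the identity provider's authorize endpoint carries a redirect_uri whose host is not one of your tenant's own registered redirect hosts. The following is an added example, not code from Microsoft's blog; the identity-provider host and the allowlisted redirect host are assumptions and the sample URLs are constructed.

```python
from urllib.parse import urlparse, parse_qs

# Assumed identity-provider host(s) whose authorize endpoint the lures point at.
IDP_HOSTS = {"login.microsoftonline.com"}
# Assumed allowlist: redirect hosts used by applications registered in OUR tenant.
TRUSTED_REDIRECT_HOSTS = {"myapps.example.com"}  # constructed placeholder


def check_oauth_link(url, trusted=TRUSTED_REDIRECT_HOSTS):
    """Return a list of findings for a link, or [] if nothing stands out.

    Only links to the IdP authorize endpoint are assessed. A redirect_uri on
    such a link names the host the IdP will send the browser to after success
    or an authentication error, so an unknown host is what we want to surface.
    """
    findings = []
    parsed = urlparse(url)
    if parsed.hostname not in IDP_HOSTS:
        return findings  # not an IdP link; out of scope for this check
    for redirect in parse_qs(parsed.query).get("redirect_uri", []):
        target = urlparse(redirect)
        host = target.hostname or ""
        if host not in trusted:
            findings.append(f"redirect_uri host not allowlisted: {host}")
        if target.scheme != "https":
            findings.append(f"redirect_uri is not https: {target.scheme}")
    return findings


# Constructed sample links for demonstration.
BENIGN_LINK = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
               "?client_id=00000000-0000-0000-0000-000000000000"
               "&redirect_uri=https%3A%2F%2Fmyapps.example.com%2Fcallback")
SUSPECT_LINK = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
                "?client_id=00000000-0000-0000-0000-000000000000"
                "&redirect_uri=https%3A%2F%2Fdocs-esign.invalid%2Fcb")

if __name__ == "__main__":
    for link in (BENIGN_LINK, SUSPECT_LINK):
        print(link[:60] + "...", check_oauth_link(link) or "ok")
```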

 

Diesel Vortex

Security researchers at haveibeensquatted.com published a detailed report on a sophisticated phishing campaign targeting freight and logistics organizations across the US and Europe. This campaign has been attributed to a Russian cybercrime group known as Diesel Vortex. The campaign has been running since at least September 2025, and the researchers found evidence of over 1,649 unique stolen credentials from various logistics companies. The campaign relies on typo-squatted domains to fool users, and on iframes to hide the real malicious phishing sites. The user is presented with a semi-legitimate-looking .com domain (the typosquat), but this page contains a full-page iframe that points to the malicious domain where the real phishing content lives (typically on .top or .icu TLDs). A full list of IOCs can be found in the report here.
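The iframe pattern described above is something a URL-sandbox or mail-gateway pipeline can look for in fetched landing pages: a frame that covers the whole viewport and whose source host differs from the page's own host, especially on the TLDs the report calls out. This is an added example, not code from the haveibeensquatted.com report; the sample HTML and domain names are constructed, and the TLD watchlist is taken from the report's observation rather than being exhaustive.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

WATCH_TLDS = {"top", "icu"}  # TLDs the report associates with the real phishing content


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def _is_full_page(attrs):
    # Heuristic: 100% width and height (via style or attributes), or a fixed-position frame.
    style = attrs.get("style", "").replace(" ", "").lower()
    if "position:fixed" in style:
        return True
    if "width:100%" in style and "height:100%" in style:
        return True
    return attrs.get("width", "").strip() == "100%" and attrs.get("height", "").strip() == "100%"


def find_hidden_phish_frames(html, page_host):
    """Return (frame_host, reasons) for each cross-host iframe that looks suspicious."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        host = urlparse(attrs.get("src", "")).hostname or ""
        if not host or host == page_host:
            continue  # same-origin or relative frames are not what we are after
        reasons = []
        if _is_full_page(attrs):
            reasons.append("full-page frame to another host")
        tld = host.rsplit(".", 1)[-1]
        if tld in WATCH_TLDS:
            reasons.append(f"watchlisted TLD .{tld}")
        if reasons:
            findings.append((host, reasons))
    return findings


# Constructed sample: a typosquat .com shell page wrapping the real phishing host.
SAMPLE_HTML = """<html><body style="margin:0">
<iframe src="https://secure-login.freightco-portal.top/" style="position:fixed; top:0; left:0; width:100%; height:100%; border:0"></iframe>
<iframe src="/legit-widget" width="300" height="200"></iframe>
</body></html>"""
```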

  

Fake LastPass Support

Last week LastPass published a blog detailing a phishing campaign targeting their users. Attackers are using fake email chains as phishing lures, showing fabricated conversations between "LastPass Support" and an "attacker". The lures claim that an unauthorized individual is attempting to gain access, and the email includes a link to "secure your vault". Clicking the link redirects to a fake LastPass SSO page, hosted at verify-lastpass[.]com. It should be noted that, per LastPass, they will never ask for your master password. Any email or notification that requests this information should be treated as malicious.

 


Vulnerability Roundup

 

Cisco Catalyst SD-WAN Vulnerabilities Actively Exploited

On February 25, Cisco published a security advisory detailing a maximum-severity vulnerability in the Cisco Catalyst SD-WAN Controller. Tracked as CVE-2026-20127, the vulnerability allows an unauthenticated remote attacker to bypass authentication and obtain administrative (non-root) privileges. On the same day, Cisco Talos published a blog presenting evidence that this vulnerability has been exploited in the wild as a 0-day since 2023 by a threat actor they track as "UAT-8616". After exploiting the above vulnerability, the threat actor would downgrade the software version in order to exploit CVE-2022-20775 and gain root privileges, then restore the original software version.

The table below shows affected versions and their corresponding fixed release:

 

[Table image: affected Cisco Catalyst SD-WAN versions and corresponding fixed releases; not available in this extraction]

Administrators are urged to update as soon as possible. Additionally, administrators can look for evidence of compromise by reviewing the /var/log/auth.log file for entries related to "Accepted publickey for vmanage-admin". An example log is below:
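A small scanner for that check, as an added example that is not from the Cisco or Talos advisories: it reads auth.log lines in standard OpenSSH syslog format, keeps only public-key logins for the vmanage-admin account, and marks any whose source address is outside an operator-supplied set of expected sources (that allowlist is an assumption; the sample log lines below are constructed).

```python
import re

# sshd "Accepted publickey" line in standard OpenSSH syslog format.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted publickey for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)


def find_vmanage_admin_logins(lines, user="vmanage-admin", expected_sources=()):
    """Return one dict per public-key login as `user`.

    `review` is True when the source address is not in `expected_sources`;
    with an empty allowlist every hit is flagged, which is the conservative
    default when you do not yet know which peers legitimately use the account.
    """
    hits = []
    for line in lines:
        m = ACCEPTED_RE.match(line.rstrip("\n"))
        if not m or m.group("user") != user:
            continue
        hits.append({
            "ts": m.group("ts"),
            "host": m.group("host"),
            "src": m.group("src"),
            "port": int(m.group("port")),
            "review": m.group("src") not in set(expected_sources),
        })
    return hits


# Constructed sample lines; addresses are documentation ranges, not real IOCs.
SAMPLE_AUTH_LOG = [
    "Feb 26 09:14:02 vmanage sshd[2211]: Accepted password for admin from 10.0.0.5 port 50122 ssh2",
    "Feb 26 09:15:47 vmanage sshd[2290]: Accepted publickey for vmanage-admin from 198.51.100.23 port 41022 ssh2: RSA SHA256:constructed",
    "Feb 26 09:20:11 vmanage sshd[2301]: Failed password for invalid user test from 10.0.0.9 port 50233 ssh2",
    "Feb 26 09:22:08 vmanage sshd[2333]: Accepted publickey for vmanage-admin from 10.0.0.7 port 41100 ssh2: RSA SHA256:constructed",
]

if __name__ == "__main__":
    for hit in find_vmanage_admin_logins(SAMPLE_AUTH_LOG, expected_sources=("10.0.0.7",)):
        print(("REVIEW " if hit["review"] else "ok     ") + f"{hit['ts']} {hit['src']}")
```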

It should also be noted that Cisco revised the original advisory to state that its PSIRT is aware of in-the-wild exploitation of two additional vulnerabilities: CVE-2026-20128 (a medium-severity information disclosure flaw that requires a local attacker to have valid vManage credentials) and CVE-2026-20122 (which can only be exploited by an attacker with valid read-only credentials and API access).

 

Maximum-Severity Vulnerabilities in Cisco Secure FMC

On March 4, Cisco disclosed two maximum-severity flaws in the Cisco Secure Firewall Management Center (FMC) Software. The first vulnerability, tracked as CVE-2026-20079, allows an unauthenticated remote attacker to bypass authentication and execute script files on an affected device to obtain root access to the underlying OS. The second vulnerability, tracked as CVE-2026-20131, is an insecure deserialization flaw that allows an unauthenticated remote attacker to execute arbitrary Java code as root on an affected device. Per both advisories, the flaws affect Cisco Secure FMC Software and Cisco Security Cloud Control (SCC) Firewall Management, regardless of device configuration. However, since these are SaaS offerings, the flaws have been mitigated by Cisco as part of maintenance and no user action is required. Cisco is also not aware of any active exploitation or proof-of-concept exploit code in the wild.


 

Critical Vulnerability in Juniper PTX Routers

On February 25, Juniper released a security advisory detailing a critical vulnerability affecting Junos OS Evolved on PTX Series routers. The vulnerability, tracked as CVE-2026-21902, allows an unauthenticated network-based attacker to execute code as root. This flaw is due to a misconfiguration of the On-Box Anomaly detection framework that allows the service to be accessed externally. The vulnerability affects Junos OS Evolved on PTX Series "25.4 versions before 25.4R1-S1-EVO, 25.4RS-EVO". It does not affect Junos OS Evolved versions before 25.4R1-EVO, nor does it affect Junos OS. Administrators are urged to patch as soon as possible. A workaround is also available. Per the advisory, it is recommended to use access lists or firewall filters to limit access to only trusted networks and hosts. Additionally, the vulnerable service can be disabled with the following command: 'request pfe anomalies disable'.


 

VMware Aria Operations Flaw Actively Exploited

Broadcom published a security advisory addressing a high-severity vulnerability affecting VMware Aria Operations. The vulnerability, tracked as CVE-2026-22719, allows an unauthenticated attacker to execute arbitrary commands, which may lead to remote code execution, while "support-assisted product migration is in progress." The flaw affects the following platforms:

    • VMware Cloud Foundation and VMware vSphere Foundation versions 9.x.x.x, fixed 9.0.2.0
    • VMware Aria Operations versions 8.x, fixed 8.18.6

Administrators are urged to patch as soon as possible, as CISA identified this vulnerability as being actively exploited.

  

Critical Vulnerabilities in Trend Micro Apex One

Trend Micro recently released fixes for two critical vulnerabilities in their Apex One endpoint security platform. Both vulnerabilities, tracked as CVE-2025-71210 and CVE-2025-71211, are path traversal flaws that allow attackers without privileges to execute malicious code on unpatched systems. Per the Trend Micro security advisory, the attacker must have access to the Trend Micro Apex One Management Console to exploit these vulnerabilities. Administrators are advised to apply the "Critical Patch Build 14136". In addition to patching, it is recommended that access to the Management Console is restricted as much as possible.

 

CISA KEV Additions

The following vulnerabilities were added to CISA's Known Exploited Vulnerabilities Catalog in the last 2 weeks:

  • CVE-2023-41974 - Apple iOS and iPadOS Use-After-Free Vulnerability
  • CVE-2021-30952 - Apple Multiple Products Integer Overflow or Wraparound Vulnerability
  • CVE-2023-43000 - Apple Multiple Products Use-After-Free Vulnerability
  • CVE-2021-22681 - Rockwell Multiple Products Insufficient Protected Credentials Vulnerability
  • CVE-2017-7921 - Hikvision Multiple Products Improper Authentication Vulnerability
  • CVE-2026-21385 - Qualcomm Multiple Chipsets Memory Corruption Vulnerability
  • CVE-2026-22719 - Broadcom VMware Aria Operations Command Injection Vulnerability
  • CVE-2026-20127 - Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass Vulnerability
  • CVE-2022-20775 - Cisco SD-WAN Path Traversal Vulnerability
  • CVE-2026-25108 - Soliton Systems K.K FileZen OS Command Injection Vulnerability

 

 


 


NOTE
We have enhanced our report with data from SOCRadar. You may need to register to view their threat intelligence content.

DISCLAIMER
Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.