AV | This week in Cybersecurity

2026 Week 5


This week in Cybersecurity

This week’s signal is a human and identity driven intrusion pattern (vishing + SSO session theft) with platform-native trust abuse (Teams brand impersonation, Zendesk ticket spam) and software supply-chain bypasses (npm Git dependencies, malicious VS Code extensions). The result is a measurable increase in Credential Compromise / Session Hijack risk (↑) and Developer Toolchain exposure (↑), while patch-driven exploitation continues to accelerate for edge and infrastructure platforms (Cisco UC/Webex zero-day; VMware vCenter RCE in KEV; FortiGate patch bypass).


Operational Technology (OT) security gets a material policy-level lift: CISA + UK NCSC + FBI published Operational Technology (OT) secure connectivity principles that can drive programmatic reduction in exploitability (↓) when adopted. Meanwhile, CISA’s PQC product categories push long-horizon crypto-agility planning forward; this matters for insurers and financial services firms that retain data for long periods.


Key Signals & What Changed

  • SSO + MFA bypass pressure increases (↑): adaptable vishing kits synchronize victim flows to defeat non-phishing-resistant MFA; ShinyHunters claims involvement in SSO-related data theft.

  • Enterprise comms “trust surface” hardening begins (↓): Teams rolling out brand impersonation warnings by default (targeted release).

  • Security tooling adds anti-phishing guardrails (↓): 1Password introduces URL-mismatch warnings (autofill + paste protections).

  • Supply chain & dev ecosystem pressure persists (↑): npm defenses can be bypassed via Git dependencies; malicious VS Code “AI assistant” extensions exfiltrate developer data at scale.

  • Patch bypass / known exploitation continues (↑): VMware vCenter RCE flagged as actively exploited; FortiGate “patched but still getting hacked” pattern expands blast radius.


Threat Activity Highlights (what mattered most)

  1. Identity-first intrusions (vishing + SSO/session theft): attackers use real-time phone social engineering + dynamic phishing flows to capture credentials and/or session tokens, enabling rapid lateral movement into SaaS and enterprise apps.

  2. Dev and build pipeline targeting: malicious IDE extensions and npm bypass paths increase odds of code/IP theft and downstream supply-chain compromise.

  3. Infrastructure exploitation velocity: actively exploited enterprise vulnerabilities (Cisco UC/Webex; VMware vCenter; Fortinet bypass) reinforce “patch + validate + monitor” as a weekly cadence, not a quarterly motion.

  4. Trust-abuse spam and impersonation: Zendesk ticket spam waves and brand impersonation calls highlight growing abuse of legitimate platforms for scale.


Critical Vulnerabilities & Exploitation Watchlist (prioritize this week)

Actively exploited / urgent

  • Cisco Unified Communications / Webex Calling - CVE-2026-20045 (RCE; exploited as zero-day).

  • VMware vCenter Server - CVE-2024-37079 (RCE; now in KEV / actively exploited).

  • Fortinet FortiGate - CVE-2025-59718 (auth bypass; reports of patch bypass / continued exploitation).


High-impact / rapid weaponization risk

  • Telnet injection path (reported large exposed surface; exploitation observed quickly after disclosure/patch).

  • WordPress ACF Extended - CVE-2025-14533 (admin/priv-esc style site takeover risk). Why is anyone still using WordPress?

  • CISA exploitation advisory (multi-product) - exploitation confirmed across multiple enterprise software components (treat as “verify exposure now”).


Recommended Actions This Week (do-now checklist)

  • Identity / SSO: enforce phishing-resistant MFA (passkeys/FIDO2) for privileged and high-value SaaS; tighten Okta network zones / tenant allowlists; disable legacy auth where possible.

  • Comms trust controls: prepare Teams helpdesk playbooks for impersonation warnings; add end-user “verify-before-comply” scripts for inbound calls.

  • DevSecOps hardening: block unapproved IDE extensions; enforce signed extensions where possible; restrict npm Git dependencies and add pipeline policy checks.

  • Exploit mitigation: patch Cisco/VMware/Fortinet urgently; add detection for suspicious admin creation / config exports on firewalls.

  • OT programs: apply the OT secure connectivity principles as design requirements for any new integrations and remote access.


FAIR QuickQuant (12-month annualized)


Scenario A - Vishing defeats non-phishing-resistant MFA → Okta SSO takeover (↑)

  • Threat Actor / Method: organized fraud / extortion crews using real-time vishing + dynamic phishing kits

  • Asset: Okta tenant / SSO session tokens and admin workflows

  • Effect: unauthorized access to SaaS apps + data exfil + potential extortion

  • Loss Event Frequency (LEF) (annual): 0.5 – 2.0 / year

  • Loss Magnitude (LM) (per event): $750k – $6.0M

  • Annualized Loss Exposure (ALE): $375k – $12.0M / year


Scenario B - FortiGate auth bypass / patch-bypass → rogue admin + config exfil (↑)

  • Threat Actor / Method: automated exploitation + persistence account creation

  • Asset: perimeter firewall, VPN config, segmentation rules

  • Effect: persistent access, lateral movement enablement, partner risk

  • LEF (annual): 0.25 – 1.0 / year

  • Loss Magnitude (per event): $500k – $8.0M

  • Annualized Loss Exposure: $125k – $8.0M / year


Scenario C - Malicious VS Code extension → source/IP exfil + downstream compromise (↑)

  • Threat Actor / Method: trojanized “AI assistant” extension siphoning code/credentials

  • Asset: developer endpoints + repositories + build secrets

  • Effect: IP loss, credential theft, supply-chain exposure

  • LEF (annual): 0.25 – 1.5 / year

  • Loss Magnitude (per event): $300k – $5.0M

  • Annualized Loss Exposure: $75k – $7.5M / year
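The three QuickQuant scenarios above are bound arithmetic (ALE bounds = LEF bounds × LM bounds). The following is an added example, not part of the newsletter: it reproduces those bounds, sums them into a portfolio range, and adds a labelled-assumption Monte Carlo (uniform LEF and LM inside the stated bounds, Poisson event counts) to show how far a typical year sits from the max-times-max figure.

```python
"""Added example (not from the newsletter): FAIR QuickQuant bound math plus a
Monte Carlo under an ASSUMED uniform distribution. Only the LEF and LM bounds
come from the page; scenario keys are labels chosen here."""
import math
import random

# Scenario ranges as stated on the page (LEF in events/year, LM in USD per event).
SCENARIOS = {
    "A_vishing_sso_takeover": {"lef": (0.5, 2.0), "lm": (750_000, 6_000_000)},
    "B_fortigate_patch_bypass": {"lef": (0.25, 1.0), "lm": (500_000, 8_000_000)},
    "C_malicious_vscode_ext": {"lef": (0.25, 1.5), "lm": (300_000, 5_000_000)},
}


def ale_bounds(lef, lm):
    """QuickQuant arithmetic: ALE_min = LEF_min * LM_min, ALE_max = LEF_max * LM_max."""
    return (lef[0] * lm[0], lef[1] * lm[1])


def portfolio_bounds(scenarios):
    """Sum per-scenario bounds (assumes the scenarios are independent and additive)."""
    lo = sum(ale_bounds(s["lef"], s["lm"])[0] for s in scenarios.values())
    hi = sum(ale_bounds(s["lef"], s["lm"])[1] for s in scenarios.values())
    return (lo, hi)


def simulate_ale(lef, lm, trials=20_000, seed=1):
    """ASSUMPTION: LEF and LM are uniform within their bounds (the page gives no
    distribution). Returns (mean, p90) of simulated annual loss in USD."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        rate = rng.uniform(*lef)           # this year's event rate
        limit, p, events = math.exp(-rate), 1.0, 0
        while True:                        # Knuth's Poisson sampler
            p *= rng.random()
            if p <= limit:
                break
            events += 1
        losses.append(sum(rng.uniform(*lm) for _ in range(events)))
    losses.sort()
    return (sum(losses) / trials, losses[int(0.9 * trials)])


if __name__ == "__main__":
    for name, s in SCENARIOS.items():
        print(name, "bounds:", ale_bounds(s["lef"], s["lm"]),
              "simulated (mean, p90):", simulate_ale(s["lef"], s["lm"]))
    print("portfolio bounds:", portfolio_bounds(SCENARIOS))
```

The simulated mean lands near the midpoint product (about $4.2M for Scenario A), well below the $12.0M upper bound, which is the point of quoting ranges rather than a single worst-case number.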


FAIR-CAM Control Mapping (controls that reduce this week’s threats)

Avoidance (↓)

  • Reduce exposed attack paths: disable unnecessary remote admin paths; restrict Telnet/legacy services; remove unsupported auth flows.

Deterrence (↓)

  • Strong account recovery & impersonation friction: Teams impersonation warnings + reporting; publicized enforcement + rapid suspension for abuse.

Resistance (↓)

  • Phishing-resistant MFA/passkeys; device-bound session protections; conditional access; extension allowlisting; package policy gates.

Responsive (↓)

  • Detect rogue admin creation / config exports; IR playbooks for SSO compromise; rapid credential rotation; tenant lockdown procedures.
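The checklist item "add detection for suspicious admin creation / config exports on firewalls" and the Responsive control above both reduce to the same detection logic. The following is an added example, not code from the newsletter or from Fortinet: it runs over constructed key="value" event lines that imitate FortiGate-style syslog records (the field names, values and trusted network prefixes are assumptions for this example) and flags admin creation, config export, and the chain of an export performed by a freshly created account.

```python
"""Added example (not the newsletter's code): minimal detector for rogue admin
creation and config export on a firewall, over CONSTRUCTED sample events."""
import re

# Constructed sample events (not real logs). Modelled on FortiGate-style
# key="value" records; exact field names are assumptions for this example.
SAMPLE_LOGS = """\
date=2026-01-30 time=09:12:01 type="event" subtype="system" user="admin" srcip="10.0.0.5" action="login" logdesc="Admin login successful"
date=2026-01-30 time=09:13:44 type="event" subtype="system" user="admin" srcip="203.0.113.7" action="Add" cfgpath="system.admin" cfgobj="svc_backup" logdesc="Object attribute configured"
date=2026-01-30 time=09:14:10 type="event" subtype="system" user="svc_backup" srcip="203.0.113.7" action="backup" logdesc="Configuration backed up"
date=2026-01-30 time=10:02:33 type="event" subtype="system" user="netops" srcip="10.0.0.9" action="Edit" cfgpath="firewall.policy" cfgobj="42" logdesc="Object attribute configured"
"""

# Assumed internal admin networks; any other source is treated as external.
TRUSTED_PREFIXES = ("10.", "192.168.")
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value line into a dict; quoted and bare values both accepted."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in FIELD_RE.finditer(line)}


def detect(log_text):
    """Return alert tuples. ADMIN_CREATED: (type, new account, actor, external?).
    CONFIG_EXPORT: (type, actor, actor_was_created_in_window?, external?)."""
    alerts, created = [], set()
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        src_external = not ev.get("srcip", "").startswith(TRUSTED_PREFIXES)
        if ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add":
            created.add(ev.get("cfgobj"))
            alerts.append(("ADMIN_CREATED", ev["cfgobj"], ev["user"], src_external))
        elif ev.get("action") == "backup":
            # Export by an account created earlier in the window is the
            # persistence-then-exfil chain described in Scenario B.
            alerts.append(("CONFIG_EXPORT", ev["user"], ev["user"] in created, src_external))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```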


Sector Notes (high-level)

  • Insurance/FinServ: identity compromise + long data retention makes PQC planning strategically relevant (→ now, ↓ later).

  • OT operators / critical infrastructure: connectivity principles provide a blueprint to reduce systemic exposure (↓ if adopted).

  • Software orgs: dev ecosystem risks remain one of the highest ROI areas for control investment (↑).


Metrics to Track (weekly)

  • % privileged accounts on phishing-resistant MFA

  • SaaS session/token theft alerts + time-to-contain

  • blocked/unapproved extensions and packages

  • Patch SLA for KEV / exploited vulns


Executive Decisions / Investment Signals

  • Fund identity hardening controls (passkeys/FIDO2 + conditional access) as a top-line risk reducer.

  • Expand dev toolchain governance (extension policy + supply chain gates).

  • Treat “patched-but-exploited” edge systems as assumed-breach and invest in continuous validation + monitoring.

 
 
 

© 2026 by Armes Vantage LLC operating as AV. All rights reserved.
