Cybersecurity Weekly Briefing, 4-10 April
A critical vulnerability in Cisco allows attackers to gain full control of the system by modifying passwords
Cisco has released updates to address several high-severity vulnerabilities. Among these is CVE-2026-20093 (CVSS v4 8.7), a vulnerability in the Cisco IMC password change function that allows attackers to bypass authentication remotely. Through a manipulated HTTP request, they could modify passwords and gain access with administrator privileges. There are no alternative mitigations, so it is recommended to update immediately; although there is no evidence of active exploitation or a public PoC, the flaw is trivial to exploit.
Furthermore, CVE-2026-20160 (CVSS v3 9.8) has been identified, a critical vulnerability in Smart Software Manager On-Prem (SSM On-Prem) that allows unprivileged attackers to remotely execute code on vulnerable systems. By sending a manipulated request to the exposed API, they can execute commands on the operating system with administrator privileges.
CERT EU attributes the theft of 340 GB from AWS on the europa.eu platform to TeamPCP
CERT EU has confirmed that the incident affecting the public europa.eu platform originated from the use of a compromised version of Trivy in the supply chain attack attributed with high confidence to TeamPCP, which allowed the attackers to obtain an AWS key with administrative privileges over other accounts linked to the European Commission.
Using this access, the actor deployed TruffleHog to search for further secrets, created new credentials for persistence, and carried out reconnaissance before exfiltrating 91.7 GB of compressed data—equivalent to 340 GB uncompressed—from the cloud backend of the europa.eu hosting service. The stolen data potentially affects the websites of 71 clients, including 42 internal Commission clients and at least 29 EU entities, and includes personal data such as first names, surnames, usernames, email addresses and the content of automated communications, with at least 51,992 files linked to outgoing notifications.
There is no evidence of further lateral movement or of an impact on internal systems.
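The activity chain described above (a stolen key used for persistence, reconnaissance and bulk exfiltration) lends itself to a simple per-key triage over CloudTrail-style events. The following is an added example, not code from the briefing or from CERT EU; the event records, access key IDs and the simplified `bytes` field are constructed, and the `bulk_threshold_bytes` default is an assumed value.

```python
# Added example (not from the briefing or CERT EU): score CloudTrail-style
# events per access key for the chain seen in the incident: a stolen key that
# creates new credentials for persistence, performs reconnaissance, and then
# bulk-reads data. All event records below are constructed.
from collections import defaultdict

PERSISTENCE = {"CreateAccessKey", "CreateUser", "CreateLoginProfile", "AttachUserPolicy"}
RECON = {"ListBuckets", "GetCallerIdentity", "ListUsers", "ListRoles", "DescribeInstances"}
BULK_READ = {"GetObject"}

# Constructed sample events in a simplified CloudTrail shape (not real logs).
SAMPLE_EVENTS = [
    {"accessKeyId": "AKIA_EXAMPLE_CI", "eventName": "GetCallerIdentity", "bytes": 0},
    {"accessKeyId": "AKIA_EXAMPLE_CI", "eventName": "ListBuckets", "bytes": 0},
    {"accessKeyId": "AKIA_EXAMPLE_CI", "eventName": "CreateAccessKey", "bytes": 0},
    {"accessKeyId": "AKIA_EXAMPLE_CI", "eventName": "GetObject", "bytes": 60_000_000_000},
    {"accessKeyId": "AKIA_EXAMPLE_CI", "eventName": "GetObject", "bytes": 38_000_000_000},
    {"accessKeyId": "AKIA_EXAMPLE_WEB", "eventName": "GetObject", "bytes": 5_000},
    {"accessKeyId": "AKIA_EXAMPLE_WEB", "eventName": "PutObject", "bytes": 7_000},
]


def triage_keys(events, bulk_threshold_bytes=1_000_000_000):
    """Return {accessKeyId: sorted stage names} for every key that shows at
    least two of: persistence, reconnaissance, bulk read above the threshold."""
    by_key = defaultdict(lambda: {"stages": set(), "read_bytes": 0})
    for ev in events:
        rec = by_key[ev["accessKeyId"]]
        name = ev["eventName"]
        if name in PERSISTENCE:
            rec["stages"].add("persistence")
        elif name in RECON:
            rec["stages"].add("recon")
        elif name in BULK_READ:
            rec["read_bytes"] += ev.get("bytes", 0)
    findings = {}
    for key, rec in by_key.items():
        stages = set(rec["stages"])
        if rec["read_bytes"] >= bulk_threshold_bytes:
            stages.add("bulk_read")
        if len(stages) >= 2:  # one stage alone is normal CI or app behaviour
            findings[key] = sorted(stages)
    return findings


if __name__ == "__main__":
    for key, stages in triage_keys(SAMPLE_EVENTS).items():
        print(f"{key}: {', '.join(stages)}")
```

In a real environment the same grouping would be keyed on the CloudTrail `userIdentity.accessKeyId` field and fed from S3 data events, which the simplified records here stand in for.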
Storm-1175: Medusa ransomware campaigns based on rapid exploitation of vulnerabilities
Microsoft Threat Intelligence attributes high-velocity ransomware campaigns to the threat actor Storm-1175, which primarily exploit N-day vulnerabilities—and in some cases, 0-day vulnerabilities—against exposed perimeter services during the window between disclosure and patching. Following the initial exploitation, the actor rapidly progresses to data exfiltration and deployment of Medusa ransomware, sometimes within less than 24 hours.
Since 2023, the exploitation of more than 16 vulnerabilities has been observed in Exchange, PaperCut, Ivanti, ScreenConnect, TeamCity, SimpleHelp, CrushFTP, GoAnywhere MFT, SmarterMail and BeyondTrust. In the post-compromise phase, the actor establishes persistence by creating administrative accounts, uses LOLBins, RMMs such as Atera, N-able, ScreenConnect, AnyDesk or SimpleHelp, amongst others, and Impacket for lateral movement and credential theft. Finally, it disables or evades defences and uses Bandizip and Rclone for exfiltration before deploying Medusa on a large scale.
The sectors most affected include healthcare, education, professional services and finance.
BlueHammer exploit published for a local privilege escalation 0-day in Windows
A proof-of-concept (PoC) has been published for exploiting a privilege escalation vulnerability in Windows – for which no patch is currently available – that was previously reported privately to Microsoft. The flaw, dubbed BlueHammer, was disclosed by the researcher known as Chaotic Eclipse, who expressed his dissatisfaction with the Microsoft Security Response Centre’s handling of the case.
The exploit was published on GitHub under the alias Nightmare-Eclipse, although the author himself indicated that the PoC contains errors that affect its reliability. Analyst Will Dormann confirmed that the exploit works and described the vulnerability as a local privilege escalation that combines a TOCTOU (time-of-check/time-of-use) condition with path confusion, allowing access to the SAM database.
This access enables the retrieval of local password hashes and subsequent escalation to SYSTEM privileges, resulting in full system compromise. On Windows Server, the exploit elevates a non-administrator user to administrator, but does not reach SYSTEM.
Microsoft stated that it is investigating the reports in accordance with its coordinated disclosure processes, without yet announcing a fix.
Atomic Stealer distribution campaign via ClickFix
Researchers at Jamf have identified a new campaign distributing the Atomic Stealer (AMOS) malware via a variant of the ClickFix social engineering attack, which exploits the legitimate Script Editor app on macOS.
The campaign involves luring users to fake Apple-themed websites that masquerade as guides for freeing up disk space; these sites open the Script Editor with preloaded malicious code that executes obfuscated commands to download and launch the payload in memory, thereby bypassing system protections.
The impact is the mass theft of credentials, passwords, cookies, credit card details, keychain data and cryptocurrency wallet details and, in recent versions, the establishment of persistence via a backdoor.
◾ This newsletter is one of the deliverables of our Operational and Strategic Intelligence service. If you are interested in knowing the rest of the Operational and Strategic Intelligence contents included in the service, please contact us →