Cisco Zero-Day Exploited, Amadey/StealC Takedown, Global Breach Wave
Summary
Today's intelligence landscape is defined by a convergence of high-impact operational security events and a sustained, broad-based data breach wave. The most significant developments are the confirmed exploitation of a Cisco Catalyst SD-WAN zero-day vulnerability for root-level access at a communications provider, and a coordinated law enforcement takedown of the Amadey botnet and StealC infostealer infrastructure. Simultaneously, analysts tracked over 50 alleged data exposure events, indicating that opportunistic and targeted threat actors continue to target a wide range of sectors globally, with a notable focus on healthcare, government, and financial services. Defenders should prioritize patching Cisco SD-WAN appliances and reviewing their environments for indicators related to the Amadey/StealC disruption.
Today's developments
Critical Infrastructure and Supply-Chain Threats: Industry researchers from Mandiant and Google Threat Intelligence have detailed a sophisticated intrusion campaign targeting a communications service provider, where a threat actor exploited a zero-day vulnerability (CVE-2026-20245) in Cisco Catalyst SD-WAN Manager. The actor allegedly used rogue peering connections and credential manipulation to gain initial access, then leveraged the vulnerability to escalate privileges to root. The campaign involved extensive anti-forensic measures, including file deletion and configuration restoration, to avoid detection. This incident underscores the "living off the edge" paradigm, where network appliances become prime targets for persistent access. Separately, researchers flagged a new class of CI/CD workflow weakness, codenamed "Cordyceps," which could allow attackers to hijack workflows and compromise over 300 GitHub repositories, posing a significant supply-chain risk.
Major Law Enforcement Action: A coordinated international operation, involving Europol, Microsoft, ESET, and other partners, resulted in the disruption of criminal infrastructure behind the Amadey botnet and StealC infostealer. Over 200 command-and-control servers were taken down, and more than 27 million stolen credentials were recovered. Security reporters note this is a first-of-its-kind court-authorized takedown targeting two distinct cybercrime tools simultaneously, reflecting a more aggressive and collaborative approach to disrupting malware-as-a-service ecosystems.
Widespread Data Exposure Events: The day saw a high volume of alleged data breaches and leaks across multiple sectors and geographies. Notable incidents include:
- Government & Healthcare: Alleged breaches of the Ministry of Health of Northern Cyprus, Guatemala's Ministerio de Salud Publica, and the U.S. Internal Revenue Service. In France, the Ordre National des Pedicures-Podologues (ONPP) website was allegedly compromised.
- Financial Services: Alleged data breaches targeting STB Bank Tunisia and AYA Bank in Myanmar, and an alleged sale of financial leads from Brazil. A separate leak allegedly involves bank account data drawn from worldwide sources.
- Education: Alleged data breaches at King Faisal University (Saudi Arabia) and the University of Magdalena (Colombia), with the latter reportedly involving 20,000 records.
- Other Sectors: Incidents include a webshell on science.nasa.gov, a breach of a U.S. driving school software provider (novadriving.com), and alleged leaks of Australian email and telephone records. The LockBit actor is also alleged to be selling a global bank account dataset.
Threat landscape signals
The day's events reveal several key patterns. First, actor concentration is high, with groups like Hax.or, NoName057(16), and The Gentlemen accounting for a significant portion of tracked events, primarily in DDoS and defacement activities. Second, the victimology is diverse but shows a strong bias toward the United States (22 events), followed by France and Slovakia. The targeting of government and healthcare entities in multiple countries (Cyprus, Guatemala, Peru, France) suggests a persistent interest in sensitive personal and administrative data. Third, the simultaneous disruption of Amadey and StealC, combined with the exploitation of a Cisco zero-day, highlights the dual challenge defenders face: defending against both widespread, commoditized malware and highly targeted, advanced persistent threats. The emergence of the Cordyceps CI/CD vulnerability further emphasizes the growing attack surface in software supply chains. Organizations should prioritize patching for Cisco SD-WAN and Unified CM vulnerabilities, conduct threat hunting for Amadey/StealC indicators, and reinforce security around CI/CD pipelines.