Weekly Cyber Briefing 27.02.2026

Weekly Cyber Update: 27 February 2026

Zero-day threats stalk Cisco SD-WAN users, and AI is blamed for helping threat actors target FortiGate firewalls and accelerate breakout time. Ransomware attack volumes and the cost of insider threats surge.

The Cyber Threat Intelligence Briefing is a weekly round-up of the latest cybersecurity news, trends and indicators, curated by our CISO, Nick Harris. Here’s our pick of the top stories, and why you should care.


Five Eyes agencies warn of multi-year Cisco SD-WAN exploitation

Security agencies in the US, UK, Canada, Australia and New Zealand have urged Cisco SD-WAN customers to patch a critical zero-day vulnerability which has been exploited since 2023. CVE-2026-20127 has a CVSS score of 10.0 and affects Cisco Catalyst SD-WAN Controller (formerly SD-WAN vSmart) and Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage). It could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system.

Why it matters

The NCSC said threat actors were using unauthorised access to “add a malicious rogue peer”. This technique could be used to silently intercept, inspect, modify and exfiltrate data, as well as probe deeper into a victim’s corporate network.

Assured’s recommended action

Follow NCSC guidance: conduct continuous threat hunting and promptly patch and harden the Cisco environment. If you believe you have been compromised, collect artefacts from the device and report to the NCSC.


AI helps hacker breach hundreds of FortiGate firewalls

A Russian-speaking hacker has used generative AI (GenAI) to compromise 600 FortiGate firewalls across 55 countries in five weeks, AWS has warned. Crucially, the attacks didn’t rely on vulnerability exploitation, but instead used brute-force techniques against exposed management interfaces protected only with weak credentials. The low-skilled actor apparently used at least two LLMs to generate attack methodologies, custom scripts, reconnaissance frameworks, lateral movement steps and operational documentation. The attacks were likely a precursor to ransomware deployment.

Why it matters

The case highlights how commercial GenAI is being used to lower barriers to entry for threat actors with fewer technical skills. In this campaign, when faced with well-protected/hardened environments, they simply moved on to easier targets.

Assured’s recommended action

Follow AWS advice to ensure FortiGate management interfaces are not exposed to the internet, and are protected with strong credentials and MFA. The report recommends a full audit, credential rotation, post-exploitation detection, and backup hardening.
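The campaign above succeeded through repeated password guessing against management interfaces, which is a pattern that shows up plainly in a firewall's own admin-login events. The following script is an added example, not code from AWS, Fortinet or Assured: it reads admin-login events in a FortiOS-style key=value format, raises an alert when one source IP accumulates five failed logins inside five minutes, flags a successful login that follows such a burst, and flags any successful admin login from outside the trusted management range. The sample log lines, the field names, the trusted range and the thresholds are all constructed assumptions for this example; adjust them to your own syslog output and network plan.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample lines in a FortiOS-style key=value event format. They are not
# taken from the briefing, the AWS report or a real device; the field names follow the
# common FortiOS admin-login event layout, but every value here is an assumption.
SAMPLE_LOGS = """\
date=2026-02-20 time=10:15:01 logid="0100032002" logdesc="Admin login failed" user="admin" srcip=203.0.113.5 action="login" status="failed"
date=2026-02-20 time=10:15:03 logid="0100032002" logdesc="Admin login failed" user="admin" srcip=203.0.113.5 action="login" status="failed"
date=2026-02-20 time=10:15:04 logid="0100032002" logdesc="Admin login failed" user="admin" srcip=203.0.113.5 action="login" status="failed"
date=2026-02-20 time=10:15:06 logid="0100032002" logdesc="Admin login failed" user="admin" srcip=203.0.113.5 action="login" status="failed"
date=2026-02-20 time=10:15:08 logid="0100032002" logdesc="Admin login failed" user="admin" srcip=203.0.113.5 action="login" status="failed"
date=2026-02-20 time=10:15:11 logid="0100032001" logdesc="Admin login successful" user="admin" srcip=203.0.113.5 action="login" status="success"
date=2026-02-20 time=10:20:00 logid="0100032002" logdesc="Admin login failed" user="netops" srcip=10.0.5.12 action="login" status="failed"
date=2026-02-20 time=10:20:30 logid="0100032001" logdesc="Admin login successful" user="netops" srcip=10.0.5.12 action="login" status="success"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

TRUSTED_MGMT_NETS = [ip_network("10.0.0.0/8")]  # assumption: the internal admin range
FAIL_THRESHOLD = 5             # failed logins from one source IP ...
WINDOW = timedelta(minutes=5)  # ... inside this window trigger a brute-force alert


def parse_line(line):
    """Turn one key=value event line into a dict, adding a parsed 'ts' timestamp."""
    fields = {}
    for key, value in KV_RE.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    fields["ts"] = datetime.fromisoformat(f"{fields['date']} {fields['time']}")
    return fields


def analyse(log_text):
    """Return (alert_type, srcip, user) tuples for the admin-login events in log_text."""
    alerts = []
    failures = defaultdict(list)  # srcip -> timestamps of recent failed admin logins
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev.get("action") != "login":
            continue
        src = ev["srcip"]
        if ev["status"] == "failed":
            # keep only failures inside the sliding window, then check the threshold;
            # the alert fires exactly once, when the count first reaches the threshold
            recent = [t for t in failures[src] if ev["ts"] - t <= WINDOW]
            recent.append(ev["ts"])
            failures[src] = recent
            if len(recent) == FAIL_THRESHOLD:
                alerts.append(("brute_force_burst", src, ev["user"]))
        elif ev["status"] == "success":
            recent = [t for t in failures[src] if ev["ts"] - t <= WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                # a guess that finally worked: treat the account as compromised
                alerts.append(("success_after_burst", src, ev["user"]))
            if not any(ip_address(src) in net for net in TRUSTED_MGMT_NETS):
                # any admin login from outside the management range means the
                # interface is reachable from somewhere it should not be
                alerts.append(("untrusted_source_login", src, ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOGS):
        print(alert)
```

On the constructed input the script reports one brute-force burst, one successful login immediately after that burst, and one successful login from an untrusted source, all for 203.0.113.5; the internal user's single typo from 10.0.5.12 produces nothing. The third check is the useful one for this story even without any brute force: a successful admin login from a non-management address is direct evidence that the interface is exposed, which is the condition the AWS guidance says to remove.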


Ransomware revenue down but groups and attack volumes surge

Total global crypto payments to ransomware extortionists last year reached $820m (£607m), down 8% year-on-year, according to blockchain analysis firm Chainalysis. The payment rate fell by more than half to 28% of victims. However, attack volumes surged 50% while the number of active groups increased to 85, far higher than in previous years. The median ransom payment rocketed by 368%, from $12,738 (£9,427) in 2024 to $59,556 (£44,076) in 2025.

Why it matters

Fewer payments mean more organisations are getting resilience right. But those that do get data stolen or encrypted are being forced to pay more in ransoms. Even organisations that refuse to pay may face a major bill for recovery and lost sales.

Assured’s recommended action

Improve resilience with defence-in-depth measures such as robust backups (including immutable copies), a zero-trust approach to identity and access management, risk-based patching, XDR/MDR, network segmentation, third-party risk management, and well-rehearsed incident response plans.


Threat actor breakout time accelerates thanks to AI

Two reports released this week warned that threat actors are becoming faster at progressing from initial access to lateral movement. CrowdStrike claimed average breakout time is now 29 minutes, while ReliaQuest put the figure at 34 minutes, although the former has seen attackers demonstrate this in less than a minute. The fastest recorded data exfiltration time was just six minutes. Use of GenAI tooling is allowing adversaries to speed up and automate reconnaissance, credential theft, and payload generation, among other steps.

Why it matters

When breakout time is this fast, SecOps teams have less time to respond before a potentially damaging data exfiltration/encryption event.

Assured’s recommended action

Use external attack surface management tools to identify and automatically remediate new exposures continuously. Segment networks and automate containment/isolation, enforce zero-trust/least-privilege policies, and consider how AI can accelerate SecOps. Run breakout simulations to test the SOC.


Mimecast portal hijack opens the door to invoice fraud

S-RM has identified threat actors hijacking users’ Mimecast Personal Portal to covertly achieve persistence and further business email compromise (BEC) schemes. The two attack variants detailed in the report exploit the shared authentication between Microsoft 365 and Mimecast. They start with the threat actor compromising M365 credentials and MFA tokens via phishing. From there, they can monitor email correspondence and send legitimate-looking fake invoices.

Why it matters

BEC can be a significant financial and reputational risk for organisations. While many will monitor their Outlook in M365, they may not do the same for emails exchanged via the Mimecast portal, creating a dangerous security blind spot.

Assured’s recommended action

Mimecast customers should review their administrative account access and enforce MFA. Validate authentication and impersonation protection policies, audit journaling, routing and mailbox permissions, and review API integrations and third-party access. Assured can support with a rapid assurance review to independently validate your configuration and reduce exposure.
