Cisco SD-WAN Management Planes and VMware ESXi Under Active Fire, Kyber Ransomware Double Platform Campaign
CISA Emergency Directive 26-03 and three new Cisco Catalyst SD-WAN KEV additions hit federal remediation deadlines today, while Kyber ransomware executes a confirmed dual-platform campaign against VMware ESXi and Windows infrastructure using hybrid post-quantum key encapsulation and targeted backup destruction.
CVSS Score: 10
IOC Count: 20
Source Count: 19
Confidence Score: 88
Chapter 01 - Executive Overview
Today's brief is anchored by two confirmed, high-consequence operational threat developments: the continued and escalating exploitation of Cisco Catalyst SD-WAN management planes, now the subject of CISA Emergency Directive 26-03 and multiple KEV additions; and the Kyber ransomware family's confirmed dual-platform campaign against VMware ESXi hypervisors and Windows file servers simultaneously. A third cluster — the CISA KEV 8-pack expansion covering seven additional product families including Quest KACE SMA (CVSS 10.0), Apache ActiveMQ, and Microsoft Defender — rounds out a brief with an unusually dense concentration of federally confirmed, actively exploited vulnerabilities reaching remediation deadlines today.
Cisco SD-WAN Management Planes Under Active Attack — Critical — Federal Government / Enterprise
CISA issued Emergency Directive 26-03 on February 25, 2026, after confirming active exploitation of CVE-2026-20127, a CVSS 10.0 authentication bypass in Cisco Catalyst SD-WAN Controller and Manager that allows unauthenticated remote attackers to obtain administrative privileges and access NETCONF to manipulate network configurations across entire SD-WAN fabrics. CVE-2022-20775 is chained with CVE-2026-20127 to escalate privileges to root-level persistence. Three additional Manager vulnerabilities — CVE-2026-20122, CVE-2026-20128, and CVE-2026-20133 — were added to the KEV catalog on April 20, 2026, with FCEB remediation deadlines for these three falling today, April 23.
At the business level, SD-WAN controllers and managers sit at the heart of network control planes, so compromise translates into traffic hijacking, lateral movement, and stealthy persistence across distributed sites rather than isolated host-level incidents. Leaders should treat unpatched SD-WAN management as a systemic risk comparable to a domain controller breach.
CISO-Level Decision — Cisco SD-WAN: Escalate. FCEB deadline for CVE-2026-20122, CVE-2026-20128, and CVE-2026-20133 expired today. Treat remediation as an emergency programme with board-level visibility. Unpatched status is a confirmed regulatory and operational risk.
Kyber Ransomware: Virtualization-Aware Double Platform Campaign — Critical — Defense Industrial Base / Enterprise IT
Rapid7's April 2026 analysis, based on a confirmed March 2026 incident response engagement at a multibillion-dollar U.S. defense contractor and IT services provider, documents Kyber as a coordinated dual-platform ransomware family deploying both an ESXi-targeting ELF binary and a Rust-based Windows variant within the same victim environment under a shared campaign identifier and Tor infrastructure. On ESXi, Kyber encrypts datastores using ChaCha8 with RSA-4096 key wrapping, appending the ".xhsyw" extension and defacing management interfaces. On Windows, a Rust-based variant implements a hybrid Kyber1024+X25519 key encapsulation scheme wrapping AES-CTR bulk encryption keys, while executing aggressive anti-recovery behaviors including shadow copy deletion, Windows Recovery Environment disablement, backup service termination, event log clearing, and recycle bin wipe.
Notably, the "post-quantum" branding is only partially accurate: the ESXi variant does not implement Kyber1024 despite advertising it — it uses ChaCha8 with RSA-4096. The Windows variant does implement the advertised hybrid scheme. The "post-quantum" claims are aspirational marketing but do not affect the operational impact for current victims.
Kyber's strategic significance is that ransomware operators are now deliberately weaponizing both the virtualization orchestration layer and backup infrastructure simultaneously, targeting complete operational blackout rather than isolated data loss. Traditional endpoint controls and basic offsite backups are insufficient against this tradecraft.
CISO-Level Decision — Kyber: Escalate. Treat hypervisors and backup infrastructure as primary exposure surfaces requiring least-privilege, network segmentation, dedicated monitoring, and immutable backup architecture. Verify that both ESXi SSH/vSphere consoles and Windows backup services are governed under the same access control rigour as domain controllers.
CISA KEV 8-Pack — Additional Confirmed Exploited Vulnerabilities
Seven further CVEs were confirmed in the KEV catalog this week across PaperCut NG/MF (CVE-2023-27351), JetBrains TeamCity (CVE-2024-27199), Kentico Xperience (CVE-2025-2749), Quest KACE SMA (CVE-2025-32975, CVSS 10.0), Zimbra ZCS (CVE-2025-48700), Fortinet FortiClient EMS (CVE-2026-21643), and Microsoft Exchange (CVE-2023-21529). Apache ActiveMQ (CVE-2026-34197) and Microsoft Defender BlueHammer (CVE-2026-33825) add OT-adjacent and endpoint-layer exploitation to the cluster. FCEB deadlines for five of these have passed (April 20-23).
CISO-Level Decision — KEV 8-Pack: Escalate. Verify patch status for all eight product families today. Unpatched status constitutes a confirmed attacker pathway. KACE SMA (CVSS 10.0, unauthenticated) and ActiveMQ (default admin:admin credentials) are highest urgency.
Chapter 02 - Threat & Exposure Analysis
Cisco SD-WAN — Vulnerability Chain, Attack Mechanism, and Exposure
The Cisco SD-WAN threat centers on five vulnerabilities that form a coherent attack chain:
CVE-2026-20127 (CVSS 10.0): Authentication bypass in Cisco Catalyst SD-WAN Controller and Manager. Exploits a flaw in the peering authentication mechanism (CWE-287). An unauthenticated remote attacker sends maliciously crafted requests to an unpatched system, logs in as a high-privileged non-root user, and accesses NETCONF to manipulate SD-WAN fabric configuration. Exploitation confirmed since at least 2023.
CVE-2022-20775: Path traversal vulnerability enabling an authenticated attacker to execute arbitrary commands as root. Chained with CVE-2026-20127 to achieve persistent root-level access after initial authentication bypass.
CVE-2026-20122: Authenticated remote attacker with read-only API credentials can upload a malicious file to overwrite arbitrary files on the local filesystem and gain vmanage user privileges. CVSS 5.4. Confirmed exploited in the wild by Cisco as of March 2026.
CVE-2026-20128: SD-WAN Manager stores credentials in recoverable form on the filesystem. An attacker with local access (obtained via the above chain) can recover DCA credentials and escalate privileges. CVSS 7.5. Confirmed exploited March 2026.
CVE-2026-20133: Sensitive-information exposure in SD-WAN Manager. VulnCheck assessed this as higher risk than defenders may realize; CISA listed it as exploited April 20, 2026. Cisco has not independently confirmed exploitation in its own advisory at this time.
Attack progression: Exploitation typically begins with CVE-2026-20127 to achieve unauthenticated administrative access, followed by CVE-2022-20775 for root persistence, then CVE-2026-20122 for file system manipulation, CVE-2026-20128 for credential harvesting, and CVE-2026-20133 for reconnaissance and lateral movement preparation.
Exploitability: High where management interfaces are reachable from untrusted networks or insufficiently segmented. CISA's guidance emphasizes that SD-WAN controllers with internet-exposed management planes are the highest-priority attack targets.
Sector and geographic exposure: Cisco SD-WAN is widely deployed across federal, financial, energy, and service-provider networks globally. Exploitation is confirmed at minimum in U.S. federal environments; CISA's Five Eyes partnership co-authored guidance reflecting broader international concern.
Actor attribution: CISA ED-26-03 refers to "sophisticated threat actors" without naming a specific group or nation-state in publicly referenced materials. Under Attribution.
Kyber Ransomware — Campaign Behavior, Cryptographic Claims, and Infrastructure
ESXi variant (ELF binary):
64-bit ELF, statically linked against OpenSSL.
Enumerates virtual machines and optionally terminates them before encryption.
Generates per-file 40-byte key/IV material; wraps with embedded RSA-4096 public key.
Encrypts datastore files in chunks: files <1 MB fully encrypted; files 1–4 MB have first MB encrypted; files >4 MB intermittently encrypted based on operator configuration.
Appends ".xhsyw" extension; drops ransom notes that overwrite the ESXi management interface view.
Preserves core system files to keep hypervisors bootable — focus is maximizing operational disruption to VM workloads, not bricking the hypervisor.
Critical note: Despite advertising "post-quantum" encryption using Kyber1024, the ESXi variant does NOT implement Kyber1024 — it uses ChaCha8 for bulk encryption and RSA-4096 for key wrapping. The "post-quantum" claim is marketing only for this variant.
Windows variant (Rust-based):
Written in Rust; includes experimental Hyper-V targeting features.
Implements the advertised hybrid scheme: Kyber1024 and X25519 encapsulate AES-CTR symmetric keys used for bulk encryption.
Pre-encryption defense evasion and impact sequence (source-confirmed ATT&CK behaviors):
Stops SQL Server, Exchange, and backup services (T1489)
Deletes all Volume Shadow Copies (T1485)
Disables Windows Recovery Environment (T1490)
Clears Windows event logs (T1562)
Wipes the Recycle Bin
Post-encryption: logs each encrypted file; drops READ_ME_NOW.txt ransom note across directories.
Appends ".#~~~" extension to encrypted files.
Contains a distinctive mutex string tied to a Boomplay URL.
Selective encryption: different logic for small vs. large files.
Shared infrastructure: Both ESXi and Windows variants share a campaign identifier and Tor-based negotiation and leak site, confirming coordinated cross-platform deployment by a single operator.
Confirmed incident: Rapid7 responded to an IR engagement at a multibillion-dollar U.S. defense contractor and IT services provider in March 2026, recovering both variants from the same production environment.
Exposure: Highest for organizations where ESXi and Hyper-V administrative credentials can be compromised and where backups are accessible from production networks. Kyber explicitly targets backup file systems and associated services.
CISA KEV 8-Pack — Cross-Cluster Threat Patterns
CVE-2025-32975 (Quest KACE SMA, CVSS 10.0): Unauthenticated impersonation of any user. Arctic Wolf confirmed active exploitation in March 2026. Post-exploitation scope is [NOT CONFIRMED in available sources] beyond confirmed active exploitation.
CVE-2023-27351 (PaperCut NG/MF, CVSS 8.2): Historical exploitation by Lace Tempest for Cl0p and LockBit ransomware delivery confirmed from April 2023. Current active exploitation: threat actor Under Attribution. Impersonates users and executes code via the application's SecurityRequestFilter bypass.
CVE-2025-48700 (Zimbra ZCS): Exploited by UAC-0233/UAC-0250 against Ukrainian entities since September 2025. Post-compromise: mailbox content access, TGZ archive compilation, MFA backup code harvest, application password extraction, global address book exfiltration.
CVE-2026-34197 (Apache ActiveMQ): Jolokia JMX-HTTP bridge at /api/jolokia/ accepts management operations. Attacker uses credentials (default admin:admin in most production deployments) to invoke a broker management operation causing the broker to fetch a remote configuration file from an attacker-controlled URL and execute OS commands. Discovered using Claude AI by Horizon3. FCEB deadline April 20, 2026.
CVE-2026-33825 (Microsoft Defender BlueHammer): Insufficient access control granularity in Defender allows local privilege escalation to SYSTEM. Public PoC released April 3, 2026. Patched April 14 in Defender 4.18.26030.3011. Active exploitation confirmed by Huntress Labs telemetry. RedSun (second local privilege escalation path) and UnDefend (definition update blocker/DoS) PoCs also released; their CVE IDs are [NOT CONFIRMED in available sources].
Cross-Incident Pattern Analysis
Two structural themes converge across all three clusters in today's brief:
Control-plane and orchestration layer targeting: Cisco SD-WAN management, VMware ESXi hypervisors, and backup infrastructure are all orchestration surfaces — their compromise enables large-scale simultaneous manipulation of many dependent systems. Adversaries are deliberately moving up the infrastructure stack.
Credential and default credential abuse as the common enabler: Cisco SD-WAN management interfaces with weak segmentation, Apache ActiveMQ with admin:admin credentials, and Kyber operators with administrative access to hypervisors all share a credential-exploitation thread. Credential hygiene and management interface segmentation are the highest-leverage common defensive action across all clusters today.
Chapter 03 - Operational Response
Defender Priority Order (Today)
Cisco SD-WAN CVE-2026-20122/20128/20133: FCEB deadline expired today; confirmed exploitation; management-plane credential chain is active.
CVE-2026-20127 (Cisco SD-WAN Controller): CVSS 10.0; unauthenticated admin access; root persistence via CVE-2022-20775 chain; original ED-26-03 primary driver.
Quest KACE SMA CVE-2025-32975 (CVSS 10.0): Unauthenticated full user impersonation; FCEB deadline May 4 but active exploitation now.
Kyber Ransomware (ESXi + Windows): Dual-platform confirmed incident; administrative credential protection and hypervisor segmentation are today's most important preventive actions.
Apache ActiveMQ CVE-2026-34197: Default credentials make this near-unauthenticated at scale; OT environments elevate blast radius.
Microsoft Defender BlueHammer CVE-2026-33825: Patch available since April 14; PoC public; active exploitation confirmed by Huntress.
PaperCut CVE-2023-27351: Ransomware deployment link confirmed historically; verify patch status.
Vercel/Context.ai OAuth Supply Chain: Revoke Context.ai OAuth access in Google Workspace immediately if present; lower urgency if not applicable.
Cisco SD-WAN — Immediate Response and Containment
Do This NOW (0–4 hours):
Inventory and scope: Run an immediate inventory of all Cisco Catalyst SD-WAN Manager and Controller instances, including cloud-hosted deployments within FedRAMP or other regulated boundaries, aligned with CISA ED-26-03 requirements.
Exposure review and emergency ACLs: Verify that SD-WAN management interfaces are not exposed to the internet or untrusted networks. Where external exposure exists, apply emergency ACLs or VPN restrictions to limit access to documented administrative ranges only.
Patch verification: Confirm that CVE-2026-20122, CVE-2026-20128, and CVE-2026-20133 are patched (FCEB deadline expired today). Confirm CVE-2026-20127 and CVE-2022-20775 are patched (original ED-26-03 deadline was February 27, 2026).
Do This Within 24 Hours:
Artifact collection and threat hunting: Collect virtual snapshots and logs from SD-WAN controllers and managers. Execute CISA's Cisco SD-WAN Threat Hunt Guide to search for anomalous peering events, unauthorized configuration changes, NETCONF session activity, and evidence of root-level access. Hunt across at least the last 90 days of retained logs.
Segmentation and hardening: Implement or validate segmentation placing SD-WAN management in restricted admin-only networks. Apply Cisco's Catalyst SD-WAN Hardening Guide in conjunction with CISA's supplemental hunt and hardening direction.
Credential rotation: Rotate all administrative credentials on SD-WAN Manager (vmanage accounts) and DCA service accounts as a precautionary measure, regardless of compromise indicators found.
IR coordination: If indicators of compromise are identified during threat hunting, initiate incident response, preserve forensic artifacts before remediation, and coordinate reporting to CISA, sector regulators, and affected customers as required.
Internal Escalation: Notify CISO immediately if any SD-WAN Manager or Controller is unpatched for CVE-2026-20127. Treat as board-level risk given CVSS 10.0 and ED-26-03 mandate.
Kyber Ransomware — Operational Playbook
Do This NOW (0–4 hours):
Credential and access review: Review all administrative access paths to ESXi and Windows file servers, including SSH to ESXi hosts, vSphere management interface access, RDP to file servers, and Hyper-V management consoles. Restrict these to jump hosts with phishing-resistant MFA.
Backup exposure audit: Identify all backup servers and storage targets (Veeam, SQL, Exchange repositories) and verify they are logically and physically segmented from production networks. Validate immutable backup configuration where applicable.
Immediate monitoring deployment: Deploy or tune SIEM alerts for mass shadow-copy deletion (vssadmin Delete Shadows /all /quiet), event-log clearing (wevtutil.exe), and abnormal esxcli-driven VM shutdown sequences.
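As an added illustration of the alert tuning above (example code, not from the brief's sources or Rapid7), the following Python applies those rules to constructed sample events: single-command matches for shadow-copy deletion, event-log clearing and WinRE disablement, a burst rule over Service Control Manager stop events for the five service-name patterns the Windows variant targets (msexchange, vss, backup, veeam, sql, which the SCM API path leaves no process-creation trace for), and a burst rule for esxcli soft kills. The normalised event shape, the burst thresholds and the bcdedit WinRE command are assumptions, not confirmed Kyber artefacts.

```python
"""Detection logic for the Kyber pre-encryption sequence over sample events.

Added example, not from the brief's sources. Events are constructed inline in a
simplified normalised shape (assumption): Windows process creation (event_id
4688 with 'cmdline'), SCM service state changes (event_id 7036 with 'service'
and 'state'), and ESXi shell.log-style command lines ('esxcli').
"""
import re
from collections import defaultdict

# Single-command rules on process creation; command lines are lowercased first.
# The bcdedit form is the commonly observed WinRE-disable command, assumed here.
CMDLINE_RULES = {
    "shadow_copy_delete": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\s+/all(\s+/quiet)?"),
    "event_log_clear": re.compile(r"wevtutil(\.exe)?\s+cl\s+\S+"),
    "winre_disable": re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no"),
}
# Service-name substrings the Windows variant stops via the SCM API (from the brief).
SERVICE_PATTERNS = ("msexchange", "vss", "backup", "veeam", "sql")
# Soft VM kill as issued by the ESXi variant's --vmkill path.
ESXCLI_KILL = re.compile(r"esxcli\s+vm\s+process\s+kill\s+--type=soft\s+--world-id\s+\d+")


def match_cmdline(cmdline):
    """Return the rule name for a process-creation command line, or None."""
    low = cmdline.lower()
    for name, rx in CMDLINE_RULES.items():
        if rx.search(low):
            return name
    return None


def service_matches(service):
    """True if a stopped service name matches one of Kyber's five patterns."""
    return any(p in service.lower() for p in SERVICE_PATTERNS)


def _burst(times, threshold, window_s):
    """True if at least `threshold` timestamps fall inside one window_s span."""
    times = sorted(times)
    for i in range(len(times) - threshold + 1):
        if times[i + threshold - 1] - times[i] <= window_s:
            return True
    return False


def detect(events, threshold=3, window_s=60):
    """Return (host, alert_name) tuples for a list of normalised events."""
    alerts = []
    stops = defaultdict(list)   # host -> timestamps of matching service stops
    kills = defaultdict(list)   # host -> timestamps of esxcli soft kills
    for ev in events:
        host, t = ev["host"], ev["t"]
        if ev.get("event_id") == 4688:
            rule = match_cmdline(ev["cmdline"])
            if rule:
                alerts.append((host, rule))
        elif ev.get("event_id") == 7036 and ev.get("state") == "stopped":
            if service_matches(ev["service"]):
                stops[host].append(t)
        elif "esxcli" in ev and ESXCLI_KILL.search(ev["esxcli"]):
            kills[host].append(t)
    for host, ts in stops.items():
        if _burst(ts, threshold, window_s):
            alerts.append((host, "backup_service_stop_burst"))
    for host, ts in kills.items():
        if _burst(ts, threshold, window_s):
            alerts.append((host, "esxcli_mass_vm_kill"))
    return alerts


# Constructed sample events (not real telemetry); t is seconds since epoch.
SAMPLE_EVENTS = [
    {"host": "FS01", "t": 1000, "event_id": 7036, "service": "VeeamBackupSvc", "state": "stopped"},
    {"host": "FS01", "t": 1005, "event_id": 7036, "service": "MSSQLSERVER", "state": "stopped"},
    {"host": "FS01", "t": 1009, "event_id": 7036, "service": "VSS", "state": "stopped"},
    {"host": "FS01", "t": 1020, "event_id": 4688, "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "FS01", "t": 1021, "event_id": 4688, "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"host": "FS01", "t": 1022, "event_id": 4688, "cmdline": "wevtutil.exe cl Security"},
    {"host": "WS07", "t": 2000, "event_id": 4688, "cmdline": "wevtutil.exe qe Application /c:5"},
    {"host": "WS07", "t": 2100, "event_id": 7036, "service": "Spooler", "state": "stopped"},
    {"host": "esx01", "t": 3000, "esxcli": "esxcli vm process kill --type=soft --world-id 2100001"},
    {"host": "esx01", "t": 3002, "esxcli": "esxcli vm process kill --type=soft --world-id 2100002"},
    {"host": "esx01", "t": 3004, "esxcli": "esxcli vm process kill --type=soft --world-id 2100003"},
    {"host": "esx02", "t": 4000, "esxcli": "esxcli vm process kill --type=soft --world-id 2100009"},
]

if __name__ == "__main__":
    for host, name in detect(SAMPLE_EVENTS):
        print(f"{host}: {name}")
```

A single esxcli kill (esx02) or a benign wevtutil query (WS07) produces no alert; only the clustered sequence on FS01 and esx01 does.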
Do This Within 24 Hours:
ESXi-focused threat hunting: Search ESXi hosts for files with the ".xhsyw" extension across datastores and non-standard esxcli usage for VM enumeration or mass power-off events outside maintenance windows.
Windows server hunting: Search for files with the ".#~~~" extension and READ_ME_NOW.txt ransom notes. Look for the Kyber mutex string (Boomplay URL-based) and process creation patterns consistent with the Rust-based payload.
Recovery rehearsal: Conduct a tabletop or limited live test of recovering core line-of-business applications from immutable backups under a scenario where both hypervisors and file servers are simultaneously unavailable.
Internal Escalation: If any esxcli abnormality, .xhsyw files, or mass shadow-copy deletion is detected, declare an incident immediately. Do not attempt containment without forensic artifact preservation. Kyber operators target backup infrastructure — recovery without pre-staged immutable backups may be impossible.
CISA KEV 8-Pack — Consolidated Response
Do This NOW (0–4 hours):
Quest KACE SMA (CVE-2025-32975, CVSS 10.0): Isolate any unpatched KACE SMA appliances from network access until patched — unauthenticated full-user impersonation is critical.
Apache ActiveMQ (CVE-2026-34197): Change all default admin:admin credentials immediately regardless of patch status. Block external access to /api/jolokia/ at WAF/perimeter level.
Microsoft Defender (CVE-2026-33825 / BlueHammer): Verify all endpoints running Microsoft Defender are on version ≥ 4.18.26030.3011. Push manually where auto-update is disabled.
Do This Within 24 Hours:
PaperCut NG/MF (CVE-2023-27351): Confirm patch status; review print server access logs for anomalous activity consistent with Lace Tempest post-exploitation patterns.
Zimbra ZCS (CVE-2025-48700): Apply patches; review mailbox access logs for bulk export events, TGZ archive creation, or MFA backup code access targeting senior or government-facing accounts.
JetBrains TeamCity (CVE-2024-27199): Confirm patch; enable MFA on admin interfaces.
Kentico Xperience (CVE-2025-2749): Apply path traversal patch; review staging server access logs for anomalous file writes.
Apache ActiveMQ (CVE-2026-34197): Upgrade to version 5.19.4 or 6.2.3. Review broker logs for anomalous remote configuration fetch requests.
Vercel/Context.ai OAuth: Audit Google Workspace API Controls for Context.ai OAuth app; revoke immediately if found; rotate Vercel environment variables and deployment tokens.
Cisco SD-WAN KEV & ED-26-03 — Timeline
2023 (exact date not confirmed) — CVE-2026-20127 exploitation begins; SOC Prime documents confirmed exploitation predating formal disclosure by approximately three years.
2026-02-24 — Cisco discloses CVE-2026-20127 (CVSS 10.0) and related SD-WAN CVEs; added to CISA KEV immediately upon publication alongside Emergency Directive issuance.
2026-02-25 — CISA issues Emergency Directive 26-03: Mitigate Vulnerabilities in Cisco SD-WAN Systems. FedRAMP Notice 0006 issued simultaneously, requiring cloud providers to complete patching by 5:00 PM ET February 27, 2026.
2026-03-09 — Cisco expands advisory to include CVE-2026-20122, CVE-2026-20126, CVE-2026-20128, CVE-2026-20129, and CVE-2026-20133; confirms active exploitation of CVE-2026-20122 and CVE-2026-20128.
2026-04-20 — CISA adds CVE-2026-20122, CVE-2026-20128, and CVE-2026-20133 to the KEV catalog as part of the 8-pack expansion. FCEB remediation deadlines set: April 23 for Cisco trio; May 4 for remaining five.
2026-04-23 (today) — FCEB remediation deadline for CVE-2026-20122, CVE-2026-20128, and CVE-2026-20133 expires.
Kyber Ransomware — Timeline
2025-09 (assessed) — Kyber ransomware operation surfaces, targeting Windows and ESXi environments. Assessed date per aggregated reporting; not confirmed in a single primary source.
2026-03 (confirmed) — Rapid7 responds to confirmed Kyber incident at a multibillion-dollar U.S. defense contractor and IT services provider; recovers both ESXi ELF and Windows Rust payloads from the same production network.
2026-04-20 — Rapid7 publishes full technical analysis of Kyber cross-platform campaign, including hybrid cryptography detail, ATT&CK-mapped behaviors, and confirmed IR findings.
2026-04-21 — BleepingComputer publishes Kyber feature article, including "post-quantum" marketing claims analysis and Windows variant technical breakdown. SOC Prime publishes Kyber ATT&CK-mapped detection content.
CISA KEV 8-Pack Supplemental — Timeline
2023-04 — CVE-2023-27351 (PaperCut) first exploited; Lace Tempest attribution; Cl0p and LockBit ransomware deployed.
2024-03 — CVE-2024-27199 (JetBrains TeamCity) first added to KEV.
2025-09 — UAC-0233/UAC-0250 begins exploitation of CVE-2025-48700 (Zimbra ZCS) against Ukrainian entities.
2026-03 — Arctic Wolf observes active Quest KACE SMA exploitation (CVE-2025-32975).
2026-04-03 — BlueHammer (CVE-2026-33825) PoC released publicly.
2026-04-14 — Microsoft patches CVE-2026-33825 in Defender version 4.18.26030.3011.
2026-04-16 — PoC exploits for RedSun and UnDefend (Defender zero-days) released publicly; CVE IDs not confirmed in available sources.
2026-04-20 — CISA adds full 8-pack to KEV; FCEB deadlines set for April 23 (Cisco) and May 4 (remaining). Apache ActiveMQ CVE-2026-34197 FCEB deadline passes on same date.
2026-04-20/21 — Huntress Labs confirms active exploitation of all three Defender zero-days in customer telemetry; SANS ISC NewsBites Vol. XXVIII-30 reports.
2026-04-23 (today) — FCEB deadline for Cisco SD-WAN trio expires.
Vercel/Context.ai Supply Chain Breach — Timeline
2026-02 (assessed) — Hudson Rock assesses Lumma infostealer infected Context.ai environment; assessment basis, not confirmed independently.
2026-04-19 — Vercel publishes security bulletin disclosing breach via Context.ai OAuth compromise; Mandiant engaged for investigation.
2026-04-20/21 — SANS ISC NewsBites Vol. XXVIII-30 reports; Hudson Rock assessment of infostealer origin published.
Scattered Spider / Tyler Buchanan Guilty Plea — Timeline
2024-06 — Tyler Robert Buchanan arrested.
2025-11 — Charged in U.S. federal court.
2026-04 (week of April 21) — Buchanan pleads guilty: one count conspiracy to commit wire fraud, one count aggravated identity theft. Confirmed theft of more than $8 million in virtual currency.
2026-08-21 — Sentencing hearing scheduled. Maximum statutory exposure: 22 years.
Chapter 04 - Detection Intelligence
Part A: Cisco SD-WAN — CVE Chain Technical Breakdown
CVE-2026-20127 (CVSS 10.0) — Authentication Bypass: Core Attack Vector
Vulnerability class: CWE-287 — Improper Authentication
Attack vector: Network. No authentication required. No user interaction required.
Technical mechanism: CVE-2026-20127 exploits a flaw in the peering authentication logic of Cisco Catalyst SD-WAN Controller and Manager. An unauthenticated remote attacker can send specially crafted requests to an unpatched system, causing it to authenticate the attacker as a high-privileged non-root user. Once authenticated, the attacker gains access to the NETCONF protocol endpoint used to manage SD-WAN fabric configuration across all connected network devices.
Operational impact of successful exploitation: An attacker with NETCONF access can read and modify routing policy, VPN tunnel configuration, access control lists, and WAN interface settings across the entire SD-WAN fabric — equivalent to administrative control over all connected sites without needing to breach individual devices.
Exploitation confirmed since: At least 2023, per SOC Prime citing CISA reporting. Formal CVE disclosure and KEV listing: February 24, 2026.
Affected components: Cisco Catalyst SD-WAN Controller; Cisco Catalyst SD-WAN Manager (vManage).
Patch: Applied via Cisco-provided software update; per FedRAMP Notice 0006, the remediation deadline for FedRAMP cloud providers was February 27, 2026.
CVE-2022-20775 — Privilege Escalation to Root: Persistence Chain
Vulnerability class: Path traversal enabling root command execution.
Attack vector: Requires prior authenticated access (obtained via CVE-2026-20127).
Technical mechanism: After achieving initial authenticated access via CVE-2026-20127, an attacker uses CVE-2022-20775's path traversal flaw to execute arbitrary commands as root on the SD-WAN Controller operating system. Root access enables persistent implant installation, credential extraction, and configuration manipulation that survives reboots and patches to the authentication bypass alone.
Why this chain matters: CVE-2026-20127 provides management-plane access; CVE-2022-20775 converts that access into operating-system-level persistence. CISA's ED-26-03 specifically calls out this chaining behavior as the mechanism enabling durable attacker foothold on SD-WAN infrastructure.
CVE-2026-20122 (CVSS 5.4) — Improper Use of Privileged APIs: Filesystem Manipulation
Vulnerability class: Improper use of privileged APIs; allows arbitrary file upload.
Attack vector: Network. Requires low-privileged (read-only) API credentials — achievable after initial compromise.
Technical mechanism: An authenticated attacker with read-only API credentials can craft API requests that upload a malicious file and overwrite arbitrary files on the SD-WAN Manager local filesystem, escalating privileges to vmanage user level. In the broader chain, this enables persistent modification of Manager configuration, introduction of backdoored scripts, or credential file replacement.
Exploitation confirmed: By Cisco in March 2026 advisory update.
CVE-2026-20128 (CVSS 7.5) — Password in Recoverable Format: Credential Harvesting
Vulnerability class: Storage of password in recoverable format; CWE-257.
Attack vector: Local — requires prior filesystem access (achieved via CVE-2026-20127 + CVE-2022-20775 chain).
Technical mechanism: Cisco Catalyst SD-WAN Manager stores DCA (Device Configuration Archive) service account credentials in recoverable format on the local filesystem. An attacker with local access — gained through the preceding chain — can read and recover these credentials, enabling further privilege escalation and lateral movement to additional SD-WAN components or adjacent infrastructure.
Exploitation confirmed: By Cisco in March 2026 advisory update.
CVE-2026-20133 (CVSS 6.5) — Sensitive Information Exposure: Reconnaissance Enablement
Vulnerability class: Information exposure of sensitive configuration data.
Attack vector: Network.
Technical mechanism: A flaw in Cisco Catalyst SD-WAN Manager exposes sensitive configuration information to an attacker with network access. VulnCheck assessed the risk as higher than the CVSS score suggests — noting that the exposed information can be leveraged to accelerate exploitation of other vulnerabilities in the chain or enable targeting of downstream network infrastructure.
CISA KEV listing: April 20, 2026. Cisco has not independently updated its advisory to confirm exploitation at time of source consumption — discordance noted in confidence rationale.
Cisco SD-WAN Attack Chain: Integrated Exploitation Flow
Exploitation conditions: Management interface must be network-accessible. Risk is highest where management planes are internet-exposed or in under-segmented networks.
Part B: Kyber Ransomware — Full Technical Analysis
Variant Comparison Matrix
| Property | ESXi / Linux Variant | Windows Variant |
|---|---|---|
| Language | C++, GCC 4.4.7 (2012) | Rust, MSVC 19.36 / VS2022 |
| SHA-256 | | |
| Bulk cipher | ChaCha8 | AES-256-CTR |
| Key wrapping | RSA-4096 | Kyber1024 + X25519 |
| Advertised in note | AES-256-CTR + X25519 + Kyber1024 | AES-256-CTR + X25519 + Kyber1024 |
| Encryption matches note? | NO — ChaCha8/RSA-4096 only | YES — hybrid scheme implemented |
| File extension | .xhsyw | .#~~~ |
| Ransom note filename | readme.txt | READ_ME_NOW.txt |
| VM termination | Optional, via --vmkill flag | |
| Anti-recovery commands | None | 11 commands (elevation required) |
| Strip/obfuscation | Not stripped | Not stripped, not packed |
| Hyper-V targeting | N/A | Experimental |
| Campaign ID | 5176[REDACTED] (shared) | 5176[REDACTED] (shared) |
ESXi Variant — Deep Technical Analysis
Binary characteristics:
64-bit ELF executable. Not stripped. Statically linked against OpenSSL 1.0.1e-fips. C++, compiled with GCC 4.4.7 (a 2012-era compiler).
Binary is not packed or obfuscated — full symbol and string information retained.
Execution flow:
Parse CLI arguments: target path required; encryption size parameter validated as 0–100 (controls what percentage of large files is encrypted).
Initialize optional logging.
If the --vmkill flag is set: enumerate and gracefully terminate all non-whitelisted VMs via esxcli vm process list, then esxcli vm process kill --type=soft --world-id <id>. Uses fork()/execlp() rather than system() — direct syscall-level argument passing avoids shell injection issues, indicating low-level OS programming competency.
Load embedded RSA-4096 public key.
Initialize thread pool (capped at 12 threads for parallel encryption).
Traverse directories recursively; encrypt files.
Background persistence during encryption:
Implements a --detach flag: forks the parent process, exits the parent, and calls setsid() on the child to detach from the controlling terminal and avoid SIGHUP on SSH session close. This allows the operator to disconnect safely while encryption continues uninterrupted across /vmfs/volumes.
Defacement (pre-encryption):
Before the encryption loop begins, the binary replaces three files:
/etc/motd — displays ransom note on SSH login
/usr/lib/vmware/hostd/docroot/index.html — replaces VMware web management portal
/usr/lib/vmware/hostd/docroot/ui/index.html — replaces Host Client interface
Any administrator accessing the system via SSH or the vSphere web console sees the ransom note immediately, regardless of encryption progress. Replacement fails gracefully on non-ESXi systems.
Directory traversal:
Recursive walk; does NOT follow symbolic links.
Drops readme.txt ransom note into every folder before encryption begins.
No file extension allowlist — all files encrypted unless explicitly excluded.
Excluded extensions/names: .xhsyw (already encrypted), .locksignal, .processing, .cryptdata_backup, .tmp, readme.txt, .sf (VMware system files).
Encryption mechanism (confirmed by Rapid7 decompilation — not as advertised):
Advertised: AES-256-CTR + X25519 + Kyber1024.
Actual: ChaCha8 for bulk encryption; RSA-4096 for key wrapping only. No post-quantum implementation found.
Decompilation evidence:
ECRYPT_encrypt_bytes function executes 8 rounds (i = 8; i > 0; i -= 2) with 32-bit right rotations at constants 16, 20, 24, and 25 (corresponding to the ChaCha standard left-rotation constants 16, 12, 8, 7 from RFC 8439).
ECRYPT_keysetup uses the "expand 32-byte k" sigma constant in the standard ChaCha 256-bit key initialization layout.
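To make the rotation-constant reasoning above concrete, here is an added Python implementation (not the malware's code and not Rapid7's) of the ChaCha double round in both conventions: the RFC 8439 left-rotation form and the right-rotation form a decompiler typically shows, with the round count parameterised so one block function yields ChaCha8 or ChaCha20. The check vector assumes the RFC 8439 word layout (32-bit counter, 96-bit nonce), which occupies the same state words as the ECRYPT counter/IV layout.

```python
"""Recognising ChaCha from decompiled rotation constants (added example)."""
import struct

MASK = 0xFFFFFFFF
SIGMA = b"expand 32-byte k"     # ECRYPT_keysetup constant for 256-bit keys
LEFT_CONSTS = (16, 12, 8, 7)     # RFC 8439 left rotations
RIGHT_CONSTS = (16, 20, 24, 25)  # the same rotations written as right rotations
COLUMNS = ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15))
DIAGONALS = ((0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14))


def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK


def sigma_words():
    """The four little-endian constant words a decompiler shows for 'expand 32-byte k'."""
    return struct.unpack("<4I", SIGMA)


def quarter_round(s, a, b, c, d, rot=rotl, consts=LEFT_CONSTS):
    """One ChaCha quarter round on word list s, in place; returns s."""
    r1, r2, r3, r4 = consts
    s[a] = (s[a] + s[b]) & MASK
    s[d] = rot(s[d] ^ s[a], r1)
    s[c] = (s[c] + s[d]) & MASK
    s[b] = rot(s[b] ^ s[c], r2)
    s[a] = (s[a] + s[b]) & MASK
    s[d] = rot(s[d] ^ s[a], r3)
    s[c] = (s[c] + s[d]) & MASK
    s[b] = rot(s[b] ^ s[c], r4)
    return s


def double_round(s, right_rotate=False):
    """Column round then diagonal round, in either rotation convention."""
    rot, consts = (rotr, RIGHT_CONSTS) if right_rotate else (rotl, LEFT_CONSTS)
    for a, b, c, d in COLUMNS + DIAGONALS:
        quarter_round(s, a, b, c, d, rot, consts)
    return s


def initial_state(key, counter, nonce):
    """sigma | 8 key words | counter | 3 nonce words (RFC 8439 layout, assumed)."""
    if len(key) != 32 or len(nonce) != 12:
        raise ValueError("256-bit key and 96-bit nonce expected")
    return list(sigma_words() + struct.unpack("<8I", key)
                + (counter & MASK,) + struct.unpack("<3I", nonce))


def chacha_block(key, counter, nonce, rounds=20, right_rotate=False):
    """Return the 16 output words of one block; rounds=8 gives ChaCha8."""
    s = initial_state(key, counter, nonce)
    w = list(s)
    i = rounds
    while i > 0:            # mirrors the decompiled `i = 8; i > 0; i -= 2` loop
        double_round(w, right_rotate)
        i -= 2
    return [(x + y) & MASK for x, y in zip(w, s)]


def rotation_forms_agree(rounds=8):
    """True if the right-rotation form (16,20,24,25) equals the RFC form for this round count."""
    key, nonce = bytes(range(32)), bytes(12)
    return (chacha_block(key, 0, nonce, rounds, False)
            == chacha_block(key, 0, nonce, rounds, True))


if __name__ == "__main__":
    print([hex(w) for w in sigma_words()])
    print("ChaCha8 forms agree:", rotation_forms_agree(8))
```

The quarter-round and ChaCha20 block checks use the RFC 8439 test vectors, so the same code that reproduces them with 20 rounds is, with the loop bound set to 8, exactly the construction the decompile describes.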
Partial encryption strategy (size-based):
| File size | Encryption scope |
|---|---|
| Under 1 MB | Entire file encrypted |
| 1 MB to 4 MB | First 1 MB encrypted |
| Over 4 MB | Calculated portion only (default: 10% per CLI parameter, valid range 0–100) |
This approach dramatically reduces encryption time while still rendering large VMDK files unusable.
Per-file encryption workflow:
Create .locksignal marker file; rename original to .processing (concurrency guard).
Check last 535 bytes for trailer markers KYBER, CDTA, ATDC — skip if present (already encrypted).
Generate unique 40-byte key/IV; wrap with embedded RSA-4096 public key.
Append metadata trailer (with redundant .cryptdata_backup copy) before encryption starts.
Encrypt in-place in 1 MB chunks.
Rename from .processing to .xhsyw on success.
Files remaining with .processing suffix indicate interrupted or failed encryption.
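The per-file markers above (.locksignal, .processing, .xhsyw, .cryptdata_backup, the readme.txt note and the 535-byte trailer check) make a datastore triage script straightforward. The following is an added example, not Rapid7's or the brief's own tooling; the sample tree it builds is constructed.

```python
"""Added triage helper for the Kyber ESXi artifacts described above (example code,
not Rapid7's or the brief's own tooling).

It walks a datastore path without following symlinks, classifies files by the
suffixes and note name the encryptor leaves behind, and checks the last 535 bytes
of any unlabelled file for the KYBER / CDTA / ATDC trailer markers the encryptor
uses to avoid double-encryption. Sample tree contents are constructed.
"""
import os
import sys
import tempfile
from collections import Counter

TRAILER_WINDOW = 535                                  # bytes the encryptor inspects
TRAILER_MARKERS = (b"KYBER", b"CDTA", b"ATDC")
SUFFIX_CLASSES = {                                    # suffix -> artifact class
    ".xhsyw": "encrypted",                            # completed encryption
    ".processing": "interrupted",                     # rename to .xhsyw never happened
    ".locksignal": "lock-signal",                     # per-file concurrency guard
    ".cryptdata_backup": "key-metadata-backup",       # redundant trailer copy
}
RANSOM_NOTE = "readme.txt"


def classify_name(name: str):
    """Artifact class for a file name, or None when the name carries no Kyber suffix."""
    lower = name.lower()
    if lower == RANSOM_NOTE:
        return "ransom-note"
    for suffix, label in SUFFIX_CLASSES.items():
        if lower.endswith(suffix):
            return label
    return None


def has_kyber_trailer(data: bytes) -> bool:
    """True if a trailer marker appears inside the final 535 bytes of the content."""
    return any(marker in data[-TRAILER_WINDOW:] for marker in TRAILER_MARKERS)


def file_has_trailer(path: str) -> bool:
    """Read only the tail of the file, so multi-GB VMDKs are cheap to check."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        fh.seek(max(0, size - TRAILER_WINDOW))
        return has_kyber_trailer(fh.read(TRAILER_WINDOW))


def triage_tree(root: str) -> dict:
    """Return {'counts': Counter, 'paths': {class: [paths]}} for everything under root."""
    counts, paths = Counter(), {}
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            label = classify_name(name)
            # Original name but Kyber trailer present: encrypted content that was
            # renamed back (or an admin-restored name); still unrecoverable.
            if label is None and file_has_trailer(full):
                label = "trailer-only"
            if label:
                counts[label] += 1
                paths.setdefault(label, []).append(full)
    return {"counts": counts, "paths": paths}


def build_sample_datastore(root: str) -> None:
    """Create a constructed tree that mimics a datastore caught mid-encryption."""
    layout = {
        "vm1/vm1-flat.vmdk.xhsyw": b"\x00" * 4096 + b"KYBER" + b"\x00" * 64,
        "vm1/readme.txt": b"constructed ransom note placeholder\n",
        "vm2/vm2-flat.vmdk.processing": b"\x00" * 2048 + b"ATDC" + b"\x00" * 8,
        "vm2/vm2-flat.vmdk.locksignal": b"",
        "vm2/vm2-flat.vmdk.cryptdata_backup": b"constructed trailer copy\n",
        "vm3/vm3-flat.vmdk": b"\x00" * 1024 + b"CDTA",     # trailer, original name
        "vm3/vm3.vmx": b'displayName = "vm3"\n',            # untouched file
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


def run_sample() -> dict:
    """Build the sample tree in a temp dir, triage it and return plain counts."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_datastore(tmp)
        return dict(triage_tree(tmp)["counts"])


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None   # e.g. /vmfs/volumes
    if target:
        for label, found in triage_tree(target)["paths"].items():
            print(f"{label}: {len(found)}")
    else:
        print(run_sample())
```

Run it with a datastore path on a suspect host; with no argument it triages the constructed sample tree instead.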
Windows Variant — Deep Technical Analysis
Binary characteristics:
64-bit PE executable. Not stripped, not packed. Rust, compiled with MSVC 19.36 / VS2022.
Retains full Rust panic strings and cargo dependency paths including build path: C:\Users\user\.cargo\registry\src\index.crates.io-6f17d22bba15001f
Binary version flag reveals project name: win_encryptor 1.0
Entropy pipeline (custom — atypical for ransomware):
Aggregates entropy from four independent sources: system time, Windows CSPRNG (BCryptGenRandom), processor-based entropy via RDRAND, and running process telemetry. Produces approximately 30 KB of randomness to seed an internal AES-CTR DRBG. Unlike typical ransomware using only BCryptGenRandom, this custom pipeline suggests deliberate attention to key material quality by the developer.
Privilege check:
On startup, the binary checks for elevated privileges by attempting to acquire SeDebugPrivilege. This determines execution path:
Without elevation: File encryption only.
With elevation: Full toolkit unlocked — service termination, registry modification, shadow copy deletion, all 11 anti-recovery commands.
Service termination (elevated, via Windows Service Control Manager API):
Uses OpenSCManagerA, EnumServicesStatusA, and ControlService to terminate services matching five patterns: msexchange, vss, backup, veeam, sql. Forces system locale to en-US before enumeration to ensure pattern matching is language-independent regardless of the victim's regional settings.
11 Anti-Recovery Commands (complete list — source confirmed from Rapid7):
| # | Command | Purpose |
|---|---|---|
| 1 | | Delete VSS shadow copies via WMI |
| 2 | | Delete shadow copies via WMIC (redundant) |
| 3 | | Delete shadow copies via vssadmin (redundant) |
| 4 | | Disable Windows Recovery Environment |
| 5 | | Suppress boot failure prompts |
| 6 | | Delete system state backups |
| 7 | | Delete oldest system state backup |
| 8 | | Stop IIS to release locked web files |
| 9 | | Increase SMB concurrent connections (likely for faster lateral spread) |
| 10 | | Clear all Windows event logs |
| 11 | | Empty the Recycle Bin |
Hyper-V shutdown (experimental, requires --system flag):
If invoked with the --system flag, the binary enumerates Hyper-V VMs via PowerShell:
Hard shutdown (-TurnOff) forces abrupt termination to release file locks before encryption. The developer explicitly labels this as "experimental."
File encryption workflow (Windows):
Check for prior encryption marker — skip if already encrypted.
If file is locked by a process, use Windows Restart Manager API to identify and terminate the responsible process.
If still inaccessible, modify file ACL to Everyone:FullControl and clear the read-only attribute.
Retry entire sequence up to three times per file.
Encrypt successfully opened file.
Rename with .#~~~ extension; drop READ_ME_NOW.txt in the directory.
Log to console: Successfully encrypted <file>. File size: <size>.
Excluded directories (Windows variant):
Excluded files (Windows variant):
Cryptography (Windows — confirmed as advertised):
Hybrid key encapsulation: Kyber1024 (1568-byte / 0x620 public key, validated at runtime) + X25519 protect the symmetric key material.
Bulk encryption: AES-256-CTR.
Per-file: AES-256-CTR context initialized with 32-byte key expanded into 60-word key schedule.
Kyber1024 is NOT used for direct file encryption — it encapsulates the AES-CTR symmetric key.
Registry artifacts and icon registration (elevated):
Creates directory C:\fucked_icon\
Writes processed_file.icon to that path
Registers .#~~~ extension in the registry with this as the default icon
Executes ie4uinit.exe to refresh the shell icon cache immediately — encrypted files display the custom icon without requiring a system restart
Mutex:
Stored as a wide string in .rdata. References Boomplay, a legitimate African music streaming platform. The specific track was unidentifiable by Rapid7 due to geo-restrictions.
Part C: CISA KEV 8-Pack — Supplemental Technical Notes
CVE-2025-32975 — Quest KACE SMA (CVSS 10.0)
Mechanism: Improper authentication validation in Quest KACE Systems Management Appliance allows an unauthenticated attacker to craft requests treated as originating from a legitimate authenticated user. Full user impersonation achieved without credentials. KACE SMA holds endpoint management privileges across all managed devices — post-compromise scope is effectively equivalent to domain-level endpoint administration.
CVE-2026-34197 — Apache ActiveMQ Jolokia JMX-HTTP Bridge
Mechanism: The Jolokia JMX-HTTP bridge at /api/jolokia/ in Apache ActiveMQ Classic accepts authenticated management API calls. An attacker uses credentials (default admin:admin is endemic in production) to invoke a broker management operation that fetches a remote configuration file from an attacker-controlled URL and executes its contents as OS commands within the broker process. Discovered by Horizon3 using Anthropic Claude AI. Patch: Apache ActiveMQ Classic 5.19.4 or 6.2.3.
CVE-2026-33825 (BlueHammer) — Microsoft Defender
Mechanism: Insufficient granularity of access control in Microsoft Defender allows a low-privileged process to invoke privileged Defender operations, achieving SYSTEM-level privilege escalation. PoC released April 3, 2026. Patched April 14 in Defender version 4.18.26030.3011. Active exploitation confirmed by Huntress Labs telemetry as of April 20-21, 2026.
RedSun: Second local privilege escalation path in Defender. CVE ID: [NOT CONFIRMED in available sources]. PoC released April 16, 2026.
UnDefend: Exploits a condition causing Defender to fail to receive definition updates — effectively blinding endpoint protection. CVE ID: [NOT CONFIRMED in available sources]. PoC released April 16, 2026.
Kyber Ransomware — All Confirmed IOCs
| Type | Value | Context | Verdict | Source |
|---|---|---|---|---|
| SHA-256 | | Kyber ESXi/Linux 64-bit ELF encryptor (C++, GCC 4.4.7, statically linked OpenSSL 1.0.1e-fips) | Malicious | Rapid7 |
| SHA-256 | | Kyber Windows Rust encryptor (MSVC VS2022; win_encryptor 1.0) | Malicious | Rapid7 |
| SHA-256 | | Older Windows Kyber variant (historical; relationship to current campaign not fully confirmed) | Malicious | Rapid7 |
| Tor domain | | Kyber ransomware negotiation chat portal | Malicious / Block | Rapid7 |
| Tor domain | | Kyber ransomware leak blog / data extortion site | Malicious / Block | Rapid7 |
| Campaign ID (partial) | | Shared campaign identifier embedded in both ESXi and Windows variants; confirms coordinated cross-platform deployment by same operator | Tracking | Rapid7 |
| Chat path | | Victim-specific negotiation path on the Tor chat portal | Tracking | Rapid7 |
| File extension | | Encrypted file extension appended by ESXi variant | Malicious | Rapid7 |
| File extension | | Encrypted file extension appended by Windows variant | Malicious | Rapid7 |
| Filename | | Ransom note dropped in every directory by ESXi variant (pre-encryption) | Malicious | Rapid7 |
| Filename | | Ransom note dropped per-directory by Windows variant post-encryption | Malicious | Rapid7 |
| Filename | | Log file dropped by Windows variant recording each encrypted file | Artifact | Rapid7 |
| Filename | | Custom icon written to | Artifact | Rapid7 |
| Registry path | | Registry modification for SMB concurrent connection increase (value: 65535) | Malicious | Rapid7 |
| Directory | | Created by Windows variant for icon registration; presence indicates compromise | Artifact | Rapid7 |
| Mutex | | Wide string mutex in Windows variant | Malicious | Rapid7 |
| Build path | | Rust cargo build path retained in Windows binary; developer environment artifact | Intel | Rapid7 |
| Marker bytes | | Trailer markers in last 535 bytes of already-encrypted ESXi files; used to prevent double-encryption | Forensic | Rapid7 |
| File pattern | | In-progress encryption marker on ESXi; files with this suffix indicate interrupted encryption | Forensic | Rapid7 |
| File pattern | | Redundant key metadata copy written alongside each encrypted ESXi file | Forensic | Rapid7 |
| ESXi path | | Primary target directory for ESXi encryptor (explicit in binary help text) | Target | Rapid7 |
| ESXi defacement path | | Replaced with ransom note pre-encryption | Artifact | Rapid7 |
| ESXi defacement path | | Replaced with ransom note pre-encryption | Artifact | Rapid7 |
| ESXi defacement path | | Replaced with ransom note pre-encryption | Artifact | Rapid7 |
| ESXi signal file | | Created before per-file encryption begins; used as concurrency guard | Forensic | Rapid7 |
Cisco SD-WAN — CVE IOC Table
| Type | Value | CVSS | KEV Status | FCEB Deadline | Source |
|---|---|---|---|---|---|
| CVE ID | | 10.0 | Yes (Feb 2026) | Feb 27, 2026 (passed) | NVD, ED-26-03 |
| CVE ID | | [NOT CONFIRMED discrete value] | Yes (via ED-26-03) | Feb 27, 2026 (passed) | CISA ED-26-03 |
| CVE ID | | 5.4 | Yes (Apr 20, 2026) | Apr 23, 2026 (today — expired) | Feedly/NVD, HNS |
| CVE ID | | 7.5 | Yes (Apr 20, 2026) | Apr 23, 2026 (today — expired) | Feedly/NVD |
| CVE ID | | 6.5 | Yes (Apr 20, 2026) | Apr 23, 2026 (today — expired) | HelpNetSecurity |
Infrastructure patterns — Cisco SD-WAN:
Management interfaces targeted: TCP/8443 (HTTPS management), TCP/443, TCP/22 (SSH), TCP/830 (NETCONF). Any of these reachable from untrusted networks constitutes high-risk exposure.
Specific attacker C2 infrastructure: [INSUFFICIENT SOURCE DATA — no IPs, domains, or C2 indicators published for the Cisco SD-WAN exploitation actor in any available source.]
CISA KEV 8-Pack — CVE IOC Table
| Type | Value | CVSS | Product | KEV Status | FCEB Deadline | Source |
|---|---|---|---|---|---|---|
| CVE ID | | 8.2 | PaperCut NG/MF | Yes | May 4, 2026 | CISA KEV |
| CVE ID | | [NVD value not confirmed in sources] | JetBrains TeamCity | Yes | May 4, 2026 | CISA KEV |
| CVE ID | | [NVD value not confirmed in sources] | Kentico Xperience | Yes | May 4, 2026 | CISA KEV |
| CVE ID | | 10.0 | Quest KACE SMA | Yes | May 4, 2026 | CISA KEV |
| CVE ID | | 6.1 | Zimbra ZCS | Yes | May 4, 2026 | CISA KEV |
| CVE ID | | 9.1 | Fortinet FortiClient EMS | Yes | May 4, 2026 | SANS ISC |
| CVE ID | | [NVD value not confirmed in sources] | Microsoft Exchange | Yes | May 4, 2026 | SANS ISC |
| CVE ID | | [NOT CONFIRMED in sources] | Apache ActiveMQ | Yes | Apr 20, 2026 (passed) | SANS ISC |
| CVE ID | | 7.8 | Microsoft Defender (BlueHammer) | Not confirmed as KEV-listed | N/A | SANS ISC |
| URL path | | N/A | Apache ActiveMQ | Exploitation confirmed | N/A | SANS ISC |
Vercel/Context.ai Supply Chain Breach — IOC Table
| Type | Value | Context | Verdict | Source |
|---|---|---|---|---|
OAuth App | Context.ai OAuth application (specific App ID not published in available sources) | Malicious OAuth application in Google Workspace used to access Vercel employee accounts | Revoke immediately — check via Google Admin Console → Security → API Controls | SANS ISC |
Malware family | Lumma infostealer | Assessed (not confirmed) as root-cause credential theft vector at Context.ai employee systems, estimated February 2026 | Pending — Hudson Rock assessment | SANS ISC |
Infrastructure Pattern Summary
| Cluster | Infrastructure Type | Status | Notes |
|---|---|---|---|
| Kyber — Negotiation portal | | ACTIVE — block at Tor exit/proxy | Confirmed Rapid7 |
| Kyber — Leak blog | | ACTIVE — block at Tor exit/proxy | Confirmed Rapid7 |
| Cisco SD-WAN — Attacker C2 | [INSUFFICIENT SOURCE DATA] | Unknown | No IPs or domains in any available source |
| ActiveMQ — Attacker remote config URL | Attacker-controlled external URL (not published in sources) | Unknown | Block outbound HTTP/S from ActiveMQ broker process |
| Vercel/Context.ai — OAuth app | Google Workspace OAuth (App ID not published) | Revoke | Audit via Admin Console |
IOC Enrichment Action Items
Immediate: Add both Kyber SHA-256 hashes and both Tor .onion domains to your threat intelligence platform, EDR IOC feeds, and network blocking rules.
Immediate: Add the Kyber mutex string (boomplay.com/songs/182988982) to EDR behavioral detection rules as a hunting indicator.
Immediate: Add .xhsyw and .#~~~ extensions to file integrity monitoring alerting across ESXi datastores and Windows file servers.
Within 24 hours: Add C:\fucked_icon\ directory creation and processed_file.icon file writes to EDR alerting.
Within 24 hours: Add the registry modification HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\MaxMpxCt value change to SIEM monitoring rules.
Within 24 hours: Monitor for creation of .locksignal or .processing files under /vmfs/volumes/ on any ESXi host — these are in-progress encryption markers.
This week: Hunt for the ESXi defacement paths (/etc/motd, both hostd/docroot paths) for modification events in the last 90 days on all ESXi hosts.
This week: Submit both Kyber hashes to VirusTotal, Hybrid Analysis, and internal sandbox for enrichment and additional related sample identification.
Cisco SD-WAN — Detection Engineering
Detection Engineering Opportunities:
Management-plane authentication anomalies: Alert on authentication events to SD-WAN Manager and Controller APIs from new source IPs, geolocations, or ASNs not in the established administrative baseline. Repeated failed authentication followed immediately by success is a high-fidelity indicator of CVE-2026-20127 exploitation.
NETCONF manipulation: Monitor for unexpected NETCONF sessions (TCP/830 or TCP/22 subset) originating from management-plane hosts; alert on configuration changes to routing policy, VPN configuration, or administrative account lists outside approved change windows.
Privileged API misuse (CVE-2026-20122): Detect anomalous file uploads to SD-WAN Manager's API endpoint; alert on changes to vmanage user accounts or privilege escalation events within the Manager UI.
Credential recovery behavior (CVE-2026-20128): Alert on filesystem reads of credential storage files on SD-WAN Manager hosts; monitor process activity for unexpected credential-scraping patterns on the vmanage operating system.
Log pipeline validation: Ensure SD-WAN logs are shipped to a central SIEM platform. Retention of at least 90 days is required to support the CISA Threat Hunt Guide retrospective.
SIEM Pseudocode — Cisco SD-WAN Management Plane Anomaly:
Immediate detection action (deploy within 24 hours): Enable and tune SIEM alerting for any access to SD-WAN management interfaces from outside known admin networks, including VPN 512 interfaces highlighted in CISA guidance.
Hunt this week: Execute CISA's Cisco SD-WAN Threat Hunt Guide across the last 90 days of retained SD-WAN logs; prioritize anomalous peering events, root-level command execution patterns, and unauthorized configuration changes.
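As an added example (not the brief's own pseudocode), the following implements the two management-plane authentication signals described above over constructed vManage-style auth lines: a success from outside the administrative baseline, and a burst of failures followed by a success. The baseline networks, log format and parse_line() field layout are assumptions.

```python
"""Added example (not the brief's own pseudocode): management-plane authentication
anomaly detection for Cisco SD-WAN Manager/Controller logs.

Two signals are implemented:
  1. A successful authentication from a source outside the administrative baseline.
  2. A burst of failed authentications from one source followed by a success
     inside a short window (the fail-then-succeed pattern the brief calls out).
The log format, baseline networks and sample lines are constructed assumptions;
map parse_line() to whatever your SIEM actually normalises from vManage syslog.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed administrative baseline: only these networks are expected to reach
# the management plane (TCP/8443, 443, 22, 830 and the VPN 512 interface).
ADMIN_NETWORKS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "192.0.2.0/28")]
FAIL_BURST = 3                       # failures needed before a success is suspicious
BURST_WINDOW = timedelta(minutes=2)  # look-back window for those failures

# Constructed sample lines: "<ISO timestamp> <source ip> <user> <result> <interface>"
SAMPLE_LOG = """\
2026-04-22T02:14:05Z 10.20.0.15 netadmin success mgmt0
2026-04-22T02:20:11Z 10.20.0.9 netadmin failure mgmt0
2026-04-22T02:20:19Z 10.20.0.9 netadmin failure mgmt0
2026-04-22T02:20:31Z 10.20.0.9 netadmin success mgmt0
2026-04-22T03:01:02Z 198.51.100.77 admin failure vpn512
2026-04-22T03:01:09Z 198.51.100.77 admin failure vpn512
2026-04-22T03:01:15Z 198.51.100.77 admin failure vpn512
2026-04-22T03:01:22Z 198.51.100.77 admin failure vpn512
2026-04-22T03:01:40Z 198.51.100.77 admin success vpn512
2026-04-22T04:45:00Z 203.0.113.5 admin success vpn512
"""


def parse_line(line: str) -> dict:
    """Split one log line into a dict; timestamps are UTC ISO-8601 with a Z suffix."""
    ts, src, user, result, iface = line.split()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "src": ipaddress.ip_address(src), "user": user,
            "result": result.lower(), "iface": iface}


def is_baseline_source(ip) -> bool:
    """True if the source address falls inside an approved administrative network."""
    return any(ip in net for net in ADMIN_NETWORKS)


def analyse(log_text: str) -> list:
    """Return findings in time order; each is a dict with type, src, user and ts."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    recent_failures = defaultdict(list)   # src -> timestamps of failures seen
    findings = []
    for ev in events:
        src = ev["src"]
        if ev["result"] != "success":
            recent_failures[src].append(ev["ts"])
            continue
        # Signal 1: success from outside the admin baseline (new IP / network).
        if not is_baseline_source(src):
            findings.append({"type": "success_from_non_baseline_source",
                             "src": str(src), "user": ev["user"], "ts": ev["ts"],
                             "iface": ev["iface"]})
        # Signal 2: enough failures in the look-back window before this success.
        fails = [t for t in recent_failures[src] if ev["ts"] - t <= BURST_WINDOW]
        if len(fails) >= FAIL_BURST:
            findings.append({"type": "fail_burst_then_success", "src": str(src),
                             "user": ev["user"], "ts": ev["ts"], "failures": len(fails)})
        recent_failures[src].clear()   # a success resets the burst counter
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```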
Kyber Ransomware — Windows Detection Engineering
SIEM Pseudocode — Shadow Copy and Recovery Sabotage:
SIEM Pseudocode — Event Log Clearing:
SIEM Pseudocode — Mass File Extension Change (Windows):
EDR Behavioral Rule — Kyber Windows Pre-Encryption Chain:
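As an added example (not the brief's own pseudocode), the following correlates the anti-recovery command categories from the Windows analysis above over process-creation events and alerts only when several distinct categories occur on one host inside a short window, which is what separates the Kyber pre-encryption chain from a lone administrative command. Log format, category names and sample events are constructed assumptions.

```python
"""Added example (not the brief's own pseudocode): correlating the Windows
anti-recovery command sequence over process-creation events.

A single shadow-copy deletion or log clear is noisy on its own; Kyber runs several
distinct categories back-to-back on one host, so this rule alerts only when
>= ALERT_THRESHOLD categories are seen on the same host inside WINDOW.
Log format, category names and the sample events are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
ALERT_THRESHOLD = 3

# (category, image-name regex, command-line regex); categories follow the brief's
# anti-recovery table. Matching is case-insensitive.
RULES = [
    ("shadow_copy_delete", r"vssadmin\.exe$", r"delete\s+shadows"),
    ("shadow_copy_delete", r"wmic\.exe$", r"shadowcopy\s+delete"),
    ("recovery_env_disable", r"bcdedit\.exe$", r"recoveryenabled\s+no|bootstatuspolicy"),
    ("backup_catalog_delete", r"wbadmin\.exe$", r"delete\s+(catalog|systemstatebackup)"),
    ("event_log_clear", r"wevtutil\.exe$", r"\bcl\b|\bclear-log\b"),
    ("smb_connection_increase", r"reg\.exe$", r"LanmanServer\\Parameters.*MaxMpxCt"),
    ("backup_service_stop", r"net1?\.exe$", r"\bstop\b.*(veeam|vss|backup|sql|msexchange)"),
]
COMPILED = [(cat, re.compile(img, re.I), re.compile(cmd, re.I)) for cat, img, cmd in RULES]

# Constructed sample events: "<ISO timestamp>,<host>,<image path>,<command line>"
SAMPLE_LOG = r"""
2026-04-22T03:12:07Z,FS01,C:\Windows\System32\vssadmin.exe,vssadmin.exe delete shadows /all /quiet
2026-04-22T03:12:09Z,FS01,C:\Windows\System32\wbem\wmic.exe,wmic.exe shadowcopy delete
2026-04-22T03:12:15Z,FS01,C:\Windows\System32\bcdedit.exe,bcdedit.exe /set {default} recoveryenabled no
2026-04-22T03:12:20Z,FS01,C:\Windows\System32\wbadmin.exe,wbadmin.exe delete catalog -quiet
2026-04-22T03:12:44Z,FS01,C:\Windows\System32\wevtutil.exe,wevtutil.exe cl Security
2026-04-22T03:12:50Z,FS01,C:\Windows\System32\reg.exe,reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /t REG_DWORD /d 65535 /f
2026-04-22T09:30:00Z,WS22,C:\Windows\System32\vssadmin.exe,vssadmin.exe list shadows
2026-04-22T09:31:10Z,WS22,C:\Windows\System32\wevtutil.exe,wevtutil.exe cl Application
2026-04-22T01:00:00Z,BK01,C:\Windows\System32\vssadmin.exe,vssadmin.exe delete shadows /for=C: /oldest
2026-04-22T04:00:00Z,BK01,C:\Windows\System32\wevtutil.exe,wevtutil.exe cl System
"""


def parse_line(line: str) -> dict:
    """Split one constructed event line into its four fields."""
    ts, host, image, cmd = line.split(",", 3)
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "host": host, "image": image, "cmd": cmd}


def classify_event(image: str, cmd: str):
    """Return the anti-recovery category for one process-creation event, or None."""
    for cat, img_re, cmd_re in COMPILED:
        if img_re.search(image) and cmd_re.search(cmd):
            return cat
    return None


def detect_sequences(log_text: str) -> list:
    """Return one alert per host whose events hit >= ALERT_THRESHOLD categories in WINDOW."""
    hits = defaultdict(list)   # host -> [(ts, category)] in time order
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    for ev in events:
        cat = classify_event(ev["image"], ev["cmd"])
        if cat:
            hits[ev["host"]].append((ev["ts"], cat))
    alerts = []
    for host, seq in hits.items():
        for i, (start, _) in enumerate(seq):
            cats = sorted({c for t, c in seq[i:] if t - start <= WINDOW})
            if len(cats) >= ALERT_THRESHOLD:
                alerts.append({"host": host, "start": start, "categories": cats})
                break          # one alert per host is enough to page the SOC
    return alerts


if __name__ == "__main__":
    for alert in detect_sequences(SAMPLE_LOG):
        print(alert["host"], alert["start"].isoformat(), ", ".join(alert["categories"]))
```

In the sample, only FS01 alerts: WS22 clears one log after a harmless shadow listing, and BK01's two hits are hours apart, so neither reaches three categories inside the window.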
Kyber Ransomware — ESXi Detection Engineering
SIEM Pseudocode — ESXi Abnormal VM Shutdown and Datastore Write:
File Integrity Monitoring Rule — ESXi:
YARA Pattern — Kyber ESXi ELF Encryptor (from Rapid7 SHA-256 artifact):
Immediate detection action (deploy within 24 hours): Implement SIEM rules to flag mass shadow-copy deletion and event-log clearing sequences on Windows servers; deploy file extension monitoring for .xhsyw and .#~~~ patterns; add Kyber SHA-256 hash to threat intelligence platforms and endpoint IOC feeds.
Hunt this week: Scan historical endpoint and ESXi logs for documented Kyber extensions, ransom-note filenames, the Boomplay-derived mutex string, and service-stop command sequences; prioritize environments hosting critical virtualized workloads and backup infrastructure.
CISA KEV 8-Pack — Additional Detection Opportunities
Apache ActiveMQ CVE-2026-34197 — SIEM:
EDR — ActiveMQ RCE Post-Exploitation:
Microsoft Defender BlueHammer CVE-2026-33825 — SIEM:
Defender UnDefend — Definition Update Failure Alert:
Source-Confirmed Technique Mappings
The following technique IDs are confirmed from SOC Prime's Kyber detection content and MITRE ATT&CK official definitions, with behavioral evidence sourced from Rapid7's Kyber analysis and CISA ED-26-03 materials.
| Technique ID | Technique Name | Tactic | Source Basis | Incident Cluster | Confidence |
|---|---|---|---|---|---|
T1486 | Data Encrypted for Impact | Impact | SOC Prime (explicit ID) + Rapid7 behavioral evidence + MITRE ATT&CK definition match | Kyber (ESXi + Windows) | High — source-confirmed ID |
T1489 | Service Stop | Impact | SOC Prime (explicit ID) + Rapid7: stops SQL Server, Exchange, backup services pre-encryption | Kyber (Windows) | High — source-confirmed ID |
T1485 | Data Destruction | Impact | SOC Prime (explicit ID) + Rapid7: Volume Shadow Copy deletion via vssadmin | Kyber (Windows) | High — source-confirmed ID |
T1490 | Inhibit System Recovery | Impact | SOC Prime (explicit ID) + Rapid7: disables Windows Recovery Environment, wipes recycle bins | Kyber (Windows) | High — source-confirmed ID |
T1562 | Impair Defenses | Defense Evasion | SOC Prime (explicit ID) + Rapid7: event log clearing, backup service disablement | Kyber (Windows) | High — source-confirmed ID |
Analyst-Inferred Technique Mappings
The following mappings are analyst-inferred from behavioral descriptions in referenced sources. They are stated explicitly as inferred and must not be used for adversary emulation, purple team exercises, or attribution without independent validation and explicit source confirmation.
| Technique ID | Technique Name | Tactic | Behavioral Basis | Incident Cluster | Confidence |
|---|---|---|---|---|---|
T1190 | Exploit Public-Facing Application | Initial Access | CVE-2026-20127 authentication bypass on internet-accessible SD-WAN management interface; described in CISA ED-26-03 and Greenbone analysis | Cisco SD-WAN | Analyst-inferred |
T1068 | Exploitation for Privilege Escalation | Privilege Escalation | CVE-2022-20775 path traversal enabling root command execution on SD-WAN Controller; described in CISA ED-26-03 | Cisco SD-WAN | Analyst-inferred |
T1078 | Valid Accounts | Initial Access / Persistence | Kyber operators described as deploying payloads from administrative access to ESXi and Windows file servers; Rapid7 notes administrative credential abuse as the presumed access path | Kyber | Analyst-inferred |
T1078.001 | Valid Accounts: Default Accounts | Initial Access | Apache ActiveMQ CVE-2026-34197: default admin:admin credentials described by SANS ISC as the de facto access enabler across production deployments | Apache ActiveMQ | Analyst-inferred |
T1195.002 | Compromise Software Supply Chain | Initial Access | Vercel breach chain: Lumma infostealer → Context.ai credential theft → OAuth application abuse → Vercel employee Google Workspace access; described in SANS ISC NewsBites | Vercel/Context.ai | Analyst-inferred |
T1528 | Steal Application Access Token | Credential Access | Context.ai malicious OAuth application authorized access to Vercel employee Google Workspace; token-based access to internal Vercel systems | Vercel/Context.ai | Analyst-inferred |
T1059 | Command and Scripting Interpreter | Execution | Kyber Windows variant executes vssadmin, wevtutil, bcdedit, and net stop commands as part of pre-encryption sequence; consistent with T1059 execution patterns | Kyber (Windows) | Analyst-inferred |
T1222 | File and Directory Permissions Modification | Defense Evasion | Kyber ESXi variant modifies ESXi management interface view to display ransom notes; consistent with file-level permission or content modification | Kyber (ESXi) | Analyst-inferred — low confidence |
MITRE D3FEND Countermeasure Mappings
The following D3FEND countermeasures map directly to the confirmed and inferred ATT&CK techniques above.
| D3FEND Technique | D3FEND ID | Maps Against ATT&CK | Application to This Brief |
|---|---|---|---|
Software Update | D3-SU | T1190, T1068 | Apply Cisco SD-WAN patches for CVE-2026-20127 and CVE-2022-20775 immediately; patch Apache ActiveMQ to 5.19.4/6.2.3 |
Network Segmentation | D3-NI | T1190, T1078 | Restrict SD-WAN management interfaces to admin-only networks; segment ESXi vSphere consoles and backup servers from production |
Credential Hardening | D3-CH | T1078, T1078.001 | Eliminate default credentials (admin:admin on ActiveMQ); enforce phishing-resistant MFA on SD-WAN, ESXi, and Hyper-V management consoles |
File Backup | D3-FB | T1486, T1485, T1490 | Enforce immutable backup architecture inaccessible from production networks; rehearse recovery under concurrent hypervisor and backup unavailability |
Platform Hardening | D3-PH | T1489, T1562 | Restrict vssadmin and wevtutil execution to approved administrator accounts only via AppLocker or WDAC policy; monitor Defender service health for UnDefend-pattern disruptions |
User Account Management | D3-UAM | T1528, T1195.002 | Audit and restrict OAuth application authorizations in Google Workspace; enforce least-privilege on API scopes; maintain approved vendor allowlist for third-party OAuth apps |
ATT&CK Tactic Coverage Map (Today's Brief)
| Tactic | Confirmed (Source-Mapped) | Inferred (Analyst Basis) |
|---|---|---|
Initial Access | — | T1190, T1078, T1078.001, T1195.002 |
Execution | — | T1059 |
Privilege Escalation | — | T1068 |
Credential Access | — | T1528 |
Defense Evasion | T1562 (confirmed) | T1222 |
Impact | T1486, T1489, T1485, T1490 (all confirmed) | — |
All confirmed technique IDs are source-mapped to SOC Prime's Kyber ATT&CK detection content and MITRE ATT&CK official definitions. Inferred techniques are labeled as such and must not be operationalized without independent validation.
Chapter 05 - Governance, Risk & Compliance
Cisco SD-WAN — Regulatory Obligations and Business Risk
Regulatory Exposure:
CISA Emergency Directive 26-03 (U.S. FCEB): Legally binding for all FCEB agencies. Requires inventory, patching, log collection, threat hunting, and reporting on a defined schedule. FCEB compliance for CVE-2026-20122, CVE-2026-20128, and CVE-2026-20133 was due today, April 23. Non-compliance constitutes a regulatory violation reportable to CISA.
FedRAMP Notice 0006: Cloud service providers with Cisco SD-WAN in FedRAMP-authorized boundaries were required to complete patching by 5:00 PM ET February 27, 2026, and upload evidence to the FedRAMP IR folder. Any provider who has not done so is in breach of their FedRAMP authorization obligations.
NIST SP 800-53 (Revision 5): Unpatched CVE-2026-20127 (CVSS 10.0) on network management systems likely violates SI-2 (Flaw Remediation) and CA-7 (Continuous Monitoring) controls for any organization seeking FISMA compliance.
NIS2 (EU): Operators of essential services in EU member states are obligated to apply security measures including timely patch management under NIS2 Article 21. Unpatched SD-WAN management planes on essential-service networks represent reportable security risk.
PCI DSS 4.0 (Requirement 6.3): All security vulnerabilities must be identified and remediated in a risk-ranked manner. CVE-2026-20127 at CVSS 10.0 on payment-relevant network infrastructure is a critical PCI finding.
Business Risk:
Operational risk: Cisco SD-WAN controller compromise can cause traffic hijacking, routing manipulation, and VPN disruption across all connected sites — equivalent in blast radius to a domain controller breach at the network fabric level.
Financial risk: Regulatory penalties for FedRAMP non-compliance and potential civil liability in the event of customer data exfiltration through compromised SD-WAN segments.
Reputational risk: Any confirmed SD-WAN management plane compromise affecting customer traffic or data will carry significant notification obligations across multiple regulatory regimes.
Board-Level Decision — Cisco SD-WAN: Escalate immediately. ED-26-03 and FedRAMP Notice 0006 carry regulatory force. CVSS 10.0 with confirmed exploitation since 2023 is not a theoretical risk. Treat as board-visible emergency remediation programme with independent assurance over completion status.
Kyber Ransomware — Governance, Risk, and Compliance
Regulatory Exposure:
GDPR / UK GDPR: If Kyber's confirmed victim (a multibillion-dollar U.S. defense contractor with IT services) processes EU or UK personal data, and if Kyber exfiltrated data prior to encryption (which Rapid7 does not confirm but does not exclude in available sources), a 72-hour supervisory authority notification obligation arises.
DFARS / CMMC (U.S. Defense Industrial Base): The confirmed Kyber victim is a defense contractor. Under DFARS clause 252.204-7012 and CMMC 2.0, contractors experiencing cyber incidents affecting covered defense information must report to the Department of Defense within 72 hours. If Kyber encrypted or accessed controlled unclassified information, this obligation is triggered.
SEC Cybersecurity Disclosure Rule: For publicly traded companies, a material cybersecurity incident (simultaneous hypervisor and backup encryption at a major contractor qualifies as material by most assessments) must be disclosed via Form 8-K within four business days of determining materiality.
SOC 2 Type II: Simultaneous encryption of production hypervisors and backup infrastructure constitutes a catastrophic availability failure; auditors would treat this as a significant SOC 2 finding requiring client notification and remediation documentation.
Business Risk:
RTO/RPO exposure: Kyber explicitly targets backup infrastructure and virtualization platforms simultaneously — the most critical test of business continuity assumptions. Organizations with RTO/RPO commitments to customers should validate whether those commitments remain achievable under a Kyber-style scenario where both hypervisors and backup repositories are affected.
Supply chain liability: The confirmed victim is an IT services provider — Kyber's compromise of a managed services environment creates downstream risk to the provider's own customers.
Financial risk: Ransom demand scope is unknown from available sources. Recovery cost from simultaneous hypervisor and backup encryption without immutable backups is likely to significantly exceed any ransom demand.
Board-Level Decision — Kyber: Escalate. Require executive-level attestation that hypervisor and backup resilience has been validated against a scenario where both production and backup environments are simultaneously unavailable. Review incident response retainer arrangements and confirm they include hypervisor recovery capability.
CISA KEV 8-Pack — Governance Supplement
Quest KACE SMA (CVE-2025-32975, CVSS 10.0): KACE SMA is widely deployed in regulated healthcare and education environments. Unauthenticated full user impersonation on a system management appliance with endpoint management privileges constitutes a critical HIPAA Security Rule concern (§164.312 — Access Control). If KACE SMA manages systems containing PHI, compromise may constitute a reportable HIPAA breach.
Zimbra ZCS (CVE-2025-48700) — UAC-0233 targeting Ukraine: Ukrainian government entities and allied organisations processing EU persons' communications via ZCS have a GDPR breach notification obligation if mailbox exfiltration (confirmed by CERT-UA) affects EU-linked personal data. CERT-UA's confirmed pattern of bulk mailbox export and TGZ archiving constitutes a data exfiltration event for GDPR purposes.
Fortinet FortiClient EMS (CVE-2026-21643, CVSS 9.1): FortiClient EMS is commonly deployed in regulated enterprise environments. RCE via SQL injection on an endpoint management server provides an attacker with the ability to push configurations or software to all managed endpoints — a board-level supply chain risk for any organization with FortiClient EMS in its endpoint management stack.
Microsoft Exchange (CVE-2023-21529 — Medusa ransomware link): Exchange servers in healthcare and financial services environments that remain unpatched are confirmed attack vectors for Medusa ransomware deployment. Given HIPAA and PCI exposure, board notification is warranted if these systems remain unpatched after today.
CISO Decision — KEV 8-Pack: Escalate for KACE SMA, FortiClient EMS, and Exchange. Regulated-sector exposure for these three products is above the threshold requiring board-level visibility. Confirm patch status today.
Chapter 06 - Adversary Emulation
Adversary emulation scenarios require explicitly source-confirmed MITRE ATT&CK technique IDs mapped to specific campaign behaviors in primary research. Five technique IDs have been source-confirmed for the Kyber ransomware campaign (T1486, T1489, T1485, T1490, T1562). These are sufficient to define a structured purple team exercise.
Kyber Ransomware — Purple Team Exercise: Impact Phase Validation
Objective: Validate whether existing detection and response controls would identify and contain Kyber's confirmed impact-phase techniques before operational data is encrypted. This emulation covers only the confirmed source-mapped Impact and Defense Evasion techniques — not Initial Access, which remains under attribution.
Pre-conditions:
Emulation team has assumed administrative access to a target Windows Server in a controlled lab or non-production segment.
Target environment mirrors production: domain-joined, with VSS enabled, Windows event logging active, at least one backup agent running (e.g., Veeam, Windows Server Backup).
Blue team is monitoring with SIEM and EDR in active alert mode — do NOT disable monitoring.
Exercise Sequence (source-mapped to Kyber documented behavior):
| Step | ATT&CK ID | Emulation Action | Expected Detection Signal |
|---|---|---|---|
1 | T1489 | Execute: | SIEM: service stop events for critical backup/DB services outside maintenance window |
2 | T1485 | Execute: | SIEM: Volume Shadow Copy deletion alert; EDR: vssadmin with delete-all arguments |
3 | T1490 | Execute: | SIEM: bcdedit recovery-disable command; EDR: wbadmin delete catalog |
4 | T1562 | Execute: | SIEM: Event ID 1102 (Security log cleared); wevtutil detection rule fires |
5 | T1486 | Simulate file extension rename to .#~~~ across a test directory tree (do NOT use actual encryption binary in production) | File integrity monitoring: mass extension change alert; SIEM: T1486 detection rule fires |
Validation Questions:
Did the SIEM fire within the 5-minute SLA defined in Chapter 4 detection rules for shadow-copy deletion?
Was the event-log clearing alert generated before or after the simulated encryption step?
Did the incident response team receive and acknowledge the alert within defined SLA?
Would the backup infrastructure have been recoverable (immutable/offline) if step 2 had been executed against production VSS?
Post-Exercise Actions:
Document any detection gaps revealed.
Tune SIEM alert thresholds where false negatives occurred.
Review backup architecture findings against Kyber's documented targeting of backup services.
Report results to CISO with specific RTO/RPO implications if any backup recovery gap was identified.
Cisco SD-WAN — Validation Activity (Non-Emulation)
Full adversary emulation of the Cisco SD-WAN attack chain (CVE-2026-20127 + CVE-2022-20775 exploitation) is not recommended against production infrastructure and would require authorized penetration testing with vendor-specific expertise. However, the following validation actions can be performed without adversary emulation and will confirm defensive posture:
Exposure validation: Use network scanning or authorized access to confirm that SD-WAN management interfaces (TCP/8443, TCP/443, TCP/22) are not reachable from untrusted network segments. Document results.
Patch confirmation: Query Cisco SD-WAN Manager software version via the management API or CISA guidance tooling; confirm all KEV-listed CVEs are remediated.
Log completeness check: Confirm that SD-WAN controller and manager logs are flowing into the SIEM and that 90+ days of history are available for retrospective threat hunting.
CISA Threat Hunt Guide execution: Execute the prescribed hunt queries as a structured validation activity — this is the CISA-recommended method for confirming absence of compromise indicators.
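One way to carry out the log completeness check above, as an added example that is not from this brief, CISA or Cisco: given per-source event timestamps exported from the SIEM, it reports whether each required SD-WAN log source has at least 90 days of history, is still sending, and has no ingestion gaps wider than a tolerance. The source tags `sdwan-manager` and `sdwan-controller`, the `<source> <ISO-8601 timestamp>` export format, the six-hour gap tolerance and the constructed export itself are assumptions for this example.

```python
"""SIEM log-completeness check for the SD-WAN validation activity.

Added example, not from this brief, CISA or Cisco. Given per-source event
timestamps exported from the SIEM (constructed below), it reports whether each
required SD-WAN log source has at least 90 days of history, is still sending,
and has no ingestion gaps wider than a tolerance. The source tags and the
"<source> <ISO-8601 timestamp>" export format are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List

REQUIRED_SOURCES = ("sdwan-manager", "sdwan-controller")  # assumed SIEM source tags
MIN_HISTORY = timedelta(days=90)   # retrospective hunt window named in the brief
MAX_GAP = timedelta(hours=6)       # assumption: ingestion silence that counts as a gap
NOW = datetime(2026, 4, 23, 12, 0, tzinfo=timezone.utc)  # brief date, fixed for determinism


def build_sample_export(now: datetime) -> List[str]:
    """Constructed export: one line per hour-bucket in which events arrived."""
    lines: List[str] = []
    # Manager: 120 days of hourly buckets with a 30-hour ingestion outage 10 days ago.
    outage_start = now - timedelta(days=10)
    t = now - timedelta(days=120)
    while t <= now:
        if not (outage_start <= t < outage_start + timedelta(hours=30)):
            lines.append(f"sdwan-manager {t.isoformat()}")
        t += timedelta(hours=1)
    # Controller: continuous, but only 40 days of history retained.
    t = now - timedelta(days=40)
    while t <= now:
        lines.append(f"sdwan-controller {t.isoformat()}")
        t += timedelta(hours=1)
    return lines


def parse_export(lines: List[str]) -> Dict[str, List[datetime]]:
    """Group timestamps by source tag, sorted ascending."""
    by_source: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        src, ts = line.split(maxsplit=1)
        by_source[src].append(datetime.fromisoformat(ts))
    for stamps in by_source.values():
        stamps.sort()
    return by_source


def assess(by_source: Dict[str, List[datetime]], now: datetime) -> Dict[str, dict]:
    """Per required source: history length, ingestion gaps, staleness and a pass flag."""
    report: Dict[str, dict] = {}
    for src in REQUIRED_SOURCES:
        stamps = by_source.get(src, [])
        if not stamps:
            # Source never seen: nothing to hunt in at all.
            report[src] = {"present": False, "history_days": 0, "gaps": [], "stale": True, "ok": False}
            continue
        gaps = [(a, b) for a, b in zip(stamps, stamps[1:]) if b - a > MAX_GAP]
        history = now - stamps[0]
        stale = now - stamps[-1] > MAX_GAP  # source stopped sending recently
        report[src] = {
            "present": True,
            "history_days": history.days,
            "gaps": gaps,
            "stale": stale,
            "ok": history >= MIN_HISTORY and not gaps and not stale,
        }
    return report


def hunt_ready(report: Dict[str, dict]) -> bool:
    """True only when every required source can support a 90-day retrospective hunt."""
    return all(r["ok"] for r in report.values())


if __name__ == "__main__":
    result = assess(parse_export(build_sample_export(NOW)), NOW)
    for src, r in result.items():
        print(f"{src}: history_days={r['history_days']} gaps={len(r['gaps'])} stale={r['stale']} ok={r['ok']}")
    print("hunt ready:", hunt_ready(result))
```

On the constructed export the manager fails on a 31-hour gap and the controller fails on retention, so `hunt_ready` is false; either finding means the CISA hunt queries that follow would run over incomplete history and should be recorded as a gap before results are reported.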
Factors supporting high confidence:
CISA Emergency Directive 26-03 is the highest-authority source in the registry (T1-08, authoritative LLM weight); FedRAMP Notice 0006 provides independent government confirmation of mandate scope.
NVD confirms CVSS 10.0 for CVE-2026-20127 with active exploitation notation.
Rapid7 primary research provides a confirmed IR-engagement-based analysis with actual recovered malware samples for Kyber. This is the highest evidential standard available for ransomware intelligence.
SOC Prime provides explicit ATT&CK technique IDs for Kyber, confirmed independently against MITRE ATT&CK definitions.
BleepingComputer Kyber coverage independently corroborates Rapid7 technical findings on the Windows variant.
CISA KEV listings provide authoritative exploitation confirmation for all eight KEV-cluster CVEs.
SANS ISC NewsBites Vol. XXVIII-30 (T1-14, elevated) provides authoritative practitioner corroboration for Defender zero-days, ActiveMQ, and Vercel breach.
Factors limiting score below 95:
Actor attribution for Cisco SD-WAN exploitation: CISA describes "sophisticated threat actors" without naming a group or nation-state in any publicly referenced source; this under-attribution reduces overall attribution confidence.
Kyber's initial access vector is not explicitly documented in Rapid7's published analysis — the administrative credential abuse pathway is assessed, not confirmed.
CVE-2026-20133 exploitation is CISA KEV-listed but Cisco has not independently confirmed exploitation in its own advisory at the time of source consumption — slight discordance between CISA listing and vendor confirmation.
RedSun and UnDefend (Defender zero-days) CVE IDs are [NOT CONFIRMED] in any available source — reduces completeness of the Defender cluster.
IOC enrichment is raw — no reputation scoring, passive DNS, or sandbox classification is available for the Kyber Tor domain or SHA-256 hash beyond source-publication.
MITRE technique IDs for Cisco SD-WAN exploitation are analyst-inferred, not source-confirmed.
