☕ Good Morning Security Gang,
Today’s headlines were dominated by attacks against the network edge. Three critical Ubiquiti UniFi vulnerabilities with perfect CVSS scores are now being actively exploited just days before the federal remediation deadline. Mandiant released a detailed forensic analysis showing exactly how attackers compromised Cisco Catalyst SD-WAN environments and escalated to root access across enterprise management planes. Meanwhile, Operation Endgame delivered one of the largest coordinated law enforcement victories against the cybercrime ecosystem, dismantling hundreds of servers supporting the Amadey and StealC malware operations.
We also saw the Department of Justice announce the largest healthcare fraud takedown in U.S. history, highlighting how cybercrime, stolen identities, and financial fraud continue to converge.
The message throughout today’s show was clear: if attackers control your infrastructure, they control your business.
Double espresso in hand. Coffee cup cheers, gang. Let’s get into it.
🧭 Executive Summary
Today’s cybersecurity landscape focused almost entirely on infrastructure resilience.
Attackers continue concentrating their efforts against network edge devices, management platforms, and identity infrastructure because those systems provide the fastest route to enterprise-wide compromise. Cisco, Ubiquiti, and legacy industrial communication systems all demonstrated how weaknesses in centralized management platforms create disproportionate organizational risk.
On the positive side, Operation Endgame continues producing measurable disruption against cybercriminal ecosystems by targeting not individual threat actors, but the infrastructure enabling ransomware, credential theft, and malware-as-a-service operations.
The battle is increasingly shifting away from individual malware campaigns and toward dismantling the infrastructure that allows cybercrime to scale globally.
📰 Top Stories & Deep Dive Analysis
🚨 Three Critical Ubiquiti UniFi Vulnerabilities Now Under Active Exploitation
The most urgent story today involves three critical vulnerabilities affecting Ubiquiti UniFi OS, all carrying perfect CVSS 10.0 severity ratings and all now confirmed to be under active exploitation after their inclusion in CISA’s Known Exploited Vulnerabilities catalog. Federal agencies face a remediation deadline of June 26, underscoring the urgency of the situation.
Researchers at Bishop Fox demonstrated that the vulnerabilities can be chained together into a complete unauthenticated remote code execution attack. The exploit sequence begins with an authentication bypass, followed by a path traversal vulnerability that exposes sensitive configuration files and credentials, and concludes with a command injection flaw that grants full root-level execution on vulnerable systems.
Threat researchers have already observed automated attacks creating unauthorized administrator accounts named “John Sim,” suggesting mass internet scanning is well underway.
UniFi devices are widely deployed across enterprise campuses, branch offices, SMBs, and home office environments. That broad deployment significantly expands the potential attack surface.
The patches have been available since May 21, yet many organizations remain exposed. If UniFi management interfaces are still internet accessible, the opportunity for attackers is substantial.
Organizations should immediately upgrade to UniFi OS version 5.0.8 or later, restrict management interfaces to dedicated administrative networks, block external access to UniFi controller ports, and leverage Bishop Fox’s published detection tools to identify vulnerable systems before attackers do.
⚠️ Mandiant Reveals How Cisco SD-WAN Zero-Day Became Full Enterprise Compromise
Mandiant published one of the most detailed forensic analyses of a Cisco SD-WAN compromise to date, documenting exactly how attackers transformed multiple vulnerabilities into complete control of a communications provider’s network infrastructure.
“Seven actively exploited zero-days in a single product line in six months isn’t bad luck. That’s structural failure.” – James Azar
The attack unfolded in multiple stages over several months. Threat actors first exploited authentication bypass vulnerabilities to establish administrative access, quietly changed default administrator passwords to avoid detection, and extracted SD-WAN configuration data covering controllers, edge devices, templates, and network architecture.
Months later, they leveraged a newly discovered command injection vulnerability by uploading a malicious CSV file through Cisco’s tenant management interface. That payload created a hidden root account named “Truth,” allowing attackers to obtain unrestricted administrative control over the SD-WAN management plane.
With management plane access established, attackers gained the ability to push malicious configurations across every connected branch office and edge device managed by the platform.
Perhaps the most concerning aspect of the investigation is the trend itself.
This represents the seventh actively exploited Cisco SD-WAN zero-day disclosed during 2026.
At some point, organizations must ask whether repeated vulnerabilities within the same product family represent isolated software defects—or deeper architectural challenges.
Security teams operating Cisco SD-WAN environments should approach this as an active incident response effort rather than a routine patch cycle. Administrator accounts, unauthorized configuration changes, NetConf activity, and unexpected peering relationships all warrant immediate investigation.
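Both the UniFi and the SD-WAN stories come down to the same two checks on the management plane: is the device on a fixed version, and do its local administrator accounts match what change management approved? The script below is an added example (not Ubiquiti's, Cisco's, Bishop Fox's or Mandiant's tooling) that runs those checks over a constructed inventory. The device names, the approved-admin baseline, the `4.3.5` version string and the `platform` labels are assumptions made for the example; the two stray account names are the ones reported in the stories above, and the `5.0.8` floor is the fixed UniFi OS version named in the advisory coverage.

```python
"""Management-plane account and version audit.

Added example, not Ubiquiti's or Cisco's tooling. The inventory below is
constructed for illustration; in practice it would be exported from the
controller/manager, and the approved-admin baseline would come from IAM or
change-management records (an assumption of this example).
"""
from dataclasses import dataclass

# Approved local administrator accounts per management-plane device (assumed baseline).
APPROVED_ADMINS = {
    "unifi-controller-01": {"netops", "backup-svc"},
    "sdwan-manager-01": {"admin", "netops", "sdwan-monitor"},
}

# Minimum fixed UniFi OS version named in the advisory coverage.
UNIFI_MIN_VERSION = "5.0.8"


def parse_version(version: str) -> tuple:
    """'5.0.8' -> (5, 0, 8); compare numerically so '5.0.10' is not judged older than '5.0.8'."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_below_minimum(current: str, minimum: str = UNIFI_MIN_VERSION) -> bool:
    """True when the running version still lacks the fix."""
    cur, req = parse_version(current), parse_version(minimum)
    width = max(len(cur), len(req))
    cur += (0,) * (width - len(cur))   # pad so (5, 0) compares like (5, 0, 0)
    req += (0,) * (width - len(req))
    return cur < req


def unexpected_admins(device: str, observed) -> set:
    """Accounts present on the device but absent from the approved baseline."""
    return set(observed) - APPROVED_ADMINS.get(device, set())


@dataclass(frozen=True)
class Finding:
    device: str
    kind: str
    detail: str


def audit(inventory: dict) -> list:
    """One Finding per unexpected admin account and per unpatched UniFi OS device."""
    findings = []
    for device, info in inventory.items():
        for account in sorted(unexpected_admins(device, info.get("admins", ()))):
            findings.append(Finding(device, "unexpected_admin", account))
        version = info.get("version")
        if info.get("platform") == "unifi-os" and version and version_below_minimum(version):
            findings.append(Finding(device, "unpatched", f"UniFi OS {version} < {UNIFI_MIN_VERSION}"))
    return findings


# Constructed inventory. The two stray account names are the ones reported in the stories above.
SAMPLE_INVENTORY = {
    "unifi-controller-01": {
        "platform": "unifi-os",
        "version": "4.3.5",            # constructed pre-fix version string
        "admins": {"netops", "backup-svc", "John Sim"},
    },
    "sdwan-manager-01": {
        "platform": "sdwan-manager",   # no version gate defined for this platform in the example
        "admins": {"admin", "netops", "sdwan-monitor", "Truth"},
    },
}

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"[{f.kind}] {f.device}: {f.detail}")
```

Run it and the unifi controller is reported twice (an unapproved “John Sim” account and an unpatched version) and the SD-WAN manager once (“Truth”). The point of the baseline diff is that it does not depend on knowing the attacker's chosen account name in advance: any account not in the approved set is a finding, which is the check that catches the quiet, months-apart changes Mandiant describes.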
🌍 Operation Endgame Strikes the Amadey and StealC Malware Ecosystem
International law enforcement agencies, Europol, Microsoft, IBM X-Force, Proofpoint, and numerous private-sector partners announced another major success under Operation Endgame, dismantling infrastructure supporting the Amadey loader and StealC information-stealing malware.
The scale of the operation is remarkable.
Authorities disrupted 326 servers, seized 142 malicious domains, identified more than $47 million in criminal cryptocurrency assets, and recovered approximately 27 million stolen credentials harvested from over 385,000 compromised systems worldwide.
“The cybercrime supply chain only works because the infrastructure behind it keeps operating. Break the infrastructure, and you break the business model.” – James Azar
The operation targeted an entire cybercrime business model rather than a single malware family.
Amadey functioned as an initial access platform, delivering secondary malware such as ransomware and remote access trojans. StealC then harvested browser credentials, session cookies, cryptocurrency wallets, messaging data, and authentication tokens that were sold to other criminal organizations or used to facilitate enterprise intrusions.
Microsoft’s Digital Crimes Unit even employed AI-assisted analysis to connect infrastructure shared between both malware families, while Proofpoint and IBM X-Force identified weaknesses within the StealC command-and-control platform itself that law enforcement ultimately leveraged during the takedown.
Rather than arresting individual operators, Operation Endgame continues attacking the infrastructure that makes cybercrime profitable.
That strategy appears to be producing meaningful results.
🏥 DOJ Announces Largest Healthcare Fraud Takedown in U.S. History
The Department of Justice announced charges against 455 defendants across 56 federal districts, involving more than $6.5 billion in fraudulent Medicare and Medicaid claims. Authorities also seized approximately $182 million in assets connected to the schemes.
While primarily a financial crime story, the cybersecurity implications are significant.
Large-scale healthcare fraud increasingly depends upon compromised provider credentials, stolen patient identities, fraudulent billing systems, and automated digital infrastructure capable of processing enormous volumes of false claims.
Investigators highlighted the role of AI, cloud computing, and advanced analytics in identifying suspicious billing activity before payments were issued. Several defendants were arrested overseas, reflecting the increasingly international nature of healthcare fraud operations.
This case reinforces an important reality for healthcare security teams.
Patient data breaches do not simply create privacy risks.
They frequently become the raw material fueling organized financial crime.
⚡ Need to Know
🖥️ Lantronix EDS5000 Vulnerability Carries Critical Risk
A critical command injection vulnerability affecting Lantronix EDS5000 Serial-to-Ethernet servers is now included in CISA’s Known Exploited Vulnerabilities catalog. These systems frequently bridge legacy industrial equipment into modern IP networks, making them particularly important within operational technology environments. Organizations should update firmware immediately and isolate management interfaces wherever possible.
🍎 Atomic macOS Stealer Expands ClickFix Campaigns
Researchers uncovered a new ClickFix campaign targeting macOS users with Atomic macOS Stealer. Victims are tricked into opening Terminal and executing malicious commands that install credential-stealing malware targeting browsers, cryptocurrency wallets, Apple Keychain, Telegram, and Discord. No legitimate website should ever instruct users to paste commands into Terminal.
🔐 Passkeys Still Lag Across Major Platforms
Security researchers Scott Helme and Troy Hunt launched WhyNoPasskeys.com, highlighting major online services that still do not support passkey authentication. Despite growing adoption by Apple, Google, and Microsoft, several high-profile consumer platforms continue relying exclusively on passwords.
🤖 OpenAI Introduces Custom AI Inference Chip
OpenAI unveiled its first internally designed inference processor, codenamed Jalapeño, built using TSMC’s 3-nanometer manufacturing process. While primarily a business development story, custom AI silicon introduces new supply chain considerations for organizations evaluating AI infrastructure security.
🚆 German Rail Outage Traced to Equipment Failure
Germany’s national rail communications network experienced a nationwide outage caused by a failure during the replacement of a GSM-R communications component. Authorities confirmed the incident was not the result of a cyberattack, although the disruption renewed attention on the aging communications infrastructure supporting critical services.
🎯 DraftKings Credential Stuffing Case Ends in Prison Sentences
A Minnesota man received an 18-month prison sentence for participating in the 2022 DraftKings credential stuffing campaign that compromised approximately 60,000 user accounts and stole roughly $600,000. The case reinforces growing federal enforcement against credential stuffing operations fueled by breached password databases.
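Credential stuffing has a recognisable shape in authentication logs: one source tries many distinct usernames, almost all of them fail, and the occasional success is the reused breached password landing. The following added example (not DraftKings' or any vendor's detection) scores sources on exactly that, over a constructed log whose `ip=/user=/result=` format is assumed for the example. It also shows two patterns the rule deliberately does not flag: a single user mistyping a password, and a single-account brute force, which needs a different rule.

```python
"""Credential-stuffing heuristic over authentication logs.

Added example; the log lines are constructed and the line format is assumed.
Stuffing looks like one source trying many distinct usernames with mostly
failures, which separates it from a single-user brute force or a user who
mistypes a password a few times.
"""
from collections import defaultdict
import re

LINE_RE = re.compile(r"ip=(?P<ip>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>\S+)")


def parse_events(lines):
    """Yield (ip, user, failed) for each parseable line; lines that do not match are skipped."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user"), m.group("result") != "OK"


def detect_stuffing(lines, min_users=5, min_fail_ratio=0.8):
    """Flag sources that touch at least min_users distinct accounts with a failure ratio >= min_fail_ratio."""
    stats = defaultdict(lambda: {"users": set(), "fails": 0, "total": 0})
    for ip, user, failed in parse_events(lines):
        s = stats[ip]
        s["users"].add(user)
        s["total"] += 1
        s["fails"] += int(failed)
    flagged = {}
    for ip, s in stats.items():
        ratio = s["fails"] / s["total"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {"distinct_users": len(s["users"]), "fail_ratio": round(ratio, 2)}
    return flagged


# Constructed sample log (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    # 203.0.113.7: stuffing pattern, eight different accounts, one reused password works
    "2026-06-20T10:00:01Z auth ip=203.0.113.7 user=alice result=FAIL",
    "2026-06-20T10:00:02Z auth ip=203.0.113.7 user=dave result=FAIL",
    "2026-06-20T10:00:02Z auth ip=203.0.113.7 user=erin result=FAIL",
    "2026-06-20T10:00:03Z auth ip=203.0.113.7 user=frank result=OK",
    "2026-06-20T10:00:03Z auth ip=203.0.113.7 user=grace result=FAIL",
    "2026-06-20T10:00:04Z auth ip=203.0.113.7 user=heidi result=FAIL",
    "2026-06-20T10:00:04Z auth ip=203.0.113.7 user=ivan result=FAIL",
    "2026-06-20T10:00:05Z auth ip=203.0.113.7 user=judy result=FAIL",
    # 198.51.100.2: a real user who mistypes twice, then gets in
    "2026-06-20T10:01:10Z auth ip=198.51.100.2 user=bob result=FAIL",
    "2026-06-20T10:01:20Z auth ip=198.51.100.2 user=bob result=FAIL",
    "2026-06-20T10:01:31Z auth ip=198.51.100.2 user=bob result=OK",
    # 192.0.2.9: single-account brute force, a different pattern this rule does not target
    "2026-06-20T10:02:00Z auth ip=192.0.2.9 user=carol result=FAIL",
    "2026-06-20T10:02:01Z auth ip=192.0.2.9 user=carol result=FAIL",
    "2026-06-20T10:02:02Z auth ip=192.0.2.9 user=carol result=FAIL",
    "2026-06-20T10:02:03Z auth ip=192.0.2.9 user=carol result=FAIL",
    "2026-06-20T10:02:04Z auth ip=192.0.2.9 user=carol result=FAIL",
    "2026-06-20T10:02:05Z auth ip=192.0.2.9 user=carol result=FAIL",
    "2026-06-20T10:02:06Z auth unparseable line",
]

if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(f"possible credential stuffing from {ip}: {info}")
```

Only 203.0.113.7 is flagged. The thresholds are starting points: a real deployment keys on more than the source address (stuffing is usually spread across proxies), and the single-account brute force from 192.0.2.9 needs its own per-account failure rule. The successful login mid-burst is the one to act on first, since that is the account whose breached password still works.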
🎯 Key Takeaway
Today’s show wasn’t about malware.
It wasn’t about ransomware.
It was about infrastructure.
The routers.
The controllers.
The management planes.
The edge devices.
The systems responsible for connecting everything else.
When attackers compromise infrastructure, every downstream security control becomes less effective.
Protecting the management plane is no longer simply an operational best practice.
It’s one of the most important cybersecurity priorities organizations have.
🧠 James Azar’s CISOs Take
What stood out to me today is that nearly every major story revolved around infrastructure rather than endpoints. The UniFi vulnerabilities demonstrate how quickly attackers automate exploitation once proof-of-concept code becomes available. The Cisco SD-WAN investigation showed that management platforms remain among the highest-value targets in enterprise environments because they provide centralized control over hundreds or even thousands of devices. If an attacker owns your management plane, they’ve effectively inherited your network.
The second lesson is that we should pay close attention to what Operation Endgame is accomplishing. For years we’ve measured success by arrests, but today’s operation reminds us that dismantling cybercrime infrastructure often delivers greater long-term impact. Recovering millions of stolen credentials, disrupting malware distribution, and removing command-and-control servers directly raises operational costs for cybercriminals. Defenders need to adopt the same mindset internally: focus less on reacting to individual attacks and more on eliminating the infrastructure weaknesses that allow attacks to succeed repeatedly.
🛠️ Action Items
Patch UniFi OS to version 5.0.8 or later immediately
Restrict UniFi management interfaces to dedicated administrative VLANs
Use Bishop Fox detection tools to identify exposed UniFi deployments
Treat Cisco SD-WAN environments as active incident response investigations
Audit privileged NetAdmin accounts across SD-WAN infrastructure
Review configuration changes and unauthorized peering activity
Update Lantronix EDS5000 firmware where deployed
Train users to recognize ClickFix and Terminal-based social engineering
Review passkey adoption across enterprise applications
Rotate credentials recovered from previous breach datasets
Assess management plane segmentation for all network infrastructure
🔥 Stay Cyber Safe.