Threat Report 165
This week's report covers four threats: a critical zero-day vulnerability in Cisco's SD-WAN networking software flagged by NHS Cyber Alerts and the NCSC, an actively exploited flaw in enterprise file transfer software, a sophisticated phishing kit bypassing multi-factor authentication on Microsoft 365, and a newly discovered backdoor malware linked to North Korea that is targeting healthcare and education organisations.
Critical Zero-Day in Cisco SD-WAN Software Exploited by Multiple Threat Actors
NHS Cyber Alerts has issued a high-severity alert for a critical vulnerability in Cisco Catalyst SD-WAN Controller and SD-WAN Manager, software used by organisations to manage and secure their wide area networks. The flaw, CVE-2026-20127, carries the maximum possible severity score of 10. It allows an attacker to bypass the login process entirely and gain high-level administrative access without a username or password. Cisco, the NCSC, and Five Eyes intelligence partners have confirmed that multiple threat actors have been actively exploiting this vulnerability, with observed attacks dating back to as early as 2023. Patches are now available.
Cisco SD-WAN products are used by enterprise organisations, including NHS trusts and their suppliers, to manage network connectivity across multiple sites. An attacker who exploits this flaw could manipulate an organisation's entire network configuration, intercept traffic, or use the access as a launchpad for further attacks. The fact that this has been exploited as a zero-day since 2023 means some organisations may already be compromised without knowing it. The NHS Cyber Alert specifically calls out edge devices like this as high-value targets that are increasingly exploited. For NHS suppliers, this is directly relevant to DSPT obligations around patch management and edge device security.
Recommendations
- Check immediately whether your organisation uses Cisco Catalyst SD-WAN Controller or SD-WAN Manager in any deployment, including cloud-hosted environments.
- Before patching, consider performing a compromise assessment first, or collect device snapshots and logs to preserve evidence. Patching before doing this may destroy forensic artifacts.
- Apply the patch from Cisco's advisory cisco-sa-sdwan-rpa-EHchtZk as soon as possible. Use Cisco's Software Checker tool to identify the correct version for your deployment.
- If you are running a version earlier than release 20.9, note that it is end-of-life and you must migrate to a supported version before patching.
- If you find evidence of compromise, report it immediately to NHS England's National CSOC by calling 0300 303 5222 or emailing cybersecurity@nhs.net.
- Review Cisco's hardening guidance for Catalyst SD-WAN as an additional protective step.
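The second recommendation above asks you to preserve snapshots and logs before patching. The following is an added example (not from this report or from Cisco) of one way to make that evidence defensible: record a SHA-256 manifest of everything collected, keep the manifest outside the evidence tree, and re-verify later. The directory layout, file names and device name are constructed for illustration.

```python
import hashlib
import json
import tempfile
import time
from pathlib import Path

# Added example (not from the report or from Cisco): record a SHA-256 manifest
# of the device snapshots and logs collected before patching, so the evidence
# can later be shown to be unchanged. File names, directory layout and the
# device name are constructed for illustration.


def sha256_file(path, chunk_size=1 << 20):
    """Hex SHA-256 of a file, streamed so large snapshots need not fit in memory."""
    digest = hashlib.sha256()
    with Path(path).open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(evidence_dir, device, collector):
    """List every file under evidence_dir with size, mtime and SHA-256, then hash the list itself."""
    evidence_dir = Path(evidence_dir)
    entries = []
    for path in sorted(p for p in evidence_dir.rglob("*") if p.is_file()):
        st = path.stat()
        entries.append({
            "relative_path": path.relative_to(evidence_dir).as_posix(),
            "size_bytes": st.st_size,
            "modified_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(st.st_mtime)),
            "sha256": sha256_file(path),
        })
    # Hash the canonical entry list so later edits to the manifest itself are detectable.
    canonical = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    return {
        "device": device,
        "collected_by": collector,
        "collected_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "files": entries,
        "manifest_sha256": hashlib.sha256(canonical).hexdigest(),
    }


def verify_manifest(evidence_dir, manifest):
    """Re-hash the files; return the relative paths that are missing or changed."""
    evidence_dir = Path(evidence_dir)
    changed = []
    for entry in manifest["files"]:
        path = evidence_dir / entry["relative_path"]
        if not path.is_file() or sha256_file(path) != entry["sha256"]:
            changed.append(entry["relative_path"])
    return changed


def run_demo():
    """Create constructed evidence files, build and save the manifest, then detect a tamper."""
    work = Path(tempfile.mkdtemp())
    evidence = work / "evidence"
    (evidence / "logs").mkdir(parents=True)
    (evidence / "running-config.txt").write_text("hostname sdwan-manager-constructed\n")
    (evidence / "logs" / "auth.log").write_text("constructed: admin login from 198.51.100.7\n")
    manifest = build_manifest(evidence, device="sdwan-manager-constructed", collector="analyst")
    # Keep the manifest outside the evidence tree so it does not alter what it describes.
    (work / "manifest.json").write_text(json.dumps(manifest, indent=2))
    clean = verify_manifest(evidence, manifest)
    # Simulate a later modification of one collected log.
    (evidence / "logs" / "auth.log").write_text("constructed: line removed\n")
    tampered = verify_manifest(evidence, manifest)
    return {
        "files": [e["relative_path"] for e in manifest["files"]],
        "clean": clean,
        "tampered": tampered,
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Store the manifest (and ideally its `manifest_sha256` value) somewhere the device itself cannot write to, so that a later verification is independent of the system under investigation.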
Actively Exploited Flaw in Enterprise File Transfer Software
A critical vulnerability in a widely used enterprise file transfer product is being actively exploited by attackers in the wild. The flaw lets an attacker upload and run malicious files on the server without needing to log in. File transfer tools like these are commonly used by businesses to send large or sensitive files, including patient data, financial records, and contracts, between organisations. Researchers have observed attackers using this flaw to steal data and, in some cases, to plant backdoors for later access. A patch is available.
Enterprise file transfer products have become a favourite target for cyber criminals because they often sit on the edge of a network, handle valuable data, and are sometimes overlooked in patch management cycles. UK health organisations and their suppliers frequently use these tools to exchange data with NHS systems. A compromise could lead to a data breach affecting patient records, which carries serious regulatory and reputational consequences. Previous campaigns against similar products, such as the MOVEit attacks in 2023, caused widespread disruption across the public and private sectors.
Recommendations
- Identify whether your organisation uses the affected product and apply the patch without delay.
- Check server logs for signs of unexpected file uploads or new user accounts created around the time the vulnerability became public.
- Where possible, place file transfer servers behind a VPN or firewall rule so they are not directly reachable from the internet.
- Review who has administrative access to the file transfer platform and remove any unnecessary accounts.
- Consider whether sensitive data transfers could be moved to a more modern, zero-trust architecture in the medium term.
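As an added example of the log review in the second recommendation (not code from this report or from any file transfer vendor), the script below scans constructed access-log lines for three signals: successful uploads with no authenticated user, uploads of server-side script or executable file types, and account-creation requests. The log format, endpoint paths, IP addresses and the disclosure date are all assumptions for illustration.

```python
import re
from datetime import datetime, timezone

# Added example (not from the report): scan constructed file-transfer server
# access logs for the signals the recommendation describes. Log format,
# endpoints, IP addresses and the disclosure date are assumptions.

# Constructed log lines: timestamp, client IP, authenticated user ("-" if none),
# method, path, HTTP status, object name (uploaded file or created account).
SAMPLE_LOG = """\
2026-02-18T23:59:00Z 203.0.113.5 - POST /upload 200 probe.php
2026-02-20T09:12:01Z 198.51.100.20 alice POST /upload 200 quarterly-report.pdf
2026-02-21T02:13:44Z 203.0.113.7 - POST /upload 200 cmd.aspx
2026-02-21T02:14:02Z 203.0.113.7 - POST /admin/users 201 svc_backup
2026-02-22T11:40:13Z 198.51.100.20 alice GET /download 200 quarterly-report.pdf
2026-02-23T03:05:59Z 203.0.113.9 - POST /upload 200 helper.jsp
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<method>[A-Z]+) "
    r"(?P<path>\S+) (?P<status>\d{3}) (?P<obj>\S+)$"
)

# Server-side script and executable extensions an upload endpoint should rarely see.
SCRIPT_EXTENSIONS = (".aspx", ".asp", ".jsp", ".php", ".exe", ".dll", ".ps1")
UPLOAD_PATHS = ("/upload",)        # assumption: the product's upload endpoint
ACCOUNT_PATHS = ("/admin/users",)  # assumption: the product's account endpoint
DISCLOSURE = datetime(2026, 2, 21, tzinfo=timezone.utc)  # constructed disclosure date


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def classify(entry):
    """Return the reasons a parsed log entry is suspicious (empty list if none)."""
    reasons = []
    success = entry["status"].startswith("2")
    is_upload = entry["method"] == "POST" and entry["path"].startswith(UPLOAD_PATHS)
    if success and is_upload and entry["user"] == "-":
        reasons.append("unauthenticated_upload")
    if success and is_upload and entry["obj"].lower().endswith(SCRIPT_EXTENSIONS):
        reasons.append("script_extension")
    if success and entry["method"] == "POST" and entry["path"].startswith(ACCOUNT_PATHS):
        reasons.append("account_created")
    return reasons


def scan(lines, since, until=None):
    """Return suspicious entries whose timestamp falls within [since, until]."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than abort the whole review
        entry = m.groupdict()
        ts = parse_ts(entry["ts"])
        if ts < since or (until is not None and ts > until):
            continue
        reasons = classify(entry)
        if reasons:
            findings.append({"ts": entry["ts"], "ip": entry["ip"], "path": entry["path"],
                             "obj": entry["obj"], "reasons": reasons})
    return findings


def count_by_ip(findings):
    """Group findings by source IP so repeat offenders stand out."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG, since=DISCLOSURE):
        print(f["ts"], f["ip"], f["path"], f["obj"], ",".join(f["reasons"]))
    print(count_by_ip(scan(SAMPLE_LOG, since=DISCLOSURE)))
```

Note that a window starting at the public disclosure date misses the constructed probe on 18 February. As the Cisco item above shows, exploitation can predate disclosure by a long time, so widen `since` to the start of your log retention rather than only the disclosure date.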
Phishing Kit Bypassing Multi-Factor Authentication on Microsoft 365
A sophisticated phishing kit is being sold on criminal forums that allows attackers to bypass multi-factor authentication (MFA) on Microsoft 365 accounts. The kit works by sitting between the victim and the real Microsoft login page, capturing both the password and the MFA code in real time. Victims receive a convincing email — often themed around shared documents or urgent IT requests — and are directed to a fake login page. Because the kit passes the real login session through to Microsoft, the attacker receives a valid session cookie that lets them into the account without triggering further MFA checks.
Microsoft 365 is the most widely used email and productivity platform in the UK public sector and among NHS suppliers. Many organisations have invested in MFA as a key defence, so it can be unsettling to learn that certain phishing techniques can get around it. This does not mean MFA is useless — it still blocks the vast majority of credential attacks. It does mean that organisations should treat MFA as one layer of defence, not the only one. For digital health companies handling patient data, a compromised email account can quickly lead to a data breach.
Recommendations
- Move towards phishing-resistant MFA methods such as FIDO2 security keys or passkeys where possible, especially for administrative and privileged accounts.
- Enable conditional access policies in Microsoft 365 to restrict logins from unrecognised devices or unusual locations.
- Train staff to recognise phishing emails, especially those that create a sense of urgency about shared documents or account problems.
- Deploy email filtering rules that flag or block messages containing links to newly registered domains.
- Monitor Microsoft 365 sign-in logs for impossible-travel alerts and sessions from unexpected IP addresses.
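The last recommendation mentions impossible-travel alerts. As an added example (not from this report and not Microsoft's own detection logic), the script below implements that check over constructed sign-in records: it orders each user's sign-ins in time, computes the great-circle distance between consecutive ones, and flags any pair whose implied speed exceeds a plausible travel speed. The records, the speed threshold and the latitude/longitude fields (which assume a geo-IP enrichment step not shown) are all assumptions.

```python
import math
from datetime import datetime, timezone

# Added example (not from the report, not Microsoft's detection): flag
# "impossible travel" between consecutive sign-ins by the same user.
# Records are constructed; lat/lon assume geo-IP enrichment done elsewhere.

SIGN_INS = [
    {"user": "j.smith", "time": "2026-02-24T08:02:00Z", "ip": "198.51.100.12", "lat": 51.50, "lon": -0.12},
    {"user": "j.smith", "time": "2026-02-24T08:35:00Z", "ip": "203.0.113.44", "lat": 40.71, "lon": -74.01},
    {"user": "a.jones", "time": "2026-02-24T09:00:00Z", "ip": "198.51.100.12", "lat": 51.50, "lon": -0.12},
    {"user": "a.jones", "time": "2026-02-24T17:30:00Z", "ip": "198.51.100.80", "lat": 53.48, "lon": -2.24},
    # Duplicate token refresh at the same second and place: must not divide by zero or alert.
    {"user": "a.jones", "time": "2026-02-24T17:30:00Z", "ip": "198.51.100.80", "lat": 53.48, "lon": -2.24},
]

MAX_PLAUSIBLE_KMH = 900.0  # assumption: roughly airliner cruising speed
MIN_DISTANCE_KM = 50.0     # ignore geo-IP jitter within one region
EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on a spherical Earth."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlambda = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlambda / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.atan2(math.sqrt(a), math.sqrt(1 - a))


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def impossible_travel(sign_ins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return one alert per consecutive sign-in pair whose implied speed exceeds max_kmh."""
    by_user = {}
    for rec in sign_ins:
        by_user.setdefault(rec["user"], []).append(rec)
    alerts = []
    for user, recs in by_user.items():
        recs = sorted(recs, key=lambda r: parse_ts(r["time"]))
        for prev, cur in zip(recs, recs[1:]):
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if dist < MIN_DISTANCE_KM:
                continue
            elapsed_s = (parse_ts(cur["time"]) - parse_ts(prev["time"])).total_seconds()
            hours = max(elapsed_s, 60.0) / 3600.0  # one-minute floor avoids division by zero
            speed = dist / hours
            if speed > max_kmh:
                alerts.append({
                    "user": user,
                    "from_ip": prev["ip"], "to_ip": cur["ip"],
                    "from_time": prev["time"], "to_time": cur["time"],
                    "distance_km": round(dist, 1), "speed_kmh": round(speed, 1),
                })
    return alerts


if __name__ == "__main__":
    for a in impossible_travel(SIGN_INS):
        print(f"{a['user']}: {a['from_ip']} -> {a['to_ip']} "
              f"{a['distance_km']} km in implied {a['speed_kmh']} km/h")
```

In the constructed data, j.smith signs in from London and then, 33 minutes later, from New York: the session-cookie theft described above looks exactly like this, a valid session used from an address the user could not have reached. Geo-IP data is imprecise, so treat a single alert as a prompt to revoke the session and confirm with the user, not as proof of compromise.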
North Korean-Linked Backdoor Found Targeting Healthcare and Education Organisations
Security researchers at Cisco Talos have uncovered an active cyber espionage campaign that has been running since at least December 2025. The group behind it, tracked as UAT-10027, has possible links to North Korea and shares technical similarities with the well-known Lazarus Group. The campaign uses a previously unseen piece of malware called Dohdoor, which acts as a backdoor into victims' systems. Attackers likely gain initial access through phishing emails, then run a chain of hidden scripts that load malicious code into legitimate Windows processes to avoid detection. The campaign has so far been observed targeting healthcare facilities — including an elderly care provider — and educational institutions in the United States.
North Korea-linked groups have a well-documented history of targeting healthcare organisations for financial gain, and their tactics do not respect borders. UK health organisations and NHS suppliers use the same kinds of technology as the organisations already targeted, and the same phishing techniques work just as well against UK staff. The Dohdoor backdoor is designed to evade detection by security tools, making it harder to spot once it is inside a network. If an attacker gains persistent access through a backdoor like this, they can steal sensitive data, conduct reconnaissance, or deploy ransomware at their discretion. The NHS has previously been a high-profile victim of North Korean cyber activity, most notably during the WannaCry attack in 2017.
Recommendations
- Ensure endpoint detection and response (EDR) tools are deployed and up to date across all devices, including clinical workstations and laptops used for remote access.
- Remind staff about the risk of phishing emails, particularly those involving shared documents or urgent IT messages. This campaign uses social engineering to get a first foothold.
- Review your DNS security controls. This malware uses DNS-over-HTTPS to disguise its communications — consider whether your organisation monitors or restricts this traffic.
- Check whether PowerShell execution is restricted on workstations that do not require it. This campaign makes heavy use of PowerShell in its initial stages.
- Stay alert to guidance from the NCSC regarding North Korean threat actor activity, and report any suspected incidents to report@ncsc.gov.uk.
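The DNS recommendation above asks whether your organisation can see DNS-over-HTTPS (DoH) traffic at all. As an added example (not from this report or from Cisco Talos), the script below picks DoH requests out of constructed web proxy records using three indicators: the standard `/dns-query` path, the `application/dns-message` and `application/dns-json` media types, and the `dns=` wire-format query parameter; anything not going to a sanctioned resolver is reported. The log records, hostnames and the sanctioned-resolver list are assumptions.

```python
# Added example (not from the report or from Cisco Talos): identify
# DNS-over-HTTPS requests in web proxy logs and report those that do not go
# to a resolver the organisation sanctions. Records, hostnames and the
# sanctioned list are constructed assumptions.

PROXY_LOG = [
    {"ts": "2026-02-24T10:00:01Z", "client": "10.20.30.40", "method": "POST",
     "host": "resolver.example.net", "path": "/dns-query", "query": "",
     "content_type": "application/dns-message", "accept": "application/dns-message"},
    {"ts": "2026-02-24T10:00:02Z", "client": "10.20.30.40", "method": "GET",
     "host": "www.example.com", "path": "/index.html", "query": "",
     "content_type": "", "accept": "text/html"},
    {"ts": "2026-02-24T10:00:05Z", "client": "10.20.30.41", "method": "GET",
     "host": "doh.corp.example", "path": "/dns-query", "query": "dns=AAABAAABAAAAAAAA",
     "content_type": "", "accept": "application/dns-message"},
    {"ts": "2026-02-24T10:00:09Z", "client": "10.20.30.42", "method": "GET",
     "host": "resolver.example.org", "path": "/resolve", "query": "name=example.com&type=A",
     "content_type": "", "accept": "application/dns-json"},
    # DoH media type on an innocuous-looking path and host: the "disguised" case.
    {"ts": "2026-02-24T10:01:09Z", "client": "10.20.30.40", "method": "POST",
     "host": "cdn.example-files.net", "path": "/api/v2/sync", "query": "",
     "content_type": "application/dns-message", "accept": "application/dns-message"},
]

SANCTIONED_RESOLVERS = {"doh.corp.example"}  # assumption: the organisation's own DoH resolver
DOH_MEDIA_TYPES = {"application/dns-message", "application/dns-json"}


def doh_indicators(rec):
    """Return the DoH indicators present in one proxy record (empty list if none)."""
    reasons = []
    if rec["path"].endswith("/dns-query"):
        reasons.append("dns-query path")
    if rec["content_type"] in DOH_MEDIA_TYPES or rec["accept"] in DOH_MEDIA_TYPES:
        reasons.append("dns media type")
    if any(p.startswith("dns=") for p in rec["query"].split("&") if p):
        reasons.append("dns= wire-format parameter")
    return reasons


def find_unsanctioned_doh(records, sanctioned=SANCTIONED_RESOLVERS):
    """Report DoH-looking requests to any host outside the sanctioned set."""
    findings = []
    for rec in records:
        reasons = doh_indicators(rec)
        if reasons and rec["host"] not in sanctioned:
            findings.append({"ts": rec["ts"], "client": rec["client"],
                             "host": rec["host"], "reasons": reasons})
    return findings


def clients_by_count(findings):
    """Count findings per internal client to prioritise which endpoint to look at first."""
    counts = {}
    for f in findings:
        counts[f["client"]] = counts.get(f["client"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_unsanctioned_doh(PROXY_LOG)
    for h in hits:
        print(h["ts"], h["client"], "->", h["host"], "|", "; ".join(h["reasons"]))
    print(clients_by_count(hits))
```

The path, media type and query fields are only visible to a proxy that terminates TLS; without inspection, the proxy log shows just the hostname, so the sanctioned-resolver comparison is the part that still works and blocking unsanctioned hostnames is the corresponding control.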
Want help staying ahead of threats like these? Contact Periculo about our Threat Intelligence services.