Threat Advisories

Top Middle East Cyber Threats – 22 April 2026  

By Help AG

Help AG’s Managed Security Services (MSS) team delivers 24x7x365 monitoring across complex enterprise environments, providing continuous visibility into emerging cybersecurity threats across the region.


Evolving Cyber Threat Landscape Across Multi-Phase Operations 

A SOC Radar (Security Operations Center Radar) assessment covering 28 February to 31 March 2026 identified 1,357 verified incidents across 25+ locations, 15+ sectors, and 40+ threat actor groups. Activity progressed through multiple operational phases: 

Phases 1–2
Initial kinetic activity was accompanied by cyber operations, including website disruptions, defacements, and the emergence of hacktivist groups.  Operations then expanded geographically, including a state-linked incident that wiped over 200,000 devices via a compromised cloud-based device management platform, demonstrating the potential scale of civilian impact. 

Phase 3
Operations shifted to persistence and reconnaissance, with pre-positioned malware identified across sectors. Geo-doxxing targeting critical infrastructure increased, alongside multiple high-profile account compromises. 

Phase 4 (Ongoing)
The campaign is entering a sustained phase, with continued risk of covert entrenchment and potential transition to disruptive or destructive operations. Pre-positioned access remains a key risk regardless of ceasefire conditions.  

Recommendations 

  • Validate DDoS (Distributed Denial of Service) protection for public portals and APIs (Application Programming Interfaces)  
  • Audit Intune / MDM (Mobile Device Management); enforce MFA (Multi-Factor Authentication) and review logs  
  • Hunt for Dindoor and Fakeset indicators  
  • Monitor GitHub / Google Drive traffic from non-developer endpoints (C2 – Command and Control)  
  • Remove unauthorised RMM (Remote Monitoring and Management) tools (Atera, ScreenConnect)  
  • Review OAuth (Open Authorization) permissions in Microsoft 365 and Google Workspace  
  • Audit internet-facing OT / ICS (Industrial Control Systems) assets (PLCs – Programmable Logic Controllers, HMIs – Human Machine Interfaces, SCADA – Supervisory Control and Data Acquisition)  
  • Secure IP (Internet Protocol) cameras and CCTV; update credentials and patch 
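One way to operationalise the "monitor GitHub / Google Drive traffic from non-developer endpoints" item above, added here as an example and not Help AG's or SOC Radar's code: it runs over a constructed proxy log sample, keeps only watched domains reached by hosts outside an assumed developer allowlist, and scores request timing so a fixed-interval beacon stands out for triage. The domain list, host names and log fields are assumptions.

```python
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime

# Cloud services the advisory names as C2 carriers. Assumption: this domain list is
# illustrative; in practice feed it from the proxy's URL categories.
WATCHED_DOMAINS = {"github.com", "api.github.com", "raw.githubusercontent.com",
                   "drive.google.com", "docs.google.com"}
DEVELOPER_HOSTS = {"DEV-LAPTOP-01"}  # assumption: sourced from a CMDB / AD group

# Constructed proxy log sample (not real data): ts,src_host,dest_domain,bytes_out
SAMPLE_PROXY_LOG = """ts,src_host,dest_domain,bytes_out
2026-04-20T09:00:00,DEV-LAPTOP-01,github.com,1200
2026-04-20T09:00:05,DEV-LAPTOP-01,api.github.com,800
2026-04-20T09:00:00,HR-PC-17,drive.google.com,4096
2026-04-20T09:05:00,HR-PC-17,drive.google.com,4100
2026-04-20T09:10:00,HR-PC-17,drive.google.com,4090
2026-04-20T09:15:00,HR-PC-17,drive.google.com,4120
2026-04-20T09:02:13,FIN-PC-03,raw.githubusercontent.com,512
2026-04-20T09:03:00,FIN-PC-03,example.com,300
"""


def hunt_nondev_cloud_c2(log_text, developer_hosts=DEVELOPER_HOSTS):
    """Return {host: {domain: finding}} for non-developer hosts that reached a
    watched domain. With 3+ requests, finding["interval_jitter"] is the request
    interval's stdev/mean: values near 0 suggest a fixed beacon period."""
    events = defaultdict(list)  # (host, domain) -> [(timestamp, bytes_out)]
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["dest_domain"] in WATCHED_DOMAINS and row["src_host"] not in developer_hosts:
            events[(row["src_host"], row["dest_domain"])].append(
                (datetime.fromisoformat(row["ts"]), int(row["bytes_out"])))
    findings = {}
    for (host, domain), hits in events.items():
        hits.sort()
        jitter = None
        if len(hits) >= 3:
            gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
            mean_gap = statistics.mean(gaps)
            # Identical timestamps give a zero mean gap; report no jitter rather than divide.
            jitter = round(statistics.pstdev(gaps) / mean_gap, 3) if mean_gap else None
        findings.setdefault(host, {})[domain] = {
            "hits": len(hits), "bytes_out": sum(b for _, b in hits), "interval_jitter": jitter}
    return findings
```

A non-developer host with a low jitter value and steady small uploads is worth a closer look; a developer host on the allowlist is never flagged, so keep that list current.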


Critical FortiSandbox Vulnerability Enables Unauthenticated Remote Code Execution 

CVE-2026-39808 (Common Vulnerabilities and Exposures ID) is a critical OS (Operating System) command injection vulnerability in Fortinet FortiSandbox versions 4.4.0 to 4.4.8. It allows unauthenticated RCE (Remote Code Execution) via unsanitised input in a public endpoint. 

The vulnerability was patched in April 2026 under advisory FG-IR-26-100; a public PoC (Proof of Concept) enables exploitation with minimal effort. 

Exploitation is likely in the near term, with potential impact including full system compromise, data exfiltration, malware deployment, and lateral movement. 

Recommendations 

  • Upgrade beyond 4.4.8 immediately  
  • Prioritise internet-facing instances  
  • Restrict management access  
  • Update firewall / WAF (Web Application Firewall) rules  
  • Review logs and monitor outbound activity  
  • Isolate unpatched systems  
  • Increase SOC (Security Operations Center) / IR (Incident Response) monitoring 


Microsoft Defender Zero-Days Enable Privilege Escalation and Defence Evasion 

Three zero-days, BlueHammer (CVE-2026-33825), RedSun, and UnDefend, enable LPE (Local Privilege Escalation) and disruption of Defender updates. BlueHammer is patched, while the others remain unpatched. 

Active exploitation includes reconnaissance commands such as whoami /priv, cmdkey /list, and net group, indicating post-compromise activity. Combined, these vulnerabilities enable persistent and undetected access. 

Recommendations 

  • Apply BlueHammer patch  
  • Detect reconnaissance commands  
  • Monitor update failures  
  • Restrict admin privileges  
  • Apply compensating controls (logging, PAWs – Privileged Access Workstations, segmentation) 
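A detection for the reconnaissance commands this section names (whoami /priv, cmdkey /list, net group), added here as an example and not Microsoft's or Help AG's code: it correlates process-creation events per host and user and alerts only when several distinct recon commands appear within a short window, which separates the post-compromise pattern from a lone admin check. The JSON field names and sample events are constructed.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Reconnaissance commands named in the advisory, matched on the process command line.
# Assumption: events are Windows process-creation telemetry (Sysmon EID 1 / Security 4688)
# exported as JSON lines; the field names used here are constructed for this example.
RECON_PATTERNS = {
    "whoami_priv": re.compile(r"\bwhoami(\.exe)?\b.*\s/priv\b", re.I),
    "cmdkey_list": re.compile(r"\bcmdkey(\.exe)?\b.*\s/list\b", re.I),
    "net_group": re.compile(r"\bnet1?(\.exe)?\s+group\b", re.I),
}

# Constructed sample events (not real telemetry); WS-042 shows a recon burst, WS-007 does not.
SAMPLE_EVENTS = r"""
{"ts":"2026-04-21T10:00:00","host":"WS-042","user":"CORP\\jdoe","cmd":"whoami /priv"}
{"ts":"2026-04-21T10:01:30","host":"WS-042","user":"CORP\\jdoe","cmd":"cmdkey /list"}
{"ts":"2026-04-21T10:02:10","host":"WS-042","user":"CORP\\jdoe","cmd":"net group \"Domain Admins\" /domain"}
{"ts":"2026-04-21T11:30:00","host":"WS-007","user":"CORP\\admin1","cmd":"whoami /priv"}
{"ts":"2026-04-21T11:31:00","host":"WS-007","user":"CORP\\admin1","cmd":"ipconfig /all"}
{"ts":"2026-04-21T15:00:00","host":"WS-007","user":"CORP\\admin1","cmd":"net group /domain"}
"""


def detect_recon_bursts(jsonl_text, window=timedelta(minutes=10), min_distinct=2):
    """Alert on each (host, user) that runs at least `min_distinct` different
    recon commands inside `window`; a lone `whoami` is normal admin noise,
    several in quick succession is the post-compromise pattern described above."""
    hits = defaultdict(list)  # (host, user) -> [(timestamp, technique, command)]
    for line in filter(None, jsonl_text.splitlines()):
        ev = json.loads(line)
        for label, pattern in RECON_PATTERNS.items():
            if pattern.search(ev["cmd"]):
                hits[(ev["host"], ev["user"])].append(
                    (datetime.fromisoformat(ev["ts"]), label, ev["cmd"]))
    alerts = []
    for (host, user), seq in hits.items():
        seq.sort()
        for i, (start, _, _) in enumerate(seq):
            in_window = [h for h in seq[i:] if h[0] - start <= window]
            techniques = {h[1] for h in in_window}
            if len(techniques) >= min_distinct:
                alerts.append({"host": host, "user": user, "first_seen": start.isoformat(),
                               "techniques": sorted(techniques),
                               "commands": [h[2] for h in in_window]})
                break  # one alert per host/user is enough for triage
    return alerts
```

Tune `window` and `min_distinct` to the environment; widening the window catches slower operators at the cost of more admin false positives, as the second sample host shows.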


Large-Scale Cyber Campaign Targeting Critical Sectors 

A coordinated campaign scanned over 12,000 internet-facing systems, followed by targeted intrusions across Asia and Africa. Observed techniques included vulnerability exploitation, Outlook Web Access (OWA) brute-force attacks, and multi-protocol Command and Control (C2). 

Confirmed incidents involved the exfiltration of sensitive aviation records. The structured attack lifecycle indicates an intelligence-driven operation targeting the aviation, energy, and government sectors. 

Recommendations 

  • Patch CVEs (Common Vulnerabilities and Exposures) and audit exposure  
  • Enforce MFA (Multi-Factor Authentication) across remote access  
  • Block brute-force attempts  
  • Restrict external access  
  • Monitor logs and outbound traffic  
  • Implement segmentation  
  • Update critical systems  
  • Conduct threat hunting 


Signed PUP Campaign Highlights Supply Chain Risk 

A signed PUP (Potentially Unwanted Program) is leveraging a legitimate software update mechanism to deploy SYSTEM-level (Windows SYSTEM account) privileged payloads, disable security controls, and maintain persistence. 

A misconfiguration exposed update infrastructure, creating the potential for takeover and remote code execution. More than 23,000 endpoints across 124 countries attempted to retrieve updates, indicating significant global exposure. 

Recommendations 

  • Hunt for suspicious WMI (Windows Management Instrumentation) activity  
  • Monitor persistence mechanisms  
  • Flag suspicious signed processes  
  • Inspect hosts file changes  
  • Review Defender exclusions  
  • Strengthen supply chain controls  
  • Monitor unauthorised changes 
