A ransomware group held a working exploit for Cisco’s firewall management software for 36 days before the vendor knew to issue a patch, long enough to own enterprise networks while defenders were still reading their morning briefings. A Russian intelligence group stole full mailbox contents, session tokens, and backup 2FA codes from a Ukrainian critical infrastructure agency without dropping a single file, sending a single suspicious link, or triggering a single endpoint alert. And a benefits administrator that most of its 2.7 million victims have never heard of spent three weeks silently draining Social Security numbers and health plan data through a vulnerable API, discovered the intrusion on January 23, and waited until March 19 to tell anyone.
The common thread is not novel tooling. It is adversaries operating inside trusted systems (a firewall management plane, a legitimate webmail session, a backend API) that defenders treat as normal infrastructure rather than attack surface.
This week: why a CVSS 10.0 Cisco zero-day sat open for a month before you could patch it, how APT28 is running entirely browser-resident espionage operations against government targets, and what “third-party benefits administrator you’ve never heard of” actually means for your employees’ most sensitive data.
Update: Stryker
Last week’s Sentinel covered the Handala wiper attack in detail. A few material developments since then:
Independent forensic estimates put the confirmed wiped device count at roughly 80,000: significant, but well short of Handala’s claimed 200,000+, and consistent with the group’s documented pattern of inflating breach claims for psychological effect. Class action lawsuits have begun accumulating in federal court, with multiple firms filing on behalf of employees whose personal devices were factory-reset through Stryker’s BYOD enrollment. Handala has issued explicit warnings of follow-on attacks against other companies with business ties to Israel. If your organization has Stryker vendor relationships or supply chain dependencies, the secondary phishing risk (attackers impersonating Stryker IT teams during the device re-enrollment window) is active and credible right now.
Interlock Ransomware Held a Cisco FMC Zero-Day for 36 Days Before You Could Patch It
What happened:
Amazon Threat Intelligence disclosed this week that the Interlock ransomware group had been actively exploiting CVE-2026-20131, a CVSS 10.0 pre-authentication remote code execution vulnerability in Cisco Secure Firewall Management Center (FMC), since January 26, 2026. That is 36 days before Cisco publicly disclosed the vulnerability and released a patch on March 4. Amazon’s researchers discovered the exploitation retroactively through MadPot, their global honeypot sensor network, after Cisco’s March advisory prompted a historical look through sensor data. They also got lucky: an Interlock infrastructure server was misconfigured, inadvertently exposing the group’s full post-exploitation toolkit for analysis. CISA added CVE-2026-20131 to its Known Exploited Vulnerabilities catalog on March 19 with a federal patch deadline of March 22. The number of organizations compromised during the 36-day zero-day window is unknown.
Technical details that matter:
- Vulnerability mechanics: CVE-2026-20131 is an insecure deserialization flaw (CWE-502) in the web-based management interface of Cisco FMC. Sending a crafted serialized Java object to the management interface allows an unauthenticated remote attacker to execute arbitrary Java code as root. No prior authentication. No user interaction. The attack is a single HTTP request to a specific endpoint. Cisco confirmed no effective workaround exists; patching is the only mitigation.
- Exploitation confirmation mechanism: The attack chain sends a crafted HTTP request containing Java code execution attempts and two embedded URLs. One delivers exploit configuration data; the other confirms successful exploitation by causing the vulnerable target to perform an HTTP PUT request uploading a generated file. Amazon researchers simulated a compromised device by completing the expected PUT response, which caused Interlock to proceed to the next stage and deliver the malicious ELF binary, giving researchers visibility into the full attack chain.
- Post-exploitation toolkit (exposed via misconfigured Interlock server):
- Reconnaissance: A PowerShell script enumerating installed software, running services, browser data, and active network connections, organizing per-host output into ZIP archives on a centralized share for bulk exfiltration
- Persistence and C2: A JavaScript-based RAT using WebSocket communications with RC4 encryption (unique key per transmission); a Java-based RAT as a secondary channel
- Defense evasion: A memory-resident web shell and a lightweight network beacon; a Bash script converting Linux servers into HTTP reverse proxies to obscure C2 infrastructure
- Legitimate tool abuse: ConnectWise ScreenConnect deployed for persistent remote access; the Volatility Framework, a legitimate memory forensics tool, present in the toolkit, likely for in-memory credential extraction
- Why FMC specifically: Cisco FMC sits at the center of firewall policy management for enterprise networks. An attacker with root access to FMC can read and modify all firewall rules, extract full network topology, pivot to adjacent management infrastructure, and use the platform as a staging point for ransomware deployment across every managed firewall in scope. Owning the management plane is categorically worse than owning an endpoint.
- Threat actor context: Amazon attributes Interlock to a possible Rhysida lineage (the group behind the 2023 British Library attack). Temporal analysis places operator activity in the UTC+3 time zone with working hours roughly 08:30-18:00 local. Prior Interlock victims include DaVita, Kettering Health, Texas Tech University, and the City of Saint Paul, sectors where operational disruption creates maximum payment pressure.
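The root cause above is CWE-502: the management interface reconstructs objects from whatever serialized stream a client sends, so the stream itself decides which classes get loaded. The example below is added here and is not Cisco’s code or Java; it shows the same defensive principle in Python, whose pickle module will likewise resolve any global a stream names unless the unpickler is restricted to an allowlist. The allowlist contents and the sample payloads are constructed for illustration.

```python
"""Allowlist-based deserialization (Python analogue of the CWE-502 mitigation).

Added example, not Cisco's code. The vulnerable pattern is any loader that
resolves classes named by untrusted input; the fix is to refuse everything
outside an explicit allowlist rather than to guess whether a class is safe.
"""
import collections
import io
import pickle

# Only these (module, name) pairs may be resolved while unpickling.
# Nothing from os, subprocess, builtins.eval, etc. can ever be reached.
ALLOWED_GLOBALS = {
    ("builtins", "dict"),
    ("builtins", "list"),
    ("builtins", "set"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to import any global outside ALLOWED_GLOBALS."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refused to resolve global {module}.{name} during deserialization"
        )


def safe_loads(data: bytes):
    """Deserialize untrusted bytes with the allowlist enforced."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def unsafe_loads(data: bytes):
    """The vulnerable pattern: pickle.loads resolves whatever the stream names."""
    return pickle.loads(data)


def demo():
    # Constructed inputs: a plain data payload, and one that references a class
    # outside the allowlist. OrderedDict is harmless, but the filter does not
    # reason about intent; it rejects by policy, which is the whole point.
    plain = pickle.dumps({"policy": "allow", "ports": [443, 8443]})
    foreign = pickle.dumps(collections.OrderedDict(a=1))

    results = {
        "plain_ok": safe_loads(plain) == {"policy": "allow", "ports": [443, 8443]}
    }
    try:
        safe_loads(foreign)
        results["foreign_rejected"] = False
    except pickle.UnpicklingError:
        results["foreign_rejected"] = True
    # The unrestricted loader accepts the foreign class without complaint.
    results["unsafe_accepts_foreign"] = isinstance(unsafe_loads(foreign), dict)
    return results


if __name__ == "__main__":
    print(demo())
```

The practical takeaway for any management plane that accepts serialized objects over HTTP: the safe shape is an allowlist enforced at class-resolution time (Java has the equivalent in ObjectInputFilter), and the safest shape is not accepting native serialization from unauthenticated clients at all.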
Why critical institutions should care:
If you run Cisco FMC, you have two separate problems. Patch immediately, but patching alone is not enough. Interlock held this zero-day for 36 days. If your FMC management interface was accessible from the internet during that window (a configuration Cisco explicitly warns against but organizations routinely deploy), assume compromise and hunt before you patch. Amazon published a full list of indicators: IP addresses, malicious domains, and JA3 client fingerprint hashes searchable in your FMC and adjacent logs. Healthcare, manufacturing, and government are Interlock’s historically preferred sectors, and the group’s ransom notes explicitly cite HIPAA and other regulatory frameworks as pressure levers. An organization that discovers its firewall management plane was owned for a month before patching faces a fundamentally different incident response scope than a standard endpoint compromise: every firewall policy change made during that window is now potentially attacker-authored.
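One way to turn that hunt into a repeatable triage step, as an added example that is not Amazon’s or Cisco’s code: walk the FMC audit trail, flag any event from a listed indicator, and pull out every policy change made inside the January 26 to March 4 exposure window, ranking a change higher when an indicator hit preceded it. The audit record format, the source addresses and the indicator values below are constructed placeholders; substitute the real indicators from Amazon’s published list.

```python
"""Triage of firewall-management audit events against the zero-day window.

Added example, not vendor code. Record format and indicators are constructed.
"""
from datetime import datetime, timezone

# Exposure window from the page: first observed exploitation Jan 26, 2026,
# Cisco patch released Mar 4, 2026.
WINDOW_START = datetime(2026, 1, 26, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 3, 4, 23, 59, 59, tzinfo=timezone.utc)

# PLACEHOLDER indicators (documentation IP range, dummy JA3); replace with the
# published list before use.
IOC_SOURCE_IPS = {"203.0.113.10"}
IOC_JA3 = {"PLACEHOLDER_JA3_HASH"}

# Events that rewrite what the managed firewalls enforce.
POLICY_EVENTS = {"POLICY_DEPLOY", "ACCESS_RULE_MODIFY", "NAT_RULE_MODIFY"}

# Constructed audit lines: timestamp, source ip, actor, event, ja3 of the client.
SAMPLE_EVENTS = [
    "2026-01-20T09:12:00Z 10.0.5.21 admin POLICY_DEPLOY ja3=-",
    "2026-02-03T02:41:10Z 203.0.113.10 - HTTP_REQUEST ja3=PLACEHOLDER_JA3_HASH",
    "2026-02-03T02:45:33Z 10.0.5.21 admin ACCESS_RULE_MODIFY ja3=-",
    "2026-02-10T14:00:00Z 10.0.5.30 netops POLICY_DEPLOY ja3=-",
    "2026-03-06T08:00:00Z 10.0.5.21 admin ACCESS_RULE_MODIFY ja3=-",
]


def parse_event(line):
    stamp, src, actor, event, ja3_field = line.split()
    return {
        "ts": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "src": src,
        "actor": actor,
        "event": event,
        "ja3": ja3_field.split("=", 1)[1],
        "line": line,
    }


def triage(lines, correlate_hours=24):
    """Return (indicator hits, policy changes in the window with a priority)."""
    events = [parse_event(line) for line in lines]
    ioc_hits = [e for e in events if e["src"] in IOC_SOURCE_IPS or e["ja3"] in IOC_JA3]
    report = []
    for e in events:
        if e["event"] not in POLICY_EVENTS or not (WINDOW_START <= e["ts"] <= WINDOW_END):
            continue
        # A policy change shortly after an indicator hit is the first thing to read.
        near_hit = any(
            0 <= (e["ts"] - h["ts"]).total_seconds() <= correlate_hours * 3600
            for h in ioc_hits
        )
        report.append({
            "line": e["line"],
            "actor": e["actor"],
            "priority": "high" if near_hit else "review",
        })
    return ioc_hits, report


if __name__ == "__main__":
    hits, changes = triage(SAMPLE_EVENTS)
    print(f"{len(hits)} indicator hit(s)")
    for c in changes:
        print(c["priority"], c["line"])
```

Every entry that comes back, high or not, is a rule change that has to be re-validated against change tickets; an attacker with root on FMC writes those changes under the same admin identity the log shows, so the actor field alone proves nothing.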
Key sources:
- https://aws.amazon.com/blogs/security/amazon-threat-intelligence-teams-identify-interlock-ransomware-campaign-targeting-enterprise-firewalls/
- https://thehackernews.com/2026/03/interlock-ransomware-exploits-cisco-fmc.html
- https://www.csoonline.com/article/4147770/ransomware-group-exploited-cisco-firewall-vulnerability-as-a-zero-day-weeks-before-a-patch-appeared.html
- https://securityaffairs.com/189636/malware/interlock-group-exploiting-the-cisco-fmc-flaw-cve-2026-20131-36-days-before-disclosure.html
Operation GhostMail: APT28 Steals Full Mailboxes and Backup 2FA Codes Without Dropping a Single File
What happened:
Seqrite Labs published research this week on Operation GhostMail, a targeted campaign attributed with medium confidence to APT28 (Fancy Bear / Forest Blizzard) against Ukraine’s State Hydrology Agency, a critical national infrastructure body responsible for maritime and hydrographic support for shipping under Ukraine’s Ministry of Infrastructure. The attack was delivered via a single phishing email sent January 22, 2026, posing as a routine internship inquiry from a fourth-year student at the National Academy of Internal Affairs, written in Ukrainian, including an apologetic note in case it reached the wrong inbox. The student email address appears to have been a compromised account used to add legitimacy. When the recipient opened the email in Zimbra’s Classic UI, a JavaScript payload hidden in the email body executed silently in the browser. No attachments. No links. No macros. Zero detections on VirusTotal when the sample was uploaded on February 26. CISA added the underlying vulnerability, CVE-2025-66376, to its Known Exploited Vulnerabilities catalog this week with an April 1 federal patch deadline.
Technical details that matter:
- Vulnerability: CVE-2025-66376 is a stored XSS flaw in Zimbra Collaboration Suite’s Classic UI, patched in ZCS versions 10.0.18 and 10.1.13 in November 2025. The flaw stems from insufficient sanitization of CSS @import directives within HTML email content. The bypass exploits the difference between how regex-based content inspection parses the @import tag structure and how a browser’s HTML parser renders it: the construct appears malformed to signature-based detection and executes cleanly in a browser engine.
- Payload delivery: The JavaScript payload was embedded in the email body inside a <div style="display:none"> block, base64-encoded. Seqrite noted the attacker composed the email manually via Chrome 132’s Zimbra webmail interface rather than an automated tool, indicating deliberate hands-on targeting rather than a spray campaign.
- Execution: nine parallel operations launched simultaneously within the authenticated session:
- Email content extraction via Zimbra SOAP API calls, pulling 90 days of mailbox history within the session
- Server configuration harvesting
- CSRF token extraction
- Mobile device profile enumeration
- OAuth application access inventory
- Backup 2FA code theft, the detail with the longest operational tail
- Browser-autofilled credential harvesting
- Persistence mechanism: The script silently enabled IMAP access on the victim’s account and created an app-specific password named “ZimbraWeb.” This persists through a full password reset. The victim changes their password; the attacker retains active IMAP access until an administrator specifically audits and revokes app-specific passwords. Most organizations have no routine process for this.
- Exfiltration: dual-channel, over DNS tunneling and HTTPS, to the C2 domain zimbrasoft[.]com[.]ua, registered January 20, two days before the phishing email was delivered.
- Attribution: Seqrite notes technical overlaps with SpyPress.ZIMBRA, a toolset previously linked to APT28. Medium-confidence attribution is the honest call; the target (Ukrainian maritime critical infrastructure), the technique (Zimbra XSS against Eastern European government entities), and the infrastructure timing are all consistent with APT28’s documented playbook. Russian APTs have a clear history of Zimbra targeting: Winter Vivern used reflected XSS against NATO-aligned targets in 2023; this campaign uses stored XSS with a substantially more capable post-exploitation stage, including structured SOAP API abuse and dual-channel exfiltration.
Why critical institutions should care:
GhostMail is a clean demonstration of what “fileless” actually means when it reaches your email environment. Your gateway appliance that scans attachments: irrelevant. Your sandbox that detonates suspicious links: irrelevant. Your EDR watching for process execution or file writes: irrelevant. The entire attack executes inside the victim’s authenticated browser session, through the trusted Zimbra application context, with no indicator visible to any of the detection layers organizations typically rely on. The backup 2FA code theft is the piece that deserves the most operational attention: it means the attacker retains account access after a forced password reset, after MFA reconfiguration, and after the victim believes the incident is closed. Remediation requires explicit audit of app-specific passwords and IMAP access grants across affected accounts, a step most IR playbooks for credential compromise do not include. If your organization runs any Zimbra version earlier than 10.0.18 or 10.1.13 and has government contracts, defense industrial base relationships, or operations in Eastern European markets, this TTP is being aimed in your direction.
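The persistence point above (an app-specific password that outlives a password reset) and the remediation point (audit app-specific passwords and IMAP grants explicitly) are the same finding seen from two sides. As an added example, not Zimbra’s tooling or Seqrite’s code, the script below runs that audit over an account export. The export structure and field names are constructed stand-ins for whatever your mail platform’s admin interface actually returns; the suspicious name and the incident start date come from the page.

```python
"""Post-compromise audit of app-specific passwords and IMAP grants.

Added example with a constructed export format. The rule set encodes the
page's point: a password reset does not revoke app-specific passwords, so
each one is judged on its own creation date, name, and whether it predates
a reset that was supposed to evict the attacker.
"""
from datetime import date

INCIDENT_START = date(2026, 1, 22)   # phishing email delivery date (from the page)
SUSPICIOUS_NAMES = {"zimbraweb"}      # app-password name used in Operation GhostMail

# Constructed account export (not real accounts, not Zimbra's schema).
ACCOUNTS = [
    {"user": "alice@agency.example", "imap_enabled": True,
     "password_reset": date(2026, 2, 27),
     "app_passwords": [{"name": "ZimbraWeb", "created": date(2026, 1, 22)}]},
    {"user": "bob@agency.example", "imap_enabled": False,
     "password_reset": None, "app_passwords": []},
    {"user": "carol@agency.example", "imap_enabled": True,
     "password_reset": None,
     "app_passwords": [{"name": "Thunderbird laptop", "created": date(2024, 5, 3)}]},
]


def audit(accounts, since=INCIDENT_START):
    """Return one finding per app-specific password that needs revocation review."""
    findings = []
    for acct in accounts:
        for ap in acct["app_passwords"]:
            reasons = []
            if ap["created"] >= since:
                reasons.append("created on or after incident start")
            if ap["name"].strip().lower() in SUSPICIOUS_NAMES:
                reasons.append("name matches GhostMail artifact")
            # The case most playbooks miss: the user already reset their
            # password, and this credential is still valid.
            if acct["password_reset"] and ap["created"] < acct["password_reset"]:
                reasons.append("predates password reset and is still active")
            if reasons:
                findings.append({
                    "user": acct["user"],
                    "app_password": ap["name"],
                    "imap_enabled": acct["imap_enabled"],
                    "reasons": reasons,
                    "action": "revoke; disable IMAP unless a business need is documented",
                })
    return findings


if __name__ == "__main__":
    for f in audit(ACCOUNTS):
        print(f["user"], f["app_password"], f["reasons"], f["action"])
```

Run it against every mailbox that received the phishing message, not only the one that opened it, and keep the output as evidence for the incident record; the IMAP flag matters because revoking the password without disabling the protocol leaves the channel ready for the next credential.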
Key sources:
- https://www.seqrite.com/blog/operation-ghostmail-zimbra-xss-russian-apt-ukraine/
- https://www.securityweek.com/russian-apt-exploits-zimbra-vulnerability-against-ukraine/
- https://thehackernews.com/2026/03/cisa-warns-of-zimbra-sharepoint-flaw.html
- https://securityaffairs.com/189673/security/russian-apt-targets-ukraine-via-zimbra-xss-flaw-cve-2025-66376.html
Navia Benefit Solutions: 2.7 Million Americans Learn They Had a Benefits Administrator
What happened:
On March 19, Navia Benefit Solutions, a Renton, Washington company that administers FSA, HSA, HRA, and COBRA benefits for over 10,000 employers across the United States, notified 2.69 million individuals that their data was stolen during a three-week window between December 22, 2025 and January 15, 2026. Navia discovered the breach on January 23. Notification letters did not go out until this week, nearly two months later. The investigation determined that an unauthorized actor exploited a vulnerability in an API used by the organization, gaining read-only access to participant records. Because the attacker did not modify systems or move funds, the intrusion was quiet enough that detection took weeks. Washington state government employees, retirees, and staff at 37 school districts are among those affected. The vast majority of the 2.7 million affected individuals have never heard of Navia: their employers contracted with it as a backend processor, invisibly, without telling anyone.
Technical details that matter:
- Attack vector: API exploitation with a read-only access pattern across 24 days. No lateral movement. No privilege escalation. No ransomware. The attacker identified an API endpoint returning participant records without adequate authorization controls and called it repeatedly over the dwell period, exfiltrating structured data silently. Read-only API abuse against a legitimate endpoint generates log traffic that is indistinguishable from normal usage without behavioral baselines for record retrieval volume.
- Why detection failed: Without anomaly detection on bulk record retrieval (how many participant records a normal API call returns, how many calls per hour are expected), there is no threshold to cross and no alert to fire. The attack did not require credential brute-force, privilege escalation, or network traversal. It required finding an endpoint that returned more data than it should have and calling it repeatedly for three weeks.
- Data compromised: Full names, dates of birth, Social Security numbers, phone numbers, email addresses, and detailed health plan information including HRA, FSA, and COBRA participation status, termination dates, and election dates. Records dating back to 2018 were in scope. No financial account data or claims data was accessed.
- Why this dataset is high-value: The combination of SSN, DOB, full name, and health plan information in a single structured export is unusually rich for downstream fraud. This is not a credential breach where the primary risk is account takeover; it is identity fraud substrate sufficient to open credit accounts, file fraudulent tax returns, and conduct targeted medical identity theft. Critically, the health plan termination and election dates enable highly credible social engineering: an attacker who can tell a victim their specific COBRA election date sounds like a legitimate benefits representative.
- Third-party aggregator blast radius: A single successful attack against Navia is functionally equivalent to simultaneous attacks against all 10,000 of their employer clients, none of whom had any visibility into Navia’s API security posture. Downstream notification obligations now fall on each of those employers under their respective state breach notification laws.
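The two baselines the list above says were missing (records per call and calls per hour) are cheap to build from access logs. The example below is added here and is not Navia’s code: it builds a per-source hourly baseline from constructed traffic and alerts on a source that exceeds it by a z-score margin, with absolute floors so that a quiet, low-variance baseline does not fire on harmless variation. Log format, client addresses and volumes are all constructed.

```python
"""Per-source hourly baseline for a read-only records API.

Added example, not Navia's code. Implements the two baselines the page says
were absent: calls per hour and records returned per hour, per source.
"""
from collections import defaultdict
from statistics import mean, pstdev

NORMAL_SOURCES = ["10.10.1.%d" % i for i in range(1, 6)]   # constructed front-end hosts


def generate_hour(day, hour, sources=NORMAL_SOURCES):
    """Deterministic constructed traffic: 2-4 calls per source, 1-2 records each."""
    lines = []
    for i, src in enumerate(sources):
        n_calls = 2 + (hour + i) % 3
        for k in range(n_calls):
            stamp = "2026-01-%02dT%02d:%02d:00Z" % (day, hour, k)
            lines.append("%s %s /v1/participants %d" % (stamp, src, 1 + k % 2))
    return lines


def parse(line):
    stamp, src, endpoint, n = line.split()
    return stamp[:13], src, endpoint, int(n)    # hour bucket, e.g. "2026-01-02T14"


def hourly_stats(lines):
    """Calls and records returned, keyed by (source, hour bucket)."""
    calls, records = defaultdict(int), defaultdict(int)
    for line in lines:
        hour, src, _, n = parse(line)
        calls[(src, hour)] += 1
        records[(src, hour)] += n
    return calls, records


def build_baseline(lines):
    calls, records = hourly_stats(lines)
    return {
        "calls": (mean(list(calls.values())), pstdev(list(calls.values()))),
        "records": (mean(list(records.values())), pstdev(list(records.values()))),
    }


def detect(lines, baseline, z=3.0, floor_calls=20, floor_records=100):
    """Alert on any (source, hour) above mean + z*stdev, never below the floors."""
    calls, records = hourly_stats(lines)
    call_limit = max(baseline["calls"][0] + z * baseline["calls"][1], floor_calls)
    rec_limit = max(baseline["records"][0] + z * baseline["records"][1], floor_records)
    alerts = []
    for (src, hour), n_calls in calls.items():
        reasons = []
        if n_calls > call_limit:
            reasons.append("calls/hour %d > %.1f" % (n_calls, call_limit))
        if records[(src, hour)] > rec_limit:
            reasons.append("records/hour %d > %.1f" % (records[(src, hour)], rec_limit))
        if reasons:
            alerts.append({"src": src, "hour": hour, "reasons": reasons})
    return alerts


def demo():
    # Three business days of constructed normal traffic as the baseline.
    baseline_log = [l for d in (1, 2, 3) for h in range(9, 18) for l in generate_hour(d, h)]
    # Constructed incident hour: normal traffic plus one source (documentation
    # address) pulling 150 pages of 50 records from the same endpoint at 03:00.
    incident_log = generate_hour(5, 3)
    incident_log += [
        "2026-01-05T03:%02d:%02dZ 198.51.100.7 /v1/participants 50" % (m // 3, (m % 3) * 20)
        for m in range(150)
    ]
    return detect(incident_log, build_baseline(baseline_log))


if __name__ == "__main__":
    for a in demo():
        print(a)
```

Two design points worth carrying into a real deployment: key on the calling identity as well as the source address, since a legitimate integration behind a NAT can hide an abuser, and set the floors from the largest legitimate batch job you actually run, otherwise the first payroll sync becomes the alert everyone learns to ignore.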
Why critical institutions should care:
Benefits administration is a category of third-party risk that most vendor risk management programs underweight significantly. These companies aggregate enormous datasets of employee PII and health information and rarely receive the same security scrutiny as vendors with direct access to production systems. The questions to ask your HR and benefits teams immediately: who administers our FSA, HSA, and COBRA benefits? Have we reviewed their security posture? Do we have any visibility into their API access controls? The fact that Navia retained records dating back to 2018, years before some of its current employer relationships began, is also a data retention problem worth examining in your own vendor contracts. You cannot audit your way to zero risk in a third-party relationship you did not know was holding eight years of your employees’ Social Security numbers.
Key sources:
- https://www.govinfosecurity.com/worker-benefits-administrator-notifying-27m-hack-a-31085
- https://therecord.media/health-plan-info-stolen-navia-benefits
- https://www.hca.wa.gov/about-hca/news/announcements/navia-notifies-hca-security-breach-affecting-pebb-and-sebb-members
- https://gbhackers.com/navia-confirms-data-breach/
The Pattern This Week
Three incidents. Three completely different attack surfaces. The same structural problem underneath all of them.
Interlock did not compromise individual firewalls. They compromised the platform that manages the firewalls, using a zero-day that predated the patch by five weeks. APT28 did not drop malware on a Ukrainian workstation. They ran the entire operation inside the browser session already authenticated to the mail server, leaving nothing for a forensic examiner to find on the endpoint. The threat actor who hit Navia did not breach any of the 10,000 employer clients. They hit the aggregator sitting behind all of them, through an API endpoint that looked like normal traffic.
The management plane is the target. Your firewall management console, your webmail platform, your backend benefits API, your cloud identity provider. These are not background IT plumbing. They are the highest-leverage attack surfaces in your environment, the layer where a single compromised credential or a single exploited endpoint unlocks everything below it, and most of them were designed for operational convenience long before anyone modeled them as adversarial targets.
Your detection stack is built to watch endpoints. The attacks this week did not happen on endpoints.
See you next week.
The Satine Sentinel is a weekly threat intelligence roundup. Technical details are sourced from vendor analysis, incident reporting, and public disclosures. Attribution assessments reflect researcher confidence levels at time of publication.