Attackers Exploited the Cisco SD-WAN Zero-Day Two Months Before Disclosure, and Why That Matters to Your Board (ft. Lynda Grindstaff)
A communications provider breached through rogue SD-WAN peering, an infostealer assembly line taken down by court order, and Turla's newest backdoor in Ukraine.
INTRODUCTION
The adversaries who mattered this week were not waiting for defenders to read the advisory. They were operating in the gap before the advisory existed.
Unknown attackers compromised Cisco SD-WAN infrastructure at a communications provider and reached root-level control through a zero-day later disclosed by Cisco. Microsoft and Europol disrupted more than 200 StealC and Amadey command-and-control domains and IPs through a court order, but the roughly 27 million credentials those tools already harvested remain in circulation. Turla deployed a previously undocumented .NET backdoor called STOCKSTAY against Ukrainian government and military targets. Unit 42 exposed malicious AI agent skills on ClawHub that evaded scanners and turned agent authority into an execution path.
None of these incidents hinged on a defender failing to patch quickly enough.
The broken assumption is that the defensive clock starts when the vulnerability, takedown, or tool disclosure becomes public. This week’s signals show the opposite. Attackers are already inside the control plane, already holding stolen credentials, already running parallel implants, or already abusing autonomous execution paths before the security team has a clean event to respond to.
This week we are joined by Lynda Grindstaff, a public company board director who advises organizations on cybersecurity governance, emerging technology, and enterprise risk. Lynda brings more than thirty years of operating and boardroom experience, including senior technical leadership at McAfee and Intel, and was named 2024 Cybersecurity Woman Leader of the Year. Her throughline across this issue is consistent: each of these signals quietly changes a question the board should be asking management, and the job of the security team is to translate technical exposure into business risk the board can act on without getting lost in the weeds. Full bio at the end.
Get The Monday Brief in your inbox every Monday. Subscribe for free, and share it with someone who’d find it useful.
Thanks for supporting us.
WEEKLY SIGNALS ANALYSIS
Pre-disclosure exploitation invalidates patch-centric defense timelines. The Cisco SD-WAN campaign shows attackers were operating against the control plane before defenders had a public advisory to organize around. Audit SD-WAN management infrastructure for signs of unauthorized control-plane peering and rogue administrative accounts that predate the known vulnerability window.
Commodity infostealer infrastructure is now mature enough to require judicial intervention. Microsoft and Europol needed a court order under RICO, not just a technical takedown, to disrupt StealC and Amadey’s 200-plus C2 servers. Inventory your exposure to credentials already harvested by these tools before the infrastructure respins.
Russia’s espionage apparatus is not recycling old tools. It is building new ones in parallel. Turla’s STOCKSTAY backdoor is net-new capability deployed alongside existing implants, which means detection built only around known Turla malware families now has a blind spot. Update threat-hunting hypotheses to account for .NET-based persistence and WebSocket C2 in environments with any Eastern European exposure.
AI agent marketplaces now function as runtime supply chain attack surfaces. Unit 42 found malicious skills on ClawHub that passed automated scanning and abused agent authority for fraud. If your organization consumes AI agent skills or plugins from any marketplace, treat them with the same rigor as third-party code dependencies, and remember they run in-process with the agent’s permissions.
What not to over-index on: patch-window speed as the primary risk metric. Two of this week’s four signals involved attackers operating well before any patch existed. Dwell-time detection and anomaly-based hunting matter more than time-to-patch when the vulnerability timeline itself is unreliable.
THIS WEEK’S SIGNALS
Signal 1: Cisco SD-WAN Attackers Reached Root Before Defenders Had a Patch to Chase
Why it matters: Mandiant revealed that an attacker targeted Cisco SD-WAN infrastructure at a service provider, gaining initial access through unauthorized control-plane peering and later exploiting CVE-2026-20245 to escalate from a compromised administrative account to root, roughly two months before Cisco’s early-June disclosure and patching. The important point is not just that a zero-day existed. It is that the attacker’s timeline began before defenders had a patch, advisory, or clean vulnerability-management trigger to organize around.
What is being misread: The industry conversation has focused on whether the attacker gained visibility into internal traffic. The deeper architectural problem is how they got in. SD-WAN peering is the certificate-authenticated handshake that SD-WAN components use to trust each other, and the attacker abused that trust relationship, likely using stolen certificate material or earlier authentication-bypass flaws, to reach the management plane. Most organizations design their SD-WAN security around authenticated management sessions and assume the fabric itself is controlled. This campaign attacks that assumption at the layer where most security teams have little or no monitoring at all.
Guest Perspective (Lynda Grindstaff): As a board member, this Cisco SD-WAN campaign concerns me a great deal, because it got me thinking, “What, or who, else is lurking in the environment undetected?” and, as a board, “How do we minimize risk against pre-disclosure attacks?” This campaign also illustrates that traditional monitoring and reporting methods need to change. Security teams should add more anomaly-detection capabilities and show their boards how they are proactively monitoring for abnormal activity, without relying on or waiting for formal disclosures. You do not need to get into the weeds with the board on every finding. Instead, use business language to describe how you are minimizing risk across your critical systems through independent and behavior-based monitoring. If you do not have these capabilities yet, use this case to highlight the risks and exposures your company faces and to gain additional funding.
Think Red (Douglas McKee): I do not phish anyone. I establish a rogue peering connection into your SD-WAN fabric, the same trust handshake your controllers and edge routers use to authenticate each other, riding either an earlier authentication-bypass flaw or a certificate I lifted from a prior compromise. This is the kind of trust-relationship abuse I teach in SANS 660, and it is very obtainable. From there I authenticate over SSH as vmanage-admin, upload a crafted file to trigger the zero-day, escalate to root, and quietly add my own account. Your SOC is watching endpoint telemetry and firewall logs. Nobody is watching the SD-WAN control plane for peers that should not exist. I owned that management plane for weeks before anyone had a patch to chase, and when I left I deleted my files, reverted my changes, and reset the admin password behind me. The only reason you know at all is that someone else found the flaw independently.
Act Blue (Ismael Valenzuela): The lesson is that the SD-WAN management plane is a Tier-1 target, and it is one of the few places that does not run EDR. Start where Mandiant pointed: hunt for unauthorized SD-WAN control-plane peering connections. Review SSH authentication logs for the vmanage-admin account, look for a rogue local account such as troot and for unexpected modifications to /etc/passwd and /etc/shadow, and audit the configurations pushed downstream to edge devices during the exposure window. This actor ran an extensive anti-forensic cleanup, deleting files, reverting configuration changes, and restoring the admin password before logging off, so treat clean logs as inconclusive rather than as proof you were untouched. Collect diagnostic data with request admin-tech before you patch, upgrade SD-WAN Manager to a fixed release, and if you find any indicator of compromise, engage Cisco TAC rather than assuming the patch alone evicts the attacker. The broader principle holds for any control plane reachable through the data plane. If you are not instrumenting it, you are trusting it.
Supporting sources:
Google Cloud / Mandiant: Zero-day exploitation of CVE-2026-20245 in Cisco Catalyst SD-WAN Manager, with rogue peering, SSH access via vmanage-admin, and the troot account
BleepingComputer: Mandiant reveals how Cisco SD-WAN zero-day attacks gained root access
Dark Reading: Attackers hit Cisco SD-WAN flaw two months before disclosure
Signal 2: Microsoft and Europol Use a Court Order to Dismantle StealC and Amadey Infostealer Infrastructure
Why it matters: Microsoft’s Digital Crimes Unit, working with Europol under Operation Endgame, used a court-authorized action under the RICO statute to disrupt more than 200 command-and-control domains and IPs tied to StealC and Amadey. By treating the two tools as one criminal enterprise, the operation recovered roughly 27 million stolen credentials from more than 385,000 compromised systems. These tools are not niche. They form the backbone of infostealer-as-a-service operations that feed ransomware initial access brokers, account takeover campaigns, and financial fraud at scale.
What is being misread: Many teams will treat this as a win and move on. The broken mental model is that infrastructure takedowns create lasting disruption. History, and BitSight’s own assessment of this operation, says infostealer operators rebuild C2 within weeks, often under new build tags. The real value of this action is the intelligence Microsoft published alongside it, which details how Amadey works as a loader-plus-stealer chain feeding StealC. Organizations should use this window to hunt for artifacts of past compromise, not assume future infections are prevented.
Guest Perspective (Lynda Grindstaff): From a board-level risk perspective, infostealer exposure should be treated as an ongoing identity and access risk, not a one-time breach event. Since many executives and board members do not come from technical backgrounds, security teams should help them understand that infostealers are about “your credentials are already out there being used,” not “your system is vulnerable and needs to be patched.” When the situation is framed that way to board directors, they start to understand that this is much bigger than the systems in their environment. Does your organization have continuous visibility into credentials and session tokens that have already been compromised, as Doug will happily remind you he has yours from last month, and what process is in place to invalidate compromised credentials quickly to prevent reuse? If you do not have the proper infrastructure for continuous monitoring and rapid invalidation, add this to your business justification list to request additional resources, so you are not the next organization in the news to experience an attack.
Think Red (Douglas McKee): I am already in with the credentials I harvested last month, and your takedown of my C2 servers does not recall them. I sold browser session tokens, saved passwords, and cryptocurrency wallet keys before the court order landed. My infrastructure can move faster than your credential reset program. The real problem is not the servers Microsoft disrupted. It is the access those servers already helped produce.
Act Blue (Ismael Valenzuela): The takedown creates a narrow window of opportunity, not a lasting fix. Use Microsoft’s published IOCs and behavioral signatures to sweep your environment for StealC and Amadey artifacts this week, focusing on browser credential stores, autofill databases, and cryptocurrency wallet files that show signs of exfiltration. Check for anomalous outbound connections to the published C2 indicators in your DNS and proxy logs going back 90 days. The larger defensive gap is that infostealers operate below the threshold of most EDR alerting because they mimic legitimate browser behavior. Deploy canary credentials in browser password managers on high-value workstations. When those canaries appear in authentication logs, you have confirmed active credential theft regardless of which stealer variant is in play. Then treat the credentials you cannot rule out as already exposed: rotate them, revoke active sessions and tokens, and review MFA enrollment for the affected identities. Takedowns buy time. Detection architecture and rapid invalidation buy resilience.
Supporting sources:
CyberScoop: In a first, a court takedown goes after two cybercrime tools at once
Microsoft Security Blog: Technical breakdown of the StealC and Amadey loader-stealer chain and infrastructure
BleepingComputer: Amadey, StealC malware operations disrupted in Operation Endgame action
Signal 3: Turla Deploys New STOCKSTAY Backdoor Against Ukrainian Government and Military
Why it matters: Google’s threat intelligence team documented STOCKSTAY, a previously undocumented .NET backdoor that Russia’s Turla group has been developing since at least December 2022 and deployed against government and military organizations in Ukraine, as well as entities connected to Italian foreign policy. Turla is not replacing its existing tools. It is adding new ones alongside them, which means defenders who built detection around known Turla malware families now have a blind spot.
What is being misread: The conventional framing treats Turla tool updates as iterative improvements to a known threat. The real shift is that Turla is running parallel toolkits against the same targets. STOCKSTAY operates alongside older implants like Kazuar and Capibar, and it even shares code and a string-obfuscation routine (K1MORPHER) with Kazuar, which means a detection hit on one tool does not guarantee you have found the full extent of the intrusion. The architectural flaw is that some threat-hunting models assume a single implant family per actor per engagement. Turla appears to plan around exactly that assumption.
Guest Perspective (Lynda Grindstaff): Board directors should understand that advanced threat actors, such as Turla, no longer operate with a single implant per intrusion, and as a result, security teams should update their incident response plans to avoid ending the search once the first implant is found. This will take additional time to close the incident and put additional pressure on the team. Measure success by looking at the full attack path rather than just one malware detection. Executives and boards should be updated on the impact and risks of these types of attacks, especially if your company has exposure to Eastern Europe or Ukraine.
Think Red (Douglas McKee): Your team found my older implant and declared the incident contained. Good. Meanwhile, STOCKSTAY has been running as a .NET assembly in a directory your responders never checked because they were focused on the known Turla indicators. I design my operations so that losing one tool costs me nothing and is actually just a distraction. The backup was already in place before you started hunting. Your incident response playbook closes the case after finding one implant. Mine planned for exactly that.
Act Blue (Ismael Valenzuela): Finding one implant proves presence, not scope. For any organization with exposure to Ukrainian, Eastern European, or EU foreign-policy networks, run a dedicated hunt for STOCKSTAY’s actual tradecraft rather than for a single signature. It is a multi-component .NET backdoor, so look for registry autorun entries that masquerade as legitimate update services, including one Google flagged posing as MicrosoftUpdateOneDrive, for .NET AppDomainManager injection, and for unsigned .NET or Windows Forms assemblies in non-standard directories. Hunt the network behavior too, because STOCKSTAY talks to its C2 over a secure WebSocket connection using the open-source websocket-sharp library, so surface outbound wss sessions that do not map to known-good applications. The shared code and K1MORPHER obfuscation cut both ways: a hit on your existing Kazuar indicators does not mean you have found everything. When an actor runs parallel toolkits against the same target, your detection has to be independent of any single malware family. Hunt the behavior, not the binary.
Supporting sources:
Google Cloud / GTIG: The latest addition to Turla’s intelligence-gathering apparatus, with STOCKSTAY architecture, registry persistence, and WebSocket C2
The Hacker News: Google details Turla’s new STOCKSTAY backdoor used in Ukraine espionage attacks
SecurityWeek: Russian APT deploys STOCKSTAY backdoor against Ukrainian targets
Signal 4: Malicious AI Agent Skills on ClawHub Bypass Scanners to Drive Autonomous Fraud
Why it matters: Unit 42 analyzed OpenClaw’s ClawHub skill marketplace and identified five malicious skills that evaded the marketplace’s VirusTotal and ClawScan screening between February and May 2026. Two delivered macOS infostealers, one used file padding to exceed scanner size thresholds, and two were novel agentic-fraud techniques (a runtime affiliate injection and a meme-token front-running scheme) that abused the agent’s own authority for financial gain with little or no human oversight. This is one of the clearest documented cases yet of an AI agent marketplace being weaponized as a supply chain attack surface, where the “dependency” is not just code a human reviews but an executable behavior an agent consumes and runs in-process with inherited permissions. It is also not the first wave, with earlier disclosures cataloging hundreds of malicious skills.
What is being misread: The instinct is to treat this as another software supply chain story and apply the same controls used for npm or PyPI packages. That mental model breaks because AI agent skills are not static code libraries. They are executable behaviors that an agent invokes at runtime with inherited permissions, and some of these skills passed automated review precisely because the malicious logic was designed for the agent’s execution context, not for static analysis. The review gap exists because no human sees the skill operate before the agent runs it in production.
Guest Perspective (Lynda Grindstaff): I am sure this will not be the last time we hear about AI agents gone wild. It is so critical for security professionals to understand what AI agents are in their environment, where they came from, what they have access to, and to monitor their behavior just as they would a human employee or contractor. From a board perspective, board directors should ask questions and review AI policies to ensure that no additional risk has been introduced by adding new agentic AI capabilities in the name of efficiency. This does not mean the board needs to see every IAM line, but they do need to understand the policy for when and how new AI agents are added to the environment, just as they would for new employee or contractor onboarding. On the flip side, AI policies should also cover how AI agents are removed, how access controls are adjusted, and how the organization reacts to anomalous behavior.
Think Red (Douglas McKee): I pick targets that depend on AI agent marketplaces, because marketplace trust guarantees execution. I do not need to compromise your build pipeline or trick a developer. I publish a skill that looks useful, passes the automated scanner, and waits. When your agent pulls it, my code runs with whatever permissions your agent has. If your agent can move money, I move money. If it can read customer data, I read customer data. The agent does my work for me, and your logs show the agent acting normally because it is. It is just following instructions I wrote.
Act Blue (Ismael Valenzuela): AI agent skill marketplaces are a new category of supply chain risk, and most organizations have no governance framework for them yet. Start by inventorying every AI agent in your environment and cataloging which external skills or plugins each one consumes. Restrict agents from installing new skills without explicit human approval, validate publisher provenance, and require a source-level review of the skill before it ever runs. Enforce least privilege on every agent’s runtime permissions, and where the agent does not need broad access to credentials, secrets, or production data, run it in an isolated or sandboxed environment so a malicious skill cannot escalate beyond its immediate function. Automated scanners failed here by design, so compensating controls must operate at the behavioral layer. Monitor agent actions for anomalies like unexpected network connections, financial transactions, or data access that deviate from the skill’s stated purpose, and log every skill invocation with full context. The principle is straightforward. Any capability your agent can exercise is a capability an attacker can exercise through a malicious skill. Govern agents like you govern privileged users, not like you govern software libraries.
Supporting sources:
Unit 42: OpenClaw’s skill marketplace and the emerging AI supply chain threat
Dark Reading: Malicious OpenClaw skills on ClawHub threaten the AI supply chain
MEME OF THE WEEK
Celebrating the implant you found. Ignoring the one watching you celebrate.
ROLE-BASED TAKEAWAYS
Executive / CISO / Board Level
Pre-disclosure risk is now quantifiable. The Cisco SD-WAN incident shows that zero-day exploitation can give attackers months of undetected access. Ask your security team what percentage of your critical network infrastructure undergoes anomaly-based monitoring independent of vulnerability advisories. If the answer is low, that is a board-level investment gap.
Infostealer takedowns do not recall stolen credentials. The StealC and Amadey disruption is a temporary reprieve, and roughly 27 million credentials were already recovered from infected systems. Direct your team to assess credential exposure from known infostealer campaigns. The risk to your organization is not future infections. It is the credentials already in circulation from past ones.
AI agent governance is a policy gap, not a technology gap. The ClawHub findings mean any organization deploying AI agents with marketplace skills has a new category of third-party risk that existing vendor management frameworks do not cover. Add AI agent skill sourcing to your third-party risk review process, and set the policy for how agents are onboarded, monitored, and removed, before your next quarterly assessment.
Enterprise Architect
Design Principle Impact: SD-WAN management planes must be treated as zero-trust boundaries. The rogue-peering attack on Cisco SD-WAN exploited the assumption that the SD-WAN fabric is inherently trusted. Architect management-plane access so that it is segmented from data-plane reachability, with explicit, monitored authentication required for any peering relationship.
New Constraint: AI agent runtime permissions require the same least-privilege modeling as human IAM. The ClawHub supply chain attack succeeded because skills ran in-process with the agent’s inherited permissions. Architect agent permission models with granular, scoped access and isolation that limits blast radius if a consumed skill is malicious.
Security Operations
Implementation Watch Item: Monitor SD-WAN control-plane peering connections and SSH authentication to the vmanage-admin account for any unauthorized session. The Cisco SD-WAN zero-day was reached through rogue fabric peering rather than a direct external exploit, a vector most SIEM playbooks do not cover.
Common Failure Mode: Closing an incident after finding one implant when a state-sponsored actor has deployed parallel toolkits. Turla’s STOCKSTAY operated alongside known implants, and responders who stopped after the first detection missed the second.
Monitoring Patterns: Hunt for unsigned .NET assemblies in non-standard directories and registry autorun entries masquerading as update services, the persistence STOCKSTAY uses. Cross-reference with outbound secure WebSocket (wss) sessions that do not map to known-good applications.
Signal vs Noise Guidance: A single unauthorized SD-WAN peering connection from an unknown peer is a genuine threat indicator this week, not routing noise. Similarly, treat any AI agent executing network connections or financial operations not explicitly defined in its skill manifest as high-confidence anomalous behavior.
Take the Adversary by Surprise: Plant a honeytoken credential in the password managers and autofill stores on your high-value workstations, and alert the instant it is used. A stealer cannot tell a planted credential from a real one, so the first authentication attempt against that honeytoken is high-confidence proof of active theft no matter which variant grabbed it. Then build an infostealer exposure review into your standard credential response process. When StealC or Amadey indicators appear in DNS, proxy, or endpoint telemetry, do not stop at blocking the malware. Pull browser credential-store access events, review saved-password usage, revoke active sessions, rotate affected credentials, and check whether the same identities authenticated from new devices or geographies after the suspected theft window.
About this week’s guest
Lynda Grindstaff is a public board director who advises companies on cybersecurity governance, emerging technology, and enterprise risk. She currently serves on the board of directors of a publicly traded financial holding company, where she helps strengthen board oversight, sharpen cybersecurity questioning, and elevate risk management frameworks. She brings more than 30 years of operating and boardroom experience, including senior technical leadership roles as Vice President of Engineering at McAfee, where she led malware operations, and at Intel, where she helped bring products from concept to market. Named 2024 Cybersecurity Woman Leader of the Year, she is also an IANS Faculty member, an advisor to Women Leaders for the World, a former Strategic Operating Partner at Kayne Anderson Capital, and an experienced executive coach who has mentored more than 700 technical leaders and delivered more than 50 industry presentations on cybersecurity and leadership. Lynda holds four patents.
Find Lynda at lyndagrindstaff.com · LinkedIn
See you next Monday!
The Monday Brief is produced by Douglas McKee and Ismael Valenzuela. The opinions expressed are our own and do not reflect those of our employers.


