Episode #6

Edge Warfare, MDM Hijacks, and the Warlock Blitz

This week on Dragon News Bites, Will Baxter, Eli Woodward, and Will Thomas break down a week of high-velocity threats against the "foundational" layers of enterprise connectivity. From the long-term compromise of Singapore's ISP infrastructure to the hijacking of Mobile Device Management (MDM) platforms, the team looks at how state actors and financially motivated groups are bypassing the endpoint altogether and living directly on the network edge.

Topics & References

Part 1: The Telco Breach & The Attribution Maze

  • Singapore ISP Compromise: Four of Singapore's main ISPs suffered a long-term breach by a suspected China-nexus APT.
  • UNC3886 vs. Salt Typhoon: Will Thomas breaks down the tactical differences between the two groups. Salt Typhoon moves strategically upstream through Cisco network devices, while UNC3886 uses zero-days and rootkits against FortiGate, Juniper, and VMware appliances.
  • The Global Trend: This follows last week's reporting on Norway being targeted, signaling a coordinated global focus on the telecommunications sector.

Part 2: MDM Hijacking — More Dangerous than a SIEM Breach?

  • European Commission Compromised: Attackers used a zero-day in Ivanti Endpoint Manager Mobile (EPMM, formerly MobileIron) to breach the European Commission.
  • The Power of the MDM: The team discusses why an MDM compromise is a "nightmare scenario": whoever controls the MDM can track devices' physical locations, push malicious apps and configuration profiles, and read end-to-end encrypted chats such as Signal on the device itself, where the transport encryption no longer protects them.
  • The Geopolitical Connection: A clear trend is emerging of edge device exploitation targeting entities not geopolitically aligned with China.

Part 3: The Rise of Warlock & Edge Blitzing

  • Who is Warlock? A suspected Chinese-speaking ransomware group (tracked as Storm-2603) that deviates from the typical Russian-speaking model.
  • Targeting SmarterMail: Warlock is weaponizing vulnerabilities in SmarterTools' SmarterMail (an Exchange alternative). Ironically, the vendor itself was breached through its own unpatched SmarterMail instance.
  • The MFA Shift: Eli Woodward notes that as MFA makes phishing harder, attackers have pivoted aggressively to exploiting edge devices and internet-facing applications (Log4j, Gladinet CenterStack, etc.) as their primary route to initial access.

Part 4: Payroll Pirates & SaaS Fraud

  • Social Engineering the Help Desk: Threat actors are chaining help desk social engineering (talking support staff into resetting MFA) with VDI session hijacking to change direct deposit details in HR SaaS platforms and divert employees' pay.
  • Red Flag Alert: Organizations should treat as a red flag, and investigate immediately, any direct deposit change made within two hours of an MFA reset on the same account.
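The two-hour rule above is easy to turn into a correlation check. The Python below is an added example, not material from the show or its hosts: it walks a merged stream of identity-provider events (MFA resets) and HR SaaS events (direct deposit changes), both constructed here with an assumed common schema, and raises one alert per payroll change that follows an MFA reset on the same account inside a configurable window. Field names (`ts`, `user`, `action`, `actor`) are assumptions about how the logs have been normalized.

```python
from datetime import datetime, timedelta

# Constructed sample audit events (not real telemetry). In practice the first
# kind comes from the identity provider and the second from the HR SaaS
# platform; both are assumed to be normalized to this schema with UTC times.
SAMPLE_EVENTS = [
    {"ts": "2025-01-14T09:02:11Z", "user": "j.doe", "action": "mfa_reset",
     "actor": "helpdesk.agent1"},
    {"ts": "2025-01-14T10:15:40Z", "user": "j.doe", "action": "direct_deposit_change"},
    # a.smith's reset is more than a day before the change: normal behaviour
    {"ts": "2025-01-13T08:00:00Z", "user": "a.smith", "action": "mfa_reset",
     "actor": "helpdesk.agent2"},
    {"ts": "2025-01-14T16:30:00Z", "user": "a.smith", "action": "direct_deposit_change"},
    # k.lee changed payroll details with no preceding reset at all
    {"ts": "2025-01-14T11:00:00Z", "user": "k.lee", "action": "direct_deposit_change"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_changes(events, window=timedelta(hours=2)):
    """Return one alert per direct-deposit change that follows an MFA reset
    for the same user within `window`.

    Events may arrive out of order (two log sources, separate pipelines), so
    they are sorted by timestamp first. Only resets *before* the change count;
    a reset after the change is a different, unrelated signal.
    """
    alerts = []
    last_reset = {}  # user -> (reset timestamp, actor who performed it)
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        ts = parse_ts(ev["ts"])
        user = ev["user"]
        if ev["action"] == "mfa_reset":
            last_reset[user] = (ts, ev.get("actor", "unknown"))
        elif ev["action"] == "direct_deposit_change":
            reset = last_reset.get(user)
            if reset is None:
                continue
            reset_ts, reset_actor = reset
            delta = ts - reset_ts
            if delta <= window:
                alerts.append({
                    "user": user,
                    "mfa_reset_at": reset_ts.isoformat(),
                    "reset_by": reset_actor,
                    "deposit_changed_at": ts.isoformat(),
                    "minutes_after_reset": int(delta.total_seconds() // 60),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_changes(SAMPLE_EVENTS):
        print("ALERT: {user} changed direct deposit {minutes_after_reset} min "
              "after an MFA reset by {reset_by}".format(**alert))
```

With the sample data only j.doe is flagged (73 minutes between reset and change); a.smith's change falls well outside the window and k.lee had no reset. Widening `window` is the knob to tune if the help desk reset and the payroll edit tend to be spread over a longer session, at the cost of more false positives.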

Disclaimer: The views expressed in this podcast are those of the hosts and do not necessarily reflect the official policy or position of our employers.