Front Page

Critical Infrastructure

RESURGE Malware Haunts Ivanti Devices as Edge Forensics Blind Spots Widen

CISA issued updated indicators of compromise this week for RESURGE, a persistent malware strain targeting Ivanti Connect Secure appliances that has confounded forensic responders by lying dormant well outside the reach of standard endpoint detection tools. Edge network devices — VPN gateways, routers, and remote access appliances — rarely generate the telemetry that investigators rely on, leaving significant gaps in timeline reconstruction.

CISA's guidance urges teams to move beyond host-based triage and adopt appliance-specific acquisition methods alongside network-side flow analysis. For examiners, the RESURGE case is a stark reminder that perimeter devices now represent one of the least-understood and most actively targeted blind spots in modern forensic investigations.

Data Breach Investigation

1.15 Million SSNs Exposed: Ransomware Hits University of Hawai'i Cancer Center

A ransomware incident at the University of Hawai'i Cancer Center exposed Social Security numbers for up to 1.15 million individuals, including patients and staff whose data resided in clinical and administrative systems. The scale of identity exposure demands a dual-track forensic response — maintaining clinical continuity while simultaneously managing evidence preservation across access logs, backup systems, and encrypted data stores.

Healthcare DFIR teams are increasingly confronting this challenge: the same systems that must stay operational for patient care are also the primary evidence sources. Examiners working this case type are urged to prioritize immutable log extraction and chain-of-custody documentation early, before operational recovery efforts overwrite critical artifacts.
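One way to put the "immutable log extraction and chain-of-custody documentation" advice into practice is to hash every extracted log into a manifest at acquisition time and re-verify it later. The block below is an added example written for this digest, not tooling from the article or the university; the log files, examiner name and source host are constructed and hypothetical, and the files are created in a temporary directory so the code runs offline.

```python
"""Build and verify a SHA-256 manifest for extracted logs before recovery work begins.

Added example (not part of the article). The log contents, examiner name and
source host are constructed, hypothetical values; the files live in a temporary
directory so the block runs offline.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large log archives do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir: Path, examiner: str, source: str) -> dict:
    """Record every file's relative path, size and SHA-256, plus who acquired it, from where and when."""
    entries = []
    for path in sorted(p for p in evidence_dir.rglob("*") if p.is_file()):
        entries.append({
            "path": str(path.relative_to(evidence_dir)),
            "size": path.stat().st_size,
            "sha256": sha256_file(path),
        })
    return {
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "source": source,
        "files": entries,
    }


def verify_manifest(evidence_dir: Path, manifest: dict) -> list:
    """Return the paths whose current hash no longer matches the manifest; an empty list means intact."""
    mismatches = []
    for entry in manifest["files"]:
        path = evidence_dir / entry["path"]
        if not path.is_file() or sha256_file(path) != entry["sha256"]:
            mismatches.append(entry["path"])
    return mismatches


def demo() -> tuple:
    """Create constructed log files, hash them, then show that a later overwrite is detected."""
    with tempfile.TemporaryDirectory() as tmp:
        evidence = Path(tmp) / "evidence"
        evidence.mkdir()
        # Constructed sample log lines, not real data.
        (evidence / "auth.log").write_text(
            "2026-03-01T02:14:07Z sshd[812]: Accepted publickey for svc-backup from 10.20.3.8\n"
        )
        (evidence / "ehr-access.csv").write_text(
            "ts,user,record_id\n2026-03-01T02:15:41Z,svc-backup,4471\n"
        )
        manifest = build_manifest(
            evidence,
            examiner="J. Doe (hypothetical)",
            source="ehr-app-01:/var/log (hypothetical)",
        )
        # The manifest is written outside the evidence tree so it is not listed in itself.
        (Path(tmp) / "manifest.json").write_text(json.dumps(manifest, indent=2))
        before = verify_manifest(evidence, manifest)
        # Simulate operational recovery rotating a log after acquisition.
        (evidence / "auth.log").write_text("")
        after = verify_manifest(evidence, manifest)
        return len(manifest["files"]), before, after


if __name__ == "__main__":
    print(demo())
```

The manifest should be signed or stored on write-once media in a real case; the point here is that the hashes are taken before recovery teams touch the systems, so any later rotation or overwrite shows up as a mismatch rather than silently eroding the timeline.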

Threat Bulletin

CRITICAL
CVE-2026-20127

Cisco Catalyst SD-WAN — Remote Root Exploitation. NSA and international partners issued a joint alert on active exploitation granting full root-level device access. Compromised routing infrastructure can enable traffic redirection and log tampering, undermining evidence integrity. Forensic Note: Perform control-plane forensics and diff running configs against known-good baselines.
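The forensic note above recommends diffing running configs against known-good baselines. The block below is an added example for this digest, not code from the alert or from Cisco: the two configurations are constructed sample text in a generic IOS-like syntax (not actual SD-WAN configuration format), and the list of high-value prefixes is an assumption about which directives most directly affect traffic paths and logging.

```python
"""Diff a captured running configuration against a known-good baseline and
flag the changes that can redirect traffic or suppress logs.

Added example (not from the NSA/CISA alert or any Cisco tool). Both configs are
constructed sample text in a generic IOS-like syntax; HIGH_VALUE_PREFIXES is an
assumed list of directive families worth escalating.
"""
import difflib
import hashlib

# Constructed known-good baseline captured at deployment time.
BASELINE_CONFIG = """\
hostname edge-rtr-01
logging host 10.0.0.5
ip route 0.0.0.0 0.0.0.0 192.0.2.1
username admin privilege 15 secret <redacted>
line vty 0 4
 transport input ssh
"""

# Constructed running config captured during the investigation.
RUNNING_CONFIG = """\
hostname edge-rtr-01
logging host 203.0.113.9
ip route 0.0.0.0 0.0.0.0 192.0.2.1
ip route 10.10.0.0 255.255.0.0 198.51.100.7
username admin privilege 15 secret <redacted>
username svc-backup privilege 15 secret <redacted>
line vty 0 4
 transport input ssh telnet
"""

# Directive families whose changes most directly bear on evidence integrity (assumed list).
HIGH_VALUE_PREFIXES = ("logging", "ip route", "username", "aaa", "transport input")


def sha256_text(text: str) -> str:
    """Hash each capture so the exact artifacts that were compared can be recorded in the case file."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def config_diff(baseline: str, running: str) -> dict:
    """Return the lines added to and removed from the running config relative to the baseline."""
    base_lines = baseline.splitlines()
    run_lines = running.splitlines()
    added, removed = [], []
    sm = difflib.SequenceMatcher(a=base_lines, b=run_lines, autojunk=False)
    for tag, i1, i2, j1, j2 in sm.get_opcodes():
        if tag in ("replace", "delete"):
            removed.extend(base_lines[i1:i2])
        if tag in ("replace", "insert"):
            added.extend(run_lines[j1:j2])
    return {"added": added, "removed": removed}


def flag_high_value(changes: dict) -> list:
    """Pick out changed lines in the directive families that can alter routing or logging."""
    flagged = []
    for kind in ("added", "removed"):
        for line in changes[kind]:
            if line.strip().startswith(HIGH_VALUE_PREFIXES):
                flagged.append((kind, line))
    return flagged


if __name__ == "__main__":
    print("baseline sha256:", sha256_text(BASELINE_CONFIG))
    print("running  sha256:", sha256_text(RUNNING_CONFIG))
    diff = config_diff(BASELINE_CONFIG, RUNNING_CONFIG)
    for kind, line in flag_high_value(diff):
        print(f"{kind:8s} {line}")
```

In the constructed sample the diff surfaces a changed syslog destination, an extra static route, a new privileged account and telnet enabled on the VTY lines; each is the kind of change that should be reconciled against change-management records before the device's logs are trusted as evidence.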

ACTIVE EXPLOIT
CVE-2026-25108

FileZen Command Injection — CISA has ordered emergency mitigations for this actively exploited file-transfer appliance vulnerability. Forensic Note: FileZen's native file-monitoring logs may serve as a primary evidence source for validating compromise timelines and scoping data exfiltration.

Malware Spotlight

"Sandworm_Mode" NPM Packages

A supply-chain campaign deploying typosquatted NPM packages via stolen developer credentials to harvest CI/CD pipeline secrets and poison AI coding assistants through rogue MCP server behavior. The campaign targets developer environments directly, making pipeline integrity logs the critical forensic artifact.
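A practical triage step for a typosquatting campaign is to check a project's declared dependencies for names that are one or two edits away from packages the organization actually approves. The block below is an added example for this digest, not code from the article or from NPM: the approved list and the package.json are constructed, and the look-alike names in it are made up for illustration rather than taken from any real campaign.

```python
"""Flag dependency names that are near-misses of packages on an approved list.

Added example (not from the article or any NPM tooling). APPROVED and
PACKAGE_JSON are constructed; the look-alike names are invented for the demo.
A real deployment would compare against the organization's own allowlist or
lockfile history rather than this short set.
"""
import json

# Constructed allowlist of packages the project is known to use.
APPROVED = {"lodash", "express", "react", "axios", "chalk"}

# Constructed package.json containing two invented look-alike names.
PACKAGE_JSON = """
{
  "name": "example-app",
  "dependencies": {
    "lodash": "^4.17.21",
    "expres": "^4.18.2",
    "axios": "^1.6.0",
    "react": "^18.2.0"
  },
  "devDependencies": {
    "chalk": "^5.3.0",
    "chaik": "^5.0.0"
  }
}
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two names, counting insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suspicious_dependencies(package_json: str, approved: set, max_distance: int = 2) -> list:
    """Return (name, closest_approved, distance) for declared names that are close to,
    but not on, the approved list. Names on the list are skipped; names far from
    every approved package are left for a separate unknown-package review."""
    doc = json.loads(package_json)
    names = set()
    for key in ("dependencies", "devDependencies"):
        names.update(doc.get(key, {}))
    findings = []
    for name in sorted(names - approved):
        closest = min(approved, key=lambda ok: levenshtein(name, ok))
        dist = levenshtein(name, closest)
        if 0 < dist <= max_distance:
            findings.append((name, closest, dist))
    return findings


if __name__ == "__main__":
    for name, closest, dist in suspicious_dependencies(PACKAGE_JSON, APPROVED):
        print(f"{name!r} is {dist} edit(s) from approved package {closest!r}")
```

Running this over every package.json and lockfile committed during the suspected window, and correlating hits with the pipeline's install logs, gives examiners a concrete list of which builds pulled the look-alike packages and when.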