Welcome back to The CyberSignal Weekly Briefing — your weekly digest of what’s shifting in the global cybersecurity landscape with a focus on the U.S. and allied markets.
This week: coordinated law enforcement takedowns, critical infrastructure zero-days, massive historical data exposure, and the dismantling of the world's most prolific phishing engine. The narrative is shifting—while attackers are automating, global authorities are finally striking back at the infrastructure that powers them.
If you’re a CISO, IT director, or security leader, this edition highlights why edge orchestration security and legacy data debt are your two biggest liabilities this month.
Let’s dive in.
🔎 Overview: What Shifted in Cyber Since Last Week
Illicit marketplace dismantled — FBI and Europol shut down LeakBase, seizing hundreds of millions of records.
Infrastructure Zero-Days exploited — Cisco SD-WAN under active attack; CISA issues emergency directive.
Phishing-as-a-Service neutralized — "Tycoon 2FA" toolkit dismantled, disrupting 330 active domains.
Legacy data debt strikes — University of Hawaiʻi confirms breach of 1.2M records from historical files.
Hospitality leak expands — Wynn Resorts breach details emerge as ShinyHunters claim 800k sensitive records.
✨ Our Partner
Every headline satisfies an opinion. Except ours.
Remember when the news was about what happened, not how to feel about it? 1440's Daily Digest is bringing that back. Every morning, they sift through 100+ sources to deliver a concise, unbiased briefing — no pundits, no paywalls, no politics. Just the facts, all in five minutes. For free.
🔥 Key Incidents & Analysis
A 14-country operation led by the FBI and Europol successfully shuttered LeakBase, a primary hub for trading stolen credentials and database leaks.
Sector: Illicit Cybercrime Services
Impact: 142,000+ members; hundreds of millions of stolen records seized
Why it matters: While the storefront is gone, the data is already in the wild. CISOs should treat this as a signal to trigger credential resets for users who haven't updated passwords in 90 days, as "re-leaked" data often fuels automated credential stuffing.
Cisco issued an urgent update confirming that CVE-2026-20128 and CVE-2026-20122 are now being exploited in the wild to gain root privileges on Catalyst SD-WAN Manager.
Sector: Enterprise Infrastructure / Networking
Threat Vector: Authentication bypass and command injection
Impact: Complete manager takeover and potential lateral movement
Why it matters: CISA issued Emergency Directive 26-03 this week. SD-WAN and edge orchestration tools are now Tier-0 targets for state-sponsored actors seeking persistent network access.
Microsoft and Europol neutralized the Tycoon 2FA platform, a sophisticated Phishing-as-a-Service (PhaaS) kit designed to bypass MFA at scale.
Sector: Identity / Phishing Infrastructure
Threat Vector: AiTM (Adversary-in-the-Middle) phishing
Impact: 330 domains seized; over 500,000 organizations previously targeted
Why it matters: The success of Tycoon 2FA highlights that traditional "push" or SMS MFA is no longer a sufficient barrier. The shift to FIDO2/WebAuthn (Passkeys) is no longer optional for privileged accounts.
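To show concretely why a FIDO2/WebAuthn login resists the adversary-in-the-middle technique that Tycoon 2FA relied on, here is an added Python example (not code from the newsletter, Microsoft or Europol). It models the two pieces of a WebAuthn assertion that bind the login to the site the user actually visited: the browser writes its own origin into clientDataJSON, and the authenticator data starts with SHA-256 of the relying-party ID. The relying-party ID `example.com`, the origin `login.example.com`, the lookalike host `login.example-com.test` and the challenges are all constructed; signature verification over the authenticator data is left out on purpose, since the origin and rpId checks alone are what a proxy on another domain cannot satisfy.

```python
"""Relying-party checks that make WebAuthn logins phishing-resistant (added example)."""
import base64
import hashlib
import json
import secrets
from urllib.parse import urlparse

RP_ID = "example.com"                             # assumed relying-party ID
ALLOWED_ORIGINS = {"https://login.example.com"}   # assumed legitimate login origin


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def browser_allows_rp_id(origin: str, rp_id: str) -> bool:
    """Browsers only let a page use an rpId that is its own host or a registrable
    suffix of it, so a proxy on another domain cannot ask for 'example.com'."""
    host = urlparse(origin).hostname or ""
    return host == rp_id or host.endswith("." + rp_id)


def browser_builds_client_data(origin: str, challenge: str) -> bytes:
    """The browser, not the page, fills in 'origin' from where the page was loaded."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin, "crossOrigin": False}).encode()


def authenticator_data(rp_id: str) -> bytes:
    """authenticatorData begins with SHA-256(rpId); flags/counter are constructed."""
    flags = b"\x05"                      # UP and UV bits set
    counter = (1).to_bytes(4, "big")
    return hashlib.sha256(rp_id.encode()).digest() + flags + counter


def verify_assertion(client_data: bytes, auth_data: bytes,
                     expected_challenge: str) -> tuple[bool, str]:
    """Relying-party side: the clientData and rpIdHash steps of the WebAuthn
    assertion procedure (signature check omitted in this example)."""
    try:
        cd = json.loads(client_data)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if not secrets.compare_digest(str(cd.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch (replay or wrong session)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')!r} not allowed"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "ok"


def login_attempt(origin_seen_by_browser: str, rp_id_requested: str) -> tuple[bool, str]:
    """One full ceremony: server challenge -> browser/authenticator -> server check."""
    challenge = b64url(secrets.token_bytes(32))   # fresh per-login challenge
    if not browser_allows_rp_id(origin_seen_by_browser, rp_id_requested):
        host = urlparse(origin_seen_by_browser).hostname
        return False, f"browser refused: rpId {rp_id_requested!r} is not a suffix of {host!r}"
    client_data = browser_builds_client_data(origin_seen_by_browser, challenge)
    auth_data = authenticator_data(rp_id_requested)
    return verify_assertion(client_data, auth_data, challenge)


if __name__ == "__main__":
    # Constructed scenarios: the real site, and a lookalike proxy host.
    for origin, rp in [("https://login.example.com", "example.com"),
                       ("https://login.example-com.test", "example.com"),
                       ("https://login.example-com.test", "example-com.test")]:
        print(origin, rp, "->", login_attempt(origin, rp))
```

The three scenarios in `__main__` are the point: the genuine origin passes, a proxy that asks for the real rpId is refused by the browser before any assertion exists, and a proxy that uses its own rpId produces an assertion the relying party rejects on the origin check. A push or SMS prompt carries none of this binding, which is why the briefing's advice to move privileged accounts to passkeys or hardware keys is the effective mitigation rather than adding more one-time codes.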
The University of Hawaiʻi confirmed a massive data leak impacting 1.2 million individuals, with exposed records including Social Security numbers and driver’s license data.
Sector: Healthcare Research / Government
Threat Vector: Historical data exposure / Legacy server compromise
Data Impact: 1.2M records (including historical DOT and voter records)
Why it matters: This breach proves that "legacy data debt" is a ticking time bomb. Storing decade-old sensitive data on internet-facing research servers creates massive regulatory liability with zero operational upside.
📈 Data & Research Corner
142,000+ members were active on the LeakBase marketplace prior to the FBI seizure this week.
330 phishing domains were taken offline in the Tycoon 2FA operation, disrupting tens of millions of phishing messages.
1.2M records exposed at the University of Hawaiʻi, emphasizing the risk of unpurged historical identity data.
600+ FortiGate devices remain under scrutiny following last week's AI-assisted compromise reports, signaling a continued focus on edge infrastructure.
🛡️ Actionable Playbook for CISOs & IT Leaders
SD-WAN Remediation: If you utilize Cisco Catalyst SD-WAN, apply the patches for CVE-2026-20128 immediately. Do not wait for the standard weekend maintenance window.
Credential Rotation: Cross-reference your user base against known LeakBase dumps and enforce mandatory resets for any identified accounts.
Deprioritize SMS/Push MFA: In light of the Tycoon 2FA takedown, accelerate the rollout of hardware security keys or FIDO2-compliant authentication for all IT admins and executives.
Legacy Data Purge: Conduct a "Data ROT" (Redundant, Obsolete, Trivial) audit. If you are storing PII from 2015 that isn't required for compliance, purge it before it becomes a headline.
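The credential rotation step above, together with the 90-day reset suggestion in the LeakBase analysis, can be turned into a repeatable triage job. The following Python script is an added example, not code from the newsletter or from any vendor. It assumes a directory export with each account's last password change date and a dump in the common `email:password` line format; both inputs below are constructed samples. The dump is reduced to SHA-1 fingerprints of normalised e-mail addresses before comparison so the password column is discarded immediately and no plaintext identities need to sit on an analyst workstation.

```python
"""Triage accounts for forced credential reset after a marketplace takedown (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib

MAX_PASSWORD_AGE = timedelta(days=90)   # threshold taken from the briefing


@dataclass
class Account:
    email: str
    password_changed: date
    privileged: bool = False


def email_fingerprint(email: str) -> str:
    """Normalise case/whitespace, then hash, so the comparison set holds no plaintext."""
    return hashlib.sha1(email.strip().lower().encode()).hexdigest()


def load_dump_fingerprints(lines) -> set[str]:
    """Accept 'email:password' or bare 'email' lines; keep only the e-mail hash.
    The password column is never stored."""
    fingerprints = set()
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        email = line.split(":", 1)[0]
        if "@" in email:
            fingerprints.add(email_fingerprint(email))
    return fingerprints


def triage(accounts, dump_fingerprints: set[str], today: date) -> dict[str, list[str]]:
    """Return {email: [reasons]} for every account that needs a forced reset."""
    findings = {}
    for acct in accounts:
        reasons = []
        if email_fingerprint(acct.email) in dump_fingerprints:
            reasons.append("present in LeakBase-style dump")
        if today - acct.password_changed > MAX_PASSWORD_AGE:
            reasons.append(f"password older than {MAX_PASSWORD_AGE.days} days")
        if reasons and acct.privileged:
            reasons.append("privileged: reset first and review sign-in logs")
        if reasons:
            findings[acct.email] = reasons
    return findings


# Constructed sample inputs (not real data).
DUMP_LINES = [
    "# constructed sample dump",
    "alice@example.com:hunter2",
    "Carol@Example.com",            # case differs from the directory entry
    "line without an address",
]
ACCOUNTS = [
    Account("alice@example.com", date(2026, 2, 20)),                  # recent change, but leaked
    Account("bob@example.com", date(2025, 10, 1)),                    # not leaked, stale password
    Account("carol@example.com", date(2025, 9, 1), privileged=True),  # leaked and stale, admin
    Account("dave@example.com", date(2026, 1, 15)),                   # clean
]
TODAY = date(2026, 3, 10)   # constructed run date


def run_triage() -> dict[str, list[str]]:
    return triage(ACCOUNTS, load_dump_fingerprints(DUMP_LINES), TODAY)


if __name__ == "__main__":
    for email, reasons in run_triage().items():
        print(email, "->", "; ".join(reasons))
```

Feeding the output into the identity provider's forced-reset API is deployment-specific and left out; the ordering hint for privileged accounts matters because credential stuffing against re-leaked data, as the briefing notes, is automated and starts quickly.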
✨ AI Newsletter Spotlight:
Become An AI Expert In Just 5 Minutes
If you’re a decision maker at your company, you need to be on the bleeding edge of, well, everything. But before you go signing up for seminars, conferences, lunch ‘n learns, and all that jazz, just know there’s a far better (and simpler) way: Subscribing to The Deep View.
This daily newsletter condenses everything you need to know about the latest and greatest AI developments into a 5-minute read. Squeeze it into your morning coffee break and before you know it, you’ll be an expert too.
Subscribe right here. It’s totally free, wildly informative, and trusted by 600,000+ readers at Google, Meta, Microsoft, and beyond.
🏛️ Regulatory, Legislative & Structural Shifts
CISA Emergency Directive 26-03 is driving a massive push for SD-WAN patching across federal and critical infrastructure sectors.
Global Law Enforcement Collaboration is reaching a new peak, with the LeakBase and Tycoon 2FA takedowns signaling a "whack-a-mole" strategy aimed at the infrastructure layer of cybercrime.
Legacy Data Accountability: The scale of the UH breach may prompt new state-level mandates regarding data retention and destruction timelines for public institutions.
📊 Poll of the Week
Which of this week’s "Infrastructure Risks" is your top priority for March remediation?
🔭 Looking Ahead
Expect a surge in credential stuffing as threat actors scramble to find new marketplaces to host the data formerly sold on LeakBase.
Edge device targeting will continue to escalate; the Cisco SD-WAN exploit is likely the first of several infrastructure zero-days we will see this month.
💡 Pro Tip of the Week
If you are managing SD-WAN or Edge Orchestration tools, the management interface should never be directly internet-facing.
Use a dedicated management VPN or a Zero Trust Network Access (ZTNA) gateway to "hide" these interfaces from the public web. If an attacker can see your login page, they can exploit a zero-day before you have time to patch it.
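A quick way to verify the tip above against an existing allow list is to audit every rule that admits a management port and confirm its source is one of the management VPN or ZTNA gateway ranges. The Python script below is an added example, not code from the newsletter or from Cisco. It models rules in a cloud security-group style (protocol, port range, source CIDR); the port-to-service map, the two management source ranges and the rule set are all constructed assumptions, and the audit flags any management port reachable from `0.0.0.0/0` as critical and from any other non-management range as high.

```python
"""Flag management-plane ports reachable from outside the management network (added example)."""
import ipaddress
from dataclasses import dataclass

# Assumed management listeners on an edge orchestration host.
MANAGEMENT_PORTS = {22: "ssh", 443: "https mgmt UI", 830: "netconf", 8443: "alt https"}
# Assumed sources that are allowed to reach them.
MANAGEMENT_SOURCES = [
    ipaddress.ip_network("10.250.0.0/24"),   # management VPN address pool
    ipaddress.ip_network("10.251.0.0/24"),   # ZTNA gateway egress range
]


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str        # "tcp", "udp" or "any"
    port_from: int
    port_to: int
    source: str       # CIDR


def source_is_management(cidr: str) -> bool:
    """True only if the whole source range sits inside an approved management range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(m) for m in MANAGEMENT_SOURCES if net.version == m.version)


def audit(rules) -> list[dict]:
    """Return one finding per rule that exposes a management port to a non-management source."""
    findings = []
    for rule in rules:
        if rule.proto not in ("tcp", "any"):
            continue                          # UDP data-plane rules are not management exposure
        exposed = [p for p in MANAGEMENT_PORTS if rule.port_from <= p <= rule.port_to]
        if not exposed or source_is_management(rule.source):
            continue
        net = ipaddress.ip_network(rule.source, strict=False)
        severity = "critical" if net.prefixlen == 0 else "high"
        findings.append({
            "rule": rule.name,
            "source": rule.source,
            "severity": severity,
            "ports": [f"{p}/{MANAGEMENT_PORTS[p]}" for p in sorted(exposed)],
        })
    return findings


# Constructed rule set: two safe rules, one data-plane rule, two exposures.
RULES = [
    Rule("mgmt-from-vpn", "tcp", 443, 443, "10.250.0.0/24"),
    Rule("data-plane-ipsec", "udp", 4500, 4500, "0.0.0.0/0"),
    Rule("legacy-any-any", "any", 0, 65535, "0.0.0.0/0"),
    Rule("partner-ssh", "tcp", 22, 22, "203.0.113.0/24"),
    Rule("netconf-from-ztna", "tcp", 830, 830, "10.251.0.0/24"),
]


def run_audit() -> list[dict]:
    return audit(RULES)


if __name__ == "__main__":
    for finding in run_audit():
        print(f"[{finding['severity']}] {finding['rule']} from {finding['source']}: "
              f"{', '.join(finding['ports'])}")
```

The `legacy-any-any` rule is the pattern that matters most here: a permissive catch-all left from initial deployment silently keeps the manager's login page visible to the internet even after a dedicated management rule was added, which is exactly the exposure a zero-day like this week's SD-WAN Manager bugs turns into a compromise before a patch window opens.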
🔒 Conclusion
This week proved that while law enforcement is winning significant battles, the "infrastructure war" is just beginning. From the teardown of LeakBase to the active exploitation of SD-WAN managers, the message is clear: The perimeter has shifted to the management plane.
For security leaders, the mandate for March is clear: secure your edge devices, rotate compromised credentials, and for heaven's sake, delete the data you no longer need.
Until next time,
Stay sharp. Stay ahead.