Cookie Consent by Free Privacy Policy Generator

Cyber Brief: Russian State Targeting, OAuth Abuse, and Router Hygiene

Today's brief highlights the importance of foundational security hygiene and clear governance over access and trust relationships. The NCSC and international partners have issued fresh guidance on Russian state exploitation of poorly configured routers, Microsoft has detailed a year-long campaign abusing OAuth trust in Salesforce environments, CISA has added a 2008 Cisco vulnerability to its Known Exploited Vulnerabilities catalogue, and the Los Angeles Police Department has ended its contract with surveillance technology provider Flock Safety over civil liberties concerns. Together, these stories reinforce that mature security depends on maintaining visibility, managing third-party trust, and ensuring that foundational controls remain fit for purpose over time.

NCSC and allies warn of Russian state targeting of poorly configured routers

The National Cyber Security Centre, alongside CISA and international partners, has published a joint advisory warning that Russian Federal Security Service (FSB) Center 16 cyber actors continue to exploit poorly configured and vulnerable networking devices across critical infrastructure sectors worldwide. The advisory, published on 13 July 2026, highlights ongoing opportunistic compromise of routers and edge devices that lack basic security hygiene, including default credentials, outdated firmware, and insufficient access controls. The targeting is described as broad and persistent rather than sophisticated, relying on organisations failing to implement well-established protective measures. The advisory includes detailed technical guidance on router hardening, logging, segmentation, and monitoring to help organisations reduce exposure to this activity.

For UK businesses, this advisory is a practical reminder that state-sponsored threat actors continue to exploit the weakest points in enterprise networks, often at the perimeter where visibility and ownership can be unclear. Routers and edge devices are frequently managed inconsistently, left with vendor defaults, or overlooked during patching cycles. The operational risk is that compromised routers can provide persistent access, enable lateral movement, and allow attackers to monitor or manipulate traffic without triggering endpoint detection tools. This is particularly relevant for organisations in critical national infrastructure, manufacturing, energy, healthcare, and professional services sectors, all of which have been targeted by Russian state actors in recent years.

Why it matters

For UK businesses, this is a prompt to review who owns router and edge device security, how those devices are configured, and whether logging and monitoring are sufficient to detect unauthorised access. Many organisations have strong endpoint and identity controls but weaker visibility at the network perimeter. Ensuring that routers are patched, hardened, and monitored is a foundational control that should be verified regularly, not assumed to be in place.

Source: NCSC UK

Microsoft tracks year-long Salesforce data theft campaign exploiting OAuth trust

Microsoft has published research detailing a year-long campaign in which attackers, whose methods align with the data extortion group ShinyHunters, have been stealing data from corporate Salesforce environments by exploiting OAuth trust relationships rather than vulnerabilities in the platform itself. The Hacker News reports that the attackers gained access through legitimate OAuth connections that organisations had already established between Salesforce and third-party applications or vendors. Once inside, the attackers used those trusted connections to exfiltrate customer data, contact lists, and business records without triggering traditional security alerts. The campaign highlights how attackers are increasingly targeting the trust relationships between cloud platforms rather than exploiting software flaws, making detection significantly harder for organisations that rely on perimeter and endpoint controls alone.

For many UK organisations, Salesforce and similar cloud platforms are central to customer relationship management, sales operations, and business intelligence. OAuth is widely used to connect these platforms to marketing tools, analytics services, support systems, and automation platforms. The operational challenge is that OAuth permissions are often granted during initial setup and rarely reviewed thereafter. If a third-party application is compromised, or if an attacker gains access to OAuth tokens through credential theft or social engineering, they can move laterally into connected systems without needing to exploit a vulnerability. This creates a significant blind spot for security teams that focus primarily on identity and endpoint protection but lack visibility into how cloud platforms are interconnected and what data those connections can access.

Why it matters

For UK businesses, this is a prompt to review which third-party applications have OAuth access to Salesforce, Microsoft 365, Google Workspace, and other cloud platforms, what data those connections can access, and whether those permissions are still necessary. Many organisations discover that OAuth permissions granted years ago are still active, even after the original business need has ended. Establishing a regular review process for OAuth grants, ensuring that security teams have visibility into cloud platform integrations, and monitoring for unusual data access patterns are all practical steps that reduce exposure to this type of attack.

Source: The Hacker News

CISA adds 2008 Cisco IOS vulnerability to Known Exploited Vulnerabilities catalogue

The US Cybersecurity and Infrastructure Security Agency has added CVE-2008-4128, a cross-site request forgery vulnerability in Cisco IOS, to its Known Exploited Vulnerabilities catalogue based on evidence of active exploitation. CISA reports that the vulnerability, originally disclosed in 2008, allows attackers to perform unauthorised actions on behalf of authenticated users by tricking them into visiting a malicious website or clicking a crafted link. The addition to the KEV catalogue indicates that threat actors are actively exploiting this 18-year-old flaw in environments where Cisco IOS devices have not been patched or replaced. CISA requires US federal agencies to address KEV-listed vulnerabilities within specified timeframes, and the catalogue is widely used by UK and international organisations as a prioritisation tool for vulnerability management.

For UK businesses, the continued exploitation of vulnerabilities from 2008 highlights the operational reality that legacy network infrastructure often remains in production far longer than originally intended, and patching cycles for network devices can lag significantly behind endpoint and server patching. Cisco IOS devices are widely deployed in UK enterprise networks, and many organisations continue to operate older hardware that may no longer receive vendor support. The risk is that attackers can exploit these devices to gain initial access, establish persistence, or move laterally within the network. The fact that CISA has added this vulnerability to the KEV catalogue nearly two decades after disclosure suggests that it remains a viable attack vector in real-world environments, likely because organisations have not prioritised network device patching or have assumed that older vulnerabilities are no longer relevant.

Why it matters

For UK businesses, this is a prompt to review the age and patch status of network infrastructure, particularly routers, switches, and firewalls. Many organisations focus patching efforts on servers and endpoints but treat network devices as stable infrastructure that rarely changes. Ensuring that network devices are inventoried, that their firmware versions are known, and that a process exists to apply security updates or replace unsupported hardware is a foundational control that should be verified regularly. Where devices cannot be patched, organisations should consider whether compensating controls such as network segmentation, access restrictions, or replacement are appropriate.

Source: CISA

Los Angeles Police Department ends Flock Safety contract over civil liberties concerns

The Los Angeles Police Department has allowed its contract with surveillance technology provider Flock Safety to expire, citing serious concerns over civil liberties and privacy. TechCrunch reports that the LAPD, one of Flock's largest government customers, made the decision following internal review and public pressure over the use of automated licence plate recognition technology and the potential for mass surveillance. Flock Safety provides networked cameras that capture and analyse vehicle movements, storing data in a centralised platform accessible to law enforcement agencies. The LAPD's decision reflects growing scrutiny of surveillance technology procurement, data retention practices, and the balance between public safety and individual privacy. The move is significant given the scale of Flock's deployment in the US and the increasing use of similar technology by UK police forces and private sector organisations for security and access control purposes.

For UK businesses, particularly those in property management, logistics, retail, and corporate security, the LAPD's decision highlights the importance of understanding the privacy and civil liberties implications of surveillance technology before procurement and deployment. Automated licence plate recognition, facial recognition, and similar technologies are increasingly used for access control, perimeter security, and operational monitoring. However, the legal, ethical, and reputational risks associated with these systems are also increasing, particularly where data is retained indefinitely, shared with third parties, or used in ways that individuals may not reasonably expect. The UK's data protection framework requires organisations to demonstrate lawful basis, necessity, and proportionality for surveillance activities, and the Information Commissioner's Office has published guidance on the use of biometric and location tracking technologies.

Why it matters

For UK businesses, this is a prompt to review the surveillance and monitoring technologies in use across physical and digital environments, ensuring that data protection impact assessments are current, that retention periods are justified, and that individuals are informed about how their data is being collected and used. Many organisations deploy surveillance technology for legitimate security purposes but do not revisit the governance, retention, and transparency arrangements once the system is operational. Ensuring that procurement decisions consider privacy by design, that contracts with technology providers are clear about data ownership and access, and that regular reviews take place are all practical steps that reduce legal and reputational risk.

Source: TechCrunch

Today's Key Actions

  • Review who owns router and edge device security in your organisation, verify that devices are patched and hardened, and ensure that logging and monitoring are sufficient to detect unauthorised access or configuration changes.
  • Audit which third-party applications have OAuth access to Salesforce, Microsoft 365, Google Workspace, and other cloud platforms, what data those connections can access, and whether those permissions are still necessary and appropriately governed.
  • Check the age and patch status of network infrastructure, particularly routers, switches, and firewalls, and ensure that a process exists to apply security updates or replace unsupported hardware where vulnerabilities cannot be mitigated.
  • Review the surveillance and monitoring technologies in use across your organisation, ensuring that data protection impact assessments are current, retention periods are justified, and individuals are informed about how their data is being collected and used.
  • Ensure that ownership of perimeter security, cloud platform integrations, network infrastructure patching, and surveillance technology governance is clearly assigned and that regular reviews are taking place across all of these areas.

Secarma Insight

Today's stories reinforce that mature security is built on clear ownership, regular review, and the discipline to maintain foundational controls even when they are not generating immediate alerts or incidents. Router hygiene, OAuth governance, network device patching, and surveillance technology oversight are all areas where security can degrade quietly over time if they are not actively managed. The organisations that manage these risks well are those that have embedded regular review cycles, clear accountability, and the confidence to ask whether the controls they put in place years ago are still fit for purpose today. Good security is not about reacting to the latest threat, it is about maintaining the habits and governance that make exploitation harder in the first place.

News and blog posts
Introduction Knowing what to do when a client asks for proof of cybersecurity...
The National Cyber Security Centre, alongside CISA and international partners,...
Microsoft has published research detailing a year-long campaign in which...
The US Cybersecurity and Infrastructure Security Agency has added...