Threat Analysis: APT28 Router Hijacking, Ivanti Zero-Day, and the RMM Abuse Wave Hitting UK SMBs

Threats & Attacks

Hello, Mauven here.

This is your Daily Threat Analysis for 8th May 2026.

Three items today. All active. All with direct relevance to UK small businesses, even if none of the reporting frames them that way.


APT28 Is Rewriting Your Router’s DNS Settings

The NCSC has published guidance, jointly with Five Eyes partners, confirming that APT28, the Russian military intelligence unit you may know better as Fancy Bear, is exploiting routers to overwrite DHCP and DNS settings. The objective is to redirect your traffic through attacker-controlled DNS servers, where credentials, OAuth tokens, and web session data can be intercepted before your systems ever see them.

The advisory attributes this to APT28. What it does not say loudly enough is that this technique does not require sophisticated access to your internal systems. It requires access to your router. And for a significant proportion of UK SMBs, that router is either unpatched, still running default credentials, or both.

CVE-2023-50224 is noted in relation to TP-Link devices, but the technique is not limited to one manufacturer. The attack works by compromising the edge device and poisoning DNS resolution. Once that is in place, every password your staff enters for a web-based service (email, cloud storage, accounting software, banking) can be intercepted. MFA tokens delivered via the browser can be captured in adversary-in-the-middle configurations. This is not a hypothetical attack chain. It has been observed in active campaigns.

The NCSC advisory on this class of threat is not new. The fact we are discussing an active APT28 campaign exploiting routers in 2026 tells you everything about how consistently organisations have taken that guidance on board.

If your IT provider manages your router, ask them today whether DNS settings have been audited and whether firmware is current. If you manage it yourself, change the admin credentials, update the firmware, and verify your DNS resolver settings have not been modified. If you do not know how to check that, that is also important information.
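A concrete version of the "verify your DNS resolver settings" check, as an added example that is not part of the NCSC advisory or this newsletter: the script below reads the two places a Linux workstation records the resolvers it was given (resolv.conf and an ISC dhclient lease file) and flags anything that is not the resolver you expect. The approved resolver (the router at 192.168.1.1), the LAN range and both file bodies are constructed for illustration.

```python
"""Audit the DNS resolvers a workstation has actually been handed.

Added example, not from the NCSC advisory or this newsletter. It reads the
two places a Linux client records its resolvers (resolv.conf and an ISC
dhclient lease file) and flags anything that is not the resolver you expect.
The approved resolver, LAN range and file contents below are constructed.
"""
import ipaddress
import re

# Assumption: this office expects the router, 192.168.1.1, to be the only
# resolver handed out by DHCP; anything else deserves a question.
LAN = ipaddress.ip_network("192.168.1.0/24")
APPROVED_RESOLVERS = {ipaddress.ip_address("192.168.1.1")}

NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)
LEASE_DNS_RE = re.compile(r"option\s+domain-name-servers\s+([^;]+);")


def resolvers_from_resolv_conf(text):
    """Resolver addresses listed in a resolv.conf body, in order."""
    return [ipaddress.ip_address(a) for a in NAMESERVER_RE.findall(text)]


def resolvers_from_dhcp_lease(text):
    """Resolvers the DHCP server pushed, from an ISC dhclient lease body."""
    found = []
    for group in LEASE_DNS_RE.findall(text):
        found.extend(ipaddress.ip_address(a.strip()) for a in group.split(","))
    return found


def audit(resolvers, approved=APPROVED_RESOLVERS, lan=LAN):
    """Return (finding, address) pairs; an empty list means nothing unexpected."""
    findings = []
    for addr in resolvers:
        if addr in approved:
            continue
        if addr in lan:
            findings.append(("unexpected-resolver-on-lan", str(addr)))
        else:
            findings.append(("resolver-outside-lan", str(addr)))
    if not any(addr in approved for addr in resolvers):
        findings.append(("no-approved-resolver-present", ""))
    return findings


# Constructed sample: DHCP has started handing out an extra, off-network
# resolver alongside the router itself.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search office.example
nameserver 192.168.1.1
nameserver 198.51.100.23
"""

SAMPLE_LEASE = """\
lease {
  interface "eth0";
  fixed-address 192.168.1.57;
  option subnet-mask 255.255.255.0;
  option routers 192.168.1.1;
  option domain-name-servers 192.168.1.1, 198.51.100.23;
  option dhcp-server-identifier 192.168.1.1;
}
"""

if __name__ == "__main__":
    for label, resolvers in (("resolv.conf", resolvers_from_resolv_conf(SAMPLE_RESOLV_CONF)),
                             ("dhcp lease", resolvers_from_dhcp_lease(SAMPLE_LEASE))):
        print(label, [str(a) for a in resolvers], audit(resolvers) or "OK")
```

To use it on a real machine, feed the functions the contents of /etc/resolv.conf and the dhclient lease file (commonly under /var/lib/dhcp/, the exact name varies by distribution). Two caveats: if resolv.conf lists only 127.0.0.53 the machine is using the systemd-resolved stub, and `resolvectl status` shows the upstream servers actually in use; and this check only sees what the router pushed to clients. If the router itself is the resolver and its own upstream setting was changed, the client will still show 192.168.1.1 and the only place to look is the router's WAN or upstream DNS configuration in its admin interface.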


Ivanti EPMM: Zero-Day, Active Exploitation, Four Days to Patch

CISA added a high-severity vulnerability in Ivanti Endpoint Manager Mobile to its Known Exploited Vulnerabilities catalogue and gave US federal agencies a four-day remediation deadline. That is the shortest standard window CISA issues. It reflects confirmed, active exploitation in the wild.

Ivanti EPMM is a mobile device management platform. It is used by organisations to manage smartphones and tablets connected to corporate networks, the kind of deployment that has become standard as hybrid working normalised. If your business or your IT provider uses Ivanti for device management, this affects you.

The specific vulnerability allows remote code execution. The details of the exploitation method are not yet fully public, which is partly why the four-day window exists: CISA is trying to close the gap before detailed proof-of-concept code circulates widely.

Ivanti has had a difficult run of vulnerability disclosures over the past eighteen months. The advisory recommends patching immediately, isolating EPMM instances from direct internet exposure where patching cannot happen immediately, and reviewing access logs for anomalous authentication activity.

If your IT provider tells you this does not affect you because you are too small to be a target, ask them whether they use Ivanti to manage any devices on your behalf. Managed service providers are a primary target precisely because compromising one gives access to multiple downstream clients.


RMM Tools Are Being Bundled Into Malspam, Including Tools Your IT Provider Uses

Huntress has published research on a campaign, active since late February, in which threat actors are weaponising Tiflux, a remote management tool, alongside UltraVNC, Splashtop, and ScreenConnect. The attack chain begins with phishing emails carrying fake document lures that deliver malicious MSI installers.

Once executed, those installers deploy multiple remote access tools simultaneously, giving attackers persistent, legitimate-looking access to the victim’s machine. The reason this matters is not Tiflux specifically; it is the technique.

Splashtop and ScreenConnect are widely used by managed IT providers in the UK. They are the tools your IT support company uses to remotely access your machines to fix problems. An attacker who deploys these tools via a phishing email gets remote access that, to most monitoring systems, looks indistinguishable from your legitimate IT support doing their job.

The campaign uses CVE-2023-39143 as part of the chain, but the social engineering component is doing most of the work. Employees receive what appears to be a document attachment. They open it. An MSI installer runs. Remote access tools are deployed silently.

This is not a sophisticated attack. It does not need to be. The sophistication is in the choice of tools: using legitimate remote management software means defenders have to think carefully about what constitutes malicious activity versus normal IT operations.

What to do: brief your staff that they should never run installer files received by email, regardless of who appears to have sent them. Verify any unexpected remote access sessions by calling your IT provider directly using a number you already have, not one provided in the email.
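To make "malicious activity versus normal IT operations" concrete, here is an added example (not from Huntress or this newsletter) of the hunting logic a defender could run over endpoint process-creation events. It flags installers launched by document or mail programs or from a download folder, remote-access tools that are not on the organisation's sanctioned list, and several distinct remote-access tools appearing on one host within minutes, which is the bundling pattern described above. The event shape, the executable names and paths, and the sanctioned-tool list are assumptions, simplified from what Sysmon or an EDR would record.

```python
"""Hunt for bundled remote-access-tool installs in process-creation events.

Added example, not from the Huntress report or this newsletter. The event
shape (host, ts, parent_image, image, cmdline) is a constructed
simplification of what Sysmon or an EDR records; the tool executable names
and paths in the sample events are constructed too.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Tool families named in the campaign described above.
RMM_TOOLS = {"tiflux", "ultravnc", "splashtop", "screenconnect"}
# Assumption: the IT provider has confirmed Splashtop is the only sanctioned tool.
APPROVED_RMM = {"splashtop"}
# Document and mail programs that should never be the parent of an installer.
LURE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe"}
# Locations where an emailed attachment typically lands before it is run.
LURE_PATHS = ("\\downloads\\", "\\appdata\\local\\temp\\")
# Several distinct tools inside this window is the bundling pattern.
BUNDLE_WINDOW = timedelta(minutes=10)


def rmm_tool_in(text):
    """Return the first known RMM family name found in text, or None."""
    low = text.lower()
    for name in sorted(RMM_TOOLS):
        if name in low:
            return name
    return None


def basename(path):
    """Last component of a Windows path, lower-cased."""
    return path.lower().rsplit("\\", 1)[-1]


def analyse(events):
    """Return (host, rule, detail) alerts for the three patterns described above."""
    alerts = []
    seen_tools = defaultdict(list)  # host -> [(timestamp, tool family)]
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        exe, parent_exe = basename(e["image"]), basename(e["parent_image"])
        cmd = e["cmdline"].lower()
        # Rule 1: MSI installer spawned by a document/mail program or run from a lure path.
        if exe == "msiexec.exe" and (parent_exe in LURE_PARENTS or any(p in cmd for p in LURE_PATHS)):
            alerts.append((e["host"], "installer-from-lure", f"{parent_exe} -> {cmd}"))
        # Rule 2: any RMM family that is not on the sanctioned list.
        tool = rmm_tool_in(e["image"]) or rmm_tool_in(cmd)
        if tool:
            seen_tools[e["host"]].append((ts, tool))
            if tool not in APPROVED_RMM:
                alerts.append((e["host"], "unapproved-rmm", tool))
    # Rule 3: two or more distinct RMM families on one host within BUNDLE_WINDOW.
    for host, items in seen_tools.items():
        items.sort()
        for start, _ in items:
            bundle = {tool for t, tool in items if start <= t <= start + BUNDLE_WINDOW}
            if len(bundle) >= 2:
                alerts.append((host, "rmm-bundle", ",".join(sorted(bundle))))
                break
    return alerts


# Constructed sample: WS-12 is the IT provider's normal Splashtop rollout,
# WS-07 is a user opening an emailed "invoice" that drops three tools at once.
SAMPLE_EVENTS = [
    {"host": "WS-12", "ts": "2026-05-07T09:02:10",
     "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRServer.exe",
     "cmdline": "SRServer.exe"},
    {"host": "WS-07", "ts": "2026-05-07T10:14:03",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\jo\Downloads\Invoice_4471.msi /qn"},
    {"host": "WS-07", "ts": "2026-05-07T10:14:41",
     "parent_image": r"C:\Windows\System32\msiexec.exe",
     "image": r"C:\Program Files\Tiflux\tiflux-agent.exe",
     "cmdline": "tiflux-agent.exe --silent"},
    {"host": "WS-07", "ts": "2026-05-07T10:15:02",
     "parent_image": r"C:\Windows\System32\msiexec.exe",
     "image": r"C:\Program Files\UltraVNC\winvnc.exe",
     "cmdline": "winvnc.exe -service"},
    {"host": "WS-07", "ts": "2026-05-07T10:15:30",
     "parent_image": r"C:\Windows\System32\msiexec.exe",
     "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "cmdline": "ScreenConnect.ClientService.exe"},
]

if __name__ == "__main__":
    for host, rule, detail in analyse(SAMPLE_EVENTS):
        print(f"{host:6} {rule:22} {detail}")
```

The point of rule 2 is that the sanctioned list has to come from your IT provider in writing; without it, a Splashtop or ScreenConnect install is indistinguishable from support doing their job, which is exactly the gap the campaign relies on. Rule 3 is the cheapest signal of the lot, because legitimate providers standardise on one tool and do not install three in ninety seconds.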


Also Worth Noting

Trellix source code breach claimed by RansomHouse. Trellix makes security software. The breach of a security vendor’s source code repository is significant because it potentially gives attackers insight into detection logic: understanding what Trellix products look for means understanding how to evade them. If Trellix is part of your security stack, this warrants a conversation with your provider about what the exposure means for your specific configuration.

‘Dirty Frag’ Linux privilege escalation zero-day. A root-level Linux vulnerability with a public proof-of-concept exploit and no CVE assigned yet is circulating. The disclosure embargo broke before patches were available. If you run Linux servers, directly or via a hosting provider, monitor for patches and apply them promptly when they arrive. The absence of a CVE number does not reduce the risk; it just makes tracking harder.


Actions for Today

  1. Routers: Verify firmware is current. Audit DNS settings. Ensure admin credentials are not default. Ask your IT provider to confirm this has been done if they manage your network equipment.

  2. Ivanti EPMM: If in use, patch immediately. If your IT provider uses it for device management, ask them for confirmation of remediation status today.

  3. Phishing awareness: Brief staff on the MSI installer lure campaign. Unexpected installer files from any source should not be run. Verify unexpected remote access requests directly.

  4. Trellix users: Request confirmation from your provider that the source code breach has been assessed for impact on your configuration.

  5. Linux administrators: Watch for the Dirty Frag patch. Apply it as soon as it is available.


Sources

Source | Title | URL
NCSC | APT28 exploit routers to enable DNS hijacking operations | https://www.ncsc.gov.uk/news/apt28-exploit-routers-to-enable-dns-hijacking-operations
BleepingComputer | CISA gives feds four days to patch Ivanti flaw exploited as zero-day | https://www.bleepingcomputer.com/news/security/cisa-gives-feds-four-days-to-patch-ivanti-flaw-exploited-as-zero-day/
Huntress | Threat Actors Weaponize Tiflux RMMs in Malspam Attacks | https://www.huntress.com/blog/tiflux-rmm-install
BleepingComputer | Trellix source code breach claimed by RansomHouse hackers | https://www.bleepingcomputer.com/news/security/trellix-source-code-breach-claimed-by-ransomhouse-hackers/
The Register | Dirty Frag Linux flaw one-ups CopyFail with no patches and public root exploit | https://www.theregister.com/security/2026/05/08/dirty-frag-linux-flaw-one-ups-copyfail-with-no-patches-and-public-root-exploit/5237230

Filed under

  • nation-state-attacks
  • remote-access
  • credential-theft
  • smb-security
  • vendor-risk
  • incident-response
  • uk-business