Back to Intelligence

FULCRUMSEC Campaign Alert: High-Volume Attacks on US Tech & Healthcare Leveraging Edge Vulnerabilities

SA
Security Arsenal Team
May 3, 2026
6 min read

Aliases: Fulcrum Security, Team Fulcrum Operational Model: Ransomware-as-a-Service (RaaS) with a distinct focus on "Big Game Hunting" and mid-market critical infrastructure. Typical Ransom Demands: $500,000 – $5,000,000 USD (negotiated aggressively). Initial Access Vectors: FULCRUMSEC primarily exploits exposed edge infrastructure rather than relying on phishing. Their recent activity strongly correlates with the exploitation of unpatched email gateways (Microsoft Exchange, SmarterTools) and firewall management interfaces (Cisco Secure Firewall). Double Extortion: Strict adherence to double extortion. Data is exfiltrated to dedicated cloud storage prior to encryption, with threats to release sensitive PII/PHI if payment is not received. Dwell Time: 3–7 days. The group moves rapidly from initial access to lateral movement, often minimizing detection by leveraging living-off-the-land (LotL) binaries.

Current Campaign Analysis

Sector Targeting: The current campaign shows a massive bias towards the Technology and Healthcare sectors, followed closely by Business Services.

  • Tech: Avnet, Hatica, ReFocus AI, Nordstern Technologies.
  • Healthcare: Lena Health, Woundtech.
  • Business Services: LexisNexis, Interzero, Saleskido.

Geographic Concentration: While FULCRUMSEC lists global victims (DE, IN, NL, MX), this specific posting wave is heavily US-centric (11/15 recent victims), indicating a focused operational effort against US entities.

Victim Profile: The group is targeting a mix of high-revenue enterprises (e.g., LexisNexis, Avnet) and high-growth tech startups. This suggests they are opportunistic regarding specific revenue thresholds but prioritize organizations with sensitive intellectual property or customer data.

Frequency & Escalation: A mass posting event occurred on 2026-05-01, where 15 victims were published simultaneously. This bulk release suggests either a backlog clearance or a successful automated exploit kit deployment against a specific vulnerability (likely the recently added CISA KEVs).

CVE Correlation: The recent victimology aligns perfectly with the active exploitation of specific CISA Known Exploited Vulnerabilities (KEVs):

  • CVE-2023-21529 (Microsoft Exchange): Victims like Avnet and LexisNexis likely run complex Exchange environments vulnerable to deserialization attacks.
  • CVE-2026-20131 (Cisco Secure Firewall): Bypassing firewall management controls allows the group persistent access to network perimeters.
  • CVE-2025-52691 / CVE-2026-23760 (SmarterMail): These email-specific flaws are likely the entry point for the Healthcare and Business Service victims running third-party mail solutions.

Detection Engineering

SIGMA Rules

YAML
---
title: Potential Exchange Server Deserialization Exploit (CVE-2023-21529)
id: 2a3b4c5d-6e7f-8a9b-0c1d-2e3f4a5b6c7d
description: Detects suspicious PowerShell commands or deserialization patterns often associated with Microsoft Exchange exploitation.
status: experimental
date: 2026/05/03
author: Security Arsenal Research
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4688
        NewProcessName|endswith: \\powershell.exe
        CommandLine|contains:
            - 'Serialization'
            - 'System.Management.Automation'
            - 'System.Web.Configuration'
    condition: selection
falsepositives:
    - Legitimate Exchange administration scripts
level: high
---
title: SmarterMail Unrestricted File Upload Exploit (CVE-2025-52691)
id: b1c2d3e4-f5a6-7b8c-9d0e-1f2a3b4c5d6e
description: Detects suspicious file uploads or web access patterns indicative of SmarterMail exploitation attempts.
status: experimental
date: 2026/05/03
author: Security Arsenal Research
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    product: webserver
detection:
    selection:
        cs_uri_stem|contains: '/Services/'
        cs_uri_query|contains:
            - 'upload'
            - 'file'
        cs_method: POST
    filter_legit:
        cs_user_agent|contains: 'SmarterMail'
    condition: selection and not filter_legit
falsepositives:
    - Legitimate administrative file management
level: critical
---
title: Suspicious PsExec or WMI Lateral Movement
id: c3d4e5f6-a7b8-9c0d-1e2f-3a4b5c6d7e8f
description: Detects the use of PsExec or WMI for lateral movement, common in FULCRUMSEC operations.
status: experimental
date: 2026/05/03
author: Security Arsenal Research
logsource:
    product: windows
    service: security
detection:
    selection_psexec:
        EventID: 4688
        NewProcessName|contains: \\PAExec.exe
        CommandLine|contains: '\\'
    selection_wmi:
        EventID: 4688
        NewProcessName|endswith: \\wmiprvse.exe
        ParentProcessName|endswith: \\svchost.exe
    condition: 1 of selection_*
falsepositives:
    - Administrative IT management tools
level: high

KQL Hunt Query (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for SmarterMail exploitation indicators in IIS/W3C logs
// Look for successful POST requests to upload endpoints with high byte counts
W3CIISLog
| where csMethod == "POST"
| where csUriStem has "Services" and (csUriStem has "Mail" or csUriStem has "Calendar")
| where scStatus == 200
| extend FileExtension = extract(@'(\.\w{2,4})$', 1, csUriStem)
| where FileExtension in~ ("aspx", "ashx", "asmx")
| project TimeGenerated, sIP, cIP, csUriStem, csUriQuery, scBytes, csUserAgent
| order by TimeGenerated desc

PowerShell Response Script

PowerShell
<#
.SYNOPSIS
    Rapid Response: Checks for persistence mechanisms and unusual Scheduled Tasks associated with FULCRUMSEC activity.
.DESCRIPTION
    This script enumerates Scheduled Tasks created in the last 7 days and checks for unusual Shadow Copy deletion activity.
#>

$DateCutoff = (Get-Date).AddDays(-7)
Write-Host "[+] Hunting for Scheduled Tasks created/modified in the last 7 days..." -ForegroundColor Yellow

$suspiciousTasks = Get-ScheduledTask | Where-Object { 
    $_.Date -ge $DateCutoff -or 
    $_.LastRunTime -ge $DateCutoff 
}

if ($suspiciousTasks) {
    foreach ($task in $suspiciousTasks) {
        $action = $task.Actions.Execute
        $author = $task.Author
        Write-Host "[!] Suspicious Task Found: $($task.TaskName)" -ForegroundColor Red
        Write-Host "    Author: $author" -ForegroundColor Gray
        Write-Host "    Action: $action" -ForegroundColor Gray
    }
} else {
    Write-Host "[-] No recently modified tasks found." -ForegroundColor Green
}

Write-Host "[+] Checking for VSS Shadow Copy deletions (System Event Log ID 7036) in last 24h..." -ForegroundColor Yellow
$vssEvents = Get-WinEvent -FilterHashtable @{LogName='System'; Id=7036; StartTime=(Get-Date).AddHours(-24)} -ErrorAction SilentlyContinue
if ($vssEvents) {
    Write-Host "[!] VSS Service stopped/started frequently. Check for Shadow Copy deletion." -ForegroundColor Red
}


# Incident Response Priorities

**T-Minus Detection Checklist (Pre-Encryption):**
- [ ] **Audit Exchange Logs:** Immediate review of IIS and Exchange Management logs for `CVE-2023-21529` exploitation patterns (deserialization errors, unusual `PowerShell.exe` calls from `w3wp.exe`).
- [ ] **Review Firewall Management:** Check Cisco Secure Firewall logs for unauthorized configuration changes or authentication anomalies related to `CVE-2026-20131`.
- [ ] **SmarterMail Audit:** If running SmarterTools, identify any unauthorized webshell file creation (`aspx`, `ashx`) in the web root.

**Critical Assets for Exfiltration:**
FULCRUMSEC historically prioritizes:
1.  **Customer Databases** (SQL dumps, CRM exports).
2.  **Intellectual Property** (Source code repositories, design docs).
3.  **Employee PII/HR Records** (Payroll, Tax forms).

**Containment Actions (Urgency Order):**
1.  **Isolate:** Disconnect identified compromised mail gateways and firewall management interfaces from the network immediately.
2.  **Suspend:** Suspend service accounts with administrative privileges used by Exchange/IT teams until credential compromise is ruled out.
3.  **Block:** Block outbound traffic to known FULCRUMSEC C2 infrastructure (check IOCs for recent Tor nodes and cloud storage endpoints).

# Hardening Recommendations

**Immediate (24h):**
- **Patch:** Apply patches for `CVE-2023-21529`, `CVE-2026-20131`, `CVE-2025-52691`, and `CVE-2026-23760` immediately. These are confirmed active exploits.
- **Restrict Access:** Disable external internet access to management interfaces for Cisco FMC and SmarterMail administration panels. Enforce VPN + MFA for any necessary access.
- **Disable Serialization:** If patching Exchange is not possible immediately, implement URL request filtering rules on the IIS frontend to block known deserialization attack patterns.

**Short-term (2 weeks):**
- **Network Segmentation:** Ensure management planes for firewalls and email servers are on a strictly isolated management VLAN.
- **Web Application Firewall:** Deploy or tune WAF rules to specifically target SmarterMail and Exchange OWASP Top 10 + deserialization vectors.
- **EDR Tuning:** Enhance detection for `PsExec` and `WMI` lateral movement within the server VLANs.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangfulcrumsecransomwarecisa-kevexchange-serverhealthcaretech-sector

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action