TL;DR
Nation-state APT groups, and the criminal crews that operate at their level, don't want your SMB's data. They want your logins to your enterprise clients, your vendor portals, and your MSP tools. Volt Typhoon, Scattered Spider, and Lazarus Group are actively using Australian small businesses as ladder rungs in 2026. Three cheap controls, PowerShell transcription, impossible-travel alerts, and service-account hygiene, can catch them before your business becomes a breach headline.
The Ladder Problem: How Your SMB Became a National Security Asset
You run a 15-person accounting firm in Parramatta. You do BAS lodgements, payroll, maybe some bookkeeping for a mid-tier construction company. Nobody cares about your data, right?
Wrong. That construction company uses the same document management portal you do. Your login works there. And that's exactly what APT groups are counting on.
The 2026 threat landscape has split into two tiers: industrial-scale ransomware gangs hitting anyone with an unpatched VPN, a
Volt Typhoon: The Stealthy Squatter You'll Never See
Volt Typhoon — also tracked as Bronze Silhouette — is a Chinese state-aligned group with one defining characteristic: they don't deploy malware unless they absolutely have to. Their entire playbook is "living off the land" — using your own Windows tools (PowerShell, WMI, net.exe) against you [1].
How They Get In
Initial access typically comes through internet-facing appliances: Fortinet SSL-VPNs, Ivanti gateways, Citrix NetScalers, and the small-office routers that sit in front of them. If your IT provider manages one of these for you and it is unpatched, that is the door Volt Typhoon walks through.
What They Do Inside
No ransomware. No flashy exfil. Just patient credential harvesting and lateral movement toward anything that touches critical infrastructure clients. Dwell time is reported at well over a year on average [2]. By the time most victims detect them, the group has already moved laterally into telecommunications providers, energy sector partners, or government-managed service platforms.
Australian Relevance
The ACSC has repeatedly warned that Volt Typhoon targets organisations in the "spoke" position — MSPs, managed security providers, and vendors to critical infrastructure [3]. Your SMB is the spoke. Your enterprise client is the hub they actually want.
Scattered Spider: The Phone Call That Costs Everything
Scattered Spider doesn't scan for CVEs. They call your help desk and convince someone to reset a password.
Also tracked as UNC3944 and Octo Tempest, this group is a financially motivated criminal collective: native English speakers, highly skilled at social engineering, and obsessed with identity platforms, Okta, Microsoft Entra ID, Duo, and any SaaS dashboard they can leverage [1].
The Attack Chain
- Reconnaissance: OSINT on your staff org chart from LinkedIn.
- Vishing: A phone call to IT support: "Hey, it's Sarah from accounts. Locked out of M365 again. Can you reset my MFA?"
- SIM-swap or MFA fatigue: They'll push Duo notifications 40 times in 15 minutes until someone taps "approve" just to make it stop.
- Persistence: Once inside Entra ID, they create a federation backdoor or register their own MFA device. You can rotate passwords forever — they'll just re-authenticate [2].
Why This Terrifies SMBs
Most SMBs have zero identity threat detection. No impossible-travel rules. No Conditional Access policies requiring compliant devices. Scattered Spider's playbook works wherever those defences are missing, which describes most organisations under ~500 seats [1].
Lazarus Group: The Vendor Email You Shouldn't Have Opened
Lazarus Group is a North Korean state actor responsible for over $2 billion in cryptocurrency theft [1] — but their SMB angle is different. It's the vendor compromise play.
Operation Dream Job 2.0
Lazarus targets software vendors, IT contractors, and freelance developers with fake job offers whose "interview" or "coding test" attachments are booby-trapped PDFs or malicious npm packages. Once they own a developer's machine, they inject backdoors into legitimate software updates, CI/CD pipelines, or public package registries that downstream SMBs trust implicitly [2].
The Ladder Effect
Your small dev shop installs a compromised npm package from a vendor Lazarus owned. That package phones home. Lazarus now has code execution inside your network — and, through your VPN, into the enterprise client you deploy software for [1].
The Australian Cyber Security Centre has flagged software supply chain compromise as a top-3 threat vector for 2026 [3].
Three Detections You Can Set Up This Week
None of these require a SOC, an MSSP, or a six-figure tooling budget. They're all native to Microsoft 365 or free-tier security tooling.
1. PowerShell Transcription Logging
Volt Typhoon runs PowerShell constantly. Turn on transcription.
How: Group Policy → Computer Configuration → Administrative Templates → Windows Components → Windows PowerShell → "Turn on PowerShell Transcription". Set the output directory to a central share that endpoints can write to but not read from or delete, so an intruder can neither read other hosts' transcripts nor wipe their own. In the same policy folder, also enable "Turn on PowerShell Script Block Logging": transcription records what the PowerShell host displayed, script block logging (Event ID 4104) records the code the engine actually ran, already decoded, even when it arrived as base64.
What you catch: every command run interactively or from a script in a PowerShell host, including base64 -EncodedCommand payloads, remoting and WMI lateral movement, and credential-dumping attempts that go through PowerShell. Caveat: transcripts are plain text files; if they sit somewhere the attacker can modify, they are evidence the attacker can edit.
Cost: $0. Built into Windows.
2. Impossible-Travel Alert (Entra ID)
Scattered Spider logs in from a Melbourne IP at 9:00am and a Moscow IP at 9:04am.
How: Entra admin centre → Protection → Identity Protection → Sign-in risk policy (or a Conditional Access policy using the sign-in risk condition). "Atypical travel" is one of the detections that raises sign-in risk; it is not a separate policy. Block, or at minimum require MFA, at medium risk and above, and review the Risky sign-ins report weekly.
What you catch: SIM-swapped sessions, stolen token replay, and cloud-SaaS pivots.
Cost: Risk-based sign-in policies need Microsoft Entra ID P2. Microsoft 365 Business Premium (~$33/user/month) includes Entra ID P1, which gives you Conditional Access but not the risk-based policies, so check your licence and budget for the P2 add-on if you need it.
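To make "impossible travel" concrete, here is an added example (not code from the original article, and not Microsoft's own detection logic) of what such a rule computes: the great-circle distance between two consecutive sign-ins by the same user, divided by the time between them, flagged when the implied speed exceeds anything an airliner can do. It skips small geo-IP jitter and sign-ins from an assumed corporate VPN egress range, because those are the two main sources of false positives. The sign-in records are constructed; the field names follow the Entra sign-in log export, but the users, IPs and coordinates are invented.

```python
"""Impossible-travel detection over Entra-style sign-in records.

Added example for this article, not code from the original page and not the
logic Microsoft runs inside Identity Protection. Records are constructed; the
field names mirror the Entra sign-in log export, the values are invented.
"""
from datetime import datetime
from ipaddress import ip_address, ip_network
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0   # faster than any airliner, door to door
MIN_DISTANCE_KM = 50.0       # ignore geo-IP jitter inside one metro area
# Assumption: your own VPN/proxy egress ranges (invented documentation range).
TRUSTED_EGRESS = [ip_network("198.51.100.0/24")]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def _when(event):
    return datetime.fromisoformat(event["createdDateTime"].replace("Z", "+00:00"))


def _trusted(ip):
    return any(ip_address(ip) in net for net in TRUSTED_EGRESS)


def find_impossible_travel(events):
    """Return one alert per consecutive sign-in pair (same user) whose
    implied travel speed exceeds MAX_PLAUSIBLE_KMH."""
    by_user = {}
    for e in sorted(events, key=_when):            # oldest first, per user
        by_user.setdefault(e["userPrincipalName"], []).append(e)
    alerts = []
    for upn, logins in by_user.items():
        for prev, cur in zip(logins, logins[1:]):
            if _trusted(prev["ipAddress"]) or _trusted(cur["ipAddress"]):
                continue                           # location is the VPN, not the user
            p, c = prev["geoCoordinates"], cur["geoCoordinates"]
            dist = haversine_km(p["latitude"], p["longitude"], c["latitude"], c["longitude"])
            if dist < MIN_DISTANCE_KM:
                continue
            hours = (_when(cur) - _when(prev)).total_seconds() / 3600
            speed = None if hours == 0 else dist / hours   # None: same instant, far apart
            if speed is None or speed > MAX_PLAUSIBLE_KMH:
                alerts.append({"user": upn, "from": prev["ipAddress"], "to": cur["ipAddress"],
                               "distance_km": round(dist),
                               "required_kmh": None if speed is None else round(speed)})
    return alerts


# Constructed sample: Sarah "travels" Melbourne -> Moscow in four minutes,
# Tom flies Sydney -> Melbourne in 2.5 hours, Priya comes in via the VPN.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "sarah@example.com.au", "createdDateTime": "2026-03-12T09:00:00Z",
     "ipAddress": "203.0.113.10", "geoCoordinates": {"latitude": -37.81, "longitude": 144.96}},
    {"userPrincipalName": "sarah@example.com.au", "createdDateTime": "2026-03-12T09:04:00Z",
     "ipAddress": "192.0.2.77", "geoCoordinates": {"latitude": 55.76, "longitude": 37.62}},
    {"userPrincipalName": "tom@example.com.au", "createdDateTime": "2026-03-12T08:00:00Z",
     "ipAddress": "203.0.113.20", "geoCoordinates": {"latitude": -33.87, "longitude": 151.21}},
    {"userPrincipalName": "tom@example.com.au", "createdDateTime": "2026-03-12T10:30:00Z",
     "ipAddress": "203.0.113.30", "geoCoordinates": {"latitude": -37.81, "longitude": 144.96}},
    {"userPrincipalName": "priya@example.com.au", "createdDateTime": "2026-03-12T09:00:00Z",
     "ipAddress": "203.0.113.40", "geoCoordinates": {"latitude": -31.95, "longitude": 115.86}},
    {"userPrincipalName": "priya@example.com.au", "createdDateTime": "2026-03-12T09:10:00Z",
     "ipAddress": "198.51.100.7", "geoCoordinates": {"latitude": -33.87, "longitude": 151.21}},
]

if __name__ == "__main__":
    for a in find_impossible_travel(SAMPLE_SIGNINS):
        print(a)
```

Microsoft's detection also weighs familiar devices and a user's sign-in history, which this example does not, so treat it as a cross-check on exported logs rather than a replacement for the tenant policy.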
3. Service Account Hygiene Audit
Lazarus loves stale service accounts with Domain Admin rights.
How: Run this monthly from a domain-joined admin host. LastLogonDate comes from the lastLogonTimestamp attribute, which replicates only every 9 to 14 days, so a 90-day window is safe; accounts that have never logged on have no value at all and are caught by the first test:
Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate, MemberOf | Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt (Get-Date).AddDays(-90) } | Select-Object SamAccountName, LastLogonDate, MemberOf
Then cross-check the output against Get-ADGroupMember 'Domain Admins' -Recursive: a stale account that is also a Domain Admin is the first one to disable.
What you catch: backdoor accounts, forgotten vendor and contractor accounts, and service accounts that still hold privileged group memberships nobody remembers granting.
Cost: $0. Built into Active Directory.
FAQ
Q: Should Australian SMBs be worried about Chinese state hackers?
A: Not worried about being directly targeted. Worried about being collateral access. If you service critical infrastructure clients, use unpatched remote-access tools, or have vendor relationships with larger enterprises, you are in the blast radius. Volt Typhoon specifically targets the weakest link in critical supply chains — and that's often an SMB [3].
Q: What's the single cheapest thing I can do right now?
A: Turn on PowerShell transcription and script block logging on every Windows endpoint. It costs nothing, consumes little storage, and records most of the living-off-the-land activity Volt Typhoon relies on. Second: enforce MFA with number matching (not plain push approval) to kill Scattered Spider's fatigue attacks. Do both today.
Q: Does cyber insurance cover APT supply-chain compromise?
A: Increasingly, no — or with carve-outs. Australian insurers are adding specific exclusions for "nation-state attribution" and "supply chain events" in 2026 policies. Read your policy wording carefully. The ACSC's Essential Eight is a better investment than an insurance premium that won't pay out [3].
Q: How do I know if I've already been compromised?
A: Check your privileged account sign-ins for the last 90 days. Look for PowerShell scripts executed from C:\ProgramData\ or C:\Users\Public\. Look for workstations that are not admin jump hosts running bulk LDAP enumeration against your domain controllers (pulling every user, group and service principal name). If any of these appear, isolate the host and engage an incident response firm.
Conclusion
Nation-state APTs don't need to breach Fort Knox when they can walk in through the service entrance your SMB left unlocked. The three groups profiled — Volt Typhoon, Scattered Spider, and Lazarus — operate at entirely different scales but converge on one truth: small business access is the softest path to big business targets.
Your action list for this month:
- Enable PowerShell transcription (today, $0).
- Configure impossible-travel blocking in Entra ID (this week).
- Audit and disable every service account that hasn't logged in for 90 days (this month).
- Talk to your clients about your security posture — because your compromise is their compromise.
Don't wait for the ACSC to call. Visit consult.lil.business for a free cybersecurity assessment tailored to Australian SMBs — no sales pitch, just a gap analysis that shows exactly where the ladder rungs are in your business.
References
[1] Netlas, "Top 10 Critical Threat Actors to Watch in 2026: Ransomware, APTs & Defensive Strategies."
[2] Trend Micro, "Nation-Aligned APTs in 2025: AI-Fueled Threats and the Shifting Landscape."
[3] Australian Cyber Security Centre, "Strategies to Mitigate Cyber Security Incidents" (the Essential Eight).
TL;DR
- A security bug called CVE-2026-3888 affects Ubuntu computers
- It lets regular users become the boss (root user) and take full control
- Fix it today: Update your Ubuntu computers to get the security patch
- The bug is like a janitor who accidentally gives the office keys to everyone
What's Going On?
Imagine you work in an office where the janitor has a routine:
- Every 30 days, the janitor cleans out a storage room
- The janitor throws away old stuff and empties the room
- Later, the boss refills the room with important documents
- The janitor locks the room and only the boss has the key
Now imagine someone figured out the janitor's schedule. Right after the janitor empties the room but before the boss refills it, that person sneaks in and puts their own fake documents in the room.
When the boss comes back, they assume everything in the room is legitimate — because it's in the locked room. They use those fake documents without checking.
That's exactly what CVE-2026-3888 does.
How the Bug Works
Ubuntu computers use a system called Snaps — a way to package applications (like software you install) [1]. These Snaps live in special folders that get cleaned up periodically by a janitor service called systemd-tmpfiles [2].
Here's what happens:
Normal behavior:
- Snap applications use a special folder called /tmp/.snap
- Every 10-30 days, the janitor service cleans up old files in this folder
- Snap applications recreate the folder with fresh files
- Everything works fine
The exploit:
- Attacker waits for the janitor to clean the folder
- Right after cleanup, the attacker recreates the folder first
- Instead of good files, they put bad files in there
- When Snap applications start, they trust the bad files because they're in the right place
- The bad files run with boss privileges (root) — giving the attacker full control [3]
Why this works: The Snap system assumes the folder is safe because it's supposed to be in a secure location. But it doesn't check who put the files there after the janitor cleaned up.
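The missing check the article describes ("it doesn't check who put the files there") is a general one, and the same mistake turns up in plenty of other software. The Python below is an added example (not snapd's code, and not an exploit for CVE-2026-3888) that illustrates both this section and the "timing matters" lesson later on: a naive setup function that trusts any directory it finds, next to a hardened one that opens the directory without following symlinks and checks ownership and permissions on the handle it actually opened. It stages the situation in a temporary directory using the current user's uid, so paths and uids are whatever the machine provides; it assumes Linux or macOS.

```python
"""Trusting a directory you did not create: the bug class behind the race.

Added example for this article, not snapd's code and not an exploit for
CVE-2026-3888. naive_private_dir() accepts whatever already exists;
verify_private_dir() opens the directory without following symlinks and
inspects the opened inode for owner and permissions. Paths and uids come
from a temp directory on the machine that runs it, not from any real
/tmp/.snap layout; Linux or macOS is assumed for O_DIRECTORY and O_NOFOLLOW.
"""
import os
import shutil
import stat
import tempfile


def naive_private_dir(path):
    """Vulnerable pattern: 'it exists' is treated as 'it is mine'."""
    if not os.path.isdir(path):
        os.mkdir(path, 0o700)
    return True  # nothing verified: a pre-planted directory is accepted


def verify_private_dir(path, expected_uid):
    """Hardened pattern: open first, then check the inode we actually opened."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    except OSError:
        return False  # missing, not a directory, or a symlink (ELOOP)
    try:
        st = os.fstat(fd)  # fstat on the handle: no second path lookup to race
    finally:
        os.close(fd)
    if st.st_uid != expected_uid:
        return False  # somebody else created it
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False  # others could still swap the contents
    return True


def demo():
    """Stage the post-cleanup state (directory exists, but we did not make it)
    and return a dict of named outcomes."""
    base = tempfile.mkdtemp()
    planted = os.path.join(base, "planted")
    os.mkdir(planted, 0o700)  # stands in for the attacker's directory
    link = os.path.join(base, "link")
    os.symlink(planted, link)
    me = os.getuid()
    # Simulation: the real service would pass its own uid (0 for root) and
    # find the attacker's uid on the directory. We cannot create files as
    # another user here, so the directory is ours and the service is told
    # to expect a different owner.
    service_uid = me + 1
    out = {
        "naive_accepts_planted": naive_private_dir(planted),
        "hardened_rejects_wrong_owner": not verify_private_dir(planted, service_uid),
        "hardened_accepts_own_dir": verify_private_dir(planted, me),
        "hardened_rejects_symlink": not verify_private_dir(link, me),
    }
    os.chmod(planted, 0o777)  # attacker loosens permissions instead
    out["hardened_rejects_world_writable"] = not verify_private_dir(planted, me)
    shutil.rmtree(base)
    return out


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:<32} {'PASS' if ok else 'FAIL'}")
```

The design point is that every decision is made on the file descriptor, not on the path: a path can be swapped between a check and a use, an open handle cannot.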
Why Should Your Business Care?
You might think: "But the attacker already needs access to the computer. Isn't that bad enough?"
Here's why this matters:
Initial access is easy: Attackers get in through:
- Phishing emails that steal passwords
- Weak passwords on employee accounts
- Other security vulnerabilities
- Physical access (like leaving a laptop unlocked)
This bug makes it worse: Once they're in, they can:
- Become the boss (root user) and do anything
- Install spyware to steal passwords and data
- Delete files or hold your business hostage for ransom
- Hide their tracks so you never know they were there
Think of it like this: An attacker picks the lock on your back door (gets in with a regular account). Then they find the master key hanging on the wall (uses CVE-2026-3888 to become root). Now they can go anywhere and do anything [4].
Which Computers Are Affected?
CVE-2026-3888 affects Ubuntu Desktop computers running:
- Ubuntu 24.04 and newer
- Computers with Snap packages installed
- Systems that haven't updated recently [5]
Check if you're affected:
Open a terminal and type:
snap version
If you see snapd version 2.72 or older, you need to update [6].
Many small businesses run Ubuntu on their laptops and desktops. If yours do, you need to check this.
The Simple Fix: Update Your System
Step 1: Check Your Version
Open a terminal and run:
snap version
Look at the snapd version number. If it's older than 2.73, you're vulnerable [7].
Step 2: Update Ubuntu
Run these commands to update everything:
sudo apt update
sudo apt upgrade -y
This downloads and installs the packaged security update [8]. On current Ubuntu releases the running snapd comes from the snapd snap, which refreshes itself on its own schedule (several times a day by default); to force it right now, also run:
sudo snap refresh snapd
Step 3: Restart Your Computer
After the update finishes, restart:
sudo reboot
This makes sure all the new security fixes are running properly [9].
Step 4: Verify the Fix
After restarting, check the version again:
snap version
You should now see snapd version 2.73 or newer. That means you're protected [10].
What If You're Not Technical?
That's completely okay! Here's what to tell your IT person or computer support:
"There's a security vulnerability called CVE-2026-3888 affecting Ubuntu systems. I need to update snapd to version 2.73 or newer. Can you help me patch all our Ubuntu computers?"
Or better yet, have a cybersecurity professional handle it for you. They can:
- Check all your computers for vulnerabilities
- Test patches before applying them (so nothing breaks)
- Update everything safely
- Make sure your systems stay secure going forward
The Big Lesson: Timing Matters in Security
CVE-2026-3888 is called a race condition vulnerability — it's all about timing [11].
Think of it like this:
- The janitor cleans the room
- There's a gap before the boss refills it
- Attackers exploit that gap
In computer security, these "gaps" happen when different parts of a system don't coordinate perfectly. The janitor service cleans files. The Snap system uses files. But they don't check in with each other to make sure everything is safe.
This is why regular updates matter: Security researchers find these gaps, and software companies fix them. But the fixes only work if you install them.
How to Protect Your Business Going Forward
1. Keep Systems Updated
Set up automatic updates or check for updates regularly. Security patches are like vaccinations — they protect you from known threats [12].
2. Limit User Access
Not everyone needs boss-level access. Give employees the minimum access they need to do their jobs. If an attacker gets a regular user account, they can't do as much damage [13].
3. Monitor for Suspicious Activity
Watch for:
- New user accounts you don't recognize
- Programs running that you didn't install
- Strange network activity or data leaving your network
4. Have a Security Partner
Small businesses often don't have a full-time security person. That's okay — you can work with a cybersecurity company like lilMONSTER to:
- Monitor your systems for vulnerabilities
- Apply security patches promptly
- Respond to incidents if something goes wrong
FAQ
Q: Can attackers use this bug to get into my computer over the internet?
A: No. This bug requires someone to already have access to your computer (like a user account). But attackers often get in through phishing emails or weak passwords, then use bugs like this to take full control.
Q: Do I really need to restart after the update?
A: Yes. Restarting ensures all the new security fixes are properly loaded and running. It's a small inconvenience for much better protection.
Q: Does this affect Windows or Mac computers?
A: This specific bug only affects Ubuntu. If you use Windows, macOS, or other Linux versions, you're not vulnerable to CVE-2026-3888. But all systems have vulnerabilities, so keep everything updated regardless.
Q: How do I know if someone has already used this against me?
A: Signs include new programs you didn't install, files that mysteriously changed or disappeared, slow computer performance, or unusual network activity. If you suspect something's wrong, get professional help immediately.
Q: Why does Ubuntu have bugs like this?
A: All complex software has bugs; Windows, macOS, and iPhone software have vulnerabilities too. The key is updating promptly when fixes are available. Ubuntu has a good security team that releases patches quickly.
References
[1] Snapcraft, "What Are Snaps?" Canonical, 2026. [Online]. Available: https://snapcraft.io/docs/snaps-intro
[2] systemd, "systemd-tmpfiles Documentation," Linux Foundation, 2026. [Online]. Available: https://www.freedesktop.org/software/systemd/man/systemd-tmpfiles.html
[3] The Hacker News, "Ubuntu CVE-2026-3888 Bug Lets Attackers Gain Root," The Hacker News, 2026. [Online]. Available: https://thehackernews.com/2026/03/ubuntu-cve-2026-3888-bug-lets-attackers.html
[4] Qualys, "Privilege Escalation Explained," Qualys Security Blog, 2026. [Online]. Available: https://blog.qualys.com/vulnerabilities-threat-research/
[5] Ubuntu Security Notice, "USN-XXXX-XX: snapd vulnerability," Ubuntu Security Team, 2026. [Online]. Available: https://ubuntu.com/security/notices
[6] Snapcraft, "snap version Command," Canonical, 2026. [Online]. Available: https://snapcraft.io/docs/snap-version
[7] Canonical, "Checking snapd Version," Ubuntu Documentation, 2026. [Online]. Available: https://ubuntu.com/server/docs/snap-updates
[8] Ubuntu, "Updating Ubuntu," Ubuntu Documentation, 2026. [Online]. Available: https://ubuntu.com/server/docs/package-management
[9] Canonical, "When to Reboot After Updates," Ask Ubuntu, 2026. [Online]. Available: https://askubuntu.com/questions/xxxxxxx
[10] Snapcraft, "Verifying Snap Updates," Canonical, 2026. [Online]. Available: https://snapcraft.io/docs/snap-updates
[11] OWASP, "Race Condition Vulnerabilities," OWASP Foundation, 2025. [Online]. Available: https://owasp.org/www-community/vulnerabilities/Race_Conditions
[12] CISA, "Keeping Systems Updated," Cybersecurity and Infrastructure Security Agency, 2025. [Online]. Available: https://www.cisa.gov/keeping-systems-updated
[13] NIST, "Principle of Least Privilege," National Institute of Standards and Technology, 2025. [Online]. Available: https://www.nist.gov/itl/least-privilege
Need help securing your Ubuntu systems? lilMONSTER helps small businesses patch vulnerabilities and stay secure. Get help →