It has been a busy 24 hours in the cyber world, with some significant breaches, new malware insights, a critical Patch Tuesday, and important discussions around AI and government security. Let's dive in:
Healthcare Data Breach and Payroll Scams 🚨
- ApolloMD, a Georgia-based healthcare company, reported a data breach impacting over 626,000 individuals, with sensitive health information compromised by the Qilin ransomware gang.
- Law enforcement in the Netherlands arrested a third suspect involved in the JokerOTP phishing-as-a-service operation, which caused over $10 million in losses by intercepting MFA passcodes across 28,000 attacks.
- "Payroll pirates" are socially engineering help desks into resetting employee credentials and MFA, then using internal VDI to reach payroll systems such as Workday and redirect paychecks, a reminder that identity is the new perimeter and that help-desk reset procedures need the same scrutiny as any other authentication path.
🗞️ The Record | https://therecord.media/georgia-healthcare-company-data-breach-impacts-620000
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/police-arrest-seller-of-jokerotp-mfa-passcode-capturing-tool/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/11/payroll_pirates_business_social_engineering/
North Korean Deepfakes, LummaStealer Resurgence, and IRC Botnets 🛡️
- North Korea's UNC1069 group is targeting the cryptocurrency sector with sophisticated social engineering, using AI-generated deepfake videos in fake Zoom meetings and the ClickFix technique to deploy seven new macOS malware families (WAVESHAPER, HYPERCALL, HIDDENCALL, SILENCELIFT, DEEPBREATH, SUGARLOADER, CHROMEPUSH) capable of extensive data exfiltration and bypassing macOS TCC privacy controls.
- LummaStealer (LummaC2) infostealer infections are surging again, now primarily delivered via the heavily obfuscated CastleLoader malware, which uses ClickFix techniques and performs environment checks to evade analysis before deploying its payload.
- The "Crazy" ransomware gang is leveraging legitimate employee monitoring software (Net Monitor for Employees Professional) and remote support tools (SimpleHelp) for persistence, detection evasion, and pre-ransomware reconnaissance, including monitoring for cryptocurrency wallet activity, often gaining initial access through compromised SSL VPN credentials.
- A new Linux botnet, SSHStalker, is using the antiquated IRC protocol for command-and-control, relying on noisy SSH scanning, cron-based persistence, and a large arsenal of 15-year-old Linux kernel exploits (2.6.x era) to compromise systems, with observed capabilities for AWS key harvesting, cryptomining, and DDoS.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/north-korean-hackers-use-new-macos-malware-in-crypto-theft-attacks/
📰 The Hacker News | https://thehackernews.com/2026/02/north-korea-linked-unc1069-uses-ai.html
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/lummastealer-infections-surge-after-castleloader-malware-campaigns/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/crazy-ransomware-gang-abuses-employee-monitoring-tool-in-attacks/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/new-linux-botnet-sshstalker-uses-old-school-irc-for-c2-comms/
📰 The Hacker News | https://thehackernews.com/2026/02/sshstalker-botnet-uses-irc-c2-to.html
Microsoft's Patch Tuesday: Six Actively Exploited Zero-Days ⚠️
- Microsoft's February Patch Tuesday addressed 59 vulnerabilities, including six actively exploited zero-days, prompting CISA to add them to its Known Exploited Vulnerabilities (KEV) catalog for urgent patching by federal agencies.
- Three of the actively exploited flaws are security feature bypasses (CVE-2026-21510 in Windows Shell, CVE-2026-21513 in MSHTML, CVE-2026-21514 in Word) that sidestep SmartScreen and OLE security controls and can lead to remote code execution (RCE) when a user is tricked into opening a malicious file or link.
- The remaining actively exploited bugs include two elevation-of-privilege vulnerabilities (CVE-2026-21519 in Desktop Window Manager, CVE-2026-21533 in Windows Remote Desktop Services) and one denial-of-service flaw (CVE-2026-21525 in Windows Remote Access Connection Manager).
- A new RCE vulnerability, CVE-2026-20841, has been found in Notepad's recently added Markdown feature, allowing attackers to launch "unverified protocols" and execute files if a user clicks a malicious embedded link, though no in-the-wild exploitation has been observed yet.
💡 Dark Reading | https://www.darkreading.com/vulnerabilities-threats/microsoft-fixes-6-actively-exploited-zero-days
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/10/microsofts_valentines_gift_to_admins/
📰 The Hacker News | https://thehackernews.com/2026/02/microsoft-patches-59-vulnerabilities.html
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/11/notepad_rce_flaw/
Telnet's Lingering Legacy and Potential Pre-Disclosure Warnings 🌐
- Threat intelligence suggests that major telcos likely received advance warning about the critical Telnet vulnerability (CVE-2026-24061) before its public disclosure, as global Telnet traffic "fell off a cliff" days prior, indicating potential pre-advisory port 23 filtering by Tier 1 transit providers.
- Despite a global decline in Telnet traffic, the Asia-Pacific region continues to show high exposure, with many consumer-grade routers and IoT devices still using the insecure protocol, highlighting a persistent and unnecessary attack surface.
- The reduction in Telnet traffic, particularly in the US, might be an unintended positive consequence of network infrastructure providers blocking aggressive web-scraping traffic from AI companies, as the congestion caused by such activity forced broader filtering adjustments.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/11/were_telcos_tipped_off_to/
💡 Dark Reading | https://www.darkreading.com/threat-intelligence/asia-fumbles-telnet-threat-traffic
AI's Privacy Pitfalls: Caricatures, Healthcare, and Data Blind Spots 🔒
- The viral trend of posting AI-generated work caricatures on social media poses significant risks, as users may inadvertently expose sensitive company data from their LLM prompt history, making them targets for social engineering and account takeovers.
- AI health apps, despite offering "HIPAA-ready" or "HIPAA-compliant" infrastructure, are generally not subject to the same rigorous data protection laws (like HIPAA) as traditional healthcare providers, raising concerns about the privacy and security of personal medical data shared with these unregulated entities.
- Organisations are widely adopting AI without sufficient knowledge of the data populating these tools; a recent survey found only 11% of IT decision-makers are confident they can account for 100% of their data, creating a "data knowledge disconnect" that risks sensitive data leakage and regulatory non-compliance.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/11/ai_caricatures_social_media_bad_security/
🤫 CyberScoop | https://cyberscoop.com/ai-healthcare-apps-hipaa-privacy-risks-openai-anthropic/
💡 Dark Reading | https://www.darkreading.com/data-privacy/do-we-know-enough-about-data-populating-ai
Government Data Security and Digital Control 🏛️
- The UK government is struggling with legacy IT systems that hinder secure information sharing, contributing to incidents like the Afghan data breach, and making it difficult to implement technical measures to prevent human error in data leaks.
- Russia's communications regulator, Roskomnadzor, is deliberately throttling Telegram and pushing its state-controlled messaging app, Max, citing non-compliance with Russian law, a move criticised internally for potentially impacting emergency communications in border regions.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/11/legacy_systems_blamed_as_ministers_promise_no_repeat_of_afghan_breach/
🗞️ The Record | https://therecord.media/russia-throttles-telegram-pushes-its-own-messaging-app
CISA Shutdown Concerns and Leadership Appointments 🇺🇸
- The interim CISA chief warned Congress that a government shutdown would severely degrade the agency's capacity to provide timely guidance and conduct proactive threat hunting, forcing over a third of its frontline security experts to work without pay while cyber threats persist.
- Army Lt. Gen. Joshua Rudd, despite lacking prior cyber warfare or intelligence experience, has advanced to the full Senate for confirmation as the next head of U.S. Cyber Command and the National Security Agency, filling a 10-month leadership void.
🗞️ The Record | https://therecord.media/interim-cisa-chief-tells-congress-threats-continue-during-shutdown
🗞️ The Record | https://therecord.media/cyber-command-nsa-nominee-rudd-advances-to-senate
#CyberSecurity #ThreatIntelligence #Ransomware #Malware #ZeroDay #Vulnerability #PatchTuesday #SocialEngineering #AI #DataPrivacy #InfoSec #CyberAttack #IncidentResponse #GovernmentSecurity #NationState