Alright team, it's been a busy 24 hours in the cyber world with significant updates on actively exploited zero-days, new threat actor tradecraft, major data breaches, and shifts in privacy regulations. Let's dive in:

Apple Patches Actively Exploited Zero-Day in dyld ⚠️

- Apple has patched CVE-2026-20700, a memory corruption zero-day in dyld (Dynamic Link Editor), affecting all iOS versions since 1.0.
- This flaw was actively exploited in "extremely sophisticated attacks" against targeted individuals, allowing arbitrary code execution with memory write capability.
- The vulnerability is linked to previous WebKit and ANGLE flaws, potentially enabling "zero-click" or "one-click" exploits, and is suspected to be leveraged by commercial surveillance spyware.

📰 The Hacker News | https://thehackernews.com/2026/02/apple-fixes-exploited-zero-day.html
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/12/apple_ios_263/

Ivanti EPMM Zero-Day Exploits Dominated by Single Bulletproof IP 🛡️

- A staggering 83% of exploitation attempts for Ivanti EPMM zero-day CVE-2026-1281 (unauthenticated RCE) originate from a single IP (193.24.123.42) on PROSPERO bulletproof hosting infrastructure.
- This IP is simultaneously exploiting other unrelated CVEs (Oracle WebLogic, GNU InetUtils telnetd, GLPI) using diverse user agents, indicative of automated tooling.
- Attackers are deploying "sleeper shells" and using OAST callbacks to verify exploitability before deploying payloads, a common tactic for initial access brokers. Organisations with internet-facing MDM should assume compromise and apply patches immediately.

📰 The Hacker News | https://thehackernews.com/2026/02/83-of-ivanti-epmm-exploits-linked-to.html

Major Data Breaches Hit Dutch Telecom and Senegalese Government 🚨

- Dutch mobile provider Odido suffered a cyberattack on 7 February, resulting in the theft of personal information for 6.2 million customers, including names, bank account numbers, addresses, and IDs. The breach was traced to a compromised customer contact system.
- In Senegal, the "Green Blood Group" ransomware outfit breached the Directorate of File Automation (DAF), exfiltrating biometric data and immigration records for most of the adult population. A second government-adjacent entity, Sénégal Numérique SA, was also attacked.
- These incidents highlight a critical lack of cybersecurity maturity, particularly in Senegal, where digital ambition has outpaced defensive capabilities, leading to widespread fraud risks and potential systemic mistrust in digital government initiatives.

🗞️ The Record | https://therecord.media/dutch-telecom-giant-announces-data-breach
💀 Dark Reading | https://www.darkreading.com/cyberattacks-data-breaches/hackers-breach-senegal-national-biometric-database

Nation-State Hackers Weaponising Gemini AI for Recon and Malware 🤖

- Google reports that sophisticated state-backed threat actors from North Korea (UNC2970/Lazarus Group), China (Temp.HEX, APT31, APT41, UNC795), and Iran (APT42) are increasingly using Gemini AI.
- These groups leverage Gemini for open-source intelligence (OSINT) gathering, profiling high-value targets, vulnerability analysis, code generation, and crafting highly convincing social engineering lures.
- New malware such as HONESTCUE is also emerging; it uses Gemini's API to dynamically generate C# source code for its second-stage functionality, bypassing traditional detection methods.

📰 The Hacker News | https://thehackernews.com/2026/02/google-reports-state-backed-hackers.html
🗞️ The Record | https://therecord.media/nation-state-hackers-using-gemini-for-malicious-campaigns

Ransomware Actors Adopt Bossware for Stealthy Operations 🕵🏼

- Threat actors are now repurposing legitimate employee monitoring software, or "bossware," to blend into corporate networks and facilitate ransomware deployment.
- Huntress observed incidents where "Net Monitor for Employees Professional" was chained with RMM SimpleHelp for reconnaissance, tooling delivery, and attempted ransomware deployment (Crazy ransomware/VoidCrypt).
- This tactic leverages legitimate signed binaries to evade detection, effectively turning employee monitoring tools into fully functional remote access trojans (RATs). Organisations should audit third-party RMM and monitoring tools and monitor for unusual process execution.

🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/12/ransomware_slingers_bossware/

0APT Ransomware Group: More Bluster Than Bite (For Now) 💥

- A new ransomware group, 0APT, emerged claiming around 200 victims within its first week, though researchers found no evidence to substantiate these claims, suggesting a likely hoax to gain recognition and attract affiliates.
- Despite the fabricated victim counts, 0APT's ransomware binaries are cryptographically strong and fully operational, posing a genuine threat if they secure legitimate initial access.
- This highlights the competitive and often deceptive nature of the ransomware-as-a-service landscape, where groups use inflated claims to establish a presence.

🤫 CyberScoop | https://cyberscoop.com/0apt-ransomware-group-hoax-technical-capabilities/

Chrome Extensions Exfiltrating Browsing History to Data Brokers 🔒

- A security researcher identified 287 Chrome extensions, with an estimated 37.4 million installations, that are allegedly exfiltrating users' browsing history data to data brokers like Similarweb.
- Many of these extensions appear harmless but request access to sensitive browsing data without clear justification, often obscuring these practices in their privacy policies.
- This underscores the "you are the product" model for free software and the urgent need for users to be aware of the risks and for more robust safeguards against malicious extensions.

🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/11/security_researcher_287_chrome_extensions_data_leak/

Supply Chain Attacks Fuel a "Self-Reinforcing" Cybercrime Economy ⛓️

- Group-IB reports that supply chain attacks are becoming industrialised, creating a "self-reinforcing" ecosystem where breaches, credential theft, and ransomware are interconnected.
- Attackers exploit inherited access to customers, with AI-assisted tools accelerating vulnerability scanning across vendors, CI/CD pipelines, and browser extension marketplaces.
- There's a growing shift towards identity attacks, where criminals impersonate genuine users to evade detection, making HR, CRM, ERP, and MSP platforms high-priority targets due to their broad access.

🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/12/supply_chain_attacks/

Disney Fined $2.75 Million for Data Privacy Violations; FTC Pushes Age Verification ⚖️

- Disney has been fined $2.75 million by the California Attorney General for making it excessively difficult for consumers to opt out of data sharing and sales under the California Consumer Privacy Act (CCPA). This is the largest fine ever levied under the CCPA.
- Separately, FTC officials are now actively endorsing age verification technology, planning a policy statement and potential COPPA rule amendment to clarify its use without violating child privacy regulations.
- This FTC stance is seen as a "major landmark" that will accelerate the global implementation of age verification, addressing industry concerns and encouraging broader adoption to protect minors online.

🗞️ The Record | https://therecord.media/california-fines-disney-data-privacy
🗞️ The Record | https://therecord.media/ftc-push-for-age-verification-a-major-landmark-for-implementation

US Seeks Coordinated Cyber Partnerships; Russia Blocks WhatsApp 🌐

- The US National Cyber Director, Sean Cairncross, emphasised the need for deeper cyber cooperation with allies and the private sector to send a "coordinated, strategic message" to adversaries and change their "risk calculus."
- Meanwhile, Russia attempted a full block of WhatsApp to compel users to switch to its state-backed Max messaging platform, citing Meta's non-compliance with Russian law. This involved removing WhatsApp's domain records from Russia's National Domain Name System, making it inaccessible without a VPN.
- These events highlight contrasting approaches to national cybersecurity and digital sovereignty, with the US advocating for a "clean tech stack" rooted in allied systems, while Russia tightens control over foreign platforms.

🗞️ The Record | https://therecord.media/us-wants-cyber-partnerships-to-send-message-to-adversaries
🗞️ The Record | https://therecord.media/whatsapp-russia-blocked-state

CISA Warns of Significant Impact from DHS Funding Lapse 📉

- Acting CISA Director Madhu Gottumukkala testified that another Department of Homeland Security (DHS) funding lapse would severely hamper CISA's ability to respond to threats, offer services, and develop new capabilities.
- While 888 of CISA's 2,341 employees would be "excepted" (working without pay), strategic planning, development of new technical capabilities, and completion of key regulations like those stemming from CIRCIA would halt.
- This underscores the critical risk to national cybersecurity when government shutdowns occur, as adversaries do not pause their operations.

🤫 CyberScoop | https://cyberscoop.com/cisa-shutdown-impact-dhs-funding-testimony/

#CyberSecurity #ThreatIntelligence #ZeroDay #Vulnerability #Ransomware #APT #NationState #AI #DataBreach #DataPrivacy #IncidentResponse #InfoSec #CyberAttack #Malware #SupplyChainSecurity

Apple Fixes Exploited Zero-Day Affecting iOS, macOS, and Apple Devices

Apple releases security updates fixing exploited dyld zero-day CVE-2026-20700 enabling code execution across iOS, macOS, and Apple devices.

The Hacker News
State College borough, Pennsylvania, says cyberattack disrupted network

State College Borough in Pennsylvania says a cyberattack was stopped, but network recovery will take days and email replies may be delayed.

DysruptionHub

Abhishek Yadav (@abhishek__AI)

A platform called xyOps has been announced. It is presented as combining scheduling, monitoring and incident response in a single platform, offering a visual workflow builder, real-time server snapshots and context-based smart alerts, and scaling from 5 to 5000+ nodes. The announcement also stresses that there are no paywalls and no telemetry collection.

https://x.com/abhishek__AI/status/2021787527255142748

#devops #observability #incidentresponse #platform

Abhishek Yadav (@abhishek__AI) on X

DevOps without the messy stack. xyOps brings scheduling, monitoring, & incident response in a single platform. → Visual workflow builder → Real-time server snapshots → Smart alerts with full context → Scales from 5 to 5,000+ nodes → No paywalls. No telemetry. Everything

X (formerly Twitter)
What's trending in cybersecurity today? Find out with the latest YouTube playlist we've curated. 👀 https://www.youtube.com/playlist?list=PLXqx05yil_mfLX4uuhOLfnUVE379BYP9c
#Malware #Phishing #IncidentResponse #CyberAwareness #AppSec
260211 rootshell.online

YouTube

Looks like a busy 24 hours in the cyber world with some significant breaches, new malware insights, a critical Patch Tuesday, and important discussions around AI and government security. Let's dive in:

Healthcare Data Breach and Payroll Scams 🚨
- ApolloMD, a Georgia-based healthcare company, reported a data breach impacting over 626,000 individuals, with sensitive health information compromised by the Qilin ransomware gang.
- Law enforcement in the Netherlands arrested a third suspect involved in the JokerOTP phishing-as-a-service operation, which caused over $10 million in losses by intercepting MFA passcodes across 28,000 attacks.
- "Payroll pirates" are exploiting help desks through social engineering to reset employee credentials and MFA, then using internal VDI to access payroll systems like Workday and redirect paychecks, highlighting the need to treat identity as the new perimeter.

🗞️ The Record | https://therecord.media/georgia-healthcare-company-data-breach-impacts-620000
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/police-arrest-seller-of-jokerotp-mfa-passcode-capturing-tool/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/11/payroll_pirates_business_social_engineering/

North Korean Deepfakes, LummaStealer Resurgence, and IRC Botnets 🛡️
- North Korea's UNC1069 group is targeting the cryptocurrency sector with sophisticated social engineering, using AI-generated deepfake videos in fake Zoom meetings and the ClickFix technique to deploy seven new macOS malware families (WAVESHAPER, HYPERCALL, HIDDENCALL, SILENCELIFT, DEEPBREATH, SUGARLOADER, CHROMEPUSH) for extensive data exfiltration and TCC bypass.
- LummaStealer (LummaC2) infostealer infections are surging again, now primarily delivered via the heavily obfuscated CastleLoader malware, which uses ClickFix techniques and performs environment checks to evade analysis before deploying its payload.
- The "Crazy" ransomware gang is leveraging legitimate employee monitoring software (Net Monitor for Employees Professional) and remote support tools (SimpleHelp) for persistence, detection evasion, and pre-ransomware reconnaissance, including monitoring for cryptocurrency wallet activity, often gaining initial access through compromised SSL VPN credentials.
- A new Linux botnet, SSHStalker, is using the antiquated IRC protocol for command-and-control, relying on noisy SSH scanning, cron-based persistence, and a large arsenal of 15-year-old Linux kernel exploits (2.6.x era) to compromise systems, with observed capabilities for AWS key harvesting, cryptomining, and DDoS.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/north-korean-hackers-use-new-macos-malware-in-crypto-theft-attacks/
📰 The Hacker News | https://thehackernews.com/2026/02/north-korea-linked-unc1069-uses-ai.html
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/lummastealer-infections-surge-after-castleloader-malware-campaigns/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/crazy-ransomware-gang-abuses-employee-monitoring-tool-in-attacks/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/new-linux-botnet-sshstalker-uses-old-school-irc-for-c2-comms/
📰 The Hacker News | https://thehackernews.com/2026/02/sshstalker-botnet-uses-irc-c2-to.html

Microsoft's Patch Tuesday: Six Actively Exploited Zero-Days ⚠️
- Microsoft's February Patch Tuesday addressed 59 vulnerabilities, including six actively exploited zero-days, prompting CISA to add them to its Known Exploited Vulnerabilities (KEV) catalog for urgent patching by federal agencies.
- Three of the actively exploited flaws are security feature bypasses (CVE-2026-21510 in Windows Shell, CVE-2026-21513 in MSHTML, CVE-2026-21514 in Word) that can lead to remote code execution (RCE) by tricking users into opening malicious files or links, bypassing SmartScreen and OLE security controls.
- The remaining actively exploited bugs include two elevation-of-privilege vulnerabilities (CVE-2026-21519 in Desktop Window Manager, CVE-2026-21533 in Windows Remote Desktop Services) and one denial-of-service flaw (CVE-2026-21525 in Windows Remote Access Connection Manager).
- A new RCE vulnerability, CVE-2026-20841, has been found in Notepad's recently added Markdown feature, allowing attackers to launch "unverified protocols" and execute files if a user clicks a malicious embedded link, though no in-the-wild exploitation has been observed yet.

💡 Dark Reading | https://www.darkreading.com/vulnerabilities-threats/microsoft-fixes-6-actively-exploited-zero-days
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/10/microsofts_valentines_gift_to_admins/
📰 The Hacker News | https://thehackernews.com/2026/02/microsoft-patches-59-vulnerabilities.html
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/11/notepad_rce_flaw/

Telnet's Lingering Legacy and Potential Pre-Disclosure Warnings 🌐
- Threat intelligence suggests that major telcos likely received advance warning about the critical Telnet vulnerability (CVE-2026-24061) before its public disclosure, as global Telnet traffic "fell off a cliff" days prior, indicating potential pre-advisory port 23 filtering by Tier 1 transit providers.
- Despite a global decline in Telnet traffic, the Asia-Pacific region continues to show high exposure, with many consumer-grade routers and IoT devices still using the insecure protocol, highlighting a persistent and unnecessary attack surface.
- The reduction in Telnet traffic, particularly in the US, might be an unintended positive consequence of network infrastructure providers blocking aggressive web-scraping traffic from AI companies, as the congestion caused by such activity forced broader filtering adjustments.

🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/11/were_telcos_tipped_off_to/
💡 Dark Reading | https://www.darkreading.com/threat-intelligence/asia-fumbles-telnet-threat-traffic

AI's Privacy Pitfalls: Caricatures, Healthcare, and Data Blind Spots 🔒
- The viral trend of posting AI-generated work caricatures on social media poses significant risks, as users may inadvertently expose sensitive company data from their LLM prompt history, making them targets for social engineering and account takeovers.
- AI health apps, despite offering "HIPAA-ready" or "HIPAA-compliant" infrastructure, are generally not subject to the same rigorous data protection laws (like HIPAA) as traditional healthcare providers, raising concerns about the privacy and security of personal medical data shared with these unregulated entities.
- Organisations are widely adopting AI without sufficient knowledge of the data populating these tools; a recent survey found only 11% of IT decision-makers are confident they can account for 100% of their data, creating a "data knowledge disconnect" that risks sensitive data leakage and regulatory non-compliance.

🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/11/ai_caricatures_social_media_bad_security/
🤫 CyberScoop | https://cyberscoop.com/ai-healthcare-apps-hipaa-privacy-risks-openai-anthropic/
💡 Dark Reading | https://www.darkreading.com/data-privacy/do-we-know-enough-about-data-populating-ai

Government Data Security and Digital Control 🏛️
- The UK government is struggling with legacy IT systems that hinder secure information sharing, contributing to incidents like the Afghan data breach, and making it difficult to implement technical measures to prevent human error in data leaks.
- Russia's communications regulator, Roskomnadzor, is deliberately throttling Telegram and pushing its state-controlled messaging app, Max, citing non-compliance with Russian law, a move criticised internally for potentially impacting emergency communications in border regions.

🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/11/legacy_systems_blamed_as_ministers_promise_no_repeat_of_afghan_breach/
🗞️ The Record | https://therecord.media/russia-throttles-telegram-pushes-its-own-messaging-app

CISA Shutdown Concerns and Leadership Appointments 🇺🇸
- The interim CISA chief warned Congress that a government shutdown would severely degrade the agency's capacity to provide timely guidance and conduct proactive threat hunting, forcing over a third of its frontline security experts to work without pay while cyber threats persist.
- Army Lt. Gen. Joshua Rudd, despite lacking prior cyber warfare or intelligence experience, has advanced to the full Senate for confirmation as the next head of U.S. Cyber Command and the National Security Agency, filling a 10-month leadership void.

🗞️ The Record | https://therecord.media/interim-cisa-chief-tells-congress-threats-continue-during-shutdown
🗞️ The Record | https://therecord.media/cyber-command-nsa-nominee-rudd-advances-to-senate

#CyberSecurity #ThreatIntelligence #Ransomware #Malware #ZeroDay #Vulnerability #PatchTuesday #SocialEngineering #AI #DataPrivacy #InfoSec #CyberAttack #IncidentResponse #GovernmentSecurity #NationState

Georgia healthcare company data breach impacts more than 620,000

The company told victims in September about the breach, and said an investigation revealed hackers were in ApolloMD's IT environment between May 22 and May 23.

Are you wanting to get involved at #FIRSTCON26? Support our mission and sponsor this unique #cybersecurity community gathering with attendees from all around the world! 💻🌍🔗 https://go.first.org/MDaOF #annualconference #incidentresponse #secconf
38th Annual FIRST Conference

38th Annual FIRST Conference - Denver (US), June 14-19, 2026.

FIRST — Forum of Incident Response and Security Teams
What's trending in cybersecurity today? Find out with the latest YouTube playlist we've curated. 👀 https://www.youtube.com/playlist?list=PLXqx05yil_mfbCWT61iDp3CNkOONB0yCu
#Malware #Phishing #IncidentResponse #CyberAwareness #AppSec
260211 rootshell.online

YouTube

Incident response isn't a script.

If your team is just following the playbook without true situational awareness, you might be running theater, not security.

New article:
https://jimguckin.com/2026/02/11/incident-response-without-situational-awareness-is-theater/

#CyberSecurity #IncidentResponse #SecurityLeadership #CyberResilience

Incident Response Without Situational Awareness Is Theater – Jim Guckin

We're proud to partner with 13Cubed Studios LLC, known for high-quality DFIR training. You'll find courses covering macOS, Linux, and Windows.

โžก๏ธ DFIR Labs Users: Complete any quiz in the platform to unlock $100 off all 13Cubed training.
โžก๏ธ13Cubed Customers: Purchase Investigating Windows Endpoints and receive 20% off your DFIR Labs purchase!

👉 https://training.13cubed.com/
👉 https://dfirlabs.thedfirreport.com

#DFIR #DigitalForensics #IncidentResponse #Training

What's trending in cybersecurity today? Find out with the latest YouTube playlist we've curated. 👀 https://www.youtube.com/playlist?list=PLXqx05yil_mefDo6mFsLZ6Dw_m_BkSt2s
#Malware #Phishing #IncidentResponse #CyberAwareness #AppSec
260211 rootshell.online

YouTube