Cybersecurity Saturday

From the cybersecurity policy and law enforcement front,

  • Cyberscoop reports from its Cybertalks event held earlier this week.
    • “A Department of Health and Human Services official said Thursday that HHS is devoting a lot of attention to the security of third-party service providers after the 2024 Change Healthcare cyberattack.
    • “That attack, which is widely regarded as the biggest ever in the sector — including by HHS’s Charlee Hess, who spoke Thursday at CyberTalks presented by CyberScoop — began with hackers exploiting the lack of multifactor authentication set up on a remote access portal at Change Healthcare.
    • “It wasn’t a hospital, it was a company most people have never heard of and had major impacts on our sector and threatened the liquidity of our entire health care system,” said Hess, director of the healthcare and public health sector cybersecurity at the Administration for Strategic Preparedness and Response division. “We recovered from that, but we realized there are third-party risks lurking in our health care system, and we don’t even know they’re there. Where are those entities or systems that will have an outsized impact on our sector?”
  • and
    • “A top FBI cyber official said Salt Typhoon, the Chinese cyber espionage group behind the widespread compromise of U.S. telecommunications infrastructure in 2024, continues to pose a broad threat to both America’s private and public sectors.
    • “Michael Machtinger, deputy assistant director for cyber intelligence at the FBI, touted improved partnerships between the telecommunications industry and government in the wake of the campaign while speaking at CyberTalks, presented by CyberScoop, in Washington D.C. Thursday.
    • “Companies that engaged with the FBI and federal agencies like CISA early after the campaign went public “have been without a doubt the most successful in mitigating the impact of the Salt Typhoon intrusions,” he claimed.”
  • and
    • “The Trump administration wants to boost the use of artificial intelligence for security in a way that doesn’t increase the number of targets for adversaries to attack, a top official with the Office of the National Cyber Director said Thursday.
    • “The administration will “promote the rapid implementation of AI enabled cyber defensive tools to detect, divert and deceive threat actors who continue targeting our vital systems and sectors,” Alexandra Seymour, principal deputy assistant cyber director for policy, said at CyberTalks, presented by CyberScoop. “We want to ensure that as Americans, companies and agencies deploy AI to defend themselves, they are not inadvertently making themselves more vulnerable by widening the attack surface.”
    • “Overall, “We’re working with our interagency and White House colleagues to promote AI-driven success while addressing concerns about AI security and countering AI abuse by adversaries,” she said.
    • “The focus on AI is expected to get further attention from a forthcoming national cyber strategy and the implementation of that strategy due to follow.”
  • Federal News Network adds,
    • “The National Institutes of Standards and Technology is launching a new project around standards for artificial intelligence agents, with NIST positioning the project as key to advancing agentic AI innovation.
    • “NIST’s Center for AI Standards and Innovation (CAISI) announced the “AI Agent Standards Initiative” this week. The project aims to foster “industry-led technical standards and protocols that build public trust in AI agents, catalyze an interoperable agent ecosystem, and diffuse their benefits to all Americans and across the world,” NIST said in a release this week.
    • “AI agents can now work autonomously for hours, write and debug code, manage emails and calendars, and shop for goods, among other emerging use cases,” NIST added. “While the productivity promise is enticing, the real-world utility of agents is constrained by their ability to interact with external systems and internal data. Absent confidence in the reliability of AI agents and interoperability among agents and digital resources, innovators may face a fragmented ecosystem and stunted adoption.”
    • While NIST’s press release positioned the project around innovation, the initiative’s opening products are centered on security. Since AI agents can take actions autonomously, tech experts say they present significant safety and security concerns.
    • “The initiative’s initial outputs include a request for information on “AI agent security.” The deadline for responses to the RFI is March 9.”
  • Per a February 19, 2026, HHS news release,
    • “[T]he U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announced a settlement with Top of the World Ranch Treatment Center (TWRTC), a substance use disorder treatment provider in Illinois, for a potential violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.” * * *
    • “The settlement resolves an investigation of TWRTC that OCR initiated after receiving a breach report that TWRTC filed in March 2023. TWRTC reported that, as a result of a successful phishing attack, an unauthorized third party accessed ePHI through a workforce member’s email account. TWRTC concluded that the ePHI for 1,980 patients was compromised by the attack. OCR’s investigation found evidence that TWRTC failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI TWRTC holds as required by the HIPAA Security Rule.
    • “Under the terms of the resolution agreement, TWRTC agreed to implement a corrective action plan that OCR will monitor for two years, and paid $103,000 to OCR.” * * *
    • “The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/sites/default/files/ocr-ra-cap-twrtc.pdf [PDF, 249 KB]
  • Cyberscoop reports,
    • “A Ukrainian national who ran multiple operations to aid the North Korean government’s expansive scheme to hire remote IT workers at U.S. companies was sentenced to five years in prison, the Justice Department said Thursday.
    • “Oleksandr Didenko stole U.S. citizens’ identities and created more than 2,500 fraudulent accounts on freelance IT job forums, money service transmitters, email services, and social media platforms to sell the proxy identities to North Korean workers. The 29-year-old pleaded guilty to multiple crimes related to the six-year scheme in November 2025.” * * *
    • “U.S. law enforcement has racked up some wins by seizing stolen cryptocurrency and targeting U.S.-based facilitators who provide forged or stolen identities for North Korean operatives.
    • “Yet, the regime’s scheme runs deep. North Korean nationals have infiltrated many top global companies, and researchers continue to uncover evidence of new tactics and techniques operatives have used to evade detection.”

From the cybersecurity vulnerabilities and breaches front,

  • Bleeping Computer tells us,
    • “PayPal is notifying customers of a data breach after a software error in a loan application exposed their sensitive personal information, including Social Security numbers, for nearly 6 months last year.
    • “The incident affected the PayPal Working Capital (PPWC) loan app, which provides small businesses with quick access to financing.
    • “PayPal discovered the breach on December 12, 2025, and determined that customers’ names, email addresses, phone numbers, business addresses, Social Security numbers, and dates of birth had been exposed since July 1, 2025.
    • “The financial technology company said it has reversed the code change that caused the incident, blocking attackers’ access to the data one day after discovering the breach.
    • “On December 12, 2025, PayPal identified that due to an error in its PayPal Working Capital (“PPWC”) loan application, the PII of a small number of customers was exposed to unauthorized individuals during the timeframe of July 1, 2025 to December 13, 2025,” PayPal said in breach notification letters sent to affected users.”
  • The Cybersecurity and Infrastructure Security Agency (CISA) added eight known exploited vulnerabilities to its catalog during this shutdown week.
    • February 17, 2026
      • CVE-2008-0015 Microsoft Windows Video ActiveX Control Remote Code Execution Vulnerability
      • CVE-2020-7796
      • CVE-2024-7694 TeamT5 ThreatSonar Anti-Ransomware Unrestricted Upload of File with Dangerous Type Vulnerability
      • CVE-2026-2441 Google Chromium CSS Use-After-Free Vulnerability
        • Cybersecurity News discusses the MS Windows KEV here.
        • The Hacker News discusses the other three KEVs here.
    • February 18, 2026
      • CVE-2021-22175 GitLab Server-Side Request Forgery (SSRF) Vulnerability
      • CVE-2026-22769 Dell RecoverPoint for Virtual Machines (RP4VMs) Use of Hard-coded Credentials Vulnerability
        • DeV discusses the GitLab KEV here.
        • Bleeping Computer discusses the Dell KEV, which demands immediate attention.
    • February 20, 2026
      • CVE-2025-49113 RoundCube Webmail Deserialization of Untrusted Data Vulnerability
      • CVE-2025-68461 RoundCube Webmail Cross-site Scripting Vulnerability
        • The Hacker News discusses these KEVs here.
  • Cybersecurity Dive reports,
    • “A critical vulnerability in BeyondTrust Remote Support is facing an increase in threat activity, with hackers deploying SparkRAT and vShell backdoors and using remote management tools to conduct reconnaissance, according to a blog post released Thursday by Palo Alto Networks’ Unit 42.
    • “Multiple BeyondTrust Remote Support users have been confirmed targets, and a range of industries have been impacted, including financial services, technology, higher education, legal services and healthcare among others.
    • “The vulnerability, tracked as CVE-2026-1731, is an operating system command injection flaw that also impacts some older versions of BeyondTrust Privileged Remote Access.
    • “The flaw was originally discovered by researchers at Hacktron and disclosed to BeyondTrust.”
  • Per an HHS announcement,
    • “The Department of Health and Human Services (HHS) encourages Healthcare and Public Health (HPH) sector organizations to review and address a critical vulnerability identified in BeyondTrust Remote Support and Privileged Remote Access solutions in light of rising cyber attacks affecting the sector.
    • “BeyondTrust published Security Advisory BT26-02 regarding a critical pre-authentication remote code execution vulnerability, identified as CVE-2026-1731, affecting Remote Support and older versions of Privileged Remote Access. The vulnerability carries a CVSSv4 score of 9.9 and may be triggered through specially crafted client requests, potentially allowing an unauthenticated remote attacker to execute operating system commands in the context of the site user. 
    • “The vulnerability affects Remote Support version 25.3.1 and prior and Privileged Remote Access version 24.3.4 and prior, with remediation available through specific patches or by upgrading to fixed versions. BeyondTrust issued patches on February 2, 2026, which were automatically deployed to instances with the update service enabled and fully applied to Software as a Service environments. BeyondTrust applied patches to all SaaS customers as of February 2, 2026, and instructed self-hosted customers to manually apply updates or upgrade to supported versions where necessary. For additional information, organizations are encouraged to review the BeyondTrust Security Advisory.”
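To turn the affected-version ranges quoted above into an inventory check, here is an added Python example (not code from BeyondTrust, HHS or this post). It assumes BeyondTrust version strings are dotted numbers, and, because the page quotes only "25.3.1 and prior" and "24.3.4 and prior" without listing the fixed builds, it treats any version above those thresholds as not affected; the hostnames in the sample inventory are constructed.

```python
"""Flag self-hosted BeyondTrust appliances still inside the version ranges
quoted from HHS / BeyondTrust Security Advisory BT26-02 (CVE-2026-1731).

Added example; not code from BeyondTrust, HHS or the post.
Assumptions not stated on the page: versions are dotted numeric strings,
product names are "Remote Support" / "Privileged Remote Access", and any
version above the quoted ceiling is treated as not affected.
"""
from __future__ import annotations

# Highest affected version per product, as quoted: "Remote Support version
# 25.3.1 and prior and Privileged Remote Access version 24.3.4 and prior".
MAX_AFFECTED = {
    "Remote Support": (25, 3, 1),
    "Privileged Remote Access": (24, 3, 4),
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '25.3.1' into (25, 3, 1); raises ValueError on junk input.

    Trailing zero components are dropped so '24.3.4.0' equals '24.3.4'
    (otherwise tuple comparison would wrongly call it newer than the
    ceiling), while '24.3' still compares below '24.3.4'.
    """
    parts = tuple(int(p) for p in text.strip().split("."))
    if any(p < 0 for p in parts):
        raise ValueError(f"bad version string: {text!r}")
    while len(parts) > 1 and parts[-1] == 0:
        parts = parts[:-1]
    return parts


def is_affected(product: str, version: str) -> bool:
    """True when this version of the product is within the quoted range."""
    ceiling = MAX_AFFECTED.get(product)
    if ceiling is None:
        raise KeyError(f"product not covered by the advisory excerpt: {product!r}")
    return parse_version(version) <= ceiling


def hosts_needing_patch(inventory: list[dict]) -> list[str]:
    """Return hostnames whose self-hosted instance is on an affected version.

    Each record: {"host", "product", "version", "saas": bool}. SaaS instances
    are skipped because the advisory text says BeyondTrust applied the patch
    to all SaaS customers on February 2, 2026; self-hosted ones must update.
    """
    return [
        rec["host"]
        for rec in inventory
        if not rec.get("saas", False) and is_affected(rec["product"], rec["version"])
    ]


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    {"host": "rs-dc1", "product": "Remote Support", "version": "25.3.1", "saas": False},
    {"host": "rs-dc2", "product": "Remote Support", "version": "25.3.2", "saas": False},
    {"host": "rs-cloud", "product": "Remote Support", "version": "25.3.1", "saas": True},
    {"host": "pra-lab", "product": "Privileged Remote Access", "version": "24.3", "saas": False},
    {"host": "pra-prod", "product": "Privileged Remote Access", "version": "24.3.4.0", "saas": False},
    {"host": "pra-new", "product": "Privileged Remote Access", "version": "25.1", "saas": False},
]

if __name__ == "__main__":
    for host in hosts_needing_patch(SAMPLE_INVENTORY):
        print(f"{host}: self-hosted and on an affected version; apply the BT26-02 fix")
```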
  • Dark Reading relates,
    • “New data suggests a cyber espionage group is laying the groundwork for attacks against major industries.
    • “The “React2Shell” vulnerability is already almost a few months old, but it’s far from over. An unknown but possibly state-sponsored threat actor has been using a newly discovered, maturely named toolkit — “ILovePoop” — to probe tens of millions of Internet protocol (IP) addresses worldwide, looking for opportunities to exploit React2Shell. A report from WhoisXML API, shared with Dark Reading, suggests the threat actor might be out for big game: government, defense, finance, and industrial organizations, among others, around the world but particularly in the United States.
    • “A few months later, the situation has yet to calm down, Pham says. “There are still tens of thousands of vulnerable instances exposed on the internet, and additional botnets have added React2Shell to their arsenals. It has also been confirmed in ransomware campaigns,” she says. 
    • “The big difference now is that the attacks have gotten more sophisticated, as the attackers have had more time to gameplan. “The post-exploitation tradecraft has gotten more sophisticated over time. We are seeing things like PeerBlight’s use of the BitTorrent DHT as a resilient C2 fallback, which is a technique designed specifically to survive traditional domain takedowns,” Pham says.” * * *
    • “Patching a deep-rooted vulnerability like React2Shell isn’t as simple as clicking an “Update” button.”
  • and
    • “When Hillai Ben Sasson and Dan Segev set out to hack AI infrastructure two years ago, they expected to find vulnerabilities — but they didn’t expect to compromise virtually every major AI platform they targeted.
    • “The two researchers — who work in offensive and defensive research, respectively, at cloud-security firm Wiz — wanted to experiment with how they could attack the AI infrastructure being deployed as part of foundational models, AI services, and in-house AI projects. Yet, what started as simple attacks on the AI supply chain — such as abusing the widely used Pickle format to run arbitrary code — evolved into a comprehensive threat assessment spanning five distinct layers of the AI stack.
    • “They plan to present the lessons learned over their two years of research at the upcoming RSAC Conference in March. Perhaps the most important lesson: Focus on the infrastructure used to train, run, and host AI services, and not on prompt-injection attacks, says Segev, a security architect in the Office of the CTO at Wiz.”
  • and
    • “A growing phishing-as-a-service (PhaaS) tool reliably undermines traditional methods for detecting phishing attacks, both technical and psychological.
    • “Starkiller,” described this week by researchers at Abnormal AI, is packaged and sold with a sleekness comparable to legitimate software-as-a-service (SaaS) platforms. It’s got a clean, retrofuturist dashboard, sporting real-time campaign analytics. It gets periodic updates, and even allows its cybercriminal users to log in using two-factor authentication (2FA).
    • “It’s got substance to back up its style, too. Its website advertises “enterprise-grade phishing infrastructure” for “campaigns that bypass modern security systems.” Though its self-reported 99.7% success rate is almost certainly fictional, it really does help attackers bypass many of the traditional phishing security techniques so many enterprises rely on, according to Abnormal AI’s research.”
  • Cybersecurity Dive notes,
    • “The vulnerability of the “connective tissue” of the AI ecosystem — the Model Context Protocol and other tools that let AI agents communicate — “has created a vast and often unmonitored attack surface” that is making it easier for hackers to use AI to launch cyberattacks, Cisco said in a report published Thursday [February 19].
    • “Cisco said AI tools’ increasing ability to “execute processes, access databases, and push code on behalf of humans” has become the dominant AI risk and warned companies not to give AI “unsupervised control over critical business functions.”
    • “The new report also described nation-state hackers’ use of AI and warned businesses about potential AI supply-chain crises.”

From the ransomware front,

  • Bleeping Computer reports,
    • “The University of Mississippi Medical Center (UMMC) closed all its clinic locations statewide on Thursday [February 19] following a ransomware attack.
    • “UMMC has over 10,000 employees and, as one of the largest employers in Mississippi, operates seven hospitals, 35 clinics, and more than 200 telehealth sites statewide. The medical center includes the state’s only children’s hospital, only Level I trauma center, only organ and bone marrow transplant program, and the only Telehealth Center of Excellence, one of two across the United States.
    • “As revealed on Thursday afternoon, the cyberattack took down many of its IT systems and blocked access to the Epic electronic medical records. While UMMC cancelled outpatient and ambulatory surgeries/procedures and imaging appointments, officials said hospital services continue via downtime procedures.”
  • The HIPAA Journal points out ransomware attacks against three other healthcare entities.
    • “Issaqueena Pediatric Dentistry in South Carolina, Enhabit Home Health & Hospice in Texas, and AltaMed Health Services in California have announced that patient data has potentially been compromised in ransomware attacks.”
  • Per an Arctic Wolf news release,
    • “Arctic Wolf®, a global leader in security operations, today [February 17] published the 2026 edition of its Threat Report, which analyzes hundreds of real‑world incident response engagements and threat intelligence findings from the past year. The report reveals a continued rise in data‑theft‑driven extortion, sustained pressure from ransomware groups, and a significant increase in attacks that leverage remote access tools rather than technical exploits.
    • “In 2025, ransomware, business email compromise (BEC), and data incidents once again dominated Arctic Wolf’s caseload, accounting for 92% of all incident response engagements. While ransomware remained the most common category, data‑only extortion incidents surged 11x year over year, signaling a strategic shift as threat actors adapt to improved organizational recovery capabilities. The report also finds that 65% of non‑BEC intrusions stemmed from abuse of remote access technologies like RDP, VPN, and RMM tools, which is a dramatic rise that underscores attackers’ preference for low‑friction entry points.
    • “Attackers continue to rely on operational efficiency – logging in instead of breaking in, stealing data instead of encrypting it, and exploiting trusted tools rather than complex vulnerabilities,” said Ismael Valenzuela, vice president, Labs, Threat Research & Intelligence, Arctic Wolf. “Organizations that invested in visibility, identity security, and disciplined remote access controls were far more resilient throughout the year.”
  • Cybersecurity Dive adds,
    • “Hackers are using ransomware to accelerate the timeline for cyberattacks, moving on average four times faster than just a year ago, according to an incident response report released Tuesday by Palo Alto Networks.
    • “AI is being used for reconnaissance, phishing and scripting, and operational execution in many cases. In the most efficient attacks, groups exfiltrate data just 72 minutes after initial access.
    • “Identity is a primary element in attacks, showing up in 90% of incident response cases. Threat groups are increasingly using stolen identities and tokens to gain entry without triggering security warnings.
    • “Once an attacker has legitimate credentials, they’re not breaking in, they’re logging in,” Sam Rubin, a senior vice president at Palo Alto Networks’ Unit 42, told Cybersecurity Dive. “When an adversary blends into normal traffic, detection becomes incredibly challenging for even mature defenders.”
    • “The report is based on analysis of more than 750 incident response cases across the globe that involved Unit 42 analysts and researchers.”
  • Qualys assesses “What Is Black Basta Ransomware and How to Mitigate Attack.”
  • IT Brew considers how a ransomware attacker thinks.
    • “When it comes to ransomware criminals, the answers can vary. Some organizations are sophisticated businesses where hackers are treated as employees with HR departments and paid time-off, while others are more ramshackle.
    • “But they’re all dangerous—and after your data. Mike Puglia, general manager of cybersecurity labs at Kaseya, told IT Brew that financial motivation has been the constant motive of ransomware attackers. The tactics are much the same between groups: gaining access, exploiting vulnerabilities, escalating privileges, and deploying an encrypter to hold the data for payment.
    • “It’s Whac-a-Mole, or a game of cat and mouse, between defenders and attackers, and as soon as one hole is closed, suddenly the next wave comes,” Puglia said.”
  • Per an HHS announcement,
    • “The National Institute of Standards and Technology (NIST) hosted a virtual event titled Resources for Ransomware Risk Management on January 28, 2026. The event focused on ransomware as a persistent risk to organizations of all sizes and sectors and emphasized the need for cross-sector collaboration to develop practical resources for reducing ransomware risk. Speakers from NIST, the Center for Internet Security, and the Institute for Security and Technology (IST) provided an overview of available ransomware risk management resources designed to help organizations establish foundational safeguards and build effective strategies. Featured resources included the NIST Ransomware Risk Management Cybersecurity Framework 2.0 Community Profile, published as an initial public draft, and the IST and Ransomware Task Force Blueprint for Ransomware Defense, which offers an actionable framework tailored for small to medium-sized enterprises. Presenters described the development and use of these resources and discussed ongoing and future efforts in ransomware risk management, with the session allowing time for audience questions and discussion. For additional details, refer to the Ransomware Risk Management webinar.”

From the cybersecurity business and defenses front,

  • The Wall Street Journal reports,
    • “Palo Alto Networks PANW lifted its full-year revenue outlook after recording a jump in second-quarter profit driven by continued demand for cybersecurity services.
    • “However, the company issued per-share earnings guidance for its current quarter below Wall Street expectations, in part as it contends with higher costs for memory and storage. It plans to raise prices later in the fiscal year to offset the increases.
    • “The stock, which has dropped 11.2% to start the year, fell 8% in late trading Tuesday to $150.46.
    • “The Santa Clara, Calif.-based company on Tuesday [February 17] said it now expects full-year revenue to come in between $11.28 billion and $11.31 billion, up from a range of $10.5 billion to $10.54 billion.
    • “The raised revenue view came after Palo Alto reported a profit of $432 million, or 61 cents a share, for its fiscal second quarter, compared with a profit of $267.3 million, or 38 cents a share the prior year.”
  • Cybersecurity Dive adds,
    • “As investors worry that existing software and services could be rendered obsolete, Palo Alto Networks CEO Nikesh Arora said the rapid acceleration of AI should not be considered a threat to cybersecurity.
    • “Arora addressed the concerns on Tuesday during the company’s fiscal second-quarter conference call, where the surge in AI dominated much of the discussion.
    • “As AI becomes more pervasive across the enterprise, it expands the attack surface area, more infrastructure, more machine-to-machine activity and new classes of risk that simply didn’t exist before,” Arora said. “In that environment, security cannot sit on the sidelines.”
    • “Arora said despite the current sentiment about software and AI, the company believes that security is the enabling layer “that allows innovation to move forward safely and at scale.”
  • and
    • “Businesses need to pay attention to identity security and third-party risk management to avoid falling prey to hackers whose techniques have evolved, the risk intelligence company Dataminr said in a threat report published on Wednesday [February 18].
    • “2025 marked a clear shift from ‘frequent but contained’ cyber losses toward fewer events with materially larger financial and mission impact,” the report said, attributing the shift to “multi-vector attacks” leveraging stolen credentials, data theft, operational disruptions and regulatory exposure.
    • “Dataminr’s report contains several high-priority recommendations for enterprises, including about supply chain security and the need to look beyond a vulnerability’s severity score.”
  • Dark Reading offers “A CISO’s Playbook for Defending Data Assets Against AI Scraping.”
    • “Discover a strategic approach to govern scraping risks, balance security with business growth, and safeguard intellectual capital from automated data harvesting.”
  • Cyberscoop relates,
    • “Anthropic is rolling out a new security feature for Claude Code that can scan a user’s software codebases for vulnerabilities and suggest patching solutions.
    • “The company announced Friday that Claude Code Security will initially be available to a limited number of enterprise and team customers for testing. That follows more than a year of stress-testing by the internal red teamers, competing in cybersecurity Capture the Flag contests and working with Pacific Northwest National Laboratory to refine the accuracy of the tool’s scanning features.
    • “Large language models have shown increasing promise at both code generation and cybersecurity tasks over the past two years, speeding up the software development process but also lowering the technical bar required to create new websites, apps and other digital tools.
    • “We expect that a significant share of the world’s code will be scanned by AI in the near future, given how effective models have become at finding long-hidden bugs and security issues,” the company wrote in a blog post.”
  • Tech Target shares a “CISO’s guide to demonstrating cyber resilience.”
    • “Elevating cybersecurity to a state of resilience requires a security team to adapt and strengthen defenses. The result should be that a future attack is less likely to succeed.”
  • Here is a link to Dark Reading’s CISO Corner.
