From the Iran War front,

• Security Week reports,
  • “The Iranian APT MuddyWater has hacked into the networks of several organizations in the US, including an aerospace and defense contractor, Broadcom’s Symantec and Carbon Black threat hunting team reports.
  • “The threat actor has been present in the environments of an airport, a bank, a non-governmental organization operating in the US and Canada, and a software company with a presence in Israel.
  • “According to the Broadcom experts, the APT’s activity has continued “in recent days following US and Israeli military strikes on Iran that have sparked conflict in the region”.

• Cybersecurity Dive adds,
  • “Pro-Russia threat actors have formed a loose coalition with Iran-nexus hacking groups in response to the bombing campaign launched by the U.S. and Israel on Iran. 
  • “The groups began working together Monday under the #OpIsrael campaign, with a focus on targeting critical infrastructure and exfiltration of data, according to researchers at Flashpoint.” * * *
  • “Researchers at Palo Alto Networks Unit 42 estimate that about 60 threat actors, including Iran-nexus and Russia-aligned groups, might be involved in various levels of hacking activity since the bombing campaign began.”  

• The American Hospital Association News tells us,
  • “The FBI is reminding critical infrastructure organizations to implement mitigations from a June 2025 fact sheet on potential actions by Iranian-affiliated cyber actors who may target U.S. devices and networks due to geopolitical tensions. The fact sheet explains how cyber actors often exploit targets with unpatched or outdated software with known common vulnerabilities or passwords.  
  • “In the context of the ongoing conflict with Iran, it is particularly important to ensure that we are implementing cybersecurity measures to defend against the known tactics used by Iranian state-sponsored hackers or pro-Iranian hackers acting independently,” said John Riggi, AHA national advisor for cybersecurity and risk. “Besides seeking to exploit common vulnerabilities and default passwords, they also target internet-connected operational technology and industrial control systems. These systems may be present in hospitals in the form of HVAC, water, life-safety and building automation systems. It is recommended that cyber teams closely coordinate with facilities and building engineers to identify internet-facing OT and ICS systems, assess the need for internet connectivity and ensure they are patched and secure.”

From the cybersecurity policy and law enforcement front,

• The Wall Street Journal reports,
  • “The Trump administration published its new cyber strategy Friday [March 6], framing digital security in the context of broader geopolitical issues and promising to incentivize the private sector to identify and disrupt cyber adversaries.
  • “Compared with the Biden administration’s 2023 National Cybersecurity Strategy, which ran more than 35 pages and detailed dozens of policy initiatives, the new document is far shorter at five pages and sets out broad principles for future policy decisions and priorities.”

• Cyberscoop adds,
  • “The strategy “calls for unprecedented coordination across government and the private sector to invest in the best technologies and continue world-class innovation, and to make the most of America’s cyber capabilities for both offensive and defensive missions,” the White House said in a statement accompanying its release.”
  • “Trump also signed an executive order Friday directing agencies to take action to combat cybercrime and fraud.”
    
• The Congress did not resolve the Department of Homeland Security shutdown this week.

• Fedscoop reports,
  • “The Department of Homeland Security is undergoing an overhaul of its IT and information security leadership, with multiple sources telling FedScoop there is a broad realignment underway at the department to replace key technology leaders.
  • “FedScoop has learned that at least two DHS officials are being replaced: Chief Information Security Officer Hemant Baidwan and Deputy CISO Amanda Day. 
  • “The reorg among IT officials comes as other leadership is changing at the department. President Donald Trump announced Thursday that Secretary of Homeland Security Kristi Noem will be leaving the position at the end of March. Trump has nominated Sen. Markwayne Mullin, R-Okla, as her replacement.

• Cybersecurity Dive adds,
  • “The confirmation prospects for Sean Plankey, President Donald Trump’s nominee to lead the Cybersecurity and Infrastructure Security Agency, have dimmed further following Plankey’s unceremonious departure from a job at the Department of Homeland Security.
  • “Security personnel escorted Plankey out of a DHS facility on Monday, a person familiar with the matter told Cybersecurity Dive, confirming an incident first reported by CBS News. Plankey announced on Wednesday that he had left his job as a senior Coast Guard adviser to DHS Secretary Kristi Noem, but he framed his departure as a voluntary one intended to help him focus on his nomination to serve as CISA director.”

•  Per an HHS news release,
  • “Today [March 5], the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announced a settlement with MMG Fusion, LLC (MMG), a Maryland software company, concerning potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules. MMG is a business associate as it receives protected health information (PHI) from HIPAA covered entities and its software is used to communicate directly with patients of covered entities.” * * *
  • “The settlement resolves an investigation that OCR initiated in March 2023 after receiving a complaint concerning an unreported security incident at MMG, and the posting of PHI on the dark web. OCR’s investigation determined that in December 2020, an unauthorized actor infiltrated MMG’s information system and accessed PHI [of 15 million people], including names, phone numbers, mailing addresses, email addresses, dates of birth, and dates and times of medical appointments.” * * *
  • “The resolution agreement and corrective action plan may be found at https://www.hhs.gov/sites/default/files/ocr-mmg-fusion-hipaa-agreement.pdf [PDF, 264 KB].”

• Cybersecurity Dive informs us,
  • “An international coalition led by Microsoft and Europol has taken down the operations of Tycoon 2FA, a notorious phishing-as-a-service platform that helped cyber criminals gain access to millions of email accounts across the globe. 
  • “Microsoft obtained a court order from the U.S. District Court from the Southern District of New York to seize 330 active domains used to back the core infrastructure of Tycoon 2FA.
  • “Taking this infrastructure offline cuts off a major pipeline for account takeovers and helps protect people and organizations from follow-on attacks such a data theft, ransomware, business email compromise and financial fraud,” Steve Masada, assistant general counsel at Microsoft’s Digital Crimes Unit, said in a blog post published Wednesday.” 

• Bleeping Computer lets us know,
  • “The FBI has seized the LeakBase cybercrime forum, a major online forum used by cybercriminals buy and sell hacking tools and stolen data.
  • This seizure action is part of an international joint operation coordinated by Europol, known as “Operation Leak,” that involved law enforcement agencies in 14 countries.
  • On March 3 and 4, the FBI and law enforcement agents shut down LeakBase by seizing two of its domains, posting seizure banners, and warning LeakBase members of the seizure after collecting further evidence.” * * *
  • Today’s [March 4] announcement follows the disruption of RaidForums in 2022 and BreachForums in 2023, two cybercrime marketplaces that preceded it, as well as the BreachForums founder’s conviction and sentencing in 2025.
• and
  • “A U.S. government contractor’s son, accused of stealing more than $46 million in cryptocurrency from the U.S. Marshals Service, was arrested Wednesday on the island of Saint Martin.
  • “The arrest was the result of a joint operation between the FBI and France’s elite Groupe d’Intervention de la Gendarmerie Nationale, FBI Director Kash Patel announced on Thursday.
  • “Last night, John Daghita – a U.S. government contractor who allegedly stole more than $46 million in cryptocurrency from the U.S Marshals Service – was arrested on the island of Saint Martin by the French Gendarmerie’s premier elite tactical unit in a joint operation with the @FBI,” Patel said.”

• Cyberscoop points out,
  • “Russian national Evgenii Ptitsyn pleaded guilty to running the Phobos ransomware outfit that extorted more than $39 million from more than 1,000 victims globally, the Justice Department said Wednesday.
  • “Ptitsyn assumed a leadership role in the Phobos ransomware group in January 2022, yet his criminal activities began by April 2019, according to court records. He continued leading the cybercrime syndicate until May 2024 when he was arrested in South Korea. Ptitsyn was extradited to the United States in November 2025.
  • “Federal prosecutors dropped multiple charges against Ptitsyn as part of a plea agreement he signed last month. He faces up to 20 years in prison for wire fraud conspiracy.
  • “Ptitsyn agreed to forfeit $1.77 million in assets and is required to pay at least $39.3 million in restitution, representing the full amount of his victims’ losses.

From the cybersecurity breaches and vulnerabilities front,

• The Wall Street Journal reports on March 6,
  • “U.S. investigators believe hackers affiliated with the Chinese government are responsible for a cyber intrusion on an internal Federal Bureau of Investigation computer network that holds information related to some domestic surveillance orders, according to people familiar with the matter.
  • “The scope and severity of the intrusion aren’t known, and the investigation is in its early stages, the people said. Any preliminary conclusions could change as investigators gather more information. 
  • “If China is confirmed to be responsible for the breach, it would signal the latest intrusion by Beijing’s hackers of computer systems related to law-enforcement surveillance orders, which contain highly sensitive material.
  • “A notification sent in recent days to some lawmakers in Congress said the FBI began investigating the matter last month, the people said. The intrusion involved hackers accessing an unclassified system that contains information about the calls and internet activity of criminal suspects and others under government surveillance. Information in the system includes incoming and outgoing calls, IP and website addresses and some routing information, but doesn’t include the contents of calls or digital communication.” 

• Cybersecurity Dive adds,
  • “A total of 90 zero-day vulnerabilities were exploited in the wild in 2025, according to a report released Thursday by Google Threat Intelligence Group.
  • “Of that total, almost half of the exploited vulnerabilities were used against enterprise-grade technology, marking an all-time high. 
  • “Exploitation from state-sponsored groups targeted networking and security tools with a strong emphasis on edge devices, which often lack endpoint detection and response capabilities, according to GTIG researchers. 
  • “China-nexus groups remain the most prolific state-sponsored groups, with a long history of detailed knowledge of vulnerable devices. 
  • “They have a significant zero-day development ecosystem that includes industry, academia, and government,” John Hultquist, chief analyst at GTIG, told Cybersecurity Dive.”

• Bleeping Computer relates,
  • “TriZetto Provider Solutions, a healthcare IT company that develops software and services used by health insurers and healthcare providers, has suffered a data breach that exposed the sensitive information of over 3.4 million people.
  • “The firm, which has been operating under the Cognizant umbrella since 2014, disclosed that it detected suspicious activity on a web portal on October 2, 2025, and launched an investigation with the help of external cybersecurity experts.
  • “The investigation revealed that unauthorized access began nearly a year before, on November 19, 2024.’ * * *
  • “Affected providers were alerted on December 9, 2025, but customer notification started in early February 2026. According to a filing Maine’s Attorney General submitted today [March 6], the number of exposed individuals is 3,433,965.
  • “TriZetto says that payment card, bank account, or other financial information was not exposed in this incident. Also, the company is not aware of any cases where cybercriminals have attempted to misuse this information.”

• CISA added seven known exploited vulnerabilities to its catalog this week.
  • March 3, 2026
    • CVE-2026-21385 Qualcomm Multiple Chipsets Memory Corruption Vulnerability
    • CVE-2026-22719 Broadcom VMware Aria Operations Command Injection Vulnerability
      • Cybersecurity News discusses the Qualcomm KVE here.
      • Bleeping Computer discusses the VM Aria KVE here.
  • March 5, 2026
    • CVE-2017-7921 Hikvision Multiple Products Improper Authentication Vulnerability
    • CVE-2021-22681 Rockwell Multiple Products Insufficient Protected Credentials Vulnerability
    • CVE-2021-30952 Apple Multiple Products Integer Overflow or Wraparound Vulnerability
    • CVE-2023-41974 Apple iOS and iPadOS Use-After-Free Vulnerability
    • CVE-2023-43000 Apple Multiple products Use-After-Free Vulnerability
      • The Hacker News discusses the Hikvision and Rockwell KVEs here.
      • Bleeping Computer discusses the Apple KVEs here.

• Cyberscoop adds,
  • “Cisco released information on a pair of max-severity vulnerabilities in its firewall management software Wednesday that unauthenticated, remote attackers could exploit to obtain the highest level of access to the underlying operating system or on affected devices.
  • “The vulnerabilities — CVE-2026-20079 and CVE-2026-20131 — affect the web-based interface of Cisco Secure Firewall Management Center (FMC) Software, regardless of device configuration, the vendor said.
  • “Cisco disclosed the critical vulnerabilities one week after it warned that attackers have been exploiting a pair of zero-days in Cisco’s network edge software for at least three years. That campaign, which is ongoing, marked the second series of multiple actively exploited zero-days in Cisco edge technology since last spring. 
  • “Both campaigns prompted the Cybersecurity and Infrastructure Security Agency to issue emergency directives months after the attacks were first detected, and both attack sprees were underway for at least a year before they were discovered.” 
• and
  • “Google disclosed one actively exploited zero-day vulnerability Monday, warning that the high-severity defect affecting an open-source Qualcomm display component for Android devices “may be under limited, targeted exploitation.”
  • “The memory-corruption vulnerability — CVE-2026-21385 — which Google’s Androidsecurity team reported to Qualcomm Dec. 18, affects 234 chipsets, Qualcomm said in a security bulletin. Qualcomm said it notified customers of the vulnerability Feb. 2.
  • “Qualcomm declined to say when the earliest known instance of exploitation occurred, how many victims have been directly impacted, and what occurred during the 10-week period between the reporting and public disclosure of the vulnerability. 
  • “We commend the researchers from Google’s Threat Analysis Group for using coordinated disclosure practices,” a Qualcomm spokesperson told CyberScoop. “Fixes were made available to our customers in January 2026. We encourage end users to apply security updates as they become available from device makers.”
• and
  • “North Korean threat groups are using artificial intelligence tools to accelerate and expand the country’s long-running scheme to get remote technical workers hired at global companies for longer durations, Microsoft Threat Intelligence said in a report Friday. 
  • “AI services are empowering North Korean operatives across the attack lifecycle. Attackers have turned AI into a “force multiplier” that bolsters and automates their efforts to conduct research on targets, develop malicious resources, achieve and maintain access, evade detection, and weaponize tools for attacks and post-compromise activities, researchers said.
  • “Microsoft said a trio of groups it tracks as Coral Sleet, Sapphire Sleet and Jasper Sleet are using AI to shorten the time it takes to create digital personas for specific job markets and roles. These groups frequently leverage financial opportunities or interview-themed lures to gain initial access.”

• The Hacker News notes,
  • “Cybersecurity researchers have disclosed details of a new phishing suite called Starkiller that proxies legitimate login pages to bypass multi-factor authentication (MFA) protections.
  • “It’s advertised as a cybercrime platform by a threat group calling itself Jinkusu, granting customers access to a dashboard that lets them select a brand to impersonate or enter a brand’s real URL. It also lets users choose custom keywords like “login,” “verify,” “security,” or “account,” and integrates URL shorteners such as TinyURL to obscure the destination URL.
  • “It launches a headless Chrome instance – a browser that operates without a visible window – inside a Docker container, loads the brand’s real website, and acts as a reverse proxy between the target and the legitimate site,” Abnormal researchers Callie Baron and Piotr Wojtyla said.”

From the ransomware front,

• The Record reports,
  • “The University of Hawaiʻi Cancer Center said up to 1.2 million people had information leaked as a result of a ransomware attack on its epidemiology division last year. 
  • “Hackers accessed records containing Social Security numbers (SSNs) and driver’s license numbers collected from the Hawaiʻi State Department of Transportation as well as City and County of Honolulu voter registration records from 1998, according to a statement released by the organization last week.” * * *
  • “In January, the university sent a report to the state legislature that said the cyber incident was first discovered on August 31, 2025.” * * *
  • “Naoto Ueno, director of the University of Hawaiʻi Cancer Center, apologized for the incident last week and said the organization was “committed to transparency.” 
  • “The university said the attackers encrypted and likely exfiltrated data, prompting them to notify law enforcement and hire cybersecurity experts to resolve the situation. The cybersecurity firm obtained a decryption tool and secured “an affirmation that any information obtained was destroyed.”  
  • “University officials claimed there is “no evidence that any of the information has been published, shared or misused.” The group responsible for the attack was not identified.”   

• Cybersecurity Dive relates,
  • “Identity has replaced malware as the biggest threat vector opening the door for ransomware attacks, Cloudflare said in an annual threat report published on Tuesday.
  • “Hackers’ increasing use of legitimate credentials, rather than malicious code, is making it harder for defenders to detect and contain their attacks.
  • “Cloudflare’s new report also discussed nation-state threat actors’ behavior and how artificial intelligence is changing attacks.”

• Mobihealth News interviews Scott Doerr, virtual CISO, or vCISO, at Fortified Health Security, [who] previews his upcoming talk at the 2026 HIMSS Global Health Conference & Exposition, where he will discuss how healthcare companies can strengthen their preparedness for ransomware attacks. 

From the cybersecurity business and defenses front,

• Cyberscoop reports,
  • “CrowdStrike Holdings reported record earnings in the fiscal fourth-quarter, defying investor concerns about the rising use of agentic AI potentially curbing demand for cybersecurity software and services. 
  • “The Texas-based cybersecurity company said total revenue grew 23% on a year-over-year basis, to $1.31 billion in the quarter ended Jan. 31. 
  • “Annual recurring revenue, a closely watched metric among cybersecurity companies, grew 24%, to $5.25 billion. 
  • “The results come at a time of growing market anxiety about how AI adoption could render traditional software — including cybersecurity tools — obsolete. CrowdStrike executives acknowledged those larger industry concerns and noted the Q4 performance was a demonstration that certain companies were well-positioned to compete in the new marketplace.” 

• ZDNet adds,
  • “Anthropic, OpenAI, and Google tools can automate code debugging. 
  • “But cybersecurity is too complex a problem for these tools to solve. 
  • “AI’s biggest contribution may be to reduce avoidable software flaws. 

• Healthexec relates,
  • “In January, National Security Agency (NSA), released protocols for the U.S. Department of War to achieve “zero trust” security across the agency, meaning any access to the network must come from something continually inside it. While such a setup would be technically demanding for healthcare, the American Hospital Association (AHA) said it may be time for facilities to start moving in that direction.
  • “Zero trust security would mean radical changes for hospitals, where a countless number of devices have access to networks, including everything from EHRs to medical devices, to tablets and smartphones used for communication.
  • “What the NSA wants the Department of War to adopt is a system where no one gains access to a network from the outside, meaning no logins or passwords. In fact, even systems connected to the network from the inside are not automatically trusted.
  • “In other words, every user, device, and system must continually prove they are allowed access—and access is limited strictly to what’s necessary.
  • “The ethos of zero trust means that it’s assumed even the network itself isn’t safe, hence the continuous verification. Something like a two-factor authentication app displaying a constant active code would be required to log on.”

• The AHA News adds,
  • “The Administration for Strategic Preparedness and Response has released a new cybersecurity module for organizations to conduct risk assessments. The free module, part of ASPR’s web-based Risk Identification and Site Criticality 2.0 Toolkit, allows organizations to identify threats, assess vulnerabilities, determine consequences and criticality, and share findings with stakeholders. Users are guided through a series of questions about their policies and practices, which are scored against the National Institute of Standards and Technology’s Cybersecurity Framework 2.0 and the Department of Health and Human Services’ Cybersecurity Performance Goals. The questions are designed to help organizations identify critical gaps, prioritize investments and inform their decisions on risk mitigation.” 
    
• SC World tells us,
  • “The 2026 Zero Trust World conference kicked off here Wednesday (March 4) with a particularly optimistic keynote by futurist and TV host Jason Silva and also featured a last-minute addition in the form of a talk by former White House CIO Theresa Payton.
  • “But it was the smaller sessions, including a dark-web primer and a live Security Now! podcast broadcast featuring cybersecurity veterans Steve Gibson and Leo LaPorte, that stole the show during the first day of ThreatLocker’s annual user conference.”

• Tech Target explains “how to perform a data risk assessment, step by step.”

• Here’s a link to Dark Reading’s CISO Corner.

From the cybersecurity policy and law enforcement front,

• Cybersecurity Dive reports,
  • “The Trump administration late Thursday removed the scandal-plagued acting director of the Cybersecurity and Infrastructure Security Agency, injecting fresh uncertainty into the operations of an agency already grappling with a morale crisis as it tries to protect the U.S. from sophisticated hacking threats.
  • “The Department of Homeland Security reassigned Madhu Gottumukkala, the deputy CISA director who had led the agency in an acting capacity since last May, to a position at DHS headquarters. Nick Andersen, the executive assistant director for CISA’s Cybersecurity Division and one of the few remaining political appointees at the agency, will step in as acting director.”

• Federal News Network adds,
  • “Sen. Ron Wyden (D-Ore.) is blocking the Trump administration’s nominee to lead both U.S. Cyber Command and the National Security Agency. Wyden said Lt. Gen. Joshua Rudd, who currently serves as the deputy commander of U.S. Indo-Pacific Command, lacks the experience needed to immediately step into the dual leadership role. The lawmaker added that when it comes to U.S. cybersecurity, “there is simply no time for on-the-job learning, the threat is just too urgent for that.”

• Gov Info Security relates,
  • “A bipartisan group of senators called on the federal government to update the regulations governing healthcare cybersecurity through a Thursday vote sending a bill aimed at bolstering sector resilience to the full Senate.
  • ‘The Senate Health, Education, Labor and Pensions Committee voted 22 to 1 to advance the Health Care Cybersecurity and Resiliency Act, a bill that requires publishing cybersecurity guidance for rural medical practices and improved coordination between federal agencies.
  • It has the backing of a healthcare cybersecurity working group that includes committee Chair Bill Cassidy, R-La.
  • “The legislation would additionally bolster an apparently stalled effort to update the HIPAA Security Rule that the Department of Health and Human Services published during the final weeks of the Biden administration (see: What’s in HHS’ Proposed HIPAA Security Rule Overhaul?).
  • “The bill would enforce many of the proposed rule’s updates, including requiring HIPAA-covered organizations and business associates to adopt multifactor authentication and encryption, to conduct audits, including penetration testing. It additionally calls for “other minimum cybersecurity standards” to be determined by the HHS secretary, “in consultation with private sector organizations, based on landscape analysis of emerging and existing cybersecurity vulnerabilities and consensus-based best practices.”
  • “The fate of the Biden administration’s proposed HIPAA overhaul is uncertain at this point. The HHS Office of Civil Rights is expected to make some kind of decision in May on whether it will move forward with the proposals, or perhaps issue a revised version of proposed rulemaking.”

• The National Institute of Standards and Technology celebrated the second anniversary of the  Cybersecurity Framework (CSF) 2.0!
  • “If you haven’t migrated your cybersecurity risk management strategy to the CSF 2.0, there’s no time like the present. Where can you start?
    • “Familiarize yourself with the CSF 2.0 in PDF form or dynamically in the CSF 2.0 Tool.
    • “View our library of CSF 2.0 Quick Start Guides.
    • “Review the Cybersecurity Framework 1.1 to 2.0 Core Transition Changes Overview Supplemental Spreadsheet. 
    • “Watch or listen to the webinar recording, “Implementing CSF 2.0: The Why, What, and How“

• Cyberscoop notes,
  • “An ex-L3 Harris executive was sentenced to over seven years in prison Tuesday after pleading guilty to selling eight zero-day exploits to a Russian broker in exchange for millions of dollars.
  • “Peter Williams, 39, admitted to two counts of theft of trade secrets in U.S. District Court in Washington, D.C., last year, acknowledging he took at least eight exploits or exploit components while working at Trenchant, a specialized cybersecurity unit owned by L3Harris. Prosecutors said the materials were intended for restricted use by the U.S. government and allied partners.
  • “Authorities said Williams sold the stolen information to a broker that advertised itself as a reseller of hacking tools and described it as serving multiple customers, including the Russian government. In court, the government referred to the buyer as “Company 3,” but details read aloud during the plea hearing pointed to Operation Zero, a Russian exploit broker that publicly markets itself online as a platform for purchasing zero-day vulnerabilities.”

From the cybersecurity breaches and vulnerabilities front,

• Cybersecurity Dive reports,
  • “Federal agencies have until Friday evening [February 27] to update certain Cisco networking devices that are vulnerable to compromise, the Cybersecurity and Infrastructure Security Agency said on Tuesday [February 24].
  • “In an emergency directive about Cisco’s Software-Defined Wide-Area Networking (SD-WAN) systems, CISA said it was “aware of a cyber threat actor’s ongoing exploitation” of two vulnerabilities in Cisco Catalyst SD-WAN Manager and Catalyst SD-WAN Controller devices and called the activity “an imminent threat to federal networks.”
• and
  • “The Cybersecurity and Infrastructure Security Agency on Thursday warned that a malware variant previously used in attacks against Ivanti Connect Secure environments may remain undetected on systems. 
  • “In March 2025, CISA issued an alert about the malware, dubbed Resurge, in connection with exploitation of CVE-2025-0282, a stack-based buffer overflow vulnerability in certain versions of Ivanti Connect Secure and other Ivanti products. 
  • “The agency has since analyzed three samples from a critical infrastructure provider’s Ivanti Connect Secure device after hackers exploited the flaw to gain initial access. The analysis shows that Resurge can remain latent on a device until a remote hacker attempts to contact the device.” 

• CISA also added three known exploited vulnerabilities to its catalog this week.
  • February 24, 2026
    • CVE-2026-25108 Soliton Systems K.K. FileZen OS Command Injection Vulnerability
      • The Hackers News discusses this KVE here.
  • February 25, 2026
    • CVE-2022-20775 Cisco Catalyst SD-WAN Path Traversal Vulnerability
    • CVE-2026-20127 Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass Vulnerability 
      • Cyberscoop discusses these KVEs here.

• Cyberscoop adds,
  • “Would-be attackers spent 2025 swimming in a sea of more than 40,000 newly published vulnerabilities, VulnCheck said in a report released Wednesday, but only 1% of those defects, just 422, were exploited in the wild.
  • “As the deluge of vulnerabilities grows every year, and CVSS ratings lose significance for vulnerability management prioritization, some defenders are turning to research on known exploited vulnerabilities to narrow their scope of work and place more emphasis on verified risks. 
  • “The growth in CVE volume is ludicrous, not necessarily unfounded, but it’s large. Defenders don’t know what to pay attention to,” Caitlin Condon, vice president of security research at VulnCheck, told CyberScoop. “Prioritization is still a huge problem.”
  • “Too many defenders and researchers are paying attention to defects and unsubstantiated exploit concepts that aren’t worth their time, Condon added. “The indicators of risk that used to be semi reliable, now no longer are.”
• and
  • “Cyberattacks reached victims faster and came from a wider range of threat groups than ever last year, CrowdStrike said in its annual global threat report released Tuesday, adding that cybercriminals and nation-states increasingly relied on predictable tactics to evade detection by exploiting trusted systems.
  • “The average breakout time — how long it took financially-motivated attackers to move from initial intrusion to other network systems — dropped to 29 minutes in 2025, a 65% increase in speed from the year prior. “The fastest breakout time a year ago was 51 seconds. This year it’s 27 seconds,” Adam Meyers, head of counter adversary operations at CrowdStrike, told CyberScoop.
  • “Defenders are falling behind because attackers are refining their techniques, using social engineering to access high-privilege systems faster and move through victims’ cloud infrastructure undetected.”

• Cybersecurity Dive points out,
  • “Hackers are increasingly integrating artificial intelligence into all phases of the cyberattack life cycle, with the technology regularly analyzing target information, generating phishing emails and providing coding assistance, security firm ReliaQuest said in a report published on Tuesday [February 24].
  • “Other recent reports from IBM and cyber insurer Resilience similarly highlight how AI has changed the threat landscape.
  • At the same time, a new Sophos report said it was important to put in perspective AI’s ‘capabilities and impact.”

• LinkedIn informs us,
  • “One of the largest data breaches in U.S. history is even bigger than was known. The Conduent cyberattack has now affected more than 25 million Americans, according to a recent update. The January 2025 incident exposed Social Security numbers, medical records and other sensitive information. Conduent is one of the largest contractors for the U.S. government, providing mailroom, printing and payment processing services for state government benefit offices — meaning it manages “a large amount of personal information belonging to a large swath of the United States,” per TechCrunch.”

• Cybersecurity Dive adds,
  • “Hackers working for the Chinese government broke into more than 50 telecommunications companies and government agencies in 42 countries, in a campaign that exploited cloud platforms’ legitimate features to hide the attackers’ tracks.
  • “The attacker was using API calls to communicate with [software-as-a-service] apps as command-and-control (C2) infrastructure to disguise their malicious traffic as benign,” researchers at Google’s Threat Intelligence Group and Mandiant said in a report on Wednesday.
  • “Google said the “prolific, elusive” China-linked hacker team, which it tracks as UNC2814, “has a long history of targeting international governments and global telecommunications organizations across Africa, Asia, and the Americas.”

From the ransomware front,

• The Mississippi Clarion Ledger reports,
  • “Officials with the University of Mississippi Medical Center stated the hospital system is “getting closer to full functions” following a cyberattack on Feb. 19 that disrupted operations.
  • “UMMC issued a statement Friday, Feb. 27, stating after being able to access patient records, clinics statewide will resume normal operations and scheduled appointments on Monday, March 2.
  • “UMMC also stated that on March 2, clinics will begin reaching out to patients to reschedule appointments that were cancelled. Officials added that UMMC clinics will reopen with extended hours and additional days in order to accommodate patients as soon as possible.
  • “All hospitals and emergency departments located in Jackson, Madison County, Holmes County and Grenada remain open.”

• Cybersecurity Dive relates,
  • “UFP Technologies, a Massachusetts-based medical device maker, said it is investigating a cyberattack in mid-February that led to some of its company data being stolen or potentially destroyed, according to a regulatory filing. 
  • “The company said the attack, which was detected Feb. 14, impacted most of its IT network, as well as its billing and label-making capabilities for customer deliveries. The company said it was able to continue operations using data backups and implementing contingency plans.
  • “This was a classic ransomware attack that appeared to have impacted many, but not all, of our IT systems,” Ronald Lataille, chief financial officer at UFP Technologies, said Wednesday on a quarterly conference call with analysts. “Data was taken and then destroyed.”
  • “The company is still trying to figure out how much sensitive information, including personally identifiable data, may have been impacted by the attack, according to the 8-K filing with the Securities and Exchange Commission. However, the company does not currently believe the attack will have a material impact on its financial condition.”

• The Hacker News adds,
  • “The North Korea-linked Lazarus Group (aka Diamond Sleet and Pompilus) has been observed using Medusa ransomware in an attack targeting an unnamed entity in the Middle East, according to a new report by the Symantec and Carbon Black Threat Hunter Team.
  • “Broadcom’s threat intelligence division said it also identified the same threat actors mounting an unsuccessful attack against a healthcare organization in the U.S. Medusa is a ransomware-as-a-service (RaaS) operation launched by a cybercrime group known as Spearwing in 2023. The group has claimed more than 366 attacks to date.
  • “Analysis of the Medusa leak site reveals attacks against four healthcare and non-profit organizations in the U.S. since the beginning of November 2025,” the company said in a report shared with The Hacker News.”

• The Register informs us,
  • “Ransomware payments cratered in 2025, but it seems like the cybercrooks launching the attacks didn’t get the memo.
  • “That’s the headline from Chainalysis’ 2026 Crypto Crime Report, which shows total on-chain ransomware payments falling for a second straight year, even as victim counts and leak site pressure continue to climb.
  • “Ransomware gangs pulled in about $820 million in 2025, roughly 8 percent less than the year before, as the share of victims paying dropped to an all-time low of 28 percent. That drop might sound like progress if the wider picture weren’t so bleak: the median ransom demand jumped from $12,738 in 2024 to $59,556 in 2025, and the number of publicly claimed attacks climbed along with it.
  • “Despite the relative stability in total payments, ransomware attacks surged across multiple vectors in 2025, with eCrime.ch data showing a 50 percent YoY increase in claimed ransomware victims, marking the most active year on record,” Chainalysis said.”

• Help Net Security adds,
  • Intrusions continue to center on credential access and timed execution outside standard business hours. The Sophos Active Adversary Report 2026 analyzes 661 incident response and managed detection and response cases handled between November 1, 2024 and October 31, 2025, spanning organizations in 70 countries.
  • “The dataset examines how attackers gain access, how quickly they reach key systems, and when ransomware and data theft occur.” * * *
  • “Timing patterns show that the most disruptive stages of ransomware incidents often occur when organizations are operating with reduced staffing. In 88% of ransomware cases, encryption was deployed during non business hours.
  • “Data exfiltration followed a similar pattern, with 79% of theft activity also occurring outside the typical workday.
  • “Off hours deployment increases the likelihood that encryption or large scale data transfers proceed without immediate interruption. It places emphasis on monitoring coverage that extends beyond standard schedules.”

From the cybersecurity business and defenses front,

• Dark Reading reports,
  • “The cybersecurity venture capital market experienced unprecedented activity in 2025, driven primarily by the rush to AI-native security solutions and a massive surge in mergers and acquisitions that reached record levels.
  • “In 2025, VC firms invested $119 billion in cybersecurity businesses, with 400 M&A transactions accounting for the majority of funding and another 820 financing deals totaling nearly $21 billion, according to data from Momentum Cyber, a cybersecurity investment bank. The total value of M&A, financing, and IPO activity in 2025 nearly tripled that of deals in the previous year.”
• and
  • “Cybersecurity experts are calling for a major shift in how companies handle data breaches and security failures, arguing that greater transparency and specific detail disclosure about how and why they occur is essential if the industry hopes to effectively reduce cyber-risk.
  • “At the upcoming RSAC Conference, threat research experts Adam Shostack and Adrian Sanabria will make the case for greater incident transparency and the need for structured feedback loops in cybersecurity, in a session aptly titled “A Failure Is a Terrible Thing to Waste: The Case for Breach Transparency,”scheduled for Monday, March 23.”

• Cybersecurity Dive informs us,
  • “The AI era is transforming what CISOs do and how they do it, the enterprise software firm Splunk said in a report published on Tuesday [Feburary 24].
  • “Nearly all CISOs have been assigned to manage their organizations’ AI governance responsibilities, the report found, a significant expansion of “their already overwhelming mandates.”
  • CISOs interviewed in the report expressed both an awareness that they needed to use AI and a range of concerns about its potential harms.”

• Dark Reading relates,
  • “As one ransomware community shutters in RAMP, two more pop up to take its place. 
  • “Rapid7 today published an analysis of that ransomware ecosystem after US authorities seized infrastructure tied to the notorious RAMP cybercrime forum last month. For years, RAMP has been the primary vehicle for acquiring ransomware-as-a-service (RaaS) affiliates, but the Jan. 28 interagency sting led by the FBI forced many cybercrime outfits to find a new means to sell their wares. 
  • “Rapid7’s Alexandra Blia and Efi Sherman in this week’s blog post identified two potential forums where attackers might go next. The bigger takeaway, however, is that the cybercrime ecosystem is fragmenting, and defenders will need to adapt.”
• and
  • A newly developed method for gauging the impact of an OT cybersecurity incident could pave the way for more accurate measurement and response to an event, and also shine light on risk and business ramifications.
  • The Operational Technology Incident (OTI) Impact Score — which will be unveiled today [February 24] at the ICS/OT industry’s S4x26 Conference in Miami — aims to provide rapid clarity on the actual effects of OT cyber incidents, which often get over- or under-hyped, according to Dale Peterson, co-creator of the OTI model and head of ICS/OT consulting and research firm Digital Bond.
  • The OTI model, inspired by the Richter Scale used for measuring earthquake intensity and impact, is meant for OT business executives, governments, cyber insurers, the media, and the general public, according to Peterson, who is the founder and program chair of S4.

• Here is a link to Dark Reading’s CISO Corner.

From the cybersecurity policy and law enforcement front,

• Cyberscoop reports from its Cybertalks event held earlier this week.
  • “Department of Health and Human Services official said Thursday that HHS is devoting a lot of attention to the security of third-party service providers after the 2024 Change Healthcare cyberattack.
  • “That attack, which is widely regarded as the biggest ever in the sector — including by HHS’s Charlee Hess, who spoke Thursday at CyberTalks presented by CyberScoop — began with hackers exploiting the lack of multifactor authentication set up on a remote access portal at Change Healthcare.
  • “It wasn’t a hospital, it was a company most people have never heard of and had major impacts on our sector and threatened the liquidity of our entire health care system,” said Hess, director of the healthcare and public health sector cybersecurity at the Administration for Strategy Preparedness and Response division. “We recovered from that, but we realized there are third-party risks lurking in our health care system, and we don’t even know they’re there. Where are those entities or systems that will have an outsized impact on our sector?”
• and
  • “A top FBI cyber official said Salt Typhoon, the Chinese cyber espionage group behind the widespread compromise of U.S. telecommunications infrastructure in 2024, continues to pose a broad threat to both America’s private and public sectors.
  • “Michael Machtinger, deputy assistant director for cyber intelligence at the FBI, touted improved partnerships between the telecommunications industry and government in the wake of the campaign while speaking at CyberTalks, presented by CyberScoop, in Washington D.C. Thursday.
  • Companies who engaged with the FBI and federal agencies like CISA early after the campaign went public “have been without a doubt the most successful in mitigating the impact of the Salt Typhoon intrusions,” he claimed.”
• and
  • “The Trump administration wants to boost the use of artificial intelligence for security in a way that doesn’t increase the number of targets for adversaries to attack, a top official with the Office of the National Cyber Director said Thursday.
  • “The administration will “promote the rapid implementation of AI enabled cyber defensive tools to detect, divert and deceive threat actors who continue targeting our vital systems and sectors,” Alexandra Seymour, principal deputy assistant cyber director for policy, said at CyberTalks, presented by CyberScoop. “We want to ensure that as Americans, companies and agencies deploy AI to defend themselves, they are not inadvertently making themselves more vulnerable by widening the attack surface.”
  • “Overall, “We’re working with our interagency and White House colleagues to promote AI-driven success while addressing concerns about AI security and countering AI abuse by adversaries,” she said.
  • “The focus on AI is expected to get further attention from a forthcoming national cyber strategy and the implementation of that strategy due to follow.”

• Federal News Network adds,
  • “The National Institutes of Standards and Technology is launching a new project around standards for artificial intelligence agents, with NIST positioning the project as key to advancing agentic AI innovation.
  • “NIST’s Center for AI Standards and Innovation (CAISI) announced the “AI Agent Standards Initiative” this week. The project aims to foster “industry-led technical standards and protocols that build public trust in AI agents, catalyze an interoperable agent ecosystem, and diffuse their benefits to all Americans and across the world,” NIST said in a release this week.
  • “AI agents can now work autonomously for hours, write and debug code, manage emails and calendars, and shop for goods, among other emerging use cases,” NIST added. “While the productivity promise is enticing, the real-world utility of agents is constrained by their ability to interact with external systems and internal data. Absent confidence in the reliability of AI agents and interoperability among agents and digital resources, innovators may face a fragmented ecosystem and stunted adoption.”
  • While NIST’s press release positioned the project around innovation, the initiative’s opening products are centered on security. Since AI agents can take actions autonomously, tech experts say they present significant safety and security concerns.
  • “The initiative’s initial outputs includes a request for information on “AI agent security.” The deadline for responses to the RFI is March 9.”
    
• Per February 19, 2026, HHS news release,
  • “[T]he U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announced a settlement with Top of the World Ranch Treatment Center (TWRTC), a substance use disorder treatment provider in Illinois, for a potential violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.” * * *
  • “The settlement resolves an investigation of TWRTC that OCR initiated after receiving a breach report that TWRTC filed in March 2023. TWRTC reported that, as a result of a successful phishing attack, an unauthorized third party accessed ePHI through a workforce member’s email account. TWRTC concluded that the ePHI for 1,980 patients was compromised by the attack. OCR’s investigation found evidence that TWRTC failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI TWRTC holds as required by the HIPAA Security Rule.
  • “Under the terms of the resolution agreement, TWRTC agreed to implement a corrective action plan that OCR will monitor for two years, and paid $103,000 to OCR.” * * *
  • “The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/sites/default/files/ocr-ra-cap-twrtc.pdf [PDF, 249 KB]“

• Cyberscoop reports,
  • “A Ukrainian national who ran multiple operations to aid the North Korean government’s expansive scheme to  hire remote IT workers at U.S. companies was sentenced to five years in prison, the Justice Department said Thursday.
  • “Oleksandr Didenko stole U.S. citizens’ identities and created more than 2,500 fraudulent accounts on freelance IT job forums, money service transmitters, email services, and social media platforms to sell the proxy identities to North Korean workers. The 29-year-old pleaded guilty to multiple crimes related to the six-year scheme in November 2025.” * * *
  • “U.S. law enforcement has racked up some wins by seizing stolen cryptocurrency and targeting U.S.-based facilitators who provide forged or stolen identities for North Korean operatives. 
  • “Yet, the regime’s scheme runs deep. North Korean nationals have infiltrated many top global companies, and researchers continue to uncover evidence of new tactics and techniques operatives have used to evade detection.”

From the cybersecurity vulnerabilities and breaches front,

• Bleeping Computer tells us,
  • “PayPal is notifying customers of a data breach after a software error in a loan application exposed their sensitive personal information, including Social Security numbers, for nearly 6 months last year.
  • “The incident affected the PayPal Working Capital (PPWC) loan app, which provides small businesses with quick access to financing.
  • “PayPal discovered the breach on December 12, 2025, and determined that customers’ names, email addresses, phone numbers, business addresses, Social Security numbers, and dates of birth had been exposed since July 1, 2025.
  • “The financial technology company said it has reversed the code change that caused the incident, blocking attackers’ access to the data one day after discovering the breach.
  • “On December 12, 2025, PayPal identified that due to an error in its PayPal Working Capital (“PPWC”) loan application, the PII of a small number of customers was exposed to unauthorized individuals during the timeframe of July 1, 2025 to December 13, 2025,” PayPal said in breach notification letters sent to affected users.”

• The Cybersecurity and Infrastructure Security Agency (CISA) added eight known exploited vulnerabilities to its catalog during this shutdown week.
  • February 17, 2026
    • CVE-2008-0015 Microsoft Windows Video ActiveX Control Remote Code Execution Vulnerability
    • CVE-2020-7796 
    • CVE-2024-7694 TeamT5 ThreatSonar Anti-Ransomware Unrestricted Upload of File with Dangerous Type Vulnerability
    • CVE-2026-2441 Google Chromium CSS Use-After-Free Vulnerability
      • Cybersecurity News discusses the MS Windows KVe here.
      • The Hacker News discusses the other three KVEs here.
  • February 18, 2026
    • CVE-2021-22175 GitLab Server-Side Request Forgery (SSRF) Vulnerability
    • CVE-2026-22769 Dell RecoverPoint for Virtual Machines (RP4VMs) Use of Hard-coded Credentials Vulnerability
      • DeV discusses the Gitlab KVE here.
      • Bleeping Computer discusses the Dell KVE which demands immediate attention.
  • February 20, 2026
    • CVE-2025-49113 RoundCube Webmail Deserialization of Untrusted Data Vulnerability
    • CVE-2025-68461 RoundCube Webmail Cross-site Scripting Vulnerability
      • The Hacker News discusses these KVEs here.

• Cybersecurity Dive reports,
  • “A critical vulnerability in BeyondTrust Remote Support is facing an increase in threat activity, with hackers deploying SparkRAT and vShell backdoors and using remote management tools to conduct reconnaissance, according to a blog post released Thursday by Palo Alto Networks’ Unit 42. 
  • “Multiple BeyondTrust Remote Support users have been confirmed targets, and a range of industries have been impacted, including financial services, technology, higher education, legal services and healthcare among others. 
  • “The vulnerability, tracked as CVE-2026-1731, is an operating system command injection flaw that also impacts some older versions of BeyondTrust Privileged Remote Access. 
  • “The flaw was originally discovered by researchers at Hacktron and disclosed to BeyondTrust.”

• Per an HHS announcement,
  • “The Department of Health and Human Services (HHS) encourages Healthcare and Public Health (HPH) sector organizations to review and address a critical vulnerability identified in BeyondTrust Remote Support and Privileged Remote Access solutions in light of rising cyber attacks affecting the sector.
  • “BeyondTrust published Security Advisory BT26-02 regarding a critical pre-authentication remote code execution vulnerability, identified as CVE-2026-1731, affecting Remote Support and older versions of Privileged Remote Access. The vulnerability carries a CVSSv4 score of 9.9 and may be triggered through specially crafted client requests, potentially allowing an unauthenticated remote attacker to execute operating system commands in the context of the site user. 
  • “The vulnerability affects Remote Support version 25.3.1 and prior and Privileged Remote Access version 24.3.4 and prior, with remediation available through specific patches or by upgrading to fixed versions. BeyondTrust issued patches on February 2, 2026, which were automatically deployed to instances with the update service enabled and fully applied to Software as a Service environments. BeyondTrust applied patches to all SaaS customers as of February 2, 2026, and instructed self-hosted customers to manually apply updates or upgrade to supported versions where necessary. For additional information, organizations are encouraged to review the BeyondTrust Security Advisory.”

• Dark Reading relates,
  • “New data suggests a cyber espionage group is laying the groundwork for attacks against major industries.
  • “The “React2Shell” vulnerability is already almost a few months old, but it’s far from over. An unknown but possibly state-sponsored threat actor has been using a newly discovered, maturely named toolkit — “ILovePoop” — to probe tens of millions of Internet protocol (IP) addresses worldwide, looking for opportunities to exploit React2Shell. A report from WhoisXML API, shared with Dark Reading, suggests the threat actor might be out for big game: government, defense, finance, and industrial organizations, among others, around the world but particularly in the United States.
  • “A few months later, the situation has yet to calm down, Pham says. “There are still tens of thousands of vulnerable instances exposed on the internet, and additional botnets have added React2Shell to their arsenals. It has also been confirmed in ransomware campaigns,” she says. 
  • The big difference now is that the attacks have gotten more sophisticated, as the attackers have had more time to gameplan. “The post-exploitation tradecraft has gotten more sophisticated over time. We are seeing things like PeerBlight’s use of the BitTorrent DHT as a resilient C2 fallback, which is a technique designed specifically to survive traditional domain takedowns,” Phams says.” * * *
  • “Patching a deep-rooted vulnerability like React2Shell isn’t as simple as clicking an “Update” button.”
• and
  • “When Hillai Ben Sasson and Dan Segev set out to hack AI infrastructure two years ago, they expected to find vulnerabilities — but they didn’t expect to compromise virtually every major AI platform they targeted.
  • “The two researchers — who work in offensive and defensive research, respectively, at cloud-security firm Wiz — wanted to experiment with how they could attack the AI infrastructure being deployed as part of foundational models, AI services, and in-house AI projects. Yet, what started as simple attacks on the AI supply chain — such as abusing the widely used Pickle format to run arbitrary code — evolved into a comprehensive threat assessment spanning five distinct layers of the AI stack.
  • “They plan to present the lessons learned over their two years of research at the upcoming RSAC Conference in March. Perhaps the most important lesson: Focus on the infrastructure used to to train, run, and host AI services, and not on prompt-injection attacks, says Segev, a security architect in the Office of the CTO at Wiz.”
• and
  • “A growing phishing-as-a-service (PhaaS) tool reliably undermines traditional methods for detecting phishing attacks, both technical and psychological.
  • “Starkiller,” described this week by researchers at Abnormal AI, is packaged and sold with a sleekness comparable to legitimate software-as-a-service (SaaS) platforms. It’s got a clean, retrofuturist dashboard, sporting real-time campaign analytics. It gets periodic updates, and even allows its cybercriminal users to log in using two-factor authentication (2FA).
  • “It’s got substance to back up its style, too. Its website advertises “enterprise-grade phishing infrastructure” for “campaigns that bypass modern security systems.” Though its self-reported 99.7% success rate is almost certainly fictional, it really does help attackers bypass many of the traditional phishing security techniques so many enterprises rely on, according to Abormal AI’s research.”

• Cybersecurity Dive notes,
  • “The vulnerability of the “connective tissue” of the AI ecosystem — the Model Context Protocol and other tools that let AI agents communicate — “has created a vast and often unmonitored attack surface” that is making it easier for hackers to use AI to launch cyberattacks, Cisco said in a report published Thursday [February 19].
  • “Cisco said AI tools’ increasing ability to “execute processes, access databases, and push code on behalf of humans” has become the dominant AI risk and warned companies not to give AI “unsupervised control over critical business functions.”
  • “The new report also described nation-state hackers’ use of AI and warned businesses about potential AI supply-chain crises.”

From the ransomware front,

• Bleeping Computer reports,
  • “The University of Mississippi Medical Center (UMMC) closed all its clinic locations statewide on Thursday [February 19] following a ransomware attack.
  • “UMMC has over 10,000 employees and, as one of the largest employers in Mississippi, operates seven hospitals, 35 clinics, and more than 200 telehealth sites statewide. The medical center includes the state’s only children’s hospital, only Level I trauma center, only organ and bone marrow transplant program, and the only Telehealth Center of Excellence, one of two across the United States.
  • “As revealed on Thursday afternoon, the cyberattack took down many of its IT systems and blocked access to the Epic electronic medical records. While UMMC cancelled outpatient and ambulatory surgeries/procedures and imaging appointments, officials said hospital services continue via downtime procedures.”

• The HIPAA Journal points out ransomware attacks against three other healthcare entities.
  • “Issaqueena Pediatric Dentistry in South Carolina, Enhabit Home Health & Hospice in Texas, and AltaMed Health Services in California have announced that patient data has potentially been compromised in ransomware attacks.”

• Per an Arctic Wolf news release,
  • “Arctic Wolf®, a global leader in security operations, today [February 17] published the 2026 edition of its Threat Report, which analyzes hundreds of real‑world incident response engagements and threat intelligence findings from the past year. The report reveals a continued rise in data‑theft‑driven extortion, sustained pressure from ransomware groups, and a significant increase in attacks that leverage remote access tools rather than technical exploits.
  • “In 2025, ransomware, business email compromise (BEC), and data incidents once again dominated Arctic Wolf’s caseload, accounting for 92% of all incident response engagements. While ransomware remained the most common category, data‑only extortion incidents surged 11x year over year, signaling a strategic shift as threat actors adapt to improved organizational recovery capabilities. The report also finds that 65% of non‑BEC intrusions stemmed from abuse of remote access technologies like RDP, VPN, and RMM tools; which is a dramatic rise that underscores attackers’ preference for low‑friction entry points.
  • “Attackers continue to rely on operational efficiency – logging in instead of breaking in, stealing data instead of encrypting it, and exploiting trusted tools rather than complex vulnerabilities,” said Ismael Valenzuela, vice president, Labs, Threat Research & Intelligence, Arctic Wolf. “Organizations that invested in visibility, identity security, and disciplined remote access controls were far more resilient throughout the year.”

• Cybersecurity Dive adds,
  • “Hackers are using ransomware to accelerate the timeline for cyberattacks, moving on average four times faster than just a year ago, according to an incident response report released Tuesday by Palo Alto Networks. 
  • “AI is being used for reconnaissance, phishing and scripting, and operational execution in many cases. In the most efficient attacks, groups exfiltrate data just 72 minutes after initial access. 
  • Identity is a primary element in attacks, showing up in 90% of incident response cases. Threat groups are increasingly using stolen identities and tokens to gain entry without triggering security warnings.  
  • “Once an attacker has legitimate credentials, they’re not breaking in, they’re logging in,” Sam Rubin, a senior vice president at Palo Alto Networks’ Unit 42, told Cybersecurity Dive. “When an adversary blends into normal traffic, detection becomes incredibly challenging for even mature defenders.”
  • “The report is based on analysis of more than 750 incident response casesacross the globe that involved Unit 42 analysts and researchers.” 

• Qualsys assesses “What Is Black Basta Ransomware and How to Mitigate Attack.”
  
• IT Brew considers how a ransomware attacker thinks.
  • “When it comes to ransomware criminals, the answers can vary. Some organizations are sophisticated businesses where hackers are treated as employees with HR departments and paid time-off, while others are more ramshackle.
  • “But they’re all dangerous—and after your data. Mike Puglia, general manager of cybersecurity labs at Kaseya, told IT Brew that financial motivation has been the constant motive of ransomware attackers. The tactics are much the same between groups: gaining access, exploiting vulnerabilities, escalating privileges, and deploying an encrypter to hold the data for payment.
  • “It’s Whac-a-Mole, or a game of cat and mouse, between defenders and attackers, and as soon as one hole is closed, suddenly the next wave comes,” Puglia said.”

• Per an HHS announcement,
  • “The National Institute of Standards and Technology (NIST) hosted a virtual event titled Resources for Ransomware Risk Management on January 28, 2026. The event focused on ransomware as a persistent risk to organizations of all sizes and sectors and emphasized the need for cross-sector collaboration to develop practical resources for reducing ransomware risk. Speakers from NIST, the Center for Internet Security, and the Institute for Security and Technology (IST) provided an overview of available ransomware risk management resources designed to help organizations establish foundational safeguards and build effective strategies. Featured resources included the NIST Ransomware Risk Management Cybersecurity Framework 2.0 Community Profile, published as an initial public draft, and the IST and Ransomware Task Force Blueprint for Ransomware Defense, which offers an actionable framework tailored for small to medium-sized enterprises. Presenters described the development and use of these resources and discussed ongoing and future efforts in ransomware risk management, with the session allowing time for audience questions and discussion. For additional details, refer to the Ransomware Risk Management webinar.”

From the cybersecurity business and defenses front,

• The Wall Street Journal reports,
  • “Palo Alto Networks PANW lifted its full-year revenue outlook after recording a jump in second-quarter profit driven by continued demand for cybersecurity services.
  • “However, the company issued per-share earnings guidance for its current quarter below Wall Street expectations, in part as it contends with higher costs for memory and storage. It plans to raise prices later in the fiscal year to offset the increases.
  • “The stock, which has dropped 11.2% to start the year, fell 8% in late trading Tuesday to $150.46.
  • “The Santa Clara, Calif.-based company on Tuesday [February 17] said it now expects full-year revenue to come in between $11.28 billion and $11.31 billion, up from a range of $10.5 billion to $10.54 billion.
  • “The raised revenue view came after Palo Alto reported a profit of $432 million, or 61 cents a share, for its fiscal second quarter, compared with a profit of $267.3 million, or 38 cents a share the prior year.”

• Cybersecurity Dive adds,
  • “As investors worry that existing software and services could be rendered obsolete, Palo Alto Networks CEO Nikesh Arora said the rapid acceleration of AI should not be considered a threat to cybersecurity. 
  • “Arora addressed the concerns on Tuesday during the company’s fiscal second-quarter conference call, where the surge in AI dominated much of the discussion. 
  • “As AI becomes more pervasive across the enterprise, it expands the attack surface area, more infrastructure, more machine-to-machine activity and new classes of risk that simply didn’t exist before,” Arora said. “In that environment, security cannot sit on the sidelines.”
  • “Arora said despite the current sentiment about software and AI, the company believes that security is the enabling layer “that allows innovation to move forward safely and at scale.”
• and
  • “Businesses need to pay attention to identity security and third-party risk management to avoid falling prey to hackers whose techniques have evolved, the risk intelligence company Dataminr said in a threat report published on Wednesday [February 18].
  • “2025 marked a clear shift from ‘frequent but contained’ cyber losses toward fewer events with materially larger financial and mission impact,” the report said, attributing the shift to “multi-vector attacks” leveraging stolen credentials, data theft, operational disruptions and regulatory exposure.
  • “Dataminr’s report contains several high-priority recommendations for enterprises, including about supply chain security and the need to look beyond a vulnerability’s severity score.”

• Dark Reading offers “A CISO’s Playbook for Defending Data Assets Against AI Scraping.”
  • “Discover a strategic approach to govern scraping risks, balance security with business growth, and safeguard intellectual capital from automated data harvesting.”

• Cyberscoop relates,
  • “Anthropic is rolling out a new security feature for Claude Code that can scan a user’s software codebases for vulnerabilities and suggest patching solutions.
  • “The company announced Friday that Claude Code Security will initially be available to a limited number of enterprise and team customers for testing. That follows more than a year of stress-testing by the internal red teamers, competing in cybersecurity Capture the Flag contests and working with Pacific Northwest National Laboratory to refine the accuracy of the tool’s scanning features.
  • “Large language models have shown increasing promise at both code generation and cybersecurity tasks over the past two years, speeding up the software development process but also lowering the technical bar required to create new websites, apps and other digital tools.
  • “We expect that a significant share of the world’s code will be scanned by AI in the near future, given how effective models have become at finding long-hidden bugs and security issues,” the company wrote in a blog post.”

• Tech Target shares a “CISO’s guide to demonstrating cyber resilience.”
  • “Elevating cybersecurity to a state of resilience requires a security team to adapt and strengthen defenses. The result should be that a future attack is less likely to succeed.”

• Here is a link to Dark Reading’s CISO Corner.

From the cybersecurity policy front,

• Due to the partial Department of Homeland Security shutdown which began at 12:01 am this morning, the FEHBlog will present this week’s cybersecurity policy developments in chronological order.

• Per a February 11, 2026, Cybersecurity and Infrastucture Security Agency news release,
  • “The Cybersecurity and Infrastructure Security Agency (CISA) unveiled its 2025 Year in Review today, spotlighting bold achievements that strengthened the nation’s cyber and physical security in 2025. The report underscores CISA’s commitment to innovation, resilience, and collaboration. This report is a snapshot of goals achieved for this past year. Year over year CISA’s goals change as the threat landscape evolves and as we lean into core mission objectives as determined by the Administration’s policies. 
  • “The Year in Review is more than a report – it’s proof of CISA’s unwavering commitment to protecting the infrastructure and systems Americans count on every day,” said CISA Acting Director Madhu Gottumukkala. “From safeguarding federal networks to equipping communities with tools to reduce risk, our team delivered measurable results in 2025. And we’re not slowing down – we will lead with innovation, resilience and partnership to stay ahead of tomorrow’s threats.”

• Federal News Network reports,
  • “Sen. Ron Wyden (D-Ore.) is pledging to keep his hold on the nominee to lead the Cybersecurity and Infrastructure Security Agency. Wyden said he will continue to object to Sean Plankey’s nomination until CISA releases a 2022 report on security flaws in the U.S. telecommunications system. Wyden previously held up Plankey’s nomination for much of last year over the same issue. (Sen. Ron Wyden (D-Ore.) floor remarks – Congress.gov)”

• Cyberscoop tells us,
  • “A recent attempt at a destructive cyberattack on Poland’s power grid has prompted the Cybersecurity and Infrastructure Security Agency to publish a warning for U.S. critical infrastructure owners and operators.
  • “Tuesday’s alert follows a Jan. 30 report from Poland’s Computer Emergency Response Team concluded the December attack overlapped significantly with infrastructure used by a Russian government-linked hacking group, and that it targeted 30 wind and photovoltaic farms, among others.
  • “CISA said its warning was meant to “amplify” that Polish report. In particular, CISA said the attack highlighted the threats to operational technology and industrial control systems, most commonly used in the energy and manufacturing sectors.
  • ‘And CISA’s alert continues a recent agency focus on securing edge devices like routers or firewalls, after a binding operational directive last week to federal agencies to strip unsupported products from their systems.”

• Cybersecurity Dive relates,
  • “The Cybersecurity and Infrastructure Security Agency wants critical infrastructure partners’ feedback on the scope of its cyber-incident reporting regulation as the agency homes in on a final version of the long-awaited rule.
  • “In a notice set for publication in the Federal Register on Friday [January 13], CISA announced a series of town hall meetings where different sectors will be able to share their thoughts about the pending rule, which Congress required in the 2022 Cyber Incident Reporting for Critical Infrastructure Act.
  • “A draft version of the CIRCIA rule, published in April 2024, gave covered infrastructure operators 72 hours to report substantial cyber incidents to the government. Business groups and some lawmakers objected to the scope of the information that companies would need to report, as well as to the breadth of companies covered under the regulation.
  • “In its new announcement, CISA said it “appreciates stakeholders’ interest and concern that CISA implement CIRCIA to maximize its impact on improving our nation’s cybersecurity posture while minimizing unnecessary burden to entities in critical infrastructure sectors.”
  • “The agency wants infrastructure operators to share “specific, actionable improvements” to CIRCIA that “clarify or reduce” the burden of the planned reporting requirement while still giving the government ample information about the cyber-threat landscape.”
  • The virtual town hall meeting for the Emergency Services Sector, Government Facilities Sector, Healthcare and Public Health Sector is scheduled for March 17, 2026.

• Federal News Network reports,
  • “The Cybersecurity and Infrastructure Security Agency plans to designate 888 of its 2,341 employees as excepted during a shutdown. All of those employees would go without pay during a shutdown.
  • “A shutdown forces many of our frontline security experts and threat hunters to work without pay— even as nation-states and criminal organizations intensify efforts to exploit critical systems that Americans rely on—placing an unprecedented strain on our national defenses,” Acting CISA Director Madhu Gottumukkala toldlawmakers this week.
  • “The cyber agency’s core responsibilities include defending federal agency networks and working with critical infrastructure to strengthen their security.
  • “Gottumukkala said that a shutdown would delay the deployment of new cyber services to federal networks and the sharing of guidance with critical infrastructure partners. It would also likely delay CISA’s work to finalize a landmark cyber incident reporting rule.“

From the cybersecurity vulnerabilities and breaches front,

• CISA added eleven known exploited vulnerabilities to its catalog this week.
  • February 10, 2026
    • CVE-2026-21510 Microsoft Windows Shell Protection Mechanism Failure Vulnerability
    • CVE-2026-21513 Microsoft MSHTML Framework Security Feature Bypass Vulnerability
    • CVE-2026-21514 Microsoft Office Word Reliance on Untrusted Inputs in a Security Decision Vulnerability
    • CVE-2026-21519 Microsoft Windows Type Confusion Vulnerability
    • CVE-2026-21525 Microsoft Windows NULL Pointer Dereference Vulnerability
    • CVE-2026-21533 Windows Remote Desktop Services Elevation of Privilege Vulnerability
      • SecPod discusses these KVEs here. 
  • February 12, 2026
    • CVE-2024-43468 Microsoft Configuration Manager SQL Injection Vulnerability
    • CVE-2025-15556 Notepad++ Download of Code Without Integrity Check Vulnerability
    • CVE-2025-40536 SolarWinds Web Help Desk Security Control Bypass Vulnerability
    • CVE-2026-20700 Apple Multiple Buffer Overflow Vulnerability
      • Nopsec discusses the MS Configuration KVE here.
      • WNEsecurity discusses the Notepad++ KVE here.
      • Rapid7 discusses the Solarwinds KVE here.
      • Bleeping Computer discusses the Apple KVE here.
  • February 13, 2026
    • CVE-2026-1731 BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) OS Command Injection Vulnerability
      • The Hacker News discusses this KVE here.
        
• Cybersecurity Dive informs us,
  • “Security researchers warn that threat groups are exploiting critical vulnerabilities in SmarterMail, a business email and collaboration server that small to medium-sized businesses use as an alternative to Microsoft Exchange. 
  • “A China-linked threat actor, tracked as Storm 2603, has exploited an authentication bypass vulnerability tracked as CVE-2026-23760 to deploy Warlock ransomware, according to a blog released Monday by researchers at Reliaquest. 
  • “The hacker abuses legitimate administrative functions to hide its activity from security teams. It then installs a digital forensic tool called Velociraptor to maintain access in preparation for potential ransomware attacks, according to Reliaquest. 
  • “SmarterTools, the parent company behind SmarterMail, confirmed in a Feb. 3 blog post that its own network was impacted by a Jan. 29 breach.” 
• and
  • “More than 80% of exploitation activity targeting critical vulnerabilities in Ivanti Endpoint Manager Mobile were traced to a single IP address hiding behind a bulletproof hosting infrastructure, according to a report released Tuesday by GreyNoise. 
  • Researchers warn that several of the most shared indicators of compromise linked to the current threat campaign indicate no activity linked to Ivanti EPMM. The concern is that security teams may therefore be looking for the wrong information, as current IoCs indicate scanning for Oracle WebLogic instead, according to GreyNoise researchers.”

• Cyberscoop notes,
  • “A new report from Google found evidence that state-sponsored hacking groups have leveraged AI tool Gemini at nearly every stage of the cyber attack cycle.
  • “The research underscores how AI tools have matured in their cyber offensive capabilities, even as it doesn’t reveal novel or paradigm shifting uses of the technology.
  • J”ohn Hultquist, chief analyst at Google’s Threat Intelligence Group, told CyberScoop that many countries still appear to be experimenting with AI tools, determining where they best fit into the attack chain and provide more benefit than friction.
  • “Nobody’s got everything completely worked out,” Hultquist said. “They’re all trying to figure this out and that goes for attacks on AI, too.
  • “But the report also reveals that frontier AI models can build speed, scale and sophistication into a myriad of hacking tasks, and state-sponsored hacking groups are taking advantage.”

• Bleeping Computer points out,
  • “Threat actors are abusing Claude artifacts and Google Ads in ClickFix campaigns that deliver infostealer malware to macOS users searching for specific queries.
  • “At least two variants of the malicious activity have been observed in the wild, and more than 10,000 users have accessed the content with dangerous instructions.
  • “A Claude artifact is content generated with Antropic’s LLM that has been made public by the author. It can be anything from instructions, guides, chunks of code, or other types of output that are isolated from the main chat and accessible to anyone via links hosted on the claude.ai domain.”
• and
  • “A set of 30 malicious Chrome extensions that have been installed by more than 300,000 users are masquerading as AI assistants to steal credentials, email content, and browsing information.
  • “Some of the extensions are still present in the Chrome Web Store and have been installed by tens of thousands of users, while others show a small install count.
  • “Researchers at browser security platform LayerX discovered the malicious extension campaign and named it AiFrame. They found that all analyzed extensions are part of the same malicious effort as they communicate with infrastructure under a single domain, tapnetic[.]pro.”
• and
  • “A new variation of the fake recruiter campaign from North Korean threat actors is targeting JavaScript and Python developers with cryptocurrency-related tasks.
  • “The activity has been ongoing since at least May 2025 and is characterized by modularity, which allows the threat actor to quickly resume it in case of partial compromise.
  • “The bad actor relies on packages published on the npm and PyPi registries that act as downloaders for a remote access trojan (RAT). In total, researchers found 192 malicious packages related to this campaign, which they dubbed ‘Graphalgo’.
  • “Researchers at software supply-chain security company ReversingLabs say that the threat actor creates fake companies in the blockchain and crypto-trading sectors and publishes job offerings on various platforms, like LinkedIn, Facebook, and Reddit.”
    
• TechRadar advises
  • “If you’re using an older Android phone, Google has a message you probably don’t want to hear.
  • “More than 40% of Android devices worldwide no longer receive critical security updates, leaving over 1 billion phones exposed to malware and spyware attacks, according to the company.
  • “The problem isn’t a sudden flaw but a slow drift. Android adoption data shows most users are still running software versions that Google no longer fully supports. While recent confusion around Google Play system update dates has raised concerns, Google says that the issue is cosmetic.
  • “The real issue is simpler and more serious: phones running Android 12 or older are now outside the security safety net.”

From the ransomware front,

• The HIPAA Journal reports,
  • “A new record was set for ransomware attacks last year, with disclosed ransomware attacks increasing by 49% year-over-year to a record-high of 1,174 attacks, according to Black Fog’s 2025 State of Ransomware Report. There was also a 37% year-over-year increase in undisclosed attacks, with 7,079 victims added to dark web data leak sites in 2025. The figures indicate that globally, 86% of ransomware attacks are not disclosed by victims.
  • “Data theft almost always occurs with ransomware attacks. In 2025, 96% of attacks involved data exfiltration prior to file encryption, which results in greater organizational harm. Data exfiltration has contributed to the significant increase in breach costs, as data theft results in greater reputational harm and increased regulatory exposure. In 2025, the average cost of a data breach was $4.44 million globally, and $7.42 million for healthcare data breaches. Healthcare retained its position as the sector most targeted by ransomware groups in 2025, accounting for 22% of disclosed attacks. All sectors experienced an increase in attacks in 2025, apart from education, which saw a 13% year-over-year decrease in attacks.
  • “The breakup of large ransomware groups has led to a fragmentation of the ransomware ecosystem, and the number of active ransomware groups continued to increase in 2025. Black Fog tracked 130 different ransomware groups in 2025, of which 52 were new groups that emerged in 2025, a 9% increase from 2024. Several groups that emerged in 2025 have disproportionately targeted the healthcare sector, including Sinobi, Insomnia, and Devman. Devman issued the largest ever ransom demand of $91 million in 2025 for its attack on China’s real estate development company Shimao Group Holdings. World Leaks, widely believed to be a rebrand of Hunters International, has also claimed several healthcare victims, as have all of the top three most prolific and dangerous ransomware groups of the year: Qilin, Akira & Play.”

• Cybersecurity Dive adds,
  • “Ransomware attacks on the IT sector were higher in each quarter of 2025 than in the same quarters of 2024, with the sector ranking third behind manufacturing and commercial facilities on hackers’ target lists, according to a new report from the Information Technology Information Sharing and Analysis Center.
  • “Nearly half of all ransomware attacks that the IT-ISAC tracked occurred in the U.S., far surpassing the totals in other countries.
  • “The food and agriculture sector also saw a significantly higher number of ransomware attacks in 2025 than it did in 2024, according to a new report from that sector’s ISAC, which shares leadership with the IT-ISAC.”

• The Federal Trade Commission has issued its own 2025 ransomware report according to Executivegov.
  • “The Federal Trade Commission has reported that ransomware and other malware-based attacks represent only 2.23 percent of all fraud complaints submitted to the agency.
  • “In the 2025 Ransomware Report published Friday, the FTC shared that, between July 2023 and June 2025, tech support scams were among the most reported fraud types.
  • “About 1 percent of the 42,972 reports the FTC received that allegedly originate from China are ransomware. The majority of the complaints are related to online shopping fraud.
  • “Complaints tied to Russia, Iran and North Korea are relatively rare, with the three countries accounting for only 0.05 percent of all fraud reports the FTC received from 2023 to 2025.”

• Morphisec calls attention to
  • “Ransomware isn’t slowing down. It’s scaling, adapting, and finding new ways to slip past defenses that many organizations still trust implicitly.  
  • “The Ransomware Reality Check 2026 infographic paints a clear, data-driven picture of the risk landscape ahead: from skyrocketing demands to sophisticated execution methods that beat traditional detection technologies.”  

• Per Security Week,
  • “Mere data exfiltration is no longer a lucrative approach for ransomware groups, and threat actors may increasingly rely on encryption to regain leverage, Coveware notes in a new report.
  • “Following a series of highly successful data-exfiltration-only attacks conducted by known groups such as Cl0p, other ransomware groups adopted the trend, stealing victims’ data without encrypting it.
  • “The campaigns targeting MOVEit, Cleo, and Oracle E-Business Suite (EBS) customers are proof that the approach no longer delivers return on investment, Coveware says.
  • Cl0p, it explains, started this trend with a simple strategy: it acquired an exploit for a zero-day vulnerability in a popular enterprise file transfer or data storage product, hacked as many instances as possible for data exfiltration, and extorted each compromised entity into paying a ransom.
  • I”n 2021, the group likely made tens of millions of dollars using this tactic in the Accellion campaign, when over 25% of the impacted organizations likely paid a ransom. Roughly 20% of the entities impacted by the GoAnywhere MFT hack also paid a ransom.
  • “In the subsequent campaigns, however, the victims’ willingness to pay dropped significantly: less than 2.5% of those affected by the MOVEit breach paid, and almost none paid in the Cleo and Oracle EBS incidents, Coveware says in its latest ransomware trends report.”

• Per Cyberscoop,
  • “Ransomware groups crop up like weeds, angling for striking positions in a crowded field rife with turnover, infighting and unbridled competition. Yet, they rarely emerge, as 0APT did late last month, claiming roughly 200 victims out of the gate.
  • “Researchers have thus far seen no evidence confirming 0APT attacked any of its alleged victims, which includes high-profile organizations. Alleged victim data samples and the structure and size of placeholder file trees published by 0APT place further doubt on the group’s supposed criminal escapades. 
  • “Most signs suggest the group is running a massive hoax, but at least some of the threat 0APT poses is grounded in truth. The group’s inflated pretense may be a ruse to create a sense of momentum, gain recognition and attract affiliates.
  • “While 0APT is probably bluffing about the victims it has already compromised, it is not bluffing on the technical capabilities of its actual ransomware,” Cynthia Kaiser, senior vice president at Halcyon’s ransomware research center, told CyberScoop.”

From the cybersecurity business and defenses front,

• The Wall Street Journal reports,
  • The European Union approved Google’s $32 billion acquisition of cybersecurity startup Wiz, a win for the Alphabet unit’s GOOGL  * * *
  • “Google announced the all-cash deal in March 2025, betting that bringing Wiz under its cloud business would help it fast-track improvements in cloud security and enhance its ability to use multiple clouds, both trends that have gathered pace in the artificial-intelligence era.
  • “Wiz provides cybersecurity software for cloud computing and has presences in New York; Arlington, Virginia; London and Tel Aviv.
  • “The deal—cleared by U.S. antitrust authorities in November last year—was flagged to the EU’s merger watchdog for screening in January.”

• Cyberscoop relates,
  • “Proofpoint announced Thursday [February 12] it has acquired Acuvity, an AI security startup, as the cybersecurity company moves to address security risks stemming from widespread corporate adoption of agentic AI.
  • “The acquisition strengthens Proofpoint‘s capabilities in monitoring and securing AI-powered systems that are increasingly handling sensitive business functions across enterprises. 
  • “Financial terms of the deal were not disclosed, but Ryan Kalember, Proofpoint’s chief strategy officer, told CyberScoop that the acquisition was beyond a pure “technology acquisition,” with Acuvity’s engineering team slated to join the California-based company. 
  • “Acuvity specializes in visibility and governance for AI applications, including the ability to track how employees and automated systems interact with external AI services and protect custom AI models developed within organizations. The startup’s platform monitors AI usage across multiple deployments, from web browsers to specialized infrastructure including Model Context Protocol (MCP) servers and locally installed AI tools.”

• Per a February 13 CISA news release,
  • “For years, CISA has responded to an unending wave of cyber incidents targeting edge devices embedded in the Nation’s federal networks and critical infrastructure. The common culprit? 
    • Unsupported hardware and software residing on the edge of organizational networks that vendors are no longer maintaining.
  • Nation-state adversaries have seized these weak points, exploiting them to gain unauthorized access, maintain persistence, and compromise sensitive data. These neglected devices are more than just vulnerabilities; they threaten the Nation’s security, privacy, and resilience. 
  • As the operational lead for federal cybersecurity, CISA recently took a large step toward addressing this systemic risk by issuing Binding Operational Directive (BOD) 26-02, a mandate for federal civilian agencies to identify and replace end-of-support (EOS) edge devices, stay current with software updates, and patch known vulnerabilities. While directed to federal agencies, we strongly encourage all organizations to adopt similar actions. 
  • However, we as a community can and must do more. Managing the lifecycles of hardware and software products can quickly become a daunting, resource-intensive task—especially without an efficient way to determine the EOS status for hardware and software. 
  • Enter OpenEoX: a machine-readable, international standard that transforms how product lifecycle information is exchanged across software, hardware, services, and AI models. By introducing much-needed standardization and automation, OpenEoX brings transparency, efficiency, and unity to asset management. By integrating OpenEoX across the community, both hardware and software producers and consumers can together turn the tide on one of the most serious cyber threats facing the Nation: EOS hardware and software.” * * *
  • Additional Resources
    • OpenEoX Website: https://openeox.org/
    • OpenEoX GitHub: https://github.com/oasis-tcs/openeox
    • OpenEoX Whitepaper (published April 2025): https://docs.oasis-open.org/openeox/standardization-framework/openeox-standardization-framework-technical-report.pdf

• Meritalk relates,
  • The FBI Cyber Division’s latest initiative, Operation Winter SHIELD, is growing as more field offices join the cybersecurity defense campaign that aims to turn lessons from investigations into high-impact actions that organizations can take to strengthen their defenses. 
  • The bureau launched Operation Winter SHIELD on Jan. 28 as a two-month effort that spotlights one of 10 “high-impact actions” each week. The initiative is designed to help organizations reduce common breach pathways and harden critical infrastructure systems against nation-state and criminal cyber threats. 
  • Since its announcement, numerous FBI field offices across the nation have voiced their support for the operation – some of the latest field offices to join this week include Seattle, Philadelphia, and Anchorage. 
  • In a video announcement, FBI Cyber Division Assistant Director Brett Leatherman said the campaign distills insights from real-world investigations into practical steps that organizations can take immediately. 
  • “Every winter storms test our infrastructure. Power grids, water systems, and supply chains are pushed to their limits, but the most critical threats to infrastructure don’t come from the weather. They come through our networks,” Leatherman said. 
    • The 10 actions outlined by the FBI include: 
    • Adopt phish-resistant authentication 
    • Implement a risk-based vulnerability management program 
    • Track and retire end-of-life technology on a defined schedule 
    • Manage third-party risk 
    • Protect security logs and preserve them for an appropriate time period 
    • Maintain offline immutable backups and test restoration 
    • Identify, inventory, and protect internet-facing systems and services 
    • Strengthen email authentication and malicious content protections 
    • Reduce administrator privileges 
    • Exercise your incident response plan with all stakeholders 

• Per Dark Reading,
  • “Microsoft Under Pressure to Bolster Defenses for BYOVD Attacks
  • “Threat actors are exploiting security gaps to weaponize Windows drivers and terminate security processes in targeted networks, and there may be no easy fixes in sight.”

• Here is a link to Dark Reading’s CISO Corner.