Good morning, cyber pros!

    soc_goulash@infosec.exchange wrote:

    Good morning, cyber pros! ☕ It's been a busy 24 hours with some critical zero-day warnings, new insights into nation-state influence operations, and a few notable breaches. Let's dive into the details:

    Recent Breaches: Medical, Retail, and Sports Hit 🚨

    - Medical device manufacturer UFP Technologies confirmed a cyber incident on 14 February, leading to data theft and potential destruction, though primary IT systems remain operational.
    - French football club Olympique de Marseille reported an "attempted cyberattack" after a threat actor leaked samples claiming 400,000 individuals' data and 2,050 Drupal CMS accounts were stolen.
    - European DIY retailer ManoMano disclosed a data breach affecting 38 million customers, stemming from a compromised third-party customer service provider, exposing names, emails, phone numbers, and communications.

    🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/medical-device-maker-ufp-technologies-warns-of-data-stolen-in-cyberattack/
    🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/olympique-marseille-football-club-confirms-cyberattack-after-data-leak/
    🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/european-dyi-chain-manomano-data-breach-impacts-38-million-customers/

    Critical Zero-Days and RCE Flaws Under the Spotlight ⚠️

    - Five Eyes agencies and CISA issued urgent warnings about two Cisco Catalyst SD-WAN zero-days (CVE-2026-20127, CVSS 10.0; CVE-2022-20775, CVSS 7.8) actively exploited since 2023 by a "highly sophisticated threat actor" UAT-8616 to gain root access on critical infrastructure.
    - Check Point discovered multiple RCE and API key theft vulnerabilities in Anthropic's Claude Code, stemming from malicious configuration files in repositories, highlighting new supply chain risks in AI-driven development.
    - A critical RCE flaw (CVE-2026-21902, CVSS 10.0) in Juniper Networks PTX Series routers allows unauthenticated root code execution due to an exposed internal service; immediate patching or access restriction is advised.
    - Trend Micro patched two critical RCE path traversal flaws (CVE-2025-71210, CVE-2025-71211) in Apex One management console, allowing unprivileged code execution if the console is externally exposed.
    - Previously harmless Google API keys, when exposed client-side, can now authenticate to Gemini AI, potentially allowing attackers to access private data and incur significant usage charges.

    🤫 CyberScoop | https://cyberscoop.com/cisco-zero-days-cisa-emergency-directive-five-eyes/
    📰 The Hacker News | https://thehackernews.com/2026/02/cisco-sd-wan-zero-day-cve-2026-20127.html
    🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/26/five_eyes_cisco_sdwan/
    🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/26/clade_code_cves/
    🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/critical-juniper-networks-ptx-flaw-allows-full-router-takeover/
    🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/trend-micro-warns-of-critical-apex-one-rce-vulnerabilities/
    🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/previously-harmless-google-api-keys-now-expose-gemini-ai-data/

    Evolving Threat Actor TTPs: AI, Supply Chain, and Social Engineering 🛡️

    - A coordinated campaign is targeting software developers with fake Next.js job interview repositories, using multiple execution triggers (VS Code, npm run dev, backend startup) to deliver in-memory JavaScript backdoors for RCE and data exfiltration.
    - OpenAI reported nation-state actors, including a CCP-linked individual and a Russian group ("Operation No Bell"), are using ChatGPT for politically motivated influence operations, from drafting smear campaigns to generating geopolitical articles.
    - A malicious NuGet package, StripeApi.Net, was discovered typosquatting the legitimate Stripe.net library, designed to steal Stripe API tokens from unsuspecting developers while maintaining application functionality.
    - The cybercrime group Scattered Lapsus$ Hunters (SLSH) is actively recruiting women for vishing calls to IT helpdesks, aiming to enhance social engineering effectiveness by leveraging different voice profiles.
    - Google disrupted a China-linked cyberespionage campaign (UNC2814) active since 2017, targeting telcos and governments in 42 countries, using a new Gridtide backdoor and abusing Google Sheets for C2 communications.

    🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/fake-nextjs-job-interview-tests-backdoor-developers-devices/
    📰 The Hacker News | https://thehackernews.com/2026/02/fake-nextjs-repos-target-developers.html
    👁️ Dark Reading | https://www.darkreading.com/cyberattacks-data-breaches/chinese-police-chatgpt-smear-japan-pm-takaichi
    📰 The Hacker News | https://thehackernews.com/2026/02/malicious-stripeapi-nuget-package.html
    🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/26/scattered_lapsus_hunters_female_recruits/
    🗞️ The Record | https://therecord.media/google-disrupts-china-linked-cyberespionage-campaign-spanning-dozens-of-countries

    Ransomware Trends and AI's Double-Edged Sword 📊

    - Despite a 50% surge in ransomware attacks, the payment rate dropped to a record low of 28% in 2025, though the median ransom paid significantly increased to $59,556, indicating a shift in victim behaviour and attacker tactics.
    - Veracode's report highlights a growing "security debt," with 82% of companies having unresolved vulnerabilities for over a year, suggesting that the rapid pace of AI-driven development is creating more flaws than can be fixed, making comprehensive security "unattainable."
    - The UK government has implemented a new Vulnerability Monitoring Service, significantly reducing the median fix time for critical public sector vulnerabilities from 50 to 8 days, addressing long-standing issues with digital defences.

    🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/ransomware-payment-rate-drops-to-record-low-despite-attack-surge/
    🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/26/veracode_security_ai/
    🗞️ The Record | https://therecord.media/united-kingdom-vulnerability-scanning-cyber

    FTC Clarifies COPPA for Age Verification 🔒

    - The Federal Trade Commission (FTC) issued a policy statement clarifying that it will not enforce COPPA against companies using age verification technologies, provided strict conditions are met regarding data use, retention, notice, and security.
    - This aims to encourage the adoption of age verification tools without fear of COPPA violations, with the FTC planning a broader review of the COPPA Rule to address this area.

    🗞️ The Record | https://therecord.media/ftc-says-it-wont-enforce-coppa-age-verification

    #CyberSecurity #ThreatIntelligence #ZeroDay #RCE #Vulnerability #APT #NationState #SupplyChainAttack #SocialEngineering #AI #Ransomware #DataBreach #DataPrivacy #InfoSec #CyberAttack #IncidentResponse
