soc_goulash@infosec.exchange (@soc_goulash@infosec.exchange)

Posts
  • Good morning, cyber pros!
    soc_goulash@infosec.exchange

    Good morning, cyber pros! ☕ It's been a busy 24 hours with some critical zero-day warnings, new insights into nation-state influence operations, and a few notable breaches. Let's dive into the details:

    Recent Breaches: Medical, Retail, and Sports Hit 🚨

    - Medical device manufacturer UFP Technologies confirmed a cyber incident on 14 February, leading to data theft and potential destruction, though primary IT systems remain operational.
    - French football club Olympique de Marseille reported an "attempted cyberattack" after a threat actor leaked samples claiming 400,000 individuals' data and 2,050 Drupal CMS accounts were stolen.
    - European DIY retailer ManoMano disclosed a data breach affecting 38 million customers, stemming from a compromised third-party customer service provider, exposing names, emails, phone numbers, and communications.

    🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/medical-device-maker-ufp-technologies-warns-of-data-stolen-in-cyberattack/
    🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/olympique-marseille-football-club-confirms-cyberattack-after-data-leak/
    🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/european-dyi-chain-manomano-data-breach-impacts-38-million-customers/

    Critical Zero-Days and RCE Flaws Under the Spotlight ⚠️

    - Five Eyes agencies and CISA issued urgent warnings about two Cisco Catalyst SD-WAN zero-days (CVE-2026-20127, CVSS 10.0; CVE-2022-20775, CVSS 7.8) actively exploited since 2023 by a "highly sophisticated threat actor" UAT-8616 to gain root access on critical infrastructure.
    - Check Point discovered multiple RCE and API key theft vulnerabilities in Anthropic's Claude Code, stemming from malicious configuration files in repositories, highlighting new supply chain risks in AI-driven development.
    - A critical RCE flaw (CVE-2026-21902, CVSS 10.0) in Juniper Networks PTX Series routers allows unauthenticated root code execution due to an exposed internal service; immediate patching or access restriction is advised.
    - Trend Micro patched two critical RCE path traversal flaws (CVE-2025-71210, CVE-2025-71211) in Apex One management console, allowing unprivileged code execution if the console is externally exposed.
    - Previously harmless Google API keys, when exposed client-side, can now authenticate to Gemini AI, potentially allowing attackers to access private data and incur significant usage charges.

    🤫 CyberScoop | https://cyberscoop.com/cisco-zero-days-cisa-emergency-directive-five-eyes/
    📰 The Hacker News | https://thehackernews.com/2026/02/cisco-sd-wan-zero-day-cve-2026-20127.html
    🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/26/five_eyes_cisco_sdwan/
    🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/26/clade_code_cves/
    🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/critical-juniper-networks-ptx-flaw-allows-full-router-takeover/
    🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/trend-micro-warns-of-critical-apex-one-rce-vulnerabilities/
    🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/previously-harmless-google-api-keys-now-expose-gemini-ai-data/

    Evolving Threat Actor TTPs: AI, Supply Chain, and Social Engineering 🛡️

    - A coordinated campaign is targeting software developers with fake Next.js job interview repositories, using multiple execution triggers (VS Code, npm run dev, backend startup) to deliver in-memory JavaScript backdoors for RCE and data exfiltration.
    - OpenAI reported nation-state actors, including a CCP-linked individual and a Russian group ("Operation No Bell"), are using ChatGPT for politically motivated influence operations, from drafting smear campaigns to generating geopolitical articles.
    - A malicious NuGet package, StripeApi.Net, was discovered typosquatting the legitimate Stripe.net library, designed to steal Stripe API tokens from unsuspecting developers while maintaining application functionality.
    - The cybercrime group Scattered Lapsus$ Hunters (SLSH) is actively recruiting women for vishing calls to IT helpdesks, aiming to enhance social engineering effectiveness by leveraging different voice profiles.
    - Google disrupted a China-linked cyberespionage campaign (UNC2814) active since 2017, targeting telcos and governments in 42 countries, using a new Gridtide backdoor and abusing Google Sheets for C2 communications.

    🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/fake-nextjs-job-interview-tests-backdoor-developers-devices/
    📰 The Hacker News | https://thehackernews.com/2026/02/fake-nextjs-repos-target-developers.html
    👁️ Dark Reading | https://www.darkreading.com/cyberattacks-data-breaches/chinese-police-chatgpt-smear-japan-pm-takaichi
    📰 The Hacker News | https://thehackernews.com/2026/02/malicious-stripeapi-nuget-package.html
    🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/26/scattered_lapsus_hunters_female_recruits/
    🗞️ The Record | https://therecord.media/google-disrupts-china-linked-cyberespionage-campaign-spanning-dozens-of-countries

    Ransomware Trends and AI's Double-Edged Sword 📊

    - Despite a 50% surge in ransomware attacks, the payment rate dropped to a record low of 28% in 2025, though the median ransom paid significantly increased to $59,556, indicating a shift in victim behaviour and attacker tactics.
    - Veracode's report highlights a growing "security debt," with 82% of companies having unresolved vulnerabilities for over a year, suggesting that the rapid pace of AI-driven development is creating more flaws than can be fixed, making comprehensive security "unattainable."
    - The UK government has implemented a new Vulnerability Monitoring Service, significantly reducing the median fix time for critical public sector vulnerabilities from 50 to 8 days, addressing long-standing issues with digital defences.

    🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/ransomware-payment-rate-drops-to-record-low-despite-attack-surge/
    🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/26/veracode_security_ai/
    🗞️ The Record | https://therecord.media/united-kingdom-vulnerability-scanning-cyber

    FTC Clarifies COPPA for Age Verification 🔒

    - The Federal Trade Commission (FTC) issued a policy statement clarifying that it will not enforce COPPA against companies using age verification technologies, provided strict conditions are met regarding data use, retention, notice, and security.
    - This aims to encourage the adoption of age verification tools without fear of COPPA violations, with the FTC planning a broader review of the COPPA Rule to address this area.

    🗞️ The Record | https://therecord.media/ftc-says-it-wont-enforce-coppa-age-verification

    #CyberSecurity #ThreatIntelligence #ZeroDay #RCE #Vulnerability #APT #NationState #SupplyChainAttack #SocialEngineering #AI #Ransomware #DataBreach #DataPrivacy #InfoSec #CyberAttack #IncidentResponse


  • It's been a busy 24 hours in the cyber world with significant updates on the evolving "ClickFix" social engineering tactic, showing how attackers are getting creative with initial access and payload delivery.
    soc_goulash@infosec.exchange

    It's been a busy 24 hours in the cyber world with significant updates on the evolving "ClickFix" social engineering tactic, showing how attackers are getting creative with initial access and payload delivery. Let's take a look:

    Evolving ClickFix Attacks: DNS Staging and Crypto Hijacks ⚠️

    - Microsoft has detailed a new DNS-based ClickFix variant where victims are tricked into running `nslookup` commands, using DNS as a stealthy staging channel for payloads like ModeloRAT. This method blends malicious activity into normal network traffic, making detection harder.
    - A separate, novel ClickFix campaign is leveraging Pastebin comments and Google Docs to socially engineer cryptocurrency users into executing malicious JavaScript directly in their browser. This allows attackers to hijack Bitcoin swap transactions and redirect funds to their wallets.
    - These incidents highlight the evolving nature of ClickFix, moving beyond traditional OS-level command execution to sophisticated DNS staging and direct browser manipulation for financial theft, underscoring the critical need for user awareness and robust detection of procedural trust abuse.

    📰 The Hacker News | https://thehackernews.com/2026/02/microsoft-discloses-dns-based-clickfix.html
    🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/pastebin-comments-push-clickfix-javascript-attack-to-hijack-crypto-swaps/

    #CyberSecurity #ThreatIntelligence #SocialEngineering #ClickFix #Malware #ModeloRAT #LummaStealer #CryptoScam #InfoSec #CyberAttack #IncidentResponse

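The post above notes that the DNS-based ClickFix variant has victims run `nslookup` themselves, so the staging traffic looks like ordinary name resolution. The following is an added detection sketch, not code from the post or from Microsoft's write-up: it scores Sysmon-style process creation events for `nslookup.exe` on three heuristics. The field names, the set of "interactive shell" parents, the TXT-record flag pattern, the label-length threshold and the alert threshold are all assumptions chosen for illustration, and the events are constructed sample data.

```python
"""Added example: flag nslookup executions that look like a DNS staging channel.
Field names, thresholds and the parent-process baseline are assumptions."""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal Sysmon-like process creation record (assumed field names)."""
    image: str
    command_line: str
    parent_image: str


# Assumed baseline: legitimate nslookup use is launched from an interactive shell.
INTERACTIVE_SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "windowsterminal.exe"}
# Assumed: TXT lookups return free-form text, which is what a staging channel needs.
TXT_QUERY = re.compile(r"-(?:q|querytype|type)=txt\b", re.IGNORECASE)
LONG_LABEL = 40      # assumed: DNS labels this long are rare in ordinary hostnames
ALERT_THRESHOLD = 2  # assumed: one indicator alone is routine, two or more is worth triage


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def queried_name(command_line):
    """Return the first non-option argument after 'nslookup', i.e. the name looked up."""
    tokens = command_line.split()
    args = [t for t in tokens[1:] if not t.startswith("-")]
    return args[0] if args else ""


def indicators(ev):
    """Return the list of reasons an nslookup event looks like payload staging (empty if benign)."""
    if basename(ev.image) != "nslookup.exe":
        return []
    reasons = []
    parent = basename(ev.parent_image)
    if parent not in INTERACTIVE_SHELLS:
        reasons.append(f"launched from {parent} rather than an interactive shell")
    if TXT_QUERY.search(ev.command_line):
        reasons.append("TXT record query (free-form text answer, usable as a staging channel)")
    longest = max((len(label) for label in queried_name(ev.command_line).split(".")), default=0)
    if longest > LONG_LABEL:
        reasons.append(f"unusually long DNS label ({longest} chars) in queried name")
    return reasons


def alerts(events):
    """Return (event, reasons) pairs whose indicator count meets the alert threshold."""
    out = []
    for ev in events:
        reasons = indicators(ev)
        if len(reasons) >= ALERT_THRESHOLD:
            out.append((ev, reasons))
    return out


# Constructed sample events; the hex-looking label is made up, not a real payload.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\nslookup.exe",
                 "nslookup -q=txt 4d5a90000300000004000000ffff0000b800000000000000.stage.example.invalid",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\nslookup.exe",
                 "nslookup www.example.com",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\nslookup.exe",
                 "nslookup -type=txt example.com",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcessEvent(r"C:\Windows\System32\ping.exe",
                 "ping example.com",
                 r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for ev, reasons in alerts(SAMPLE_EVENTS):
        print(ev.command_line)
        for r in reasons:
            print("  -", r)
```

Only the first constructed event crosses the threshold: it is spawned by `explorer.exe`, asks for a TXT record, and carries a 48-character label. The third event is a TXT lookup from a PowerShell prompt, which on its own is routine admin activity, so it scores one indicator and is left alone; that is the point of combining weak signals rather than alerting on any single one.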

  • Morning, cyber pros!
    soc_goulash@infosec.exchange

    Morning, cyber pros! ☕ It's been a slightly quieter 24 hours, but we've still got some critical updates to chew on, from a dominant threat actor exploiting Ivanti RCEs to North Korean fake recruiters and a low-tech crypto phishing scam. Let's dive in:

    Ivanti RCE Exploitation Dominance ⚠️

    - A single threat actor, using bulletproof infrastructure from IP 193.24.123.42, is behind 83% of recent active exploitation attempts targeting two critical Ivanti EPMM RCE vulnerabilities (CVE-2026-21962 and CVE-2026-24061).
    - This IP address is not widely published in IOC lists, meaning many defenders might be missing the primary source of these automated attacks, which also target Oracle WebLogic and GNU Inetutils Telnetd.
    - Ivanti has released hotfixes and recommends using specific RPM packages or, for the most conservative approach, rebuilding EPMM instances and migrating data until full patches are available in Q1.

    🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/one-threat-actor-responsible-for-83-percent-of-recent-ivanti-rce-attacks/

    Lazarus Group's Fake Job Scams 🕵️

    - North Korean threat actors, likely the Lazarus Group, are targeting JavaScript and Python developers with fake job offers that include malicious coding challenges.
    - These challenges trick developers into installing compromised packages from npm and PyPI (dubbed 'Graphalgo'), which then deploy a sophisticated Remote Access Trojan (RAT) capable of exfiltrating files and checking for MetaMask installations.
    - Developers who may have installed packages like 'bigmathutils', or those with 'graph' or 'big' in their name from suspicious sources, should immediately rotate all credentials and tokens, and consider a full OS reinstall.

    🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/fake-job-recruiters-hide-malware-in-developer-coding-challenges/

    Crypto Wallet Phishing via Snail Mail ✉️

    - Threat actors are employing a rare physical phishing tactic, sending fake letters impersonating Trezor and Ledger to trick hardware wallet users into revealing their recovery phrases.
    - The letters create urgency, claiming mandatory "Authentication Checks" or "Transaction Checks" and directing users to scan QR codes that lead to sophisticated phishing websites designed to steal 12-, 20-, or 24-word seed phrases.
    - Remember: reputable hardware wallet manufacturers will NEVER ask you to enter your recovery phrase on a website or computer; it should only be entered directly on the device itself during restoration.

    🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/snail-mail-letters-target-trezor-and-ledger-users-in-crypto-theft-attacks/

    #CyberSecurity #ThreatIntelligence #Vulnerability #RCE #Ivanti #LazarusGroup #APT #Malware #RAT #Phishing #SocialEngineering #CryptoSecurity #InfoSec #IncidentResponse

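Two of the posts above describe look-alike packages: the NuGet package StripeApi.Net typosquatting Stripe.net, and the npm/PyPI packages pushed through fake coding challenges. The following is an added example, not code from the posts or from any registry, of the kind of manifest audit a build pipeline can run before restoring dependencies. It generalises beyond the single StripeApi.Net case: a declared name is flagged when it is within a small edit distance of a known-good name, or when it simply extends a known-good name with extra tokens (the StripeApi.Net pattern). The allow-list, the manifest contents and the thresholds are constructed for illustration.

```python
"""Added example: flag dependency names that look like typosquats of known-good packages.
The known-good list, sample manifest and distance threshold are constructed assumptions."""
import re

# Assumed: names within this many edits of a known-good name are suspicious.
MAX_EDITS = 2
SEPARATORS = re.compile(r"[._\-]")
TOKEN = re.compile(r"[A-Z]?[a-z0-9]+|[A-Z]+(?![a-z])")


def normalize(name):
    """Lower-case and drop separators so 'Stripe.net', 'stripe-net' and 'stripe_net' compare equal."""
    return SEPARATORS.sub("", name).lower()


def tokens(name):
    """Split a package name on separators and camel-case boundaries: 'StripeApi.Net' -> {stripe, api, net}."""
    return {t.lower() for piece in SEPARATORS.split(name) for t in TOKEN.findall(piece)}


def edit_distance(a, b):
    """Plain Levenshtein distance with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit(manifest, known_good):
    """Return {declared_name: reason} for every name that resembles but is not a known-good package."""
    findings = {}
    for declared in manifest:
        d_norm, d_tokens = normalize(declared), tokens(declared)
        for good in known_good:
            g_norm = normalize(good)
            if d_norm == g_norm:
                break  # exact match after normalisation: trusted, stop looking
            if edit_distance(d_norm, g_norm) <= MAX_EDITS:
                findings[declared] = f"within {MAX_EDITS} edits of known package {good}"
                break
            if tokens(good) < d_tokens:  # proper subset: known name plus extra tokens
                findings[declared] = f"extends known package name {good} with extra tokens"
                break
    return findings


# Constructed allow-list and manifest (not from any real project).
KNOWN_GOOD = ["Stripe.net", "Newtonsoft.Json", "lodash", "requests"]
CONSTRUCTED_MANIFEST = ["Stripe.net", "StripeApi.Net", "lodahs", "Newtonsoft.Json"]

if __name__ == "__main__":
    for name, reason in audit(CONSTRUCTED_MANIFEST, KNOWN_GOOD).items():
        print(f"{name}: {reason}")
```

Running it over the constructed manifest flags `StripeApi.Net` (it carries every token of `Stripe.net` plus `api`) and `lodahs` (two edits from `lodash`), while the two exact matches pass. In a real pipeline the known-good list would be the organisation's approved dependencies, and a finding should block the restore step rather than only print, since the post notes the malicious package keeps the application working while it steals tokens, so nothing downstream would otherwise notice.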