Tracking Threats, Incidents, and Vulnerabilities
Tracking Threats, Incidents, and Vulnerabilities
In 2025, enterprise identity exposure intensified, with enterprise identity logs increasing from 8% to 11% of all logs. Microsoft Entra ID credentials appeared in 79% of these logs, making them the most compromised. Over 18% of identity logs contained credentials for multiple providers, expanding the potential impact of a single breach.
https://flare.io/learn/resources/2026-enterprise-infostealer-identity-exposure/
Ransomware declines as “sleeperware” ascends: Picus Labs' report shows a shift from ransomware to stealthy malware that remains dormant until opportune moments, focusing on data theft rather than system disruption. This change reflects a significant drop in ransomware incidents, prompting new cybersecurity strategies.
https://www.zdnet.com/article/sleeperware-malware-sneaks-waits-ransomware-decline/
A security flaw in Orchids AI platform led to a BBC reporter's laptop being hacked without any user action. A cybersecurity researcher exploited vulnerabilities, demonstrating risks associated with “vibe-coding” tools that allow non-technical users to create applications. This zero-click attack could compromise sensitive data and device security, raising concerns about the convenience of AI tools. Experts warn of a new class of vulnerabilities in AI systems.
Milan-Cortina 2026 Winter Olympics implement AI and cybersecurity measures to combat threats amid geopolitical tensions. Organized by Italian authorities and supported by technology partners, initiatives focus on mitigating cyber attacks, including DDoS attempts. Key infrastructure will handle extensive data operations, ensuring performance and security throughout the Games.
Malicious Chrome extensions, including CL Suite, are stealing sensitive data from Meta Business Suite users. These extensions exfiltrate TOTP codes, Business Manager analytics, and contact lists to attackers' servers. Other threats include over 500,000 VKontakte account hijackings and 32 AI-themed extensions that siphon user credentials. These attacks emphasize the growing misuse of browser extensions for data theft, prompting recommendations for cautious installation practices and regular audits.
https://thehackernews.com/2026/02/malicious-chrome-extensions-caught.html
Ransomware attacked the British Library on October 28, 2023, compromising servers, encrypting systems, and exfiltrating about 600 GB of data. The attack exploited vulnerabilities, including lack of multi-factor authentication on an entry point. This incident highlighted systemic issues in cultural institutions: outdated infrastructure, insufficient funding for tech upgrades, and complex network security challenges. In response, the Library initiated a significant overhaul, implementing better network segmentation, robust backup strategies, mandatory cybersecurity training, and elevating cybersecurity to a strategic priority. The incident underscores the risks faced by cultural heritage institutions in a digital age and the need for proactive cyber defense to protect knowledge access.
https://informationsecuritybuzz.com/the-cyberattack-that-exposed-the-fragility-of-digital-heritage/
Microsoft warns of “AI Recommendation Poisoning,” a technique where malicious data manipulates AI responses, risking trust in AI services. Companies have been embedding hidden prompts in AI links, influencing outputs subtly. This can result in AI providing biased advice on crucial topics like health and finance, often unnoticed by users. Microsoft advises caution with AI-related links, reviewing AI memory, and scanning for manipulation attempts in corporate settings.
https://www.theregister.com/2026/02/12/microsoft_ai_recommendation_poisoning/
Palo Alto Networks refrained from linking China to a recent hacking campaign due to fears of potential retaliation from Beijing. Initially, their report identified a hacking group as connected to China, but this was softened to “state-aligned group operating out of Asia” after concerns emerged, particularly following a Chinese ban on certain cybersecurity software. The company aims to protect its personnel and clients. Experts suggest attribution is complex, highlighting the risks cybersecurity firms face in naming state-sponsored cyber threats.
Google Alerts State-Backed Hackers Using Gemini AI for Attacks
North Korean group UNC2970 exploited Google’s Gemini AI for reconnaissance and cyber espionage, targeting cybersecurity firms. The AI synthesized OSINT for profiling high-value targets, enabling tailored phishing strategies. Other hacker groups, including Chinese and Iranian actors, also misuse Gemini for intelligence gathering and deploying malware. Google emphasizes ongoing efforts to enhance safety systems against AI misuse.
https://thehackernews.com/2026/02/google-reports-state-backed-hackers.html
Critical vulnerability in Claude Desktop Extensions allows 0-click remote code execution, affecting 10,000+ users. Attackers exploit this flaw via Google Calendar events, enabling unauthorized commands without user consent. LayerX warns of severe trust boundary violations; fixes are currently not planned by Anthropic.
https://cybersecuritynews.com/claude-desktop-extensions-0-click-vulnerability/
TLDR: LummaStealer, a prominent info-stealer malware, resurfaces alongside CastleLoader after law enforcement disruptions. It primarily spreads via social engineering tactics, tricking users into executing malware through fake software or media downloads. CastleLoader enhances LummaStealer's distribution, employing in-memory execution and heavy obfuscation. The partnership suggests shared infrastructure between both malware, posing severe privacy risks by harvesting sensitive data like credentials and financial information.
https://www.bitdefender.com/en-us/blog/labs/lummastealer-second-life-castleloader
WSL (Windows Subsystem for Linux) enables running a Linux environment on Windows, allowing developers and cybersecurity workflows to leverage Linux tools. It poses security risks, as malware can exploit WSL by checking for its presence and executing commands. An infostealer trojan, “ottercookie-socketScript-module-3.js,” utilizes WSL to access the Windows filesystem and obtain user information.
Kimwolf botnet disrupts I2P, an anonymity network, by overwhelming it with infected devices. Emerged in late 2025, it turns IoT devices into relays for DDoS attacks. Users reported connectivity issues as Kimwolf attempted to escape detection by taking over I2P nodes. This “Sybil attack” compromised the network's integrity, reducing its capacity. Experts believe Kimwolf's operators are experimenting with I2P for stability amid takedown attempts, though botnet numbers are declining due to internal issues and errors.
https://krebsonsecurity.com/2026/02/kimwolf-botnet-swamps-anonymity-network-i2p/
On January 14, 2026, global telnet traffic dropped 59% abruptly due to potential port 23 filtering by U.S. internet providers, coinciding with the discovery of CVE-2026-24061, a critical telnet vulnerability. Eighteen ASNs lost all telnet sessions, and five countries dropped from data completely. The post suggests the drop was a response to an exploitable vulnerability, emphasizing the importance of patching or disabling GNU Inetutils telnetd. The sustained reduction in telnet traffic indicates a shift away from insecure protocols among ISPs.
https://www.labs.greynoise.io/grimoire/2026-02-10-telnet-falls-silent/
Ransomware attack on BridgePay disrupts U.S. payment systems, forcing businesses, like restaurants, to go cash-only. The company is working with law enforcement but has found no evidence of compromised payment card data. This incident highlights vulnerabilities in centralized payment systems, emphasizing the need for improved cyber resiliency among service providers.
https://www.paymentsjournal.com/the-latest-wave-of-ransomware-attacks-as-widespread-as-possible/
