Information Security News – 2/23/2026


Unit 42: Nearly Two-Thirds of Breaches Now Start with Identity Abuse

Article Link: https://cyberscoop.com/attackers-abuse-identity-unit42-palo-alto-networks-incident-response-report/

  • Nearly two-thirds of initial intrusions began with identity-based techniques, according to Palo Alto Networks’ Unit 42 in the Global Incident Response Report 2026, based on more than 750 incident response engagements through September 2025.
  • Social engineering drove one-third of cases. Stolen credentials, brute-force attempts, excessive permissions, and misconfigurations followed. Identity weaknesses played a role in almost 90% of investigations, and 87% spanned multiple attack surfaces.
  • Financially motivated attacks dominated. Median payments increased 87% year-over-year to $500,000. Data theft occurred in under two days on average, and in 22% of incidents, in less than one hour. Nearly half involved browser activity.
  • Unit 42 calls for stronger identity and access controls, fewer apps talking to each other, and quicker detection through consolidated telemetry (logs, alerts, activity, etc.) and automated response.
  • Report: https://www.paloaltonetworks.com/resources/research/unit-42-incident-response-report

API Threats Grow in Scale as AI Expands the Blast Radius

Article Link: https://www.securityweek.com/api-threats-grow-in-scale-as-ai-expands-the-blast-radius/

  • APIs remain a primary attack route, and AI is widening exposure. In its 2025 analysis of more than 60,000 disclosed vulnerabilities, API security firm Wallarm found that over 11,000, or 17%, were API-related. Also, 43% of 2025 additions to CISA’s Known Exploited Vulnerabilities Catalog involved APIs.
  • The New API Risk Multiplier report cited major 2025 breaches at 700Credit, Qantas, and Salesloft. Wallarm identified 315 Model Context Protocol vulnerabilities, with a 270% increase between Q2 and Q3 2025.
  • API weaknesses are fast and remotely exploitable. Wallarm reported 97% require a single request, 98% are easy to exploit, 99% are remotely accessible, and 59% require no authentication.
  • Wallarm concludes that some attackers abuse application logic and trust relationships rather than software flaws, and that stronger runtime controls and risk-based conditional access add resilience against that behavior.
  • Report: https://hubspot.wallarm.com/hubfs/Wallarm%20API%20ThreatStatTM%20Report-2026.pdf

Password Managers’ Promise That They Can’t See Your Vaults Isn’t Always True

Article Link: https://arstechnica.com/security/2026/02/password-managers-promise-that-they-cant-see-your-vaults-isnt-always-true/

  • New research from ETH Zurich and USI Lugano challenges the “zero-knowledge” claims made by major password managers including Bitwarden, Dashlane, and LastPass. Researchers found that in certain configurations, a compromised or malicious server could access or manipulate vault data.
  • The team identified 25 attack paths involving account recovery, key escrow, shared vaults, and legacy compatibility features. Some scenarios allow decryption of vault contents or weakening of encryption when specific features are enabled.
  • Password managers are becoming more mainstream, with around 94 million Americans using them and roughly 60 million using the three platforms reviewed. There’s no sign of active mass abuse yet, but the research questions how much trust users place in “zero-knowledge” claims.
  • The Zero Knowledge (About) Encryption paper suggests stronger client-side validation, authenticated key exchange, elimination of insecure legacy cryptographic modes, and extra protections around recovery and sharing features.
  • Research Paper: https://eprint.iacr.org/2026/058.pdf

Reynolds Ransomware Uses BYOVD to Disable Security Before Encryption

Article Link: https://securityaffairs.com/187869/security/reynolds-ransomware-uses-byovd-to-disable-security-before-encryption.html

  • Broadcom researchers identified a new ransomware family named Reynolds that embeds a Bring Your Own Vulnerable Driver (BYOVD) component directly inside its payload to disable security tools before encryption.
  • The underlying vulnerability, CVE-2025-68947, affects a signed Windows kernel driver, allowing attackers to abuse trusted software to disable security protections prior to ransomware deployment.
  • Specifically, the malware drops the signed NsecSoft NSecKrnl driver and exploits this CVE, allowing termination of protected processes and escalation to SYSTEM-level access. Security tools including Microsoft Defender, CrowdStrike, Sophos, Symantec, ESET, and Avast were targeted.
  • Files are encrypted with a “.locked” extension. Investigators also found evidence of a side-loaded loader and the GotoHTTP remote access tool, suggesting dirty-rotten attackers may have maintained access before and after the encryption event.
  • Because the driver is digitally signed, it can load without raising immediate alarms. Broadcom notes that building defense evasion directly into the ransomware shortens deployment time and reduces detection windows. Recommended defenses include monitoring driver-load activity, enabling a vulnerable driver blocklist through Group Policy, and blocking known indicators of compromise (IoCs).
  • CVE-2025-68947: https://nvd.nist.gov/vuln/detail/CVE-2025-68947
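
The detection advice above (track driver loads, block known-vulnerable drivers) can be prototyped against driver-load telemetry. The following is an added example, not code from the article or from Broadcom: it parses constructed log lines modelled loosely on Sysmon Event ID 6 (DriverLoad) and flags a load when the file name is on a watchlist (NSecKrnl.sys is the name given in the article), the SHA256 is on a blocklist (the hashes here are placeholders, not real values), the driver loads from outside the standard driver directories, or the binary is unsigned. The key point it demonstrates is that a valid signature alone clears nothing: the signed driver in the sample is still flagged by the other rules.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample events in a simplified key=value form modelled on Sysmon
# Event ID 6 (DriverLoad). The SHA256 values are placeholders, not real hashes.
SAMPLE_EVENTS = [
    'EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\ndis.sys '
    'Hashes=SHA256=PLACEHOLDER_HASH_NDIS Signed=true Signature="Microsoft Windows"',
    'EventID=6 ImageLoaded=C:\\Users\\Public\\NSecKrnl.sys '
    'Hashes=SHA256=PLACEHOLDER_HASH_NSECKRNL Signed=true Signature="NSecSoft Co., Ltd."',
    'EventID=6 ImageLoaded=C:\\Windows\\Temp\\drv.sys '
    'Hashes=SHA256=PLACEHOLDER_HASH_UNKNOWN Signed=false Signature=""',
]

# Driver file name taken from the article; the hash entry is a placeholder that a
# real deployment would populate from its vulnerable-driver intelligence feed.
WATCHLIST_NAMES = {"nseckrnl.sys"}
BLOCKLIST_SHA256 = {"PLACEHOLDER_HASH_NSECKRNL"}
TRUSTED_DIRS = ("c:\\windows\\system32\\drivers", "c:\\windows\\system32\\driverstore")

# key=value pairs; values may be double-quoted to allow spaces.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse one simplified DriverLoad line into a dict; Hashes becomes {algo: digest}."""
    fields = {key: value.strip('"') for key, value in _KV.findall(line)}
    hashes = {}
    for part in fields.get("Hashes", "").split(","):
        if "=" in part:
            algo, digest = part.split("=", 1)
            hashes[algo.upper()] = digest
    fields["Hashes"] = hashes
    return fields


def triage_driver_load(line):
    """Return the list of reasons a driver-load event deserves attention (empty if none)."""
    ev = parse_event(line)
    if ev.get("EventID") != "6":
        return []
    reasons = []
    path = ev.get("ImageLoaded", "")
    name = PureWindowsPath(path).name.lower()
    if name in WATCHLIST_NAMES:
        reasons.append(f"known vulnerable driver name: {name}")
    if ev["Hashes"].get("SHA256") in BLOCKLIST_SHA256:
        reasons.append("sha256 on blocklist")
    if not path.lower().startswith(TRUSTED_DIRS):
        reasons.append(f"loaded from non-standard directory: {path}")
    if ev.get("Signed", "").lower() != "true":
        reasons.append("driver is unsigned")
    return reasons


def triage_events(lines):
    """Map each flagged driver path to its reasons; clean loads are omitted."""
    flagged = {}
    for line in lines:
        reasons = triage_driver_load(line)
        if reasons:
            flagged[parse_event(line).get("ImageLoaded")] = reasons
    return flagged


if __name__ == "__main__":
    for path, reasons in triage_events(SAMPLE_EVENTS).items():
        print(path, "->", "; ".join(reasons))
```

In production the watchlist and blocklist would be fed from a maintained vulnerable-driver list rather than hard-coded, and the path rule should be tuned to the image's legitimate driver locations so that third-party drivers installed under the DriverStore do not generate noise.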

BeyondTrust Warns of Critical RCE Flaw in Remote Support Software

Article Link: https://www.bleepingcomputer.com/news/security/beyondtrust-warns-of-critical-rce-flaw-in-remote-support-software/

  • BeyondTrust disclosed a critical pre-authentication remote code execution flaw, CVE-2026-1731, affecting Remote Support 25.3.1 or earlier and Privileged Remote Access 24.3.4 or earlier.
  • The vulnerability stems from an OS command injection weakness and allows unauthenticated attackers to execute operating system commands through crafted client requests. Exploitation requires no user interaction and could result in system compromise, data exfiltration, or service disruption.
  • Researchers estimate approximately 11,000 internet-exposed instances, including about 8,500 on-prem deployments that remain potentially vulnerable if unpatched. BeyondTrust reports no known active exploitation at this time.
  • Cloud systems were secured by February 2, 2026. On-prem customers must upgrade to Remote Support 25.3.2 or later and Privileged Remote Access 25.1.1 or later to remediate exposure.
  • CVE-2026-1731: https://nvd.nist.gov/vuln/detail/CVE-2026-1731
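
The article describes the flaw only as an OS command injection reachable through crafted client requests; the specific code path is not public here. As an added illustration of that bug class, not BeyondTrust's code, the following Python shows a hypothetical remote-support diagnostic handler (a "ping this host" action with a constructed request format) in its vulnerable form beside a hardened one. The vulnerable builder concatenates the client value into a shell command line; the hardened path allow-list validates the value as a hostname and passes an argv list so no shell ever parses it. A `DryRun` runner stands in for `subprocess.run` so the handler can be exercised offline.

```python
import re
import shlex
import subprocess

# Constructed stand-in for client requests to a diagnostic endpoint; the real
# product's request format is not described in the article.
SAMPLE_REQUESTS = [
    {"action": "ping", "host": "example.com"},
    {"action": "ping", "host": "example.com; id"},   # injection attempt
]


def build_command_unsafe(host):
    """Vulnerable pattern: untrusted input concatenated into a shell command line.
    Executed via subprocess.run(cmd, shell=True), everything after ';' also runs."""
    return f"ping -c 1 {host}"


def build_command_quoted(host):
    """Partial mitigation when a shell is unavoidable: shlex.quote neutralises shell
    metacharacters, but the value still reaches ping unvalidated."""
    return f"ping -c 1 {shlex.quote(host)}"


# RFC 1123 style hostname: dot-separated labels of letters, digits and hyphens,
# never starting with '-' (so the value cannot be parsed as a ping option).
_HOSTNAME = re.compile(
    r"(?=.{1,253}\Z)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
)


def build_command_safe(host):
    """Hardened pattern: allow-list validation, then an argv list (no shell at all)."""
    if not _HOSTNAME.fullmatch(host):
        raise ValueError(f"rejected host value: {host!r}")
    return ["ping", "-c", "1", host]


class DryRun:
    """Stand-in for subprocess.run that records argv instead of executing it."""

    def __init__(self):
        self.calls = []

    def __call__(self, argv, **kwargs):
        self.calls.append(list(argv))
        return subprocess.CompletedProcess(argv, 0, stdout="", stderr="")


def handle_ping_request(request, runner=subprocess.run):
    """Hardened handler: fixed action, validated argument, no shell, bounded runtime."""
    if request.get("action") != "ping":
        raise ValueError("unsupported action")
    argv = build_command_safe(str(request.get("host", "")))
    completed = runner(argv, capture_output=True, text=True, timeout=5)
    return completed.returncode


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print("unsafe:", build_command_unsafe(req["host"]))
        try:
            print("safe  :", build_command_safe(req["host"]))
        except ValueError as exc:
            print("safe  :", exc)
```

The order of defenses matters: validation rejects the malformed value before any process is spawned, and the argv form removes the shell as an interpreter even if validation were later loosened. `shlex.quote` is shown only as the fallback for code that genuinely must go through a shell.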

Apple Fixes Exploited Zero-Day Affecting iOS, macOS, and Apple Devices

Article Link: https://thehackernews.com/2026/02/apple-fixes-exploited-zero-day.html

  • Apple released updates to address CVE-2026-20700, a memory corruption vulnerability in dyld, Apple’s dynamic linker, which loads and links the code an app needs as it launches and runs.
  • The flaw carries a CVSS score of 7.8 and could allow arbitrary code execution on affected devices. Apple said the vulnerability may have been used in highly sophisticated attacks against specific individuals running versions prior to iOS 26. Google’s Threat Analysis Group reported the issue.
  • This marks Apple’s first actively exploited zero-day addressed in 2026. Updates are available for current Apple devices, with additional patches issued for older macOS, iOS, and Safari versions.
  • Security experts remind organizations to use mobile device management to enforce update compliance and require minimum OS versions before allowing corporate access.
  • CVE-2026-20700: https://nvd.nist.gov/vuln/detail/CVE-2026-20700
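
Both the BeyondTrust item (upgrade to Remote Support 25.3.2 or later, Privileged Remote Access 25.1.1 or later) and the MDM advice above (require a minimum OS version before granting corporate access) come down to the same control: a version gate. The following added example, not code from any of the vendors mentioned, implements that gate with numeric, component-wise comparison. The product keys and the "26" floor for iOS are assumptions taken from the summaries; the point it demonstrates is the classic failure of string comparison, where "25.3.10" sorts below "25.3.2", and the fail-closed handling of unknown products and unparseable version strings.

```python
import re

# Minimum fixed versions quoted in the summaries above. Product keys are
# assumed names for this example; the iOS floor reflects the article's note
# that affected devices ran versions prior to iOS 26.
MINIMUM_VERSIONS = {
    "beyondtrust-remote-support": "25.3.2",
    "beyondtrust-privileged-remote-access": "25.1.1",
    "ios": "26",
}

_VERSION = re.compile(r"\d+(?:\.\d+)*")


def parse_version(text):
    """Turn '25.3.2' into (25, 3, 2); reject anything that is not dotted integers."""
    text = text.strip()
    if not _VERSION.fullmatch(text):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def meets_minimum(installed, minimum):
    """Component-wise comparison, padding the shorter tuple with zeros so that
    '26' and '26.0.1' compare as expected."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def evaluate(product, installed):
    """Policy decision for one device or server: compliant, non-compliant,
    unknown-product or unparseable. Anything other than 'compliant' should
    be treated as a denial by the caller (fail closed)."""
    minimum = MINIMUM_VERSIONS.get(product)
    if minimum is None:
        return "unknown-product"
    try:
        ok = meets_minimum(installed, minimum)
    except ValueError:
        return "unparseable"
    return "compliant" if ok else "non-compliant"


if __name__ == "__main__":
    # Constructed inventory rows: (product, reported version).
    inventory = [
        ("beyondtrust-remote-support", "25.3.1"),
        ("beyondtrust-remote-support", "25.3.10"),
        ("beyondtrust-privileged-remote-access", "24.3.4"),
        ("ios", "18.7.3"),
        ("ios", "26.0.1"),
        ("ios", "26 beta"),
    ]
    for product, version in inventory:
        print(f"{product:40} {version:8} {evaluate(product, version)}")
```

When wiring this into an MDM or conditional-access policy, keep the minimum-version table in configuration rather than code so it can be raised the day a fix ships, and log the raw version string alongside the decision so that unparseable values can be investigated rather than silently denied forever.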

OT Attacks Get Scary With ‘Living-off-the-Plant’ Techniques

Article Link: https://www.darkreading.com/ics-ot-security/ot-attacks-living-off-the-plant

  • Operational technology attacks have remained relatively limited in impact, largely due to attackers’ lack of deep process knowledge within bespoke and legacy industrial environments. Attackers often reach critical systems, but they aren’t sure how to cause a major disruption.
  • That may be changing. At RSAC 2026, Ric Derbyshire of Orange Cyberdefense plans to demonstrate how dirty-rotten attackers could evolve toward “living-off-the-plant” techniques, using legitimate industrial protocols such as Siemens’ S7comm to “blend in” while manipulating systems.
  • Past incidents, including a dam breach in Norway, showed attackers accessing OT systems but using only basic functionality. Derbyshire argues that deeper knowledge of physical processes, network architecture, and system configuration could enable far more severe outcomes.
  • As attackers gain access to technical resources and tools, including PLC hardware and AI assistants, defenders must strengthen monitoring, segmentation, and detection across OT environments rather than relying on obscurity.

Your AI Doctor Doesn’t Have to Follow the Same Privacy Rules as Your Real One

Article Link: https://cyberscoop.com/ai-healthcare-apps-hipaa-privacy-risks-openai-anthropic/

  • AI health tools from OpenAI, Anthropic, and Google are expanding rapidly, offering medical advice, diagnostics, and record analysis to hundreds of millions of users.
  • Legal experts told CyberScoop that these companies are almost certainly not covered entities under HIPAA, meaning they are not bound by the same federal privacy and breach notification rules that apply to hospitals and healthcare providers.
  • While companies promote encryption, multifactor authentication, and infrastructure described as “HIPAA ready,” experts warn that terms of service commitments differ from statutory obligations. Federal law generally places no comprehensive limits on the sale or sharing of non-HIPAA protected consumer health data.
  • Experts caution that consumers may face privacy and resale risks when sharing medical information with unregulated platforms, particularly as AI tools remain opaque and healthcare data breaches continue across traditional systems.

Singapore & Its 4 Major Telcos Fend Off Chinese Hackers

Article Link: https://www.darkreading.com/cyberattacks-data-breaches/singapore-major-telcos-fend-chinese-hackers

  • Singapore’s Cyber Security Agency and four major telecommunications firms, M1, Simba Telecom, Singtel, and StarHub, spent 11 months expelling China-linked threat actor UNC3886 from national telecom networks.
  • The operation, called Cyber Guardian, involved more than 100 responders. The attackers used a zero-day exploit to bypass perimeter defenses and deployed rootkits to maintain persistence within critical systems.
  • Authorities reported unauthorized access to some telecommunications networks, including critical infrastructure, but found no evidence of service disruption, internet outages, or stolen customer data.
  • Singapore credited its coordinated public-private response between the Cyber Security Agency and industry partners for containing the intrusion. Officials warned that telecommunications remain strategic targets and emphasized continued hardening, intelligence sharing, and infrastructure resilience to counter future state-sponsored attempts.

