Information Security News – 3/2/2026


CrowdStrike: Average Cyberattack Breakout Time Now Under 30 Minutes

Article Link: https://www.scworld.com/news/crowdstrike-average-cyberattack-breakout-time-now-under-30-minutes

  • CrowdStrike is dubbing 2026 the “Year of the Evasive Adversary.” Its 2026 Global Threat Report showed the average breakout time has fallen to 29 minutes, a 65% acceleration year over year, with the fastest observed intrusion spreading in 27 seconds and one case reaching data exfiltration in four minutes.
  • Attackers are exploiting zero-day vulnerabilities, especially in edge devices, abusing valid credentials, compromising trusted software, and increasing AI-assisted activity by 89%, while 82% of detections were malware-free, relying on those valid credentials.
  • North Korea-linked activity rose 130%, China-nexus intrusions climbed 38%, and cloud-focused attacks increased 37%, sharply reducing detection windows.
  • CrowdStrike recommends prioritizing edge patching, enforcing multi-factor authentication and least privilege, strengthening supply chain validation, expanding cross-domain visibility, and sharpening response readiness through threat hunting and coordinated tabletop exercises.
  • Report: https://www.crowdstrike.com/en-us/global-threat-report/

Critical Cisco SD-WAN Bug Exploited in Zero-day Attacks Since 2023

Article Link: https://www.bleepingcomputer.com/news/security/critical-cisco-sd-wan-bug-exploited-in-zero-day-attacks-since-2023/

  • Cisco confirmed a maximum severity SD-WAN flaw, CVE-2026-20127, has been exploited since at least 2023 to insert rogue peers into targeted networks and compromise controllers.
  • The vulnerability allows authentication bypass, giving attackers high-privileged access to manipulate SD-WAN configurations and potentially escalate to root by downgrading software and restoring it afterward to evade detection.
  • Cisco Talos attributes the activity to a highly sophisticated threat actor, and CISA issued Emergency Directive 26-03, calling the exploitation an imminent threat and setting a rapid federal patch deadline of 5pm EST, February 27, 2026.
  • Organizations are also instructed to audit authentication logs, investigate rogue peering events, isolate management interfaces, and rebuild systems if root access is detected. Cisco states that upgrading to a fixed software release is the only way to fully remediate CVE-2026-20127.
  • CISA Emergency Directive 26-03: https://www.cisa.gov/news-events/news/immediate-action-required-cisa-issues-emergency-directive-secure-cisco-sd-wan-systems
  • Cisco Security Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk

600+ FortiGate Devices Hacked by AI-Armed Amateur

Article Link: https://www.darkreading.com/threat-intelligence/600-fortigate-devices-hacked-ai-amateur

  • A Russian-speaking, financially motivated actor used generative AI to compromise more than 600 Fortinet FortiGate firewalls across at least 55 countries, according to Amazon Web Services.
  • The campaign did not exploit product vulnerabilities. Instead, the attacker scanned exposed management ports and abused weak or reused single-factor credentials, using AI-assisted scripts to automate reconnaissance and configuration parsing at scale.
  • Compromised environments included Active Directory (AD) domains and Veeam Backup & Replication servers, allowing credential theft and positioning for potential ransomware deployment.
  • AWS recommends removing management interfaces from internet exposure, restricting access to approved IP ranges, rotating credentials, enforcing multifactor authentication for administrative and VPN access, and monitoring AD for domain-controller sync (DC Sync) operations and unauthorized backup access.

Researchers Reveal Russian Hackers Hijacked Digital Highways to “Steal Funds” from Logistics Giants

Article Link: https://cybernews.com/security/russian-diesel-vortex-logistics-phishing/

  • Researchers uncovered a Russia-linked phishing operation, Diesel Vortex, targeting U.S. and European logistics platforms to steal funds and harvest data from freight and trucking professionals between September 2025 and February 2026.
  • The campaign deployed 52 phishing domains, targeted more than 57,000 email addresses, and captured 3,474 credential pairs tied to 1,649 accounts using spear phishing and voice phishing to intercept logins and multi-factor authentication codes.
  • Stolen access enabled invoice redirection, double brokering, shipment and personal data theft, and attempted fuel card fraud. Investigators also identified a phishing-as-a-service platform branded “GlobalProfit,” with defined roles and revenue tracking.
  • The infrastructure was dismantled through coordinated action involving Have I Been Squatted, Ctrl-Alt-Intel, Google, Cloudflare, GitLab, Microsoft, CrowdStrike, and a few other affected organizations.

University of Mississippi Medical Center Still Offline After Ransomware Attack

Article Link: https://www.infosecurity-magazine.com/news/university-mississippi-medical/

  • The University of Mississippi Medical Center confirmed a ransomware attack forced many IT systems offline, including electronic medical records. The system employs more than 10,000 staff across seven hospitals, dozens of clinics, and over 200 telehealth sites.
  • Outpatient surgeries, imaging appointments, and elective procedures were cancelled, while hospitals and emergency departments remained open using paper-based downtime procedures.
  • UMMC activated its Emergency Operations Plan, disconnected network systems, and is working with the Department of Homeland Security and the FBI. It remains unclear whether patient or employee data was accessed.
  • Security leaders recommend maintaining offline or immutable backups, deploying endpoint detection, conducting ransomware-focused penetration tests, upgrading to phishing-resistant authentication, auditing credentials, scanning for vulnerabilities, and strengthening monitoring and executive oversight.

Wynn Under Fire: Cyber-Criminals Demand $1.5M in Massive Data Theft

Article Link: https://thenevadaglobe.com/702times/wynn-under-fire-cyber-criminals-demand-1-5m-in-massive-data-theft/

  • Wynn Resorts is reportedly facing an extortion demand from the group ShinyHunters, which claims to have stolen more than 800,000 employee records, including Social Security numbers, salary data, and contact information.
  • The breach is linked to a vulnerability identified in late 2025, with attackers now demanding 22.34 Bitcoin, approximately $1.5 million, and setting a February 23 deadline before a potential public leak. As of this writing, Wynn has not disclosed whether any ransom has been paid.
  • The incident places pressure on one of Nevada’s largest employers and a flagship Strip brand, raising concerns about employee privacy and reputational damage.
  • Regulators and gaming leaders are pressed to treat the breach as a public-safety priority, emphasizing data protection, accountability, and layered defenses against extortion-driven attacks.

Google Disrupts Chinese Hackers Targeting Telecoms, Governments

Article Link: https://www.securityweek.com/google-disrupts-chinese-cyberespionage-campaign-targeting-telecoms-governments/

  • Google disrupted a China-linked cyberespionage campaign tied to UNC2814, active since at least 2017 and targeting telecom and government organizations worldwide. At least 53 organizations across 42 countries were impacted.
  • The group used API calls to SaaS applications as command-and-control infrastructure, disguising malicious traffic as legitimate cloud activity. A backdoor named GridTide leveraged Google Sheets to transmit shell commands and data.
  • GridTide was found on systems containing personal information, including names, dates of birth, phone numbers, voter IDs, and national IDs. Google did not directly observe data exfiltration in this campaign.
  • Google and partners removed cloud resources, sink-holed domains, disabled attacker accounts, terminated malicious Google Sheets instances, notified victims, and released indicators of compromise to support detection and response.

Your AI-generated Password isn’t Random, it Just Looks That Way

Article Link: https://www.theregister.com/2026/02/18/generating_passwords_with_llms/

  • Research from AI security firm Irregular found that Claude, ChatGPT, and Gemini generate 16-character passwords that appear complex but are highly predictable.
  • Testing 50 outputs, using the Shannon entropy formula over character appearance probabilities, revealed only 30 unique passwords, common starting and ending patterns, and no repeated characters within a password, indicating low randomness. The estimated entropy of these 16-character passwords ranged from 20 to 27 bits, compared to 98 to 120 bits for truly random strings of the same length.
  • Despite passing online strength checkers, researchers said the passwords could be brute forced within hours if attackers understand the patterns. Similar results were observed across other LLMs.
  • Irregular warns against using LLMs to generate passwords, recommending rotation of any AI-created credentials and the use of trusted password managers instead.
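The measurement described above, reconstructed as an added example (this is not Irregular's code or data): pooled character-frequency Shannon entropy, a uniqueness ratio and a per-position predictability check, run over a constructed LLM-like sample and over CSPRNG output of the same length. The sample passwords and all function names are assumptions for illustration.

```python
import math
import secrets
import string
from collections import Counter

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
LENGTH = 16

# Constructed sample standing in for LLM-generated passwords: one template with
# a few substitutions, the same string returned three times, and no character
# repeated inside any single password. Not the passwords from Irregular's study.
LLM_LIKE = [
    "Xk9#mP2$vL7@qR4!", "Xk9#mP2$vL7@qR4!", "Xk8#mP3$vL6@qR5!",
    "Xk1#mQ2$vN7@tR4!", "Xj9#nP2$wL7@qS4!", "Xk9#mP2$vL7@qR4?",
    "Xk9%mP2$vL7@qR4!", "Xk9#mP2$vL7@qR4!", "Yk9#mP2$vL7@qR4!",
    "Xk9#mP2$vL7@qT4!",
]

def random_passwords(n, length=LENGTH):
    """Baseline: CSPRNG draws, uniform over the 94 printable ASCII symbols."""
    return ["".join(secrets.choice(PRINTABLE) for _ in range(length)) for _ in range(n)]

def entropy_bits_per_char(samples):
    """Shannon entropy H = -sum p(c) * log2 p(c) over pooled character frequencies."""
    counts = Counter(ch for pw in samples for ch in pw)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def estimated_password_bits(samples, length=LENGTH):
    """Per-character entropy scaled to a full password (the study's headline figure)."""
    return entropy_bits_per_char(samples) * length

def ideal_bits(alphabet_size=len(PRINTABLE), length=LENGTH):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)

def unique_fraction(samples):
    return len(set(samples)) / len(samples)

def positional_predictability(samples):
    """Mean share held by the most common character at each position.
    1.0 means every password is identical; about 1/94 is the uniform floor.
    Frequency entropy alone misses this, so it overstates the LLM sample's strength."""
    length = len(samples[0])
    shares = [Counter(pw[i] for pw in samples).most_common(1)[0][1] / len(samples)
              for i in range(length)]
    return sum(shares) / length

if __name__ == "__main__":
    for name, s in (("LLM-like", LLM_LIKE), ("CSPRNG", random_passwords(50))):
        print(f"{name:9} unique={unique_fraction(s):.2f} "
              f"H={estimated_password_bits(s):.1f} bits (ideal {ideal_bits():.1f}) "
              f"positional={positional_predictability(s):.2f}")
```

The pooled-frequency estimate is a heuristic over a small sample; the positional check is what exposes the shared template that a strength checker scoring each string in isolation cannot see.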

Defense Contractor Employee Jailed for Selling 8 Zero-Days to Russian Broker

Article Link: https://thehackernews.com/2026/02/defense-contractor-employee-jailed-for.html

  • Peter Williams, a former employee of U.S. defense contractor L3Harris, was sentenced to over seven years in prison for stealing and selling eight zero-day exploits to Russian broker Operation Zero for up to $4 million in cryptocurrency.
  • The theft occurred between 2022 and 2025 and involved tools designed exclusively for the U.S. government and select allies. Prosecutors said the exploits could have enabled cyber fraud, ransomware, espionage, and military targeting worldwide.
  • L3Harris estimates financial losses of $35 million. Operation Zero allegedly sold the tools to unauthorized users and sought buyers among non-NATO countries.
  • U.S. authorities sanctioned Operation Zero, its director Sergey Zelenyuk, and affiliated entities under PAIPA and OFAC authorities, reinforcing enforcement against trade secret theft tied to national security risks.
