CISO Talk by James Azar
CyberHub Podcast
SmarterTools Hacked By Own Software, Ivanti Zero-Days Hit EU, China Rehearses Cyber Attacks Against Neighbors

When vendors eat their own dog food: SmarterTools breached by its own software, Ivanti zero-days hammer Europe, SolarWinds exploited again, China rehearses cyber warfare, AI tooling expands risk

Good Morning Security Gang

Welcome back to the CyberHub Podcast. Before we jump into today’s cyber headlines, a quick human reminder: Valentine’s Day is this Saturday. If you haven’t made plans yet, now’s the time; otherwise it’s Chili’s and regret. I care about this audience, and the Security Gang is a real thing. Plan accordingly.

Now that we’ve handled life logistics, today’s show is packed. We’re talking about vendors breached through their own software, Ivanti zero-days moving from mass exploitation into targeted government intrusions, SolarWinds vulnerabilities being abused to deploy legitimate forensic tools, critical flaws in remote access and AI tooling, China openly rehearsing cyber operations against neighbors, and we’ll close with platform safety moves and a major fraud takedown.

I’ve got my double espresso, the crema is perfect — coffee cup cheers — let’s get into it.


SmarterTools Breached Through Its Own Software

SmarterTools confirmed attackers breached its internal network by exploiting a vulnerability in SmarterMail, the company’s own email server product. This is a textbook example of a vendor eating its own dog food — and choking on it. Attackers abused a customer-facing flaw to pivot into the vendor’s internal environment, raising serious downstream supply-chain trust concerns.

The breach occurred on January 29, and at the time SmarterTools had roughly 30 servers and virtual machines running SmarterMail internally, which gave attackers lateral movement opportunities. The vulnerability, CVE-2026-23760, was leveraged by the Warlock ransomware group. While SentinelOne reportedly prevented the final encryption payload, systems were still compromised.

"This is a textbook 'vendor eats its own dog food' failure. Attackers used a customer-facing flaw to pivot into the vendor's environment, raising downstream trust concerns. If you're on the product side—that's how attackers pivot."

The lesson here is simple: vendor internal networks must be strictly isolated from customer-facing infrastructure, even when running the same products. If a flaw exists externally, assume it will be weaponized internally as well.

Ivanti Zero-Days Hit European Governments

Europe continues to absorb the fallout from Ivanti zero-day vulnerabilities, with both EU institutions and the Dutch government confirming intrusions tied to Ivanti flaws. This marks a shift from broad internet scanning to deliberate, high-value government targeting.

The exploited vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) — CVE-2026-1281 and CVE-2026-1340, both with CVSS scores of 9.8 — allowed attackers to establish persistent access through edge and device management platforms. Multiple governments, including the U.S., Canada, Singapore, and EU members, have now added these flaws to their known exploited vulnerability catalogs.

"There's a gift that keeps on giving for people who enjoy gluten for punishment. That gift, folks, is Ivanti. And the people who glute for punishment? Europe."

Shadowserver has also reported web shells and exploitation artifacts on exposed EPMM devices, reinforcing the reality that delayed patching of management planes can lead to entire fleet compromise through a single console. If Ivanti is still internet-facing in your environment, you should assume compromise — or better yet, rip and replace.

SolarWinds Web Help Desk Exploited to Deploy Velociraptor

Attackers are actively exploiting vulnerabilities in SolarWinds Web Help Desk to deploy Velociraptor, a legitimate digital forensics and incident response tool repurposed for post-exploitation. This is classic living-off-the-land behavior: trusted admin tooling used as malware.

The danger isn’t just the exploit — it’s the camouflage. When attackers operate using tools your IT team already trusts, detection becomes significantly harder. The smartest defense here is operational discipline: any dual-use admin or forensic tool should require an open, approved ticket to run. If it’s not approved, it gets blocked first and investigated second.

BeyondTrust Discloses Critical Remote Code Execution Flaw

BeyondTrust issued a warning for a critical remote code execution vulnerability in its Remote Support product (CVE-2026-1731). Given the privileged nature of remote access tools, exploitation could grant attackers instant, full-session control.

BeyondTrust has released a patch, but history shows that prior BeyondTrust vulnerabilities have been targeted as zero-days. The real mitigation goes beyond patching: enforce just-in-time access, automatic session expiration, and strict auditing for all remote support workflows.

Claude Desktop Extensions Expose Zero-Click Vulnerabilities

Researchers identified zero-click remote code execution vulnerabilities affecting Claude desktop extensions, where malicious content could trigger execution without user interaction. This highlights how AI tooling is expanding the attack surface well beyond browsers.

The risk is silent compromise through trusted AI-assisted workflows. Until maturity improves, organizations should disable third-party extensions by default in AI desktop environments and re-enable only after security validation.

China Rehearses Cyber Attacks Against Regional Infrastructure

Leaked technical documents reveal China actively testing cyber capabilities against neighboring countries, focusing on reconnaissance, access validation, and pre-positioning, not immediate disruption. Targets include energy transmission, transportation, telecom, and smart home infrastructure.

This is cyber doctrine in practice — shaping future coercive or wartime options by embedding access early. The documents, discovered on an unsecured FTP server and first reported by Recorded Future, suggest China’s strategy prioritizes latent access over loud attacks.

For defenders, this means threat modeling must assume dormant access already exists, particularly in critical infrastructure environments. Singapore, in particular, remains a key target due to its role as a regional data and telecom hub.

Discord Moves to Restrict Minors’ Access

Discord announced new age-restriction measures, limiting access to certain features and content as regulators increase pressure on platforms to protect minors. While not a breach, this signals rising expectations around platform safety and trust-by-design.

The takeaway for technology companies is clear: bake privacy and safety controls into core architectures, not as afterthoughts bolted on when regulation arrives.

FTC Reports Surge in Ransomware-Related Scams

The Federal Trade Commission reported a sharp rise in ransomware-linked scams, including fake recovery services and follow-on extortion targeting previous victims. Criminals are monetizing breach aftermath, not just the initial incident.

This creates a second wave of victimization that many incident response plans fail to address. Organizations should treat post-breach fraud monitoring and user education as standard components of incident recovery.

Major FanDuel Fraud Ring Busted

In a rare piece of good news, U.S. authorities charged two individuals in a massive FanDuel fraud operation that used thousands of stolen identities to create fake accounts and launder winnings across FanDuel, DraftKings, and BetMGM.

The suspects face dozens of charges including wire fraud, identity theft, and money laundering — with potential sentences totaling hundreds of years if convicted. The case reinforces that fraud prevention must go beyond simple KYC and include behavioral analysis of account creation and transaction patterns.
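The behavioral side of that point, as an added illustration that is not part of the episode and makes no claim about how FanDuel, DraftKings or BetMGM actually detect fraud: identity checks look at one applicant at a time, while a synthetic-identity ring shows up only when account creations are compared with each other. The function below groups constructed signup records by device fingerprint and by payout destination and flags any group where several distinct identities share one of them; the record fields, thresholds and sample values are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Signup:
    account_id: str
    identity: str        # hashed name+DOB+SSN as passed by KYC (constructed)
    device_id: str       # browser/device fingerprint
    ip: str
    payout_account: str  # bank or card token where winnings are withdrawn


# Constructed signups: every identity here passes KYC on its own.
SIGNUPS = [
    Signup("a1", "id-001", "dev-A", "203.0.113.10", "bank-111"),
    Signup("a2", "id-002", "dev-A", "203.0.113.10", "bank-777"),
    Signup("a3", "id-003", "dev-A", "203.0.113.11", "bank-777"),
    Signup("a4", "id-004", "dev-A", "203.0.113.12", "bank-777"),
    Signup("a5", "id-005", "dev-B", "198.51.100.5", "bank-222"),
    Signup("a6", "id-005", "dev-B", "198.51.100.5", "bank-222"),  # same person, two accounts: not a ring
    Signup("a7", "id-006", "dev-C", "192.0.2.9", "bank-333"),
]


def shared_attribute_clusters(signups: list, attribute: str, min_identities: int) -> dict:
    """Map each attribute value to the set of distinct identities behind it,
    keeping only clusters with at least `min_identities` distinct identities.

    Counting identities rather than accounts is deliberate: one person with two
    accounts is a policy matter, many identities on one device is a ring signal.
    """
    by_value = defaultdict(set)
    for s in signups:
        by_value[getattr(s, attribute)].add(s.identity)
    return {value: ids for value, ids in by_value.items() if len(ids) >= min_identities}


def flag_accounts(signups: list, device_threshold: int = 3, payout_threshold: int = 2) -> dict:
    """Return {account_id: [reasons]} for accounts belonging to a suspicious cluster."""
    suspicious_devices = shared_attribute_clusters(signups, "device_id", device_threshold)
    suspicious_payouts = shared_attribute_clusters(signups, "payout_account", payout_threshold)
    flagged = defaultdict(list)
    for s in signups:
        if s.device_id in suspicious_devices:
            flagged[s.account_id].append(
                f"device {s.device_id} shared by {len(suspicious_devices[s.device_id])} identities")
        if s.payout_account in suspicious_payouts:
            flagged[s.account_id].append(
                f"payout {s.payout_account} shared by {len(suspicious_payouts[s.payout_account])} identities")
    return dict(flagged)


if __name__ == "__main__":
    for account, reasons in sorted(flag_accounts(SIGNUPS).items()):
        print(account, "->", "; ".join(reasons))
```

In the constructed data, accounts a1 through a4 are flagged because four different identities were created from one device fingerprint, and a2 through a4 carry a second reason because three of those identities withdraw to the same payout account. Accounts a5 and a6 share a device and a payout account but belong to a single identity, so they are not flagged; that distinction is what keeps a shared-attribute rule from drowning in legitimate duplicates.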

The indictment charges include:

  • Conspiracy to commit wire and identity fraud (5 years)

  • Wire fraud, 23 counts (up to 20 years each)

  • Identity fraud, 8 counts (up to 15 years each)

  • Aggravated identity theft, 2 counts (mandatory 2-year consecutive)

  • Money laundering, 1 count (up to 20 years)

  • Money laundering, 10 counts (up to 20 years each)

Action List

  • 🔒 Isolate vendor internal networks from customer-facing infrastructure

  • 🚨 Treat internet-exposed Ivanti systems as potentially compromised

  • 🛠️ Require explicit approval and monitoring for dual-use admin tools

  • ⏱️ Enforce just-in-time access for all remote support platforms

  • 🤖 Disable unvetted AI desktop extensions by default

  • 🌏 Model threats assuming latent state-actor access already exists

  • 👶 Build privacy and safety controls directly into platform design

  • 🧾 Add post-breach fraud monitoring to incident response playbooks

  • 💳 Detect fraud using behavioral patterns, not just identity checks


James Azar’s CISO’s Take

Today’s episode highlights a consistent theme: trust keeps failing at scale. Vendors trust their own software too much, governments trust exposed management planes, enterprises trust admin tools without guardrails, and users trust AI workflows implicitly. Attackers are exploiting that trust gap relentlessly.

My biggest takeaway is this: security maturity in 2026 is about controlled friction. Shorter sessions, stricter approvals, more segmentation, and fewer assumptions. Convenience got us here; discipline is how we get out. We’ll be back tomorrow at 9:00 AM Eastern with the latest.

Until then — plan for Valentine’s Day, protect your environments, and as always, stay cyber safe.
