This Week in Cybersecurity #41
BridgePay Ransomware Halts Payments, China Breaches Singapore Telecoms, Microsoft Patches 6 Zero-Days, Ivanti Strikes Again, and Vendors Become the Easiest Way In
Good morning, Security Gang!
This week proved that trust must expire: sessions, tokens, vendors, identities, and convenience itself, because the longer trust lives unchecked, the more valuable it becomes to adversaries. BridgePay confirmed that ransomware halted its payment processing, stopping revenue instantly; China breached four major Singapore telecommunications providers for strategic intelligence collection; and Microsoft released patches for six actively exploited zero-days covering a SmartScreen bypass, Windows Shell, Internet Explorer, Desktop Window Manager, RDP privilege escalation, and Remote Access Connection Manager. Meanwhile, SmarterTools was breached through its own SmarterMail product, proving vendors eat their own dog food and choke on it; Ivanti EPMM zero-days (CVE-2026-1281, CVE-2026-1340) hit European governments, with the EU, Netherlands, US, Canada, and Singapore adding them to KEV catalogs; Volvo customer data leaked through the third-party Conduent breach, illustrating how enterprises build fortresses while vendors dig tunnels from outside; and North Korean operatives impersonate IT professionals on LinkedIn, gaining trusted insider access through deception, not exploitation.
Add Chinese DKnife implant hijacking authenticated sessions to bypass MFA, Apple patching “extremely sophisticated” zero-day, $2,000 spyware kits promising full mobile takeover, Georgia healthcare breach hitting 620,000 patients, SolarWinds exploited to deploy Velociraptor forensics tool, the first malicious Outlook add-in discovered exfiltrating 4,000+ credentials, 155-country state-actor espionage campaign, and AI identifying 500+ high-severity vulnerabilities—and you have a week proving convenience is the adversary’s favorite tool, identity and mobility are the new perimeter, and security maturity in 2026 is about controlled friction not endless trust.
Let’s break it down - coffee ready, Security Gang, because trust now requires expiration dates.
💳 BUSINESS CONTINUITY & PAYMENT FAILURES
BridgePay Confirms Ransomware Behind Payment Outage
BridgePay confirmed that ransomware was the root cause of the outage that disrupted card processing for downstream merchants. While technical details remain limited, the business impact is crystal clear: when a payment processor goes down, revenue stops immediately and reputational damage compounds with every failed transaction.
This isn’t just a BridgePay problem; it’s a resiliency failure across dependent retailers.
James emphasized: “If you only have one payment provider, you’re doing it wrong.”
The risk here is cascading business interruption and potential exposure of transaction metadata.
Mitigation isn’t theoretical:
Merchants need secondary and tertiary payment providers
Ability to fail over instantly
Segmented transaction handling so limited operations can continue during upstream outages
Payments resilience today is not optional—it’s table stakes
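One way to build the failover the list above describes, shown here as an added example rather than BridgePay’s code or any processor’s API. Provider names, the charge() adapter interface and the breaker thresholds are assumptions; the point is that a dead primary is skipped without blocking the checkout, and retried only after a cooldown:

```python
"""Added example (not BridgePay's or any processor's code): ordered failover
across several payment providers with a per-provider circuit breaker.

Provider names, the charge() interface and the breaker thresholds are
assumptions made for this example.
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


class ProviderDown(Exception):
    """Raised by a provider adapter when it cannot authorize the charge."""


@dataclass
class PaymentProvider:
    name: str
    charge: Callable[[int], str]   # amount in cents -> authorization id
    failure_threshold: int = 3     # consecutive failures before the breaker opens
    cooldown_s: float = 30.0       # seconds the breaker stays open before a retry
    failures: int = 0
    opened_at: Optional[float] = None

    def is_open(self, now: float) -> bool:
        """An open breaker means: skip this provider without calling it."""
        return self.opened_at is not None and (now - self.opened_at) < self.cooldown_s

    def record_failure(self, now: float) -> None:
        self.failures += 1
        if self.failures >= self.failure_threshold:
            self.opened_at = now

    def record_success(self) -> None:
        self.failures = 0
        self.opened_at = None


class PaymentRouter:
    """Tries providers in priority order; fails over on the first error."""

    def __init__(self, providers: List[PaymentProvider],
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.providers = providers
        self.clock = clock
        self.audit: List[str] = []   # append-only trail for later review

    def charge(self, amount_cents: int) -> Tuple[str, str]:
        now = self.clock()
        for p in self.providers:
            if p.is_open(now):
                self.audit.append(f"skip {p.name}: breaker open")
                continue
            try:
                auth = p.charge(amount_cents)
            except ProviderDown as exc:
                p.record_failure(now)
                self.audit.append(f"fail {p.name}: {exc}")
                continue
            p.record_success()
            self.audit.append(f"ok {p.name}: {auth}")
            return p.name, auth
        raise ProviderDown("all payment providers unavailable")


def build_demo() -> Tuple[PaymentRouter, Dict[str, int], List[float]]:
    """Constructed scenario: the primary processor is down, the others are healthy."""
    calls = {"primary": 0, "secondary": 0, "tertiary": 0}
    fake_now = [0.0]   # controllable clock so the cooldown can be exercised

    def primary_down(amount: int) -> str:
        calls["primary"] += 1
        raise ProviderDown("gateway timeout")

    def secondary_ok(amount: int) -> str:
        calls["secondary"] += 1
        return f"sec-auth-{amount}"

    def tertiary_ok(amount: int) -> str:
        calls["tertiary"] += 1
        return f"ter-auth-{amount}"

    providers = [
        PaymentProvider("primary", primary_down),
        PaymentProvider("secondary", secondary_ok),
        PaymentProvider("tertiary", tertiary_ok),
    ]
    return PaymentRouter(providers, clock=lambda: fake_now[0]), calls, fake_now


def run_demo() -> Tuple[List[str], int, int]:
    """Returns (provider used per charge, primary calls during outage, primary calls after cooldown)."""
    router, calls, fake_now = build_demo()
    used = []
    for amount in (1000, 2500, 999, 4200):      # four charges while primary is down
        used.append(router.charge(amount)[0])
    during_outage = calls["primary"]            # breaker trips after the 3rd failure
    fake_now[0] += 31.0                         # cooldown elapsed: one probe is allowed
    used.append(router.charge(100)[0])
    return used, during_outage, calls["primary"]


if __name__ == "__main__":
    print(run_demo())
```

The audit trail is what you hand to incident response afterwards: it records every skipped provider and every failure reason, so "why did checkout stall for 40 seconds" is answerable without guessing.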
🦠 VENDOR & SUPPLY CHAIN TRUST COLLAPSE
SmarterTools Breached Through Its Own Software
SmarterTools confirmed attackers breached its internal network by exploiting a vulnerability in SmarterMail, the company’s own email server product. This is a textbook example of a vendor eating its own dog food and choking on it. Attackers abused a customer-facing flaw to pivot into the vendor’s internal environment.
The breach occurred on January 29, with roughly 30 servers and VMs running SmarterMail internally, giving attackers lateral movement opportunities. The vulnerability, CVE-2026-23760, was leveraged by the Warlock ransomware group. While SentinelOne reportedly prevented final encryption, systems were still compromised.
James stated: “This is a textbook ‘vendor eats its own dog food’ failure. Attackers used a customer-facing flaw to pivot into the vendor’s environment, raising downstream trust concerns.”
The Lesson: Vendor internal networks must be strictly isolated from customer-facing infrastructure, even when running the same products.
Volvo Customer Data Exposed Through Third-Party Conduent Breach
Volvo Group North America disclosed customer data exposure stemming from the Conduent breach. Volvo itself wasn’t directly compromised; instead, the blast radius flowed through a shared third-party service provider handling customer operations.
James explained: “Large enterprises have built fortresses. Meanwhile, the working bees inside are digging tunnels to bring in services from outside. Those vendors don’t have fortresses, they become the easy way in. Threat actors have realized going after big companies directly doesn’t pay off. They’re going after lower-hanging fruit and then playing the blackmail game.”
This perfectly illustrates supply-chain reality: Large enterprises have built digital fortresses, but their vendors often haven’t. Threat actors now avoid attacking hardened enterprises directly and instead target weaker vendors to tunnel inside.
Mitigation:
Contractual data segmentation
Strict data-handling limitations
Clear breach-notification SLAs baked into every vendor agreement
Flickr Security Incident Tied to Third-Party Email System
Flickr disclosed a security incident tied not to its core photo platform, but to a third-party email service. This is a textbook SaaS risk scenario where the inbox becomes the entry point. While Flickr reports no direct compromise of stored photos, users face elevated risks of phishing and unauthorized access attempts.
The real threat is credential harvesting through trusted-brand emails. Once users trust the sender, attackers don’t need to break systems—they just wait for clicks.
Users should reset credentials out of caution.
Platforms should enforce phishing-resistant MFA, especially for logins initiated from email links.
⚡ NATION-STATE ESPIONAGE OPERATIONS
China Hacks Major Singapore Telecom Providers
Confirmation that China successfully breached four of Singapore’s largest telecommunications providers, gaining access to sensitive customer information and operational metadata. This was not a smash-and-grab criminal operation; it was deliberate, strategic cyber espionage.
Singapore has effectively replaced Hong Kong as Asia’s primary financial and communications hub since Beijing dismantled Hong Kong’s autonomy. That makes Singapore telecoms a high-value intelligence target, especially when access could extend to metadata visibility and lawful-intercept-adjacent systems.
The risk is long-term intelligence collection and secondary targeting of government officials, business leaders, and influential individuals.
Mitigation requires:
Treating telecom management planes as national critical infrastructure
Fully segmented from customer and signaling environments
An expensive but unavoidable investment in today’s threat landscape
China Rehearses Cyber Attacks Against Regional Infrastructure
Leaked technical documents reveal China actively testing cyber capabilities against neighboring countries, focusing on reconnaissance, access validation, and pre-positioning, not immediate disruption. Targets include energy transmission, transportation, telecom, and smart home infrastructure.
This is cyber doctrine in practice: shaping future coercive or wartime options by embedding access early. The documents, discovered on an unsecured FTP server and first reported by Recorded Future, suggest China’s strategy prioritizes latent access over loud attacks.
For defenders: Threat modeling must assume dormant access already exists, particularly in critical infrastructure environments. Singapore remains a key target due to its role as a regional data and telecom hub.
State Actor Runs Espionage Campaign Across 155 Countries
Palo Alto researchers revealed a massive global espionage campaign attributed to a state actor targeting organizations in 155 countries, focusing on government, telecom, and diplomatic entities. This isn’t smash-and-grab hacking; it’s long-term intelligence collection, low-and-slow exfiltration designed to shape geopolitical leverage over years.
While attribution remains cautious, the geographic patterns point squarely toward Asia-based operations, and activity spiked during moments of U.S. political instability.
Defending against this requires:
Shifting away from malware signatures
Toward network-level anomaly detection tuned for slow, quiet data exfiltration
If you’re only looking for loud attacks, you’re already losing
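What "anomaly detection tuned for slow, quiet exfiltration" can look like in practice, as an added example (not Palo Alto’s tooling or anything from the report). The flow-record format, the thresholds and the sample records are constructed for illustration; the logic flags host-to-destination pairs that stay under the daily volume threshold a SIEM would alert on, yet persist for days, accumulate a large outbound total and are upload-dominated:

```python
"""Added example (not Palo Alto's or the newsletter's code): flagging
low-and-slow outbound transfers in flow records.

The log format, thresholds and the sample records are constructed for this
example; real deployments would read NetFlow/VPC flow logs and tune the
thresholds per host role.
"""
import re
from collections import defaultdict
from datetime import date, datetime
from typing import Dict, FrozenSet, Iterable, List, Tuple

# Constructed line format: "<iso-ts> src=<ip> dst=<ip> out=<bytes> in=<bytes>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) out=(?P<out>\d+) in=(?P<in>\d+)$"
)


def parse_flows(lines: Iterable[str]) -> List[Tuple[date, str, str, int, int]]:
    """Parse flow lines into (day, src, dst, bytes_out, bytes_in); skip malformed lines."""
    rows = []
    for line in lines:
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        day = datetime.fromisoformat(d["ts"].replace("Z", "+00:00")).date()
        rows.append((day, d["src"], d["dst"], int(d["out"]), int(d["in"])))
    return rows


def find_slow_exfil(rows, *, loud_bytes_per_day=100_000_000, min_days=5,
                    min_total_out=400_000_000, min_upload_ratio=5.0,
                    known_dst: FrozenSet[str] = frozenset()) -> List[Dict]:
    """Flag (src, dst) pairs that never exceed the loud threshold on any single
    day, yet persist across many days, accumulate a large outbound total and
    are upload-dominated. Loud bursts are left to ordinary volume alerting."""
    daily = defaultdict(lambda: defaultdict(lambda: [0, 0]))   # (src,dst) -> day -> [out, in]
    for day, src, dst, out_b, in_b in rows:
        daily[(src, dst)][day][0] += out_b
        daily[(src, dst)][day][1] += in_b

    findings = []
    for (src, dst), days in daily.items():
        if dst in known_dst:
            continue                         # sanctioned destination (backup, SIEM, ...)
        total_out = sum(o for o, _ in days.values())
        total_in = sum(i for _, i in days.values())
        if max(o for o, _ in days.values()) >= loud_bytes_per_day:
            continue                         # loud: volume alerts already cover it
        if len(days) < min_days or total_out < min_total_out:
            continue
        if total_out < min_upload_ratio * max(total_in, 1):
            continue                         # download-dominated: looks like normal use
        findings.append({"src": src, "dst": dst, "days": len(days),
                         "bytes_out": total_out, "bytes_in": total_in})
    return findings


def build_sample_log() -> List[str]:
    """Constructed flow records spanning 12 nights; not real telemetry."""
    lines = []
    for d in range(1, 13):
        ts = f"2026-02-{d:02d}T02:15:00Z"
        # low-and-slow: 40 MB out every night, almost nothing back
        lines.append(f"{ts} src=10.0.0.5 dst=203.0.113.7 out=40000000 in=15000")
        # ordinary browsing-style traffic: downloads dominate
        lines.append(f"{ts} src=10.0.0.5 dst=198.51.100.20 out=900000 in=30000000")
        # sanctioned nightly backup to an internal server
        lines.append(f"{ts} src=10.0.0.8 dst=10.0.5.1 out=80000000 in=5000")
    # one loud burst that a plain volume threshold would already catch
    lines.append("2026-02-06T14:00:00Z src=10.0.0.9 dst=198.51.100.3 out=900000000 in=1000")
    lines.append("garbage line that should be ignored")
    return lines


def run_demo() -> List[Dict]:
    rows = parse_flows(build_sample_log())
    return find_slow_exfil(rows, known_dst=frozenset({"10.0.5.1"}))


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

The known-destination allowlist is doing real work here: without it the nightly backup job looks exactly like the pattern you are hunting, which is why this kind of rule has to be paired with an inventory of sanctioned bulk transfers.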
Pakistan-Linked Cyber Campaign Targets India
Researchers detailed a Pakistan-linked cyber campaign combining hacktivism, espionage, and influence operations against Indian targets. The activity blends defacement, data theft, and narrative shaping: cyber operations used as strategic messaging.
The danger is cyber incidents inflaming tensions between two nuclear-armed neighbors. Governments must integrate incident response with strategic communications planning, not treat cyber events in isolation.
Spain’s Ministry of Science Takes Systems Offline After Breach Claims
Spain’s Ministry of Science has taken systems offline following hacker claims of access to internal data. This defensive move is common when governments are still validating breach scope. European ministries are prime espionage targets, and Spain’s domestic political climate raises the risk of both external and insider-driven attacks.
The risk isn’t just embarrassment. Exposure of research data, grant funding, and academic collaborations carries national-interest implications.
The Lesson: Segmentation before compromise. Research systems, grants, and academic identities should be isolated from central directories to limit blast radius.
🔐 IDENTITY & SESSION HIJACKING
Chinese DKnife Implant Enables Adversary-in-the-Middle Attacks
Researchers detailed the DKnife implant, a Chinese-linked tool designed for adversary-in-the-middle attacks. Instead of cracking passwords, it intercepts authenticated sessions and tokens, bypassing MFA entirely. This is not credential theft; it’s session hijacking at scale.
This is the natural evolution of identity attacks. We moved from passwords to MFA, from SMS to apps, from apps to passwordless, and attackers followed. Identity is now the endpoint.
The tradeoff is brutal: mitigating this threat requires shorter session lifetimes and token validity, especially for privileged and cloud admin roles. It’s terrible for user experience—and necessary for survival.
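What "shorter session lifetimes and token validity for privileged roles" means in code, as an added example that is not DKnife research code or any identity vendor’s implementation. The policy numbers and role names are assumptions; the design choices worth copying are that the store keys sessions by token hash (a dumped store does not yield usable tokens), that privileged roles get both a shorter absolute lifetime and a shorter idle window, and that an expired session is deleted rather than silently refreshed:

```python
"""Added example (not DKnife research code or any vendor's): a session store
that enforces role-tiered absolute lifetimes and idle timeouts, so a stolen
token is only useful for a bounded window.

The policy numbers and role names are assumptions for this example.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Example policy (seconds): privileged roles get much shorter windows.
POLICY = {
    "user":        {"absolute": 8 * 3600, "idle": 30 * 60},
    "cloud_admin": {"absolute": 60 * 60,  "idle": 10 * 60},
}


@dataclass
class Session:
    role: str
    issued_at: float
    last_seen: float
    revoked: bool = False


class SessionStore:
    def __init__(self, policy: Dict = POLICY,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.policy = policy
        self.clock = clock
        self._sessions: Dict[str, Session] = {}   # keyed by token hash, never raw token

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, role: str) -> str:
        if role not in self.policy:
            raise ValueError(f"no session policy for role {role!r}")
        token = secrets.token_urlsafe(32)
        now = self.clock()
        self._sessions[self._key(token)] = Session(role, now, now)
        return token

    def validate(self, token: str) -> Tuple[bool, str]:
        """Return (valid, reason). Expired sessions are dropped, not extended."""
        key = self._key(token)
        s = self._sessions.get(key)
        if s is None:
            return False, "unknown"
        if s.revoked:
            return False, "revoked"
        now = self.clock()
        limits = self.policy[s.role]
        if now - s.issued_at > limits["absolute"]:
            del self._sessions[key]
            return False, "absolute lifetime exceeded"   # re-authenticate; no refresh
        if now - s.last_seen > limits["idle"]:
            del self._sessions[key]
            return False, "idle timeout"
        s.last_seen = now
        return True, "ok"

    def revoke(self, token: str) -> None:
        s = self._sessions.get(self._key(token))
        if s:
            s.revoked = True


def run_demo() -> List[str]:
    """Walk a constructed timeline and return the validation outcomes in order."""
    now = [0.0]
    store = SessionStore(clock=lambda: now[0])
    admin = store.issue("cloud_admin")
    user = store.issue("user")
    out = [store.validate(admin)[1]]              # ok
    now[0] += 11 * 60                              # 11 idle minutes
    out.append(store.validate(admin)[1])           # idle timeout (admin idle limit is 10 min)
    out.append(store.validate(user)[1])            # ok (user idle limit is 30 min)
    admin = store.issue("cloud_admin")             # step-up re-auth mints a fresh session
    now[0] += 61 * 60                              # 61 minutes later...
    out.append(store.validate(admin)[1])           # absolute lifetime exceeded
    store.revoke(user)
    out.append(store.validate(user)[1])            # revoked
    out.append(store.validate("not-a-token")[1])   # unknown
    return out


if __name__ == "__main__":
    print(run_demo())
```

The user-experience cost the newsletter mentions is visible in the timeline: the cloud admin is forced back through authentication twice in just over an hour. That is the intended friction for that role, not a bug.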
North Korean Operatives Impersonate IT Professionals
New reporting confirms that North Korean (DPRK) operators are impersonating legitimate IT workers, recruiters, and consultants, often using real LinkedIn profiles. These are not short-term scams—once inside, they generate revenue, steal intellectual property, or stage follow-on attacks while remaining undetected for months.
This is trusted insider access obtained through deception, not exploitation. Hackers don’t hack anymore; they log in.
James warned: “LinkedIn is not a source of truth, it’s a social network, very similar to how Instagram isn’t how anyone actually lives their lives. LinkedIn is not how anyone is truly professional. Validate with your two eyes.”
Mitigation must go beyond pre-hire background checks:
Live identity verification
Continuous behavioral monitoring
Recurring validation for all remote workers
LinkedIn is NOT a source of truth—trust, but verify with your own eyes
🚨 CRITICAL ZERO-DAYS & PATCHING CRISIS
Microsoft Patches Six Actively Exploited Zero-Days
Patch Tuesday hit hard. Microsoft released fixes for six zero-day vulnerabilities already being exploited in the wild, spanning Windows SmartScreen, Windows Shell, Office security prompts, Remote Desktop Services, and Remote Access Connection Manager.
The Six Zero-Days:
CVE-2026-21510 – Windows SmartScreen security prompt bypass
CVE-2026-21514 – Windows Shell security feature bypass allowing OLE mitigation bypass in Office
CVE-2026-21513 – Internet Explorer issue allowing security control bypass and code execution
CVE-2026-21519 – Windows Desktop Window Manager flaw exploitable by local attacker
CVE-2026-21533 – Windows Remote Desktop Services vulnerability allowing privilege escalation to SYSTEM
CVE-2026-21525 – Windows Remote Access Connection Manager bug exploitable for local denial of service
The speed at which these vulnerabilities were weaponized highlights a dangerous reality: attackers are now operationalizing exploits almost instantly. Severity scores matter less than active exploitation.
Organizations should prioritize risk-based patching tied to exploitation status, not quarterly maintenance windows. If you’re waiting, you’re already exposed.
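A concrete form of "risk-based patching tied to exploitation status", as an added example that is not Microsoft’s or any vulnerability-management vendor’s tooling. The SLA tiers, CVSS values, exposure flags and asset names are constructed for illustration and are not the vendors’ scores; three CVE ids come from the newsletter’s list above, the rest are labelled placeholders. The ordering rule is the point: a confirmed-exploited bug with a modest score lands ahead of an unexploited 9.8:

```python
"""Added example (not Microsoft's or any vendor's tooling): ordering a patch
queue by exploitation status first and CVSS second, with a remediation
deadline per tier.

The SLA tiers, CVSS values, exposure flags and asset names are constructed
for this example; they are not the vendors' scores. CVE ids come from the
newsletter where noted, otherwise they are labelled placeholders.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

# Remediation window per tier, in days (constructed policy).
SLA_DAYS = {"exploited": 2, "critical_exposed": 7, "high": 30, "other": 90}


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float
    exploited: bool        # in a KEV catalog or vendor-confirmed in-the-wild use
    internet_facing: bool
    asset: str


def tier(f: Finding) -> str:
    """Exploitation status outranks severity; exposure outranks a bare score."""
    if f.exploited:
        return "exploited"
    if f.cvss >= 9.0 and f.internet_facing:
        return "critical_exposed"
    if f.cvss >= 7.0:
        return "high"
    return "other"


def build_queue(findings: List[Finding], now: datetime) -> List[Tuple[str, str, str]]:
    """Return (cve, tier, deadline ISO date), soonest deadline first, then highest CVSS."""
    rows = []
    for f in findings:
        t = tier(f)
        deadline = now + timedelta(days=SLA_DAYS[t])
        rows.append((deadline, -f.cvss, f.cve, t))
    rows.sort()
    return [(cve, t, dl.date().isoformat()) for dl, _, cve, t in rows]


SAMPLE = [
    # From the newsletter's list: actively exploited Windows zero-days (CVSS values constructed)
    Finding("CVE-2026-21525", 5.5, True, False, "rasman-host"),   # local DoS, but exploited
    Finding("CVE-2026-21533", 7.8, True, False, "rds-host"),      # RDS privilege escalation
    Finding("CVE-2026-21510", 8.8, True, False, "user-laptop"),   # SmartScreen prompt bypass
    # Placeholders: high-scoring bugs with no known exploitation, exposed vs. internal
    Finding("CVE-PLACEHOLDER-1", 9.8, False, True, "edge-appliance"),
    Finding("CVE-PLACEHOLDER-2", 9.8, False, False, "internal-app"),
    Finding("CVE-PLACEHOLDER-3", 4.3, False, False, "print-server"),
]


def run_demo(now: datetime = datetime(2026, 2, 11, tzinfo=timezone.utc)) -> List[Tuple[str, str, str]]:
    return build_queue(SAMPLE, now)


if __name__ == "__main__":
    for cve, t, deadline in run_demo():
        print(f"{deadline}  {t:<17} {cve}")
```

Feeding the `exploited` flag from a KEV catalog import rather than from a human judgement call is what makes this repeatable; the score only breaks ties inside a tier.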
Ivanti Zero-Days Hit European Governments
Europe continues to absorb fallout from Ivanti zero-day vulnerabilities, with both EU institutions and the Dutch government confirming intrusions tied to Ivanti flaws. This marks a shift from broad internet scanning to deliberate, high-value government targeting.
The exploited vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), CVE-2026-1281 and CVE-2026-1340, both with CVSS scores of 9.8, allowed attackers to establish persistent access through edge and device management platforms. Multiple governments, including the US, Canada, Singapore, and EU members, have now added these flaws to their known exploited vulnerability catalogs.
James quipped: “There’s a gift that keeps on giving for people who enjoy gluten for punishment. That gift, folks, is Ivanti. And the people who glute for punishment? Europe.”
Shadowserver has also reported web shells and exploitation artifacts on exposed EPMM devices. If Ivanti is still internet-facing in your environment, assume compromise or, better yet, rip and replace.
Apple Patches Zero-Day Used in “Extremely Sophisticated” Attacks
Apple issued an emergency patch for CVE-2026-20700, an actively exploited zero-day that allowed attackers to execute code outside intended security boundaries.
When Apple describes attacks as “extremely sophisticated,” that language is usually reserved for nation-state or advanced mercenary spyware operators. The vulnerability could enable sandbox escape, privilege escalation, and potential spyware deployment.
Mobile devices are now high-value espionage platforms. High-risk users (executives, diplomats, critical infrastructure leaders) cannot treat OS updates as optional. Rapid mobile update enforcement is mandatory.
BeyondTrust Discloses Critical Remote Code Execution Flaw
BeyondTrust issued a warning for a critical remote code execution vulnerability in its Remote Support product (CVE-2026-1731). Given the privileged nature of remote access tools, exploitation could grant attackers instant, full-session control.
BeyondTrust has released a patch, but history shows prior BeyondTrust vulnerabilities have been targeted as zero-days.
Real mitigation goes beyond patching:
Enforce just-in-time access
Automatic session expiration
Strict auditing for all remote support workflows
Adobe, Fortinet, and SAP Release Critical Fixes
Adobe released patches for dozens of vulnerabilities across Creative Cloud applications like After Effects, InDesign, Lightroom, and Substance 3D, tools heavily used outside traditional IT controls. These non-technical workstations still hold privileged tokens and remain attractive lateral-movement targets.
Fortinet disclosed multiple vulnerabilities, including sandbox XSS, SQL injection, and authentication bypass flaws in FortiOS and FortiClient. Internet-facing security appliances remain high-value targets; mitigation means removing direct internet exposure wherever possible.
SAP also released critical updates across CRM, S/4HANA, and NetWeaver—systems that sit at the heart of finance and operations. These platforms should be patched monthly, not quarterly—business continuity depends on it.
🏥 HEALTHCARE UNDER SIEGE
Georgia Healthcare Company Breach Impacts 620,000 Patients
A Georgia-based healthcare provider disclosed a breach affecting approximately 620,000 patients after attackers gained unauthorized access to internal systems between May 22 and May 23. The company provides multi-specialty physician services across 125 practices in 18 states, serving roughly 4 million patients annually.
Exposed data includes names, dates of birth, and potentially insurance or treatment-related information, making it highly valuable for medical identity theft and insurance fraud. And make no mistake: healthcare fraud directly drives up insurance costs for everyone.
This wasn’t described as a mass phishing blast. It appears more consistent with credential compromise or lateral movement due to insufficient segmentation. Healthcare environments, especially SaaS-dependent ones, struggle with segmentation, but this breach highlights exactly why it’s necessary.
The real risk isn’t just identity theft. It’s long-term insurance fraud, Medicare abuse, and extortion tied to sensitive medical history. Healthcare remains one of the most monetizable data environments on Earth.
📱 MOBILE SECURITY THREATS
$2,000 Spyware Kit Claims Full Device Takeover
A new spyware framework marketed as “Zero-Day RAT” is being advertised on Telegram for as little as $2,000, promising full compromise of iOS and Android devices including microphone activation, SMS interception, credential harvesting, and persistent access.
Whether the marketing matches reality remains to be validated, but the trend is clear: mobile exploitation is being commoditized.
The real challenge here isn’t just technology, it’s trust. Organizations struggle to deploy runtime mobile threat defense on employee-owned devices due to privacy concerns and employment laws in certain states. But without runtime monitoring, mobile becomes the weakest link.
Mobile endpoints are no longer a secondary risk. They are primary footholds.
Ivanti EPMM Zero-Day Under Active Exploitation (Mobile)
Ivanti Endpoint Manager Mobile (EPMM) is once again under active exploitation. The latest vulnerabilities, including CVE-2026-1281 and CVE-2026-1340, allow authentication bypass and remote compromise of mobile device management infrastructure.
MDM platforms are centralized control hubs. If compromised, attackers can pivot directly into enterprise identity systems and push malicious payloads to entire device fleets.
At this point, Ivanti vulnerabilities are not anomalies—they are patterns. Organizations still running exposed Ivanti management interfaces should assume compromise or aggressively isolate them behind strict VPN and IP allowlists.
North Korean macOS Malware Targets Crypto Ecosystem
North Korean hackers, reportedly operating with Chinese enablement, are deploying new macOS malware designed to steal cryptocurrency from developers and executives. This variant focuses on stealthy credential harvesting, not noisy exploitation.
The risk here is direct financial loss combined with geopolitical escalation.
Mitigation requires:
Separate, hardened devices for crypto custody and signing operations
Yes, it’s inconvenient, but it’s far cheaper than losing tens or hundreds of millions overnight
🛠️ LIVING-OFF-THE-LAND ATTACKS
SolarWinds Web Help Desk Exploited to Deploy Velociraptor
Attackers are actively exploiting vulnerabilities in SolarWinds Web Help Desk to deploy Velociraptor, a legitimate digital forensics and incident response tool repurposed for post-exploitation. This is classic living-off-the-land behavior: trusted admin tooling used as malware.
The danger isn’t just the exploit; it’s the camouflage. When attackers operate using tools your IT team already trusts, detection becomes significantly harder.
The smartest defense is operational discipline: Any dual-use admin or forensic tool should require an open, approved ticket to run. If it’s not approved, it gets blocked first and investigated second.
First Malicious Outlook Add-In Discovered
Researchers identified what is believed to be the first malicious Outlook add-in observed in the wild. The add-in, disguised as a legitimate calendar integration tool called “AgreeTo”, intercepted and exfiltrated email and session data.
This represents a strategic shift: attackers no longer need macro malware if they can embed inside legitimate SaaS extensibility models.
More than 4,000 credentials were reportedly harvested via this tactic.
The Mitigation:
Centralized add-in approval policies
Active auditing of Microsoft 365 integrations
Trusted plug-in ecosystems are now attack surfaces
Ransomware Gang Abuses Employee Monitoring Software
The ransomware group Crazy has been abusing legitimate employee monitoring tools and Windows installer utilities to deploy payloads and maintain persistence. This is living-off-the-land in its purest form: repurposing trusted productivity tools as ransomware infrastructure.
Detection becomes harder when attackers look like IT administrators.
Organizations must:
Enforce strict role-based allowlisting for administrative tools
Tie execution privileges to explicit approvals
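The "approved ticket or it gets blocked" rule from the SolarWinds/Velociraptor item and the role-based allowlisting above, implemented as one policy check. This is an added example, not any EDR or ITSM product’s logic; the tool list, role names, ticket fields and sample events are constructed. It blocks on three independent grounds: the user holds no permitted role, there is no open approved ticket for that user, tool and host, or the ticket was self-approved:

```python
"""Added example (not any vendor's product logic): gating execution of
dual-use admin/forensic tools on (a) a role allowlist and (b) an open,
approved change ticket for that user, tool and host.

Tool list, roles, ticket fields and the sample events are constructed.
"""
import posixpath
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set, Tuple

# tool binary -> roles permitted to run it (constructed allowlist)
DUAL_USE_TOOLS: Dict[str, Set[str]] = {
    "velociraptor.exe": {"ir-team"},
    "psexec.exe": {"platform-admins", "ir-team"},
    "msiexec.exe": {"platform-admins"},
}


@dataclass(frozen=True)
class Ticket:
    ticket_id: str
    requester: str
    tool: str
    host: str
    approved_by: str
    expires_at: datetime
    status: str            # "approved", "pending" or "closed"


@dataclass(frozen=True)
class ExecEvent:
    user: str
    host: str
    image_path: str


def evaluate(ev: ExecEvent, tickets: List[Ticket], roles_of: Dict[str, Set[str]],
             now: datetime) -> Tuple[str, str]:
    """Return ("allow"|"block", reason). Block first, investigate second."""
    tool = posixpath.basename(ev.image_path.replace("\\", "/")).lower()
    if tool not in DUAL_USE_TOOLS:
        return "allow", "not a gated tool"
    if not roles_of.get(ev.user, set()) & DUAL_USE_TOOLS[tool]:
        return "block", f"{ev.user} holds no role permitted to run {tool}"
    for t in tickets:
        if (t.status == "approved" and t.requester == ev.user and t.tool == tool
                and t.host == ev.host and t.expires_at > now
                and t.approved_by != t.requester):        # no self-approval
            return "allow", f"ticket {t.ticket_id} approved by {t.approved_by}"
    return "block", f"no open approved ticket for {ev.user}/{tool}/{ev.host}"


def run_demo() -> List[Tuple[str, str]]:
    """Constructed events: one legitimate IR run and several that must be blocked."""
    now = datetime(2026, 2, 11, 15, 0, tzinfo=timezone.utc)
    roles = {"alice": {"ir-team"}, "bob": {"platform-admins"}, "carol": {"helpdesk"}}
    tickets = [
        Ticket("CHG-1001", "alice", "velociraptor.exe", "ws-042", "dave",
               now + timedelta(hours=4), "approved"),
        Ticket("CHG-1002", "bob", "psexec.exe", "srv-db-01", "erin",
               now - timedelta(hours=1), "approved"),          # expired
        Ticket("CHG-1003", "bob", "msiexec.exe", "srv-app-07", "bob",
               now + timedelta(hours=2), "approved"),          # self-approved
    ]
    events = [
        ExecEvent("alice", "ws-042", r"C:\Tools\Velociraptor.exe"),         # allow
        ExecEvent("carol", "ws-042", r"C:\Tools\velociraptor.exe"),         # block: role
        ExecEvent("bob", "srv-db-01", r"C:\SysinternalsSuite\PsExec.exe"),  # block: expired
        ExecEvent("bob", "srv-app-07", r"C:\Windows\System32\msiexec.exe"),  # block: self-approved
        ExecEvent("carol", "ws-042", r"C:\Windows\System32\notepad.exe"),   # allow: not gated
    ]
    return [evaluate(e, tickets, roles, now) for e in events]


if __name__ == "__main__":
    for decision, reason in run_demo():
        print(decision, "-", reason)
```

Matching on file name alone is the weak point of any allowlist; in production the same check would key on a signed-binary hash or publisher, with the ticket lookup feeding the EDR’s block decision and the reason string landing in the SOC queue.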
Claude Desktop Extensions Expose Zero-Click Vulnerabilities
Researchers identified zero-click remote code execution vulnerabilities affecting Claude desktop extensions, where malicious content could trigger execution without user interaction. This highlights how AI tooling is expanding the attack surface well beyond browsers.
The risk is silent compromise through trusted AI-assisted workflows.
Until maturity improves, organizations should disable third-party extensions by default in AI desktop environments and re-enable only after security validation.
🤖 AI SECURITY & EMERGING THREATS
AI Identifies Over 500 High-Severity Vulnerabilities
Now for the good news: AI working for defense. Anthropic reported that Claude Opus 4.6 identified more than 500 high-severity vulnerabilities during automated analysis. This is exactly where AI shines, compressing the time between vulnerability introduction and discovery.
The flip side is obvious: attackers can do the same. The window between “bug introduced” and “bug exploited” is shrinking fast.
The answer:
Integrating continuous AI-assisted code scanning into CI/CD pipelines
Fix-before-merge gates enforced
AI doesn’t replace secure development—it accelerates it
Moltbook (OpenClaw) Exposes 1.5 Million API Keys
Researchers found that Moltbook, now rebranded as OpenClaw, exposed roughly 1.5 million API keys, likely through misconfigured storage or logging. API keys remain one of the most abused secrets because they often never expire and bypass interactive authentication entirely.
The risk is unauthorized access to third-party services and downstream data compromise.
The fix is straightforward but rarely implemented:
Short-lived API keys
Automatic rotation
Usage-based alerts
Even better, run all APIs through a gateway and monitor behavior centrally
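The three fixes above plus the gateway, in one place, as an added example that is not OpenClaw’s, Moltbook’s or any API gateway product’s code. Lifetimes, the rate threshold and client names are assumptions. Keys are stored only as hashes, a rotation leaves the old key valid for a short overlap window so clients can cut over without an outage, and every call passes through a single authorize() chokepoint where a usage-rate anomaly both throttles the key and raises an alert:

```python
"""Added example (not OpenClaw's/Moltbook's code): API keys with a short
lifetime, rotation with an overlap window, and a usage-rate alert, enforced
at a single gateway chokepoint.

Lifetimes, thresholds and client names are assumptions for this example.
"""
import hashlib
import secrets
import time
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Optional, Tuple


@dataclass
class KeyRecord:
    client: str
    issued_at: float
    expires_at: float
    successor: Optional[str] = None   # hash of the replacement key during overlap


class Gateway:
    def __init__(self, ttl_s: float = 24 * 3600, overlap_s: float = 3600,
                 window_s: float = 60, max_calls_per_window: int = 100,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.ttl_s, self.overlap_s = ttl_s, overlap_s
        self.window_s, self.max_calls = window_s, max_calls_per_window
        self.clock = clock
        self._keys: Dict[str, KeyRecord] = {}          # hash -> record; raw keys never stored
        self._calls: Dict[str, Deque[float]] = defaultdict(deque)
        self.alerts: List[str] = []

    @staticmethod
    def _h(raw: str) -> str:
        return hashlib.sha256(raw.encode()).hexdigest()

    def issue(self, client: str) -> str:
        raw = secrets.token_urlsafe(32)
        now = self.clock()
        self._keys[self._h(raw)] = KeyRecord(client, now, now + self.ttl_s)
        return raw

    def rotate(self, old_raw: str) -> str:
        """Mint a successor; the old key keeps working only for the overlap window."""
        old = self._keys[self._h(old_raw)]
        new_raw = self.issue(old.client)
        old.successor = self._h(new_raw)
        old.expires_at = min(old.expires_at, self.clock() + self.overlap_s)
        return new_raw

    def authorize(self, raw: str) -> Tuple[bool, str]:
        now = self.clock()
        rec = self._keys.get(self._h(raw))
        if rec is None:
            return False, "unknown key"
        if now >= rec.expires_at:
            return False, "expired key"
        # usage-based alert: sliding window of calls per client
        q = self._calls[rec.client]
        q.append(now)
        while q and q[0] <= now - self.window_s:
            q.popleft()
        if len(q) > self.max_calls:
            self.alerts.append(f"{rec.client}: {len(q)} calls in {self.window_s:.0f}s")
            return False, "rate anomaly, key throttled"
        return True, rec.client


def run_demo() -> Tuple[List[str], int]:
    """Constructed timeline: rotation, overlap expiry, a burst, then TTL expiry."""
    now = [0.0]
    gw = Gateway(ttl_s=3600, overlap_s=300, window_s=60, max_calls_per_window=20,
                 clock=lambda: now[0])
    k1 = gw.issue("billing-svc")
    out = [gw.authorize(k1)[1]]                # billing-svc
    k2 = gw.rotate(k1)
    out.append(gw.authorize(k1)[1])            # still billing-svc (inside overlap)
    now[0] += 301
    out.append(gw.authorize(k1)[1])            # expired key (overlap over)
    out.append(gw.authorize(k2)[1])            # billing-svc
    for _ in range(19):                        # 19 more calls: exactly at the limit
        gw.authorize(k2)
    out.append(gw.authorize(k2)[1])            # rate anomaly, key throttled
    now[0] += 3600
    out.append(gw.authorize(k2)[1])            # expired key (TTL reached)
    return out, len(gw.alerts)


if __name__ == "__main__":
    print(run_demo())
```

Because the raw key exists only in the response to issue() and rotate(), a leaked copy of the gateway’s store is a list of hashes, not 1.5 million working credentials, and every one of them dies on its own within the TTL.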
OpenClaw also announced VirusTotal integration, which is a positive move, collapsing detection and investigation into a single workflow.
VoidLink Framework Enables On-Demand Malware Generation
The newly uncovered VoidLink framework allows threat actors to dynamically generate custom-built malware variants on demand. Each build can appear slightly different, reducing the effectiveness of signature-based defenses.
Static detection is fading. Behavior-based detection and telemetry-driven anomaly monitoring are now mandatory for modern SOC operations.
🏛️ REGULATORY & POLICY DEVELOPMENTS
Governments Warn on Discontinued Edge Devices
Both the U.S. and U.K. governments are urging organizations to replace discontinued, end-of-life edge devices. These systems will never receive patches again and remain permanent internet-facing vulnerabilities.
This isn’t a tooling issue; it’s a governance failure.
Mitigation means mandatory lifecycle enforcement: No device stays in production past vendor end-of-support. Period.
Lawmakers Push Five Bills to Strengthen Energy Cybersecurity
U.S. lawmakers introduced five bills aimed at boosting energy-sector cyber resilience, covering grid security, rural utilities, pipelines, LNG facilities, and threat analysis. These include expanded funding, incident response coordination, and long-term resilience programs through 2030.
The risk here isn’t regulation; it’s checkbox compliance. Energy organizations must align these mandates with real threat modeling, not paperwork. Done right, this could materially raise the bar for critical infrastructure defense. Done wrong, it becomes another audit exercise.
Nevada Rolls Out Statewide Data Classification Policy
Following its previous cyberattack, Nevada’s IT agencies are implementing a standardized data classification policy across the state. This is governance-driven resilience: formalizing how data is labeled, stored, and protected to reduce exposure.
It’s not glamorous, but governance transformation often follows breach events. Policy maturity can reduce blast radius, if it’s enforced consistently.
Discord Moves to Restrict Minors’ Access
Discord announced new age-restriction measures, limiting access to certain features and content as regulators increase pressure on platforms to protect minors. While not a breach, this signals rising expectations around platform safety and trust-by-design.
The takeaway for technology companies: Bake privacy and safety controls into core architectures, not as afterthoughts bolted on when regulation arrives.
FTC Reports Surge in Ransomware-Related Scams
The Federal Trade Commission reported a sharp rise in ransomware-linked scams, including fake recovery services and follow-on extortion targeting previous victims. Criminals are monetizing breach aftermath, not just the initial incident.
This creates a second wave of victimization that many incident response plans fail to address. Organizations should treat post-breach fraud monitoring and user education as standard components of incident recovery.
Russia Throttles Telegram While Promoting State Messaging App
Russia is reportedly throttling Telegram traffic while promoting its own state-aligned messaging platforms. This is cyber infrastructure as political leverage, shaping domestic information flow through technical throttling.
While users often find alternative access paths, the broader implication is fragmentation of global communication ecosystems along geopolitical lines.
Leadership Update at NSA and Cyber Command
Josh Reed advances toward Senate confirmation to lead NSA and U.S. Cyber Command during a period of escalating nation-state cyber activity. The swift movement here is encouraging—leadership gaps in cyber defense are a vulnerability all their own.
Now, let’s finish the job and get CISA leadership confirmed as well. Stability matters when the threat landscape is this volatile.
💰 FINANCIAL CRIME & ENFORCEMENT
Major FanDuel Fraud Ring Busted
In a rare piece of good news, U.S. authorities charged two individuals in a massive FanDuel fraud operation that used thousands of stolen identities to create fake accounts and launder winnings across FanDuel, DraftKings, and BetMGM.
The suspects face dozens of charges including wire fraud, identity theft, and money laundering—with potential sentences totaling hundreds of years if convicted. The case reinforces that fraud prevention must go beyond simple KYC and include behavioral analysis of account creation and transaction patterns.
The indictment charges include:
Conspiracy to commit wire and identity fraud (5 years)
Wire fraud, 23 counts (up to 20 years each)
Identity fraud, 8 counts (up to 15 years each)
Aggravated identity theft, 2 counts (mandatory 2-year consecutive)
Money laundering, 1 count (up to 20 years)
Money laundering, 10 counts (up to 20 years each)
🔧 ADDITIONAL CRITICAL VULNERABILITIES
Intel, AMD, and ICS Vendors Release Critical Patches
Intel and AMD patched over 80 firmware and chipset vulnerabilities, including privilege escalation and arbitrary code execution conditions.
On the industrial control side, Siemens, Schneider Electric, AVEVA, Phoenix Contact, and others released patches for remote code execution, authentication bypass, and OpenSSL-related flaws.
Firmware-level vulnerabilities persist below OS visibility, often remaining unpatched for extended periods. Hardware patch tracking must be integrated into vulnerability management dashboards—not treated as optional maintenance.
✅ YOUR COMPREHENSIVE ACTION LIST
BUSINESS CONTINUITY:
💳 Deploy secondary/tertiary payment providers with instant failover capability
VENDOR & SUPPLY CHAIN:
🔒 Isolate vendor internal networks from customer-facing infrastructure
🧩 Enforce contractual data segmentation and breach SLAs with all vendors
📧 Reset credentials after third-party email incidents; enforce phishing-resistant MFA
ZERO-DAY PATCHING (CRITICAL):
🚨 Microsoft 6 zero-days - Patch immediately (SmartScreen, Shell, IE, DWM, RDP, RACM)
🧱 Ivanti EPMM - Assume compromise; isolate behind VPN with strict IP allowlisting
📱 Apple CVE-2026-20700 - Enforce rapid mobile update compliance for executives
🔐 BeyondTrust CVE-2026-1731 - JIT access; automatic session expiration
🎨 Adobe Creative Cloud - Apply least-privilege to creative workstations
🧩 Fortinet - Remove internet exposure from security appliances
💼 SAP - Monthly patching for CRM/S/4HANA/NetWeaver
IDENTITY & SESSION SECURITY:
⏱️ Shorten session/token lifetimes for privileged and cloud admin accounts
👤 Deploy continuous identity verification for remote workers
🔍 LinkedIn validation - Verify with your own eyes, not social profiles
🔑 Enforce phishing-resistant MFA across all SaaS platforms
MOBILE SECURITY:
📱 Deploy runtime mobile threat defense, not just MDM policies
💰 Use dedicated hardened devices for crypto custody/signing
🚨 Rapid OS update enforcement mandatory for high-risk users
THREAT HUNTING:
🔍 Shift SOC detection toward behavioral analytics over signatures
📊 Monitor for slow, quiet data exfiltration patterns
🚨 Audit M365 integrations and SaaS extensibility models
🧠 JAMES AZAR’S CISO TAKE
This week reinforces a hard truth that defines 2026: trust is the real vulnerability, and convenience has become the adversary’s favorite tool. BridgePay ransomware halting payment processing proves single-provider dependency is operational suicide. SmarterTools getting breached through its own SmarterMail product is the textbook vendor-eats-own-dog-food failure. Volvo data leaking through Conduent shows large enterprises built fortresses while vendors dig tunnels from outside. Microsoft patched six actively exploited zero-days in one day while Ivanti struck Europe again with the gift that keeps on giving for people who enjoy gluten for punishment. China breached four major Singapore telecoms for strategic intelligence collection and rehearsed cyber attacks on regional infrastructure, pre-positioning for future coercion.
When North Korean operatives impersonate IT workers on LinkedIn, gaining trusted insider access through deception, not exploitation; when the DKnife implant hijacks authenticated sessions, bypassing MFA entirely; when Apple patches an “extremely sophisticated” zero-day while $2,000 spyware kits promise full mobile takeover; when SolarWinds gets exploited to deploy the Velociraptor forensics tool as malware and the first malicious Outlook add-in exfiltrates 4,000+ credentials; when 620,000 Georgia healthcare patients get exposed, fueling medical identity theft and insurance fraud; and when a 155-country espionage campaign runs low-and-slow exfiltration for years while AI finds 500+ vulnerabilities, proving attackers can do the same, we’re witnessing the complete weaponization of trust chains, vendor dependencies, identity platforms, mobile endpoints, SaaS extensibility, and the convenience assumptions we built our entire digital economy upon.
The second defining lesson is that security maturity in 2026 is about controlled friction: trust must expire, sessions must end, tokens must rotate, vendors must be isolated, identities must be continuously verified, and convenience must give way to discipline. LinkedIn is not a source of truth but a social network requiring two-eye validation. Payment processors need instant failover to secondary and tertiary providers. Firmware vulnerabilities persist below OS visibility and demand integration into patch dashboards. Living-off-the-land attacks use our own admin tools against us and require explicit approval workflows.
Mobile devices are primary espionage footholds, not secondary risks. AI desktop extensions introduce zero-click RCE and require default-disable policies. Ransomware gangs monetize post-breach victims with fake recovery scams, so fraud monitoring must be a standard IR component. State actors embed dormant access for years, so network anomaly detection must be tuned for slow exfiltration. The universal truth is that resilience beats prevention, shorter trust lifetimes beat endless convenience, segmentation before compromise beats fortress mentality, and the organizations that survive will be those willing to introduce disciplined friction where it matters most, because the longer trust lives unchecked, the more valuable it becomes to adversaries.
As James emphasized: security maturity isn’t about bigger budgets or perfect defenses, it’s about designing systems that fail safely, recover fast, and treat identity, mobility, and trust boundaries as the new perimeter where controlled friction replaces false convenience.
Trust must expire. Convenience is the adversary’s tool. Resilience beats prevention. Design for failure, segment before compromise, and remember—identity, mobility, and trust boundaries are the new perimeter.
Stay sharp, stay caffeinated, and as always—stay cyber safe, Security Gang!
Coffee cup cheers, y’all—we’ll be back Monday at 9 AM Eastern Live!



