Cybersecurity Latest Rundown

CyberSecurity Latest Rundown

Heroes, your curated look at the current cybersecurity landscape for Feb 10, 2026.

CRITICAL ITEMS

SolarWinds Web Help Desk Exploited for RCE in Multi-Stage Attacks

▶ Read analysis

Date & Time: 2026-02-09T14:42:00

Microsoft reports that threat actors are actively exploiting internet-exposed SolarWinds Web Help Desk instances to gain initial access and move laterally through networks. This is a multi-stage intrusion campaign targeting unpatched help desk software.

Business impact

Help desk systems often hold sensitive user data and credentials; a breach here facilitates rapid spread to high-value assets, leading to potential ransomware deployment and significant downtime.

Recommended action

Direct IT to: "Immediately audit all SolarWinds Web Help Desk instances for internet exposure and apply the latest patches."

CVE: n/a | Compliance: SOX | Source: The Hacker News ↗ ↗
Fortinet Patches Critical SQLi Flaw Enabling Unauthenticated Code Execution

▶ Read analysis

Date & Time: 2026-02-10T04:38:00

Fortinet has patched a critical SQL injection vulnerability (CVSS 9.1) in FortiClientEMS that allows unauthenticated attackers to execute arbitrary code. This flaw essentially gives attackers a "master key" to the endpoint management server without needing a password.

Business impact

Exploitation grants full control over the endpoint management server, allowing attackers to deploy ransomware to all managed clients or steal sensitive corporate data. Expect immediate operational paralysis and potential GDPR/SOX compliance violations if not patched.

Recommended action

Ask your IT team: "Have we applied the latest security updates to our FortiClientEMS servers, specifically addressing CVE-2026-21643?"

CVE: CVE-2026-21643 | Compliance: SOX, GDPR | Source: The Hacker News ↗ ↗
BeyondTrust Fixes Critical Pre-Auth Bug Allowing Remote Code Execution

▶ Read analysis

Date & Time: 2026-02-09T19:52:26

BeyondTrust has resolved a critical vulnerability (CVSS 9.9) in its Remote Support and Privileged Remote Access products that allows attackers to execute code remotely before authentication. This affects the very tools used to secure privileged access, turning a security asset into a liability.

Business impact

A compromise here bypasses the "keys to the kingdom" security layer, allowing attackers to create rogue admin accounts or access critical infrastructure undetected. This poses a severe risk of intellectual property theft and long-term persistence in the network.

Recommended action

Verify with Security Operations: "Are our BeyondTrust appliances isolated from the public internet, and has the patch for CVE-2026-1731 been applied immediately?"

CVE: CVE-2026-1731 | Compliance: SOX, HIPAA | Source: Security Affairs ↗ ↗
Dutch Agencies Hit by Ivanti EPMM Exploit Exposing Employee Data

▶ Read analysis

Date & Time: 2026-02-10T10:11:48

The Dutch Data Protection Authority and Council for the Judiciary confirmed a breach where attackers exploited Ivanti EPMM flaws to access employee contact data. This incident moves from theoretical risk to confirmed active exploitation against government entities.

Business impact

For organizations using Ivanti EPMM, this signals a high probability of targeted attacks. The impact includes regulatory scrutiny (GDPR), loss of employee trust, and potential follow-on phishing attacks using the stolen contact data.

Recommended action

Request a report: "Do we use Ivanti EPMM? If so, have we scanned for indicators of compromise similar to the Dutch agency breach?"

CVE: n/a | Compliance: SOX, GDPR | Source: Security Affairs ↗ ↗

Warlock Ransomware Breaches SmarterTools Through Unpatched Server

▶ Read analysis

Date & Time: 2026-02-10T10:24:00

The Warlock ransomware gang (Storm-2603) successfully breached SmarterTools by exploiting an unpatched SmarterMail instance. This highlights the speed at which ransomware groups weaponize known vulnerabilities against communication infrastructure.

Business impact

Reliance on unpatched communication servers creates a direct entry point for ransomware, resulting in total data encryption, operational blackout, and potential extortion demands.

Recommended action

Ask Infrastructure teams: "Are all our mail servers, specifically SmarterMail if used, running the latest versions?"

CVE: n/a | Compliance: General Enterprise | Source: The Hacker News ↗ ↗

HIGH SEVERITY ITEMS

Flaw in Anthropic Claude Extensions Can Lead to RCE in Google Calendar

▶ Read analysis

Date & Time: 2026-02-09T15:38:20

LayerX researchers discovered a flaw in Anthropic's Claude Desktop Extensions that allows threat actors to inject Remote Code Execution vulnerabilities into Google Calendar. This demonstrates the emerging risk of granting AI models full system privileges and API access.

Business impact

As organizations rush to adopt AI tools, unvetted extensions can bypass traditional security controls, allowing attackers to manipulate corporate schedules or execute code via trusted applications.

Recommended action

Review AI usage policy: "Are we restricting which extensions can be installed on corporate AI tools like Claude?"

CVE: n/a | Compliance: SOX | Source: Security Boulevard ↗ ↗

Google Warns Over 1 Billion Android Phones Are Now at Risk

▶ Read analysis

Date & Time: 2026-02-09T19:37:37

Google has issued a warning that over 40% of Android devices (1 billion+) are no longer receiving security updates. These devices are permanently exposed to known malware and spyware without a path for remediation.

Business impact

Employees accessing corporate data from outdated personal Android devices introduce a massive, unpatchable attack surface into the enterprise environment.

Recommended action

Audit BYOD policy: "Do our MDM policies block access from Android devices running unsupported OS versions?"

CVE: n/a | Compliance: SOX | Source: TechRepublic ↗ ↗
China-linked APT UNC3886 Targets Singapore Telcos

▶ Read analysis

Date & Time: 2026-02-10T08:40:15

A cyber espionage campaign attributed to the China-linked group UNC3886 has targeted Singapore's telecommunications sector. This aligns with broader geopolitical trends of state-sponsored actors targeting critical infrastructure providers.

Business impact

Telecom breaches can lead to interception of sensitive corporate communications and metadata, compromising trade secrets and executive communications.

Recommended action

For regional operations: "Review threat intelligence feeds for UNC3886 indicators if we have operations in Southeast Asia."

CVE: n/a | Compliance: SOX, HIPAA | Source: Security Affairs ↗ ↗

OTHER NOTEWORTHY ITEMS

Vulnerability Found in InsightVM & Nexpose: CVE-2026-1814 (FIXED)

▶ Read analysis

Date & Time: 2026-02-09T19:00:00

Rapid7 has fixed a vulnerability in their InsightVM and Nexpose vulnerability management products. While fixed, vulnerabilities in security tools themselves are high-value targets for attackers seeking to blind defenders.

CVE: CVE-2026-1814 | Compliance: SOX, HIPAA | Source: GitHub ↗ ↗
ZAST.AI Raises $6M to Scale Zero False Positive AI-Powered Code Security

▶ Read analysis

Date & Time: 2026-02-10T11:40:00

ZAST.AI has secured funding to scale its AI-powered code security solution. This investment reflects the growing market necessity for tools that can secure the AI and machine learning supply chain against emerging threats.

CVE Details: n/a

Source: The Hacker News ↗ ↗

VENDOR SPOTLIGHT

Protect AI (Specialized Vendor)

▶ Protect AI details

Specialization: AI Security and MLSecOps

Why Protect AI Today: The provided threat landscape highlights the emergence of AI-specific security solutions, specifically the funding news for ZAST.AI. Protect AI is a direct leader in this emerging sector, providing necessary tools to secure the machine learning supply chain and AI models against vulnerabilities, paralleling the need to patch traditional software flaws like those listed for Fortinet and BeyondTrust.

Key Capability: AI Security Posture Management (AISPM) to detect vulnerabilities in ML models, notebooks, and datasets.

Recommended Actions: 1. Navigate to Guardian Console → Scans → Create New Scan → Select Repository/Model 2. Navigate to Radar Console → Policy Management → Admission Control → Create Policy 3. Navigate to Radar Console → Inventory → Select Model → View AI-BOM

Verification Steps: - Review the 'Scan History' log in the Guardian Dashboard - Simulate a deployment of a model containing a known EICAR test string or known CVE

This guidance is based on general platform knowledge of Protect AI's Guardian and Radar modules. Verify UI paths against the latest SaaS or on-premise release notes.

Learn More About Protect AI ↗

DETECTION & RESPONSE KIT

⚠️ Disclaimer: Test all detection logic in non-production environments before deployment.

1. Vendor Platform Configuration - Protect AI

TEXT

# Actionable Guidance for Protect AI
# Generated: 2026-02-10 13:30:51

# Step 1: Navigate to Guardian Console → Scans → Create New Scan → Select Repository/Model
#   Purpose: Initiate deep inspection of model artifacts (e.g., PyTorch, TensorFlow files) to detect model serialization attacks and embedded malicious code, directly addressing the need to 'patch' model flaws.
#   Expected: A generated Model Security Report highlighting critical vulnerabilities (CVEs) and unsafe file formats (e.g., pickle files) within the model weights.

# Step 2: Navigate to Radar Console → Policy Management → Admission Control → Create Policy
#   Purpose: Establish a supply chain gate that blocks the deployment of models with a 'Critical' or 'High' severity vulnerability score, ensuring only secure models enter production.
#   Expected: Active enforcement where non-compliant models trigger a 'Policy Violation' block event during the CI/CD pipeline or model registry push.

# Step 3: Navigate to Radar Console → Inventory → Select Model → View AI-BOM
#   Purpose: Generate and review the AI Bill of Materials (AI-BOM) to identify vulnerable third-party dependencies and open-source libraries used within the AI supply chain.
#   Expected: A complete dependency graph listing all upstream components, allowing for rapid identification of components requiring updates or patching.

# Verification Steps:
#   - Review the 'Scan History' log in the Guardian Dashboard
#     Expected: Scan status transitions to 'Completed' and displays a vulnerability count &gt; 0 for unpatched test models, confirming detection capabilities are active.
#   - Simulate a deployment of a model containing a known EICAR test string or known CVE
#     Expected: The Radar Admission Controller intercepts the request, returns a 403 Forbidden (or equivalent block message), and logs the event in the 'Security Alerts' tab.

2. YARA Rule for Suspicious Artifacts (Generic)

rule Suspicious_Threat_Indicators_Feb2026 {
meta:
    description = "Detects specific threat indicators observed in recent campaigns"
    author = "Threat Rundown"
    date = "2026-02-10"
    reference = "https://thehackernews.com/2026/02/fortinet-patches-critical-sqli-flaw.html"
    severity = "medium"
    tlp = "white"
strings:
    $s1 = "Malware" ascii wide
    $s2 = "User" ascii wide
    $s3 = "Context" ascii wide
    $s4 = "Article" ascii wide
    $s5 = "Status" ascii wide

    // Contextual combination to reduce false positives
    $suspicious_combo = ($s1 and $s2) or ($s3 and $s4 and $s5)

condition:
    any of them
}

3. SIEM Query — Fortinet SQLi Attempt Detection (CVE-2026-21643)

index=security sourcetype="fortinet:firewall" 
(dest_port=443 OR dest_port=80) app="FortiClientEMS"
| regex _raw="(?i)(union select|exec xp_|waitfor delay|1=1)"
| eval risk_score=case(
    match(_raw, "(?i)xp_cmdshell"), 100,
    match(_raw, "(?i)union select"), 80,
    1==1, 50)
| where risk_score >= 50
| table _time, src_ip, dest_ip, url, risk_score
| sort -_time

4. PowerShell Script — Check SolarWinds WHD Service Status

POWERSHELL

$computers = "localhost", "SERVER01", "WKSTN01"
foreach ($computer in $computers) {
    if (Test-Connection -ComputerName $computer -Count 1 -Quiet) {
        Write-Host "Checking $computer for SolarWinds WHD..."
        try {
            $service = Get-Service -Name "WHD" -ComputerName $computer -ErrorAction Stop
            Write-Host "Found SolarWinds WHD on $computer - Status: $($service.Status)" -ForegroundColor Red
        } catch {
            Write-Host "SolarWinds WHD service not found on $computer" -ForegroundColor Green
        }
    }
}

This rundown should provide a solid overview of the current threat landscape. Thank you to all our cyberheroes for your diligence and hard work. Stay vigilant!

Playbook for the Secure Enterprise