Playbook for the Secure Enterprise

CyberSecurity Latest Rundown

Heroes, here's your curated threat landscape for Feb 12, 2026.

HIGH SEVERITY ITEMS

• Hacktivists, State Actors, Cybercriminals Target Global Defense Industry
  ▶ Read analysis

  

  Date & Time: 2026-02-12T11:12:46

  Google warns that threat actors from Russia, China, North Korea, and Iran are actively targeting the global defense industrial base. The campaign involves a mix of espionage and potential disruptive capabilities.

  Business impact

  Defense contractors face severe risks of intellectual property theft regarding sensitive military technologies, which could lead to contract termination, regulatory penalties, and loss of competitive advantage.

  Recommended action

  Ask your Threat Intel team: Are we monitoring for the specific TTPs associated with these nation-state groups, particularly regarding our engineering environments?

  CVE: CVE-2026-24423 | Compliance: SOX | Source: SecurityWeek ↗ ↗

• How to Prevent Vishing Attacks Targeting Okta and other IDPs
  ▶ Read analysis

  Date & Time: 2026-02-11T20:57:02

  Threat groups like ShinyHunters are operationalizing voice phishing (vishing) to bypass Multi-Factor Authentication (MFA) on identity platforms like Okta. Attackers call help desks or users directly to trick them into approving login requests.

  Business impact

  If an attacker bypasses MFA, they gain legitimate-looking access to corporate systems, rendering password policies useless and allowing for undetected data exfiltration or ransomware deployment.

  Recommended action

  Ask your CISO: Have we implemented FIDO2/WebAuthn hardware keys or phishing-resistant MFA for all privileged accounts to neutralize vishing attempts?

  CVE: n/a | Compliance: SOX, HIPAA | Source: Hypr ↗ ↗

• Once-hobbled Lumma Stealer is back with lures that are hard to resist
  ▶ Read analysis

  

  Date & Time: 2026-02-11T22:11:40

  The Lumma information stealer malware has resurfaced with new distribution methods after a previous law enforcement disruption. It targets Windows computers to steal credentials, crypto wallets, and browser data.

  Business impact

  Widespread infection could lead to mass credential theft, enabling initial access brokers to sell entry into the corporate network to ransomware gangs.

  Recommended action

  Ask your Endpoint Security team: Does our EDR solution have updated signatures and behavioral rules to detect the latest Lumma Stealer variants?

  CVE: n/a | Compliance: General Enterprise | Source: Ars Technica ↗ ↗

• Microsoft to Enable ‘Windows Baseline Security’ With New Runtime Integrity Safeguards
  ▶ Read analysis

  

  Date & Time: 2026-02-12T11:27:30

  Microsoft is rolling out new default runtime safeguards for Windows to ensure only properly signed software runs. This moves security from static checking to continuous runtime verification.

  Business impact

  While improving security, this could impact legacy or custom in-house applications that are not properly signed, potentially causing operational disruptions if not tested.

  Recommended action

  Ask your IT Operations: Have we audited our internal software catalog to ensure all critical business applications are digitally signed and compatible with these new enforcement modes?

  CVE: n/a | Compliance: SOX | Source: SecurityWeek ↗ ↗

OTHER NOTEWORTHY ITEMS

• OpenClaw Open Source AI Agent Application Attack Surface and Security Risk System Analysis
  ▶ Read analysis

  

  Date & Time: 2026-02-12T05:43:04

  Analysis of OpenClaw, an autonomous AI agent, reveals significant attack surfaces allowing for command injection via web inputs. As AI agents gain autonomy, their vulnerabilities become direct vectors for network compromise.

  CVE: n/a | Compliance: SOX | Source: NSFOCUS ↗ ↗

• Digital asset theft hit $3.4B in 2025 — Lazarus Group accounts for 75% of attacks
  ▶ Read analysis

  Date & Time: 2026-02-11T19:56:18

  New research indicates that weak governance policies, rather than technical perimeter breaches, are the primary driver for digital asset theft. North Korea's Lazarus Group remains the dominant threat actor in this space.

  CVE Details: n/a

  Source: Reddit ↗ ↗

EXECUTIVE INSIGHTS

• Survey: Widespread Adoption of AI Hasn’t Yet Reduced Cybersecurity Burnout

  ▶ Read insight

  Date & Time: 2026-02-11T20:41:03

  Summary: Despite AI promises, cybersecurity teams still spend 44% of their time on manual tasks. Executives should focus AI investments on practical automation to reduce burnout and alert fatigue.

  Source: Security Boulevard ↗

  AI is Rewriting the Rules of Risk: Three Ways CISOs Can Lead the Next Chapter

  ▶ Read insight

  Date & Time: 2026-02-12T09:49:32

  Summary: CISOs must adapt to AI-driven threats by enhancing visibility and aligning security strategies with board-level business objectives. The focus is shifting from pure defense to adaptive risk management.

  Source: Security Boulevard ↗

VENDOR SPOTLIGHT

• Jamf

  ▶ Jamf details

  Specialization: Apple Enterprise Management & Endpoint Security

  Why Jamf Today: The provided threat list highlights a critical, actively exploited zero-day flaw affecting Apple devices (CVE-2026-20700). Jamf is specifically relevant as the market leader in Apple Enterprise Management and security, enabling organizations to rapidly enforce OS updates to patch this vulnerability and monitor for device compromise.

  Key Capability: Automated patch enforcement and behavioral threat detection for macOS and iOS fleets.

  Recommended Actions: 1. Navigate to Jamf Pro Console → Computers → Smart Computer Groups → New 2. Navigate to Jamf Pro Console → Computers → Smart Computer Groups → [Vulnerable Group Name] → View → Action → Send Remote Commands 3. Navigate to Jamf Protect Console → Analytics → Threat Prevention → Plans → [Active Plan]

  Verification Steps: - Review Smart Group Membership in Jamf Pro Dashboard - Monitor Jamf Protect Alerts Dashboard for 'Exploit Prevention' tags

  This guidance assumes a standard integration of Jamf Pro and Jamf Protect. UI paths may vary slightly based on cloud instance versions.

  Learn More About Jamf ↗

DETECTION & RESPONSE KIT

• ⚠️ Disclaimer: Test all detection logic in non-production environments before deployment.

  1. Vendor Platform Configuration - Jamf

  TEXT [copy]

  # Actionable Guidance for Jamf
  # Generated: 2026-02-12 13:45:52
  
  # Step 1: Navigate to Jamf Pro Console → Computers → Smart Computer Groups → New
  #   Purpose: Create a Smart Group to isolate devices vulnerable to CVE-2026-20700. Set criteria to 'Operating System Version' operator 'less than' [Patched Version Number].
  #   Expected: A dynamic, real-time list of all unpatched endpoints within the fleet to serve as the scope for immediate remediation.
  
  # Step 2: Navigate to Jamf Pro Console → Computers → Smart Computer Groups → [Vulnerable Group Name] → View → Action → Send Remote Commands
  #   Purpose: Issue a mass MDM command to force the OS update. Select 'Update OS Version' and choose 'Download and Install the Update' for the specific target version.
  #   Expected: Targeted devices will immediately download the security patch and prompt the user to restart, bypassing standard deferral policies due to the critical nature of the zero-day.
  
  # Step 3: Navigate to Jamf Protect Console → Analytics → Threat Prevention → Plans → [Active Plan]
  #   Purpose: Ensure the 'Threat Prevention' module is enabled and set to 'Block' mode rather than 'Report' to actively stop exploit attempts on devices that have not yet patched.
  #   Expected: Immediate termination of known malicious processes or behavioral anomalies associated with the exploit payload.
  
  # Verification Steps:
  #   - Review Smart Group Membership in Jamf Pro Dashboard
  #     Expected: The member count of the 'Vulnerable Devices' Smart Group should trend toward zero as devices check in and report the new OS version.
  #   - Monitor Jamf Protect Alerts Dashboard for 'Exploit Prevention' tags
  #     Expected: Confirmation that no behavioral alerts matching the CVE-2026-20700 signature have been triggered, or that they were successfully blocked.
  

  2. YARA Rule for Apple WebKit Zero-Day (CVE-2026-20700)

  rule Apple_WebKit_ZeroDay_Exploit_Feb2026 {
  meta:
      description = "Detects artifacts related to WebKit exploitation CVE-2026-20700"
      author = "Threat Rundown"
      date = "2026-02-12"
      reference = "https://www.malwarebytes.com/blog/news/2026/02/apple-patches-zero-day-flaw-that-could-let-attackers-take-control-of-devices"
      severity = "critical"
      tlp = "white"
  strings:
      $s1 = "CVE-2026-20700" ascii wide
      $s2 = "WebKit" ascii wide
      $s3 = "CVE-2025-14174" ascii wide
      $s4 = "CVE-2025-43529" ascii wide
      $h1 = { 48 89 E5 48 83 EC ?? C7 45 ?? ?? ?? ?? ?? E8 ?? ?? ?? ?? }
  condition:
      any of ($s*) or $h1
  }
  

  3. SIEM Query — Ivanti/Ransomware Activity

  index=security sourcetype="web_proxy" OR sourcetype="firewall"
  uri_path="/api/v1/settings/sysadmin/connect-to-hub" OR threat_name="Ransomware"
  | eval risk_score=case(
      uri_path=="/api/v1/settings/sysadmin/connect-to-hub", 100,
      threat_name=="Ransomware", 90,
      1==1, 25)
  | where risk_score >= 90
  | table _time, src_ip, dest_ip, uri_path, threat_name, risk_score
  | sort -_time
  

  4. PowerShell Script — Check for Notepad++ Signature

  POWERSHELL [copy]

  $computers = "localhost", "SERVER01", "WKSTN01"
  foreach ($computer in $computers) {
      if (Test-Connection -ComputerName $computer -Count 1 -Quiet) {
          # Check for Notepad++ executable and verify signature
          Invoke-Command -ComputerName $computer -ScriptBlock {
              $npp = Get-Item "C:\Program Files\Notepad++\notepad++.exe" -ErrorAction SilentlyContinue
              if ($npp) {
                  $sig = Get-AuthenticodeSignature $npp.FullName
                  if ($sig.Status -ne 'Valid') {
                      Write-Warning "Invalid Signature found on $($env:COMPUTERNAME): $($npp.FullName)"
                  }
              }
          }
      }
  }
  

  This rundown should provide a solid overview of the current threat landscape. Thank you to all our cyberheroes for your diligence and hard work. Stay vigilant!