#databreach

2026-02-21

It's been a busy 24 hours in the cyber world with significant updates on AI-assisted attacks, actively exploited vulnerabilities, a data exposure incident, new spyware techniques, and a look at AI for defence. Let's dive in:

AI-Augmented FortiGate Breaches 🤖📰

- A Russian-speaking, financially motivated threat actor used commercial generative AI services to breach over 600 FortiGate firewalls across 55 countries between January and February 2026.
- The attacks exploited exposed management interfaces and weak credentials lacking multi-factor authentication, rather than zero-day vulnerabilities, demonstrating how AI lowers the barrier to entry for less skilled actors.
- AI was used to generate attack methodologies, develop custom reconnaissance tools (in Python and Go), plan lateral movement, and draft operational documentation, leading to the extraction of sensitive configurations, Active Directory compromise, and targeting of backup infrastructure, likely for ransomware deployment.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu
📰 The Hacker News | thehackernews.com/2026/02/ai-a

Actively Exploited Vulnerabilities: React2Shell & Roundcube 🕶️📰

- React2Shell (CVE-2025-55182): This critical RCE (CVSS 10.0) in React Server Components is still being actively exploited, with a new "ILovePoop" toolkit used by a possibly state-sponsored actor for reconnaissance against government, defence, finance, and industrial targets globally. Patching is complex due to Next.js bundling React as a 'vendored' package, making it invisible to standard dependency scanners.
- Roundcube Webmail Flaws: CISA has added two actively exploited vulnerabilities to its KEV catalog: CVE-2025-49113 (RCE, CVSS 9.9) and CVE-2025-68461 (XSS, CVSS 7.2). The RCE flaw, a deserialization issue present for over 10 years, was weaponised within 48 hours of public disclosure, with nation-state actors previously targeting Roundcube.
- Organisations should prioritise patching these vulnerabilities, especially React2Shell, which affects default configurations and has seen sophisticated post-exploitation tradecraft, and Roundcube, with a CISA deadline for FCEB agencies by March 13, 2026.

πŸ•ΆοΈ Dark Reading | darkreading.com/application-se
πŸ“° The Hacker News | thehackernews.com/2026/02/cisa

PayPal Code Error Exposes PII 🕵🏼

- PayPal notified approximately 100 customers of a data exposure incident due to a coding error in its Working Capital loan application, which inadvertently leaked personal information including names, Social Security numbers, dates of birth, email addresses, and business addresses.
- The exposure occurred between July 1, 2025, and December 13, 2025, with a "few" customers also experiencing unauthorised transactions, all of which have been fully refunded by PayPal.
- The company has rolled back the problematic code change, reset affected account passwords, and is offering two years of free credit monitoring to impacted individuals.

πŸ•΅πŸΌ The Register | go.theregister.com/feed/www.th

Predator Spyware's iOS Stealth Techniques 🤖

- Intellexa's Predator spyware can effectively hide iOS camera and microphone recording indicators (the green/orange dots) from users, allowing it to secretly stream audio and video feeds to operators.
- The malware achieves this by leveraging kernel-level access to hook a single function, ‘HiddenDot::setupHook()’, within SpringBoard, which intercepts and nullifies sensor activity updates before they reach the UI layer.
- This sophisticated technique prevents the operating system from displaying any visual cues of active surveillance, making the spyware's activity completely hidden to a regular user, although technical analysis can still reveal malicious processes.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu

Anthropic Launches AI for Code Security 📰

- Anthropic has introduced "Claude Code Security," a new feature for its Enterprise and Team customers that uses AI to scan software codebases for vulnerabilities and suggest targeted patches.
- This initiative aims to counter the growing threat of adversaries weaponising AI for automated vulnerability discovery by providing defenders with an AI-powered tool that can reason about code like a human security researcher, tracing data flows and identifying issues missed by traditional static analysis.
- The system includes a multi-stage verification process to filter false positives, assigns severity ratings, and operates with a human-in-the-loop approach, ensuring that no patches are applied without developer review and approval.

📰 The Hacker News | thehackernews.com/2026/02/anth

#CyberSecurity #ThreatIntelligence #AI #FortiGate #Vulnerabilities #RCE #Roundcube #React2Shell #Spyware #Predator #iOS #DataBreach #PayPal #CodeSecurity #InfoSec #CyberAttack #IncidentResponse

IDMerit data breach: 1 billion records of personal data exposed in KYC data leak

cybernews.com/security/global-

> A massive global data leak linked to IDMerit has exposed 1 billion personal records, including national IDs and emails, across the US, Europe, and Asia.

#infosec #dataBreach #privacy #technology

2026-02-21

China’s Military Hackers Are Stealing American Secrets | VICE: Cyberwar | Blueprint

youtube.com/watch?v=wYKdHnkKH04

#databreach #cybersecurity #threatintelligence

2026-02-21

🇧🇪 A K U L A v 2 . 2 claims data breach on Belgium's Police. Leaked login credentials belonging to the Belgium Police. #DataBreach #Government #Belgium #ThreatIntel

2026-02-21

@XposedOrNot += CarMax Data Breach

The CarMax #databreach was reported in January 2026 after data allegedly sourced from its systems was published online. The exposed dataset contained 431k unique email addresses along with names, phone numbers, and physical addresses.

Exposed data: Email addresses, Names, Phone numbers, Physical addresses

Potential risks: Phishing, Identity theft, Targeted scams, Privacy breaches

2026-02-21

Just for your information.
Data breach at #bestwesternhotel
A scam with exact travel dates, surname and first name is being sent via #whatsapp to the phone number stored with the booking.
@bsi
#databreach

Dissent Doe :cupofcoffee:PogoWasRight@infosec.exchange
2026-02-21

OK, I feel sorry for this dentist, but I am really happy to see someone quickly informing patients about what happened and what they have done and are doing in response. I think his approach will go a long way to maintaining his patients' trust in him.

impartialreporter.com/news/258

#hack #healthsec #databreach #incidentresponse #GDPR #transparency #cybersecurity

BeyondMachines :verified:beyondmachines1@infosec.exchange
2026-02-21

Alert Medical Alarms Reports Data Breach

Alert Medical Alarms reports a data breach after a network compromise, resulting in the unauthorized exfiltration of sensitive personal and protected health information.

****
#cybersecurity #infosec #incident #databreach
beyondmachines.net/event_detai

BeyondMachines :verified:beyondmachines1@infosec.exchange
2026-02-21

Alpine Lumber Ransomware Attack Exposes Employee Personnel Records

Alpine Lumber reports a ransomware attack in December 2025 that allowed unauthorized access to sensitive employee data, including Social Security numbers and medical information.

****
#cybersecurity #infosec #incident #databreach
beyondmachines.net/event_detai

BeyondMachines :verified:beyondmachines1@infosec.exchange
2026-02-21

Holiday Haven Shoalhaven Heads Reports Data Breach and Phishing Campaign

Holiday Haven, a division of Shoalhaven City Council, suffered a data breach involving its booking software that allowed attackers to access customer contact details and launch fraudulent phishing campaigns.

****
#cybersecurity #infosec #incident #databreach
beyondmachines.net/event_detai

BeyondMachines :verified:beyondmachines1@infosec.exchange
2026-02-21

PayPal Discloses Six-Month Data Exposure Caused by Software Error

PayPal reports a data breach affecting approximately 100 customers after a software error in its Working Capital loan application exposed Social Security numbers and personal data for six months. The company has rolled back the faulty code, reset passwords, and offered credit monitoring to the impacted.

****
#cybersecurity #infosec #incident #databreach
beyondmachines.net/event_detai

2026-02-21

#PayPal Discloses #DataBreach That Exposed User Info For 6 Months

PayPal is notifying customers of a data #breach after a software error in a loan application exposed their sensitive personal information, including #SocialSecurity numbers, for nearly 6 months last year. From a report: The incident affected the #PayPalWorkingCapital ( #PPWC ) #loan app, which provides small businesses with quick access to #financing.
#ssn #privacy #security

slashdot.org/story/26/02/20/17

2026-02-21

Adidas is probing a #databreach at a third-party martial arts partner after hackers claiming to be Lapsus$ said they stole 815K records, including names, emails, passwords, and technical data.

theregister.com/2026/02/18/adi

2026-02-21

University of Mississippi Medical Center shut all statewide clinics after a ransomware attack knocked out IT systems and access to Epic EMRs. Hospitals remain open using downtime procedures. UMMC is working with CISA and FBI as talks with attackers continue. #databreach

bleepingcomputer.com/news/secu

2026-02-21

PayPal says a software error in its PayPal Working Capital loan app exposed sensitive data, including SSNs of about 100 customers from July to December 2025. #databreach

bleepingcomputer.com/news/secu

2026-02-20

:headache: Adidas investigates third-party data breach

｢ someone claiming to be the Lapsus$ Group posted on BreachForums (screenshot shared here on Daily Dark Web) that they compromised the sportswear giant’s extranet. According to the crooks, the stolen files – 815,000 rows of information – allegedly include: first and last names, email addresses, passwords, birthdays, company names, and "a lot of technical data." ｣

theregister.com/2026/02/18/adi

#adidas #databreach #cybersecurity

Chum1ng0 - Security Research :verified:chum1ng0@infosec.exchange
2026-02-20

Data leaked by The Gentlemen and there is no official statement on how much data was stolen.

security-chu.com/2026/02/incid

#databreach #ransomware #cyberattack #Chile

2026-02-20

It's been a packed 24 hours in the cyber world, with a flurry of recent breaches, critical vulnerabilities under active exploitation, and fascinating new threat research emerging. We're also seeing important updates on the evolving threat landscape, regulatory clarity, and significant law enforcement actions. Let's dive in:

Recent Cyber Attacks and Breaches ⚠️

- The University of Mississippi Medical Center (UMMC) has shut down all clinics statewide following a ransomware attack, with officials confirming communication with the attackers and CISA/FBI assistance.
- Japanese semiconductor test equipment supplier Advantest is dealing with a ransomware attack that impacted several systems, highlighting the ongoing targeting of the lucrative semiconductor industry.
- Wynn Resorts, the Las Vegas casino giant, is reportedly the latest victim of ShinyHunters, who claim to have stolen over 800,000 employee records, including Social Security numbers, and are demanding a $1.5 million Bitcoin ransom.
- The French Ministry of Finance disclosed a data breach affecting 1.2 million accounts in its national bank account registry (FICOBA), where stolen civil servant credentials led to the exposure of bank account details, physical addresses, and tax IDs.
- Ukraine's central bank reported a supply-chain attack on a contractor supporting its collectible coin online store, exposing customer registration data but not core banking systems or financial details.
- The FBI issued a flash alert on ATM jackpotting, noting over 700 incidents in 2025 with losses exceeding $20 million, primarily using Ploutus malware to exploit physical and software vulnerabilities to dispense cash without authorisation.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🗞️ The Record | therecord.media/leading-japane
🕵🏼 The Register | go.theregister.com/feed/www.th
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🗞️ The Record | therecord.media/hackers-breach
🗞️ The Record | therecord.media/fbi-atm-jackpo

Actively Exploited Vulnerabilities 🛡️

- CISA has ordered federal agencies to patch a maximum-severity Dell RecoverPoint for Virtual Machines bug (CVE-2026-22769) within three days, as it's been actively exploited since mid-2024 by suspected China-nexus operators.
- The BeyondTrust Remote Support RCE flaw (CVE-2026-1731) is now being actively exploited in ransomware attacks, with CISA adding it to its KEV catalog and urging immediate patching for self-hosted instances.
- A supply chain attack poisoned the npm package for Cline (an AI coding tool), silently installing the OpenClaw AI framework on approximately 4,000 systems after an attacker exploited a prompt injection vulnerability to steal an npm publish token.

πŸ•΅πŸΌ The Register | go.theregister.com/feed/www.th
πŸ€– Bleeping Computer | bleepingcomputer.com/news/secu
πŸŒ‘ Dark Reading | darkreading.com/application-se

New Threat Research and Tradecraft 🧠

- Proofpoint researchers uncovered "TrustConnect," a fake RMM vendor that actually sells a remote access trojan (RATaaS), complete with a legitimate EV code-signing certificate and distributed via phishing campaigns, with ties to Redline infostealer customers.
- ESET has identified "PromptSpy," the first known Android malware to use generative AI (Google Gemini) at runtime to adapt its persistence mechanisms across different devices, while also functioning as spyware with VNC capabilities.
- The "Starkiller" phishing-as-a-service (PhaaS) kit is gaining traction for its ability to bypass MFA by proxying actual login pages in real-time, stealing credentials and session tokens, and evading traditional phishing detection methods.
- MIT CSAIL's 2025 AI Agent Index highlights a concerning lack of safety disclosures and standards from AI agent developers, with most relying on a few foundation models, creating complex dependencies that are difficult to evaluate.
- Wiz researchers revealed that virtually every major AI platform they targeted was vulnerable, emphasising that infrastructure security across the five layers of the AI stack (training, inference, application, cloud, hardware) is more critical than prompt injection concerns, with issues like the "Pickle" format allowing arbitrary code execution.

πŸ•΅πŸΌ The Register | go.theregister.com/feed/www.th
πŸ€– Bleeping Computer | bleepingcomputer.com/news/secu
πŸŒ‘ Dark Reading | darkreading.com/threat-intelli
πŸ•΅πŸΌ The Register | go.theregister.com/feed/www.th
πŸŒ‘ Dark Reading | darkreading.com/application-se

Threat Landscape Commentary 🌍

- Dutch intelligence warns that Russia is intensifying its hybrid attacks (cyberattacks, sabotage, disinformation) across Europe, signalling preparation for a prolonged confrontation with the West and an increased risk tolerance.
- A report from Intel 471 indicates that Latin America's cybersecurity maturity is lagging behind its rapidly escalating threat landscape, with a 78% increase in ransomware breaches in 2025 and the region becoming a central hub for cybercrime.

πŸ—žοΈ The Record | therecord.media/russia-cyberat
πŸŒ‘ Dark Reading | darkreading.com/threat-intelli

Regulatory Developments ⚖️

- The UK's Information Commissioner's Office (ICO) has won a significant legal battle against DSG Retail, with the Court of Appeal confirming that payment card details (even without cardholder names) constitute "personal data" from the data controller's perspective, upholding a £500,000 fine for a 2017 breach.

πŸ•΅πŸΌ The Register | go.theregister.com/feed/www.th

Law Enforcement Actions 🚨

- A Ukrainian national, Oleksandr Didenko, has been sentenced to five years in prison for facilitating North Korea's remote IT worker scheme, which involved stealing US identities and creating fraudulent accounts to funnel hundreds of thousands of dollars to the regime.
- A Romanian hacker, Catalin Dragomir, pleaded guilty to breaching Oregon's Department of Emergency Management in 2021 and selling access for $3,000 in Bitcoin, facing up to seven years in prison for this and other hacks.

🤫 CyberScoop | cyberscoop.com/doj-ukrainian-n
🗞️ The Record | therecord.media/romanian-hacke

#CyberSecurity #ThreatIntelligence #Ransomware #DataBreach #Vulnerability #ZeroDay #RCE #SupplyChainAttack #Malware #RATaaS #Phishing #MFA #AI #AIsecurity #HybridWarfare #LawEnforcement #DataPrivacy #InfoSec
