Microsoft Patches Six Actively Exploited Zero-Days as Conduent Breach Expands to 25 Million; CISA Warns Funding Lapse Could Halt Critical Operations
Executive Summary
This week's intelligence cycle (February 5-12, 2026) reveals significant developments across the critical infrastructure threat landscape requiring immediate attention from security professionals and infrastructure operators.
- Major Patch Tuesday Release: Microsoft addressed 59 vulnerabilities including six actively exploited zero-days, while Intel and AMD collectively patched over 80 chipmaker vulnerabilities. Organizations should prioritize immediate patching of actively exploited flaws.
- Expanding Data Breach Impact: The Conduent breach has now affected at least 25 million individuals—up from 10 million estimated months ago—with Volvo Group confirming nearly 17,000 employees' data exposed. This supply chain compromise continues to cascade across sectors.
- CISA Operational Concerns: Acting CISA Director Madhu Gottumukkala warned that a potential DHS funding lapse could limit or halt agency operations, potentially affecting threat response capabilities and delaying CIRCIA regulation finalization.
- Nation-State Activity Intensifies: North Korean actors (UNC1069) are deploying AI-generated deepfake video calls and new macOS backdoors targeting cryptocurrency organizations, while APT36 and SideCopy continue cross-platform campaigns against Indian defense entities.
- Critical Infrastructure Targeting: Leaked documents reveal China rehearsing cyberattacks on neighboring countries' critical infrastructure, underscoring persistent nation-state threats to essential systems.
- Emerging Botnet Threats: The SSHStalker botnet has compromised approximately 7,000 Linux systems using legacy kernel exploits, while the Kimwolf IoT botnet is disrupting the I2P anonymity network.
Threat Landscape
Nation-State Threat Actor Activities
North Korean Operations (UNC1069): The threat actor known as UNC1069 has escalated attacks against cryptocurrency organizations using sophisticated social engineering techniques. The campaign combines:
- AI-generated deepfake video calls impersonating legitimate contacts
- Stolen Telegram accounts for initial contact
- Fake Zoom meeting invitations
- ClickFix technique deployment with new macOS backdoors
- Cross-platform targeting of both Windows and macOS systems
This represents a significant evolution in social engineering tactics, leveraging AI capabilities to enhance the credibility of attacks. Source: CyberScoop, Source: Infosecurity Magazine
APT36 and SideCopy Campaigns: Pakistani-linked threat actors continue targeting the Indian defense sector and government-aligned organizations with remote access trojans (RATs) designed for both Windows and Linux environments. These campaigns demonstrate persistent interest in defense-related intelligence. Source: The Hacker News
Chinese Infrastructure Targeting: Leaked documents indicate China has been rehearsing cyberattacks against neighboring countries' critical infrastructure. This intelligence reinforces concerns about pre-positioning for potential future conflicts and the need for enhanced defensive measures across all critical infrastructure sectors. Source: Homeland Security Today
Salt Typhoon Investigation Obstacles: A U.S. Senator has reported that AT&T and Verizon are blocking the release of security assessment reports related to the Salt Typhoon intrusion campaign. This development hampers transparency and cross-sector information sharing regarding telecommunications infrastructure compromises. Source: Homeland Security Today
Ransomware and Cybercriminal Developments
0APT Ransomware Group Emergence: A new ransomware operation calling itself "0APT" has emerged with aggressive claims of hundreds of initial victims. While most indicators suggest the group may be exaggerating its impact, security researchers have confirmed at least some capabilities are genuine and backed by proven attack methods. Organizations should monitor for indicators of compromise associated with this group. Source: CyberScoop
Crazy Ransomware Gang TTPs: The Crazy ransomware operation has been observed abusing legitimate employee monitoring software and SimpleHelp remote support tools to maintain persistence in corporate networks. This technique allows attackers to:
- Evade detection by blending with legitimate administrative tools
- Maintain long-term access for reconnaissance
- Prepare networks for ransomware deployment
Organizations should audit remote access and monitoring tools for unauthorized installations. Source: Bleeping Computer
LummaStealer Surge: A significant increase in LummaStealer infections has been observed, driven by social engineering campaigns using the ClickFix technique to deliver CastleLoader malware. This information-stealing malware poses risks to credentials and sensitive data across all sectors. Source: Bleeping Computer
JokerOTP Tool Disruption: Netherlands Police arrested a 21-year-old suspect from Dordrecht for selling access to the JokerOTP phishing automation tool capable of intercepting one-time passwords (OTPs) for account hijacking. This enforcement action may temporarily disrupt MFA bypass services in criminal markets. Source: Bleeping Computer
Emerging Attack Vectors
Malicious Outlook Add-In Discovery: Researchers at Koi Security have identified the first known malicious Microsoft Outlook add-in detected in the wild. The AgreeTo add-in was hijacked and converted into a phishing kit that successfully harvested over 4,000 Microsoft account credentials. This supply chain attack vector represents a new threat to enterprise email environments. Source: The Hacker News, Source: Bleeping Computer
Windows Notepad Vulnerability: Microsoft has patched a remote code execution vulnerability in Windows 11 Notepad that allowed attackers to execute local or remote programs through specially crafted Markdown links. This unexpected attack surface highlights the expanding risk from seemingly benign applications. Source: Bleeping Computer
AI-Based Prompt Injection via Physical Environment: Security researcher Bruce Schneier highlighted research on "CHAI: Command Hijacking Against Embodied AI," demonstrating prompt injection attacks against AI systems through physical environment manipulation, including road signs. This emerging vector has implications for autonomous vehicles and AI-integrated infrastructure systems. Source: Schneier on Security
Enterprise AI Chatbot Manipulation: Organizations are reportedly using "Summarize with AI" features to manipulate enterprise chatbots, raising concerns about AI system integrity and potential for insider threats leveraging AI capabilities. Source: CSO Online
Botnet Activity
SSHStalker Botnet: A newly documented Linux botnet named SSHStalker has compromised approximately 7,000 Linux machines through brute-force attacks and legacy kernel exploits. The botnet uses the IRC (Internet Relay Chat) protocol for command-and-control communications—an old-school technique that may evade modern detection focused on more contemporary C2 methods. Source: CSO Online, Source: The Hacker News
Kimwolf Botnet Disruption: The massive IoT botnet known as Kimwolf has been disrupting the Invisible Internet Project (I2P) anonymity network for the past week. While this primarily affects privacy-focused communications, it demonstrates the scale and capability of current IoT botnets. Source: KrebsOnSecurity
Sector-Specific Analysis
Energy Sector
No sector-specific incidents were reported this week. However, the leaked documents regarding Chinese rehearsal of cyberattacks on critical infrastructure warrant heightened vigilance across energy sector operations. Energy sector organizations should:
- Review and validate network segmentation between IT and OT environments
- Ensure patching of Microsoft and chipmaker vulnerabilities in applicable systems
- Monitor for indicators associated with nation-state pre-positioning activities
Water and Wastewater Systems
No direct incidents were reported this week. Water utilities should prioritize:
- Patching Linux systems against SSHStalker botnet exploitation
- Reviewing remote access tool configurations given Crazy ransomware TTPs
- Assessing exposure of any internet-facing OT systems
Communications and Information Technology
Salt Typhoon Transparency Issues: The ongoing dispute over releasing Salt Typhoon security assessment reports from major telecommunications providers creates uncertainty about the full scope of nation-state compromise in U.S. communications infrastructure. This lack of transparency hampers sector-wide defensive coordination. Source: Homeland Security Today
FCC Infrastructure Initiative: The FCC has detailed its "Build America" infrastructure plan, which may include security requirements for communications infrastructure development. Organizations should monitor for implementation guidance. Source: Homeland Security Today
Google-Wiz Acquisition Cleared: The EU has approved Google's $32 billion acquisition of Wiz, which will intensify competition in the cloud security market. This consolidation may affect security tool availability and pricing for infrastructure operators. Source: CSO Online
Transportation Systems
El Paso Airport Flight Halt: The FAA has halted all flights at El Paso International Airport for 10 days citing "security reasons." While specific details have not been disclosed, this unprecedented action suggests a significant security concern requiring investigation. Transportation sector organizations should monitor for additional guidance. Source: Homeland Security Today
EV Charger Security Standards: The Transportation Department has updated its EV charger program to include a "100% Buy America Requirement." While primarily focused on domestic manufacturing, this may have implications for supply chain security of charging infrastructure. Source: Homeland Security Today
AI Vehicle Security Concerns: Research on prompt injection attacks against embodied AI systems, including through road signs, raises concerns for autonomous vehicle security. Transportation authorities should consider these emerging attack vectors in safety assessments. Source: Schneier on Security
Healthcare and Public Health
Workplace Violence Concerns: A new report indicates 55% of healthcare workers have faced increases in workplace violence. Security organizations are adapting protective measures, but this trend represents a significant physical security challenge for the sector. Source: Security Magazine
AI Healthcare Privacy Gaps: Analysis reveals that AI applications entering healthcare may not be subject to the same rigorous data security and privacy practices as traditional healthcare providers. This regulatory gap creates potential exposure for sensitive health information processed by AI systems. Source: CyberScoop
Conduent Breach Healthcare Impact: The expanding Conduent breach (now affecting 25+ million individuals) likely includes healthcare-related data given the company's role as a business process services provider to multiple sectors including healthcare. Organizations should assess their exposure through Conduent relationships. Source: SecurityWeek
Financial Services
Cryptocurrency Sector Targeting: North Korean threat actor UNC1069's sophisticated campaign against cryptocurrency organizations using deepfake video calls and cross-platform malware represents an elevated threat to digital asset firms. Financial services organizations with cryptocurrency exposure should:
- Implement verification procedures for video call participants
- Train staff on deepfake recognition
- Deploy endpoint protection capable of detecting macOS backdoors
- Review Telegram and Zoom security configurations
Crypto Scam Enforcement: A federal court sentenced crypto-scammer Daren Li to 20 years in absentia for a $73 million fraud scheme. This enforcement action demonstrates continued focus on cryptocurrency-related financial crimes. Source: Infosecurity Magazine
Fortune 500 Cloud Exposure: Research has identified that intentionally vulnerable training applications (OWASP Juice Shop, DVWA, etc.) deployed in Fortune 500 cloud environments are being exploited for cryptocurrency mining. Organizations should audit cloud environments for exposed training applications. Source: The Hacker News
Government Facilities
Nevada Data Classification Policy: Following a cyberattack, Nevada has unveiled a new statewide data classification policy categorizing data as "public," "sensitive," "confidential," or "restricted." This post-incident policy development may serve as a model for other state governments. Source: SecurityWeek
CISA Operational Risk: Acting CISA Director Gottumukkala's warning about potential operational impacts from a DHS funding lapse is significant for all critical infrastructure sectors that rely on CISA threat intelligence, incident response support, and regulatory guidance. Source: CyberScoop
Vulnerability and Mitigation Updates
Critical Vulnerabilities Requiring Immediate Attention
Microsoft February 2026 Patch Tuesday - CRITICAL:
Microsoft released fixes for 59 vulnerabilities including six actively exploited zero-days. Five vulnerabilities are rated critical. Organizations should prioritize immediate patching given active exploitation.
- Total vulnerabilities addressed: 59
- Actively exploited zero-days: 6
- Critical severity: 5
Action Required: Immediate patching recommended for all Microsoft systems, with priority given to internet-facing and critical infrastructure systems.
Source: The Hacker News, Source: CSO Online
Apple Zero-Day (CVE Pending):
Apple has released security updates to address a zero-day vulnerability exploited in what the company described as an "extremely sophisticated attack" targeting specific individuals. While details are limited, the targeted nature suggests nation-state or advanced threat actor involvement.
Action Required: Update all Apple devices immediately, particularly those used by high-value targets or in sensitive environments.
Intel and AMD Chipmaker Vulnerabilities:
More than 80 vulnerabilities have been addressed across Intel and AMD products through over two dozen advisories. These hardware-level vulnerabilities may affect systems across all critical infrastructure sectors.
Action Required: Review vendor advisories and apply firmware/microcode updates as applicable to your environment.
Ivanti Endpoint Manager Vulnerabilities:
Ivanti has patched vulnerabilities originally disclosed in October 2025, including a high-severity authentication bypass that could be exploited remotely without authentication to obtain credentials.
Action Required: Organizations using Ivanti Endpoint Manager should verify patches are applied and review systems for potential compromise during the exposure window.
BeyondTrust Remote Access Tools:
BeyondTrust has fixed a critical remote code execution (RCE) flaw in its remote access tools. Given the widespread use of these tools in enterprise environments, this vulnerability poses significant risk.
Action Required: Update BeyondTrust products immediately and audit for any signs of compromise.
Broader Patch Tuesday Coverage
Over 60 software vendors issued security fixes across operating systems, cloud platforms, and network infrastructure this week. Security teams should review the comprehensive Patch Tuesday coverage and prioritize based on their specific environment and threat exposure. Source: The Hacker News
Upcoming Security Updates
Windows Secure Boot Certificate Refresh (June 2026):
Microsoft has announced plans to refresh Windows Secure Boot certificates in June 2026 after approximately 15 years of service. Organizations should begin planning for this transition to avoid boot failures or security gaps.
Action Required: Begin assessment of Secure Boot dependencies and develop transition plans.
Vulnerability Volume Forecast
FIRST (Forum of Incident Response and Security Teams) forecasts that 2026 will see record-breaking vulnerability disclosures, potentially reaching or surpassing 50,000 new CVEs. This projection underscores the need for:
- Risk-based vulnerability prioritization
- Automated patch management capabilities
- Focus on exploited vulnerabilities over raw CVSS scores
Recommended Defensive Measures
- Remote Access Tool Audit: Given Crazy ransomware's abuse of legitimate monitoring and remote support tools, audit all remote access software installations for unauthorized deployments
- Outlook Add-In Review: Review and restrict Outlook add-in installations following the AgreeTo supply chain compromise
- Linux System Hardening: Implement SSH hardening measures and update legacy kernels to defend against SSHStalker botnet
- MFA Verification: Despite JokerOTP disruption, continue enforcing MFA while monitoring for bypass attempts
- AI Tool Security: Implement controls around enterprise AI chatbot usage to prevent manipulation
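The SSHStalker botnet described in the Botnet Activity section gains its foothold by password brute-forcing, so the Linux hardening measure above is best paired with detection on the SSH authentication log. The following is an added example (not code from the briefing or any of its sources) that runs a simple sliding-window detector over constructed OpenSSH auth.log lines and escalates when a flagged source then authenticates successfully; the hostnames, addresses, thresholds and log lines are all constructed placeholders.

```python
"""SSH brute-force detector over auth.log lines (added example).

Flags a source IP that exceeds a failure threshold inside a time window,
and escalates when the same source then authenticates successfully, the
trace a password-guessing botnet leaves behind.
Log lines, hosts and addresses below are constructed placeholders.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Traditional OpenSSH syslog form: "Mon DD HH:MM:SS host sshd[pid]: message"
_PREFIX = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
FAIL_RE = re.compile(
    _PREFIX + r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
OK_RE = re.compile(
    _PREFIX + r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>[\d.]+)")


def parse_ts(text: str, year: int = 2026) -> datetime:
    """Syslog timestamps carry no year; assume one so window math works."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def detect(lines, threshold: int = 5, window_s: int = 60):
    """Return alerts as (ip, kind, detail) tuples.

    kind is "bruteforce" (threshold failures within window_s seconds) or
    "success_after_bruteforce" (a flagged source later logged in); the
    latter is the one that should page someone.
    """
    recent = defaultdict(deque)  # ip -> timestamps of failures inside the window
    flagged = set()              # sources already reported as brute-forcing
    alerts = []
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            ip, ts = m["ip"], parse_ts(m["ts"])
            q = recent[ip]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_s:
                q.popleft()  # drop failures that fell out of the window
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append((ip, "bruteforce", str(len(q))))
            continue
        m = OK_RE.match(line)
        if m and m["ip"] in flagged:
            alerts.append((m["ip"], "success_after_bruteforce", m["user"]))
    return alerts


# Constructed sample: a guessing burst from 203.0.113.7 ending in a login,
# plus two ordinary typos from 198.51.100.4 that must not be flagged.
SAMPLE_LOG = [
    "Feb 10 04:12:01 hist-gw sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2",
    "Feb 10 04:12:03 hist-gw sshd[2211]: Failed password for root from 203.0.113.7 port 51130 ssh2",
    "Feb 10 04:12:05 hist-gw sshd[2212]: Failed password for invalid user oracle from 203.0.113.7 port 51138 ssh2",
    "Feb 10 04:12:06 hist-gw sshd[2215]: Failed password for ops from 198.51.100.4 port 40022 ssh2",
    "Feb 10 04:12:07 hist-gw sshd[2213]: Failed password for invalid user test from 203.0.113.7 port 51140 ssh2",
    "Feb 10 04:12:09 hist-gw sshd[2214]: Failed password for backup from 203.0.113.7 port 51151 ssh2",
    "Feb 10 04:12:10 hist-gw sshd[2216]: Accepted publickey for ops from 198.51.100.4 port 40023 ssh2",
    "Feb 10 04:12:11 hist-gw sshd[2217]: Failed password for backup from 203.0.113.7 port 51160 ssh2",
    "Feb 10 04:12:20 hist-gw sshd[2218]: Accepted password for backup from 203.0.113.7 port 51170 ssh2",
]

if __name__ == "__main__":
    for ip, kind, detail in detect(SAMPLE_LOG):
        print(f"{kind:26} {ip:16} {detail}")
```

Feed it `journalctl -u ssh -o short` or `/var/log/auth.log` on a real host; the threshold and window are tuning knobs, not recommendations from the briefing.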
Resilience and Continuity Planning
Lessons Learned
Conduent Breach Cascade: The expanding impact of the Conduent breach—now affecting 25+ million individuals across multiple organizations including Volvo Group—demonstrates the cascading risks of third-party service provider compromises. Key lessons include:
- Initial breach impact assessments often underestimate true scope
- Third-party risk management must include ongoing monitoring, not just initial assessment
- Incident response plans should account for supply chain breach scenarios
- Data minimization with service providers limits exposure
Nevada Post-Incident Policy Development: Nevada's implementation of a statewide data classification policy following a cyberattack illustrates the importance of proactive policy development. Organizations should not wait for incidents to establish data governance frameworks.
Supply Chain Security Developments
Software Supply Chain Risks: This week's discovery of the malicious Outlook add-in and the ongoing Conduent breach impact highlight persistent software and service supply chain risks. Organizations should:
- Implement software bill of materials (SBOM) requirements for critical vendors
- Establish add-in and extension whitelisting policies
- Conduct regular third-party security assessments
- Develop incident response playbooks for supply chain compromises
Hardware Supply Chain: The "Build America" infrastructure initiatives from FCC and Transportation Department signal increased focus on domestic supply chains for critical infrastructure components. Organizations should monitor for implementation requirements that may affect procurement.
Cross-Sector Dependencies
CISA Operational Continuity: The potential for CISA operational limitations due to funding uncertainty creates cross-sector risk. Organizations should:
- Ensure alternative threat intelligence sources are established
- Document current CISA services utilized and identify backup capabilities
- Strengthen sector-specific ISAC relationships
- Review incident response plans for scenarios with limited federal support
Telecommunications Transparency: The blocked release of Salt Typhoon assessment reports limits cross-sector understanding of telecommunications infrastructure compromise. Organizations dependent on telecommunications services should implement defense-in-depth assuming potential compromise of underlying infrastructure.
Public-Private Coordination
Given current federal operational uncertainties, organizations should strengthen relationships with:
- Sector-specific Information Sharing and Analysis Centers (ISACs)
- State and local fusion centers
- Industry peer networks and working groups
- Commercial threat intelligence providers
Regulatory and Policy Developments
Federal Developments
CIRCIA Regulation Timeline Risk: Acting CISA Director Gottumukkala indicated that a DHS funding lapse could affect finalization of CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act) regulations. Organizations preparing for CIRCIA compliance should:
- Continue preparation activities based on the proposed rule
- Monitor for timeline adjustments
- Establish incident reporting capabilities regardless of final rule timing
Election Law Proposals: The MEGA Act and SAVE Act are moving through Congress with potential to significantly transform U.S. election laws. While focused on election integrity, these proposals may have implications for election infrastructure security requirements. Source: CyberScoop
Transportation Infrastructure: The Transportation Department's updated EV charger program with "100% Buy America Requirement" establishes precedent for domestic sourcing requirements in infrastructure programs. Similar requirements may expand to other critical infrastructure sectors. Source: Homeland Security Today
State-Level Developments
Nevada Data Classification: Nevada's new statewide data classification policy (public, sensitive, confidential, restricted) provides a framework that other states may adopt. Organizations operating across multiple states should monitor for similar policy developments. Source: SecurityWeek
International Developments
EU Cloud Security Market: The EU's approval of Google's $32 billion Wiz acquisition will reshape the cloud security competitive landscape. European critical infrastructure operators should assess potential impacts on security tool availability and vendor relationships. Source: CSO Online
Compliance Guidance
CVE Volume Management: With FIRST projecting 50,000+ CVEs in 2026, organizations should implement risk-based vulnerability management approaches that prioritize:
- Actively exploited vulnerabilities (KEV catalog)
- Internet-facing system exposure
- Critical infrastructure system impact
- Threat intelligence correlation
Training and Resource Spotlight
Security Investment Developments
GitGuardian Funding: GitGuardian has raised $50 million for secrets and non-human identity security, bringing total funding to over $100 million since 2017. This investment signals continued market focus on secrets management and API security—areas relevant to critical infrastructure environments with increasing automation. Source: SecurityWeek
Zast.AI Funding: Zast.AI has raised $6 million for AI-powered code security that uses AI agents to identify and validate software vulnerabilities before reporting. This approach may help address the projected surge in CVE volume. Source: SecurityWeek
Best Practices and Frameworks
Purple Teaming Guidance: New analysis emphasizes that "the hard part of purple teaming starts after detection." Organizations conducting purple team exercises should ensure they're measuring and improving response capabilities, not just detection rates. Source: CSO Online
CVE Prioritization: With vulnerability volume increasing, CISOs are advised to "separate signal from noise" by implementing threat-informed prioritization rather than attempting to patch all vulnerabilities equally. Source: CSO Online
Cyber Resilience with Open Source: Wazuh has published guidance on proactive cyber resilience strategies using its open source SIEM and XDR platform, demonstrating how organizations can unify visibility, detection, and automated response. Source: Bleeping Computer
Threat Hunting Resources
Autonomous Threat Operations: Recorded Future has published research on reducing manual threat hunting steps from 27 to 5 through automation, offering a model for organizations seeking to scale threat hunting capabilities. Source: Recorded Future
Identity Security Resources
SecurityWeek hosted a webinar on "Identity Under Attack" providing practical insights on balancing security, user experience, and operational efficiency against sophisticated identity-based threats. Organizations should review identity security posture given the prevalence of credential theft in current campaigns. Source: SecurityWeek
Looking Ahead: Upcoming Events
Scheduled Events and Workshops
NIST Supply Chain Workshop - March 9, 2026: NIST will host "Building the Strategic Supply Chain Network" addressing critical vulnerabilities exposed by recent disruptions including pandemics, infrastructure failures, and changing trade policies. This workshop is relevant for organizations seeking to strengthen supply chain resilience.
- Date: March 9, 2026
- Focus: Supply chain coordination and vulnerability mitigation
- Relevance: All critical infrastructure sectors
NIST IoT Cybersecurity Workshop - March 31, 2026: "Cybersecurity for IoT Workshop: Future Directions" will discuss emerging trends for IoT technologies and their cybersecurity implications as IoT becomes more sophisticated, automated, and ubiquitous.
- Date: March 31, 2026
- Focus: IoT security trends and future challenges
- Relevance: All sectors with IoT deployments
Anticipated Milestones
Windows Secure Boot Certificate Refresh - June 2026: Microsoft's planned refresh of Secure Boot certificates will require organizational preparation to ensure continued system functionality and security.
CIRCIA Final Rule: Timeline uncertain due to potential CISA operational impacts, but organizations should continue preparation activities.
Heightened Awareness Periods
El Paso Airport Security Situation: The 10-day flight halt at El Paso International Airport (through approximately February 21, 2026) may indicate an ongoing security concern. Transportation sector organizations should monitor for additional guidance or related alerts.
Patch Tuesday Follow-On: The week following major Patch Tuesday releases typically sees increased exploitation attempts as threat actors reverse-engineer patches. Organizations should prioritize patching of the six actively exploited Microsoft zero-days within the next 48-72 hours.
Seasonal Considerations
Tax Season Phishing: As tax filing season continues, expect increased phishing campaigns targeting financial information. The JokerOTP tool disruption may temporarily reduce MFA bypass capabilities, but organizations should remain vigilant.
Q1 Budget Cycles: Organizations finalizing Q1 security investments should consider the projected 50,000+ CVE volume for 2026 when allocating vulnerability management resources.
This intelligence briefing is based on open-source reporting from February 5-12, 2026. Analysis represents assessment of available information and should be validated against organization-specific threat models and risk tolerance. For the latest updates on actively exploited vulnerabilities, monitor CISA's Known Exploited Vulnerabilities (KEV) catalog.
This briefing is generated using AI analysis of public news sources. Always verify critical information through authoritative sources before taking action.