CISA Operating at 38% Capacity Amid DHS Shutdown; Chrome Zero-Day Exploited in Wild as BeyondTrust Flaw Gets Emergency Directive
Critical Infrastructure Intelligence Briefing
Date: Tuesday, February 17, 2026
Reporting Period: February 10-17, 2026
1. Executive Summary
This week's intelligence highlights a critical convergence of reduced federal cybersecurity capacity and active exploitation of multiple vulnerabilities affecting critical infrastructure sectors.
- CISA Capacity Crisis: The Cybersecurity and Infrastructure Security Agency is operating at approximately 38% capacity (888 of 2,341 staff) following the DHS shutdown that began February 14, 2026. This significantly reduces the federal government's ability to coordinate cyber defense, issue advisories, and support critical infrastructure operators during an active threat period.
- Active Exploitation: Google has patched CVE-2026-2441, the first actively exploited Chrome zero-day of 2026, while CISA has issued an emergency directive requiring federal agencies to patch BeyondTrust Remote Support vulnerabilities within three days. Both vulnerabilities are being exploited in the wild.
- Novel Attack Techniques: Microsoft has disclosed a new ClickFix attack variant that abuses DNS lookups to deliver malware—the first known use of DNS as a delivery channel in these social engineering campaigns. This technique may evade traditional security controls.
- AI Infrastructure Targeting: Information-stealing malware has been observed targeting OpenClaw AI agent configuration files and gateway tokens, marking the first documented case of infostealers specifically targeting agentic AI infrastructure.
- Major Data Breaches: Multiple significant breaches this week include Dutch telecom Odido (6+ million customers), Eurail traveler data now for sale on dark web, and luxury brands fined $25 million in South Korea following Scattered LAPSUS$ Hunters attacks on Salesforce instances.
2. Threat Landscape
Nation-State and Advanced Threat Actor Activities
- Scattered LAPSUS$ Hunters: This threat group has been linked to successful attacks against multiple luxury brand Salesforce instances, resulting in data breaches at Dior, Louis Vuitton, and Tiffany. South Korean regulators have imposed $25 million in fines. Organizations using Salesforce should review access controls and monitor for unauthorized data access. (SecurityWeek)
- ShinyHunters Data Extortion: The well-known data extortion group claims responsibility for stealing over 600,000 Canada Goose customer records containing personal and payment-related data. Canada Goose is investigating the incident. (Bleeping Computer)
Ransomware and Cybercriminal Developments
- Washington Hotel Japan Ransomware: The Washington Hotel brand in Japan disclosed a ransomware attack compromising servers and exposing business data. This continues the trend of hospitality sector targeting. (Bleeping Computer)
- Operation DoppelBrand: A new phishing campaign is weaponizing trusted financial brand identities, specifically targeting major institutions including Wells Fargo for credential theft. Financial sector organizations should alert employees and enhance email security controls. (Infosecurity Magazine)
- OysterLoader Evolution: The OysterLoader malware has evolved with new command-and-control infrastructure and enhanced obfuscation techniques, indicating continued development and active use by threat actors. (Infosecurity Magazine)
Emerging Attack Vectors
- DNS-Based ClickFix Attacks: Microsoft has identified a novel attack technique where threat actors abuse DNS queries (nslookup) to retrieve PowerShell payloads. This represents the first documented use of DNS as a delivery mechanism in ClickFix social engineering campaigns. The technique delivers a RAT named ModeloRAT to targeted users. Security teams should monitor for unusual DNS query patterns and PowerShell execution following DNS lookups. (SecurityWeek)
- Promptware Kill Chain: Security researcher Bruce Schneier has published analysis of the "Promptware Kill Chain," detailing attack stages against AI systems including initial access, privilege escalation, reconnaissance, persistence, and command execution. This framework provides defenders with a model for understanding and defending against AI-targeted attacks. (Schneier on Security)
- AI Agent Reputation Farming: Open source maintainers are being targeted by AI agents conducting "reputation farming" operations, potentially to establish trust before introducing malicious code. This represents an emerging supply chain threat vector. (CSO Online)
Mobile and Surveillance Threats
- ZeroDayRAT Mobile Spyware: A new mobile spyware platform called ZeroDayRAT is being advertised on Telegram, offering real-time surveillance and data theft capabilities. This commercial spyware poses risks to personnel with access to critical infrastructure systems. (The Hacker News)
3. Sector-Specific Analysis
Communications & Information Technology
- Dutch Telecom Breach: Odido, a major Dutch telecommunications provider, has disclosed a data breach affecting over six million customers. Telecommunications infrastructure operators should review access controls and incident response procedures. (Infosecurity Magazine)
- Chrome Browser Vulnerabilities: Beyond the actively exploited zero-day, researchers have identified Chrome extensions with 37 million combined installs that were leaking user browsing history. Organizations should audit browser extensions and implement extension management policies. (CSO Online)
- Password Manager Vulnerabilities: Security researchers have disclosed 25 password recovery attacks affecting major cloud password managers including Bitwarden, Dashlane, and LastPass. These findings challenge end-to-end encryption claims and may impact organizations relying on these tools for credential management. (The Hacker News)
Transportation Systems
- Eurail Data Breach: Eurail B.V., which provides access to 250,000 kilometers of European railways, confirmed that data stolen in an earlier breach is now being sold on the dark web. Transportation sector operators should monitor for credential exposure and implement additional authentication controls. (Bleeping Computer)
- Olympics Security Concerns: European authorities are on high alert regarding mobile security threats as Olympic preparations continue. The shift to mobile-first experiences requires corresponding security strategy adjustments. (Security Magazine)
Financial Services
- Operation DoppelBrand Targeting: Financial institutions including Wells Fargo are being specifically targeted by sophisticated phishing campaigns that weaponize trusted brand identities. Financial sector security teams should enhance email filtering and user awareness training. (Infosecurity Magazine)
- Crypto-Enabled Human Trafficking: Chainalysis reports an 85% surge in cryptocurrency payments to human trafficking operations, indicating that online fraud is fueling sophisticated criminal enterprises. Financial institutions should enhance transaction monitoring for associated indicators. (Infosecurity Magazine)
- Bangladesh Bank Heist Anniversary: The 10-year anniversary of the Bangladesh Bank cyberheist provides an opportunity to review cyber-resiliency lessons. The incident remains relevant for understanding SWIFT system vulnerabilities and the importance of transaction verification controls. (CSO Online)
Healthcare & Public Health
- AI Infrastructure in Healthcare: The targeting of OpenClaw AI agent configurations by infostealers has implications for healthcare organizations deploying AI assistants for clinical or administrative functions. Organizations should audit AI tool configurations and secure associated credentials.
Government Facilities
- CISA Reduced Operations: With CISA operating at 38% capacity, critical infrastructure operators should expect delays in federal coordination, advisory issuance, and incident response support. Organizations should ensure internal capabilities are prepared to operate with reduced federal assistance. (SecurityWeek)
- FEMA Coordination Gaps: Analysis indicates concerns about emergency preparedness coordination as FEMA operations face uncertainty. State and local emergency management agencies should review mutual aid agreements and ensure communication channels remain functional. (Homeland Security Today)
Defense Industrial Base
- ISIS Operations Continue: U.S. forces conducted strikes on 30 additional ISIS targets in Syria, indicating continued counterterrorism operations. Defense contractors should maintain heightened security awareness. (Homeland Security Today)
4. Vulnerability & Mitigation Updates
Critical Vulnerabilities Requiring Immediate Attention
| CVE | Product | Severity | Status | Action Required |
|---|---|---|---|---|
| CVE-2026-2441 | Google Chrome | High | Actively Exploited | Update to Chrome 145 immediately |
| BeyondTrust Flaw | BeyondTrust Remote Support | Critical | Actively Exploited | Patch within 3 days per CISA directive |
Chrome Zero-Day (CVE-2026-2441)
- Impact: Allows remote attackers to execute arbitrary code
- Exploitation: Confirmed active exploitation in the wild; public exploit code available
- Mitigation: Update to Chrome 145 immediately across all enterprise systems
- Sources: SecurityWeek, The Hacker News, CSO Online
BeyondTrust Remote Support Vulnerability
- Impact: Actively exploited vulnerability in remote support software
- CISA Directive: Federal agencies ordered to patch within three days
- Recommendation: All organizations using BeyondTrust Remote Support should apply patches immediately, regardless of sector
- Source: Bleeping Computer
Recommended Defensive Measures
- Browser Security: Audit and remove unnecessary Chrome extensions; implement extension allowlisting where possible
- DNS Monitoring: Implement DNS query logging and monitor for unusual patterns, particularly nslookup commands followed by PowerShell execution
- Password Manager Review: Assess organizational use of cloud password managers in light of disclosed vulnerabilities; consider additional authentication layers
- AI Tool Security: Audit OpenClaw and similar AI agent configurations; secure API keys and authentication tokens; monitor for unauthorized access to configuration files
- Salesforce Security: Review Salesforce instance configurations, access controls, and API permissions following Scattered LAPSUS$ Hunters campaign
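The DNS Monitoring measure above calls for correlating nslookup with a following PowerShell launch. The Python below is an added example, not code from the briefing or any cited source: it parses constructed Sysmon-style process-creation events (hostnames, users, times and the lookup domain are invented placeholders) and flags a powershell.exe start that follows an nslookup.exe start by the same user on the same host within a configurable window.

```python
import json
from datetime import datetime

# Constructed JSON-lines process-creation telemetry (Sysmon Event ID 1 style).
# Hosts, users, times and the lookup domain are invented for this example.
SAMPLE_LOG = """
{"ts": "2026-02-16T09:14:02", "host": "ws-014", "user": "jdoe", "parent": "explorer.exe", "image": "nslookup.exe", "cmd": "nslookup -type=txt lookup.example.invalid"}
{"ts": "2026-02-16T09:14:04", "host": "ws-014", "user": "jdoe", "parent": "explorer.exe", "image": "powershell.exe", "cmd": "powershell.exe [command line redacted in this sample]"}
{"ts": "2026-02-16T10:01:00", "host": "ws-022", "user": "netadmin", "parent": "cmd.exe", "image": "nslookup.exe", "cmd": "nslookup mail.corp.example"}
{"ts": "2026-02-16T10:20:00", "host": "ws-022", "user": "netadmin", "parent": "cmd.exe", "image": "powershell.exe", "cmd": "powershell.exe Get-Service"}
{"ts": "2026-02-16T11:00:00", "host": "ws-031", "user": "SYSTEM", "parent": "services.exe", "image": "powershell.exe", "cmd": "powershell.exe -File inventory.ps1"}
"""


def parse_events(log_text):
    """Parse JSON lines into event dicts with a datetime 'ts', oldest first."""
    events = []
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect_dns_then_powershell(events, window_seconds=60):
    """Flag powershell.exe launches that follow an nslookup.exe launch by the
    same user on the same host within window_seconds.

    Returns (host, user, lookup_ts, powershell_ts) tuples with ISO timestamps.
    """
    findings = []
    last_lookup = {}  # (host, user) -> timestamp of the most recent nslookup
    for event in events:
        key = (event["host"], event["user"])
        image = event["image"].lower()
        if image == "nslookup.exe":
            last_lookup[key] = event["ts"]
        elif image == "powershell.exe" and key in last_lookup:
            gap = (event["ts"] - last_lookup[key]).total_seconds()
            if 0 <= gap <= window_seconds:
                findings.append((event["host"], event["user"],
                                 last_lookup[key].isoformat(),
                                 event["ts"].isoformat()))
    return findings


def run_detection(window_seconds=60):
    """Run the correlation over the constructed sample log."""
    return detect_dns_then_powershell(parse_events(SAMPLE_LOG), window_seconds)


if __name__ == "__main__":
    for host, user, lookup_ts, ps_ts in run_detection():
        print(f"ALERT {host} {user}: nslookup at {lookup_ts}, powershell at {ps_ts}")
```

With the default 60-second window only ws-014 is flagged; widening it to 30 minutes also catches the administrator on ws-022, which shows why the window needs tuning against baseline admin activity (and why requiring a shared interactive parent process further cuts noise).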
Android Security Update
- Android 17 Beta introduces strengthened secure-by-default design for privacy and app security. Organizations with BYOD or managed Android deployments should plan for testing and rollout. (SecurityWeek)
5. Resilience & Continuity Planning
Lessons Learned
- Bangladesh Bank Heist (10-Year Retrospective): Key lessons remain relevant: implement transaction verification controls, establish out-of-band confirmation procedures for high-value transfers, and maintain 24/7 monitoring capabilities. (CSO Online)
- Reduced Federal Support Operations: The current CISA capacity reduction highlights the importance of organizational self-sufficiency in cybersecurity operations. Critical infrastructure operators should:
  - Ensure incident response plans do not assume immediate federal assistance
  - Verify sector-specific ISAC contact information is current
  - Test internal detection and response capabilities
  - Establish peer communication channels within sectors
Supply Chain Security
- Open Source Supply Chain Threats: The targeting of open source maintainers by AI agents for "reputation farming" represents an emerging supply chain attack vector. Organizations should:
  - Implement software bill of materials (SBOM) practices
  - Monitor dependencies for unusual maintainer activity
  - Verify code changes through multiple channels before deployment
- AI Tool Supply Chain: The theft of OpenClaw configuration files demonstrates that AI infrastructure introduces new supply chain considerations. Organizations deploying AI agents should treat configuration files and API tokens as high-value assets requiring protection.
Cross-Sector Dependencies
- Telecommunications-Transportation Nexus: The Odido and Eurail breaches highlight the interconnection between telecommunications and transportation sectors. Disruption or compromise of telecom infrastructure can cascade to transportation operations.
- Federal Coordination Gaps: With both CISA and FEMA facing operational constraints, cross-sector coordination may be impacted. Sector-specific ISACs and regional partnerships become more critical during this period.
SME Security Considerations
- NCSC's Richard Horne has warned that small and medium enterprises should not assume they are too small to be targeted. Cybercriminals do not discriminate based on business size, and SMEs often serve as entry points to larger supply chains. (Infosecurity Magazine)
6. Regulatory & Policy Developments
Federal Developments
- DHS Shutdown Impact: The DHS shutdown beginning February 14, 2026 has reduced CISA to 38% operational capacity. This affects:
  - Advisory and alert issuance timelines
  - Federal network monitoring and defense
  - Critical infrastructure coordination activities
  - Incident response support availability
- CISA Emergency Directive: Despite reduced capacity, CISA has issued an emergency directive requiring federal agencies to patch BeyondTrust Remote Support vulnerabilities within three days. This indicates the severity of the threat and should prompt private sector organizations to prioritize similar patching. (Bleeping Computer)
International Developments
- South Korea Data Protection Enforcement: South Korean regulators have fined luxury brands including Dior, Louis Vuitton, and Tiffany a combined $25 million following data breaches attributed to Scattered LAPSUS$ Hunters. This demonstrates continued international enforcement of data protection requirements. (SecurityWeek)
- UK Terrorism Designation Ruling: A UK High Court has ruled the proscription of Palestine Action as a terrorist group was unlawful, with potential implications for security planning and threat assessments. (Homeland Security Today)
- Lithuania AI Fraud Initiative: Lithuania is implementing a national mission for "A Safe and Inclusive Digital Society" focused on AI-driven cyber fraud prevention, offering potential models for other nations. (The Hacker News)
Privacy and Surveillance
- Ring-Flock Safety Partnership Terminated: Amazon's Ring has terminated its partnership with police surveillance technology company Flock Safety following public backlash over a Super Bowl advertisement. This reflects ongoing tensions between security technology deployment and privacy concerns. (SecurityWeek)
7. Training & Resource Spotlight
New Resources
- Center for Homeland Defense and Security Updates: CHDS has launched new learning and research sites and expanded irregular warfare courses. These resources may be valuable for security professionals seeking to enhance their understanding of evolving threat landscapes. (Homeland Security Today)
- Risk Communication Framework: CSO Online has published guidance on "Finding a common language around risk," providing frameworks for security professionals to communicate effectively with business leadership. (CSO Online)
- CISO Leadership Insights: CISO Julie Chatman has shared insights on taking control of security leadership roles, offering guidance for security executives navigating organizational challenges. (CSO Online)
Best Practices
- Critical Thinking in Security: Security Magazine highlights the erosion of critical thinking as a hidden threat to security career resilience, emphasizing that cybersecurity is only one piece of the larger security puzzle. (Security Magazine)
- Passwordless Authentication: Guidance on maintaining ISO 27001 compliance while transitioning from passwords to passkeys is available, supporting organizations moving toward passwordless authentication. (Bleeping Computer)
- Network Intelligence: Recorded Future has published guidance on using network intelligence for threat investigation with global visibility, offering alternatives to passive threat feeds. (Recorded Future)
Sector-Specific Training
- Mobile Security for Events: With major international events approaching, security teams should review mobile security strategies. The Olympics security analysis provides a framework for protecting mobile-first experiences at large-scale events. (Security Magazine)
8. Looking Ahead: Upcoming Events
Workshops and Conferences
- March 9, 2026: NIST Workshop - "Building the Strategic Supply Chain Network" - Addressing supply chain vulnerabilities exposed by recent disruptions including pandemics, infrastructure failures, and changing trade policies. (NIST)
- March 31, 2026: NIST Workshop - "Cybersecurity for IoT Workshop: Future Directions" - Discussion of emerging and future trends for IoT technologies and their implications for IoT cybersecurity as systems become more sophisticated, automated, and ubiquitous. (NIST)
Threat Periods Requiring Heightened Awareness
- Ongoing: DHS shutdown period - Expect reduced federal cybersecurity coordination and support. Organizations should maintain heightened internal vigilance and leverage sector ISACs for threat information.
- February-March 2026: Active exploitation of Chrome and BeyondTrust vulnerabilities continues. Monitor for additional exploitation attempts and ensure patches are deployed.
- Spring 2026: Olympics preparation period - European authorities report heightened alert status. Organizations with European operations or travel should review security postures.
Anticipated Developments
- AI Security Evolution: The targeting of OpenClaw configurations and the emergence of the "Promptware Kill Chain" framework indicate AI security will be an increasing focus area. Organizations should prepare for additional guidance and potential regulatory attention.
- Password Manager Security: Following disclosure of 25 password recovery attacks, expect vendor responses and potential updates to cloud password manager security architectures.
This intelligence briefing is compiled from open-source reporting and is intended to support critical infrastructure protection decision-making. Recipients are encouraged to verify information through primary sources and adapt recommendations to their specific operational environments.
Report Prepared: Tuesday, February 17, 2026
Disclaimer
This briefing is generated using AI analysis of public news sources. Always verify critical information through authoritative sources before taking action.