
Chinese APT Exploits Dell Zero-Day for 18 Months; CISA Adds Four Flaws to KEV as Ransomware Hits Record Highs

1. Executive Summary

This week's intelligence highlights significant nation-state activity: Chinese threat actors have been exploiting a critical Dell RecoverPoint for Virtual Machines vulnerability (CVE-2026-22769) since mid-2024, an 18-month campaign that went undetected until now. The activity is attributed to UNC6201, a suspected China-nexus cluster that has moved from its Brickstorm backdoor to a newer variant tracked as Grimbolt. The length of the intrusion window is the main operational concern: affected organizations need to scope compromise back to mid-2024, not just patch.

Key Developments:

  • Nation-State Threat Activity: Google's Threat Intelligence Group (GTIG) and Mandiant disclosed that Chinese APT group UNC6201 has been exploiting a maximum-severity (CVSS 10.0) Dell RecoverPoint for Virtual Machines zero-day since mid-2024, deploying Brickstorm malware and, more recently, its successor Grimbolt.
  • CISA KEV Updates: CISA added four actively exploited vulnerabilities to its Known Exploited Vulnerabilities catalog, including a flaw in Taiwan security firm TeamT5's ThreatSonar Anti-Ransomware product that was patched in 2024. CISA also issued an advisory on critical authentication bypass vulnerabilities in Honeywell CCTV products.
  • Ransomware Surge: IT-ISAC's annual report confirms a 30% increase in ransomware victims in 2025, with record numbers of both victims and active ransomware groups observed.
  • Supply Chain Concerns: Notepad++ addressed a hijacked update mechanism exploited by Chinese threat actors for targeted malware delivery, while new Android malware "Keenadu" has been found preinstalled on thousands of devices.
  • Critical Infrastructure Alerts: Honeywell CCTV products used in critical infrastructure environments contain authentication bypass vulnerabilities requiring immediate attention.
  • DHS Operations Impact: The ongoing DHS partial shutdown, now in its fourth day, may affect coordination capabilities for critical infrastructure protection activities.

2. Threat Landscape

Nation-State Threat Actor Activities

Chinese APT UNC6201 - Dell RecoverPoint Campaign

The most significant threat development this week involves the disclosure of a long-running Chinese cyberespionage campaign exploiting Dell RecoverPoint for Virtual Machines. Key details include:

  • Vulnerability: CVE-2026-22769, rated CVSS 10.0 (maximum severity)
  • Duration: Active exploitation since mid-2024—approximately 18 months before discovery
  • Attribution: UNC6201, a suspected China-nexus threat cluster
  • Malware Evolution: Attackers have transitioned from Brickstorm malware to a more advanced variant called "Grimbolt"
  • Targets: Organizations using Dell RecoverPoint for VM backup and disaster recovery

This campaign underscores the persistent challenge of detecting sophisticated nation-state operations and the importance of defense-in-depth strategies for backup and recovery infrastructure.

Sources: SecurityWeek, The Hacker News, CSO Online, CyberScoop

Chinese Threat Actors Target Software Update Mechanisms

Notepad++ has released security fixes after discovering that an advanced Chinese threat actor hijacked its software update mechanism to selectively deliver malware to targets of interest. The author states the fixes make the update mechanism "effectively unexploitable." This supply chain attack vector demonstrates continued adversary interest in compromising trusted software distribution channels.

Sources: The Hacker News, CSO Online

Ransomware and Cybercriminal Developments

Record Ransomware Activity in 2025

According to IT-ISAC's annual ransomware report highlighted by WaterISAC, 2025 saw unprecedented ransomware activity:

  • 30% increase in ransomware victims compared to the previous year
  • Record number of active ransomware groups operating simultaneously
  • Continued targeting of critical infrastructure sectors

Searchlight Cyber's research corroborates these findings, noting the proliferation of ransomware-as-a-service operations and increasingly sophisticated extortion tactics.

Sources: WaterISAC, Infosecurity Magazine

Underground Exploit Sharing Accelerates Weaponization

Research from Flare reveals that underground Telegram channels are sharing exploit proof-of-concepts and stolen administrator credentials within days of vulnerability disclosure. Analysis of SmarterMail exploitation demonstrates the rapid weaponization timeline threat actors now achieve through these communities.

Source: Bleeping Computer

Emerging Attack Vectors

AI Platforms as Command-and-Control Channels

Security researchers have demonstrated that AI assistants with web browsing capabilities, including Grok and Microsoft Copilot, can be abused as a relay for command-and-control (C2) traffic. Because the infected host talks only to a legitimate AI service, the malicious exchange blends into sanctioned AI usage and ordinary domain-reputation or allowlist controls do not flag it, which complicates detection for security teams.

Sources: Bleeping Computer, Infosecurity Magazine
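One detection angle that survives the relay trick, added here as an example (not code from the researchers or the cited articles): the implant still has to poll the AI service on a schedule, so request timing toward those endpoints can be baselined. The Go program below reads proxy records in a constructed JSON-lines format, keeps requests to a watch-list of AI-service hosts (placeholder names, not the services in the report), and flags client/destination pairs whose inter-request gaps are nearly constant. This is a generic beaconing heuristic applied to AI-service destinations; the log lines, host names and thresholds are all assumptions for the demonstration.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"math"
	"sort"
	"strings"
	"time"
)

// ProxyEvent is one outbound request as a web proxy might log it; the JSON-lines
// field names are assumed for this example. encoding/json parses the RFC 3339 "ts"
// string straight into time.Time.
type ProxyEvent struct {
	TS   time.Time `json:"ts"`
	Src  string    `json:"src"`  // internal client address
	Host string    `json:"host"` // destination host
}

// Beacon is a (client, destination) pair whose request timing looks timer-driven.
// CV is std-dev / mean of the inter-request gaps; near 0 means a fixed interval.
type Beacon struct {
	Src, Host  string
	Count      int
	MeanGapSec float64
	CV         float64
}

// WatchedHosts are the AI-service endpoints being baselined (placeholder names).
var WatchedHosts = map[string]bool{"assistant.example.com": true, "copilot-api.example.net": true}

// SampleLog is CONSTRUCTED: 10.0.5.17 polls the assistant every ~60 s,
// 10.0.5.40 uses it interactively, 10.0.5.99 talks to an unwatched host.
const SampleLog = `
{"ts":"2026-02-18T09:00:00Z","src":"10.0.5.17","host":"assistant.example.com"}
{"ts":"2026-02-18T09:00:59Z","src":"10.0.5.17","host":"assistant.example.com"}
{"ts":"2026-02-18T09:02:00Z","src":"10.0.5.17","host":"assistant.example.com"}
{"ts":"2026-02-18T09:03:00Z","src":"10.0.5.17","host":"assistant.example.com"}
{"ts":"2026-02-18T09:04:00Z","src":"10.0.5.17","host":"assistant.example.com"}
{"ts":"2026-02-18T09:00:00Z","src":"10.0.5.40","host":"assistant.example.com"}
{"ts":"2026-02-18T09:00:12Z","src":"10.0.5.40","host":"assistant.example.com"}
{"ts":"2026-02-18T09:03:40Z","src":"10.0.5.40","host":"assistant.example.com"}
{"ts":"2026-02-18T09:20:00Z","src":"10.0.5.40","host":"assistant.example.com"}
{"ts":"2026-02-18T09:01:00Z","src":"10.0.5.99","host":"updates.example.org"}
`

// FindBeacons keeps requests to watched hosts, groups them by (src, host) and
// reports pairs with at least minCount requests whose inter-request gaps are
// nearly constant (CV <= maxCV). People browse in irregular bursts; an implant
// polling on a timer does not.
func FindBeacons(logs string, minCount int, maxCV float64) ([]Beacon, error) {
	type key struct{ src, host string }
	times := map[key][]time.Time{}
	sc := bufio.NewScanner(strings.NewReader(logs))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var ev ProxyEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("bad log line %q: %w", line, err)
		}
		if WatchedHosts[ev.Host] {
			times[key{ev.Src, ev.Host}] = append(times[key{ev.Src, ev.Host}], ev.TS)
		}
	}
	var out []Beacon
	for k, ts := range times {
		if len(ts) < minCount || len(ts) < 2 {
			continue
		}
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		var mean, variance float64
		for i := 1; i < len(ts); i++ {
			mean += ts[i].Sub(ts[i-1]).Seconds()
		}
		mean /= float64(len(ts) - 1)
		for i := 1; i < len(ts); i++ {
			d := ts[i].Sub(ts[i-1]).Seconds() - mean
			variance += d * d
		}
		if cv := math.Sqrt(variance/float64(len(ts)-1)) / mean; mean > 0 && cv <= maxCV {
			out = append(out, Beacon{Src: k.src, Host: k.host, Count: len(ts), MeanGapSec: mean, CV: cv})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Src < out[j].Src })
	return out, nil
}

func main() {
	beacons, err := FindBeacons(SampleLog, 4, 0.1)
	if err != nil {
		panic(err)
	}
	for _, b := range beacons {
		fmt.Printf("%s -> %s: %d requests, mean gap %.0fs, CV %.3f\n", b.Src, b.Host, b.Count, b.MeanGapSec, b.CV)
	}
}
```

On the sample data only 10.0.5.17 is reported (mean gap 60 s, CV about 0.01); the interactive user's gaps vary by a factor of 80 and fall out. Implants that add random jitter push the CV up, so in practice the threshold is tuned against a baseline of known-good clients and combined with request volume and User-Agent checks rather than used alone.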

Cryptojacking Campaign Uses Driver Exploitation

A sophisticated cryptojacking campaign is exploiting vulnerable drivers to deploy persistent XMRig Monero miners with advanced stealth tactics. The campaign leverages pirated software as an initial infection vector.

Source: Infosecurity Magazine

Physical Security and Surveillance Concerns

Commercial Forensic Tools in Government Use

Citizen Lab research has documented the use of Cellebrite forensic extraction tools by Kenyan authorities against a prominent dissident while in police custody. This highlights ongoing concerns about the deployment of commercial surveillance technologies against civil society.

Source: The Hacker News

3. Sector-Specific Analysis

Energy Sector

While no sector-specific incidents were reported this week, energy sector organizations using Dell RecoverPoint for Virtual Machines should treat the CVE-2026-22769 disclosure as a high-priority concern given the 18-month exploitation window and the critical nature of backup/recovery systems for operational resilience.

Recommended Actions:

  • Inventory Dell RecoverPoint deployments across OT and IT environments
  • Apply available patches immediately
  • Conduct forensic analysis for indicators of compromise dating back to mid-2024
  • Review network segmentation between backup infrastructure and production systems

Water & Wastewater Systems

WaterISAC Intelligence Updates

WaterISAC has released several critical resources this week:

  • Pro-Russia Hacktivists' Exploitation of Flat IT/OT Connectivity (TLP:AMBER): Gate 15 report analyzing how pro-Russian hacktivist groups are exploiting poor network segmentation between IT and OT environments
  • Weekly Vulnerabilities to Prioritize: Curated list of vulnerabilities most relevant to water sector operations
  • CPS Exposure Management for Water and Wastewater Systems (TLP:GREEN): Guidance on prioritizing cyber-physical system protection based on community impact
  • TOP ACTIONS to Enhance Utility Cybersecurity: Updated baseline security recommendations

Source: WaterISAC

Key Concern: IT/OT Convergence Risks

The Gate 15 report on pro-Russia hacktivists emphasizes the ongoing risk posed by flat network architectures that allow adversaries to pivot from IT systems to operational technology. Water utilities should prioritize network segmentation assessments.

Communications & Information Technology

Critical VS Code Extension Vulnerabilities

Sixteen vulnerabilities have been discovered across four popular Microsoft Visual Studio Code extensions with a combined install base exceeding 125 million. Successful exploitation could allow threat actors to compromise developer environments and potentially inject malicious code into software projects.

Sources: The Hacker News, CSO Online

PDF Platform Vulnerabilities

Novee researchers disclosed 16 vulnerabilities in Foxit and Apryse PDF tools that could enable account takeover and data exfiltration through malicious documents or URLs. Organizations should review PDF processing workflows and update affected software.

Source: SecurityWeek

VoIP Infrastructure at Risk

A critical unauthenticated remote code execution vulnerability affects Grandstream GXP1600 series VoIP phones. Organizations using these devices in critical infrastructure environments should prioritize patching or replacement.

Source: The Hacker News

Transportation Systems

German Rail System Disruption

A cyberattack on Deutsche Bahn (German Rail) has disrupted passenger information systems. While operational rail systems appear unaffected, the incident demonstrates continued adversary interest in transportation sector targets.

Source: CSO Online

Healthcare & Public Health

Conduent Data Breach Impact

The Conduent data breach continues to have widespread repercussions across healthcare and government services. Organizations that use Conduent for benefits administration or healthcare processing should assess their exposure and implement appropriate notification and monitoring measures.

Source: Security Magazine

Financial Services

Figure Technology Solutions Breach

Fintech firm Figure Technology Solutions has disclosed a data breach affecting nearly 1 million accounts. Personal and contact information was stolen, highlighting ongoing risks to financial technology platforms.

Source: Bleeping Computer

Global Leaders Exposed in Data Leak

A financial summit accidentally exposed passports and personal data of global leaders and executives, demonstrating the risks of inadequate data handling at high-profile events.

Source: Security Magazine

Government Facilities

DHS Partial Shutdown Continues

The Department of Homeland Security partial shutdown has entered its fourth day with no resolution in sight. This may impact CISA coordination activities, information sharing, and other critical infrastructure protection functions. Organizations should ensure they have alternative communication channels and are monitoring sector-specific ISACs for updates.

Source: Homeland Security Today

4. Vulnerability & Mitigation Updates

Critical Vulnerabilities Requiring Immediate Attention

CVE            | Product                            | Severity             | Status               | Action Required
---------------|------------------------------------|----------------------|----------------------|-------------------------------------------
CVE-2026-22769 | Dell RecoverPoint for VMs          | CVSS 10.0 (Critical) | Actively exploited   | Patch immediately; conduct forensic review
Multiple CVEs  | Honeywell CCTV products            | Critical             | CISA advisory issued | Apply patches; restrict network access
N/A            | TeamT5 ThreatSonar Anti-Ransomware | High                 | Added to KEV         | Verify patch status (patched in 2024)
Multiple CVEs  | VS Code extensions (4)             | High                 | Disclosed            | Update affected extensions
N/A            | Grandstream GXP1600 VoIP           | Critical (RCE)       | Disclosed            | Apply patches or isolate devices
Multiple CVEs  | Foxit/Apryse PDF tools             | High                 | Disclosed            | Update software; review PDF workflows

CISA Advisories and KEV Updates

Four Vulnerabilities Added to Known Exploited Vulnerabilities Catalog

CISA added four security flaws to its KEV catalog on Tuesday, citing evidence of active exploitation:

  • TeamT5 ThreatSonar Anti-Ransomware vulnerability (patched in 2024)
  • Additional vulnerabilities detailed in CISA's weekly ICS advisories

Organizations subject to BOD 22-01 (federal civilian executive branch agencies) must remediate these vulnerabilities by the due date CISA assigns to each catalog entry. Other organizations should treat KEV due dates as a prioritization signal: a KEV listing means exploitation is confirmed in the wild, not theoretical.

Sources: SecurityWeek, The Hacker News
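To turn the catalog into a work queue, cross-reference it against your own asset/CVE inventory and sort by deadline. The Go program below is an added example, not a CISA tool: it parses the feed's published JSON shape (fields such as cveID, product, requiredAction and dueDate), joins it with a scanner export, and reports which assets carry KEV entries and how many days remain before the BOD 22-01 due date. The feed excerpt, CVE IDs, host names and dates in it are constructed placeholders; a production version would download the live feed from the CISA URL in the comment.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"time"
)

// KEVEntry holds the fields of CISA's Known Exploited Vulnerabilities JSON feed
// that a remediation check needs. The live feed is published at
// https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
type KEVEntry struct {
	CVEID          string `json:"cveID"`
	VendorProject  string `json:"vendorProject"`
	Product        string `json:"product"`
	DateAdded      string `json:"dateAdded"`
	RequiredAction string `json:"requiredAction"`
	DueDate        string `json:"dueDate"` // BOD 22-01 remediation deadline, YYYY-MM-DD
}

// Asset is one row of a scanner or CMDB export (hypothetical shape): a host
// and the CVEs reported against it.
type Asset struct {
	Host string
	CVEs []string
}

// Finding is one asset/CVE pair that appears in the catalog.
type Finding struct {
	Host     string
	CVEID    string
	Product  string
	Action   string
	DueDate  time.Time
	DaysLeft int // negative once the deadline has passed
	Overdue  bool
}

// SampleKEV is a CONSTRUCTED excerpt in the feed's format. The CVE IDs,
// vendors and dates are placeholders, not real catalog entries.
const SampleKEV = `{"title":"constructed excerpt","vulnerabilities":[
{"cveID":"CVE-2024-99991","vendorProject":"ExampleVendor","product":"Backup Appliance","dateAdded":"2026-02-10","requiredAction":"Apply mitigations per vendor instructions.","dueDate":"2026-03-03"},
{"cveID":"CVE-2024-99992","vendorProject":"ExampleVendor","product":"CCTV Recorder","dateAdded":"2026-01-20","requiredAction":"Apply updates per vendor instructions.","dueDate":"2026-02-10"},
{"cveID":"CVE-2024-99993","vendorProject":"OtherVendor","product":"VoIP Phone","dateAdded":"2026-02-17","requiredAction":"Apply updates per vendor instructions.","dueDate":"2026-03-10"}
]}`

// ParseKEV decodes a feed and indexes its entries by CVE ID.
func ParseKEV(raw []byte) (map[string]KEVEntry, error) {
	var feed struct {
		Vulnerabilities []KEVEntry `json:"vulnerabilities"`
	}
	if err := json.Unmarshal(raw, &feed); err != nil {
		return nil, err
	}
	byID := make(map[string]KEVEntry, len(feed.Vulnerabilities))
	for _, e := range feed.Vulnerabilities {
		byID[e.CVEID] = e
	}
	return byID, nil
}

// MatchAssets joins the inventory with the catalog and returns every hit,
// earliest deadline first. CVEs not in KEV are left to the normal patch cadence.
func MatchAssets(catalog map[string]KEVEntry, assets []Asset, now time.Time) ([]Finding, error) {
	var out []Finding
	for _, a := range assets {
		for _, id := range a.CVEs {
			e, ok := catalog[id]
			if !ok {
				continue
			}
			due, err := time.Parse("2006-01-02", e.DueDate)
			if err != nil {
				return nil, fmt.Errorf("%s: bad dueDate %q: %w", id, e.DueDate, err)
			}
			out = append(out, Finding{
				Host: a.Host, CVEID: id, Product: e.Product, Action: e.RequiredAction,
				DueDate: due, DaysLeft: int(due.Sub(now).Hours() / 24), Overdue: now.After(due),
			})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].DueDate.Before(out[j].DueDate) })
	return out, nil
}

func main() {
	catalog, err := ParseKEV([]byte(SampleKEV))
	if err != nil {
		panic(err)
	}
	// Constructed inventory: one CVE per host is in KEV, one is not.
	assets := []Asset{
		{Host: "bkp-01.corp.example", CVEs: []string{"CVE-2024-99991", "CVE-2023-11111"}},
		{Host: "cam-07.ot.example", CVEs: []string{"CVE-2024-99992"}},
	}
	now := time.Date(2026, 2, 20, 0, 0, 0, 0, time.UTC)
	findings, err := MatchAssets(catalog, assets, now)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		status := fmt.Sprintf("due in %d days", f.DaysLeft)
		if f.Overdue {
			status = fmt.Sprintf("OVERDUE by %d days", -f.DaysLeft)
		}
		fmt.Printf("%-22s %-15s %-17s %s: %s\n", f.Host, f.CVEID, f.Product, status, f.Action)
	}
}
```

The join is deliberately strict on CVE ID; vendor or product name matching against the feed is unreliable because KEV uses its own naming. Run it on a schedule after each catalog refresh and page on any finding whose Overdue flag flips to true.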

Honeywell CCTV Critical Vulnerability

CISA has issued an advisory warning of critical authentication bypass vulnerabilities in multiple Honeywell CCTV products. These vulnerabilities could allow unauthorized access to video feeds or account hijacking. Critical infrastructure facilities using Honeywell surveillance equipment should:

  • Review CISA advisory for affected product models
  • Apply available firmware updates
  • Implement network segmentation for surveillance systems
  • Monitor for unauthorized access attempts

Source: Bleeping Computer

AI-Related Security Concerns

Microsoft 365 Copilot Data Leakage Bug

Microsoft has acknowledged a bug causing Microsoft 365 Copilot to summarize confidential emails since late January, bypassing data loss prevention (DLP) policies. Organizations using Copilot should:

  • Review Copilot access to sensitive data repositories
  • Monitor for unintended data exposure
  • Implement additional access controls pending Microsoft's fix

Source: Bleeping Computer

AI-Discovered Vulnerabilities in OpenSSL

Security researchers have successfully used AI to discover twelve new vulnerabilities in OpenSSL, demonstrating both the potential of AI-assisted security research and the need for continued vigilance in foundational cryptographic libraries.

Source: Schneier on Security

Supply Chain Security Updates

Notepad++ Update Mechanism Secured

Following the discovery of Chinese threat actor exploitation of Notepad++'s update mechanism, the software author has released fixes described as making the mechanism "effectively unexploitable." Organizations should:

  • Update to the latest Notepad++ version
  • Review software update mechanisms for other development tools
  • Consider code signing verification for all software updates

Sources: The Hacker News, CSO Online

Keenadu Android Malware

A new Android malware family called "Keenadu" has been discovered preinstalled on thousands of devices and distributed through Google Play and other app stores. The malware cannot be removed by users through normal means. Organizations with BYOD policies should:

  • Review mobile device management policies
  • Consider device attestation requirements
  • Monitor for indicators of compromise on managed devices

Sources: SecurityWeek, CSO Online

5. Resilience & Continuity Planning

Lessons Learned: Dell RecoverPoint Exploitation

The 18-month undetected exploitation of Dell RecoverPoint systems offers critical lessons for backup and disaster recovery planning:

Key Takeaways:

  • Backup Infrastructure as a Target: Adversaries recognize that backup and recovery systems are high-value targets that can undermine organizational resilience
  • Detection Gaps: Traditional security monitoring may not adequately cover backup infrastructure
  • Segmentation Requirements: Backup systems should be isolated from general network access while maintaining necessary connectivity for operations
  • Forensic Considerations: Organizations should conduct historical analysis of backup system logs and network traffic

Recommended Actions:

  1. Conduct inventory of all backup and disaster recovery systems
  2. Review network segmentation for backup infrastructure
  3. Implement enhanced monitoring for backup system access and changes
  4. Test whether recovery can proceed if the backup platform itself is compromised, and validate restored images before returning them to production
  5. Consider offline or air-gapped backup copies for critical systems

Supply Chain Security Developments

Software Update Mechanism Risks

This week's Notepad++ incident reinforces the importance of software supply chain security:

  • Verify code signing for all software updates
  • Implement application allowlisting where feasible
  • Monitor for anomalous software update behavior
  • Consider staged rollouts for software updates in critical environments
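As an added example covering both the Notepad++ follow-up actions in section 4 and the general list above (this is not Notepad++'s own code; the articles do not describe its fix in detail), the Go program below shows what "verify code signing for all software updates" looks like inside a client. The update server only delivers a manifest, a signature and a package. The client holds a pinned Ed25519 public key compiled into the installed binary, verifies the manifest signature with it, refuses builds older than the one installed, and checks that the package's SHA-256 matches the digest in the signed manifest. A server that has been hijacked can swap packages but cannot forge a signature for the pinned key. Key generation, file names and build numbers are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest describes one release. The digest binds the signed manifest to the
// exact package bytes; the build number gives rollback protection.
type Manifest struct {
	Build  int    `json:"build"`
	File   string `json:"file"`
	SHA256 string `json:"sha256"`
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against pinned key")
	ErrRollback     = errors.New("manifest build is not newer than the installed build")
	ErrHashMismatch = errors.New("package digest does not match the signed manifest")
)

// Updater is the client side. PinnedKey ships inside the installed binary and
// is never fetched from the update server.
type Updater struct {
	PinnedKey      ed25519.PublicKey
	InstalledBuild int
}

// Verify checks signature, then rollback, then package digest. Only the
// signed manifest is trusted to state what the package digest must be.
func (u Updater) Verify(manifestJSON, sig, pkg []byte) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(u.PinnedKey, manifestJSON, sig) {
		return m, ErrBadSignature
	}
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return m, fmt.Errorf("signed manifest is malformed: %w", err)
	}
	if m.Build <= u.InstalledBuild {
		return m, ErrRollback
	}
	want, err := hex.DecodeString(m.SHA256)
	if err != nil || len(want) != sha256.Size {
		return m, errors.New("manifest carries an invalid sha256 field")
	}
	got := sha256.Sum256(pkg)
	if subtle.ConstantTimeCompare(got[:], want) != 1 {
		return m, ErrHashMismatch
	}
	return m, nil
}

// SignRelease is the vendor/build-pipeline side: hash the package, embed the
// digest in the manifest, sign the manifest bytes. In production the private
// key stays in an HSM; here it is generated in memory for the demo.
func SignRelease(priv ed25519.PrivateKey, build int, file string, pkg []byte) (manifestJSON, sig []byte, err error) {
	sum := sha256.Sum256(pkg)
	manifestJSON, err = json.Marshal(Manifest{Build: build, File: file, SHA256: hex.EncodeToString(sum[:])})
	if err != nil {
		return nil, nil, err
	}
	return manifestJSON, ed25519.Sign(priv, manifestJSON), nil
}

// NewKeyPair generates a vendor signing key (demo only).
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func main() {
	pub, priv := NewKeyPair()
	pkg := []byte("installer bytes for build 887 (constructed)")
	manifest, sig, _ := SignRelease(priv, 887, "editor-setup-887.exe", pkg)
	client := Updater{PinnedKey: pub, InstalledBuild: 886}

	_, err := client.Verify(manifest, sig, pkg)
	fmt.Println("genuine release:        ", err)

	// A hijacked server swaps the package but cannot re-sign the manifest.
	_, err = client.Verify(manifest, sig, []byte("trojanised installer"))
	fmt.Println("swapped package:        ", err)

	// An attacker controlling the server signs their own manifest with their own key.
	_, evilPriv := NewKeyPair()
	evilManifest, evilSig, _ := SignRelease(evilPriv, 888, "editor-setup-888.exe", []byte("trojan"))
	_, err = client.Verify(evilManifest, evilSig, []byte("trojan"))
	fmt.Println("attacker-signed manifest:", err)

	// Replaying an older, genuinely signed release is refused by the build check.
	oldManifest, oldSig, _ := SignRelease(priv, 880, "editor-setup-880.exe", pkg)
	_, err = client.Verify(oldManifest, oldSig, pkg)
	fmt.Println("rollback to build 880:  ", err)
}
```

The order of checks matters: the signature is verified over the raw manifest bytes before anything in them is parsed or trusted, and the package digest is compared in constant time only after the manifest is known to be authentic. TLS on the download channel is still worthwhile, but it is the pinned signing key, not the transport, that defends against a compromised update server.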

NIST Supply Chain Initiatives

NIST has announced an upcoming workshop on "Building the Strategic Supply Chain Network" scheduled for March 9, 2026, addressing vulnerabilities exposed by recent disruptions including pandemics, infrastructure failures, and changing trade policies.

Source: NIST

Cross-Sector Dependencies

IT/OT Convergence Risks

WaterISAC's Gate 15 report on pro-Russia hacktivist exploitation of flat IT/OT connectivity highlights a cross-sector concern. Organizations across all critical infrastructure sectors should:

  • Assess network architecture for IT/OT segmentation
  • Implement monitoring at IT/OT boundaries
  • Develop incident response procedures specific to OT environments
  • Train personnel on risks of IT/OT convergence

Fresh Food Production Resilience

Domestic Preparedness highlights the importance of redundant logistics planning and trusted data sharing for agricultural supply chain resilience. When natural disasters impact farms, the effects cascade through supply chains, affecting food availability and costs across sectors.

Source: Domestic Preparedness

Disaster Response Case Study

A Somerset County case study on May 2025 severe weather response demonstrates that disasters need not be historic to be devastating. The incident exposed the importance of:

  • Pre-positioned response resources
  • Cross-jurisdictional coordination
  • Infrastructure damage assessment capabilities
  • Community communication systems

Source: Domestic Preparedness

6. Regulatory & Policy Developments

Federal Government Operations

DHS Partial Shutdown Impact

The ongoing DHS partial shutdown entering its fourth day may affect:

  • CISA advisory and coordination activities
  • Information sharing through federal channels
  • Grant program administration
  • Incident response support capabilities

Critical infrastructure owners and operators should:

  • Maintain communication with sector-specific ISACs
  • Document any gaps in federal support for future reference
  • Ensure internal incident response capabilities are prepared
  • Monitor for updates on shutdown resolution

Source: Homeland Security Today

International Developments

Canada Defense Plan

Canada has launched a defense plan aimed at reducing reliance on the United States. This development may have implications for cross-border critical infrastructure coordination and joint cybersecurity initiatives.

Source: Homeland Security Today

Ukraine Cyber Operations

Ukrainian cyber operations have intercepted Russian Starlink activation efforts, demonstrating the ongoing cyber dimension of the conflict and potential implications for satellite communications security.

Source: Homeland Security Today

Privacy and Surveillance Considerations

Rental Vehicle Tracking

Homeland Security Today highlights growing concerns about rental car tracking capabilities and the privacy implications for travelers. Organizations should consider data exposure risks when employees use rental vehicles for business travel.

Source: Homeland Security Today

Cybersecurity Framework Evolution

Industry analysis suggests that cybersecurity strategies and frameworks must be recalibrated to address AI and quantum computing threats. Organizations should begin assessing:

  • Post-quantum cryptography migration planning
  • AI-specific security controls and governance
  • Updated risk assessment methodologies

Source: Homeland Security Today

Law Enforcement Actions

Tax Fraud Scheme Sentencing

Matthew Akande has been sentenced to 8 years in prison for operating a fraudulent tax refund scheme that compromised tax preparation firm networks and filed over 1,000 fraudulent returns. This case demonstrates continued law enforcement focus on financial cybercrime.

Source: CyberScoop

Darknet Drug Trafficking Sentencing

A Glendale man received nearly five years in federal prison for participation in a darknet drug trafficking operation, reflecting ongoing enforcement against criminal use of anonymization technologies.

Source: Bleeping Computer

7. Training & Resource Spotlight

WaterISAC Resources

WaterISAC has released several valuable resources this week:

  • TOP ACTIONS to Enhance Your Utility's Cybersecurity: Updated baseline security recommendations for water and wastewater utilities
  • Weekly Vulnerabilities to Prioritize: Curated vulnerability list for February 19, 2026
  • CPS Exposure Management Guidance: Framework for prioritizing cyber-physical system protection based on community impact

Access: WaterISAC (membership may be required for some resources)

Industry Investment and Tools

AI-Driven Vulnerability Management

Cogent Security has raised $42 million in Series A funding for AI-driven vulnerability management solutions. This investment reflects growing industry focus on automated vulnerability prioritization and remediation.

Source: SecurityWeek

Endpoint Security Acquisition

Palo Alto Networks' planned acquisition of Koi for approximately $400 million will enhance endpoint security capabilities. Organizations should monitor for product integration announcements.

Source: SecurityWeek

Professional Development

Security Leadership Insights

Security Magazine's "Lock It Down" podcast series features security leaders discussing professional and personal experiences, offering valuable perspectives for security professionals at all levels.

Source: Security Magazine

Secure Software Development

CSO Online highlights emerging paradigms for training secure software engineers, emphasizing the importance of security-focused development practices from the earliest stages of software creation.

Source: CSO Online

GenAI Risk Management

New approaches for GenAI risk protection are emerging as organizations grapple with the security implications of AI adoption. Security teams should develop governance frameworks that address:

  • Data exposure through AI systems
  • AI-generated content risks
  • Third-party AI service security
  • Adversarial use of AI capabilities

Source: CSO Online

Intelligent Workflow Programs

The Hacker News outlines three approaches for starting intelligent workflow programs that help security, IT, and engineering teams accelerate outcomes while managing operational complexity.

Source: The Hacker News

8. Looking Ahead: Upcoming Events

Conferences and Workshops

NIST Cybersecurity for IoT Workshop: Future Directions

  • Date: March 31, 2026
  • Focus: Emerging and future trends for IoT technologies and their implications for IoT cybersecurity
  • Topics: Sophisticated, automated, and ubiquitous IoT; evolving security requirements
  • Relevance: Critical for organizations deploying IoT in operational environments

Source: NIST

NIST Building the Strategic Supply Chain Network

  • Date: March 9, 2026
  • Focus: Addressing critical vulnerabilities in U.S. supply chains exposed by recent disruptions
  • Topics: Pandemic impacts, infrastructure failures, changing trade policies
  • Relevance: Essential for supply chain security and resilience planning

Source: NIST

Iris Experts Group Annual Meeting

  • Date: June 25, 2026
  • Focus: Technical discussions on iris recognition for government agency missions
  • Audience: USG agencies employing or considering iris recognition

Disclaimer

This briefing is generated using AI analysis of public news sources. Always verify critical information through authoritative sources before taking action.