
Mississippi Hospital System Shuttered by Ransomware as AI-Powered Attacks Compromise Hundreds of FortiGate Firewalls; Ivanti Zero-Days Under Active Exploitation

Executive Summary

This week's intelligence reveals a convergence of significant threats across multiple critical infrastructure sectors, with healthcare bearing the brunt of ransomware operations while network security appliances face sophisticated, AI-enhanced exploitation campaigns.

  • Healthcare Sector Crisis: The University of Mississippi Medical Center (UMMC) remains offline following a ransomware attack that forced closure of approximately three dozen clinics statewide and cancellation of elective procedures. Separately, Vikor Scientific (now Vanta Diagnostics) disclosed a breach affecting 140,000 individuals, with the Everest ransomware group claiming responsibility.
  • AI-Enhanced Network Attacks: Amazon Web Services (AWS) has identified a campaign where threat actors are leveraging generative AI tools to compromise hundreds of FortiGate firewalls through exposed ports and weak credentials. This represents a significant evolution in attack methodology, lowering the barrier for less sophisticated actors.
  • Critical Zero-Day Exploitation: Ivanti Endpoint Manager Mobile (EPMM) zero-day vulnerabilities are under active exploitation, enabling attackers to seize control of Mobile Device Management (MDM) servers. CISA has also flagged recently patched RoundCube webmail vulnerabilities as actively exploited.
  • Nation-State Activity: Russian APT28 is conducting targeted campaigns against Western and Central European entities using webhook-based macro malware, while Iranian MuddyWater continues operations against Middle East and North African organizations with new tooling including GhostFetch, CHAR, and HTTP_VIP.
  • Physical Infrastructure Threat: The FBI is investigating an attempted attack on a power substation near Boulder City, Nevada, highlighting persistent physical security threats to the energy sector.
  • Supply Chain Concerns: Multiple malicious npm packages have been identified harvesting cryptocurrency keys, CI/CD secrets, and API tokens, with researchers warning of autonomous AI agents creating a new class of supply chain attack vectors.

Threat Landscape

Nation-State Threat Actor Activities

APT28 (Russia) - European Campaign: S2 Grupo's LAB52 threat intelligence team has attributed a new campaign to APT28 targeting specific entities in Western and Central Europe. The campaign employs webhook-based macro malware, representing continued Russian intelligence collection efforts against NATO-aligned nations. Organizations in government, defense, and critical infrastructure sectors should review detection capabilities for macro-enabled document attacks and webhook-based command and control mechanisms.

Source: The Hacker News

MuddyWater (Iran) - MENA Operations: The Iranian threat group MuddyWater (also tracked as Earth Vetala, Mango Sandstorm, and MUDDYCOAST) continues targeting organizations across the Middle East and North Africa. New tooling identified includes GhostFetch, CHAR, and HTTP_VIP malware variants. Organizations with operations or partnerships in the MENA region should prioritize threat hunting for indicators associated with this group.

Source: The Hacker News

Chinese AI Espionage Concerns: Anthropic has publicly accused Chinese laboratories of attempting to illicitly acquire capabilities from its Claude AI system. The company characterized this as a national security threat, citing potential applications in offensive cyber operations. This development underscores growing concerns about AI technology transfer and its implications for cyber warfare capabilities.

Source: CyberScoop

Ransomware and Cybercriminal Developments

Healthcare Sector Under Siege: The ransomware threat to healthcare continues unabated with two significant incidents this week:

  • University of Mississippi Medical Center: A ransomware attack last Thursday has forced UMMC to close all of its approximately three dozen clinics across the state and to cancel elective procedures. Systems remain offline as of this report, significantly impacting patient care across Mississippi.
  • Vanta Diagnostics (formerly Vikor Scientific): The Everest ransomware group has claimed responsibility for an attack affecting 140,000 individuals at this healthcare diagnostic firm.

Sources: SecurityWeek, Infosecurity Magazine

Semiconductor Industry Targeted: Advantest, a leading Japanese semiconductor testing equipment supplier serving major chip manufacturers, has activated incident response protocols following a ransomware attack. Given the critical role of semiconductor manufacturing in multiple infrastructure sectors, supply chain impacts should be monitored.

Source: Infosecurity Magazine

ATM Jackpotting Surge: The FBI has issued a Flash alert warning that ATM jackpotting attacks resulted in over $20 million in losses during 2025. Financial institutions should review physical and logical security controls on ATM infrastructure.

Source: Infosecurity Magazine

Physical Security Threats

Power Substation Attack Attempt: The FBI and local law enforcement are investigating an attempted attack on a power substation near Boulder City, Nevada. While details remain limited, this incident continues a concerning pattern of physical attacks and attempted attacks against electrical infrastructure. Energy sector operators should review physical security measures and coordinate with local law enforcement on threat awareness.

Source: Homeland Security Today

Emerging Attack Vectors

AI-Powered Firewall Exploitation: AWS security researchers have identified a campaign where threat actors are using generative AI tools to exploit FortiGate firewalls at scale. The attacks target exposed management ports and weak credentials, with AI assistance helping less sophisticated attackers develop and execute successful attack workflows. Hundreds of devices have been compromised.

Sources: SecurityWeek, Infosecurity Magazine, CSO Online

Autonomous AI Supply Chain Attacks: Security researchers have identified autonomous AI agents being used to conduct supply chain attacks, with current campaigns targeting cryptocurrency wallets. The methodology has broader implications, as the same techniques could be adapted for attacks against critical infrastructure software supply chains.

Source: SecurityWeek

Wormable Cryptojacking Campaign: A new cryptojacking campaign uses pirated software bundles to deploy XMRig miners, employing BYOVD (Bring Your Own Vulnerable Driver) exploits and time-based logic bombs to evade detection. The wormable nature of this threat increases propagation risk across networks.

Source: The Hacker News

Sector-Specific Analysis

Energy Sector

Physical Attack Investigation: The attempted attack on a power substation near Boulder City, Nevada represents the latest in a series of incidents targeting electrical infrastructure. While the attack was unsuccessful, it demonstrates continued interest by unknown actors in disrupting power generation and distribution.

Recommended Actions:

  • Review and enhance physical security at substations and generation facilities
  • Coordinate with local law enforcement on threat information sharing
  • Ensure surveillance and intrusion detection systems are operational
  • Brief personnel on reporting suspicious activity

Healthcare & Public Health

Critical Operational Impacts: The healthcare sector faces severe operational disruption this week:

University of Mississippi Medical Center: The ransomware attack has resulted in:

  • Closure of approximately 36 clinics statewide
  • Cancellation of elective procedures
  • Extended system outages affecting patient care
  • Potential diversion of emergency cases to other facilities

Vanta Diagnostics Breach: The exposure of 140,000 patient records by the Everest ransomware group raises concerns about:

  • Protected health information exposure
  • Potential for secondary fraud targeting affected patients
  • Regulatory compliance implications under HIPAA

Mental Health App Vulnerabilities: Security researchers have identified significant vulnerabilities in mental health mobile applications with a combined 14.7 million downloads on Google Play. These flaws could expose sensitive medical information, representing a significant privacy risk for vulnerable populations.

Source: Bleeping Computer

Recommended Actions:

  • Healthcare organizations should review ransomware response plans and ensure offline backup capabilities
  • Verify network segmentation between clinical and administrative systems
  • Review third-party application security, particularly for patient-facing mobile apps
  • Ensure incident response retainers are current and tested

Communications & Information Technology

FortiGate Firewall Compromise Campaign: The AI-assisted campaign targeting FortiGate devices represents a significant threat to network perimeter security across all sectors. Organizations using Fortinet products should:

  • Audit management interface exposure and restrict to trusted networks
  • Enforce strong authentication including MFA where supported
  • Review logs for indicators of compromise
  • Ensure firmware is current with all security patches applied

Ivanti EPMM Zero-Day Exploitation: Active exploitation of Ivanti Endpoint Manager Mobile zero-day vulnerabilities enables attackers to seize control of MDM servers. Given the privileged access MDM systems have to managed devices, compromise could enable:

  • Mass deployment of malicious configurations
  • Data exfiltration from managed devices
  • Lateral movement into enterprise networks

RoundCube Webmail Exploitation: CISA has confirmed active exploitation of recently patched RoundCube vulnerabilities (patched December 2025) that enable XSS attacks via SVG animate tags. Organizations using RoundCube should prioritize patching.

Ad Tech Breach via Vishing: Optimizely has disclosed a data breach resulting from a voice phishing (vishing) attack, highlighting the continued effectiveness of social engineering against technology companies.

Source: Bleeping Computer

Financial Services

PayPal Data Breach: PayPal has disclosed that an application error exposed customer personal information for nearly six months, with the breach leading to fraudulent transactions. This incident underscores the importance of application security testing and monitoring for data exposure.

Source: SecurityWeek

ATM Jackpotting Alert: The FBI's warning of $20+ million in ATM jackpotting losses during 2025 should prompt financial institutions to:

  • Review physical security of ATM installations
  • Audit ATM software and firmware versions
  • Implement enhanced monitoring for anomalous dispensing patterns
  • Coordinate with ATM vendors on security hardening

Cryptocurrency Supply Chain Threats: Malicious npm packages targeting cryptocurrency keys and wallets demonstrate continued criminal interest in digital asset theft. Organizations in the cryptocurrency and fintech space should enhance software supply chain security.

Water & Wastewater Systems

BeyondTrust Vulnerability Alert: WaterISAC has issued an advisory regarding BeyondTrust vulnerability CVE-2026-1731, which is under active exploitation. Water and wastewater utilities using BeyondTrust products for privileged access management should:

  • Review the WaterISAC advisory for specific mitigation guidance
  • Prioritize patching of affected systems
  • Monitor for indicators of compromise
  • Consider temporary compensating controls if immediate patching is not possible

Source: WaterISAC

Transportation Systems

UAS Policy Developments: Analysis published this week argues that national unmanned aircraft system (UAS) policy should prioritize integration over interception. As drone technology proliferates, transportation sector operators should monitor policy developments affecting airspace management and counter-UAS capabilities at critical facilities.

Source: Homeland Security Today

Government Facilities

State Network Access Sold: Romanian national Catalin Dragomir has pleaded guilty in U.S. court to selling access to an Oregon state government office's network. This case highlights the market for initial access to government systems and the importance of monitoring for unauthorized access and credential compromise.

Source: SecurityWeek

Spanish Hacktivist Arrests: Spanish authorities have arrested four alleged members of a hacktivist group responsible for DDoS attacks against government ministries, political parties, and public institutions. This demonstrates ongoing hacktivist threats to government infrastructure globally.

Source: Bleeping Computer

Vulnerability & Mitigation Updates

Critical Vulnerabilities Requiring Immediate Attention

Product             | Vulnerability                                         | Status                         | Priority
--------------------|-------------------------------------------------------|--------------------------------|---------
Ivanti EPMM         | Zero-day vulnerabilities enabling MDM server takeover | Active Exploitation            | CRITICAL
BeyondTrust         | CVE-2026-1731                                         | Active Exploitation            | CRITICAL
RoundCube Webmail   | XSS via SVG animate tags (patched Dec 2025)           | Active Exploitation - CISA KEV | CRITICAL
FortiGate Firewalls | Exposed management interfaces with weak credentials   | Active Exploitation Campaign   | HIGH

CISA Advisories

RoundCube Added to Known Exploited Vulnerabilities Catalog: CISA has flagged two RoundCube Webmail vulnerabilities as actively exploited and ordered federal agencies to patch within three weeks. Private sector organizations should align with this timeline.

Source: Bleeping Computer

Recommended Defensive Measures

For FortiGate Firewall Operators:

  • Immediately audit external exposure of management interfaces
  • Implement IP allowlisting for administrative access
  • Enforce multi-factor authentication
  • Review and strengthen administrative credentials
  • Enable logging and forward to SIEM for anomaly detection
  • Apply latest firmware updates
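The campaign described above hinges on exposed management interfaces and weak administrative credentials, so the log review and SIEM forwarding steps in the two FortiGate checklists (the sector analysis and the list just above) come down to one question: is anyone guessing admin passwords against the management interface, and did they get in? The script below is an added example for this briefing, not code from the original page, from Fortinet, or from AWS. It parses FortiOS-style key=value admin login events and flags three things a defender would escalate: a burst of failed admin logins from one source, a successful login that follows a run of failures from the same source, and any successful admin login from outside an allowlist of management networks. The sample log lines are constructed for the example; the FortiOS log IDs (0100032001 for successful admin login, 0100032002 for failed admin login), the field names, the 10.10.5.0/24 management network and the thresholds are assumptions to be checked against your own firmware's log reference and your environment.

```python
"""Triage FortiGate admin login events for credential guessing on the management interface.

Added example for this briefing; not Fortinet or AWS code. Log IDs, field names,
the management allowlist and thresholds are assumptions to adapt to your environment.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

FAIL_ID = "0100032002"     # assumed FortiOS log ID: "Admin login failed"
SUCCESS_ID = "0100032001"  # assumed FortiOS log ID: "Admin login successful"

# key=value tokens; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Constructed sample events (not real device output): six failed admin logins from one
# internet source, then a success from that source, then two unrelated successful logins.
FAIL_TMPL = ('date=2026-02-20 time=03:14:{sec:02d} logid="0100032002" type="event" subtype="system" '
             'level="alert" logdesc="Admin login failed" user="admin" ui="https(203.0.113.45)" '
             'method="https" srcip=203.0.113.45 action="login" status="failed" reason="passwd_invalid"')
SAMPLE_LOGS = [FAIL_TMPL.format(sec=s) for s in range(1, 7)] + [
    'date=2026-02-20 time=03:14:10 logid="0100032001" type="event" subtype="system" level="information" '
    'logdesc="Admin login successful" user="admin" ui="https(203.0.113.45)" method="https" '
    'srcip=203.0.113.45 action="login" status="success"',
    'date=2026-02-20 time=08:02:11 logid="0100032001" type="event" subtype="system" level="information" '
    'logdesc="Admin login successful" user="netops" ui="ssh(10.10.5.7)" method="ssh" '
    'srcip=10.10.5.7 action="login" status="success"',
    'date=2026-02-20 time=09:30:00 logid="0100032001" type="event" subtype="system" level="information" '
    'logdesc="Admin login successful" user="admin" ui="https(198.51.100.9)" method="https" '
    'srcip=198.51.100.9 action="login" status="success"',
]


def parse_line(line):
    """Parse one FortiOS-style key=value line into a dict, stripping quotes from values."""
    fields = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.group(1), m.group(3), m.group(4)
        fields[key] = quoted if quoted is not None else bare
    return fields


def triage(lines, allowlist=("10.10.5.0/24",), window=timedelta(seconds=60),
           burst_threshold=5, prior_failures_min=3):
    """Return a list of findings (dicts) over admin login events, in chronological order."""
    allowed = [ip_network(n) for n in allowlist]
    events = []
    for line in lines:
        f = parse_line(line)
        if f.get("logid") not in (FAIL_ID, SUCCESS_ID) or "srcip" not in f:
            continue  # not an admin login event
        ts = datetime.strptime(f"{f['date']} {f['time']}", "%Y-%m-%d %H:%M:%S")
        events.append((ts, f))
    events.sort(key=lambda e: e[0])

    findings = []
    recent_failures = defaultdict(deque)  # srcip -> timestamps of failures inside the window
    burst_reported = set()
    for ts, f in events:
        src, user = f["srcip"], f.get("user", "?")
        q = recent_failures[src]
        while q and ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if f["logid"] == FAIL_ID:
            q.append(ts)
            if len(q) >= burst_threshold and src not in burst_reported:
                burst_reported.add(src)
                findings.append({"kind": "burst_failures", "srcip": src, "user": user, "count": len(q)})
            continue
        # Successful admin login: was it preceded by guessing, and is the source trusted at all?
        if len(q) >= prior_failures_min:
            findings.append({"kind": "success_after_failures", "srcip": src, "user": user,
                             "prior_failures": len(q)})
        if not any(ip_address(src) in net for net in allowed):
            findings.append({"kind": "login_outside_allowlist", "srcip": src, "user": user})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOGS):
        print(finding)
```

Feed it a syslog export or a SIEM search result instead of the sample list; the "login_outside_allowlist" finding is also a quick way to confirm whether the management interface is reachable from networks it should not be, independent of whether anyone has guessed a password yet.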

For Ivanti EPMM Operators:

  • Monitor Ivanti security advisories for patch availability
  • Implement network segmentation to limit MDM server exposure
  • Review MDM server logs for indicators of compromise
  • Consider temporary isolation of MDM infrastructure if compromise is suspected

For Organizations Using Password Managers:

  • Security researcher Bruce Schneier has highlighted concerns about password managers with potential backdoors. Organizations should review their password management solutions and vendor security practices.

Source: Schneier on Security

Resilience & Continuity Planning

Lessons from Current Incidents

Healthcare Ransomware Response: The UMMC incident demonstrates several key lessons:

  • Operational Continuity: Healthcare organizations must maintain the ability to deliver care during extended IT outages
  • Geographic Distribution: Centralized IT infrastructure creates single points of failure affecting multiple facilities
  • Communication Plans: Patient and public communication during incidents requires pre-planned messaging
  • Mutual Aid: Regional healthcare coalitions should have agreements for patient diversion and resource sharing

Supply Chain Security Developments

Software Supply Chain Threats: This week's reporting on malicious npm packages and autonomous AI supply chain attacks reinforces the need for:

  • Software composition analysis in development pipelines
  • Verification of package integrity before deployment
  • Monitoring of dependencies for known vulnerabilities
  • Incident response plans for supply chain compromise scenarios
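Two of the four measures above, package integrity verification and dependency monitoring, can be checked mechanically for npm dependencies before anything is deployed, and the malicious packages reported this week are a reminder of what to look for: a tarball that does not match the hash pinned in the lockfile, and lifecycle install hooks (preinstall, install, postinstall, prepare) that run arbitrary commands on `npm install`. The script below is an added example for this briefing, not code from the original page or from npm. It parses the Subresource Integrity string that `package-lock.json` (lockfileVersion 3 layout) records for each dependency, verifies a tarball against it, and only if the integrity check passes opens the tarball to list any install hooks declared in `package/package.json`. The package name, version, lockfile fragment and tarball are constructed in memory so the example runs offline; in practice the tarball is the file fetched from the registry and the lockfile comes from the repository.

```python
"""Verify an npm tarball against the lockfile's integrity pin and flag install hooks.

Added example for this briefing; not npm's own code. The package, lockfile and tarball
below are constructed in memory for the example.
"""
import base64
import hashlib
import hmac
import io
import json
import tarfile

INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def parse_sri(value):
    """Split an SRI string such as 'sha512-<base64>' into (algorithm, digest bytes)."""
    algo, _, b64 = value.partition("-")
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError(f"unsupported SRI algorithm: {algo!r}")
    return algo, base64.b64decode(b64)


def sri_for(data, algo="sha512"):
    """Compute an SRI string for raw bytes in the format npm writes to package-lock.json."""
    return f"{algo}-" + base64.b64encode(hashlib.new(algo, data).digest()).decode()


def verify_integrity(tarball, expected_sri):
    """True if the tarball bytes hash to the digest pinned in the lockfile."""
    algo, digest = parse_sri(expected_sri)
    return hmac.compare_digest(hashlib.new(algo, tarball).digest(), digest)


def install_scripts(tarball):
    """Return {hook: command} for lifecycle install hooks declared in package/package.json."""
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tar:
        manifest = json.load(tar.extractfile(tar.getmember("package/package.json")))
    scripts = manifest.get("scripts", {})
    return {hook: scripts[hook] for hook in INSTALL_HOOKS if hook in scripts}


def audit(lockfile, name, tarball):
    """Check one dependency: pinned in the lockfile, integrity matches, and no install hooks."""
    entry = lockfile["packages"].get(f"node_modules/{name}")
    report = {"name": name, "pinned": entry is not None, "integrity_ok": False,
              "install_scripts": {}, "approve": False}
    if entry is None:
        return report  # unpinned dependency: nothing to verify against
    report["integrity_ok"] = verify_integrity(tarball, entry["integrity"])
    if report["integrity_ok"]:  # never parse a tarball that failed its integrity check
        report["install_scripts"] = install_scripts(tarball)
    report["approve"] = report["integrity_ok"] and not report["install_scripts"]
    return report


def build_tarball(manifest):
    """Construct a minimal npm-style tarball (package/package.json only) in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        payload = json.dumps(manifest).encode()
        info = tarfile.TarInfo("package/package.json")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def make_lockfile(name, version, tarball):
    """Constructed package-lock.json fragment (lockfileVersion 3) pinning one dependency."""
    return {"name": "demo-app", "lockfileVersion": 3, "packages": {
        f"node_modules/{name}": {
            "version": version,
            "resolved": f"https://registry.npmjs.org/{name}/-/{name}-{version}.tgz",
            "integrity": sri_for(tarball)}}}


if __name__ == "__main__":
    clean = build_tarball({"name": "demo-dep", "version": "1.0.0"})
    lock = make_lockfile("demo-dep", "1.0.0", clean)
    print(audit(lock, "demo-dep", clean))             # approve: True
    print(audit(lock, "demo-dep", clean + b"\x00"))   # integrity_ok: False (tampered bytes)
    hooked = build_tarball({"name": "demo-dep", "version": "1.0.0",
                            "scripts": {"postinstall": "node setup.js"}})
    print(audit(make_lockfile("demo-dep", "1.0.0", hooked), "demo-dep", hooked))  # hook flagged
```

An integrity mismatch means the bytes you are about to install are not the bytes that were reviewed when the lockfile was committed, whatever the cause; an install hook is not malicious by itself, but it is the point at which a compromised package gets code execution on a build host, so both belong in a review queue rather than in an automated approval.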

Semiconductor Supply Chain: The Advantest ransomware attack highlights vulnerabilities in the semiconductor manufacturing supply chain. Organizations dependent on semiconductor components should:

  • Monitor for potential delivery delays
  • Review inventory levels of critical components
  • Identify alternative suppliers where possible

Insider Threat Considerations

Fraudulent Hiring Concerns: Research indicates 41% of organizations have unknowingly hired fraudulent candidates, with deepfake technology enabling sophisticated identity fraud. The conviction of Oleksandr Didenko for facilitating North Korean IT worker fraud schemes underscores this threat.

Recommended Actions:

  • Enhance identity verification during hiring processes
  • Implement video interview protocols that can detect deepfakes
  • Verify credentials and employment history through multiple channels
  • Monitor for anomalous behavior by new employees, particularly remote workers

Sources: Security Magazine, SecurityWeek

Cross-Sector Dependencies

Healthcare-IT Interdependency: The UMMC incident illustrates how healthcare delivery is entirely dependent on IT infrastructure. Similar dependencies exist across critical infrastructure sectors, requiring:

  • Identification of critical IT dependencies for operational functions
  • Development of manual or degraded-mode operating procedures
  • Regular testing of continuity plans
  • Investment in resilient and redundant IT architectures

Regulatory & Policy Developments

Federal Guidelines and Regulatory Changes

DHS Asylum Screening Rule: The Department of Homeland Security has proposed a rule to strengthen screening of asylum seekers, prioritizing safety considerations. While not directly related to cybersecurity, this reflects broader homeland security policy directions.

Source: Homeland Security Today

International Developments

AI Technology Transfer Concerns: Anthropic's public accusation against Chinese laboratories regarding AI capability theft highlights growing tensions around AI technology and its national security implications. Organizations developing or deploying AI systems should review security controls protecting proprietary models and training data.

Law Enforcement Actions

Cybercrime Prosecutions:

  • Oleksandr Didenko (Ukraine): Sentenced to 5 years for selling stolen U.S. identities to enable North Korean IT fraud
  • Catalin Dragomir (Romania): Pleaded guilty to selling access to Oregon state government network
  • Spanish Hacktivist Arrests: Four individuals arrested for DDoS attacks against government institutions

These prosecutions demonstrate continued law enforcement focus on cybercrime, though they also highlight the international nature of threats facing U.S. critical infrastructure.

Training & Resource Spotlight

Emerging Threat Awareness

AI-Enhanced Attack Methodologies: Security teams should familiarize themselves with how threat actors are leveraging generative AI to:

  • Develop and refine attack scripts
  • Identify vulnerable configurations
  • Automate exploitation workflows
  • Create convincing social engineering content

CSO Online has published a detailed analysis of 13 ways attackers use generative AI to exploit systems, which provides valuable awareness training material.

Source: CSO Online

LLM Infrastructure Security

Exposed Endpoint Risks: Organizations deploying Large Language Models should review guidance on how exposed endpoints increase risk across LLM infrastructure. Key considerations include:

  • API security for model interfaces
  • Authentication and authorization controls
  • Input validation and prompt injection prevention
  • Monitoring for abuse and anomalous usage patterns

Source: The Hacker News

Human-Related Security Risks

2025 Trends: Research indicates human-related security risks rose 90% in 2025, with AI-related risks contributing significantly. Security awareness programs should be updated to address:

  • AI-generated phishing and social engineering
  • Deepfake-enabled fraud
  • Vishing attacks (as demonstrated in the Optimizely breach)
  • Insider threat indicators

Source: Security Magazine

New Malware Awareness

Arkanix Stealer: Security researchers have identified a new information stealer called Arkanix that combines rapid Python-based harvesting with stealthier C++ payloads. Security teams should update detection capabilities and review indicators of compromise.

Source: CSO Online

Looking Ahead: Upcoming Events

NIST Events

Technologies and Use Cases for Smart Standards
Date: March 19, 2026
Focus on emerging technologies including AI, blockchain, and IoT, and the need for standards that keep pace with rapid development. Relevant for organizations implementing these technologies in critical infrastructure environments.

Building the Strategic Supply Chain Network
Date: March 9, 2026
Addresses critical vulnerabilities in U.S. supply chains exposed by recent disruptions. Valuable for supply chain security professionals across all critical infrastructure sectors.

Cybersecurity for IoT Workshop: Future Directions
Date: March 31, 2026
Discussion of emerging trends for IoT technologies and implications for IoT cybersecurity. Critical for organizations with operational technology and IoT deployments.

Iris Experts Group Annual Meeting
Date: June 25, 2026
Forum for discussion of iris recognition technology for government agencies. Relevant for organizations implementing biometric security controls.

Threat Periods Requiring Heightened Awareness

  • Ongoing: Healthcare sector remains under elevated threat from ransomware operators
  • Ongoing: FortiGate firewall exploitation campaign continues; organizations should assume targeting
  • Ongoing: Nation-state activity from Russian and Iranian actors targeting Western organizations

Seasonal Considerations

  • Tax Season (through April 15): Increased phishing and fraud targeting financial information
  • Spring Severe Weather: Review business continuity plans for weather-related disruptions

This intelligence briefing is based on open-source reporting from February 17-24, 2026. Organizations should verify applicability to their specific environments and consult vendor advisories for detailed technical guidance. For sector-specific threat information, contact your relevant Information Sharing and Analysis Center (ISAC).

Disclaimer

This briefing is generated using AI analysis of public news sources. Always verify critical information through authoritative sources before taking action.