Critical Juniper Router Flaw Threatens Network Infrastructure as North Korean APT37 Deploys Air-Gap Breach Tools; CISA Leadership Change Amid DHS Shutdown

Executive Summary

This week's intelligence cycle reveals significant developments across multiple critical infrastructure domains, with particular concern for network infrastructure, nation-state threat activity, and federal cybersecurity leadership continuity.

  • Critical Network Infrastructure Vulnerability: Juniper Networks issued an out-of-band security update for a critical remote code execution vulnerability (CVE-2026-21902) affecting PTX series core routers running Junos OS Evolved. Given the deployment of these routers in carrier and enterprise backbone networks, this vulnerability poses significant risk to communications infrastructure.
  • Nation-State Threat Evolution: North Korea's APT37 (ScarCruft) has deployed five newly discovered tools specifically designed to breach air-gapped networks, representing a significant capability advancement with implications for isolated critical infrastructure systems. Separately, Russian cyberattacks continue to provide targeting data for missile strikes in Ukraine, demonstrating the kinetic consequences of cyber operations.
  • Federal Cybersecurity Leadership Transition: CISA has undergone a leadership change with Madhu Gottumukkala departing and Andersen assuming the acting director role. This transition occurs during the third week of a partial DHS shutdown, raising concerns about federal cybersecurity coordination capacity.
  • AI Policy Developments: The administration ordered all federal agencies to phase out Anthropic technology, while Anthropic maintains its position on AI safeguards in an ongoing Pentagon dispute. These developments have implications for AI integration in critical infrastructure protection.
  • Ongoing Exploitation Campaigns: Over 900 Sangoma FreePBX instances remain compromised with web shells, and CISA has issued new guidance on RESURGE malware that can remain dormant on Ivanti devices—both representing persistent threats to enterprise communications infrastructure.

Threat Landscape

Nation-State Threat Actor Activities

North Korea - APT37 (ScarCruft) Air-Gap Breach Capability:

  • Zscaler ThreatLabz researchers have identified five new tools deployed by APT37 specifically designed to compromise air-gapped networks
  • The toolset includes a backdoor utilizing Zoho WorkDrive for command-and-control communications, enabling covert data exfiltration
  • USB-based malware propagation techniques allow the threat actor to bridge air-gapped environments
  • Critical Infrastructure Implications: Air-gapped systems are commonly employed in energy sector SCADA/ICS environments, nuclear facilities, and classified government networks. This capability advancement significantly elevates the threat to these isolated systems.
  • Source: Bleeping Computer, The Hacker News

Russia - Cyber-Enabled Kinetic Operations:

  • Reporting indicates Russian cyberattacks continue to provide targeting intelligence that directly supports missile strike operations in Ukraine
  • This cyber-kinetic integration demonstrates the evolving role of cyber operations in modern warfare and the potential for similar tactics against Western critical infrastructure during heightened tensions
  • Source: SecurityWeek

Ransomware and Cybercriminal Developments

Tactical Evolution - Stealth and Persistence:

  • Ransomware groups are increasingly shifting toward stealthy attack methodologies focused on establishing long-term persistent access rather than immediate encryption and extortion
  • This tactical shift complicates detection and extends dwell time, allowing threat actors to conduct more thorough reconnaissance and maximize impact
  • Defensive Implication: Organizations should strengthen behavioral detection capabilities and adopt an assume-breach mentality in security operations
  • Source: CSO Online

"The Com" Cybercrime Collective Disruption:

  • Europol-led "Project Compass" operation resulted in 30 arrests and identification of 179 suspects linked to "The Com" cybercrime collective
  • The group, comprising primarily teenagers and young adults, engaged in ransomware attacks, extortion, and other cybercrimes
  • This operation demonstrates the growing role of younger threat actors in sophisticated cybercrime operations
  • Source: Bleeping Computer, Infosecurity Magazine

Emerging Attack Vectors

Blockchain-Based Botnet Infrastructure:

  • The Aeternum botnet loader employs Polygon blockchain smart contracts for command-and-control infrastructure
  • This architecture makes the C2 infrastructure extremely difficult to disrupt through traditional takedown methods
  • Analysis: Blockchain-based C2 represents an evolution in botnet resilience that will likely be adopted by more sophisticated threat actors
  • Source: SecurityWeek

Supply Chain Compromise - Malicious Go Modules:

  • Researchers identified a malicious Go cryptographic module designed to harvest credentials and deploy the Rekoobe Linux backdoor
  • The module creates persistent SSH access, enabling long-term compromise of affected systems
  • Source: The Hacker News

AI Agent Vulnerabilities:

  • Security researchers have demonstrated that personal AI agents (specifically OpenClaw) can be manipulated by malicious websites to execute unauthorized commands
  • As AI agents become more integrated into enterprise workflows, this attack vector poses increasing risk to organizational security
  • Source: CSO Online

Sector-Specific Analysis

Communications & Information Technology

Critical: Juniper Networks PTX Router Vulnerability

  • Vulnerability: CVE-2026-21902 - Remote Code Execution in Junos OS Evolved
  • Affected Systems: PTX series core routers
  • Severity: Critical - Out-of-band patch issued
  • Impact: PTX routers are deployed in carrier networks, large enterprise backbones, and data center interconnects. Successful exploitation could enable attackers to compromise core routing infrastructure, potentially affecting internet connectivity and communications for large populations.
  • Recommended Action: Immediate patching; implement network segmentation and enhanced monitoring for management plane access
  • Source: SecurityWeek, CSO Online

FreePBX Compromise Campaign Continues

  • Over 900 Sangoma FreePBX instances remain infected with web shells following exploitation of a post-authentication command injection vulnerability in the endpoint manager interface
  • FreePBX is widely deployed in small-to-medium business and some enterprise VoIP environments
  • Recommended Action: Organizations using FreePBX should immediately audit systems for indicators of compromise and apply available patches
  • Source: SecurityWeek, The Hacker News

Google Gemini API Key Exposure

  • A "silent" Google API key change inadvertently exposed Gemini AI data, highlighting risks associated with AI service integration
  • Organizations integrating AI services should implement robust API key management and monitoring practices
  • Source: CSO Online

Energy Sector

Air-Gap Breach Implications:

  • APT37's newly discovered air-gap breach capabilities have direct implications for energy sector operational technology environments
  • Many SCADA and ICS systems in power generation, transmission, and pipeline operations rely on air-gapping as a primary security control
  • Recommended Actions:
    • Review and enhance USB device policies and controls
    • Implement application whitelisting on air-gapped systems
    • Enhance monitoring for anomalous data transfers to removable media
    • Conduct tabletop exercises focused on air-gap breach scenarios

Water & Wastewater Systems

IoT Security Concerns:

  • CISA released an advisory on four vulnerabilities in Gardyn Home and Gardyn Studio smart garden systems
  • While consumer-focused, this advisory highlights ongoing concerns about IoT device security that extend to industrial IoT deployments in water/wastewater systems
  • Water utilities should review IoT device inventories and ensure proper network segmentation
  • Source: SecurityWeek

Transportation Systems

Maritime Security Updates:

  • DHS announced the reinstatement of 56 Coast Guard personnel previously dismissed under the COVID-19 vaccine policy
  • Coast Guard operations continue with successful interdiction of suspected smuggling vessel (20 individuals)
  • These personnel actions may affect maritime security operational capacity during the transition period
  • Source: Homeland Security Today

Healthcare & Public Health

Data Breach Activity:

  • ManoMano data breach allegedly impacted 38 million individuals, with exposed data including names, email addresses, phone numbers, and other personal information
  • While not a healthcare-specific breach, the scale demonstrates ongoing data protection challenges across sectors
  • Healthcare organizations should review third-party vendor security practices
  • Source: SecurityWeek

Financial Services

Cryptocurrency Crime Enforcement:

  • DoJ seized $61 million in Tether cryptocurrency linked to "pig butchering" investment scams
  • Chilean carding shop operator extradited to US; accused of trafficking over 26,000 payment cards
  • Ukrainian operator of OnlyFake AI-powered fake ID generation site pleaded guilty after producing over 10,000 fraudulent identification documents
  • These enforcement actions demonstrate continued focus on cryptocurrency-enabled financial crimes
  • Source: The Hacker News, SecurityWeek, Bleeping Computer

Government Facilities

DHS Partial Shutdown - Week Three:

  • The partial DHS shutdown continues into its third week as Democrats review the latest White House counteroffer
  • Critical Infrastructure Impact: Extended shutdown affects CISA operations, TSA staffing, Coast Guard operations, and other DHS components with critical infrastructure protection responsibilities
  • Organizations should anticipate potential delays in federal cybersecurity support and coordination
  • Source: Homeland Security Today

CISA Leadership Transition:

  • Madhu Gottumukkala has departed as acting CISA director; Andersen has assumed the acting director role
  • The transition follows reported criticisms of CISA's performance during the first year of the current administration
  • Leadership continuity concerns are heightened given the concurrent DHS shutdown
  • Source: CyberScoop

Vulnerability & Mitigation Updates

Critical Vulnerabilities Requiring Immediate Attention

  • CVE-2026-21902 - Juniper Junos OS Evolved (PTX routers)
    • Severity: Critical
    • Status: Patch available (out-of-band update released)
    • Action Required: Immediate patching
  • CVE-2025-0282 - Ivanti Connect Secure
    • Severity: Critical
    • Status: Active exploitation
    • Action Required: Apply patches; scan for RESURGE malware
  • Multiple CVEs - Gardyn Home/Studio
    • Severity: High
    • Status: CISA advisory issued
    • Action Required: Review CISA ICS advisory; apply mitigations
  • CVE: N/A - Sangoma FreePBX
    • Severity: High
    • Status: Active exploitation
    • Action Required: Audit for web shells; apply patches

CISA Advisories and Guidance

RESURGE Malware Warning:

  • CISA released detailed technical guidance on RESURGE, a malicious implant used in zero-day attacks exploiting CVE-2025-0282 against Ivanti Connect Secure devices
  • Key Finding: RESURGE can remain dormant on compromised devices, evading detection while maintaining persistent access
  • Recommended Actions:
    • Conduct integrity checks on all Ivanti Connect Secure appliances
    • Review CISA's indicators of compromise
    • Implement enhanced monitoring for lateral movement from VPN infrastructure
    • Consider factory reset and rebuild for potentially compromised devices
  • Source: Bleeping Computer

Defensive Recommendations

For Air-Gap Protected Environments:

  • Implement strict USB device controls with hardware-based blocking where possible
  • Deploy endpoint detection and response (EDR) solutions capable of detecting USB-based malware
  • Establish data diode architectures for necessary data transfers
  • Conduct regular integrity monitoring of air-gapped systems
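The USB-control and removable-media monitoring recommendations above (and in the Energy Sector section) can be turned into concrete detection logic. The following is an added example, not code from the briefing or from any vendor: it runs three simple rules over constructed host-agent log lines, flagging insertion of a device whose serial is not on an allowlist, cumulative writes to one device that exceed a per-day byte threshold, and execution of a file from removable media. The log format, the allowlist, the threshold and the hostnames are all assumptions made for the example.

```python
import re

# Constructed sample log lines in an assumed key=value format emitted by a
# host agent on an air-gapped network. Not real data.
SAMPLE_LOG = """\
2026-02-27T08:02:11Z host=hmi-01 user=oper event=usb_insert serial=SN-APPROVED-001
2026-02-27T08:02:40Z host=hmi-01 user=oper event=usb_write serial=SN-APPROVED-001 path=E:\\reports\\shift.csv bytes=40960
2026-02-27T09:15:03Z host=hmi-02 user=svc_backup event=usb_insert serial=SN-UNKNOWN-7F3
2026-02-27T09:15:22Z host=hmi-02 user=svc_backup event=usb_write serial=SN-UNKNOWN-7F3 path=E:\\cfg\\plc_program.bin bytes=5242880
2026-02-27T09:16:01Z host=hmi-02 user=svc_backup event=usb_write serial=SN-UNKNOWN-7F3 path=E:\\cfg\\hist.db bytes=73400320
2026-02-27T09:18:45Z host=hmi-02 user=svc_backup event=usb_exec serial=SN-UNKNOWN-7F3 path=E:\\update.exe bytes=0
"""

# Assumed site policy: only these device serials may be connected, and no
# single device should receive more than 50 MiB of writes per day.
APPROVED_SERIALS = {"SN-APPROVED-001"}
BYTES_THRESHOLD = 50 * 1024 * 1024

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts")}
    for tok in m.group("kv").split(" "):
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec[key] = val
    rec["bytes"] = int(rec.get("bytes", "0"))
    return rec


def analyze(log_text):
    """Return a list of alert dicts produced by the three removable-media rules."""
    alerts = []
    bytes_per_device = {}   # (host, serial) -> cumulative bytes written
    bulk_flagged = set()    # (host, serial) already reported for bulk transfer
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        host, serial, event = rec.get("host"), rec.get("serial"), rec.get("event")
        key = (host, serial)
        # Rule 1: a device that is not on the approved list was inserted.
        if event == "usb_insert" and serial not in APPROVED_SERIALS:
            alerts.append({"rule": "unapproved_device", "host": host,
                           "serial": serial, "ts": rec["ts"]})
        # Rule 2: cumulative writes to one device cross the threshold (reported once).
        if event == "usb_write":
            total = bytes_per_device.get(key, 0) + rec["bytes"]
            bytes_per_device[key] = total
            if total > BYTES_THRESHOLD and key not in bulk_flagged:
                bulk_flagged.add(key)
                alerts.append({"rule": "bulk_transfer", "host": host,
                               "serial": serial, "bytes": total, "ts": rec["ts"]})
        # Rule 3: something was executed directly from removable media.
        if event == "usb_exec":
            alerts.append({"rule": "exec_from_removable", "host": host,
                           "serial": serial, "path": rec.get("path"), "ts": rec["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

In the constructed sample, hmi-01 uses an approved device and stays under the threshold, so it produces no alerts; hmi-02 triggers all three rules. In practice the allowlist and threshold would be loaded from site configuration, and the alerts would be forwarded to whatever collector the air-gapped enclave uses (a data diode feeding a SOC, for instance) rather than printed.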

For Network Infrastructure:

  • Prioritize patching of Juniper PTX routers
  • Implement out-of-band management networks for critical routing infrastructure
  • Enable comprehensive logging and monitoring of management plane access
  • Review and restrict administrative access to essential personnel
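The management-plane logging and access-restriction items above are only useful if someone checks the logs. The following is an added example, not code from the briefing or from Juniper: it reads constructed syslog-style SSH login records from core routers and raises alerts for successful logins that did not originate from the out-of-band management subnet, logins to accounts outside the authorized administrator set, password (rather than key) authentication, and bursts of failed logins from one source. The log line format, the management subnet, the account list and the router hostnames are assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in an assumed syslog-like format; they are not
# real Junos output.
SAMPLE_LOG = """\
Feb 27 10:01:02 core-rtr-1 sshd: Accepted publickey for netops from 10.250.1.15
Feb 27 10:03:44 core-rtr-1 sshd: Accepted password for admin from 198.51.100.77
Feb 27 10:04:10 core-rtr-2 sshd: Failed password for root from 203.0.113.9
Feb 27 10:04:12 core-rtr-2 sshd: Failed password for root from 203.0.113.9
Feb 27 10:04:15 core-rtr-2 sshd: Failed password for root from 203.0.113.9
Feb 27 10:04:18 core-rtr-2 sshd: Failed password for root from 203.0.113.9
Feb 27 10:05:00 core-rtr-2 sshd: Accepted publickey for netops from 10.250.1.16
"""

# Assumed policy: management sessions come only from the OOB subnet, only the
# listed accounts may log in, and key-based authentication is required.
OOB_MGMT_NETS = [ipaddress.ip_network("10.250.1.0/24")]
AUTHORIZED_ADMINS = {"netops"}
FAILED_BURST = 3  # failures from one source to one device before alerting

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+sshd:\s+"
    r"(?P<result>Accepted|Failed)\s+(?P<method>\w+)\s+for\s+(?P<user>\S+)\s+from\s+(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one login record; returns a dict or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def in_oob_network(src):
    """True when the source address lies inside an approved OOB management subnet."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in OOB_MGMT_NETS)


def analyze(log_text):
    """Return a list of alert dicts for management-plane access policy violations."""
    alerts = []
    failures = Counter()        # (host, src) -> failed login count
    burst_reported = set()      # (host, src) already alerted for a burst
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        host, user, src, method = rec["host"], rec["user"], rec["src"], rec["method"]
        base = {"host": host, "user": user, "src": src, "ts": rec["ts"]}
        if rec["result"] == "Accepted":
            if not in_oob_network(src):
                alerts.append({"rule": "login_outside_oob", **base})
            if user not in AUTHORIZED_ADMINS:
                alerts.append({"rule": "unauthorized_account", **base})
            if method == "password":
                alerts.append({"rule": "password_auth", **base})
        else:
            key = (host, src)
            failures[key] += 1
            if failures[key] >= FAILED_BURST and key not in burst_reported:
                burst_reported.add(key)
                alerts.append({"rule": "failed_login_burst", "count": failures[key], **base})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

In the constructed sample, the second line violates all three policies for a successful login at once, and the repeated failures against core-rtr-2 trigger the burst rule on the third attempt. The rules are deliberately simple; the point is that the policy (OOB-only, named accounts, keys only) is written down in one place and checked continuously against the management-plane log stream.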

Resilience & Continuity Planning

Lessons Learned

UK Vulnerability Monitoring Service Success:

  • The UK government's new Vulnerability Monitoring Service has demonstrated significant results:
    • 75% reduction in unresolved security flaws
    • Cyber-attack fix times reduced from nearly two months to just over one week
  • Key Takeaway: Centralized vulnerability monitoring and coordinated remediation tracking can dramatically improve security posture
  • US critical infrastructure operators should consider similar approaches for their environments
  • Source: Infosecurity Magazine

WMD Response Readiness Exercise:

  • Soldiers validated readiness for domestic WMD response during exercise at Fort Bragg
  • Exercise focused on coordination between military and civilian response capabilities
  • Critical infrastructure operators in the energy and chemical sectors should maintain awareness of WMD response protocols and coordination mechanisms
  • Source: Homeland Security Today

Supply Chain Security

Malicious Software Supply Chain Threats:

  • This week's discovery of malicious Go modules and trojanized gaming utilities highlights ongoing software supply chain risks
  • Recommendations:
    • Implement software composition analysis (SCA) tools
    • Verify package integrity through multiple sources
    • Maintain software bills of materials (SBOMs) for critical systems
    • Establish approved software repositories for development environments

Cross-Sector Dependencies

Communications Infrastructure Criticality:

  • The Juniper PTX router vulnerability underscores the dependency of all critical infrastructure sectors on communications backbone infrastructure
  • Organizations should:
    • Map dependencies on carrier and ISP infrastructure
    • Establish redundant communications paths where feasible
    • Develop communications-down contingency procedures
    • Coordinate with communications providers on security practices

Regulatory & Policy Developments

Federal AI Policy

Anthropic Technology Phase-Out Order:

  • Executive order directs all federal agencies to phase out use of Anthropic technology
  • OpenAI, Google, and xAI maintain contracts to supply AI models to the military
  • Critical Infrastructure Implications: Organizations with federal contracts or partnerships should review AI technology dependencies and prepare for potential compliance requirements
  • Source: SecurityWeek

Pentagon AI Safeguards Dispute:

  • Anthropic continues to refuse Pentagon requests to modify AI safeguards, seeking assurances that Claude won't be used for mass surveillance of Americans or in fully autonomous weapons
  • This dispute highlights ongoing tensions between AI capability deployment and ethical/safety constraints
  • Source: SecurityWeek, Homeland Security Today

Enforcement Actions

Malware and Spyware Sellers Targeted:

  • US authorities have taken action against sellers of malware and spyware
  • Predator spyware reportedly bypasses iOS security indicators, demonstrating continued evolution of commercial surveillance tools
  • Source: CSO Online, SecurityWeek

International Developments

Iran Internet Policy:

  • Analysis of Iran's two-tiered internet architecture highlights the dangers of fragmented internet governance
  • Iran appears to be easing internet blackout restrictions following recent disruptions
  • These developments have implications for understanding adversary information control capabilities
  • Source: Schneier on Security

Cybersecurity Workforce

National Cyber Director Compensation:

  • Reporting indicates one of the "most influential cybersecurity roles" (National Cyber Director) will pay under $175,000
  • Compensation levels may affect ability to attract top talent to federal cybersecurity leadership positions
  • Source: CSO Online

Training & Resource Spotlight

Upcoming Training and Events

NIST Cybersecurity for IoT Workshop: Future Directions

  • Date: March 31, 2026
  • Focus: Emerging and future trends for IoT technologies and implications for IoT cybersecurity
  • Relevance: Critical for organizations deploying IoT in operational technology environments
  • Source: NIST

New Resources and Frameworks

Integrated Access Control and Video Verification:

  • New guidance available on enhancing incident response through integration of access control systems with video verification
  • Relevant for physical security of critical infrastructure facilities
  • Source: Security Magazine

Application Security at the Load Balancer:

  • Technical guidance on implementing application security controls at the load balancer level
  • Relevant for organizations seeking to enhance web application protection
  • Source: CSO Online

LLM Defensive Implementation Guide:

  • New guidance on making large language models a defensive advantage without creating new attack surfaces
  • Critical reading for organizations integrating AI into security operations
  • Source: CSO Online

Industry Contracts and Funding

GAO IT Modernization Contract:

  • SAIC awarded $95 million GAO IT modernization contract
  • Indicates continued federal investment in IT infrastructure modernization
  • Source: Homeland Security Today

Looking Ahead: Upcoming Events

March 2026

NIST Events:

  • March 9, 2026: Building the Strategic Supply Chain Network - NIST workshop addressing supply chain vulnerabilities exposed by recent disruptions
  • March 19, 2026: Technologies and Use Cases for Smart Standards - Focus on AI, blockchain, and IoT standards development
  • March 31, 2026: Cybersecurity for IoT Workshop: Future Directions

Threat Periods Requiring Heightened Awareness

  • DHS Shutdown Duration: Organizations should maintain heightened security postures during the federal shutdown period due to reduced federal coordination capacity
  • CISA Leadership Transition: Monitor for potential gaps in federal cybersecurity guidance and coordination during the transition period
  • Ivanti Exploitation Window: Organizations with Ivanti devices should assume potential compromise and conduct thorough forensic analysis given RESURGE malware's dormancy capabilities

Anticipated Developments

  • Pentagon-Anthropic Deadline: Resolution of the AI safeguards dispute may set precedent for AI deployment in defense and critical infrastructure applications
  • Federal AI Policy Implementation: Agencies will begin implementing Anthropic technology phase-out, potentially affecting critical infrastructure partnerships

Security Conference Calendar

CSO Online has published an updated guide to top security conferences for 2026. Critical infrastructure security professionals should review upcoming opportunities for training, networking, and threat intelligence sharing.


This intelligence briefing is compiled from open-source reporting and is intended to support critical infrastructure protection decision-making. Recipients are encouraged to verify information through official channels and report suspicious activity to appropriate authorities.

Report Date: Saturday, February 28, 2026

Disclaimer

This briefing is generated using AI analysis of public news sources. Always verify critical information through authoritative sources before taking action.