Summary5 min read

Cybersecurity Headlines – February 20, 2026

Host: Steve Prentiss | Podcast: CISO Series

Episode Overview

This episode of the Cybersecurity Headlines podcast offers a rapid-fire roundup of significant cybersecurity news stories impacting global organizations, individuals, and governments. Key themes include urgent critical vulnerabilities, the evolution of malware using AI, browser-based threats, advanced phishing kits, global cyberattacks on banking infrastructure, a rise in ATM jackpotting, healthcare sector risks, and sophisticated Android banking malware. The overall tone is urgent and authoritative, with an emphasis on actionable intelligence for security teams.

Key Stories & Insights

1. CISA Orders Emergency Patch for Dell Flaw

[00:06]
Issue: U.S. federal agencies must patch a maximum severity Dell Recover Point vulnerability (hard coded credentials) within three days.
Context: Actively exploited since mid-2024 by Chinese threat group UNC6201, distributing the "grimbolt" backdoor—an improvement over the earlier Brickstorm.
Quote:
- "CISA has now ordered government agencies to patch their systems within three days against a maximum severity Dell vulnerability that has been under active exploitation since mid 2024." – Steve Prentiss [00:06]
Impact: Targets VMware VM backup and recovery infrastructures, raising concerns about supply chain software security.

2. Android Malware Uses Google Gemini AI for Control

[01:11]
Discovery: ESET reports the first Android malware leveraging generative AI (Google Gemini) to enhance device hijacking, named "PromptSpy."
How it works: Installs a VNC module for remote control, uses Gemini to interpret device UI and automate malicious actions (e.g., pinning the app to Recent Apps).
Quote:
- "The goal of the malware, named PromptSpy, is to deploy a VNC module that hands hackers remote control of infected devices." – Steve Prentiss [01:14]
- "It comes with capabilities to instruct Google's Gemini Chatbot to interpret parts of the device's user interface using natural language prompts..." – Steve Prentiss [01:33]
Scope: Detected in Argentina, first of its kind on Android.
Insight: AI is now a critical tool for cybercriminals, increasing stealth and persistence.

3. Browsers Identified as Top Attack Vector

[01:56]
Report: Palo Alto Networks' 2026 Incident Response Report – of 750 global incidents, 48% started in the browser.
Attack Methods: Phishing, malicious links, credential harvesting, spoofed sites, and browser plug-ins like "ClickFix."
Mitigations:
- Use password managers, ad blockers, anonymous search engines (e.g., DuckDuckGo)
- Caution against AI-powered browsers.
Quote:
- "48% of cybercrime events involved browser activity." – Steve Prentiss [02:08]
- "Be wary of AI browsers." – Steve Prentiss [02:39]
Advice: Basic browser hygiene is more important than ever.

4. Starkiller Phishing Kit Bypasses MFA

[02:39]
Overview: New "Starkiller" phishing kit, unrelated to the previous penetration tool, is sold on the Dark Web as SaaS—complete with updates & support.
Technique:
- Proxies the real login page live, making phishing sites indistinguishable and defeating fingerprinting/blacklisting.
- Bypasses MFA since victims interact with the actual service through the attacking infrastructure.
Quote:
- "Because Starkiller proxies the real site live, there are no template files for security vendors to fingerprint or blocklist. This also enables it to bypass MFA because the targeted user is authenticating with the real site through the proxy." – Steve Prentiss [03:14, 03:30]
Implication: Raises the bar for phishing defense and detection.

5. France’s National Bank Account Database Breached

[04:21]
Event: Attackers accessed France’s bank account database (FICOBA), impacting 1.2 million accounts.
Method: Impersonated a civil servant with access credentials during information exchanges.
Data Exposed: Account details, not balances or transaction data.
Quote:
- "A representative said that the file contains a list of bank account details but does not provide access to the accounts themselves, nor to account balances, nor to transactions." – Steve Prentiss [05:05]
Takeaway: Third-party impersonation remains a prominent insider risk.

6. ATM Jackpotting Surge Across U.S.

[05:11]
Background: ATM jackpotting attacks, where malware instructs ATMs to dispense cash without authorization, sees an uptick.
Malware: "Plautus" exploits financial service API extensions used by terminals and Point-of-Sale devices.
Quote:
- "ATM jackpotting is a technique where physical and software vulnerabilities in ATMs are exploited to deploy malware that instructs the machine to dispense cash on demand without bank authorization." – Steve Prentiss [05:22]
Lesson: Endpoints like ATMs remain attractive, especially where legacy standards prevail.

7. Healthcare Sector’s Growing Third-Party Risks

[05:54]
Development: U.S. Health and Human Services (HHS) urges more scrutiny of third-party healthcare vendors, referencing the massive 2024 Change Healthcare breach.
Vulnerability: Attackers exploited missing MFA on remote portals.
Quote:
- "We realize there are third party risks lurking in our healthcare system and we don't even know they are there." – HHS Cybersecurity Director Charlie Hess [06:23]
Actionable: Calls for comprehensive vendor risk management and MFA everywhere.

8. ‘Massiv’ Android Banking Malware Targets Portuguese Government & Banking

[06:40]
Details: ThreatFabric identifies “Massiv” (spelled "Massiv") posing as an IPTV app to steal credentials, perform overlays, keylogging, and take device control.
Target: Portuguese government’s digital authentication app, can subvert KYC processes and access personal and banking services.
Quote:
- "The malware relies on screen overlays and key logging to obtain sensitive data and can take remote control of a compromised device, the researchers observed." – Steve Prentiss [06:55]
Risk: Tied to identity fraud and broad digital access in Portugal.

Notable Quotes

"Be wary of AI browsers." – Steve Prentiss [02:39]
"We realize there are third party risks lurking in our healthcare system and we don't even know they are there." – Charlie Hess, HHS [06:23]
"Because Starkiller proxies the real site live, there are no template files for security vendors to fingerprint or blocklist. This also enables it to bypass MFA because the targeted user is authenticating with the real site through the proxy." – Steve Prentiss [03:14, 03:30]
"ATM jackpotting is a technique where physical and software vulnerabilities in ATMs are exploited to deploy malware that instructs the machine to dispense cash on demand without bank authorization." – Steve Prentiss [05:22]

Timeline of Key Segments

[00:06] — Dell critical vulnerability and CISA emergency order
[01:11] — Android’s “PromptSpy” malware using Gemini AI
[01:56] — Palo Alto’s browser attack statistics & recommendations
[02:39] — Starkiller phishing kit and MFA bypass technique
[04:21] — France’s bank account database cyberattack
[05:11] — ATM jackpotting rise and “Plautus” malware
[05:54] — HHS on healthcare vendor risks and Change Healthcare breach
[06:40] — Discovery of “Massiv” Android banking malware

Summary

This tightly packed episode underscores the rapidly evolving attack surface, with stories ranging from supply chain vulnerabilities and sophisticated phishing kits to the use of artificial intelligence in malware and the ongoing risks endemic to the browser and third-party providers. The episode encourages vigilance, rapid response to critical patches, basic digital hygiene, and a renewed focus on third-party and endpoint security, providing timely, actionable insights for CISOs and security professionals.

Loading summary

Transcript77 lines

[00:00]
Host
From the CISO series, it's Cybersecurity Headlines
[00:07]
Steve Prentiss
these are the cybersecurity headlines for Friday, February 20, 2026. I'm Steve Prentiss. CISA orders urgent patch of Del Flaw following up on a story we covered yesterday, CISA has now ordered government agencies to patch their systems within three days against a maximum severity Dell vulnerability that has been under active exploitation since mid 2024. This CVE numbered hard coded credential vulnerability in Dell's Recover Point, which is a solution used for VMware virtual machine backup and recovery, is being exploited by a suspected Chinese hacking group tracked as UNC6201. It is being used to deploy several malware payloads, including a backdoor called grimbolt, which uses a compilation technique that makes it harder to analyze than its predecessor, the Brickstorm backdoor. Android malware uses Gemini to navigate infected devices According to researchers at eset, the
[01:12]
Cybersecurity Analyst
first Android malware strain that uses generative
[01:14]
Steve Prentiss
AI to improve performance once installed has appeared, but this may just be a proof of concept. The goal of the malware, named PromptSpy, is to deploy a VNC module that hands hackers remote control of infected devices.
[01:31]
Cybersecurity Analyst
ESET says. It comes with capabilities to instruct Google's
[01:34]
Steve Prentiss
Gemini Chatbot to interpret parts of the device's user interface using natural language prompts, which allow the malware to examine the user interface. This then informs the gestures it needs to execute on the device in order to keep the malicious app pinned to its Recent Apps list. ESET found versions of PromptSpy uploaded to
[01:53]
Cybersecurity Analyst
VirusTotal in January with the Gemini assisted
[01:56]
Steve Prentiss
strains submitted from Argentina. Half of all cyber attacks start in the browser, says Palo Alto Networks. According to their 2026 Global Incident Response
[02:09]
Cybersecurity Analyst
Report, which analyzed 750 major cyber incidents across 50 countries in 2025, 48% of cybercrime events involved browser activity.
[02:20]
Steve Prentiss
The report identifies phishing malicious links, credential
[02:24]
Cybersecurity Analyst
harvesting pages, spoofed websites, and even click
[02:26]
Steve Prentiss
fix as browser enabled tools.
[02:30]
Cybersecurity Analyst
Among its 10 recommendations use a password manager and an ad blocker, switch to an anonymous search engine like DuckDuckGo and
[02:40]
Steve Prentiss
be wary of AI browsers. New commercial grade phishing kit bypasses MFA named Star Killer, but unrelated to the Red Team penetration testing tool of the same name.
[02:54]
Cybersecurity Analyst
This kit is distributed on the Dark
[02:55]
Steve Prentiss
Web in a software as a service model, including a subscription, updates and customer
[03:01]
Cybersecurity Analyst
support, whereas most other phishing kits use HTML clones of a victim's login page. Starkiller launches a phishing site through a
[03:09]
Steve Prentiss
proxy operated by infrastructure it controls, which
[03:12]
Cybersecurity Analyst
makes it indistinguishable from the real login
[03:15]
Steve Prentiss
portal being used as a template. Because starkiller proxies the real site live, there are no template files for security vendors to fingerprint or blocklist.
[03:26]
Cybersecurity Analyst
This also enables it to bypass MFA because the targeted user is authenticating with
[03:31]
Steve Prentiss
the real site through the proxy. End quote.
[03:37]
Cybersecurity Analyst
Huge thanks to our sponsor Conveyor. Most of what Conveyor automates is boring. Like really boring Security questionnaires, customer requests
[03:49]
Steve Prentiss
for things like your SoC2, all of their follow up questions answering tickets from your sales team. But you know what's not boring?
[03:58]
Cybersecurity Analyst
Alteryx using Conveyor to support over half a billion dollars in enterprise deals with a small four person team.
[04:05]
Steve Prentiss
All they did was set up an
[04:06]
Cybersecurity Analyst
AI trust center and use Conveyor's AI
[04:09]
Steve Prentiss
agent to complete the questionnaires.
[04:12]
Cybersecurity Analyst
You can learn more@conveyor.com that is conveyor.
[04:21]
Steve Prentiss
France's national bank account database suffers cyberattack
[04:26]
Cybersecurity Analyst
French authorities have confirmed that a malicious actor illegally accessed a portion of the country's national bank accounts file known as
[04:34]
Steve Prentiss
ficoba F I C O B A,
[04:36]
Cybersecurity Analyst
which records all bank accounts in the country. The bank account database consists in general of more than 80 million individuals and in this attack it is believed that
[04:45]
Steve Prentiss
1.2 million accounts were impacted.
[04:49]
Cybersecurity Analyst
It is said that the hacker impersonated a civil servant whose credentials allowed access as part of inter ministerial information exchanges
[04:57]
Steve Prentiss
to query part of the database.
[05:00]
Cybersecurity Analyst
A representative said that the file contains a list of bank account details but does not provide access to the accounts
[05:06]
Steve Prentiss
themselves, nor to account balances, nor to transactions.
[05:12]
Cybersecurity Analyst
Jackpotting on the rise due to malware
[05:15]
Steve Prentiss
stuffed ATMs not a new technique in
[05:18]
Cybersecurity Analyst
itself, but the FBI says this technique
[05:20]
Steve Prentiss
is on the rise across the United States.
[05:23]
Cybersecurity Analyst
ATM jackpotting is a technique where physical and software vulnerabilities in ATMs are exploited to deploy malware that instructs the machine
[05:31]
Steve Prentiss
to dispense cash on demand without bank authorization.
[05:35]
Cybersecurity Analyst
Plautus malware that is P L O
[05:37]
Steve Prentiss
U T U S which is commonly
[05:39]
Cybersecurity Analyst
used in these attacks, exploits extensions for financial services, which is an open standard
[05:45]
Steve Prentiss
API that ATMs point of sale terminals and similar devices that run banking applications use the Department of Health and Human
[05:54]
Cybersecurity Analyst
Services to learn more about third party vendors in healthcare. The HHS said on Thursday that this uptick in attention to the security of third party service providers is a result of the 2024 CHANGE Healthcare Cyber attack,
[06:09]
Steve Prentiss
considered the biggest ever in the sector.
[06:12]
Cybersecurity Analyst
The Change Healthcare attack began with hackers exploiting the lack of multi factor authentication
[06:17]
Steve Prentiss
set up on a remote access portal.
[06:19]
Cybersecurity Analyst
This according to HHS Cybersecurity Director Charlie Hess.
[06:23]
Steve Prentiss
At a recent conference, she said, we
[06:26]
Cybersecurity Analyst
realize there are third party risks lurking in our healthcare system and we don't
[06:30]
Steve Prentiss
even know they are there. End Quote Massive Android banking malware poses as an IPTV app researchers at ThreatFabric
[06:41]
Cybersecurity Analyst
have named this new Android banking malware Massive. That is Massiv. It poses as an IPTV app that is Internet Protocol Television to steal digital identities and access online banking accounts.
[06:55]
Steve Prentiss
The malware quote relies on screen overlays
[06:58]
Cybersecurity Analyst
and key logging to obtain sensitive data and can take remote control of a
[07:02]
Steve Prentiss
compromised device, the researchers observed.
[07:05]
Cybersecurity Analyst
MASV Target, a Portuguese government app that
[07:08]
Steve Prentiss
connects with Portugal's digital authentication and signature system.
[07:11]
Cybersecurity Analyst
Such a procedure could be used to bypass know your customer verifications or to access banking accounts and other public and private online services. It's Friday, but let's start thinking about
[07:25]
Steve Prentiss
how to get next week off to a good start.
[07:28]
Cybersecurity Analyst
Instead of dreading a return to office
[07:30]
Steve Prentiss
drudgery, why not look forward to the
[07:32]
Cybersecurity Analyst
best cybersecurity news briefing around? We live stream the Department of no every Monday at 4pm Eastern, breaking down the news of last week and giving
[07:42]
Steve Prentiss
you the insights you need to bring to your team.
[07:46]
Cybersecurity Analyst
Join our two security leader guests in our lively chat room, ask some questions
[07:51]
Steve Prentiss
and join in on the conversation. Be sure you're subscribed to the CISO
[07:55]
Cybersecurity Analyst
Series YouTube channel to join us each
[07:57]
Steve Prentiss
and every week at 4pm Eastern.
[08:00]
Cybersecurity Analyst
And if you have some thoughts on
[08:02]
Steve Prentiss
the news from today or about this
[08:03]
Cybersecurity Analyst
show in general, please be sure to
[08:05]
Steve Prentiss
reach out to us@feedbackisoseries.com we would love to hear from you, Steve I'm Steve Prentice reporting for the CISO Series.
[08:17]
Host
Cybersecurity headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.