Cybersecurity Headlines – February 20, 2026
Host: Steve Prentiss | Podcast: CISO Series
Episode Overview
This episode of the Cybersecurity Headlines podcast offers a rapid-fire roundup of significant cybersecurity news stories impacting global organizations, individuals, and governments. Key themes include urgent critical vulnerabilities, the evolution of malware using AI, browser-based threats, advanced phishing kits, global cyberattacks on banking infrastructure, a rise in ATM jackpotting, healthcare sector risks, and sophisticated Android banking malware. The overall tone is urgent and authoritative, with an emphasis on actionable intelligence for security teams.
Key Stories & Insights
1. CISA Orders Emergency Patch for Dell Flaw
- [00:06]
- Issue: U.S. federal agencies must patch a maximum-severity Dell RecoverPoint vulnerability (hard-coded credentials) within three days.
- Context: Actively exploited since mid-2024 by the Chinese threat group UNC6201, which uses it to distribute the "Grimbolt" backdoor, a successor to the earlier Brickstorm.
- Quote:
- "CISA has now ordered government agencies to patch their systems within three days against a maximum severity Dell vulnerability that has been under active exploitation since mid-2024." – Steve Prentiss [00:06]
- Impact: Targets VMware VM backup and recovery infrastructures, raising concerns about supply chain software security.
2. Android Malware Uses Google Gemini AI for Control
- [01:11]
- Discovery: ESET reports the first Android malware leveraging generative AI (Google Gemini) to enhance device hijacking, named "PromptSpy."
- How it works: Installs a VNC module for remote control, uses Gemini to interpret device UI and automate malicious actions (e.g., pinning the app to Recent Apps).
- Quote:
- "The goal of the malware, named PromptSpy, is to deploy a VNC module that hands hackers remote control of infected devices." – Steve Prentiss [01:14]
- "It comes with capabilities to instruct Google's Gemini Chatbot to interpret parts of the device's user interface using natural language prompts..." – Steve Prentiss [01:33]
- Scope: Detected in Argentina, first of its kind on Android.
- Insight: AI is now a critical tool for cybercriminals, increasing stealth and persistence.
3. Browsers Identified as Top Attack Vector
- [01:56]
- Report: Palo Alto Networks' 2026 Incident Response Report – of 750 global incidents, 48% started in the browser.
- Attack Methods: Phishing, malicious links, credential harvesting, spoofed sites, and browser plug-ins like "ClickFix."
- Mitigations:
- Use password managers, ad blockers, anonymous search engines (e.g., DuckDuckGo)
- Caution against AI-powered browsers.
- Quote:
- "48% of cybercrime events involved browser activity." – Steve Prentiss [02:08]
- "Be wary of AI browsers." – Steve Prentiss [02:39]
- Advice: Basic browser hygiene is more important than ever.
4. Starkiller Phishing Kit Bypasses MFA
- [02:39]
- Overview: The new "Starkiller" phishing kit, unrelated to the earlier penetration-testing tool of the same name, is sold on the Dark Web as SaaS, complete with updates and support.
- Technique:
- Proxies the real login page live, making phishing sites indistinguishable and defeating fingerprinting/blacklisting.
- Bypasses MFA since victims interact with the actual service through the attacking infrastructure.
- Quote:
- "Because Starkiller proxies the real site live, there are no template files for security vendors to fingerprint or blocklist. This also enables it to bypass MFA because the targeted user is authenticating with the real site through the proxy." – Steve Prentiss [03:14, 03:30]
- Implication: Raises the bar for phishing defense and detection.
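The relay mechanism described above, reduced to a simulation that was added to this summary and is not code from the podcast, the kit, or any vendor. It shows the defender's side of the story: a one-time code typed into the proxied page reaches the real site unchanged, while a second factor that signs the origin the browser actually connected to cannot be relayed. The origin-bound check is modelled loosely on WebAuthn-style origin binding, which the episode does not discuss and is an assumption here; all hosts, secrets, challenges and users are constructed.

```python
"""Simulation of a live reverse-proxy phishing relay against two kinds of second factor.

Added illustration for this summary, not code from the podcast or from any vendor.
The hosts, secrets, challenge and user values are constructed; the origin-bound
check is modelled loosely on how WebAuthn binds an assertion to the origin the
browser saw (an assumption, not something the episode describes).
"""
import hashlib
import hmac
import json
import struct

REAL_ORIGIN = "https://login.example-bank.test"          # constructed genuine service
PROXY_ORIGIN = "https://login.example-bank-verify.test"  # constructed lookalike fronted by the kit

USER_DB = {  # constructed
    "alice": {
        "totp_secret": b"constructed-totp-secret",
        "device_key": b"constructed-device-key",  # stands in for the authenticator's key pair
    }
}


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1, 30 s step)."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


def sign_client_data(device_key: bytes, client_data: dict) -> bytes:
    """Authenticator side: the signature covers the origin the browser connected to."""
    payload = json.dumps(client_data, sort_keys=True).encode()
    return hmac.new(device_key, payload, hashlib.sha256).digest()


class RealSite:
    """The genuine relying party."""

    def verify_totp(self, user: str, code: str, now: int) -> bool:
        # A TOTP code carries no information about where it was typed, so a
        # relayed code is indistinguishable from one submitted directly.
        expected = totp(USER_DB[user]["totp_secret"], now)
        return hmac.compare_digest(expected, code)

    def verify_assertion(self, user: str, client_data: dict, signature: bytes) -> bool:
        # Two checks: the signature must be the device's, and the signed origin
        # must be this site. A relay cannot satisfy both at once.
        expected = sign_client_data(USER_DB[user]["device_key"], client_data)
        return hmac.compare_digest(expected, signature) and client_data.get("origin") == REAL_ORIGIN


class RelayProxy:
    """Models the kit: forwards each submission to the real site unchanged and keeps a copy."""

    def __init__(self, upstream: RealSite):
        self.upstream = upstream
        self.captured = []

    def relay_totp(self, user: str, code: str, now: int) -> bool:
        self.captured.append(("totp", code))
        return self.upstream.verify_totp(user, code, now)

    def relay_assertion(self, user: str, client_data: dict, signature: bytes) -> bool:
        self.captured.append(("assertion_origin", client_data["origin"]))
        return self.upstream.verify_assertion(user, client_data, signature)


def browser_assertion(origin: str, user: str, challenge: str):
    """The victim's browser signs the origin it is actually connected to."""
    client_data = {"challenge": challenge, "origin": origin}
    return client_data, sign_client_data(USER_DB[user]["device_key"], client_data)


def simulate(now: int = 1_700_000_000) -> dict:
    site = RealSite()
    proxy = RelayProxy(site)

    # Factor 1: TOTP. The victim reads the code from the authenticator app and types it into the proxied page.
    code = totp(USER_DB["alice"]["totp_secret"], now)
    totp_via_proxy = proxy.relay_totp("alice", code, now)

    # Factor 2: origin-bound assertion. The browser is connected to PROXY_ORIGIN and signs that.
    client_data, sig = browser_assertion(PROXY_ORIGIN, "alice", challenge="constructed-challenge")
    assertion_via_proxy = proxy.relay_assertion("alice", client_data, sig)

    # If the relay rewrites the origin field, the signature no longer matches.
    rewritten = dict(client_data, origin=REAL_ORIGIN)
    assertion_rewritten = site.verify_assertion("alice", rewritten, sig)

    # Control: the same assertion made directly against the real origin verifies.
    direct_data, direct_sig = browser_assertion(REAL_ORIGIN, "alice", challenge="constructed-challenge")
    assertion_direct = site.verify_assertion("alice", direct_data, direct_sig)

    return {
        "totp_via_proxy": totp_via_proxy,
        "assertion_via_proxy": assertion_via_proxy,
        "assertion_origin_rewritten": assertion_rewritten,
        "assertion_direct": assertion_direct,
        "captured_by_kit": proxy.captured,
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The practical reading for a security team: a relayed login leaves no template for vendors to fingerprint, as the episode says, so the leverage is in the factor itself rather than in blocklists. A code or push approval that does not encode the origin passes straight through the relay; a factor whose signature covers the origin fails both when relayed as-is and when the relay edits the origin field.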
5. France’s National Bank Account Database Breached
- [04:21]
- Event: Attackers accessed France’s bank account database (FICOBA), impacting 1.2 million accounts.
- Method: Attackers impersonated a civil servant who held access credentials, abusing routine information exchanges with the database.
- Data Exposed: Account details, not balances or transaction data.
- Quote:
- "A representative said that the file contains a list of bank account details but does not provide access to the accounts themselves, nor to account balances, nor to transactions." – Steve Prentiss [05:05]
- Takeaway: Third-party impersonation remains a prominent insider risk.
6. ATM Jackpotting Surge Across U.S.
- [05:11]
- Background: ATM jackpotting attacks, in which malware instructs ATMs to dispense cash without authorization, are seeing an uptick.
- Malware: "Plautus" exploits the financial-services API extensions used by ATMs and point-of-sale terminals.
- Quote:
- "ATM jackpotting is a technique where physical and software vulnerabilities in ATMs are exploited to deploy malware that instructs the machine to dispense cash on demand without bank authorization." – Steve Prentiss [05:22]
- Lesson: Endpoints like ATMs remain attractive, especially where legacy standards prevail.
7. Healthcare Sector’s Growing Third-Party Risks
- [05:54]
- Development: U.S. Health and Human Services (HHS) urges more scrutiny of third-party healthcare vendors, referencing the massive 2024 Change Healthcare breach.
- Vulnerability: Attackers exploited missing MFA on remote portals.
- Quote:
- "We realize there are third party risks lurking in our healthcare system and we don't even know they are there." – HHS Cybersecurity Director Charlie Hess [06:23]
- Actionable: Calls for comprehensive vendor risk management and MFA everywhere.
8. ‘Massiv’ Android Banking Malware Targets Portuguese Government & Banking
- [06:40]
- Details: ThreatFabric identifies "Massiv", an Android banking trojan that poses as an IPTV app to steal credentials, display screen overlays, log keystrokes, and take control of the device.
- Target: The Portuguese government's digital authentication app; by abusing it, the malware can subvert KYC processes and gain access to personal and banking services.
- Quote:
- "The malware relies on screen overlays and key logging to obtain sensitive data and can take remote control of a compromised device, the researchers observed." – Steve Prentiss [06:55]
- Risk: Tied to identity fraud and broad digital access in Portugal.
Notable Quotes
- "Be wary of AI browsers." – Steve Prentiss [02:39]
- "We realize there are third party risks lurking in our healthcare system and we don't even know they are there." – Charlie Hess, HHS [06:23]
- "Because Starkiller proxies the real site live, there are no template files for security vendors to fingerprint or blocklist. This also enables it to bypass MFA because the targeted user is authenticating with the real site through the proxy." – Steve Prentiss [03:14, 03:30]
- "ATM jackpotting is a technique where physical and software vulnerabilities in ATMs are exploited to deploy malware that instructs the machine to dispense cash on demand without bank authorization." – Steve Prentiss [05:22]
Timeline of Key Segments
- [00:06] — Dell critical vulnerability and CISA emergency order
- [01:11] — Android’s “PromptSpy” malware using Gemini AI
- [01:56] — Palo Alto’s browser attack statistics & recommendations
- [02:39] — Starkiller phishing kit and MFA bypass technique
- [04:21] — France’s bank account database cyberattack
- [05:11] — ATM jackpotting rise and “Plautus” malware
- [05:54] — HHS on healthcare vendor risks and Change Healthcare breach
- [06:40] — Discovery of “Massiv” Android banking malware
Summary
This tightly packed episode underscores the rapidly evolving attack surface, with stories ranging from supply chain vulnerabilities and sophisticated phishing kits to the use of artificial intelligence in malware and the ongoing risks endemic to the browser and third-party providers. The episode encourages vigilance, rapid response to critical patches, basic digital hygiene, and a renewed focus on third-party and endpoint security, providing timely, actionable insights for CISOs and security professionals.
