
A
From the CISO Series, it's Cybersecurity Headlines.
B
These are the cybersecurity headlines for Monday, February 16, 2026. I'm Steve Prentiss.
One threat actor responsible for 83% of recent Ivanti RCE attacks. A single IP address hosted on bulletproof infrastructure is responsible for more than 83% of exploitation activity related to vulnerabilities, says intelligence company GreyNoise. The two CVE-numbered vulnerabilities exist in Ivanti Endpoint Manager Mobile and have been flagged as actively exploited in zero-day attacks in Ivanti's security advisory, where the company also announced hotfixes. End quote. The source of these attacks is an IP address hosted by Prospero, which Censys analysts marked as a bulletproof autonomous system used to target various software products.
Google's AI Search Overviews manipulated by scammers. From the "this is why we can't have nice things" department, Google's AI Overviews feature is being weaponized by scammers who have figured out how to inject deliberately harmful information into its AI-generated search summaries by reverse engineering how Google's AI sources information. This allows them to plant malicious content such as links to phishing sites disguised as customer service portals, promoting counterfeit products as legitimate recommendations and spreading misinformation designed to build trust before hitting victims with financial scams. Experts emphasize that users should treat AI Overviews as a starting point that requires verification rather than as a definitive answer.
Microsoft warns of DNS-based ClickFix attack that uses nslookup. The increasingly popular ClickFix social engineering tactic has a new angle in which attackers trick users into running commands that carry out a domain name system, otherwise known as nslookup, to retrieve the next stage payload. In this case, it performs a DNS lookup against a hard-coded external DNS server rather than the system's default resolver, said Microsoft's threat intelligence team. They added, quote, using DNS in this way reduces dependency on traditional web requests and can help blend malicious activity into normal network traffic. End quote.
Trezor and Ledger users targeted through snail mail campaign. Physical letters sent through the postal service are urging users of the two cryptocurrency hardware wallets into submitting recovery phrases as part of a fictional authentication check. The letters include company logos and other letterhead features, as do the envelopes. The messages conveyed sufficient urgency, warning users to complete the process by yesterday, February 15th, or risk losing functionality on their devices. It should be noted that both Trezor and Ledger suffered data breaches in the past couple of years that did expose customer contact information.
Huge thanks to our sponsor Conveyor. I'll tell you two things Conveyor cannot help you with. Conveyor will not make security questionnaires fun and it will not make your sales team stop asking you questions. But it did help Alteryx support a half a billion dollars in enterprise deals with the same four-person team. All they did was get an AI trust center and use Conveyor's AI agent to complete questionnaires. That's enough. You know where to go. www.conveyor.com, that is C-O-N-V-E-Y-O-R.com.
Estonia's spy chief tells Europe to invest in offensive cyber capabilities. Kaupo Rosin, Estonia's foreign intelligence chief, called on European governments and industry to invest in homegrown offensive cyber capabilities, noting that the continent relies too heavily on non-European tools. Speaking on Friday at the Munich Cybersecurity Conference, he said Europe is focused on defence, while modern intelligence and security operations increasingly depend on the ability to penetrate, disrupt or manipulate adversaries' digital systems. End quote. And he added that he would love to coordinate and cooperate with Europeans more on that.
Ring ends partnership plans with Flock after privacy blowback from Super Bowl ad. Following backlash from consumers concerned about privacy, Amazon-owned Ring has cancelled its partnership plans with Flock Safety, a police surveillance tech company best known for automated license plate reader cameras. The Ring Super Bowl ad showed how people's Ring cameras could be used to help locate lost dogs, but the wording of the ad raised questions about how the facial recognition-enabled cameras could also be used to surveil and monitor the movements of people. Ring still maintains a community requests program with another major police surveillance company called Axon, A-X-O-N.
Dutch telco Odido reveals data breach. The Netherlands' largest mobile network operator has stated that a breach of its customer contact system may have affected around 6.2 million people. The data affected includes PII and bank account numbers. The telco says, however, that passwords, call details, billing or location data, or scans of ID documents could not have been accessed. The breach was noticed last weekend and was reported to the Dutch Data Protection Authority.
AI agents tricked into previewing malicious links in messaging apps. According to researchers at PromptArmor, attackers are now starting to use malicious prompts inside messaging apps to trick an AI agent into generating a data-leaking URL, which link previews may fetch automatically. These link previews can turn URLs generated by an AI agent and controlled by an attacker into a zero-click data exfiltration channel, allowing sensitive information to be leaked without any user interaction. PromptArmor notes in its report that this technique removes the need for a victim to click a link, obviously, thus making the problem, especially inside messaging platforms like Slack and Telegram, where link previews are enabled by default, a whole lot worse.
Managing and operationalizing log data is nothing new in cybersecurity, but are we only taking advantage of a fraction of its value? That's what we're talking about this week on Super Cyber Friday. We'll be digging into how you can view log data more holistically rather than keeping it siloed in the SIEM and in other IT tools. It all happens this Friday at 1pm Eastern, 10am Pacific. Head on over to the events page at cisoseries.com to register to join us. And if you have some thoughts on the news from today or about this show in general, please be sure to reach out to us at feedback@cisoseries.com. We would love to hear from you. I'm Steve Prentiss reporting for the CISO Series.
A
Cybersecurity Headlines are available every weekday. Head to CISOseries.com for the full stories behind the headlines.
Podcast: CISO Series: Cybersecurity Headlines
Host: Steve Prentiss
Date: February 16, 2026
Episode: Ivanti Actor Identified, Search Overviews Manipulated, ClickFix Leverages Nslookup
This episode covers major new cyber threats and incidents in the infosec arena, including details about a principal threat actor behind Ivanti RCE attacks, the exploitation of Google’s AI search summaries by scammers, novel DNS abuse in social engineering campaigns, ongoing hardware wallet phishing via snail mail, and the latest data privacy incidents. Throughout, Steve Prentiss delivers a concise, matter-of-fact breakdown of each story, with input from leading cybersecurity researchers and official company sources.
Steve Prentiss’s delivery is clear, urgent, and pragmatic, emphasizing the immediacy and risks inherent in each headline. Direct expert statements and practical warnings are given in a succinct yet informative style, mirroring the fast-paced tone of cybersecurity news cycles.
This episode is essential listening for infosec professionals keen to stay ahead of evolving attack vectors—from AI exploitation to DNS-based payload delivery—along with critical updates on privacy policy, data breaches, and global cyber strategy.