A
From the CISO series. It's Cybersecurity Headlines
B
These are the Cybersecurity Headlines for Friday, February 27, 2026. I'm Steve Prentiss.

iPhone and iPad cleared for classified NATO work
The announcement was made yesterday by Apple that its phones and tablets are the first consumer devices to receive approval for working at the NATO Restricted level. The devices are now part of the NATO Information Assurance Products Catalog. This means that iPhones and iPads can be used with classified information without requiring special software or settings. The listing specifies that the native Mail, Calendar and Contacts apps for iOS and iPadOS provide secure access to data.

US education and healthcare targeted with Door backdoor
This attack is being conducted by a previously unknown group, named by Cisco Talos as UAT-10027. The group's goal is to deliver a new backdoor codenamed Door, which uses DNS over HTTPS, hence the DoH in its name, for command and control communications. The campaign is suspected to involve the use of social engineering phishing techniques leading to the execution of a PowerShell script. The threat actor hides the command and control servers behind Cloudflare infrastructure, and although the group has not been identified, certain attributes of the campaign strongly resemble those used by North Korea's Lazarus and Kimsuky groups.

Trend Micro warns of critical Apex One code execution flaws
The cybersecurity software firm has patched the two vulnerabilities, which would allow attackers to gain remote code execution on vulnerable Windows systems. Apex One is an endpoint security platform that detects and responds to security threats, including malware, spyware, malicious tools and vulnerabilities. Both of these named vulnerabilities have CVE numbers, as Trend Micro explained in a security advisory released on Tuesday: "Successful exploitation requires attackers to have access to the Trend Micro Apex One management console," meaning customers whose console's IP address is exposed externally should consider mitigating factors such as source restrictions if not already applied.

European e-commerce chain ManoMano suffers data breach
ManoMano, spelled M-A-N-O-M-A-N-O, is an online marketplace specializing in DIY home improvement, gardening and related products. It is based in France and sells to customers in France, Belgium, Spain, Italy, Germany and the United Kingdom, and its e-stores reportedly have about 50 million unique visitors per month. The company learned of the hack in January of this year, and an investigation has determined that 38 million individuals are affected. The data stolen appears to be basic PII with no financial information. The cause of the breach is believed to be a third-party vendor, specifically a Tunis-based customer support service provider that suffered a Zendesk breach.

Huge thanks to our sponsor, Adaptive Security. This episode is brought to you by Adaptive Security, the first security awareness platform built to stop AI-powered social engineering. Security training fails when it's generic. Adaptive's platform personalizes training and runs deepfake simulations across email, SMS, voice and video. And with Adaptive's AI content creator, you can drop in a breaking threat or compliance doc and instantly turn it into interactive multilingual training. No designers, no delays. You can learn more at adaptivesecurity.com, that is the two words adaptive security together, dot com.

Ransomware payments dropped in 2025, but attack numbers reached record levels
A new report released yesterday by blockchain research company Chainalysis stated that claimed attacks grew by 50%, but victim payment rates dropped to a record low of 28%. This translates to a total of $820 million in payments to ransomware actors in 2025, which might rise to 900 million as more data arrives. Chainalysis researchers attribute the increase in attacks and slowdown in payments to the fact that companies are getting better at incident response and that regulatory scrutiny has increased to the point where payouts are now heavily discouraged.

The UK turns to automated scanning to speed cyber fixes
The British government said yesterday that it has "slashed the time required to fix some of the most serious cyber vulnerabilities across the public sector, pointing to a new automated monitoring service." This service is called the Vulnerability Monitoring Service, and it "operates as a central scanning platform that continuously checks Internet facing systems used by public bodies from central government departments to health and local authorities for signs of known security weaknesses." This is the latest in a series of steps and attempts made by the UK government to formulate a stronger cyber defence position. The service currently covers around 6,000 organizations and is leading to about 400 confirmed vulnerabilities being processed and resolved each month.

AI-driven development makes security unattainable, warns Veracode
In its annual State of Software Security report, the company says that, based on data from 1.6 million applications tested on its cloud platform, more vulnerabilities are being created than are being fixed and that high velocity development with AI is making comprehensive security unattainable. The researchers do say, however, that the higher numbers may be a result of increasing use of testing tools, meaning that more problems are being spotted than might have previously been missed. Veracode also suggests that there is an accelerating pace of software releases, causing new code to be added more quickly than existing vulnerabilities are addressed, and that AI-generated code makes remediation more difficult.

Aeternum C2 botnet stores encrypted commands on Polygon blockchain
Researchers at Curator Labs have disclosed details of a new botnet loader called Aeternum C2, that is spelled A-E-T-E-R-N-U-M, that "uses a blockchain-based command and control infrastructure to make it resilient to takedown efforts." The public Polygon blockchain being used is widely used by decentralized applications, including Polymarket, the world's largest prediction market. Aeternum C2 first appeared in December of last year when a threat actor advertised the malware on underground forums.

Are you going to be in Central Florida next week? Then there's a good chance that you can join us for a live CISO Series podcast recording. We will be in Clearwater, Florida on March 3rd as part of the Convene Conference, and then we will be in Orlando on March 6th for Zero Trust World. For more information on how to join and some discount codes to register for both events, head on over to the events page at cisoseries.com. And of course, if you have some thoughts on the news from today or about this show in general, please be sure to reach out to us at feedback@cisoseries.com. We would love to hear from you. I'm Steve Prentiss reporting for the CISO Series.
A
Cybersecurity Headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Podcast: Cybersecurity Headlines
Host: Steve Prentiss, CISO Series
Date: February 27, 2026
Episode Focus: Fast-paced rundown of major cybersecurity stories from enterprise, public sector, and threat research landscapes.
This episode presents a roundup of significant cybersecurity developments, including NATO’s adoption of Apple devices for classified work, a novel backdoor campaign targeting US education and healthcare, critical flaws in Trend Micro’s Apex One, record-breaking ransomware activity paired with declining payments, advances in automated UK public sector security, warning signs for secure AI-driven development, and a blockchain-resilient botnet. Steve Prentiss maintains a brisk, fact-driven delivery throughout.
[00:08–01:05]
“This means that iPhones and iPads can be used with classified information without requiring special software or settings.”
— Steve Prentiss, [00:18]
[01:05–02:04]
“The group’s goal is to deliver a new backdoor codenamed door, which uses DNS over HTTPS, hence the DoH in its name, for command and control communications.”
— Steve Prentiss, [01:16]
[02:04–02:56]
“Successful exploitation requires attackers to have access to the Trend Micro Apex One management console…customers whose console’s IP address is exposed externally should consider mitigating factors…”
— Steve Prentiss, [02:51]
[04:22–05:17]
“Companies are getting better at incident response and…regulatory scrutiny has increased to the point where payouts are now heavily discouraged.”
— Steve Prentiss, [05:08]
[05:17–06:05]
“A central scanning platform that continuously checks Internet facing systems…for signs of known security weaknesses.”
— Steve Prentiss, [05:26]
[06:05–06:51]
“High velocity development with AI is making comprehensive security unattainable.”
— Steve Prentiss, [06:22]
[06:51–07:31]
“Uses a blockchain-based command and control infrastructure to make it resilient to takedown efforts.”
— Steve Prentiss, [07:10]
On regulatory impact on ransomware payments:
“Regulatory scrutiny has increased to the point where payouts are now heavily discouraged.”
— Steve Prentiss, [05:10]
On AI-driven security paradox:
“More vulnerabilities are being created than are being fixed and that high velocity development with AI is making comprehensive security unattainable.”
— Steve Prentiss, [06:22]
The episode underscores the continuously evolving threat landscape—where attackers innovate (backdoors, blockchain botnets), regulatory and organizational responses shift (ransomware payouts fall), and technological progress (AI-accelerated development, automated vulnerability scanning) offers both hope and new risks.