Transcript
A (0:00)
From the CISO series, it's Cybersecurity Headlines.
B (0:06)
These are the cybersecurity headlines for Tuesday, February 10, 2026. I'm Sarah Lane.

UNC3886 targets Singapore telecom sector
Singapore's cybersecurity agency says China-linked APT group UNC3886 carried out a targeted espionage campaign against all four of the country's major telecom operators. The group used a zero-day exploit and rootkits to gain access to parts of critical systems. Authorities say the intrusion didn't disrupt services or expose customer data. Singapore launched a counter-operation called Cyber Guardian and says the attacker's access has since been cut off.

Researchers at Ontinu analyzed a Linux-based malware framework called Voidlink that can persist across enterprise and multi-cloud environments, including AWS, Azure, Google Cloud, Alibaba and Tencent. It steals credentials, fingerprints systems, escapes containers and hides at the kernel level while using encrypted traffic that mimics normal web activity. Analysts say the code shows clear signs of AI-assisted development, with leftover debug logs and structured phase labels, suggesting it was generated by an LLM with limited human review.

135,000 OpenClaw instances exposed to the Internet
SecurityScorecard researchers say more than 135,000 Internet-exposed instances of the open source AI agent platform OpenClaw are vulnerable, in part because the software listens on all network interfaces by default and a lot of users never change the setting. The tool's been linked to multiple high-risk flaws and data leak issues, and more than 50,000 exposed systems are still susceptible to a patched remote code execution bug. The platform's design and widespread insecure deployments could give attackers access to credentials, files and other sensitive data across both personal and corporate systems.
New zero-click flaw in Claude Desktop Extensions
LayerX researchers found a zero-click vulnerability in Claude Desktop Extensions that could let attackers execute code on a victim system using a malicious Google Calendar event, affecting more than 10,000 users and earning a CVSS 10.0 rating. The flaw stems from how the extensions chain tools together with full system privileges and no sandboxing, letting low-risk inputs trigger high-risk actions. LayerX says Anthropic declined to fix it based on the fact that the issue falls outside its threat model, because users choose which extensions and permissions to enable.

Huge thanks to our sponsor, ThreatLocker. Want real zero trust training? Zero Trust World 2026 delivers hands-on labs and workshops that show CISOs exactly how to implement and maintain zero trust in real environments. Join us March 4th through the 6th in Orlando, plus a live CISO Series episode on March 6th. Get $200 off with ZW CISO 26 at ztw.com.

China rehearsing cyber attacks on critical infrastructure
Leaked technical documents reviewed by Recorded Future show China using a secret cyber range platform called Expedition Cloud to rehearse attacks on the critical infrastructure of nearby countries. The system replicates real-world power, transport and smart home networks, letting reconnaissance and attack teams practice operations and analyze results in detail, potentially with AI-assisted automation. The platform suggests state sponsorship and potential evidence of China preparing offensive cyber campaigns despite official denials.

BridgePay confirms ransomware attack
BridgePay says a ransomware attack caused a system-wide outage affecting its payments platform, disrupting card transactions for some restaurants, retailers and municipal services. The company says initial forensics show no payment card data was compromised and any accessed data was encrypted. The FBI and Secret Service are assisting in the investigation.
Fallout from latest Ivanti zero-days spreads
Ivanti's Endpoint Manager Mobile zero-day flaws have now been linked to around 100 victims, with Shadowserver identifying 86 compromised instances and warning that multiple threat groups are exploiting the bugs. The two unauthenticated remote code execution vulnerabilities, each rated 9.8, have hit organizations including Dutch government agencies and infrastructure at the European Commission. Rapid7 says exploitation attempts increased after disclosure, with hundreds of attacks observed in a day, and nearly 1,300 Internet-exposed EPMM instances are still at risk.

Warlock gang breaches SmarterTools via SmarterMail bugs
SmarterTools says the Warlock ransomware group breached its network by exploiting two critical SmarterMail vulnerabilities, including an unauthenticated remote code execution bug and an authentication bypass flaw, both fixed in January. The attackers gained access through an unpatched server, compromising about a dozen Windows machines, though the company says business apps and account data weren't affected. SmarterTools also observed similar attacks on customer systems, with the group targeting Active Directory to spread ransomware.

The CISO is the leader of a security program, yet we often hear it's a rare sight when CISOs actually interact with their security teams. Why do some CISOs seem to embrace that distance, which can create real operational impacts? And what's the best way to cultivate relationships with staff? We discuss that and more on our latest episode of the CISO Series Podcast. Look for the episode "When We See White Smoke, We Know We Have a New CISO" wherever you get your podcasts. And if you have thoughts on the news from today or about the show in general, be sure to reach out to us at feedback@cisoseries.com. We'd love to hear from you. I'm Sarah Lane reporting for the CISO Series, and we will talk to you tomorrow.
