A
You're listening to the Cyberwire Network, powered by N2K. Cyber threats strike in minutes. Your analysis can't take weeks. That's where Velox Reverser from Booz Allen comes in. It's an autonomous malware reverse engineering and threat intelligence product that turns weeks of painstaking manual analysis into minutes of AI powered insights. With Velox Reverser, security teams can perform deep analysis to learn how malware works and how to stop it. It's an advanced product that works at machine speed if you need to outpace evolving adversaries and strengthen your defense at scale. Request a demo or start your 30 day free trial of Velox Reverser today at BoozAllen.com/Reverser. The government shutdown leaves CISA at reduced capacity. Ransomware and misconfigured AI threaten cyber physical infrastructure. Operation DoppelBrand targets Fortune 500 financial and technology firms. Researchers uncover infostealers targeting OpenClaw AI. Identity based attacks accounted for nearly two thirds of initial intrusions last year. Researchers compromised popular cloud based password managers. Authorities have arrested a man suspected of links to Phobos ransomware. We've got our Monday business breakdown. On Threat Vector, host David Moulton speaks with Steve Elovitz about the 750 major breaches his team analyzed in a single year. And a digital detour delivers a Dutchman to detention. February 17, 2026. I'm Dave Bittner and this is your Cyberwire Intel Briefing. Thanks for joining us here today. It's great as always to have you with us. CISA will remain operational during the Department of Homeland Security shutdown that began at 12:01am on February 14, but at reduced capacity. Under the Anti-Deficiency Act, staff cannot be paid and are technically furloughed, though 888 of CISA's 2,341 employees are required to continue working in excepted roles without pay.
Others can be recalled if needed to address threats to life, property or national security, such as major ransomware attacks or widespread exploitation of a critical vulnerability. New projects are halted, and regulatory work, including finalizing the CIRCIA reporting rule, will likely stop. The Known Exploited Vulnerabilities catalog will remain online and may be updated for active threats, but updates are expected to be slower. Enforcement of federal compliance with KEV requirements will likely be curtailed. As Acting Director Madhu Gautamukkala noted, adversaries do not pause during government shutdowns. Ransomware groups sharply increased attacks on industrial organizations in 2025, exploiting weaknesses in operational technology and industrial control systems, according to Dragos. The Dragos annual OT Cybersecurity Year in Review for 2026 tracked 119 ransomware groups targeting industrial firms in 2025, up 49% from 80 in 2024. Researchers observed 3,300 industrial organizations hit globally, nearly double the prior year. Manufacturing was the most targeted sector, followed by transportation, oil and gas, and electricity. Attackers most often gained access through remote portals such as VPNs and firewall interfaces, abusing legitimate credentials stolen via phishing, infostealers or purchased access. Average dwell time in OT environments reached 42 days. Dragos also identified three new threat groups, including an initial access broker targeting US utilities. Prolonged credential based access increases the risk of disruptive multi day outages in critical industries. In a separate report, Gartner predicts that by 2028 a misconfigured artificial intelligence system embedded in cyber physical infrastructure could shut down critical services in a G20 nation. Unlike traditional software bugs, AI errors in power grids, transportation or industrial control systems can trigger real world dis.
Analysts warn that opaque AI models, excessive privileged access, and poorly governed service accounts increase systemic risk as automation scales; a single flawed configuration or deployment pipeline could cascade across interconnected systems. The warning highlights governance and oversight gaps, not hackers, as the likely cause. Researchers at SOCRadar have uncovered a large phishing campaign targeting Fortune 500 financial and technology firms including Wells Fargo and USAA. Dubbed Operation DoppelBrand, the activity ran from December 2025 through January of this year and is attributed to a financially motivated actor known as GS7. The campaign uses lookalike domains and cloned login portals to harvest credentials, which are sent to attacker controlled Telegram bots. Investigators identified more than 150 related domains supported by automated infrastructure and short lived SSL certificates. In some cases, the actor deploys legitimate remote management tools such as LogMeIn Resolve to maintain persistent access. Blockchain analysis tied to the investigation showed roughly 0.28 Bitcoin received. SOCRadar assesses the actor may function as an initial access broker selling compromised accounts. The scale and automation make the operation difficult to disrupt. Researchers have identified the first known case of information stealing malware exfiltrating sensitive files from the widely adopted OpenClaw AI agent framework. Security firm Hudson Rock reports that an infostealer infection on February 13th stole configuration files from a victim's local OpenClaw environment. The malware, believed to be a variant of Vidar, did not specifically target OpenClaw, but scanned for files containing terms like "token" and "private key." Stolen data included authentication tokens, private signing keys and memory files that store contextual data such as logs and messages. Researchers say this information could enable device impersonation or broader digital identity compromise.
Hudson Rock warns this marks a shift in infostealer tactics from harvesting browser credentials to targeting AI agent environments. As OpenClaw becomes more embedded in professional workflows, researchers expect continued targeting. Identity based attacks accounted for nearly two thirds of initial intrusions last year, according to Palo Alto Networks Unit 42. In its annual incident response report covering 750 cases through September 2025, Unit 42 found social engineering led one third of breaches. Compromised credentials, brute force attacks, permissive identity policies and insider threats were also common. Identity elements played a role in nearly 90% of incidents, researchers say. Poor controls, misconfigurations and over privileged accounts allow attackers to pivot across endpoints, cloud systems and software supply chains. Vulnerability exploits made up 22% of initial access, but identity abuse had broader impact. Median extortion payments rose 87% to half a million dollars, and data theft often occurred within two days. Unit 42 warns that machine identities, AI agents and SaaS integrations are expanding the attack surface. The report reflects cases escalated for incident response, not the full threat landscape. Researchers at ETH Zurich found that popular cloud based password managers could see their user vaults compromised under a fully malicious server scenario. The team analyzed Bitwarden, Dashlane, LastPass and 1Password, focusing on zero knowledge encryption models rather than client side attacks. By targeting account recovery, single sign-on, backward compatibility, vault integrity and sharing features, researchers achieved vault compromise in all tested products. They reported full vault compromise for Bitwarden, LastPass and 1Password and shared vault compromise for Dashlane. In some cases, attackers could both view and modify stored credentials. Vendors noted the attacks assume total server compromise and advanced cryptographic skill.
Several patches and mitigations have been issued, though some risks reflect broader industry challenges around public key authenticity and encrypted sharing. Polish authorities have arrested a 47 year old man suspected of links to the Phobos ransomware operation, seizing devices containing stolen credentials and server access data. Officers from Poland's Central Bureau of Cybercrime Control detained the suspect in the Malopolska region as part of Operation Ether, an international effort coordinated by Europol. Investigators found passwords, credit card numbers and server IP addresses that could enable unauthorized system access and ransomware attacks. Police say the suspect communicated with Phobos members via encrypted messaging platforms. He faces charges under Poland's criminal code for possessing and distributing hacking tools, carrying a potential five year sentence. Phobos, a ransomware as a service operation, has been linked by the U.S. Justice Department to over 1,000 global victims and more than $16 million in ransom payments. Operation Ether has led to multiple arrests, server seizures and victim warnings. Turning to our Monday business breakdown, cybersecurity firms across Israel, Europe and the US announced new funding rounds and strategic acquisitions aimed at scaling AI, cloud and identity focused security services. Vega raised $120 million in a Series B funding round led by Accel to expand product development and go to market efforts. GitGuardian secured $50 million to accelerate U.S. and global expansion in secrets security and non human identity governance. Ricoh closed a $30 million Series B to grow its AI SaaS security platform, while Nucleus Security raised $20 million to enhance cloud and AI driven exposure management. Additional funding went to Backslash Security, Nullify, Zast AI and Enclave for product expansion and international growth.
On the M&A front, Sophos acquired Arkos, Cyber Aura agreed to acquire Quoria, Zscaler bought SquareX, AEA Investors acquired Magna5 and Logicalis US purchased Maplewoods Enterprises. The deals focus on managed security, browser protection, compliance and online safety expansion. Be sure to check out our complete weekly business report as part of Cyberwire Pro. You can find that on our website. Coming up after the break on our Threat Vector segment, David Moulton speaks with Steve Elovitz about the 750 major breaches his team analyzed in a single year, and a digital detour delivers a Dutchman to detention. Stay with us. When it comes to mobile application security, good enough is a risk. A recent survey shows that 72% of organizations reported at least one mobile application security incident last year, and 92% of respondents reported threat levels have increased in the past two years. GuardSquare delivers the highest level of security for your mobile apps without compromising performance, time to market or user experience. Discover how GuardSquare provides industry leading security for your Android and iOS apps at www.guardsquare.com. Most security conferences talk about Zero Trust. Zero Trust World puts you inside. This is a hands on cybersecurity event designed for practitioners who want real skills, not just theory. You'll take part in live hacking labs where you'll attack real environments, see how modern threats actually work and learn how to stop them before they turn into incidents. But Zero Trust World is more than labs. You'll also experience expert led sessions, practical case studies and technical deep dives focused on real world implementation. Whether you're blue team, red team or responsible for securing an entire organization, the content is built to be immediately useful. You'll earn CPE credits, connect with peers across the industry and leave with strategies you can put into action right away. Join us March 4th through the 6th in Orlando, Florida.
Register now at ZTW.com and take your zero trust strategy from theory to execution. On the latest Threat Vector segment, our host David Moulton speaks with Steve Elovitz about the 750 major breaches his team analyzed in a single year.
B
The 2026 Unit 42 Global Incident Response Report was released today. You can read the entire report on the Palo Alto Networks website. Unit 42 responded to more than 750 major cybersecurity incidents in the past year. AI is helping attackers move faster. The top 25% of intrusions now see data exfiltration in about an hour, down from nearly five hours last year. Identity weakness played a material role in 90% of our investigations. And get this: more than 90% of the breaches happened because of gaps that could have been closed. On Thursday, I'm sharing my conversation with Steve Elovitz, who leads Unit 42's North American consulting practice, about what these 750 investigations reveal. Here's a clip from our conversation. Steve, welcome to Threat Vector. Excited to talk to you again about this report.
C
Thanks, David. Great to be here.
B
For our listeners who haven't experienced a major breach, help us understand what it's like when an organization calls Unit 42. What does pulling the fire alarm actually look like?
C
We have a 24/7 follow-the-sun team that's available and expecting to receive these phone calls. It happens every day. We're pretty easy to get in touch with. We have an email address, we have a web form, we have a phone number that's manned 24/7/365. When someone reaches out, our team is trained in expecting to have the conversation with someone who's experiencing potentially one of the worst days in their career. And we're there to really try to apply a process and some rigor into the response, as this is our everyday. We see this, as you say, 750 times plus a year. So we've had to build these processes and procedures in order to really normalize this.
B
So Steve, do you actually take the calls yourself? Because you have one of the most calming, soothing voices that I could imagine being on the other end of any panicked call.
C
Yeah, I'm told I have both a voice and a face for radio. So I do occasionally take calls myself. Yes. Well, you know, as you say, oftentimes feast or famine happens very often Friday night, and I'll absolutely dive in with my team, yes.
B
When you get those calls, I'm wondering if they follow a similar pattern each time and you start to know it's going to be a type A, type B, type C kind of a problem, or if it's just absolute chaos, completely new every single time because of the nature of the business.
C
No, I mean, you'll definitely find some patterns. There's organizations that have some very mature processes, and I'm finding this more and more as the entire industry progresses. We'll even have customers that have fully scoped the attack and they're just looking for a second pair of eyes. But it goes on a spectrum. We'll also have organizations that this is truly novel to them and they're not sure where to start. But it could be a threat actor we've seen dozens of times and know exactly what to do.
B
Steve, one of the other big themes that I noticed in the report, and I think our readers will be interested in, was around identity as a weakness. Our team saw that identity weaknesses played a material role in 90% of our investigations. Why is identity such a reliable path for attacker success?
C
I mean, "identity is the new attack surface" is the slogan you'll hear repeated. It's true, right? You can compromise an identity, you can gain access to an organization in many cases. Most organizations, and I have to acknowledge a sampling bias on the IR side, but most of the organizations I deal with, when you see an identity compromised for remote access, the organization's using single factor authentication still in some cases, or SMS for the multi factor, or a push notification, or a one time PIN. All of those are phishable, and we have attackers reliably SIM swapping, reliably socially engineering people to get that one time passcode provided to them. For the push notifications, we've seen attackers just spam it until someone got frustrated and pressed approve. And this gains access to the organization, rather than moving towards something that's phishing resistant. Right. You know, device registration, FIDO2, things like that. It's also, aside from just the initial access, identity is the fabric that stitches environments together. Right. You compromise an identity in Active Directory, and organizations using AD Connect, or I think they call it Azure Connect now, we've seen organizations that will sync their domain admins with their Entra global admins, and then you compromise one environment, because of how they structured that identity, the attackers now compromise both environments and can move laterally between them. And this will be true even as you continue federating identity through other environments. Organizations haven't commonly started to think of identity segmentation as a strategy to understand what should this identity have access to.
B
In the report you had a case study about a compromised sales platform using OAuth tokens accessing Salesforce. What did the post incident review reveal that scared you?
C
I'd say it's how often these were over privileged. Right. So we had organizations that had OAuth tokens providing third party access to leverage this application into the platform. Right. Nothing wrong with that. That's common across many applications. Where a lot of organizations fell down was really twofold. Number one, not limiting what IP addresses this could come from. Right. We should know to a certain extent this OAuth token should be leveraged from this set of IPs, right, instead of allowing the entire global Internet to access my environment through that OAuth token. Right. The second is what that token had access to. Back again to the principle of least privilege, to what you learned in the third grade, apparently.
B
Thank you Mrs. Grass.
C
If it didn't have access to more than it needed, then you would have really limited the impact of that incident. Right? You know, what objects can this OAuth application, what processes can this OAuth token access? And if it sprawls beyond what it needs for its job, you've just added risk without adding function.
B
That's Thursday on Threat Vector. Fair warning: we get into the weeds with defense strategy and attacker TTPs. But if you're trying to understand where your team should focus this year, this conversation arms you with insights from the front lines of incident response. You can find Threat Vector wherever you listen to podcasts.
A
Be sure to check out the complete Threat Vector podcast wherever you get your favorite shows. What's your 2am security worry? Is it "do I have the right controls in place?" Maybe "are my vendors secure?" Or the one that really keeps you up at night: "how do I get out from under these old tools and manual processes?" That's where Vanta comes in. Vanta automates the manual work, so you can stop sweating over spreadsheets, chasing audit evidence and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data and simplifies your security at scale. And it fits right into your workflows, using AI to streamline evidence collection, flag risks, and keep your program audit ready all the time. With Vanta, you get everything you need to move faster, scale confidently, and finally get back to sleep. Get started at vanta.com/cyber. That's V-A-N-T-A dot com slash cyber. Maybe that's an urgent message from your CEO. Or maybe it's a deepfake trying to target your business. Doppel is the AI native social engineering defense platform fighting back against impersonation and manipulation. As attackers use AI to make their tactics more sophisticated, Doppel uses it to fight back, from automatically dismantling cross channel attacks to building team resilience and more. Doppel: outpacing what's next in social engineering. Learn more at doppel.com. That's D-O-P-P-E-L dot com. And finally, Dutch police arrested a 40 year old man after he declined to delete confidential law enforcement files that were mistakenly sent to him. The episode began when the man contacted authorities with images he believed relevant to an investigation. An officer attempted to send a secure upload link; instead, a technical error delivered a download link granting access to sensitive police documents. When officers realized the mistake, they instructed the man not to download the files and to delete anything already obtained.
He reportedly refused, saying he would comply only if he received something in return: a reward. Police responded by arresting him and seizing his storage devices. Authorities say there's no indication the documents were shared. Police noted that knowingly downloading restricted files after being warned could constitute computer trespassing. Potential charges and penalties remain unclear. And that's the Cyberwire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. If you only attend one cybersecurity conference this year, make it RSAC 2026. It's happening March 23rd through the 26th in San Francisco, bringing together the global security community for four days of expert insights, hands on learning and real innovation. I'll say this plainly: I never miss this conference. The ideas and conversations stay with me all year. Join thousands of practitioners and leaders tackling today's toughest challenges and shaping what comes next. Register today at rsaconference.com/cyberwire26. I'll see you in San Francisco. Ever wished you could rebuild your network from scratch to make it more secure, scalable and simple? Meet Meter, the company reimagining enterprise networking from the ground up. Meter builds full stack zero trust networks including hardware, firmware and software, all designed to work seamlessly together.
The result? Fast, reliable and secure connectivity without the constant patching, vendor juggling or hidden costs. From wired and wireless to routing, switching, firewalls, DNS security and VPN, every layer is integrated and continuously protected in one unified platform. And since it's delivered as one predictable monthly service, you skip the heavy capital costs and endless upgrade cycles. Meter even buys back your old infrastructure to make switching effortless, transform complexity into simplicity, and give your team time to focus on what really matters: helping your business and customers thrive. Learn more and book your demo at meter.com/cyberwire. That's M-E-T-E-R dot com slash cyberwire.
This episode of CyberWire Daily covers significant cybersecurity news including the impact of a U.S. government shutdown on CISA, rising ransomware attacks on critical infrastructure, new research on AI risks and password managers, novel information-stealing malware tactics, and the prevalence of identity-based breaches. The second half features a detailed discussion on incident response with Steve Elovitz of Palo Alto Networks’ Unit 42, who shares insights from analyzing 750 major breaches in a year.
"Adversaries do not pause during government shutdowns."
— Madhu Gautamukkala, Acting Director of CISA [00:57]
"Identity is the new attack surface...You compromise an identity, you can gain access to an organization in many cases."
— Steve Elovitz [20:01]
Host: David Moulton
Guest: Steve Elovitz, North American Consulting Practice Lead, Unit 42
The Process: Calls come in 24/7. The team is trained to respond calmly and apply well-developed procedures, as they handle over 750 incidents/year.
Notable Quote:
"Our team is trained in expecting to have the conversation with someone who's experiencing potentially one of the worst days in their career."
— Steve Elovitz [17:30]
Elovitz occasionally takes calls himself.
"I'm told I have both a voice and a face for radio... I'll absolutely dive in with my team, yes."
— Steve Elovitz [18:27]
"...It goes on a spectrum..."
— Steve Elovitz [19:03]
90% of investigations involved identity-related issues.
"Most organizations ... using single factor authentication still in some cases or SMS for the multi factor... All of those are phishable and we have attackers reliably SIM swapping, reliably socially engineering people to get that one-time passcode..."
— Steve Elovitz [20:01]
Problems escalate when identity is federated or allowed to sprawl across environments.
"Identity is the fabric that stitches environments together... You compromise one environment because of how they structured that identity, the attackers now compromise both..."
— Steve Elovitz [20:39]
"If it sprawls beyond what it needs for its job, you've just added risk without adding function."
— Steve Elovitz [23:08]
"Police noted that knowingly downloading restricted files after being warned could constitute computer trespassing."
— [29:16]
This episode delivers a comprehensive state-of-the-industry snapshot, balancing actionable intelligence with expert analysis from the front lines of cyber defense. Listeners walk away with a grounded understanding of today’s greatest cyber risks and effective countermeasures.