Transcript
A (0:02)
You're listening to the CyberWire Network, powered by N2K.

Cyber threats strike in minutes. Your analysis can't take weeks. That's where Velox Reverser from Booz Allen comes in. It's an autonomous malware reverse engineering and threat intelligence product that turns weeks of painstaking manual analysis into minutes of AI-powered insights. With Velox Reverser, security teams can perform deep analysis to learn how malware works and how to stop it. It's an advanced product that works at machine speed. If you need to outpace evolving adversaries and strengthen your defense at scale, request a demo or start your 30-day free trial of Velox Reverser today at BoozAllen.com/Reverser.

The government shutdown leaves CISA at reduced capacity. Ransomware and misconfigured AI threaten cyber-physical infrastructure. Operation DoppelBrand targets Fortune 500 financial and technology firms. Researchers uncover infostealers targeting OpenClaw AI. Identity-based attacks accounted for nearly two thirds of initial intrusions last year. Researchers compromised popular cloud-based password managers. Authorities have arrested a man suspected of links to Phobos ransomware. We've got our Monday business breakdown. On Threat Vector, host David Moulton speaks with Steve Elovitz about the 750 major breaches his team analyzed in a single year. And a digital detour delivers a Dutchman to detention.

It's February 17, 2026. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us here today. It's great, as always, to have you with us.

CISA will remain operational during the Department of Homeland Security shutdown that began at 12:01 a.m. on February 14, but at reduced capacity. Under the Anti-Deficiency Act, staff cannot be paid and are technically furloughed, though 888 of CISA's 2,341 employees are required to continue working in excepted roles without pay. Others can be recalled if needed to address threats to life, property or national security, such as major ransomware attacks or widespread exploitation of a critical vulnerability. New projects are halted, and regulatory work, including finalizing the CIRCIA reporting rule, will likely stop. The Known Exploited Vulnerabilities catalog will remain online and may be updated for active threats, but updates are expected to be slower. Enforcement of federal compliance with KEV requirements will likely be curtailed. As Acting Director Madhu Gottumukkala noted, adversaries do not pause during government shutdowns.

Ransomware groups sharply increased attacks on industrial organizations in 2025, exploiting weaknesses in operational technology and industrial control systems, according to Dragos. The Dragos annual OT Cybersecurity Year in Review for 2026 tracked 119 ransomware groups targeting industrial firms in 2025, up 49% from 80 in 2024. Researchers observed 3,300 industrial organizations hit globally, nearly double the prior year. Manufacturing was the most targeted sector, followed by transportation, oil and gas, and electricity. Attackers most often gained access through remote portals such as VPNs and firewall interfaces, abusing legitimate credentials stolen via phishing, infostealers or purchased access. Average dwell time in OT environments reached 42 days. Dragos also identified three new threat groups, including an initial access broker targeting US utilities. Prolonged credential-based access increases the risk of disruptive multi-day outages in critical industries.

In a separate report, Gartner predicts that by 2028 a misconfigured artificial intelligence system embedded in cyber-physical infrastructure could shut down critical services in a G20 nation. Unlike traditional software bugs, AI errors in power grids, transportation or industrial control systems can trigger real-world dis. Analysts warn that opaque AI models, excessive privileged access, and poorly governed service accounts increase systemic risk. As automation scales, a single flawed configuration or deployment pipeline could cascade across interconnected systems. The warning highlights governance and oversight gaps, not hackers, as the likely cause.

Researchers at SOCRadar have uncovered a large phishing campaign targeting Fortune 500 financial and technology firms, including Wells Fargo and USAA. Dubbed Operation DoppelBrand, the activity ran from December 2025 through January of this year and is attributed to a financially motivated actor known as GS7. The campaign uses lookalike domains and cloned login portals to harvest credentials, which are sent to attacker-controlled Telegram bots. Investigators identified more than 150 related domains supported by automated infrastructure and short-lived SSL certificates. In some cases, the actor deploys legitimate remote management tools such as LogMeIn Resolve to maintain persistent access. Blockchain analysis tied to the investigation showed roughly 0.28 Bitcoin received. SOCRadar assesses the actor may function as an initial access broker selling compromised accounts. The scale and automation make the operation difficult to disrupt.

Researchers have identified the first known case of information-stealing malware exfiltrating sensitive files from the widely adopted OpenClaw AI agent framework. Security firm Hudson Rock reports that an infostealer infection on February 13th stole configuration files from a victim's local OpenClaw environment. The malware, believed to be a variant of Vidar, did not specifically target OpenClaw, but scanned for files containing terms like "token" and "private key." Stolen data included authentication tokens, private signing keys and memory files that store contextual data such as logs and messages. Researchers say this information could enable device impersonation or broader digital identity compromise. Hudson Rock warns this marks a shift in infostealer tactics, from harvesting browser credentials to targeting AI agent environments. As OpenClaw becomes more embedded in professional workflows, researchers expect continued targeting.

Identity-based attacks accounted for nearly two thirds of initial intrusions last year, according to Palo Alto Networks Unit 42. In its annual incident response report covering 750 cases through September 2025, Unit 42 found social engineering led one third of breaches. Compromised credentials, brute-force attacks, permissive identity policies and insider threats were also common. Identity elements played a role in nearly 90% of incidents, researchers say. Poor controls, misconfigurations and over-privileged accounts allow attackers to pivot across endpoint, cloud systems and software supply chains. Vulnerability exploits made up 22% of initial access, but identity abuse had broader impact. Median extortion payments rose 87% to half a million dollars, and data theft often occurred within two days. Unit 42 warns that machine identities, AI agents and SaaS integrations are expanding the attack surface. The report reflects cases escalated for incident response, not the full threat landscape.

Researchers at ETH Zurich found that popular cloud-based password managers could see their user vaults compromised under a fully malicious server scenario. The team analyzed Bitwarden, Dashlane, LastPass and 1Password, focusing on zero-knowledge encryption models rather than client-side attacks. By targeting account recovery, single sign-on backward compatibility, vault integrity and sharing features, researchers achieved vault compromise in all tested products. They reported full vault compromise for Bitwarden, LastPass and 1Password, and shared vault compromise for Dashlane. In some cases, attackers could both view and modify stored credentials. Vendors noted the attacks assume total server compromise and advanced cryptographic skill. Several patches and mitigations have been issued, though some risks reflect broader industry challenges around public key authenticity and encrypted sharing.

Polish authorities have arrested a 47-year-old man suspected of links to the Phobos ransomware operation, seizing devices containing stolen credentials and server access data. Officers from Poland's Central Bureau of Cybercrime Control detained the suspect in the Małopolska region as part of Operation Aetor, an international effort coordinated by Europol. Investigators found passwords, credit card numbers and server IP addresses that could enable unauthorized system access and ransomware attacks. Police say the suspect communicated with Phobos members via encrypted messaging platforms. He faces charges under Poland's criminal code for possessing and distributing hacking tools, carrying a potential five-year sentence. Phobos, a ransomware-as-a-service operation, has been linked by the U.S. Justice Department to over 1,000 global victims and more than $16 million in ransom payments. Operation Aetor has led to multiple arrests, server seizures and victim warnings.

Turning to our Monday business breakdown, cybersecurity firms across Israel, Europe and the US announced new funding rounds and strategic acquisitions aimed at scaling AI, cloud and identity-focused security services. Vega raised $120 million in a Series B funding round led by Accel to expand product development and go-to-market efforts. GitGuardian secured $50 million to accelerate U.S. and global expansion in secrets security and non-human identity governance. Ricoh closed a $30 million Series B to grow its AI SaaS security platform, while Nucleus Security raised $20 million to enhance cloud and AI-driven exposure management. Additional funding went to Backslash Security, Nullify, Zast AI and Enclave for product expansion and international growth. On the M&A front, Sophos acquired Arkos, Cyber Aura agreed to acquire Quoria, Zscaler bought SquareX, AEA Investors acquired Magna5 and Logicalis US purchased Maplewoods Enterprises. The deals focus on managed security, browser protection, compliance and online safety expansion. Be sure to check out our complete weekly business report as part of CyberWire Pro. You can find that on our website.

Coming up after the break on our Threat Vector segment, David Moulton speaks with Steve Elovitz about the 750 major breaches his team analyzed in a single year, and a digital detour delivers a Dutchman to detention. Stay with us.

When it comes to mobile application security, good enough is a risk. A recent survey shows that 72% of organizations reported at least one mobile application security incident last year, and 92% of respondents reported threat levels have increased in the past two years. GuardSquare delivers the highest level of security for your mobile apps without compromising performance, time to market or user experience. Discover how GuardSquare provides industry-leading security for your Android and iOS apps at www.guardsquare.com.

Most security conferences talk about Zero Trust. Zero Trust World puts you inside. This is a hands-on cybersecurity event designed for practitioners who want real skills, not just theory. You'll take part in live hacking labs where you'll attack real environments, see how modern threats actually work and learn how to stop them before they turn into incidents. But Zero Trust World is more than labs. You'll also experience expert-led sessions, practical case studies and technical deep dives focused on real-world implementation. Whether you're blue team, red team or responsible for securing an entire organization, the content is built to be immediately useful. You'll earn CPE credits, connect with peers across the industry and leave with strategies you can put into action right away. Join us March 4th through the 6th in Orlando, Florida. Register now at ZTW.com and take your Zero Trust strategy from theory to execution.

On the latest Threat Vector segment, our host David Moulton speaks with Steve Elovitz about the 750 major breaches his team analyzed in a single year.
