Cyber Threat Weekly – #118
The week of February 23rd through March 1st, about 345 cyber news articles were reviewed. A moderate amount of cyber threat trends and adversarial behavior news to share. I've been thinking about the velocity and volume of attacks.
One thing seems certain: AI is helping threat actors move faster, and it is helping them with social engineering. Identities are our Achilles' heel; threat actors continue to abuse trust. Business email compromise (funds transfer fraud) is rising sharply. Threat actors are getting good at exploiting our gaps. The line between nation-state and cyber-criminal groups continues to blur; their behavior looks much the same. It is only going to get worse.
Let's start with ClawJacked, an OpenClaw attack. Nation-state threat actors breach an air-gapped network. A malicious Go module deploys a backdoor. A blockchain is used for command and control. ClickFix-style fake Google security check.
1Phish kit targets 1Password users. X-Force Threat Intelligence Index 2026. Supply chain attacks shift to financial targets outside of crypto. More NuGet and npm supply chain attacks. Researchers share the latest account takeover analysis.
New 1Campaign service bolsters malicious ads. CrowdStrike 2026 Global Threat Report. Researchers share OT security data analysis. The 2026 Active Adversary Report.
Broken Record Alert: Don’t get pwned by N-day vulnerabilities!!!
Known exploited software flaws are one of the top four initial access vectors and have increased sharply in recent months. We continue to share n-day vulnerabilities that are being actively exploited. Priority #1: start with the CISA and VulnCheck known exploited vulnerability (KEV) catalogs. If it is in a catalog, it should be patched.
A close #2 priority is flaws with weaponized proof-of-concept (PoC) code available; the chance of exploitation is higher once weaponized PoC code is public. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are actively exploited or have weaponized PoC code available.
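Here is what that two-tier priority looks like as a script, added for this issue (it is not a CISA or VulnCheck tool). It reads a catalog in the KEV JSON shape, joins it against scanner output, and flags anything that has blown the emergency window. Assumptions: the field names (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse) follow CISA's published feed; the dates, the inventory, the "weaponized PoC" set and the CVE-0000-* placeholders are constructed for illustration and are not real data.

```python
"""KEV-driven patch triage.

Added example, not a tool from CISA or VulnCheck. The feed snippet copies the
field names CISA publishes in its KEV JSON feed; the dateAdded/dueDate values,
the inventory, the CVE-0000-* placeholders and the weaponized-PoC set are all
constructed for illustration.
"""
import json
from datetime import date, timedelta

# Constructed excerpt in the KEV JSON shape. The three CVE IDs are the ones
# listed in this issue; the dates are made up.
KEV_JSON = """{"vulnerabilities": [
  {"cveID": "CVE-2026-20127", "vendorProject": "Cisco",
   "product": "Catalyst SD-WAN Controller and Manager",
   "dateAdded": "2026-02-25", "dueDate": "2026-03-04",
   "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-2022-20775", "vendorProject": "Cisco", "product": "SD-WAN",
   "dateAdded": "2026-02-24", "dueDate": "2026-03-17",
   "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-2026-25108", "vendorProject": "Soliton Systems K.K",
   "product": "FileZen", "dateAdded": "2026-02-26", "dueDate": "2026-03-19",
   "knownRansomwareCampaignUse": "Unknown"}
]}"""

# Constructed: IDs with a public weaponized PoC but no KEV entry (priority #2).
# CVE-0000-* are placeholders, not real identifiers.
WEAPONIZED_POC = {"CVE-0000-0001"}

# Constructed scanner output: host -> CVEs detected.
INVENTORY = {
    "sdwan-mgr-01": ["CVE-2026-20127", "CVE-2022-20775"],
    "filezen-dmz-01": ["CVE-2026-25108"],
    "build-01": ["CVE-0000-0001", "CVE-0000-0002"],
}

TODAY = date(2026, 2, 27)  # fixed so the run is reproducible


def load_kev(raw_json):
    """Index a KEV-format feed by CVE ID."""
    return {v["cveID"]: v for v in json.loads(raw_json)["vulnerabilities"]}


def triage(inventory, kev, weaponized_poc, today, emergency_days=2):
    """Rank every (host, CVE) pair by the priorities above.

    1: in the KEV catalog. The emergency clock starts the day the entry was
       added, which is usually far tighter than the catalog's own dueDate.
    2: weaponized PoC public. The emergency clock starts today.
    3: everything else goes to the normal patch cycle (no deadline here).
    """
    findings = []
    for host, cves in inventory.items():
        for cve in cves:
            if cve in kev:
                entry = kev[cve]
                deadline = date.fromisoformat(entry["dateAdded"]) + timedelta(days=emergency_days)
                findings.append({
                    "host": host, "cve": cve, "priority": 1,
                    "deadline": deadline, "overdue": today > deadline,
                    "ransomware": entry.get("knownRansomwareCampaignUse", "Unknown"),
                })
            elif cve in weaponized_poc:
                findings.append({
                    "host": host, "cve": cve, "priority": 2,
                    "deadline": today + timedelta(days=emergency_days),
                    "overdue": False, "ransomware": "n/a",
                })
            else:
                findings.append({
                    "host": host, "cve": cve, "priority": 3,
                    "deadline": None, "overdue": False, "ransomware": "n/a",
                })
    # Highest priority first, then nearest deadline, then host name.
    findings.sort(key=lambda f: (f["priority"], f["deadline"] or date.max, f["host"]))
    return findings


def overdue_hosts(findings):
    """Hosts that have blown the emergency window on a KEV entry."""
    return sorted({f["host"] for f in findings if f["overdue"]})


def run_example():
    return triage(INVENTORY, load_kev(KEV_JSON), WEAPONIZED_POC, TODAY)


if __name__ == "__main__":
    for f in run_example():
        print(f"P{f['priority']} {f['host']:<15} {f['cve']:<15} "
              f"deadline={f['deadline']} overdue={f['overdue']}")
    print("overdue hosts:", overdue_hosts(run_example()))
```

Swap the embedded snippet for the live CISA feed and the scanner export for your own, and the "overdue" column becomes the list you take to the change board. Note that the emergency deadline is computed from dateAdded, not the catalog's dueDate, because the catalog's due dates are federal agency deadlines and are far looser than 48 hours.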
VPN gateways from all vendors are under constant attack.
Consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way toward minimizing the number of devices and services exposed to the Internet.
CISA Known Exploited Vulnerabilities – February 23rd to March 1st:
CVE-2026-25108 – Soliton Systems K.K FileZen OS Command Injection Vulnerability:
An attacker who can log in to the affected product can execute arbitrary OS commands by sending a specially crafted HTTP request.
CVE-2022-20775 – Cisco SD-WAN Path Traversal Vulnerability:
Could allow an authenticated local attacker to gain elevated privileges via improper access controls on commands within the application CLI. A successful exploit could allow the attacker to execute arbitrary commands as the root user.
CVE-2026-20127 – Cisco Catalyst SD-WAN Controller and Manager Authentication Bypass Vulnerability:
Could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.
OpenClaw Attack Dubbed ClawJacked
The bug allowed a malicious website to connect to OpenClaw over a WebSocket and attempt authentication. The management password could be brute-forced without throttling or logging, which is game over for any human-chosen password. The point is that as we deploy more agentic AI, these kinds of issues will keep popping up.
https://www.oasis.security/blog/openclaw-vulnerability
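The three missing controls are worth seeing together, so here is an added example of a hardened auth gate for a local agent's WebSocket control channel. This is illustrative code written for this issue, not OpenClaw's implementation: it checks the handshake Origin against an allowlist so a foreign page never reaches the password step, throttles failures per client with a lockout, and logs every failure. The origin http://127.0.0.1:18789 is a hypothetical local UI origin, and FakeClock exists only so the lockout can be exercised offline.

```python
"""Hardened auth gate for a local agent's WebSocket control channel.

Added example, not OpenClaw's code. It demonstrates the controls whose absence
made the bug game over: an Origin allowlist, per-client throttling with lockout,
and a log line for every failure. http://127.0.0.1:18789 is a hypothetical
local UI origin; FakeClock is a test stand-in for time.monotonic.
"""
import hmac
import logging
import time
from collections import defaultdict

log = logging.getLogger("agent-gateway")


class FakeClock:
    """Monotonic clock stand-in so lockout expiry can be driven by hand."""
    def __init__(self, start=0.0):
        self.t = start

    def __call__(self):
        return self.t


class AuthGate:
    def __init__(self, password, allowed_origins, max_failures=5,
                 lockout_seconds=300, clock=time.monotonic):
        self._password = password.encode()
        self._allowed_origins = set(allowed_origins)
        self._max_failures = max_failures
        self._lockout = lockout_seconds
        self._clock = clock
        self._failures = defaultdict(int)   # client -> consecutive failures
        self._locked_until = {}             # client -> clock value

    def check_origin(self, origin):
        """Browsers always send Origin on a WebSocket handshake, so a value not
        on the allowlist means a foreign page is talking to us. A missing Origin
        is a non-browser client and is left to the password check."""
        if origin is None or origin in self._allowed_origins:
            return True
        log.warning("rejected websocket handshake from origin %r", origin)
        return False

    def authenticate(self, client, origin, password):
        """Return (ok, reason). `client` identifies the peer, e.g. its address."""
        if not self.check_origin(origin):
            return False, "origin"
        now = self._clock()
        until = self._locked_until.get(client)
        if until is not None and now < until:
            log.warning("auth attempt from %s during lockout", client)
            return False, "locked"
        # Constant-time compare so timing does not leak how much of the guess matched.
        if hmac.compare_digest(self._password, password.encode()):
            self._failures.pop(client, None)
            self._locked_until.pop(client, None)
            log.info("auth success for %s", client)
            return True, "ok"
        self._failures[client] += 1
        log.warning("auth failure %d/%d for %s", self._failures[client],
                    self._max_failures, client)
        if self._failures[client] >= self._max_failures:
            # Lock the client out; later attempts are refused before comparison.
            self._failures[client] = 0
            self._locked_until[client] = now + self._lockout
            log.error("locking out %s for %ds", client, self._lockout)
        return False, "bad-password"


def brute_force(gate, client, origin, guesses):
    """Feed a guess list through the gate the way a malicious page would.
    Returns (successes, guesses actually compared, guesses refused unseen)."""
    ok = checked = refused = 0
    for guess in guesses:
        success, reason = gate.authenticate(client, origin, guess)
        ok += success
        if reason in ("ok", "bad-password"):
            checked += 1
        else:
            refused += 1
    return ok, checked, refused


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    gate = AuthGate("correct horse", ["http://127.0.0.1:18789"],
                    max_failures=3, lockout_seconds=60)
    print(brute_force(gate, "127.0.0.1:51000", "https://evil.example",
                      ["a", "b", "correct horse"]))   # all rejected on Origin
    print(brute_force(gate, "127.0.0.1:51001", None,
                      ["a", "b", "c", "correct horse"]))  # 3 compared, then locked
```

Two caveats a practitioner would raise: a per-client lockout keyed on address lets a local attacker lock the legitimate client out too, so a real gateway should rate-limit rather than hard-lock, or key on a session token; and no amount of throttling rescues a weak secret, so the management credential should be a long random token that the agent generates, not something a human picks.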
Multi-Stage Attack uses USB Drives to Bridge Air-Gapped Networks
Nation-state attackers breach air-gapped networks via USB drives, using malware with bi-directional capabilities. The ability not only to compromise an air-gapped system but also to exfiltrate data via the USB drives that interconnect systems is interesting. There are a lot of possibilities with this type of malware. Let's hope others don't move in this direction. Yesterday's nation-state attack is tomorrow's commodity attack.
Backdoor Deployed by Malicious Go Module
The multi-stage attack chain starts with impersonation leading to a malicious Go module. Because the legitimate project uses GitHub as a mirror, the attacker was able to pull off the charade more easily. The chance of the pattern repeating is high, targeting other 'credential edge' libraries.
https://thehackernews.com/2026/02/malicious-go-crypto-module-steals.html
https://socket.dev/blog/malicious-go-crypto-module-steals-passwords-and-deploys-rekoobe-backdoor
Polygon Blockchain Abused for Aeternum Botnet Loader
This isn't the first malware to abuse a blockchain for command and control to increase resilience against takedowns. The use of smart contracts and decentralized infrastructure also increases the speed at which bots receive their commands.
https://qrator.net/blog/details/Exploring-Aeternum-C2/
Progressive Web App Installed via Fake Google Security Check
A routine-looking security check walks the victim through a ClickFix-style four-step process to install a Progressive Web App. If the victim follows all four steps, their browser becomes a proxy for the attacker. We should expect more attacks like this.
1Password Users Targeted by 1Phish Kit
Researchers share a detailed walk-through of four versions of this rapidly evolving phishing kit focused on 1Password users. The latest version shifted to an API-style back end with dynamic session management and possibly real-time authentication attempts.
https://securitylabs.datadoghq.com/articles/hook-line-vault-a-deep-dive-into-1phish/
X-Force Threat Intelligence Index 2026
Like other reports so far this year, valid credentials are a top initial access vector. The attack on trust continues. Supply chain risk remains high, especially in open-source repositories. The lines continue to blur between cyber-criminal and nation-state groups.
https://www.infosecurity-magazine.com/news/app-exploits-surge-ai-speeds/
https://www.ibm.com/think/premium/threat-intelligence-report-access-vectors#605511091
Stripe Targeted with Malicious NuGet Package
Attackers are shifting supply chain targets to the wider financial sector. Consistent with the supply chain attack trend of many months, typosquatting and impersonating legitimate packages carry over to a new target.
https://www.infosecurity-magazine.com/news/malicious-nuget-package-stripe-devs/
https://www.reversinglabs.com/blog/malicious-nuget-package-targets-stripe
Supply Chain Attacks Continue – NuGet / npm
The customary open-source repository attack stories. A new attack dubbed Sandworm_Mode has worm-like propagation capabilities.
https://thehackernews.com/2026/02/malicious-nuget-packages-stole-aspnet.html
https://www.tenable.com/blog/cybersecurity-research-faq-new-malicious-npm-package-ambar-src
https://www.microsoft.com/en-us/security/blog/2026/02/24/c2-developer-targeting-campaign/
https://www.securityweek.com/new-sandworm_mode-supply-chain-attack-hits-npm/
https://www.endorlabs.com/learn/sandworm-mode-dissecting-a-multi-stage-npm-supply-chain-attack
Account Takeover Attack Analysis Across Customer Base
The dataset covers 50M+ accounts from November 2024 to November 2025. During this period, 99% of organizations were targeted and 67% were successfully compromised. Precision attacks succeed more than twice as often. Post-compromise behavior occurred in 88% of impacted accounts.
Malicious Ads Run Longer on Google Thanks to 1Campaign
A new cloaking service is designed to pass Google's ad screening process. Active for at least three years, the tool filters out security researchers and automated scanners. The developer claims the tool bypasses Google's policy limitations, allowing impersonation of legitimate brands.
https://www.varonis.com/blog/1campaign
CrowdStrike 2026 Global Threat Report
The new average breakout time (moving from initial access to lateral movement) for cyber-criminals is 29 minutes. The fastest breakout time was a blistering 27 seconds. This stat is now fairly stable: malware-free (living-off-the-land) methodology accounted for 82% of intrusions. Speed of defense is critical.
https://www.darkreading.com/cyber-risk/attackers-now-need-just-29-minutes-to-own-a-network
https://go.crowdstrike.com/rs/281-OBQ-266/images/CrowdStrike-2026-Global-Threat-Report.pdf
OT Security Data Analysis
Researchers comb through 20 years of historical data and global telemetry from over 61,000 firewalls. They found that 82.8% of intrusions occur within the IT environment, making IT/OT convergence the biggest battleground.
https://unit42.paloaltonetworks.com/ot-edge-security/
The 2026 Active Adversary Report
Interestingly, 84% of the dataset came from organizations with fewer than 1,000 employees and 56% from those with fewer than 250. Compromised identity was the root cause of 67.32% of incidents. Business email compromise attempts increased 4x this year. Active Directory continues to be a target. This report is worth at least skimming.
https://www.sophos.com/en-us/blog/2026-sophos-active-adversary-report
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter