PSY Logistics Technology Partners weekly cybersecurity threat intelligence briefing for Defense Industrial Base contractors

Weekly Threat Intelligence Briefing - February 23, 2026


🔴 Weekly Threat Intelligence Briefing


Monday, February 23, 2026

PSY Logistics Technology Partners, Inc. | Houston, TX

Prepared by Craig Wood, CCA Lead Assessor | CISM | vCISO Services & DIB Compliance

This is not a normal week in cybersecurity. If you manage infrastructure, lead a security program, or hold CUI for the Defense Industrial Base — read this and act today.

🎯 Top Story: Chinese APT Exploiting Dell RecoverPoint Zero-Day Since Mid-2024

Google Mandiant and GTIG disclosed that suspected China-nexus threat cluster UNC6201 has been silently exploiting a maximum-severity flaw (CVE-2026-22769, CVSS 10.0) in Dell RecoverPoint for Virtual Machines for over 18 months. The vulnerability stems from hardcoded admin credentials in Apache Tomcat Manager — allowing unauthenticated root access.

The attackers deployed the BRICKSTORM and GRIMBOLT backdoors plus a SLAYSTYLE web shell, and created “Ghost NICs” on virtual machines for stealthy lateral movement that bypasses traditional network monitoring. UNC6201 overlaps significantly with Silk Typhoon (UNC5221), a group known for targeting U.S. government agencies and critical infrastructure.

CISA added this to the KEV catalog on February 18 and gave federal agencies only 3 days to patch.

If you run Dell RecoverPoint in any VMware environment, treat this as an emergency.

🔗 Google Mandiant Report

🔗 Dell Advisory DSA-2026-079

⚡ AI-Assisted Actor Compromises 600+ FortiGate Devices in 55 Countries

Amazon Threat Intelligence reported that a low-sophistication threat actor used multiple commercial generative AI tools — including DeepSeek and others — to compromise over 600 FortiGate firewalls between January 11 and February 18, 2026.

Here’s what makes this alarming: no FortiGate vulnerabilities were exploited. The entire campaign succeeded by targeting exposed management ports and weak single-factor credentials. The AI tools handled tool development, attack planning, and command generation.

This is the inflection point we’ve been warning about. Unskilled actors are now achieving enterprise-scale impact with AI assistance.

Action: Audit every network edge device management interface. Disable public-facing admin ports. Enforce MFA. Rotate all default credentials. Today.
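The four controls in that action item can be checked mechanically against whatever device inventory you already keep. The script below is an added example written for this briefing, not code from PSY Logistics or from any vendor: it takes a constructed inventory of edge-device management interfaces (field names, the "public address" heuristic based on RFC 1918, and the admin-port list are all assumptions to adapt to your address plan) and reports public-facing admin ports, unchanged default credentials, single-factor access and cleartext management protocols, critical items first so the output doubles as a remediation queue.

```python
"""Audit edge-device management interfaces for the briefing's four controls:
no public-facing admin ports, MFA enforced, default credentials rotated,
plus no cleartext management protocols.

Added example with constructed data. The inventory format, the port list and
the "public = not RFC 1918" rule are assumptions, not a vendor export format.
"""
import ipaddress
from dataclasses import dataclass

# RFC 1918 plus loopback and link-local. Anything outside is treated as
# internet-reachable. Assumption: adjust to your own address plan and NAT layout.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Ports commonly used for appliance administration (SSH, telnet, HTTP, HTTPS).
ADMIN_PORTS = {22, 23, 80, 443, 8443}
CLEARTEXT_PORTS = {23, 80}


@dataclass
class MgmtInterface:
    device: str
    address: str
    port: int
    mfa: bool
    default_creds_changed: bool


@dataclass
class Finding:
    device: str
    severity: str
    issue: str


def is_public(address: str) -> bool:
    """True when the address is outside every private/local range above."""
    ip = ipaddress.ip_address(address)
    return not any(ip in net for net in PRIVATE_NETS)


def audit(inventory: list) -> list:
    """Return findings sorted critical-first, then by device name."""
    findings = []
    for mi in inventory:
        exposed = is_public(mi.address) and mi.port in ADMIN_PORTS
        if exposed:
            findings.append(Finding(mi.device, "critical",
                f"admin port {mi.port} reachable on public address {mi.address}"))
        # Weak authentication is worse when the interface is already exposed.
        if not mi.default_creds_changed:
            findings.append(Finding(mi.device, "critical" if exposed else "high",
                "default credentials still in place"))
        if not mi.mfa:
            findings.append(Finding(mi.device, "critical" if exposed else "high",
                "single-factor authentication on management interface"))
        if mi.port in CLEARTEXT_PORTS:
            findings.append(Finding(mi.device, "high",
                f"cleartext management protocol on port {mi.port}"))
    rank = {"critical": 0, "high": 1}
    findings.sort(key=lambda f: (rank[f.severity], f.device))
    return findings


# Constructed inventory: sample devices and documentation-range addresses.
SAMPLE_INVENTORY = [
    MgmtInterface("fw-edge-01", "198.51.100.7", 443, mfa=False, default_creds_changed=True),
    MgmtInterface("fw-edge-02", "10.20.0.1", 443, mfa=True, default_creds_changed=True),
    MgmtInterface("vpn-gw-01", "198.51.100.9", 22, mfa=False, default_creds_changed=False),
    MgmtInterface("core-sw-01", "10.20.0.5", 23, mfa=True, default_creds_changed=True),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"[{f.severity.upper():8}] {f.device}: {f.issue}")
```

On the sample data the two internet-facing devices produce five critical findings between them, the switch's telnet listener is flagged high, and the correctly configured firewall produces nothing. Feed it your real inventory (one row per management listener, not per device) and the ordering tells you what to fix first.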

🔗 The Hacker News

🚨 Microsoft February 2026 Patch Tuesday: 6 Actively Exploited Zero-Days

Microsoft patched 58 vulnerabilities including six zero-days already under active exploitation — one of the most critical Patch Tuesday events in recent history:

CVE-2026-21510 — Windows Shell SmartScreen Bypass (CVSS 8.8): One click on a malicious link bypasses all download warnings

CVE-2026-21513 — MSHTML Framework Security Feature Bypass

CVE-2026-21514 — Microsoft Word OLE Mitigations Bypass

CVE-2026-21519 — Desktop Window Manager EoP to SYSTEM (CVSS 7.8)

CVE-2026-21525 — Remote Access Connection Manager Denial of Service

CVE-2026-21533 — Remote Desktop Services EoP to SYSTEM (discovered by CrowdStrike)

Three were publicly disclosed before patches were available. Discovery was coordinated between Microsoft MSTIC, Google Threat Intelligence Group, and CrowdStrike — suggesting sophisticated, coordinated attack campaigns are underway. CISA set a March 3 remediation deadline.

🔗 Krebs on Security

🔓 BeyondTrust RCE Now Confirmed in Ransomware Campaigns

CVE-2026-1731 (CVSS 9.8) — a pre-authentication remote code execution flaw in BeyondTrust Remote Support and Privileged Remote Access — is now actively being used in ransomware attacks. The vulnerability was a zero-day for over a week before BeyondTrust’s February 6 disclosure, with exploitation confirmed as early as January 31.

PoC exploits are publicly available. CISA gave federal agencies 3 days to patch when it was added to the KEV on February 13.

If you use BeyondTrust RS or PRA — patch immediately or discontinue use.

🔗 BeyondTrust Advisory BT26-02

🌐 Additional Exploits: Roundcube & Chrome Under Active Attack

Roundcube Webmail — Two new CISA KEV additions (CVE-2025-49113 deserialization, CVE-2025-68461 stored XSS). Shadowserver reports a 300% spike in scanning for exposed instances. Patch to 1.6.10+ immediately.

Google Chrome — CVE-2026-2441 (CVSS 8.8), a use-after-free in CSS rendering, is actively exploited via crafted HTML pages. Affects all Chromium-based browsers. Update immediately.

🔗 CISA KEV Catalog

📋 Notable Breach Disclosures

Advantest Corp | Feb 19 | Ransomware | 🚨 Impact: Systems encrypted; semiconductor supply chain risk

Japan Airlines | Feb 9 | Unauthorized Access | 🚨 Impact: Customer PII since July 2024

Harvard University | Feb 4 | ShinyHunters Exfiltration | 🚨 Impact: 115K donor/alumni records

700Credit LLC | Ongoing | Web App Breach | 🚨 Impact: 5.8M consumer records, SSNs

WormGPT.AI | Feb 2026 | Platform Breach | 🚨 Impact: 19K+ hacking platform users

🔗 CYFIRMA Weekly Intelligence Report

🛡️ What You Should Do This Week

1. Emergency patch Dell RecoverPoint, BeyondTrust RS/PRA, and all Microsoft February Patch Tuesday zero-days

2. Audit all edge device management interfaces — the AI-assisted FortiGate campaign proves that weak credentials + exposed ports = full compromise at scale

3. Update all Chromium browsers and Roundcube instances

4. DIB contractors: Review boundary protection (NIST 800-171 SC-7) and remote access controls (AC-17) — this week’s exploits overwhelmingly target remote access infrastructure, mapping directly to CMMC Level 2 assessment objectives

5. Hunt for IOCs from the Mandiant/GTIG Dell RecoverPoint report, especially in VMware environments
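Indicator hunting is only as good as the report's IOC list, so pair step 5 with a behavioural check for the "Ghost NIC" tradecraft described in the top story: a virtual NIC that was never approved for a VM, or one quietly moved onto a different port group. The script below is an added example for this briefing, not code from PSY Logistics, Mandiant or any hypervisor vendor. It diffs a current VM adapter inventory against an approved baseline; the inventory layout (VM name, adapter label, port group, MAC) and the sample VM names are constructed assumptions, and in practice both sides would come from your hypervisor management tooling and your CMDB.

```python
"""Hunt for unexpected virtual NICs by diffing the current VM adapter
inventory against an approved baseline.

Added example with constructed data. The inventory layout and the idea that
"unexpected" means "adapter or port group not in the baseline" are
assumptions; tune both to how your environment records VM networking.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Adapter:
    label: str        # adapter label as the hypervisor reports it (assumed naming)
    port_group: str   # virtual network / port group the adapter is attached to
    mac: str


@dataclass
class Alert:
    vm: str
    reason: str
    adapter: Optional[Adapter] = None


# Approved baseline per VM (constructed sample data).
BASELINE = {
    "backup-appliance-01": {Adapter("Network adapter 1", "PG-Mgmt", "00:50:56:aa:00:01")},
    "app-db-01": {Adapter("Network adapter 1", "PG-App", "00:50:56:aa:00:10"),
                  Adapter("Network adapter 2", "PG-Backup", "00:50:56:aa:00:11")},
    "web-01": {Adapter("Network adapter 1", "PG-DMZ", "00:50:56:aa:00:20")},
}

# This week's inventory (constructed): backup-appliance-01 has grown a second
# adapter, app-db-01's backup adapter has been moved to the management port
# group, web-01 is unchanged.
CURRENT = {
    "backup-appliance-01": {Adapter("Network adapter 1", "PG-Mgmt", "00:50:56:aa:00:01"),
                            Adapter("Network adapter 2", "PG-Mgmt", "00:50:56:aa:00:02")},
    "app-db-01": {Adapter("Network adapter 1", "PG-App", "00:50:56:aa:00:10"),
                  Adapter("Network adapter 2", "PG-Mgmt", "00:50:56:aa:00:11")},
    "web-01": {Adapter("Network adapter 1", "PG-DMZ", "00:50:56:aa:00:20")},
}


def hunt(current: dict, baseline: dict) -> list:
    """Return one Alert per deviation, sorted by VM name."""
    alerts = []
    for vm, adapters in current.items():
        approved = baseline.get(vm)
        if approved is None:
            alerts.append(Alert(vm, "VM not present in baseline"))
            continue
        approved_by_mac = {a.mac: a for a in approved}
        # Adapters present now that do not match any approved adapter exactly.
        for a in adapters - approved:
            known = approved_by_mac.get(a.mac)
            if known is None:
                alerts.append(Alert(vm, "adapter not in baseline (possible ghost NIC)", a))
            else:
                alerts.append(Alert(vm, f"adapter moved from {known.port_group} to {a.port_group}", a))
        # Approved adapters that vanished entirely are worth a ticket as well.
        current_macs = {c.mac for c in adapters}
        for a in approved - adapters:
            if a.mac not in current_macs:
                alerts.append(Alert(vm, "baseline adapter missing", a))
    return sorted(alerts, key=lambda x: x.vm)


if __name__ == "__main__":
    for alert in hunt(CURRENT, BASELINE):
        extra = f" [{alert.adapter.label}, {alert.adapter.port_group}, {alert.adapter.mac}]" if alert.adapter else ""
        print(f"{alert.vm}: {alert.reason}{extra}")
```

Run weekly against a fresh export, and treat any adapter on a management port group that your change records cannot explain as an incident, not a ticket. The MAC-based matching distinguishes a moved adapter from a brand-new one, which matters because the two have different likely causes.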

📊 By the Numbers This Week

6 Microsoft zero-days actively exploited

600+ FortiGate devices compromised by AI-assisted actor

18 months that Chinese APT exploited Dell RecoverPoint undetected

831 ransomware victims claimed globally in January 2026

300% spike in Roundcube scanning activity

3-day CISA remediation deadlines issued twice this month

This threat intelligence briefing is produced weekly by PSY Logistics Technology Partners, Inc. for our vCISO clients and the Defense Industrial Base community. If your organization needs help with CMMC compliance, gap assessments, or vCISO services, reach out at [email protected].

All sources linked above for independent verification. Stay safe out there.

#Cybersecurity #ThreatIntelligence #CMMC #DIB #InfoSec #vCISO #PatchTuesday #ZeroDay #Ransomware #DefenseIndustrialBase
