Skip to main content

CISO Weekly Brief: Zero-Day Exploits, Identity Threats, and AI Abuse (Feb 12, 2026)

This week’s security landscape is marked by multiple zero-day vulnerabilities, sophisticated identity attacks, and the growing abuse of AI in cyber operations. CISOs should focus on rapid patching, monitoring for credential theft, and preparing for advanced threat scenarios. Below are the top items requiring executive attention, followed by a concise action checklist.

Top Items CISOs Should Care About (Priority)

Apple Fixes Exploited Zero-Day Affecting iOS, macOS, and Apple Devices

  • What happened: Apple released urgent patches for a zero-day vulnerability actively exploited in the wild, impacting iOS, macOS, and other Apple devices.
  • Why it matters: Exploited zero-days in widely used devices pose significant threat and regulatory risk.
  • What to verify internally:
    • Confirm all Apple devices are updated to the latest OS versions.
    • Review device management policies for timely patch deployment.
    • Assess exposure of high-value users and executives.
    • Check for signs of compromise in Apple device logs.
  • Exec questions to prepare for:
    • Are all company Apple devices patched?
    • Were any devices compromised before patching?
    • How quickly can we respond to future Apple zero-days?
    • What is our process for high-risk user protection?
  • Sample CISO response: "We have prioritized patching all Apple devices and are monitoring for any indicators of compromise. Our device management process is under review for further acceleration."

Apple fixes zero-day flaw used in 'extremely sophisticated' attacks

  • What happened: Apple addressed a zero-day vulnerability exploited in highly sophisticated attacks targeting its devices.
  • Why it matters: Patch for zero-day exploited in advanced attacks on Apple devices demands urgent mitigation.
  • What to verify internally:
    • Ensure all Apple endpoints are running the latest security updates.
    • Communicate patch urgency to all users, especially executives.
    • Audit for unusual device behavior or access patterns.
    • Coordinate with legal/compliance on regulatory notification if needed.
  • Exec questions to prepare for:
    • How are we protecting against sophisticated attacks?
    • What is our exposure to this vulnerability?
    • Are there any regulatory implications?
    • What lessons can we apply to future zero-day responses?
  • Sample CISO response: "We have completed emergency patching and are reviewing device telemetry for any signs of targeted exploitation."

Microsoft Store Outlook add-in hijacked to steal 4,000 Microsoft accounts

  • What happened: A malicious Outlook add-in from the Microsoft Store was used to steal credentials from over 4,000 Microsoft accounts.
  • Why it matters: Hijacked Outlook add-in stealing thousands of accounts threatens identity security and brand trust.
  • What to verify internally:
    • Identify and remove any instances of the compromised add-in.
    • Reset credentials for affected users.
    • Review add-in approval and monitoring processes.
    • Enhance user awareness on add-in risks.
  • Exec questions to prepare for:
    • Were any of our users affected?
    • How do we control third-party add-ins?
    • What steps are we taking to prevent future incidents?
    • How are we communicating with impacted users?
  • Sample CISO response: "We have removed the malicious add-in, reset affected credentials, and are tightening controls on third-party integrations."

Crazy ransomware gang abuses employee monitoring tool in attacks

  • What happened: A ransomware group leveraged a legitimate employee monitoring tool to facilitate attacks, increasing their sophistication and impact.
  • Why it matters: Ransomware group abusing trusted tools increases attack sophistication and enterprise impact.
  • What to verify internally:
    • Audit use of employee monitoring and remote access tools.
    • Review endpoint detection and response (EDR) coverage.
    • Update incident response playbooks for tool abuse scenarios.
    • Train staff to recognize unusual tool behavior.
  • Exec questions to prepare for:
    • Are our monitoring tools secure?
    • How do we detect abuse of legitimate software?
    • What is our ransomware response plan?
    • Have we seen similar activity internally?
  • Sample CISO response: "We are auditing all monitoring tools and enhancing detection for misuse, with updated response plans for ransomware leveraging legitimate software."

Google says hackers are abusing Gemini AI for all attacks stages

  • What happened: Google reported that threat actors are leveraging Gemini AI to enhance every stage of the attack lifecycle, from reconnaissance to exploitation.
  • Why it matters: Abuse of AI for multi-stage attacks increases threat sophistication and exploitability.
  • What to verify internally:
    • Assess AI usage and monitoring within the organization.
    • Review controls for detecting AI-driven threats.
    • Update security awareness training to include AI risks.
    • Engage with vendors on AI threat intelligence.
  • Exec questions to prepare for:
    • How are we monitoring for AI-driven attacks?
    • What is our exposure to AI-enabled threats?
    • Are our defenses adapting to new AI risks?
    • How do we leverage AI for our own defense?
  • Sample CISO response: "We are enhancing our detection capabilities for AI-driven threats and updating staff training to address evolving attack techniques."

Over 60 Software Vendors Issue Security Fixes Across OS, Cloud, and Network Platforms

  • What happened: More than 60 software vendors released security patches addressing vulnerabilities across operating systems, cloud, and network platforms.
  • Why it matters: Multiple vendor patches highlight widespread vulnerabilities requiring urgent enterprise attention.
  • What to verify internally:
    • Inventory all affected software and prioritize patching.
    • Coordinate with IT for rapid deployment of critical updates.
    • Monitor for patch failures or exceptions.
    • Communicate patching urgency to business units.
  • Exec questions to prepare for:
    • Are we up to date on all critical patches?
    • How do we prioritize patching across platforms?
    • What is our exposure to unpatched vulnerabilities?
    • How do we ensure patching compliance?
  • Sample CISO response: "We are coordinating with IT to ensure all critical patches are deployed promptly and are monitoring for any issues in the update process."

83% of Ivanti EPMM Exploits Linked to Single IP on Bulletproof Hosting Infrastructure

  • What happened: The majority of Ivanti EPMM exploits have been traced to a single IP address hosted on bulletproof infrastructure, indicating a centralized attack campaign.
  • Why it matters: High exploitation rate of a vulnerability with centralized attack source increases enterprise risk.
  • What to verify internally:
    • Check for Ivanti EPMM deployments and patch status.
    • Review logs for connections to known malicious IPs.
    • Update threat intelligence feeds and blocklists.
    • Coordinate with vendors on additional mitigations.
  • Exec questions to prepare for:
    • Do we use Ivanti EPMM and is it patched?
    • Have we seen any suspicious activity from the identified IP?
    • What is our process for responding to centralized attack campaigns?
    • Are we sharing intelligence with peers?
  • Sample CISO response: "We have verified our Ivanti EPMM patch status and are monitoring for any connections to the identified threat infrastructure."

Windows 11 Notepad flaw let files execute silently via Markdown links

  • What happened: A vulnerability in Windows 11 Notepad allowed files to execute silently through malicious Markdown links.
  • Why it matters: Silent code execution vulnerability in Windows 11 Notepad poses significant enterprise risk.
  • What to verify internally:
    • Ensure Windows 11 systems are updated with the latest patches.
    • Review endpoint security controls for file execution monitoring.
    • Educate users on risks of opening untrusted files.
    • Audit for suspicious Notepad activity.
  • Exec questions to prepare for:
    • Are all Windows 11 devices patched?
    • How do we detect silent code execution attempts?
    • What user awareness measures are in place?
    • Have we seen any exploitation attempts internally?
  • Sample CISO response: "We have patched all Windows 11 endpoints and are monitoring for any suspicious file execution activity."

LummaStealer infections surge after CastleLoader malware campaigns

  • What happened: There has been a significant increase in LummaStealer infections following widespread CastleLoader malware campaigns.
  • Why it matters: Surge in credential stealing malware infections increases fraud risk and enterprise exposure.
  • What to verify internally:
    • Scan endpoints for LummaStealer and related malware.
    • Reset credentials for potentially affected users.
    • Review email filtering and malware detection efficacy.
    • Enhance user training on phishing and malware risks.
  • Exec questions to prepare for:
    • Have we detected any LummaStealer infections?
    • What is our credential theft response process?
    • How are we improving malware detection?
    • Are users aware of current phishing tactics?
  • Sample CISO response: "We are actively scanning for LummaStealer, resetting credentials as needed, and reinforcing user awareness on malware threats."

APT36 and SideCopy Launch Cross-Platform RAT Campaigns Against Indian Entities

  • What happened: Nation-state groups APT36 and SideCopy have launched cross-platform remote access trojan (RAT) campaigns targeting Indian organizations.
  • Why it matters: Nation-state RAT campaigns targeting entities indicate high threat severity and espionage risk.
  • What to verify internally:
    • Monitor for indicators of compromise related to APT36 and SideCopy.
    • Review remote access controls and logging.
    • Coordinate with threat intelligence partners for updates.
    • Assess exposure for business units with ties to India.
  • Exec questions to prepare for:
    • Are we a target for these campaigns?
    • What controls are in place for remote access?
    • How do we share intelligence on nation-state threats?
    • What is our response plan for targeted attacks?
  • Sample CISO response: "We are monitoring for relevant indicators and have reinforced controls on remote access to mitigate nation-state threat activity."

Police arrest seller of JokerOTP MFA passcode capturing tool

  • What happened: Authorities arrested the seller of JokerOTP, a tool used to capture multi-factor authentication passcodes, disrupting its distribution.
  • Why it matters: Arrest disrupts MFA bypass tool distribution but highlights ongoing identity security threats.
  • What to verify internally:
    • Review MFA implementation and monitoring for anomalies.
    • Educate users on MFA phishing risks.
    • Update incident response for MFA bypass scenarios.
    • Coordinate with vendors on MFA security enhancements.
  • Exec questions to prepare for:
    • How resilient is our MFA implementation?
    • What is our exposure to MFA bypass tools?
    • How do we respond to MFA compromise?
    • Are users trained on MFA phishing?
  • Sample CISO response: "We are reviewing our MFA controls and updating user training to address evolving bypass threats."

First Malicious Outlook Add-In Found Stealing 4,000+ Microsoft Credentials

  • What happened: The first known malicious Outlook add-in was discovered stealing over 4,000 Microsoft credentials, highlighting a new attack vector.
  • Why it matters: Credential theft via Outlook add-in impacts identity security and could lead to widespread breaches.
  • What to verify internally:
    • Audit all Outlook add-ins for legitimacy.
    • Reset credentials for users with suspicious add-ins.
    • Enhance monitoring for credential exfiltration.
    • Update policies for add-in approval and review.
  • Exec questions to prepare for:
    • How do we detect malicious add-ins?
    • Were any of our users affected?
    • What is our credential theft response?
    • How do we control add-in installations?
  • Sample CISO response: "We have audited Outlook add-ins, reset at-risk credentials, and are tightening controls on add-in installations."

Notable Items

CISO Action Checklist Today

  • Prioritize and complete patching for Apple, Microsoft, and all critical vendor updates.
  • Audit all Outlook and Microsoft add-ins for legitimacy and remove suspicious ones.
  • Scan for LummaStealer and other credential-stealing malware across endpoints.
  • Review and update controls on employee monitoring and remote access tools.
  • Enhance detection and response for AI-driven and sophisticated attack techniques.
  • Verify MFA implementation and update user training on MFA phishing risks.
  • Monitor for connections to known malicious IPs, especially related to Ivanti EPMM exploits.
  • Coordinate with IT and business units to ensure patching compliance and communication.
  • Update incident response playbooks for ransomware and identity compromise scenarios.
  • Engage with threat intelligence partners for updates on nation-state and emerging threats.

Comments

Post a Comment

Popular posts from this blog

Asset Management - Physical Devices - What do you have? Do you know?

Asset management and inventorying your physical systems, we all know we should do it, and I am sure most try.  I am not going to talk about the should have, would have or could have. Instead, I am going to focus on the risks associated with the NIST CSF control ID-AM.1.   The control simply states, “Physical devices and systems within the organization are inventoried.”  At the simplest level, this control is saying that the organization inventories all physical systems that are apart of the information system. In my opinion, the control is foundational because how can you secure something if you don't know it exists.  If you are not inventorying your systems, how do you know if they have adequate controls to protect the data and network.   If you had a breach of data, would you know what type of data was involved, or would you even know if you had a breach?  To further extend this, how can you perform a risk assessment on the system to understand and relay ...
Post a Comment
Read more

Vulnerability Management… It’s easy - Planning

I am sure you have had either consultants, vendors, or heard at a conference that vulnerability management is foundational security control.  While I agree that it is an essential control, I also understand that it is challenging to implement.  Vulnerability management is not just to pick a tool, scan, and fix issues.  Many components make it a complicated journey.  This series will attempt to help break it down and give you ideas on how this complex service and be delivered effectively.    Planning   Objective When you start, I recommend creating a targeted objective and set of measures against your objective.   Ensure that you keep in mind your organization’s culture, politics, and risk appetite as you are developing your objective.   I have seen some target just “critical” systems for regulatory compliance, whereas others have targeted their entire enterprise.   No matter your scope, keep in mind your team’s current resource...
Post a Comment
Read more

The Detect Function in NIST CSF 2.0: The Risk of Seeing Too Late—or Too Much

In NIST Cybersecurity Framework 2.0 (CSF 2.0) , the Detect function represents the organization’s ability to identify the occurrence of a cybersecurity event in a timely and reliable manner . While Protect focuses on reducing the likelihood of compromise, Detect determines how quickly and how accurately an organization recognizes that something has gone wrong. For CISOs and security leaders, detection is where many programs quietly fail. Not due to a lack of tools, but due to poor signal quality, unclear objectives, and misalignment with business impact. Detection that is late, noisy, or misunderstood can be as damaging as no detection at all. Official NIST CSF 2.0 guidance is available here: https://www.nist.gov/publications/nist-cybersecurity-framework-csf-20 What the Detect Function Is (and What It Enables) Under CSF 2.0, the Detect (DE) function focuses on outcomes related to: Continuous monitoring Anomalies and event detection Security logging and analysis Threat intelligence ...
Post a Comment
Read more