BeyondTrust RCE exploitation, Healthcare ransomware attacks, Starkiller phishing service, French banking breach, AD persistence techniques
Daily Threat Intel Digest - 2026-02-21
Critical Threats & Active Exploitation
[NEW] BeyondTrust Remote Support RCE actively exploited in ransomware campaigns
Attackers are leveraging CVE-2026-1731, a pre-authentication remote code execution flaw in BeyondTrust Remote Support (≤25.3.1) and Privileged Remote Access (≤24.3.4), to deploy ransomware. CISA confirmed active exploitation and added the flaw to its KEV catalog, urging immediate patches. The vulnerability enables OS command injection via crafted requests, allowing unauthenticated attackers to gain full system control. Healthcare and critical infrastructure organizations are prime targets due to widespread use of BeyondTrust for remote access. Mitigate by upgrading to Remote Support 25.3.2+ or PRA 25.1.1+ and restricting internet exposure of management interfaces [BleepingComputer; CISA KEV].
[NEW] Ransomware forces University of Mississippi Medical Center to shut down 35 clinics
A ransomware attack at the University of Mississippi Medical Center (UMMC) took information systems offline, forcing the closure of all 35 statewide clinics and cancellation of non-urgent appointments. The incident highlights escalating risks to healthcare delivery, where encryption of EHRs and scheduling systems disrupts patient care. UMMC has not disclosed the ransomware strain or data theft status. Defenders should isolate clinical networks, enforce offline backups, and monitor for new ransomware variants targeting healthcare [Cyberwarzone via Malware.news].
[NEW] Pulse Secure network breached via backdoor embedded in VPN software
Pulse Secure (Ivanti) suffered a supply-chain breach after attackers implanted a backdoor in its VPN code, affecting 119 customer organizations. The intrusion underscores recurring Ivanti VPN vulnerabilities exploited by state-aligned groups. Compromised VPN appliances provide attackers with persistent network access and lateral movement capabilities. Ivanti customers should audit VPN logs for anomalous authentication, apply emergency patches, and rotate all credentials stored in VPN sessions [Cyberwarzone via Malware.news].
Threat Actor Activity & Campaigns
[NEW] Starkiller phishing-as-a-service proxies real login pages to bypass MFA
A new phishing-as-a-service platform named Starkiller enables attackers to relay victims through legitimate login pages, capturing credentials and session tokens in real time. The service uses reverse proxies and URL masking that places a legitimate hostname in the userinfo part of the URL (e.g., login.microsoft.com@[malicious-site], which the browser actually resolves to the malicious site) to evade traditional detection. It logs keystrokes, steals MFA tokens, and provides campaign analytics, significantly lowering the barrier for low-skill attackers. Organizations should train users to inspect full URLs, deploy anti-phishing tools that detect proxy behaviors, and monitor for session hijacking [Krebs on Security; Abnormal AI analysis].
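A defender-side check for the userinfo masking trick described above, written as an added example (not from the digest or from any vendor's tooling). It uses the standard library only; the sample URLs and the watched-host list are constructed for the example, with evil.example standing in for the digest's [malicious-site] placeholder.

```python
from urllib.parse import urlsplit

# Constructed sample URLs (not from the digest). The first two imitate the
# "login.microsoft.com@<malicious-site>" masking pattern; the rest are benign.
SAMPLE_URLS = [
    "https://login.microsoft.com@evil.example/common/oauth2",
    "http://accounts.google.com:443@203.0.113.7/signin",
    "https://login.microsoft.com/common/oauth2",
    "https://docs.example.org/path?x=1",
]

# Brand login hosts an attacker would want to show before the '@'. Assumed list.
WATCHED_LOGIN_HOSTS = {"login.microsoft.com", "accounts.google.com", "login.live.com"}


def real_host(url):
    """Host the browser will actually connect to (userinfo stripped, lower-cased)."""
    return (urlsplit(url).hostname or "").lower()


def userinfo_decoy(url):
    """Return the text before '@' if it impersonates a watched login host, else None.

    RFC 3986 puts everything before '@' in the authority into the userinfo field;
    browsers ignore or drop it, so https://login.microsoft.com@evil.example goes
    to evil.example. urlsplit exposes that field as .username (and .password after ':').
    """
    username = urlsplit(url).username
    if username is None:
        return None
    decoy = username.lower()
    return decoy if decoy in WATCHED_LOGIN_HOSTS else None


def flag_masked_urls(urls):
    """Return (url, decoy, real_host) for URLs whose userinfo impersonates a login host."""
    findings = []
    for u in urls:
        decoy = userinfo_decoy(u)
        if decoy and decoy != real_host(u):
            findings.append((u, decoy, real_host(u)))
    return findings
```

Run the same function over URLs extracted from mail or proxy logs; a hit means the visible brand name and the connecting host disagree.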
[NEW] Japanese tech giant Advantest confirms ransomware attack
Advantest, a $120B market-cap semiconductor testing equipment leader, detected a ransomware intrusion on February 15 that may have exposed customer and employee data. The incident disrupted corporate networks and required third-party incident response. While no ransomware group has claimed responsibility, the attack reflects escalating targeting of high-tech supply chains by financially motivated actors. Defenders should strengthen network segmentation and prioritize firmware integrity monitoring for industrial equipment suppliers [BleepingComputer].
[NEW] French banking registry breach exposes 1.2 million accounts via compromised credentials
Attackers accessed France's national bank account registry (FICOBA) using credentials stolen from a civil servant, exposing data on 1.2 million accounts including IBANs, identities, and addresses. The breach disrupted the registry's operations and prompted fraud warnings. Organizations should enforce phishing-resistant MFA for administrative accounts and audit logging for sensitive financial databases [BleepingComputer; DataBreaches.Net].
Vulnerabilities & Patches
[NEW] Roundcube CVE-2025-49113 added to CISA KEV amid active exploitation
CISA added CVE-2025-49113, a critical vulnerability in Roundcube Webmail versions prior to 1.5.10/1.6.11, to its Known Exploited Vulnerabilities catalog. The flaw (details undisclosed) is actively exploited in the wild. Administrators should update to patched versions immediately and restrict webmail access to trusted networks [Canadian Centre for Cyber Security].
[NEW] Windows Notepad Markdown RCE (CVE-2026-20841) PoC released
A high-severity RCE vulnerability in modern Windows Notepad (versions ≤11.2508) allows command injection via malicious Markdown links when users Ctrl+click them. PoC exploits are publicly available, enabling arbitrary code execution. Microsoft patched the issue in build 11.2510+. Defenders should enforce Microsoft Store updates and block execution of .md files from untrusted sources [Cyber Press].
[NEW] PayPal data breach exposed PII for 6 months due to software error
A coding error in PayPal's Working Capital loan app exposed names, SSNs, and other PII of business customers from July to December 2025. PayPal reverted the faulty code after discovery and offered credit monitoring. The breach underscores risks of insecure data handling in fintech platforms. Users should enable account alerts and monitor credit reports for identity theft [BleepingComputer; DataBreaches.Net].
Defense & Detection
[NEW] Active Directory dynamic objects abused for stealthy persistence
Attackers are weaponizing AD dynamic objects, which self-delete after a TTL, to bypass quotas, pollute ACLs, and erase forensic evidence. Techniques include creating ephemeral machine accounts to bypass the machine account quota (MAQ), corrupting AdminSDHolder with orphan SIDs, and exploiting hybrid sync gaps in Entra ID. Defenders should monitor for creation of objects with entryTTL or msDS-Entry-Time-To-Die attributes and enforce real-time alerting on anomalous ACL changes [Tenable Blog].
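The monitoring the digest recommends, as an added example (not Tenable's or the digest's own code): scan a directory export for objects that carry a TTL and rate ephemeral computer objects highest, since that is the MAQ-bypass pattern. The LDIF sample and the reference time NOW are constructed; the attribute names (objectClass dynamicObject, entryTTL, msDS-Entry-Time-To-Die) are the real AD/LDAP ones.

```python
from datetime import datetime, timezone

# Constructed LDIF-style sample, not real directory data; attribute names are the real AD ones.
SAMPLE_LDIF = """\
dn: CN=WS-TEMP01,CN=Computers,DC=corp,DC=example
objectClass: computer
objectClass: dynamicObject
entryTTL: 900
msDS-Entry-Time-To-Die: 20260221101500.0Z

dn: CN=FILESRV01,CN=Computers,DC=corp,DC=example
objectClass: computer

dn: CN=tmp-grp,OU=Groups,DC=corp,DC=example
objectClass: group
objectClass: dynamicObject
entryTTL: 3600
msDS-Entry-Time-To-Die: 20260221110000.0Z
"""

# Constructed reference time for the example; use datetime.now(timezone.utc) in practice.
NOW = datetime(2026, 2, 21, 10, 0, 0, tzinfo=timezone.utc)


def parse_ldif(text):
    # Minimal LDIF parser: blank-line separated entries, one "attr: value" per line.
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
        entries.append(entry)
    return entries


def generalized_time(value):
    """LDAP GeneralizedTime such as 20260221101500.0Z -> aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%S.%fZ").replace(tzinfo=timezone.utc)


def find_dynamic_objects(ldif_text, now):
    """Flag objects carrying a TTL; ephemeral computer objects rate 'high' (MAQ-bypass pattern)."""
    findings = []
    for e in parse_ldif(ldif_text):
        classes = {c.lower() for c in e.get("objectClass", [])}
        if "dynamicobject" not in classes and "entryTTL" not in e and "msDS-Entry-Time-To-Die" not in e:
            continue
        die = e.get("msDS-Entry-Time-To-Die")
        findings.append({
            "dn": e["dn"][0],
            "ttl": int(e["entryTTL"][0]) if "entryTTL" in e else None,
            "seconds_to_die": int((generalized_time(die[0]) - now).total_seconds()) if die else None,
            "severity": "high" if "computer" in classes else "medium",
        })
    return findings
```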
[NEW] Anthropic launches Claude Code Security for AI-driven vulnerability scanning
Anthropic introduced Claude Code Security, an embedded scanning tool for codebases that identifies vulnerabilities and suggests patches. Early testing shows effectiveness in finding high-severity flaws, but researchers note it may miss complex threats requiring human analysis. The tool represents a shift toward AI-augmented security reviews but requires validation to avoid false negatives. Security teams should integrate it as a supplement, not replacement, for manual code reviews [CyberScoop].
Policy & Industry News
[NEW] Google blocks 1.75 million malicious apps from Play Store in 2025
Google prevented 1.75M policy-violating apps from reaching Android users, down from 2.36M in 2024, citing improved AI-driven detection. Over 80,000 developer accounts were banned. Enhanced protections include expanded fraud coverage and in-call scam defenses. Defenders should enable Play Protect and prioritize scanning of sideloaded apps [Cyber Press; GBHackers].
[NEW] Winter Olympics 2026 spur hacktivist campaigns targeting defense industry
Hacktivist groups are coordinating attacks on defense contractors and Olympics sponsors via DDoS and data leaks, exploiting heightened event visibility. Google Threat Intelligence notes overlap with state-aligned actors targeting supply chains. Organizations tied to the Games should increase monitoring of public-facing assets and prepare for brand-impacting disruptions [Rapid7 Blog].