AI-assisted firewall breaches 🤖, Roundcube CVE exploitation ⚡, Yandex Bitcoin scams 💰, Predator iOS spyware 📱

Daily Threat Intel Digest - 2026-02-22

🔴 Critical Threats & Active Exploitation

[NEW] AI-assisted hacker breaches 600+ FortiGate firewalls in 5 weeks
A Russian-speaking threat actor used generative AI to breach more than 600 FortiGate firewalls across 55 countries without a single exploit. The campaign, active from January 11 to February 18, targeted management interfaces exposed to the internet and protected only by weak credentials with no MFA. Once inside, the actor ran AI-generated Python and Go scripts to automate reconnaissance: parsing the exported firewall configuration for credentials and network topology, then picking out high-value follow-on targets such as domain controllers and Veeam backup servers. The campaign shows how AI lowers the barrier to entry, letting a low-to-medium-skill operator work at a scale and speed previously associated with advanced groups. Organizations should verify that no firewall exposes its management interface to the internet, enforce MFA on every administrative account, restrict admin logins to trusted source addresses, and harden backup infrastructure against the described TTPs. (Source: Amazon’s AWS Security Blog)
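The attacker's scripts parsed FortiGate configuration backups offensively; the same parsing can be turned around to audit your own backups for exactly the weaknesses this campaign relied on. The script below is an added example written for this digest, not code from the AWS Security Blog or from Fortinet. It assumes the standard FortiOS text backup layout (`config` / `edit` / `set` / `next` / `end`) and the `allowaccess`, `role`, `trusthost` and `two-factor` settings as they appear in that format; the sample configuration it parses is constructed for illustration and does not describe any real device.

```python
"""Audit a FortiOS configuration backup for internet-exposed admin access and
admin accounts without trusted hosts or two-factor authentication.

Added example for this digest; it assumes the usual FortiOS backup syntax and
only handles the subset of it needed here.
"""

# Constructed sample backup (not from a real device). "wan1" exposes HTTPS and
# SSH admin access on a WAN interface; "admin" has no trusted hosts and no MFA.
SAMPLE_CONFIG = """\
config system global
    set admin-sport 443
end
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh
        set role wan
    next
    edit "internal"
        set vdom "root"
        set ip 10.10.0.1 255.255.255.0
        set allowaccess ping https ssh fgfm
        set role lan
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "netops"
        set trusthost1 10.10.0.0 255.255.255.0
        set two-factor fortitoken
        set accprofile "super_admin"
        set vdom "root"
    next
end
"""

# allowaccess values that reach the management plane (GUI, CLI).
ADMIN_PROTOCOLS = {"https", "http", "ssh", "telnet"}


def parse_fortios(text):
    """Return {section: {entry_name: {key: value}}} for a FortiOS backup.

    Handles one level of 'config' with 'edit' entries. Nested 'config' blocks
    inside an entry (e.g. 'config ipv6' under an interface) are skipped.
    """
    sections = {}
    section = None
    entry = None
    depth = 0  # nesting depth of config blocks inside the current entry
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            if entry is not None:
                depth += 1  # nested block inside an entry: ignore its contents
            else:
                section = line[len("config "):]
                sections.setdefault(section, {})
        elif line == "end":
            if depth:
                depth -= 1
            else:
                section = None
        elif depth:
            continue
        elif line.startswith("edit "):
            entry = line[len("edit "):].strip('"')
            sections[section][entry] = {}
        elif line == "next":
            entry = None
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[len("set "):].partition(" ")
            sections[section][entry][key] = value.strip('"')
    return sections


def audit(sections):
    """Return a list of (severity, message) findings, interfaces first."""
    findings = []
    for name, iface in sections.get("system interface", {}).items():
        allowed = set(iface.get("allowaccess", "").split())
        exposed = sorted(allowed & ADMIN_PROTOCOLS)
        if iface.get("role") == "wan" and exposed:
            findings.append(("critical",
                             f"interface {name} (role wan) exposes admin access: "
                             f"{' '.join(exposed)}"))
    for name, admin in sections.get("system admin", {}).items():
        # A trusthost of 0.0.0.0 0.0.0.0 means "any source", same as none at all.
        hosts = [v for k, v in admin.items()
                 if k.startswith("trusthost") and v != "0.0.0.0 0.0.0.0"]
        if not hosts:
            findings.append(("high", f"admin {name} has no trusted hosts "
                                     "(logins accepted from any source IP)"))
        if admin.get("two-factor", "disable") == "disable":
            findings.append(("high", f"admin {name} has no two-factor authentication"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(parse_fortios(SAMPLE_CONFIG)):
        print(f"[{severity}] {message}")
```

Run it against a real backup by reading the file into `parse_fortios` instead of `SAMPLE_CONFIG`; on the constructed sample it reports the WAN interface exposing HTTPS and SSH and the `admin` account lacking both trusted hosts and two-factor, while `netops` passes. Treat a "critical" finding as the precondition the campaign above exploited and fix it before worrying about anything else.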

[NEW] Discord’s age verification partner exposes sensitive frontend data
Security researchers found that frontend components used by Persona, the third-party identity verification vendor behind Discord’s age checks, were reachable on the open web. The exposure reveals internal details of the age verification flow, creating privacy and security risks for users who go through it, and it puts renewed pressure on Discord’s 2026 compliance strategy while raising questions about the security posture of vendors that handle sensitive personal data for large platforms. Exposed frontend material of this kind can be used for reconnaissance or to craft more convincing social engineering lures aimed at Discord users. (Source: DataBreaches.Net)

[NEW] CISA warns of active exploitation for two Roundcube flaws
CISA has added two vulnerabilities in the Roundcube webmail software to its Known Exploited Vulnerabilities (KEV) catalog, signaling active exploitation in the wild. The specific CVE identifiers were not given in the report. A KEV listing obliges federal civilian executive branch (FCEB) agencies to remediate by CISA’s due date and is a strong signal for every other organization. Administrators running Roundcube should apply the vendor patches, or the published mitigations where patching is not yet possible, and review webmail access logs for signs of prior compromise. The alert underscores how consistently web-based email infrastructure is targeted as an initial access vector. (Source: Cyberwarzone)

🎯 Threat Actor Activity & Campaigns

[NEW] Unit 42 report: Attackers exploit new CVEs within 15 minutes, exfiltrate in 1.2 hours
Palo Alto Networks’ Unit 42 2026 Global Incident Response report describes a shift in attack speed driven by AI. Attackers are weaponizing newly disclosed CVEs within 15 minutes of publication by automating vulnerability analysis and exploit development. In the fastest intrusions, time to exfiltration fell from 4.8 hours in 2024 to 1.2 hours in 2025. The report also details nation-state actors using deepfakes in “Weaponized HR” schemes to get hired as employees, and ransomware groups moving away from encryption alone (now seen in 78% of cases) toward multi-pronged data theft and reputational extortion, while protecting their “brand reputation” by honoring promises made to victims. Defenders must match this machine-speed threat with velocity of their own: hardened identities, automated containment, and response playbooks that do not wait for a human to notice. (Source: SOCFortress on Medium)

[NEW] Advance-fee scammers abuse Yandex polls to fake Bitcoin payouts
An active and evolving advance-fee scam campaign abuses legitimate-looking Yandex poll links to draw victims into elaborate fake Bitcoin compensation schemes. The multi-stage flow starts with a simple poll, then redirects to a fake site claiming that a large BTC payout is pending. A chat-based “support agent” pressures the victim into paying a small “commission” (around $67-$69) to release funds that do not exist. Researchers observed a second variant themed as a fake Octa trading dashboard. The infrastructure is recent and active, with domains such as cosibas[.]site and paybits[.]cc registered in late January and early February 2026. Defenders should block the published IOCs and remind users that a legitimate payout never requires a fee up front. (Source: Malwr-analysis)

[NEW] Predator spyware hides iOS recording indicators with a single SpringBoard hook
Technical analysis of Intellexa’s Predator spyware has revealed the exact mechanism it uses to suppress the iOS camera and microphone recording indicators. After obtaining kernel-level access, Predator installs a single hook on the _handleNewDomainData: method of SpringBoard’s SBSensorActivityDataProvider. By intercepting and nullifying the object that carries all sensor activity updates, it prevents the green and orange status-bar dots from ever appearing, enabling fully clandestine surveillance. This TTP gives defenders and MDM vendors concrete artifacts to hunt for: unexpected memory mappings and breakpoint-based hooks in the SpringBoard and mediaserverd processes, and audio files written to unusual file paths. (Source: BleepingComputer)