Cyber Threat Brief — February 22, 2026

⚠️ This report is AI-generated. Always validate findings.

Audience: Detection Engineers | Window: Feb 21–22, 2026


1. AI-Augmented Threat Actor Compromises 600+ FortiGate Devices

What’s New

Amazon’s CISO published an in-depth campaign report today documenting a Russian-speaking financially motivated actor that breached 600+ FortiGate firewalls across 55 countries in just five weeks (Jan 11 – Feb 18, 2026) — aided by generative AI for code development and recon automation.

Technical Details

Field | Value
Threat Actor | Russian-speaking, financially motivated (low-to-medium skill)
Campaign Window | January 11 – February 18, 2026
Targets | 600+ FortiGate devices, 55 countries (South Asia, Latin America, West Africa, Northern Europe, Southeast Asia)
Initial Access | Brute-force on exposed mgmt interfaces (no exploits used)
Scanned Ports | 443, 8443, 10443, 4443
AI Role | Code generation, recon automation, operational documentation
Secondary Targets | Veeam Backup & Replication servers
Exploitation CVEs | CVE-2019-7192 (QNAP RCE), CVE-2023-27532 / CVE-2024-40711 (Veeam)

What was extracted from breached FortiGates:

  • SSL-VPN user credentials (with recoverable passwords)
  • Administrative credentials
  • Firewall policies and internal network architecture
  • IPsec VPN configurations
  • Network topology and routing information

AI-fingerprints in attacker tooling (Go/Python):

  • Redundant comments that restate function names
  • Naive JSON parsing via string matching (not proper deserialization)
  • Compatibility shims with empty documentation stubs
  • Architecture: simplistic with disproportionate investment in formatting

Post-access recon tool behavior:

  • Analyzes routing tables, classifies networks by size
  • Port scans via gogo scanner (chainreactors/gogo)
  • Identifies SMB hosts and domain controllers
  • Uses Nuclei for HTTP service discovery

Credential extraction: Operational docs (in Russian) referenced Meterpreter + Mimikatz for DCSync attacks and NTLM hash extraction from AD. Script DecryptVeeamPasswords.ps1 deployed to extract Veeam credentials before ransomware staging.

TTPs

Tactic | Technique | Observable
Initial Access | T1078.001 - Valid Accounts: Default | Common passwords against FortiGate mgmt interfaces
Initial Access | T1190 - Exploit Public-Facing Application | Mgmt interfaces exposed on non-standard ports
Credential Access | T1110.001 - Brute Force: Password Guessing | Failed/successful auth attempts on ports 443/8443/10443/4443
Collection | T1005 - Data from Local System | FortiGate config file extraction (SSL-VPN creds, firewall policies)
Discovery | T1018 - Remote System Discovery | gogo scanner + routing table analysis
Discovery | T1046 - Network Service Discovery | Nuclei HTTP scanning, SMB host enumeration
Lateral Movement | T1021.002 - SMB/Windows Admin Shares | Post-VPN domain traversal
Credential Access | T1003.006 - DCSync | Meterpreter + Mimikatz against AD
Impact | T1490 - Inhibit System Recovery | Veeam credential theft before ransomware deployment

Detection Opportunities

FortiGate Management Interface:

# Monitor for brute-force auth failures on FortiGate
# Look for rapid auth failures followed by success from same source
# Especially on ports 8443 / 10443 / 4443 (non-standard)

# FortiGate Syslog:
event_id=0101037122 AND action=login AND status=failed -> followed by status=success

AI-generated tool fingerprints in scripts:

# Python/Go scripts with these patterns may indicate AI-assisted tooling:
# - Comments that exactly restate function names
# - String-based JSON parsing (not json.loads)
# - "gogo" scanner usage on internal networks

Veeam targeting:

# PowerShell script detection
CommandLine|contains: "DecryptVeeamPasswords"
ParentImage|endswith: "powershell.exe"

# Veeam credential access
Process accessing: VeeamVssSupport.dll, VeeamDeploymentSvc.exe

DCSync Detection:

# Mimikatz DCSync
EventID: 4662
Properties: {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}  # DS-Replication-Get-Changes
            {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}  # DS-Replication-Get-Changes-All (DCSync requests both)
AccountName: (non-DC account)

Log Sources

  • FortiGate system/auth event logs (syslog)
  • Sysmon Events: 1 (process create), 3 (network), 7 (image load)
  • Windows Security: 4625/4624 (auth), 4662 (object access/DCSync)
  • EDR: process lineage for PowerShell + credential tools
  • Network: connections to external IPs from VPN-accessing hosts
  • Veeam: service/access logs

Detection Coverage

Source | Status
Sigma (FortiGate) | FortiGate - VPN SSL Settings Modified, FortiGate - New Local User Created, FortiGate - New Administrator Account Created
Sigma (DCSync) | ✅ Multiple Mimikatz/DCSync rules
Sigma (Veeam) | Veeam Backup Servers Credential Dumping Script Execution
Elastic | Newly Observed FortiGate Alert, Potential Veeam Credential Access Command
Splunk ESCU | Cisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity
Brute-force on non-std ports | Gap — No specific detection for FortiGate brute-force on 8443/10443/4443
gogo scanner internal use | Gap — No detection for chainreactors/gogo on internal networks

Recommendation: Add threshold-based alerting for consecutive FortiGate auth failures from same source IP, specifically targeting non-standard ports.
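The threshold alerting recommended above, written out as an added example (not part of the brief or of any vendor rule set): a sliding-window detector over FortiGate-style admin login events, with a lower bar on the non-standard ports 8443/10443/4443 and a higher-severity alert when a success follows repeated failures. The log lines and field names (srcip, dstport, status) are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

NONSTANDARD_PORTS = {"8443", "10443", "4443"}   # scanned ports from the campaign report
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')      # FortiGate key=value syslog fields

# Constructed FortiGate-style admin login events; field names are assumptions.
SAMPLE_LOGS = """\
date=2026-02-15 time=03:12:41 action=login status=failed srcip=203.0.113.5 dstport=10443 user=admin
date=2026-02-15 time=03:12:43 action=login status=failed srcip=203.0.113.5 dstport=10443 user=admin
date=2026-02-15 time=03:12:45 action=login status=failed srcip=203.0.113.5 dstport=10443 user=admin
date=2026-02-15 time=03:12:47 action=login status=failed srcip=203.0.113.5 dstport=10443 user=fortinet
date=2026-02-15 time=03:12:49 action=login status=failed srcip=203.0.113.5 dstport=10443 user=admin
date=2026-02-15 time=03:12:52 action=login status=success srcip=203.0.113.5 dstport=10443 user=admin
date=2026-02-15 time=03:20:00 action=login status=failed srcip=198.51.100.7 dstport=443 user=admin
date=2026-02-15 time=03:21:00 action=login status=success srcip=198.51.100.7 dstport=443 user=admin
""".splitlines()

def parse_line(line):
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["ts"] = datetime.fromisoformat(f"{fields['date']} {fields['time']}")
    return fields

def detect_bruteforce(lines, threshold=5, nonstandard_threshold=3,
                      success_min_failures=3, window_seconds=300):
    """Sliding-window brute-force detector keyed on source IP.

    Emits ('threshold', ...) when failures inside the window reach the bar (a lower
    bar on non-standard management ports, where admin logins should be rare), and
    ('success_after_failures', ...) when a login succeeds after repeated failures,
    which is the higher-severity "password guessed" signal.
    """
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)   # srcip -> timestamps of recent failed logins
    alerts = []
    for ev in map(parse_line, lines):
        if ev.get("action") != "login":
            continue
        q = failures[ev["srcip"]]
        while q and ev["ts"] - q[0] > window:   # expire failures outside the window
            q.popleft()
        if ev["status"] == "failed":
            q.append(ev["ts"])
            bar = nonstandard_threshold if ev["dstport"] in NONSTANDARD_PORTS else threshold
            if len(q) == bar:   # fire once when the bar is reached, not on every failure
                alerts.append(("threshold", ev["srcip"], ev["dstport"], len(q)))
        elif ev["status"] == "success" and len(q) >= success_min_failures:
            alerts.append(("success_after_failures", ev["srcip"], ev["dstport"], len(q)))
            q.clear()
    return alerts
```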


2. CVE-2026-27197 — Sentry SAML SSO Bypass (CVSS 9.1)

What’s New

A critical authentication bypass in Sentry’s SAML SSO implementation allows complete account takeover of any user on a Sentry instance — without knowing their credentials. Affects versions spanning over 4 years of releases.

Technical Details

Field | Value
CVE | CVE-2026-27197
CVSS | 9.1 (Critical)
Affected | Sentry 21.12.0 – 26.1.0 (self-hosted and Sentry.io)
Fixed | Sentry 26.2.0
Exploit | No public PoC at time of writing
Published | February 21, 2026

Root Cause: Logic flaw in SAML assertion processing across organizational contexts. An attacker with a malicious SAML Identity Provider (IdP) can leverage cross-organization SSO interactions on the same Sentry instance to authenticate as any victim user.

Attack Requirements:

  • Network-accessible Sentry instance (no prior auth)
  • Either: multi-org Sentry instance, OR attacker has access to modify SSO settings for one org on a shared instance
  • Self-hosted instances with SENTRY_SINGLE_ORGANIZATION = False are most exposed

Impact: Full account takeover → access to all error logs, stack traces, source code snippets, environment variables, and secrets surfaced through Sentry integrations.

TTPs

Tactic | Technique | Observable
Initial Access | T1078.004 - Cloud Accounts | SSO login from unexpected IdP
Persistence | T1550.001 - Application Access Token | Sessions created via SAML assertion bypass
Collection | T1213 - Data from Information Repositories | Access to Sentry project errors and source maps

Detection Opportunities

# Sentry audit logs: authentication events from unexpected IdP sources
# Look for: SAML auth events where the requesting org ≠ the authenticated org

# Web server / proxy logs:
POST /auth/sso/ with unusual Assertion consumer URLs

# Anomalous login patterns:
User authenticated to Org-A using IdP registered under Org-B

Immediate Action: Upgrade to Sentry 26.2.0. Workaround: enforce 2FA for all user accounts (mitigates even if attacker completes SAML bypass).
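The "Org-A session from an IdP registered under Org-B" check above, as an added example that is not part of the brief: it compares the issuer of each accepted SAML assertion against the IdP the target org has configured and labels cross-org and unknown issuers. The org-to-IdP inventory, the event field names and the login records are constructed assumptions, not Sentry's audit-log schema.

```python
from dataclasses import dataclass

# Constructed inventory: the IdP entity ID (<saml:Issuer>) each org on the instance has
# registered. Field names are assumptions, not Sentry's audit-log schema.
ORG_IDP = {
    "acme":   "https://idp.acme.example/saml/metadata",
    "globex": "https://idp.globex.example/saml/metadata",
}

@dataclass(frozen=True)
class SamlLogin:
    org: str      # organization the session was created in
    issuer: str   # Issuer of the SAML assertion that was accepted
    user: str
    src_ip: str

# Constructed login events for the example.
EVENTS = [
    SamlLogin("acme",   "https://idp.acme.example/saml/metadata",   "alice@acme.example", "192.0.2.10"),
    SamlLogin("acme",   "https://idp.globex.example/saml/metadata", "alice@acme.example", "203.0.113.44"),
    SamlLogin("globex", "https://idp.attacker.example/saml",        "bob@globex.example", "203.0.113.45"),
]

def classify(ev, org_idp=ORG_IDP):
    """'ok' when the assertion came from the org's own IdP; 'cross_org:<owner>' when it
    came from an IdP registered under another org on the same instance (the pattern the
    CVE-2026-27197 observables describe); 'unknown_issuer' when no org has that IdP."""
    if ev.issuer == org_idp.get(ev.org):
        return "ok"
    owners = [org for org, idp in org_idp.items() if idp == ev.issuer]
    return f"cross_org:{owners[0]}" if owners else "unknown_issuer"

def find_suspicious(events, org_idp=ORG_IDP):
    """Return (user, org, src_ip, verdict) for every login that is not 'ok'."""
    findings = []
    for ev in events:
        verdict = classify(ev, org_idp)
        if verdict != "ok":
            findings.append((ev.user, ev.org, ev.src_ip, verdict))
    return findings
```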

Log Sources

  • Sentry audit log (via Sentry API: /api/0/organizations/{org}/audit-logs/)
  • Identity provider (IdP) assertion logs
  • Web access/proxy logs for /auth/sso/ endpoints
  • Cloud SIEM for SaaS Sentry environments

Detection Coverage

Source | Status
Sigma (SAML) | SAML Token Issuer Anomaly, AWS Suspicious SAML Activity
Elastic | ❌ No Sentry-specific SAML detection
Splunk ESCU | Ivanti Connect Secure SSRF in SAML Component (tangentially related)
Sentry-specific auth bypass | Gap — No detection rule for cross-org SAML assertion abuse


3. Operation Aether — Phobos Ransomware Affiliate Arrested in Poland

What’s New

Polish police (CBZC) arrested a 47-year-old Phobos ransomware affiliate as part of Operation Aether — a Europol-coordinated international crackdown. Devices seized contained a treasure trove of credentials, CC numbers, and server access data, revealing the infrastructure of an active RaaS operation.

Technical Details

Field | Value
Operation | Operation Aether (Europol-coordinated)
Arrest | 47-year-old male, Małopolska region, Poland
Agencies | CBZC (Poland) + Katowice/Kielce units + District Prosecutor, Gliwice
Seized | Credentials, passwords, credit card numbers, server IPs
Communications | Encrypted messaging apps (Phobos contact)
Charges | Art. 269b Polish Criminal Code — hacking tool production/distribution, max 5 years
RaaS Volume | ~11% of all ID Ransomware submissions (May–Nov 2024)
Historical Impact | 1,000+ victims, $16M+ in ransom payments (DOJ)

Phobos TTPs (for detection context):

  • Initial access primarily via RDP brute-force (exposed port 3389)
  • Derived from Crysis ransomware family
  • Affiliates use stolen credentials / server IPs (as found on seized devices)

TTPs

Tactic | Technique | Observable
Initial Access | T1110.001 - Brute Force: Password Guessing | RDP auth failures from external IPs
Initial Access | T1078 - Valid Accounts | Use of purchased/stolen server credentials
Impact | T1486 - Data Encrypted for Impact | .phobos / .eking file extensions post-encryption
Defense Evasion | T1562 - Impair Defenses | Shadow copy deletion, backup removal

Detection Opportunities

# Detect RDP brute-force (Phobos primary vector)
EventID: 4625
LogonType: 3 or 10
# Threshold: >10 failures from same IP in 5 minutes

# Post-auth: Shadow copy deletion
CommandLine|contains:
  - 'vssadmin delete shadows'
  - 'wmic shadowcopy delete'
  - 'bcdedit /set safeboot'

# File rename monitoring for .phobos/.eking extensions
# (EDR file system telemetry)

Operational note: The arrest gives law enforcement visibility into Phobos infrastructure. Expect a potential wave of infrastructure takedowns; IOCs may shift rapidly.
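The shadow-copy-deletion step of the behavior chain above, as an added example that is not part of the brief: the three command-line patterns from the detection notes, matched in a way that tolerates quoting, case, extra whitespace and the {default} identifier that bcdedit usually carries, run over constructed Sysmon Event 1 style records. The sample events and parent paths are constructed.

```python
import re

# Patterns from the brief's detection notes, written to survive case changes, quoted
# paths, extra whitespace and the optional {default} identifier in bcdedit invocations.
VSS_PATTERNS = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "wmic_shadowcopy_delete":  re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "bcdedit_safeboot":        re.compile(r"\bbcdedit(?:\.exe)?\b.*/set\b.*\bsafeboot\b", re.I),
}

def normalize(cmdline):
    # Collapse whitespace and drop quotes so a full quoted path still matches.
    return re.sub(r"\s+", " ", cmdline.replace('"', "")).strip()

def match_vss_tampering(cmdline):
    """Names of every pattern the command line matches (empty list when benign)."""
    norm = normalize(cmdline)
    return [name for name, pat in VSS_PATTERNS.items() if pat.search(norm)]

# Constructed Sysmon Event 1 style records (only the fields this example uses).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": r'"C:\Windows\System32\vssadmin.exe"  Delete Shadows /All /Quiet',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete",
     "ParentImage": r"C:\Users\svc\AppData\Local\Temp\1.exe"},
    {"Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit /set {default} safeboot minimal",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows",   # benign administrative query
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

def scan_events(events):
    """(ParentImage, matched pattern) for each event that looks like recovery tampering;
    the parent is kept because an unusual parent (a dropper in Temp) raises severity."""
    hits = []
    for ev in events:
        names = match_vss_tampering(ev["CommandLine"])
        if names:
            hits.append((ev["ParentImage"], names[0]))
    return hits
```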

Log Sources

  • Windows Security: 4625/4624 (auth failures/successes)
  • Sysmon: Event 1 (process create for vssadmin, bcdedit, wmic)
  • EDR: File system events for bulk extension changes
  • Firewall/network: Inbound RDP traffic from untrusted IPs

Detection Coverage

Source | Status
Sigma | ✅ Multiple RDP brute-force, shadow copy deletion rules
Splunk ESCU | ✅ Multiple shadow copy, ransomware detonation rules
Elastic | ✅ Multiple ransomware detection rules
Phobos-specific | Gap — No Phobos-specific Sigma rules found; detection must rely on behavior (RDP brute-force + encryption + VSS deletion chain)


4. Air-Gap-Bridging Cryptominer Worm via USB

What’s New

Security researchers have documented a sophisticated cryptomining campaign capable of crossing air-gapped network boundaries by propagating through infected removable storage devices — masquerading as Windows processes and using kernel-level persistence to mine cryptocurrency indefinitely without user awareness.

Technical Details

Field | Value
Malware Type | Crypto-mining worm
Propagation | USB drives, portable hard disks
Initial Delivery | Pirated software bundles (social engineering)
Process Masquerade | Explorer.exe (fake Windows process)
Air-Gap Technique | WM_DEVICECHANGE / DBT_DEVICEARRIVAL monitoring
Persistence | Kernel-level (system-level techniques)
Goal | Silent, persistent cryptocurrency mining
Attribution | Not publicly attributed

Air-gap crossing mechanism:

  1. Malware installed via pirated software bundle on internet-connected machine
  2. Monitors Windows device notification events (WM_DEVICECHANGE, DBT_DEVICEARRIVAL)
  3. Confirms presence of storage volumes, scans drive letters E–Z
  4. Copies payload to removable media via function sub_140014190
  5. When infected drive inserted into air-gapped machine → infection continues

Infection chain:

Pirated software → installer → dropper → Explorer.exe fake process
                                       → WM_DEVICECHANGE monitor
                                       → USB payload copier (E-Z drives)
                                       → kernel-level mining component

TTPs

Tactic | Technique | Observable
Initial Access | T1091 - Replication Through Removable Media | Autorun or user-executed payload from USB
Execution | T1036.005 - Masquerading: Match Legitimate Name | Explorer.exe in non-standard path
Persistence | T1543 - Create/Modify System Process | Kernel-level persistence components
Discovery | T1120 - Peripheral Device Discovery | WM_DEVICECHANGE API calls scanning E-Z drive letters
Lateral Movement | T1091 - Replication Through Removable Media | Writing payload to newly connected USB drives
Impact | T1496 - Resource Hijacking | CPU/GPU resources consumed for cryptomining

Detection Opportunities

# Suspicious Explorer.exe from non-standard path
Image|endswith: '\Explorer.exe'
NOT Image: 'C:\Windows\explorer.exe'

# WM_DEVICECHANGE monitoring via PowerShell / suspicious process
CommandLine|contains: 'WM_DEVICECHANGE'
# OR via process creating window messages handlers

# Drive letter enumeration via WMI/API (E-Z scanning pattern)
CommandLine|contains:
  - 'GetDriveType'
  - DriveType: DRIVE_REMOVABLE

# File copy to removable media from non-user process
DestinationDrive: [E-Z]
ParentProcess: (not explorer, not robocopy)

# High CPU usage from masqueraded system process
ProcessName: 'Explorer.exe'
CPUUsage: >70%
ParentImage: NOT 'C:\Windows\System32\userinit.exe'
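The compound check the coverage table below lists as a gap (masqueraded process plus payload writes to E–Z drive letters), as an added example that is not part of the brief: Sysmon Event 1 and Event 11 records are joined on ProcessGuid, and a process is flagged when it is an Explorer.exe outside C:\Windows or is not a tool expected to write to removable media. The events, paths and file names are constructed; drive letters E–Z are a heuristic, since mapped network drives use the same range.

```python
import re
from collections import defaultdict

LEGIT_EXPLORER = r"c:\windows\explorer.exe"
REMOVABLE_DRIVE = re.compile(r"^[E-Z]:\\", re.I)   # the worm scans drive letters E-Z
USER_COPY_TOOLS = {"explorer.exe", "robocopy.exe", "xcopy.exe"}   # expected USB writers

# Constructed Sysmon-style events (EventID 1 = process create, 11 = file create).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A}", "Image": r"C:\Users\dev\AppData\Roaming\Explorer.exe",
     "ParentImage": r"C:\Users\dev\Downloads\setup_cracked.exe"},
    {"EventID": 1, "ProcessGuid": "{B}", "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe"},
    {"EventID": 11, "ProcessGuid": "{A}", "TargetFilename": r"F:\setup.exe"},
    {"EventID": 11, "ProcessGuid": "{A}", "TargetFilename": r"F:\autorun.inf"},
    {"EventID": 11, "ProcessGuid": "{B}", "TargetFilename": r"F:\holiday_photos.zip"},
    {"EventID": 11, "ProcessGuid": "{A}", "TargetFilename": r"C:\Users\dev\AppData\Roaming\log.txt"},
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def is_masquerading_explorer(image):
    """Explorer.exe by name but not at the one legitimate path."""
    return basename(image) == "explorer.exe" and image.lower() != LEGIT_EXPLORER

def correlate(events, min_writes=2):
    """Join file writes on E-Z letters back to the creating process and flag
    masqueraded Explorer.exe or any non-user-tool that writes several files there."""
    procs = {}                   # ProcessGuid -> process-create event
    writes = defaultdict(list)   # ProcessGuid -> files written on E-Z letters
    for ev in events:
        if ev["EventID"] == 1:
            procs[ev["ProcessGuid"]] = ev
        elif ev["EventID"] == 11 and REMOVABLE_DRIVE.match(ev["TargetFilename"]):
            writes[ev["ProcessGuid"]].append(ev["TargetFilename"])
    alerts = []
    for guid, files in writes.items():
        proc = procs.get(guid)
        if proc is None:
            continue   # no process-create record in scope; cannot attribute
        masq = is_masquerading_explorer(proc["Image"])
        unexpected_writer = basename(proc["Image"]) not in USER_COPY_TOOLS
        if (masq or unexpected_writer) and len(files) >= min_writes:
            alerts.append({"guid": guid, "image": proc["Image"],
                           "parent": proc["ParentImage"], "masquerade": masq, "files": files})
    return alerts
```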

Log Sources

  • Sysmon: Event 11 (file create on removable media), Event 1 (process create with suspicious paths), Event 12/13 (registry for persistence)
  • Windows: Event 6416 (new external device recognized)
  • EDR: USB insertion events, process tree analysis, CPU telemetry
  • AV/EDR: Heuristic detection for process masquerading

Detection Coverage

Source | Status
Sigma | USB Device Plugged, External Disk Drive Or USB Storage Device Was Recognized By The System
Splunk ESCU | Windows Replication Through Removable Media, Windows Process Executed From Removable Media
Elastic | Execution from a Removable Media with Network Connection, New USB Storage Device Mounted
KQL | USB_Data_Exfiltration
Air-gap bridging chain (WM_DEVICECHANGE + write) | Gap — No compound detection for USB monitoring + payload copy chain
Explorer.exe masquerade from non-standard path | ✅ Covered by existing process masquerade Sigma rules


5. D-Link DWR-M960: Four Unpatched Stack Buffer Overflows (CVSS 8.8, Public Exploits)

What’s New

Four separate stack-based buffer overflow vulnerabilities were disclosed today in the D-Link DWR-M960 4G LTE router (version 1.01.07), each carrying CVSS 8.8 and each with a public exploit already available. No patches exist at time of writing — these are unpatched with weaponized PoCs.

Technical Details

Field | Value
CVEs | CVE-2026-2925, CVE-2026-2926, CVE-2026-2927, CVE-2026-2928
CVSS | 8.8 (High) each
Affected | D-Link DWR-M960 firmware 1.01.07 only
Auth Required | None (unauthenticated, remote)
Exploit Status | ✅ Public exploits available for each CVE
Patch | ❌ No patch available
Published | February 22, 2026

Vulnerable endpoints:

CVE | Endpoint | Parameter
CVE-2026-2926 | /boafrm/formLteSetup | submit-url (function sub_4237AC)
CVE-2026-2925 | /boafrm/formBridgeVlan | Crafted request
CVE-2026-2927 | (additional endpoint) | Oversized input
CVE-2026-2928 | (additional endpoint) | Oversized input

Attack pattern: Attacker sends malformed POST with oversized submit-url or similar parameter → stack buffer overflow in compiled C function (sub_XXXXXXXX) → potential arbitrary code execution as root.

TTPs

Tactic | Technique | Observable
Initial Access | T1190 - Exploit Public-Facing Application | Malformed POST requests to /boafrm/form* endpoints
Execution | T1059 - Command and Scripting Interpreter | Shell command execution post-overflow
Discovery | T1046 - Network Service Discovery | Scanning for D-Link web admin ports (80/443/8080)
Persistence | T1542.003 - Bootkit / Firmware | Router firmware modification post-compromise

Detection Opportunities

# Network IDS signature concepts:
# 1. Oversized POST body to /boafrm/formLteSetup or /boafrm/formBridgeVlan
#    Threshold: request body > expected parameter length

# Web server/proxy logs:
POST /boafrm/formLteSetup | body_bytes > 1024

# Shodan/exposure monitoring:
# DWR-M960 devices exposed on internet — proactively identify and segment

# IDS rule concept (Snort/Suricata):
alert http any any -> any any (
  msg:"Potential D-Link DWR-M960 CVE-2026-2926 Exploit Attempt";
  content:"POST"; http_method;
  content:"/boafrm/formLteSetup"; http_uri;
  pcre:"/submit-url=.{512,}/";
  sid:20260222; rev:1;
)

Priority action: Identify all D-Link DWR-M960 devices on the network. Isolate management interfaces. Disable internet-facing admin access until vendor releases a patch. Monitor Shodan for exposure.
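The oversized-parameter check behind the IDS rule concept above, as an added example that is not part of the brief: a small parser for raw HTTP requests that flags POSTs to the two named /boafrm/ endpoints whose decoded form values reach the 512-byte bound used in the pcre. Both requests are constructed; the check works on decoded values, whereas the pcre matches the raw encoded body, so the two can differ for percent-encoded input.

```python
from urllib.parse import parse_qsl

WATCHED_ENDPOINTS = {"/boafrm/formLteSetup", "/boafrm/formBridgeVlan"}
MAX_PARAM_LEN = 512   # same bound as the brief's pcre "/submit-url=.{512,}/"

# Constructed raw HTTP requests (CRLF-separated), not captured traffic.
BENIGN_REQ = (
    "POST /boafrm/formLteSetup HTTP/1.1\r\nHost: 192.168.0.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "submit-url=%2Flte_setup.htm&apn=internet"
)
SUSPECT_REQ = (
    "POST /boafrm/formLteSetup HTTP/1.1\r\nHost: 192.168.0.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "submit-url=" + "A" * 700 + "&apn=internet"
)

def parse_request(raw):
    """Split a raw request into method, path (query stripped), headers and decoded
    form parameters. Only what the endpoint/length check needs is parsed."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _ = request_line.split(" ", 2)
    headers = {k.strip().lower(): v.strip()
               for k, v in (h.split(":", 1) for h in header_lines if ":" in h)}
    params = parse_qsl(body, keep_blank_values=True)   # percent-decodes values
    return {"method": method, "path": path.split("?", 1)[0],
            "headers": headers, "params": params}

def oversized_params(raw, max_len=MAX_PARAM_LEN):
    """(name, decoded length) for every form value at or above max_len on a watched
    endpoint; empty for other methods, other paths, or ordinary-sized input."""
    req = parse_request(raw)
    if req["method"] != "POST" or req["path"] not in WATCHED_ENDPOINTS:
        return []
    return [(name, len(value)) for name, value in req["params"] if len(value) >= max_len]
```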

Log Sources

  • Network IDS/IPS (Snort/Suricata): HTTP POST anomalies
  • Web proxy / next-gen firewall logs
  • Router syslog (if accessible)
  • Network flow data: unexpected connections from routers to external IPs

Detection Coverage

Source | Status
Sigma | ❌ No D-Link DWR-M960 specific rules
Splunk ESCU | ❌ No specific coverage
Elastic | ❌ No specific coverage
Network IDS | Gap — No Snort/Suricata rules published yet for these CVEs

Note: These are too new for rule repositories. Create custom IDS rules based on the endpoint patterns above.


6. Chrome CVE-2026-2441 — Public PoC Released (Update)

Background: Initial coverage in Feb 16 brief. Patch exists: Chrome ≥ 145.0.7632.75 (Win/macOS), ≥ 144.0.7559.75 (Linux).

What’s New

A public proof-of-concept exploit was released today for CVE-2026-2441 (Chrome Blink CSS use-after-free). The PoC documents three distinct trigger paths and includes heap grooming techniques, significantly lowering the barrier to exploitation for this actively exploited zero-day.

Technical Details

Field | Value
CVE | CVE-2026-2441
CVSS | 8.8 (High)
PoC Released | February 22, 2026 (today)
Vulnerability | Use-After-Free in CSSFontFeatureValuesMap (Blink CSS engine)
Root Cause | Iterator raw pointer (aliases_) dangles after HashMap::rehash() during mutation
Confirmed Exploitation | Yes — Google confirmed active in-the-wild exploitation

Three PoC trigger methods:

Method | Technique
entries() Iterator | Mutation loop during iteration causes rehash
for…of Loop | Concurrent delete + heap spray
requestAnimationFrame | Layout recalc mid-iteration

50 @font-feature-values rules used for heap grooming to improve reliability.

Sandbox escape chain: UAF → arbitrary read/write in sandbox → V8 heap leak → ASLR bypass → full compromise (documented as Pegasus-style WebKit chaining pattern).

TTPs

Tactic | Technique | Observable
Initial Access | T1189 - Drive-by Compromise | Page visit triggers PoC (no user interaction beyond visit)
Execution | T1203 - Exploitation for Client Execution | Renderer process UAF → code execution
Defense Evasion | T1055 - Process Injection | Sandbox escape for further compromise
Collection | T1539 - Steal Web Session Cookie | Access to document.cookie, localStorage, IndexedDB

Detection Opportunities

# Renderer crash monitoring (Blink CSS engine):
chrome://crashes for UAF patterns (STATUS_ACCESS_VIOLATION in renderer)

# EDR process monitoring:
# Chrome renderer spawning unexpected child processes (sandbox escape indicator)
ParentImage: '*\chrome.exe'
ChildImage: NOT IN ['nacl_helper', 'gpu-process', 'renderer']

# Proxy/web filter:
# High @font-feature-values rule counts in CSS responses (50+ = suspicious)
# Monitor malvertising domains serving heavy CSS payloads

# Network:
# Chrome renderer → outbound connection (unexpected for renderer process)
ProcessName: '*\chrome.exe'
CommandLine|contains: '--type=renderer'
Network: outbound connection to external IP

Patch status check: Audit the Chrome version (chrome://settings/help) across the fleet. Prioritize unpatched endpoints; the PoC release dramatically increases exploitation risk.
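The fleet version audit above, as an added example that is not part of the brief: each reported Chrome version is compared numerically against the fixed build for its platform (145.0.7632.75 on Windows/macOS, 144.0.7559.75 on Linux, as stated in the Background note). The inventory rows and the OS-string normalization are constructed assumptions about what an inventory tool reports.

```python
import re

# Minimum fixed builds from the brief: 145.0.7632.75 (Windows/macOS), 144.0.7559.75 (Linux).
FIXED = {
    "windows": (145, 0, 7632, 75),
    "macos":   (145, 0, 7632, 75),
    "linux":   (144, 0, 7559, 75),
}
VERSION_RE = re.compile(r"^\d+(?:\.\d+){3}$")

def normalize_platform(raw):
    """Map free-form OS strings from inventory tools to the keys in FIXED.
    macOS is tested first because 'darwin' contains the substring 'win'."""
    p = raw.lower()
    if "mac" in p or "darwin" in p or "os x" in p:
        return "macos"
    if "win" in p:
        return "windows"
    return "linux"

def parse_version(s):
    """Chrome versions are four dot-separated integers; compare them numerically,
    since as strings '144.0.7559.9' would sort above '144.0.7559.75'."""
    s = s.strip()
    if not VERSION_RE.match(s):
        raise ValueError(f"not a Chrome version string: {s!r}")
    return tuple(int(part) for part in s.split("."))

def is_patched(version, platform):
    return parse_version(version) >= FIXED[normalize_platform(platform)]

# Constructed inventory rows: (hostname, OS string as reported, Chrome version).
INVENTORY = [
    ("ws-0417",  "Windows 11",   "145.0.7632.75"),
    ("ws-0418",  "Windows 10",   "145.0.7632.70"),
    ("mac-0021", "macOS 15.3",   "144.0.7559.110"),
    ("lnx-0003", "Ubuntu 24.04", "144.0.7559.75"),
    ("lnx-0004", "Debian 12",    "144.0.7559.9"),
]

def unpatched_hosts(inventory):
    """Hosts still below the fixed build for their platform, for follow-up."""
    return [host for host, os_name, ver in inventory if not is_patched(ver, os_name)]
```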

Log Sources

  • EDR: Chrome process tree, renderer crash events
  • Web proxy: CSS payload inspection (size, @font-feature-values count)
  • Chrome Enterprise: Browser version reporting
  • Endpoint: chrome://crashes telemetry

Detection Coverage

Source | Status
Sigma | ❌ No Chrome renderer UAF specific rule
Elastic | ❌ No specific coverage
Splunk ESCU | ❌ No specific coverage
Chrome sandbox escape | Gap — Rely on EDR behavioral detection of unexpected child processes

Priority: Verify patch deployment immediately — PoC release makes this time-sensitive.


Detection Coverage Summary

Threat | Sigma | Splunk ESCU | Elastic | Critical Gap?
AI-Assisted FortiGate Campaign | ✅ Partial | ✅ Partial | ✅ Partial | FortiGate brute-force on non-std ports
Sentry SAML Bypass (CVE-2026-27197) | ⚠️ Generic | ⚠️ Generic | | Cross-org SAML assertion abuse
Phobos Ransomware | ✅ Behavior-based | ✅ Behavior-based | ✅ Behavior-based | No Phobos-specific IOC rules
Air-Gap USB Cryptominer | ✅ Partial | ✅ Partial | ✅ Partial | WM_DEVICECHANGE + write chain
D-Link DWR-M960 CVEs | All sources — create custom IDS rules
Chrome CVE-2026-2441 PoC | Rely on EDR behavioral detection

Brief compiled at 05:00 PST | Next brief: February 23, 2026