Salt Typhoon Threat "Still Very Much Ongoing" as Ivanti Zero-Day Exploitation Traced to July 2025; Deutsche Bahn DDoS Disrupts European Rail

1. Executive Summary

This week's intelligence cycle reveals persistent nation-state threats to critical infrastructure, significant vulnerabilities in industrial control systems, and notable disruptions to transportation networks. Key developments requiring immediate attention:

  • Nation-State Threat Persistence: The FBI confirmed that Salt Typhoon, the Chinese cyber espionage group responsible for the 2024 telecommunications infrastructure compromise, remains an active and ongoing threat to U.S. critical infrastructure. Separately, Ivanti exploitation has surged, with researchers tracing zero-day attacks back to July 2025.
  • Transportation Sector Disruption: Deutsche Bahn, Germany's national rail operator, suffered a large-scale DDoS attack disrupting information and booking systems for several hours, highlighting continued targeting of transportation infrastructure.
  • Financial Sector Breaches: France's Ministry of Economy disclosed unauthorized access to the national bank account registry (FICOBA), exposing 1.2 million bank accounts. Additionally, blockchain lender Figure confirmed a breach affecting nearly 1 million user records.
  • ICS Vulnerabilities at Record Levels: CISA released four new ICS advisories this week affecting industrial equipment across multiple sectors. Research indicates ICS advisories reached a record 508 in 2025, underscoring the expanding attack surface in operational technology environments.
  • Emerging AI-Enabled Threats: Researchers discovered PromptSpy, the first known Android malware to leverage generative AI (Google's Gemini) at runtime for adaptive persistence, signaling a new evolution in mobile threat capabilities.
  • Law Enforcement Actions: INTERPOL's Operation Red Card 2.0 resulted in 651 arrests across 16 African countries, recovering $4.3 million. A Ukrainian national received a 5-year sentence for facilitating North Korean remote worker schemes at 40 U.S. businesses.

2. Threat Landscape

Nation-State Threat Actor Activities

Salt Typhoon Remains Active Threat: A senior FBI cyber official stated this week that threats from Salt Typhoon are "still very much ongoing." The Chinese cyber espionage group, responsible for the widespread compromise of U.S. telecommunications infrastructure in 2024, continues to pose a broad threat to critical infrastructure. Organizations in the communications sector should maintain heightened vigilance and review network segmentation and access controls.

Source: CyberScoop

Ivanti Zero-Day Exploitation Surge: Security researchers have observed a significant increase in exploitation of Ivanti vulnerabilities, with attacks traced back to July 2025. Threat actors are leveraging these vulnerabilities to deploy web shells, conduct reconnaissance, and download additional malware. The extended timeline suggests sophisticated actors may have maintained persistent access for months before detection.

Source: SecurityWeek

CRESCENTHARVEST Campaign: Researchers disclosed details of a new campaign dubbed CRESCENTHARVEST, likely targeting supporters of Iran's ongoing protests. The campaign deploys RAT malware for information theft and long-term espionage, demonstrating continued use of cyber operations for political surveillance.

Source: The Hacker News

Ransomware and Cybercriminal Developments

Starkiller Phishing Kit: Security researchers at Abnormal identified a new "commercial-grade" phishing toolkit called Starkiller that uses proxy techniques to mimic popular online services and bypass multi-factor authentication. This represents a "significant escalation in phishing infrastructure" available to cybercriminals.

Source: Infosecurity Magazine

Microsoft 365 MFA Bypass Campaign: A new phishing campaign is actively targeting employees with techniques designed to bypass Microsoft 365 multi-factor authentication. Organizations should review conditional access policies and implement phishing-resistant authentication methods.

Source: CSO Online

Device Code Phishing with Vishing: Threat actors are combining device code phishing with voice phishing (vishing) to target technology, manufacturing, and financial organizations. These campaigns abuse the OAuth 2.0 Device Authorization flow to compromise Microsoft Entra accounts.

Source: Bleeping Computer
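One defender-side check for the device code abuse described above, as an added example that is not from the original briefing or from the cited article: a small triage script over constructed Microsoft Entra sign-in records (newline-delimited JSON, field names following the Graph signIn resource, where authenticationProtocol "deviceCode" marks a sign-in completed through the OAuth 2.0 Device Authorization flow). The corporate IP ranges and the allowlist of apps expected to use device code are assumptions for the example.

```python
import ipaddress
import json

# Constructed sign-in records (not real logs). A status errorCode of 0 means
# the sign-in succeeded; 50126 is a constructed example of a failed attempt.
SIGNIN_LOG = """
{"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10", "authenticationProtocol": "oAuth2", "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0}}
{"userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.77", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office", "status": {"errorCode": 0}}
{"userPrincipalName": "bob@example.com", "ipAddress": "203.0.113.25", "authenticationProtocol": "deviceCode", "appDisplayName": "Azure CLI", "status": {"errorCode": 0}}
{"userPrincipalName": "carol@example.com", "ipAddress": "198.51.100.78", "authenticationProtocol": "deviceCode", "appDisplayName": "Microsoft Office", "status": {"errorCode": 50126}}
"""

# Assumed corporate egress ranges; anything else is treated as off-network.
CORPORATE_NETS = [ipaddress.ip_network("203.0.113.0/24")]
# Assumed allowlist of apps for which admins legitimately use device code
# (headless CLI tooling); office productivity apps are not expected here.
EXPECTED_DEVICE_CODE_APPS = {"Azure CLI"}


def parse_signins(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_corporate(ip):
    """True if the address falls inside one of the assumed corporate ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def find_suspicious_device_code(records):
    """Return alerts for successful device-code sign-ins that came from an
    off-network address or used an app not on the device-code allowlist."""
    alerts = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue
        if r.get("status", {}).get("errorCode", 0) != 0:
            continue  # failed attempts are noisy; successes are what matter
        reasons = []
        if not is_corporate(r["ipAddress"]):
            reasons.append("off-network source IP")
        if r.get("appDisplayName") not in EXPECTED_DEVICE_CODE_APPS:
            reasons.append("app not expected to use device code")
        if reasons:
            alerts.append({"user": r["userPrincipalName"], "ip": r["ipAddress"],
                           "app": r.get("appDisplayName"), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_device_code(parse_signins(SIGNIN_LOG)):
        print(alert)
```

Tuning the allowlist and ranges to the tenant, and pairing this with a Conditional Access review as the item above recommends, turns a one-off triage into a repeatable control.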

Emerging Attack Vectors

AI Chatbots as C2 Channels: Researchers have demonstrated that AI assistants including Grok and Microsoft Copilot can be manipulated to function as covert command-and-control channels. This novel technique could allow attackers to blend malicious traffic with legitimate AI service communications.

Source: CSO Online

PromptSpy Android Malware: Cybersecurity researchers have identified PromptSpy as the first known Android malware to use generative AI (Google's Gemini) at runtime. The malware abuses Gemini to automate persistence mechanisms and adapt to different device configurations, representing a significant evolution in mobile threats.

Source: The Hacker News

Massiv Android Banking Trojan: A new Android banking trojan named Massiv is actively targeting mobile banking users across southern Europe, disguised as IPTV applications. The malware facilitates device takeover attacks for financial theft.

Source: The Hacker News

Law Enforcement Operations

INTERPOL Operation Red Card 2.0: An international cybercrime operation led by law enforcement agencies from 16 African countries resulted in 651 arrests and recovered more than $4.3 million. The operation targeted investment fraud, mobile money scams, and fake loan applications.

Source: The Hacker News

North Korean Remote Worker Scheme: Ukrainian national Oleksandr Didenko was sentenced to 5 years in prison for facilitating a North Korean remote worker scheme. Didenko operated laptop farms and provided forged or stolen identities to North Korean operatives who gained remote employment at 40 U.S. businesses.

Source: CyberScoop

3. Sector-Specific Analysis

Energy Sector

ICS Vulnerabilities in Industrial Equipment: CISA released advisories this week affecting equipment commonly deployed in energy sector environments, including the Valmet DNA Engineering Web Tools used in process automation. Energy sector operators should review CISA ICS advisories and prioritize patching for internet-facing systems.

Quantum-Resilient Infrastructure Planning: Analysis this week highlighted the convergence of quantum computing risks across AI, space, and critical infrastructure sectors. Energy sector organizations should begin assessing cryptographic dependencies and developing post-quantum transition roadmaps.

Source: Homeland Security Today

Water & Wastewater Systems

WaterISAC Security Action Guidance: WaterISAC released updated fact sheets on top security actions for water utilities, including guidance on enhancing physical security posture. The organization also issued alerts regarding hacktivist exploitation of flat IT/OT network connectivity.

Source: WaterISAC

Physical Security Incident: WaterISAC reported an incident involving an 18-year-old accused of using improvised explosive devices to damage manhole covers, highlighting ongoing physical security threats to water infrastructure.

Communications & Information Technology

Salt Typhoon Ongoing Operations: The FBI's confirmation that Salt Typhoon remains an active threat underscores the need for continued vigilance in the communications sector. Telecommunications providers should review network segmentation, implement enhanced monitoring for lateral movement, and ensure incident response plans account for nation-state persistence techniques.

OpenClaw Vulnerabilities: Six new vulnerabilities were disclosed in OpenClaw, a popular AI assistant platform. Despite rapid patches and transition to an OpenAI-backed foundation, security vulnerabilities and misconfiguration risks persist. Organizations using OpenClaw should review configurations and apply available patches.

Source: CSO Online

VoIP Infrastructure Risk: A critical vulnerability in Grandstream GXP1600 series VoIP phones allows remote, unauthenticated attackers to gain root privileges and silently eavesdrop on communications. Organizations using affected devices should prioritize patching or network isolation.

Source: Bleeping Computer

Transportation Systems

Deutsche Bahn DDoS Attack: German rail giant Deutsche Bahn experienced a large-scale distributed denial-of-service attack that disrupted information and booking systems for several hours. While operational rail services continued, the attack demonstrates the vulnerability of transportation sector IT systems to volumetric attacks.

Source: SecurityWeek

Rail Sabotage by Extremists: WaterISAC reported that anarchist violent extremists claimed responsibility for rail sabotage during the Italy Olympics, highlighting the intersection of physical and ideological threats to transportation infrastructure.

CDL Fraud Concerns: A Transportation Department review revealed that nearly 20% of Illinois non-domiciled commercial driver's licenses were improperly issued, raising concerns about supply chain security and the integrity of credentialing systems for commercial transportation.

Source: Homeland Security Today

Healthcare & Public Health

HHS Third-Party Vendor Risk Initiative: The Department of Health and Human Services is intensifying efforts to identify risks to the healthcare sector from third-party vendors. An HHS official speaking at CyberTalks indicated the department is working to help the sector identify where supply chain risks exist.

Source: CyberScoop

Remcos RAT Enhanced Capabilities: A new variant of the Remcos RAT has expanded real-time surveillance and evasion capabilities targeting Windows systems. Healthcare organizations should ensure endpoint detection solutions are updated to detect this variant.

Source: Infosecurity Magazine

Financial Services

French National Bank Registry Breach: France's Ministry of Economy reported discovering unauthorized access to FICOBA, the national bank account registry, exposing 1.2 million bank accounts. The full scope of data accessed remains under investigation.

Source: SecurityWeek

Figure Data Breach: Blockchain-based lender Figure confirmed a data breach after the ShinyHunters threat group leaked over 2GB of data allegedly stolen from the company, affecting nearly 1 million user records.

Source: SecurityWeek

Indonesian Coretax Fraud Campaign: A fraud campaign exploiting Indonesia's Coretax tax system through malicious applications resulted in $1.5 million to $2 million in losses, demonstrating the financial impact of industrial-scale fake application distribution.

Source: Infosecurity Magazine

Government Facilities

TP-Link Router Security Lawsuit: Texas filed a lawsuit against TP-Link Systems, accusing the company of deceptively marketing routers as secure while allowing Chinese state-backed hackers to exploit firmware vulnerabilities. This action highlights growing concerns about supply chain security in networking equipment.

Source: Bleeping Computer

4. Vulnerability & Mitigation Updates

Critical Vulnerabilities Requiring Immediate Attention

Dell Maximum-Severity Vulnerability (CISA BOD): CISA has ordered federal agencies to patch a maximum-severity Dell vulnerability within three days due to active exploitation. Private sector organizations using affected Dell products should prioritize remediation.

Source: Bleeping Computer

Microsoft Windows Admin Center (CVE-2026-26119): Microsoft disclosed and patched a privilege escalation vulnerability in Windows Admin Center. Organizations using this browser-based management tool should apply updates immediately.

Source: The Hacker News

CISA ICS Advisories (Published February 19, 2026)

  • ICSA-26-050-01: EnOcean SmartServer IoT - Multiple vulnerabilities affecting IoT gateway devices
  • ICSA-26-050-02: Valmet DNA Engineering Web Tools - Vulnerability in process automation engineering tools
  • ICSA-26-050-03: Jinan USR IOT Technology Limited (PUSR) USR-W610 - Multiple vulnerabilities in industrial wireless devices
  • ICSA-26-050-04: Welker OdorEyes EcoSystem Pulse Bypass System with XL4 Controller - Vulnerability in industrial control equipment

Source: CISA ICS Advisories

Development Tool Vulnerabilities

IDE Extension Flaws: Four serious vulnerabilities affect extensions for Microsoft Visual Studio Code, Cursor, and Windsurf development environments. Three of these vulnerabilities remain unpatched and could allow data exfiltration. Development teams should review installed extensions and limit permissions.

Source: Infosecurity Magazine

ICS Vulnerability Trends

Record Advisory Volume: Research from Forescout reveals that ICS advisories reached a record 508 in 2025, representing a significant increase in disclosed vulnerabilities affecting industrial control systems. This trend underscores the expanding attack surface in OT environments and the need for comprehensive asset inventory and vulnerability management programs.

Source: Infosecurity Magazine

Recommended Defensive Measures

  • Prioritize patching for actively exploited vulnerabilities, particularly the Dell flaw under CISA directive
  • Review Ivanti product deployments and implement recommended mitigations given extended exploitation timeline
  • Implement network segmentation between IT and OT environments to limit lateral movement
  • Deploy phishing-resistant MFA methods to counter emerging bypass techniques
  • Audit AI assistant integrations and extensions for potential security risks
  • Review VoIP infrastructure for Grandstream vulnerabilities and implement network isolation where patching is delayed

5. Resilience & Continuity Planning

Lessons from Recent Incidents

Deutsche Bahn DDoS Response: The Deutsche Bahn incident demonstrates the importance of separating operational technology systems from customer-facing IT services. While booking and information systems were disrupted, core rail operations continued. Organizations should review their architecture to ensure critical operational functions can continue during IT service disruptions.

Caracas Operation Analysis: Analysis of recent operations suggests that cyber capabilities were part of a broader operational plan but not the sole component. This reinforces the importance of integrated security planning that addresses both cyber and physical threats rather than treating them as separate domains.

Source: CyberScoop

Supply Chain Security

NIST Strategic Supply Chain Initiative: NIST announced an initiative focused on building strategic supply chain networks, recognizing that recent disruptions from pandemics, infrastructure failures, and changing trade policies have exposed critical vulnerabilities. Organizations should participate in upcoming workshops to contribute to and benefit from coordinated supply chain resilience efforts.

Source: NIST

Third-Party Vendor Risk: HHS's focus on healthcare sector third-party vendor risks provides a model for other sectors. Organizations should conduct comprehensive assessments of vendor access, data handling, and security practices, particularly for vendors with access to critical systems or sensitive data.

Cross-Sector Dependencies

Climate Change Transportation Impacts: WaterISAC highlighted transportation sector challenges from climate change, emphasizing the interconnected nature of community lifelines. Water and wastewater utilities should assess dependencies on transportation infrastructure for chemical deliveries, emergency response, and workforce access.

Post-Quantum Transition Planning

State Department Guidance: A State Department official confirmed that post-quantum cryptography transition plans will outlive current leadership, signaling long-term government commitment to this initiative. Organizations should begin cryptographic inventory assessments and develop migration roadmaps for quantum-vulnerable systems.

Source: CyberScoop

6. Regulatory & Policy Developments

Federal Initiatives

NIST Agentic AI Initiative: NIST launched a new initiative focused on U.S. dominance in agentic AI, with significant implications for cybersecurity. The initiative aims to establish standards and frameworks for AI systems that can take autonomous actions, addressing both opportunities and risks for critical infrastructure.

Source: CSO Online

ONCD AI and Cybersecurity Strategy: An ONCD official outlined the Trump administration's approach to bolstering AI use for defense while managing associated risks. The strategy includes cyber workforce goals that aim to emulate successful models like Israel's Unit 8200.

Source: CyberScoop

State-Level Actions

Texas TP-Link Lawsuit: Texas's lawsuit against TP-Link for allegedly deceptive security marketing and enabling Chinese state-backed exploitation represents a significant state-level action on supply chain security. This may signal increased state enforcement activity regarding critical infrastructure equipment security claims.

International Developments

UK Annual Terrorism Threat Report: The UK released its 2025 Annual Terrorism Threat Report, providing insights into threat trends that may have implications for U.S. critical infrastructure protection. Security professionals should review the report for applicable threat indicators and protective measures.

Source: WaterISAC

Compliance Considerations

  • Organizations subject to CISA directives should ensure Dell vulnerability remediation within specified timeframes
  • Healthcare organizations should prepare for increased HHS scrutiny of third-party vendor security practices
  • Organizations using networking equipment from foreign manufacturers should document security assessments in anticipation of potential regulatory requirements

7. Training & Resource Spotlight

New Tools and Frameworks

SecureClaw Open Source Tool: A new open source security tool called SecureClaw has debuted, offering capabilities for security assessment and monitoring. Organizations should evaluate the tool for potential integration into security operations.

Source: SecurityWeek

WaterISAC Security Fact Sheets: WaterISAC released updated fact sheets on top security actions for water utilities, covering both cyber and physical security measures. These resources provide practical guidance for utilities of all sizes.

Industry Investment

Venice Security PAM Solution: Venice Security (formerly Valkyrie) emerged from stealth with $33 million in funding for privileged access management solutions. The investment signals continued market interest in identity and access management capabilities for critical infrastructure protection.

Source: SecurityWeek

Workforce Development

Cybersecurity Upskilling Challenges: Analysis from Security Magazine highlights why traditional upskilling strategies fall short in cybersecurity, with insights from industry leaders on effective approaches to talent development. Organizations should review their training programs against these recommendations.

Source: Security Magazine

Best Practices

AI Exposure and Response Windows: Analysis from The Hacker News examines how AI is collapsing response windows from exposure to exploitation. Security teams should review detection and response capabilities to ensure they can operate at the speed required by AI-accelerated threats.

Source: The Hacker News

8. Looking Ahead: Upcoming Events

Conferences and Workshops

NIST Building the Strategic Supply Chain Network Workshop
Date: March 9, 2026
This workshop will address critical vulnerabilities in U.S. supply chains exposed by recent disruptions, including pandemics, infrastructure failures, and changing trade policies. Recommended for supply chain security professionals and critical infrastructure operators.

Source: NIST

NIST Cybersecurity for IoT Workshop: Future Directions
Date: March 31, 2026
This workshop will discuss emerging and future trends for IoT technologies and their implications for IoT cybersecurity. As IoT becomes more sophisticated, automated, and ubiquitous, understanding security implications is critical for infrastructure operators.

Source: NIST

NIST Iris Experts Group Annual Meeting
Date: June 25, 2026
Forum for discussion of technical questions related to iris recognition for government agencies. Relevant for organizations implementing biometric access controls for critical infrastructure facilities.

Source: NIST

Threat Periods Requiring Heightened Awareness

  • Ongoing: Salt Typhoon activity targeting telecommunications infrastructure
  • Ongoing: Ivanti vulnerability exploitation campaigns
  • Ongoing: AI-enabled phishing campaigns targeting Microsoft 365 environments

Anticipated Developments

  • Additional CISA guidance expected on Ivanti vulnerability mitigations
  • Continued HHS focus on healthcare sector third-party vendor security assessments
  • Further state-level actions on networking equipment supply chain security following Texas lawsuit
  • Post-quantum cryptography transition guidance updates from federal agencies

Seasonal Considerations

  • Tax season fraud campaigns continue through April, with increased targeting of financial services and tax preparation firms
  • Spring severe weather season approaching for central U.S., requiring review of emergency response and continuity plans

This intelligence briefing is compiled from open-source reporting and is intended for critical infrastructure owners, operators, and security professionals. Information should be verified through official channels before taking protective actions. For sector-specific guidance, contact your relevant ISAC or CISA regional representative.

Report Date: Friday, February 20, 2026

Disclaimer

This briefing is generated using AI analysis of public news sources. Always verify critical information through authoritative sources before taking action.