
BeyondTrust Flaw Exploited in Ransomware Attacks; Mississippi Medical Center Closes Clinics; Supply Chain Attack Targets Developer Tools

Executive Summary

This week's intelligence highlights several significant developments affecting critical infrastructure security:

  • Active Exploitation Alert: CISA has confirmed that the BeyondTrust Remote Support vulnerability (CVE-2026-1731) is now being actively exploited in ransomware attacks, with threat actors deploying web shells, backdoors, and conducting data exfiltration operations. Organizations using BeyondTrust products should prioritize immediate patching.
  • Healthcare Sector Impact: The University of Mississippi Medical Center (UMMC) has closed all clinic locations statewide following a ransomware attack, demonstrating the continued targeting of healthcare infrastructure and the real-world impact on patient care delivery.
  • Supply Chain Threats Intensify: Two separate supply chain attacks targeting developer tools were disclosed this week—a compromised npm package installing OpenClaw malware and a malicious update to the Cline CLI coding assistant—highlighting the persistent threat to software development pipelines.
  • Financial Sector Concerns: The FBI reported over $20 million in losses from ATM jackpotting attacks in 2025, with the Ploutus malware continuing to be deployed across approximately 1,900 incidents since 2020. Additionally, PayPal disclosed a data breach exposing user information for six months, and a French bank registry breach affected 1.2 million accounts.
  • Nation-State Activity: Former Google engineers were indicted for trade secret theft with alleged transfers to Iran, while a Ukrainian national received a five-year sentence for facilitating North Korean IT worker fraud schemes targeting U.S. companies.
  • DHS Operations Impacted: The partial DHS shutdown enters its second week on Saturday, potentially affecting coordination capabilities for critical infrastructure protection activities.

Threat Landscape

Nation-State Threat Actor Activities

  • Iran-Linked Trade Secret Theft: Two former Google engineers and one spouse have been indicted in the U.S. for allegedly stealing trade secrets from Google and other technology firms and transferring the information to Iran. This case underscores the persistent insider threat from nation-state recruitment of technology sector employees with access to sensitive intellectual property.
  • North Korean IT Worker Scheme: A 29-year-old Ukrainian national has been sentenced to five years in prison for facilitating North Korea's fraudulent IT worker scheme. The operation involved providing stolen identities to help North Korean operatives infiltrate U.S. companies, generating revenue for the DPRK regime while potentially enabling access to sensitive corporate systems and data.

Ransomware and Cybercriminal Developments

  • BeyondTrust Exploitation in Ransomware Campaigns: CISA has updated its Known Exploited Vulnerabilities (KEV) catalog to alert organizations that CVE-2026-1731 is being actively exploited in ransomware attacks. Threat actors are leveraging this vulnerability to deploy web shells, establish backdoors, and exfiltrate data from victim networks. The exploitation of remote access tools represents a high-value target for ransomware operators seeking privileged access to enterprise environments.
  • Advantest Ransomware Attack: Japanese semiconductor testing giant Advantest Corporation has disclosed a ransomware attack targeting its corporate network. The company is investigating whether customer or employee data was compromised. Given Advantest's role in the semiconductor supply chain, this incident has potential implications for chip manufacturing and testing operations globally.
  • Healthcare Ransomware Impact: The University of Mississippi Medical Center was forced to close all clinic locations statewide following a ransomware attack, demonstrating the severe operational impact these attacks have on healthcare delivery and patient care.
  • ATM Jackpotting Surge: The FBI has warned of a significant increase in ATM jackpotting attacks, with over $20 million stolen in 2025 alone. The Ploutus malware, active for over a decade, continues to be deployed in these attacks, with approximately 1,900 incidents recorded since 2020.

Emerging Attack Vectors

  • AI-Powered Malware Persistence: Security researchers at ESET have discovered PromptSpy, a novel Android malware that leverages Google's Gemini AI at runtime to analyze on-screen elements and maintain persistence on infected devices. This represents an evolution in malware capabilities, using AI to adapt to device conditions and evade removal.
  • Supply Chain Attacks on Developer Tools: Two significant supply chain attacks were disclosed this week: a compromised npm package that installs the OpenClaw malware, and a malicious update pushed to the Cline CLI coding assistant. Both show that the software development toolchain itself, not only the code it produces, remains a target.
  • ClickFix Campaign Deploying MIMICRAT: A new ClickFix campaign has been identified that compromises legitimate websites to deliver MIMICRAT, a previously undocumented remote access trojan. This technique of leveraging trusted sites increases the likelihood of successful infections.
  • Starkiller Phishing Service: Security researcher Brian Krebs has detailed the "Starkiller" phishing service, an adversary-in-the-middle kit that reverse-proxies the real login page to the victim, relays the credentials and one-time MFA codes to the legitimate site as they are typed, and so ends up with an authenticated session. Unlike a static phishing page, the kit keeps a live connection to the genuine site, so the page looks and behaves like the real one and is harder to spot. Code-based and push-based MFA do not stop this; only phishing-resistant MFA that binds the login to the real site's origin does.
  • TrustConnect Fake Remote Support Tool: A new malicious tool called TrustConnect is masquerading as legitimate remote support software to gain unauthorized access to victim systems.
  • Microsoft 365 MFA Bypass Campaign: A new phishing campaign is specifically designed to trick employees into bypassing Microsoft 365 multi-factor authentication protections.
  • DDoS Attack Escalation: According to a new Radware report, DDoS attack frequency and power have risen to "alarming levels," presenting increased risk to internet-facing critical infrastructure systems.
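Why the Starkiller-style proxy described above fails against FIDO2/WebAuthn, shown in working code. This is an added illustration by the editor, not code from the briefing, from Krebs' write-up, or from any vendor; the relying-party origin, the challenge handling and the simulated browser behaviour are assumptions chosen for the example, and the checks follow the WebAuthn assertion-verification steps (type, challenge, origin) that precede signature verification. The browser writes the origin of the page the user is actually on into clientDataJSON, and the authenticator signs a hash of that JSON, so a proxy can neither choose nor rewrite it:

```python
import base64
import hashlib
import json
import secrets

# Constructed: the origin the relying party registered its credentials for.
RP_ORIGIN = "https://login.example.com"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def browser_client_data(page_origin: str, challenge: bytes) -> str:
    """Model what the browser builds for navigator.credentials.get(): the origin is
    the page the user is really on, filled in by the browser, not by page JavaScript.
    A proxied phishing page therefore gets its own hostname written here."""
    cd = {
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": page_origin,
        "crossOrigin": False,
    }
    return b64url_encode(json.dumps(cd, separators=(",", ":")).encode())


def client_data_hash(client_data_b64: str) -> bytes:
    """The authenticator signs authenticatorData || SHA-256(clientDataJSON), so a
    proxy that rewrites the origin after the fact breaks the signature."""
    return hashlib.sha256(b64url_decode(client_data_b64)).digest()


def verify_client_data(client_data_b64: str, expected_challenge: bytes,
                       expected_origin: str = RP_ORIGIN) -> tuple[bool, str]:
    """Relying-party checks on clientDataJSON, done before signature verification."""
    try:
        cd = json.loads(b64url_decode(client_data_b64))
    except ValueError:
        return False, "clientDataJSON is not valid base64url-encoded JSON"
    if cd.get("type") != "webauthn.get":
        return False, f"unexpected type {cd.get('type')!r}"
    if not secrets.compare_digest(b64url_decode(cd.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch (stale or replayed assertion)"
    if cd.get("origin") != expected_origin:
        return False, f"origin {cd.get('origin')!r} is not {expected_origin!r}: rejected"
    return True, "ok"


if __name__ == "__main__":
    challenge = secrets.token_bytes(32)
    # Victim on the real site: accepted.
    print(verify_client_data(browser_client_data(RP_ORIGIN, challenge), challenge))
    # Victim on a reverse-proxy phishing page that forwards the same challenge: rejected.
    print(verify_client_data(
        browser_client_data("https://login.example.com.evil.example", challenge), challenge))
```

In a real deployment the browser would usually refuse to produce the assertion at all, because the relying-party ID (login.example.com) is not a registrable suffix of the phishing hostname; the origin check above is the server-side backstop for the cases where it does. Neither protection exists for SMS codes, TOTP or push approvals, which is why the briefing's later recommendation to move to FIDO2 matters against this kind of kit.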

Sector-Specific Analysis

Energy Sector

No major energy sector-specific incidents were reported this week. However, organizations should note:

  • The BeyondTrust vulnerability being exploited in ransomware attacks may affect energy sector organizations using these remote access tools for operational technology (OT) management.
  • The Trump Administration's new Maritime Action Plan may have implications for offshore energy infrastructure security and coordination.

Water & Wastewater Systems

No sector-specific incidents were reported this week. Water utilities should remain vigilant regarding:

  • Remote access tool vulnerabilities, particularly given the sector's reliance on remote monitoring and control systems.
  • The increasing sophistication of DDoS attacks that could impact SCADA web interfaces and customer portals.

Communications & Information Technology

  • Quantum Communications Advancement: NIST researchers have demonstrated the production of single photons on a chip, a building block that could eventually make Quantum Key Distribution (QKD) hardware cheaper and accessible to a wider range of organizations. The development has long-term rather than immediate implications for secure communications infrastructure; QKD still requires dedicated optical links and does not replace post-quantum cryptography for general-purpose networks.
  • Surveillance Technology Developments: Amazon's Ring has cancelled its partnership with Flock, the surveillance technology company, signaling potential shifts in the security camera and monitoring ecosystem.
  • ICS Vulnerability Surge: SecurityWeek reports a surge in ICS vulnerabilities, which has implications for operational technology across all critical infrastructure sectors.

Transportation Systems

  • Maritime Security Updates: The Trump Administration has released a new Maritime Action Plan that may affect security requirements and coordination for port facilities and maritime transportation.
  • Coast Guard Operations: The Coast Guard Cutter Mohawk has completed a 60-day patrol that included escorting two sanctioned oil tankers, highlighting ongoing maritime security enforcement activities.

Healthcare & Public Health

  • CRITICAL - Mississippi Medical Center Ransomware: The University of Mississippi Medical Center (UMMC) has been forced to close all clinic locations statewide following a ransomware attack. This incident demonstrates the severe operational impact ransomware can have on healthcare delivery, potentially affecting patient care across an entire state healthcare system.
  • Healthcare Sector Targeting: The continued targeting of healthcare organizations underscores the need for enhanced security measures, including:
    • Robust backup and recovery capabilities
    • Network segmentation to protect clinical systems
    • Incident response planning that accounts for patient care continuity

Financial Services

  • ATM Jackpotting Epidemic: The FBI has reported significant losses from ATM jackpotting attacks, with over $20 million stolen in 2025 and approximately 1,900 incidents since 2020. The Ploutus malware continues to be the primary tool used in these attacks. Financial institutions should review ATM security controls and monitoring capabilities.
  • PayPal Data Breach: PayPal is notifying customers of a data breach caused by a software error in a loan application that exposed sensitive personal information, including Social Security numbers, for nearly six months. This incident highlights the importance of secure software development practices and regular security testing.
  • French Bank Registry Breach: The French Ministry of Finance has announced a cybersecurity incident affecting 1.2 million accounts in a bank registry system, demonstrating the continued targeting of financial sector data repositories.
  • MFA Security Initiatives: PayPal is launching new efforts to move customers away from SMS-based multi-factor authentication toward more secure alternatives, reflecting industry recognition of SMS MFA vulnerabilities.
  • Identity Cyber Scores: A new trend is emerging where identity cyber scores are becoming a key metric in cyber insurance assessments. With one in three cyber-attacks now involving compromised employee accounts, insurers are placing greater emphasis on identity posture when evaluating organizational risk.

Government Facilities

Vulnerability & Mitigation Updates

Critical Vulnerabilities Requiring Immediate Attention

CVE             Product                                                Severity   Status                               Action Required
CVE-2026-1731   BeyondTrust Remote Support & Privileged Remote Access  Critical   Active exploitation in ransomware    Patch immediately; review for indicators of compromise

CISA Advisories and Updates

  • KEV Catalog Update: CISA has updated its Known Exploited Vulnerabilities entry for CVE-2026-1731 to specifically alert organizations that this vulnerability is being exploited in ransomware attacks. Organizations using BeyondTrust products should:
    • Apply available patches immediately
    • Review network logs for indicators of compromise
    • Implement additional monitoring on remote access infrastructure
    • Consider temporary isolation of affected systems if patching cannot be completed immediately
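One way to act on "review network logs for indicators of compromise" when the vendor has not yet published specific indicators: hunt the appliance's web access log for the traffic pattern a dropped web shell produces. The following is an added example by the editor, not code from the briefing, CISA or BeyondTrust; the endpoint allowlist, the log lines and the file paths are constructed for illustration and say nothing about where a real BeyondTrust deployment stores files. The heuristics are deliberately generic (script-extension path the application never served before, POSTs with no Referer, command-line user agents) and are combined so that no single noisy signal fires on its own:

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed baseline: interactive endpoints the appliance is known to serve.
# In practice derive this from logs captured before the exposure window.
KNOWN_ENDPOINTS = {"/login", "/api/session", "/api/command", "/static/app.js"}
SCRIPT_EXT = (".php", ".jsp", ".jspx", ".aspx", ".ashx", ".cgi", ".pl")
TOOL_UA_PREFIXES = ("curl/", "python-requests/", "Go-http-client/", "Wget/")


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_reasons(entry):
    """Heuristics that, taken together, point at an uploaded web shell rather than
    normal application traffic. Each alone is noisy; callers require two or more."""
    reasons = []
    path = entry["path"].split("?", 1)[0].lower()
    if path.endswith(SCRIPT_EXT) and path not in KNOWN_ENDPOINTS:
        reasons.append("script path outside the known endpoint set")
    if entry["method"] == "POST" and entry["referer"] in ("", "-"):
        reasons.append("POST with no Referer (scripted client, not a browser form)")
    ua = entry["ua"]
    if ua in ("", "-") or ua.startswith(TOOL_UA_PREFIXES):
        reasons.append("command-line or empty User-Agent")
    return reasons


def find_webshell_candidates(lines, min_reasons=2):
    """Aggregate suspicious requests per path: {path: {"hits", "ips", "reasons"}}."""
    candidates = defaultdict(lambda: {"hits": 0, "ips": set(), "reasons": set()})
    for line in lines:
        entry = parse_line(line)
        if not entry:
            continue
        reasons = suspicious_reasons(entry)
        if len(reasons) >= min_reasons:
            path = entry["path"].split("?", 1)[0]
            c = candidates[path]
            c["hits"] += 1
            c["ips"].add(entry["ip"])
            c["reasons"].update(reasons)
    return dict(candidates)


# Constructed sample log: two legitimate requests, then an operator driving a dropped JSP.
SAMPLE_LOG = """\
198.51.100.20 - - [18/Feb/2026:02:10:00 +0000] "POST /login HTTP/1.1" 302 0 "https://support.example.com/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/128.0"
198.51.100.20 - - [18/Feb/2026:02:10:01 +0000] "GET /static/app.js HTTP/1.1" 200 48112 "https://support.example.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/128.0"
203.0.113.7 - - [18/Feb/2026:02:14:03 +0000] "GET /static/uploads/help.jsp?cmd=id HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.7 - - [18/Feb/2026:02:14:09 +0000] "POST /static/uploads/help.jsp HTTP/1.1" 200 2048 "-" "curl/8.4.0"
203.0.113.7 - - [18/Feb/2026:02:15:41 +0000] "POST /static/uploads/help.jsp HTTP/1.1" 200 77 "-" "python-requests/2.32.3"
"""

if __name__ == "__main__":
    for path, info in find_webshell_candidates(SAMPLE_LOG.splitlines()).items():
        print(path, info["hits"], sorted(info["ips"]), sorted(info["reasons"]))
```

Treat a hit as a lead, not a verdict: confirm it by checking the file's existence and modification time on the appliance against the exposure window, and by comparing the web root against a known-good image or vendor file manifest. If the log retention on the appliance is short, export it before patching or rebuilding, since the patch does not remove a shell that is already there.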

Recommended Defensive Measures

  • Remote Access Tool Security:
    • Inventory all remote access tools in use across the organization
    • Ensure all remote access software is patched to current versions
    • Implement network segmentation to limit lateral movement from compromised remote access systems
    • Enable comprehensive logging and monitoring for remote access sessions
  • Supply Chain Security:
    • Review and audit npm packages and other third-party dependencies
    • Implement software composition analysis (SCA) tools in CI/CD pipelines
    • Monitor for unexpected network connections from development environments
    • Consider using private package registries with security scanning
  • MFA Hardening:
    • Move away from SMS-based MFA where possible
    • Implement phishing-resistant MFA (FIDO2, hardware tokens)
    • Train users to recognize MFA bypass attempts
    • Monitor for anomalous authentication patterns
  • ATM Security (Financial Sector):
    • Review physical security controls for ATM access
    • Ensure ATM software is current and hardened
    • Implement real-time monitoring for unusual dispensing patterns
    • Review vendor access procedures and controls
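What "real-time monitoring for unusual dispensing patterns" can look like in code. Jackpotting malware such as Ploutus drives the cash dispenser directly, so notes leave the machine without a matching withdrawal ever being authorised by the bank host; correlating dispenser events against host authorisations exposes that, and a burst of dispenses on one machine exposes the cash-out itself. This is an added example by the editor, not code from the briefing or the FBI, and the event formats, ATM identifiers, tolerance window and burst threshold are assumptions for illustration:

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class HostAuth:
    """A withdrawal the bank host authorised (from the switch/host logs)."""
    atm_id: str
    ts: datetime
    amount: int
    auth_id: str


@dataclass(frozen=True)
class DispenseEvent:
    """A cash dispense reported by the ATM itself (dispenser/XFS journal)."""
    atm_id: str
    ts: datetime
    amount: int


def match_dispenses(auths, dispenses, window=timedelta(seconds=30)):
    """Pair each dispense with one unused host authorisation for the same ATM and
    amount that precedes it by at most `window`. Returns (matched, unmatched).
    Cash leaving the dispenser with no authorisation behind it is the jackpotting
    signature: the malware talks to the dispenser, not to the host."""
    used = set()
    matched, unmatched = [], []
    auths_by_time = sorted(auths, key=lambda e: e.ts)
    for d in sorted(dispenses, key=lambda e: e.ts):
        hit = None
        for a in auths_by_time:
            if a.auth_id in used or a.atm_id != d.atm_id or a.amount != d.amount:
                continue
            if timedelta(0) <= d.ts - a.ts <= window:
                hit = a
                break
        if hit is None:
            unmatched.append(d)
        else:
            used.add(hit.auth_id)
            matched.append((d, hit))
    return matched, unmatched


def dispense_bursts(dispenses, max_per_window=3, window=timedelta(minutes=2)):
    """Flag ATMs whose dispense count inside any sliding window exceeds
    max_per_window; returns {atm_id: peak count}."""
    times_by_atm = defaultdict(list)
    for d in dispenses:
        times_by_atm[d.atm_id].append(d.ts)
    flagged = {}
    for atm, times in times_by_atm.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:
                lo += 1
            count = hi - lo + 1
            if count > max_per_window:
                flagged[atm] = max(flagged.get(atm, 0), count)
    return flagged


def _t(s):
    return datetime.fromisoformat(s)


# Constructed sample: one normal withdrawal, and one machine being emptied at 03:12.
SAMPLE_AUTHS = [HostAuth("ATM-0412", _t("2026-02-18T10:00:00"), 200, "A1")]
SAMPLE_DISPENSES = [DispenseEvent("ATM-0412", _t("2026-02-18T10:00:05"), 200)] + [
    DispenseEvent("ATM-0779", _t("2026-02-18T03:12:00") + timedelta(seconds=20 * i), 2000)
    for i in range(5)
]


def run_sample():
    matched, unmatched = match_dispenses(SAMPLE_AUTHS, SAMPLE_DISPENSES)
    return {
        "matched": len(matched),
        "unmatched": len(unmatched),
        "unmatched_atms": sorted({d.atm_id for d in unmatched}),
        "bursts": dispense_bursts(SAMPLE_DISPENSES),
    }


if __name__ == "__main__":
    print(run_sample())
```

The correlation only works if the dispenser journal is shipped off the machine independently of the ATM's own application software, since malware that has taken over the PC core can suppress or falsify local logging; a network tap on the host link plus the dispenser's own event feed is the usual way to get two sources that the attacker does not both control.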

Resilience & Continuity Planning

Lessons Learned from Recent Incidents

  • Healthcare Ransomware Response: The UMMC clinic closures highlight the importance of:
    • Maintaining offline backup systems for critical patient care functions
    • Developing manual procedures for essential clinical operations
    • Pre-establishing communication plans for patients and staff during outages
    • Coordinating with regional healthcare partners for patient care continuity
  • Data Breach Detection: The PayPal breach, which exposed data for six months before discovery, underscores the need for:
    • Regular security testing of new application features
    • Automated monitoring for data exposure
    • Periodic access reviews and data flow analysis

Supply Chain Security Developments

  • The dual supply chain attacks on developer tools (Cline CLI and npm packages) demonstrate the need for:
    • Verification of software updates before deployment
    • Monitoring of developer workstations for unusual activity
    • Network segmentation between development and production environments
    • Regular audits of third-party dependencies
  • The Advantest ransomware attack highlights semiconductor supply chain vulnerabilities that could have cascading effects on technology manufacturing.
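A concrete form of "regular audits of third-party dependencies" and "verification of software updates before deployment" for the npm case above: audit the lockfile before anything is installed, and refuse to let install-time scripts run by default. The following is an added example by the editor, not code from the briefing, from npm or from the affected projects; the trusted-registry policy, the package names and the hash values in the sample lockfile are constructed placeholders. The fields it reads (`resolved`, `integrity`, `hasInstallScript`, `link`) are the ones npm writes into a lockfileVersion 2 or 3 package-lock.json:

```python
import json
from urllib.parse import urlparse

# Constructed policy: the only registry host lockfile entries are allowed to resolve to.
TRUSTED_REGISTRY_HOSTS = {"registry.npmjs.org"}


def audit_lockfile(lock: dict, trusted_hosts=TRUSTED_REGISTRY_HOSTS) -> list[dict]:
    """Walk the `packages` map of a lockfileVersion 2/3 package-lock.json and return
    findings that deserve a human look before `npm ci` runs anything."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "" or meta.get("link"):
            continue  # root project or workspace symlink
        name = path.rsplit("node_modules/", 1)[-1]  # handles nested and @scoped paths
        version = meta.get("version", "?")

        def add(issue):
            findings.append({"package": name, "version": version, "issue": issue})

        resolved = meta.get("resolved")
        if not resolved:
            add("no resolved URL (cannot tell where the tarball came from)")
        else:
            url = urlparse(resolved)
            if url.scheme != "https" or url.hostname not in trusted_hosts:
                add(f"resolved from untrusted source {resolved}")
        if not meta.get("integrity"):
            add("no integrity hash (tarball contents are not pinned)")
        if meta.get("hasInstallScript"):
            add("declares preinstall/install/postinstall script (runs code at install time)")
    return findings


# Constructed sample lockfile; package names and integrity values are placeholders.
SAMPLE_LOCK = json.loads("""
{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/lodash": {
      "version": "4.17.21",
      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
      "integrity": "sha512-placeholderLodash"
    },
    "node_modules/helpful-cli": {
      "version": "2.3.1",
      "resolved": "https://registry.npmjs.org/helpful-cli/-/helpful-cli-2.3.1.tgz",
      "integrity": "sha512-placeholderCli",
      "hasInstallScript": true
    },
    "node_modules/color-utils": {
      "version": "0.9.0",
      "resolved": "http://mirror.example.net/color-utils-0.9.0.tgz"
    }
  }
}
""")

if __name__ == "__main__":
    for f in audit_lockfile(SAMPLE_LOCK):
        print(f"{f['package']}@{f['version']}: {f['issue']}")
```

Run the audit in CI against the committed lockfile, then install with `npm ci --ignore-scripts` so that a package's install hook cannot execute before anyone has looked at it, and enable scripts only for the few packages that genuinely need a native build step. A package flagged only for `hasInstallScript` is not malicious by itself (many native modules legitimately compile at install time); the point is that a new install script appearing in a dependency you did not change is exactly the change a compromised package introduces, and the lockfile diff is where it shows up.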

Cross-Sector Dependencies

  • Remote Access Infrastructure: The BeyondTrust exploitation demonstrates how vulnerabilities in common enterprise tools can affect multiple sectors simultaneously. Organizations should:
    • Maintain visibility into shared technology dependencies
    • Participate in sector-specific ISACs for early warning
    • Develop contingency plans for loss of key remote access capabilities
  • DHS Coordination Impact: The ongoing partial DHS shutdown may affect:
    • CISA coordination and advisory dissemination
    • Cross-sector information sharing mechanisms
    • Federal incident response support capabilities

Regulatory & Policy Developments

Federal Guidelines and Regulatory Changes

  • Maritime Action Plan: The Trump Administration has released a new Maritime Action Plan that may affect security requirements for port facilities, maritime transportation, and offshore infrastructure. Organizations in the maritime sector should review the plan for compliance implications.
  • European Parliament AI Ban: The European Parliament has implemented new AI restrictions that may affect multinational organizations operating in both U.S. and European markets, particularly those using AI for security operations.

Disaster Declarations

  • Major disaster declaration approved for Louisiana (severe winter storm)
  • Continued recovery funding for Hawaii ($33.4M) and Wyoming ($7.5M) wildfire disasters

Compliance Considerations

  • Identity and Access Management: The emergence of identity cyber scores as a cyber insurance metric suggests organizations should proactively assess and improve their identity security posture to maintain favorable insurance terms.
  • MFA Requirements: Organizations should anticipate increasing regulatory pressure to move away from SMS-based MFA, following industry trends exemplified by PayPal's initiatives.

Training & Resource Spotlight

New Tools and Resources

  • Anthropic Claude Security Scanning: Anthropic is rolling out embedded security scanning for its Claude AI assistant. Currently limited to a small group of testers, the feature scans AI-generated code for vulnerabilities and proposes fixes, which could improve secure coding outcomes for organizations using AI coding assistants. Generated fixes still need the same review as any other code change.
  • Password Security Research: Security Magazine has published research on the 25 most vulnerable passwords of 2026, which can be used for security awareness training and password policy development.
  • De-Escalation Training Guidance: Security Magazine provides guidance on implementing meaningful de-escalation training in security programs, relevant for physical security personnel at critical infrastructure facilities.
  • Passwordless Authentication Options: CSO Online has published a guide on 10 passwordless options for enterprises, providing practical guidance for organizations looking to enhance authentication security.

Best Practices

  • Shift Left Security: BleepingComputer discusses challenges with "shift left" security approaches, noting that an analysis of 34,000 public container images found significant security gaps where delivery speed had been allowed to override security checks. Organizations should balance development velocity with security requirements rather than treating the two as a trade-off to be won by speed.

Looking Ahead: Upcoming Events

Upcoming Conferences and Workshops

  • NIST Cybersecurity for IoT Workshop: Future Directions - March 31, 2026
    • Focus on emerging and future trends for IoT technologies and cybersecurity implications
    • Relevant for organizations deploying IoT in critical infrastructure environments
    • More information: NIST Website
  • NIST Iris Experts Group Annual Meeting - June 25, 2026
    • Forum for discussion of technical questions related to iris recognition for government agencies
    • Relevant for organizations implementing biometric access controls

Anticipated Developments

  • DHS Shutdown Resolution: Monitor for resolution of the partial DHS shutdown and any impacts on critical infrastructure protection programs and coordination.
  • BeyondTrust Exploitation: Expect continued exploitation of CVE-2026-1731 in ransomware campaigns. Organizations should monitor for new indicators of compromise and updated guidance.
  • Supply Chain Attack Follow-up: Additional analysis of the OpenClaw malware and its capabilities is expected as security researchers continue investigation of the Cline CLI and npm package compromises.
  • Quantum Communications: Following NIST's single photon chip breakthrough, watch for developments in quantum key distribution technology availability and standards.

Heightened Awareness Periods

  • Ongoing: Healthcare sector should maintain elevated vigilance given active ransomware campaigns targeting medical facilities.
  • Ongoing: Financial institutions should monitor for ATM jackpotting activity, particularly at locations with older ATM hardware or limited physical security.
  • Developer Organizations: Maintain heightened scrutiny of software updates and third-party packages given active supply chain attack campaigns.

This intelligence briefing is based on open-source reporting from February 14-21, 2026. Organizations should verify applicability to their specific environments and consult with security professionals before implementing recommendations. For the latest updates on vulnerabilities and threats, monitor CISA advisories and sector-specific ISACs.

Disclaimer

This briefing is generated using AI analysis of public news sources. Always verify critical information through authoritative sources before taking action.