🚨 Top Stories
CISA Tells Agencies to Stop Using Unsupported Edge Devices
CISA directed federal agencies to identify and remove unsupported “edge” devices (e.g., internet-facing routers/firewalls) that can’t receive security updates—reducing exposure from end-of-life infrastructure that attackers routinely target.
Source: https://cyberscoop.com/cisa-bod-directive-unsupported-edge-devices-firewalls-routers/
💡 Key Takeaway: Build an inventory of internet-facing edge gear, map each model/OS to vendor support status, and set an internal deadline to replace or retire anything out of support.
AISURU/Kimwolf Botnet Launches Record-Setting 31.4 Tbps DDoS Attack
Researchers reported a massive DDoS event attributed to the AISURU/Kimwolf botnet, underscoring how quickly volumetric capacity is scaling and how “traditional” upstream protection can be overwhelmed.
Source: https://thehackernews.com/2026/02/aisurukimwolf-botnet-launches-record.html
💡 Key Takeaway: Validate you have an always-on DDoS plan (contact path, runbooks, scrubbing enablement) and confirm your CDN/WAF and upstream provider can handle multi-Tbps events for your critical domains.
Compromised dYdX npm and PyPI Packages Deliver Wallet Stealers and RAT Malware
A package compromise targeting both npm and PyPI was reported to drop credential/wallet-stealing functionality and remote-access malware, reinforcing the blast radius of dependency trust failures.
Source: https://thehackernews.com/2026/02/compromised-dydx-npm-and-pypi-packages.html
💡 Key Takeaway: Enforce dependency pinning + integrity checks (lockfiles, hashes/SBOM), and block unknown package installs in CI/CD by requiring allowlisted registries and maintainers.
🛡️ Vulnerability Spotlight
CVE-2026-24423 — SmarterMail Missing Authentication for a Critical Function (added to CISA KEV)
CISA added this SmarterMail issue to the Known Exploited Vulnerabilities (KEV) catalog this week, signaling real-world exploitation and raising patch urgency for exposed deployments.
Source: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
💡 Key Takeaway: Immediately identify SmarterMail instances (including shadow IT), restrict admin interfaces to VPN/IP allowlists, and patch/mitigate on an emergency change window.
CVE-2025-40551 — SolarWinds Web Help Desk Deserialization of Untrusted Data (added to CISA KEV)
CISA added this SolarWinds Web Help Desk vulnerability to KEV, elevating priority for organizations running the product in reachable network zones.
Source: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
💡 Key Takeaway: Treat Web Help Desk as a Tier-1 patch target: patch fast, segment it away from domain controllers and admin tooling, and monitor for suspicious process creation from the application host.
CVE-2021-39935 — GitLab CE/EE SSRF (added to CISA KEV)
This GitLab SSRF issue was added to KEV, highlighting that older but reachable DevOps platforms remain high-value targets when left unpatched or exposed.
Source: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
💡 Key Takeaway: Audit external exposure of GitLab, patch to a fixed version, rotate credentials/tokens that could be reachable via SSRF paths, and enable egress controls to limit what GitLab servers can call out to.
📈 Trend to Watch
Adversary-in-the-Middle (AitM) Tooling Moves “Downstream” to Routers and Edge Infrastructure
Reporting this week highlights AitM frameworks and implants targeting routers/edge devices to hijack traffic and facilitate credential theft or malware delivery—an evolution that turns network infrastructure into the attack platform.
Source: https://thehackernews.com/2026/02/china-linked-dknife-aitm-framework.html • https://www.securityweek.com/dknife-implant-used-by-chinese-threat-actor-for-adversary-in-the-middle-attacks/
💡 Key Takeaway: Add router/edge telemetry to your detection program (config-change alerts, new admin users, unexpected DNS/NTP changes) and require MFA-resistant phishing controls (FIDO2/passkeys) for admin access.
🏛️ Policy & Regulation Watch
DHS Privacy Probe to Focus on Biometric Tracking by ICE and OBIM
A DHS Inspector General audit will examine biometric data tracking practices, reflecting continued scrutiny over government use of biometrics and associated privacy controls.
Source: https://cyberscoop.com/dhs-ig-audit-ice-obim-biometric-data-privacy-facial-recognition/
💡 Key Takeaway: If you operate biometric systems, document data flows and retention, tighten access logging, and be ready to demonstrate purpose limitation and deletion/appeal processes.
🧰 Tool / Resource of the Week
CISA Known Exploited Vulnerabilities (KEV) JSON Feed
The KEV catalog’s machine-readable feed is a practical way to automate “what must get fixed now” prioritization based on confirmed exploitation.
Source: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
💡 Key Takeaway: Wire KEV ingestion into your vuln management pipeline and auto-open tickets when a KEV CVE matches assets you own—then enforce an SLA (e.g., 7–14 days based on exposure).
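A minimal version of that pipeline step, added here as an illustration rather than code from CISA or any vendor: it parses a feed in the KEV record shape (field names as the feed uses them; the entries and dates are constructed samples built from this week's KEV additions), joins them to a constructed asset inventory, and derives an internal due date from each asset's exposure.

```python
import json
import re
from datetime import date, timedelta

# Internal SLA from the takeaway: 7 days for internet-facing assets, 14 for internal ones.
SLA_DAYS = {"internet": 7, "internal": 14}

# Constructed sample in the KEV feed's record shape (field names as in the feed; dates are
# illustrative, not copied from the live catalog).
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-24423", "vendorProject": "SmarterTools", "product": "SmarterMail",
     "dateAdded": "2026-02-10", "dueDate": "2026-03-03"},
    {"cveID": "CVE-2025-40551", "vendorProject": "SolarWinds", "product": "Web Help Desk",
     "dateAdded": "2026-02-10", "dueDate": "2026-03-03"},
    {"cveID": "CVE-2021-39935", "vendorProject": "GitLab", "product": "GitLab CE/EE",
     "dateAdded": "2026-02-12", "dueDate": "2026-03-05"},
]})

# Constructed asset inventory: what you own and whether it is reachable from the internet.
ASSETS = [
    {"host": "mail-01", "vendor": "SmarterTools", "product": "SmarterMail", "exposure": "internet"},
    {"host": "helpdesk-01", "vendor": "SolarWinds", "product": "Web Help Desk", "exposure": "internal"},
    {"host": "git-01", "vendor": "GitLab", "product": "GitLab CE", "exposure": "internal"},
    {"host": "db-01", "vendor": "PostgreSQL", "product": "PostgreSQL", "exposure": "internal"},
]

def _tokens(s):
    return set(re.findall(r"[a-z0-9]+", s.lower()))

def kev_tickets(kev_json, assets, today):
    """Join KEV entries to owned assets; one ticket per (CVE, host), earliest internal due date first."""
    tickets = []
    for entry in json.loads(kev_json)["vulnerabilities"]:
        for asset in assets:
            # Vendor must match exactly; product strings vary in granularity, so accept any shared token.
            if entry["vendorProject"].lower() != asset["vendor"].lower():
                continue
            if not _tokens(entry["product"]) & _tokens(asset["product"]):
                continue
            added = date.fromisoformat(entry["dateAdded"])
            due = added + timedelta(days=SLA_DAYS[asset["exposure"]])
            tickets.append({
                "cve": entry["cveID"], "host": asset["host"], "exposure": asset["exposure"],
                "due": due, "cisa_due": date.fromisoformat(entry["dueDate"]), "overdue": today > due,
            })
    return sorted(tickets, key=lambda t: (t["due"], t["host"]))

if __name__ == "__main__":
    for t in kev_tickets(KEV_SAMPLE, ASSETS, date(2026, 2, 20)):
        print(f"{t['cve']} {t['host']:<12} due {t['due']} {'OVERDUE' if t['overdue'] else ''}")
```

In production, replace `KEV_SAMPLE` with the downloaded feed and `ASSETS` with your CMDB export; the token-overlap match is deliberately permissive, so treat each ticket as a triage item to confirm, not an automatic finding.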
⚡ Quick Hits
German Agencies Warn of Signal Phishing Targeting Politicians, Military, and Journalists
Authorities warned about phishing attempts targeting Signal users, a reminder that secure messaging apps don’t eliminate social engineering—attackers shift to account takeover and device compromise.
Source: https://thehackernews.com/2026/02/german-agencies-warn-of-signal-phishing.html
💡 Key Takeaway: Train high-risk users on Signal-specific lures (QR/device linking), require device PIN/biometrics, and consider MDM hardening for officials and executives.
Rapid7 on Chrysalis/Notepad++ and Supply Chain Risk: What to Do Next
Rapid7 published practical guidance following supply-chain concerns, focusing on how defenders can validate software integrity and reduce blast radius when trusted tooling becomes suspect.
Source: https://www.rapid7.com/blog/post/tr-chrysalis-notepad-supply-chain-risk-next-steps
💡 Key Takeaway: Implement application allowlisting for admin workstations and use signed, internally mirrored installers for common tooling (editors, CLIs) rather than ad-hoc downloads.
Romania’s Oil Pipeline Operator Confirms Cyberattack as Hackers Claim Data Theft
A critical infrastructure operator confirmed a cyber incident amid claims of stolen data, reinforcing the operational and regulatory impact when OT-adjacent enterprises get hit.
Source: https://therecord.media/romania-conpet-oil-pipeline-ransomware-attack
💡 Key Takeaway: Validate your “IT-to-OT” separation (jump hosts, MFA, least privilege) and ensure backups for business-critical IT systems are immutable and routinely tested.
State-backed Group Reported Breaching Dozens of Government and Infrastructure Entities
A reported campaign involving a state-aligned actor targeting government and critical infrastructure underscores persistent pressure on credential access, email, and remote management pathways.
Source: https://thehackernews.com/2026/02/asian-state-backed-group-tgr-sta-1030.html
💡 Key Takeaway: Prioritize hardening identity: enforce phishing-resistant MFA for admins, reduce long-lived tokens, and monitor for anomalous OAuth consent and mailbox rule creation.
iPhone Lockdown Mode Credited with Protecting a Journalist
A case study highlighted how Lockdown Mode can blunt sophisticated mobile threats, especially for high-risk individuals.
💡 Key Takeaway: For executives and high-risk roles, standardize a “hardened mobile” profile (Lockdown Mode where appropriate, restricted sideloading, rapid patching) and pair it with travel/incident playbooks.
⚔️ Actionable Defense Move of the Week
Stand Up an “Edge Device Hygiene” Sprint (Inventory → Support Status → Replace/Segment)
In one week, you can materially reduce risk by focusing on the equipment that sits directly on the internet and often escapes normal patch SLAs.
Source: https://cyberscoop.com/cisa-bod-directive-unsupported-edge-devices-firewalls-routers/
💡 Key Takeaway: Create a list of all public IPs you own, map them to the device model/firmware, flag anything end-of-support, and either (a) replace, (b) move behind a managed security service, or (c) restrict management planes to VPN + allowlists.
🧠 Final Word
Exploitation is increasingly shaped by two realities: attackers love the “edges” (where visibility and patch discipline are weakest), and supply-chain trust failures keep expanding the set of initial access paths. The teams that win are the ones that automate prioritization (KEV-style) and remove legacy exposure faster than attackers can operationalize it.