This week’s brief is about operational choke points: payment processors, remote-support appliances, and the KEV-driven patch treadmill. If it’s internet-facing and sits on a control plane, assume exploitation moves from PoC to scanning in hours — and plan your validation/hunt accordingly.
🚨 Top Stories
BridgePay ransomware attack disrupts local government and utility payment portals — third‑party gateways are critical infrastructure
A ransomware attack forced BridgePay to take systems offline, knocking out card-payment services for multiple municipalities and utilities; BridgePay said services would remain unavailable while investigation and recovery continued, and stated that no payment card data had been compromised.
Source: GovTech • The Record • BridgePay Status
💡 Key Takeaway: Treat payment gateways like a shared-service outage risk: document workarounds, pre-stage alternate processors, and verify vendor incident SLAs + comms paths before the next outage.
BeyondTrust Remote Support / Privileged Remote Access critical pre-auth RCE (CVE‑2026‑1731) — exploitation observed; scanning ramped quickly
BeyondTrust disclosed a critical pre-auth RCE affecting Remote Support and older Privileged Remote Access versions, with exploitation attempts observed in internet-facing self-hosted environments that remained unpatched; GreyNoise reported rapid reconnaissance following public PoC activity.
Source: BeyondTrust Advisory BT26-02 • GreyNoise
💡 Key Takeaway: Patch immediately, then assume-breach: review appliance logs, rotate creds/tokens used by RS/PRA, and add external exposure monitoring for non-standard ports.
CISA adds multiple actively exploited vulnerabilities to KEV this week — treat KEV adds as same-day change requests
CISA published several KEV updates across the week (Feb 10, Feb 12, Feb 13), reflecting confirmed exploitation across multiple products. Use KEV as the trigger for urgent triage, not just CVSS.
Source: CISA (Feb 10 KEV add) • CISA (Feb 12 KEV add) • CISA (Feb 13 KEV add)
💡 Key Takeaway: Automate KEV ingestion into ticketing, map each CVE to owned assets, and enforce a 24–72h mitigation SLA for anything exposed to the internet or used for admin access.
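The takeaway above is a procedure, so here is one way to implement it end to end as an added example (not code from this brief or from CISA): parse a KEV catalog, take the delta against CVEs already ticketed, match each new CVE to inventory, and stamp a due date from the 24/72h policy. Everything here is hypothetical: the inventory schema, the owners, the SLA rule, the "seen" set, and the sample entries, which only copy the field names of CISA's known_exploited_vulnerabilities.json. The CVE IDs are the ones discussed in this brief; the dates and other field values are placeholders, not the real catalog entries.

```python
"""Added example, not code from the newsletter or from CISA: turn a KEV
catalog delta into SLA-bound tickets by matching each new CVE against an
asset inventory. Inventory schema, SLA policy, owners, the 'seen' set and
the sample KEV entries are all hypothetical."""
import json
from datetime import datetime, timedelta, timezone

# Constructed snapshot mirroring the KEV feed schema (field names only;
# dates and other values are placeholders). A real run would fetch
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
KEV_SNAPSHOT = json.dumps({
    "catalogVersion": "sample",
    "vulnerabilities": [
        {"cveID": "CVE-2026-1731", "vendorProject": "BeyondTrust",
         "product": "Remote Support", "dateAdded": "2026-02-13",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-1281", "vendorProject": "Ivanti",
         "product": "Endpoint Manager Mobile", "dateAdded": "2026-02-10",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-1340", "vendorProject": "Ivanti",
         "product": "Endpoint Manager Mobile", "dateAdded": "2026-02-12",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Hypothetical asset inventory; in practice this comes from your CMDB.
ASSETS = [
    {"host": "rs-appliance-01", "vendor": "beyondtrust", "product": "remote support",
     "internet_exposed": True, "admin_plane": True, "owner": "it-ops"},
    {"host": "epmm-core-01", "vendor": "ivanti", "product": "endpoint manager mobile",
     "internet_exposed": False, "admin_plane": True, "owner": "endpoint-team"},
    {"host": "epmm-lab-01", "vendor": "ivanti", "product": "endpoint manager mobile",
     "internet_exposed": False, "admin_plane": False, "owner": "endpoint-team"},
    {"host": "web-01", "vendor": "apache", "product": "http server",
     "internet_exposed": True, "admin_plane": False, "owner": "web-team"},
]

# CVEs ticketed on a previous run (normally persisted state, not a literal).
SEEN = {"CVE-2026-1281"}

# Fixed "now" so the demo (and its due dates) are reproducible.
DEMO_NOW = datetime(2026, 2, 13, 12, 0, tzinfo=timezone.utc)


def parse_kev(text):
    """Return the vulnerability entries from a KEV feed document."""
    return json.loads(text)["vulnerabilities"]


def kev_delta(entries, seen):
    """Entries whose cveID has not been processed on an earlier run."""
    return [e for e in entries if e["cveID"] not in seen]


def sla_hours(asset):
    """Policy from the brief: 24 h if internet-facing or on an admin plane,
    72 h otherwise."""
    return 24 if asset["internet_exposed"] or asset["admin_plane"] else 72


def matching_assets(entry, assets):
    """Naive vendor/product string match. A real inventory should map KEV
    vendorProject/product to CPEs; this is only illustrative."""
    vendor, product = entry["vendorProject"].lower(), entry["product"].lower()
    return [a for a in assets if a["vendor"] == vendor and a["product"] == product]


def build_tickets(kev_text, assets, seen, now):
    """Return (tickets, unmatched): one ticket per affected asset, plus the
    new CVE IDs that matched nothing so the gap is visible, not silent."""
    tickets, unmatched = [], []
    for entry in kev_delta(parse_kev(kev_text), seen):
        hits = matching_assets(entry, assets)
        if not hits:
            unmatched.append(entry["cveID"])
            continue
        for asset in hits:
            hours = sla_hours(asset)
            tickets.append({
                "cve": entry["cveID"],
                "host": asset["host"],
                "owner": asset["owner"],
                "sla_hours": hours,
                "due": (now + timedelta(hours=hours)).isoformat(),
                "ransomware_use": entry.get("knownRansomwareCampaignUse", "Unknown"),
            })
    # Shortest SLA first so the queue is already prioritised for the on-call.
    tickets.sort(key=lambda t: (t["sla_hours"], t["cve"]))
    return tickets, unmatched


if __name__ == "__main__":
    tickets, unmatched = build_tickets(KEV_SNAPSHOT, ASSETS, SEEN, DEMO_NOW)
    for t in tickets:
        print(f"{t['cve']} {t['host']} owner={t['owner']} sla={t['sla_hours']}h due={t['due']}")
    print("new KEV entries with no matching asset:", unmatched)
```

Two design points worth keeping when you wire this to a real ticketing system: persist the "seen" set so re-runs are idempotent, and always surface the unmatched CVEs; a KEV entry that matches nothing is either genuinely irrelevant or an inventory gap, and only a human can tell which.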
🛡️ Vulnerability Spotlight
CVE‑2026‑1731 (BeyondTrust RS / PRA) — critical pre-auth RCE with exploitation attempts observed
A critical pre-auth RCE in BeyondTrust Remote Support and older Privileged Remote Access versions can allow unauthenticated command execution. BeyondTrust reported observed exploitation attempts in internet-facing self-hosted environments that were unpatched as of early February.
Source: BeyondTrust BT26-02 • GreyNoise
💡 Key Takeaway: If you had exposure, treat this like Tier‑0: patch/upgrade, rotate secrets, validate integrity, and hunt for suspicious admin actions and outbound callbacks.
Ivanti Endpoint Manager Mobile (EPMM) — critical code injection bugs (CVE‑2026‑1281, CVE‑2026‑1340) linked to government intrusions
Reporting indicates a wave of attacks tied to Ivanti EPMM vulnerabilities; Ivanti urged customers to treat exposed systems as potentially compromised and review logs for exploitation indicators.
Source: The Record
💡 Key Takeaway: For any MDM/EMM: remove direct internet exposure, enforce admin access via VPN/jump hosts, and do post-patch validation (new accounts, config changes, device enrollment anomalies).
KEV additions include high-impact OS and platform flaws — use KEV deltas as your weekly ‘must-fix’ list
CISA’s KEV updates this week include vulnerabilities across major vendor ecosystems (including Apple and Microsoft entries listed in CISA’s Feb 10/12 alerts).
Source: CISA Feb 10 KEV alert • CISA Feb 12 KEV alert
💡 Key Takeaway: Don’t wait for monthly patch cycles when KEV moves: apply mitigations immediately (disable features, restrict interfaces, WAF rules) and schedule emergency patches.
📈 Trend to Watch
Choke points are multiplying: payment gateways + remote-support tools are becoming ransomware and initial-access magnets
This week’s outages and exploitation activity show attackers don’t need to hit you directly — they can hit the vendors that sit in the middle of your billing, admin access, or support workflows and still cause real operational downtime.
Source: GovTech (BridgePay impact) • BeyondTrust BT26-02
💡 Key Takeaway: Expand your critical-path threat modeling: identify ‘vendor control planes’ (payments, PAM/remote support, MDM, backup), and build playbooks for outage + compromise.
Policy & Regulation Watch
CISA flags OT/ICS security gaps following a Poland energy-sector incident — treat ‘IT-only’ controls as insufficient for operations
CISA published an alert highlighting OT/ICS security gaps following a Poland energy-sector incident, reinforcing the need for OT-specific segmentation, monitoring, and response planning.
Source: CISA alert
💡 Key Takeaway: If you have OT/ICS exposure: validate segmentation boundaries, ensure out-of-band logging, and rehearse an OT incident workflow with engineering—not just IT.
🧰 Tool / Resource of the Week
GreyNoise reconnaissance context for emerging exploits — fast signal when PoCs turn into scanning
GreyNoise’s write-up on BeyondTrust reconnaissance is a practical template for how to translate ‘PoC dropped’ into real-world external-scan visibility and prioritization.
Source: GreyNoise
💡 Key Takeaway: Add a step to your triage: when a PoC drops, check whether scanning is already active for your exposed surface, and prioritize patch/mitigate accordingly.
⚡ Quick Hits
Dutch telecom Odido announces data breach impacting millions of customers
Odido said attackers accessed a customer contact system on Feb 7 and stole customer information; the company disclosed the breach after confirming it.
Source: The Record
💡 Key Takeaway: Harden your CRM/contact platforms: least privilege, MFA, and anomaly alerts for bulk export/download patterns.
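"Anomaly alerts for bulk export/download patterns" is easy to say and fiddly to build, so here is an added example (not code from this brief, and nothing to do with Odido's systems): a sliding-window detector run over constructed CRM audit-log lines. The log format, user names, baselines, thresholds and corporate IP range are all hypothetical; the point is the shape of the logic: sum exported records per user over a short window, compare against that user's learned baseline with a hard cap for service accounts, and flag whether the source IP was outside the corporate range.

```python
"""Added example, not from the newsletter or any vendor: flag bulk
export/download activity in a customer-contact platform's audit log.
Log format, users, baselines, thresholds and CORP_NETS are hypothetical;
SAMPLE_LOG is constructed, not real events."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit lines: timestamp user action record_count src_ip
SAMPLE_LOG = """\
2026-02-07T09:01:12Z alice export 40 10.0.5.21
2026-02-07T09:04:50Z alice export 35 10.0.5.21
2026-02-07T09:10:03Z bob view 1 10.0.5.30
2026-02-07T09:11:45Z svc_sync export 900 10.0.9.8
2026-02-07T22:14:02Z carol export 4800 203.0.113.77
2026-02-07T22:15:10Z carol export 5200 203.0.113.77
2026-02-07T22:16:33Z carol export 5100 203.0.113.77
"""

# Hypothetical per-user baselines: records exported per 10-minute window,
# learned from history. Users without a baseline fall back to the default.
BASELINES = {"alice": 200, "svc_sync": 3000}
DEFAULT_BASELINE = 100
WINDOW = timedelta(minutes=10)
MULTIPLIER = 5          # alert when a window exceeds MULTIPLIER x baseline
HARD_CAP = 10_000       # alert regardless of baseline above this many records
CORP_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # hypothetical office/VPN range
BULK_ACTIONS = {"export", "download"}


def parse_log(text):
    """Parse the constructed 'ts user action count ip' lines, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, count, ip = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "action": action,
                       "count": int(count), "ip": ip})
    return sorted(events, key=lambda e: e["ts"])


def threshold_for(user):
    """Per-user alert threshold derived from the baseline."""
    return MULTIPLIER * BASELINES.get(user, DEFAULT_BASELINE)


def is_corporate(ip):
    """True if the source address falls inside a known corporate range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORP_NETS)


def detect_bulk_exports(text):
    """Sliding-window sum of exported records per user. Returns one finding
    per user: the peak window total, when it peaked, the IPs involved and
    whether any of them were outside CORP_NETS."""
    by_user = defaultdict(list)
    for e in parse_log(text):
        if e["action"] in BULK_ACTIONS:
            by_user[e["user"]].append(e)
    findings = {}
    for user, evs in by_user.items():
        limit = threshold_for(user)
        for i, cur in enumerate(evs):
            # Events for this user within WINDOW before (and including) cur.
            window = [e for e in evs[: i + 1] if cur["ts"] - e["ts"] <= WINDOW]
            total = sum(e["count"] for e in window)
            if total > limit or total > HARD_CAP:
                prev = findings.get(user)
                if prev is None or total > prev["peak"]:
                    findings[user] = {
                        "peak": total,
                        "at": cur["ts"].isoformat(),
                        "threshold": limit,
                        "ips": sorted({e["ip"] for e in window}),
                        "external_source": any(not is_corporate(e["ip"]) for e in window),
                    }
    return findings


if __name__ == "__main__":
    for user, f in detect_bulk_exports(SAMPLE_LOG).items():
        print(f"ALERT {user}: {f['peak']} records by {f['at']} "
              f"(limit {f['threshold']}), ips={f['ips']}, external={f['external_source']}")
```

In the sample, alice's two small exports stay well under her baseline-derived limit and svc_sync's nightly pull is inside its own larger allowance, but carol's three late-evening exports from a non-corporate address add up to far more than both her limit and the hard cap. The hard cap matters for exactly the service-account case: a high baseline must not become a licence to drain the whole table.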
Taiwan warns China may be rehearsing disruptive cyber operations via digital replicas of infrastructure
At the Munich Cyber Security Conference, Taiwan officials warned that operations like Volt Typhoon may be ‘real-world testing’ for disruption and that leaked documents point to infrastructure-mirroring cyber training platforms.
Source: The Record
💡 Key Takeaway: Treat long-dwell prepositioning seriously: tighten identity controls, reduce exposed management planes, and prioritize detection for living-off-the-land persistence.
EU and Dutch government confirm hacks tied to Ivanti EPMM zero-days
Reports say the critical Ivanti EPMM vulnerabilities (CVE‑2026‑1281, CVE‑2026‑1340) were exploited in the wild; EU and Dutch government entities disclosed compromises while national agencies issued warnings.
Source: The Record
💡 Key Takeaway: MDM/EMM is Tier‑0: treat exploitation as a fleet-level incident, not a single server patch.
BridgePay outage forces organizations to use cash/check workarounds while services remain down
Municipalities and utilities reported payment outages tied to BridgePay’s ransomware incident; some jurisdictions restored service via alternate routing or vendor workarounds.
Source: GovTech
💡 Key Takeaway: Document outage workarounds now: alternate processors, in-person payment procedures, and comms templates for residents/customers.
BeyondTrust: self-hosted customers not on automatic updates must manually patch or upgrade
BeyondTrust said SaaS instances and systems with the update service enabled were patched automatically; other self-hosted deployments require manual patching or upgrades to fixed versions.
Source: BeyondTrust
💡 Key Takeaway: Inventory auto-update gaps: list every security appliance that requires manual patching and make ownership explicit.
⚔️ Actionable Defense Move of the Week
Create a ‘Vendor Choke Point’ playbook (payments + remote support + MDM) and test it quarterly
This week’s disruptions show that single vendors can break core business processes and create new compromise paths.
Source: GovTech • BeyondTrust BT26-02
💡 Key Takeaway: Pick your top 3 vendor choke points. For each: define failover steps, key rotation steps, log sources, and a 1-page comms plan. Run a tabletop (and one live test) each quarter.
🧠 Final Word
If it sits between you and your users (payments, support, device control), it’s part of your perimeter — even if you don’t own the servers.
💡 Key Takeaway: Make vendor dependency risk a first-class security metric: uptime, patch latency, and incident transparency should be tracked like vulnerabilities.