Skip to main content

CISO Daily Brief: Cloud API Key Exposure, Air-Gapped Network Breaches, and Supply Chain Risks – Feb 28, 2026

Today’s security landscape continues to evolve rapidly, with new threats and exposures impacting cloud, supply chain, and operational environments. This briefing highlights the most pressing developments CISOs should prioritize, along with actionable steps and executive considerations. Staying informed and prepared is essential for maintaining enterprise resilience and board confidence.

Top Items CISOs Should Care About (Priority)

Thousands of Public Google Cloud API Keys Exposed with Gemini Access After API Enablement

  • What happened: Thousands of Google Cloud API keys, including those with access to Gemini services, were found publicly exposed after API enablement.
  • Why it matters: This exposure creates a high risk of mass exploitation and potential enterprise data compromise.
  • What to verify internally:
    • Inventory all Google Cloud API keys in use and their permissions.
    • Review access controls and ensure keys are not publicly accessible.
    • Audit recent API enablement and key generation events.
    • Monitor for unusual activity or unauthorized access to Gemini services.
  • Exec questions to prepare for:
    • Are any of our cloud API keys exposed or at risk?
    • What controls are in place to prevent public exposure of credentials?
    • How quickly can we rotate or revoke compromised keys?
    • What is our incident response plan for cloud credential leaks?
  • Sample CISO response: "We have initiated a review of all cloud API keys, confirmed no public exposures, and are enhancing monitoring and key management controls."

APT37 Hackers Use New Malware to Breach Air-Gapped Networks

  • What happened: Nation-state group APT37 has deployed new malware specifically designed to breach air-gapped networks.
  • Why it matters: This signals a high-severity threat with potential for significant enterprise and critical infrastructure impact.
  • What to verify internally:
    • Assess controls around air-gapped and sensitive network segments.
    • Review USB and removable media policies and enforcement.
    • Monitor for indicators of compromise related to APT37 activity.
    • Ensure incident response plans address air-gapped network breaches.
  • Exec questions to prepare for:
    • Do we have air-gapped networks or similar high-value assets?
    • What protections are in place against advanced nation-state threats?
    • How do we detect and respond to breaches in isolated environments?
  • Sample CISO response: "We are reviewing controls on isolated networks and updating detection capabilities for advanced threats targeting air-gapped systems."

900+ Sangoma FreePBX Instances Compromised in Ongoing Web Shell Attacks

  • What happened: Over 900 Sangoma FreePBX VoIP systems have been compromised through ongoing web shell attacks.
  • Why it matters: This poses a severe threat to enterprise communications and operational security.
  • What to verify internally:
    • Identify any use of Sangoma FreePBX or similar VoIP systems.
    • Check for signs of compromise or unauthorized web shells.
    • Ensure systems are patched and properly segmented from critical networks.
    • Review VoIP security monitoring and incident response readiness.
  • Exec questions to prepare for:
    • Are our communications systems affected or vulnerable?
    • What is our exposure to VoIP-related threats?
    • How are we monitoring and protecting these systems?
  • Sample CISO response: "We have assessed our VoIP infrastructure, applied necessary patches, and increased monitoring for web shell activity."

Pentagon Designates Anthropic Supply Chain Risk Over AI Military Dispute

  • What happened: The Pentagon has formally designated Anthropic as a supply chain risk due to concerns over AI use in military contexts.
  • Why it matters: This highlights serious national security and regulatory concerns that may require board-level attention.
  • What to verify internally:
    • Review any current or planned use of Anthropic or similar AI vendors.
    • Assess supply chain risk management processes for AI providers.
    • Monitor for regulatory updates or new compliance requirements.
    • Engage legal and procurement teams for contract reviews.
  • Exec questions to prepare for:
    • Are we using Anthropic or other flagged AI vendors?
    • What is our process for evaluating AI supply chain risks?
    • How do we ensure compliance with new regulatory guidance?
  • Sample CISO response: "We are reviewing our AI vendor relationships and updating supply chain risk assessments in line with new federal guidance."

Malicious Go Crypto Module Steals Passwords, Deploys Rekoobe Backdoor

  • What happened: A malicious Go crypto module was discovered stealing credentials and deploying the Rekoobe backdoor in development environments.
  • Why it matters: Compromised software modules in the supply chain can lead to credential theft and persistent enterprise backdoors.
  • What to verify internally:
    • Audit use of third-party Go modules and dependencies.
    • Scan for indicators of compromise related to Rekoobe.
    • Review software supply chain security controls.
    • Educate development teams on secure dependency management.
  • Exec questions to prepare for:
    • How do we vet and monitor third-party software modules?
    • What is our exposure to this specific Go module?
    • How are we protecting credentials in development environments?
  • Sample CISO response: "We have scanned our codebase for the affected module and reinforced supply chain security practices with our development teams."

ScarCruft Uses Zoho WorkDrive and USB Malware to Breach Air-Gapped Networks

  • What happened: The ScarCruft threat group is leveraging Zoho WorkDrive and USB malware to target and breach air-gapped networks.
  • Why it matters: This demonstrates high sophistication and risk to critical infrastructure and isolated environments.
  • What to verify internally:
    • Review controls on cloud storage and USB device usage.
    • Assess monitoring for suspicious file transfers and malware activity.
    • Update policies for removable media and cloud service access.
    • Coordinate with OT/ICS teams for targeted awareness.
  • Exec questions to prepare for:
    • Are our air-gapped or OT networks at risk from this vector?
    • How do we monitor for unauthorized data movement?
    • What is our response plan for breaches involving removable media?
  • Sample CISO response: "We are enhancing controls on removable media and cloud storage, and increasing monitoring for suspicious activity in sensitive environments."

CISA Warns that RESURGE Malware Can Be Dormant on Ivanti Devices

  • What happened: CISA has issued a warning that RESURGE malware may remain dormant on Ivanti devices, posing a latent threat.
  • Why it matters: Dormant malware on widely used devices increases the risk of undetected exploitation across enterprises.
  • What to verify internally:
    • Inventory all Ivanti devices in the environment.
    • Apply latest security patches and guidance from CISA.
    • Scan for indicators of dormant RESURGE malware.
    • Review incident response playbooks for latent threats.
  • Exec questions to prepare for:
    • Do we have Ivanti devices in use?
    • What steps are we taking to detect and remediate dormant threats?
    • How do we stay current with CISA advisories?
  • Sample CISO response: "We have applied all recommended patches to Ivanti devices and are conducting scans for dormant malware as advised by CISA."

Notable Items

CISO Action Checklist Today

  • Audit all cloud API keys and rotate or revoke any that are exposed or unnecessary.
  • Review controls and monitoring on air-gapped and OT networks.
  • Assess VoIP infrastructure for compromise and apply all relevant patches.
  • Engage with procurement and legal teams to review AI and supply chain vendor risks.
  • Scan development environments for malicious modules and reinforce secure coding practices.
  • Update removable media and cloud storage policies, especially for sensitive environments.
  • Apply latest patches and CISA guidance to all Ivanti devices and scan for dormant threats.
  • Enhance incident response playbooks for cloud, supply chain, and air-gapped network breaches.
  • Communicate key risks and mitigation steps to executive leadership and the board.
  • Monitor for regulatory updates and adjust compliance programs as needed.
Labels:

Comments

Post a Comment

Popular posts from this blog

CISO Daily Brief: Key Threats and Action Items – February 24, 2026

Today's cyber threat landscape continues to evolve, with notable activity from nation-state actors, ransomware groups, and sophisticated fraud campaigns. Several high-severity vulnerabilities are being actively exploited, and recent incidents highlight the importance of robust access controls and employee awareness. Below is a prioritized summary of the most relevant items for CISOs, along with actionable steps and executive considerations. Top Items CISOs Should Care About (Priority) North Korean Lazarus group linked to Medusa ransomware attacks What happened: The Lazarus group, a North Korean state-sponsored actor, has been linked to recent Medusa ransomware attacks targeting enterprises globally. Why it matters: This represents a high-severity, board-level risk due to the potential for operational disruption and regulatory exposure. What to verify internally: Current ransomware detection and response capabilities Backup and recovery procedure...
Post a Comment
Read more

CISO Daily Brief: Major Data Breach, Critical Vulnerabilities, and Android Banking Malware – February 19, 2026

Today’s cybersecurity landscape presents several high-impact developments that require CISO attention. From a major fintech data breach to critical vulnerabilities in widely used devices and software, the risks span operational, regulatory, and reputational domains. This briefing distills the most urgent items and provides actionable steps to help you prepare your organization and leadership for board-level discussions. Top Items CISOs Should Care About (Priority) Data breach at fintech firm Figure affects nearly 1 million accounts What happened: Fintech company Figure suffered a data breach impacting nearly one million accounts, exposing sensitive financial data. Why it matters: This incident carries significant regulatory, reputational, and board-level risk due to the scale and sensitivity of the data involved. What to verify internally: Exposure to Figure as a vendor, partner, or service provider Controls over sensitive customer and financial dat...
Post a Comment
Read more

CISO Daily Brief: AI-Assisted FortiGate Breaches & Emerging Threats (Feb 22, 2026)

Today’s security landscape is shaped by rapid advances in attacker capabilities, notably through AI-assisted techniques. Recent incidents highlight the need for CISOs to stay vigilant and proactive in protecting critical infrastructure. This brief summarizes the most pressing issues and provides actionable steps for security leaders. Top Items CISOs Should Care About (Priority) AI-Assisted Threat Actor Compromises 600+ FortiGate Devices in 55 Countries What happened: An AI-assisted threat actor exploited vulnerabilities to compromise over 600 FortiGate devices across 55 countries. Why it matters: This large-scale, automated attack on widely deployed firewall infrastructure presents significant enterprise and regulatory risks. What to verify internally: Inventory and patch status of all FortiGate devices Review of firewall logs for indicators of compromise Assessment of remote access and VPN configurations Validation of incident respons...
Post a Comment
Read more