THE CXO BRIEF

What 5,000+ IT Leaders Are Thinking This Week

February 27, 2026


600+ firewalls compromised across 55 countries. No zero-days. No advanced techniques. Just default credentials and exposed management ports. I had to read the Amazon Threat Intelligence report twice — not because the attack was sophisticated, but because it wasn't. A single actor with limited skills used commercial AI to turn basic hygiene failures into a professional-scale campaign.

Meanwhile, BeyondTrust is being chained into ransomware campaigns, and CISA furloughed 62% of its staff. The thread: the infrastructure you trust is exposed, and the backstop is offline.

📰 THREE STORIES THAT MATTER

1. AI-Assisted Threat Actor Compromises 600+ FortiGate Devices in 55 Countries

Amazon Threat Intelligence documented a Russian-speaking, financially motivated actor who used commercial generative AI to compromise over 600 FortiGate devices between January 11 and February 18. No vulnerabilities were exploited. The actor scanned for exposed management interfaces, then authenticated with commonly reused credentials.

AI generated the attack plans, wrote the Python scripts to parse stolen configurations, and built reconnaissance tools. Post-access, the playbook was textbook ransomware prep: Active Directory compromise, credential harvesting, and targeting Veeam backup servers. When the actor hit hardened environments, they simply moved on. Source: AWS Security Blog

🔐 CISO Take: This actor didn't need zero-days because the basics weren't covered. Audit every FortiGate management interface for internet exposure this week — ports 443, 8443, 10443, 4443. If any are reachable without MFA, treat it as active exposure. Rotate admin and SSL-VPN credentials now.
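A way to carry out the audit the CISO Take (and item 1 of the weekly checklist) calls for, as an added example that is not code from the newsletter or from Amazon Threat Intelligence: probe an inventory of firewalls you own on the four management ports named above, from a vantage point outside your network, and report which devices answer. The inventory format, the `audit`/`summarize` helpers and the RFC 5737 documentation addresses are assumptions of this example. A TCP probe only proves reachability; whether MFA is enforced on an interface that answers still has to be read from the device configuration.

```python
"""Added example: audit firewall management interfaces for internet exposure.

Assumptions (hypothetical): an inventory of devices you own, given as
(name, host) tuples, is probed with a plain TCP connect from outside the
network.  The `connect` callable is injectable so the logic can be run
offline with a stub instead of live sockets.
"""
import socket
from dataclasses import dataclass, field

# Management / SSL-VPN ports named in the brief for FortiGate devices.
MGMT_PORTS = (443, 8443, 10443, 4443)


def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


@dataclass
class Finding:
    name: str
    host: str
    open_ports: list = field(default_factory=list)

    @property
    def exposed(self) -> bool:
        # Any management port answering from the outside counts as exposure.
        return bool(self.open_ports)


def audit(inventory, ports=MGMT_PORTS, connect=tcp_open):
    """Probe every device on every management port; one Finding per device."""
    findings = []
    for name, host in inventory:
        open_ports = [p for p in ports if connect(host, p)]
        findings.append(Finding(name, host, open_ports))
    return findings


def summarize(findings):
    """Return (exposed_names, clean_names); exposed sorted by port count, then name."""
    exposed = sorted((f for f in findings if f.exposed),
                     key=lambda f: (-len(f.open_ports), f.name))
    clean = [f.name for f in findings if not f.exposed]
    return [f.name for f in exposed], clean


if __name__ == "__main__":
    # Constructed inventory using RFC 5737 documentation addresses.
    inventory = [("branch-fw-1", "192.0.2.10"), ("dc-fw-1", "198.51.100.5")]
    for f in audit(inventory):
        status = "EXPOSED" if f.exposed else "ok"
        print(f"{f.name:12} {f.host:15} {status:8} {f.open_ports}")
```

Run it from a host outside your perimeter (a cloud VM or a home connection), not from inside the network where the interfaces are meant to be reachable; an "EXPOSED" line is the condition the brief says to treat as active exposure.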

💻 CIO Take: An unsophisticated attacker compromised 600 devices in six weeks using default settings. Document this incident for your next Fortinet renewal conversation. Ask what they're doing about customers running exposed management ports with single-factor auth.

⚙️ CTO Take: The actor targeted Veeam backup servers after gaining network access — ransomware staging. Verify your backup infrastructure is segmented, credentials are unique (not domain admin), and immutable backups are enabled.

📡 Network signal: Mentions of AI alongside security concerns in member priorities have nearly quadrupled since last year, from 4% to 16% of submissions. This attack shows why: AI didn't create new techniques. It let an amateur run a professional-grade campaign.

The bottom line: Default credentials + exposed ports + AI = 600 firewalls in six weeks. Check yours.

2. BeyondTrust RCE Flaw Chained Into Ransomware Campaigns — 10,600+ Instances Exposed

Unit 42 confirmed this week that CVE-2026-1731 (CVSS 9.9), a pre-authentication RCE flaw in BeyondTrust Remote Support and Privileged Remote Access, is being exploited in ransomware campaigns. The vulnerability lets unauthenticated attackers execute OS commands through the WebSocket-exposed thin-scc-wrapper component.

Attackers are deploying web shells, VShell backdoors, and SparkRAT trojans — the full chain from reconnaissance to database exfiltration. CISA confirmed ransomware use on February 13. Cortex Xpanse identified over 16,400 exposed instances. This is the second critical BeyondTrust flaw in a year — CVE-2024-12356 was exploited by Silk Typhoon in the U.S. Treasury breach. Same component, same weakness. Source: Palo Alto Unit 42 / CISA

🔐 CISO Take: Patch to Remote Support 25.3.2 or PRA 25.1.1 immediately, then assume compromise. Scan for PHP web shells in /var/www, hunt for unexpected admin accounts, and check DNS logs for exfiltration patterns. If you can't patch today, pull the appliance off the internet.
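A first-pass version of the web-shell hunt the CISO Take (and item 2 of the weekly checklist) prescribes, as an added example that is not code from Unit 42, CISA or BeyondTrust: walk a web root, score each PHP file on generic web-shell traits (request-controlled input passed to eval/exec-style functions, base64-wrapped payloads, recent modification) and list the files worth a closer look. The indicator list, the scoring weights and the constructed sample files are assumptions of this example; it is a triage aid, not a signature for any particular malware family, and a clean result does not prove the appliance is uncompromised.

```python
"""Added example: triage hunt for PHP web shells under a web root.

Assumptions (hypothetical): run on the appliance or on a mounted copy of its
filesystem, with the web root defaulting to /var/www.  The patterns are
generic web-shell traits, not vendor or family signatures.
"""
import re
import tempfile
import time
from pathlib import Path

PHP_SUFFIXES = {".php", ".phtml", ".php5", ".php7"}

# (name, weight, pattern): each hit adds its weight to the file's triage score.
INDICATORS = [
    ("request_to_exec", 5, re.compile(
        r"(eval|assert|system|passthru|shell_exec|exec|popen|proc_open)\s*\(\s*"
        r"[^)]*\$_(GET|POST|REQUEST|COOKIE)", re.I)),
    ("b64_decode_exec", 4, re.compile(
        r"(eval|assert)\s*\(\s*(gzinflate|gzuncompress|str_rot13)?\s*\(?\s*base64_decode", re.I)),
    ("dynamic_function", 2, re.compile(r"\$\w+\s*\(\s*\$_(GET|POST|REQUEST)", re.I)),
]


def score_file(path: Path, now: float, recent_days: int = 30):
    """Return (score, hit_names) for one file; recent edits raise the score of suspicious files."""
    text = path.read_text(errors="replace")  # tolerate binary junk in the tree
    hits = [name for name, _w, rx in INDICATORS if rx.search(text)]
    score = sum(w for name, w, _rx in INDICATORS if name in hits)
    age_days = (now - path.stat().st_mtime) / 86400
    if hits and age_days <= recent_days:
        hits.append("recently_modified")
        score += 2
    return score, hits


def hunt(web_root="/var/www", now=None, min_score=4):
    """Scan web_root recursively; return [(relative_path, score, hits)] sorted by score."""
    now = time.time() if now is None else now
    root = Path(web_root)
    findings = []
    for p in root.rglob("*"):
        if not p.is_file() or p.suffix.lower() not in PHP_SUFFIXES:
            continue
        score, hits = score_file(p, now)
        if score >= min_score:
            findings.append((p.relative_to(root).as_posix(), score, hits))
    return sorted(findings, key=lambda f: (-f[1], f[0]))


def build_sample_webroot() -> str:
    """Create a constructed web root: two benign files and two inert suspicious ones."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    samples = {
        "index.php": '<?php echo "hello"; ?>\n',
        # Benign use of request data without any execution sink.
        "admin.php": '<?php $q = $_POST["q"]; echo htmlspecialchars($q); ?>\n',
        # Constructed sample of request input reaching eval (inert test data).
        "uploads/cache.php": '<?php eval($_POST["x"]); // constructed sample ?>\n',
        # Constructed sample of a base64-wrapped payload (literal is not real code).
        "lib/helper.php": '<?php eval(base64_decode("Y29uc3RydWN0ZWQ=")); ?>\n',
    }
    for rel, body in samples.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    return str(root)


if __name__ == "__main__":
    for rel, score, hits in hunt(build_sample_webroot()):
        print(f"{score:3}  {rel:20}  {', '.join(hits)}")
```

Pair the file hunt with the other two checks from the take (unexpected admin accounts, DNS query volume to unfamiliar domains); a web shell that scores low here because it was obfuscated differently will still show up through the accounts it created or the traffic it generates.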

💻 CIO Take: Two critical RCE flaws in the same component in 12 months. If BeyondTrust is your remote access platform, this warrants a formal vendor risk review. Document the timeline — when you were notified, when you patched, what the exposure window was.

⚙️ CTO Take: Block WebSocket traffic to port 33892 if you're not using the thin client. The management interface should never be internet-facing. Move it behind a zero-trust gateway.

📡 Network signal: One IT Director this month told us they're exploring how to detect "devices with default password" across their environment. BeyondTrust's flaw doesn't require passwords at all — it skips authentication entirely. The bar for remote access security just moved.

The bottom line: Second critical BeyondTrust RCE in a year, now confirmed in ransomware. Patch or isolate today.

3. CISA Operating at 38% — And Your Threat Intel Just Got Thinner

The DHS funding lapse that began February 14 has left CISA with 888 of 2,341 employees. The rest are furloughed. Acting Director Gottumukkala told lawmakers: "When the government shuts down, cyber threats do not."

Proactive vulnerability scanning of federal networks has stopped. Guidance development is paused. Training and stakeholder engagements are canceled. CIRCIA implementation is further delayed. This comes on top of workforce reductions that already cut a third of CISA's staff over the past year. The agency that coordinated SolarWinds, Log4j, and every KEV advisory is at a fraction of its pre-2025 capacity. Source: SecurityWeek / Cybersecurity Dive

🔐 CISO Take: If your threat intel includes "wait for CISA advisories," add redundancy now. Confirm your sector ISAC membership is active. Subscribe to vendor-direct advisories for your top 10 critical products. Don't wait for the KEV catalog.

💻 CIO Take: Ask your CISO this week: "What changes if CISA goes dark for 60 days?" If the answer is "nothing," either you're well-prepared or you don't know what CISA was doing for you.

📡 Network signal: Third-party risk management was the most-requested security capability in member submissions this month. When the agency coordinating national threat intelligence drops to 38%, that's a third-party risk most organizations haven't modeled.

The bottom line: CISA is at 38%. Your threat intel and vulnerability scanning just became your problem alone.

🎯 THREE THINGS TO DO THIS WEEK

  1. Audit FortiGate management interfaces for internet exposure. Check ports 443, 8443, 10443, and 4443. Anything reachable without MFA is active exposure. Rotate admin and VPN credentials. Time: 30 minutes.

  2. Patch BeyondTrust or isolate the appliance. Update to RS 25.3.2 or PRA 25.1.1. Can't patch now? Pull the management interface off the internet and scan for web shells. Time: 1 hour.

  3. Stress-test your threat intel without CISA. List CISA services you rely on. For each, identify your backup source. If you don't have one, your sector ISAC is the first call. Time: 20 minutes.

📊 FROM THE NETWORK

This week's signal: leaders are realizing they don't know what's exposed — and they're buying to fix it.

Privileged access and credential management mentions in member priorities have nearly tripled since mid-2025. Multiple leaders are actively replacing PAM tools or starting secrets management projects for the first time this quarter — and the urgency isn't theoretical.

"We have grown to understand we do not know what we do know regarding credential and password leaks on the darkweb." — CISO, Global Education Company

That quote was written a month before the Amazon report dropped. The vulnerability wasn't AI. It was assumption. All three stories this week exploited the same thing: trust that was never verified.

💬 YOUR TURN

How would your security posture change if CISA went dark for 60 days? Reply — I read every response.

JOIN THE NETWORK

5,000+ senior IT leaders. Companies averaging $24B in revenue. Real buying-motion data — not surveys, not analyst projections. The signal in this newsletter comes from operators sharing what they're actually purchasing, replacing, and escalating. Every meeting is opt-in, pre-screened, and paid ($200-400). You control your calendar. Apply to Join →
