Welcome to Issue #6
February 2026 has been one of the most turbulent months in recent cybersecurity history. Between 6 Microsoft zero-days, a Chrome zero-day under active exploitation, Ivanti EPMM breaches across European governments, and a Cloudflare BGP error that cascaded across the internet, security teams have had no time to breathe.
Here's what you need to know — and what you should be doing about it right now.
The Big Stories
1. Chrome's First Zero-Day of 2026 (CVE-2026-2441)
Google patched a high-severity use-after-free in Chrome's CSS engine that's actively exploited in the wild. CVSS 8.8. All it takes is visiting a malicious page.
Action: Update Chrome to 145.0.7632.75 immediately across all endpoints.
2. Ivanti EPMM Breaches EU Governments
Two critical zero-days (CVE-2026-1281, CVE-2026-1340 — both CVSS 9.8) in Ivanti EPMM were exploited to breach the Dutch Data Protection Authority, European Commission, and Finland's Valtori. Attackers planted sleeper webshells for long-term persistence — patching alone isn't enough.
Action: Patch EPMM, then conduct forensic investigation for webshells.
3. APT28 Weaponizes Office Zero-Day in 3 Days
Russia's APT28 weaponized Microsoft Office CVE-2026-21509 within three days of Patch Tuesday disclosure, deploying espionage implants against 60+ Ukrainian government email addresses and targets across Slovakia and Romania.
Action: Apply February Patch Tuesday updates and block WebDAV to external servers.
4. Cloudflare BGP Error Takes Down AWS, X, and Thousands of Sites
A BGP misconfiguration at Cloudflare's Ashburn data center caused a 4-hour cascading outage on February 16 — the fourth major cloud outage this month.
Action: Review your multi-CDN and DNS failover strategy.
Critical Patch Priorities
Here's what to patch first if you haven't already:
| Priority | CVE(s) | Product | Severity |
|---|---|---|---|
| 1 | CVE-2026-1281/1340 | Ivanti EPMM | 9.8 Critical |
| 2 | CVE-2026-1731 | BeyondTrust RS/PRA | 9.9 Critical |
| 3 | CVE-2026-2441 | Google Chrome | 8.8 High |
| 4 | 6 zero-days | Microsoft Feb Patch Tuesday | 7.5-8.8 |
| 5 | CVE-2026-21516 | GitHub Copilot (all IDEs) | 8.8 High |
| 6 | CVE-2026-25049 | n8n Workflow Automation | 9.4 Critical |
| 7 | CVE-2026-21643 | Fortinet FortiClientEMS | 9.1 Critical |
Threat Intelligence Highlights
ShinyHunters Leaks 600K Canada Goose Records
The data extortion group dumped 1.67 GB of customer data on the dark web. Canada Goose denies a direct breach, pointing to a third-party payment processor.
ChainReaver Supply Chain Attack via GitHub
A Russian state-sponsored APT hijacked 50 trusted GitHub accounts and file-sharing mirrors to distribute cross-platform infostealer malware targeting Windows, macOS, and iOS.
ClickFix Goes DNS-Native
A new ClickFix variant uses DNS nslookup commands to retrieve payloads, bypassing web proxies and URL filtering entirely. First known use of DNS as a ClickFix delivery channel.
AI & Industry Watch
- Anthropic hits $380 billion valuation after closing a $30B funding round
- India AI Impact Summit kicks off in New Delhi with 20 world leaders and CEOs of Anthropic, OpenAI, Google
- GPT-5.3-Codex is the first AI model rated "high" for cybersecurity risk by its own creator
- Seven major AI models released in February — API prices expected to drop
Quick Tips
- Hunt for Ivanti webshells — Even after patching EPMM, check web directories for unauthorized files. Sleeper webshells survive patching.
- Block nslookup from Explorer — The new ClickFix variant relies on nslookup spawned from the Windows Run dialog. Use AppLocker or WDAC to restrict nslookup execution to IT accounts.
- Audit Copilot extensions — Update GitHub Copilot across all IDEs and review extension permissions. AI coding assistants run with the same privileges as your development environment.
- BGP monitoring — Subscribe to BGPStream alerts for your ASN and critical provider ASNs. Early detection of route anomalies can reduce incident response time.
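A small hunt for the nslookup tip above, as an added example that is not from the newsletter or any vendor: it flags nslookup.exe launched with explorer.exe as its parent (what a Run-dialog launch looks like) and, separately, nslookup runs by accounts outside an assumed IT allowlist. The event layout is a simplified Sysmon Event ID 1 shape and the events and account names are constructed.

```python
import ntpath
from typing import Optional

# Assumed allowlist of accounts permitted to run nslookup (constructed name).
IT_ACCOUNTS = {"corp\\itadmin"}

# Constructed process-creation events in a simplified Sysmon Event ID 1 layout.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\nslookup.exe",
     "parent_image": r"C:\Windows\explorer.exe",          # Run dialog parent
     "command_line": "nslookup lookup.example-placeholder.test",
     "user": "CORP\\jdoe"},
    {"image": r"C:\Windows\System32\nslookup.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",      # admin console use
     "command_line": "nslookup intranet.corp.local",
     "user": "CORP\\itadmin"},
    {"image": r"C:\Windows\System32\nslookup.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "nslookup intranet.corp.local",
     "user": "CORP\\jdoe"},                              # non-IT account
    {"image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "cmd.exe /c dir",
     "user": "CORP\\jdoe"},                              # not nslookup at all
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, so matching ignores case and directory."""
    return ntpath.basename(path).lower()


def classify(event: dict) -> Optional[str]:
    """Return 'high', 'medium' or None for one process-creation event."""
    if basename(event.get("image", "")) != "nslookup.exe":
        return None
    if basename(event.get("parent_image", "")) == "explorer.exe":
        # Launched from the Run dialog / Explorer rather than an admin console.
        return "high"
    if event.get("user", "").lower() not in IT_ACCOUNTS:
        # Violates the "nslookup only for IT accounts" restriction.
        return "medium"
    return None


def hunt(events: list) -> list:
    """Collect every event that classify() rates, with the fields an analyst needs."""
    findings = []
    for ev in events:
        severity = classify(ev)
        if severity:
            findings.append({"severity": severity, "user": ev["user"],
                             "parent": basename(ev["parent_image"]),
                             "command_line": ev["command_line"]})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```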
What's New on CosmicBytez Labs
Latest News
- Chrome Zero-Day Under Active Exploitation
- APT28 Operation Neusploit
- Cloudflare BGP Cascading Outage
- Canada Goose Data Leak
Latest Security Advisories
Outage Reports
Coming Soon
- IT Offboarding Checklist — Complete access revocation template
- Endpoint Security Baseline Template — Windows 11 + Intune standard configuration
- BGP Monitoring How-To — Setting up alerts for routing anomalies
- ClickFix Detection Guide — Endpoint and network-based detection rules
Stay Connected
- Visit CosmicBytez Labs for the latest content
- Browse all Security Advisories
- Check Service Status for current incidents
- Use our Security Tools for quick calculations and lookups
See you in Issue #7!
— Dylan H., CosmicBytez Labs