Ticker feed
Kaspersky discovered "Keenadu" malware embedded in Android device firmware from multiple small manufacturers, affecting 13,000 devices globally as of February. The malware infiltrates every app on infected devices through Android's core Zygote process, giving attackers complete remote access.
The supply chain attack occurred when compromised firmware reached devices either pre-installed or through legitimate security updates. Russia has the most affected users, followed by Japan, Germany, Brazil, and the Netherlands.
Currently used for ad fraud, Keenadu can hijack browser searches, monitor Chrome queries, and manipulate shopping carts on Amazon, Shein, and Temu. Worryingly, researchers found connections between Keenadu and three major Android botnets: BADBOX, Triada, and Vo1d.
For firmware-level infections, complete firmware replacement is the only solution. Users should stop using infected devices until the firmware has been replaced.
Source: Dark Reading
Marks and Spencer has been reeling from a major cyber attack for over a week, costing millions in lost sales and hitting its share price. Security experts tell the BBC that ransomware called DragonForce was used, with fingers pointing at the Scattered Spider hacking group - some reportedly teenagers - who previously hit MGM Las Vegas.
The attack knocked out online ordering, paused deliveries, and left store shelves empty. M&S paused online orders Friday and won't say what happened or who's responsible. Cybersecurity experts say this looks like ransomware - malware that locks systems until criminals are paid a ransom.
Recovery is complex and slow for major retailers dependent on interconnected systems for everything from inventory to payments. Experts advise M&S customers to change passwords on other sites if they reused their M&S credentials.
Source: BBC
Cybercriminals are exploiting identity weaknesses more than ever, with identity-based attacks accounting for nearly two-thirds of network breaches in 2024, according to Palo Alto Networks' Unit 42 annual report.
Social engineering led the charge, responsible for one-third of the 750 incidents Unit 42 investigated. Attackers also used compromised credentials, brute-force attacks, and overly permissive access policies to break into systems.
The problem extends beyond initial access—identity issues played a role in nearly 90% of all incidents. Once attackers gain legitimate credentials, they're nearly invisible to security systems since their activity appears authorized.
Ransomware payments jumped 87% to a median of $500,000, while attackers moved faster than ever, stealing data within two days in most cases.
Source: CyberScoop
Google rushed out an emergency Chrome update after discovering attackers are actively exploiting a critical zero-day vulnerability. The flaw, CVE-2026-2441, is a use-after-free bug in Chrome's CSS handling that lets hackers execute malicious code remotely.
Researcher Shaheen Fazim reported the vulnerability just five days ago on February 11, 2026. Attackers are already weaponizing it in the wild, likely combining it with other exploits to break out of Chrome's security sandbox and gain system-level access on Windows, Mac, and Linux.
The patched versions are now rolling out: 145.0.7632.75/.76 for Windows and Mac, 144.0.7559.75 for Linux. Users should update immediately through Chrome's settings or let auto-updates handle it. Organizations need to prioritize this patch and watch for suspicious network activity.
Source: Cybersecurity News
Odido, the Netherlands' biggest mobile phone operator, disclosed a massive data breach affecting up to 6.2 million customers last week. Hackers accessed the company's customer contact system, stealing names, addresses, email addresses, bank account numbers, birth dates, and passport or driver's license numbers.
While Odido emphasized that passwords, call records, and billing data weren't compromised, cybersecurity experts warn the stolen information could fuel convincing phishing attacks and identity fraud. The company quickly ended unauthorized access and brought in external security experts to strengthen defenses.
Odido is warning customers to watch for suspicious calls, texts, and fake invoices appearing to come from the company. Affected users will be contacted directly by Odido.
Source: Infosecurity Magazine
Attackers are actively exploiting CVE-2026-1731, a critical vulnerability in BeyondTrust's self-hosted systems that allows complete domain takeover without authentication. The flaw lets hackers execute operating system commands remotely through crafted HTTP requests, earning a devastating 9.8 CVSS score.
Threat actors are deploying SimpleHelp remote access tools and creating privileged domain accounts with Enterprise Admin rights. Arctic Wolf researchers found attackers using reconnaissance commands to map Active Directory networks before spreading across multiple hosts via PsExec and Impacket tools.
Cloud customers received automatic patches on February 2, 2026, but self-hosted users running Remote Support 25.3.1 or Privileged Remote Access 24.3.4 must manually apply updates immediately. CISA warns older versions need upgrades first before patching.
Source: Cybersecurity News
A major data breach at business services provider Conduent has exposed personal information of nearly 17,000 Volvo Group North America employees. Hackers accessed Conduent's network from October 2024 to January 2025, stealing names, addresses, Social Security numbers, birth dates, and medical data. The Safepay ransomware group claimed responsibility for the February attack.
The breach's scope keeps expanding dramatically. Initially affecting 10 million people, recent updates show over 20 million individuals impacted across multiple states. Texas alone saw numbers jump from 4 million to 15 million affected residents.
Volvo only learned about the incident in January 2026, highlighting delays in breach notifications. This marks the second third-party breach hitting Volvo recently, following a September ransomware attack on Swedish IT company Miljödata.
Source: SecurityWeek
The city of Peabody is notifying residents about a data breach that occurred last summer. Hackers gained access to city systems on June 13, 2025, but officials didn't discover the breach until July 7. Mayor Ted Bettencourt's office confirmed the hack is real after some residents initially thought notification letters were scams.
Cybersecurity expert Peter Tran calls cities a "treasure trove" for hackers, noting that budget constraints often leave municipalities with weaker security than private companies. He recommends residents freeze their credit, set up fraud alerts, and change passwords.
Resident Skip O'Neil, who lived in Peabody decades ago, received a notification letter and spent an hour checking his accounts. The city is reviewing security policies and hasn't received reports of information misuse yet.
Source: CBS Boston
Cybercriminals began exploiting a critical BeyondTrust vulnerability just 24 hours after proof-of-concept code went public on February 10. The flaw, CVE-2026-1731, allows unauthenticated remote code execution in BeyondTrust Remote Support and Privileged Remote Access products used widely in enterprise environments.
Hacktron AI researchers found roughly 11,000 exposed instances online, including 8,500 on-premises deployments. GreyNoise detected attacks from multiple IP addresses, with one Frankfurt-based VPN accounting for 86% of reconnaissance activity.
The same threat actors previously targeted SonicWall, MOVEit, Apache, and Sophos vulnerabilities. BeyondTrust released patches on February 6, but the rapid exploitation highlights the critical need for immediate updates in enterprise remote access systems.
Source: SecurityWeek
Two critical zero-day vulnerabilities in Ivanti's Endpoint Manager Mobile solution sparked a fresh wave of cyberattacks targeting European government agencies in late January. CVE-2026-1281 and CVE-2026-1340, both scoring 9.8/10 on the CVSS scale, enabled remote code execution on compromised systems.
The European Commission and Dutch and Finnish government agencies fell victim within days of Ivanti's January 29 disclosure. The EU attack lasted nine hours, exposing staff names and mobile numbers, while Finland's breach affected 50,000 individuals' personal data.
Researchers traced 83% of subsequent attacks to a single IP address that remained active as of February 12. This marks another chapter in Ivanti's troubled security history, raising questions about why critical organizations continue relying on repeatedly compromised infrastructure despite the mounting risks.
Source: Dark Reading