Florida Critical Infrastructure Cybersecurity Intelligence
This bulletin is produced by USF’s Strategic and Cyber Intelligence Program, in collaboration with Cyber Florida, to deliver timely, actionable insights and recommendations to help Critical Infrastructure owners and operators better protect Florida’s Critical Infrastructure.
Situational Awareness Bulletin #10-2026
Cyber Threat Outlook
Over the next six to nine months, Florida’s critical infrastructure operators face escalating pressure from three reinforcing threats: Iranian state-sponsored actors targeting energy, water, and transportation OT systems; financially motivated extortion groups exploiting third-party vendors in education, healthcare, and commercial facilities; and automated vulnerability exploitation that is closing the gap between disclosure and weaponization faster than most organizations can patch. The 2026 Verizon Data Breach Investigations Report confirmed that exploitation of unpatched vulnerabilities has surpassed credential theft as the leading breach entry point — a structural shift that favors well-resourced adversaries and penalizes organizations slow to remediate. CISA’s CI Fortify initiative signals that federal planners now treat destructive OT attacks as a near-term contingency, not a theoretical risk. The campaign against LA Metro and ongoing Iranian targeting of gas-station tank gauges and PLCs in water and energy systems demonstrate transferable risk to Florida’s ports, utilities, and transit networks. Critical infrastructure owners should treat supply chain vendors, contractor-managed cloud accounts, and internet-exposed OT devices as the highest-priority attack surface for the foreseeable future.
Confidence – High
Executive Summary
- All Sectors: CISA’s CI Fortify initiative and continued Iranian OT targeting require Florida operators to test manual fallback procedures and close contractor access gaps.
- Commercial Facilities: ShinyHunters breached 7-Eleven, exposing personal data on 185,300 individuals after holding the data for ransom and then leaking it publicly.
- Communications: Major U.S. telecoms launched the C2 ISAC, a new sector-specific threat-sharing body; a Huawei zero-day caused a nationwide telecom outage in Luxembourg.
- Critical Manufacturing: Nitrogen ransomware breached Foxconn’s North American facilities, exfiltrating 8 TB of data and disrupting production; Four-Faith router exploitation continues at scale.
- Defense Industrial Base: Iranian APT Seedworm (MuddyWater) maintains persistent access inside a U.S. defense and aerospace software supplier using the previously undocumented Dindoor backdoor.
- Energy: NEMA and NERC warn of growing data-center grid strain; Iranian actors have breached unprotected automatic tank gauge systems at gas stations across multiple states.
- Government Services and Facilities: ShinyHunters’ Canvas breach directly hit USF and multiple Florida school districts; Chelan County’s full network shutdown illustrates ransomware risk for Florida municipalities; federal cyber grant reauthorization is in jeopardy.
- Healthcare and Public Health: OpenLoop Health breach exposed 716,000 individuals; a ransomware attack at another hospital allegedly caused an infant’s death; NYC Health + Hospitals vendor breach exposed 1.8 million patients.
- Information Technology: Exploited vulnerabilities in Drupal, Gitea, Notepad++, and SonicWall SSL-VPN, combined with GitHub supply chain compromises and novel blockchain-based malware, expand attack surface across developer and CI environments.
- Transportation Systems: Iranian state-linked actors breached LA Metro in a destructive attack that required weeks of recovery — directly transferable risk to Florida ports, transit, and aviation.
- Water and Wastewater Systems: CISA CI Fortify guidance is directly applicable to Florida water utilities, which face continued Iranian PLC targeting and reduced federal support.
All Sectors
CISA Unveils New Initiative to Fortify America’s Critical Infrastructure The Cybersecurity and Infrastructure Security Agency (CISA) launched the CI Fortify initiative on May 5, 2026, urging critical infrastructure operators, particularly in energy, water, and government facilities, to prepare for “weeks to months” of information technology/operational technology (IT/OT) isolation and manual operations in the event of sustained state-sponsored cyber campaigns. The guidance emphasizes proactive network segmentation, offline backups of system configurations, and regular drills of manual fallback procedures. It is important to note that the initiative’s planning assumption is that adversaries may already have a foothold inside OT networks during a conflict scenario, requiring operators to plan for continuity under a ‘communications-degraded’ environment in which external vendors, internet connectivity, and third-party dependencies may be unavailable. This is directly relevant to Florida, whose hurricane-prone utilities, ports, and water systems already face compounded risks from Iranian-linked OT targeting campaigns that continue to probe internet-exposed programmable logic controllers.
CISA Adds Seven Known Exploited Vulnerabilities to Catalog CISA added seven new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog on May 21, 2026, based on confirmed active exploitation in the wild. The additions include CVE-2026-41091 (a link-following vulnerability in the Microsoft Malware Protection Engine that enables local privilege escalation to SYSTEM) and CVE-2026-45498 (a Microsoft Defender denial of service), along with several legacy but still-weaponized flaws. These vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to federal, state, local, and critical infrastructure entities. Florida operators of Microsoft Defender, Windows systems, and related OT environments should apply patches immediately to prevent privilege escalation and service disruption. Organizations that disable automatic Microsoft Defender engine updates, including some OT-adjacent environments, should verify manually that engine version 1.1.26040.8 or later is installed.
Verizon DBIR 2026: Vulnerability Exploitation Overtakes Credential Theft as Top Breach Vector Verizon’s 2026 Data Breach Investigations Report (DBIR) found that vulnerability exploitation surpassed credential theft as the leading initial access vector in confirmed breaches. The DBIR analyzed more than 31,000 security incidents, of which more than 22,000 were confirmed breaches. Approximately 31% of breaches involved exploitation of unpatched vulnerabilities, highlighting the growing exposure of internet-facing systems and the cost of delayed remediation cycles. Third-party involvement also rose sharply, reaching 48% of confirmed breaches, a 60% year-over-year increase that underscores the growing risk of vendor and contractor access across CI environments. The report emphasized that organizations continue to struggle with patch management timelines and exposure to third-party applications. These findings reinforce concerns that cyber threat actors are increasingly prioritizing automated exploitation of known vulnerabilities across critical infrastructure sectors.
CISA Admin Leaked AWS GovCloud Keys on GitHub A public GitHub repository managed by a CISA contractor (Nightwing) inadvertently exposed credentials for several highly privileged Amazon Web Services (AWS) GovCloud accounts as well as a large number of internal CISA systems. The leak prompted legislators to request an urgent classified briefing within 24 hours. This incident underscores persistent third-party and supply chain risks, where basic credential hygiene and repository security failures can have cascading effects. Notably, the contractor had disabled GitHub’s built-in secret-scanning protections, showing that policy-level controls are insufficient without enforced technical guardrails that prevent circumvention. Florida critical infrastructure owners and operators should apply the same rigorous scrutiny to contractor-managed code repositories and third-party cloud environments that they apply to external vendors.
Security Update for LiteSpeed cPanel Plugin CISA added CVE-2026-48172, a critical privilege-escalation vulnerability in the LiteSpeed user-end cPanel plugin (before version 2.4.5), to its Known Exploited Vulnerabilities catalog after confirming active exploitation in the wild. The flaw allows any authenticated cPanel user, including low-privileged or compromised accounts, to execute arbitrary scripts with root privileges, meaning a single compromised hosting account on a shared server is sufficient for full system takeover. LiteSpeed resolved the issue in version 2.4.5. This development is highly relevant to Florida state agencies, school districts, municipal utilities, and other critical infrastructure entities that use cPanel-hosted web services for public-facing systems.
FBI Warns Extortion Hackers are Visiting US Law Firms to Steal Data The FBI has issued a warning about the Silent Ransom Group (SRG), a cyber extortion gang with roots in the Conti ransomware syndicate that is actively targeting U.S. law firms using an unusually bold mix of phishing, fake IT calls, and in-person office visits. The group’s tactics are exceptionally hard to detect: attackers use legitimate remote management tools and transfer stolen data through trusted platforms such as Google Drive and Microsoft OneDrive, blending in with normal IT activity. Notably, SRG deploys no ransomware encryption; systems remain fully operational throughout the attack with no locked files or ransom screens, making the intrusion effectively invisible until an extortion email arrives. SRG’s reach extends beyond legal services: the FBI notes the group has also hit organizations in the healthcare, insurance, and financial sectors. This is pertinent to all Florida critical infrastructure sectors, because law firms frequently hold sensitive legal, financial, and corporate data for CI operators. SRG has been active since at least 2022 and has compromised data from more than 38 law firms, with at least 100 confirmed attacks as of spring 2026.
All Sectors Recommendations:
- Implement phishing-resistant multi-factor authentication and the principle of least privilege on all managed service provider remote access connections to prevent adversaries from pivoting into downstream municipal utility networks.
- Identify all internet-facing VNC instances and secure them behind a virtual private network with multi-factor authentication to prevent unauthorized manipulation of industrial controls.
- Develop and test manual fallback procedures for all life-safety services to ensure operational resilience during a sustained cyber outage.
- Shift toward automated vulnerability management to reduce exposure windows as artificial intelligence-assisted exploitation compresses the time between disclosure and weaponization.
- Audit all third-party and contractor-managed code repositories, cloud credentials, and privileged service accounts, and the use of cloud collaboration tools (such as Google Drive and Microsoft OneDrive) for exposed secrets or misconfigured access controls.
- Immediately inventory, patch, or isolate systems affected by newly added CISA KEVs to prevent active exploitation.
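The GovCloud key leak above and the recommendation to audit contractor-managed repositories for exposed secrets both come down to one technical guardrail: scanning what is about to be committed before it reaches a shared repository. The following is an added example written for this bulletin, not code from CISA, GitHub, or the contractor involved. It scans only the added lines of a unified diff (what `git diff --cached` prints from a pre-commit hook) for AWS access key IDs, AWS secret access keys, and PEM private-key headers, and reports redacted hits by diff line number. The sample diff and the key values in it are constructed (the AWS values are the documented AWS example keys, not live credentials); the regexes are common heuristics, not an exhaustive secret catalogue.

```python
import re
import sys

# Patterns for credential material that should never land in a repository.
# The AWS access-key-ID shape (AKIA/ASIA + 16 uppercase alphanumerics) is the
# documented format; the other two are common heuristics and will not catch
# every secret type. Assumption: extend this table per environment.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+]{40})"
    ),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}


def redact(token):
    """Keep only the first and last four characters so reports can be shared safely."""
    return token[:4] + "..." + token[-4:] if len(token) > 8 else "***"


def scan_text(text):
    """Return (line_number, finding_kind, redacted_match) for every hit in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                # Use the capture group when the pattern has one, else the whole match.
                token = match.group(match.lastindex or 0)
                findings.append((lineno, kind, redact(token)))
    return findings


def scan_added_diff_lines(diff_text):
    """Scan only lines a unified diff adds ('+' prefix, excluding '+++' file headers).

    Line numbers in the result refer to lines of the diff text itself, which is
    what a reviewer sees in the hook output.
    """
    kept = []
    for line in diff_text.splitlines():
        if line.startswith("+") and not line.startswith("+++"):
            kept.append(line[1:])
        else:
            kept.append("")  # blank placeholder keeps numbering aligned with the diff
    return scan_text("\n".join(kept))


# Constructed sample: a deployment config being changed from environment
# lookups to hard-coded credentials. The values are AWS's published example keys.
SAMPLE_DIFF = """\
diff --git a/deploy/config.py b/deploy/config.py
--- a/deploy/config.py
+++ b/deploy/config.py
@@ -1,4 +1,6 @@
 REGION = "us-gov-west-1"
-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
 BUCKET = "ingest-artifacts"
"""


if __name__ == "__main__":
    # Pre-commit usage: git diff --cached | python scan_secrets.py
    # With no piped input, the constructed sample is scanned instead.
    diff = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    hits = scan_added_diff_lines(diff)
    for lineno, kind, token in hits:
        print(f"diff line {lineno}: {kind}: {token}")
    sys.exit(1 if hits else 0)
```

A non-zero exit blocks the commit, which is the "enforced technical guardrail" the incident write-up calls for: the check runs in the developer's own workflow and cannot be switched off by a repository setting. Pairing it with server-side scanning (such as GitHub's secret scanning, left enabled) covers commits that bypass local hooks.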
Chemical Sector
No sector-specific incidents, advisories, or operationally relevant reporting were identified during this biweekly reporting period.
Commercial Facilities Sector
185,000 Likely Impacted by 7-Eleven Data Breach 7-Eleven has confirmed that it was the victim of a data breach. The April 8, 2026 breach of 7-Eleven systems, carried out through the company’s Salesforce environment, exposed personal information (including names, dates of birth, email addresses, phone numbers, and physical addresses) of roughly 185,300 individuals. The ShinyHunters extortion group claimed responsibility, initially demanding a ransom and later offering the data for sale on a Russian hacking forum. This incident highlights ongoing risks to commercial facilities from extortion groups like ShinyHunters, which have also targeted education vendors serving Florida school districts and higher-education institutions.
Commercial Facilities Sector Recommendations:
- Conduct regular third-party risk assessments of vendors and service providers that handle customer or employee personally identifiable information (PII).
- Implement robust data encryption, access controls, and data-loss-prevention monitoring on systems containing sensitive personal or financial data.
- Develop and regularly test incident response playbooks specifically for data-extortion campaigns, including protocols for ransom demands and mandatory breach notification.
- Monitor closely for anomalous data exfiltration, especially involving legitimate cloud storage and file-sharing platforms commonly abused by groups like ShinyHunters.
- Provide targeted security awareness training for staff on advanced social engineering, phishing, and impersonation tactics used in these extortion operations.
Communications Sector
Telecom Sector Launches its Own Private ISAC Major U.S. telecommunications providers launched the Communications Cybersecurity Information Sharing and Analysis Center (C2 ISAC) to improve coordination against AI-enabled cyberattacks, espionage, and nation-state threats targeting communications infrastructure. The initiative aims to strengthen collaboration between telecommunications companies and government cybersecurity partners. Officials warned that adversaries continue targeting telecom infrastructure to support surveillance, espionage, and operational disruption campaigns. This development is relevant to Florida as the state’s extensive network of MSPs provides foundational support for municipal utilities and local government services.
Huawei Zero-day Attack Behind Last Year’s Crash of Luxembourg’s Entire Telecoms Network An attack exploiting a previously undisclosed vulnerability in Huawei enterprise router software caused a nationwide telecom outage in Luxembourg, disrupting mobile, landline, and emergency communications for more than three hours. As of this reporting, the vulnerability has not been publicly disclosed or assigned a CVE identifier. Because no CVE has been assigned, operators cannot rely on standard vulnerability management tools to identify this exposure; network inventory and manual review of Huawei equipment are the only current detection paths. This incident highlights persistent supply-chain risks associated with Chinese-manufactured networking equipment in critical communications infrastructure. Florida’s telecommunications providers, managed service providers, and municipal utilities that rely on similar enterprise routing and OT networking hardware should review Huawei equipment inventories and consider immediate segmentation or replacement strategies where feasible.
Communications Sector Recommendations:
- Enforce strict multi-factor authentication and the principle of least privilege on all managed service provider remote access connections to prevent adversaries from pivoting into downstream municipal utility networks.
- Monitor telecommunications and managed service provider environments continuously for unauthorized affiliate activity or staging of data exfiltration tools that typically precede ransomware deployment.
- Prepare contingency plans to immediately sever or isolate administrative access from managed service providers if anomalous activity or cascading ransomware attempts are detected.
- Inventory all enterprise routers and OT networking hardware for Huawei or other high-risk vendors and implement strict network segmentation or accelerated replacement to mitigate undisclosed zero-day supply-chain risks.
Critical Manufacturing Sector
Ransomware Hackers Claim Breach at Foxconn, Major Electronics Manufacturer for Apple, Google, and Nvidia The Nitrogen ransomware group claimed responsibility for breaching Foxconn’s North American facilities in Mount Pleasant, Wisconsin and Houston, Texas, alleging theft of more than 11 million files totaling 8 terabytes (TB) of data, including confidential instructions, internal project documentation, technical drawings (including circuit board layouts and integrated circuit documentation), financial files, and temperature sensor records — tied to projects for Apple, Intel, Google, Dell, Nvidia, and AMD. The affected plants have resumed normal production, but the incident highlights downstream supply chain risk to U.S. critical manufacturing. This is highly relevant to Florida, where ports in Jacksonville, Tampa, and Miami serve as key logistics hubs for electronics and aerospace components.
CVE-2024-9643: Four-Faith Router Authentication Bypass Fuels Botnet Activity CrowdSec researchers reported a surge in exploitation of CVE-2024-9643, a critical authentication-bypass flaw involving hard-coded credentials in Four-Faith F3x36 industrial cellular routers. The activity has escalated into large-scale botnet campaigns targeting utilities, warehouses, and critical infrastructure. These routers are commonly deployed in remote monitoring and operational technology (OT) environments. Florida municipal utilities, water systems, and energy providers using similar industrial routers should immediately inventory, patch, or isolate these devices.
CVE-2026-8153: Command Injection in the PolyScope 5 Dashboard Server Universal Robots disclosed and patched a critical command injection vulnerability (CVE-2026-8153) in the Dashboard Server interface of its PolyScope 5 operating system, used on collaborative robots deployed across operational technology environments. The flaw allows unauthenticated remote attackers to execute arbitrary commands, potentially compromising system integrity and physical safety. Collaborative robots are widely used in manufacturing, energy, and logistics facilities. This development is highly relevant to Florida’s aerospace, critical manufacturing, and port logistics clusters that employ Universal Robots systems.
Critical Manufacturing Sector Recommendations:
- Harden remote access gateways and segment manufacturing networks from corporate IT systems to limit lateral movement during supply-chain ransomware incidents.
- Implement immutable offline backups of engineering schematics and design files to ensure rapid recovery without paying ransoms.
- Conduct immediate third-party risk assessments of electronics and component suppliers to identify exposure from large-scale breaches such as the Foxconn incident.
- Inventory all collaborative robots and industrial cellular routers (Universal Robots PolyScope and Four-Faith F3x36) for exposed interfaces and apply available patches or implement strict network segmentation.
Dams Sector
No sector-specific incidents, advisories, or operationally relevant reporting were identified during this biweekly reporting period.
Defense Industrial Base Sector
Iran-Linked Seedworm Maintains Persistent Access in U.S. Defense Supply Chain Networks Symantec reporting (continuing through recent days) describes Iranian APT Seedworm targeting the Israeli operation of a U.S. software company that supplies the defense and aerospace industry. The campaign, which began in early February 2026, is ongoing, and the activity correlates with U.S. and Israeli military strikes on Iran. The attackers used a new Dindoor backdoor and a second, separate Python-based backdoor called Fakeset, also deployed on the networks of a U.S. airport and a nonprofit, to conduct espionage and potential follow-on disruption against defense-related environments in the U.S. and allied countries. This activity underscores persistent supply-chain risks to the Defense Industrial Base from Iranian cyber threat actors. Florida’s aerospace clusters and defense contractors should conduct immediate third-party risk assessments of software suppliers.
Defense Industrial Base Sector Recommendations:
- Conduct rigorous and recurring third-party risk assessments of all software suppliers and service providers supporting defense and aerospace operations, with focused scrutiny on potential Iranian-linked activity.
- Implement continuous monitoring and behavioral analytics to detect persistent access, backdoors (such as Dindoor), and anomalous activity originating from supply-chain compromises.
- Enforce strict network segmentation and least-privilege principles between supplier-managed systems and critical internal networks to limit lateral movement.
- Verify the integrity of all third-party software updates and components prior to deployment in operational environments.
- Develop and regularly test incident response plans tailored to nation-state supply-chain attacks involving long-term espionage and potential disruptive follow-on operations.
Emergency Services Sector
No sector-specific incidents, advisories, or operationally relevant reporting were identified during this biweekly reporting period.
Energy Sector
US Annual Electricity Consumption to Grow 55% by 2050: NEMA The National Electrical Manufacturers Association (NEMA) forecast shows accelerating electricity demand from data centers, straining U.S. utilities and raising affordability concerns. Florida utilities are already experiencing similar grid pressure from artificial intelligence (AI)-driven data-center growth.
NERC 2026 Summer Reliability Assessment North American Electric Reliability Corporation’s (NERC) 2026 Summer Reliability Assessment warned that accelerated electricity demand, rapid growth of large data-center loads, and extreme heat conditions may strain portions of the North American electric grid. The assessment highlighted increasing operational pressure associated with AI-driven infrastructure expansion, maintenance outages, and periods of reduced renewable energy generation. Several regions may experience elevated reserve shortfalls during sustained peak-demand conditions. Florida utilities may face similar reliability and operational challenges during hurricane season and summer heat events.
Hackers Have Breached Tank Readers at US Gas Stations; Officials Suspect Iran is Responsible U.S. officials suspect Iranian-linked actors are responsible for a series of breaches targeting automatic tank gauge (ATG) systems, though a lack of forensic evidence means definitive attribution has not been confirmed. Notably, the affected systems were internet-exposed and unprotected by passwords, which represents a basic configuration failure. CI operators should immediately verify that all ATG systems are removed from the public internet or placed behind password-protected access controls. The attacks focus on operational technology used for real-time inventory and distribution management rather than traditional information technology (IT) networks. The attackers’ capability, however, was limited to manipulating display readings, not actual fuel levels or distribution flows. If confirmed, the activity would represent continued Iranian interest in disrupting or gathering intelligence on U.S. energy infrastructure. The incidents are highly relevant to Florida’s extensive fuel distribution networks, ports, and municipal energy providers that rely on similar tank-gauge and monitoring systems.
PJM Gets Emergency Approval to Curtail Data Centers, Large Loads During Hot Weather The Department of Energy authorized PJM Interconnection to curtail power usage by large facilities with backup generation capability, including data centers, amid reserve shortages caused by extreme heat and maintenance outages. The emergency authority reflects growing operational stress on energy infrastructure that supports AI-driven data-center growth and increasing electricity demand. Grid operators continue evaluating emergency procedures to maintain system stability during high-load events. The incident also highlights increasing dependence on resilient backup-generation systems across critical infrastructure sectors.
CI Fortify: Strengthening Resilience Across Critical Infrastructure Iranian-linked actors continue to target internet-exposed PLCs and SCADA systems in the water and energy sectors. CISA’s CI Fortify guidance explicitly calls for OT isolation and manual operations readiness—directly applicable to Florida’s energy providers.
Energy Sector Recommendations:
- Verify that all operational technology (OT) assets, particularly Rockwell Automation and Allen-Bradley programmable logic controllers, are removed from the public internet or placed behind strict network segmentation.
- Store critical OT configurations and backups in immutable offline formats to enable manual operations during sustained cyber campaigns.
- Audit third-party vendor accounts and monitor for anomalous remote access to smart-grid and energy-management systems.
- Inventory and segment all operational technology assets used for fuel storage, tank monitoring, and distribution systems, ensuring they are not internet-exposed and are protected by strict network segmentation.
Financial Services Sector
No sector-specific incidents, advisories, or operationally relevant reporting were identified during this biweekly reporting period.
Food and Agriculture Sector
No sector-specific incidents, advisories, or operationally relevant reporting were identified during this biweekly reporting period.
Government Services and Facilities Sector
Aurora Lost Nearly $1.1M from City Bank Accounts After Employee Fell for Phone Scam Authorities in Aurora, Illinois are investigating a cyber-enabled fraud incident that resulted in approximately $1.1 million being transferred from municipal accounts after an employee reportedly fell victim to a phone scam. The incident reflects continuing business email compromise and social-engineering threats targeting local governments and public-sector financial operations. Cyber threat actors increasingly use impersonation techniques and financial fraud schemes to exploit municipal payment processes. Florida municipalities and tourism-dependent communities remain vulnerable to similar financially motivated cyber campaigns.
Chelan County WA Government Shuts Down Networks After Cyberattack Chelan County officials shut down all government computers, networks, and telephone systems on Memorial Day after detecting a malware attack that impacted every county department. The county’s information technology (IT) department identified the malware at 10 a.m. and immediately isolated systems as a safety precaution. Emergency services remained operational. This incident serves as a direct tactical analog for Florida’s numerous county and municipal government facilities that routinely handle high-volume administrative and public safety systems.
State IT Officials Make a Case for Cyber Grant Reauthorization Before House Subcommittee Florida’s Chief Information Officer and technology leaders from Tennessee and New York testified before the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection regarding the now-unfunded State and Local Cybersecurity Grant Program (SLCGP). The officials highlighted how the grant program has improved state and local network defenses and urged Congress to reauthorize funding amid escalating nation-state threats and reduced federal support. This testimony is directly relevant to Florida’s municipal, county, and educational networks, which rely on these grants to maintain resilience against ransomware, operational technology (OT) targeting, and supply chain risks.
Canvas Hack: Company Pays Criminals to Delete Students’ Stolen Data Instructure (provider of the widely used Canvas learning management system) reached an agreement with the ShinyHunters group after a major breach that exposed student and staff data from 275 million records across approximately 9,000 institutions, including names, email addresses, student ID numbers, and private messages between students and instructors. Instructure reportedly paid a ransom to the ShinyHunters group, receiving digital confirmation that exfiltrated data was destroyed, though no certainty exists that the cybercriminals honored the agreement. The FBI’s Internet Crime Complaint Center (IC3) issued a separate advisory on May 15, 2026 warning students and staff that ShinyHunters may directly contact individuals whose data was exposed. The incident directly impacted the University of South Florida (USF) in Tampa as well as Hillsborough County Public Schools, Pinellas County Schools, and other Florida districts, underscoring the systemic risk to Florida’s K-12 and higher-education systems that rely on third-party education vendors.
Hackers Exploited KnowledgeDeliver Zero-Day for Web Shell Deployment Attackers have exploited a zero-day vulnerability in KnowledgeDeliver, a widely used learning management system (LMS). The flaw stemmed from hardcoded ASP.NET machineKey values shared across installations. With these keys, cyber threat actors performed ViewState deserialization attacks to achieve remote code execution and deployed web shells. This incident demonstrates that cyber threat actors continue to pursue LMS platforms used by schools and government entities. The development is highly relevant to Florida’s K-12 and higher-education systems as well as municipal government facilities that rely on similar third-party administrative and education platforms.
Government Services and Facilities Sector Recommendations:
- Train staff to verify all financial requests through out-of-band channels before initiating wire transfers or payments.
- Implement strict multi-factor authentication and least-privilege controls on email and financial systems used by municipal staff.
- Conduct regular phishing simulations and rigorous vendor risk assessments of third-party learning management systems (LMS), education platforms, and administrative software to reduce exposure to supply-chain and zero-day vulnerabilities.
- Inventory, promptly patch (or isolate) all internet-facing third-party LMS and web-based administrative applications, with special attention to hardcoded credentials, shared configuration keys, and web-shell risks.
- Maintain and regularly test offline backups and manual fallback procedures for all county and municipal administrative systems to ensure continuity during ransomware or malware-induced outages.
- Advocate for and prepare contingency plans around reauthorization of the State and Local Cybersecurity Grant Program to sustain network defenses amid reduced federal support.
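The KnowledgeDeliver item above and the recommendation to check hosted applications for shared configuration keys point at a specific, auditable condition: an ASP.NET `<machineKey>` whose `validationKey` or `decryptionKey` is hard-coded and reused across more than one installation. A hard-coded key is legitimate inside a single web farm, but the same key turning up in configs from separate deployments is the pattern that made the ViewState attack possible. The following is an added example written for this bulletin, not code from Instructure, the KnowledgeDeliver vendor, or Microsoft. It parses the `<system.web><machineKey>` element from a set of web.config files, reports hard-coded keys as informational, and reports any key value shared between two or more configs as critical, comparing SHA-256 fingerprints so the report never contains the key itself. The three sample configs and their key values are constructed for the example.

```python
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

# Attributes of <machineKey> that carry secret material. ASP.NET's runtime
# default when the element is absent or set to AutoGenerate is a per-machine,
# per-application key, which is the safe state for a single-server deployment.
KEY_ATTRS = ("validationKey", "decryptionKey")


def extract_machine_key(config_xml):
    """Return {attr: value} for <system.web><machineKey>, or None if absent."""
    root = ET.fromstring(config_xml)
    node = root.find("./system.web/machineKey")
    if node is None:
        return None
    return {attr: node.get(attr) for attr in KEY_ATTRS}


def fingerprint(value):
    """Short SHA-256 digest so findings can be shared without exposing the key."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:12]


def audit_machine_keys(configs):
    """configs: {installation_label: web.config text}.

    Returns a list of (severity, labels, message). 'info' marks a hard-coded
    key in one installation; 'critical' marks a key value reused across
    installations, which is the condition behind the KnowledgeDeliver incident.
    """
    findings = []
    owners = defaultdict(list)  # (attr, fingerprint) -> labels using that key
    for label, xml_text in configs.items():
        machine_key = extract_machine_key(xml_text)
        if machine_key is None:
            continue  # element absent: runtime default (AutoGenerate) applies
        for attr, value in machine_key.items():
            if value is None or value.upper().startswith("AUTOGENERATE"):
                continue
            findings.append(("info", label, f"{attr} is hard-coded in config"))
            owners[(attr, fingerprint(value))].append(label)
    for (attr, fp), labels in owners.items():
        if len(labels) > 1:
            findings.append((
                "critical",
                ",".join(sorted(labels)),
                f"{attr} {fp} is shared across {len(labels)} installations",
            ))
    return findings


def _config(validation_key, decryption_key):
    """Build a minimal web.config around the given <machineKey> values."""
    return (
        "<configuration><system.web>"
        f'<machineKey validationKey="{validation_key}" '
        f'decryptionKey="{decryption_key}" '
        'validation="HMACSHA256" decryption="AES" />'
        "</system.web></configuration>"
    )


# Constructed sample values, not keys from any real product.
SHARED_VALIDATION_KEY = "0123456789ABCDEF" * 8   # 64 bytes as hex
SHARED_DECRYPTION_KEY = "FEDCBA9876543210" * 4   # 32 bytes as hex

SAMPLE_CONFIGS = {
    # Two separate installations that shipped with the same vendor-supplied key.
    "site_a": _config(SHARED_VALIDATION_KEY, SHARED_DECRYPTION_KEY),
    "site_b": _config(SHARED_VALIDATION_KEY, SHARED_DECRYPTION_KEY),
    # A correctly configured single-server installation.
    "site_c": _config("AutoGenerate,IsolateApps", "AutoGenerate,IsolateApps"),
}


if __name__ == "__main__":
    for severity, labels, message in audit_machine_keys(SAMPLE_CONFIGS):
        print(f"[{severity}] {labels}: {message}")
```

In a real audit the `configs` dictionary would be filled from the web.config files of each hosted application (or each customer installation of a vendor product) rather than from the constructed samples; the fingerprint comparison works across any number of files. Remediation is to generate a fresh key pair per installation, which also invalidates any ViewState signed under the old shared key.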
Healthcare and Public Health Sector
OpenLoop Health Data Breach Affects 716,000 Individuals OpenLoop Health disclosed a breach exposing names, addresses, email addresses, dates of birth, and medical information (but not Social Security Numbers) of approximately 716,000 individuals. The incident aligns with the broader pattern of persistent data-theft and extortion campaigns targeting the U.S. healthcare sector. Florida’s large healthcare network and retiree population make this a continuing high-priority risk.
Data Breach on New York Public Health System Claims 1.8M Victims, Leaking Biometric Data to Hackers NYC Health + Hospitals confirmed that a vendor-related compromise exposed sensitive patient data, including biometric data, affecting approximately 1.8 million individuals after attackers reportedly maintained access to systems for several months. Exposed information included protected health information and personally identifiable information tied to healthcare operations. The incident highlights the ongoing risks associated with third-party vendors and healthcare-sector supply chain exposure.
Hospital Ransomware Attack Led to Infant’s Death, Lawsuit Alleges A hospital ransomware attack allegedly led to an infant’s death, according to a lawsuit. The incident highlights the severe life-safety risks when ransomware disrupts critical healthcare operations and patient care systems. This is directly relevant to Florida’s large healthcare network and retiree population, where ransomware continues to threaten both patient data and care continuity.
Healthcare and Public Health Sector Recommendations:
- Isolate electronic health record systems and medical devices on segmented networks to prevent lateral movement during ransomware incidents.
- Maintain and regularly test manual downtime procedures for all critical patient care and life-safety systems to sustain operations and protect patient safety during IT outages or ransomware events.
- Perform rigorous third-party risk assessments of billing and health-data vendors to limit exposure from supply-chain breaches.
- Prioritize patient safety and life-safety system continuity in all ransomware incident response planning and conduct regular drills focused on rapid transition to manual operations.
Information Technology Sector
CISA Releases 18 New ICS Advisories
The Cybersecurity and Infrastructure Security Agency (CISA) released 18 new industrial control system advisories on May 14, 2026, detailing remotely exploitable vulnerabilities in products used across manufacturing, emergency communications, and supporting OT environments. Florida operators of these systems should apply patches immediately.
GitHub Confirms Breach of 3,800 Repos via Malicious VSCode Extension
GitHub confirmed that approximately 3,800 internal repositories were compromised after an employee installed a malicious Visual Studio Code extension. The incident demonstrates the growing threat posed by software supply chain compromises targeting trusted developer environments and third-party extensions. Additional organizations, including major technology firms and artificial intelligence (AI) companies, were reportedly impacted by related activity. The compromise reinforces concerns about dependency trust, extension security, and vulnerabilities in the software development ecosystem.
CISA Adds One Known Exploited Vulnerability to Catalog
CISA has added CVE-2026-9082, a critical SQL injection vulnerability in Drupal Core’s database abstraction API, to its Known Exploited Vulnerabilities catalog after confirming active exploitation. The agency ordered federal agencies to patch by May 27, 2026. Drupal is widely used by government agencies, educational institutions, and critical infrastructure entities for managing large-scale websites and content. Florida state agencies, school districts, and municipal utilities running Drupal instances should apply patches immediately to prevent unauthorized database access and potential lateral movement.
Exposing Fox Tempest: A Malware-signing Service Operation
Microsoft identified Fox Tempest as a financially motivated cyber threat actor operating a malware-signing-as-a-service platform used by cybercriminals and ransomware operators. The group abuses Microsoft Artifact Signing to generate fraudulent short-lived certificates that allow malicious software to appear legitimate and evade traditional security controls. The operation demonstrates the increasing sophistication of ransomware enablement services and malware delivery infrastructure. Security researchers warned that signed malware continues to pose significant detection and trust challenges for defenders.
Patch Bypass Allows Hackers to Exploit Prior Flaw in SonicWall SSL-VPN
Cyber threat actors continue to exploit a SonicWall Secure Sockets Layer virtual private network (SSL-VPN) vulnerability that enables attackers to bypass multifactor authentication protections during automated brute-force attacks. Researchers warned that a patch bypass allowed exploitation activity to continue despite earlier remediation efforts. SSL-VPN appliances remain frequent targets for ransomware operators and cybercriminal groups seeking remote access into enterprise environments. Organizations relying on internet-facing VPN infrastructure continue to face elevated risks from credential attacks and remote-access exploitation.
ClearFake Abuses BSC Testnet Contracts for Resilient C2 Operations
Cyber threat actors behind the ClearFake campaign have adopted a novel and highly resilient command-and-control (C2) architecture that leverages BNB Smart Chain (BSC) testnet smart contracts. This approach embeds malicious JavaScript and instructions within immutable blockchain storage, which makes the infrastructure effectively immune to traditional takedown efforts. Standard threat intelligence feeds and domain blocklists are therefore ineffective against this C2 channel, so defenders must instead focus on monitoring anomalous outbound connections and JavaScript injection patterns. The tactic expands supply-chain and developer-pipeline risks for Florida critical infrastructure entities that rely on third-party IT tools and extensions.
Hackers Host JS Malware GHOSTYNETWORKS and OMEGATECH
Hackers are abusing two bulletproof hosting providers, GHOSTYNETWORKS and OMEGATECH, to run a global JavaScript (JS) malware infrastructure that powers large-scale malspam and business email compromise (BEC) activity. In March 2026, multiple malspam waves delivered a JavaScript backdoor via ZIP or RAR attachments to organizations across sectors, including energy companies and finance ministries. The financially motivated operators focus on email account compromise and BEC rather than espionage.
Gitea Vulnerability Exposes Private Container Images Without Authentication
Cybersecurity researchers disclosed a security flaw in Gitea (CVE-2026-27771, CVSS 8.2) that allows unauthenticated remote attackers to pull private container images from Gitea deployments without requiring credentials. The vulnerability affects all versions prior to 1.26.2 and likely impacts more than 30,000 deployments worldwide. Florida state agencies, school districts, and critical infrastructure operators running self-hosted Gitea instances should apply the patch immediately.
Critical Notepad++ Flaw Could Enable Remote Code Execution Attacks
Notepad++ has released version 8.9.6.1 to address multiple critical vulnerabilities, including CVE-2026-48778, which could allow arbitrary code execution under specific conditions involving improper handling of configuration files. The update patches flaws in versions up to 8.9.6. Developers and administrators across Florida critical infrastructure environments should update immediately to prevent potential supply-chain compromise via developer tools.
Information Technology Sector Recommendations:
- Apply all CISA Known Exploited Vulnerabilities catalog updates and the latest ICS advisories without delay.
- Immediately inventory, patch, or isolate all Drupal installations, Gitea instances, and other internet-facing web applications, prioritizing those used by government, educational, and critical infrastructure systems.
- Enforce strict package verification, code-signing validation, and security checks for all developer tools, extensions (including VSCode), and applications such as Notepad++ to prevent supply-chain and remote code execution attacks.
- Implement strong authentication and access controls on self-hosted code repositories and container registries (such as Gitea) to block unauthenticated access to private container images and source code.
- Monitor for and block malicious JavaScript malware campaigns, abuse of bulletproof hosting providers, and resilient C2 techniques such as blockchain-based infrastructure.
- Scan and restrict internet-facing remote-access services (including SSL-VPN appliances) and apply patches immediately to counter bypass techniques and automated attacks.
- Strengthen supply-chain security practices to defend against malware-signing-as-a-service operations (such as Fox Tempest) and third-party extension compromises.
Nuclear Reactors, Materials, and Waste Sector
No sector-specific incidents, advisories, or operationally relevant reporting were identified during this biweekly reporting period.
Transportation Systems Sector
Iranian Hackers Blamed for Breach of Los Angeles Transit System that Took Weeks to Recover
Israeli cybersecurity firm Gambit Security attributed a March 2026 breach of the Los Angeles County Metropolitan Transportation Authority (LA Metro) to Iranian government-linked (MOSI) actors known as Black Shadow, operating under the hacktivist cover persona “Ababil of Minab”. Attackers used a virtual machine to delete critical operating system data, stole at least 700 GB of emails, backups, and files, and forced multi-week network isolation and recovery. Gambit Security reported that attackers also reached a real-time rail yard control display system, crossing from administrative IT networks into OT territory, though no manipulation of physical operations has been confirmed. This incident demonstrates state-sponsored destructive capabilities against U.S. transportation OT/IT systems. Florida’s ports, transit authorities, and logistics networks that rely on similar interconnected systems should treat this as a transferable risk.
Iranian APT Targets Aviation, Software Companies with Updated Tools
Iranian APT Nimbus Manticore has adopted new tactics and malware variants in campaigns against aviation and software companies. Recent operations used updated tooling that enhances persistence and evasion. This activity demonstrates continued Iranian state-sponsored focus on transportation and related supply-chain targets. Florida’s ports, aviation facilities, and transit networks should treat this as transferable risk and review vendor software supply chains.
Transportation Systems Sector Recommendations:
- Monitor maritime traffic networks and commercial port environments for localized GPS spoofing attempts or electronic warfare interference.
- Encrypt all vessel communication systems to prevent threat actors from intercepting sensitive navigation and logistics data.
- Implement redundant positioning, navigation, and timing systems to maintain safe maritime operations if primary GPS signals are disrupted.
- Audit and segment all virtual machines, remote-access tools, and OT/IT convergence points in transit and port systems to prevent destructive data-wiping attacks by state actors.
Water and Wastewater Systems Sector
CI Fortify: Strengthening Resilience Across Critical Infrastructure
Iranian-linked actors continue to target internet-exposed PLCs and SCADA systems in the water and energy sectors. CISA’s CI Fortify guidance explicitly calls for OT isolation and manual operations readiness, which is directly applicable to Florida’s municipal water utilities.
Water and Wastewater Systems Sector Recommendations:
- Immediately remove or isolate all internet-exposed programmable logic controllers and SCADA interfaces.
- Develop and regularly test manual fallback procedures for water treatment and distribution operations.
- Monitor anomalous changes to PLC project files and HMI configurations that could indicate manipulation attempts.
- Accelerate the adoption of AI-assisted defensive tools and conduct regular third-party risk assessments of OT vendors in light of shrinking federal support for water-sector cybersecurity.
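One way to implement the monitoring recommendation above for PLC project files and HMI configurations is a baseline-and-diff integrity check: hash every file in the engineering share, store the manifest out of band, and alert on modified, added or removed files. This is an added example written for this bulletin, not code from CISA or any vendor; the directory layout and file names are constructed for illustration.

```python
"""Baseline-and-diff integrity check for PLC project and HMI configuration files.
Added example (not from the bulletin). Directory and file names are constructed."""
import hashlib
import json
import tempfile
from pathlib import Path


def build_baseline(root: Path) -> dict[str, str]:
    """Map each file under root (relative POSIX path) to its SHA-256 hex digest."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            baseline[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return baseline


def diff_against_baseline(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Return files whose content changed, appeared, or disappeared since the baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "added": sorted(f for f in current if f not in baseline),
        "removed": sorted(f for f in baseline if f not in current),
    }


def save_baseline(baseline: dict[str, str], manifest: Path) -> None:
    # Keep the manifest on read-only or offline media: an attacker with write
    # access to the engineering workstation must not be able to re-baseline.
    manifest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(manifest: Path) -> dict[str, str]:
    return json.loads(manifest.read_text())


def demo() -> dict[str, list[str]]:
    """Constructed scenario: an unreviewed logic change plus a new HMI screen file."""
    proj = Path(tempfile.mkdtemp()) / "plc_projects"
    proj.mkdir()
    (proj / "pump_station_1.acd").write_bytes(b"ladder logic v1")   # constructed
    (proj / "hmi_screens.xml").write_text("<screens>v1</screens>")   # constructed
    manifest = proj.parent / "baseline.json"
    save_baseline(build_baseline(proj), manifest)
    (proj / "pump_station_1.acd").write_bytes(b"ladder logic v2")   # simulated change
    (proj / "chlorine_dosing.xml").write_text("<screens>new</screens>")  # simulated add
    return diff_against_baseline(proj, load_baseline(manifest))
```

Run the diff on a schedule from a host that cannot write to the share; any entry in "modified" or "added" outside a change window should be reconciled against the change-control log before the next logic download.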
