Florida Critical Infrastructure Cybersecurity Intelligence
This bulletin is produced by USF’s Strategic and Cyber Intelligence Program, in collaboration with Cyber Florida, to deliver timely, actionable insights and recommendations to help Critical Infrastructure owners and operators better protect Florida’s Critical Infrastructure.
Situational Awareness Bulletin
Cyber Threat Outlook
Florida’s critical infrastructure operators face an accelerating wave of attacks against the software and network equipment that connects their organizations to the internet, with attackers exploiting newly disclosed flaws within days of disclosure and, in several cases, before a fix even exists. Over the next six to nine months, three patterns will likely dominate the threat landscape: mass-exploitation campaigns against widely used enterprise software, illustrated by the Oracle PeopleSoft vulnerability behind the ShinyHunters extortion campaign that has already struck a national insurance regulator; continued compromise of network perimeter devices, including firewalls, virtual private networks (VPNs, which let remote users connect securely to a private network), and routers that organizations rely on for both security and connectivity; and the abuse of trusted third-party cloud integrations, where attackers steal credentials from one vendor to reach every customer connected to it. Nation-state actors, particularly those linked to Iran and Russia, continue probing government and public safety systems abroad for techniques that could migrate to U.S. targets. For Florida operators, the most effective defenses remain unglamorous but proven: patch internet-facing systems quickly, require multifactor authentication everywhere it is available, and rehearse manual backup procedures so operations can continue if digital systems fail.
Confidence Assessment – High
Executive Summary
All Sectors: Prioritize risk-based vulnerability management across all sectors as automated exploitation of internet-facing vulnerabilities has surpassed credential theft as the leading initial access method for cyber intrusions. Iran-linked threat groups continue demonstrating the ability to disrupt public-safety alerting and operational technology (OT) systems abroad, most recently by silencing emergency sirens in Israel through a known firmware flaw in widely deployed alerting hardware — a technique that could be replicated against the same hardware wherever it is deployed, including in Florida. Florida organizations should accelerate remediation of actively exploited vulnerabilities, inventory any of the affected alerting hardware in their environment, and strengthen identity-centric security controls.
Commercial Facilities: Isolate internet-connected surveillance systems and third-party business platforms, as newly disclosed, high-severity H.VIEW camera vulnerabilities (CVSS 7.2 and 8.6) and recent extortion campaigns demonstrate these technologies remain attractive attack vectors. No vendor patch is currently available for the camera flaws, so isolation is the primary defense. Organizations should rotate privileged credentials, segment backup infrastructure, and monitor for unauthorized administrative activity.
Communications: Strengthen communications infrastructure security as Cisco Secure Digital Wide Area Network (SD-WAN) zero-day exploitation and new Federal Communications Commission (FCC) emergency communications security requirements highlight increasing operational risks. Florida communications providers should prioritize patching, review administrative access controls, and validate continuity procedures supporting emergency communications.
Critical Manufacturing: Apply firmware and software updates rapidly as active exploitation of Ubiquiti UniFi and PTC Windchill platforms continues to threaten manufacturing environments and industrial supply chains. Organizations should restrict access to management interfaces and strengthen segmentation between operational technology and enterprise networks.
Financial Services: Review third-party platform security following the National Association of Insurance Commissioners (NAIC) breach, which was caused by the same Oracle PeopleSoft zero-day vulnerability (CVE-2026-35273) covered under All Sectors above, and demonstrates continuing risks associated with financial reporting and regulatory operations. Financial institutions running Oracle PeopleSoft should treat patching that vulnerability as a financial-sector priority, not only a general IT task, and should enforce least-privilege principles, strengthen authentication controls, and monitor for unauthorized access to sensitive financial data.
Government Services and Facilities: Increase behavioral monitoring, drawing on newly published research showing how the Russian Advanced Persistent Threat (APT) group Gamaredon evolved its PowerShell-based malware and command-and-control tradecraft in 2025. Gamaredon’s documented campaigns remain focused on Ukrainian government and military targets, but its techniques — including abuse of legitimate cloud and tunneling services to hide infrastructure — illustrate broader nation-state tradecraft worth incorporating into defensive planning. Government organizations should validate endpoint detection capabilities and conduct recurring integrity reviews of administrative workstations and privileged accounts.
Healthcare and Public Health: Strengthen third-party access controls as CyberAv3ngers continues targeting public-safety communications while ransomware operators maintain pressure on healthcare providers through data theft and extortion. Healthcare organizations should validate backup and recovery procedures, monitor for data leakage, and ensure continuity plans support uninterrupted patient care.
Information Technology: Remediate Known Exploited Vulnerabilities affecting internet-facing enterprise infrastructure as active exploitation of Palo Alto GlobalProtect, LiteSpeed cPanel, and Joomla vulnerabilities continues to increase operational risk. Organizations should restrict administrative privileges, strengthen endpoint monitoring, and review browser extension security policies.
Water and Wastewater Systems: Enhance remote-access security as recent federal guidance regarding last-mile funding and National Institute of Standards and Technology (NIST) remote-access security reinforces the need for resilient operational technology architectures. Utilities should implement continuous operational technology integrity monitoring and validate manual fallback procedures to maintain essential services during cyber incidents.
All Sectors
Securing The Nation Against Advanced Cryptographic Attacks On June 22, 2026, President Trump signed an Executive Order directing the accelerated transition to Post-Quantum Cryptography (PQC) across federal systems to address emerging “harvest now, decrypt later” threats. Adversaries are increasingly collecting encrypted information with the expectation that future quantum computing capabilities will enable decryption of sensitive data. While the directive establishes federal migration timelines through 2031, Florida critical infrastructure owners and operators should begin identifying cryptographic dependencies, inventorying high-value assets, and coordinating with their Sector Risk Management Agencies (SRMAs) to support long-term cryptographic modernization and reduce future operational risk.
ShinyHunters Hacked Hundreds Leveraging Oracle Bug Throughout June 2026, the ShinyHunters cybercrime group conducted coordinated attacks by exploiting vulnerabilities in widely deployed enterprise platforms, including Oracle PeopleSoft, to compromise organizations across multiple sectors. The campaign exploited CVE-2026-35273, a CVSS 9.8 unauthenticated remote code execution flaw in the PeopleSoft Environment Management Hub component, between May 27 and June 9, 2026, before Oracle issued mitigation guidance on June 10. Rather than targeting a single organization, the campaign focused on shared enterprise infrastructure to steal personally identifiable information (PII), financial records, and proprietary business data for extortion. While the campaign affected organizations across government, healthcare, financial services, and other sectors, Google Mandiant’s investigation found that 68 percent of identified targets were in higher education, making it the sector hit hardest by this specific campaign. Because Oracle enterprise resource planning solutions are widely used across government, healthcare, financial services, and commercial organizations, Florida critical infrastructure operators should immediately assess internet-facing Oracle environments, validate backup integrity, and monitor for indicators of unauthorized access.
Cybercriminals Allegedly Hacked Tens of Thousands of Fortinet Firewalls Used by Major Companies All Over the World A large-scale credential exposure campaign compromised administrative and Secure Sockets Layer Virtual Private Network (SSL VPN) credentials associated with more than 73,000 Fortinet FortiGate appliances worldwide. The exposed credentials could enable cyber threat actors to bypass network perimeters, modify firewall configurations, establish persistent access, and conduct lateral movement within enterprise environments. Fortinet characterized the activity as “a resharing of data from previous incidents, as well as bruteforcing of credentials, and is not related to any recent incident or advisory.” Given the widespread deployment of Fortinet technologies throughout Florida government agencies and critical infrastructure sectors, organizations should immediately validate administrative credentials, review firewall configurations, rotate compromised credentials, and prioritize risk-based remediation to prevent unauthorized network access.
North Korean Hiring Fraud Runs on AI and US Laptop Farms Research released in June 2026 identified a sophisticated North Korean employment fraud campaign that combines stolen identities, artificial intelligence-assisted interviews, and U.S.-based laptop farms to infiltrate technology companies. One documented case, publicized in June 2026 but originating from a June 2025 job application, involved an individual posing as a Florida-based artificial intelligence architect who applied for a position at risk-intelligence firm Nisos. Nisos identified the deception during its interview process before extending an offer, then used the engagement to gather intelligence on the broader fraud operation. This activity demonstrates the growing insider threat posed by fraudulent remote hiring schemes. Florida organizations should strengthen identity verification procedures, validate candidate credentials, monitor for anomalous endpoint activity during onboarding, and incorporate insider-threat detection into hiring and human resources security processes. Two technical indicators thsat may be useful for detection are: (a) the use of PiKVM hardware to allow remote, hard-to-detect control of ‘laptop farm’ devices, and (b) the use of Astrill VPN, a service frequently associated with North Korean IT-worker operations, as a connection pattern.
All Sectors Recommendations:
• Inventory cryptographic assets and develop a phased migration strategy for Post-Quantum Cryptography (PQC) in coordination with applicable Sector Risk Management Agencies (SRMAs).
• Audit internet-facing enterprise applications and external gateways to identify vulnerabilities, unauthorized access, and indicators of compromise before they are exploited.
• Enforce phishing-resistant multi-factor authentication, rotate privileged credentials regularly, and continuously monitor remote access infrastructure for unauthorized administrative activity.
• Strengthen hiring and insider-threat detection processes by validating candidate identities, monitoring endpoint activity during onboarding, and identifying indicators associated with fraudulent remote employment campaigns.
• Conduct recurring tabletop exercises and business continuity drills to validate incident response, backup recovery, and operational resilience across all critical infrastructure sectors.
Chemical Sector
No sector-specific incidents, advisories, or operationally relevant reporting were identified during this biweekly reporting period.
Commercial Facilities Sector
CISA Warns H.VIEW HV-500S6 Cameras: Command Injection & Malicious File Upload Risk On June 25, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) released advisory ICSA-26-176-05 identifying high-severity vulnerabilities affecting H.VIEW HV-500S6 Internet Protocol (IP) cameras running firmware version IPCAM_V4.06.88.251229. The vulnerabilities, tracked as Common Vulnerabilities and Exposures (CVE)-2026-55975 and CVE-2026-56414, allow authenticated attackers to execute operating system commands and upload malicious files capable of establishing persistent access. Because these cameras are commonly deployed within commercial facilities, retail environments, warehouses, and public venues, successful exploitation could provide cyber threat actors with an initial foothold into enterprise networks. Florida commercial facility operators should prioritize firmware updates, isolate surveillance devices from critical business networks, and continuously monitor camera management interfaces for unauthorized activity.
Commercial Facilities Sector Recommendations:
• Identify all deployed H.VIEW HV-500S6 devices and verify whether vulnerable firmware versions remain in operation.
• Because H.View did not respond to CISA’s coordination request, and no vendor patch is currently available, CI operators should prioritize network isolation or removal of affected devices, while organizations attempt direct outreach to the vendor. Apply vendor firmware updates and remove unsupported devices from production environments whenever possible.
• Restrict camera management interfaces from direct internet exposure by implementing network segmentation and firewall protections.
• Rotate administrative credentials, disable unnecessary accounts, and continuously monitor surveillance systems for unauthorized configuration changes or suspicious activity.
• Validate incident response procedures for physical security systems to ensure surveillance infrastructure can be restored quickly following a cyber incident.
Communications Sector
Malicious Hackers Exploit Cisco Zero-Day for Highest Access Level at Communications Service Provider Mandiant disclosed on June 24, 2026, that attackers had exploited a Cisco Catalyst Software-Defined Wide Area Network (SD-WAN) Manager zero-day vulnerability (CVE-2026-20245) months earlier, escalating from administrative access first obtained in late 2025 to full root-level control by March 2026. While the attackers established unauthorized peering connections and created root-level privilege escalation, each component exploited separate vulnerabilities: CVE-2026-20127 or CVE-2026-20182 for initial access; CVE-2026-20245 for privilege escalation to root. This is the seventh actively exploited Cisco SD-WAN zero-day disclosed in 2026, indicating a sustained, not isolated, attacker focus on this product line. Because Cisco SD-WAN technologies are widely deployed across government agencies, telecommunications providers, utilities, and other Florida critical infrastructure sectors, exploitation of this vulnerability could enable unauthorized network access, service disruption, and lateral movement across enterprise environments. Florida organizations should prioritize patching, review administrative accounts, and continuously monitor SD-WAN infrastructure for signs of compromise.
FCC Passes New Cybersecurity Rules for Emergency Systems, Undersea Cables On June 25, 2026, the Federal Communications Commission (FCC) adopted new cybersecurity requirements to strengthen the security of the Emergency Alert System (EAS), Wireless Emergency Alerts (WEA), and undersea cable infrastructure. The updated submarine cable rules tighten some cybersecurity and equipment-sourcing requirements while also streamlining the national-security review process for cable operators that self-certify to high security standards, in a trade-off intended to accelerate buildout. Because Florida relies heavily on undersea cable networks and statewide emergency communications to support public safety and disaster response, compliance with these requirements will strengthen operational resilience and reduce the risk of service disruption during cyber incidents.
Communications Sector Recommendations:
• Patch Cisco Catalyst Software-Defined Wide Area Network (SD-WAN) infrastructure immediately to remediate known vulnerabilities and reduce the risk of unauthorized administrative access.
• Audit privileged accounts and configuration changes regularly to identify unauthorized users, rogue administrative accounts, or suspicious modifications.
• Implement the Federal Communications Commission’s (FCC) cybersecurity requirements for the Emergency Alert System (EAS) and Wireless Emergency Alerts (WEA), including strong authentication and timely patch management.
• Review business continuity and disaster recovery procedures supporting communications infrastructure to ensure essential services remain available during cyber incidents.
• Monitor network traffic and system logs continuously for indicators of compromise affecting routing infrastructure, emergency communications systems, and undersea cable connectivity.
Critical Manufacturing Sector
CISA Warns of Max Severity Ubiquiti Flaws Exploited in Attacks The Cybersecurity and Infrastructure Security Agency (CISA) added multiple high-severity vulnerabilities affecting Ubiquiti UniFi Operating System (OS) devices to the Known Exploited Vulnerabilities (KEV) Catalog after confirming active exploitation in the wild. The vulnerabilities (CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910) allow unauthenticated attackers to bypass security controls and gain unauthorized access to affected systems. Because Ubiquiti networking equipment is widely deployed across manufacturing facilities, distribution centers, and industrial operations, exploitation could disrupt production networks and enable lateral movement into operational technology environments. Florida critical manufacturing organizations should prioritize firmware updates, restrict internet exposure of management interfaces, and continuously monitor network infrastructure for indicators of compromise.
First-Ever Exploitation of PTC Windchill Vulnerability Discovered in the Wild Cyber threat actors are actively exploiting a critical remote code execution vulnerability (CVE-2026-12569) affecting PTC Windchill and FlexPLM Product Lifecycle Management (PLM) platforms. The vulnerability results from improper input validation and allows unauthenticated attackers to execute arbitrary code with system-level privileges. Following confirmed exploitation, CISA added the vulnerability to its Known Exploited Vulnerabilities Catalog (KEV) and directed organizations to remediate affected systems by June 28, 2026. This is the first PTC product vulnerability ever added to CISA’s KEV catalog, signaling new attacker interest in a previously untargeted vendor. Because Product Lifecycle Management platforms support engineering design, manufacturing operations, and supply chain coordination, successful exploitation could disrupt production processes, expose proprietary engineering data, and impact critical manufacturing operations across Florida.
Critical Manufacturing Sector Recommendations:
• Apply vendor firmware and software updates (UniFi OS Server 5.0.8, released in May 2026) immediately to all affected Ubiquiti UniFi Operating System and PTC Windchill platforms.
• Restrict public access to management interfaces by implementing network segmentation, virtual private networks, and firewall protections.
• Monitor network traffic, authentication logs, and administrative activity for indicators of compromise or unauthorized configuration changes.
• Validate backup and recovery procedures for engineering, manufacturing, and Product Lifecycle Management systems to minimize operational disruption following a cyber incident.
• Conduct regular vulnerability assessments of industrial control and supporting enterprise systems to identify and remediate emerging risks before exploitation occurs.
Dams Sector
No sector-specific incidents, advisories, or operationally relevant reporting were identified during this biweekly reporting period.
Defense Industrial Base Sector
No sector-specific incidents, advisories, or operationally relevant reporting were identified during this biweekly reporting period.
Emergency Services Sector
Team82 Documents Iran-Linked CyberAv3ngers Escalating Cyber-Psychological Warfare Against Civilian Alert Systems Claroty’s Team82 documented CyberAv3ngers exploiting a known firmware vulnerability (CVE-2024-41700) in Barix audio-over-IP devices to silence Israeli emergency sirens and manipulate public alerts. Rather than focusing solely on system disruption, the group seeks to manipulate emergency alerts to create confusion, erode public trust, and disrupt emergency response operations. Barix has released a patch, though it must be applied manually. Because the same vulnerable Barix hardware is also deployed in U.S. public safety and emergency alerting infrastructure, including in Florida, municipalities should treat this as a warning to inventory and patch any Barix devices in their environment rather than evidence of direct targeting.
Emergency Services Sector Recommendations:
• Isolate public safety communication systems and critical alerting infrastructure from internet-facing networks whenever operationally feasible.
• Conduct tabletop exercises involving ransomware, cyber-physical attacks, and emergency communications disruptions to improve organizational preparedness.
Energy Sector
No sector-specific incidents, advisories, or operationally relevant reporting were identified during this biweekly reporting period.
Financial Services Sector
NAIC Confirms June Data Breach The National Association of Insurance Commissioners (NAIC) confirmed a data breach involving unauthorized access to its PeopleSoft financial reporting environment on or about June 11, 2026. This breach was caused by the same Oracle PeopleSoft zero-day (CVE-2026-35273) already covered as a separate item under All Sectors earlier in the bulletin. Cyber threat actors temporarily accessed sensitive data repositories before the activity was identified, contained, and remediated. The scope of the breach is disputed: the attacker has published a large volume of data, while NAIC maintains the group is unlikely to hold the full scope of regulatory data it has claimed, and confirms no personally identifiable information or payment data was accessed. Nevertheless, the incident highlights the continued risk posed by third-party platforms supporting regulatory reporting and financial operations. Because Florida insurers and the Florida Office of Insurance Regulation rely on similar enterprise systems to exchange regulatory information, organizations should strengthen third-party risk management, continuously monitor privileged access, and validate security controls protecting financial reporting environments.
Financial Services Sector Recommendations:
• Conduct recurring third-party risk assessments of regulatory reporting platforms and financial service providers to identify authentication, access control, and configuration weaknesses.
• Enforce least-privilege access controls and multifactor authentication for users with access to sensitive financial reporting systems.
• Monitor authentication logs, privileged account activity, and data access events continuously for indicators of unauthorized access or credential misuse.
• Review business continuity and incident response procedures to ensure regulatory reporting operations can continue during third-party cybersecurity incidents.
• Coordinate with third-party vendors to validate incident notification procedures and recovery responsibilities following security events.
Food and Agriculture Sector
No sector-specific incidents, advisories, or operationally relevant reporting were identified during this biweekly reporting period.
Government Services and Facilities Sector
Russia APT ‘Gamaredon’ Upgrades Arsenal, Requiring New Defenses The Russian state-sponsored Advanced Persistent Threat (APT) group Gamaredon, also known as Aqua Blizzard, has expanded its malware toolkit by deploying more sophisticated PowerShell-based downloaders and enhanced command-and-control evasion techniques. These updates improve the group’s ability to maintain persistent access while avoiding traditional signature-based detection methods. ESET’s research documents that Gamaredon’s 2025 campaigns exclusively targeted Ukrainian government and military institutions. There is currently no evidence the group is specifically targeting U.S. or Florida government entities directly. The group’s evolving techniques, however — including new PowerShell-based downloaders and abuse of legitimate cloud and tunneling services to conceal command-and-control infrastructure — reflect broader nation-state tradecraft trends that Florida government organizations should incorporate into defensive planning. Florida state and local government organizations should consider proactive measures to strengthen behavioral monitoring, restrict unauthorized PowerShell execution, and continuously monitor outbound network communications for indicators of malicious activity associated with advanced persistent threats.
Government Services and Facilities Sector Recommendations:
• Implement PowerShell execution controls, including Constrained Language Mode, to reduce the risk of unauthorized script execution.
• Monitor endpoint and network telemetry continuously for anomalous PowerShell activity and command-and-control communications.
• Conduct recurring integrity reviews of administrative workstations and privileged accounts to identify persistence mechanisms or unauthorized system modifications.
• Strengthen endpoint detection and response capabilities to improve visibility into advanced persistent threat activity.
• Exercise incident response procedures focused on nation-state cyber threats targeting government networks and essential public services.
Healthcare and Public Health Sector
H-ISAC TLP Green: Ransomware Data Leak Sites Report The Health Information Sharing and Analysis Center (H-ISAC) Traffic Light Protocol (TLP): Green Ransomware Data Leak Sites Report provides healthcare organizations with timely visibility into ransomware groups actively publishing victim data on extortion sites. By monitoring these disclosures, organizations can identify emerging ransomware campaigns, validate potential compromises, and prioritize defensive actions before operational impacts escalate. Because healthcare providers remain frequent ransomware targets, Florida hospitals, clinics, and public health organizations should integrate external threat intelligence with internal security monitoring, continuously assess third-party vendor risk, and validate backup recovery capabilities to support uninterrupted patient care during cyber incidents.
Healthcare and Public Health Sector Recommendations:
• Validate backup integrity and routinely exercise disaster recovery procedures to maintain continuity of patient care during ransomware incidents.
• Monitor ransomware data leak sites continuously and correlate external reporting with internal security logs to identify potential compromises.
• Strengthen third-party vendor risk management programs and validate security controls protecting healthcare information systems.
Information Technology Sector
Palo Alto Warns of Active Exploitation of PAN-OS GlobalProtect VPN Flaw Cyber threat actors are actively exploiting an authentication bypass vulnerability (CVE-2026-0257, CVSS 7.8) affecting Palo Alto Networks GlobalProtect Virtual Private Network (VPN) gateways. The flaw allows attackers to forge authentication cookies and establish unauthorized VPN sessions; Palo Alto Networks reports no evidence of subsequent code execution or lateral movement in confirmed cases. The vulnerability only affects devices with authentication override cookies enabled and a certificate shared with another feature, not all GlobalProtect deployments. Because GlobalProtect appliances are widely deployed across government, healthcare, financial services, and other Florida critical infrastructure sectors, exploitation could enable unauthorized network access, operational disruption, and lateral movement throughout enterprise environments. Organizations should immediately apply vendor updates, restrict exposure of management interfaces, and continuously monitor authentication activity for indicators of compromise.
CISA Flags LiteSpeed cPanel Plugin Flaw Exploited for Root Privilege Escalation The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-54420 to the Known Exploited Vulnerabilities (KEV) Catalog after confirming active exploitation affecting LiteSpeed cPanel Plugin deployments. The vulnerability allows attackers with limited access to escalate privileges and potentially obtain administrative control of shared hosting environments. Because shared hosting platforms support many municipal governments, educational institutions, and small businesses throughout Florida, organizations should promptly update affected systems, review administrative privileges, and monitor hosting environments for unauthorized activity.
CISA Orders Feds to Patch Max Severity Joomla Plugin Flaw CISA directed federal agencies to remediate a critical vulnerability (CVE-2026-48907) affecting the Joomla Content Editor (JCE) plugin after adding it to the Known Exploited Vulnerabilities (KEV) Catalog. The vulnerability allows unauthenticated attackers to upload malicious PHP files and execute arbitrary code on vulnerable web servers. It is important to note that patching alone does not remove a web shell that attackers may have already planted on a compromised site before the update was applied, so defenders will need to hunt for Indicators of Compromise (IOCs) to detect them. Because Joomla is widely used to host public-facing government and organizational websites, exploitation could result in website defacement, unauthorized data access, or disruption of public services. Florida organizations should prioritize remediation, review web application security controls, and continuously monitor internet-facing websites for suspicious activity.
Google Vertex AI SDK Flaw Enables Cross-Tenant Model Hijacking Researchers disclosed a critical design flaw affecting the Google Cloud Vertex Artificial Intelligence (AI) Software Development Kit (SDK) for Python that could allow attackers to hijack machine learning model deployments across cloud environments. By exploiting predictable storage bucket naming, attackers may replace legitimate models with malicious versions capable of executing unauthorized code. Because the flaw was responsibly disclosed in March 2026 and fully patched by April 15, 2026 (SDK version 1.148.0), any actively maintained Vertex AI deployment running a current SDK should already be protected. As artificial intelligence adoption continues to expand across government and private industry, Florida organizations using Google Cloud should upgrade affected SDK versions, validate cloud storage configurations, and review software development security practices to reduce supply chain risk.
Salesforce Disables Klue Battlecards Integration Following OAuth Token Theft Cyber threat actors compromised the Klue Battlecards integration platform to steal Open Authorization (OAuth) tokens and access customer information through trusted third-party integrations, including Salesforce environments. The initial entry point was a long-dormant but still-active legacy credential, originally created for an abandoned third-party integration prototype. The incident highlights the growing cybersecurity risks associated with interconnected cloud services and software supply chain dependencies. Florida organizations should review third-party integration permissions, monitor application programming interface (API) activity for anomalous behavior, and regularly revoke unnecessary authorization tokens to reduce the likelihood of unauthorized access.
Malicious Edge Extension Abuses Native Messaging as Bridge to Malware Cyber threat actors are distributing a malicious Microsoft Edge browser extension that abuses the Chrome Native Messaging protocol to bypass browser security controls and execute malicious code on endpoint systems. This technique enables attackers to launch native processes, compromise connected applications, and establish persistent access while avoiding traditional browser protections. The campaign, dubbed ‘Edgecution,’ is linked to an initial access broker associated with the Payouts Kings ransomware operation. It originated with attackers impersonating IT support staff on Microsoft Teams and directing employees to a fraudulent ‘Outlook Updates Management Console’ page under the pretense of a spam-filter update. Because browser extensions are commonly used across enterprise and government environments, Florida organizations should restrict extension installations, monitor endpoint activity for unauthorized native messaging, and educate users on the risks associated with unapproved browser add-ons and the hazards of attackers impersonating IT staff.
Information Technology Sector Recommendations:
• Apply vendor patches immediately for Palo Alto GlobalProtect, LiteSpeed cPanel Plugin, Joomla Content Editor, and other products identified in the Known Exploited Vulnerabilities (KEV) Catalog.
• Check for existing IOCs, which have been published by the JCE security team and independent researchers, to detect existing Joomla plugin flaws.
• Review internet-facing systems routinely to identify exposed services, vulnerable applications, and unauthorized administrative interfaces.
• Strengthen cloud security by validating third-party integrations, restricting Open Authorization (OAuth) permissions, and monitoring application programming interface (API) activity for suspicious behavior.
• Upgrade Google Cloud Vertex Artificial Intelligence (AI) Software Development Kit (SDK) deployments to supported versions and implement secure software development practices for artificial intelligence environments.
• Restrict browser extension installations through enterprise policies and continuously monitor endpoints for unauthorized native messaging activity or other indicators of compromise.
• Conduct continuous vulnerability assessments and threat hunting activities to identify emerging risks before they affect business operations.
Nuclear Reactors, Materials, and Waste Sector
No sector-specific incidents, advisories, or operationally relevant reporting were identified during this biweekly reporting period.
Transportation Systems Sector
No sector-specific incidents, advisories, or operationally relevant reporting were identified during this biweekly reporting period.
Water and Wastewater Systems Sector
Last Mile Cybersecurity On June 22, 2026, the Institute for Security and Technology (IST) released a policy memorandum addressing cybersecurity gaps in federally funded infrastructure projects, particularly the lack of cybersecurity requirements tied to grant funding. The guidance emphasizes incorporating cybersecurity planning, risk assessments, and dedicated funding into infrastructure modernization efforts rather than treating cybersecurity as a separate initiative. Policy memoranda notwithstanding, Section 40126 of the Bipartisan Infrastructure Law already requires the Department of Energy to mandate cybersecurity plans for its grant recipients. Because many Florida water and wastewater utilities rely on federal funding while operating with limited cybersecurity resources, integrating security requirements into infrastructure projects will improve operational resilience and reduce long-term cyber risk.
NIST Offers Security Guidance for Water Utilities Using Remote-Access Tools The National Institute of Standards and Technology (NIST) published updated guidance in the final version of NIST Special Publication 1800-45, “Cybersecurity for the Water and Wastewater Sector: Build Architecture” to help water and wastewater utilities strengthen the security of remote-access technologies used to manage operational systems. Notably, Cybersecurity Dive’s reporting notes that remote-access weaknesses of exactly this kind “enabl[ed] several Iran-linked cyberattack campaigns against U.S. water systems.” The recommendations include restricting unnecessary remote access, implementing multifactor authentication, maintaining detailed access logs, and continuously monitoring remote connections for suspicious activity. Because remote-access technologies remain a common attack vector for cyber threat actors targeting critical infrastructure, Florida water utilities should review remote-access architectures, validate authentication controls, and strengthen monitoring capabilities to reduce operational risk.
Water and Wastewater Systems Sector Recommendations:
• Incorporate cybersecurity requirements into infrastructure modernization projects and grant-funded initiatives to improve long-term operational resilience.
• Identify and inventory all internet-facing operational technology (OT) systems, remote-access pathways, and supporting network infrastructure.
• Strengthen remote-access security by implementing multifactor authentication (MFA), network segmentation, and continuous monitoring of privileged connections.
• Conduct recurring cybersecurity assessments of operational technology environments and validate manual operating procedures to maintain essential services during cyber incidents.
• Coordinate proactively with federal and state partners to leverage available cybersecurity resources, technical assistance, and grant opportunities supporting water sector resilience.
