Jennifer Kleman

Cyber Bulls-i Critical Infrastructure Support Tool is Here.

Cyber Bulls-i

Statewide platform simplifies cybersecurity assessments and provides customized action plans for Florida organizations at no cost

July 1, 2026—Tampa, Fla—Cyber Florida today announced the launch of Cyber Bulls-i, a first-of-its-kind cybersecurity assessment and planning platform designed specifically for Florida’s critical infrastructure organizations.

As the next generation of Cyber Florida’s Critical Infrastructure Program (CIP), Cyber Bulls-i provides organizations with a faster, easier, and more effective way to assess cybersecurity risks and connect with free resources and expert assistance.

At the heart of the new platform is a significantly streamlined assessment experience. The Florida Cyber Risk Assessment (FCRA), a cornerstone of the CIP, has been reduced from 164 questions to 106 questions, making it easier for organizations to evaluate their cybersecurity posture while still receiving meaningful, actionable insights.

“Cyber Bulls-i reflects years of experience working alongside Florida’s critical infrastructure organizations,” said Emeka Okammor, M.S., CISSP, CISA, cybersecurity resource manager. “We’ve taken what we’ve learned and built a modern platform that reduces barriers, saves time, and helps organizations quickly identify their risks and the resources available to address them.”

Cyber Bulls-i guides participants through three simple steps:

  1. Complete the Florida Cyber Risk Assessment (FCRA) to receive a customized cybersecurity report.
  2. Receive a personalized cybersecurity improvement plan tailored to the organization’s unique needs.
  3. Continue improving over time through progress tracking, updated recommendations, and ongoing support.

The launch comes at a critical time. Recent assessments conducted through the CIP found that approximately half of participating organizations lacked a formal recovery plan. Similarly, nearly half had not implemented formal cybersecurity awareness training. Many organizations also reported limited cybersecurity staffing, expertise, and budgets.

Cyber Bulls-i was specifically designed to address these challenges by providing:

  • No-cost participation through state funding
  • Florida-specific recommendations and resources
  • Customized guidance aligned to organizational needs
  • Secure handling of assessment data
  • Ongoing support to help organizations improve over time

Importantly, many organizations that qualify as critical infrastructure do not realize they fall within that category. While hospitals, utilities, and government agencies are often recognized as critical infrastructure, many small and medium-sized businesses also provide essential goods and services that support Florida’s economy, public safety, and daily operations.

Organizations operating within Florida and serving any of the nation’s 16 critical infrastructure sectors are encouraged to participate, including those in communications, energy, healthcare, transportation, information technology, financial services, manufacturing, agriculture, emergency services, government, and other essential industries.

“Cybersecurity threats continue to evolve, but protecting your organization doesn’t have to be complicated or expensive,” said Okammor. “Cyber Bulls-i gives Florida organizations a practical, user-friendly roadmap to help reduce risk, improve resilience, and meet cybersecurity requirements.”

Participation in Cyber Bulls-i is completely free for eligible Florida organizations. To learn more or begin the assessment process, visit Cyber Florida’s critical infrastructure program webpage.

To receive timely updates about Cyber Florida’s news and resources, please sign up or visit the connect with Cyber Florida webpage.

Media Contact: Cyber Outreach Manager Jennifer Kleman, APR, CPRC, jennifer437@cyberflorida.org

ABOUT CYBER FLORIDA
The Florida Center for Cybersecurity at the University of South Florida, commonly referred to as Cyber Florida, was established by the Florida Legislature in 2014. Its mission is to position Florida as a national leader in cybersecurity through comprehensive education, cutting-edge research, and extensive outreach. Cyber Florida leads various initiatives to inspire and educate current and future cybersecurity professionals, advance applied research, and enhance cybersecurity awareness and safety of individuals and organizations.

Published 2026-06-30T09:16:33-04:00

CI Bulletin Vol. 2, Issue 9, June 23, 2026

Florida Critical Infrastructure Cybersecurity Intelligence

This bulletin is produced by USF’s Strategic and Cyber Intelligence Program, in collaboration with Cyber Florida, to deliver timely, actionable insights and recommendations to help Critical Infrastructure owners and operators better protect Florida’s Critical Infrastructure.

Situational Awareness Bulletin #11-2026
Cyber Threat Outlook

Over the next six months, Florida critical infrastructure owners and operators will have to navigate a threat environment in which adversaries are moving faster and defenders are falling further behind. The 2026 Verizon Data Breach Investigations Report (DBIR) documented that automated exploitation of unpatched software vulnerabilities surpassed credential theft as the leading cause of data breaches for the first time in the report’s nineteen-year history, accounting for 31% of confirmed breach entry points. Artificial intelligence is the primary accelerant, compressing the window between a vulnerability’s public disclosure and its active weaponization from months to hours. CISA’s new Binding Operational Directive (BOD) 26-04 formally codifies this reality by replacing flat patching timelines with a graduated, risk-tiered model that mandates remediation within as few as three days for the highest-risk vulnerabilities, with mandatory forensic analysis to assess whether systems are already compromised.

Iranian state-sponsored actors continue to escalate beyond espionage into active disruption and data destruction targeting water, energy, and defense-adjacent infrastructure. Ransomware groups are expanding their reach through supply chain and third-party vendor compromise. Against this backdrop, the contraction of federal cybersecurity grant funding means organizations cannot wait for external support. Priorities must shift toward risk-tiered vulnerability management aligned with BOD 26-04, network segmentation between operational technology and information technology environments, validated offline backups, and supply chain governance, particularly for software dependencies and cloud storage configurations.

Confidence – High

Executive Summary
  • All Sectors: Automated vulnerability exploitation has officially surpassed credential theft as the primary initial access vector. Driven by frontier AI capabilities, adversaries are weaponizing exploits at machine-speed, necessitating risk-tiered remediation under CISA BOD 26-04, which mandates patch-and-forensic-triage within three days for the highest-risk exposed assets. Iranian state actors have shifted from espionage to active data-wiping and OT disruption. Third-party and vendor-related breaches continue to rise sharply, making supply chain auditing and Zero Trust principles essential.
  • Commercial Facilities: Unauthenticated remote code execution vulnerabilities in Magento servers (CVE-2026-45247) remain under active exploitation. RCI Hospitality Holdings reported a data breach impacting approximately 40,000 individuals.
  • Defense Industrial Base: Department of Defense officials emphasized integrating cyber capabilities into all military operations and strengthening foundational cybersecurity across the defense industrial base. Iranian state actors continue targeting software suppliers and infrastructure connected to the aerospace and defense sectors to establish persistent espionage footholds in supply chains.
  • Energy: High-severity vulnerabilities were disclosed in Hitachi Energy grid control systems (RTU500 and MACH HiDraw).
  • Financial Services: The financially motivated group JINX-0164 targeted cryptocurrency firms using custom macOS malware delivered through fake recruiter lures to steal credentials and access CI/CD environments.
  • Food and Agriculture: Brazilian food delivery platform iFood suffered a data breach exposing sensitive personal information of 1.2 million users, highlighting risks to food supply chain platforms from identity-focused data theft.
  • Government Services and Facilities: The White House accelerated AI adoption through NSPM-11 while tightening control over AI model evaluations. Chinese state-sponsored actors continue targeting government and defense personnel via LinkedIn recruitment lures. The city of St. Paul, Minnesota successfully completed a comprehensive systems recovery following a severe ransomware attack.
  • Healthcare and Public Health: DentaQuest suffered a major data breach exposing sensitive records of approximately 2.6 million accounts. India-based wearable health tech startup Ultrahuman reported a data breach involving unauthorized access to customer wellness data.
  • Information Technology: The National Security Agency (NSA) launched a centralized hub for Zero Trust Implementation Guides (ZIGs). Microsoft’s June 2026 Patch Tuesday addressed nearly 200 vulnerabilities. Actively exploited zero-days affected Veeam, Cisco SD-WAN, Palo Alto Networks PAN-OS, Google Chrome, and Acer Wave 7 mesh routers. Multiple supply chain attacks targeted npm and PyPI repositories through the Miasma and Hades campaigns, variants of the self-replicating Shai-Hulud worm, which infected over 100 packages and extended into Microsoft Azure and GitHub repositories. Cisco released patches for a high-severity server-side request forgery (SSRF) vulnerability.
  • Transportation Systems: SpeedX exposed over 840 million sensitive logistics and customer records. Qilin ransomware claimed responsibility for an attack on the New York/New Jersey Shipping Association.
  • Water and Wastewater Systems: The U.S. Government Accountability Office (GAO) warned that many drinking water and wastewater utilities across the United States continue to lack fundamental cybersecurity protections. Water and wastewater systems face persistent, aggressive targeting from Iranian-sponsored entities.

All Sectors

Implementation Guidance for Prioritizing Security Updates Based on Risk (BOD 26-04)

In response to AI-assisted threat actors narrowing the gap between patch release and mass exploitation, federal defensive frameworks have overhauled vulnerability remediation. Organizations should align their enterprise response with CISA’s Binding Operational Directive (BOD) 26-04. Rather than treating all vulnerabilities with a flat, Common Vulnerability Scoring System (CVSS)-based urgency, defense must be tiered dynamically based on asset exposure, Known Exploited Vulnerabilities (KEV) status, and adversary automation capability. Vulnerabilities meeting the highest-risk criteria (actively exploited, automatable, and yielding total system control) require remediation and forensic triage within three days. Lower-risk combinations receive graduated timelines up to the next system upgrade cycle. BOD 26-04 formally revokes BOD 22-01, invalidating existing flat 14-day KEV remediation policies. CI organizations supporting federal agencies must update their vulnerability management processes accordingly.
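The risk-tiered model described above, worked through as a small triage script. This is an added example and not text or code from the bulletin or from CISA: only the top tier (KEV-listed, automatable, total system control, three days plus forensic triage) is taken from the bulletin, while the lower tiers, their day counts, the `Finding` fields and the sample inventory are assumptions constructed for illustration.

```python
"""Risk-tiered remediation triage in the spirit of the BOD 26-04 model.

Added example. Only tier 1 follows the bulletin's stated criteria; tiers 2-4 and
their day counts are ASSUMED placeholders so the example is complete. Replace
them with your organization's actual policy values.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    internet_exposed: bool   # asset reachable from the internet
    in_kev: bool             # listed in CISA's Known Exploited Vulnerabilities catalog
    automatable: bool        # exploitation needs no user interaction or special access
    total_control: bool      # successful exploitation yields full control of the system
    observed: date           # date the finding entered the tracker


# Assumed graduated timelines for tiers 2-4 (NOT values from the directive).
# None means "remediate at the next scheduled system upgrade cycle".
ASSUMED_TIER_DAYS: dict = {1: 3, 2: 14, 3: 45, 4: None}


def assign_tier(f: Finding) -> int:
    """Tier 1 uses the bulletin's highest-risk criteria; the rest is assumed."""
    if f.in_kev and f.automatable and f.total_control:
        return 1
    factors = sum([f.in_kev, f.automatable, f.total_control, f.internet_exposed])
    # Assumed: anything already exploited in the wild, or carrying three of the
    # four risk factors, still gets a short clock.
    if f.in_kev or factors >= 3:
        return 2
    if factors >= 1:
        return 3
    return 4


def remediation_plan(f: Finding) -> dict:
    tier = assign_tier(f)
    days: Optional[int] = ASSUMED_TIER_DAYS[tier]
    return {
        "cve": f.cve,
        "asset": f.asset,
        "tier": tier,
        "deadline": f.observed + timedelta(days=days) if days is not None else None,
        # The bulletin ties forensic triage ("already compromised?") to the top tier.
        "forensic_triage": tier == 1,
    }


def prioritize(findings: list) -> list:
    """Work queue ordered by tier, then by earliest deadline."""
    plans = [remediation_plan(f) for f in findings]
    return sorted(plans, key=lambda p: (p["tier"], p["deadline"] or date.max))


# Constructed sample inventory; the CVE ids are obvious placeholders, not real ones.
SAMPLE = [
    Finding("CVE-0000-00001", "vpn-gw-01", True, True, True, True, date(2026, 6, 1)),
    Finding("CVE-0000-00002", "hmi-ws-07", False, True, True, False, date(2026, 6, 1)),
    Finding("CVE-0000-00003", "print-srv", False, False, False, False, date(2026, 6, 1)),
    Finding("CVE-0000-00004", "www-02", True, False, True, False, date(2026, 6, 3)),
]

if __name__ == "__main__":
    for plan in prioritize(SAMPLE):
        print(plan)
```

The shape to keep is the separation between the classification (`assign_tier`) and the policy table (`ASSUMED_TIER_DAYS`): when a directive changes the deadlines, only the table moves, and the forensic-triage flag stays attached to the tier rather than to a date.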

All Sectors Recommendations:

  • Enforce phishing-resistant multi-factor authentication and strict least-privilege policies on all remote access and managed service links.
  • Isolate all public-facing virtual network computing instances behind virtual private networks (VPN) requiring multi-factor authentication.
  • Establish automated vulnerability tracking and scanning mechanisms to outpace accelerated machine-assisted exploitation windows.
  • Conduct technical audits of contractor-managed code environments, cloud storage setups, and cloud collaboration platform configurations.

Chemical Sector

No sector-specific incidents, advisories, or operationally relevant reporting were identified during this biweekly reporting period.

Commercial Facilities Sector

Mirasvit Vulnerability Exploited to Execute Code on Magento Servers

A critical-severity vulnerability (CVE-2026-45247) in the Mirasvit Full Page Cache Warmer for Magento 2 extension has been exploited in the wild and was added to the KEV catalog. This PHP object injection flaw, carrying a Common Vulnerability Scoring System (CVSS) score of 9.8, allows unauthenticated remote actors to execute arbitrary code on Magento and Adobe Commerce servers. Exploitation requires no login or special access. A single crafted web request to any vulnerable storefront page is sufficient to trigger full server compromise. The extension, intended to optimize page caching and speed, currently provides a direct pathway for full system compromise and unauthorized data access. Mirasvit released a patch in version 1.11.12. Organizations running any earlier version should update immediately or disable the extension if patching is not immediately possible.

Nightclub Giant RCI Says Data Breach Affects 40,000 Individuals

RCI Hospitality Holdings, one of the largest adult nightclub and sports bar operators in the United States, reported a data breach impacting approximately 40,000 individuals. The incident was traced to an insecure direct object reference (IDOR) vulnerability discovered in March 2026 within an IIS web server managed by the company’s internet services subsidiary. The IDOR flaw permitted unauthorized access to personal data of approximately 40,000 independent contractors, including names, dates of birth, Social Security numbers, and driver’s license numbers. Customer records and financial systems were not accessed. This breach highlights the persistent risk of data extortion and PII exposure within large-scale commercial hospitality environments.
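The IDOR pattern named in the item above, shown as a vulnerable record lookup beside its hardened form, with a simple audit check for the id-walking that such flaws invite. This is an added example, not code from the bulletin or from RCI Hospitality; the record store, roles, field names and requesters are constructed for illustration.

```python
"""Insecure direct object reference: vulnerable lookup, hardened lookup, detection.

Added example. The request-supplied record id is attacker-controlled, so the
server must tie each record to the caller's identity before returning it.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Requester:
    user_id: str
    role: str  # constructed roles: "contractor" or "hr_admin"


# Constructed sample data: contractor records keyed by sequential ids.
RECORDS = {
    1001: {"owner": "u-alice", "name": "Alice", "ssn_last4": "1111"},
    1002: {"owner": "u-bob", "name": "Bob", "ssn_last4": "2222"},
    1003: {"owner": "u-carol", "name": "Carol", "ssn_last4": "3333"},
}


def get_record_vulnerable(record_id: int) -> Optional[dict]:
    """Vulnerable: whoever supplies an id gets the record. This is the IDOR."""
    return RECORDS.get(record_id)


class AccessDenied(Exception):
    pass


# Audit trail of denied lookups (user_id, record_id), consumed by the detector below.
DENIALS: list = []


def get_record_hardened(record_id: int, requester: Requester) -> dict:
    """Hardened: authorize against the caller before returning anything.

    Missing and forbidden records raise the same error, so a caller walking ids
    cannot use the difference to learn which ids exist.
    """
    record = RECORDS.get(record_id)
    allowed = record is not None and (
        requester.role == "hr_admin" or record["owner"] == requester.user_id
    )
    if not allowed:
        DENIALS.append((requester.user_id, record_id))
        raise AccessDenied(f"record {record_id} not available to {requester.user_id}")
    return record


def enumeration_suspects(threshold: int = 3) -> list:
    """Detection: callers denied on `threshold` or more distinct record ids."""
    distinct = Counter(user for user, _ in set(DENIALS))
    return sorted(user for user, n in distinct.items() if n >= threshold)


def demo() -> dict:
    """Walk both lookups with constructed requesters and return what each exposed."""
    DENIALS.clear()
    alice = Requester("u-alice", "contractor")
    hr = Requester("u-hr", "hr_admin")
    leaked = get_record_vulnerable(1002)["name"]        # Alice's session reads Bob's record
    own = get_record_hardened(1001, alice)["name"]      # her own record is fine
    admin_view = get_record_hardened(1002, hr)["name"]  # HR role may read any record
    denied = 0
    for rid in (1002, 1003, 1004):                      # Alice's session walking ids
        try:
            get_record_hardened(rid, alice)
        except AccessDenied:
            denied += 1
    return {"leaked": leaked, "own": own, "admin_view": admin_view,
            "denied": denied, "suspects": enumeration_suspects()}


if __name__ == "__main__":
    print(demo())
```

The denial log is the cheap monitoring win: a contractor portal has no legitimate reason for one session to be refused on several different ids in a short window, so that count is worth alerting on even before the authorization bug is found.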

Commercial Facilities Sector Recommendations:

  • Perform comprehensive vendor risk assessments for any third parties processing corporate personally identifiable information.
  • Deploy data loss prevention tools and end-to-end encryption on storage repositories hosting consumer or employee records.
  • Formulate incident response scripts addressing pure data extortion, detailing communication pathways for multi-stage extortion tactics.
  • Implement continuous monitoring on corporate file-sharing networks to flag unusual outbound data transfer volume.

Communications Sector

No sector-specific incidents, advisories, or operationally relevant reporting were identified during this biweekly reporting period.

Critical Manufacturing Sector

No sector-specific incidents, advisories, or operationally relevant reporting were identified during this biweekly reporting period.

Dams Sector

No sector-specific incidents, advisories, or operationally relevant reporting were identified during this biweekly reporting period.

Defense Industrial Base Sector

DOD Wants to Integrate Cyber in All Operations, and Integrate Security into AI

Department of Defense officials emphasized integrating cyber capabilities into all military operations and strengthening foundational cybersecurity across the defense industrial base. Officials warned that vulnerabilities among contractors and suppliers can directly affect military readiness and operational effectiveness.

Iran Threat Overview and Advisories

Iranian advanced persistent threat (APT) groups continue targeting software suppliers and infrastructure components connected to the aerospace and defense sectors. These long-term campaigns show direct correlations with broader geopolitical activity, deploying custom backdoors and implants to establish highly persistent espionage footholds across supply chain dependencies. Moving forward, Florida’s expansive aerospace clusters and defense contractors must validate code provenance and verify that administrative accesses across engineering pipelines strictly adhere to rigorous internal authorization mechanisms. Florida’s aerospace and defense manufacturing clusters, including Space Coast suppliers and aerospace contractors, represent direct targets for Iranian APT supply chain campaigns.

Defense Industrial Base Sector Recommendations:

  • Conduct rigorous, ongoing evaluations of software sub-vendors, tracking any indicators of long-term state espionage campaigns.
  • Deploy endpoint detection and behavioral tracking systems to uncover unauthorized administrative access or unusual remote connections.
  • Validate the cryptographical signing and provenance of external software additions prior to introduction into production networks.
  • Apply strict least-privilege divisions between supplier-administered assets and core defense software assembly lines.

Emergency Services Sector

No sector-specific incidents, advisories, or operationally relevant reporting were identified during this biweekly reporting period.

Energy Sector

Vulnerabilities Disclosed in Grid Control Infrastructure

Technical vulnerabilities at the OT layer continue to expose power distribution systems. Serious flaws have surfaced in the Hitachi Energy RTU500 series, leaving devices susceptible to NULL pointer dereferences and infinite loops that trigger severe system-level denial of service. Concurrently, the Hitachi Energy MACH HiDraw software is vulnerable to CVE-2026-7310, a medium-severity (CVSS 5.5) heap-based buffer overflow in the XML parser, exploitable by an authenticated local user via a specially crafted XML file and potentially resulting in memory corruption, denial of service, or arbitrary code execution. These platforms actively manage grid control and power transmission across international systems. Hitachi Energy has released a fix in MACH HiDraw version 9.23; organizations should contact their Hitachi Energy account team given the complexity of individual upgrade paths. MACH HiDraw is also deployed in the Dams and Transportation Systems sectors; operators in those sectors should review the CISA advisory.

Energy Sector Recommendations:

  • Deploy vulnerability shielding or compensatory controls around Hitachi Energy RTU500 and MACH HiDraw systems as a priority, consistent with BOD 26-04 risk-tiered guidance; federal entities should assess KEV catalog status and apply applicable deadlines.
  • Maintain air-gapped configuration backups for power-grid control components to ensure manual operational capacity during cyber-induced disruptions.
  • Monitor for emerging risks associated with increasing data center electricity demand and coordinate with utility partners on grid resilience and capacity planning.

Financial Services Sector

JINX-0164 Targets Cryptocurrency Firms with Fake Recruiter Lures and macOS Malware

A sophisticated campaign attributed to financially motivated actors (JINX-0164, which shares TTPs with North Korean-linked group UNC1069/Sleet) has targeted cryptocurrency firms using custom macOS malware and fake recruiter lures. The operation aims to steal credentials and move laterally within Continuous Integration/Continuous Deployment (CI/CD) and development infrastructure. JINX-0164 also conducted a confirmed supply chain attack, trojanizing an npm package to deploy a persistent backdoor, extending the threat beyond individual developers to any organization using affected open-source packages. Organizations in the financial and cryptocurrency sectors should review social engineering defenses and endpoint detection for macOS environments.

Financial Services Sector Recommendations:

  • Enforce cryptographic code-signing checks and enable strict commit verification parameters within all software building lines.
  • Monitor macOS environments for unauthorized background modifications, unexpected remote terminal commands, or atypical local repository adjustments.
  • Train technical staff to verify the identity of unsolicited recruiters on LinkedIn and to refuse requests to download or execute software during virtual interviews or onboarding calls.
  • Implement dedicated secrets-scanning utilities to identify and revoke developer keys if local developer endpoints are compromised.

Food and Agriculture Sector

iFood Confirms Data Breach Affecting 1.2 Million Users in Brazil

In December 2025, the Brazilian food delivery platform iFood suffered a data breach impacting 1.2 million users, approximately 2% of its customer base. While hackers did not obtain passwords or financial records, they successfully exfiltrated sensitive personal information, including names, phone numbers, addresses, and CPF numbers, which are the Brazilian taxpayer identity documents equivalent to U.S. Social Security Numbers. The incident underscores the vulnerability of food supply chain enablers to identity-focused data theft and extortion operations.

Food and Agriculture Sector Recommendations:

  • Conduct comprehensive audits of third-party food delivery and supply chain platform vendors to identify and remediate gaps in personally identifiable information (PII) storage, access controls, and data retention policies.
  • Enforce strict data minimization and access controls on platforms that aggregate consumer PII, ensuring that sensitive identifiers such as government-issued identification numbers are encrypted at rest and accessible only to explicitly authorized systems.
  • Establish data breach notification workflows that align with both domestic and international regulatory requirements, given the cross-border nature of food supply chain data exposure.
  • Strengthen monitoring and logging on food delivery and agricultural logistics platforms to detect unusual data access or exfiltration activity, particularly involving sensitive customer and supplier information.

Government Services and Facilities Sector

Promoting Advanced Artificial Intelligence Innovation and Security

President Trump signed National Security Presidential Memorandum (NSPM-11) to accelerate artificial intelligence adoption across the military, intelligence community, and federal agencies, directing entities to strengthen public-private AI partnerships while expanding procurement workflows. Concurrently, the administration instructed the Center for AI Standards and Innovation to halt the public release of its model safety assessments while an aligned executive order is implemented. These developments reflect a broader White House strategy to accelerate AI integration across federal operations while maintaining executive control over AI model evaluations and disclosures.

Five Eyes Security Alliance Warns of Chinese Spy Threat on Job Sites

The United States and its Five Eyes international partners issued a joint operational warning regarding Chinese state-sponsored intelligence services aggressively targeting government, military, and critical infrastructure personnel on LinkedIn. Sophisticated actors pose as legitimate maritime consultancies, think-tank recruiters, and professional headhunters to build relationships with individuals holding active security clearances or specialized technical expertise. Once a connection is established, targets are funneled toward encrypted messaging applications where they are offered financial compensation for internal research, non-public defense insights, or supply-chain logistics data.

How St. Paul, Minnesota, Recovered From a Ransomware Attack

The city of St. Paul, Minnesota successfully completed a comprehensive systems recovery following a severe ransomware attack, utilizing a coordinated framework involving municipal departments, state agency responders, and the National Guard. The operation focused on emergency management integration and multi-agency incident response planning to systematically restore public services without paying an extortion demand. Key to St. Paul’s success: a pre-existing multi-agency coordination structure, National Guard cyber support activation, sequenced service restoration prioritizing public safety systems, and refusal to pay the ransom demand. This successful stabilization effort has since become a standard case study in municipal cyber resilience, offering an immediate operational roadmap for Florida’s county and local government facilities facing similar local infrastructure threats.

Government Services and Facilities Sector Recommendations:

  • Assess the cybersecurity and governance implications of accelerating artificial intelligence adoption across government agencies. Focus on protecting AI systems from foreign theft and manipulation while maintaining appropriate oversight of AI model evaluations and disclosures.
  • Train staff with security clearances and access to sensitive information to recognize Chinese state-sponsored recruitment lures on professional networking platforms, as warned by Five Eyes partners. Implement verification procedures for unsolicited job offers from entities posing as consultancies or think tanks.
  • Utilize the St. Paul municipal recovery model to develop multi-agency incident response plans that prioritize service restoration and continuity of operations over extortion payments during ransomware attacks.

Healthcare and Public Health Sector

DentaQuest Data Breach Exposes 2.6 Million Accounts

Dental benefits administrator DentaQuest suffered a major data breach that exposed the sensitive personal and health records of approximately 2.6 million accounts. The extortion group ShinyHunters claimed responsibility for the intrusion, leaking 234 gigabytes (GB) of stolen data on a dark web forum after corporate leadership reportedly declined ransom negotiations. The incident follows a persistent operational pattern where advanced extortion groups target third-party health administrators to exfiltrate high-value wellness data and personally identifiable information. Exposed data includes Medicaid IDs, government-issued identification, health insurance records, and contact information. This directly affected individuals enrolled in Medicaid programs managed by DentaQuest in Florida. Because DentaQuest manages dental benefits for a substantial volume of residents across the state, this compromise directly impacts the health, financial, and insurance records of thousands of Florida citizens.

Ultrahuman Says Hackers Accessed Customers’ Wellness Data via Internal Tool

India-based wearable health tech startup Ultrahuman disclosed a data breach on March 27, 2026, involving unauthorized access to an internal analytics tool. Threat actors gained entry using an employee’s credentials stolen through malware. Although the company detected the intrusion promptly and took the affected system offline, the breach underscores the escalating risk of malware-driven credential theft targeting centralized health data repositories.

Healthcare and Public Health Sector Recommendations:

  • Apply deep encryption and strict access logging to biometric files and patient wellness data stored in third-party or internal analytics tools.
  • Isolate medical devices and electronic health record (EHR) directories on sub-networks detached from internet-facing boundaries.
  • Practice paper-based admittances and hand-off protocols to sustain care during total IT infrastructure failures.

Information Technology Sector

NSA Launches Zero Trust Implementation Guidelines Resource Webpage

The National Security Agency (NSA) launched a centralized hub for Zero Trust Implementation Guides (ZIGs), consolidating legacy technical recommendations and interactive planning tools designed to assist enterprises in strengthening multi-layered infrastructure security. Operating on a “never trust, always verify” framework, the resource center provides a modular, adaptable approach allowing critical infrastructure operators to prioritize defensive integration based on their explicit asset maturity levels and budgets. The interactive platform delivers focused mitigation paths across identity governance, endpoint defense, network isolation, application security, and data protection. Florida infrastructure defenders should immediately utilize these centralized blueprints to transition away from legacy perimeter assumptions and establish validated, continuous authentication controls across state-managed administrative interfaces. The hub is accessible at nsa.gov.

Check Point Warns of Zero-Day Flaw Targeted by Ransomware Affiliate

A wave of high-severity network perimeter vulnerabilities is fueling mass-exploitation campaigns targeting virtual private networks (VPNs) and enterprise routing infrastructure. Critical threats include an actively weaponized Cisco Catalyst SD-WAN Manager zero-day (CVE-2026-20245) allowing low-privileged users to execute root-level terminal commands, a Palo Alto Networks PAN-OS cookie-forgery flaw (CVE-2026-0257) enabling unauthorized VPN sessions, and a Check Point Remote Access vulnerability (CVE-2026-50751) actively abused by Qilin ransomware affiliates. Concurrently, Microsoft Exchange Online environments face spoofing risks via the “Ghost-Sender” configuration bypass, while ServiceNow reported unauthorized tenant access incidents, highlighting that Florida public-sector agencies and infrastructure operators must prioritize immediate boundary patching, multi-factor authentication enforcement, and log audits.

Record-Breaking June Patch Tuesday Highlights Enterprise Software Hazards

The June 2026 Patch Tuesday cycle marked a historic high, with Microsoft addressing nearly 200 vulnerabilities, including over three dozen critical bugs and an actively exploited Windows Netlogon remote code execution flaw (CVE-2026-41089) carrying a Common Vulnerability Scoring System (CVSS) score of 9.8. This surge is mirrored across the enterprise ecosystem, with Oracle transitioning to a rapid monthly patching model to fix 77 vulnerabilities, Google patching its fifth Chrome browser zero-day of the year (CVE-2026-11645), and Veeam releasing emergency fixes for a critical Backup & Replication flaw (CVE-2026-44963) that allows unauthenticated domain-level takeover. CI operators using Oracle products should update their patch management schedules to match the new monthly cadence. Because adversaries are increasingly leveraging machine-assisted fuzzing to weaponize these disclosures within days, Florida entities must establish compressed patch timelines to protect internet-facing infrastructure and backup servers.

Sophisticated Supply Chain Tactics Weaponize Open-Source Repositories and AI Coding Tools

Security researchers have uncovered distinct software supply chain campaigns engineered to infect upstream development blocks and autonomous programming environments. The ‘Miasma’ campaign infected over 100 npm packages, including Red Hat Cloud Services packages, and extended into Microsoft Azure and GitHub repositories. Miasma demonstrated worm-like self-propagation by stealing developer credentials to automatically infect and republish additional packages, which extended the compromise from individual developers to entire organizational code repositories. The ‘Hades’ campaign poisoned 19 PyPI packages to execute automated credential-harvesting scripts. Because the malware executes at Python interpreter startup rather than only when the specific package is used, any Python environment that has installed an affected package is at risk even if the package is never imported. Additionally, researchers demonstrated successful security scanner bypasses on Vercel and Cisco platforms, illustrating that automated code-review tools fail to catch malicious AI agent extensions, meaning Florida development teams must implement strict cryptographic dependency validation and code signing.
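A check defenders can run for the "executes at interpreter startup" behaviour described above. This is an added example, not the researchers' or the bulletin's code. It relies on a documented CPython behaviour: at startup, `site.py` executes every line of a `.pth` file in site-packages that begins with `import`, and it imports `sitecustomize`/`usercustomize` if present, so a package can run code without ever being imported. That the Hades packages used this particular mechanism is an assumption here; the scan is a general hygiene check for build agents and developer machines, and the sample site-packages directory is constructed inside the script.

```python
"""Enumerate Python startup-execution hooks in site-packages directories.

Added example. Scans for .pth lines that CPython's site.py will exec() at
interpreter start ("import ..."), plus sitecustomize/usercustomize modules.
"""
import site
import tempfile
from pathlib import Path


def scan_pth_dir(directory: Path) -> list:
    """Return startup-executed lines found in .pth files under one directory."""
    hits = []
    for pth in sorted(directory.glob("*.pth")):
        for lineno, line in enumerate(pth.read_text(errors="replace").splitlines(), 1):
            stripped = line.strip()
            # site.py runs lines starting with "import " or "import\t";
            # ordinary path lines are merely appended to sys.path.
            if stripped.startswith(("import ", "import\t")):
                hits.append({"file": str(pth), "line": lineno, "code": stripped})
    # These modules are imported automatically at startup when present.
    for name in ("sitecustomize.py", "usercustomize.py"):
        if (directory / name).is_file():
            hits.append({"file": str(directory / name), "line": 0,
                         "code": "<startup module present>"})
    return hits


def scan_environment() -> list:
    """Scan the running interpreter's global and user site-packages."""
    candidates = list(site.getsitepackages()) + [site.getusersitepackages()]
    hits = []
    for d in candidates:
        p = Path(d)
        if p.is_dir():
            hits.extend(scan_pth_dir(p))
    return hits


def demo() -> list:
    """Constructed site-packages: one legitimate .pth and one carrying a startup hook."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        # Legitimate: a bare path line, as produced by an editable install.
        (d / "editable-project.pth").write_text("/opt/src/my-project\n")
        # Suspicious: a code line that runs on every interpreter start, whether or
        # not the package is imported. Constructed, benign stand-in for the
        # credential-harvesting code the bulletin describes.
        (d / "vendored-shim.pth").write_text(
            "/opt/src/vendored\n"
            "import socket; socket.gethostname()\n"
        )
        return scan_pth_dir(d)


if __name__ == "__main__":
    for hit in demo():
        print("constructed demo:", hit)
    for hit in scan_environment():
        print("this interpreter:", hit)
```

Note that some legitimate tools ship `.pth` files with `import` lines (editable-install finders, coverage hooks), so treat a hit as a review item and compare it against the package that owns the file rather than as proof of compromise; the useful signal is a hook appearing after a dependency update that had no reason to add one.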

Acer Working to Patch Max Severity Zero-days in Wave 7 Routers Acer is developing patches for two maximum-severity zero-day vulnerabilities in its Wave 7 mesh routers. One flaw, CVE-2026-49200, involves a broken access control issue allowing unauthenticated attackers to remotely access plaintext credentials stored in log archives. The vulnerability affects routers running firmware version T7c_GBL_1.01.000055 or earlier. Successful exploitation provides an immediate path for initial access and lateral movement within compromised networks.

Cisco Warns of Available PoC for Critical Unified CM Vulnerability Cisco released patches for a high-severity server-side request forgery (SSRF) vulnerability (CVE-2026-20230) affecting Unified Communications Manager (Unified CM) and Session Management Edition (SME). The flaw stems from insufficient input validation in specific HTTP requests, allowing unauthenticated attackers to send crafted requests to internal systems. Cisco warned that proof-of-concept (PoC) code is publicly available, drastically compressing the timeline between patch release and weaponization. This development aligns with the strategic warning regarding AI-assisted machine-speed exploitation, necessitating rapid remediation to outpace automated threats.

Information Technology Sector Recommendations:

  • Implement strict application whitelisting and endpoint execution controls for all developer tooling, integrated development environment (IDE) plugins, and third-party extension marketplaces.
  • Enforce automated secrets-scanning utilities across all internal repositories, code pipelines, and cloud-hosted environments to rapidly discover and revoke exposed keys or cloud credentials.
  • Mandate the complete network segmentation of enterprise backup infrastructure (specifically Veeam architectures) from the primary active directory domain to prevent cross-compromise during ransomware operations.
  • Transition infrastructure administration pipelines to a strict Zero Trust model, enforcing phishing-resistant multi-factor authentication and continuous device posture verification.
  • Establish formal software dependency review protocols, utilizing cryptographic verification and strict commit controls to evaluate open-source Python (PyPI) and JavaScript (npm) additions before introduction into local development chains.
  • Review Exchange Online configurations for the Ghost-Sender bypass and audit ServiceNow tenant access logs for unauthorized activity.
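
The second recommendation above (automated secrets scanning across repositories and pipelines) is the control whose absence is described in the CISA contractor leak later in this issue. The scanner below is an added example written for this bulletin, not a tool from GitHub, CISA or any vendor named on the page. It combines fixed-shape patterns that are safe to fail a build on with a generic key=value check gated by an entropy threshold to keep placeholders such as "changeme" out of the report. The repository snapshot it scans is constructed; the AWS values in it are the placeholder credentials from AWS's own documentation, not live keys.

```python
"""Secrets scanner for repository files (added example, not a project or vendor tool).

SAMPLE_FILES is a constructed repository snapshot; the AWS values are the documentation
placeholders AWS publishes, not live credentials.
"""
import math
import os
import re
from collections import Counter

# Credential classes with a fixed, recognisable shape: a hit is reliable enough to fail CI on.
SPECIFIC_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?!\w)"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |PGP )?PRIVATE KEY(?: BLOCK)?-----"),
}
# Generic assignment: key-like name, '=' or ':', then a value. Too noisy on its own, so it is
# gated by an entropy check and only runs on lines that had no specific hit.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[=:]\s*['\"]?([^'\"\s,;]{8,})")
ENTROPY_THRESHOLD = 3.0  # bits per character: 'changeme' scores 2.75, random keys score above 4


def shannon_entropy(value):
    """Bits of entropy per character of the string."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value):
    """Keep enough to locate the secret in the file, never enough to reuse it."""
    return f"{value[:4]}...({len(value)} chars)"


def scan_text(path, text):
    """Return one finding dict per credential-looking match in the text of one file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        matched_specific = False
        for kind, rx in SPECIFIC_PATTERNS.items():
            for m in rx.finditer(line):
                matched_specific = True
                value = m.group(1) if m.groups() else m.group(0)
                findings.append({"file": path, "line": lineno, "kind": kind, "preview": redact(value)})
        if matched_specific:
            continue
        for m in GENERIC_ASSIGNMENT.finditer(line):
            value = m.group(1)
            if shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue  # placeholders such as 'changeme' are almost never live credentials
            findings.append({"file": path, "line": lineno, "kind": "generic_assignment",
                             "preview": redact(value)})
    return findings


def scan_files(files):
    """Scan an in-memory {path: text} mapping (used for the constructed sample below)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def scan_tree(root):
    """Walk a checked-out repository on disk, skipping .git metadata and unreadable binaries."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in {".git", "node_modules", ".venv"}]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8") as fh:
                    findings.extend(scan_text(path, fh.read()))
            except (UnicodeDecodeError, OSError):
                continue
    return findings


# Constructed sample repository. The AWS values are the well-known AWS documentation examples.
SAMPLE_FILES = {
    "config/app.yml": "db:\n  password: changeme\n  api_key: q7Zp2mX9vL4sR8tB1nK6wE3yH5\n",
    "deploy/.env": ("AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
                    "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"),
    "ci/deploy_key": ("-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjE...\n"
                      "-----END OPENSSH PRIVATE KEY-----\n"),
    "README.md": "Export a GitHub token in the environment before running make deploy.\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f'{f["file"]}:{f["line"]} {f["kind"]} {f["preview"]}')
```

Wire scan_tree into a pre-commit hook or a CI job that fails on any finding of a specific kind, and route generic_assignment hits to a reviewer. Whatever the scanner finds should be treated as already compromised: rotate the credential first, then clean the history, because removing a key from the current commit does not remove it from every clone that already pulled it.
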
Nuclear Reactors, Materials, and Waste Sector

No sector-specific incidents, advisories, or operationally relevant reporting were identified during this biweekly reporting period.

Transportation Systems Sector

Delivery Mega Leak: 840M+ Files Exposed as US Delivery Company Leaks Massive File Storage Security researchers identified a major cloud database exposure involving SpeedX, a prominent U.S.-based delivery and logistics company, which inadvertently left over 840 million records accessible to the public internet without authentication. The leaked dataset contained highly sensitive corporate and consumer assets, including customer delivery details, unredacted shipping labels, warehouse photographs, and official driver identification documentation. While SpeedX characterizes the incident as a cloud storage configuration issue rather than a confirmed breach, Cybernews researchers dispute this, asserting the exposed container was accessible to anyone who knew the container name. Regardless of characterization, the incident demonstrates the scale of data exposure possible from misconfigured cloud storage in transportation logistics environments and highlights the privacy and supply chain risks facing transportation hubs that fail to properly audit automated cloud storage environments, making rigorous access control verification necessary for regional logistics providers.

Qilin Ransomware Claims Hack of Major New York and New Jersey Shipping Association The Qilin ransomware group claimed responsibility for a targeted network intrusion against the New York Shipping Association, a vital maritime organization supporting cargo logistics at one of North America’s busiest ports. Although the full operational impact is still being evaluated, the attack represents a direct threat to maritime supply chains, as disruptions to shipping association networks can rapidly trigger cascading delays across port terminal operations, cargo movements, and regional economic activity. This incident serves as an immediate warning for Florida’s major commercial maritime hubs, showing that third-party maritime service organizations are primary targets for ransomware syndicates.

Transportation Systems Sector Recommendations:

  • Separate public information display systems, scheduling applications, and passenger portals from core operational transit control planes into distinct, firewalled network zones.
  • Implement immutable offline system state backups and verified gold-image snapshots to facilitate rapid bare-metal recovery following potential data-wiping or ransomware events.
  • Review cloud storage configurations, object bucket access controls, and data exposure settings for all logistics platforms, enforcing regular security audits over third-party transportation technology providers.
  • Conduct ransomware readiness exercises specifically focused on maritime logistics, validating network segmentation boundaries and backup integrity across port community systems and shipping association networks.
  • Assess and strengthen enterprise resilience against Positioning, Navigation, and Timing (PNT) vulnerabilities by establishing secondary, out-of-band communication and redundant tracking workflows for local logistics fleets.
Water and Wastewater Systems Sector

GAO: Actions Needed to Address Persistent Cybersecurity Threats to the Water and Wastewater Sector The U.S. Government Accountability Office (GAO) warned that many drinking water and wastewater utilities across the United States continue to lack fundamental cybersecurity protections. The report found that numerous utilities still do not maintain basic asset inventories, incident response plans, or adequate segmentation between operational technology (OT) and information technology (IT) networks. These deficiencies leave critical water infrastructure vulnerable to cyberattacks that could disrupt service delivery and pose risks to public health and the environment. The GAO called for stronger federal support and sector-wide actions to close long-standing cybersecurity gaps.

Cyber Intel Brief: Handala Claims Breach of California Water Service On June 11, 2026, the Iranian-affiliated threat actor Handala compromised California Water Service, releasing a five-gigabyte dump of customer personally identifiable information and administrative credentials. The adversaries breached an open-source RTKBase GPS correction server on port 10000 and a customer billing database across seven districts, including Chico, California. Critically, there is no evidence of operational technology (OT) or industrial control systems (ICS) compromise. Handala’s claims of disruptive capabilities against water treatment processes remain unproven. This incident highlights vulnerabilities in municipal water infrastructure, signaling elevated risk for Florida utilities operating exposed mapping portals without rigid IT and OT network segmentation.

Water and Wastewater Systems Sector Recommendations:

  • Use automated network mapping to guarantee SCADA networks and PLCs have no unauthenticated public internet exposure.
  • Close GAO-identified gaps by maintaining a comprehensive inventory of all OT assets and hardening the boundary between IT and OT networks.
  • Maintain offline, validated backups to support recovery from disruptive cyber incidents affecting operational technology environments.
  • Actively engage with federal and state funding channels to offset budget shortfalls for cybersecurity posture improvements in smaller districts.

CI Bulletin Vol 2, Issue 9 June 23, 2026 (posted 2026-06-22T14:10:45-04:00)

Teacher Spotlight: Mason Lewis

Teacher: Mason Lewis

District: Hernando

Mason Lewis is a cybersecurity and computer science teacher at Hernando High School in Brooksville, Florida. Now in his 21st year as an educator, he has taught at the elementary, middle, and high school levels, serving in roles that include elementary education, middle school science, and information and communication technology.

He is currently in his fifth year leading the Academy of Computer Science and Cybersecurity at Hernando High School. Mason has been recognized for his commitment to students and innovation in education, earning honors as a two-time school-level Teacher of the Year, the 2021 Hernando County Teacher of the Year, and the recipient of the 2021 Ron Nieto Digital Educator Award.

This year, Mason’s students earned first place at CyberLaunch, a testament to his dedication to preparing the next generation of cybersecurity professionals. We are grateful for his continued commitment to Florida’s students and the future of cybersecurity education!

Would you like to be featured in our Teacher Spotlight? To nominate yourself or another deserving teacher, complete the interest form below!

Teacher Spotlight: Mason Lewis (posted 2026-06-22T11:00:45-04:00)

CI Bulletin Vol 2, Issue 8 June 9, 2026

Florida Critical Infrastructure Cybersecurity Intelligence

This bulletin is produced by USF’s Strategic and Cyber Intelligence Program, in collaboration with Cyber Florida, to deliver timely, actionable insights and recommendations to help Critical Infrastructure owners and operators better protect Florida’s Critical Infrastructure.

Situational Awareness Bulletin #10-2026
Cyber Threat Outlook

Over the next six to nine months, Florida’s critical infrastructure operators face escalating pressure from three reinforcing threats: Iranian state-sponsored actors targeting energy, water, and transportation OT systems; financially motivated extortion groups exploiting third-party vendors in education, healthcare, and commercial facilities; and automated vulnerability exploitation that is closing the gap between disclosure and weaponization faster than most organizations can patch. The 2026 Verizon Data Breach Investigations Report confirmed that exploitation of unpatched vulnerabilities has surpassed credential theft as the leading breach entry point — a structural shift that favors well-resourced adversaries and penalizes organizations slow to remediate. CISA’s CI Fortify initiative signals that federal planners now treat destructive OT attacks as a near-term contingency, not a theoretical risk. The campaign against LA Metro and ongoing Iranian targeting of gas-station tank gauges and PLCs in water and energy systems demonstrate transferable risk to Florida’s ports, utilities, and transit networks. Critical infrastructure owners should treat supply chain vendors, contractor-managed cloud accounts, and internet-exposed OT devices as the highest-priority attack surface for the foreseeable future.

Confidence – High

Executive Summary
  • All Sectors: CISA’s CI Fortify initiative and continued Iranian OT targeting require Florida operators to test manual fallback procedures and close contractor access gaps.
  • Commercial Facilities: ShinyHunters breached 7-Eleven, exposing personal data on 185,300 individuals after holding the data for ransom and then leaking it publicly.
  • Communications: Major U.S. telecoms launched the C2 ISAC, a new sector-specific threat-sharing body; a Huawei zero-day caused a nationwide telecom outage in Luxembourg.
  • Critical Manufacturing: Nitrogen ransomware breached Foxconn’s North American facilities, exfiltrating 8 TB of data and disrupting production; Four-Faith router exploitation continues at scale.
  • Defense Industrial Base: Iranian APT Seedworm (MuddyWater) maintains persistent access inside a U.S. defense and aerospace software supplier using the previously undocumented Dindoor backdoor.
  • Energy: NEMA and NERC warn of growing data-center grid strain; Iranian actors have breached unprotected automatic tank gauge systems at gas stations across multiple states.
  • Government Services and Facilities: ShinyHunters’ Canvas breach directly hit USF and multiple Florida school districts; Chelan County’s full network shutdown illustrates ransomware risk for Florida municipalities; federal cyber grant reauthorization is in jeopardy.
  • Healthcare and Public Health: OpenLoop Health breach exposed 716,000 individuals; a ransomware attack at another hospital allegedly caused an infant’s death; NYC Health + Hospitals vendor breach exposed 1.8 million patients.
  • Information Technology: Exploited vulnerabilities in Drupal, Gitea, Notepad++, and SonicWall SSL-VPN, combined with GitHub supply chain compromises and novel blockchain-based malware, expand attack surface across developer and CI environments.
  • Transportation Systems: Iranian state-linked actors breached LA Metro in a destructive attack that required weeks of recovery — directly transferable risk to Florida ports, transit, and aviation.
  • Water and Wastewater Systems: CISA CI Fortify guidance is directly applicable to Florida water utilities, which face continued Iranian PLC targeting and reduced federal support.
All Sectors

CISA Unveils New Initiative to Fortify America’s Critical Infrastructure The Cybersecurity and Infrastructure Security Agency (CISA) launched the CI Fortify initiative on May 5, 2026, urging critical infrastructure operators, particularly in energy, water, and government facilities, to prepare for “weeks to months” of information technology/operational technology (IT/OT) isolation and manual operations in the event of sustained state-sponsored cyber campaigns. The guidance emphasizes proactive network segmentation, offline backups of system configurations, and regular drills of manual fallback procedures. It is important to note that the initiative’s planning assumption is that adversaries may already have a foothold inside OT networks during a conflict scenario, requiring operators to plan for continuity under a ‘communications-degraded’ environment in which external vendors, internet connectivity, and third-party dependencies may be unavailable. This is directly relevant to Florida, whose hurricane-prone utilities, ports, and water systems already face compounded risks from Iranian-linked OT targeting campaigns that continue to probe internet-exposed programmable logic controllers.

CISA Adds Seven Known Exploited Vulnerabilities to Catalog CISA added seven new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog on May 21, 2026, based on confirmed active exploitation in the wild. The additions include CVE-2026-41091 (a link-following vulnerability in the Microsoft Malware Protection Engine that enables local privilege escalation to SYSTEM) and CVE-2026-45498 (a Microsoft Defender denial of service), along with several legacy but still-weaponized flaws. These vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to federal, state, local, and critical infrastructure entities. Florida operators of Microsoft Defender, Windows systems, and related OT environments should apply patches immediately to prevent privilege escalation and service disruption. Organizations that disable automatic Microsoft Defender engine updates, including some OT-adjacent environments, should verify manually that engine version 1.1.26040.8 or later is installed.

Verizon DBIR 2026: Vulnerability Exploitation Overtakes Credential Theft as Top Breach Vector Verizon’s 2026 Data Breach Investigations Report (DBIR) found that vulnerability exploitation surpassed credential theft as the leading initial access vector in confirmed breaches. The DBIR analyzed more than 31,000 security incidents, of which more than 22,000 were confirmed breaches. Approximately 31% of breaches involved exploitation of unpatched vulnerabilities, highlighting the growing exposure of internet-facing systems and the impact of delayed remediation cycles. Third-party involvement also rose sharply, reaching 48% of confirmed breaches, a 60% year-over-year increase that underscores the growing risk of vendor and contractor access across CI environments. The report emphasized that organizations continue to struggle with patch management timelines and exposure to third-party applications. These findings reinforce concerns that cyber threat actors are increasingly prioritizing automated exploitation of known vulnerabilities across critical infrastructure sectors.

CISA Admin Leaked AWS GovCloud Keys on GitHub A public GitHub repository managed by a CISA contractor (Nightwing) inadvertently exposed credentials for several highly privileged Amazon Web Services (AWS) GovCloud accounts as well as a large number of internal CISA systems. The leak prompted legislators to request an urgent classified briefing within 24 hours. This incident underscores persistent third-party and supply chain risks, where basic credential hygiene and repository security failures can have cascading effects. Notably, the contractor had disabled GitHub’s built-in secret-scanning protections, underscoring that policy-level controls are insufficient without enforced technical guardrails that prevent circumvention. Florida critical infrastructure owners and operators should apply the same rigorous scrutiny to contractor-managed code repositories and third-party cloud environments that they apply to external vendors.

Security Update for LiteSpeed cPanel Plugin CISA added CVE-2026-48172, a critical privilege-escalation vulnerability in the LiteSpeed user-end cPanel plugin (before version 2.4.5), to its Known Exploited Vulnerabilities catalog after confirming active exploitation in the wild. The flaw allows any authenticated cPanel user, including low-privileged or compromised accounts, to execute arbitrary scripts with root privileges, meaning a single compromised hosting account on a shared server is sufficient for full system takeover. LiteSpeed resolved the issue in version 2.4.5. This development is highly relevant to Florida state agencies, school districts, municipal utilities, and other critical infrastructure entities that use cPanel-hosted web services for public-facing systems.

FBI Warns Extortion Hackers are Visiting US Law Firms to Steal Data The FBI has issued a warning about the Silent Ransom Group (SRG), a cyber extortion gang with roots in the Conti ransomware syndicate that is actively targeting U.S. law firms using an unusually bold mix of phishing, fake IT calls, and in-person office visits. The group’s tactics are exceptionally hard to detect: attackers use legitimate remote management tools and transfer stolen data through trusted platforms such as Google Drive and Microsoft OneDrive, blending in with normal IT activity. Notably, SRG deploys no ransomware encryption: systems remain fully operational throughout the attack with no locked files or ransom screens, making the intrusion effectively invisible until an extortion email arrives. SRG’s reach extends beyond legal services; the FBI notes the group has also hit organizations in the healthcare, insurance, and financial sectors. This is pertinent to all Florida critical infrastructure sectors, since law firms frequently hold sensitive legal, financial, and corporate data for CI operators. SRG has been active since at least 2022 and has compromised data from more than 38 law firms, with at least 100 confirmed attacks as of spring 2026.

All Sectors Recommendations:

  • Implement phishing-resistant multi-factor authentication and the principle of least privilege on all managed service provider remote access connections to prevent adversaries from pivoting into downstream municipal utility networks.
  • Identify all internet-facing VNC instances and secure them behind a virtual private network with multi-factor authentication to prevent unauthorized manipulation of industrial controls.
  • Develop and test manual fallback procedures for all life-safety services to ensure operational resilience during a sustained cyber outage.
  • Shift toward automated vulnerability management to reduce exposure windows as artificial intelligence-assisted exploitation compresses the time between disclosure and weaponization.
  • Audit all third-party and contractor-managed code repositories, cloud credentials, and privileged service accounts, and the use of cloud collaboration tools (such as Google Drive and Microsoft OneDrive) for exposed secrets or misconfigured access controls.
  • Immediately inventory, patch, or isolate systems affected by newly added CISA KEVs to prevent active exploitation.
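
The last recommendation above, inventorying and patching or isolating systems affected by newly added KEVs, is straightforward to automate once vulnerability-scan output is held per host. The script below is an added example written for this bulletin, not a CISA tool. KEV_SAMPLE is a constructed excerpt in the field layout of the real catalog feed (whose URL is given in the code); the CVE IDs and the May 21, 2026 dateAdded come from this bulletin, while the due dates, product strings, descriptions and the LiteSpeed entry's dateAdded are assumed. INVENTORY is a constructed list of hosts and their open findings.

```python
"""Cross-reference an asset inventory against the CISA Known Exploited Vulnerabilities catalog.

Added example for this bulletin, not a CISA tool. KEV_SAMPLE is a constructed excerpt in the
layout of the real feed; CVE IDs and the 2026-05-21 dateAdded come from the bulletin, while
due dates, product strings, descriptions and the LiteSpeed dateAdded are assumed.
"""
import json
import sys
import urllib.request
from datetime import date

KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2026.05.21",
    "dateReleased": "2026-05-21T18:00:00.0000Z",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2026-41091", "vendorProject": "Microsoft", "product": "Malware Protection Engine",
         "vulnerabilityName": "Microsoft Malware Protection Engine Link Following Vulnerability",
         "dateAdded": "2026-05-21", "shortDescription": "Link-following flaw enabling local privilege escalation to SYSTEM.",
         "requiredAction": "Apply mitigations per vendor instructions.",
         "dueDate": "2026-06-11", "knownRansomwareCampaignUse": "Unknown"},   # dueDate assumed
        {"cveID": "CVE-2026-45498", "vendorProject": "Microsoft", "product": "Defender",
         "vulnerabilityName": "Microsoft Defender Denial of Service Vulnerability",
         "dateAdded": "2026-05-21", "shortDescription": "Denial of service in Microsoft Defender.",
         "requiredAction": "Apply mitigations per vendor instructions.",
         "dueDate": "2026-06-11", "knownRansomwareCampaignUse": "Unknown"},   # dueDate assumed
        {"cveID": "CVE-2026-48172", "vendorProject": "LiteSpeed", "product": "cPanel plugin",
         "vulnerabilityName": "LiteSpeed cPanel Plugin Privilege Escalation Vulnerability",
         "dateAdded": "2026-05-28", "shortDescription": "Authenticated cPanel users can run scripts as root (fixed in 2.4.5).",
         "requiredAction": "Update to version 2.4.5 or later.",
         "dueDate": "2026-06-18", "knownRansomwareCampaignUse": "Unknown"},   # dates assumed
    ],
})

# Constructed inventory: host, owning team, and the CVEs a vulnerability scanner reported open.
INVENTORY = [
    {"host": "ws-finance-07", "owner": "finance", "cves": ["CVE-2026-41091", "CVE-2026-45498"]},
    {"host": "scada-hist-01", "owner": "ot-team", "cves": ["CVE-2026-45498"]},
    {"host": "web-public-02", "owner": "webops", "cves": ["CVE-2026-48172"]},
    {"host": "lab-vm-11", "owner": "research", "cves": ["CVE-0000-0000"]},  # placeholder id: not in KEV
]


def load_kev(text):
    """Index the catalog JSON by CVE ID."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


def fetch_kev_live():
    """Download the current catalog (network access required; not used by the demo)."""
    with urllib.request.urlopen(KEV_URL, timeout=30) as resp:
        return resp.read().decode("utf-8")


def match_inventory(inventory, kev, today):
    """Return one row per (host, KEV CVE) pair, most urgent first.

    Urgency order: already past the CISA due date, then known ransomware use, then soonest due.
    Findings that are not in KEV are left out so the list is the actionable subset.
    """
    rows = []
    for asset in inventory:
        for cve in asset["cves"]:
            entry = kev.get(cve)
            if entry is None:
                continue
            days_left = (date.fromisoformat(entry["dueDate"]) - today).days
            rows.append({
                "host": asset["host"], "owner": asset["owner"], "cve": cve,
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "due": entry["dueDate"], "days_left": days_left, "overdue": days_left < 0,
                "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
                "action": entry["requiredAction"],
            })
    rows.sort(key=lambda r: (not r["overdue"], not r["ransomware"], r["days_left"]))
    return rows


def report(rows):
    """Plain-text lines suitable for a ticket or a daily e-mail to asset owners."""
    lines = []
    for r in rows:
        status = f"OVERDUE by {-r['days_left']}d" if r["overdue"] else f"due in {r['days_left']}d"
        flag = " [ransomware]" if r["ransomware"] else ""
        lines.append(f"{r['host']:<14} {r['owner']:<9} {r['cve']}  {r['product']}  {status}{flag}")
    return lines


if __name__ == "__main__":
    catalog = fetch_kev_live() if "--live" in sys.argv else KEV_SAMPLE
    for line in report(match_inventory(INVENTORY, load_kev(catalog), date.today())):
        print(line)
```

Running it with --live pulls the real catalog; feeding it the output of whatever scanner the organization already runs turns the KEV announcements into a per-owner work list with the CISA due dates attached, which is the view that makes "patch or isolate" enforceable.
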
Chemical Sector

No sector-specific incidents, advisories, or operationally relevant reporting were identified during this biweekly reporting period.

Commercial Facilities Sector

185,000 Likely Impacted by 7-Eleven Data Breach 7-Eleven has confirmed that it was the victim of a data breach. On April 8, 2026, a breach of 7-Eleven systems via its Salesforce environment exposed personal information (including names, dates of birth, email addresses, phone numbers, and physical addresses) affecting roughly 185,300 individuals. The ShinyHunters extortion group claimed responsibility, initially demanding ransom and later offering the data for sale on a Russian hacking forum. This incident highlights ongoing risks to commercial facilities from extortion groups like ShinyHunters, which have also targeted education vendors serving Florida school districts and higher-education institutions.

Commercial Facilities Sector Recommendations:

  • Conduct regular third-party risk assessments of vendors and service providers that handle customer or employee personally identifiable information (PII).
  • Implement robust data encryption, access controls, and data-loss-prevention monitoring on systems containing sensitive personal or financial data.
  • Develop and regularly test incident response playbooks specifically for data-extortion campaigns, including protocols for ransom demands and mandatory breach notification.
  • Monitor closely for anomalous data exfiltration, especially involving legitimate cloud storage and file-sharing platforms commonly abused by groups like ShinyHunters.
  • Provide targeted security awareness training for staff on advanced social engineering, phishing, and impersonation tactics used in these extortion operations.
Communications Sector

Telecom Sector Launches its Own Private ISAC Major U.S. telecommunications providers launched the Communications Cybersecurity Information Sharing and Analysis Center (C2 ISAC) to improve coordination against AI-enabled cyberattacks, espionage, and nation-state threats targeting communications infrastructure. The initiative aims to strengthen collaboration between telecommunications companies and government cybersecurity partners. Officials warned that adversaries continue targeting telecom infrastructure to support surveillance, espionage, and operational disruption campaigns. This development is relevant to Florida as the state’s extensive network of MSPs provides foundational support for municipal utilities and local government services.

Huawei Zero-day Attack Behind Last Year’s Crash of Luxembourg’s Entire Telecoms Network An attack exploiting a previously undisclosed vulnerability in Huawei enterprise router software caused a nationwide telecom outage in Luxembourg, disrupting mobile, landline, and emergency communications for more than three hours. As of this reporting, the vulnerability has not been publicly disclosed or assigned a CVE identifier. Because no CVE has been assigned, operators cannot rely on standard vulnerability management tools to identify this exposure; network inventory and manual review of Huawei equipment are the only current detection paths. This incident highlights persistent supply-chain risks associated with Chinese-manufactured networking equipment in critical communications infrastructure. Florida’s telecommunications providers, managed service providers, and municipal utilities that rely on similar enterprise routing and OT networking hardware should review Huawei equipment inventories and consider immediate segmentation or replacement strategies where feasible.

Communications Sector Recommendations:

  • Enforce strict multi-factor authentication and the principle of least privilege on all managed service provider remote access connections to prevent adversaries from pivoting into downstream municipal utility networks.
  • Monitor telecommunications and managed service provider environments continuously for unauthorized affiliate activity or staging of data exfiltration tools that typically precede ransomware deployment.
  • Prepare contingency plans to immediately sever or isolate administrative access from managed service providers if anomalous activity or cascading ransomware attempts are detected.
  • Inventory all enterprise routers and OT networking hardware for Huawei or other high-risk vendors and implement strict network segmentation or accelerated replacement to mitigate undisclosed zero-day supply-chain risks.
Critical Manufacturing Sector

Ransomware Hackers Claim Breach at Foxconn, Major Electronics Manufacturer for Apple, Google, and Nvidia The Nitrogen ransomware group claimed responsibility for breaching Foxconn’s North American facilities in Mount Pleasant, Wisconsin and Houston, Texas, alleging theft of more than 11 million files totaling 8 terabytes (TB) of data, including confidential instructions, internal project documentation, technical drawings (including circuit board layouts and integrated circuit documentation), financial files, and temperature sensor records — tied to projects for Apple, Intel, Google, Dell, Nvidia, and AMD. The affected plants have resumed normal production, but the incident highlights downstream supply chain risk to U.S. critical manufacturing. This is highly relevant to Florida, where ports in Jacksonville, Tampa, and Miami serve as key logistics hubs for electronics and aerospace components.

CVE-2024-9643: Four-Faith Router Authentication Bypass Fuels Botnet Activity CrowdSec researchers reported a surge in exploitation of CVE-2024-9643, a critical authentication-bypass flaw with hard-coded credentials in Four-Faith F3x36 industrial cellular routers. The activity has escalated into large-scale botnet campaigns targeting utilities, warehouses, and critical infrastructure. These routers are commonly deployed in remote monitoring and operational technology (OT) environments. Florida municipal utilities, water systems, and energy providers using similar industrial routers should immediately inventory, patch, or isolate these devices.

CVE-2026-8153: Command Injection in the PolyScope 5 Dashboard Server Universal Robots disclosed and patched a critical command injection vulnerability (CVE-2026-8153) in the Dashboard Server interface of its PolyScope 5 operating system used on collaborative robots deployed across operational technology environments. The flaw allows unauthenticated remote attackers to execute arbitrary commands, potentially compromising system integrity and physical safety. Collaborative robots are widely used in manufacturing, energy, and logistics facilities. This development is highly relevant to Florida’s aerospace, critical manufacturing, and port logistics clusters that employ Universal Robots systems.

Critical Manufacturing Sector Recommendations:

  • Harden remote access gateways and segment manufacturing networks from corporate IT systems to limit lateral movement during supply-chain ransomware incidents.
  • Implement immutable offline backups of engineering schematics and design files to ensure rapid recovery without paying ransoms.
  • Conduct immediate third-party risk assessments of electronics and component suppliers to identify exposure from large-scale breaches such as the Foxconn incident.
  • Inventory all collaborative robots and industrial cellular routers (Universal Robots PolyScope and Four-Faith F3x36) for exposed interfaces and apply available patches or implement strict network segmentation.
Dams Sector

No sector-specific incidents, advisories, or operationally relevant reporting were identified during this biweekly reporting period.

Defense Industrial Base Sector

Iran-Linked Seedworm Maintains Persistent Access in U.S. Defense Supply Chain Networks Ongoing Symantec reporting describes Iranian APT Seedworm targeting the Israeli operation of a U.S. software company that supplies the defense and aerospace sectors. The campaign began in early February 2026 and is ongoing, and the activity correlates with U.S. and Israeli military strikes on Iran. The attackers used a new Dindoor backdoor and a second, separate Python-based backdoor called Fakeset on the networks of a U.S. airport and a nonprofit to conduct espionage and position for potential follow-on disruption against defense-related environments in the U.S. and allied countries. This activity underscores persistent supply-chain risks to the Defense Industrial Base from Iranian cyber threat actors. Florida’s aerospace clusters and defense contractors should conduct immediate third-party risk assessments of software suppliers.

Defense Industrial Base Sector Recommendations:

  • Conduct rigorous and recurring third-party risk assessments of all software suppliers and service providers supporting defense and aerospace operations, with focused scrutiny on potential Iranian-linked activity.
  • Implement continuous monitoring and behavioral analytics to detect persistent access, backdoors (such as Dindoor), and anomalous activity originating from supply-chain compromises.
  • Enforce strict network segmentation and least-privilege principles between supplier-managed systems and critical internal networks to limit lateral movement.
  • Verify the integrity of all third-party software updates and components prior to deployment in operational environments.
  • Develop and regularly test incident response plans tailored to nation-state supply-chain attacks involving long-term espionage and potential disruptive follow-on operations.
Emergency Services Sector

No sector-specific incidents, advisories, or operationally relevant reporting were identified during this biweekly reporting period.

Energy Sector

US Annual Electricity Consumption to Grow 55% by 2050: NEMA The National Electrical Manufacturers Association (NEMA) forecast shows accelerating electricity demand from data centers, straining U.S. utilities and raising affordability concerns. Florida utilities are already experiencing similar grid pressure from artificial intelligence (AI)-driven data-center growth.

NERC 2026 Summer Reliability Assessment North American Electric Reliability Corporation’s (NERC) 2026 Summer Reliability Assessment warned that accelerated electricity demand, rapid growth of large data-center loads, and extreme heat conditions may strain portions of the North American electric grid. The assessment highlighted increasing operational pressure associated with AI-driven infrastructure expansion, maintenance outages, and periods of reduced renewable energy generation. Several regions may experience elevated reserve shortfalls during sustained peak-demand conditions. Florida utilities may face similar reliability and operational challenges during hurricane season and summer heat events.

Hackers Have Breached Tank Readers at US Gas Stations; Officials Suspect Iran is Responsible U.S. officials suspect Iranian-linked actors are responsible for a series of breaches targeting automatic tank gauge (ATG) systems, though a lack of forensic evidence means definitive attribution has not been confirmed. Notably, the affected systems were internet-exposed and unprotected by passwords, which represents a basic configuration failure; CI operators should immediately verify that all ATG systems are removed from the public internet or placed behind password-protected access controls. The attacks focus on operational technology used for real-time inventory and distribution management rather than traditional information technology (IT) networks. The attackers’ capability, however, was limited to manipulating display readings, not actual fuel levels or distribution flows. If confirmed, the activity would represent continued Iranian interest in disrupting or gathering intelligence on U.S. energy infrastructure. The incidents are highly relevant to Florida’s extensive fuel distribution networks, ports, and municipal energy providers that rely on similar tank-gauge and monitoring systems.

PJM Gets Emergency Approval to Curtail Data Centers, Large Loads During Hot Weather The Department of Energy authorized PJM Interconnection to curtail power usage by large facilities with backup generation capability, including data centers, amid reserve shortages caused by extreme heat and maintenance outages. The emergency authority reflects growing operational stress on energy infrastructure that supports AI-driven data-center growth and increasing electricity demand. Grid operators continue evaluating emergency procedures to maintain system stability during high-load events. The incident also highlights increasing dependence on resilient backup-generation systems across critical infrastructure sectors.

CI Fortify: Strengthening Resilience Across Critical Infrastructure Iranian-linked actors continue to target internet-exposed PLCs and SCADA systems in the water and energy sectors. CISA’s CI Fortify guidance explicitly calls for OT isolation and manual operations readiness—directly applicable to Florida’s energy providers.

Energy Sector Recommendations:

  • Verify that all operational technology (OT) assets, particularly Rockwell Automation and Allen-Bradley programmable logic controllers, are removed from the public internet or placed behind strict network segmentation.
  • Store critical OT configurations and backups in immutable offline formats to enable manual operations during sustained cyber campaigns.
  • Audit third-party vendor accounts and monitor for anomalous remote access to smart-grid and energy-management systems.
  • Inventory and segment all operational technology assets used for fuel storage, tank monitoring, and distribution systems, ensuring they are not internet-exposed and are protected by strict network segmentation.

Financial Services Sector

No sector-specific incidents, advisories, or operationally relevant reporting were identified during this biweekly reporting period.

Food and Agriculture Sector

No sector-specific incidents, advisories, or operationally relevant reporting were identified during this biweekly reporting period.

Government Services and Facilities Sector

Aurora Lost Nearly $1.1M from City Bank Accounts After Employee Fell for Phone Scam Authorities in Aurora, Illinois are investigating a cyber-enabled fraud incident that resulted in approximately $1.1 million being transferred from municipal accounts after an employee reportedly fell victim to a phone scam. The incident reflects continuing business email compromise and social-engineering threats targeting local governments and public-sector financial operations. Cyber threat actors increasingly use impersonation techniques and financial fraud schemes to exploit municipal payment processes. Florida municipalities and tourism-dependent communities remain vulnerable to similar financially motivated cyber campaigns.

Chelan County WA Government Shuts Down Networks After Cyberattack Chelan County officials shut down all government computers, networks, and telephone systems on Memorial Day after detecting a malware attack that impacted every county department. The county’s information technology (IT) department identified the malware at 10 a.m. and immediately isolated systems as a safety precaution. Emergency services remained operational. This incident serves as a direct tactical analog for Florida’s numerous county and municipal government facilities that routinely handle high-volume administrative and public safety systems.

State IT Officials Make a Case for Cyber Grant Reauthorization Before House Subcommittee Florida’s Chief Information Officer and technology leaders from Tennessee and New York testified before the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection regarding the now-unfunded State and Local Cybersecurity Grant Program (SLCGP). The officials highlighted how the grant program has improved state and local network defenses and urged Congress to reauthorize funding amid escalating nation-state threats and reduced federal support. This testimony is directly relevant to Florida’s municipal, county, and educational networks, which rely on these grants to maintain resilience against ransomware, operational technology (OT) targeting, and supply chain risks.

Canvas Hack: Company Pays Criminals to Delete Students’ Stolen Data Instructure (provider of the widely used Canvas learning management system) reached an agreement with the ShinyHunters group after a major breach that exposed student and staff data from 275 million records across approximately 9,000 institutions, including names, email addresses, student ID numbers, and private messages between students and instructors. Instructure reportedly paid a ransom to the ShinyHunters group, receiving digital confirmation that the exfiltrated data was destroyed, though there is no certainty that the cybercriminals honored the agreement. The FBI’s Internet Crime Complaint Center (IC3) issued a separate advisory on May 15, 2026 warning students and staff that ShinyHunters may directly contact individuals whose data was exposed. The incident directly impacted the University of South Florida (USF) in Tampa as well as Hillsborough County Public Schools, Pinellas County Schools, and other Florida districts, underscoring the systemic risk to Florida’s K-12 and higher-education systems that rely on third-party education vendors.

Hackers Exploited KnowledgeDeliver Zero-Day for Web Shell Deployment Attackers have exploited a zero-day vulnerability in KnowledgeDeliver, a widely used learning management system (LMS). The flaw stemmed from hardcoded ASP.NET machineKey values shared across installations. With these keys, cyber threat actors performed ViewState deserialization attacks to achieve remote code execution and deployed web shells. This incident demonstrates that cyber threat actors continue to pursue LMS platforms used by schools and government entities. The development is highly relevant to Florida’s K-12 and higher-education systems as well as municipal government facilities that rely on similar third-party administrative and education platforms.
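To check for the condition behind this incident in your own ASP.NET deployments, here is an added audit script (not from the bulletin, and not any vendor's tool) that parses web.config files and flags literal machineKey values, key values shared across more than one deployment, and a disabled ViewState MAC. The four configs and their key values are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample web.config files for four hypothetical deployments.
# Key values are placeholders, not keys from any real product.
SAMPLE_CONFIGS = {
    "siteA/web.config": """<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>""",
    # Same literal keys as siteA: a shared key lets a forged ViewState from one
    # install validate on the other, which is the pattern described above.
    "siteB/web.config": """<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>""",
    # Per-app auto-generated keys: the safe configuration.
    "siteC/web.config": """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps" />
  </system.web>
</configuration>""",
    # No machineKey, but ViewState MAC explicitly disabled (honored by older
    # .NET Framework versions; newer ones enforce the MAC regardless).
    "siteD/web.config": """<configuration>
  <system.web>
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>""",
}


def audit_machine_keys(configs):
    """Return a sorted list of (path, finding) tuples.

    Finding kinds:
      static-key:<attr>   validationKey/decryptionKey is a literal in the config
      shared-key:<attr>   the same literal value appears in more than one config
      viewstate-mac-disabled   <pages enableViewStateMac="false" />
    """
    findings = []
    key_owners = defaultdict(set)  # (attr, literal value) -> config paths

    for path, xml_text in configs.items():
        root = ET.fromstring(xml_text)
        for mk in root.iter("machineKey"):
            for attr in ("validationKey", "decryptionKey"):
                value = mk.get(attr, "AutoGenerate")
                if value.startswith("AutoGenerate"):
                    continue  # framework-generated per app: not a finding
                findings.append((path, f"static-key:{attr}"))
                key_owners[(attr, value)].add(path)
        for pages in root.iter("pages"):
            if pages.get("enableViewStateMac", "true").lower() == "false":
                findings.append((path, "viewstate-mac-disabled"))

    # A literal key is worse when it is reused: report every config that shares it.
    for (attr, _value), owners in key_owners.items():
        if len(owners) > 1:
            for path in owners:
                findings.append((path, f"shared-key:{attr}"))
    return sorted(findings)


if __name__ == "__main__":
    for path, finding in audit_machine_keys(SAMPLE_CONFIGS):
        print(f"{path}: {finding}")
```

Point the script at the real web.config files of each deployment (load them into the dict in place of the samples); a static key that appears in more than one install is the finding to remediate first.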

Government Services and Facilities Sector Recommendations:

  • Train staff to verify all financial requests through out-of-band channels before initiating wire transfers or payments.
  • Implement strict multi-factor authentication and least-privilege controls on email and financial systems used by municipal staff.
  • Conduct regular phishing simulations and rigorous vendor risk assessments of third-party learning management systems (LMS), education platforms, and administrative software to reduce exposure to supply-chain and zero-day vulnerabilities.
  • Inventory and promptly patch (or isolate) all internet-facing third-party LMS and web-based administrative applications, with special attention to hardcoded credentials, shared configuration keys, and web-shell risks.
  • Maintain and regularly test offline backups and manual fallback procedures for all county and municipal administrative systems to ensure continuity during ransomware or malware-induced outages.
  • Advocate for and prepare contingency plans around reauthorization of the State and Local Cybersecurity Grant Program to sustain network defenses amid reduced federal support.

Healthcare and Public Health Sector

OpenLoop Health Data Breach Affects 716,000 Individuals OpenLoop Health disclosed a breach exposing names, addresses, email addresses, dates of birth, and medical information (but not Social Security Numbers) of approximately 716,000 individuals. The incident aligns with the broader pattern of persistent data-theft and extortion campaigns targeting the U.S. healthcare sector. Florida’s large healthcare network and retiree population make this a continuing high-priority risk.

Data Breach on New York Public Health System Claims 1.8M Victims, Leaking Biometric Data to Hackers NYC Health + Hospitals confirmed that a vendor-related compromise exposed sensitive patient data, including biometric data, affecting approximately 1.8 million individuals after attackers reportedly maintained access to systems for several months. Exposed information included protected health information and personally identifiable information tied to healthcare operations. The incident highlights the ongoing risks associated with third-party vendors and healthcare-sector supply chain exposure.

Hospital Ransomware Attack Led to Infant’s Death, Lawsuit Alleges A hospital ransomware attack allegedly led to an infant’s death, according to a lawsuit. The incident highlights the severe life-safety risks when ransomware disrupts critical healthcare operations and patient care systems. This is directly relevant to Florida’s large healthcare network and retiree population, where ransomware continues to threaten both patient data and care continuity.

Healthcare and Public Health Sector Recommendations:

  • Isolate electronic health record systems and medical devices on segmented networks to prevent lateral movement during ransomware incidents.
  • Maintain and regularly test manual downtime procedures for all critical patient care and life-safety systems to sustain operations and protect patient safety during IT outages or ransomware events.
  • Perform rigorous third-party risk assessments of billing and health-data vendors to limit exposure from supply-chain breaches.
  • Prioritize patient safety and life-safety system continuity in all ransomware incident response planning and conduct regular drills focused on rapid transition to manual operations.

Information Technology Sector

CISA Releases 18 New ICS Advisories Cybersecurity and Infrastructure Security Agency (CISA) released 18 new industrial control system advisories on May 14, 2026, detailing remotely exploitable vulnerabilities in products used across manufacturing, emergency communications, and supporting OT environments. Florida operators of these systems should apply patches immediately.

GitHub Confirms Breach of 3,800 Repos via Malicious VSCode Extension GitHub confirmed that approximately 3,800 internal repositories were compromised after an employee installed a malicious Visual Studio Code extension. The incident demonstrates the growing threat posed by software supply chain compromises targeting trusted developer environments and third-party extensions. Additional organizations, including major technology firms and artificial intelligence (AI) companies, were reportedly impacted by related activity. The compromise reinforces concerns about dependency trust, extension security, and vulnerabilities in the software development ecosystem.

CISA Adds One Known Exploited Vulnerability to Catalog CISA has added CVE-2026-9082, a critical SQL injection vulnerability in Drupal Core’s database abstraction API, to its Known Exploited Vulnerabilities catalog after confirming active exploitation. The agency ordered federal agencies to patch by May 27, 2026. Drupal is widely used by government agencies, educational institutions, and critical infrastructure entities for managing large-scale websites and content. Florida state agencies, school districts, and municipal utilities running Drupal instances should apply patches immediately to prevent unauthorized database access and potential lateral movement.

Exposing Fox Tempest: A Malware-signing Service Operation Microsoft identified Fox Tempest as a financially motivated cyber threat actor operating a malware-signing-as-a-service platform used by cybercriminals and ransomware operators. The group abuses Microsoft Artifact Signing to generate fraudulent short-lived certificates that allow malicious software to appear legitimate and evade traditional security controls. The operation demonstrates the increasing sophistication of ransomware enablement services and malware delivery infrastructure. Security researchers warned that signed malware continues posing significant detection and trust challenges for defenders.

Patch Bypass Allows Hackers to Exploit Prior Flaw in SonicWall SSL-VPN Cyber threat actors continue to exploit a SonicWall Secure Sockets Layer virtual private network (SSL-VPN) vulnerability that enables attackers to bypass multifactor authentication protections during automated brute-force attacks. Researchers warned that a patch bypass allowed exploitation activity to continue despite earlier remediation efforts. SSL-VPN appliances remain frequent targets for ransomware operators and cybercriminal groups seeking remote access into enterprise environments. Organizations relying on internet-facing VPN infrastructure continue to face elevated risk from credential attacks and remote-access exploitation.

ClearFake Abuses BSC Testnet Contracts for Resilient C2 Operations Cyber threat actors behind the ClearFake campaign have adopted a novel and highly resilient command-and-control (C2) architecture that leverages BNB Smart Chain (BSC) testnet smart contracts. The approach embeds malicious JavaScript and instructions in immutable blockchain storage, which makes the infrastructure effectively immune to traditional takedown efforts. Standard threat intelligence feeds and domain blocklists are therefore ineffective against this C2 channel, so defenders must instead focus on monitoring anomalous outbound connections and JavaScript injection patterns. The tactic expands supply-chain and developer-pipeline risks for Florida critical infrastructure entities that rely on third-party IT tools and extensions.

Hackers Host JS Malware GHOSTYNETWORKS and OMEGATECH Hackers are abusing two bulletproof hosting providers, GHOSTYNETWORKS and OMEGATECH, to run a global JavaScript (JS) malware infrastructure that powers large-scale malspam and business email compromise (BEC) activity. In March 2026, multiple malspam waves delivered a JavaScript backdoor via ZIP or RAR attachments to organizations across sectors, including energy companies and finance ministries. The financially motivated operators focus on email account compromise and BEC rather than espionage.

Gitea Vulnerability Exposes Private Container Images Without Authentication Cybersecurity researchers disclosed a security flaw in Gitea (CVE-2026-27771, CVSS 8.2) that allows unauthenticated remote attackers to pull private container images from Gitea deployments without requiring credentials. The vulnerability affects all versions prior to 1.26.2 and likely impacts more than 30,000 deployments worldwide. Florida state agencies, school districts, and critical infrastructure operators running self-hosted Gitea instances should apply the patch immediately.

Critical Notepad++ Flaw Could Enable Remote Code Execution Attacks Notepad++ has released version 8.9.6.1 to address multiple critical vulnerabilities, including CVE-2026-48778, which could allow arbitrary code execution under specific conditions involving improper handling of configuration files. The update patches flaws in versions up to 8.9.6. Developers and administrators across Florida critical infrastructure environments should update immediately to prevent potential supply-chain compromise via developer tools.

Information Technology Sector Recommendations:

  • Apply all CISA Known Exploited Vulnerabilities catalog updates and the latest ICS advisories without delay.
  • Immediately inventory, patch, or isolate all Drupal installations, Gitea instances, and other internet-facing web applications, prioritizing those used by government, educational, and critical infrastructure systems.
  • Enforce strict package verification, code-signing validation, and security checks for all developer tools, extensions (including VSCode), and applications such as Notepad++ to prevent supply-chain and remote code execution attacks.
  • Implement strong authentication and access controls on self-hosted code repositories and container registries (such as Gitea) to block unauthenticated access to private container images and source code.
  • Monitor for and block malicious JavaScript malware campaigns, abuse of bulletproof hosting providers, and resilient C2 techniques such as blockchain-based infrastructure.
  • Scan and restrict internet-facing remote-access services (including SSL-VPN appliances) and apply patches immediately to counter bypass techniques and automated attacks.
  • Strengthen supply-chain security practices to defend against malware-signing-as-a-service operations (such as Fox Tempest) and third-party extension compromises.

Nuclear Reactors, Materials, and Waste Sector

No sector-specific incidents, advisories, or operationally relevant reporting were identified during this biweekly reporting period.

Transportation Systems Sector

Iranian Hackers Blamed for Breach of Los Angeles Transit System that Took Weeks to Recover Israeli cybersecurity firm Gambit Security attributed a March 2026 breach of the Los Angeles County Metropolitan Transportation Authority (LA Metro) to Iranian government-linked (MOSI) actors, Black Shadow, operating under the hacktivist cover persona “Ababil of Minab”. Attackers used a virtual machine to delete critical operating system data, stole at least 700 GB of emails, backups, and files, and forced multi-week network isolation and recovery. Gambit Security reported that attackers also reached a real-time rail yard control display system, crossing from administrative IT networks into OT territory, though no manipulation of physical operations has been confirmed. This incident demonstrates state-sponsored destructive capabilities against U.S. transportation OT/IT systems. Florida’s ports, transit authorities, and logistics networks that rely on similar interconnected systems should treat this as a transferable risk.

Iranian APT Targets Aviation, Software Companies with Updated Tools Iranian APT Nimbus Manticore has adopted new tactics and malware variants in campaigns against aviation and software companies. Recent operations used updated tooling that enhances persistence and evasion. This activity demonstrates continued Iranian state-sponsored focus on transportation and related supply-chain targets. Florida’s ports, aviation facilities, and transit networks should treat this as transferable risk and review vendor software supply chains.

Transportation Systems Sector Recommendations:

  • Monitor maritime traffic networks and commercial port environments for localized GPS spoofing attempts or electronic warfare interference.
  • Encrypt all vessel communication systems to prevent threat actors from intercepting sensitive navigation and logistics data.
  • Implement redundant positioning, navigation, and timing systems to maintain safe maritime operations if primary GPS signals are disrupted.
  • Audit and segment all virtual machines, remote-access tools, and OT/IT convergence points in transit and port systems to prevent destructive data-wiping attacks by state actors.

Water and Wastewater Systems Sector

CI Fortify: Strengthening Resilience Across Critical Infrastructure Iranian-linked actors continue to target internet-exposed PLCs and SCADA systems in the water and energy sectors. CISA’s CI Fortify guidance explicitly calls for OT isolation and manual operations readiness—directly applicable to Florida’s municipal water utilities.

Water and Wastewater Systems Sector Recommendations:

  • Immediately remove or isolate all internet-exposed programmable logic controllers and SCADA interfaces.
  • Develop and regularly test manual fallback procedures for water treatment and distribution operations.
  • Monitor anomalous changes to PLC project files and HMI configurations that could indicate manipulation attempts.
  • Accelerate the adoption of AI-assisted defensive tools and conduct regular third-party risk assessments of OT vendors in light of shrinking federal support for water-sector cybersecurity.

CI Bulletin Vol 2, Issue 8, June 9, 2026

Career Launch Series: From SOCAP to Security Engineering

Sanaan Wani

Meet Sanaan Wani, an accomplished student, now a cybersecurity professional at Amazon

For recent USF graduate Sanaan Wani, cybersecurity has never been just a career path; it has been a challenge worth pursuing.

After years of competing, researching, building tools, and securing systems, Wani is now taking the next step in his professional journey. This summer, he will relocate to Dallas, Texas, to begin a full-time role as a security engineer with Amazon. Before graduation, however, he added another impressive accomplishment to an already distinguished résumé: the discovery and responsible disclosure of a software vulnerability that earned an official Common Vulnerabilities and Exposures (CVE) designation.

His journey reflects the hands-on learning, mentorship, and real-world experience that define Cyber Florida’s Security Operations Center Analyst Program (SOCAP).

Finding his place in cybersecurity

Wani graduated from USF in May with a degree in computer science, but his interest in cybersecurity began outside the classroom.

Toward the end of his freshman year, he started attending meetings hosted by USF’s cybersecurity student organizations and quickly discovered that protecting systems was more compelling to him than simply building software.

“I realized I found securing systems much more interesting than just building software,” Wani said.

That curiosity led him to become involved with CyberHerd, USF’s nationally recognized cybersecurity competition team, where he eventually served as blue team captain. Through competitions, training opportunities, and mentorship from coaches and faculty advisors, Wani developed both technical skills and a passion for solving difficult security challenges.

His path to joining the SOCAP began through Cyber Florida’s NIST-funded Industrial Control Systems (ICS) training program, where he learned from Cyber Florida faculty and staff and completed a SANS certification funded through the program. After successfully earning the certification, he applied to SOCAP and officially joined the team in August 2025.

Building skills through real-world security operations

As a SOCAP analyst, Wani worked alongside other students to help monitor and secure networks, investigate security incidents, and support clients across Florida.

His responsibilities ranged from incident response and threat analysis to developing operational improvements for the security operations center itself. One project involved collaborating with fellow SOCAP students to develop a SOC console designed to streamline ticket processing and accelerate response times.

“We do a bit of everything,” Wani said. “From weekly incident responses to writing threat advisories.”

The experience gave him exposure to the realities of cybersecurity operations while also allowing him to pursue emerging areas of research that interested him.

Discovering a vulnerability through AI-assisted research

Outside of his operational work, Wani has spent significant time exploring the intersection of artificial intelligence and cybersecurity. Inspired and encouraged by his CyberHerd teammate, Yeran Gamage, he began building his own autonomous tools to identify security weaknesses in open-source software projects.

“Seeing his success with finding vulnerabilities really inspired me,” Wani said. “He encouraged me to start looking into securing open-source software, which is what originally got me started in vulnerability research.”

Because open-source software powers much of today’s technology ecosystem, Wani saw vulnerability research as an opportunity to strengthen tools used by organizations around the world.

His AI-powered systems scan software repositories for potential security flaws. Once a possible issue is identified, he manually investigates the findings, validates the results, and determines whether the vulnerability could have broader security implications.

That process recently led to the discovery of CVE-2026-45675, a vulnerability in Open WebUI.

The flaw involved a race condition in the platform’s authentication process. During an initial deployment, the first user to log in is intended to become the system administrator. Because of the vulnerability, however, multiple users logging in simultaneously could potentially receive full administrator privileges.

In practical terms, that could allow an unauthorized individual to gain complete administrative control over the platform and its data.
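The "first user becomes admin" race described above, as an added illustration of the bug class (hypothetical code, not Open WebUI's): the vulnerable path reads the user count and writes the new row as two separate steps, so several concurrent signups can all observe an empty table; the hardened path makes the check and the write one atomic step. The in-memory store and the simulated database latency are constructed for the demonstration.

```python
import threading
import time
from dataclasses import dataclass


@dataclass
class User:
    email: str
    role: str


class UserStore:
    """In-memory stand-in for the application's user table (constructed)."""

    def __init__(self):
        self.users = []
        self.lock = threading.Lock()  # used only by the hardened path


def slow_db_roundtrip():
    """Simulates the latency between reading the user count and writing the row."""
    time.sleep(0.05)


def vulnerable_signup(store, email):
    # Check-then-act across a latency window: every request that reads the
    # table while it is still empty concludes it is "first" and grants admin.
    is_first = len(store.users) == 0
    slow_db_roundtrip()
    role = "admin" if is_first else "user"
    store.users.append(User(email, role))
    return role


def hardened_signup(store, email):
    # The check and the write happen under one lock, so only one request can
    # ever observe the empty table. In a real service this guarantee comes
    # from the database (a transaction with a row lock, or an insert that fails
    # if an admin row already exists), not from an in-process lock.
    with store.lock:
        is_first = len(store.users) == 0
        slow_db_roundtrip()
        role = "admin" if is_first else "user"
        store.users.append(User(email, role))
    return role


def concurrent_signups(signup, n=5):
    """Run n simultaneous signups against a fresh deployment.

    Returns (admin_count, total_users). A correct implementation always
    yields exactly one admin no matter how many requests race.
    """
    store = UserStore()
    threads = [
        threading.Thread(target=signup, args=(store, f"user{i}@example.test"))
        for i in range(n)
    ]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    admins = sum(1 for u in store.users if u.role == "admin")
    return admins, len(store.users)


if __name__ == "__main__":
    print("vulnerable:", concurrent_signups(vulnerable_signup))  # several admins
    print("hardened:  ", concurrent_signups(hardened_signup))    # exactly one
```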

Responsible disclosure in action

After identifying and validating the vulnerability, Wani followed the industry’s responsible disclosure process.

Because Open WebUI accepts vulnerability reports through GitHub, he submitted his findings directly to the project’s maintainers. The development team reviewed the report, verified the issue, implemented a fix, and ultimately assigned an official CVE identifier.

For Wani, the milestone was meaningful not simply because of the CVE designation itself, but because it validated the effectiveness of the research methodology he had been developing.

“I’ve been using my AI tooling to find and submit vulnerabilities for a while now,” he said. “Having this one fully verified, patched, and assigned a CVE was a nice nod that the methodology works.”

The accomplishment may be his first officially assigned CVE, but it is unlikely to be his last. He currently has additional vulnerability reports under review and remediation.

The power of mentorship

Wani credits much of his success to the mentors and teammates who encouraged him to pursue ambitious goals.

Within SOCAP, he found a culture that supported innovation and exploration. He points to Duy Dao, assistant security operations center manager, as a major influence on his interest in AI-driven security research.

“Duy encouraged us to consider new research and tools in the AI space,” Wani said. “He didn’t just talk about concepts; he built things and showed them to us.”

He also credits SOCAP Program Manager Ryan Irving for creating an environment where student accomplishments are recognized and celebrated.

“There was a point where I worried I wasn’t completing enough tickets because I was spending so much time focused on AI vulnerability research,” Wani said. “Ryan and Duy were incredibly supportive. They encouraged me to keep going and fully supported my work.”

That encouragement helped him continue pursuing research that ultimately resulted in a verified vulnerability disclosure and CVE assignment.

Looking ahead

With graduation complete, Wani is preparing for his next chapter as a security engineer at Amazon. Having previously interned with the company’s red team, he is eager to return and continue building his career in cybersecurity.

Beyond his professional goals, he hopes to make cybersecurity and artificial intelligence more accessible to broader audiences. One of his long-term aspirations is to create educational content that helps people better understand complex technical concepts.

“Breaking down complex technical concepts into ideas that are accessible and engaging for everyone is a fun challenge,” he said. “I think bridging that knowledge gap is incredibly important.”

Outside of cybersecurity, Wani channels his competitive nature into soccer and competitive gaming, particularly Counter-Strike 2 and Valorant.

Whether on the field, in competition, or researching the next vulnerability, he is constantly looking for opportunities to learn, improve, and push himself further. As he begins his professional career, his accomplishments already demonstrate what can happen when technical talent, curiosity, mentorship, and hands-on experience come together.

Career Launch Series: From SOCAP to Security Engineering, June 2, 2026

Cyber Florida Seeks Fla Residents for Fall CyberWorks Training Program

12-week virtual cybersecurity training program accepts Florida’s veterans, first responders, military spouses, government employees

June 1, 2026—Tampa, Fla—Cyber Florida is accepting applications for the Fall 2026 cohort of CyberWorks, its workforce development program designed to prepare Florida’s public-minded professionals for careers in cybersecurity. The new cohort begins in September 2026 and is available at no cost to eligible participants. The deadline to apply is August 31.

CyberWorks is a 12-week, fully virtual training program that guides participants toward earning the CompTIA Security+ certification, one of the most widely recognized credentials for entry-level cybersecurity roles. In addition to technical training, participants gain access to a network of peers and mentors, career-advancement support, and a collaborative learning community.

Cyber Florida welcomes applications from Florida residents who are:

  • Veterans
  • Transitioning military personnel
  • First responders
  • Military spouses
  • Government employees (federal, state, local, tribal, or territorial)

“Our goal with CyberWorks is to create opportunities for those who serve and support our nation to build new skills, advance their careers, and step confidently into Florida’s growing cybersecurity workforce,” said Cyber Florida’s CyberWorks Assistant Cyber Program Manager Mai Ensmann. “This program is designed to meet learners where they are and help them succeed.”

CyberWorks is funded by the DoW CIO Cyber Academic Engagement Office and the NSA National Centers of Academic Excellence in Cybersecurity Program.

Those interested are encouraged to apply early, as space is limited. For more information or to apply, visit the CyberWorks page on the Cyber Florida website. To hear from CyberWorks graduates, check out the CyberWorks playlist on the Cyber Florida YouTube channel.

Media Contact: Cyber Outreach Manager Jennifer Kleman, APR, CPRC
Email: jennifer437@cyberflorida.org


ABOUT CYBER FLORIDA
The Florida Center for Cybersecurity at the University of South Florida, commonly referred to as Cyber Florida, was established by the Florida Legislature in 2014. Its mission is to position Florida as a national leader in cybersecurity through comprehensive education, cutting-edge research, and extensive outreach. Cyber Florida leads various initiatives to inspire and educate current and future cybersecurity professionals, advance applied research, and enhance cybersecurity awareness and safety of individuals and organizations.

Cyber Florida Seeks Fla Residents for Fall CyberWorks Training Program, June 16, 2026

Teacher Spotlight: Susan Garcia

OpK12 Teacher Spotlight Susan Garcia

Teacher: Susan Garcia

District: Palm Beach County

For more than 20 years, Susan Garcia has inspired Jupiter High School students through innovative, real-world computer science and cybersecurity education. A former programmer and computer coordinator at Pratt & Whitney, she brings industry experience into the classroom to build students’ creativity, critical thinking, and problem-solving skills.

Garcia expanded cybersecurity and programming pathways by founding the Computer Science Honor Society and helping grow the school’s Cybersecurity Academy. Her students compete in leading national programs and competitions, including AFA CyberPatriot, CISCO Networking Academy, Lockheed Martin Cyber Quest and Code Quest, CyberLaunch, and multiple collegiate-level programming tournaments.

She is now leading the launch of Jupiter High School’s Esports Academy, developing a curriculum that integrates Scratch, Minecraft MakeCode, Minecraft AI and Cybersecurity, and Unity with C# to deliver hands-on learning in coding, game development, simulations, and cybersecurity.

Garcia was recently named a Final Four finalist for the 2026 Dwyer Award in the STEM category, recognizing her impact on students and the future cybersecurity and computer science workforce.

Thanks for all you do, Ms. Garcia!

Would you like to be featured in our Teacher Spotlight? To nominate yourself or another deserving teacher, complete the interest form below!

Teacher Spotlight: Susan Garcia (published 2026-05-26T08:37:00-04:00)

Jack Voltaic® Tampa Strengthens Regional Cyber Readiness

Aligned Realistic Cyberattack Simulation Range

Successful Multi-Sector Cyber Exercise Strengthens Tampa Bay Preparedness

From May 18–20, 2026, Cyber Florida, in partnership with the Army Cyber Institute and a broad coalition of federal, state, local, military, academic, and private-sector partners, successfully completed the Jack Voltaic® Tampa Cyber Incident Exercise at the University of South Florida Marshall Student Center.

The three-day, immersive exercise simulated a coordinated cyberattack targeting Tampa Bay’s critical water infrastructure, creating cascading impacts across essential services and adjacent military operations. The event brought together decision makers and technical responders to test coordination, improve readiness, and strengthen cyber resilience across the region.

About Jack Voltaic®

Jack Voltaic® is an initiative led by the Army Cyber Institute designed to evaluate and enhance the resilience of communities surrounding U.S. military installations.

Because modern infrastructure systems are deeply interconnected, disruptions in cyber-physical systems, such as water, energy, transportation, and communications, can quickly ripple across both civilian and defense environments.

Since its launch in 2016, the Jack Voltaic® series has focused on:

  • Strengthening civil-military cyber coordination
  • Testing multi-sector incident response capabilities
  • Identifying infrastructure interdependencies and vulnerabilities
  • Improving regional resilience through realistic scenario-based training

The 2026 Tampa exercise built on this foundation with an expanded focus on operational execution and cross-sector integration.

Exercise Scenario: Coordinated Cyberattack on Water Infrastructure

Participants worked through a realistic, escalating cyber incident affecting water treatment and distribution systems in the Tampa Bay region. The scenario was designed to reflect the complexity of modern cyberattacks against operational technology (OT) and critical infrastructure environments.

Scenario progression included:

  • Corruption of vendor-managed PLC systems
  • Altered chemical setpoints impacting water treatment processes
  • Theft of sensitive utility operational data
  • Loss of SCADA control and degraded system visibility

These events created cascading operational challenges for utilities, emergency managers, and defense-supporting infrastructure, requiring coordinated response across multiple jurisdictions.

Exercise Objectives and Outcomes

The exercise successfully met its core objectives:

  1. Strengthening Regional Response Capabilities

Participants tested and refined the ability of the Tampa Bay region to respond to a sophisticated, multi-sector cyberattack under realistic operational pressure.

  2. Evaluating Emergency Management Under Stress

State and local agencies examined response coordination in an environment reflecting concurrent emergency demands and infrastructure disruption.

  3. Demonstrating Regional Leadership

The Tampa Bay region further established itself as a national leader in cyber incident preparedness and cross-sector collaboration.

  4. Assessing Defense Operational Impacts

The exercise highlighted potential implications for nearby defense installations, including MacDill Air Force Base, as well as U.S. Central Command and U.S. Special Operations Command.

A Dual-Track Training Environment: Tabletop and Live-Fire Integration

A defining feature of the 2026 exercise was the integration of two complementary training environments: a facilitated tabletop exercise (TTX) and a live-fire cyber range exercise (LFX).

Tabletop Exercise (TTX): Strategic Decision-Making in Action

Led in partnership with Norwich University Applied Research Institutes, the tabletop exercise brought together leadership from across sectors to:

  • Evaluate response plans and procedures
  • Coordinate crisis communications strategies
  • Identify gaps in interagency coordination
  • Discuss policy, governance, and resource alignment

Facilitated discussions enabled participants to test assumptions and refine decision-making frameworks under evolving scenario conditions.

Live-Fire Exercise (LFX): Operational Execution at Scale

The live-fire exercise, powered by SimSpace, provided participants with a realistic cyber range environment where technical teams:

  • Analyzed live telemetry, logs, and simulated alerts
  • Identified indicators of compromise across IT and OT systems
  • Implemented containment and mitigation strategies
  • Coordinated across SOC, engineering, and leadership roles
  • Delivered operational briefings to executive stakeholders

The LFX environment enabled participants to directly translate tabletop decisions into technical execution, reinforcing real-world readiness.

Broad Cross-Sector Participation

The exercise brought together an extensive coalition of partners, including:

Federal and Military Partners

State and Local Government

Critical Infrastructure and Industry

Key infrastructure partners included:

  • TECO Energy
  • Tampa Bay Water
  • Tampa General Hospital
  • BayCare Health System
  • AdventHealth
  • US Water Services Corporation

Academic and Research Partners

Idaho National Laboratory and the University of South Florida played key roles in supporting scenario design, technical integration, and research-informed facilitation.

Key Outcomes and Takeaways

Across all three days, participants identified several critical outcomes:

Stronger Cross-Sector Coordination

The exercise reinforced the importance of pre-established relationships between government, industry, and military stakeholders in responding to cyber incidents affecting shared infrastructure.

Improved Operational Awareness

Participants demonstrated improved ability to maintain shared situational awareness across IT and OT environments during rapidly evolving incidents.

Identification of Infrastructure Interdependencies

The scenario highlighted how disruptions in water systems can cascade into healthcare, energy, and defense operations.

Enhanced Crisis Communication Practices

Leadership teams refined strategies for communicating risk, coordinating messaging, and maintaining public trust during cyber disruptions.

After-Action Review and Next Steps

Following the exercise, participants contributed to a comprehensive after-action review capturing:

  • Key strengths in coordination and response
  • Gaps in technical and organizational capabilities
  • Opportunities to improve communication and decision-making workflows
  • Recommendations for future regional cyber preparedness efforts

These findings will inform ongoing efforts to strengthen cyber resilience across Florida’s critical infrastructure ecosystem.

Advancing Cyber Resilience for the Future

The successful completion of the Jack Voltaic® Tampa Cyber Incident Exercise underscored the value of sustained, cross-sector collaboration in addressing today’s evolving cyber threats.

By bringing together civilian leadership, military commands, infrastructure operators, and cybersecurity practitioners in a shared training environment, the exercise strengthened both relationships and operational readiness across the Tampa Bay region.

Cyber Florida and its partners remain committed to advancing this collaborative model, ensuring Florida continues to lead in building resilient, secure, and well-coordinated cyber defense capabilities.

Cyber Florida’s services and resources are available at no charge. To arrange for access to the ARCS Range, visit https://cyberflorida.org/arcs-range/. To explore no-cost cybersecurity training and educational opportunities for all levels of public sector employees, including certification preparation, visit our FirstLine page at https://cyberflorida.org/firstline/. Critical infrastructure organizations interested in completing the Florida Cyber Risk Assessment to access free resources and expert help should visit https://cyberflorida.org/cip/.

Jack Voltaic® Tampa Strengthens Regional Cyber Readiness (published 2026-06-01T13:31:21-04:00)

CI Bulletin Vol 2, Issue 7 May 19, 2026

Florida Critical Infrastructure Cybersecurity Intelligence

This bulletin is produced by USF’s Strategic and Cyber Intelligence Program, in collaboration with Cyber Florida, to deliver timely, actionable insights and recommendations to help Critical Infrastructure owners and operators better protect Florida’s Critical Infrastructure.

Situational Awareness Bulletin #09-2026
Cyber Threat Outlook

Over the next six to nine months, Florida’s critical infrastructure operators face a rapidly deteriorating threat environment shaped by three converging forces: (1) machine-speed exploitation driven by AI-assisted automation, (2) the deliberate targeting of IT/OT convergence points by nation-state actors, and (3) an expanding supply chain attack surface that includes managed service providers, code repositories, and certificate authorities. Threat actors are using generative AI and agentic workflows to discover vulnerabilities, fabricate phishing lures at scale, and automate credential exfiltration through poisoned development pipelines. Simultaneously, state-sponsored actors—particularly Iranian and Chinese-affiliated groups—are refining destructive and persistent techniques against internet-exposed operational technology, including programmable logic controllers and energy management gateways. These trends are compressing the window between vulnerability disclosure and active exploitation to hours or days. Organizations relying solely on periodic patching and signature-based detection are no longer adequately protected. CI owners and operators must treat operational resilience—including tested manual fallback procedures and isolated OT network architectures—as a baseline operational requirement, not a contingency plan. CISA’s new CI Fortify initiative, structured around proactive isolation and systematic recovery, provides a practical starting framework for this transition.

Confidence – High

Executive Summary
  • All Sectors: GenAI and automated tools are lowering the barrier for cyber threat actors to execute high-fidelity phishing and machine-speed exploitation, necessitating a strategic shift toward operational resilience and manual fallback capabilities.
  • Commercial Facilities: Large hospitality venues and building automation systems face data extortion and BAS hijacking risk. The Carnival Corporation incident, in which ShinyHunters claims to have stolen 8.7 million records via phishing, demonstrates that pure data-extortion operations without encryption are increasingly common and may bypass traditional ransomware detection.
  • Communications: Telecommunications carriers and managed service providers (MSPs) face elevated ransomware targeting as adversaries seek to launch cascading attacks against downstream municipal utilities.
  • Critical Manufacturing: Financially motivated actors continue to target the aerospace supply chain with ransomware, highlighting the critical need to harden remote access gateways and segment manufacturing operations.
  • Defense Industrial Base: Persistent targeting of third-party application programming interfaces (APIs) and supply chain vulnerabilities.
  • Energy: Energy providers face multi-vector threats from Iranian-affiliated actors actively probing internet-facing OT systems, a new destructive wiper (Lotus) with no financial motive—indicating state-sponsored intent—and a supply chain breach at smart-meter provider Itron that underscores vendor access risk.
  • Financial Services: The financial sector remains a top target for ransomware and phishing campaigns abusing legitimate management platforms, requiring robust vendor management and anti-money laundering (AML) controls.
  • Government Facilities: Municipal and educational institutions face ransomware, third-party vendor breaches, and identity fraud involving the fabrication of official government credentials.
  • Healthcare and Public Health: Hospitals remain a primary target for sophisticated double-extortion ransomware and medical device targeting, necessitating the adoption of manual-first downtime procedures to sustain patient care.
  • Information Technology: Developer environments and automated build pipelines are experiencing a surge in supply-chain attacks utilizing poisoned open-source packages, agentic AI backdoors, and compromised administrative portals.
  • Transportation Systems: Commercial maritime traffic networks face emerging operational risks from advanced electronic warfare tactics, including localized spoofing and the targeted interception of vessel communication systems.
  • Water and Wastewater Systems: Water utilities must defend against AI-assisted exploitation of PLCs and persistent living-off-the-land (LOTL) administrative access.

All Sectors

Cybersecurity and Infrastructure Security Agency Tells Critical Organizations to Prepare for Cyber Outages The Cybersecurity and Infrastructure Security Agency (CISA) has launched the CI Fortify initiative, a formal CI emergency planning framework to enhance preparation for significant cyber outages. The initiative centers on two operational objectives: (1) isolation—proactively severing connections from third-party and business networks to protect OT environments, and (2) recovery—documenting system configurations, backing up critical files offline, and practicing restoration or transition to manual operations. CISA emphasizes that in the current geopolitical context, as adversaries refine their disruptive capabilities (e.g., Volt Typhoon-style prepositioning), the focus must shift from pure prevention to operational resilience and the ability to maintain essential services during a sustained technical failure. This development is relevant to Florida because the state’s reliance on integrated digital systems for power and water management means that an outage in one sector can quickly cascade into others, requiring tested manual fallback procedures to protect public safety.

Europol IOCTA 2026 Report Highlights Evolving Threat Landscape and the Proliferation of Artificial Intelligence Europol released its 2026 Internet Organised Crime Threat Assessment (IOCTA), detailing a strategic shift toward multi-staged cyber operations. The report emphasizes how generative artificial intelligence (GenAI) lowers the barrier for entry by facilitating high-fidelity phishing and basic malware creation. Additionally, it identifies the expansion of “as-a-service” models into initial access brokerage and distributed denial-of-service (DDoS). This development is significant for Florida’s critical infrastructure (CI) as it signals an increased volume of non-state threats targeting essential services through automated exploitation.

BlueKit Phishing Kit Targets Multiple Platforms with Sophisticated MFA Bypass Attacks The emergence of the “BlueKit” phishing kit marks a significant escalation in credential-harvesting tactics: it bypasses multi-factor authentication (MFA) through adversary-in-the-middle (AitM) techniques. BlueKit operates as a Phishing-as-a-Service (PhaaS) platform, consolidating all attack functions—domain purchase, phishing page deployment, victim session monitoring, and credential exfiltration via Telegram—into a single commercial dashboard. The kit targets over 40 platforms, including Gmail, Outlook, iCloud, GitHub, ProtonMail, and cryptocurrency services, to capture session cookies and bypass traditional authentication guardrails. Because BlueKit steals authenticated session cookies rather than just credentials, standard one-time-password (OTP) and push-notification MFA are not effective defenses. Only FIDO2-compliant hardware security keys fully mitigate this threat class. This development is relevant to Florida as state agencies and municipal utilities increasingly rely on these cloud platforms for administrative operations.
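Why a relayed OTP passes but a relayed FIDO2 assertion does not, as an added example that is not part of the bulletin: a simplified Python model of the WebAuthn checks, with hypothetical relying-party and proxy hostnames and an HMAC standing in for the security key's asymmetric signature.

```python
"""Why FIDO2/WebAuthn resists AitM phishing kits: the browser, not the page, writes
the origin into clientDataJSON and the security key signs over it. Constructed model;
the HMAC stands in for the key's asymmetric signature (real WebAuthn uses ECDSA/EdDSA)."""
import hashlib
import hmac
import json
import secrets
import struct
from dataclasses import dataclass
from urllib.parse import urlparse

RP_ID = "login.example-utility.gov"                     # hypothetical RP ID
RP_ORIGIN = "https://login.example-utility.gov"         # hypothetical RP origin
PHISH_ORIGIN = "https://login.example-utility-gov.net"  # hypothetical AitM proxy host
FLAG_USER_PRESENT = 0x01


@dataclass
class Credential:
    """One credential scoped to a single RP ID; same shape on the token and at the RP."""
    cred_id: bytes
    rp_id: str
    key: bytes            # HMAC secret standing in for the private / public key pair
    sign_count: int = 0


@dataclass
class Assertion:
    client_data_json: bytes
    authenticator_data: bytes
    signature: bytes


def authenticator_sign(cred: Credential, challenge: bytes, origin: str) -> Assertion:
    """Sign authenticatorData || SHA-256(clientDataJSON); the origin is inside the
    signed data. (Real clientDataJSON base64url-encodes the challenge; hex here.)"""
    client_data = {"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin}
    cdj = json.dumps(client_data, sort_keys=True, separators=(",", ":")).encode()
    cred.sign_count += 1
    auth_data = (hashlib.sha256(cred.rp_id.encode()).digest()
                 + bytes([FLAG_USER_PRESENT]) + struct.pack(">I", cred.sign_count))
    sig = hmac.new(cred.key, auth_data + hashlib.sha256(cdj).digest(), hashlib.sha256).digest()
    return Assertion(cdj, auth_data, sig)


def browser_get_assertion(origin: str, rp_id: str, challenge: bytes, token: dict) -> Assertion:
    """Model of navigator.credentials.get(): the page picks rp_id, but the browser only
    allows the origin's host or a parent domain of it, and supplies the origin itself."""
    host = urlparse(origin).hostname or ""
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"rpId {rp_id!r} is not valid for origin {origin!r}")
    if rp_id not in token:               # credentials are scoped to the RP ID
        raise PermissionError(f"no credential scoped to rpId {rp_id!r}")
    return authenticator_sign(token[rp_id], challenge, origin)


def rp_verify_assertion(a: Assertion, expected_challenge: bytes, stored: Credential) -> bool:
    """Simplified relying-party checks from the WebAuthn verification procedure."""
    try:
        cd = json.loads(a.client_data_json)
    except ValueError:
        return False
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge.hex():
        return False
    if cd.get("origin") != RP_ORIGIN:    # the origin-binding check an OTP cannot offer
        return False
    auth = a.authenticator_data
    if (len(auth) != 37 or auth[:32] != hashlib.sha256(RP_ID.encode()).digest()
            or not auth[32] & FLAG_USER_PRESENT):
        return False
    count = struct.unpack(">I", auth[33:])[0]
    if count <= stored.sign_count:       # replay or cloned-key indicator
        return False
    expected = hmac.new(stored.key, auth + hashlib.sha256(a.client_data_json).digest(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, a.signature):
        return False
    stored.sign_count = count
    return True


def register() -> tuple:
    """Constructed registration: returns (token's credential store, RP's stored copy)."""
    cred_id, key = secrets.token_bytes(16), secrets.token_bytes(32)
    return {RP_ID: Credential(cred_id, RP_ID, key)}, Credential(cred_id, RP_ID, key)


def legitimate_login(token: dict, stored: Credential) -> bool:
    challenge = secrets.token_bytes(32)  # issued by the RP for this login
    return rp_verify_assertion(browser_get_assertion(RP_ORIGIN, RP_ID, challenge, token),
                               challenge, stored)


def aitm_relay_login(token: dict, stored: Credential) -> tuple:
    """An AitM proxy on PHISH_ORIGIN relays the RP's real challenge to the victim. Returns
    (browser outcome, RP accepts relayed assertion, RP accepts it with origin rewritten)."""
    challenge = secrets.token_bytes(32)
    try:
        browser_get_assertion(PHISH_ORIGIN, RP_ID, challenge, token)
        outcome = "browser allowed the request"
    except PermissionError as exc:
        outcome = f"blocked by browser: {exc}"
    # Defence in depth: even a non-enforcing client yields an assertion whose signed
    # origin is the phishing host, and rewriting that field invalidates the signature.
    relayed = authenticator_sign(token[RP_ID], challenge, PHISH_ORIGIN)
    as_is = rp_verify_assertion(relayed, challenge, stored)
    patched_cdj = relayed.client_data_json.replace(PHISH_ORIGIN.encode(), RP_ORIGIN.encode())
    patched = Assertion(patched_cdj, relayed.authenticator_data, relayed.signature)
    return outcome, as_is, rp_verify_assertion(patched, challenge, stored)
```

A relayed OTP carries no equivalent of the signed origin field, which is why the kit's proxy can forward it unchanged while the same proxy gets nothing usable from a security key.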

Pro-Russian Hacker Group Gamifies Cyberattacks on Europe with Cryptocurrency Rewards. An investigation revealed that a pro-Russian hacktivist collective is utilizing a gamified platform to coordinate cyberattacks against European infrastructure. Participants earn cryptocurrency rewards for successfully carrying out DDoS attacks or defacing government websites. While currently focused on European targets, the industrialized scale and crowdsourced nature of this campaign represent a transferable risk to the United States infrastructure. This news is relevant to Florida as it highlights how ideological adversaries can incentivize widespread disruption of municipal or utility networks through decentralized financial incentives and automated attack platforms.

Hundreds of Internet-Facing VNC Servers Expose Industrial Control Systems and Operational Technology A global scan by security researchers has identified hundreds of internet-facing virtual network computing (VNC) servers that provide direct access to industrial control systems (ICS) and operational technology (OT) environments. These servers are often configured without authentication or with weak credentials, allowing unauthorized actors to manipulate human-machine interface (HMI) screens and control logic. This exposure is highly relevant to Florida as many municipal water and energy utilities utilize VNC for remote monitoring.

Silver Fox Deploys ABCDoor Malware via Tax-Themed Phishing in India and Russia The Chinese-affiliated advanced persistent threat (APT) group Silver Fox is targeting organizations across the industrial, consulting, retail, and transportation sectors using a new Python-based backdoor dubbed ABCDoor alongside the ValleyRAT malware. The campaign sent over 1,600 malicious emails between early January and early February 2026. The attack chain begins with tax-themed phishing emails containing PDF files with malicious links to ZIP or RAR archives hosted on abc.haijing88[.]com. The archives contain a modified RustSL loader that unpacks the payload and employs phantom persistence to hijack system reboot sequences for survival. While current targeting focuses heavily on Russia and India, Florida’s critical infrastructure operators should monitor for these tactics, techniques, and procedures.

Fortinet Flags Industrial-Scale Cybercrime Driven by Continuous Machine-Speed Attacks A recent report from Fortinet highlights a strategic shift toward industrial-scale cybercrime where attackers utilize automated tools to conduct machine-speed exploitation of vulnerabilities. These campaigns do not rely on manual interaction; instead, they use scripts to identify and compromise thousands of targets simultaneously. This trend is significant for Florida as the state’s large footprint of small and medium-sized municipal utilities may lack the automated defensive tools necessary to counter these high-velocity attacks, making them susceptible to rapid, widespread compromise of their administrative and OT networks.

Security Professionals Identify Identity Management as a Growing Challenge A recent industry survey indicates that the vast majority of cybersecurity professionals now view identity and access management (IAM) as their primary operational hurdle. The rise of GenAI-powered social engineering has made traditional authentication methods less effective, leading to increased unauthorized access. Florida organizations must recognize that identity is the new perimeter and prioritize phishing-resistant MFA to protect sensitive administrative credentials.

Mirai-Based XLabsV1 Botnet Exploits Android Debugging Interfaces Security researchers have identified a new Mirai-based botnet variant, XLabsV1, which is actively exploiting exposed Android Debug Bridge (ADB) interfaces to enlist devices into a DDoS network. The botnet targets Internet of Things (IoT) devices and industrial sensors that have remained insecurely connected to the public internet. This trend is relevant to Florida’s critical infrastructure because of the high density of connected sensors used in smart-city and environmental-monitoring applications across the state.

United States Lists Offensive Cyberattacks in Counterterrorism Strategy The White House has released the 2026 United States Counterterrorism Strategy, which for the first time explicitly integrates offensive cyber operations to proactively disrupt the digital infrastructure of threat actors. This strategy aims to dismantle command and control (C2) nodes before they can be utilized for coordinated physical or cyber strikes. This development is significant for Florida as it signals a shift toward federal pre-emptive actions that may decrease the volume of sophisticated external threats targeting state municipal networks.

Adversaries Leverage AI for Vulnerability Exploitation, Augmented Operations, and Initial Access The Google Threat Intelligence Group (GTIG) has identified the first known instance of a zero-day exploit developed with the assistance of a large language model (LLM). A prominent cybercrime group utilized AI to create a Python script designed to bypass two-factor authentication (2FA) on a popular open-source system administration tool. Additionally, Chinese threat groups (UNC2814) and North Korean actors (APT45) are increasingly using “agentic” workflows to recursively analyze technical documentation and automate vulnerability discovery in embedded devices. This development is highly relevant to Florida as state agencies and municipal utilities rely on these ubiquitous administration tools and connected hardware for public service delivery. Relevant forensic data are being exfiltrated via AI-assisted reconnaissance to facilitate mass exploitation. Organizations must shift toward automated vulnerability management and reduce exposure windows as AI-assisted weaponization compresses the time between disclosure and exploitation.

New Ghostlock Tool Abuses Windows API to Block File Access and Facilitate Extortion The “Ghostlock” tool has emerged as a novel extortion mechanism that abuses legitimate Windows APIs to lock file access without performing traditional encryption. By manipulating system permissions and handles, the tool renders data inaccessible to users, allowing threat actors to demand payment for restoration. These tactics, techniques, and procedures (TTPs) are relevant to Florida CI because they bypass many signature-based ransomware detection tools that monitor specifically for intermittent file encryption patterns or mass file renaming.

Critical Infrastructure Coalition ACI Government Partners with Federal Agencies to Bolster Defense A new coalition of critical infrastructure providers has partnered with federal agencies to streamline threat intelligence sharing and incident response coordination. This partnership is highly relevant to Florida, where the decentralized nature of municipal utilities requires a unified reporting structure.

Mini Shai-Hulud Worm Compromises Development Pipelines via Malicious npm Packages Security researchers have identified a successor to the Bitwarden CLI worm, dubbed “Mini Shai-Hulud,” that uses poisoned npm packages to automate credential exfiltration from continuous integration and continuous delivery (CI/CD) pipelines. The worm targets cloud provider tokens and exfiltrates them to public repositories, mimicking legitimate developer activity. This trend is significant for Florida’s IT and administrative sectors, as automated deployment pipelines are increasingly utilized for municipal web services and infrastructure management.

All Sectors Recommendations:

  • Implement phishing-resistant multi-factor authentication, such as FIDO2-compliant security keys, to mitigate session hijacking via automated adversary-in-the-middle attacks.
  • Identify all internet-facing VNC instances and secure them behind a virtual private network with multi-factor authentication to prevent unauthorized manipulation of industrial controls.
  • Develop and test manual fallback procedures for all life-safety services to ensure operational resilience during a sustained cyber outage.
  • Disable exposed ADB interfaces on internet-connected sensors and internet-of-things devices to prevent enrollment in distributed denial-of-service botnets.
  • Shift toward automated vulnerability management to reduce exposure windows as artificial intelligence-assisted exploitation compresses the time between disclosure and weaponization.

Chemical Sector

No sector-specific incidents, advisories, or tactically relevant reporting were identified during this biweekly reporting period.

Commercial Facilities Sector

Carnival Corporation Targeted in Ransomware Attack
ShinyHunters, a group known for data extortion, claimed responsibility for the theft of approximately 8.7 million Carnival Corporation records, including names, dates of birth, and loyalty program data, after gaining access through a phishing attack on a single employee account. Carnival confirmed the unauthorized access and activated its incident response plan but has not confirmed whether customer data was compromised. This incident highlights the ongoing exposure of large hospitality and entertainment venues within the commercial facilities infrastructure. Florida serves as the global epicenter for the cruise industry, with major hubs in Miami and Fort Lauderdale, making this breach directly relevant to the state’s economic and maritime safety. Relevant data are often exfiltrated to pressure operators during peak travel seasons. Organizations must prioritize segmenting guest services from core vessel navigation and administrative systems.

EnOcean SmartServer Flaws Expose Building Automation Systems to Remote Hijacking Security researchers disclosed multiple critical vulnerabilities in the EnOcean SmartServer IoT gateway, which is widely used in building automation systems (BAS). The flaws allow unauthenticated remote code execution (RCE) on the device, potentially giving attackers control over physical building systems, including lighting, climate control, and electronic locks. This discovery is relevant to Florida as many large-scale commercial facilities, such as stadiums and convention centers, rely on these gateways for facility management. Compromised systems could be used to disrupt operations or facilitate unauthorized physical access during high-traffic public events.

Commercial Facilities Sector Recommendations:

  • Segment guest services and public-facing networks from core vessel navigation and administrative systems to prevent lateral movement during a ransomware intrusion.
  • Patch EnOcean SmartServer IoT gateways immediately and restrict external network access to building automation systems to block unauthenticated remote code execution attempts.
  • Monitor network environments for unauthorized data exfiltration activities that frequently precede ransomware deployment and extortion demands during peak operational seasons.

Communications Sector

VECTR-CAST: Elevated Telecom and MSP Targeting in Next 14 Days A private threat-forecast report released on May 4, 2026, highlights a heightened risk of ransomware and data-theft operations against United States telecommunications carriers and managed service providers (MSPs) over the next two weeks. The report notes that several ransomware groups have expanded affiliate recruiting and are prioritizing service providers with downstream critical infrastructure (CI) customers. This development is highly relevant to Florida, as the state’s extensive network of MSPs provides foundational support for municipal utilities and local government services, making these providers prime targets for “cascading” attacks designed to disrupt multiple downstream entities simultaneously.

Communications Sector Recommendations:

  • Enforce strict multi-factor authentication and the principle of least privilege on all managed service provider remote access connections to prevent adversaries from pivoting into downstream municipal utility networks.
  • Monitor telecommunications and managed service provider environments continuously for unauthorized affiliate activity or staging of data exfiltration tools that typically precede ransomware deployment.
  • Prepare contingency plans to immediately sever or isolate administrative access from managed service providers if anomalous activity or cascading ransomware attempts are detected.
  • Back up all critical configuration files and operational data to secure, offline storage to ensure rapid recovery capabilities for downstream local government services during a data-theft or encryption event.

Critical Manufacturing Sector

Stelia Aerospace Targeted in Apparent Ransomware Attack Impacting Industrial Operations Stelia North America, a major Airbus Atlantic subsidiary specializing in aerostructures, reportedly experienced a ransomware attack that disrupted its internal information technology (IT) systems. While the company stated that the incident was strictly contained to the Stelia North America IT environment and does not impact the broader Airbus Atlantic network, the breach highlights the persistent targeting of the aerospace supply chain by financially motivated actors. Rhysida, the ransomware group responsible, issued a $2.07 million ransom demand and claimed to possess 10 TB of data, including records associated with defense contractors such as Lockheed Martin, Northrop Grumman, Sikorsky, and Boeing. This incident is highly relevant to Florida’s extensive aerospace and defense technology clusters, particularly in the Space Coast and Northwest Florida regions. Relevant production data are often exfiltrated during these intrusions to pressure victims into payment. Manufacturers must prioritize hardening remote access gateways and implement immutable, offline backups of all critical engineering workstations and design files.

Critical Manufacturing Sector Recommendations:

  • Harden remote access gateways to prevent initial unauthorized access by financially motivated threat actors targeting the aerospace supply chain.
  • Implement immutable, offline backups for all critical engineering workstations and design files to ensure resilience against ransomware encryption and data extortion.
  • Monitor internal information technology systems for unauthorized data exfiltration activities that frequently precede ransomware deployment and operational disruption.
  • Segment critical manufacturing operations from internal information technology networks to prevent lateral movement and maintain operational resilience during a breach.

Dams Sector

No sector-specific incidents, advisories, or tactically relevant reporting were identified during this biweekly reporting period.

Defense Industrial Base Sector (Updated)

Critical API Flaw In Defense Contractor Platform Exposes Military Data A high-severity vulnerability was identified in an application programming interface (API) used by a DoD contractor, which could have allowed unauthorized access to sensitive military logistics data. The flaw involved improper authentication handling, which allowed unprivileged users to query restricted records. This incident is highly relevant to Florida’s extensive defense industrial base, as many regional contractors utilize similar third-party APIs for automated data exchange, necessitating immediate audits of all external-facing service points.

Pentagon Changing Cybersecurity Training Requirement to Focus on Continuous Assessment The Pentagon is transitioning its cybersecurity training requirements from periodic annual certifications to a model of continuous, hands-on technical assessment. This change is designed to ensure the defense workforce remains proficient against rapidly evolving threats like AI-assisted exploitation. Florida-based defense contractors should anticipate updated compliance mandates that prioritize active defense skills and verified technical competency over traditional awareness training.

Army Integrates Defense Industry Hackathon To Identify Supply Chain Flaws The United States Army has launched a new initiative to integrate defense industry partners into collaborative “hackathons” designed to identify vulnerabilities in the military supply chain. These events allow security researchers to probe contractor systems for weaknesses in a controlled environment. This development is significant for Florida contractors as it provides a proactive avenue to identify and remediate flaws before they can be exploited by advanced persistent threats (APTs).

Defense Industrial Base Sector Recommendations:

  • Audit all external-facing APIs and service points to identify and remediate improper authentication handling.
  • Transition internal training models to prioritize continuous technical assessments and hands-on skills over traditional annual awareness certifications.
  • Incorporate high-speed data processing and AI-driven trajectory prediction into defense-related software to align with future command-and-control procurement standards.
Emergency Services Sector

No sector-specific incidents, advisories, or tactically relevant reporting were identified during this biweekly reporting period.

Energy Sector

Operational Technology Information Sharing and Analysis Center Flags Rising Cyber Risk to Energy Environments The Operational Technology Cybersecurity Information Sharing and Analysis Center (OT-ISAC) issued an advisory regarding escalating risks to energy-sector operational technology. This warning cites recent destructive attacks abroad and the ongoing exploitation of internet-facing programmable logic controllers (PLCs) by Iranian-affiliated actors. Groups such as CyberAv3ngers are specifically refining attacks against Rockwell Automation and Allen-Bradley devices used in power generation. This development is relevant to Florida, where municipal power utilities rely on these specific controller types. Relevant telemetry data are often targeted to cause localized disruptions. Operators should verify that all OT assets are removed from the public internet.

Destructive Lotus Wiper Malware Targets Regional Energy Providers and Utilities Security researchers identified a new destructive malware variant, dubbed “Lotus,” utilized in targeted attacks against energy providers and utilities in Venezuela. The wiper is specifically engineered to permanently delete critical system files and master boot records (MBR), rendering affected systems permanently inoperable and unrecoverable. While this specific campaign is regional, the tradecraft used to bypass industrial security controls represents a significant “transferable risk” to United States energy infrastructure. Unlike ransomware, Lotus Wiper contains no payment demand or extortion mechanism. The sole objective is permanent, irreversible system destruction—indicating state-sponsored targeting rather than financial motivation. Standard ransomware response protocols do not apply. This news is relevant to Florida because state utility operators use similar industrial control systems (ICS) that could be targeted by malicious actors during periods of geopolitical escalation. Relevant telemetry data are essential for identifying unauthorized changes to system logic files. Energy providers should ensure that all critical configurations and backups for operational technology (OT) are stored in an immutable, offline format to ensure rapid recovery.

Itron Hackers Accessed Critical Infrastructure Operators Hackers breached Itron, a major provider of smart meters and grid management systems, though the breach was confined to Itron’s own corporate IT network; no unauthorized activity was observed in the customer-hosted portion of its systems, and operations continued without material disruption. The full scope of the breach—including what data may have been accessed—remains under investigation. Given Itron’s role as a foundational supplier to energy and water utilities, this incident represents a significant third-party supply chain risk for Florida operators who rely on Itron’s platforms. While operational disruption to the grid has not been confirmed, the access granted to attackers potentially provided control over energy distribution endpoints. This is highly relevant to Florida’s Energy and Water sectors, which rely on similar advanced metering infrastructure (AMI) deployments. Florida operators should audit all third-party service account permissions and monitor for anomalous remote access activity originating from vendor-managed gateways.

Iranian-Linked Actors Continue OT Targeting Of U.S. Energy Sector A May 3, 2026, legal-sector brief reiterates that Iranian-linked cyber actors are actively probing and exploiting internet-facing OT used in United States energy facilities. These actors focus on insecure remote access, misconfigurations, and limited OT visibility to enable disruptive physical effects rather than pure data theft. This activity remains highly relevant to Florida as state energy providers rely heavily on internet-connected industrial hardware, making them susceptible to targeted efforts designed to cause operational downtime during periods of geopolitical escalation.

DOE’s Skyfall Testbed Highlights U.S. Preparation for Power-Grid Cyberattacks Lawrence Livermore National Laboratory (LLNL) publicized its Skyfall facility, a platform for modeling malware-driven attacks on power-grid ICS. The testbed is designed to evaluate defenses against Ukraine-style grid intrusions that could be replicated against United States utilities. This project is significant for Florida energy providers, as it provides a validated framework for testing the resilience of the state’s electric grid against sophisticated, state-sponsored, disruptive malware.

Nuclear Power Reaches Record 41 Percent Of Tennessee Valley Authority Generation Nuclear generation has reached a record high of 41 percent of the total power supply for the Tennessee Valley Authority (TVA), highlighting the growing reliance on nuclear energy for regional grid stability. This trend emphasizes the critical need to secure nuclear infrastructure against cyber-physical disruption. Florida’s energy providers must recognize that as nuclear generation becomes more foundational to the grid, the OT managing these facilities becomes a primary target for state-sponsored adversaries.

EPA Plan Allows Work on Data Centers and Power Plants Before Air Permits are Finalized A new Environmental Protection Agency (EPA) proposal would allow developers to begin preliminary work on data centers and power plants before final air quality permits are issued. The move aims to accelerate infrastructure growth to meet the energy demands of artificial intelligence. This development is significant for Florida’s energy sector, as it may lead to faster deployment of regional generation facilities but also necessitates a proactive approach to securing these new construction sites against physical and cyber intrusions.

PPL Corporation and Blackstone Announce Major Data Center Pipeline for Grid Stability PPL Corporation and Blackstone have announced a massive new pipeline for data center construction, highlighting the immense load growth currently challenging grid operators. The expansion focuses on facilities optimized for AI workloads, which require significantly higher power density than traditional data centers. This trend is highly relevant to Florida as the state’s own data center boom places increased strain on municipal power generation and requires coordinated load-shedding agreements with industrial consumers.

Energy Sector Recommendations:

  • Verify all OT assets, particularly Rockwell Automation and Allen-Bradley programmable logic controllers, are removed from the public internet.
  • Store all critical OT system configurations and industrial control system backups in an immutable, offline format to enable rapid recovery from destructive wiper attacks.
  • Audit third-party service account permissions and monitor vendor-managed gateways for anomalous remote access activity impacting smart meter management systems.
Financial Services Sector

Federal Bureau of Investigation Identifies Financial Services as Second-Most Targeted Critical Infrastructure Sector (Source also cited under Healthcare and Public Health) Newly released Federal Bureau of Investigation (FBI) statistics show that the financial services sector experienced 447 combined ransomware and data-breach incidents in 2025. This makes it the second-most targeted critical infrastructure sector, just behind healthcare. The sustained pressure on banks, insurers, and payment processors underscores the high value that criminal actors place on financial records. Florida has a significant financial hub in Miami, making this trend relevant to the state’s economic stability. Relevant data are frequently targeted for financial fraud or high-stakes extortion. Organizations should prioritize real-time monitoring of external data flows and more rigorous vendor management protocols.

Threat Actors Abuse Google Ads for GoDaddy and ManageWP Phishing Campaigns Hackers are utilizing malicious Google Ads to impersonate legitimate GoDaddy and ManageWP login pages, targeting website administrators with sophisticated phishing campaigns. These ads lead to “poisoned” landing pages that harvest credentials to gain access to financial and administrative portals. This development is relevant to Florida, as many small businesses and financial service providers rely on these platforms for web management, making them susceptible to account takeovers that could facilitate further financial fraud.

Financial Services Sector Recommendations:

  • Prioritize real-time monitoring of external data flows to identify and block unauthorized exfiltration of sensitive financial records.
  • Enforce phishing-resistant multi-factor authentication on all web management and administrative portals to prevent account takeovers via poisoned landing pages.
  • Implement robust anti-money laundering (AML) controls and formal incident response protocols to mitigate the legal and operational risks associated with ransomware interactions.
  • Perform rigorous vendor management assessments to identify and secure vulnerabilities within the supply chain that could facilitate financial fraud.
Food and Agriculture Sector

No sector-specific incidents, advisories, or tactically relevant reporting were identified during this biweekly reporting period.

Government Services and Facilities Sector

Federal Shutdown Ends as Cybersecurity and Infrastructure Security Agency Faces Long Recovery Window Following the end of a record 75-day partial government shutdown, the Cybersecurity and Infrastructure Security Agency (CISA) is facing a significant backlog in vulnerability assessments and incident response support. The shutdown disrupted critical monitoring of state and local government networks, potentially allowing adversaries to establish persistent footholds. This development is significant for Florida as municipal agencies often rely on CISA for specialized technical support. Government facilities should conduct comprehensive audits of their perimeter hardware to identify any indicators of compromise (IOCs) that may have occurred during the reduced-oversight period.

Cyberattack Continues to Disrupt County Tax Operations In Mississippi As of May 3, 2026, a cyberattack continues to disrupt county tax operations in Adams County, Mississippi, specifically impacting the “car tag” processing system. The incident has forced officials to rely on manual workarounds, causing significant delays for residents as restoration efforts continue. While the specific attack type or actor has not been confirmed, this event serves as a tactical analog for Florida municipal government facilities, highlighting the immediate operational impact and public service strain caused by disruptions to specialized administrative tax and registration databases.

Hawaii AG Claims Someone is Impersonating the State’s CTO, a Role that Doesn’t Exist The Hawaii Department of the Attorney General issued a public warning in April 2026 that an individual named Iqbal Khowaja was fraudulently presenting himself as the ‘CTO of the State of Hawaii’ at national conferences, including the Bitcoin 2026 conference in Las Vegas, and on social media platforms. Hawaii has no state CTO position; the relevant leadership role is held by Chief Information Officer Christine Sakuda. This incident is relevant to Florida as a reminder that government officials and vendors should verify the credentials of individuals claiming to represent state technology agencies before sharing operational or organizational information.

Instructure Data Breach Highlights Risks Of School District Vendor Dependence A data breach at Instructure, the provider of the Canvas learning management system, has exposed sensitive information from multiple school districts. The breach resulted from unauthorized access to a third-party vendor environment where administrative data were stored. This incident underscores the systemic risk to Florida’s educational institutions, which rely heavily on centralized vendors for student and faculty data management, necessitating more rigorous third-party risk assessments.

Russia Operates Top-Secret Spy School For Hacking And Western Electoral Interference A joint investigation has revealed the existence of a specialized Russian intelligence facility dedicated to training operatives in advanced hacking and social engineering for Western electoral interference. The school focuses on bypass techniques for modern security software and the industrialization of “fake news” campaigns. This development is significant for Florida as the state’s political and government infrastructure remains a priority target for foreign influence and disruptive cyber operations.

San Diego Colleges Hit by Sophisticated Cyberattack Disrupting Campus Operations Several colleges in the San Diego area have experienced a major cyberattack that has disrupted campus networks, administrative systems, and student services. The incident forced the institutions to take many systems offline, impacting registration and financial aid processing. This event is a critical reminder to Florida’s higher education institutions that educational facilities are prime targets for ransomware and other disruptive attacks, necessitating robust network segmentation and off-site backups of essential academic and financial records.

Government Services and Facilities Sector Recommendations:

  • Perform comprehensive audits of perimeter hardware to identify indicators of compromise that may have occurred during periods of reduced oversight.
  • Verify mobile device management policies and ensure all government-issued hardware is strictly inventoried and secured with updated software.
  • Implement rigorous third-party risk assessments for all administrative and educational vendors to mitigate systemic supply chain vulnerabilities.
  • Conduct employee training on emerging social engineering tactics, including deepfake audio impersonation, to prevent unauthorized disclosure of network configurations.
Healthcare and Public Health Sector

Global Medical Device Manufacturer Medtronic Discloses Cyberattack on Internal Information Technology Network Medtronic, one of the world’s largest medical device manufacturers, disclosed that its internal information technology (IT) network was targeted in a sophisticated cyberattack on April 27, 2026. The company reported that while corporate systems were accessed, the intrusion did not disrupt manufacturing operations or impact the safety of patient devices. This incident highlights the persistent targeting of the medical technology supply chain by advanced persistent threat (APT) actors. This event is relevant to Florida healthcare networks because Medtronic products, including pacemakers and insulin pumps, are ubiquitous in clinical settings and widely used by the state’s large retiree population. Compromised corporate data are often utilized to identify vulnerabilities in product firmware or to facilitate social engineering against healthcare providers. Florida hospitals must prioritize vendor risk management and ensure that all medical devices are isolated on dedicated, non-routed network segments to prevent lateral movement.

FBI Urges Hospitals to Elevate Cybersecurity as a Patient Safety Priority A recent Federal Bureau of Investigation (FBI) briefing reports that the healthcare sector was the most targeted critical infrastructure sector in 2025, with 460 ransomware attacks and 182 data breaches. Organized cybercrime groups are deliberately prioritizing hospitals due to the life-or-death pressure to restore systems, prompting policy experts to call for terrorism designations for these attacks. This development is relevant to Florida’s extensive healthcare network and large retiree population, where disruptions to care can have immediate consequences. Relevant data are often exfiltrated to maximize extortion leverage. Hospitals should integrate cybersecurity into their broader clinical safety protocols and maintain redundant communication protocols for emergencies.

Sandhills Medical Foundation Discloses Ransomware Breach Affecting 170,000 Individuals Sandhills Medical Foundation confirmed a significant data breach following a ransomware attack that impacted the records of approximately 170,000 individuals. The compromised information included patient names, Social Security numbers, and clinical data. While the medical facility maintained clinical continuity, the large-scale exposure of sensitive records highlights the persistent threat to municipal healthcare systems. This incident is relevant to Florida as state medical networks and community health centers are primary targets for double-extortion campaigns. Relevant patient data are often exfiltrated before encryption to maximize extortion leverage. Healthcare providers should implement robust network segmentation and prioritize protecting diagnostic imaging and patient record systems.

Ransomware and Data-Theft Campaigns Persistent Threat to Healthcare Infrastructure Aggregated April 2026 incident reporting highlights that ransomware and data-theft campaigns against healthcare providers and medical technology firms continue to disrupt clinical operations. These attacks, which have included hospital IT outages that forced ambulance diversions and major breaches at global medical device manufacturers, expose large volumes of patient records. Ransomware remains a dominant threat to healthcare infrastructure, frequently using double-extortion tactics to pressure victims into paying. This development is relevant to Florida because the state’s large healthcare sector and major trauma centers are primary targets for sophisticated threat actors seeking high-leverage data. Relevant patient data are often exfiltrated before the encryption phase, necessitating a shift toward hardware-enforced protections. Organizations must prioritize developing clinical downtime procedures and isolating legacy medical devices to maintain life-safety services during a sustained technical outage.

U.S. Hospital Sector Launches New Cybersecurity Readiness Initiative After FBI Notes Healthcare as Top Ransomware Target In 2025 The American Hospital Association (AHA) and The Joint Commission announced a joint cybersecurity readiness effort to strengthen hospital defenses and incident response. This initiative follows the FBI’s report identifying healthcare as the leading sector for ransomware and cyber threats in 2025. Florida health systems are urged to participate in these voluntary readiness programs to align with national standards and mitigate the risks associated with high-volume ransomware attacks.

Data Breaches At Four Healthcare Providers Expose Sensitive Records In May 2026 Four major healthcare providers reported significant data breaches in early May 2026, resulting in the unauthorized exposure of patient medical records and personally identifiable information (PII). These incidents involved a mix of direct credential-stuffing attacks and the exploitation of vulnerabilities in third-party billing platforms. This trend is relevant to Florida, as the state’s large healthcare sector remains a primary target for ransomware groups seeking high-leverage data for double-extortion tactics.

Artificial Intelligence Finds Thirty-Eight Security Flaws In OpenEMR Healthcare Software Security researchers utilizing an AI-assisted software scanner identified thirty-eight previously unknown security vulnerabilities in OpenEMR, a widely used open-source electronic health record (EHR) platform. These flaws include critical remote code execution (RCE) and Structured Query Language (SQL) injection vulnerabilities that could allow unauthorized access to patients’ medical records. This development is significant for Florida, as many municipal health departments and smaller clinics utilize open-source EHR solutions for patient management. Relevant diagnostic data are at risk if APTs exploit these vulnerabilities. Organizations are urged to verify their OpenEMR versions and apply the latest security patches immediately.

Ransomware Group ‘The Gentlemen’ Claims Attack On Puerto Rico Community Hospital Caribbean Medical Center in Fajardo, Puerto Rico, disclosed a February ransomware attack claimed by “The Gentlemen,” an emerging double-extortion group. The intrusion led to the theft of data affecting approximately 92,000 patients, which was subsequently posted to the group’s leak site. This incident underscores the growing threat to regional healthcare providers and is relevant to Florida, given the close medical and social ties between the state and Puerto Rico.

Gentleman Ransomware Group Suffers Data Breach Exposing Internal Negotiator Communications In a significant turn, the “Gentleman” ransomware group, known for targeting healthcare providers, has reportedly suffered a data breach. The leak includes internal chat logs and negotiator communications, providing researchers with rare insight into the group’s operational structure and double-extortion tactics, techniques, and procedures (TTPs). This development is relevant to Florida healthcare networks as the exfiltrated data are being used to refine defensive strategies and better prepare hospital negotiators for future interactions with this specific threat cluster.

Healthcare and Public Health Sector Recommendations:

  • Isolate all medical devices, such as pacemakers and insulin pumps, on dedicated, non-routed network segments to prevent lateral movement.
  • Verify OpenEMR versions immediately and apply security patches to remediate remote code execution and SQL injection vulnerabilities.
  • Integrate cybersecurity into clinical safety protocols and develop “manual-first” downtime procedures to sustain patient care during sustained technical outages.
  • Participate in national readiness initiatives and implement phishing-resistant multi-factor authentication to protect sensitive patient records from credential-stuffing attacks.
Information Technology Sector

Malicious SAP npm Packages Compromised in Supply Chain Attack Targeting Developer Pipelines Security researchers identified several malicious packages on the npm registry that impersonate legitimate SAP (Systems, Applications, and Products in Data Processing) libraries to facilitate supply chain compromises. These “poisoned” packages are designed to exfiltrate environment variables, cloud provider credentials, and Secure Shell (SSH) keys from developer workstations during installation. This incident is significant for Florida because many large-scale enterprises and municipal utilities use SAP for enterprise resource planning (ERP) and supply chain management. Relevant credential data are often stolen to facilitate further lateral movement into production environments. Florida development and operations (DevOps) teams must implement strict package verification and audit all package.json files for unauthorized dependencies.
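As an added example (not code from the bulletin or from any vendor), the following Python script performs the dependency audit this recommendation calls for: it reads an npm lockfile and flags packages that run install-time scripts, resolve from an unapproved registry host, lack a pinned integrity hash, or borrow a trusted vendor’s name outside that vendor’s scope. The lockfile, package versions and hashes are constructed; the trusted scope and approved registry host are assumptions to adapt.

```python
"""Audit an npm lockfile (package-lock.json, lockfileVersion 2 or 3) for the
supply-chain red flags behind poisoned vendor look-alike packages.

Every check runs offline on the lockfile alone:
  install-script   - package runs a preinstall/install/postinstall hook, the
                     stage at which poisoned packages exfiltrate secrets
  foreign-registry - tarball resolved from a host other than the approved one
  no-integrity     - no Subresource Integrity hash pinned for the tarball
  confusable-name  - name outside a trusted scope that borrows its vendor name
The lockfile below is constructed for this example; versions and hashes are fake.
"""
import difflib
import json
from urllib.parse import urlparse

APPROVED_REGISTRY_HOST = "registry.npmjs.org"
TRUSTED_SCOPES = ("@sap/",)  # scopes the organisation knowingly depends on (assumption)

SAMPLE_LOCK = json.loads(r"""
{
  "name": "billing-portal",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "billing-portal", "version": "1.0.0"},
    "node_modules/@sap/cds": {
      "version": "0.0.0-example",
      "resolved": "https://registry.npmjs.org/@sap/cds/-/cds-0.0.0-example.tgz",
      "integrity": "sha512-EXAMPLEHASHAAAA"
    },
    "node_modules/sap-cloud-connector": {
      "version": "0.0.0-example",
      "resolved": "https://registry.npmjs.org/sap-cloud-connector/-/sap-cloud-connector-0.0.0-example.tgz",
      "integrity": "sha512-EXAMPLEHASHBBBB",
      "hasInstallScript": true
    },
    "node_modules/left-pad": {
      "version": "0.0.0-example",
      "resolved": "https://mirror.example.net/left-pad-0.0.0-example.tgz"
    }
  }
}
""")


def package_name(path, meta):
    """Lockfile keys are paths such as node_modules/a/node_modules/@scope/b."""
    return meta.get("name") or path.rsplit("node_modules/", 1)[-1]


def is_confusable(name, trusted_scopes=TRUSTED_SCOPES):
    """Heuristic: the name sits outside every trusted scope, yet its leading
    token equals or nearly equals a trusted vendor name (sap-*, @sapp/*)."""
    if any(name.startswith(scope) for scope in trusted_scopes):
        return False  # genuinely inside a trusted scope
    head = name.lstrip("@").split("/")[0].split("-")[0]
    for scope in trusted_scopes:
        vendor = scope.strip("@/")  # "@sap/" -> "sap"
        if head == vendor or difflib.SequenceMatcher(None, head, vendor).ratio() >= 0.8:
            return True
    return False


def audit_lockfile(lock, registry_host=APPROVED_REGISTRY_HOST, trusted_scopes=TRUSTED_SCOPES):
    """Return (package, finding, detail) tuples for every installed package."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "" or meta.get("link"):  # root project / workspace symlink
            continue
        name = package_name(path, meta)
        if meta.get("hasInstallScript"):
            findings.append((name, "install-script", "runs a lifecycle install hook"))
        resolved = meta.get("resolved")
        if resolved:
            host = urlparse(resolved).hostname
            if host != registry_host:
                findings.append((name, "foreign-registry", f"tarball from {host}"))
        if not meta.get("integrity"):
            findings.append((name, "no-integrity", "no SRI hash pinned"))
        if is_confusable(name, trusted_scopes):
            findings.append((name, "confusable-name", "borrows a trusted vendor name"))
    return findings


def findings_by_package(findings):
    """Group finding kinds per package for quick review."""
    grouped = {}
    for name, kind, _ in findings:
        grouped.setdefault(name, set()).add(kind)
    return grouped


if __name__ == "__main__":
    for name, kind, detail in audit_lockfile(SAMPLE_LOCK):
        print(f"{kind:16} {name:24} {detail}")
```

Running `npm ci --ignore-scripts` in CI is the enforcement counterpart: install hooks then cannot execute at all, and any package that genuinely needs one surfaces in this audit for review.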

New MOVEit Vulnerabilities Prompt Urgent Patch Warning Progress Software has issued an urgent advisory for two newly discovered vulnerabilities in its MOVEit Automation file transfer tool: CVE-2026-4670, a critical authentication bypass, and CVE-2026-5174, an improper input validation vulnerability that allows a high-severity privilege escalation. Exploitation of these flaws allows unauthorized access, administrative control, and data exposure. Scans indicate that over 1,440 internet-connected devices are running vulnerable versions, including those in state and local government agencies. To remediate these vulnerabilities, organizations must upgrade to a patched release using the full software installer, a process that requires temporarily taking the MOVEit Automation service offline. As of this bulletin’s publication, no confirmed in-the-wild exploitation has been reported. However, given the 2023 Cl0p campaign that weaponized a prior MOVEit flaw within hours of public disclosure, treating this as an imminent exploitation risk is prudent. Florida critical infrastructure entities relying on MOVEit Automation should immediately apply updates to prevent unauthorized data access.

Palo Alto PAN-OS Flaw Under Active Exploitation Leads to Remote Code Execution A critical vulnerability in Palo Alto Networks PAN-OS (CVE-2026-0300) is being actively exploited in the wild, allowing unauthenticated attackers to achieve root RCE. CISA added CVE-2026-0300 to its Known Exploited Vulnerabilities (KEV) catalog on May 6, 2026. The flaw exists in the User-ID Authentication Portal (Captive Portal) and has been used to deploy backdoors and harvest internal credentials. As of May 14, 2026, a patch is available. This development is highly relevant to Florida’s public and private sectors, where Palo Alto firewalls are widely deployed as perimeter defenses; failure to patch immediately could result in a complete network compromise.

PyTorch Lightning Compromised in Supply Chain Attack via Python Package Index Security researchers identified a malicious version of the PyTorch Lightning library uploaded to the Python Package Index (PyPI). The compromised version contained a backdoor designed to exfiltrate developer secrets and establish persistent access to cloud environments. This supply chain attack targets the automated build pipelines of artificial intelligence (AI) developers. This news is significant for Florida’s information technology (IT) sector as local technology firms increasingly utilize these libraries for AI development. Relevant data are often exfiltrated through malicious environment variables, necessitating strict verification of all third-party libraries used in the software development life cycle (SDLC).

Google Remediates High-Severity Remote Code Execution Vulnerability in Gemini CLI Tool Google has issued a critical security patch to remediate a high-severity remote code execution (RCE) vulnerability in its Gemini Command-Line Interface (CLI) tool. The flaw, which received a Common Vulnerability Scoring System (CVSS) score of 10.0, allowed unauthenticated attackers to execute arbitrary commands within continuous integration and continuous delivery (CI/CD) pipelines. This vulnerability is highly relevant to Florida as state agency developers and municipal IT teams increasingly adopt AI-assisted automation for infrastructure management. Relevant build data may be exposed if the CLI tool remains unpatched. Organizations should immediately update all developer workstations and automated build environments to the latest version of the Gemini CLI.

Ransomware Groups Pivot to Abusing Remote-Access Pathways and SaaS Administrative Portals Ransomware intelligence reporting from the first quarter of 2026 shows that encryption-focused groups such as Inc, Akira, and Qilin are increasingly abusing remote-access pathways rather than using legacy virtual private networks (VPNs). Threat actors utilize compromised Single Sign-On (SSO), OAuth tokens, and Software-as-a-Service (SaaS) administrative access to infiltrate enterprise information technology (IT) environments. Once access is established, adversaries use extensive lateral movement to stage extortion operations against organizations that support critical infrastructure. This trend is significant for Florida because many state agencies and municipal utilities are migrating to cloud-based SaaS solutions, expanding the digital attack surface. Relevant credential data are often harvested through sophisticated phishing or by exploiting unpatched vulnerabilities in remote-access utilities. Organizations are urged to enforce phishing-resistant multi-factor authentication (MFA) and implement strict monitoring of administrative logs to detect unauthorized access to cloud-based management platforms.
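As an added example, not part of the bulletin, the following Python detection logic scores constructed SaaS audit-log events against a baseline of each administrator’s MFA-backed sign-in addresses, flagging the token-based sign-in from an unknown address, the broad OAuth consent and the privileged role grant that together make up the access pattern described above. The event schema, identities, role names and scopes are assumptions to be mapped onto the platform’s own audit fields.

```python
"""Detect the remote-access abuse pattern described above, namely stolen SSO or
OAuth tokens used against SaaS administrative portals, in a tenant audit log.

The event schema and every log line here are constructed for this example.
Map your platform's own audit fields onto: actor, ip, event, auth, mfa,
role, target, app, scopes.  Trusted source addresses per administrator are
learned from earlier MFA-backed interactive sign-ins; later events are
scored against that baseline.
"""
import json
from collections import defaultdict

ADMINS = {"alice.admin@utility.example.org"}                           # assumption
PRIVILEGED_ROLES = {"Global Administrator", "Security Administrator"}  # assumption
BROAD_SCOPES = {"Directory.ReadWrite.All", "Mail.ReadWrite", "Files.ReadWrite.All"}

# Earlier, legitimate activity used to learn the baseline (constructed).
HISTORY = [json.loads(line) for line in """
{"ts":"2026-04-20T13:02:11Z","event":"sign_in","actor":"alice.admin@utility.example.org","ip":"203.0.113.10","auth":"interactive","mfa":true}
{"ts":"2026-04-27T08:41:09Z","event":"sign_in","actor":"alice.admin@utility.example.org","ip":"203.0.113.11","auth":"interactive","mfa":true}
""".strip().splitlines()]

# Recent activity to score: a replayed token, then persistence steps (constructed).
RECENT = [json.loads(line) for line in """
{"ts":"2026-05-04T02:17:44Z","event":"sign_in","actor":"alice.admin@utility.example.org","ip":"198.51.100.77","auth":"refresh_token","mfa":false}
{"ts":"2026-05-04T02:19:02Z","event":"oauth_consent","actor":"alice.admin@utility.example.org","app":"Mail Sync Helper","scopes":["Mail.ReadWrite","offline_access"]}
{"ts":"2026-05-04T02:21:30Z","event":"role_assigned","actor":"alice.admin@utility.example.org","target":"svc-backup@utility.example.org","role":"Global Administrator"}
{"ts":"2026-05-04T09:05:12Z","event":"sign_in","actor":"bob.user@utility.example.org","ip":"203.0.113.12","auth":"interactive","mfa":true}
""".strip().splitlines()]


def learn_baseline(events):
    """Trusted source IPs per actor: only MFA-backed interactive sign-ins count."""
    baseline = defaultdict(set)
    for e in events:
        if e["event"] == "sign_in" and e["auth"] == "interactive" and e["mfa"]:
            baseline[e["actor"]].add(e["ip"])
    return baseline


def detect(events, baseline, admins=ADMINS):
    """Return (rule, actor, detail) alerts for the given events."""
    alerts = []
    for e in events:
        actor, kind = e["actor"], e["event"]
        if kind == "sign_in" and actor in admins:
            if e["auth"] == "interactive":
                if not e["mfa"]:
                    alerts.append(("admin-signin-without-mfa", actor, e["ip"]))
            elif e["ip"] not in baseline.get(actor, set()):
                # A replayed token triggers no MFA prompt; the origin is the anomaly.
                alerts.append(("token-signin-unknown-ip", actor, e["ip"]))
        elif kind == "oauth_consent":
            broad = sorted(set(e["scopes"]) & BROAD_SCOPES)
            if broad:
                alerts.append(("broad-oauth-consent", actor, f'{e["app"]}: {", ".join(broad)}'))
        elif kind == "role_assigned" and e["role"] in PRIVILEGED_ROLES:
            alerts.append(("privileged-role-grant", actor, f'{e["target"]} -> {e["role"]}'))
    return alerts


def escalation_chains(alerts):
    """Actors with more than one distinct alert type.  A foreign token sign-in
    followed by OAuth consent or a role grant is the takeover-and-persist sequence."""
    by_actor = defaultdict(set)
    for rule, actor, _ in alerts:
        by_actor[actor].add(rule)
    return {actor: rules for actor, rules in by_actor.items() if len(rules) > 1}


if __name__ == "__main__":
    found = detect(RECENT, learn_baseline(HISTORY))
    for rule, actor, detail in found:
        print(f"{rule:26} {actor:34} {detail}")
    print("escalation chains:", escalation_chains(found))
```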

National Security Agency Testing Anthropic Mythos AI Model to Identify Microsoft Software Flaws The National Security Agency (NSA) is reportedly testing Anthropic’s high-capability “Mythos” AI model to identify previously unknown vulnerabilities in Microsoft software. The model’s agentic capabilities allow it to perform complex, multi-step exploitation simulations. This development highlights a shift where AI is used to accelerate vulnerability discovery. This is relevant to Florida as the use of AI to find flaws could significantly collapse the patching window for state agencies and municipal utilities. Relevant data are being used to automate exploit discovery, necessitating that organizations move toward more rapid, automated responses to security patches.

Analysis Warns of Converging Cyber-Physical Threats to Critical Infrastructure and Agentic-AI-Driven OT Attacks An industry analysis outlined how cyber-physical threats are escalating as adversaries increasingly utilize operational technology (OT), artificial intelligence (AI) assisted tooling, and living-off-the-land (LOTL) techniques. These threats target the convergence points between OT and IT, particularly in the energy, water, and manufacturing sectors. Florida IT providers supporting critical infrastructure must prioritize hardening these gateway systems and auditing AI-assisted automation for potential prompt injection or unauthorized code execution.

OpenClaw Supply Chain Scanner Detects Backdoor in AI Agent Repositories The discovery of the “OpenClaw” backdoor in several open-source AI agent repositories highlights a significant supply-chain risk for DevOps teams. The malicious code allows for unauthorized RCE on systems where the AI agent is deployed. This is highly relevant to Florida IT providers that utilize AI-assisted automation, as failure to scan repositories could result in a complete compromise of sensitive administrative environments.

Researchers Spot Significant Uptick in Malicious Activity Targeting Vercel Infrastructure Cybersecurity researchers have identified a significant uptick in targeted attacks against Vercel infrastructure, focusing on the theft of environment variables and API keys. Attackers are leveraging “nested” supply-chain tactics to reach large-scale platform providers through smaller analytics firms. Florida IT organizations utilizing Vercel or similar CI/CD platforms should immediately rotate all production secrets and audit access logs for unauthorized activity.

Critical Security Flaws in Redis Expose Thousands of Servers to Unauthorized Access Multiple critical vulnerabilities have been disclosed in Redis, an open-source in-memory data structure store, that allow remote code execution and unauthorized data access. These flaws are being actively probed by botnets seeking to enlist servers into distributed-denial-of-service (DDoS) networks. This news is significant for Florida as Redis is widely used in the backend architectures of many state and municipal web applications, necessitating immediate patching to prevent system takeover.

Malicious NuGet Packages Distribution Campaign Targets Developer Workstations A new campaign is distributing “poisoned” NuGet packages designed to exfiltrate sensitive developer data, including SSH keys and cloud provider credentials. The packages impersonate legitimate libraries used for encryption and data processing. This attack targets the automated build pipelines of software developers, potentially allowing malware to propagate into enterprise applications. DevOps teams should implement strict verification procedures for all third-party libraries before they enter a build.

DigiCert Revokes Certificates after Support Portal Hack In early April 2026, an unknown threat actor breached DigiCert’s internal support portal by infecting an analyst’s endpoint via a malicious payload disguised as a screenshot in a customer chat channel. The attackers proxy-accessed customer accounts to fraudulently obtain EV Code Signing certificates, allowing signed malware to bypass standard endpoint security controls. The campaign has been linked to GoldenEyeDog (APT-Q-27), a Chinese e-crime group associated with cryptocurrency theft. DigiCert subsequently revoked 60 certificates, including 27 explicitly linked to the attackers, that were used to sign the Zhong Stealer malware family. Because code-signing trust is a control that critical infrastructure software relies on, this breach presents supply chain risk for Florida critical infrastructure organizations that use DigiCert services or that may encounter newly signed malicious binaries.

Researchers Report Amazon SES Abused in Phishing to Evade Detection Cybersecurity researchers at Kaspersky report a significant increase in threat actors abusing the Amazon Simple Email Service (SES) to distribute convincing phishing emails that bypass standard reputation-based blocks and authentication checks. Attackers are leveraging automated secret-scanning tooling such as TruffleHog to harvest exposed Amazon Web Services (AWS) Identity and Access Management (IAM) keys from GitHub repositories, .env files, and S3 buckets, then sending from the victim’s own SES account. Campaigns deliver fake document-signing notifications that imitate DocuSign, as well as business email compromise lures. Florida critical infrastructure organizations that utilize AWS should enforce least-privilege principles, enable multi-factor authentication, and regularly rotate IAM keys to mitigate exposure.
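The harvesting described above works because key material sits in plain text in repositories and configuration files, and the same pattern matching that the attackers' tooling runs can be run by defenders first. The block below is an added example written for this bulletin; it is not code from Kaspersky, TruffleHog, or AWS. It scans text for AWS access key IDs and for high-entropy values assigned to secret-looking variable names (which also catches the kind of environment-variable leakage behind the Vercel item above), and separately flags IAM access keys older than a rotation window. The sample .env contents and key metadata are constructed; the key ID and secret are placeholders in the AWS key format, not real credentials.

```python
"""Added example: find leaked AWS credentials in repository text and flag stale IAM keys.

Not code from the bulletin or from any vendor; the sample input is constructed.
"""
import math
import re
from dataclasses import dataclass
from datetime import date

# Long-term (AKIA) and temporary (ASIA) access key IDs are 20 uppercase alphanumerics.
AKID_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# KEY=value / KEY: value / export KEY=value lines as found in .env and shell files.
ASSIGN_RE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*[=:]\s*[\"']?([^\s\"']+)")
SENSITIVE_NAME_RE = re.compile(r"(?i)(secret|token|api[_-]?key|password|private)")


@dataclass(frozen=True)
class Finding:
    line: int
    kind: str
    redacted: str


def shannon_entropy(value: str) -> float:
    """Bits per character; random 40-char keys score well above 3.5, words and placeholders do not."""
    if not value:
        return 0.0
    length = len(value)
    return -sum(
        (n / length) * math.log2(n / length)
        for n in (value.count(ch) for ch in set(value))
    )


def redact(value: str) -> str:
    """Keep just enough of the value to locate it without re-leaking it in a report."""
    return f"{value[:4]}...{value[-4:]}" if len(value) > 8 else "***"


def scan_text(text: str, entropy_threshold: float = 3.5) -> list[Finding]:
    """Return findings for AWS access key IDs and high-entropy secret assignments, by line."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in AKID_RE.finditer(line):
            findings.append(Finding(lineno, "aws_access_key_id", redact(match.group(1))))
        assign = ASSIGN_RE.match(line)
        if assign and SENSITIVE_NAME_RE.search(assign.group(1)):
            value = assign.group(2)
            # Length plus entropy separates real secrets from "xxxx"/"changeme" style placeholders.
            if len(value) >= 16 and shannon_entropy(value) >= entropy_threshold:
                findings.append(Finding(lineno, "high_entropy_secret", redact(value)))
    return findings


def stale_access_keys(keys: list[dict], today: date, max_age_days: int = 90) -> list[str]:
    """Given records shaped like `aws iam list-access-keys` output, return key IDs past the rotation window."""
    return [k["AccessKeyId"] for k in keys if (today - k["CreateDate"]).days > max_age_days]


# Constructed sample .env; the values are placeholders in the AWS key format, not real credentials.
SAMPLE_ENV = """\
# constructed sample, committed by mistake
AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
API_TOKEN=xxxxxxxxxxxxxxxxxxxx
SES_REGION=us-east-1
"""

# Constructed key metadata in the shape the IAM API returns (CreateDate is a date here for brevity).
SAMPLE_KEYS = [
    {"AccessKeyId": "AKIAEXAMPLEEXAMPLE01", "CreateDate": date(2025, 11, 3)},
    {"AccessKeyId": "AKIAEXAMPLEEXAMPLE02", "CreateDate": date(2026, 4, 20)},
]

if __name__ == "__main__":
    for f in scan_text(SAMPLE_ENV):
        print(f"line {f.line}: {f.kind} {f.redacted}")
    print("rotate:", stale_access_keys(SAMPLE_KEYS, date(2026, 5, 19)))
```

Run it against a checkout with `git ls-files | xargs cat` piped through `scan_text`, or hook it into a pre-commit check; the entropy gate is what keeps placeholder values like `API_TOKEN=xxxx...` from drowning the report in noise. The 90-day window is a common policy choice, not a requirement from the reporting above.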

Wiz ZeroDay.Cloud Event Reveals 20-Year-Old PostgreSQL Vulnerabilities Security researchers have disclosed two critical vulnerabilities, CVE-2026-2005 and CVE-2026-2006, in the pgcrypto extension for PostgreSQL, which is present in numerous enterprise environments. CVE-2026-2005 is a buffer overflow in pgp_parse_pubenc_sesskey during public-key decryption, while CVE-2026-2006 causes out-of-bounds reads and writes via malformed UTF-8 during symmetric decryption. Exploitation permits authenticated users with only basic CREATE privileges to execute code as the database owner. Florida critical infrastructure administrators should immediately apply the patches released for branches 14.21 through 18.2, restrict extension creation, and audit logs for anomalous Pretty Good Privacy (PGP) or JavaScript Object Notation (JSON) activity.

Weaver E-cology RCE Flaw CVE-2026-22679 Actively Exploited Via Debug API Threat actors are actively exploiting CVE-2026-22679, a critical unauthenticated RCE vulnerability in the Weaver E-cology enterprise office automation platform. The flaw affects versions before 20260312 and is triggered via the /papi/esearch/data/devops/dubboApi/debug/method endpoint. Attackers craft POST requests with manipulated interfaceName and methodName parameters to achieve arbitrary command execution. Observed campaigns involved dropping an MSI installer named fanwei0324.msi and executing discovery commands like whoami and ipconfig. Florida critical infrastructure networks running Weaver E-cology should immediately apply the vendor patches and restrict exposure of debugging application programming interfaces (APIs) to the internet.
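Everything needed to detect this campaign is named in the reporting: the endpoint, the dropped installer, and the discovery commands. The block below is an added example, not code from the bulletin or from Weaver, that turns those indicators into two checks: requests to the debug endpoint from any host other than a trusted administrative source in the web server access log, and the web application process spawning the installer or discovery commands in endpoint telemetry. The log lines and process events are constructed, and the assumption that E-cology runs under a Java process on Windows (the WEB_APP_PARENTS set) is this example's, not the reporting's.

```python
"""Added example: flag exploitation attempts against the Weaver E-cology debug endpoint.

Not code from the bulletin or from Weaver; all log lines and process events are constructed.
"""
import re
from dataclasses import dataclass

# Endpoint named in the reporting; anything hitting it from outside is suspect.
DEBUG_ENDPOINT = "/papi/esearch/data/devops/dubboApi/debug/method"
# Artifacts named in the reporting: the dropped installer and the discovery commands.
DROPPED_INSTALLER = "fanwei0324.msi"
DISCOVERY_COMMANDS = ("whoami", "ipconfig")
# Assumption for this example: the application runs under a Java process on Windows.
WEB_APP_PARENTS = {"java.exe", "tomcat9.exe"}

# Apache/Nginx combined log format.
ACCESS_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


@dataclass(frozen=True)
class Alert:
    source: str
    rule: str
    detail: str


def detect_debug_endpoint_access(log_lines, trusted_sources=frozenset()):
    """Alert on every request to the debug method endpoint not coming from a trusted admin host."""
    alerts = []
    for line in log_lines:
        m = ACCESS_LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]          # ignore the query string
        if path.lower().startswith(DEBUG_ENDPOINT.lower()) and m.group("ip") not in trusted_sources:
            alerts.append(Alert(m.group("ip"), "ecology_debug_api_access",
                                f'{m.group("method")} {path} at {m.group("ts")} -> {m.group("status")}'))
    return alerts


def detect_post_exploitation(process_events):
    """Alert when the web application process spawns the known installer or discovery commands."""
    alerts = []
    for ev in process_events:
        if ev["parent"].lower() not in WEB_APP_PARENTS:
            continue
        cmd = ev["cmdline"].lower()
        if DROPPED_INSTALLER in cmd:
            alerts.append(Alert(ev["host"], "ecology_msi_drop", ev["cmdline"]))
        elif any(tok in cmd for tok in DISCOVERY_COMMANDS):
            alerts.append(Alert(ev["host"], "ecology_discovery_from_webapp", ev["cmdline"]))
    return alerts


# Constructed access log: two probes from an external host, a normal login, and one admin test.
SAMPLE_ACCESS_LOG = [
    '203.0.113.10 - - [24/Mar/2026:02:14:07 +0000] "POST /papi/esearch/data/devops/dubboApi/debug/method HTTP/1.1" 200 512',
    '198.51.100.7 - - [24/Mar/2026:02:14:09 +0000] "GET /login/Login.jsp HTTP/1.1" 200 4096',
    '203.0.113.10 - - [24/Mar/2026:02:14:12 +0000] "POST /papi/esearch/data/devops/dubboApi/debug/method?interfaceName=x HTTP/1.1" 200 128',
    '10.20.0.5 - - [24/Mar/2026:03:00:00 +0000] "POST /papi/esearch/data/devops/dubboApi/debug/method HTTP/1.1" 200 64',
]
# Constructed process-creation events in the shape an EDR or Sysmon export would give.
SAMPLE_PROCESS_EVENTS = [
    {"host": "oa-srv01", "parent": "java.exe", "image": "msiexec.exe",
     "cmdline": "msiexec.exe /i C:\\Windows\\Temp\\fanwei0324.msi /qn"},
    {"host": "oa-srv01", "parent": "java.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"host": "ws-042", "parent": "explorer.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c ipconfig /all"},
]

if __name__ == "__main__":
    for a in detect_debug_endpoint_access(SAMPLE_ACCESS_LOG, trusted_sources={"10.20.0.5"}):
        print(a)
    for a in detect_post_exploitation(SAMPLE_PROCESS_EVENTS):
        print(a)
```

The access-log rule is the cheap, retroactive one: run it over the last few months of logs to learn whether the endpoint was ever reached before the patch went on. The process rule is what catches a successful exploit regardless of which request parameters were used.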

New Stealthy Quasar Linux Malware Targets Software Developers via Supply Chain Attack Security researchers have identified a new variant of the Quasar Remote Access Trojan (RAT) specifically designed to target Linux environments used by software developers. The malware is distributed through compromised open-source repositories and is designed to exfiltrate SSH keys, API tokens, and cloud credentials. This trend is significant for Florida’s growing technology sector, as a compromise of a local developer could facilitate a supply-chain attack on larger enterprise or government platforms.

Argo CD ServerSideDiff Flaw Allows for Unauthorized Access to Kubernetes Environments A high-severity vulnerability in the Argo CD continuous delivery tool (CVE-2026-29014) allows unauthenticated users to gain access to sensitive information within Kubernetes environments. The flaw involves an improper implementation of the ServerSideDiff feature, which can be exploited to exfiltrate cluster configurations. This news is relevant to Florida as many state and municipal IT organizations utilize Argo CD for automated cloud deployments, necessitating immediate updates to version 2.11.0 or higher.

Poisoned Truth: The Quiet Security Threat inside Enterprise Artificial Intelligence Security researchers have disclosed a new class of threat dubbed “Poisoned Truth” attacks, which target the inference pipelines of enterprise AI models. By injecting malicious data into the model’s feedback loop, attackers can manipulate the AI to provide incorrect security guidance or bypass automated guardrails. This development is relevant to Florida’s critical infrastructure because the growing adoption of AI-assisted automation in municipal operations could be compromised, facilitating unauthorized access or operational sabotage.

SailPoint GitHub Repository Targeted in Third-Party Cyberattack Exposing Internal Tooling Identity management firm SailPoint confirmed that its GitHub repository was targeted in a cyberattack after an attacker compromised a third-party contractor’s credentials. The breach exposed internal tooling and configuration files, highlighting the persistent threat of “nested” supply chain attacks. This news is significant for Florida, as many state agencies use SailPoint for identity governance, making the security of its source code critical to regional administrative integrity.

Fake Claude Code Installer Distributes Malware Targeting Developer Credentials A malicious campaign is distributing fake installers for the “Claude Code” AI-assisted programming tool to infect developer workstations with infostealers. The installer appears legitimate but silently exfiltrates SSH keys and cloud provider tokens upon execution. This trend is relevant to Florida IT providers as local developers increasingly adopt AI-assisted coding tools, making them high-value targets for adversaries seeking access to enterprise deployment pipelines.

FCC Slightly Relaxes Foreign Router Ban to Allow Critical Software Updates Through 2029 The Federal Communications Commission (FCC) has slightly relaxed its ban on high-risk foreign routers, allowing for critical security software updates until 2029. The move aims to prevent existing hardware from becoming even more vulnerable while organizations transition to approved alternatives. This is significant for Florida’s IT sector as it provides a limited window for municipal utilities and agencies to maintain legacy perimeter hardware while planning for a comprehensive “rip-and-replace” cycle.

Information Technology Sector Recommendations:

  • Apply critical security patches for Palo Alto PAN-OS, MOVEit Automation, and Redis instances immediately to remediate remote code execution and authentication bypass vulnerabilities.
  • Implement strict package verification and audit all developer manifests for unauthorized npm, PyPI, and NuGet dependencies to prevent the exfiltration of administrative credentials.
  • Enforce phishing-resistant multi-factor authentication on all Software-as-a-Service administrative portals to mitigate the risk of account takeover via session and token theft.
  • Rotate all production secrets, including Amazon Web Services Identity and Access Management keys and Secure Shell keys, if unauthorized activity is detected in build environments.
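
The NuGet item above and the package-verification recommendation both come down to the same control: every dependency in a manifest should be on an approved list, and names that sit one or two edits away from a popular library deserve a second look. The block below is an added example written for this bulletin, not code from the bulletin, from NuGet, or from npm. It parses a NuGet packages.lock.json and an npm package.json, then reports packages that are not approved and packages whose name is within a small edit distance of a well-known one. The manifests are constructed, and the look-alike names in them are invented for the example, not real malicious packages; PyPI requirements are left out only for brevity.

```python
"""Added example: audit NuGet and npm manifests for unapproved and look-alike package names.

Not code from the bulletin or from any package registry; the manifests below are constructed,
and the look-alike names in them are invented for the example, not real malicious packages.
"""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    ecosystem: str
    package: str
    reason: str


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small distance to a popular name is the classic typosquat signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def nuget_lock_packages(lock_json: str) -> dict[str, str]:
    """Direct and transitive packages from packages.lock.json, keyed by id with resolved version."""
    found: dict[str, str] = {}
    for packages in json.loads(lock_json).get("dependencies", {}).values():  # one entry per target framework
        for name, meta in packages.items():
            found[name] = meta.get("resolved", "")
    return found


def npm_manifest_packages(package_json: str) -> dict[str, str]:
    """dependencies and devDependencies from package.json (ranges, not resolved versions)."""
    data = json.loads(package_json)
    found: dict[str, str] = {}
    for section in ("dependencies", "devDependencies"):
        found.update(data.get(section, {}))
    return found


def audit(ecosystem: str, packages: dict[str, str], approved, well_known, max_distance: int = 2) -> list[Finding]:
    """Report packages missing from the approved list, and those within max_distance of a well-known name."""
    approved_lower = {n.lower() for n in approved}
    known_lower = {n.lower(): n for n in well_known}
    findings: list[Finding] = []
    for name in packages:  # NuGet ids and npm names are compared case-insensitively
        lower = name.lower()
        if lower in approved_lower:
            continue
        findings.append(Finding(ecosystem, name, "not on approved list"))
        for k_lower, k in known_lower.items():
            if lower != k_lower and levenshtein(lower, k_lower) <= max_distance:
                findings.append(Finding(ecosystem, name, f"look-alike of {k}"))
    return findings


# Constructed approved lists and a set of well-known names to compare against.
NUGET_APPROVED = {"Newtonsoft.Json", "System.Text.Encodings.Web"}
NPM_APPROVED = {"lodash"}
WELL_KNOWN = {"Newtonsoft.Json", "System.Text.Encodings.Web", "BouncyCastle.Cryptography", "lodash", "express"}

# Constructed manifests; "Newtonsoft.Jsom" and "lodahs" are invented look-alikes for the example.
SAMPLE_NUGET_LOCK = json.dumps({
    "version": 1,
    "dependencies": {"net8.0": {
        "Newtonsoft.Json": {"type": "Direct", "requested": "[13.0.3, )", "resolved": "13.0.3"},
        "Newtonsoft.Jsom": {"type": "Direct", "requested": "[13.0.3, )", "resolved": "13.0.3"},
        "System.Text.Encodings.Web": {"type": "Transitive", "resolved": "8.0.0"},
    }},
})
SAMPLE_PACKAGE_JSON = json.dumps({"dependencies": {"lodash": "^4.17.21", "lodahs": "4.17.21"}})

if __name__ == "__main__":
    for f in audit("nuget", nuget_lock_packages(SAMPLE_NUGET_LOCK), NUGET_APPROVED, WELL_KNOWN):
        print(f)
    for f in audit("npm", npm_manifest_packages(SAMPLE_PACKAGE_JSON), NPM_APPROVED, WELL_KNOWN):
        print(f)
```

Wire `audit` into CI so a pull request that introduces an unapproved name fails before restore or install runs; the look-alike reason is the one that tells a reviewer which legitimate library the new package is imitating. Lock files are the right input on the NuGet side because they also expose transitive packages that never appear in a .csproj.
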

Nuclear Reactors, Materials, and Waste Sector

No sector-specific incidents, advisories, or tactically relevant reporting were identified during this biweekly reporting period.

Transportation Systems Sector

Iran Utilizes Cyber Capabilities to Monitor and Threaten Maritime Traffic in Strait of Hormuz New analysis details how Iran is utilizing sophisticated cyber and electronic warfare capabilities to monitor and potentially disrupt maritime traffic through the Strait of Hormuz. These activities include Global Positioning System (GPS) spoofing and the interception of vessel communication systems to interfere with navigation. This development is relevant to Florida as a major maritime state, as the tradecraft used in these regional conflicts could be adapted to target Florida’s commercial ports and logistics networks during periods of geopolitical escalation.

Transportation Systems Sector Recommendations:

  • Monitor maritime traffic networks and commercial port environments for localized GPS spoofing attempts or electronic warfare interference.
  • Encrypt all vessel communication systems to prevent threat actors from intercepting sensitive navigation and logistics data.
  • Implement redundant positioning, navigation, and timing systems to maintain safe maritime operations if primary GPS signals are disrupted.
  • Establish manual navigation fallback protocols and drill operational contingencies for commercial ports facing targeted electronic interference.
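
The first recommendation, monitoring for localized GPS spoofing, is something a port operations center can do with the position reports it already receives. The block below is an added example written for this bulletin, not code from the bulletin or from any AIS vendor. It applies two plausibility heuristics to vessel fixes: an implied speed between consecutive reports that no ship can achieve, and several distinct vessels reporting the same position cell at the same time, which is a typical artifact when receivers in one area lock onto a spoofed signal. The fixes are constructed, and the 60-knot ceiling and 3-decimal grid are this example's assumptions.

```python
"""Added example: plausibility checks on vessel position reports to surface GPS spoofing.

Not code from the bulletin or from any AIS vendor; the reports below are constructed.
"""
import math
from collections import defaultdict
from dataclasses import dataclass

EARTH_RADIUS_NM = 3440.065   # mean earth radius in nautical miles
MAX_PLAUSIBLE_KNOTS = 60.0   # assumption: no merchant vessel legitimately exceeds this


@dataclass(frozen=True)
class Fix:
    mmsi: str
    t: int        # epoch seconds
    lat: float
    lon: float


def haversine_nm(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in nautical miles."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(a))


def implausible_jumps(fixes, max_knots=MAX_PLAUSIBLE_KNOTS):
    """(mmsi, implied_knots, fix) for every consecutive pair whose implied speed exceeds max_knots."""
    by_vessel = defaultdict(list)
    for f in fixes:
        by_vessel[f.mmsi].append(f)
    jumps = []
    for mmsi, track in by_vessel.items():
        track.sort(key=lambda f: f.t)
        for prev, cur in zip(track, track[1:]):
            hours = (cur.t - prev.t) / 3600
            if hours <= 0:
                continue  # duplicate timestamps say nothing about speed
            knots = haversine_nm(prev.lat, prev.lon, cur.lat, cur.lon) / hours
            if knots > max_knots:
                jumps.append((mmsi, round(knots, 1), cur))
    return jumps


def position_clusters(fixes, min_vessels=3, decimals=3):
    """Cells (rounded lat, lon) occupied by at least min_vessels distinct vessels.

    A spoofed signal tends to pin every receiver in range to the same point.
    """
    cells = defaultdict(set)
    for f in fixes:
        cells[(round(f.lat, decimals), round(f.lon, decimals))].add(f.mmsi)
    return {cell: vessels for cell, vessels in cells.items() if len(vessels) >= min_vessels}


# Constructed sample: vessel A "teleports" roughly 75 nm in ten minutes, vessel B moves normally,
# and vessels C, D and E all report the same cell within seconds of each other.
T0 = 1_780_000_000
SAMPLE_FIXES = [
    Fix("A", T0, 26.10, 56.20), Fix("A", T0 + 600, 26.12, 56.22), Fix("A", T0 + 1200, 27.20, 55.50),
    Fix("B", T0, 26.30, 56.40), Fix("B", T0 + 600, 26.31, 56.42),
    Fix("C", T0 + 300, 25.2531, 55.3641), Fix("D", T0 + 300, 25.2531, 55.3641),
    Fix("E", T0 + 310, 25.2531, 55.3641),
]

if __name__ == "__main__":
    for mmsi, knots, fix in implausible_jumps(SAMPLE_FIXES):
        print(f"{mmsi}: implied {knots} kn arriving at ({fix.lat}, {fix.lon})")
    for cell, vessels in position_clusters(SAMPLE_FIXES).items():
        print(f"{len(vessels)} vessels share cell {cell}: {sorted(vessels)}")
```

Both heuristics produce false positives on their own (a fresh AIS transponder with a stale fix, or ships rafted at a berth), so treat a hit as a prompt to cross-check against radar or a second positioning source, which is exactly what the redundancy recommendation above is for.
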

Water and Wastewater Systems Sector

Dragos Intelligence Brief Details AI-Assisted Cyberattack on Water Infrastructure A tactical intelligence brief from Dragos detailed a sophisticated cyberattack targeting water infrastructure, in which threat actors used artificial intelligence (AI) to identify and exploit vulnerabilities in programmable logic controllers (PLCs). The attack resulted in the unauthorized manipulation of water pressure and treatment levels. This event provides a tactical analog for Florida water utilities, as the use of AI to automate vulnerability discovery significantly compresses the window for patching and defensive hardening of municipal water supplies.

UK Water Company Fined After Hackers Lurked Undetected for Nearly Two Years A major United Kingdom water utility was fined after the Cl0p ransomware group maintained undetected access to its IT network for nearly two years, exposing the personal data of over 630,000 individuals. The attackers exploited critical unpatched vulnerabilities, legacy operating systems, and excessive domain administrator privileges. This incident serves as a critical tactical analog for Florida water utilities, highlighting the need for comprehensive security operations center coverage, continuous vulnerability scanning, and strict enforcement of least privilege principles.

Water and Wastewater Systems Sector Recommendations:

  • Prioritize the patching and defensive hardening of programmable logic controllers to defend against rapid, automated vulnerability discovery, and strictly monitor for unauthorized manipulations of water pressure or treatment levels.
  • Execute deep behavioral monitoring across operational networks to detect adversaries utilizing living-off-the-land tactics that intentionally blend in with legitimate administrative activity.
  • Remove all stale administrative accounts immediately and continuously audit administrative privileges to prevent state-sponsored actors from establishing and maintaining long-term persistent access.
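
The first recommendation asks utilities to watch for unauthorized manipulation of pressure and treatment setpoints, which in practice means auditing the writes that reach the PLC. The block below is an added example written for this bulletin, not code from the bulletin or from Dragos. It walks a log of Modbus-style register writes for a hypothetical plant and raises three kinds of alert: a writer that is not on the allow-list, a value outside the register's engineering limits, and an abrupt step from the last observed value. The register map, limits, HMI address and write records are all constructed for the example.

```python
"""Added example: audit Modbus-style register writes to a water PLC for unauthorized manipulation.

Not code from the bulletin or from Dragos; the write records and the register policy are
constructed for a hypothetical plant.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RegisterPolicy:
    name: str
    low: float        # engineering limits in the register's units
    high: float
    max_step: float   # largest legitimate change in a single write


@dataclass(frozen=True)
class Alert:
    ts: int
    rule: str
    detail: str


# Hypothetical register map: 40010 holds the distribution pressure setpoint in psi,
# 40020 the chlorine dose setpoint in tenths of mg/L.
POLICY = {
    40010: RegisterPolicy("pressure_setpoint_psi", 40, 80, 10),
    40020: RegisterPolicy("chlorine_dose_x10_mg_l", 5, 40, 10),
}
AUTHORIZED_WRITERS = {"10.10.1.5"}   # the HMI; engineering laptops should be added explicitly


def audit_writes(writes, policy=POLICY, authorized=AUTHORIZED_WRITERS):
    """Walk write records in time order and return alerts.

    Every write updates the last-seen value, because an attacker's write changes the PLC
    just as an operator's does; the next legitimate write is then judged against reality.
    """
    alerts = []
    last_value = {}
    for w in sorted(writes, key=lambda w: w["ts"]):
        reg, value, src = w["reg"], w["value"], w["src"]
        if src not in authorized:
            alerts.append(Alert(w["ts"], "unauthorized_source", f"{src} wrote {value} to {reg}"))
        rule = policy.get(reg)
        if rule is None:
            alerts.append(Alert(w["ts"], "unmodeled_register", f"{src} wrote {value} to {reg}"))
        else:
            if not rule.low <= value <= rule.high:
                alerts.append(Alert(w["ts"], "out_of_range",
                                    f"{rule.name}={value} outside [{rule.low}, {rule.high}]"))
            prev = last_value.get(reg)
            if prev is not None and abs(value - prev) > rule.max_step:
                alerts.append(Alert(w["ts"], "abrupt_change",
                                    f"{rule.name} {prev} -> {value} exceeds step {rule.max_step}"))
        last_value[reg] = value
    return alerts


# Constructed write log as a span-port collector would record it (time, source IP, register, value).
SAMPLE_WRITES = [
    {"ts": 1000, "src": "10.10.1.5",  "reg": 40010, "value": 62},
    {"ts": 1060, "src": "10.10.1.5",  "reg": 40010, "value": 64},
    {"ts": 1120, "src": "10.10.9.77", "reg": 40010, "value": 64},   # unknown host, value unchanged
    {"ts": 1180, "src": "10.10.1.5",  "reg": 40010, "value": 95},   # over limit and a 31 psi step
    {"ts": 1240, "src": "10.10.1.5",  "reg": 40020, "value": 12},   # 1.2 mg/L, normal
    {"ts": 1300, "src": "10.10.9.77", "reg": 40099, "value": 1},    # register nobody modelled
]

if __name__ == "__main__":
    for a in audit_writes(SAMPLE_WRITES):
        print(f"t={a.ts} {a.rule}: {a.detail}")
```

The third record is the interesting one for this sector: a write from an unknown host that changes nothing still fires, because a quiet write is how an adversary learns whether a path to the PLC works before doing damage. Limits and step sizes must come from the process engineers, not from the security team, or the rule set will be ignored the first time it pages during a legitimate flush.
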

CI Bulletin Vol 2, Issue 7, May 19, 2026

Teacher Spotlight: Phillip Lynch

Phillip Lynch

Teacher: Phillip Lynch

District: Palm Beach County

For more than nine years, Phillip Lynch has worked to make learning engaging, relevant, and connected to the world students experience every day. A teacher at Palm Beach Lakes Community High School, Lynch primarily teaches history while integrating technology into the classroom to help students better understand both the past and the rapidly evolving digital future.

Before becoming an educator, Lynch built a strong foundation in the technology industry through his work with Apple and Tesla. Today, he also serves on his school’s AI implementation team, helping guide conversations around emerging technologies and their impact on education.

Although cybersecurity is not his primary subject area, Lynch recognizes its growing importance for students of all backgrounds and career interests. He believes cybersecurity education plays a critical role in helping students protect personal information, navigate the digital landscape safely, and prepare for careers in an increasingly technology-driven world.

“What I enjoy most about being involved in technology education is helping students understand how technology shapes both our world and their futures,” Lynch said. “Whether through AI, historical connections, or digital tools, I strive to make complex concepts accessible, relevant, and engaging for my students.”

Thank you, Mr. Lynch, for all you do!

Would you like to be featured in our Teacher Spotlight? To nominate yourself or another deserving teacher, complete the interest form below!

Teacher Spotlight: Phillip Lynch, May 11, 2026