Florida Critical Infrastructure Cybersecurity Intelligence
This bulletin is produced by USF’s Strategic and Cyber Intelligence Program, in collaboration with Cyber Florida, to deliver timely, actionable insights and recommendations to help Critical Infrastructure owners and operators better protect Florida’s Critical Infrastructure.
Situational Awareness Bulletin #11-2026
Cyber Threat Outlook
Over the next six months, Florida critical infrastructure owners and operators will have to navigate a threat environment in which adversaries are moving faster and defenders are falling further behind. The 2026 Verizon Data Breach Investigations Report (DBIR) documented that automated exploitation of unpatched software vulnerabilities surpassed credential theft as the leading cause of data breaches for the first time in the report’s nineteen-year history, accounting for 31% of confirmed breach entry points. Artificial intelligence is the primary accelerant, compressing the window between a vulnerability’s public disclosure and its active weaponization from months to hours. CISA’s new Binding Operational Directive (BOD) 26-04 formally codifies this reality by replacing flat patching timelines with a graduated, risk-tiered model that mandates remediation within as few as three days for the highest-risk vulnerabilities, together with mandatory forensic analysis to assess whether affected systems are already compromised.
Iranian state-sponsored actors continue to escalate beyond espionage into active disruption and data destruction targeting water, energy, and defense-adjacent infrastructure. Ransomware groups are expanding their reach through supply chain and third-party vendor compromise. Against this backdrop, the contraction of federal cybersecurity grant funding means organizations cannot wait for external support. Priorities must shift toward risk-tiered vulnerability management aligned with BOD 26-04, network segmentation between operational technology and information technology environments, validated offline backups, and supply chain governance, particularly for software dependencies and cloud storage configurations.
Confidence – High
Executive Summary
- All Sectors: Automated vulnerability exploitation has officially surpassed credential theft as the primary initial access vector. Driven by frontier AI capabilities, adversaries are weaponizing exploits at machine-speed, necessitating risk-tiered remediation under CISA BOD 26-04, which mandates patch-and-forensic-triage within three days for the highest-risk exposed assets. Iranian state actors have shifted from espionage to active data-wiping and OT disruption. Third-party and vendor-related breaches continue to rise sharply, making supply chain auditing and Zero Trust principles essential.
- Commercial Facilities: Unauthenticated remote code execution vulnerabilities in Magento servers (CVE-2026-45247) remain under active exploitation. RCI Hospitality Holdings reported a data breach impacting approximately 40,000 individuals.
- Defense Industrial Base: Department of Defense officials emphasized integrating cyber capabilities into all military operations and strengthening foundational cybersecurity across the defense industrial base. Iranian state actors continue targeting software suppliers and infrastructure connected to the aerospace and defense sectors to establish persistent espionage footholds in supply chains.
- Energy: High-severity vulnerabilities were disclosed in Hitachi Energy grid control systems (RTU500 and MACH HiDraw).
- Financial Services: The financially motivated group JINX-0164 targeted cryptocurrency firms using custom macOS malware delivered through fake recruiter lures to steal credentials and access CI/CD environments.
- Food and Agriculture: Brazilian food delivery platform iFood suffered a data breach exposing sensitive personal information of 1.2 million users, highlighting risks to food supply chain platforms from identity-focused data theft.
- Government Services and Facilities: The White House accelerated AI adoption through NSPM-11 while tightening control over AI model evaluations. Chinese state-sponsored actors continue targeting government and defense personnel via LinkedIn recruitment lures. The city of St. Paul, Minnesota successfully completed a comprehensive systems recovery following a severe ransomware attack.
- Healthcare and Public Health: DentaQuest suffered a major data breach exposing sensitive records of approximately 2.6 million accounts. India-based wearable health tech startup Ultrahuman reported a data breach involving unauthorized access to customer wellness data.
- Information Technology: The National Security Agency (NSA) launched a centralized hub for Zero Trust Implementation Guides (ZIGs). Microsoft’s June 2026 Patch Tuesday addressed nearly 200 vulnerabilities. Actively exploited zero-days affected Veeam, Cisco SD-WAN, Palo Alto Networks PAN-OS, Google Chrome, and Acer Wave 7 mesh routers. Multiple supply chain attacks targeted npm and PyPI repositories through the Miasma and Hades campaigns, variants of the self-replicating Shai-Hulud worm, which infected over 100 packages and extended into Microsoft Azure and GitHub repositories. Cisco released patches for a high-severity server-side request forgery (SSRF) vulnerability.
- Transportation Systems: SpeedX exposed over 840 million sensitive logistics and customer records. Qilin ransomware claimed responsibility for an attack on the New York/New Jersey Shipping Association.
- Water and Wastewater Systems: The U.S. Government Accountability Office (GAO) warned that many drinking water and wastewater utilities across the United States continue to lack fundamental cybersecurity protections. Water and wastewater systems face persistent, aggressive targeting from Iranian-sponsored entities.
All Sectors
Implementation Guidance for Prioritizing Security Updates Based on Risk BOD 26-04 In response to AI-assisted threat actors narrowing the gap between patch release and mass-exploitation, federal defensive frameworks have overhauled vulnerability remediation. Organizations should look to align their enterprise response with CISA’s Binding Operational Directive (BOD) 26-04. Rather than treating all vulnerabilities with a flat, Common Vulnerability Scoring System (CVSS)-based urgency, defense must be tiered dynamically based on asset exposure, Known Exploited Vulnerabilities (KEV) status, and adversary automation capability. Vulnerabilities meeting the highest-risk criteria, those actively exploited, automatable, and yielding total system control, require remediation and forensic triage within three days. Lower-risk combinations receive graduated timelines up to the next system upgrade cycle. BOD 26-04 formally revokes BOD 22-01, invalidating existing flat 14-day KEV remediation policies. CI organizations supporting federal agencies must update their vulnerability management processes accordingly.
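As an added illustration, and not text or tooling from CISA or the directive itself, the following Python sketch turns the tiering logic described above into a triage function that vulnerability-management tooling could call. The three-day tier with forensic triage follows the criteria stated above (actively exploited, automatable, total system control); the lower tiers, their day counts, the field names and the sample findings are this example’s own assumptions and should be replaced with the directive’s actual schedule.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum


class Exposure(Enum):
    INTERNET = "internet-facing"
    INTERNAL = "internal-only"


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    in_kev: bool          # listed in CISA's KEV catalog (exploitation observed)
    automatable: bool     # exploitable by a script with no login or user interaction
    total_control: bool   # success yields full control of the system
    exposure: Exposure


@dataclass(frozen=True)
class Decision:
    tier: str
    deadline_days: int
    forensic_triage: bool  # the fastest tier also requires a compromise assessment


def triage(f: Finding) -> Decision:
    """Map one finding to a remediation tier.

    Tier 1 is the highest-risk class the bulletin describes for BOD 26-04:
    actively exploited, automatable and yielding total system control, due in
    three days with forensic triage. Tiers 2-4 and their day counts are
    ASSUMED placeholders for this example; substitute the directive's actual
    graduated schedule.
    """
    if f.in_kev and f.automatable and f.total_control:
        return Decision("tier1-critical", 3, True)
    if f.in_kev and f.exposure is Exposure.INTERNET:
        return Decision("tier2-high", 14, False)                  # assumed
    if f.in_kev or (f.automatable and f.exposure is Exposure.INTERNET):
        return Decision("tier3-moderate", 30, False)              # assumed
    return Decision("tier4-next-upgrade-cycle", 180, False)       # assumed


def schedule(findings, today):
    """Return (due_date, finding, decision) tuples, earliest due date first."""
    rows = []
    for f in findings:
        d = triage(f)
        rows.append((today + timedelta(days=d.deadline_days), f, d))
    rows.sort(key=lambda r: r[0])
    return rows


def constructed_findings():
    """Constructed sample, not scanner output: three items named in this
    bulletin, with attributes assigned from the bulletin's descriptions."""
    return [
        Finding("CVE-2026-7310", "eng-ws-07", False, False, True, Exposure.INTERNAL),
        Finding("CVE-2026-45247", "web-store-01", True, True, True, Exposure.INTERNET),
        Finding("CVE-2026-20230", "ucm-01", False, True, False, Exposure.INTERNET),
    ]


def demo_schedule(today_iso="2026-06-15"):
    """Schedule the constructed findings from a fixed date so output is reproducible."""
    return schedule(constructed_findings(), date.fromisoformat(today_iso))


if __name__ == "__main__":
    for due, f, d in demo_schedule():
        print(f"{due}  {d.tier:26} forensic={str(d.forensic_triage):5} {f.cve} on {f.asset}")
```

In practice the Finding records would be populated from scanner output joined against the KEV catalog and an asset inventory; the point of the structure is that the deadline is derived from exploitation status, automatability and exposure rather than from a CVSS score alone.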
All Sectors Recommendations:
- Enforce phishing-resistant multi-factor authentication and strict least-privilege policies on all remote access and managed service links.
- Isolate all public-facing virtual network computing instances behind virtual private networks (VPN) requiring multi-factor authentication.
- Establish automated vulnerability tracking and scanning mechanisms to outpace accelerated machine-assisted exploitation windows.
- Conduct technical audits of contractor-managed code environments, cloud storage setups, and cloud collaboration platform configurations.
Chemical Sector
No sector-specific incidents, advisories, or operationally relevant reporting were identified during this biweekly reporting period.
Commercial Facilities Sector
Mirasvit Vulnerability Exploited to Execute Code on Magento Servers A critical-severity vulnerability (CVE-2026-45247) in the Mirasvit Full Page Cache Warmer for Magento 2 extension is under active exploitation and has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. This PHP object injection flaw, carrying a Common Vulnerability Scoring System (CVSS) score of 9.8, allows unauthenticated remote actors to execute arbitrary code on Magento and Adobe Commerce servers. Exploitation requires no login or special access: a single crafted web request to any vulnerable storefront page is sufficient to trigger full server compromise. The extension, intended to optimize page caching and speed, currently provides a direct pathway to full system compromise and unauthorized data access. Mirasvit released a patch in version 1.11.12. Organizations running any earlier version should update immediately, or disable the extension if patching is not immediately possible. Because the flaw is listed as actively exploited, storefronts that were internet-facing while running a vulnerable version should also be checked for signs of compromise rather than patched alone, consistent with the forensic triage BOD 26-04 requires for the highest-risk class.
Nightclub Giant RCI Says Data Breach Affects 40,000 Individuals RCI Hospitality Holdings, one of the largest adult nightclub and sports bar operators in the United States, reported a data breach impacting approximately 40,000 individuals. The incident was traced to an insecure direct object reference (IDOR) vulnerability discovered in March 2026 within an IIS web server managed by the company’s internet services subsidiary. The IDOR flaw permitted unauthorized access to personal data of approximately 40,000 independent contractors, including names, dates of birth, Social Security numbers, and driver’s license numbers. Customer records and financial systems were not accessed. This breach highlights the persistent risk of data extortion and PII exposure within large-scale commercial hospitality environments.
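The IDOR pattern behind the RCI incident, shown as an added example that is not RCI’s code: a record lookup that authenticates the caller but never checks ownership, the hardened version with an object-level authorization check, and a simple log heuristic for spotting a user walking through record IDs. The data store, session model, roles, log format and log lines are all constructed for this example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user_id: int
    role: str  # "contractor" or "hr_admin" (assumed roles for this example)


class Forbidden(Exception):
    pass


# Constructed stand-in for the table behind a contractor-records endpoint.
CONTRACTORS = {
    1001: {"owner": 7, "name": "A. Contractor", "ssn_last4": "1234"},
    1002: {"owner": 8, "name": "B. Contractor", "ssn_last4": "5678"},
    1003: {"owner": 9, "name": "C. Contractor", "ssn_last4": "9012"},
}


def get_contractor_vulnerable(session: Session, record_id: int) -> dict:
    """IDOR pattern: the caller is authenticated (a Session exists) but the code
    never checks that record_id belongs to them. Any logged-in user who changes
    the ID in the URL reads every other contractor's row."""
    return CONTRACTORS[record_id]


def get_contractor_hardened(session: Session, record_id: int) -> dict:
    """Object-level authorization: the row must be owned by the caller unless the
    caller holds an explicitly privileged role. Raise the same error for
    "missing" and "not yours" so an attacker cannot learn which IDs exist."""
    record = CONTRACTORS.get(record_id)
    if record is None or (session.role != "hr_admin" and record["owner"] != session.user_id):
        raise Forbidden(f"user {session.user_id} may not read record {record_id}")
    return record


def hardened_denies(session: Session, record_id: int) -> bool:
    """True when the hardened lookup refuses the request."""
    try:
        get_contractor_hardened(session, record_id)
    except Forbidden:
        return True
    return False


# Detection side: a contractor legitimately reads one record, their own. One user
# successfully fetching many distinct records is the signature of ID walking.
LOG_RE = re.compile(r"user=(?P<user>\d+) GET /contractors/(?P<rid>\d+) (?P<status>\d{3})")


def detect_enumeration(log_lines, threshold: int = 3):
    """Return user IDs that received 200 responses for >= threshold distinct records."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group("status") == "200":
            seen[int(m.group("user"))].add(int(m.group("rid")))
    return sorted(u for u, ids in seen.items() if len(ids) >= threshold)


def constructed_log():
    """Constructed web-server lines, not real logs: user 7 reads their own
    record; user 9 walks sequential IDs until one is refused."""
    return [
        "2026-03-04T10:00:01Z user=7 GET /contractors/1001 200",
        "2026-03-04T10:02:10Z user=9 GET /contractors/1001 200",
        "2026-03-04T10:02:11Z user=9 GET /contractors/1002 200",
        "2026-03-04T10:02:12Z user=9 GET /contractors/1003 200",
        "2026-03-04T10:02:13Z user=9 GET /contractors/1004 403",
    ]
```

The hardened lookup is the fix; the log heuristic is the compensating detection for the window before a fix ships, and it is deliberately crude: a real deployment would key on session rather than user and tune the threshold to the endpoint’s normal access pattern.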
Commercial Facilities Sector Recommendations:
- Perform comprehensive vendor risk assessments for any third parties processing corporate personally identifiable information.
- Deploy data loss prevention tools and end-to-end encryption on storage repositories hosting consumer or employee records.
- Formulate incident response scripts addressing pure data extortion, detailing communication pathways for multi-stage extortion tactics.
- Implement continuous monitoring on corporate file-sharing networks to flag unusual outbound data transfer volume.
Communications Sector
No sector-specific incidents, advisories, or operationally relevant reporting were identified during this biweekly reporting period.
Critical Manufacturing Sector
No sector-specific incidents, advisories, or operationally relevant reporting were identified during this biweekly reporting period.
Dams Sector
No sector-specific incidents, advisories, or operationally relevant reporting were identified during this biweekly reporting period.
Defense Industrial Base Sector
DOD Wants to Integrate Cyber in All Operations, and Integrate Security into AI Department of Defense officials emphasized integrating cyber capabilities into all military operations and strengthening foundational cybersecurity across the defense industrial base. Officials warned that vulnerabilities among contractors and suppliers can directly affect military readiness and operational effectiveness.
Iran Threat Overview and Advisories Iranian advanced persistent threat (APT) groups continue targeting software suppliers and infrastructure components connected to the aerospace and defense sectors. These long-term campaigns show direct correlations with broader geopolitical activity, deploying custom backdoors and implants to establish highly persistent espionage footholds across supply chain dependencies. Moving forward, Florida’s expansive aerospace clusters and defense contractors must validate code provenance and verify that administrative accesses across engineering pipelines strictly adhere to rigorous internal authorization mechanisms. Florida’s aerospace and defense manufacturing clusters, including Space Coast suppliers and aerospace contractors, represent direct targets for Iranian APT supply chain campaigns.
Defense Industrial Base Sector Recommendations:
- Conduct rigorous, ongoing evaluations of software sub-vendors, tracking any indicators of long-term state espionage campaigns.
- Deploy endpoint detection and behavioral tracking systems to uncover unauthorized administrative access or unusual remote connections.
- Validate the cryptographical signing and provenance of external software additions prior to introduction into production networks.
- Apply strict least-privilege divisions between supplier-administered assets and core defense software assembly lines.
Emergency Services Sector
No sector-specific incidents, advisories, or operationally relevant reporting were identified during this biweekly reporting period.
Energy Sector
Vulnerabilities Disclosed in Grid Control Infrastructure Technical vulnerabilities at the OT layer continue to expose power distribution systems. Serious flaws have surfaced in the Hitachi Energy RTU500 series, leaving devices susceptible to NULL pointer dereferences and infinite loops that trigger severe system-level denial of service. Concurrently, the Hitachi Energy MACH HiDraw software is vulnerable to CVE-2026-7310, a medium-severity (CVSS 5.5) heap-based buffer overflow in the XML parser, exploitable by an authenticated local user via a specially crafted XML file and potentially resulting in memory corruption, denial of service, or arbitrary code execution. These platforms actively manage grid control and power transmission across international systems. Hitachi Energy has released a fix in MACH HiDraw version 9.23; organizations should contact their Hitachi Energy account team given the complexity of individual upgrade paths. MACH HiDraw is also deployed in the Dams and Transportation Systems sectors; operators in those sectors should review the CISA advisory.
Energy Sector Recommendations:
- Deploy vulnerability shielding or compensatory controls around Hitachi Energy RTU500 and MACH HiDraw systems as a priority, consistent with BOD 26-04 risk-tiered guidance; federal entities should assess KEV catalog status and apply applicable deadlines.
- Maintain air-gapped configuration backups for power-grid control components to ensure manual operational capacity during cyber-induced disruptions.
- Monitor for emerging risks associated with increasing data center electricity demand and coordinate with utility partners on grid resilience and capacity planning.
Financial Services Sector
JINX-0164 Targets Cryptocurrency Firms with Fake Recruiter Lures and macOS Malware A sophisticated campaign attributed to financially motivated actors (JINX-0164, which shares TTPs with North Korean-linked group UNC1069/Sleet) has targeted cryptocurrency firms using custom macOS malware and fake recruiter lures. The operation aims to steal credentials and move laterally within Continuous Integration/Continuous Deployment (CI/CD) and development infrastructure. JINX-0164 also conducted a confirmed supply chain attack, trojanizing an npm package to deploy a persistent backdoor, extending the threat beyond individual developers to any organization using affected open-source packages. Organizations in the financial and cryptocurrency sectors should review social engineering defenses and endpoint detection for macOS environments.
Financial Services Sector Recommendations:
- Enforce cryptographic code-signing checks and enable strict commit verification parameters within all software building lines.
- Monitor macOS environments for unauthorized background modifications, unexpected remote terminal commands, or atypical local repository adjustments.
- Train technical staff to verify the identity of unsolicited recruiters on LinkedIn and to refuse requests to download or execute software during virtual interviews or onboarding calls.
- Implement dedicated secrets-scanning utilities to identify and revoke developer keys if local developer endpoints are compromised.
Food and Agriculture Sector
iFood Confirms Data Breach Affecting 1.2 Million Users in Brazil In December 2025, the Brazilian food delivery platform iFood suffered a data breach impacting 1.2 million users, approximately 2% of its customer base. While hackers did not obtain passwords or financial records, they successfully exfiltrated sensitive personal information, including names, phone numbers, addresses, and CPF numbers, which are the Brazilian taxpayer identity documents equivalent to U.S. Social Security Numbers. The incident underscores the vulnerability of food supply chain enablers to identity-focused data theft and extortion operations.
Food and Agriculture Sector Recommendations:
- Conduct comprehensive audits of third-party food delivery and supply chain platform vendors to identify and remediate gaps in personally identifiable information (PII) storage, access controls, and data retention policies.
- Enforce strict data minimization and access controls on platforms that aggregate consumer PII, ensuring that sensitive identifiers such as government-issued identification numbers are encrypted at rest and accessible only to explicitly authorized systems.
- Establish data breach notification workflows that align with both domestic and international regulatory requirements, given the cross-border nature of food supply chain data exposure.
- Strengthen monitoring and logging on food delivery and agricultural logistics platforms to detect unusual data access or exfiltration activity, particularly involving sensitive customer and supplier information.
Government Services and Facilities Sector
Promoting Advanced Artificial Intelligence Innovation and Security President Trump signed National Security Presidential Memorandum (NSPM-11) to accelerate artificial intelligence adoption across the military, intelligence community, and federal agencies, directing entities to strengthen public-private AI partnerships while expanding procurement workflows. Concurrently, the administration instructed the Center for AI Standards and Innovation to halt the public release of its model safety assessments while an aligned executive order is implemented. These developments reflect a broader White House strategy to accelerate AI integration across federal operations while maintaining executive control over AI model evaluations and disclosures.
Five Eyes Security Alliance Warns of Chinese Spy Threat on Job Sites The United States and its Five Eyes international partners issued a joint operational warning regarding Chinese state-sponsored intelligence services aggressively targeting government, military, and critical infrastructure personnel on LinkedIn. Sophisticated actors pose as legitimate maritime consultancies, think-tank recruiters, and professional headhunters to build relationships with individuals holding active security clearances or specialized technical expertise. Once a connection is established, targets are funneled toward encrypted messaging applications where they are offered financial compensation for internal research, non-public defense insights, or supply-chain logistics data.
How St. Paul, Minnesota, Recovered From a Ransomware Attack The city of St. Paul, Minnesota successfully completed a comprehensive systems recovery following a severe ransomware attack, utilizing a coordinated framework involving municipal departments, state agency responders, and the National Guard. The operation focused on emergency management integration and multi-agency incident response planning to systematically restore public services without paying an extortion demand. Key to St. Paul’s success: a pre-existing multi-agency coordination structure, National Guard cyber support activation, sequenced service restoration prioritizing public safety systems, and refusal to pay the ransom demand. This successful stabilization effort has since become a standard case study in municipal cyber resilience, offering an immediate operational roadmap for Florida’s county and local government facilities facing similar local infrastructure threats.
Government Services and Facilities Sector Recommendations:
- Assess the cybersecurity and governance implications of accelerating artificial intelligence adoption across government agencies. Focus on protecting AI systems from foreign theft and manipulation while maintaining appropriate oversight of AI model evaluations and disclosures.
- Train staff with security clearances and access to sensitive information to recognize Chinese state-sponsored recruitment lures on professional networking platforms, as warned by Five Eyes partners. Implement verification procedures for unsolicited job offers from entities posing as consultancies or think tanks.
- Utilize the St. Paul municipal recovery model to develop multi-agency incident response plans that prioritize service restoration and continuity of operations over extortion payments during ransomware attacks.
Healthcare and Public Health Sector
DentaQuest Data Breach Exposes 2.6 Million Accounts Dental benefits administrator DentaQuest suffered a major data breach that exposed the sensitive personal and health records of approximately 2.6 million accounts. The extortion group ShinyHunters claimed responsibility for the intrusion, leaking 234 gigabytes (GB) of stolen data on a dark web forum after corporate leadership reportedly declined ransom negotiations. The incident follows a persistent operational pattern where advanced extortion groups target third-party health administrators to exfiltrate high-value wellness data and personally identifiable information. Exposed data includes Medicaid IDs, government-issued identification, health insurance records, and contact information. This directly affected individuals enrolled in Medicaid programs managed by DentaQuest in Florida. Because DentaQuest manages dental benefits for a substantial volume of residents across the state, this compromise directly impacts the health, financial, and insurance records of thousands of Florida citizens.
Ultrahuman Says Hackers Accessed Customers’ Wellness Data via Internal Tool India-based wearable health tech startup Ultrahuman disclosed a data breach on March 27, 2026, involving unauthorized access to an internal analytics tool. Threat actors gained entry using an employee’s credentials, which had been stolen by malware. Although the company detected the intrusion promptly and took the affected system offline, the breach underscores the escalating risk of malware-driven credential theft targeting centralized health data repositories.
Healthcare and Public Health Sector Recommendations:
- Apply deep encryption and strict access logging to biometric files and patient wellness data stored in third-party or internal analytics tools.
- Isolate medical devices and electronic health record (EHR) directories on sub-networks detached from internet-facing boundaries.
- Practice paper-based admittances and hand-off protocols to sustain care during total IT infrastructure failures.
Information Technology Sector
NSA Launches Zero Trust Implementation Guidelines Resource Webpage The National Security Agency (NSA) launched a centralized hub for Zero Trust Implementation Guides (ZIGs), consolidating legacy technical recommendations and interactive planning tools designed to assist enterprises in strengthening multi-layered infrastructure security. Operating on a “never trust, always verify” framework, the resource center provides a modular, adaptable approach allowing critical infrastructure operators to prioritize defensive integration based on their explicit asset maturity levels and budgets. The interactive platform delivers focused mitigation paths across identity governance, endpoint defense, network isolation, application security, and data protection. Florida infrastructure defenders should immediately utilize these centralized blueprints to transition away from legacy perimeter assumptions and establish validated, continuous authentication controls across state-managed administrative interfaces. The hub is accessible at nsa.gov.
Check Point Warns of Zero-Day Flaw Targeted by Ransomware Affiliate A wave of high-severity network perimeter vulnerabilities is fueling mass-exploitation campaigns targeting virtual private networks (VPNs) and enterprise routing infrastructure. Critical threats include an actively weaponized Cisco Catalyst SD-WAN Manager zero-day (CVE-2026-20245) allowing low-privileged users to execute root-level terminal commands, a Palo Alto Networks PAN-OS cookie-forgery flaw (CVE-2026-0257) enabling unauthorized VPN sessions, and a Check Point Remote Access vulnerability (CVE-2026-50751) actively abused by Qilin ransomware affiliates. Concurrently, Microsoft Exchange Online environments face spoofing risks via the “Ghost-Sender” configuration bypass, while ServiceNow reported unauthorized tenant access incidents, highlighting that Florida public-sector agencies and infrastructure operators must prioritize immediate boundary patching, multi-factor authentication enforcement, and log audits.
Record-Breaking June Patch Tuesday Highlights Enterprise Software Hazards The June 2026 Patch Tuesday cycle marked a historic high, with Microsoft addressing nearly 200 vulnerabilities, including over three dozen critical bugs and an actively exploited Windows Netlogon remote code execution flaw (CVE-2026-41089) carrying a Common Vulnerability Scoring System (CVSS) score of 9.8. This surge is mirrored across the enterprise ecosystem, with Oracle transitioning to a rapid monthly patching model to fix 77 vulnerabilities, Google patching its fifth Chrome browser zero-day of the year (CVE-2026-11645), and Veeam releasing emergency fixes for a critical Backup & Replication flaw (CVE-2026-44963) that allows unauthenticated domain-level takeover. CI operators using Oracle products should update their patch management schedules to match the new monthly cadence. Because adversaries are increasingly leveraging machine-assisted fuzzing to weaponize these disclosures within days, Florida entities must establish compressed patch timelines to protect internet-facing infrastructure and backup servers.
Sophisticated Supply Chain Tactics Weaponize Open-Source Repositories and AI Coding Tools Security researchers have uncovered distinct software supply chain campaigns engineered to infect upstream development blocks and autonomous programming environments. The ‘Miasma’ campaign infected over 100 npm packages, including Red Hat Cloud Services packages, and extended into Microsoft Azure and GitHub repositories. Miasma demonstrated worm-like self-propagation by stealing developer credentials to automatically infect and republish additional packages, which extended the compromise from individual developers to entire organizational code repositories. The ‘Hades’ campaign poisoned 19 PyPI packages to execute automated credential-harvesting scripts. Because the malware executes at Python interpreter startup rather than only when the specific package is imported, any Python environment that has installed one of the packages is at risk even if the package is never imported. Additionally, researchers demonstrated successful security scanner bypasses on Vercel and Cisco platforms, illustrating that automated code-review tools fail to catch malicious AI agent extensions, meaning Florida development teams must implement strict cryptographic dependency validation and code signing.
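An added example, not code from the researchers or from either campaign, for auditing the startup-execution vector described above. It assumes the hook lives in a .pth file in a site-packages directory: site.py executes any line of a .pth file that begins with “import” every time the interpreter starts, which is how a package can run code without ever being imported. Whether Hades used exactly this mechanism is not stated above and is an assumption here; the fixture files and the list of suspicious names are constructed for this example.

```python
import re
import site
import tempfile
from pathlib import Path

# Names that have no business in a startup hook. Legitimate .pth import lines
# (editable installs, virtualenv shims) import one small module and nothing else.
# This list is an assumption for the example; extend it for your environment.
SUSPECT = re.compile(
    r"\b(exec|eval|compile|b64decode|fromhex|marshal|zlib|subprocess|popen|"
    r"os\.system|socket|urllib|urlopen|requests|ctypes)\b"
)


def scan_pth_file(path):
    """Return one finding per line that site.py would execute at startup."""
    path = Path(path)
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.rstrip("\n")
            # site.py executes only lines that begin with "import " or "import\t";
            # every other non-comment line is just appended to sys.path.
            if not line.startswith(("import ", "import\t")):
                continue
            findings.append({
                "file": str(path),
                "name": path.name,
                "line": lineno,
                "suspicious": bool(SUSPECT.search(line)),
                "text": line[:200],
            })
    return findings


def scan_dirs(dirs):
    """Scan every *.pth file in the given directories (missing dirs are skipped)."""
    out = []
    for d in dirs:
        p = Path(d)
        if p.is_dir():
            for pth in sorted(p.glob("*.pth")):
                out.extend(scan_pth_file(pth))
    return out


def default_dirs():
    """The directories site.py reads .pth files from for this interpreter."""
    dirs = list(site.getsitepackages()) if hasattr(site, "getsitepackages") else []
    dirs.append(site.getusersitepackages())
    return dirs


def make_constructed_sample():
    """Constructed fixtures in a temp dir, not real package content: one benign
    virtualenv-style hook and one hook that decodes and executes a payload.
    The scanner only reads these files; nothing in them is ever executed."""
    d = tempfile.mkdtemp(prefix="pth-audit-")
    Path(d, "benign.pth").write_text("/opt/internal/pkgs\nimport _virtualenv\n")
    Path(d, "poisoned.pth").write_text(
        "import os, base64; exec(base64.b64decode('cHJpbnQoJ2hvb2snKQ=='))\n"
    )
    return d


if __name__ == "__main__":
    for f in scan_dirs(default_dirs()):
        label = "SUSPICIOUS" if f["suspicious"] else "executed  "
        print(f"{label} {f['file']}:{f['line']}  {f['text']}")
```

Run it inside every interpreter and virtual environment a build host or developer workstation uses, since each has its own site-packages; any executed line that is not a hook you can attribute to a known installer deserves a manual look, and a match on the suspicious list warrants treating the host’s developer credentials as exposed.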
Acer Working to Patch Max Severity Zero-days in Wave 7 Routers Acer is developing patches for two maximum-severity zero-day vulnerabilities in its Wave 7 mesh routers. One flaw, CVE-2026-49200, involves a broken access control issue allowing unauthenticated attackers to remotely access plaintext credentials stored in log archives. The vulnerability affects routers running firmware version T7c_GBL_1.01.000055 or earlier. Successful exploitation provides an immediate path for initial access and lateral movement within compromised networks.
Cisco Warns of Available PoC for Critical Unified CM Vulnerability Cisco released patches for a high-severity server-side request forgery (SSRF) vulnerability (CVE-2026-20230) affecting Unified Communications Manager (Unified CM) and Session Management Edition (SME). The flaw stems from insufficient input validation in specific HTTP requests, allowing unauthenticated attackers to send crafted requests to internal systems. Cisco warned that proof-of-concept (PoC) code is publicly available, drastically compressing the timeline between patch release and weaponization. This development aligns with the strategic warning regarding AI-assisted machine-speed exploitation, necessitating rapid remediation to outpace automated threats.
Information Technology Sector Recommendations:
- Implement strict application whitelisting and endpoint execution controls for all developer tooling, integrated development environment (IDE) plugins, and third-party extension marketplaces.
- Enforce automated secrets-scanning utilities across all internal repositories, code pipelines, and cloud-hosted environments to rapidly discover and revoke exposed keys or cloud credentials.
- Mandate the complete network segmentation of enterprise backup infrastructure (specifically Veeam architectures) from the primary active directory domain to prevent cross-compromise during ransomware operations.
- Transition infrastructure administration pipelines to a strict Zero Trust model, enforcing phishing-resistant multi-factor authentication and continuous device posture verification.
- Establish formal software dependency review protocols, utilizing cryptographic verification and strict commit controls to evaluate open-source Python (PyPI) and JavaScript (npm) additions before introduction into local development chains.
- Review Exchange Online configurations for the Ghost-Sender bypass and audit ServiceNow tenant access logs for unauthorized activity.
Nuclear Reactors, Materials, and Waste Sector
No sector-specific incidents, advisories, or operationally relevant reporting were identified during this biweekly reporting period.
Transportation Systems Sector
Delivery Mega Leak: 840M+ Files Exposed as US Delivery Company Leaks Massive File Storage Security researchers identified a major cloud database exposure involving SpeedX, a prominent U.S.-based delivery and logistics company, which inadvertently left over 840 million records accessible to the public internet without authentication. The leaked dataset contained highly sensitive corporate and consumer assets, including customer delivery details, unredacted shipping labels, warehouse photographs, and official driver identification documentation. While SpeedX characterizes the incident as a cloud storage configuration issue rather than a confirmed breach, Cybernews researchers dispute this, asserting the exposed container was accessible to anyone who knew the container name. Regardless of characterization, the incident demonstrates the scale of exposure possible from misconfigured cloud storage in transportation logistics environments and the privacy and supply chain risks facing transportation hubs that fail to audit their cloud storage access controls; rigorous access control verification is necessary for regional logistics providers.
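An added example, not SpeedX’s or Cybernews’s tooling, of the access control verification called for above: an auditor that reads an inventory of S3 buckets and Azure Blob containers and flags the ones an anonymous internet client could read. The flat inventory shape, its field names and the sample entries are this example’s own constructions; in practice they would be filled from the providers’ APIs, but the decision logic (anonymous principal, no Condition, Block Public Access, account-level and container-level public access) is the part worth keeping.

```python
import fnmatch

# Actions that give an anonymous principal read access to objects or listings
# (lower-cased because IAM action matching is case-insensitive).
READ_ACTIONS = ("s3:getobject", "s3:listbucket")


def _as_list(v):
    return v if isinstance(v, list) else [v]


def principal_is_anonymous(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (or an AWS list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def s3_anonymous_read_actions(policy) -> list:
    """Return the policy actions that grant anonymous read with no Condition."""
    granted = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not principal_is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # A Condition (aws:SourceVpc, aws:SourceIp, aws:PrincipalOrgID...) may
            # scope the grant; such statements need review rather than an "open" flag.
            continue
        for action in _as_list(stmt.get("Action", [])):
            # Action names may carry wildcards ("s3:Get*", "s3:*", "*").
            if any(fnmatch.fnmatchcase(a, action.lower()) for a in READ_ACTIONS):
                granted.append(action)
    return granted


def audit(inventory) -> list:
    """Flag buckets and containers that anonymous internet clients can read."""
    findings = []
    for item in inventory:
        if item["provider"] == "aws":
            bpa = item.get("block_public_access", {})
            # With all four Block Public Access settings on, S3 refuses public
            # policies regardless of what the policy document says.
            if all(bpa.get(k) for k in ("BlockPublicAcls", "IgnorePublicAcls",
                                        "BlockPublicPolicy", "RestrictPublicBuckets")):
                continue
            actions = s3_anonymous_read_actions(item.get("policy", {}))
            if actions:
                findings.append({"name": item["name"], "provider": "aws",
                                 "reason": "anonymous " + ", ".join(actions)})
        elif item["provider"] == "azure":
            # Azure: the storage account must allow blob public access AND the
            # container's access level must be "blob" or "container".
            if not item.get("account_allows_public", True):
                continue
            level = item.get("public_access")
            if level in ("blob", "container"):
                findings.append({"name": item["name"], "provider": "azure",
                                 "reason": f"public_access={level}"})
    return findings


def constructed_inventory():
    """Constructed export, not real SpeedX, AWS or Azure data; the account ID
    and names are placeholders. Only two entries should be flagged."""
    return [
        {"provider": "aws", "name": "ops-invoices",
         "block_public_access": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                 "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
         "policy": {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                                   "Resource": "arn:aws:s3:::ops-invoices/*"}]}},
        {"provider": "aws", "name": "shipping-labels", "block_public_access": {},
         "policy": {"Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["s3:Get*"],
                                   "Resource": "arn:aws:s3:::shipping-labels/*"}]}},
        {"provider": "aws", "name": "internal-logs", "block_public_access": {},
         "policy": {"Statement": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                                   "Action": "s3:*", "Resource": "*"}]}},
        {"provider": "azure", "name": "driver-ids", "account_allows_public": True, "public_access": "container"},
        {"provider": "azure", "name": "warehouse-photos", "account_allows_public": False, "public_access": "blob"},
        {"provider": "azure", "name": "backups", "account_allows_public": True, "public_access": None},
    ]
```

A finding here means “readable by anyone who knows the name”, which is exactly the condition disputed in the SpeedX case; a scheduled run against a live inventory turns that from a post-incident argument into a pre-incident alert.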
Qilin Ransomware Claims Hack of Major New York and New Jersey Shipping Association The Qilin ransomware group claimed responsibility for a targeted network intrusion against the New York Shipping Association, a vital maritime organization supporting cargo logistics at one of North America’s busiest ports. Although the full operational impact is still being evaluated, the attack represents a direct threat to maritime supply chains, as disruptions to shipping association networks can rapidly trigger cascading delays across port terminal operations, cargo movements, and regional economic activity. This incident serves as an immediate warning for Florida’s major commercial maritime hubs proving that third-party maritime service organizations are primary targets for ransomware syndicates.
Transportation Systems Sector Recommendations:
- Separate public information display systems, scheduling applications, and passenger portals from core operational transit control planes into distinct, firewalled network zones.
- Implement immutable offline system state backups and verified gold-image snapshots to facilitate rapid bare-metal recovery following potential data-wiping or ransomware events.
- Review cloud storage configurations, object bucket access controls, and data exposure settings for all logistics platforms, enforcing regular security audits over third-party transportation technology providers.
- Conduct ransomware readiness exercises specifically focused on maritime logistics, validating network segmentation boundaries and backup integrity across port community systems and shipping association networks.
- Assess and strengthen enterprise resilience against Positioning, Navigation, and Timing (PNT) vulnerabilities by establishing secondary, out-of-band communication and redundant tracking workflows for local logistics fleets.
Water and Wastewater Systems Sector
GAO: Actions Needed to Address Persistent Cybersecurity Threats to the Water and Wastewater Sector The U.S. Government Accountability Office (GAO) warned that many drinking water and wastewater utilities across the United States continue to lack fundamental cybersecurity protections. The report found that numerous utilities still do not maintain basic asset inventories, incident response plans, or adequate segmentation between operational technology (OT) and information technology (IT) networks. These deficiencies leave critical water infrastructure vulnerable to cyberattacks that could disrupt service delivery and pose risks to public health and the environment. The GAO called for stronger federal support and sector-wide actions to close long-standing cybersecurity gaps.
Cyber Intel Brief: Handala Claims Breach of California Water Service On June 11, 2026, the Iranian-affiliated threat actor Handala compromised California Water Service, releasing a five-gigabyte dump of customer personally identifiable information and administrative credentials. The adversaries breached an open-source RTKBase GPS correction server on port 10000 and a customer billing database across seven districts, including Chico, California. Critically, there is no evidence of operational technology (OT) or industrial control systems (ICS) compromise. Handala’s claims of disruptive capabilities against water treatment processes remain unproven. This incident highlights vulnerabilities in municipal water infrastructure, signaling elevated risk for Florida utilities operating exposed mapping portals without rigid IT and OT network segmentation.
Water and Wastewater Systems Sector Recommendations:
- Use automated network mapping to guarantee SCADA networks and PLCs have no unauthenticated public internet exposure.
- Close GAO-identified gaps by maintaining a comprehensive inventory of all OT assets and hardening the boundary between IT and OT networks.
- Maintain offline, validated backups to support recovery from disruptive cyber incidents affecting operational technology environments.
- Actively engage with federal and state funding channels to offset budget shortfalls for cybersecurity posture improvements in smaller districts.
