News

September 9, 2021

CI Bulletin Vol 2, Issue 10 July 7 2026

Florida Critical Infrastructure Cybersecurity Intelligence

This bulletin is produced by USF’s Strategic and Cyber Intelligence Program, in collaboration with Cyber Florida, to deliver timely, actionable insights and recommendations to help Critical Infrastructure owners and operators better protect Florida’s Critical Infrastructure.

Situational Awareness Bulletin
Cyber Threat Outlook

Florida’s critical infrastructure operators face an accelerating wave of attacks against the software and network equipment that connects their organizations to the internet, with attackers exploiting newly disclosed flaws within days of disclosure and, in several cases, before a fix even exists. Over the next six to nine months, three patterns will likely dominate the threat landscape: mass-exploitation campaigns against widely used enterprise software, illustrated by the Oracle PeopleSoft vulnerability behind the ShinyHunters extortion campaign that has already struck a national insurance regulator; continued compromise of network perimeter devices, including firewalls, virtual private networks (VPNs, which let remote users connect securely to a private network), and routers that organizations rely on for both security and connectivity; and the abuse of trusted third-party cloud integrations, where attackers steal credentials from one vendor to reach every customer connected to it. Nation-state actors, particularly those linked to Iran and Russia, continue probing government and public safety systems abroad for techniques that could migrate to U.S. targets. For Florida operators, the most effective defenses remain unglamorous but proven: patch internet-facing systems quickly, require multifactor authentication everywhere it is available, and rehearse manual backup procedures so operations can continue if digital systems fail.

Confidence Assessment – High

Executive Summary

All Sectors: Prioritize risk-based vulnerability management across all sectors as automated exploitation of internet-facing vulnerabilities has surpassed credential theft as the leading initial access method for cyber intrusions. Iran-linked threat groups continue demonstrating the ability to disrupt public-safety alerting and operational technology (OT) systems abroad, most recently by silencing emergency sirens in Israel through a known firmware flaw in widely deployed alerting hardware — a technique that could be replicated against the same hardware wherever it is deployed, including in Florida. Florida organizations should accelerate remediation of actively exploited vulnerabilities, inventory any of the affected alerting hardware in their environment, and strengthen identity-centric security controls.

Commercial Facilities: Isolate internet-connected surveillance systems and third-party business platforms, as newly disclosed, high-severity H.VIEW camera vulnerabilities (CVSS 7.2 and 8.6) and recent extortion campaigns demonstrate these technologies remain attractive attack vectors. No vendor patch is currently available for the camera flaws, so isolation is the primary defense. Organizations should rotate privileged credentials, segment backup infrastructure, and monitor for unauthorized administrative activity.

Communications: Strengthen communications infrastructure security as Cisco Secure Digital Wide Area Network (SD-WAN) zero-day exploitation and new Federal Communications Commission (FCC) emergency communications security requirements highlight increasing operational risks. Florida communications providers should prioritize patching, review administrative access controls, and validate continuity procedures supporting emergency communications.

Critical Manufacturing: Apply firmware and software updates rapidly as active exploitation of Ubiquiti UniFi and PTC Windchill platforms continues to threaten manufacturing environments and industrial supply chains. Organizations should restrict access to management interfaces and strengthen segmentation between operational technology and enterprise networks.

Financial Services: Review third-party platform security following the National Association of Insurance Commissioners (NAIC) breach, which was caused by the same Oracle PeopleSoft zero-day vulnerability (CVE-2026-35273) covered under All Sectors above, and demonstrates continuing risks associated with financial reporting and regulatory operations. Financial institutions running Oracle PeopleSoft should treat patching that vulnerability as a financial-sector priority, not only a general IT task, and should enforce least-privilege principles, strengthen authentication controls, and monitor for unauthorized access to sensitive financial data.

Government Services and Facilities: Increase behavioral monitoring, drawing on newly published research showing how the Russian Advanced Persistent Threat (APT) group Gamaredon evolved its PowerShell-based malware and command-and-control tradecraft in 2025. Gamaredon’s documented campaigns remain focused on Ukrainian government and military targets, but its techniques — including abuse of legitimate cloud and tunneling services to hide infrastructure — illustrate broader nation-state tradecraft worth incorporating into defensive planning. Government organizations should validate endpoint detection capabilities and conduct recurring integrity reviews of administrative workstations and privileged accounts.

Healthcare and Public Health: Strengthen third-party access controls as CyberAv3ngers continues targeting public-safety communications while ransomware operators maintain pressure on healthcare providers through data theft and extortion. Healthcare organizations should validate backup and recovery procedures, monitor for data leakage, and ensure continuity plans support uninterrupted patient care.

Information Technology: Remediate Known Exploited Vulnerabilities affecting internet-facing enterprise infrastructure as active exploitation of Palo Alto GlobalProtect, LiteSpeed cPanel, and Joomla vulnerabilities continues to increase operational risk. Organizations should restrict administrative privileges, strengthen endpoint monitoring, and review browser extension security policies.

Water and Wastewater Systems: Enhance remote-access security as recent federal guidance regarding last-mile funding and National Institute of Standards and Technology (NIST) remote-access security reinforces the need for resilient operational technology architectures. Utilities should implement continuous operational technology integrity monitoring and validate manual fallback procedures to maintain essential services during cyber incidents.

All Sectors

Securing The Nation Against Advanced Cryptographic Attacks On June 22, 2026, President Trump signed an Executive Order directing the accelerated transition to Post-Quantum Cryptography (PQC) across federal systems to address emerging “harvest now, decrypt later” threats. Adversaries are increasingly collecting encrypted information with the expectation that future quantum computing capabilities will enable decryption of sensitive data. While the directive establishes federal migration timelines through 2031, Florida critical infrastructure owners and operators should begin identifying cryptographic dependencies, inventorying high-value assets, and coordinating with their Sector Risk Management Agencies (SRMAs) to support long-term cryptographic modernization and reduce future operational risk.

ShinyHunters Hacked Hundreds Leveraging Oracle Bug Throughout June 2026, the ShinyHunters cybercrime group conducted coordinated attacks by exploiting vulnerabilities in widely deployed enterprise platforms, including Oracle PeopleSoft, to compromise organizations across multiple sectors. The campaign exploited CVE-2026-35273, a CVSS 9.8 unauthenticated remote code execution flaw in the PeopleSoft Environment Management Hub component, between May 27 and June 9, 2026, before Oracle issued mitigation guidance on June 10. Rather than targeting a single organization, the campaign focused on shared enterprise infrastructure to steal personally identifiable information (PII), financial records, and proprietary business data for extortion. While the campaign affected organizations across government, healthcare, financial services, and other sectors, Google Mandiant’s investigation found that 68 percent of identified targets were in higher education, making it the sector hit hardest by this specific campaign. Because Oracle enterprise resource planning solutions are widely used across government, healthcare, financial services, and commercial organizations, Florida critical infrastructure operators should immediately assess internet-facing Oracle environments, validate backup integrity, and monitor for indicators of unauthorized access.

Cybercriminals Allegedly Hacked Tens of Thousands of Fortinet Firewalls Used by Major Companies All Over the World A large-scale credential exposure campaign compromised administrative and Secure Sockets Layer Virtual Private Network (SSL VPN) credentials associated with more than 73,000 Fortinet FortiGate appliances worldwide. The exposed credentials could enable cyber threat actors to bypass network perimeters, modify firewall configurations, establish persistent access, and conduct lateral movement within enterprise environments. Fortinet characterized the activity as “a resharing of data from previous incidents, as well as bruteforcing of credentials, and is not related to any recent incident or advisory.” Given the widespread deployment of Fortinet technologies throughout Florida government agencies and critical infrastructure sectors, organizations should immediately validate administrative credentials, review firewall configurations, rotate compromised credentials, and prioritize risk-based remediation to prevent unauthorized network access.

North Korean Hiring Fraud Runs on AI and US Laptop Farms Research released in June 2026 identified a sophisticated North Korean employment fraud campaign that combines stolen identities, artificial intelligence-assisted interviews, and U.S.-based laptop farms to infiltrate technology companies. One documented case, publicized in June 2026 but originating from a June 2025 job application, involved an individual posing as a Florida-based artificial intelligence architect who applied for a position at risk-intelligence firm Nisos. Nisos identified the deception during its interview process before extending an offer, then used the engagement to gather intelligence on the broader fraud operation. This activity demonstrates the growing insider threat posed by fraudulent remote hiring schemes. Florida organizations should strengthen identity verification procedures, validate candidate credentials, monitor for anomalous endpoint activity during onboarding, and incorporate insider-threat detection into hiring and human resources security processes. Two technical indicators thsat may be useful for detection are: (a) the use of PiKVM hardware to allow remote, hard-to-detect control of ‘laptop farm’ devices, and (b) the use of Astrill VPN, a service frequently associated with North Korean IT-worker operations, as a connection pattern.

All Sectors Recommendations:

• Inventory cryptographic assets and develop a phased migration strategy for Post-Quantum Cryptography (PQC) in coordination with applicable Sector Risk Management Agencies (SRMAs).

• Audit internet-facing enterprise applications and external gateways to identify vulnerabilities, unauthorized access, and indicators of compromise before they are exploited.

• Enforce phishing-resistant multi-factor authentication, rotate privileged credentials regularly, and continuously monitor remote access infrastructure for unauthorized administrative activity.

• Strengthen hiring and insider-threat detection processes by validating candidate identities, monitoring endpoint activity during onboarding, and identifying indicators associated with fraudulent remote employment campaigns.

• Conduct recurring tabletop exercises and business continuity drills to validate incident response, backup recovery, and operational resilience across all critical infrastructure sectors.

Chemical Sector

No sector-specific incidents, advisories, or operationally relevant reporting were identified during this biweekly reporting period.

Commercial Facilities Sector

CISA Warns H.VIEW HV-500S6 Cameras: Command Injection & Malicious File Upload Risk On June 25, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) released advisory ICSA-26-176-05 identifying high-severity vulnerabilities affecting H.VIEW HV-500S6 Internet Protocol (IP) cameras running firmware version IPCAM_V4.06.88.251229. The vulnerabilities, tracked as Common Vulnerabilities and Exposures (CVE)-2026-55975 and CVE-2026-56414, allow authenticated attackers to execute operating system commands and upload malicious files capable of establishing persistent access. Because these cameras are commonly deployed within commercial facilities, retail environments, warehouses, and public venues, successful exploitation could provide cyber threat actors with an initial foothold into enterprise networks. Florida commercial facility operators should prioritize firmware updates, isolate surveillance devices from critical business networks, and continuously monitor camera management interfaces for unauthorized activity.

Commercial Facilities Sector Recommendations:

• Identify all deployed H.VIEW HV-500S6 devices and verify whether vulnerable firmware versions remain in operation.

• Because H.View did not respond to CISA’s coordination request, and no vendor patch is currently available, CI operators should prioritize network isolation or removal of affected devices, while organizations attempt direct outreach to the vendor. Apply vendor firmware updates and remove unsupported devices from production environments whenever possible.

• Restrict camera management interfaces from direct internet exposure by implementing network segmentation and firewall protections.

• Rotate administrative credentials, disable unnecessary accounts, and continuously monitor surveillance systems for unauthorized configuration changes or suspicious activity.

• Validate incident response procedures for physical security systems to ensure surveillance infrastructure can be restored quickly following a cyber incident.

Communications Sector

Malicious Hackers Exploit Cisco Zero-Day for Highest Access Level at Communications Service Provider Mandiant disclosed on June 24, 2026, that attackers had exploited a Cisco Catalyst Software-Defined Wide Area Network (SD-WAN) Manager zero-day vulnerability (CVE-2026-20245) months earlier, escalating from administrative access first obtained in late 2025 to full root-level control by March 2026. While the attackers established unauthorized peering connections and created root-level privilege escalation, each component exploited separate vulnerabilities: CVE-2026-20127 or CVE-2026-20182 for initial access; CVE-2026-20245 for privilege escalation to root. This is the seventh actively exploited Cisco SD-WAN zero-day disclosed in 2026, indicating a sustained, not isolated, attacker focus on this product line. Because Cisco SD-WAN technologies are widely deployed across government agencies, telecommunications providers, utilities, and other Florida critical infrastructure sectors, exploitation of this vulnerability could enable unauthorized network access, service disruption, and lateral movement across enterprise environments. Florida organizations should prioritize patching, review administrative accounts, and continuously monitor SD-WAN infrastructure for signs of compromise.

FCC Passes New Cybersecurity Rules for Emergency Systems, Undersea Cables On June 25, 2026, the Federal Communications Commission (FCC) adopted new cybersecurity requirements to strengthen the security of the Emergency Alert System (EAS), Wireless Emergency Alerts (WEA), and undersea cable infrastructure. The updated submarine cable rules tighten some cybersecurity and equipment-sourcing requirements while also streamlining the national-security review process for cable operators that self-certify to high security standards, in a trade-off intended to accelerate buildout. Because Florida relies heavily on undersea cable networks and statewide emergency communications to support public safety and disaster response, compliance with these requirements will strengthen operational resilience and reduce the risk of service disruption during cyber incidents.

Communications Sector Recommendations:

• Patch Cisco Catalyst Software-Defined Wide Area Network (SD-WAN) infrastructure immediately to remediate known vulnerabilities and reduce the risk of unauthorized administrative access.

• Audit privileged accounts and configuration changes regularly to identify unauthorized users, rogue administrative accounts, or suspicious modifications.

• Implement the Federal Communications Commission’s (FCC) cybersecurity requirements for the Emergency Alert System (EAS) and Wireless Emergency Alerts (WEA), including strong authentication and timely patch management.

• Review business continuity and disaster recovery procedures supporting communications infrastructure to ensure essential services remain available during cyber incidents.

• Monitor network traffic and system logs continuously for indicators of compromise affecting routing infrastructure, emergency communications systems, and undersea cable connectivity.

Critical Manufacturing Sector

CISA Warns of Max Severity Ubiquiti Flaws Exploited in Attacks The Cybersecurity and Infrastructure Security Agency (CISA) added multiple high-severity vulnerabilities affecting Ubiquiti UniFi Operating System (OS) devices to the Known Exploited Vulnerabilities (KEV) Catalog after confirming active exploitation in the wild. The vulnerabilities (CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910) allow unauthenticated attackers to bypass security controls and gain unauthorized access to affected systems. Because Ubiquiti networking equipment is widely deployed across manufacturing facilities, distribution centers, and industrial operations, exploitation could disrupt production networks and enable lateral movement into operational technology environments. Florida critical manufacturing organizations should prioritize firmware updates, restrict internet exposure of management interfaces, and continuously monitor network infrastructure for indicators of compromise.

First-Ever Exploitation of PTC Windchill Vulnerability Discovered in the Wild Cyber threat actors are actively exploiting a critical remote code execution vulnerability (CVE-2026-12569) affecting PTC Windchill and FlexPLM Product Lifecycle Management (PLM) platforms. The vulnerability results from improper input validation and allows unauthenticated attackers to execute arbitrary code with system-level privileges. Following confirmed exploitation, CISA added the vulnerability to its Known Exploited Vulnerabilities Catalog (KEV) and directed organizations to remediate affected systems by June 28, 2026. This is the first PTC product vulnerability ever added to CISA’s KEV catalog, signaling new attacker interest in a previously untargeted vendor. Because Product Lifecycle Management platforms support engineering design, manufacturing operations, and supply chain coordination, successful exploitation could disrupt production processes, expose proprietary engineering data, and impact critical manufacturing operations across Florida.

Critical Manufacturing Sector Recommendations:

• Apply vendor firmware and software updates (UniFi OS Server 5.0.8, released in May 2026) immediately to all affected Ubiquiti UniFi Operating System and PTC Windchill platforms.

• Restrict public access to management interfaces by implementing network segmentation, virtual private networks, and firewall protections.

• Monitor network traffic, authentication logs, and administrative activity for indicators of compromise or unauthorized configuration changes.

• Validate backup and recovery procedures for engineering, manufacturing, and Product Lifecycle Management systems to minimize operational disruption following a cyber incident.

• Conduct regular vulnerability assessments of industrial control and supporting enterprise systems to identify and remediate emerging risks before exploitation occurs.

Dams Sector

No sector-specific incidents, advisories, or operationally relevant reporting were identified during this biweekly reporting period.

Defense Industrial Base Sector

No sector-specific incidents, advisories, or operationally relevant reporting were identified during this biweekly reporting period.

Emergency Services Sector

Team82 Documents Iran-Linked CyberAv3ngers Escalating Cyber-Psychological Warfare Against Civilian Alert Systems Claroty’s Team82 documented CyberAv3ngers exploiting a known firmware vulnerability (CVE-2024-41700) in Barix audio-over-IP devices to silence Israeli emergency sirens and manipulate public alerts. Rather than focusing solely on system disruption, the group seeks to manipulate emergency alerts to create confusion, erode public trust, and disrupt emergency response operations. Barix has released a patch, though it must be applied manually. Because the same vulnerable Barix hardware is also deployed in U.S. public safety and emergency alerting infrastructure, including in Florida, municipalities should treat this as a warning to inventory and patch any Barix devices in their environment rather than evidence of direct targeting.

Emergency Services Sector Recommendations:

• Isolate public safety communication systems and critical alerting infrastructure from internet-facing networks whenever operationally feasible.

• Conduct tabletop exercises involving ransomware, cyber-physical attacks, and emergency communications disruptions to improve organizational preparedness.

Energy Sector

No sector-specific incidents, advisories, or operationally relevant reporting were identified during this biweekly reporting period.

Financial Services Sector

NAIC Confirms June Data Breach The National Association of Insurance Commissioners (NAIC) confirmed a data breach involving unauthorized access to its PeopleSoft financial reporting environment on or about June 11, 2026. This breach was caused by the same Oracle PeopleSoft zero-day (CVE-2026-35273) already covered as a separate item under All Sectors earlier in the bulletin. Cyber threat actors temporarily accessed sensitive data repositories before the activity was identified, contained, and remediated. The scope of the breach is disputed: the attacker has published a large volume of data, while NAIC maintains the group is unlikely to hold the full scope of regulatory data it has claimed, and confirms no personally identifiable information or payment data was accessed. Nevertheless, the incident highlights the continued risk posed by third-party platforms supporting regulatory reporting and financial operations. Because Florida insurers and the Florida Office of Insurance Regulation rely on similar enterprise systems to exchange regulatory information, organizations should strengthen third-party risk management, continuously monitor privileged access, and validate security controls protecting financial reporting environments.

Financial Services Sector Recommendations:

• Conduct recurring third-party risk assessments of regulatory reporting platforms and financial service providers to identify authentication, access control, and configuration weaknesses.

• Enforce least-privilege access controls and multifactor authentication for users with access to sensitive financial reporting systems.

• Monitor authentication logs, privileged account activity, and data access events continuously for indicators of unauthorized access or credential misuse.

• Review business continuity and incident response procedures to ensure regulatory reporting operations can continue during third-party cybersecurity incidents.

• Coordinate with third-party vendors to validate incident notification procedures and recovery responsibilities following security events.

Food and Agriculture Sector

No sector-specific incidents, advisories, or operationally relevant reporting were identified during this biweekly reporting period.

Government Services and Facilities Sector

Russia APT ‘Gamaredon’ Upgrades Arsenal, Requiring New Defenses The Russian state-sponsored Advanced Persistent Threat (APT) group Gamaredon, also known as Aqua Blizzard, has expanded its malware toolkit by deploying more sophisticated PowerShell-based downloaders and enhanced command-and-control evasion techniques. These updates improve the group’s ability to maintain persistent access while avoiding traditional signature-based detection methods. ESET’s research documents that Gamaredon’s 2025 campaigns exclusively targeted Ukrainian government and military institutions. There is currently no evidence the group is specifically targeting U.S. or Florida government entities directly. The group’s evolving techniques, however — including new PowerShell-based downloaders and abuse of legitimate cloud and tunneling services to conceal command-and-control infrastructure — reflect broader nation-state tradecraft trends that Florida government organizations should incorporate into defensive planning. Florida state and local government organizations should consider proactive measures to strengthen behavioral monitoring, restrict unauthorized PowerShell execution, and continuously monitor outbound network communications for indicators of malicious activity associated with advanced persistent threats.

Government Services and Facilities Sector Recommendations:

• Implement PowerShell execution controls, including Constrained Language Mode, to reduce the risk of unauthorized script execution.

• Monitor endpoint and network telemetry continuously for anomalous PowerShell activity and command-and-control communications.

• Conduct recurring integrity reviews of administrative workstations and privileged accounts to identify persistence mechanisms or unauthorized system modifications.

• Strengthen endpoint detection and response capabilities to improve visibility into advanced persistent threat activity.

• Exercise incident response procedures focused on nation-state cyber threats targeting government networks and essential public services.

Healthcare and Public Health Sector

H-ISAC TLP Green: Ransomware Data Leak Sites Report The Health Information Sharing and Analysis Center (H-ISAC) Traffic Light Protocol (TLP): Green Ransomware Data Leak Sites Report provides healthcare organizations with timely visibility into ransomware groups actively publishing victim data on extortion sites. By monitoring these disclosures, organizations can identify emerging ransomware campaigns, validate potential compromises, and prioritize defensive actions before operational impacts escalate. Because healthcare providers remain frequent ransomware targets, Florida hospitals, clinics, and public health organizations should integrate external threat intelligence with internal security monitoring, continuously assess third-party vendor risk, and validate backup recovery capabilities to support uninterrupted patient care during cyber incidents.

Healthcare and Public Health Sector Recommendations:

• Validate backup integrity and routinely exercise disaster recovery procedures to maintain continuity of patient care during ransomware incidents.

• Monitor ransomware data leak sites continuously and correlate external reporting with internal security logs to identify potential compromises.

• Strengthen third-party vendor risk management programs and validate security controls protecting healthcare information systems.

Information Technology Sector

Palo Alto Warns of Active Exploitation of PAN-OS GlobalProtect VPN Flaw Cyber threat actors are actively exploiting an authentication bypass vulnerability (CVE-2026-0257, CVSS 7.8) affecting Palo Alto Networks GlobalProtect Virtual Private Network (VPN) gateways. The flaw allows attackers to forge authentication cookies and establish unauthorized VPN sessions; Palo Alto Networks reports no evidence of subsequent code execution or lateral movement in confirmed cases. The vulnerability only affects devices with authentication override cookies enabled and a certificate shared with another feature, not all GlobalProtect deployments. Because GlobalProtect appliances are widely deployed across government, healthcare, financial services, and other Florida critical infrastructure sectors, exploitation could enable unauthorized network access, operational disruption, and lateral movement throughout enterprise environments. Organizations should immediately apply vendor updates, restrict exposure of management interfaces, and continuously monitor authentication activity for indicators of compromise.

CISA Flags LiteSpeed cPanel Plugin Flaw Exploited for Root Privilege Escalation The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-54420 to the Known Exploited Vulnerabilities (KEV) Catalog after confirming active exploitation affecting LiteSpeed cPanel Plugin deployments. The vulnerability allows attackers with limited access to escalate privileges and potentially obtain administrative control of shared hosting environments. Because shared hosting platforms support many municipal governments, educational institutions, and small businesses throughout Florida, organizations should promptly update affected systems, review administrative privileges, and monitor hosting environments for unauthorized activity.

CISA Orders Feds to Patch Max Severity Joomla Plugin Flaw CISA directed federal agencies to remediate a critical vulnerability (CVE-2026-48907) affecting the Joomla Content Editor (JCE) plugin after adding it to the Known Exploited Vulnerabilities (KEV) Catalog. The vulnerability allows unauthenticated attackers to upload malicious PHP files and execute arbitrary code on vulnerable web servers. It is important to note that patching alone does not remove a web shell that attackers may have already planted on a compromised site before the update was applied, so defenders will need to hunt for Indicators of Compromise (IOCs) to detect them. Because Joomla is widely used to host public-facing government and organizational websites, exploitation could result in website defacement, unauthorized data access, or disruption of public services. Florida organizations should prioritize remediation, review web application security controls, and continuously monitor internet-facing websites for suspicious activity.

Google Vertex AI SDK Flaw Enables Cross-Tenant Model Hijacking Researchers disclosed a critical design flaw affecting the Google Cloud Vertex Artificial Intelligence (AI) Software Development Kit (SDK) for Python that could allow attackers to hijack machine learning model deployments across cloud environments. By exploiting predictable storage bucket naming, attackers may replace legitimate models with malicious versions capable of executing unauthorized code. Because the flaw was responsibly disclosed in March 2026 and fully patched by April 15, 2026 (SDK version 1.148.0), any actively maintained Vertex AI deployment running a current SDK should already be protected. As artificial intelligence adoption continues to expand across government and private industry, Florida organizations using Google Cloud should upgrade affected SDK versions, validate cloud storage configurations, and review software development security practices to reduce supply chain risk.

Salesforce Disables Klue Battlecards Integration Following OAuth Token Theft Cyber threat actors compromised the Klue Battlecards integration platform to steal Open Authorization (OAuth) tokens and access customer information through trusted third-party integrations, including Salesforce environments. The initial entry point was a long-dormant but still-active legacy credential, originally created for an abandoned third-party integration prototype. The incident highlights the growing cybersecurity risks associated with interconnected cloud services and software supply chain dependencies. Florida organizations should review third-party integration permissions, monitor application programming interface (API) activity for anomalous behavior, and regularly revoke unnecessary authorization tokens to reduce the likelihood of unauthorized access.

Malicious Edge Extension Abuses Native Messaging as Bridge to Malware Cyber threat actors are distributing a malicious Microsoft Edge browser extension that abuses the Chrome Native Messaging protocol to bypass browser security controls and execute malicious code on endpoint systems. This technique enables attackers to launch native processes, compromise connected applications, and establish persistent access while avoiding traditional browser protections. The campaign, dubbed ‘Edgecution,’ is linked to an initial access broker associated with the Payouts Kings ransomware operation. It originated with attackers impersonating IT support staff on Microsoft Teams and directing employees to a fraudulent ‘Outlook Updates Management Console’ page under the pretense of a spam-filter update. Because browser extensions are commonly used across enterprise and government environments, Florida organizations should restrict extension installations, monitor endpoint activity for unauthorized native messaging, and educate users on the risks associated with unapproved browser add-ons and the hazards of attackers impersonating IT staff.

Information Technology Sector Recommendations:

• Apply vendor patches immediately for Palo Alto GlobalProtect, LiteSpeed cPanel Plugin, Joomla Content Editor, and other products identified in the Known Exploited Vulnerabilities (KEV) Catalog.

• Check for existing IOCs, which have been published by the JCE security team and independent researchers, to detect existing Joomla plugin flaws.

• Review internet-facing systems routinely to identify exposed services, vulnerable applications, and unauthorized administrative interfaces.

• Strengthen cloud security by validating third-party integrations, restricting Open Authorization (OAuth) permissions, and monitoring application programming interface (API) activity for suspicious behavior.

• Upgrade Google Cloud Vertex Artificial Intelligence (AI) Software Development Kit (SDK) deployments to supported versions and implement secure software development practices for artificial intelligence environments.

• Restrict browser extension installations through enterprise policies and continuously monitor endpoints for unauthorized native messaging activity or other indicators of compromise.

• Conduct continuous vulnerability assessments and threat hunting activities to identify emerging risks before they affect business operations.

Nuclear Reactors, Materials, and Waste Sector

No sector-specific incidents, advisories, or operationally relevant reporting were identified during this biweekly reporting period.

Transportation Systems Sector

No sector-specific incidents, advisories, or operationally relevant reporting were identified during this biweekly reporting period.

Water and Wastewater Systems Sector

Last Mile Cybersecurity On June 22, 2026, the Institute for Security and Technology (IST) released a policy memorandum addressing cybersecurity gaps in federally funded infrastructure projects, particularly the lack of cybersecurity requirements tied to grant funding. The guidance emphasizes incorporating cybersecurity planning, risk assessments, and dedicated funding into infrastructure modernization efforts rather than treating cybersecurity as a separate initiative. Policy memoranda notwithstanding, Section 40126 of the Bipartisan Infrastructure Law already requires the Department of Energy to mandate cybersecurity plans for its grant recipients. Because many Florida water and wastewater utilities rely on federal funding while operating with limited cybersecurity resources, integrating security requirements into infrastructure projects will improve operational resilience and reduce long-term cyber risk.

NIST Offers Security Guidance for Water Utilities Using Remote-Access Tools The National Institute of Standards and Technology (NIST) published updated guidance in the final version of NIST Special Publication 1800-45, “Cybersecurity for the Water and Wastewater Sector: Build Architecture” to help water and wastewater utilities strengthen the security of remote-access technologies used to manage operational systems. Notably, Cybersecurity Dive’s reporting notes that remote-access weaknesses of exactly this kind “enabl[ed] several Iran-linked cyberattack campaigns against U.S. water systems.” The recommendations include restricting unnecessary remote access, implementing multifactor authentication, maintaining detailed access logs, and continuously monitoring remote connections for suspicious activity. Because remote-access technologies remain a common attack vector for cyber threat actors targeting critical infrastructure, Florida water utilities should review remote-access architectures, validate authentication controls, and strengthen monitoring capabilities to reduce operational risk.

Water and Wastewater Systems Sector Recommendations:

• Incorporate cybersecurity requirements into infrastructure modernization projects and grant-funded initiatives to improve long-term operational resilience.

• Identify and inventory all internet-facing operational technology (OT) systems, remote-access pathways, and supporting network infrastructure.

• Strengthen remote-access security by implementing multifactor authentication (MFA), network segmentation, and continuous monitoring of privileged connections.

• Conduct recurring cybersecurity assessments of operational technology environments and validate manual operating procedures to maintain essential services during cyber incidents.

• Coordinate proactively with federal and state partners to leverage available cybersecurity resources, technical assistance, and grant opportunities supporting water sector resilience.

CI Bulletin Vol 2, Issue 10 July 7 20262026-07-07T11:51:49-04:00

Rob Whetstine — Fortune 500 Director of Information Security and a rememberer of kindness

Bonus Episode — Rob Whetstine

Rob Whetstine — Fortune 500 Director of Information Security and a rememberer of kindness2026-06-26T13:19:57-04:00

Cyber Bulls-i Critical Infrastructure Support Tool is Here.

Cyber Bulls-i

Statewide platform simplifies cybersecurity assessments and provides customized action plans for Florida organizations at no cost

July 1, 2026—Tampa, Fla—Cyber Florida today announced the launch of Cyber Bulls-i, a first-of-its-kind cybersecurity assessment and planning platform designed specifically for Florida’s critical infrastructure organizations.

As the next generation of Cyber Florida’s Critical Infrastructure Program (CIP), Cyber Bulls-i provides organizations with a faster, easier, and more effective way to assess cybersecurity risks and connect with free resources and expert assistance.

At the heart of the new platform is a significantly streamlined assessment experience. The Florida Cyber Risk Assessment (FCRA), a cornerstone of the CIP, has been reduced from 164 questions to 106 questions, making it easier for organizations to evaluate their cybersecurity posture while still receiving meaningful, actionable insights.

“Cyber Bulls-i reflects years of experience working alongside Florida’s critical infrastructure organizations,” said Emeka Okammor, M.S., CISSP, CISA, cybersecurity resource manager. “We’ve taken what we’ve learned and built a modern platform that reduces barriers, saves time, and helps organizations quickly identify their risks and the resources available to address them.”

Cyber Bulls-i guides participants through three simple steps:

  1. Complete the Florida Cyber Risk Assessment (FCRA) to receive a customized cybersecurity report.
  2. Receive a personalized cybersecurity improvement plan tailored to the organization’s unique needs.
  3. Continue improving over time through progress tracking, updated recommendations, and ongoing support.

The launch comes at a critical time. Recent assessments conducted through the CIP found that approximately half of participating organizations lacked a formal recovery plan. Similarly, nearly half had not implemented formal cybersecurity awareness training. Many organizations also reported limited cybersecurity staffing, expertise, and budgets.

Cyber Bulls-i was specifically designed to address these challenges by providing:

  • No-cost participation through state funding
  • Florida-specific recommendations and resources
  • Customized guidance aligned to organizational needs
  • Secure handling of assessment data
  • Ongoing support to help organizations improve over time

Importantly, many organizations that qualify as critical infrastructure do not realize they fall within that category. While hospitals, utilities, and government agencies are often recognized as critical infrastructure, many small and medium-sized businesses also provide essential goods and services that support Florida’s economy, public safety, and daily operations.

Organizations operating within Florida and serving any of the nation’s 16 critical infrastructure sectors are encouraged to participate, including those in communications, energy, healthcare, transportation, information technology, financial services, manufacturing, agriculture, emergency services, government, and other essential industries.

“Cybersecurity threats continue to evolve, but protecting your organization doesn’t have to be complicated or expensive,” said Okammor. “Cyber Bulls-i gives Florida organizations a practical, user-friendly roadmap to help reduce risk, improve resilience, and meet cybersecurity requirements.”

Participation in Cyber Bulls-i is completely free for eligible Florida organizations. To learn more or begin the assessment process, visit Cyber Florida’s critical infrastructure program webpage.

To receive timely updates about Cyber Florida’s news and resources, please sign up or visit the connect with Cyber Florida webpage.

Media Contact: Cyber Outreach Manager Jennifer Kleman, APR, CPRC
mailto:jennifer437@cyberflorida.org

ABOUT CYBER FLORIDA
The Florida Center for Cybersecurity at the University of South Florida, commonly referred to as Cyber Florida, was established by the Florida Legislature in 2014. Its mission is to position Florida as a national leader in cybersecurity through comprehensive education, cutting-edge research, and extensive outreach. Cyber Florida leads various initiatives to inspire and educate current and future cybersecurity professionals, advance applied research, and enhance cybersecurity awareness and safety of individuals and organizations.

Cyber Bulls-i Critical Infrastructure Support Tool is Here.2026-06-30T09:16:33-04:00

CI Bulletin Vol 2, Issue 9 June 23, 2026

Florida Critical Infrastructure Cybersecurity Intelligence

This bulletin is produced by USF’s Strategic and Cyber Intelligence Program, in collaboration with Cyber Florida, to deliver timely, actionable insights and recommendations to help Critical Infrastructure owners and operators better protect Florida’s Critical Infrastructure.

Situational Awareness Bulletin #11-2026
Cyber Threat Outlook

Over the next six months, Florida critical infrastructure owners and operators will have to navigate a threat environment in which adversaries are moving faster, and defenders are falling further behind. The 2026 Verizon Data Breach Investigations Report (DBIR) documented that automated exploitation of unpatched software vulnerabilities surpassed credential theft as the leading cause of data breaches for the first time in the report’s nineteen-year history, accounting for 31% of confirmed breach entry points. Artificial intelligence is the primary accelerant, compressing the window between a vulnerability’s public disclosure and its active weaponization from months to hours. CISA’s new Binding Operational Directive (BOD) 26-04 formally codifies this reality by replacing flat patching timelines with a graduated, risk-tiered model that mandates remediation within as few as three days, with mandatory forensic analysis to assess whether systems are already compromised, or the highest-risk vulnerabilities.

Iranian state-sponsored actors continue to escalate beyond espionage into active disruption and data destruction targeting water, energy, and defense-adjacent infrastructure. Ransomware groups are expanding their reach through supply chain and third-party vendor compromise. Against this backdrop, the contraction of federal cybersecurity grant funding means organizations cannot wait for external support. Priorities must shift toward risk-tiered vulnerability management aligned with BOD 26-04, network segmentation between operational technology and information technology environments, validated offline backups, and supply chain governance, particularly for software dependencies and cloud storage configurations.

Confidence – High

Executive Summary
  • All Sectors: Automated vulnerability exploitation has officially surpassed credential theft as the primary initial access vector. Driven by frontier AI capabilities, adversaries are weaponizing exploits at machine-speed, necessitating risk-tiered remediation under CISA BOD 26-04, which mandates patch-and-forensic-triage within three days for the highest-risk exposed assets. Iranian state actors have shifted from espionage to active data-wiping and OT disruption. Third-party and vendor-related breaches continue to rise sharply, making supply chain auditing and Zero Trust principles essential.
  • Commercial Facilities: Unauthenticated remote code execution vulnerabilities in Magento servers (CVE-2026-45247) remain under active exploitation. RCI Hospitality Holdings reported a data breach impacting approximately 40,000 individuals.
  • Defense Industrial Base: Department of Defense officials emphasized integrating cyber capabilities into all military operations and strengthening foundational cybersecurity across the defense industrial base. Iranian state actors continue targeting software suppliers and infrastructure connected to the aerospace and defense sectors to establish persistent espionage footholds in supply chains.
  • Energy: High-severity vulnerabilities were disclosed in Hitachi Energy grid control systems (RTU500 and MACH HiDraw).
  • Financial Services: The financially motivated group JINX-0164 targeted cryptocurrency firms using custom macOS malware delivered through fake recruiter lures to steal credentials and access CI/CD environments.
  • Food and Agriculture: Brazilian food delivery platform iFood suffered a data breach exposing sensitive personal information of 1.2 million users, highlighting risks to food supply chain platforms from identity-focused data theft.
  • Government Services and Facilities: The White House accelerated AI adoption through NSPM-11 while tightening control over AI model evaluations. Chinese state-sponsored actors continue targeting government and defense personnel via LinkedIn recruitment lures. The city of St. Paul, Minnesota successfully completed a comprehensive systems recovery following a severe ransomware attack.
  • Healthcare and Public Health: DentaQuest suffered a major data breach exposing sensitive records of approximately 2.6 million accounts. India-based wearable health tech startup Ultrahuman reported a data breach involving unauthorized access to customer wellness data.
  • Information Technology: The National Security Agency (NSA) launched a centralized hub for Zero Trust Implementation Guides (ZIGs). Microsoft’s June 2026 Patch Tuesday addressed nearly 200 vulnerabilities. Actively exploited zero-days affected Veeam, Cisco SD-WAN, Palo Alto Networks PAN-OS, Google Chrome, and Acer Wave 7 mesh routers. Multiple supply chain attacks targeted npm and PyPI repositories through the Miasma and Hades campaigns, variants of the self-replicating Shai-Hulud worm, which infected over 100 packages and extended into Microsoft Azure and GitHub repositories. Cisco released patches for a high-severity server-side request forgery (SSRF) vulnerability.
  • Transportation Systems: SpeedX exposed over 840 million sensitive logistics and customer records. Qilin ransomware claimed responsibility for an attack on the New York/New Jersey Shipping Association.
  • Water and Wastewater Systems: CThe U.S. Government Accountability Office (GAO) warned that many drinking water and wastewater utilities across the United States continue to lack fundamental cybersecurity protections. Water and wastewater systems face persistent, aggressive targeting from Iranian-sponsored entities.
All Sectors

Implementation Guidance for Prioritizing Security Updates Based on Risk BOD 26-04 In response to AI-assisted threat actors narrowing the gap between patch release and mass-exploitation, federal defensive frameworks have overhauled vulnerability remediation. Organizations should look to align their enterprise response with CISA’s Binding Operational Directive (BOD) 26-04. Rather than treating all vulnerabilities with a flat, Common Vulnerability Scoring System (CVSS)-based urgency, defense must be tiered dynamically based on asset exposure, Known Exploited Vulnerabilities (KEV) status, and adversary automation capability. Vulnerabilities meeting the highest-risk criteria, those actively exploited, automatable, and yielding total system control, require remediation and forensic triage within three days. Lower-risk combinations receive graduated timelines up to the next system upgrade cycle. BOD 26-04 formally revokes BOD 22-01, invalidating existing flat 14-day KEV remediation policies. CI organizations supporting federal agencies must update their vulnerability management processes accordingly.

All Sectors Recommendations:

  • Enforce phishing-resistant multi-factor authentication and strict least-privilege policies on all remote access and managed service links.
  • Isolate all public-facing virtual network computing instances behind virtual private networks (VPN) requiring multi-factor authentication.
  • Establish automated vulnerability tracking and scanning mechanisms to outpace accelerated machine-assisted exploitation windows.
  • Conduct technical audits of contractor-managed code environments, cloud storage setups, and cloud collaboration platform configurations.
Chemical Sector

No sector-specific incidents, advisories, or operationally relevant reporting were identified during this biweekly reporting period.

Commercial Facilities Sector

Mirasvit Vulnerability Exploited to Execute Code on Magento Servers After a critical-severity vulnerability (CVE-2026-45247) in the Mirasvit Full Page Cache Warmer for Magento 2 extension was exploiteded, that CVE was added to the KEV catalog. This PHP object injection flaw, carrying a Common Vulnerability Scoring System (CVSS) score of 9.8, allows unauthenticated remote actors to execute arbitrary code on Magento and Adobe Commerce servers. Exploitation requires no login or special access. A single crafted web request to any vulnerable storefront page is sufficient to trigger full server compromise. The extension, intended to optimize page caching and speed, currently provides a direct pathway for full system compromise and unauthorized data access. Mirasvit released a patch in version 1.11.12. Organizations running any earlier version should update immediately or disable the extension if patching is not immediately possible.

Nightclub Giant RCI Says Data Breach Affects 40,000 Individuals RCI Hospitality Holdings, one of the largest adult nightclub and sports bar operators in the United States, reported a data breach impacting approximately 40,000 individuals. The incident was traced to an insecure direct object reference (IDOR) vulnerability discovered in March 2026 within an IIS web server managed by the company’s internet services subsidiary. The IDOR flaw permitted unauthorized access to personal data of approximately 40,000 independent contractors, including names, dates of birth, Social Security numbers, and driver’s license numbers. Customer records and financial systems were not accessed. This breach highlights the persistent risk of data extortion and PII exposure within large-scale commercial hospitality environments.

Commercial Facilities Sector Recommendations:

  • Perform comprehensive vendor risk assessments for any third parties processing corporate personally identifiable information.
  • Deploy data loss prevention tools and end-to-end encryption on storage repositories hosting consumer or employee records.
  • Formulate incident response scripts addressing pure data extortion, detailing communication pathways for multi-stage extortion tactics.
  • Implement continuous monitoring on corporate file-sharing networks to flag unusual outbound data transfer volume.
Communications Sector

No sector-specific incidents, advisories, or operationally relevant reporting were identified during this biweekly reporting period.

Critical Manufacturing Sector

No sector-specific incidents, advisories, or operationally relevant reporting were identified during this biweekly reporting period.

Dams Sector

No sector-specific incidents, advisories, or operationally relevant reporting were identified during this biweekly reporting period.

Defense Industrial Base Sector

DOD Wants to Integrate Cyber in All Operations, and Integrate Security into AI Department of Defense officials emphasized integrating cyber capabilities into all military operations and strengthening foundational cybersecurity across the defense industrial base. Officials warned that vulnerabilities among contractors and suppliers can directly affect military readiness and operational effectiveness.

Iran Threat Overview and Advisories Iranian advanced persistent threat (APT) groups continue targeting software suppliers and infrastructure components connected to the aerospace and defense sectors. These long-term campaigns show direct correlations with broader geopolitical activity, deploying custom backdoors and implants to establish highly persistent espionage footholds across supply chain dependencies. Moving forward, Florida’s expansive aerospace clusters and defense contractors must validate code provenance and verify that administrative accesses across engineering pipelines strictly adhere to rigorous internal authorization mechanisms. Florida’s aerospace and defense manufacturing clusters, including Space Coast suppliers and aerospace contractors, represent direct targets for Iranian APT supply chain campaigns.

Defense Industrial Base Sector Recommendations:

  • Conduct rigorous, ongoing evaluations of software sub-vendors, tracking any indicators of long-term state espionage campaigns.
  • Deploy endpoint detection and behavioral tracking systems to uncover unauthorized administrative access or unusual remote connections.
  • Validate the cryptographical signing and provenance of external software additions prior to introduction into production networks.
  • Apply strict least-privilege divisions between supplier-administered assets and core defense software assembly lines.
Emergency Services Sector

No sector-specific incidents, advisories, or operationally relevant reporting were identified during this biweekly reporting period.

Energy Sector

Vulnerabilities Disclosed in Grid Control Infrastructure Technical vulnerabilities at the OT layer continue to expose power distribution systems. Serious flaws have surfaced in the Hitachi Energy RTU500 series, leaving devices susceptible to NULL pointer dereferences and infinite loops that trigger severe system-level denial of service. Concurrently, the Hitachi Energy MACH HiDraw software is vulnerable to CVE-2026-7310, a medium-severity (CVSS 5.5) heap-based buffer overflow (CVE-2026-7310) in the XML parser, exploitable by an authenticated local user via a specially crafted XML file, potentially resulting in memory corruption, denial of service, or arbitrary code execution. These platforms actively manage grid control and power transmission across international systems. Hitachi Energy has released a fix in MACH HiDraw version 9.23; organizations should contact their Hitachi Energy account team given the complexity of individual upgrade paths. MACH HiDraw is also deployed in Dams and Transportation Systems sectors; operators in those sectors should review the CISA advisory.
Energy Sector Recommendations:

  • Deploy vulnerability shielding or compensatory controls around Hitachi Energy RTU500 and MACH HiDraw systems as a priority, consistent with BOD 26-04 risk-tiered guidance; federal entities should assess KEV catalog status and apply applicable deadlines.
  • Maintain air-gapped configuration backups for power-grid control components to ensure manual operational capacity during cyber-induced disruptions.
  • Monitor for emerging risks associated with increasing data center electricity demand and coordinate with utility partners on grid resilience and capacity planning.
Financial Services Sector

JINX-0164 Targets Cryptocurrency Firms with Fake Recruiter Lures and macOS Malware A sophisticated campaign attributed to financially motivated actors (JINX-0164, which shares TTPs with North Korean-linked group UNC1069/Sleet) has targeted cryptocurrency firms using custom macOS malware and fake recruiter lures. The operation aims to steal credentials and move laterally within Continuous Integration/Continuous Deployment (CI/CD) and development infrastructure. JINX-0164 also conducted a confirmed supply chain attack, trojanizing an npm package to deploy a persistent backdoor, extending the threat beyond individual developers to any organization using affected open-source packages. Organizations in the financial and cryptocurrency sectors should review social engineering defenses and endpoint detection for macOS environments.

Financial Services Sector Recommendations:

  • Enforce cryptographic code-signing checks and enable strict commit verification parameters within all software building lines.
  • Monitor macOS environments for unauthorized background modifications, unexpected remote terminal commands, or atypical local repository adjustments.
  • Train technical staff to verify the identity of unsolicited recruiters on LinkedIn and to refuse requests to download or execute software during virtual interviews or onboarding calls.
  • Implement dedicated secrets-scanning utilities to identify and revoke developer keys if local developer endpoints are compromised.
Food and Agriculture Sector

iFood Confirms Data Breach Affecting 1.2 Million Users in Brazil In December 2025, the Brazilian food delivery platform iFood suffered a data breach impacting 1.2 million users, approximately 2% of its customer base. While hackers did not obtain passwords or financial records, they successfully exfiltrated sensitive personal information, including names, phone numbers, addresses, and CPF numbers, which are the Brazilian taxpayer identity documents equivalent to U.S. Social Security Numbers. The incident underscores the vulnerability of food supply chain enablers to identity-focused data theft and extortion operations.

Food and Agriculture Sector Recommendations:

  • Conduct comprehensive audits of third-party food delivery and supply chain platform vendors to identify and remediate gaps in personally identifiable information (PII) storage, access controls, and data retention policies.
  • Enforce strict data minimization and access controls on platforms that aggregate consumer PII, ensuring that sensitive identifiers such as government-issued identification numbers are encrypted at rest and accessible only to explicitly authorized systems.
  • Establish data breach notification workflows that align with both domestic and international regulatory requirements, given the cross-border nature of food supply chain data exposure.
  • Strengthen monitoring and logging on food delivery and agricultural logistics platforms to detect unusual data access or exfiltration activity, particularly involving sensitive customer and supplier information.
Government Services and Facilities Sector

Promoting Advanced Artificial Intelligence Innovation and Security President Trump signed National Security Presidential Memorandum (NSPM-11) to accelerate artificial intelligence adoption across the military, intelligence community, and federal agencies, directing entities to strengthen public-private AI partnerships while expanding procurement workflows. Concurrently, the administration instructed the Center for AI Standards and Innovation to halt the public release of its model safety assessments while an aligned executive order is implemented. These developments reflect a broader White House strategy to accelerate AI integration across federal operations while maintaining executive control over AI model evaluations and disclosures.

Five Eyes Security Alliance Warns of Chinese Spy Threat on Job Sites The United States and its Five Eyes international partners issued a joint operational warning regarding Chinese state-sponsored intelligence services aggressively targeting government, military, and critical infrastructure personnel on LinkedIn. Sophisticated actors pose as legitimate maritime consultancies, think-tank recruiters, and professional headhunters to build relationships with individuals holding active security clearances or specialized technical expertise. Once a connection is established, targets are funneled toward encrypted messaging applications where they are offered financial compensation for internal research, non-public defense insights, or supply-chain logistics data.

How St. Paul, Minnesota, Recovered From a Ransomware Attack The city of St. Paul, Minnesota successfully completed a comprehensive systems recovery following a severe ransomware attack, utilizing a coordinated framework involving municipal departments, state agency responders, and the National Guard. The operation focused on emergency management integration and multi-agency incident response planning to systematically restore public services without paying an extortion demand. Key to St. Paul’s success: a pre-existing multi-agency coordination structure, National Guard cyber support activation, sequenced service restoration prioritizing public safety systems, and refusal to pay the ransom demand. This successful stabilization effort has since become a standard case study in municipal cyber resilience, offering an immediate operational roadmap for Florida’s county and local government facilities facing similar local infrastructure threats.

Government Services and Facilities Sector Recommendations:

  • Assess the cybersecurity and governance implications of accelerating artificial intelligence adoption across government agencies. Focus on protecting AI systems from foreign theft and manipulation while maintaining appropriate oversight of AI model evaluations and disclosures.
  • Train staff with security clearances and access to sensitive information to recognize Chinese state-sponsored recruitment lures on professional networking platforms, as warned by Five Eyes partners. Implement verification procedures for unsolicited job offers from entities posing as consultancies or think tanks.
  • Utilize the St. Paul municipal recovery model to develop multi-agency incident response plans that prioritize service restoration and continuity of operations over extortion payments during ransomware attacks.
Healthcare and Public Health Sector

DentaQuest Data Breach Exposes 2.6 Million Accounts Dental benefits administrator DentaQuest suffered a major data breach that exposed the sensitive personal and health records of approximately 2.6 million accounts. The extortion group ShinyHunters claimed responsibility for the intrusion, leaking 234 gigabytes (GB) of stolen data on a dark web forum after corporate leadership reportedly declined ransom negotiations. The incident follows a persistent operational pattern where advanced extortion groups target third-party health administrators to exfiltrate high-value wellness data and personally identifiable information. Exposed data includes Medicaid IDs, government-issued identification, health insurance records, and contact information. This directly affected individuals enrolled in Medicaid programs managed by DentaQuest in Florida. Because DentaQuest manages dental benefits for a substantial volume of residents across the state, this compromise directly impacts the health, financial, and insurance records of thousands of Florida citizens.

Ultrahuman Says Hackers Accessed Customers’ Wellness Data via Internal Tool India-based wearable health tech startup Ultrahuman r disclosed a data breach on March 27, 2026, involving unauthorized access to an internal analytics tool. Threat actors gained entry by stealing an employee’s credentials through malware to compromise an internal analytics system. Although the company detected the intrusion promptly and took the affected system offline, the breach underscores the escalating risk of malware-driven credential theft targeting centralized health data repositories.

Healthcare and Public Health Sector Recommendations:

  • Apply deep encryption and strict access logging to biometric files and patient wellness data stored in third-party or internal analytics tools.
  • Isolate medical devices and electronic health record (EHR) directories on sub-networks detached from internet-facing boundaries.
  • Practice paper-based admittances and hand-off protocols to sustain care during total IT infrastructure failures.
Information Technology Sector

NSA Launches Zero Trust Implementation Guidelines Resource Webpage The National Security Agency (NSA) launched a centralized hub for Zero Trust Implementation Guides (ZIGs), consolidating legacy technical recommendations and interactive planning tools designed to assist enterprises in strengthening multi-layered infrastructure security. Operating on a “never trust, always verify” framework, the resource center provides a modular, adaptable approach allowing critical infrastructure operators to prioritize defensive integration based on their explicit asset maturity levels and budgets. The interactive platform delivers focused mitigation paths across identity governance, endpoint defense, network isolation, application security, and data protection. Florida infrastructure defenders should immediately utilize these centralized blueprints to transition away from legacy perimeter assumptions and establish validated, continuous authentication controls across state-managed administrative interfaces. The hub is accessible at nsa.gov.

Check Point Warns of Zero-Day Flaw Targeted by Ransomware Affiliate A wave of high-severity network perimeter vulnerabilities is fueling mass-exploitation campaigns targeting virtual private networks (VPNs) and enterprise routing infrastructure. Critical threats include an actively weaponized Cisco Catalyst SD-WAN Manager zero-day (CVE-2026-20245) allowing low-privileged users to execute root-level terminal commands, a Palo Alto Networks PAN-OS cookie-forgery flaw (CVE-2026-0257) enabling unauthorized VPN sessions, and a Check Point Remote Access vulnerability (CVE-2026-50751) actively abused by Qilin ransomware affiliates. Concurrently, Microsoft Exchange Online environments face spoofing risks via the “Ghost-Sender” configuration bypass, while ServiceNow reported unauthorized tenant access incidents, highlighting that Florida public-sector agencies and infrastructure operators must prioritize immediate boundary patching, multi-factor authentication enforcement, and log audits.

Record-Breaking June Patch Tuesday Highlights Enterprise Software Hazards The June 2026 Patch Tuesday cycle marked a historic high, with Microsoft addressing nearly 200 vulnerabilities, including over three dozen critical bugs and an actively exploited Windows Netlogon remote code execution flaw (CVE-2026-41089) carrying a Common Vulnerability Scoring System (CVSS) score of 9.8. This surge is mirrored across the enterprise ecosystem, with Oracle transitioning to a rapid monthly patching model to fix 77 vulnerabilities, Google patching its fifth Chrome browser zero-day of the year (CVE-2026-11645), and Veeam releasing emergency fixes for a critical Backup & Replication flaw (CVE-2026-44963) that allows unauthenticated domain-level takeover. Oracle transitioned to a monthly patching cadence, releasing fixes for 77 vulnerabilities. CI operators using Oracle products should update their patch management schedules accordingly. Because adversaries are increasingly leveraging machine-assisted fuzzing to weaponize these disclosures within days, Florida entities must establish compressed patch timelines to protect internet-facing infrastructure and backup servers.

Sophisticated Supply Chain Tactics Weaponize Open-Source Repositories and AI Coding Tools Security researchers have uncovered distinct software supply chain campaigns engineered to infect upstream development blocks and autonomous programming environments. The ‘Miasma’ campaign infected over 100 npm packages including Red Hat Cloud Services packages and extended into Microsoft Azure and GitHub repositories. Miasma demonstrated worm-like self-propagation by stealing developer credentials to automatically infect and republish additional packages, which extended the compromise from individual developers to entire organizational code repositories. While the ‘Hades’ campaign poisoned 19 PyPI packages to execute automated credential-harvesting scripts. Because the malware executes at Python interpreter startup (not only at runtime of the specific package), any Python environment that has installed the package is at risk even if the package is never imported. Additionally, researchers demonstrated successful security scanner bypasses on Vercel and Cisco platforms, illustrating that automated code-review tools fail to catch malicious AI agent extensions, meaning Florida development teams must implement strict cryptographic dependency validation and code signing.

Acer Working to Patch Max Severity Zero-days in Wave 7 Routers Acer is developing patches for two maximum-severity zero-day vulnerabilities in its Wave 7 mesh routers. One flaw, CVE-2026-49200, involves a broken access control issue allowing unauthenticated attackers to remotely access plaintext credentials stored in log archives. The vulnerability affects routers running firmware version T7c_GBL_1.01.000055 or earlier. Successful exploitation provides an immediate path for initial access and lateral movement within compromised networks.

Cisco Warns of Available PoC for Critical Unified CM Vulnerability Cisco released patches for a high-severity server-side request forgery (SSRF) vulnerability (CVE-2026-20230) affecting Unified Communications Manager (Unified CM) and Session Management Edition (SME). The flaw stems from insufficient input validation in specific HTTP requests, allowing unauthenticated attackers to send crafted requests to internal systems. Cisco warned that proof-of-concept (PoC) code is publicly available, drastically compressing the timeline between patch release and weaponization. This development aligns with the strategic warning regarding AI-assisted machine-speed exploitation, necessitating rapid remediation to outpace automated threats.

Information Technology Sector Recommendations:

  • Implement strict application whitelisting and endpoint execution controls for all developer tooling, integrated development environment (IDE) plugins, and third-party extension marketplaces.
  • Enforce automated secrets-scanning utilities across all internal repositories, code pipelines, and cloud-hosted environments to rapidly discover and revoke exposed keys or cloud credentials.
  • Mandate the complete network segmentation of enterprise backup infrastructure (specifically Veeam architectures) from the primary active directory domain to prevent cross-compromise during ransomware operations.
  • Transition infrastructure administration pipelines to a strict Zero Trust model, enforcing phishing-resistant multi-factor authentication and continuous device posture verification.
  • Establish formal software dependency review protocols, utilizing cryptographic verification and strict commit controls to evaluate open-source Python (PyPI) and JavaScript (npm) additions before introduction into local development chains.
  • Review Exchange Online configurations for the Ghost-Sender bypass and audit ServiceNow tenant access logs for unauthorized activity.
Nuclear Reactors, Materials, and Waste Sector

No sector-specific incidents, advisories, or operationally relevant reporting were identified during this biweekly reporting period.

Transportation Systems Sector

Delivery Mega Leak: 840M+ Files Exposed as US Delivery Company Leaks Massive File Storage Security researchers identified a major cloud database exposure involving SpeedX, a prominent U.S.-based delivery and logistics company, which inadvertently left over 840 million records accessible to the public internet without authentication. The leaked dataset contained highly sensitive corporate and consumer assets, including customer delivery details, unredacted shipping labels, warehouse photographs, and official driver identification documentation. While SpeedX characterizes the incident as a cloud storage configuration issue rather than a confirmed breach, Cybernews researchers dispute this, asserting the exposed container was accessible to anyone who knew the container name. Regardless of characterization, the incident demonstrates the catastrophic scale of data exposure possible from misconfigured cloud storage in transportation logistics environments. The massive exposure highlights the catastrophic privacy and supply chain risks facing transportation hubs that fail to properly audit automated cloud storage environments, making rigorous access control verification necessary for regional logistics providers.

Qilin Ransomware Claims Hack of Major New York and New Jersey Shipping Association The Qilin ransomware group claimed responsibility for a targeted network intrusion against the New York Shipping Association, a vital maritime organization supporting cargo logistics at one of North America’s busiest ports. Although the full operational impact is still being evaluated, the attack represents a direct threat to maritime supply chains, as disruptions to shipping association networks can rapidly trigger cascading delays across port terminal operations, cargo movements, and regional economic activity. This incident serves as an immediate warning for Florida’s major commercial maritime hubs proving that third-party maritime service organizations are primary targets for ransomware syndicates.

Transportation Systems Sector Recommendations:

  • Separate public information display systems, scheduling applications, and passenger portals from core operational transit control planes into distinct, firewalled network zones.
  • Implement immutable offline system state backups and verified gold-image snapshots to facilitate rapid bare-metal recovery following potential data-wiping or ransomware events.
  • Review cloud storage configurations, object bucket access controls, and data exposure settings for all logistics platforms, enforcing regular security audits over third-party transportation technology providers.
  • Conduct ransomware readiness exercises specifically focused on maritime logistics, validating network segmentation boundaries and backup integrity across port community systems and shipping association networks.
  • Assess and strengthen enterprise resilience against Positioning, Navigation, and Timing (PNT) vulnerabilities by establishing secondary, out-of-band communication and redundant tracking workflows for local logistics fleets.
Water and Wastewater Systems Sector

GAO: Actions Needed to Address Persistent Cybersecurity Threats to the Water and Wastewater Sector The U.S. Government Accountability Office (GAO) warned that many drinking water and wastewater utilities across the United States continue to lack fundamental cybersecurity protections. The report found that numerous utilities still do not maintain basic asset inventories, incident response plans, or adequate segmentation between operational technology (OT) and information technology (IT) networks. These deficiencies leave critical water infrastructure vulnerable to cyberattacks that could disrupt service delivery and pose risks to public health and the environment. The GAO called for stronger federal support and sector-wide actions to close long-standing cybersecurity gaps.

Cyber Intel Brief: Handala Claims Breach of California Water Service On June 11, 2026, the Iranian-affiliated threat actor Handala compromised California Water Service, releasing a five-gigabyte dump of customer personally identifiable information and administrative credentials. The adversaries breached an open-source RTKBase GPS correction server on port 10000 and a customer billing database across seven districts, including Chico, California. Critically, there is no evidence of operational technology (OT) or industrial control systems (ICS) compromise. Handala’s claims of disruptive capabilities against water treatment processes remain unproven. This incident highlights vulnerabilities in municipal water infrastructure, signaling elevated risk for Florida utilities operating exposed mapping portals without rigid IT and OT network segmentation.

Water and Wastewater Systems Sector Recommendations:

  • Use automated network mapping to guarantee SCADA networks and PLCs have no unauthenticated public internet exposure.
  • Close GAO-identified gaps by maintaining a comprehensive inventory of all OT assets and hardening the boundary between IT and OT networks.
  • Maintain offline, validated backups to support recovery from disruptive cyber incidents affecting operational technology environments.
  • Actively engage with federal and state funding channels to offset budget shortfalls for cybersecurity posture improvements in smaller districts.

CI Bulletin Vol 2, Issue 9 June 23, 20262026-06-22T14:10:45-04:00

Teacher Spotlight: Mason Lewis

Mason Lewis

Teacher: Mason Lewis

District: Hernando

Mason Lewis is a cybersecurity and computer science teacher at Hernando High School in Brooksville, Florida. Now in his 21st year as an educator, he has taught at the elementary, middle, and high school levels, serving in roles that include elementary education, middle school science, and information and communication technology.

He is currently in his fifth year leading the Academy of Computer Science and Cybersecurity at Hernando High School. Mason has been recognized for his commitment to students and innovation in education, earning honors as a two-time school-level Teacher of the Year, the 2021 Hernando County Teacher of the Year, and the recipient of the 2021 Ron Nieto Digital Educator Award.

This year, Mason’s students earned first place at CyberLaunch, a testament to his dedication to preparing the next generation of cybersecurity professionals. We are grateful for his continued commitment to Florida’s students and the future of cybersecurity education!

Would you like to be featured in our Teacher Spotlight? To nominate yourself or another deserving teacher, complete the interest form below!

Teacher Spotlight: Mason Lewis2026-06-22T11:00:45-04:00

Shane Tews — Non-Resident Senior Fellow at AEI and the person who explained the internet to Capitol Hill

Episode 74 — Shane Tews

Shane Tews — Non-Resident Senior Fellow at AEI and the person who explained the internet to Capitol Hill2026-06-17T09:22:49-04:00

CI Bulletin Vol 2, Issue 8 June 9, 2026

Florida Critical Infrastructure Cybersecurity Intelligence

This bulletin is produced by USF’s Strategic and Cyber Intelligence Program, in collaboration with Cyber Florida, to deliver timely, actionable insights and recommendations to help Critical Infrastructure owners and operators better protect Florida’s Critical Infrastructure.

Situational Awareness Bulletin #10-2026
Cyber Threat Outlook

Over the next six to nine months, Florida’s critical infrastructure operators face escalating pressure from three reinforcing threats: Iranian state-sponsored actors targeting energy, water, and transportation OT systems; financially motivated extortion groups exploiting third-party vendors in education, healthcare, and commercial facilities; and automated vulnerability exploitation that is closing the gap between disclosure and weaponization faster than most organizations can patch. The 2026 Verizon Data Breach Investigations Report confirmed that exploitation of unpatched vulnerabilities has surpassed credential theft as the leading breach entry point — a structural shift that favors well-resourced adversaries and penalizes organizations slow to remediate. CISA’s CI Fortify initiative signals that federal planners now treat destructive OT attacks as a near-term contingency, not a theoretical risk. The campaign against LA Metro and ongoing Iranian targeting of gas-station tank gauges and PLCs in water and energy systems demonstrate transferable risk to Florida’s ports, utilities, and transit networks. Critical infrastructure owners should treat supply chain vendors, contractor-managed cloud accounts, and internet-exposed OT devices as the highest-priority attack surface for the foreseeable future.

Confidence – High

Executive Summary
  • All Sectors: CISA’s CI Fortify initiative and continued Iranian OT targeting require Florida operators to test manual fallback procedures and close contractor access gaps.
  • Commercial Facilities: ShinyHunters breached 7-Eleven, exposing personal data on 185,300 individuals after holding the data for ransom and then leaking it publicly.
  • Communications: Major U.S. telecoms launched the C2 ISAC, a new sector-specific threat-sharing body; a Huawei zero-day caused a nationwide telecom outage in Luxembourg.
  • Critical Manufacturing: Nitrogen ransomware breached Foxconn’s North American facilities, exfiltrating 8 TB of data and disrupting production; Four-Faith router exploitation continues at scale.
  • Defense Industrial Base: Iranian APT Seedworm (MuddyWater) maintains persistent access inside a U.S. defense and aerospace software supplier using the previously undocumented Dindoor backdoor.
  • Energy: NEMA and NERC warn of growing data-center grid strain; Iranian actors have breached unprotected automatic tank gauge systems at gas stations across multiple states.
  • Government Services and Facilities: ShinyHunters’ Canvas breach directly hit USF and multiple Florida school districts; Chelan County’s full network shutdown illustrates ransomware risk for Florida municipalities; federal cyber grant reauthorization is in jeopardy.
  • Healthcare and Public Health: OpenLoop Health breach exposed 716,000 individuals; a ransomware attack at another hospital allegedly caused an infant’s death; NYC Health + Hospitals vendor breach exposed 1.8 million patients.
  • Information Technology: Exploited vulnerabilities in Drupal, Gitea, Notepad++, and SonicWall SSL-VPN, combined with GitHub supply chain compromises and novel blockchain-based malware, expand attack surface across developer and CI environments.
  • Transportation Systems: Iranian state-linked actors breached LA Metro in a destructive attack that required weeks of recovery — directly transferable risk to Florida ports, transit, and aviation.
  • Water and Wastewater Systems: CISA CI Fortify guidance is directly applicable to Florida water utilities, which face continued Iranian PLC targeting and reduced federal support.
All Sectors

CISA Unveils New Initiative to Fortify America’s Critical Infrastructure The Cybersecurity and Infrastructure Security Agency (CISA) launched the CI Fortify initiative on May 5, 2026, urging critical infrastructure operators, particularly in energy, water, and government facilities, to prepare for “weeks to months” of information technology/operational technology (IT/OT) isolation and manual operations in the event of sustained state-sponsored cyber campaigns. The guidance emphasizes proactive network segmentation, offline backups of system configurations, and regular drills of manual fallback procedures. It is important to note that the initiative’s planning assumption is that adversaries may already have a foothold inside OT networks during a conflict scenario, requiring operators to plan for continuity under a ‘communications-degraded’ environment in which external vendors, internet connectivity, and third-party dependencies may be unavailable. This is directly relevant to Florida, whose hurricane-prone utilities, ports, and water systems already face compounded risks from Iranian-linked OT targeting campaigns that continue to probe internet-exposed programmable logic controllers.

CISA Adds Seven Known Exploited Vulnerabilities to Catalog CISA added seven new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog on May 21, 2026, based on confirmed active exploitation in the wild. The additions include CVE-2026-41091 (a link-following vulnerability) in the Microsoft Malware Protection Engine that enables local privilege escalation to SYSTEM level) and CVE-2026-45498 (Microsoft Defender denial of service), along with several legacy but still-weaponized flaws. These vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to federal, state, local, and critical infrastructure entities. Florida operators of Microsoft Defender, Windows systems, and related OT environments should apply patches immediately to prevent privilege escalation and service disruption. Organizations that disable automatic Microsoft Defender engine updates, including some OT-adjacent environments, should verify manually that engine version 1.1.26040.8 or later is installed.

Verizon DBIR 2026: Vulnerability Exploitation Overtakes Credential Theft as Top Breach Vector Verizon’s 2026 Data Breach Investigations Report (DBIR) found that vulnerability exploitation surpassed credential theft as the leading initial access vector in confirmed breaches. The DBIR analyzed more than 31,000 security incidents, of which more than 22,000 were confirmed breaches. Approximately 31% of breaches involved exploitation of unpatched vulnerabilities, highlighting the growing impact of internet-facing systems and delayed remediation cycles. Third-party involvement also rose sharply, reaching 48% of confirmed breaches. That represents a 60% year-over-year increase underscoring the growing risk of vendor and contractor access across CI environments. The report emphasized that organizations continue to struggle with patch management timelines and exposure to third-party applications. These findings reinforce concerns that cyber threat actors are increasingly prioritizing automated exploitation of known vulnerabilities across critical infrastructure sectors.

CISA Admin Leaked AWS GovCloud Keys on Github A public GitHub repository managed by a CISA contractor (Nightwing) inadvertently exposed credentials for several highly privileged Amazon Web Services (AWS) GovCloud accounts as well as a large number of internal CISA systems. The leak prompted legislators to request an urgent classified briefing within 24 hours. This incident underscores persistent third-party and supply chain risks, where basic credential hygiene and repository security failures can have cascading effects. Notably, the contractor had disabled GitHub’s built-in secret-scanning protections, underscoring that policy-level controls are insufficient without enforced technical guardrails that prevent circumvention. Florida critical infrastructure owners and operators should apply the same rigorous scrutiny to contractor-managed code repositories and third-party cloud environments that they apply to external vendors.

Security Update for LiteSpeed cPanel Plugin CISA added CVE-2026-48172, a critical privilege-escalation vulnerability in the LiteSpeed user-end cPanel plugin (before version 2.4.5), to its Known Exploited Vulnerabilities catalog after confirming active exploitation in the wild. The flaw allows any authenticated cPanel user, including low-privileged or compromised accounts, to execute arbitrary scripts with root privileges, meaning a single compromised hosting account on a shared server is sufficient for full system takeover. LiteSpeed resolved the issue in version 2.4.5. This development is highly relevant to Florida state agencies, school districts, municipal utilities, and other critical infrastructure entities that use cPanel-hosted web services for public-facing systems.

FBI Warns Extortion Hackers are Visiting US Law Firms to Steal Data The FBI has issued a warning about the Silent Ransom Group (SRG), a cyber extortion gang with roots in the Conti ransomware syndicate that is actively targeting U.S. law firms using an unusually bold mix of phishing, fake IT calls, and in-person office visits. The group’s tactics are exceptionally hard to detect: attackers use legitimate remote management tools and transfer stolen data through trusted platforms such as Google Drive and Microsoft OneDrive, blending in with normal IT activity. Notably, SRG deploys no ransomware encryption — systems remain fully operational throughout the attack with no locked files or ransom screens, making the intrusion effectively invisible until an extortion email arrives. SRG’s reach extends beyond legal services—the FBI notes the group has also hit organizations in healthcare, insurance, and financial sectors. This is pertinent to all Florida critical infrastructure sectors, and law firms frequently hold sensitive legal, financial, and corporate data for CI operators. SRG has been active since at least 2022. They have compromised data from more than 38 law firms, with at least 100 confirmed attacks as of Spring 2026.

All Sectors Recommendations:

  • Implement phishing-resistant multi-factor authentication and the principle of least privilege on all managed service provider remote access connections to prevent adversaries from pivoting into downstream municipal utility networks.
  • Identify all internet-facing VNC instances and secure them behind a virtual private network with multi-factor authentication to prevent unauthorized manipulation of industrial controls.
  • Develop and test manual fallback procedures for all life-safety services to ensure operational resilience during a sustained cyber outage.
  • Shift toward automated vulnerability management to reduce exposure windows as artificial intelligence-assisted exploitation compresses the time between disclosure and weaponization.
  • Audit all third-party and contractor-managed code repositories, cloud credentials, and privileged service accounts, and the use of cloud collaboration tools (such as Google Drive and Microsoft OneDrive) for exposed secrets or misconfigured access controls.
  • Immediately inventory, patch, or isolate systems affected by newly added CISA KEVs to prevent active exploitation.
Chemical Sector

No sector-specific incidents, advisories, or operationally relevant reporting were identified during this biweekly reporting period.

Commercial Facilities Sector

185,000 Likely Impacted by 7-Eleven Data Breach 7-Eleven has confirmed that it was the victim of a data breach. An April 8, 2026 breach of 7-Eleven systems, via their Salesforce environment, exposed personal information (including names, dates of birth, email addresses, phone numbers, and physical addresses) affecting roughly 185,300 individuals. The ShinyHunters extortion group claimed responsibility, initially demanding ransom and later offering the data for sale on a Russian hacking forum. This incident highlights ongoing risks to commercial facilities from extortion groups like ShinyHunters, which have also targeted education vendors serving Florida school districts and higher-education institutions.

Commercial Facilities Sector Recommendations:

  • Conduct regular third-party risk assessments of vendors and service providers that handle customer or employee personally identifiable information (PII).
  • Implement robust data encryption, access controls, and data-loss-prevention monitoring on systems containing sensitive personal or financial data.
  • Develop and regularly test incident response playbooks specifically for data-extortion campaigns, including protocols for ransom demands and mandatory breach notification.
  • Monitor closely for anomalous data exfiltration, especially involving legitimate cloud storage and file-sharing platforms commonly abused by groups like ShinyHunters.
  • Provide targeted security awareness training for staff on advanced social engineering, phishing, and impersonation tactics used in these extortion operations.
Communications Sector

Telecom Sector Launches its Own Private ISAC Major U.S. telecommunications providers launched the Communications Cybersecurity Information Sharing and Analysis Center (C2 ISAC) to improve coordination against AI-enabled cyberattacks, espionage, and nation-state threats targeting communications infrastructure. The initiative aims to strengthen collaboration between telecommunications companies and government cybersecurity partners. Officials warned that adversaries continue targeting telecom infrastructure to support surveillance, espionage, and operational disruption campaigns. This development is relevant to Florida as the state’s extensive network of MSPs provides foundational support for municipal utilities and local government services.

Huawei Zero-day Attack Behind Last Year’s Crash of Luxembourg’s Entire Telecoms Network An attack exploiting a previously undisclosed vulnerability in Huawei enterprise router software caused a nationwide telecom outage in Luxembourg, disrupting mobile, landline, and emergency communications for more than three hours. As of this reporting, the vulnerability has not been publicly disclosed or assigned as a CVE identifier. Because no CVE has been assigned, operators cannot rely on standard vulnerability management tools to identify this exposure — network inventory and manual review of Huawei equipment are the only current detection paths. This incident highlights persistent supply-chain risks associated with Chinese-manufactured networking equipment in critical communications infrastructure. Florida’s telecommunications providers, managed service providers, and municipal utilities that rely on similar enterprise routing and OT networking hardware should review Huawei equipment inventories and consider immediate segmentation or replacement strategies where feasible.

Communications Sector Recommendations:

  • Enforce strict multi-factor authentication and the principle of least privilege on all managed service provider remote access connections to prevent adversaries from pivoting into downstream municipal utility networks.
  • Monitor telecommunications and managed service provider environments continuously for unauthorized affiliate activity or staging of data exfiltration tools that typically precede ransomware deployment.
  • Prepare contingency plans to immediately sever or isolate administrative access from managed service providers if anomalous activity or cascading ransomware attempts are detected.
  • Inventory all enterprise routers and OT networking hardware for Huawei or other high-risk vendors and implement strict network segmentation or accelerated replacement to mitigate undisclosed zero-day supply-chain risks.
Critical Manufacturing Sector

Ransomware Hackers Claim Breach at Foxconn, Major Electronics Manufacturer for Apple, Google, and Nvidia The Nitrogen ransomware group claimed responsibility for breaching Foxconn’s North American facilities in Mount Pleasant, Wisconsin and Houston, Texas, alleging theft of more than 11 million files totaling 8 terabytes (TB) of data, including confidential instructions, internal project documentation, technical drawings (including circuit board layouts and integrated circuit documentation), financial files, and temperature sensor records — tied to projects for Apple, Intel, Google, Dell, Nvidia, and AMD. The affected plants have resumed normal production, but the incident highlights downstream supply chain risk to U.S. critical manufacturing. This is highly relevant to Florida, where ports in Jacksonville, Tampa, and Miami serve as key logistics hubs for electronics and aerospace components.

CVE-2024-9643: Four-Faith Router Authentication Bypass Fuels Botnet Activity CrowdSec researchers reported a surge in exploitation of Common Vulnerabilities and Exposures (CVE)-2024-9643, a critical authentication-bypass flaw with hard-coded credentials in Four-Faith F3x36 industrial cellular routers. The activity has escalated into large-scale botnet campaigns targeting utilities, warehouses, and critical infrastructure. These routers are commonly deployed in remote monitoring and operational technology (OT) environments. Florida municipal utilities, water systems, and energy providers using similar industrial routers should immediately inventory, patch, or isolate these devices.

CVE-2026-8153: Command Injection in the PolyScope 5 Dashboard Server Universal Robots disclosed and patched a critical command injection vulnerability (CVE-2026-8153) in the Dashboard Server interface of its PolyScope 5 operating system used on collaborative robots deployed across operational technology environments. The flaw allows unauthenticated remote attackers to execute arbitrary commands, potentially compromising system integrity and physical security safety. Collaborative robots are widely used in manufacturing, energy, and logistics facilities. This development is highly relevant to Florida’s aerospace, critical manufacturing, and port logistics clusters that employ Universal Robots systems.

Critical Manufacturing Sector Recommendations:

  • Harden remote access gateways and segment manufacturing networks from corporate IT systems to limit lateral movement during supply-chain ransomware incidents.
  • Implement immutable offline backups of engineering schematics and design files to ensure rapid recovery without paying ransoms.
  • Conduct immediate third-party risk assessments of electronics and component suppliers to identify exposure from large-scale breaches such as the Foxconn incident.
  • Inventory all collaborative robots and industrial cellular routers (Universal Robots PolyScope and Four-Faith F3x36) for exposed interfaces and apply available patches or implement strict network segmentation.
Dams Sector

No sector-specific incidents, advisories, or operationally relevant reporting were identified during this biweekly reporting period.

Defense Industrial Base Sector

Iran-Linked Seedworm Maintains Persistent Access in U.S. Defense Supply Chain Networks Symantec reporting (continuing through recent days) describes Iranian APT Seedworm targeting the Israeli operation of a U.S. software company that supplies defense and aerospace. The campaign, which began in early February 2026, is ongoing, and that the activity correlates with U.S. and Israeli military strikes on Iran. The attack using a new Dindoor backdoor and a second, separate Python-based backdoor called Fakeset on networks of a U.S. airport and nonprofit, to engage in espionage and potential follow-on disruption against defense-related environments in the U.S. and allied countries. This activity underscores persistent supply-chain risks to the Defense Industrial Base from Iranian cyber threat actors. Florida’s aerospace clusters and defense contractors should conduct immediate third-party risk assessments of software suppliers.

Defense Industrial Base Sector Recommendations:

  • Conduct rigorous and recurring third-party risk assessments of all software suppliers and service providers supporting defense and aerospace operations, with focused scrutiny on potential Iranian-linked activity.
  • Implement continuous monitoring and behavioral analytics to detect persistent access, backdoors (such as Dindoor), and anomalous activity originating from supply-chain compromises.
  • Enforce strict network segmentation and least-privilege principles between supplier-managed systems and critical internal networks to limit lateral movement.
  • Verify the integrity of all third-party software updates and components prior to deployment in operational environments.
  • Develop and regularly test incident response plans tailored to nation-state supply-chain attacks involving long-term espionage and potential disruptive follow-on operations.
Emergency Services Sector

No sector-specific incidents, advisories, or operationally relevant reporting were identified during this biweekly reporting period.

Energy Sector

US Annual Electricity Consumption to Grow 55% by 2050: NEMA The National Electrical Manufacturers Association (NEMA) forecast shows accelerating electricity demand from data centers, straining U.S. utilities and raising affordability concerns. Florida utilities are already experiencing similar grid pressure from artificial intelligence (AI)-driven data-center growth.

NERC 2026 Summer Reliability Assessment North American Electric Reliability Corporation’s (NERC) 2026 Summer Reliability Assessment warned that accelerated electricity demand, rapid growth of large data-center loads, and extreme heat conditions may strain portions of the North American electric grid. The assessment highlighted increasing operational pressure associated with AI-driven infrastructure expansion, maintenance outages, and periods of reduced renewable energy generation. Several regions may experience elevated reserve shortfalls during sustained peak-demand conditions. Florida utilities may face similar reliability and operational challenges during hurricane season and summer heat events.

Hackers Have Breached Tank Readers at US Gas Stations; Officials Suspect Iran is Responsible U.S. officials suspect Iranian-linked actors are responsible for a series of breaches targeting automatic tank gauge (ATG) systems. Notably, the affected systems were internet-exposed and unprotected by passwords, which represents a basic configuration failure. CI operators should immediately verify that all ATG systems are removed from the public internet or placed behind password-protected access controls. The attacks focus on operational technology used for real-time inventory and distribution management rather than traditional information technology (IT) networks. The attackers capability, however, was limited to manipulating display readings, not actual fuel levels or distribution flows. U.S. officials suspect Iranian-linked actors are responsible, though a lack of forensic evidence means definitive attribution has not been confirmed. If confirmed, the activity would represent continued Iranian interest in disrupting or gathering intelligence on U.S. energy infrastructure. The incidents are highly relevant to Florida’s extensive fuel distribution networks, ports, and municipal energy providers that rely on similar tank-gauge and monitoring systems.

PJM Gets Emergency Approval to Curtail Data Centers, Large Loads During Hot Weather The Department of Energy authorized PJM Interconnection to curtail power usage by large facilities with backup generation capability, including data centers, amid reserve shortages caused by extreme heat and maintenance outages. The emergency authority reflects growing operational stress on energy infrastructure that supports AI-driven data-center growth and increasing electricity demand. Grid operators continue evaluating emergency procedures to maintain system stability during high-load events. The incident also highlights increasing dependence on resilient backup-generation systems across critical infrastructure sectors.

CI Fortify: Strengthening Resilience Across Critical Infrastructure Iranian-linked actors continue to target internet-exposed PLCs and SCADA systems in the water and energy sectors. CISA’s CI Fortify guidance explicitly calls for OT isolation and manual operations readiness—directly applicable to Florida’s energy providers.

Energy Sector Recommendations:

  • Verify that all operational technology (OT) assets, particularly Rockwell Automation and Allen-Bradley programmable logic controllers, are removed from the public internet or placed behind strict network segmentation.
  • Store critical OT configurations and backups in immutable offline formats to enable manual operations during sustained cyber campaigns.
  • Audit third-party vendor accounts and monitor for anomalous remote access to smart-grid and energy-management systems.
  • Inventory and segment all operational technology assets used for fuel storage, tank monitoring, and distribution systems, ensuring they are not internet-exposed and are protected by strict network segmentation.
Financial Services Sector

No sector-specific incidents, advisories, or operationally relevant reporting were identified during this biweekly reporting period.

Food and Agriculture Sector

No sector-specific incidents, advisories, or operationally relevant reporting were identified during this biweekly reporting period.

Government Services and Facilities Sector

Aurora Lost Nearly $1.1M from City Bank Accounts After Employee Fell for Phone Scam Authorities in Aurora, Illinois are investigating a cyber-enabled fraud incident that resulted in approximately $1.1 million being transferred from municipal accounts after an employee reportedly fell victim to a phone scam. The incident reflects continuing business email compromise and social-engineering threats targeting local governments and public-sector financial operations. Cyber threat actors increasingly use impersonation techniques and financial fraud schemes to exploit municipal payment processes. Florida municipalities and tourism-dependent communities remain vulnerable to similar financially motivated cyber campaigns.

Chelan County WA Government Shuts Down Networks After Cyberattack Chelan County officials shut down all government computers, networks, and telephone systems on Memorial Day after detecting a malware attack that impacted every county department. The county’s information technology (IT) department identified the malware at 10 a.m. and immediately isolated systems as a safety precaution. Emergency services remained operational. This incident serves as a direct tactical analog for Florida’s numerous county and municipal government facilities that routinely handle high-volume administrative and public safety systems.

State IT Officials Make a Case for Cyber Grant Reauthorization Before House Subcommittee Florida’s Chief Information Officer and technology leaders from Tennessee and New York testified before the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection regarding the now-unfunded State and Local Cybersecurity Grant Program (SLCGP). The officials highlighted how the grant program has improved state and local network defenses and urged Congress to reauthorize funding amid escalating nation-state threats and reduced federal support. This testimony is directly relevant to Florida’s municipal, county, and educational networks, which rely on these grants to maintain resilience against ransomware, operational technology (OT) targeting, and supply chain risks.

Canvas Hack: Company Pays Criminals to Delete Students’ Stolen Data Instructure (provider of the widely used Canvas learning management system) reached an agreement with the ShinyHunters group after a major breach that exposed student and staff data from 275 million records across approximately 9,000 institutions, including names, email addresses, student ID numbers, and private messages between students and instructors. across thousands of educational institutions. Instructure reportedly paid a ransom to the ShinyHunters group, receiving digital confirmation that exfiltrated data was destroyed, though no certainty exists that the cybercriminals honored the agreement. The FBI’s Internet Crime Complaint Center (IC3) issued a separate advisory on May 15, 2026 warning students and staff that ShinyHunters may directly contact individuals whose data was exposed. The incident directly impacted the University of South Florida (USF) in Tampa as well as Hillsborough County Public Schools, Pinellas County Schools, and other Florida districts, underscoring the systemic risk to Florida’s K-12 and higher-education systems that rely on third-party education vendors.

Hackers Exploited KnowledgeDeliver Zero-Day for Web Shell Deployment Attackers have exploited a zero-day vulnerability in KnowledgeDeliver, a widely used learning management system (LMS). The flaw stemmed from hardcoded ASP.NET machineKey values shared across installations. With these keys, cyber threat actors performed ViewState deserialization attacks to achieve remote code execution and deployed web shells. This incident demonstrates that cyber threat actors continue to pursue LMS platforms used by schools and government entities. The development is highly relevant to Florida’s K-12 and higher-education systems as well as municipal government facilities that rely on similar third-party administrative and education platforms.

Government Services and Facilities Sector Recommendations:

  • Train staff to verify all financial requests through out-of-band channels before initiating wire transfers or payments.
  • Implement strict multi-factor authentication and least-privilege controls on email and financial systems used by municipal staff.
  • Conduct regular phishing simulations and rigorous vendor risk assessments of third-party learning management systems (LMS), education platforms, and administrative software to reduce exposure to supply-chain and zero-day vulnerabilities.
  • Inventory, promptly patch (or isolate) all internet-facing third-party LMS and web-based administrative applications, with special attention to hardcoded credentials, shared configuration keys, and web-shell risks.
  • Maintain and regularly test offline backups and manual fallback procedures for all county and municipal administrative systems to ensure continuity during ransomware or malware-induced outages.
  • Advocate for and prepare contingency plans around reauthorization of the State and Local Cybersecurity Grant Program to sustain network defenses amid reduced federal support.
Healthcare and Public Health Sector

OpenLoop Health Data Breach Affects 716,000 Individuals OpenLoop Health disclosed a breach exposing names, addresses, email addresses, dates of birth, and medical information (but not Social Security Numbers) of approximately 716,000 individuals. The incident aligns with the broader pattern of persistent data-theft and extortion campaigns targeting the U.S. healthcare sector. Florida’s large healthcare network and retiree population make this a continuing high-priority risk.

Data Breach on New York Public Health System Claims 1.8M Victims, Leaking Biometric Data to Hackers NYC Health + Hospitals confirmed that a vendor-related compromise exposed sensitive patient data, including biometric data, affecting approximately 1.8 million individuals after attackers reportedly maintained access to systems for several months. Exposed information included protected health information and personally identifiable information tied to healthcare operations. The incident highlights the ongoing risks associated with third-party vendors and healthcare-sector supply chain exposure.

Hospital Ransomware Attack Led to Infant’s Death, Lawsuit Alleges A hospital ransomware attack allegedly led to an infant’s death, according to a lawsuit. The incident highlights the severe life-safety risks when ransomware disrupts critical healthcare operations and patient care systems. This is directly relevant to Florida’s large healthcare network and retiree population, where ransomware continues to threaten both patient data and care continuity.

Healthcare and Public Health Sector Recommendations:

  • Isolate electronic health record systems and medical devices on segmented networks to prevent lateral movement during ransomware incidents.
  • Maintain and regularly test manual downtime procedures for all critical patient care and life-safety systems to sustain operations and protect patient safety during IT outages or ransomware events.
  • Perform rigorous third-party risk assessments of billing and health-data vendors to limit exposure from supply-chain breaches.
  • Prioritize patient safety and life-safety system continuity in all ransomware incident response planning and conduct regular drills focused on rapid transition to manual operations.
Information Technology Sector

CISA Releases 18 New ICS Advisories Cybersecurity and Infrastructure Security Agency (CISA) released 18 new industrial control system advisories on May 14, 2026, detailing remotely exploitable vulnerabilities in products used across manufacturing, emergency communications, and supporting OT environments. Florida operators of these systems should apply patches immediately.

GitHub Confirms Breach of 3,800 Repos via Malicious VSCode Extension GitHub confirmed that approximately 3,800 internal repositories were compromised after an employee installed a malicious Visual Studio Code extension. The incident demonstrates the growing threat posed by software supply chain compromises targeting trusted developer environments and third-party extensions. Additional organizations, including major technology firms and artificial intelligence (AI) companies, were reportedly impacted by related activity. The compromise reinforces concerns about dependency trust, extension security, and vulnerabilities in the software development ecosystem.

CISA Adds One Known Exploited Vulnerability to Catalog CISA has added CVE-2026-9082, a critical SQL injection vulnerability in Drupal Core’s database abstraction API, to its Known Exploited Vulnerabilities catalog after confirming active exploitation. The agency ordered federal agencies to patch by May 27, 2026. Drupal is widely used by government agencies, educational institutions, and critical infrastructure entities for managing large-scale websites and content. Florida state agencies, school districts, and municipal utilities running Drupal instances should apply patches immediately to prevent unauthorized database access and potential lateral movement.

Exposing Fox Tempest: A Malware-signing Service Operation Microsoft identified Fox Tempest as a financially motivated cyber threat actor operating a malware-signing-as-a-service platform used by cybercriminals and ransomware operators. The group abuses Microsoft Artifact Signing to generate fraudulent short-lived certificates that allow malicious software to appear legitimate and evade traditional security controls. The operation demonstrates the increasing sophistication of ransomware enablement services and malware delivery infrastructure. Security researchers warned that signed malware continues posing significant detection and trust challenges for defenders.

Patch Bypass Allows Hackers to Exploit Prior Flaw in SonicWall SSL-VPN Cyber threat actors continue to exploit a SonicWall Secure Sockets Layer virtual private network (SSL-VPN) vulnerability that enables attackers to bypass multifactor authentication protections during automated brute-force attacks. Researchers warned that a patch bypass allowed exploitation activity to continue despite earlier remediation efforts. SSL-VPN appliances remain at frequent targets for ransomware operators and cybercriminal groups seeking remote access into enterprise environments. Organizations relying on internet-facing VPN infrastructure continue facing elevated risks from credential attacks and remote-access exploitation.

ClearFake Abuses BSC Testnet Contracts for Resilient C2 Operations Cyber threat actors behind the ClearFake campaign have adopted a novel and highly resilient command-and-control (C2) architecture by leveraging BNB Smart Chain (BSC) testnet smart contracts. This approach embeds malicious JavaScript and instructions within immutable blockchain storage. That means that standard threat intelligence feeds and domain blocklists are ineffective against this C2 channel, so defenders must instead focus on monitoring anomalous outbound connections and JavaScript injection patterns. That makes the infrastructure effectively immune to traditional takedown efforts. The tactic expands supply-chain and developer-pipeline risks for Florida critical infrastructure entities that rely on third-party IT tools and extensions.

Hackers Host JS Malware GHOSTYNETWORKS and OMEGATECH Hackers are abusing two bulletproof hosting providers, GHOSTYNETWORKS and OMEGATECH, to run a global JavaScript (JS) malware infrastructure that powers large-scale malspam and business email compromise (BEC) activity. In March 2026, multiple malspam waves delivered a JavaScript backdoor via ZIP or RAR attachments to organizations across sectors, including energy companies and finance ministries. The financially motivated operators focus on email account compromise and BEC rather than espionage.

Gitea Vulnerability Exposes Private Container Images Without Authentication Cybersecurity researchers disclosed a security flaw in Gitea (CVE-2026-27771, CVSS 8.2) that allows unauthenticated remote attackers to pull private container images from Gitea deployments without requiring credentials. The vulnerability affects all versions prior to 1.26.2 and likely impacts more than 30,000 deployments worldwide. Florida state agencies, school districts, and critical infrastructure operators running self-hosted Gitea instances should apply the patch immediately.

Critical Notepad++ Flaw Could Enable Remote Code Execution Attacks Notepad++ has released version 8.9.6.1 to address multiple critical vulnerabilities, including CVE-2026-48778, which could allow arbitrary code execution under specific conditions involving improper handling of configuration files. The update patches flaws in versions up to 8.9.6. Developers and administrators across Florida critical infrastructure environments should update immediately to prevent potential supply-chain compromise via developer tools.

Information Technology Sector Recommendations:

  • Apply all CISA Known Exploited Vulnerabilities catalog updates and the latest ICS advisories without delay.
  • Immediately inventory, patch, or isolate all Drupal installations, Gitea instances, and other internet-facing web applications, prioritizing those used by government, educational, and critical infrastructure systems.
  • Enforce strict package verification, code-signing validation, and security checks for all developer tools, extensions (including VSCode), and applications such as Notepad++ to prevent supply-chain and remote code execution attacks.
  • Implement strong authentication and access controls on self-hosted code repositories and container registries (such as Gitea) to block unauthenticated access to private container images and source code.
  • Monitor for and block malicious JavaScript malware campaigns, abuse of bulletproof hosting providers, and resilient C2 techniques such as blockchain-based infrastructure.
  • Scan and restrict internet-facing remote-access services (including SSL-VPN appliances) and apply patches immediately to counter bypass techniques and automated attacks.
  • Strengthen supply-chain security practices to defend against malware-signing-as-a-service operations (such as Fox Tempest) and third-party extension compromises.
Nuclear Reactors, Materials, and Waste Sector

No sector-specific incidents, advisories, or operationally relevant reporting were identified during this biweekly reporting period.

Transportation Systems Sector

Iranian Hackers Blamed for Breach of Los Angeles Transit System that Took Weeks to Recover Israeli cybersecurity firm Gambit Security attributed a March 2026 breach of the Los Angeles County Metropolitan Transportation Authority (LA Metro) to Iranian government-linked (MOSI) actors—Black Shadow–operating under a hacktivist cover persona of “Ababil of Minab”. Attackers used a virtual machine to delete critical operating system data, stole at least 700 GB of emails/backups/files, and forced multi-week network isolation and recovery. Gambit Security reported that attackers also reached a real-time rail yard control display system, crossing from administrative IT networks into OT territory — though no manipulation of physical operations has been confirmed. This incident demonstrates state-sponsored destructive capabilities against U.S. transportation OT/IT systems. Florida’s ports, transit authorities, and logistics networks that rely on similar interconnected systems should treat this as a transferable risk.

Iranian APT Targets Aviation, Software Companies with Updated Tools Iranian APT Nimbus Manticore has adopted new tactics and malware variants in campaigns against aviation and software companies. Recent operations used updated tooling that enhances persistence and evasion. This activity demonstrates continued Iranian state-sponsored focus on transportation and related supply-chain targets. Florida’s ports, aviation facilities, and transit networks should treat this as transferable risk and review vendor software supply chains.

Transportation Systems Sector Recommendations:

  • Monitor maritime traffic networks and commercial port environments for localized GPS spoofing attempts or electronic warfare interference.
  • Encrypt all vessel communication systems to prevent threat actors from intercepting sensitive navigation and logistics data.
  • Implement redundant positioning, navigation, and timing systems to maintain safe maritime operations if primary GPS signals are disrupted.
  • Audit and segment all virtual machines, remote-access tools, and OT/IT convergence points in transit and port systems to prevent destructive data-wiping attacks by state actors.
Water and Wastewater Systems Sector

CI Fortify: Strengthening Resilience Across Critical Infrastructure Iranian-linked actors continue to target internet-exposed PLCs and SCADA systems in the water and energy sectors. CISA’s CI Fortify guidance explicitly calls for OT isolation and manual operations readiness—directly applicable to Florida’s municipal water utilities.

Water and Wastewater Systems Sector Recommendations:

  • Immediately remove or isolate all internet-exposed programmable logic controllers and SCADA interfaces.
  • Develop and regularly test manual fallback procedures for water treatment and distribution operations.
  • Monitor anomalous changes to PLC project files and HMI configurations that could indicate manipulation attempts.
  • Accelerate the adoption of AI-assisted defensive tools and conduct regular third-party risk assessments of OT vendors in light of shrinking federal support for water-sector cybersecurity.
CI Bulletin Vol 2, Issue 8 June 9, 20262026-06-09T10:00:00-04:00

Mudita Khurana — Tech Lead at Airbnb and the person who always says, “I got this”

Episode 73 — Mudita Khurana

Mudita Khurana — Tech Lead at Airbnb and the person who always says, “I got this”2026-06-05T13:09:11-04:00