Computer/Network Security
Showing 12 / 2352 threat reports
Impact (HIGH)
DoJ Seizes $61 Million in Tether Linked to Pig Butchering Crypto Scams
In February 2026, the U.S. Department of Justice (DoJ) seized over $61 million in Tether (USDT) linked to 'pig butchering' cryptocurrency scams. These schemes involved fraudsters building trust with victims through fake romantic relationships, then persuading them to invest in fraudulent cryptocurrency platforms that displayed fabricated high returns. When victims attempted to withdraw funds, they were met with demands for additional fees, leading to further financial loss. The seized funds were traced to cryptocurrency addresses used to launder proceeds from these scams. ([justice.gov](https://www.justice.gov/usao-ednc/pr/us-attorneys-office-ednc-announces-seizure-61-million-dollars-worth-cryptocurrency?utm_source=openai)) This incident underscores the growing prevalence of sophisticated social engineering tactics in financial fraud, particularly within the cryptocurrency sector. It highlights the need for increased vigilance and regulatory measures to protect individuals from such deceptive practices.

14 minutes ago

Kill Chain at a Glance: IC, PE, LM, C&C, E, I
Impact (HIGH)
Sangoma FreePBX 2025 INJ3CTOR3 Web Shell Attacks
In December 2025, over 900 Sangoma FreePBX instances were compromised through the exploitation of CVE-2025-64328, a high-severity command injection vulnerability. This flaw allowed authenticated users to execute arbitrary shell commands, leading to the deployment of the EncystPHP web shell by the threat actor group INJ3CTOR3. The attacks resulted in unauthorized remote access and control over affected VoIP infrastructures, with significant concentrations of compromised systems in the U.S., Brazil, Canada, Germany, and France. ([thehackernews.com](https://thehackernews.com/2026/02/900-sangoma-freepbx-instances.html?utm_source=openai)) The incident underscores the critical importance of timely patch management and restricting administrative access to prevent exploitation of known vulnerabilities. Organizations are urged to update their FreePBX deployments to the latest version and implement stringent access controls to mitigate similar threats. ([securityweek.com](https://www.securityweek.com/900-sangoma-freepbx-instances-infected-with-web-shells/?utm_source=openai))

14 minutes ago

Impact (CRITICAL)
Marquis 2025 Ransomware Attack via SonicWall Breach
In August 2025, Marquis Software Solutions, a Texas-based fintech firm serving over 700 banks and credit unions, experienced a ransomware attack. The breach was traced back to unauthorized access through its SonicWall firewall, leading to the exposure of sensitive data, including names, addresses, Social Security numbers, and financial account information of over 400,000 individuals associated with 74 financial institutions. The attackers exploited a known but unpatched vulnerability in SonicWall’s firewall software (CVE-2024-40766), allowing them to infiltrate Marquis's network and deploy ransomware. This incident underscores the critical importance of timely patch management and the potential risks associated with third-party service providers. ([techradar.com](https://www.techradar.com/pro/security/over-70-us-banks-and-credit-unions-affected-by-marquis-ransomware-breach-heres-what-we-know?utm_source=openai)) The Marquis breach highlights the escalating trend of cyberattacks targeting supply chain vulnerabilities, emphasizing the need for organizations to scrutinize the security postures of their vendors. Additionally, it serves as a stark reminder of the consequences of delayed patching, as threat actors increasingly exploit known vulnerabilities to gain unauthorized access to sensitive data.

6 hours ago

Impact (CRITICAL)
Cisco SD-WAN Zero-Day Exploited Since 2023
In February 2026, Cisco disclosed a critical zero-day vulnerability (CVE-2026-20127) in its Catalyst SD-WAN Controller and Manager, which had been actively exploited since at least 2023. The flaw allowed unauthenticated remote attackers to bypass authentication mechanisms, granting them high-privileged access to manipulate network configurations via the NETCONF protocol. This exploitation enabled the addition of rogue peers and potential disruption of network operations. ([thehackernews.com](https://thehackernews.com/2026/02/cisco-sd-wan-zero-day-cve-2026-20127.html?utm_source=openai)) The incident underscores the persistent targeting of network infrastructure by sophisticated threat actors, emphasizing the need for organizations to prioritize timely patching and robust security measures to protect critical systems. ([thehackernews.com](https://thehackernews.com/2026/02/cisco-sd-wan-zero-day-cve-2026-20127.html?utm_source=openai))

6 hours ago

Impact (HIGH)
Johnson Controls 2026 Unauthenticated Remote Code Execution Vulnerabilities
In February 2026, multiple critical vulnerabilities were identified in Johnson Controls' Frick Controls Quantum HD systems, versions 10.22 and prior. These vulnerabilities include unauthenticated remote code execution, code injection, and plaintext storage of passwords, potentially allowing attackers to execute arbitrary code, access sensitive information, and compromise system integrity. The affected systems are widely deployed in critical infrastructure sectors, including food and agriculture, posing significant security risks. ([nvd.nist.gov](https://nvd.nist.gov/vuln/detail/CVE-2026-21659?utm_source=openai)) The discovery of these vulnerabilities underscores the ongoing challenges in securing industrial control systems (ICS) against sophisticated cyber threats. Organizations utilizing these systems must prioritize timely updates and adhere to recommended security practices to mitigate potential exploitation and safeguard critical operations.

6 hours ago

Impact (CRITICAL)
Critical WebSocket Vulnerabilities in SWITCH EV's Platform Threaten EV Infrastructure Security
In February 2026, multiple critical vulnerabilities were identified in SWITCH EV's swtchenergy.com platform, affecting all versions. These vulnerabilities include missing authentication for critical functions (CVE-2026-27767), improper restriction of excessive authentication attempts (CVE-2026-25113), insufficient session expiration (CVE-2026-25778), and insufficiently protected credentials (CVE-2026-27773). Exploitation of these flaws could allow attackers to impersonate charging stations, hijack sessions, suppress or misroute legitimate traffic, and manipulate data sent to the backend, potentially leading to large-scale denial of service and unauthorized control over charging infrastructure. ([cvedetails.com](https://www.cvedetails.com/cve/CVE-2026-27767/?utm_source=openai)) The increasing reliance on electric vehicle (EV) infrastructure underscores the critical need for robust cybersecurity measures. These vulnerabilities highlight the potential risks associated with inadequate authentication and session management in critical infrastructure systems, emphasizing the importance of implementing comprehensive security protocols to safeguard against such threats.

6 hours ago

Impact (CRITICAL)
EV2GO 2026 Authentication Vulnerabilities: A Wake-Up Call for Critical Infrastructure Security
In February 2026, multiple critical vulnerabilities were identified in EV2GO's ev2go.io charging management platform, affecting all versions. These flaws include missing authentication for critical functions (CVE-2026-24731), improper restriction of excessive authentication attempts (CVE-2026-25945), insufficient session expiration (CVE-2026-20895), and insufficiently protected credentials (CVE-2026-22890). Exploitation could allow attackers to impersonate charging stations, hijack sessions, misroute traffic causing large-scale denial of service, and manipulate backend data. ([therealistjuggernaut.com](https://therealistjuggernaut.com/2026/02/26/trj-cybersecurity-ev2go-charging-platform-exposed-authentication-failures-create-high-risk-entry-points-across-global-ev-infrastructure/?utm_source=openai)) The absence of vendor response and lack of available patches heighten the urgency for organizations to implement immediate defensive measures. This incident underscores the critical need for robust authentication mechanisms and proactive vulnerability management in infrastructure systems to prevent potential exploitation and operational disruptions.

6 hours ago

Impact (CRITICAL)
EV Energy's 2026 Security Flaws: A Wake-Up Call for EV Infrastructure
In February 2026, multiple critical vulnerabilities were identified in EV Energy's ev.energy platform, a UK-based provider of electric vehicle charging software. These vulnerabilities include missing authentication for critical functions (CVE-2026-27772), improper restriction of excessive authentication attempts (CVE-2026-24445), insufficient session expiration (CVE-2026-26290), and insufficiently protected credentials (CVE-2026-25774). Exploitation of these flaws could allow attackers to gain unauthorized control over charging stations, disrupt services, and compromise data integrity. ([beyondmachines.net](https://beyondmachines.net/event_details/critical-vulnerabilities-in-ev-energy-charging-platform-allow-remote-hijacking-b-x-t-d-l?utm_source=openai)) The increasing integration of electric vehicle infrastructure with the power grid underscores the urgency of addressing these security gaps. As cyberattacks on EV charging stations rise, ensuring robust authentication and session management mechanisms is critical to prevent potential disruptions and maintain trust in the EV ecosystem. ([yahoo.com](https://www.yahoo.com/news/cyberattacks-ev-charging-stations-rise-120000365.html?utm_source=openai))

6 hours ago

Impact (HIGH)
Critical Vulnerabilities in CloudCharge's Platform Threaten Global EV Charging Networks
In February 2026, multiple critical vulnerabilities were identified in CloudCharge's cloudcharge.se platform, which manages electric vehicle (EV) charging infrastructure globally. These vulnerabilities include missing authentication for critical functions (CVE-2026-20781), improper restriction of excessive authentication attempts (CVE-2026-25114), insufficient session expiration (CVE-2026-27652), and insufficiently protected credentials (CVE-2026-20733). Exploitation of these flaws could allow attackers to impersonate charging stations, hijack sessions, suppress or misroute legitimate traffic, and manipulate data sent to the backend, potentially leading to large-scale denial of service and unauthorized control over charging infrastructure. ([therealistjuggernaut.com](https://therealistjuggernaut.com/2026/02/26/trj-cybersecurity-cloudcharge-platform-vulnerabilities-open-global-ev-charging-networks-to-session-hijack-and-impersonation-risk/?utm_source=openai)) The discovery of these vulnerabilities underscores the urgent need for robust authentication and session management mechanisms in critical infrastructure systems. As the adoption of EVs continues to rise, ensuring the security of charging networks is paramount to prevent potential disruptions and maintain public trust in these technologies.

6 hours ago

Impact (CRITICAL)
Critical Security Flaws in Mobility46's EV Charging Platform Expose Infrastructure to Unauthorized Access
In February 2026, multiple critical vulnerabilities were identified in Mobility46's charging station management platform, mobility46.se. These vulnerabilities include missing authentication for critical functions (CVE-2026-27028), improper restriction of excessive authentication attempts (CVE-2026-26305), insufficient session expiration (CVE-2026-27647), and insufficiently protected credentials (CVE-2026-22878). Exploitation of these flaws could allow attackers to gain unauthorized administrative control over charging stations or disrupt services through denial-of-service attacks. ([cvefeed.io](https://cvefeed.io/vuln/detail/CVE-2026-27028?utm_source=openai)) The increasing reliance on electric vehicle (EV) infrastructure underscores the importance of securing such platforms. These vulnerabilities highlight the need for robust authentication mechanisms and session management to prevent unauthorized access and ensure the integrity of critical infrastructure services.

6 hours ago

Impact (HIGH)
Critical Vulnerability in Pelco Sarix Pro 3 Series IP Cameras: Immediate Action Required
In February 2026, a critical authentication bypass vulnerability (CVE-2026-1241) was identified in Pelco, Inc.'s Sarix Pro 3 Series IP Cameras, affecting firmware versions up to 02.52. This flaw allows unauthorized access to the cameras' web management interface, enabling attackers to view live video streams and potentially manipulate device settings without proper authentication. The vulnerability poses significant privacy risks and operational challenges for organizations utilizing these surveillance systems. The incident underscores the growing threat landscape targeting IoT devices, particularly in critical infrastructure sectors such as commercial facilities, defense, energy, healthcare, and transportation. As cyber adversaries increasingly exploit vulnerabilities in connected devices, it is imperative for organizations to prioritize regular firmware updates, implement robust access controls, and conduct comprehensive security assessments to mitigate potential risks.

6 hours ago

Impact (MEDIUM)
Critical Vulnerabilities in Yokogawa CENTUM VP Vnet/IP Interface Package
In February 2026, multiple vulnerabilities were identified in Yokogawa Electric Corporation's Vnet/IP Interface Package, affecting CENTUM VP R6 and R7 systems. These vulnerabilities, including CVE-2025-1924, CVE-2025-48019, CVE-2025-48020, CVE-2025-48021, CVE-2025-48022, and CVE-2025-48023, could allow attackers on adjacent networks to send maliciously crafted packets, leading to denial-of-service conditions or arbitrary code execution. The affected versions are Vnet/IP Interface Package R1.07.00 and earlier. ([nvd.nist.gov](https://nvd.nist.gov/vuln/detail/CVE-2025-48020?utm_source=openai)) The discovery of these vulnerabilities underscores the critical need for robust security measures in industrial control systems. As cyber threats targeting critical infrastructure continue to evolve, organizations must prioritize timely patching, network segmentation, and continuous monitoring to mitigate potential risks.

6 hours ago
