
Espionage Disrupted, SD‑WAN Urgency, And AI‑Driven Defenses
Coverage: 25 Feb 2026 (UTC)
Security teams balanced proactive rollouts with urgent response today, as new AI‑assisted defenses reached SOCs and mobile devices while regulators pressed organizations to investigate and harden critical network control planes. Alongside those measures, researchers detailed the takedown of a globe‑spanning espionage operation that abused a legitimate SaaS service for covert control, and a criminal sentence and a civil complaint underscored the consequences of insider theft and weak controls.
AI‑Enabled Defense Tools Roll Out
A major Cortex platform release from Palo Alto Networks embeds agentic AI across detection, investigation and response. The update expands the AI‑ready data foundation with Cortex XDL 2.0 (long‑term retention, federated search and GenAI‑driven parser generation) and introduces more task‑specific agents, including Case Investigation, Cloud Posture and Automation Engineer. New agentic playbooks weave AI steps into automation so workflows adapt in real time, and the standalone Cortex Agentix platform brings AI orchestration to SOAR with an extensive library of playbooks and integrations. The company frames the shift as a response to faster attack tempos and cites customer outcome claims; the announcement also carries a forward‑looking‑statements caveat advising that purchase decisions be based on currently available features.
A post on Google's Security Blog details expanded Android scam protections powered by on‑device AI. The systems analyze more than 10 billion suspected malicious calls and messages each month; call warnings are available on Pixel devices across multiple countries and are extending to the Samsung Galaxy S26 series in the U.S., with plans to work with additional manufacturers. Messages protections now span 20+ countries and several languages, and the on‑device Gemini model on recent flagships improves detection of subtler social‑engineering lures such as fake job offers and romance scams. The post emphasizes privacy and user control: processing happens on‑device, the feature is off by default, and it does not run on calls with saved contacts.
SD‑WAN Exploitation Triggers Urgent Actions
CISA and international partners published joint guidance on ongoing malicious activity against Cisco SD‑WAN; CISA also added CVE‑2026‑20127 and CVE‑2022‑20775 to the Known Exploited Vulnerabilities Catalog and issued Emergency Directive 26‑03. The alert describes initial access through an authentication bypass followed by privilege escalation and persistence, and directs agencies to inventory affected systems, collect forensic artifacts, patch fully, and actively hunt for compromise. The ordering matters: capture forensic artifacts before patching or rebooting, because a patch closes the entry point but does not evict persistence an intruder has already established. The bundle points to the Catalyst SD‑WAN Hardening Guide and specific mitigations, such as placing control components behind firewalls, isolating VPN 512 (management) interfaces, replacing self‑signed certificates, enabling pairwise keys, setting minimal session timeouts, and forwarding logs to a remote syslog server.
Separately, researchers at Check Point disclosed critical issues in Claude Code that let a crafted repository execute hidden commands and exfiltrate Anthropic API keys when it is cloned or opened. The weaknesses abuse hooks, MCP integrations and environment handling to bypass repository trust checks and redirect authenticated API traffic before any consent prompt appears. The reported CVEs were fixed across late‑2025 and early‑2026 releases; mitigations include updating to patched versions, rotating any exposed keys, restricting token scopes and workspace permissions, disabling or tightly controlling automatic execution of repository configuration, and auditing hooks and third‑party integrations. Why it matters: repository metadata and developer tooling are part of the execution surface and need the same review and controls as application code.
Espionage Disrupted, With Legal Fallout
A detailed report from Google Cloud describes the coordinated disruption of a suspected PRC‑nexus actor tracked as UNC2814 that used a previously undocumented backdoor dubbed GRIDTIDE. The campaign hit 53 confirmed victims across 42 countries, targeting telecommunications and government organizations. GRIDTIDE repurposes Google Sheets as covert command‑and‑control: it decrypts a configuration stored in Google Drive with a 16‑byte AES‑128‑CBC key, then polls and updates spreadsheet cells to receive commands and moves files in roughly 45 KB fragments encoded with URL‑safe Base64. The malware executes shell commands, transfers files, and records host fingerprints and PII consistent with telecom‑focused espionage. In response, teams terminated attacker‑controlled cloud projects, disabled the accounts and API access the actor abused, sinkholed infrastructure, and released extensive IOCs, a YARA rule and hunting queries. Defenders are advised to hunt for non‑browser processes calling sheets.googleapis.com (including the batchClear and batchUpdate methods), artifacts such as xapt, xapt.cfg and xapt.service, suspicious file creation in /usr/sbin, /sbin and /var/tmp, and the other published detections. Because the Sheets API is a legitimate service, the useful signal is the process context of the call rather than the destination itself; blocking the domain outright is rarely an option.
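The hunting guidance above translates directly into detection logic. The following is an added example (not Google's published queries or YARA rule) that runs the report's indicators over endpoint telemetry: non‑browser processes talking to sheets.googleapis.com, with the batchClear and batchUpdate methods rated higher, plus creation of the named xapt artifacts or of files in the watched directories. The JSON‑lines event format, the browser allow‑list and the severity mapping are this example's own assumptions, and the sample log is constructed.

```python
import json
import posixpath

# Indicators taken from the GRIDTIDE report summary.
SHEETS_HOST = "sheets.googleapis.com"
C2_METHODS = ("batchClear", "batchUpdate")
ARTIFACT_NAMES = {"xapt", "xapt.cfg", "xapt.service"}
WATCHED_DIRS = ("/usr/sbin", "/sbin", "/var/tmp")

# Assumed allow-list of processes expected to reach the Sheets API; tune per fleet.
BROWSER_PROCS = {"chrome", "chromium", "chromium-browser", "firefox", "msedge", "brave"}


def check_network(ev):
    """Flag Sheets API calls from anything that is not a browser."""
    if ev.get("host", "").lower() != SHEETS_HOST:
        return None
    proc = posixpath.basename(ev.get("process", "")).lower()
    if proc in BROWSER_PROCS:
        return None
    uri = ev.get("uri", "")
    methods = [m for m in C2_METHODS if m in uri]
    return {"rule": "non_browser_sheets_api", "ts": ev.get("ts"),
            "hostname": ev.get("hostname"), "process": ev.get("process"),
            "uri": uri, "methods": methods,
            "severity": "high" if methods else "medium"}


def check_file(ev):
    """Flag creation of known artifact names or of files in the watched directories."""
    if ev.get("action") != "create":
        return None
    path = ev.get("path", "")
    name = posixpath.basename(path)
    directory = posixpath.dirname(path)
    reasons = []
    if name in ARTIFACT_NAMES:
        reasons.append("known_gridtide_artifact")
    if any(directory == d or directory.startswith(d + "/") for d in WATCHED_DIRS):
        reasons.append("creation_in_watched_dir")
    if not reasons:
        return None
    return {"rule": "suspicious_file_creation", "ts": ev.get("ts"),
            "hostname": ev.get("hostname"), "process": ev.get("process"),
            "path": path, "reasons": reasons,
            "severity": "high" if "known_gridtide_artifact" in reasons else "medium"}


def hunt(lines):
    """Run both checks over JSON-lines telemetry; returns the list of findings."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        kind = ev.get("kind")
        hit = check_network(ev) if kind == "net" else check_file(ev) if kind == "file" else None
        if hit:
            findings.append(hit)
    return findings


# Constructed sample telemetry (assumed schema: one JSON object per line).
SAMPLE_LOG = """
{"kind":"net","ts":"2026-02-25T01:02:03Z","hostname":"ws-07","process":"/opt/google/chrome/chrome","host":"sheets.googleapis.com","uri":"/v4/spreadsheets/1AbC/values:batchUpdate"}
{"kind":"net","ts":"2026-02-25T01:05:10Z","hostname":"telco-edge-01","process":"/usr/sbin/xapt","host":"sheets.googleapis.com","uri":"/v4/spreadsheets/1AbC/values:batchClear"}
{"kind":"net","ts":"2026-02-25T01:06:00Z","hostname":"telco-edge-01","process":"/usr/bin/python3","host":"sheets.googleapis.com","uri":"/v4/spreadsheets/1AbC/values/Sheet1!A1"}
{"kind":"net","ts":"2026-02-25T01:07:00Z","hostname":"ws-07","process":"/usr/bin/curl","host":"example.com","uri":"/"}
{"kind":"file","ts":"2026-02-25T01:04:40Z","hostname":"telco-edge-01","process":"/bin/sh","action":"create","path":"/var/tmp/xapt.cfg"}
{"kind":"file","ts":"2026-02-25T01:04:41Z","hostname":"telco-edge-01","process":"/bin/sh","action":"create","path":"/etc/systemd/system/xapt.service"}
{"kind":"file","ts":"2026-02-25T01:04:42Z","hostname":"telco-edge-01","process":"/bin/sh","action":"create","path":"/usr/sbin/helper"}
{"kind":"file","ts":"2026-02-25T01:09:00Z","hostname":"telco-edge-01","process":"/usr/sbin/xapt","action":"modify","path":"/var/tmp/xapt.cfg"}
{"kind":"file","ts":"2026-02-25T01:10:00Z","hostname":"ws-07","process":"/usr/bin/vim","action":"create","path":"/home/alice/notes.txt"}
"""

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG.splitlines()):
        print(f["severity"].upper(), f["rule"], f.get("process"), f.get("uri") or f.get("path"))
```

The medium‑severity file rule will be noisy on hosts where package managers legitimately write to /usr/sbin; correlate it with the process that did the write, or with a matching Sheets API call from the same host, before escalating.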
In legal and accountability developments, BleepingComputer reports a former L3Harris executive received an 87‑month sentence for stealing and selling zero‑day components to a Russian exploit broker, with prosecutors citing significant national security risks and losses. In a separate civil action, BleepingComputer details a lawsuit alleging a SonicWall cloud‑backup access gap enabled a ransomware intrusion despite patched firewalls and MFA, with claims of widespread customer impact, sensitive data theft and service disruption. Together these cases highlight the stakes of supply‑chain trust and the ripple effects when control‑plane or backup systems are exposed.
Cloud Infrastructure Expands For Performance And Reach
A what’s‑new post from AWS introduces metal‑24xl and metal‑48xl sizes for EC2 M8gn and M8gb, extending Graviton4‑powered bare‑metal options with up to 600 Gbps networking (M8gn) and up to 300 Gbps EBS bandwidth (M8gb), plus EFA support for tightly coupled workloads. Another update from AWS makes EC2 R8a generally available in Europe (Ireland), offering up to 30% higher compute performance and up to 19% better price‑performance over the prior generation, 45% higher memory bandwidth, and SAP‑certified gains. For operators, higher throughput and bare‑metal access can improve performance but also shift responsibility for OS hardening, monitoring and egress controls.
Developer and regional expansion also continued. New integrations for Aurora DSQL from AWS add Tortoise (Python), a Flyway dialect and Prisma CLI utilities with automated IAM token generation and compatibility handling for distributed SQL migrations, reducing integration risk and misconfiguration. In parallel, AWS launched EC2 M8i and M8i‑flex in Africa (Cape Town), bringing Intel Xeon 6‑based instances with improved price‑performance and memory bandwidth to the region, which can lower latency and ease data‑residency needs for local workloads.