< ciso brief />
Cloud Baselines Tighten, Cisco Patches Urgent, OT Threats Evolve

Coverage: 05 Mar 2026 (UTC)

Cloud providers advanced baseline controls and operational guardrails, with Google Cloud publishing a prescriptive security checklist and findings from AWS Network Security Director now flowing into Security Hub. Performance and resilience upgrades landed at the client and network edge, while patching urgency persisted across enterprise appliances. Threat reporting detailed state-linked preparation for operational technology (OT) disruption, a broad zero‑day census, and a major phishing‑as‑a‑service takedown.

Baselines and Cloud Operations Mature

Google Cloud introduced a recommended security checklist that distills 60 controls into Basic, Intermediate, and Advanced tiers across authentication, resource management, data protection, network security, and monitoring. The guidance is automation‑ready via Terraform and aligns with initiatives like the Secure AI Framework and SLSA. The checklist targets the leading failure modes called out in Threat Horizons — weak credentials and misconfigurations — and is framed as an AI‑ready baseline so teams can adopt new agentic capabilities more safely. Early users reported faster hardening and clearer prioritization.

Findings from the previewed Network Security Director now appear in AWS Security Hub, adding continuous analysis of WAF, security group, and network ACL coverage across accounts. Each finding carries remediation guidance and a severity that factors in both the misconfiguration and the affected topology, helping teams prioritize exposure‑reducing fixes. In parallel, Elastic Beanstalk added AI‑powered environment analysis using Amazon Bedrock to summarize logs, metrics, and events into step‑by‑step troubleshooting tailored to the environment's current state. The aim is to shorten diagnosis and standardize remediation; data handling considerations apply, since environment data is sent to Bedrock.

GKE now supports native custom pod metrics for autoscaling, letting operators declare application‑specific signals without external adapters or agents. The agentless design introduces an AutoscalingMetric controller that sources pod metrics directly and exposes them to HPAs using a standardized format, cutting round‑trip latency, IAM sprawl, and ingestion cost for autoscaling‑only metrics. Google positions this as a step toward intent‑based autoscaling and highlights applicability to AI inference, bursty jobs, gaming, caching, and financial services.

AI in Production, With Guardrails

Google summarized February’s AI releases spanning model upgrades, creative tools, and provenance. Highlights include Gemini 3.1 Pro for improved reasoning, a Deep Think upgrade opening to researchers and enterprises, Nano Banana 2 for faster image generation, Flow enhancements for unified image/video creation, and Lyria 3 for short music. Content provenance advances such as SynthID aim to help identify AI‑generated material, while broader initiatives — from skills investment to collaborative resilience messaging — seek to pair capability with responsibility.

AWS made Connect Health generally available, packaging purpose‑built agentic AI for healthcare workflows. Prebuilt agents cover patient verification and ambient documentation at GA, with appointment management, patient insights, and medical coding in preview. The service integrates with Amazon Connect and EHR/telehealth systems, is described as HIPAA‑eligible, and targets faster deployment of identity verification, scheduling, note‑taking, and coding to reduce administrative burden and accelerate access to care.

Network and Edge Performance Upgrades

The Cloudflare One Client adopted RFC 8899 Datagram Packetization Layer Path MTU Discovery to end “silent drops” from mismatched MTUs. Using MASQUE over QUIC, Cloudflare One actively probes and sets the usable path MTU, preserving sessions during network changes and NAT‑heavy conditions. In parallel, Automatic Return Routing (ARR) entered Closed Beta to address overlapping private IP space by recording the ingress tunnel for a flow and proxying return traffic to the same path, allowing duplicate subnets to coexist without complex VRFs or per‑site NAT. ARR builds on Unified Routing and a userspace flow plane to make consistent, session‑aware decisions and is initially scoped to Secure Web Gateway egress.
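A simplified model of the session-aware flow table behind ARR, as an added example rather than Cloudflare's code: the design (one egress source port per ingress flow, return traffic resolved by that port) is an assumption drawn from the brief's description, and all addresses are constructed. It shows why a plain 5-tuple is ambiguous when two sites use the same private subnet, and why unmatched return packets are dropped instead of guessed onto a tunnel.

```python
from dataclasses import dataclass
from itertools import count
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int

    def key(self) -> Tuple[str, str, int, int]:
        return (self.src_ip, self.dst_ip, self.src_port, self.dst_port)

@dataclass
class FlowEntry:
    tunnel: str     # ingress tunnel the flow arrived on
    client: Packet  # the client's original packet (private source address)

class FlowPlane:
    """Toy session-aware egress proxy (assumed design, not Cloudflare's code).
    Flows are keyed by (tunnel, 5-tuple) and each gets its own egress port."""
    GATEWAY_IP = "203.0.113.1"  # constructed egress address of the gateway

    def __init__(self, first_port: int = 40000) -> None:
        self._ports = count(first_port)
        self._by_client: Dict[Tuple[str, Tuple[str, str, int, int]], int] = {}
        self._by_port: Dict[int, FlowEntry] = {}

    def egress(self, tunnel: str, pkt: Packet) -> Packet:
        """Proxy a client packet from `tunnel`; returns the packet as sent out."""
        k = (tunnel, pkt.key())
        port = self._by_client.get(k)
        if port is None:  # new flow: record its ingress path exactly once
            port = next(self._ports)
            self._by_client[k] = port
            self._by_port[port] = FlowEntry(tunnel, pkt)
        return Packet(self.GATEWAY_IP, pkt.dst_ip, port, pkt.dst_port)

    def ingress_return(self, pkt: Packet) -> Optional[Tuple[str, Packet]]:
        """Map a reply to (tunnel, packet for the client); None if it matches no
        recorded flow, so stray or spoofed replies never reach a tunnel."""
        entry = self._by_port.get(pkt.dst_port)
        if entry is None or pkt.dst_ip != self.GATEWAY_IP:
            return None
        c = entry.client
        if (pkt.src_ip, pkt.src_port) != (c.dst_ip, c.dst_port):
            return None
        return entry.tunnel, Packet(c.dst_ip, c.src_ip, c.dst_port, c.src_port)
```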

Separately, Cloudflare re‑engineered proxy mode to encapsulate TCP directly in QUIC using HTTP/3 CONNECT and MASQUE, eliminating an L4→L3 translation layer that limited throughput on concurrent, media‑heavy workloads. In testing, proxy mode roughly doubled upload/download rates and reduced latency, benefiting browsing, video, large transfers, and remote API use. The change targets coexistence with legacy VPNs, selective gateway steering, and developer SOCKS5 workflows, and is configurable via Local proxy mode with MASQUE.

Vulnerabilities, Incidents, and Threat Activity

Cisco issued an emergency firewall update addressing 25 advisories and 48 CVEs across Secure Firewall products. The most severe are two CVSS 10 flaws in Secure Firewall Management Center — CVE‑2026‑20079 (authentication bypass via crafted HTTP) and CVE‑2026‑20131 (insecure deserialization in the web interface) — that can yield unauthenticated root access and arbitrary code execution. There are no workarounds for either; restricting FMC’s internet exposure reduces risk for one case. Cisco advises using software checkers and compatibility guides to select the correct update path, noting patch urgency given the web‑management vectors and the likelihood of rapid weaponization. Coverage: CSOonline.

Researchers disclosed a zero‑click RCE in the open‑source helpdesk platform FreeScout. Tracked as CVE‑2026‑28289 (Mail2Shell), it bypasses a prior fix and enables unauthenticated code execution when a crafted email is processed by a FreeScout‑configured address. The vendor recommends upgrading to v1.8.207+ and disabling `AllowOverride All` in Apache even after updating. Exposure includes ticket data and mailboxes, with potential for lateral movement. Details: Infosecurity.

Industrial threat activity shows a pivot from access maintenance to disruption readiness. A Dragos‑profiled set of state‑linked teams exfiltrated engineering files, mapped control loops, and tested wiper and firmware‑corruption techniques, with one late‑2025 action in Poland destroying HMI data and corrupting device firmware across distributed energy resources. Visibility remains thin — under 10% of OT networks have monitoring, and most asset owners lack clear investigation thresholds. Reporting via CSOonline. In parallel, BleepingComputer covered a China‑linked campaign against South American telcos using three new malware families, including a multi‑arch Linux backdoor that leverages BitTorrent for peer‑to‑peer command‑and‑control and tooling to conscript hosts into brute‑force relays — raising risks of covert proxying and service disruption at the network edge. Why it matters: both reports emphasize edge and embedded systems as durable footholds with outsized operational impact.

GTIG cataloged 90 in‑the‑wild zero‑days in 2025, with a record 48% hitting enterprise technologies — roughly half in security and networking products with limited host visibility. End‑user platforms accounted for 52%, with operating systems most targeted; mobile exploitation rebounded to 15 zero‑days. GTIG attributes an expanding share to commercial surveillance vendors and documents technique shifts, from chaining n‑days with zero‑days on appliances to exploiting GPU/driver memory bugs to escape sandboxes. The guidance centers on architectural hardening, asset inventory, rapid patching, and defined response when patches lag.

On operations, a court‑authorized action seized 330 domains supporting the Tycoon2FA phishing‑as‑a‑service, which captured credentials, MFA codes, and session cookies via reverse‑proxy techniques and short‑lived subdomains. Microsoft‑led disruption, coordinated with Europol and several partners, is linked to tens of thousands of incidents and more than 30 million blocked emails in a single month at its peak. Coverage: CSOonline. Separately, reports describe an Israeli operation that penetrated Iranian traffic camera networks to support targeting, illustrating how civilian surveillance systems can be repurposed when defaults, exposed interfaces, and unpatched firmware expand the attack surface; analysts urge basic hygiene — strong authentication, timely updates, segmentation, monitoring. Source: Schneier.

Mobile users also face a broad iOS exploitation framework. Infosecurity details “Coruna,” which bundles five full exploit chains and 23 vulnerabilities to target iOS 13.0–17.2.1, profiling devices to select web‑based chains and deploying a payload that prioritizes financial data theft. Google has added related domains to Safe Browsing and advises updating to the latest iOS release or enabling Lockdown Mode where updates are not possible.