From BRICKSTORM to GRIMBOLT: UNC6201 Exploiting a Dell RecoverPoint for Virtual Machines Zero-Day
Google’s threat intel team says a suspected PRC-nexus cluster (UNC6201) has been exploiting a Dell RecoverPoint for Virtual Machines zero-day (CVE-2026-22769, CVSS 10.0) since at least mid-2024. The write-up ties exploitation to lateral movement, persistence, and multiple malware families, including BRICKSTORM and a newly tracked backdoor. If you run RecoverPoint for VMs, treat this as an “assume compromise” risk and prioritize patching, scoping, and hunting for the IOCs/TTPs they list.
Microsoft says Office bug exposed customers’ confidential emails to Copilot AI
Microsoft confirmed a bug that let Copilot Chat summarize email content even when messages were labeled confidential and protected by DLP controls, according to reporting that cites Microsoft’s own issue tracking. The key takeaway is that sensitivity labels plus DLP did not behave as admins expected, which matters if you’re relying on those controls to gate AI access to regulated or confidential data. Microsoft says it started rolling out a fix in early February and is monitoring the deployment. This is also a good prompt to review your Copilot data boundaries and test them, not just assume policy equals enforcement.
Critical infra Honeywell CCTVs vulnerable to auth bypass flaw
CISA warned about a critical Honeywell CCTV issue (CVE-2026-1670, CVSS 9.8) where an unauthenticated attacker can abuse an exposed API endpoint to change the password-recovery email, enabling account takeover and access to camera feeds. The impacted models appear to be common in SMB and commercial deployments, including environments that may be considered critical facilities. Even if there’s no confirmed public exploitation yet, this is the kind of bug that gets commoditized fast. Inventory these devices, restrict management interfaces, and get vendor patch guidance in writing.
Massiv: When your IPTV app terminates your savings
ThreatFabric details a new Android banking trojan, Massiv, being distributed via sideloaded IPTV-themed apps and used for device-takeover (DTO)-style fraud. The report highlights remote-control capabilities (including accessibility abuse), overlays, keylogging, and interception to steal credentials and drive fraudulent transactions. They describe targeted campaigns in southern Europe and note the broader trend of malware masquerading as IPTV apps because users already expect those to be installed outside official stores. The practical takeaway is the familiar one: sideloading plus accessibility permissions is a high-risk combo you should message loudly to users.
Password managers less secure than promised
ETH Zurich researchers say that “zero-knowledge encryption” marketing claims can break down under a malicious-server threat model for several popular cloud password managers. In their testing, they were able to view and even modify stored passwords by having the server behave dishonestly during normal client interactions like login, vault open, and sync. They attribute much of the exposure to complexity, especially around recovery and sharing features, and they note they gave vendors time to address issues before publication. This is worth reading as a reminder that your threat model matters, and that server-side compromise can still be catastrophic even with strong client crypto claims.
Phobos ransomware affiliate arrested in Poland
Poland’s cybercrime bureau (CBZC) detained a 47-year-old suspect tied to the Phobos ransomware ecosystem, as part of a Europol-coordinated effort. Reporting says investigators seized devices and found data such as credentials, passwords, credit card numbers, and server IPs, and that the suspect used encrypted messaging to communicate with the group. This is another example of pressure landing on affiliates and operators, not just infrastructure. Expect more follow-on actions and opportunistic copycats using the Phobos brand as law enforcement disruption continues.
Deutsche Bahn back on track after DDoS yanks the brakes
Deutsche Bahn said a DDoS attack disrupted its booking and timetable systems, impacting the website and mobile app in waves before services were restored with temporary limitations. Public details on attribution are thin, but the incident is a useful reminder that availability attacks still create real-world disruption even without data theft. For orgs with customer-facing portals, this is a good moment to sanity-check your DDoS posture: upstream protections, rate limits, failover, and what your comms plan looks like when core digital channels are degraded.