InfoSec Briefing - February 11, 2026

🎧 Audio Briefing

Playback Speed:

Good morning. This is your security briefing for Tuesday, February 10, 2026. We analyzed 5 articles covering a significant energy sector attack in Poland, active Ivanti exploitation, AI-generated malware, and vulnerability management guidance. All attribution is by the article authors. All article analysis is automated.

According to reports from Midnight Blue and the Cybersecurity and Infrastructure Security Agency, coordinated cyberattacks in December 2025 targeted Poland's energy sector, affecting over 30 renewable energy facilities, a power plant, and a manufacturing facility. The attackers exploited CVE-2024-8036 variants and vulnerable internet-facing devices to deploy wiper malware and bricking tactics against operational technology systems, permanently disabling Hitachi Relion 650 IEDs, Hitachi RTU560 controllers, and Mikronika RTUs through soft-bricking and hard-bricking techniques. The incident exposed critical security gaps including lack of firmware verification capabilities and use of default credentials, requiring physical device replacement rather than remote recovery.

GreyNoise Research reports that active exploitation of Ivanti EPMM vulnerabilities CVE-2026-1281 and CVE-2026-1340 is being driven primarily by a single bulletproof IP address at 193.24.123.42. Attackers are using OAST DNS callbacks to confirm command execution and deploying dormant in-memory sleeper shells, techniques consistent with initial access brokers, while published indicators of compromise are widely misattributed to Oracle WebLogic scanning, creating significant detection gaps.

Ontinue has identified VoidLink, a sophisticated Linux command and control implant that appears to be AI-generated using Large Language Models, targeting multi-cloud environments including AWS, GCP, Alibaba Cloud, and Tencent Cloud. The malware features credential theft capabilities for SSH keys, Git credentials, browser data, and Kubernetes service account tokens, combined with kernel-level rootkit persistence mechanisms, significantly lowering the technical barrier for creating advanced, hard-to-detect threats.

The National Cyber Security Centre has published guidance advising vulnerability researchers, developers, and organizations to improve vulnerability management by learning from past vulnerabilities and addressing their root causes. The guidance emphasizes preventing reintroduction of similar vulnerabilities by assessing ease of mitigation implementation and adapting processes to identify common vulnerability patterns.

That concludes today's briefing.

📰 Articles Covered

On the risk of destructive bricking attacks against OT devices (part 1) - Midnight Blue

On December 29th, 2025, a series of coordinated cyberattacks targeted Poland's electric grid, impacting at least 30 wind and solar farms, as well as a combined heat and power plant 【1】. The attackers utilized a "bricking" tactic, rendering critical Operational Technology (OT) devices inoperable by exploiting a variant of CVE-2024-8036 【1】.

**Who is Affected:**
The attack specifically affected OT devices, including **Hitachi Relion 650 IEDs**, **Hitachi RTU560 controllers**, and **Mikronika RTUs** 【1】. While Moxa NPort 6000 series devices were compromised and reconfigured, they were not bricked 【1】.

**Security Implications:**
The primary security implication is the severe disruption caused by bricked devices. Unlike conventional wiper attacks, bricked devices cannot be recovered remotely and often necessitate physical replacement, leading to extended operational downtime that can last for weeks or months 【1】. This prolonged downtime is exacerbated by the scarcity of spare OT devices and the intricate commissioning processes involved 【1】. Bricking serves as a potent attack amplification strategy, escalating the impact of cyber-physical attacks from hours to weeks 【1】.

**Technical Details:**
The attackers achieved bricking through several methods:
- **Soft-bricking:** This involved deleting essential files on the affected devices 【1】.
- **Hard-bricking:** This was accomplished by uploading malicious firmware 【1】.
- Other potential methods include wiping storage media, malicious firmware updates, or flash cycle exhaustion 【1】.

Recovery from a hard brick typically requires returning the device to the manufacturer or employing invasive methods like JTAG. Soft-bricked devices may be recoverable through local interfaces 【1】.

**What Defenders Should Know:**
Defenders need to be aware that bricking is an advanced tactic that can significantly amplify the impact of cyber-physical attacks 【1】. It is crucial to understand that bricked devices often require physical intervention and can lead to prolonged outages 【1】. Robust security measures are essential in OT environments to mitigate the risk of such attacks 【1】. Defenders should also be prepared for the possibility that recovery might involve complex procedures, including manufacturer involvement or direct hardware manipulation 【1】.
Poland Energy Sector Cyber Incident Highlights OT and ICS Security Gaps - Cybersecurity and Infrastructure Security Agency (CISA)

In December 2025, a cyber incident impacted Poland's energy sector, specifically targeting **operational technology (OT) and industrial control systems (ICS)** 【1】.

**What Happened:**
Malicious actors gained initial access by exploiting **vulnerable internet-facing edge devices**. They then deployed **wiper malware** that caused significant damage. This malware corrupted data on **human machine interfaces (HMIs)**, destroyed data on **remote terminal units (RTUs)**, and damaged the **firmware of OT devices** 【1】. The attack resulted in a loss of communication and control between facilities and distribution system operators 【1】.

**Who is Affected:**
The incident affected **renewable energy plants, a combined heat and power plant, and a manufacturing sector company** within Poland's energy sector 【1】.

**Security Implications:**
This incident underscores the critical need for **enhanced cybersecurity measures** among energy sector stakeholders and critical infrastructure entities, particularly those with vulnerable edge devices 【1】. It highlights the susceptibility of OT devices to permanent damage if they lack firmware verification capabilities 【1】.

**Technical Details:**
- **Initial Access:** Exploitation of vulnerable internet-facing edge devices 【1】.
- **Malware:** Deployment of wiper malware 【1】.
- **Impact:** Damage to RTUs, destruction of data on HMIs, and corruption of OT device firmware 【1】.
- **Consequence:** Loss of view and control between facilities and operators 【1】.

**What Defenders Should Know:**
- **Vulnerable edge devices** are a primary target for attackers 【1】.
- **OT devices without firmware verification** are susceptible to permanent damage 【1】.
- **Default credentials** represent a significant vulnerability 【1】.
- **Recommendations for defenders** include:
- Prioritizing updates for firmware verification 【1】.
- Ensuring incident response plans can accommodate inoperative OT devices 【1】.
- Immediately changing default passwords and enforcing password change requirements for integrators and suppliers 【1】.
Active Ivanti Exploitation Traced to Single Bulletproof IP—Published IOC Lists Point Elsewhere - GreyNoise Research

A cybersecurity article details the active exploitation of two critical vulnerabilities in **Ivanti Endpoint Manager Mobile (EPMM)**: **CVE-2026-1281** and **CVE-2026-1340** 【1】.

**What Happened:**
The exploitation campaign is primarily driven by a single IP address (193.24.123.42) associated with bulletproof infrastructure. This indicates a focused and potentially sophisticated attack. The attackers are using Out-of-Band Application Security Testing (OAST) DNS callbacks to confirm command execution, a technique often used by initial access brokers to identify and catalog vulnerable systems for future exploitation. Additionally, dormant in-memory sleeper shells have been observed, meaning compromised systems may not exhibit immediate signs of malicious activity 【1】.

**Who is Affected:**
**Organizations using Ivanti EPMM**, particularly those with unpatched and internet-facing instances, are at risk 【1】.

**Security Implications:**
The exploitation highlights a significant issue with relying solely on published Indicators of Compromise (IOCs), as many shared IOCs for this campaign are misattributed to Oracle WebLogic scanning, potentially causing defenders to overlook the actual threat targeting Ivanti 【1】. This creates a confidence problem in IOC-based defenses and can lead to detection gaps. The presence of dormant implants poses a long-term risk to affected systems 【1】.

**Technical Details:**
- **Exploited Vulnerabilities:** CVE-2026-1281 and CVE-2026-1340 in Ivanti EPMM 【1】.
- **Primary Attacker IP:** 193.24.123.42, hosted on PROSPERO OOO (AS200593) 【1】.
- **Exploitation Technique:** Use of OAST DNS callbacks for command execution verification 【1】.
- **Malware Observed:** Dormant in-memory sleeper shells 【1】.
- **Suspicious Path:** The `/mifs/403.jsp` path is associated with the sleeper shell 【1】.

**What Defenders Should Know:**
- **Block the Attacker's Infrastructure:** Block the PROSPERO OOO autonomous system (AS200593) 【1】.
- **Monitor DNS Logs:** Look for OAST DNS callbacks, which can indicate command verification 【1】.
- **Investigate System Activity:** Monitor for the presence of the `/mifs/403.jsp` sleeper shell path 【1】.
- **Consider Server Restarts:** Restarting EPMM application servers may help clear in-memory implants 【1】.
- **Audit Exposure:** Security leadership should audit the exposure of their Mobile Device Management (MDM) infrastructure 【1】.
- **Evaluate IOC Workflows:** Assess how IOCs are ingested and utilized to ensure accuracy 【1】.
- **Immediate Patching:** Administrators must apply the relevant patches immediately 【1】.
- **Investigate Unpatched Systems:** If instances were unpatched and internet-facing during the exposure window, investigate for indicators of compromise 【1】.
VoidLink: Dissecting an AI-Generated C2 Implant - www.ontinue.com

**VoidLink** is a sophisticated Linux C2 (Command and Control) implant that demonstrates the growing trend of AI-generated malware. Its design and capabilities suggest it was created using a Large Language Model (LLM) coding agent, significantly lowering the barrier to entry for developing advanced, hard-to-detect malware 【1】.

**What Happened:**
VoidLink is a Linux C2 framework that generates implant binaries for deployment in cloud and enterprise environments. The "agent" component of VoidLink is designed for persistent access, credential theft, and data exfiltration. Evidence suggests the implant was generated by an AI coding agent, indicated by structured "Phase X:" labels, verbose debug logging, and documentation patterns left within the production binary, implying minimal human review 【1】.

**Who is Affected:**
VoidLink is designed to target **multiple cloud providers**, including **Amazon Web Services (AWS)**, **Google Cloud Platform (GCP)**, **Alibaba Cloud**, and **Tencent Cloud**. It also targets credentials stored locally on systems, such as SSH keys, Git credentials, shell history, and browser data. Furthermore, it can exploit **Kubernetes** environments by accessing service account tokens and namespace information 【1】.

**Security Implications:**
The primary security implication is the **reduced skill barrier for creating advanced malware**. VoidLink combines multi-cloud targeting, container awareness, and kernel-level stealth, making it a potent threat that is difficult to detect and remove 【1】. Its ability to harvest credentials across various platforms and maintain persistence through kernel-level rootkit capabilities poses a significant risk to organizations operating in cloud environments. The AI-generated nature means such implants can be developed and deployed faster than traditional malware 【1】.

**Technical Details:**
- **Language:** The implant is written in **Zig** 【1】.
- **Architecture:** It is a **Linux ELF64 Executable** for x86-64 architecture 【1】.
- **Stealth Capabilities:** VoidLink employs adaptive rootkit functionality based on the detected kernel version:
- **Kernel ≥ 5.5:** Uses eBPF for system call interception (hide\_ss.bpf.o) 【1】.
- **Kernel 4.x – 5.x:** Utilizes Loadable Kernel Modules (LKM) (vl\_stealth.ko, stealth\_netstat.ko) 【1】.
- **Kernel < 4.0:** Leverages LD\_PRELOAD for userland hooking 【1】.
The rootkit can also dynamically hide specific ports, processes, and files 【1】.
- **Credential Harvesting:** It targets cloud environment variables (AWS, GCP), local credential stores (SSH keys, Git, shell history, browser data), and Kubernetes secrets 【1】.
- **Cloud Fingerprinting:** Queries metadata APIs (e.g., 169.254.169.254) to identify the cloud provider, region, instance ID, and type, adapting its behavior accordingly 【1】.
- **Command and Control (C2):**
- Uses **AES-256-GCM encryption** over **HTTPS** 【1】.
- Communications are disguised as normal web traffic, mimicking legitimate API endpoints 【1】.
- A hard-coded C2 IP address of `8.149.128.10` has been identified 【1】.
- **Container Awareness:** The implant is designed to escape container boundaries and exploit Kubernetes 【1】.
- **Entropy:** The binary exhibits high entropy (7.24/8.0), indicating it is packed or encrypted 【1】.

**What Defenders Should Know:**
Defenders should be aware that **AI-generated malware like VoidLink is becoming more prevalent and sophisticated** 【1】. Organizations need to enhance their detection capabilities to identify implants that exhibit characteristics of AI-generated code, such as unusual code structures, verbose logging, and embedded documentation 【1】.

Key defensive considerations include:
- **Multi-Cloud Security:** Implement robust security measures across all cloud environments targeted by VoidLink (AWS, GCP, Alibaba, Tencent) 【1】.
- **Endpoint Detection and Response (EDR):** Deploy EDR solutions capable of detecting kernel-level rootkits and advanced stealth techniques 【1】.
- **Network Monitoring:** Scrutinize network traffic for C2 communications disguised as legitimate HTTPS traffic 【1】.
- **Credential Hygiene:** Enforce strong credential management practices and monitor for unauthorized access attempts to cloud credentials and local secrets 【1】.
- **Container Security:** Strengthen security within containerized environments and Kubernetes clusters to prevent exploitation 【1】.
- **Threat Intelligence:** Stay updated on emerging threats and malware development trends, particularly those involving AI-powered tools 【1】.
Improving your response to vulnerability management - National Cyber Security Centre (NCSC)

This article from the NCSC.GOV.UK discusses improving the response to **vulnerability management** by focusing on retaining and applying lessons learned from past vulnerabilities to prevent future occurrences. The core idea is to reframe "unforgivable vulnerabilities" by assessing the **ease of implementation for mitigations**, considering factors like technical feasibility, cost, and required knowledge. The ultimate aim is to adapt processes to identify and fix vulnerabilities with common root causes, thereby preventing their reintroduction into future products and services.

**Who is affected:**
The advice is relevant to **vulnerability researchers, developers, and organizations** involved in managing vulnerabilities.

**Security implications:**
The article emphasizes that learning from mistakes in vulnerability management can **reduce harm, exposure, and reputational risk** for organizations. By addressing common root causes, the reintroduction of vulnerabilities can be prevented, leading to a more secure ecosystem.

**Technical details:**
While the article doesn't delve into specific technical vulnerabilities, it focuses on the **process of vulnerability management**. It advocates for maturing these frameworks by identifying and mitigating the root causes of vulnerabilities.

**What defenders should know:**
Defenders should implement **robust vulnerability management processes**. A key takeaway is the importance of **learning from past vulnerabilities** by identifying and mitigating their underlying root causes to prevent recurrence.