ThreatsDay Bulletin: OpenSSL RCE, Foxit 0-Days, and Ransomware Surges


These articles are AI-generated summaries. Please check the original sources for full details.

ThreatsDay Bulletin: OpenSSL RCE, Foxit 0-Days, Copilot Leak, AI Password Flaws & 20+ Stories

The cybersecurity landscape in February 2026 is marked by a 49% surge in industrial ransomware groups and the discovery of critical RCE vulnerabilities in OpenSSL. Threat actors are increasingly weaponizing legitimate Remote Monitoring and Management (RMM) tools, which saw a 277% increase in abuse year-over-year according to Huntress. This shift indicates a move away from traditional hacking tools toward living-off-the-land tactics in enterprise environments.

Why This Matters

The technical reality reveals a widening gap between idealized security models—such as Data Loss Prevention (DLP) policies and Kerberos delegation—and their actual implementation in production environments. For example, Microsoft 365 Copilot bypassed DLP safeguards to summarize confidential ‘Sent Items’ for weeks, while the discovery that Kerberos delegation applies to machine accounts exposes domain controllers to unauthorized administrative actions. These failures demonstrate that even trusted platforms and protocols harbor architectural blind spots that attackers are now actively exploiting at scale.

Key Insights

  • Industrial ransomware targeting surged 49% in 2025, hitting 3,300 organizations globally according to Dragos.
  • OpenSSL patched CVE-2025-15467, a stack buffer overflow in CMS data processing that allows remote code execution via maliciously crafted AEAD parameters.
  • RMM software abuse increased by 277% year-over-year, now accounting for 24% of all observed incidents per Huntress (2026).
  • ClickFix social engineering fueled 53% of all malware loader activity in 2025, according to Huntress data.
  • Phobos ransomware affiliates have extorted over $16 million from more than 1,000 organizations globally using RaaS models.
  • New research by Irregular confirms LLM-generated passwords lack true randomness, as models are optimized for predictability rather than secure sampling.
  • Ivanti Endpoint Manager Mobile (EPMM) vulnerabilities CVE-2026-1281 and CVE-2026-1340 allow unauthenticated RCE on MDM infrastructure.

Working Examples

Example command to mitigate Kerberos delegation risk for a sensitive machine account: it sets the "Account is sensitive and cannot be delegated" flag, so a service trusted for delegation cannot impersonate this account.

# Single quotes keep the trailing '$' of the computer SamAccountName literal
Set-ADAccountControl -Identity 'HOST01$' -AccountNotDelegated $true
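The one-off command above does not tell you which accounts still need it. The following audit-and-remediate function is an added example, not code from the bulletin or its sources; it assumes the RSAT ActiveDirectory module, rights to read and modify the accounts, and a hypothetical list of sensitive hosts ('HOST01$', 'HOST02') that you would replace with your own Tier 0 systems.

```powershell
# Added example (not from the bulletin): report whether each sensitive machine
# account carries the "cannot be delegated" flag, and set it only on request.
# Assumes the ActiveDirectory RSAT module; host names below are hypothetical.
#Requires -Modules ActiveDirectory

function Test-SensitiveMachineDelegation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Hypothetical list; replace with the machine accounts you consider Tier 0.
        [Parameter(Mandatory)]
        [string[]]$ComputerName,

        # Without this switch the function only reports; with it, missing flags are set.
        [switch]$Remediate
    )

    foreach ($name in $ComputerName) {
        # Computer SamAccountNames end in '$'; the backtick keeps that '$' literal.
        $sam  = if ($name.EndsWith('$')) { $name } else { "$name`$" }
        $acct = Get-ADComputer -Filter "SamAccountName -eq '$sam'" `
                    -Properties AccountNotDelegated, TrustedForDelegation, 'msDS-AllowedToDelegateTo'
        if (-not $acct) {
            Write-Warning "Account not found: $sam"
            continue
        }

        $result = [pscustomobject]@{
            Account                 = $acct.SamAccountName
            NotDelegated            = [bool]$acct.AccountNotDelegated        # the flag we want set
            UnconstrainedDelegation = [bool]$acct.TrustedForDelegation       # risky if also true
            ConstrainedTargets      = @($acct.'msDS-AllowedToDelegateTo') -join ';'
            Action                  = 'none'
        }

        if (-not $result.NotDelegated -and $Remediate) {
            # ShouldProcess honours -WhatIf / -Confirm so the change can be previewed first.
            if ($PSCmdlet.ShouldProcess($acct.SamAccountName, 'Set AccountNotDelegated')) {
                Set-ADAccountControl -Identity $acct -AccountNotDelegated $true
                $result.Action = 'flag set'
            }
        }
        $result
    }
}

# Report first; add -Remediate -WhatIf to preview, then -Remediate to apply.
Test-SensitiveMachineDelegation -ComputerName 'HOST01$', 'HOST02' | Format-Table -AutoSize
```

Review the UnconstrainedDelegation and ConstrainedTargets columns as well: a sensitive host that is itself trusted for delegation is a separate finding that this flag does not address.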

Practical Applications

  • Use Case: Organizations should audit Ivanti EPMM systems for IoCs dating back to July 2025 to detect persistent backdoors. Pitfall: Applying patches without forensic auditing can leave dormant JSP web shells active on MDM infrastructure.
  • Use Case: Developers must use cryptographically secure random number generators instead of LLM-generated passwords for code development. Pitfall: Relying on AI coding agents for credentials leads to predictable, non-random strings vulnerable to token prediction attacks.
  • Use Case: Enterprises using Android 17 must migrate to Network Security Configuration files to manage encrypted traffic. Pitfall: Relying on the deprecated ‘usesCleartextTraffic=true’ attribute will result in blocked cleartext traffic by default for apps targeting the new SDK.
  • Use Case: Administrators should implement DKIM replay protection to prevent attackers from forwarding legitimate vendor-generated invoices with malicious custom notes. Pitfall: Over-reliance on DMARC checks alone can allow forwarded scam instructions from trusted domains like PayPal to reach users.
