Archive for Fortra

New Attack Campaign Weaponizes Trusted Datto RMM, Leaving Businesses Blind to Full Remote Takeover

Posted in Commentary on April 9, 2026 by itnerd

Fortra Intelligence and Research Experts (FIRE) are tracking a previously unseen threat campaign abusing Datto’s legitimate RMM platform as a stealthy command‑and‑control channel. By routing attacker traffic through the legitimate Datto infrastructure, threat actors gain full, persistent remote access to victim systems while evading standard network and endpoint defenses.

For businesses, the impact could be severe: undetected access enables data theft, lateral movement, and ransomware staging, all masked as normal IT activity. The campaign is actively maintained, uses weekly‑recompiled malware, and underscores a growing risk – attackers weaponizing trusted enterprise tools to make compromise effectively invisible.

You can read the details here: https://www.fortra.com/blog/fortra-discovers-datto-living-land-binary

Fortra Acquires Zero-Point Security

Posted in Commentary on April 2, 2026 by itnerd

Fortra announced today the acquisition of Zero-Point Security, a specialized cybersecurity training firm based in Warrington, UK. This will expand Fortra’s offensive security education capabilities, bringing additional training expertise in red team operations, adversary emulation, and penetration testing. Zero‑Point Security is widely recognized for its trusted red team operations training and has built a strong reputation delivering its high-demand, self-paced courses to individuals and businesses seeking advanced offensive operations skills.

Zero-Point Security’s well-known courses include Red Team Operations I and II, which meet the high standards to be certified by the Council of Registered Ethical Security Testers (CREST). Successful completion of these programs helps participants achieve Certified Red Team Operator (CRTO) status, an industry-respected credential that validates expertise in offensive security techniques.

Further details and timelines will follow.

GhostPoster, and Why Browser Extensions Are Your Next Major Blind Spot

Posted in Commentary on March 17, 2026 by itnerd

Browser extensions have quietly become one of the more dangerous and overlooked attack surfaces within the enterprise. Fortra Intelligence and Research Experts (FIRE) have released a new Browser Extension Threat Guide that breaks down why this risk is escalating and what security teams need to do now to close the gap.

This in‑depth guide covers:

  • A deep forensic analysis of the GhostPoster campaign, including staged payloads, obfuscation techniques, and real-world impact.
  • How modern extension malware evades EDR by hiding inside legitimate browser processes and abusing trusted APIs.
  • Actionable detection and threat hunting playbooks focused on manifest analysis, sideloading identification, and high‑risk behaviors.
  • Clear mitigation strategies, including extension governance, default‑deny controls, and browser-layer security recommendations.

If extensions aren’t already on your threat model, this guide will show you why they need to be. You can access it here: https://www.fortra.com/resources/guides/browser-extension-threat-guide

March Patch Tuesday Commentary From Fortra

Posted in Commentary on March 10, 2026 by itnerd

By Tyler Reguly, Associate Director, Security R&D, Fortra

I’m sure that everyone will be talking about CVE-2026-26118 today. After all, it contains those magical three letters MCP – Must Create Panic! The old adage has changed a little these days to become, “AI sells,” so that’s what everyone needs to talk about. The reality is that there’s an update available, this was never publicly disclosed, and Microsoft lists exploitation as less likely. So, instead of trying to create panic, I’m going to keep a level head and say that this is a great reminder for all CSOs to make sure they know how AI is being used within their organization. Instead of worrying about a single CVE that we don’t really need to talk about, look at your organization’s AI policy, look at your tooling, and look at how your data is flowing. If you know that, you’re fine. If not, shadow AI might be the actual reason that you need to panic, and that’s not a Patch Tuesday thing, that’s just an everyday thing.

Let’s agree to call this the month of no 0-days. I’m sure some people will try to call the two publicly disclosed vulnerabilities 0-days, but they’re wrong… and let’s just leave it at that. Instead, let’s talk about how even the publicly disclosed vulnerabilities are pretty much nothingburgers this month. We have CVE-2026-21262, which is a privilege escalation in SQL Server, but you have to already be an authenticated SQL user to exploit this. The other, CVE-2026-26127, is a .NET denial of service. Neither of these is very important. Neither of them should stress anybody out.

In total this month, we have 83 Microsoft CVEs and 10 non-Microsoft CVEs and I don’t see a lot of reasons for people to stress. The only CVE above an 8.8 is CVE-2026-21536, a 9.8 in Microsoft Devices Pricing Program, a vulnerability that is marked as no customer action required because it is already updated. The messaging this month should be, “Apply your patches after you finish your testing cycles.” There’s nothing that requires rushing patches, nothing that requires panic… this is just a nice, quiet Patch Tuesday (and I definitely won’t regret using the Q-word).

The only thing that people may want to pay close attention to is the Azure vulnerabilities. As I’ve mentioned before, the cloud ecosystem doesn’t really handle patching well… it’s a relatively immature process, and the way that Microsoft handles these products really demonstrates that. The CVE impacting Azure Linux Virtual Machines (CVE-2026-23665) and the multiple CVEs impacting Azure IoT Explorer require pretty non-standard patching mechanisms, and those may require a little additional effort from IT teams. CSOs should ensure that they have solid asset inventories around the deployment of cloud-related systems and tools, so that admins know where these things exist and when they need to be fixed. This is the best way to empower your sysadmins and security teams on a quiet month like this.

Threat Actors Abuse GitHub Notifications to Deliver Vishing Attacks 

Posted in Commentary on March 9, 2026 by itnerd

The Fortra Intelligence and Research Experts (FIRE) team have uncovered a new phishing tactic that abuses legitimate GitHub notification emails to deliver vishing scams. The research shows how attackers are using trusted infrastructure to get malicious messages into inboxes.

Key findings:

  • Attackers hide vishing lures in GitHub commit messages, which generate legitimate notification emails from noreply@github.com.
  • Researchers say this is the first observed use of GitHub commit messages to distribute vishing scams.
  • Notifications are forwarded through Microsoft 365, helping the messages pass authentication checks and evade filters.
  • The lures impersonate brands such as PayPal and Norton and urge victims to call fake support numbers.

The report is published here: https://www.fortra.com/blog/threat-actors-abuse-github-notifications-to-deliver-vishing-attacks

The AI Caricature Trend Has Security Teams Paying Attention

Posted in Commentary on February 11, 2026 by itnerd

The viral Instagram “AI work caricature” trend is exposing a serious shadow AI risk. By prompting ChatGPT to create job-based caricatures and posting the results publicly, users are unintentionally signaling their access to sensitive systems, their use of public LLMs for work, and potential data leakage in prompts. Millions of these posts are tied to real profiles, helping threat actors identify high‑value targets and candidates for LLM exploitation via prompt injection or jailbreaking.

This seemingly harmless trend is a roadmap for targeted cyber and data‑exfiltration attacks.

Fortra cybersecurity expert Josh Davies has just published an article outlining these risks, which you can read here: https://www.fortra.com/blog/what-can-ai-work-caricature-trend-teach-us-about-risks-shadow-ai

UPDATE: Reinforcing that this is a top-of-mind issue at the moment, Bob Long, President, Americas at Daon had this comment:

“Preventing identity fraud on the internet can be a serious challenge. Everyone knows that it’s vital not to share high-value personal information like your social security number or credit card information, but that is just a start to truly protecting your identity. There are multiple ways that bad actors take advantage of people in order to break into their accounts. Stealing your login information through a data breach is just the most visible method of attack. The most common is something most people don’t even see until after their information is compromised—social engineering. Social engineering is a broad term for a number of methods of luring people into handing over their login credentials willingly. Phishing is the most well known of these techniques, but there are many others. One thing they all have in common is the more a fraudster knows about their target, the easier it is to fool them.

That’s where things like the new trend of having Generative AI create a caricature of you based on everything it knows about you moves from being a fun exercise to a security threat. By creating one of these images and posting it on social media, you are doing fraudsters’ work for them—giving them a visual representation of who you are. This is literally the modern version of the “40 things about me” posts that used to be popular on social channels, creating a quick-access, public record of who you are so people with bad intentions can exploit it. The fact that it explicitly prompts AI to include everything it knows about you makes it sound like it was intentionally started by a fraudster looking to make their job easy. It not only tells them a lot about the person, but it tells them which people have a lot of accessible information and which don’t. Until all businesses move away from passwords and other knowledge-based forms of authentication, people will need to remain vigilant about what information about them is publicly available.

Of course, the argument against giving your image to Generative AI also stands. Unless you know, for certain, what will be done with that image outside of providing the requested output, you are at risk of your image being used for anything from training AI image generators to populating less-than-legal tracking software. Sharing personal information, including your image, with AI should only be done when you know and trust the organization making the request.”

February Patch Tuesday Commentary From Fortra

Posted in Commentary on February 10, 2026 by itnerd

By Tyler Reguly, Associate Director, Security R&D, Fortra

On first pass, this month looks pretty reasonable – 60 CVEs, including one assigned by the Chrome CNA. When you look a little more closely, you start to realize that there is a lot going on here. February can be a bit of a cold, dull month, but Microsoft has decided to heat things up a bit. The good news: there aren’t a lot of CVEs to deal with. The bad news: there’s actually a lot to unpack here.

We can’t ignore the fact that there are 6 actively exploited vulnerabilities included in this month’s patch drop. 10% of this month’s vulnerabilities are listed by Microsoft as exploit detected. That’s a significant portion of them.

There’s some common language in there too, with vulnerabilities impacting Windows Shell (CVE-2026-21510), MSHTML Framework (CVE-2026-21513), and Microsoft Word (CVE-2026-21514) all including the words ‘security feature bypass.’ Similarly, two of these vulnerabilities – CVE-2026-21519 in Desktop Window Manager and CVE-2026-21533 in Windows Remote Desktop Services – both allow elevation of privilege to SYSTEM. The odd vulnerability out in this list is the Windows Remote Access Connection Manager vulnerability (CVE-2026-21525) because it is a local denial of service, something that Microsoft often rejects – refusing to assign CVEs and issue patches for these types of vulnerabilities on a regular basis.

The upside to this many actively exploited vulnerabilities? They are easy to resolve with regular Microsoft patches for Windows and Office, and none of them require any post-patch configuration steps.

If I’m a CSO this month, I’m less concerned about what my desktop and server security teams are patching and more concerned with my cloud ops teams. Sure, there are a lot of actively exploited vulnerabilities, but the normal patching process will resolve those. The 10 Azure CVEs representing 16.6% of the CVEs released this month are what I would be concerned about. While 3 of these (CVE-2026-21532, CVE-2026-24300, and CVE-2026-24302) are all marked as ‘No Customer Action Required,’ I’d still want to ensure that there was no evidence of issues in my cloud (or cloud adjacent) environments. For the other 7 CVEs, however, I’d hope that my team is looking closely at the variety of fixes that need to be performed to upgrade my environment.

It’s rather amusing to me to watch as we migrate everything to the cloud. With on-prem deployments, the vulnerability resolution process is mature – we know what patches look like, how to find unpatched software, and how to roll out the standard patch to multiple systems. With the cloud, we rely on scripts, full app replacements, and manual configuration to resolve a lot of the vulnerabilities. This puts a lot more pressure on the cloud ops team to fix these as well as the development teams that may be utilizing the related SDKs. This shifts the responsibility for maintaining systems away from traditional vulnerability management programs and may present headaches to CSOs trying to inventory and track the usage of these components in their environments.

LevelBlue and Fortra Launch Strategic Managed Services Partnership to Accelerate Cybersecurity Innovation

Posted in Commentary on January 27, 2026 by itnerd

LevelBlue, the world’s largest pure-play provider of managed security services, today announced a strategic partnership with Fortra, a global leader in cybersecurity solutions. This collaboration integrates Fortra’s best-in-class solutions with LevelBlue’s elite managed services, delivering a comprehensive security offering designed to combat the evolving threat landscape.

The partnership marks a major milestone in LevelBlue’s mission to deliver world-class, proactive cybersecurity and secure what’s next for its clients, while also representing a significant step forward in Fortra’s evolution as a channel-first company focused on empowering resellers, service providers, and distributors to deliver its solutions.

As part of this long-term partnership, LevelBlue will acquire the managed services of Fortra’s Alert Logic Managed Detection and Response (MDR), Extended Detection and Response (XDR), and Web Application Firewall (WAF) solutions. LevelBlue’s expanded MDR platform, strengthened through recent acquisitions, will provide Alert Logic’s client base with access to a larger global footprint, broader threat telemetry, and accelerated detection and response across complex environments. In parallel, Fortra will become one of LevelBlue’s leading cybersecurity partners, making its best-in-class software and platforms available to LevelBlue’s global client base.

Fortra’s technologies complement and extend LevelBlue’s existing strengths across data security, brand protection, email security, and offensive security, adding additional depth, optionality, and specialization for LevelBlue clients. Together, LevelBlue and Fortra will provide clients with greater choice, broader coverage across the attack surface, and improved security outcomes, all delivered through LevelBlue’s managed services model.

This partnership further reinforces LevelBlue’s position as the global pure-play leader in MDR and managed cybersecurity services, while underscoring Fortra’s role as a global leader in cybersecurity software and solutions. Following the launch of Fortra’s new partner program, Fortra Protect, last year, the partnership with LevelBlue further illustrates Fortra’s commitment to work with the world’s best service providers and channel experts to serve cyber clients.

LevelBlue, an innovator in cloud-based, AI-driven managed security services, continues to expand its leadership as the world’s largest pure-play MSSP, offering one of the most comprehensive portfolios spanning managed security, offensive security, incident response, threat intelligence, and MDR. This scale and breadth enables clients and partners to accelerate threat detection, streamline security operations, reduce cyber risk, and continuously mature their cybersecurity posture, now with even more choice and value through Fortra’s complementary technologies.

Santander served as the exclusive financial advisor to LevelBlue in this transaction and Stephens served as the exclusive financial advisor to Fortra/Alert Logic.

FIRE Report: Fake Bank Logins Outsmart Google – How Attackers Are Hijacking Search to Target Financial Institutions 

Posted in Commentary on January 26, 2026 by itnerd

Fortra’s Intelligence and Research Experts (FIRE) are tracking HaxorSEO (HxSEO), an active cybercrime marketplace that poses a direct threat to financial institutions by manipulating search rankings to drive phishing and fraud. Operating on Telegram and WhatsApp, HxSEO sells backlinks from long‑trusted, compromised domains, allowing fake financial login pages to outrank legitimate ones. For just a few dollars, attackers can scale account takeover, fraud, and malware delivery, turning routine online banking searches for customers into high‑risk activities.

You can read the report here: https://www.fortra.com/blog/seo-poisoning-marketplace-topping-search-results-impersonating-top-financial-institutions

Guest Post: 115 CVEs Mark One of the Biggest January Patch Tuesdays Yet

Posted in Commentary on January 13, 2026 by itnerd

By Tyler Reguly, Associate Director, Security R&D, Fortra

CISOs this month should be paying a lot of attention to CVE-2026-21265 and the guidance associated with it. More specifically, they should be looking at the Windows Secure Boot certificate expiration and CA Updates that Microsoft published June 26, 2025. When the Secure Boot certificates expire in June of this year, organizations that haven’t prepared will not only find Secure Boot no longer operational, but they may also find that Windows boot manager and Secure Boot vulnerabilities have become an issue. It is important to note that the document is not a single page, but contains a multitude of links – including an entire deployment playbook for IT professionals. With less than half a year to prepare, it is time to ensure that environments and teams are prepared for this update.

One of the more interesting updates this month is the Windows Agere Soft Modem Driver elevation of privilege (CVE-2023-31096). It is not often that you see a CVE from 3 years ago show up, but Microsoft is finally cleaning up a problem that has been around for a while. This driver ships with Microsoft Windows, but according to a post about this vulnerability, the driver has been EOL since 2016. The solution to this vulnerability is simply to remove the impacted drivers, agrsm64.sys and agrsm.sys, from systems.

If you’re a fan of statistics, here’s one for you. Microsoft moved away from the security bulletin system in February of 2017 and ushered in the new era of security guidance. Last year, January 2025, saw the largest January Patch Tuesday under this new system with 162 CVEs. This year, we see the third largest January Patch Tuesday with 115 CVEs. For those wondering, 2022 had the second largest January Patch Tuesday with 127 CVEs. This is also only the third time that we’ve seen more than 100 CVEs under the security guidance system. We’re sitting above the average 89 CVEs that we’ve seen over the 9 January Patch Tuesdays that we’ve had under the new system.