February Roundup 2026: Threat Intelligence

Published March 3, 2026

February 2026 delivered another harsh reminder that no sector is immune from cyber disruption. From financial platforms like Betterment and PayPal to critical infrastructure like France's National Bank Account Registry (FICOBA), attackers exploited credential weaknesses, third-party dependencies, and identity-driven vulnerabilities across the board.

Major Ransomware Attacks

VMware ESXi Exploitation (Feb 4): CISA issued an urgent advisory after ransomware operators began actively exploiting a critical VMware ESXi sandbox-escape vulnerability. The flaw gave attackers deep access to virtualized environments, threatening the infrastructure that many enterprises rely on for their core operations.

Sapienza University of Rome (Feb 5): One of Europe's largest universities was knocked offline for days after a cyber attack using BabLock/Rorschach malware. Major IT systems were shut down, disrupting online services and communications while recovery was carried out from unaffected backups.

Conpet S.A. (Feb 5): Romania's national oil pipeline operator was hit by Qilin ransomware. While core oil transport operations continued, corporate IT systems and the company website were disrupted, and attackers claimed to have stolen large volumes of internal data.

BridgePay (Feb 7): A ransomware attack on the payments platform BridgePay disrupted payment infrastructure nationwide, knocking critical processing systems offline and affecting merchants across the United States.

Key Data Breaches

Betterment (Feb 10): The financial platform disclosed unauthorized access to customer investment account information. The breach exposed account balances, transaction histories, and personal identification data for an undisclosed number of users.

Iron Mountain (Feb 15): The information management giant confirmed a data breach affecting customer records stored across multiple facilities. The incident raised concerns about the security of physical-to-digital document management services.

Panera Bread (Feb 20): The restaurant chain experienced another data incident, with customer loyalty program data exposed through a misconfigured API endpoint. This marked the second significant breach for the company in recent years.

Critical Vulnerabilities and Advisories

Tycoon 2FA Takedown: A major coordinated disruption involving Proofpoint, Microsoft, Europol, and international law enforcement seized 330 control panel domains linked to one of the most prolific adversary-in-the-middle (AiTM) phishing-as-a-service platforms. Despite the takedown, security researchers warned that operators would likely reconstitute under new infrastructure.

BeyondTrust Zero-Day (CVE-2026-1731): A pre-authentication remote code execution flaw in BeyondTrust Remote Support was exploited in active ransomware campaigns. CISA issued a three-day patch mandate for federal agencies.

VMware Aria Operations RCE (CVE-2026-22719): A second management platform vulnerability in the same month landed on CISA's Known Exploited Vulnerabilities list, reinforcing an emerging pattern of attackers targeting the infrastructure defenders rely on most.

What This Means for Defense Contractors

February's attacks on VMware ESXi, BeyondTrust, and VMware Aria Operations reveal a disturbing trend: attackers are targeting the management and security tools that organizations depend on. Defense contractors using these platforms must verify their patch levels immediately. The BeyondTrust zero-day (CVE-2026-1731) is particularly concerning for contractors using remote support tools in their CMMC-scoped environments.

Don't wait for an attack to discover your gaps. Apply for a CGA CMMC Gap Assessment Grant to identify vulnerabilities across all 110 NIST SP 800-171 controls.