Executive Summary
- Russian APT28 conducting large-scale DNS hijacking campaign via compromised SOHO routers to steal Microsoft Office authentication tokens
- Iranian state-linked hackers targeting U.S. critical infrastructure, including PLCs and SCADA systems in energy and water sectors
- Multiple critical vulnerabilities under active exploitation: Docker CVE-2026-34040, Flowise CVE-2025-59528, and Ninja Forms WordPress plugin RCE
- ComfyUI instances being weaponized into cryptomining botnets; over 1,000 exposed instances already compromised
- Healthcare sector under attack: Massachusetts hospital redirecting ambulances after cyberattack; Stryker medtech firm hit by Iran-backed wiper attack
Top Threats Today
1. Russian APT28 Router Exploitation and Token Harvesting Campaign
Severity: Critical | Affected: Defense, Government, Technology
APT28 (Forest Blizzard) is compromising insecure MikroTik and TP-Link routers globally, modifying their DNS settings to redirect traffic and harvest Microsoft Office 365 authentication tokens. This infrastructure-level attack enables persistent espionage access to organizations whose users connect through compromised routers. The campaign represents a sophisticated supply-chain attack vector targeting both SOHO and enterprise environments.
Recommended Action
- Immediately inventory and audit all network edge devices (routers, switches, firewalls) for outdated firmware and non-default credentials
- Implement network segmentation to isolate IoT/OT devices from critical systems; block unauthorized DNS modifications at perimeter
- Force Microsoft 365 re-authentication for all users; review conditional access policies and enable passwordless sign-in
- Monitor outbound DNS traffic for anomalies; implement DNS query logging and threat intelligence feeds for known malicious resolvers
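One way to act on the DNS-monitoring step above is to compare the resolver each host actually queries against a sanctioned allow-list and call out any host that sends Microsoft sign-in lookups elsewhere. The script below is an added example, not part of the original brief; it assumes a generic key=value egress DNS log format, and the resolver addresses and log lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Resolvers the organisation sanctions (constructed values; replace with your own).
ALLOWED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Domains whose redirection would expose Microsoft 365 sign-in traffic.
AUTH_DOMAINS = ("login.microsoftonline.com", "login.live.com", "office.com")

# Constructed egress DNS log lines in a generic key=value layout (not a real product's format).
SAMPLE_LOG = """\
2026-03-02T09:00:01Z src=10.0.1.23 dst=10.0.0.53 qname=outlook.office.com qtype=A
2026-03-02T09:00:04Z src=10.0.1.44 dst=203.0.113.5 qname=login.microsoftonline.com qtype=A
2026-03-02T09:00:05Z src=10.0.1.44 dst=203.0.113.5 qname=cdn.example.net qtype=A
2026-03-02T09:00:09Z src=10.0.1.23 dst=10.0.0.53 qname=login.microsoftonline.com qtype=A
2026-03-02T09:00:12Z src=10.0.2.7 dst=198.51.100.9 qname=login.live.com qtype=A
2026-03-02T09:00:13Z src=10.0.2.7 dst=198.51.100.9 qname=login.live.com qtype=AAAA
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) qname=(\S+)")

def is_auth_domain(qname):
    """True when qname is one of AUTH_DOMAINS or a subdomain of one."""
    return any(qname == d or qname.endswith("." + d) for d in AUTH_DOMAINS)

def analyze_dns_log(text, allowed=ALLOWED_RESOLVERS):
    """Return hosts that query unsanctioned resolvers, with per-resolver query
    counts and the authentication domains they looked up there.
    Hosts that only use sanctioned resolvers are omitted from the result."""
    findings = defaultdict(lambda: {"resolvers": Counter(), "auth_domains": set()})
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        src, dst, qname = m.groups()
        if dst in allowed:
            continue
        entry = findings[src]
        entry["resolvers"][dst] += 1
        if is_auth_domain(qname.lower()):
            entry["auth_domains"].add(qname.lower())
    return {src: {"resolvers": dict(e["resolvers"]),
                  "auth_domains": sorted(e["auth_domains"])}
            for src, e in findings.items()}

if __name__ == "__main__":
    for host, info in analyze_dns_log(SAMPLE_LOG).items():
        print(host, info)
```

A host whose resolver drifts to an unknown address after connecting through an untrusted SOHO router shows up here before any token is misused, which is the point of logging queries at the egress rather than only on the resolver.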
2. Iranian State Hackers Targeting U.S. Critical Infrastructure PLCs
Severity: Critical | Affected: Energy, Government, Transportation
The FBI and the Pentagon warn that Iranian-linked threat actors are actively targeting internet-exposed Rockwell Automation and Allen-Bradley programmable logic controllers (PLCs) across U.S. critical infrastructure. Attacks focus on local municipal governments, water/wastewater systems, and energy sector assets. Successful exploitation could enable disruptive operational technology attacks with cascading civilian impact.
Recommended Action
- Immediately remove all PLCs and SCADA systems from public internet exposure; implement air-gapped or VPN-protected remote access only
- Patch Rockwell Automation systems to latest versions; apply all available industrial control system security updates
- Deploy behavioral monitoring on OT networks to detect unauthorized configuration changes or suspicious command sequences
- Establish incident response protocols specifically for OT environments; coordinate with CISA and relevant ISACs for real-time threat intelligence
3. Critical Docker and Flowise Vulnerabilities Under Active Exploitation
Severity: Critical | Affected: Technology, Finance, Defense
CVE-2026-34040 in Docker Engine (CVSS 8.8) allows an authorization bypass that leads to host access; CVE-2025-59528 in the Flowise platform (maximum severity) permits arbitrary code execution. Both vulnerabilities are actively exploited in the wild. The Docker bypass stems from incomplete prior fixes, creating regression risk across containerized infrastructure. The Flowise RCE exploits improper validation of JavaScript in LLM application builders.
Recommended Action
- Upgrade Docker Engine to patched version immediately; audit all running containers for unauthorized privilege escalation
- Identify and patch all Flowise deployments; disable JavaScript execution in user-supplied inputs pending patches
- Review container runtime security policies; implement AppArmor/SELinux profiles limiting host access from container escapes
- Monitor container registries for unauthorized image modifications; implement image signing and verification at deployment
4. ComfyUI Instances Weaponized Into Cryptomining Botnet
Severity: High | Affected: Technology, Finance
Over 1,000 internet-exposed ComfyUI instances (a Stable Diffusion platform) have been compromised and enrolled into a cryptocurrency mining and proxy botnet. Attackers deployed a purpose-built Python scanner that automatically sweeps cloud IP ranges. Compromised instances are being used for cryptomining and as proxy infrastructure for secondary attacks.
Recommended Action
- Scan for exposed ComfyUI instances on internal networks and remove from public internet access immediately
- Implement authentication and API key requirements for all ComfyUI deployments; disable default credentials
- Monitor CPU/GPU utilization and network egress for signs of cryptomining activity; review process logs for unauthorized daemons
- Deploy host-based intrusion detection (HIDS) to detect process injection and unauthorized resource consumption
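The monitoring steps above (CPU utilization, egress, unauthorized daemons) can be combined into a single host check that scores each process on cryptomining indicators. The script below is an added example, not part of the original brief; the process snapshot and connection list are constructed, the mining-pool and temp-directory heuristics are assumptions to tune per deployment, and the baseline binary set is a placeholder for your own.

```python
import re

# Constructed snapshot resembling `ps -eo pid,pcpu,args` output (not from a real incident).
SAMPLE_PS = """\
  PID %CPU COMMAND
  811  3.2 /usr/bin/python3 main.py --listen 127.0.0.1 --port 8188
 2207 98.7 /dev/shm/.cache/kworkerd -o stratum+tcp://pool.example:3333 -u wallet
 2301 12.0 /usr/bin/python3 /opt/comfy/custom_nodes/loader.py
 2450 91.5 /tmp/.x/sysd --config=/tmp/.x/cfg.json
  990  0.1 /usr/sbin/sshd -D
"""

# Constructed (pid, remote endpoint) pairs as a socket listing would report them.
SAMPLE_CONNS = [(2207, "203.0.113.77:3333"), (2450, "198.51.100.20:443"), (811, "127.0.0.1:8188")]

# Assumed baseline of executables expected on a ComfyUI host; tune per deployment.
BASELINE_BINARIES = {"/usr/bin/python3", "/usr/sbin/sshd"}
SUSPECT_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")  # world-writable drop locations
CPU_THRESHOLD = 80.0

PS_RE = re.compile(r"^\s*(\d+)\s+([\d.]+)\s+(.*)$")

def score_processes(ps_text, conns, cpu_threshold=CPU_THRESHOLD):
    """Return {pid: [reasons]} for processes that match one or more heuristics.
    A process with no findings is left out; outbound connections are attached
    only to processes that already triggered a heuristic."""
    conn_by_pid = {}
    for pid, remote in conns:
        conn_by_pid.setdefault(pid, []).append(remote)
    findings = {}
    for line in ps_text.splitlines()[1:]:  # skip the header row
        m = PS_RE.match(line)
        if not m:
            continue
        pid, cpu, cmd = int(m.group(1)), float(m.group(2)), m.group(3)
        exe = cmd.split()[0]
        reasons = []
        if "stratum" in cmd.lower():
            reasons.append("mining pool URL in command line")
        if exe.startswith(SUSPECT_DIRS):
            reasons.append("executable running from " + exe.rsplit("/", 1)[0])
        if cpu >= cpu_threshold and exe not in BASELINE_BINARIES:
            reasons.append(f"sustained CPU {cpu}% from non-baseline binary")
        if reasons and pid in conn_by_pid:
            reasons.append("outbound connections: " + ", ".join(conn_by_pid[pid]))
        if reasons:
            findings[pid] = reasons
    return findings
```

The legitimate ComfyUI worker (pid 811) is GPU-heavy but runs a baseline binary from an installed path, so it is not flagged; the two processes launched from world-writable directories are.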
5. Healthcare Sector Disrupted by Ransomware and Wiper Attacks
Severity: Critical | Affected: Healthcare
A Massachusetts hospital (Signature Healthcare) is redirecting ambulances because a cyberattack has disrupted its information systems; medtech firm Stryker has been disrupted by an Iran-backed wiper attack. Healthcare organizations face dual threats: financially motivated ransomware and state-sponsored data destruction. Patient care and operational continuity are directly threatened, creating public safety risk.
Recommended Action
- Activate incident response and business continuity plans; ensure manual patient care workflows are operational and staff trained
- Isolate affected systems from network; preserve forensic evidence and engage law enforcement (FBI/HHS)
- Verify backup integrity and air-gap critical backups from network; test restoration procedures for clinical systems
- Implement zero-trust access controls for EHR systems; deploy EDR with behavioral detection focused on data exfiltration patterns
Today’s Action Checklist
- ☐ URGENT: Inventory all network edge devices (routers, firewalls) and verify firmware is current; identify MikroTik/TP-Link SOHO devices for immediate hardening
- ☐ URGENT: Audit and remove all internet-exposed OT/ICS systems (PLCs, SCADA); implement air-gap or VPN-protected access
- ☐ URGENT: Patch Docker Engine and identify/remediate all Flowise instances; test authorization plugins post-upgrade
- ☐ URGENT: Force Microsoft 365 re-authentication for all users; review and strengthen conditional access policies
- ☐ HIGH: Scan for exposed ComfyUI, Ninja Forms WordPress plugins, and other internet-facing development tools; remove from public access
- ☐ HIGH: Review DNS traffic logs for anomalies; implement DNS security (DNSSEC, threat intelligence feeds)
- ☐ HIGH: Verify backup integrity and test disaster recovery procedures; ensure backups are air-gapped from production
- ☐ MEDIUM: Conduct identity and access review; prioritize eliminating credential gaps in identity programs
- ☐ MEDIUM: Review and update incident response procedures for state-sponsored threats; coordinate with industry ISACs and CISA