Executive Summary
- Iranian-backed threat actors are actively targeting 4,000+ exposed U.S. industrial devices (PLCs) with potential for critical infrastructure disruption
- Critical RCE vulnerability in Marimo (CVE-2026-39987) exploited within 10 hours of disclosure; developers at immediate risk
- Russian military intelligence harvesting Microsoft Office authentication tokens via router compromises; widespread credential theft campaign underway
- GlassWorm campaign evolving to target developer IDEs with Zig dropper; supply-chain risk to software development pipeline
- Law enforcement surveillance system (Webloc) reported to have tracked 500 million devices globally via advertising data; privacy and civil liberties implications
Top Threats Today
1. Iranian Cyberattacks on U.S. Industrial Controllers
Severity: CRITICAL | Affected: energy, manufacturing, government
Nearly 4,000 Internet-exposed programmable logic controllers (PLCs) manufactured by Rockwell Automation have been identified as targets in cyberattacks attributed to Iranian-linked threat actors. These devices control critical infrastructure systems. The attacks represent a direct threat to operational technology (OT) environments supporting power grids, water treatment, and manufacturing facilities.
Recommended Action
- Immediately audit all Rockwell Automation PLC deployments for Internet exposure and implement network segmentation
- Apply all available security patches and firmware updates from Rockwell Automation
- Deploy enhanced monitoring and detection rules specifically for Iranian APT TTPs on OT networks
- Coordinate with CISA and sector-specific ISACs for threat intelligence sharing
2. Marimo RCE Exploitation (CVE-2026-39987)
Severity: CRITICAL | Affected: technology, finance, education
A critical pre-authentication remote code execution vulnerability in Marimo (CVSS 9.3) was actively exploited within 10 hours of public disclosure. Marimo is widely used by data scientists and analysts for Python notebook development. This represents a supply-chain risk to any organization using this tool for data analysis workflows.
Recommended Action
- Immediately update Marimo to the patched version across all development environments
- Scan development systems for indicators of compromise from exploitation attempts
- Review access logs for Marimo instances deployed on Internet-accessible systems
- Restrict Marimo deployments to isolated development networks until patching is complete
3. Russian State-Sponsored Microsoft Office Token Theft
Severity: CRITICAL | Affected: government, defense, finance, technology
Hackers linked to Russia’s military intelligence (GRU) are mass harvesting Microsoft Office authentication tokens by exploiting known vulnerabilities in older Internet routers. This campaign enables state-sponsored actors to quietly gain persistent access to Office 365 accounts and sensitive organizational data. The attack targets known router flaws, making it highly scalable.
Recommended Action
- Audit all edge routers for end-of-life status and replace or patch immediately
- Implement device-bound session credentials (DBSC) in Chrome 146+ for Windows users to prevent token theft
- Deploy conditional access policies in Microsoft 365 to detect anomalous token usage patterns
- Monitor for unauthorized Office 365 access from unexpected geographic locations and IP ranges
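One way to implement the last two actions above as detection logic. This is an added example, not part of the original brief and not a Microsoft product feature: it assumes sign-in records exported from the Microsoft 365 / Entra ID sign-in logs and reduced to a timestamp, user, session (token) identifier, country and source IP. The sample sign-ins, the allowed countries and the expected egress networks below are constructed for illustration.

```python
"""Flag Microsoft 365 sign-ins that suggest a replayed session token.

Two signals are evaluated:
1. The same session token used from two different countries within a
   short window (impossible travel for one token).
2. Any sign-in from outside the organisation's allowed countries or its
   expected egress networks.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample: alice and carol are normal; bob's session token is
# reused from another country twelve minutes after a legitimate sign-in.
SAMPLE_SIGNINS = [
    {"time": "2026-04-02T08:00:00", "user": "alice@example.com", "session": "S-1", "country": "US", "ip": "203.0.113.10"},
    {"time": "2026-04-02T08:30:00", "user": "alice@example.com", "session": "S-1", "country": "US", "ip": "203.0.113.10"},
    {"time": "2026-04-02T09:00:00", "user": "bob@example.com", "session": "S-2", "country": "US", "ip": "203.0.113.20"},
    {"time": "2026-04-02T09:12:00", "user": "bob@example.com", "session": "S-2", "country": "NL", "ip": "198.51.100.7"},
    {"time": "2026-04-02T10:00:00", "user": "carol@example.com", "session": "S-3", "country": "CA", "ip": "192.0.2.44"},
]

# Constructed organisation baseline: where users normally sign in from.
ALLOWED_COUNTRIES = {"US", "CA"}
EXPECTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("192.0.2.0/24")]
TRAVEL_WINDOW = timedelta(hours=2)


def _when(event):
    return datetime.fromisoformat(event["time"])


def find_anomalous_sessions(events, allowed_countries=ALLOWED_COUNTRIES,
                            expected_networks=EXPECTED_NETWORKS, window=TRAVEL_WINDOW):
    """Return a list of findings; each names the session, user and rule that fired."""
    findings = []
    by_session = defaultdict(list)
    for ev in sorted(events, key=_when):
        by_session[ev["session"]].append(ev)
        ip = ipaddress.ip_address(ev["ip"])
        outside_baseline = (ev["country"] not in allowed_countries
                            or not any(ip in net for net in expected_networks))
        if outside_baseline:
            findings.append({"session": ev["session"], "user": ev["user"],
                             "rule": "unexpected_location",
                             "detail": f'{ev["country"]} {ev["ip"]}'})
    # Walk each session's sign-ins in time order and look for a country change
    # that happens faster than a person could plausibly travel.
    for sid, evs in by_session.items():
        for prev, cur in zip(evs, evs[1:]):
            gap = _when(cur) - _when(prev)
            if prev["country"] != cur["country"] and gap <= window:
                findings.append({"session": sid, "user": cur["user"],
                                 "rule": "token_reuse_across_countries",
                                 "detail": f'{prev["country"]} -> {cur["country"]} in {gap}'})
    return findings


if __name__ == "__main__":
    for f in find_anomalous_sessions(SAMPLE_SIGNINS):
        print(f'{f["rule"]:30} {f["user"]:20} {f["session"]:5} {f["detail"]}')
```

The country-change rule is keyed on the session identifier rather than the user so that a token replayed by a second party stands out even when the legitimate user is also active; in a conditional access policy the same two signals map to a location-based condition and a sign-in risk condition.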
4. GlassWorm Campaign IDE Infection via Zig Dropper
Severity: HIGH | Affected: technology, finance, manufacturing
The ongoing GlassWorm campaign has evolved to use a Zig-based dropper targeting integrated development environments (IDEs) including VSCode extensions. The malware silently infects all IDEs on a developer’s machine, potentially compromising source code and build pipelines. This poses significant supply-chain risks to organizations using compromised development environments.
Recommended Action
- Audit installed VSCode and IDE extensions; remove any from untrusted publishers
- Review Open VSX registry and official extension stores for malicious packages
- Implement code signing and verification for all IDE plugins organization-wide
- Scan development machines for persistence mechanisms and credential dumpers associated with GlassWorm
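The first action above, auditing installed extensions against a list of trusted publishers, as an added example that is not part of the original brief and not taken from any GlassWorm analysis. It parses the output format of `code --list-extensions --show-versions` (one `publisher.name@version` per line) and reports any extension whose publisher is not on an allowlist; the extension list and the allowlist below are constructed, and any line that does not fit the format is reported separately rather than silently dropped.

```python
"""Audit installed VS Code extensions against a publisher allowlist."""
import re

# publisher.name@version, e.g. ms-python.python@2026.2.0
LINE_RE = re.compile(r"^(?P<publisher>[A-Za-z0-9][\w-]*)\.(?P<name>[\w.-]+)@(?P<version>[\w.+-]+)$")

# Constructed stand-in for the output of: code --list-extensions --show-versions
SAMPLE_LIST = """\
ms-python.python@2026.2.0
esbenp.prettier-vscode@11.0.0
unknown-pub.code-helper-pro@0.0.3
this is not an extension line
"""

# Constructed allowlist of publishers the organisation has vetted.
TRUSTED_PUBLISHERS = {"ms-python", "esbenp", "ms-vscode"}


def parse_extension_list(text):
    """Return (parsed, unparsable): parsed entries are dicts with publisher, name, version."""
    parsed, unparsable = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            parsed.append(m.groupdict())
        else:
            unparsable.append(line)
    return parsed, unparsable


def audit_extensions(text, trusted=TRUSTED_PUBLISHERS):
    """Return the extension ids whose publisher is not trusted, plus parse diagnostics."""
    parsed, unparsable = parse_extension_list(text)
    untrusted = [f'{e["publisher"]}.{e["name"]}' for e in parsed if e["publisher"] not in trusted]
    return {"untrusted": untrusted, "unparsable": unparsable, "total": len(parsed)}


if __name__ == "__main__":
    report = audit_extensions(SAMPLE_LIST)
    print(f'{report["total"]} extensions parsed')
    for ext in report["untrusted"]:
        print(f"UNTRUSTED PUBLISHER: {ext}")
    for line in report["unparsable"]:
        print(f"could not parse: {line!r}")
```

Run it against the real output of `code --list-extensions --show-versions` on each developer machine and treat every untrusted entry as a removal candidate; an allowlist keyed on publisher rather than extension name keeps the list short while still catching look-alike extensions from unknown publishers.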
5. Law Enforcement Webloc Surveillance System (500M Devices)
Severity: HIGH | Affected: government, legal
Citizen Lab reports that law enforcement agencies in Hungary, El Salvador, and multiple U.S. jurisdictions have deployed Webloc, an advertising-based global geolocation surveillance system developed by Israeli company Cobwebs Technologies. The system has tracked approximately 500 million devices. This revelation raises significant privacy and civil liberties concerns regarding warrantless mass surveillance capabilities.
Recommended Action
- Review organizational privacy policies and data handling procedures for legal compliance
- Audit mobile device management (MDM) policies for location tracking and data sharing restrictions
- Consult legal counsel regarding regulatory implications and disclosure obligations
- Implement location privacy controls at the network and device level where applicable
Today’s Action Checklist
- ☐ URGENT: Identify and patch all Rockwell Automation PLC devices; assess Internet exposure immediately
- ☐ URGENT: Update Marimo across all development environments and scan for compromise
- ☐ URGENT: Audit router firmware versions; prioritize replacement of devices running vulnerable legacy software
- ☐ URGENT: Enable and deploy Device Bound Session Credentials (DBSC) in Chrome 146+ for Windows users
- ☐ URGENT: Scan all development machines for GlassWorm persistence indicators and malicious IDE extensions
- ☐ HIGH: Review Microsoft 365 conditional access policies and implement anomalous token usage detection
- ☐ HIGH: Brief legal and compliance teams on Webloc surveillance disclosures and privacy obligations
- ☐ HIGH: Validate Chrome 147 deployment status; note that 60 vulnerabilities were patched, including 2 critical WebML flaws
- ☐ MEDIUM: Review Juniper Junos OS devices for critical unauthenticated RCE vulnerability patches
- ☐ MEDIUM: Monitor for CanisterWorm wiper activity; assess exposure if systems use Iran timezone or Farsi language settings