We see a recurring pattern across recent cybersecurity incidents in which trust and identity controls are being exploited across government systems, critical infrastructure, and financial platforms. From ransomware disrupting water utilities to the abuse of legitimate tools and insider access, these incidents point to evolving attacker tactics.
Crystal Morin, Senior Cybersecurity Strategist at Sysdig, warns that “identity will remain the primary cyberattack vector in 2026, and poorly managed machine identities could be the weak link that sparks the first globally disruptive AI-driven breach.”
An internal DHS investigation followed a disputed polygraph examination taken by Acting CISA Director Madhu Gottumukkala during a classified access request. Current and former officials told Politico the test was linked to access to highly sensitive intelligence. DHS denies the polygraph was sanctioned and disputes claims that Gottumukkala failed it.
Ontinue researchers observed attackers abusing Nezha, a legitimate open-source server monitoring tool, as a post-exploitation remote access capability. The tool provides SYSTEM or root-level access, interactive terminals, and file management through standard web protocols. Because the Nezha binary is legitimate software, VirusTotal showed zero detections during testing.
Romania’s national water agency confirmed a ransomware incident that disrupted access to around 1,000 IT and communications systems. Authorities said attackers abused Windows BitLocker to encrypt systems, forcing staff to rely on phone and radio communications. Romania’s cyber authority advised against ransom payments as remediation and restoration efforts continue.
The U.S. Justice Department seized a domain and database used in bank account takeover fraud operations. Officials said criminals used fake search ads to redirect victims to phishing sites impersonating banks. At least 19 victims suffered actual losses of about $14.6 million, with attempted losses nearing $28 million. The seizure disrupted access to stolen credentials used to drain real bank accounts.
An Interpol-coordinated global enforcement operation yielded decryption keys for six ransomware families and led to the arrest of hundreds of alleged ransomware affiliates and operators across multiple countries. Authorities also seized infrastructure linked to ransomware distribution and disruption, supporting ongoing international cybercrime efforts.
Check Point Research reports that threat actors are increasingly targeting employees within banking, telecommunications, and technology firms to recruit insiders who can facilitate unauthorized access, data theft, or fraud. The trend spans multiple regions and relies on social engineering and financial incentives.
Fortinet has issued a fresh warning on active exploitation of a vulnerability in FortiOS SSL VPN that allows two-factor authentication to be bypassed under specific configurations. Attackers are actively using it to bypass SSL VPN two-factor authentication. The issue affects misconfigured and legacy deployments, and admins are urged to review their configurations and apply the available mitigations.
Trust Wallet confirmed a security incident affecting version 2.68 of its browser extension. Users were urged to disable the affected version and upgrade immediately. Binance founder Changpeng Zhao said about $7 million was affected and losses would be covered. The company is investigating how attackers were able to submit a new extension version.
Georgian prosecutors have arrested the former head of the country’s security service on bribery charges, alleging he accepted payments to shield scam call centers. Authorities say investigations are ongoing, and prosecutors have not specified which operations he is accused of protecting.
Attackers are operating through trusted paths, skipping overt compromise. Ram Varadarajan, CEO at Acalvio, says that reactive defenses can't operate at machine speed. He adds that defense is no longer about building higher walls. “It's about becoming an unpredictable, moving target.”
At the organizational level, pressure continues to build, especially because of the AI talent gap. Randolph Barr, Chief Information Security Officer at Cequence Security, says, “As boards push harder for rapid AI deployment in 2026, companies will hit a breaking point between the pressure to innovate and the slow, talent-heavy reality of building AI products.”
There is also a growing need for communication and transparency. Alex Kreilein, Vice President of Product Security and Public Sector Solutions at Qualys, says that “radically transparent incident disclosure, in near real time, is much needed in 2026,” and that organizations must communicate with customers early, even before the full scope of an incident is understood.