Lazarus Group Hits Healthcare and SolarWinds Fixes Root [Prime Cyber Insights]
Prime Cyber Insights
Episode: E1010
Date: February 24, 2026
Length: 06:56
Hosts: Neural Newscast
Tags: News, Lazarus Group, Medusa Ransomware, SolarWinds, Serv-U, Ivanti VPN, NYC Transit, Odido Breach, Artemis II, Cybersecurity News, PrimeCyberInsights

Episode Summary

The Lazarus Group has shifted tactics by deploying Medusa ransomware against healthcare entities in the U.S. and Middle East, moving toward off-the-shelf ransomware-as-a-service models. Meanwhile, SolarWinds issued emergency patches for four critical vulnerabilities in its Serv-U file transfer software, including CVE-2025-40538, which could grant attackers root or admin permissions. The episode also explores a newly disclosed 2021 Ivanti VPN backdoor that impacted over 100 organizations, highlighting the security risks associated with private equity-driven cost-cutting. Additionally, we cover the Qilin ransomware attack on New York's transit workers' union, the ShinyHunters extortion claim against Dutch telecom Odido, and research showing that nearly a third of Meta ads in Europe are malicious. Finally, we look at NASA's successful Artemis II fueling test which clears the path for a March lunar mission.

Show Notes

Today on Prime Cyber Insights, we examine a coordinated wave of cyber threats targeting healthcare, infrastructure, and enterprise software. We lead with the Lazarus Group’s pivot to Medusa ransomware, a move that demonstrates a tactical shift toward established cybercrime affiliate models. We also break down the critical patches from SolarWinds for Serv-U vulnerabilities that offer a direct path to root access. Our coverage extends to the breach of the NYC Transit workers' union by Qilin ransomware and the massive data extortion claims hitting Dutch telecom Odido. We are joined by guest Chad Thompson to provide a systems-level perspective on how automation and enterprise risk are evolving in the face of these persistent threats. We also look at the resilience of NASA's Artemis II mission following its successful fueling trials.

Topics Covered

  • 🚨 Lazarus Group’s adoption of Medusa ransomware for healthcare extortion.
  • 🔐 Critical root-access vulnerabilities patched in SolarWinds Serv-U software.
  • 🌐 The 2021 Ivanti VPN backdoor and the impact of corporate restructuring on security.
  • 🚆 Qilin ransomware hits the NYC Transit workers' union chapter.
  • 📱 ShinyHunters extortion gang claims a massive breach of telecom provider Odido.
  • 🚀 NASA’s successful Artemis II fueling test ahead of the March launch window.

Disclaimer: The information provided is based on reports current as of February 24, 2026.

Neural Newscast is AI-assisted, human reviewed. View our AI Transparency Policy at NeuralNewscast.com.

  • (00:06) - Introduction
  • (00:06) - SolarWinds and Lazarus Threats
  • (01:46) - Conclusion
  • (01:46) - VPN and Telecom Breaches
  • (01:46) - Infrastructure and Lunar Resilience

Transcript

[00:00] Aaron Cole: From Neural Newscast, this is Prime Cyber Insights, Intelligence for Defenders, Leaders, and Decision Makers.
[00:06] Chad Thompson: Welcome to Prime Cyber Insights for February 24, 2026.
[00:12] Chad Thompson: We are opening today's briefing by tracking a high-velocity wave of infrastructure attacks
[00:17] Chad Thompson: and critical software vulnerabilities that demand immediate attention from security teams globally.
[00:22] Chad Thompson: I am joined, as always, by Lauren to help break down these complex developments.
[00:27] Chad Thompson: Thanks, Aaron.
[00:28] Chad Thompson: It is a packed morning for the security community.
[00:31] Chad Thompson: Joining us today is Chad Thompson, a director-level AI and security leader.
[00:36] Chad Thompson: Chad brings a deep systems-level perspective on automation, enterprise risk, and operational
[00:42] Chad Thompson: resilience, which is exactly what we need to navigate today's stories.
[00:46] Chad Thompson: Chad, great to have you.
[00:48] Chad Thompson: Aaron, we have to start with the urgent patches coming out of SolarWinds today.
[00:53] Lauren Mitchell: It is great to be here, Lauren.
[00:56] Lauren Mitchell: Looking at the landscape this morning, it is clear that the intersection of legacy infrastructure and modern automation is creating some unique pressure points for the enterprise.
[01:09] Chad Thompson: SolarWinds has released critical updates for its Serv-U file transfer software.
[01:15] Chad Thompson: The most severe flaw, CVE-2025-40538, is a broken access control vulnerability.
[01:23] Chad Thompson: This is a nightmare scenario because it allows an attacker to effectively create a system
[01:29] Chad Thompson: admin account and execute code as root.
[01:31] Chad Thompson: With over 12,000 servers currently exposed online, this has to be a top-tier patching priority for any enterprise using their managed file transfer or FTP capabilities.
[01:42] Chad Thompson: If that server is internet-facing, you are in the crosshairs.
[01:46] Chad Thompson: Moving from software flaws to active threat actors, the Lazarus Group is making headlines for a significant tactical shift –
[01:54] Chad Thompson: Reporting from Symantec and Carbon Black indicates the North Korean group is now using Medusa ransomware to target healthcare organizations across the U.S. and the Middle East.
[02:06] Chad Thompson: They appear to be moving away from their traditional custom payloads in favor of established ransomware-as-a-service models.
[02:14] Chad Thompson: This allows them to save on development costs while maintaining high-impact extortion campaigns.
[02:19] Lauren Mitchell: This is a very pragmatic move by Lazarus.
[02:22] Lauren Mitchell: By leveraging existing RaaS infrastructure, they can increase their operational tempo without the overhead of maintaining bespoke code.
[02:31] Lauren Mitchell: For a state-sponsored actor, it is about maximum ROI and plausible deniability.
[02:38] Lauren Mitchell: In the healthcare sector, where downtime can literally be a matter of life or death, the pressure to pay these ransoms is immense.
[02:48] Chad Thompson: It definitely increases their lethality, Lauren.
[02:50] Chad Thompson: Speaking of persistent threats, a report released yesterday by Bloomberg has uncovered a major
[02:55] Chad Thompson: 2021 breach at Ivanti subsidiary Pulse Secure.
[02:59] Chad Thompson: Chinese hackers reportedly planted a backdoor that compromised 119 organizations, including
[03:05] Chad Thompson: several military contractors.
[03:07] Chad Thompson: The report explicitly links the decline in security quality to aggressive cost-cutting
[03:12] Chad Thompson: and layoffs that followed private equity acquisitions of the firm.
[03:15] Chad Thompson: Exactly. This highlights a pattern where technical debt meets active exploitation.
[03:22] Chad Thompson: While we discuss those broader implications, we also have to look at the immediate crisis in New York.
[03:28] Chad Thompson: The Qilin ransomware group claims to have breached the union representing 41,000 transit workers.
[03:35] Chad Thompson: They have allegedly leaked sensitive, personally identifiable information onto the dark web,
[03:41] Chad Thompson: including salary details and medical data.
[03:43] Lauren Mitchell: When you look at the Ivanti story alongside the Qilin attack,
[03:47] Lauren Mitchell: you see two sides of the same coin.
[03:50] Lauren Mitchell: On one hand, you have the systemic risk introduced by financial restructuring
[03:55] Lauren Mitchell: that deprioritizes security hygiene.
[04:00] Lauren Mitchell: On the other, you have the human impact of data theft.
[04:05] Lauren Mitchell: For those 41,000 transit workers,
[04:09] Lauren Mitchell: this isn't just a corporate breach.
[04:13] Lauren Mitchell: It is a profound violation of their personal privacy and financial security.
[04:18] Chad Thompson: The pressure is also mounting in the Netherlands, Lauren.
[04:22] Chad Thompson: Today, the ShinyHunters extortion gang added Dutch telecom Odido to their leak site,
[04:27] Chad Thompson: claiming to have stolen 21 million records.
[04:31] Chad Thompson: While Odido initially reported the breach affected 6.2 million customers,
[04:36] Chad Thompson: the hackers are now threatening a final warning to the company.
[04:40] Chad Thompson: It is a stark reminder of how vulnerable large-scale PII repositories remain and how quickly these situations can escalate beyond initial company estimates.
[04:50] Chad Thompson: And it isn't just direct breaches we need to worry about.
[04:53] Chad Thompson: New research out today shows that nearly one in three Meta ads in the EU and UK are actually malicious, pointing to phishing or malware.
[05:02] Chad Thompson: I mean, this industrial-scale operation is leveraging the same engagement algorithms used for legitimate marketing to maximize victim counts.
[05:11] Chad Thompson: The infrastructure for this appears heavily linked to Hong Kong and China, showing just how weaponized social media advertising has become.
[05:18] Chad Thompson: Despite these digital headwinds, there is a major win for operational resilience in the space sector.
[05:26] Chad Thompson: Last Friday, NASA confirmed that the latest fueling test for the Artemis 1 SLS rocket
[05:33] Chad Thompson: was a success.
[05:34] Chad Thompson: Technicians swapped out the hydrogen seals that caused issues earlier this month, and those
[05:40] Chad Thompson: new seals held firm during the test.
[05:43] Chad Thompson: This keeps the earliest launch target of March 6th on the calendar, which is a massive
[05:49] Chad Thompson: milestone for the program.
[05:50] Chad Thompson: It is a rare bit of good news in a week dominated by ransomware and root access exploits.
[05:57] Chad Thompson: We have covered everything from Lazarus's new medical targets to the systemic risks of private equity-owned security firms.
[06:04] Chad Thompson: Aaron, the urgency for secure-by-design principles has never been higher.
[06:09] Chad Thompson: For the full technical breakdown on any of today's stories, visit pci.neuralnewscast.com.
[06:16] Chad Thompson: Stay resilient, stay patched, and we will see you in the next update.
[06:20] Chad Thompson: Neural Newscast is AI-assisted, human-reviewed.
[06:24] Chad Thompson: View our AI Transparency Policy at neuralnewscast.com.
[06:29] Aaron Cole: This has been Prime Cyber Insights on Neural Newscast.
[06:32] Aaron Cole: Intelligence for defenders, leaders, and decision makers.
[06:36] Aaron Cole: Neural Newscast uses artificial intelligence in content creation
[06:39] Aaron Cole: with human editorial review prior to publication.
[06:43] Aaron Cole: While we strive for factual, unbiased reporting, AI-assisted content may occasionally contain
[06:48] Aaron Cole: errors. Verify critical information with trusted sources. Learn more at neuralnewscast.com.