CISA BOD: Replace EoS Edge Devices; Microsoft Office Flaw Exploited by Russian Threat Group; TLS 1.2 is New Minimum, Exchange Online EWS Will Shut Down

The US Cybersecurity and Infrastructure Security Agency (CISA) has published a Binding Operational Directive (BOD) instructing federal civilian executive branch (FCEB) agencies to remove all end-of-support (EoS) edge devices from their networks. CISA notes that "edge devices are attractive targets due to their extensive reach into an organization's network and integrations with identity management systems." The BOD is aligned with an Office of Management and Budget document, "Managing Information as a Strategic Resource," which requires agencies to phase out EoS systems and components. Agencies are advised to update IT lifecycle management practices, to include identifying software and hardware approaching EoS and planning accordingly for decommissioning and replacement. The BOD requires FCEB agencies to immediately update supported devices running EoS software or firmware to supported versions unless doing so would "adversely impact mission critical functionality." Within three months, agencies must provide CISA with an inventory of EoS edge devices; CISA has provided a list of edge devices that will soon reach or have already reached EoS. Within one year, agencies must decommission all EoS edge devices from the list with EoS dates of 12 or fewer months, report the decommissioning to CISA, and provide CISA with an inventory of edge devices that have EoS dates falling within the following 12 months. There are also 18- and 24-month requirements that help agencies establish continuous processes for managing EoS edge devices.

Researchers are warning that a threat group linked to Russian military intelligence has been conducting cyberespionage targeting primarily "maritime and transport organizations across Poland, Slovenia, Turkey, Greece, the UAE, and Ukraine," starting to exploit a vulnerability in Microsoft Office within 24 hours of the company's January 26, 2026 emergency security advisory addressing the flaw. CVE-2026-21509, CVSS score 7.8, allows an unauthorized local attacker to bypass Object Linking and Embedding (OLE) mitigations when a targeted user opens a malicious Office file, due to "reliance on untrusted inputs in a security decision." The campaign took the form of a "concentrated 72-hour spear-phishing campaign," exploiting specific "geopolitically charged narratives" in the lures, mentioning weapons shipments, military training programs, diplomatic consultations, and emergency weather bulletins. Once the target opens the malicious Office file, a crafted OLE object executes, retrieving a payload that begins an infection chain resulting in the installation of backdoor malware. Trellix notes this threat actor's "heavy abuse of legitimate cloud services," among other tactics, techniques, and procedures (TTPs) allowing the researchers to attribute the attack to APT28 with high confidence. The researchers provide indicators of compromise (IoCs), also noting the utility of MITRE ATT&CK mapping for threat hunting. "Organizations are urged to apply the latest Office patches (including the emergency fix for CVE-2026-21509) and implement Microsoft’s recommended registry hardening that blocks this OLE exploit path."

On February 3, 2026, Microsoft's Azure storage ended support for Transport Layer Security (TLS) 1.0 and 1.1, making TLS 1.2 the new minimum TLS version. TLS 1.0 was introduced in 1999, and TLS 1.1 was introduced in 2006; both were deprecated in 2021. TLS 1.2 was introduced in 2008, and version 1.3 was published in 2018. Microsoft has held onto TLS 1.0 and 1.1 for this long due in large part to backward compatibility. In October 2024, Microsoft cautioned users that "all clients connecting to Azure storage need to send and receive data by using TLS 1.2, [and] otherwise will not be able to connect to storage using SSL connections." In a separate story, Microsoft has also announced that Exchange Web Services (EWS) will reach end-of-service (EoS) starting later this year, with shut down slates for April 2027. Starting in October 2026, Microsoft will block Exchange Online EWS by default; admins will be able to temporarily maintain access through application allow lists. Microsoft says of the decision, "EWS was built nearly 20 years ago, and while it served the ecosystem well, it no longer aligns with today’s security, scale, or reliability requirements."

Palo Alto Networks Unit 42 has published an investigation report warning of cyberespionage and data theft attacks targeting global governments and critical infrastructure in the past year, dubbed "Shadow Campaigns." The attacks have previously taken the form of phishing campaigns, which trick the target into downloading a ZIP file containing an executable that ultimately installs a Cobalt Strike or VShell payload. The attackers focus on moving laterally and maintaining persistence, employing a wide variety of tools, exploitation kits, and proof-of-concept exploits, including web shells, tunnels, and a previously unseen Linux kernel rootkit. Unit 42 tracks the threat actor as TGR-STA-1030, a state-aligned group based in Asia, active for at least two years. TGR-STA-1030 has been observed conducting reconnaissance scans on 155 countries and successfully breaching at least 70 organizations across 37 countries in Africa, the Americas, Asia, Europe, and Oceania, targeting "ministries and departments of interior, foreign affairs, finance, trade, economy, immigration, mining, justice and energy." Pete Renals, Unit 42's Director of National Security Programs, stated to news sources that "this is probably the most widespread and significant compromise of global government infrastructure by a state-sponsored group since SolarWinds." Unit 42 has contacted affected organizations and is continuing to monitor the threat actor's ongoing activity; the report provides indicators of compromise (IoCs) for threat hunters.

Romanian pipeline operator Conpet is investigating a cyberattack that disrupted the company's corporate systems earlier this week. The incident has not disrupted Conpet's operational technology, although the company website is currently unavailable. La Sapienza, a university in Rome, Italy, has experienced technical disruptions due to a cyberattack. The university is working with Italian CSIRT, experts from Agenzia per la Cybersicurezza Nazionale (ACN), and the Polizia Postale to restore the school's systems from backups.

On Wednesday, February 4, Cisco published five security advisories to address vulnerabilities in multiple products. The flaws include a high-severity arbitrary file upload vulnerability in Cisco Meeting Management (CVE-2026-20098); a high-severity denial-of-service vulnerability in Cisco TelePresence Collaboration Endpoint Software and RoomOS Software (CVE-2026-20119); a medium-severity file bypass vulnerability in Cisco Secure Web Appliance (CVE-2026-20056); a medium-severity stored cross-site scripting vulnerability in Cisco Prime Infrastructure (CVE-2026-20111); and a medium-severity open redirect vulnerability in Cisco Evolved Programmable Network Manager and Cisco Prime Infrastructure (CVE-2026-20123). Also on Wednesday, February 4, F5 published its Quarterly Security Notification, which addresses three medium severity and two low-severity vulnerabilities in the company's BIG-IP and NGINX products.

In a recent blog post, GreyNoise Senior Director of Security Research and Detection Engineering Glenn Thorpe writes that last year, the US Cybersecurity and Infrastructure Security Agency (CISA) changed the "Known To Be Used in Ransomware Campaigns" status of 59 CVEs in the Known Exploited Vulnerabilities (KEV) catalog from Unknown to Known, indicating what Thorpe calls "a material change in your risk posture." However, CISA does not issue notifications when a CVE's ransomware use status changes. Research indicates that KEV CVEs designated as known to be used in ransomware campaigns are patched or mitigated 2.5 times faster than those without the designation. Of the 59 CVEs flipped in 2025, 16 involved Microsoft vulnerabilities, six Ivanti vulnerabilities, five Fortinet vulnerabilities, and three vulnerabilities each for Palo Alto Networks and Zimbra. The time between the appearance of the CVE in KEV and the ransomware status change ranges from one day to 1,353 days. In response, GreyNoise has created an RSS feed that alerts subscribers to changes in KEV CVE ransomware status changes.

Newsletter platform Substack is emailing users to disclose a data breach that took place in October 2025 but was not discovered until a system issue was identified on February 3, 2026. Substack states that they have fixed the problem that allowed an unauthorized third party to access user data and are conducting an investigation while working on system improvements. The affected data include email addresses, phone numbers, and internal metadata; Substack encourages users to be wary of suspicious texts and emails. The nature and scope of the attack have not yet been disclosed.

Authorities in Poland have arrested a suspect in connection with a series of distributed denial-of-service (DDoS) attacks on "numerous popular websites" around the world, according to the Central Bureau for Combating Cybercrime (CBZC). Authorities seized computer equipment from the suspect's residence. The unnamed individual is facing charges of disrupting an IT system and obtaining a computer program used for such disruption; if convicted, he could face up to five years in prison. The investigation into the attacks is ongoing and further arrests have not been ruled out.