Why Zero-Day Exploits and RMM Abuse Are Surging in 2026 [Prime Cyber Insights]
Prime Cyber Insights



Episode E956
February 18, 2026
04:22
Hosts: Neural Newscast
News
Cybersecurity
Zero-Day
RMM Abuse
UNC6201
Operation Doppelbrand
Dell
Apple
Chrome
23andMe
DHS Shutdown
Ransomware
PrimeCyberInsights


Episode Summary

This episode explores a volatile week in cybersecurity, centered on a massive surge in zero-day exploitation and a fundamental shift in attacker tradecraft. We analyze critical vulnerabilities from Dell, Apple, and Google Chrome that have allowed state-sponsored groups like UNC6201 to maintain network persistence for over 400 days using novel techniques like 'Ghost NICs.' The team also dives into the Huntress 2026 Cyber Threat Report, which reveals a staggering 277% increase in the abuse of Remote Monitoring and Management tools, a trend mirrored in the sophisticated Operation Doppelbrand phishing campaign targeting Fortune 500 financial institutions. We further discuss the $3.25 million 23andMe settlement for Canadian customers, the ongoing data extortion efforts against Eurail, and the legislative gridlock as the DHS shutdown leaves state cybersecurity grants unfunded. Systems expert Chad Thompson joins the desk to provide a perspective on how automation and architectural gaps are accelerating these infrastructure-level threats.


Show Notes

In this episode of Prime Cyber Insights, we break down a volatile week in digital risk, characterized by a massive surge in zero-day exploitation and a fundamental shift in attacker tradecraft. We examine critical vulnerabilities from Dell, Apple, and Chrome that have allowed state-sponsored groups like UNC6201 to maintain network persistence for over 400 days. The team also analyzes the Huntress 2026 Cyber Threat Report, which reveals a 277% year-over-year increase in Remote Monitoring and Management (RMM) tool abuse. From the sophisticated Operation Doppelbrand phishing campaign targeting the Fortune 500 to the $16 million Phobos ransomware disruption in Poland, we connect the dots between automation and infrastructure vulnerability. We also explore the impact of the DHS shutdown on state cybersecurity funding and the ongoing data extortion saga at Eurail.

Topics Covered

  • 🛡️ Dell and Apple Zero-Day Analysis
  • 🚨 Operation Doppelbrand Phishing Campaign
  • 📊 Huntress Report: The 277% RMM Abuse Explosion
  • 🔒 23andMe and Eurail Data Breach Fallout
  • 🌐 Industrial Ransomware Trends from Dragos
  • ⚖️ Federal Funding Gaps and the DHS Shutdown

Disclaimer: The information provided is based on news reports available as of February 2026 and is intended for informational purposes only.

Neural Newscast is AI-assisted, human reviewed. View our AI Transparency Policy at NeuralNewscast.com.

  • (00:00) - Introduction
  • (00:29) - Zero-Day Persistence and State Actors
  • (01:26) - The Rise of RMM Abuse
  • (01:48) - Data Extortion and Infrastructure Risks
  • (03:47) - Conclusion

Transcript

[00:00] Aaron Cole: The cybersecurity landscape just hit a high-velocity shift this week, and we are seeing a dangerous convergence of unpatched zero-days and legitimate tool abuse. I'm Aaron Cole. Joining us today is Chad Thompson, who brings a systems-level perspective on AI, automation, and security, blending technical depth, real-world experience, and creative insight drawn from engineering and music production. Chad, welcome.

[00:28] Lauren Mitchell: And I'm Lauren Mitchell. We're starting with a triple threat of zero-days. Dell just patched a critical flaw in its RecoverPoint software that was exploited for nearly two years by the Chinese-linked group UNC6201. Meanwhile, Apple and Google have both issued emergency updates for actively exploited vulnerabilities. Aaron, the persistence here is what's staggering.

[00:51] Chad Thompson: It really is, Lauren. With that Dell flaw, CVE-2269-769, attackers were using Ghost NICs to move laterally. They've been dwelling in networks for over 400 days. When you look at the Apple DELD flaw, CVE-2026-1700, Google's Threat Analysis Group is calling it extremely sophisticated. These aren't just quick hits. They are architectural infiltrations.

[01:26] Aaron Cole: It's not just zero-days, Chad. The Huntress 2026 Cyber Threat Report dropped, and the headline is a 277% explosion in the abuse of RMM tools like ScreenConnect and AnyDesk. Attackers are ditching custom malware, because why build a virus when you can just use the victim's own remote management tools to walk through the front door?

[01:47] Lauren Mitchell: Exactly, Aaron. We're seeing this play out in Operation Doppelbrand. The threat actor GS7 has been impersonating Fortune 500 giants like Wells Fargo and USAA using over 150 domains. They're leveraging those RMM tools for remote access and privilege escalation. Simultaneously, Dragos reported yesterday that 119 ransomware groups are now specifically targeting industrial control systems.

[02:20] Chad Thompson: From a systems perspective, the RMM shift is brilliant but devastating. These tools are ubiquitous and trusted. If you're an admin, you see ScreenConnect traffic and think nothing of it. But for actors like Sylvanite or Azurite, targeting our electric and water utilities, it's the perfect skeleton key. We are seeing a 42-day average dwell time in industrial environments before they even hit the encrypt button.

[02:51] Lauren Mitchell: While we fight the technical battles, the legal and financial fallout continues. A judge approved a $3.25 million settlement yesterday for 23andMe, now Chrome Holding Co., to resolve claims for Canadian customers. And Eurail is currently being extorted on Telegram after hackers accessed passport and travel data in mid-January. The extortion model is replacing simple encryption. It's a grim picture, especially when you consider that the defense is being hampered by politics. Congress reauthorized the State and Local Cybersecurity Grant Program this month. But because of the DHS shutdown that started on February 7th, those funds are completely frozen. State governments are literally waiting for a budget deal to fund their defenses. The urgency couldn't be higher. Patch your Dell instances, update Chrome to version 144, and for the love of your network, audit your RMM access today. Chad, thanks for the insight. I'm Aaron Cole. Absolutely, Aaron. I'm Lauren Mitchell. For more in-depth reporting and show notes, check out pci.neuralnewscast.com. We'll see you next time on Prime Cyber Insights. Neural Newscast is AI-assisted, human-reviewed. View our AI transparency policy at neuralnewscast.com.
