Daily Brief
Total articles found: 12589
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2026-01-30 17:13:16 | bleepingcomputer | VULNERABILITIES | Microsoft to Disable NTLM by Default in Future Windows Releases | Microsoft plans to disable the NTLM authentication protocol by default in upcoming Windows releases, addressing longstanding security vulnerabilities that expose organizations to cyberattacks. NTLM, introduced in 1993, has been widely exploited in relay and pass-the-hash attacks, allowing attackers to escalate privileges and control Windows domains. Despite being superseded by Kerberos, NTLM remains in use as a fallback method, posing risks like those seen in the PetitPotam and RemotePotato0 vulnerabilities. Microsoft outlines a three-phase transition plan, starting with enhanced auditing tools in Windows 11 24H2 and Windows Server 2025 to identify NTLM usage. By the second half of 2026, Microsoft will introduce features like IAKerb and a Local Key Distribution Center to address scenarios that trigger NTLM fallback. The final phase will see NTLM disabled by default, though it can be re-enabled through policy controls, marking a shift to Kerberos-based authentication. This move aligns with Microsoft's broader push toward passwordless, phishing-resistant authentication across Windows environments. |
| 2026-01-30 13:51:02 | thehackernews | MALWARE | Malicious Chrome Extensions Hijack Affiliate Links and Steal Data | Cybersecurity researchers identified malicious Chrome extensions that hijack affiliate links, steal data, and collect ChatGPT authentication tokens, impacting various e-commerce platforms and social media content creators. The Amazon Ads Blocker extension, part of a cluster of 29 add-ons, injects the developer's affiliate tag into Amazon product links, violating Chrome Web Store policies. The extensions also exfiltrate product data to external servers and manipulate user behavior with false "LIMITED TIME DEAL" countdowns, affecting platforms like AliExpress. A network of 16 additional extensions targets ChatGPT, intercepting authentication tokens and allowing attackers to access users' conversation histories and data. The rise of AI-related extensions in enterprise environments presents a new attack surface that exploits user trust in popular AI brands. A malware-as-a-service toolkit named Stanley was found on a Russian cybercrime forum, enabling the creation of malicious Chrome extensions for phishing, with a premium tier that bypasses Google's vetting process. The toolkit's disappearance following public disclosure raises concerns about re-emergence under different branding, emphasizing the need for vigilance in extension management. |
| 2026-01-30 12:13:04 | thehackernews | NATION STATE ACTIVITY | UAT-8099 Exploits IIS Servers in Asia with BadIIS Malware | Cisco Talos identified a China-linked threat actor, UAT-8099, targeting IIS servers in Asia, focusing on Thailand and Vietnam, using BadIIS malware for SEO fraud. The campaign, active between late 2025 and early 2026, exploits vulnerabilities in IIS servers, leveraging web shells and PowerShell scripts for remote access. UAT-8099 employs tools like GotoHTTP, SoftEther VPN, and EasyTier to control compromised servers, adapting tactics for regional specificity and long-term persistence. The malware variants, BadIIS IISHijack and BadIIS asdSearchEngine, target specific regions, redirecting search engine crawlers to fraudulent sites while injecting malicious scripts for regular users. The attack chain involves exploiting server vulnerabilities, deploying web shells, and creating hidden accounts to maintain access and evade detection. The campaign's evolution includes refined SEO tactics and the use of legitimate tools to avoid detection, indicating a sophisticated operational strategy. Evidence of ongoing development includes a Linux version of BadIIS, suggesting a continued focus on expanding the malware's capabilities. Organizations are advised to strengthen server configurations and monitor for unusual activity to mitigate the risk posed by such advanced persistent threats. |
| 2026-01-30 11:30:38 | thehackernews | CYBERCRIME | Global Law Enforcement Intensifies Efforts Against Cybercrime Activities | Orange Cyberdefense compiled a dataset of 418 law enforcement actions from 2021 to mid-2025, revealing a global push against cybercrime. Extortion, malware distribution, and unauthorized access are the top criminal acts targeted by authorities, indicating a focus on financially motivated cyber offenses. The United States leads in cyber law enforcement activities, with significant contributions from European nations, Russia, and Ukraine, showcasing international collaboration. Arrests make up 29% of actions, emphasizing individual accountability, while takedowns and charges highlight efforts to dismantle criminal networks. Private organizations are increasingly involved, with 74 entities supporting law enforcement, underscoring the importance of public-private partnerships in combating cybercrime. Cybercrime offenders are predominantly male, aged 25-44, with activities shifting from technical exploits in younger cohorts to profit-driven crimes in older groups. The dataset shows a concentration of offenders from Russia, the U.S., China, Ukraine, and North Korea, reflecting geopolitical influences on cybercrime trends. The findings illustrate the complexity of cybercrime and the need for coordinated international responses to effectively address evolving threats. |
| 2026-01-30 07:42:34 | thehackernews | NATION STATE ACTIVITY | Ex-Google Engineer Convicted of Economic Espionage for China Startup | Linwei Ding, a former Google engineer, was convicted in the U.S. for stealing over 2,000 AI-related trade secrets to aid a Chinese startup, Shanghai Zhisuan Technologies Co. Ding faced charges of economic espionage and theft of trade secrets, with a federal jury finding him guilty of transferring sensitive Google data to his personal cloud account. The stolen documents included Google's supercomputing infrastructure details, AI models, and Cluster Management System software, critical to the company's AI operations. Ding's actions were linked to his affiliations with two Chinese tech firms, where he held leadership roles, including founding a startup focused on AI and machine learning. The theft occurred between May 2022 and April 2023, with Ding using deceitful tactics to cover his tracks, including manipulating access records and presenting in China. Prosecutors highlighted Ding's involvement in a Beijing-sponsored talent program aimed at enhancing China's technological capabilities, further implicating state interests. Ding faces significant legal consequences, with potential sentences of up to 10 years for each theft count and 15 years for each economic espionage count. This case underscores the ongoing risk of intellectual property theft by foreign entities and the importance of safeguarding national security-related technologies. |
| 2026-01-30 07:18:27 | thehackernews | VULNERABILITIES | SmarterMail Releases Critical Security Patches for RCE Vulnerabilities | SmarterTools has released patches for critical vulnerabilities in SmarterMail software, including CVE-2026-24423, which allows unauthenticated remote code execution and carries a CVSS score of 9.3. The flaw in the ConnectToHub API could let attackers execute malicious OS commands via a compromised HTTP server, posing significant risks to users. Researchers from watchTowr, CODE WHITE GmbH, and VulnCheck identified and reported these vulnerabilities, prompting a swift response from SmarterTools. The critical vulnerabilities have been addressed in SmarterMail Build 9511 and Build 9518, released on January 15 and January 22, 2026, respectively. Another critical flaw, CVE-2026-23760, was actively exploited before being patched, emphasizing the need for immediate updates to safeguard systems. A medium-severity vulnerability, CVE-2026-25067, enabling NTLM relay attacks, was also patched, preventing unauthorized network authentication risks. Organizations using SmarterMail are urged to update to the latest software version promptly to mitigate potential exploitation. |
| 2026-01-30 04:48:17 | thehackernews | VULNERABILITIES | Ivanti Releases Patches for Actively Exploited EPMM Zero-Day Flaws | Ivanti has issued security updates for two zero-day vulnerabilities in its Endpoint Manager Mobile (EPMM) software, which are actively exploited and now listed in CISA's Known Exploited Vulnerabilities catalog. The vulnerabilities, CVE-2026-1281 and CVE-2026-1340, impact the In-House Application Distribution and Android File Transfer Configuration features, posing a critical risk to affected systems. Successful exploitation allows arbitrary code execution and potential lateral movement within connected environments, with sensitive device information at risk. Ivanti advises users to monitor Apache access logs for 404 HTTP response codes, which may indicate exploitation attempts, and to review system configurations for unauthorized changes. Affected users are urged to apply the RPM patch, which must be reapplied after version upgrades, until a permanent fix is available in EPMM version 12.8.0.0, slated for release in Q1 2026. In cases of detected compromise, Ivanti recommends restoring affected devices from a known good backup or rebuilding and migrating data to a new EPMM device. CISA mandates that Federal Civilian Executive Branch agencies implement the updates by February 1, 2026, to mitigate potential threats. |
| 2026-01-30 00:21:16 | theregister | VULNERABILITIES | Survey Reveals Java Developers Prefer Pre-Hardened Container Images | A BellSoft survey of 427 developers indicates 48% prefer pre-hardened container images to managing security vulnerabilities themselves, reflecting a desire to offload security responsibilities. Security was the top priority for 29% of respondents when selecting base container images, followed by performance and image size, highlighting ongoing security concerns. The survey found 23% of developers experienced container-related security incidents in the past year, showcasing the prevalent challenges in container security management. Human error accounts for 62% of security mistakes, with patching difficulties and false positives also contributing to security challenges, indicating a need for improved processes and tools. Developers reported using trusted container registries (45%) and vulnerability scanning (43%) as primary security measures, but organizational constraints hinder comprehensive security efforts. BellSoft suggests that adopting hardened images can reduce security and maintenance burdens, promoting efficiency and cost savings for development teams. The survey highlights a disconnect between desired security outcomes and current practices, driven by resource limitations and reliance on general-purpose software tools. |
| 2026-01-29 23:27:36 | theregister | DATA BREACH | CISA Official's ChatGPT Use Raises Insider Threat Concerns | CISA's acting director reportedly uploaded sensitive documents to ChatGPT, raising insider threat concerns within the federal cybersecurity agency. This incident triggered automated security alerts, highlighting the risks of using public AI tools to handle sensitive government information. CISA's recent guidance on insider threat management emphasizes the importance of multidisciplinary teams to mitigate risks from both malicious insiders and accidental disclosures. The agency offers resources, including a mitigation guide and evaluation tools, to assist organizations in developing robust insider threat programs. Despite CISA's security measures, the director's actions underscore the challenges of balancing AI innovation with data security in government operations. The timing of CISA's insider threat guidance, following the director's security lapse, has drawn attention to the need for federal agencies to adhere to their own recommendations. This incident serves as a reminder of the growing risks associated with AI and the need for stringent controls to protect sensitive data. |
| 2026-01-29 22:14:55 | bleepingcomputer | VULNERABILITIES | Ivanti Discloses Critical EPMM Vulnerabilities in Zero-Day Exploits | Ivanti has identified two critical zero-day vulnerabilities, CVE-2026-1281 and CVE-2026-1340, in its Endpoint Manager Mobile (EPMM), with a CVSS score of 9.8. These code-injection vulnerabilities allow remote attackers to execute arbitrary code without authentication, impacting a limited number of customers. Ivanti has released RPM scripts to mitigate the vulnerabilities, advising immediate application, though these fixes require reapplication after version upgrades. The permanent resolution is scheduled for release in EPMM version 12.8.0.0, expected later in Q1 2026. Exploitation of these flaws can expose sensitive data, including administrator credentials and device information, potentially compromising network security. Ivanti recommends reviewing access logs for suspicious activity and restoring systems from known-good backups if compromise is suspected. The U.S. CISA has added CVE-2026-1281 to its Known Exploited Vulnerabilities catalog, urging federal agencies to apply mitigations by February 1, 2026. Organizations should monitor for potential lateral movement and reconnaissance activity, especially if EPMM is integrated with internal network assets. |
| 2026-01-29 22:14:54 | bleepingcomputer | MALWARE | Hugging Face Platform Exploited to Distribute Android Malware Variants | Bitdefender researchers identified a campaign using Hugging Face to host thousands of Android malware variants, targeting financial and payment service credentials. The attack employs a dropper app, TrustBastion, masquerading as a security tool, to lure users into installing malicious software. TrustBastion uses scareware tactics and mimics Google Play updates to redirect users to malicious APKs hosted on Hugging Face's infrastructure. The campaign utilizes server-side polymorphism, generating new malware variants every 15 minutes to evade detection. The malware exploits Android's Accessibility Services to perform unauthorized actions, including screen overlays and capturing user data. Fake login interfaces for services like Alipay and WeChat are used to steal user credentials and lock screen codes. Bitdefender notified Hugging Face, leading to the removal of the malicious repositories, though the operation reemerged under a new name. Users are advised to avoid third-party app stores and scrutinize app permissions to prevent unauthorized access and potential data theft. |
| 2026-01-29 19:35:03 | bleepingcomputer | MALWARE | Google and Partners Disrupt Major Residential Proxy Network IPIDEA | Google Threat Intelligence Group, with industry partners, dismantled IPIDEA, a vast residential proxy network linked to malware distribution and malicious activities worldwide. IPIDEA, advertised as a VPN service, covertly used 6.7 million users' devices as proxy exit nodes, enabling threat actors to mask illegal activities. The network was exploited by over 550 threat groups, including those from China, Iran, Russia, and North Korea, for activities such as account takeovers and credential theft. IPIDEA's infrastructure supported large-scale DDoS botnets and was linked to brute-force attacks targeting VPN and SSH services. Google identified at least 600 trojanized Android apps and 3,000 Windows binaries that embedded IPIDEA's proxying SDKs, turning devices into exit nodes without user consent. Google Play Protect now blocks applications with IPIDEA-related SDKs on certified Android devices, enhancing user protection against this threat. Despite the disruption, IPIDEA operators remain unidentified, and the network could be rebuilt; vigilance against suspicious apps is advised. |
| 2026-01-29 18:40:07 | thehackernews | VULNERABILITIES | Global Exposure of 175,000 Ollama AI Servers Raises Security Concerns | SentinelOne and Censys identified 175,000 publicly exposed Ollama AI servers across 130 countries, predominantly in China, posing significant security risks. These servers, part of an open-source AI framework, operate outside standard security protocols, increasing vulnerability to unauthorized access and exploitation. Nearly half of these hosts have tool-calling capabilities, allowing execution of code and interaction with external systems, thereby altering traditional threat models. The exposure of these systems could lead to LLMjacking, where threat actors exploit AI resources for malicious activities like spam generation and cryptocurrency mining. A criminal operation, dubbed Operation Bizarre Bazaar, actively targets these exposed servers, commercializing access to compromised AI infrastructure. The decentralized nature of Ollama's deployment complicates governance, necessitating new security strategies to manage unmanaged AI compute environments. Organizations must implement robust authentication, monitoring, and network controls to safeguard AI deployments, treating them as critical infrastructure. |
| 2026-01-29 18:19:28 | bleepingcomputer | DATA BREACH | Match Group Data Breach Affects Millions Across Multiple Dating Platforms | Match Group confirmed a cybersecurity incident impacting user data from Tinder, Match.com, OkCupid, and Hinge, with the ShinyHunters group claiming responsibility. Approximately 10 million user records and internal documents were compromised, though user log-in credentials and financial data remain secure. The breach was facilitated by a compromised Okta SSO account, granting access to AppsFlyer, Google Drive, and Dropbox. Match Group has initiated an investigation with external experts and is notifying affected users. The incident is part of a broader ShinyHunters campaign targeting SSO accounts at major tech firms. Experts recommend adopting phishing-resistant MFA solutions, such as FIDO2 keys, to mitigate social engineering threats. Organizations are advised to implement strict app authorization policies and monitor for unusual API activity to enhance security. |
| 2026-01-29 18:01:56 | bleepingcomputer | DATA BREACH | SonicWall Cloud Backup Breach Leads to Ransomware Attack on Marquis | Marquis Software Solutions, serving over 700 financial institutions, experienced a ransomware attack affecting numerous U.S. banks and credit unions in August 2025. The breach was attributed to unauthorized access to SonicWall's MySonicWall portal, where attackers extracted firewall configuration backup files. Initial assumptions of an unpatched firewall exploit were corrected; the breach stemmed from compromised cloud backup data. SonicWall's September 17 disclosure indicated only 5% of firewall customers were affected, but later updates confirmed all cloud backup users were impacted. A Mandiant investigation linked the breach to state-sponsored actors, though unrelated to the Akira ransomware attacks on SonicWall VPN accounts. Marquis is considering legal action against SonicWall to recover costs related to the breach response. The incident underscores the critical need for robust security measures around cloud services and customer portals. |