Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12590
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2026-01-27 11:53:30 | thehackernews | VULNERABILITIES | Continuous Threat Exposure Management Enhances Cybersecurity Posture | Continuous Threat Exposure Management (CTEM) integrates threat and vulnerability management, focusing on exploitable exposures to enhance security posture effectively. CTEM emphasizes a continuous cycle of identifying, prioritizing, and remediating exposures, moving beyond isolated threat and vulnerability assessments. The approach unifies various cybersecurity processes, including vulnerability assessment, attack surface management, and simulation, to address real, exploitable risks. Threat intelligence plays a crucial role in CTEM by connecting vulnerabilities to adversary tactics, techniques, and procedures, enabling organizations to prioritize remediation efforts. CTEM requires strategic implementation across security teams, breaking down silos and improving workflows, rather than relying on a single tool or technology. Validation through testing, breach simulations, and exercises is essential to ensure security controls are effective against probable attack paths and vulnerabilities. Effective CTEM answers critical security questions with evidence, focusing on what can harm the organization, how it could occur, and whether it can be prevented. | Details |
| 2026-01-27 11:30:55 | theregister | MISCELLANEOUS | High Court Reviews Met Police's Use of Facial Recognition Tech | The High Court is set to hear a case challenging the Metropolitan Police's use of live facial recognition (LFR) technology, focusing on potential human rights violations. Civil liberties group Big Brother Watch and claimant Shaun Thompson argue the Met's LFR policies infringe on privacy rights under the European Convention on Human Rights. Thompson, misidentified by LFR in Croydon, faced demands for fingerprints despite no wrongdoing, raising concerns over the technology's accuracy and fairness. The legal challenge questions the broad application of LFR in "crime hotspots," potentially covering vast areas of London and affecting public freedoms. Critics argue that LFR's mass surveillance capabilities threaten civil liberties, reversing the presumption of innocence and compromising privacy. The hearing coincides with UK government plans to expand police use of facial recognition, citing its effectiveness in apprehending criminals. The outcome could influence future regulations and safeguards for AI-driven surveillance technologies in the UK. | Details |
| 2026-01-27 10:43:24 | theregister | VULNERABILITIES | Microsoft Releases Emergency Patch for Actively Exploited Office Zero-Day | Microsoft issued an emergency patch for a zero-day vulnerability, CVE-2026-21509, affecting Office 2016, 2019, and other versions, following real-world exploitation. The vulnerability, with a CVSS score of 7.8, allows attackers to bypass security features by exploiting legacy components like COM and OLE. Exploitation requires convincing a user to open a malicious Office file, bypassing protections without relying on the preview pane. Microsoft has released updates for newer Office versions, but users of Office 2016 and 2019 must apply registry tweaks as a temporary mitigation. The workaround involves blocking vulnerable COM and OLE controls via the Windows registry, a challenging task for large organizations. The US Cybersecurity and Infrastructure Security Agency has added the flaw to its Known Exploited Vulnerabilities catalog, urging federal agencies to apply fixes by February 16. This patch follows closely on the heels of another critical Windows vulnerability, indicating a challenging year for Microsoft security teams. | Details |
| 2026-01-27 10:43:24 | thehackernews | VULNERABILITIES | Critical Grist-Core Vulnerability Enables Remote Code Execution via Formulas | A critical flaw in Grist-Core, identified as CVE-2026-24002, allows remote code execution through spreadsheet formulas, posing significant risks for users of this open-source platform. The vulnerability, named Cellbreak, exploits a Pyodide sandbox escape, similar to a recent issue in n8n, allowing malicious formulas to execute OS commands and JavaScript. The flaw is rooted in Grist's Python formula execution, which can bypass sandbox restrictions, leading to potential command execution and unauthorized access to sensitive data. Grist has released version 1.7.9 to address this issue, urging users to update immediately to prevent exploitation, especially if using the Pyodide sandboxing method. Users should verify their sandbox settings in the Admin Panel and switch to "gvisor" to mitigate risks temporarily, avoiding configurations that allow Pyodide without Deno. The incident underscores the need for capability-based and defense-in-depth sandboxing to prevent trust boundary collapses and protect against data breaches. Organizations using Grist should review their security practices and ensure all systems are updated to safeguard against potential exploitation of this vulnerability. | Details |
| 2026-01-27 09:08:55 | thehackernews | NATION STATE ACTIVITY | China-Linked APTs Exploit PeckBirdy Framework for Targeted Cyber Operations | Cybersecurity researchers identified the PeckBirdy JavaScript C2 framework, used by China-aligned APTs since 2023, targeting gambling industries and Asian government entities. PeckBirdy employs JScript to operate across various environments using living-off-the-land binaries, facilitating remote malware delivery and execution. The framework's campaigns, SHADOW-VOID-044 and SHADOW-EARTH-045, target Chinese gambling sites and Asian government systems, respectively, for credential harvesting and lateral movement. PeckBirdy's versatility allows operation through web browsers, MSHTA, WScript, and other platforms, adapting to different execution contexts and communication methods. The framework's infrastructure supports multiple APIs, enabling delivery of scripts tailored to specific environments, complicating detection by traditional security measures. Additional backdoors, HOLODONUT and MKDOOR, were discovered on PeckBirdy's servers, suggesting complex, modular attack strategies. The campaigns' dynamic nature and lack of persistent file artifacts pose significant challenges to endpoint security, highlighting the need for advanced detection strategies. | Details |
| 2026-01-27 07:24:25 | thehackernews | VULNERABILITIES | Microsoft Issues Emergency Patch for Office Zero-Day Vulnerability | Microsoft released an out-of-band patch for a critical zero-day vulnerability, CVE-2026-21509, affecting Microsoft Office with a CVSS score of 7.8. The vulnerability allows attackers to bypass security features in Microsoft Office by exploiting untrusted inputs, posing significant risks if left unpatched. Exploitation involves sending a specially crafted Office file to users, requiring them to open it, though the Preview Pane is not a vector. Microsoft automatically protects Office 2021 and later users via a service-side change, necessitating an application restart for full protection. Users of Office 2016 and 2019 must manually install updates and apply a Windows Registry change as a mitigation measure. The U.S. CISA has added CVE-2026-21509 to its Known Exploited Vulnerabilities catalog, mandating patch application by February 16, 2026, for federal agencies. Microsoft's Threat Intelligence Center, Security Response Center, and Office Product Group Security Team were instrumental in identifying and addressing the flaw. | Details |
| 2026-01-26 23:48:39 | bleepingcomputer | MALWARE | New Malware Service Offers Malicious Chrome Extensions as a Service | A new malware-as-a-service (MaaS) called 'Stanley' is offering malicious Chrome extensions that can bypass Google's review process and be published on the Chrome Web Store. Researchers from Varonis identified Stanley, which enables phishing attacks by overlaying a webpage with a full-screen iframe containing attacker-controlled content. Stanley's service includes silent auto-installation on Chrome, Edge, and Brave browsers, with subscription tiers offering features like a web panel and publishing support. The malware supports IP-based victim identification, geographic targeting, and persistent command-and-control polling every 10 seconds to maintain communication. Despite its lack of advanced features, Stanley's ability to pass Chrome Web Store reviews poses a significant threat to browser security and user trust. Varonis advises users to minimize installed extensions, review user feedback, and verify publisher credibility to mitigate risks associated with malicious extensions. Google has been contacted for comment, and updates will follow as more information becomes available. | Details |
| 2026-01-26 22:36:55 | theregister | CYBERCRIME | ShinyHunters Target 100 Firms in Okta Credential Theft Campaign | ShinyHunters launched a credential-stealing campaign targeting Okta SSO accounts of approximately 100 companies, including Canva, Atlassian, and RingCentral, as reported by Silent Push researchers. The campaign employs advanced voice-phishing techniques to compromise SSO credentials and enroll threat actor devices into victim multi-factor authentication (MFA) systems. Mandiant confirmed the campaign's ongoing status, noting that attackers pivot into SaaS environments to exfiltrate sensitive data post-initial access. ShinyHunters reportedly accessed Crunchbase and Betterment, leaking over 22 million records combined, though the full extent of breaches remains unconfirmed. Organizations are advised to implement phishing-resistant MFA solutions like FIDO2 security keys to mitigate risks associated with social engineering attacks. Monitoring for anomalous API activity and unauthorized device enrollments is recommended to detect potential breaches early. Okta alerted companies to the threat, emphasizing the importance of robust authentication practices to protect against such identity theft campaigns. | Details |
| 2026-01-26 21:46:47 | bleepingcomputer | MALWARE | New ClickFix Campaign Uses App-V Scripts for Malware Delivery | A recent campaign exploits Windows App-V scripts to deliver the Amatera infostealer using the ClickFix method, combining fake CAPTCHA and signed scripts to mask malicious activity. The attack leverages Microsoft's App-V feature, which allows applications to run in isolated environments, disguising the execution of PowerShell commands through a trusted component. Attackers initiate the process with a fake CAPTCHA, tricking users into executing commands that abuse legitimate App-V scripts to launch PowerShell and evade security solutions. The malware retrieves configuration data from a public Google Calendar file and uses steganography to hide payloads in PNG images, dynamically loading them via WinINet APIs. Amatera, based on the ACR infostealer, is under active development as malware-as-a-service, capable of collecting browser data and credentials from infected systems. Researchers recommend restricting access to the Windows Run dialog, removing unnecessary App-V components, enabling PowerShell logging, and monitoring outbound connections for anomalies. This attack illustrates the evolving sophistication of malware delivery methods, emphasizing the need for robust security measures and continuous monitoring to protect enterprise environments. | Details |
| 2026-01-26 18:26:24 | bleepingcomputer | VULNERABILITIES | Microsoft Releases Emergency Patch for Office Zero-Day Vulnerability | Microsoft issued an urgent security update to address a high-severity zero-day vulnerability in Microsoft Office, known as CVE-2026-21509, affecting multiple Office versions and Microsoft 365 Apps. The vulnerability allows unauthorized attackers to bypass security features using low-complexity attacks that require user interaction, potentially compromising systems. Affected Office versions include 2016, 2019, LTSC 2021, LTSC 2024, and Microsoft 365 Apps, though patches for Office 2016 and 2019 are pending. Microsoft advises users to implement temporary mitigation measures, involving registry changes, to reduce the risk of exploitation until official patches are available. The vulnerability involves bypassing OLE mitigations, which are designed to protect users from vulnerable COM/OLE controls within Office applications. This emergency update follows Microsoft's recent Patch Tuesday release, which addressed 114 security flaws, including other zero-day vulnerabilities. Organizations are advised to apply the latest updates promptly and follow Microsoft's mitigation guidance to safeguard against potential attacks. | Details |
| 2026-01-26 17:52:11 | bleepingcomputer | VULNERABILITIES | Cloudflare's BGP Route Leak Causes Global Internet Traffic Disruption | Cloudflare experienced a 25-minute BGP route leak, affecting IPv6 traffic and resulting in significant congestion and approximately 12 Gbps of dropped traffic. The incident stemmed from a policy misconfiguration on a router, impacting external networks beyond Cloudflare's direct customers. BGP route leaks occur when routing policies are violated, potentially allowing unauthorized traffic interception and analysis. Cloudflare quickly identified the issue, manually reverted the configuration, and paused automation to mitigate the impact. The incident is akin to a similar event in July 2020, prompting Cloudflare to propose stricter export safeguards and enhanced detection measures. Future prevention strategies include community-based export safeguards, CI/CD policy checks, and promoting RPKI ASPA adoption. This event underscores the importance of rigorous network configuration management to maintain internet reliability and security. | Details |
| 2026-01-26 17:09:10 | thehackernews | CYBERCRIME | Phishing Campaign Targets Indian Users with Blackmoon Malware | A phishing campaign is targeting Indian users by impersonating the Income Tax Department to deliver Blackmoon malware, aiming for espionage and data theft. The attack uses phishing emails to distribute a malicious archive, granting attackers persistent access to victims' systems for continuous monitoring. The campaign employs Blackmoon, a known banking trojan, and SyncFuture TSM, a legitimate tool repurposed for espionage, to enhance its capabilities. Attackers use advanced techniques such as DLL sideloading, privilege escalation, and anti-analysis measures to evade detection and maintain persistence. The malware adapts its behavior based on the presence of Avast Free Antivirus, using automated actions to bypass its security features. The campaign's sophisticated methods demonstrate a high level of technical capability, though no specific threat actor has been identified. Organizations are advised to enhance their phishing defenses and monitor for unusual activity to mitigate potential impacts. | Details |
| 2026-01-26 15:50:06 | thehackernews | MALWARE | Malicious VS Code Extensions Compromise Developer Source Code Security | Researchers identified two malicious Visual Studio Code extensions posing as AI coding assistants, secretly exfiltrating developer data to servers in China, with 1.5 million installations recorded. The extensions operate as advertised, offering coding suggestions while covertly capturing and transmitting file contents and modifications without user consent. The malicious code encodes data in Base64 format and sends it to a Chinese server, triggered with every file edit, raising significant data security concerns. A real-time monitoring feature can be remotely activated, allowing up to 50 files to be exfiltrated from the user's workspace, increasing potential data loss. Embedded within the extensions is a hidden zero-pixel iframe loading four Chinese analytics SDKs, enabling device fingerprinting and extensive user profiling. The discovery of these extensions underscores the need for vigilance in vetting third-party tools, particularly those with access to sensitive development environments. Organizations are urged to review installed extensions and consider security measures to protect against unauthorized data access and exfiltration. | Details |
| 2026-01-26 15:24:53 | bleepingcomputer | VULNERABILITIES | Critical Telnet Vulnerability Exposes Nearly 800,000 Servers Worldwide | Shadowserver is monitoring nearly 800,000 IP addresses with Telnet fingerprints vulnerable to a critical authentication bypass flaw in the GNU InetUtils telnetd server. The flaw, CVE-2026-24061, affects versions 1.9.3 through 2.7, allowing attackers to log in as root by exploiting the USER environment variable. A patch was released on January 20, but the extent of secured devices remains unclear, with significant exposure in Asia, South America, and Europe. GreyNoise has detected limited exploitation of the vulnerability from 18 IP addresses, targeting the root user in over 83% of cases. Attackers attempted to deploy Python malware post-compromise, but these efforts failed due to missing directories and binaries. Administrators are urged to disable the vulnerable telnetd service or block TCP port 23 if immediate patching is not feasible. The vulnerability highlights the persistent risk posed by unpatched legacy systems, particularly in IoT environments. | Details |
| 2026-01-26 15:02:59 | bleepingcomputer | VULNERABILITIES | Strengthening Okta Security: Key Configurations to Mitigate Risks | As organizations increasingly rely on Okta for identity management, maintaining robust security configurations is crucial to prevent potential breaches and misconfigurations. Recent breaches have shown that even advanced organizations can be vulnerable if Okta security settings are not properly managed and updated. Six essential security configurations for Okta include strong password policies, phishing-resistant two-factor authentication, and Okta ThreatInsight to block suspicious activity. Additional measures such as admin session ASN binding and session lifetime settings further reduce risks of unauthorized access and session hijacking. Implementing behavior rules in Okta allows detection of anomalous user behavior, triggering additional security measures when necessary. Continuous monitoring and management of Okta security posture, possibly with tools like Nudge Security, can help organizations adapt to evolving threats. Nudge Security provides a comprehensive solution to identify and rectify common Okta security misconfigurations, enhancing overall SaaS security and governance. | Details |