Daily Brief
Find articles below; see 'Details' for the generated summaries.
Total articles found: 12595
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2026-01-15 09:04:35 | bleepingcomputer | VULNERABILITIES | Palo Alto Networks Patches Critical DoS Vulnerability in Firewalls | Palo Alto Networks addressed a critical vulnerability, CVE-2026-0227, in its firewalls that could allow unauthenticated attackers to disable firewall protections through denial-of-service attacks. The flaw impacts next-generation firewalls running PAN-OS 10.1 or later and Prisma Access configurations with GlobalProtect enabled; most cloud-based instances have been patched. The vulnerability allows repeated attacks to push firewalls into maintenance mode, disrupting network security operations for affected organizations. Palo Alto Networks has released security updates for all impacted versions and advises administrators to upgrade to the latest release to mitigate potential risks. Shadowserver monitors nearly 6,000 exposed Palo Alto Networks firewalls online, but the extent of vulnerable configurations remains unclear. No active exploitation of this vulnerability has been reported, but Palo Alto Networks products are frequent targets for attacks exploiting zero-day vulnerabilities. The company's firewalls are widely used by over 70,000 customers, including major U.S. banks and 90% of Fortune 10 companies, highlighting the importance of timely patching. | Details |
| 2026-01-15 08:22:25 | thehackernews | VULNERABILITIES | Palo Alto Networks Patches Critical GlobalProtect DoS Vulnerability | Palo Alto Networks has addressed a high-severity denial-of-service vulnerability in its GlobalProtect Gateway and Portal, tracked as CVE-2026-0227, with a CVSS score of 7.7. The flaw allows unauthenticated attackers to crash firewalls by exploiting improper checks for exceptional conditions, causing the system to enter maintenance mode. Impacted systems include specific configurations of PAN-OS NGFW or Prisma Access with GlobalProtect enabled, while Cloud Next-Generation Firewall remains unaffected. Discovered by an external researcher, this vulnerability currently has no known workarounds, prompting immediate software updates to mitigate potential risks. Although there is no evidence of active exploitation, repeated scanning of GlobalProtect gateways over the past year indicates potential interest from threat actors. Organizations are urged to prioritize updating affected systems to prevent potential service disruptions and maintain robust network security. | Details |
| 2026-01-15 07:16:17 | bleepingcomputer | CYBERCRIME | Microsoft Shuts Down RedVDS Cybercrime Platform with Global Impact | Microsoft dismantled RedVDS, a cybercrime platform linked to $40 million in losses in the U.S. since March 2025, through legal actions and infrastructure seizures. The operation, conducted with Europol and German authorities, involved lawsuits in the U.S. and U.K. targeting RedVDS's marketplace and customer portal. RedVDS offered cybercriminals disposable virtual desktops for $24 monthly, facilitating scalable and untraceable fraud and cyber-enabled crimes globally. The platform's technical fingerprint was a cloned Windows Server 2022 image, which aided investigators in tracking its widespread malicious activities. RedVDS customers used the service for phishing, credential theft, and business email compromise, impacting over 191,000 organizations worldwide. The operation underscores the growing threat of cybercrime-as-a-service platforms, which enhance the scale and anonymity of cyberattacks. Microsoft continues to collaborate with global partners to disrupt similar operations, as seen in the recent takedown of the RaccoonO365 phishing service. | Details |
| 2026-01-14 21:52:04 | bleepingcomputer | DATA BREACH | Kyowon Group Confirms Data Theft in Recent Ransomware Attack | South Korean conglomerate Kyowon Group disclosed a ransomware attack resulting in potential exposure of customer data, affecting its operations and digital services. The attack, which occurred in January, impacted approximately 600 of Kyowon's 800 servers, leading to significant service disruptions. Kyowon is investigating the breach in collaboration with Korea's Internet & Security Agency and security experts to determine the extent of customer data exposure. The company is in the final stages of restoring its online services and has committed to transparency regarding any confirmed data leaks. No major ransomware group has claimed responsibility for the attack as of this report. This incident follows a series of significant cyberattacks on South Korean companies, highlighting ongoing cybersecurity challenges in the region. Kyowon's response includes notifying affected parties and promising updates as more information becomes available. | Details |
| 2026-01-14 20:46:06 | theregister | MALWARE | New VoidLink Malware Targets Linux Cloud Environments with Stealthy Tactics | Check Point Research has identified VoidLink, a new Linux malware targeting cloud infrastructures, featuring over 30 plugins for credential theft, lateral movement, and container abuse. VoidLink is built in Zig and originates from a Chinese-affiliated development environment, with a command-and-control interface localized for Chinese operators. The malware is designed to operate in Linux-based cloud environments, detecting AWS, Google Cloud Platform, Microsoft Azure, Alibaba, and Tencent, with plans to expand detection capabilities. It features advanced operational-security capabilities, including custom loaders, implants, and kernel-level rootkits, making it more sophisticated than typical Linux malware. VoidLink can self-delete and invoke anti-forensics modules to erase traces if tampering or analysis is detected, complicating detection and response efforts. The framework's design suggests long-term access and data collection, indicating potential use by professional threat actors rather than opportunistic attackers. No real-world infections have been observed yet, but its cloud-first focus poses significant risks to government agencies, enterprises, and critical infrastructure. | Details |
| 2026-01-14 19:57:41 | bleepingcomputer | DATA BREACH | Free Mobile Fined €42 Million for 2024 Data Breach Incident | The French data protection authority, CNIL, fined Free Mobile and its parent company €42 million for inadequate data protection in a 2024 breach. The breach exposed sensitive information of nearly 23 million subscribers, including IBANs for approximately 25% of those affected. Hackers exploited the company's management tool to steal data, later selling it on a hacker forum under the alias 'drussellx'. CNIL's investigation found Free Mobile violated several GDPR rules, despite subsequent improvements in its cybersecurity measures. The regulator has mandated that Free Mobile enhance security measures within three months and manage excess customer data within six months. The incident is part of a broader trend affecting French telecommunications, with similar breaches at Orange France and Bouygues Telecom in 2025. This case highlights the critical importance of robust data protection practices to prevent regulatory penalties and protect customer information. | Details |
| 2026-01-14 19:07:12 | thehackernews | MALWARE | Kimwolf Botnet Infects Millions of Android Devices for Proxy Network | The Kimwolf botnet has compromised over 2 million Android devices, primarily targeting unsanctioned Android TV streaming devices through an SDK called ByteConnect. Devices are transformed into residential proxies, enabling threat actors to conduct DDoS attacks and relay malicious traffic under the guise of legitimate residential activity. Black Lotus Labs has null-routed traffic to over 550 command-and-control nodes linked to the botnet, disrupting its operations. The botnet's rapid growth included a 300% surge in new bots within a week, with 800,000 bots added by mid-October 2025. Kimwolf exploits security flaws in proxy services, enabling malware deployment on devices with exposed Android Debug Bridge services. The botnet's infrastructure leverages IP addresses from Utah-based hosting provider Resi Rack LLC, which has been linked to proxy service sales on Discord. Recent reports reveal the use of compromised KeeneticOS routers in Russia to expand the proxy network, complicating detection because of their residential IP classification. | Details |
| 2026-01-14 18:56:46 | bleepingcomputer | VULNERABILITIES | Critical FortiSIEM Vulnerability Exploit Code Released Publicly | A critical vulnerability, CVE-2025-25256, in Fortinet's FortiSIEM was disclosed, allowing remote code execution by unauthenticated attackers via crafted TCP requests. Horizon3.ai identified the flaw, which involves improper neutralization of special elements in OS commands, and published a detailed analysis and exploit code. Fortinet has patched the vulnerability in most development branches, but versions 6.7 and 7.0 remain unsupported and will not receive updates. The flaw impacts FortiSIEM versions 6.7 to 7.5, excluding FortiSIEM 7.5 and FortiSIEM Cloud, which are unaffected by this issue. Fortinet advises limiting access to the phMonitor port (7900) as a temporary workaround for those unable to apply the patch immediately. Horizon3.ai provided indicators of compromise to help organizations detect whether systems have been exploited, focusing on specific log entries. The vulnerability has attracted interest from ransomware groups, including Black Basta, indicating potential for exploitation in future attacks. | Details |
| 2026-01-14 16:46:24 | bleepingcomputer | VULNERABILITIES | Microsoft Resolves False Positive Issue in Windows DLL Component | Microsoft addressed a false positive issue affecting the Windows DLL WinSqlite3.dll, which was incorrectly flagged by security software as vulnerable to a memory corruption vulnerability (CVE-2025-6965). The issue impacted a wide range of systems, including Windows 10, Windows 11, and Windows Server 2012 through 2025, causing operational disruptions for users. Microsoft released updates on January 13, 2026, to correct the false positive detections, urging users to install the latest updates for improved security and functionality. WinSqlite3.dll, part of the core Windows components, was mistakenly identified as vulnerable, while the distinct sqlite3.dll remains unaffected and is updated via the Microsoft Store. Previous false positives in Microsoft Defender for Endpoint also flagged SQL Server and Dell BIOS firmware, highlighting ongoing challenges in maintaining accurate threat detection. These incidents emphasize the importance of timely updates and effective communication from vendors to mitigate operational impacts and maintain system integrity. | Details |
| 2026-01-14 15:23:09 | theregister | DATA BREACH | French Telecom Giants Fined €42M Following Major Data Breach | France's CNIL imposed a €42 million fine on Free and Free Mobile for GDPR violations linked to a breach affecting over 24 million customers. The breach, occurring in October 2024, compromised sensitive data, including financial information such as IBANs, impacting both fixed-line and mobile subscribers. Attackers accessed Free's network via a VPN vulnerability, subsequently exploiting the MOBO subscriber management tool to extract customer data. The companies were criticized for inadequate security measures, insufficient breach communication, and non-compliance with data retention laws. CNIL highlighted the lack of robust authentication for VPN access and ineffective detection of abnormal system behavior as key security failings. The breach revealed deficiencies in data management, particularly in retaining and deleting former subscribers' information, prompting regulatory action. This incident underscores the critical need for telecom companies to enhance cybersecurity protocols to protect customer data and ensure regulatory compliance. | Details |
| 2026-01-14 15:14:47 | thehackernews | VULNERABILITIES | AI Agents Pose New Privilege Escalation Risks in Organizations | AI agents have transitioned from productivity tools to integral components in security, IT, and operational workflows, introducing new access risks within organizations. These agents, designed for broad organizational use, often possess extensive permissions, potentially bypassing traditional user-level access controls. The agents utilize shared service accounts and API keys, enabling continuous operation but creating potential security blind spots. Traditional access models struggle to manage agent-mediated workflows, as actions are attributed to the agent rather than to individual users. This can lead to privilege escalation, where users indirectly access data or systems beyond their authorization through AI agents. Security teams face challenges in enforcing least privilege and detecting misuse because of limited visibility and attribution issues. Continuous monitoring and visibility into agent activities are essential to prevent unauthorized access and maintain security integrity. Solutions like Wing Security offer tools to map agent access, correlate activities, and ensure agent permissions align with user authorizations. | Details |
| 2026-01-14 15:14:47 | bleepingcomputer | NATION STATE ACTIVITY | Push Security Uncovers ConsentFix OAuth Phishing Linked to APT29 | Push Security identified a new phishing technique, ConsentFix, targeting Microsoft accounts by exploiting OAuth consent to bypass traditional authentication controls. The attack was conducted across a network of compromised websites, impacting multiple customer environments and leveraging social engineering tactics. ConsentFix allows attackers to take over accounts by hijacking OAuth authorization codes, bypassing even advanced security measures such as MFA. Security researchers, including those from Microsoft and Glueck Kanja, have shared analysis and recommendations to counteract this novel threat. The campaign has been linked to the Russian state-affiliated APT29, known for sophisticated and stealthy tactics beyond typical phishing methods. Eleven first-party Microsoft apps were identified as vulnerable, with known Conditional Access policy exclusions that attackers exploited. Organizations are advised to enhance monitoring and implement browser-based detection to mitigate this threat, as traditional security tools may be ineffective. The rapid evolution of ConsentFix suggests it will be adopted by both state actors and cybercriminals, necessitating immediate defensive measures. | Details |
| 2026-01-14 14:22:16 | theregister | RANSOMWARE | DeadLock Ransomware Group Adopts Blockchain for Evasion Tactics | The DeadLock ransomware group, identified in July 2025, employs blockchain-based methods to evade cybersecurity defenses, targeting a wide array of organizations. Unlike traditional ransomware operations, DeadLock does not maintain a data leak site, instead threatening to sell stolen data on underground markets. The group uses Polygon smart contracts to obscure its command-and-control infrastructure, complicating efforts to block its operations. Victims are directed to use the decentralized messenger Session for communication, facilitated through an HTML file dropped after encryption. This use of smart contracts enables frequent rotation of proxy server URLs, challenging defenders' ability to disrupt the group's infrastructure. Similar techniques have been observed in state-sponsored attacks, with North Korean groups using smart contracts for malware concealment. Details on DeadLock's initial access methods remain unclear, though connections to BYOVD techniques and vulnerability exploitation have been suggested. | Details |
| 2026-01-14 14:22:16 | thehackernews | MALWARE | DLL Side-Loading Campaign Targets Key Sectors with Malware | A sophisticated malware campaign exploits DLL side-loading in the c-ares library to deploy trojans and stealers, bypassing traditional security measures. Attackers use a malicious DLL paired with a signed GitKraken executable to achieve code execution, targeting employees in finance, procurement, and supply chain roles. The campaign distributes malware such as Agent Tesla, CryptBot, and Remcos RAT, using invoice and request-for-quote themes to deceive users. Lures are crafted in multiple languages, including Arabic, Spanish, and English, indicating a focus on specific regional targets. The attack leverages search order hijacking, placing malicious DLLs in the same directory as legitimate binaries to execute rogue code. Trellix reports a surge in phishing scams using Browser-in-the-Browser techniques to mimic Facebook login screens and harvest credentials. The phishing campaign abuses legitimate cloud hosting services and URL shorteners to bypass security filters, suggesting a shift toward exploitation of trusted infrastructure. Ongoing since July 2025, the campaign highlights the increasing sophistication of threat actors in evading detection and maintaining persistent access. | Details |
| 2026-01-14 14:06:52 | bleepingcomputer | VULNERABILITIES | New "Reprompt" Attack Exploits Microsoft Copilot Sessions for Data Theft | Researchers at Varonis identified a vulnerability in Microsoft Copilot, termed "Reprompt," allowing attackers to hijack user sessions and exfiltrate data through malicious URLs. The attack leverages the 'q' parameter in URLs to inject commands, bypassing Copilot's protections and maintaining access even after the session is closed. Reprompt does not require additional plugins, making it a low-effort yet effective method for data exfiltration once the victim clicks a phishing link. The vulnerability affected only Copilot Personal, not Microsoft 365 Copilot, which benefits from enhanced security measures such as Purview auditing and DLP. Microsoft addressed the issue in the January 2026 Patch Tuesday update, following responsible disclosure by Varonis in August of the previous year. No exploitation of the Reprompt method has been detected in the wild, but immediate application of the latest Windows security update is advised. This incident underscores the importance of continuous monitoring and timely patching to safeguard against evolving threats in AI-integrated applications. | Details |