Daily Brief

Find articles below; each entry is followed by its generated summary.

Total articles found: 12586

Checks for new stories every ~15 minutes

2026-02-08 22:27:53 theregister NATION STATE ACTIVITY Senator Demands Telcos Explain Response to Salt Typhoon Hack
U.S. Senator Maria Cantwell is pressing AT&T and Verizon to disclose their security measures following the Salt Typhoon hack, considered the most severe telecom breach in U.S. history. Salt Typhoon, linked to Chinese cyber actors, gained extensive access to major U.S. telecom networks, potentially compromising sensitive communications, including those of government officials. Despite public assurances of improved defenses, the telecom giants have withheld detailed security assessments conducted by Mandiant, raising concerns about transparency and ongoing risks. The FBI and federal agencies provided mitigation guidance, yet reports suggest telecoms have been slow to implement protective measures due to cost concerns. Senator Cantwell seeks direct testimony from the CEOs of AT&T and Verizon to clarify their actions and reassure the public about the security of their communications infrastructure. The lack of cooperation from the telecoms in sharing security assessments has led to questions about the current exposure of American users to potential threats. This situation emphasizes the critical need for transparency and accountability in cybersecurity practices within essential communication infrastructures.
2026-02-08 15:33:45 bleepingcomputer VULNERABILITIES New Tool Tirith Shields Command-Line Environments from Homoglyph Attacks
Tirith, an open-source tool, is designed to detect homoglyph attacks in command-line environments by analyzing URLs in typed commands and preventing their execution. Available on GitHub and npm, Tirith integrates with multiple shell environments, including zsh, bash, fish, and PowerShell, to inspect commands for deceptive URLs. Homoglyph attacks exploit visually similar characters from different alphabets, allowing attackers to create misleading domain names that appear legitimate to users. While browsers have addressed homoglyph vulnerabilities, terminal environments remain susceptible, making Tirith a valuable defense mechanism in these contexts. The tool operates with minimal performance impact, conducting checks at sub-millisecond speeds and ensuring no network calls or background operations occur. Tirith does not support Windows Command Prompt (cmd.exe), a limitation given its use in many ClickFix attacks involving malicious command execution. The project has quickly gained traction on GitHub, with significant community interest reflected in its forks and stars, indicating a strong demand for such security solutions.
2026-02-08 07:34:53 thehackernews VULNERABILITIES OpenClaw Enhances Security with VirusTotal Integration Amid Rising Threats
OpenClaw has integrated VirusTotal scanning to enhance security for its ClawHub skill marketplace, addressing concerns about malicious skills masquerading as legitimate tools. The integration involves creating a SHA-256 hash for each skill, checked against VirusTotal's database, with suspicious skills flagged and malicious ones blocked from download. Despite the added security layer, OpenClaw acknowledges that some threats, such as cleverly concealed prompt injection payloads, may evade detection. The platform plans to release a comprehensive threat model, security roadmap, and audit details to further strengthen its security posture. OpenClaw's popularity has led to increased security scrutiny, with concerns about its potential as a vector for data exfiltration and unauthorized access. China's Ministry of Industry and Information Technology has issued an alert about misconfigured instances, emphasizing the need for robust identity and access controls. The rapid adoption of OpenClaw highlights the challenge of balancing AI-driven productivity with security, as misconfigurations can expose systems to significant risks.
2026-02-07 15:14:48 bleepingcomputer NATION STATE ACTIVITY Asian State Actor Conducts Global Espionage in 'Shadow Campaigns'
A state-sponsored group, TGR-STA-1030/UNC6619, has compromised networks across 37 countries, focusing on government and critical infrastructure entities. The group's operations, active since January 2024, target ministries, law enforcement, finance, and diplomatic agencies, with a high confidence link to Asia. Attack methods include tailored phishing emails and exploiting vulnerabilities in systems like SAP Solution Manager and Microsoft Exchange Server. A custom Linux rootkit, ‘ShadowGuard,’ enables stealthy operations by manipulating core system functions and evading detection. The actor's infrastructure uses legitimate VPS providers and residential proxies, with C2 domains mimicking familiar local extensions to deceive targets. Increased reconnaissance was noted during significant geopolitical events, such as the U.S. government shutdown and Honduran national elections. Unit 42 provides indicators of compromise to assist defenders in identifying and mitigating these sophisticated espionage efforts.
2026-02-07 12:38:20 theregister MISCELLANEOUS Study Reveals Older Workers' Enhanced Productivity in Tech Sector
Recent research indicates that workers aged 55-60 exhibit peak performance, challenging the tech industry's preference for younger employees. Annie Coleman from RealiseLongevity analyzed cognitive markers, revealing that while processing speed declines, other cognitive abilities improve with age. Studies suggest that experienced workers add significant value, particularly as AI threatens entry-level positions, emphasizing mentorship and accumulated knowledge. Bank of America and Boston Consulting Group studies confirm that age-diverse teams outperform those lacking such diversity, blending judgment with digital skills. The findings urge companies to reassess workforce strategies, treating age as a strategic variable akin to gender or skills, to leverage the strengths of older employees. Organizations are encouraged to invest in reskilling for mid- and late-career employees, fostering intergenerational collaboration for sustained growth and innovation. The analysis suggests aligning business strategies with the needs of an aging customer base, ensuring long-term value and competitive advantage.
2026-02-07 11:20:21 thehackernews NATION STATE ACTIVITY German Agencies Warn of State-Sponsored Signal Phishing Campaign
Germany's BfV and BSI issued a warning about phishing attacks via Signal, targeting politicians, military personnel, and journalists in Europe. The campaign involves impersonating "Signal Support" to extract verification codes, compromising account access without malware. Attackers gain control over Signal accounts, enabling them to capture incoming messages and impersonate victims. Alternative methods include using QR codes for device linking, exposing chats and contacts while victims remain unaware. The campaign could extend to WhatsApp, which shares similar security features, increasing potential risk. Users are advised to enable Registration Lock and avoid engaging with suspicious support accounts to mitigate threats. The advisory follows reports of Chinese and Russian cyber activities targeting European and Norwegian entities for intelligence purposes.
2026-02-07 09:58:05 bleepingcomputer CYBERCRIME BridgePay Ransomware Attack Causes Nationwide Payment Disruption
BridgePay Network Solutions experienced a ransomware attack, leading to a widespread outage affecting its payment gateway services across the United States. The incident began with degraded performance in key systems, escalating to a full system outage impacting merchants and payment integrators. BridgePay has engaged federal law enforcement, including the FBI and U.S. Secret Service, alongside external forensic and recovery teams to address the breach. Initial investigations suggest no payment card data was compromised, as accessed files were encrypted with no evidence of usable data exposure. Some merchants reported a shift to cash-only transactions due to the outage, though it remains unclear which partners were directly affected. BridgePay is working on restoring operations securely, but no timeline for full recovery has been provided. This incident is part of a rising trend of ransomware attacks targeting payment infrastructure, highlighting vulnerabilities in transaction systems.
2026-02-07 09:52:10 bleepingcomputer CYBERCRIME BridgePay Ransomware Attack Disrupts Payment Services Nationwide
BridgePay Network Solutions experienced a ransomware attack causing a widespread outage across its payment gateway services, impacting merchants and payment integrators nationwide. The attack began early Friday, leading to degraded performance and eventually a full system outage, affecting core production systems and card processing capabilities. BridgePay confirmed no payment card data was compromised, as accessed files were encrypted, and there is no evidence of usable data exposure. Federal law enforcement, including the FBI and U.S. Secret Service, along with external forensic teams, have been engaged to investigate and manage recovery efforts. Merchants reported cash-only transactions due to the outage, though BridgePay has not specified which partners were directly affected. The incident reflects a growing trend of ransomware attacks on payment infrastructure, highlighting vulnerabilities in transaction pipelines. BridgePay is focused on restoring operations securely, though no estimated time for full recovery has been provided.
2026-02-06 20:01:06 bleepingcomputer NATION STATE ACTIVITY Germany Warns of State-Sponsored Signal Account Hijacking Threats
Germany's intelligence agencies report state-sponsored phishing attacks targeting high-ranking individuals via Signal, affecting politicians, military officers, and journalists across Europe. Attackers employ social engineering tactics without using malware or exploiting technical vulnerabilities within messaging apps. Two attack variants include full account takeover and device pairing to monitor chat activity, exploiting Signal's legitimate features. The first variant involves impersonating Signal support to obtain PINs or SMS codes, leading to account hijacking and victim lockout. The second variant uses QR code scanning to link victim accounts with attacker devices, allowing silent access to chats and contacts. Similar techniques have been used by Russian-aligned groups in past attacks on WhatsApp, indicating a broader threat landscape. German authorities recommend users block suspicious support messages, enable 'Registration Lock', and regularly review linked devices for unauthorized access.
2026-02-06 18:40:29 bleepingcomputer MALWARE DKnife Toolkit Hijacks Router Traffic for Espionage and Malware Delivery
Cisco Talos researchers identified the DKnife toolkit, active since 2019, used to hijack router traffic and deliver malware in espionage campaigns. DKnife operates as a post-compromise framework, enabling traffic monitoring and adversary-in-the-middle activities on compromised networks. The toolkit consists of seven Linux-based components for deep packet inspection, traffic manipulation, credential harvesting, and malware delivery. DKnife targets Chinese services, with Simplified Chinese language artifacts suggesting a China-nexus threat actor involvement. Researchers observed DKnife delivering ShadowPad and DarkNimbus backdoors, both linked to Chinese threat actors, onto Windows and Android devices. The toolkit's capabilities include DNS hijacking, Android app update interception, and exfiltration of user activity to remote command-and-control servers. Cisco Talos has released indicators of compromise (IoCs) to assist organizations in detecting and mitigating DKnife-related threats. The persistence of DKnife's command-and-control servers as of January 2026 indicates ongoing threat activity requiring vigilance.
2026-02-06 17:17:19 bleepingcomputer VULNERABILITIES CISA Alerts on Critical SmarterMail Flaw Exploited in Ransomware Attacks
CISA has issued a warning about CVE-2026-24423, a critical vulnerability in SmarterMail, exploited for remote code execution in ransomware attacks. SmarterMail, a Windows-based email server, is widely used by MSPs, SMBs, and hosting companies, impacting approximately 15 million users globally. The flaw allows attackers to execute commands remotely via the ConnectToHub API, posing significant risks to affected systems. SmarterTools addressed the vulnerability with a patch in Build 9511, released on January 15, but exploitation continues in active ransomware campaigns. Federal agencies are directed to apply security updates or discontinue use by February 26, 2026, under CISA's BOD 22-01 guidance. Researchers identified another critical flaw, WT-2026-0001, enabling admin password resets without verification, urging immediate system updates to Build 9526. Organizations must prioritize patch management and monitor for any signs of compromise to mitigate potential security breaches.
2026-02-06 16:58:01 theregister DATA BREACH Flickr Data Breach Exposes User Information via Third-Party Provider
Flickr experienced a data breach on February 5, affecting user information through a third-party email service provider. The provider's identity remains undisclosed. The breach potentially exposed names, email addresses, usernames, account types, IP addresses, general locations, and Flickr activity. Data exposure varies per user account. Flickr promptly disabled access to the compromised system, removed vulnerable links, and initiated an investigation with the third-party provider. The company is enhancing security measures and conducting a thorough review of its practices with third-party providers to prevent future incidents. Notifications were sent to relevant data protection authorities, suggesting the breach impacts users across multiple regions, including Europe and the US. Users are advised to be vigilant against phishing attempts and review account settings for suspicious activity. Passwords and financial data were reportedly not compromised. Flickr's proactive response includes strengthening system architecture and improving monitoring of third-party services to safeguard user data.
2026-02-06 16:42:04 theregister DDOS UK Rises as Major Target Amid Record-Breaking DDoS Attacks
Cloudflare reported a significant increase in DDoS attacks in 2025, with the UK becoming the sixth-most targeted country globally, marking a substantial rise in threat exposure. The fourth quarter witnessed a 31% increase in attack volume from the previous quarter, with a staggering 58% rise compared to 2024, indicating escalating attack severity. Aisuru-Kimwolf, a botnet leveraging malware-infected Android TVs, executed the largest attack, reaching a record 31.4 Tbps during the "The Night Before Christmas" campaign. Attackers are shifting tactics towards rapid, high-volume traffic spikes, with incidents generating billions of packets per second in under two minutes, challenging traditional defense mechanisms. Large botnets and cloud-hosted virtual machines are increasingly used to scale attacks, exploiting compromised internet-connected devices such as routers and cameras. The UK’s telecom and cloud infrastructure, alongside financial services, remain primary targets, with geopolitical tensions and pro-Russian hacktivists like NoName057(16) contributing to the threat landscape. Cloudflare emphasizes the necessity of autonomous systems for real-time detection and mitigation, as human response times are inadequate against swift, massive DDoS surges.
2026-02-06 15:09:00 bleepingcomputer VULNERABILITIES Addressing Browser Security Gaps Crucial for Modern Cyber Defense
Modern enterprise operations heavily rely on browsers, yet current security measures often overlook browser-specific threats, creating significant vulnerabilities in cybersecurity frameworks. Browser attacks, such as ClickFix and UI-driven social engineering, exploit user actions without leaving traditional forensic evidence, complicating detection and response efforts. Malicious browser extensions can covertly exfiltrate data, appearing as normal activity, thus evading traditional endpoint and network security measures. HTML smuggling and man-in-the-browser attacks manipulate legitimate browser sessions, bypassing conventional security tools designed for endpoint and network protection. Existing security solutions like EDR, email security, and SASE are not designed to monitor browser interactions, leading to a lack of visibility and incomplete investigations. Keep Aware advocates for enhanced observability of browser-level activities to refine security policies and improve prevention and response strategies. The rise of AI tools and AI-native browsers is exacerbating browser security gaps, as these technologies facilitate subtle and voluminous data movement within browsers. Implementing browser-level observability can transform security practices, enabling precise prevention, informed policy development, and comprehensive incident reconstruction.
2026-02-06 15:00:45 thehackernews NATION STATE ACTIVITY DKnife AitM Framework Targets Routers for Malware Delivery
Researchers have identified DKnife, an AitM framework linked to China-based actors, active since 2019, targeting routers and edge devices for traffic hijacking and malware delivery. DKnife comprises seven Linux-based implants enabling deep packet inspection, traffic manipulation, and malware deployment, with a focus on Chinese-speaking users. The framework interacts with ShadowPad and DarkNimbus backdoors, hijacking binary downloads and Android updates, and targets PCs, mobile devices, and IoT devices. Cisco Talos discovered DKnife while monitoring Earth Minotaur, a Chinese threat cluster using the MOONSHINE exploit kit and DarkNimbus backdoor. The infrastructure analysis revealed connections to TheWizards APT group, which uses a Windows implant, WizardNet, in similar AitM operations. DKnife's modular architecture allows for diverse attack functions, including credential harvesting from Chinese email services via manipulated TLS certificates. The discovery underscores the sophistication of modern AitM threats, emphasizing the need for robust defenses against traffic manipulation and malware delivery tactics.