The US Cybersecurity and Infrastructure Security Agency (CISA), the UK’s National Cyber Security Centre (NCSC), the Federal Bureau of Investigation (FBI), and international partners have released a new set of security principles aimed at securing operational technology (OT) environments. The guidance addresses the growing risks associated with insecure connectivity in systems that support essential services, providing a framework to help organizations design and manage secure connectivity in OT networks. The document emphasizes the importance of embedding security into network design from the outset to reduce exposure to both highly capable and opportunistic adversaries, including nation-state actors. It highlights the increased interconnection between industrial systems and enterprise networks, which has improved efficiency but expanded the attack surface for cyber threat actors.

A critical flaw (CVE-2025-36911, WhisperPair) in Google's Fast Pair protocol allows attackers to hijack Bluetooth audio devices, track users, and eavesdrop on conversations. The vulnerability affects hundreds of millions of devices from multiple manufacturers, regardless of the user's smartphone operating system. The flaw stems from improper implementation of the Fast Pair protocol in audio accessories, enabling unauthorized pairing and control. Attackers can exploit this using any Bluetooth-capable device within 14 meters. Google awarded a $15,000 bounty and worked with manufacturers to release patches, but updates may not be available for all devices.

Cybercriminals are increasingly shifting from traditional ransomware attacks involving encryption to extortion-only attacks that rely solely on data theft. This trend has seen a significant rise, with nearly 1500 incidents in 2025 compared to just 28 in 2024. These attacks exploit unpatched zero-day vulnerabilities and supply chain weaknesses, targeting organizations through methods like social engineering and voice phishing. The shift poses new challenges for enterprises, requiring them to enhance their security posture and focus on supply chain security.

A critical vulnerability (CVE-2026-23550, CVSS 10.0) in the WordPress Modular DS plugin, affecting versions up to 2.5.1, is being actively exploited to gain admin access. The flaw allows unauthenticated attackers to bypass authentication and escalate privileges, potentially leading to full site compromise. The issue stems from a combination of design choices, including permissive direct request handling and weak authentication mechanisms. The vulnerability was patched in version 2.5.2, and attacks were first detected on January 13, 2026, originating from specific IP addresses. Users are urged to update immediately to mitigate the risk.

Researchers discovered the Reprompt attack, which allows hackers to hijack Microsoft Copilot sessions by embedding malicious prompts in URLs. This attack bypasses Copilot's protections, enabling data exfiltration without user interaction beyond an initial click. The attack leverages three techniques: Parameter-to-Prompt (P2P) injection, double-request, and chain-request methods. The attack starts with the exploitation of the 'q' parameter, which is used on AI platforms to deliver a user's query or prompt via a URL. The attack resulted in one-click compromise and persisted after the chat was closed. Microsoft addressed the issue in January 2026's Patch Tuesday update, and the attack does not affect enterprise customers using Microsoft 365 Copilot. The Reprompt attack can exfiltrate sensitive data from AI chatbots like Microsoft Copilot in a single click, maintaining control even when the Copilot chat is closed. The attack uses the 'q' URL parameter in Copilot to inject a crafted instruction directly from a URL, instructs Copilot to bypass guardrails by repeating each action twice, and triggers an ongoing chain of requests through the initial prompt for continuous data exfiltration. The attack can exfiltrate data such as user-accessed files, location, and vacation plans, turning Copilot into an invisible channel for data exfiltration without requiring any user input prompts, plugins, or connectors. The root cause of Reprompt is the AI system's inability to delineate between instructions directly entered by a user and those sent in a request. The server can request information based on earlier responses, probing for even more sensitive details, with the real instructions hidden in the server's follow-up requests.

Tines has introduced a pre-built workflow to automate Just-In-Time (JIT) access to applications, addressing the challenge of balancing speed and security in Identity and Access Management (IAM). The workflow automates the entire lifecycle of JIT access requests, ensuring access is granted, approved, and revoked automatically. This solution helps prevent privilege creep, improves audit compliance, and enhances user experience by reducing manual intervention. The workflow integrates with tools like Jira Software, Okta, and Slack to streamline the process, from self-service requests to automated revocation. Organizations can import the pre-built workflow, configure it to their needs, and deploy it to manage temporary access efficiently.

A critical misconfiguration in AWS CodeBuild, dubbed CodeBreach, allowed attackers to exploit continuous integration pipelines and potentially inject malicious code into core AWS GitHub repositories, including the JavaScript SDK used by the AWS Console. The flaw stemmed from an unanchored regular expression filter in pull request triggers, enabling unauthenticated attackers to bypass security restrictions and escalate access to repository control. The vulnerability was disclosed by Wiz Research and addressed by AWS within 48 hours.

In 2025, cyber threat actors, including both cybercriminals and hacktivists, significantly increased their attacks on industrial control systems (ICS) and operational technology (OT) environments. The number of ICS vulnerability disclosures nearly doubled compared to 2024, with Siemens and Schneider Electric being the most affected vendors. Ransomware attacks also surged, particularly targeting manufacturing and healthcare sectors, while hacktivist groups focused on energy, utilities, and transportation sectors. The report predicts continued targeting of exposed HMI and SCADA systems in 2026.

The role of the chief information security officer (CISO) is increasingly recognized as an executive-level position, reflecting its growing importance in business strategy. According to IANS' 2026 State of the CISO Report, 46% of CISOs now hold executive titles, while 27% are VPs and 27% are directors. This shift signifies a structural change in security leadership, with CISOs expected to act as enterprise-wide strategists rather than just technical leaders. However, this elevation comes with greater demands, including wider accountability and intensified oversight from senior leadership and boards. The report highlights that over half of CISOs have seen their roles expand over the past year, taking on responsibilities such as SecOps, security architecture, GRC, app security, IAM, compliance, supplier risk management, BC/DR, and product security. Despite this, 52% of CISOs feel their scope is no longer fully manageable, particularly in smaller organizations, which could delay strategic initiatives and increase reactive security measures. Additionally, the report notes a split in security models, with 64% of CISOs still reporting to IT (typically the CTO or CIO), while 36% report to business functions like the CEO, CFO, COO, CRO, or general counsel. This split is more pronounced in larger firms ($1bn+ revenue) and smaller organizations (under $1bn revenue).

The ThreatsDay Bulletin highlights several emerging cybersecurity threats and trends. These include AI voice cloning exploits, the discovery of a Wi-Fi kill switch vulnerability, and vulnerabilities in programmable logic controllers (PLCs). The report emphasizes the rapid evolution of attack methods and the importance of vigilance in cybersecurity practices.

Data privacy teams are experiencing significant understaffing and budget constraints, with the median privacy staff size decreasing from eight to five. The stress levels among privacy professionals have increased, driven by rapid technological evolution, compliance challenges, and resource shortages. The report highlights a correlation between underfunding and higher stress levels, with 46% of underfunded teams reporting significantly more stress. Additionally, 44% of respondents face obstacles in their privacy programs, and 52% cite managing risks from new technologies as a top difficulty. Despite these challenges, 38% plan to use AI for privacy tasks in the next year.

Recent incidents demonstrate that the primary risk in AI systems lies not in the models themselves but in the workflows that integrate them. Two Chrome extensions stole ChatGPT and DeepSeek chat data from over 900,000 users, while prompt injections tricked IBM's AI coding assistant into executing malware. These attacks exploit the context and integrations of AI systems, highlighting the need for comprehensive workflow security. AI models are increasingly embedded in business processes, automating tasks and connecting applications. This integration creates new attack surfaces, as AI systems rely on probabilistic decision-making and lack native trust boundaries. Traditional security controls are inadequate for these dynamic and context-dependent workflows. To mitigate these risks, organizations should treat the entire workflow as the security perimeter, implementing guardrails and monitoring for anomalies. Dynamic SaaS security platforms like Reco can help by providing real-time visibility and control over AI usage.

A website, ICE List, which publishes personal details of ICE and Border Patrol agents, was taken offline by a prolonged DDoS attack originating from Russian servers. The site, hosted in the Netherlands, was launched following an insider breach at the Department of Homeland Security (DHS). The attack began on Tuesday evening and is still ongoing, preventing access to the site's controversial content.

Many Security Operations Centers (SOCs) in 2026 continue to rely on outdated practices that slow down incident response. These practices include manual review of suspicious samples, reliance on static scans, disconnected tools, and over-escalation of alerts. Modern SOCs are adopting automation, dynamic analysis, and integrated workflows to improve Mean Time to Respond (MTTR). The shift towards automation and dynamic analysis helps SOCs detect threats faster and reduce the time taken to respond to incidents. Integration of tools and streamlined workflows enhance productivity and decision-making. Over 15,000 SOC teams globally have improved their metrics by adopting these advanced practices.

The U.S. Federal Trade Commission (FTC) has finalized an order with General Motors (GM) and its subsidiary, OnStar, banning the company from selling drivers' geolocation and driving behavior data for five years. The order follows allegations that GM collected and sold this data without consumer consent through OnStar's 'Smart Driver' feature. The FTC's action requires GM to obtain express consent before collecting or sharing such data and provides consumers with more control over their information.

Microsoft, in coordination with legal partners in the US and UK, has disrupted RedVDS, a cybercriminal subscription service that facilitated phishing and fraud campaigns. RedVDS offered cheap, effective, and disposable virtual computers running unlicensed software, enabling cybercriminals to operate anonymously. The service caused over $40 million in losses in the US alone since March 2025, with nearly 190,000 organizations worldwide affected. RedVDS utilized AI to tailor phishing and business email compromise (BEC) scams, including deepfake videos and voice cloning to impersonate individuals. The disruption involved legal action in the US and UK, supported by international law enforcement, including Europol. Microsoft emphasized the importance of reporting cybercrime to prevent future attacks and protect potential victims. RedVDS operated since 2019 and rented servers from third-party hosting providers across multiple countries. The service was used for various malicious activities, including credential theft, account takeovers, and real estate payment diversion scams. In one month, cybercriminals using RedVDS sent an average of 1 million phishing messages per day to Microsoft customers alone, compromising nearly 200,000 Microsoft accounts over the last four months. RedVDS was advertised as a way to 'increase your productivity and work from home with comfort and ease.' The service was first founded in 2017 and operated on Discord, ICQ, and Telegram. The website was launched in 2019. RedVDS provided a reseller panel to create sub-users and grant them access to manage the servers without having to share access to the main site. The service did not maintain activity logs, making it an attractive choice for illicit use. RedVDS was used to host a toolkit comprising both malicious and dual-use software, including mass spam/phishing email tools, email address harvesters, privacy and OPSEC tools, and remote access tools. RedVDS used a single Windows Server 2022 image to create cloned Windows instances, which were created on demand using Quick Emulator (QEMU) virtualization technology combined with VirtIO drivers. RedVDS's Terms of Service prohibited customers from using the service for sending phishing emails, distributing malware, transferring illegal content, scanning systems for security vulnerabilities, or engaging in denial-of-service (DoS) attacks.

Palo Alto Networks has patched a high-severity DoS vulnerability (CVE-2026-0227) affecting PAN-OS firewalls (versions 10.1 and later) and Prisma Access configurations with GlobalProtect enabled. The flaw allows unauthenticated attackers to disable firewall protections through repeated DoS attacks, forcing the firewall into maintenance mode. A proof-of-concept (PoC) exploit exists, and the vulnerability arises from an improper check for exceptional conditions (CWE-754). Most cloud-based Prisma Access instances have been patched, but some remain in progress. No evidence of exploitation has been found yet. Palo Alto Networks has released security updates for all affected versions, advising admins to upgrade to the latest releases. The vulnerability highlights the ongoing targeting of Palo Alto firewalls, which have been frequently exploited in recent attacks.

OpenAI is internally testing a new feature called 'Agora,' which appears to be a cross-platform feature. The feature is mentioned in updates to web, Android, and iOS apps, suggesting it may involve real-time interactions or a new product. The name 'Agora' could hint at social, community, or communication features. Additionally, OpenAI has improved dictation capabilities in ChatGPT, reducing empty transcriptions and improving accuracy.

Google is testing the integration of Gemini AI into Chrome for Android, enabling agentic browser capabilities. This integration, referred to as 'Glic' in Chromium code, will allow users to leverage AI-driven features directly within the mobile browser. The exact implementation details are not yet disclosed, but it is expected to function similarly to Copilot in Edge for Android, providing features like summarizing web content and answering follow-up questions. The integration is confirmed through references in the Chromium source code, indicating a significant increase in binary size due to the new AI capabilities. While Gemini is already available in Chrome for desktop, its rollout on Android is anticipated soon.

Google's new 'Personal Intelligence' feature for Gemini integrates user data from Gmail, Photos, Search, and other services to provide personalized responses. The feature is currently in beta and available to eligible subscribers in the U.S. Users can control which apps are linked and can disable the feature at any time. Google acknowledges potential inaccuracies and encourages user feedback to improve the system.

OpenAI has quietly launched a new feature called ChatGPT Translate, which offers advanced translation capabilities similar to Google Translate but with additional interactive features. The tool allows users to translate text, images, and audio, and supports customization of the output style. This feature is available to all users without requiring a paid account, though it has not been officially announced by OpenAI.

South Korean conglomerate Kyowon Group confirmed a ransomware attack that occurred on January 2026, resulting in the exfiltration of customer data. The attack impacted approximately 600 out of 800 servers, potentially exposing information from over 9.6 million accounts (5.5 million individuals). The company is investigating the extent of the data leak and working to restore services.

The French data protection authority (CNIL) has fined Free Mobile and its parent company, Free, a total of €42 million for inadequate protection of customer data during a 2024 breach. The incident exposed data of nearly 23 million subscribers, including IBANs for 25% of affected individuals. The breach stemmed from weak VPN authentication and ineffective activity monitoring, violating GDPR rules on data security, breach notification, and data retention. The CNIL investigation revealed that the companies failed to implement adequate security measures, notify affected individuals properly, and retain personal data only as long as necessary. Both companies must now complete their security improvements and data cleanup within specified deadlines.

The **Aisuru botnet** and its **Android-focused sibling, Kimwolf**, now represent a **multi-botnet threat ecosystem** with **over 4 million compromised devices** (1–4M IoT for Aisuru; **>2M Android TVs/boxes** for Kimwolf). Together, they have executed **record-breaking DDoS campaigns** (e.g., Aisuru’s **29.7 Tbps** in Q3 2025; Kimwolf’s **1.7 billion attack commands** in three days) while evolving into **large-scale residential proxy networks** for cybercrime monetization. Since October 2025, **over 550 C2 nodes** tied to both botnets were **null-routed** by Black Lotus Labs, disrupting operations but revealing their resilience. Kimwolf’s infrastructure—hosted on providers like **Resi Rack LLC** (linked to a **Discord-based proxy marketplace**)—exploited **exposed ADB services** and **proxy service flaws** to hijack devices, while Aisuru’s IoT army targeted **telecom, financial services, AI firms, and automotive sectors**. Both botnets share **operators (Snow, Tom, Forky)**, **code-signing certificates**, and **EtherHiding (ENS domains)** for C2 resilience, with Kimwolf’s **96% of commands** dedicated to proxy services. Collateral damage includes **disruptions to U.S. ISPs, critical infrastructure, and global DNS services**, with **Cloudflare and Microsoft** mitigating thousands of hyper-volumetric attacks. The botnets’ **rapid tactical shifts**—from DDoS to proxy monetization—underscore their systemic risk to internet stability, now compounded by **automated router exploitation** (e.g., 832 KeeneticOS devices in Russia) and **cross-botnet collaboration**.

Fortinet has disclosed a critical OS command injection vulnerability in FortiSIEM, identified as CVE-2025-64155. The flaw, with a CVSS score of 9.4, allows unauthenticated attackers to execute unauthorized code or commands via crafted TCP requests. The vulnerability affects Super and Worker nodes in FortiSIEM versions 6.7.0 through 6.7.10, 7.0.0 through 7.0.4, 7.1.0 through 7.1.8, 7.2.0 through 7.2.6, 7.3.0 through 7.3.4, and 7.4.0. The flaw involves an unauthenticated argument injection vulnerability leading to arbitrary file write and a file overwrite privilege escalation vulnerability leading to root access. Fortinet advises upgrading to the latest versions and limiting access to the phMonitor port (7900) as a workaround. Additionally, a Fortinet FortiWeb path traversal vulnerability is being actively exploited to create new administrative users on exposed devices without requiring authentication. The vulnerability was silently patched in FortiWeb version 8.0.2. The exploitation activity was first detected early last month, and Fortinet has not assigned a CVE identifier or published an advisory on its PSIRT feed. Rapid7 observed an alleged zero-day exploit targeting FortiWeb was published for sale on a popular black hat forum on November 6, 2025. The watchTowr team has released an artifact generator tool for the authentication bypass to help identify susceptible devices.

Verizon Wireless experienced a widespread outage in the US, causing phones to enter SOS mode and lose cellular service. The outage began around 12 PM ET and affected customers across the country. Affected users could only make emergency calls, and attempts to contact them resulted in an 'unavailable' message.

Aikido Security, a Belgium-based startup focused on developer-centric security solutions, has raised $60 million in a Series B funding round, achieving a $1 billion valuation. The funding was led by DST Global, with additional participation from PSG Equity, Notion Capital, and Singular. The capital will be used to enhance and expand Aikido's security platform, which integrates scanning, code-to-cloud visibility, offensive security testing, and runtime defense capabilities. The platform is reportedly used by over 100,000 teams. The company emphasizes the need for continuous, adaptive, and autonomous security measures to keep pace with modern software development cycles, which have significantly shortened from months to minutes.

Microsoft has released Windows 11 cumulative updates KB5074109 and KB5073455 for versions 25H2/24H2 and 23H2. These updates address security vulnerabilities and various issues, including fixes for compatibility, networking, power & battery, Secure Boot, Windows Deployment Services, and WinSqlite3.dll. New features introduced include various bug fixes and improvements. The updates are mandatory and include the January 2026 Patch Tuesday security patches. Microsoft has also resolved a known issue causing security applications to incorrectly flag WinSqlite3.dll as vulnerable to CVE-2025-6965. The issue affected various Windows platforms, including Windows 10, Windows 11, and Windows Server 2012 through Windows Server 2025. Microsoft updated WinSqlite3.dll in the January 13, 2026 updates to address false positive detections. Additionally, Microsoft has released the KB5072753 out-of-band cumulative update to fix a known issue causing the November 2025 KB5068966 hotpatch update to reinstall on Windows 11 systems repeatedly. This update is recommended for Windows 11, version 25H2 devices instead of the November 2025 hotpatch update (KB5068966). Microsoft has announced that it will not release optional updates in December, but Patch Tuesday updates will continue as scheduled. Nvidia has confirmed that the October 2025 Windows 11 updates (KB5066835) cause gaming performance issues on Windows 11 24H2 and 25H2 systems. Nvidia released the GeForce Hotfix Display Driver version 581.94 to address these issues. The October updates also caused other issues such as broken localhost HTTP connections, smart card authentication problems, and broken Windows Recovery Environment (WinRE) on systems with USB mice and keyboards.

AI agents, now integral to enterprise workflows, are becoming powerful intermediaries that can bypass traditional access controls, leading to unintended privilege escalation. These agents, designed for broad access across multiple systems, operate under shared credentials and execute actions on behalf of users, often with permissions exceeding individual user authorizations. This creates security blind spots and complicates accountability and audit trails.

A financially motivated threat actor has been observed deploying DeadLock ransomware using a Bring Your Own Vulnerable Driver (BYOVD) technique to disable endpoint detection tools and achieve full system compromise. The attack involved privilege-escalation scripts, registry modifications, remote access tools (RATs), and a custom encryption routine. The ransomware targeted various applications and services while avoiding critical system files to maintain system functionality for ransom negotiations. Victims were instructed to pay ransom in Bitcoin or Monero via Session Messenger. The latest DeadLock samples observed by Group-IB include an HTML file used to communicate with victims through the Session encrypted messaging platform. Instead of relying on hard-coded servers, the malware retrieves proxy addresses stored inside a Polygon smart contract. This approach uses read-only calls that do not generate transactions or incur network fees, complicating traditional blocking approaches. The JavaScript code within the calls queries a specific Polygon smart contract to obtain the current proxy URL, which then relays encrypted messages between the victim and the attacker’s Session ID.