no.security

Comprehensive cybersecurity intelligence covering threats, vulnerabilities, research, policy, and industry developments

15 min read · 18 stories

Daily Security Brief - January 15, 2026

🔄 Updates on Previous Stories

China Scam Compound Crackdown Continues

Following last week’s arrest and extradition of alleged scam kingpin Chen Zhi from Cambodia to China, experts are cautioning that China’s enforcement efforts are domestically motivated and may inadvertently redirect scammer targeting toward Americans. Jason Tower, formerly of the US Institute of Peace, has noted that Chinese crackdowns have “increased the cost of scamming in China dramatically” but that “scam syndicates are increasingly pivoting to target the rest of the world, and especially Americans.” The enforcement pattern remains reactive to Chinese domestic outrage rather than a strategic effort to improve global security.

Maduro Raid Cyber Operations Analysis

The spectacular US raid to capture Venezuelan President Nicolás Maduro has cemented disruptive cyber operations as a regular component of military operations. President Trump hinted that cyber capabilities were used to cut power in Caracas during the operation, with Chair of the Joint Chiefs General Dan Caine acknowledging Cyber Command’s involvement in “layering different effects.” The New York Times reported the operation began with a cyberattack that “cut power to large swaths of Caracas, shrouding the city in darkness.” This marks a significant milestone in the normalization of offensive cyber operations in military planning.


🚨 Critical Threats & Incidents

Poland Thwarts Major Russian Cyberattack on Energy Grid - Near Blackout Averted

Impact: High | Sector: Energy/Critical Infrastructure | Status: Contained | Attribution: Russia (High Confidence)

Poland narrowly avoided a large-scale power outage by thwarting what officials described as the most serious cyberattack on its energy infrastructure in years. The attempted disruption occurred in the final days of December, when hackers targeted communications between renewable energy installations—including solar farms and wind turbines—and electricity distribution operators across large parts of the country.

Digital Affairs Minister Krzysztof Gawkowski said the incident came “very close to a blackout” and bore the hallmarks of a coordinated sabotage campaign. “The scale of this attack, the vector of entry, and who was behind it indicate that it was a deliberate attempt to cut off power to Polish citizens. Everything points to Russian sabotage,” Gawkowski told local media.

Unlike previous cyber incidents that focused on large power plants or transmission networks, this attack targeted multiple smaller distributed energy sources simultaneously—a novel approach that exploited the growing complexity of modern grid architectures. Energy Minister Miłosz Motyka stated, “We have not seen this type of attack before, but we should expect it to happen again.”

Key Facts:

  • Attack targeted renewable energy communications systems (solar, wind)
  • Multiple distributed energy sources attacked simultaneously (novel technique)
  • Poland is a NATO member and key Ukraine supporter
  • Attack occurred during Russia’s ongoing bombardment of Ukraine’s energy system
  • Officials declined to provide specific technical details or IOCs

References: The Record, Reuters, Bloomberg, Polish Radio


DHS Data Leak Exposes 4,500 ICE and Border Patrol Employees

Impact: High | Sector: Government/Law Enforcement | Status: Under Investigation

A reported data leak has exposed personal and work details for approximately 4,500 ICE and Border Patrol employees online, significantly escalating safety concerns for federal law enforcement personnel. The leak comes amid heightened tensions following recent enforcement operations in Minneapolis and other sanctuary cities.

The exposed information reportedly includes work details that could be used to identify and target individual agents. This incident compounds existing security concerns after DHS reported an 8000% increase in death threats against ICE officers. The leak raises serious questions about the security of federal personnel databases and the potential for targeted harassment or violence against law enforcement officials.

Key Facts:

  • ~4,500 ICE and Border Patrol employees affected
  • Personal and work details exposed
  • Timing coincides with increased enforcement activity
  • Escalates existing threats against federal agents

References: eSecurity Planet, DHS


🔓 Vulnerabilities & Patches

CVE-2026-0227: Palo Alto GlobalProtect DoS Vulnerability - PoC Available

CVE: CVE-2026-0227 | CVSS: 7.7 (High) | Products: GlobalProtect Gateway and Portal | Status: Patched, PoC Exists

Palo Alto Networks has patched a high-severity denial-of-service vulnerability affecting GlobalProtect Gateway and Portal components. The vulnerability allows unauthenticated attackers to crash firewalls, potentially disrupting critical network security functions for organizations relying on GlobalProtect for remote access.

The existence of publicly available proof-of-concept code significantly increases the risk of exploitation. Security teams should prioritize patching, especially for internet-facing GlobalProtect deployments.

Technical Details:

  • Vulnerability Type: Denial of Service (DoS)
  • Attack Vector: Network (unauthenticated)
  • Impact: Firewall service disruption
  • Affected: GlobalProtect Gateway and Portal on PAN-OS

Mitigation Steps:

  • Apply latest PAN-OS security updates immediately
  • Monitor GlobalProtect logs for anomalous traffic patterns
  • Consider rate limiting on GlobalProtect endpoints
  • Ensure IPS signatures are updated

References: Palo Alto Networks Security Advisory, The Hacker News, Security Affairs
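The mitigation list above asks defenders to watch GlobalProtect logs for anomalous traffic and to consider rate limiting. As an added example (not code from the advisory or from Palo Alto Networks), the Python below flags any source address that produces a burst of unauthenticated pre-login events inside a sliding window. The line format, the event names (`prelogin`, `login`) and the sample lines are constructed for this example and are not real PAN-OS output; map the parser onto your own log schema before use.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a simplified key=value style. They are NOT real
# PAN-OS / GlobalProtect output: one noisy source (12 pre-login hits in 12 s)
# and one ordinary client that logs in normally.
SAMPLE_LOG = "\n".join(
    [f"2026-01-14T10:00:{i:02d} src=203.0.113.5 portal=gp-portal event=prelogin"
     for i in range(12)]
    + [
        "2026-01-14T10:00:05 src=198.51.100.7 portal=gp-portal event=prelogin",
        "2026-01-14T10:00:35 src=198.51.100.7 portal=gp-portal event=login",
        "2026-01-14T10:02:10 src=198.51.100.7 portal=gp-portal event=prelogin",
    ]
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) portal=(?P<portal>\S+) event=(?P<event>\S+)$"
)


def parse(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "portal": m["portal"],
        "event": m["event"],
    }


def find_bursty_sources(log_text, threshold=10, window_seconds=60):
    """Return {src: peak_count} for every source whose count of unauthenticated
    pre-login events exceeds `threshold` inside any sliding window of
    `window_seconds`. Authenticated events are ignored on purpose: the
    unauthenticated pre-login path is the one an unauthenticated DoS reaches."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # src -> timestamps still inside the window
    peaks = {}
    events = [e for e in (parse(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])   # tolerate out-of-order delivery
    for e in events:
        if e["event"] != "prelogin":
            continue
        q = recent[e["src"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()               # drop timestamps that fell out of the window
        if len(q) > threshold:
            peaks[e["src"]] = max(peaks.get(e["src"], 0), len(q))
    return peaks


if __name__ == "__main__":
    for src, count in find_bursty_sources(SAMPLE_LOG).items():
        print(f"ALERT {src}: {count} pre-login events inside one 60 s window")
```

A single crash-inducing request will not necessarily show up as a burst, so treat this as one signal alongside the vendor patch, not a substitute for it; the threshold and window are starting points to tune against your own baseline of legitimate portal traffic.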


CVE-2025-64155: Fortinet FortiSIEM Critical Command Injection - Exploit Code Released

CVE: CVE-2025-64155 | CVSS: Critical | Products: FortiSIEM | Status: PoC Published

Exploit code has been published for a critical command injection vulnerability affecting Fortinet FortiSIEM devices. The vulnerability allows attackers to execute arbitrary commands on affected systems, potentially leading to complete system compromise.

The release of exploit code transforms this from a theoretical risk to an imminent threat. Organizations running FortiSIEM should treat this as a critical priority and apply patches immediately or implement compensating controls.

Technical Details:

  • Vulnerability Type: Command Injection
  • Impact: Remote Code Execution
  • Exploitation: Active PoC available

Mitigation Steps:

  • Apply Fortinet security updates immediately
  • Restrict network access to FortiSIEM management interfaces
  • Monitor for exploitation attempts
  • Review FortiSIEM logs for signs of compromise

References: Tenable, Fortinet Advisory
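The story above gives no technical detail of the FortiSIEM flaw beyond its class, so the following is an added, generic illustration of that class (OS command injection) and of the two controls that close it; it is not Fortinet's code and does not reproduce the FortiSIEM bug. The `echo` command stands in for a network diagnostic such as ping or a DNS lookup, and the hostnames are constructed.

```python
import ipaddress
import re
import subprocess

# Allowlist for a "target host" argument: an IP literal or an RFC 1123-style
# hostname. Anything else (spaces, ';', '$', backticks, ...) is rejected.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)


def is_valid_target(value):
    """True if `value` is an IP address or a well-formed hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(value))


def run_diagnostic_unsafe(host):
    """VULNERABLE PATTERN: untrusted input spliced into a shell command line.
    The shell parses the whole string, so metacharacters in `host` become
    additional commands. `echo` is a harmless stand-in for the real tool."""
    result = subprocess.run(f"echo {host}", shell=True,
                            capture_output=True, text=True)
    return result.stdout


def run_diagnostic_safe(host):
    """Hardened form, two independent layers:
    1. validate the argument against an allowlist before doing anything;
    2. hand the program an argv list with shell=False, so no shell ever
       parses the value and it reaches the tool as a single argument."""
    if not is_valid_target(host):
        raise ValueError(f"rejected diagnostic target: {host!r}")
    result = subprocess.run(["echo", host], capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    print(run_diagnostic_unsafe("host; echo INJECTED"))   # second command runs
    print(run_diagnostic_safe("db01.example.internal"))  # argument passed verbatim
```

Either layer alone stops the constructed input, but keeping both matters: the allowlist protects tools that are themselves shell-driven, and `shell=False` protects against gaps in the allowlist. For the actual product, the vendor patch remains the fix; this shows what reviewers look for when auditing similar code paths.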


🔬 Security Research & Innovation

‘Reprompt’ Attack Enables One-Click Data Exfiltration from Microsoft Copilot

Type: AI Security Research | Source: Varonis | Status: Patched by Microsoft

Security researchers at Varonis have discovered a sophisticated attack technique dubbed “Reprompt” that allowed single-click data exfiltration from Microsoft Copilot Personal through indirect prompt injection. The attack bypassed the LLM’s data leak protections and enabled persistent session exfiltration even after the Copilot chat was closed.

The Reprompt attack leverages a Parameter-to-Prompt (P2P) injection combined with a double-request technique and chain-request methodology to enable continuous, undetectable data exfiltration. The attack starts by exploiting the ‘q’ parameter used to deliver user queries via URL—all it takes is for the victim to click a malicious link.

How It Worked: Varonis discovered that Copilot’s protections against sensitive information leaks only applied to the initial request. By submitting each request multiple times, researchers bypassed the filtering. They then developed a chain request where Copilot retrieved instructions directly from an attack server, creating an ongoing exchange that could exfiltrate user information continuously—with all commands hidden from client-side monitoring.

“Client-side monitoring tools won’t catch these malicious prompts, because the real data leaks happen dynamically during back-and-forth communication—not from anything obvious in the prompt the user submits,” Varonis explains.

Why This Matters:

  • Demonstrates fundamental challenges in securing AI assistants
  • Single-click compromise with session persistence
  • Enterprise data at risk from seemingly innocuous links
  • Highlights need for server-side AI interaction monitoring

Note: Microsoft has resolved the underlying issue. The attack does not affect enterprise customers using Microsoft 365 Copilot.

References: SecurityWeek, The Hacker News, Varonis Blog, ZDNet
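The design flaw Varonis describes (leak protection applied only to the first request in a session) and the "server-side monitoring" takeaway can both be shown in a few lines. The Python below is an added example, not Varonis's or Microsoft's code: a stand-in model, a stand-in leak filter and two session handlers, one that filters only the first request and one that filters and audits every request. The sensitive token, the user notes and the prompts are constructed.

```python
import re
from collections import Counter

# Constructed stand-in for "sensitive data": a US-SSN-shaped token.
SENSITIVE_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Constructed user data the assistant has access to.
USER_NOTES = "Reminder: employee SSN on file is 123-45-6789."


def model_answer(prompt, user_data):
    """Stand-in for the LLM: repeats stored user data when asked about notes."""
    if "notes" in prompt.lower():
        return f"Your notes say: {user_data}"
    return "Nothing to report."


def redact(text):
    return SENSITIVE_RE.sub("[REDACTED]", text)


class FirstRequestOnlyFilter:
    """The flawed design from the write-up: the leak filter runs on the
    initial request only, so a repeated request is answered unfiltered."""

    def __init__(self, user_data):
        self.user_data = user_data
        self.seen_first = False

    def handle(self, prompt):
        reply = model_answer(prompt, self.user_data)
        if not self.seen_first:
            self.seen_first = True
            return redact(reply)
        return reply          # later requests bypass the filter entirely


class PerRequestFilter:
    """Hardened design: every request is filtered, and the server keeps its
    own audit trail, flagging repeated identical prompts (the double-request
    pattern) and every response in which sensitive data had to be blocked."""

    def __init__(self, user_data, repeat_alert=2):
        self.user_data = user_data
        self.repeat_alert = repeat_alert
        self.prompt_counts = Counter()
        self.audit = []

    def handle(self, prompt):
        self.prompt_counts[prompt] += 1
        raw = model_answer(prompt, self.user_data)
        reply = redact(raw)
        flags = []
        if self.prompt_counts[prompt] >= self.repeat_alert:
            flags.append("repeated-request")
        if SENSITIVE_RE.search(raw):
            flags.append("sensitive-data-blocked")
        self.audit.append({"prompt": prompt, "flags": flags})
        return reply


if __name__ == "__main__":
    flawed = FirstRequestOnlyFilter(USER_NOTES)
    print("flawed #1:", flawed.handle("summarize my notes"))
    print("flawed #2:", flawed.handle("summarize my notes"))   # leaks
    hardened = PerRequestFilter(USER_NOTES)
    hardened.handle("summarize my notes")
    print("hardened #2:", hardened.handle("summarize my notes"))
    print("audit:", hardened.audit)
```

The point of the audit list is that it lives on the server, where the back-and-forth actually happens; a client-side monitor only sees the single prompt the user submitted, which is exactly the blind spot the quoted Varonis statement describes.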


⚖️ Policy, Compliance & Regulations

China Orders Domestic Firms to Stop Using US and Israeli Cybersecurity Software

Jurisdiction: China | Effective: Immediate | Impact: Global Cybersecurity Market

China has ordered domestic companies to stop using cybersecurity solutions from more than a dozen U.S. and Israeli firms, citing national security concerns. The move reflects escalating tech tensions between Washington and Beijing and marks a significant fragmentation of the global cybersecurity market.

Affected US Companies: VMware, Palo Alto Networks, Fortinet, Mandiant, CrowdStrike, SentinelOne, McAfee, Recorded Future, Claroty, Rapid7, and Wiz

Affected Israeli Companies: Check Point, CyberArk, Orca Security, Cato Networks, and Imperva (now owned by France’s Thales)

Chinese authorities expressed concern that the software could collect and transmit confidential information abroad. The announcement immediately impacted affected companies’ stock prices. This mirrors earlier U.S. actions against Kaspersky, which was banned from U.S. government systems in 2017 and from all U.S. sales by 2024.

Key Requirements:

  • Immediate cessation of use for listed security products
  • Transition to domestic Chinese alternatives
  • Affects unknown number of Chinese enterprises

Business Impact: The move accelerates China’s push to replace Western technology with domestic alternatives and signals that cybersecurity has become a frontline in the broader US-China technology competition. Western vendors should expect continued market access restrictions in China and potentially other aligned nations.

References: Reuters, Security Affairs, Cybersecurity Insiders


💼 Industry & Business

Aikido Security Reaches Unicorn Status with $60M at $1B Valuation

Type: Funding | Value: $60M Series B at $1B Valuation | Company: Aikido Security (Belgium)

Belgium-based application security startup Aikido Security has raised $60 million in Series B funding led by DST Global, reaching unicorn status with a $1 billion valuation. The company helps developers create secure applications through automated security testing and remediation.

Aikido’s rapid growth reflects the continued strong demand for developer-focused security tools as organizations shift security left in the development lifecycle. The company plans to accelerate its vision for “self-securing software” and continuous penetration testing capabilities.

Business Impact: The funding validates the developer security tooling market and signals continued investor confidence in application security despite broader market corrections.

References: SecurityWeek, Aikido Blog, Reuters


2025 Ransomware Report: 7,419 Attacks Worldwide, 32% Increase

Type: Market Analysis | Source: Comparitech | Period: 2025 Annual

Comparitech’s annual ransomware report reveals that 2025 saw 7,419 ransomware attacks worldwide, representing a 32% increase over the 5,631 attacks recorded in 2024. Manufacturing emerged as the hardest-hit sector with a 56% increase in attacks (from 937 to 1,466) and average ransom demands more than doubling from $523,000 to nearly $1.2 million.

Key Statistics:

  • Total Attacks: 7,419 (32% YoY increase)
  • US Attacks: 3,810 (51% of global total, 33% increase)
  • Records Breached: 59.2 million confirmed
  • Most Active Group: Qilin with 1,034 attacks (14% of total)
  • Second Most Active: Akira with 765 attacks
  • Largest Data Theft Claim: 31.2 petabytes (Qilin, single US manufacturer)

Sector Analysis:

  • Manufacturing: +56% (1,466 attacks)
  • Legal: +54% (346 attacks)
  • Government: +27% (374 attacks)
  • Healthcare: +2% (444 attacks) - plateau observed
  • Education: +2% (252 attacks) - plateau observed

Notable Trend: Average ransom demands declined 26% to $1.04 million, but sector-specific demands varied significantly. The plateau in healthcare and education attacks may reflect increased awareness following high-profile cases in recent years.

References: Comparitech, Industrial Cyber


🎯 Threat Intelligence

UAT-8837: China-Nexus APT Targeting North American Critical Infrastructure

Actor: UAT-8837 | Attribution: China (Medium Confidence) | Targets: Critical Infrastructure (North America) | Status: Active

Cisco Talos has published detailed analysis of UAT-8837, a threat actor assessed with medium confidence to be a China-nexus APT group primarily tasked with obtaining initial access to high-value organizations in North American critical infrastructure sectors.

The group exploits both n-day and zero-day vulnerabilities, including the recent ViewState deserialization zero-day (CVE-2025-53690) in Sitecore products. Post-compromise, UAT-8837 deploys a mix of open-source tools including Earthworm (tunneling), SharpHound (AD reconnaissance), DWAgent (remote access), Certipy (AD abuse), GoExec, and Rubeus.

TTPs Observed:

  • Initial access via vulnerable servers or compromised credentials
  • Extensive use of open-source offensive tools
  • Token theft using GoTokenTheft
  • Network tunneling via Earthworm to attacker infrastructure
  • Active Directory reconnaissance with SharpHound and Certipy
  • Credential harvesting and lateral movement
  • Creation of backdoored user accounts
  • Exfiltration of DLL libraries (potential supply chain risk)

Infrastructure Indicators:

  • 74[.]176[.]166[.]174
  • 20[.]200[.]129[.]75
  • 172[.]188[.]162[.]183
  • 4[.]144[.]1[.]47
  • 103[.]235[.]46[.]102

Significance: The potential exfiltration of victim product DLL files raises supply chain compromise concerns. Organizations in critical infrastructure should review Cisco Talos IOCs and hunt for related activity.

References: Cisco Talos Intelligence Blog
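The five indicators above are published defanged (`[.]` for `.`), so hunting with them means refanging first and then matching whole addresses rather than substrings. As an added example (not Cisco Talos tooling), the Python below does both over a handful of constructed firewall and proxy lines, and includes the naive substring check to show why it over-matches: `74.176.166.174` is a substring of the unrelated `174.176.166.174`.

```python
import re

# The defanged indicators as listed in the Talos-derived section above.
TALOS_IOCS_DEFANGED = [
    "74[.]176[.]166[.]174",
    "20[.]200[.]129[.]75",
    "172[.]188[.]162[.]183",
    "4[.]144[.]1[.]47",
    "103[.]235[.]46[.]102",
]

# Constructed log lines (not real telemetry). Lines 3 and 4 are decoys whose
# addresses merely contain an indicator as a substring.
SAMPLE_LOGS = [
    "2026-01-10T08:12:03 fw01 allow src=10.20.30.40 dst=203.0.113.9 dport=443",
    "2026-01-10T08:13:44 fw01 allow src=10.20.30.41 dst=74.176.166.174 dport=443",
    "2026-01-10T08:14:02 proxy01 GET http://174.176.166.174/update.bin client=10.20.30.42",
    "2026-01-10T08:15:10 fw01 deny src=10.20.30.43 dst=14.144.1.47 dport=8080",
    "2026-01-10T08:16:55 fw01 allow src=10.20.30.44 dst=4.144.1.47 dport=443",
]

# Whole dotted-quad only: no digit or dot may touch either end of the match.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def refang(ioc):
    """Turn a defanged indicator back into a matchable address."""
    return ioc.replace("[.]", ".")


def hunt(lines, defanged_iocs):
    """Return (line_number, ip) for every whole IPv4 token that is an IOC."""
    targets = {refang(i) for i in defanged_iocs}
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IPV4_RE.findall(line):
            if ip in targets:
                hits.append((n, ip))
    return hits


def substring_hunt(lines, defanged_iocs):
    """The naive version, kept only to show its false positives."""
    targets = [refang(i) for i in defanged_iocs]
    return [(n, t) for n, line in enumerate(lines, 1) for t in targets if t in line]


if __name__ == "__main__":
    print("exact   :", hunt(SAMPLE_LOGS, TALOS_IOCS_DEFANGED))
    print("substr  :", substring_hunt(SAMPLE_LOGS, TALOS_IOCS_DEFANGED))
```

The same boundary rule applies when these addresses are loaded into a SIEM or proxy blocklist: match on the parsed address field, not on free text, or the decoy cases above become alerts.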


18,000+ Chinese Malware C2 Servers Mapped Across Major ISPs

Source: Hunt.io | Scope: China Hosting Infrastructure | Type: Infrastructure Analysis

Threat intelligence firm Hunt.io has mapped more than 18,000 active command-and-control servers linked to Chinese hosting infrastructure across 48 different malware families. The research provides visibility into the scale of malicious infrastructure operating from Chinese ISPs and hosting providers.

This mapping effort enables defenders to proactively block known malicious infrastructure and improve detection capabilities for China-nexus threat activity.

References: Hunt.io, CyberPress


📚 Best Practices & Guidance

NCSC-Led Global Guidance: 8 Principles for Secure OT Connectivity

Source: UK NCSC (Lead), CISA, FBI, ASD-ACSC, BSI, and Partners | Topic: Operational Technology Security | Audience: OT Operators, Integrators, Device Manufacturers

Global cybersecurity agencies have released comprehensive joint guidance providing a goal-oriented framework for designing secure connectivity into operational technology environments. The ‘Secure Connectivity Principles for Operational Technology’ document sets out eight core principles that organizations can use to design, secure, and manage connectivity into OT environments.

The 8 Principles:

  1. Balance Risks and Opportunities - Recognize connectivity delivers value while introducing risks
  2. Limit Exposure - Reduce unnecessary access paths and tightly control communications
  3. Centralize and Standardize - Improve visibility, consistency, and governance
  4. Use Secure Protocols - Default to latest secure versions (DNP3-SAv5, CIP Security, OPC UA)
  5. Strengthen the OT Boundary - Prevent unauthorized access and contain threats
  6. Limit Compromise Impact - Implement segmentation, containment, and resilience
  7. Log and Monitor - Enable timely detection and response
  8. Plan for Isolation - Ensure systems can be safely disconnected during incidents

Key Recommendations:

  • All OT connections should be outbound-initiated from within the OT environment
  • Obsolete devices require indirect access via DMZ with strong compensating controls
  • Industrial protocols (Modbus, OPC DA, EtherNet/IP) should be restricted to isolated OT segments
  • Implement phishing-resistant MFA for external OT access
  • Design systems to function independently of external dependencies

Co-Authors: UK NCSC, Australian Cyber Security Centre (ASD-ACSC), Canadian Centre for Cyber Security, CISA, FBI, Germany’s BSI, Netherlands NCSC-NL, New Zealand NCSC-NZ

References: CISA, NCSC UK, Industrial Cyber
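Three of the recommendations above are mechanical enough to check against a firewall policy: OT connections must be outbound-initiated, industrial protocols stay inside OT segments, and external OT access needs phishing-resistant MFA. As an added example (not from the NCSC/CISA guidance itself), the Python below lints a small constructed rule set for those three conditions; the zone names, port-to-protocol table and the `mfa` attribute are assumptions for the example, not fields of any particular firewall.

```python
# Assumed zone naming for this example.
OT_ZONES = {"ot-cell", "ot-control"}
EXTERNAL_ZONES = {"vendor-vpn", "internet"}

# Industrial protocol ports that the guidance says belong in isolated OT segments.
INDUSTRIAL_PORTS = {
    502: "Modbus/TCP",
    44818: "EtherNet/IP",
    135: "OPC DA (DCOM endpoint mapper)",
}

# Constructed policy: each rule is "who may open a connection to whom".
SAMPLE_POLICY = [
    {"id": 1, "src": "it-users", "dst": "ot-control", "dport": 502, "action": "allow"},
    {"id": 2, "src": "ot-control", "dst": "it-historian", "dport": 443, "action": "allow"},
    {"id": 3, "src": "vendor-vpn", "dst": "ot-dmz", "dport": 3389, "action": "allow",
     "mfa": "phishing-resistant"},
    {"id": 4, "src": "vendor-vpn", "dst": "ot-cell", "dport": 22, "action": "allow",
     "mfa": "otp"},
    {"id": 5, "src": "ot-cell", "dst": "ot-control", "dport": 44818, "action": "allow"},
    {"id": 6, "src": "any", "dst": "ot-control", "dport": 502, "action": "deny"},
]


def lint_ot_policy(policy):
    """Return (rule_id, finding) for each allow rule that breaks one of the
    three connectivity recommendations. Deny rules are never findings."""
    findings = []
    for r in policy:
        if r["action"] != "allow":
            continue
        src_ot = r["src"] in OT_ZONES
        dst_ot = r["dst"] in OT_ZONES
        # Principle: connections are initiated from inside OT, never into it.
        if dst_ot and not src_ot:
            findings.append((r["id"], "inbound-initiated connection into OT"))
        # Principle: industrial protocols do not cross the OT boundary.
        if r["dport"] in INDUSTRIAL_PORTS and not (src_ot and dst_ot):
            proto = INDUSTRIAL_PORTS[r["dport"]]
            findings.append((r["id"], f"{proto} allowed across the OT boundary"))
        # Principle: external access to OT (direct or via the DMZ) needs
        # phishing-resistant MFA.
        touches_ot = dst_ot or r["dst"] == "ot-dmz"
        if r["src"] in EXTERNAL_ZONES and touches_ot and r.get("mfa") != "phishing-resistant":
            findings.append((r["id"], "external access without phishing-resistant MFA"))
    return findings


if __name__ == "__main__":
    for rule_id, finding in lint_ot_policy(SAMPLE_POLICY):
        print(f"rule {rule_id}: {finding}")
```

Rule 3 passes because vendor access lands in the DMZ with strong MFA, which is the indirect-access pattern the guidance prescribes for obsolete devices; rule 4 fails twice because it reaches straight into an OT cell with weak MFA.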


🛠️ Products & Services

isVerified Emerges from Stealth with Voice Deepfake Detection Apps

Vendor: isVerified | Product: Voice Deepfake Detection | Type: Mobile Security Apps

isVerified has emerged from stealth mode with Android and iOS mobile applications designed to protect enterprise communications from voice deepfake attacks. The technology addresses the growing threat of AI-generated voice cloning used in business email compromise, vishing attacks, and executive impersonation fraud.

The launch comes as research continues to show weaknesses in current voice cloning defenses. University of Texas San Antonio researchers recently demonstrated that modern systems designed to protect voices from cloning through noise injection can be bypassed with proper techniques.

Key Features: Real-time voice authentication for enterprise communications

References: SecurityWeek


👥 Community & Culture

The OSINT Newsletter Issue #90: GitHub Investigation Techniques and AI Detection

Type: Newsletter | Topic: OSINT Techniques and Tools

The 90th issue of The OSINT Newsletter provides valuable insights for investigators, including:

  • GitHub Profile Investigation: Contributions to non-main branches don’t appear in contribution graphs until merged—a key consideration when assessing dormant-looking profiles
  • Gmail Address Changes Coming: Google is gradually rolling out the ability to change Gmail addresses, which may impact email-based identity verification
  • God’s Eye Tool: New subdomain enumerator using local AI (Ollama) for vulnerability analysis and CVE detection
  • Surfface: New face recognition reverse image search tool (requires Russian VPN)
  • Telegram Spoiler Decoder: Tool to recover text hidden under Telegram’s pseudo-braille spoiler feature on macOS

References: The OSINT Newsletter (Substack)


💡 Security Professional Action Items

Immediate (24-48 hours)

  1. Patch Palo Alto GlobalProtect - CVE-2026-0227 has public PoC; prioritize internet-facing deployments
  2. Patch FortiSIEM - CVE-2025-64155 exploit code released; restrict management interface access
  3. Hunt for UAT-8837 IOCs - Critical infrastructure organizations should search for Cisco Talos indicators
  4. Review Microsoft Copilot configurations - Ensure enterprise policies are properly configured

Short-term (This Week)

  1. Assess OT connectivity posture - Review against new NCSC/CISA 8 principles guidance
  2. Evaluate distributed energy communications security - Poland attack highlights new attack vector
  3. Review vendor exposure to China ban - Assess if your security vendors are affected by China’s restrictions

Strategic (This Month)

  1. Update ransomware response plans - Manufacturing sector seeing 56% increase in attacks
  2. Implement voice verification for executive communications - Deepfake threats continue evolving
  3. Review AI assistant security policies - Reprompt attack demonstrates LLM security challenges

📈 Threat Landscape Analysis

Today’s intelligence reveals several converging trends:

State-Sponsored Infrastructure Targeting Intensifies: Poland’s near-blackout experience demonstrates that nation-state actors are developing novel techniques specifically designed to exploit distributed energy architectures. The simultaneous targeting of multiple renewable energy installations represents an evolution beyond traditional attacks on centralized power plants—a technique we should expect to see replicated globally.

AI Security Remains Immature: The Reprompt attack on Microsoft Copilot illustrates that AI assistants remain fundamentally vulnerable to prompt injection and data exfiltration techniques. As organizations rapidly deploy AI tools, the attack surface expands faster than security controls mature.

Geopolitical Fragmentation Accelerates: China’s ban on Western cybersecurity software signals a deepening bifurcation of the global technology ecosystem. Organizations operating internationally must now plan for incompatible security stacks across different regulatory regimes.

Ransomware’s Manufacturing Focus: The 56% increase in manufacturing attacks with doubled ransom demands reflects attackers’ recognition that operational technology environments face unique pressure to pay ransoms to avoid production disruption.


Comprehensive balanced analysis from: Cisco Talos, Varonis, Comparitech, The Record, Reuters, SecurityWeek, Security Affairs, Industrial Cyber, NCSC, CISA, Risky.Biz, The OSINT Newsletter

Issue #105 | January 15, 2026 | Coverage: 12 stories across 9 security segments | 11 new stories | 2 updates