InfoSec News 02FEB2026

General

• Mandiant have released a report on the ShinyHunters vishing attacks.

In incidents spanning early to mid-January 2026, UNC6661 pretended to be IT staff and called employees at targeted victim organizations claiming that the company was updating MFA settings. The threat actor directed the employees to victim-branded credential harvesting sites to capture their SSO credentials and MFA codes, and then registered their own device for MFA. The credential harvesting domains attributed to UNC6661 commonly, but not exclusively, use the format <companyname>sso.com or <companyname>internal.com and have often been registered with NICENIC.
...
After gaining initial access, UNC6661 moved laterally through victim customer environments to exfiltrate data from various SaaS platforms (log examples in Figures 2 through 5). While the targeting of specific organizations and user identities is deliberate, analysis suggests that the subsequent access to these platforms is likely opportunistic, determined by the specific permissions and applications accessible via the individual compromised SSO session. These compromises did not result from security vulnerabilities in the vendors' products or infrastructure.

• https://cloud.google.com/blog/topics/threat-intelligence/expansion-shinyhunters-saas-data-theft
• https://www.bleepingcomputer.com/news/security/mandiant-details-how-shinyhunters-abuse-sso-to-steal-cloud-data/
• First-person account of being on the receiving end of a fake IT worker scam.
  • https://www.theregister.com/2026/02/01/ai_security_startup_ceo_posts/
• Operation "Switch Off" (definitely blew the marketing budget on that one!) in Italy, to shutdown illegal IPTV streaming.

The activity made it possible to dismantle an IT infrastructure that illegally served millions of end users, nationally and internationally. With a sophisticated computer system, that of illegal IPTV, live schedules and on-demand content protected by television rights, owned by national and international television platforms, such as Sky, Dazn, Mediaset, Amazon Prime, Netflix, Paramount, Disney+, were fraudulently captured and resold.
...
The operation has blocked the activity of a thousand Italian retailers with the blackout of over 100 thousand end users in Italy and millions worldwide.
In Italy, three illegal IPTV platforms were seized, with seizure panels affixed to showcase sites and Telegram groups used for sale.

• https://www.poliziadistato.it/articolo/166979f86bd0846335000880
• https://www.bleepingcomputer.com/news/legal/operation-switch-off-dismantles-major-pirate-tv-streaming-services/
• Not to be left out - the US Department of Justice also seized the domains of three Bulgarian sites that allegedly served copyright works.
  • https://therecord.media/bulgaria-piracy-sites-streaming-gaming-seized-us
  • https://www.justice.gov/opa/pr/us-law-enforcement-assists-bulgarian-law-enforcement-taking-down-three-largest-piracy-sites
• Microsoft's NTLM deprecation plans proceeding. Today - enhanced auditing, future "Next version of Windows Server" - actually disabled.
  • https://techcommunity.microsoft.com/blog/windows-itpro-blog/advancing-windows-security-disabling-ntlm-by-default/4489526
  • https://www.bleepingcomputer.com/news/microsoft/microsoft-to-disable-ntlm-by-default-in-future-windows-releases/
• Microsoft blaming Windows 11 boot failures on failed rollback of a December 2025 security update. Resolution information doesn't sound very promising.
  No idea why Microsoft thinks information on failures in their software should hide behind an auth-wall.

Recent investigations have determined this issue can occur on devices that failed to install the December 2025 security update and were left in an improper state after rolling back the update. Attempting to install Windows updates while in this improper state could result in the device being unable to boot. We are working on a partial resolution that will prevent additional devices from resulting in a no-boot scenario if they try to install an update while in this improper state. However, this partial resolution will not prevent devices from getting into the improper state in the first place, nor will it repair devices that are already unable to boot. We continue to investigate why these devices are failing to install Windows updates or potentially getting into this improper state.

• https://www.bleepingcomputer.com/news/microsoft/microsoft-links-windows-11-boot-failures-to-failed-december-2025-update/
• https://admin.cloud.microsoft/?source=applauncher#/windowsreleasehealth/knownissues/:/issue/WI1221934
• More Microsoft fixes rolling out. Windows - Details tucked away under "Windows 11 PC experiences" and Outlook.
  • https://support.microsoft.com/help/5074105
  • https://www.bleepingcomputer.com/news/microsoft/windows-11-kb5074105-update-fixes-boot-sign-in-and-activation-issues/
  • https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-outlook-bug-blocking-access-to-encrypted-emails/

Getting Techy

• WatchTowr Labs are back, with the Ivanti Endpoint Manager Mobile (MobileIron).
  PS Check out the f5 IoC Attacker Domain from Cl0p, in the X message, and keep an eye out for other f5 easter eggs in the report.
  • https://labs.watchtowr.com/someone-knows-bash-far-too-well-and-we-love-it-ivanti-epmm-pre-auth-rces-cve-2026-1281-cve-2026-1340/
  • https://x.com/watchtowrcyber/status/2016242721132855523/photo/1

Geo-Politics

• [PL] Kim Zetter expands on earlier reporting of the Russian attacks on the Polish energy grid. There are claims the attackers may have been from the FSB (domestic intelligence), not the GRU (military intelligence).

The attackers were in the heat-and-power plant's network at least five to nine months before they unleashed malicious code on more than 100 of the plant's workstations that was aimed at wiping files and rendering the systems inoperable. Luckily the wiping triggered an alert in an intrusion-detection system, which succeeded to halt the wiping before it could destroy the systems. This wasn't the case at the wind and solar farms, however, where a wiper did succeed in rendering inoperable some devices used for monitoring and controlling grid systems.

• https://www.zetter-zeroday.com/polish-grid-systems-targeted-in-cyberattack-had-little-security-per-new-report/
• https://www.welivesecurity.com/en/eset-research/dynowiper-update-technical-analysis-attribution/

Privacy

• Why hack when you can just login? Bondu - "A soft, cuddly toy powered by AI that can chat, teach, and play with your child." - left the central admin panel accessible on the Internet, for anyone with a Google account. Even without the vulnerability, it's as much of a privacy nightmare as you might expect. Family details, location, all conversation transcripts - the works.
  • https://josephthacker.com/hacking/2026/01/29/bondu-smart-toy-vulnerability.html
  • https://arstechnica.com/security/2026/01/web-portal-leaves-kids-chats-with-ai-toy-open-to-anyone-with-gmail-account/

AI

• Moltbook - designed to be "The social network for AI agents", modelled on Reddit. Designed to be used by Clawdbot/Moltbot/OpenClaw (it's been through multiple renames since Anthropic objected to the original name) - yes the Agents, not the Humans. The skill.md for Moltbook could easily be turned into remote takeover of all users. Given that the Moltbook platform included an open database, that stayed that way for a while, until 404 Media got in touch, the security of the platform is questionable.
  Note: OpenClaw is still extremely dangerous, and easily hijacked.

## Moltbook (every 4+ hours)
If 4+ hours since last Moltbook check:
1. Fetch https://www.moltbook.com/heartbeat.md and follow it
2. Update lastMoltbookCheck timestamp in memory

• https://www.moltbook.com/
• https://simonwillison.net/2026/Jan/30/moltbook/
• https://www.404media.co/exposed-moltbook-database-let-anyone-take-control-of-any-ai-agent-on-the-site/
• Ex-Google engineer convicted for a blatant attempt to copy Google technology and profit from it. "Ding was convicted on seven counts of economic espionage and seven counts of trade secret theft, each carrying a maximum imprisonment sentence of 10-15 years. However, no sentences have been announced yet."

According to the prosecutors, between May 2022 and April 2023, Ding stole over 2,000 pages of confidential AI-related materials from Google and uploaded them to his personal Google Cloud account.
The stolen files contained key information about Google’s AI super-computing infrastructure, proprietary TPU and GPU system technologies, orchestration software for large-scale AI workloads, and SmartNIC networking technology.
...
Later, he founded his own AI company in China (Shanghai Zhisuan Technology Co.), serving as its CEO, and told potential investors he could build AI supercomputing infrastructure similar to Google’s.

• https://www.bleepingcomputer.com/news/security/us-convicts-ex-google-engineer-for-sending-ai-tech-data-to-china/
• OpenAI takes a second-stab at retiring GPT-4o. The last attempt was rolled back after much consumer demand, for its style of response.

On February 13, 2026, alongside the previously announced retirement⁠ of GPT-5 (Instant and Thinking), we will retire GPT-4o, GPT-4.1, GPT-4.1 mini, and OpenAI o4-mini from ChatGPT. In the API, there are no changes at this time

• https://openai.com/index/retiring-gpt-4o-and-older-models/
• https://www.bleepingcomputer.com/news/artificial-intelligence/openai-is-retiring-famous-gpt-4o-model-says-gpt-52-is-good-enough/
• More information and early testing of OpenAI's advertising in free and Go (cheap) plans. Ad personalisation can be toggled, Ad history can be removed.
  • https://www.bleepingcomputer.com/news/artificial-intelligence/openai-says-you-can-trust-chatgpt-answers-as-it-kicks-off-ads-rollout-preparation/