InfoSec News 06FEB2026
General
- It appears that Microsoft is pivoting away from its security commitments, back to 'security is a product-line'. The more technical-focused Charlie Bell is stepping down from the 'Executive Vice President, Security' role, in favour of Hayete Gallot.
There are also rumours that "is essentially being taken out of Connect (yearly goal reviews), which was Microsoft's big commitment to Congress as part of Secure Future Initiative....it's been watered down now to the point where it basically doesn't exist any more"
Hayete ... spent more than 15 years at Microsoft with senior leadership roles across engineering and sales, playing multiple critical roles in building two of our biggest franchises – Windows and Office, leading our commercial solution areas’ go-to-market efforts. And she was instrumental in the design and implementation of our Security Solution Area. She brings an ethos that combines product building with value realization for customers, which is critical right now
- https://blogs.microsoft.com/blog/2026/02/04/updates-in-two-of-our-core-priorities/
- https://cyberplace.social/@GossiTheDog/116013635575706652
- https://www.theregister.com/2026/02/05/microsoft_appoints_quality_chief/
- After a critical flaw was found in n8n, and publicised widely, at the end of last year, the n8n (open-source) Visual Workflow Automation application has received a lot more attention. A new series of CVEs has been announced, primarily impacting multi-tenant instances.
The vulnerabilities allowed any authenticated user to seize complete control of the server, stealing every stored credential, API key, and secret on both self hosted and cloud instances. On n8n Cloud, the shared multi-tenant architecture meant a single malicious user could potentially breach the entire platform, accessing data belonging to all other customers.
...
The attack requires nothing special. If you can create a workflow, you can own the server.
We discovered a critical vulnerability (GHSA-6cqr-8cfr-67f8 / CVE-2026-25049) in n8n that allows authenticated users to achieve remote code execution (RCE) via sandbox escape. With full control over the n8n instance, attackers can read files, execute system commands, access databases, and exfiltrate credentials stored in n8n's credential vault.
- https://www.endorlabs.com/learn/cve-2026-25049-n8n-rce
- https://www.bleepingcomputer.com/news/security/critical-n8n-flaws-disclosed-along-with-public-exploits/
- Substack suffered a data-breach back in October 2025, but apparently only realised it this month. If this is tied to the data dump on BreachForums (posted the day before Substack say they identified the breach) then it suggests Substack's initial response was to cover it up. The BreachForums post claims "the scraping method used was noisy and patched fast", suggesting Substack detected the data exfiltration, stopped it, then hoped that the data that had got out just disappeared.
- Interesting to see what one group of attackers did with React2Shell access - modifying NGINX configuration, to proxy traffic. Targeted paths (inc. "slot", "g", "casino") suggest the goal is to hide gambling sites behind legitimate domains.
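As an added illustration of the defensive check this item suggests (example code, not from the write-up above), the following Python audits an nginx configuration for location blocks that proxy to hosts outside an operator-maintained upstream inventory, run over a constructed config that embeds the reported paths. The allowlist, the sample config and the regex-based parsing (no include handling) are assumptions to adapt to a real deployment.

```python
import re

# Constructed sample config: a legitimate site plus injected proxy rules of the
# kind described in the React2Shell report (the /slot, /g, /casino paths are from it).
SAMPLE_CONF = """
upstream app { server 127.0.0.1:3000; }
server {
    listen 80;
    server_name example.com;
    location / { proxy_pass http://app; }
    location /api/ { proxy_pass http://127.0.0.1:8080; }
    location /slot { proxy_pass http://198.51.100.7:8080; }
    location /casino { proxy_pass http://bad-upstream.example; }
    location /g { proxy_pass http://198.51.100.7:8080; }
}
"""

# Assumption: the operator keeps an inventory of upstreams this site may proxy to.
KNOWN_UPSTREAMS = {"app", "127.0.0.1", "localhost"}

# Path names called out in the report; a secondary indicator, not proof on its own.
SUSPICIOUS_PATHS = re.compile(r"^/(slot|g|casino)(/|$)", re.I)

# Simple parser for flat location blocks (no nested braces inside a location).
LOCATION_RE = re.compile(r"location\s+(?:[=~*^]+\s+)?(\S+)\s*\{([^{}]*)\}", re.S)
PROXY_RE = re.compile(r"proxy_pass\s+(\S+?);")
HOST_RE = re.compile(r"^[a-z]+://([^/:;]+)")


def audit_nginx_conf(conf: str, known_upstreams=KNOWN_UPSTREAMS):
    """Return (path, proxy_pass target, [reasons]) for each location block that
    proxies to an unknown upstream or uses a path pattern from the report."""
    findings = []
    for loc in LOCATION_RE.finditer(conf):
        path, body = loc.group(1), loc.group(2)
        for target in PROXY_RE.findall(body):
            host_match = HOST_RE.match(target)
            host = host_match.group(1) if host_match else target
            reasons = []
            if host not in known_upstreams:
                reasons.append(f"unknown upstream {host}")
            if SUSPICIOUS_PATHS.match(path):
                reasons.append("path matches reported gambling-redirect pattern")
            if reasons:
                findings.append((path, target, reasons))
    return findings


if __name__ == "__main__":
    for path, target, reasons in audit_nginx_conf(SAMPLE_CONF):
        print(f"{path} -> {target}: {'; '.join(reasons)}")
```

Run it against the live nginx.conf (and each file it includes) on a schedule, and alert on any finding rather than only on the reported paths.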
Warning: Against best practices, DataDog have not de-fanged any attacker URLs; indeed, the domains are linked and appear clickable.
- [RO] An attack claimed by Qilin has taken down the Information Technology (IT - website, billing, etc) side of Romanian oil pipeline operator Conpet, however their Operational Technology (OT - the oil transport) side remains operational.
Geo-Politics
- [IT] Italy is blaming Russia for cyberattacks, in the lead-up to the Winter Olympics.
Italy thwarted a series of cyberattacks of “Russian origin” targeting diplomatic missions abroad and sites linked to the upcoming Winter Olympics, Foreign Minister Antonio Tajani said Wednesday.
The attempted attacks hit multiple foreign ministry offices “starting with Washington,” according to Tajani, as well as facilities connected to the 2026 Winter Games, including hotels in the Alpine resort of Cortina d’Ampezzo. He did not disclose technical details of the incidents.
...
Russia-linked hackers have previously targeted countries hosting major sporting events. During the 2018 Winter Olympics in Pyeongchang, the Russian state-sponsored hacking group Sandworm, also known as APT44, disrupted the Games’ IT infrastructure using so-called Olympic Destroyer malware in a false-flag operation designed to implicate North Korean and Chinese actors.
- https://therecord.media/italy-blames-russia-linked-hackers-winter-games-cyberattack
- https://www.theregister.com/2026/02/05/winter_olympics_russian_attacks/
- [RU] Trellix is attributing attacks against "maritime, transportation and diplomatic entities in countries including Poland, Slovenia, Turkey, Greece and the United Arab Emirates" to Russia - APT28 (aka Strontium, Fancy Bear, Forest Blizzard, Flamboyant Leatherdaddy).
APT28's attack begins with spear-phishing emails containing weaponized documents that exploit CVE-2026-21509, a Microsoft Office security feature bypass vulnerability. This vulnerability was addressed by an urgent, out-of-band security update. When victims open these malicious documents, the exploit triggers automatically without requiring macros or user interaction. The vulnerability allows embedded OLE objects to execute by leveraging the WebDAV protocol to fetch external payloads from attacker-controlled infrastructure.
...
The adversary orchestrated a concentrated 72-hour spear-phishing campaign (January 28-30, 2026), delivering at least 29 distinct emails across nine Eastern European nations, primarily targeting defense ministries (40%), transportation/logistics operators (35%), and diplomatic entities (25%). These emails originated from compromised government accounts of multiple countries, including Romania, Bolivia, and Ukraine.
Privacy
- An Administrative Review Tribunal has reversed most of the Office of the Australian Information Commissioner's earlier findings against Bunnings, for its use of Face Recognition Technology (FRT).
Between 6 November 2018 and 30 November 2021 (the Relevant Period), Bunnings operated FRT
...
Bunnings ceased operating the FRT system on 30 November 2021.
...
We have found that during the Relevant Period, Bunnings was entitled to use FRT for the limited purpose of combatting very significant retail crime and protecting their staff and customers from violence, abuse and intimidation within its stores.
...
We have also found that, whilst using FRT during the Relevant Period, Bunnings did not comply with obligations relating to notification in APP 5.1 and management of personal information in APP1.2 and 1.3. If personal information is to be collected by FRT, Bunnings and other APP entities must take reasonable steps to provide notification that personal information is being collected and to implement appropriate practices, procedures and systems.
...
The decision of the Tribunal is to set aside the Determination by the Privacy Commissioner in relation to the finding that Bunnings breached APP 3.3 and to substitute a decision that Bunnings did not breach APP 3.3 because subclause 3.4 applies and a permitted general situation existed in relation to the collection of information by Bunnings during the Relevant Period.
AI
- A few new model releases...
- Mistral have released Voxtral Transcribe 2, a speech-to-text model, with both open-weights and closed-weights variants.
Voxtral Mini Transcribe V2: State-of-the-art transcription with speaker diarization, context biasing, and word-level timestamps in 13 languages.
Voxtral Realtime: Purpose-built for live transcription with latency configurable down to sub-200ms, enabling voice agents and real-time applications.
Voxtral Realtime - official name Voxtral-Mini-4B-Realtime-2602 - is the open-weights (Apache-2.0) model, available as an 8.87GB download from Hugging Face.
- https://mistral.ai/news/voxtral-transcribe-2 / https://archive.is/Tag5Q
- https://simonwillison.net/2026/Feb/4/voxtral-2/
- Anthropic have released Opus 4.6 (their largest model in the family, Sonnet is their mid-sized model, Haiku is their smallest). Some highlights, compared to Opus 4.5 - Agentic terminal coding - 60%->65%, Agentic computer use - 66%->73%, Multidisciplinary reasoning (no code use) 30%->40%, Novel problem solving 38%->69%.
The new Claude Opus 4.6 improves on its predecessor’s coding skills. It plans more carefully, sustains agentic tasks for longer, can operate more reliably in larger codebases, and has better code review and debugging skills to catch its own mistakes. And, in a first for our Opus-class models, Opus 4.6 features a 1M token context window in beta.
- https://www.anthropic.com/news/claude-opus-4-6 / https://archive.is/XsT1i
- https://simonwillison.net/2026/Feb/5/two-new-models/
- OpenAI have released GPT-5.3-Codex.
The model advances both the frontier coding performance of GPT‑5.2-Codex and the reasoning and professional knowledge capabilities of GPT‑5.2, together in one model, which is also 25% faster. This enables it to take on long-running tasks that involve research, tool use, and complex execution.
- https://openai.com/index/introducing-gpt-5-3-codex/
- https://simonwillison.net/2026/Feb/5/two-new-models/
- A break in the circular-funding loop of AI companies? The US$100b investment in OpenAI infrastructure, that Nvidia announced in 2025, still hasn't appeared.
The September announcement described a wildly ambitious plan: 10 gigawatts of Nvidia systems for OpenAI, requiring power output equal to roughly 10 nuclear reactors. Nvidia CEO Jensen Huang told CNBC at the time that the project would match Nvidia’s total GPU shipments for the year. “This is a giant project,” Huang said.
But the deal was always a letter of intent, not a binding contract. And in recent weeks, Huang has been walking back the number. On Saturday, he told reporters in Taiwan that the $100 billion was “never a commitment.” He said OpenAI had invited Nvidia to invest “up to” that amount and that Nvidia would “invest one step at a time.”