InfoSec News 19JAN2026
General
- Quality Microsoft coding - secured Windows 11 23H2 Enterprise and IoT versions fail to shut down with the latest cumulative update.
After installing the January 13, 2026, Windows security update (KB5073455) for Windows 11, version 23H2, some PCs with Secure Launch are unable to shut down or enter hibernation. Instead, the device restarts. Secure Launch uses virtualization-based security to protect the system from firmware-level threats during startup.
- https://learn.microsoft.com/en-us/windows/release-health/status-windows-11-23h2#devices-with-secure-launch-might-fail-to-shut-down-or-hibernate
- https://www.bleepingcomputer.com/news/security/microsoft-some-windows-pcs-fail-to-shut-down-after-january-update/
- https://www.theregister.com/2026/01/16/patch_tuesday_secure_launch_bug_no_shutdown/
- (Update - fixes have been issued) https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-oob-windows-updates-to-fix-shutdown-cloud-pc-bugs/
- Yet more Microsoft bugs - this one's for those still enjoying a '90s email experience - a bug blocking access to Post Office Protocol (POP/POP3) to retrieve email.
- Cisco finally gets around to patching IronPort (aka Secure Email Gateway and Secure Email and Web Manager). The bugs were known to be exploited - by suspected China-nexus actors - from November 2025, and were disclosed by Cisco in December 2025.
- Black Basta (ransomware) leader Nefedov makes it onto the Interpol 'Red Notice' list, almost a year after being outed in leaked chat messages. Two further Black Basta suspects have been arrested in related raids.
- https://cyberpolice.gov.ua/news/naczpolicziya-vykryla-chleniv-mizhnarodnogo-xakerskogo-ugrupovannya-ta-identyfikuvala-jogo-organizatora-6407/
- https://www.bleepingcomputer.com/news/security/black-basta-boss-makes-it-onto-interpols-red-notice-list/
- https://therecord.media/police-raid-homes-of-alleged-black-basta-hackers
- https://www.theregister.com/2026/01/16/black_basta_boss_wanted/
- A cross-site scripting (XSS) bug in the StealC malware's control panel allowed researchers to watch the crims.
- [CA] 750k investor details confirmed leaked after "a sophisticated phishing attack" 🤷🏻
“There is currently no evidence that the information has been misused. We continue to monitor for malicious activity and have not identified any threat activity or exposure on the dark web,”
Getting Techy
- Gootloader (a 'loader' commonly used to provide initial access for ransomware) has started messing with ZIP files, to break detection.
The file consists of 500–1,000 ZIP archives concatenated together. Because ZIP archives are read from the end of the file, the ZIP archive can still function properly. ....
The ZIP archive’s “End of Central Directory” file structure is truncated: two critical bytes are missing from the expected structure. This causes errors when some tools attempt to parse the End of Central Directory.
For each of Gootloader’s ZIP archives generated, values in non-critical fields are randomized: fields such as “Disk Number” and “Number of Disks” are randomly assigned, causing some unarchiving tools to expect a sequence of ZIP archives which don’t exist.
In practice, every user who downloads a ZIP file from Gootloader’s infrastructure will receive a unique ZIP file
- https://expel.com/blog/gootloaders-malformed-zip/
- https://www.bleepingcomputer.com/news/security/gootloader-now-uses-1-000-part-zip-archives-for-stealthy-delivery/
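A small detector for the three ZIP quirks quoted above (concatenated archives, a truncated End of Central Directory record, and randomised disk-number fields). This is an added example, not Expel's or Gootloader's code; the sample archives are constructed in-memory and mutated to mimic the technique.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # End of Central Directory (EOCD) record signature
EOCD_LEN = 22              # fixed-size part of the EOCD record, excluding comment

def build_sample_zip(name: str, payload: bytes) -> bytes:
    """Constructed, benign single-entry archive used as the sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()

def zip_anomalies(data: bytes) -> dict:
    """Flag the structural oddities described in the Gootloader write-up."""
    findings = {
        "eocd_count": data.count(EOCD_SIG),   # >1 means several archives glued together
        "eocd_truncated": False,
        "disk_fields_inconsistent": False,
    }
    last = data.rfind(EOCD_SIG)
    if last == -1 or len(data) - last < EOCD_LEN:
        findings["eocd_truncated"] = True      # EOCD missing or cut short
        return findings
    # EOCD layout after the signature: disk no, CD disk, entries on this disk,
    # total entries, CD size, CD offset, comment length (all little-endian)
    disk_no, cd_disk, n_this, n_total, _size, _off, comment_len = struct.unpack(
        "<HHHHIIH", data[last + 4:last + EOCD_LEN])
    if len(data) - last < EOCD_LEN + comment_len:
        findings["eocd_truncated"] = True      # comment claims more bytes than exist
    # A single-part archive must say disk 0 everywhere with matching entry counts;
    # randomised values make tools look for spanning parts that do not exist.
    if disk_no != 0 or cd_disk != 0 or n_this != n_total:
        findings["disk_fields_inconsistent"] = True
    return findings

def is_suspicious(findings: dict) -> bool:
    return (findings["eocd_count"] > 1 or findings["eocd_truncated"]
            or findings["disk_fields_inconsistent"])

# Constructed samples: a clean archive and three mutations mimicking the technique.
CLEAN = build_sample_zip("readme.txt", b"benign sample content")
CONCATENATED = CLEAN * 3                     # several archives concatenated
TRUNCATED = CLEAN[:-2]                       # last two EOCD bytes removed
_mutated = bytearray(CLEAN)
_mutated[len(CLEAN) - EOCD_LEN + 4:len(CLEAN) - EOCD_LEN + 6] = struct.pack("<H", 7)
RANDOM_DISK = bytes(_mutated)                # "Disk Number" field set to a bogus 7
```

Only the clean sample passes; each mutation trips a different check, which is the point of running all three rather than relying on whether an unarchiver happens to open the file.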
- Carlsberg - might be able to make beer, not so good at making secure systems. Photos, videos and visitor details from a Carlsberg exhibit can easily be brute-forced.
I noticed that the URL in the QR code just contained the wristband ID and no other extra data. It looked like there were only 26 million combinations. That’s not enough entropy to provide any security for your personal data and videos.
- https://www.pentestpartners.com/security-blog/carlsberg-probably-not-the-best-cybersecurity-in-the-world/
- https://www.theregister.com/2026/01/16/carlsberg_experience_vulnerability/
- Estonian e-scooter manufacturer goes bust; of course a cloud-connected app is required to use them, so it's time to reverse engineer. Surprise: the default per-device key was never changed, so the key is just `ffffffffffffffff`.
Geo-Politics
- [IR] SpaceX is offering free Starlink access in Iran, as the regime cut off Internet and Mobile access within the country on January 8th. The service is predictably banned in Iran, and the regime is attempting to jam the system.
AI
- OpenAI has two new ways to make money, and to try to offset their ginormous spending spree.
- ChatGPT ads, in free or low-cost subscriptions
What matters most:
- Responses in ChatGPT will not be influenced by ads.
- Ads are always separate and clearly labeled.
- Your conversations are private from advertisers
- Plus, Pro, Business, and Enterprise tiers will not have ads.
- https://x.com/OpenAI/status/2012223373489614951
- https://simonwillison.net/2026/Jan/16/chatgpt-ads/
- https://www.bleepingcomputer.com/news/artificial-intelligence/openai-says-its-new-chatgpt-ads-wont-influence-answers/
- ChatGPT Go, a low-cost subscription - with ads - that provides:
10x more messages, file uploads and image creation than the free tier, so you can keep chatting with no limits on GPT‑5.2 Instant.
Longer memory and context window, so ChatGPT can remember more helpful details about you over time.
- Free and Go plans offer the same access to models - GPT-5.2-Instant, but not Thinking, Pro, nor Legacy.
- Context window for Free is 16K, Go/Plus/Business is 32K, Pro/Enterprise is 128K.
- (OpenAI Announcement) https://archive.is/UiheI
- (ChatGPT Pricing) https://archive.is/XuYxF
- https://www.bleepingcomputer.com/news/artificial-intelligence/chatgpt-go-subscription-rolls-out-worldwide-at-8-but-itll-show-you-ads/
- The concept of "Skills" - which appears to be replacing 'tools' as a more context-efficient way of adding functionality - for LLMs has made its way into Chrome. It's still highly dangerous to allow agentic access to browsing.
- Trail of Bits documents the threat model when using agentic browsers. This is a useful reference, and applicable to all implementations.