InfoSec News 23JAN2026
General
- ZenDesk ticket systems are being spammed en masse, generating large volumes of spam for some users (the acknowledgement email sent when a ticket is opened) and presumably for the organisations running the helpdesks. Attackers appear to be working from lists of valid email addresses when opening the tickets. The goal is currently unclear, as they are not delivering phishing links or other malicious content, merely nuisance. Because the mail comes from legitimate domains/senders, much of it is bypassing spam filters.
- INC Ransomware was using Restic to 'back up' target organisation data, and was re-using the destination repositories. Incident responders took note, and were able to recover data for multiple victims.
- Denial of Service in the Berkeley Internet Name Domain server (BIND), ISC's DNS server. HHIT = "Hierarchical Host Identity Tag", BRID = "Broadcast Remote ID": both are DNS resource record types from a recent (2025) RFC for the "Drone Remote Identification Protocol".
The flaw is exploitable remotely in both forwarding and recursive modes; the attacker only needs to cause the server to process a crafted DNS message containing an undersized HHIT or BRID RR.
- https://marlink.com/resources/knowledge-hub/isc-bind-vulnerability-discovered-and-disclosed-by-marlink-cyber/
- https://datatracker.ietf.org/doc/html/rfc9886
- https://www.iana.org/assignments/dns-parameters/HHIT/hhit-completed-template
- https://www.iana.org/assignments/dns-parameters/BRID/brid-completed-template
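The defensive point in the advisory above is that an RR's declared RDLENGTH must be checked against the minimum the record type needs before any fixed-offset field is read from the RDATA. The following is an added example (not BIND/ISC code) of a bounds-checked RR parser that rejects undersized records instead of reading past them. The HHIT/BRID type codes and their minimum RDATA sizes are placeholders assumed for this example; the real values come from RFC 9886 and the IANA templates linked above.

```python
"""Bounds-checked DNS resource-record parser.

Added example, not BIND's or ISC's code. TYPE_HHIT/TYPE_BRID codes and the
minimum RDATA sizes for those two types are placeholders: take the real
values from RFC 9886 and the IANA templates linked above.
"""
import struct

TYPE_A, TYPE_AAAA = 1, 28
TYPE_HHIT, TYPE_BRID = 65280, 65281  # placeholder private-use codes, NOT the IANA assignments

# Smallest RDATA a record of each type may carry. The HHIT/BRID values are
# assumed for this example; RFC 9886 gives the real wire formats.
MIN_RDLENGTH = {TYPE_A: 4, TYPE_AAAA: 16, TYPE_HHIT: 16, TYPE_BRID: 16}


class MalformedRR(ValueError):
    """Declared lengths in the RR disagree with the bytes actually present."""


def read_name(buf: bytes, off: int) -> tuple[bytes, int]:
    """Read an uncompressed wire-format owner name; return (name, next offset)."""
    labels = []
    while True:
        if off >= len(buf):
            raise MalformedRR("name runs past end of message")
        n = buf[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise MalformedRR("compression pointers not handled in this example")
        if off + n > len(buf):
            raise MalformedRR("label runs past end of message")
        labels.append(buf[off:off + n])
        off += n
    return b".".join(labels), off


def parse_rr(buf: bytes, off: int = 0) -> dict:
    """Parse one RR at `off`, validating every length before the bytes are used."""
    name, off = read_name(buf, off)
    if off + 10 > len(buf):
        raise MalformedRR("RR fixed header truncated")
    rtype, rclass, ttl, rdlength = struct.unpack_from(">HHIH", buf, off)
    off += 10
    if off + rdlength > len(buf):
        raise MalformedRR("RDLENGTH exceeds remaining message")
    # The guard the flaw above is about: reject RDATA shorter than the type's
    # fixed fields instead of reading those fields from beyond the buffer.
    minimum = MIN_RDLENGTH.get(rtype, 0)
    if rdlength < minimum:
        raise MalformedRR(f"type {rtype}: RDLENGTH {rdlength} below minimum {minimum}")
    rdata = buf[off:off + rdlength]
    return {"name": name, "type": rtype, "class": rclass, "ttl": ttl, "rdata": rdata}


def build_rr(name: str, rtype: int, rdata: bytes, ttl: int = 300) -> bytes:
    """Encode one RR in wire format; used here only to construct sample input."""
    wire = b"".join(bytes([len(label)]) + label.encode() for label in name.split("."))
    return wire + b"\x00" + struct.pack(">HHIH", rtype, 1, ttl, len(rdata)) + rdata


def is_acceptable(wire: bytes) -> bool:
    """True if the RR parses cleanly, False if the parser rejected it."""
    try:
        parse_rr(wire)
    except MalformedRR:
        return False
    return True


if __name__ == "__main__":
    good = build_rr("uas.example", TYPE_HHIT, b"\x20\x01" + b"\x00" * 14)
    short = build_rr("uas.example", TYPE_HHIT, b"\x20\x01\x00")
    print("well-formed HHIT accepted:", is_acceptable(good))
    print("undersized HHIT rejected:", not is_acceptable(short))
```

The two length checks are deliberately separate: the first catches a message that is simply truncated (RDLENGTH points past the end), the second catches the case in the advisory, where the message is intact but the RDATA is too short for the fields the type defines.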
- [UK] The Prudential Authority has released its report on cyber resilience in the United Kingdom's financial sector, based on testing in 2025.
CBEST is a targeted assessment that allows regulators, firms and Financial Market Infrastructures (FMIs) to better understand weaknesses and vulnerabilities and take remedial actions.
Staff culture, awareness and training
Weaknesses in cyber resilience culture exploited during CBESTs include:
Firms/FMIs whose staff were susceptible to social engineering tactics were more likely to be vulnerable to simulated attacks aimed at credentials or system access. These attacks could occur directly via phishing or indirectly through the exposure of sensitive information, for example in job descriptions or on social media. (PR.AT-01)
Firms/FMIs in which users were routinely storing credentials in unprotected facilities, such as in spreadsheets or in open file shares, were more likely to have those credentials exposed and used as part of simulated cyberattacks. (PR.AT-01)
Firms/FMIs with insecure protocols for helpdesks, such as limited or no authentication of users during interactions with cyber attackers, were vulnerable to being attacked using fraudulently obtained credentials to further malicious access to sensitive information or systems. (PR.AT-02)
Getting Techy
- Another fun write-up from Watchtowr Labs, with more 🤦🏻 bugs in "SmarterMail". Apparently this one is being actively exploited; it appears someone reverse-engineered the patch.
Geo-Politics
- [ES] Spain gives up on its probe into the use of NSO Pegasus spyware against the Spanish Prime Minister and Defence Minister, blaming a lack of co-operation from Israel.
Israel has not responded to five cooperation requests, breaking “the balance inherent in international cooperation and [violating] the principle of good faith that should govern relations between states,” Judge José Luis Calama, of the Audiencia Nacional high court, reportedly said in court documents.
Spain’s thwarted probe found evidence of crimes enabled by Pegasus, which the court has reportedly said “jeopardized the security of the Spanish State.”
- [IR] Iran is using the USDT stablecoin (~US$0.5b) to try to stabilise its fiat currency, following the freezing of its external foreign-currency reserves. The crypto-currency will also allow it to avoid sanctions when purchasing externally.
Reports suggest that the primary motivation behind the CBI's USDT acquisitions was to control foreign exchange markets. This aligns with the on-chain activity we observed. The routing of funds to Nobitex indicates a strategy of injecting US dollar liquidity into the local market to prop up the rial.
Beyond domestic intervention, the CBI also appears to be constructing a "sanctions-proof" banking mechanism that replicates the utility of international dollar accounts. By treating USDT as "digital off-book eurodollar accounts", the regime creates a shadow financial layer capable of holding US dollar value outside the reach of US authorities.
- [JO] The Citizen Lab have released a report, alleging Jordanian use of Cellebrite to access the phones of activists and human rights defenders.
Between January 2024 and June 2025, we collected and forensically analyzed three iPhones and one Android device belonging to members of Jordanian civil society that had been detained, arrested or interrogated by the authorities. This set included the devices of two political activists, a student organizer, and a human rights defender. We conclude with high confidence that all four devices were subjected to forensic extraction with a Cellebrite product. In addition, our analysis surfaced high-confidence, and previously-unpublished, Indicators of Compromise (IoCs) of Cellebrite forensic extraction on iOS and Android devices.
We find that, during the time the phone was in possession of the GID, the iPhone was connected via USB to a device that identified itself with the HostID 9016926980658937761372207 and SystemBUID 30313996-42072961236303456. We attribute both to Cellebrite with high confidence, as they appear in DLL files digitally signed by Cellebrite on VirusTotal, including “CellebriteMobileAgent/iPhoneLib.dll.”
- https://citizenlab.ca/research/from-protest-to-peril-cellebrite-used-against-jordanian-civil-society/
- https://therecord.media/jordan-used-cellebrite-against-activists-critical-gaza-war
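The report quoted above publishes two concrete indicators (a HostID and a SystemBUID) that a Cellebrite host presented when pairing over USB. The following is an added example (not Citizen Lab's tooling) of sweeping a set of iOS pairing records for those values. It assumes pairing records are plists whose top-level keys include HostID and SystemBUID; the sample records are constructed for the example, not taken from any real device.

```python
"""Sweep iOS pairing records for the Cellebrite indicators in the Citizen Lab
report above.

Added example, not Citizen Lab tooling. It assumes pairing records are plists
whose top-level keys include HostID and SystemBUID; the sample records below
are constructed for the example, not taken from a real device.
"""
import plistlib
from typing import Iterable

# Indicators quoted in the report. Extend these sets as further IoCs are published.
CELLEBRITE_IOCS = {
    "HostID": {"9016926980658937761372207"},
    "SystemBUID": {"30313996-42072961236303456"},
}


def scan_pairing_record(record: dict) -> list[str]:
    """Return 'field=value' strings for every IoC field that matches."""
    hits = []
    for field_name, bad_values in CELLEBRITE_IOCS.items():
        value = record.get(field_name)
        if value is None:
            continue
        value = str(value).strip()
        if value in bad_values:
            hits.append(f"{field_name}={value}")
    return hits


def scan_records(records: Iterable[tuple[str, bytes]]) -> dict[str, list[str]]:
    """Parse each (name, plist bytes) pair and report the records that match."""
    findings: dict[str, list[str]] = {}
    for name, blob in records:
        try:
            record = plistlib.loads(blob)
        except plistlib.InvalidFileException:
            continue  # not a plist at all; skip it rather than abort the sweep
        if not isinstance(record, dict):
            continue
        hits = scan_pairing_record(record)
        if hits:
            findings[name] = hits
    return findings


# Constructed sample: one benign pairing (values invented), one matching both
# indicators, and one file that is not a plist.
SAMPLE_RECORDS = [
    ("pair-owner-laptop.plist",
     plistlib.dumps({"HostID": "EXAMPLE-HOST-ID", "SystemBUID": "EXAMPLE-BUID"})),
    ("pair-unknown-host.plist", plistlib.dumps({
        "HostID": "9016926980658937761372207",
        "SystemBUID": "30313996-42072961236303456",
    })),
    ("not-a-plist.bin", b"\x00\x01garbage"),
]

if __name__ == "__main__":
    for name, hits in scan_records(SAMPLE_RECORDS).items():
        print(f"{name}: {', '.join(hits)}")
```

A match on either field alone is reported, since a forensic host could present a different SystemBUID on a later product version while the HostID stays the same (or vice versa); treat either hit as worth a closer look rather than requiring both.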
- [UK] The House of Lords votes in support of a social media ban for under-16s. Expect regulations within a year.
Action to promote the wellbeing of children in relation to social media
(1) Within 12 months of the day on which this Act is passed, the Secretary of State must, for the purposes of promoting the wellbeing of children—
(a) direct the Chief Medical Officers of the United Kingdom (“the UK CMOs”) to prepare and publish advice for parents and carers on the use of social media by children at different ages and developmental stages, and
(b) by regulations made by statutory instrument require all regulated user-to-user services to use highly-effective age assurance measures to prevent children under the age of 16 from becoming or being users.
Privacy
- [EU] 2025 was another big year for General Data Protection Regulation (GDPR) fines - US$1.42b, up from US$1.26b in 2024.
For the first time since 25 May 2018, average breach notifications per day have reached over 400 – breaking the plateauing trend we have seen in recent years. Between 28 January 2025 and 27 January 2026, the average number of breach notifications per day increased by 22% – from 363 to 443. While the data does not reveal the exact causes of this spike in notifications, it seems likely that geopolitical tensions, the abundance of new technologies available to threat actors to launch cyber-attacks, and the raft of new laws including incident notification requirements are all contributing factors.
AI
- A reliable, and completely intended, stop-string in Anthropic's Claude. Consider it the LLM equivalent of EICAR, triggering a refusal to respond.
The reason this "magic string" exists is practical: in real deployments, a model can refuse mid-stream, and apps need to handle partial tokens, missing refusal messages, and state cleanup. The magic string is a deterministic way to validate that your streaming client handles those edge cases every time, without having to craft a policy-violating prompt.
ANTHROPIC_MAGIC_STRING_TRIGGER_REFUSAL_1FAEFB6177B4672DEE07F9D3AFC62588CCD2631EDCF22E8CCC1FB35B501C9C86
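The quoted rationale is about the client side: a streaming consumer has to cope with text that arrives before a refusal, a stream that never delivers a terminal event, and cleaning up whatever it buffered. The following is an added example (not Anthropic SDK code) of a consumer that does that. It assumes the Messages API streaming event shapes (content_block_delta carrying a text_delta, message_delta carrying stop_reason, message_stop) and that a classifier refusal is reported as stop_reason "refusal"; check both against the current API reference. The event lists are constructed, not captured from the API. To exercise the refusal path against the live API you would send the magic string above as the user message and feed the resulting events to consume_stream.

```python
"""Streaming-client state machine that handles a mid-stream refusal.

Added example, not Anthropic SDK code. It assumes the Messages API streaming
event shapes (content_block_delta carrying text_delta, message_delta carrying
stop_reason, message_stop) and that a classifier refusal is reported as
stop_reason "refusal"; verify both against the current API reference. The
event lists below are constructed, not captured from the API.
"""
from dataclasses import dataclass

REFUSAL = "refusal"


@dataclass
class StreamResult:
    status: str               # "complete", "refused" or "incomplete"
    text: str = ""            # assembled reply; empty unless complete
    deltas_dropped: int = 0   # partial deltas discarded on refusal/truncation


def consume_stream(events) -> StreamResult:
    """Fold a sequence of streaming events into one result.

    Partial text is buffered and only released when the message completes
    normally. A refusal discards the buffer (text emitted before a refusal
    must not be shown to the user), and a stream that ends without a
    terminal message_delta/message_stop is reported as incomplete rather
    than as a reply.
    """
    buffer: list[str] = []
    stop_reason = None
    saw_stop = False
    for ev in events:
        kind = ev.get("type")
        if kind == "content_block_delta":
            delta = ev.get("delta", {})
            if delta.get("type") == "text_delta":
                buffer.append(delta.get("text", ""))
        elif kind == "message_delta":
            stop_reason = ev.get("delta", {}).get("stop_reason", stop_reason)
        elif kind == "message_stop":
            saw_stop = True
            break
    if stop_reason == REFUSAL:
        dropped = len(buffer)
        buffer.clear()  # state cleanup: nothing pre-refusal leaks out
        return StreamResult("refused", deltas_dropped=dropped)
    if not saw_stop or stop_reason is None:
        return StreamResult("incomplete", deltas_dropped=len(buffer))
    return StreamResult("complete", text="".join(buffer))


def text_delta(text: str) -> dict:
    """Build a content_block_delta event for the constructed streams below."""
    return {"type": "content_block_delta", "index": 0,
            "delta": {"type": "text_delta", "text": text}}


# Constructed event sequences (shaped like the API's, but not captured from it).
NORMAL_EVENTS = [
    {"type": "message_start"}, text_delta("Hello, "), text_delta("world."),
    {"type": "message_delta", "delta": {"stop_reason": "end_turn"}},
    {"type": "message_stop"},
]
REFUSAL_EVENTS = [
    {"type": "message_start"}, text_delta("Here are"), text_delta(" the"),
    {"type": "message_delta", "delta": {"stop_reason": REFUSAL}},
    {"type": "message_stop"},
]
TRUNCATED_EVENTS = [{"type": "message_start"}, text_delta("Hello")]  # connection dropped

if __name__ == "__main__":
    for name, evs in [("normal", NORMAL_EVENTS), ("refusal", REFUSAL_EVENTS),
                      ("truncated", TRUNCATED_EVENTS)]:
        print(name, consume_stream(evs))
```

The three outcomes are kept distinct on purpose: a UI that rendered the buffered deltas as they arrived would need to retract them on "refused", and an "incomplete" result should trigger a retry or an error rather than being passed on as if it were the model's answer.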
- Sticking with Anthropic Claude: the previously confirmed 'soul' document has now, as promised, been formally released as its 'constitution'.
- FreeBSD co-founder Jordan Hubbard has created a new language, specifically for LLM coding agents.
A minimal, LLM-friendly programming language with mandatory testing and unambiguous syntax.
NanoLang transpiles to C for native performance while providing a clean, modern syntax optimized for both human readability and AI code generation.