InfoSec News 27JAN2026
General
- Pwn2Own Automotive 2026 has wrapped up, with "$1,047,000 USD was awarded for 76 unique 0-day vulnerabilities". Kudos to Juurin Oy for installing Doom on an HYC50 Compact wall-mountable (vehicle) charger.
- https://www.zerodayinitiative.com/blog/2026/1/23/pwn2own-automotive-2026-day-three-results-and-the-master-of-pwn
- https://www.zerodayinitiative.com/blog/2026/1/22/pwn2own-automotive-2026-day-two-results
- https://www.zerodayinitiative.com/blog/2026/1/21/pwn2own-automotive-2026-day-one-results
- https://www.bleepingcomputer.com/news/security/hackers-get-1-047-000-for-76-zero-days-at-pwn2own-automotive-2026/
- More quality Microsoft coding - Outlook on iPad is crashing at start-up; turning on Airplane Mode or disabling Wi-Fi before launching it works around the bug.
Meanwhile, Microsoft has released out-of-band patches for other bugs, including an issue with PST files on cloud storage (e.g. OneDrive), and is investigating "UNMOUNTABLE_BOOT_VOLUME" boot failures after the January 2026 Patch Tuesday update bundle for Windows 11.
They have also patched a "high-severity Microsoft zero-day vulnerability exploited in attacks" in Office.
- https://www.askwoody.com/forums/topic/reports-of-boot-failures-with-the-january-2026-security-update-and-later-updates/
- https://www.bleepingcomputer.com/news/microsoft/microsoft-investigates-windows-11-boot-failures-after-january-updates/
- https://www.bleepingcomputer.com/news/microsoft/microsoft-patches-actively-exploited-office-zero-day-vulnerability/
- Strangeness in Microsoft 365 mail routing: mail for example.com - a reserved documentation domain that should not deliver anywhere - was being routed to Sumitomo Electric. Tiny Apps' investigation suggests the misconfiguration has been present since February 2020.
- ShinyHunters are claiming responsibility for a recent campaign targeting Single Sign-On (SSO) accounts hosted on Google, Microsoft and Okta, using voice phishing (vishing). The Okta report includes a sequence diagram of a common vishing pathway and a screenshot of the purported phishing kit.
- https://www.bleepingcomputer.com/news/security/shinyhunters-claim-to-be-behind-sso-account-data-theft-attacks/
- https://www.okta.com/blog/threat-intelligence/phishing-kits-adapt-to-the-script-of-callers/
- https://www.theregister.com/2026/01/22/crims_sell_voice_phishing_kits/
- https://www.theregister.com/2026/01/23/shinyhunters_claims_okta_customer_breaches/
- npm has decided to rely on users to keep themselves secure from supply-chain attacks. That's definitely going to work. Koi reports six issues across the JavaScript package managers, with npm declining to act, and BleepingComputer notes that git dependencies can bypass npm's post-Shai-Hulud defenses. It may be time to look at alternative package managers for Node.js - though note that Koi's findings span several JS package managers, not just npm.
"npm users are responsible for vetting the content of packages that they choose to install."
- https://www.koi.ai/blog/packagegate-6-zero-days-in-js-package-managers-but-npm-wont-act
- https://www.bleepingcomputer.com/news/security/hackers-can-bypass-npms-shai-hulud-defenses-via-git-dependencies/
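As an added example (not code from npm, Koi or BleepingComputer), the script below enumerates the dependencies in a package.json and package-lock.json that npm would fetch from git or a bare tarball URL rather than from the registry - the class of dependency the second link above says can sidestep npm's defenses - and flags git refs that are not pinned to a full commit SHA. The specifier shapes follow npm's documented package.json forms (git URLs, github:/gitlab:/bitbucket:/gist: shortcuts, owner/repo GitHub shorthand, plain tarball URLs); the sample manifest and lockfile are constructed for the demonstration.

```python
"""Enumerate package.json / package-lock.json dependencies that npm fetches
from git or a bare tarball URL instead of the registry.

Added example, not code from npm, Koi or BleepingComputer. The sample
manifest and lockfile below are constructed, not taken from any project.
"""
import json
import re
from urllib.parse import urlparse

DEP_FIELDS = ("dependencies", "devDependencies",
              "optionalDependencies", "peerDependencies")
GIT_SCHEMES = ("git+https://", "git+ssh://", "git+http://", "git+file://", "git://")
HOSTED_SHORTCUTS = ("github:", "gitlab:", "bitbucket:", "gist:")
GIT_HOSTS = {"github.com", "gist.github.com", "gitlab.com", "bitbucket.org"}
SHORTHAND = re.compile(r"^[\w.-]+/[\w.-]+(#.*)?$")   # owner/repo[#ref] means GitHub
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")


def _ref(spec):
    """The part after '#': a branch, tag, commit SHA or 'semver:' selector."""
    return spec.split("#", 1)[1] if "#" in spec else None


def classify(spec):
    """Return (kind, ref) for one specifier; kind is 'git', 'tarball' or 'registry'."""
    if spec.startswith(GIT_SCHEMES) or spec.startswith(HOSTED_SHORTCUTS):
        return "git", _ref(spec)
    if "://" in spec:
        host = urlparse(spec).hostname or ""
        if host in GIT_HOSTS or spec.split("#", 1)[0].endswith(".git"):
            return "git", _ref(spec)
        return "tarball", None          # remote tarball: also never seen by the registry
    if SHORTHAND.match(spec):
        return "git", _ref(spec)
    return "registry", None             # version ranges, dist-tags, file:/npm: aliases


def audit_manifest(manifest):
    """Findings for every dependency that does not come from the registry.
    A git dependency counts as 'pinned' only when its ref is a full 40-hex
    commit SHA; a branch or tag can be moved to point at different code later."""
    findings = []
    for field in DEP_FIELDS:
        for name, spec in manifest.get(field, {}).items():
            kind, ref = classify(spec)
            if kind == "registry":
                continue
            findings.append({"field": field, "name": name, "spec": spec,
                             "kind": kind,
                             "pinned": bool(ref and FULL_SHA.match(ref))})
    return findings


def audit_manifest_text(text):
    """Same as audit_manifest, but takes the raw package.json text."""
    return audit_manifest(json.loads(text))


def audit_lockfile(lock):
    """(package, resolved) for lockfile v2/v3 entries that resolved to a git clone."""
    hits = []
    for path, entry in lock.get("packages", {}).items():
        resolved = entry.get("resolved", "")
        if resolved.startswith(("git+", "git://")):
            hits.append((path.rsplit("node_modules/", 1)[-1], resolved))
    return hits


# Constructed sample manifest: one registry dep per field plus several off-registry ones.
SAMPLE_PACKAGE_JSON = """{
  "name": "demo-app",
  "dependencies": {
    "express": "^4.18.2",
    "left-pad": "git+https://github.com/example-org/left-pad.git#v1.3.0",
    "utils": "example-org/utils#9f6c1e1d7f0b3c2a4e5d6f7a8b9c0d1e2f3a4b5c",
    "widgets": "github:example-org/widgets",
    "legacy": "https://files.example.com/legacy-2.0.0.tgz"
  },
  "devDependencies": {
    "eslint": "8.x"
  }
}"""

# Constructed sample lockfile (v3 layout): express from the registry, left-pad from git.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/express": {
            "version": "4.18.2",
            "resolved": "https://registry.npmjs.org/express/-/express-4.18.2.tgz"},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "git+ssh://git@github.com/example-org/left-pad.git"
                        "#0123456789abcdef0123456789abcdef01234567"},
    },
}

if __name__ == "__main__":
    for f in audit_manifest_text(SAMPLE_PACKAGE_JSON):
        flag = "pinned" if f["pinned"] else "UNPINNED"
        print(f"{f['field']}: {f['name']} -> {f['kind']} ({flag}) {f['spec']}")
    for name, resolved in audit_lockfile(SAMPLE_LOCK):
        print(f"lockfile: {name} resolved from git: {resolved}")
```

Point the two loaders at a real project's files to use it; the unpinned git entries are the first to review, since a tag or branch ref can be repointed at different code after you have looked at it, whereas a full commit SHA cannot.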
- Border Gateway Protocol (BGP), the protocol that keeps the Internet connected, is still a fragile ecosystem. Cloudflare tweaked a BGP filter and accidentally leaked routes, causing added latency, congestion and some dropped packets in Miami. A positive spin - given that only IPv6 traffic was impacted - is that IPv6 traffic is finally taking off!
At peak, we discarded around 12Gbps of traffic ingressing our router in Miami for these non-downstream prefixes.
- https://blog.cloudflare.com/route-leak-incident-january-22-2026/
- https://www.bleepingcomputer.com/news/security/cloudflare-misconfiguration-behind-recent-bgp-route-leak/
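To make the "non-downstream prefixes" in the quote above concrete, here is an added illustration (not Cloudflare's configuration or code) of the filter a router should apply to routes learned from a downstream peer: only prefixes inside the cone registered for that peer are accepted, and everything else is rejected so that it is never re-announced and never attracts traffic the router cannot deliver. The cone, the announcements and the maximum prefix lengths are constructed assumptions; the permissive mode models the failure behind a leak, a filter that accepts whatever the peer sends.

```python
"""Prefix-list filter for routes learned from a downstream (customer) BGP peer.

Added example, not Cloudflare's configuration. The downstream cone, the
announcements and the per-family length limits are constructed assumptions.
"""
import ipaddress

# Longest prefix accepted per address family (assumed site policy, not a standard)
MAX_PREFIX_LEN = {4: 24, 6: 48}

# Constructed: prefixes registered to the downstream peer (documentation ranges)
DOWNSTREAM_CONE = ["203.0.113.0/24", "2001:db8:1000::/36"]

# Constructed: what the peer actually announced on the session
ANNOUNCEMENTS = [
    "203.0.113.0/24",       # legitimate
    "203.0.113.128/25",     # inside the cone but more specific than allowed
    "198.51.100.0/24",      # not the peer's space: a leak
    "2001:db8:1000::/48",   # legitimate, inside the /36
    "2001:db8:1::/48",      # outside the /36: a leak
    "2001:db8:2000::/36",   # outside the cone: a leak
    "203.0.113.1/24",       # host bits set: malformed announcement
]


def build_cone(prefixes):
    """Parse the registered prefixes once; strict=True rejects host bits."""
    return [ipaddress.ip_network(p, strict=True) for p in prefixes]


def evaluate(prefix, cone, max_len=MAX_PREFIX_LEN):
    """Return (accept, reason) for one announced prefix against the cone."""
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError:
        return False, "malformed"
    if net.prefixlen > max_len[net.version]:
        return False, "too specific"
    # subnet_of() raises on mixed families, so compare versions first
    if any(net.version == c.version and net.subnet_of(c) for c in cone):
        return True, "in downstream cone"
    return False, "not in downstream cone"


def apply_filter(announcements, cone_prefixes, permissive=False):
    """Split announcements into (accepted, [(prefix, reason) rejected]).

    permissive=True models the failure mode behind a route leak: everything
    the peer sends (bar malformed input) is accepted and will be propagated."""
    cone = build_cone(cone_prefixes)
    accepted, rejected = [], []
    for prefix in announcements:
        ok, why = evaluate(prefix, cone)
        if ok or (permissive and why != "malformed"):
            accepted.append(prefix)
        else:
            rejected.append((prefix, why))
    return accepted, rejected


if __name__ == "__main__":
    for mode in (False, True):
        acc, rej = apply_filter(ANNOUNCEMENTS, DOWNSTREAM_CONE, permissive=mode)
        print(f"permissive={mode}: accepted {acc}")
        for prefix, why in rej:
            print(f"  rejected {prefix}: {why}")
```

In the strict mode only the two cone prefixes survive; in the permissive mode the three leaked prefixes are accepted as well, which is the point at which a router starts announcing reachability it does not have and then has to discard the traffic that arrives for it.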
- Follow-on from the earlier telnetd Remote Code Execution (RCE) - The Shadowserver Foundation is reporting ~800k unique IPs with exposed telnet services (down from ~1,484k on 23 January). It is unclear how many of these are running vulnerable GNU inetutils versions.
- https://bsky.app/profile/shadowserver.bsky.social/post/3mdczsbkpr22a
- https://dashboard.shadowserver.org/statistics/combined/time-series/?date_range=7&source=scan&source=scan6&tag=telnet&dataset=unique_ips&limit=100&group_by=geo&stacking=stacked&auto_update=on
- https://www.bleepingcomputer.com/news/security/nearly-800-000-telnet-servers-exposed-to-remote-attacks/
- Another big name is being extorted - Nike has allegedly had 1.4TB of data stolen by WorldLeaks.
- [EU] "The European Commission has launched a new formal investigation against X under the Digital Services Act (DSA)".
The new investigation will assess whether the company properly assessed and mitigated risks associated with the deployment of Grok's functionalities into X in the EU. This includes risks related to the dissemination of illegal content in the EU, such as manipulated sexually explicit images, including content that may amount to child sexual abuse material.
- https://ec.europa.eu/commission/presscorner/detail/en/ip_26_203
- https://www.bleepingcomputer.com/news/artificial-intelligence/eu-launches-investigation-into-x-over-grok-generated-sexual-images/
- https://therecord.media/grok-sexually-explicit-images-eu-formal-investigation
- https://www.theregister.com/2026/01/26/ec_open_new_investigation_into/
- [PL] Russian Main Intelligence Directorate (GRU) hacking group (Sandworm / Seashell Blizzard / APT44 / Flamboyant Mullet) is being blamed for an attempted wiper attack on the Polish power grid in December 2025.
ESET's post is frustratingly bereft of detail - "details regarding the intended impact continue to be investigated".
Digital Affairs Minister Krzysztof Gawkowski said the incident came “very close to a blackout” and showed signs of a coordinated sabotage campaign. He had earlier pointed to suspected Russian involvement, even before ESET released its findings. Russia has not commented on the attribution but has previously denied such accusations.
Although the attack was thwarted, Polish authorities have stated that if successful it could have taken out power to 500,000 people in Poland. Polish officials haven't revealed how the hackers pulled off the attack or how officials determined the intent was to be disruptive or destructive, but the use of a wiper supports a conclusion that this was the intent of the attack.
The targets included two heat-and-power plants and a system for managing electricity generated from renewable sources such as wind turbines and solar farms, according to Polish authorities.
- https://www.welivesecurity.com/en/eset-research/eset-research-sandworm-cyberattack-poland-power-grid-late-2025/
- https://arstechnica.com/security/2026/01/wiper-malware-targeted-poland-energy-grid-but-failed-to-knock-out-electricity/
- https://www.bleepingcomputer.com/news/security/sandworm-hackers-linked-to-failed-wiper-attack-on-polands-energy-systems/
- https://therecord.media/russia-eset-sandworm-poland-hack
- https://www.theregister.com/2026/01/26/moscow_likely_behind_wiper_attack/
- https://www.zetter-zeroday.com/cyberattack-targeting-polands-energy-grid-used-a-wiper/
Geo-Politics
- [CN] China has launched an investigation into two high-profile members of the military.
Zhang Youxia, the country’s most senior uniformed military officer, and Liu Zhenli, a top operational commander, have been placed under investigation following deliberation by the Chinese Communist Party’s Central Committee.
Both Zhang, the first-ranked vice chairman of the Central Military Commission (CMC) and a member of the elite Politburo, and Liu, the chief of staff at the CMC’s Joint Staff Department, were said to be suspected of “serious violations of discipline and law,” according to Xinhua.
Both men faced significant responsibilities for the intense operational tempo that Xi has demanded around Taiwan, which he has pledged to see reunified with the mainland under Communist Party rule.
- [DE] Germany has expelled a Russian diplomat - Andrei Mayorov, allegedly a Colonel in the Russian Main Intelligence Directorate (GRU) - over accusations of espionage against Ukraine.
Mayorov is alleged to have acted as the handler for Ilona Kopylova, a dual Ukrainian-German citizen who was arrested in Berlin earlier on suspicion of spying for Russia. German authorities believe Kopylova had been in contact with a Russian Embassy official working for an intelligence service since at least November 2023.
- [US] In more petty politics - the US government is pulling out of this year's RSA Conference, apparently because former CISA director Jen Easterly has been named Chief Executive of RSAC.
Easterly, who was appointed to lead America's top cyber-defense agency under the Biden administration, joined her predecessor and CISA's first-ever director Chris Krebs in President Trump's line of fire back in July.
Last week, Easterly announced that she's joined RSAC as its new CEO, and almost immediately, rumors began swirling that Trump cybersecurity officials would boycott the industry's "largest and most influential conference" to protest Easterly's appointment.
Following publication of this article, the FBI and NSA sessions and speakers have also disappeared from the cybersecurity conference’s agenda.
Privacy
- Relying on BitLocker to protect your data? Don't expect it to keep Law Enforcement Officers (LEO) out if the recovery key is backed up to a Microsoft account - Microsoft will hand the key over on a valid legal order.
Microsoft confirmed to Forbes that it does provide BitLocker recovery keys if it receives a valid legal order. “While key recovery offers convenience, it also carries a risk of unwanted access, so Microsoft believes customers are in the best position to decide... how to manage their keys,” said Microsoft spokesperson Charles Chamberlayne.
Microsoft "typically" backs up BitLocker keys to its servers when the service gets set up from an active Microsoft account. "If you use a Microsoft account, the BitLocker recovery key is typically attached to it, and you can access the recovery key online," the company explains in its documentation.
Now that the FBI and other agencies know Microsoft will comply with warrants similar to the Guam case, they’ll likely make more demands for encryption keys, Green said. “My experience is, once the U.S. government gets used to having a capability, it's very hard to get rid of it.”
Both the Home and Pro versions of Windows support disk encryption, but only the Pro versions give users full control over the process. The Home version of Windows only supports disk encryption when logged in with a Microsoft account and will only offer to store your encryption key on Microsoft’s servers.
- https://www.forbes.com/sites/thomasbrewster/2026/01/22/microsoft-gave-fbi-keys-to-unlock-bitlocker-encrypted-data/
- https://support.microsoft.com/en-us/windows/back-up-your-bitlocker-recovery-key-e63607b4-77fb-4ad3-8022-d6dc428fbd0d
- https://arstechnica.com/gadgets/2026/01/how-to-encrypt-your-pcs-disk-without-giving-the-keys-to-microsoft/
- https://techcrunch.com/2026/01/23/microsoft-gave-fbi-a-set-of-bitlocker-encryption-keys-to-unlock-suspects-laptops-reports/
- https://www.theregister.com/2026/01/23/surrender_as_a_service_microsoft/
AI
- A bit quiet in AI news at the moment, so here's Simon Willison's wrap-up of 2025, "The Year in LLMs".