InfoSec News 30JAN2026

General

• Google is expanding theft protection for mobile devices, including default enabling in presumably high-risk countries (initially Brazil). Updates include changes to "Failed Authentication Lock, a feature that automatically locks the device's screen after excessive failed authentication attempts", "critical tools that utilize Biometric Prompt, like third-party banking apps and Google Password Manager, now automatically benefit from the additional security of Identity Check.", "harder for a thief to guess your PIN, pattern, or password by increasing the lockout time after failed attempts.", "Remote Lock (android.com/lock) is a crucial tool that lets you lock your lost or stolen device from any web browser...adding a new optional security question/challenge to the process."
  • https://security.googleblog.com/2026/01/android-theft-protection-feature-updates.html
  • https://www.bleepingcomputer.com/news/google/google-rolls-out-android-theft-protection-feature-updates/
• In further Google news - and one likely to make site-owners reeling under AI-company scrapers happy - Google Threat Intelligence Group (GTIG) have disrupted the IPIDEA residential proxy network.

IPIDEA has become notorious for its role in facilitating several botnets: its software development kits played a key role in adding devices to the botnets, and its proxy software was then used by bad actors to control them. This includes the BadBox2.0 botnet we took legal action against last year, and the Aisuru and Kimwolf botnets more recently.

• https://cloud.google.com/blog/topics/threat-intelligence/disrupting-largest-residential-proxy-network
• https://www.bleepingcomputer.com/news/security/google-disrupts-ipidea-residential-proxy-networks-fueled-by-malware/
• https://www.itnews.com.au/news/google-busts-giant-ipidea-residential-proxy-network-623250
• https://www.theregister.com/2026/01/29/google_ipidea_crime_network/
• Ivanti - where old software goes to breed CVE's - MobileIron (now "Ivanti Endpoint Manager Mobile" / "EPMM") has two CVSS 9.8 vulnerabilities - Unauthenticated Remote Code Execution. It's being exploited in the wild.
  • https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340?language=en_US
  • https://forums.ivanti.com/s/article/Analysis-Guidance-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340?language=en_US
  • https://www.bleepingcomputer.com/news/security/ivanti-warns-of-two-epmm-flaws-exploited-in-zero-day-attacks/
• [PL] More information on the Russian attack on Poland's energy infrastructure has emerged. Dragos performed incident response (IR) on one of the impacted sites, and has released a 13-page (easy to read) report.
  (RTU = Remote Terminal Unit)

RTUs standardize how distributed sites interface with control centers, enabling operators to manage large numbers of remote facilities from a single SCADA system....This combination of standardization and variation likely explains both what adversaries achieved and what they failed to accomplish....While many of these RTUs have control capabilities, tools like CRASHOVERRIDE or Industroyer2 cannot simply be deployed. .... The RTUs in distributed energy systems lack this standardization, and each requires unique commands tailored to its specific configuration

Previous attacks focused on centralized control systems managing large portions of the grid – distribution control centers in 2015, a transmission substation in 2016. The Poland attack instead targeted the distributed edge of the grid: the RTUs and communication systems managing dozens of smaller generation sites. This shift reflects the changing nature of electric grids, as countries like Poland add more distributed renewable generation

When compared with the 2015 attack in Ukraine, it shows similar technical tactics, techniques, and procedures, such as wiping Windows devices and damaging exposed serial terminal servers, but lacks the coordinated sequencing that maximized impact in that operation.

Dragos assesses with moderate confidence that opportunism was a key factor in the attack. Rather than executing a precisely planned operation with specific outcomes, ELECTRUM exploited whatever opportunities their access provided: wiping Windows-based devices, resetting configurations, or attempting to permanently damage (or brick) equipment. Each location required different manual actions rather than a single automated tool.

...While 1.2 GW represents only 5 percent of the total supply, the sudden simultaneous loss of this amount of generation would have had a noticeable impact on the system frequency. Such frequency deviations have caused cascading failures in other electrical systems, including the 2025 Iberian grid collapse

• https://5943619.hs-sites.com/hubfs/Reports/dragos-2025-poland-attack-report.pdf
• https://www.bleepingcomputer.com/news/security/cyberattack-on-polish-energy-grid-impacted-around-30-facilities/
• https://www.theregister.com/2026/01/29/cyberattack_poland_power_grid/
• https://www.zetter-zeroday.com/attack-against-polands-grid-disrupted-communication-devices-at-about-30-sites/
• [RU] Bread production not impacted, however bread deliveries strained, after a cyber-attack on one of Russia's larger bread producers over the weekend.

While production itself was not affected and bakeries continued operating at full capacity, the outage complicated order processing and deliveries. ... To keep supplies moving, the company shifted all office staff to a round-the-clock schedule and temporarily reverted to manual processing of orders and shipments.

• https://therecord.media/cyberattack-russian-bread-factory-supply-disruptions
• [US] Marquis - a US fintech - which had large amounts of data stolen in a ransomware attack last year, is blaming the attack on SonicWall firewalls. Apparently their firewall config (backup) was one of many stolen from SonicWall's cloud earlier in the year.
  • https://techcrunch.com/2026/01/29/fintech-firm-marquis-blames-hack-at-firewall-provider-sonicwall-for-its-data-breach/
• [US] Justice at last for two Red Teamers, arrested for performing authorised testing in an authorised engagement. "Last Thursday, five days before a trial was scheduled to begin in the case, Dallas County officials agreed to pay $600,000 to settle the case."

DeMercurio and Wynn’s engagement at the Dallas County Courthouse on September 11, 2019, had been routine. A little after midnight, after finding a side door to the courthouse unlocked, the men closed it and let it lock. They then slipped a makeshift tool through a crack in the door and tripped the locking mechanism. After gaining entry, the pentesters tripped an alarm alerting authorities.
Within minutes, deputies arrived and confronted the two intruders. DeMercurio and Wynn produced an authorization letter—known as a “get out of jail free card” in pen-testing circles. After a deputy called one or more of the state court officials listed in the letter and got confirmation it was legit, the deputies said they were satisfied the men were authorized to be in the building. DeMercurio and Wynn spent the next 10 or 20 minutes telling what their attorney in a court document called “war stories” to deputies who had asked about the type of work they do.
When Sheriff Leonard arrived, the tone suddenly changed. He said the Dallas County Courthouse was under his jurisdiction and he hadn’t authorized any such intrusion. Leonard had the men arrested, and in the days and weeks to come, he made numerous remarks alleging the men violated the law. A couple months after the incident, he told me that surveillance video from that night showed “they were crouched down like turkeys peeking over the balcony” when deputies were responding.... Eventually, all charges were dismissed.

• https://arstechnica.com/security/2026/01/county-pays-600000-to-pentesters-it-arrested-for-assessing-courthouse-security/
• (Original Story) https://arstechnica.com/information-technology/2019/11/how-a-turf-war-and-a-botched-contract-landed-2-pentesters-in-iowa-jail/

Geo-Politics

• [LV] Latvia's National Security Service (SAB) warns of increasing attacks from Russia, in its annual report.

In 2025, Russia continued to deploy a wide range of instruments of influence against the West to undermine Western unity in supporting Ukraine or even to achieve a potential cessation of this support and prepare for a potential confrontation with NATO. Russia continued to conduct not only sabotage and information activities against Western countries, but also its readiness to carry out cyber attacks on industrial control system in Latvia and Western countries, which can lead to both short term inconveniences and threats to security of critical infrastructure. The aim of these activities is to spread uncertainty and mistrust among the population, undermine the quality of services, punish for supporting Ukraine, and discourage from showing support in future.

In 2025, there has been an increase in airspace violations and the number of unidentified drones being observed over NATO member states, including critical and military infrastructure. Russia has used the disruptions caused by drones to the airports in its information activities, highlighting the vulnerabilities of European countries, e.g., the inability to control airspace.

Moscow continued to influence both Latvian and international information domain, spreading narratives that are in line with Russian interests. These narratives aim to increase discord and differences in Latvian society and reduce trust in government institutions and our allies in the EU and NATO. Russia constantly tries to discredit Latvia internationally.

Information influence activities were also one of the main tools Russia used when trying to manipulate elections in Europe in 2025. Moscow used fake social media accounts to spread support for candidates preferred by Russia, while disseminating defamation for candidates who embraced the European course and advocated for continuous or even increased support for Ukraine. Information influence activities were also used to reduce public trust in the electoral process and democracy in general.

• https://www.sab.gov.lv/files/uploads/2026/01/SABs-annual-report_2025_ENG.pdf
• https://therecord.media/latvia-says-russia-remains-top-cyber-threat-record-attacks
• [UK] The government is chartering a plane to China, as they don't trust the Chinese to not bug the official government jet

Sir Keir Starmer and his entire team are taking “burner” phones and laptops to China in an attempt to stop their hosts from spying on them.
...
New mobile phones, temporary Sim cards and throwaway laptops are being issued to the prime minister, attachés, special advisers, the No 10 policy team and digital media staffers before they departed on Tuesday night.

But a government source told Metro the decision to take a British Airways jet was simply down to the size of the delegation going along.

• https://x.com/TomTugendhat/status/2016253486405750962
• (The Times) https://archive.is/ZX4XB
• https://metro.co.uk/2026/01/28/keir-starmer-really-take-a-burner-plane-china-bugging-fears-26569234/

Privacy

• Apple is rolling out a feature to improve location privacy from mobile-phone-carriers. Dubbed "Limit precise location from cellular networks", it is designed to reduce the accuracy of location data the mobile phone network captures - e.g. from Street down to Neighbourhood). It doesn't impact the phones knowledge of its own location.
  Support appears to be tide to Apple's own C-series modem, and supported carriers.
  • https://support.apple.com/en-us/126101
  • https://appleinsider.com/articles/26/01/26/apple-c-series-modem-enables-new-privacy-focused-limit-precise-location-feature
  • https://techcrunch.com/2026/01/29/apples-new-iphone-and-ipad-security-feature-limits-cell-networks-from-collecting-precise-location-data/
  • https://therecord.media/new-apple-feature-block-location-data-cell-networks