To curmudgeon or not to curmudgeon, that is the question. – PSW #911
This week, we get un-curmudgeoned by Mandy, spending a bunch of time talking about regulations, compliance, and even the US federal government's commitment to cybersecurity internally and with the community at large. We even dive into some Microsoft patches, hacking defunct eScooters, and a lively discussion on ADS-B spoofing!
Security Weekly listeners save $100 on their RSAC 2026 All Access Pass! RSAC 2026 Conference will take place March 23rd to March 26th in San Francisco. To register using our discount code, please visit securityweekly.com/rsac26 and use the code 56U5SECWEEKLY! We hope to see you there!
Most security conferences talk about threats. Zero Trust World lets you attack them. From March 4th to 6th, 2026 in Orlando, Florida, this hands-on cybersecurity event features live hacking labs where you’ll break real environments, think like an adversary, and learn how attacks really work. You’ll also get expert sessions, real-world case studies, CPE credits, and networking with top practitioners. And yes — the Security Weekly team will be there too. Don’t miss it! Register today at securityweekly.com/ZTW.
Jeff Man
- Feds Take Their Ball and Go Home From RSAC Conference
Alan sums up the tone of this action very nicely: "In a petulant act worthy of a disturbed adolescent, the Cybersecurity and Infrastructure Security Agency and in fact most of the Federal agencies involved in cyber have pulled out of their long-standing participation in the RSAC Conference....Rumor has it, they are not even eating dinner at the family table and will remain in their rooms playing video games during RSAC this year."
- WorldLeaks Extortion Group Claims It Stole 1.4TB of Nike Data
I'm not sure what's incredibly sensitive about knowing what type of shoe I wear, but this sounds ominous nonetheless!
- Cyber Incidents: A Watershed Moment for Transparency
Over 30 years into this business and very little has changed in terms of corporate attitudes it seems. While "cyber" is showing up more in annual reports and board meetings, I'm not convinced that most companies yet have an understanding of the breadth of their cybersecurity risk.
- Coupang Data Breach Puts Legal Risks And Governance In The Spotlight
For investors who previously focused on Coupang as a scaled e-commerce growth story with improving operations, the data breach and questions around cybersecurity statements add an extra governance and compliance layer to the narrative.
- Healthcare technology and compliance: A complex patchwork of laws and regulations
This begs a philosophical discussion... "While we love to think of improved efficiency and outcomes, there is also the “dark side” of such technology. Private information is much less likely to remain private. Too much automation can lead to inaccurate records or lazy recordkeeping. Allowing computers to make decisions or have a role in patient care can lead to risks if those systems and processes are not thoroughly tested and subject to human oversight."
- State-led AI policy, cyber grant funding, FirstNet in NASCIO’s 2026 federal advocacy priorities
I suppose since CISA and other gov't agencies won't be attending RSAC this year they will have more time to focus on writing policy that "respects state autonomy, reauthorization of the State and Local Cybersecurity Grant Program, support for broader adoption of the .gov top-level domain on government websites and a streamlining of the many redundant or conflicting federal cybersecurity standards that states must follow."
- The Bill of Rights: A Transcription
PSA.
Larry Pesce
- Thenewarea51 on X: “ADSB shenanigans. Air Force One was spoofed as VANCE 1 and drew the JD Vance meme picture over Mar-a-Lago in Florida this evening taking roughly 2 hours to draw. The tracks are color coded by altitude and was created by having VANCE 1 fly at altitudes between 20,000 – 50,000 ft. https://t.co/Y5tayEpvIM”
- Dawson_et_al_v_Meta_Platforms_Inc_et_al__candce-26-00751__0001.0.pdf
- Demonstrating The Sheer Lack Of Security In First Gen Cellular Networks
- The Defunct Scooter Company, And The Default Key
- AI Autonomously Finds 7 FFmpeg Vulnerabilities
- Trump’s acting cyber chief uploaded sensitive files into a public version of ChatGPT
- Threat Bulletin: Critical eScan Supply Chain Compromise
Lee Neely
- CISA Adds Known VMware DCERPC Vulnerability to KEV
CISA has added a critical vulnerability in VMware vCenter Server to the KEV catalog. CVE-2024-37079, a heap overflow vulnerability, affects vCenter Server's implementation of the DCERPC protocol. As described by The Register, DCERPC "allows software to invoke procedures and services on a remote system across a network. This bug can be abused by someone with network access to vCenter Server to send specially crafted network packets, potentially leading to remote code execution."
The fix is to apply the patches. VCF users need to use the async patch tool to apply the update; vCenter Server needs to be updated to 8.0 U2d or 7.0 U3r. If you're running vCenter 6.x, it's EOL and you need to update to a supported version. If you're running 7.0, you may get a failure on the U3r update due to unsupported ciphers. This is because U3q is built on BoringSSL rather than OpenSSL. OpenSSL silently ignores unsupported ciphers while BoringSSL does not; the fix is to reset the TLS ciphers in the rhttpproxy config file and retry the update. Limit access to your vCenter servers to authorized devices. https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24453
- Wiper malware targeted Poland energy grid, but failed to knock out electricity
Poland’s energy grid was targeted by never-before-seen wiper malware; the destructive payload was unleashed on the 10-year anniversary of Russia’s attack on Ukraine’s grid. Dubbed DynoWiper, ESET attributes it to the Sandworm APT group.
If you don't remember Sandworm from ten years ago, you probably do remember the NotPetya attack from 2017. Same motivation - disruption of services, albeit NotPetya was supposed to only target the Ukraine, but got out and spread worldwide. ESET published an IoC to detect Win32/KillFiles.NMO aka DynoWiper. Add that to your arsenal. https://www.welivesecurity.com/en/eset-research/eset-research-sandworm-cyberattack-poland-power-grid-late-2025/
- Microsoft Gives BitLocker Recovery Keys to FBI
Microsoft reportedly surrendered BitLocker encryption recovery keys for three laptops after being served a search warrant by the FBI in connection with a 2025 fraud investigation in Guam. Users may store BitLocker keys locally, but typically by default they are also backed up to Microsoft cloud servers, both for personal and managed devices.
Microsoft can only provide recovery keys for keys backed up (stored) in their cloud storage. Unfortunately, the keys are stored online by default for Windows Home edition. Storing the key online is a valuable backup for home users. Unfortunately, unlike Apple and Google's cloud storage of encryption keys, Microsoft can access these stored keys when needed. Users can delete the key from their online account, but then it's on them to manage the key, and if it's lost, there is no recovery option. Note that once deleted, it can be found in Microsoft's systems for up to 30 days. One hopes Microsoft will take the lead from Apple and Google to make some items, such as BitLocker keys, not retrievable by anyone other than the end user.
- Microsoft patches actively exploited Office zero-day vulnerability
Microsoft has released emergency out-of-band security updates to patch a high-severity Microsoft Office zero-day vulnerability exploited in attacks. The security feature bypass vulnerability, tracked as CVE-2026-21509, affects multiple Office versions, including Microsoft Office 2016, Microsoft Office 2019, Microsoft Office LTSC 2021, Microsoft Office LTSC 2024, and Microsoft 365 Apps for Enterprise (the company's cloud-based subscription service).
However, as noted in today's advisory, security updates for Microsoft Office 2016 and 2019 are not yet available and will be released as soon as possible.
The exploit requires a user to open a malicious Office file; much as we hope users listen to our guidance on opening files, good luck with that. The newest Office versions benefit from a service update, but users will need to relaunch running components, such as Word or Excel. There is a workaround for Office 2016 and 2019 of modifying registry keys relating to COM Compatibility; it's going to be simpler to apply the update when released. Windows Defender has protections to block exploitation, so check your EDR provider for their implementation of these as well.
- Why you need Microsoft’s new emergency Windows patch – and the black-screen bug to watch for
Microsoft has released a second out-of-band (OOB) update to address an issue that was introduced in the January 2026 Patch Tuesday updates. The updates released on Saturday, January 24, fix an issue that was preventing "Outlook and other apps from opening files from, or saving files to, cloud-based storage sites such as OneDrive and Dropbox." This is the second OOB update Microsoft has published for issues introduced in the January 2026 Patch Tuesday release. On Saturday, January 17, Microsoft published OOB updates to fix two issues: one that prevented some Windows 10 and Windows 11 users from logging in via remote connections, and another that prevented certain Windows 11 devices running Secure Launch from shutting down or hibernating. Microsoft says the January 17 updates are included in the January 24 OOB update.
I heard some of those eye-rolls at another OOB patch. Thing is, there are two issues from the January update: the patch helps with access to cloud services, not the issue with the black screen boot for Windows 11 25H2 and 24H2. Either of these issues will light up our respective help desks, so applying the available patch is a good idea.
Ironically, applying KB5078127 requires a reboot.
- OMB Rescinds Software Attestation Order
OMB has rescinded two Memoranda requiring agencies to obtain software self-attestations from vendors before using their products. In a January 23, 2026 Memorandum, OMB Director Russell T. Vought writes that Enhancing the Security of the Software Supply Chain through Secure Software Development Practices (M-22-18) and its companion policy M-23-16 are rescinded. US federal agencies will still be required "to maintain a complete inventory of software and hardware and develop software and hardware assurance policies and processes that match their risk determinations and mission needs."
The question is: is this a step towards SBOM/HBOM, or a step backwards from full information about the software stack?
- Arctic Wolf Observes Malicious Configuration Changes On Fortinet FortiGate Devices via SSO Accounts
Fortinet acknowledged that attackers have found a way to bypass patches the company issued in December to address single sign-on (SSO) authentication vulnerabilities (CVE-2025-59718 and CVE-2025-59719) in FortiCloud.
If you've got Fortinet devices, you need to disable FortiCloud SSO login to management (admin) interfaces until a fix is available. Moreover, restrict these logins to authorized devices, ideally internal. Use the IoCs from Arctic Wolf to see if you're impacted. If so, you're going to need to reset credentials on your firewall.
From Ed Skoudis: There are few phrases that are as haunting to cybersecurity professionals as this one: "unexpected login activity ... on their [fully-patched] devices…” but here we are.
- Cyberattack disrupts digital systems at renowned Dresden museum network
Germany’s Dresden State Art Collections, one of Europe’s oldest museum networks, has been hit by a targeted cyberattack that disrupted large parts of its digital infrastructure, the state of Saxony’s culture ministry said this week.
The Museum web sites include information about reduced services, but the degree of granularity could be better, even though contact information is provided. If you want to visit one of the museums and pay cash, you're good to go. If you're looking for their digital resources, you're likely going to need that contact information to figure out what's working. https://www.skd.museum/en/
- London boroughs limping back online months after cyberattack
Several London (UK) boroughs have published updates regarding the progress of their recovery from a November 2025 cybersecurity incident. The attack affected the councils of Westminster City and Kensington and Chelsea; Hammersmith & Fulham Council was also affected via "shared legacy ... systems."
The tip here is to keep an eye on the relevant status page; the boroughs are keeping things updated online, which includes contact and workaround information. I'm a big fan of leveraging communication from others for my outage playbook. Take a look at the information published here: note that it is both direct and thorough, and that it includes working links to supporting information. https://www.westminster.gov.uk/news/key-service-updates-residents-and-businesses-following-cyber-incident https://www.lbhf.gov.uk/news/2026/01/cyber-security-update