AI: No One Is Safe – PSW #912

Paul Asadoorian

1. Ingress-NGINX Flaw Enables Arbitrary Code Execution Attacks
2. Agentic AI: the Confused Deputy problem – Quarkslab’s blog
3. Exploiting CVE-2025-49825
4. Critical ASUSTOR NAS Security Flaw Enables Complete Device Takeover
5. Interlock Ransomware Exploits Zero-Day in Gaming Anti-Cheat Driver to Disable EDR, AV
6. M5Stack AI-8850 LLM Accelerator M.2 Kit offers an alternative to Raspberry Pi AI HAT+ 2 – CNX Software
7. Someone Knows Bash Far Too Well, And We Love It (Ivanti EPMM Pre-Auth RCEs CVE-2026-1281 & CVE-2026-1340)
8. The End of the Road for Cisco Kenna: Take a Measured Path into Exposure Management
9. Researchers say Russian government hackers were behind attempted Poland power outage
10. Who Operates the Badbox 2.0 Botnet? – Krebs on Security
11. Hardwear.io NL 2025: Glitching Google’s TV Streamer From Adb To Root – Niek Timmers
12. Pccomponentes “Breach”: How Infostealer Logs Enable Convincing Credential Stuffing
13. Disrupting the World’s Largest Residential Proxy Network
    • Google disrupted IPIDEA, a massive residential proxy network that abused millions of consumer and IoT devices as exit nodes, significantly degrading its operations.
    • The network was fueled by shady “monetization” SDKs and some pre‑compromised Android/IoT devices, quietly enrolling users into a global proxy pool without meaningful consent.
    • Over 550 threat groups used this infrastructure in a week for credential stuffing, fraud, and state‑aligned operations, making residential IP space a prime cover channel.
    • This takedown highlights both the power and limits of ecosystem‑level interventions, and raises hard questions about gray‑market proxy providers, supply‑chain risk in cheap devices, and defenders’ reliance on IP reputation.
14. Ukraine tightens controls on Starlink terminals to counter Russian drones
    • Ukraine and SpaceX have implemented emergency technical measures in Ukraine that block unauthorized Starlink terminals on Russian drones, including imposing a speed limit on receivers so high‑speed attack UAVs can no longer be reliably controlled.
    • Kyiv plans to roll out a registration and verification system so only authorized, Ukrainian-registered Starlink terminals will function in the country, with unverified terminals being disabled even if this temporarily impacts some Ukrainian users.
    • Ukrainian officials say these steps have already produced tangible results in curbing Russian Starlink‑guided drone attacks, which had previously leveraged Starlink’s jam‑resistant, long‑range connectivity to strike deep into Ukrainian territory.
15. Wave of Citrix NetScaler scans use thousands of residential proxies

    This typically indicates a campaign is coming targeting these devices:

    • Over roughly January 28–February 2, a coordinated recon campaign hit Citrix NetScaler/Citrix Gateway, generating 111,834 sessions from over 63,000 IPs, with about 79% of traffic aimed at Citrix Gateway honeypots.
    • Around 64% of the scanning traffic came from globally distributed residential proxy IPs (appearing as consumer ISPs) and 36% from a single Azure IP, strongly indicating pre-exploitation infrastructure mapping rather than random scanning.
    • Scans targeted /logon/LogonPoint/index.html to find exposed login panels and /epa/scripts/win/nsepa_setup.exe to fingerprint versions, using an outdated Chrome 50 user agent, with defenders advised to monitor those paths, detect Chrome 50 fingerprints, lock down /epa/scripts/, and reassess internet-facing Citrix Gateway exposure.
16. EDR killer tool uses signed kernel driver from forensic software

    This is just mind boggling: "The driver's certificate was issued in 2006, expired in 2010, and was subsequently revoked; however, because the Driver Signature Enforcement system on Windows works by validating cryptographic verification results and timestamps, rather than checking Certificate Revocation Lists (CRLs), the operating system still accepts the old certificate. Although Microsoft added a requirement in Windows 10 version 1607 that kernel drivers must be signed via the Hardware Dev Center, an exception was made for certificates issued before July 29, 2015, which applies in this case." Recommendation that is important:

    • "enabling HVCI/Memory Integrity to enforce Microsoft’s vulnerable driver blocklist"
    • Note: "HVCI in the Windows security context stands for HyperVisor-protected Code Integrity (also called “Memory Integrity”). It is a virtualization-based security (VBS) feature that uses the Windows hypervisor to enforce that only trusted, properly signed code can execute in kernel mode, mitigating kernel-level malware, rootkits, and unsigned/modified drivers from loading."
17. CVE-2026-1633 / 10

    I'm a big fan of issuing CVEs for this: "The Synectix LAN 232 TRIO 3-Port serial to ethernet adapter exposes its web management interface without requiring authentication. This allows unauthenticated users to access and modify critical device settings or perform a factory reset of the device." - It is important to note which devices cannot be trusted. We need a gateway to be in front of devices such as this that does provide good authentication. Of course, this increases your attack surface. I'm not certain why you would bring to market an access device that does not implement any authentication. Do we dare say that we need standards?

18. StopICE alerts hacked to sen texts , admins accuse CPB agent

    So CBP is into hacking now? Did I read that right?

    • StopICE, an app and website that tracks ICE activity, was hacked so that users received alarming SMS messages falsely claiming their data was compromised, sent to authorities, and that the developer was untrustworthy.
    • The maintainers say the incident stemmed from an attack on their downstream carrier API that queued fake alerts, and they claim to have traced the activity to a personal server belonging to a CBP agent in Southern California. ​* StopICE asserts it does not store names, addresses, or GPS history for subscribers (aside from an optional location-assist feature) and characterizes claims of mass data theft as intimidation and clout-chasing. ​* Admins say they used bait data and fake API keys to identify multiple alleged attackers and plan to publish identifying details, while also reminding users to favor privacy-preserving tools and encrypted communication platforms.
19. County pays $600,000 to pentesters it arrested for assessing courthouse security

    Good news of the week. And it appears that the settlement will go to the pen testers, not Coalfire: "DeMercurio and Wynn sued Dallas County and Leonard for false arrest, abuse of process, defamation, intentional infliction of emotional distress, and malicious prosecution. The case dragged on for years. Last Thursday, five days before a trial was scheduled to begin in the case, Dallas County officials agreed to pay $600,000 to settle the case."

20. Trump Administration Rescinds Biden-Era Software Guidance

    One step forward, two steps back, Jeff Williams sums this up nicely: "The new OMB 26-05 takes us back to square zero. Now agencies are free to do whatever they want to ensure their code is secure and nobody has to attest to anything. And to be clear, attestation is very different from compliance,"

21. Wiper malware targeted Poland energy grid, but failed to knock out electricity
    • This is interesting to debate: "There is no indication how or why DynoWiper failed to take out power. It’s possible Russia planned it to do so in an attempt to send a message without provoking Polish allies. Another possibility is that cyber defenses prevented the wiper from working as intended."

    Also, I found it interesting that this attack included Fortinet, here are some notes:

    • The Attack Vector: Exposed FortiGate VPN/firewall devices without multi-factor authentication (MFA) and attackers used Statically defined accounts with reused credentials, Known unpatched vulnerabilities in FortiGate devices, and Credential reuse enabled lateral movement between sites
    • Attacker Actions After Gaining Access: Obtained administrative access to FortiGate devices, Reset devices to erase forensic evidence, Used compromised FortiGate as pivot point to internal OT networks

Jeff Man

1. Former Google Engineer Found Guilty of Economic Espionage and Theft of Confidential AI Technology

   So many thoughts on this... First, the data that was stolen dates from 2022 - 2023, probably two lifetimes ago in AI-time. Now for the questions: Why does anyone need to "dominate the field of artificial intelligence"? Why did a Google software engineer have privileged access to anything? Where was the background investigation? Why was Ding able to upload company documents to a personal account? How is finding someone guilty after the fact an example of "reinforces the FBI’s steadfast commitment to protecting American innovation and national security"?

2. Chrome Vulnerabilities Let Attackers Execute Arbitrary Code and Crash System

   Reference: CVE-2026-1862: Type Confusion in V8 and CVE-2026-1861: Heap Buffer Overflow in libvpx Philosophical question - which is worse, aribitrary code execution or denial-of-service? Technical question - what's the difference between a heap overflow and a buffer overflow (or what's the difference between a heap and a buffer)? Wait...further in the article it's called a "heap buffer overflow". Never mind.

3. Sean Cairncross’ cybersecurity agenda: less regulation, more cooperation

   Cut the regulatory burden, boost information sharing, and get Congress moving: that’s the pitch as the White House readies a new cyber strategy. Um....I'm pretty sure the regulations in question are attempting to provide secure environments and operations to organizations (think HIPAA, GLBA, FISMA, NIST Cybersecurity Framework, CISA, CCPA, and CMMC). I'm genuinely curious as to how relaxing security standards will increase security?

4. Cairncross Lays Out 6 Pillars of Coming National Cyber Strategy

   Finally an article that cites all six of the pillars of our new National Cyber Strategy: 1. shaping adversary behavior 2. focus on the regulatory environment 3. securing and modernizing the federal government 4. securing critical infrastructure 5. maintaining U.S. dominance in emerging technologies 6. closing cybersecurity skills and workforce gaps

5. Will establishing Data Centers in Space banish Data Security concerns across the World

   "One of the main appeals of space-based data centers is physical isolation. Unlike terrestrial facilities, they cannot be easily breached, vandalized, or seized by hostile actors." - when was the last time you heard about a data center suffering a physical compromise???

6. Conduent Business Services Data Breach Victim Count Swells

   The hits just keep on coming... In the private sector there is a huge push to outsource to managed service providers and let them shoulder the "burden" of cybersecurity. The logic includes an argument that they are bigger, have the resources (read: $$$), and can focus more on all things cybersecurity related. So, when one of them is hit by a major breach it's natural, I think, to question the logic of outsourcing. There is a concept in the compliance world know as "risk transfer" to which I say, "bunk" - you might transfer responsibility but you hardly ever transfer liability. Don't believe me? Read the small pring of your T's and C's with yourown third party service providers.

7. 860GB of Target source code stolen. No one knows who did it

   Remember Target? I do. They suffered a credit card breach back in 2013 that was one of the biggest security breaches in history (at the time, anyway). Who says lightning doesn't strike twice? The author lists four failures which are worth highlighting: 1. The initial compromise went undetected. 2. Mass cloning activity went unnoticed. 3. The Git server was misconfigured. 4. Privileged access persisted for months.

   Ironically, the 2013 initial compromise went undetected for months as well as the siphoning (exfilitration) of cardholder data. It's like déjà vu all over again.

Larry Pesce

1. County pays $600,000 to pentesters it arrested for assessing courthouse security
2. How to write a good spec for AI agents

   You are an AI software engineer. Draft a detailed specification for [project X] covering objectives, features, constraints, and a step-by-step plan.

3. Shadowhs-fileless-linux-post-exploitation-framework

Lee Neely

1. NIST releases a new draft cybersecurity framework for systems that never stop moving

   The NIST's National Cybersecurity Center of Excellence (NCCoE) has published a draft cybersecurity framework for the transportation sector. The Transit Cybersecurity Framework Community Profile notes that the transportation sector comprises "complex networks of business and operational systems, such as rail signaling, bus charging, scheduling, ticketing, and public information systems." Public comment is open through February 23, 2026.

   The transportation sector operates large distributed systems, with huge reliance on wireless communcation, and this framework asks transit agencies start by defensively securing any functions, which, if distrupted, would impact passenger safety or service delivery. This is also intended to be scalable, from a small bus fleet to transcontentental operations and wisely includes different levels of implementation based on size and resources. Take advantage of the comment period to impact the outcome.

2. Two Ivanti EPMM Zero-Day RCE Flaws Actively Exploited, Security Updates Released

   Ivanti published a security advisory on January 29, 2026, disclosing and releasing patches for two critical flaws in Endpoint Manager Mobile (EPMM) that are currently under exploitation. CVE-2026-1281 and CVE-2026-1340 both carry CVSS score 9.8, and both allow an unauthenticated attacker to achieve remote code execution through code injection.

   EPMM remains challenged by exploited flaws. While you need to target version 12.8.0.0, it's not out yet. You need tto install the matching RPM for the version you're running. The good news is that you can do the upated without downtime. If you're running an HA environment, each node needs to be patched. Give strong consideration to rebuilding your EPMM environment on new servers, particularly when 12.8.0.0 drops.

   Ivanti Advisory Bulletin: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340?language=en_US

3. Advancing Windows security: Disabling NTLM by default – Windows IT Pro Blog

   Microsoft has announced a schedule for phasing out its New Technology LAN Manager (NTLM) authentication protocol and moving toward stronger, Kerberos-based alternatives. Because it employs weak cryptography, NTLM is vulnerable to replay and man-in-the-middle attacks. Microsoft deprecated NTLM in June 2024, meaning it is no longer updated or enhanced, although it continues to be used "in environments where modern protocols, such as Kerberos, are not feasible due to legacy dependencies, network limitations, or ingrained application logic.

   You should already be disabling NTLM wherever possible. Leverage features like a local KDC (currently in preview) to prevent NTLM fall-back. You may have some legacy systems which  make this harder - take advantage of the auditing tools to narrow down where NTLM is in use. See what can be moved to Kerberos, and migrate it. Take a look at disabling NTLM by default in your new deployments.

4. Thousands more learn their health info stolen from TriZetto

   Individuals affected by a November 2024 data breach of healthcare technology company TriZetto Provider Solutions (TPS) will receive notification letters from TPS starting in February 2026. TPS is a vendor of SaaS programs and platforms that handle a wide range of data and administration for medical providers and patients, including health insurance, healthcare, and billing information. Healthcare providers in multiple US states were made aware of the breach in December 2025 and have been sending their own notifications in the meantime.

   The timeline is distrubing. The breach happened in November 2024, but not detected until October 2025. The good news is the threat was eliminated immediately.  Further,  TriZetto has offered to handle breach notifications on behalft of their affected clients. The action here is to make sure you can detect anomolous behavior in a timely fashion as well as making sure you know who you need to call to help in the investigation. Then make sure you're actively testing this capability, not just using a paper activity.

5. Companies Substantiate Breach Claims: Panera, Bumble, Match Group, CrunchBase

   Panera Bread, Bumble, Match Group, and CrunchBase confirmed data breaches in statements to news sources during the last week of January 2026; none of the companies has filed an official report at the time of this writing. Panera stated that contact information had been compromised, and Troy Hunt's "Have I Been Pwned" analysis of the leaked files indicates that the breach affects approximately 5.1 million accounts; the number initially reported was 14 million, which actually represents the total number of records, not unique accounts.

   Panera's compromise appears to be due to a exploit of Entra SSO, which was part of ShinyHunters vishing campaign targeting SSO for Okta, Microsoft and Google accounts at over 100 high-profile organizations.

6. Dell Unity: Attackers can execute malicious code with root privileges

   Dell Unity, UnityVSA and Unity XT are software for managing their EMC storage arrays. Both CVE-2026-21418 and CVE-2026-22277 have a CVSS score of 7.8 and are due to improper input sanitiztaion. CVE-2025-0938 and CVE-2024-47875 have CVSS scores of 6.3 and 6.1 respectively. The good news is the issues are fixed in the updated version, the bad news is you need to deploy it. Then review access to your Dell Unity environment, limiting acccess to authorized devices, as well as cleaning up unneeded accounts/users.

7. eScan Antivirus Update Servers Compromised to Deliver Multi-Stage Malware

   Two weeks ago, researchers at Morphisec "identified an active supply chain compromise affecting MicroWorld Technologies’ eScan antivirus product." The incident resulted in eScan's update infrastructure serving malicious updates.

   If you're an eScan site, grab the IoCs from the Morphisec blog to see if you're impacted, review scheduled tasks for unexpected entries, look at the registry for suspicious keys, block the C2 domains, check for hosts file entries blocking legit eScan domains, and roll out the patch to get a clean version of eScan.

   Morphisec Analysis: https://www.morphisec.com/blog/critical-escan-threat-bulletin/

8. CERT Polska Details Coordinated Cyber Attacks on 30+ Wind and Solar Farms

   CERT Polska, the Polish computer emergency response team, revealed that coordinated cyber attacks targeted more than 30 wind and photovoltaic farms, a private company from the manufacturing sector, and a large combined heat and power plant (CHP) supplying heat to almost half a million customers in the country. The incident took place on December 29, 2025.

   The attack leveraged DynoWiper and LazyWiper, The report from Poland CERT includes IoCs for the wipers as well as C2 services you want to jump on. Two of the attacks leveraged FortiNet devices. One taking advantage of the VPN not having MFA, the other exercizing a flaw over the Internet facing management interface. Make sure your remote access requires MFA for ALL accounts and that no management interfaces face the Internet.  https://cert.pl/uploads/docs/CERTPolskaEnergySectorIncidentReport2025.pdf

9. Notepad++ Hijacked by State-Sponsored Hackers

   Don Ho, maintainer of open-source text and code editing program Notepad++, announced on February 2, 2026, that a state-sponsored threat actor had compromised the software's update supply chain for almost six months.

   The attackers took advantage of the distribution system replacing update.exe with an NSIS installer commonly used by a Chinese APT to deliver the initial payload. Rapid7 has dubbed this the Chrysalis Backdoor and released a detailed analysis which includes IoCs.

   Rapid7 Analysis: https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/

10. OpenClaw ecosystem still suffering severe security issues

    Security issues continue to pervade the OpenClaw ecosystem, formerly known as ClawdBot then Moltbot, as multiple projects patch bot takeover and remote code execution (RCE) exploits. The initial hype around the renamed OpenClaw has died down somewhat compared to last week, although security researchers say they continue to find holes in a technology designed to make life easier for users, not more onerous.

    Still time to restrict OpenClaw, yeah it got renamed again, to that "other" sysetem, not your primary systems. Yes,  they are working as fast as they can to identify and resolve issues, but they are not done yet. Think at least twice before allowing it to access your secure messaging platforms (Signal, Telegram, etc.). Then bone up on Moltbook, an AI Social networking platform used by LLM's patterned off of Redit. Consider what network access you want to grant your AI agents.

Sam Bowne

1. OnlyFans Rival Seemingly Succumbs to AI Psychosis, Which We Dare You to Try Explain to Your Parents

   ManyVids is an OnlyFans-like porn platform with millions of users. For roughly the past half-year, its official account on X and on its own website have been posting bizarre, feverishly spiritual rants on topics ranging from aliens to numerology, along with absurd AI-generated images and videos that depict its CEO Bella French. French is suffering from AI psychosis.

2. Hackers hijack exposed LLM endpoints in Bizarre Bazaar operation

   A malicious campaign is actively targeting exposed LLM (Large Language Model) service endpoints to commercialize unauthorized access to AI infrastructure, and: Steal computing resources for cryptocurrency mining Resell API access on darknet markets Exfiltrate data from prompts and conversation history, Attempt to pivot into internal systems via Model Context Protocol (MCP) servers

3. Viral Moltbot AI assistant raises concerns over data security

   Because Clawdbot auto-approves “local” connections, deployments behind reverse proxies often treat all internet traffic as trusted, so many exposed instances allow unauthenticated access, credential theft, access to conversation history, command execution, and root-level system access. There is no sandboxing for the AI assistant by default. Risks include exposed gateways and API/OAuth tokens, plaintext storage credentials under ~/.clawdbot/, corporate data leakage via AI-mediated access, and an extended prompt-injection attack surface.

4. Massive AI Chat App Leaked Millions of Users Private Conversations

   The issue is a misconfiguration in the app’s usage of the mobile app development platform Google Firebase, which by default makes it easy for anyone to make themselves an “authenticated” user who can access the app’s backend storage where in many instances user data is stored. The company fixed the issue across all of its apps within hours, according to Harry.

5. ICE Is Going on a Surveillance Shopping Spree

   They have a massively increased budget, and are buying: Cellebrite service to extract data from seized phones Paragon's Graphite phone-hacking software Webloc and Tangles to gather data from data brokers and social media to build dossiers of targets, including historic and current locations without a need for a warrant Our concern with ICE buying this software is the likelihood that it will be used against undocumented people and immigrants who are here legally, as well as U.S. citizens who have spoken up against ICE or who work with immigrant communities.

6. Booz Allen Tech Contractor Took IRS Job Specifically to Leak Trump’s Tax Records

   The US Treasury Department announced yesterday that it was canceling all contracts it holds with consulting firm Booz Allen Hamilton because the company failed to prevent one of its contractors, Charles Littlejohn, from stealing and leaking Trump's tax records years ago. This is the first time I'm aware that a major federal agency has cancelled significant government contracts over an infosec leak. Even after another Booz Allen contractor – Edward Snowden – stole and leaked a massive cache of documents he downloaded from computers belonging to the National Security Agency, Booz Allen retained its federal contracts with the spy agency. Both Littlejohn and Snowden said they took the jobs at Booz Allen Hamilton specifically in order to gain access to documents and leak them.

7. Google takes down massive shady network that was secretly running on millions of Android phones

   Google has taken down what it believes to be the world’s largest residential proxy network. Most people end up on Ipidea’s network by installing free apps, games, or desktop software that secretly include proxy code.

8. AI agents now have their own Reddit-style social network, and it’s getting weird fast

   Over 32,000 AIs have joined Moltbook, a Facebook-style social network for OpenClaw (previously called "Clawdbot" and then "Moltbot") personal assistants. The AIs discuss tips, how they interact with humans, and other things. They are apparently acting out fiction about robots they've been trained on. But since many of them have access to PII, and they have serious vulnerabilities including prompt injection, problems may arise.

9. Exposed Moltbook Database Let Anyone Take Control of Any AI Agent on the Site

   Moltbook runs on Supabase, an open source database software. The URL to the Supabase and the publishable key was sitting on Moltbook’s website. “With this publishable key (which advised by Supabase not to be used to retrieve sensitive data) every agent's secret API key, claim tokens, verification codes, and owner relationships, all of it sitting there completely unprotected for anyone to visit the URL,” O’Reilly said. The exposed database has been closed.