Critical Patches and New Services Lead as Incidents Persist

Coverage: 06 Jan 2026 (UTC)

Microsoft moved to close skills and capacity gaps with a new expert-led security services bundle, the Defender Experts suite, while critical advisories landed across open-source libraries, workflow automation, and legacy networking gear. On the incident side, Jaguar Land Rover continued to feel the financial impact of last year’s disruption, with sales and shipments materially down, according to Infosecurity.

Platform services to raise defenses

To address alert fatigue and staffing shortages, Microsoft packaged 24/7 managed XDR, incident response, and designated engineering in a single offering positioned to unify endpoint, identity, email, and cloud signals. The company says the bundle reduces investigation time and improves SOC efficiency through shared workflows and threat intelligence. The move targets organizations that need hands-on help modernizing operations and accelerating recovery without building every capability in-house.

CrowdStrike detailed how its Malware Analysis Agent automates static and dynamic analysis, applies thousands of YARA rules, and orchestrates actions through its SOAR to isolate hosts, block infrastructure, and distribute IOCs. The blog describes tight integration with threat intelligence and third-party tools to turn findings into rapid protections. In the public sector, a year-in-review post from Google highlights accreditations such as IL6 for Google Distributed Cloud and FedRAMP High for multiple services, plus deployments of Gemini for Government and agency pilots aimed at secure AI adoption. Together, these updates reflect a continued push to combine accredited cloud, AI assistance, and expert services for mission outcomes.

Critical advisories: code, automation, and ICS

Researchers disclosed a critical path traversal in the @adonisjs/bodyparser package that enables arbitrary file writes through unsafe handling of multipart filenames. The Hacker News report notes fixes in 10.1.2 and 11.0.0-next.6 and outlines mitigations such as filename sanitization and least-privilege filesystem permissions for the process that handles uploads. Separately, n8n warned that CVE-2025-68668 (CVSS 9.9) allows authenticated users to execute OS commands through a Python Code Node sandbox bypass; upgrading to 2.0.0 or disabling the vulnerable features is advised, per The Hacker News. A high-severity flaw in Open WebUI (CVE-2025-64496) also received patches; it allowed crafted server-sent events to steal tokens and, when certain permissions were present, escalate to backend code execution, according to CSO Online.

On the network and industrial front, VulnCheck revealed an actively exploited command injection (CVE-2026-0625) in multiple legacy D‑Link DSL gateways. Because the affected models are end-of-life, the BleepingComputer coverage relays vendor guidance to retire and replace impacted units and, until then, to lock down administrative interfaces. For operational technology, CISA published an advisory for Columbia Weather Systems MicroServer firmware (versions before MS_4.1_14142) with issues that could redirect SSH, expose plaintext secrets on SD cards, and allow limited shell access; customers should apply the vendor firmware and tighten network segmentation and access controls, according to CISA.

Finally, Microsoft researchers warned that misconfigured mail routing and spoof protections can make external phishing appear to originate inside the organization, a technique often tied to PhaaS platforms. The post recommends enforcing SPF, DKIM, and DMARC, reviewing inbound connectors, and enabling Defender features such as Safe Links and zero-hour auto purge, alongside phishing-resistant authentication in Entra ID. Why it matters: small configuration gaps can undermine otherwise robust anti-spoofing controls and enable credential theft and BEC.
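The SPF and DMARC side of that advice, as an added example that is not Microsoft's code: a small checker that parses both TXT records and flags the settings that let spoofed mail through (a permissive `all` mechanism, `p=none`, partial `pct`, no aggregate reporting, too many DNS lookups). The record strings are constructed for illustration; against a real domain you would fetch them with `dns.resolveTxt()` for the domain and for `_dmarc.<domain>`. Connector and transport-rule review cannot be done from DNS and stays a manual step.

```javascript
// Added example, not Microsoft's code: parse SPF and DMARC TXT records and
// flag the settings that leave spoofed "internal" mail unpunished.
// The record strings at the bottom are constructed for illustration.

// Split "v=DMARC1; p=reject; rua=mailto:x" into a lower-cased tag map.
function parseDmarc(txt) {
  const tags = {};
  for (const part of txt.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const key = part.slice(0, idx).trim().toLowerCase();
    if (key) tags[key] = part.slice(idx + 1).trim();
  }
  return tags;
}

// DMARC is what turns an SPF/DKIM failure into a quarantine or reject.
function checkDmarc(txt) {
  const t = parseDmarc(txt);
  if (t.v !== "DMARC1") return ["not a DMARC record"];
  const findings = [];
  if (!t.p || t.p === "none") {
    findings.push("p=none: failing mail is only reported, never quarantined or rejected");
  }
  if (t.sp === "none") findings.push("sp=none: subdomains can still be spoofed");
  const pct = t.pct === undefined ? 100 : Number(t.pct);
  if (pct !== 100) findings.push(`pct=${t.pct}: policy applies to only part of failing mail`);
  if (!t.rua) findings.push("no rua: aggregate reports are not collected, so abuse goes unseen");
  return findings;
}

// SPF: the terminal mechanism decides unlisted senders, and more than ten
// lookup terms makes receivers return permerror and ignore the record.
function checkSpf(txt) {
  const terms = txt.trim().split(/\s+/);
  if (terms[0] !== "v=spf1") return ["not an SPF record"];
  const findings = [];
  const last = terms[terms.length - 1];
  if (last === "+all" || last === "all") findings.push("+all: every sender passes SPF");
  else if (last === "?all") findings.push("?all: unlisted senders are neutral, not failed");
  else if (last === "~all") findings.push("~all: softfail only; DMARC p=reject must act on it");
  else if (last !== "-all" && !last.startsWith("redirect=")) findings.push("no terminal all mechanism");
  const lookups = terms.filter((term) =>
    /^[+\-~?]?(include:|a$|a:|mx$|mx:|ptr|exists:|redirect=)/.test(term)).length;
  if (lookups > 10) findings.push(`${lookups} lookup terms exceed the limit of 10 (permerror)`);
  return findings;
}

// Constructed records: a weak pair beside a hardened pair.
const WEAK_SPF = "v=spf1 include:_spf.example.net +all";
const WEAK_DMARC = "v=DMARC1; p=none; pct=50";
const STRONG_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all";
const STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com";

function auditAll() {
  return {
    weakSpf: checkSpf(WEAK_SPF),
    weakDmarc: checkDmarc(WEAK_DMARC),
    strongSpf: checkSpf(STRONG_SPF),
    strongDmarc: checkDmarc(STRONG_DMARC),
  };
}
```

The weak pair is exactly the shape that lets an external sender pass as internal: `+all` means SPF never fails, and `p=none` means that even a DKIM or alignment failure only generates a report. Fix the DMARC policy first; an SPF record with `-all` does nothing on its own if DMARC never enforces it.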

Abuse of trust: proxies, extensions, and phishing lures

Threat actors behind the Kimwolf Android botnet are abusing residential proxy services that expose local network access, rapidly expanding to nearly two million devices by scanning for unauthenticated ADB endpoints. The BleepingComputer report notes infections concentrate on low-cost Android TV boxes and devices bundled with proxy SDKs, with observed DDoS capacity linked to the broader Aisuru ecosystem. One provider has since blocked local-network routing and risky ports.

Researchers also flagged two malicious Chrome extensions that exfiltrate ChatGPT and DeepSeek conversations and browsing data to attacker infrastructure. According to The Hacker News, the extensions reached a combined 900,000 installs and scrape DOM content to exfiltrate prompts, outputs, and URLs every ~30 minutes—information that can be repurposed for phishing and data theft. In parallel, Securonix documented PHALT#BLYX, a holiday-period phishing operation impersonating Booking.com and using ClickFix-style lures to trick hospitality staff into pasting a PowerShell command that leads to DCRat installation via MSBuild. Infosecurity reports the chain adds Defender exclusions and achieves persistence while leveraging living-off-the-land binaries to evade detection.

Confirmed breaches and operational impact

Jaguar Land Rover’s cyber disruption in late August continued to weigh on Q3 2025 performance, with retail sales down 25.1% year-on-year and wholesale shipments down 43% amid production halts and lingering distribution delays, per Infosecurity. An independent monitoring body categorized the breach as a systemic cyber event with a significant estimated UK economic impact; the company also faced market headwinds and product transitions, compounding the effect on volumes.

Sedgwick Government Solutions disclosed a breach impacting an isolated file transfer system while emphasizing network segmentation from parent operations; a ransomware group claimed responsibility and posted alleged data, according to BleepingComputer. Separately, Taiwan’s National Security Bureau reported a tenfold rise in attacks on the energy sector and broader activity across nine critical sectors, often aligned with political and military events, as covered by BleepingComputer. Why it matters: sector-wide targeting and supply-chain exposures can amplify operational risk even when core systems remain segmented.