2026-04

January 23 - January 29, 2026

16 articles, 4 topics, 10 sources

This Week's Summary

The persistent gap between compliance artifacts and actual security showed up everywhere this week, from Microsoft's Administrator Protection getting disabled for "app compatibility" to Under Armour's months-late breach disclosure. We saw multiple instances of attackers sailing through certified environments using legitimate tools—phishing campaigns installing LogMeIn RMM, attackers compromising eScan's update servers, and Poland's power grid getting hit despite presumably having all the right controls documented. The pattern is clear: organizations are building compliance programs that look good on paper but crumble when tested by real adversaries who don't care about your SOC 2 report.

The vendor supply chain emerged as this week's most exploitable attack surface. The SmarterMail authentication bypass (CVSS 9.3) went from patch to active exploitation in days, eScan pushed malicious updates through compromised infrastructure, and Pwn2Own demonstrated that EV chargers—now critical payment infrastructure—are riddled with vulnerabilities that PCI-DSS hasn't caught up to yet. The vm2 Node.js sandbox keeps bleeding critical escapes, proving once again that trusting a JavaScript library for security-critical isolation was always wishful thinking. If your third-party risk management program is just collecting SOC 2 reports and vendor questionnaires, you're documenting relationships while attackers are exploiting them.

Meanwhile, the regulatory landscape continued its march toward fragmented chaos. Ireland's proposed surveillance powers will create delightful conflicts between government access demands and GDPR Article 32 security requirements, while the Supreme Court's examination of geofence warrants could reshape what "lawful basis" actually means when law enforcement shows up. TikTok's US joint venture promised NIST, ISO 27001, and CISA compliance—we'll see if third-party auditors get real access to data flows or just another layer of compliance theater with a 19.9% ByteDance backdoor. The SecurityWeek analysis got it right: companies face hundreds of overlapping requirements, but most ask for the same controls wrapped in different paperwork.

The few bright spots offered practical lessons worth internalizing. The SEC credited ADM for actually investigating itself, reporting findings, and fixing controls—that cooperative playbook beats stonewalling every time. Twelve companies recovered from ransomware because criminals made a mistake, which is exactly why that can't be your backup strategy. Poland's grid operators detected the Sandworm attack before it caused outages, demonstrating what mature incident response looks like when it's not just documented procedures gathering dust. These incidents prove the same point: the organizations that survive don't just pass audits—they build detection capabilities, practice actual incident response, and maintain controls that work when the paperwork stops mattering.

security incident

9 articles

Bypassing Windows Administrator Protection

Jan 26, 2026 Google Project Zero Score: 1.0

A security researcher details nine vulnerabilities discovered in Windows 11's new Administrator Protection feature (25H2) that could allow local users to silently gain full administrator privileges. All reported vulnerabilities have been addressed by Microsoft through security updates, and the feature has been temporarily disabled to resolve application compatibility issues. The analysis highlights the evolution of Windows privilege escalation mechanisms from UAC to Administrator Protection.

My Take

Microsoft disabled the feature because of "app compatibility issues"—which is code for "enterprises aren't ready to break their stack of legacy tools that assume admin access." The real lesson here isn't the nine bugs (new security features always have teething problems), it's that organizations relying on OS-level controls as their primary defense are still playing whack-a-mole with privilege escalation.

SOC2 ISO27001

Key Actions

  • Review and apply Windows security bulletins addressing Administrator Protection bypasses
  • Audit systems running Windows 11 25H2 for potential unauthorized privilege escalation
  • Monitor Microsoft security updates for Administrator Protection fixes and re-enablement

Scanning Webserver with /$(pwd)/ as a Starting Path, (Sun, Jan 25th)

Jan 26, 2026 SANS Internet Storm Center Score: 0.9

The article discusses a webserver vulnerability scanning technique that uses /$(pwd)/ as an attack vector, probing for command injection or path traversal vulnerabilities. This type of security vulnerability is relevant to organizations maintaining compliance with SOC2 and ISO27001 standards, which require robust vulnerability management and security controls.

My Take

If your vulnerability scanners aren't catching this kind of path injection nonsense, your SOC 2 "comprehensive vulnerability management" control is just paperwork. This is exactly the gap between passing an audit and actually having defensible infrastructure.

SOC2 ISO27001

Key Actions

  • Review webserver configurations for command injection vulnerabilities
  • Implement input validation and sanitization controls
  • Conduct vulnerability assessment and penetration testing
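A defender-side check for the probe pattern named above, added here as an example and not taken from the SANS diary: it parses constructed combined-format access-log lines and flags request paths carrying shell command substitution (including URL-encoded and double-encoded forms) or directory traversal. The log lines, the signature set and the decode depth are assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed combined-format access-log lines for the demo (not from the SANS diary).
SAMPLE_LOG = """\
203.0.113.5 - - [25/Jan/2026:10:12:01 +0000] "GET /$(pwd)/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Jan/2026:10:12:02 +0000] "GET /%24%28pwd%29/admin.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Jan/2026:10:13:10 +0000] "GET /images/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Jan/2026:10:13:15 +0000] "GET /../../etc/passwd HTTP/1.1" 400 0 "-" "curl/8.0"
198.51.100.9 - - [25/Jan/2026:10:14:00 +0000] "POST /api/login HTTP/1.1" 200 87 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Signatures are matched against the URL-decoded path; the set is an assumption, extend it as needed.
SIGNATURES = {
    "shell-substitution": re.compile(r'\$\(|`|\$\{'),   # $(pwd), `pwd`, ${IFS}-style probes
    "path-traversal": re.compile(r'(^|/)\.\.(/|$)'),     # /../ segments
}

def decode_path(path, max_rounds=3):
    """URL-decode repeatedly so double-encoded probes are caught; bounded to avoid spinning."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def scan_access_log(text):
    """Return one finding per (line, signature) hit, preserving the raw path for the analyst."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; count these separately in production
        decoded = decode_path(m.group("path"))
        for rule, sig in SIGNATURES.items():
            if sig.search(decoded):
                findings.append({
                    "ip": m.group("ip"),
                    "path": m.group("path"),
                    "decoded": decoded,
                    "rule": rule,
                    "status": int(m.group("status")),
                })
    return findings

def probes_by_source(findings):
    """Aggregate hits per client IP; one source with many hits looks like a scanner."""
    return dict(Counter(f["ip"] for f in findings))

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f'{f["ip"]} {f["rule"]}: {f["path"]} -> {f["decoded"]} ({f["status"]})')
    print(probes_by_source(scan_access_log(SAMPLE_LOG)))
```

A 404 on such a path means the probe found nothing to execute; the response code of interest is a 200 or 500 on a substituted path, which is where the review of the webserver configuration should start.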

Ransomware gang’s slip-up led to data recovery for 12 US firms

Jan 23, 2026 CSO Online Score: 0.9

A ransomware gang's operational error enabled 12 US firms to recover their encrypted data without paying ransom. This incident highlights both the threat of ransomware attacks and the importance of robust incident response and data recovery procedures. Organizations across multiple sectors were affected, requiring notification and remediation efforts under various compliance frameworks.

My Take

Don't let this feel-good story become your backup strategy. The only reason these 12 companies aren't writing ransom checks is because criminals made a mistake—your security plan can't depend on adversary incompetence.

SOC2 ISO27001 GDPR HIPAA PCI-DSS CCPA

Key Actions

  • Review and test data recovery and backup procedures
  • Conduct incident response drills to prepare for ransomware scenarios
  • Document and report data exposure incidents to relevant regulators as required

Fresh SmarterMail Flaw Exploited for Admin Access

Jan 23, 2026 SecurityWeek Score: 0.9

A critical authentication bypass vulnerability (CVE-2026-23760, CVSS 9.3) in SmarterMail is being actively exploited by threat actors to gain unauthorized admin access and achieve remote code execution within days of patch release. The flaw allows attackers to reset administrator passwords without authentication, enabling full system compromise through OS command execution capabilities. Organizations using SmarterMail must immediately apply patches to version 9511 or later and audit systems for signs of exploitation.

My Take

If you're running SmarterMail and haven't patched yet, you're not just vulnerable—you've likely already been compromised. This is the kind of trivial-to-exploit, full-takeover flaw where "we'll patch next maintenance window" means you're handing over the keys.

SOC2 ISO27001 HIPAA PCI-DSS

Key Actions

  • Immediately update SmarterMail to patched version 9511 or later
  • Review logs for exploitation attempts targeting the password reset API and System Events functionality
  • Audit all administrator accounts for unauthorized password resets or access

Phishing Attack Uses Stolen Credentials to Install LogMeIn RMM for Persistent Access

Jan 23, 2026 The Hacker News Score: 0.9

A sophisticated phishing campaign exploits stolen credentials to deploy legitimate LogMeIn RMM software for persistent unauthorized access to victim systems. Attackers use fake Greenvelope invitation emails to harvest Microsoft Outlook and Yahoo credentials, then leverage these to register with LogMeIn and establish hidden remote access with administrative privileges. Organizations are advised to monitor for unauthorized RMM installations and suspicious usage patterns to detect and prevent this type of attack.

My Take

This is why your compliance checklist of "approved software" isn't enough—attackers are using *legitimate* tools that sail right past your controls. If you're not monitoring for behavioral anomalies (like new RMM installs or off-hours remote access), you're just checking boxes while the back door stays wide open.

SOC2 ISO27001 HIPAA PCI-DSS

Key Actions

  • Implement monitoring for unauthorized RMM tool installations and suspicious remote access activity
  • Enforce multi-factor authentication (MFA) on email and critical administrative accounts
  • Conduct security awareness training focusing on credential theft via phishing
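One way to turn the RMM-monitoring action above into a concrete check, added here as an example and not from the article or from LogMeIn: it evaluates constructed endpoint events against an allowlist of approved RMM tools and their expected install paths, and flags unapproved tools, approved tools launched from an unexpected location, and approved tools used off-hours. The event shape, tool names, paths and business-hours window are assumptions.

```python
from datetime import datetime

# Constructed endpoint telemetry (not from the article): process creations and remote sessions.
EVENTS = [
    {"ts": "2026-01-22T09:15:00", "host": "WS-042", "type": "process_create",
     "image": "C:\\Program Files\\ScreenConnect\\ScreenConnect.ClientService.exe", "user": "CORP\\it-admin"},
    {"ts": "2026-01-22T22:41:13", "host": "WS-117", "type": "process_create",
     "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\LogMeIn.exe", "user": "CORP\\jdoe"},
    {"ts": "2026-01-23T03:02:45", "host": "WS-117", "type": "remote_session",
     "tool": "LogMeIn", "user": "CORP\\jdoe"},
    {"ts": "2026-01-23T10:30:00", "host": "WS-042", "type": "remote_session",
     "tool": "ScreenConnect", "user": "CORP\\it-admin"},
    {"ts": "2026-01-23T23:05:10", "host": "WS-042", "type": "remote_session",
     "tool": "ScreenConnect", "user": "CORP\\it-admin"},
]

# Approved RMM tooling and the install path it is expected to run from (assumed for this example).
APPROVED_RMM = {"screenconnect": "c:\\program files\\screenconnect\\"}
# Executable-name fragments that identify common RMM agents (assumed list; build yours from inventory).
RMM_MARKERS = {"logmein": "LogMeIn", "screenconnect": "ScreenConnect",
               "anydesk": "AnyDesk", "teamviewer": "TeamViewer"}
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 local; assumption

def classify_rmm(image):
    """Map an executable path to an RMM tool name, or None if it is not a known agent."""
    low = image.lower()
    for marker, tool in RMM_MARKERS.items():
        if marker in low:
            return tool
    return None

def detect(events):
    """Return (host, tool, reason) tuples for events that deserve an analyst's attention."""
    alerts = []
    for e in events:
        hour = datetime.fromisoformat(e["ts"]).hour
        if e["type"] == "process_create":
            tool = classify_rmm(e["image"])
            if tool is None:
                continue  # not an RMM agent
            expected = APPROVED_RMM.get(tool.lower())
            if expected is None:
                alerts.append((e["host"], tool, "unapproved RMM tool executed"))
            elif not e["image"].lower().startswith(expected):
                alerts.append((e["host"], tool, "approved RMM tool from unexpected path"))
        elif e["type"] == "remote_session":
            if e["tool"].lower() not in APPROVED_RMM:
                alerts.append((e["host"], e["tool"], "remote session via unapproved tool"))
            elif hour not in BUSINESS_HOURS:
                alerts.append((e["host"], e["tool"], "approved tool used off-hours"))
    return alerts

if __name__ == "__main__":
    for host, tool, reason in detect(EVENTS):
        print(f"{host}: {tool} - {reason}")
```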

Infotainment, EV Charger Exploits Earn Hackers $1M at Pwn2Own Automotive 2026

Jan 23, 2026 SecurityWeek Score: 0.9

White hat hackers discovered 76 vulnerabilities in automotive systems at Pwn2Own Automotive 2026, earning $1.047M in total rewards. Critical vulnerabilities were found in EV charging infrastructure (Alpitronic, ChargePoint, Autel, Phoenix Contact, Grizzl-E), Tesla infotainment systems, and Automotive Grade Linux. The event highlights significant security gaps in connected vehicle technologies that require immediate patching and compliance attention.

My Take

If your EV chargers handle payment cards and you're assuming PCI compliance means they're secure—this is your wake-up call. Pwn2Own just demonstrated that the attack surface expanded way faster than our compliance frameworks caught up, and those chargers are now part of your critical infrastructure whether your risk assessment says so or not.

PCI-DSS ISO27001

Key Actions

  • EV charger manufacturers and automotive OEMs should prioritize patching disclosed vulnerabilities immediately
  • Organizations managing EV charging infrastructure should review PCI-DSS compliance requirements for connected payment/control systems
  • Implement security assessments and penetration testing for automotive infotainment and charging systems

eScan confirms update server breached to push malicious update

Jan 28, 2026 BleepingComputer Score: 0.9

MicroWorld Technologies' eScan antivirus update server was breached and used to distribute malicious updates to a limited subset of customers on January 20, 2026. The company detected the unauthorized access internally within hours, isolated affected infrastructure, rotated credentials, and provided remediation to impacted customers. The incident involved compromised update infrastructure rather than a product vulnerability.

SOC2 ISO27001

Key Actions

  • Review and strengthen update server authentication and access controls
  • Implement enhanced monitoring and detection mechanisms for unauthorized access to critical infrastructure
  • Conduct comprehensive incident response review and update security protocols

Critical vm2 Node.js Flaw Allows Sandbox Escape and Arbitrary Code Execution

Jan 28, 2026 The Hacker News Score: 0.9

A critical sandbox escape vulnerability (CVE-2026-22709, CVSS 9.8) has been discovered in the popular vm2 Node.js library, allowing attackers to execute arbitrary code by bypassing Promise handler sanitization. This is the latest in a series of sandbox escape vulnerabilities affecting vm2, with the flaw patched in version 3.10.2 and additional fixes in 3.10.3. Organizations using vm2 for executing untrusted code must immediately update and consider alternative isolation solutions.

My Take

If you're still running untrusted code with vm2, this is your wake-up call to architect actual isolation—containers, separate processes, something that doesn't keep bleeding critical escapes every few months. Patching to 3.10.3 buys you time, but relying on a JavaScript sandbox for security-critical isolation was always wishful thinking.

SOC2 ISO27001 PCI-DSS

Key Actions

  • Immediately upgrade vm2 to version 3.10.3 or later
  • Audit all applications and systems using the vm2 library for potential exploitation
  • Evaluate migration to alternative sandboxing solutions such as isolated-vm or Docker-based isolation

Cyberattack on Poland’s power grid hit around 30 energy facilities, new report says

Jan 28, 2026 The Record Score: 0.9

A coordinated cyberattack attributed to Russian hacking group Sandworm targeted Poland's power grid in late December, compromising control and communications systems at approximately 30 energy facilities. While the attack did not cause power outages, attackers gained access to operational technology systems critical to grid operations and disabled key equipment. The incident highlights vulnerabilities in distributed energy systems that rely heavily on remote connectivity and typically receive less cybersecurity investment than centralized infrastructure.

My Take

If you're running critical infrastructure on remote access without robust segmentation and monitoring, you're not compliant—you're just filling out paperwork. This attack didn't cause outages because the operators caught it, not because their SOC 2 checkboxes saved them.

SOC2 ISO27001

Key Actions

  • Conduct a comprehensive security audit of distributed energy generation facilities
  • Implement enhanced monitoring and access controls for operational technology systems
  • Develop incident response procedures specific to OT/grid operations

penalty/fine

1 article

SEC Charges ADM and Three Former Executives with Accounting and Disclosure Fraud

Jan 27, 2026 SEC Press Releases Score: 1.0

The SEC charged ADM and three former executives with accounting and disclosure fraud for materially inflating the performance of its Nutrition business segment through improper intersegment transaction adjustments during 2019-2022. The company received credit for cooperation, conducting an internal investigation, voluntarily reporting findings, and implementing new internal accounting controls and policies. A Fair Fund was established to distribute monetary relief to harmed investors.

My Take

The Fair Fund is nice, but the real win here is that ADM gets credit for actually doing what companies claim they'll do—investigating themselves, reporting it, and fixing their controls. That cooperative playbook is your blueprint if you ever find yourself in similar territory: transparency and remediation beat stonewalling every time.

SOC2

Key Actions

  • Implement enhanced internal accounting controls around intersegment transactions
  • Strengthen disclosure accuracy and transparency in financial reporting to investors
  • Conduct regular testing and validation of accounting control effectiveness

regulation update

5 articles

Coffee with the Council Podcast: PCI SSC Releases Version 2.0 of the PCI Secure Software Standard

Jan 28, 2026 PCI Security Standards Council Score: 1.0

The PCI Security Standards Council has released version 2.0 of the PCI Secure Software Standard, marking the first major revision since its introduction in 2019. This update is part of the Council's Software Security Framework and includes changes to both the Secure Software Standard and the Secure Software Lifecycle Standard. The revision aims to provide enhanced flexibility and programmatic benefits for software vendors undergoing assessment and certification.

My Take

If you're a payment software vendor, the "enhanced flexibility" is worth reading closely—these revisions usually mean the Council heard feedback about what wasn't working in real-world assessments. The rest of us can safely ignore this unless we're building something that touches cardholder data, in which case you already knew this was coming.

PCI-DSS

Key Actions

  • Review and understand the changes in PCI Secure Software Standard v2.0
  • Assess impact on software vendors and existing certification programs
  • Plan transition strategy for organizations currently using version 1.0

Ireland Proposes Giving Police New Digital Surveillance Powers

Jan 26, 2026 Schneier on Security Score: 0.9

The Irish government is proposing new legislation that would grant police expanded digital surveillance powers, including the ability to intercept encrypted communications and legally use spyware. This development has significant implications for GDPR compliance, particularly regarding lawful basis for processing personal data and privacy rights. Organizations operating in Ireland should monitor this regulatory change closely as it may affect data protection obligations.

My Take

If this passes, expect a mess of conflicting obligations between government access demands and your GDPR Article 32 security requirements. The real headache won't be the law itself—it'll be explaining to your EU customers why Irish-hosted data suddenly comes with a state surveillance asterisk.

GDPR

Key Actions

  • Monitor Irish government legislative updates regarding digital surveillance powers
  • Review GDPR lawful basis assessments in light of potential new surveillance legislation
  • Assess impact on encryption and data protection strategies for Irish operations

The Constitutionality of Geofence Warrants

Jan 27, 2026 Schneier on Security Score: 0.9

The US Supreme Court is examining the constitutional validity of geofence warrants used by law enforcement to obtain location data from tech companies like Google. The case raises Fourth Amendment concerns about privacy rights and warrantless data collection practices that intersect with data protection regulations.

My Take

If you're handling location data, this case matters more than most regulatory updates—it could reshape what "lawful basis" means when US law enforcement comes knocking. The constitutional gray zone around geofence warrants is exactly where your privacy program meets real legal risk, not theoretical compliance checkboxes.

GDPR CCPA

Key Actions

  • Monitor the Supreme Court ruling on geofence warrant constitutionality for privacy law implications
  • Review data sharing policies with law enforcement to ensure Fourth Amendment and GDPR/CCPA compliance
  • Assess location data handling procedures and warrant verification processes

TikTok Forms U.S. Joint Venture to Continue Operations Under 2025 Executive Order

Jan 23, 2026 The Hacker News Score: 0.9

TikTok has officially formed a U.S. joint venture (TikTok USDS Joint Venture LLC) to comply with President Trump's September 2025 Executive Order, with majority American ownership and ByteDance retaining a 19.9% stake. The new entity will implement comprehensive data protection, cybersecurity, and content moderation safeguards that adhere to NIST CSF, NIST 800-53, ISO 27001, and CISA security requirements, with third-party audits and certifications.

My Take

Watch how this actually gets implemented—we're about to see if you can genuinely carve off data sovereignty in a platform this interconnected, or if this is just elaborate compliance theater with a 19.9% backdoor. The real test won't be the certifications they announce, but whether the third-party auditors get access to the actual data flows and algorithmic decision-making.

ISO27001 SOC2

Key Actions

  • Implement ISO 27001 and NIST CSF compliance frameworks for data privacy and cybersecurity programs
  • Establish third-party audit and certification processes for cybersecurity compliance verification
  • Migrate U.S. user data and algorithms to Oracle's secure U.S. cloud infrastructure

Cyber Insights 2026: Regulations and the Tangled Mess of Compliance Requirements

Jan 23, 2026 SecurityWeek Score: 0.9

SecurityWeek's Cyber Insights 2026 report analyzes the evolving landscape of global cyber regulations, describing it as a complex 'Gordian Mess' of overlapping and sometimes conflicting requirements across multiple jurisdictions. The article examines how geopolitical tensions and growing national digital sovereignty movements are driving increasingly assertive regulatory frameworks that apply to international organizations operating across borders. The report emphasizes that global companies must navigate hundreds of legal requirements across different regions to maintain compliance.

My Take

The real problem isn't that regulations are proliferating—it's that most frameworks still ask for the same controls wrapped in different paperwork. Map your controls once to a solid baseline (CIS, NIST, pick your poison), then treat each new regulation as a documentation exercise, not a rebuild of your entire program.

SOC2 ISO27001 GDPR HIPAA PCI-DSS CCPA

Key Actions

  • Monitor and map all applicable regulations across operating jurisdictions for 2026
  • Establish compliance frameworks that address overlapping and conflicting requirements from multiple regulatory domains
  • Prepare for continued evolution of national digital sovereignty regulations

data breach

1 article

Under Armour Looking Into Data Breach Affecting Customers’ Email Addresses

Jan 23, 2026 SecurityWeek Score: 0.9

Under Armour is investigating a data breach affecting approximately 72 million customers' email addresses and personal information (names, genders, birthdates, ZIP codes), discovered late last year. The company states no evidence suggests passwords or financial information were compromised, and payment systems were not affected. The incident raises questions about disclosure timeliness and notification requirements under various compliance frameworks.

My Take

"Discovered late last year" and we're hearing about it now? The breach itself is garden-variety PII exposure, but the disclosure timeline is the compliance risk that'll actually bite them—especially under GDPR's 72-hour clock.

GDPR CCPA SOC2

Key Actions

  • Conduct a thorough forensic investigation to confirm the scope and nature of compromised data
  • Issue formal breach notification to affected customers in compliance with GDPR, CCPA, and state-specific breach notification laws
  • Document the incident response timeline and controls assessment for SOC2 audit purposes