Daily Brief


Total articles found: 12595

Checks for new stories every ~15 minutes

2026-01-15 16:19:59 bleepingcomputer VULNERABILITIES Critical Bluetooth Vulnerability Exposes Millions to Eavesdropping Risks
Researchers identified a critical flaw in Google's Fast Pair protocol, allowing attackers to hijack Bluetooth audio devices, affecting millions of users globally across various manufacturers. The vulnerability, CVE-2025-36911, named WhisperPair, impacts devices from brands like Google, Jabra, and Sony, enabling unauthorized pairing and user tracking. Attackers can exploit the flaw using any Bluetooth-capable device, gaining control over audio accessories to eavesdrop or disrupt with high-volume audio. The flaw allows for user tracking via Google's Find Hub network, with notifications potentially misleading victims into dismissing legitimate alerts. Google has collaborated with manufacturers to issue patches, though updates may not be available for all devices, posing ongoing risks. The only mitigation is applying firmware updates from manufacturers, as disabling Fast Pair on phones does not prevent the attack on accessories. Google awarded a $15,000 bounty to researchers for this discovery, emphasizing the importance of responsible vulnerability disclosure and collaboration.
2026-01-15 15:35:39 thehackernews VULNERABILITIES Critical Flaw in WordPress Plugin Exploited for Admin Access
A severe vulnerability in the WordPress Modular DS plugin, tracked as CVE-2026-23550, is being actively exploited, affecting over 40,000 installations worldwide. The flaw, with a CVSS score of 10.0, allows unauthenticated privilege escalation, enabling attackers to gain administrator access through specific API routes. Exploitation involves bypassing authentication by manipulating the "origin" and "type" parameters, affecting routes such as /login/ and /backup/. Attacks were first observed on January 13, 2026, with HTTP GET requests targeting the "/api/modular-connector/login/" endpoint to create admin users. Users are urged to update to version 2.5.2 immediately, which addresses this vulnerability by rectifying the flawed routing mechanism. The incident underscores the risks of implicit trust in internal request paths when exposed online, emphasizing the need for robust authentication measures. Organizations using the plugin should review their security posture and ensure all plugins are regularly updated to mitigate similar risks.
2026-01-15 15:12:12 thehackernews VULNERABILITIES New Reprompt Attack Exploits Microsoft Copilot for Data Exfiltration
Researchers identified a vulnerability in Microsoft Copilot, termed Reprompt, that allows data exfiltration with a single click while bypassing enterprise security measures. The attack requires no user interaction beyond clicking a legitimate Microsoft link, and the attacker retains control even after the Copilot session ends. Reprompt uses a chain of techniques to execute commands via the "q" parameter, making it difficult to detect data exfiltration from the initial prompt. Microsoft has addressed the issue following responsible disclosure, ensuring enterprise customers using Microsoft 365 Copilot remain unaffected. This vulnerability highlights the persistent risk of prompt injection in AI systems, necessitating layered defenses and limited access to sensitive data. Organizations must enforce robust monitoring and stay updated on AI security research to protect sensitive data accessed by AI systems. The discovery underscores the expanding impact of AI vulnerabilities, emphasizing the need for careful consideration of trust boundaries in AI deployments.
2026-01-15 15:05:01 theregister VULNERABILITIES AWS CodeBuild Flaw Exposed Global Cloud Environments to Supply Chain Risks
Wiz researchers discovered a critical misconfiguration in AWS's CodeBuild service, potentially allowing unauthorized access to AWS's GitHub repositories and risking global cloud environments. The flaw, dubbed "CodeBreach," involved missing characters in webhook filters, which could let untrusted pull requests trigger builds, posing a significant supply chain threat. AWS swiftly addressed the vulnerability in September, mitigating potential threats before any malicious exploitation occurred, ensuring no impact on customer environments. The vulnerability exploited a common CI/CD security blind spot, affecting not only AWS but also other cloud providers and tech companies using similar open-source supply chains. AWS conducted extensive audits of public build environments and logs to confirm no other actors exploited the unanchored regex issue, enhancing security measures across its infrastructure. The incident underscores the need for robust security practices in CI/CD pipelines to prevent unauthorized privilege escalation and potential supply chain attacks. This vulnerability highlights the ongoing challenges in securing open-source supply chains, emphasizing vigilance and proactive measures to protect cloud infrastructure.
2026-01-15 15:05:00 bleepingcomputer MISCELLANEOUS Tines Automates Just-In-Time Access to Enhance Security and Efficiency
Tines introduces a pre-built workflow to automate Just-In-Time (JIT) access, addressing the challenge of balancing speed with security in Identity and Access Management (IAM) systems. The workflow automates the lifecycle of JIT access requests, utilizing tools like Jira, Okta, and Slack to streamline approval and revocation processes. Users initiate access requests through a Tines Page, specifying application and duration, which triggers automated approval routing to managers or application owners. Upon approval, the system instantly provisions access via Okta, logging the process in Jira for compliance, and ensuring no manual intervention is needed. A crucial feature is the automatic revocation of access post-duration, enhancing security by preventing lingering accounts and privilege accumulation. This solution aids IT teams in managing capacity and scaling infrastructure effectively, reducing manual workload and enhancing operational reliability. Organizations can customize the workflow to align with specific security policies, including setting access duration limits and additional approval layers for sensitive applications.
2026-01-15 13:59:15 thehackernews VULNERABILITIES New Redis Vulnerability Allows Remote Code Execution Without Authentication
A critical vulnerability (CVE-2025-62507) in Redis could enable remote code execution via a stack buffer overflow, affecting thousands of servers worldwide. The flaw is tied to the Redis 8.2 XACKDEL command, which improperly handles user-supplied stream IDs, leading to potential security breaches. Redis's default configuration lacks authentication, allowing unauthenticated attackers to exploit the vulnerability by sending a single malicious command. JFrog discovered the issue and reported that 2,924 servers are currently exposed to this threat, necessitating immediate attention and patching. Redis has released a fix in version 8.3.2, urging users to update their systems to mitigate potential exploitation risks. Organizations should prioritize patching and consider implementing additional security measures, such as enabling authentication, to protect against unauthorized access. This incident serves as a reminder of the importance of regular updates and security audits to prevent exploitation of known vulnerabilities.
2026-01-15 13:34:44 theregister DATA BREACH FTC Restricts GM's Data Sharing Practices Over Privacy Concerns
The Federal Trade Commission has prohibited GM and OnStar from sharing precise driver data with consumer reporting agencies for five years under a new 20-year consent order. GM's Smart Driver program collected detailed telematics data, including location and driving behavior, which was sold to data brokers and insurance companies, impacting customer premiums. The FTC's order requires GM to obtain explicit consent from drivers before collecting or sharing their data and mandates a clear process for data access and deletion requests. GM discontinued the Smart Driver program in April 2024 following customer backlash and has since terminated third-party data-sharing agreements with LexisNexis and Verisk. The FTC's action serves as a cautionary measure for car manufacturers, emphasizing the need for transparency in data collection and sharing practices. GM has consolidated its privacy notices into a single document and claims the FTC order formalizes changes already implemented to enhance customer privacy. The settlement allows GM to share anonymized data for research and road safety projects and with emergency responders, reflecting a balance between privacy and operational needs.
2026-01-15 13:26:00 theregister DATA BREACH Investigation Ongoing in Walsall GP Surgery Data Breach Incident
West Midlands Police are investigating a data breach at Croft Surgery in Willenhall, involving a 29-year-old woman released on bail. The suspect, not directly employed by the surgery, is accused of theft related to the data breach. Croft Surgery is committed to contacting affected patients and ensuring the protection of personal data remains a priority. The nature of the breach and specific data affected have not been disclosed, but similar incidents have involved sensitive medical information. The investigation continues, with the suspect assisting police inquiries; further updates from West Midlands Police are anticipated. The incident highlights ongoing challenges in safeguarding patient data within healthcare facilities.
2026-01-15 12:00:44 thehackernews VULNERABILITIES AI Workflow Security Emerges as Critical Focus for Businesses
Recent incidents reveal vulnerabilities in AI workflows, with malicious Chrome extensions stealing data from over 900,000 users of ChatGPT and DeepSeek. Researchers demonstrated that prompt injections in code repositories could manipulate IBM's AI coding assistant, executing malware without altering the AI algorithms. These attacks exploit the operational context of AI systems, rather than the models themselves, indicating a shift in threat vectors. AI systems are increasingly integrated into business processes, automating tasks and connecting applications, which expands the potential attack surface. Traditional security measures, designed for deterministic software, struggle to address the dynamic nature of AI-driven workflows. Emerging SaaS security platforms, like Reco, offer real-time monitoring and anomaly detection, providing visibility and control over AI usage within organizations. Businesses are advised to focus on securing entire workflows, not just AI models, to mitigate risks associated with AI-driven operations.
2026-01-15 11:41:53 theregister CYBERCRIME Microsoft Targets RedVDS in Cross-Border Cybercrime Crackdown
Microsoft initiated legal actions in the US and UK to dismantle RedVDS, a platform facilitating global phishing and fraud operations. RedVDS offered cybercriminals access to virtual dedicated servers for $24 a month, enabling large-scale phishing and scams. The operation resulted in approximately $40 million in reported fraud losses in the US, impacting sectors like healthcare and real estate. Microsoft collaborated with Europol and German law enforcement to seize RedVDS domains and infrastructure, disrupting its operations. Victims include H2-Pharma, losing over $7.3 million, and Gatehouse Dock Condominium Association, defrauded of nearly $500,000. RedVDS enabled attacks on over 191,000 organizations globally, with millions of phishing messages sent daily to Microsoft customers. The platform is linked to Storm-2470, and efforts continue to identify individuals behind the scheme. Microsoft emphasizes the economic challenge posed by cybercrime services, which make fraud scalable and hard to trace.
2026-01-15 11:27:25 theregister DATA BREACH Ofcom Investigates X Over AI-Driven Non-Consensual Image Manipulation
Ofcom is investigating X, formerly Twitter, for AI misuse that generated non-consensual intimate images, raising compliance concerns with the Online Safety Act. X reported implementing technological measures to block Grok, an AI chatbot, from creating manipulated images, but Ofcom's investigation persists. The platform initially restricted Grok's capabilities for paid users, a move criticized by UK officials as inadequate, prompting further action. X now enforces a complete restriction on Grok's nudifying functions for all users, including paid subscribers, to align with legal standards. California's Attorney General has also initiated an investigation, citing widespread reports of AI-generated explicit content involving women and children. The incident underscores the critical need for robust AI governance and adherence to legal frameworks to ensure user safety on social media platforms. X's ongoing compliance efforts will be closely monitored by regulators to ensure comprehensive adherence to safety regulations and prevent future breaches.
2026-01-15 11:00:30 thehackernews MISCELLANEOUS Outdated SOC Practices in 2026 Impacting Incident Response Times
Many Security Operations Centers (SOCs) are hindered by outdated practices, affecting their Mean Time to Respond (MTTR) to emerging threats in 2026. Manual analysis of suspicious samples is causing alert fatigue and delayed prioritization, slowing down incident response in high-volume environments. Modern SOCs are adopting automation and cloud-based malware analysis to enhance efficiency, reducing MTTR by an average of 21 minutes per incident. Sole reliance on static scans and reputation checks leaves infrastructures vulnerable; dynamic behavioral analysis is now crucial for detecting advanced threats. Disconnected tools within SOCs create workflow gaps, increasing investigation time and reducing transparency; integrated systems are key to seamless operations. Over-escalation of alerts between Tier 1 and Tier 2 analysts is prevalent; empowering Tier 1 with conclusive insights reduces unnecessary escalations by 30%. Over 15,000 SOC teams globally have improved metrics by implementing solutions like ANY.RUN, enhancing performance and reducing response times significantly.
2026-01-15 10:02:09 bleepingcomputer DATA BREACH FTC Restricts GM's Sharing of Driver Data After Privacy Violations
The FTC has imposed a five-year ban on General Motors from selling drivers' location and behavior data, following unauthorized data collection through its OnStar service. GM's "Smart Driver" feature collected detailed geolocation and driving data every three seconds, affecting millions of vehicles across its brands like GMC, Cadillac, and Chevrolet. Data was sold to third parties, including consumer reporting agencies, impacting insurance rates and coverage decisions without drivers' consent. The FTC order mandates GM to obtain explicit consent before collecting or sharing data, with exceptions for emergency services, and to provide data access and deletion options to consumers. GM has committed to enhancing transparency and control over data collection, expanding its privacy program to offer more consumer choices nationwide. The case follows a similar lawsuit against Allstate and several automakers for unauthorized data collection, indicating a broader industry issue with consumer data privacy. The settlement reflects increasing regulatory scrutiny and the need for robust data privacy practices in the automotive industry.
2026-01-15 09:40:23 thehackernews CYBERCRIME Microsoft Disrupts RedVDS Cybercrime Service Causing Major Fraud Losses
Microsoft has taken legal action in the U.S. and U.K. to dismantle RedVDS, a cybercrime service linked to $40 million in fraud losses since March 2025. RedVDS offered criminals disposable virtual computers for $24 a month, enabling scalable and hard-to-trace fraudulent activities, including phishing and business email compromise. The service facilitated cybercrime by providing unlicensed Windows-based RDP servers, allowing threat actors to conduct financial fraud and impersonation scams across multiple sectors. RedVDS infrastructure was used globally, affecting over 191,000 organizations, with notable impacts in sectors such as legal, healthcare, and education. Microsoft's investigation revealed that the service's hosts were cloned from a single Windows Server 2022 image, allowing rapid deployment and scaling of criminal operations. Despite terms prohibiting illegal activities, RedVDS was exploited for phishing and credential theft, leveraging AI tools to enhance deception and target identification. The disruption of RedVDS is part of a broader effort to combat crimeware-as-a-service, which has professionalized cybercrime and lowered entry barriers for aspiring threat actors.
2026-01-15 09:34:52 theregister MISCELLANEOUS AWS Launches European Sovereign Cloud to Address Data Sovereignty Concerns
Amazon Web Services has introduced its European Sovereign Cloud, designed to meet EU data sovereignty requirements amid geopolitical tensions between Europe and the United States. The new cloud infrastructure is entirely located within the EU and is managed by EU residents, featuring strong technical controls and legal protections for sensitive data. AWS plans to expand Dedicated Local Zones in Belgium, the Netherlands, and Portugal, offering 90 services including compute, database, networking, and AI. Customers will maintain all metadata within the EU, supported by a new parent company and subsidiaries incorporated in Germany, ensuring compliance with European law. The introduction of this cloud aims to address European customers' concerns over US jurisdiction under laws like the CLOUD Act, which could compel data access. Competitors Microsoft and Google are also enhancing their sovereign cloud offerings to reassure European customers about data privacy and control. Analysts note that while US hyperscalers dominate the European cloud market, there is growing interest in local cloud providers due to geopolitical and legal challenges.