Daily Brief

Researchers at Varonis identified a vulnerability in Microsoft Copilot, termed "Reprompt," allowing attackers to hijack user sessions and exfiltrate data through malicious URLs. The attack leverages the 'q' parameter in URLs to inject commands, bypassing Copilot's protections and maintaining access even after the session is closed. Reprompt does not require additional plugins, making it a low-effort yet effective method for data exfiltration once the victim clicks a phishing link. The vulnerability affected only Copilot Personal, not Microsoft 365 Copilot, which benefits from enhanced security measures like Purview auditing and DLP. Microsoft addressed the issue in the January 2026 Patch Tuesday update, following responsible disclosure by Varonis in August of the previous year. No exploitation of the Reprompt method has been detected in the wild, but immediate application of the latest Windows security update is advised. This incident underscores the importance of continuous monitoring and timely patching to safeguard against evolving threats in AI-integrated applications.

AZ Monica hospitals in Antwerp and Deurne experienced a cyberattack, forcing them to shut down servers and transfer critical patients to other facilities. The attack led to the cancellation of 70 surgeries and the temporary suspension of Mobile Urgency Group and Paraprofessional Intervention Team services. Seven critically ill patients were moved to nearby hospitals with Red Cross assistance to ensure continuous care. Emergency departments are operating at reduced capacity, prompting advisories for patients to seek alternative medical services. The hospital network is actively monitoring the situation, prioritizing patient safety and care continuity while awaiting further clarity. Disruptions are anticipated to continue, affecting hospital operations and patient registration times. The incident underscores the vulnerability of healthcare infrastructure to cyber threats, emphasizing the need for robust cybersecurity measures.

Eurail experienced a data breach affecting customers, including those using the DiscoverEU program, potentially compromising passports, bank details, and health information. The breach was publicly acknowledged on January 10, with affected customers notified starting January 13, though the exact number of impacted individuals remains undisclosed. The European Commission noted that DiscoverEU travelers might have additional sensitive data exposed, including ID photocopies and bank account references. There is no current evidence of data misuse or public disclosure, but potential risks include phishing, spoofing, unauthorized access, and identity theft. Eurail has secured affected systems, closed the vulnerability, reset credentials, and enhanced security measures post-breach. The breach has been reported to the Dutch data protection authority in compliance with GDPR requirements. Affected customers are advised to change passwords across all accounts and remain vigilant against potential scams leveraging the stolen data.

The UK government has reversed its decision to mandate digital IDs for right-to-work verification, raising questions about the program's financial viability and overall purpose. Originally set for mandatory implementation by 2029, digital IDs will now focus on enhancing access to public services rather than immigration control. Transport Secretary Heidi Alexander confirmed plans for mandatory digital right-to-work checks, despite the broader digital ID scheme being scaled back. Critics, including Big Brother Watch, argue the £1.8 billion initiative is intrusive, expensive, and poses significant cybersecurity and privacy risks. The Government Digital Service, under the Department for Science, Innovation and Technology, will oversee technical delivery, but funding details remain unclear. Concerns persist about the ability of financially constrained departments to justify their contributions to the digital ID system. The government plans a public consultation to clarify the digital ID scheme's details, aiming to enhance public service efficiency and inclusivity. The initiative is part of broader efforts to streamline digital access to government services, including the development of the UK One Login system.

Pax8 inadvertently sent a spreadsheet containing internal business data to fewer than 40 UK-based partners, affecting 1,800 MSP partners primarily in the UK, with one in Canada. The exposed CSV file included customer organization names, Microsoft SKUs, license counts, and renewal dates, totaling over 56,000 entries. Pax8 confirmed the spreadsheet did not contain personally identifiable information but did include sensitive business data like MSP pricing and Microsoft program details. Immediate response actions included recalling the email, requesting deletion from recipients, and conducting follow-up calls to ensure compliance. An internal review has been initiated by Pax8 to understand the cause of the incident and implement measures to prevent future occurrences. Threat actors are reportedly attempting to purchase the leaked dataset, which could be exploited for competitive targeting or cybercriminal activities such as phishing or extortion. The incident underscores the importance of stringent data handling protocols and the potential risks associated with internal data mismanagement.

Fortinet has released updates addressing a critical OS injection vulnerability, CVE-2025-64155, in FortiSIEM, rated 9.4 on the CVSS scale, potentially allowing unauthenticated remote code execution. The flaw impacts Super and Worker nodes, exploiting FortiSIEM’s phMonitor service, which manages communication and task distribution via TCP port 7900. Attackers could leverage this vulnerability to execute arbitrary code by injecting arguments through crafted TCP requests, leading to potential system takeover. The vulnerability allows privilege escalation from admin to root by writing a reverse shell to a file executed with root permissions, granting full system access. Fortinet advises users to update to the latest software versions and restrict network access to port 7900 as a temporary mitigation measure. Security researcher Zach Hanley discovered the flaw, emphasizing the need for organizations to promptly apply patches to prevent exploitation. Fortinet also addressed another critical flaw in FortiFone, CVE-2025-47855, which could expose device configurations through crafted HTTP(S) requests. These vulnerabilities highlight the importance of timely updates and network security measures to protect against unauthorized access and potential breaches.

The Victorian Department of Education reported unauthorized access to a database containing personal information of current and former students, affecting email addresses and encrypted passwords. Sensitive data such as birth dates and home addresses were not compromised, limiting potential exposure risks. As a precaution, the department reset all student passwords, temporarily blocking access to school accounts until new credentials are distributed. Priority was given to issuing new passwords to VCE students, with other students receiving updates at the start of the school year. The breach impacts a system serving approximately 650,000 students across over 1,500 schools, though the exact number affected remains undisclosed. Authorities have yet to find evidence of the data being publicly released or shared, and no ransom demand has been reported. The department has removed the attack vector responsible for the breach and is committed to ongoing updates and enhanced security measures.

Recent research reveals 64% of third-party applications access sensitive data without valid justification, up from 51% the previous year, highlighting a significant security governance gap. A study of 4,700 websites shows that third-party tools like analytics and marketing pixels are expanding attack surfaces, risking massive data breaches through unauthorized data access. The entertainment and online retail sectors are particularly vulnerable, with marketing pressures often leading to security oversight lapses, exacerbating the risk of unjustified data access. Survey findings indicate that 58% of organizations lack dedicated defenses against third-party risks, relying instead on general security tools, leaving them exposed to potential breaches. Budget constraints and manpower shortages are primary obstacles for government and education sectors, contributing to increased breaches, while private sectors stabilize through better governance. Marketing departments are responsible for 43% of third-party risk exposure, often deploying tools without IT oversight, leading to significant vulnerabilities in payment and credential environments. The Facebook Pixel, with its widespread use, represents a systemic risk due to unmanaged permissions, potentially leading to breaches far larger than the 2024 Polyfill.io incident. Effective governance and context-aware deployment are crucial, with successful organizations maintaining fewer third-party apps and achieving better security outcomes through strategic oversight.

Endesa, Spain's largest electricity utility, reported a data breach potentially affecting over 20 million individuals, with claims of a 1.05 TB data theft. The breach involved unauthorized access to a commercial platform managing customer information, leading to possible exposure of personal and contract-related data. Compromised data may include identifying details, national identity numbers, and some bank account numbers, though passwords were reportedly not accessed. Endesa activated incident response procedures and notified affected customers, complying with GDPR by reporting to Spain's data protection authority. The cybercriminal, identified as "Spain," claimed responsibility, but the accuracy of the data theft scale remains unconfirmed by Endesa. Customers are advised to remain vigilant against phishing attempts and suspicious communications as the investigation continues. The breach's full impact will depend on ongoing forensic analysis and further disclosures from Endesa.

Microsoft released its first 2026 security update, addressing 114 vulnerabilities, including one actively exploited flaw in the Desktop Window Manager. The update includes eight Critical and 106 Important vulnerabilities, with privilege escalation and information disclosure among the most prevalent issues. A significant information disclosure flaw, CVE-2026-20805, has been exploited in the wild, impacting the Desktop Window Manager's handling of user-mode memory. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has mandated federal agencies to apply these updates by February 3, 2026, to mitigate risks. Microsoft also addressed vulnerabilities in Edge and Secure Boot, urging users to update certificates before their expiration in June 2026. The patch removes vulnerable Agere Soft Modem drivers, which were susceptible to privilege escalation, enhancing system security. Organizations are advised to prioritize patching to maintain security boundaries and prevent potential exploitation of these vulnerabilities.

Monroe University experienced a significant data breach in December 2024, compromising personal, financial, and health data of over 320,000 individuals. The breach involved unauthorized access to the university's network for two weeks, from December 9 to December 23, 2024. Stolen data included names, Social Security numbers, medical and financial information, and student data, varying by individual. The university began notifying affected individuals in January 2025, advising them to monitor credit reports for fraud indicators. Affected parties are offered one year of free credit monitoring services through Cyberscout to mitigate potential identity theft risks. This incident is part of a broader trend of cyberattacks targeting U.S. universities, with several institutions reporting similar breaches recently. Previous attacks on Monroe University, including a ransomware demand of $2 million, indicate a persistent threat landscape for educational institutions.

Node.js has issued updates to address a critical vulnerability affecting nearly all production Node.js applications, potentially leading to denial-of-service conditions if exploited. The flaw originates from a stack overflow issue linked to the async_hooks module, causing Node.js to exit unexpectedly without handling exceptions. Affected frameworks and tools include React Server Components, Next.js, Datadog, New Relic, Dynatrace, Elastic APM, and OpenTelemetry due to their reliance on AsyncLocalStorage. The vulnerability impacts Node.js versions from 8.x to 18.x, with older versions unpatched as they have reached end-of-life status. The fix involves detecting stack overflow errors and returning them to user code, enhancing error handling and service reliability. This vulnerability is tracked as CVE-2025-59466 with a CVSS score of 7.5, highlighting its significant impact on the Node.js ecosystem. Users and server hosting providers are urged to update immediately, while library and framework maintainers should bolster defenses against stack space exhaustion. Node.js also addressed three other high-severity vulnerabilities, including those leading to data leakage, file access via symlink paths, and remote denial-of-service attacks.

Anthropic has partnered with the Python Software Foundation (PSF), contributing $1.5 million to bolster security within the Python ecosystem, particularly focusing on CPython and the Python Package Index (PyPI). This funding aims to advance the PSF's security roadmap, protecting millions of PyPI users from potential supply-chain attacks and supporting the foundation's core work. The initiative is expected to have broader implications, potentially improving security across various open source ecosystems beyond Python. Anthropic's investment aligns with its interests, as the company uses Python for its SDK and the PyTorch deep learning framework, underscoring the importance of a secure Python environment. The collaboration reflects Anthropic's commitment to supporting the open-source community while enhancing the security of critical software development tools. This development coincides with Anthropic's expansion of its Labs, focusing on incubating experimental AI products and scaling them to meet enterprise demands. The strategic investment and expansion efforts highlight the increasing importance of security and innovation in the rapidly evolving AI and software development landscapes.

CERT-UA reported cyber attacks on Ukrainian defense forces using PLUGGYAPE malware, attributed to the Russian group Void Blizzard, active since April 2024. Attackers exploit Signal and WhatsApp, posing as charities to trick targets into downloading malicious archives, leading to PLUGGYAPE deployment. The malware, written in Python, uses WebSocket and MQTT for remote code execution, enhancing operational security and resilience. Command-and-control servers are dynamically updated using external paste services, allowing attackers to evade detection and maintain infrastructure. Attackers use legitimate Ukrainian mobile operator accounts and language skills to convincingly engage targets, highlighting sophisticated social engineering tactics. Additional campaigns involve phishing emails with VHD files and ZIP archives, deploying various malware tools like FILEMESS and LaZagne against Ukrainian entities. The incidents underscore the persistent cyber threat landscape faced by Ukraine, emphasizing the need for robust defense strategies and awareness.

Microsoft has addressed CVE-2026-20805, a medium-severity Windows vulnerability allowing memory address leakage, which is already under attack according to CISA and Microsoft. This vulnerability could be exploited to bypass Address Space Layout Randomization (ASLR), potentially leading to arbitrary code execution if combined with other exploits. The U.S. Cybersecurity and Infrastructure Security Agency mandates federal agencies to patch CVE-2026-20805 by February 3, emphasizing the significant risk to federal systems. Microsoft's first Patch Tuesday of 2026 included a substantial release of 112 CVEs, with two other vulnerabilities publicly known at the time of the update. CVE-2026-21265, a secure boot certificate expiration issue, could lead to loss of security updates if not addressed, posing operational challenges for administrators. CVE-2023-31096, an elevation of privilege flaw in Agere Modem drivers, has been resolved with the removal of the affected drivers in the latest update. Experts stress the importance of rapid patching due to limited proactive threat-hunting capabilities, as Microsoft has not disclosed all components involved in potential exploit chains.