Daily Brief

2026-02-10 11:40:46 thehackernews VULNERABILITIES ZAST.AI Secures $6M to Advance AI-Powered Vulnerability Detection
ZAST.AI has successfully raised $6 million in a Pre-A funding round led by Hillhouse Capital, bringing its total funding to nearly $10 million. The company focuses on eliminating false positives in security alerts by using AI to verify vulnerabilities with executable Proof-of-Concept (PoC) evidence. In 2025, ZAST.AI identified hundreds of zero-day vulnerabilities across popular open-source projects, leading to 119 CVE assignments. Affected projects include major components and frameworks such as Microsoft Azure SDK, Apache Struts XWork, and Alibaba Nacos, among others. The AI-driven platform supports both syntax-level and semantic-level vulnerability detection, enhancing its ability to identify complex business logic flaws. ZAST.AI's approach significantly reduces security operation costs and shortens vulnerability remediation cycles for its enterprise clients, including Fortune Global 500 companies. The new funding will be directed towards R&D, product expansion, and global market development, aiming to provide more precise and efficient code security solutions.
2026-02-10 11:16:59 theregister DATA BREACH Conduent Breach Exposes Personal Data of 17,000 Volvo Employees
Nearly 17,000 Volvo employees in the US had personal data exposed due to a breach at HR outsourcer Conduent, affecting benefits-related records. The breach, linked to the SafePay ransomware group, compromised Conduent systems from October 2024 to January 2025, exposing sensitive employee data. Conduent detected the intrusion in January 2025 and implemented system lockdowns, engaging forensic investigators to assess the damage. Volvo confirmed its employees' data exposure a year later, illustrating how long it can take to resolve vendor-related breaches. While Conduent has not confirmed misuse of the stolen data, affected individuals are being offered identity monitoring services as a precaution. The breach's impact is expanding, with regulators revising victim counts upward, potentially affecting tens of millions due to Conduent's extensive service network. This incident follows a similar third-party breach last year involving Volvo and Swedish software supplier Miljödata, indicating ongoing vendor risk challenges.
2026-02-10 10:30:54 thehackernews CYBERCRIME Warlock Ransomware Exploits SmarterMail Flaws in Targeted Attack
SmarterTools experienced a breach by the Warlock ransomware group, which exploited an unpatched SmarterMail server on January 29, 2026, affecting its network and hosted customers. The attack compromised approximately 12 Windows servers and a secondary data center, though critical business applications and account data remained secure. Warlock gained access by exploiting vulnerabilities CVE-2026-23760 and CVE-2026-24423, allowing authentication bypass and remote code execution. Attackers waited several days post-breach before taking control of the Active Directory server, creating new users and deploying Velociraptor and ransomware payloads. The U.S. CISA confirmed active exploitation of CVE-2026-24423 in ransomware attacks, prompting urgent patching advisories. Security experts recommend immediately updating to SmarterMail Build 9526 and isolating mail servers to prevent lateral movement and further ransomware deployment. The incident underscores the need for regular patch management and monitoring of all network assets to prevent unauthorized access and exploitation.
2026-02-10 10:04:04 theregister NATION STATE ACTIVITY UK MoD Invests $86M in AI Tech to Enhance Combat Efficiency
The UK Ministry of Defence has allocated $86 million to Project ASGARD, equipping troops with AI-capable communication systems to expedite battlefield decision-making. The Dismounted Data System (DDS) includes advanced radios, headsets, and display tablets, providing both voice and visual data to improve situational awareness. Project ASGARD's AI integration aims to reduce decision-making time from hours to minutes, enhancing operational effectiveness in combat scenarios. The technology was successfully trialed in Estonia, demonstrating improved clarity and reduced distractions for soldiers in active combat environments. The initiative aligns with NATO's broader strategy to incorporate AI and advanced technologies, learning from Ukraine's tech-driven military strategies against Russia. The DDS, alongside the DART 250 attack drone, extends the range of targeting enemy infrastructure, reflecting a shift towards long-range, precision engagements. The UK's defense strategy is evolving to become AI-native, addressing previous gaps in AI readiness and ensuring competitive military capabilities.
2026-02-10 08:23:28 thehackernews VULNERABILITIES Ivanti Zero-Day Exploit Compromises European Government Employee Data
Dutch authorities and the European Commission reported breaches exploiting Ivanti Endpoint Manager Mobile vulnerabilities, affecting employee contact data such as names and phone numbers. The breaches exploited zero-day vulnerabilities CVE-2026-1281 and CVE-2026-1340, with a CVSS score of 9.8, allowing unauthorized remote code execution. The European Commission contained the incident within nine hours, ensuring no mobile devices were compromised, and continues to monitor the situation closely. Finland's Valtori disclosed a breach impacting up to 50,000 government employees, revealing work-related details due to the same vulnerabilities. Ivanti released patches on January 29, 2026, addressing the vulnerabilities, but investigations revealed data management flaws that may have exposed historical user data. This incident underscores the critical need for timely patch management and robust data deletion practices to mitigate potential security risks.
2026-02-10 08:23:27 bleepingcomputer CYBERCRIME Fugitive Sentenced in $73M International Cryptocurrency Fraud Scheme
Daren Li, a dual Chinese and St. Kitts and Nevis national, received a 20-year prison sentence for orchestrating a $73 million cryptocurrency fraud, known as "pig butchering." The scheme involved using messaging apps and social media to gain victims' trust before defrauding them through fraudulent investment opportunities. Li's arrest occurred in April 2024 at Atlanta's Hartsfield-Jackson Airport, but he later fled after removing his ankle monitor, becoming a fugitive before sentencing. The scam was part of a larger international crime syndicate that laundered funds through a network of shell companies and cryptocurrency platforms. Investigators uncovered over $341 million in cryptocurrency linked to the fraud ring, highlighting the scale and complexity of the operation. Li is the first among eight co-conspirators to be sentenced, with additional suspects charged in a related $80 million scheme. The FBI's 2024 Internet Crime Report showed a significant rise in investment scams, with losses reaching $6.5 billion, indicating a growing threat landscape.
2026-02-10 04:44:02 thehackernews VULNERABILITIES Fortinet Releases Critical Patches for SQL Injection Vulnerability
Fortinet has issued patches for a critical SQL injection flaw in FortiClientEMS, identified as CVE-2026-21643, with a CVSS score of 9.1, allowing unauthorized code execution. The vulnerability stems from improper neutralization of special elements in SQL commands, potentially enabling attackers to execute commands via crafted HTTP requests. Discovered by Gwendal Guégniaud of Fortinet's Product Security team, the flaw has not yet been reported as exploited in the wild, but users are urged to apply the patches promptly. Fortinet also addressed another critical flaw in multiple products, including FortiOS and FortiManager, tracked as CVE-2026-24858, which has been actively exploited. The latter vulnerability allows attackers with FortiCloud accounts to access other devices, create admin accounts, alter configurations, and exfiltrate firewall data. Organizations are advised to prioritize these updates to mitigate potential unauthorized access and data breaches, ensuring network security and operational integrity. These developments stress the importance of maintaining up-to-date systems to protect against emerging threats and vulnerabilities.
2026-02-09 22:50:22 bleepingcomputer NATION STATE ACTIVITY Chinese Cyberspies Target Major Singapore Telecom Providers in Coordinated Attack
Chinese threat group UNC3886 breached Singapore's top four telecoms, including Singtel and StarHub, using a strategic and targeted campaign, as revealed in July 2025. Attackers gained limited access to critical systems but did not disrupt services or access sensitive customer data, according to Singapore's Cyber Security Agency (CSA). The breach involved a zero-day exploit to bypass telecom perimeter firewalls and steal technical data, with rootkits used for stealth and persistence. In response, Singapore launched 'Operation Cyber Guardian,' engaging over a hundred investigators from six government agencies to contain the threat and secure networks. Authorities expanded monitoring to other critical sectors, preventing potential pivoting to banking, transport, and healthcare organizations. The incident underscores the ongoing threat posed by state-sponsored cyber activities, with UNC3886 previously linked to breaches in the U.S. and Canada. Mandiant researchers have tracked UNC3886 since 2023, noting its exploitation of zero-day vulnerabilities in FortiGate, VMware ESXi, and vCenter Server products.
2026-02-09 21:59:51 theregister VULNERABILITIES SolarWinds WHD Exploited to Steal High-Privilege Credentials
Microsoft researchers identified attacks on SolarWinds Web Help Desk (WHD) instances in December 2025, exploiting vulnerabilities to steal high-privilege credentials and move laterally within IT environments. The specific vulnerability used remains unidentified, though recent and past CVEs, including CVE-2025-40551 and CVE-2025-26399, are under scrutiny for potential involvement. Attackers utilized PowerShell and the Background Intelligent Transfer Service (BITS) for payload download and execution, a tactic known as "living off the land" to evade detection. Compromised systems showed unauthorized installation of Zoho ManageEngine, enabling long-term remote control and access to sensitive domain users and groups. Microsoft Defender detected attackers creating scheduled tasks to run virtual machines, concealing malicious activities and maintaining persistence through reverse SSH and RDP access. Organizations are urged to apply WHD patches, restrict public access to admin paths, and remove unauthorized RMM tools to mitigate further risks. Security teams should rotate credentials, particularly service and admin accounts linked to WHD, and isolate compromised hosts to prevent further breaches.
2026-02-09 20:30:13 bleepingcomputer VULNERABILITIES Exploitation of SolarWinds WHD Flaws for Malicious Tool Deployment
Threat actors exploited vulnerabilities in SolarWinds Web Help Desk to deploy tools like Zoho ManageEngine and Velociraptor for malicious purposes, targeting at least three organizations. The attack leveraged CVE-2025-40551 and CVE-2025-26399, both rated critical, enabling remote code execution without authentication on affected systems. Attackers utilized Cloudflare tunnels for persistence and Velociraptor for command and control, exploiting its outdated version for privilege escalation. Zoho ManageEngine was installed for direct access and Active Directory reconnaissance, with compromised hosts registered to an anonymous Proton Mail account. Researchers observed the disabling of Windows Defender and Firewall to facilitate additional payload downloads, indicating sophisticated attack planning. Mitigation steps include upgrading SolarWinds WHD to version 2026.1, restricting internet access to admin interfaces, and resetting associated credentials. Huntress Security provided Sigma rules and indicators of compromise to aid in detecting related malicious activities, enhancing defensive measures. No specific threat groups were identified, but the attacks targeted high-value environments, underscoring the need for robust security practices.
2026-02-09 19:12:29 bleepingcomputer VULNERABILITIES Warlock Ransomware Exploits SmarterMail Flaw, Breach Contained
SmarterTools confirmed a breach by the Warlock ransomware gang via a SmarterMail vulnerability, affecting internal systems but sparing customer data and business applications. The breach originated from an unpatched SmarterMail virtual machine, leading to lateral movement across 12 Windows servers and a secondary data center. The exploited vulnerability, CVE-2026-23760, allowed attackers to bypass authentication and reset administrator passwords, granting full privileges. Attackers utilized Windows-centric tools and persistence methods, including Velociraptor and SimpleHelp, to maintain access and prepare for ransomware deployment. SentinelOne security products successfully prevented the final encryption stage, with systems isolated and data restored from backups. ReliaQuest linked the Warlock gang to the Chinese nation-state actor Storm-2603, noting the strategic use of vulnerabilities to blend in with legitimate activity. Administrators are urged to upgrade SmarterMail to Build 9511 or later to mitigate risks from recent vulnerabilities, including CVE-2026-24423.
2026-02-09 17:26:18 theregister VULNERABILITIES Over 135,000 OpenClaw Instances Exposed Due to Default Settings
SecurityScorecard's STRIKE team identified over 135,000 OpenClaw instances exposed to the internet, raising significant security concerns due to default network settings. OpenClaw, an open-source AI platform, is plagued by vulnerabilities, including three high-risk CVEs and exposure to remote code execution exploits. The number of systems linked to previous breaches surged from 549 to over 53,000, indicating a rapid increase in potential security incidents. STRIKE advises users to change default network settings from `0.0.0.0:18789` to `127.0.0.1` to limit exposure to public networks. Jeremy Turner of SecurityScorecard warns that OpenClaw’s design inherently exposes systems, necessitating careful integration and testing in controlled environments. Many exposed instances originate from organizational IPs, posing risks beyond individual users and potentially affecting enterprise security. Users are cautioned against deploying OpenClaw without thorough risk assessment, given its potential to access sensitive data and system resources.
2026-02-09 17:02:50 thehackernews NATION STATE ACTIVITY China-Linked UNC3886 Targets Singapore's Telecom Sector in Espionage Campaign
Singapore's Cyber Security Agency reported UNC3886, a China-linked group, targeted all four major telecom operators, including M1, SIMBA Telecom, Singtel, and StarHub. The campaign was described as deliberate and sophisticated, involving the exploitation of edge devices and virtualization technologies for initial access. UNC3886 used advanced tactics, including a zero-day exploit, to bypass firewalls and extract technical data, while deploying rootkits for persistent access. Despite unauthorized access to critical network segments, the attacks did not disrupt services or compromise customer data. In response, Singapore's CSA launched "CYBER GUARDIAN" to counteract the threat, closing access points and enhancing monitoring within affected networks. The incident underscores the ongoing risk of state-sponsored cyber espionage targeting critical infrastructure sectors globally.
2026-02-09 15:13:24 bleepingcomputer VULNERABILITIES Targeted Wordlist Attacks Exploit Contextual Password Weaknesses
Attackers are leveraging tools like CeWL to generate targeted wordlists from an organization’s public-facing language, increasing the success rate of password guessing attacks. CeWL, included in penetration testing distributions like Kali Linux, extracts terminology from websites, enabling attackers to create realistic password candidates. Passwords derived from organizational language often meet complexity standards but remain vulnerable due to predictable patterns and contextual relevance. Attackers use tools like Hashcat to apply mutation rules to these wordlists, efficiently testing millions of password candidates against compromised data. Defensive strategies should focus on preventing passwords based on organization-specific language and known-compromised credentials to mitigate targeted wordlist attacks. Implementing multi-factor authentication (MFA) can significantly reduce the impact of credential exposure by ensuring passwords aren’t the sole authentication factor. Organizations are encouraged to treat passwords as active security controls, aligning policies with real-world attack methods to enhance resilience against password attacks.
2026-02-09 14:53:29 theregister DATA BREACH Ivanti Zero-Day Exploits Lead to Dutch Data Protection Breach
The Dutch Data Protection Authority and the Council for the Judiciary experienced a data breach due to Ivanti Endpoint Manager Mobile vulnerabilities exploited as zero-days. Personal data, including names, business emails, and phone numbers of employees, were potentially accessed on January 29, affecting both organizations. Dutch justice officials confirmed the breach in a letter to parliament, noting that all affected individuals have been directly informed. Investigations are ongoing, with the Dutch cybersecurity agency monitoring Ivanti vulnerabilities and collaborating with partners to assess further threats. The U.S. CISA has added CVE-2026-1281 to its Known Exploited Vulnerability list, indicating active exploitation of this high-severity flaw. The UK's NHS and cybersecurity experts warn that EPMM devices, being internet-facing, are attractive targets for attackers, stressing the importance of immediate response actions. Ivanti has issued patches, but experts advise organizations to assume compromise if vulnerable systems were exposed and to initiate incident response measures.