January was defined by the exploitation of authenticated access, a trend where attackers no longer try to break into the house, but instead trick users and AI agents into opening the door.
From the subversion of identity platforms like LinkedIn to the exploitation of “unpatched” legacy systems in the heart of Europe’s critical infrastructure, the message is clear that the perimeter is now invisible and trust is the new zero day.
1. Critical Infrastructure and Supply Chain
The European Space Agency (ESA) Breach
The confirmation of a 200GB data exfiltration from ESA collaborative engineering servers is a watershed moment for aerospace security. While core mission controls were segmented, the theft of JIRA data and Bitbucket repositories provides attackers with a forensic roadmap of European satellite infrastructure.
- The Technical Detail: Attackers bypassed legacy MFA (Multi-Factor Authentication) on a vendor accessible engineering portal, moving laterally into repositories containing Terraform scripts and Infrastructure as Code (IaC).
Ingram Micro & The Global Supply Chain Tax
With 42,000 individuals impacted by the ransomware attack on Ingram Micro, we see the continuing “Industrialisation of Ransomware”.
When a global distributor is hit, the disruption isn’t just internal, it causes a “cascading fail” across thousands of downstream resellers and partners.
Pwn2Own Automotive 2026: 66 Zero Days in 48 Hours
At the Pwn2Own Automotive event in Tokyo this month, researchers uncovered 66 unique zero day vulnerabilities in just two days, targeting EV chargers (ChargePoint, Autel) and infotainment systems.
- The Trend: The discovery of a triple bug chain against Automotive Grade Linux underscores the fragility of the “Software Defined Vehicle” (SDV) ecosystem. As transport becomes electrified and connected, the attack surface expands into the physical safety of our cities.
2. Identity is the New Perimeter
The LinkedIn Pivot: Professional Trust as an Attack Surface
This month, a sophisticated dual-stage campaign on LinkedIn that weaponises professional rapport to bypass traditional security awareness .
In this “long-con” approach, attackers move beyond bulk phishing, instead investing days in building credible relationships with high-value targets. By the time a malicious payload is delivered via direct message, the victim’s psychological guard is lowered, rendering standard email filters and perimeter defenses ineffective.
A recent case study highlights an AI-generated “Global Recruiter” who engaged engineers for four days before deploying an ISO-based Phantom Stealer disguised as a “Technical Assessment.”
Microsoft Flags Multi Stage AiTM Attacks
Microsoft has issued a high priority warning regarding a sophisticated Adversary in the Middle (AiTM) campaign targeting the energy sector. Attackers are abusing SharePoint file sharing to deliver phishing payloads that bypass MFA by stealing active session cookies.
Once an account is compromised, the attacker responds to emails from the victim’s colleagues to “confirm” the legitimacy of the phishing link, weaponising internal organisational trust.
The Coinbase Insider
The recent arrest of a Coinbase employee for selling customer data reinforces that insider risk remains the silent killer of modern enterprise. This incident highlights that technical controls like Data Loss Prevention (DLP) are insufficient if they operate in a vacuum, without the oversight required to correlate unusual access with external risk indicators.
Managing this risk requires moving beyond a “set and forget” security posture. At Secora Consulting, we address these systemic vulnerabilities through our Cybersecurity Maturity Assessments.
We evaluate your organisation’s ability to detect and respond to internal threats, ensuring your policies, behavioural analytics, and access controls are mature enough to identify a “trusted” actor who has turned malicious.
3. From Malware to Manipulation
Prompt Injection Flaws
The discovery of prompt injection flaws in Google Gemini and the rise of the “Re-Prompt” technique mark a new phase of AI risk.
Attackers don’t need code, they just need to convince an AI agent to ignore its safety protocols.
-
How Re Prompting Works: An attacker sends a long, complex query that exhausts the AI’s context window, causing it to forget its system instructions and follow the attacker’s hidden command.
-
The AI Resilience Gap: Only 17% of enterprises have adopted Agentic AI governance. January suggests that if you are querying internal docs with AI, you are potentially one prompt away from a data leak.
4. Tactical Evasion and the Fileless Threat
ClickFix & VVS Stealer: Subverting Native OS Trust
We are seeing a move toward Browser Based Exploitation tactics. The ClickFix campaign mimics a Windows problem report or Google support alert, directing users to copy and paste a PowerShell command.
- Why it works: The command looks like a system fix. Once pasted, it executes entirely in memory, evading traditional signature based antivirus.
- VVS Stealer: This malware specifically targets Discord tokens and browser session cookies, allowing attackers to bypass MFA by cloning the user’s active session.
Supply Chain Poisoning
The open source ecosystem remains a prime target. Researchers identified a malicious package , sympy-dev, impersonating the popular SymPy library. It was downloaded over 1,100 times before removal, deploying XMRig miners directly into Linux development environments.
5. January’s Critical Fixes
If you haven’t patched these by February, your environment is at high risk:
- Trend Micro Apex Central (RCE): A critical flaw allows takeover of the very console meant to protect your endpoints.
- Cisco AsyncOS (CVE-2025-20393 ): Cisco finally patched a CVSS 10.0 zero day in its email security appliances that was exploited by China linked actors (UAT 9686) since late 2025.
- Fortinet FortiGate (Auth Bypass): Despite December patches, new automated attacks are successfully exploiting the FortiCloud SSO path to steal firewall configurations and create “shadow” admin accounts.
- Cisco ISE: Critical flaws in identity services allow for full administrative takeover.
6. Your February Cybersecurity Priority List
January has proven that recovery is a fine, but resilience is an investment.
The SETU Waterford disclosure this month, revealing a €2.3 million recovery cost, is a stark reminder for Irish public and private sectors. To maintain stability, Secora Consulting recommends shifting to a resilience first model.
Priority 1: Supply Chain & Third Party Assurance
The ESA and Ingram Micro breaches prove that external vendors are your biggest vulnerability.
- The Irish/EU Context: Relying on a vendor’s internal policy is no longer sufficient. Under NIS2 and DORA, Irish organisations must now actively manage their ICT supply chain risk.
- Action: Move beyond static annual questionnaires. Implement Third Party Assurance Assessments to verify that your vendors adhere to strict European data protection and security standards.
Priority 2: Validating Identity Resilience
With session hijacking and VVS Stealer on the rise, simply having MFA is no longer the finish line. As shown by the recent Microsoft AiTM campaign, attackers are now routinely bypassing static controls to weaponise the internal trust of your authenticated sessions.
- The Gap: Most organisations have the tools to prevent a login, but lack the maturity to detect a hijacked session.
- Action: Conduct a Cybersecurity Maturity Assessment focused on Identity Threat Detection & Response (ITDR).
- The Strategic Outcome: We move your identity strategy from compliance to capability. Our assessment provides the documented evidence of testing and remediation that boards and regulators now require under the Identify & Prepare pillar of the CBI’s Operational Resilience guidance.
Priority 3: AI Governance & Guardrails
To address the emerging threat of Shadow AI, organisations must take proactive steps to prevent unvetted tools from creating permanent, unmonitored backdoors into their corporate environments. By establishing a formalised Approved Tool List for Large Language Models (LLMs), businesses can steer employees toward secure, enterprise grade platforms that offer data privacy and logging capabilities.
Furthermore, implementing semantic guardrails such as real-time input sanitisation and adversarial pattern matching is essential to prevent prompt injection attacks from manipulating AI agents into leaking sensitive internal datasets.
These measures ensure that AI innovation drives productivity without compromising your organisation’s data integrity or regulatory compliance.
From Reaction to Readiness
January 2026 has shown us that the “Perimeter” is gone. Security must now be woven into the fabric of your business, from how your employees use LinkedIn to how your developers prompt their AI assistants.
Secora Consulting provides the specialised expertise to validate these layers. Whether through Adversary Simulation to test your systems with real world attack scenarios or Maturity Assessments to measure and advance your cybersecurity posture, we turn these monthly threats into a strategic advantage for your business.
Ready to harden your February roadmap? Contact Secora Consulting today. ⬇️