Cyber security aggregate rss news

Cyber security aggregator - feeds history

image for Threat Hunting in 20 ...

 Cyber News

Threat hunting is no longer a reactive activity that chases signals after the damage has been done. The role of the threat hunter is changing as attackers become more persistent and repurpose tried-and-true methods. Proactive threat hunting is not only possible but necessary for contemporary security systems, according to Saeed Abbasi from Qualys. Effective threat hunting in 2026 will be based on knowing how attackers act, how they repurpose techniques, and how their actions leave long-lasting evidence inside environments, rather than on searching for the unknown.

Proactive Hunting Is About Patterns, Not Surprises

It's a prevalent misperception that proactive threat hunting involves recognizing previously unseen threats. In practice, attackers rarely innovate that way. They repeat themselves. Once a vulnerability is discovered, whether in a product or an advanced technology, attackers repeatedly take advantage of that entire category of software until it becomes a liability for the whole industry.

Proactive threat hunting improves when teams concentrate on adversary-centric context rather than generic risk ratings. Better prioritization leads to better hunting. This involves looking at attacker telemetry and posing useful queries: Has the threat been weaponized? Does it have anything to do with ransomware? How frequently has it been observed in the wild? Is there any activity or conversation about it on the dark web? Is this a target that keeps recurring? By concentrating on how attackers truly operate, threat hunters can prevent exploitation cycles rather than only respond to them.

Automation and AI Change the Role of the Threat Hunter

Threat hunting now requires automation. The scope and velocity of contemporary threats render manual analysis insufficient on its own. AI is essential because it handles the high-volume, high-speed tasks that humans cannot complete. The modern threat hunting process is powered by AI agents, which sort through a large number of possible risks and automatically identify and flag those that are genuinely catastrophic. Crucially, people are not removed from the process; rather, automation keeps them informed.

Human threat hunters can concentrate on higher-level thinking, such as understanding systemic risk, developing long-term strategy, and determining how to respond, while AI takes care of the time-sensitive and routine tasks. Put simply, AI locates the needle in the haystack, and humans make decisions about the needle, the haystack, and the farm as a whole. In the future, threat hunting will be neither entirely automated nor entirely manual. Each will have a specific and essential role in the collaboration.

Hunting for What Comes After the Attack

Another crucial development in threat hunting is the emphasis on identifying past adversary presence. Attackers don't always stay. An adversary may exploit a weakness, accomplish their goal (such as deploying an infostealer), and then leave. That does not mean the threat has passed. The concept of Marathon CVEs, vulnerabilities like Log4Shell that are never completely fixed, is based on this reality. Attackers' artifacts and exploitation attempts persist even after patches are applied.

Because of this, assuming breach is a fundamental component of contemporary threat hunting. Detection strategies must be founded on identifying post-exploitation behaviour, such as web shells, backdoors, credential modifications, and other signs that persist long after the initial intrusion. Finding these long-burn hazards requires ongoing cleanup efforts; it is a continuous security function integrated into regular business processes. Organizations that treat it as such are better positioned to lower long-term risk, even as attackers come and go.

Looking Ahead

The goal of threat hunting is becoming clearer as 2026 approaches. Thinking more deeply is now more important than responding more quickly. Organizations can develop a more robust and practical defence posture by concentrating on attacker behaviour, embracing automation without sacrificing human judgment, and persistently searching for lingering threats. Proactive threat hunting is the cornerstone of this approach, not merely an enhancement.

image for How to Remove Saved  ...

 Cyber News

It usually starts with a small convenience. You log into a site once, Chrome offers to remember the password, and you click “Save” without thinking twice. Weeks turn into months, devices multiply, and before you know it, your browser knows more about your digital life than you do. This is exactly how many users end up relying on Chrome’s built-in tools without ever learning how to delete passwords from Chrome when it actually matters.

That quiet accumulation of saved credentials feels harmless until you consider what’s actually at stake. Losing a device, sharing a computer, or falling victim to a remote attack can instantly turn convenience into exposure. Managing and deleting saved passwords isn’t busywork; it’s basic digital hygiene, especially if you want to delete saved passwords in Chrome before they become a liability.

This article walks through how to remove passwords from Google Chrome, explains how to clear saved passwords in Chrome across devices, and outlines why browser-based password storage is risky, along with safer alternatives that make sense in real-world use.

Why Browser-Saved Passwords Are a Security Risk

Most modern browsers, including Chrome, Firefox, Edge, Safari, and Opera, offer built-in password managers. Chrome’s implementation, known as Google Password Manager, is deeply integrated into Chrome, Android, and Google accounts. It autofills credentials, suggests strong passwords, syncs logins across devices, and even flags compromised passwords after known data breaches.

All of that sounds reassuring, but there’s a trade-off. If someone gains physical access to your unlocked device, or remote access through a man-in-the-middle or evil twin attack, they may also gain access to every stored login. That risk escalates quickly if banking, email, or work-related credentials are saved. Even without theft or hacking, saved passwords make casual snooping far too easy, which is why knowing how to remove saved passwords from Chrome is more than just a cleanup task.

The problem isn’t that password managers are bad. It’s that browser-based password storage ties your credentials too closely to the device and session itself, making it harder to fully control or audit access unless you deliberately erase saved passwords in Chrome.

How to Delete Saved Passwords in Google Chrome

Chrome remains the most widely used browser, which makes it a natural starting point when you want to delete autofill passwords in Chrome or remove stored login data selectively.

Deleting Individual Passwords on Desktop

1. Open Google Chrome.
2. Click the three-dot menu in the top-right corner.
3. Select Settings.
4. Navigate to Autofill and passwords, then open Google Password Manager. You’ll see a list of saved sites, usernames, and masked passwords.
5. Click a specific website and select Delete to remove stored passwords from Chrome one at a time.

Deleting Multiple Passwords

Chrome allows bulk deletion by selecting multiple entries:

1. Check the boxes next to the passwords you want to remove.
2. Click Delete at the top of the list.
3. Confirm when prompted.

This approach is useful when you want to remove Chrome password manager data without wiping everything.

Deleting All Passwords at Once

There’s no single “Delete All Passwords” button, but you can still clear saved passwords in Chrome completely:

1. Go to Settings > Privacy and security.
2. Select Clear browsing data.
3. Open the Advanced tab.
4. Set the time range to All Time.
5. Check Passwords and passkeys.
6. Click Clear data.

If Chrome sync is enabled, these steps will delete saved passwords in Chrome across all synced devices.

Chrome Password Deletion on Mobile

Android

1. Open the Chrome app.
2. Tap the three-dot menu.
3. Go to Settings > Password Manager.
4. Tap a saved password and select Delete.

To remove all saved passwords:

1. Tap Clear browsing data.
2. Set the time range to All Time.
3. Select Saved Passwords.
4. Tap Clear data.

iOS

1. Open Chrome.
2. Tap the three-dot icon at the bottom right.
3. Open Password Manager.
4. Tap Edit, select sites, then Delete.

Bulk deletion follows the same Clear Browsing Data path under Privacy and Security, allowing you to remove passwords from Google Chrome on iOS as well.

Turning Off Password Saving in Chrome

If you want to turn off and delete passwords in Chrome permanently so the browser stops prompting, follow these steps:

Desktop: Settings > Autofill and passwords > Google Password Manager > Settings. Toggle Offer to save passwords and Sign in automatically off.

Android and iOS: Open Password Manager, tap Settings, and turn Offer to save passwords off.

Removing Saved Passwords in Other Browsers

Mozilla Firefox

On mobile:

1. Open Firefox.
2. Tap the three horizontal lines.
3. Select Passwords.
4. Choose entries and tap Delete.

To disable password saving:

1. Go to Settings > Privacy and Security.
2. Uncheck Ask to save logins and passwords for websites.

Safari (macOS and iOS)

On Mac:

1. Open Safari > Preferences > Passwords.
2. Select passwords and click Remove or Remove All.

On iOS:

1. Open the Settings app.
2. Tap Passwords.
3. Swipe left on entries to delete, or use Edit to remove all.

Disable password saving by turning off AutoFill Passwords.

Opera

On desktop:

1. Open Opera > Settings > Advanced.
2. Under Autofill, select Passwords.
3. Remove entries via the three-dot menu.

On iOS:

1. Use the system Passwords menu in Settings.
2. Swipe to delete entries.
3. Disable AutoFill Passwords to stop future saves.

What to Use Instead of Browser Password Storage

Strong password practices demand length, complexity, and uniqueness, rules that make human memory an unreliable storage medium. This is where dedicated password managers earn their place. Tools like 1Password, LastPass, Dashlane, Keeper, and Apple Keychain are built specifically for credential security, not browser convenience.

Deleting saved passwords from your browser isn’t about rejecting convenience; it’s about choosing where convenience makes sense. Browsers are optimized for speed and accessibility, not long-term credential protection. Once you understand how easily stored logins can become liabilities, learning how to delete passwords from Chrome feels less like a chore and more like reclaiming control.

If you rely on Chrome or any modern browser daily, knowing how to delete stored passwords in Chrome, disable autofill, and pair those actions with a proper password manager and multi-factor authentication is a practical step toward a safer digital life.

image for The Year Ransomware  ...

 Cyber News

Cyble’s Annual Threat Landscape Report for 2025 documents a cybercrime environment that remained volatile even as international law enforcement agencies escalated disruption efforts. Large-scale takedowns, arrests, and infrastructure seizures failed to slow adversaries for long. Instead, cybercriminal ecosystems fractured, reorganized, and re-emerged across decentralized platforms, encrypted messaging channels, and invitation-only forums. The ransomware landscape, in particular, demonstrated a capacity for rapid regeneration that outpaced enforcement pressure.

According to Cyble’s report, ransomware was the most destabilizing threat category throughout 2025. Attacks expanded across government, healthcare, energy, financial services, and supply-chain-dependent industries. Many groups moved away from encryption-centric campaigns toward extortion-only operations, relying on data theft, public exposure, and reputational damage to extract payment. This shift reduced operational friction and shortened attack cycles, making traditional detection and containment models less effective.

Artificial intelligence further reshaped attacker operations. Cyble observed AI-assisted automation being embedded into multiple stages of the kill chain. Negotiation workflows were partially automated. Malware became more polymorphic. Intrusion paths were adapted in real time as defenses responded. These developments increased attack velocity while compressing dwell time, forcing defenders to operate with narrower margins for response.

Measured Threat Activity Across Underground Ecosystems

CRIL tracked 9,817 confirmed cyber threat incidents across forums, marketplaces, and leak sites during 2025. These incidents impacted organizations spanning critical infrastructure, government agencies, and law enforcement entities.

Figure: Sectors and regions targeted by threat actors in 2025 (Source: Cyble)

The breakdown of activity was heavily skewed toward monetized data exposure. 6,979 incidents involved breached datasets or compromised information advertised for sale. Another 2,059 incidents centered on the sale of unauthorized access, including credentials, VPN entry points, and administrative footholds. Government, law enforcement agencies (LEA), BFSI, IT & ITES, healthcare, education, telecommunications, and retail remained among the most consistently targeted sectors.

Geographic analysis showed a clear concentration of activity in Asia, where 2,650 incidents affected organizations through breaches, leaks, or access sales. North America followed with 1,823 incidents, while Europe and the United Kingdom recorded 1,779 incidents. At the country level, the United States, India, Indonesia, France, and Spain experienced the highest volume of targeting during the year.

Ransomware Growth and Structural Expansion

Cyble’s Annual Threat Landscape Report quantifies the scale of ransomware’s expansion over time. From 2020 to 2025, ransomware incidents increased by 355%, rising from roughly 1,400 attacks to nearly 6,500. While 2023 marked the largest year-over-year surge, 2025 produced the second-largest spike, with 47% more attacks than observed across the prior two years combined.

The ransomware landscape also broadened structurally. CRIL identified 57 new ransomware groups and 27 new extortion-focused groups emerging in 2025 alone. More than 350 new ransomware strains surfaced during the year, many derived from established codebases such as MedusaLocker, Chaos, and Makop. Rather than consolidating, the ecosystem continued to fragment, complicating attribution and enforcement.

Affiliate Mobility and Repeat Victimization

One of the most consequential trends documented in the Annual Threat Landscape Report was the recurrence of victim targeting. CRIL observed 62 organizations listed by multiple ransomware groups within the same year, sometimes within weeks. Across a five-year window, more than 250 entities suffered ransomware attacks more than once.

Figure: Ransomware attack trends between 2020 and 2025 (Source: Cyble)

This pattern reflected widespread affiliate mobility. Ransomware-as-a-Service operators shared affiliates who moved between platforms, relisted victims, and reused stolen data to sustain pressure. Groups such as Cl0p, Qilin, Lynx, INC Ransom, Play, LockBit, and Crypto24 repeatedly claimed overlapping victims during short timeframes.

Several new groups, including Devman and Securotrop, initially operated within established RaaS programs before developing independent tooling and infrastructure. This progression blurred the line between affiliate and operator and further decentralized the ransomware landscape.

Law Enforcement Pressure and Criminal Countermoves

Law enforcement activity intensified throughout 2025. Authorities disrupted operations tied to CrazyHunters and 8Base and arrested or indicted affiliates associated with Black Kingdom, Conti, DoppelPaymer, RobbinHood, Scattered Spider, DiskStation, Ryuk, BlackSuit, and Yanluowang.

These actions forced tactical changes but did not suppress activity. CRIL confirmed insider recruitment efforts by Scattered Spider, LAPSUS$ Hunters, and Medusa. Other groups, including Play and MedusaLocker, publicly referenced similar recruitment strategies through announcements on their data leak sites. The ransomware landscape responded to enforcement pressure by becoming more opaque rather than less active.

Tactical Shifts Toward Extortion-Only Models

Operational realignment became more visible in 2025. Hunters International abandoned its RaaS model and rebranded as World Leaks, repositioning itself as an Extortion-as-a-Service provider while maintaining cross-relationships with RaaS operators such as Secp0. Analysis also indicated that Everest redirected part of its activity toward extortion-only campaigns, reducing reliance on encryption payloads.

Figure: Rebranded ransomware groups reported in 2025 (Source: Cyble)

The year also saw widespread rebranding. Hunters International became World Leaks. Royal re-emerged as Chaos. LockBit 3.0 evolved into LockBit 4.5 and later 5.0. HelloKitty resurfaced as Kraken. At the same time, numerous groups dissolved or ceased operations, including ALPHV/BlackCat, Phobos/8Base, Cactus, RansomHub, and CrazyHunter.

Victimology and Sector Impact

Ransomware victimology data revealed 4,292 victims in the Americas, 1,251 in Europe and the UK, 589 across Asia and Oceania, and 202 within META-region organizations. The United States accounted for 3,527 victims, followed by Canada (360), Germany (251), the United Kingdom (198), Brazil (111), Australia (98), and India (67).

Sectoral impact remained uneven but severe. Manufacturing recorded 600 impacted entities, with industrial machinery and fabricated metal manufacturers bearing the brunt. Healthcare followed with 477 victims, where general hospitals and specialty clinics were repeatedly targeted to exploit the sensitivity of Personal Health Information. Construction, professional services, IT & ITES, BFSI, and government organizations also experienced sustained pressure.

Supply Chain Exploitation and Infrastructure Risk

Supply chain compromise emerged as a defining feature of the 2025 ransomware landscape. Cl0p’s exploitation of the Oracle E-Business Suite vulnerability CVE-2025-61882 affected more than 118 entities worldwide, primarily in IT & ITES. Among these victims were six organizations classified as critical infrastructure industries. Fog ransomware actors compounded supply chain risk by leaking GitLab source code from multiple IT firms.

Government and law enforcement agencies in the United States were targeted aggressively, with more than 40 incidents impacting essential public services. Semiconductor manufacturers in Taiwan and the United States remained priority targets due to their role as global production hubs. European semiconductor developers also faced attacks, though at lower volumes.

High-Impact Incidents and Strategic Targeting

Healthcare attacks continued to cause operational disruption, with repeated exposure of PHI used to intensify extortion pressure. Telecom providers faced sustained risk due to large-scale theft of customer PII, which threat actors actively traded and reused for downstream fraud. In several cases, ransomware groups removed breach disclosures from leak sites shortly after publication, suggesting successful ransom payments or secondary data sales.

Aerospace and defense organizations experienced fewer incidents but higher impact. One of the most significant events in 2025 was the attack on Collins Aerospace, which disrupted operations across multiple European airports and exposed proprietary defense technologies. Telemetry indicated disproportionate targeting of NATO-aligned defense developers.

Cyble’s Annual Threat Landscape Report makes one conclusion unavoidable: ransomware is no longer a disruption-driven threat; it is an intelligence-led, adaptive business model that thrives under pressure. The data from 2025 shows an ecosystem optimized for speed, affiliate mobility, and supply-chain leverage, with AI now embedded deep into extortion workflows and intrusion paths.

The Cyble Annual Threat Landscape Report provides complete datasets, regional breakdowns, threat actor analysis, and tactical intelligence drawn directly from CRIL’s monitoring of underground ecosystems. Readers can download the report to access the detailed findings, charts, and threat mappings referenced throughout this analysis. Organizations looking to operationalize this intelligence can also book a Cyble demo to see how Cyble’s AI-powered threat intelligence platform translates real-world adversary data into actionable defense, combining automated threat hunting, supply-chain risk visibility, and predictive analytics driven by Cyble’s latest generation of agentic AI.

image for Canada’s Investmen ...

 Cyber News

The Canadian Investment Regulatory Organization (CIRO) has confirmed that it detected a cybersecurity threat earlier this month and took immediate steps to contain the situation. The CIRO cybersecurity incident, first identified on August 11, 2025, prompted CIRO to proactively shut down parts of its IT environment to protect its systems and data while an investigation was launched.

CIRO is the national self-regulatory body overseeing all investment dealers, mutual fund dealers, and trading activity across Canada’s debt and equity markets. CIRO’s mandate includes protecting investors, ensuring efficient and consistent regulation, and strengthening public trust in financial regulation and the professionals who manage Canadians’ investments.

In a public update issued from Toronto on August 18, CIRO said critical regulatory and surveillance functions remained operational throughout the disruption. The organization also reassured the public that its real-time equity market surveillance operations are continuing as normal and that there is currently no active threat within its systems. CIRO added a clear warning to the public: “CIRO will never contact you about this event with an unsolicited call or email asking for your personal or financial information.”

CIRO Cybersecurity Incident: What Happened

According to the organization, the CIRO cybersecurity incident was detected on August 11, 2025. As a precautionary measure, the organization temporarily shut down some of its systems to ensure their safety and immediately began a technical and forensic investigation. “Throughout this time, critical functions remained available,” CIRO stated, emphasizing that its core regulatory responsibilities were not disrupted. It later confirmed, “We are confident that the incident is contained and that there is no active threat in CIRO’s environment.” CIRO is working with both internal teams and external cybersecurity and legal experts, as well as law enforcement authorities, to determine the nature and full scope of the breach.

Personal Information Affected at CIRO

On August 17, preliminary investigative findings indicated that some personal information had been impacted. The affected data relates to certain member firms and their registered employees. CIRO acknowledged the seriousness of this development, stating, “Given the high standard of security that CIRO expects of both itself and its members, we are deeply concerned about this, and know our members will be too.” The organization said its immediate priority is to identify which individual registrants may have been affected. Once that process is complete, CIRO will notify impacted individuals directly and provide appropriate risk mitigation services. Further updates are expected as the investigation progresses.

Are Investors Impacted?

CIRO stressed that Canadians’ investments are not at risk as a result of the CIRO cybersecurity incident. The regulator clarified that it only holds limited investor data, obtained through its member compliance and oversight functions. “It is important to note that Canadians’ investments are not at risk. CIRO only receives information about a sample of investors through its member compliance functions,” the organization said. However, CIRO acknowledged that some investor information may have been impacted. If the investigation confirms that any investor data was affected, those individuals will be notified directly and offered risk mitigation services.

What CIRO Is Doing Now

In response to the breach, CIRO has engaged both internal and external experts to carry out a full technical and forensic investigation. The regulator said the incident has been successfully contained and that additional system and data security measures have already been implemented. “We engaged internal and external experts to perform a technical and forensic investigation to identify the nature and scope of the event,” CIRO said. “As previously shared, the incident has been successfully contained, and additional system and data security measures have been implemented to enhance our existing cyber security protections.” CIRO also expressed regret over the CIRO cybersecurity incident and committed to ongoing transparency: “We deeply regret this has happened and remain committed to providing further updates on this page as we learn more.”

Key Takeaways

- CIRO detected a cybersecurity threat on August 11, 2025, and shut down some systems as a precaution.
- The CIRO cybersecurity incident is contained, and there is no active threat in CIRO’s environment.
- Some personal and registration information linked to member firms and registered employees was affected.
- Some investor information may have been impacted, but Canadians’ investments are not at risk.
- Impacted individuals will be notified directly and offered risk mitigation services.
- CIRO will never contact individuals with unsolicited calls or emails seeking personal or financial information.

As the investigation continues, CIRO says it will release more details in due course and provide direct notifications to anyone confirmed to be affected.

image for EU and INTERPOL Hunt ...

 Cyber News

European and international law enforcement agencies have intensified their pursuit of individuals connected to the Black Basta ransomware operation. Authorities confirmed that the alleged leader of the Russia-linked ransomware-as-a-service (RaaS) group has been placed on both the European Union’s Most Wanted list and INTERPOL’s Red Notice, while Ukrainian and German investigators have identified two additional suspects operating inside Ukraine.

According to official notices, the Ukrainian National Police and the German Federal Criminal Police (BKA) coordinated efforts to uncover members of an international hacking group affiliated with Russia.

Figure: Oleg Evgenievich NEFEDOV (Source: Federal Criminal Police Office (Bundeskriminalamt))

The investigation identified two Ukrainian nationals who allegedly performed specialized technical roles within the criminal structure of Black Basta ransomware. At the same time, investigators formally named the group’s suspected organizer as Oleg Evgenievich Nefedov (Нефедов Олег Євгеньевич), a 35-year-old Russian citizen.

Law enforcement statements said Nefedov has now been declared internationally wanted. He was added to the EU Most Wanted list, and an INTERPOL Red Notice was issued at the initiative of Germany’s Federal Criminal Police Office and the Central Office for Combating Internet Crime (ZIT) of the Frankfurt am Main Public Prosecutor’s Office. German authorities are seeking him on suspicion of “extortion in an especially serious case, formation and leadership of a criminal organization, and other criminal offenses.”

Authorities Detail Role of Alleged Ringleader and Technical Specialists

German prosecutors allege that Nefedov founded and led the group behind the Black Basta ransomware, acting as its ringleader and chief decision-maker. Under multiple pseudonyms, including tramp, tr, AA, Kurva, Washingt0n, and S.Jimmi, he is suspected of developing and establishing the Black Basta malware. Investigators claim he functioned as the group’s “managing director,” selecting attack targets, recruiting personnel, assigning tasks, participating in ransom negotiations, managing cryptocurrency proceeds, and distributing payments to members of the group.

The Ukrainian National Police detailed how domestic cyber police officers and investigators from the Main Investigative Department, under the procedural guidance of the Cyber Department of the Office of the Prosecutor General, worked alongside the German BKA to disrupt the group’s activities. Within the framework of the international investigation, two participants operating in Ukraine were identified as performing technical functions essential to ransomware attacks.

According to investigators, these individuals specialized in breaking into protected systems and preparing ransomware campaigns. They acted as so-called “hash crackers,” extracting passwords from corporate information systems using specialized software. After obtaining employee credentials, the suspects allegedly accessed internal company networks without authorization, escalated the privileges of compromised accounts, and expanded their control within corporate environments.

Authorities said this access was then used to compromise critical systems, steal confidential data, and deploy malware designed to encrypt files. Victims were subsequently extorted for ransom payments, typically demanded in cryptocurrency, in exchange for data decryption and restoration.

Searches authorized by the court were carried out at the suspects’ residences in the Ivano-Frankivsk and Lviv regions. During these operations, police seized evidence of illegal activity, including digital storage devices and cryptocurrency assets.

Black Basta Ransomware Global Impact

Through joint efforts involving Europol specialists, investigators also identified Nefedov as the probable organizer of the broader criminal enterprise. Foreign law enforcement partners indicated he may also have been involved in the operations of another notorious ransomware group, Conti.

Law enforcement agencies described the Black Basta ransomware group as one of the most dangerous cybercrime organizations in recent years. Between 2022 and 2025, the group allegedly targeted hundreds of companies, institutions, and government bodies in economically developed Western countries, causing damages estimated in the hundreds of millions of euros. Victims spanned multiple sectors, including healthcare, manufacturing, and construction, across the United States, the United Kingdom, Canada, Australia, and several EU member states.

The investigation has been conducted as part of a wider international cooperation framework involving authorities from Ukraine, Germany, Switzerland, the Netherlands, and the United Kingdom. Ukrainian police also noted that earlier investigative actions, including searches in Kharkiv and the surrounding region, had already been carried out at the request of foreign partners.

image for Attack Surface Visib ...

 Features

As organizations look toward 2026, infrastructure security is becoming one of the most defining challenges for cybersecurity leaders. Expanding cloud adoption, hybrid IT environments, growing reliance on APIs, and a rapidly widening digital footprint are making it harder for organizations to understand what assets they actually own and expose to the internet. Against this backdrop, attack surface visibility is emerging as a central concern for CISOs shaping their long-term cybersecurity strategy.

To understand how security leaders are prioritizing these challenges, The Cyber Express (TCE) conducted a LinkedIn poll asking, “What will be the top infrastructure security priority for CISOs in 2026?” The results point clearly to a growing consensus: before organizations can defend effectively, they must first gain visibility into their expanding digital attack surface.

The Cyber Express Poll Results: Attack Surface Visibility Takes the Lead

The poll generated strong engagement from cybersecurity professionals across roles and industries. The final results were:

- Attack surface visibility – 40%
- Cloud and hybrid security – 25%
- Identity and access security – 25%
- Ransomware resilience – 10%

With 40% of respondents selecting attack surface visibility, it emerged as the top infrastructure security priority for CISOs heading into 2026. The result reflects a growing recognition that organizations cannot secure what they cannot see, particularly as assets are spread across cloud platforms, SaaS tools, APIs, endpoints, development environments, and third-party services.

Cloud and hybrid security and identity and access security tied for second place, each receiving 25% of the vote. Ransomware resilience, while still a major operational concern, ranked lower at 10%, suggesting that many security leaders are shifting focus toward foundational controls that reduce exposure before attacks occur.

Why Attack Surface Visibility Is Rising to the Top

The dominance of attack surface visibility in the poll reflects a practical reality facing modern enterprises. Infrastructure today is no longer limited to on-premise servers and corporate networks. It now includes cloud workloads, remote endpoints, APIs, shadow IT, and externally facing services that change constantly. Without accurate, real-time visibility into these assets, even mature cybersecurity strategies struggle to apply controls consistently or detect threats early enough to prevent impact.

Marcos S, Founder & CEO and Senior Full Stack Developer specializing in email infrastructure and cybersecurity, highlighted this shift in focus. He said, “It's interesting to see how organizations are adjusting their focus towards infrastructure security as digital transformation accelerates. Investing in robust API security solutions could play a crucial role when facing evolving threat landscapes.” His comment underscores how modern attack surfaces are increasingly shaped by APIs, integrations, and digital services that were not part of traditional security models.

“They’re All Intertwined” — The Link Between Visibility, Cloud, and Identity

While attack surface visibility topped the list, the close ranking of cloud and hybrid security and identity and access security shows how interconnected modern infrastructure security priorities have become. Mary Teisserenc, who works in MFA and access security for Active Directory, captured this reality in a comment on the poll. She wrote, “It's hard to alienate all of these, they're so intertwined. How do you have hybrid security without strong IAM?” Her observation reflects a common challenge for CISOs: visibility alone is not enough if identity controls are weak or cloud environments are misconfigured. Each layer of infrastructure security depends on the others to be effective.

CISO Priorities for 2026: Identity, AI, and Leadership

The themes emerging from the TCE poll closely mirror what senior security leaders are already predicting. Adam Palmer, CISO at First Hawaiian Bank, recently shared his top three predictions for cybersecurity in 2026:

- AI becomes the foundation of security operations, but governance lags adoption.
- Boards will continue to seek CISOs who translate risk into business decisions.
- Identity becomes the dominant control strategy led across PAM, Zero Trust, and SSO.

He added, “Across all three predictions, the differentiator will not be technology. It will be leadership.” Palmer’s post reinforces why identity and access security and attack surface visibility are gaining traction as top CISO priorities for 2026. Both are foundational controls that support AI-driven operations and help translate cyber risk into business impact.

AI, Scale, and a Growing Digital Attack Surface

Matthew Rosenquist, Founder of Cybersecurity Insights and CISO at Mercury Risk, also pointed to artificial intelligence as the defining force shaping cybersecurity in 2026. He warned that attackers will use AI to scale proven techniques faster and more effectively, while defenders struggle to keep pace. He said: “AI is an amazing tool for computing, but in 2026, there will be significant pain, public failures, and a few uncomfortable Board conversations.” As attacks become faster and more automated, blind spots in the digital attack surface will become far more dangerous, further elevating the importance of continuous visibility.

From Strategy to Execution

Industry research is also pushing CISOs toward execution-focused priorities. William Luders, Business Development Associate at Gartner, highlighted key initiatives leaders have recently prioritized:

- Developing an actionable zero-trust strategy
- Maturing governance with NIST CSF 2.0
- Embedding cybersecurity into GenAI governance
- Enhancing data security with cyberstorage
- Monitoring and managing OT, IoT, and IIoT systems

He asked, “Which of these initiatives will you prioritize in 2026? And how will you measure success?”

A Clear Shift Toward Foundational Security

Taken together, the poll results and industry perspectives reflect a practical shift in how CISOs are approaching infrastructure security.
Rather than prioritizing isolated threat categories, leaders are increasingly focusing on core capabilities that support every layer of defense — particularly attack surface visibility, identity control, and governance. The strong preference for attack surface visibility highlights a growing recognition that security programs cannot function effectively without a clear understanding of what needs to be protected. As CISO priorities for 2026 continue to evolve, infrastructure security is shaping up to be less about deploying more tools and more about strengthening fundamentals — visibility, identity, leadership, and execution.


 Cyber News

A newly disclosed security vulnerability in the All In One SEO ecosystem has drawn attention across the WordPress community due to its potential reach and impact. The flaw affects the widely used AIOSEO plugin, which is active on more than 3 million WordPress websites. It allows low-privileged users to access a site-wide AI access token tied to the plugin’s artificial intelligence features.

The issue adds to a growing list of security problems involving All In One SEO in 2025. According to security researchers, this is the sixth vulnerability disclosed for the plugin this year, raising concerns about recurring authorization and permission-related weaknesses.

All In One SEO and the AIOSEO Plugin in WordPress

The AIOSEO plugin is one of the most popular SEO tools in the WordPress ecosystem. It helps site owners manage essential optimization tasks such as generating metadata, creating XML sitemaps, adding structured data, and improving on-page SEO performance.

In recent versions, All In One SEO also introduced AI-powered tools designed to help users write SEO titles, meta descriptions, blog posts, FAQs, social media content, and generate images. These AI features rely on a global AI access token that allows the plugin to communicate with external AIOSEO AI services on behalf of the site.

Missing Capability Check in the AIOSEO Plugin

The vulnerability was traced to a missing permission check in a REST API endpoint used by the All In One SEO plugin. According to Wordfence, the issue allowed users with Contributor-level access or higher to retrieve sensitive AI-related data.

This endpoint is intended to return information about a site’s AI usage and remaining credits. However, it failed to verify whether the user making the request was authorized to view that information. As a result, the plugin exposed the site’s global AI access token to low-privilege users.

Why Low-Privilege Access Is a Serious Issue in WordPress

Contributor is one of the lowest privilege roles in WordPress. Many websites grant Contributor access to guest authors, freelancers, or editorial staff so they can submit drafts for review.

By exposing a site-wide AI token to these users, All In One SEO effectively allowed broad access to a credential that controls AI functionality across the entire site. That token could be misused in several ways.

Potential Risks of the All In One SEO Vulnerability

While the vulnerability does not enable direct code execution, it still presents meaningful risks:

Unauthorized AI usage: The exposed token could be used to generate AI content through the affected WordPress site, consuming available credits.
Service depletion: An attacker could automate AI requests to exhaust the site’s AI quota, preventing administrators from using those features.
Billing and resource concerns: Even without direct financial theft, misuse of AI credits could lead to unexpected costs or disrupted workflows.

How the AIOSEO Plugin Vulnerability Was Fixed

The vulnerability affects all versions of All In One SEO up to and including version 4.9.2. It was addressed in version 4.9.3. In the official plugin changelog, the developers described the fix as: “Hardened API routes to prevent AI access token from being exposed.” This change directly resolves the missing permission check identified in the REST API endpoint.

What WordPress Site Owners Should Do Now

Anyone using All In One SEO on a WordPress site should update to version 4.9.3 or newer as soon as possible. Sites that allow multiple Contributors or external collaborators face a higher risk, as low-privilege accounts could access the AI token on vulnerable versions.

Regularly updating WordPress plugins, especially those like AIOSEO, which integrate AI services and external APIs, remains one of the most effective ways to reduce exposure to security risks.


 Business

Millions of IT systems — some of them industrial and IoT — may start behaving unpredictably on January 19. Potential failures include:

glitches in processing card payments;
false alarms from security systems;
incorrect operation of medical equipment;
failures in automated lighting, heating, and water supply systems;
and many more less serious types of errors.

The catch is — it will happen on January 19, 2038. Not that that’s a reason to relax — the time left to prepare may already be insufficient. The cause of this mass of problems will be an overflow in the integers storing date and time. While the root cause of the error is simple and clear, fixing it will require extensive and systematic efforts on every level — from governments and international bodies and down to organizations and private individuals.

The unwritten standard of the Unix epoch

The Unix epoch is the timekeeping system adopted by Unix operating systems, which became popular across the entire IT industry. It counts the seconds from 00:00:00 UTC on January 1, 1970, which is considered the zero point. Any given moment in time is represented as the number of seconds that have passed since that date. For dates before 1970, negative values are used. This approach was chosen by Unix developers for its simplicity — instead of storing the year, month, day, and time separately, only a single number is needed. This facilitates operations like sorting or calculating the interval between dates. Today, the Unix epoch is used far beyond Unix systems: in databases, programming languages, network protocols, and in smartphones running iOS and Android.

The Y2K38 time bomb

Initially, when Unix was developed, a decision was made to store time as a 32-bit signed integer. This allowed for representing a date range from roughly 1901 to 2038. The problem is that on January 19, 2038, at 03:14:07 UTC, this number will reach its maximum value (2,147,483,647 seconds) and overflow, becoming negative, and causing computers to “teleport” from January 2038 back to December 13, 1901. In some cases, however, shorter “time travel” might happen — to point zero, which is the year 1970.

This event, known as the “year 2038 problem”, “Epochalypse”, or “Y2K38”, could lead to failures in systems that still use 32-bit time representation — from POS terminals, embedded systems, and routers, to automobiles and industrial equipment. Modern systems solve this problem by using 64 bits to store time. This extends the date range to hundreds of billions of years into the future. However, millions of devices with 32-bit dates are still in operation, and will require updating or replacement before “day Y” arrives.

In this context, 32 and 64 bits refer specifically to the date storage format. Just because an operating system or processor is 32-bit or 64-bit, it doesn’t automatically mean it stores the date in its “native” bit format. Furthermore, many applications store dates in completely different ways, and might be immune to the Y2K38 problem, regardless of their bitness. In cases where there’s no need to handle dates before 1970, the date is stored as an unsigned 32-bit integer. This type of number can represent dates from 1970 to 2106, so the problem will arrive in the more distant future.

Differences from the year 2000 problem

The infamous year 2000 problem (Y2K) from the late 20th century was similar in that systems storing the year as two digits could mistake the new date for the year 1900. Both experts and the media feared a digital apocalypse, but in the end there were just numerous isolated manifestations that didn’t lead to global catastrophic failures. The key difference between Y2K38 and Y2K is the scale of digitization in our lives. The number of systems that will need updating is way higher than the number of computers in the 20th century, and the count of daily tasks and processes managed by computers is beyond calculation. Meanwhile, the Y2K38 problem has already been, or will soon be, fixed in regular computers and operating systems with simple software updates. However, the microcomputers that manage air conditioners, elevators, pumps, door locks, and factory assembly lines could very well chug along for the next decade with outdated, Y2K38-vulnerable software versions.

Potential problems of the Epochalypse

The date’s rolling over to 1901 or 1970 will impact different systems in different ways. In some cases, like a lighting system programmed to turn on every day at 7pm, it might go completely unnoticed. In other systems that rely on complete and accurate timestamps, a full failure could occur — for example, in the year 2000, payment terminals and public transport turnstiles stopped working. Comical cases are also possible, like issuing a birth certificate with a date in 1901. Far worse would be the failure of critical systems, such as a complete shutdown of a heating system, or the failure of a bone marrow analysis system in a hospital.

Cryptography holds a special place in the Epochalypse. Another crucial difference between 2038 and 2000 is the ubiquitous use of encryption and digital signatures to protect all communications. Security certificates generally fail verification if the device’s date is incorrect. This means a vulnerable device would be cut off from most communications — even if its core business applications don’t have any code that incorrectly handles the date. Unfortunately, the full spectrum of consequences can only be determined through controlled testing of all systems, with separate analysis of a potential cascade of failures.

The malicious exploitation of Y2K38

IT and InfoSec teams should treat Y2K38 not as a simple software bug, but as a vulnerability that can lead to various failures, including denial of service. In some cases, it can even be exploited by malicious actors. To do this, they need the ability to manipulate the time on the targeted system. This is possible in at least two scenarios:

Interfering with NTP protocol data by feeding the attacked system a fake time server
Spoofing the GPS signal — if the system relies on satellite time

Exploitation of this error is most likely in OT and IoT systems, where vulnerabilities are traditionally slow to be patched, and the consequences of a failure can be far more substantial. An example of an easily exploitable vulnerability related to time counting is CVE-2025-55068 (CVSSv3 8.2, CVSSv4 base 8.8) in Dover ProGauge MagLink LX4 automatic fuel-tank gauge consoles. Time manipulation can cause a denial of service at the gas station, and block access to the device’s web management panel. This defect earned its own CISA advisory.

The current status of Y2K38 mitigation

The foundation for solving the Y2K38 problem has been successfully laid in major operating systems. The Linux kernel added support for 64-bit time even on 32-bit architectures starting with version 5.6 in 2020, and 64-bit Linux was always protected from this issue. The BSD family, macOS, and iOS use 64-bit time on all modern devices. All versions of Windows released in the 21st century aren’t susceptible to Y2K38.

The situation at the data storage and application level is far more complex. Modern file systems like ZFS, F2FS, NTFS, and ReFS were designed with 64-bit timestamps, while older systems like ext2 and ext3 remain vulnerable. Ext4 and XFS require specific flags to be enabled (extended inode for ext4, and bigtime for XFS), and might need offline conversion of existing filesystems. In the NFSv2 and NFSv3 protocols, the outdated time storage format persists. It’s a similar patchwork landscape in databases: the TIMESTAMP type in MySQL is fundamentally limited to the year 2038, and requires migration to DATETIME, while the standard timestamp types in PostgreSQL are safe.

For applications written in C, pathways have been created to use 64-bit time on 32-bit architectures, but all projects require recompilation. Languages like Java, Python, and Go typically use types that avoid the overflow, but the safety of compiled projects depends on whether they interact with vulnerable libraries written in C. A massive number of 32-bit systems, embedded devices, and applications remain vulnerable until they’re rebuilt and tested, and then have updates installed by all their users. Various organizations and enthusiasts are trying to systematize information on this, but their efforts are fragmented. Consequently, there’s no “common Y2K38 vulnerability database” out there (1, 2, 3, 4, 5).

Approaches to fixing Y2K38

The methodologies created for prioritizing and fixing vulnerabilities are directly applicable to the year 2038 problem. The key challenge will be that no tool today can create an exhaustive list of vulnerable software and hardware. Therefore, it’s essential to update the inventory of corporate IT assets, ensure that the inventory is enriched with detailed information on firmware and installed software, and then systematically investigate the vulnerability question. The list can be prioritized based on the criticality of business systems and the data on the technology stack each system is built on. The next steps are: studying the vendor’s support portal, making direct inquiries to hardware and software manufacturers about their Y2K38 status, and, as a last resort, verification through testing. When testing corporate systems, it’s critical to take special precautions:

Never test production systems.
Create a data backup immediately before the test.
Isolate the system being tested from communications so it can’t confuse other systems in the organization.
If changing the date uses NTP or GPS, ensure the 2038 test signals cannot reach other systems.
After testing, set the systems back to the correct time, and thoroughly document all observed system behaviors.

If a system is found to be vulnerable to Y2K38, a fixing timeline should be requested from the vendor. If a fix is impossible, plan a migration; fortunately, the time we have left still allows for updating even fairly complex and expensive systems.

The most important thing in tackling Y2K38 is not to think of it as a distant future problem whose solution can easily wait another five to eight years. It’s highly likely that we already have insufficient time to completely eradicate the defect. However, within an organization and its technology fleet, careful planning and a systematic approach to solving the problem will make it possible to actually get it done in time.
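The overflow described in the article, as an added example (not part of the original article): a 64-bit epoch value is squeezed into a 32-bit signed field and into a 32-bit unsigned field, and the three boundary dates the article cites (2038, 1901, 2106) are rendered with gmtime_r. It assumes the host's own time_t is 64-bit, as on current 64-bit Linux.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for gmtime_r */
#endif
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Limits of the two 32-bit storage formats the article discusses. */
#define T32_MAX  INT32_MAX    /* 2,147,483,647 -> 2038-01-19 03:14:07 UTC */
#define T32_MIN  INT32_MIN    /* -2,147,483,648 -> 1901-12-13 20:45:52 UTC */
#define U32_MAX  UINT32_MAX   /* 4,294,967,295 -> 2106-02-07 06:28:15 UTC */

/* Simulate storing a 64-bit epoch value in a 32-bit signed field:
   keep the low 32 bits and reinterpret them as two's complement.
   Done with unsigned arithmetic so the simulation itself is well defined. */
int32_t wrap_int32(int64_t secs) {
    uint32_t low = (uint32_t)secs;                 /* reduction modulo 2^32 */
    if (low > (uint32_t)INT32_MAX)
        return (int32_t)(low - 0x80000000u) + INT32_MIN;
    return (int32_t)low;
}

/* Simulate an unsigned 32-bit field (no dates before 1970, lasts until 2106). */
uint32_t wrap_uint32(int64_t secs) { return (uint32_t)secs; }

/* Triage helpers: does a timestamp survive in each storage format? */
int fits_int32_time(int64_t secs)  { return secs >= T32_MIN && secs <= T32_MAX; }
int fits_uint32_time(int64_t secs) { return secs >= 0 && secs <= (int64_t)U32_MAX; }

/* Render a 64-bit epoch value as "YYYY-MM-DD HH:MM:SS" in UTC. */
const char *format_utc(int64_t secs, char *buf, size_t len) {
    time_t t = (time_t)secs;     /* assumes a 64-bit time_t on the host */
    struct tm tm;
    if (gmtime_r(&t, &tm) == NULL) { snprintf(buf, len, "invalid"); return buf; }
    strftime(buf, len, "%Y-%m-%d %H:%M:%S", &tm);
    return buf;
}

/* Convenience check: does secs render as the expected UTC string? */
int utc_equals(int64_t secs, const char *expected) {
    char buf[32];
    return strcmp(format_utc(secs, buf, sizeof buf), expected) == 0;
}

int main(void) {
    char buf[32];
    int64_t last_ok = T32_MAX, first_bad = (int64_t)T32_MAX + 1;
    printf("last valid signed 32-bit second %lld -> %s UTC\n",
           (long long)last_ok, format_utc(last_ok, buf, sizeof buf));
    printf("one second later, 32-bit field  %lld -> %s UTC (wrapped)\n",
           (long long)first_bad, format_utc(wrap_int32(first_bad), buf, sizeof buf));
    printf("same second, 64-bit field       %lld -> %s UTC\n",
           (long long)first_bad, format_utc(first_bad, buf, sizeof buf));
    printf("unsigned 32-bit limit           %llu -> %s UTC\n",
           (unsigned long long)wrap_uint32((int64_t)U32_MAX),
           format_utc((int64_t)U32_MAX, buf, sizeof buf));
    return 0;
}
```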

 Feed

Cybersecurity researchers have disclosed a cross-site scripting (XSS) vulnerability in the web-based control panel used by operators of the StealC information stealer, allowing them to gather crucial insights on one of the threat actors using the malware in their operations. "By exploiting it, we were able to collect system fingerprints, monitor active sessions, and – in a twist that will

 Feed

Cybersecurity researchers have disclosed details of an ongoing campaign dubbed KongTuke that used a malicious Google Chrome extension masquerading as an ad blocker to deliberately crash the web browser and trick victims into running arbitrary commands using ClickFix-like lures to deliver a previously undocumented remote access trojan (RAT) dubbed ModeloRAT. This new escalation of ClickFix has

 Feed

In cybersecurity, the line between a normal update and a serious incident keeps getting thinner. Systems that once felt reliable are now under pressure from constant change. New AI tools, connected devices, and automated systems quietly create more ways in, often faster than security teams can react. This week’s stories show how easily a small mistake or hidden service can turn into a real

 Feed

Just a few years ago, the cloud was touted as the “magic pill” for any cyber threat or performance issue. Many were lured by the “always-on” dream, trading granular control for the convenience of managed services. In recent years, many of us have learned (often the hard way) that public cloud service providers are not immune to attacks and SaaS downtime, hiding behind the Shared Responsibility

 Feed

A team of academics from the CISPA Helmholtz Center for Information Security in Germany has disclosed the details of a new hardware vulnerability affecting AMD processors. The security flaw, codenamed StackWarp, can allow bad actors with privileged control over a host server to run malicious code within confidential virtual machines (CVMs), undermining the integrity guarantees provided by AMD

 Feed

Cybersecurity researchers have disclosed details of a security flaw that leverages indirect prompt injection targeting Google Gemini as a way to bypass authorization guardrails and use Google Calendar as a data extraction mechanism. The vulnerability, Miggo Security's Head of Research, Liad Eliyahu, said, made it possible to circumvent Google Calendar's privacy controls by hiding a dormant
