In today’s cybersecurity news…
The UK hits reset on cybersecurity
The British government presented a new Government Cyber Action Plan to Parliament, which marks a conscious reset in its efforts to protect public services. The announcement admits that its previous approach was flawed and left it unable to meet its commitment to secure government organizations against known vulnerabilities and attack methods by 2030. This will see the UK move away from providing non-binding guidance to public sector authorities and instead establish a new Government Cyber Unit to adopt a centralized, mandatory approach. The plan also calls for more coordination on incident response and stronger contractual expectations from strategic suppliers. This comes ahead of a plan to reboot its national cyber strategy, set for release later this year.
No MFA, Know Problems
A threat actor that goes by Zestix or Sentap listed data allegedly stolen from roughly 50 organizations on illicit forums, including the American engineering firm Pickett and Associates, Spain’s Iberia airline, and the Japanese homebuilder Sekisui House. Researchers at Hudson Rock found that this data was stolen using compromised cloud credentials, which was easy because none of the organizations listed had enforced MFA for logins. Zestix isn’t new to this game; they have used infostealers to abscond with passwords and serve as an initial access broker since 2021. Another example of threat actors that don’t break in; they log in.
US may have coordinated cyberattacks with Maduro’s arrest
Both US President Trump and the chair of the Joint Chiefs of Staff, General Dan Caine, alluded to a possible US cyberattack to cut power in Caracas as part of the arrest of Venezuelan President Nicolás Maduro on January 3rd. Caine referred to this as “layering different effects” as part of the operation without going into details. The internet tracking group NetBlocks reported a loss of internet connectivity at that time due to power cuts, saying that if they were tied to a cyberattack, “it will have been targeted, not impacting the broader network space.” While it is widely known that the US conducts sophisticated cyber operations globally, we generally don’t receive any acknowledgement of this so close to an event.
(Politico)
Jaguar Land Rover sees sales crash after cyberattack
The British automaker is still feeling the impact of a cyberattack last year, which forced it to halt production for weeks in the fall. In its most recent earnings report, Jaguar Land Rover saw a 25.1% fall in sales on the year in Q3, down to 79,600 vehicles. Even this drop depended on old stock already on dealer lots, because shipments to dealers fell 43% on the year to just over 59,000 vehicles. The UK’s Cyber Monitoring Centre has described the attack as the most economically damaging cyberattack in the UK, with an estimated financial impact of £1.9 billion.
Huge thanks to our sponsor, Hoxhunt

Microsoft pushes back on Copilot security flaws
Security engineer John Russell recently outlined several perceived security flaws in Microsoft Copilot, including prompt injection that leaks system prompts, command execution within isolated Linux environments, and bypassing file type restrictions with base64-encoded plaintext strings. Russell noted that while all LLMs hit a point where they struggle to separate data from instruction, other major LLMs like Anthropic’s Claude didn’t have the same issues he saw with Copilot. Speaking to Bleeping Computer about these findings, a Microsoft spokesperson said these were out of scope for servicing as a vulnerability, saying, “There are several reasons why a case may be out of scope, including instances where a security boundary is not crossed, impact is limited to the requesting user’s execution environment, or other low-privileged information is provided that is not considered to be a vulnerability.”
N8scape spells trouble for n8n
Researchers at Cyera disclosed a critical sandbox bypass vulnerability in the open-source automation platform n8n, affecting all versions prior to 2.0.0. This stems from a protection mechanism failure in which an authenticated user retains the same permissions on the underlying host, allowing them to execute commands. Users on version 1.111.0 can enable improved security isolation to get around the bug; with 2.0, this is on by default.
Ledger impacted by third-party breach
The blockchain security company Ledger says a breach at its payment provider, Global-e, resulted in the leak of customer information. This included names, contact data, order details, and amounts paid. Ledger was quick to point out that nothing related to financial data or cryptocurrency wallets was impacted. Global-e began notifying affected customers on January 5th, warning them to be on the lookout for targeted phishing attacks based on this information. Ledger is specifically warning customers about any scams involving devices shipped to their address, looking to access crypto wallets.
Microsoft sees misconfigurations used to spoof domains
In a blog post, Microsoft warned that since May 2025, it has seen an increase in threat actors using complex routing and exploiting misconfigurations to spoof domains in phishing messages. The company was quick to point out that this does not represent a vulnerability in its Direct Send mail flow method for Exchange. Most of these messages used the Tycoon2FA Phishing-as-a-Service platform, using lures like business invoices to be paid or spoofing Microsoft messages that ask users to refresh soon-to-be-expired passwords to steal credentials. Microsoft recommended setting strict DMARC reject and SPF hard-fail policies, and reviewing third-party connector integrations to avoid these spoofed messages.
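The strict settings Microsoft recommends, as an added example that is not part of the original article or Microsoft's post: a small Python checker that parses SPF and DMARC TXT record strings and flags the weak settings (SPF soft-fail `~all` or `+all`, DMARC `p=none`, partial `pct`) beside the strict ones (`-all`, `p=reject`). The sample records and domains are constructed for illustration.

```python
"""Flag weak SPF and DMARC policies from DNS TXT record strings (constructed samples)."""

SPF_QUALIFIERS = {"-": "hard-fail", "~": "soft-fail", "?": "neutral", "+": "pass-all"}


def spf_strength(record: str) -> str:
    """Classify an SPF record by the qualifier on its 'all' mechanism."""
    if not record.lower().startswith("v=spf1"):
        return "invalid"
    for term in record.split()[1:]:
        if term.lower().lstrip("+-~?") == "all":
            qualifier = term[0] if term[0] in SPF_QUALIFIERS else "+"  # bare 'all' means '+all'
            return SPF_QUALIFIERS[qualifier]
    return "no-all"  # no 'all' mechanism: receivers treat unmatched senders as neutral


def dmarc_policy(record: str) -> dict:
    """Parse a DMARC record into its tag=value pairs; empty dict if not a DMARC record."""
    if not record.lower().startswith("v=dmarc1"):
        return {}
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(spf: str, dmarc: str) -> list:
    """Return a list of findings; an empty list means SPF hard-fail and DMARC reject are in place."""
    findings = []
    strength = spf_strength(spf)
    if strength != "hard-fail":
        findings.append(f"SPF: '{strength}' instead of hard-fail (-all)")
    tags = dmarc_policy(dmarc)
    if not tags:
        findings.append("DMARC: missing or invalid record")
        return findings
    if tags.get("p", "none") != "reject":
        findings.append(f"DMARC: p={tags.get('p', 'none')} instead of reject")
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 0
    if pct < 100:
        findings.append(f"DMARC: pct={pct_raw} leaves {100 - pct}% of failing mail unenforced")
    if "sp" in tags and tags["sp"] != "reject":
        findings.append(f"DMARC: subdomain policy sp={tags['sp']} instead of reject")
    return findings


# Constructed sample records: weak settings beside the strict ones Microsoft recommends.
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_SPF = "v=spf1 include:_spf.example.net -all"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"
```

Running `assess(WEAK_SPF, WEAK_DMARC)` yields two findings, while the strong pair yields none; the checker does not cover the third-party connector review the post also recommends.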