#identitysecurity

CyberNetsecIO (@netsecio)
2026-01-29

📰 Convergence of Identity and Data Security Creates New Attack Vectors, Netwrix Warns

Netwrix report: The convergence of identity and data security is the next major threat vector. Attackers are targeting identity automation and orchestration, a risk amplified by agentic AI. 🤖

🔗 cyber.netsecops.io/articles/ne

2026-01-29

Azure PIM solves just-in-time access for humans. I wanted to bring that same pattern to non-human identities.

PIM handles just-in-time access for humans. For non-human identities like AI coding agents, backup automation, and CI/CD pipelines, it breaks down. Service principals can’t activate PIM roles, so they end up with standing permissions they use for minutes per day.

A backup job running at 2 AM has Key Vault access around the clock. An AI agent deploying infrastructure has permanent Contributor for a 10-minute task. That’s a lot of unnecessary exposure.

So I built a Zero Standing Privilege gateway where I use an Azure Function that brokers access for service principals and other NHIs. The caller requests access through an API, receives a scoped role assignment for a short window, and a Durable Functions timer revokes it automatically. Everything is logged for a full audit trail.

The write-up includes the full architecture and a working lab with Bicep, PowerShell, and Python.

nineliveszerotrust.com/blog/ze

#ZeroTrust #Azure #CloudSecurity #IdentitySecurity #EntraID #DevSecOps #IAM #AIAgents
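As an added illustration of the broker pattern the post above describes (this is not the code from the linked lab; it is a self-contained Python model written for this page), the following walks through the request, grant, timed revocation and audit steps. The Azure RBAC role-assignment create/delete calls are replaced by two stub hooks, and the principal names, role names, scopes and the 30-minute cap are assumed values:

```python
"""Added example; not the code from the nineliveszerotrust.com lab. A minimal
model of the broker the post describes: a non-human identity asks for a role at
a scope for a short window, the broker checks an entitlement allow-list and a
TTL cap, records a grant, and a timer-driven sweep revokes anything past expiry,
writing an audit event for each step.

The two _create_/_delete_ hooks are where the real Azure RBAC role-assignment
calls would go; here they are simulated (assumption), as are the principal
names, role names, scopes and the 30-minute cap.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Optional
import uuid

MAX_TTL = timedelta(minutes=30)  # hard cap on any grant (assumed policy value)

# Entitlements: which principal may request which (role, scope). Constructed.
ENTITLEMENTS = {
    "sp-backup-job": {
        ("Key Vault Secrets User", "/subscriptions/sub1/resourceGroups/rg-backup"),
    },
    "sp-deploy-agent": {
        ("Contributor", "/subscriptions/sub1/resourceGroups/rg-app"),
    },
}


@dataclass
class Grant:
    grant_id: str
    principal: str
    role: str
    scope: str
    expires_at: datetime
    assignment_id: Optional[str] = None  # id of the (simulated) role assignment
    revoked: bool = False


class ZspBroker:
    def __init__(self, now: Optional[Callable[[], datetime]] = None):
        self._now = now or (lambda: datetime.now(timezone.utc))  # injectable clock
        self.grants = {}   # grant_id -> Grant
        self.audit = []    # append-only audit trail

    # Hooks standing in for the real role-assignment create/delete (assumption).
    def _create_role_assignment(self, grant: Grant) -> str:
        return f"ra-{uuid.uuid4().hex[:8]}"

    def _delete_role_assignment(self, assignment_id: str) -> None:
        return None

    def _log(self, event: str, g: Grant, **extra) -> None:
        self.audit.append({"ts": self._now().isoformat(), "event": event,
                           "grant_id": g.grant_id, "principal": g.principal,
                           "role": g.role, "scope": g.scope, **extra})

    def request_access(self, principal: str, role: str, scope: str,
                       ttl: timedelta) -> Grant:
        """API entry point: deny anything outside the allow-list, clamp the TTL."""
        if (role, scope) not in ENTITLEMENTS.get(principal, set()):
            raise PermissionError(f"{principal} is not entitled to {role} at {scope}")
        ttl = min(ttl, MAX_TTL)  # a caller asking for hours still gets the cap
        g = Grant(uuid.uuid4().hex, principal, role, scope, self._now() + ttl)
        g.assignment_id = self._create_role_assignment(g)
        self.grants[g.grant_id] = g
        self._log("grant", g, ttl_seconds=int(ttl.total_seconds()))
        return g

    def revoke(self, grant_id: str, reason: str = "expired") -> None:
        g = self.grants[grant_id]
        if not g.revoked:
            self._delete_role_assignment(g.assignment_id)
            g.revoked = True
            self._log("revoke", g, reason=reason)

    def sweep(self) -> List[str]:
        """What the Durable Functions timer does: revoke every expired grant."""
        now = self._now()
        due = [g.grant_id for g in self.grants.values()
               if not g.revoked and g.expires_at <= now]
        for gid in due:
            self.revoke(gid)
        return due

    def active_grants(self) -> List[Grant]:
        return [g for g in self.grants.values() if not g.revoked]


if __name__ == "__main__":
    clock = [datetime(2026, 1, 29, 2, 0, tzinfo=timezone.utc)]
    broker = ZspBroker(now=lambda: clock[0])
    g = broker.request_access("sp-backup-job", "Key Vault Secrets User",
                              "/subscriptions/sub1/resourceGroups/rg-backup",
                              timedelta(hours=5))      # clamped to 30 minutes
    print("granted until", g.expires_at.isoformat())
    clock[0] += timedelta(minutes=31)                   # the 2 AM job has finished
    print("revoked:", broker.sweep())
    for event in broker.audit:
        print(event)
```

Run it directly for a walk-through with a fake clock; sweep() is the call the timer would make. Two details matter in practice: the TTL is clamped on the broker side, so a caller that asks for five hours still gets the cap, and expiry is enforced by the broker rather than trusted to the caller to clean up after itself.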

2026-01-28

Today marks Data Privacy Day.
True data resilience starts with trust and control.

Privacy laws are rising as personal data volumes grow.

Without knowing what data you hold, where it lives, and why it exists, risk management becomes guesswork.

People understand mistakes happen - what matters is transparency, thoughtfulness, and ownership.

#DataPrivacyDay #PrivacyByDesign #Cybersecurity #DataGovernance #IdentitySecurity


The traditional divide between identity and data security is closing rapidly, and that's bad news for security teams. jpmellojr.blogspot.com/2026/01 #DataSecurity #AI #IdentitySecurity #Netwrix

2026-01-28

Fortinet confirms active exploitation of FortiCloud SSO auth bypass (CVE-2026-24858, CVSS 9.4).
Cross-customer access via trusted SSO paths observed.

SSO now blocked for vulnerable versions - patching required.

technadu.com/fortinet-temporar

#InfoSec #Fortinet #CVE #IdentitySecurity

Fortinet Temporarily Disables FortiCloud SSO Following Active Exploitation
2026-01-27

AI agent identities are scaling faster than traditional identity controls can handle.

Interview with Ido Shlomo, Co-Founder & CTO of Token Security, on why visibility, short-lived identities, and automation are becoming critical for AI agent security.

Full interview:
technadu.com/securing-ai-agent

#AIAgents #IdentitySecurity #DevSecOps

Securing AI Agents by Default Today to Prevent Risks from Unretired Identities Resurfacing Tomorrow
hackmac (@hackmac)
2026-01-26

Insider threats: the risk we can no longer afford to underestimate. While companies invest millions in protection against external attacks, a large share of the most dangerous incidents arises where nobody expects it: in-house. Current studies show that insider threats are now among the most costly and hardest-to-detect incidents.

2026-01-23

Microsoft reports an AiTM phishing campaign targeting the energy sector, focused on session hijacking, inbox rule manipulation, and lateral phishing from trusted accounts.

The activity reinforces that identity compromise response needs to include session revocation, rule auditing, and post-access validation - not just password resets.

How are teams adapting identity incident response to this reality?

Source: helpnetsecurity.com/2026/01/22

Share insights and follow @technadu for practical, unbiased InfoSec coverage.

#InfoSec #IdentitySecurity #AiTM #PhishingDefense #EnergyInfrastructure #MFA #ZeroTrust

Energy sector orgs targeted with AiTM phishing campaign
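On the "rule auditing" leg of the response the post above calls for, here is an added Python triage pass (not from the Help Net Security article or Microsoft's report; written for this page) that scores the inbox-rule changes an AiTM session hijacker typically makes: external forwarding, auto-delete, hiding mail in an odd folder, and filtering on words like "password" or "invoice". The records are constructed and only loosely follow the Operation-plus-Parameters shape of Microsoft 365 unified audit log entries; treat the field names as assumptions, not a schema:

```python
"""Added example, not from the Help Net Security article or Microsoft's report:
a small triage pass over mailbox audit records that scores the inbox-rule
changes AiTM session hijackers typically make (external forwarding, delete,
hide in an odd folder, filter on words like "password" or "invoice").

The records are constructed for the example and only loosely follow the shape
of Microsoft 365 unified audit log entries (an Operation plus Parameters as
Name/Value pairs); treat the field names as assumptions, not a schema.
"""
from typing import Dict, List, Tuple

INTERNAL_DOMAINS = {"energyco.example"}          # constructed
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "archive", "junk email", "deleted items"}
LURE_WORDS = ("password", "mfa", "security", "hacked", "phish",
              "invoice", "payment", "wire")
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}


def _params(rec: Dict) -> Dict[str, str]:
    return {p["Name"]: str(p["Value"]) for p in rec.get("Parameters", [])}


def score_rule_event(rec: Dict) -> Tuple[int, List[str]]:
    """Score one record; 0 means it is not a rule change worth a second look."""
    if rec.get("Operation") not in RULE_OPS:
        return 0, []
    p = _params(rec)
    score, reasons = 0, []
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        for addr in p.get(key, "").split(";"):
            addr = addr.strip().lower()
            if addr and addr.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS:
                score += 3
                reasons.append(f"{key} to external {addr}")
    if p.get("DeleteMessage", "").lower() == "true":
        score += 2
        reasons.append("DeleteMessage")
    if p.get("MarkAsRead", "").lower() == "true":
        score += 1
        reasons.append("MarkAsRead")
    folder = p.get("MoveToFolder", "").lower()
    if folder in HIDING_FOLDERS:
        score += 2
        reasons.append(f"MoveToFolder {folder}")
    words = p.get("SubjectContainsWords", "").lower()
    hits = [w for w in LURE_WORDS if w in words]
    if hits:
        score += 2
        reasons.append(f"subject filter on {hits}")
    name = p.get("Name", "").strip()
    if len(name) <= 2:
        score += 1
        reasons.append(f"near-empty rule name {name!r}")
    return score, reasons


def triage(records: List[Dict], threshold: int = 3) -> List[Dict]:
    """Return findings at or above threshold, highest score first."""
    findings = []
    for rec in records:
        score, reasons = score_rule_event(rec)
        if score >= threshold:
            findings.append({"user": rec.get("UserId"), "ip": rec.get("ClientIP"),
                             "time": rec.get("CreationTime"), "score": score,
                             "reasons": reasons})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


# Constructed sample: two rules created minutes apart from one external IP
# right after a hijacked session, plus a benign rule and a non-rule event.
SAMPLE_RECORDS = [
    {"CreationTime": "2026-01-21T03:12:09", "Operation": "New-InboxRule",
     "UserId": "j.doe@energyco.example", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "password;security alert;hacked"},
                    {"Name": "MoveToFolder", "Value": "RSS Feeds"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2026-01-21T03:14:40", "Operation": "New-InboxRule",
     "UserId": "j.doe@energyco.example", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "Invoices"},
                    {"Name": "SubjectContainsWords", "Value": "invoice;payment"},
                    {"Name": "ForwardAsAttachmentTo", "Value": "finance.archive@mail-relay.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2026-01-21T09:02:11", "Operation": "New-InboxRule",
     "UserId": "a.smith@energyco.example", "ClientIP": "198.51.100.20",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "FromAddressContainsWords", "Value": "news@vendor.example"},
                    {"Name": "MoveToFolder", "Value": "Reading"}]},
    {"CreationTime": "2026-01-21T09:05:00", "Operation": "MailItemsAccessed",
     "UserId": "a.smith@energyco.example", "ClientIP": "198.51.100.20"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f["score"], f["user"], f["ip"], f["time"], "; ".join(f["reasons"]))
```

The score is a pivot, not a verdict: the finding's user, client IP and timestamp are what you take into session revocation (sign-in and refresh-token invalidation) and into the post-access check of what that session read or sent. A password reset alone leaves both the rules and the live session in place.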
2026-01-23

ShinyHunters has claimed responsibility for the Okta vishing campaign and alleges it leaked data from Crunchbase, SoundCloud, and Betterment after failed extortion attempts, warning more disclosures are coming.

Live phone calls + real-time phishing pages allow attackers to control authentication flows.

🔗 technadu.com/okta-sso-accounts

Is phishing-resistant MFA now mandatory?

#Okta #Vishing #IdentitySecurity #MFA #InfoSec

Okta SSO Accounts Targeted in Vishing Campaign that Uses Custom Phishing-as-a-Service Kits
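To make concrete why the post above asks about phishing-resistant MFA, here is an added Python model (not from the TechNadu article; written for this page) that runs the same real-time relay against a one-time code and against a WebAuthn assertion. The relying party, authenticator and origins are constructed, and the signature is an HMAC stand-in for the authenticator's key pair. A real browser would not even offer the credential on the wrong origin; the model lets the assertion be produced so the relying-party checks that reject it are visible:

```python
"""Added example, not from the TechNadu article or the campaign reporting:
why a real-time relay (phishing page plus live call) captures an OTP but not a
WebAuthn assertion. The relying party (RP), relay and authenticator below are
toy models; the signature is an HMAC stand-in for the authenticator's key pair,
and all names and origins are constructed for the example.
"""
import hashlib
import hmac
import json
import secrets
from typing import Tuple

RP_ID = "login.example"                             # real IdP's RP ID (constructed)
RP_ORIGIN = "https://login.example"
PHISH_ORIGIN = "https://login-example-support.com"  # attacker's relay page (constructed)


# --- one-time code: nothing binds it to where it was entered ----------------
def rp_check_otp(code: str, expected: str = "492817") -> bool:
    return hmac.compare_digest(code, expected)


def relay_otp(victim_code: str) -> bool:
    """The code the victim types on the phishing page (or reads out on the
    phone) is replayed verbatim to the real site."""
    return rp_check_otp(victim_code)


# --- WebAuthn: browser-supplied origin, RP-ID-bound assertion --------------
def client_data(challenge: bytes, origin: str) -> bytes:
    """What the browser hands the authenticator: the challenge plus the actual
    origin of the page that called navigator.credentials.get(). The user does
    not fill this in; the browser does."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                       "origin": origin}, sort_keys=True).encode()


def authenticator_sign(cred_key: bytes, rp_id_seen: str, cd: bytes) -> dict:
    """Toy authenticator: the rpIdHash is derived from the page's origin, and
    the signature covers authData || sha256(clientData)."""
    auth_data = hashlib.sha256(rp_id_seen.encode()).digest()   # rpIdHash field
    signed = auth_data + hashlib.sha256(cd).digest()
    return {"authData": auth_data, "clientData": cd,
            "sig": hmac.new(cred_key, signed, hashlib.sha256).digest()}


def rp_verify(cred_key: bytes, challenge: bytes, assertion: dict) -> Tuple[bool, str]:
    """Relying-party checks in the order the WebAuthn spec lists them."""
    cd = json.loads(assertion["clientData"])
    if cd.get("type") != "webauthn.get":
        return False, "bad type"
    if bytes.fromhex(cd.get("challenge", "")) != challenge:
        return False, "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    if assertion["authData"] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    signed = assertion["authData"] + hashlib.sha256(assertion["clientData"]).digest()
    expected = hmac.new(cred_key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(assertion["sig"], expected):
        return False, "bad signature"
    return True, "ok"


def relay_webauthn(cred_key: bytes) -> Tuple[bool, str]:
    """AiTM relay: attacker fetches a real challenge from the RP, shows it on
    the phishing page, and forwards whatever the victim's browser returns."""
    challenge = secrets.token_bytes(32)               # issued by the real RP
    cd = client_data(challenge, PHISH_ORIGIN)         # victim is on the phish origin
    rp_id_seen = PHISH_ORIGIN.split("://", 1)[1]      # browser derives RP ID from it
    assertion = authenticator_sign(cred_key, rp_id_seen, cd)
    return rp_verify(cred_key, challenge, assertion)  # relayed unchanged


def legitimate_webauthn(cred_key: bytes) -> Tuple[bool, str]:
    challenge = secrets.token_bytes(32)
    cd = client_data(challenge, RP_ORIGIN)
    assertion = authenticator_sign(cred_key, RP_ID, cd)
    return rp_verify(cred_key, challenge, assertion)


if __name__ == "__main__":
    key = secrets.token_bytes(32)                     # stands in for the credential key pair
    print("OTP relayed from phishing page:", relay_otp("492817"))
    print("WebAuthn, real site:", legitimate_webauthn(key))
    print("WebAuthn relayed from phishing page:", relay_webauthn(key))
```

The relay succeeds against the code because a six-digit value carries no information about where it was entered, so a live operator can simply ask for it. The relayed assertion fails at the origin check (and would fail the rpIdHash check after that) because the browser, not the user, writes the origin into clientDataJSON and derives the RP ID the authenticator signs under; there is nothing the caller can talk the victim into reading out.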
InfosecK2K (@InfosecK2K)
2026-01-20

🛡️ MFA: A Simple Step That Stops Big Threats
Weak or stolen passwords cause many breaches. Multi-Factor Authentication adds a critical layer that blocks most unauthorized access. Enable MFA for email, banking, and admin accounts.

2026-01-18

🚀 𝗢𝗜𝗗-𝗦𝗲𝗲 𝘃𝟭.𝟬.𝟭 𝗶𝘀 𝗼𝘂𝘁 — a small release with sharper edges.

This one is all about 𝗽𝗿𝗲𝗰𝗶𝘀𝗶𝗼𝗻 𝗼𝘃𝗲𝗿 𝗻𝗼𝗶𝘀𝗲.

No new dashboards.
No shiny features.
Just tighter logic and risk scoring that better reflects how Entra 𝘢𝘤𝘵𝘶𝘢𝘭𝘭𝘺 behaves in real tenants.

What changed in v1.0.1:
🔧 App role assignment risk fixed (assignment count ≠ risk)
👤 “No owners” reframed as 𝗴𝗼𝘃𝗲𝗿𝗻𝗮𝗻𝗰𝗲, not security
🎭 Deception logic gated and smarter — fewer false positives, stronger signals

If you’re using OID-See to support:
• identity risk assessments
• app governance conversations
• Conditional Access strategy
• explaining 𝘸𝘩𝘺 something is risky (or isn’t)

…this release should feel noticeably calmer and more trustworthy.

📖 Blog post:
cirriustech.co.uk/blog/oid-see

🏷️ Release notes:
github.com/OID-See/OID-See/rel

Feedback welcome - especially the “yeah but…” kind.
Because tools should get better the more they’re used, not louder.

#OIDSee #EntraID #IdentitySecurity #OAuth #AppGovernance #OpenSource

2026-01-16

Eurail B.V. has disclosed a data breach affecting personal and sensitive traveler information, with investigations still ongoing.

Potentially accessed data may include:
• Identity and contact details
• Passport or national ID records
• Limited financial or health-related data for specific EU program participants

The company reports that affected systems were secured, credentials reset, and customers advised to watch for phishing or identity-related abuse.

This incident underscores the risks associated with centralized identity and travel databases, especially in cross-border environments.

What security controls should be considered baseline for platforms handling high-value identity data?

Source: helpnetsecurity.com/2026/01/15

Share your insights, engage with the discussion, and follow @technadu for objective InfoSec coverage.

#InfoSec #DataBreach #PrivacyEngineering #IdentitySecurity #CyberRisk #TechNadu #DataProtection

Sensitive data of Eurail, Interrail travelers compromised in data breach
Outpost24 (@Outpost24)
2026-01-16

20M+ customer records exposed.
No ransomware. No system outages.

Our latest analysis of the Endesa data breach explains:
1️⃣ How the breach likely happened
2️⃣ Where the real attack surface was
3️⃣ What the leaked data reveals about backend and API abuse

...and most importantly: 𝘄𝗵𝗮𝘁 𝘆𝗼𝘂𝗿 𝗼𝗿𝗴𝗮𝗻𝗶𝘇𝗮𝘁𝗶𝗼𝗻 𝗰𝗮𝗻 𝗱𝗼 𝗻𝗼𝘄 𝘁𝗼 𝗽𝗿𝗼𝘁𝗲𝗰𝘁 𝗶𝘁𝘀𝗲𝗹𝗳.

👉 Read the analysis: outpost24.com/blog/endesa-data

The Brutal Truth About “Trusted” Phishing: Why Even Apple Emails Are Burning Your SOC


I’ve been in this field long enough to recognize a pattern that keeps repeating, no matter how much tooling we buy or how many frameworks we cite. Every major incident, every ugly postmortem, every late-night bridge call starts the same way: someone trusted something they were conditioned to trust. Not a zero-day, not a nation-state exploit chain, not some mythical hacker genius—just a moment where a human followed a path that looked legitimate because the system trained them to do exactly that. We like to frame cybersecurity as a technical discipline because that makes it feel controllable, but the truth is that most real-world compromises are social engineering campaigns wearing technical clothing. The Apple phishing scam circulating right now is a perfect example, and if you dismiss it as “just another phishing email,” you’re missing the point entirely.

Here’s what makes this particular scam dangerous, and frankly impressive from an adversarial perspective. The victim receives a text message warning that someone is trying to access their Apple account. Immediately, the attacker injects urgency, because urgency shuts down analysis faster than any exploit ever could. Then comes a phone call from someone claiming to be Apple Support, speaking confidently, calmly, and procedurally. They explain that a support ticket has been opened to protect the account, and shortly afterward, the victim receives a real, legitimate email from Apple with an actual case number. No spoofed domain, no broken English, no obvious red flags. At that moment, every instinct we’ve trained users to rely on fires in the wrong direction. The email is real. The ticket is real. The process is real. The only thing that isn’t real is the person on the other end of the line. When the attacker asks for a one-time security code to “close the ticket,” the victim believes they’re completing a security process, not destroying it. That single moment hands the attacker the keys to the account, cleanly and quietly, with no malware and almost no telemetry.

What makes this work so consistently is that attackers have finally accepted what many defenders still resist admitting: humans are the primary attack surface, and trust is the most valuable credential in the environment. This isn’t phishing in the classic sense of fake emails and bad links. This is confidence exploitation, the same psychological technique that underpins MFA fatigue attacks, helpdesk impersonation, OAuth consent abuse, and supply-chain compromise. The attacker doesn’t need to bypass controls when they can persuade the user to carry them around those controls and hold the door open. In that sense, this scam isn’t new at all. It’s the same strategy that enabled SolarWinds to unfold quietly over months, the same abuse of implicit trust that allowed NotPetya to detonate across global networks, and the same manipulation of expected behavior that made Stuxnet possible. Different scale, different impact, same foundational weakness.

From a framework perspective, this attack maps cleanly to MITRE ATT&CK, and that matters because frameworks are how we translate gut instinct into organizational understanding. Initial access occurs through phishing, but the real win for the attacker comes from harvesting authentication material and abusing valid accounts. Once they’re in, everything they do looks legitimate because it is legitimate. Logs show successful authentication, not intrusion. Alerts don’t fire because controls are doing exactly what they were designed to do. This is where Defense in Depth quietly collapses, not because the layers are weak, but because they are aligned around assumptions that no longer hold. We assume that legitimate communications can be trusted, that MFA equals security, that awareness training creates resilience. In reality, these assumptions create predictable paths that adversaries now exploit deliberately.

If you’ve ever worked in a SOC, you already know why this type of attack gets missed. Analysts are buried in alerts, understaffed, and measured on response time rather than depth of understanding. A real Apple email doesn’t trip a phishing filter. A user handing over a code doesn’t generate an endpoint alert. There’s no malicious attachment, no beaconing traffic, no exploit chain to reconstruct. By the time anything unusual appears in the logs, the attacker is already authenticated and blending into normal activity. At that point, the investigation starts from a place of disadvantage, because you’re hunting something that looks like business as usual. This is how attackers win without ever making noise.

The uncomfortable truth is that most organizations are still defending against yesterday’s threats with yesterday’s mental models. We talk about Zero Trust, but we still trust brands, processes, and authority figures implicitly. We talk about resilience, but we train users to comply rather than to challenge. We talk about human risk, but we treat training as a checkbox instead of a behavioral discipline. If you’re a practitioner, the takeaway here isn’t to panic or to blame users. It’s to recognize that trust itself must be treated as a controlled resource. Verification cannot stop at the domain name or the sender address. Processes that allow external actors to initiate internal trust workflows must be scrutinized just as aggressively as exposed services. And security teams need to start modeling social engineering as an adversarial tradecraft, not an awareness problem.

For SOC analysts, that means learning to question “legitimate” activity when context doesn’t line up, even if the artifacts themselves are clean. For incident responders, it means expanding investigations beyond malware and into identity, access patterns, and user interaction timelines. For architects, it means designing systems that minimize the blast radius of human error rather than assuming it won’t happen. And for CISOs, it means being honest with boards about where real risk lives, even when that conversation is uncomfortable. The enemy is no longer just outside the walls. Sometimes, the gate opens because we taught it how.

I’ve said this before, and I’ll keep saying it until it sinks in: trust is not a security control. It’s a vulnerability that must be managed deliberately. Attackers understand this now better than we do, and until we catch up, they’ll keep walking through doors we swear are locked.

Call to Action

If this breakdown helped you think a little clearer about the threats out there, don’t just click away. Subscribe for more no-nonsense security insights, drop a comment with your thoughts or questions, or reach out if there’s a topic you want me to tackle next. Stay sharp out there.

D. Bryan King

Sources

MITRE ATT&CK Framework
NIST Cybersecurity Framework
CISA – Avoiding Social Engineering and Phishing Attacks
Verizon Data Breach Investigations Report
Mandiant Threat Intelligence Reports
CrowdStrike Global Threat Report
Krebs on Security
Schneier on Security
Black Hat Conference Whitepapers
DEF CON Conference Archives
Microsoft Security Blog
Apple Platform Security

Disclaimer:

The views and opinions expressed in this post are solely those of the author. The information provided is based on personal research, experience, and understanding of the subject matter at the time of writing. Readers should consult relevant experts or authorities for specific guidance related to their unique situations.

#accountTakeover #adversaryTradecraft #ApplePhishingScam #attackSurfaceManagement #authenticationSecurity #breachAnalysis #breachPrevention #businessEmailCompromise #CISOStrategy #cloudSecurityRisks #credentialHarvesting #cyberDefenseStrategy #cyberIncidentAnalysis #cyberResilience #cyberRiskManagement #cybercrimeTactics #cybersecurityAwareness #defenseInDepth #digitalIdentityRisk #digitalTrustExploitation #enterpriseRisk #enterpriseSecurity #humanAttackSurface #identityAndAccessManagement #identitySecurity #incidentResponse #informationSecurity #MFAFatigue #MITREATTCK #modernPhishing #NISTFramework #phishingAttacks #phishingPrevention #securityArchitecture #SecurityAwarenessTraining #securityCulture #securityLeadership #securityOperationsCenter #securityTrainingFailures #SOCAnalyst #socialEngineering #threatActorPsychology #threatHunting #trustedBrandAbuse #trustedPhishing #userBehaviorRisk #zeroTrustSecurity

NERDS.xyz – Real Tech News for Real Nerds (@nerds.xyz@web.brid.gy)
2026-01-12

1Password reshapes its CTO role to confront the rise of AI identity challenges

fed.brid.gy/r/https://nerds.xy

2026-01-10

Ireland’s recall of nearly 13,000 passports due to a software-induced printing defect illustrates how data integrity issues can propagate into physical security and identity systems.

The likely impact on the machine-readable zone (MRZ) reinforces the importance of validation, regression testing, and post-deployment controls in critical document systems.

What best practices would you recommend for preventing similar failures in identity infrastructure?

Join the discussion and follow TechNadu for objective infosec reporting.

#InfoSec #IdentitySecurity #MRZ #GovTech #SystemIntegrity #CyberResilience #TechNadu

Ireland recalls almost 13,000 passports over missing 'IRL' code
𝕯𝖔𝖔𝖒𝖘𝖈𝖗𝖔𝖑𝖑™ (@Doomscroll@zirk.us)
2026-01-09

🔐 Identity is the new attack surface. In 2026 nobody breaks in, they authenticate. AI scrubs the tells, agents borrow your face, tokens bloom and vanish. Humans, scripts, ghosts in the workflow. Trust leaks faster than data. The perimeter was a story we told ourselves. This year the logins bite back.

This will be described as the year trust stopped being implicit, and no one will agree on when that happened.

#IdentitySecurity scworld.com/feature/identity-b

2026-01-09

Alright team, it's been a pretty packed 24 hours in the cyber world! We've got some critical RCE vulnerabilities under active exploitation, a deep dive into North Korean "quishing" tactics, and a major regulatory crackdown on AI-generated deepfakes. Let's get into it:

Critical RCE Vulnerabilities Under Active Exploitation ⚠️

- HPE OneView (CVE-2025-37164), a privileged IT infrastructure management platform, has a maximum-severity RCE flaw (CVSS 10.0) that's actively being exploited. Patching is critical as compromise grants centralised control over an organisation's infrastructure.
- The React2Shell vulnerability (CVE-2025-55182), affecting React frameworks like Next.js, allows unauthenticated RCE in default configurations. Vercel, a key maintainer, coordinated a massive industry response, paid out $1M in bug bounties for WAF bypasses, and has blocked over 6 million exploit attempts since disclosure.
- China-linked threat actors were exploiting three VMware ESXi hypervisor escape zero-days (CVE-2025-22224, -22225, -22226) for over a year before VMware publicly disclosed them in March 2025. Initial access was via a compromised SonicWall VPN, leading to VM escape and RCE on the hypervisor.
- Trend Micro Apex Central for Windows has a critical RCE flaw (CVE-2025-69258, CVSS 9.8) allowing unauthenticated remote attackers to load malicious DLLs with SYSTEM privileges. Two other DoS flaws (CVE-2025-69259, -69260) were also patched.

🌑 Dark Reading | darkreading.com/vulnerabilitie
🤫 CyberScoop | cyberscoop.com/vercel-cto-secu
📰 The Hacker News | thehackernews.com/2026/01/tren
🕵🏼 The Register | go.theregister.com/feed/www.th

North Korean Hackers Adopt "Quishing" Tactics 🎣

- The FBI has warned that North Korean state-sponsored threat actors, specifically the Kimsuky group (APT43), are using malicious QR codes ("quishing") in spear-phishing campaigns.
- These QR codes redirect victims to attacker-controlled pages (e.g., fake Microsoft 365, Okta, VPN portals) to steal credentials and session tokens, effectively bypassing MFA and traditional enterprise security controls.
- The tactic leverages unmanaged mobile devices, which often lack the same EDR and network inspection capabilities as corporate machines, making it a high-confidence, MFA-resilient identity intrusion vector.

📰 The Hacker News | thehackernews.com/2026/01/fbi-
🕵🏼 The Register | go.theregister.com/feed/www.th

Fake AI Chrome Extensions Steal User Data 🤖

- Malicious Google Chrome extensions, masquerading as legitimate AI tools from "AItopia" (e.g., "ChatGPT for Chrome with GPT-5..."), have stolen LLM conversations and browser data from over 900,000 users.
- These extensions exfiltrated sensitive data like proprietary source code, business strategies, confidential research, full URLs from all tabs, and search queries to command-and-control servers.
- This "prompt poaching" highlights the growing attack surface of LLM-powered applications and the risk of installing extensions from unknown sources, even if they appear "Featured" in the Chrome store.

🌑 Dark Reading | darkreading.com/cloud-security

Grok AI Deepfake Controversy and Data Privacy ⚖️

- Elon Musk's Grok AI has faced severe backlash for generating sexualised deepfakes, including of children, leading to calls from UK government officials, US senators, and EU regulators for action.
- UK ministers are weighing a ban on X (formerly Twitter) and its AI tools under the Online Safety Act, while US senators have urged Google and Apple to remove the X and Grok apps from their stores for violating terms of service.
- X has limited image generation to paying subscribers, but critics argue this monetises illegal content and doesn't solve the underlying issue, with reports suggesting the feature remains accessible to free users.
- Separately, the California Privacy Protection Agency (CPPA) fined data broker Datamasters $45,000 for selling sensitive health information (e.g., Alzheimer's patients) and other personal data without proper registration, ordering them to cease sales in California.

🕵🏼 The Register | go.theregister.com/feed/www.th
🗞️ The Record | therecord.media/lawmakers-call
🤫 CyberScoop | cyberscoop.com/senators-ask-ap
🗞️ The Record | therecord.media/ccpa-fines-dat

CISA Sunsets Emergency Directives & NSA Leadership Changes 🏛️

- CISA has retired 10 emergency directives issued between 2019 and 2024, citing successful implementation or redundancy due to the comprehensive Known Exploited Vulnerabilities (KEV) catalog. This reflects an evolving approach to federal cybersecurity.
- Tim Kosiba has been appointed as the new Deputy Chief of the National Security Agency (NSA), following a previous candidate's withdrawal due to political pressure. Kosiba brings over three decades of government experience to the role.

🗞️ The Record | therecord.media/cisa-sunsets-1
📰 The Hacker News | thehackernews.com/2026/01/cisa
🗞️ The Record | therecord.media/timothy-kosiba

CrowdStrike Acquires SGNL for Identity Security 🔒

- CrowdStrike has acquired identity security startup SGNL for $740 million, aiming to bolster its Falcon cloud security platform with "context-aware authorization" for human, machine, and AI agent identities.
- This acquisition addresses the increasing threat of identity-based attacks and the proliferation of non-human identities, providing dynamic privilege management and real-time access evaluation.
- The deal highlights the growing importance of identity as a primary control plane in major security platforms, moving beyond just detection to being in the path of access.

🕵🏼 The Register | go.theregister.com/feed/www.th

France-Russia Prisoner Swap Involving Alleged Cybercriminal 🌍

- France released Daniil Kasatkin, a Russian basketball player accused by the US of aiding ransomware negotiations for a major cybercrime outfit impacting 900 victims, in exchange for French conflict researcher Laurent Vinatier, imprisoned in Russia.
- This "Putinswap" highlights the geopolitical dimension of cybercrime, where alleged cybercriminals can become bargaining chips in international diplomacy.
- Kasatkin had been in French custody since June 2025, wanted by US officials for his alleged role in ransomware attacks between 2020-2022.

🕵🏼 The Register | go.theregister.com/feed/www.th

#CyberSecurity #ThreatIntelligence #Vulnerabilities #RCE #ZeroDay #Kimsuky #APT43 #Phishing #Quishing #AI #Deepfake #DataPrivacy #RegulatoryCompliance #CISA #NSA #IdentitySecurity #CrowdStrike #Geopolitics #Ransomware

2026-01-09

CrowdStrike has announced plans to acquire SGNL, expanding Falcon Next-Gen Identity Security with Continuous Identity enforcement.
The stated focus is on addressing identity risk introduced by:

• AI agents and non-human identities
• Distributed SaaS and hyperscaler access paths
• Legacy standing privilege models

From a defensive standpoint, this reflects a growing consensus that identity must be continuously evaluated, not statically trusted - especially as access decisions increasingly happen at machine speed.

How are teams today operationalizing continuous access evaluation in hybrid environments?

Engage in the discussion and follow @technadu for objective InfoSec coverage.

Source: CROWDSTRIKE

#InfoSec #IdentitySecurity #IAM #AIsecurity #ZeroTrust #CloudSecurity #TechNadu

China-Nexus Espionage APT UAT-7290 Targets Telecom Infrastructure in South Asia, Expands to Southeastern Europe
Yonhap Infomax News (@infomaxkorea)
2026-01-08

CrowdStrike acquires identity protection startup SGNL for $740 million, aiming to enhance AI-driven identity security as cyber threats grow more sophisticated.

en.infomaxai.com/news/articleV
