Cyber Intelligence Weekly

Cyber Intelligence Weekly (January 18, 2026): Our Take on Three Things You Need to Know

Welcome to our weekly newsletter where we share some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!

To receive these and other curated updates to your inbox on a regular basis, please sign up for our email list here: https://echeloncyber.com/ciw-subscribe

Before we turn to this week’s edition of Cyber Intelligence Weekly, I want to pause and introduce a new CISO Spotlight Series: The Human Side of Cybersecurity.

This series is grounded in conversation rather than commentary. It centers on CISOs who are in the seat—navigating real leadership pressure, complex risk decisions, and the human realities of building and sustaining security programs. Some are earlier in their journey, others further along paths many of you may recognize or aspire toward. What they share isn’t theory. It’s experience—earned through moments of progress, frustration, growth, and reflection. These conversations are for the professionals who show up every day to quietly carry the weight of this industry.

As part of the series, I sat down with John O'Rourke, CISO at PPG Industries, to talk about how the security role evolves inside a large, globally distributed manufacturing organization. Early in our conversation, John reflected on his 18-year career at PPG, beginning in software development and M&A integration before moving into security leadership. That transition shaped how he thinks about risk, governance, and accountability—and the conversation quickly moved beyond tools to the realities of scale and responsibility.

John shared how his leadership approach changed as threats accelerated and the organization grew. He spoke candidly about stepping back from day-to-day technical decisions and focusing instead on building strong teams, establishing trust-based operating models, and becoming comfortable empowering others to lead—while ultimately remaining accountable for outcomes. We also spent meaningful time on burnout, where John emphasized the importance of rotations, depth of coverage, and intentionally disconnecting from work to avoid fatigue-driven mistakes.

The conversation also challenged some common assumptions in enterprise security. John was direct about his skepticism around the value many organizations place on third-party risk questionnaires, noting the significant resource investment and limited measurable impact when standards and accountability are unclear. In contrast, he argued that governance quality and process rigor often deserve far more attention than they receive.

For those earlier in their careers, John addressed a misconception head-on: the CISO role is not primarily a technical one. As scope and influence grow, understanding the business, managing risk tradeoffs, and communicating clearly with executive leadership become far more important than being the most technical person in the room. His advice was simple and grounded—earn trust first. Influence and investment tend to follow.

🎥 Watch the full conversation here: https://www.youtube.com/watch?v=vgI7VRcITI4

Away we go!

1. Hackers Actively Exploiting Critical Fortinet FortiSIEM Flaw

A newly disclosed vulnerability in Fortinet FortiSIEM has moved rapidly from proof-of-concept to real-world exploitation, reinforcing a familiar pattern: once offensive research becomes public, defenders are immediately racing the clock. The flaw, tracked as CVE-2025-64155, allows unauthenticated attackers to execute arbitrary commands and escalate privileges all the way to root access. Within days of technical details being published, threat actors began actively exploiting the weakness in the wild.

According to researchers at Horizon3.ai, the issue stems from exposed command handlers in FortiSIEM’s phMonitor service that can be invoked remotely without authentication. By abusing argument injection, attackers can overwrite system scripts and gain full control of the underlying appliance. While Fortinet released patches earlier this week, exploitation was confirmed shortly afterward by multiple threat-intelligence teams observing live attacks against vulnerable systems.

What makes this incident particularly concerning is not just the severity of the vulnerability, but its placement. FortiSIEM sits at the center of many security operations, aggregating logs, alerts, and telemetry from across the enterprise. A compromised SIEM doesn’t merely represent a single breached system — it creates the opportunity for attackers to suppress detections, erase forensic evidence, and move laterally under the cover of compromised monitoring infrastructure.

For security leaders, the takeaway is straightforward but uncomfortable: defensive tooling is now a primary target. Organizations running FortiSIEM should treat this as a high-urgency event — patch immediately, restrict access to the phMonitor service where patching isn’t yet possible, and review logs for indicators of compromise. More broadly, this incident underscores the need to treat security platforms with the same zero-trust assumptions applied to production systems. When attackers gain root on the tools meant to protect us, the balance of power shifts quickly.

Critical React Server Components Vulnerability Prompts Urgent Patching

On the cloud security front, a high-severity remote code execution vulnerability affecting React Server Components has surged into prominence over the past week, prompting widespread patch guidance and automated protections from major vendors. The flaw, tracked as CVE-2025-55182, impacts server-side React frameworks that are ubiquitous in modern web applications and cloud-deployed services. Researchers noted that even applications that don’t explicitly expose React server endpoints may still be vulnerable if they incorporate certain server component configurations.

Wiz and other cloud security teams stressed the danger of this exploit due to its unauthenticated remote execution vector: attackers can send crafted HTTP requests that trigger insecure deserialization paths, leading to full code execution on affected servers. The issue stems from how React Server Components handle untrusted inputs when running code on the server, and standard deployments are immediately at risk without mitigation.

Cloud providers and edge protection services have already responded: Google Cloud Armor rolled out new rules to detect and block exploitation patterns associated with CVE-2025-55182, and Cloudflare announced protections that automatically shield customers from common exploit behaviors. Security tooling has also emerged that scans for exposed React Server Component implementations.

For cloud architects and DevOps practitioners, this vulnerability underscores a broader truth: cloud security isn’t just about infrastructure misconfigurations or IAM policies — it extends deeply into the application frameworks that power modern distributed systems. Ensuring timely patching, runtime protection, and dependency hygiene must be treated as core elements of every cloud security strategy.

2. Law Enforcement Closes In on Black Basta as International Manhunt Expands

European law enforcement agencies have taken a meaningful step against the ransomware ecosystem this week, announcing coordinated actions targeting members of the Russia-linked Black Basta operation. Authorities in Ukraine and Germany confirmed raids on the homes of two Ukrainian nationals accused of supporting the group’s intrusion activity, while German investigators placed the suspected ringleader—a Russian national—on an international wanted list. The case underscores a growing willingness among Western governments to pursue not just ransomware infrastructure, but the people behind it.

According to investigators, the two suspects arrested in western Ukraine played a specialized but critical role inside the Black Basta operation. Rather than deploying ransomware directly, they allegedly focused on cracking stolen password hashes and extracting credentials from compromised systems. Those credentials were then used to move laterally inside victim networks, escalate privileges, exfiltrate sensitive data, and ultimately enable ransomware deployment. This division of labor mirrors the increasingly industrialized structure of modern ransomware groups, where access brokers, developers, negotiators, and money launderers operate as distinct roles.

German authorities identified the group’s alleged leader as Oleg Nefedov, a 36-year-old Russian citizen accused of orchestrating Black Basta’s campaigns. Investigators say he selected targets, managed affiliates, negotiated ransom payments, and distributed proceeds—typically demanded in cryptocurrency. Nefedov is believed to be in Russia and has been placed on an international wanted list via Interpol, though extradition remains unlikely. The group’s victims have included major organizations such as ABB and Ascension, with total damages estimated in the hundreds of millions.

For defenders, this case reinforces two important realities. First, ransomware remains deeply entangled with geopolitical boundaries, where enforcement effectiveness often stops at national borders. Second, takedowns—even partial ones—matter. Disrupting credential-harvesting operations and exposing leadership structures raises costs for attackers and slows campaigns. But the broader lesson is unchanged: ransomware is no longer a technical nuisance—it’s a transnational criminal enterprise. Long-term risk reduction will require sustained law enforcement cooperation, stronger financial tracking, and continued pressure on the safe havens that allow these groups to operate with relative impunity.

Microsoft Copilot “Reprompt” Exploit Underscores Prompt Injection Risk

This week brought renewed focus on the fragility of AI assistants after security researchers disclosed a serious vulnerability in Microsoft Copilot that allowed attackers to extract sensitive user data with a single click. The flaw, dubbed the “Reprompt” exploit, was identified by Varonis Threat Labs and worked by embedding a malicious parameter in a phishing link that instructed Copilot to fetch and exfiltrate data — even when the AI interface wasn’t actively open. According to the analysis, this technique bypassed enterprise controls and required no further user interaction beyond clicking the initial URL, exposing information such as recent files and potentially personal identifiers. Microsoft patched the vulnerability in January 2026, but the discovery highlights ongoing risks within AI assistant workflows that rely on loosely validated prompts.

What makes this incident particularly noteworthy is how it illustrates the continued evolution of prompt manipulation attacks — a class of vulnerabilities where adversarial inputs are engineered not to break the model, but to coax it into performing unintended actions. The “Reprompt” method functions by exploiting the AI’s inherent flexibility in interpreting instructions, transforming data retrieval and URL processing into a vector for exfiltration.

For defenders, this means strengthening phishing defenses and examining how AI assistants interact with external content and hyperlinks. Security teams should treat AI outputs with suspicion and ensure strict boundaries around actions that involve sensitive information or external network requests. Prompt hardening, careful input validation, and user education about phishing remain core mitigations.

Ultimately, while this specific flaw has been remediated, the underlying dynamics — where attackers weaponize normal features of AI systems — will continue to challenge traditional security models. Organizations should assume that sophisticated prompt injection and repurposing of AI features will be part of the threat landscape moving forward.

3. Anchorage Police Cyber Response Highlights Growing Third-Party Risk for Local Governments

The Anchorage Police Department took swift containment measures this month after learning that one of its technology service providers had suffered a cyber incident, underscoring how third-party risk continues to challenge public sector organizations. According to city officials, the issue stemmed from a January 7 notification by Whitebox Technologies, a vendor used by the department for data migration services. While details about the attack remain limited, the police department emphasized that the response was precautionary and aimed at minimizing any downstream risk.

As part of its response, the city’s IT department shut down affected police servers, revoked vendor and third-party access, and oversaw the deletion of all remaining Anchorage Police Department data from the vendor’s systems. Officials stated there is currently no evidence that APD systems were directly compromised or that sensitive police data was accessed by the threat actor. Even so, the department has committed to heightened monitoring and additional safeguards, along with notifications should any impacted individuals later be identified.

The incident illustrates a recurring pattern in municipal cybersecurity: attackers increasingly target service providers that sit adjacent to government systems rather than the agencies themselves. Data migration firms, emergency notification providers, and managed IT vendors often have privileged access during routine operations, making them attractive targets. Anchorage officials were careful to note that the incident was unrelated to a recent citywide 311 outage, but the timing reinforces how quickly operational disruptions can compound during periods of heightened cyber activity.

For local governments nationwide, the takeaway is clear. Third-party risk management can no longer be treated as a procurement checkbox—it requires continuous oversight, rapid isolation capabilities, and clearly defined incident response playbooks that extend beyond internal systems. Anchorage’s response demonstrates how decisive containment actions can reduce uncertainty and limit exposure, even when an investigation is still unfolding. As vendor ecosystems grow more complex, this type of readiness is quickly becoming table stakes for public sector cyber resilience.

Thanks for reading!

About us: Echelon is a full-service cybersecurity consultancy that offers holistic cybersecurity program building through vCISO or more specific solutions like penetration testing, red teaming, security engineering, cybersecurity compliance, and much more! Learn more about Echelon here: https://echeloncyber.com/about

Are you ready to get started?