Posts

Windows Server Update Hardening for Jan. 13 Update

Microsoft is hardening a Windows Server component. The focus is on Windows Deployment Services (WDS), which supports "hands-free deployment" using an Unattend.xml answer file for automated installations. A vulnerability (CVE-2026-0386) was discovered that could allow attackers to intercept this file over insecure channels, leading to remote code execution (RCE) and credential theft.

Key Points:
- The Patch Tuesday update (KB5074109) introduced the first phase of changes on January 13, 2026.
- Microsoft will phase out hands-free deployment over insecure connections: it is currently still supported but discouraged, and IT admins can disable it via registry keys now.
- By April 2026, hands-free deployment will be blocked by default unless explicitly re-enabled. Microsoft warns that re-enabling this feature after April will be considered insecure.
- Additional event logs are being added to help admins monitor deployment configurations.
- Despite the active vulnerability, Microsoft is not immedia...

FortiOS and FortiSwitch Manager Vulnerability

CVE-2025-25249 — Heap-Based Buffer Overflow (High Severity)

The flaw exists in the cw_acd daemon, which handles certain network communications in FortiOS and FortiSwitch Manager. A heap-based buffer overflow occurs when the daemon improperly manages memory and writes beyond allocated bounds. By sending specially crafted packets, a remote attacker can corrupt memory and potentially execute arbitrary code or commands.

Why It's Dangerous
- No authentication required: the attacker does not need credentials.
- Network-reachable: can be triggered if the vulnerable service is exposed to untrusted networks (e.g., WAN, misconfigured management interfaces).
- High impact: successful exploitation allows running arbitrary commands, modifying configurations, intercepting traffic, and installing persistence mechanisms.

Affected Products & Versions
According to the advisory, the following versions are vulnerable:
FortiOS 7.6.0 – 7.6.3, 7.4.0 – 7.4.8, 7.2.0 – 7.2.11, 7.0.0 – 7....

Microsoft Patch Tuesday for January 2026

1. Actively Exploited Zero-Day (CVE-2026-20805)
Impact: Attackers can read sensitive memory addresses, weakening ASLR and enabling exploit chaining.
Risk: High for environments running Windows Desktop Window Manager (DWM).
Action: Prioritize patching all Windows endpoints and servers immediately.

2. Secure Boot Certificate Expiration (CVE-2026-21265)
Impact: Expired certificates could allow Secure Boot bypass, undermining OS integrity.
Risk: Critical for enterprises relying on Secure Boot for compliance and device trust.
Action: Update Secure Boot certificates and validate boot chain integrity across all managed devices.

3. Legacy Driver Privilege Escalation (CVE-2023-31096)
Impact: Vulnerable modem drivers (agrsm.sys) can grant attackers elevated privileges.
Risk: High in environments with older hardware or legacy drivers still present.
Action: Remove deprecated drivers and apply patches to prevent privilege escalation.

4. Broader Vulnerability Landscape
114 flaws total...

Why Attackers Use LinkedIn for Phishing

- Bypasses Email Security: LinkedIn direct messages (DMs) don't go through corporate email gateways, so traditional anti-phishing tools can't detect them. This creates a blind spot for security teams.
- High Trust Factor: Users expect outreach from recruiters or business contacts, making them more likely to engage with malicious messages.
- Rich OSINT Data: Public profiles reveal names, job titles, and company details, enabling attackers to craft convincing spear-phishing campaigns.
- Scalable & Cheap: Hijacked accounts and AI-generated messages allow attackers to run large-scale campaigns quickly and at low cost.
- Credential Harvesting: Many attacks redirect victims to fake Microsoft login pages, stealing credentials and even bypassing MFA using Adversary-in-the-Middle techniques.

Common Attack Patterns
- Fake Recruiter Messages: Offering job opportunities with malicious attachments or links.
- Investment Scams: Redirecting...

Target’s on-prem GitHub Enterprise Server Exposed

Hackers claimed to have stolen and were selling Target's internal source code, posting samples on Gitea, a public development platform. Multiple current and former Target employees confirmed the leaked materials were authentic, matching internal systems and infrastructure.

The leaked data included:
- Internal system names like BigRED and TAP [Provisioning].
- References to Hadoop datasets, proprietary CI/CD tooling based on Vela, and supply-chain tools like JFrog Artifactory.
- Internal taxonomy identifiers such as "blossom IDs", which are unique to Target's environment.

These details strongly indicate the leak was not fabricated but came from real internal repositories.

Accelerated Git Lockdown
After being contacted about the leak, Target implemented an "accelerated" security change: effective January 9, 2026, access to git.target.com (Target's on-prem GitHub Enterprise Server) now requires connection to a Target-managed network (on-site or via VPN). Previously, the Git ser...

Instagram Data Leak Update

Instagram Data Leak

What Happened?
Cybersecurity firm Malwarebytes discovered a dataset containing personal information from approximately 17.5 million Instagram accounts circulating on dark web forums. The leaked data reportedly includes:
- Usernames
- Email addresses
- Phone numbers
- Partial physical addresses
- In some cases, location details.

How Did It Occur?
The data appears to have been scraped via Instagram's API, likely exploiting weaknesses in rate-limiting or privacy safeguards. A threat actor using the alias "Solonik" posted the dataset on BreachForums, claiming it originated from a 2024 API leak. Meta (Instagram's parent company) denies any breach of internal systems, stating that the surge in password reset emails was due to a bug that allowed external parties to trigger reset requests, not unauthorized access.

Risks to Users
- Phishing & Social Engineering: Attackers can craft convincing messages using real account details.
- SIM-Swapping & Account Takeove...

ConsentFix and Mitigation

What is ConsentFix?
ConsentFix is a sophisticated attack that exploits the OAuth 2.0 authorization code flow, a legitimate mechanism used by applications like Azure CLI and PowerShell to authenticate users. Instead of breaking passwords or bypassing MFA through brute force, attackers manipulate this trusted flow to steal authorization codes, which can then be exchanged for access tokens granting entry to Microsoft Entra resources.

How Does It Work?
1. Malicious Login URI: Attackers craft a Microsoft Entra login URL targeting trusted apps (e.g., Azure CLI) and resources (e.g., Azure Resource Manager).
2. User Interaction: Victims are lured to a phishing page or malicious site that triggers this login flow. After successful authentication, the browser redirects to a localhost URI (e.g., http://localhost:<port>), which normally would be handled by the legitimate app.
3. Authorization Code Exposure: Because no app is listening on localhost, the browser shows an error—but the aut...