
A
From the CISO series, it's Cybersecurity Headlines.
B
These are the cybersecurity headlines for Tuesday, January 20, 2026. I'm Sarah Lane.

Gemini prompt injection flaw exposes calendar info. Mego Security found a prompt injection issue in Google Gemini that lets attackers hide instructions inside Calendar invites. When users asked Gemini basic scheduling questions, the model copied private meeting details into a new Calendar event visible to the attacker. Google patched the issue after disclosure. Researchers say AI-native workflows broaden the attack surface as other labs recently demonstrated similar data exfiltration and privilege escalation paths across Copilot, Vertex AI agents and multiple AI coding IDEs.

Hacker admits to leaking stolen Supreme Court data. 24-year-old Nicholas Moore of Springfield, Tennessee pleaded guilty to hacking the US Supreme Court's electronic filing system more than 25 times in 2023, using stolen credentials, then posting screenshots to an Instagram account to show off the breach. Prosecutors say he also accessed AmeriCorps and VA systems with stolen logins, leaking personal and health data from victims. He faces up to a year in prison and a $100,000 fine.

Researchers uncover PDF Cider malware. PDF Cider is a newly documented backdoor malware delivered via DLL sideloading in spear phishing zip files. Security firm Resecurity says it uses a fake PDF24 executable to evade AV and EDR, runs commands in memory over an AES-encrypted C2 channel and includes anti-VM checks, DNS exfiltration and decoy intelligence docs. Researchers describe it as an APT-style tooling focused on stealth and long-term access rather than mass infection.

Acting CISA chief sought ouster of CIO. Political sources say acting CISA Director Madhu Gautamakala moved to push out the agency's Chief Information Officer Robert Costello last week, issuing a rapid reassignment that would have forced Costello to resign or transfer within the Department of Homeland Security. Senior political appointees reportedly objected and DHS halted the move. Costello is viewed by many as one of CISA's strongest technical leaders. Sources say Costello and Garmacala previously clashed on contracting and policy decisions.

Huge thanks to our sponsor DropZone AI. It's 2 a.m. and an alert fires: possible data exfiltration. Your on-call analyst is three time zones away, half asleep, context switching between tools. By the time they piece together the evidence, 45 minutes have passed. Was it a real threat or another false positive? The clock is ticking. Tomorrow we'll tell you how 300 enterprises solved this exact problem. But if you can't wait, head on over to DropZone AI to learn more.

Malware broker set for sentencing. Jordanian national Faras Khalil Ahmad Al Bashidi pleaded guilty to acting as an initial access broker selling network access and malware to an undercover FBI agent in 2023. Prosecutors say Al Bashidi, operating as Riz, that's R1Z, facilitated attacks against at least 50 U.S. companies and sold an EDR-disabling tool that ultimately exposed his IP address and tied him to a $50 million ransomware incident. He was extradited in 2024 and faces sentencing in May with up to 10 years in prison and a $250,000 fine.

Ingram Micro says attack affected 42K-plus people. Ingram Micro disclosed updated details from its July 2025 ransomware incident, confirming stolen data affected more than 42,000 people, including Social Security numbers and job applicant records. The attack caused a days-long outage, work-from-home orders and 3.5 terabytes of documents stolen. While the company still hasn't formally attributed the breach, SafePay claimed responsibility last summer and has since become one of the more active ransomware crews, filling gaps left by LockBit and Black Hat.

TP-Link patches VIGI camera vulnerability. TP-Link pushed fixes for a high-severity auth bypass in more than 32 VIGI and VIGI Insight surveillance camera models. Reddened co-founder Arco Dar says attackers can reset admin passwords and take full control, including video feeds. When he found the bug back in October, he says he counted more than 2500 exposed cameras online. The cameras are widely deployed globally and previous TP-Link flaws have been abused in the wild, making patching urgent.

Windows 11 shutdown bug forces Microsoft into out-of-band damage control. Microsoft issued an out-of-band Windows 11 update on January 17th to fix shutdown, restart and hibernation issues caused by January's Patch Tuesday. The problem affected systems with System Guard Secure Launch enabled, preventing proper shutdowns and causing laptops and desktops to drain power. The update also addresses a remote desktop authentication bug. While a separate Outlook POP issue remains unresolved, Microsoft urges affected users to install KB57 7797, reminding us that security updates can create unexpected side effects.

When the glut of LLM-based tools started cropping up, many assumed they could never approximate the human creativity needed to be effective red teamers by themselves. But these tools are proving remarkably effective. So what's left for the red team that can't be automated? That's one of the questions we'll try to answer on this week's episode of the CISO Series podcast. Look for the episode "AI is very efficient at making us forget the value of humans" wherever you get your podcasts.

If you have thoughts on the news from today or about our show in general, be sure to reach out to us at feedback@cisoseries.com. We'd love to hear from you. I'm Sarah Lane reporting for the CISO Series and we will talk to you today. Tomorrow.
A
Cybersecurity Headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Host: Sarah Lane, CISO Series
Episode Theme:
A fast-paced rundown of the day’s top infosec stories, from AI vulnerability revelations and major legal proceedings to new malware discoveries and significant incidents across the cybersecurity landscape.
"Researchers say AI-native workflows broaden the attack surface as other labs recently demonstrated similar data exfiltration and privilege escalation paths across Copilot, Vertex AI agents and multiple AI coding IDEs." – Sarah Lane [00:36]
"...pleaded guilty to hacking the US Supreme Court's electronic filing system more than 25 times in 2023, using stolen credentials, then posting screenshots to an Instagram account to show off the breach." – Sarah Lane [00:57]
"Researchers describe it as an APT-style tooling focused on stealth and long-term access rather than mass infection." – Sarah Lane [01:49]
"Senior political appointees reportedly objected and DHS halted the move. Costello is viewed by many as one of CISA's strongest technical leaders." – Sarah Lane [02:14]
"...facilitated attacks against at least 50 U.S. companies and sold an EDR disabling tool that ultimately exposed his IP address and tied him to a $50 million ransomware incident." – Sarah Lane [03:22]
"The attack caused a days long outage, work from home orders and 3.5 terabytes of documents stolen." – Sarah Lane [04:05]
"Attackers can reset admin passwords and take full control, including video feeds... he counted more than 2500 exposed cameras online." – Sarah Lane (quoting Arco Dar) [04:34]
"Microsoft urges affected users to install KB57 7797, reminding us that security updates can create unexpected side effects." – Sarah Lane [05:23]
On Red Team Automation and AI:
[05:35]
"When the glut of LLM based tools started cropping up, many assumed they could never approximate the human creativity needed to be effective red teamers by themselves. But these tools are proving remarkably effective. So what's left for the red team that can't be automated?"
Closing Reflection:
"AI is very efficient at making us forget the value of humans." – Sarah Lane [05:54]
| Segment | Timestamp |
|---------|-----------|
| Gemini prompt injection/AI attack surface | 00:11–00:53 |
| Supreme Court breach admission | 00:54–01:22 |
| PDFSIDER malware discovery | 01:23–02:01 |
| CISA internal dispute over CIO | 02:01–03:11 |
| Malware broker sentencing | 03:12–03:50 |
| Ingram Micro ransomware update | 03:51–04:26 |
| TP-Link VIGI camera vulnerability | 04:27–04:57 |
| Windows 11 emergency patch | 04:58–05:34 |
| Red teaming automation, AI & human value (teaser) | 05:35–06:16 |
For in-depth coverage or source links for each story, visit CISOSeries.com.