
Cybersecurity Today would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless and cellular, in one integrated solution that's built for performance and scale. You can find them at meter.com/CST.
Millions of devices freed from the clutches of nation state hackers, AI agents hijacked with a single URL, single sign-on systems compromised through phishing attacks, Polish energy infrastructure targeted by state-linked cyber ops, and antivirus software allegedly used to deliver malware. This is Cybersecurity Today and I'm your host, David Shipley. Let's get started. Millions of people were unknowingly letting criminals and nation state hackers use their home and mobile Internet connections to hide cyberattacks, according to reporting by Android Central. Google has disrupted a massive residential proxy network known as IPIDEA, which until recently was operating quietly at global scale. IPIDEA wasn't traditional malware. It was a proxy network embedded inside hundreds of Android apps and developer toolkits. Once installed, those apps could silently turn a device into an Internet relay, routing other people's traffic through it. That meant malicious activity didn't come from suspicious data centers; it came from real phones, real homes, real people. Google's Threat Intelligence Group says the network was used by more than 550 tracked threat groups in a single week, including organized cybercriminals and state-linked actors tied to China, Russia, Iran and North Korea. The infrastructure supported credential theft, espionage, denial of service attacks, and command and control traffic. Last week, Google took legal and technical action to shut down IPIDEA-related domains, updated Google Play Protect to remove affected apps, and coordinated with partners to disrupt backend systems. Google says roughly 9 million Android devices were removed from the network, along with hundreds of compromised apps. Parts of the infrastructure may still exist, but the scale of abuse has been sharply reduced. If you wanted to take over every AI agent on one of the Internet's newest and most talked about AI platforms, you really didn't need to hack much. You just needed a URL.
You heard that right. The AI agent platform Jim noted last week was a security hot mess. According to reporting by 404 Media on Saturday, Moltbook, billed as a social network for autonomous AI agents, left its backend database completely exposed, allowing anyone to take control of any agent on the platform. Security researcher Jamison O'Reilly discovered that Moltbook's Supabase database exposed API keys, verification tokens and ownership data for every registered agent. Those keys effectively act as passwords, allowing agents to post and act online. The issue stemmed from a basic configuration failure. Supabase exposes APIs by default, but relies on row-level security rules to protect data. In this case, those protections were either never enabled or never properly configured. Compounding the issue, the database URL and publishable keys were visible in Moltbook's own code. Anyone who found them could retrieve agent secrets and post whatever they wanted to as any agent. 404 Media verified the exposure and demonstrated account takeover with permission. O'Reilly says the flaw could have been prevented with just two SQL statements. Some affected agents belong to high-profile figures in the AI community, raising the risk of impersonation, scams and reputational damage. The database has since been secured and there's no evidence of malicious exploitation prior to disclosure. Welcome to 2026's answer to unsecured AWS S3 buckets. Our next story shows how attackers are abusing single sign-on platforms to move quickly through cloud environments. According to new reporting from Mandiant, the ShinyHunters extortion group and its affiliates are stealing large volumes of cloud data by targeting SSO platforms like Okta, Microsoft Entra and Google. The attacks begin with voice phishing, or vishing. Threat actors impersonate corporate IT or help desk staff and call employees directly, claiming there's an issue with multi-factor authentication.
During the call, the employee is directed to a company-branded phishing site designed to look like a legitimate login portal. These sites use advanced phishing kits that allow attackers to interact with victims in real time. As credentials are entered, attackers immediately relay them, trigger legitimate MFA challenges and instruct the employees on how to respond, approving push notifications or entering one-time codes. That allows attackers to authenticate and register their own MFA devices. Once inside, attackers log into the organization's SSO dashboard, which in some cases may list every connected SaaS application the user can access, including Salesforce, Microsoft 365, SharePoint documents, Slack, Google Drive, and so on. Mandiant observed bulk data downloads via scripted access using PowerShell, and attackers deleting security notification emails to conceal new MFA enrollment. Mandiant is tracking multiple threat clusters involved, with ShinyHunters handling extortion and stolen data already appearing on leak sites. Earlier this month we told you about a failed cyber attack targeting Poland's energy sector. Now new details from Polish authorities reveal how broad and coordinated that operation was. Poland's national Computer Emergency Response Team, CERT Polska, says attackers linked to Russian state security services targeted more than 30 wind and solar farms, a manufacturing company and a large combined heat and power plant. The attacks took place on December 29, 2025 and are attributed to a threat cluster known as Static Tundra, which CERT Polska assesses is connected to Russia's Federal Security Service. According to CERT Polska, the attacks had a destructive objective. Communications between renewable energy facilities and grid operators were disrupted, but electricity production thankfully continued. An attempted attack on a combined heat and power plant supplying nearly 500,000 customers also thankfully failed to cause an outage.
Investigators say attackers accessed internal networks tied to substations, conducted reconnaissance, damaged firmware on industrial controllers, deleted system files and attempted to deploy custom wiper malware known as DynoWiper. The malware was deployed on industrial human-machine interface systems and network shares after attackers gained access through vulnerable FortiGate devices and SSL VPN services. CERT Polska also reports months-long data theft, lateral movement and the use of stolen credentials to access Microsoft 365, Exchange, Teams and SharePoint, with particular interest in SCADA and operational technology projects. Our final story today is a reminder that even security software can be an attack vector. SecurityWeek reports that some customers of eScan antivirus were infected with malware after attackers compromised an official update server operated by MicroWorld Technologies. The incident became public on January 29 after cybersecurity firm Morphisec warned that malicious updates were actively tampering with user systems. According to Morphisec, attackers distributed a malicious file called reload.exe through eScan's legitimate update infrastructure. Once installed, it blocked future updates, altered antivirus functionality, established persistence, and downloaded additional payloads. Because compromised systems were cut off from update servers, automatic remediation was impossible, forcing users to contact eScan directly for a cleanup. MicroWorld Technologies says it detected unauthorized access on January 20th and isolated the affected update servers. In a customer advisory, eScan confirmed a regional update server was compromised and acknowledged medium to high impact for some enterprise customers. The company has disputed Morphisec's characterization of the incident as a supply chain attack and has indicated it is working with legal counsel.
In response to the disclosure, eScan says remediation tools have been released and normal update operations restored. Those are the stories for Monday, February 2nd. If you enjoy the show, please consider giving us a like, subscribing, or leaving a review on your favorite podcast service. We'd love to reach even more people and we continue to need your help. Consider telling folks about Cybersecurity Today. I'm David Shipley. Thanks for listening. Have a great week. Jim Love will be back on the news desk on Wednesday.
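The Moltbook story above turns on Supabase's row-level security (RLS) being left off, and on the researcher's remark that two SQL statements would have prevented the exposure. The following is an added example written for this page, not code from the podcast, 404 Media or Moltbook's own code base: a Postgres/Supabase schema modelled on the exposure, with the weak state and the hardened state side by side. The table `public.agents` and its columns are assumptions; `auth.uid()`, `auth.users` and the `anon`/`authenticated` roles are Supabase's standard ones.

```sql
-- Hypothetical table modelled on the exposure described: one row per agent,
-- with the agent's API key and verification token stored next to its owner.
CREATE TABLE public.agents (
  id                 uuid PRIMARY KEY DEFAULT gen_random_uuid(),
  owner_id           uuid NOT NULL REFERENCES auth.users (id),
  name               text NOT NULL,
  api_key            text NOT NULL,
  verification_token text NOT NULL
);

-- Weak state: RLS off. Anyone holding the publishable (anon) key can read
-- every row, api_key included, through the auto-generated REST API.
-- A table created with plain SQL starts in this state.

-- Fix 1: enable RLS. With no policies defined yet, every request made as
-- anon or authenticated is denied by default; this alone closes the leak.
ALTER TABLE public.agents ENABLE ROW LEVEL SECURITY;

-- Fix 2: apply RLS to the table owner too, so a connection that happens to
-- use the owner role cannot bypass the policies.
ALTER TABLE public.agents FORCE ROW LEVEL SECURITY;

-- Then grant back only what the product needs: a logged-in user may see and
-- update their own agents. auth.uid() is the JWT subject of the caller.
CREATE POLICY agents_select_own ON public.agents
  FOR SELECT TO authenticated
  USING (owner_id = (SELECT auth.uid()));

CREATE POLICY agents_update_own ON public.agents
  FOR UPDATE TO authenticated
  USING (owner_id = (SELECT auth.uid()))
  WITH CHECK (owner_id = (SELECT auth.uid()));

-- No policy exists for anon, so the publishable key sees nothing at all.
-- Belt and braces: drop the default table grants from anon as well.
REVOKE ALL ON public.agents FROM anon;

-- Secrets the client never needs should not be SELECTable even by the owner
-- through the API: expose a view without the secret columns instead.
-- security_invoker makes the view run under the caller's RLS (Postgres 15+).
CREATE VIEW public.agents_public WITH (security_invoker = true) AS
  SELECT id, owner_id, name FROM public.agents;
```

The two `ALTER TABLE` statements are the minimum; the policies, the `REVOKE` and the view are what a defender adds so that the next engineer who queries the table from a client cannot reintroduce the problem. A quick check after deploying is to call the REST endpoint with only the publishable key and confirm it returns an empty result rather than rows.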
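The Mandiant story above names two observables that survive the social engineering: a new MFA factor is enrolled, and the security notification about it is then deleted from the mailbox. As an added detection example (constructed for this page, not Mandiant's or the podcast's own), here is that sequence expressed as a Postgres query over a hypothetical flattened audit table. The table `audit_events`, the event names and the sample rows are all assumptions; in practice the same join runs over whatever your SIEM exposes for IdP and mailbox audit events.

```sql
-- Constructed sample: IdP and mailbox audit events flattened into one table.
CREATE TEMP TABLE audit_events (
  ts          timestamptz NOT NULL,
  user_email  text        NOT NULL,
  source_ip   inet        NOT NULL,
  event_type  text        NOT NULL,   -- hypothetical names, e.g. 'mfa.factor.enrolled'
  detail      text
);

INSERT INTO audit_events VALUES
  ('2026-01-29 14:02:10+00', 'alice@example.com', '203.0.113.7',  'login.success',        'push approved'),
  ('2026-01-29 14:03:41+00', 'alice@example.com', '203.0.113.7',  'mfa.factor.enrolled',  'authenticator app'),
  ('2026-01-29 14:05:02+00', 'alice@example.com', '203.0.113.7',  'mail.message.deleted', 'subject: New MFA device registered'),
  ('2026-01-29 14:09:30+00', 'alice@example.com', '203.0.113.7',  'app.bulk_download',    'sharepoint 1843 files'),
  ('2026-01-30 09:15:00+00', 'bob@example.com',   '198.51.100.4', 'mfa.factor.enrolled',  'authenticator app'),
  ('2026-01-30 17:40:00+00', 'bob@example.com',   '198.51.100.4', 'mail.message.deleted', 'subject: lunch');

-- Flag a user whose MFA enrollment is followed within 30 minutes by deletion
-- of a mail whose subject mentions MFA. A bulk download within two hours of
-- the enrollment is attached when present, to raise the alert's priority.
SELECT e.user_email,
       e.source_ip,
       e.ts AS enrolled_at,
       d.ts AS notice_deleted_at,
       b.ts AS bulk_download_at
FROM audit_events e
JOIN audit_events d
  ON d.user_email = e.user_email
 AND d.event_type = 'mail.message.deleted'
 AND d.detail ILIKE '%MFA%'
 AND d.ts BETWEEN e.ts AND e.ts + interval '30 minutes'
LEFT JOIN audit_events b
  ON b.user_email = e.user_email
 AND b.event_type = 'app.bulk_download'
 AND b.ts BETWEEN e.ts AND e.ts + interval '2 hours'
WHERE e.event_type = 'mfa.factor.enrolled'
ORDER BY e.ts;
-- Returns one row, for alice; bob's enrollment has no matching deletion.
```

The deletion signal lives in the mailbox audit log, not the IdP log, so the query is only as good as the join between the two sources; normalising both onto one user identifier before correlation is the part that usually takes the longest in a real SIEM.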
We'd like to thank Meter for their support in bringing you this podcast. Meter delivers full stack networking infrastructure, wired, wireless and cellular, to leading enterprises. Working with their partners, Meter designs, deploys and manages everything required to get performant, reliable and secure connectivity in your space. They design the hardware and the firmware, build the software, manage deployments, and run support. It's a single integrated solution that scales from branch offices to warehouses to large campuses, all the way to data centers. Book a demo at meter.com/CST. That's m-e-t-e-r dot com slash CST.
Host: David Shipley (standing in for Jim Love)
Episode Theme:
A fast-paced review of recent major cybersecurity incidents, detailing how attackers are exploiting even trusted infrastructure – from Google's takedown of a global proxy network, to AI agent hijacks via exposed databases, to sophisticated phishing attacks targeting SSO, and supply chain threats embedded in antivirus updates. The episode underscores the evolving, multifaceted nature of cybersecurity risks for organizations.
Mass Proxy Network:
On AI Security Lapses:
On SSO Attack Tactics:
Industrial Threats:
AV as Attack Vector:
The episode underscores the persistent creativity and sophistication of attackers, the dangers of misconfigured cloud and app infrastructure, and the importance of multi-layer security—including vigilance for even trusted tools like antivirus software. David Shipley delivers the stories succinctly, occasionally dropping in wry observations about the digital state of play in 2026 (“welcome to 2026’s answer to unsecured AWS S3 buckets”).
Host Sign-off:
"I'm David Shipley. Thanks for listening. Have a great week. Jim Love will be back on the news desk on Wednesday." (David Shipley, 10:01)