The CyberWire Daily Podcast 1.22.26
Ep 2473 | 1.22.26

Stabilized but smaller.

Transcript

CISA’s acting director assures Congress the agency has “stabilized”. Google and Cisco patch critical vulnerabilities. Fortinet firewalls are being hit by automated attacks that create rogue accounts. A global spam campaign leverages unsecured Zendesk support systems. LastPass warns of attempted account takeovers. Greek authorities make arrests in a sophisticated fake cell tower scam. Executives at Davos express concerns over AI. Pwn2Own Automotive proves profitable. Our guest is Kaushik Devireddy, AI data scientist at Fable Security, with insights on a fake ChatGPT installer. New password, same as the old password.

Today is Thursday, January 22nd, 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

CISA’s acting director assures Congress the agency has “stabilized”.

The U.S. Cybersecurity and Infrastructure Security Agency, or CISA, is working to refocus on its core mission after a turbulent year marked by staffing losses, funding disruptions, and internal restructuring. Acting Director Madhu Gottumukkala told the House Homeland Security Committee that the agency has stabilized and does not expect further organizational changes in fiscal year 2026.

CISA now employs more than 2,400 staff, roughly a thousand fewer than at the start of the Trump administration. Gottumukkala said the reductions were part of a broader White House effort to shrink the federal workforce and “right-size” the agency. He argued CISA now has the workforce it needs and plans targeted initiatives in 2026 to address the most critical cyber risk gaps.

Republicans praised a narrower, operational focus, while Democrats warned proposed budget cuts could weaken civilian cyber defenses as foreign threats persist. Funding debates for the Department of Homeland Security, including CISA, are expected to intensify ahead of a looming shutdown deadline.

Google and Cisco patch critical vulnerabilities. 

Google has released an urgent update for Chrome and other Chromium-based browsers to fix a high-severity flaw in the V8 JavaScript engine. The vulnerability, tracked as CVE-2026-1220, is a race condition that allows memory corruption and could enable attackers to escape the browser sandbox and run code on a user’s system by luring them to a malicious site. The update, released January 20, 2026, applies to Windows, macOS, and Linux. Users should update Chrome and Chromium-based browsers immediately, according to Google.

Elsewhere, Cisco has issued emergency patches for a critical vulnerability affecting its enterprise communications platforms, warning of active exploitation attempts. The flaw, tracked as CVE-2026-20045, is an unauthenticated code injection issue in web-based management interfaces that can allow attackers to execute commands and potentially gain full system control. Impacted products include Unified Communications Manager, Unity Connection, and Webex Calling Dedicated Instance. Cisco says there are no workarounds and urges immediate patching. 

Fortinet firewalls are being hit by automated attacks that create rogue accounts. 

Researchers warn that Fortinet FortiGate firewalls are being hit by automated attacks that create rogue accounts and rapidly export firewall configurations. According to Arctic Wolf, the campaign began January 15 and appears to exploit an unknown weakness in FortiGate’s single sign-on feature, closely resembling attacks seen in December tied to CVE-2025-59718.

Arctic Wolf says it remains unclear whether current attacks are fully addressed by existing patches, and customer reports suggest a possible patch bypass. Fortinet is expected to release additional FortiOS updates to resolve the issue. Until then, defenders are advised to disable FortiCloud SSO. CISA has already flagged the earlier vulnerability as actively exploited, while Shadowserver reports nearly 11,000 exposed devices online.

A global spam campaign leverages unsecured Zendesk support systems. 

A global spam campaign has flooded inboxes with hundreds of confusing emails generated through unsecured Zendesk support systems. The wave began January 18 and abuses Zendesk’s default setting that allows unverified users to submit support tickets, which then trigger automated confirmation emails to whatever address is entered. Attackers iterated through large email lists, effectively turning legitimate customer support platforms into mass-spam engines.

The emails feature bizarre or alarming subject lines, including fake legal notices and promotional offers, often written with decorative Unicode text. While the messages do not contain malicious links, they bypass spam filters because they originate from trusted companies, making them particularly disruptive. Affected organizations include Discord, Dropbox, Riot Games, and government agencies. Zendesk says it has rolled out new safeguards to detect and limit this “relay spam” and advises customers to restrict ticket submissions to verified users.

LastPass warns of attempted account takeovers. 

LastPass is warning users about an active phishing campaign designed to steal master passwords and take over accounts. According to the company’s Threat Intelligence, Mitigation, and Escalation team, the campaign began January 19 and is circulating widely. The phishing emails impersonate LastPass and claim users must urgently back up their password vaults within 24 hours ahead of supposed maintenance. Links in the messages lead to a fake LastPass login page that captures credentials if entered.

Because LastPass stores passwords for other services, a compromised master password could expose many additional accounts. LastPass says it will never ask for a master password or demand immediate action and is working with partners to take down the malicious domains. The company urges users to remain cautious, noting that false urgency is a common phishing tactic.

Greek authorities make arrests in a sophisticated fake cell tower scam. 

Greek authorities have arrested two foreign nationals accused of running a sophisticated fake cell tower scam in the Athens area. According to Hellenic Police, officers discovered a mobile computing system hidden in a car trunk that acted as a rogue cellular base station, often called an SMS blaster. The setup, linked to a concealed roof antenna, impersonated legitimate telecom infrastructure and intercepted nearby mobile connections.

Police say the suspects exploited known weaknesses in mobile network protocols, forcing phones to downgrade from 4G to less secure 2G connections. This allowed them to collect device identifiers and phone numbers, which were then used in smishing campaigns posing as banks or courier services. Authorities have tied the operation to several confirmed fraud cases in and around Athens, with investigations ongoing.

Executives at Davos express concerns over AI. 

Executives from EY and KPMG warned at the World Economic Forum in Davos that AI security is emerging as a major enterprise risk. EY’s Raj Sharma told Business Insider that organizations are not adequately addressing the security and lifecycle management of AI agents, which can access sensitive data but lack clear identity and controls. He argued that industrial-grade security frameworks for AI agents are still immature. KPMG US CEO Tim Walsh echoed those concerns, saying AI-related cyber risk is now a top issue for CEOs and is slowing some AI deployments as firms reassess data protection. Walsh also flagged quantum computing as a future security threat, warning that it could break current encryption and force widespread reengineering of security systems.

Pwn2Own Automotive proves profitable. 

Day two of Pwn2Own Automotive 2026 proved that hacking cars and chargers can be very profitable. Security researchers walked away with $439,250 in prize money after popping 29 fresh zero-day bugs at the event in Tokyo, held during the Automotive World show.

After two days, total winnings hit $955,750 across 66 zero-days. Fuzzware.io led the pack with $213,000, thanks to successful hacks against multiple EV chargers. Other teams rooted infotainment systems, car operating systems like Automotive Grade Linux, and more charging hardware. Even Tesla tech made an appearance earlier in the contest.

The fun continues on day three, with more chargers and systems lined up for attack. Vendors now have 90 days to patch before details go public, so the clock is ticking.


New password, same as the old password. 

After another year of security training, stern warnings, and posters begging users to “think before you type,” passwords have once again refused to evolve. An analysis of six billion leaked credentials by Specops Software, using data from its parent firm Outpost24, shows that 2025’s most common passwords were the same familiar classics: “123456,” “password,” and “admin,” apparently still doing brisk business.

The report suggests this is not nostalgia, but habit. Numeric strings dominate personal accounts, while “admin” and “password” linger on enterprise gear, from networking devices to industrial systems. That creates a predictable path for attackers, who can reuse stolen credentials to access VPNs, Active Directory, or cloud services. Even “more complex” passwords often just decorate old favorites with a few extra characters. The lesson is dry but clear: attackers innovate, users reuse, and security teams clean up the mess.
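The report’s point that “more complex” passwords often just decorate old favorites can be enforced mechanically. As an added example (not code from Specops, Outpost24 or the podcast), the following Python policy check strips common decoration and character substitutions before comparing a candidate against a banned list; the COMMON_PASSWORDS set and the sample passwords are constructed for illustration, and a real check would load a full breached-password list instead.

```python
import re
import unicodedata

# Constructed sample of the "familiar classics" the report names. A real
# policy check would load a full breached-password list, not this handful.
COMMON_PASSWORDS = {"123456", "password", "admin", "qwerty", "welcome"}

# Substitutions users typically make to satisfy complexity rules.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})

# Digits and punctuation glued to the front or back: years, "123", "!".
DECORATION = re.compile(r"^[\W\d_]+|[\W\d_]+$")


def candidates(password: str) -> set[str]:
    """Return the plausible base words hidden inside a decorated password."""
    raw = unicodedata.normalize("NFKC", password).lower()
    stripped = DECORATION.sub("", raw)
    return {
        raw,
        stripped,
        raw.translate(LEET_MAP),
        stripped.translate(LEET_MAP),
        DECORATION.sub("", raw.translate(LEET_MAP)),
    }


def is_decorated_common(password: str) -> bool:
    """True if the password is a banned word or a decorated variant of one."""
    return any(c in COMMON_PASSWORDS for c in candidates(password))


def audit(passwords: list[str]) -> dict[str, bool]:
    """Map each password to whether it collapses to a banned base word."""
    return {p: is_decorated_common(p) for p in passwords}


if __name__ == "__main__":
    # Constructed examples, not data from the report.
    sample = ["P@ssw0rd2025!", "Admin#1", "123456", "Tr0ub4dor&3", "Welc0me!"]
    for pw, weak in audit(sample).items():
        print(f"{pw:16} {'REJECT' if weak else 'ok'}")
```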

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.


N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.