ISSUE 05 | The Risk You Didn’t Mean to Keep
Security Conscience: Enterprise Cyber Weekly
Issue #05 • Week of Feb 2, 2026
Security Tip of the Week

🔐 Quick Log Audit

Pull your last 90 days of cloud provider audit logs and check how many unique source IPs authenticated to privileged IAM roles. If the number surprises you, your cloud identity perimeter is wider than you think.

The attack surface is not growing because of what you added this quarter. It is growing because of what you never fully removed, never fully mapped, and never fully governed.

If you have spent the last week in an architecture review, an identity roadmap conversation, or an M&A due diligence call, you already know this instinctively: the stuff that keeps you up is rarely the shiny new deployment. It is the thing three teams ago provisioned and nobody owns anymore.

This week reinforced that pattern from multiple directions at once. Legacy authentication dependencies, services nobody believed were still reachable, AI programs scaling faster than the governance frameworks meant to contain them, and adversaries who have gotten noticeably better at exploiting the gaps between what we think we control and what we actually do.

None of this is new. What is new is the tempo. The distance between “we should look at that” and “that just became an incident” is shrinking, and it is shrinking precisely in the areas where ownership is thinnest.

We know the realities. Backlogs do not drain on their own, staffing is tight, and competing priorities win most internal arguments. This newsletter is not here to add another item to the list. It is here to help you decide which items on that list deserve another look this week, and why.

Top Story

Latent OT Access Is Not a Waiting Room. It Is a Loaded Weapon

Source: https://thehackernews.com/2026/01/russian-electrum-tied-to-december-2025.html

TLDR

Russian threat cluster ELECTRUM, working in tandem with access broker KAMACITE, breached distributed energy resources across roughly 30 sites in the Polish grid in December 2025, permanently disabling OT equipment without triggering a power outage.
This is the first confirmed attack against DER infrastructure at scale, and it validates that prolonged, quiet IT-to-OT pivots are now operational tradecraft, not theoretical risk.

Why it matters to enterprises

The broken assumption here is that pre-positioning in OT networks remains inert until an adversary decides to act visibly. KAMACITE’s role is specifically to establish and sustain access over long periods, creating conditions where ELECTRUM can execute when the timing suits them. That means latent access in your OT environment is not a dormant finding to remediate next quarter; it is an adversary holding a switch.

The attack also exposed that DER communication and dispatch infrastructure, often treated as lower-priority OT, sits directly in the blast radius of grid operations. Exposed network devices and unpatched RTUs provided the entry path, which is not novel, but the coordinated IT-OT pivot and the willingness to brick equipment permanently signal a maturity shift in how these groups operate.

What to do this week
Big Stories

FBI AI Inventory Reveals Governance Gaps

Source: https://fedscoop.com/fbi-ai-inventory-law-enforcement-biometric-facial-recognition/

What Happened

The DOJ’s 2025 AI inventory shows the FBI more than doubled its AI use cases in one year, growing from 19 to 50, with 27 now classified as law enforcement activities. New biometric and facial recognition systems are already live in operations. None of the high-impact use cases have completed required risk management steps, and nearly all are built on unnamed vendor systems. Multiple independent analysts flagged that the inventory is vague on outputs, omits tools known to have been in use for years, and provides no detail on who is auditing or stress-testing these systems.

Why it matters

This is not primarily an FBI story. It is a governance pattern. When a federal agency deploys AI into high-stakes decision workflows, skips risk management entirely, and obscures vendor dependencies, it sets a visible baseline for what is organizationally permissible. Enterprise security leaders should read this as a signal check on their own programs. If your AI-assisted decision tools, including anything touching identity, access, or investigation workflows, lack documented risk assessments, clear vendor accountability, and defined audit trails, you are operating with the same structural blind spots the FBI inventory just made public. The harder problem is that vendor opacity compounds the issue: when the systems are black boxes from unnamed providers, your ability to validate what they actually do, and to hold anyone accountable when they fail, drops to near zero.

550+ Threat Groups Were Hiding Behind Your Users’ Devices

Source: https://cyberscoop.com/ipidea-proxy-network-disrupted-google-lumen/

What Happened

Google, Lumen’s Black Lotus Labs, Cloudflare, and Spur coordinated a disruption of IPIDEA, a China-based residential proxy network that operated between 8.5 and 11 million devices at peak.
The action severed command-and-control links and took down storefronts, reducing the network by roughly 40%, but approximately 5 million proxies remain active and communicating with IPIDEA’s servers. Google observed over 550 distinct threat groups, including state-sponsored actors from China, North Korea, Iran, and Russia, using IPIDEA exit nodes during a single seven-day window to access cloud environments and on-premises infrastructure and to launch credential attacks.

Why it matters

The structural detail that should concern enterprise security leaders is how IPIDEA recruited devices: through SDKs embedded into third-party applications, where developers were paid per download to include proxy functionality without user knowledge. This is not a compromised endpoint problem in the traditional sense. It is a supply chain trust problem, where legitimate-looking software silently becomes part of adversarial infrastructure. The fact that 550-plus threat groups relied on this single network for operational cover means your traffic filtering, cloud access logs, and geofence controls were likely facing attacker-controlled residential IPs that looked indistinguishable from normal user traffic. A 40% reduction is operationally meaningful for now, but the ecosystem is built on anonymity and shared resources, and networks like this have historically regenerated after takedowns. The harder question is whether your visibility into inbound residential proxy traffic is sufficient to detect this category of threat at all.

Quick Hits

NTLM Deprecation Is Now a Hard Timeline, Not a Roadmap Item

Microsoft’s three-phase plan moves from auditing to full default-disable in the next major Windows Server release, and any application or service still falling back to NTLM will break. If you haven’t mapped NTLM dependencies across your domain, Phase Two arriving in H2 2026 is your last clean window to do it.
https://www.bleepingcomputer.com/news/microsoft/microsoft-to-disable-ntlm-by-default-in-future-windows-releases/

11-Year-Old telnetd Auth Bypass Gives Root. Exploitation Already Started.

CVE-2026-24061 is a trivial remote authentication bypass to root in GNU InetUtils telnetd, and GreyNoise is already seeing active exploitation attempts. The real question for enterprise teams is whether telnet is still running anywhere in your environment and whether you actually know.

https://thehackernews.com/2026/01/critical-gnu-inetutils-telnetd-flaw.html

Konni Is Targeting Developer Environments, Not End Users

North Korea’s Konni group is now dropping AI-generated PowerShell backdoors into blockchain developer workflows via Discord-hosted payloads, with the explicit goal of anchoring in build and deployment environments. A compromised dev machine in a CI/CD pipeline is a supply chain event, not an endpoint incident.

https://thehackernews.com/2026/01/konni-hackers-deploy-ai-generated.html

The hardest security work this week is not the work that made the news. It is the quiet argument you are having with your backlog about what actually deserves a change window, and whether the thing nobody owns is going to become the thing everybody regrets. That argument does not get easier by waiting.

If this was useful, forward it to one of your peers who will actually read it. Until next week.
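A worked version of this issue's Security Tip of the Week, added here as an example; it is not code from the newsletter or from any cloud provider's tooling. It assumes AWS CloudTrail-style records (an eventName of AssumeRole, sourceIPAddress, requestParameters.roleArn and userIdentity.arn); the events, the account number and the role ARNs are constructed sample data, and PRIVILEGED_ROLES stands in for whatever set of roles you treat as privileged. Two things the raw count hides, which the script handles: when an AWS service assumes a role on your behalf, sourceIPAddress holds the service name (for example ec2.amazonaws.com) rather than an address, so those rows are set aside instead of being counted as logins; and one person arriving from several IPs is normal, so the script keeps the caller behind each IP rather than only the number.

```python
"""Quick log audit: which source IPs assumed privileged IAM roles in the last 90 days?

Added example for the Security Tip of the Week; not code from the newsletter.
Assumes CloudTrail-style records. All sample events below are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address

ACCOUNT = "111122223333"  # constructed sample account id

# Constructed sample events, trimmed to the fields the audit reads.
SAMPLE_EVENTS = [
    {"eventTime": "2026-01-20T09:12:00Z", "eventName": "AssumeRole",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:user/alice"},
     "requestParameters": {"roleArn": f"arn:aws:iam::{ACCOUNT}:role/Admin"}},
    {"eventTime": "2026-01-21T22:40:00Z", "eventName": "AssumeRole",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:user/alice"},
     "requestParameters": {"roleArn": f"arn:aws:iam::{ACCOUNT}:role/Admin"}},
    {"eventTime": "2026-01-22T03:05:00Z", "eventName": "AssumeRole",
     "sourceIPAddress": "192.0.2.200",
     "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:user/ci-bot"},
     "requestParameters": {"roleArn": f"arn:aws:iam::{ACCOUNT}:role/Admin"}},
    # Service-initiated assumption: sourceIPAddress is a service name, not an IP.
    {"eventTime": "2026-01-23T11:00:00Z", "eventName": "AssumeRole",
     "sourceIPAddress": "ec2.amazonaws.com",
     "userIdentity": {"type": "AWSService", "invokedBy": "ec2.amazonaws.com"},
     "requestParameters": {"roleArn": f"arn:aws:iam::{ACCOUNT}:role/Admin"}},
    # Non-privileged role: ignored.
    {"eventTime": "2026-01-24T08:00:00Z", "eventName": "AssumeRole",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:user/bob"},
     "requestParameters": {"roleArn": f"arn:aws:iam::{ACCOUNT}:role/ReadOnly"}},
    # Older than the 90-day window: ignored.
    {"eventTime": "2025-09-01T08:00:00Z", "eventName": "AssumeRole",
     "sourceIPAddress": "203.0.113.99",
     "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:user/alice"},
     "requestParameters": {"roleArn": f"arn:aws:iam::{ACCOUNT}:role/Admin"}},
    # Not a role assumption at all: ignored.
    {"eventTime": "2026-01-25T08:00:00Z", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:user/alice"},
     "requestParameters": None},
]

# Whatever you consider privileged; constructed for the sample.
PRIVILEGED_ROLES = {f"arn:aws:iam::{ACCOUNT}:role/Admin"}


def load_cloudtrail(path):
    """Read one CloudTrail log file (a JSON object with a 'Records' list)."""
    with open(path) as fh:
        return json.load(fh)["Records"]


def parse_time(s):
    """CloudTrail eventTime is ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def is_ip(value):
    """False for service principals such as 'ec2.amazonaws.com'."""
    try:
        ip_address(value)
        return True
    except ValueError:
        return False


def privileged_role_sources(events, privileged_roles, now=None, days=90):
    """Return {role_arn: {source_ip: {caller_arn, ...}}} for AssumeRole calls
    on privileged roles, from real IP addresses, within the last `days` days.
    `now` may be a datetime, an ISO string, or None (current UTC time)."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parse_time(now)
    cutoff = now - timedelta(days=days)
    out = defaultdict(lambda: defaultdict(set))
    for ev in events:
        if ev.get("eventName") != "AssumeRole":
            continue
        if parse_time(ev["eventTime"]) < cutoff:
            continue
        role = (ev.get("requestParameters") or {}).get("roleArn")
        if role not in privileged_roles:
            continue
        src = ev.get("sourceIPAddress", "")
        if not is_ip(src):
            continue  # service-initiated; review separately, it is not a person logging in
        caller = ev.get("userIdentity", {}).get("arn", "unknown")
        out[role][src].add(caller)
    return out


def unique_ip_counts(sources):
    """Collapse the per-role map to {role_arn: number of distinct source IPs}."""
    return {role: len(ips) for role, ips in sources.items()}


if __name__ == "__main__":
    srcs = privileged_role_sources(SAMPLE_EVENTS, PRIVILEGED_ROLES, "2026-02-02T00:00:00Z")
    for role, count in unique_ip_counts(srcs).items():
        print(f"{role}: {count} distinct source IPs")
        for ip, callers in sorted(srcs[role].items()):
            print(f"  {ip}: {', '.join(sorted(callers))}")
```

On real data, replace SAMPLE_EVENTS with the concatenated Records from your gunzipped CloudTrail files via load_cloudtrail, and widen PRIVILEGED_ROLES to every role with administrative or break-glass policies. The number alone is the tip's smell test; the caller-per-IP breakdown is what tells you whether three IPs are one engineer on three networks or three different things that can all become you.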
