Hybrid Cloud
Cyber Security & NaaS
AI & Data
IoT & Connectivity
Business Applications
Intelligent Workplace
Consulting & Professional Services
Small Medium Enterprise
Health and Social Care
Industry
Retail
Tourism and Leisure
Transport & Logistics
Energy & Utilities
Banking and Finance
Sports
Smart Cities
Cyber Security Weekly Briefing, 10-16 January
Critical remote code execution vulnerability in Trend Micro Apex Central
Trend Micro has released patches for three severe vulnerabilities affecting Apex Central on Windows systems, the most severe being CVE-2025-69258 (CVSSv3 9.8 according to vendor). This remote code execution (RCE) flaw allows an unauthenticated attacker to send a specially formed message to the MsgReceiver.exe process on TCP port 20001, forcing the load of a malicious DLL that runs with SYSTEM privileges, completely compromising the security management server.
The other two vulnerabilities (CVE-2025-69259 and CVE-2025-69260, both CVSS 7.5 according to vendor) can trigger denial-of-service conditions. We recommend patching, restricting access to the interface, and applying additional network controls.
OPCOPRO: financial fraud using AI and simulation of social environments
Check Point has identified a fraudulent operation called OPCOPRO that uses artificial intelligence to orchestrate personalized investment scams. Attackers employ language models to generate fake profiles and automate interactions in WhatsApp groups, creating a fictional social environment where multiple participants (actually bots) confirm fake earnings.
The fraud architecture includes malicious mobile apps that simulate legitimate trading platforms, displaying false positive balances to incentivize additional deposits. Victims initially receive SMS or advertisements that appear to come from financial institutions, induce them to download an app from official stores (Android/iOS) and complete KYC processes with identity documents to steal personal data.
The infrastructure uses ephemeral hosting servers and crypto-asset payment methods to complicate financial tracing.
SAP releases updates for four critical vulnerabilities
SAP has released its January 2026 Security Patch Day, with the release of 17 new security notes and the fixing of critical impact vulnerabilities. The most severe flaw is CVE-2026-0501 (CVSSv3 9.9), a SQL injection in SAP S/4HANA that allows low-privilege users to fully compromise the database.
Three additional critical vulnerabilities have been mitigated: CVE-2026-0500 (CVSSv3 9.6) by remote code execution in SAP Wily Introscope Enterprise Manager; and two code injections, CVE-2026-0498 and CVE-2026-0491 (both with CVSSv3 9.1), affecting SAP S/4HANA and SAP Landscape Transformation respectively. In the high priority category, CVE-2026-0492 (CVSSv3 8.8) stands out for elevation of privilege in SAP HANA 2.0 databases and CVE-2026-0507 (CVSSv3 8.4) for injection of commands into the operating system through ABAP and RFCSDK servers.
The bulletin is completed with patches for medium-severity bugs, including XSS and information disclosure in Fiori and NetWeaver applications.
RustyWater: evolution of MuddyWater implant to Rust
According to a report by CloudSEK, the MuddyWater APT, associated with Iran's Ministry of Intelligence and Security, has evolved its arsenal by developing and deploying RustyWater, a remote access implant written in Rust, distributed through spearphishing campaigns targeting the diplomatic, maritime, financial, and telecommunications sectors in the Middle East.
The initial attack vector is a Word document with a forged icon that, when enabling macros, executes code to deploy RustyWater, which establishes asynchronous communications with C2, uses anti-analysis techniques, persistence through registry modifications, and modular architecture to extend post-compromise capabilities.
RustyWater facilitates network reconnaissance functions, system metadata exfiltration, and shell command execution remotely.
Reprompt: one click that allows you to exfiltrate data from Copilot
An investigation by Varonis Threat Labs has identified Reprompt, an attack flow in Microsoft Copilot Personal that allows malicious actors to set up a sensitive data exfiltration vector with a single click on a legitimate link, bypassing enterprise security controls and requiring no add-ons or additional user interaction.
The technique exploits the URL parameter "q" (Parameter 2 Prompt or P2P injection) to inject malicious instructions directly from a legitimate Microsoft link. When executed, the attacker uses a two-request technique to bypass native AI safeguards, maintaining access even after logging out and allowing the continuous extraction of information such as accessed files, location, or personal data.
Exfiltration occurs stealthily during communication between Copilot and the attacker's server, making detection difficult with client-side tools. Copilot Enterprise users are not affected by this flaw.
◾ This newsletter is one of the deliverables of our Operational and Strategic Intelligence service. If you are interested in knowing the rest of the Operational and Strategic Intelligence contents included in the service, please contact us →
