California DROP Law Simplifies Data Collection Refusals; Honeypot With Synthetic Data Catches Threat Actor; Hospitality Industry Targeted by Fake BSOD ClickFix

On January 1, 2026, the Delete Request and Opt-out Platform, or DROP, law took effect in California. The law allows California residents to file a single demand for data brokers to delete their personal information and not collect or sell such information in the future. While California's Delete Act has been on the books since 2023, that law required residents to file a demand with each broker. DROP allows California residents to file a single demand which The California Privacy Protection Agency (CalPrivacy), sends on to all data brokers. California law requires data brokers to register with CalPrivacy; currently, more than 500 data brokers are registered with the state. DROP enforcement will begin in August. Data brokers who do not comply with requests will face fines. The DROP website requires residents to enter the data they are demanding be removed. While it may seem counterintuitive to enter the data desired to be scrubbed from systems, the fact remains that the information has already been collected. California is one of just four US states that require data brokers to register; the others are Oregon, Texas, and Vermont. DROP is available only to California residents.

A honeypot created by Resecurity allowed researchers to observe and analyze the behavior of a threat actor believed to be Scattered Lapsus$ Hunters, who claimed to have compromised Resecurity on January 3, but who in fact only accessed "synthetic data." Resecurity created the honeypot after a threat actor probed the company's public-facing services and applications in November 2025, planting a dummy account mimicking a high-value target in a Dark Web marketplace. The company generated tens of thousands of consumer records and hundreds of thousands of payment transactions and messages, using a combination of AI-generated data, outdated non-sensitive logs, and genuine "already known breached data available on the Dark Web and underground marketplaces [...] an important element for cyber deception -- especially when the threat actor is advanced and may perform various checks to verify that the data is not completely fake." Resecurity observed the threat actor's tactics, techniques, and procedures (TTPs) over 12 days, which may be used "for early-stage threat detection when the same actor targets other enterprises, acting as Indicators of Compromise (IOCs)." The threat actor accessed the honeypot, automated activity using a large network infrastructure of residential IP proxies, and "made over 188,000 requests attempting to dump synthetic data. During this period, the Resecurity team documented the activity and collaborated with relevant law enforcement authorities and ISPs to share information about it." The threat actor made several OPSEC errors that disclosed their own real IP addresses and other identifying details including an email address and phone number, enabling law enforcement to issue a subpoena request.

The hospitality sector is being targeted by ClickFix phishing attacks that mimic the Windows "Blue Screen of Death" (BSOD) error message, according to research from Securonix. The phishing email mimics a costly cancellation from booking.com, and contains a link that leads to a counterfeit website with a fake error message, which in turn triggers a fake BSOD instructing the user to enter keyboard shortcuts that paste a PowerShell script into the Windows Run dialog. Running the script downloads a malicious project file and uses MSBuild to compile and execute an initial payload inside it, disabling Windows Defender and establishing persistence. The malware installs DCRat as its final payload, which enables process hollowing, keylogging, persistent remote access, and dropping additional payloads. The lure emails include charges listed in Euros; grammatically sound Russian language also appears in the MS build file, and the DCRat trojan is known to be common in Russian forums. Securonix recommends organizations train employees against phishing and ClickFix-style attacks, monitor for suspicious activity from MSBuild and system binaries, monitor for suspicious file types created in the ProgramData directory and Startup folder, enable PowerShell Script Block Logging, and check for indicators of compromise (IoCs).

Cisco has released updates to address CVE-2026-20029, a medium-severity vulnerability in the company's Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) products. "The vulnerability is due to improper parsing of XML that is processed by the web-based management interface of Cisco ISE and Cisco ISE-PIC. An attacker could exploit this vulnerability by uploading a malicious file to the application." Proof-of-concept code for the vulnerability has been publicly released. Cisco has also released updates to address a pair of vulnerabilities in the processing of Distributed Computing Environment Remote Procedure Call (DCE/RPC): CVE-2026-20026, denial of service, and CVE-2026-20027, information disclosure, affect Open Source Snort 3, Cisco Secure Firewall Threat Defense Software, Cisco IOS XE Software, and Cisco Meraki Products.

Workflow automation platform n8n released fixes for two critical (CVSS 10.0) vulnerabilities earlier this week. CVE-2026-21877 is an arbitrary file write issue that could lead to remote code execution; CVE-2026-21858 is an improper input validation issue that could allow an attacker to access arbitrary files and could also lead to remote code execution. The vulnerabilities allow attackers to take complete control of vulnerable instances; roughly 100,000 vulnerable servers are estimated to be exposed. CVE-2026-21858 was discovered by researchers at Cyera. Users are urged to update to the most recent patched version.

Veeam has released updates to address four vulnerabilities in Veeam Backup & Replication. The issues affect versions 13.0.1.180 and earlier 13.x builds. Older versions, 12.x and previous, are not affected. The most serious of the vulnerabilities is a critical issue (CVE-2025-59470) that "allows a backup or tape operator to perform remote code execution (RCE) as the postgres user by sending a malicious interval or order parameter." The other three vulnerabilities include two high-severity flaws, CVE-2025-55125, which "allows a backup or tape operator to perform remote code execution (RCE) as root by creating a malicious backup configuration file," and CVE-2025-59469, which "allows a Backup or Tape Operator to write files as root," and a medium severity issue (CVE-2025-59468) that "allows a Backup Administrator to perform remote code execution (RCE) as the postgres user by sending a malicious password parameter." Users are urged to update to Veeam Backup & Replication 13.0.1.1071.

The US Cybersecurity and Infrastructure Security Agency (CISA) has added two CVEs to the Known Exploited Vulnerabilities (KEV) catalog: a critical code injection vulnerability in HPE OneView (CVE-2025-37164) and a high-severity code injection vulnerability in Microsoft Office PowerPoint (CVE-2009-0556). HPE released hotfixes to address CVE-2025-37164 on December 16, 2025, and published an advisory the following day. Microsoft addressed the PowerPoint vulnerability in 2009; the CVE''s addition to the KEV suggests it is once again being actively exploited. Both vulnerabilities have mitigation deadlines of January 28, 2026 for US Federal Civilian Executive Branch (FCEB) agencies.

The US Cybersecurity and Infrastructure Security Agency (CISA) has published an Industrial Control System Medical Advisory regarding a critical vulnerability affecting WHILL Model C2 electric wheelchairs. According to CISA, a missing authentication for Bluetooth connections could "allow an attacker within Bluetooth range to take control over the product," issuing movement commands, overriding speed restrictions, and manipulating device configuration profiles. The issue affects WHILL Model C2 Electric Wheelchairs and Model F Power Chairs. WHILL released a patch and mitigations for a number of security issues in December 2025. The vulnerability was reported to CISA by members of the Exploit Development Team at QED Secure Solutions.

The European Space Agency (ESA) has confirmed that they suffered an information security breach and that the agency "is in the process of informing the judicial authorities having jurisdiction over this cyber incident to initiate a criminal inquiry." In a statement, ESA says of the incident that the affected "servers support unclassified collaborative engineering activities within the scientific community. All relevant stakeholders have been informed, and we will provide further updates as soon as additional information becomes available."