InfoSec Briefing - January 22, 2026

🚨 Critical Vulnerability Alert

We have a critical security alert. CVE-2026-20045, a remote code execution in Cisco Unified Communications products, has been added to the CISA Known Exploited Vulnerabilities catalog.

🎧 Audio Briefing

Playback Speed:

Download MP3

Good morning. This is your security briefing for Wednesday, January 21, 2026, covering 5 articles analyzed overnight. All attribution is by the article authors. All article analysis is automated.

We have a critical security alert. CVE-2026-20045, a remote code execution in Cisco Unified Communications products, has been added to the CISA Known Exploited Vulnerabilities catalog.

Disclosing.Observer reports on new research proposing the use of DNS sinkholes as analytical tools to study malicious infrastructure after takedowns. Researchers analyzed the Badbox 2.0 botnet takedown from April 2025, which affected 10 million Android devices, revealing patterns in hosting distribution across Hostinger, Amazon, and Cloudflare, as well as nameserver reuse indicating shared operational control.

Matt Swann has published five Kusto Query Language queries designed to accelerate incident containment and response times within Microsoft Sentinel. The queries focus on helping security teams act effectively during the critical first hour of a security incident to minimize attacker damage.

Cotool released a benchmark evaluating AI agents' capabilities in Security Operations Center tasks, comparing frontier AI models including GPT-5, Claude, and Gemini on real-world challenges like threat hunting and incident response. The benchmark specifically evaluates these models' intrinsic knowledge of detection engineering and the MITRE ATT&CK framework using industry-standard tools like Sigma rules and Splunk BOTSv3.

Slack's Security Engineering team has developed an AI agent system to automate security investigations of billions of daily events. The system uses specialized AI agents including a Director, Expert, and Critic that break down complex investigations into manageable tasks, enabling faster identification of security vulnerabilities, credential exposures, and IAM policy weaknesses.

Claesmnyberg has released the Self Decrypting Binary Generator, or SDC, an open-source tool that creates self-decrypting executables using Blowfish encryption in CFB mode. While designed for secure data distribution across multiple operating systems including Linux, Windows, and BSD variants, the tool poses security risks as it can be misused to disguise malicious payloads and evade detection.

That concludes today's briefing.

📰 Articles Covered

After the Takedown: Excavating Abuse Infrastructure with DNS Sinkholes - Disclosing.Observer

The article "After the Takedown: Excavating Abuse Infrastructure with DNS Sinkholes" by Disclosing.Observer proposes a new perspective on DNS sinkholes, viewing them not as the end of an abuse campaign but as an analytical boundary that preserves valuable data about malicious infrastructure.

**What Happened:**
The article argues that when domains are sinkholed, their DNS configurations are frozen at the moment of intervention. This creates a stable record of how the abuse infrastructure was organized prior to the takedown. By analyzing this frozen state using passive DNS, researchers can gain insights into the structure, hosting choices, nameserver reuse, and subdomain generation patterns of malicious operations. A specific example highlighted is the **Badbox 2.0 takedown** in April 2025, which saw a massive increase in sinkholed domains, indicating a coordinated effort against a large botnet infrastructure. 【1】

**Who is Affected:**
The Badbox 2.0 botnet, for instance, affected an estimated **10 million Android users** by turning their devices into residential proxies. 【1】 While the article focuses on the infrastructure behind such attacks, the ultimate impact is on the users whose devices and data are compromised.

**Security Implications:**
Treating sinkholes as analytical boundaries rather than endpoints allows for a deeper understanding of how abuse infrastructure is built and maintained. This knowledge can inform more effective defensive strategies. The article suggests that by analyzing patterns like hosting distribution, nameserver reuse, and programmatic subdomain expansion, defenders can identify and disrupt similar operations more effectively. 【1】

**Technical Details:**
The analysis relies exclusively on **passive DNS** to reconstruct the structure, clustering, and temporal patterns of domains before and after takedown. 【1】 Sinkholing acts as a stable observation point, freezing the DNS behavior. 【1】 The study of the Badbox 2.0 takedown revealed:
- **Pre-takedown Hosting:** Before sinkholing, domains were hosted across various commercial providers, including **Hostinger, Amazon, and Cloudflare**. Cloudflare was also used for obfuscation and authoritative DNS. 【1】
- **Nameserver Reuse:** A significant pattern observed was the **reuse of identical Cloudflare nameserver pairs** across many unrelated registered domains, indicating shared operational control. 【1】
- **Programmatic Subdomain Generation:** A small set of registered domains generated hundreds of thousands of distinct subdomains, suggesting **automated generation at scale**. The subdomain labels were often repetitive and non-meaningful, reused across different domains tied to the Badbox 2.0 command and control (C2) infrastructure. 【1】 These regular subdomain labels can act as **fingerprints** to discover additional infrastructure. 【1】

**What Defenders Should Know:**
Defenders should understand that sinkholing does not eliminate the evidence of malicious infrastructure; instead, it preserves it. 【1】
- **Sinkholes as Analytical Artifacts:** Treat sinkholed domains as opportunities to analyze past infrastructure, not as the end of an investigation. 【1】
- **Leverage Passive DNS:** Utilize passive DNS data to reconstruct pre-disruption infrastructure, revealing hosting distribution, nameserver reuse, and subdomain expansion patterns. 【1】
- **Identify Patterns:** Look for patterns such as the reuse of nameservers and programmatic subdomain generation, which can indicate shared operational control and automated infrastructure. 【1】
- **Coordinated Takedowns:** Recognize that coordinated takedowns can provide a snapshot of infrastructure at the moment it stops changing, offering a unique window for analysis. 【1】

While this approach has limitations, such as reliance on observation density and potential collapse of data once infrastructure is redirected to defensive providers, it offers a valuable method for treating takedowns as moments when abuse infrastructure becomes legible. 【1】
5 KQL Queries to Slash Your Containment Time in Microsoft Sentinel - Matt Swann

This article outlines five Kusto Query Language (KQL) queries designed to accelerate incident containment within Microsoft Sentinel. The primary goal is to enable security teams to act quickly and effectively during the critical "First Hour" of an incident, minimizing the potential damage caused by attackers.

**What Happened:**
The article addresses the need for rapid response to cybersecurity incidents. It focuses on providing defenders with specific KQL queries that can quickly identify and isolate compromised systems and accounts, thereby reducing the "blast radius" of an attack.

**Who is Affected:**
The queries and containment strategies discussed are relevant to various entities within an organization's network, including:
- **Hosts:** Individual computers and servers that may be compromised.
- **Identities:** User accounts that could be taken over or misused by attackers.
- **The Enterprise:** The overall organization, which is at risk if an attack is not contained promptly.

**Security Implications:**
The security implications highlighted are centered around the benefits of rapid containment:
- **Early Identification:** Quickly pinpointing the scope of a compromise.
- **Effective Containment:** Implementing reversible actions to stop an attacker's progress.
- **Disruption of Attacker Footholds:** Preventing attackers from establishing persistence or moving laterally within the network.

**Technical Details:**
The article provides specific KQL query patterns for several key areas of incident response:
- **File Events:** Identifying suspicious file modifications or executions.
- **Sign-ins:** Detecting anomalous or unauthorized user logins.
- **Lateral Movement:** Tracking how attackers might be moving from one system to another.
- **High-Value Assets:** Identifying and monitoring critical systems or data repositories.
- **Outbound C2 (Command and Control):** Detecting communication between compromised systems and attacker infrastructure.

The queries are designed to be used with narrow time windows around alerts to collect evidence efficiently.

**What Defenders Should Know:**
Defenders are advised to:
- **Act Swiftly:** Prioritize speed in the initial stages of an incident.
- **Minimize Disruption:** Employ containment actions that are reversible and have the least impact on legitimate operations.
- **Map the Attacker's Footprint:** Understand the full extent of the compromise.
- **Isolate Compromised Assets:** Remove affected systems or accounts from the network.
- **Rotate Credentials and Revoke Sessions:** Secure user accounts and active sessions.
- **Disable Compromised Accounts:** Prevent further misuse of breached identities.
- **Block C2 Channels:** Disrupt communication with attacker infrastructure.
- **Utilize Narrow Time Windows:** Focus investigations on the immediate period surrounding an alert.
- **Prioritize Successful Logins:** Pay close attention to legitimate-looking but potentially malicious sign-ins.
- **Identify Persistence Mechanisms:** Look for ways attackers might be trying to maintain access.

The article emphasizes the importance of collecting evidence rapidly to support containment and eradication efforts. 【1】
Sigma Detection Classification - This benchmark evaluates LLMs' intrinsic knowledge of detection engineering and the MITRE ATT&CK framework. - Cotool

The provided article is about **AI Research in Security Operations** by Cotool. It focuses on using AI agents to improve security tasks and benchmarks their performance against real-world Security Operations (SecOps) challenges.

Here's a breakdown based on your requested points:

* **What happened:** The article discusses the advancement and application of AI agents in cybersecurity, specifically within Security Operations Centers (SOCs). It highlights the development of rigorous benchmarks to evaluate these AI agents on tasks like threat hunting and incident response.
* **Who is affected:** The primary audience and beneficiaries are **security professionals, SecOps teams, and organizations** looking to enhance their cybersecurity posture through AI automation. This includes those involved in detection engineering, threat hunting, and incident response.
* **Security implications:** The use of AI in SecOps has significant implications for **improving threat detection speed and accuracy, automating repetitive tasks, and potentially reducing human error**. It also implies a shift in the skills required for cybersecurity professionals, moving towards managing and collaborating with AI systems. The article suggests that AI can push the frontier of what's possible in real-time security work.
* **Technical details:** While the article doesn't delve into specific technical details of the AI models themselves, it mentions the use of **benchmarks** to compare frontier models (like GPT-5, Claude, Gemini) on real-world SecOps tasks. It also references concepts like **Splunk BOTSv3, MITRE ATT&CK, and Sigma rules**, indicating that the AI agents are being evaluated on their ability to understand and utilize industry-standard security frameworks and detection languages.
* **What defenders should know:** Defenders should be aware that **AI is becoming a powerful tool in cybersecurity operations**. They should understand the capabilities of AI agents in areas like threat hunting and incident response, and how these tools are being benchmarked and improved. It's important for defenders to stay informed about the advancements in AI for SecOps to effectively leverage these technologies and adapt their strategies accordingly.
Streamlining Security Investigations with Agents - **Salesforce** controls the content posted at the URL https://slack.engineering/streamlining-security-investigations-with-agents/. Slack was acquired by Salesforce in July 2021.

Slack's Security Engineering team is leveraging **AI agents to enhance the efficiency and effectiveness of their security investigations** 【1】. This initiative aims to streamline the process of analyzing security alerts, which involve billions of events daily, and to strengthen Slack's overall security posture 【1】.

**What Happened:**
The team developed a system that breaks down complex security investigations into a series of smaller, manageable tasks performed by specialized AI agents. This approach moves away from a single, broad prompt to a more controlled, step-by-step process involving multiple AI model invocations 【1】.

**Who is Affected:**
The primary users of this system are **Slack's Security Engineering team**, who are responsible for monitoring and responding to security alerts. The system also indirectly affects all Slack users by improving the security of the platform.

**Security Implications:**
The AI agents can **identify security vulnerabilities and threats more rapidly and consistently** than traditional methods 【1】. They can uncover novel issues, such as credential exposures or weaknesses in IAM policies, that might be missed by static detection rules 【1】. This proactive discovery and analysis lead to a more robust security defense for Slack.

**Technical Details:**
The system is designed around a team of AI personas, or agents, each with specific roles:
- **Director Agent**: Manages the overall investigation, posing questions and deciding how to progress through different phases (Discovery, Director Decision, Trace, Conclude) 【1】.
- **Expert Agents**: Act as domain specialists (Access, Cloud, Code, Threat) who analyze data sources and generate findings in response to the Director's questions 【1】.
- **Critic Agent**: Reviews the findings from Expert Agents for quality, identifies the most credible information, and helps mitigate hallucinations and variability 【1】.

The process utilizes structured output formats (JSON schema) for precise control over each model invocation 【1】. The architecture includes a **Hub** for API and storage, **Workers** for processing tasks, and a **Dashboard** for real-time monitoring and debugging 【1】. This tiered "Knowledge Pyramid" approach strategically uses different cost models for expert, critic, and director functions 【1】.

**What Defenders Should Know:**
Defenders can learn from Slack's approach to:
- **Decompose complex tasks**: Break down intricate investigation processes into smaller, well-defined steps for AI agents 【1】.
- **Utilize specialized personas**: Employ different AI agents with distinct roles (Director, Expert, Critic) to manage and validate information 【1】.
- **Implement structured outputs**: Use JSON schemas to ensure predictable and controlled AI responses 【1】.
- **Monitor and iterate**: Leverage dashboards for real-time observation and debugging, continuously refining the system 【1】.
- **Embrace emergent behavior**: Recognize that AI agents can uncover unexpected vulnerabilities beyond predefined rules 【1】.
sdc: Self Decrypting Binary Generator - claesmnyberg

The provided GitHub repository details the **Self Decrypting Binary Generator (SDC)** tool, which creates self-decrypting executables. This tool is not an account of a specific cybersecurity incident but rather a utility for encrypting and packaging files.

- **What happened:** The SDC tool encrypts a target file using the **Blowfish algorithm in Ciphertext Feedback Mode (CFB)**. This encrypted data is then appended to an executable. When the executable is run, it automatically decrypts the appended data.
- **Who is affected:** The tool itself is designed to run on various operating systems and architectures, including **Linux, Windows, OpenBSD, FreeBSD, NetBSD, and Solaris**. The users of this tool would be those who wish to distribute encrypted data securely.
- **Security implications:** The primary security implication is that SDC can be used for **secure distribution of encrypted data**. However, it also carries the risk of **misuse for disguising malicious payloads**, making it a potential tool for attackers to hide malware.
- **Technical details:** The core technology involves **Blowfish encryption in CFB mode**. The build process is managed using `make`, with specific targets for different operating systems. A noted technical detail is that the `elf_offset()` routine requires the ELF file to be stripped. Future plans include adding compression before encryption for further obfuscation and expanding support to more operating systems like MacOSX.
- **What defenders should know:** Defenders should be aware that self-decrypting binaries like those generated by SDC can be used to deliver **encrypted or obfuscated content**. This necessitates the development and application of specific analysis techniques to uncover and understand the underlying payload within such executables.