
Emergency Directive Fatigue and Ransomware's New MO

IT channel and business news with a focus on regulatory compliance.

🩹 KEV-Driven Patching and “Emergency Directive Fatigue”

The work hasn’t changed: there will always be more vulnerabilities than time. The shift is from reacting to noise to acting on evidence. It’s no longer about winning a CVE leaderboard; it’s about reducing the risk and impact of the attacks you are most likely to face…

🏢 Operational Ransomware: When Uptime Becomes the Real Crown Jewel

Ransomware is increasingly about stopping a business from functioning, not just stealing or encrypting files. The sectors feeling this most acutely are healthcare, manufacturing, managed service providers, and critical services where every minute of downtime carries a real human or economic cost…

Where to Find the Blacksmith Team

Right of Boom (Feb 2-6)
Join us for dinner!

MSP Expo (Feb 10-12)

…and on demand with Get NIST-y on Spotify!

⚠️ Threat Updates

🔴 Infostealer Logs Fuel “Zestix” Data Theft at Dozens of Enterprises (01/20/26)

A threat actor tracked as Zestix (aka Sentap) needed no exploits at all: it logged into corporate file-sharing portals at dozens of global organizations, including airlines, healthcare providers and robotics firms, using valid credentials harvested from infostealer malware logs sold on the dark web, then quietly exfiltrated sensitive data for sale. Because the logins looked like normal user activity, traditional alerting often failed. The lessons are mandatory MFA on all external access, continuous monitoring for anomalous file-sharing activity (logins from new locations, sessions without MFA, bulk downloads out of line with the user's own history), and dark web credential monitoring so exposed accounts can be rotated or disabled quickly. » More Info
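As an added illustration (not part of the original article and not code from any vendor or from the Zestix reporting), here is a small Python detector that runs the three recommended checks over a constructed portal access log: a login without MFA by an account present in a credential-monitoring feed, a login from a country the user has never authenticated from with MFA before, and a download far above that user's own median. The log format, the account names and the exposed-account set are all assumptions made for this example.

```python
from collections import defaultdict
from statistics import median

# Constructed file-sharing portal access log (fabricated for this example;
# addresses are from RFC 5737 documentation ranges). Fields are key=value,
# and lines are assumed to be in chronological order.
SAMPLE_LOG = """\
2026-01-12T09:12:03Z user=a.ramos@example.com event=login ip=203.0.113.10 country=US mfa=true
2026-01-12T09:14:10Z user=a.ramos@example.com event=download ip=203.0.113.10 bytes=2400000
2026-01-14T10:02:41Z user=a.ramos@example.com event=login ip=203.0.113.10 country=US mfa=true
2026-01-14T10:05:12Z user=a.ramos@example.com event=download ip=203.0.113.10 bytes=3100000
2026-01-19T02:41:55Z user=a.ramos@example.com event=login ip=198.51.100.77 country=RO mfa=false
2026-01-19T02:43:02Z user=a.ramos@example.com event=download ip=198.51.100.77 bytes=950000000
2026-01-19T08:30:00Z user=j.chen@example.com event=login ip=192.0.2.5 country=US mfa=true
2026-01-19T08:31:10Z user=j.chen@example.com event=download ip=192.0.2.5 bytes=1200000
"""

# Constructed credential-monitoring feed: accounts whose passwords have shown up
# in stealer logs. In practice this comes from a dark web monitoring service.
EXPOSED_ACCOUNTS = {"a.ramos@example.com"}


def parse_log(text):
    """Turn each 'timestamp k=v k=v ...' line into a dict."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        ev = {"ts": parts[0]}
        for tok in parts[1:]:
            key, _, value = tok.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def detect(events, exposed=EXPOSED_ACCOUNTS, bulk_factor=10):
    """Single pass over chronological events. Baselines are built from each
    user's own earlier MFA-backed logins and earlier downloads, so a brand-new
    account's first login is not flagged as a 'new country'."""
    findings = []
    known_countries = defaultdict(set)    # user -> countries of prior MFA logins
    download_history = defaultdict(list)  # user -> sizes of prior downloads
    for ev in events:
        user = ev["user"]
        if ev["event"] == "login":
            country = ev["country"]
            mfa = ev["mfa"] == "true"
            if user in exposed and not mfa:
                findings.append((ev["ts"], user, "exposed_credential_no_mfa",
                                 "password is in a stealer-log feed and login had no MFA"))
            if known_countries[user] and country not in known_countries[user]:
                findings.append((ev["ts"], user, "new_country",
                                 f"login from {country}, previously only {sorted(known_countries[user])}"))
            if mfa:
                known_countries[user].add(country)
        elif ev["event"] == "download":
            size = int(ev["bytes"])
            history = download_history[user]
            if history and size > bulk_factor * median(history):
                findings.append((ev["ts"], user, "bulk_download",
                                 f"{size} bytes vs this user's median {median(history):.0f}"))
            history.append(size)
    return findings


if __name__ == "__main__":
    for ts, user, kind, detail in detect(parse_log(SAMPLE_LOG)):
        print(f"{ts} {user} {kind}: {detail}")
```

On the sample data the three findings all land on the same account within two minutes, which is the correlation a SOC wants: one "new country" alert alone is routine noise, but new country plus a known-exposed credential plus a download 300 times the user's norm is a data-theft session in progress.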

🔴 CISA Retires 10 Emergency Directives as KEV Catalog Takes Center Stage (01/09/26)

CISA has officially closed ten high-profile Emergency Directives issued between 2019 and 2024, covering threats such as DNS tampering, SolarWinds Orion, on-prem Exchange, Pulse Secure, VMware and Microsoft email compromise, stating that the required mitigations are now either fully implemented at federal agencies or enforced through Binding Operational Directive 22-01 and the Known Exploited Vulnerabilities (KEV) catalog. Billed as a milestone in federal cyber resilience, the move really shifts the burden back to continuous vulnerability hygiene. Enterprise defenders should align patch SLAs and risk scoring with the KEV catalog rather than legacy “emergency” guidance, and validate that the controls originally deployed for these directives are still in place and effective. » More Info
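To make "align patch SLAs with the KEV catalog" concrete, here is an added Python example (not CISA's code and not Blacksmith's) that joins a feed in the KEV JSON shape to an asset inventory, derives an internal due date as the earlier of a local SLA and CISA's own dueDate, and ranks what is overdue. The field names match the real feed, but the feed excerpt, the inventory, the CVE IDs and the SLA numbers are placeholders constructed for this example.

```python
import json
from datetime import date, timedelta

# Constructed excerpt in the shape of the KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Field names match the real feed; the entries, vendors and CVE IDs are
# placeholders invented for this example, not real vulnerabilities.
KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "EdgeGateway",
     "dateAdded": "2026-01-05", "dueDate": "2026-01-26", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "MailServer",
     "dateAdded": "2026-01-15", "dueDate": "2026-02-05", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "Firewall",
     "dateAdded": "2026-01-10", "dueDate": "2026-01-31", "knownRansomwareCampaignUse": "Known"}
  ]
}
"""

# Constructed asset inventory: what is actually deployed in this estate.
INVENTORY = [
    {"asset": "vpn-01", "vendorProject": "ExampleVendor", "product": "EdgeGateway"},
    {"asset": "mail-02", "vendorProject": "ExampleVendor", "product": "MailServer"},
    {"asset": "wiki-01", "vendorProject": "ThirdVendor", "product": "Wiki"},
]

# Internal SLA in days from dateAdded, keyed by the feed's ransomware flag.
# These numbers are this example's policy assumption, not CISA's.
SLA_DAYS = {"Known": 7, "Unknown": 14}


def load_kev(text):
    return json.loads(text)["vulnerabilities"]


def internal_due(entry):
    """Our due date: the internal SLA, never later than CISA's own dueDate."""
    added = date.fromisoformat(entry["dateAdded"])
    cisa_due = date.fromisoformat(entry["dueDate"])
    ours = added + timedelta(days=SLA_DAYS.get(entry["knownRansomwareCampaignUse"], 14))
    return min(ours, cisa_due)


def match_inventory(kev_entries, inventory):
    """Join KEV entries to deployed assets on (vendorProject, product)."""
    by_product = {}
    for e in kev_entries:
        key = (e["vendorProject"].lower(), e["product"].lower())
        by_product.setdefault(key, []).append(e)
    hits = []
    for asset in inventory:
        key = (asset["vendorProject"].lower(), asset["product"].lower())
        for e in by_product.get(key, []):
            hits.append({
                "asset": asset["asset"],
                "cve": e["cveID"],
                "ransomware": e["knownRansomwareCampaignUse"] == "Known",
                "due": internal_due(e),
            })
    return hits


def prioritize(hits, as_of):
    """Earliest due date first (so the most overdue item leads); a
    ransomware-linked entry wins a tie on due date."""
    for h in hits:
        h["days_overdue"] = (as_of - h["due"]).days
    return sorted(hits, key=lambda h: (h["due"], not h["ransomware"]))


def kev_report(kev_text=KEV_JSON, inventory=INVENTORY, as_of=date(2026, 1, 21)):
    return prioritize(match_inventory(load_kev(kev_text), inventory), as_of)


if __name__ == "__main__":
    for h in kev_report():
        if h["days_overdue"] > 0:
            state = f"OVERDUE by {h['days_overdue']}d"
        else:
            state = f"due in {-h['days_overdue']}d"
        print(f"{h['asset']:8} {h['cve']:14} ransomware={h['ransomware']!s:5} {state}")
```

The join on vendor and product is deliberately crude: real inventories carry versions, and a KEV entry only applies to the affected range, so a production version of this would match on the CPE or version data your scanner emits. The point is the ordering logic, where exploited-in-the-wild plus ransomware use beats any CVSS score.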

🔴 LastPass Users Hit with Highly Targeted Backup-Themed Phishing Campaign (01/21/26)

Password manager LastPass is warning users about a fresh phishing campaign in which attackers send convincing emails urging recipients to “back up” or “re-sync” their password vaults, directing them to spoofed sites built to capture master passwords and multifactor codes. Organizations relying on consumer or business password managers should push just-in-time awareness to staff, reinforce that vendors rarely demand urgent vault actions via email, and enforce controls such as phishing-resistant MFA and URL verification training, particularly for anyone holding high-value admin or finance credentials in a shared vault. » More Info


🗨️ Parting Words

“Privacy should not be a luxury good.” — Sundar Pichai

Are you a vCISO or MSP looking to operationalize security programs? Let’s discuss how Blacksmith Infosec proves that compliance is an opportunity, not a struggle that has to be packaged in FUD!