Archive for Fortra

The AI Caricature Trend Has Security Teams Paying Attention

Posted in Commentary with tags on February 11, 2026 by itnerd

The viral Instagram “AI work caricature” trend is exposing a serious shadow AI risk. By prompting ChatGPT to create job-based caricatures and posting the results publicly, users are unintentionally signaling their access to sensitive systems, their use of public LLMs for work, and potential data leakage in prompts. Millions of these posts are tied to real profiles, helping threat actors identify high‑value targets and likely candidates for LLM exploitation via prompt injection or jailbreaking.

This seemingly harmless trend is a roadmap for targeted cyber and data‑exfiltration attacks.

Fortra cybersecurity expert Josh Davies has just published an article describing these risks, which you can read here: https://www.fortra.com/blog/what-can-ai-work-caricature-trend-teach-us-about-risks-shadow-ai

UPDATE: Reinforcing that this is a top-of-mind issue at the moment, Bob Long, President, Americas at Daon had this comment:

“Preventing identity fraud on the internet can be a serious challenge. Everyone knows that it’s vital not to share high-value personal information like your social security number or credit card information, but that is just a start to truly protecting your identity. There are multiple ways that bad actors take advantage of people in order to break into their accounts. Stealing your login information through a data breach is just the most visible method of attack. The most common is something most people don’t even see until after their information is compromised—social engineering. Social engineering is a broad term for a number of methods of luring people into handing over their login credentials willingly. Phishing is the most well known of these techniques, but there are many others. One thing they all have in common is the more a fraudster knows about their target, the easier it is to fool them.

That’s where things like the new trend of having Generative AI create a caricature of you based on everything it knows about you move from being a fun exercise to a security threat. By creating one of these images and posting it on social media, you are doing fraudsters’ work for them—giving them a visual representation of who you are. This is literally the modern version of the “40 things about me” posts that used to be popular on social channels, creating a quick-access, public record of who you are so people with bad intentions can exploit it. The fact that it explicitly prompts AI to include everything it knows about you makes it sound like it was intentionally started by a fraudster looking to make their job easy. It not only tells them a lot about the person, but it tells them which people have a lot of accessible information and which don’t. Until all businesses move away from passwords and other knowledge-based forms of authentication, people will need to remain vigilant about what information about them is publicly available.

Of course, the argument against giving your image to Generative AI also stands. Unless you know, for certain, what will be done with that image outside of providing the requested output, you are at risk of your image being used for anything from training AI image generators to populating less-than-legal tracking software. Sharing personal information, including your image, with AI should only be done when you know and trust the organization making the request.”

February Patch Tuesday Commentary From Fortra

Posted in Commentary with tags on February 10, 2026 by itnerd

By Tyler Reguly, Associate Director, Security R&D, Fortra

On first pass, this month looks pretty reasonable – 60 CVEs, including one assigned by the Chrome CNA. When you look a little more closely, you start to realize that there is a lot going on here. February can be a bit of a cold, dull month, but Microsoft has decided to heat things up a bit. The good news: there aren’t a lot of CVEs to deal with. The bad news: there’s actually a lot to unpack here.

We can’t ignore the fact that there are 6 actively exploited vulnerabilities included in this month’s patch drop. 10% of this month’s vulnerabilities are listed by Microsoft as exploit detected. That’s a significant portion of them.

There’s some common language in there too, with vulnerabilities impacting Windows Shell (CVE-2026-21510), MSHTML Framework (CVE-2026-21513), and Microsoft Word (CVE-2026-21514) all including the words ‘security feature bypass.’ Similarly, two of these vulnerabilities – CVE-2026-21519 in Desktop Windows Manager and CVE-2026-21533 in Windows Remote Desktop Services – both allow elevation of privilege to SYSTEM. The odd vulnerability out in this list is the Windows Remote Access Connection Manager vulnerability (CVE-2026-21525) because it is a local denial of service, something that Microsoft often rejects – refusing to assign CVEs and issue patches for these types of vulnerabilities on a regular basis.

The upside to this many actively exploited vulnerabilities? They are easy to resolve with regular Microsoft patches for Windows and Office and none of them require any post patch configuration steps.

If I’m a CSO this month, I’m less concerned about what my desktop and server security teams are patching and more concerned with my cloud ops teams. Sure, there are a lot of actively exploited vulnerabilities, but the normal patching process will resolve those. The 10 Azure CVEs representing 16.6% of the CVEs released this month are what I would be concerned about. While 3 of these (CVE-2026-21532, CVE-2026-24300, and CVE-2026-24302) are all marked as ‘No Customer Action Required,’ I’d still want to ensure that there was no evidence of issues in my cloud (or cloud adjacent) environments. For the other 7 CVEs, however, I’d hope that my team is looking closely at the variety of fixes that need to be performed to upgrade my environment.

It’s rather amusing to me to watch as we migrate everything to the cloud. With on-prem deployments, the vulnerability resolution process is mature – we know what patches look like, how to find unpatched software, and how to roll out the standard patch to multiple systems. With the cloud, we rely on scripts, full app replacements, and manual configuration to resolve a lot of the vulnerabilities. This puts a lot more pressure on the cloud ops team to fix these as well as the development teams that may be utilizing the related SDKs. This shifts the responsibility for maintaining systems away from traditional vulnerability management programs and may present headaches to CSOs trying to inventory and track the usage of these components in their environments.

LevelBlue and Fortra Launch Strategic Managed Services Partnership to Accelerate Cybersecurity Innovation

Posted in Commentary with tags on January 27, 2026 by itnerd

LevelBlue, the world’s largest pure-play provider of managed security services, today announced a strategic partnership with Fortra, a global leader in cybersecurity solutions. This collaboration integrates Fortra’s best-in-class solutions with LevelBlue’s elite managed services, delivering a comprehensive security offering designed to combat the evolving threat landscape.

The partnership marks a major milestone in LevelBlue’s mission to deliver world-class, proactive cybersecurity and secure what’s next for its clients, while also representing a significant step forward in Fortra’s evolution as a channel-first company focused on empowering resellers, service providers, and distributors to deliver its solutions.

As part of this long-term partnership, LevelBlue will acquire the managed services of Fortra’s Alert Logic Managed Detection and Response (MDR), Extended Detection and Response (XDR), and Web Application Firewall (WAF) solutions. LevelBlue’s expanded MDR platform, strengthened through recent acquisitions, will provide Alert Logic’s client base with access to a larger global footprint, broader threat telemetry, and accelerated detection and response across complex environments. In parallel, Fortra will become one of LevelBlue’s leading cybersecurity partners, making its best-in-class software and platforms available to LevelBlue’s global client base.

Fortra’s technologies complement and extend LevelBlue’s existing strengths across data security, brand protection, email security, and offensive security, adding additional depth, optionality, and specialization for LevelBlue clients. Together, LevelBlue and Fortra will provide clients with greater choice, broader coverage across the attack surface, and improved security outcomes, all delivered through LevelBlue’s managed services model.

This partnership further reinforces LevelBlue’s position as the global pure-play leader in MDR and managed cybersecurity services, while underscoring Fortra’s role as a global leader in cybersecurity software and solutions. Following the launch of Fortra’s new partner program, Fortra Protect, last year, the partnership with LevelBlue further illustrates Fortra’s commitment to work with the world’s best service providers and channel experts to serve cyber clients.

LevelBlue, an innovator in cloud-based, AI-driven managed security services, continues to expand its leadership as the world’s largest pure-play MSSP, offering one of the most comprehensive portfolios spanning managed security, offensive security, incident response, threat intelligence, and MDR. This scale and breadth enables clients and partners to accelerate threat detection, streamline security operations, reduce cyber risk, and continuously mature their cybersecurity posture, now with even more choice and value through Fortra’s complementary technologies.

Santander served as the exclusive financial advisor to LevelBlue in this transaction and Stephens served as the exclusive financial advisor to Fortra/Alert Logic.

FIRE Report: Fake Bank Logins Outsmart Google – How Attackers Are Hijacking Search to Target Financial Institutions 

Posted in Commentary with tags on January 26, 2026 by itnerd

Fortra’s Intelligence and Research Experts (FIRE) are tracking HaxorSEO (HxSEO), an active cybercrime marketplace that poses a direct threat to financial institutions by manipulating search rankings to drive phishing and fraud. Operating on Telegram and WhatsApp, HxSEO sells backlinks from long‑trusted, compromised domains, allowing fake financial login pages to outrank legitimate ones. For just a few dollars, attackers can scale account takeover, fraud, and malware delivery, turning customers’ routine online banking searches into high‑risk activities.

You can read the report here: https://www.fortra.com/blog/seo-poisoning-marketplace-topping-search-results-impersonating-top-financial-institutions

Guest Post: 115 CVEs Mark One of the Biggest January Patch Tuesdays Yet

Posted in Commentary with tags on January 13, 2026 by itnerd

By Tyler Reguly, Associate Director, Security R&D, Fortra

CISOs this month should be paying a lot of attention to CVE-2026-21265 and the guidance associated with it. More specifically, they should be looking at the Windows Secure Boot certificate expiration and CA Updates that Microsoft published June 26, 2025. When the Secure Boot certificates expire in June of this year, organizations that haven’t prepared will not only find Secure Boot no longer operational, but they may also find that Windows boot manager and Secure Boot vulnerabilities have become an issue. It is important to note that the document is not a single page, but contains a multitude of links – including an entire deployment playbook for IT professionals. With less than half a year to prepare, it is time to ensure that environments and teams are prepared for this update.

One of the more interesting updates this month is the Windows Agere Soft Modem Driver elevation of privilege (CVE-2023-31096). It is not often that you see a CVE from 3 years ago show up, but Microsoft is finally cleaning up a problem that has been around for a while. This driver ships with Microsoft Windows, but according to a post about this vulnerability, the driver has been EOL since 2016. The solution to this vulnerability is simply to remove the impacted drivers, agrsm64.sys and agrsm.sys, from systems.

If you’re a fan of statistics, here’s one for you. Microsoft moved away from the security bulletin system in February of 2017 and ushered in the new era of security guidance. Last year, January 2025, saw the largest January Patch Tuesday under this new system with 162 CVEs. This year, we see the third largest January Patch Tuesday with 115 CVEs. For those wondering, 2022 had the second largest January Patch Tuesday with 127 CVEs. This is also only the third time that we’ve seen more than 100 CVEs under the security guidance system. We’re sitting above the average 89 CVEs that we’ve seen over the 9 January Patch Tuesdays that we’ve had under the new system.
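The two action items in the post above, confirming that the Secure Boot CA update has been applied before the June expiry and confirming that the EOL Agere modem driver files are gone, are the kind of thing a defender wants to inventory across a fleet rather than eyeball. The PowerShell below is an added example, not code from Fortra or from the post; it assumes the 2023 certificate subjects published in Microsoft’s Secure Boot CA update guidance (the post does not name them), uses the driver file names the post gives for CVE-2023-31096, and must run elevated on a UEFI host because `Get-SecureBootUEFI` reads firmware variables. `Get-PatchTuesdayReadiness` is a hypothetical function name; it reports and changes nothing.

```powershell
# Added inventory check (not from the post). Run in an elevated PowerShell
# session on a UEFI Windows host. Returns a report object; nothing is changed.
function Get-PatchTuesdayReadiness {
    [CmdletBinding()]
    param(
        # Certificate subjects from Microsoft's Secure Boot CA update guidance
        # (assumed here; the post itself names no certificates).
        [string]$NewDbCa  = 'Windows UEFI CA 2023',
        [string]$NewKekCa = 'Microsoft Corporation KEK 2K CA 2023',
        # Driver files the post says should be removed for CVE-2023-31096.
        [string[]]$AgereDrivers = @('agrsm64.sys', 'agrsm.sys')
    )

    $report = [ordered]@{}

    # 1. Is Secure Boot actually enforcing? Confirm-SecureBootUEFI throws on
    #    legacy BIOS / CSM systems, so record that as "not applicable" ($null).
    try {
        $report.SecureBootEnabled = Confirm-SecureBootUEFI
    } catch {
        $report.SecureBootEnabled = $null
    }

    # 2. Have the 2023 CAs been enrolled? The db and KEK variables are raw EFI
    #    signature lists; each certificate's subject is stored as ASCII inside
    #    the DER blob, so a substring search over the bytes is enough here.
    $report.Db2023CaPresent  = $false
    $report.Kek2023CaPresent = $false
    if ($report.SecureBootEnabled) {
        $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
        $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)
        $report.Db2023CaPresent  = $db.Contains($NewDbCa)
        $report.Kek2023CaPresent = $kek.Contains($NewKekCa)
    }

    # 3. Are the EOL Agere modem drivers still on disk? Check the live drivers
    #    directory and the driver store, from which a removed driver could be
    #    reinstalled by Plug and Play.
    $found = @()
    $store = Join-Path $env:SystemRoot 'System32\DriverStore\FileRepository'
    foreach ($name in $AgereDrivers) {
        $live = Join-Path $env:SystemRoot "System32\drivers\$name"
        if (Test-Path $live) { $found += $live }
        Get-ChildItem -Path $store -Recurse -Filter $name -ErrorAction SilentlyContinue |
            ForEach-Object { $found += $_.FullName }
    }
    $report.AgereDriverFiles = $found

    # Summarise what still needs attention on this host.
    $report.NeedsAction = @()
    if ($report.SecureBootEnabled -and -not ($report.Db2023CaPresent -and $report.Kek2023CaPresent)) {
        $report.NeedsAction += 'Secure Boot 2023 CA update not applied'
    }
    if ($found.Count -gt 0) {
        $report.NeedsAction += 'Agere modem driver files present (CVE-2023-31096)'
    }

    [pscustomobject]$report
}

# Usage: print the report for the local machine.
Get-PatchTuesdayReadiness | Format-List
```

The certificate check deliberately stops at "is the new CA enrolled in db/KEK"; whether the boot manager has also been re-signed with the 2023 CA is a separate step in Microsoft's playbook, so a host that passes this check can still need work. Feed the returned object into whatever fleet inventory you already use so that the June deadline and the driver cleanup can be tracked per machine rather than assumed.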

December Patch Tuesday Commentary From Fortra

Posted in Commentary with tags on December 9, 2025 by itnerd

Tyler Reguly, Associate Director, Security R&D, Fortra

Let’s end the year with a statistic that I find somewhat interesting. In 2025, Microsoft patched 1275 vulnerabilities. That should mean roughly 106 vulnerabilities each month, yet December only saw 70 vulnerabilities when you include the third-party CNA vulnerabilities. If all things were equal, December should account for 8.3% of all CVEs fixed by Microsoft; instead, December only contains 5.5% of this year’s total CVEs. I suppose we can thank Microsoft for an early Christmas gift.

We’re ending the year with a vulnerability that is seeing active exploitation, the use-after-free vulnerability in the Windows Cloud Files Mini Filter (CVE-2025-62221). Given that this vulnerability is seeing active exploitation and could lead to SYSTEM level access, this should be the priority for patching this month.

There are two vulnerabilities that Microsoft has rated as Critical this month and it is probably more important that we discuss these than the two publicly disclosed vulnerabilities. For that reason, I would prioritize CVE-2025-62557 and CVE-2025-62554, a pair of use-after-free vulnerabilities in Office, over CVE-2025-54100 and CVE-2025-64671, command injection vulnerabilities in PowerShell and GitHub Copilot for JetBrains. All 4 vulnerabilities are listed as exploitation less likely, but the Office vulnerabilities list the Preview Pane as an attack vector, and I always find that one of the scariest attack vectors that can be listed. Vulnerabilities that don’t rely on user interaction are vulnerabilities that we want to pay attention to.

CISOs this month should remember that their admins have remediated (or at least reviewed) 1275 vulnerabilities from just Microsoft alone this year. It’s been a long, vulnerability-filled year for our security teams and I’d imagine they’re tired. Thankfully, Microsoft provided this gift of a smaller Patch Tuesday without too many high-profile items… let your teams relax a little as we wrap up the year; there’s enough other items to keep them busy without stressing over this Patch Tuesday release.

If I were in charge of all aspects of security for an enterprise as we wrap up the year and think about 2026 budgets, I’d probably be thinking about the two critical Office vulnerabilities that impact the Preview Pane and consider the email protections that I have in place and where I can make investments in 2026 to further improve the email security of my organization. Between “silent attacks” that utilize the preview pane, phishing, and all the other risks that come to us via email, it is one of the places where organizations can still do more to shore up their security posture and put themselves in a good place.

Adistec and Fortra announce Strategic Partnership to Accelerate Cybersecurity Growth Across Latin America

Posted in Commentary with tags on November 20, 2025 by itnerd

Adistec, a leading value-added distributor with 20+ years of experience developing IT channels across Latin America, is excited to announce a strategic alliance with global cybersecurity leader Fortra, to expand the availability of its cybersecurity portfolio throughout all regional LATAM operations. This distribution agreement positions Adistec as a key regional enabler for Fortra’s go-to-market strategy.

Fortra offers an integrated ecosystem of advanced offensive and defensive cybersecurity solutions that help organizations break the cyber attack chain. Its portfolio includes data security technologies like DLP, DSPM, and data classification, brand protection, and offensive security products Core Impact, Cobalt Strike, and Outflank Security Tooling.

A Strategic Alliance to Transform LATAM Cybersecurity Readiness

The integration of Fortra’s solutions into Adistec’s regional portfolio gives partners access to a cohesive suite designed to support multiple security requirements — from offensive validation of defenses to regulatory compliance and protection of sensitive data.

Marcelo Gardelin, Strategic Alliance Director for Adistec adds: “Our collaboration with Fortra reinforces Adistec’s mission to strengthen digital resilience across Latin America. By combining our value-added capabilities with Fortra’s industry-leading technologies, we empower partners to deliver continuous, integrated security to organizations of every size.”

2026 Cyber Predictions From Fortra

Posted in Commentary with tags on November 17, 2025 by itnerd

The Fortra Intelligence and Research Experts (FIRE) team have released 2026 predictions that uncover the darker side of AI and the next evolution of cyber defense.

John Grancarich, Chief Strategy Officer

Brand protection will expand the attack surface. The attack surface as it stands now includes an organization’s brand, its executives and its online reputation. By 2026, protecting trust beyond the network – across the open web, social platforms and dark web – will become as critical as protecting the network itself.

Tyler Reguly, Associate Director, Security R&D

Companies that over-invest in AI and put emphasis on AI over humans will start to struggle. As everyone likes to say, ‘Today, AI is the worst it will ever be.’ With that said, AI isn’t great. It is costly and limited in capabilities. While some tasks are performed amazingly, others demonstrate the real weakness in reliance on AI. AI is a tool and should be treated as such. It can increase productivity, but it can’t be productive on its own. That requires human expertise, and companies that realize that early and retain their experts will prosper over those that adopt AI-only strategies.

Josh Taylor, Lead Security Analyst, Fortra

Attacks on critical infrastructure will accelerate. Nation-state and criminal actors will target energy, healthcare, and transportation systems with cyber-physical impacts, turning outages and disruptions into strategic weapons. Enterprises in these sectors must treat cybersecurity as a safety imperative and plan for worst-case operational scenarios.

November Patch Tuesday Commentary From Fortra

Posted in Commentary with tags on November 12, 2025 by itnerd

Tyler Reguly, Associate Director, Security R&D, Fortra

Microsoft seems to have decided that the past few months have given us all the entertainment that we needed and toned things down a little this month. We do have one CVE that has seen active exploitation (CVE-2025-62215) and 6 CVEs that Microsoft has assigned a severity level of Critical (CVE-2025-60724, CVE-2025-62214, CVE-2025-62199, CVE-2025-60716, CVE-2025-60724, CVE-2025-30398). This set includes the single CVE, CVE-2025-60724, to also earn a critical severity on the CVSS scale with a score of 9.8. That 9.8 is something that will likely get a lot of discussion.

One of the things that makes CVE-2025-60724 interesting is a remark that Microsoft made in the FAQ, “In the worst-case scenario, an attacker could trigger this vulnerability on web services by uploading documents containing a specially crafted metafile (AV:N) without user interaction.” This is where I tend to find fault with the way Microsoft handles these vulnerabilities. We have traditional Windows cumulative updates, but a very non-standard attack vector – file upload. There are plenty of unknowns with this one and a lot of questions that we could ask… “Does the technology matter? The backend language processing the metafile? The web server selection?” Microsoft isn’t exactly giving me a lot of confidence that I could mitigate or reduce my risk if patching isn’t immediately possible.

If I’m a CISO, then CVE-2025-60724 has me worried this month. We have a vulnerability that Microsoft and CVSS agree is critical and an attack vector that requires no user interaction and no privileges, just the ability to upload a file. We know nothing about the file type, the technologies that are impacted (other than GDI+ in the title), or the services impacted. Do I need to worry about my SharePoint infrastructure? What about third-party software – my wiki or my bug tracker? This is definitely one that feels a little spooky without a lot of extra details being provided.

While not directly related to today’s patch drop, I wanted to call attention to the additional documentation (via blog post: https://www.microsoft.com/en-us/msrc/blog/2025/10/understanding-cve-2025-55315) that Microsoft published related to CVE-2025-55315. This is fantastic additional context around the vulnerability and the risks involved. This is the type of documentation that we should see for every critical or actively exploited vulnerability that Microsoft patches. If you are a CISO or in communication with a Microsoft TAM, you should reach out and let them know that this is an improvement to their communication and that releasing content like this for more vulnerabilities and in a more timely fashion would be hugely beneficial to the security community.

Guest Post: Cybersecurity Tips for the Holidays From Fortra

Posted in Commentary with tags on November 7, 2025 by itnerd

By John Wilson, Senior Fellow, Threat Research at Fortra

1. Holiday Job Scams

The holiday season often brings a surge in temporary and remote job listings — and scammers are taking advantage of those looking for work. They pose as recruiters from well-known companies, send fake job offers to collect personal information, and demand upfront payments for “training” or “equipment.” They are even incorporating AI, making scams increasingly difficult to identify.

Before accepting any offer, verify the opportunity directly through the company’s official website or HR department. Legitimate employers will never ask for money or sensitive data during the hiring process. A few red flags: No company is going to hire you without an interview no matter how qualified you may be for the position. Scam job offerings almost always mention a minimum age requirement. This is so they have an excuse to ask for a photo of your ID. Finally, look to see who sent the message and who it was sent to. A lot of scam texts and emails will come from a strange phone number or email address, and many scammers will send messages to numerous recipients at the same time.

2. Gift Card Scams

The use of gift cards during the holiday season ramps up, and so does the attackers’ exploitation of them. Attackers can send their victims emails claiming they’ve won a gift card or received a gift. These may even be customized with AI-generated images and tend to impersonate popular retailer brands to increase the authenticity of the fake gift card. But to claim it, they’ll say you must give your personal information or pay a shipping fee first.

If you receive a message like this, remember that legitimate companies will not ask you for payment to receive a gift card.

3. Fake Shopping Websites and Ads

Fake websites, such as phishing sites or phishing, remain a top threat for consumers conducting their holiday shopping online. Cybercriminals often create ‘eCommerce’ websites optimized for search engines and offer goods at below-market prices to entice consumers into making a purchase. These sites may even be shared on social media platforms and circulate around as fake enticing ads to lure as many victims as possible.

When you hand over your payment details by shopping on these sites, the hackers record them and use them to commit identity fraud and fraudulent purchases later.

4. Always Use Secure Payment Methods

Never use a debit card online and avoid other payment methods that don’t provide adequate fraud protection when conducting your holiday online shopping. Credit cards tend to be a safer option against fraud, and services such as Apple Pay or Google Pay are generally more secure than entering your card information directly. Some credit card issuers enable you to create virtual card numbers to use on a single website. This is helpful because the card number can’t be used by a scammer to clone your credit card or to purchase from some other website.

This could protect you from fraud and impersonation, and reduce the likelihood of an attacker compromising your bank accounts.

5. Travel Scams

The holiday season is the season of travel, and scammers are always on the lookout for ways to take advantage of these vacation plans. Victims can receive phishing emails offering discounted travel deals and offers that impersonate legitimate online travel service providers. Booking travel plans through these fake malicious sites can compromise your sensitive personal information and even lead to financial losses.

Always verify the legitimacy of websites by navigating to the service provider’s website directly instead of using suspicious links embedded in emails, use secure payment methods to protect your personal information, and remember – if a deal is too good to be true, it likely is.