Good Morning Security Gang
I hope your new year’s been great so far. Mine’s been powered by espresso and patching chaos. We’re diving right into a massive week of cybersecurity headlines that set the tone for what’s ahead.
Today we’re covering Jaguar Land Rover’s shocking 43% drop in sales after a crippling cyberattack, the UK government’s new Cyber Action Plan, China ramping up energy attacks on Taiwan, and several urgent vulnerability patches from Android, Veeam, and n8n, including the return of LockBit 5.0. We’ll also talk about D-Link router exploitation and a stealthy Doticat malware campaign compromising Microsoft Exchange servers.
So, coffee cup cheers, y’all — I’m running on a Lavazza Super Crema capsule this morning, because I’m late, but I’m ready. Let’s get right into it.
Jaguar Land Rover Reports 43% Sales Drop Post-Cyberattack
The fallout from Jaguar Land Rover’s ransomware attack continues — and it’s brutal. The company confirmed a 43% plunge in global wholesale volumes tied directly to the cyber incident.
Production, logistics, and distribution all ground to a halt, crippling deliveries and inventory flow.
North America was hit hardest, with a 64% sales decline, while Europe fell 48%, and China 46%. Even the UK saw disruptions, though domestic operations cushioned the blow with only a 0.9% decline.
The attack cost the company roughly $220 million in one quarter, prompting a £1.5 billion government bailout. The Bank of England even cited the breach as a drag on national GDP.
As I said on the show:
“This isn’t a network outage — it’s an economic event. A 43% global sales hit is what cyber risk looks like when it becomes real.”
This case will define how boards view cybersecurity in 2026 — not as a cost center, but as a revenue protector.
UK Government Launches New Cyber Action Plan
After acknowledging its old strategies failed, the UK government announced a new Cyber Action Plan aimed at defending national infrastructure.
The initiative comes directly in response to the JLR attack and its impact on GDP.
The plan introduces baseline security controls across government and critical industry sectors — MFA, logging, vulnerability management, SBOM requirements, and resilience testing for essential services.
In my words: “The Brits just admitted what most governments won’t — that what they’ve been doing hasn’t worked. But this is their chance to build a real CISA-style response unit.”
It’s a candid moment for the UK — and a step toward building a central cybersecurity command that can actually enforce standards across Whitehall and critical suppliers.
China’s Energy Attacks on Taiwan Surge Tenfold
Taiwan’s energy sector is now facing a tenfold increase in cyberattacks from China’s military-linked groups.
These attacks target operational and billing systems — aiming to disrupt maintenance and power distribution, especially during high-tension periods.
What’s fascinating is the timing. Just as the U.S. carried out a covert nighttime extraction operation in Venezuela, cutting power in Caracas, China’s escalation against Taiwan may have been a test case.
As I said on air:
“This isn’t just hacking — it’s geopolitical signaling. The U.S. flipped Caracas’s lights out to send Beijing a message: we can do to you what you plan to do to Taipei.”
These attacks blend credential abuse, phishing, and living-off-the-land tactics to burrow into vendor networks. CISOs with East Asia dependencies must segment, monitor, and validate every connection — because the cyber-kinetic line is fading fast.
Android Patches Critical Dolby RCE Flaw
Google’s January patch dropped with a critical Dolby Media Framework vulnerability (CVE-2025-5549) enabling remote code execution via crafted media files.
This flaw lives in devices your staff carry into meetings every day. Enforce patch levels enterprise-wide through MDM policies, and block unknown media attachments on managed Android devices.
Push this update immediately — especially on devices accessing enterprise SaaS apps or communications platforms.
Veeam Fixes Critical RCE Vulnerability
Veeam issued an urgent patch for CVE-2025-5470, a remote code execution flaw in its Backup & Replication software, rated 9.0 CVSS.
Attackers exploiting this bug could gain control over backup servers, pivot laterally, and disable ransomware recovery.
Patch now, remove public management access, rotate credentials, and alert on unexpected restore or export jobs. This vulnerability hits the heart of business continuity systems — and that’s where attackers strike hardest.
n8n Automation Platform Discloses CVSS 10 RCE Flaw
Open-source workflow tool n8n has disclosed a CVSS 10.0 remote code execution vulnerability (CVE-2026-21877) — the first 2026 CVE of the year.
Low-code automation tools often run with broad API and credential access, making this flaw particularly dangerous.
Organizations should upgrade to version 1.121.3 or later, restrict admin access to VPN or allowlists, and rotate API keys immediately.
As I said: “n8n is the new shadow IT — it’s what connects your workflows, but it’s also what attackers can use to own them.”
LockBit 5.0 Ransomware Emerges
LockBit 5.0 is back — leaner, faster, and nastier. Despite multiple takedowns, LockBit’s infrastructure has re-emerged with automated initial access tools and faster encryption speed.
Defenders should prioritize patching KEV vulnerabilities, disable VPNs without MFA, and hunt for common loader chains like Office macros, archives, and PowerShell-based loaders.
LockBit’s persistence proves one thing: ransomware isn’t dying — it’s industrializing.
D-Link DSL Routers Exploited
Attackers are exploiting a remote code execution flaw in legacy D-Link DSL routers, turning them into footholds into corporate SaaS environments.
If your branch offices or rural sites still run DSL, isolate these devices behind an ISP router, disable remote admin access, and monitor for DNS tampering or rogue egress traffic.
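The monitoring advice above can be turned into a concrete check. The script below is an added example for this post, not anything from the show or from D-Link: it compares the DNS servers a branch router hands out over DHCP against an approved resolver list, then scans NetFlow-style records for DNS sent to unapproved resolvers, DNS-over-TLS bypass on port 853, and router-originated connections to ports the router has no business using. The approved resolvers, router address, allowed egress ports, config snapshot and flow records are all constructed assumptions for the example.

```python
"""Spot DNS tampering and rogue egress from branch DSL routers.

Added example, not from the show or from D-Link. Every address, port
allowlist, config snapshot and flow record below is constructed.
"""
import ipaddress

# Resolvers the branch is supposed to use (assumption: internal resolvers).
APPROVED_RESOLVERS = {
    ipaddress.ip_address("10.0.0.53"),
    ipaddress.ip_address("10.0.1.53"),
}

# LAN addresses of the branch routers themselves (constructed, TEST-NET-1).
BRANCH_ROUTERS = {ipaddress.ip_address("192.0.2.1")}

# Destination ports a router may legitimately originate traffic to
# (assumption: NTP and vendor HTTPS). Anything else from the router is suspect.
ALLOWED_ROUTER_EGRESS_PORTS = {123, 443}

# Constructed snapshot of the DNS servers the router advertises via DHCP.
# The second entry is what a tampered router would push to clients.
ROUTER_DHCP_SNAPSHOT = {"lan_dns": ["10.0.0.53", "198.51.100.9"]}

# Constructed NetFlow-style records from the branch uplink.
FLOWS = [
    {"src": "192.0.2.10", "dst": "10.0.0.53", "dport": 53, "proto": "udp"},
    {"src": "192.0.2.10", "dst": "198.51.100.9", "dport": 53, "proto": "udp"},
    {"src": "192.0.2.1", "dst": "203.0.113.7", "dport": 443, "proto": "tcp"},
    {"src": "192.0.2.1", "dst": "203.0.113.7", "dport": 4444, "proto": "tcp"},
    {"src": "192.0.2.10", "dst": "203.0.113.7", "dport": 853, "proto": "tcp"},
]


def check_dns_config(snapshot, approved=APPROVED_RESOLVERS):
    """Return advertised DNS servers that are not on the approved list."""
    return [s for s in snapshot["lan_dns"]
            if ipaddress.ip_address(s) not in approved]


def flag_flows(flows, approved=APPROVED_RESOLVERS, routers=BRANCH_ROUTERS,
               egress_ports=ALLOWED_ROUTER_EGRESS_PORTS):
    """Return (finding_type, flow) pairs for DNS tampering and rogue egress."""
    findings = []
    for flow in flows:
        src = ipaddress.ip_address(flow["src"])
        dst = ipaddress.ip_address(flow["dst"])
        dport = flow["dport"]

        # Classic DNS to a resolver we never approved: hijacked DHCP/DNS settings.
        if dport == 53 and dst not in approved:
            findings.append(("dns_to_unapproved_resolver", flow))
        # DNS over TLS on 853 bypasses the approved resolvers entirely.
        elif dport == 853:
            findings.append(("dns_over_tls_bypass", flow))

        # The router itself should only talk outbound on a few known ports.
        if src in routers and dport not in egress_ports:
            findings.append(("router_rogue_egress", flow))
    return findings


if __name__ == "__main__":
    for server in check_dns_config(ROUTER_DHCP_SNAPSHOT):
        print(f"[CONFIG] router advertises unapproved DNS server {server}")
    for kind, flow in flag_flows(FLOWS):
        print(f"[FLOW] {kind}: {flow['src']} -> {flow['dst']}:{flow['dport']}/{flow['proto']}")
```

Port-based detection cannot see DNS-over-HTTPS on 443, so the config check matters as much as the flow check: a tampered router usually shows up first in what it advertises to clients.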
Or better yet — replace them. As I said: “If you’re still on DSL in 2026, it’s time to join the rest of the century — Starlink’s calling.”
Doticat Malware Targets Microsoft Exchange Servers
The Doticat malware is actively exploiting unpatched Microsoft Exchange servers via IIS modules, performing credential harvesting and mailbox exfiltration.
Enterprises should upgrade to supported Exchange builds, enable extended protection, and rotate service credentials and certificates. Watch for odd mailbox export spikes or child processes linked to Exchange — these are clear indicators of compromise.
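Both the LockBit loader-chain hunt above (Office macros and PowerShell-based loaders) and the Exchange child-process indicator here come down to the same question: which parent processes spawned a shell or script host? The script below is an added example for this post, not code from the show, from Microsoft or from any vendor. It walks Sysmon-style process-creation events, flags cmd/PowerShell/script-host children of the IIS worker (w3wp.exe) and of Office applications, and raises severity when the command line shows encoded or hidden PowerShell. The event records and the parent/child lists are constructed assumptions; tune them to your own telemetry.

```python
"""Hunt for shell and script-host children of Exchange IIS workers and Office apps.

Added example, not from the show, Microsoft or any vendor. The events below are
constructed telemetry in a Sysmon-like parent/child shape.
"""
import ntpath
import re

# Parents that run web or user workloads but should almost never spawn a shell:
# a web shell loaded as an IIS module, or a macro acting as a loader.
WATCHED_PARENTS = {
    "w3wp.exe": "Exchange/IIS worker",
    "winword.exe": "Word",
    "excel.exe": "Excel",
    "outlook.exe": "Outlook",
}

# Script hosts and living-off-the-land binaries typical at the start of a chain.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
}

# Command-line traits that raise confidence: encoded, hidden, or downloading PowerShell.
HIGH_CONFIDENCE = re.compile(
    r"(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|downloadstring)", re.I)

SAMPLE_EVENTS = [  # constructed, not from any real incident
    {"host": "EXCH01", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"host": "EXCH01", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmdline": "csc.exe /noconfig /fullpaths"},
    {"host": "WS-042", "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc SQBFAFgAIAAo"},  # truncated constructed string
    {"host": "WS-042", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe"},
    {"host": "WS-042", "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe", "cmdline": "splwow64.exe 12288"},
]


def _name(path):
    """Lower-cased file name of a Windows path, so case and directory do not matter."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return (severity, reason) for a suspicious event, or None if it is benign."""
    parent = _name(event["parent"])
    child = _name(event["image"])
    if parent not in WATCHED_PARENTS or child not in SUSPICIOUS_CHILDREN:
        return None
    cmdline = event.get("cmdline", "")
    severity = "high" if HIGH_CONFIDENCE.search(cmdline) else "medium"
    reason = f"{WATCHED_PARENTS[parent]} ({parent}) spawned {child}"
    return severity, reason


def hunt(events):
    """Run classify() over every event and collect the findings in order."""
    findings = []
    for event in events:
        hit = classify(event)
        if hit is None:
            continue
        severity, reason = hit
        findings.append({
            "host": event["host"],
            "severity": severity,
            "reason": reason,
            "cmdline": event.get("cmdline", ""),
        })
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['severity'].upper()}] {f['host']}: {f['reason']} :: {f['cmdline']}")
```

The benign rows matter as much as the hits: an IIS worker compiling ASP.NET code or Word handing off to the print spooler is normal, and a user opening PowerShell from Explorer is not a loader chain. Keep the parent and child lists narrow so the alert stays actionable.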
Doticat demonstrates how legacy email systems remain prime targets for espionage and persistence campaigns.
Action List
🚗 Use JLR as a case study: quantify cyber risk in business impact terms.
🇬🇧 Adopt baseline controls — MFA, SBOM, and logging — per UK’s model.
🇨🇳 Audit third-party exposure to East Asia and enforce segmentation.
📱 Deploy January Android patch and restrict side-loaded media apps.
💾 Patch Veeam and monitor backup operations for anomalies.
🔑 Update n8n automation tools and rotate all stored API credentials.
💣 Harden VPNs with MFA and hunt for PowerShell execution chains.
🧱 Replace outdated D-Link routers and monitor for DNS hijacking.
✉️ Upgrade Exchange builds and hunt for rogue mailbox exports.
James Azar’s CISO’s Take
Today’s episode underscores one thing — the business impact of cyber risk has never been more real. Jaguar Land Rover’s 43% sales collapse is the wake-up call we’ve been talking about for years. When cybersecurity fails, the economy feels it.
My biggest takeaway? 2026 is the year cybersecurity becomes operational. Boards, regulators, and governments are moving from theory to execution. Whether it’s the UK’s new plan, Taiwan’s cyber resilience, or Veeam’s patch urgency — the conversation has shifted from “if” to “how fast.” And for CISOs, that means leading the change — not just reporting it.
Stay alert, stay caffeinated, and as always — stay cyber safe.