It's been a busy 24 hours in the cyber world with significant updates on recent attacks, actively exploited vulnerabilities, new malware campaigns, and a reminder about the ever-evolving privacy landscape. Let's take a look:
Kyowon Group Hit by Suspected Ransomware
- South Korea's Kyowon Group, a major education and lifestyle company, shut down parts of its network after identifying a suspected ransomware attack.
- The company confirmed an extortion demand and is investigating potential data leakage, including sensitive customer information, possibly affecting millions.
- This incident follows other high-profile data breaches in South Korea, prompting pledges for stronger data protection laws.
The Record | https://therecord.media/kyowon-group-south-korea-suspected-ransomware-attack
Dutch Port Hacked for Cocaine Smuggling
- A Dutch appeals court upheld a seven-year prison sentence for a man who hacked port IT systems using malware-stuffed USB sticks to aid cocaine smugglers.
- The attacker gained months of remote access, exploring the network and hunting for admin rights, even live-blogging the break-in via encrypted chats.
- The case highlights the real-world impact of cyber intrusions facilitating organised crime, with the hack directly enabling a 210 kg cocaine shipment.
The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/13/dutch_port_hacker_appeal/
Black Axe Leaders Arrested in Spain
- Spanish police, supported by Europol, arrested 34 alleged cybercriminals, including leaders of the transnational Black Axe organisation, across four cities.
- Black Axe is known for business email compromise (BEC) scams, money laundering, and vehicle trafficking, with estimated fraud exceeding $6.9 million.
- The operation froze $139,000 in bank accounts and seized cash, vehicles, and devices, significantly disrupting the hierarchical, Nigerian-led group.
CyberScoop | https://cyberscoop.com/black-axe-disruption-arrests-spain/
Supreme Court Filing System Hack
- A Tennessee man is expected to plead guilty to a misdemeanor charge for hacking into the U.S. Supreme Court's electronic case filing system on 25 occasions between August and October 2023.
- Nicholas Moore, 24, "intentionally accessed a computer without authorization," though details on the specific information accessed were not released.
- This incident underscores ongoing vulnerabilities in federal judicial systems, which have seen strengthened protections following sophisticated cyberattacks.
The Record | https://therecord.media/guilty-plea-hacking-supreme-court-case-filing-system
Malicious Chrome Extension Steals MEXC API Keys
- A malicious Google Chrome extension, "MEXC API Automator," is actively stealing API keys from the MEXC cryptocurrency exchange by masquerading as a trading tool.
- The extension programmatically creates new API keys with withdrawal permissions, hides these permissions in the UI, and exfiltrates the keys to a Telegram bot.
- This attack leverages an already authenticated browser session, bypassing traditional authentication, and grants attackers unfettered access to victims' crypto accounts.
The Hacker News | https://thehackernews.com/2026/01/malicious-chrome-extension-steals-mexc.html
Gogs Zero-Day Under Active Exploitation
- CISA has added CVE-2025-8110, a high-severity path traversal vulnerability in the Gogs self-hosted Git service, to its KEV catalog due to active exploitation.
- The flaw allows authenticated users to bypass previous fixes (CVE-2024-55947) by exploiting symbolic link handling in the PutContents API, leading to remote code execution.
- With no official patch yet, federal agencies are mandated to apply mitigations by February 2, 2026, or cease using Gogs, while other users should disable open registration and restrict access.
The Hacker News | https://thehackernews.com/2026/01/13/cisa-warns-of-active-exploitation-of.html
The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/13/cisa_gogs_exploit/
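The Gogs item above describes the general bug class: a write API that checks the requested path lexically, but not the symbolic links already on disk, so a link inside the repository can redirect a write outside it. The following is an added illustration of the containment check such an API needs; it is written in Python as a stand-alone demonstration and is not Gogs code, and the scratch repository, the symlink it contains and the three request paths are constructed for the example.

```python
import os
import tempfile


class UnsafePathError(ValueError):
    """Raised when a requested path would land outside the repository root."""


def resolve_inside_root(root: str, relative_path: str) -> str:
    """Return the on-disk path for `relative_path` under `root`, or raise
    UnsafePathError if any component escapes the root, including via a symlink.

    Illustrative check for the path-traversal class described above; not the
    project's own implementation.
    """
    root_real = os.path.realpath(root)
    if os.path.isabs(relative_path):
        raise UnsafePathError("absolute paths are not allowed")
    candidate = os.path.join(root_real, relative_path)

    # Lexical check: catches "../" escapes but is blind to symlinks on disk.
    if os.path.commonpath([root_real, os.path.normpath(candidate)]) != root_real:
        raise UnsafePathError("path escapes root lexically")

    # Walk every component and refuse to write through a symlink, so a link
    # committed earlier cannot redirect a later write outside the root.
    current = root_real
    for part in os.path.normpath(relative_path).split(os.sep):
        current = os.path.join(current, part)
        if os.path.islink(current):
            raise UnsafePathError(f"symlink in path: {part}")

    # Final check on the fully resolved path, after following whatever is left.
    if os.path.commonpath([root_real, os.path.realpath(candidate)]) != root_real:
        raise UnsafePathError("resolved path escapes root")
    return candidate


def demo() -> dict:
    """Build a scratch repo containing a symlink that points outside it and
    report which write requests the check accepts (True) or rejects (False)."""
    results = {}
    with tempfile.TemporaryDirectory() as outside, tempfile.TemporaryDirectory() as repo:
        # Constructed fixture: a symlink named "link" inside the repo -> a directory outside it.
        os.symlink(outside, os.path.join(repo, "link"))
        cases = {
            "plain": "docs/readme.md",        # ordinary path, should be accepted
            "dotdot": "../escape.txt",         # lexical traversal, should be rejected
            "via_symlink": "link/escape.txt",  # traversal through the symlink, should be rejected
        }
        for name, rel in cases.items():
            try:
                resolve_inside_root(repo, rel)
                results[name] = True
            except UnsafePathError:
                results[name] = False
    return results


if __name__ == "__main__":
    print(demo())
```

The lexical check alone accepts the `link/escape.txt` case, which is exactly the gap a symlink-based bypass of an earlier traversal fix relies on; only the per-component `islink` walk rejects it. The check is deliberately strict: it also refuses symlinks whose target is inside the root, which is the safer default for a write path that untrusted users can reach.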
ServiceNow AI Platform Critical Flaw
- ServiceNow patched CVE-2025-12420, a critical 9.3 CVSS vulnerability in its AI Platform, allowing unauthenticated users to impersonate others and perform arbitrary actions.
- The flaw stemmed from a universal credential ("servicenowexternalagent") and lack of password/MFA for user identity verification, which could lead to full platform takeover.
- Although no in-the-wild exploitation has been confirmed, the vulnerability was deemed the "most severe AI-driven vulnerability to date" due to ServiceNow's deep integration across enterprise IT.
The Hacker News | https://thehackernews.com/2026/01/servicenow-patches-critical-ai-platform.html
Dark Reading | https://www.darkreading.com/remote-workforce/ai-vulnerability-servicenow
AI/ML Python Libraries RCE Vulnerabilities
- Vulnerabilities in popular AI/ML Python libraries (Nvidia's NeMo, Salesforce's Uni2TS, Apple/EPFL VILAB's FlexTok) allow remote code execution via poisoned metadata.
- The flaws exploit Hydra's instantiate() function, which can execute arbitrary callables, enabling attackers to hide malicious code in model metadata that runs automatically upon loading.
- Patches have been issued for NeMo (CVE-2025-23304) and Uni2TS (CVE-2026-22584), and FlexTok has also been fixed; users are urged to load models only from trusted sources.
The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/13/ai_python_library_bugs_allow/
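Hydra's instantiate() resolves whatever import path appears under a `_target_` key and calls it, so a loader that hands untrusted model metadata straight to instantiate() lets the metadata's author pick what runs. The block below is an added example of the pre-check a loader can run before instantiating: it walks the metadata tree, collects every `_target_` anywhere in it, and reports any target outside an allowlist. It is not code from NeMo, Uni2TS, FlexTok or Hydra; the two metadata documents, the `torch.nn.`/`torch.optim.` allowlist and the placeholder payload are all constructed for the example, and it uses only the standard library so it runs without Hydra installed.

```python
from __future__ import annotations

import json
from typing import Iterator

# Constructed sample metadata in the Hydra style; not a real NeMo/Uni2TS/FlexTok file.
SAFE_METADATA = json.loads("""
{
  "model": {"_target_": "torch.nn.Linear", "in_features": 128, "out_features": 64},
  "optim": {"_target_": "torch.optim.AdamW", "lr": 0.001}
}
""")

# Same shape, but with an extra nested node whose _target_ is an arbitrary callable.
# Nothing here is executed; it is only input to the scanner.
POISONED_METADATA = json.loads("""
{
  "model": {
    "_target_": "torch.nn.Linear",
    "in_features": 128,
    "out_features": 64,
    "init": {"_target_": "os.system", "_args_": ["<constructed placeholder>"]}
  }
}
""")

# Module prefixes the loader is willing to instantiate. Constructed for this example;
# a real loader would derive the list from the framework's own class hierarchy.
ALLOWED_TARGET_PREFIXES = ("torch.nn.", "torch.optim.")


def iter_targets(node, path: str = "$") -> Iterator[tuple[str, str]]:
    """Yield (json_path, target) for every `_target_` key at any depth of the tree."""
    if isinstance(node, dict):
        if "_target_" in node:
            yield path, str(node["_target_"])
        for key, value in node.items():
            yield from iter_targets(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from iter_targets(value, f"{path}[{i}]")


def find_disallowed_targets(metadata) -> list[tuple[str, str]]:
    """Return every (path, target) whose target is outside the allowlist."""
    return [
        (path, target)
        for path, target in iter_targets(metadata)
        if not target.startswith(ALLOWED_TARGET_PREFIXES)
    ]


def is_safe_to_instantiate(metadata) -> bool:
    """True only if every _target_ in the metadata is on the allowlist;
    call this before handing the config to hydra.utils.instantiate()."""
    return not find_disallowed_targets(metadata)


if __name__ == "__main__":
    print("safe:", is_safe_to_instantiate(SAFE_METADATA))
    print("poisoned:", find_disallowed_targets(POISONED_METADATA))
```

The scan is recursive on purpose: Hydra instantiates nested `_target_` nodes as well as the top-level one, so a check that only inspects the root object misses exactly the kind of buried node shown in the poisoned sample. Prefix matching is a coarse policy; a stricter loader would compare against a fixed set of fully qualified class names.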
Kremlin-linked Hackers Target Ukraine Military
- CERT-UA reports a new cyber-espionage campaign by Void Blizzard (UAC-0190) targeting Ukraine's military personnel using a novel PluggyApe malware.
- Attackers impersonate charitable organisations and use messaging apps like Signal and WhatsApp to deliver password-protected malicious executables.
- This campaign highlights a shift towards highly tailored social engineering, leveraging trusted communication channels and detailed target knowledge to deliver malware.
The Record | https://therecord.media/kremlin-linked-hackers-pose-as-charities-spy-ukraine
SHADOW#REACTOR Delivers Remcos RAT
- A new campaign, SHADOW#REACTOR, uses an evasive multi-stage Windows attack chain to deploy the Remcos RAT for persistent remote access.
- The infection leverages obfuscated VBS launchers, PowerShell downloaders, fragmented text-based payloads, and a .NET Reactor-protected loader to complicate detection.
- This broad, opportunistic activity, likely by initial access brokers, abuses LOLBins like MSBuild.exe and employs self-healing mechanisms to ensure payload delivery.
The Hacker News | https://thehackernews.com/2026/01/new-malware-campaign-delivers-remcos.html
AsyncRAT Campaign Abuses Cloudflare & Python
- An emerging phishing campaign is delivering AsyncRAT by exploiting Cloudflare's free-tier services (TryCloudflare tunneling) and legitimate Python downloads.
- Attackers use Dropbox links with double-extension files (.pdfurl) in phishing emails, installing a full Python environment to inject code into explorer.exe.
- This technique masks malicious activity under trusted domains and legitimate tools, making detection challenging and highlighting the ongoing effectiveness of phishing and abuse of legitimate services.
Dark Reading | https://www.darkreading.com/endpoint-security/attackers-abuse-python-cloudflare-deliver-asyncrat
AVCheck Malware Kingpin Arrested
- Dutch police arrested a 33-year-old man at Amsterdam's Schiphol Airport, believed to be the mastermind behind the AVCheck online platform.
- AVCheck was a counter-antivirus (CAV) service, shuttered in May by Operation Endgame, that allowed cybercriminals to test malware against various AV products to evade detection.
- The arrest underscores ongoing international law enforcement efforts to dismantle critical components of the cybercrime ecosystem.
The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/13/avcheck_arrest/
North Korea's IT Worker & Crypto Theft Schemes
- The U.S. urged UN member states to take tougher action against North Korea's IT worker scheme and cryptocurrency heists, which fund its weapons programs.
- A 140-page report highlights that over 40 countries are impacted, with North Korean IT workers stealing identities to secure remote jobs and laundered crypto funds exceeding $2 billion last year.
- China and Russia were criticised for providing safe havens, with 1,500 North Korean IT workers estimated in China alone, violating UN Security Council Resolutions.
The Record | https://therecord.media/40-countries-impacted-nk-it-thefts-united-nations
India's Strict Crypto KYC/AML Rules
- India's Financial Intelligence Unit (FIU-IND) updated regulations for crypto service providers, requiring strict client due diligence for all serving Indian residents, even offshore.
- New rules mandate collecting identity documents, bank details, occupation, income, and crucially, "Latitude and longitude coordinates of the onboarding location with date and timestamp along with IP address," plus a selfie.
- These measures aim to combat fraud, money laundering, and terrorism financing in the anonymous and instantaneous crypto transaction landscape.
The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/13/india_crypto_kyc_aml_update/
US Cyber Command Leadership Shake-up
- Air Force Lt. Col. Jason Gargan, commander of a Cyber National Mission Force task force aligned against Russia, was "relieved for cause" due to operational disagreements.
- This unusual dismissal highlights a "loss of trust and confidence" in command ability, with Gargan now expected to retire by the end of 2026.
- The incident occurs amidst other top-rank changes at Cyber Command, which has been without a Senate-confirmed leader for over nine months.
The Record | https://therecord.media/senior-military-cyber-op-removed-russia-task-force
US Cyber Offense vs. Defense Debate
- A House Homeland Security subcommittee debated the U.S. approach to cyber deterrence, with some lawmakers warning against expanding offensive cyber operations before strengthening defenses.
- Concerns were raised about CISA losing one-third of its workforce and the potential for offensive actions to provoke retaliation if U.S. networks are not adequately defended.
- While acknowledging the importance of offense, experts suggested a hybrid approach where the private sector supports government offensive operations, with CISA coordinating and receiving legal protections.
CyberScoop | https://cyberscoop.com/us-offensive-cyber-operations-defense-cisa-workforce-house-homeland-security-committee/
Mandiant's Salesforce Security Tool
- Mandiant has open-sourced AuraInspector, a tool designed to help Salesforce admins detect misconfigurations in Aura (Experience Cloud sites) that could expose sensitive data.
- The tool targets access control issues, such as unauthenticated users gaining access to Salesforce Account object records, and can bypass 2,000-record limits via GraphQL API abuse.
- AuraInspector automates potential abuse techniques and remediation strategies, providing read-only operations to identify damaging misconfigurations without modifying Salesforce instances.
The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/13/mandiant_salesforce_tool/
#CyberSecurity #ThreatIntelligence #Ransomware #Vulnerability #ZeroDay #RCE #Malware #APT #NationState #Cybercrime #DataPrivacy #InfoSec #IncidentResponse #CloudSecurity #AI #BrowserSecurity #KYC #AML