#browsersecurity

2026-01-14

It's been a busy 24 hours in the cyber world with significant updates on recent attacks, actively exploited vulnerabilities, new malware campaigns, and a reminder about the ever-evolving privacy landscape. Let's take a look:

Kyowon Group Hit by Suspected Ransomware ⚠️
- South Korea's Kyowon Group, a major education and lifestyle company, shut down parts of its network after identifying a suspected ransomware attack.
- The company confirmed an extortion demand and is investigating potential data leakage, including sensitive customer information, possibly affecting millions.
- This incident follows other high-profile data breaches in South Korea, prompting pledges for stronger data protection laws.

🗞️ The Record | therecord.media/kyowon-group-s

Dutch Port Hacked for Cocaine Smuggling 🚨
- A Dutch appeals court upheld a seven-year prison sentence for a man who hacked port IT systems using malware-stuffed USB sticks to aid cocaine smugglers.
- The attacker gained months of remote access, exploring the network and hunting for admin rights, even live-blogging the break-in via encrypted chats.
- The case highlights the real-world impact of cyber intrusions facilitating organised crime, with the hack directly enabling a 210 kg cocaine shipment.

🕵🏼 The Register | go.theregister.com/feed/www.th

Black Axe Leaders Arrested in Spain 🕵️
- Spanish police, supported by Europol, arrested 34 alleged cybercriminals, including leaders of the transnational Black Axe organisation, across four cities.
- Black Axe is known for business email compromise (BEC) scams, money laundering, and vehicle trafficking, with estimated fraud exceeding $6.9 million.
- The operation froze $139,000 in bank accounts and seized cash, vehicles, and devices, significantly disrupting the hierarchical, Nigerian-led group.

🤫 CyberScoop | cyberscoop.com/black-axe-disru

Supreme Court Filing System Hack 🏛️
- A Tennessee man is expected to plead guilty to a misdemeanor charge for hacking into the U.S. Supreme Court’s electronic case filing system on 25 occasions between August and October 2023.
- Nicholas Moore, 24, "intentionally accessed a computer without authorization," though details on the specific information accessed were not released.
- This incident underscores ongoing vulnerabilities in federal judicial systems, which have seen strengthened protections following sophisticated cyberattacks.

🗞️ The Record | therecord.media/guilty-plea-ha

Malicious Chrome Extension Steals MEXC API Keys 💰
- A malicious Google Chrome extension, "MEXC API Automator," is actively stealing API keys from the MEXC cryptocurrency exchange by masquerading as a trading tool.
- The extension programmatically creates new API keys with withdrawal permissions, hides these permissions in the UI, and exfiltrates the keys to a Telegram bot.
- This attack leverages an already authenticated browser session, bypassing traditional authentication, and grants attackers unfettered access to victims' crypto accounts.

📰 The Hacker News | thehackernews.com/2026/01/mali

Gogs Zero-Day Under Active Exploitation 🛡️
- CISA has added CVE-2025-8110, a high-severity path traversal vulnerability in the Gogs self-hosted Git service, to its KEV catalog due to active exploitation.
- The flaw allows authenticated users to bypass previous fixes (CVE-2024-55947) by exploiting symbolic link handling in the PutContents API, leading to remote code execution.
- With no official patch yet, federal agencies are mandated to apply mitigations by February 2, 2026, or cease using Gogs, while other users should disable open registration and restrict access.

📰 The Hacker News | thehackernews.com/2026/01/13/c
🕵🏼 The Register | go.theregister.com/feed/www.th

ServiceNow AI Platform Critical Flaw 🔒
- ServiceNow patched CVE-2025-12420, a critical 9.3 CVSS vulnerability in its AI Platform, allowing unauthenticated users to impersonate others and perform arbitrary actions.
- The flaw stemmed from a universal credential ("servicenowexternalagent") and lack of password/MFA for user identity verification, which could lead to full platform takeover.
- Although no in-the-wild exploitation has been confirmed, the vulnerability was deemed the "most severe AI-driven vulnerability to date" due to ServiceNow's deep integration across enterprise IT.

📰 The Hacker News | thehackernews.com/2026/01/serv
🌑 Dark Reading | darkreading.com/remote-workfor

AI/ML Python Libraries RCE Vulnerabilities 🐍
- Vulnerabilities in popular AI/ML Python libraries (Nvidia's NeMo, Salesforce's Uni2TS, Apple/EPFL VILAB's FlexTok) allow remote code execution via poisoned metadata.
- The flaws exploit Hydra's instantiate() function, which can execute arbitrary callables, enabling attackers to hide malicious code in model metadata that runs automatically upon loading.
- Patches have been issued for NeMo (CVE-2025-23304) and Uni2TS (CVE-2026-22584), with FlexTok also fixed, urging users to only load models from trusted sources.

🕵🏼 The Register | go.theregister.com/feed/www.th

Kremlin-linked Hackers Target Ukraine Military 🪖
- CERT-UA reports a new cyber-espionage campaign by Void Blizzard (UAC-0190) targeting Ukraine's military personnel using a novel PluggyApe malware.
- Attackers impersonate charitable organisations and use messaging apps like Signal and WhatsApp to deliver password-protected malicious executables.
- This campaign highlights a shift towards highly tailored social engineering, leveraging trusted communication channels and detailed target knowledge to deliver malware.

🗞️ The Record | therecord.media/kremlin-linked

SHADOW#REACTOR Delivers Remcos RAT 👻
- A new campaign, SHADOW#REACTOR, uses an evasive multi-stage Windows attack chain to deploy the Remcos RAT for persistent remote access.
- The infection leverages obfuscated VBS launchers, PowerShell downloaders, fragmented text-based payloads, and a .NET Reactor-protected loader to complicate detection.
- This broad, opportunistic activity, likely by initial access brokers, abuses LOLBins like MSBuild.exe and employs self-healing mechanisms to ensure payload delivery.

📰 The Hacker News | thehackernews.com/2026/01/new-

AsyncRAT Campaign Abuses Cloudflare & Python ☁️
- An emerging phishing campaign is delivering AsyncRAT by exploiting Cloudflare's free-tier services (TryCloudflare tunneling) and legitimate Python downloads.
- Attackers use Dropbox links with double-extension files (.pdfurl) in phishing emails, installing a full Python environment to inject code into explorer.exe.
- This technique masks malicious activity under trusted domains and legitimate tools, making detection challenging and highlighting the ongoing effectiveness of phishing and abuse of legitimate services.

🌑 Dark Reading | darkreading.com/endpoint-secur

AVCheck Malware Kingpin Arrested 🚫
- Dutch police arrested a 33-year-old man at Amsterdam's Schiphol Airport, believed to be the mastermind behind the AVCheck online platform.
- AVCheck was a counter-antivirus (CAV) service, shuttered in May by Operation Endgame, that allowed cybercriminals to test malware against various AV products to evade detection.
- The arrest underscores ongoing international law enforcement efforts to dismantle critical components of the cybercrime ecosystem.

🕵🏼 The Register | go.theregister.com/feed/www.th

North Korea's IT Worker & Crypto Theft Schemes 🇰🇵
- The U.S. urged UN member states to take tougher action against North Korea's IT worker scheme and cryptocurrency heists, which fund its weapons programs.
- A 140-page report highlights that over 40 countries are impacted, with North Korean IT workers stealing identities to secure remote jobs and laundered crypto funds exceeding $2 billion last year.
- China and Russia were criticised for providing safe havens, with 1,500 North Korean IT workers estimated in China alone, violating UN Security Council Resolutions.

🗞️ The Record | therecord.media/40-countries-i

India's Strict Crypto KYC/AML Rules 🇮🇳
- India's Financial Intelligence Unit (FIU-IND) updated regulations for crypto service providers, requiring strict client due diligence for all serving Indian residents, even offshore.
- New rules mandate collecting identity documents, bank details, occupation, income, and crucially, "Latitude and longitude coordinates of the onboarding location with date and timestamp along with IP address," plus a selfie.
- These measures aim to combat fraud, money laundering, and terrorism financing in the anonymous and instantaneous crypto transaction landscape.

🕵🏼 The Register | go.theregister.com/feed/www.th

US Cyber Command Leadership Shake-up 🇺🇸
- Air Force Lt. Col. Jason Gargan, commander of a Cyber National Mission Force task force aligned against Russia, was "relieved for cause" due to operational disagreements.
- This unusual dismissal highlights a "loss of trust and confidence" in command ability, with Gargan now expected to retire by the end of 2026.
- The incident occurs amidst other top-rank changes at Cyber Command, which has been without a Senate-confirmed leader for over nine months.

🗞️ The Record | therecord.media/senior-militar

US Cyber Offense vs. Defense Debate ⚖️
- A House Homeland Security subcommittee debated the U.S. approach to cyber deterrence, with some lawmakers warning against expanding offensive cyber operations before strengthening defenses.
- Concerns were raised about CISA losing one-third of its workforce and the potential for offensive actions to provoke retaliation if U.S. networks are not adequately defended.
- While acknowledging the importance of offense, experts suggested a hybrid approach where the private sector supports government offensive operations, with CISA coordinating and receiving legal protections.

🤫 CyberScoop | cyberscoop.com/us-offensive-cy

Mandiant's Salesforce Security Tool 🛠️
- Mandiant has open-sourced AuraInspector, a tool designed to help Salesforce admins detect misconfigurations in Aura (Experience Cloud sites) that could expose sensitive data.
- The tool targets access control issues, such as unauthenticated users gaining access to Salesforce Account object records, and can bypass 2,000-record limits via GraphQL API abuse.
- AuraInspector automates potential abuse techniques and remediation strategies, providing read-only operations to identify damaging misconfigurations without modifying Salesforce instances.

🕵🏼 The Register | go.theregister.com/feed/www.th

#CyberSecurity #ThreatIntelligence #Ransomware #Vulnerability #ZeroDay #RCE #Malware #APT #NationState #Cybercrime #DataPrivacy #InfoSec #IncidentResponse #CloudSecurity #AI #BrowserSecurity #KYC #AML
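On the Hydra item above: instantiate() calls whatever dotted import path a `_target_` key names, so a config that is merely loaded can run code. The pre-check below is an added defensive example (not code from the advisory or from NeMo, Uni2TS or FlexTok): it walks parsed model metadata and refuses anything whose target is not on an explicit allowlist; the allowlist and the two sample configs are constructed.

```python
from __future__ import annotations
from typing import Any, Iterator

# Constructed sample allowlist; a real deployment would list its own model classes.
ALLOWED_TARGETS = frozenset({
    "torch.nn.Linear",
    "my_model.Encoder",
})


def iter_targets(node: Any, path: str = "$") -> Iterator[tuple[str, str]]:
    """Yield (path, target) for every Hydra ``_target_`` found anywhere in the tree.

    Hydra's instantiate() recurses into nested mappings and lists by default,
    so a target buried several levels down is just as live as a top-level one.
    """
    if isinstance(node, dict):
        target = node.get("_target_")
        if isinstance(target, str):
            yield path, target
        for key, child in node.items():
            yield from iter_targets(child, f"{path}.{key}")
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from iter_targets(child, f"{path}[{i}]")


def find_disallowed_targets(metadata: Any, allowed=ALLOWED_TARGETS) -> list[tuple[str, str]]:
    """Return every (path, target) pair whose target is not allowlisted."""
    return [(p, t) for p, t in iter_targets(metadata) if t not in allowed]


def safe_to_instantiate(metadata: Any, allowed=ALLOWED_TARGETS) -> bool:
    """True only if every callable the config would resolve is allowlisted.

    Call this on the parsed YAML/JSON *before* handing it to hydra.utils.instantiate().
    """
    return not find_disallowed_targets(metadata, allowed)


# Constructed samples: a benign model config, and one that smuggles an
# unexpected callable (os.getcwd here is a harmless stand-in) into a nested field.
BENIGN_CONFIG = {"model": {"_target_": "my_model.Encoder",
                           "proj": {"_target_": "torch.nn.Linear",
                                    "in_features": 8, "out_features": 8}}}
POISONED_CONFIG = {"model": {"_target_": "my_model.Encoder",
                             "callbacks": [{"_target_": "os.getcwd"}]}}

if __name__ == "__main__":
    print("benign ok:", safe_to_instantiate(BENIGN_CONFIG))
    print("poisoned flagged:", find_disallowed_targets(POISONED_CONFIG))
```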

Tips from Nadiyno.org: choosing a secure password manager for your browser

peertube.eqver.se/w/wpDnNKzRf7

Tips from Nadiyno.org: choosing a secure browser

peertube.eqver.se/w/dxyHtWvcUh

2026-01-09

Two Chrome extensions were caught stealing sensitive data — proof that even trusted add-ons can turn hostile. Install less, verify more. 🧩🔓 #BrowserSecurity #ExtensionRisk

thehackernews.com/2026/01/two-

2026-01-08

Bradon Rogers, Chief Customer Officer at Island, on why enterprise security is moving to the browser session and identity layer as AI accelerates data movement.

technadu.com/why-ai-is-driving

#BrowserSecurity #IdentitySecurity #ZeroTrust #AIinSecurity #CISO

Why AI Is Driving a Rethink of Enterprise Security Boundaries in the Browser
Disappointed_Horse 🇺🇦 @Disappointed_Horse@mastodonapp.uk
2026-01-07

Has Google defeated Firefox Multi-Account Containers? I was reading Google News in a Google container this morning, and I right-clicked on links to open them in a different container as I always do. Instead, the links are opening in a new tab in a Google container. What's going on with that? #mozilla #firefox #browser #browserprivacy #BrowserSecurity #BrowserExtensions

Brian Greenberg :verified: @brian_greenberg@infosec.exchange
2026-01-05

In cybersecurity, the wolf sometimes wears a badge. A long-running campaign known as ShadyPanda quietly built trust by publishing hundreds of browser extensions that worked as advertised, then, years later, flipped the switch and weaponized millions of installs as vectors for spyware, credential theft, and backdoors. That playbook exploits our instincts: we trust high install counts, “verified” badges, and seamless auto-updates. If your attention is good enough for productivity apps, it’s good enough for security hygiene. Regularly audit your extensions, vet developers, and treat your browser like an endpoint that matters in your threat model.

TL;DR
🧠 Useful today, risky tomorrow
⚡ Updates can flip intent
🎓 Treat browsers as endpoints
🔍 Audit extensions monthly

bgr.com/2061288/cyberhackers-b

#CyberSecurity #BrowserSecurity #Privacy #RiskManagement #security #privacy #cloud #infosec #cybersecurity

Amir Saranga @AmirSaranga
2026-01-03
2026-01-02

Researchers attribute multiple browser-based malware campaigns—ShadyPanda, Zoom Stealer, and GhostPoster—to a single operator known as DarkSpectre, impacting an estimated 8.8M users.

The operation relied on delayed activation, steganographic payload delivery, and backend-controlled execution logic, enabling long-term persistence without repeated extension updates.

This reinforces the need for continuous extension behavior monitoring, not just marketplace vetting.

What controls have proven effective in your environment?

Source: cybersecuritynews.com/darkspec

Follow TechNadu for measured, technically grounded security reporting.

#InfoSec #ThreatIntelligence #BrowserSecurity #MalwareResearch #TechNadu

DarkSpectre Hackers Infected 8.8 Million Chrome, Edge, and Firefox Users with Malware
2026-01-02

Browsers must ensure human approval before performing any send, submit or payment action. This is a mandatory requirement to avoid risk and ensure safety! #BrowserSecurity #BảoMậtTrìnhDuyệt #HumanApproval #KiểmSoátConNgười

reddit.com/r/SaaS/comments/1q1

2026-01-01

DarkSpectre Campaign: 8.8M Browser Users Compromised in Sophisticated Chinese Malware Operation

Security researchers at Koi Security just exposed DarkSpectre: a single, well-funded Chinese threat actor behind three coordinated campaigns infecting 8.8 million Chrome, Edge, and Firefox users over 7 years.

Key tactics that make this chilling:

Patient "Time Bombs": Extensions stay benign for 3+ days (even 5 years!) to pass store reviews, then activate malicious payloads.

Steganography Evasion: Hide JS code in PNG logos: it looks innocent and executes silently.

Corporate Espionage: Zoom Stealer grabs meeting intel from 28 platforms (Zoom, Teams, Meet) in real-time.

From consumer fraud to boardroom spying. This isn't opportunistic crime; it's nation-state-level infrastructure.

Check your extensions NOW. Google/Microsoft have removed some, but won't auto-uninstall.

Full details:
perplexity.ai/page/8-8m-browse

#Cybersecurity #DarkSpectre #Malware #BrowserSecurity

2025-12-31

Researchers have documented a browser extension campaign collecting meeting metadata across multiple conferencing platforms.

The case highlights how functional, long-standing extensions can still introduce intelligence-gathering risks through excessive permissions and real-time data exfiltration.

This reinforces the need for tighter browser controls and regular extension audits in enterprise environments.

Engage in the discussion and follow @technadu for sober, fact-based security reporting.

Source: bleepingcomputer.com/news/secu

#InfoSec #BrowserSecurity #ThreatIntelligence #EnterpriseDefense #CyberRisk #TechNadu

Zoom Stealer browser extensions harvest corporate meeting intelligence
2025-12-23

Part 3 of Everyday Defense is live: Browser hygiene that actually sticks.

Profiles (Daily/Work/Money/Admin), extension hygiene, anti-tracking settings that won’t wreck your day, and a simple safe-download routine.

🔗 kylereddoch.me/blog/cybersecky

#CybersecKyleHowTo #EverydayDefense #BrowserSecurity #Privacy #InfoSec #BlueTeam #DigitalHygiene

Mela News :verified: @MelaNews@mastodon.uno
2025-12-23

🌐 Browser privacy ranking: ChatGPT Atlas worst, Brave and Mullvad the leaders.

Chrome and Vivaldi last in data protection, with zero points for tracker blocking.

#privacytech #browsersecurity #datarisk

neowin.net/news/report-chrome-

N-gated Hacker News @ngate
2025-12-20

🍪🤦 "Privacy is dead, long live anonymity!" they declare, while holding your digital hand through the grand labyrinth of cookie consent and JavaScript hoops. Because nothing screams 'anonymity' like begging your browser for permission to load a page! 🚪🔐
servury.com/blog/privacy-is-ma

2025-12-19

Many smart TVs, gaming apps, and consoles ship with embedded browsers years out of date, exposing users to spoofing and privilege escalation.

Full breakdown:
technadu.com/outdated-embedded

#IoTSecurity #BrowserSecurity #CyberRisk

Outdated Embedded Browsers Expose Smart TVs, Gaming Apps, Game Consoles to Cyber Risks
2025-12-19

A recent analysis revealed Firefox extensions using icon-based steganography to bypass detection, embedding JavaScript loaders beyond PNG image data.

The campaign highlights:
- Limitations in static extension scanning
- Risks of trusted UI elements
- Long-dwell, low-noise monetization tactics

How should browser ecosystems adapt detection models to account for non-code attack surfaces?

Discuss below and follow TechNadu for continued threat research coverage.

#MalwareAnalysis #Steganography #BrowserSecurity #ThreatResearch #ExtensionAbuse

FBI DISRUPTS VIRTUAL MONEY LAUNDERING SERVICE USED TO FACILITATE CRIMINAL ACTIVITY