It's been a busy 24 hours in the cyber world with significant updates on active exploitation of zero-days, widespread cyberattacks from sophisticated threat actors, and important discussions around data privacy and government initiatives. Let's dive in:
Recent Cyber attacks or breaches
ShinyHunters' SSO Vishing Spree Continues ⚠️
- The ShinyHunters group is actively targeting around 100 organisations, including major players like Canva, Atlassian, Epic Games, and Panera Bread, using evolved voice-phishing (vishing) techniques to compromise Okta, Microsoft, and Google SSO credentials.
- These attacks involve real-time phishing kits that mimic legitimate login pages and MFA requests, tricking employees into providing credentials and enrolling threat actor-controlled devices into MFA solutions.
- The group has claimed data theft from SoundCloud (29.8 million accounts), Betterment, Crunchbase, Panera Bread (14 million records), CarMax (500k+), and Edmunds (millions), often followed by extortion demands.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/soundcloud-confirms-breach-after-member-data-stolen-vpn-access-disrupted/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/have-i-been-pwned-soundcloud-data-breach-impacts-298-million-accounts/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/26/shinyhunters_okta_sso_campaign/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/27/shinyhunters_claim_panera_bread/
🤫 CyberScoop | https://cyberscoop.com/shinyhunters-voice-phishing-sso-okta-mfa-bypass-data-theft/
Russian Security Firm Delta Hit by Cyberattack 🚨
- Delta, a major Russian provider of alarm and security systems for homes, businesses, and vehicles, suffered a "large-scale, coordinated" cyberattack attributed to an unspecified "hostile foreign state."
- The attack caused widespread service outages, with customers reporting issues like car alarms not deactivating, vehicles locking unexpectedly, and home systems switching to emergency mode.
- While Delta denies personal data compromise, an unidentified Telegram channel claiming responsibility has published an archive of alleged stolen data, the authenticity of which is unverified.
🗞️ The Record | https://therecord.media/russia-delta-security-alarm-company-cyberattack
Nike Investigates 1.4TB Data Leak by WorldLeaks 👟
- Sportswear giant Nike is investigating a potential cyber incident after the WorldLeaks extortion group claimed to have leaked over 1.4 terabytes of internal company data.
- The alleged stolen data includes internal documents, archives from 2020-2026, R&D assets, product creation details (technical packs, prototypes), supply chain information, and internal business presentations.
- WorldLeaks, believed to be a rebrand of the Hunters International ransomware group, briefly listed Nike on its leak site before removing the entry, suggesting potential negotiations or payment.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/nike-investigates-data-breach-after-extortion-gang-leaks-files/
🗞️ The Record | https://therecord.media/nike-probes-alleged-cyber-incident
🕶️ Dark Reading | https://www.darkreading.com/cyberattacks-data-breaches/worldeaks-extortion-group-stole-1.4tb-nike-data
Ploutus ATM Jackpotting Ring Busted 💸
- US authorities have charged an additional 31 individuals, bringing the total to 87 members of the Venezuelan gang Tren de Aragua (TdA), for their involvement in a multi-million dollar ATM jackpotting scheme.
- The gang allegedly stole at least $5.4 million from 63 ATMs by physically accessing machines to replace hard drives or connect USBs, deploying Ploutus malware to force cash dispensing.
- TdA has been designated a Foreign Terrorist Organization by the U.S. Department of the Treasury, highlighting the increasing convergence of transnational organised crime and cyber-enabled financial fraud.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/us-charges-31-more-suspects-linked-to-atm-malware-attacks/
🗞️ The Record | https://therecord.media/dozens-more-charged-ploutus-jackpotting-atm
China-linked Hackers Accused of Years-Long UK Government Espionage 🇨🇳
- Chinese state-linked hackers, identified as Salt Typhoon, are accused of years-long access to the phones of senior Downing Street officials, potentially exposing private communications.
- The espionage focused on aides to former UK Prime Ministers and leveraged intrusions into telecommunications providers to skim metadata and communications without direct handset installation.
- This incident, discovered in 2024, underscores the persistent threat of nation-state espionage targeting critical government infrastructure and sensitive communications.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/27/chinalinked_hackers_accused_of_yearslong/
New Threat Research on Threat Actors/Groups, Ransomware, Malware, or Techniques and Tradecraft
ClickFix Attacks Evolve with App-V and Steganography 🎣
- A new ClickFix campaign is using fake CAPTCHA prompts to trick users into executing a command that abuses the signed Microsoft App-V script, SyncAppvPublishingServer.vbs, as a living-off-the-land (LoL) binary.
- This method proxies PowerShell execution through a trusted Microsoft component, making detection harder, and delivers the Amatera infostealer, which retrieves configuration from a public Google Calendar file and uses steganography to hide payloads in PNG images.
- The campaign is highly evasive, with checks for sandbox environments and a focus on enterprise-managed systems, reflecting a broader trend of ClickFix evolution into variants like GlitchFix and ClearFake, leveraging trusted web infrastructure for malware delivery.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/new-clickfix-attacks-abuse-windows-app-v-scripts-to-push-malware/
📰 The Hacker News | https://thehackernews.com/2026/01/clickfix-attacks-expand-using-fake.html
'Stanley' MaaS Guarantees Malicious Chrome Extensions 😈
- A new malware-as-a-service (MaaS) called 'Stanley' is being advertised, promising to bypass Google's review process and publish malicious phishing extensions to the Chrome Web Store.
- These extensions can overlay full-screen iframes with phishing content over legitimate webpages, silently auto-install on Chrome, Edge, and Brave, and support custom tweaks, C2 polling, and geographic targeting.
- This offering highlights the ongoing challenge of securing browser extension platforms and the commoditisation of sophisticated phishing techniques, urging users to be vigilant about extension installations and publishers.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/new-malware-service-guarantees-phishing-extensions-on-chrome-web-store/
Chinese Networks Dominate Illicit Crypto Laundering 💰
- Chinese money laundering networks processed an estimated $16.1 billion in illicit cryptocurrency in 2025, accounting for 20% of all laundered funds globally.
- These operations are highly professionalised, using Telegram groups, "guarantee" platforms for escrow protection, and offering services like "Black U" for hacking proceeds and crypto swapping.
- The continued resilience of these networks, despite crackdowns, underscores the global challenge of combating crypto-enabled financial crime and its links to transnational organised crime groups.
🗞️ The Record | https://therecord.media/chinese-money-launderers-moved-more-crypto-2025
Vulnerabilities, especially any mentioning Remote Code Exploitation (RCE), Active Exploitation, or Zero-Days
Microsoft Office Zero-Day Under Active Exploitation (CVE-2026-21509) 🚨
- Microsoft has issued an emergency out-of-band patch for CVE-2026-21509, a high-severity security feature bypass zero-day in Microsoft Office that is actively being exploited in the wild.
- The flaw bypasses OLE mitigations, allowing attackers to execute arbitrary code by convincing a user to open a specially crafted Office file; the preview pane is not an attack vector.
- CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to apply patches or implement registry-based mitigations for older Office versions by February 16.
📰 The Hacker News | https://thehackernews.com/2026/01/microsoft-issues-emergency-patch-for.html
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/27/office_zeroday_exploited_in_the/
SmarterMail Servers Vulnerable to RCE via Auth Bypass (CVE-2026-23760) 🛡️
- Over 6,000 SmarterMail servers remain exposed online and are likely vulnerable to automated attacks exploiting CVE-2026-23760, a critical authentication bypass flaw.
- This vulnerability in the password reset API allows unauthenticated attackers to hijack admin accounts and achieve remote code execution (RCE) on affected servers.
- CISA has added CVE-2026-23760 to its KEV catalog, urging federal agencies to patch by February 16, as mass exploitation attempts have already been observed in the wild.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/over-6-000-smartermail-servers-exposed-to-automated-hijacking-attacks/
Critical Sandbox Escape in vm2 Node.js Library (CVE-2026-22709) 💻
- A critical sandbox escape vulnerability, CVE-2026-22709, has been discovered in the popular vm2 Node.js library, allowing arbitrary code execution on the host system.
- The flaw stems from improper sanitisation of Promise callbacks, enabling attackers to bypass the secure context designed to isolate untrusted JavaScript code.
- Despite the project being previously discontinued due to similar issues, vm2 remains widely used, and users are strongly advised to upgrade to version 3.10.3 immediately due to the trivial nature of exploitation.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/critical-sandbox-escape-flaw-discovered-in-popular-vm2-nodejs-library/
WinRAR Path Traversal Flaw Actively Exploited (CVE-2025-8088) 📦
- The high-severity WinRAR path traversal vulnerability, CVE-2025-8088, continues to be actively exploited by both state-sponsored and financially motivated threat actors since July 2025.
- Attackers leverage Alternate Data Streams (ADS) to conceal malicious files within decoy archives, dropping payloads like LNK, HTA, or script files into Windows Startup folders for persistence.
- Google Threat Intelligence reports observing groups like RomCom, APT44, TEMP.Armageddon, Turla, and China-linked actors using this flaw to deliver various malware, highlighting the commoditisation of such exploits.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/winrar-path-traversal-flaw-still-exploited-by-numerous-hackers/
Data Privacy
Google Settles Voice Recording Lawsuit for $68 Million 🎤
- Google has agreed to a $68 million settlement in a class-action lawsuit alleging its voice-activated assistant illegally recorded and shared private conversations with third parties for targeted advertising.
- Plaintiffs claimed Google Assistant improperly triggered and recorded their words, leading to unwanted targeted ads, with the settlement funds to be distributed to Google device purchasers since May 2016.
- While Google settled without admitting wrongdoing, the case underscores ongoing concerns about privacy in voice-activated technologies and the use of personal data.
🗞️ The Record | https://therecord.media/google-settles-millions-privacy-recording
WhatsApp Introduces 'Strict Account Settings' for Spyware Protection 🔒
- WhatsApp is rolling out a new "Strict Account Settings" feature designed to combat sophisticated spyware attacks by allowing users to block attachments and media from non-contacts.
- This "lockdown-style" feature is specifically aimed at high-risk users like journalists and public figures, drawing parallels with similar protections offered by Apple and Google.
- The move follows WhatsApp's legal battles against NSO Group over Pegasus spyware, reinforcing the platform's commitment to user privacy and defence against advanced surveillance tools.
🤫 CyberScoop | https://cyberscoop.com/whatsapp-strict-account-settings-lockdown-style-spyware-protection/
🗞️ The Record | https://therecord.media/whatsapp-spyware-anti-lockdown
#CyberSecurity #ThreatIntelligence #Ransomware #NationState #APT #ZeroDay #Vulnerability #ActiveExploitation #DataPrivacy #InfoSec #CyberAttack #Malware #IncidentResponse #SSO #MFA #Phishing #Vishing #PQC #DigitalSovereignty
