It's been a busy 24 hours in the cyber world with significant updates on actively exploited vulnerabilities, evolving social engineering tactics, and some notable cyberattacks. Let's dive in:
London Boroughs Still Recovering Months After Cyberattack
- Hammersmith & Fulham Council is slowly restoring services, two months after a cyberattack affected multiple London boroughs. Online payments have resumed, but some account balances may not be current.
- Westminster City Council and Kensington & Chelsea also remain impacted, with the latter confirming criminal intent and data compromise, and warning that full system restoration could take months.
- This incident highlights the ongoing threat to local authorities, with the NCSC recently warning about pro-Russia hacktivist attacks causing costly disruption to such targets.
The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/23/landmark_milestone_as_hammersmith_fulham/
Dresden Museum Network Hit by Cyberattack
- Germany's Dresden State Art Collections (SKD), one of Europe's oldest museum networks, has suffered a targeted cyberattack that disrupted significant parts of its digital infrastructure.
- The attack, discovered on Wednesday, has limited digital and phone services, with online ticket sales and the museum shop unavailable, and on-site payments restricted to cash.
- While security systems protecting the collections remain intact, the incident underscores a growing trend of cultural institutions becoming targets for cybercriminals, as seen with recent attacks on national art museums and libraries.
The Record | https://therecord.media/dresden-state-art-collections-cyberattack
ATM Jackpotting Ring Busted in US
- Two Venezuelan nationals have been convicted and will be deported for an ATM jackpotting scheme that stole hundreds of thousands of dollars from US banks across several states.
- The attackers connected laptops to older ATM models and installed Ploutus malware to bypass security protocols, forcing machines to dispense all available cash directly from the banks.
- This operation is linked to a larger conspiracy, with Nebraska authorities indicting 54 individuals, including alleged leaders of the Venezuelan Tren de Aragua gang, for similar multi-million dollar thefts.
Bleeping Computer | https://www.bleepingcomputer.com/news/security/us-to-deport-venezuelans-who-emptied-bank-atms-using-malware/
Vishing and AitM Phishing Attacks on the Rise
- Okta has warned about custom vishing (voice phishing) kits, sold as a service, actively targeting Okta, Google, and Microsoft SSO accounts, as well as cryptocurrency platforms.
- These kits feature adversary-in-the-middle (AitM) capabilities, allowing attackers to manipulate phishing page content in real-time during a call, effectively bypassing push-based MFA, including number matching.
- Microsoft also reported a multi-stage AitM phishing and BEC campaign targeting energy firms, abusing SharePoint for phishing payloads and creating inbox rules for persistence and evasion. Post-compromise, attackers leverage stolen session cookies and internal identities for large-scale intra-organizational and external phishing.
Bleeping Computer | https://www.bleepingcomputer.com/news/security/okta-sso-accounts-targeted-in-vishing-based-data-theft-attacks/
The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/22/crims_sell_voice_phishing_kits/
The Hacker News | https://thehackernews.com/2026/01/microsoft-flags-multi-stage-aitm.html
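The inbox-rule persistence mentioned in the Microsoft item is one of the few post-compromise artefacts a defender can hunt for cheaply. The Python below is an added example, not code from Microsoft or any of the linked articles: it triages an exported list of mailbox rules and flags the patterns typically left behind by a BEC operator (auto-forwarding to a domain the organisation does not own, keyword-matched deletion, or burying payment- and security-themed mail in folders the owner never opens). The export shape, the keyword list, the folder list, the `internal_domains` parameter and the sample rules are all assumptions for illustration.

```python
import json

# Keywords commonly matched by attacker-created rules so that payment replies and
# security warnings never reach the mailbox owner (assumed list; tune per tenant).
SUSPICIOUS_KEYWORDS = {"invoice", "payment", "wire", "password", "phish", "hacked", "suspicious"}
# Folders where such rules tend to bury matched mail (assumed list).
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "deleted items", "junk email", "archive"}


def score_rule(rule: dict, internal_domains: set[str]) -> list[str]:
    """Return human-readable reasons a single inbox rule looks like attacker persistence."""
    reasons = []
    actions = rule.get("actions", {})
    conditions = rule.get("conditions", {})

    # 1. Any forward/redirect to a domain the organisation does not own.
    for key in ("forwardTo", "forwardAsAttachmentTo", "redirectTo"):
        for recipient in actions.get(key, []):
            addr = recipient.get("emailAddress", {}).get("address", "").lower()
            domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
            if domain and domain not in internal_domains:
                reasons.append(f"{key} to external address {addr}")

    # 2. Keyword-triggered rules that delete or bury matching mail.
    keywords = {k.lower() for k in conditions.get("subjectContains", [])
                + conditions.get("bodyContains", [])}
    hits = sorted(keywords & SUSPICIOUS_KEYWORDS)
    dest = (actions.get("moveToFolder") or "").lower()
    if hits and actions.get("delete"):
        reasons.append(f"deletes mail matching {hits}")
    if hits and dest in HIDING_FOLDERS:
        reasons.append(f"moves mail matching {hits} to '{dest}'")

    # 3. Marking as read before hiding is a strong tell: no unread badge for the victim.
    if actions.get("markAsRead") and (actions.get("delete") or dest in HIDING_FOLDERS):
        reasons.append("marks as read and then hides or deletes the message")
    return reasons


def triage_rules(rules_json: str, internal_domains: set[str]) -> dict[str, list[str]]:
    """Map rule display name -> reasons, for every rule that trips at least one check."""
    findings = {}
    for rule in json.loads(rules_json):
        reasons = score_rule(rule, internal_domains)
        if reasons:
            findings[rule.get("displayName", "<unnamed>")] = reasons
    return findings


# Constructed sample export (assumed shape, loosely modelled on a Graph messageRule
# but with folder names instead of folder IDs). Not real tenant data.
SAMPLE_RULES = json.dumps([
    {"displayName": "Team digest", "conditions": {"senderContains": ["newsletter"]},
     "actions": {"moveToFolder": "Newsletters"}},
    {"displayName": ".", "conditions": {"subjectContains": ["invoice", "payment"]},
     "actions": {"markAsRead": True, "moveToFolder": "RSS Subscriptions",
                 "stopProcessingRules": True}},
    {"displayName": "fwd", "conditions": {},
     "actions": {"forwardTo": [{"emailAddress": {"address": "collector@example.net"}}]}},
])

if __name__ == "__main__":
    for name, why in triage_rules(SAMPLE_RULES, {"example.com"}).items():
        print(f"{name!r}: {'; '.join(why)}")
```

Rule names consisting of a single punctuation character, as in the sample, are themselves a common tell and worth surfacing in the same report even when no action-based check fires.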
RMM Tools Weaponised for Persistent Access
- A new dual-vector campaign is leveraging stolen credentials to deploy legitimate Remote Monitoring and Management (RMM) software, specifically LogMeIn Resolve, for persistent remote access.
- The attack starts with fake Greenvelope invitation emails to harvest Microsoft Outlook, Yahoo!, or AOL.com login details. These stolen credentials are then used to register with LogMeIn and generate RMM access tokens.
- A malicious executable, "GreenVelopeCard.exe," signed with a valid certificate, silently installs LogMeIn Resolve, alters its service settings for unrestricted access, and creates hidden scheduled tasks to maintain persistence.
The Hacker News | https://thehackernews.com/2026/01/phishing-attack-uses-stolen-credentials.html
Malicious AI Extensions Steal Developer Data
- Two malicious extensions in Microsoft's Visual Studio Code (VSCode) Marketplace, "ChatGPT – 中文版" (1.34M installs) and "ChatMoss (CodeMoss)" (150k installs), are exfiltrating developer data to China-based servers.
- Part of a campaign dubbed 'MaliciousCorgi,' these extensions, while providing advertised AI coding assistance, covertly monitor and transmit the entire contents of opened files, including changes, encoded in Base64.
- They also perform server-controlled harvesting of up to 50 files from a victim's workspace and use commercial analytics SDKs (Zhuge.io, GrowingIO, TalkingData, Baidu Analytics) for user profiling and device fingerprinting, exposing sensitive source code, configuration files, and credentials.
Bleeping Computer | https://www.bleepingcomputer.com/news/security/malicious-ai-extensions-on-vscode-marketplace-steal-developer-data/
Fortinet FortiGate SSO Flaw Still Exploitable
- Fortinet has confirmed that a critical FortiCloud SSO authentication bypass vulnerability (CVE-2025-59718), supposedly patched in December, is still being actively exploited via a new attack path.
- Threat actors are compromising fully patched FortiGate firewalls, creating generic accounts with VPN access, and exfiltrating firewall configurations within seconds, indicating automated activity.
- Fortinet advises customers to restrict administrative access to management interfaces, disable the FortiCloud SSO feature, and rotate all credentials if any indicators of compromise are detected, as the issue applies to all SAML SSO implementations.
Dark Reading | https://www.darkreading.com/cloud-security/fortinet-firewalls-malicious-configuration-changes
Bleeping Computer | https://www.bleepingcomputer.com/news/security/fortinet-confirms-critical-forticloud-auth-bypass-not-fully-patched/
The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/23/fortinet_fortigate_patch/
Pwn2Own Automotive Uncovers 76 Zero-Days
- The Pwn2Own Automotive 2026 competition concluded with security researchers earning over $1 million for exploiting 76 zero-day vulnerabilities in automotive technologies.
- Targets included in-vehicle infotainment (IVI) systems, electric vehicle (EV) chargers, and car operating systems like Automotive Grade Linux.
- Vendors have 90 days to patch these newly disclosed flaws before Trend Micro's Zero Day Initiative publicly releases the details.
Bleeping Computer | https://www.bleepingcomputer.com/news/security/hackers-get-1-047-000-for-76-zero-days-at-pwn2own-automotive-2026/
CISA Adds Four Actively Exploited Bugs to KEV
- CISA has updated its Known Exploited Vulnerabilities (KEV) catalog with four actively exploited flaws impacting enterprise software. Federal Civilian Executive Branch (FCEB) agencies must patch these by February 12, 2026.
- The vulnerabilities include a PHP remote file inclusion in Synacor Zimbra Collaboration Suite (CVE-2025-68645), an authentication bypass in Versa Concerto SD-WAN (CVE-2025-34026), and an improper access control flaw in Vite Vitejs (CVE-2025-31125).
- Also added is CVE-2025-54313, an embedded malicious code vulnerability in `eslint-config-prettier`, stemming from a supply chain attack that hijacked several npm packages to deliver an information stealer.
The Hacker News | https://thehackernews.com/2026/01/cisa-updates-kev-catalog-with-four.html
Bleeping Computer | https://www.bleepingcomputer.com/news/security/cisa-confirms-active-exploitation-of-four-enterprise-software-bugs/
Critical Telnetd Auth Bypass Exploited for Root Access
- A coordinated campaign is exploiting CVE-2026-24061, an 11-year-old critical authentication bypass vulnerability in the GNU InetUtils telnetd server.
- The flaw allows attackers to gain root access by leveraging unsanitized environment variable handling, specifically by setting the USER variable to "-f root" when connecting via telnet.
- While Telnet is a legacy component, its prevalence in industrial, legacy, and embedded devices (IoT/OT) makes this easily exploitable bug a concern, with GreyNoise observing automated and some "human-at-keyboard" exploitation attempts.
Bleeping Computer | https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-telnetd-auth-bypass-flaw-to-get-root/
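The telnet client passes the USER variable to the server inside a NEW-ENVIRON suboption (RFC 1572), so the pattern described above is visible on the wire before any login prompt. The Python below is an added detection example, not code from GreyNoise, GNU InetUtils or the linked article: it decodes NEW-ENVIRON suboptions from a raw telnet byte stream and reports any USER value that begins with an option dash, which is exactly what a network sensor or honeypot would want to alert on for exposed industrial or embedded telnet services. The byte strings are constructed sample sessions, and the function names are assumptions.

```python
from typing import Iterator

# Telnet protocol constants (RFC 854 / RFC 1572).
IAC, SB, SE = 0xFF, 0xFA, 0xF0
NEW_ENVIRON = 39
IS, SEND = 0, 1
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3


def iter_suboptions(stream: bytes) -> Iterator[bytes]:
    """Yield the payload of every IAC SB ... IAC SE suboption in a raw telnet stream.

    Values containing a literal 0xFF are doubled (IAC IAC) on the wire; this simple
    scanner does not unescape them, which is fine for spotting the USER pattern.
    """
    pos = 0
    while True:
        start = stream.find(bytes([IAC, SB]), pos)
        if start < 0:
            return
        end = stream.find(bytes([IAC, SE]), start + 2)
        if end < 0:
            return
        yield stream[start + 2:end]
        pos = end + 2


def parse_new_environ(payload: bytes) -> list[tuple[str, str]]:
    """Decode a NEW-ENVIRON IS payload into (name, value) pairs.

    Layout: NEW-ENVIRON IS [VAR|USERVAR name [VALUE value]]... with ESC quoting the
    next byte. Anything that is not a NEW-ENVIRON IS suboption yields an empty list.
    """
    if len(payload) < 2 or payload[0] != NEW_ENVIRON or payload[1] != IS:
        return []
    entries: list[list[bytearray]] = []   # each entry is [name, value]
    target = None                         # bytearray currently being filled
    i = 2
    while i < len(payload):
        b = payload[i]
        if b == ESC and i + 1 < len(payload):
            if target is not None:
                target.append(payload[i + 1])
            i += 2
            continue
        if b in (VAR, USERVAR):
            entries.append([bytearray(), bytearray()])
            target = entries[-1][0]
        elif b == VALUE:
            target = entries[-1][1] if entries else None
        elif target is not None:
            target.append(b)
        i += 1
    return [(n.decode("latin-1"), v.decode("latin-1")) for n, v in entries]


def find_suspicious_user_vars(stream: bytes) -> list[str]:
    """Return every USER value in the stream that starts with an option dash."""
    findings = []
    for sub in iter_suboptions(stream):
        for name, value in parse_new_environ(sub):
            if name == "USER" and value.lstrip().startswith("-"):
                findings.append(value)
    return findings


# Constructed sample sessions: IAC DO NEW-ENVIRON, then the client's IS reply.
NORMAL_SESSION = b"\xff\xfd\x27" + b"\xff\xfa\x27\x00\x00USER\x01alice\xff\xf0"
ATTACK_SESSION = b"\xff\xfd\x27" + b"\xff\xfa\x27\x00\x00USER\x01-f root\xff\xf0"

if __name__ == "__main__":
    for label, session in (("normal", NORMAL_SESSION), ("attack", ATTACK_SESSION)):
        print(label, find_suspicious_user_vars(session))
```

The same check applies to any telnetd that hands the USER variable to a login program: the detector keys on the leading dash rather than on the literal string from the campaign, so it also catches variants that use other login options.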
Chinese Electric Buses Raise National Security Concerns
- Australia's government is reviewing whether Chinese-made Yutong electric buses, currently in use in major cities, pose a national security risk due to potential remote control capabilities.
- Research from Oslo's public transport authority found that Yutong maintains an over-the-air (OTA) connection, allowing the manufacturer remote access to the Controller Area Network (CAN) bus, which controls driving systems.
- While no "kill switch" or invasive data collection was explicitly found, the inherent risks of connected IoT devices, coupled with China's national intelligence laws, raise concerns about data exfiltration, surveillance, or broader fleet compromise.
Dark Reading | https://www.darkreading.com/cyber-risk/chinese-electric-buses-aussie-govt
AI-Powered Cyberattack Kits on the Horizon
- Google's VP of Security Engineering, Heather Adkins, warns CISOs to prepare for a "really different world" where cybercriminals will reliably automate cyberattacks at scale using AI.
- While currently used for small tasks like phishing copy and C2 development, it's "just a matter of time" before full, end-to-end AI toolkits emerge, potentially leading to a "Metasploit moment" for AI-driven threats.
- This shift could mean attackers gain a significant first-mover advantage, forcing defenders to redefine success not by preventing breaches, but by limiting dwell time and damage, potentially through real-time, AI-enabled defensive disruptions.
The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/23/ai_cyberattack_google_security/
Microsoft Provided BitLocker Keys to FBI
- Microsoft reportedly provided the FBI with BitLocker encryption keys to unlock laptops of Windows users charged in a fraud indictment, marking the first publicly known instance of such disclosure.
- By default, Microsoft "typically" backs up BitLocker recovery keys to its servers when the service is set up with an active Microsoft account, giving Redmond access to these keys.
- This highlights a trade-off between data recoverability and privacy, as users who choose to store keys with Microsoft relinquish total control over access to their encrypted data, a stark contrast to Apple's Advanced Data Protection where Apple holds fewer keys.
The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/23/surrender_as_a_service_microsoft/
Ireland to Legalise Law Enforcement Spyware
- The Irish government plans to draft legislation to legalise the use of spyware by law enforcement to combat serious crime and security threats.
- The proposed bill would require court authorisation for interception requests and include provisions for electronic scanning equipment to track mobile device identifier data.
- This move aims to strengthen "lawful interception powers" and create a legal basis for "covert surveillance software," with robust safeguards promised to ensure necessity and proportionality.
The Record | https://therecord.media/ireland-plans-law-enforcement-spyware
#CyberSecurity #ThreatIntelligence #Vulnerabilities #ActiveExploitation #ZeroDay #Phishing #Vishing #AitM #SocialEngineering #Malware #RMM #SupplyChain #DataPrivacy #Fortinet #CISA #KEV #IoT #AI #NationalSecurity #Geopolitics #InfoSec #CyberAttack #IncidentResponse