Alright team, it's been a pretty packed 24 hours in the cyber world! We've got some major breaches, a new AI-assisted Linux malware framework, critical vulnerabilities in popular software and automotive systems, and some serious discussions around ransomware negotiation ethics and government surveillance. Let's dive in:
Under Armour Data Breach ⚠️
- Have I Been Pwned (HIBP) has ingested data from an alleged Everest ransomware attack in November, affecting 72.7 million Under Armour accounts.
- The leaked data includes names, email addresses, dates of birth, genders, geographic locations, and purchase details.
- Under Armour has yet to publicly acknowledge the breach, despite Everest's claims and a class-action lawsuit filed on behalf of customers.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/21/under_armour_everest/
PcComponentes Credential Stuffing Attack 🔒
- Spanish tech retailer PcComponentes denies claims of a 16.3 million customer data breach but confirms a credential stuffing attack.
- Their investigation found no unauthorised access to internal systems, but info-stealer logs from other breaches were used to compromise a "small number" of accounts.
- As a response, PcComponentes has enforced mandatory two-factor authentication (2FA) for all accounts, invalidated active sessions, and added CAPTCHA to login pages.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/online-retailer-pccomponentes-says-data-breach-claims-are-fake/
LastPass Phishing Campaign 🎣
- LastPass is warning users about an active phishing campaign impersonating the password manager, urging them to "create a local backup" of their vaults due to "upcoming maintenance."
- These emails, sent from suspicious addresses with urgent subject lines, redirect users to phishing sites designed to steal their master passwords.
- LastPass stresses they will never ask for a master password and advises users to report suspicious emails to abuse@lastpass.com, noting that the campaign was timed over a US holiday weekend to reduce detection.
📰 The Hacker News | https://thehackernews.com/2026/01/lastpass-warns-of-fake-maintenance.html
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/fake-lastpass-emails-pose-as-password-vault-backup-alerts/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/21/lastpass_backup_phishing_campaign/
👁️ Dark Reading | https://www.darkreading.com/application-security/phishing-campaign-zeroes-lastpass-customers
CrashFix Malware Leverages Browser Crashes for Corporate Infiltration 💥
- A new "CrashFix" variant of the ClickFix scam, attributed to the KongTuke threat actor, intentionally crashes victims' browsers via a malicious extension (NexShield).
- It then presents a fake security message prompting users to run a "fix," which executes a PowerShell script to contact a C2 server.
- Domain-joined corporate systems receive ModeloRAT, a Python-based remote access Trojan with extensive reconnaissance capabilities, while home users appear to be part of a testing phase.
👁️ Dark Reading | https://www.darkreading.com/cyberattacks-data-breaches/crashfix-scam-crashes-browsers-delivers-malware
VoidLink Linux Malware & AI's Impact on Cybercrime 🤖
- VoidLink, a sophisticated Linux malware framework, is believed to have been predominantly developed by a single actor with significant AI assistance, reaching 88,000 lines of code in under a week.
- Check Point Research identified operational security blunders, including TRAE-generated helper files and LLM-generated internal planning documents, suggesting a "Spec Driven Development" approach using AI agents.
- This highlights how AI is industrialising cybercrime, lowering the barrier to entry for complex attacks and enabling threat actors to rapidly envision, create, and iterate sophisticated systems, as also noted by Group-IB.
📰 The Hacker News | https://thehackernews.com/2026/01/voidlink-linux-malware-framework-built.html
Black Basta Ringleader Identified 🚨
- Oleg Evgenievich Nefedov, 35, has been publicly identified by German police as the alleged leader of the Black Basta ransomware group and added to Europol and Interpol's most-wanted lists.
- This identification follows raids in Ukraine on the homes of two other Russian nationals accused of participating in Black Basta's crimes, seizing data and cryptocurrency.
- Nefedov is accused of extorting over 100 companies in Germany and 600 globally, with authorities suggesting prior involvement with the Conti ransomware group.
🤫 CyberScoop | https://cyberscoop.com/black-basta-leader-europol-most-wanted-list/
SMS Blaster Scams: Fake Cell Towers in Cars 🚗
- Greek police arrested suspects using a fake cell tower hidden in a car trunk to send mass phishing messages across Athens.
- The device, an "SMS blaster," mimicked legitimate telecom infrastructure, forcing nearby phones to downgrade to less secure 2G networks to harvest data.
- Attackers then sent phishing links, posing as banks or couriers, to steal payment card details, a tactic previously seen in Thailand, Indonesia, Qatar, and the UK, often using similar Chinese-manufactured equipment.
🗞️ The Record | https://therecord.media/greek-police-arrest-scammers-using-hidden-cell-towers/
Fortinet FortiGate Patch Bypass Under Active Exploitation 🛡️
- Fortinet customers are reporting that patched FortiGate firewalls (FortiOS 7.4.9 and 7.4.10) are still vulnerable to a patch bypass for CVE-2025-59718, a critical SSO authentication flaw.
- Attackers are exploiting this by creating local admin accounts via malicious SSO logins, similar to previous attacks seen in December 2025.
- Fortinet is reportedly preparing new FortiOS versions (7.4.11, 7.6.6, 8.0.0) to fully address the issue; until then, admins are advised to disable the FortiCloud login feature if enabled.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/fortinet-admins-report-patched-fortigate-firewalls-getting-hacked/
ACF Extended WordPress Plugin RCE 🌐
- A critical vulnerability (CVE-2025-14533) in the Advanced Custom Fields: Extended (ACF Extended) WordPress plugin allows unauthenticated attackers to gain administrative privileges.
- The flaw, affecting versions 0.9.2.1 and earlier, stems from a lack of role restriction enforcement during form-based user creation/updates, even when role limitations are configured.
- Roughly 50,000 sites remain exposed, and while no active exploitation of this specific flaw has been observed, large-scale WordPress plugin reconnaissance activity is ongoing, targeting other known vulnerabilities.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/acf-plugin-bug-gives-hackers-admin-on-50-000-wordpress-sites/
GitLab Patches 2FA Bypass and DoS Flaws 💻
- GitLab has released patches for high-severity vulnerabilities, including a two-factor authentication (2FA) bypass (CVE-2026-0723) and multiple denial-of-service (DoS) flaws.
- The 2FA bypass allows attackers with knowledge of a victim's credential ID to circumvent multi-factor authentication by submitting forged device responses.
- Admins are strongly advised to upgrade self-managed GitLab installations to versions 18.8.2, 18.7.2, or 18.6.4 immediately to address these issues.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/gitlab-warns-of-high-severity-2fa-bypass-denial-of-service-flaws/
Chainlit AI Framework Flaws Enable Data Theft and SSRF 🤖
- High-severity "ChainLeak" vulnerabilities (CVE-2026-22218, CVE-2026-22219) were found in the open-source Chainlit AI framework, allowing arbitrary file reads and Server-Side Request Forgery (SSRF).
- These flaws can be combined to steal sensitive data, leak cloud environment API keys, and enable lateral movement within an organisation.
- Patches were released in Chainlit version 2.9.4, highlighting how traditional software vulnerabilities are now being embedded into AI infrastructure, creating new attack surfaces.
📰 The Hacker News | https://thehackernews.com/2026/01/chainlit-ai-framework-flaws-enable-data.html
Microsoft MarkItDown MCP Server Vulnerability ☁️
- A vulnerability dubbed "MCP fURI" in Microsoft's MarkItDown Model Context Protocol (MCP) server lets callers make the server fetch arbitrary URIs, leading to privilege escalation, SSRF, and data leakage.
- The flaw affects the server when it runs on AWS EC2 instances that still use IMDSv1, potentially allowing attackers to obtain instance credentials and access AWS accounts.
- BlueRock's analysis found over 36.7% of 7,000 MCP servers are likely exposed; mitigation includes using IMDSv2, private IP blocking, and restricting metadata service access.
📰 The Hacker News | https://thehackernews.com/2026/01/chainlit-ai-framework-flaws-enable-data.html
`binary-parser` npm Library Bug Allows Node.js RCE ⚙️
- A security vulnerability (CVE-2026-1245) in the popular `binary-parser` npm library allows for arbitrary JavaScript execution with Node.js process privileges.
- The flaw stems from a lack of sanitisation of user-supplied values when JavaScript parser code is dynamically generated at runtime using the "Function" constructor.
- Users of `binary-parser` are advised to upgrade to version 2.3.0 and avoid passing untrusted input into parser field names or encoding parameters.
📰 The Hacker News | https://thehackernews.com/2026/01/certcc-warns-binary-parser-bug-allows-node.js-privilege-level-code-execution.html
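The second bullet describes the whole bug class: untrusted strings interpolated into source that is then handed to the `Function` constructor. As an added example, not `binary-parser`'s own code, here is a toy field-parser generator written that way beside a hardened generator that validates field names before they reach generated source. The one-byte-per-field layout, the helper names (`buildUnsafeParser`, `buildSafeParser`, `runDemo`) and the sample buffer are constructed for this example and do not mirror the library's real API.

```javascript
// Added example, not binary-parser's own code: a toy field-parser generator
// that builds JavaScript source at run time with the Function constructor,
// beside a hardened generator that validates field names before they reach
// generated source. The layout (one unsigned byte per field), helper names
// and sample buffer are constructed for this example.

// Vulnerable: each field name is pasted verbatim into generated source, so a
// name that contains JavaScript is executed with the process's privileges.
function buildUnsafeParser(fieldNames) {
  let body = "const out = {};\n";
  fieldNames.forEach((name, i) => {
    body += `out.${name} = buf[${i}];\n`;
  });
  body += "return out;";
  return new Function("buf", body);
}

// Hardened: accept only plain identifiers, and emit them as quoted property
// keys so nothing in the name can terminate the statement being generated.
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

function assertFieldName(name) {
  if (typeof name !== "string" || !IDENTIFIER.test(name)) {
    throw new TypeError(`rejected field name: ${JSON.stringify(name)}`);
  }
  return name;
}

function buildSafeParser(fieldNames) {
  let body = "const out = {};\n";
  fieldNames.forEach((name, i) => {
    body += `out[${JSON.stringify(assertFieldName(name))}] = buf[${i}];\n`;
  });
  body += "return out;";
  return new Function("buf", body);
}

// Demonstration: a field name carrying an extra statement sets a marker on
// globalThis when the unsafe generator runs it; the safe generator rejects
// the same name at build time and still parses well-formed names.
function runDemo() {
  const buf = Uint8Array.from([0x2a, 0x07]); // constructed sample input
  const smuggled = "a = buf[0]; globalThis.parserSideEffect = true; out.b";

  globalThis.parserSideEffect = false;
  buildUnsafeParser(["a", smuggled])(buf);
  const unsafeRanInjectedCode = globalThis.parserSideEffect === true;

  let safeRejected = false;
  try {
    buildSafeParser(["a", smuggled]);
  } catch (err) {
    safeRejected = err instanceof TypeError;
  }

  const parsed = buildSafeParser(["a", "b"])(buf);
  return { unsafeRanInjectedCode, safeRejected, parsed };
}
```

The identifier check is the minimum; a library that must accept caller-supplied names is better off not generating source at all and building the parser from closures, which removes the `Function` constructor from the picture entirely. Either way, the advice in the bullet stands: field names and encoding parameters are code-adjacent configuration, not a place for request data.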
Cloudflare WAF Bypass Bug Fixed 🛡️
- Cloudflare has patched a logic flaw in its ACME (Automatic Certificate Management Environment) validation that allowed attackers to bypass its Web Application Firewall (WAF) and directly access origin servers.
- The "side door" was caused by the WAF disabling features for ACME challenge tokens without verifying the token matched an active challenge for the hostname.
- While no evidence of in-the-wild exploitation was found, researchers warn that such WAF bypasses could become more dangerous with AI-driven attacks.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/20/cloudflare_fixes_acme_validation/
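The second bullet is a pure logic flaw: an exemption keyed on what the request looks like rather than on whether a challenge is actually outstanding. As an added example, not Cloudflare's code, the following shows a WAF exemption for ACME HTTP-01 challenge requests written both ways. The challenge store, request shape and helper names (`bypassesWafUnsafe`, `bypassesWafSafe`, `acmeToken`) are constructed for this example.

```javascript
// Added example, not Cloudflare's code: a WAF exemption for ACME HTTP-01
// challenge requests written two ways. The first trusts the path alone, the
// shape of the reported "side door"; the second also requires the token to
// be outstanding for that exact hostname. The challenge store, request shape
// and helper names are constructed for this example.
const ACME_PREFIX = "/.well-known/acme-challenge/";

// Constructed sample: challenges the certificate issuer currently has open,
// keyed by hostname. In production this comes from the ACME client's state.
const activeChallenges = new Map([
  ["shop.example.test", new Set(["tok_3f9aQ"])],
]);

// Weak rule: any request whose path starts like a challenge skips the WAF and
// reaches the origin, whether or not a challenge is in progress.
function bypassesWafUnsafe(req) {
  return req.path.startsWith(ACME_PREFIX);
}

// Extract a well-formed token (RFC 8555 tokens are base64url) or null.
// An empty remainder, a nested path or a query string is not a token.
function acmeToken(path) {
  if (!path.startsWith(ACME_PREFIX)) return null;
  const token = path.slice(ACME_PREFIX.length);
  return /^[A-Za-z0-9_-]+$/.test(token) ? token : null;
}

// Hardened rule: only a GET for a token that is currently outstanding for
// this hostname is exempt; everything else stays behind the WAF.
function bypassesWafSafe(req, challenges = activeChallenges) {
  if (req.method !== "GET") return false;
  const token = acmeToken(req.path);
  if (token === null) return false;
  const tokens = challenges.get(req.host.toLowerCase());
  return tokens !== undefined && tokens.has(token);
}
```

The hardened rule has one more operational property worth keeping: entries in the challenge store should be removed once the issuer has validated them, so the exemption window is only as long as the challenge itself.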
EU Proposes Phasing Out "High-Risk" Telecom Suppliers 🇪🇺
- The European Commission (EC) is proposing a revised Cybersecurity Act that could force member states to phase out IT and telecoms kit from "high-risk suppliers" (implicitly Huawei and ZTE) within three years.
- This move aims to bolster cybersecurity across the bloc by addressing supply chain security challenges in critical infrastructure and simplifying certification frameworks.
- China has accused the EU of protectionism, with Huawei stating the proposal violates basic legal principles and WTO obligations by targeting suppliers based on country of origin rather than factual evidence.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/21/eu_mulls_deadline_of_3_years/
🗞️ The Record | https://therecord.media/eu-unveils-new-plans-to-tackle-huawei-zte
Curl Shuts Down Bug Bounty Program Due to AI "Slop" 🚫
- Daniel Stenberg, the maintainer of the popular open-source `cURL` tool, has ended the project's bug bounty program, citing a struggle to assess a flood of AI-generated contributions.
- Stenberg hopes this move will "remove the incentive for people to submit crap and non-well researched reports," which have placed a high load on the `cURL` security team.
- While acknowledging AI can aid bug hunting, he maintains that developers should only report bugs they fully understand and can reproduce, reserving the right to publicly criticise those who waste the team's time.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/21/curl_ends_bug_bounty/
#CyberSecurity #ThreatIntelligence #Ransomware #Phishing #Vulnerabilities #ZeroDay #AI #Malware #IncidentResponse #DataBreach #InfoSec #WordPress #Fortinet #GitLab #CloudSecurity #AutomotiveSecurity #Regulation #Privacy #OpenSource