Alright team, it's been a busy 24 hours in the cyber world with significant updates on supply chain attacks, actively exploited zero-days, evolving threat actor tactics, and a few stark reminders about fundamental security hygiene. Let's dive in:
Recent Cyber Attacks & Breaches ⚠️
Notepad++, eScan, and Open VSX Hit by Supply Chain Attacks
- The popular Notepad++ text editor's update mechanism was hijacked for six months by a suspected Chinese state-sponsored group (Lotus Blossom/Billbug), redirecting select users to malicious servers to deliver custom backdoors.
- eScan Antivirus update servers were compromised, distributing multi-stage malware globally by replacing a legitimate 'Reload.exe' with a rogue, unsigned version that disabled updates and fetched further payloads.
- A supply chain attack on the Open VSX Registry saw a legitimate developer's account compromised to push malicious updates embedding the GlassWorm malware loader, designed to steal macOS credentials and crypto wallet data, notably avoiding Russian locales.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/02/notepad_plusplus_intrusion/
📰 The Hacker News | https://thehackernews.com/2026/02/notepad-official-update-mechanism-hijacked-to-deliver-malware-to-select-users.html
🤫 CyberScoop | https://cyberscoop.com/china-espionage-group-lotus-blossom-attacks-notepad/
📰 The Hacker News | https://thehackernews.com/2026/02/escan-antivirus-update-servers-compromised-to-deliver-multi-stage-malware.html
📰 The Hacker News | https://thehackernews.com/2026/02/open-vsx-supply-chain-attack-used-compromised-dev-account-to-spread-glassWorm.html
NationStates, Panera Bread, and a Belgian School Suffer Breaches
- The browser game NationStates confirmed a data breach after a player exploited an RCE vulnerability in a new feature, gaining access to the production server and copying user data including email addresses and MD5 password hashes.
- Panera Bread's data breach, attributed to the ShinyHunters extortion gang via a vishing campaign targeting Microsoft Entra SSO, impacted 5.1 million unique accounts, exposing names, phone numbers, and physical addresses.
- A high school in Antwerp, Belgium, OLV Pulhof, was hit by cybercriminals (falsely claiming to be LockBit) who attempted to extort the school for €15,000, and upon refusal, directly targeted parents for €50 per child, threatening data leaks.
- The anti-ICE alert service StopICE reported a server attack, blaming a US Customs and Border Protection agent for sending alarming text messages to users, though admins state no personal data (names, addresses, GPS) was stored or compromised.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/nationstates-confirms-data-breach-shuts-down-game-site/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/panera-bread-data-breach-impacts-51-million-accounts-not-14-million-customers/
🗞️ The Record | https://therecord.media/hackers-attempt-to-extort-parents-after-school-refuses-ransom-demand
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/02/stopice_alerts_hacked/
Vulnerabilities & Active Exploitation 💥
APT28 Actively Exploiting New Microsoft Office Zero-Day
- Russia-linked APT28 (UAC-0001/Fancy Bear) is actively abusing CVE-2026-21509, a Microsoft Office security feature bypass zero-day, targeting Ukrainian government agencies and EU organisations.
- The attack chain involves malicious DOC attachments that, when opened, initiate a WebDAV connection to download a shortcut file, leading to DLL sideloading, shellcode deployment, and persistence via COM hijacking and scheduled tasks.
- The campaign deploys the COVENANT post-exploitation framework, routing traffic through legitimate cloud storage to evade detection, with CERT-UA urging monitoring or blocking of Filen-related traffic.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/02/russialinked_apt28_microsoft_office_bug/
OpenClaw/Moltbot RCE and Database Exposure Patched
- A one-click RCE exploit chain was discovered in OpenClaw (formerly Moltbot/ClawdBot), allowing attackers to gain control by exploiting a cross-site WebSocket hijacking vulnerability due to a lack of origin header validation.
- The exploit, which takes milliseconds, could allow an attacker to retrieve authentication tokens, disable sandboxing, and execute privileged operations via node.invoke requests after a user visits a malicious webpage.
- Separately, the Moltbook social media network for AI agents, associated with OpenClaw, had its database exposed, making secret API keys freely accessible and potentially allowing attackers to post as high-profile AI agents.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/02/openclaw_security_issues/
New Threat Research on Threat Actors/Malware 🕵🏼
North Korean Labyrinth Chollima Splits into Specialised Entities
- The prolific North Korean cyber threat group Labyrinth Chollima has evolved into three distinct, coordinated entities: Golden Chollima, Pressure Chollima, and the original Labyrinth Chollima.
- Golden Chollima focuses on small-value cryptocurrency and fintech thefts in regions like the US, Europe, and South Korea, while Pressure Chollima handles high-profile financial and crypto heists, showcasing advanced technical capabilities.
- The original Labyrinth Chollima now exclusively targets malware-driven espionage against defence and manufacturing sectors, with Crowdstrike warning organisations in these sectors to be vigilant against DPRK social engineering, especially employment-themed lures and trojanised software.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/01/opensource_ai_is_a_global/
Malicious OpenClaw/Moltbot Skills Deliver NovaStealer
- Over 230 malicious "skills" (plugins) for the OpenClaw AI assistant were published on its official registry and GitHub, impersonating legitimate utilities to deliver information-stealing malware.
- The infection occurs when users follow documentation instructions to run a fake 'AuthTool,' which on macOS is a base64-encoded shell command downloading NovaStealer, and on Windows, a password-protected ZIP archive.
- NovaStealer targets a wide array of sensitive data, including cryptocurrency exchange API keys, wallet files, seed phrases, browser wallet extensions, macOS Keychain data, browser passwords, SSH keys, and cloud credentials.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/malicious-moltbot-skills-used-to-push-password-stealing-malware/
Threat Landscape & Industry Commentary 📈
Open-Source AI: A Global Security Monoculture
- Researchers warn that open-source AI deployments, particularly Ollama instances, are forming a global monoculture, with 175,108 hosts found exposed across 130 countries, largely running similar models and configurations.
- This homogeneity means a single vulnerability in how specific quantized models handle tokens could simultaneously affect a substantial portion of the exposed ecosystem, leading to widespread exploitation.
- Many exposed instances have tool-calling capabilities via API, vision capabilities, and uncensored prompt templates lacking safety guardrails, posing risks of resource hijacking, remote execution, and identity laundering if not treated as critical infrastructure with proper authentication, monitoring, and network controls.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/01/opensource_ai_is_a_global/
Infrastructure Cyberattacks Are on the Rise
- Cyberattacks on critical infrastructure are becoming more prevalent and integrated into military strategies, as seen in attempts to disrupt the Polish grid and the US-attributed power outages in Caracas during a military operation.
- The "democratisation" of attack technologies, with open-source tools like Shodan and resources like MITRE ATT&CK, has made infrastructure attacks more accessible beyond nation-state specialisation.
- While such attacks can cause short-term disruption and confusion, their effectiveness for political extortion or as singular game-changers is limited, highlighting the need for increased awareness, spending on resilience, and clear national policies on responses.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/02/energy_infrastructure_cyberattacks/
"Move Fast and Break Things" Culture Undermines Supply Chain Security
- The "move fast and break things" development culture has led to vulnerable applications and services, making supply chain attacks a primary concern, as demonstrated by incidents like Microsoft Sharepoint and Ivanti VPN exploits, and the Trust Wallet breach.
- Attackers increasingly target older applications with legacy code vulnerabilities and complex cloud platforms by compromising third-party integrations, software dependencies, and poorly managed APIs.
- To counter this, software publishers must prioritise security by adopting "zero vulnerability" goals, testing compiled binaries, and embracing transparency through Software Bills of Materials (SBOMs, MLBOMs, SaaSBOMs) to ensure secure and resilient technology.
🤫 CyberScoop | https://cyberscoop.com/move-fast-break-things-cybersecurity-supply-chain-security-op-ed/
Data Privacy & Best Practices 🔒
Booz Allen Hamilton Loses Treasury Contracts Over Data Leak
- The US Treasury Department has terminated 31 contracts with consulting firm Booz Allen Hamilton, totaling $4.8 million annually, citing the company's failure to implement adequate safeguards for sensitive taxpayer data.
- This decision follows a former BAH employee, Charles Littlejohn, pleading guilty to stealing and leaking confidential tax returns of high-profile US citizens, including Donald Trump and Elon Musk, between 2018 and 2020.
- The incident underscores the severe consequences for contractors who fail to protect sensitive government data, highlighting the critical need for robust internal security controls and data handling policies.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/01/opensource_ai_is_a_global/
McDonald's Urges Better Password Hygiene
- McDonald's Netherlands used "Change Your Password Day" to highlight poor password practices, noting that terms like "bigmac" and its leetspeak variants appear over 110,000 times in compromised password corpuses.
- The campaign, including public advertisements, warns against using easily guessable product names or simple character substitutions (e.g., Ch!ck3nMcN4gg€t$) as these are easily brute-forced by attackers.
- This serves as a reminder for all users, not just "normies," to adopt stronger password practices, such as long passphrases, randomised passwords, password managers, and multi-factor authentication, to counter widespread cybercriminal reliance on weak credentials.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/02/02/mcdonalds_password_advice/
Regulatory & Policy Changes 📜
Microsoft Begins NTLM Phase-Out to Kerberos
- Microsoft has initiated a three-phase plan to phase out the legacy NTLM authentication protocol in Windows environments, aiming to shift towards more secure, Kerberos-based options.
- NTLM, deprecated in June 2024 due to its susceptibility to replay, relay, and man-in-the-middle attacks, is still prevalent in enterprise environments due to legacy dependencies, posing significant security risks.
- The transition involves enhanced NTLM auditing (Phase 1, available now), addressing migration roadblocks with features like IAKerb and local KDC (Phase 2, H2 2026), and finally disabling NTLM by default in future Windows Server and client versions (Phase 3), requiring explicit re-enablement.
📰 The Hacker News | https://thehackernews.com/2026/02/microsoft-begins-ntlm-phase-out-with.html
#CyberSecurity #ThreatIntelligence #SupplyChainAttack #ZeroDay #RCE #APT #Malware #Ransomware #DataBreach #InfoSec #IncidentResponse #Vulnerability #AI #CriticalInfrastructure #PasswordSecurity #NTLM #Kerberos #Pentesting
