#Grayzone

2026-01-12

It's been a busy 24 hours in the cyber world with significant updates on recent breaches, critical vulnerabilities, evolving threat actor tactics, and a deep dive into AI security. Let's take a look:

Recent Cyber Attacks and Breaches 🚨

- The University of Hawaii Cancer Center was hit by a ransomware attack in August 2025, leading to the theft of study participant data, including Social Security numbers from the 1990s. The university paid a ransom to obtain a decryptor and ensure data deletion, highlighting the ongoing challenge of protecting legacy data.
- Spanish energy provider Endesa and its Energía XXI operator disclosed unauthorised access to their commercial platform, exposing basic identification, contact, national identity numbers, contract, and payment details for over 10 million customers. Threat actors are allegedly selling a 1TB database with 20 million records.
- Hackers claim to have stolen 860 GB of Target's internal source code and developer documentation, publishing samples on Gitea. Following inquiries, Target's internal Git server (`git.target.com`) was taken offline, suggesting a potential breach of private development infrastructure.
- The notorious cybercrime forum, BreachForums, suffered a data breach in August 2025, exposing email addresses, usernames, and hashed passwords for approximately 324,000 users. The leaked database, posted to `shinyhunte.rs`, includes records linked to real cybercriminals and PGP keys, potentially aiding law enforcement.
- Players of Apex Legends experienced disruptions as a "bad actor" remotely controlled characters, disconnected players, and changed nicknames, with some reports suggesting administrative privilege access. Respawn, the publisher, resolved the incident, attributing it to anti-cheat circumvention rather than RCE or malware.
- Higham Lane School in the UK closed for a week following a cyberattack that disabled electronic gates, fire alarms, and student record systems, making it unsafe to open. This incident highlights the critical impact of cyberattacks on essential services and physical safety.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🕵🏼 The Register | go.theregister.com/feed/www.th
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🕵🏼 The Register | go.theregister.com/feed/www.th
📰 The Hacker News | thehackernews.com/2026/01/week

Critical Vulnerabilities and Exploitation ⚠️

- A maximum-severity flaw, dubbed "Ni8mare" (CVE-2026-21858), allows unauthenticated remote code execution on locally deployed n8n instances (versions prior to 1.121.0). This improper input validation vulnerability in form-based workflows affects nearly 60,000 exposed instances and could lead to full system compromise.
- CISA has ordered federal agencies to patch a high-severity Gogs RCE flaw (CVE-2025-8110), actively exploited as a zero-day. This path traversal vulnerability in the PutContents API allows authenticated attackers to bypass previous patches and overwrite files via symbolic links, enabling arbitrary command execution.
- Veeam patched four vulnerabilities, including a critical RCE (CVE-2025-59470, CVSS 9.0) that allows a Backup or Tape Operator account to execute arbitrary code. This flaw is particularly dangerous as ransomware actors often gain this level of access post-initial compromise, using it to accelerate attacks and disrupt backups.
- A vulnerability in Telegram's Android and iOS clients allows an attacker to reveal a user's real IP address with a single click on a specially crafted proxy link. The app automatically attempts a test connection to the specified server, bypassing configured proxies, making it a silent and effective deanonymisation tool.
- Chinese-speaking threat actors likely developed and exploited a trio of VMware ESXi flaws (CVE-2025-22224, -22225, -22226) over a year before public disclosure, using a compromised SonicWall VPN as an initial access vector. The exploit allowed memory leakage and code execution as the VMX process, targeting a wide range of ESXi versions.
- A critical buffer overflow vulnerability in zlib's `untgz` utility (CVE-2026-22184, versions up to 1.3.1.2) can lead to memory corruption, denial of service, and potentially remote code execution. The flaw, with a CVSS score of 9.3, is due to an unbounded `strcpy()` call on attacker-controlled input.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu
📰 The Hacker News | thehackernews.com/2026/01/rese
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🕵🏼 The Register | go.theregister.com/feed/www.th
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
📰 The Hacker News | thehackernews.com/2026/01/week

Evolving Threat Actor Tactics and Malware 🛡️

- Researchers uncovered service providers like "Penguin Account Store" and "UWORK" fuelling industrial-scale pig butchering fraud. These services offer full fraud kits, including stolen social media accounts, pre-registered SIMs, character sets, automated victim engagement platforms (SCRM AI), and even turnkey scam websites with KYC panels and mobile apps, significantly lowering the barrier to entry for criminals.
- A new wave of GoBruteforcer attacks is targeting cryptocurrency and blockchain project databases by exploiting weak credentials. The botnet, leveraging common usernames and passwords often propagated by AI-generated server deployment examples, can brute-force FTP, MySQL, PostgreSQL, and phpMyAdmin on Linux servers, with observed activity including scanning for TRON blockchain addresses with non-zero funds.
- Two distinct campaigns are actively targeting exposed Large Language Model (LLM) services, amounting to nearly 100,000 attack sessions. One campaign, likely by ethical hackers, exploits SSRF vulnerabilities, while the other, more malicious, systematically probes over 73 LLM model endpoints (OpenAI, Anthropic, Google, etc.) to identify misconfigured proxy servers for potential future exploitation.
- The Kimwolf botnet, an Android variant of Aisuru malware, has infected over two million devices, primarily by exploiting vulnerabilities in residential proxy networks. It abuses proxy providers to access local network addresses and ports, allowing direct interaction with Android Debug Bridge (ADB) services exposed on internal networks.
- A sophisticated threat actor, UAT-7290, is conducting a long-running cyber-espionage campaign targeting high-value telecommunications infrastructure in South Asia since at least 2022. The group focuses on extensive reconnaissance before deploying Linux malware families like RushDrop, DriveSwitch, and SilentRaid, highlighting the strategic value of these networks.
- Two malicious Chrome extensions, "Chat GPT for Chrome with GPT-5..." and "AI Sidebar with DeepSeek...", collectively installed 900,000 times, were found exfiltrating OpenAI ChatGPT and DeepSeek conversations, along with browsing data, to attacker-controlled servers. This technique, dubbed "Prompt Poaching," underscores the risk of third-party browser add-ons.

📰 The Hacker News | thehackernews.com/2026/01/rese
📰 The Hacker News | thehackernews.com/2026/01/gobr
🌑 Dark Reading | darkreading.com/endpoint-secur
📰 The Hacker News | thehackernews.com/2026/01/week

Threat Landscape and AI Security Insights 🧠

- The US appears to be shifting towards a "gray zone" cyber approach, using cyber interference against economic and civilian infrastructure as part of sustained pressure campaigns, rather than isolated actions. This strategy, drawing lessons from Russia's hybrid warfare, leverages persistent access and calibrated disruption to shape behaviour below the threshold of open conflict.
- A World Economic Forum survey indicates a significant increase in organisations assessing AI tool security risks, with 64% doing so before deployment, almost double the previous year. While AI is seen as the most significant driver of cybersecurity change, data leaks and the advancement of adversarial AI capabilities remain top concerns for leaders.
- Block's CISO, James Nettesheim, revealed their red team successfully used a prompt injection attack to deploy an infostealer on an employee's laptop via their open-source AI agent, Goose. This highlights the critical need for least-privilege access for AI agents and humans, and the ongoing challenge of prompt injection, which Block is addressing with features like recipe install warnings and suspicious Unicode character detection.
- Illicit cryptocurrency activity reached a record $158 billion in 2025, a 145% increase from 2024, with over 80% linked to Russia-linked entities. Despite the volume, illicit activity's share of overall crypto transactions continues to decline, suggesting improved visibility and a maturing ecosystem where illicit actors operate at scale, similar to traditional finance.

🤫 CyberScoop | cyberscoop.com/gray-zone-cyber
🕵🏼 The Register | go.theregister.com/feed/www.th
🕵🏼 The Register | go.theregister.com/feed/www.th
📰 The Hacker News | thehackernews.com/2026/01/week

Data Privacy Concerns 🔒

- Meta addressed an issue allowing external parties to request password reset emails for some Instagram users, but denied any system breach or data theft. This clarification follows claims of 17.5 million Instagram accounts having sensitive information stolen, likely from an older scraped dataset.
- China has issued draft regulations to govern personal information collection and use from the internet, emphasising legality, legitimacy, necessity, and integrity. The rules aim to safeguard user rights, promote transparency, and require explicit consent for data collection, especially sensitive personal information, with app developers responsible for security and compliance.
- Gulshan Management Services, operating 150 Handi gas stations, disclosed a data breach from September last year, affecting 377,082 customers. A phishing attack led to IT system encryption and exposure of names, SSNs, contact info, and driver's license numbers, raising concerns about delayed notification and potential legal action.

🕵🏼 The Register | go.theregister.com/feed/www.th
📰 The Hacker News | thehackernews.com/2026/01/week
🕵🏼 The Register | go.theregister.com/feed/www.th

#CyberSecurity #ThreatIntelligence #Ransomware #Vulnerabilities #ZeroDay #RCE #APT #Malware #DataBreach #AIsecurity #PromptInjection #GrayZone #Cybercrime #InfoSec #IncidentResponse

Gentleman & Gangster (@gentlemangangster)
2025-12-30

"EU sanctions Swiss analyst Jacques Baud for Ukraine 'conspiracy theories'"

The Grayzone YouTube channel.

youtube.com/watch?v=VIy40AGIVdE

2025-12-30

Tuesday, December 30, 2025

Dr. Strangelove or: How the West taught Putin to stop worrying and love his bombs -- 76% of Ukrainians reject recognizing occupied territories as Russian to end war -- They are looking for a pretext, Zelensky denies drone attack on Putin's residence -- Bringing art to the cemetery: How 'The Invisible Gallery' reclaims legacy overshadowed by Russian imperialism ... and more

activitypub.writeworks.uk/2025

A local resident waves a Ukrainian flag at a former Russian checkpoint at the entrance of Kherson as local residents celebrate the liberation of the city, on Nov. 13, 2022. Ukrainians in the liberated southern city of Kherson expressed a sense of relief on Nov. 11, 2022, after months of Russian occupation
2025-12-11

Thursday, December 11, 2025

Ukraine targets Moscow with mass drone attack -- Ukraine detains Russia shadow fleet cargo ship in Odesa -- [Video/Vlog] One front-line position, two soldiers, 165 days -- Ukraine's secret backchannels to Russia — from oligarchs to spies ... and more

activitypub.writeworks.uk/2025

A detained cargo ship is seen at a port in Odesa, Dec. 10, 2025. (The Security Service of Ukraine)
Don Curren 🇨🇦🇺🇦 (@dbcurren.bsky.social@bsky.brid.gy)
2025-11-17

“That and other subsequent drone incursions across #WesternEurope are part of an intensifying barrage that has thrust some countries into a sort of #gray-zone #conflict with #Moscow.” www.wsj.com/world/europe...

Poland Says Rail Explosion Was...

2025-10-10

New on our blog!

The South China Sea

In December 2024, the Philippines’ new navy chief suggested that the Philippines’ military could adopt its own “gray zone” operations in the South China Sea (SCS) to counter those used by the People’s Republic of China (PRC). This statement came in response to an incident in which the Chinese Coast Guard (CCG) fired water cannons and blocked a Philippine patrol

#China #GrayZone #Philippines

voelkerrechtsblog.org/the-sout

2025-09-29

it's certainly not easy to describe that new wave of weirdly beautiful, dark and psychedelic techno-not-techno, now emerging with its epicenter probably located somewhere in france. but this text does a pretty good job and provides some examples:
palpebrae.com/2025-is-techno-t
#techno #tribe #tekno #trance #idm #dnb #psytrance #grayzone #170BPM #ambient #psychedelia #sounddesign

The Times Of Central Asia | Eurasian Publication & News Online (@timesca.com@web.brid.gy)
2025-09-11

Kazakhstan Labor Ministry Increases Pressure on Employers Paying “Gray” Salaries

fed.brid.gy/r/https://timesca.

2025-09-07

Sunday, September 7, 2025

Russian drone, missile attacks on Kyiv residential buildings -- Russia preparing decisive breakthrough near Pokrovsk, Ukrainian military says -- 'He can come to Kyiv' — Zelensky mocks Putin's Moscow invitation -- More Ukrainian drones reportedly strike Russia's Ilsky Oil Refinery in Krasnodar Krai ... and more

activitypub.writeworks.uk/2025

Ukrainian soldiers of the 93rd Brigade attend combat drills outside Pokrovsk, Ukraine, winter 2025
Gentleman & Gangster (@gentlemangangster)
2025-08-26

Benoit Paré is a former French defense ministry analyst who worked as an international monitor for OSCE in eastern Ukraine from 2015 to 2022.

In his first interview with a US outlet, Paré speaks about the hidden reality of the Ukraine war in the Donbas following the 2014 Maidan coup. Russia now demands that Ukraine accept its capture of the Donbas as a condition for ending the war.

youtube.com/watch?v=Iy7tgwlhXWw

eastfloc sound (@eastfloc@sonomu.club)
2025-04-06
Security Land (@securityland)
2025-03-16

In the most recent incident, a Togolese-flagged cargo ship with Chinese backing, the “Hongtai,” allegedly severed the third Taiwan-Penghu submarine cable. This has raised concerns about how to defend against these “gray zone” threats to critical infrastructure.

security.land/taiwans-submarin

2024-06-04

Fuck any of you using #grayzone as a news source

jackhutton 🇺🇸 (@jackhutton@mstdn.social)
2024-06-02

[The Washington Post]: News site editor's ties to Iran, Russia show misinformation's complexity

Misinformation experts say an overlap in funding underscores concern that the spread of falsehoods and propaganda online is entering a more complicated stage as the November election draws closer. By Joseph Menn

washingtonpost.com/technology/

#grayzone #WyattReed #MaxBlumenthal #RussianPropaganda #disinformation

GameSense.co (@gamesense)
2024-05-17

Gray Zone Warfare's early access version is an ambitious, realism-heavy take on the extraction shooter, but technical issues and lack of guidance mean it may be too early for anyone who isn't a real-world gun enthusiast to access just yet. gamesense.co/game/gray-zone/ne

GameSense.co (@gamesense)
2024-05-04

You'll have to "wipe" your character progress, but now you can pick a new faction in Gray Zone Warfare thanks to the latest update. gamesense.co/game/gray-zone/ne

LikeGamesNews (@LikeGamesNews)
2024-04-30

Gray Zone Warfare: Early Access shooter following in Tarkov's footsteps
likegames.de/gray-zone-warfare

The new extraction shooter makes a very interesting impression, both graphically and in terms of gameplay. The game's strengths and weaknesses are covered in the article.

GameSense.co (@gamesense)
2024-04-30

The minimum and recommended specs for this Tarkov-like extraction shooter are a mixed bag, but Nvidia DLSS and AMD FSR are here to help. gamesense.co/game/gray-zone/ne

Client Info

Server: https://mastodon.social
Version: 2025.07
Repository: https://github.com/cyevgeniy/lmst