It's been a packed 24 hours in the cyber world with critical zero-day vulnerabilities, evolving threat actor tactics, significant data breaches, and shifts in government policy. Let's dive in:
Critical Zero-Days in Ivanti EPMM and SmarterMail ⚠️
- Ivanti has patched two critical code-injection zero-days (CVE-2026-1281, CVE-2026-1340) in its Endpoint Manager Mobile (EPMM) platform, actively exploited to achieve unauthenticated remote code execution.
- These flaws, with CVSS scores of 9.8, allow attackers to execute arbitrary code and access sensitive data like user credentials, device info, and potentially location data. Temporary RPM scripts are available, but a permanent fix is due in Q1 2026.
- SmarterMail also addressed a critical unauthenticated RCE (CVE-2026-24423, CVSS 9.3) in its ConnectToHub API, and a medium-severity NTLM relay vulnerability (CVE-2026-25067) that could lead to credential coercion. Users are urged to update to Build 9511 (for RCE) and Build 9518 (for NTLM relay) immediately.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/ivanti-warns-of-two-epmm-flaws-exploited-in-zero-day-attacks/
📰 The Hacker News | https://thehackernews.com/2026/01/two-ivanti-epmm-zero-day-rce-flaws.html
📰 The Hacker News | https://thehackernews.com/2026/01/smartermail-fixes-critical.html
Evolving Android Malware and Chinese APT Tactics 🛡️
- A new Android malware campaign is leveraging Hugging Face as a trusted repository to distribute thousands of polymorphic APK variants, disguised as a security app called TrustBastion. It exploits Accessibility Services to steal credentials for financial services like Alipay and WeChat.
- China-linked APTs are actively deploying sophisticated malware: "PeckBirdy," a JScript-based C2 framework, is used by both financially motivated cybercrime groups targeting Chinese gambling sites and espionage groups against Asian government entities.
- UAT-8099, another China-linked threat actor, is targeting vulnerable IIS servers in Asia, particularly Thailand and Vietnam, with BadIIS SEO malware. They use web shells, PowerShell, and legitimate tools like GotoHTTP for remote access and persistence, creating hidden user accounts like "admin$" or "mysql$".
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/hugging-face-abused-to-spread-thousands-of-android-malware-variants/
⚫ Dark Reading | https://www.darkreading.com/cyberattacks-data-breaches/chinese-apts-asian-orgs-high-end-malware
📰 The Hacker News | https://thehackernews.com/2026/01/china-linked-uat-8099-targets-iis-servers-in-asia-with-badiis-seo-malware
High-Profile Breaches and IP Theft Conviction 🚨
- Coupang, a major Korean e-commerce site, is under police investigation for allegedly obstructing a probe into a data breach affecting 33.7 million customer accounts, with its CEO questioned and a smashed laptop recovered from a river.
- Thousands more Oregon residents are being notified of health data exposure from the TriZetto data breach, which occurred in November 2024 but wasn't discovered until almost a year later, impacting over 700,000 patients across multiple US states.
- A former Google engineer, Linwei Ding, has been convicted of economic espionage and theft of trade secrets for stealing over 2,000 confidential AI-related documents to benefit a China-based startup he founded.
🗞️ The Record | https://therecord.media/coupang-acting-CEO-questioned-police-investigating-data-breach
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/30/trizetto_health_data_stolen/
📰 The Hacker News | https://thehackernews.com/2026/01/ex-google-engineer-convicted-for.html
Broadening Cyber Threats and Law Enforcement Responses 🌍
- A senior Secret Service official highlighted the "staggering" weakness in the Internet Assigned Numbers Authority (IANA) domain registration system, which facilitates phishing and fraudulent advertising due to insufficient identity validation.
- Google, in collaboration with Cloudflare and Lumen, disrupted IPIDEA, a China-based residential proxy network, removing millions of devices used by cybercriminals and espionage groups, though a significant portion remains active.
- Illicit cryptocurrency flows surged to a record $158 billion in 2025, primarily driven by sanctions-linked activity (Russia, Iran, Venezuela), nation-state use, and improved attribution, despite a slight drop in illicit activity's share of total volume.
- A comprehensive analysis of 418 law enforcement actions (2021-mid-2025) reveals that extortion, malware, and hacking are the most targeted criminal acts, with arrests dominating responses and significant public-private collaboration, particularly from US agencies.
🤫 CyberScoop | https://cyberscoop.com/secret-service-iana-domain-security-weakness/
🤫 CyberScoop | https://cyberscoop.com/ipidea-proxy-network-disrupted-google-lumen/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/crypto-wallets-received-a-record-158-billion-in-illicit-funds-last-year/
📰 The Hacker News | https://thehackernews.com/2026/01/badges-bytes-and-blackmail.html
US Policy Shifts and Microsoft's NTLM Retirement 🏛️
- The White House's OMB rescinded Biden-era mandates for Software Bills of Materials (SBOMs) and software attestation, arguing they prioritised compliance over genuine security, sparking debate among security professionals about the potential impact on software supply chain security.
- CISA faced scrutiny for releasing insider threat guidance shortly after its acting director, Madhu Gottumukkala, reportedly uploaded sensitive documents to a public ChatGPT instance, highlighting a potential disconnect between policy and practice.
- Microsoft announced plans to disable the 30-year-old NTLM authentication protocol by default in future Windows releases, phasing it out in favour of more secure Kerberos-based alternatives due to NTLM's inherent vulnerabilities to relay and pass-the-hash attacks.
⚫ Dark Reading | https://www.darkreading.com/application-security/trump-administration-rescinds-biden-era-sbom-guidance
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/29/cisa_insider_threat_guidance/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/microsoft/microsoft-to-disable-ntlm-by-default-in-future-windows-releases/
AI Security and Developer Challenges 💡
- A BellSoft survey indicates nearly half of Java developers prefer delegating container security to vendors of hardened containers, despite security being the most important factor in image choice and 23% experiencing container-related incidents.
- An op-ed argues that the US can win the AI race against China not just through advanced models, but by leveraging its robust private-sector cybersecurity industry, which fosters trust and security through real-world threat exposure and market-driven defence.
- Tenable introduced "Tenable One AI Exposure" to its exposure management portfolio, designed to detect, map, and govern the use of agentic and generative AI platforms across enterprise infrastructure, addressing concerns about shadow AI and data leakage.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/30/java_developers_container_security/
🤫 CyberScoop | https://cyberscoop.com/ai-race-china-us-cloud-cybersecurity-trust-security-op-ed/
⚫ Dark Reading | https://www.darkreading.com/cyber-risk/tenable-tackles-ai-governance-shadow-ai-risks-data-exposure
#CyberSecurity #ThreatIntelligence #ZeroDay #RCE #Vulnerability #Malware #APT #AndroidSecurity #IISSecurity #DataBreach #EconomicEspionage #IPTheft #Cybercrime #LawEnforcement #SBOM #NTLM #MicrosoftSecurity #AISecurity #ContainerSecurity #InfoSec
