It's been a busy 24 hours in the cyber world with critical zero-days, active exploitation of known flaws, nation-state activity, and important updates on regulatory enforcement and government cyber agencies. Let's dive in:
Energy Sector Phishing & Ransomware Leader Guilty 🚨
- Microsoft has detailed a multi-stage phishing and Business Email Compromise (BEC) campaign targeting energy sector organisations. Attackers used compromised Microsoft accounts, SharePoint URLs, and credential harvesting to take over inboxes and send hundreds of phishing emails to internal and external contacts.
- Attackers set inbox rules to delete incoming emails and out-of-office replies, and even responded to queries about the legitimacy of the phish, demonstrating sophisticated social engineering.
- In other news, Russian national Ianis Antropenko pleaded guilty to leading a ransomware conspiracy (Zeppelin, GlobeImposter) that targeted at least 50 victims over four years, causing $1.5 million in losses. Authorities seized over $3.4 million in cryptocurrency and cash from him.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/22/crims_compromised_energy_firms_microsoft/
🤫 CyberScoop | https://cyberscoop.com/ianis-antropenko-russian-ransomware-leader-guilty/
DPRK Abuses VS Code Tunnels, Malicious PyPI Package Spreads Miner 🌑
- North Korean actors are deploying spear-phishing campaigns that abuse Microsoft VS Code's built-in tunneling feature to gain full remote control of targeted systems. This technique allows attackers to bypass traditional C2 infrastructure and custom malware, blending in with legitimate developer activity.
- The attacks, primarily targeting South Korean entities, use JSE files disguised as HWPX documents to install VS Code and establish a tunnel, giving attackers interactive access to the VS Code terminal and file browser via trusted Microsoft infrastructure.
- Separately, a malicious PyPI package named `sympy-dev` has been found impersonating the legitimate `SymPy` library to deploy an XMRig cryptocurrency miner on Linux hosts. The malware is designed to trigger only when specific polynomial routines are called and uses memory-backed file descriptors to reduce on-disk artifacts.
🌑 Dark Reading | https://www.darkreading.com/endpoint-security/dprk-vs-code-tunnels-remote-hacking
🚨 The Hacker News | https://thehackernews.com/2026/01/malicious-pypi-package-impersonates.html
Cisco Zero-Day Under Active Exploitation ⚠️
- Cisco has released emergency patches for a critical zero-day vulnerability, CVE-2026-20045 (CVSS 8.2), affecting multiple Unified Communications products and Webex Calling Dedicated Instance.
- The flaw allows unauthenticated remote attackers to execute arbitrary commands on the underlying operating system and escalate privileges to root via crafted HTTP requests to the web-based management interface.
- CISA has added CVE-2026-20045 to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies apply fixes by February 11, 2026. No workarounds are available, so immediate patching is crucial.
🚨 The Hacker News | https://thehackernews.com/2026/01/cisco-fixes-actively-exploited-zero-day.html
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/22/another_week_another_emergency_patch/
FortiGate SSO Bypass Exploited, SmarterMail Auth Bypass Also Hit 🛡️
- Arctic Wolf has warned of automated malicious activity targeting Fortinet FortiGate devices, involving unauthorised firewall configuration changes via compromised SSO accounts. Attackers are creating persistence accounts, modifying VPN/firewall rules, and exfiltrating configuration files.
- This activity aligns with exploitation of CVE-2025-59718 and CVE-2025-59719, SSO authentication bypasses patched in December 2025. However, some administrators report exploitation on fully patched FortiOS 7.4.10, suggesting a patch bypass, with Fortinet reportedly preparing further fixes.
- In other news, a critical authentication bypass (WT-2026-0001) in SmarterTools SmarterMail email software was actively exploited just two days after a patch release. The flaw allows unauthenticated users to reset the system administrator password and then achieve Remote Code Execution (RCE) via a built-in volume mount command feature.
🚨 The Hacker News | https://thehackernews.com/2026/01/automated-fortigate-attacks-exploit.html
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/22/fortigate_firewalls_hit_by_silent/
🚨 The Hacker News | https://thehackernews.com/2026/01/smartermail-auth-bypass-exploited-in.html
Ancient Telnet Bug Hands Out Root Access 👴
- A critical, 11-year-old vulnerability (CVE-2026-24061, CVSS 9.8) in the GNU InetUtils telnet daemon (`telnetd`) has been disclosed and is being actively exploited.
- The bug allows attackers to trivially gain root access by sending a crafted `USER` environment variable (`-f root`) during connection, bypassing normal authentication.
- Experts strongly recommend decommissioning `telnetd` entirely due to its unencrypted nature, or at minimum, patching immediately and restricting network access to the telnet port to trusted clients only.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/22/root_telnet_bug/
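An added defensive example, not from the article or from GNU InetUtils: a small Python decoder for telnet NEW-ENVIRON subnegotiations (RFC 1572 encoding) that flags USER values shaped like command-line options, the pattern the telnetd bug turns on. The sample byte strings are constructed, and the "starts with '-'" heuristic is an assumption, not an official detection signature.

```python
# Added example: decode telnet NEW-ENVIRON (RFC 1572) from a client->server
# byte stream and flag option-like USER values. Samples below are constructed.
IAC, SB, SE = 255, 250, 240            # telnet command bytes
NEW_ENVIRON = 39                       # option code (RFC 1572)
IS, SEND, INFO = 0, 1, 2               # subnegotiation commands
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3  # environment list codes

def subnegotiations(stream: bytes):
    """Yield the body of every IAC SB ... IAC SE block, IAC IAC unescaped."""
    i = 0
    while (start := stream.find(bytes([IAC, SB]), i)) >= 0:
        end = stream.find(bytes([IAC, SE]), start + 2)
        if end < 0:
            return
        yield stream[start + 2:end].replace(bytes([IAC, IAC]), bytes([IAC]))
        i = end + 2

def parse_new_environ(body: bytes) -> dict:
    """Decode an IS/INFO body into {name: value}; any other body gives {}."""
    if len(body) < 2 or body[0] != NEW_ENVIRON or body[1] not in (IS, INFO):
        return {}
    env, name, buf, kind, i = {}, None, bytearray(), None, 2
    while i <= len(body):
        b = body[i] if i < len(body) else None
        if b == ESC and i + 1 < len(body):     # ESC quotes a literal code byte
            buf.append(body[i + 1]); i += 2; continue
        if b in (VAR, USERVAR, VALUE, None):   # token boundary or end of body
            if kind in (VAR, USERVAR):
                name = buf.decode("latin-1"); env[name] = ""
            elif kind == VALUE and name is not None:
                env[name] = buf.decode("latin-1")
            kind, buf = b, bytearray()
        else:
            buf.append(b)
        i += 1
    return env

def flagged_users(stream: bytes) -> list:
    """USER values that look like command-line options rather than login names."""
    hits = []
    for body in subnegotiations(stream):
        user = parse_new_environ(body).get("USER")
        if user is not None and user.lstrip().startswith("-"):  # heuristic (assumption)
            hits.append(user)
    return hits

# Constructed samples: a normal login and one carrying the "-f root" USER value.
BENIGN = b"\xff\xfb\x27\xff\xfa\x27\x00\x00USER\x01alice\x00DISPLAY\x01host:0\xff\xf0"
SUSPECT = b"\xff\xfb\x27\xff\xfa\x27\x00\x00USER\x01-f root\xff\xf0"
```

Run it over a pcap-extracted client stream (or a honeypot's raw socket bytes) for port 23; a non-empty result from `flagged_users` is worth an alert on any host still running `telnetd`.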
AI Agents Pose New Insider Threat, Financial Sector Still Lags on Basics, New CVE System Launched 🧠
- A Davos panel highlighted AI agents as a potential "ultimate insider threat," posing new security challenges as they can access sensitive data and perform harmful tasks. Recommendations include implementing zero trust, least-privilege access, and "guard agents" to monitor AI behaviour.
- The UK's 2025 CBEST report revealed that financial organisations continue to miss basic cybersecurity safeguards, with common weaknesses including poor access controls, misconfigured/unpatched systems, and ineffective detection. Social engineering remains a significant threat due to poor staff culture and awareness.
- The Computer Incident Response Center Luxembourg (CIRCL) has launched the Global CVE Allocation System (GCVE), a decentralised alternative to MITRE's CVE program. GCVE allows independent numbering authorities to assign vulnerability identifiers, aiming to address concerns about CVE's governance and sustainability.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/21/davos_ai_agents_security/
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/22/financial_sector_cyber_gap/
🤫 CyberScoop | https://cyberscoop.com/gcve-vulnerability-database-launches/
Cellebrite Misused by Jordan, Spain Closes Pegasus Probe ⚖️
- Citizen Lab reported that Jordanian authorities used Cellebrite digital forensic software to extract data from phones of at least seven activists critical of the Gaza war, often during interrogations or detentions. This highlights the ongoing misuse of surveillance technology against civil society.
- Separately, a Spanish judge closed a probe into the use of Pegasus spyware against top government officials due to a lack of cooperation from Israel, which regulates NSO Group's exports. The court found evidence of crimes that "jeopardised the security of the Spanish State."
🗞️ The Record | https://therecord.media/jordan-used-cellebrite-against-activists-critical-gaza-war
🗞️ The Record | https://therecord.media/spanish-judge-closes-nso-group-spyware-probe-israel
GDPR Fines Surge as Breach Notifications Hit Record High 📈
- DLA Piper's latest survey shows GDPR fines surpassed €1.2 billion in 2025, bringing the total since May 2018 to €7.1 billion. Daily data breach notifications surged 22% to an average of 443, the first time exceeding 400.
- Ireland remains the top enforcer, with a €530 million fine against TikTok being the largest in 2025. The report attributes the rise in breaches to geopolitics, cyber incidents, and new reporting regimes like NIS2 and DORA.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2026/01/22/europes_gdpr_cops_dished_out/
CISA and NIST Face Staffing Challenges 📉
- CISA's acting head, Madhu Gottumukkala, faced intense questioning from lawmakers over significant personnel reductions (nearly 1,000 staff lost since 2017) and reported attempts to fire the agency's CIO. Democrats expressed concern about weakened defences and reassignments, while Republicans suggested CISA was "doing more with less."
- NIST is also grappling with staff cuts (over 700 positions lost since 2025) and a shrinking budget, impacting its critical work on cybersecurity, AI, and post-quantum encryption. The Information Technology Laboratory (ITL) lost 89 employees, forcing a narrower focus and hindering efforts to reduce backlogs in its human-intensive cryptographic validation program.
🤫 CyberScoop | https://cyberscoop.com/cisa-madhu-gottumukkala-house-homeland-hearing-workforce-staffing-levels/
🤫 CyberScoop | https://cyberscoop.com/encryption-nist-officials-detail-staff-cuts-impact/
#CyberSecurity #ThreatIntelligence #Vulnerability #ZeroDay #RCE #APT #Ransomware #Malware #DataPrivacy #GDPR #InfoSec #CISA #NIST #AI #SocialEngineering #FortiGate #Cisco #Telnet #CyberAttack