
Cyber Threat Weekly – #111

Derek Krein
5 min read

For the week of January 5th through January 11th, around 337 cyber news articles were reviewed. A moderate amount of cyber threat trend and adversarial behavior news to share. Been thinkin about the things we can't keep ignoring, like hygiene.

The same threat actor behavior has been happening for years, and yet we still get pwned on the little things we should have covered long ago: an inventory of all of our assets, Internet-exposed edge devices, shared storage systems, simplicity, visibility into our cloud environments, and robust identity and access management. AI is changing the game, and all the little things we ignore can end up being very costly.

Let’s start with a reminder of indirect prompt injection and its undesired outcomes.  Threat actors abusing QR code phishing.  Industrialized AI-assisted investment fraud.  Critical remote code execution bug in Trend Micro’s Apex Central, exploit code released.

BreachForums compromised and user database released.  Threat actors abuse Chrome extensions impersonating a legit extension.  Just a reminder around ‘vibe coding’.  Malicious packages found in the npm repository.

A Cisco ISE bug with exploit code available has been fixed. Simple techniques and a huge attack surface still work well. How a lack of MFA leads to data breaches. Another ClickFix campaign, this one targeting the hospitality vertical.

Researchers deep dive into some ShinyHunters threat actors. 


Broken Record Alert: Don’t get pwned by N-day vulnerabilities!!!

Known exploited software flaws are one of the top four initial access vectors and have increased sharply in recent months. We continue to share n-day vulnerabilities being actively exploited. Priority #1: start with the CISA / VulnCheck known exploited vulnerability (KEV) catalogs. If it's in the catalog, it should be patched.

A close #2 priority is flaws with weaponized proof-of-concept (PoC) code available; exploitation is far more likely once weaponized PoC code is public. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for actively exploited vulnerabilities and those with weaponized PoC code available.

VPN gateways from all vendors are under constant attack.

Consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way toward minimizing the number of devices and services exposed to the Internet.


CISA Known Exploited Vulnerabilities – January 5th to January 11th:

CVE-2009-0556 – Microsoft Office PowerPoint Code Injection Vulnerability:
Allows remote attackers to execute arbitrary code via a PowerPoint file with an OutlineTextRefAtom containing an invalid index value that triggers memory corruption.

CVE-2025-37164 – Hewlett Packard Enterprise (HPE) OneView Code Injection Vulnerability:
Allows a remote unauthenticated user to perform remote code execution.
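One way to operationalize the Broken Record guidance above (KEV hits first, weaponized-PoC flaws second, each inside a 24-to-48-hour emergency window), as an added Python example that is not part of this newsletter or of any CISA or VulnCheck tooling. The embedded feed excerpt follows the field names of the real CISA KEV JSON feed, but every date and flag in it is illustrative rather than copied from the catalog; the asset inventory and PoC set are constructed, and the CVE-0000-000x identifiers are deliberate placeholders, not real CVEs:

```python
import json
from datetime import date, timedelta

# Constructed sample in the layout of the CISA KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# The two CVE IDs are the ones this issue lists as added to KEV; the dates and
# the ransomware flag are illustrative values, not copied from the real catalog.
KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "example",
  "count": 2,
  "vulnerabilities": [
    {"cveID": "CVE-2009-0556", "vendorProject": "Microsoft", "product": "Office PowerPoint",
     "vulnerabilityName": "Microsoft Office PowerPoint Code Injection Vulnerability",
     "dateAdded": "2026-01-06", "dueDate": "2026-01-10", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-37164", "vendorProject": "Hewlett Packard Enterprise", "product": "OneView",
     "vulnerabilityName": "HPE OneView Code Injection Vulnerability",
     "dateAdded": "2026-01-08", "dueDate": "2026-01-29", "knownRansomwareCampaignUse": "Unknown"}
  ]
}
"""

# Constructed asset inventory: hostnames and the CVEs a scanner reported on each.
# CVE-0000-0001 / CVE-0000-0002 are deliberately fake placeholders, not real identifiers.
INVENTORY = {
    "ws-finance-01": ["CVE-2009-0556", "CVE-0000-0002"],
    "mgmt-oneview": ["CVE-2025-37164"],
    "web-01": ["CVE-0000-0001"],
}

# Hypothetical set of flaws with weaponized PoC code but no KEV entry; in practice
# this would come from a PoC tracker such as VulnCheck.
POC_AVAILABLE = {"CVE-0000-0001"}


def load_kev(feed_text):
    """Index a KEV feed by CVE ID."""
    return {v["cveID"]: v for v in json.loads(feed_text)["vulnerabilities"]}


def triage(inventory, kev, poc_available, today, emergency=timedelta(days=2)):
    """Rank findings: KEV hits first (ransomware-linked ahead of the rest), then
    PoC-available flaws. Each gets the earlier of the KEV due date and the
    48-hour emergency window as its patch-by date."""
    findings = []
    for asset, cves in inventory.items():
        for cve in cves:
            if cve in kev:
                entry = kev[cve]
                due = date.fromisoformat(entry["dueDate"])
                findings.append({
                    "priority": 1, "asset": asset, "cve": cve,
                    "patch_by": min(due, today + emergency).isoformat(),
                    "overdue": due < today,
                    "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
                })
            elif cve in poc_available:
                findings.append({
                    "priority": 2, "asset": asset, "cve": cve,
                    "patch_by": (today + emergency).isoformat(),
                    "overdue": False, "ransomware": False,
                })
    # Lower priority number first, ransomware-linked first, nearest deadline first.
    findings.sort(key=lambda f: (f["priority"], not f["ransomware"], f["patch_by"], f["cve"]))
    return findings


def run_example(today=date(2026, 1, 12)):
    return triage(INVENTORY, load_kev(KEV_JSON), POC_AVAILABLE, today)


if __name__ == "__main__":
    for f in run_example():
        flag = "  OVERDUE" if f["overdue"] else ""
        print(f"P{f['priority']} {f['asset']:14} {f['cve']:15} patch by {f['patch_by']}{flag}")
```

To use it against real data, replace KEV_JSON with the downloaded feed and POC_AVAILABLE with your PoC tracker's output; CVEs in neither set fall through to the normal patch cycle, which is the point of the two-tier filter.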


Indirect Prompt Injection Sucks

While this one focuses on ChatGPT, all models are susceptible.  Researchers share several ways to abuse large language models and some of the outcomes that come from it.  Worth a read to recognize the art of the possible and plan for it in your deployments.

https://www.radware.com/blog/threat-intelligence/zombieagent/


QR Code Phishing Abused by Threat Actors

In this case, North Korean nation-state attackers are abusing QR codes. This is a popular technique, used by both nation states and cybercriminals. The goal is usually credential harvesting / MFA bypass or infostealer / remote access trojan deployment.

https://thecyberexpress.com/kimsuky-threat-actors-malicious-qr-codes/

https://www.ic3.gov/CSA/2026/260108.pdf


Synthetic Industrialized AI-Assisted Investment Fraud

This is the world we live in now, worth a read. From mobile applications to AI-assisted social engineering, all an elaborate fake. Trust building, manipulation, operational execution, all automated. The threat actors even harvest Know Your Customer (KYC) type information.

https://www.infosecurity-magazine.com/news/ai-truman-show-industrializes/

https://blog.checkpoint.com/mobile/the-truman-show-scam-trapped-in-an-ai-generated-reality/


Apex Central (Trend Micro) Critical Bug and Exploit Code Released

A remote code execution bug was identified by researchers and disclosed to Trend Micro. In addition to the disclosure, a proof-of-concept exploit and technical details were released. Threat actors jump all over these; we'll keep an eye out for exploitation.

https://www.bleepingcomputer.com/news/security/trend-micro-fixes-critical-rce-flaw-in-apex-central-console/

https://www.tenable.com/security/research/tra-2026-01


Researchers Dive into the BreachForums Compromise

A little background on BreachForums as well as plenty of details from the dumped database.  Several individuals are named, presumably part of the various threat groups.  An interesting foray into the criminal underground.

https://www.resecurity.com/blog/article/doomsday-for-cybercriminals-data-breach-of-major-dark-web-foru


Legit Chrome AITOPIA Extension Impersonated

Two malicious extensions were discovered, one of them carrying a 'Featured' badge; they exfiltrate chatbot conversations and browsing history. The real lesson here is that threat actors abuse trust, imitating and using legitimate infrastructure and tools.

https://www.darkreading.com/cloud-security/fake-ai-chrome-extensions-steal-900k-users-data

https://www.ox.security/blog/malicious-chrome-extensions-steal-chatgpt-deepseek-conversations/


Vibe Coding is all the Rage, Don’t Forget Security

Researchers share findings from AI visibility and security assessment engagements. A few lessons learned: most evaluated organizations allowed vibe coding but lacked the governance to ensure safe use of the tools. The SHIELD framework is shared.

https://unit42.paloaltonetworks.com/securing-vibe-coding-tools/


Three Malicious NPM Packages Discovered by Researchers

The assault on npm and other repositories continues. This one is interesting: the malicious packages were designed to deliver a previously unknown remote access trojan dubbed NodeCordRat. It appears the threat actor impersonated legitimate repositories.

https://thehackernews.com/2026/01/researchers-uncover-nodecordrat-hidden.html

https://www.zscaler.com/blogs/security-research/malicious-npm-packages-deliver-nodecordrat


Exploit Code Released for Cisco ISE Bug

Cisco patched CVE-202-20029 (CVSS score: 4.9) after proof-of-concept exploit code was released. The vulnerability allows an authenticated attacker with admin privileges to read arbitrary files from the underlying operating system, including files that administrators are not normally able to access.

https://thehackernews.com/2026/01/cisco-patches-ise-security.html

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-xxe-jWSbSDKt
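The Cisco advisory slug above ("ise-xxe") points at XML External Entity processing, the classic way an XML-consuming admin feature turns into an arbitrary file read. Below is an added example, written in Python for this write-up and unrelated to Cisco's code, that shows the same parser in its vulnerable and hardened configurations with the Python standard library. The "secret" file is a constructed stand-in for a file the submitting user should not be able to read:

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects the character data the parser reports inside the document."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts)


def parse_untrusted_xml(xml_bytes, resolve_external_entities):
    """Parse XML with the stdlib SAX (expat) parser.

    External general entities (<!ENTITY x SYSTEM "...">) are resolved only
    when the caller opts in. Turning that on for attacker-supplied XML is the
    XXE bug: the parser itself opens whatever the DOCTYPE points at and splices
    the contents into the document as text."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text()


def run_demo():
    """Return (text seen by the vulnerable config, text seen by the safe config)."""
    # Constructed stand-in for a sensitive file on the server's filesystem.
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as f:
        f.write("db_password=hunter2\n")
        secret_path = f.name
    try:
        # Classic XXE payload: declare an external entity that points at a local
        # file, then reference it where the application expects a plain value.
        payload = (
            '<?xml version="1.0"?>\n'
            f'<!DOCTYPE request [ <!ENTITY xxe SYSTEM "{secret_path}"> ]>\n'
            '<request><filename>&xxe;</filename></request>\n'
        ).encode()
        leaked = parse_untrusted_xml(payload, resolve_external_entities=True)
        contained = parse_untrusted_xml(payload, resolve_external_entities=False)
    finally:
        os.unlink(secret_path)
    return leaked, contained


if __name__ == "__main__":
    leaked, contained = run_demo()
    print("vulnerable parser returned:", repr(leaked))
    print("hardened parser returned:  ", repr(contained))
```

The hardened call returns nothing for the entity reference because the parser never opens the file. The same fix applies to other stacks: disable external entity and DTD resolution in the parser (for lxml, `resolve_entities=False` on `XMLParser`; or use defusedxml, which wraps the stdlib parsers with these defaults), and treat any parser feature flag that defaults to "resolve" as part of your attack surface review.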


New Attacks Targeting FTP / MySQL / PostgreSQL via GoBruteforcer

Also known as GoBrut, GoBruteforcer is a Go-based botnet that uses compromised Linux servers to scan public IP ranges. The brute-force attack works because of weak passwords, common usernames, and a large attack surface.

https://www.bleepingcomputer.com/news/security/new-gobruteforcer-attack-wave-targets-crypto-blockchain-projects/

https://research.checkpoint.com/2026/inside-gobruteforcer-ai-generated-server-defaults-weak-passwords-and-crypto-focused-campaigns/
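Brute-force and password-spray traffic like this is noisy in the target's own logs, so it is cheap to detect. Below is an added Python example, not from the newsletter or the linked research, that runs a sliding-window failure count and a distinct-username count per source host over constructed sample lines written in the style of a MySQL error log (the lines are not a real capture; the same logic applies to FTP or PostgreSQL auth logs once their own line format is parsed):

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the style of a MySQL 8 error log (not a real capture).
# 203.0.113.10 sprays common usernames; 198.51.100.7 is a user mistyping a password.
SAMPLE_LOG = """\
2026-01-07T10:00:00.000001Z 0 [System] [MY-010931] [Server] /usr/sbin/mysqld: ready for connections.
2026-01-07T10:00:01.100000Z 21 [Note] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.10' (using password: YES)
2026-01-07T10:00:03.200000Z 22 [Note] [MY-010926] [Server] Access denied for user 'admin'@'203.0.113.10' (using password: YES)
2026-01-07T10:00:05.300000Z 23 [Note] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.10' (using password: YES)
2026-01-07T10:00:07.400000Z 24 [Note] [MY-010926] [Server] Access denied for user 'mysql'@'203.0.113.10' (using password: YES)
2026-01-07T10:00:09.500000Z 25 [Note] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.10' (using password: YES)
2026-01-07T10:00:11.600000Z 26 [Note] [MY-010926] [Server] Access denied for user 'test'@'203.0.113.10' (using password: YES)
2026-01-07T10:00:13.700000Z 27 [Note] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.10' (using password: YES)
2026-01-07T10:00:15.800000Z 28 [Note] [MY-010926] [Server] Access denied for user 'backup'@'203.0.113.10' (using password: YES)
2026-01-07T10:00:17.900000Z 29 [Note] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.10' (using password: YES)
2026-01-07T10:05:00.000000Z 30 [Note] [MY-010926] [Server] Access denied for user 'alice'@'198.51.100.7' (using password: YES)
2026-01-07T10:05:04.000000Z 31 [Note] [MY-010926] [Server] Access denied for user 'alice'@'198.51.100.7' (using password: YES)
"""

FAIL_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+\[Note\].*?Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']+)'"
)


def parse_failures(log_text):
    """Return (timestamp, source host, username) for each failed-login line."""
    events = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ")
            events.append((ts, m["host"], m["user"]))
    return events


def detect_bruteforce(events, window=timedelta(seconds=60),
                      fail_threshold=8, spray_threshold=4):
    """Per source host: peak number of failures inside any sliding window of
    `window` length, plus the number of distinct usernames tried. Either
    crossing its threshold raises an alert for that host."""
    by_host = defaultdict(list)
    for ts, host, user in events:
        by_host[host].append((ts, user))

    alerts = {}
    for host, evs in by_host.items():
        evs.sort()
        times = [ts for ts, _ in evs]
        peak, start = 0, 0
        for end in range(len(times)):
            # Advance the window start until the window fits.
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        distinct = len({user for _, user in evs})

        reasons = []
        if peak >= fail_threshold:
            reasons.append(f"{peak} failures within {int(window.total_seconds())}s")
        if distinct >= spray_threshold:
            reasons.append(f"{distinct} distinct usernames tried")
        if reasons:
            alerts[host] = {"peak_failures": peak, "distinct_users": distinct,
                            "reasons": reasons}
    return alerts


def run_example():
    return detect_bruteforce(parse_failures(SAMPLE_LOG))


if __name__ == "__main__":
    for host, info in run_example().items():
        print(host, "->", "; ".join(info["reasons"]))
```

The two thresholds catch different behaviour: the per-window count catches classic single-account hammering, while the distinct-username count catches low-and-slow spraying of `root`, `admin`, `mysql` and similar defaults that a rate threshold alone would miss. Pair the detection with the preventive fix the campaign depends on not having: strong unique passwords, no default usernames, and database and FTP services not listening on the public Internet.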


Lack of MFA + Infostealer Data = Data Breach

Infostealer logs are everywhere, and social engineering techniques like ClickFix make deploying infostealers easier than ever. If you don't have MFA, attackers simply log in with the stolen credentials and take your data. This is a perfect example. Verify your exposed systems and ensure MFA is enabled.

https://thecyberexpress.com/infostealers-and-lack-of-mfa-led-to-breaches/

https://www.infostealers.com/article/dozens-of-global-companies-hacked-via-cloud-credentials-from-infostealer-infections-more-at-risk/
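"Verify your exposed systems, ensure MFA is enabled" is a query you can run rather than a reminder to read. Below is an added Python example, not from the newsletter or the linked articles, that audits a constructed sample in the layout of an AWS IAM credential report for exactly the gap described above: console logins without MFA, plus long-lived access keys, since static keys are another credential class an infostealer can harvest and replay without ever meeting an MFA prompt. The report rows are fictional and the account ID is the AWS documentation placeholder:

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the layout of an AWS IAM credential report (CSV).
# Users are fictional; 111122223333 is the AWS documentation placeholder account ID.
REPORT_CSV = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2021-03-01T09:00:00+00:00,not_supported,2025-12-20T08:15:00+00:00,not_supported,not_supported,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2022-05-10T12:00:00+00:00,true,2026-01-09T10:00:00+00:00,2025-11-01T10:00:00+00:00,2026-02-01T10:00:00+00:00,true,true,2025-11-01T10:00:00+00:00,2026-01-09T10:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2023-07-15T12:00:00+00:00,true,2026-01-10T14:30:00+00:00,2024-01-15T12:00:00+00:00,N/A,false,true,2023-07-15T12:00:00+00:00,2025-06-01T00:00:00+00:00,eu-west-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2023-01-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2023-01-01T00:00:00+00:00,2026-01-11T03:00:00+00:00,us-east-1,ecr,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""


def _parse_ts(value):
    """Report timestamps are ISO 8601; N/A, not_supported and no_information mean 'none'."""
    if value in ("N/A", "not_supported", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now, max_key_age_days=90):
    """Return (user, issue) pairs for identities an infostealer victim's
    credentials would let an attacker use without a second factor."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        has_mfa = row["mfa_active"] == "true"

        # The root row reports password_enabled as not_supported; it always has
        # a console password, so MFA is the only thing to check.
        if user == "<root_account>":
            if not has_mfa:
                findings.append((user, "root account has no MFA"))
        elif row["password_enabled"] == "true" and not has_mfa:
            findings.append((user, "console password enabled without MFA"))

        # Active access keys are bearer credentials: no MFA prompt on use.
        for key in ("access_key_1", "access_key_2"):
            if row[f"{key}_active"] != "true":
                continue
            rotated = _parse_ts(row[f"{key}_last_rotated"])
            if rotated is None or (now - rotated).days > max_key_age_days:
                findings.append((user, f"{key} not rotated in {max_key_age_days} days"))
    return findings


def run_example():
    return audit_credential_report(REPORT_CSV, now=datetime(2026, 1, 12, tzinfo=timezone.utc))


if __name__ == "__main__":
    for user, issue in run_example():
        print(f"{user:16} {issue}")
```

Against a real account, pull the report with the IAM credential-report API (or the console) and feed the CSV to `audit_credential_report`; anything it returns is a login path a stolen password or key would open directly. The same review belongs on every Internet-facing system with its own identity store, not only the cloud provider.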


Hospitality Vertical Targeted with ClickFix Campaign

This one combines social engineering, such as a fake CAPTCHA and a simulated blue screen of death, with living-off-the-land techniques. The payload is DCRat, a remote access trojan that enables keylogging, process injection, and further malware deployment.

https://www.darkreading.com/cyberattacks-data-breaches/clickfix-campaign-fake-blue-screen-of-death

https://www.securonix.com/blog/analyzing-phaltblyx-how-fake-bsods-and-trusted-build-tools-are-used-to-construct-a-malware-infection/


ShinyHunters Threat Actors Tricked by Researchers

This continues last week's item in which researchers shared their deception operations. This week the researchers dig into some members of ShinyHunters and share details on each, along with intercepted message traffic.

https://www.resecurity.com/blog/article/cyber-counterintelligence-cci-when-shiny-objects-trick-shiny-hunters

