Cyber Threat Weekly – #113
The week of January 19th through January 25th, about 332 cyber news articles were reviewed. A light amount of cyber threat trends and adversarial behavior news to share. Been thinking about organizational changes and how difficult it is to get people to accept change.
In security we roll out new tools, new processes, password managers, and more. It’s difficult to get our information tech folks to adopt, let alone the whole company. Even if you minimize friction and make lives easier, change is hard. We can’t get folks to use strong passwords or multi-factor authentication and companies continue to suffer the consequences. What’s it going to take to perform good hygiene and minimize simple mistakes the adversary abuses time and time again?
Here we go, the attack on trust continues via SSO. Code repository supply chain attack stories. Account takeover, SharePoint, and business email compromise. Credential phishing leads to remote management tool install for persistence.
Telnet bug in Linux systems. New Fortinet SSO bug leading to firewall configuration changes. Researchers discover the VoidLink malware framework maybe AI generated. Researchers discover misconfigured cloud-based security training web applications.
Another attack on trust via LinkedIn.
Broken Record Alert: Don’t get pwned by N-day vulnerabilities!!!
Known exploited software flaws are one of the top 4 initial access vectors and have increased sharply in recent months. We continue to share n-day vulnerabilities being actively exploited. Priority #1, start with the CISA / VulnCheck known exploited vulnerability (KEV) catalogs. If it’s in the catalog, it should be patched.
A close #2 priority is flaws with weaponized proof-of-concept (PoC) code available; the chance of exploitation is higher when weaponized PoC code exists. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are actively exploited or have weaponized PoC code available.
VPN gateways from all vendors are under constant attack.
You should consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices and services exposed to the Internet.
CISA Known Exploited Vulnerabilities – January 19th to January 25th:
CVE-2026-20045 – Cisco Unified Communications Products Code Injection Vulnerability:
Could allow an attacker to obtain user-level access to the underlying operating system and then elevate privileges to root.
CVE-2025-68645 – Synacor Zimbra Collaboration Suite (ZCS) PHP Remote File Inclusion Vulnerability:
Could allow for remote attackers to craft requests to the /h/rest endpoint to influence internal request dispatching, allowing inclusion of arbitrary files from the WebRoot directory.
CVE-2025-34026 – Versa Concerto Improper Authentication Vulnerability:
Allows an attacker to access administrative endpoints. The internal Actuator endpoint can be leveraged for access to heap dumps and trace logs.
CVE-2025-31125 – Vite Vitejs Improper Access Control Vulnerability:
The bug exposes content of non-allowed files using ?inline&import or ?raw?import. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.
CVE-2025-54313 – Prettier eslint-config-prettier Embedded Malicious Code Vulnerability:
Installing an affected package executes an install.js file that launches the node-gyp.dll malware on Windows.
CVE-2024-37079 – Broadcom VMware vCenter Server Out-of-bounds Write Vulnerability:
Could allow a malicious actor with network access to vCenter Server to send specially crafted network packets, potentially leading to remote code execution.
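As an added example (not from the newsletter), here is a small Python policy script that applies the two priorities above to this week's CVE list: it reads a KEV feed in the layout of the CISA catalog (a constructed sample; the field names are assumed from the public feed), checks an inventory of affected assets, and assigns the 48-hour emergency deadline to anything in KEV or with weaponized PoC code. The asset names, dates and the weaponized-PoC set are hypothetical.

```python
import json
from datetime import date, timedelta
# Constructed sample in the layout of the CISA KEV JSON feed. Field names follow the public
# feed (an assumption); the dates and catalogVersion are made up for this example.
KEV_FEED = json.dumps({"catalogVersion": "constructed-sample", "vulnerabilities": [
    {"cveID": "CVE-2026-20045", "vendorProject": "Cisco", "product": "Unified Communications",
     "dateAdded": "2026-01-21", "dueDate": "2026-02-04", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-34026", "vendorProject": "Versa", "product": "Concerto",
     "dateAdded": "2026-01-22", "dueDate": "2026-02-05", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-37079", "vendorProject": "Broadcom", "product": "VMware vCenter Server",
     "dateAdded": "2026-01-23", "dueDate": "2026-02-13", "knownRansomwareCampaignUse": "Known"},
]})

EMERGENCY_WINDOW = timedelta(hours=48)   # the 24-to-48-hour emergency patch process
NORMAL_WINDOW = timedelta(days=30)       # hypothetical routine patch cycle

def load_kev(feed_text):
    """Index a KEV feed (JSON text) by CVE id."""
    return {v["cveID"]: v for v in json.loads(feed_text)["vulnerabilities"]}

def prioritize(inventory, kev, weaponized_poc, today):
    """Rank the CVEs that affect assets in our inventory: {cve_id: asset_name}.
    weaponized_poc is the set of CVE ids with a weaponized public PoC (a hypothetical
    list kept from vendor advisories). Returns rows sorted by priority, with the
    deadline this policy sets for each one."""
    rows = []
    for cve, asset in inventory.items():
        if cve in kev:                       # priority 1: in the KEV catalog
            ransom = kev[cve]["knownRansomwareCampaignUse"] == "Known"
            reason = "in CISA KEV" + (" (known ransomware use)" if ransom else "")
            priority, deadline = 1, today + EMERGENCY_WINDOW
        elif cve in weaponized_poc:          # priority 2: weaponized PoC available
            priority, reason, deadline = 2, "weaponized PoC available", today + EMERGENCY_WINDOW
        else:                                # everything else rides the normal cycle
            priority, reason, deadline = 3, "normal patch cycle", today + NORMAL_WINDOW
        rows.append({"cve": cve, "asset": asset, "priority": priority,
                     "reason": reason, "deadline": deadline})
    rows.sort(key=lambda r: (r["priority"], r["cve"]))
    return rows

def example_rows(today_iso="2026-01-25"):
    """Run the policy over a constructed inventory of this week's CVEs (asset names are made up)."""
    inventory = {"CVE-2026-20045": "cucm-01", "CVE-2025-31125": "vite-dev-box",
                 "CVE-2025-68645": "zimbra-01", "CVE-2024-37079": "vcenter-01"}
    return prioritize(inventory, load_kev(KEV_FEED), {"CVE-2025-68645"}, date.fromisoformat(today_iso))

if __name__ == "__main__":
    for row in example_rows():
        print(f"P{row['priority']} {row['cve']:<15} {row['asset']:<13} by {row['deadline']}  {row['reason']}")
```

Swap `KEV_FEED` for the real catalog download and the inventory for your asset database and the same ranking applies.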
ShinyHunters Claims SSO Attacks at Okta, Google, and Microsoft
The attack on trust continues: threat actors impersonate IT support personnel, call employees, and trick them into entering credentials, including multi-factor authentication codes. This is done through phishing platforms that let the caller manipulate what the victim sees in real time and lead the conversation. Phishing-resistant multi-factor and passwordless authentication will be the best mitigation.
https://www.okta.com/blog/threat-intelligence/phishing-kits-adapt-to-the-script-of-callers/
Combining Code Repository Stories
Since there are so many code repository attacks, this is a combo thread. First up, the Visual Studio Code Marketplace. Next, a PyPI package impersonating SymPy that deploys the XMRig miner.
https://thehackernews.com/2026/01/malicious-pypi-package-impersonates.html
https://socket.dev/blog/pypi-package-impersonates-sympy-to-deliver-cryptomining-malware
Multi-Stage Attack Abuses SharePoint Leading to Business Email Compromise
The abuse of trust continues: account takeover powers an adversary-in-the-middle campaign that uses a SharePoint URL to direct the victim to an attacker-controlled landing page prompting for credentials. From there the business email compromise begins and the cycle continues.
https://www.securityweek.com/phishers-abuse-sharepoint-in-new-campaign-targeting-energy-sector/
Phishing + Stolen Credentials = Remote Management Tool Install
The credential harvesting in this campaign led to a remote monitoring and management (RMM) tool install, which was the real goal. Once the RMM is delivered, full system compromise is obtained. Allow-listing is a strong deterrent to this type of attack. Monitoring for abnormal tools can help with detection; an accurate inventory is crucial.
https://thehackernews.com/2026/01/phishing-attack-uses-stolen-credentials.html
Newly Discovered 11-Year-Old Telnet Bug Affecting Linux Systems
Why does this matter, since Telnet should have been replaced by now? Many IoT and embedded systems have shipped with Telnet exposed, and older, no-longer-supported systems may still have it exposed. This can lead to easy exploitation, and botnets can abuse this bug too.
https://seclists.org/oss-sec/2026/q1/89
Fortinet FortiGate Devices Malicious Config Changes Observed
Researchers observe malicious changes to Fortinet firewalls via SSO accounts. This activity appears to be automated. The changes include creating generic accounts, config changes granting VPN access, and exfil of firewall configurations.
https://www.darkreading.com/cloud-security/fortinet-firewalls-malicious-configuration-changes
Operational Security Failures Lead to VoidLink AI Origins
Researchers find what appears to be proof that AI was used to plan, build, and iterate the framework. The initial directive appears to be to design it around a thin skeleton and produce an execution plan. Other documents include schedules, features, coding guidelines, and other evidence.
https://www.darkreading.com/threat-intelligence/voidlink-linux-malware-ai
https://research.checkpoint.com/2026/voidlink-early-ai-generated-malware-framework/
Cloud-Based Over-privileged Vulnerable Security Testing Applications
Researchers discover 1,926 live and exposed vulnerable applications designed for security training. Many of the applications did not follow ‘least privilege’ and allowed for lateral movement. There is clear evidence attackers were actively exploiting these systems. We have got to get better at hygiene.
https://pentera.io/blog/exposed-cloud-training-apps-pentera-labs/
Researchers Discover LinkedIn Private Message Campaign
The business based social media platform was used to deliver weaponized files that abuse DLL side-loading with a legitimate open-source Python pen testing script to deploy malware. The phishing message contains a link to download a malicious WinRAR archive.
https://www.infosecurity-magazine.com/news/linkedin-phishing-campaign-targets/
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter