Cyber Threat Weekly – #114
The week of January 26th through February 1st, about 369 cyber news articles were reviewed. A light-ish amount of cyber threat trends and adversarial behavior news to share. Been thinking about foundational security vs chasing tech.
Seems like we are constantly looking for new tech to solve our problems. Have we forgotten people and process? What about principle-based architecture? New tech won’t dig us out of the huge hole we have dug. Simplicity will carry us a long way, and minimal to no friction helps with usage. We need new technology, but it’s not the whole answer.
Let’s start with a large-scale fake cloud storage renewal scam. Researchers observe expansion in vishing activity. Open-source AI agent OpenClaw usage growing like crazy. Researchers share Q4 2025 incident response trends.
Stealthy Linux post-exploitation framework. Legit infrastructure abused in malware deployment. The FBI releases Operation Winter SHIELD. Widespread LLM hijacking operation. Identity Theft Resource Center (ITRC) 2025 data breach report.
New-ish Sicarii ransomware is broken. State of the Scamiverse report.
Broken Record Alert: Don’t get pwned by N-day vulnerabilities!!!
Known exploited software flaws are one of the top 4 initial access vectors and have increased sharply in recent months. We continue to share n-day vulnerabilities being actively exploited. Priority #1, start with the CISA / VulnCheck known exploited vulnerability (KEV) catalogs. If it’s in the catalog, it should be patched.
A close #2 priority is flaws with weaponized proof of concept (PoC) code available. Exploit chances are higher when weaponized PoC code is available. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are actively exploited or have weaponized PoC code available.
VPN gateways from all vendors are under constant attack.
You should consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices and services exposed to the Internet.
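As an added example (not part of the newsletter), the two-tier triage described above in code: KEV entries first, weaponized-PoC flaws second, Internet-exposed assets first within each tier. The KEV sample is constructed in the shape of the CISA JSON feed, and the PoC set, the exposure flags, and the 24h/48h split of the emergency window are assumptions.

```python
"""Triage an inventory of CVEs: KEV = P1, weaponized PoC = P2, rest = P3."""
import json

# Constructed sample shaped like the CISA KEV feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Only cveID is consulted; vendor/product are carried for reporting.
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-1281", "vendorProject": "Ivanti", "product": "EPMM"},
    {"cveID": "CVE-2026-24858", "vendorProject": "Fortinet", "product": "Multiple Products"},
    {"cveID": "CVE-2025-52691", "vendorProject": "SmarterTools", "product": "SmarterMail"},
]})

# Assumption: CVEs with weaponized PoC code, as fed by your own intel source.
WEAPONIZED_POC = {"CVE-2026-24061", "CVE-2026-1281"}

# Assumption: one way to map the 24-to-48-hour emergency window onto the tiers.
# P3 has no emergency SLA and follows the normal patch cycle.
SLA_HOURS = {1: 24, 2: 48, 3: None}


def load_kev_ids(feed_json):
    """Extract the set of CVE IDs from a KEV-shaped JSON document."""
    return {v["cveID"] for v in json.loads(feed_json)["vulnerabilities"]}


def triage(inventory, kev_ids, poc_ids):
    """inventory: iterable of (cve_id, internet_exposed).

    Returns rows (cve_id, priority, internet_exposed, sla_hours) ordered so
    that P1 comes first and, within a tier, Internet-exposed assets lead.
    """
    rows = []
    for cve, exposed in inventory:
        if cve in kev_ids:          # actively exploited per the KEV catalog
            prio = 1
        elif cve in poc_ids:        # weaponized PoC public, exploitation likely
            prio = 2
        else:
            prio = 3
        rows.append((cve, prio, exposed, SLA_HOURS[prio]))
    return sorted(rows, key=lambda r: (r[1], not r[2], r[0]))


if __name__ == "__main__":
    # Constructed inventory; CVE-2024-0001 is a placeholder, not a real flaw.
    sample = [("CVE-2024-0001", False), ("CVE-2026-24061", True),
              ("CVE-2026-1281", True), ("CVE-2025-52691", False)]
    for row in triage(sample, load_kev_ids(KEV_FEED), WEAPONIZED_POC):
        print(row)
```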
CISA Known Exploited Vulnerabilities – January 26th to February 1st:
CVE-2018-14634 – Linux Kernel Integer Overflow Vulnerability:
Could allow an unprivileged local user with access to a SUID (or otherwise privileged) binary to escalate their privileges on the system.
CVE-2025-52691 – SmarterTools SmarterMail Unrestricted Upload of File with Dangerous Type Vulnerability:
Could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, potentially enabling remote code execution.
CVE-2026-23760 – SmarterTools SmarterMail Authentication Bypass Using an Alternate Path or Channel Vulnerability:
Could allow an unauthenticated attacker to supply a target administrator username and a new password to reset the account, resulting in full administrative compromise of the SmarterMail instance.
CVE-2026-24061 – GNU InetUtils Argument Injection Vulnerability:
Could allow for remote authentication bypass via a "-f root" value for the USER environment variable.
CVE-2026-21509 – Microsoft Office Security Feature Bypass Vulnerability:
Could allow an unauthorized attacker to bypass a security feature locally. Some of the impacted product(s) could be end-of-life (EoL) and/or end-of-service (EoS). Users are advised to discontinue use and/or transition to a supported version.
CVE-2026-24858 – Fortinet Multiple Products Authentication Bypass Using an Alternate Path or Channel Vulnerability:
Could allow an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts, if FortiCloud SSO authentication is enabled on those devices. Affects Fortinet FortiAnalyzer, FortiManager, FortiOS, and FortiProxy.
CVE-2026-1281 – Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability:
Could allow attackers to achieve unauthenticated remote code execution.
Large-Scale Fake Cloud Storage Renewal Scam
Attackers are at it again with a widespread phishing campaign. It has the classic signs of a scam, including urgency and originating from garbage domains. The scammers hosted a redirector on legit infrastructure: storage.googleapis.com.
An Expansion of Vishing Activity Observed
Mandiant is tracking an advanced voice phishing and credential harvesting campaign. Attackers impersonate IT staff and direct victims to attacker-controlled infrastructure. Credentials and MFA auth codes are the target. Once credentials are obtained, the attackers register their own devices for MFA, move laterally across the network, and exfiltrate data.
https://thehackernews.com/2026/01/mandiant-finds-shinyhunters-using.html
https://cloud.google.com/blog/topics/threat-intelligence/expansion-shinyhunters-saas-data-theft/
Adoption Rate of Open-Source AI Agent OpenClaw Raising Concerns
Growth of 14x over a week, with many employees now using OpenClaw at work, makes this fast-growing shadow AI a real concern. In addition, OpenClaw is vibe coded most of the time with a swarm of AI agents. Even the handful of maintainers and 350 contributors are encouraged to submit vibe-coded pull requests.
https://www.darkreading.com/application-security/openclaw-ai-runs-wild-business-environments
https://www.token.security/blog/the-clawdbot-enterprise-ai-risk-one-in-five-have-it-installed
https://www.ox.security/blog/one-step-away-from-a-massive-data-breach-what-we-found-inside-moltbot/
Incident Response Trends Q4 2025
Cisco Talos shares some trends observed in the quarter. Exploiting public-facing applications, phishing, and valid accounts made up the top three initial access vectors. Top security weaknesses included vulnerable / exposed infrastructure, MFA weaknesses, and insufficient logging. They also shared observed MITRE ATT&CK techniques.
https://www.cybersecuritydive.com/news/cisco-threat-report-exploitation-phishing/810977/
https://blog.talosintelligence.com/ir-trends-q4-2025/
Linux Post-Exploitation Framework – ShadowHS
Stealthy with in-memory payload, this beast is modular and designed to stay on target for the long haul. Multiple dormant modules allow the operator to dynamically shift the campaign. The in-memory payload is a modified version of hackshell.
https://cyble.com/blog/shadowhs-fileless-linux-post-exploitation-framework/
Android Malware Variants Deployed Through Hugging Face
An example of legit infrastructure abused to deliver Android malware. This one is for tracking purposes; legit infrastructure has been abused for years. What’s interesting about this one is the use of server-side polymorphism to generate new payloads. Let’s hope we don’t see more use of server-side polymorphism.
https://www.bitdefender.com/en-us/blog/labs/android-trojan-campaign-hugging-face-hosting-rat-payload
Operation Winter SHIELD – FBI
The FBI shares 10 actions that should be implemented to reduce cyber risk. This is a cyber resilience campaign.
https://www.infosecurity-magazine.com/news/fbi-operation-winter-shield-cyber/
https://www.fbi.gov/investigate/cyber/wintershield
LLM and MCP Endpoints Targeted at Scale
There is now a marketplace offering access to over 30 LLMs. The attackers target self-hosted endpoints that have no friction. The goals are to steal compute resources, resell API access, exfiltrate data, and move laterally.
https://www.securityweek.com/llms-hijacked-monetized-in-operation-bizarre-bazaar/
https://www.pillar.security/resources/operation-bizarre-bazaar
Identity Theft Resource Center (ITRC) 2025 Data Breach Report
There is a ton to unpack in this report including 1yr and 5yr trends, top attack vectors, consumer attitudes on breach notices, recommendations, and more. The trends are interesting.
https://www.infosecurity-magazine.com/news/us-data-breaches-record-high/
https://www.idtheftcenter.org/wp-content/uploads/2026/01/2025-ITRC-Annual-Data-Breach-Report.pdf
Decryption Process Broken with Sicarii Ransomware
You should never feed the ransomware monster, but that doesn’t mean that circumstances won’t lead to it. Unless otherwise proven, the encryption process of new kid on the block Sicarii ransomware is broken: the private key is discarded, leading to permanent encryption.
https://www.darkreading.com/endpoint-security/vibe-coded-sicarii-ransomware-decrypted
https://www.halcyon.ai/ransomware-alerts/alert-sicarii-ransomware-encryption-key-handling-defect
State of the Scamiverse 2026
AI is changing the game, AI slop is everywhere, scams are getting harder to spot. A survey of 7,500 consumers sheds some light on the velocity of scams today, and it’s only going to get worse.
https://www.mcafee.com/blogs/wp-content/uploads/2026/01/Scamiverse.pdf
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter