January 18, 2026

Cyber OSINT Overview, Jan 12 - Jan 18, 2026

This brief consolidates key updates from 80+ sources, including government organizations, cybersecurity vendors, threat intelligence teams, security research labs, and blogs from cybersecurity communities and professionals. It highlights the most significant threats, vulnerabilities, and developments from the past week to keep you informed.

Most Discussed Topics

  • Microsoft’s January 2026 Patch Tuesday addressed 112-114 vulnerabilities, notably including CVE-2026-20805, a Desktop Window Manager (DWM) information disclosure flaw actively exploited in the wild. Other critical patches covered Remote Code Execution (RCE) bugs in Microsoft Office and the removal of legacy third-party modem drivers like agrsm64.sys and agrsm.sys due to security risks. Organizations are urged to prioritize these updates to mitigate risks of privilege escalation and credential compromise.
  • Multiple high-severity vulnerabilities in Fortinet products are being actively discussed and targeted, specifically CVE-2025-64155 impacting FortiSIEM. This command injection flaw allows unauthenticated remote attackers to execute arbitrary code with root privileges on Super and Worker nodes. Additionally, CVE-2025-25249 was disclosed as an RCE vulnerability in the CAPWAP Wireless Aggregate Controller Daemon affecting FortiOS and FortiSwitchManager.
  • The security and ethics of generative AI and AI agents have come under intense scrutiny, particularly regarding X’s Grok. Lawmakers and regulators are investigating the platform for its ‘spicy mode’ allowing the creation of nonconsensual sexualized imagery of women and minors. Furthermore, security researchers are identifying critical vulnerabilities in AI agent frameworks like n8n, ServiceNow, and Google Vertex AI, highlighting the emerging attack surface of ‘Agentic AI’.

Critical Vulnerabilities

  • CVE-2025-64155 is a critical OS command injection vulnerability in Fortinet FortiSIEM (CVSS 9.8) that allows unauthenticated root access via crafted TCP requests. Proof-of-concept exploit code has been released, and active exploitation has been observed on honeypot infrastructure. Administrators must upgrade affected instances to versions 7.4.1, 7.3.5, or 7.2.7 or higher immediately.
  • n8n workflow automation software is affected by several high-severity flaws, including CVE-2026-21858 (CVSS 10.0), a Content-Type confusion vulnerability enabling unauthenticated RCE. Attackers can chain this with CVE-2025-68613 to extract sensitive secrets and achieve complete server takeover. Users are advised to upgrade to n8n version 1.121.0 or later.
  • CVE-2025-14847, known as ‘MongoBleed,’ is a critical unauthenticated memory disclosure vulnerability in MongoDB Server (CVSS 8.7). By exploiting a trust issue in zlib-compressed network messages, attackers can leak sensitive heap memory containing credentials and PII. CISA has added this flaw to the KEV Catalog following confirmed active exploitation in the wild.
  • A maximum-severity zero-day vulnerability (CVE-2025-20393, CVSS 10.0) was patched in Cisco Secure Email Gateway and Email and Web Manager appliances. The flaw in the Spam Quarantine feature allows unauthenticated root command execution via crafted HTTP requests. It was actively exploited by China-nexus threat actor UAT-9686 since November 2025 to deploy the ‘AquaShell’ backdoor.
  • Modular DS WordPress plugin versions 2.5.1 and earlier are vulnerable to critical privilege escalation (CVE-2026-23550, CVSS 10.0). Attackers can bypass authentication to automatically log in as an administrator by exploiting flawed ‘direct request’ routing. Active exploitation began in mid-January 2026, aimed at taking over sites and creating unauthorized admin users.
  • ServiceNow addressed CVE-2025-12420, a critical privilege escalation vulnerability in its Now Assist AI Platform. The flaw resided in the Now Assist AI Agents and Virtual Agent API, potentially allowing attackers to gain unauthorized access levels. Organizations using AI Agent versions prior to 5.1.18 or 5.2.19 are encouraged to apply security updates immediately.
  • Siemens released multiple advisories for Industrial Edge Devices, SCALANCE, SIMATIC, and SIPLUS products. Notable vulnerabilities include CVE-2025-40805, an authorization bypass allowing unauthenticated impersonation, and CVE-2025-40944, a denial-of-service vulnerability triggered by malformed S7 protocol disconnect requests. Users should restrict network access and apply the latest firmware updates.

Major Incidents

  • The Canadian Investment Regulatory Organization (CIRO) confirmed a major data breach impacting 750,000 investors following an August 2025 phishing attack. The investigation revealed that sensitive data including social insurance numbers, government IDs, and account statements were copied. While there is no current evidence of data misuse on the dark web, CIRO is providing two years of credit monitoring to victims.
  • Kyowon Group, a major South Korean conglomerate, suffered a ransomware attack that potentially compromised 9.6 million user accounts. The incident forced 600 of the company’s 800 servers offline and impacted numerous subsidiaries, including educational and travel services. The breach reportedly originated from an internet-exposed external server used to gain initial network access.
  • Poland prevented a nationwide power blackout in late December following a severe cyberattack attributed to Russian sabotage. The attack targeted energy infrastructure during extreme winter weather to maximize destabilization. Polish officials stated they were ‘very close’ to a total outage before successfully stabilizing the network.
  • Central Maine Healthcare reported a breach affecting over 145,000 patients after unauthorized access occurred between March and June 2025. Exposed data included names, birth dates, treatment information, and social security numbers. The nonprofit healthcare provider has since implemented enhanced monitoring software to protect its IT environment.
  • The Anchorage Police Department (APD) took several servers offline as a precaution after its technology service provider, Whitebox Technologies, reported a cybersecurity incident. APD stated there is currently no evidence of compromised departmental data. The incident reflects the growing risk to local government agencies from third-party supply chain vulnerabilities.

Emerging Threats

  • UAT-8837, a China-nexus threat actor, is conducting targeted campaigns against critical infrastructure in North America. The group uses compromised credentials and exploited zero-days, such as CVE-2025-53690 in Sitecore, to gain initial access. Their toolkit includes Earthworm for SOCKS tunneling and GoTokenTheft for hijacking process access tokens.
  • A cloud-native Linux malware framework named ‘VoidLink’ has been identified, originating from Chinese-affiliated developers. The modular framework features rootkit capabilities using LD_PRELOAD and eBPF, designed specifically for long-term access in Kubernetes and Docker environments. It can tailor its behavior based on detected security tools to maintain operational security.
  • Researchers demonstrated ‘WhisperPair’, a series of Bluetooth attacks that hijack audio accessories using the Google Fast Pair protocol. Affected brands include Sony, Google, and JBL. Attackers can trigger pairing even while devices are in use, allowing for location tracking via the Find Hub network or microphone eavesdropping without user interaction.
  • PyStoreRAT is a new supply chain threat targeting developers by using weaponized GitHub repositories disguised as legitimate tools. The campaign uses lightweight Python/JS loader stubs and fileless HTA execution to deploy a modular RAT. It targets developer workflows, aiming to steal credentials and launch follow-on payloads like Rhadamanthys.
  • A malicious campaign using trojanized ‘RustDesk’ installers has been observed deploying the Winos4.0 backdoor. The installer at the fake domain rustdesk[.]work installs a functional version of the remote access software while quietly staging a hidden loader in memory. This technique evades traditional antivirus by hiding the primary malicious framework entirely within RAM.

Regulatory and Policy Updates

  • The U.S. Senate unanimously passed the DEFIANCE Act, establishing federal civil liability for those who knowingly produce or distribute nonconsensual sexually explicit deepfakes. This legislative move aims to empower victims of AI-generated intimate imagery. The bill now proceeds to the House for final approval.
  • CISA and the UK National Cyber Security Centre (NCSC-UK) released ‘Secure Connectivity Principles for Operational Technology (OT)’. This guidance provides eight principles to help asset owners design and manage secure connectivity for critical OT environments. The framework aims to help operators of essential services address increasing business pressure for remote access to OT networks.
  • The Department of Homeland Security is finalizing ‘ANCHOR’ (Alliance of National Councils for Homeland Operational Resilience) to replace the disbanded Critical Infrastructure Partnership Advisory Council (CIPAC). ANCHOR will serve as a communication hub for government and industry to plan infrastructure security. Key remaining issues under review include liability protections for ‘one-to-many’ information sharing engagements.
  • The NSA published new Zero Trust Implementation Guidelines, including a Primer and Discovery Phase document. These resources offer federal and private-sector entities practical steps for building zero-trust architectures. The guidance focuses on visibility into asset and user inventory as a foundational requirement.

Security Operations

  • Mandiant released a comprehensive dataset of Net-NTLMv1 rainbow tables to accelerate the deprecation of the insecure legacy protocol. The dataset allows security professionals to recover authentication keys in under 12 hours using consumer hardware. The release aims to demonstrate the practical ease of credential theft via NTLMv1 to encourage organizations to disable it and migrate to stronger protocols.
  • AuraInspector is a new open-source tool released by Mandiant for identifying access control misconfigurations in the Salesforce Aura framework. The tool automates the detection of gaps that allow unauthorized access to sensitive data, such as PII and health information. It specifically checks for exposures involving the ‘getConfigData’ method and undocumented GraphQL bypasses.
  • Let’s Encrypt reached General Availability for its 6-day IP-based and short-lived TLS certificates. These certificates last only 160 hours, significantly reducing the exposure window if private keys are compromised. They are designed for automated environments via ACME and close security gaps in hybrid networks where domain-based validation is not feasible.
  • ConfigManBearPig is a new BloodHound OpenGraph collector designed to map attack paths in Microsoft Configuration Manager (SCCM). The PowerShell-based tool identifies over 30 unique attack techniques, including hierarchy takeover and privilege escalation. It allows defenders to visualize SCCM misconfigurations from an unprivileged domain context.
  • Pacific Northwest National Labs developed ‘ALOHA’, an AI-driven cybersecurity system that can reconstruct and test attacks in hours instead of weeks. The tool automates the recreation of complex attack patterns against organizational infrastructure to identify defensive gaps. This highlights the growing role of AI in red teaming and adversarial simulation at scale.

Wins

  • Microsoft, working with international law enforcement, seized the infrastructure of RedVDS, a major cybercrime marketplace that sold disposable virtual machines for launching attacks. The service was responsible for at least $40 million in fraud losses and enabled over 191,000 Microsoft email account compromises. The operation shut down domains in the US, UK, and Germany, disrupting multiple active cybercrime groups.
  • German and Ukrainian authorities identified Oleg Nefedov as the leader of the Black Basta ransomware gang and placed him on the Interpol ‘Red Notice’ list. Police conducted raids in Ukraine, arresting two ‘hash crackers’ suspected of facilitating initial access and ransomware deployment. Black Basta is linked to over 500 global victims and hundreds of millions in damages.
  • Feras Albashiti, a Jordanian national operating under the handle ‘r1z’, pleaded guilty to selling access to over 50 corporate networks and EDR-killing malware. An undercover FBI operation traced his IP address to a 2023 ransomware attack that caused $50 million in damage. He faces up to 10 years in prison for trafficking unauthorized access credentials and malware.
  • Dutch police arrested the alleged 33-year-old operator of AVCheck, a malware testing platform used by criminals to verify if their code could bypass antivirus signatures. The arrest at Schiphol Airport followed the seizure of AVCheck servers in 2025. This success is part of Operation Endgame, which continues to target the enabling services behind malware like Lumma Stealer and Rhadamanthys.
  • A critical supply chain vulnerability in AWS CodeBuild, named ‘CodeBreach,’ was remediated within 48 hours of discovery. The flaw could have allowed attackers to take over the AWS Console by exploiting an improperly anchored Regex in the JavaScript SDK. The swift response by Amazon prevented potential infrastructure-wide compromises comparable to the SolarWinds breach.

Disclaimer

The summaries in this brief are generated autonomously by an LLM based on provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.

The brief is created in collaboration with BlackStork and is based on a free template.

Reach out if you have questions or suggestions.