Daily Brief

Articles are listed below, each followed by a generated summary

Total articles found: 12591

Checks for new stories every ~15 minutes

2026-01-23 16:41:45 bleepingcomputer CYBERCRIME Venezuelan Nationals to be Deported for ATM Jackpotting Scheme
Two Venezuelan nationals, Luz Granados and Johan Gonzalez-Jimenez, are set for deportation after serving sentences for ATM jackpotting crimes in the southeastern United States. The duo installed malware on older ATM models, forcing machines to dispense all available cash, resulting in significant financial losses for banks. Their criminal activities targeted banks in South Carolina, Georgia, North Carolina, and Virginia, with total restitution ordered at over $400,000. The Justice Department's investigation extended to Nebraska, leading to indictments against 54 individuals involved in a broader ATM jackpotting conspiracy. The scheme involved deploying a Ploutus malware variant, utilizing methods like replacing ATM hard drives or using infected external devices. Jimena Romina Araya Navarro, an entertainer linked to the Tren de Aragua gang, is among those indicted, highlighting the organized nature of these operations. The Department of the Treasury has sanctioned Navarro, reflecting the U.S. government's commitment to addressing transnational cybercrime. This case underscores the need for enhanced security measures in ATM technology to prevent similar attacks in the future.
2026-01-23 16:27:25 bleepingcomputer VULNERABILITIES Critical Telnetd Vulnerability Exploited for Root Access in GNU InetUtils
A critical vulnerability, CVE-2026-24061, in GNU InetUtils telnetd has been actively exploited, allowing attackers to bypass authentication and gain root access. The flaw, present since 2015, involves unsanitized handling of the USER environment variable, affecting versions 1.9.3 through 2.7, with a patch available in version 2.8. Exploitation involves setting the USER variable to -f root, enabling attackers to connect via telnet -a and obtain unauthorized access. GNU InetUtils, while largely replaced by SSH, remains in use in industrial sectors and legacy systems due to its simplicity and low overhead. Threat monitoring firm GreyNoise detected exploitation attempts from 18 unique IPs, indicating both automated and manual attack efforts targeting vulnerable systems. Mitigation strategies include upgrading to the patched version, disabling telnetd, or blocking TCP port 23 to prevent unauthorized access. While current exploitation is limited, organizations are advised to patch or harden affected systems now, before exploitation activity becomes more widespread.
2026-01-23 15:24:27 thehackernews VULNERABILITIES CISA Adds Four Actively Exploited Vulnerabilities to KEV Catalog
The Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities catalog with four new security flaws, signaling active exploitation in the wild. Among the vulnerabilities, CVE-2025-54313 is linked to a supply chain attack involving eslint-config-prettier and several npm packages, discovered in July 2025. Attackers used phishing tactics to compromise package maintainers' credentials, enabling the release of trojanized versions of npm packages. CVE-2025-68645 has been actively targeted since January 14, 2026, though specific exploitation details for other vulnerabilities remain undisclosed. Federal Civilian Executive Branch agencies must implement necessary security patches by February 12, 2026, as mandated by Binding Operational Directive 22-01. The directive aims to fortify federal networks against these active threats, emphasizing the importance of timely vulnerability management. Organizations are encouraged to monitor the KEV catalog for updates and ensure prompt application of security measures to mitigate risks.
2026-01-23 15:02:57 bleepingcomputer VULNERABILITIES AI-Generated Code in Honeypots Reveals Security Risks
Intruder's deployment of AI-generated code in honeypots exposed a vulnerability, demonstrating potential security risks when relying on AI for coding tasks. The vulnerability involved AI logic that mishandled client-supplied IP headers, allowing potential IP spoofing and payload injection by site visitors. Static analysis tools like Semgrep OSS and Gosec failed to detect the flaw, highlighting limitations in current automated security testing methods. The incident underscores the need for rigorous human oversight in AI-assisted coding, as AI lacks contextual understanding and safety margins found in other automated systems. AI-generated code also led to vulnerabilities in AWS IAM roles, requiring multiple iterations to achieve a secure configuration, emphasizing the need for experienced human intervention. Organizations are advised to revisit code review processes and CI/CD detection capabilities to prevent AI-introduced vulnerabilities from slipping through. As AI tools become more prevalent, the frequency of such vulnerabilities is expected to rise, posing challenges for organizations in maintaining secure software environments.
2026-01-23 12:54:28 bleepingcomputer VULNERABILITIES Pwn2Own 2026 Exposes 76 Zero-Day Flaws in Automotive Systems
Pwn2Own Automotive 2026 concluded with researchers earning $1,047,000 for exploiting 76 zero-day vulnerabilities in automotive technologies, highlighting the persistent security challenges in this sector. The competition, held in Tokyo, targeted fully patched in-vehicle infotainment systems, EV chargers, and car operating systems, emphasizing the need for robust security measures in modern vehicles. Team Fuzzware.io emerged victorious, securing $215,000 by hacking various charging stations and navigation receivers, demonstrating the team's advanced vulnerability exploitation skills. Vendors have a 90-day window to develop and release security patches for the zero-days discovered, ensuring timely remediation to protect automotive systems from potential threats. The event showcased the evolving threat landscape in automotive cybersecurity, with past competitions also revealing numerous vulnerabilities, underscoring the importance of continuous security assessments. The competition's outcomes stress the critical need for automotive manufacturers to prioritize cybersecurity investments and proactive vulnerability management to safeguard consumer safety and data integrity.
2026-01-23 12:46:53 theregister VULNERABILITIES Fortinet SSO Flaw Remains Exploitable Despite December Patch
Fortinet has acknowledged that attackers are bypassing a December patch for a critical FortiCloud SSO authentication flaw, affecting devices previously considered secure. Reports indicate attackers have been altering firewall settings, creating backdoor admin users, and exfiltrating configuration files through compromised SSO accounts. The attack campaign began around January 15, with automated processes enabling rapid VPN account creation and configuration file extraction. Fortinet's Chief Information Security Officer confirmed that a new attack path has been identified, affecting even fully updated systems. The vulnerability is not limited to FortiCloud SSO; it potentially impacts all SAML SSO implementations, raising broader security concerns. Fortinet is working on a new fix and advises customers to monitor authentication logs, restrict management interface exposure, and track administrator account changes. Organizations using Fortinet products should remain vigilant and prepare for further advisories as the company develops a comprehensive solution.
2026-01-23 12:33:29 thehackernews VULNERABILITIES Fortinet Identifies Active Exploitation of FortiCloud SSO Bypass Vulnerability
Fortinet confirms a new attack path exploiting the FortiCloud SSO bypass vulnerability on fully-patched FortiGate firewalls, affecting devices upgraded to the latest release. The vulnerability, related to CVE-2025-59718 and CVE-2025-59719, allows unauthorized bypass of SSO login authentication through crafted SAML messages if FortiCloud SSO is enabled. Recent malicious activity includes unauthorized logins to admin accounts, creation of generic accounts, and exfiltration of firewall configurations to external IP addresses. The threat actor utilizes accounts named "cloud-noc@mail.io" and "cloud-init@mail.io" to maintain persistence and make unauthorized configuration changes. Fortinet advises immediate mitigation steps, emphasizing the vulnerability's applicability to all SAML SSO implementations, not just FortiCloud SSO. The company is actively working to address the vulnerability and prevent further exploitation, highlighting the need for continuous monitoring and patch management. Organizations using FortiGate appliances should review security configurations and ensure compliance with Fortinet's recommended security practices to mitigate risks.
2026-01-23 11:31:46 thehackernews MISCELLANEOUS TikTok Forms U.S. Joint Venture to Address National Security Concerns
TikTok announced the formation of TikTok USDS Joint Venture LLC to comply with a 2025 U.S. Executive Order, enabling continued operations in the U.S. under majority-American ownership. ByteDance, TikTok's Chinese parent company, will retain a 19.9% stake, while the majority will be held by American investors, addressing national security concerns. The joint venture will implement comprehensive data protections, algorithm security, and content moderation to safeguard U.S. users, utilizing Oracle's secure U.S. cloud infrastructure. A robust cybersecurity program will adhere to industry standards, including NIST CSF and ISO 27001, with third-party audits ensuring compliance and accountability. The initiative extends to other apps like CapCut and Lemon8, impacting over 200 million American users and 7.5 million businesses. This development follows a temporary ban and legislative actions mandating American ownership to mitigate risks of data access by the Chinese government. The joint venture aims to enhance trust through transparency reporting and third-party certifications, reinforcing its commitment to U.S. national security.
2026-01-23 11:23:18 thehackernews CYBERCRIME Phishing Campaign Exploits RMM Software for Persistent System Access
Cybersecurity researchers exposed a dual-vector phishing campaign leveraging stolen credentials to deploy Remote Monitoring and Management (RMM) software for persistent remote access to compromised systems. Attackers bypass traditional security measures by using legitimate IT tools, turning them into backdoors, rather than deploying custom malware. The attack begins with fake emails disguised as invitations from Greenvelope, tricking users into providing credentials for platforms like Microsoft Outlook and Yahoo!. Stolen credentials are used to register with LogMeIn, generating RMM access tokens, which are deployed via an executable to establish remote access. The RMM tool, once installed, is manipulated to run with unrestricted access, and hidden scheduled tasks ensure its persistence even after manual termination attempts. Organizations are advised to monitor for unauthorized RMM installations and unusual usage patterns to detect and mitigate such threats effectively. This incident underlines the importance of vigilance against phishing tactics and the need for robust monitoring of IT tools within corporate environments.
2026-01-23 10:45:01 bleepingcomputer VULNERABILITIES Fortinet Faces Challenges with Unpatched FortiCloud Authentication Bypass
Fortinet is addressing a critical authentication bypass vulnerability in FortiCloud SSO, initially believed to be patched in December, but recent attacks suggest otherwise. The vulnerability, tracked as CVE-2025-59718, has been exploited to compromise fully patched firewalls, allowing attackers to create VPN accounts and steal configurations. Cybersecurity firm Arctic Wolf reported that these automated attacks began on January 15, mirroring incidents from December, indicating a persistent threat. Fortinet confirmed that the attacks utilized a new path, affecting devices even with the latest updates, and is working on a comprehensive fix. Customers are advised to restrict administrative access and disable FortiCloud SSO to mitigate risks until a complete patch is available. Fortinet's CISO emphasized the importance of treating affected systems as compromised, urging credential rotation and configuration restoration from clean backups. Nearly 11,000 Fortinet devices with FortiCloud SSO enabled are exposed online, according to Shadowserver, highlighting the widespread impact of this vulnerability. The Cybersecurity and Infrastructure Security Agency (CISA) has included CVE-2025-59718 in its list of actively exploited vulnerabilities, mandating prompt patching for federal agencies.
2026-01-23 10:38:21 theregister CYBERCRIME London Boroughs Struggle with Services After Significant Cyberattack
Hammersmith & Fulham Council has resumed processing payments two months after a cyberattack disrupted multiple London boroughs, affecting council tax and housing rent account balances. The attack impacted shared legacy systems, with Hammersmith & Fulham isolating its network and implementing enhanced security measures to protect against further incidents. Despite service restoration, some public-facing applications remain suspended, and residents face potential delays in receiving council services and support. Westminster City Council continues to experience severe disruptions, with direct debits postponed and essential services like birth certificate issuance unavailable. Kensington & Chelsea confirmed criminal intent and data compromise, with ongoing investigations and collaboration with law enforcement and cybersecurity agencies. The UK's NCSC warns local authorities are frequent targets of pro-Russia hacktivist attacks, which, although unsophisticated, can lead to significant operational disruptions. The ongoing situation highlights the vulnerability of local government systems to cyber threats and the need for robust cybersecurity measures and incident response plans.
2026-01-23 09:30:36 theregister MISCELLANEOUS UK's Digital Veterans ID Faces Low Adoption and Limited Use
The UK Government Digital Service (GDS) reports only 15,000 digital veterans IDs issued since October, representing less than 1% of the eligible 1.8 million former armed forces personnel. Digital IDs are available via the GOV.UK One Login app, planned to be rebranded as GOV.UK Wallet, but lack functionality for online use, limiting their utility. Unlike physical veterans cards, the digital version cannot serve as photo ID for domestic flights or be used for Veterans Railcard applications, reducing its practical benefits. GDS is testing digital driving licenses within the same app, aiming for a broader rollout later this year to enhance identity verification processes. Plans are underway to enable programmatic verification for both digital veterans IDs and driving licenses, potentially expanding their utility for online and in-person verifications. The initiative aligns with broader governmental efforts to advance digital identity solutions, despite recent policy shifts regarding mandatory digital identity checks. The slow adoption rate and limited functionality of the digital veterans ID highlight challenges in digital transformation and user engagement within government services.
2026-01-23 08:26:41 thehackernews CYBERCRIME Microsoft Identifies Complex Phishing and BEC Threats in Energy Sector
Microsoft has detected a sophisticated phishing and business email compromise (BEC) campaign targeting multiple organizations within the energy sector, exploiting trusted platforms like SharePoint for initial access. Attackers leveraged compromised internal identities to conduct large-scale phishing, affecting both intra-organizational and external contacts, using familiar services to bypass detection. The campaign employed adversary-in-the-middle (AitM) techniques, creating inbox rules to delete or mark emails as read, maintaining persistence and evading user awareness. Microsoft collaborated with affected organizations to revoke malicious multi-factor authentication changes and remove attacker-created inbox rules, emphasizing the need for comprehensive remediation beyond password resets. The attack strategy reflects a growing trend of exploiting trusted services such as Google Drive and AWS to stage phishing and malware activities, complicating detection efforts. Okta reported the emergence of custom phishing kits used in voice phishing campaigns targeting major tech platforms, highlighting the evolving sophistication of social engineering tactics. The phishing kits enable real-time control over the authentication process, allowing attackers to bypass non-phishing-resistant MFA through coordinated voice instructions and browser manipulation. Recent campaigns have also utilized visual deception techniques, such as homoglyph attacks, to mislead victims by mimicking legitimate domains, posing significant risks to brand security.
2026-01-22 23:12:44 theregister CYBERCRIME Dark Web Phishing Kits Enable Sophisticated Identity Fraud Scams
Cybercriminals are utilizing advanced voice-phishing kits sold on dark web forums to target Google, Microsoft, and Okta accounts, facilitating identity fraud and social engineering scams. These kits mimic authentication flows of identity providers, allowing attackers to intercept credentials and multi-factor authentication codes in real-time. Attackers employ reconnaissance to gather target information from public sources, enhancing the credibility of their phishing attempts. The phishing kits are marketed with real-time support, enabling attackers to manipulate victims' interactions with fake login pages effectively. Scams often involve impersonating IT support to trick victims into providing sensitive information, leading to unauthorized account access. Okta's research shows these kits can bypass multi-factor authentication challenges, posing significant risks to organizational security. The emergence of "impersonation-as-a-service" reflects a growing trend of commoditized cybercrime tools, offering comprehensive packages for executing identity fraud operations.
2026-01-22 21:49:45 bleepingcomputer DATA BREACH Vishing Attacks Exploit Okta SSO for Credential Theft and Extortion
Okta has issued a warning about sophisticated phishing kits designed for voice-based social engineering, targeting Okta SSO accounts to steal credentials and facilitate data breaches. These phishing kits operate on an "as a service" model, enabling multiple hacking groups to impersonate IT staff and trick employees into revealing their credentials. Attackers use adversary-in-the-middle platforms for real-time interaction, allowing them to manipulate authentication processes and bypass multi-factor authentication (MFA). Stolen credentials are used to access Okta SSO dashboards, providing attackers with entry to various enterprise platforms, leading to significant data theft. Threat actors have been identified as targeting sectors such as Fintech and financial services, with some attacks linked to the extortion group ShinyHunters. Okta advises using phishing-resistant MFA solutions and emphasizes the importance of ongoing employee education on security best practices. Companies are urged to remain vigilant and implement robust security measures to protect against evolving phishing campaigns and social engineering threats.