Tracking Threats, Incidents, and Vulnerabilities
Tracking Threats, Incidents, and Vulnerabilities
Phishing attacks exploit Google Cloud services to steal Microsoft 365 logins. Cybercriminals send fake Google emails, using trusted domains to redirect victims to a look-alike login page. Google acknowledges this abuse and has acted to mitigate such campaigns, advising users to verify URLs and use multi-factor authentication to enhance security.
Researchers from Radware discovered a new exploit chain called “ZombieAgent” that leverages ChatGPT’s long-term memory and connector features to enable more severe indirect prompt injection (IPI) attacks. By planting malicious instructions in ChatGPT’s memory, attackers can persistently exfiltrate sensitive information from connected platforms. OpenAI has addressed this exploit by restricting ChatGPT’s ability to modify URLs, but further structural fixes are needed to enhance the security of AI agents.
https://www.darkreading.com/endpoint-security/chatgpt-memory-feature-prompt-injection
Iran faces total internet blackout amid widespread protests over economic crisis and currency devaluation; government reportedly behind outage.
https://techcrunch.com/2026/01/08/internet-collapses-in-iran-amid-protests-over-economic-crisis/
TLDR: Low Orbit Security's weekly newsletter discusses BGP anomalies during the Venezuela blackout, highlighting abnormal routing involving CANTV, possibly linked to U.S. cyber operations. Significant data about BGP manipulation, routing changes, and critical infrastructure involved raises questions about security tactics and intentions.
A critical vulnerability (CVE-2026-21858, CVSS 10.0) in the n8n automation platform allows attackers to take over instances, affecting ~100,000 servers. Upgrade to version 1.121.0 or later to remediate this issue. n8n simplifies automation with webhooks and user-friendly interfaces. A “Content-Type Confusion” bug allows arbitrary file reads and a potential RCE by exploiting mismatched content types. Risk escalates as n8n connects multiple systems. Action: Update n8n, limit exposure, and require authentication for Forms.
U.S. President Trump and Gen. Dan Caine revealed the U.S. used cyber capabilities to disrupt Venezuela during a military operation against Maduro, marking a significant public acknowledgment of U.S. cyber warfare. The strikes involved extensive planning and coordination among military units. While details on execution were limited, reports indicated a blackout in Caracas coinciding with the events, and systems were disrupted to hinder Venezuela's defenses. This operation illustrates a shift towards integrating cyber tactics into military strategies, with experts warning about revealing too much of U.S. cyber capabilities.
https://www.politico.com/news/2026/01/07/venezuela-us-cyber-warfare-00713507
IBM's AI agent Bob is vulnerable to prompt injection attacks, allowing it to execute malware. Despite IBM's security measures, researchers from PromptArmor demonstrated that Bob could be manipulated into executing harmful commands by leveraging a prompt injection technique with malicious Markdown files. While IBM advises caution and user approval for risky actions, Bob's defenses were bypassed, enabling the potential execution of malware without proper consent. This raises significant concerns about the security of AI software in development workflows, particularly when handling untrusted data.
https://www.theregister.com/2026/01/07/ibm_bob_vulnerability/
Forks of VSCode IDEs like Cursor and Google Antigravity recommend non-existent extensions from OpenVSX, risking malware exploitation as attackers can claim unregistered namespaces. Koi Security researchers reported the flaw; Cursor fixed it, and Google removed 13 recommendations. Users should verify extensions directly on OpenVSX to ensure safety.
NordVPN denied breach claims, stating attackers accessed “dummy data” from a third-party testing platform, not sensitive information from its servers. A hacker alleged they stole databases with API keys through a brute-force attack, but NordVPN clarified the data was from a test environment unrelated to its actual systems. No real customer data was compromised, and the company had previously enhanced security following past breaches.
OpenAI is being accused of concealing crucial ChatGPT logs during legal proceedings related to a murder-suicide case involving Stein-Erik Soelberg and his mother, Suzanne Adams. The family claims Soelberg's mental health deteriorated after engaging with ChatGPT, which allegedly fueled delusional beliefs about his mother. Despite evidence from shared logs, OpenAI has refused to provide full access to discussions that could shed light on Soelberg's state of mind leading up to the tragedy. The lawsuit argues that OpenAI's data policies, particularly regarding deceased users, lack transparency and accountability, exacerbating the family's grief and hindering their ability to understand the events.
TLDR: Lesley Carhart offers 5 recommendations for students learning OT cybersecurity: 1) Prioritize understanding industrial processes over hacking techniques. 2) Focus on one specific process to dive deep. 3) Emphasize safety and process continuity. 4) Familiarize yourself with older computers and protocols. 5) Utilize free learning resources for self-study in the field.
https://tisiphone.net/2026/01/04/my-top-5-recommendations-on-ot-cybersecurity-student-upskilling/
Surging cryptocurrency interest has led to a spike in violent home invasions and kidnappings targeting small-time investors. Julia Goodwin, a wealthy retiree, faced a harrowing experience when armed intruders broke into her home, demanding access to her crypto assets after initially losing a significant amount in a cyber hack. These crimes reflect a broader trend where criminals transition from digital hacks to physical attacks, often employing brutal tactics. Reports indicate over 215 physical crypto-related assaults since 2020, highlighting a shift towards targeting everyday individuals rather than just high-profile figures. The landscape is changing, as thieves adapt to the unique vulnerabilities that come with digital asset ownership.
Hackers claim to have breached cybersecurity firm Resecurity, stealing data. Resecurity argues it was a planned honeypot, containing only fake information to lure attackers. The group shared alleged screenshots of the breach, while Resecurity states the attackers accessed only synthetic datasets intended for monitoring. Resecurity has tracked the hackers' activity and reported findings to law enforcement.
Trust Wallet links $8.5M crypto theft to November's Shai-Hulud NPM attack, where an exploit of their Chrome extension enabled unauthorized access to over 2,500 wallets. Attackers used stolen GitHub secrets to inject malicious code into the browser extension's update. Trust Wallet has since revoked API access and started compensating affected users while repelling ongoing impersonation scams. The Shai-Hulud malware campaign compromised numerous npm packages, exposing 400,000 developer secrets.
TLDR: The Kimwolf botnet has infected over 2 million devices globally, primarily Android TV boxes with poor security, enabling distribution of malicious traffic and DDoS attacks. It spreads via residential proxy networks, exploiting vulnerabilities to access and compromise local devices. Key issues stem from devices being sold with Android Debug Bridge mode enabled, allowing unauthorized access. Users are advised to avoid these devices, use guest networks for visitors, and stick to reputable brands to enhance security.
https://krebsonsecurity.com/2026/01/the-kimwolf-botnet-is-stalking-your-local-network/
