Cybersecurity News | Daily Recap [24 Jan 2026]

In today's Daily Recap, phishing activity escalates with an adversary-in-the-middle (AiTM) campaign that abuses SharePoint links to steal Microsoft credentials, compromise inboxes, and bypass MFA in the energy sector, while commercial vishing kits synchronize fake login pages with live calls targeting Google, Microsoft, and Okta users. Ransomware and exploits dominate the headlines: Osiris uses the POORTRY driver to disable protections and exfiltrate data to Wasabi, researchers recover data encrypted by INC thanks to the gang's intact Restic backups, and Ploutus ATM jackpotting is linked to Tren de Aragua. Critical vulnerabilities in FortiCloud SSO, SmarterMail, and InetUtils telnetd round out the day, alongside security updates from GitLab, Outlook for iOS, curl, and Teams. #SharePoint #AiTM #Microsoft #Google #Okta #Osiris #POORTRY #Wasabi #INC #Ploutus #TrenDeAragua #FortiCloudSSO #FortiOS #SmarterMail #InetUtils #telnetd #GitLab #Outlook #curl #Teams #Pwn2OwnAuto #FALSECUB #TamperedChef #NetNTLMv1 #MnCHOICES #ActiveDirectory

Phishing & Vishing

  • Attackers abused SharePoint links in a multi-stage adversary-in-the-middle (AiTM) phishing campaign against the energy sector to steal Microsoft credentials, take over inboxes, establish persistence via inbox rules, delete evidence, and tamper with MFA settings — SharePoint Phish
  • Commercial vishing/phishing kits now synchronize fake login pages with live callers to intercept MFA codes and SSO tokens in real time (targeting Google, Microsoft, and Okta), enabling large-scale helpdesk scams and account takeovers; because the kits relay whatever the victim types, only phishing‑resistant methods such as FIDO passkeys reliably stop them — Vishing Kits
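The SharePoint item above describes the classic post-compromise pattern of an AiTM inbox takeover: the attacker creates inbox rules that hide or delete mail (to suppress the victim's own security alerts) and that forward interesting messages outside the tenant. The following is an added triage script, not code from the original recap or from any vendor; it assumes rules have been exported in a shape loosely modelled on the Microsoft Graph messageRule resource (key names such as `moveToFolder` and `forwardTo` are an assumption, and folder names rather than folder IDs are assumed), and the sample rules are constructed, not real data.

```python
"""Triage exported inbox rules for the persistence and evidence-deletion
patterns typical of AiTM inbox takeovers: auto-delete / hide, external
forwarding, and filtering on security or finance keywords."""
import re

# Keywords attackers commonly use to intercept alerts and payment mail.
EVIDENCE_KEYWORDS = ("password", "mfa", "verification", "invoice", "payment",
                     "wire", "security alert", "sign-in", "suspicious")
# Folders a user rarely looks at; parking mail here hides it in plain sight.
HIDING_FOLDERS = ("deleted items", "rss feeds", "rss subscriptions",
                  "junk email", "archive", "conversation history")


def triage_rule(rule, internal_domains):
    """Return a list of findings for one rule (empty list = nothing suspicious).

    Field layout is an assumption loosely based on the Graph messageRule
    resource; adapt the key names to whatever export you actually have.
    """
    findings = []
    conds = rule.get("conditions") or {}
    acts = rule.get("actions") or {}
    name = rule.get("displayName", "")

    # 1. Evidence suppression: delete, mark read, or park in a hidden folder.
    folder = (acts.get("moveToFolder") or "").lower()
    if acts.get("delete") or acts.get("permanentDelete"):
        findings.append("deletes messages")
    if folder in HIDING_FOLDERS:
        findings.append(f"moves messages to '{folder}'")
    if acts.get("markAsRead"):
        findings.append("marks messages as read")

    # 2. Exfiltration / persistence: forward or redirect outside the tenant.
    for key in ("forwardTo", "forwardAsAttachmentTo", "redirectTo"):
        for rcpt in acts.get(key, []):
            addr = rcpt if isinstance(rcpt, str) else \
                rcpt.get("emailAddress", {}).get("address", "")
            domain = addr.rsplit("@", 1)[-1].lower()
            if domain and domain not in internal_domains:
                findings.append(f"{key} external address {addr}")

    # 3. Keyword targeting typical of account-takeover cleanup.
    terms = [t.lower()
             for k in ("subjectContains", "bodyContains", "bodyOrSubjectContains")
             for t in conds.get(k, [])]
    hits = sorted({kw for kw in EVIDENCE_KEYWORDS if any(kw in t for t in terms)})
    if hits:
        findings.append("filters on keywords: " + ", ".join(hits))

    # 4. Naming tricks: blank, whitespace-only, or punctuation-only names.
    if not name.strip() or re.fullmatch(r"[\W_]{1,3}", name):
        findings.append(f"low-visibility rule name {name!r}")
    return findings


def scan_mailbox(rules, internal_domains=("corp.example",)):
    """Map rule name -> findings for every rule that trips at least one check."""
    internal = {d.lower() for d in internal_domains}
    report = {}
    for rule in rules:
        findings = triage_rule(rule, internal)
        if findings:
            report[rule.get("displayName", "<unnamed>")] = findings
    return report


# Constructed sample rules (hypothetical, not taken from any real incident).
SAMPLE_RULES = [
    {"displayName": "Newsletters",
     "conditions": {"senderContains": ["noreply@news.corp.example"]},
     "actions": {"moveToFolder": "Newsletters"}},
    {"displayName": ".",
     "conditions": {"bodyOrSubjectContains": ["password", "verification code", "invoice"]},
     "actions": {"moveToFolder": "RSS Feeds", "markAsRead": True,
                 "stopProcessingRules": True}},
    {"displayName": "Backup",
     "conditions": {"subjectContains": ["wire transfer"]},
     "actions": {"forwardTo": [{"emailAddress": {"address": "finance.archive@gmail.example"}}],
                 "delete": True}},
]

if __name__ == "__main__":
    for rule_name, rule_findings in scan_mailbox(SAMPLE_RULES).items():
        print(f"{rule_name!r}: " + "; ".join(rule_findings))
```

Run against a real export, the benign "Newsletters" rule produces nothing, while the punctuation-named rule that hides password and invoice mail in RSS Feeds and the rule that forwards wire-transfer mail to an external mailbox and deletes the original are both reported. Pair this with a check of when each rule was created relative to the suspicious sign-in, which the rule export alone does not tell you.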
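The vishing item states that only phishing‑resistant methods such as FIDO passkeys reliably stop a live relay. The reason is origin binding: the browser writes the origin it is actually talking to into clientDataJSON, the authenticator signs over it, and the relying party rejects any origin other than its own, whereas a relayed OTP carries no notion of where it was typed. The following simulation is an added example, not code from the recap or from any vendor; the origins are hypothetical, and an HMAC with a per-credential key stands in for the authenticator's asymmetric signature (the origin-binding check is the same either way).

```python
"""Toy relying party contrasting an OTP relay with a WebAuthn assertion relay.
HMAC stands in for the authenticator's signature; the origin check is real."""
import hashlib
import hmac
import json
import secrets

RP_ORIGIN = "https://login.corp.example"      # assumed legitimate origin
PROXY_ORIGIN = "https://login-corp.example"   # assumed look-alike AiTM proxy


def authenticator_sign(cred_key, challenge, origin):
    """What the victim's browser + authenticator produce for a given page origin.

    The browser, not the page, fills in 'origin', so a proxy page cannot lie.
    """
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}, sort_keys=True).encode()
    sig = hmac.new(cred_key, hashlib.sha256(client_data).digest(), "sha256").hexdigest()
    return {"clientDataJSON": client_data, "signature": sig}


def rp_verify_assertion(cred_key, issued_challenge, assertion):
    """Accept only if type, origin, challenge and signature all check out."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("origin") != RP_ORIGIN:        # origin binding: the decisive check
        return False
    if not hmac.compare_digest(cd.get("challenge", ""), issued_challenge):
        return False
    expected = hmac.new(cred_key, hashlib.sha256(assertion["clientDataJSON"]).digest(),
                        "sha256").hexdigest()
    return hmac.compare_digest(expected, assertion["signature"])


def rp_verify_otp(expected_otp, submitted_otp):
    """An OTP is just a string; the RP cannot tell where it was typed."""
    return hmac.compare_digest(expected_otp, submitted_otp)


def simulate(cred_key=None):
    """Run both relays and a genuine login; return which ones the RP accepts."""
    cred_key = cred_key or secrets.token_bytes(32)
    challenge = secrets.token_urlsafe(32)
    otp = "482913"                                   # constructed sample code

    # AiTM relay of an OTP: victim types it into the proxy, proxy replays it.
    otp_relay_ok = rp_verify_otp(otp, otp)

    # AiTM relay of WebAuthn: proxy forwards the RP's real challenge, but the
    # victim's browser signs with origin = PROXY_ORIGIN because that is the
    # site the victim is on.
    relayed = authenticator_sign(cred_key, challenge, PROXY_ORIGIN)

    # Genuine login from the real origin.
    genuine = authenticator_sign(cred_key, challenge, RP_ORIGIN)

    return {
        "otp_relay_accepted": otp_relay_ok,
        "webauthn_relay_accepted": rp_verify_assertion(cred_key, challenge, relayed),
        "webauthn_genuine_accepted": rp_verify_assertion(cred_key, challenge, genuine),
    }


if __name__ == "__main__":
    for name, accepted in simulate().items():
        print(f"{name}: {accepted}")
```

The relayed OTP is accepted, the relayed assertion is rejected on the origin check before the signature is even examined, and the genuine assertion passes. Note that this protects only logins; session tokens issued after a successful passkey login still need protection against token theft by other means.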

Vulnerabilities & Exploits

  • Attackers are bypassing Fortinet’s FortiCloud SSO via CVE-2025-59718, creating admin accounts and exporting configs on devices reported as patched (affecting FortiOS 7.4.9/7.4.10); admins should disable FortiCloud SSO and audit for suspicious logins — Fortinet SSO
  • An authentication‑bypass in SmarterMail (CVE-2026-23760) is being exploited to reset admin passwords and hijack instances soon after the patch was released — SmarterMail Flaw
  • A critical CVE-2026-24061 in GNU InetUtils’ telnetd lets remote attackers bypass login and gain root via a crafted USER environment value and is being actively probed — InetUtils Telnetd
  • Researchers revived and accelerated Linux page cache attacks (TU Graz), enabling precise keystroke and cross‑container spying across kernels back to 2003; only CVE-2025-21691 is mitigated so far — Page Cache
  • CISA added four Known Exploited Vulnerabilities to its catalog; organizations should review the KEV list and apply mitigations immediately — CISA KEV

Ransomware & Crime Operations

  • A new ransomware family called Osiris used a custom driver named POORTRY in a BYOVD-style attack to disable protections, exfiltrate data to Wasabi buckets, and deploy hybrid per-file encryption against a major food‑service franchisee — Osiris Ransomware
  • An operational security failure by the INC ransomware gang left Restic-based backups intact, allowing researchers to recover encrypted data from 12 U.S. organizations and produce detection rules — INC Recovery
  • Two Venezuelans were convicted for ATM jackpotting using Ploutus malware and linked to the Tren de Aragua syndicate; they face deportation after sentences and restitution — ATM Convictions

Security Updates & Product Bugs

  • GitLab released critical patch updates (18.8.2, 18.7.2, 18.6.4) fixing multiple high‑severity flaws including a 2FA bypass and DoS issues; self‑managed admins should upgrade immediately (may require DB migrations) — GitLab Patch
  • Outlook for iOS (5.2602.0) can crash or freeze on iPad after a code‑flag change; Microsoft recommends workarounds (toggling Airplane Mode) while a fix rolls out — Outlook iOS
  • curl is ending its HackerOne bug‑bounty program after a flood of low‑quality/AI‑generated reports; HackerOne submissions accepted only until 2026‑01‑31, with direct GitHub reporting thereafter — Curl Bounty
  • Microsoft Teams will add Brand Impersonation Protection to warn users of suspicious external VoIP calls (targeted release mid‑February) to help prevent voice‑based brand impersonation — Teams Warnings

Policy, Legal & Industry

  • Germany expelled a Russian diplomat accused of spying on the Ukraine war effort after probes linked embassy contacts to alleged intelligence collection on military aid and drone testing sites — Diplomat Expelled
  • Ireland will draft legislation to permit court‑authorized law‑enforcement use of spyware and electronic scanning equipment, with claimed legal safeguards under development — Ireland Spyware
  • A Spanish judge closed the probe into alleged Pegasus spyware surveillance after Israel failed to cooperate with information requests, citing breaches of international obligations — NSO Probe
  • The UK House of Lords backed an amendment to ban children under 16 from social media within a year and ordered guidance and studies on digital consent and addictive design — Social Media Ban
  • The Bank of England’s CBEST assessments found widespread failures in basic cyber hygiene across financial firms, urging sustained remediation in patching, identity, detection, encryption, and incident response — BoE Report

Research, Events & Contests

  • At Pwn2Own Automotive 2026 researchers earned $1,047,000 for exploiting 76 zero‑days across IVI systems, EV chargers, and car OSes; vendors have 90 days to patch before public disclosure — Pwn2Own Auto
  • Weekly bulletins highlight attackers using everyday files and trusted services to gain access (e.g., FALSECUB, TamperedChef, malvertising), emphasizing low‑friction and patient operations — ThreatsDay
  • Live webinar on rethinking email security for mid‑sized orgs (1PM ET) will cover behavioral analysis, real‑time risk scoring, and AI‑driven defenses to stop sophisticated email attacks — Email Webinar

Breaches & Operational Security

  • Manage My Health confirmed a late‑2023 intrusion that accessed documents in the My Health Documents portal and warned of fraudsters impersonating the service for phishing while working with regulators and IDCARE — Manage My Health
  • A weekly “In Other News” roundup covered major items including proposed €1.2B GDPR fines, Mandiant’s Net‑NTLMv1 rainbow tables, Cloudflare WAF bypasses, Snap Store hijacks, and large breaches like MnCHOICES — News Roundup

Operational Security & Identity

  • Hybrid work has driven surging Active Directory password resets and remote lockouts, increasing helpdesk costs; self‑service credential tools can reduce workload and save organizations significant sums — AD Resets
  • An industry perspective warns that unmanaged IT/OT/IoT and cloud assets act as unseen attack portals (“Upside Down”), calling for continuous visibility, segmentation, and cross‑functional response to prevent lateral spread — Upside Down

Cybersecurity News | Daily Recap – hendryadrian.com