CyberNews: 16/01/2026 Edition
Today’s roundup
Summary
Cisco patched a maximum-severity AsyncOS flaw (CVE-2025-20393, CVSS 10.0) in its Secure Email Gateway and Manager. Exploited as a zero-day by China-linked APT UAT-9686 since November 2025, the flaw allowed root command execution via improper HTTP request validation in Spam Quarantine. Attackers deployed persistence tools like AquaShell, AquaTunnel, Chisel, and AquaPurge. CISA added this to its KEV catalog.
A critical flaw (CVE-2026-23550, CVSS 10.0) in the Modular DS WordPress plugin is actively exploited, allowing unauthenticated privilege escalation to admin via a direct route access bypass. Versions 2.5.1 and earlier are affected, patched in 2.5.2. Attacks began January 13, 2026, from identified IP addresses.
A China-nexus Advanced Persistent Threat (APT) group, identified as UAT-8837 and tracked by Cisco Talos, has been targeting critical infrastructure sectors in North America since at least last year. The group is actively exploiting a zero-day vulnerability in Sitecore content management systems to facilitate these attacks.
A critical vulnerability, dubbed WhisperPair, has been discovered in Google's Fast Pair protocol. This flaw allows attackers to hijack Bluetooth audio accessories, such as wireless headphones and earbuds, enabling them to track users' locations and eavesdrop on their conversations.
Check Point Research has reported a significant increase in attacks targeting a vulnerability within HPE OneView management software. These exploitation efforts are being driven by the Linux-based RondoDox botnet, indicating a coordinated campaign against the platform.
A critical misconfiguration in AWS CodeBuild, codenamed CodeBreach by Wiz, posed a supply chain attack risk by potentially allowing a complete takeover of AWS's GitHub repositories, including the JavaScript SDK. AWS remediated the flaw in September 2025.
A new campaign is leveraging Venezuela-themed spear-phishing emails to target U.S. government and policy entities. The attack involves distributing a backdoor known as LOTUSLITE through malicious ZIP archives, with lures related to geopolitical developments between the U.S. and Venezuela.
The Gootloader malware, known for initial access operations, has evolved its delivery method to evade detection. It now uses highly malformed ZIP archives built by concatenating up to 1,000 parts, so that scanners and archive tools see a different set of entries than the one ultimately extracted on the target system.
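Concatenated archives work because a ZIP reader locates the central directory from the last End-of-Central-Directory (EOCD) record, so a file assembled from several archives shows only the final archive's entries while earlier parts remain invisible. The added example below is not from the article or from any vendor research; it is a hypothetical defender-side check in Python that builds a constructed multi-part archive in memory, counts EOCD records and local file headers, and flags the mismatch between what the standard library reports and what the bytes contain. It generalizes the two-part case to any number of appended parts.

```python
import io
import zipfile

# ZIP structure signatures (from the ZIP specification, not from the article)
EOCD_SIG = b"PK\x05\x06"   # End-of-Central-Directory record
LOCAL_SIG = b"PK\x03\x04"  # local file header preceding each stored entry


def build_zip(name: str, data: bytes) -> bytes:
    """Construct a minimal single-entry ZIP in memory (test fixture only)."""
    buf = io.BytesIO()
    # STORED keeps the payload literal so signature counts are deterministic
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def concatenate_parts(parts: list[bytes]) -> bytes:
    """Glue independent ZIP archives back to back, as a concatenated archive."""
    return b"".join(parts)


def analyze_zip(blob: bytes) -> dict:
    """Compare what zipfile reports with what the raw bytes contain.

    A well-formed archive has exactly one EOCD record and as many local
    headers as central-directory entries. More than one EOCD record, or more
    local headers than visible entries, means earlier parts are hidden behind
    the last EOCD and the file deserves a closer look.
    """
    eocd_records = blob.count(EOCD_SIG)
    local_headers = blob.count(LOCAL_SIG)
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            visible_entries = zf.namelist()  # follows the LAST EOCD only
    except zipfile.BadZipFile:
        visible_entries = []
    return {
        "eocd_records": eocd_records,
        "local_headers": local_headers,
        "visible_entries": visible_entries,
        "suspicious": eocd_records > 1 or local_headers > len(visible_entries),
    }


if __name__ == "__main__":
    # Constructed sample: three independent archives appended into one file
    parts = [build_zip(f"part{i}.txt", f"payload {i}".encode()) for i in range(3)]
    report = analyze_zip(concatenate_parts(parts))
    print(report)
```

The check is intentionally byte-level: signature counting tolerates the malformed headers such archives rely on, whereas a parser that trusts the last EOCD will report the archive as clean. Counting `PK\x03\x04` can over-count when compressed data happens to contain that sequence, so treat the header/entry mismatch as a triage signal rather than a verdict.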
Food delivery platform Grubhub confirmed a data breach where hackers accessed its systems and stole data, with the company reportedly facing extortion demands.
The Anchorage Police Department (APD) in Alaska temporarily took its servers offline due to a cyberattack affecting a third-party service provider. APD officials stated there is currently no evidence to suggest their own systems were compromised or that any APD data was exfiltrated by the threat actor.
Vulnerabilities
| CVE | Severity |
| CVE-2025-20393 | Critical |
| CVE-2026-23550 | Critical |