CyberNews: 24/01/2026 Edition

Published by Dunateo on 2026-01-24

Today’s roundup

  • ShinyHunters claim to be behind SSO-account data theft attacks
  • What an AI-Written Honeypot Taught Us About Trusting Machines
  • Multi-Stage Phishing Campaign Targets Russia with Amnesia RAT and Ransomware
  • New DynoWiper Malware Used in Attempted Sandworm Attack on Polish Power Sector
  • CISA Updates KEV Catalog with Four Actively Exploited Software Vulnerabilities
  • NHS Issues Open Letter Demanding Improved Cybersecurity Standards from Suppliers
  • U.S. CISA adds a flaw in Broadcom VMware vCenter Server to its Known Exploited Vulnerabilities catalog
  • 11-Year-Old critical telnetd flaw found in GNU InetUtils (CVE-2026-24061)
  • Fortinet warns of active FortiCloud SSO bypass affecting updated devices
  • Cyberattack disrupts digital systems at renowned Dresden museum network
Summary

    The ShinyHunters extortion gang claims responsibility for ongoing voice-phishing (vishing) attacks against Okta, Microsoft, and Google SSO accounts. The goal is to breach corporate SaaS platforms through the compromised identities and steal data for extortion.

    Research on an AI-written honeypot showed that AI-generated code can carry subtle security flaws, a reminder that organizations should not over-trust automated output and that AI-assisted development needs the same review and testing as any other code.

    A multi-stage phishing campaign targets users in Russia, delivering ransomware and the Amnesia remote access trojan (RAT) via business-themed social engineering documents.

    Sandworm, the Russian state-sponsored hacking group, attempted a major cyberattack on Poland's power system in December 2025, deploying a new wiper named DynoWiper. Described as the largest attack on the sector to date, it was ultimately unsuccessful.

    CISA added four new actively exploited security flaws to its Known Exploited Vulnerabilities (KEV) catalog, including CVE-2025-68645, a critical PHP remote file inclusion vulnerability in Synacor Zimbra Collaboration Suite (ZCS).

    The UK's National Health Service (NHS) issued an open letter, demanding improved cybersecurity standards from its suppliers. NHS leaders outlined plans to identify and mitigate risks across the health and social care system's software supply chain.

    CISA added the critical Broadcom VMware vCenter Server vulnerability CVE-2024-37079 (CVSS 9.8) to its KEV catalog following confirmed active exploitation. The heap-overflow flaw in vCenter's implementation of the DCERPC protocol allows an attacker with network access to the server to achieve remote code execution; chained with further flaws, it is reported to yield unauthorized root access on ESXi.

    An 11-year-old critical authentication bypass, CVE-2026-24061 (CVSS 9.8), in GNU InetUtils telnetd (versions 1.9.3 through 2.7) allows root access via an unsanitized USER environment variable supplied by the client. The flaw has been present since 2015, and GreyNoise has observed exploitation attempts in the wild.
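    The telnetd item above turns on a client-controlled value being handed to a privileged helper without validation. The C snippet below is an added illustration of that pattern and its fix, not inetutils code: the unsafe variant forwards the client's USER value straight into the helper's argument list, while the hardened variant applies an allow-list validator and places the name after a "--" separator so a getopt-based helper cannot read it as an option. The helper path /bin/login, the -p option, the 32-byte length limit and the sample inputs are assumptions for illustration; the exact telnetd code path should be taken from the advisory.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Illustrative pattern (not inetutils code): a network daemon receives a USER
 * value from the client and hands it to a privileged helper such as login(1).
 * Because the value comes off the wire it is attacker-controlled, and a value
 * beginning with '-' is parsed by the helper as an option rather than a name.
 */

#define MAX_USER 32  /* assumed limit for this illustration */

/* Unsafe variant: forwards the client value unchanged. */
int build_login_argv_unsafe(const char *user, const char *argv[], size_t n)
{
    if (n < 4 || user == NULL) return -1;
    argv[0] = "/bin/login";
    argv[1] = "-p";
    argv[2] = user;   /* unvalidated: a value such as "-x" becomes an option */
    argv[3] = NULL;
    return 0;
}

/*
 * Allow-list check modelled on POSIX portable user names: first character a
 * letter or '_', the rest letters, digits, '.', '_' or '-', 1..MAX_USER bytes.
 * This rejects a leading '-', whitespace, shell metacharacters and non-ASCII.
 */
bool valid_username(const char *user)
{
    if (user == NULL) return false;
    size_t len = strlen(user);
    if (len == 0 || len > MAX_USER) return false;
    unsigned char c0 = (unsigned char)user[0];
    if (!(isalpha(c0) || c0 == '_')) return false;
    for (size_t i = 1; i < len; i++) {
        unsigned char c = (unsigned char)user[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-')) return false;
    }
    return true;
}

/*
 * Hardened variant: validate first, then put the name after "--" so that a
 * getopt-based helper stops option parsing before it reaches the name, even
 * if the validator is ever loosened.
 */
int build_login_argv_safe(const char *user, const char *argv[], size_t n)
{
    if (n < 5 || !valid_username(user)) return -1;
    argv[0] = "/bin/login";
    argv[1] = "-p";
    argv[2] = "--";
    argv[3] = user;
    argv[4] = NULL;
    return 0;
}

/* Stand-alone demo over constructed client inputs; no process is spawned. */
int main(void)
{
    const char *samples[] = { "alice", "svc_backup-01", "-x", "bob evil", "", "Root;id" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *argv[5];
        int unsafe_rc = build_login_argv_unsafe(samples[i], argv, 5);
        int safe_rc = build_login_argv_safe(samples[i], argv, 5);
        printf("%-14s unsafe=%s safe=%s\n", samples[i],
               unsafe_rc == 0 ? "forwarded" : "rejected",
               safe_rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

    The validator is deliberately an allow-list rather than a deny-list of bad characters: the point of the vulnerability class is that any byte sequence the daemon did not anticipate reaches a root-privileged parser, so the daemon should only pass along what it can positively recognise as a name.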

    Fortinet confirmed active attacks bypassing FortiCloud SSO authentication, affecting devices that are fully patched. Fortinet describes the new attack path as applicable to all SAML SSO implementations and has released IOCs along with interim workarounds, such as restricting administrative access and temporarily disabling FortiCloud SSO.
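    The two workarounds named above map onto FortiOS CLI settings. The fragment below is an added illustration, not text from the Fortinet advisory: it shows the exposed posture next to the restricted one. The option names admin-forticloud-sso-login (under config system global) and trusthost1/trusthost2 (under config system admin) are assumed from the FortiOS CLI reference and the addresses are placeholders; confirm the exact syntax for your firmware version against Fortinet's advisory before applying it.

```text
# Exposed posture (assumed defaults shown for contrast): cloud SSO login for
# administrators enabled, admin account reachable from any source address.
config system global
    set admin-forticloud-sso-login enable
end

# Interim hardened posture while the SSO bypass is under investigation.
config system global
    set admin-forticloud-sso-login disable
end

config system admin
    edit "admin"
        # Placeholder management subnet and jump host; adjust to your network.
        set trusthost1 10.0.0.0 255.255.255.0
        set trusthost2 192.0.2.10 255.255.255.255
    next
end
```

    Disabling the SSO login removes the affected authentication path altogether; the trusted-host restriction limits who can even reach the administrative interface, which remains worthwhile after the SSO path is restored.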

    Germany's Dresden State Art Collections network suffered a cyberattack that disrupted large parts of its digital infrastructure. Despite the disruption, the museums stayed open to visitors and the art collections were reported to be unharmed.

    Want to dig deeper?

    Vulnerabilities

    CVE-2026-24061 High
    CVE-2025-68645 High
    CVE-2024-37079 Critical