Daily summary - 28.01.2026

End-of-Day report

Timeframe: Tuesday 27-01-2026 18:00 - Wednesday 28-01-2026 18:30 Handler: Felician Fuchs Co-Handler: Alexander Riepl

News

Fortinet blocks exploited FortiCloud SSO zero day until patch is ready

Fortinet has confirmed a new, actively exploited critical FortiCloud single sign-on (SSO) authentication bypass vulnerability, tracked as CVE-2026-24858, and says it has mitigated the zero-day attacks by blocking FortiCloud SSO connections from devices running vulnerable firmware versions.

https://www.bleepingcomputer.com/news/security/fortinet-blocks-exploited-forticloud-sso-zero-day-until-patch-is-ready/

Slovakian man pleads guilty to operating darknet marketplace

A Slovakian national admitted on Tuesday to helping operate a darknet marketplace that sold narcotics, cybercrime tools and services, fake government IDs, and stolen personal information for more than two years.

https://www.bleepingcomputer.com/news/security/slovakian-man-pleads-guilty-to-operating-kingdown-market-cybercrime-marketplace/

Hackers hijack exposed LLM endpoints in Bizarre Bazaar operation

A malicious campaign is actively targeting exposed LLM (Large Language Model) service endpoints to commercialize unauthorized access to AI infrastructure.

https://www.bleepingcomputer.com/news/security/hackers-hijack-exposed-llm-endpoints-in-bizarre-bazaar-operation/

Vibe-Coded Sicarii Ransomware Can't Be Decrypted

A new ransomware strain that entered the scene last year has poorly designed code and an odd "Hebrew" identity that might be a false flag.

https://www.darkreading.com/endpoint-security/vibe-coded-sicarii-ransomware-decrypted

WhatsApp Rolls Out Lockdown-Style Security Mode to Protect Targeted Users From Spyware

Meta on Tuesday announced it's adding Strict Account Settings on WhatsApp to secure certain users against advanced cyber attacks because of who they are and what they do.

https://thehackernews.com/2026/01/whatsapp-rolls-out-lockdown-style.html

Fake Python Spellchecker Packages on PyPI Delivered Hidden Remote Access Trojan

Cybersecurity researchers have discovered two malicious packages in the Python Package Index (PyPI) repository that masquerade as spellcheckers but contain functionality to deliver a remote access trojan (RAT).

https://thehackernews.com/2026/01/fake-python-spellchecker-packages-on.html

Mustang Panda Deploys Updated COOLCLIENT Backdoor in Government Cyber Attacks

Threat actors with ties to China have been observed using an updated version of a backdoor called COOLCLIENT in cyber espionage attacks in 2025 to facilitate comprehensive data theft from infected endpoints.

https://thehackernews.com/2026/01/mustang-panda-deploys-updated.html

Unique leather goods from "maronellis.com": all a scam!

As soon as advertisements tell the story of a small family business that sadly has to close, caution is warranted. Especially when a supposed news report shows scenes of a large rush on the last handmade one-of-a-kind pieces. How problematic online shops work and how the criminals lure their victims - an analysis using the example of "maronellis.com".

https://www.watchlist-internet.at/news/leder-unikate-maronelliscom/

Open source instead of Big Tech: France wants to get rid of Microsoft Teams, Zoom and co.

Visio is leaving its pilot phase and is to be used by 200,000 civil servants by 2027. The pursuit of sovereignty, but also cost savings, provide the motivation.

https://www.derstandard.at/story/3000000306024/open-source-statt-big-tech-frankreich-will-microsoft-teams-zoom-und-co-loswerden

EU demands that Android be opened to other AI - within six months

The exclusive, deep integration of Gemini into the operating system is said to be a violation of the Digital Markets Act. The EU also wants Google to hand over search data to competitors.

https://www.derstandard.at/story/3000000306105/eu-fordert-oeffnung-von-android-fuer-andere-ki-innerhalb-von-sechs-monaten

Wave of attacks on journalists via the Signal messenger

Other civil society actors are also affected. A malicious phishing message demands "verification" because of "suspicious activity".

https://www.derstandard.at/story/3000000306125/angriffswelle-auf-journalisten-ueber-signal-messenger

Beware! Fake ChatGPT browser extensions are stealing your login credentials

If you've installed a browser extension to enhance your ChatGPT experience, you might want to think again. Read more in my article on the Hot for Security blog.

https://www.bitdefender.com/en-us/blog/hotforsecurity/beware-fake-chatgpt-browser-extensions-are-stealing-your-login-credentials

Cyberattack on Poland's power grid hit around 30 facilities, new report says

Adding to previous research about an operation against Poland's electrical grid, analysts at Dragos say it affected dozens of facilities and disrupted operational technology.

https://therecord.media/poland-electrical-grid-cyberattack-30-facilities-affected

Exchange Online: Microsoft postpones the retirement of SMTP AUTH Basic Authentication

Microsoft originally intended to end support for Basic Authentication with client submission (SMTP AUTH) in Exchange Online in September 2025. It was then announced that support would be phased out gradually between 1 March 2026 and 30 April 2026.

https://borncity.com/blog/2026/01/28/exchange-online-microsoft-verschiebt-smtp-auth-basic-authentication-abschaltung/

ShinyHunters Target 100+ Firms Using Phone Calls to Bypass SSO Security

ShinyHunters is driving attacks on 100+ organisations, using vishing and fake login pages with allied groups to bypass SSO and steal company data, reports Silent Push.

https://hackread.com/shinyhunters-target-firms-bypass-sso-security/

Russian Cybercrime Platform RAMP Forum Seized by Feds

US authorities have seized the RAMP cybercrime forum, taking down both its clearnet and dark web domains in a major hit to the ransomware infrastructure.

https://hackread.com/russian-cybercrime-ramp-forum-seized-feds/

OpenSSL January 2026 Security Update: CMS and PKCS#12 Buffer Overflows

A deep dive into OpenSSL's January 2026 CMS and PKCS#12 vulnerabilities, including a pre-auth stack overflow and a PKCS#12 parsing bug.

https://securitylabs.datadoghq.com/articles/openssl-january-2026-security-update-cms-and-pkcs12-buffer-overflows/

Vulnerabilities

Administrative FortiCloud SSO authentication bypass

An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] in FortiOS, FortiManager, FortiAnalyzer may allow an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts, if FortiCloud SSO authentication is enabled on those devices.

https://fortiguard.fortinet.com/psirt/FG-IR-26-060

SolarWinds warns of critical Web Help Desk RCE, auth bypass flaws

SolarWinds has released security updates to patch critical authentication bypass and remote command execution vulnerabilities in its Web Help Desk IT help desk software.

https://www.bleepingcomputer.com/news/security/solarwinds-warns-of-critical-web-help-desk-rce-auth-bypass-flaws/

Two High-Severity n8n Flaws Allow Authenticated Remote Code Execution

Cybersecurity researchers have disclosed two new security flaws in the n8n workflow automation platform, including a crucial vulnerability that could result in remote code execution.

https://thehackernews.com/2026/01/two-high-severity-n8n-flaws-allow.html

Critical vm2 Node.js Flaw Allows Sandbox Escape and Arbitrary Code Execution

A critical sandbox escape vulnerability has been disclosed in the popular vm2 Node.js library that, if successfully exploited, could allow attackers to run arbitrary code on the underlying operating system. The vulnerability, tracked as CVE-2026-22709, carries a CVSS score of 9.8 out of 10.0 on the CVSS scoring system.

https://thehackernews.com/2026/01/critical-vm2-nodejs-flaw-allows-sandbox.html

Network management solution HPE Aruba Fabric Composer is vulnerable

Attackers can attack systems running HPE Aruba Networking Fabric Composer with malicious code.

https://www.heise.de/news/Netzwerkmanagementloesung-HPE-Aruba-Fabric-Composer-ist-angreifbar-11156836.html

A critical GnuPG security update

There is a new GnuPG update for a "critical security bug" in recent GnuPG releases. A crafted CMS (S/MIME) EnvelopedData message carrying an oversized wrapped session key can cause a stack buffer overflow in gpg-agent during the PKDECRYPT --kem=CMS handling. This can easily be used for a DoS but, worse, the memory corruption can very likely also be used to mount a remote code execution attack. The bug was introduced while changing an internal API to the FIPS-required KEM API.

https://lwn.net/Articles/1056209/

Security updates for Wednesday

Security updates have been issued by AlmaLinux (java-1.8.0-openjdk), Debian (openssl), Fedora (assimp, chromium, curl, freerdp, gimp, and harfbuzz), Mageia (glibc, haproxy, iperf, and python-pyasn1), Red Hat (image-builder, openssl, and osbuild-composer), Slackware (mozilla), SUSE (avahi, cups, gio-branding-upstream, google-osconfig-agent, java-11-openjdk, java-17-openjdk, java-21-openjdk, kernel-firmware, libmatio-devel, libopenjp2-7, nodejs22, php8, python-python-multipart, python311-urllib3_1, qemu, and xen), and Ubuntu (ffmpeg, jaraco.context, openssl, and openssl, openssl1.0).

https://lwn.net/Articles/1056330/

Security Vulnerabilities fixed in Thunderbird 140.7.1

CSS-based exfiltration of the content from partially encrypted emails when allowing remote content.

https://www.mozilla.org/en-US/security/advisories/mfsa2026-08/

[R1] Tenable Network Monitor Version 6.5.3 Fixes Multiple Vulnerabilities

Nessus Network Monitor leverages third-party software to help provide underlying functionality. Several of the third-party components (libxml2, libxslt, expat, c-ares, curl, sqlite) were found to contain vulnerabilities, and updated versions have been made available by the providers.

https://www.tenable.com/security/tns-2026-02

Notification about the vulnerability in beat-access for Windows - Privilege Escalation Risk

A vulnerability has been identified in beat-access for Windows, a remote access software provided as part of the beat service, which may allow malicious code to be executed from the local environment. At the time of posting this notice, no attacks exploiting this vulnerability have been confirmed. However, we strongly recommend that customers using beat-access for Windows promptly update to the latest version (4.0.0 or later).

https://www.fujifilm.com/fbglobal/eng/company/news/notice/2026/0127_announce.html

CVE-2025-60021 (CVSS 9.8): Command injection in Apache bRPC heap profiler

CVE-2025-60021, a critical command injection issue in Apache bRPC's /pprof/heap profiler endpoint, was identified during broader analysis of diagnostic and debugging surfaces in the framework.

https://www.cyberark.com/resources/threat-research-blog/cve-2025-60021-cvss-9-8-command-injection-in-apache-brpc-heap-profiler

Chrome: Stable Channel Update for Desktop

http://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_27.html

Johnson Controls Products

https://www.cisa.gov/news-events/ics-advisories/icsa-26-027-04

Festo Didactic SE MES PC

https://www.cisa.gov/news-events/ics-advisories/icsa-26-027-02

iba Systems ibaPDA

https://www.cisa.gov/news-events/ics-advisories/icsa-26-027-01

Schneider Electric Zigbee Products

https://www.cisa.gov/news-events/ics-advisories/icsa-26-027-03