Daily summary - 09.01.2026

End-of-Day report

Timeframe: Thursday 08-01-2026 18:00 - Friday 09-01-2026 18:00 Handler: Felician Fuchs Co-Handler: n/a

News

VMware ESXi zero-days likely exploited a year before disclosure

Chinese-speaking threat actors used a compromised SonicWall VPN appliance to deliver a VMware ESXi exploit toolkit that seems to have been developed more than a year before the targeted vulnerabilities became publicly known.

https://www.bleepingcomputer.com/news/security/vmware-esxi-zero-days-likely-exploited-a-year-before-disclosure/

FBI warns about Kimsuky hackers using QR codes to phish U.S. orgs

The North Korean state-sponsored hacker group Kimsuky is using malicious QR codes in spearphishing campaigns that target U.S. organizations, the Federal Bureau of Investigation warns in a flash alert.

https://www.bleepingcomputer.com/news/security/fbi-warns-about-kimsuky-hackers-using-qr-codes-to-phish-us-orgs/

New China-linked hackers breach telcos using edge device exploits

A sophisticated threat actor that uses Linux-based malware to target telecommunications providers has recently broadened its operations to include organizations in Southeastern Europe.

https://www.bleepingcomputer.com/news/security/new-china-linked-hackers-breach-telcos-using-edge-device-exploits/

Defeating KASLR by Doing Nothing at All

I've recently been researching Pixel kernel exploitation and as part of this research I found myself with an excellent arbitrary write primitive, but without a KASLR leak. As necessity is the mother of all invention, on a hunch, I started researching the Linux kernel linear mapping.

https://projectzero.google/2025/11/defeating-kaslr-by-doing-nothing-at-all.html

Google Sees Spam, You See Your Site: A Cloaked SEO Spam Attack

We recently handled a case where a customer reported strange SEO behavior on their website. Regular visitors saw a normal site. No popups. No redirects. No visible spam. However, when they checked their site on Google, the search results were flooded with eBay-type-looking websites and "Situs Toto" gambling spam. This is a professional-grade SEO cloaking attack.

https://blog.sucuri.net/2026/01/google-sees-spam-you-see-your-site-a-cloaked-seo-spam-attack.html

Russian APT28 Runs Credential-Stealing Campaign Targeting Energy and Policy Organizations

Russian state-sponsored threat actors have been linked to a fresh set of credential harvesting attacks targeting individuals associated with a Turkish energy and nuclear research agency, as well as staff affiliated with a European think tank and organizations in North Macedonia and Uzbekistan.

https://thehackernews.com/2026/01/russian-apt28-runs-credential-stealing.html

Auslegungssache 150: Searching for digital traces

In the c't data protection podcast, an IT forensic examiner explains how she secures evidence after incidents, negotiates with extortionists and keeps data protection in view.

https://www.heise.de/hintergrund/Auslegungssache-150-Auf-digitaler-Spurensuche-11134668.html

From Munich to Seville: International strike against the "Black Axe" cyber mafia

In Spain, investigators dealt a heavy blow to the Nigerian cyber mafia known as "Black Axe".

https://www.heise.de/news/Von-Muenchen-bis-Sevilla-Internationaler-Schlag-gegen-Cyber-Mafia-Black-Axe-11135925.html

Who Benefited from the Aisuru and Kimwolf Botnets?

Our first story of 2026 revealed how a destructive new botnet called Kimwolf rapidly grew to infect more than two million devices by mass-compromising a vast number of unofficial Android TV streaming boxes. Today, we'll dig through digital clues left behind by the hackers, network operators, and cybercrime services that appear to have benefitted from Kimwolf's spread.

https://krebsonsecurity.com/2026/01/who-benefited-from-the-aisuru-and-kimwolf-botnets/

CPPA fines data broker selling lists of Alzheimer's patients

Datamasters bought and resold the names, addresses, phone numbers and email addresses of millions of people with Alzheimer's disease, drug addiction, bladder incontinence and other medical conditions for targeted advertising, according to the CPPA.

https://therecord.media/ccpa-fines-data-broker-selling-lists-alzheimers

Russian Hacktivists hack CCTV Cameras in Denmark

The hacktivists had recorded part of the video stream from the CCTV as proof of the hack and published it. It was reported that no individuals were identifiable on the recording.

https://www.truesec.com/hub/blog/russian-hacktivists-hack-cctv-cameras-in-denmark

Cisco switches get stuck in boot loops because of a DNS error

Administrators worldwide are apparently struggling with certain switches from the manufacturer Cisco being caught in a restart loop (boot loop). This occurs after the devices have logged a DNS client error.

https://borncity.com/blog/2026/01/09/cisco-switches-gehen-wegen-dns-fehler-in-boot-schleifen/

Hacker Behind Wired.com Leak Now Selling Full 40M Condé Nast Records

A hacker claims to be selling nearly 40 million Condé Nast user records after leaking Wired.com data, with multiple major brands allegedly affected.

https://hackread.com/wired-com-hacker-data-leak-conde-nast-records/

Threat Actors Actively Targeting LLMs

Our Ollama honeypot infrastructure captured 91,403 attack sessions between October 2025 and January 2026. Buried in that data: two distinct campaigns that reveal how threat actors are systematically mapping the expanding surface area of AI deployments.

https://www.greynoise.io/blog/threat-actors-actively-targeting-llms

Do Smart People Ever Say They're Smart? (SmarterTools SmarterMail Pre-Auth RCE CVE-2025-52691)

Welcome to 2026! While we are all waiting for the scheduled SSLVPN ITW exploitation programming that occurs every January, we're back from Christmas and idle hands, idle minds, yada yada. In December, we were alerted to a vulnerability in SmarterTools' SmarterMail solution, accompanied by an advisory from Singapore's Cyber Security Agency (CSA) - CVE-2025-52691, a pre-auth RCE that obtained full marks (10/10) on the industry's scale.

https://labs.watchtowr.com/do-smart-people-ever-say-theyre-smart-smartertools-smartermail-pre-auth-rce-cve-2025-52691/

Fake Windows Update and BSOD Alerts Used in a Tech Support Scam

While reviewing submissions received through the WordPress feedback form on my website, I came across a URL that initially appeared unremarkable. Such submissions are common and often contain benign questions or comments, but this particular link stood out enough to warrant closer inspection.

https://malwr-analysis.com/2026/01/09/fake-windows-update-and-bsod-alerts-used-in-a-tech-support-scam/

Vulnerabilities

VU#361400: BeeS Software Solutions BeeS Examination Tool (BET) portal contains SQL injection vulnerability

The BeeS Examination Tool (BET) portal from BeeS Software Solutions contains an SQL injection vulnerability in its website login functionality. More than 100 universities use the BET portal for test administration and other academic tasks.

https://kb.cert.org/vuls/id/361400

RICOH Streamline NX vulnerable to improper authorization

RICOH Streamline NX provided by Ricoh Company, Ltd. contains an improper authorization vulnerability.

https://jvn.jp/en/jp/JVN12770174/

Trend Micro Apex Central RCE Flaw Scores 9.8 CVSS in On-Prem Windows Versions

Trend Micro has released security updates to address multiple security vulnerabilities impacting on-premise versions of Apex Central for Windows, including a critical bug that could result in arbitrary code execution. The vulnerability, tracked as CVE-2025-69258, carries a CVSS score of 9.8 out of a maximum of 10.0.

https://thehackernews.com/2026/01/trend-micro-apex-central-rce-flaw.html

VLC media player: Updated version plugs numerous holes

Version 3.0.23 of the VLC media player fixes various vulnerabilities that may allow malicious code to be smuggled in.

https://www.heise.de/news/VLC-stopft-diverse-Sicherheitslecks-11135921.html

Security updates for Friday

Security updates have been issued by Debian (pdfminer and vlc), Red Hat (kernel, kernel-rt, and microcode_ctl), Slackware (libtasn1), SUSE (apptainer, curl, ImageMagick, libpcap, libvirt, libwget4, php8, podman, python311-cbor2, qemu, and rsync), and Ubuntu (gnupg, gnupg2, gpsd, libsodium, and python-tornado).

https://lwn.net/Articles/1053492/

Hitachi Energy Asset Suite

Hitachi Energy is aware of a Jasper Report vulnerability that affects the Asset Suite product versions mentioned in this document below. This vulnerability can be exploited to carry out a remote code execution (RCE) attack on the product. Please refer to the Recommended Immediate Actions for information about the mitigation/remediation.

https://www.cisa.gov/news-events/ics-advisories/icsa-26-008-01

K000159018: Linux kernel vulnerability CVE-2023-53178

A local unprivileged user may exploit this vulnerability and cause data integrity issues or system instability under specific conditions.

https://my.f5.com/manage/s/article/K000159018