End-of-Day report
Timeframe: Monday 12-01-2026 18:00 - Tuesday 13-01-2026 18:00
Handler: Felician Fuchs
Co-Handler: n/a
News
Target's dev server offline after hackers claim to steal source code
Hackers are claiming to be selling internal source code belonging to Target Corporation, after publishing what appears to be a sample of stolen code repositories on a public software development platform. After BleepingComputer notified Target, the files were taken offline and the retailer's developer Git server was inaccessible.
https://www.bleepingcomputer.com/news/security/targets-dev-server-offline-after-hackers-claim-to-steal-source-code/
CISA orders feds to patch Gogs RCE flaw exploited in zero-day attacks
CISA has ordered government agencies to secure their systems against a high-severity Gogs vulnerability that was exploited in zero-day attacks.
https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-gogs-rce-flaw-exploited-in-zero-day-attacks/
Facebook login thieves now using browser-in-browser trick
Hackers over the past six months have relied increasingly more on the browser-in-the-browser (BitB) method to trick users into providing Facebook account credentials.
https://www.bleepingcomputer.com/news/security/facebook-login-thieves-now-using-browser-in-browser-trick/
Convincing LinkedIn comment-reply tactic used in new phishing
Scammers are flooding LinkedIn posts with fake "reply" comments that appear to come from the platform, warning of bogus policy violations and urging users to click external links. Some even abuse LinkedIn's official lnkd.in shortener, making the phishing attempts harder to spot.
https://www.bleepingcomputer.com/news/security/convincing-linkedin-comment-reply-tactic-used-in-new-phishing/
What we know about Iran's Internet shutdown
Cloudflare Radar data shows Internet traffic from Iran has effectively dropped to zero since January 8, signaling a complete shutdown in the country and disconnection from the global Internet.
https://blog.cloudflare.com/iran-protests-internet-shutdown/
GoBruteforcer Botnet Targets 50K-plus Linux Servers
Researchers detailed a souped-up version of the GoBruteforcer botnet that preys on servers with weak credentials and AI-generated configurations.
https://www.darkreading.com/threat-intelligence/gobruteforcer-botnet-targets-50k-plus-linux-servers
10-point paper: BDEW calls for measures to protect critical infrastructure
In a position paper, the Bundesverband der Energie- und Wasserwirtschaft (BDEW) calls for strengthening the resilience of critical infrastructures.
https://www.golem.de/news/10-punkte-papier-bdew-fordert-massnahmen-zum-schutz-kritischer-infrastruktur-2601-204140.html
n8n Supply Chain Attack Abuses Community Nodes to Steal OAuth Tokens
Threat actors have been observed uploading a set of eight packages on the npm registry that masqueraded as integrations targeting the n8n workflow automation platform to steal developers' OAuth credentials.
https://thehackernews.com/2026/01/n8n-supply-chain-attack-abuses.html
New Malware Campaign Delivers Remcos RAT Through Multi-Stage Windows Attack
Cybersecurity researchers have disclosed details of a new campaign dubbed SHADOW#REACTOR that employs an evasive multi-stage attack chain to deliver a commercially available remote administration tool called Remcos RAT and establish persistent, covert remote access.
https://thehackernews.com/2026/01/new-malware-campaign-delivers-remcos.html
New Advanced Linux VoidLink Malware Targets Cloud and Container Environments
Cybersecurity researchers have disclosed details of a previously undocumented and feature-rich malware framework codenamed VoidLink that's specifically designed for long-term, stealthy access to Linux-based cloud environments.
https://thehackernews.com/2026/01/new-advanced-linux-voidlink-malware.html
Businesses in 2026: Maybe we should finally look into that AI security stuff
Survey finds security checks nearly doubled in a year as leaders wise up. The number of organizations that have implemented methods for identifying security risks in the AI tools they use has almost doubled in the space of a year.
https://www.theregister.com/2026/01/12/ai_security_wef_survey/
Mandiant open sources tool to prevent leaky Salesforce misconfigs
AuraInspector automates the most common abuses and generates fixes for customers. Mandiant has released an open source tool to help Salesforce admins detect misconfigurations that could expose sensitive data.
https://www.theregister.com/2026/01/13/mandiant_salesforce_tool/
Dutch cops cuff alleged AVCheck malware kingpin in Amsterdam
33-year-old was under surveillance for some time before returning home from the UAE. Dutch police believe they have arrested a man behind the AVCheck online platform - a service used by cybercrims that Operation Endgame shuttered in May.
https://www.theregister.com/2026/01/13/avcheck_arrest/
Start of the first ESC ticket wave: beware of dubious offers!
It is finally here: presales for the Eurovision Song Contest 2026 have begun! But fans should be particularly careful, because dubious providers are trying to make a profit outside the official sales platforms.
https://www.watchlist-internet.at/news/start-der-ersten-esc-ticketwelle-vorsicht-vor-unserioesen-angeboten/
New phishing wave: outstanding payments to the tax office
Once again, criminals are posing as the Bundesministerium für Finanzen (Federal Ministry of Finance). They are currently targeting both private individuals and companies. In both cases, allegedly outstanding payments are to be settled by bank transfer - to an account abroad.
https://www.watchlist-internet.at/news/phishing-ausstehende-zahlungen-finanzamt/
Latin America Sees Sharpest Rise in Cyber Attacks in December 2025 as Ransomware Activity Accelerates
In December 2025, organizations experienced an average of 2,027 cyber attacks per organization per week. This represents a 1% month-over-month increase and a 9% year-over-year increase. While overall growth remained moderate, Latin America recorded the sharpest regional increase, with organizations experiencing an average of 3,065 attacks per week, a 26% increase year over year.
https://blog.checkpoint.com/research/latin-america-sees-sharpest-rise-in-cyber-attacks-in-december-2025-as-ransomware-activity-accelerates/
VoidLink: The Cloud-Native Malware Framework Weaponizing Linux Infrastructure
Key Points: VoidLink is a cloud-native Linux malware framework built to maintain long-term, stealthy access to cloud infrastructure rather than targeting individual endpoints. It reflects a shift in attacker focus away from Windows systems toward the Linux environments that power cloud services and critical operations. Its modular, plug-in-driven design allows threat actors to customize capabilities over time, expanding attacks quietly as objectives evolve.
https://blog.checkpoint.com/research/voidlink-the-cloud-native-malware-framework-weaponizing-linux-infrastructure/
Sweden detains ex-military IT consultant suspected of spying for Russia
A 33-year-old former IT consultant for Sweden's Armed Forces has been detained on suspicions of spying for Russian intelligence, Swedish prosecutors said.
https://therecord.media/sweden-detains-it-consultant-russia
0patch micropatch for CredSSP vulnerability CVE-2025-47987
A small addendum from last week, ahead of the January 2026 Patch Tuesday: ACROS Security has released a 0patch micropatch for an Elevation of Privilege (EoP) vulnerability, CVE-2025-47987, in the Credential Security Support Provider Protocol (CredSSP).
https://borncity.com/blog/2026/01/13/0patch-micropatch-fuer-credssp-schwachstelle-cve-2025-47987/
End of support for Microsoft products in 2026
The year 2026 brings several dates on which support ends for users of Microsoft products. This ranges from various Windows versions that will then no longer receive updates to Microsoft Office 2021.
https://borncity.com/blog/2026/01/13/end-of-support-fuer-microsoft-produkte-in-2026/
Russian BlueDelta (Fancy Bear) Uses PDFs to Steal Logins in Just 2 Seconds
New research from Recorded Future reveals how Russian state hackers (BlueDelta) are using fake Microsoft and Google login portals to steal credentials. The campaign involves using legitimate PDF lures from GRC and EcoClimate to trick victims.
https://hackread.com/russian-bluedelta-fancy-bear-pdfs-steal-login/
Widespread Magecart Campaign Targets Users of All Major Credit Cards
Researchers at Silent Push have exposed a global Magecart campaign stealing credit card data since 2022. Learn how this invisible web-skimming attack targets major networks like Mastercard and Amex, and how to stay safe.
https://hackread.com/magecart-targets-all-credit-cards-users/
K7 Antivirus: Named pipe abuse, registry manipulation and privilege escalation (CVE-2025-67826)
When hunting for privilege escalation vulnerabilities, named pipes are a goldmine. Antivirus products often use named pipes to allow unprivileged users to trigger privileged operations, making them especially promising targets for this class of vulnerability.
http://blog.quarkslab.com/k7-antivirus-named-pipe-abuse-registry-manipulation-and-privilege-escalation.html
How GitHub could secure npm
In 2025, npm experienced an unprecedented number of compromised packages in a series of coordinated attacks on the JavaScript open source supply chain. These packages ranged from crypto-stealing malware to credential-stealing exploits. While GitHub announced changes to address these attacks, many maintainers (myself included) found the response insufficient.
https://humanwhocodes.com/blog/2026/01/how-github-could-secure-npm/
Shai Hulud 2.0 Campaign
Shai-Hulud 2.0 represents one of the most severe supply chain compromises observed in the modern cloud-native ecosystem.
The campaign involved the manipulation of hundreds of publicly available packages and specifically targeted developer workstations, CI/CD pipelines, and cloud workloads to harvest credentials and sensitive configuration data.
https://detect.fyi/shai-hulud-2-0-campaign-be390e502f28?source=rssd5fd8f494f6a4
Malicious Chrome Extension Steals MEXC API Keys for Account Takeover
Socket's Threat Research Team identified a malicious Chrome extension, MEXC API Automator, published to the Chrome Web Store on September 1, 2025, by a threat actor under the alias jorjortan142.
https://socket.dev/blog/malicious-chrome-extension-steals-mexc-api-keys?utm_medium=feed
Fixing ESC1 - Enrollee supplies subject and template allows client authentication
ADCS misconfigurations are one of the most common privilege escalation vectors we encounter. This article covers steps to remediate ESC1 flaws.
https://projectblack.io/blog/fixing-esc1-enrollee-supplies-subject-and-template-allows-client-authentication/
Lack of isolation in agentic browsers resurfaces old vulnerabilities
With browser-embedded AI agents, we're essentially starting the security journey over again. We exploited a lack of isolation mechanisms in multiple agentic browsers to perform attacks ranging from the dissemination of false information to cross-site data leaks.
https://blog.trailofbits.com/2026/01/13/lack-of-isolation-in-agentic-browsers-resurfaces-old-vulnerabilities/
Vulnerabilities
Unauthenticated access to local configuration
CVSSv3 Score: 9.3. An exposure of sensitive information to an unauthorized actor [CWE-200] vulnerability in FortiFone Web Portal page may allow an unauthenticated attacker to obtain the device configuration via crafted HTTP or HTTPS requests.
https://fortiguard.fortinet.com/psirt/FG-IR-25-260
Unauthenticated remote command injection
CVSSv3 Score: 9.4. An improper neutralization of special elements used in an OS command (OS Command Injection) vulnerability [CWE-78] in FortiSIEM may allow an unauthenticated attacker to execute unauthorized code or commands via crafted TCP requests.
https://fortiguard.fortinet.com/psirt/FG-IR-25-772
SAP Security Patch Day January 2026
SAP has released its January 2026 security patch package containing 17 security notes addressing critical vulnerabilities across enterprise SAP environments. This release includes four HotNews vulnerabilities with CVSS ratings up to 9.9, four High priority issues, seven Medium priority fixes, and two Low priority updates. The patches affect SAP S/4HANA, SAP HANA database, SAP NetWeaver, SAP Wily Introscope, and various application components.
https://redrays.io/blog/sap-security-patch-day-january-2026/
TinyWeb: Windows web server allows code injection
The lightweight TinyWeb web server for Windows lets attackers from the network inject arbitrary code. An update fixes this.
https://www.heise.de/news/TinyWeb-Windows-Web-Server-ermoeglicht-Codeschmuggel-11138924.html
TYPO3-CORE-SA-2026-003: Broken Access Control in Recycler Module
It has been discovered that TYPO3 CMS is susceptible to broken access control.
https://typo3.org/security/advisory/typo3-core-sa-2026-003
ServiceNow Patches Critical AI Platform Flaw Allowing Unauthenticated User Impersonation
ServiceNow has disclosed details of a now-patched critical security flaw impacting its ServiceNow AI Platform that could enable an unauthenticated user to impersonate another user and perform arbitrary actions as that user. The vulnerability, tracked as CVE-2025-12420, carries a CVSS score of 9.3 out of 10.0.
https://thehackernews.com/2026/01/servicenow-patches-critical-ai-platform.html
Security updates for Tuesday
Security updates have been issued by AlmaLinux (mariadb10.11, mariadb:10.11, mariadb:10.3, mariadb:10.5, and tar), Debian (net-snmp), Fedora (coturn, NetworkManager-l2tp, openssh, and tuxanci), Mageia (libtasn1), Oracle (buildah, cups, httpd, kernel, libpq, libsoup, libsoup3, mariadb:10.11, mariadb:10.3, openssl, and podman), SUSE (cpp-httplib, ImageMagick, libtasn1, python-cbor2, util-linux, valkey, and wget2), and Ubuntu (google-guest-agent, linux-iot, and python-urllib3).
https://lwn.net/Articles/1053988/
Remote Code Execution With Modern AI/ML Formats and Libraries
We identified remote code execution vulnerabilities in open-source AI/ML libraries published by Apple, Salesforce and NVIDIA.
https://unit42.paloaltonetworks.com/rce-vulnerabilities-in-ai-python-libraries/
YoSmart YoLink Smart Hub
https://www.cisa.gov/news-events/ics-advisories/icsa-26-013-03
Rockwell Automation FactoryTalk DataMosaix Private Cloud
https://www.cisa.gov/news-events/ics-advisories/icsa-26-013-02
Rockwell Automation 432ES-IG3 Series A
https://www.cisa.gov/news-events/ics-advisories/icsa-26-013-01
Security Vulnerabilities fixed in Firefox 147
https://www.mozilla.org/en-US/security/advisories/mfsa2026-01/