End-of-Day report
Timeframe: Thursday 22-01-2026 18:00 - Friday 23-01-2026 18:00
Handler: Guenes Holler
Co-Handler: Michael Schlagenhaufer
News
Analysis of Single Sign On (SSO) abuse on FortiOS
Fortinet product security has identified the issue, and the company is working on a fix to remediate this occurrence. An advisory will be issued as the fix scope and timeline are available. It is important to note that while, at this time, only exploitation of FortiCloud SSO has been observed, this issue is applicable to all SAML SSO implementations. In the meantime, Fortinet recommends taking the mitigating actions described below.
https://feeds.fortinet.com/~/941387753/0/fortinet/blogs~Analysis-of-Single-Sign-On-SSO-abuse-on-FortiOS
Okta SSO accounts targeted in vishing-based data theft attacks
Okta is warning about custom phishing kits built specifically for voice-based social engineering (vishing) attacks. BleepingComputer has learned that these kits are being used in active attacks to steal Okta SSO credentials for data theft.
https://www.bleepingcomputer.com/news/security/okta-sso-accounts-targeted-in-vishing-based-data-theft-attacks/
Data leaks analyzed: passwords users had better avoid
Researchers examined around six billion passwords from several data leaks. Their report reveals patterns that occur particularly frequently.
https://www.golem.de/news/datenlecks-analysiert-solche-passwoerter-sollten-nutzer-besser-meiden-2601-204548.html
Phishing Attack Uses Stolen Credentials to Install LogMeIn RMM for Persistent Access
Cybersecurity researchers have disclosed details of a new dual-vector campaign that leverages stolen credentials to deploy legitimate Remote Monitoring and Management (RMM) software for persistent remote access to compromised hosts. [..] The attack unfolds in two distinct waves, where the threat actors leverage fake invitation notifications to steal victim credentials, and then leverage those pilfered credentials to deploy RMM tools to establish persistent access.
https://thehackernews.com/2026/01/phishing-attack-uses-stolen-credentials.html
Crims compromised energy firms' Microsoft accounts, sent 600 phishing emails
Unknown attackers are abusing Microsoft SharePoint file-sharing services to target multiple energy-sector organizations, harvest user credentials, take over corporate inboxes, and then send hundreds of phishing emails from compromised accounts to contacts inside and outside those organizations. The attackers likely used previously-compromised email addresses to gain initial access to "multiple" energy-sector organizations targeted in this campaign, according to Redmond, which detailed the digital intrusions in a Wednesday report.
https://go.theregister.com/feed/www.theregister.com/2026/01/22/crims_compromised_energy_firms_microsoft/
149 Million Usernames and Passwords Exposed by Unsecured Database
This "dream wish list for criminals" includes millions of Gmail, Facebook, banking logins, and more. The researcher who discovered it suspects they were collected using infostealing malware.
https://www.wired.com/story/149-million-stolen-usernames-passwords/
URL fritz.box has been redirecting to 91.195.240.12 since 22.1.2026
The domain fritz.box, acquired by the former AVM, now FRITZ, has apparently gone "astray" again. [..] The Whois data shows that the domain registration expired today (22.1.2026).
https://borncity.com/blog/2026/01/22/url-fritz-box-leitet-seit-22-1-2026-auf-91-195-240-12-um/
AI and security: zero-day exploits by AI are already a reality
A study shows that AIs can create complex zero-day exploits. The consequence: the search for security vulnerabilities is being successfully industrialized and scaled.
https://heise.de/-11151838
Exploit Cursor Agents to create persistent, distributed threats
Yesterday a VSCode exploit was written up. When a programmer simply opens a folder that contains a malicious tasks.json file, the malicious code will silently run from inside the editor itself - where all their work lives. That got me thinking: could I use this to re-program a developer's AI agents and get them to do what I want? Even worse - could I do this to all their code repositories? Turns out: hell yes.
https://ike.io/open-a-folder-all-your-agents-are-mine/
Vulnerabilities
Security updates for Friday
Security updates have been issued by AlmaLinux (kernel), Debian (bind9, chromium, osslsigncode, and python-urllib3), Fedora (freerdp, ghostscript, hcloud, rclone, rust-rkyv0.7, rust-rkyv_derive0.7, and vsftpd), Mageia (avahi and harfbuzz), SUSE (alloy, avahi, busybox, cargo-c, corepack22, corepack24, curl, docker, dpdk, exiv2-0_26, ffmpeg-4, firefox, glib2, go1.24, go1.25, gpg2, haproxy, kernel, kernel-firmware, keylime, libpng16, librsvg, libsodium, libsoup, libsoup2, libtasn1, log4j, net-snmp, open-vm-tools, openldap2_5, ovmf, pgadmin4, php7, podman, python-filelock, python-marshmallow, python-pyasn1, python-tornado, python-urllib3, python-virtualenv, python3, python311-pyasn1, python311-weasyprint, rust1.91, rust1.92, util-linux, webkit2gtk3, and wireshark), and Ubuntu (libxml2 and pyasn1).
https://lwn.net/Articles/1055671/
Video conferencing software: Zoom Node a possible entry point for malicious code attacks
In a security advisory, the developers state that the now-closed vulnerability (CVE-2026-22844) is rated with the threat level "critical". The vulnerability specifically affects the Multimedia Routers (MMRs) component. For an attack to succeed, an attacker must be a participant in a meeting. If that is the case, they can execute malicious code in a way that is not described in more detail.
https://heise.de/-11151434
Rockwell Automation CompactLogix 5370
https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-03
Schneider Electric EcoStruxure Process Expert
https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-01
EVMAPA
https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-08
Weintek cMT X Series HMI EasyWeb Service
https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-05
Delta Electronics DIAView
https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-07
Johnson Controls Inc. iSTAR Configuration Utility (ICU) tool
https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-04
AutomationDirect CLICK Programmable Logic Controller
https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-02
Hubitat Elevation Hubs
https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-06