Security Intelligence for Real-World Decisions
← Back to Archive

Cisco Unified CM Zero-Day Under Active Exploitation as NIST Staff Cuts Threaten Encryption Standards; Black Basta Ringleader Identified

Critical Infrastructure Intelligence Briefing

Date: Thursday, January 22, 2026

Reporting Period: January 15-22, 2026

1. Executive Summary

Major Developments

  • Active Zero-Day Exploitation: Cisco has released emergency patches for CVE-2026-20045, a critical vulnerability in Unified Communications and Webex Calling products that is being actively exploited in the wild for unauthenticated remote code execution. Organizations using these products should patch immediately.
  • NIST Workforce Reductions Impact Critical Security Functions: NIST officials disclosed that the agency has lost over 700 positions since 2025, including 89 staff members at the laboratory responsible for testing and validating government encryption standards. This raises significant concerns about the pace of cryptographic standards development and validation.
  • Black Basta Leadership Identified: European authorities have identified Oleg Evgenievich Nefedov, a 35-year-old Russian national, as the alleged ringleader of the Black Basta ransomware operation. Raids on homes of other members have been conducted, and Nefedov is now on Europol and Interpol's most-wanted lists.
  • CISA Staffing Under Congressional Scrutiny: House Homeland Security Committee members questioned CISA Acting Director Madhu Gottumukkala about staffing decisions and cutbacks affecting the agency's mission capabilities.
  • FortiGate Firewall Attacks Continue: Automated attacks are exploiting a patch bypass for a previously fixed FortiGate authentication vulnerability (CVE-2025-59718), with attackers altering firewall configurations on patched devices.

Cross-Sector Concerns

  • Multiple critical vulnerabilities disclosed across enterprise collaboration platforms (Cisco, Zoom, GitLab, Atlassian) create widespread exposure across all critical infrastructure sectors
  • North Korean threat actors expanding software supply chain targeting through fake job interview campaigns
  • AI-assisted malware development reaching new sophistication levels, lowering barriers for threat actors
  • New Global Cybersecurity Vulnerability Enumeration (GCVE) system launched as alternative to CVE program amid funding concerns

2. Threat Landscape

Nation-State Threat Actor Activities

North Korea – PurpleBravo/Contagious Interview Campaign

  • Scope: Researchers have identified 3,136 individual IP addresses linked to likely targets, with 20 potential victim organizations spanning multiple sectors including artificial intelligence, fintech, and software development
  • TTPs: Threat actors are using fake job interviews to trick victims into accessing malicious GitHub or GitLab repositories that are opened using Visual Studio Code, turning the development environment into an attack vector
  • Malware: Campaign deploys RATs and infostealers including BeaverTail
  • Target Profile: macOS developers are specifically targeted, indicating focus on software supply chain compromise
  • Source: Recorded Future, The Hacker News

U.S. Offensive Cyber Operations

  • U.S. officials have confirmed a cyber role in the Caracas blackout that occurred during operations targeting the Maduro regime in Venezuela
  • This represents a rare public acknowledgment of offensive cyber capabilities being employed in conjunction with other operations
  • Source: Homeland Security Today

Ransomware and Cybercriminal Developments

Black Basta Leadership Exposed

  • Development: Oleg Evgenievich Nefedov identified as the alleged founder and leader of Black Basta since 2022
  • Law Enforcement Action: Europol and Interpol have added Nefedov to most-wanted lists; raids conducted on homes of other members
  • Impact Assessment: While leadership identification is significant, Black Basta operations may continue under new leadership or splinter into new groups
  • Source: CyberScoop

Ransomware Negotiation Landscape

  • Industry analysis highlights the "moral gray zone" occupied by ransomware negotiators operating without industrywide rules of engagement
  • Concerns raised about the thin line between saving companies and inadvertently funding criminal enterprises
  • Source: CyberScoop

Ingram Micro Breach Confirmed

  • Technology distributor Ingram Micro has acknowledged that 42,000 individuals were impacted by a ransomware attack
  • Given Ingram Micro's role in technology supply chains, downstream impacts should be monitored
  • Source: CSO Online

Emerging Attack Vectors

AI-Assisted Malware Development

  • VoidLink Framework: A sophisticated 88,000-line Linux malware framework was developed by a single individual with AI assistance
  • Implication: This demonstrates how AI tools are dramatically lowering the barrier to entry for creating sophisticated malware, potentially enabling lone actors to produce threats previously requiring well-resourced teams
  • Source: The Hacker News, Infosecurity Magazine

AI-Powered Android Malware

  • New Android click-fraud trojans are leveraging TensorFlow machine learning models to automatically detect and interact with advertisement elements
  • Represents evolution in mobile malware sophistication
  • Source: Bleeping Computer

Misconfigured Demo Environments as Attack Vectors

  • Threat actors are exploiting misconfigured security training applications (DVWA, OWASP Juice Shop, Hackazon, bWAPP) to gain access to Fortune 500 cloud environments
  • Demo and testing environments are becoming significant backdoors into enterprise infrastructure
  • Source: Bleeping Computer, CSO Online

Phishing Campaigns

LastPass Credential Harvesting

  • Active phishing campaign impersonating LastPass with fake maintenance/backup notifications
  • Emails create urgency by requesting users "back up their vaults in the next 24 hours"
  • Campaign aims to harvest master passwords
  • Recommendation: Alert users that LastPass does not request master passwords via email; verify all communications through official channels
  • Source: Bleeping Computer, The Hacker News

3. Sector-Specific Analysis

Communications & Information Technology

Critical: Cisco Unified Communications Zero-Day (CVE-2026-20045)

  • Severity: Critical – Active exploitation confirmed
  • Affected Products: Multiple Cisco Unified Communications (CM) products and Webex Calling Dedicated Instance
  • Impact: Unauthenticated remote code execution
  • Action Required: Immediate patching
  • Source: SecurityWeek, The Hacker News, Bleeping Computer

FortiGate Firewall Patch Bypass Exploitation

  • Automated attacks are exploiting a bypass for previously patched CVE-2025-59718
  • Attackers are leveraging FortiCloud SSO to alter firewall configurations on patched devices
  • Arctic Wolf has warned of this "new cluster of automated malicious activity"
  • Recommendation: Review FortiGate configurations for unauthorized changes; implement additional monitoring
  • Source: Bleeping Computer, The Hacker News

EU High-Risk Supplier Review

  • European Commission is reviewing cybersecurity measures to limit danger from high-risk suppliers
  • Reports indicate potential moves to restrict Huawei and ZTE from European networks
  • Source: CSO Online

Healthcare & Public Health

Under Armour Data Exposure

  • 72 million email addresses have been exposed in a data breach affecting Under Armour customers
  • While primarily a retail breach, health and fitness data associated with Under Armour's MyFitnessPal and connected applications may be implicated
  • Source: Security Magazine

DHS Cyber Incidents Impact Two States

  • Two separate DHS-related cyber incidents within two weeks have exposed data of approximately 1 million individuals across two states
  • Details remain limited, but incidents highlight ongoing risks to government systems handling sensitive personal information
  • Source: Security Magazine

Financial Services

Post-Quantum Cryptography Migration Guidance

  • New report outlines practical approach to prioritizing post-quantum cryptography migration in financial services
  • Guidance comes as NIST staff cuts raise concerns about the pace of cryptographic standards development
  • Recommendation: Financial institutions should begin inventorying cryptographic assets and developing migration roadmaps
  • Source: Homeland Security Today

Peruvian Loan Scam Operation

  • Sophisticated phishing operation in Peru is harvesting card information and PINs through fake loan applications impersonating financial institutions
  • Demonstrates continued evolution of financial fraud tactics
  • Source: Infosecurity Magazine

Transportation Systems

Automotive Security Research – Pwn2Own Automotive 2026

  • Security researchers successfully hacked the Tesla Infotainment System on Day 1 of Pwn2Own Automotive 2026
  • 37 zero-day vulnerabilities demonstrated across automotive systems, with $516,500 in awards
  • Implication: Continued discovery of vulnerabilities in connected vehicle systems underscores need for robust automotive cybersecurity programs
  • Source: Bleeping Computer

Energy Sector

DOE AI Workforce Initiative

  • Department of Energy has launched a Request for Information (RFI) to train 100,000 AI-ready scientists and engineers
  • Initiative aims to build workforce capacity for AI applications in energy sector operations and security
  • Source: Homeland Security Today

Water & Wastewater Systems

WaterISAC Advisories

  • WaterISAC has released weekly vulnerability prioritization guidance for January 22, 2026
  • CISA ICS advisories and additional alerts have been compiled for water sector operators
  • Access: WaterISAC members should review TLP:AMBER and TLP:CLEAR products through the member portal
  • Source: WaterISAC

4. Vulnerability & Mitigation Updates

Critical Vulnerabilities Requiring Immediate Attention

CVE/Vulnerability Product Severity Status Action
CVE-2026-20045 Cisco Unified CM, Webex Calling Critical Active Exploitation Patch Immediately
CVE-2025-59718 Bypass Fortinet FortiGate Critical Active Exploitation Review configs; apply updates
GitLab 2FA Bypass GitLab CE/EE High Patch Available Update to latest version
Zoom RCE/DoS Flaws Zoom Products High Patch Available Update to latest version
Atlassian Multiple Vulns Atlassian Products Critical/High Patch Available Review and apply patches
Apache Tika Flaw Oracle Products Critical Patch Available Apply Oracle patches
binary-parser Bug Node.js npm library High Disclosed Review usage; await patch
Chainlit AI Flaws Chainlit Framework High Disclosed Review deployments
Anthropic Git MCP Server AI/LLM Infrastructure High Disclosed Review AI deployments

Major Patch Releases This Week

Oracle Critical Patch Update

  • Oracle has released 337 security patches, including fixes for a critical Apache Tika vulnerability
  • Organizations running Oracle products should prioritize review and deployment
  • Source: CSO Online

Atlassian, GitLab, Zoom Security Updates

  • Over two dozen vulnerabilities addressed across these platforms
  • GitLab patch addresses high-severity 2FA bypass that could allow account takeover
  • Zoom patches address RCE and DoS vulnerabilities
  • Source: SecurityWeek, The Hacker News

AI/ML Infrastructure Vulnerabilities

Chainlit AI Framework

  • Two high-severity vulnerabilities allow reading arbitrary files on servers and leaking sensitive information
  • Could enable lateral movement into cloud environments
  • Recommendation: Organizations using Chainlit for conversational AI applications should review deployments and implement additional access controls
  • Source: The Hacker News, Bleeping Computer

Anthropic Git MCP Server

  • Three vulnerabilities could allow attackers to tamper with Large Language Models (LLMs)
  • Highlights emerging attack surface in AI infrastructure
  • Source: CSO Online

Recommended Defensive Measures

  • Unified Communications: Prioritize Cisco patches; implement network segmentation for UC infrastructure
  • Firewall Management: Audit FortiGate configurations for unauthorized changes; implement change monitoring
  • Development Environments: Audit VS Code extensions and repository access; implement code signing verification
  • Demo/Test Environments: Isolate or remove internet-accessible security training applications
  • AI Infrastructure: Inventory AI/ML deployments; implement access controls and monitoring

5. Resilience & Continuity Planning

Supply Chain Security Developments

Software Supply Chain Targeting

  • North Korean PurpleBravo campaign specifically targeting software developers through fake job interviews represents continued focus on supply chain compromise
  • The use of VS Code as an attack vector demonstrates how trusted development tools can be weaponized
  • Recommendation: Implement developer security awareness training; establish policies for vetting external code repositories

Technology Distributor Breach

  • Ingram Micro breach affecting 42,000 individuals highlights risks in technology supply chains
  • Organizations should assess their exposure to Ingram Micro and monitor for potential downstream impacts

Third-Party Risk Management

Vendor Vetting Guidance

  • New guidance published on 13 cyber questions to better vet IT vendors and reduce third-party risk
  • Emphasis on frequency of cyber risk assessments as essential to effective risk management
  • Source: CSO Online

Zendesk System Abuse

  • Massive global spam wave originating from unsecured Zendesk support systems
  • Highlights risks of misconfigured SaaS platforms being abused by threat actors
  • Recommendation: Review configurations of customer-facing support platforms
  • Source: Bleeping Computer

Identity Security Evolution

  • Industry analysis emphasizes that identity security must move beyond MFA alone
  • Integration of identity threat detection with MFA recommended for comprehensive protection
  • GitLab 2FA bypass vulnerability underscores that MFA implementation flaws can create significant exposure
  • Source: SecurityWeek

AI Governance Considerations

  • Gartner predicts 50% of organizations will adopt zero trust data governance by 2028, driven partly by risk of AI model collapse
  • 73% of CISOs report being more likely to consider AI-enabled security solutions
  • Generative AI tools (including grammar checkers) identified as potential intellectual property risks
  • Source: CSO Online, Infosecurity Magazine, Security Magazine

6. Regulatory & Policy Developments

Federal Developments

DHS Spending Bill Advances

  • House Appropriations Committee has rolled out final spending bills, including DHS funding
  • Bill bolsters staffing at CISA, FEMA, and Secret Service
  • Comes amid congressional scrutiny of CISA staffing decisions
  • Source: Homeland Security Today

CISA Leadership Questioned on Staffing

  • House Homeland Security Committee grilled CISA Acting Director Madhu Gottumukkala over staffing cutbacks
  • Questions addressed both broad organizational impacts and specific capability concerns
  • Source: CyberScoop

NIST Workforce Impacts

  • NIST has shed more than 700 jobs since 2025
  • 89 positions lost at laboratory responsible for encryption testing and validation
  • Impact: Potential delays in cryptographic standards development and validation processes critical to federal and critical infrastructure security
  • Source: CyberScoop

International Developments

EU Cybersecurity Act 2.0

  • European Union has unveiled proposed update to the Cybersecurity Act
  • Aims to address challenges with current CSA, including slow rollout of certification schemes
  • Implication: Organizations operating in EU markets should monitor developments for compliance implications
  • Source: Infosecurity Magazine

EU High-Risk Supplier Restrictions

  • European Commission reviewing cybersecurity measures to limit danger from high-risk suppliers
  • Potential restrictions on Huawei and ZTE in European networks under consideration
  • Source: CSO Online

Vulnerability Management Evolution

Global Cybersecurity Vulnerability Enumeration (GCVE) Launch

  • New decentralized system for tracking software vulnerabilities has launched
  • Emerges after repeated funding crises exposed fragility of the 25-year-old CVE program
  • Offers alternative to US-led CVE system that cybersecurity defenders worldwide depend on
  • Implication: Organizations should monitor GCVE development and consider how it may complement or interact with existing CVE-based processes
  • Source: CyberScoop, Infosecurity Magazine

Election Security

  • Princeton CITP researchers have published analysis reiterating that internet voting remains too insecure for use in elections
  • Analysis comes as some jurisdictions continue to explore online voting options
  • Source: Schneier on Security

7. Training & Resource Spotlight

New Frameworks and Tools

MITRE Embedded Systems Threat Matrix (ESTM)

  • MITRE has launched a new security framework specifically for embedded systems
  • Aims to help organizations protect critical embedded systems across industrial, automotive, medical, and other sectors
  • Provides structured approach to understanding and mitigating threats to embedded devices
  • Recommendation: Organizations with significant embedded systems deployments should evaluate ESTM for integration into security programs
  • Source: SecurityWeek

Exposure Assessment Platforms

  • Gartner has recognized Exposure Assessment Platforms as an emerging category
  • Signals industry shift toward more comprehensive vulnerability and exposure management
  • Source: The Hacker News

K-12 Cybersecurity Education

  • CyberNut has closed $5M in growth capital for K-12 security awareness training
  • Investment reflects growing recognition of need for cybersecurity education at earlier stages
  • Source: SecurityWeek

AI Security Tools

aiFWall AI Firewall

  • New startup has emerged from stealth with firewall protection specifically for AI deployments
  • Uses AI to improve its own performance in protecting AI systems
  • Source: SecurityWeek

Asymmetric Security AI Forensics

  • Startup has emerged with $4.2M in funding for AI-powered forensic investigation automation
  • Platform aims to accelerate incident response through AI assistance
  • Source: SecurityWeek

Vulnerability Prioritization Guidance

  • New analysis published on vulnerability prioritization beyond CVSS scores
  • Emphasizes importance of contextual factors in determining remediation priorities
  • Source: CSO Online

UK Fraud Reporting

  • City of London Police has launched the UK's national Report Fraud service
  • Aims to streamline reporting and response to economic crime
  • Source: Infosecurity Magazine

8. Looking Ahead: Upcoming Events

Security Conferences and Events

Pwn2Own Automotive 2026 (In Progress)

  • Status: Day 1 completed January 21, 2026; event continues
  • Significance: 37 zero-days already demonstrated; additional automotive vulnerabilities expected to be disclosed
  • Action: Automotive sector organizations should monitor for disclosed vulnerabilities affecting their systems

Milano-Cortina 2026 Winter Olympics

  • Date: February 6-22, 2026
  • Security Concerns: Phishing and spoofed websites identified as primary threat vectors
  • Recommendation: Organizations should prepare for Olympics-themed phishing campaigns and potential distractions during event period
  • Source: Infosecurity Magazine

Anticipated Regulatory

Disclaimer

This briefing is generated using AI analysis of public news sources. Always verify critical information through authoritative sources before taking action.