Cisco Zero-Day Under Active Exploitation as FortiGate Firewalls Face Automated Attack Wave; Energy Sector Targeted in Multi-Stage BEC Campaign

Critical Infrastructure Intelligence Briefing

Report Date: Friday, January 23, 2026

Reporting Period: January 16-23, 2026


1. Executive Summary

This week's threat landscape presents significant challenges for critical infrastructure operators, with multiple actively exploited vulnerabilities requiring immediate attention and sophisticated campaigns targeting the energy sector.

Major Developments

  • Critical Cisco Zero-Day (CVE-2026-20045): Cisco has patched a critical vulnerability in Unified Communications Manager and Webex Calling that is under active exploitation, enabling unauthenticated remote code execution. Organizations using these products must patch immediately.
  • FortiGate Firewall Campaign: Arctic Wolf has identified a new wave of automated attacks targeting Fortinet FortiGate devices, with threat actors bypassing FortiCloud SSO authentication to create rogue accounts and exfiltrate firewall configurations. This represents a significant perimeter security threat across all sectors.
  • Energy Sector BEC Campaign: Microsoft has disclosed a multi-stage adversary-in-the-middle (AitM) phishing and business email compromise campaign specifically targeting energy sector organizations, highlighting continued nation-state and criminal interest in this critical sector.
  • New Ransomware Strain Emerges: The Osiris ransomware family has been identified using the POORTRY driver in Bring Your Own Vulnerable Driver (BYOVD) attacks, with a major food service operator in Southeast Asia among confirmed victims.
  • NIST Staff Reductions Impact Encryption Standards: NIST officials have detailed the impact of over 700 job cuts since 2025, including 89 positions at the laboratory responsible for testing and validating government encryption—a development with long-term implications for cryptographic standards.

Cross-Sector Vulnerabilities

  • Critical GNU InetUtils telnetd vulnerability (CVE-2026-24061, CVSS 9.8) allows authentication bypass and root access—unpatched for nearly 11 years
  • GitLab 2FA bypass vulnerability enables account takeover
  • SmarterMail authentication bypass being exploited within 48 hours of patch release
  • Zero-day exploits now account for nearly 30% of vulnerabilities attacked before public disclosure

2. Threat Landscape

Nation-State and Advanced Threat Actor Activities

Energy Sector Targeting: Microsoft's threat intelligence team has identified a sophisticated multi-stage attack campaign targeting energy sector organizations. The campaign combines:

  • Adversary-in-the-middle (AitM) phishing techniques to intercept credentials
  • Business email compromise (BEC) tactics for financial fraud and data theft
  • Abuse of legitimate services to evade detection

Source: The Hacker News

Surveillance Technology Abuse: Citizen Lab researchers have documented the Jordanian government's use of Cellebrite phone-cracking technology against activists during Gaza protests, raising concerns about the proliferation of surveillance capabilities and potential human rights implications.

Source: CyberScoop

Chinese State-Sponsored Activity: WaterISAC has shared a fusion center report (TLP:AMBER) highlighting recent threat activity from a Chinese state-sponsored threat actor targeting critical infrastructure. Members are encouraged to review this intelligence through appropriate channels.

Ransomware and Cybercriminal Developments

Osiris Ransomware Emergence: A new ransomware family dubbed "Osiris" has been identified following an attack on a major food service franchisee operator in Southeast Asia in November 2025. Key characteristics include:

  • Use of the POORTRY driver in Bring Your Own Vulnerable Driver (BYOVD) attacks
  • Sophisticated evasion techniques leveraging legitimate but vulnerable drivers
  • Targeting of food service and hospitality sectors

Source: The Hacker News

Ransomware Leader Guilty Plea: Ianis Antropenko, a Russian national residing in California, has pleaded guilty to leading a ransomware crew responsible for attacks against at least 50 victims over four years. He faces up to 25 years in prison.

Source: CyberScoop

INC Ransomware OPSEC Failure: An operational security failure by the INC ransomware gang allowed researchers to recover data stolen from 12 U.S. organizations—a rare positive outcome demonstrating the value of threat intelligence and incident response capabilities.

Sources: CSO Online, Bleeping Computer

ATM Jackpotting Convictions: Two Venezuelan nationals have been convicted in the U.S. for their role in ATM jackpotting attacks using malware. Dozens of Venezuelan nationals have been charged in connection with these financially motivated attacks.

Source: SecurityWeek

Emerging Attack Vectors and TTPs

Vishing Attacks with Custom Phishing Kits: Okta has issued a warning about custom phishing kits specifically designed for voice-based social engineering (vishing) attacks targeting SSO accounts. These kits are being actively used to steal credentials through phone-based deception.

Source: Bleeping Computer

AI-Generated Malware: Security researchers have identified "VoidLink" malware that was almost entirely created using artificial intelligence, demonstrating the lowering barrier to entry for malware development.

Source: CSO Online

Linux Page Cache Attack Optimization: Researchers at Graz University of Technology have revived and optimized Linux page cache attacks, potentially enabling new side-channel exploitation techniques.

Source: SecurityWeek

Hacktivist Activity Assessment

WaterISAC reports that hacktivist activity targeting critical infrastructure surged significantly in 2025 and is likely to remain a significant threat throughout 2026. Infrastructure operators should maintain heightened awareness for ideologically motivated attacks, particularly during periods of geopolitical tension or significant news events.


3. Sector-Specific Analysis

Energy Sector

PRIORITY ALERT: The energy sector faces elevated threat levels this week due to the Microsoft-disclosed multi-stage AitM phishing and BEC campaign specifically targeting energy organizations.

Recommended Actions:

  • Implement phishing-resistant MFA (FIDO2/WebAuthn) where possible
  • Review email security controls and AitM detection capabilities
  • Conduct targeted awareness training on BEC indicators
  • Verify financial transaction approval processes include out-of-band verification
  • Monitor for indicators of compromise associated with this campaign

Perimeter Security: Energy sector organizations using Fortinet FortiGate devices should immediately review the FortiGate attack campaign details in Section 4 and implement recommended mitigations.

Water and Wastewater Systems

Threat Intelligence: WaterISAC has released multiple advisories this week relevant to the sector:

  • TLP:GREEN: Security & Resilience Update covering hacktivist activity surge and severe winter weather forecasts
  • TLP:AMBER: Fusion center report on Chinese state-sponsored threat actor activity
  • TLP:AMBER: Report examining the enduring risk of fire as a weapon and arson-related crime
  • TLP:CLEAR: Severe winter weather forecast impacting large portions of the U.S.

Weather Preparedness: Severe winter weather is forecast to impact large portions of the United States. Water and wastewater utilities should review cold weather operational procedures and ensure backup power systems are tested and ready.

Resource Highlight: FEMA's PrepToolkit offers emergency managers and infrastructure operators valuable preparedness and resilience resources. WaterISAC members are encouraged to leverage these tools.

Communications and Information Technology

Critical Vulnerabilities:

  • Cisco Unified CM/Webex (CVE-2026-20045): Actively exploited zero-day requiring immediate patching
  • GitLab 2FA Bypass: Authentication protection can be circumvented, enabling account takeover
  • Atlassian, GitLab, Zoom Patches: Over two dozen vulnerabilities addressed, including critical and high-severity bugs

Cloud Security: Security Magazine reports that customer-managed business cloud environments are being actively targeted and exploited, with security vendors and Fortune 500 companies among those affected. Organizations should review cloud security configurations and access controls.

Zendesk Abuse: A massive global spam wave is originating from unsecured Zendesk support systems, with victims receiving hundreds of alarming emails. Organizations using Zendesk should review security configurations.

Transportation Systems

TSA Developments:

  • TSA PreCheck Touchless ID: Now available at Boston Logan International Airport, expanding biometric screening capabilities
  • Data Sharing Lawsuit: A watchdog group has filed suit over TSA's data sharing agreement with ICE, following Congressional testimony defending the practice as critical to national security

Infrastructure Investment: The U.S. Transportation Department and Maryland have reached an agreement to fast-track major bridge rebuilds, demonstrating continued focus on transportation infrastructure resilience.

Healthcare and Public Health

Vulnerability Exposure: Healthcare organizations using the affected Cisco Unified Communications products should prioritize patching CVE-2026-20045 given the active exploitation and the sector's reliance on these communication systems for patient care coordination.

Supply Chain Considerations: The Osiris ransomware attack on a food service operator highlights risks to healthcare food service contractors and the broader healthcare supply chain.

Financial Services

BEC Threat: While the Microsoft-disclosed BEC campaign primarily targets energy, financial services organizations should review their defenses against similar multi-stage AitM attacks, as these techniques are commonly adapted across sectors.

Credential Theft: The LastPass phishing campaign attempting to steal master passwords through fake backup requirement emails represents a significant threat to organizations using password management solutions. LastPass confirms it would never require such actions from users.

Source: Infosecurity Magazine

Food and Agriculture

Ransomware Alert: The Osiris ransomware attack on a major food service franchisee operator in Southeast Asia highlights continued targeting of the food and agriculture sector. Organizations should review ransomware preparedness and BYOVD attack mitigations.


4. Vulnerability and Mitigation Updates

Critical Vulnerabilities Requiring Immediate Attention

CVE              | Product                         | CVSS          | Status             | Priority
-----------------|---------------------------------|---------------|--------------------|----------
CVE-2026-20045   | Cisco Unified CM, Webex Calling | Critical      | ACTIVELY EXPLOITED | IMMEDIATE
CVE-2026-24061   | GNU InetUtils telnetd           | 9.8           | Public             | IMMEDIATE
N/A (unassigned) | SmarterMail                     | High          | ACTIVELY EXPLOITED | HIGH
Multiple         | Fortinet FortiGate              | Varies        | Under Attack       | HIGH
Multiple         | GitLab                          | High          | Patched            | HIGH
Multiple         | Atlassian Products              | Critical/High | Patched            | HIGH
Multiple         | Zoom                            | Varies        | Patched            | MEDIUM

Cisco Unified Communications Zero-Day (CVE-2026-20045)

Impact: Unauthenticated remote code execution

Affected Products: Cisco Unified Communications Manager, Webex Calling Dedicated Instance

Status: Patches available; active exploitation confirmed

Recommended Actions:

  • Apply vendor patches immediately following version-specific guidance
  • If patching is not immediately possible, implement network segmentation to limit exposure
  • Monitor for indicators of compromise
  • Review logs for evidence of prior exploitation

Sources: SecurityWeek, The Hacker News, CSO Online

FortiGate Firewall Attack Campaign

Attack Vector: Automated attacks bypassing FortiCloud SSO login authentication

Impact: Creation of rogue accounts, firewall configuration theft and modification

Attribution: Unknown; characterized as automated malicious activity

Recommended Actions:

  • Audit FortiGate device configurations for unauthorized changes
  • Review and remove any unrecognized administrative accounts
  • Implement additional authentication controls beyond FortiCloud SSO
  • Enable comprehensive logging and forward to SIEM
  • Consider restricting management interface access to trusted networks
  • Apply latest firmware updates from Fortinet

Sources: SecurityWeek, The Hacker News, Bleeping Computer
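
One way to carry out the first two recommended actions (audit the configuration, review administrative accounts) is to compare the admin table of a configuration export against an approved baseline. The script below is an added example written for this briefing, not Fortinet's code; it assumes the FortiOS CLI export syntax (`config system admin` / `edit "<name>"` / `set accprofile ...` / `set trusthostN ...`), and the sample configuration and approved list are constructed for illustration.

```python
"""Flag FortiGate administrator accounts that are not in an approved baseline.

Added example for the briefing above; not Fortinet's own tooling. Parses the
``config system admin`` block of a FortiOS-style configuration export and
reports (a) accounts absent from the approved list, which is how a rogue
account created through a compromised login would surface, and (b) accounts
with no ``trusthost`` restriction on where they may log in from.
"""
import re

# Constructed sample export; hostnames, accounts and addresses are illustrative.
SAMPLE_CONFIG = """\
config system global
    set hostname "fw-edge-01"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 10.0.0.0 255.255.255.0
    next
    edit "netops"
        set accprofile "prof_admin"
        set vdom "root"
    next
    edit "support_tmp"
        set accprofile "super_admin"
        set vdom "root"
    next
end
"""

APPROVED_ADMINS = {"admin", "netops"}   # constructed baseline from change records


def parse_admin_accounts(config_text):
    """Return {account_name: {setting: value}} for the config system admin block."""
    accounts, current, in_admin, depth = {}, None, False, 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if not in_admin:
            in_admin = line == "config system admin"
            continue
        if line.startswith("config "):      # nested sub-table inside an entry
            depth += 1
            continue
        if line == "end":
            if depth:                       # closes a nested sub-table
                depth -= 1
                continue
            break                           # closes config system admin
        if depth:
            continue                        # ignore nested sub-table settings
        m = re.match(r'edit "([^"]+)"$', line)
        if m:
            current = m.group(1)
            accounts[current] = {}
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            accounts[current][key] = value.strip('"')
    return accounts


def audit_admins(config_text, approved):
    """Return (account, issue, accprofile) tuples for accounts needing review."""
    findings = []
    for name, settings in parse_admin_accounts(config_text).items():
        profile = settings.get("accprofile", "unknown")
        if name not in approved:
            findings.append((name, "not in approved baseline", profile))
        if not any(k.startswith("trusthost") for k in settings):
            findings.append((name, "no trusthost restriction", profile))
    return findings


if __name__ == "__main__":
    for name, issue, profile in audit_admins(SAMPLE_CONFIG, APPROVED_ADMINS):
        print(f"{name}: {issue} (accprofile={profile})")
```

Run it against a real `show full-configuration` export and a baseline kept outside the device; any account it reports should be reconciled with change records before it is removed.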

GNU InetUtils Telnet Daemon (CVE-2026-24061)

Impact: Authentication bypass allowing root access

CVSS Score: 9.8 (Critical)

Note: This vulnerability went unnoticed for nearly 11 years

Recommended Actions:

  • Identify any systems running GNU InetUtils telnetd
  • Apply patches immediately or disable telnet services
  • Migrate to SSH for remote administration where telnet is still in use
  • Audit network for unauthorized telnet services

Sources: The Hacker News, CSO Online

SmarterMail Authentication Bypass

Impact: Admin password reset, account hijacking

Status: Exploitation began within 48 hours of patch release

Recommended Actions:

  • Apply patches immediately
  • Review admin accounts for unauthorized access
  • Check for evidence of password reset exploitation
  • Implement additional access controls for administrative functions

Sources: The Hacker News, Bleeping Computer

Additional Patches Released This Week

  • Atlassian: Multiple products patched for critical and high-severity vulnerabilities
  • GitLab: Fixed a bypass of 2FA login protection that enabled account takeover
  • Zoom: Security patches for multiple vulnerabilities
  • RealHomes CRM Plugin: WordPress plugin flaw affecting 30,000+ sites patched
  • Appsmith: Critical flaw enabling account takeover via password reset process

Sources: SecurityWeek, CSO Online, Infosecurity Magazine

Zero-Day Exploitation Trends

VulnCheck analysts report that vulnerabilities exploited before public disclosure rose from 23.6% in 2024 to 28.96% in 2025. This trend underscores the importance of:

  • Defense-in-depth strategies that don't rely solely on patching
  • Behavioral detection capabilities
  • Network segmentation to limit blast radius
  • Rapid patch deployment processes when fixes become available

Source: Infosecurity Magazine


5. Resilience and Continuity Planning

Lessons Learned: INC Ransomware Data Recovery

An operational security failure by the INC ransomware gang enabled researchers to recover data stolen from 12 U.S. organizations. Key takeaways:

  • Threat Intelligence Value: Active monitoring of threat actor infrastructure can yield recovery opportunities
  • Incident Response Partnerships: Collaboration between victims, researchers, and law enforcement can produce positive outcomes
  • Don't Assume Data is Lost: Even after exfiltration, recovery may be possible through various means

Severe Winter Weather Preparedness

Multiple states have declared emergencies ahead of forecast severe winter weather:

  • South Carolina: State of emergency declared
  • Mississippi: Emergency Management Agency encouraging citizen preparedness
  • Washington State: Requesting $21 million in FEMA aid for flood victims

Infrastructure Operator Recommendations:

  • Test backup power systems and fuel supplies
  • Review cold weather operational procedures
  • Ensure remote work capabilities are functional
  • Pre-position response resources and personnel
  • Coordinate with local emergency management
  • Review mutual aid agreements

Supply Chain Security

PyPI Malicious Package: A malicious package impersonating the SymPy library was discovered deploying XMRig cryptocurrency miners on Linux hosts. This highlights ongoing software supply chain risks.

Recommendations:

  • Implement software composition analysis (SCA) tools
  • Verify package authenticity before installation
  • Use private package repositories with vetting processes
  • Monitor systems for unexpected cryptocurrency mining activity
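
The second recommendation (verify package authenticity before installation) can be enforced at the requirements-file stage. The script below is an added example, not part of the briefing or of any project it mentions: it checks that every pip requirement is pinned to an exact version with a `--hash=sha256:` entry (which `pip install --require-hashes` then enforces), and flags names within a small edit distance of a trusted package name, the pattern behind a package impersonating SymPy. The trusted list, versions and hash values are constructed placeholders.

```python
"""Pre-install checks for a pip requirements file.

Added example for the supply-chain section above. Two controls:
  1. every requirement must be pinned with == and carry a sha256 hash;
  2. a name close to, but not equal to, a trusted package name is flagged
     as a possible impersonation (normalised per PEP 503 before comparing).
"""
import re

TRUSTED_NAMES = {"sympy", "numpy", "requests"}   # constructed allowlist
LOOKALIKE_MAX_DISTANCE = 2                       # edit distance that counts as a lookalike

# Constructed sample; versions and hash digests are placeholders, not real values.
SAMPLE_REQUIREMENTS = """\
# constructed requirements file
sympy==1.0.0 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
numpy==1.0.0
sympi==1.0.0 --hash=sha256:1111111111111111111111111111111111111111111111111111111111111111
"""

REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([^\s;]+)(.*)$")


def normalize(name):
    """PEP 503 name normalisation: lowercase, runs of -_. collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a, b):
    """Levenshtein distance between two strings (standard dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_requirements(text, trusted):
    """Return (requirement, issue) tuples; an empty list means the file passed."""
    findings = []
    trusted_norm = {normalize(t): t for t in trusted}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        m = REQ_RE.match(line)
        if not m:
            findings.append((line, "not pinned to an exact version with =="))
            continue
        name, _version, rest = m.groups()
        if "--hash=sha256:" not in rest:
            findings.append((name, "no sha256 hash (cannot use --require-hashes)"))
        norm = normalize(name)
        if norm not in trusted_norm:
            for t_norm, t in trusted_norm.items():
                if edit_distance(norm, t_norm) <= LOOKALIKE_MAX_DISTANCE:
                    findings.append((name, f"lookalike of trusted package {t}"))
    return findings


if __name__ == "__main__":
    for req, issue in check_requirements(SAMPLE_REQUIREMENTS, TRUSTED_NAMES):
        print(f"{req}: {issue}")
```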

FEMA PrepToolkit Resources

FEMA's PrepToolkit offers emergency managers and infrastructure operators comprehensive preparedness and resilience resources. Infrastructure operators are encouraged to leverage these tools for:

  • Exercise planning and execution
  • Continuity of operations planning
  • Risk assessment frameworks
  • Training and awareness materials

6. Regulatory and Policy Developments

NIST Staff Reductions Impact Encryption Standards

NIST officials have detailed the significant impact of staff reductions on the agency's critical missions:

  • Total Job Losses: Over 700 positions since 2025
  • Encryption Impact: 89 positions cut at the laboratory responsible for testing and validating government encryption
  • Implications: Potential delays in cryptographic standards development and validation

Infrastructure Operator Considerations:

  • Monitor for delays in NIST cryptographic module validation (CMVP)
  • Plan for potential extended timelines in standards development
  • Consider impact on post-quantum cryptography transition timelines

Source: CyberScoop

NIST Hardware Security Standards Initiative

NIST has announced the "SUSHI@NIST" initiative focused on rolling next-generation secure hardware into standards. This effort aims to enhance hardware security for national defense and emerging technologies amid geopolitical uncertainty and semiconductor supply chain concerns.

Note: Full details scheduled for publication January 28, 2026

GDPR Breach Notifications Surge

DLA Piper reports a 22% increase in organizations notifying European GDPR regulators of breaches, with over 160,000 companies submitting notifications. This trend indicates:

  • Increased breach activity or improved detection
  • Greater regulatory compliance awareness
  • Potential for increased enforcement actions

Organizations with European operations or customers should ensure breach notification procedures are current and tested.

Source: Infosecurity Magazine

TSA Data Sharing Practices Under Scrutiny

A watchdog group has filed suit seeking information about TSA's data sharing agreement with ICE. A TSA official testified to Congress defending the practice as critical to national security. Transportation sector organizations should monitor this development for potential policy implications.

Source: CyberScoop


7. Training and Resource Spotlight

Security Investment Trends

Several significant funding rounds this week indicate continued investment in critical infrastructure security capabilities:

  • Claroty: $150 million Series F funding (total raised ~$900 million, $3 billion valuation) - OT/IoT security platform
  • Furl: $10 million for autonomous vulnerability remediation
  • AiStrike: $7 million seed funding for AI-native security platform unifying exposure analysis, threat intelligence, investigation, and response

These investments reflect market demand for automated security solutions and OT/ICS protection capabilities relevant to critical infrastructure.

AI in Security Operations

A CSO Online survey indicates 73% of CISOs are more likely to consider AI-enabled security solutions. Infrastructure operators evaluating AI security tools should:

  • Assess AI capabilities against specific OT/ICS use cases
  • Evaluate false positive rates in operational environments
  • Consider integration with existing security infrastructure
  • Review vendor AI training data and model transparency

Pwn2Own Automotive 2026

Day two of Pwn2Own Automotive 2026 saw researchers exploit 29 zero-day vulnerabilities, collecting $439,250 in rewards. This event highlights:

  • Ongoing vulnerability discovery in automotive systems
  • Value of coordinated disclosure programs
  • Transportation sector cybersecurity challenges

Source: Bleeping Computer

Microsoft Teams Security Enhancement

Microsoft will soon add brand impersonation warnings to Teams calls, alerting users about external callers attempting to impersonate trusted organizations. This feature will help defend against social engineering attacks targeting enterprise users.

Source: Bleeping Computer

Bug Bounty Program Challenges

The curl project has announced it will end its HackerOne bug bounty program at the end of January 2026 due to being overwhelmed by low-quality, AI-generated vulnerability reports ("AI slop"). This development highlights challenges in managing security research programs amid increasing AI-generated submissions.

Sources: Bleeping Computer, CSO Online


8. Looking Ahead: Upcoming Events

Anticipated Developments

  • January 28, 2026: NIST SUSHI@NIST hardware security standards publication
  • Late January 2026: Curl bug bounty program termination on HackerOne
  • Ongoing: Pwn2Own Automotive 2026 competition continues

Threat Periods Requiring Heightened Awareness

  • Severe Winter Weather: Multiple U.S. regions facing significant winter storms; infrastructure operators should maintain heightened operational awareness
  • Post-Patch Exploitation Window: Given the trend of rapid exploitation following patch releases (as seen with SmarterMail), organizations should prioritize rapid patch deployment
  • Energy Sector Targeting: Continued elevated threat level for energy organizations given active BEC campaign

Seasonal Considerations

  • Winter weather impacts on physical infrastructure and personnel availability
  • Increased remote work during weather events may expand attack surface
  • End of fiscal year for some organizations may affect security resource allocation

Recommended Preparedness Actions

  • Review and test incident response procedures
  • Ensure backup communications are functional
  • Verify patch management processes can respond rapidly to critical vulnerabilities
  • Conduct tabletop exercises for ransomware and BEC scenarios
  • Review physical security measures for critical facilities during weather events

This briefing is compiled from open-source intelligence and is intended for critical infrastructure owners, operators, and security professionals. Recipients are encouraged to share relevant information with appropriate stakeholders through established information sharing channels.

Report Prepared: Friday, January 23, 2026

Disclaimer

This briefing is generated using AI analysis of public news sources. Always verify critical information through authoritative sources before taking action.