
Russian, Chinese APTs Exploit WinRAR Flaw as Microsoft Issues Emergency Office Zero-Day Patch; Fortinet Blocks Active FortiCloud SSO Attacks

Critical Infrastructure Intelligence Briefing

Date: Wednesday, January 28, 2026

Reporting Period: January 21-28, 2026


1. Executive Summary

This week's threat landscape is dominated by active exploitation of multiple critical vulnerabilities affecting enterprise software widely deployed across critical infrastructure sectors. The convergence of nation-state and cybercriminal exploitation of these flaws demands immediate attention from infrastructure operators.

Major Developments:

  • Active Zero-Day Exploitation: Microsoft issued an emergency out-of-band patch for CVE-2026-21509, a high-severity Office zero-day under active exploitation. Fortinet has confirmed active exploitation of CVE-2026-24858, a critical FortiCloud SSO authentication bypass, and has implemented mitigations while patches are being finalized.
  • Nation-State Convergence on WinRAR Flaw: Russian and Chinese state-sponsored threat actors, alongside financially motivated cybercriminals, continue exploiting CVE-2025-8088 in WinRAR—a vulnerability first disclosed six months ago—targeting military, government, and technology sectors for espionage and initial access.
  • Supply Chain Security Concerns: Critical vulnerabilities in the JavaScript ecosystem ("PackageGate") and a new sandbox escape in Grist-Core highlight ongoing risks to software supply chains affecting operational technology and enterprise environments.
  • Financial Sector Alert: 77% of financial service organizations accumulated security debt in 2025, creating systemic vulnerabilities. A massive ATM jackpotting operation has resulted in 87 total indictments, with 31 new defendants charged this week.
  • Post-Quantum Transition: CISA released a technology readiness list for post-quantum cryptography, though security experts caution that most products and backend protocols remain unprepared for the transition.

Immediate Actions Required:

  • Apply Microsoft Office emergency patch for CVE-2026-21509 immediately
  • Verify Fortinet FortiCloud configurations and monitor for unauthorized access
  • Update WinRAR to latest version and audit systems for indicators of compromise
  • Review OpenSSL deployments for 12 newly patched vulnerabilities including high-severity RCE

2. Threat Landscape

Nation-State Threat Actor Activities

Russian and Chinese APT Exploitation of WinRAR (CVE-2025-8088)

Multiple nation-state groups have been actively exploiting a high-severity path traversal vulnerability in WinRAR since July 2025. According to SecurityWeek and CyberScoop, both Russian and Chinese state-sponsored actors are leveraging this flaw for initial access against military, government, and technology sector targets.

  • Attribution: Multiple APT groups confirmed; specific group names withheld pending further analysis
  • Targets: Military installations, government agencies, technology companies
  • Objective: Espionage and persistent access
  • Assessment: The six-month exploitation window indicates many organizations have failed to patch despite available updates

China-Linked Mustang Panda Updates CoolClient Backdoor

The Chinese espionage group Mustang Panda has deployed an updated variant of its CoolClient backdoor with enhanced capabilities for stealing browser login credentials and monitoring clipboard activity, per Bleeping Computer.

  • New Capabilities: Browser credential theft, clipboard monitoring
  • Sectors at Risk: Government, defense, telecommunications

PeckBirdy C2 Framework Linked to China-Aligned Operations

Researchers have identified a JScript-based command-and-control framework called PeckBirdy, in use by China-aligned APT actors since 2023. The framework has targeted gambling and government sectors across Asia, according to The Hacker News and Infosecurity Magazine.

Pakistan-Linked Campaigns Target Indian Government

Two distinct campaigns tracked under the codename "Gopher" have been attributed to Pakistan-based threat actors targeting Indian government entities using previously undocumented tradecraft, as reported by The Hacker News.

Ransomware and Cybercriminal Developments

World Leaks Ransomware Group Claims Nike Breach

The World Leaks ransomware group has leaked 1.4 TB of files allegedly stolen from Nike. The sportswear company has confirmed it is investigating a "potential cyber security incident," per Bleeping Computer and Homeland Security Today.

  • Impact: Potential exposure of corporate data, supply chain information, and customer data
  • Relevance: Demonstrates continued evolution of extortion tactics beyond encryption

ShinyHunters Vishing Campaign Targets 100+ Organizations

A sophisticated voice phishing (vishing) campaign attributed to ShinyHunters is targeting single sign-on (SSO) services to gain network access and steal data. Over 100 organizations have been targeted, including Atlassian, Canva, Epic Games, HubSpot, Moderna, ZoomInfo, and WeWork, according to SecurityWeek and CyberScoop.

  • Technique: Real-time vishing attacks combined with fake CAPTCHAs
  • Target: SSO credentials for enterprise network access
  • Critical Infrastructure Relevance: Healthcare (Moderna) and technology providers serving multiple sectors

ATM Jackpotting Operation Expands

Federal prosecutors have charged 31 additional defendants in connection with a massive ATM jackpotting scheme, bringing the total to 87 individuals charged. The operation is allegedly linked to the Venezuelan gang Tren de Aragua, per SecurityWeek and Bleeping Computer.

Malicious Chrome Extensions Steal ChatGPT Sessions

Browser extensions marketed as ChatGPT enhancement tools have been discovered stealing user session data, enabling threat actors to access victims' ChatGPT conversations and data, according to SecurityWeek.

"Stanley" MaaS Promises Review-Evading Malicious Chrome Extensions

A new malware-as-a-service platform called "Stanley" promises to help threat actors create malicious Chrome extensions capable of bypassing Google's review process, per Bleeping Computer.

Emerging Attack Vectors

ClickFix Attacks Combine Fake CAPTCHAs with Signed Microsoft Scripts

A new campaign combines ClickFix-style fake CAPTCHAs with signed Microsoft Application Virtualization (App-V) scripts to distribute information-stealing malware, as detailed by The Hacker News.

AI-Powered Polymorphic Phishing Attacks

Researchers have identified AI-powered polymorphic attacks that dynamically generate phishing content to evade detection, per CSO Online.


3. Sector-Specific Analysis

Energy Sector

Threat Level: ELEVATED

Cyber-Physical Systems Security Gap Addressed

Indurex, a new cybersecurity startup founded by former Applied Risk leader Jalal Bouhdada, has emerged from stealth to address security gaps in cyber-physical systems, according to SecurityWeek. This development highlights ongoing concerns about OT/IT convergence security in energy infrastructure.

Relevance to Energy Sector:

  • WinRAR exploitation campaigns may target energy sector engineering workstations
  • FortiCloud SSO bypass could affect energy companies using Fortinet for network security
  • Supply chain vulnerabilities in npm/yarn affect SCADA web interfaces and monitoring dashboards

Water & Wastewater Systems

Threat Level: MODERATE

While no sector-specific incidents were reported this week, water utilities should note:

  • OpenSSL vulnerabilities may affect water system monitoring and control interfaces
  • Fortinet devices commonly deployed in water utility networks require immediate attention
  • The Grist-Core vulnerability could affect utilities using spreadsheet-based data management

Communications & Information Technology

Threat Level: HIGH

SoundCloud Data Breach Impacts 29.8 Million Accounts

Have I Been Pwned has added a SoundCloud breach affecting nearly 30 million user accounts, per Bleeping Computer.

SmarterMail Servers Exposed

Over 6,000 SmarterMail servers remain exposed online and vulnerable to automated hijacking attacks exploiting a critical authentication bypass, according to Bleeping Computer.

vm2 Node.js Sandbox Escape

A critical sandbox escape vulnerability (CVE-2026-22709) in the vm2 Node.js library allows arbitrary code execution on host systems, per Bleeping Computer.

WhatsApp Introduces Strict Account Settings

Meta has released "Strict Account Settings" for WhatsApp, providing lockdown-style security for users at elevated risk of spyware attacks, according to The Hacker News and CyberScoop.

Transportation Systems

Threat Level: MODERATE

TSA Biometric Data Collection Revision

TSA has announced intentions to revise its biometric data collection practices, per Homeland Security Today. Transportation sector operators should monitor for updated guidance.

Maritime Security Enhancement

DHS Science & Technology has announced enhanced critical infrastructure protection through the Ammonia Port Preparedness and Emergency Response program, according to Homeland Security Today.

Healthcare & Public Health

Threat Level: ELEVATED

Moderna Among ShinyHunters Targets

Healthcare company Moderna appears among the targets in the ShinyHunters vishing campaign, highlighting continued threat actor interest in pharmaceutical and healthcare organizations.

Privacy and GenAI Concerns

Security Magazine reports that generative AI is raising the stakes for integrating privacy and security programs, a concern especially relevant to healthcare organizations handling protected health information.

Financial Services

Threat Level: HIGH

77% of Financial Organizations Accumulated Security Debt

A concerning report indicates that 77% of financial service organizations accrued security debt in 2025, creating systemic vulnerabilities across the sector, according to Security Magazine.

ATM Jackpotting Threat Continues

The expanded indictments in the ATM jackpotting case underscore ongoing physical and cyber threats to financial infrastructure.

Always-On Privileged Access Risks

CSO Online reports that always-on (standing) privileged access remains pervasive in financial services and carries significant risk, since a single compromised account yields immediate, unrestricted access rather than access that must be requested and approved.


4. Vulnerability & Mitigation Updates

Critical Vulnerabilities Requiring Immediate Attention

CVE / Issue     | Product                 | Severity | Status              | Action Required
----------------|-------------------------|----------|---------------------|---------------------------------------
CVE-2026-24858  | Fortinet FortiCloud SSO | Critical | Active exploitation | Apply mitigations; monitor for patches
CVE-2026-21509  | Microsoft Office        | High     | Active exploitation | Apply emergency patch immediately
CVE-2025-8088   | WinRAR                  | High     | Active exploitation | Update to latest version
CVE-2026-22709  | vm2 Node.js library     | Critical | Patch available     | Update immediately
Multiple CVEs   | OpenSSL                 | High     | Patches available   | Update to patched versions
Grist-Core RCE  | Grist-Core spreadsheet  | Critical | Patch available     | Update immediately

Detailed Vulnerability Analysis

Fortinet FortiCloud SSO Authentication Bypass (CVE-2026-24858)

Source: SecurityWeek, The Hacker News, Bleeping Computer

  • Impact: Allows attackers to log into devices registered to other FortiCloud accounts
  • Exploitation Status: Confirmed active exploitation in the wild
  • Mitigation: Fortinet has implemented server-side mitigations; patches forthcoming
  • Recommended Actions:
    • Review FortiCloud account access logs for unauthorized activity
    • Implement additional authentication controls where possible
    • Monitor Fortinet advisories for patch release

Microsoft Office Zero-Day (CVE-2026-21509)

Source: The Hacker News, CSO Online, Infosecurity Magazine

  • Affected Products: Microsoft Office 2016 and 2019
  • Severity: High
  • Exploitation Status: Active exploitation confirmed
  • Recommended Actions:
    • Apply out-of-band patch immediately
    • Enable Protected View for Office documents from untrusted sources
    • Block Office file types at email gateways where feasible

OpenSSL Multiple Vulnerabilities

Source: SecurityWeek

  • Total Vulnerabilities: 12 flaws patched
  • Most Severe: High-severity remote code execution
  • Discovery: All vulnerabilities discovered by a single cybersecurity firm
  • Critical Infrastructure Impact: OpenSSL is widely deployed in SCADA systems, industrial control systems, and enterprise infrastructure

PackageGate - NPM/Yarn Supply Chain Vulnerabilities

Source: SecurityWeek, CSO Online

  • Impact: Bypasses protections against supply chain attacks, enabling arbitrary code execution
  • Affected Systems: Any application using npm or yarn package managers
  • Critical Infrastructure Relevance: Web-based SCADA interfaces, monitoring dashboards, and enterprise applications

Grist-Core Sandbox Escape

Source: The Hacker News, Infosecurity Magazine

  • Impact: Remote code execution via malicious spreadsheet formulas
  • Attack Vector: Pyodide sandbox escape
  • Recommended Action: Update Grist-Core installations immediately; audit for unauthorized formula execution

5. Resilience & Continuity Planning

Lessons Learned

WinRAR Exploitation Highlights Patch Management Gaps

The continued exploitation of CVE-2025-8088 six months after disclosure demonstrates that many organizations still struggle with timely patching of common desktop applications. Infrastructure operators should:

  • Include archive utilities in vulnerability management programs
  • Implement application whitelisting where feasible
  • Consider enterprise deployment tools for consistent patching

SSO as Single Point of Failure

The ShinyHunters vishing campaign and FortiCloud SSO bypass highlight risks associated with centralized authentication:

  • Implement phishing-resistant MFA (FIDO2/WebAuthn) for SSO systems
  • Deploy behavioral analytics to detect anomalous authentication patterns
  • Establish out-of-band verification procedures for sensitive access requests
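As an added illustration of the "anomalous authentication patterns" bullet above, the Python below (example code, not any vendor's product or the briefing's own material) runs one takeover rule over SSO audit events: a successful login from an IP address never seen for that user, arriving within a short window after a password reset or MFA factor enrollment. That sequence is what a help-desk-assisted vishing reset tends to leave behind. The event schema and the `SAMPLE_EVENTS` log lines are constructed for the demonstration; map the field names to your identity provider's export before use.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SSO audit events (assumed schema; not a real vendor log format).
SAMPLE_EVENTS = [
    {"ts": "2026-01-26T09:02:10Z", "user": "alice", "event": "login_success",       "ip": "203.0.113.10"},
    {"ts": "2026-01-26T09:05:41Z", "user": "alice", "event": "login_success",       "ip": "203.0.113.10"},
    {"ts": "2026-01-27T14:11:03Z", "user": "alice", "event": "password_reset",      "ip": "198.51.100.7"},
    {"ts": "2026-01-27T14:13:28Z", "user": "alice", "event": "mfa_factor_enrolled", "ip": "198.51.100.7"},
    {"ts": "2026-01-27T14:15:02Z", "user": "alice", "event": "login_success",       "ip": "198.51.100.7"},
    {"ts": "2026-01-27T08:00:00Z", "user": "bob",   "event": "login_success",       "ip": "203.0.113.22"},
    {"ts": "2026-01-27T10:30:00Z", "user": "bob",   "event": "mfa_factor_enrolled", "ip": "203.0.113.22"},
    {"ts": "2026-01-27T10:31:00Z", "user": "bob",   "event": "login_success",       "ip": "203.0.113.22"},
]

WINDOW = timedelta(minutes=30)          # tuning assumption for the demo
CHANGE_EVENTS = {"password_reset", "mfa_factor_enrolled"}


def _parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_takeover_candidates(events, window: timedelta = WINDOW):
    """Flag logins from a never-before-seen IP that follow a credential change.

    Baseline of "known" IPs per user is built from earlier successful logins in
    the same event stream, so order the input chronologically (done here).
    Returns a list of alert dicts; an empty list means nothing matched.
    """
    known_ips = defaultdict(set)        # user -> IPs seen on prior successful logins
    recent_changes = defaultdict(list)  # user -> [(ts, event, ip, ip_was_unseen)]
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        ts, user, ip = _parse_ts(e["ts"]), e["user"], e["ip"]
        if e["event"] in CHANGE_EVENTS:
            recent_changes[user].append((ts, e["event"], ip, ip not in known_ips[user]))
        elif e["event"] == "login_success":
            if ip not in known_ips[user]:
                triggers = [c for c in recent_changes[user] if ts - c[0] <= window]
                if triggers:
                    alerts.append({
                        "user": user,
                        "ts": e["ts"],
                        "ip": ip,
                        "preceded_by": [c[1] for c in triggers],
                        "change_from_unseen_ip": any(c[3] for c in triggers),
                    })
            known_ips[user].add(ip)
    return alerts


if __name__ == "__main__":
    for alert in detect_takeover_candidates(SAMPLE_EVENTS):
        print(alert)
```

Bob re-enrolled a factor from his usual address and is not flagged; Alice's reset, enrollment and login all come from an address with no history, inside the window, and produce one alert with `change_from_unseen_ip` set. In production, replace the raw IP with ASN or geolocation to avoid noise from mobile networks, seed the baseline from a longer history than a single day, and treat `change_from_unseen_ip` as the higher-priority variant for analysts.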

Supply Chain Security Developments

JavaScript Ecosystem Vulnerabilities

The PackageGate vulnerabilities underscore the need for:

  • Software Bill of Materials (SBOM) for all deployed applications
  • Dependency scanning in CI/CD pipelines
  • Vendor security assessments for third-party software

Cross-Sector Dependencies

Fortinet Deployment Across Sectors

The FortiCloud SSO vulnerability affects organizations across all critical infrastructure sectors. Cascading impacts may include:

  • Compromised network segmentation between IT and OT environments
  • Unauthorized access to remote management interfaces
  • Potential pivot points for lateral movement

Public-Private Coordination

IAEM-USA Emergency Management Survey

The International Association of Emergency Managers (IAEM-USA) has launched an Emergency Management Performance Grant Survey to assess local and tribal preparedness funding needs, per Homeland Security Today. Infrastructure operators are encouraged to participate.


6. Regulatory & Policy Developments

Federal Guidelines and Initiatives

CISA Post-Quantum Cryptography Technology Readiness List

Source: CyberScoop, CSO Online

CISA has published guidance to help technology buyers navigate the transition to post-quantum encryption. Key points:

  • Purpose: Assist agencies in identifying quantum-resistant products
  • Expert Caution: Most products and backend internet protocols have yet to be updated
  • Recommended Actions:
    • Inventory cryptographic assets and dependencies
    • Prioritize systems handling long-lived sensitive data
    • Engage vendors on post-quantum migration roadmaps

NIST Secure Hardware Standards Initiative

Source: NIST

NIST has announced the SUSHI@NIST initiative to enhance hardware security standards for national defense and emerging technologies. This addresses:

  • Geopolitical semiconductor supply chain concerns
  • Digital sovereignty requirements
  • Hardware-level security for critical systems

TSA Biometric Data Collection Revisions

TSA's announced intention to revise biometric data collection practices may affect transportation sector operators and security integrators.

International Developments

UK Counterterrorism Operations

UK terror police have revealed they stopped 19 "late-stage" attack plots over the past five years, per Homeland Security Today. This underscores the persistent physical threat environment affecting allied nations.

Legal and Judicial Developments

Supreme Court Considers Geofence Warrant Constitutionality

The US Supreme Court is considering the constitutionality of geofence warrants, per Schneier on Security. This case may have implications for law enforcement access to location data during infrastructure security investigations.

GAO Report on Terrorist Watchlist

The Government Accountability Office has released recommendations for improving terrorist watchlist awareness, reporting, and redress processes, according to Homeland Security Today.


7. Training & Resource Spotlight

New Tools and Frameworks

Indurex Cyber-Physical Systems Security Platform

Indurex has emerged from stealth with solutions designed to close security gaps in cyber-physical systems. Founded by Jalal Bouhdada (formerly of Applied Risk), the company focuses on industrial cybersecurity challenges relevant to critical infrastructure operators.

Memcyco Anti-Impersonation Technology

Memcyco has raised $37 million to expand its agentless anti-impersonation platform, per SecurityWeek. The technology may help organizations combat brand impersonation attacks targeting customers and employees.

LevelBlue Acquires Alert Logic MDR

LevelBlue has acquired Alert Logic's managed detection and response services from Fortra, per CyberScoop. MDR customers should monitor for service transition communications.

Best Practices and Guidance

CISO Skills for 2026

CSO Online has published guidance on the skills CISOs need to master in 2026, including managing AI-related risks and overcoming "AI fatigue."

Executive Protection Planning

Disclaimer

This briefing is generated using AI analysis of public news sources. Always verify critical information through authoritative sources before taking action.