Palo Alto DoS flaw 🔥, FortiSIEM exploit 🔓, Kimwolf botnet 📱, ransomware wave 💀

Daily Threat Intel Digest - 2026-01-15

🔴 Critical Threats & Active Exploitation

[NEW] Palo Alto Networks warns of critical DoS flaw in firewalls
Palo Alto Networks disclosed a high-severity vulnerability (CVE-2026-0227) that lets an unauthenticated attacker knock next-generation firewalls and Prisma Access instances offline. Successful exploitation forces the device into maintenance mode, taking the firewall and the protections behind it out of service. Shadowserver is tracking roughly 6,000 exposed firewalls, and PAN-OS has a history of zero-day exploitation, so affected releases (PAN-OS 10.2 and later, per the advisory) should be patched promptly. [BleepingComputer; Palo Alto Advisory]

[NEW] Public exploit released for critical FortiSIEM command injection flaw
Published exploit code for CVE-2025-64155 gives an unauthenticated attacker remote code execution on Fortinet FortiSIEM appliances through the phMonitor service when it is exposed on TCP port 7900. Affected versions run from 6.7 through 7.4.1; FortiSIEM Cloud and 7.5 are unaffected. Fortinet products are a frequent ransomware target (Black Basta among others) and 23 Fortinet CVEs already sit in CISA’s KEV catalog, so rapid weaponization should be expected. Until patched, phMonitor should not be reachable from untrusted networks. [Tenable; BleepingComputer]
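A quick triage pass over a FortiSIEM inventory, as an added example that is not part of the digest and not Fortinet's own tooling. It uses only the facts the item above states (affected range 6.7 through 7.4.1, 7.5 and FortiSIEM Cloud unaffected, phMonitor on TCP 7900); the inventory, its field names and the "open_ports_external" list are constructed for the example. Versions outside the stated range (for instance 7.4.2) are reported as "not covered" rather than guessed at.

```python
# Added example (not from the digest or Fortinet): rank FortiSIEM hosts for
# CVE-2025-64155 follow-up. Affected range and port are from the digest; the
# inventory below and its field names are constructed sample data.
from typing import Optional

AFFECTED_MIN = (6, 7, 0)   # 6.7 per the digest
AFFECTED_MAX = (7, 4, 1)   # 7.4.1 per the digest
PHMONITOR_PORT = 7900      # phMonitor listener named in the digest


def parse_version(v: str) -> tuple:
    """Turn '7.4.1' into (7, 4, 1) so comparisons are numeric, not lexical
    ('7.4.10' must sort after '7.4.9'). A '-build' suffix (assumed format) is dropped."""
    core = v.strip().split("-")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:          # pad so '6.7' compares as 6.7.0
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version: str, cloud: bool = False) -> Optional[bool]:
    """True inside the digest's affected range, False for 7.5+ or FortiSIEM Cloud,
    None when the digest does not say (verify against the vendor PSIRT)."""
    if cloud:
        return False
    v = parse_version(version)
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return True
    if v >= (7, 5, 0):
        return False
    return None


def triage(inventory: list) -> list:
    """Rank hosts: affected and phMonitor reachable from untrusted networks first."""
    ranked = []
    for host in inventory:
        affected = is_affected(host["version"], host.get("cloud", False))
        exposed = PHMONITOR_PORT in host.get("open_ports_external", [])
        if affected is True and exposed:
            priority, action = 0, "patch now and block TCP/7900 at the edge"
        elif affected is True:
            priority, action = 1, "patch; confirm 7900 is reachable only from FortiSIEM peers"
        elif affected is None:
            priority, action = 2, "version not covered by the digest summary; check Fortinet PSIRT"
        else:
            priority, action = 3, "not affected per the advisory summary"
        ranked.append({"host": host["host"], "version": host["version"],
                       "affected": affected, "exposed_7900": exposed,
                       "priority": priority, "action": action})
    ranked.sort(key=lambda r: r["priority"])   # stable: keeps inventory order within a tier
    return ranked


SAMPLE_INVENTORY = [  # constructed sample data, not a real estate
    {"host": "fsm-sup-01", "version": "7.4.1", "open_ports_external": [443, 7900]},
    {"host": "fsm-col-02", "version": "7.2.3", "open_ports_external": [443]},
    {"host": "fsm-sup-03", "version": "7.5.0", "open_ports_external": [443, 7900]},
    {"host": "fsm-cloud", "version": "7.4.0", "cloud": True, "open_ports_external": []},
    {"host": "fsm-old", "version": "6.6.2", "open_ports_external": [7900]},
]

if __name__ == "__main__":
    for r in triage(SAMPLE_INVENTORY):
        print(f"P{r['priority']} {r['host']:<12} {r['version']:<7} "
              f"affected={r['affected']} exposed_7900={r['exposed_7900']}  {r['action']}")
```

Feed it the version and external-port data from your own asset inventory or scanner export; the point of the three-valued result is that a host the digest does not cover is neither cleared nor flagged until the vendor advisory is consulted.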

[NEW] Kimwolf botnet infects 2M Android TV devices for DDoS attacks
The Kimwolf botnet, an offshoot of the record-breaking Aisuru DDoS botnet, has compromised more than 2 million Android TV devices by abusing residential proxy networks. Lumen Technologies has taken down 550+ C2 servers, but the botnet continues to launch DDoS attacks, from short bursts to hours-long floods, against targets such as Minecraft servers. Its rapid growth from a largely untapped device population makes it a serious risk if turned against critical infrastructure. [CyberScoop; XLab Research]

🎯 Threat Actor Activity & Campaigns

[NEW] Microsoft disrupts $40M RedVDS cybercrime platform
Microsoft seized RedVDS infrastructure in a coordinated global operation, dismantling a virtual desktop service sold to criminals for $24/month. The platform supported BEC, phishing and AI-assisted scams (ChatGPT-generated phishing lures, deepfake impersonation), causing $40M in U.S. losses alone since March 2025 and compromising 191K+ organizations. Its virtual machines carried a distinctive hostname (WIN-BUNS25TD77J), which allowed activity to be tracked across campaigns; the same string is a usable hunting artifact in sign-in and authentication logs. [BleepingComputer; Microsoft Blog]
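A retrospective hunt for that hostname across two common log shapes, as an added example that is not part of the digest and not Microsoft's tooling. The hostname WIN-BUNS25TD77J is the fingerprint the item names; the Windows 4624/4625-style key=value lines, the Entra-style JSON sign-in record, and every account, IP address and event below are constructed for the example. The match is case-insensitive and rejects longer hostnames that merely contain the string.

```python
# Added example (not from the digest or Microsoft): hunt for the RedVDS VM
# hostname across constructed sample log lines and summarise by account and
# source IP. Both log formats and all identities/IPs are made up.
import json
import re
from collections import Counter
from typing import Optional, Tuple

REDVDS_HOSTNAME = "WIN-BUNS25TD77J"   # fingerprint named in the digest

# Exact hostname only: 'WIN-BUNS25TD77J-LAB' must not match, 'win-buns25td77j' must.
HOST_RE = re.compile(r"(?<![A-Za-z0-9-])" + re.escape(REDVDS_HOSTNAME) + r"(?![A-Za-z0-9-])",
                     re.IGNORECASE)
KV_USER_RE = re.compile(r"TargetUserName=(\S+)")   # 4624/4625 field names
KV_IP_RE = re.compile(r"IpAddress=(\S+)")


def scan_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (account, source_ip) when the line references the RedVDS hostname, else None."""
    if not HOST_RE.search(line):
        return None
    line = line.strip()
    if line.startswith("{"):                       # Entra-style JSON sign-in record (assumed shape)
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            return ("<unparsed>", "<unparsed>")
        return (ev.get("userPrincipalName", "<unknown>"), ev.get("ipAddress", "<unknown>"))
    user = KV_USER_RE.search(line)                 # flattened Windows security event (assumed shape)
    ip = KV_IP_RE.search(line)
    return (user.group(1) if user else "<unknown>", ip.group(1) if ip else "<unknown>")


def hunt(lines):
    """Return all hits plus per-account and per-source-IP counts."""
    hits = [h for h in (scan_line(ln) for ln in lines) if h]
    return hits, Counter(a for a, _ in hits), Counter(ip for _, ip in hits)


SAMPLE_LOGS = [  # constructed sample log lines
    "EventID=4624 LogonType=10 TargetUserName=j.doe TargetDomainName=CORP "
    "WorkstationName=WIN-BUNS25TD77J IpAddress=198.51.100.23",
    "EventID=4624 LogonType=3 TargetUserName=svc-backup TargetDomainName=CORP "
    "WorkstationName=FS01 IpAddress=10.0.4.7",
    '{"userPrincipalName":"a.smith@example.com","ipAddress":"198.51.100.23",'
    '"deviceDetail":{"displayName":"win-buns25td77j","operatingSystem":"Windows 10"},'
    '"status":{"errorCode":0}}',
    "EventID=4625 LogonType=3 TargetUserName=admin TargetDomainName=CORP "
    "WorkstationName=WIN-BUNS25TD77J IpAddress=203.0.113.77",   # failed logon still counts
    "EventID=4624 LogonType=3 TargetUserName=b.lee TargetDomainName=CORP "
    "WorkstationName=WIN-BUNS25TD77J-LAB IpAddress=10.0.9.9",   # different host, must not match
]

if __name__ == "__main__":
    hits, by_account, by_ip = hunt(SAMPLE_LOGS)
    for account, ip in hits:
        print(f"hit: account={account} source_ip={ip}")
    print("accounts:", dict(by_account))
    print("source IPs:", dict(by_ip))
```

Run it over exported sign-in and security logs for the period since March 2025 that the item cites; the per-IP counter is what surfaces one RedVDS instance touching several of your accounts.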

[UPDATE] Ransomware campaigns target high-value sectors
Ransomware groups accelerated attacks this week, with:

  • Nova: Hit Dubai Air Wing (UAE government VIP airline) and National Auto Loan Network (USA), exfiltrating employee and financial data [DeXpose 1; DeXpose 2]
  • Akira: Targeted U.S. firms including TruGolf (37GB data), Rebars & Mesh, ImageWorks Display, and H2 Builders, threatening to leak corporate contracts and client data [DeXpose 1; DeXpose 2]
  • Qilin: Compromised U.S. entities (Pathology Associates, Lunsford Capital, Ernest Maier) and UK’s Gtech, demanding ransom to prevent medical and financial data leaks [DeXpose 1; DeXpose 2]

⚠️ Vulnerabilities & Patches

[NEW] Industrial systems patched in ICS Patch Tuesday
Siemens, Schneider Electric, Aveva, and Phoenix Contact released fixes for multiple vulnerabilities in operational technology (OT) systems. While specifics are pending publication, the coordinated update cycle addresses flaws impacting critical infrastructure environments. [SecurityWeek]

[NEW] Multiple vendors address critical flaws

  • Red Hat: Patched Linux kernel vulnerabilities across Enterprise Linux variants, including privilege escalation and memory corruption bugs [CCCS Advisory]
  • Drupal: Fixed vulnerabilities in the Group Invite, Role Delegation, and Microsoft Entra ID SSO Login modules that allowed access bypass and injection [CCCS Advisory]

📋 Policy & Industry News

[NEW] FTC bans GM from selling driver location data for 5 years
The FTC finalized an order prohibiting GM and OnStar from sharing geolocation/driver behavior data with consumer reporting agencies after the company sold data from millions of vehicles without consent. GM must obtain explicit consent for data collection and allow users to disable tracking, reflecting heightened enforcement against automotive data abuses. [BleepingComputer]

[NEW] DHS finalizes ANCHOR to replace CIPAC infrastructure council
The Department of Homeland Security is establishing the Alliance of National Councils for Homeland Operational Resilience (ANCHOR) to replace the disbanded Critical Infrastructure Partnership Advisory Council (CIPAC). The new body aims to streamline industry-government threat discussions with flexible liability protections, addressing gaps in cross-sector coordination. [CyberScoop]

[NEW] France fines Free Mobile €42M over 2024 breach
CNIL fined France’s second-largest ISP for GDPR violations after a breach exposing 23M subscribers’ data. Failures included weak VPN authentication, delayed breach notifications, and excessive data retention. The fine underscores global tightening of data breach accountability. [BleepingComputer]

🛡️ Defense & Detection

[NEW] ANY.RUN integrates with Tines for SOC automation
The new integration enables automated malware detonation and threat intelligence enrichment within Tines workflows, reducing mean time to respond (MTTR) by pulling sandbox verdicts and IOCs directly into incident playbooks. SOC teams can scale validation without tool-switching, handling alert spikes without added headcount. [ANY.RUN Blog]