Telnetd root access exploit 🔴, VSCode AI extensions theft 💻, ShinyHunters SSO vishing 🎣, ATM jackpotting malware 💰, Oracle maximum severity flaw ⚠️
Daily Threat Intel Digest - January 24, 2026
🔴 Critical Threats & Active Exploitation
[NEW] Decade-old telnetd vulnerability enables unauthenticated root access
Attackers are actively exploiting CVE-2026-24061, a critical authentication bypass flaw in GNU InetUtils telnetd that has existed since 2015. The vulnerability allows unauthenticated remote attackers to gain root access by manipulating the USER environment variable with “telnet -a” and setting the value to “-f root”, causing the login utility to skip authentication [Cyberpress; BleepingComputer; SOC Prime]. GreyNoise detected exploitation from 18 unique IPs across 60 sessions within 18 hours of public disclosure, with attackers conducting reconnaissance and attempting persistence through SSH key injection. While only approximately 3,000 exposed telnet services are believed to be vulnerable, the flaw affects GNU InetUtils versions 1.9.3 through 2.7. Organizations should immediately patch to version 2.8, disable telnetd services, or block TCP port 23 at network boundaries.
[NEW] Malicious AI extensions on VSCode Marketplace steal developer data
Two malicious AI code extensions collectively installed 1.5 million times are exfiltrating developer work files and credentials to China-based servers in a campaign dubbed “MaliciousCorgi” [BleepingComputer; Koi Security]. The extensions “ChatGPT - 中文版” (1.34M installs) and “ChatMoss (CodeMoss)” (150K installs) use three data collection mechanisms: real-time monitoring of opened files (transmitting entire contents via Base64 encoding), server-controlled file harvesting of up to 50 files, and commercial analytics SDKs for user profiling. The theft exposes private source code, configuration files, cloud service credentials, and API keys stored in .env files. Both extensions remain on the marketplace at time of reporting, requiring Microsoft removal and developer awareness about unauthorized data transmission.
[UPDATE] Fortinet confirms FortiCloud SSO exploitation against patched devices
Fortinet has confirmed active exploitation of CVE-2025-59718 and CVE-2025-59719, even against systems that received the initial December 2025 patches [Cyberpress; GBHackers]. Attackers are exploiting a new attack vector beyond the original SAML signature verification bypass, creating persistent administrative accounts (audit, backup, itadmin, secadmin, support) after gaining SSO access. Compromised devices show unexpected login activity from accounts like “cloud-noc@mail.io” and “cloud-init@mail.io” originating from IPs including 104.28.244.115 and 104.28.212.114. Organizations should treat affected systems as fully compromised: update firmware to version 7.6+, restore configuration from clean backups, rotate credentials, and restrict administrative interfaces to trusted IP ranges via local-in policies.
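A triage script for the indicators in the item above, as an added example that is not part of the digest or Fortinet's guidance: it parses constructed FortiGate-style key=value event lines (the field names and sample values are an assumption, not Fortinet's documented schema) and flags the reported source IPs, the reported login names, and creation of admin accounts matching the reported names.

```python
import re

# Indicators quoted in the digest item above (accounts Fortinet reports attackers
# creating, login names seen on compromised devices, and reported source IPs).
PERSISTENCE_ACCOUNTS = {"audit", "backup", "itadmin", "secadmin", "support"}
SUSPICIOUS_LOGIN_NAMES = {"cloud-noc@mail.io", "cloud-init@mail.io"}
SUSPICIOUS_SOURCE_IPS = {"104.28.244.115", "104.28.212.114"}

# Constructed sample log lines in a FortiGate-like key=value style. The field
# names and values are an assumption for illustration, not real device output.
SAMPLE_LOGS = """\
date=2026-01-22 time=03:14:07 type="event" subtype="system" action="login" user="cloud-noc@mail.io" srcip=104.28.244.115 status="success"
date=2026-01-22 time=03:15:40 type="event" subtype="system" action="Add" user="cloud-noc@mail.io" srcip=104.28.244.115 cfgpath="system.admin" cfgobj="itadmin"
date=2026-01-22 time=09:02:11 type="event" subtype="system" action="login" user="admin" srcip=10.0.5.20 status="success"
date=2026-01-22 time=09:30:00 type="event" subtype="system" action="Add" user="admin" srcip=10.0.5.20 cfgpath="system.admin" cfgobj="backup"
date=2026-01-22 time=11:45:12 type="event" subtype="system" action="login" user="admin" srcip=10.0.5.20 status="failed"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def scan(log_text):
    """Apply the three checks to every line; return (line_no, severity, reason)."""
    findings = []
    for n, raw in enumerate(log_text.splitlines(), start=1):
        ev = parse_line(raw)
        user, src = ev.get("user", ""), ev.get("srcip", "")
        if src in SUSPICIOUS_SOURCE_IPS:
            findings.append((n, "high", f"activity from reported source IP {src}"))
        if user in SUSPICIOUS_LOGIN_NAMES:
            findings.append((n, "high", f"activity by reported account {user}"))
        # A new admin named like the reported set is weak evidence on its own
        # (an operator may legitimately create 'backup'), so it is queued for review.
        if ev.get("action") == "Add" and ev.get("cfgpath") == "system.admin" \
                and ev.get("cfgobj") in PERSISTENCE_ACCOUNTS:
            findings.append((n, "review", f"new admin account '{ev['cfgobj']}' created by {user}"))
    return findings


if __name__ == "__main__":
    for line_no, severity, reason in scan(SAMPLE_LOGS):
        print(f"line {line_no}: [{severity}] {reason}")
```

Run it against exported event logs from the period after the December patches; a "review" hit alone warrants checking who created the account, while a "high" hit should trigger the full rebuild-and-rotate response described above.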
🎯 Threat Actor Activity & Campaigns
[UPDATE] ShinyHunters claims responsibility for Okta vishing campaign
The ShinyHunters extortion gang has confirmed responsibility for the ongoing voice phishing attacks targeting SSO accounts at Okta, Microsoft, and Google [BleepingComputer; DataBreaches.Net]. The group confirmed they are using data from previous breaches to contact employees, impersonating IT support and tricking victims into entering credentials and MFA codes on phishing sites. ShinyHunters stated Salesforce remains their primary target, with other platforms as “benefactors.” The group relaunched their Tor leak site listing breaches at SoundCloud, Betterment, and Crunchbase, with Crunchbase confirming a network intrusion and data exfiltration. The campaign uses sophisticated phishing kits with real-time interface modifications to guide victims through authentication steps.
[NEW] Venezuelan nationals convicted in ATM jackpotting scheme
Two Venezuelan nationals have pleaded guilty to conspiracy and computer crimes for stealing hundreds of thousands of dollars from U.S. banks using ATM malware [BleepingComputer]. Luz Granados and Johan Gonzalez-Jimenez connected laptops to ATMs at night, installed Ploutus malware variants that bypassed security protocols, and forced machines to dispense all available cash. The attacks targeted older ATM models across South Carolina, Georgia, North Carolina, and Virginia, with stolen funds coming directly from banks rather than customer accounts. Granados received time served and $126,340 restitution; Gonzalez-Jimenez was sentenced to 18 months and $285,100 restitution. The case is connected to a larger operation targeting ATMs across multiple states.
⚠️ Vulnerabilities & Patches
[NEW] CISA adds four critical vulnerabilities to KEV catalog
CISA has added four vulnerabilities to its Known Exploited Vulnerabilities catalog with a February 12, 2026 remediation deadline for federal agencies [BleepingComputer; Cyberpress]. The additions include: CVE-2025-31125 (Vite dev server improper access control), CVE-2025-34026 (Versa Concerto SD-WAN authentication bypass), CVE-2025-54313 (malicious code in eslint-config-prettier npm package), and CVE-2025-68645 (Zimbra remote file inclusion). The Zimbra vulnerability allows unauthenticated attackers to include arbitrary files from the WebRoot directory via the /h/rest endpoint, while the Versa flaw enables unauthorized access to administrative endpoints through Traefik reverse proxy misconfiguration.
[NEW] Oracle HTTP Server/WebLogic Proxy Plug-In maximum severity flaw
Oracle patched CVE-2026-21962, a maximum-severity vulnerability in its Fusion Middleware affecting Oracle HTTP Server and WebLogic Server Proxy Plug-in [Malware.News; Arctic Wolf]. An unauthenticated remote attacker can exploit the improper handling of incoming requests to gain unauthorized creation, deletion, or modification access to critical data. The vulnerability was patched in Oracle’s January 20, 2026 Critical Patch Update, requiring immediate application for organizations running affected Fusion Middleware versions.
🛡️ Defense & Detection
[NEW] Microsoft introduces real-time protection for AI agents
Microsoft has released runtime protection for Copilot Studio agents that inspects tool invocations before execution to prevent malicious manipulation [Microsoft Security Blog]. The system uses webhook-based security checks to analyze planned actions including parameters, context, and metadata, then blocks or allows execution based on security policies. The research identified three attack scenarios: malicious instruction injection in event-triggered workflows, prompt injection via shared documents leading to data exfiltration, and capability reconnaissance attempts against public chatbots. The protection provides defenders with visibility into agent behavior while preserving legitimate functionality, addressing the risk that natural language inputs could manipulate agent planning and execution sequences.
[NEW] Volatility 3 memory forensics workflow and cheat sheet released
SOCFortress has published a comprehensive Volatility 3 workflow and cheat sheet for malware hunting in memory dumps [SOCFortress Medium]. The resource covers system identification, process analysis including hidden process detection, command-line extraction, memory injection detection, network connection analysis with process context, and kernel/rootkit checks. The workflow helps investigators find evidence when disk artifacts are limited or malware operates entirely in memory. The cheat sheet includes specific commands for each investigation phase and guidance on exporting results for analysis with external tools.
Policy & Industry News
[NEW] CISA withdraws from RSAC conference following leadership change
CISA will not participate in the RSAC cybersecurity conference in March following the appointment of former CISA director Jen Easterly as CEO [Malware.News]. The decision comes amid Trump administration efforts to police how current officials engage with industry events tied to former senior leaders. Agency spokesperson Marci McCarthy stated the withdrawal ensures “maximum impact and good stewardship of taxpayer dollars” while focusing on President Trump’s policies. The move will impact scheduling of public panels and behind-the-scenes engagements at one of the world’s largest cybersecurity forums.
[NEW] Node.js implements Signal score requirement for vulnerability reports
The Node.js project now requires security researchers to maintain a minimum HackerOne Signal reputation score of 1.0 before submitting vulnerability reports [Cyberpress]. The change addresses an influx of low-quality submissions that overwhelmed project resources between December and January, with over 30 reports received in one month. Researchers below the threshold can still participate by contacting the security team via the OpenJS Foundation Slack workspace. The policy represents a pragmatic approach to managing open-source security program sustainability while preserving opportunities for emerging researchers.
⚡ Quick Hits
- Nike probing security incident as hackers threaten to leak data [SecurityWeek]
- Pwn2Own Automotive 2026 concludes with $1,047,000 awarded for 76 zero-day vulnerabilities, with Team Fuzzware.io taking top honors [BleepingComputer]
- TrustAsia revokes 143 certificates following critical LiteSSL ACME vulnerability allowing unauthorized certificate issuance [GBHackers]