Fortinet auth bypass 🔐, Russian energy attacks ⚡, security supply chain 🔧, proxy takedown 🌐, AI legal challenges 🤖

Daily Threat Intel Digest - 2026-01-29

🔴 Critical Threats & Active Exploitation

[UPDATE] Fortinet SSO authentication bypass exploited in wild
Attackers are actively exploiting CVE-2026-24858, a critical FortiCloud SSO authentication bypass vulnerability allowing unauthenticated access to FortiGate firewalls and other Fortinet products [vendor advisory; Arctic Wolf analysis]. Fortinet confirmed malicious accounts leveraged the flaw to modify firewall configurations, create unauthorized accounts, and alter VPN settings before blocking the accounts on January 22. The vulnerability (CVSS 9.8) affects over 10,000 exposed FortiCloud SSO instances globally, with approximately one-fourth in the United States [Shadowserver data]. This marks the 14th actively exploited Fortinet vulnerability since 2021, prompting criticism of the vendor’s security record [Coalition Insurance].
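The advisory's observed impact (accounts created, firewall and VPN settings changed) is the kind of post-exploitation a defender can hunt for in a configuration backup. The script below is an added example, not Fortinet's tooling: it parses the FortiOS CLI backup layout (config / edit / set / next / end) into a dictionary and flags admin accounts that are absent from a baseline or that have no trusted-host restriction. The config text and the baseline set are constructed for the example.

```python
"""Audit a FortiGate configuration backup for unexpected admin accounts.

Added example (not Fortinet's tooling). SAMPLE_CONFIG is a CONSTRUCTED
fragment in FortiOS backup layout; BASELINE_ADMINS is an assumed
known-good list that an organisation would maintain itself.
"""

# Constructed sample backup: one account ("support_tmp") is not in the
# baseline and has no trusthost entries, i.e. it can log in from anywhere.
SAMPLE_CONFIG = """\
config system global
    set hostname "edge-fw-01"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set trusthost1 10.0.0.0 255.255.255.0
    next
    edit "svc_backup"
        set accprofile "prof_admin"
        set trusthost1 10.0.5.10 255.255.255.255
    next
    edit "support_tmp"
        set accprofile "super_admin"
    next
end
config vpn ssl settings
    set port 443
end
"""

# Assumption: the approved administrator accounts for this device.
BASELINE_ADMINS = {"admin", "svc_backup"}


def parse_fortios_config(text):
    """Return {section: {entry: {key: value}}}.

    Settings that sit directly under a section (no 'edit' entry) are stored
    under the pseudo-entry "*". Nested 'config' blocks are joined by spaces.
    """
    sections = {}
    path = []
    entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            path.append(line[len("config "):])
            sections.setdefault(" ".join(path), {})
        elif line.startswith("edit "):
            entry = line[len("edit "):].strip('"')
            sections[" ".join(path)][entry] = {}
        elif line.startswith("set ") and path:
            key, _, value = line[len("set "):].partition(" ")
            slot = sections[" ".join(path)].setdefault(entry or "*", {})
            slot[key] = value.strip().strip('"')
        elif line == "next":
            entry = None
        elif line == "end" and path:
            path.pop()
            entry = None
    return sections


def find_unexpected_admins(config_text, baseline):
    """Admin accounts present in the backup but not in the baseline."""
    admins = parse_fortios_config(config_text).get("system admin", {})
    return sorted(n for n in admins if n != "*" and n not in baseline)


def admins_without_trusthost(config_text):
    """Admin accounts with no trusthostN restriction (reachable from any IP)."""
    admins = parse_fortios_config(config_text).get("system admin", {})
    return sorted(
        name for name, settings in admins.items()
        if name != "*" and not any(k.startswith("trusthost") for k in settings)
    )


if __name__ == "__main__":
    print("unexpected admins:", find_unexpected_admins(SAMPLE_CONFIG, BASELINE_ADMINS))
    print("no trusthost:", admins_without_trusthost(SAMPLE_CONFIG))
```

Run it against a real backup by reading the file into `config_text` and replacing `BASELINE_ADMINS` with the list from your change-management system; any account the script reports, and any admin without a trusted-host restriction, should be reconciled against change records before the device is considered clean.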

[UPDATE] Russian Electrum group damages Polish energy infrastructure
Russian state-linked threat actor Electrum (overlapping with Sandworm) compromised approximately 30 distributed energy resource sites across Poland in late December, damaging “key equipment beyond repair” [Dragos report]. While the attackers did not disrupt power generation at the affected sites (1.2 GW, or 5% of Poland’s supply), they did disable OT communications equipment and corrupt device configurations. The attacks targeted exposed remote terminal units and grid-edge communication systems, demonstrating deep knowledge of industrial control deployments [ESET analysis]. The operation continues Sandworm’s decade-long pattern of attacks on critical infrastructure, timed for winter to maximize the impact on civilians [CyberScoop].

[NEW] ShinyHunters breaches Match Group in ransomware attack
The ShinyHunters extortion gang claims to have breached Match Group (match.com), threatening to leak 10 million user records unless paid [DeXpose intelligence]. The group posted a taunting message: “Your greed is killing you… Don’t be the next headline.” Match Group users are advised to monitor for credential stuffing attacks and enable MFA, as credentials breached from dating platforms are often reused across other services. This attack continues ShinyHunters’ pattern of targeting high-value consumer data for extortion [previous incidents].

[NEW] eScan update server breached to distribute malware
MicroWorld Technologies’ eScan antivirus suffered a supply chain attack in which compromised update infrastructure delivered malicious Reload.exe files to customers on January 20 [eScan confirmation; Morphisec analysis]. The trojanized component (SHA256: 36ef2ec9ada035c56644f677dab65946798575e1d8b14f1365f22d7c68269860) disables eScan updates, modifies the HOSTS file, and installs the CONSCTLX.exe backdoor for persistence [technical details]. Affected systems show update failures and require manual remediation via eScan’s repair tool. This follows a 2024 incident in which North Korean hackers similarly exploited eScan’s update mechanism [previous report].
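Two of the observable effects above, the known-bad file hash and the HOSTS file modification, are cheap to check for on an endpoint. The script below is an added example, not eScan's or Morphisec's tooling: it hashes candidate files against the indicator quoted in this item and lists hosts-file entries that map anything other than the standard loopback names. The hosts-file text is constructed sample input, and the domain in it is a placeholder rather than a real eScan update host.

```python
"""Check files against the eScan supply-chain IoC and flag HOSTS tampering.

Added example, not vendor tooling. KNOWN_BAD_SHA256 is the indicator quoted
in the digest; SAMPLE_HOSTS is CONSTRUCTED input whose domain is a
placeholder, not a real update server.
"""
import hashlib
import os

# Indicator from the digest: the trojanized Reload.exe.
KNOWN_BAD_SHA256 = {
    "36ef2ec9ada035c56644f677dab65946798575e1d8b14f1365f22d7c68269860",
}

# Names a hosts file legitimately maps; anything else deserves a look.
BENIGN_HOSTNAMES = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback",
}

# Constructed sample: a sinkholed (placeholder) update hostname.
SAMPLE_HOSTS = """\
# Constructed sample hosts file
127.0.0.1       localhost
::1             localhost ip6-localhost
0.0.0.0         update.vendor-placeholder.test   # blocks the AV update server
"""


def sha256_hex(data: bytes) -> str:
    """Hex SHA256 of an in-memory file image."""
    return hashlib.sha256(data).hexdigest()


def is_known_malicious(data: bytes) -> bool:
    """True when the file's hash matches a known indicator."""
    return sha256_hex(data) in KNOWN_BAD_SHA256


def scan_directory(root: str, names=("reload.exe",)):
    """Walk root; return paths whose name matches and whose hash is a known IoC."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower() in names:
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as fh:
                    if is_known_malicious(fh.read()):
                        hits.append(full)
    return hits


def suspicious_hosts_entries(hosts_text: str):
    """Return (ip, hostname) pairs that map non-loopback names.

    Malware that wants to block AV updates commonly points the vendor's
    update hostnames at 0.0.0.0 or 127.0.0.1; such entries are the ones
    worth reviewing. Comments and blank lines are ignored.
    """
    findings = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, hostnames = parts[0], parts[1:]
        for name in hostnames:
            if name.lower() not in BENIGN_HOSTNAMES:
                findings.append((ip, name))
    return findings


if __name__ == "__main__":
    print("suspicious hosts entries:", suspicious_hosts_entries(SAMPLE_HOSTS))
    print("empty-file hash matches IoC:", is_known_malicious(b""))
```

On a real Windows host, read `C:\Windows\System32\drivers\etc\hosts` into `suspicious_hosts_entries` and point `scan_directory` at the eScan installation directory; a hash hit confirms the trojanized component, while a hosts entry for the vendor's update servers explains the update failures the item describes.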

🎯 Threat Actor Activity & Campaigns

[NEW] TA584 escalates campaigns with Tsundere Bot and ClickFix
The prolific initial access broker TA584 (overlapping with Storm-0900) tripled its 2025 campaign volume, now weaponizing ClickFix social engineering to deliver Tsundere Bot alongside XWorm RAT [Proofpoint tracking; BleepingComputer]. Tsundere Bot, a Node.js-based backdoor sold as MaaS, uses EtherHiding to retrieve C2 addresses from Ethereum blockchain and aborts on CIS locales. The group sends geofenced emails from compromised accounts, leading victims through CAPTCHA gates to PowerShell execution hooks. With increased targeting in Germany and Australia, researchers assess with high confidence that Tsundere Bot infections could lead to ransomware [Kaspersky attribution].

[NEW] Google dismantles IPIDEA residential proxy network
Google Threat Intelligence Group led a takedown of IPIDEA, the world’s largest residential proxy network hijacking millions of consumer devices [Google analysis; technical breakdown]. IPIDEA powered operations for 550+ threat groups from China, North Korea, Iran, and Russia, facilitating botnets like BadBox 2.0 and Aisuru. The operation seized control domains, shared SDK intelligence for detection, and enabled Play Protect blocking. IPIDEA operated under 13 brands (including IP2World, Luna Proxy) and used a two-tier C2 system spanning ~7,400 servers. This disrupts a critical infrastructure for credential stuffing, ransomware C2 obfuscation, and reconnaissance [Cloudflare collaboration].

โš ๏ธ Vulnerabilities & Patches

[NEW] Critical vulnerabilities in SolarWinds Web Help Desk
SolarWinds released WHD 2026.1 to patch six critical/high vulnerabilities, including four CVSS 9.8 flaws enabling unauthenticated RCE and authentication bypass [vendor advisory; Arctic Wolf analysis]. CVE-2025-40551 and CVE-2025-40553 allow deserialization attacks for arbitrary code execution, while CVE-2025-40552 and CVE-2025-40554 permit bypass of authentication controls. The vulnerabilities affect both standalone and cloud deployments, requiring immediate patching as WHD often processes sensitive IT service data [Cyber Centre advisory].

[NEW] Grist-Core sandbox escape enables RCE via spreadsheet formulas
A critical sandbox escape vulnerability (GHSA-7xvx-8pf2-pv5g, CVSS 9.1) in Grist-Core allows attackers to achieve RCE through malicious spreadsheet formulas [Cyberpress analysis]. The flaw stems from Pyodide WebAssembly sandbox bypasses via Python Class Hierarchy Traversal, Direct C Library Access, and Emscripten Runtime Manipulation. Grist 1.7.9 (released Jan 20) mitigates this by relocating formula execution under Deno with permission mediation. Organizations must verify GRIST_PYODIDE_SKIP_DENO is disabled, as re-enabling Pyodide reintroduces the vulnerability. The platform serves over 1,000 organizations, including French educational institutions [Cyera Research disclosure].

📋 Policy & Industry News

[NEW] CISA director inadvertently uploads sensitive documents to public ChatGPT
Acting CISA Director Madhu Gottumukkala exposed “for official use only” government contracting documents via public ChatGPT in mid-2025, triggering DHS automated DLP alerts [Politico report; Cyberpress]. While no classified intelligence was compromised, the incident underscores federal policy violations regarding commercial AI tool usage. CISA’s security infrastructure successfully detected the uploads, but the breach highlights governance challenges as agencies adopt generative AI. Federal policy prohibits uploading sensitive-but-unclassified material to platforms like ChatGPT, which shares data across backend systems [data handling risks].

[NEW] UK announces policing overhaul amid online crime surge
The UK government unveiled plans to centralize cybercrime and fraud policing capabilities, arguing current structures can’t handle borderless digital offenses [Nextgov/FCW]. The Home Office proposal aims to coordinate responses to ransomware, business email compromise, and AI-driven threats through a specialized national unit. This responds to a 40% rise in reported cybercrimes since 2024, with particular focus on cross-border fraud [policy brief]. Critics warn implementation faces jurisdictional hurdles and requires urgent parliamentary approval before taking effect.

[NEW] Class action filed against xAI over Grok deepfakes
Victims of nonconsensual nude deepfakes generated by Grok filed a class-action lawsuit against xAI, alleging the tool “humiliates and sexually exploits women and girls” through undressing capabilities [court filing; CyberScoop]. The suit cites data showing Grok produced 4.4 million images in nine days, with up to 3 million sexualized depictions. Plaintiffs claim xAI knowingly promoted the feature via a “spicy” button and failed to implement prompt filtering. This compounds ongoing investigations by the EU, UK, and multiple U.S. states into xAI’s compliance with deepfake and CSAM laws [global scrutiny].