{"id":21511,"date":"2026-02-02T19:25:52","date_gmt":"2026-02-02T17:25:52","guid":{"rendered":"https:\/\/kordon.app\/?p=21511"},"modified":"2026-02-05T22:50:03","modified_gmt":"2026-02-05T20:50:03","slug":"latest-interesting-cybersecurity-news-of-the-week-summarised-02-02-2026","status":"publish","type":"post","link":"https:\/\/kordon.app\/et\/latest-interesting-cybersecurity-news-of-the-week-summarised-02-02-2026\/","title":{"rendered":"Latest Interesting Cybersecurity News of the Week Summarised &#8211; 02-02-2026"},"content":{"rendered":"<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><strong>I go through about 25 cybersecurity news portals and blogs every week and pull out the most interesting stories. <\/strong>Then I turn them into this short, digestible summary, so you can stay up to date without trying to follow 25 different sources yourself. \ud83d\ude31<\/p>\n\n\n\n<p>My aim is to create a summary that gives you the gist without needing to open up the source article. But if you do want to dig deeper, all the sources covering the event are linked below each story.<\/p>\n\n\n\n<p><strong>If you enjoy these, come back next Monday, or scroll to the bottom to subscribe to the e-mail newsletter.<\/strong><\/p>\n<\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\">1. 175,000 Publicly Exposed Ollama AI Servers Create High-Severity LLM Abuse Risk<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><b>A joint SentinelOne SentinelLABS and Censys study found 175,000 Ollama AI instances \nopen to the internet across 130 countries,<\/b> many with tool-calling enabled and no \nauthentication or monitoring. 
<b>Nearly half advertise tool-calling models, which an agent harness can turn into code execution and external API access<\/b>, \nraising the stakes for LLMjacking, prompt injection, and unmetered resource abuse.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Over 48% of hosts advertise tool-calling support. A tool-calling model emits structured tool calls rather than running anything itself, so the risk becomes code execution or API access wherever an agent harness is wired to the exposed instance.<\/li>\n\n\n\n<li>China accounts for ~30% of exposed servers; the top ten also include the U.S., Germany and India.<\/li>\n\n\n\n<li>Researchers observed 7.23 million interactions over 293 days; 23,000 hosts drove 76% of the traffic.<\/li>\n\n\n\n<li><b>Operation Bizarre Bazaar actors scan for open instances, validate them, then resell unauthorized access at discounted rates.<\/b><\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><b>Inventory and segment<\/b> all local <b>AI<\/b> deployments.<\/li>\n\n\n\n<li><b>Enforce authentication and network controls on edge-deployed LLM services.<\/b> Ollama has no authentication of its own and listens on 127.0.0.1:11434 by default, so an instance reachable from the internet was bound to 0.0.0.0 or had its port published by a container; put it behind an authenticating reverse proxy or firewall it down to the clients that need it.<\/li>\n\n\n\n<li><b>Deploy monitoring to flag unusual LLM tool-calling <\/b>or outbound API traffic.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/thehackernews.com\/2026\/01\/researchers-find-175000-publicly.html\">The Hacker News<\/a>, <a href=\"https:\/\/www.securityweek.com\/175000-exposed-ollama-hosts-could-enable-llm-abuse\/\">SecurityWeek<\/a>, <a href=\"https:\/\/cybersecuritynews.com\/175000-exposed-ollama-hosts\/\">Cybersecurity News<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">2. 
Malicious VS Code Extension \u201cClawdBot Agent\u201d Deploys ScreenConnect RAT<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><b>A fake Visual Studio Code extension masquerading as the AI assistant Clawdbot\/Moltbot runs automatically at IDE startup and installs a pre-configured ScreenConnect client, giving attackers persistent remote access.<\/b><\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><b>Published Jan 27, 2026 as \u201cClawdBot Agent \u2013 AI Coding Assistant\u201d under the publisher \u201cclawdbot\u201d, although Clawdbot\/Moltbot has no official VS Code extension.<\/b><\/li>\n\n\n\n<li><b>On launch, the extension fetched a<\/b> <code>config.json<\/code> from clawdbot DOT getintwopc DOT site and ran <code>Code.exe<\/code> to deploy ConnectWise ScreenConnect.<\/li>\n\n\n\n<li><b>Attackers operated a custom ScreenConnect relay<\/b> at meeting DOT bulletmailer DOT net:8041<b> for immediate remote access.<\/b><\/li>\n\n\n\n<li>Fallbacks include a Rust-based <code>DWrite.dll<\/code> sideloaded from Dropbox and alternate batch-script domains.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><b>Audit and uninstall any \u201cClawdBot\u201d or \u201cMoltbot\u201d VS Code extensions.<\/b><\/li>\n\n\n\n<li><b>Remove unauthorized ScreenConnect<\/b> clients and <b>block<\/b> meeting DOT bulletmailer DOT net. A machine that ran the extension handed the operator an interactive remote session, so treat it as fully compromised rather than merely cleaned.<\/li>\n\n\n\n<li><b>Rotate API keys<\/b> for OpenAI, Anthropic, Google and other<b> AI integrations<\/b>, together with any other secrets stored on the affected workstation (SSH keys, cloud CLI tokens, git credentials).<\/li>\n\n\n\n<li><b>Enforce an allowlist and a review process for VS Code extensions.<\/b><\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/cybersecuritynews.com\/beware-of-weaponized-vs-code-extension-named-clawdbot-agent\/\">Cybersecurity News<\/a>, <a href=\"https:\/\/thehackernews.com\/2026\/01\/fake-moltbot-ai-coding-assistant-on-vs.html\">The Hacker News<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator 
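has-alpha-channel-opacity\"\/>\n\n\n\n<p><strong>Added example<\/strong> for the allowlist step above. This is not code from the original post or from any of the sources it cites; it is a Python audit that parses the output of <code>code --list-extensions --show-versions<\/code>, reports every extension whose publisher is outside an allowlist, and raises the severity when the extension identifier borrows a watched brand name (\u201cclawdbot\u201d, \u201cmoltbot\u201d) that has no approved publisher, which is how the fake ClawdBot Agent was listed. The allowlist and the brand tokens are assumed policy values to be replaced with your own, and the extension identifiers used to exercise it are constructed.<\/p>

```python
# Added example (not from the original post or any vendor it names): audit the
# VS Code extensions installed on a workstation against a publisher allowlist
# and flag extensions that borrow a watched brand name from an unapproved
# publisher, the pattern behind the fake ClawdBot Agent extension.
import shutil
import subprocess

# Assumed policy values: replace with the real allowlist for your organisation.
ALLOWED_PUBLISHERS = frozenset({'ms-python', 'ms-vscode', 'redhat', 'golang'})
# Brand tokens that have no approved publisher at all. An extension id that
# contains one is treated as impersonation unless its publisher is allowed.
WATCHED_BRANDS = ('clawdbot', 'moltbot')


def parse_extension_list(text):
    '''Parse the output of: code --list-extensions --show-versions

    Each extension line has the form publisher.name@version. Anything that
    does not fit (blank lines, warnings printed by the CLI) is skipped.
    '''
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        ident, _, version = line.partition('@')
        publisher, _, name = ident.partition('.')
        if not publisher or not name or ' ' in ident:
            continue
        found.append((publisher.lower(), name.lower(), version))
    return found


def audit_extensions(extensions, allowed=ALLOWED_PUBLISHERS, brands=WATCHED_BRANDS):
    '''Return one finding per policy violation, highest severity first.'''
    findings = []
    for publisher, name, version in extensions:
        if publisher in allowed:
            continue
        ext_id = publisher + '.' + name
        if any(brand in ext_id for brand in brands):
            reason, severity = 'brand-impersonation', 'high'
        else:
            reason, severity = 'unapproved-publisher', 'medium'
        findings.append({'severity': severity, 'reason': reason,
                         'id': ext_id, 'version': version})
    findings.sort(key=lambda f: (f['severity'] != 'high', f['id']))
    return findings


def list_installed_extensions(timeout=30):
    '''Ask the VS Code CLI for installed extensions; empty string if it is absent.'''
    code = shutil.which('code')
    if code is None:
        return ''
    proc = subprocess.run([code, '--list-extensions', '--show-versions'],
                          capture_output=True, text=True, timeout=timeout)
    return proc.stdout


def run_audit(text=None):
    '''Audit captured CLI output, or the live machine when no text is given.'''
    if text is None:
        text = list_installed_extensions()
    return audit_extensions(parse_extension_list(text))


if __name__ == '__main__':
    for finding in run_audit():
        print(finding['severity'].upper(), finding['reason'],
              finding['id'], finding['version'])
```

<p>With no arguments it queries the local VS Code CLI; <code>run_audit(text)<\/code> also accepts CLI output captured by an endpoint-management tool, so the same check can run across a fleet from exported inventories. Treat a brand-impersonation finding as an incident trigger: uninstall the extension, then look for an unexpected ScreenConnect client on the machine before closing the finding.<\/p>\n\n\n\n<hr class=\"wp-block-separator 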
has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">3. Mandiant Tracks Vishing Campaigns That Phish MFA Codes to Breach SaaS Platforms<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><div><b>Mandiant warns that the ShinyHunters extortion group and its affiliates are calling employees \nwith vishing pretexts and harvesting SSO credentials and MFA codes in real time through company-branded phishing \nsites.<\/b><\/div><div><br><\/div><div><b>Once inside <\/b>Okta, Microsoft Entra or Google SSO dashboards, <b>attackers \nenroll their own MFA devices and pivot to SaaS apps<\/b> (Salesforce, M365, SharePoint, Slack and \nmore) <b>to conduct large-scale data exfiltration and extortion<\/b>.<\/div><\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><b>Attackers combine live-call vishing with cloned login portals to capture SSO credentials<\/b> and one-time MFA codes while the victim is still on the phone.<\/li>\n\n\n\n<li>The campaign spans multiple threat clusters <b>targeting a growing roster of cloud SaaS apps.<\/b><\/li>\n\n\n\n<li><b>The primary goal is sensitive data exfiltration<\/b> (internal communications, customer records), followed by extortion threats.<\/li>\n\n\n\n<li><b>Recent incidents include direct harassment of victim personnel to pressure payment or compliance.<\/b><\/li>\n\n\n\n<li><b>Attackers register deceptive domains<\/b> such as &lt;company&gt;sso.com and &lt;company&gt;internal.com.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><b>Implement phishing-resistant MFA <\/b>(FIDO2 security keys or passkeys), and once it is rolled out remove push and one-time-code factors from the policy; otherwise a caller simply steers the victim to the weaker factor.<\/li>\n\n\n\n<li><b>Enforce live video identity verification for helpdesk resets.<\/b><\/li>\n\n\n\n<li><b>Enable detailed logging of identity events, OAuth authorizations, and MFA device changes.<\/b><\/li>\n\n\n\n<li><b>Alert on new MFA device enrollments <\/b>and on deleted MFA notification emails, which attackers remove so the account owner never sees the enrollment.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a 
href=\"https:\/\/thehackernews.com\/2026\/01\/mandiant-finds-shinyhunters-using.html\">The Hacker News<\/a>, <a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/defense-against-shinyhunters-cybercrime-saas\">Google Cloud Blog (defense guidance)<\/a>, <a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/expansion-shinyhunters-saas-data-theft\">Google Cloud Blog (campaign expansion)<\/a>, <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/mandiant-details-how-shinyhunters-abuse-sso-to-steal-cloud-data\/\">BleepingComputer<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">4. Russian-Linked Actors Deployed Wiper Malware Against 30+ Polish Energy Sites<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><b>On December 29, 2025, coordinated destructive cyber attacks struck over 30 wind and solar farms, a combined heat and power (CHP) plant, and a manufacturing firm in Poland, deploying custom wiper malware to damage controllers and delete system files.<\/b><div><br><\/div><div><b>CERT Polska attributes the campaign to the FSB-backed Static Tundra<\/b> cluster, while <b>OT-security firm Dragos links a parallel strike on distributed energy resources to Russia-aligned ELECTRUM<\/b>; the two vendors thus name different Russia-linked clusters, and the attributions have not been reconciled.<\/div><div><br><\/div><div><b>The adversaries exploited exposed FortiGate devices and static credentials to move laterally, <\/b>underscoring the risks in perimeter security and OT-IT segmentation.<\/div><\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><b>The attacks disrupted communication with the distribution operator but did not halt electricity or heat production.<\/b><\/li>\n\n\n\n<li><b>Adversaries connected through Tor and compromised VPS hosts, and two-factor authentication was not enforced on the victims\u2019 FortiGate 
SSL-VPN.<\/b><\/li>\n\n\n\n<li><b>Initial access came through exposed network devices and unpatched vulnerabilities.<\/b><\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><b>Audit FortiGate <\/b>SSL-VPN configs, <b>enforce multi-factor authentication<\/b> on every VPN account, and retire the static credentials that let the attackers move from IT into OT.<\/li>\n\n\n\n<li><b>Segment OT networks<\/b> from corporate IT and <b>monitor firmware integrity<\/b> on controllers, since the wiper targeted the devices themselves and not only files.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/thehackernews.com\/2026\/01\/poland-attributes-december-cyber.html\">The Hacker News<\/a>, <a href=\"https:\/\/cert.pl\/en\/posts\/2026\/01\/incident-report-energy-sector-2025\/\">CERT Polska<\/a>, <a href=\"https:\/\/thehackernews.com\/2026\/01\/russian-electrum-tied-to-december-2025.html\">The Hacker News (Dragos ELECTRUM)<\/a>, <a href=\"https:\/\/5943619.hs-sites.com\/hubfs\/Reports\/dragos-2025-poland-attack-report.pdf\">Dragos Intelligence Brief<\/a>, <a href=\"https:\/\/www.securityweek.com\/ics-devices-bricked-in-russia-linked-strike-on-polish-power-grid\/\">SecurityWeek<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">5. Attackers Abuse Hugging Face to Deploy Android RAT<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">The campaign starts with users being shown convincing but fraudulent security warnings that claim their phones are infected and require immediate action. These messages pressure people into installing a bogus antivirus-style app called TrustBastion, which at first seems legitimate.<br>Bitdefender researchers found that when users tap to update TrustBastion, the app connects to a server that redirects them to a Hugging Face repository hosting the actual malicious Android application. 
Attackers regenerate new versions of the malware approximately every fifteen minutes through server-side polymorphism, making detection even more difficult.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><b>Two-stage delivery: <\/b>the TrustBastion dropper redirects to a Hugging Face dataset for the final APK.<\/li>\n\n\n\n<li><b>Over 6,000 commits in 29 days to one Hugging Face repo<\/b>, with new payload variants every 15 minutes, so hash- or signature-based blocking lags the campaign by design.<\/li>\n\n\n\n<li><b>The malware requests Accessibility, screen-recording and overlay permissions for real-time spying.<\/b><\/li>\n\n\n\n<li><b>The operation rebranded to \u201cPremium Club\u201d<\/b> after the initial repository was taken down.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><b>Educate users against installing apps from non-official sources<\/b>; on managed Android devices, enforce this through MDM by blocking unknown-source installs rather than relying on training alone.<\/li>\n\n\n\n<li><b>Educate users about the dangers of different mobile application permissions<\/b> like Accessibility, and, where your mobile security tooling can see it, alert on Accessibility or overlay grants to newly installed apps, a behavioural signal that survives the 15-minute payload churn.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/cybersecuritynews.com\/attackers-using-hugging-face-hosting\/\">Cybersecurity News<\/a>, <a href=\"https:\/\/www.securityweek.com\/hugging-face-abused-to-deploy-android-rat\/\">SecurityWeek<\/a>, <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/hugging-face-abused-to-spread-thousands-of-android-malware-variants\/\">BleepingComputer<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">6. Persistent Exploitation of WinRAR Path-Traversal Flaw Hits SMBs and Critical Sectors<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">A serious WinRAR flaw patched in July 2025 is still being actively used in attacks, largely because many systems remain unpatched. 
The vulnerability (CVE-2025-8088) is a path-traversal weakness: a malicious RAR file can trick WinRAR into extracting files into locations of the attacker\u2019s choosing on a Windows machine, not just the folder the user selected. In practice, attackers use this to drop malware into places like the Windows Startup folder, where it runs automatically the next time the user logs in.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>CVE-2025-8088 (CVSS 8.4\/8.8)<b> lets a crafted RAR archive write files outside the chosen extraction directory through path traversal in alternate data stream names<\/b>; code execution follows when a file dropped into the Startup folder runs at the next logon, so the victim only has to extract the archive.<\/li>\n\n\n\n<li><b>Active campaigns by Russia-aligned APTs <\/b>(Sandworm, Gamaredon, Turla), China-linked actors, and financially motivated groups worldwide.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><b>Identify and update all WinRAR <\/b>installations to version 7.13 or later. WinRAR does not update itself, so locate installs through your software inventory, and include portable copies and the Windows builds of RAR, UnRAR and UnRAR.dll, which are affected as well.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.darkreading.com\/application-security\/months-after-patch-winrar-bug-poised-smbs-hardest\">Dark Reading<\/a>, <a href=\"https:\/\/thehackernews.com\/2026\/01\/google-warns-of-active-exploitation-of.html\">The Hacker News<\/a>, <a href=\"https:\/\/www.securityweek.com\/apts-cybercriminals-widely-exploiting-winrar-vulnerability\/\">SecurityWeek<\/a>, <a href=\"https:\/\/cyberscoop.com\/winrar-defect-active-exploits-google-threat-intel\/\">CyberScoop<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">7. 
Critical n8n Sandbox Escape Vulnerabilities Enable Host-Level RCE, Risking Enterprise Automation<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">Researchers have identified <b>two new flaws in the n8n low-code AI workflow platform that let authenticated users bypass its JavaScript and Python sandboxes and execute arbitrary code on the host.<\/b><div><br><\/div><div><b>Because n8n holds credentials and orchestrates integrations<\/b> for CRM, cloud, databases, LLMs and other critical platforms, <b>unpatched instances expose organizations to full platform takeover and lateral movement.<\/b><\/div><\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>CVE-2026-1470: the deprecated JavaScript <code>with<\/code> statement lets an expression escape the AST-based sandbox of n8n\u2019s expression engine.<\/li>\n\n\n\n<li>CVE-2026-0863: the Python Code node in \u201cInternal\u201d execution mode lets workflow code break out to the host through subprocesses.<\/li>\n\n\n\n<li>All versions before 1.123.17\/2.4.5\/2.5.1 (JS) and 1.123.14\/2.3.5\/2.4.2 (Python) are vulnerable.<\/li>\n\n\n\n<li>n8n serves some 3,000 enterprises and 230,000 active users, with over 100 million Docker pulls.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><b>Patched: <\/b>upgrade to n8n 1.123.17, 2.4.5 or 2.5.1 (or later within the same line). These releases carry both fixes, since the Python fix shipped earlier in 1.123.14, 2.3.5 and 2.4.2; no JS fix is listed for the 2.3 line, so 2.3.x stays exposed and should be moved off.<\/li>\n\n\n\n<li>Both flaws require an authenticated user, so restrict who can create or edit workflows, and treat an instance that untrusted users could edit before patching as potentially compromised: rotate the integration credentials it stores.<\/li>\n\n\n\n<li><b>Separate LLM API keys from other system credentials.<\/b><\/li>\n\n\n\n<li><b>Enforce review<\/b> procedures for<b> n8n node installations.<\/b><\/li>\n\n\n\n<li><b>Enforce review <\/b>procedures for n8n workflow <b>template executions.<\/b><\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/research.jfrog.com\/post\/achieving-remote-code-execution-on-n8n-via-sandbox-escape\/\">JFrog<\/a>, <a href=\"https:\/\/www.darkreading.com\/vulnerabilities-threats\/critical-flaws-n8n-compromise-customer-security\">Dark Reading<\/a>, <a 
href=\"https:\/\/thehackernews.com\/2026\/01\/two-high-severity-n8n-flaws-allow.html\">The Hacker News<\/a>, <a href=\"https:\/\/www.securityweek.com\/n8n-vulnerabilities-could-lead-to-remote-code-execution\/\">SecurityWeek<\/a>, <a href=\"https:\/\/www.csoonline.com\/article\/4124343\/critical-rce-bugs-expose-the-n8n-automation-platform-to-host%e2%80%91level-compromise.html\">CSO Online<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Subscribe<\/h2>\n\n\n\n<p>Subscribe to receive this weekly cybersecurity news summary in your inbox every Monday.<\/p>\n\n\n                <div class=\"ml-embedded\" data-form=\"pKq7EM\"><\/div>","protected":false},"excerpt":{"rendered":"<p>Most interesting cybersecurity news from the last week of January 2026.<\/p>","protected":false},"author":1,"featured_media":21517,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[32],"tags":[],"class_list":["post-21511","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts\/21511","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/comments?post=21511"}],"version-history":[{"count":9,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts\/21511\/revisions"}],"predecessor-version":[{"id":21584,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts\/21511\/revisions\/21584"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/media\/21517"}],"wp:attachment":[{"href":"ht
tps:\/\/kordon.app\/et\/wp-json\/wp\/v2\/media?parent=21511"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/categories?post=21511"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/tags?post=21511"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}