I am thinking that all these phishing trainings that we’ve done as an industry are finally starting to pay off. I think that because it looks like the bad guys are resorting to alternative ways to get into the systems. Instead of only relying on phishing links and exploits, they are now actively recruiting insiders to give them access. Deals are different but this week you can read about a revenue share model.

P.S. If you enjoy this summary, consider subscribing to the newsletter and getting it as an e-mail every Monday.

Scroll to the bottom to subscribe

1. Kimwolf Botnet Compromises 2 Million Android Devices Including Smart TVs

Synthient and XLab researchers report that the Kimwolf Android botnet has hijacked over two million devices—primarily low-cost Android TV boxes and streaming devices—by exploiting exposed Android Debug Bridge (ADB) services through residential proxy networks. Operators monetize the network by selling bandwidth, app-install services and launching DDoS attacks exceeding 30 Tbps, underscoring systemic risks in proxy provider security.

Key Details

  • About 67% of devices in observed proxy pools have unauthenticated ADB ports open (5555, 5858, 12108, 3222).
  • Botnet activity generates roughly 12 million unique IPs per week; infections concentrate in Vietnam, Brazil, India and Saudi Arabia.
  • Many Android TV boxes arrive pre-infected with modified proxy SDKs, enabling malware drops within minutes of network connection.

Next Steps

  • Disable or secure ADB on Android devices not under active development.
  • Disable network access on older, less reputable “smart” TVs and switch to an Apple TV, Google TV or other dongle for smart TV features.
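To verify the first step on a device you own, here is an added Python check (not code from the article or the researchers it cites) that sends the ADB wire protocol's opening CONNECT message and classifies the daemon's first reply: a CNXN answer means the daemon skipped key authentication, an AUTH answer means pairing is enforced but the port is still reachable. The ports are the four named above; the target address is yours to supply.

```python
import socket
import struct

# ADB wire protocol: a 24-byte little-endian header of six uint32 fields
# (command, arg0, arg1, data_length, data_check, magic) followed by the payload.
A_CNXN = 0x4E584E43   # "CNXN": connect / banner exchange
A_AUTH = 0x48545541   # "AUTH": daemon demands RSA key authentication first
A_VERSION = 0x01000000
MAX_PAYLOAD = 4096
HEADER = struct.Struct("<6I")

def build_message(command, arg0, arg1, payload=b""):
    """Serialise one ADB message; magic is command ^ 0xFFFFFFFF, data_check a byte sum."""
    data_check = sum(payload) & 0xFFFFFFFF
    header = HEADER.pack(command, arg0, arg1, len(payload), data_check, command ^ 0xFFFFFFFF)
    return header + payload

def build_cnxn():
    """The CONNECT message every adb client opens a session with."""
    return build_message(A_CNXN, A_VERSION, MAX_PAYLOAD, b"host::\x00")

def parse_header(raw):
    """Return (command, arg0, arg1, data_length), or None if raw is not an ADB header."""
    if len(raw) < HEADER.size:
        return None
    command, arg0, arg1, data_length, _check, magic = HEADER.unpack_from(raw)
    if magic != command ^ 0xFFFFFFFF:
        return None
    return command, arg0, arg1, data_length

def classify_response(raw):
    """Map the daemon's first reply to an exposure verdict."""
    parsed = parse_header(raw)
    if parsed is None:
        return "not-adb"
    if parsed[0] == A_CNXN:
        return "unauthenticated"   # handshake completed with no key check: fully exposed
    if parsed[0] == A_AUTH:
        return "auth-required"     # pairing enforced, but the port is still reachable
    return "unknown"

def check_adb(host, port=5555, timeout=3.0):
    """Probe one device you administer and report how its ADB service answers."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_cnxn())
            reply = sock.recv(HEADER.size + MAX_PAYLOAD)
    except OSError:
        return "closed"          # nothing listening, filtered, or timed out
    return classify_response(reply)
```

Run check_adb against your own TV box's address for each of 5555, 5858, 12108 and 3222; anything other than "closed" on a device not under development is a finding.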

Read more at Cybersecurity News, SecurityWeek, The Hacker News, Security Affairs, Bleeping Computer


2. Disney Fined $10M for COPPA Violations on YouTube

Disney will pay a $10 million civil penalty after the DOJ and FTC found the company misclassified its YouTube videos, enabling targeted ads and data collection on viewers under 13 without parental consent. As part of the settlement, Disney must implement a COPPA compliance program for its YouTube operations.

Key Details

  • The DOJ complaint, filed in federal court in California, alleges Disney failed to label child-directed content, bypassing COPPA protections.
  • Disney’s popular YouTube channels have amassed billions of views, intensifying the scope of unlawful data collection.
  • The settlement includes an injunction requiring Disney Worldwide Services and Disney Entertainment Operations to maintain a tailored COPPA compliance program.

Next Steps

  • Audit all YouTube content classifications for child-directed indicators.
  • Implement clear parental consent workflows for under-13 viewers.

Read more at Hackread.com


3. Critical “Ni8mare” RCE in n8n Workflow Platform Enables Full n8n Instance Takeover

A content-type validation bug (CVE-2026-21858, CVSS 10.0) in n8n’s webhook/form handling lets unauthenticated attackers read any local file, steal session secrets, forge admin cookies, and execute commands via the Execute Command node.

Organizations using self-hosted or internet-exposed n8n instances face full compromise until patched.

Key Details

  • Flaw dubbed “Ni8mare” by Cyera: formWebhook() misroutes JSON as a file upload.
  • Attackers can leak .n8n/config and database.sqlite to rebuild n8n-auth cookies.
  • With forged admin sessions, they then deploy Execute Command nodes for OS-level RCE.
  • Patched in n8n version 1.121.0 (released Nov 18, 2025); publication of the advisories was intentionally delayed.

Next Steps

  • Upgrade all n8n instances to ≥ 1.121.0 immediately.
  • Restrict or disable public webhook/form endpoints until patched.
  • Rotate leaked credentials, API keys, and session secrets.
  • Audit n8n logs for unusual file-read or workflow-creation events.

Read more at CSO Online, The Hacker News, SecurityWeek, HackRead, SiliconANGLE


4. Scattered Lapsus$ Hunters Relaunch Operations with ShinySp1d3r RaaS and Insider Recruitment

The formerly silent Scattered Lapsus$ Hunters group has resurfaced, unveiling a new Ransomware-as-a-Service platform called ShinySp1d3r and launching a targeted insider recruitment drive. 

They’re offering tiered commissions for privileged access—up to 25% for Active Directory systems and 10% for cloud identity platforms—and are seeking insiders in high-revenue firms to supply VPN, VDI, Citrix or AnyDesk credentials. Organizations in telecommunications, software, gaming and call-center sectors should fortify remote-access controls and monitor for suspicious insider activity.

Key Details

  • ShinySp1d3r is a joint RaaS effort tied to operators from ShinyHunters, Scattered Spider and Lapsus$.
  • Recruitment ads target firms with annual revenues over $500 million, excluding Russia, China, North Korea, Belarus and healthcare.
  • Commission structure: 25% payout for AD-joined compromises, 10% for Okta, Azure Portal and AWS IAM root access.
  • Group has showcased leaked CrowdStrike dashboard and Okta SSO screenshots to prove insider sourcing.

Next Steps

  • Enforce and monitor MFA
  • Deploy UEBA to detect anomalous privileged-access behaviors
  • Audit and remove stale AD and cloud credentials

Read more at Cybersecurity News


5. Microsoft Debuts Defender Experts Suite for End-to-End Expert-Led Security Services

Microsoft this week unveiled the Defender Experts Suite, a bundled offering that combines managed extended detection and response (MXDR), end-to-end incident response, and a dedicated security advisor. 

Key Details

  • Defender Experts for XDR provides 24/7 MXDR and proactive hunting across endpoints, identities, email, cloud apps, and workloads.
  • Microsoft Incident Response offers planning, simulation exercises, and rapid on-site support to prevent, contain, and recover from attacks.
  • Enhanced Designated Engineering pairs you with Microsoft security advisors to optimize architecture, configuration, and operational maturity.
  • Promotional pricing (through Dec 31, 2026) offers up to 66% savings for customers purchasing at least 1,500 seats with Microsoft 365 E5 or Defender and Purview Frontline Workers.

Read more at Microsoft Security Blog, Microsoft Security Blog


6. Microsoft Expands Proactive Incident Response Services to Boost Resilience

Microsoft Incident Response has rolled out new proactive services—including incident response plan development, major event support, cyber range simulations, advisory engagements, and M&A compromise assessments—to help organizations identify gaps and build muscle memory before real incidents occur.

Key Details

  • Cyber range exercises deliver hands-on attack simulations using the customer’s existing Microsoft security toolset.
  • Major event support provides real-time monitoring and rapid intervention during high-risk events like conferences or product launches.
  • M&A compromise assessments spot hidden breaches in target environments before or after a transaction.

Read more at Microsoft Security Blog


7. Threat Actors Leverage Multi-Stage Commodity Loader in Fileless Email Attacks

Security researchers uncovered a sophisticated email campaign using a shared commodity loader to deliver fileless PureLog Stealer to manufacturing and government organizations in Italy, Finland and Saudi Arabia. 

By chaining weaponized Office docs, malicious SVG/ZIP attachments and steganographically embedded .NET payloads, the four-stage loader evades detection through memory-only execution and trojanized open-source libraries. 

Key Details

  • Initial vectors include CVE-2017-11882 Office docs, SVG files and ZIP-packed LNK shortcuts.
  • Stage 2 downloads PNGs from Archive.org, extracting a hidden Base64 .NET assembly via steganography.
  • Trojanized TaskScheduler library and RegAsm.exe process hollowing enable full fileless execution.
  • Final payload, PureLog Stealer, decrypts with Triple DES (CBC, PKCS7) and GZip.

Next Steps

  • Audit RegAsm.exe usage and unusual suspended processes
  • Inspect HTTP requests for Archive.org PNG downloads
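As an added example (not from the article or the original researchers), the two next steps above as detection logic in Python, run over constructed Sysmon-style process-create and network-connection records and constructed proxy log lines. The EXPECTED_PARENTS allow-list is an assumption to tune per environment.

```python
import re

# Constructed Sysmon-style telemetry for illustration: event 1 (process create) and
# event 3 (network connection) records, plus constructed web-proxy log lines.
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"',
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\Invoice.exe"},
    {"id": 1, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe",
     "CommandLine": r'RegAsm.exe /codebase "C:\Program Files\Vendor\plugin.dll"',
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
    {"id": 3, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "DestinationHostname": "203.0.113.10"},
    {"id": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationHostname": "www.example.com"},
]
SAMPLE_PROXY = [
    '10.0.0.5 "GET https://archive.org/download/xyz123/wallpaper.png" "Mozilla/4.0"',
    '10.0.0.7 "GET https://archive.org/details/some-book" "Mozilla/5.0"',
    '10.0.0.9 "GET https://cdn.example.net/logo.png" "Mozilla/5.0"',
]

# Parents that legitimately launch RegAsm.exe to (un)register assemblies (assumption; tune it).
EXPECTED_PARENTS = {"msiexec.exe", "devenv.exe", "msbuild.exe", "setup.exe"}
ARCHIVE_PNG = re.compile(r'"GET https?://(?:[\w.-]*\.)?archive\.org/[^"\s]*\.png\b', re.I)

def _args_after_program(cmdline):
    """Drop the (possibly quoted) program token so only the arguments remain."""
    return re.sub(r'^\s*("[^"]*"|\S+)\s*', "", cmdline)

def detect_regasm_abuse(events):
    """Flag RegAsm.exe started with no assembly to register, from an unexpected parent,
    or making a network connection: a bare, networking RegAsm is a hollowing host, not a tool."""
    findings = []
    for ev in events:
        if not ev.get("Image", "").lower().endswith("\\regasm.exe"):
            continue
        if ev["id"] == 1:
            if not re.search(r"\.(dll|exe)\b", _args_after_program(ev["CommandLine"]), re.I):
                findings.append(("regasm-no-assembly", ev["ParentImage"]))
            if ev["ParentImage"].rsplit("\\", 1)[-1].lower() not in EXPECTED_PARENTS:
                findings.append(("regasm-unexpected-parent", ev["ParentImage"]))
        elif ev["id"] == 3:
            findings.append(("regasm-network", ev["DestinationHostname"]))
    return findings

def detect_archive_png(lines):
    """Return proxy lines fetching PNGs from archive.org, the stage-2 stego carrier named above."""
    return [ln for ln in lines if ARCHIVE_PNG.search(ln)]
```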

Read more at Cybersecurity News


Subscribe

Subscribe to receive this weekly cybersecurity news summary to your inbox every Monday.
