New Tooling
- Microsoft Launches LiteBox, a Security-Focused Open-Source Library OS
"Microsoft has released LiteBox, a project intended to function as a security-focused library OS that can serve as a secure kernel for protecting a guest kernel using virtualization hardware. LiteBox was developed in collaboration with the Linux Virtualization Based Security (LVBS) project. The goal is to isolate and protect a normal guest kernel by running security-critical functionality in a separate, hardened environment."
https://www.helpnetsecurity.com/2026/02/05/microsoft-litebox-security-focused-open-source-library-os/
https://github.com/microsoft/litebox
Vulnerabilities
- Cisco, F5 Patch High-Severity Vulnerabilities
"Cisco and F5 this week released patches for multiple vulnerabilities across their products, including high-severity issues leading to denial-of-service (DoS) conditions, command execution, and privilege escalation. Cisco rolled out fixes for five security defects, including two high-severity bugs in TelePresence Collaboration Endpoint (CE) and RoomOS software, and Meeting Management. The first, tracked as CVE-2026-20119, can be exploited remotely without authentication or user interaction to cause a DoS condition by sending a crafted meeting invitation to a vulnerable appliance."
https://www.securityweek.com/cisco-f5-patch-high-severity-vulnerabilities/
- Hacking GitHub Codespaces Via VS Code Defaults: A Supply-Chain Attack Vector
"GitHub Codespaces is a cloud-hosted developer environment that lets users spin up fully configured Visual Studio Code instances in minutes. It integrates tightly with repositories and supports devcontainers for reproducible environments. From a usability perspective, this makes onboarding and collaboration seamless. Developers can review pull requests, test code, or spin up services without configuring local machines. However, this same convenience means that repository-defined configurations like .vscode/ and .devcontainer/ files are automatically executed within Codespaces, creating a fertile attack surface."
https://orca.security/resources/blog/hacking-github-codespaces-rce-supply-chain-attack/
https://www.infosecurity-magazine.com/news/malicious-commands-in-github/
https://www.securityweek.com/vs-code-configs-expose-github-codespaces-to-attacks/
- BOD 26-02: Mitigating Risk From End-Of-Support Edge Devices
"The United States faces persistent cyber campaigns that threaten both public and private sectors, directly impacting the security and privacy of the American people. These campaigns are often enabled by unsupported devices that physically reside on the edge of an organization’s network perimeter. Unsupported devices – referred to in this Directive as “end of support (EOS)” – are those that are no longer maintained by their vendors. The imminent threat of exploitation to agency information systems running EOS edge devices is substantial and constant, resulting in a significant threat to federal property. CISA is aware of widespread exploitation campaigns by advanced threat actors targeting EOS edge devices."
https://www.cisa.gov/news-events/directives/bod-26-02-mitigating-risk-end-support-edge-devices
https://therecord.media/cisa-gives-federal-agencies-one-year-end-of-life-devices
https://cyberscoop.com/cisa-bod-directive-unsupported-edge-devices-firewalls-routers/
- Npx Confusion: Packages That Forgot To Claim Their Own Name
"Back in July 2025, I was prototyping a new project and decided to try out MikroORM. The docs said to run npx mikro-orm-esm for migrations. So I did."
https://www.aikido.dev/blog/npx-confusion-unclaimed-package-names
Malware
- Zendesk Spam Wave Returns, Floods Users With 'Activate Account' Emails
"A fresh wave of spam is hitting inboxes worldwide, with users reporting that they are once again being bombarded by automated emails generated through companies' unsecured Zendesk support systems. Some recipients say they are receiving hundreds of messages with strange or alarming subject lines."
https://www.bleepingcomputer.com/news/security/zendesk-spam-wave-returns-floods-users-with-activate-account-emails/
- Protests Don't Impede Iranian Spying On Expats, Syrians, Israelis
"As mass protests flare at home, Iranian attackers have been carrying out spear-phishing attacks against their perceived enemies abroad. The Iranian government has a long, storied history targeting its enemies, be they domestic or abroad, Iranian or foreign nationals, Israeli, American, or Arabic. In recent weeks, though, as protests against the ruling regime have surged, reports of cyber spying have been flaring up."
https://www.darkreading.com/cyberattacks-data-breaches/iran-spies-expats-syrians-israelis
- Stan Ghouls Targeting Russia And Uzbekistan With NetSupport RAT
"Stan Ghouls (also known as Bloody Wolf) is a cybercriminal group that has been launching targeted attacks against organizations in Russia, Kyrgyzstan, Kazakhstan, and Uzbekistan since at least 2023. These attackers primarily have their sights set on the manufacturing, finance, and IT sectors. Their campaigns are meticulously prepared and tailored to specific victims, featuring a signature toolkit of custom Java-based malware loaders and a sprawling infrastructure with resources dedicated to specific campaigns."
https://securelist.com/stan-ghouls-in-uzbekistan/118738/
- The Shadow Campaigns: Uncovering Global Espionage
"This investigation unveils a new cyberespionage group that Unit 42 tracks as TGR-STA-1030. We refer to the group’s activity as the Shadow Campaigns. We assess with high confidence that TGR-STA-1030 is a state-aligned group that operates out of Asia. Over the past year, this group has compromised government and critical infrastructure organizations across 37 countries. This means that approximately one out of every five countries has experienced a critical breach from this group in the past year. Further, between November and December 2025, we observed the group conducting active reconnaissance against government infrastructure associated with 155 countries."
https://unit42.paloaltonetworks.com/shadow-campaigns-uncovering-global-espionage/
https://therecord.media/research-cyber-espionage-targeting-dozens-worldwide
https://www.securityweek.com/cyberspy-group-hacked-governments-and-critical-infrastructure-in-37-countries/
https://www.theregister.com/2026/02/05/asia_government_spies_hacked_37_critical_networks/
- Knife Cutting The Edge: Disclosing a China-Nexus Gateway-Monitoring AitM Framework
"Cisco Talos uncovered “DKnife,” a fully featured gateway-monitoring and adversary-in-the-middle (AitM) framework comprising seven Linux-based implants that perform deep-packet inspection, manipulate traffic, and deliver malware via routers and edge devices. Based on the artifact metadata, DKnife has been used since at least 2019 and the command and control (C2) are still active as of January 2026. DKnife’s attacks target a wide range of devices, including PCs, mobile devices, and Internet of Things (IoT) devices. It delivers and interacts with the ShadowPad and DarkNimbus backdoors by hijacking binary downloads and Android application updates."
https://blog.talosintelligence.com/knife-cutting-the-edge/
- Prince Of Persia, Part II: Covering Tracks, Striking Back & a Revealing Link To The Iranian Regime Amid The Country’s Internet Blackout
"On December 18, 2025, we shared Part I of our most recent research project on the Iranian state-sponsored threat actor known as “Prince of Persia.” SafeBreach Labs has followed this threat actor since 2019 and originally published research in 2021 that presented evidence they had dramatically reinforced their operations security activities, technical proficiency, and tooling capabilities. However, for the next three years, there was no publicly identified activity from the group. Our research team continued to hunt for evidence based on a variety of anchors and patterns we defined. As a result, we were able to maintain unprecedented visibility into their malicious activity during this time."
https://www.safebreach.com/blog/prince-of-persia-part-ii/
https://thehackernews.com/2026/02/infy-hackers-resume-operations-with-new.html
- Italy Claims Cyberattacks 'of Russian Origin' Are Pelting Winter Olympics
"Italy's foreign minister says the country has already started swatting away cyberattacks from Russia targeting the Milano Cortina Winter Olympics. Antonio Tajani told reporters on Wednesday that a series of cyberattacks targeted some of the government's foreign offices, including the one in the US capital. He said they were "of Russian origin," but did not specify whether this appeared to be state-backed activity, nor provide details about the nature of the attacks, AP reported."
https://www.theregister.com/2026/02/05/winter_olympics_russian_attacks/
- Malicious Use Of Virtual Machine Infrastructure
"In late 2025, SophosLabs analysts investigated several WantToCry remote ransomware incidents. In each case, the attackers used virtual machines with autogenerated NetBIOS hostnames derived from Windows templates provisioned by ISPsystem, a legitimate provider of IT infrastructure management platforms. Counter Threat Unit (CTU) researchers investigated the potential scale of malicious use of these devices and identified multiple internet-exposed systems associated with cybercriminal activity, including ransomware operations and commodity malware delivery. Further investigation identified multiple additional hostnames derived from ISPsystem-provisioned virtual machine templates, some of which were also used in malicious activity."
https://www.sophos.com/en-gb/blog/malicious-use-of-virtual-machine-infrastructure
https://www.bleepingcomputer.com/news/security/ransomware-gang-uses-ispsystem-vms-for-stealthy-payload-delivery/
- SaaS Abuse At Scale: Phone-Based Scam Campaign Leveraging Trusted Platforms
"This report documents a large-scale phishing campaign in which attackers abused legitimate software-as-a-service (SaaS) platforms to deliver phone-based scam lures that appeared authentic and trustworthy. Rather than spoofing domains or compromising services, the attackers deliberately misused native platform functionality to generate and distribute emails that closely resembled routine service notifications, inheriting the trust, reputation, and authentication posture of well-known SaaS providers."
https://blog.checkpoint.com/research/saas-abuse-at-scale-phone-based-scam-campaign-leveraging-trusted-platforms/
- Compromised Routers, DNS, And a TDS Hidden In Aeza Networks
"When most people say DNS, they are thinking about the global DNS system, the official mechanism for resolving domain names on the internet. But shadow systems exist. Visiting a website relies on a DNS resolution chain that iteratively queries authoritative name servers within the distributed DNS hierarchy to get an IP address. This resolution all happens in the background, and users put a lot of trust into DNS resolvers without even realizing they exist. If the IP address of those resolvers is changed, a website’s domain name might resolve to an entirely different IP address, sending an unwitting visitor to an entirely different location."
https://www.blogs.infoblox.com/threat-intelligence/compromised-routers-dns-and-a-tds-hidden-in-aeza-networks/
https://hackread.com/sanctioned-bulletproof-host-hijack-old-home-routers/
- Pro-Russian Group Noname057(16) Launched DDoS Attacks On Milano Cortina 2026 Winter Olympics
"Italy has thwarted a series of Russian-linked cyberattacks aimed at Foreign Ministry offices, including one in Washington, as well as Winter Olympics websites and hotels in Cortina d’Ampezzo, according to Foreign Minister Antonio Tajani. “We have foiled a series of cyberattacks on Foreign Ministry offices, starting with Washington, and also on some Winter Olympic sites, including hotels in Cortina,” said Tajani, who is also deputy premier, emphasizing that “these are Russian-led actions.” Foreign Minister Antonio Tajani told reporters during a trip to Washington, as reported by the Italian news agency ANSA."
https://securityaffairs.com/187654/hacktivism/pro-russian-group-noname05716-launched-ddos-attacks-on-milano-cortina-2026-winter-olympics.html
https://therecord.media/italy-blames-russia-linked-hackers-winter-games-cyberattack
https://www.securityweek.com/italy-averted-russian-linked-cyberattacks-targeting-winter-olympics-websites-foreign-minister-says/
- Technical Analysis Of Marco Stealer
"Zscaler ThreatLabz has discovered an information stealer that we named Marco Stealer, which was first observed in June 2025. Marco Stealer primarily targets browser data, cryptocurrency wallet information, files from popular cloud services like Dropbox and Google Drive, and other sensitive files stored on the victim’s system. Marco Stealer implements several anti-analysis techniques including string encryption and terminating security tools. The malware leverages HTTP for command-and-control (C2) with messages encrypted with 256-bit AES."
https://www.zscaler.com/blogs/security-research/technical-analysis-marco-stealer
- Inside a Sophisticated Recovery Scam Network: Evidence From a Live Investigation Into Legal Services Impersonation
"Business impersonation scams aren’t new. But the way they operate today is very different from what most people expect. Volumes are up 148% year over year, driven by AI-assisted content generation, deepfake tooling, and the increasing ease of cloning entire websites in minutes. Gone are typo-ridden phishing pages. Today, phishing pages are polished, credible, and designed to look exactly like those created by real businesses, professionals, and trusted institutions."
https://www.sygnia.co/blog/inside-recovery-scam-network-legal-impersonation/
https://www.securityweek.com/researchers-expose-network-of-150-cloned-law-firm-websites-in-ai-powered-scam-campaign/
- APT28’s Stealthy Multi-Stage Campaign Leveraging CVE‑2026‑21509 And Cloud C2 Infrastructure
"Russian state-sponsored threat group APT28 (aka Fancy Bear or UAC-0001) has launched a sophisticated espionage campaign targeting European military and government entities, specifically targeting maritime and transport organizations across Poland, Slovenia, Turkey, Greece, the UAE, and Ukraine. The attackers weaponized a newly disclosed Microsoft Office 1-day (CVE-2026-21509) within 24 hours of its public revelation, using spear-phishing documents to compromise Ukrainian government agencies and EU institutions [1]. This campaign features a multi-stage infection chain and novel payloads, including a simple initial loader, an Outlook VBA backdoor (NotDoor), and a custom C++ implant dubbed “BeardShell.” The threat actors abuse legitimate cloud storage (filen.io) as command-and-control (C2) infrastructure, blending malicious traffic with normal user activity."
https://www.trellix.com/blogs/research/apt28-stealthy-campaign-leveraging-cve-2026-21509-cloud-c2/
https://therecord.media/russian-hackers-microsoft-office-europe
Breaches/Hacks/Leaks
- Betterment Data Breach
"In January 2026, the automated investment platform Betterment confirmed it had suffered a data breach attributed to a social engineering attack. As part of the incident, Betterment customers received fraudulent crypto-related messages promising high returns if funds were sent to an attacker-controlled cryptocurrency wallet. The breach exposed 1.4M unique email addresses, along with names and geographic location data. A subset of records also included dates of birth, phone numbers, and physical addresses. In its disclosure notice, Betterment stated that the incident did not provide attackers with access to customer accounts and did not expose passwords or other login credentials."
https://haveibeenpwned.com/Breach/Betterment
https://www.bleepingcomputer.com/news/security/data-breach-at-fintech-firm-betterment-exposes-14-million-accounts/
https://www.theregister.com/2026/02/05/betterment_hack/
- Spain's Ministry Of Science Shuts Down Systems After Breach Claims
"Spain's Ministry of Science (Ministerio de Ciencia) announced a partial shutdown of its IT systems, affecting several citizen- and company-facing services. Ministerio de Ciencia, Innovación y Universidades is the Spanish government body responsible for science policy, research, innovation, and higher education. Among others, it maintains administrative systems used by researchers, universities, and students that handle high-value, sensitive information."
https://www.bleepingcomputer.com/news/security/spains-ministry-of-science-shuts-down-systems-after-breach-claims/
- Italian University La Sapienza Goes Offline After Cyberattack
"Rome’s “La Sapienza” university has been targeted by a cyberattack that impacted its IT systems and caused widespread operational disruptions at the educational institute. The university first disclosed the incident in a social media post earlier this week, saying that its IT infrastructure "has been the target of a cyberattack." “As a precautionary measure, and in order to ensure the integrity and security of data, an immediate shutdown of network systems has been ordered,” the organization said."
https://www.bleepingcomputer.com/news/security/italian-university-la-sapienza-goes-offline-after-cyberattack/
- Romanian Oil Pipeline Operator Conpet Discloses Cyberattack
"Conpet, Romania's national oil pipeline operator, has disclosed that a cyberattack disrupted its business systems and took down the company's website on Tuesday. Conpet operates nearly 4,000 kilometers of pipeline network, supplying domestic and imported crude oil and derivatives, including gasoline and liquid ethane, to refineries nationwide. In a Wednesday press release, the company said the incident affected its corporate IT infrastructure but didn't disrupt its operations or its ability to fulfill its contractual obligations."
https://www.bleepingcomputer.com/news/security/romanian-oil-pipeline-operator-conpet-discloses-cyberattack-qilin-ransomware/
- Newsletter Platform Substack Notifies Users Of Data Breach
"Newsletter platform Substack is notifying users of a data breach after attackers stole their email addresses and phone numbers in October 2025. Although the incident occurred four months ago, CEO Chris Best told affected users that Substack only discovered the breach this week. However, while the attackers stole some users' data, Best added that they didn't access credentials or financial information."
https://www.bleepingcomputer.com/news/security/newsletter-platform-substack-notifies-users-of-data-breach/
https://therecord.media/substack-data-breach-notification
https://securityaffairs.com/187659/uncategorized/hacker-claims-theft-of-data-from-700000-substack-users-company-confirms-breach.html
https://www.securityweek.com/substack-discloses-security-incident-after-hacker-leaks-data/
https://www.theregister.com/2026/02/05/substack_admit_security_incident/
https://hackread.com/substack-breach-user-records-leak-cybercrime-forum/
- 280+ Leaky Skills: How OpenClaw & ClawHub Are Exposing API Keys And PII
"On Monday, February 3rd, Snyk Staff Senior Engineer Luca Beurer-Kellner and Senior Incubation Engineer Hemang Sarkar uncovered a massive systemic vulnerability in the ClawHub ecosystem (clawhub.ai). Unlike the malware campaign we reported yesterday involving specific malicious actors, this new finding reveals a broader, perhaps more dangerous trend: widespread insecurity by design. In this write-up, Snyk is presenting Leaky Skills - uncovering exposed and insecure credentials usage in Agent Skills. Scanning the entire ClawHub marketplace (3,984 skills) using Evo Agent Security Analyzer, our researchers found that 283 skills, an estimated 7.1% of the entire registry, contain critical security flaws that expose sensitive credentials."
https://snyk.io/blog/openclaw-skills-credential-leaks-research/
https://www.theregister.com/2026/02/05/openclaw_skills_marketplace_leaky_security/
General News
- Why Boards Should Be Obsessed With Their Most ‘boring’ Systems
"Following a series of high-profile cyberattacks, boards of directors are now requiring their organizations to take greater responsibility for the risks posed by enterprise resource planning (ERP) systems. The Jaguar Land Rover (JLR) incident in Sept. 2025 illustrates the severe consequences of such attacks. The cyberattack forced JLR to halt production for six weeks, making it the costliest cyberattack in Britain’s history. The company’s revenue declined 24 percent that quarter, accounting for potentially over a $1.2 billion drop in earnings, and subsequently reported a 43.3% wholesale sales volume drop the following quarter."
https://cyberscoop.com/boardroom-erp-cybersecurity-sap-ransomware-resilience-op-ed/
- Cybersecurity Planning Keeps Moving Toward Whole-Of-Society Models
"National governments already run cybersecurity through a mix of ministries, regulators, law enforcement, and private operators that own most critical systems. In that environment, guidance circulating among policymakers outlines how national cybersecurity strategies increasingly tie together risk management, workforce planning, technology standards, and coordination across sectors."
https://www.helpnetsecurity.com/2026/02/05/cybersecurity-planning-national-cybersecurity-strategy/
- Measuring AI Use Becomes a Business Requirement
"Enterprise teams already run dozens of AI tools across daily work. Usage stretches from code generation and analytics to customer support drafting and internal research. Oversight remains uneven across roles, functions, and industries. A new Larridin survey of enterprise leaders places measurement and governance at the center of this operating environment."
https://www.helpnetsecurity.com/2026/02/05/measuring-ai-use-becomes-a-business-requirement/
- AI-Enabled Voice And Virtual Meeting Fraud Surges 1000%+
"Fraudsters significantly ramped up their use of AI to enhance campaigns across voice and virtual meeting channels last year, boosting speed and volume, according to Pindrop. The voice authentication and deepfake detection specialist said its new report, Inside the 2025 AI Fraud Spike, is based on its own data collected between January and December 2025. The firm pointed to a 1210% increase in AI-enabled fraud during this time, versus a 195% surge in traditional fraud."
https://www.infosecurity-magazine.com/news/ai-voice-virtual-meeting-fraud/
- Cloud Sovereignty Is No Longer Just a Public Sector Concern
"Sovereignty remains a hot topic in the tech industry, but interpretations of what it actually means – and how much it matters – vary widely between organizations and sectors. While public bodies are often driven by regulation and national policy, the private sector tends to take a more pragmatic, cost-focused view."
https://www.theregister.com/2026/02/05/opennebula_sovereignty_interview/
- Cybereason TTP Briefing Q4 2025: Diverse Phishing Tactics And RATs On The Rise
"Explore the latest trends, techniques, and procedures (TTPs) our incident response (IR) experts are actively facing with the TTP Briefing Q4 2025, a report built on frontline threat intelligence from our global incident response investigations, enriched by noteworthy detections from our SOC."
https://www.cybereason.com/blog/ttp-briefing-q4-2025
- Cyber Success Trifecta: Education, Certifications & Experience
"As organizations grapple with increasingly sophisticated threats, the need for leaders who can balance technological innovation with robust risk management is paramount. In this episode of "Heard It from A CISO," Dark Reading's Kristina Beek sits down with Col. Georgeo Xavier Pulikkathara, a seasoned cybersecurity expert and CISO at iMerit, to explore the challenges, insights, and lessons learned from his ongoing journey in the field."
https://www.darkreading.com/cybersecurity-operations/the-trifecta-of-cyber-success-education-certifications-and-experience
- Latest Public Sector AI Adoption Trends: What Government, Healthcare, And Education Security Teams Need To Know
"The public sector isn’t taking a “trial-and-error” approach to AI adoption. Government, healthcare, and education systems have to work—often under tight budgets, legacy constraints, and high uptime expectations—and data must be protected, especially when it includes citizen records, patient information, and student data. The ThreatLabz 2026 AI Security Report examined 989.3 billion total AI/ML transactions across the Zscaler Zero Trust Exchange throughout 2025, revealing a public sector AI adoption story defined by accelerating (albeit uneven) adoption. Some sectors are scaling quickly; others, more gradually and quietly."
https://www.zscaler.com/blogs/security-research/latest-public-sector-ai-adoption-trends-what-government-healthcare-and
- 2025 Q4 DDoS Threat Report: A Record-Setting 31.4 Tbps Attack Caps a Year Of Massive DDoS Assaults
"Welcome to the 24th edition of Cloudflare’s Quarterly DDoS Threat Report. In this report, Cloudforce One offers a comprehensive analysis of the evolving threat landscape of Distributed Denial of Service (DDoS) attacks based on data from the Cloudflare network. In this edition, we focus on the fourth quarter of 2025, as well as share overall 2025 data. The fourth quarter of 2025 was characterized by an unprecedented bombardment launched by the Aisuru-Kimwolf botnet, dubbed “The Night Before Christmas" DDoS attack campaign. The campaign targeted Cloudflare customers as well as Cloudflare’s dashboard and infrastructure with hyper-volumetric HTTP DDoS attacks exceeding rates of 200 million requests per second (rps), just weeks after a record-breaking 31.4 Terabits per second (Tbps) attack."
https://blog.cloudflare.com/ddos-threat-report-2025-q4/
https://thehackernews.com/2026/02/aisurukimwolf-botnet-launches-record.html
- Smartphones Now Involved In Nearly Every Police Investigation
"Digital evidence, especially that extracted from smartphones, is now key to nearly all police investigations, a new report from Cellebrite has confirmed. The Israeli forensics company compiled its 2026 Industry Trends Report based on interviews with 1200 law enforcement practitioners in 63 countries. It found that a majority (95%) now agree that digital evidence is key to solving cases, up from 74% two years ago. In fact, nearly all (97%) respondents noted that the public expects it to be used in almost all cases."
https://www.infosecurity-magazine.com/news/smartphones-involved-every-police/
- AI Pentesting: Minimum Safety Requirements For Security Testing
"If you feel uneasy about AI penetration testing, you’re not behind the curve. You’re probably ahead of it. Security testing is one of the first areas where AI is no longer just helping humans, but acting on its own. Modern AI pentesting systems explore applications independently, execute real actions, and adapt based on what they see. That is powerful. It also raises very real questions about control, safety, and trust. This post is not about whether AI pentesting works. It’s about when it is actually safe to run."
https://www.aikido.dev/blog/ai-pentesting-safety-requirements
References
Electronic Transactions Development Agency (ETDA)