Cyberveille curated by Decio
Norwegian intelligence discloses country hit by Salt Typhoon campaign https://therecord.media/norawy-intelligence-discloses-salt-typhoon-attacks
09/02/2026 16:04:36

The Record from Recorded Future News
therecord.media
Alexander Martin
February 6th, 2026

Norwegian intelligence discloses country hit by Salt Typhoon campaign
Norway’s domestic security agency confirmed Friday that the Chinese state-sponsored espionage campaign tracked as Salt Typhoon compromised network devices in Norwegian organizations.

The disclosure was made in the Norwegian Police Security Service’s (PST) annual threat assessment for 2026. The agency’s director general, Beate Gangås, said Norway was “facing its most serious security situation since World War II,” citing pressure from multiple foreign intelligence services.

Salt Typhoon is the name U.S. and allied authorities use for a Chinese cyber espionage campaign that has focused heavily on breaching telecommunications and other critical infrastructure. In its report, PST said the actor has exploited vulnerable network devices in Norway.

Gangås said foreign states — particularly China, Russia and Iran — are “conducting intelligence operations and employing hybrid tactics in Norway to undermine our resilience,” stressing the “vital” need for stronger protective security, intelligence and situational awareness.

The assessment said Chinese security and intelligence services have strengthened their ability to operate in Norway, including through cyber operations and human intelligence collection, adding that “the primary intelligence threat from China is in the cyber domain.”

China is described as posing a “substantial” threat and is expected to continue improving its efforts to collect intelligence and map Norwegian digital infrastructure.

PST also warned that China is “systematically” exploiting collaborative research and development projects to bolster its own military capacity and security capabilities.

Salt Typhoon has been linked to significant breaches of telecommunications providers and other critical infrastructure abroad. U.S. officials have said the campaign allowed attackers to intercept communications linked to senior political figures during the 2024 presidential race, including Donald Trump and JD Vance.

Last year, more than a dozen allied countries issued a joint advisory blaming three Chinese technology companies for enabling the espionage campaign, saying the intrusions were used to track the communications and movements of specific targets.

While China dominates the cyber threat picture, PST said Russia remains the principal overall threat to Norway’s security. The agency cited sustained espionage, mapping of critical infrastructure, pressure on Ukrainian refugees, covert intelligence operations using civilian vessels and the risk of sabotage.

Russian intelligence has been “closely monitoring military targets and allied activities and capabilities in Norway for many years,” the report said, adding that the tense geopolitical situation in Europe is likely to drive increased activity.

PST said it expects that to include more Russian cyber operations, influence campaigns and attempts to recruit sources via digital platforms in 2026, describing cyber activity as an integral part of Moscow’s broader intelligence effort alongside traditional espionage and influence work.

“The tense geopolitical situation in Europe means that Russian intelligence has several areas of interest in relation to Norway and other NATO countries. Given the increase in military targets on Norwegian soil, the stronger allied presence, and additional military exercises, we anticipate heightened activity from Russian intelligence services,” the agency added.

Iranian intelligence services are also expected to carry out intelligence and influence operations in Norway, the PST said, warning the regime may attempt to target Western interests through property damage, targeted assassinations, terrorist acts or destructive cyber operations.

The PST said the assessment underlines the need for closer cooperation between authorities and the private sector, particularly operators of critical infrastructure, as foreign intelligence services increasingly combine cyber operations with more traditional espionage and influence campaigns.

therecord.media EN 2026 Norway China Salt-Typhoon campaign
BridgePay Network Solutions Status - BridgePay Gateway - Outage - Under Investigation https://status.bridgepaynetwork.com/incidents/mgg52286dn24
09/02/2026 12:02:36

BridgePay Network Solutions' Status Page - BridgePay Gateway - Outage - Under Investigation.

Update
We are continuing to work with our internal teams and external partners to address the issue.

At this time, we do not have any new information to share. We understand the impact this disruption may have and sincerely appreciate your patience as our teams continue their work.

We will provide another status update tomorrow with any new information available.
Posted 12 hours ago. Feb 08, 2026 - 18:06 EST
Update
At this time, there is no new confirmed information to report. Our teams, along with federal authorities and cybersecurity specialists, are working diligently on forensic analysis, system security, and recovery planning. Restoration efforts are actively underway, and all work is being conducted with care to ensure systems are brought back online safely and securely. We do not have an ETA on when this process will be completed. Because of the nature of the attack (ransomware), we are still in the early stages of this process.

We do want to reiterate this was not a card data breach. No card data was compromised and any file that may have been accessed was encrypted.

We understand the disruption this causes and truly appreciate your continued patience, support, and understanding during this process.

We remain committed to transparent communication and will provide further updates as soon as meaningful new information becomes available.
Posted 2 days ago. Feb 07, 2026 - 16:14 EST
Update
We want to provide a further update regarding the cybersecurity incident affecting our systems.
It is very unfortunate that we are all facing this situation in today’s world, and we are deeply grateful for the patience, understanding, and support we have received — especially from our partners, who have offered assistance and expertise during this time.
We can now confirm that this incident was the result of a ransomware attack. As previously noted, we have engaged both local and federal authorities, along with specialized forensic and recovery teams, to assist with investigation, containment, and system restoration. We are also working closely with leading cybersecurity firms to restore operations as quickly and safely as possible.
Initial forensic findings indicate that no payment card data has been compromised, and any files that may have been accessed were encrypted. At this time, there is no evidence of usable data exposure.
We recognize that recovery may be a lengthy process, and we are working with urgency and diligence to restore systems and services in a secure and responsible manner. Our priority remains protecting our customers, partners, and operations.
We will continue to provide updates as restoration efforts progress and additional verified information becomes available.
Thank you again for your patience, trust and continued support.
Posted 2 days ago. Feb 06, 2026 - 19:08 EST
Identified
At this time, our systems are temporarily unavailable. We are actively working with the U.S. Secret Service forensic team and cybersecurity professionals to secure our environment and obtain clearance to access our systems so we can fully assess the scope of the incident. This will allow us to better understand the extent of the impact and determine the appropriate restoration and recovery process.
Please know that this matter is being treated with the highest priority, and every available resource is being dedicated to resolving the situation safely and responsibly. We do not believe there is a threat or vulnerability for our integrators at this time.
We sincerely appreciate your patience and understanding during this time. We will provide updates as soon as new information becomes available and as restoration efforts progress.
Thank you for your continued trust and support.
Posted 3 days ago. Feb 06, 2026 - 12:00 EST
Update
We are currently experiencing a system-wide service disruption. We have identified that this outage is related to a cybersecurity incident and are actively investigating with our internal teams and external specialists including the FBI.

At this time, we do not have an estimated timeframe for full restoration of services. Our teams are working diligently to assess the impact, contain the issue, and restore systems as quickly and safely as possible.

We will provide additional updates as more information becomes available. We appreciate your patience and understanding during this time.
Posted 3 days ago. Feb 06, 2026 - 06:34 EST
Investigating
BridgePay systems are currently experiencing an outage.
Our team is engaged and investigating the cause.
Expected time for resolution is unknown at this time.
Posted 3 days ago. Feb 06, 2026 - 05:48 EST
This incident affects: PathwayLink Gateway (T-Gate) - Production (Gateway.Itstgate.com - Virtual Terminal, Reporting, API, PathwayLink Boarding Portal), PathwayLink (T-Gate) UAT - Certification Environment (GatewayStage.Itstgate.com - Virtual Terminal, Reporting, API, PathwayLink UAT Boarding Portal), BridgePay Gateway - Production (BridgePay Gateway API - BridgeComm, PayGuardian Cloud API, MyBridgePay Portal - Virtual Terminal and Reporting, BridgePay Gateway WebLink 3.0 - Hosted Payment Page), BridgePay UAT - Certification Environment (BridgePay UAT API - BridgeComm, PayGuardian Cloud UAT API, MyBridgePay UAT Portal - Virtual Terminal and Reporting, BridgePay UAT WebLink 3.0 - Hosted Payment Page), and BridgePay Support (BridgePay Integration Support Portal, BridgePay Phone Support, BridgePay Email Support).

bridgepaynetwork.com EN 2026 ransomware outage
Summary of SmarterTools Breach and SmarterMail CVEs https://portal.smartertools.com/community/a97747/summary-of-smartertools-breach-and-smartermail-cves.aspx
09/02/2026 11:54:37

SmarterTools Derek Curtis - 03/02/2026 at 15:45

As promised, we wanted to provide additional information regarding the network breach we experienced last Thursday (January 29, 2026), along with summaries of our releases and what we have observed both on our servers and when working with SmarterMail customers who have been compromised.

Our Network Breach
Prior to the breach, we had approximately 30 servers/VMs with SmarterMail installed throughout our network. Unfortunately, we were unaware of one VM, set up by an employee, that was not being updated. As a result, that mail server was compromised, which led to the breach.

We isolate our networks, as is best practice, in the event of a breach. Because of this segmentation, our website, shopping cart, My Account portal, and several other services remained online while we mitigated the issue. None of our business applications or account data were affected or compromised.

As for what was affected, it was the network at our office and at another data center which primarily had various labs where we do much of our QC work, etc. At the data center, we hosted our Portal as well as our Hosted SmarterTrack network, which was connected via Active Directory. We didn’t see much affected there and, out of an abundance of caution, we restored some of those servers from the most recent backup, which was six hours old.

Because we are primarily a Linux company now, only about 12 Windows servers looked to be compromised and on those servers, our virus scanners blocked most efforts. None of the Linux servers were affected.

When we first noticed the breach, we instantly shut off all servers at the two locations and we disabled all internet until we completely evaluated all aspects of the breach and either eliminated servers and/or restored servers to be safe.

As a result of all this, our networks look very different than before. We have eliminated Windows from our networks where we could and we no longer use Active Directory services. Our policy in these scenarios is to replace passwords throughout our network as well.

Another thing to note: SentinelOne did a really good job detecting vulnerabilities and preventing servers from being encrypted. We use multiple virus vendors, but we saw great results with SentinelOne and wanted to give them a shout out and encourage customers to take a look. Whatever virus scanner you run on a SmarterMail server, please be sure to look at our knowledge base article on exclusions so you do not corrupt any files. Please review here: https://portal.smartertools.com/kb/a3249/virus-scanner-exceptions-for-smartermail.aspx#

We hope this helps customers understand the scope of the breach and what steps we took. More info on what we saw and what we are seeing on customers’ servers that have been compromised are included below.

Recent SmarterMail Releases
As mentioned in our previous emails, Build 9518 (January 15, 2026) contains all fixes related to the CVEs that were announced. Build 9526 (January 22, 2026) complements those fixes with additional improvements and resolves lesser issues that have been brought to our attention and/or discovered during our internal security audits.

It remains challenging to ensure all customers keep their installations up to date. Every build we release has significance. Even smaller security updates can help prevent issues such as denial-of-service attacks that might otherwise consume excessive server memory or CPU, etc.

Email remains as critical today as ever, and threats against mail servers are as high as they have ever been. The attacks are constantly evolving and technologies are constantly changing, and SmarterTools must make changes that are not always appreciated or understood. Examples include the deprecation of TLS 1.0/1.1 in favor of TLS 1.2 and above, the enforcement of SPF, DKIM, and DMARC requirements by major email providers, and other evolving standards.

Moving forward, we are continuing to audit all of our products and we will continue working with security companies and independent researchers if/when they find bugs or other issues. We are making continual updates—no matter how small—to ensure our products are as secure and optimized as possible.

As of now, there are no major known security issues with SmarterMail.

In addition, we are making a concerted effort to improve transparency in how we communicate security updates. This situation is unprecedented in our company’s history, and we are learning a great deal from it—with the help of our customers. While we do not anticipate a recurrence, we will approach any future incident even more proactively and effectively than we have.

Malicious Behaviors We Have Seen
As you can imagine, we have been working extensively with customers whose systems were vulnerable to attack. We were compromised by a group known as the Warlock Group, and we have observed similar activity on customer machines.

Once these bad actors gain access, they typically install files and wait approximately 6–7 days before taking further action. This explains why some customers experienced a compromise even after updating—the initial breach occurred prior to the update, but malicious activity was triggered later.

They often attempt to take control of the Active Directory server and create new users. From there, they distribute files across Windows machines and attempt to execute files that encrypt data.

Common folders used:
  • Public folders
  • AppData
  • ProgramData
  • SmarterTools \ SmarterMail directories

Common file names and programs observed:
  • Velociraptor
  • JWRapper
  • Remote Access
  • SimpleHelp
  • WinRAR (specifically older, vulnerable versions)
  • Run.exe
  • Run.dll
  • main.exe
  • Short, random filenames such as e0f8rM_0.ps1 or abc...
  • Random .aspx files

Other indicators:
  • Unusual local users or administrators
  • Suspicious startup items
  • Newly created or modified scheduled tasks

It is also important to note that CVEs are being discovered across many different products. Some groups install legitimate-looking applications on servers and exploit them later. For example, the Warlock Group frequently targets CVEs in SharePoint and Veeam and has now targeted SmarterMail. Recent Notepad++ update vulnerabilities are another example of how trusted applications can be leveraged to further exploit systems, servers, and desktops.

Based on our observations, the Warlock Group primarily targets Windows environments. We are now primarily a Linux-based company and found no Linux servers exposed to compromise.

A Final Word
We hope this provides a fuller summary of what we have seen and what customers can look for in their own environments. We also hope it demonstrates that we are taking every possible step to prevent issues like this from occurring again and making every effort to consolidate what we’re seeing and sharing with our customers.

Finally, we continue to experience elevated support volumes, but response times are improving and are now measured in hours rather than days.
Derek Curtis
CCO
SmarterTools Inc.
www.smartertools.com

smartertools.com EN 2026 Breach
Exclusive: US used cyber weapons to disrupt Iranian air defenses during 2025 strikes https://therecord.media/iran-nuclear-cyber-strikes-us
06/02/2026 10:22:26

The Record from Recorded Future News
therecord.media
Martin Matishak
February 4th, 2026

The U.S. military digitally disrupted Iranian air missile defense systems during its operation last year against the country’s nuclear program, some of the most sophisticated action Cyber Command has taken to date against Iran.

Exclusive: US used cyber weapons to disrupt Iranian air defenses during 2025 strikes
The U.S. military last year digitally disrupted Iranian air missile defense systems as part of a coordinated operation to destroy the country’s nuclear program, according to several U.S. officials, another sign of America’s growing comfort with employing cyber weapons in warfare.

The strike on a separate military system connected to the nuclear sites at Fordo, Natanz and Isfahan helped to prevent Iran from launching surface-to-air missiles at American warplanes that had entered Iranian airspace, the officials said.

“Military systems often rely on a complex series of components, all working correctly. A vulnerability or weakness at any point can be used to disrupt the entire system,” according to one individual familiar with the matter who, like others, spoke on the condition of anonymity to discuss sensitive information.

In hitting a so-called “aim point” — a mapped node on a computer network, such as a router, a server or some other peripheral device — U.S. operators, enabled by intelligence from the National Security Agency, bypassed what would have been a more difficult task of breaking into a military system located at one, or all, of the fortified nuclear facilities.

“Going ‘upstream’ can be extraordinarily hard, especially against one of our big four adversaries,” another official said, referring to the quartet of Iran, China, Russia and North Korea.

“You need to find the Achilles heel.”

None of the officials would specify what kind of device was attacked. At the request of sources, Recorded Future News withheld certain details about the cyberattack due to national security concerns.

“U.S. Cyber Command was proud to support Operation Midnight Hammer and is fully equipped to execute the orders of the Commander-in-Chief and the Secretary of War at any time and in any place,” a command spokesperson said in a statement, without elaborating.

The digital element of June’s Operation Midnight Hammer, which has not been previously reported, is some of the most sophisticated action Cyber Command has taken against Iran in its nearly 16-year history.

Since being granted authorities to augment its offensive capabilities during the first Trump administration, the command skirmished with the Islamic Revolutionary Guard Corps and Iranian hacker groups in the run-up to the 2020 presidential election and moved against government-aligned malicious actors before they could disrupt the 2022 midterms.

Gen. Dan Caine, the chairman of the Joint Chiefs of Staff, publicly lauded Cyber Command’s contribution during a Pentagon press conference after Midnight Hammer concluded, noting it had supported the “strike package” that saw all three nuclear sites hit in a span of less than a half-hour.

The command received similar kudos last month after it conducted cyber operations that officials say knocked out power to Venezuela's capital and disrupted air defense radar, as well as handheld radios, as part of the mission to capture President Nicolás Maduro.

Cyber Command and others “began layering different effects” on Venezuela as commandos approached in helicopters in order to “create a pathway” for them, Caine said during a press conference at Mar-a-Lago.

Little has been shared about the command’s role in the ouster of Maduro, however. And while lawmakers received classified briefings on both digital operations last month, they are seeking more information about the digital attacks on Iran and Venezuela, hoping some details will eventually be shared with the public.

Venezuela has “been in the news and a lot of discussion about the fact that this was a good example of what happens when you combine all of the joint forces, including cyber operations,” Sen. Mike Rounds (R-SD), the chair of the Senate Armed Services cyber subcommittee, said during a hearing with defense officials last week.

“I understand that this [setting] is unclassified but there's a lot of folks out there that might now have a curiosity about this, and they may very well want to be a part of a team in the future that you're going to have to try to recruit,” he added.

The officials, for their part, declined to offer any fresh details and instead touted the use of cyber capabilities.

“I would tell you not just [Operation] Absolute Resolve [in Venezuela] but Midnight Hammer, in a number of other operations, we've really graduated to the point where we’re treating a cyber capability just like we would a kinetic capability, not sprinkling cyber on,” Army Lt. Gen. William Hartman, the acting chief of the command and the NSA, told the subcommittee.

Air Force Brig. Gen. Ryan Messer, deputy director for global operations on the Joint Staff, noted that Caine has put an “emphasis on not just traditional kinetic effects, but the role non-kinetic effects play in all of our global operations, especially cyber.”

He said that over the last six months, the Joint Staff has developed a “non-kinetic effects cell” that is “designed to integrate, coordinate and synchronize all of our non-kinetics into the planning and then, of course, the execution of any operation globally.”

In military jargon, “non-kinetic effects” are produced through capabilities like cyber tools, while “kinetic” generally refers to striking targets with missiles or by other physical means.

“The reality is that we’ve now pulled cyber operators to the forefront,” Messer said.

Iran and Venezuela suggest the “ideal use cases for cyber operations as enablers of conventional military operations,” according to Erica Lonergan, an adjunct fellow at the Foundation for Defense of Democracies’ Center on Cyber and Technology Innovation.

“Altogether, both of these operations reflect the routinization of the use of cyber capabilities during military operations, and we should expect to see more of these in the future. In my view, this is a good thing, because it suggests we are moving beyond seeing cyber as a unique, exquisite (and dangerous) capability,” said Lonergan, a former director of the congressionally-mandated Cyberspace Solarium.

“I would not generalize from these cases to make inferences about how this might play out in the context of a contingency involving an adversary like China.”

therecord.media EN 2026 US Iran cyber-weapons military
Data breach at govtech giant Conduent balloons, affecting millions more Americans | TechCrunch https://techcrunch.com/2026/02/05/data-breach-at-govtech-giant-conduent-balloons-affecting-millions-more-americans/
06/02/2026 10:17:10

techcrunch.com
Zack Whittaker
7:25 AM PST · February 5, 2026

The ransomware attack at Conduent allowed hackers to steal a “significant number of individuals’ personal information” from the govtech giant’s systems. Conduent handles personal and health data of more than 100 million people across America.

A data breach at government technology giant Conduent appears to affect far more people than first disclosed, with the number of victims potentially stretching to dozens of millions of people across the United States.

The January 2025 ransomware attack, which knocked out Conduent’s operations for several days, is now known to affect at least 15.4 million people in Texas alone, accounting for about half of the state’s population. Conduent said in October that 4 million people across the state were affected.

Another 10.5 million people are affected across Oregon, per the state’s attorney general.

Conduent has also notified hundreds of thousands of people across Delaware, Massachusetts, New Hampshire, and other states, according to data breach notifications seen by TechCrunch.

The stolen data includes individuals’ names, Social Security numbers, medical data, and health insurance information.

One of the largest government contractors today, Conduent handles and processes large amounts of personal and sensitive information on behalf of large corporations, government departments, and several U.S. states. The company says its technology and operational support services reach more than 100 million people in the United States across various government healthcare programs.

When contacted with several questions about the data breach, Conduent spokesperson Sean Collins provided a boilerplate statement that did not address the questions, nor did they answer if Conduent knows how many individuals are affected by the cyberattack. The spokesperson would not say if the breach affects more than 100 million people.

Collins said that the company has been working to “conduct a detailed analysis of the affected files to identify the personal information” taken in the breach but would not say how many data breach notifications the company has sent out to date.

Little else is known about the breach, and the company has disclosed few details. Conduent disclosed the cyberattack in April, months after hackers knocked out the company’s systems, which resulted in outages to government services across the United States.

The Safeway ransomware gang took credit for the breach, claiming to have stolen over 8 terabytes of data.

In a later SEC filing, the company said that the stolen datasets “contained a significant number of individuals’ personal information associated with our clients’ end-users,” referring to its corporate and government customers.

Conduent also said it is continuing to notify individuals whose data was stolen in the breach, and plans to conclude alerting individuals by early 2026. The company did not give a more specific timeline.

techcrunch.com EN 2026 Conduent ransomware
X offices raided in France as UK opens fresh investigation into Grok https://www.bbc.com/news/articles/ce3ex92557jo
04/02/2026 10:36:02

bbc.com
Liv McMahon
Technology reporter

Elon Musk's X and Grok platforms are facing increased scrutiny from authorities on both sides of the Channel.
The French offices of Elon Musk's X have been raided by the Paris prosecutor's cyber-crime unit, as part of an investigation into suspected offences including unlawful data extraction and complicity in the possession of child sexual abuse material (CSAM).

The prosecutor's office also said both Musk and former X chief executive Linda Yaccarino had been summoned to appear at hearings in April.

In a separate development, the UK's Information Commissioner's Office (ICO) announced a probe into Musk's AI tool, Grok, over its "potential to produce harmful sexualised image and video content."

Writing on X, Musk said the raid was a "political attack".
The company said in a statement that it was "disappointed" but "not surprised," and accused the Paris Public Prosecutor's office of an "abusive act."

X also denied any wrongdoing and said the raid "endangers free speech."

The investigation began in January 2025 when French prosecutors started looking into content recommended by X's algorithm, before being widened in July that year to include Musk's controversial AI chatbot, Grok.

Yaccarino also took to X to accuse French prosecutors of carrying out "a political vendetta against Americans."

"To be clear: they are lying," added Yaccarino, who left the firm last year.

Following Tuesday's raid, French prosecutors say they are now investigating whether X has broken the law across multiple areas.

Among potential crimes it said it would investigate were complicity in possession or organised distribution of CSAM, infringement of people's image rights with sexual deepfakes and fraudulent data extraction by an organised group.

New UK investigation
Meanwhile, UK authorities have given an update on their investigations into sexual deepfakes created by Grok and shared on X.

The images - often made using real images of women without their consent - prompted a barrage of criticism in January from victims, online safety campaigners and politicians.

The company eventually intervened to prevent the practice, after Ofcom and others launched investigations.

In an update on Tuesday, Ofcom said it was continuing to investigate the platform and was treating it as "a matter of urgency".

But it added it was currently unable to investigate the creation of illegal images by Grok in this case because it did not have sufficient powers relating to chatbots.

However, shortly afterwards the ICO said it was launching its own probe, in conjunction with Ofcom, into the processing of personal data in relation to Grok.

"The reports about Grok raise deeply troubling questions about how people's personal data has been used to generate intimate or sexualised images without their knowledge or consent, and whether the necessary safeguards were put in place to prevent this," said William Malcolm, the ICO's executive director for regulatory risk & innovation.

In late January, the European Commission announced an investigation into X's parent company xAI over concerns about the images.

A Commission spokesperson said it was in touch with France over its search of X's office in Paris.

'Not a free country'
Pavel Durov - founder of the messaging app Telegram - criticised the French authorities on Tuesday, accusing France of being "the only country in the world that is criminally persecuting all social networks that give people some degree of freedom".

"Don't be mistaken: this is not a free country," he added in a post on X.

Durov was arrested and detained in France in August 2024 over alleged moderation lapses on his messaging app, which the Paris prosecutor's office said had failed to curb criminal activity.

He was permitted to leave the country last March after the platform made some changes to the way it operates following the arrest.

These included sharing some user data with authorities in response to legal requests.

bbc.com EN 2026 Grok investigation France UK X Twitter Elon-Musk
County pays $600,000 to pentesters it arrested for assessing courthouse security https://arstechnica.com/security/2026/01/county-pays-600000-to-pentesters-it-arrested-for-assessing-courthouse-security/
31/01/2026 11:45:02

arstechnica.com - Ars Technica
Dan Goodin – Jan 29, 2026 19:30

Settlement comes more than 6 years after Gary DeMercurio and Justin Wynn's ordeal began.

Two security professionals who were arrested in 2019 after performing an authorized security assessment of a county courthouse in Iowa will receive $600,000 to settle a lawsuit they brought alleging wrongful arrest and defamation.

The case was brought by Gary DeMercurio and Justin Wynn, two penetration testers who at the time were employed by Colorado-based security firm Coalfire Labs. The men had written authorization from the Iowa Judicial Branch to conduct “red-team” exercises, meaning attempted security breaches that mimic techniques used by criminal hackers or burglars.

The objective of such exercises is to test the resilience of existing defenses using the types of real-world attacks the defenses are designed to repel. The rules of engagement for this exercise explicitly permitted “physical attacks,” including “lockpicking,” against judicial branch buildings so long as they didn’t cause significant damage.

A chilling message
The event galvanized security and law enforcement professionals. Despite the legitimacy of the work and the legal contract that authorized it, DeMercurio and Wynn were arrested on charges of felony third-degree burglary and spent 20 hours in jail, until they were released on $100,000 bail ($50,000 for each). The charges were later reduced to misdemeanor trespassing charges, but even then, Chad Leonard, sheriff of Dallas County, where the courthouse was located, continued to allege publicly that the men had acted illegally and should be prosecuted.

Reputational hits from these sorts of events can be fatal to a security professional’s career. And of course, the prospect of being jailed for performing authorized security assessment is enough to get the attention of any penetration tester, not to mention the customers that hire them.

“This incident didn’t make anyone safer,” Wynn said in a statement. “It sent a chilling message to security professionals nationwide that helping [a] government identify real vulnerabilities can lead to arrest, prosecution, and public disgrace. That undermines public safety, not enhances it.”

DeMercurio and Wynn’s engagement at the Dallas County Courthouse on September 11, 2019, had been routine. A little after midnight, after finding a side door to the courthouse unlocked, the men closed it and let it lock. They then slipped a makeshift tool through a crack in the door and tripped the locking mechanism. After gaining entry, the pentesters tripped an alarm alerting authorities.

Within minutes, deputies arrived and confronted the two intruders. DeMercurio and Wynn produced an authorization letter—known as a “get out of jail free card” in pen-testing circles. After a deputy called one or more of the state court officials listed in the letter and got confirmation it was legit, the deputies said they were satisfied the men were authorized to be in the building. DeMercurio and Wynn spent the next 10 or 20 minutes telling what their attorney in a court document called “war stories” to deputies who had asked about the type of work they do.

When Sheriff Leonard arrived, the tone suddenly changed. He said the Dallas County Courthouse was under his jurisdiction and he hadn’t authorized any such intrusion. Leonard had the men arrested, and in the days and weeks to come, he made numerous remarks alleging the men violated the law. A couple months after the incident, he told me that surveillance video from that night showed “they were crouched down like turkeys peeking over the balcony” when deputies were responding. I published a much more detailed account of the event here. Eventually, all charges were dismissed.

DeMercurio and Wynn sued Dallas County and Leonard for false arrest, abuse of process, defamation, intentional infliction of emotional distress, and malicious prosecution. The case dragged on for years. Last Thursday, five days before a trial was scheduled to begin in the case, Dallas County officials agreed to pay $600,000 to settle the case.

It’s hard to overstate the financial, emotional, and professional stresses that result when someone is locked up and repeatedly accused of criminal activity for performing authorized work that’s clearly in the public interest. DeMercurio has now started his own firm, Kaiju Security.

“The settlement confirms what we have said from the beginning: our work was authorized, professional, and done in the public interest,” DeMercurio said. “What happened to us never should have happened. Being arrested for doing the job we were hired to do turned our lives upside down and damaged reputations we spent years building.”

arstechnica.com EN 2026 pentesters authorized arrested
FBI seizes RAMP cybercrime forum used by ransomware gangs https://www.bleepingcomputer.com/news/security/fbi-seizes-ramp-cybercrime-forum-used-by-ransomware-gangs/
31/01/2026 11:39:02

bleepingcomputer.com
By Lawrence Abrams
January 28, 2026

The FBI has seized the notorious RAMP cybercrime forum, a platform used to advertise a wide range of malware and hacking services, and one of the few remaining forums that openly allowed the promotion of ransomware operations.

Both the forum's Tor site and its clearnet domain, ramp4u[.]io, now display a seizure notice stating, "The Federal Bureau of Investigation has seized RAMP."

"This action has been taken in coordination with the United States Attorney's Office for the Southern District of Florida and the Computer Crime and Intellectual Property Section of the Department of Justice," the notice reads.

The seizure banner also appears to taunt the forum's operators by displaying RAMP's own slogan, "THE ONLY PLACE RANSOMWARE ALLOWED!," followed by a winking Masha from the popular Russian kids' cartoon "Masha and the Bear."

While there has been no official announcement by law enforcement regarding this seizure, the domain name servers have now been switched to those used by the FBI when seizing domains:

Name Server: ns1.fbi.seized.gov
Name Server: ns2.fbi.seized.gov
If so, law enforcement now has access to a significant amount of data tied to the forum's users, including email addresses, IP addresses, private messages, and other potentially incriminating information.

For threat actors who failed to follow proper operational security (opsec), this could lead to identification and arrests.

In a forum post to the XSS hacking forum, one of the alleged former RAMP operators known as "Stallman" confirmed the seizure.

"I regret to inform you that law enforcement has seized control of the Ramp forum," reads the translated forum post.

"This event has destroyed years of my work building the freest forum in the world, and while I hoped this day would never come, I always knew in my heart it was possible. It's a risk we all take."

BleepingComputer contacted the FBI with questions regarding the seizure, but they declined to comment.

The RAMP cybercrime forum
The RAMP cybercrime forum launched in July 2021, after the popular Russian-speaking hacking forums Exploit and XSS banned the promotion of ransomware operations.

This ban was due to heightened pressure from Western law enforcement following the DarkSide ransomware attack on Colonial Pipeline.

Exploit banning ransomware promotion

In July 2021, a new Russian-speaking forum called RAMP launched, promoting itself as one of the last remaining places where ransomware could be openly promoted. This led to multiple ransomware gangs using the forum to promote their operations, recruit affiliates, and buy and sell access to networks.

RAMP was launched by a threat actor known as Orange, who also operated under the aliases Wazawaka and BorisElcin.

Orange was previously the administrator of the Babuk ransomware operation, which shut down after its ransomware attack on the D.C. Metropolitan Police Department.

Internal disputes allegedly erupted within the group over whether stolen law enforcement data should be publicly leaked, and after the data was leaked, the group splintered.

Following the split, Orange launched the RAMP forum on a Tor onion domain that Babuk had previously used.

Soon after its launch, RAMP experienced distributed denial-of-service (DDoS) attacks that disrupted its availability. Orange publicly blamed former Babuk partners for the attacks, though the previous members denied responsibility to BleepingComputer, stating they had no interest in the forum.

The individual behind the Orange and Wazawaka aliases was later publicly identified by cybersecurity journalist Brian Krebs as Russian national Mikhail Matveev.

In an interview with Recorded Future's Dmitry Smilyanets, Matveev confirmed that he previously operated under the alias Orange and that he created RAMP using the former Babuk onion domain.

Matveev explained that the forum was initially created to repurpose Babuk's existing infrastructure and traffic. He claimed that RAMP ultimately generated no profit and was subjected to constant DDoS attacks, which led him to step away from managing it after it gained popularity.

In 2023, Matveev was indicted by the U.S. Department of Justice for his involvement in multiple ransomware operations, including Babuk, LockBit, and Hive, which targeted U.S. healthcare organizations, law enforcement agencies, and other critical infrastructure.

He was also sanctioned by the U.S. Treasury's Office of Foreign Assets Control and placed on the FBI's most-wanted list, with the U.S. State Department offering a reward of up to $10 million for information leading to his arrest or conviction.

bleepingcomputer.com EN 2026 Babuk-Locker Cybercrime FBI Hacking-Forum RAMP Ransomware Seizure Security InfoSec Computer-Security
‘We’re losing massively’: EU cyber chief warns Europe’s defenses lag https://www.politico.eu/article/we-are-losing-massively-against-hackers-eu-cyber-chief-warns/
30/01/2026 16:39:04

politico.eu
January 28, 2026 4:16 pm CET
By Sam Clark

Europe is investing heavily in security but not enough in cyber, bloc’s cyber agency chief says.

BRUSSELS — The European Union urgently needs to rethink its cyber defenses as it faces an unprecedented volume and pace of attacks, the head of the bloc's cyber agency told POLITICO.

“We are losing this game,” said Juhan Lepassaar, the executive director of the EU's Agency for Cybersecurity (ENISA). “We are not catching up, we're losing this game, and we're losing massively.”

Europe has been pummeled with damaging cyberattacks in recent years, which have shut down major airports, disrupted elections and crippled hospitals. Just in the past week, cyber experts pinned an attempted attack on Poland’s power grid on Russia, and the president of Germany's Bundesbank said in an interview that the central bank faced over 5,000 cyberattacks every minute.

The cyber threats come as Europe deals with war on its eastern border, China's growing power over the global technology market and an increasingly unfriendly United States. In the past year, European countries have pledged to boost defense spending and the EU has shaped many of its policies around security and self-reliance.

Investing in security services but not in cybersecurity creates a “loophole,” Lepassaar warned.

The agency chief's warnings come one week after the European Commission presented a proposal to overhaul its Cybersecurity Act legislation. The bill would allow the EU's cyber agency, based in Athens, to expand its personnel by 118 full-time staff and to spend more on operational costs. The agency now has approximately 150 staff.

But Lepassaar lamented that this wasn't nearly enough. He drew a comparison to EU police agency Europol and EU border agency Frontex, which have more than 1,400 and more than 2,500 staff respectively, with more resources on the way.

“We just don't need an upgrade. We need a rethink," he said. “Doubling the capacity is the absolute minimum."

The European Union has fallen short in cyber investment for years and it needs to build an entire new EU-level cyber infrastructure, the agency chief said.

Europe needs to 'step up'
When Lepassaar took charge of the agency in 2019, Europe was in a “totally different environment," he said.

In 2019, approximately 17,000 software flaws were added to a global database logging such vulnerabilities; in 2025, more than 41,000 were added, he said. And in 2019, it took hackers approximately two months on average to use those flaws in an attack, but now it took only one day on average, he said, citing industry and government data.

The cybersecurity industry has warned it now takes hackers far less time to exploit glitches, in part because of AI.

Just as Europe has pledged to take greater responsibility for its physical security, it must do the same in cyberspace, said Lepassaar — an Estonian who previously headed the office of European Commissioner for Digital Affairs Andrus Ansip.

In areas such as cataloging and managing cyber vulnerabilities — an obscure but critical area of cybersecurity — the only organizations systematically working on the problem have long been U.S.-based, Lepassaar said. “We all reap the benefits for free … it's needed that we now step up and take our fair share of this.”

MITRE, a U.S.-based nonprofit group, manages a global database of cyber flaws on which the entire industry relies. It nearly lost funding last year before being bailed out by the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

European startups and small businesses benefit from a system whose security is “backed up only by MITRE and CISA,” Lepassaar said.

ENISA has started operating a database of cyber flaws — though this was planned before MITRE nearly lost its funding — and recently took on a key technical role that further embeds it at the core of global cybersecurity infrastructure.

“It's part of our obligation as Europe to take our fair share from this,” Lepassaar said.

politico.eu EN 2026 China Critical-infrastructure Cyber-diplomacy Cybercrime Cybersecurity DDOS Diplomacy EU-funding European-Defense Greece Hackers Hybrid-threats Juhan-Lepassaar Malware Network-security Russia
Secret US cyber operations shielded 2024 election from foreign trolls, but now the Trump admin has gutted protections | CNN Politics https://edition.cnn.com/2026/01/28/politics/hacking-disinformation-election-security
30/01/2026 16:36:20

cnn.com
By Sean Lyngaas
PUBLISHED Jan 28, 2026, 6:00 AM ET

Weeks before the 2024 election, American military hackers carried out a secret operation to disrupt the work of Russian trolls spewing false information at US voters.

From their perch at Cyber Command at Fort Meade, Maryland, the military hackers took aim at the computer servers and key personnel of at least two Russian companies that were covertly pumping out the propaganda, according to multiple sources briefed on the operation.

The trolls were trying to influence election results in six swing states by publishing fictitious news stories that attacked American politicians who supported Ukraine. One of the companies had held “strategy meetings” with Kremlin officials on how to covertly influence US voters, according to an FBI affidavit.

In one case, the Cyber Command operatives planned to knock offline computer servers based in a European country that one of the Russian companies used, the sources said. Though the Russian trolls continued to create content through Election Day, when President Donald Trump defeated then-Vice President Kamala Harris, one source briefed on the hacking effort said it successfully slowed down the Russians’ operations.

The hacking campaign, which hasn’t been previously reported, was one of multiple US cyber operations against Russian and Iranian groups aimed at blunting foreign influence on the 2024 election. It was part of a broader US government effort involving the FBI, the Department of Homeland Security, and other intelligence and security agencies that exposed and disrupted foreign meddling.

But a year into a second Trump administration, many of the government centers previously tasked with repelling foreign influence operations have been disbanded or downsized — and local election officials are preparing to face a continued onslaught of foreign influence operations largely on their own.

The administration has shut down foreign-influence-focused centers at the Office of the Director of National Intelligence, the FBI and the State Department that helped warn the public that China, Russia and Iran’s spy services were targeting Americans with election-related disinformation. The Department of Homeland Security has also slashed its election security teams, which pass intelligence to local election offices and help them defend against cyber threats.

The Trump administration has accused those federal programs of censoring Americans and conducting domestic interference in US elections.

While military cyber operations are still an option, there is widespread concern among current and former officials that the US government’s willingness to combat foreign efforts to shape elections has waned. The cuts to election security programs risk causing an exodus of expertise at US intelligence and security agencies that was built up over nearly a decade.

The cuts come even as the US intelligence community found, in a threat assessment released by the office of Director of National Intelligence Tulsi Gabbard, that foreign powers will continue to try to influence US elections.

“I find it devastating and deeply alarming for our national security,” said Mike Moser, a former election security specialist at DHS’ Cybersecurity and Infrastructure Security Agency, who resigned after the agency froze its election work last year. “To see those partnerships unilaterally dismantled is a tragedy. We are losing the human and technological infrastructure that protects our democracy.”

Foreign influence and propaganda tend to increase in years when general elections or midterms are held. But even in the off-year of 2025, groups tied to authoritarian regimes were weighing in on races like the New York City mayoral election.

Chinese state-owned media accounts repeatedly amplified Trump’s attacks on Zohran Mamdani, the Democrat who ended up winning New York’s mayoral election, according to disinformation-tracking firm Alethea Group. Some pro-Iranian influencer accounts, meanwhile, pivoted to attacking Mamdani as a “Zionist apologist” in October after Mamdani made overtures to Jewish voters in New York, Alethea said.

But by the time that election was held in November of last year, the cuts to election protection efforts had already taken hold.

The 2026 midterms could be a litmus test for how foreign adversaries respond to a US government that is less forceful in publicly combating influence operations.

“We’ve not had a disaster take place because, in many ways, the procedures and policies and tools set up during the first Trump administration helped keep us safe,” Sen. Mark Warner of Virginia, the top Democrat on the Senate Intelligence Committee, told CNN. “We’re going into a (2026) election cycle with our guard down.”

Multiple government agencies and processes for countering foreign influence that are now being cut were set up during Trump’s first term, including a dedicated team at the FBI that tracked counterintelligence threats to elections.

In April, Trump fired Gen. Tim Haugh, the head of Cyber Command and the National Security Agency, who had led numerous operations countering Russian meddling.

“The foundation that we built to protect our electoral process was driven by the first Trump administration’s direct guidance to NSA and Cyber Command — the focus that they put at CISA and FBI to counter foreign influence and then any potential hacking activity targeting our electoral process,” Haugh told CNN in his first interview on the subject since being fired. He declined to comment on any Cyber Command operations during the 2024 election.

Far-right activist and Trump confidant Laura Loomer had pushed for Haugh’s removal, publicly calling him “disloyal” to Trump due to the fact that he had served alongside former Chairman of the Joint Chiefs of Staff Gen. Mark Milley. Haugh has denied the allegation.

Nearly 10 years after Russian agents tried to influence the 2016 election through hacking and disinformation, Americans are arguably more susceptible to covert propaganda than ever, according to experts.

“This is just an enormous set of vulnerability for our nation,” Haugh said. “We have shown a decreasing ability to discern truth from fiction as a society.”

Cyber Command declined to comment for this story. The NSA referred questions to ODNI.

Cuts to federal funding for cybersecurity services for election offices have forced those offices to scramble for alternative funds, said Paul Lux, a Republican who is the top election official for Okaloosa County, Florida.

Election officials are also unsure whether the FBI and CISA will continue to hold classified briefings for them on threats to elections, something those agencies have done for years.

The briefings were “illuminating,” Lux said. “They allowed me to personally connect some dots” by making the threats more tangible, he added.

The FBI had no comment when asked by CNN whether the briefings would continue.

A CISA spokesperson did not directly answer a question about the briefings but provided a statement that read, in part, “since January 2025, CISA has issued 38 joint cybersecurity advisories with law enforcement and international partners and provided threat intelligence guidance to combat evolving threats and protect critical infrastructure, and we will continue to ensure election officials remain informed of any emerging issues going forward.”

With or without federal security and intelligence support, election officials will be ready to do their job, Lux said. “Our mission doesn’t change. (It is to) provide safe, free and fair elections with as much transparency as possible.”

Dismantling offices
The same type of Russian trolls that Cyber Command took aim at in the 2024 election continue to churn out content. A Russian covert influence network focused on undermining Western support for Ukraine has set up at least 200 fake websites since last March to target audiences in the US, France and elsewhere, according to the cyber intelligence firm Recorded Future.

The concern among more than a dozen current and former officials who spoke to CNN is that the Trump administration took a hatchet, rather than a scalpel, to federal programs aimed at countering the type of influence operation that Recorded Future uncovered. The programs could have been downsized, rather than abruptly canceled, in a way that met the Trump administration’s goal of cutting bureaucratic red tape, the sources said.

The State Department’s Global Engagement Center, which focused on combating foreign propaganda, posted a massive US intelligence dump on Russian meddling prior to the 2024 election. (The Trump administration formally shut down the State Department center last April after Congress let its funding expire.)

ODNI’s Foreign Malign Influence Center, which was set up under then-President Joe Biden, turned intelligence on Russian AI-generated videos posted on X purporting to show voter fraud into public statements in the days before Election Day in 2024.

Without that center, it’s unclear which government agency would warn the public of such efforts.

In announcing the Foreign Malign Influence Center’s closure in August, ODNI said the center was “redundant” and that other elements of the intelligence community perform some of the same work. Some Republican lawmakers agree.

“I am confident ODNI and the (intelligence community) will remain poised to assess and warn policymakers of covert and overt foreign influence operations targeting (US government) policies and manipulating public opinion,” said Rick Crawford, an Arkansas Republican who chairs the House intelligence committee, in a statement to CNN.

But Haugh, who spent more than three decades in the Air Force, said the cuts at various federal agencies mean that the US government has fewer levers to pull to punish or expose foreign influence operations.

ODNI did not answer a detailed list of questions on how the agency plans to counter foreign influence, including whether ODNI has a top intelligence specialist dedicated to the issue, as it has had in years past. An ODNI spokesperson referred CNN to a previous agency statement saying the Foreign Malign Influence Center’s core functions would be moved to other parts of ODNI.

Gabbard said in August that ODNI would cut its workforce by over 40% and save taxpayers hundreds of millions of dollars in the process.

Trump’s new pick to replace Haugh and lead the NSA and Cyber Command, Lt. Gen. Joshua Rudd, pledged to protect the electoral process from foreign interference during his Senate confirmation hearing.

“Any foreign attempt to undermine the American process of democracy, and at the center of that is our electoral process, as you all know far better than I do, has got to be safeguarded,” Rudd told senators on January 15.

A sensitive subject
The FBI’s election security posture today has been shaped by Trump’s grievances over the bureau’s investigation into his 2016 campaign’s contacts with Russia and his false claims of a stolen 2020 election.

As president-elect in 2017, Trump was incensed when then-FBI Director James Comey briefed him on the existence of a salacious, and later debunked, dossier about Trump gathered by a former British intelligence agent. Many see a through line between that day and the FBI’s current counterintelligence posture for elections.

“You could argue that where we are today happened because Comey briefed Trump, Trump got embarrassed and the rest is one big revenge tour,” said a former senior FBI counterintelligence official who served during the first Trump term and Biden’s term. They spoke on the condition of anonymity out of fear of retaliation from the Trump administration.

If and when US officials speak publicly on foreign efforts to shape US democracy is an intensely delicate subject in the second Trump administration. Trump has bristled at US intelligence findings that Russia tried to influence the 2016 election in his favor, while Democrats have often exaggerated those findings to attack Trump.

A year after FBI agents were caught off-guard in 2016 by the scale of Russian hacking and propaganda aimed at voters, the bureau set up a Foreign Influence Task Force (FITF), a team of about 30 people to focus on the threat of foreign meddling. The task force passed intelligence about what foreign spies were doing on Facebook and Twitter to those social media platforms.

In February 2025, Attorney General Pam Bondi dissolved FITF, citing the need to “free resources to address more pressing priorities, and end risks of further weaponization and abuses of prosecutorial discretion.”

The impact of Bondi’s memo goes beyond FITF, according to current and former FBI officials. It’s a disincentive for any FBI agent to take up a case involving Russian election influence.

“Say the Russians influence the election again — I’m worried that we won’t know it until after the fact,” the ex-FBI official said.

In a statement to CNN, the FBI said it continues to pursue cases related to “foreign influence efforts by adversarial nations.”

“The Counterintelligence Division and our field offices work together to defend the homeland against all foreign influence efforts, including any attempts at election interference,” the FBI said.

The Cyber Command operation against Russian trolls in 2024 followed the Justice Department’s public disclosure that it had seized internet domains used by the trolls. US officials saw the hacking as an added, clandestine counter-punch to complement the law enforcement seizure. Under the second Trump administration, the public may not know if the Justice Department takes such an action leading up to an election.

After Trump won the 2024 election, a planning document used by his transition team and reviewed by CNN lamented a “surge in politicization and meddling in US politics by US intelligence agencies,” and said the Justice Department and the FBI should revisit how they communicate threats to the public, “e.g. in announcing indictments of foreign hackers or getting involved in threats to election security in partisan ways.”

Working with local election offices
Cyber Command, the NSA and other parts of the US intelligence community began playing a more prominent role in the cyber defense of US elections after the Russian intervention in 2016. The federal Cybersecurity and Infrastructure Security Agency emerged as a conduit between those powerful military and spy agencies and local election offices, building trust with those offices and passing on intelligence on foreign threats. Trump signed a law establishing CISA as a part of the Department of Homeland Security during his first term.

But Trump and his top advisers never forgave CISA’s leadership for saying the 2020 election was secure. They accused CISA of “censoring” conservative voices when, in the first Trump term, at the urging of Republican and Democratic election officials, the agency flagged to social media platforms posts that spread false information about voting. The second Trump administration last year paused all of CISA’s election security work and reassigned the agency’s election specialists or put them on administrative leave.

CISA spokespeople say the agency still offers some cybersecurity services to election offices, as it does other sectors. But election officials say the impact from the cuts to so many offices, including CISA, is clear.

A day after the US bombed Iranian nuclear facilities in June, pro-Iranian hackers breached an Arizona state election website and replaced candidates’ photos with an image of Iran’s Supreme Leader Ayatollah Ali Khamenei. It had echoes of 2020, when, according to the FBI, Iranian hackers set up a website with violent threats to election officials.

But while CISA was central to the federal response to the 2020 incident — and communicated proactively with election officials then — Arizona election officials now say they are not getting the same level of collaboration with the agency. In a statement to CNN, a CISA official said the agency “worked with Arizona and provided direct assistance to support their response efforts.”

The cuts to CISA have “drastically reduced national visibility into foreign threats and increased the potential for security failures,” Moser, the former CISA election security official, told CNN. “While state and local officials take great care to secure elections, now they are effectively being siloed and expected to combat sophisticated nation-state adversaries with severely limited federal support.”

A CISA spokesperson said: “Every day, DHS and CISA are providing our partners the most capable and timely threat intelligence, expertise, no-cost tools and resources these partners need to defend against risks.”

Foreign powers, with the help of artificial intelligence, will continue to target American voters with disinformation, the ODNI said in its annual worldwide threat assessment published in March.

“Reinforcing doubt in the integrity of the U.S. electoral system achieves one of (Russia’s) core objectives,” the intelligence report says.

China, in particular, is making alarming leaps in AI-powered influence activity, according to researchers at Vanderbilt University’s Institute of National Security. In August, the institute published documents leaked from a Chinese firm that appear to show it targeting the 2024 Taiwan election with a wave of social media posts. The Chinese firm has also put together profiles on at least 117 members of Congress and more than 2,000 American political figures and “thought leaders,” according to the research.

“This election cycle, foreign governments will be able to use AI tools to essentially whisper in the ear of anyone they target,” said Emerson Brooking, a former Pentagon cyber policy adviser who now studies influence operations at the Atlantic Council’s Digital Forensic Research Lab. “And the Trump team isn’t just unprepared; they’ve deliberately knocked down a lot of the defenses built over the past eight years.”

Last year, Gabbard and Iowa GOP Sen. Chuck Grassley released declassified intelligence documents related to the FBI and intelligence community’s probes of Russian influence on the 2016 election. Contrary to Gabbard’s public claims, the documents do not show the probes were a hoax. But they do show the lengths to which Russia’s SVR foreign intelligence service was willing to go either to impress their Kremlin bosses or to play mind games with US officials analyzing the hack, according to Michael van Landingham, a former CIA analyst, and Alex Orleans, a counterintelligence researcher.

That Americans are still arguing about Russia’s 2016 influence operations 10 years later is exactly what Russian intelligence hoped for, they said.

“SVR officers are definitely dining out on the fact that our national discourse still can’t fully escape the riptides of 2016,” Orleans told CNN.

CNN’s Katie Bo Lillis and Evan Perez contributed to this report.

cnn.com EN 2026 2024 election Secret US cyber operations
Trump’s acting cyber chief uploaded sensitive files into a public version of ChatGPT https://www.politico.com/news/2026/01/27/cisa-madhu-gottumukkala-chatgpt-00749361
30/01/2026 16:29:22

politico.com
By John Sakellariadis
01/27/2026 03:30 PM EST

The interim director of the Cybersecurity and Infrastructure Security Agency triggered an internal cybersecurity warning with the uploads — and a DHS-level damage assessment.

The interim head of the country’s cyber defense agency uploaded sensitive contracting documents into a public version of ChatGPT last summer, triggering multiple automated security warnings that are meant to stop the theft or unintentional disclosure of government material from federal networks, according to four Department of Homeland Security officials with knowledge of the incident.

The apparent misstep from Madhu Gottumukkala was especially noteworthy because the acting director of the Cybersecurity and Infrastructure Security Agency had requested special permission from CISA’s Office of the Chief Information Officer to use the popular AI tool soon after arriving at the agency this May, three of the officials said. The app was blocked for other DHS employees at the time.

None of the files Gottumukkala plugged into ChatGPT were classified, according to the four officials, each of whom was granted anonymity for fear of retribution. But the material included CISA contracting documents marked “for official use only,” a government designation for information that is considered sensitive and not for public release.

Cybersecurity sensors at CISA flagged the uploads this past August, said the four officials. One official specified there were multiple such warnings in the first week of August alone. Senior officials at DHS subsequently led an internal review to assess if there had been any harm to government security from the exposures, according to two of the four officials.

It is not clear what the review concluded.

In an emailed statement, CISA’s Director of Public Affairs Marci McCarthy said Gottumukkala “was granted permission to use ChatGPT with DHS controls in place,” and that “this use was short-term and limited.” McCarthy added that the agency was committed to “harnessing AI and other cutting-edge technologies to drive government modernization and deliver on” Trump’s executive order removing barriers to America’s leadership in AI.

The email also appeared to dispute the timeline of POLITICO’s reporting: “Acting Director Dr. Madhu Gottumukkala last used ChatGPT in mid-July 2025 under an authorized temporary exception granted to some employees. CISA’s security posture remains to block access to ChatGPT by default unless granted an exception.”

Gottumukkala is currently the senior-most political official at CISA, an agency tasked with securing federal networks against sophisticated, state-backed hackers from adversarial nations, including Russia and China.

Any material uploaded into the public version of ChatGPT that Gottumukkala was using is shared with ChatGPT-owner OpenAI, meaning it can be used to help answer prompts from other users of the app. OpenAI has said the app has more than 700 million total active users.

Other AI tools now approved for use by DHS employees — such as DHS’s self-built AI-powered chatbot, DHSChat — are configured to prevent queries or documents input into them from leaving federal networks.

Gottumukkala “forced CISA’s hand into making them give him ChatGPT, and then he abused it,” said the first official.

All federal officials are trained on the proper handling of sensitive documents. According to DHS policy, security officials are also supposed to investigate the “cause and affect” of any exposure of official use documents, and determine the “appropriateness” of any administrative or disciplinary action. Depending on the circumstances, those could range from things like mandatory retraining or a formal warning, to more serious measures, like the suspension or revocation of a security clearance, said one of the four officials.

After DHS detected the activity, Gottumukkala spoke with senior officials at DHS to review what he uploaded into ChatGPT, said two of the four officials. DHS’s then-acting general counsel, Joseph Mazzara, was involved in the effort to assess any potential harm to the department, according to the first official. Antoine McCord, DHS’s chief information officer, was also involved, according to a second official.

Gottumukkala also had meetings this August with CISA’s chief information officer, Robert Costello, and its chief counsel, Spencer Fisher, about the incident and the proper handling of for official use only material, the four people said.

Mazzara and Costello did not respond to requests for comment. McCord and Fisher could not be reached for comment.

Gottumukkala has helmed the agency in an acting capacity since May, when he was appointed by DHS Secretary Kristi Noem as its deputy director. Donald Trump’s nominee to head CISA, DHS special adviser Sean Plankey, was blocked last year by Sen. Rick Scott (R-Fla.) over a Coast Guard shipbuilding contract. A date for his new confirmation hearing has not been set.

Gottumukkala’s tenure atop the agency has not been smooth — and this would not be his first security-related incident.

At least six career staff were placed on leave this summer after Gottumukkala failed a counterintelligence polygraph exam that he pushed to take, as POLITICO first reported. DHS has called the polygraph “unsanctioned.” Asked during Congressional testimony last week if he was “aware” of the failed test, Gottumukkala twice told Rep. Bennie Thompson (D-Miss.) that he did not “accept the premise of that characterization.”

And last week, Gottumukkala tried to oust Costello, CISA’s CIO, before other political appointees at the agency intervened to block the move.

politico.com EN 2026 Cybersecurity CISA ChatGPT DHS-level
SonicWall Breach Enabled Ransomware Attack on 74 US Banks https://www.ctrlaltnod.com/news/sonicwall-breach-enabled-ransomware-attack-on-74-us-banks/
30/01/2026 15:04:36

ctrlaltnod.com
Emanuel DE ALMEIDA
January 29, 2026

SonicWall cloud breach led to ransomware attack affecting 74+ US banks and 400,000+ individuals via Marquis Software Solutions compromise.

TL;DR
Marquis Software Solutions suffered a ransomware attack on August 14, 2025, affecting over 74 U.S. banks and credit unions and compromising data of 400,000+ individuals
Investigation revealed attackers exploited configuration data stolen from SonicWall's cloud backup service breach in September 2025
State-sponsored hackers accessed SonicWall's MySonicWall cloud service via API calls, initially affecting "less than 5%" but later confirmed to impact all cloud backup customers
The attack bypassed Marquis's firewall defenses using stolen configuration files rather than exploiting CVE-2024-40766 as initially suspected
Marquis is pursuing legal recourse against SonicWall and evaluating options to recover expenses from the incident
Verified Timeline
August 14, 2025 — Marquis Software Solutions detected suspicious network activity and confirmed ransomware attack, initiated investigation with cybersecurity experts
September 17, 2025 — SonicWall disclosed security incident involving unauthorized access to MySonicWall cloud backup files, initially reporting less than 5% of firewall customers affected
October 9, 2025 — SonicWall updated disclosure, confirming all customers using cloud backup service were impacted
November 5, 2025 — SonicWall attributed breach to state-sponsored hackers who accessed cloud backup files via API call
December 3, 2025 — Marquis began notifying affected banks and credit unions about data breach from August ransomware attack
January 29, 2026 — Marquis publicly attributed ransomware attack to exploitation of configuration data from SonicWall's cloud backup breach
What We Know vs. What's Unclear
Confirmed
State-sponsored hackers breached SonicWall's MySonicWall cloud service in September 2025
All SonicWall customers using cloud backup service were affected, not just 5% as initially reported
Attackers accessed firewall configuration backup files via API calls
Marquis ransomware attack on August 14, 2025 affected 74+ U.S. financial institutions
Over 400,000 individuals had personal information compromised
Attackers used stolen SonicWall configuration data to circumvent Marquis firewall defenses
CVE-2024-40766 was not the primary attack vector as initially suspected
Unclear or Unconfirmed
Identity of the state-sponsored threat group behind SonicWall breach
Specific ransomware family used in Marquis attack
Exact method by which attackers used configuration data to bypass security controls
Whether the same threat actors were responsible for both SonicWall breach and Marquis attack
Full scope of additional organizations potentially compromised using stolen SonicWall data
Timeline between SonicWall data theft and Marquis attack initiation
Who Is Affected
This interconnected breach affected multiple stakeholder groups across the financial services sector:

Primary Victims: Marquis Software Solutions, a Texas-based financial services provider, serves as the central victim of the ransomware attack that leveraged stolen SonicWall configuration data.

Financial Institutions: Over 74 U.S. banks and credit unions that utilize Marquis services experienced data exposure. These institutions face potential regulatory scrutiny, customer trust erosion, and compliance obligations under financial data protection regulations.

Individual Consumers: More than 400,000 individuals associated with affected financial institutions had sensitive personal information compromised, including Social Security numbers, Taxpayer Identification Numbers, financial account details, and personal identifiers.

SonicWall Customers: All customers using SonicWall's MySonicWall cloud backup service experienced configuration file exposure, potentially enabling similar attacks against other organizations using compromised firewall settings.

Broader Impact: The incident demonstrates supply chain vulnerability risks, where third-party service breaches can enable downstream attacks against customers who may have maintained otherwise secure configurations.

Technical Details
SonicWall Breach Vector: State-sponsored hackers accessed SonicWall's MySonicWall cloud service through API calls, successfully extracting firewall configuration backup files stored in the cloud environment. The breach occurred in September 2025, with SonicWall initially underestimating the scope before confirming all cloud backup customers were affected.

CVE-2024-40766 Context: Initially suspected as the attack vector, CVE-2024-40766 represents an improper access control vulnerability in SonicWall's SSLVPN feature that allows authentication bypass. This critical vulnerability was patched by SonicWall in August 2024, but investigators determined it was not the primary attack method used against Marquis.

Attack Methodology: Rather than exploiting unpatched vulnerabilities, attackers leveraged configuration data stolen from SonicWall's cloud service to understand and circumvent Marquis's firewall defenses. The specific technical methods used to weaponize configuration files have not been disclosed.

Ransomware Details: The specific ransomware family deployed against Marquis has not been publicly disclosed. The incident reflects broader trends where ransomware groups adopt new tactics to maximize impact and evade traditional security measures. Technical indicators of compromise and malware signatures remain unavailable in public reporting.

CVSS Scoring: CVE-2024-40766 maintains critical severity ratings, though specific CVSS scores were not confirmed in available sources. The vulnerability's critical classification reflects its potential for authentication bypass in SSLVPN implementations.

Detection & Validation
Organizations can implement several detection strategies to identify potential exploitation of stolen configuration data:

Firewall Configuration Monitoring: Implement continuous monitoring of firewall rule changes, VPN configuration modifications, and access control list updates. Establish alerts for unauthorized configuration changes or suspicious administrative access patterns.

Network Traffic Analysis: Monitor for unusual network traffic patterns that might indicate attackers leveraging knowledge of internal network configurations. Focus on connections to previously unknown external IP addresses or unexpected internal network traversal.

Authentication Log Review: Examine VPN and administrative access logs for successful authentication attempts using compromised credentials or from unexpected geographic locations. Look for authentication events occurring outside normal business hours.

API Activity Monitoring: For organizations using cloud-based firewall management services, monitor API call patterns and authenticate all management interface access. Implement alerting for bulk configuration downloads or unusual API usage patterns.

Endpoint Detection: Deploy endpoint detection and response tools to identify lateral movement techniques that attackers might employ after gaining initial access through compromised firewall configurations.

Specific IOCs: Specific indicators of compromise related to this incident have not been publicly disclosed by affected organizations or security vendors.

Mitigation & Hardening
Immediate Credential Reset: Reset all credentials, API keys, and authentication tokens used by users, VPN accounts, and administrative services. This includes service accounts and automated system credentials that may have been exposed in configuration files.
Firewall Configuration Audit: Conduct comprehensive review of current firewall rules, VPN configurations, and access control policies. Compare current settings against known-good baselines to identify unauthorized modifications.
Multi-Factor Authentication Implementation: Deploy MFA across all administrative interfaces, VPN connections, and cloud management portals. Prioritize hardware-based tokens or certificate-based authentication for high-privilege accounts.
Network Segmentation Review: Reassess network segmentation strategies to limit potential lateral movement if perimeter defenses are compromised. Implement zero-trust principles for internal network communications.
Cloud Service Security Assessment: Evaluate security posture of all third-party cloud services, particularly those handling configuration data or backup files. Implement additional encryption and access controls where possible.
Patch Management Acceleration: Ensure all network security devices receive priority patching, particularly SonicWall devices that should be updated to address CVE-2024-40766 and other known vulnerabilities.
Monitoring Enhancement: Deploy enhanced network monitoring tools to detect configuration-based attacks and unusual administrative activity. Establish baselines for normal network behavior patterns.
Incident Response Planning: Update incident response procedures to address supply chain compromise scenarios where third-party service breaches enable downstream attacks.
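As an added example (not the article's, Marquis's or SonicWall's code), the following Python ties the credential-reset and configuration-audit steps above to a constructed firewall backup: it lists every secret a stolen backup exposes, so the rotation list is complete, and diffs the running configuration against the known-good baseline to surface new accounts, widened management access and added allow rules. The JSON layout, field names and all values are constructed; a real firewall export needs its own parser.

```python
"""Constructed example: triage after a firewall configuration backup is assumed stolen.

(1) inventory every secret the backup contains, so the credential-reset list is
    complete, and (2) diff the running configuration against a known-good
    baseline, flagging new admin or VPN accounts, widened management access and
    new allow rules. The JSON layout is a simplified, constructed one; real
    firewall exports differ and need their own parser.
"""
import copy
from typing import Any

# Field names whose values are credentials (constructed list; extend per vendor).
SECRET_KEYS = {"password", "psk", "shared_secret", "api_key", "token", "community"}


def find_secrets(node: Any, path: str = "") -> list[str]:
    """Return dotted paths of every credential-bearing field in a config tree."""
    found: list[str] = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if key.lower() in SECRET_KEYS and isinstance(value, str) and value:
                found.append(here)  # leaf secret: exposed by the backup, must be rotated
            else:
                found.extend(find_secrets(value, here))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            found.extend(find_secrets(item, f"{path}[{i}]"))
    return found


def _rule_key(rule: dict) -> tuple:
    return (rule["from"], rule["to"], rule["src"], rule["dst"], rule["service"], rule["action"])


def diff_against_baseline(baseline: dict, current: dict) -> list[str]:
    """Flag drift from the known-good baseline that an audit should surface."""
    findings: list[str] = []

    # New or elevated administrative accounts.
    base_admins = {u["name"]: u for u in baseline["admin_users"]}
    for user in current["admin_users"]:
        if user["name"] not in base_admins:
            findings.append(f"NEW admin user: {user['name']} (role={user['role']})")
        elif user["role"] != base_admins[user["name"]]["role"]:
            findings.append(f"CHANGED admin role: {user['name']} -> {user['role']}")

    # New VPN accounts.
    base_vpn = {u["name"] for u in baseline["vpn_users"]}
    for user in current["vpn_users"]:
        if user["name"] not in base_vpn:
            findings.append(f"NEW vpn user: {user['name']}")

    # Any change to the management surface is high severity.
    for setting, old in baseline["management"].items():
        new = current["management"].get(setting)
        if new != old:
            findings.append(f"HIGH management.{setting} changed: {old} -> {new}")

    # Allow rules absent from the baseline; inbound-from-WAN rules rank highest.
    base_rules = {_rule_key(r) for r in baseline["access_rules"]}
    for rule in current["access_rules"]:
        if _rule_key(rule) not in base_rules and rule["action"] == "allow":
            sev = "HIGH" if rule["from"] == "WAN" else "MEDIUM"
            findings.append(f"{sev} new allow rule: {rule['from']}->{rule['to']} "
                            f"{rule['src']}->{rule['dst']} {rule['service']}")
    return findings


# Constructed known-good backup (the copy assumed to be in attacker hands).
BASELINE_BACKUP = {
    "admin_users": [{"name": "admin", "role": "full", "password": "hash-placeholder-1"}],
    "vpn_users": [{"name": "jsmith", "password": "hash-placeholder-2"}],
    "vpn": {"ike": {"psk": "constructed-psk"}},
    "snmp": {"community": "constructed-community"},
    "management": {"https_from_wan": False},
    "access_rules": [
        {"from": "WAN", "to": "LAN", "src": "any", "dst": "any", "service": "any", "action": "deny"},
        {"from": "LAN", "to": "WAN", "src": "any", "dst": "any", "service": "any", "action": "allow"},
    ],
}

# Constructed running config carrying the kind of drift the audit should catch.
CURRENT_RUNNING = copy.deepcopy(BASELINE_BACKUP)
CURRENT_RUNNING["admin_users"].append({"name": "svc-backup", "role": "full", "password": "x"})
CURRENT_RUNNING["vpn_users"].append({"name": "contractor7", "password": "y"})
CURRENT_RUNNING["management"]["https_from_wan"] = True
CURRENT_RUNNING["access_rules"].append(
    {"from": "WAN", "to": "LAN", "src": "any", "dst": "10.0.5.20", "service": "RDP", "action": "allow"})

if __name__ == "__main__":
    print("Rotate:", *find_secrets(BASELINE_BACKUP), sep="\n  ")
    print("Drift:", *diff_against_baseline(BASELINE_BACKUP, CURRENT_RUNNING), sep="\n  ")
```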
FAQ
How did attackers use SonicWall configuration data to compromise Marquis?
According to Marquis's statement, attackers leveraged configuration data extracted from SonicWall's cloud backup breach to circumvent their firewall defenses. The stolen configuration files likely contained network topology information, firewall rules, and security policies that attackers used to identify weaknesses and craft targeted bypass techniques. Specific technical details of how configuration data was weaponized have not been publicly disclosed.

Were SonicWall customers who don't use cloud backup affected?
No, the SonicWall breach specifically affected customers using the MySonicWall cloud backup service. Organizations that maintain local-only firewall configurations and don't utilize SonicWall's cloud backup features were not directly impacted by the configuration file theft. However, all SonicWall customers should ensure they have applied patches for CVE-2024-40766 and other known vulnerabilities.

What legal action is Marquis taking against SonicWall?
Marquis has indicated they are evaluating options with respect to SonicWall, including seeking recoupment of expenses incurred due to the incident. The company has not specified whether formal legal proceedings have been initiated, but they are exploring potential avenues for recovering costs related to the breach investigation, customer notification, and remediation efforts.

How can organizations protect against similar supply chain attacks?
Organizations should implement multiple defensive layers including vendor risk assessments, contractual security requirements for third-party services, monitoring of cloud service provider security bulletins, and incident response procedures that account for supply chain compromises. Recent incidents like Ingram Micro's ransomware attack and ransomware attacks on major firms demonstrate the importance of maintaining defense-in-depth strategies that ensure single points of failure in vendor services don't compromise entire security postures. Organizations should also stay informed about emerging threats, such as new ransomware techniques being adopted by threat actors.

ctrlaltnod.com EN 2026 SonicWall Breach ransomware Marquis Software
Leader of ransomware crew pleads guilty to four-year crime spree https://cyberscoop.com/ianis-antropenko-russian-ransomware-leader-guilty/
26/01/2026 18:26:50

| CyberScoop
cyberscoop.com/
By Matt Kapko
January 22, 2026

Ianis Antropenko, a Russian national living in California, admitted to committing ransomware attacks against at least 50 victims. He faces up to 25 years in jail.

A Russian national pleaded guilty to leading a ransomware conspiracy that targeted at least 50 victims during a four-year period ending in August 2022.

Ianis Aleksandrovich Antropenko began participating in ransomware attacks before moving to the United States, but conducted many of his crimes while living in Florida and California, where he’s been out on bond enjoying rare leniency since his arrest in 2024.

Antropenko pleaded guilty in the U.S. District Court for the Northern District of Texas earlier this month to conspiracy to commit money laundering and conspiracy to commit computer fraud and abuse. He faces up to 25 years in jail, fines up to $750,000 and is ordered to pay restitution to his victims and forfeit property.

Federal prosecutors reached a plea agreement with Antropenko after a years-long investigation, closing one of the more unusual cases against a Russian ransomware operator who committed many of his crimes while living in the U.S.

While most cybercriminals, especially those involved in ransomware, are held in jail pending trial because of a flight risk, Antropenko was granted bail the day of his arrest.

This rare flash of deferment in a case involving a prolific cybercriminal is even more shocking considering his multiple run-ins with police since then. Antropenko violated conditions for his pretrial release at least three times in a four-month period last year, including two arrests in Southern California involving dangerous behavior while under the influence of drugs and alcohol.

As part of his plea agreement, Antropenko recognized that pleading guilty could impact his immigration status since the crimes he committed are removable offenses.

Court records don’t indicate if Antropenko has been detained pending sentencing, and his sentencing hasn’t been scheduled. His attorney and federal prosecutors working on his case did not respond to requests for comment.

Antropenko admitted to leading the ransomware conspiracy with the aid of multiple co-conspirators, including some who lived outside the U.S.

His ex-wife, Valeriia Bednarchik, was previously implicated by the FBI and prosecutors as one of his alleged co-conspirators involved in the laundering of ransomware proceeds.

FBI investigators traced Antropenko’s activities via accounts he held at Proton Mail, PayPal and Bank of America, and accounts he and Bednarchik controlled at Binance and Apple. In Bednarchik’s iCloud account, agents found a seed phrase for a crypto wallet that had received over 40 Bitcoin from Antropenko’s accounts, as well as evidence she had agreed to safeguard a disguised copy of this phrase so the funds could be accessed if Antropenko became unavailable. Her account also contained joint tax returns with Antropenko and photos showing large amounts of U.S. cash.

Bednarchik, who also lives in Southern California, has been identified as Antropenko’s unnamed co-conspirator through court documents and public records. While authorities previously indicated they plan to bring charges against her, no cases are currently pending.

Antropenko, who previously pleaded not guilty to the charges in October 2025, used multiple ransomware variants to commit attacks, including Zeppelin and GlobeImposter. The ransomware operation he led caused losses of at least $1.5 million to victims, according to court records.

Yet, the spoils of his crimes appear to be much greater. The Justice Department seized more than $2.8 million in cryptocurrency, nearly $71,000 in cash and two luxury vehicles from Antropenko in February 2024. Authorities seized an additional $595,000 in cryptocurrency from a wallet Antropenko owned in July 2025.

cyberscoop.com EN 2026 busted ransomware Zeppelin GlobeImposter.
Nike Probes Potential Breach After Threat From Hacking Group https://www.pcmag.com/news/nike-probes-potential-breach-after-threat-from-hacking-group
26/01/2026 18:05:13

pcmag.com
Michael Kan
Senior Reporter

UPDATE 1/24: The hacking group World Leaks claims to have stolen 1.4TB of data from Nike, according to a post on the gang's website.

The stolen data covers 188,000 files. But a cursory look suggests that World Leaks looted internal files about Nike's clothing manufacturing business, rather than any customer or employee information. For example, a few of the folders have been titled "Garment making process," "Nike Apparel tools" and "Women's Lifestyle." Another set of folders has Chinese-language titles.

(Image: The data. Credit: World Leaks)
We've reached out to Nike for comment and we'll update the story if we hear back.

Original story:
Nike is investigating a possible data breach after a hacking group listed the fashion brand as one of its latest victims.

On Thursday, cybersecurity researchers spotted World Leaks posting on the dark web about breaching Nike. It's unclear what they stole; for now, the group’s post shows only a countdown clock, indicating that World Leaks plans to reveal more on Saturday morning.

In response, Nike told PCMag: “We always take consumer privacy and data security very seriously. We are investigating a potential cybersecurity incident and are actively assessing the situation.”

According to cybersecurity firms, World Leaks operates as an extortion group that loots data from companies to force them to pay up, or else it’ll leak the stolen information. The group previously operated as “Hunters International,” and focused on delivering ransomware to encrypt victim computers. But last year, following increased scrutiny from law enforcement, the gang rebranded as World Leaks and pivoted to extortion-only tactics.

“They typically gain initial access through phishing campaigns, compromised credentials, or exploitation of exposed services,” according to cybersecurity vendor Blackpoint Cyber. “Once inside, they perform data discovery and exfiltration, prioritizing confidential corporate or personal information.”

(Image: World Leaks sites. Credit: World Leaks)
Still, it’s possible that World Leaks stole inconsequential data from Nike. The group has already listed 114 other victims; it claims to have stolen 1.3TB of data from Dell. But the PC maker says World Leaks merely infiltrated a platform the company uses to demo products to prospective clients. As a result, the hackers were only able to access and steal an outdated contact list.

pcmag.com EN 2026 WorldLeaks Nike data-breach
Call-On-Doc allegedly had a breach affecting more than 1 million patients. They’ve yet to comment. – DataBreaches.Net https://databreaches.net/2026/01/24/call-on-doc-allegedly-had-a-breach-affecting-more-than-1-million-patients-theyve-yet-to-comment/?pk_kwd=call-on-doc-allegedly-had-a-breach-affecting-more-than-1-million-patients-theyve-yet-to-comment
26/01/2026 16:14:14

databreaches.net/
Posted on January 24, 2026 by Dissent

Telehealth provider Call-On-Doc, Inc., dba Call-On-Doc.com, advertises that it has 2 million active patients and treats 150+ medical conditions. It claims to be the most highly rated telehealth service, and it assures patients of “state-of-the-art” data security for their information. But if a post on a hacking forum is accurate, Call-On-Doc recently had a breach that may have affected more than one million patients.

According to a sales listing on a hacking forum, Call-On-Doc was breached in early December, and 1,144,223 patient records were exfiltrated. The types of information reportedly included:

Patient Code, Transaction Number, Patient Name, Patient Address, Patient City, Patient State, Patient Zip, Patient Country, Patient Phone Number, Patient Email Address, Medical Category, Medical Condition, Service / Prescription, Paid Amount

Three screenshots with rows of dozens of patients’ information were included in the listing. An additional .txt file with information on 1,000 patients was also included.

Inspection of the screenshots immediately raised concerns about the sensitive information they revealed. Although some appointments were visits for conditions such as strep infections or other medical conditions, a number of patient records were for the “STD” category (sexually transmitted disease), with the specific type of STD listed in the “Condition” field.

Is Call-On-Doc HIPAA-Regulated?
Call-On-Doc does not accept insurance. It is a self-pay model, and no health insurance information or Social Security Numbers were included in the data. Because it is self-pay, DataBreaches is unsure whether Call-On-Doc is a HIPAA-regulated entity. If it uses electronic transmission for other covered transactions, it might be. But even if it is not a HIPAA-regulated entity, it would still be regulated by state laws and the Federal Trade Commission (FTC).

When HIPAA does not apply, the FTC can investigate and take enforcement action for violations of the FTC Act if there are deceptive or “unfair practices,” such as promising excellent data security for health data or patient information, but failing to deliver it.

A check of Call-On-Doc’s website reveals the following statement in its FAQ:

Q: Is my payment and medical information safe with Call-On-Doc?

A: Absolutely! Call-On-Doc employs state-of-the-art security measures, including our proprietary Electronic Health Record (EHR) system, and is fully HIPAA compliant.

According to the threat actor, they found no evidence of any encryption, and the entity did not detect the attack while it was in progress. HIPAA does not actually mandate encryption, but what “state-of-the-art” security measures did Call-On-Doc use to provide the kind of protection that protected health information (PHI) requires? And have they implemented any changes or additional protections since being alerted to the alleged breach?

Given that patients from many states may be involved, this might be a situation in which multiple state attorneys general collaborate to investigate a breach and an entity’s risk assessment, security, and incident response, including notification obligations.

Notification Obligations and Regulatory Questions
DataBreaches emailed Call-On-Doc’s privacy@ email address on Thursday to ask if it had confirmed any breach. There was no reply.

DataBreaches emailed its support@ email address on Friday. There was no reply.

If these are real data, there are several questions regulators may investigate.

According to the individual who posted the listing and shared additional details with DataBreaches in private communication, the breach occurred in early December. They contacted Call-On-Doc on December 25 to alert them to the breach and to try to negotiate a payment to avoid leaking or selling it. “They contacted me from an unofficial email address. I provided all the evidence and details, but then they stopped responding—basically ignoring me,” the person told DataBreaches.

Regardless of which federal or state agencies may have jurisdiction, if these are real patient data, Call-On-Doc also has a duty to notify patients and regulators promptly. While some regulations or statutes require “without unreasonable delay,” HIPAA has a “no later than 60 calendar days from discovery” deadline, and 19 states have notification deadlines of 30 days. As of publication, DataBreaches cannot find any substitute notice, media notice, website notice, or notification to any state attorneys general or federal regulators.

DataBreaches reminds readers that Call-On-Doc has not confirmed the claims. Even though the patient data appears likely to be real, AI has advanced to the point where threat actors can create datasets that appear legitimate. DataBreaches does not think that is the case here, but can’t rule out that possibility without contacting patients, which this site tries to avoid to spare patients any embarrassment or anxiety. For a small random sample from the 1,000 records file that DataBreaches checked via Google searches, most patients are still at the addresses listed in the 1,000-patient sample. Others could be verified as having lived at the listed addresses in the recent past.

One other detail suggests the data are real: the seller is accepting escrow for the sale, which is usually an indicator that the listing is not a scam.

This post may be updated when Call-On-Doc responds or more information becomes available.

If you were or are a Call-On-Doc patient and have heard from Call-On-Doc about a breach, we’d like to hear from you.

databreaches.net EN 2026 data-breach Call-On-Doc
Cyberattack disrupts digital systems at renowned Dresden museum network | The Record from Recorded Future News https://therecord.media/dresden-state-art-collections-cyberattack
26/01/2026 16:12:01

therecord.media
Daryna Antoniuk
January 23rd, 2026

Germany’s Dresden State Art Collections, one of Europe’s oldest museum networks, has been hit by a targeted cyberattack that disrupted large parts of its digital infrastructure, the state of Saxony’s culture ministry said this week.

The attack, discovered on Wednesday, has left the museum group with limited digital and phone services. Online ticket sales, visitor services, and the museum shop are currently unavailable, and payments at museum sites can only be made in cash. Tickets purchased online before the incident remain valid and can still be scanned on site.

Despite the disruption, the museums remain open to visitors. The culture ministry said security systems protecting the collections were not affected and that both physical and technical security remain fully intact.

The Dresden State Art Collections, known as SKD, said it is unclear when all affected systems will be fully restored. As of Friday, the institution was still operating under restrictions, with no new updates on the incident, local media reported, citing an SKD spokesperson.

Officials have not said who carried out the attack or what their motives may have been. It is also unclear whether the incident involved a ransom demand or whether any negotiations with the attackers are underway.

The Dresden State Art Collections oversee about 15 museums, housing works by artists such as Raphael and Rembrandt, as well as the famed Green Vault, one of Europe’s richest treasure chambers, known for its royal jewels and goldwork.

Cultural institutions have increasingly become targets for cybercriminals in recent years. In 2023, Canada’s national art museum spent weeks restoring systems after a ransomware attack, while in 2022 the Metropolitan Opera in New York suffered a cyberattack that disrupted ticketing and box office operations during the busy holiday season.

Major libraries have also drawn the attention of hackers, prompting U.S. officials to launch a program to help such institutions protect themselves from cyberattacks. In 2023, ransomware crippled the systems of the British Library, one of the world’s largest and the national library of the United Kingdom. In Canada, the Toronto Public Library spent months recovering from a ransomware attack, describing the incident as a “crime scene.”

therecord.media EN 2026 Dresden-State-Art-Collections Germany cyberattack
Under Armour looking into data breach affecting customers' email addresses https://apnews.com/article/under-armour-data-breach-passwords-6155a46363679c28af4d612ad3f23e36
26/01/2026 16:09:43

Clothing retailer Under Armour is investigating a recent data breach that purloined customers’ email addresses and other personal information, but so far there are no signs the hackers stole any passwords or financial information.

The breach is believed to have happened late last year and affected 72 million email addresses, according to information cited by the cybersecurity website Have I Been Pwned. Some of the stolen records also included names, genders, birthdates and ZIP codes.

In an Under Armour statement acknowledging its investigation into the claims of a data breach, the Baltimore-based company said: “We have no evidence to suggest this issue has affected UA.com or systems used to process payments or store customer passwords. Any implication that sensitive personal information of tens of millions of customers has been compromised is unfounded.”

Have I Been Pwned CEO Troy Hunt said that he agrees with Under Armour’s assertion, based on the information that has emerged so far. But he also said he was surprised by the lack of an official disclosure statement from the company.

apnews.com EN 2025 data-breach UnderArmour
oss-sec: GNU InetUtils Security Advisory: remote authentication by-pass in telnetd https://seclists.org/oss-sec/2026/q1/89
21/01/2026 22:15:09

seclists.org
From: Simon Josefsson <simon () josefsson org>
Date: Tue, 20 Jan 2026 15:00:07 +0100

If you are tired of modern age vulnerabilities, and remember the good
old times on bugtraq, I hope you will appreciate this one. If someone
can allocate a CVE, we will add it in future release notes.

/Simon

GNU InetUtils Security Advisory: remote authentication by-pass in telnetd

The telnetd server invokes /usr/bin/login (normally running as root)
passing the value of the USER environment variable received from the
client as the last parameter.

If the client supplies a carefully crafted USER environment value, the
string "-f root", and passes the telnet(1) -a or --login parameter
to send this USER environment to the server, the client will be
automatically logged in as root, bypassing normal authentication
processes.

This happens because the telnetd server does not sanitize the USER
environment variable before passing it on to login(1), and login(1)
uses the -f parameter to by-pass normal authentication.

Severity: High

Vulnerable versions: GNU InetUtils since version 1.9.3 up to and
including version 2.7.

Example

On a Trisquel GNU/Linux 11 aramo laptop:

root@kaka:~ sudo apt-get install inetutils-telnetd telnet
root@kaka:~ sudo sed -i 's/#<off># telnet/telnet/' /etc/inetd.conf
root@kaka:~ sudo /etc/init.d/inetutils-inetd start
root@kaka:~ USER='-f root' telnet -a localhost
...
root@kaka:~#

History

The bug was introduced in the following commit made on 2015 March 19:

https://codeberg.org/inetutils/inetutils/commit/fa3245ac8c288b87139a0da8249d0a408c4dfb87

Based on mailing list discussions:

https://lists.gnu.org/archive/html/bug-inetutils/2014-12/msg00012.html
https://lists.gnu.org/archive/html/bug-inetutils/2015-03/msg00001.html

It was included in the v1.9.3 release made on 2015 May 12.

Recommendation

Do not run a telnetd server at all. Restrict network access to the
telnet port to trusted clients.

Apply the patch or upgrade to a newer release which incorporates the
patch.

Workaround

Disable telnetd server or make the InetUtils telnetd use a custom
login(1) tool that does not permit use of the '-f' parameter.

Further research

The template for invoking login(1) is in telnetd/telnetd.c:

/* Template command line for invoking login program.  */
char *login_invocation =
#ifdef SOLARIS10
  /* TODO: `-s telnet' or `-s ktelnet'.
   *       `-u' takes the Kerberos principal name
   *       of the authenticating, remote user.
   */
  PATH_LOGIN " -p -h %h %?T{-t %T} -d %L %?u{-u %u}{%U}"
#elif defined SOLARIS
  /* At least for SunOS 5.8.  */
  PATH_LOGIN " -h %h %?T{%T} %?u{-- %u}{%U}"
#else /* !SOLARIS */
  PATH_LOGIN " -p -h %h %?u{-f %u}{%U}"
#endif
  ;

The variable expansion happens in telnetd/utility.c:

/* Expand a variable referenced by its short one-symbol name.
   Input: exp->cp points to the variable name.
   FIXME: not implemented */
char *
_var_short_name (struct line_expander *exp)
{
  char *q;
  char timebuf[64];
  time_t t;
  switch (*exp->cp++)
    {
    case 'a':
#ifdef AUTHENTICATION
      if (auth_level >= 0 && autologin == AUTH_VALID)
        return xstrdup ("ok");
#endif
      return NULL;
    case 'd':
      time (&t);
      strftime (timebuf, sizeof (timebuf),
                "%l:%M%p on %A, %d %B %Y", localtime (&t));
      return xstrdup (timebuf);
    case 'h':
      return xstrdup (remote_hostname);
    case 'l':
      return xstrdup (local_hostname);
    case 'L':
      return xstrdup (line);
    case 't':
      q = strchr (line + 1, '/');
      if (q)
        q++;
      else
        q = line;
      return xstrdup (q);
    case 'T':
      return terminaltype ? xstrdup (terminaltype) : NULL;
    case 'u':
      return user_name ? xstrdup (user_name) : NULL;
    case 'U':
      return getenv ("USER") ? xstrdup (getenv ("USER")) : xstrdup ("");
    default:
      exp->state = EXP_STATE_ERROR;
      return NULL;
    }
}

Thus there is potential for similar vulnerabilities for other
variables.

On non-GNU/Linux systems, only the remote hostname field is of
interest. The remote_hostname variable is populated in the function
telnetd_setup from telnetd/telnetd.c by calling getnameinfo() or
gethostbyaddr() depending on platform. This API is generally not
considered to return trusted data, thus relying on it to not return a
value such as 'foo -f root' is not advisable.

Patch

We chose to sanitize all variables for expansion. The following two
patches are what we suggest:

https://codeberg.org/inetutils/inetutils/commit/fd702c02497b2f398e739e3119bed0b23dd7aa7b
https://codeberg.org/inetutils/inetutils/commit/ccba9f748aa8d50a38d7748e2e60362edd6a32cc

Credits

This vulnerability was found and reported by Kyu Neushwaistein aka
Carlos Cortes Alvarez on 2026-01-19.

Initial patch by Paul Eggert on 2026-01-20. Simon Josefsson improved
the patch to also cover similar concerns with other expansions.

This advisory was drafted by Simon Josefsson on 2026-01-20.
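As an added example (not InetUtils code and not part of the advisory above), the hardening a defender would want for this bug class: validate every value before it reaches an argv slot, and fill argv directly instead of formatting a template string and splitting it again. PATH_LOGIN, the length cap and all function names are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added hardening example, not InetUtils code.  telnetd expands "%U" from the
 * client-supplied USER variable into a login(1) command line, so USER="-f root"
 * reaches login(1) as its "-f" option.  Fix: a value bound for an argv slot must
 * never begin with '-' nor contain whitespace/control bytes a splitter re-parses. */

#define PATH_LOGIN "/usr/bin/login"   /* assumed path, as in the advisory */
#define ARG_MAX_LEN 255               /* assumed cap, close to LOGIN_NAME_MAX */

/* Return 1 if v may be passed as one non-option argument, 0 otherwise.  'extra'
 * lists punctuation allowed besides letters, digits, '.', '_' and '-' (host
 * names need ':' because getnameinfo() may yield a numeric IPv6 address). */
static int arg_is_safe(const char *v, const char *extra)
{
    size_t i, n;
    if (v == NULL) return 0;
    n = strlen(v);
    if (n == 0 || n > ARG_MAX_LEN) return 0;
    if (v[0] == '-') return 0;              /* would be parsed as an option */
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char) v[i];
        if (isalnum(c) || c == '.' || c == '_' || c == '-') continue;
        if (extra != NULL && strchr(extra, c) != NULL) continue;
        return 0;                           /* space, quote, control byte... */
    }
    return 1;
}

int login_user_is_safe(const char *user) { return arg_is_safe(user, NULL); }
int login_host_is_safe(const char *host) { return arg_is_safe(host, ":"); }

/* Fill argv for execv(PATH_LOGIN, argv) one value per slot instead of formatting
 * a template string and splitting it again.  Mirrors the non-Solaris template
 * "-p -h %h %U" with the "%?u{-f %u}" branch dropped.  Returns the number of
 * entries written (excluding the terminating NULL), or -1 on rejection. */
int build_login_argv(const char *host, const char *user,
                     const char **argv, size_t cap)
{
    size_t n = 0;
    if (cap < 6) return -1;                 /* five entries plus NULL */
    if (!login_host_is_safe(host) || !login_user_is_safe(user)) return -1;
    argv[n++] = PATH_LOGIN;
    argv[n++] = "-p";
    argv[n++] = "-h";
    argv[n++] = host;
    argv[n++] = user;                       /* cannot start with '-' now */
    argv[n] = NULL;
    return (int) n;
}

int main(void)
{
    const char *samples[] = { "-f root", "foo -f root", "alice" }; /* constructed */
    const char *av[8];
    size_t i;
    for (i = 0; i < 3; i++)
        printf("USER=%-12s -> %s\n", samples[i],
               build_login_argv("client.example", samples[i], av, 8) < 0 ? "rejected" : "accepted");
    return 0;
}
```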

seclists.org EN 2026 vulnerability telnetd authentication by-pass
Fortinet admins report patched FortiGate firewalls getting hacked https://www.bleepingcomputer.com/news/security/fortinet-admins-report-patched-fortigate-firewalls-getting-hacked/
21/01/2026 22:12:20

bleepingcomputer.com
By Sergiu Gatlan
January 21, 2026 12:49 PM

Fortinet customers are seeing attackers exploiting a patch bypass for a previously fixed critical FortiGate authentication vulnerability (CVE-2025-59718) to hack patched firewalls.

One of the affected admins said that Fortinet has allegedly confirmed that the latest FortiOS version (7.4.10) didn't fully address this authentication bypass vulnerability, which should've been patched in early December with the release of FortiOS 7.4.9.

Fortinet is also reportedly planning to release FortiOS 7.4.11, 7.6.6, and 8.0.0 over the coming days to fully patch the security flaw.

"We just had a malicious SSO login on one of our FortiGate's running on 7.4.9 (FGT60F). We have a SIEM that caught the local admin account being created. Now, I have done a little research, and it appears this is exactly how it looked when someone came in on CVE-2025-59718. But we have been on 7.4.9 since December 30th," the admin said.

The customer shared logs showing that the admin user was created from an SSO login of cloud-init@mail.io from IP address 104.28.244.114. These logs looked similar to previous exploitation of CVE-2025-59718 seen by cybersecurity company Arctic Wolf in December 2025, which reported that attackers were actively exploiting the vulnerability via maliciously crafted SAML messages to compromise admin accounts.

"We observed the same activity. Also running 7.4.9. Same user login and IP address. Created a new system admin user named "helpdesk". We have an open ticket with support. Update: The Fortinet developer team has confirmed the vulnerability persists or is not fixed in v7.4.10," another one added.

BleepingComputer reached out to Fortinet multiple times this week with questions about these reports, but the company has yet to reply.

Until Fortinet provides a fully patched FortiOS release, admins are advised to temporarily disable the vulnerable FortiCloud login feature (if enabled) to secure their systems against attacks.

To disable FortiCloud login, you have to navigate to System -> Settings and switch "Allow administrative login using FortiCloud SSO" to Off. However, you can also run the following commands from the command-line interface:

config system global
set admin-forticloud-sso-login disable
end

Luckily, as Fortinet explains in its original advisory, the FortiCloud single sign-on (SSO) feature targeted in the attacks is not enabled by default when the device is not FortiCare-registered, which should reduce the total number of vulnerable devices.

However, Shadowserver still found over 25,000 Fortinet devices exposed online with FortiCloud SSO enabled in mid-December. At the moment, more than half have been secured, with Shadowserver now tracking just over 11,000 that are still reachable over the Internet.

CISA has also added the CVE-2025-59718 FortiCloud SSO auth bypass flaw to its list of actively exploited vulnerabilities, ordering federal agencies to patch within a week.

Hackers are now also actively exploiting a critical Fortinet FortiSIEM vulnerability with publicly available proof-of-concept exploit code that can enable them to gain code execution with root privileges on unpatched devices.

bleepingcomputer.com EN 2026 Bypass CVE-2025-59718 Firewall Fortigate Fortinet FortiOS Warning Zero-Day
Apple, Nvidia, and Tesla confidential files allegedly exposed in supplier breach https://cybernews.com/security/luxshare-apple-iphone-assembler-breach/
21/01/2026 22:04:41

cybernews.com
Vilius Petkauskas
Deputy Editor

Luxshare, one of Apple’s key partners in assembling iPhones, AirPods, Apple Watches, and Vision Pro, allegedly suffered a data breach, orchestrated by a ransomware cartel. The attackers are threatening to leak data from Apple, Nvidia, and LG unless the company pays a ransom.

Key takeaways:
Luxshare, Apple's key iPhone assembler, allegedly suffered a ransomware attack threatening confidential product data leaks from multiple tech giants.
RansomHub attackers claim access to 3D CAD models, circuit board designs, and engineering documentation from Apple and Nvidia products.
Cybernews researchers claim leaked data includes confidential Apple-Luxshare repair projects, employee PII, and product design files from 2019-2025.
The breach could enable competitors to reverse-engineer products, manufacture counterfeits, and exploit hardware vulnerabilities in Apple devices.
Key Takeaways by nexos.ai, reviewed by Cybernews staff.
The Luxshare data breach allegedly occurred last month, with attackers claiming December 15th, 2025, as the date Apple key partners’ data was encrypted. The alleged attackers, RansomHub, announced the Luxshare data breach on their dark web forum.

Luxshare is an essential partner to the American giant. Many Apple products, including the iPhone, AirPods and Apple Watch, are assembled at Luxshare, which means the company has very intimate information about Apple’s products.

“We were waiting for you for quite some time, but it seems that your IT department decided to conceal the incident that took place in your company. We strongly recommend that you contact us to prevent your confidential data and project documents from being leaked,” the attackers claim.

We have reached out to the company and will update the article once we receive a reply. We have also reached out to Apple and will add its response as soon as we receive it.

[Image: attackers' post announcing the Luxshare data breach. Image by Cybernews.]
What data did the Luxshare data breach expose?
The Cybernews research team investigated the data sample that the attackers attached to the post.

According to our team, the leaked data includes details on what appear to be confidential projects regarding device repair and shipping between Apple and Luxshare, including timelines, detailed processes, and information about other Luxshare clients.

Moreover, the leaked information appears to include personally identifiable information (PII) of individuals working on specific projects, with their full names, job positions and work emails exposed.

[Image: alleged information on Apple and Luxshare projects. Image by Cybernews.]
“Dates of these projects range from 2019 to 2025 and the information appears to expose sensitive business operations. Additionally, .dwg and gerber files, which are often used to create product model designs, are also included,” the team explained.

While Apple’s assembler data breach is still unconfirmed, the team believes that the information included in the post appears to be legitimate.

[Image: alleged information about Luxshare staff working on Apple projects. Image by Cybernews.]
What do the Luxshare attackers say?
The RansomHub attackers claim to have wide access to confidential Luxshare client data. The stolen data supposedly ranges from 3D product models to circuit board design data, information that’s highly coveted by corporate spies.

According to the attackers, they have accessed archives that contain:

Confidential 3D CAD product models, 3D engineering design data, 3D engineering documentation
Access to high-precision geometric data for Parasolid products
2D component drawings for manufacturing
Mechanical component drawings
Confidential engineering drawings in PDF format
Electronic design documentation
Electrical and layout architecture data
Printed circuit board manufacturing data
“The archives contain data from Apple, Nvidia, as well as LG, Geely, Tesla, and other large companies whose production and R&D information is publicly available. Protected by a non-disclosure agreement,” the attackers claim.

If confirmed, the attack could be disastrous for Luxshare and its partners. For one, attackers could sell the data to competitors who could utilize the stolen details to reverse-engineer products, bypass years of R&D, and manufacture counterfeits.

The cybersecurity implications are also extreme as attackers could clearly uncover hardware vulnerabilities, chip locations, and power systems, which would be beneficial to target firmware or carry out supply chain attacks.

China-based Luxshare is a behemoth in the electronics manufacturing industry. Based in the country’s tech heart, Shenzhen, the company employs over 230,000 people and reports revenues of over $37 billion.

According to reporting by the Wall Street Journal, Luxshare’s importance to Apple’s supply chain ballooned after its main assembler, Foxconn, went through a series of production halting protests.

Who are the Luxshare attackers?
First spotted in 2024, RansomHub is a well-established actor in the ransomware scene and has been one of the most active ransomware gangs of the past couple of years.

According to security experts, RansomHub is among the most prolific ransomware-as-a-service (RaaS) operations, emerging after ALPHV (BlackCat) disappeared. It primarily targets industrial manufacturing and healthcare.

RansomHub brought some technological innovations to the table. Its tools are capable of remote encryption. The affiliates exploit exposed unprotected machines, reducing the risk of detection and increasing the success rate of attacks.

According to a CISA advisory, the cybercrooks breached nearly 500 victims in 2024, almost at a rate of one victim per day. The cyber watchdog also provides a full list of the Kremlin-backed gang's known IOCs, including IP addresses, tools, known URLs, email addresses, and more.

Updated on January 19th [01:30 p.m. GMT] with insights from the Cybernews research team.

cybernews.com EN 2026 Apple ransomware Luxshare Tesla Nvidia supplier