Category: Cybersecurity

  • China-Linked UAT-8099 Targets IIS Servers in Asia with BadIIS SEO Malware

    Cybersecurity researchers have discovered a new campaign attributed to a China-linked threat actor known as UAT-8099 that took place between late 2025 and early 2026.

    The activity, discovered by Cisco Talos, has targeted vulnerable Internet Information Services (IIS) servers located across Asia, but with a specific focus on targets in Thailand and Vietnam. The scale of the campaign is currently unknown.

    “UAT-8099 uses web shells and PowerShell to execute scripts and deploy the GotoHTTP tool, granting the threat actor remote access to vulnerable IIS servers,” security researcher Joey Chen said in a Thursday breakdown of the campaign.

    UAT-8099 was first documented by the cybersecurity company in October 2025, detailing the threat actor’s exploitation of IIS servers in India, Thailand, Vietnam, Canada, and Brazil to facilitate search engine optimization (SEO) fraud. The attacks involve infecting the servers with a known malware referred to as BadIIS.

    The hacking group is assessed to be of Chinese origin, with the attacks dating back to April 2025. The threat cluster also shares similarities with another BadIIS campaign codenamed WEBJACK by Finnish cybersecurity vendor WithSecure in November 2025, based on overlaps in tools, command-and-control (C2) infrastructure, and victimology footprint.

    The latest campaign is focused on compromising IIS servers located in India, Pakistan, Thailand, Vietnam, and Japan, although Cisco said it observed a “distinct concentration of attacks” in Thailand and Vietnam.

    “While the threat actor continues to rely on web shells, SoftEther VPN, and EasyTier to control compromised IIS servers, their operational strategy has evolved significantly,” Talos explained. “First, this latest campaign marks a shift in their black hat SEO tactics toward a more specific regional focus. Second, the actor increasingly leverages red team utilities and legitimate tools to evade detection and maintain long-term persistence.”

    The attack chain begins with UAT-8099 gaining initial access to an IIS server, typically by either exploiting a security vulnerability or weak settings in the web server’s file upload feature. This is followed by the threat actor initiating a series of steps to deploy malicious payloads –

    • Execute discovery and reconnaissance commands to gather system information
    • Deploy VPN tools and establish persistence by creating a hidden user account named “admin$”
    • Drop new tools like Sharp4RemoveLog (remove Windows event logs), CnCrypt Protect (hide malicious files), OpenArk64 (open-source anti-rootkit to terminate security product processes), and GotoHTTP (remote control of server)
    • Deploy BadIIS malware using the newly created account

    With security products taking steps to flag the “admin$” account, the threat actor has added a new check to verify if the name is blocked, and if so, proceeds to create a new user account named “mysql$” to maintain access and run the BadIIS SEO fraud service without any interruption. In addition, UAT-8099 has been observed creating more hidden accounts to ensure persistence.

    Another notable shift revolves around the use of GotoHTTP to remotely control the infected server. The tool is launched by means of a Visual Basic Script that is downloaded by a PowerShell command that’s run following the deployment of a web shell.

    The BadIIS malware deployed in the attacks comes in two new variants customized for specific regions: while BadIIS IISHijack singles out victims in Vietnam, BadIIS asdSearchEngine is primarily aimed at targets in Thailand or users with Thai language preferences.

    The end goal of the malware still largely remains the same. It scans incoming requests to IIS servers to check if the visitor is a search engine crawler. If that’s the case, the crawler is redirected to an SEO fraud site. However, if the request is from a regular user and the Accept-Language header in the request indicates Thai, it injects HTML containing a malicious JavaScript redirect into the response.
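    The cloaking behaviour described above (one response for crawlers, another for Thai-language browsers, a clean page for everyone else) can be checked from the defender's side by requesting the same page under several header profiles and diffing the answers. The script below is an added example written for this digest; it is not Talos's code nor anything from the original article. The request profiles, the host names and the sample responses are constructed placeholders, and `check_url` is meant to be pointed only at servers you administer.

```python
import re
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Dict, List, Optional, Set
from urllib.parse import urlsplit

# Three request profiles for the same URL (constructed for this example):
# a crawler, an English-language browser and a Thai-language browser.
PROFILES = {
    "browser-en": {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0",
        "Accept-Language": "en-US,en;q=0.9",
    },
    "browser-th": {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0",
        "Accept-Language": "th-TH,th;q=0.9,en;q=0.5",
    },
    "crawler": {
        "User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
        "Accept-Language": "en",
    },
}

SCRIPT_SRC = re.compile(r"<script[^>]+src=[\"']([^\"']+)[\"']", re.I)
JS_REDIRECT = re.compile(r"window\.location|location\.(?:href|replace)|http-equiv=[\"']refresh", re.I)


@dataclass
class Response:
    status: int
    location: Optional[str]  # Location header when the server answered with a 3xx
    body: str


class _KeepRedirects(urllib.request.HTTPRedirectHandler):
    """Return 3xx answers instead of following them, so the target can be inspected."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url: str, headers: Dict[str, str]) -> Response:
    """One request with the given headers; a 3xx surfaces as HTTPError and is captured."""
    opener = urllib.request.build_opener(_KeepRedirects)
    req = urllib.request.Request(url, headers=headers)
    try:
        with opener.open(req, timeout=15) as r:
            return Response(r.status, r.headers.get("Location"), r.read(200_000).decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return Response(e.code, e.headers.get("Location"), e.read(200_000).decode("utf-8", "replace"))


def _host(u: Optional[str]) -> str:
    return urlsplit(u or "").netloc.lower()


def script_hosts(body: str, own_host: str) -> Set[str]:
    """Hosts of external <script src=...> tags that do not belong to the site itself."""
    hosts = set()
    for src in SCRIPT_SRC.findall(body):
        h = _host(src) if "//" in src else ""  # relative paths stay on-site
        if h and h != own_host:
            hosts.add(h)
    return hosts


def find_cloaking(responses: Dict[str, Response], own_host: str) -> List[str]:
    """Compare the profiles' responses and describe each divergence worth a closer look."""
    base, th, bot = responses["browser-en"], responses["browser-th"], responses["crawler"]
    findings = []
    # Crawler sent somewhere else while an ordinary browser gets the page.
    if bot.location and _host(bot.location) not in ("", own_host) and not base.location:
        findings.append(f"crawler redirected off-site to {_host(bot.location)}")
    elif bot.status != base.status:
        findings.append(f"crawler gets HTTP {bot.status}, browser gets HTTP {base.status}")
    # Script or client-side redirect that only the Thai-language visitor receives.
    extra = script_hosts(th.body, own_host) - script_hosts(base.body, own_host)
    if extra:
        findings.append("script host(s) only in Thai-language response: " + ", ".join(sorted(extra)))
    if JS_REDIRECT.search(th.body) and not JS_REDIRECT.search(base.body):
        findings.append("client-side redirect present only in Thai-language response")
    return findings


def check_url(url: str) -> List[str]:
    """Live check of one page you administer: fetch it under every profile, then compare."""
    return find_cloaking({name: fetch(url, hdrs) for name, hdrs in PROFILES.items()}, _host(url))


# Constructed sample responses standing in for a live fetch of a compromised site.
SAMPLE = {
    "browser-en": Response(200, None, "<html><body>Hello<script src='/js/app.js'></script></body></html>"),
    "browser-th": Response(200, None, "<html><body>Hello<script src='/js/app.js'></script>"
                                      "<script src='//seo-fraud.example/r.js'></script>"
                                      "<script>window.location='//seo-fraud.example/';</script></body></html>"),
    "crawler": Response(302, "https://seo-fraud.example/landing", ""),
}

if __name__ == "__main__":
    for finding in find_cloaking(SAMPLE, "www.victim.example"):
        print("-", finding)
```

    Redirects are deliberately not followed, because the Location target is the evidence: a crawler-only 302 to a foreign host is exactly the pattern a normal browser session would never reveal. Run the comparison periodically from outside the server, since a web-server module such as BadIIS rewrites responses after the application has produced them and leaves the files on disk untouched.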

    Cisco Talos said it identified three distinct variants within the BadIIS asdSearchEngine cluster –

    • Exclusive multiple extensions variant, which checks the file path in the request and ignores it if it contains an extension on its exclusion list that can either be resource intensive or hamper the website’s appearance
    • Load HTML templates variant, which contains an HTML template generation system to dynamically create web content by loading templates from disk or using embedded fallbacks and replacing placeholders with random data, dates, and URL-derived content
    • Dynamic page extension/directory index variant, which checks if a requested path corresponds to a dynamic page extension or a directory index

    “We assess that the threat actor, UAT-8099, implemented this feature to prioritize SEO content targeting while maintaining stealth,” Talos said of the third variant.

    “Since SEO poisoning relies on injecting JavaScript links into pages that search engines crawl, the malware focuses on dynamic pages (e.g., default.aspx, index.php) where these injections are most effective. Furthermore, by restricting hooks to other specific file types, the malware avoids processing incompatible static files, thereby preventing the generation of suspicious server error logs.”

    There are also signs that the threat actor is actively refining its Linux version of BadIIS. An ELF binary artifact uploaded to VirusTotal in early October 2025 includes proxy, injector, and SEO fraud modes as before, while limiting the targeted search engines to only crawlers from Google, Microsoft Bing, and Yahoo!


    Source: thehackernews.com…

  • Badges, Bytes and Blackmail

    Behind the scenes of law enforcement in cyber: what do we know about caught cybercriminals? What brought them in, where do they come from and what was their function in the crimescape?

    Introduction: One view on the scattered fight against cybercrime
    The growing sophistication and diversification of cybercrime have compelled law enforcement agencies worldwide to respond through increasingly


    Source: thehackernews.com…

  • Researchers Find 175,000 Publicly Exposed Ollama AI Servers Across 130 Countries

    A new joint investigation by SentinelOne’s SentinelLABS and Censys has revealed that deployments of the open-source artificial intelligence (AI) framework Ollama have created a vast “unmanaged, publicly accessible layer of AI compute infrastructure” that spans 175,000 unique Ollama hosts across 130 countries.

    These systems, which span both cloud and residential networks across the world, operate outside the guardrails and monitoring systems that platform providers implement by default, the company said. The vast majority of the exposures are located in China, accounting for a little over 30%. The countries with the most infrastructure footprint include the U.S., Germany, France, South Korea, India, Russia, Singapore, Brazil, and the U.K.

    “Nearly half of observed hosts are configured with tool-calling capabilities that enable them to execute code, access APIs, and interact with external systems, demonstrating the increasing implementation of LLMs into larger system processes,” researchers Gabriel Bernadett-Shapiro and Silas Cutler added.

    Ollama is an open-source framework that allows users to easily download, run, and manage large language models (LLMs) locally on Windows, macOS, and Linux. While the service binds to the localhost address at 127.0.0[.]1:11434 by default, it’s possible to expose it to the public internet by means of a trivial change: configuring it to bind to 0.0.0[.]0 or a public interface.
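    The difference between the safe default and an exposed instance is a single bind setting, so it is worth auditing on every host that runs the service. The script below is an added example for this digest, not code from Ollama or from the SentinelLABS/Censys report. It reads the `OLLAMA_HOST` value (the environment variable Ollama uses for its bind address) from a systemd unit or drop-in, classifies it, and separately parses `ss -ltn` output to catch a socket that is actually listening on every interface regardless of what the configuration says. It assumes a Linux host with `ss` available, and its parsing of `OLLAMA_HOST` is a simplification: a scheme without an explicit port is still mapped to 11434 here.

```python
import ipaddress
import re
import subprocess
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

OLLAMA_PORT = 11434  # Ollama's default listening port


def parse_ollama_host(value: Optional[str]) -> Tuple[str, int]:
    """Split an OLLAMA_HOST value into (host, port).

    Unset means the 127.0.0.1:11434 default. Accepted forms: "host", "host:port",
    "[v6]:port" and "scheme://host:port". Simplification (assumption): a scheme
    without an explicit port still maps to 11434 here.
    """
    if not value or not value.strip():
        return "127.0.0.1", OLLAMA_PORT
    v = value.strip()
    if "://" not in v:
        v = "//" + v  # let urlsplit treat it as an authority component
    u = urlsplit(v)
    return (u.hostname or ""), (u.port or OLLAMA_PORT)


def is_exposed(host: str) -> bool:
    """True when a bind address accepts connections from other machines.

    The unspecified addresses (0.0.0.0, ::) and an empty host mean every
    interface; an IP is exposed unless it is loopback; for a bare hostname
    this audit assumes only "localhost" is safe.
    """
    if host in ("", "0.0.0.0", "::"):
        return True
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host.lower() != "localhost"


def ollama_host_from_unit(unit_text: str) -> Optional[str]:
    """Read OLLAMA_HOST from the Environment= lines of a systemd unit or drop-in (last one wins)."""
    value = None
    for m in re.finditer(r'^Environment=\s*"?OLLAMA_HOST=([^"\s]+)"?', unit_text, re.M):
        value = m.group(1)
    return value


# `ss -ltn` rows: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SS_ROW = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s")


def exposed_listeners(ss_output: str, port: int = OLLAMA_PORT) -> List[str]:
    """Local addresses on which `port` is listening beyond loopback, from `ss -ltn` output."""
    hits = []
    for line in ss_output.splitlines():
        m = SS_ROW.match(line.strip())
        if not m or int(m.group(2)) != port:
            continue
        addr = m.group(1).strip("[]")
        if addr == "*" or is_exposed(addr):  # ss prints "*" for the unspecified address
            hits.append(m.group(1))
    return hits


def audit_live() -> List[str]:
    """Run ss on this host (Linux) and report Ollama listeners reachable from other machines."""
    out = subprocess.run(["ss", "-ltn"], capture_output=True, text=True, check=False).stdout
    return exposed_listeners(out)


# Constructed samples: the weak setting, the corrected one, and an ss listing
# where the IPv6 socket is bound to every interface.
WEAK_UNIT = '[Service]\nEnvironment="OLLAMA_HOST=0.0.0.0"\n'
SAFE_UNIT = '[Service]\nEnvironment="OLLAMA_HOST=127.0.0.1:11434"\n'
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096       127.0.0.1:11434      0.0.0.0:*
LISTEN 0      4096         0.0.0.0:22         0.0.0.0:*
LISTEN 0      4096          [::]:11434            [::]:*
"""

if __name__ == "__main__":
    for name, unit in (("weak", WEAK_UNIT), ("safe", SAFE_UNIT)):
        host, port = parse_ollama_host(ollama_host_from_unit(unit))
        print(f"{name}: OLLAMA_HOST -> {host}:{port} exposed={is_exposed(host)}")
    print("exposed listeners in sample:", exposed_listeners(SAMPLE_SS))
```

    Checking the socket table as well as the configuration matters because an `OLLAMA_HOST` exported in a shell profile, a container's port mapping or a reverse proxy can all expose the service while the unit file still reads `127.0.0.1`. A loopback-only bind is the first control; the report's own conclusion is that anything beyond that needs the same authentication and monitoring as any other externally reachable service.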

    The fact that Ollama, like the recently popular Moltbot (formerly Clawdbot), is hosted locally and operates outside of the enterprise security perimeter, poses new security concerns. This, in turn, necessitates new approaches to distinguish between managed and unmanaged AI compute, the researchers said.

    Of the observed hosts, more than 48% advertise tool-calling capabilities via their API endpoints that, when queried, return metadata highlighting the functionalities they support. Tool calling (or function calling) is a capability that allows LLMs to interact with external systems, APIs, and databases, enabling them to augment their capabilities or retrieve real-time data.

    “Tool-calling capabilities fundamentally alter the threat model. A text-generation endpoint can produce harmful content, but a tool-enabled endpoint can execute privileged operations,” the researchers noted. “When combined with insufficient authentication and network exposure, this creates what we assess to be the highest-severity risk in the ecosystem.”

    The analysis has also identified hosts supporting various modalities that go beyond text, including reasoning and vision capabilities, with 201 hosts running uncensored prompt templates that remove safety guardrails.

    The exposed nature of these systems means they could be susceptible to LLMjacking, where a victim’s LLM infrastructure resources are abused by bad actors to their advantage, while the victim foots the bill. These could range from generating spam emails and disinformation campaigns to cryptocurrency mining and even reselling access to other criminal groups.

    The risk is not theoretical. According to a report published by Pillar Security this week, threat actors are actively targeting exposed LLM service endpoints to monetize access to the AI infrastructure as part of an LLMjacking campaign dubbed Operation Bizarre Bazaar.

    The findings point to a criminal service that contains three components: systematically scanning the internet for exposed Ollama instances, vLLM servers, and OpenAI-compatible APIs running without authentication, validating the endpoints by assessing response quality, and commercializing the access at discounted rates by advertising it on silver[.]inc, which operates as a Unified LLM API Gateway.

    “This end-to-end operation – from reconnaissance to commercial resale – represents the first documented LLMjacking marketplace with complete attribution,” researchers Eilon Cohen and Ariel Fogel said. The operation has been traced to a threat actor named Hecker (aka Sakuya and LiveGamer101).

    The decentralized nature of the exposed Ollama ecosystem, spread across cloud and residential environments, creates governance gaps and also opens new avenues for prompt injection and for proxying malicious traffic through victim infrastructure.

    “The residential nature of much of the infrastructure complicates traditional governance and requires new approaches that distinguish between managed cloud deployments and distributed edge infrastructure,” the companies said. “For defenders, the key takeaway is that LLMs are increasingly deployed to the edge to translate instructions into actions. As such, they must be treated with the same authentication, monitoring, and network controls as other externally accessible infrastructure.”


    Source: thehackernews.com…

  • SolarWinds Fixes Four Critical Web Help Desk Flaws With Unauthenticated RCE and Auth Bypass

    Ravie Lakshmanan, Jan 29, 2026, Vulnerability / Software Security

    SolarWinds has released security updates to address multiple security vulnerabilities impacting SolarWinds Web Help Desk, including four critical vulnerabilities that could result in authentication bypass and remote code execution (RCE).

    The list of vulnerabilities is as follows –

    • CVE-2025-40536 (CVSS score: 8.1) – A security control bypass vulnerability that could allow an unauthenticated attacker to gain access to certain restricted functionality
    • CVE-2025-40537 (CVSS score: 7.5) – A hard-coded credentials vulnerability that could allow access to administrative functions using the “client” user account
    • CVE-2025-40551 (CVSS score: 9.8) – An untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an unauthenticated attacker to run commands on the host machine
    • CVE-2025-40552 (CVSS score: 9.8) – An authentication bypass vulnerability that could allow an unauthenticated attacker to execute actions and methods
    • CVE-2025-40553 (CVSS score: 9.8) – An untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an unauthenticated attacker to run commands on the host machine
    • CVE-2025-40554 (CVSS score: 9.8) – An authentication bypass vulnerability that could allow an attacker to invoke specific actions within Web Help Desk

    While Jimi Sebree from Horizon3.ai has been credited with discovering and reporting the first three vulnerabilities, watchTowr’s Piotr Bazydlo has been acknowledged for the remaining three flaws. All the issues have been addressed in WHD 2026.1.

    “Both CVE-2025-40551 and CVE-2025-40553 are critical deserialization of untrusted data vulnerabilities that allow a remote unauthenticated attacker to achieve RCE on a target system and execute payloads such as arbitrary OS command execution,” Rapid7 said.

    “RCE via deserialization is a highly reliable vector for attackers to leverage, and as these vulnerabilities are exploitable without authentication, the impact of either of these two vulnerabilities is significant.”

    While CVE-2025-40552 and CVE-2025-40554 have been described as authentication bypasses, they could also be leveraged to obtain RCE and achieve the same impact as the other two RCE deserialization vulnerabilities, the cybersecurity company added.

    In recent years, SolarWinds has released fixes to resolve several flaws in its Web Help Desk software, including CVE-2024-28986, CVE-2024-28987, CVE-2024-28988, and CVE-2025-26399. It’s worth noting that CVE-2025-26399 addresses a patch bypass for CVE-2024-28988, which, in turn, is a patch bypass of CVE-2024-28986.

    In late 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-28986 and CVE-2024-28987 to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

    In a post explaining CVE-2025-40551, Horizon3.ai’s Sebree described it as yet another deserialization vulnerability stemming from the AjaxProxy functionality that could result in remote code execution. To achieve RCE, an attacker needs to carry out the following series of actions –

    • Establish a valid session and extract key values
    • Create a LoginPref component
    • Set the state of the LoginPref component to allow us to access the file upload
    • Use the JSONRPC bridge to create some malicious Java objects behind the scenes
    • Trigger these malicious Java objects

    With flaws in Web Help Desk having been weaponized in the past, it’s essential that customers move quickly to update to the latest version of the help desk and IT service management platform.


    Source: thehackernews.com…

  • Google Disrupts IPIDEA — One of the World’s Largest Residential Proxy Networks

    Google on Wednesday announced that it worked together with other partners to disrupt IPIDEA, which it described as one of the largest residential proxy networks in the world.

    To that end, the company said it took legal action to take down dozens of domains used to control devices and proxy traffic through them. As of writing, IPIDEA’s website (“www.ipidea.io”) is no longer accessible. It advertised itself as the “world’s leading provider of IP proxy” with more than 6.1 million daily updated IP addresses and 69,000 daily new IP addresses.

    “Residential proxy networks have become a pervasive tool for everything from high-end espionage to massive criminal schemes,” John Hultquist, Google Threat Intelligence Group’s (GTIG) chief analyst, said in a statement shared with The Hacker News.

    “By routing traffic through a person’s home internet connection, attackers can hide in plain sight while infiltrating corporate environments. By taking down the infrastructure used to run the IPIDEA network, we have effectively pulled the rug out from under a global marketplace that was selling access to millions of hijacked consumer devices.”

    Google said that, as recently as this month, IPIDEA’s proxy infrastructure has been leveraged by more than 550 individual threat groups with varying motivations, including cybercrime, espionage, advanced persistent threats (APTs), and information operations, operating from across the world, including China, North Korea, Iran, and Russia. These activities ranged from access to victim SaaS environments and on-premises infrastructure to password spray attacks.

    In an analysis published earlier this month, Synthient revealed that the threat actors behind the AISURU/Kimwolf botnet were abusing security flaws in residential proxy services like IPIDEA to relay malicious commands to susceptible Internet of Things (IoT) devices behind a firewall within local networks to propagate the malware.

    The malware that turns consumer devices into proxy endpoints is stealthily bundled within apps and games pre-installed on off-brand Android TV streaming boxes. This forces the infected device to relay malicious traffic and participate in distributed denial-of-service (DDoS) attacks.

    IPIDEA is also said to have released standalone apps, marketed directly to people looking to make “easy cash” by blatantly advertising they’ll pay consumers to install the app and allow it to use their “unused bandwidth.”

    While residential proxy networks offer the ability to route traffic through IP addresses owned by internet service providers (ISPs), this can also provide the perfect cover for bad actors looking to mask the origin of their malicious activity.

    “To do this, residential proxy network operators need code running on consumer devices to enroll them into the network as exit nodes,” GTIG explained. “These devices are either pre-loaded with proxy software or are joined to the proxy network when users unknowingly download trojanized applications with embedded proxy code. Some users may knowingly install this software on their devices, lured by the promise of ‘monetizing’ their spare bandwidth.”

    The tech giant’s threat intelligence team said IPIDEA has become notorious for its role in facilitating a number of botnets, including the China-based BADBOX 2.0. In July 2025, Google filed a lawsuit against 25 unnamed individuals or entities in China for allegedly operating the botnet and its associated residential proxy infrastructure.

    It also pointed out that the proxy applications from IPIDEA not only routed traffic through the exit node device, but also sent traffic to the device with the goal of compromising it, posing severe risks to consumers whose devices may have knowingly or unknowingly joined the proxy network.

    The proxy network that powers IPIDEA is not a monolithic entity. Rather, it’s a collection of multiple well-known residential proxy brands under its control –

    • Ipidea (ipidea[.]io)
    • 360 Proxy (360proxy[.]com)
    • 922 Proxy (922proxy[.]com)
    • ABC Proxy (abcproxy[.]com)
    • Cherry Proxy (cherryproxy[.]com)
    • Door VPN (doorvpn[.]com)
    • Galleon VPN (galleonvpn[.]com)
    • IP 2 World (ip2world[.]com)
    • Luna Proxy (lunaproxy[.]com)
    • PIA S5 Proxy (piaproxy[.]com)
    • PY Proxy (pyproxy[.]com)
    • Radish VPN (radishvpn[.]com)
    • Tab Proxy (tabproxy[.]com)

    “The same actors that control these brands also control several domains related to Software Development Kits (SDKs) for residential proxies,” Google said. “These SDKs are not meant to be installed or executed as standalone applications, rather they are meant to be embedded into existing applications.”

    These SDKs are marketed to third-party developers as a way to monetize their Android, Windows, iOS, and WebOS applications. Developers who integrate the SDKs into their apps are paid by IPIDEA on a per-download basis. This, in turn, transforms a device that installs these apps into a node for the proxy network, while simultaneously providing the advertised functionality. The names of the SDKs controlled by the IPIDEA actors are listed below –

    • Castar SDK (castarsdk[.]com)
    • Earn SDK (earnsdk[.]io)
    • Hex SDK (hexsdk[.]com)
    • Packet SDK (packetsdk[.]com)

    The SDKs have significant overlaps in their command-and-control (C2) infrastructure and code structure. They follow a two-tier C2 system where the infected devices contact a Tier One server to retrieve a set of Tier Two nodes to connect to. The application then initiates communication with the Tier Two server to periodically poll for payloads to proxy through the device. Google’s analysis found that there are about 7,400 Tier Two servers.

    Besides proxy services, the IPIDEA actors have been found to control domains that offer free Virtual Private Network (VPN) tools, which are also engineered to join the proxy network as an exit node incorporating either the Hex or Packet SDK. The names of the VPN services are as follows –

    • Galleon VPN (galleonvpn[.]com)
    • Radish VPN (radishvpn[.]com)
    • Aman VPN (defunct)

    In addition, GTIG said it identified 3,075 unique Windows binaries that have sent a request to at least one Tier One domain, some of which masqueraded as OneDriveSync and Windows Update. These trojanized Windows applications were not distributed by the IPIDEA actors directly. As many as 600 Android applications (spanning utilities, games, and content) from multiple download sources have been flagged for containing code connecting to Tier One C2 domains by using the monetization SDKs to enable the proxy behavior.

    In a statement shared with The Wall Street Journal, a spokesperson for the Chinese company said it had engaged in “relatively aggressive market expansion strategies” and “conducted promotional activities in inappropriate venues (e.g., hacker forums),” and it has “explicitly opposed any form of illegal or abusive conduct.”

    To counter the threat, Google said it has updated Google Play Protect to automatically warn users about apps containing IPIDEA code. For certified Android devices, the system will automatically remove these malicious applications and block any future attempts to install them.

    “While proxy providers may claim ignorance or close these security gaps when notified, enforcement and verification are challenging given intentionally murky ownership structures, reseller agreements, and diversity of applications,” Google said.


    Source: thehackernews.com…

  • 3 Decisions CISOs Need to Make to Prevent Downtime Risk in 2026

    The Hacker News, Jan 29, 2026, Threat Intelligence / Incident Response

    Beyond the direct impact of cyberattacks, enterprises suffer from a secondary but potentially even more costly risk: operational downtime, any amount of which translates into very real damage. That’s why for CISOs, it’s key to prioritize decisions that reduce dwell time and protect their company from risk.

    Three strategic steps you can take this year for better results:

    1. Focus on today’s actual business security risks

    Any efficient SOC is powered by relevant data. That’s what makes targeted, prioritized action against threats possible. Public or low-quality feeds may have been sufficient in the past, but in 2026, threat actors are more funded, coordinated, and dangerous than ever. Accurate and timely information is a deciding factor when counteracting them.

    It is the lack of relevant data that keeps SOCs from staying focused on the risks that are real here and now. Only continuously refreshed feeds sourced from active threat investigations can enable smart, proactive action.

    STIX/TAXII-compatible Threat Intelligence Feeds by ANY.RUN allow security teams to focus on the threats targeting organizations today. Sourced from the latest manual investigations of malware and phishing done by 15K SOC teams and 600K analysts, this solution provides:

    • Early threat detection: fresh, extensive data expands threat coverage for attack prevention.
    • Mitigated risk of incidents: being informed about the most relevant malicious indicators minimizes the chance of incidents.
    • Stability in operations: destructive downtime is prevented, ensuring the company’s sustainability.

    TI Feeds deliver quantifiable results across SOC processes

    By delivering relevant intel to your SIEM, EDR/XDR, TIP, or NDR, TI Feeds expand threat coverage and offer actionable insights on attacks that have just happened to companies like yours.

    Result: Up to 58% more threats detected for a reduced chance of business disruption.

    2. Shield analysts from false positives

    As a CISO, one of the most effective things you can do to mitigate burnout and improve SOC performance has more to do with analysts’ daily operations than with overall management.

    Analysts show better results when they can stay focused on real threats and actually do the job that matters. But false positives, duplicates, and other noise in threat data drain them. It slows down response and increases the risk of missed incidents.

    Unlike other feeds with largely outdated and unfiltered indicators, ANY.RUN’s TI Feeds deliver verified intel with near-zero false positive rates and real-time updates. IPs, domains, and hashes are validated and 99% unique.

    TI Feeds promote early detection with fresh indicators available via API/SDK and STIX/TAXII integrations

    Integrating TI Feeds into your stacks means:

    • Taking resource-efficient action against threats for breach mitigation
    • Avoiding workflow disruptions and costly escalations
    • Achieving better SOC team performance, morale, and impact

    Result: Higher productivity across SOC analyst Tiers with 30% fewer Tier 1 to Tier 2 escalations.

    3. Shorten the gap between knowing and doing

    Mature SOCs move from detection to response fast. This requires context: something that’s missing from ordinary threat intelligence. Without sufficient insights into malicious behavior, the investigation across multiple resources takes too much time and energy, heightening the chance of operational downtime.

    How TI Feeds benefit SOCs across tiers

    TI Feeds address the gap between alert and action. With behavioral context sourced from real sandbox analyses done globally by 15K+ security teams, they shorten MTTD and MTTR, helping businesses:

    • Reduce breach impact at scale by enriching indicators with real-world attacker behavior from active campaigns.
    • Prevent incident escalation caused by uncertainty and slow validation during early investigation stages.
    • Maintain operational continuity by accelerating investigations before attacks affect core business processes.

    Result: 21 min faster Mean Time to Respond and lower incident response costs.

    Conclusion

    Prioritizing relevant threat intelligence, filling operational gaps, and improving the entire workflow from triage to response directly impacts performance rates across SOCs. For CISOs, this translates into a clear priority: take targeted action to reduce dwell time by empowering analysts with actionable, relevant, and unique threat intelligence feeds, enabling fast and confident decision-making.

    This article is a contributed piece from one of our valued partners.


    Source: thehackernews.com…

  • Survey of 100+ Energy Systems Reveals Critical OT Cybersecurity Gaps

    A study by OMICRON has revealed widespread cybersecurity gaps in the operational technology (OT) networks of substations, power plants, and control centers worldwide. Drawing on data from more than 100 installations, the analysis highlights recurring technical, organizational, and functional issues that leave critical energy infrastructure vulnerable to cyber threats.

    The findings are based on several years of deploying OMICRON’s intrusion detection system (IDS) StationGuard in protection, automation, and control (PAC) systems. The technology, which monitors network traffic passively, has provided deep visibility into real-world OT environments. The results underscore the growing attack surface in energy systems and the challenges operators face in securing aging infrastructure and complex network architectures.

    Connection of an IDS in PAC systems (circles indicate mirror ports)

    StationGuard deployments, often carried out during security assessments, revealed vulnerabilities such as unpatched devices, insecure external connections, weak network segmentation, and incomplete asset inventories. In many cases, these security weaknesses were identified within the first 30 minutes of connecting to the network. Beyond security risks, the assessments also uncovered operational issues like VLAN misconfigurations, time synchronization errors, and network redundancy problems.

    In addition to technical shortcomings, the findings point to organizational factors that contribute to these risks — including unclear responsibilities for OT security, limited resources, and departmental silos. These findings reflect a growing trend across the energy sector: IT and OT environments are converging rapidly, yet security measures often fail to keep pace. How are utilities adapting to these complex risks, and what gaps remain that could leave critical systems exposed?

    Why OT Networks Need Intrusion Detection

    The ability to detect security incidents is an integral part of most security frameworks and guidelines, including the NIST Cybersecurity Framework, IEC 62443, and the ISO 27000 standard series. In substations, power plant control systems, and control centers, many devices operate without standard operating systems, making it impossible to install endpoint detection software. In such environments, detection capabilities must be implemented at the network level.

    OMICRON’s StationGuard deployments typically use network mirror ports or Ethernet TAPs to passively monitor communication. Besides detecting intrusions and cyber threats, the IDS technology provides key benefits, including:

    • Visualization of network communication
    • Identification of unnecessary services and risky network connections
    • Automatic asset inventory creation
    • Detection of device vulnerabilities based on this inventory

    Assessing Risks: Methodology Behind the Findings

    The report is based on years of IDS installations. The first installation dates back to 2018. Since then, several hundred installations and security assessments have been conducted at substations, power plants, and control centers in dozens of countries. The findings are grouped into three categories:

    1. Technical security risks
    2. Organizational security issues
    3. Operational and functional problems

    In most cases, critical security and operational issues were detected within minutes of connecting the IDS to the network.

    Typically, sensors were connected to mirror ports on OT networks, often at gateways and other critical network entry points, to capture key communication flows. In many substations, bay-level monitoring was not required, as multicast propagation made the traffic visible elsewhere in the network.

    Hidden Devices and Asset Blind Spots

    Accurate asset inventories are essential for securing complex energy systems. Creating and maintaining such directories manually is time-consuming and error-prone. To address this, OMICRON used both passive and active methods for automated asset discovery.

    Passive asset identification relies on existing system configuration description (SCD) files, standardized under IEC 61850-6, which contain detailed device information. However, passive monitoring alone proved insufficient in many cases, as essential data such as firmware versions are not transmitted in normal PAC communication.

    Active querying of device information, on the other hand, leverages the MMS protocol to retrieve nameplate data such as device names, manufacturers, model numbers, firmware versions, and sometimes even hardware identifiers. This combination of passive and active techniques provided a comprehensive asset inventory across installations.

    Example of device information retrievable via SCL and MMS active querying
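The passive side of that inventory, as an added example (not OMICRON's code): it reads a constructed IEC 61850-6 SCD excerpt, maps each access-point IP to the IED nameplate data the file carries, and compares the result with a constructed list of hosts observed on a mirror port so undocumented devices stand out.

```python
"""Build an asset inventory from an IEC 61850-6 SCD file and compare it
against hosts seen on the wire, so undocumented devices stand out.
Added example; the SCD excerpt and the observed hosts are constructed."""
import xml.etree.ElementTree as ET

NS = {"scl": "http://www.iec.ch/61850/2003/SCL"}

# Constructed SCD excerpt: two documented IEDs and their access-point addresses.
SCD_XML = """<SCL xmlns="http://www.iec.ch/61850/2003/SCL">
  <Communication>
    <SubNetwork name="StationBus">
      <ConnectedAP iedName="PROT_F01" apName="S1">
        <Address><P type="IP">10.10.1.11</P><P type="IP-SUBNET">255.255.255.0</P></Address>
      </ConnectedAP>
      <ConnectedAP iedName="CTRL_E01" apName="S1">
        <Address><P type="IP">10.10.1.12</P></Address>
      </ConnectedAP>
    </SubNetwork>
  </Communication>
  <IED name="PROT_F01" manufacturer="VendorA" type="RelayX" configVersion="2.1"/>
  <IED name="CTRL_E01" manufacturer="VendorB" type="BayCtrl" configVersion="1.0"/>
</SCL>"""

def inventory_from_scd(scd_xml):
    """Map each access-point IP to its IED's nameplate data from the SCD.
    Note: configVersion is a configuration revision; firmware versions are not
    in the SCD, which is why the report pairs this with active MMS queries."""
    root = ET.fromstring(scd_xml)
    ieds = {ied.get("name"): {k: ied.get(k) for k in ("name", "manufacturer", "type", "configVersion")}
            for ied in root.findall("scl:IED", NS)}
    inventory = {}
    for cap in root.iterfind(".//scl:ConnectedAP", NS):
        ip = cap.findtext("scl:Address/scl:P[@type='IP']", namespaces=NS)
        if ip and cap.get("iedName") in ieds:
            inventory[ip] = ieds[cap.get("iedName")]
    return inventory

def find_blind_spots(inventory, observed_hosts):
    """Hosts talking on the OT network that no SCD entry accounts for."""
    return sorted(ip for ip in observed_hosts if ip not in inventory)

# Constructed passive observations: source IPs seen via a mirror port.
OBSERVED = {"10.10.1.11", "10.10.1.12", "10.10.1.50", "10.10.1.200"}

if __name__ == "__main__":
    inv = inventory_from_scd(SCD_XML)
    for ip, dev in sorted(inv.items()):
        print(ip, dev["name"], dev["manufacturer"], dev["type"], "configVersion", dev["configVersion"])
    print("undocumented hosts:", find_blind_spots(inv, OBSERVED))
```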

    Which Technical Cybersecurity Risks Are Most Common?

    OMICRON’s analysis identified several recurring technical issues across energy OT networks:

    • Vulnerable PAC devices:

      Many PAC devices were found to be operating with outdated firmware containing known vulnerabilities. A notable example is the CVE-2015-5374 vulnerability, which allows a denial-of-service attack on protective relays with a single UDP packet. Although patches have been available since 2015, numerous devices remain unpatched. Similar vulnerabilities in GOOSE implementations and MMS protocol stacks pose additional risks.

    • Risky external connections:

      In several installations, undocumented external TCP/IP connections were found, in some cases exceeding 50 persistent connections to external IP addresses in a single substation.

    • Unnecessary insecure services:

      Common findings included unused Windows file sharing services (NetBIOS), IPv6 services, license management services running with elevated privileges, and unsecured PLC debugging functions.

    • Weak network segmentation:

      Many facilities operated as a single large flat network, allowing unrestricted communication between hundreds of devices. In some cases, even office IT networks were reachable from remote substations. Such architectures significantly increase the impact radius of cyber incidents.

    • Unexpected devices:

      Untracked IP cameras, printers, and even automation devices frequently appeared on networks without being documented in asset inventories, creating serious blind spots for defenders.

    The Human Factor: Organizational Weaknesses in OT Security

    Beyond technical flaws, OMICRON also observed recurring organizational challenges that exacerbate cyber risk. These include:

    • Departmental boundaries between IT and OT teams
    • Lack of dedicated OT security personnel
    • Resource constraints limiting the implementation of security controls

    In many organizations, IT departments remain responsible for OT security — a model that often struggles to address the unique requirements of energy infrastructure.

    When Operations Fail: Functional Risks in Substations

    The IDS deployments also revealed a range of operational problems unrelated to direct cyber threats but still affecting system reliability. The most common were:

    • VLAN issues were by far the most frequent, often involving inconsistent VLAN tagging of GOOSE messages across the network.
    • RTU and SCD mismatches led to broken communication between devices, preventing SCADA updates in several cases.
    • Time synchronization errors ranged from simple misconfigurations to devices operating with incorrect time zones or default timestamps.
    • Network redundancy issues involving RSTP loops and misconfigured switch chips caused severe performance degradation in some installations.

    These operational weaknesses not only impact availability but can also amplify the consequences of cyber incidents.

    Functional monitoring-related alert messages
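The VLAN finding above can be checked from passively captured traffic. The following added example (not OMICRON's code) parses constructed GOOSE frames (EtherType 0x88B8), reads the optional 802.1Q tag, and reports any (APPID, destination MAC) stream that is seen with more than one VLAN ID or both tagged and untagged.

```python
"""Check 802.1Q tagging consistency of IEC 61850 GOOSE frames (EtherType 0x88B8),
the most frequent functional finding in the report. Added example; the frames
are constructed with build_frame(), not captured traffic."""
import struct
from collections import defaultdict

GOOSE_ETHERTYPE = 0x88B8
TPID_8021Q = 0x8100

def build_frame(dst, src, appid, vlan_id=None, pcp=4):
    """Constructed GOOSE frame: Ethernet header, optional 802.1Q tag, GOOSE header, dummy APDU."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan_id is not None:
        hdr += struct.pack("!HH", TPID_8021Q, (pcp << 13) | (vlan_id & 0x0FFF))
    apdu = b"\x61\x02\x80\x00"  # placeholder bytes standing in for the goosePdu
    length = 8 + len(apdu)     # GOOSE Length field covers APPID..end of APDU
    return hdr + struct.pack("!HHHHH", GOOSE_ETHERTYPE, appid, length, 0, 0) + apdu

def parse_goose(frame):
    """Return (dst_mac, vlan_id or None if untagged, appid); None for non-GOOSE frames."""
    dst = frame[0:6].hex(":")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset, vlan_id = 14, None
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan_id, offset = tci & 0x0FFF, 18
    if ethertype != GOOSE_ETHERTYPE:
        return None
    (appid,) = struct.unpack_from("!H", frame, offset)
    return dst, vlan_id, appid

def vlan_findings(frames):
    """Group GOOSE frames by (APPID, destination MAC); report streams whose tagging varies."""
    seen = defaultdict(set)
    for frame in frames:
        parsed = parse_goose(frame)
        if parsed:
            dst, vlan_id, appid = parsed
            seen[(appid, dst)].add(vlan_id)
    # untagged (None) sorts first so it is easy to spot in the report
    return {key: sorted(vids, key=lambda v: -1 if v is None else v)
            for key, vids in seen.items() if len(vids) > 1}

# Constructed traffic: stream 0x0001 is tagged consistently; stream 0x0002 shows up
# both on VLAN 200 and untagged, as happens when a switch port strips the tag.
DST, SRC1, SRC2 = "01:0c:cd:01:00:01", "00:11:22:33:44:55", "00:11:22:33:44:66"
FRAMES = [build_frame(DST, SRC1, 0x0001, 100), build_frame(DST, SRC1, 0x0001, 100),
          build_frame(DST, SRC2, 0x0002, 200), build_frame(DST, SRC2, 0x0002, None)]

if __name__ == "__main__":
    for (appid, dst), vids in vlan_findings(FRAMES).items():
        print(f"APPID 0x{appid:04x} to {dst}: inconsistent VLAN tagging {vids}")
```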

    What Can Utilities Learn from These Findings?

    The analysis of over 100 energy facilities highlights the urgent need for robust, purpose-built security solutions that are designed for the unique challenges of operational technology environments.

    With its deep protocol understanding and asset visibility, the StationGuard Solution provides security teams with the transparency and control needed to protect critical infrastructure. Its built-in allowlisting detects even subtle deviations from expected behavior, while its signature-based detection identifies known threats in real time.

    The system’s ability to monitor both IT and OT protocols — including IEC 104, MMS, GOOSE, and more — allows utilities to detect and respond to threats at every layer of their substation network. Combined with features like automated asset inventories, role-based access control, and seamless integration into existing security workflows, StationGuard enables organizations to strengthen resilience without disrupting operations.

    To learn more about how StationGuard supports utilities in closing these critical security gaps, visit our website.

    This article is a contributed piece from one of our valued partners.


    Source: thehackernews.com…

  • ThreatsDay Bulletin: New RCEs, Darknet Busts, Kernel Bugs & 25+ More Stories

    ThreatsDay Bulletin: New RCEs, Darknet Busts, Kernel Bugs & 25+ More Stories

    Ravie Lakshmanan | Jan 29, 2026 | Cybersecurity / Hacking News

    This week’s updates show how small changes can create real problems. Not loud incidents, but quiet shifts that are easy to miss until they add up. The kind that affects systems people rely on every day.

    Many of the stories point to the same trend: familiar tools being used in unexpected ways. Security controls are being worked around, and trusted platforms are turning into weak spots. What looks routine on the surface often isn’t.

    There’s no single theme driving everything — just steady pressure across many fronts. Access, data, money, and trust are all being tested at once, often without clear warning signs.

    This edition pulls together those signals in short form, so you can see what’s changing before it becomes harder to ignore.

    Seen together, these stories show problems building slowly, not all at once. The same gaps are being used again and again until they work.

    Most of this didn’t start this week. It’s growing, spreading, and getting easier for attackers to repeat. The full list helps show where things are heading before they become normal.


    Source: thehackernews.com…

  • Critical vm2 Node.js Flaw Allows Sandbox Escape and Arbitrary Code Execution

    Critical vm2 Node.js Flaw Allows Sandbox Escape and Arbitrary Code Execution

    Ravie Lakshmanan | Jan 28, 2026 | Vulnerability / Open Source

    A critical sandbox escape vulnerability has been disclosed in the popular vm2 Node.js library that, if successfully exploited, could allow attackers to run arbitrary code on the underlying operating system.

    The vulnerability, tracked as CVE-2026-22709, carries a CVSS score of 9.8 out of 10.0.

    “In vm2 for version 3.10.0, Promise.prototype.then Promise.prototype.catch callback sanitization can be bypassed,” vm2 maintainer Patrik Simek said. “This allows attackers to escape the sandbox and run arbitrary code.”

    vm2 is a Node.js library used to run untrusted code within a secure sandboxed environment by intercepting and proxying JavaScript objects to prevent sandboxed code from accessing the host environment.


    The newly discovered flaw stems from the library’s improper sanitization of Promise handlers, which creates an escape vector that results in the execution of arbitrary code outside the sandbox boundaries.

    “The critical insight is that async functions in JavaScript return `globalPromise` objects, not `localPromise` objects. Since `globalPromise.prototype.then` and `globalPromise.prototype.catch` are not properly sanitized (unlike `localPromise`),” Endor Labs researchers Peyton Kennedy and Cris Staicu said.

    While CVE-2026-22709 has been addressed in vm2 version 3.10.2, it’s the latest in a steady stream of sandbox escapes that have plagued the library in recent years. This includes CVE-2022-36067, CVE-2023-29017, CVE-2023-29199, CVE-2023-30547, CVE-2023-32314, CVE-2023-37466, and CVE-2023-37903.

    The discovery of CVE-2023-37903 in July 2023 also led Simek to announce that the project was being discontinued. However, these references have since been removed from the latest README file available on its GitHub repository. The Security page has also been updated as of October 2025 to mention that vm2 3.x versions are being actively maintained.

    However, vm2’s maintainer has also acknowledged that new bypasses will likely be discovered in the future, urging users to make sure that they keep the library up to date and consider other robust alternatives, such as isolated-vm, for stronger isolation guarantees.


    “Instead of relying on the problematic vm model, the successor to vm2, isolated-vm relies on V8’s native Isolate interface, which offers a more solid foundation, but even then, the maintainers of vm2 stress the importance of isolation and actually recommend Docker with logical separation between components,” Semgrep said.

    In light of the criticality of the flaw, users are recommended to update to the most recent version (3.10.3), which comes with fixes for additional sandbox escapes.
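Because vm2 is often pulled in transitively, a hoisted top-level copy can be current while a nested copy under another package is not (or the reverse). The following added example (not vm2's or Endor Labs' code) walks the `packages` map of a constructed npm lockfile (lockfileVersion 2/3 layout assumed) and lists every vm2 install older than the 3.10.3 the article recommends, using semver ordering so prereleases are handled correctly.

```python
"""Scan an npm lockfile (lockfileVersion 2/3 'packages' map) for vm2 installs,
hoisted or nested, that are older than the version the advisory recommends.
Added example; the lockfile content is constructed."""
import json

MIN_SAFE_VM2 = "3.10.3"  # version the article says to update to

def parse_version(v):
    """'3.10.3-rc.1' -> ((3, 10, 3), ('rc', 1)); a release has an empty prerelease."""
    core, _, pre = v.lstrip("v").split("+")[0].partition("-")  # drop build metadata
    nums = tuple(int(x) for x in core.split("."))
    pre_ids = tuple(int(p) if p.isdigit() else p for p in pre.split(".")) if pre else ()
    return nums, pre_ids

def _pre_key(ids):
    # semver: numeric identifiers compare numerically and sort below alphanumerics
    return tuple((0, x, "") if isinstance(x, int) else (1, 0, x) for x in ids)

def is_older(v, floor):
    """True if v < floor under semver ordering (a prerelease sorts below its release)."""
    (vn, vp), (fn, fp) = parse_version(v), parse_version(floor)
    if vn != fn:
        return vn < fn
    if not vp:   # v is the release of this core version: never older than floor
        return False
    if not fp:   # floor is the release; v is one of its prereleases
        return True
    return _pre_key(vp) < _pre_key(fp)

def vulnerable_vm2_paths(lock):
    """Install paths whose package is vm2 and whose version is below MIN_SAFE_VM2."""
    hits = []
    for path, meta in lock.get("packages", {}).items():
        name = path.rsplit("node_modules/", 1)[-1]  # last segment names the package
        if name == "vm2" and is_older(meta.get("version", "0.0.0"), MIN_SAFE_VM2):
            hits.append((path, meta["version"]))
    return sorted(hits)

# Constructed lockfile: the app pins a vulnerable vm2 at top level, while a
# dependency carries its own, already-updated copy under its node_modules.
LOCK = json.loads("""{
  "name": "demo", "lockfileVersion": 3, "packages": {
    "": {"dependencies": {"vm2": "^3.9.0", "plugin-runner": "1.0.0"}},
    "node_modules/vm2": {"version": "3.9.19"},
    "node_modules/plugin-runner": {"version": "1.0.0", "dependencies": {"vm2": "3.10.3"}},
    "node_modules/plugin-runner/node_modules/vm2": {"version": "3.10.3"}
  }}""")

if __name__ == "__main__":
    for path, version in vulnerable_vm2_paths(LOCK):
        print(f"{path}: vm2 {version} < {MIN_SAFE_VM2}")
```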


    Source: thehackernews.com…

  • Russian ELECTRUM Tied to December 2025 Cyber Attack on Polish Power Grid

    Russian ELECTRUM Tied to December 2025 Cyber Attack on Polish Power Grid

    Ravie Lakshmanan | Jan 28, 2026 | Critical Infrastructure / Threat Intelligence

    The “coordinated” cyber attack targeting multiple sites across the Polish power grid has been attributed with medium confidence to a Russian state-sponsored hacking crew known as ELECTRUM.

    Operational technology (OT) cybersecurity company Dragos, in a new intelligence brief published Tuesday, described the late December 2025 activity as the first major cyber attack targeting distributed energy resources (DERs).

    “The attack affected communication and control systems at combined heat and power (CHP) facilities and systems managing the dispatch of renewable energy systems from wind and solar sites,” Dragos said. “While the attack did not result in power outages, adversaries gained access to operational technology systems critical to grid operations and disabled key equipment beyond repair at the site.”


    It’s worth pointing out that ELECTRUM and KAMACITE share overlaps with a cluster referred to as Sandworm (aka APT44 and Seashell Blizzard). KAMACITE focuses on establishing and maintaining initial access to targeted organizations using spear-phishing, stolen credentials, and exploitation of exposed services.

    Beyond initial access, the threat actor performs reconnaissance and persistence activities over extended periods of time as part of efforts to burrow deep into target OT environments and keep a low profile, signaling a careful preparatory phase that precedes actions executed by ELECTRUM targeting the industrial control systems.

    “Following access enablement, ELECTRUM conducts operations that bridge IT and OT environments, deploying tooling within operational networks, and performs ICS-specific actions that manipulate control systems or disrupt physical processes,” Dragos said. “These actions have included both manual interactions with operator interfaces and the deployment of purpose-built ICS malware, depending on the operational requirements and objectives.”

    Put differently, the two clusters have clear separation of roles and responsibilities, enabling flexibility in execution and facilitating sustained OT-focused intrusions when conditions are favourable. As recently as July 2025, KAMACITE is said to have engaged in scanning activity against industrial devices located in the U.S.

    Although no follow-on OT disruptions have been publicly reported to date, this highlights an operational model that is not geographically constrained and facilitates early-stage access identification and positioning.

    “KAMACITE’s access-oriented operations create the conditions under which OT impact becomes possible, while ELECTRUM applies execution tradecraft when timing, access, and risk tolerance align,” it explained. “This division of labor enables flexibility in execution and allows OT impact to remain an option, even when it is not immediately exercised. This extends risk beyond discrete incidents and into prolonged periods of latent exposure.”

    Dragos said the Poland attack targeted systems that facilitate communication and control between grid operators and DER assets, including assets that enable network connectivity, allowing the adversary to successfully disrupt operations at about 30 distributed generation sites.

    The threat actors are assessed to have breached Remote Terminal Units (RTUs) and communication infrastructure at the affected sites using exposed network devices and exploited vulnerabilities as initial access vectors. The findings indicate that the attackers possess a deep understanding of electrical grid infrastructure, allowing them to disable communications equipment, including some OT devices.


    That said, the full scope of the malicious actions undertaken by ELECTRUM is unknown, with Dragos noting that it’s unclear if the threat actor attempted to issue operational commands to this equipment or focused solely on disabling communications.

    The Poland attack is also assessed to be more opportunistic and rushed than a precisely planned operation, allowing the hackers to take advantage of the unauthorized access to inflict as much damage as possible by wiping Windows-based devices to impede recovery, resetting configurations, or attempting to permanently brick equipment. The majority of the equipment is targeted at grid safety and stability monitoring, per Dragos.

    “This incident demonstrates that adversaries with OT-specific capabilities are actively targeting systems that monitor and control distributed generation,” it added. “The disabling of certain OT or industrial control system (ICS) equipment beyond repair at the site moved what could have been seen as a pre-positioning attempt by the adversary into an attack.”


    Source: thehackernews.com…