Daily Security Brief - January 18, 2026
🔄 Updates on Previous Stories
China’s Cybersecurity Software Ban Takes Effect
Original Coverage: January 15, 2026
Beijing’s directive ordering Chinese companies to stop using US and Israeli cybersecurity products continues to make waves as affected vendors respond. The ban encompasses major names including VMware (Broadcom), Palo Alto Networks, Fortinet, Check Point, CrowdStrike, Mandiant, SentinelOne, and Rapid7. While several affected vendors claim minimal China presence, the directive marks a significant escalation in technology decoupling. This aligns with China’s broader “digital sovereignty” strategy amid intensifying US-China tech competition. Chinese authorities have not publicly commented on the measure.
UAT-8837 Campaign Expands with Sitecore Zero-Day
Original Coverage: January 15, 2026 (UAT-8837 critical infrastructure targeting)
New intelligence from Cisco Talos reveals China-linked APT group UAT-8837 is now leveraging a zero-day vulnerability in Sitecore content management software as part of their ongoing campaign against North American critical infrastructure. The threat actor combines Sitecore exploitation with compromised Active Directory environments for persistent access, demonstrating continued evolution of their tactics.
🚨 Critical Threats & Incidents
CISA Mandates Emergency Patching of Gogs Zero-Day Under Active Exploitation
Impact: High | Sector: Software Development, DevOps | Status: Active Exploitation
CISA has issued an emergency directive ordering federal agencies to patch a high-severity vulnerability (CVE-2025-8110, CVSS 8.7) in the Gogs self-hosted Git service after confirming active zero-day exploitation. The remote code execution flaw poses significant risks to development and CI/CD environments across government and enterprise networks.
The vulnerability was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on January 12, 2026, giving Federal Civilian Executive Branch (FCEB) agencies until February 3, 2026 to implement patches. However, security experts are urging immediate remediation given the active exploitation status.
Gogs is a popular open-source, self-hosted Git service used by organizations seeking lightweight alternatives to GitHub Enterprise or GitLab. The widespread deployment of Gogs in development pipelines makes this vulnerability particularly concerning, as successful exploitation could enable supply chain compromises through code repository manipulation.
Key Facts:
- CVE-2025-8110 with CVSS score of 8.7 (High)
- Active zero-day exploitation confirmed before patch availability
- Affects self-hosted Git service deployments
- Federal deadline: February 3, 2026
Immediate Actions:
- Inventory all Gogs instances in your environment
- Apply patches immediately regardless of FCEB status
- Monitor development environments for indicators of compromise
- Review Git repository integrity for unauthorized changes
References: BleepingComputer, Infosecurity Magazine, Security Affairs
Keylogger Campaign Compromises Employee Store of Major US Bank
Impact: High | Sector: Financial Services | Status: Active
Sansec researchers have discovered an active keylogger malware infection on the employee merchandise store of a top-3 US bank, potentially exposing credentials and payment information for over 200,000 employees. The malware silently harvests all form data including passwords and credit card details entered on the compromised platform.
The discovery highlights the persistent threat of Magecart-style attacks against third-party platforms connected to major organizations. While the employee store is a separate platform from core banking systems, the harvested credentials could enable credential stuffing attacks against internal systems if employees reuse passwords.
This attack underscores how threat actors are increasingly targeting employee-facing platforms as indirect entry points into high-value enterprises. The banking sector’s interconnected ecosystem of vendors, partners, and internal services creates multiple attack surfaces beyond traditional perimeter defenses.
Key Facts:
- Active keylogger on employee merchandise portal
- 200,000+ bank employees potentially exposed
- Credential and payment card data at risk
- Classic supply chain attack vector
References: Sansec Research
Ransomware Attack Cripples South Korea’s Kyowon Group
Impact: High | Sector: Education, Financial Services | Status: Investigating
South Korean conglomerate Kyowon Group has confirmed a ransomware attack that disrupted operations across its education technology and financial services businesses. The incident, first detected on January 10, 2026, led to significant service outages affecting approximately 600 subsidiary operations and potentially millions of customers.
Kyowon Group is one of South Korea’s largest education companies, operating learning centers, publishing educational materials, and providing financial services. The attack forced the company to shut down portions of its internal network while investigators work to contain the spread and assess data exfiltration.
The company has not confirmed which ransomware group is responsible, but the attack pattern—including data theft claims—follows typical double-extortion tactics. This marks another significant ransomware incident targeting Asian conglomerates with complex supply chains and limited downtime tolerance.
Key Facts:
- Detected January 10, 2026 at approximately 10 a.m. local time
- ~600 subsidiaries and operations affected
- Education and financial services sectors impacted
- Data exfiltration suspected (double-extortion likely)
References: Security Affairs, BleepingComputer, The Record
Canadian Investment Regulator CIRO Confirms Breach Affecting 750,000 Investors
Impact: High | Sector: Financial Services, Regulatory | Status: Notification in Progress
The Canadian Investment Regulatory Organization (CIRO), Canada’s national investment oversight body, has disclosed that approximately 750,000 Canadian investors had personal information compromised in a cybersecurity incident discovered last summer. Notification letters began being sent to affected individuals on January 14, 2026.
CIRO oversees investment dealers and mutual fund dealers across Canada, meaning the breach potentially exposed sensitive financial information of retail investors. The regulator has not disclosed the attack method or responsible threat actors, but the scale of impact raises serious concerns about regulatory body security postures.
This incident joins a growing list of attacks against financial regulators and oversight bodies, demonstrating that threat actors view these organizations as high-value targets due to the sensitive data they maintain on market participants and investors.
Key Facts:
- ~750,000 Canadian investors affected
- Incident occurred summer 2025, disclosed January 2026
- National investment regulatory body compromised
- Notification letters via email and Canada Post
References: The Record, The Globe and Mail, CTV News
Monroe University Breach Exposes 320,000 Students and Staff
Impact: High | Sector: Higher Education | Status: Investigating
Monroe University has disclosed that a December 2024 cyberattack compromised personal, financial, and health information of over 320,000 individuals including students, staff, and alumni. The New York-based institution revealed that attackers maintained unauthorized access to computer systems for approximately two weeks before detection.
The exposed data reportedly includes Social Security numbers, financial account information, and medical records—a particularly damaging combination that creates significant identity theft and fraud risks for victims. The university is providing credit monitoring services to affected individuals.
Higher education institutions continue to be prime targets for cybercriminals because they combine valuable research data, extensive personally identifiable information, and security programs that are often under-resourced compared to those of similarly sized enterprises.
Key Facts:
- 320,000+ individuals affected
- Two-week unauthorized access period
- SSNs, financial data, and medical records exposed
- Credit monitoring being provided
References: BleepingComputer, SC World, Cybernews
🔓 Vulnerabilities & Patches
deVixor Android Banking Trojan Adds Ransomware Capabilities
Type: Mobile Malware | Platform: Android | Targets: Banking, Cryptocurrency | Status: Active Campaign
Security researchers at Cyble have documented deVixor, an evolving Android banking malware that has matured into a full-featured remote access trojan (RAT) with newly added ransomware capabilities. The malware primarily targets Iranian users through phishing websites masquerading as legitimate banking and government applications.
deVixor’s capabilities include bank fraud through JavaScript injection into legitimate banking pages, credential theft, keylogging, screen capture, and device locking to extort cryptocurrency ransom payments. The malware uses Firebase and Telegram for command-and-control communications, which makes detection through traffic analysis more challenging because its C2 traffic is directed at widely used legitimate services.
The addition of ransomware functionality to a banking trojan represents a concerning trend of malware convergence, where threat actors maximize monetization potential by combining multiple attack capabilities in a single tool. This approach allows attackers to pivot strategies based on victim value—extracting banking credentials from some targets while encrypting devices of others.
Technical Details:
- JavaScript injection for real-time credential theft
- Screen capture and keylogging capabilities
- Device lock/ransomware feature for crypto extortion
- Firebase and Telegram C2 infrastructure
- Targets Iranian banking and government services
Mitigation:
- Only install apps from official Google Play Store
- Verify app permissions before installation
- Use mobile threat detection solutions
- Monitor for unusual app behavior and data usage
References: Cyble Research, SC World
🔬 Security Research & Innovation
DragonForce Ransomware Exploits SimpleHelp Vulnerabilities to Compromise MSPs
Type: Ransomware Campaign Analysis | Source: Sophos MDR
Sophos Managed Detection and Response has published detailed analysis of DragonForce ransomware actors exploiting vulnerabilities in SimpleHelp remote monitoring and management (RMM) software to compromise managed service providers (MSPs) and propagate attacks across customer networks.
The attack chain demonstrates sophisticated understanding of MSP environments: by compromising the RMM tool that MSPs use to manage client systems, attackers gain efficient access to potentially hundreds of downstream organizations through a single initial breach. This represents an evolution of the “one-to-many” supply chain attack model.
SimpleHelp is widely deployed among small and mid-sized MSPs, making this vulnerability particularly impactful for organizations that rely on managed services for IT and security operations. The research highlights the need for MSPs to prioritize patching of their management tools and implement zero-trust architectures that limit lateral movement even when administrative tools are compromised.
Why This Matters:
- MSP compromise enables mass downstream attacks
- RMM tools represent high-value targets for ransomware operators
- Small MSPs may lack resources for rapid patch deployment
- Customers inherit security posture of their MSP
Recommendations:
- MSPs should immediately patch SimpleHelp instances
- Implement network segmentation for management tools
- Deploy EDR across managed endpoints
- Review MSP access controls and privileged access management
References: Sophos Blog
⚖️ Policy, Compliance & Regulations
Dutch Court Sentences Port Hacker to Seven Years for Drug Trafficking Scheme
Jurisdiction: Netherlands | Sentence: 7 Years | Impact: Maritime/Logistics
A Dutch appeals court has sentenced a 44-year-old man to seven years in prison for hacking port systems in Rotterdam, Barendrecht, and Antwerp to facilitate cocaine smuggling operations. The case represents one of the most significant prosecutions linking cybercrime directly to physical criminal enterprise.
The hacker gained unauthorized access to container tracking and logistics systems, allowing criminal organizations to identify and intercept containers carrying drug shipments before customs inspection. The scheme demonstrated how cyberattacks against critical infrastructure can directly enable traditional organized crime operations.
This prosecution sends a strong message about the serious legal consequences awaiting hackers who enable physical criminal enterprises. The seven-year sentence—substantial for cybercrime—reflects the court’s recognition of the broader criminal impact enabled by the technical breach.
Key Points:
- Cyberattack directly enabled drug trafficking operations
- Port of Rotterdam and Antwerp systems compromised
- Container tracking manipulation to avoid customs
- Significant sentence for cyber-enabled crime
References: The Record, Security Affairs
U.S. Reviews Cyber Command-NSA Dual-Hat Leadership Structure
Jurisdiction: United States | Topic: Military/Intelligence Organization | Status: Under Review
Defense officials are reassessing the longstanding practice of a single leader overseeing both U.S. Cyber Command and the National Security Agency, citing concerns over mission scale, operational focus, and increasing geopolitical cyber pressures. The “dual-hat” arrangement has been in place since Cyber Command’s establishment.
Proponents of splitting the roles argue that both organizations have grown too large and complex for effective unified leadership, and that offensive cyber operations require different command priorities than signals intelligence collection. Critics counter that the arrangement enables efficient coordination between offense and defense.
The review comes amid broader discussions about potentially establishing a dedicated Cyber Force as a separate military branch, reflecting the growing strategic importance of cyberspace as a domain of military operations.
References: DefenseScoop
DHS Restructures Critical Infrastructure Cybersecurity Liability Framework
Jurisdiction: United States | Impact: Critical Infrastructure Operators | Status: Announced
The Department of Homeland Security has announced plans to restructure its approach to cybersecurity liability protections for critical infrastructure operators, replacing the existing CIPAC (Critical Infrastructure Partnership Advisory Council) framework. The new model aims to improve collaboration and legal clarity for private-sector partners sharing threat information with government.
The restructuring addresses longstanding industry concerns about liability exposure when participating in information sharing programs. Clear liability protections are considered essential for encouraging private sector organizations to share incident details and threat intelligence with government agencies.
References: CyberScoop
France’s CNIL Issues New GDPR Fine for Cybersecurity Failures
Jurisdiction: European Union/France | Type: Enforcement | Impact: Data Controllers
France’s data protection authority (CNIL) has announced a new fine tied to cybersecurity failures, reinforcing strict GDPR enforcement and signaling continued regulatory scrutiny over data protection controls. The fine demonstrates regulators’ ongoing focus on security measures as a core component of data protection compliance.
Organizations processing EU personal data should note that CNIL and other European DPAs increasingly view inadequate security controls as violations of GDPR’s Article 32 (security of processing) requirements, independent of whether an actual breach occurs.
References: The Record
🎯 Threat Intelligence
Europol Warns Qilin Ransomware “Reward” Offer is Fraudulent
Type: Threat Actor Deception | Actor: Unknown | Status: Active Scam
Europol has issued a public warning that a circulating offer promising financial rewards for intelligence on the Qilin ransomware group is fraudulent. Authorities believe the scheme is designed to harvest sensitive information from security researchers and potential victims, or to exploit individuals seeking to provide information.
The fake reward campaign demonstrates how ransomware ecosystems increasingly leverage deception against defenders and researchers—not just victims. This “meta-scam” approach creates additional risk for those investigating ransomware operations or attempting to assist law enforcement.
Security researchers and organizations should verify any apparent law enforcement communications through official channels before engaging, and exercise extreme caution with unsolicited requests for information about threat actor activities.
TTPs Observed:
- Impersonation of law enforcement reward programs
- Targeting of security researchers and potential informants
- Information harvesting through social engineering
- Exploitation of anti-ransomware sentiment
References: SecurityWeek
Cyber Agencies Warn of Escalating Threats to Industrial Control Systems
Source: US/Allied Cyber Agencies | Targets: Energy, Water, Manufacturing | Status: Ongoing
U.S. and allied cyber agencies have issued a joint warning about escalating threats to industrial control systems (ICS), citing increased reconnaissance and intrusion activity targeting energy, water, and manufacturing sectors. Officials assess that adversaries may be positioning for future disruption rather than immediate attacks.
CISA released fifteen ICS advisories on January 15, 2026 alone, covering vulnerabilities in products from Siemens, Rockwell Automation, and other major industrial vendors. The advisory volume reflects both vendor disclosure improvements and the expanding attack surface of connected operational technology.
The warning aligns with broader intelligence indicating that state-sponsored actors, particularly from China and Russia, are conducting systematic reconnaissance of critical infrastructure to develop options for potential future conflicts.
Sectors at Risk:
- Energy generation and distribution
- Water and wastewater treatment
- Manufacturing and process control
- Transportation and logistics
References: The Record, Industrial Cyber
Malicious Chrome Extension Drains Cryptocurrency via API Key Theft
Type: Supply Chain Attack | Platform: Chrome Browser | Targets: Cryptocurrency Users
Security researchers have uncovered a Chrome browser extension that silently exfiltrates API keys used by cryptocurrency platforms, allowing attackers to drain wallets without triggering standard security alerts. The campaign highlights ongoing risks from browser extension supply chains.
By targeting API keys rather than wallet credentials directly, attackers can programmatically access exchange accounts and execute transactions without requiring secondary authentication challenges. This approach is more subtle than traditional credential theft and harder for users to detect.
Indicators:
- Unexpected cryptocurrency transactions
- API key usage from unknown locations
- Extensions requesting excessive permissions
Mitigation:
- Audit installed browser extensions regularly
- Use hardware wallets for significant holdings
- Implement API key restrictions where possible
- Enable exchange withdrawal address whitelisting
References: Security Online
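To make the "audit installed browser extensions" item above actionable, here is an added example (not code from the brief or from the cited research) that scans Chrome extension manifests for the permission profile an API-key-stealing extension needs: broad host access combined with injected scripts or web-request hooks. The permission names are real Chrome manifest keys; the risk scoring, thresholds, and the two sample manifests are constructed assumptions.

```python
"""Triage Chrome extension manifests for permission combinations that would let an
extension read API keys typed into exchange pages and send them elsewhere.
Permission names are real Chrome manifest keys; the scoring is an assumed heuristic."""
import json
from pathlib import Path

# Permissions that let an extension observe or alter page content, cookies or traffic.
HIGH_RISK_PERMISSIONS = {
    "webRequest", "webRequestBlocking", "cookies", "scripting",
    "clipboardRead", "debugger", "declarativeNetRequest",
}
# Host patterns that grant access to every site rather than a named origin.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def host_patterns(manifest):
    """Collect every host match pattern: MV2 puts them in permissions,
    MV3 in host_permissions, and content scripts declare their own matches."""
    patterns = set()
    for key in ("permissions", "host_permissions", "optional_host_permissions"):
        for item in manifest.get(key, []):
            if item == "<all_urls>" or "://" in item:
                patterns.add(item)
    for script in manifest.get("content_scripts", []):
        patterns.update(script.get("matches", []))
    return patterns

def assess(manifest):
    """Score one manifest. Returns name, score, level and a list of findings."""
    perms = set(manifest.get("permissions", []))
    hosts = host_patterns(manifest)
    score, findings = 0, []
    risky = sorted(perms & HIGH_RISK_PERMISSIONS)
    if risky:
        score += 3 * len(risky)
        findings.append(f"sensitive permissions: {', '.join(risky)}")
    broad = sorted(hosts & BROAD_HOST_PATTERNS)
    if broad:
        score += 4
        findings.append(f"broad host access: {', '.join(broad)}")
    # Code injected into every page plus a way to read or send data is the
    # shape a form-scraping, key-stealing extension needs.
    injects = bool(manifest.get("content_scripts")) or "scripting" in perms
    if broad and injects:
        score += 5
        findings.append("can run code in every page: form fields and API keys readable")
    level = "high" if score >= 8 else "medium" if score >= 3 else "low"
    return {"name": manifest.get("name", "?"), "score": score,
            "level": level, "findings": findings}

def scan_manifests(root):
    """Assess every manifest.json under root (e.g. a Chrome profile's Extensions dir)."""
    results = []
    for path in Path(root).rglob("manifest.json"):
        with open(path, encoding="utf-8") as fh:
            result = assess(json.load(fh))
        result["path"] = str(path)
        results.append(result)
    return sorted(results, key=lambda r: r["score"], reverse=True)

# Constructed sample manifests, not taken from any real extension.
BENIGN = {"name": "Tab Notes", "manifest_version": 3, "permissions": ["storage"]}
SUSPECT = {
    "name": "Crypto Price Ticker", "manifest_version": 3,
    "permissions": ["storage", "webRequest", "cookies", "scripting"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}],
}

if __name__ == "__main__":
    for m in (BENIGN, SUSPECT):
        r = assess(m)
        print(f"{r['level'].upper():6} {r['score']:>2}  {r['name']}")
        for f in r["findings"]:
            print("        -", f)
```

Point `scan_manifests()` at a browser profile's extensions directory to rank every installed extension; anything rated high that has no business reading exchange pages is a candidate for removal and API key rotation.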
Black Axe Cybercrime Network Disrupted in Major International Operation
Operation: Europol-Led | Arrests: 34 | Location: Spain, Germany
Spanish police have arrested 34 individuals suspected of operating within the Black Axe cybercrime organization as part of a coordinated international operation with Europol and German authorities. Black Axe is a notorious Nigerian-origin organized crime network involved in cyber fraud, romance scams, business email compromise, and money laundering.
The operation targeted the network’s European operations, disrupting infrastructure used for laundering proceeds from various online fraud schemes. Black Axe has been identified by law enforcement agencies globally as a significant threat due to its scale, sophistication, and diversified criminal portfolio.
Operation Details:
- 34 arrests across Spain and Germany
- Europol coordination with national authorities
- Targeting fraud and money laundering operations
- Part of broader Black Axe disruption efforts
References: CyberScoop, SC World
📚 Best Practices & Guidance
Australia Releases AI Cybersecurity Guidance for Small Businesses
Source: Australian Cyber Security Centre (ACSC) | Topic: AI Adoption Security | Audience: SMBs
The Australian government has released comprehensive guidance to help small businesses adopt artificial intelligence technologies securely. The publication addresses data protection, governance frameworks, and cyber risk management considerations specific to AI implementation in resource-constrained environments.
The guidance acknowledges that small businesses face unique challenges when adopting AI: limited security expertise, budget constraints, and reliance on third-party AI services. It provides practical frameworks for evaluating AI vendor security, protecting training data, and managing AI-specific risks like prompt injection and data poisoning.
Key Recommendations:
- Evaluate AI vendor security practices before adoption
- Implement data classification for AI training data
- Establish governance for AI decision-making
- Monitor AI systems for unexpected behaviors
- Maintain human oversight of AI-driven processes
References: Australian Cyber Security Centre
👥 Community & Culture
UK Event: Generative AI & Cybersecurity - Risks and Opportunities
Type: Conference | When: 2026 (Date TBD) | Location: United Kingdom
The Cybersecurity Club is hosting a UK edition event focused on generative AI’s dual role in cybersecurity. The event will explore how AI can modernize Security Operations Centers through intelligent automation and predictive threat detection, while also examining the new class of AI-driven threats including sophisticated phishing, adaptive malware, and LLM-engineered exploits.
Topics will include SOC transformation, AI-powered threat detection, and defensive strategies against AI-generated attacks. The event targets UK organizations navigating the complex landscape of AI adoption in security operations.
Registration: Contact team@thecybersecurity.club
💡 Security Professional Action Items
Based on today’s coverage, here are prioritized actions across all segments:
- IMMEDIATE: Patch all Gogs instances (CVE-2025-8110) - active exploitation confirmed
- IMMEDIATE: Audit SimpleHelp RMM deployments for DragonForce indicators (MSPs)
- HIGH: Review Android mobile security policies given deVixor banking trojan capabilities
- HIGH: Verify employee awareness of browser extension risks for crypto users
- MEDIUM: Assess third-party vendor security for employee-facing platforms (keylogger risk)
- MEDIUM: Review ICS/OT network segmentation and monitoring capabilities
- PLANNING: Evaluate AI adoption security using Australian ACSC guidance framework
- PLANNING: Monitor CIRO breach notifications if serving Canadian investors
- AWARENESS: Brief teams on fake Qilin reward scam targeting researchers
- POLICY: Track DHS CIPAC restructuring for information sharing implications
📈 Threat Landscape Analysis
Today’s briefing reveals several concerning patterns across the cybersecurity landscape:
Supply Chain Risks Intensify: Multiple stories highlight third-party risk—from SimpleHelp RMM tools enabling MSP compromise, to browser extensions stealing API keys, to employee merchandise stores serving as credential harvesting platforms. Organizations must extend their security perimeter thinking to encompass all connected services, not just core systems.
Regulatory Bodies as Targets: The CIRO breach affecting 750,000 Canadian investors demonstrates that financial regulators themselves hold valuable data that attracts sophisticated attackers. Organizations should not assume regulatory oversight bodies have superior security postures.
Geopolitical Cyber Fragmentation: China’s ban on Western cybersecurity software, combined with ongoing APT campaigns against critical infrastructure, signals deepening cyber fragmentation along geopolitical lines. Global organizations must prepare for increasingly divergent regulatory environments and potential technology restrictions.
Development Infrastructure Under Fire: The Gogs zero-day exploitation and ICS warnings highlight that threat actors are systematically targeting the tools and systems that organizations use to build and operate their technology—not just the end products. CI/CD pipelines and operational technology deserve dedicated security attention.
Ransomware Evolution Continues: DragonForce’s MSP targeting and deVixor’s addition of ransomware to banking trojan capabilities show ransomware operators continuing to innovate on both delivery methods and monetization strategies.
Comprehensive balanced analysis from: The Cybersecurity Club, BleepingComputer, The Record, Security Affairs, Sophos, Sansec, Cyble, CyberScoop, SecurityWeek, Industrial Cyber, CISA, Australian Cyber Security Centre
Issue #318 | January 18, 2026 | Coverage: 15 stories across 8 security segments | 12 new stories | 3 updates