no.security

Comprehensive cybersecurity intelligence covering threats, vulnerabilities, research, policy, and industry developments

11 min read · 11 stories

Daily Security Brief - January 17, 2026

Your comprehensive cybersecurity intelligence briefing covering threats, vulnerabilities, research, policy, and industry developments.


🔄 Updates on Previous Stories

Iran Internet Shutdown Passes 200 Hours — The Iranian internet blackout that began January 8th has now exceeded 200 hours, making it one of the longest nationwide shutdowns on record. The death toll from the ongoing protests has topped 3,000 according to human rights organizations. Reports indicate Iran is moving toward permanently blocking international internet access. Starlink terminals smuggled into the country, with service that SpaceX now provides free of charge, face aggressive jamming as the regime attempts to suppress the flow of information. The UK has closed its Tehran embassy and a US Navy carrier strike group is repositioning in the region. [First covered: Jan 12 | Significant developments]

RondoDox Botnet Weaponizes HPE OneView Vulnerability at Scale — Check Point Research recorded over 40,000 exploitation attempts between 05:45 and 09:20 UTC on January 7th targeting CVE-2025-37164 in HPE OneView. The attacks are attributed to the RondoDox botnet, which targets IoT devices and web servers for DDoS and cryptomining. Government organizations were hit hardest, followed by financial services and industrial manufacturing. CISA has added the vulnerability to the KEV catalog. [First covered: Jan 16 | Now mass exploitation]

FortiSIEM CVE-2025-64155 Under Active Exploitation — The critical command injection vulnerability in Fortinet FortiSIEM disclosed this week is now being actively exploited following public PoC release. Multiple threat actors are targeting unpatched systems. Organizations running FortiSIEM should patch immediately. [First covered: Jan 15 | Now actively exploited]


🚨 Critical Threats & Incidents

Cisco AsyncOS Zero-Day Finally Patched After 7 Weeks of Chinese APT Exploitation

CVE: CVE-2025-20393 | Status: Patch Available | Severity: Critical | Exploitation: In the Wild

Cisco has finally released security updates for its Email Security Gateway and Secure Email and Web Manager devices, addressing a critical zero-day vulnerability that has been actively exploited by suspected Chinese threat actors since at least late November 2025.

The vulnerability stems from insufficient validation of HTTP requests in the Spam Quarantine feature. Successful exploitation allows unauthenticated attackers to execute arbitrary commands with root privileges on affected appliances. Cisco Talos researchers documented attackers installing a sophisticated toolkit on compromised devices:

  • AquaShell: Custom Python backdoor
  • AquaPurge: Log-purging tool to cover tracks
  • AquaTunnel: Reverse SSH backdoor
  • Chisel: Open-source tunneling tool for proxying traffic

Key Facts:

  • Exploitation ran for roughly 7 weeks before a patch shipped
  • Only appliances with the Spam Quarantine feature enabled and reachable from the internet are exposed
  • Cisco has not disclosed the number of compromised systems
  • CISA added to KEV catalog in December

Mitigation Steps:

  • Email Security Gateway: Upgrade to AsyncOS v15.0.5-016, 15.5.4-012, or 16.0.4-016 or later
  • Secure Email and Web Manager: Upgrade to AsyncOS v15.0.2-007, 15.5.4-007, or 16.0.4-010 or later
  • Note: Devices automatically reboot after upgrade, which clears the persistence mechanisms Talos observed. Treat any appliance that was exposed during the exploitation window as potentially compromised: review its logs for the Talos indicators and rotate credentials stored on or relayed through it rather than relying on the upgrade alone
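As an added check, written for this brief and not Cisco tooling or anything from the Talos write-up: a short Python script that parses AsyncOS version strings and compares each inventoried appliance against the fixed builds listed above. The inventory lines, hostnames and the exposure flag are constructed for the example; the fixed-version table copies the versions from the mitigation steps. Trains not covered by those versions are reported as needing review rather than assumed safe.

```python
"""Check inventoried Cisco AsyncOS appliances against the fixed builds for
CVE-2025-20393 listed in the mitigation steps above.

Added example for this brief, not Cisco tooling. The inventory, hostnames and
the Spam Quarantine exposure flag are constructed; the fixed-version table is
copied from the brief.
"""
import re

# Minimum fixed AsyncOS build per (product, release train), from the brief.
# ESA = Email Security Gateway, SMA = Secure Email and Web Manager.
FIXED_VERSIONS = {
    ("ESA", "15.0"): "15.0.5-016",
    ("ESA", "15.5"): "15.5.4-012",
    ("ESA", "16.0"): "16.0.4-016",
    ("SMA", "15.0"): "15.0.2-007",
    ("SMA", "15.5"): "15.5.4-007",
    ("SMA", "16.0"): "16.0.4-010",
}

# Constructed inventory: host,product,version,spam_quarantine_internet_reachable
INVENTORY = """\
esa-01.example.internal,ESA,15.0.4-003,yes
esa-02.example.internal,ESA,16.0.4-016,yes
sma-01.example.internal,SMA,15.5.4-007,no
sma-02.example.internal,SMA,15.5.3-010,yes
esa-03.example.internal,ESA,14.3.0-032,no
"""

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")

# Lower number = patch sooner. Unknown trains are not assumed safe.
PRIORITY = {"vulnerable-exposed": 0, "vulnerable": 1, "unknown-train": 2, "fixed": 3}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '15.0.5-016' into (15, 0, 5, 16) so tuples compare numerically."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised AsyncOS version: {version!r}")
    return tuple(int(part) for part in m.groups())


def assess(product: str, version: str, quarantine_exposed: bool) -> str:
    """Classify one appliance as fixed, vulnerable(-exposed) or unknown-train."""
    parsed = parse_version(version)
    train = f"{parsed[0]}.{parsed[1]}"
    fixed = FIXED_VERSIONS.get((product, train))
    if fixed is None:
        # Train not covered by the listed fixed builds (e.g. an older release):
        # needs a look at the vendor advisory, never a pass.
        return "unknown-train"
    if parsed >= parse_version(fixed):
        return "fixed"
    return "vulnerable-exposed" if quarantine_exposed else "vulnerable"


def triage(inventory_csv: str) -> dict[str, str]:
    """Map every inventoried host to its assessment."""
    results = {}
    for line in inventory_csv.splitlines():
        if not line.strip():
            continue
        host, product, version, exposed = (f.strip() for f in line.split(","))
        results[host] = assess(product, version, exposed.lower() == "yes")
    return results


def patch_order(inventory_csv: str) -> list[str]:
    """Hosts still needing action, most urgent first."""
    status = triage(inventory_csv)
    ranked = sorted(status.items(), key=lambda kv: (PRIORITY[kv[1]], kv[0]))
    return [host for host, s in ranked if s != "fixed"]


if __name__ == "__main__":
    for host, s in triage(INVENTORY).items():
        print(f"{host:26} {s}")
    print("patch order:", ", ".join(patch_order(INVENTORY)))
```

The ordering puts internet-reachable Spam Quarantine hosts first because those are the ones the campaign could actually reach; an appliance on an older, unlisted train is surfaced rather than silently skipped, since "not in the table" is not the same as "fixed".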

References: Cisco Talos Blog, HelpNetSecurity


Eurail/Interrail Data Breach Exposes Passport Data of European Travelers

Impact: High | Sector: Transportation/Travel | Status: Under Investigation

Eurail B.V., which operates on behalf of a consortium of European railway companies, has disclosed a data breach affecting an unknown number of customers who purchased Eurail or Interrail train passes.

The attackers gained access to highly sensitive personal data including:

  • Full name, date of birth, gender
  • Email address, home address, phone number
  • Passport or ID number, country of issue, and expiration date

DiscoverEU participants under the EU’s Erasmus+ program face additional exposure: attackers may have accessed bank account numbers (IBAN), photocopies of passports/IDs, and health-related data.

Why This Matters: This breach represents a significant identity theft risk for European travelers. The combination of passport numbers, personal details, and travel patterns creates a high-value dataset for fraud and identity theft operations.

Key Actions:

  • Affected customers should monitor for phishing attempts impersonating Eurail
  • Rotate the password on the Eurail account and on any other account that reuses the same email and password combination
  • Monitor bank accounts for suspicious activity
  • Consider credit monitoring services if passport data was exposed

References: HelpNetSecurity, European Commission DiscoverEU Notice


🔓 Vulnerabilities & Patches

CVE-2026-0501: SAP S/4HANA SQL Injection - CVSS 9.9

CVE: CVE-2026-0501 | CVSS: 9.9 | Products: SAP S/4HANA | Status: Patched

SAP’s January 2026 Security Patch Day addresses 17 security notes including four critical vulnerabilities. The most severe is CVE-2026-0501, a SQL injection flaw in SAP S/4HANA that allows a low-privileged authenticated user to fully compromise the database.

Additional Critical and High-Severity Vulnerabilities Patched:

  • CVE-2026-0500 (CVSS 9.6): Remote code execution in SAP Wily Introscope Enterprise Manager
  • CVE-2026-0498 (CVSS 9.1): Code injection in SAP S/4HANA
  • CVE-2026-0491 (CVSS 9.1): Code injection in SAP Landscape Transformation
  • CVE-2026-0492 (CVSS 8.8): Privilege escalation in SAP HANA 2.0
  • CVE-2026-0507 (CVSS 8.4): OS command injection via ABAP and RFCSDK servers

Immediate Action Required: Organizations running SAP environments should prioritize this patch cycle given the database compromise potential.

References: SAP Security Patch Day, TelefonicaTech


CVE-2025-69258: Trend Micro Apex Central Critical RCE - CVSS 9.8

CVE: CVE-2025-69258 | CVSS: 9.8 (vendor rating) | Products: Apex Central (Windows) | Status: Patched

Trend Micro has patched three severe vulnerabilities affecting Apex Central on Windows systems. The most critical, CVE-2025-69258, allows unauthenticated remote code execution with SYSTEM privileges.

Technical Details: An attacker can send a specially crafted message to the MsgReceiver.exe process on TCP port 20001, forcing the load of a malicious DLL that runs with SYSTEM privileges, completely compromising the security management server.

Additional Vulnerabilities:

  • CVE-2025-69259 (CVSS 7.5): Denial of service
  • CVE-2025-69260 (CVSS 7.5): Denial of service

Mitigation: Patch immediately and restrict network access to the Apex Central server, in particular TCP port 20001 (MsgReceiver.exe) and the management interface, to trusted management hosts only.

References: Trend Micro Advisory KA-0022071


🎯 Threat Intelligence

RustyWater: MuddyWater APT Evolves Arsenal with Rust-Based Implant

Actor: MuddyWater (Iran/MOIS) | Targets: Israel, Middle East | Campaign: Active

CloudSEK has identified a significant evolution in the Iranian APT group MuddyWater’s capabilities. The threat actor, associated with Iran’s Ministry of Intelligence and Security (MOIS), has developed RustyWater—a new remote access implant written in Rust.

Campaign Details:

  • Delivered via spearphishing with Word documents featuring forged icons
  • Targets: Diplomatic, maritime, financial, and telecommunications sectors in the Middle East
  • Primary focus: Israeli organizations

RustyWater Capabilities:

  • Asynchronous C2 communications
  • Anti-analysis techniques
  • Registry-based persistence
  • Modular architecture for post-compromise extensions
  • Network reconnaissance
  • System metadata exfiltration
  • Remote shell command execution

Why Rust?: The choice of Rust is a tactical evolution. Rust binaries are large, statically linked and use code patterns unfamiliar to many analysts, which slows reverse engineering and sidesteps detection signatures written for more familiar C/C++ and .NET malware. This mirrors a broader trend of APT groups modernizing their tooling.

References: CloudSEK Blog, CSOOnline


🔬 Security Research & Innovation

OPCOPRO: AI-Powered Financial Fraud Creates Fake Social Environments

Type: Fraud Research | Source: Check Point | Category: AI Threats

Check Point researchers have identified OPCOPRO, a sophisticated financial fraud operation that weaponizes artificial intelligence to create convincing fake investment environments.

Technical Innovation:

  • Language models generate fake profiles and automate interactions
  • WhatsApp groups populated by bots posing as multiple participants
  • Bots “confirm” fake earnings to build social proof
  • Malicious mobile apps simulate legitimate trading platforms
  • Apps display false positive balances to incentivize deposits

Attack Chain:

  1. Initial contact via SMS or ads that appear to come from financial institutions
  2. Victims download apps from official stores (Android/iOS)
  3. Apps require KYC processes with identity documents (data theft)
  4. False profit displays encourage additional deposits
  5. Infrastructure uses ephemeral hosting and crypto payments to avoid tracing

Why This Matters: This represents a new frontier in social engineering—AI doesn’t just generate phishing emails, it creates entire fake social realities. The use of official app stores and legitimate-looking KYC flows makes these scams particularly difficult to detect.

References: Check Point Mobile Security Blog


⚖️ Policy, Compliance & Regulations

Iran Moves Toward Permanent International Internet Blockade

Jurisdiction: Iran | Impact: 92 Million Citizens | Status: Escalating

Beyond the immediate humanitarian crisis, Iran’s internet shutdown has broader policy implications for the global internet governance community. Reports indicate the Iranian government is considering permanent disconnection from international internet infrastructure.

Policy Implications:

  • Sets precedent for prolonged nation-state internet isolation
  • Tests limits of satellite-based circumvention (Starlink)
  • Raises questions about global internet resilience
  • May accelerate “splinternet” trends

Starlink as Policy Flashpoint: The use of smuggled Starlink terminals by protestors has created a new dimension in the conflict between satellite internet providers and authoritarian regimes. Iran is actively jamming Starlink signals, and SpaceX has made the service free for Iranian users—a decision with significant geopolitical implications.

References: Reuters, Forbes, Chosun, France24


💼 Industry & Business

Security Vendor Patch Activity Intensifies in Early 2026

Type: Market Trend | Significance: Defensive Posture

This week has seen an unusually high volume of critical vulnerability patches from major security vendors:

  • Cisco: AsyncOS zero-day patch after 7 weeks
  • SAP: 4 critical vulnerabilities addressed
  • Trend Micro: CVSS 9.8 RCE in Apex Central
  • Fortinet: Critical FortiSIEM flaw under active exploitation
  • HPE: OneView hotfix enhanced after mass botnet attacks

Market Analysis: The velocity of critical patches suggests security vendors are under increasing pressure to respond to sophisticated threat actors who are reducing time-to-exploit. Organizations should expect continued high-tempo patching requirements throughout Q1 2026.


📚 Best Practices & Guidance

Defending Against APT-Level Email Gateway Attacks

Based on the Cisco AsyncOS campaign, organizations should review their email security posture:

Immediate Actions:

  1. Audit exposed services: Ensure Spam Quarantine and similar features aren’t unnecessarily internet-facing
  2. Implement network segmentation: Email security appliances should be in isolated network segments
  3. Enable logging and monitoring: Ensure comprehensive logging is enabled and forwarded to SIEM
  4. Check for IoCs: Review Cisco Talos blog for AquaShell, AquaPurge, AquaTunnel, and Chisel indicators

Detection Opportunities:

  • Monitor for unusual outbound connections from email security appliances
  • Alert on new processes spawned by email gateway services
  • Review for SSH connections originating from DMZ devices
  • Check for Python processes on email security appliances

🛠️ Products & Services

State of API Security 2026 Webinar

Vendor: 42Crunch | Date: January 29, 2026 11am EST | Type: Educational

42Crunch is hosting a webinar unveiling their State of API Security 2026 Report, analyzing real-world API vulnerabilities documented over the past two years. Topics include the persistence of BOLA vulnerabilities and implications of AI agents for API security.


👥 Community & Culture

The OSINT Newsletter Episode 10: Building Credibility Without Certifications

Jake Creps’ latest OSINT Podcast episode tackles a relevant career topic: why OSINT certifications often lag behind reality and what practitioners can do instead to build credibility. Key insights include focusing on demonstrable results over credentials, investigating GitHub profiles properly (contribution graphs can be misleading), and using local AI tools for private analysis.


💡 Security Professional Action Items

  1. IMMEDIATE: Patch Cisco Email Security Gateway and Secure Email and Web Manager for CVE-2025-20393; highest priority where Spam Quarantine is internet-reachable
  2. IMMEDIATE: Update SAP systems for CVE-2026-0501 SQL injection
  3. HIGH: Patch Trend Micro Apex Central for CVSS 9.8 RCE
  4. HIGH: Verify FortiSIEM patches applied for CVE-2025-64155
  5. HIGH: Check HPE OneView patching status given RondoDox botnet activity
  6. MEDIUM: Review email gateway exposure and network segmentation
  7. MEDIUM: Update threat hunting playbooks with AquaShell/RustyWater IoCs
  8. AWARENESS: Brief executive leadership on Iran shutdown implications for global internet
  9. TRAINING: Educate finance teams on AI-powered OPCOPRO-style investment scams
  10. PLANNING: Assess satellite internet contingency options for business continuity

📈 Threat Landscape Analysis

Today’s intelligence reveals several converging themes:

State-Level Sophistication Increasing: Both the Chinese APT exploiting Cisco AsyncOS for 7 weeks and MuddyWater’s evolution to Rust-based tooling demonstrate that nation-state actors continue to invest heavily in capabilities. The choice of Rust by MuddyWater mirrors DPRK groups’ recent adoption—expect more compiled-language malware in 2026.

Patch-to-Exploit Windows Shrinking: The HPE OneView vulnerability saw automated botnet exploitation soon after disclosure. The RondoDox botnet’s 40,000 attempts in under 4 hours show that integration of new exploits into criminal infrastructure is now measured in days, not weeks.

Infrastructure as Target: Email security gateways, infrastructure management consoles, and SIEM platforms, the very tools organizations rely on for security, continue to be high-value targets. Attackers understand that compromising security infrastructure provides both access and cover.

AI Fraud Evolution: OPCOPRO represents a qualitative shift in social engineering—AI isn’t just automating existing fraud, it’s creating new attack patterns that exploit human psychology at scale.


Comprehensive balanced analysis from: Cisco Talos, HelpNetSecurity, Check Point Research, CloudSEK, TelefonicaTech, Trend Micro, SAP, Reuters, Forbes, France24, The OSINT Newsletter, Vulnerable U, APIsecurity.io

Issue #89 | January 17, 2026 | Coverage: 10 stories across 9 security segments | 6 new stories | 3 significant updates