
BagheeraAltered's CyberSecurity Newsletter

January 19, 2026

CyberSecurity Newsletter 19th January, 2026

In this week's news: Mandiant releases a rainbow table that cracks NTLMv1-protected admin passwords in 12 hours, the LOTUSLITE backdoor targets U.S. government entities, a bug in the StealC malware panel gives researchers insight into cybercrime operations, a Cisco Secure Email Gateway zero-day RCE, malicious Chrome extensions targeting HR platforms, a data breach at Canada's investment watchdog, a supply-chain vulnerability in AWS CodeBuild that recently put the entire AWS Console at risk, and the critical WhisperPair flaw that lets attackers track and eavesdrop via Bluetooth audio devices.


A vulnerability in AWS CodeBuild that could have handed attackers control over Amazon Web Services (AWS) infrastructure, including the AWS Console, was fixed before anyone exploited it. The discovery, made by Wiz Research, prevented what they called a historic near miss for the millions of businesses and people who rely on the cloud every day.
https://hackread.com/how-2-missing-chars-compromised-aws/

Cisco has confirmed the active exploitation of a critical zero-day remote code execution (RCE) vulnerability affecting its Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances. The flaw, tracked as CVE-2025-20393, allows unauthenticated attackers to execute arbitrary commands with root-level privileges, posing a severe risk to organizations worldwide.
https://hackalert0.blogspot.com/2026/01/cisco-0-day-rce-secure-email-gateway.html

Mandiant has released a rainbow table that allows any administrative password authenticated with Microsoft's deprecated NTLMv1 challenge-response protocol to be cracked, in an attempt to nudge users who continue using the protocol despite its known weaknesses.
https://arstechnica.com/security/2026/01/mandiant-releases-rainbow-table-that-cracks-weak-admin-password-in-12-hours/
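The mechanism behind that headline, as an added illustration that is not from the article or from Mandiant's release: NTLMv1 zero-pads the 16-byte NT hash to 21 bytes, splits it into three 7-byte DES keys, and encrypts the server's 8-byte challenge under each. The third key carries only two bytes of hash material plus five zero bytes, so it falls to a 65,536-trial brute force; once the challenge is fixed, a precomputed table does the same for the two 56-bit fragments, which is what recovers the full NT hash. The NT hash of "password" and the static challenge 1122334455667788 (the value that fixed-challenge NTLMv1 rainbow-table tooling relies on) are constructed inputs assumed here.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"fmt"
)

// expandDESKey spreads a 7-byte NTLMv1 key fragment over the 8 bytes DES
// expects. The low bit of every byte is the parity bit, which DES ignores,
// so it is left as zero.
func expandDESKey(k7 []byte) []byte {
	k8 := []byte{
		k7[0],
		(k7[0] << 7) | (k7[1] >> 1),
		(k7[1] << 6) | (k7[2] >> 2),
		(k7[2] << 5) | (k7[3] >> 3),
		(k7[3] << 4) | (k7[4] >> 4),
		(k7[4] << 3) | (k7[5] >> 5),
		(k7[5] << 2) | (k7[6] >> 6),
		k7[6] << 1,
	}
	for i := range k8 {
		k8[i] &= 0xFE
	}
	return k8
}

// desEncryptBlock encrypts one 8-byte block under a 7-byte fragment key.
func desEncryptBlock(k7, block []byte) []byte {
	c, err := des.NewCipher(expandDESKey(k7))
	if err != nil {
		panic(err)
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// ntlmv1Response builds the 24-byte NTLMv1 response: the NT hash zero-padded
// to 21 bytes, cut into three 7-byte DES keys, each encrypting the challenge.
func ntlmv1Response(ntHash, challenge []byte) []byte {
	padded := make([]byte, 21)
	copy(padded, ntHash) // bytes 16..20 stay zero
	resp := make([]byte, 0, 24)
	for i := 0; i < 3; i++ {
		resp = append(resp, desEncryptBlock(padded[7*i:7*i+7], challenge)...)
	}
	return resp
}

// recoverThirdFragment brute-forces the two NT-hash bytes behind the third
// response block. Key 3 is ntHash[14:16] followed by five zero bytes, so only
// 2^16 candidates exist; this is the cheap corner of the full attack.
func recoverThirdFragment(challenge, response []byte) ([]byte, bool) {
	target := response[16:24]
	k7 := make([]byte, 7) // bytes 2..6 remain zero, matching the padding
	for cand := 0; cand < 1<<16; cand++ {
		k7[0], k7[1] = byte(cand>>8), byte(cand)
		if bytes.Equal(desEncryptBlock(k7, challenge), target) {
			return []byte{k7[0], k7[1]}, true
		}
	}
	return nil, false
}

func main() {
	// Constructed inputs: the well-known NT hash of "password" and the static
	// challenge that fixed-challenge NTLMv1 rainbow tables assume.
	ntHash, _ := hex.DecodeString("8846f7eaee8fb117ad06bdd830b7586c")
	challenge, _ := hex.DecodeString("1122334455667788")

	resp := ntlmv1Response(ntHash, challenge)
	fmt.Printf("NTLMv1 response: %x\n", resp)

	frag, ok := recoverThirdFragment(challenge, resp)
	fmt.Printf("recovered ntHash[14:16]=%x (found=%v), actual=%x\n", frag, ok, ntHash[14:16])
}
```

The caveat a practitioner wants: what the attack yields is the NT hash itself, which can be replayed (pass-the-hash) without ever learning the password, so the "weak password" framing understates the exposure. The fix is to stop sending NTLMv1 at all: set "Network security: LAN Manager authentication level" to "Send NTLMv2 response only. Refuse LM & NTLM" (LmCompatibilityLevel 5) on domain controllers and members.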

A data breach at Canada's investment watchdog, the Canadian Investment Regulatory Organization (CIRO), impacted about 750,000 people. CIRO is Canada's national self-regulatory body overseeing investment dealers and marketplaces, protecting investors, enforcing compliance, and maintaining fair, efficient capital markets. It announced that threat actors stole the personal data of 750,000 people in an August 2025 phishing attack. The breach forced some systems offline but did not disrupt critical operations.
https://securityaffairs.com/186993/data-breach/data-breach-at-canadas-investment-watchdog-canadian-investment-regulatory-organization-impacts-750000-people.html

Security researchers have discovered a critical vulnerability in Google's Fast Pair protocol that can allow attackers to hijack Bluetooth audio accessories, track users, and eavesdrop on their conversations. The flaw (tracked as CVE-2025-36911 and dubbed WhisperPair) affects hundreds of millions of wireless headphones, earbuds, and speakers from multiple manufacturers that support Google's Fast Pair feature.
https://www.bleepingcomputer.com/news/security/critical-whisperpair-flaw-lets-hackers-track-eavesdrop-via-bluetooth-audio-devices/

A critical vulnerability in the Modular DS WordPress plugin, tracked as CVE-2026-23550 (CVSS score of 10), is being actively exploited; it allows unauthenticated privilege escalation to administrator.
https://securityaffairs.com/186976/security/actively-exploited-critical-flaw-in-modular-ds-wordpress-plugin-enables-admin-takeover.html

A new espionage campaign targeting U.S. government entities has been uncovered, utilizing a custom backdoor dubbed LOTUSLITE. Researchers from the Acronis Threat Research Unit (TRU) have linked the activity with moderate confidence to the China-aligned threat group Mustang Panda, citing overlaps in tradecraft and infrastructure.
https://securityonline.info/new-lotuslite-backdoor-targets-u-s-government-in-suspected-mustang-panda-campaign/

Malicious Chrome extensions on the Chrome Web Store masquerading as productivity and security tools for enterprise HR and ERP platforms were discovered stealing authentication credentials or blocking management pages used to respond to security incidents.
https://www.bleepingcomputer.com/news/security/credential-stealing-chrome-extensions-target-enterprise-hr-platforms/

Ukrainian and German law enforcement authorities have identified two Ukrainians suspected of working for the Russia-linked ransomware-as-a-service (RaaS) group Black Basta. In addition, the group's alleged leader, a 35-year-old Russian national named Oleg Evgenievich Nefedov, has been added to the European Union's Most Wanted and INTERPOL's Red Notice lists, authorities noted.
https://thehackernews.com/2026/01/black-basta-ransomware-hacker-leader.html

Cisco Talos reports that threat group UAT-8837, likely linked to China, has targeted critical infrastructure in North America since at least 2025. The activity shows tactics overlapping with known China-linked clusters.
https://securityaffairs.com/186999/breaking-news/china-linked-apt-uat-8837-targets-north-american-critical-infrastructure.html

Sysdig Threat Research Team (TRT) took a deeper look at Voidlink, examining its binaries to better understand the malware's loader chain, rootkit internals, and control mechanisms.
https://www.sysdig.com/blog/voidlink-threat-analysis-sysdig-discovers-c2-compiled-kernel-rootkits

Cybersecurity researchers have uncovered a cross-site scripting (XSS) flaw in the control panel used by operators of the StealC malware. The weakness allowed researchers to observe, without being noticed, how the attackers were running their operations.
https://cybersecurity88.com/news/xss-bug-in-stealc-malware-panel-gives-researchers-insight-into-cybercrime-operations/
