InfoSec News 28JAN2026

General

• More from Brian Krebs, pivoting from the Kimwolf botnet, to an earlier antecedent - Badbox 2.0. This earlier botnet was used to help bootstrap the Kimwolf botnet, providing access to vulnerable IoT devices on which Badbox was running, as well as other vulnerable systems within the adjacent network. A typical Krebs'ing ensues, unpicking the identities behind the domains.
  • https://krebsonsecurity.com/2026/01/who-operates-the-badbox-2-0-botnet/
• Another Microsoft Office bug under active exploitation - emergency out-of-band patches rolling out. No real details supplied as yet, the workaround for earlier Office version points to Component Object Model (COM) object compatibility.

Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally.
...
According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?
An attacker must send a user a malicious Office file and convince them to open it.
...
This update addresses a vulnerability that bypasses OLE mitigations in Microsoft 365 and Microsoft Office which protect users from vulnerable COM/OLE controls.
...
Customers running Office 2021 and later will be automatically protected via a service-side change, but will be required to restart their Office applications for this to take effect.

• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21509
• https://www.theregister.com/2026/01/27/office_zeroday_exploited_in_the/
• Browser extensions are rarely worth the risk - a new Malware as a Service (MaaS) toolkit is guaranteeing (on the top US$6k "Luxe Plan") to get malicious extensions onto the Google Chrome Web Store. Also offers silent side-loading into Chrome/Edge/Opera/Brave, via an executable. The extension will iFrame over target sites, call in to Command and Control (C2) frequently, and can deliver notifications as the browser.
  • https://www.varonis.com/blog/stanley-malware-kit
  • https://www.bleepingcomputer.com/news/security/new-malware-service-guarantees-phishing-extensions-on-chrome-web-store/
• WhatsApp is getting an enhanced-security mode dubbed "Strict Account Settings". It's a feature-versus-security compromise, following similar ideas from Apple ("Lockdown Mode") and Android ("Advanced Protection Mode").

This lockdown-style feature bolsters your security on WhatsApp even further with just a few taps by locking your account to the most restrictive settings like automatically blocking attachments and media from unknown senders, silencing calls from people you don’t know, and restricting other settings that may limit how the app works. You can turn on Strict Account Settings, which will be rolling out in the coming weeks, by going to your WhatsApp Settings, then to Privacy, and then to Advanced.

• https://blog.whatsapp.com/whatsapps-latest-privacy-protection-strict-account-settings
• https://about.fb.com/news/2026/01/whatsapp-strict-account-settings-safeguarding-against-cyber-attacks/
• https://www.itnews.com.au/news/whatsapp-unveils-high-security-mode-623204
• https://techcrunch.com/2026/01/27/whatsapp-is-rolling-out-a-new-stricter-security-setting-to-protect-users-from-cyber-attacts/
• https://therecord.media/whatsapp-spyware-anti-lockdown
• A little more on the ShinyHunters vishing attacks - SilentPush lists some sites they've seen targeted.
  • https://www.silentpush.com/blog/slsh-alert/
  • https://www.theregister.com/2026/01/26/shinyhunters_okta_sso_campaign/
  • https://www.theregister.com/2026/01/27/shinyhunters_claim_panera_bread/
• [CN] Money Laundering is big business.
  "Black U" usually refers to black market trading of USDT or trading through unofficial channels (typically defined as USDT obtained through irregular means such as money laundering, hacking, etc.)"

Chinese-language money laundering networks (CMLNs) now dominate known crypto money laundering activity, processing an estimated 20% of illicit crypto funds over the past five years. This growth is 7,325 times faster than growth of illicit inflows to centralized exchanges since 2020.
CMLNs processed $16.1 billion in 2025 — approximately $44 million per day across 1,799+ active wallets.
...
The illicit on-chain money laundering ecosystem has grown dramatically in recent years, increasing from $10 billion in 2020 to over $82 billion in 2025.

• https://www.chainalysis.com/blog/2026-crypto-money-laundering/
• https://therecord.media/chinese-money-launderers-moved-more-crypto-2025

Getting Techy

• There's a concerning API-permission problem in Kubernetes, that won't get fixed until fine-grained API permissions are built and rolled out. Exploitation is not caught by standard AuditPolicy logging.

Kubernetes administrators often grant access to the nodes/proxy resource to service accounts requiring access to data such as Pod metrics and Container logs. As such, Kubernetes monitoring tools commonly require this resource for reading data.
nodes/proxy GET allows command execution when using a connection protocol such as WebSockets. This is due to the Kubelet making authorization decisions based on the initial WebSocket handshake’s request without verifying CREATE permissions are present for the Kubelet’s /exec endpoint requiring different permissions depending solely on the connection protocol.
The result is anyone with access to a service account assigned nodes/proxy GET that can reach a Node’s Kubelet on port 10250 can send information to the /exec endpoint, executing commands in any Pod, including privileged system Pods, potentially leading to a full cluster compromise. Kubernetes AuditPolicy does not log commands executed through a direct connection to the Kubelet’s API.

• https://grahamhelton.com/blog/nodes-proxy-rce
• VM2 - "a sandbox that can run untrusted code with whitelisted Node's built-in modules" is being revived. Whilst not perfect, it offers some reasonable protection when running NodeJS content, in specific use-cases.
  • https://github.com/patriksimek/vm2
  • https://github.com/patriksimek/vm2/issues/533#issuecomment-3444774921
  • https://www.bleepingcomputer.com/news/security/critical-sandbox-escape-flaw-discovered-in-popular-vm2-nodejs-library/
• SpectreOps decided to have a closer look at Microsoft's Deployment Toolkit (MDT), for rolling out disk images. The results were so bad, Microsoft killed the toolkit, suggesting use of Windows Autopilot instead.

Microsoft is announcing the immediate retirement of Microsoft Deployment Toolkit (MDT). MDT will no longer receive updates, fixes, or support. Existing installations will continue to function as is. However, we encourage customers to transition to modern deployment solutions.

• https://specterops.io/blog/2026/01/21/task-failed-successfully-microsofts-immediate-retirement-of-mdt/
• https://learn.microsoft.com/en-us/troubleshoot/mem/configmgr/mdt/mdt-retirement
• Improving Windows Administrator Protection, through early engagement with Google Project Zero.

A headline feature introduced in the latest release of Windows 11, 25H2 is Administrator Protection. The goal of this feature is to replace User Account Control (UAC) with a more robust and importantly, securable system to allow a local user to access administrator privileges only when necessary.

• https://projectzero.google/2026/26/windows-administrator-protection.html

Geo-Politics

• [FR] France has started rolling out its home-grown video conferencing software, to replace US software (e.g. Zoom, Teams, Webex, Google Meet).

"This project is a concrete illustration of the Prime Minister and the Government's commitment to regaining our digital independence," said David Amiel, minister delegate for the Civil Service and State Reform. "We cannot risk having our scientific exchanges, our sensitive data, and our strategic innovations exposed to non-European actors. Digital sovereignty is simultaneously an imperative for our public services, an opportunity for our businesses, and insurance against future threats."

• https://www.theregister.com/2026/01/27/france_videoconferencing_visio/
• [FR] France is following the trend, passing a bill to ban under-15's from social media.

As social media has grown, so has concern that too much screen time is harming child development and contributing to mental health problems. "The emotions of our children and teenagers are not for sale or to be manipulated, either by American platforms or Chinese algorithms," Macron said in a video broadcast on Saturday.

The legislation stipulates that "access to an online social networking service provided by an online platform is prohibited for minors under the age of 15". The draft bill excludes online encyclopedias and educational platforms. An effective age verification system would have to come into force for the ban to become reality. Work on such a system is underway at the European level.

• https://www.lemonde.fr/en/france/article/2026/01/26/french-mps-approve-social-media-ban-for-children-under-15_6749837_7.html
• [KZ] Kazakhstan is "considering tightening legal responsibility for violations related to personal data protection".

“In implementing the constitutional rights of citizens to privacy and the protection of personal information, we are moving to a zero-tolerance policy in this area. Digital transformation should not undermine the security of citizens, and any irresponsible handling of personal data should be punished in accordance with the law”
In addition to criminal penalties for mass data breaches, the ministry is proposing to significantly increase administrative liability for officials violating information security standards.
The current maximum fine is approximately $17,000. The proposed new ceiling would be about $42,500.

• https://timesca.com/kazakhstan-considere-criminal-liability-for-mass-leaks-of-personal-data/
• [RU] A physical-security provider in Russia has had their systems taken offline, impacting car and building alarm systems.

Russian newspaper Kommersant reported that despite Delta’s assurances that most services were operating normally, users continued to describe widespread failures — including remote vehicle start systems malfunctioning, car doors locking unexpectedly, and engines shutting down while in motion.
Customers also reported alarm systems in homes and commercial buildings switching to emergency mode and becoming impossible to deactivate. Recorded Future News could not independently verify those reports.

• https://therecord.media/russia-delta-security-alarm-company-cyberattack
• [UK] Salt Typhoon attacks appear to have also targeted UK politicians.

The Telegraph reports that the activity focused on phones used by senior aides around former prime ministers Boris Johnson, Liz Truss, and Rishi Sunak, with the suspected access stretching back to 2021. Intelligence sources described the compromise as extensive, with one saying the activity went "right into the heart of Downing Street," although it remains unclear whether the prime ministers' own devices were accessed directly.
...
The breaches were reportedly discovered only in 2024, after the US disclosed that Chinese-linked hacking groups had gained deep access to telecommunications providers worldwide.

• https://www.theregister.com/2026/01/27/chinalinked_hackers_accused_of_yearslong/
• [US] The US Treasury Department has announced it's cancelling all contracts with Booz Allen Hamilton. Apparently, it's not over anything recent, nor over the Snowden leaks - instead it's something far closer to home - 2019-2021 leaks of tax returns for Trump et al.

In a press release, Treasury Secretary Scott Bessent announced that the unusual move was in response to Booz Allen contractor Charles Littlejohn, who stole the tax returns of more than 400,000 US taxpapers between 2018 and 2020 and gave some of them to the media. Bessent said that canceling Booz Allen's contracts "is an essential step to increasing Americans’ trust in government."
The announcement didn't identify which records Littlejohn stole or which media outlets received them, but court records and previously published stories about his case reveal that he stole tax returns for President Donald Trump, Jeff Bezos, Elon Musk and other billionaires and leaked them to the New York Times and ProPublica. Between them, the two outlets published dozens of stories in 2020 and 2021 based on the records, which showed, among other things, how little in federal taxes these and other super-rich Americans had paid on their massive earnings over the years, as well as the strategies they used to achieve this.

• https://www.zetter-zeroday.com/booz-allen-tech-contractor-took-irs-job-specifically-to-leak-trumps-tax-records/
• https://home.treasury.gov/news/press-releases/sb0371

Privacy

• Freedom of the Press Foundation have released a guide for media, on safeguarding sources. Contains some useful advice for anyone operating in a potentially hostile information environment.
  • https://freedom.press/digisec/blog/safeguarding-sources-and-sensitive-information-in-the-event-of-a-raid/
• [AT] The Austrian data protection authority (DSB) finds that Microsoft unlawfully used tracking cookies in Microsoft 365 Education, to track minors.

In its most recent decision, the DSB has once again found that Microsoft acted unlawfully. To be specific, the company placed tracking cookies on the devices of a minor using Microsoft 365 Education. According to Microsoft’s own documentation, these cookies analyse user behaviour, collect browser data and are used for advertising. The DSB has additionally ordered Microsoft to cease tracking the complainant within four weeks. Both the school and the Austrian Ministry of Education claimed they were not aware of such tracking cookies prior to the noyb complaints.

Tracking users without consent is not compliant with EU law, which is an issue for all organisations using Microsoft 365. The German data protection authorities have already considered Microsoft 365 to fall short of the requirements of the GDPR

• https://noyb.eu/en/noyb-win-microsoft-ordered-stop-tracking-school-children
• https://www.theregister.com/2026/01/27/microsft_illegally_installed_cookies_ruling_austra_school/
• [US] Google has agreed to pay US$68m to settle a lawsuit alleging that it used Google Assistant content to target advertising.

Plaintiffs ... respectfully move for preliminary approval of their $68,000,000 class settlement with Defendants Google LLC and Alphabet Inc. (together, “Google”). The Settlement, if approved, will resolve claims relating to Google’s alleged recording of individuals’ communications using Google Assistant and Google Assistant Enabled Devices without their consent and the use and disclosure of communications to third parties.

• https://storage.courtlistener.com/recap/gov.uscourts.cand.345331/gov.uscourts.cand.345331.549.0.pdf
• https://therecord.media/google-settles-millions-privacy-recording
• https://www.theguardian.com/technology/2026/jan/26/google-privacy-suit-settlement-voice-assistant

AI

• [CN] Moonshot AI have released a 2.5 update to their Kimi model (Mixture of Experts (MoE), 1T parameters, 32b active, 256k context), adding image input, as well improving "long-sequence tool calling and training on how to break down tasks for multiple agents to work on at once".
  • https://www.kimi.com/blog/kimi-k2-5.html
  • https://simonwillison.net/2026/Jan/27/kimi-k25/