AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

InfoSec News Nuggets – 01-26-2026

Sandworm Hackers Linked to Failed DynoWiper Attack on Poland’s Power Grid

Russian state-sponsored hacking group Sandworm has been attributed to what Polish officials called the “largest cyber attack” targeting Poland’s energy infrastructure in years. The attacks occurred on December 29-30, 2025, targeting two combined heat and power plants and a system managing electricity from wind turbines and solar farms. ESET researchers analyzed the novel malware, which they named DynoWiper, and attributed the campaign to Sandworm (also known as Seashell Blizzard or APT44) “with medium confidence” based on tactics, techniques, and code overlaps with previous attacks. The timing was significant—exactly 10 years after Sandworm’s 2015 BlackEnergy attack on Ukraine’s power grid, which left 230,000 people without electricity. While Polish officials reported the attack was thwarted and no blackout occurred, authorities estimate it could have affected 500,000 homes. Poland’s Prime Minister Donald Tusk confirmed the country is working on legislation to strengthen cybersecurity requirements for critical infrastructure.


Multi-Stage Phishing Campaign Targets Russia with Amnesia RAT and Ransomware

FortiGuard Labs has detailed a sophisticated multi-stage malware campaign primarily targeting users in Russia that combines social engineering, security bypass, surveillance, and ransomware delivery. The attack begins with business-themed documents in compressed archives containing malicious LNK shortcuts disguised as text files. What sets this campaign apart is its operational abuse of Defendnot, a research tool that exploits Windows Security Center trust mechanisms to disable Microsoft Defender by registering a fake antivirus product. The campaign deploys Amnesia RAT for comprehensive data theft—targeting browser credentials, Telegram sessions, cryptocurrency wallets, Discord tokens, and Steam data—while also capturing screenshots every 30 seconds. The attack culminates with Hakuna Matata ransomware that encrypts files with the “@NeverMind12F” extension and a WinLocker component that enforces complete desktop lockout with Russian-language ransom demands. Attackers use GitHub for script distribution and Dropbox for binary payloads, complicating takedown efforts.


VMware vCenter Server Flaw Patched 18 Months Ago Now Under Active Exploitation

CISA has added CVE-2024-37079 (CVSS 9.8) to its Known Exploited Vulnerabilities catalog after Broadcom confirmed the critical VMware vCenter Server flaw is now being actively exploited—more than 18 months after patches were released in June 2024. The vulnerability is a heap overflow in the DCERPC protocol implementation that allows attackers with network access to achieve remote code execution by sending specially crafted packets, without requiring authentication or user interaction. Federal agencies have until February 13, 2026 to patch vulnerable systems. Security experts note that vCenter Server shouldn’t be internet-exposed, suggesting attackers likely already had initial network access and are using the vulnerability to expand control. CISA’s KEV catalog lists the bug’s use in ransomware campaigns as “unknown,” and Broadcom has not disclosed details about the scope of exploitation.


Fortinet Admits FortiCloud SSO Bypass Still Exploitable Despite December Patch

Fortinet has confirmed that a critical authentication bypass vulnerability in FortiOS (CVE-2025-59718) persists even in devices running the supposedly patched firmware versions, following reports from enterprise administrators of suspicious logins on updated FortiGate firewalls. Arctic Wolf observed automated malicious activity starting January 15, 2026, involving unauthorized configuration changes, creation of generic admin accounts for persistence, and exfiltration of firewall configuration files. The attacks exploit SAML-based single sign-on functionality, with attackers spinning up VPN-enabled accounts and stealing configuration files in seconds—behavior strongly suggesting automation. Fortinet CISO Carl Windsor acknowledged the company has “identified a number of cases where the exploit was to a device that had been fully upgraded to the latest release at the time of the attack, which suggested a new attack path.” The company is working on a fix and has advised customers to disable FortiCloud admin login and restrict access to administration panels from the internet.


CISA Adds Five New Vulnerabilities to KEV Catalog Including Zimbra, Vite, and Versa Flaws

CISA added five security vulnerabilities to its Known Exploited Vulnerabilities catalog on January 22-23, 2026, citing evidence of active exploitation in the wild. The newly added flaws include: CVE-2025-68645, a PHP remote file inclusion vulnerability in Synacor Zimbra Collaboration Suite (CVSS 8.8); CVE-2025-34026, an improper authentication vulnerability in Versa Concerto; CVE-2025-54313, an embedded malicious code vulnerability in the Prettier eslint-config-prettier package; and CVE-2025-31125, an improper access control vulnerability in Vite Vitejs. Per Binding Operational Directive 22-01, federal civilian executive branch agencies are required to remediate these vulnerabilities by the designated due dates. CISA strongly urges all organizations to prioritize timely remediation of KEV catalog vulnerabilities as part of their vulnerability management practices.