CISA Flags Actively Exploited HPE OneView Flaw; FBI Warns of North Korean QR Code Phishing; China-Linked APT Targets Telecom Networks
Executive Summary
This week's intelligence highlights significant developments across multiple threat vectors affecting critical infrastructure. Key developments include:
- Active Exploitation Alert: CISA has added a maximum-severity HPE OneView vulnerability (CVSS score 10) to its Known Exploited Vulnerabilities catalog, alongside a Microsoft Office flaw. Federal agencies face mandatory remediation deadlines.
- Nation-State Activity: The FBI issued a flash alert warning of North Korean Kimsuky hackers deploying malicious QR codes in spear-phishing campaigns targeting U.S. organizations. Separately, China-linked threat actor UAT-7290 has expanded telecom espionage operations into Southeastern Europe using Linux-based malware.
- Critical Vulnerabilities: Multiple maximum-severity flaws disclosed this week, including CVE-2026-21858 (CVSS 10) in the n8n workflow automation platform affecting approximately 100,000 exposed servers, and critical vulnerabilities in Coolify self-hosting platform enabling full server compromise.
- Policy Developments: The Trump administration withdrew the U.S. from 66 international organizations, including cybersecurity-focused bodies such as the Global Forum on Cyber Expertise (GFCE). The UK government unveiled a new cyber action plan focused on government systems. CISA retired 10 emergency directives issued between 2019 and 2024.
- Physical Security Concerns: Water ISAC issued alerts regarding potential security risks to critical infrastructure following U.S. operations in Venezuela, and a violent extremist group claimed responsibility for an arson attack on Berlin's power grid.
Threat Landscape
Nation-State Threat Actor Activities
North Korea – Kimsuky APT Group
The FBI released a flash advisory on January 8, 2026, warning that North Korean state-sponsored hackers from the Kimsuky group are leveraging malicious QR codes in sophisticated spear-phishing campaigns targeting U.S. organizations. This represents an evolution in the group's tactics, moving beyond traditional email-based phishing to exploit the growing use of QR codes in business communications.
Analyst Assessment: The use of QR codes presents unique challenges for security teams, as these codes can bypass traditional email security filters and exploit user trust. Organizations should implement QR code scanning policies and educate personnel about this emerging threat vector.
China – UAT-7290
A China-nexus threat actor designated UAT-7290 has been attributed to espionage-focused intrusions against telecommunications providers in South Asia and has recently expanded operations to Southeastern Europe. The group employs Linux-based malware and Operational Relay Box (ORB) nodes to maintain persistent access to target networks.
Key TTPs Observed:
- Exploitation of edge devices for initial access
- Deployment of custom Linux malware toolkits
- Use of ORB nodes for command and control
- Long-term persistence focused on intelligence collection
Analyst Assessment: The telecommunications sector remains a high-priority target for Chinese intelligence operations due to the strategic value of communications metadata and the potential for downstream access to other critical infrastructure sectors. The expansion into Southeastern Europe suggests broadening collection requirements.
Ransomware and Cybercriminal Developments
Ransomware Groups Defeating EDR Systems
The New York State Intelligence Center (NYSIC) issued a report indicating that ransomware groups are successfully defeating Endpoint Detection and Response (EDR) systems, likely resulting in longer dwell times within victim networks. This development underscores the need for defense-in-depth strategies that do not rely solely on endpoint protection.
Astaroth Banking Trojan Campaign
A new campaign is distributing the Astaroth banking trojan across Brazil using WhatsApp as a distribution vector. The malware spreads through auto-messaging to contacts, creating a worm-like propagation mechanism. While currently focused on Brazilian financial institutions, similar techniques could be adapted for other regions.
Botnet Activity
- Kimwolf Botnet: Analysis reveals the destructive Kimwolf botnet has grown to infect more than two million devices by mass-compromising unofficial Android TV streaming devices.
- GoBruteforcer Botnet: A new botnet targeting exposed Linux servers through brute-force attacks on FTP, MySQL, and other services has been observed in active campaigns.
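The GoBruteforcer item above names the technique (credential brute-forcing against exposed FTP and MySQL services) without showing what it looks like on the defender's side. The following is an added example, not code from the briefing or from any vendor: it parses failed-login lines in the vsftpd and MySQL error-log formats, groups failures per source IP and service inside a sliding time window, and flags sources that exceed a threshold. The log lines are constructed, and the threshold (5 failures) and window (60 seconds) are assumed values a team would tune for its own environment.

```python
"""Detect password brute-forcing against FTP and MySQL from server logs.

Added example, not part of the original briefing. SAMPLE_LOG is constructed
to resemble vsftpd and MySQL error-log entries; the threshold and window
passed to detect_bruteforce are assumed tuning values.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# vsftpd failure line, e.g.:
# Thu Jan  8 10:01:02 2026 [pid 1234] [admin] FAIL LOGIN: Client "203.0.113.5"
VSFTPD_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] FAIL LOGIN: Client "(?P<ip>[\d.]+)"'
)
# MySQL failure line, e.g.:
# 2026-01-08T10:05:01.000000Z 12 [Warning] [MY-010926] [Server] Access denied
#   for user 'root'@'203.0.113.5' (using password: YES)
MYSQL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)\.\d+Z .*Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<ip>[\d.]+)'"
)


def parse_failure(line):
    """Return (service, timestamp, ip, user) for a failed-login line, else None."""
    m = VSFTPD_RE.match(line)
    if m:
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        return ("ftp", ts, m.group("ip"), m.group("user"))
    m = MYSQL_RE.match(line)
    if m:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
        return ("mysql", ts, m.group("ip"), m.group("user"))
    return None


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag (service, ip) pairs whose densest window holds >= threshold failures.

    distinct_users > 1 in a burst points at username guessing as well as
    password guessing, which is worth recording in the alert.
    """
    events = defaultdict(list)  # (service, ip) -> [(timestamp, user), ...]
    for line in lines:
        parsed = parse_failure(line)
        if parsed:
            service, ts, ip, user = parsed
            events[(service, ip)].append((ts, user))

    alerts = []
    for (service, ip), evs in events.items():
        evs.sort()
        best, best_start, best_end, start = 0, 0, 0, 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            if end - start + 1 > best:
                best, best_start, best_end = end - start + 1, start, end
        if best >= threshold:
            burst = evs[best_start:best_end + 1]
            alerts.append({
                "service": service,
                "ip": ip,
                "failures": best,
                "distinct_users": len({u for _, u in burst}),
                "span_seconds": int((burst[-1][0] - burst[0][0]).total_seconds()),
            })
    return alerts


# Constructed sample: one noisy source against FTP and MySQL, one benign user.
SAMPLE_LOG = [
    'Thu Jan  8 10:01:02 2026 [pid 1201] [admin] FAIL LOGIN: Client "203.0.113.5"',
    'Thu Jan  8 10:01:05 2026 [pid 1202] [root] FAIL LOGIN: Client "203.0.113.5"',
    'Thu Jan  8 10:01:08 2026 [pid 1203] [ftp] FAIL LOGIN: Client "203.0.113.5"',
    'Thu Jan  8 10:01:11 2026 [pid 1204] [test] FAIL LOGIN: Client "203.0.113.5"',
    'Thu Jan  8 10:01:14 2026 [pid 1205] [user] FAIL LOGIN: Client "203.0.113.5"',
    'Thu Jan  8 10:01:17 2026 [pid 1206] [backup] FAIL LOGIN: Client "203.0.113.5"',
    'Thu Jan  8 10:03:00 2026 [pid 1207] [alice] FAIL LOGIN: Client "198.51.100.7"',
    'Thu Jan  8 10:03:20 2026 [pid 1208] [alice] FAIL LOGIN: Client "198.51.100.7"',
    "2026-01-08T10:05:01.000000Z 12 [Warning] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.5' (using password: YES)",
    "2026-01-08T10:05:02.000000Z 13 [Warning] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.5' (using password: YES)",
    "2026-01-08T10:05:03.000000Z 14 [Warning] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.5' (using password: YES)",
    "2026-01-08T10:05:04.000000Z 15 [Warning] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.5' (using password: YES)",
    "2026-01-08T10:05:05.000000Z 16 [Warning] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.5' (using password: YES)",
    "2026-01-08T10:06:00.000000Z 17 [Warning] [MY-010926] [Server] Access denied for user 'app'@'198.51.100.7' (using password: YES)",
    "2026-01-08T10:06:01.000000Z 18 [Note] [MY-010311] [Server] Unrelated informational line",
]

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

Run against the constructed sample, the script reports two bursts from 203.0.113.5 (six FTP failures across six usernames in 15 seconds, five MySQL failures against root in 4 seconds) and stays quiet about the two slow failures from 198.51.100.7. In production the same logic would feed a SIEM rule or fail2ban-style blocker, and the real fix for GoBruteforcer-style activity is to stop exposing FTP and MySQL to the internet at all.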
Physical Security Threats
Berlin Power Grid Arson Attack
Water ISAC reported that a violent extremist group has claimed responsibility for an arson attack targeting Berlin's power grid infrastructure. This incident highlights the ongoing physical security threats to energy infrastructure from ideologically motivated actors.
Venezuela-Related Security Risks
Water ISAC issued a TLP:AMBER advisory regarding potential cybersecurity and physical security risks to critical infrastructure following recent U.S. operations in Venezuela, including the seizure of a Russian-flagged oil tanker. Infrastructure operators should maintain heightened awareness for potential retaliatory actions.
Communications Infrastructure Threats
Water ISAC is analyzing rising physical security threats to communications infrastructure, indicating an uptick in incidents targeting telecommunications facilities.
Emerging Attack Vectors
AI-Enabled Attacks
Researchers at Radware have discovered new zero-click prompt injection attacks in ChatGPT's agentic features that could allow attackers to steal user data without requiring user interaction. As AI tools become more integrated into enterprise workflows, these attack vectors present growing risks.
Supply Chain Threats
Three malicious npm packages designed to deliver a previously undocumented malware called NodeCordRAT have been discovered. The packages used Bitcoin-themed naming to attract developers, highlighting ongoing supply chain risks in open-source ecosystems.
Sector-Specific Analysis
Energy Sector
Physical Attack on European Grid Infrastructure
The claimed arson attack on Berlin's power grid represents a concerning escalation in physical threats to energy infrastructure. European energy operators should review physical security measures and coordinate with law enforcement on threat intelligence.
Geopolitical Tensions
The U.S. seizure of a Russian-flagged oil tanker linked to Venezuela may increase the risk of retaliatory cyber or physical attacks against U.S. energy infrastructure. Energy sector operators should maintain heightened monitoring and ensure incident response plans are current.
Recommended Actions:
- Review physical security measures at critical facilities
- Enhance monitoring for anomalous network activity
- Coordinate with sector ISACs for threat intelligence updates
- Verify backup power and resilience capabilities
Water & Wastewater Systems
Q4 2025 Incident Survey
Water ISAC has opened its quarterly incident survey for Q4 2025. Water and wastewater utilities are encouraged to participate to support sector-wide threat analysis and trend identification.
Managed Service Provider Guidance
Water ISAC released guidance on choosing managed service providers, providing insights for utilities evaluating third-party IT and OT support. Given the sector's resource constraints, this guidance is particularly relevant for smaller utilities considering outsourced security services.
Recommended Actions:
- Complete the Q4 2025 incident survey
- Review MSP contracts and security requirements
- Assess physical security posture in light of recent extremist activity
Communications & Information Technology
Telecom Sector Under Active Targeting
The UAT-7290 campaign against telecommunications providers represents a significant threat to the communications sector. The group's use of edge device exploits and Linux malware indicates sophisticated capabilities designed for long-term access to telecom networks.
Rising Physical Threats
Water ISAC analysis indicates rising physical security threats to communications infrastructure. Telecom operators should coordinate with law enforcement and review physical security measures at critical facilities.
Cisco Switch Stability Issues
Multiple Cisco switch models are experiencing reboot loops due to a DNS client bug. While not a security vulnerability, this availability issue could impact network operations. Cisco is investigating the root cause.
Recommended Actions:
- Audit edge devices for unauthorized access or compromise indicators
- Implement enhanced monitoring for Linux-based systems
- Review physical security at telecommunications facilities
- Monitor Cisco advisories for switch stability updates
Transportation Systems
Maritime Security Operations
The U.S. Coast Guard has announced Operation RENEW 2026 to maintain heating oil supply during winter months. This operation ensures critical fuel deliveries continue despite potential disruptions.
Weather-Related Disruptions
Two powerful cross-country storms are underway, with winter storm warnings issued for four U.S. states. Transportation operators should prepare for potential service disruptions and coordinate with emergency management agencies.
Recommended Actions:
- Review winter weather contingency plans
- Coordinate with fuel suppliers on delivery schedules
- Ensure communication systems are resilient to weather impacts
Healthcare & Public Health
Medical Device Security Alert
CISA issued an advisory warning that unauthenticated Bluetooth access in WHILL wheelchair devices allows for unauthorized movement control. While the immediate risk is limited, this vulnerability highlights ongoing concerns about medical device security.
AI Health Data Privacy
OpenAI launched ChatGPT Health with isolated, encrypted health data controls. Healthcare organizations evaluating AI tools should carefully assess data handling practices and ensure compliance with HIPAA and other regulatory requirements.
Recommended Actions:
- Inventory WHILL devices and implement compensating controls
- Review AI tool usage policies for health data handling
- Ensure medical device security programs address Bluetooth vulnerabilities
Financial Services
Banking Trojan Campaign
The Astaroth banking trojan campaign targeting Brazilian financial institutions through WhatsApp distribution demonstrates evolving social engineering techniques. While currently regional, financial institutions globally should monitor for similar campaigns.
Identity Security Investment
CrowdStrike's $740 million acquisition of identity security firm SGNL underscores the growing importance of identity protection in enterprise security. The deal aims to enhance continuous identity protection for both human and AI-driven access.
Recommended Actions:
- Monitor for WhatsApp-based malware distribution attempts
- Review identity and access management programs
- Assess AI access controls and governance frameworks
Hospitality Sector
New Malware Campaign
Security Magazine reports a new malware campaign specifically targeting the hospitality sector. Details remain limited, but hospitality organizations should increase monitoring and ensure security controls are current.
Vulnerability & Mitigation Updates
Critical Vulnerabilities Requiring Immediate Attention
| CVE/Identifier | Product | CVSS | Status | Action Required |
|---|---|---|---|---|
| HPE OneView Flaw | HPE OneView | 10.0 | ACTIVELY EXPLOITED | Patch immediately; added to CISA KEV |
| Microsoft Office Flaw | Microsoft Office | High | ACTIVELY EXPLOITED | Patch immediately; added to CISA KEV |
| CVE-2026-21858 | n8n Workflow Platform | 10.0 | PoC Available | Patch immediately; ~100K servers exposed |
| Coolify Flaws (11) | Coolify Self-Hosting | Critical | Disclosed | Update to patched version |
| Cisco ISE Flaw | Cisco ISE/ISE-PIC | Medium | PoC Available | Apply Cisco updates |
| jsPDF Vulnerability | jsPDF Library | Critical | Patched | Update Node.js deployments |
| Veeam Backup Flaws | Veeam Backup Suite | High | Patched | Apply vendor updates |
CISA Advisories and Actions
Known Exploited Vulnerabilities (KEV) Additions
CISA added two vulnerabilities to the KEV catalog on January 8, 2026:
- HPE OneView: Maximum-severity code injection flaw exploitable without authentication for remote code execution
- Microsoft Office: Details pending; federal agencies must remediate per BOD 22-01
Emergency Directive Retirements
CISA retired 10 Emergency Directives issued between 2019 and 2024, indicating that required actions have been completed or are now covered by standing guidance. This rare bulk closure reflects maturation of federal cybersecurity posture in addressed areas.
Notable Patches and Updates
- Cisco ISE: Patches released for medium-severity vulnerability with public PoC exploit
- n8n Platform: Critical update available for CVE-2026-21858; administrators should prioritize patching
- jsPDF: Update addresses arbitrary file read vulnerability in Node.js deployments
- Veeam Backup: Patches address RCE and malicious backup configuration file creation
Recommended Defensive Measures
- Prioritize KEV Remediation: HPE OneView and Microsoft Office vulnerabilities are under active exploitation
- Audit n8n Deployments: Approximately 100,000 servers potentially exposed; verify patching status
- Review EDR Effectiveness: Given reports of ransomware groups defeating EDR, implement defense-in-depth
- QR Code Security: Implement policies for scanning QR codes and educate users on Kimsuky campaign
- Edge Device Hardening: UAT-7290 exploits edge devices; audit and harden perimeter systems
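The KEV additions and the "Prioritize KEV Remediation" item above both come down to one operational question: which of our assets carry a KEV entry, and how long until (or since) its BOD 22-01 due date? The following is an added example, not code from the briefing or from CISA: it matches a KEV feed excerpt against a small asset inventory and ranks the findings, overdue and ransomware-linked entries first. The feed excerpt uses the field names of CISA's public KEV JSON (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse), but every entry, due date and inventory record is constructed, and the CVE identifiers are placeholders because the briefing does not name the HPE OneView or Microsoft Office CVEs.

```python
"""Rank KEV remediation work by matching a KEV feed against an asset inventory.

Added example, not part of the original briefing. KEV_FEED mirrors the
field names of CISA's KEV JSON but the entries are constructed and the CVE
identifiers are placeholders; INVENTORY is constructed as well.
"""
from datetime import date

# Constructed KEV excerpt. In practice this is the parsed JSON from
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
KEV_FEED = {
    "vulnerabilities": [
        {   # placeholder for the HPE OneView entry the briefing describes
            "cveID": "CVE-XXXX-ONEVIEW",
            "vendorProject": "Hewlett Packard Enterprise",
            "product": "OneView",
            "dateAdded": "2026-01-08",
            "dueDate": "2026-01-29",           # constructed
            "knownRansomwareCampaignUse": "Unknown",
        },
        {   # placeholder for the Microsoft Office entry
            "cveID": "CVE-XXXX-OFFICE",
            "vendorProject": "Microsoft",
            "product": "Office",
            "dateAdded": "2026-01-08",
            "dueDate": "2026-01-29",           # constructed
            "knownRansomwareCampaignUse": "Unknown",
        },
        {   # older constructed entry, already past due, with ransomware use
            "cveID": "CVE-XXXX-GATEWAY",
            "vendorProject": "Example Corp",
            "product": "Example Gateway",
            "dateAdded": "2025-11-10",
            "dueDate": "2025-12-01",
            "knownRansomwareCampaignUse": "Known",
        },
    ]
}

# Constructed inventory: asset name, vendor/product as the CMDB records them,
# and the CVEs already confirmed patched on that asset.
INVENTORY = [
    {"asset": "oneview-01", "vendor": "Hewlett Packard Enterprise",
     "product": "HPE OneView", "patched_cves": []},
    {"asset": "office-laptop-fleet", "vendor": "Microsoft",
     "product": "Microsoft Office 365 Apps", "patched_cves": ["CVE-XXXX-OFFICE"]},
    {"asset": "edge-gw-02", "vendor": "Example Corp",
     "product": "Example Gateway", "patched_cves": []},
    {"asset": "n8n-01", "vendor": "n8n", "product": "n8n", "patched_cves": []},
]


def _norm(text):
    return " ".join(text.lower().split())


def matches(entry, asset):
    """True when the KEV vendor and product strings both occur in the asset record.

    Substring matching tolerates CMDB naming like 'HPE OneView' versus the
    feed's 'OneView'; a stricter CPE-based match would be the production choice.
    """
    return (_norm(entry["vendorProject"]) in _norm(asset["vendor"])
            and _norm(entry["product"]) in _norm(asset["product"]))


def triage(feed, inventory, today_iso):
    """Return unpatched asset/KEV pairs, overdue and ransomware-linked first."""
    today = date.fromisoformat(today_iso)
    findings = []
    for entry in feed["vulnerabilities"]:
        due = date.fromisoformat(entry["dueDate"])
        for asset in inventory:
            if not matches(entry, asset) or entry["cveID"] in asset["patched_cves"]:
                continue
            findings.append({
                "asset": asset["asset"],
                "cveID": entry["cveID"],
                "product": entry["product"],
                "dueDate": entry["dueDate"],
                "days_left": (due - today).days,
                "overdue": today > due,
                "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
            })
    # Sort key: overdue first, then ransomware-linked, then earliest due date.
    findings.sort(key=lambda f: (not f["overdue"], not f["ransomware"], f["dueDate"]))
    return findings


if __name__ == "__main__":
    for finding in triage(KEV_FEED, INVENTORY, "2026-01-09"):
        print(finding)
```

With the constructed data and a run date of 2026-01-09, the script lists edge-gw-02 first (39 days past due, ransomware-linked) and oneview-01 second (20 days left); the Office fleet is dropped because the CVE is recorded as patched, and n8n-01 produces nothing because CVE-2026-21858 is not a KEV entry in this excerpt, which is exactly why KEV tracking alone is not a substitute for the separate n8n audit the list above recommends.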
Resilience & Continuity Planning
Lessons Learned
Jaguar Land Rover Cyberattack Recovery
Six months after experiencing a cyberattack, Jaguar Land Rover reported Q3 wholesales down 43%. This significant business impact underscores the importance of robust incident response and business continuity planning. Key takeaways:
- Cyberattack impacts can persist for months beyond initial incident
- Supply chain and manufacturing disruptions have cascading effects
- Business continuity plans should account for extended recovery timelines
Breach Recovery Timelines
Absolute Security research indicates that one-fifth of breaches take two weeks or more to recover from. Organizations should:
- Plan for extended recovery scenarios in business continuity exercises
- Ensure backup and recovery capabilities are tested regularly
- Maintain offline backup copies to protect against ransomware
Supply Chain Security
Open Source Software Risks
The discovery of NodeCordRAT malware in npm packages and the React2Shell vulnerability response highlight ongoing supply chain risks in open-source software. Chainguard's analysis of trusted open source consumption patterns provides insights for organizations managing these risks.
Managed Service Provider Selection
Water ISAC's guidance on choosing MSPs provides a framework for evaluating third-party security providers. Key considerations include:
- Security certifications and compliance attestations
- Incident response capabilities and SLAs
- Access controls and privileged account management
- Data handling and privacy practices
Cross-Sector Dependencies
Energy-Communications Nexus
The Berlin power grid arson attack and rising threats to communications infrastructure highlight the interdependencies between energy and communications sectors. Disruptions to either sector can cascade to affect multiple critical infrastructure domains.
Weather Impact Coordination
With two major winter storms affecting multiple states, cross-sector coordination is essential. Transportation, energy, and communications operators should coordinate response efforts and share situational awareness.
Regulatory & Policy Developments
U.S. Policy Changes
International Organization Withdrawals
The Trump administration withdrew the U.S. from 66 international organizations, including several with cybersecurity relevance:
- Global Forum on Cyber Expertise (GFCE): International platform for cyber capacity building
- European Centre of Excellence for Countering Hybrid Threats: Focuses on hybrid threat analysis and response
Analyst Assessment: These withdrawals may impact international cybersecurity cooperation and information sharing. Critical infrastructure operators should monitor for any effects on threat intelligence sharing and international coordination mechanisms.
Defense Contractor Executive Order
The White House issued an executive order targeting defense contractor performance and production. Defense industrial base organizations should review the order's requirements and assess compliance implications.
FCC Drone Regulations
The FCC revised covered list rules, introducing temporary exemptions for Blue UAS and Buy American drones. Organizations using unmanned systems should review updated compliance requirements.
International Developments
UK Cyber Action Plan
The UK government unveiled a new cyber action plan focused on government systems. Notably, the plan does not include guidance for the private sector or critical national infrastructure, representing a government-centric approach to cyber resilience.
NIS2 Implementation (Germany)
Germany's BSI launched a new portal to support NIS2 directive implementation. European critical infrastructure operators should monitor NIS2 compliance requirements and deadlines.
Microsoft 365 MFA Requirement
Microsoft will begin enforcing multi-factor authentication for Microsoft 365 admin center sign-ins starting February 2026. Organizations should:
- Ensure all admin accounts have MFA configured
- Review emergency access procedures
- Update documentation and training materials
Training & Resource Spotlight
New Resources
Water ISAC MSP Selection Guide
Water ISAC released comprehensive guidance on selecting managed service providers, particularly relevant for water and wastewater utilities with limited internal IT resources. Access the guide (membership required for full content).
Agentic AI Security Framework
SecurityWeek published analysis on rethinking security for agentic AI, providing a framework for organizations deploying autonomous AI systems. Key recommendations include shifting from static policy enforcement to real-time behavioral governance.
Edge IoT Security Guidance
CSO Online published guidance on cybersecurity at the edge, focusing on securing rugged IoT devices in mission-critical environments. Relevant for industrial control system operators and critical infrastructure with distributed sensor networks.
Industry Investment Trends
Significant cybersecurity investments this week signal market priorities:
- Cyera: Raised $400 million at $9 billion valuation for data security platform
- CrowdStrike/SGNL: $740 million acquisition for identity security
- Blackbird.AI: Raised $28 million for narrative intelligence platform
These investments highlight growing focus on data security, identity protection, and disinformation defense.
Professional Development
CISO Career Guidance
CSO Online published profiles and guidance on CISO career development, including certification recommendations and trend analysis for 2026.
Looking Ahead: Upcoming Events
Key Dates and Considerations
February 2026
- Microsoft 365 MFA Enforcement: Multi-factor authentication will be required for Microsoft 365 admin center access. Organizations should complete MFA deployment before enforcement begins.
Threat Periods Requiring Heightened Awareness
- Winter Storm Response: Two major cross-country storms may impact critical infrastructure operations through mid-January. Maintain heightened monitoring and coordination.
- Venezuela-Related Tensions: Following U.S. seizure of Russian-flagged tanker, monitor for potential retaliatory cyber or physical actions against U.S. infrastructure.
- Coast Guard Operation RENEW 2026: Ongoing operation to maintain heating oil supply; maritime and energy sectors should coordinate as needed.
Anticipated Regulatory Milestones
- NIS2 Implementation: European organizations should monitor national implementation timelines and compliance requirements.
- CISA KEV Remediation Deadlines: Federal agencies must remediate newly added HPE OneView and Microsoft Office vulnerabilities per BOD 22-01 timelines.
Seasonal Security Considerations
- Winter Weather Impacts: Cold weather increases demand on energy infrastructure and may stress transportation systems. Ensure backup power and communication systems are operational.
- Heating Oil Supply: Coast Guard Operation RENEW 2026 supports critical fuel deliveries; monitor for any supply disruptions.
This intelligence briefing is based on open-source reporting from January 2-9, 2026. Information is provided for situational awareness and should be validated against authoritative sources before operational decisions. Organizations are encouraged to share relevant threat information through appropriate sector ISACs and public-private partnership channels.
This briefing is generated using AI analysis of public news sources. Always verify critical information through authoritative sources before taking action.