Russian Hackers Target Polish Grid, Multiple Supply Chain Attacks, and Two Critical Zero-Days Under Active Exploitation

Fortinet has confirmed that CVE-2026-24858 is a zero-day vulnerability, with active exploitation first observed on January 20, 2026. Attackers successfully compromised FortiGate firewalls, even those running the latest firmware at the time, by exploiting the FortiCloud SSO flaw to create new local administrator accounts. This provides attackers with persistent and privileged access, highlighting the critical need for immediate patching and thorough compromise hunting. The vulnerability's low attack complexity and lack of user interaction make it particularly dangerous.

Further analysis of the RedKitten campaign identifies the C# implant as 'SloppyMIO'. Initial access is now confirmed via password-protected Excel spreadsheets, a technique used to bypass email gateway scanning. The malware employs advanced evasion tactics including steganography to hide its configuration and AppDomain Manager injection for stealthy execution. Persistence is achieved through scheduled tasks. These new technical details highlight increased sophistication and evasiveness, making detection and mitigation more challenging for targeted human rights NGOs and activists.

Microsoft has confirmed that its internal threat intelligence teams were responsible for discovering the active exploitation of CVE-2026-21509, leading to the urgent out-of-band patch. Further details clarify the attack complexity as low with no privileges required, though user interaction is still necessary. New observables include monitoring for 'mshta.exe' spawned by Office applications. Detection methods are refined to include URL and File Analysis (D3-UA, D3-FA) for email gateways, and remediation guidance now specifies deployment via WSUS or Configuration Manager. No specific threat actor has been named.

The Catalan Cybersecurity Agency's 'Cybersecurity Outlook Report for 2026' reveals 82.6% of malicious emails now leverage generative AI, validating earlier predictions about AI weaponization. This significantly increases the sophistication and success rate of phishing, making scams 'almost perfect' and harder for users to identify. The report emphasizes the need for AI-powered defenses, updated user training, MFA, and browser isolation to combat this widespread threat, which has lowered the barrier to entry for criminals and increased attack scale.

A new Forescout Vedere Labs report, analyzing 900 million attacks in 2025, confirms a dramatic 84% increase in attacks leveraging OT-specific protocols like Modbus. Crucially, it highlights that 71% of exploited vulnerabilities are not listed in CISA's KEV catalog, challenging current prioritization strategies. This finding suggests a broader attack surface than previously understood, requiring organizations to adopt more comprehensive, risk-based vulnerability management beyond KEV lists. The report reinforces the escalating threat to industrial and IoT environments, emphasizing the need for enhanced network monitoring and device hardening.