Svoboda Cybersecurity Brief January 10, 2026

NZ Manage My Health breach exposes 126,000 patient records

A cyberattack on New Zealand’s Manage My Health portal compromised clinical records of 126,000 patients, including discharge summaries and referral data from 45 Northland general practices. The threat actor “Kazu” removed stolen data samples from leak sites, suggesting potential ransom payment despite law enforcement advisories.
Source: DataBreaches.net

Illinois DHS exposes 700K residents’ data via misconfigured maps

The Illinois Department of Human Services accidentally exposed Medicaid/SNAP recipient data for 3+ years due to publicly accessible mapping tools with incorrect privacy settings. The breach included addresses, case numbers, and medical plan details, though names weren’t compromised in most records.
Source: BleepingComputer

Trend Micro patches critical RCE flaw in Apex Central (CVE-2025-69258)

A LoadLibraryEx-related vulnerability allows unauthenticated attackers to execute SYSTEM-level code via malicious DLL injection in Trend Micro’s Apex Central console. The flaw, rated CVSS 9.8, affects on-premises versions below Build 7190.
Impact: Remote code execution with highest privileges.
Mitigation: Apply Critical Patch Build 7190 immediately and restrict remote access.
Source: The Hacker News

Chinese hackers exploit VMware ESXi zero-days pre-disclosure

A Chinese-speaking threat actor used a SonicWall VPN compromise to deploy VMware ESXi exploits (CVE-2025-22224/5/6) developed over a year before Broadcom’s March 2025 patch. The toolkit included VM escape capabilities via a VSOCKpuppet backdoor communicating over port 10000.
Impact: Hypervisor compromise enabling ransomware deployment.
Mitigation: Patch all ESXi instances and monitor VSOCK traffic.
Source: The Hacker News

North Korea’s Kimsuky deploys QR code phishing (“quishing”)

APT43 targeted US think tanks and governments with malicious QR codes redirecting to credential harvesters, bypassing email defenses via mobile device compromise. Attacks used session token theft to circumvent MFA on Microsoft 365/Okta portals.
Source: SecurityWeek

CISA retires 10 emergency directives in bulk closure

The cybersecurity agency retired directives issued between 2019 and 2024 addressing threats such as the SolarWinds, Exchange, and VMware flaws, as their requirements are now covered under Binding Operational Directive 22-01’s Known Exploited Vulnerabilities catalog.
Source: BleepingComputer

Hackers abuse misconfigured proxies for free LLM access

Attackers scanned 73+ commercial LLM endpoints (OpenAI, Anthropic, Google) using low-noise queries to identify vulnerable proxies. GreyNoise observed 80,000+ sessions from VPS IPs across 27 countries, suggesting reconnaissance for future attacks.
Impact: Unauthorized access to paid AI services.
Mitigation: Restrict proxy access and monitor for anomalous query patterns.
Source: BleepingComputer

Illinois man charged for Snapchat account hijacking scheme

Kyle Svara allegedly phished 570+ women by impersonating Snapchat support to steal nudes, which he sold/traded via Reddit and Kik. One client was a convicted university coach who hired him to hack student accounts.
Source: BleepingComputer
