Svoboda Cybersecurity Brief January 16, 2026
Critical WordPress Modular DS Plugin Flaw Exploited for Admin Access
A critical vulnerability (CVE-2026-23550, CVSS 10.0) in the Modular DS WordPress plugin (versions up to 2.5.1) lets unauthenticated attackers obtain administrator access by bypassing the plugin's authentication routes and abusing an auto-login fallback. It has been actively exploited since January 13, 2026, with attacks observed from the IPs 45.11.89[.]19 and 185.196.0[.]11.
Impact: Full site compromise, malware injection, or redirection to scams.
Mitigation: Update to v2.5.2 or later, review web server logs for requests to /api/modular-connector/login/ (especially any from the IPs above or followed by wp-admin activity), regenerate the WordPress salts in wp-config.php so that any sessions an attacker obtained are invalidated, and audit administrator accounts for additions you did not make.
Source: The Hacker News
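The log review suggested above, as an added example that is not from the advisory or the plugin vendor: it parses combined-format web server access logs, pulls out requests to /api/modular-connector/login/, and flags those that came from the two IPs named in the brief or that received a 2xx/3xx response. The log lines are constructed for the example, and the regex assumes the Apache/nginx combined log format.

```python
import re
from collections import Counter

# The two source IPs reported in the brief (defanged there with [.]).
KNOWN_BAD_IPS = {"45.11.89.19", "185.196.0.11"}
# The plugin route named in the mitigation guidance.
SUSPECT_PATH = "/api/modular-connector/login/"

# Apache/nginx combined log format (assumed):
# ip ident user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log; only the two IPs above are taken from the brief.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Jan/2026:09:12:01 +0000] "GET /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
45.11.89.19 - - [14/Jan/2026:09:12:44 +0000] "GET /api/modular-connector/login/?token=x HTTP/1.1" 302 0 "-" "python-requests/2.31"
45.11.89.19 - - [14/Jan/2026:09:12:45 +0000] "POST /wp-admin/plugin-install.php HTTP/1.1" 200 812 "-" "python-requests/2.31"
198.51.100.9 - - [14/Jan/2026:10:03:10 +0000] "GET /api/modular-connector/login/ HTTP/1.1" 403 0 "-" "curl/8.4"
185.196.0.11 - - [15/Jan/2026:02:40:19 +0000] "GET /api/modular-connector/login/ HTTP/1.1" 200 55 "-" "Go-http-client/1.1"
""".splitlines()


def parse_line(line):
    """Return the named fields of one combined-format log line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan(lines):
    """Return (hits, per_ip) for requests to the Modular DS login route.

    Each hit records whether the client is one of the reported IPs and whether
    the server answered 2xx/3xx. A 2xx/3xx on this route from an IP you do not
    recognise is the case to investigate: it may be a successful auto-login.
    """
    hits, per_ip = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # drop the query string
        if not path.startswith(SUSPECT_PATH):
            continue
        status = int(rec["status"])
        rec["known_bad_ip"] = rec["ip"] in KNOWN_BAD_IPS
        rec["success"] = 200 <= status < 400
        hits.append(rec)
        per_ip[rec["ip"]] += 1
    return hits, per_ip


def triage(hits):
    """Split hits into those needing action (2xx/3xx, or from a reported IP) and the rest."""
    urgent = [h for h in hits if h["success"] or h["known_bad_ip"]]
    rest = [h for h in hits if h not in urgent]
    return urgent, rest


if __name__ == "__main__":
    hits, per_ip = scan(SAMPLE_LOG)
    urgent, _ = triage(hits)
    for h in urgent:
        tag = "REPORTED-IP" if h["known_bad_ip"] else ""
        print(f'{h["time"]} {h["ip"]:15} {h["status"]} {h["path"]} {tag}')
    print("requests per IP:", dict(per_ip))
```

On the sample, the two requests from the reported IPs and nothing else are urgent; the 403 from 198.51.100.9 is a probe that was refused. Feed the script your real access log (one line per element of the list) and pivot on any urgent hit's IP to see what it did to wp-admin afterwards.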
Microsoft Disrupts RedVDS Cybercrime Platform Used for $40M Fraud
Microsoft seized infrastructure belonging to RedVDS, a cybercrime service that rented virtual Windows servers (about $24/month) to threat actors (tracked as Storm-2470) for phishing, BEC scams, and credential theft. Microsoft says the platform facilitated attacks that compromised 191,000 organizations since September 2025; the rented servers were built from cloned Windows Server 2022 images sharing the identifier WIN-BUNS25TD77J, and the operators used AI tools to generate lures.
Source: BleepingComputer
Palo Alto Firewalls Vulnerable to DoS via GlobalProtect Flaw (CVE-2026-0227)
A high-severity flaw in PAN-OS (10.1 and later) affecting firewalls with GlobalProtect enabled lets unauthenticated attackers crash the device into maintenance mode. A proof-of-concept exploit exists, but no in-the-wild attacks have been observed; Shadowserver counts roughly 6,000 exposed instances.
Impact: Denial of service; the firewall stays in maintenance mode until it is manually rebooted.
Mitigation: Apply the fixed releases (e.g., PAN-OS 12.1.4, 11.2.10-h2), or disable GlobalProtect where it is not used.
Source: The Hacker News
AWS CodeBuild Misconfiguration Exposed GitHub Repositories to Takeover
A misconfigured regex filter in AWS CodeBuild (fixed in September 2025) could have let attackers hijack AWS's JavaScript SDK and other repositories. The webhook filter that restricted builds to trusted GitHub actors used a regex without anchors (^ and $), so any GitHub user ID that merely contained the trusted ID as a substring passed the check. Because GitHub user IDs are assigned sequentially and are therefore predictable, an attacker could register accounts until one matched, trigger a build, and steal the admin token the build exposed. The researchers dubbed the flaw "CodeBreach."
Impact: Supply chain compromise via malicious code injection into widely used packages.
Mitigation: Anchor webhook filter patterns (or compare IDs exactly rather than with a regex), scope PATs to the least privilege a build needs, and audit CI/CD pipelines for secrets exposed to builds that untrusted parties can trigger.
Source: The Hacker News
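The anchoring bug beside its fix, as an added example that is not AWS's code. The filter semantics modelled here (a regex tested against the numeric GitHub account ID of the actor who triggered the webhook) are an assumption based on the description above, and the account IDs are made up. If an allow-list pattern is meant as a literal, escape it with re.escape before anchoring, or skip the regex entirely as filter_exact does.

```python
import re
from typing import Optional

# Constructed: the GitHub user ID of the one maintainer allowed to trigger builds.
ALLOWED_ACTOR_ID = "4120"


def filter_unanchored(actor_id: str, pattern: str = ALLOWED_ACTOR_ID) -> bool:
    """The weak check: re.search finds the pattern anywhere in the ID, so
    '4120' also accepts '41200', '84120', '141203', and so on."""
    return re.search(pattern, actor_id) is not None


def filter_anchored(actor_id: str, pattern: str = ALLOWED_ACTOR_ID) -> bool:
    """The fixed check: the whole ID must match (same as '^' + pattern + '$')."""
    return re.fullmatch(pattern, actor_id) is not None


def filter_exact(actor_id: str, allowed: str = ALLOWED_ACTOR_ID) -> bool:
    """Simplest of all when the allow-list is literal IDs: no regex at all."""
    return actor_id == allowed


def first_colliding_id(pattern: str, start: int, count: int) -> Optional[int]:
    """Model the attacker: GitHub user IDs are handed out sequentially, so new
    accounts get IDs near `start`. Return the first ID in [start, start+count)
    that the unanchored filter would accept, or None if none does."""
    for uid in range(start, start + count):
        if filter_unanchored(str(uid), pattern):
            return uid
    return None


if __name__ == "__main__":
    uid = first_colliding_id(ALLOWED_ACTOR_ID, start=40000, count=2000)
    print("first attacker ID the unanchored filter accepts:", uid)
    print("anchored filter accepts it:", filter_anchored(str(uid)))
    print("exact comparison accepts it:", filter_exact(str(uid)))
```

With the trusted ID 4120 and new accounts being created from 40000 upward, the unanchored filter first accepts ID 41200; the anchored and exact checks reject it. The filter only gates who can trigger the build, so the second half of the fix is making sure the build cannot hand its admin token to whoever triggered it.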
Gootloader Malware Evolves with 1,000-Part ZIP Archives for Evasion
Gootloader now ships concatenated ZIP archives (500–1,000 parts) with truncated end-of-central-directory (EOCD) records and randomized metadata, which crash or confuse analysis tools such as 7-Zip and WinRAR. The payload, delivered as an XOR-encoded blob, is JScript executed through Windows Script Host.
Impact: Initial access for ransomware and credential theft.
Mitigation: Prevent wscript.exe and cscript.exe from running downloaded files (for example via application control), and change the default handler for .js/.jse files to Notepad so a double-click opens the script instead of executing it.
Source: BleepingComputer
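A structural check for the archive trick described above, as an added example (not Gootloader's code and not from the article). It builds a two-part concatenated ZIP in memory, counts EOCD records and local file headers, checks whether the last EOCD is complete and whether its central-directory offset and size line up with where the EOCD actually sits, and shows which entry Python's zipfile (which honours the last EOCD) would extract. The file names and contents are constructed; the signature scan is a heuristic, since "PK" signatures can also occur by chance inside compressed data.

```python
import io
import struct
import zipfile

LFH_SIG = b"PK\x03\x04"   # local file header
CDH_SIG = b"PK\x01\x02"   # central directory header
EOCD_SIG = b"PK\x05\x06"  # end of central directory record (22 bytes + comment)


def make_zip(name: str, content: bytes) -> bytes:
    """Build a one-entry ZIP in memory (used only to construct the sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, content)
    return buf.getvalue()


def find_all(data: bytes, sig: bytes):
    """Yield every offset at which `sig` occurs."""
    pos = data.find(sig)
    while pos != -1:
        yield pos
        pos = data.find(sig, pos + 1)


def analyze(data: bytes) -> dict:
    """Checks that a normal single archive passes and a concatenated or
    truncated one fails."""
    eocds = list(find_all(data, EOCD_SIG))
    result = {
        "eocd_count": len(eocds),
        "local_header_count": sum(1 for _ in find_all(data, LFH_SIG)),
        "concatenated": len(eocds) > 1,
        "last_eocd_valid": False,
        "cd_points_to_header": False,
        "cd_directly_before_eocd": False,
        "names_seen_by_zipfile": None,
    }
    if eocds:
        last = eocds[-1]
        # Fixed EOCD layout after the signature: disk(2) cd_disk(2)
        # entries_this_disk(2) entries_total(2) cd_size(4) cd_offset(4) comment_len(2)
        if last + 22 <= len(data):
            _, _, _, entries, cd_size, cd_offset, _ = struct.unpack(
                "<HHHHIIH", data[last + 4:last + 22])
            result["last_eocd_valid"] = True
            result["entries_in_last_eocd"] = entries
            # In a self-consistent archive cd_offset lands on a central directory
            # header and the directory runs right up to the EOCD. After
            # concatenation both offsets are relative to the appended part only.
            result["cd_points_to_header"] = data[cd_offset:cd_offset + 4] == CDH_SIG
            result["cd_directly_before_eocd"] = cd_offset + cd_size == last
    # What Python's zipfile, which honours the *last* EOCD, would extract.
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            result["names_seen_by_zipfile"] = zf.namelist()
    except (zipfile.BadZipFile, struct.error, EOFError, OSError):
        pass
    return result


# Constructed sample: two archives glued together, the way the article says
# Gootloader glues hundreds.
PART_A = make_zip("readme.txt", b"hello " * 40)
PART_B = make_zip("invoice.js", b"WScript.Echo('constructed sample');")
CONCATENATED = PART_A + PART_B


if __name__ == "__main__":
    for label, blob in (("single", PART_A), ("concatenated", CONCATENATED),
                        ("truncated", CONCATENATED[:-5])):
        print(label, analyze(blob))
```

The point a triage analyst needs is that different extractors pick different parts of such a file: a raw signature scan sees two local file headers, while zipfile reports only invoice.js. Any sample where eocd_count is greater than one, or where the last EOCD is incomplete or does not line up with its own central directory, deserves detonation of every part rather than just the one your tool happens to extract.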
StackWarp Attack Breaks AMD SEV-SNP Confidential VM Isolation
A hardware flaw (CVE-2025-29943) in AMD Zen 1 through Zen 5 CPUs lets a malicious hypervisor hijack a SEV-SNP guest's execution by desynchronizing the CPU's stack engine, enabling theft of RSA keys and kernel-mode code execution inside the confidential VM. AMD has shipped fixes for EPYC servers since July 2025.
Impact: Compromise of confidential VMs in cloud environments.
Mitigation: Apply AMD's firmware updates. Tenants of confidential VMs cannot patch the host themselves, but they can check the TCB version reported in the SEV-SNP attestation report against AMD's fixed versions to confirm the platform they run on has been updated.
Source: SecurityWeek
Grubhub Confirms Data Breach Linked to ShinyHunters Extortion
Grubhub has confirmed a breach in which data was stolen from its Zendesk instance; ShinyHunters is demanding Bitcoin not to leak both Salesforce data from a February 2025 incident and the newer Zendesk data. The attackers likely used credentials obtained in the Salesloft Drift breach (August 2025).
Source: BleepingComputer
Critical Bluetooth Flaw (WhisperPair) Lets Attackers Hijack Audio Devices
CVE-2025-36911 in Google's Fast Pair protocol lets an attacker within roughly 14 meters force a pairing with affected headphones and speakers (Sony, JBL, and Xiaomi devices among them), enabling eavesdropping or location tracking through Find My Device. Vendor patches are rolling out slowly.
Impact: Unauthorized audio control and user tracking.
Mitigation: Update device firmware; disable Fast Pair if possible.
Source: BleepingComputer
VoidLink Linux Malware Targets Cloud with Zig-Based Modular Framework
A China-linked framework, VoidLink, uses implants written in Zig to steal cloud credentials, hides from detection with LD_PRELOAD-based rootkits, and communicates over HTTP, ICMP, or DNS. It targets AWS, GCP, and Kubernetes environments.
Impact: Long-term espionage or supply-chain attacks.
Mitigation: Monitor /etc/ld.so.preload and the LD_PRELOAD variable in process environments for libraries you did not deploy, and alert on cloud API anomalies such as credentials used from new principals, regions, or hosts.
Source: SecurityWeek
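The preload check suggested above, as an added example that is not from the VoidLink report or from any vendor tool: it parses the two places an LD_PRELOAD rootkit persists (the /etc/ld.so.preload file and the LD_PRELOAD variable in each process's /proc/<pid>/environ), compares every entry against an allow-list, and flags libraries living in tmpfs, world-writable or hidden directories. The allow-list and the file and environment contents are constructed for the example.

```python
from typing import Dict, List

# Assumed per-fleet allow-list of libraries that are legitimately preloaded.
ALLOWED_PRELOADS = {"/usr/lib/x86_64-linux-gnu/libjemalloc.so.2"}
# Directories where a preloaded library has no business living.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/run/user/")


def parse_ld_so_preload(text: str) -> List[str]:
    """/etc/ld.so.preload: whitespace-separated library paths, '#' starts a comment."""
    libs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        libs.extend(line.replace(":", " ").split())
    return libs


def parse_environ(blob: bytes) -> Dict[str, str]:
    """/proc/<pid>/environ is a sequence of NUL-terminated KEY=VALUE strings."""
    env = {}
    for item in blob.split(b"\0"):
        if b"=" in item:
            key, val = item.split(b"=", 1)
            env[key.decode(errors="replace")] = val.decode(errors="replace")
    return env


def preload_from_env(env: Dict[str, str]) -> List[str]:
    """LD_PRELOAD accepts colon- or space-separated entries."""
    return env.get("LD_PRELOAD", "").replace(":", " ").split()


def suspicious_path(lib: str) -> bool:
    """tmpfs/world-writable locations, hidden directories, or non-absolute names."""
    hidden = any(part.startswith(".") for part in lib.split("/") if part)
    return lib.startswith(SUSPICIOUS_DIRS) or hidden or not lib.startswith("/")


def audit(ld_so_preload_text: str, environs: Dict[int, bytes]) -> List[dict]:
    """Return one finding per preload entry that is not on the allow-list."""
    findings = []
    for lib in parse_ld_so_preload(ld_so_preload_text):
        if lib not in ALLOWED_PRELOADS:
            findings.append({"where": "/etc/ld.so.preload", "pid": None,
                             "lib": lib, "suspicious_path": suspicious_path(lib)})
    for pid, blob in sorted(environs.items()):
        for lib in preload_from_env(parse_environ(blob)):
            if lib not in ALLOWED_PRELOADS:
                findings.append({"where": "LD_PRELOAD", "pid": pid,
                                 "lib": lib, "suspicious_path": suspicious_path(lib)})
    return findings


# Constructed inputs standing in for the real files on a host.
LD_SO_PRELOAD = """\
# managed by config management
/usr/lib/x86_64-linux-gnu/libjemalloc.so.2
/dev/shm/.x/libsys.so
"""
ENVIRONS = {
    1234: b"PATH=/usr/bin\0LD_PRELOAD=/tmp/.cache/libnet.so\0HOME=/root\0",
    1300: b"PATH=/usr/bin\0HOME=/home/app\0",
    1410: b"LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libjemalloc.so.2\0",
}

if __name__ == "__main__":
    for f in audit(LD_SO_PRELOAD, ENVIRONS):
        flag = "SUSPICIOUS" if f["suspicious_path"] else "review"
        print(f'{flag:10} {f["where"]:20} pid={f["pid"]} {f["lib"]}')
```

One caveat that matters for exactly this class of malware: an LD_PRELOAD rootkit hooks libc in every dynamically linked process, including the scanner, and can hide its own entry from reads of /etc/ld.so.preload. Collect the inputs from outside the suspect runtime where you can (a statically linked tool, the Kubernetes node rather than the container, or a disk image) rather than trusting a Python process on the compromised host to see the file as it really is.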
Central Maine Healthcare Breach Exposes 145K Patients’ Data
An intrusion between March and June 2025 compromised Social Security numbers, health insurance details, and treatment information. Notifications began in July, with credit monitoring offered to affected patients.
Source: SecurityWeek
JPMorgan Accuses Ex-Advisor of Stealing Client Data for LPL Recruitment
A Florida advisor allegedly accessed 175 client profiles via JPMorgan’s Advisor Central before resigning, violating loyalty agreements.
Source: DataBreaches
HHS OCR Prioritizes HIPAA Enforcement on Hacking, Risk Management
OCR's 2026 enforcement priorities include hacking and ransomware cases, 42 CFR Part 2 substance use disorder records, and parental access to minors' health data. OCR did not directly answer whether layoffs have reduced its capacity to investigate.
Source: DataBreaches
Share this brief: https://svo.bz/KZq0