For the latest discoveries in cyber research for the week of 19th January, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
- Spanish energy company Endesa has disclosed a data breach after unauthorized access to a commercial platform used to manage customer information. Media report attackers listed over 1 terabyte of data, including IBANs, for sale.
- Belgian hospital AZ Monica has experienced a cyberattack that forced the shutdown of IT systems across its Deurne and Antwerp campuses. Surgeries were canceled, emergency capacity reduced, and the Red Cross transferred seven critical patients, while radiology, imaging, and chemotherapy were postponed and doctors lacked access to electronic records.
- South Korean conglomerate Kyowon has reported a ransomware attack disrupting operations and potentially exposing customer information. Authorities estimate up to 9.6 million accounts could be affected, with approximately 600 of 800 servers compromised, while the company assesses data exposure and no group has claimed responsibility.
- US digital investment advisor Betterment has disclosed a breach after a social engineering attack on a third-party marketing platform enabled access that was used to send crypto phishing emails. Exposed data includes names, emails, postal addresses, phone numbers, and dates of birth, while customer accounts were not compromised.
- Eurail, operator of Interrail and Eurail passes, has disclosed a security incident affecting customers and seat reservations. Reports note exposure of personal, order, and reservation details, with some outlets referencing possible ID document copies and banking identifiers. DiscoverEU travelers may also be affected.
- Anchorage Police Department (APD) has addressed a third-party incident tied to Whitebox Technologies, a data migration vendor supporting multiple agencies. APD disabled vendor access and removed remaining data from the provider's systems, noting no evidence of APD data misuse as mitigation steps continued.
- Armenia's government has acknowledged a potential leak after an actor advertised eight million records allegedly from official systems for 2,500 dollars. Early indications suggest the data may stem from an electronic civil litigation platform, and authorities are validating the claims.
- US nonprofit Central Maine Healthcare has disclosed a breach affecting 145,381 individuals after intruders persisted on its network between March and June 2025. Compromised data includes personal, treatment, and insurance information. Notifications began this month across affected communities in central, western, and mid-coast Maine.
VULNERABILITIES AND PATCHES
- Check Point Research observed active exploitation of CVE-2025-37164 in HPE OneView, a CVSS 10.0 remote code execution flaw impacting versions 5.20 through 10.20. The RondoDox botnet began exploiting this vulnerability on January 7th. The exploitation was reported to CISA, which added the bug to its KEV catalog.
Check Point IPS provides protection against this threat (HPE OneView Remote Code Execution (CVE-2025-37164))
- Microsoft January Patch Tuesday addressed 114 vulnerabilities, including one actively exploited zero-day, CVE-2026-20805 in Desktop Window Manager. Eight critical flaws were fixed across Windows and components.
Check Point IPS provides protection against this threat (Microsoft Desktop Windows Manager Information Disclosure (CVE-2026-20805))
- A patch was released for CVE-2026-23550 in the Modular DS WordPress plugin, rated maximum severity. Active exploitation began January 13; the flaw allows unauthenticated admin takeover via exposed routes. Users running version 2.5.1 or earlier should upgrade to version 2.5.2 immediately.
- A critical flaw (CVE-2025-36911) in Google’s Fast Pair protocol enables hijacking of Bluetooth audio accessories, eavesdropping, and tracking. Fixes require firmware updates from device vendors rather than phone updates, with many impacted models pending patches.
THREAT INTELLIGENCE REPORTS
- Check Point Research recorded a sharp December surge in cyber attacks in Latin America, where organizations averaged 3,065 weekly hits, a 26% year-over-year increase, while the global average reached 2,027 attacks. Ransomware activity accelerated with 945 publicly reported attacks, a 60% increase year over year.
- Check Point Research has revealed VoidLink, a cloud-native Linux framework with loaders, implants, rootkits, and modular plugins designed for persistence across containers and Kubernetes. It uses rootkits and over 30 modular plugins for credential theft, lateral movement, and covert communication. The toolkit appears China-affiliated and is rapidly evolving, yet no real-world infections have been confirmed.
- Check Point Research uncovered the Sicarii ransomware-as-a-service operation, emerging in late 2025, which uses explicit Israeli/Jewish branding despite Russian-language activity and limited Hebrew proficiency, suggesting possible identity manipulation. The malware geo-fences to avoid Israeli systems, steals data and credentials, scans networks and attempts Fortinet exploitation.
- Check Point Research identified Microsoft as the most impersonated brand in its Q4 2025 phishing ranking, representing 22 percent of attempts, with Google at 13 percent and Amazon at 9 percent. Campaigns spoofed Roblox, Netflix account recovery, and Spanish Facebook pages to steal credentials, enabling account takeover and enterprise access.