# Today's Top Stories

February 24, 2026

  1. Dark Reading general Feb 23
    600+ FortiGate Devices Hacked by AI-Armed Amateur

    A Russian-speaking threat actor used generative AI tools to compromise over 600 FortiGate firewalls across 55+ countries, targeting credentials and backups for potential ransomware follow-on attacks. Amazon's threat intelligence team discovered the campaign, highlighting how adversaries are leveraging AI to scale traditional firewall exploitation techniques.

  2. BleepingComputer general Feb 23
    Android mental health apps with 14.7M installs filled with security flaws

    Security researchers identified critical vulnerabilities in several Android mental health apps with 14.7 million combined Google Play downloads that expose users' sensitive medical information. The flaws demonstrate how healthcare-related mobile applications continue to lack proper security controls despite handling highly sensitive patient data.

  3. The Hacker News general Feb 23
    APT28 Targeted European Entities Using Webhook-Based Macro Malware

    APT28 conducted Operation MacroMaze between September 2025 and January 2026, targeting Western and Central European entities using webhook-based macro malware and exploitation of legitimate services. The Russian state-sponsored group's campaign demonstrates continued evolution in its attack methodology while maintaining focus on European targets.

  4. Dark Reading general Feb 23
    Iran's MuddyWater Targets Orgs With Fresh Malware as Tensions Mount

    Iran's MuddyWater threat group deployed new malware strains including GhostFetch, CHAR, and HTTP_VIP in Operation Olalampo, targeting organizations across the Middle East and Africa starting January 26, 2026. The campaign showcases the group's continued development of fresh attack tools amid escalating regional tensions.

  5. BleepingComputer general Feb 23
    CISA: Recently patched RoundCube flaws now exploited in attacks

    CISA added two recently patched RoundCube Webmail vulnerabilities to its Known Exploited Vulnerabilities catalog after detecting active exploitation in attacks, ordering federal agencies to patch within three weeks. The XSS flaws in the widely used webmail platform affect SVG document processing capabilities.

  6. Dark Reading general Feb 23
    Spitting Cash: ATM Jackpotting Attacks Surged in 2025

    ATM jackpotting attacks surged in 2025, costing banks over $20 million in losses as criminals continue using decade-old tools and tactics to force ATMs to dispense cash. The resurgence demonstrates how legacy ATM security vulnerabilities remain exploitable despite years of awareness.

  7. SecurityWeek general Feb 23
    Mississippi Hospital System Closes All Clinics After Ransomware Attack

    The University of Mississippi Medical Center closed all 36 clinics statewide and canceled elective procedures following a ransomware attack, demonstrating the severe operational impact on healthcare delivery. The incident highlights healthcare's continued vulnerability to ransomware disrupting patient care across entire regional networks.

  8. SecurityWeek general Feb 23
    US Healthcare Diagnostic Firm Says 140,000 Affected by Data Breach

    The Everest ransomware group breached Vikor Scientific (now Vanta Diagnostics), a US healthcare diagnostic firm, affecting 140,000 individuals' personal and medical information. The attack on the laboratory services provider adds to the growing list of healthcare data breaches exposing sensitive patient records.

  9. The Hacker News general Feb 23
    Malicious npm Packages Harvest Crypto Keys, CI Secrets, and API Tokens

    Socket discovered the SANDWORM_MODE supply chain campaign using at least 19 malicious npm packages to harvest cryptocurrency keys, CI secrets, and API tokens in a Shai-Hulud-like worm attack. The active campaign targets developers' credentials and cryptocurrency wallets through compromised JavaScript packages.

  10. SecurityWeek general Feb 23
    Romanian Hacker Pleads Guilty to Selling Access to US State Network

    Romanian hacker Catalin Dragomir pleaded guilty in US court to selling network access to an Oregon state government office, demonstrating how cybercriminals monetize compromised government infrastructure. The case highlights the ongoing threat of initial access brokers targeting state and local government networks.