Cybersecurity Headlines - January 27, 2026
Host: Sarah Lane
Podcast: CISO Series
Overview
This episode offers a rapid-fire roundup of significant stories in the world of cybersecurity, including a critical Office zero-day patch from Microsoft, targeted phishing campaigns in India, North Korean-linked attacks on blockchain developers, and new guidance for post-quantum cryptography. Sarah Lane delivers concise, expertly verified updates geared toward InfoSec professionals and practitioners.
Key Discussion Points and Insights
1. Microsoft Office Zero-Day Vulnerability Patched
[00:15-01:09]
- Issue: Microsoft addressed a high-severity zero-day vulnerability in Office actively being exploited.
- Details: The vulnerability allows local, unauthenticated attackers to bypass security features by coercing a user into opening a malicious Office file.
- Response:
  - Immediate fixes were pushed for Office 2021 and Microsoft 365.
  - Office 2016 and 2019 patches are still pending; Microsoft is offering temporary registry mitigations.
- Notable Insight: Attack requires only basic user interaction, highlighting the ongoing risk in social engineering via document files.
"The flaw lets local unauthenticated attackers bypass security features with low complexity user interaction attacks by getting someone to open a malicious Office file."
– Sarah Lane [00:24]
2. Indian Users Targeted by Blackmoon Phishing Campaign
[01:10-01:50]
- Discovery: E Center’s Threat Response Unit identifies a phishing campaign by attackers impersonating India's income tax department.
- Threats Used:
  - Modified Blackmoon banking trojan
  - Chinese-made remote monitoring tool SyncFuture TSM
- Techniques: DLL side-loading, UAC bypass, antivirus evasion, and privilege escalation.
- Purpose: Persistence, surveillance, and data theft, turning infected machines into espionage platforms.
- Tactics: Multi-stage malware delivery and convincing fake tax notices as lures.
3. Konni Group Targets Blockchain Developers
[01:51-02:25]
- Actors: North Korea-linked Konni group.
- Targets: Blockchain developers in Japan, Australia, and India.
- Method: Phishing campaigns using project documentation as lures to compromise development environments and steal wallet credentials.
- Innovation:
  - Use of AI-generated PowerShell backdoors with an “unusually clean structure.”
  - Suggests a move toward longer-term persistence and a broadening beyond the group's traditional South Korean targets.
"The campaign uses an AI generated PowerShell backdoor with unusually clean structure, pointing to a shift towards longer term persistence..."
– Sarah Lane [02:18]
4. CISA's Post-Quantum Cryptography Categories Released
[02:26-02:57]
- Update: CISA, with NSA input, publishes the first list of hardware/software product categories using or moving to post-quantum cryptography (PQC).
- Motivation: Prepares organizations for threats quantum computing poses to current public key cryptography.
- Included Categories: Cloud services, browsers, messaging, endpoint security, and networking—covering key establishment and digital signatures.
- Procurement Guidance: Future purchases in these categories should be PQC-capable.
5. Cloudflare IPv6 BGP Route Leak from Misconfiguration
[03:24-03:49]
- Incident: 25 minutes of IPv6 BGP route leaks in Miami led to network disruption and 12 Gbps of dropped traffic.
- Root Cause: Internal IPv6 prefixes were erroneously announced externally due to a router policy misconfiguration.
- Response: Engineers fixed the configuration, paused automation, and restored normal routing.
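As an added illustration (not from the episode and not Cloudflare's tooling), the kind of pre-announcement check that catches this class of misconfiguration before a policy is pushed: a script that classifies candidate IPv6 prefixes against an allowlist of publicly authorised aggregates and a deny list of ranges that must never be exported. The allowed prefixes (documentation space 2001:db8::/32 stands in for real allocations), the /48 maximum length, and the sample announcements are all constructed assumptions.

```python
"""Constructed example: sanity-check a set of IPv6 prefixes before they are exported to
external BGP peers. Not Cloudflare's tooling; every prefix value below is made up."""
import ipaddress

# Assumption: the only prefixes this site is authorised to announce externally
# (2001:db8::/32 documentation space used as a stand-in for real allocations).
ALLOWED_EXPORT = [ipaddress.ip_network(p) for p in ("2001:db8:100::/40", "2001:db8:200::/40")]

# Ranges that must never leave the network: unique-local (fc00::/7), link-local,
# the unspecified address and loopback.
NEVER_EXPORT = [ipaddress.ip_network(p) for p in ("fc00::/7", "fe80::/10", "::/128", "::1/128")]

# Assumption: most peers discard IPv6 announcements longer than /48, so anything
# more specific is treated as a leak of internal routing detail.
MAX_PREFIX_LEN = 48


def classify_announcement(prefix, allowed=ALLOWED_EXPORT, never=NEVER_EXPORT):
    """Classify one candidate external announcement.

    Returns 'ok', 'internal', 'too-specific', 'unauthorised' or 'invalid'.
    strict=True rejects prefixes with host bits set (e.g. 2001:db8::1/40).
    """
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError:
        return "invalid"
    if net.version != 6:
        return "invalid"  # this checker is IPv6-only
    if any(net.subnet_of(n) for n in never):
        return "internal"
    if net.prefixlen > MAX_PREFIX_LEN:
        return "too-specific"
    if any(net.subnet_of(a) for a in allowed):
        return "ok"
    return "unauthorised"


def check_export_policy(announcements):
    """Classify every prefix; return (verdicts, leaks) where leaks is the list of
    prefixes that must be dropped before the export policy is applied."""
    verdicts = {p: classify_announcement(p) for p in announcements}
    leaks = [p for p, v in verdicts.items() if v != "ok"]
    return verdicts, leaks


# Constructed candidate export set: two legitimate aggregates plus three prefixes
# that a misconfigured policy might let through.
SAMPLE_ANNOUNCEMENTS = [
    "2001:db8:100::/40",    # authorised aggregate
    "2001:db8:200::/40",    # authorised aggregate
    "fd00:cafe::/48",       # unique-local: internal only
    "2001:db8:100:1::/64",  # too specific: an internal backbone link
    "2001:db8:300::/48",    # not in the allowlist
]

if __name__ == "__main__":
    verdicts, leaks = check_export_policy(SAMPLE_ANNOUNCEMENTS)
    for prefix, verdict in verdicts.items():
        print(f"{prefix:24} {verdict}")
    print("leaks to drop:", leaks)
```

Run as a gate in the automation that generates router policy: if `leaks` is non-empty, the push is refused and the offending prefixes are reported, so an internal prefix that slipped into the export set is caught before it reaches a peer rather than 25 minutes after.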
6. Physical Security Vulnerabilities in European Access Systems
[03:50-04:24]
- Research: SEC Consult found over 20 vulnerabilities in dormakaba's exospace systems, used for physical access in major European enterprises.
- Exposed Flaws: Hard-coded credentials, weak cryptography, command injection, and path traversal.
- Risk: Potential for attackers to unlock doors, steal PINs, or move laterally within networks—some systems are Internet-exposed.
- Mitigation: The issues were patched over an 18-month period; exploitation usually requires internal network access, but direct external exposure also exists.
7. Stanley Malware-as-a-Service for Chrome Phishing Extensions
[04:25-05:02]
- Discovery: Varonis researchers find "Stanley," a malware service selling Chrome extensions designed to evade Google's Web Store review.
- Features:
  - Overlays a fullscreen phishing iframe while the real URL bar remains visible.
  - Silent installs on Chrome, Edge, and Brave.
  - A subscription “Lux” tier offers publishing, C2 polling, geotargeting, and notification lures.
8. Real-Time Voice Phishing Attacks on SSO Accounts
[05:03-05:42]
- New Tactic: Real-time "vishing" attacks target single sign-on (SSO) accounts using spoofed domains and live phone calls.
- Goal: Attackers synchronize the live call with MFA prompts to steal credentials.
- Impact: Data exfiltration and extortion, affecting notable victims like SoundCloud and Betterment.
- Research Insight: No vendor vulnerabilities; social engineering and advanced tooling drive these attacks.
"There's no vendor vulnerability involved, just social engineering with more convincing tooling."
– Sarah Lane [05:39]
Notable Quotes & Memorable Moments
- “The flaw lets local unauthenticated attackers bypass security features with low complexity user interaction attacks by getting someone to open a malicious Office file.” — Sarah Lane [00:24]
- “The campaign uses an AI generated PowerShell backdoor with unusually clean structure, pointing to a shift towards longer term persistence…” — Sarah Lane [02:18]
- “There's no vendor vulnerability involved, just social engineering with more convincing tooling.” — Sarah Lane [05:39]
Important Segment Timestamps
- Microsoft Office Zero-Day: [00:15-01:09]
- Blackmoon in India: [01:10-01:50]
- Konni & Blockchain: [01:51-02:25]
- CISA PQC Guidance: [02:26-02:57]
- Cloudflare Route Leak: [03:24-03:49]
- Physical Access Vulnerabilities: [03:50-04:24]
- "Stanley" Chrome Phishing: [04:25-05:02]
- Real-Time SSO Vishing: [05:03-05:42]
Tone & Style
Sarah Lane’s delivery remains concise, matter-of-fact, and direct, reflecting the urgency and seriousness of the topics. The language is technical but accessible, targeting InfoSec professionals as well as broader IT audiences.
For deeper dives, visit cisoseries.com for full stories and expert analysis.
