Cybersecurity Headlines – January 28, 2026

Host: Sarah Lane
Main Theme:
Daily round-up of major cybersecurity stories in government, ransomware evolution, surveillance technology, critical vulnerabilities, and mobile privacy defenses.

1. US Cyber Chief Uploaded Sensitive Files into Public ChatGPT

(00:10–01:18)

• Incident: Madhu Gautamakala, acting US cyber chief, uploaded documents labeled "For Official Use Only" into a public ChatGPT instance.
• Context: Occurred last summer, alerted Department of Homeland Security (DHS) security systems.
• Details:
  • Documents were not classified, but raised concerns about exposure of sensitive government material.
  • Gautamakala had a special exception to use ChatGPT, otherwise blocked for DHS staff.
  • Triggered an internal review; DHS has not disclosed conclusions.
• Notable Quote:

  “The documents weren't classified, but the uploads prompted an internal review to determine whether sensitive government material had been exposed.” – Sarah Lane (00:30)

• Takeaway: Highlights persistent risks in AI tool adoption within sensitive environments.

2. "Sicarii" (Sakari) Ransomware Can’t Be Decrypted

(01:18–02:01)

• Key Point: Security research by Halcyon and Check Point reveals that the new "Sakari" ransomware is fundamentally flawed.
• Technical Details:
  • Generates fresh RSA keys each time, discards the private key—making decryption impossible even for attackers.
  • Emerged via ransomware-as-a-service.
  • Uses Hebrew language/symbols, possibly as a false flag; code suggests AI assistance.
• Advice:
  • Victims are strongly urged not to pay the ransom—data recovery isn’t possible.
• Notable Quote:

  “The malware generates fresh RSA keys on each execution and discards the private key, leaving no viable recovery path.” – Sarah Lane (01:30)

3. WhatsApp Introduces Anti-Spyware Account Lockdown Feature

(02:02–02:37)

• Feature Overview: High-risk users (journalists, activists, etc.) can now lock accounts to block media/attachments from non-contacts.
• Context: Joins Apple’s Lockdown Mode and Google’s Advanced Protection as a free security safeguard.
• Recognition:
  • Praised by civil rights group AccessNow as a useful, free tool against sophisticated spyware.
• Activation:
  • Located in WhatsApp: Settings > Privacy > Advanced
• Notable Quote:

  “Digital civil rights group AccessNow called it a useful free safeguard for journalists, activists and other vulnerable users.” – Sarah Lane (02:24)

4. Mustang Panda Deploys Updated Info-Stealers

(02:37–03:16)

• Actors: Chinese-linked cyber-espionage group Mustang Panda, using updated “Cool client” malware.
• Targets: Governments in Myanmar, Mongolia, Malaysia, Russia, and Pakistan.
• Capabilities:
  • Clipboard monitoring, Chromium credential theft, tracking active windows.
  • Plugins for remote shell access, file/service management.
  • Data exfiltration using hard-coded API tokens for Google Drive and PixelDrain.

5. Federal Judge Dismisses Virginia Flock Camera Surveillance Suit

(03:17–03:49)

• Ruling: Norfolk, VA’s deployment of 176 flock license plate cameras not unconstitutional.
• Judgment Reasoning:
  • Network too sparse to track full movements (“not like” phone/aerial tracking).
  • Contrasts with stricter rulings in other jurisdictions.
• Looking Ahead: Plaintiff plans to appeal; broader privacy debate continues.

6. WinRAR Path Traversal Vulnerability Still Exploited

(03:50–04:25)

• Flaw Use: Ongoing exploitation by state and criminal groups (Russia-aligned Turla, China-linked actors).
• Operation: Allows dropping payloads via booby-trapped archives—often lands in Windows startup.
• Started: Mid-2025.
• Notable Quote:

  “Winrar path traversal flaw is still being exploited by both state backed and financially motivated groups for initial access.” – Sarah Lane (03:50)

• Market: Increasing demand for packaged WinRAR exploits.

7. Decade-Old Telnet Flaw Reemerges as Critical Threat

(04:25–05:02)

• Details:
  • Authentication bypass in GNU/Netutils’ TelnetD server lets attackers log in as root via argument injection.
  • Major exposure in “legacy IoT and OT equipment.”
• Response:
  • CISA added it to the Known Exploited Vulnerabilities (KEV) list.
  • Updates lag due to supply chain issues; patches may take years to become widespread.
• Trends: Telnet use is rising as SSH adoption falls.
• Recommendation: Eliminate or tightly isolate telnet services.

8. Fortinet Forta Cloud SSO 0day Used in Real Attacks

(05:02–05:45)

• Incident:
  • Authentication bypass 0day lets attackers create rogue admin accounts, extract firewall configs on even patched Fortigate appliances.
• Company Response:
  • Disabled abused SSO accounts.
  • Temporarily shut down SSO globally, restored with interim server-side blocks.
  • Advised admins to treat all impacted devices as compromised.
• Scope: Vulnerability also affects other SAML SSO workflows.
• Notable Quote:

  “The flaw… lets attackers with a Forta Cloud account authenticate to other customers devices.” – Sarah Lane (05:28)

Most Memorable Moment

On ransomware victims being unable to recover:

“Victims are urged not to pay.” – Sarah Lane (01:40)
A rare instance in ransomware news: paying the attackers guarantees no help.

[End of Content Recap]

• Host: Sarah Lane
• For More: Full stories and CISOs' product solution podcasts at cisoseries.com

This summary covers all major news and expert insights from the January 28, 2026 Cybersecurity Headlines episode—enabling readers to grasp the crucial developments of the day without missing the details or tone of the original.