Cybersecurity Headlines – January 28, 2026

Host: Sarah Lane
Main Theme:
Daily round-up of major cybersecurity stories in government, ransomware evolution, surveillance technology, critical vulnerabilities, and mobile privacy defenses.

1. US Cyber Chief Uploaded Sensitive Files into Public ChatGPT

(00:10–01:18)

Incident: Madhu Gautamakala, acting US cyber chief, uploaded documents labeled "For Official Use Only" into a public ChatGPT instance.
Context: Occurred last summer, alerted Department of Homeland Security (DHS) security systems.
Details:
- Documents were not classified, but raised concerns about exposure of sensitive government material.
- Gautamakala had a special exception to use ChatGPT, otherwise blocked for DHS staff.
- Triggered an internal review; DHS has not disclosed conclusions.
Notable Quote:

“The documents weren't classified, but the uploads prompted an internal review to determine whether sensitive government material had been exposed.” – Sarah Lane (00:30)
Takeaway: Highlights persistent risks in AI tool adoption within sensitive environments.

2. "Sicarii" (Sakari) Ransomware Can’t Be Decrypted

(01:18–02:01)

Key Point: Security research by Halcyon and Check Point reveals that the new "Sakari" ransomware is fundamentally flawed.
Technical Details:
- Generates fresh RSA keys each time, discards the private key—making decryption impossible even for attackers.
- Emerged via ransomware-as-a-service.
- Uses Hebrew language/symbols, possibly as a false flag; code suggests AI assistance.
Advice:
- Victims are strongly urged not to pay the ransom—data recovery isn’t possible.
Notable Quote:

“The malware generates fresh RSA keys on each execution and discards the private key, leaving no viable recovery path.” – Sarah Lane (01:30)

3. WhatsApp Introduces Anti-Spyware Account Lockdown Feature

(02:02–02:37)

Feature Overview: High-risk users (journalists, activists, etc.) can now lock accounts to block media/attachments from non-contacts.
Context: Joins Apple’s Lockdown Mode and Google’s Advanced Protection as a free security safeguard.
Recognition:
- Praised by civil rights group AccessNow as a useful, free tool against sophisticated spyware.
Activation:
- Located in WhatsApp: Settings > Privacy > Advanced
Notable Quote:

“Digital civil rights group AccessNow called it a useful free safeguard for journalists, activists and other vulnerable users.” – Sarah Lane (02:24)

4. Mustang Panda Deploys Updated Info-Stealers

(02:37–03:16)

Actors: Chinese-linked cyber-espionage group Mustang Panda, using updated “Cool client” malware.
Targets: Governments in Myanmar, Mongolia, Malaysia, Russia, and Pakistan.
Capabilities:
- Clipboard monitoring, Chromium credential theft, tracking active windows.
- Plugins for remote shell access, file/service management.
- Data exfiltration using hard-coded API tokens for Google Drive and PixelDrain.

5. Federal Judge Dismisses Virginia Flock Camera Surveillance Suit

(03:17–03:49)

Ruling: Norfolk, VA’s deployment of 176 flock license plate cameras not unconstitutional.
Judgment Reasoning:
- Network too sparse to track full movements (“not like” phone/aerial tracking).
- Contrasts with stricter rulings in other jurisdictions.
Looking Ahead: Plaintiff plans to appeal; broader privacy debate continues.

6. WinRAR Path Traversal Vulnerability Still Exploited

(03:50–04:25)

Flaw Use: Ongoing exploitation by state and criminal groups (Russia-aligned Turla, China-linked actors).
Operation: Allows dropping payloads via booby-trapped archives—often lands in Windows startup.
Started: Mid-2025.
Notable Quote:

“Winrar path traversal flaw is still being exploited by both state backed and financially motivated groups for initial access.” – Sarah Lane (03:50)
Market: Increasing demand for packaged WinRAR exploits.

7. Decade-Old Telnet Flaw Reemerges as Critical Threat

(04:25–05:02)

Details:
- Authentication bypass in GNU/Netutils’ TelnetD server lets attackers log in as root via argument injection.
- Major exposure in “legacy IoT and OT equipment.”
Response:
- CISA added it to the Known Exploited Vulnerabilities (KEV) list.
- Updates lag due to supply chain issues; patches may take years to become widespread.
Trends: Telnet use is rising as SSH adoption falls.
Recommendation: Eliminate or tightly isolate telnet services.

8. Fortinet Forta Cloud SSO 0day Used in Real Attacks

(05:02–05:45)

Incident:
- Authentication bypass 0day lets attackers create rogue admin accounts, extract firewall configs on even patched Fortigate appliances.
Company Response:
- Disabled abused SSO accounts.
- Temporarily shut down SSO globally, restored with interim server-side blocks.
- Advised admins to treat all impacted devices as compromised.
Scope: Vulnerability also affects other SAML SSO workflows.
Notable Quote:

“The flaw… lets attackers with a Forta Cloud account authenticate to other customers devices.” – Sarah Lane (05:28)

Most Memorable Moment

On ransomware victims being unable to recover:

“Victims are urged not to pay.” – Sarah Lane (01:40)
A rare instance in ransomware news: paying the attackers guarantees no help.

[End of Content Recap]

Host: Sarah Lane
For More: Full stories and CISOs' product solution podcasts at cisoseries.com

This summary covers all major news and expert insights from the January 28, 2026 Cybersecurity Headlines episode—enabling readers to grasp the crucial developments of the day without missing the details or tone of the original.

Transcript

A (0:00)

From the CISO series. It's Cybersecurity Headlines.

B (0:07)

These are the cybersecurity headlines for Wednesday, January 28, 2026. I'm Sarah Lane. US cyber chief uploaded sensitive files into public chatgpt POLITICO Sources say the US's acting cyber chief, Madhu Gautamakala, uploaded contracting documents marked for for official use only into a public version of ChatGPT last summer, triggering automated security alerts inside the Department of Homeland Security. The documents weren't classified, but the uploads prompted an internal review to determine whether sensitive government material had been exposed. Gautamakala had received a special Exception to use ChatGPT at a time when it was blocked for other DHS employees. DHS hasn't said what the review concluded. Vive Coded Sakari ransomware can't be decrypted Security researchers at Halcyon and Check Point Research say a new ransomware strain called Sakari is so poorly built that paying the ransom won't decrypt victims data. The malware generates fresh RSA keys on each execution and discards the private key, leaving no viable recovery path. Sakari surfaced as a ransomware as a service offering and uses Hebrew symbols and language that Check Point believes may be machine translated and a false flag identity. Researchers say the code likely involved AI tooling and victims are urged not to pay. WhatsApp account feature combats spyware WhatsApp introduced a strict account settings option that lets high risk users lock down their accounts against security sophisticated spyware attacks. The feature blocks attachments and media from non contacts and joins protections like Apple's lockdown mode and Google's advanced protection. Digital civil rights group AccessNow called it a useful free safeguard for journalists, activists and other vulnerable users. Users can enable it under Settings Privacy Advanced Mustang Panda deploys infostealers via Cool clients Kaspersky researchers say China linked Mustang Panda is running an updated Cool client backdoor in espionage operations against government targets in Myanmar, Mongolia, Malaysia, Russia and Pakistan. The new variant adds clipboard monitoring browser credential theft across chromium based browsers, active window tracking and expanded plugins for remote shell access, file and service management. Researchers also saw operators using hard coded API tokens for Google Drive and Pixel Drain to exfiltrate data. Huge thanks to our sponsor Conveyor Ever dream of giving customers instant answers to their security questions without ever filling out another questionnaire? Meet Conveyor's new Trust center agent. The agent lives in your Conveyor Trust center and answers every customer question, surfaces, documents and even completes full questionnaires instantly so customers can finish their review and be on their way. Top tech companies like Atlassian, Zapier and more are using Conveyor to automate away tedious work. Learn more@conveyor.com Judge dismisses Virginia Flock Camera Case A federal judge upheld Norfolk, Virginia's use of 176 flock automated license plate reader cameras, rejecting claims they amount to unconstitutional warrantless surveillance. The court ruled the network is too sparse to reveal a whole picture of someone's movements, contrasting it with mobile phone tracking and aerial surveillance cases. The Institute for Justice, which brought the suit, plans to appeal as other cities end flaw contracts over privacy concerns. WinRAR flaw still exploited Google's Threat intel unit says the Winrar path traversal flaw is still being exploited by both state backed and financially motivated groups for initial access. The bug lets attackers use alternate data streams to drop payloads, often into Windows startup via booby trapped archives. Activity started in mid-2025 and involves RA, Russia aligned units, Turla and China linked actors, plus criminals pushing rats and stealers. Google notes a growing market for packaged WinRAR exploits Telnet flaw exposes Forgotten attack Surface Threat actors are exploiting a decade old authentication bypass in GNU and Netutil's TelnetD server that CISA just added to its Kev list. The bug lets attackers log in as root use using a simple argument injection Net. Utils fixed it in version 2.8, but hundreds of thousands of exposed telnet instances are still online, particularly in legacy IoT and OT equipment. Data from Forescout shows telnet usage is rising across industries while SSH declines. Researchers say patches may take years due to supply chain dependencies and advise eliminating or isolating telnet services. Fortinet blocks exploited 0day Fortinet confirmed a new Forta Cloud SSO authentication bypass, 0day, that attackers used to create rogue admin accounts and pull firewall configs from fully patched Fortigate devices. The company disabled abused Forta Cloud SSO accounts, then temporarily shut off SSO globally before restoring it with server side blocks for vulnerable firmware while patches are developed. The flaw, which also affects other SAML SSO paths, lets attackers with a Forta Cloud account authenticate to other customers devices. Fortinet is telling admins to treat impacted systems as compromised. Have you checked out our Security? You should Know Podcast each episode we answer all the questions CISOs have when first learning about a new solution. We have featured dozens of vendor solutions on the show already. If you're in the market for a new security solution, head on over to cisoseries.com to check out some episodes. We've categorized them by product, so it's easy to find the information you need. If you have thoughts on the news from today or about our show in general, be sure to reach out to us. Feedbackisoseries.com we'd really love to hear from you. I am Sarah Lane, reporting for the CISO series. Thank you for listening and we will talk to you tomorrow.

Cybersecurity Headlines – January 28, 2026

Host: Sarah Lane
Main Theme:
Daily round-up of major cybersecurity stories in government, ransomware evolution, surveillance technology, critical vulnerabilities, and mobile privacy defenses.

1. US Cyber Chief Uploaded Sensitive Files into Public ChatGPT

(00:10–01:18)

Incident: Madhu Gautamakala, acting US cyber chief, uploaded documents labeled "For Official Use Only" into a public ChatGPT instance.
Context: Occurred last summer, alerted Department of Homeland Security (DHS) security systems.
Details:
- Documents were not classified, but raised concerns about exposure of sensitive government material.
- Gautamakala had a special exception to use ChatGPT, otherwise blocked for DHS staff.
- Triggered an internal review; DHS has not disclosed conclusions.
Notable Quote:

“The documents weren't classified, but the uploads prompted an internal review to determine whether sensitive government material had been exposed.” – Sarah Lane (00:30)
Takeaway: Highlights persistent risks in AI tool adoption within sensitive environments.

2. "Sicarii" (Sakari) Ransomware Can’t Be Decrypted

(01:18–02:01)

Key Point: Security research by Halcyon and Check Point reveals that the new "Sakari" ransomware is fundamentally flawed.
Technical Details:
- Generates fresh RSA keys each time, discards the private key—making decryption impossible even for attackers.
- Emerged via ransomware-as-a-service.
- Uses Hebrew language/symbols, possibly as a false flag; code suggests AI assistance.
Advice:
- Victims are strongly urged not to pay the ransom—data recovery isn’t possible.
Notable Quote:

“The malware generates fresh RSA keys on each execution and discards the private key, leaving no viable recovery path.” – Sarah Lane (01:30)

3. WhatsApp Introduces Anti-Spyware Account Lockdown Feature

(02:02–02:37)

Feature Overview: High-risk users (journalists, activists, etc.) can now lock accounts to block media/attachments from non-contacts.
Context: Joins Apple’s Lockdown Mode and Google’s Advanced Protection as a free security safeguard.
Recognition:
- Praised by civil rights group AccessNow as a useful, free tool against sophisticated spyware.
Activation:
- Located in WhatsApp: Settings > Privacy > Advanced
Notable Quote:

“Digital civil rights group AccessNow called it a useful free safeguard for journalists, activists and other vulnerable users.” – Sarah Lane (02:24)

4. Mustang Panda Deploys Updated Info-Stealers

(02:37–03:16)

Actors: Chinese-linked cyber-espionage group Mustang Panda, using updated “Cool client” malware.
Targets: Governments in Myanmar, Mongolia, Malaysia, Russia, and Pakistan.
Capabilities:
- Clipboard monitoring, Chromium credential theft, tracking active windows.
- Plugins for remote shell access, file/service management.
- Data exfiltration using hard-coded API tokens for Google Drive and PixelDrain.

5. Federal Judge Dismisses Virginia Flock Camera Surveillance Suit

(03:17–03:49)

Ruling: Norfolk, VA’s deployment of 176 flock license plate cameras not unconstitutional.
Judgment Reasoning:
- Network too sparse to track full movements (“not like” phone/aerial tracking).
- Contrasts with stricter rulings in other jurisdictions.
Looking Ahead: Plaintiff plans to appeal; broader privacy debate continues.

6. WinRAR Path Traversal Vulnerability Still Exploited

(03:50–04:25)

Flaw Use: Ongoing exploitation by state and criminal groups (Russia-aligned Turla, China-linked actors).
Operation: Allows dropping payloads via booby-trapped archives—often lands in Windows startup.
Started: Mid-2025.
Notable Quote:

“Winrar path traversal flaw is still being exploited by both state backed and financially motivated groups for initial access.” – Sarah Lane (03:50)
Market: Increasing demand for packaged WinRAR exploits.

7. Decade-Old Telnet Flaw Reemerges as Critical Threat

(04:25–05:02)

Details:
- Authentication bypass in GNU/Netutils’ TelnetD server lets attackers log in as root via argument injection.
- Major exposure in “legacy IoT and OT equipment.”
Response:
- CISA added it to the Known Exploited Vulnerabilities (KEV) list.
- Updates lag due to supply chain issues; patches may take years to become widespread.
Trends: Telnet use is rising as SSH adoption falls.
Recommendation: Eliminate or tightly isolate telnet services.

8. Fortinet Forta Cloud SSO 0day Used in Real Attacks

(05:02–05:45)

Incident:
- Authentication bypass 0day lets attackers create rogue admin accounts, extract firewall configs on even patched Fortigate appliances.
Company Response:
- Disabled abused SSO accounts.
- Temporarily shut down SSO globally, restored with interim server-side blocks.
- Advised admins to treat all impacted devices as compromised.
Scope: Vulnerability also affects other SAML SSO workflows.
Notable Quote:

“The flaw… lets attackers with a Forta Cloud account authenticate to other customers devices.” – Sarah Lane (05:28)

Most Memorable Moment

On ransomware victims being unable to recover:

“Victims are urged not to pay.” – Sarah Lane (01:40)
A rare instance in ransomware news: paying the attackers guarantees no help.

[End of Content Recap]

Host: Sarah Lane
For More: Full stories and CISOs' product solution podcasts at cisoseries.com

wavePod

US cyber chief uploaded sensitive files into public ChatGPT, Vibe-coded 'Sicarii' ransomware can't be decrypted, WhatsApp account feature combats spyware

Summary

Cybersecurity Headlines – January 28, 2026

1. US Cyber Chief Uploaded Sensitive Files into Public ChatGPT

2. "Sicarii" (Sakari) Ransomware Can’t Be Decrypted

3. WhatsApp Introduces Anti-Spyware Account Lockdown Feature

4. Mustang Panda Deploys Updated Info-Stealers

5. Federal Judge Dismisses Virginia Flock Camera Surveillance Suit

6. WinRAR Path Traversal Vulnerability Still Exploited

7. Decade-Old Telnet Flaw Reemerges as Critical Threat

8. Fortinet Forta Cloud SSO 0day Used in Real Attacks

Most Memorable Moment

[End of Content Recap]

Transcript

Summary

Cybersecurity Headlines – January 28, 2026

1. US Cyber Chief Uploaded Sensitive Files into Public ChatGPT

2. "Sicarii" (Sakari) Ransomware Can’t Be Decrypted

3. WhatsApp Introduces Anti-Spyware Account Lockdown Feature

4. Mustang Panda Deploys Updated Info-Stealers

5. Federal Judge Dismisses Virginia Flock Camera Surveillance Suit

6. WinRAR Path Traversal Vulnerability Still Exploited

7. Decade-Old Telnet Flaw Reemerges as Critical Threat

8. Fortinet Forta Cloud SSO 0day Used in Real Attacks

Most Memorable Moment

[End of Content Recap]