WEEKLY TOP TEN: January 12, 2025, 16:00 GMT
- China-Linked UAT-8837 Exploits Sitecore Zero-Day for Initial Access
A China-linked advanced threat actor tracked as UAT-8837 has been observed exploiting a zero-day vulnerability in Sitecore content management systems to gain initial access to targeted North American infrastructure. Cisco Talos reported the activity on Jan 16 after telemetry showed attackers chaining known and unknown bugs to bypass authentication and establish footholds. The campaign appears focused on penetrating critical enterprise environments rather than generic web defacement, raising concerns for organizations that rely on Sitecore for their digital platforms.
- University of Hawaii Cancer Center Patient Data Accessed
The University of Hawaii Cancer Center disclosed on Jan 12 that its patient and research data was accessed by unauthorized actors in a ransomware-linked attack first identified in 2025. Patient records, potentially including Social Security numbers and historical clinical data, were copied before systems were encrypted. The center is working with law enforcement and cybersecurity experts to contain further spread and notify affected individuals, underscoring the persistent risk of legacy data exposure long after the initial compromise.
- Meta Instagram Data Exposure Fueling Phishing
In a dataset leak affecting approximately 17.5 million Instagram users, names, emails, and phone numbers began circulating on underground forums and were rapidly weaponized in phishing campaigns targeting business and influencer accounts. Meta clarified that no new system breach occurred, attributing the exposure to historical scraping, but the operational impact was immediate: widespread fraudulent password-reset and account-takeover attempts were reported within 24 hours.
- Five Belgian Hospitals Data Breach via Shared Supplier
Separate from AZ Monica's outage, a supplier of patient registration software was found to have leaked login and personal data tied to five Belgian hospitals, exposing about 71,000 patient and provider credentials on darknet forums. The supplier's breach highlights the systemic risk posed by shared healthcare IT vendors and has prompted wider incident response and forced password resets across the affected institutions.
- Microsoft Patch Tuesday Fixes Actively Exploited Zero-Day
Microsoft released its first Patch Tuesday of 2026, addressing 114 vulnerabilities across Windows, Office, Azure, and Edge. Three zero-days were included, one already exploited in the wild. The flaws ranged from privilege escalation to remote code execution, underscoring the urgency for enterprises to patch immediately.
- Target Confirms Internal Source Code Leak After Hack
Major U.S. retailer Target Corporation faced a security breach in which hackers claimed to have obtained internal source code repositories from the company's development servers. After the activity was reported, Target took the affected dev server offline and restricted access, but samples of the allegedly stolen code surfaced publicly before removal. While the full extent of the compromise and the systems affected have not been disclosed, leaked source code can materially increase risk to applications, cloud environments, and developer pipelines if reused credentials or API keys are exposed.
- Critical Fortinet FortiSIEM Flaw Actively Exploited in Attacks
Security researchers confirmed that attackers are exploiting a critical vulnerability in Fortinet's FortiSIEM product (CVE-2025-64155), with public proof-of-concept code available as of Jan 16. The flaw allows unauthenticated attackers to perform arbitrary writes and escalate privileges to root by abusing exposed command handlers. Organizations deploying FortiSIEM for security event management should treat these exploit attempts as high risk and prioritize mitigation, especially in environments where FortiSIEM has administrative network access.
- Gootloader Malware Now Uses 1,000-Part ZIP Delivery
The Gootloader malware family, often used to establish initial access for broader intrusion activity, has evolved its delivery mechanism by using malformed ZIP archives split into up to 1,000 parts. The technique, reported Jan 15, frustrates detection and analysis tools when they attempt to reconstruct the payload. The stealthier packaging increases the odds of successful delivery and execution, particularly against automated sandbox environments, and raises the bar for defenders, who need to adjust their detection logic accordingly.
- Credential-Stealing Chrome Extensions Target Enterprise HR Platforms
Security teams have identified a set of malicious Chrome extensions impersonating tools for HR and ERP platforms such as Workday and NetSuite that harvest enterprise credentials. Reported Jan 17, these extensions can capture authentication tokens and redirect users away from management controls, heightening the risk of lateral movement and account takeover across business environments that use these widely deployed enterprise systems.
- StealC Malware Control Panel Flaw Exposed Attacker Infrastructure
On Jan 16, researchers exploited a cross-site scripting flaw in the StealC info-stealing malware's control panel to observe active sessions and gain insight into attacker infrastructure. While this is a defensive intelligence win, it highlights that StealC operators maintain exposed web services that can power credential theft and subsequent breaches at enterprises. Those tracking attacker tooling should note this exposure as a temporary window for defenders to understand ongoing operations.
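A defender-side check for the split-archive delivery described in the Gootloader item above, added here as an illustration and not code from any of the reports this digest summarizes. It parses the ZIP end-of-central-directory (EOCD) record and flags archives that declare themselves one volume of a multi-volume set, whose central directory spans volumes, or whose central directory points beyond the end of the file (a part is missing). The sample archive, the volume numbers, and the mark_as_volume helper are constructed for the demonstration; the page does not detail how Gootloader actually splits its archives, so the assumption here is that splitting surfaces in the standard multi-disk fields of the ZIP format, which is where a mail gateway or sandbox can look before spending effort on reassembly.

```python
import io
import struct
import zipfile
from typing import Optional

# Fixed part of the ZIP end-of-central-directory record (22 bytes):
# signature, this-disk number, disk where the central directory (CD) starts,
# CD entries on this disk, total CD entries, CD size, CD offset, comment length.
EOCD_SIG = b"PK\x05\x06"
EOCD = struct.Struct("<4sHHHHIIH")


def parse_eocd(data: bytes) -> Optional[dict]:
    """Locate and decode the EOCD record; None if absent or truncated."""
    # The EOCD sits at the end of the file, followed only by a comment of
    # at most 65535 bytes, so searching that window is sufficient.
    idx = data.rfind(EOCD_SIG, max(0, len(data) - 65535 - EOCD.size))
    if idx < 0 or idx + EOCD.size > len(data):
        return None
    _, this_disk, cd_disk, n_here, n_total, cd_size, cd_off, _ = EOCD.unpack_from(data, idx)
    return {
        "this_disk": this_disk,
        "cd_start_disk": cd_disk,
        "entries_this_disk": n_here,
        "entries_total": n_total,
        "cd_size": cd_size,
        "cd_offset": cd_off,
    }


def assess_zip(data: bytes) -> list:
    """Return findings for archives that look split, partial, or unreadable."""
    findings = []
    eocd = parse_eocd(data)
    if eocd is None:
        findings.append("no usable EOCD record: truncated, not a ZIP, or a non-final volume")
        return findings
    if eocd["this_disk"] != 0 or eocd["cd_start_disk"] != 0:
        findings.append(
            f"multi-volume archive: volume {eocd['this_disk']}, "
            f"central directory starts on volume {eocd['cd_start_disk']}"
        )
    if eocd["entries_this_disk"] != eocd["entries_total"]:
        findings.append(
            f"central directory spans volumes: {eocd['entries_this_disk']} "
            f"of {eocd['entries_total']} entries present"
        )
    if eocd["cd_offset"] + eocd["cd_size"] > len(data):
        findings.append("central directory lies beyond end of file: parts missing")
    return findings


def build_sample_zip() -> bytes:
    """Constructed benign archive standing in for a delivered payload container."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.js", "// constructed placeholder content, not malware\n")
    return buf.getvalue()


def mark_as_volume(data: bytes, volume: int, total_volumes: int) -> bytes:
    """Rewrite the EOCD so the archive claims to be one volume of a split set.

    Constructed helper (assumption): models the multi-disk fields the ZIP
    format uses for split archives, not Gootloader's real packaging.
    """
    eocd = parse_eocd(data)
    assert eocd is not None, "sample must start out as a valid archive"
    idx = data.rfind(EOCD_SIG)
    out = bytearray(data)
    is_last = volume == total_volumes - 1
    EOCD.pack_into(
        out, idx, EOCD_SIG,
        volume, total_volumes - 1,
        eocd["entries_total"] if is_last else 0, eocd["entries_total"],
        eocd["cd_size"], eocd["cd_offset"], 0,
    )
    return bytes(out)


if __name__ == "__main__":
    benign = build_sample_zip()
    samples = [
        ("intact archive", benign),
        ("volume 41 of 1000", mark_as_volume(benign, 41, 1000)),
        ("truncated archive", benign[:-10]),
    ]
    for label, blob in samples:
        print(f"{label}: {assess_zip(blob) or ['clean']}")
```

The check is deliberately cheap: it reads 22 bytes from the tail of each attachment and needs no reassembly, so it can run inline at a mail gateway or on sandbox intake. A hit is a triage signal rather than a verdict, since legitimate split archives exist; the value is in routing such files to a reassembly-aware analysis path instead of letting a reconstruction failure pass them through as "unparseable".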
Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The 10 stories above were judged the most significant of the week, ranked from highest risk downward and drawing on multiple sources where available.