This week saw three critical attack vectors converge: network perimeter takeover via Fortinet CVE-2026-24858, state-sponsored Office zero-day exploitation by APT28, and antivirus supply chain compromise through eScan’s update infrastructure. Attackers demonstrated unprecedented speed—weaponizing fresh vulnerabilities within 72 hours and leveraging trusted security software distribution channels for malware delivery.
Key Metrics:
- 3 critical vulnerabilities actively exploited
- 200-500+ systems compromised via supply chain attack
- 60+ government targets hit by APT28 spear-phishing
- Network perimeter appliances globally vulnerable to immediate takeover
>>Outpace Attackers With AI-Based Automated Penetration Testing
INCIDENT FEED
INCIDENT 1: FORTINET FORTIOS SSO AUTHENTICATION BYPASS
Date of Attack: January 21-27, 2026
Overview
Attackers exploited CVE-2026-24858 (CVSS 9.4), an authentication bypass in the FortiCloud SSO integration used by FortiOS, FortiAnalyzer, FortiManager, and FortiProxy appliances. An attacker holding any valid FortiCloud account can log in to vulnerable appliances belonging to other organizations, bypassing device-specific authentication and landing with administrator rights. Arctic Wolf confirmed exploitation as early as January 21, with rogue administrator accounts created within seconds of each compromise.
Explanation
The vulnerability stems from improper isolation between FortiCloud SSO device registration and authentication validation: an attacker with a legitimate FortiCloud account registers their own test device, then uses the resulting SSO identity to authenticate against other organizations' appliances. Automated scripts then create backdoor administrator accounts (audit, backup, secadmin) and export the firewall configuration, which contains network topology and stored credentials. Fortinet locked out two malicious accounts ([email protected], [email protected]) on January 22.
Impact
- Complete firewall/VPN perimeter compromise
- Network topology and credential exposure
- Persistent backdoor administrator accounts
- Lateral movement gateway to internal networks
Details
CVE-2026-24858: CVSS 9.4 (Critical)
Affected: FortiOS 7.6.0-7.6.5, 7.4.0-7.4.10
Fix: 7.6.6+, 7.4.11+
MITRE ATT&CK: T1190 (Exploit Public-Facing Application)
IOCs: [email protected], [email protected]; rogue admin accounts named audit, backup, secadmin
Immediate Fix (FortiOS CLI):
config system global
    set admin-forticloud-sso-login disable
end
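The two checks above (is FortiCloud SSO really off, and are there admins you did not create) can be run offline against a configuration export. The script below is an added example, not code from the incident feed or from Fortinet: it parses the config/edit/set/next/end structure of a FortiOS CLI export, reports whether admin-forticloud-sso-login is explicitly disabled, lists admin accounts outside an allowlist, and emits the CLI to fix both. SAMPLE_CONFIG and the allowlist are constructed for illustration.

```python
"""Audit a FortiOS CLI export for the CVE-2026-24858 mitigation and rogue admins.

Added example, not code from the original feed or from Fortinet. It walks the
config / edit / set / next / end structure of an exported FortiOS config,
reports whether admin-forticloud-sso-login is confirmed disabled, lists admin
accounts that are not on an allowlist, and emits the CLI to remediate both.
SAMPLE_CONFIG and the allowlist are constructed for illustration.
"""
import shlex

# Backdoor account names reported in the incident feed.
KNOWN_BACKDOOR_NAMES = {"audit", "backup", "secadmin"}

# Constructed FortiOS export: SSO still enabled, one attacker-created admin.
SAMPLE_CONFIG = """\
config system global
    set hostname "edge-fw-01"
    set admin-forticloud-sso-login enable
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "secadmin"
        set accprofile "super_admin"
        set vdom "root"
    next
    edit "noc-ro"
        set accprofile "prof_admin"
        set vdom "root"
    next
end
"""


def parse_fortios(text):
    """Return (global_settings, admins) from a FortiOS CLI export.

    global_settings maps 'set' keys under 'config system global' to values;
    admins maps each account under 'config system admin' to its 'set' keys.
    """
    global_settings, admins = {}, {}
    path, current = [], None          # open config-block stack, current edit name
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        block = path[-1] if path else None
        if kw == "config":
            path.append(" ".join(args))
        elif kw == "edit" and args:
            current = args[0]
            if block == "system admin":
                admins.setdefault(current, {})
        elif kw == "set" and len(args) >= 2:
            key, value = args[0], " ".join(args[1:])
            if block == "system global":
                global_settings[key] = value
            elif block == "system admin" and current in admins:
                admins[current][key] = value
        elif kw == "next":
            current = None
        elif kw == "end" and path:
            path.pop()
    return global_settings, admins


def audit(text, allowed_admins):
    """Check the SSO setting and admin table; return findings plus remediation CLI."""
    global_settings, admins = parse_fortios(text)
    # FortiOS exports omit settings at their default, so only an explicit
    # 'disable' counts as confirmed; anything else is treated as still enabled.
    sso_disabled = global_settings.get("admin-forticloud-sso-login") == "disable"
    rogue = sorted(name for name in admins if name not in allowed_admins)
    cli = []
    if not sso_disabled:
        cli += ["config system global",
                "    set admin-forticloud-sso-login disable",
                "end"]
    if rogue:
        cli.append("config system admin")
        cli += [f'    delete "{name}"' for name in rogue]
        cli.append("end")
    return {
        "sso_confirmed_disabled": sso_disabled,
        "rogue_admins": rogue,
        "known_backdoor_names": sorted(set(rogue) & KNOWN_BACKDOOR_NAMES),
        "remediation_cli": "\n".join(cli),
    }


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG, allowed_admins={"admin", "noc-ro"})
    print(result["rogue_admins"], result["sso_confirmed_disabled"])
    print(result["remediation_cli"])
```

Run it against `show full-configuration` output from each appliance and diff the admin list against your change records; an account the audit flags that nobody can vouch for should be treated as the attacker's, and the exported configuration that went with it as disclosed.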
Takeaway for CISO
Your Fortinet perimeter is a single point of failure. Disable FortiCloud SSO on every appliance now, then hunt for administrator accounts created between January 21 and 27. Treat any configuration that was exported during that window as disclosed and rotate the credentials it contains.
INCIDENT 2: APT28 WEAPONIZES MICROSOFT OFFICE ZERO-DAY
Date of Attack: January 29, 2026
Overview
Russian state-sponsored APT28 (Fancy Bear) exploited CVE-2026-21509, a Mark-of-the-Web (MotW) bypass in Microsoft Office, through weaponized Word documents sent to 60+ Ukrainian government email addresses. Zscaler ThreatLabz observed Covenant Grunt C2 beaconing 72 hours after Microsoft's emergency patch (January 26). The documents, created January 27, embedded Excel.Application OLE objects to bypass killbit protections.
Explanation
CVE-2026-21509 (CVSS 7.8) lets a malicious DOCX instantiate COM objects that MotW should block. APT28 used it to load Covenant Grunt, a C# implant, in memory inside Word's own process: no macros, no UAC prompt. Persistence is a value named WindowsUpdate under the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key. Targets: Ukrainian executive authorities.
Impact
- Government network footholds established
- Credential harvesting from LSASS memory
- Network reconnaissance and lateral movement
- Multi-month espionage persistence likely
Details
CVE-2026-21509: Office MotW Bypass (CVSS 7.8)
Payload: Covenant Grunt (C# implant) + MiniDoor backdoor
Persistence: HKCU\Software\Microsoft\Windows\CurrentVersion\Run, value name WindowsUpdate
MITRE ATT&CK: T1566.001 (Spearphishing Attachment)
Detection: WINWORD.EXE spawning powershell.exe or cmd.exe; unexpected WindowsUpdate value under the HKCU Run key
Patch: KB5035XXX series (all Office versions)
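The detection note above translates directly into hunt logic over endpoint telemetry. The script below is an added example, not code from the report or from Zscaler ThreatLabz: it applies three checks to JSON-lines events shaped like Sysmon EventID 1 (process create), 13 (registry value set) and 10 (process access): Word spawning a shell, a Run-key value named WindowsUpdate, and a non-allowlisted process opening lsass.exe with PROCESS_VM_READ. The LSASS rule and LSASS_ALLOWLIST are assumptions that go beyond the page's own detection note; field names follow Sysmon, and every value in SAMPLE_EVENTS is constructed.

```python
"""Hunt for the APT28 tradecraft above in Sysmon-style process and registry events.

Added example, not code from the original report or from Zscaler ThreatLabz.
Three checks over JSON-lines events shaped like Sysmon EventID 1 (process
create), 13 (registry value set) and 10 (process access): Word spawning a
shell, a Run-key value named WindowsUpdate, and a non-allowlisted process
opening lsass.exe with PROCESS_VM_READ. The LSASS rule and LSASS_ALLOWLIST are
assumptions beyond the page's own detection note; all event values are constructed.
"""
import json
import ntpath
import re

OFFICE_PARENTS = {"winword.exe"}
SHELL_CHILDREN = {"powershell.exe", "cmd.exe"}          # detection named on the page
RUN_WINDOWSUPDATE = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\run\\windowsupdate$", re.I)
PROCESS_VM_READ = 0x0010                                # needed to read LSASS memory
LSASS_ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wininit.exe"}   # assumption; tune per estate

# Constructed events (JSON lines). Paths, SIDs and the encoded command are invented.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "powershell -nop -w hidden -enc SQBFAFgA"}
{"EventID": 1, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "EXCEL.EXE budget.xlsx"}
{"EventID": 13, "Image": "C:\\Users\\user\\AppData\\Roaming\\svcupd.exe", "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsUpdate", "Details": "C:\\Users\\user\\AppData\\Roaming\\svcupd.exe"}
{"EventID": 13, "Image": "C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe", "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive", "Details": "C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"}
{"EventID": 10, "SourceImage": "C:\\Users\\user\\AppData\\Roaming\\svcupd.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"}
{"EventID": 10, "SourceImage": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MsMpEng.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"}
"""


def base(path):
    """Lower-cased file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path).lower()


def hunt(jsonl):
    """Return a list of findings, each {'rule', 'evidence'}, over JSON-lines events."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        eid = ev.get("EventID")
        if eid == 1 and base(ev.get("ParentImage", "")) in OFFICE_PARENTS \
                and base(ev.get("Image", "")) in SHELL_CHILDREN:
            findings.append({"rule": "office_spawns_shell",
                             "evidence": ev.get("CommandLine", "")})
        elif eid == 13 and RUN_WINDOWSUPDATE.search(ev.get("TargetObject", "")):
            findings.append({"rule": "run_key_windowsupdate",
                             "evidence": ev.get("Details", "")})
        elif eid == 10 and base(ev.get("TargetImage", "")) == "lsass.exe":
            access = int(ev.get("GrantedAccess", "0x0"), 16)   # Sysmon reports a hex string
            if access & PROCESS_VM_READ and base(ev.get("SourceImage", "")) not in LSASS_ALLOWLIST:
                findings.append({"rule": "lsass_read_access",
                                 "evidence": ev.get("SourceImage", "")})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["rule"], "->", f["evidence"])
```

Note the caveat the page itself implies: an implant that runs entirely inside WINWORD.EXE will not trip the process-spawn rule, so the Run-key and LSASS rules carry the weight for this intrusion set.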
Takeaway for CISO
Deploy the Office patches today, not on the next Patch Tuesday. Hunt for Covenant Grunt through the HKCU Run key and through Office processes spawning shells. Government and defense organizations are the primary targets.
INCIDENT 3: ESCAN ANTIVIRUS SUPPLY CHAIN ATTACK
Date of Attack: January 20, 2026
Overview
Attackers compromised an eScan regional update server and, during a two-hour window, pushed a trojanized reload.exe (2.3 MB, versus 850 KB for the legitimate binary) to 200-500+ customers across South Asia. The malware disabled eScan, installed a CONSCTLX.exe backdoor, and terminated itself if it detected a debugger or analysis tooling.
Explanation
The attackers swapped the legitimate update for signed malware that cuts the agent off from its vendor by mapping updates.escan.com to 2.3.4.0 in the HOSTS file, adds registry exclusions under the eScan key, deletes core eScan executables, and persists through a scheduled task. The anti-analysis logic specifically checks for ProcMon, Wireshark and debuggers, which indicates the authors expected to run on production endpoints rather than in analyst sandboxes.
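The HOSTS-file sinkholing is the cheapest of these indicators to sweep for at scale. The script below is an added example, not code from the write-up or from eScan: it parses a Windows HOSTS file, flags every mapping for a vendor domain or any of its subdomains regardless of the address used, and returns a cleaned copy with those lines commented out. SAMPLE_HOSTS is constructed; updates.escan.com mapped to 2.3.4.0 is the entry from the incident, download.escan.com is an invented second entry, and VENDOR_DOMAINS is an assumed list of domains that should never be overridden locally.

```python
"""Hunt for HOSTS-file sinkholing of a security vendor's update domain.

Added example, not code from the original write-up or from eScan. It parses
a Windows HOSTS file, flags every mapping for a vendor domain (or any of its
subdomains) regardless of the address used, and returns a cleaned copy with
those lines commented out. SAMPLE_HOSTS is constructed: updates.escan.com ->
2.3.4.0 is the mapping from the incident, download.escan.com is an invented
second entry. VENDOR_DOMAINS is an assumed list of domains that should never
be overridden locally.
"""
import ipaddress

VENDOR_DOMAINS = {"escan.com"}   # assumption: add your own AV/EDR update domains

SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
10.0.0.5    build.corp.example
2.3.4.0 updates.escan.com
2.3.4.0\tdownload.escan.com   # added by the trojanized update
0.0.0.0 telemetry.example.net
"""


def parse_hosts(text):
    """Yield (line_number, address, hostname) for every valid mapping in a HOSTS file."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                                 # malformed line, not a mapping
        for host in fields[1:]:                      # one address may name several hosts
            yield lineno, addr, host.lower()


def is_vendor_host(host, vendor_domains):
    """True if host is a vendor domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in vendor_domains)


def vendor_overrides(text, vendor_domains=VENDOR_DOMAINS):
    """Return findings for every HOSTS mapping that touches a vendor domain."""
    hits = []
    for lineno, addr, host in parse_hosts(text):
        if is_vendor_host(host, vendor_domains):
            hits.append({"line": lineno, "host": host, "address": str(addr),
                         # 0.0.0.0 / 127.x / :: entries are blackholes; a routable address
                         # such as 2.3.4.0 sends the traffic somewhere else entirely
                         "blackhole": addr.is_unspecified or addr.is_loopback})
    return hits


def disable_overrides(text, vendor_domains=VENDOR_DOMAINS):
    """Return the HOSTS text with offending lines commented out, ready to write back."""
    bad_lines = {h["line"] for h in vendor_overrides(text, vendor_domains)}
    out = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        out.append("# REMOVED-BY-IR " + raw if lineno in bad_lines else raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for hit in vendor_overrides(SAMPLE_HOSTS):
        print(hit)
    print(disable_overrides(SAMPLE_HOSTS))
```

Any mapping for a vendor update domain is a finding here, not only blackholes: a legitimate endpoint has no reason to pin its security vendor's hosts locally, and a routable sinkhole like 2.3.4.0 is the harder case to spot by eye.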
Impact
- Antivirus transformed into malware distributor
- SYSTEM-level code execution on all updated systems
- Domain compromise risk via credential harvesting
- Supply chain trust erosion across security vendors
Details
Malicious Files: reload.exe (SHA256: 8a9b0c1d…), CONSCTLX.exe
HOSTS: 2.3.4.0 updates.escan.com
Registry: HKLM\Software\MicroWorld\eScan\Exclusions
Persistence: scheduled task named WindowsUpdate
MITRE ATT&CK: T1195.002 (Compromise Software Supply Chain)
Immediate Action: Replace eScan entirely
Takeaway for CISO
Your AV vendor's update channel runs as SYSTEM on every endpoint, which makes it one of your largest supply chain exposures. Switch from eScan immediately. Require cryptographic validation of updates for all security software: a manifest obtained over a separate, authenticated channel, with the binary's hash checked against it before anything is installed.
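What that validation gate looks like in practice, as an added example rather than eScan's updater or code from this page: a downloaded reload.exe is installed only if its length and SHA-256 match a manifest entry and the manifest version does not roll back. The two byte strings are constructed stand-ins whose sizes mirror the page (about 850 KB legitimate, about 2.3 MB trojanized), MANIFEST is built from the legitimate bytes, and authenticating the manifest itself (a vendor signature over it, fetched separately from the download) is assumed to happen before this gate runs and is not shown.

```python
"""Fail-closed update gate: pin size and SHA-256 of an update binary to a manifest.

Added example, not eScan's updater or code from the page. A downloaded
reload.exe is installed only if its length and SHA-256 match a manifest entry
and the manifest version does not roll back. The two byte strings are
constructed stand-ins sized like the page's figures (about 850 KB legitimate,
about 2.3 MB trojanized); MANIFEST is built from the legitimate bytes.
Authenticating the manifest itself (vendor signature, separate channel) is
assumed to happen before this gate runs and is not shown.
"""
import hashlib
import hmac

KB = 1024
# Constructed stand-ins: an MZ header followed by padding, sized like the real files.
LEGIT_RELOAD = b"MZ" + b"\x00" * (850 * KB - 2)
TROJAN_RELOAD = b"MZ" + b"\x90" * (2300 * KB - 2)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Manifest as the vendor would publish it for this release (constructed).
MANIFEST = {
    "version": 22,
    "files": {"reload.exe": {"size": len(LEGIT_RELOAD), "sha256": sha256_hex(LEGIT_RELOAD)}},
}


def check_update(name, data, manifest, installed_version):
    """Return (ok, reason_or_digest). Any doubt is a rejection; nothing is installed."""
    # Anti-rollback: a replayed older manifest must not downgrade the agent.
    if manifest["version"] < installed_version:
        return False, f"manifest version {manifest['version']} older than installed {installed_version}"
    entry = manifest["files"].get(name)
    if entry is None:
        return False, f"{name} is not listed in the manifest"
    # Cheap check first: the trojanized reload.exe was ~2.7x the legitimate size.
    if len(data) != entry["size"]:
        return False, f"{name}: size {len(data)} bytes, manifest says {entry['size']}"
    digest = sha256_hex(data)
    # Constant-time compare so the result cannot be coaxed out byte by byte.
    if not hmac.compare_digest(digest, entry["sha256"]):
        return False, f"{name}: SHA-256 mismatch"
    return True, digest


if __name__ == "__main__":
    print(check_update("reload.exe", LEGIT_RELOAD, MANIFEST, installed_version=21))
    print(check_update("reload.exe", TROJAN_RELOAD, MANIFEST, installed_version=21))
    print(check_update("CONSCTLX.exe", LEGIT_RELOAD, MANIFEST, installed_version=21))
```

The order of checks is deliberate: a size mismatch rejects the 2.3 MB binary before any hashing, the hash catches a same-size substitution, and the version check stops an attacker who has captured a genuine older manifest from serving it back. None of this helps if the manifest arrives over the same compromised server as the binary, which is why its own signature and channel are the precondition stated in the lead-in.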
