Top news stories this week
- Vishous attacks. ShinyHunters launch vishing attacks on SSO accounts in a new campaign.
- Exit RAMP. The FBI seizes RAMP cybercrime forum.
- LeakGPT. Acting head of US cyber security agency uploads internal documents into ChatGPT.
- Fast money. More than 30 indicted for ATM hijacking scheme.
- Art attack. Renowned German State museum becomes victim of cyberattack.
- Patch Me Now. VMware, Fortinet, SolarWinds and Microsoft identify new critical vulnerabilities.
1. ShinyHunters launch vishing attacks on SSO accounts in a new campaign
The ShinyHunters extortion gang has claimed responsibility for a wave of voice phishing (vishing) attacks targeting Single Sign-On (SSO) accounts at Okta, Microsoft, and Google. In these attacks, the threat actors impersonate IT support and trick employees into providing their authentication details. The group has relaunched its Tor data leak site, which currently lists breaches at SoundCloud, Betterment and Crunchbase.
So what?
Organisations should enhance their employee training in response to evolving vishing and social engineering attacks.
[Researcher: Milda Petraityte]
2. The FBI seizes RAMP cybercrime forum
The FBI has seized the notorious Russian Anonymous Marketplace (RAMP) cybercrime forum, a platform used to advertise a wide range of malware and hacking services. It gained notoriety as one of the few forums allowing open discussion of ransomware. The seizure gives law enforcement access to user data from the forum, potentially including incriminating information.
So what?
This seizure is likely to provide valuable intelligence on criminal participants, resulting in further opportunities for law enforcement action.
[Researcher: Tlhalefo Dikolomela]
3. Acting head of US cyber security agency uploads internal documents into ChatGPT
The acting director of the US Cybersecurity and Infrastructure Security Agency (CISA) uploaded sensitive government contracting documents to a public version of ChatGPT, triggering automated security alerts at the agency, which is responsible for defending federal networks and critical infrastructure. The incident occurred following a personal request to use ChatGPT, at a time when the AI tool was blocked for most employees over concerns that sensitive information could be retained outside federal systems.
So what?
Organisations should ensure that security policies and procedures are current and appropriate – and enforced at the very top level.
Contact experts such as S-RM to get the latest views on what good AI governance looks like – whether you’re moving fast on AI or still determining your approach.
[Researcher: Lester Lim]
4. Millions of dollars stolen in ATM jacking scheme
The US Department of Justice has charged multiple individuals involved in a scheme to infect ATMs with Ploutus malware. The malware overrides ATM security controls and forces the machine to dispense cash. The use of Ploutus has been linked to the Tren de Aragua gang, which is reported to have used the malware to steal USD 5.4 million to fund its criminal operations.
So what?
It is essential to block access via external drives and USB devices on physically accessible systems.
[Researcher: Adelaide Parker]
5. Renowned German state museum becomes victim of cyberattack
The Dresden State Art Collection has suffered a cyberattack impacting visitor and web services. While remediation is underway, the LKA of Saxony is continuing its investigation. The museum previously fell victim to a burglary in 2019, with stolen items worth an estimated €113 million, making it one of Germany’s ‘heists of the century’.
So what?
While primary attack surfaces vary, institutions need to consider their digital vulnerabilities as much as their physical attack vectors.
[Researcher: Jenny Eysert]
6. VMware, Fortinet, SolarWinds and Microsoft identify new critical vulnerabilities
In the past week, multiple vendors disclosed critical vulnerabilities, including RCE flaws, zero-days and SSO bypasses.
- VMware identified active RCE exploitation of VMware vCenter servers based on an older vulnerability, tracked as CVE-2024-37079.
- SolarWinds has reported that two CVEs, tracked as CVE-2025-40553 and CVE-2025-40551, are being abused for remote code execution.
- Fortinet has released a patch for the SSO bypass (CVE-2026-24858).
- Microsoft has issued an emergency patch for a zero-day vulnerability (CVE-2026-21509) outside of its regular patch cycle on Monday.
So what?
Urgently apply vendor recommendations and patches to mitigate these vulnerabilities in your systems before attackers can exploit them.
[Researcher: Jenny Eysert]