The Cyber Byte - 19 January 2026

Recent cyber threat reporting highlights the increasing sophistication of social engineering, with threat actors manipulating help desks to bypass MFA and state-sponsored groups like Konni APT abusing legitimate advertising platforms for initial access [5, 7]. New vulnerabilities in AI platforms, such as Google's Vertex AI, are creating novel privilege escalation paths by allowing the takeover of high-permission service agents [8]. Concurrently, law enforcement continues to disrupt major ransomware operations, with a joint Ukrainian-German effort identifying members of a prolific Russia-affiliated group [9].

Significant Cyber Incidents and Articles of Interest

  • Payroll Diversion via Social Engineering: A recent incident response investigation revealed a threat actor successfully diverted employee paychecks by targeting organizational help desks. The attacker used social engineering, likely leveraging publicly available information from social media, to impersonate employees and convince help desk personnel at payroll, IT, and HR services to perform password resets and re-enroll MFA devices. Once authenticated into the payroll system, the actor compromised multiple employee accounts and modified direct-deposit details to redirect funds to attacker-controlled accounts, with the fraudulent activity only being discovered when employees reported missing paychecks [5].
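
The detection that would have caught the incident above earlier is a correlation between help-desk credential actions and a later payroll change. The script below is an added example, not code from the original bulletin or from the investigating team; the event schema and the "helpdesk"/"self" actor labels are assumptions about what an identity provider and a payroll system would export, and the events are constructed.

```python
"""Correlate help-desk credential resets with payroll direct-deposit changes.

Added example; the Event schema and actor labels are assumptions, and the
sample events below are constructed rather than taken from real logs."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    kind: str   # "password_reset", "mfa_enroll" or "direct_deposit_change"
    actor: str  # "helpdesk" if support staff performed it, "self" if the user did


# Credential actions that a help desk performs on a caller's behalf.
RESET_KINDS = {"password_reset", "mfa_enroll"}


def _t(hour, minute=0):
    return datetime(2026, 1, 12, hour, minute)


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    # alice: help desk resets password and re-enrols MFA, payroll changed two hours later
    Event(_t(9, 0), "alice", "password_reset", "helpdesk"),
    Event(_t(9, 10), "alice", "mfa_enroll", "helpdesk"),
    Event(_t(11, 0), "alice", "direct_deposit_change", "self"),
    # bob: help-desk MFA re-enrolment, but the payroll change is ten days later
    Event(_t(8, 30), "bob", "mfa_enroll", "helpdesk"),
    Event(datetime(2026, 1, 22, 10, 0), "bob", "direct_deposit_change", "self"),
    # carol: routine payroll change with no preceding reset
    Event(_t(14, 0), "carol", "direct_deposit_change", "self"),
    # dave: self-service reset, which this rule deliberately does not count
    Event(_t(10, 0), "dave", "password_reset", "self"),
    Event(_t(10, 30), "dave", "direct_deposit_change", "self"),
]


def find_suspicious_deposit_changes(events, window=timedelta(hours=72)):
    """Return {user: sorted reset kinds} for every direct-deposit change that
    follows a help-desk-initiated reset of the same user within `window`."""
    by_user = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(ev.user, []).append(ev)

    alerts = {}
    for user, evs in by_user.items():
        recent_resets = []
        for ev in evs:
            if ev.kind in RESET_KINDS and ev.actor == "helpdesk":
                recent_resets.append(ev)
            elif ev.kind == "direct_deposit_change":
                hits = {r.kind for r in recent_resets if ev.ts - r.ts <= window}
                if hits:
                    alerts[user] = sorted(hits)
    return alerts


if __name__ == "__main__":
    for user, kinds in find_suspicious_deposit_changes(SAMPLE_EVENTS).items():
        print(f"ALERT {user}: direct deposit changed after help-desk {', '.join(kinds)}")
```

Only alice is flagged: bob's payroll change falls outside the 72-hour window and dave's reset was self-service. In practice the window and the decision to include self-service resets are tuning knobs; the important design point is that the payroll system's change log and the identity provider's reset log have to be joined on the same user identifier, which is exactly the correlation the help desk and HR services in the incident did not have.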

  • Google Vertex AI Exposes Privilege Escalation Flaws: Security researchers discovered two privilege escalation vulnerabilities in Google's Vertex AI platform, which stem from insecure default configurations. Dubbed "Double Agent," the attack paths in the Vertex AI Agent Engine and Ray on Vertex AI allow a low-privileged user, such as one with a "Viewer" role, to achieve remote code execution and extract the credentials of high-privileged Service Agents. This "confused deputy" attack effectively allows an attacker to escalate privileges to read and write to storage buckets, access chat sessions and LLM memories, and interact with other Google Cloud services, highlighting significant identity risks in emerging AI infrastructure [8].
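
The impact of a confused-deputy path like the one above depends on how much the service agent can do and on who is allowed to act as service accounts at all. The audit below is an added example of that general hygiene check, not code from the researchers or from Google, and it does not encode the specific Vertex AI defaults; the policy is constructed but follows the bindings/role/members shape that `gcloud projects get-iam-policy PROJECT --format=json` emits.

```python
"""Audit a GCP project IAM policy for broad service-account grants and for
principals allowed to act as service accounts.

Added example; the policy below is constructed. The role names are real
predefined GCP roles, but which ones count as "broad" is a judgement call."""
import json

# Roles whose grant to a service account means anyone who can act as that
# account effectively controls the project.
BROAD_ROLES = {"roles/owner", "roles/editor"}

# Roles that let a principal run code as, or mint tokens for, a service account.
IMPERSONATION_ROLES = {
    "roles/iam.serviceAccountUser",
    "roles/iam.serviceAccountTokenCreator",
}

# Constructed policy in the `gcloud projects get-iam-policy` JSON shape.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/viewer",
         "members": ["user:analyst@example.com"]},
        {"role": "roles/editor",
         "members": ["serviceAccount:agent@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/iam.serviceAccountUser",
         "members": ["user:analyst@example.com",
                     "group:platform-admins@example.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:reader@example-project.iam.gserviceaccount.com"]},
    ]
})


def audit_policy(policy_json):
    """Return service accounts holding broad roles and the non-service-account
    principals who may impersonate service accounts."""
    policy = json.loads(policy_json)
    broad_service_accounts = []
    impersonators = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            is_sa = member.startswith("serviceAccount:")
            if role in BROAD_ROLES and is_sa:
                broad_service_accounts.append((member, role))
            if role in IMPERSONATION_ROLES and not is_sa:
                impersonators.append((member, role))
    return {
        "broad_service_accounts": sorted(broad_service_accounts),
        "impersonators": sorted(impersonators),
    }


if __name__ == "__main__":
    for category, findings in audit_policy(SAMPLE_POLICY).items():
        for member, role in findings:
            print(f"{category}: {member} holds {role}")
```

The constructed policy shows the combination that matters: a viewer-level human principal who is also a serviceAccountUser, and a service account with roles/editor. Either finding alone is a review item; together they are the shape of an escalation. Google-managed service agents appear as ordinary serviceAccount: members in this output, so the same pass covers them.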

  • China-Linked Actor Targets North American Critical Infrastructure: Advanced threat actor UAT-8837, believed to be linked to China, gained initial access to critical infrastructure systems in North America by exploiting a ViewState deserialization zero-day (CVE-2025-53690) in Sitecore products, or by using compromised credentials. The flaw was actively exploited before public disclosure, with attackers deploying the WeepSteel reconnaissance backdoor. Post-exploitation, UAT-8837 uses hands-on-keyboard techniques, employing a mix of open-source tools such as SharpHound and living-off-the-land binaries such as dsquery to perform reconnaissance, harvest credentials, and move laterally within the network [2].
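
Hands-on-keyboard reconnaissance with a mix of built-in and open-source tooling, as described above, tends to stand out as a cluster of distinct tools on one host in a short window rather than as any single process. The detector below is an added example, not code from the report's authors; the process-event schema is an assumption about what endpoint telemetry provides, and the events are constructed.

```python
"""Flag hosts where several Active Directory reconnaissance tools run within
a short window.

Added example; the ProcessEvent schema is an assumption and the sample
events are constructed, not captured telemetry."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ProcessEvent:
    ts: datetime
    host: str
    user: str
    image: str    # full path of the executable, Windows style
    cmdline: str


def _basename(path):
    # Windows paths are not split by os.path on POSIX, so normalise separators first.
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify_recon(ev):
    """Return a tool label if the event looks like AD reconnaissance, else None.
    Only the two tools named in the report are covered; extend as needed."""
    name = _basename(ev.image)
    cmd = ev.cmdline.lower()
    if name == "dsquery.exe":
        return "dsquery"
    if "sharphound" in name or "sharphound" in cmd:
        return "sharphound"
    return None


def find_recon_clusters(events, window=timedelta(minutes=30), min_tools=2):
    """Return {host: sorted tool labels} for hosts on which at least `min_tools`
    distinct reconnaissance tools ran within `window` of each other."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        label = classify_recon(ev)
        if label:
            per_host[ev.host].append((ev.ts, label))

    alerts = {}
    for host, hits in per_host.items():
        for i, (start, _) in enumerate(hits):
            tools = {label for ts, label in hits[i:] if ts - start <= window}
            if len(tools) >= min_tools:
                alerts[host] = sorted(tools)
                break
    return alerts


def _t(hour, minute=0):
    return datetime(2026, 1, 14, hour, minute)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # WS01: dsquery followed five minutes later by SharpHound -> cluster
    ProcessEvent(_t(10, 0), "WS01", "CORP\\jsmith",
                 r"C:\Windows\System32\dsquery.exe", "dsquery * -limit 0"),
    ProcessEvent(_t(10, 5), "WS01", "CORP\\jsmith",
                 r"C:\Users\jsmith\AppData\Local\Temp\SharpHound.exe", "SharpHound.exe -c All"),
    # WS02: an administrator running dsquery alone -> no cluster
    ProcessEvent(_t(11, 0), "WS02", "CORP\\admin",
                 r"C:\Windows\System32\dsquery.exe", "dsquery computer -name srv*"),
    # SRV01: both tools, but two hours apart -> outside the window
    ProcessEvent(_t(12, 0), "SRV01", "CORP\\svc",
                 r"C:\Windows\System32\dsquery.exe", "dsquery user -limit 0"),
    ProcessEvent(_t(14, 0), "SRV01", "CORP\\svc",
                 r"C:\Temp\sh.exe", "sh.exe --collectionmethods All"),
    # SRV02: unrelated process
    ProcessEvent(_t(9, 0), "SRV02", "CORP\\bob",
                 r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]


if __name__ == "__main__":
    for host, tools in find_recon_clusters(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: reconnaissance cluster {', '.join(tools)}")
```

Note that the SRV01 SharpHound run is renamed and only its command line is generic, so neither event there is labelled SharpHound; the cluster logic is only as good as the classifier feeding it, which is why a real deployment pairs this with image hashing or behavioural indicators rather than names alone.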
