<div id="weekly"> <div id="trending-threats" class="trending-threats-article"> <h2 id="article-1"><a href="https://www.theregister.com/2026/01/08/rcisco_ise_bug_poc/
" target="_blank" rel="noopener noreferrer">Cisco ISE Flaw Enables Arbitrary File Read via Administrative Access</a></h2> <p>(published: January 8, 2026)</p> <p> A newly disclosed vulnerability in Cisco Identity Services Engine (ISE) has gained attention following the release of a public proof of concept. The issue, tracked as CVE-2026-20029, stems from improper XML parsing within a web-based management interface, enabling an authenticated attacker with administrative privileges to read arbitrary files from the underlying operating system. This could expose sensitive information that should remain inaccessible, even to administrators. Cisco confirmed the flaw affects multiple supported versions of ISE and ISE Passive Identity Connector (ISE-PIC), regardless of configuration, and has released patches to address the issue. While the vulnerability carries a medium CVSS score of 4.9, the existence of a working PoC increases the likelihood of real-world abuse, particularly in enterprise environments where ISE plays a central role in identity and access control. Cisco advises applying updates promptly and limiting exposure of management interfaces.<br> <br><b>Analyst Comment:</b> The most important factor here is not the CVSS score, but the presence of a public proof of concept. History consistently shows that PoCs accelerate attacker interest, especially once a technique is documented and reusable. Although exploitation requires administrative access, that condition often aligns with post-compromise scenarios where attackers already possess elevated credentials. In identity infrastructure like Cisco ISE, the ability to read arbitrary files can expose credentials, configuration data, or internal secrets that enable further lateral movement. Defenders should treat PoC disclosure as the escalation point. 
Patch without delay, restrict management interface access, reduce standing administrative privileges, and review logs for abnormal administrative behavior that may indicate early-stage abuse rather than a fully realized breach.<br> <br><b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/attackpattern/9870">T1078 - Valid Accounts</a> | <a href="https://ui.threatstream.com/attackpattern/9585">T1059 - Command And Scripting Interpreter</a> | <a href="https://ui.threatstream.com/attackpattern/10093">T1068 - Exploitation For Privilege Escalation</a><br> </p> <h2 id="article-1"><a href="https://www.rapid7.com/blog/post/etr-ni8mare-n8scape-flaws-multiple-critical-vulnerabilities-affecting-n8n/" target="_blank" rel="noopener noreferrer">Ni8mare and N8scape Vulnerabilities Expose n8n Automation Platforms to Full Compromise </a></h2> <p>(published: January 8, 2026)</p> <p> Multiple critical vulnerabilities have been disclosed in the n8n workflow automation platform, collectively creating a high risk of full system compromise for exposed deployments. The most severe issue, known as Ni8mare (CVE-2026-21858, CVSS 10.0), allows unauthenticated remote attackers to abuse improper file handling in custom web forms to read arbitrary files and impersonate administrative users. Successful exploitation can enable complete control of the affected instance and, in certain configurations, lead to remote code execution. Additional critical flaws, including the N8scape vulnerability (CVE-2025-68668, CVSS 9.9) and expression injection issues, can be chained after initial access to expand attacker capabilities and persistence. These weaknesses primarily affect self hosted n8n environments that are internet facing. 
Security researchers and the vendor recommend immediate upgrades to patched versions beginning with 1.121.0, along with restricting external access and reviewing automation workflows that interact with sensitive systems.<br> <br><b>Analyst Comment:</b> The real risk here is not just the severity of the individual flaws, but where n8n typically sits in an environment. Automation platforms are often trusted by default and wired directly into APIs, credentials, and internal systems. An unauthenticated path to administrator access turns n8n into a high impact control point for attackers rather than a single compromised service. Defenders should treat any exposed n8n instance as a potential pivot into broader infrastructure. Beyond patching, teams should reassess whether these platforms need direct internet exposure at all and review workflows as security sensitive assets. If an attacker can alter automation logic, they can quietly move data, abuse integrations, and persist without triggering traditional endpoint defenses.<br> <br><b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/attackpattern/10012">T1190 - Exploit Public-Facing Application</a> | <a href="https://ui.threatstream.com/attackpattern/9870">T1078 - Valid Accounts</a> | <a href="https://ui.threatstream.com/attackpattern/9802">T1005 - Data From Local System</a> | <a href="https://ui.threatstream.com/attackpattern/9585">T1059 - Command And Scripting Interpreter</a><br> </p> <h2 id="article-1"><a href="https://www.infosecurity-magazine.com/news/new-zeroclick-attack-chatgpt/
" target="_blank" rel="noopener noreferrer">Zero-Click Prompt Injection Abuse Enables Silent Data Exfiltration via AI Agents </a></h2> <p>(published: January 9, 2026)</p> <p> A newly disclosed exploitation technique, referred to as "ZombieAgent," allows attackers to exfiltrate data through OpenAI's ChatGPT without requiring any direct interaction from the victim. Researchers identified the issue and reported it responsibly to OpenAI in September 2025 via the BugCrowd platform. OpenAI patched the vulnerability in mid-December 2025. The attack abuses how ChatGPT processes and acts on external data sources and connected services. By embedding malicious instructions or payloads within content that the AI ingests, such as emails, cloud documents, or integrated third party services, an attacker can influence the model's behavior and trigger unintended actions. This can result in sensitive information being accessed or transmitted without user awareness. The technique relies on indirect prompt injection and the automated execution paths of AI agents rather than traditional user driven exploitation. This class of zero click attack demonstrates how AI systems that autonomously interpret trusted data can be abused as execution mechanisms, expanding the threat landscape beyond conventional application vulnerabilities.<br> <br><b>Analyst Comment:</b> The key point here is that AI agents are starting to function as privileged intermediaries rather than passive tools. This technique does not rely on tricking a user or exploiting a traditional software flaw. It exploits trust and autonomy. If an AI agent is authorized to automatically read emails or documents and has access to internal data or outbound actions, a maliciously crafted message can act as the trigger. The AI processes the content, follows embedded instructions, and may expose or transmit sensitive information without any user interaction. That is what makes this zero click. For defenders, the takeaway is clear. 
AI agents should be treated like service accounts with strict permissions, limited memory, and full visibility into what they ingest and output. Prompt injection is moving from a curiosity to a practical initial access vector, and it needs to be accounted for in enterprise threat models now.<br> <br><b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/attackpattern/10028">T1566.002 - Phishing: Spearphishing Link</a> | <a href="https://ui.threatstream.com/attackpattern/9585">T1059 - Command And Scripting Interpreter</a> | <a href="https://ui.threatstream.com/attackpattern/9617">T1041 - Exfiltration Over C2 Channel</a><br> </p> <h2 id="article-1"><a href="https://www.infosecurity-magazine.com/news/phishing-exploits-misconfigured/" target="_blank" rel="noopener noreferrer">Phishing Attacks Exploit Misconfigured Email Routing to Spoof Internal Domains </a></h2> <p>(published: January 8, 2026)</p> <p> A growing wave of phishing campaigns is abusing misconfigured email routing and weak domain spoof protections to make malicious messages appear as though they originate from within the target organization. Cybercriminals are exploiting gaps in SPF, DKIM, and DMARC enforcement, especially where email routing is complex or reliant on third-party services, allowing forged messages that mimic internal communications such as HR notices, shared documents, password reset prompts, and voicemail alerts. These crafted lures frequently use phishing-as-a-service platforms like Tycoon2FA to harvest credentials, bypass multi-factor controls, and facilitate business email compromise or financial fraud. Misconfigured MX records or lax policies (for example, DMARC set to “none”) fail to block these spoofed deliveries, increasing success rates. Security advisories emphasize enforcing strict SPF and DMARC reject policies and correctly configuring mail connectors to mitigate this emergent threat. 
<br> <br><b>Analyst Comment:</b> What makes this campaign especially effective is that it targets email architecture rather than user behavior. By abusing environments where MX records do not point directly to Microsoft 365, attackers can bypass Microsoft’s native spoof detection and make phishing emails appear genuinely internal, with the organization’s own domain in both the sender and recipient fields. This shifts the risk from poor user judgment to misaligned trust between email platforms. For defenders, the key takeaway is that complex or hybrid mail routing introduces security gaps that are often invisible until abused. Auditing MX records, enforcing strict SPF, DKIM, and DMARC alignment across all mail paths, and removing implicit trust in upstream gateways are critical steps to close this exposure before it is weaponized.
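<br> <br>The audit recommended above, as an added example that is not part of the original digest: it checks one domain's MX, SPF, and DMARC records for the gaps the article names (mail routed through an upstream gateway, SPF without a hard fail, DMARC left at "none" or only partly enforced). The example.com records and finding codes are constructed, and the Microsoft 365 MX suffixes are an assumption about the tenant.

```python
"""Offline audit of the mail-routing gaps described above (added example)."""

# Assumption: inbound mail should land directly on Microsoft 365, whose MX
# hosts end in one of these suffixes. Any other MX is an upstream gateway.
M365_MX_SUFFIXES = (".mail.protection.outlook.com", ".mx.microsoft")


def parse_tags(record):
    """Split a 'tag=value; tag=value' DMARC record into a dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_all_qualifier(record):
    """Return the qualifier of the SPF 'all' mechanism, or None if absent."""
    for term in record.lower().split()[1:]:
        if term == "all":
            return "+"  # a bare 'all' defaults to pass
        if term[1:] == "all" and term[0] in "+-~?":
            return term[0]
    return None


def audit_mail_domain(mx_hosts, txt_records, dmarc_records):
    """Return sorted finding codes for one domain's DNS answers."""
    findings = set()

    # Routing: mail that enters through a non-Microsoft hop first.
    for host in mx_hosts:
        if not host.lower().rstrip(".").endswith(M365_MX_SUFFIXES):
            findings.add("MX_NOT_DIRECT_TO_M365")

    # SPF: exactly one v=spf1 record, ending in a hard fail (-all).
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        findings.add("SPF_MISSING_OR_DUPLICATE")
    elif "redirect=" not in spf[0].lower():  # redirects need a live lookup
        if spf_all_qualifier(spf[0]) != "-":
            findings.add("SPF_NOT_HARD_FAIL")

    # DMARC: exactly one record, policy reject, applied to all mail.
    dmarc = [r for r in dmarc_records
             if parse_tags(r).get("v", "").lower() == "dmarc1"]
    if len(dmarc) != 1:
        findings.add("DMARC_MISSING_OR_DUPLICATE")
    else:
        tags = parse_tags(dmarc[0])
        policy = tags.get("p", "none").lower()  # missing p treated as none
        if policy == "none":
            findings.add("DMARC_POLICY_NONE")
        else:
            if policy != "reject":
                findings.add("DMARC_NOT_REJECT")
            if tags.get("pct", "100") != "100":
                findings.add("DMARC_PARTIAL_ENFORCEMENT")
    return sorted(findings)


# Constructed sample records (not real DNS data).
SAMPLE_WEAK = {
    "mx_hosts": ["mx1.filter.example.net."],
    "txt_records": ["v=spf1 include:spf.protection.outlook.com ~all"],
    "dmarc_records": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
}
SAMPLE_STRICT = {
    "mx_hosts": ["example-com.mail.protection.outlook.com."],
    "txt_records": ["v=spf1 include:spf.protection.outlook.com -all"],
    "dmarc_records": ["v=DMARC1; p=reject; pct=100"],
}

if __name__ == "__main__":
    print("weak:  ", audit_mail_domain(**SAMPLE_WEAK))
    print("strict:", audit_mail_domain(**SAMPLE_STRICT))
```

An MX finding is not a fault in itself; it marks a path where the upstream gateway's own spoof checks and the connector that accepts its mail need review.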
<br> <br><b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/attackpattern/9883">T1566 - Phishing</a> | <a href="https://ui.threatstream.com/attackpattern/10028">T1566.002 - Phishing: Spearphishing Link</a> | <a href="https://ui.threatstream.com/attackpattern/10090">T1557.002 - Man-in-the-Middle: Arp Cache Poisoning</a> | <a href="https://ui.threatstream.com/attackpattern/10006">T1110.003 - Brute Force: Password Spraying</a> | <a href="https://ui.threatstream.com/attackpattern/9870">T1078 - Valid Accounts</a><br> </p> <h2 id="article-1"><a href="https://www.theregister.com/2026/01/08/ransomware_2025_emsisoft/" target="_blank" rel="noopener noreferrer">Ransomware Activity in the U.S. Continued to Rise in 2025 </a></h2> <p>(published: January 8, 2026)</p> <p> Ransomware impact increased in 2025 despite ongoing law enforcement disruption efforts. Open-source leak-site tracking shows a significant rise in publicly claimed victims, with totals exceeding 8,000 globally, representing year-over-year growth of roughly one third to nearly one half depending on the dataset. The number of active ransomware groups also expanded into the hundreds, reflecting continued fragmentation and churn rather than consolidation. While several prominent groups ceased operations during the year, others quickly emerged or scaled up to replace them, maintaining overall pressure on organizations. Notably, the average number of victims per active group remained relatively stable, indicating that newer or rebranded actors were able to operate effectively. The data suggests that social engineering and credential-based access remain common contributors to ransomware incidents, and that actual victim counts likely exceed what is publicly observable through extortion sites.<br> <br><b>Analyst Comment:</b> Groups come and go, but the volume of victims stays high because attackers keep using the same reliable access paths. 
Phishing, stolen credentials, and weak identity controls are still doing the heavy lifting, which allows new or rebranded groups to operate effectively almost immediately. The stable victim rate per group shows this is not a maturity problem, it is an access problem. For defenders, the practical takeaway is that tracking ransomware names has limited value on its own. Effort is better spent on tightening identity security, reducing exposure to social engineering, and limiting what an attacker can do after initial access.<br> </p> <h2 id="article-1"><a href="https://www.infosecurity-magazine.com/news/ghost-tap-malware-remote-nfc-fraud/
" target="_blank" rel="noopener noreferrer">Android Ghost Tap Malware Drives Remote NFC Payment Fraud Campaigns</a></h2> <p>(published: January 7, 2026)</p> <p> Cybersecurity researchers have identified a significant rise in remote contactless payment fraud driven by Android malware known as Ghost Tap. This malware enables threat actors to conduct unauthorized NFC “tap-to-pay” transactions without direct access to victims’ physical bank cards by relaying Near Field Communication traffic from compromised devices to attacker-controlled systems. Operators distribute Ghost Tap via malicious Android APKs masquerading as banking or financial apps, often leveraging social engineering to harvest credit card details and one-time passwords required to provision cards into mobile wallets such as Apple Pay and Google Pay. Once provisioned, criminals can perform fraudulent payments through intermediary devices or mule networks located anywhere in the world. Analysts link this trend to Chinese-origin malware ecosystems advertised on Telegram, with documented unauthorized transactions and systemic financial losses. This tactic fits into the broader NFC relay fraud landscape, where criminals weaponize tools like NFCGate and collaborate with money mules to scale cash-outs.<br> <br><b>Analyst Comment:</b> The most important takeaway here is how central malicious app installation is to making this fraud work. Ghost Tap does not rely on exploiting flaws in NFC itself; it relies on users being convinced to install untrusted Android apps that quietly hand attackers everything they need to provision a card into a mobile wallet. Once that step succeeds, the fraud is already lost. This reinforces a basic but critical defense principle: apps should only ever be installed from legitimate sources such as official app stores. Sideloaded or “helper” apps remain one of the easiest and most reliable entry points for financial malware. 
From a defender perspective, enforcing app source restrictions, monitoring wallet enrollment behavior, and educating users about installation risks will do more to disrupt this activity than chasing individual fraudulent transactions after the fact.<br> <br><b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/attackpattern/9615">T1204.002 - User Execution: Malicious File</a> | <a href="https://ui.threatstream.com/attackpattern/9925">T1056.004 - Input Capture: Credential Api Hooking</a> | <a href="https://ui.threatstream.com/attackpattern/9617">T1041 - Exfiltration Over C2 Channel</a> | <a href="https://ui.threatstream.com/attackpattern/9723">T1102.002 - Web Service: Bidirectional Communication</a><br> </p> <h2 id="article-1"><a href="https://thehackernews.com/2026/01/black-cat-behind-seo-poisoning-malware.html" target="_blank" rel="noopener noreferrer">Black Cat SEO Poisoning Malware Campaign Exploits Software Search Results </a></h2> <p>(published: January 7, 2026)</p> <p> Black Cat–linked threat actors have been observed conducting a large-scale SEO poisoning campaign that abuses search engine rankings to distribute trojanized installers for widely used software. Users searching for legitimate applications such as Notepad++, Chrome, QQ International, and iTools are redirected to realistic fake download sites that deliver malware-laced installers. Once executed, the malware establishes persistence, communicates with attacker-controlled infrastructure, and enables remote access and data collection. Additional reporting indicates the campaign operated at significant scale, with hundreds of thousands of infections, largely concentrated in China. The activity appears focused on access building and reconnaissance rather than immediate ransomware deployment, underscoring how search-driven software downloads remain a highly effective infection vector when users rely on search results instead of verified vendor sources.
<br> <br><b>Analyst Comment:</b> This campaign is a reminder that SEO poisoning works precisely because it blends into normal behavior. Nothing about searching for software or installing a familiar application feels suspicious to most users, and attackers exploit that trust gap at scale. The key risk is not a technical flaw in the software itself, but the decision point before installation. Once a trojanized installer runs, defenders are already reacting too late. The most effective mitigation is procedural rather than technical: enforce trusted download sources, block installer execution from user download directories, and monitor for new persistence immediately following software installs. <br> <br><b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/attackpattern/9784">T1189 - Drive-By Compromise</a> | <a href="https://ui.threatstream.com/attackpattern/9615">T1204.002 - User Execution: Malicious File</a> | <a href="https://ui.threatstream.com/attackpattern/9588">T1547 - Boot Or Logon Autostart Execution</a> | <a href="https://ui.threatstream.com/attackpattern/9715">T1071.001 - Application Layer Protocol: Web Protocols</a> | <a href="https://ui.threatstream.com/attackpattern/9802">T1005 - Data From Local System</a><br> <b>Target Region:</b> Asia<br> <b>Target Country:</b> China<br> </p> <h2 id="article-1"><a href="https://thehackernews.com/2026/01/muddywater-launches-rustywater-rat-via.html
" target="_blank" rel="noopener noreferrer">MuddyWater Upgrades Espionage Arsenal with RustyWater RAT in Middle East Spear-Phishing </a></h2> <p>(published: January 10, 2026)</p> <p> Iran-linked advanced persistent threat group MuddyWater has launched a targeted spear-phishing campaign against diplomatic, maritime, financial, and telecommunications organisations across the Middle East, deploying a newly identified Rust-based remote access trojan named RustyWater. Attackers send convincing emails with weaponised Microsoft Word attachments that use icon spoofing and VBA macros to drop the RustyWater binary. The implant features asynchronous command-and-control, anti-analysis routines, Windows Registry persistence, multi-layer data obfuscation (JSON → Base64 → XOR), and evasive techniques including scanning for more than 25 antivirus and EDR products. This shift from traditional PowerShell and VBS loaders to a compiled Rust implant reflects a strategic tooling evolution designed to reduce noise, complicate analysis, and extend stealthy access. <br> <br><b>Analyst Comment:</b> What stands out in this activity is that MuddyWater has improved its malware, but not its entry point. RustyWater is more discreet and harder to analyze once it is running, yet the attack still relies on a familiar tactic: getting someone to open a document and enable macros. For defenders, that is the key takeaway. Strong controls around email attachments, macro execution, and early endpoint behavior can stop this campaign before the more advanced tooling ever comes into play. 
The sophistication is in what happens after access, but the opportunity to prevent it appears right at the start.<br> <br><b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/attackpattern/10001">T1566.001 - Phishing: Spearphishing Attachment</a> | <a href="https://ui.threatstream.com/attackpattern/9853">T1059.005 - Command and Scripting Interpreter: Visual Basic</a> | <a href="https://ui.threatstream.com/attackpattern/9591">T1027 - Obfuscated Files Or Information</a> | <a href="https://ui.threatstream.com/attackpattern/9835">T1497 - Virtualization/Sandbox Evasion</a> | <a href="https://ui.threatstream.com/attackpattern/9933">T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder</a> | <a href="https://ui.threatstream.com/attackpattern/9715">T1071.001 - Application Layer Protocol: Web Protocols</a><br> </p> <h2 id="article-1"><a href="https://thehackernews.com/2026/01/chinese-linked-hackers-exploit-vmware.html" target="_blank" rel="noopener noreferrer">China-Linked ESXi VM Escape Exploit Observed in the Wild </a></h2> <p>(published: January 9, 2026)</p> <p> Chinese-speaking threat actors deployed a sophisticated exploit toolkit against VMware ESXi hypervisors, achieving a full virtual machine escape that compromised the host from within a guest VM. Initial access stemmed from a compromised SonicWall VPN appliance and led to Domain Admin credential abuse and lateral movement. Analysis revealed the toolkit likely pre-dated public disclosure of the underlying VMware zero-day vulnerabilities (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226) by over a year and supports a wide range of ESXi builds from 5.1 through 8.0. The exploit chain disables VMCI drivers, uses a BYOVD loader to insert an unsigned kernel driver, and installs a VSOCK-based backdoor on the hypervisor itself. 
This activity was halted before ransomware or data exfiltration.<br> <br><b>Analyst Comment:</b> This case highlights how hypervisor exploitation is being used as a late-stage escalation technique, not an initial entry vector. The attackers first gained access through a VPN appliance and abused Domain Admin credentials before deploying the ESXi exploit, showing that strong internal access often comes before high-impact exploitation. The key lesson for defenders is twofold. First, ESXi hosts should be treated as high-value assets and patched promptly, as VM escape turns a single compromised VM into host-level control. Second, early indicators such as edge device compromise and privileged credential misuse near virtualization infrastructure should be treated as serious escalation signals. Stopping attackers earlier in the chain can prevent them from ever reaching the hypervisor, where the impact becomes far harder to contain.<br> <br><b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/attackpattern/10098">T1133 - External Remote Services</a> | <a href="https://ui.threatstream.com/attackpattern/9752">T1203 - Exploitation For Client Execution</a> | <a href="https://ui.threatstream.com/attackpattern/10093">T1068 - Exploitation For Privilege Escalation</a> | <a href="https://ui.threatstream.com/attackpattern/10079">T1562.001 - Impair Defenses: Disable Or Modify Tools</a> | <a href="https://ui.threatstream.com/attackpattern/9588">T1547 - Boot Or Logon Autostart Execution</a> | <a href="https://ui.threatstream.com/attackpattern/9604">T1021 - Remote Services</a> | <a href="https://ui.threatstream.com/attackpattern/9870">T1078 - Valid Accounts</a><br> </p> <h2 id="article-1"><a href="https://www.bleepingcomputer.com/news/security/instagram-denies-breach-amid-claims-of-17-million-account-data-leak/" target="_blank" rel="noopener noreferrer">Instagram Denies Data Breach Despite Claims of 17.5 Million Account Data Leak</a></h2> <p>(published: January 11, 2026)</p> <p> 
Instagram has publicly denied that a system breach occurred, after reports claimed that personal data from approximately 17.5 million user accounts had been scraped and posted on hacking forums. The incident began when millions of users received unsolicited password reset emails, which appeared legitimate and raised fears of a mass compromise. A dataset purportedly containing phone numbers, usernames, email addresses, partial physical addresses, and Instagram IDs was shared online, allegedly stemming from an API scraping event. Meta says the email surge resulted from a technical issue that allowed an external party to trigger password reset requests, not from unauthorized access to internal systems, and insists accounts remain secure. Users are advised to ignore unsolicited reset links and enable two-factor authentication. Security analysts caution that even without a confirmed breach, exposed personal details could fuel phishing and social engineering campaigns.<br> <br><b>Analyst Comment:</b> For individual users, the most important point is that Instagram has stated there is no evidence of a breach of its internal systems, and accounts are not believed to be directly compromised. That said, the reported dataset and the surge in password reset emails show how easily account details can be misused even without a hack. If your email or phone number is exposed, it can be reused in convincing phishing or impersonation attempts that appear to come from Instagram. Users should only act on password resets they personally request, be cautious of follow-up messages asking for verification, and enable two-factor authentication to reduce risk. This incident is a reminder that personal data does not need to be stolen in a breach to be dangerous, and that vigilance matters even when a platform says its systems are secure.<br> <br><b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/attackpattern/9794">T1119 - Automated Collection</a><br> </p> </div>
</div>