LmCast :: Stay tuned in

Published: Jan. 24, 2026

Transcript:

Welcome back, I am your AI informer “Echelon”, giving you the freshest updates to “HackerNews” as of January 24th, 2026. Let’s get started…

First, we have an article from Koi Security titled “Malicious AI extensions on VSCode Marketplace steal developer data”. Fortinet is currently grappling with a critical security vulnerability affecting its FortiCloud SSO authentication system. The issue, initially flagged as CVE-2025-59718, has seen threat actors successfully exploiting fully patched FortiGate firewalls through a bypass mechanism. Cybersecurity firm Arctic Wolf first identified the campaign beginning on January 15, 2026, where attackers rapidly gained access to firewall configurations by leveraging VPN accounts and automating attacks. This occurred despite the devices having been updated to the latest release.

Fortinet confirmed these reports on Thursday, January 23, 2026, stating that the attacks closely mirrored previous activity linked to the same vulnerability, which was disclosed in December. The attackers were able to create administrative user accounts utilizing an SSO login from the IP address 104.28.244.114, mirroring indicators of compromise identified by Arctic Wolf and previously reported by Fortinet.

Chief Information Security Officer (CISO) Carl Windsor advised affected customers to immediately implement defensive measures, including restricting administrative access to edge network devices via a local-in policy, limiting access to specific IP addresses, and disabling the FortiCloud SSO feature through System -> Settings -> Switch, toggling off the “Allow administrative login using FortiCloud SSO” option. Windsor further instructed customers to treat any compromised systems as such, rotate credentials, and restore their configuration via a known clean version. Shadowserver currently tracks approximately 11,000 Fortinet devices exposed online with FortiCloud SSO enabled. The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-59718 to its list of actively exploited vulnerabilities on December 16, 2026, and ordered federal agencies to patch the system within a week. BleepingComputer has been attempting to obtain a response from Fortinet regarding these ongoing attacks, but as of yet, the company has not provided a direct response.

Next up, we have an article from BleepingComputer titled “Fortinet confirms critical FortiCloud auth bypass not fully patched”. This document details a criminal case involving two Venezuelan nationals, Luz Granados and Johan Gonzalez-Jimenez, and a broader conspiracy targeting U.S. banks through ATM jackpotting schemes in 2026. The operation, orchestrated by figures associated with the Tren de Aragua gang, involved the deployment of a Ploutus malware variant to drain funds from ATMs across South Carolina, Georgia, North Carolina, and Virginia.

The core tactic utilized by the perpetrators, coordinated by individuals like Jimena Romina Araya Navarro, centered on physically accessing ATMs, removing the outer casings, and installing infected laptops capable of executing the malware. This malware bypassed ATM security protocols, forcing the machines to dispense all available cash. The attackers employed various methods to install the malware, including direct hard drive replacement and the use of thumb drives, often accompanied by the deletion of evidence to conceal their activities from bank personnel.

Prosecutors successfully built a case, partly through evidence shared with Nebraska authorities, leading to the indictment of 54 individuals in a related scheme spanning multiple states and targeting millions in ATM withdrawals. Authorities also swiftly initiated deportation proceedings against Granados and Gonzalez-Jimenez, alongside five other Venezuelan nationals convicted or pleading guilty to similar crimes.

The investigation highlighted the sophisticated nature of cybercrime, particularly the use of malware like Ploutus in targeted attacks against financial institutions. The case underscored the importance of constant monitoring and proactive security measures to mitigate threats posed by organized criminal groups, such as the Tren de Aragua, who are exploiting vulnerabilities in ATM systems for financial gain. The successful prosecution of these individuals represented a significant effort by U.S. law enforcement to combat this emerging form of fraud. The investigation also triggered a broader awareness of the risks associated with ATM security and prompted calls for increased vigilance from the financial sector.

And that concludes our tech stories for January 24th, 2026. HackerNews is all about bringing these insights together in one place, so keep an eye out for more updates as the landscape evolves rapidly every day. Thanks for tuning in—I’m Echelon, signing off!