The Cyber Threat Intelligence Briefing is a weekly round-up of the latest cybersecurity news, trends and indicators, curated by our CISO, Nick Harris. Here’s our pick of the top stories, and why you should care.
ShinyHunters use dynamic vishing tech to steal SSO credentials
Infamous threat collective ShinyHunters has been targeting organisations again in a data extortion campaign fuelled by sophisticated vishing attacks. According to a new Google Mandiant report, the group poses as the IT helpdesk in calls with employees, directing victims to corporate-branded phishing domains used to capture SSO credentials and MFA codes. ShinyHunters then uses this access to steal data from SaaS apps and extort the companies involved.
Why it matters:
SSO enables a single vishing attack to result in widespread compromise of SaaS apps. Okta has previously warned that vishing-as-a-service kits are democratising such efforts and enabling threat actors to adapt attacks on the fly to defeat non-phishing-resistant MFA.
Assured’s recommended action:
Mandiant has published a comprehensive guide with proactive hardening, logging and detection recommendations.
MongoDB instances continue to be targeted in data extortion attacks
Researchers have discovered an automated data extortion campaign targeting misconfigured MongoDB instances. Approximately 1,400 servers with unrestricted access have been compromised, just under half of the estimated total that could be accessed without authentication. The underlying databases were wiped, with the threat actor demanding a $500 (£370) ransom in Bitcoin.
Why it matters:
These attacks were popular pre-2021, but this latest round shows that cyber hygiene remains poor in many organisations. If impacted, organisations could suffer operational disruption and financial/reputational damage.
Assured’s recommended action:
Ensure MongoDB instances are patched and properly configured (i.e., with strong passwords and MFA), and that sensitive data is encrypted at rest.
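As an added illustration (not from the briefing and not MongoDB's own tooling), the check below flags the combination behind these wipe-and-ransom campaigns, a mongod listening on all interfaces with authorization left disabled, given a mongod.conf already parsed from YAML into a dict. The two sample configs and the 10.0.0.5 address are constructed; `security.enableEncryption` exists only in MongoDB Enterprise, so Community deployments would rely on disk-level encryption instead.

```python
"""Audit a parsed mongod.conf for network exposure without authentication.
Keys mirror the real mongod.conf layout (net.bindIp, net.bindIpAll,
security.authorization, security.enableEncryption)."""

# Bind addresses that expose the listener on every interface.
PUBLIC_BINDS = {"0.0.0.0", "::"}


def audit_mongod_config(conf: dict) -> list[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    net = conf.get("net") or {}
    sec = conf.get("security") or {}

    # bindIp is a comma-separated string; mongod defaults to localhost only.
    # bindIpAll: true overrides bindIp and listens everywhere.
    bind_ips = {ip.strip() for ip in str(net.get("bindIp", "127.0.0.1")).split(",")}
    exposed = bool(net.get("bindIpAll")) or bool(bind_ips & PUBLIC_BINDS)
    # authorization defaults to "disabled" when the key is absent.
    auth_on = sec.get("authorization") == "enabled"

    if exposed:
        findings.append("listening on all interfaces (net.bindIp/bindIpAll)")
    if not auth_on:
        findings.append("security.authorization is not 'enabled'")
    if exposed and not auth_on:
        findings.append("CRITICAL: reachable from the network without authentication")
    # Enterprise-only key; on Community this finding means "check disk encryption".
    if not sec.get("enableEncryption"):
        findings.append("encryption at rest (security.enableEncryption) is off")
    return findings


# Constructed sample: the exposed layout the wiped instances were running.
EXPOSED_CONF = {
    "net": {"port": 27017, "bindIp": "0.0.0.0"},
    "storage": {"dbPath": "/var/lib/mongodb"},
}

# Constructed sample: hardened equivalent (bound to loopback plus one private IP).
HARDENED_CONF = {
    "net": {"port": 27017, "bindIp": "127.0.0.1,10.0.0.5"},
    "security": {"authorization": "enabled", "enableEncryption": True},
    "storage": {"dbPath": "/var/lib/mongodb"},
}

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_config(conf) or ["ok"])
```

Loading the real file is one `yaml.safe_load(open("/etc/mongod.conf"))` call with PyYAML; strong passwords and MFA live in the user accounts and identity layer, not in this file, so they are outside what this check can see.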
Coinbase reveals insider breach via former contractor
Coinbase has confirmed that a former contractor accessed the data of around 30 customers last December. The breach exposed email addresses, names, dates of birth, phone numbers, KYC information, cryptocurrency wallet balances, and transactions. Following the incident, the Scattered Lapsus Hunters (SLH) collective posted screenshots of an internal Coinbase support interface on Telegram, which they later deleted.
Why it matters:
Business process outsourcing (BPO) companies are an increasingly popular target for threat actors, and SLH has previously boasted of bribing insiders. Malicious insider breaches are harder to detect than external attacks and can be more expensive to remediate.
Assured’s recommended action:
CISOs should advance zero-trust plans by implementing least-privilege access policies. User behaviour analytics can also help detect unusual insider activity. Contracts with BPOs should mandate rigorous background checks and impose heavy penalties for insider breaches.
Multiple critical n8n bugs could allow complete remote takeover
Researchers have identified several critical vulnerabilities in the popular n8n open-source workflow automation platform. Collectively labelled CVE-2026-25049, exploitation of the bugs could enable complete compromise of the n8n instance and execution of arbitrary system commands on the server.
Why it matters:
CVE-2026-25049 enables attackers to install malware, steal a broad sweep of data, move laterally into cloud environments and hijack/sabotage AI pipelines.
Assured’s recommended action:
CISOs should patch the CVSS 9.8 vulnerability immediately by upgrading to version 1.123.17, 2.5.2, or later. Network segmentation, runtime monitoring, and disabling unauthenticated webhooks will also help harden systems against attacks.
AI-powered voice and virtual meeting fraud soars 1000%+ in a year
New research from Pindrop reveals a 1210% increase in AI-enabled fraud attempts between January and December 2025. Specifically, it covers voice and virtual meeting fraud driven by deepfakes, voice bots, and other technologies. The tech has made this type of fraud cheaper,
Why it matters:
Adversaries can use these tools to achieve customer and employee account takeover; the latter can lead to data theft and ransomware-related extortion. Virtual meeting fraud operates similarly to business email compromise (BEC).
Assured’s recommended action:
Tackle BEC-style fraud by updating processes for approving big-money transfers (e.g., out-of-band authentication and challenge-response questions). Harden the call centre/IT helpdesk with AI-powered voice liveness detection technology. Update security awareness training for employees and conduct deepfake red teaming.
0apt unmasked as a scam-as-a-service outfit
Self-styled ransomware-as-a-service operation 0apt has been branded a fake by security experts. The group burst onto the scene in late January, posting almost 200 companies on its extortion leak site. However, subsequent analysis has revealed that many of the files purporting to contain data samples were empty. The group’s infrastructure appears to be a bizarre mix of “AI-generated scripts and amateur web development”. And code analysis reveals internal comments written in Hindi or Urdu – not the Russian one would expect from a RaaS group.
Why it matters:
Organisations that are quick to engage with digital extortionists to mitigate reputational damage may end up paying them without first verifying whether the threat is legitimate.
Assured’s recommended action:
Always verify the validity of any allegedly stolen files. Check network logs for evidence of mass exfiltration and possible data encryption before deciding whether to engage with extortionists.