Contents
01. News Bites
- NCSC warns UK organisations over DoS threats from hacktivist groups
- Critical AI framework flaws exposed
- Zendesk systems abused for spam
- Fortinet patch bypass under attack
- Fortune 500 firms exposed by misconfigured test apps
02. Conclusion
NCSC warns UK organisations over DoS threats from hacktivist groups
The National Cyber Security Centre (NCSC), part of GCHQ, issued a fresh alert warning that UK organisations continue to be targeted by Russian state-aligned hacktivist groups. The activity is focused on disruption rather than financial gain, with denial of service (DoS) attacks aimed at overwhelming networks and online services.
Local authorities and operators of critical national infrastructure are among those most at risk. While DoS attacks are often technically simple, the NCSC stresses that their impact can be severe, causing service outages, operational disruption, and significant recovery costs.
The warning follows a joint international advisory issued in December 2025, highlighting sustained targeting of NATO member states and European organisations perceived to support Ukraine.
Speaking on the alert, Jonathon Ellison, Director of National Resilience at the NCSC, urged organisations to act now by reviewing their defences and preparing effective response plans.
Critical AI framework flaws exposed
Security researchers have identified two critical vulnerabilities in Chainlit, a widely used open-source AI application framework, exposing serious risks for organisations accelerating AI adoption. The findings coincide with the launch of Project DarkSide, an initiative focused on uncovering weaknesses across AI development building blocks.
Tracked as CVE-2026-22218 and CVE-2026-22219, the flaws allow unauthenticated attackers to read arbitrary files and perform server-side request forgery. Exploitation requires no user interaction and can lead to the leakage of cloud credentials, database contents, environment variables, and proprietary source code. In cloud environments, this can enable lateral movement and full infrastructure compromise.
With an estimated 700,000 monthly downloads and active enterprise and academic deployments, the exposure is significant. Chainlit has released version 2.9.4 to address both issues.
Until patching is complete, detection guidance has been shared, alongside warnings that insecure AI foundations are rapidly expanding organisational attack surfaces.
Zendesk systems abused for spam
A large-scale global spam wave has been linked to the abuse of unsecured Zendesk support systems, with recipients reporting hundreds of emails arriving within minutes. The campaign began on 18 January, quickly drawing attention on social media due to the sheer volume and unusual nature of the messages.
The emails are generated when attackers submit fake support tickets using unverified email addresses. Zendesk’s automated confirmation replies then turn legitimate customer service platforms into an unwitting mass-spam engine. While the messages do not appear to contain malicious links or direct phishing lures, their chaotic and sometimes alarming subject lines have caused confusion and concern.
Impacted organisations include Discord, Dropbox, NordVPN, Riot Games, and several public sector bodies. Subjects range from fake law enforcement notices to offers of free services, often written using decorative Unicode text.
The incident highlights how basic verification gaps in widely used platforms can be exploited at scale, even without deploying traditional malware or phishing techniques.
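The mechanism described above, a helpdesk that echoes a submitter-chosen subject to an unverified address, can be shown next to a hardened intake. The following is an added example and is not Zendesk's code or API: the intake, the outbox, the rate-limit values and the sample tickets are all constructed for illustration. The hardened version sends only a neutral, rate-limited verification challenge to unverified addresses and creates (and acknowledges) the ticket only after confirmation, so submitter-controlled text never reaches an inbox that did not ask for it.

```python
"""Added example (not Zendesk's code or API): a minimal support-ticket intake
modelling the verification gap (weak_intake) beside a hardened version
(HardenedIntake). All names, limits and sample tickets are constructed."""
import secrets
import time
from collections import defaultdict

SUBMIT_LIMIT = 3        # mails allowed per source IP and per requester address ...
WINDOW_SECONDS = 600    # ... within this sliding window (hypothetical values)

# Constructed submitter-controlled subjects, in the spirit of the campaign.
FLOOD_SUBJECTS = ["URGENT: law enforcement notice", "Claim your free service"]


class Outbox:
    """Stand-in for the helpdesk mailer; records what would have been sent."""
    def __init__(self):
        self.sent = []                       # list of (recipient, subject)

    def send(self, to, subject):
        self.sent.append((to, subject))


def weak_intake(outbox, tickets):
    """Weak setting: every ticket echoes its subject straight back to whatever
    address the submitter typed, so the helpdesk mails arbitrary third parties."""
    for _source_ip, requester, subject in tickets:
        outbox.send(requester, f"[Ticket received] {subject}")
    return len(outbox.sent)


class HardenedIntake:
    """Hardened setting: unverified addresses only receive a neutral, rate-limited
    challenge; the ticket is created and acknowledged after confirmation."""
    def __init__(self, outbox, clock=time.monotonic):
        self.outbox = outbox
        self.clock = clock
        self.verified = set()
        self.pending = {}                    # token -> (requester, subject)
        self.history = defaultdict(list)     # rate-limit key -> timestamps

    def _over_limit(self, key, now):
        recent = [t for t in self.history[key] if now - t < WINDOW_SECONDS]
        recent.append(now)
        self.history[key] = recent
        return len(recent) > SUBMIT_LIMIT

    def submit(self, source_ip, requester, subject):
        now = self.clock()
        # Limit per submitting IP (one source, many victims) and per requester
        # address (many sources, one victim). Both are recorded on every attempt.
        limited = [self._over_limit(("ip", source_ip), now),
                   self._over_limit(("addr", requester), now)]
        if any(limited):
            return "dropped:rate-limit"
        if requester in self.verified:
            self.outbox.send(requester, f"[Ticket received] {subject}")
            return "created"
        token = secrets.token_urlsafe(16)
        self.pending[token] = (requester, subject)
        # Fixed wording: nothing the submitter controls reaches an unverified inbox.
        self.outbox.send(requester, "Confirm your support request")
        return "verification-sent"

    def confirm(self, token):
        """Called when the recipient follows the challenge link."""
        entry = self.pending.pop(token, None)
        if entry is None:
            return "invalid-token"
        requester, subject = entry
        self.verified.add(requester)
        self.outbox.send(requester, f"[Ticket received] {subject}")
        return "created"


def simulate_flood(n=50):
    """Constructed flood: one source submits n tickets naming a victim address."""
    tickets = [("198.51.100.7", "victim@example.com", FLOOD_SUBJECTS[i % 2])
               for i in range(n)]
    weak, hard = Outbox(), Outbox()
    weak_intake(weak, tickets)
    intake = HardenedIntake(hard)
    results = [intake.submit(*t) for t in tickets]

    def with_attacker_text(box):
        return sum(any(s in subj for s in FLOOD_SUBJECTS) for _, subj in box.sent)

    return {"weak_sent": len(weak.sent),
            "weak_attacker_subjects": with_attacker_text(weak),
            "hardened_sent": len(hard.sent),
            "hardened_attacker_subjects": with_attacker_text(hard),
            "dropped": results.count("dropped:rate-limit")}


def simulate_legitimate():
    """A genuine requester confirms once; later tickets are acknowledged directly."""
    box = Outbox()
    intake = HardenedIntake(box)
    first = intake.submit("203.0.113.5", "user@example.org", "Cannot log in")
    token = next(iter(intake.pending))
    confirmed = intake.confirm(token)
    second = intake.submit("203.0.113.5", "user@example.org", "Still cannot log in")
    return first, confirmed, second, [s for _, s in box.sent]


if __name__ == "__main__":
    print(simulate_flood())
    print(simulate_legitimate())
```

With the constructed flood of 50 tickets, the weak intake emits 50 mails carrying the submitter's subject lines, while the hardened intake emits three neutral challenges and drops the rest at the rate limit; a legitimate requester still gets through after a single confirmation.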
Fortinet patch bypass under attack
Fortinet customers are reporting active exploitation of a patch bypass affecting a previously fixed FortiGate authentication vulnerability, CVE-2025-59718. Attackers are abusing the flaw to compromise firewalls running patched FortiOS versions, including 7.4.9 and 7.4.10, raising concerns that the original fix was incomplete.
Multiple administrators have observed unauthorised admin accounts created via malicious FortiCloud SSO logins, activity consistent with exploitation techniques previously documented by Arctic Wolf in December 2025. Fortinet is reportedly preparing additional updates, including FortiOS 7.4.11, to fully address the issue.
The vulnerability has been added to CISA’s catalogue of actively exploited flaws, while Shadowserver continues to track thousands of exposed devices.
Administrators are advised to disable FortiCloud SSO where possible until a complete fix is available, as attackers also target other unpatched Fortinet products, including FortiSIEM.
Fortune 500 firms exposed by misconfigured test apps
Threat actors are actively exploiting misconfigured security testing applications to break into live cloud environments, according to new findings from Pentera. Intentionally vulnerable tools such as DVWA, OWASP Juice Shop, Hackazon, and bWAPP are being abused when left exposed on the public internet and deployed with excessive cloud privileges.
Pentera identified 1,926 vulnerable instances across AWS, Azure, and GCP, many linked to overly permissive IAM roles and default credentials. The exposed applications belonged to multiple Fortune 500 organisations, including Cloudflare, F5, and Palo Alto Networks, all of which have since remediated the issues.
Researchers found clear evidence of active exploitation, including Monero crypto mining via XMRig, persistent backdoors, and PHP webshells enabling full system control. The findings underline how insecure non-production assets can become high-impact entry points into enterprise cloud environments.
If you are worried about any of the threats outlined in this bulletin, or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively get in touch to find out how you can protect your organisation.
Disclaimer
The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.