ZeroFox Daily Intelligence Brief - January 22, 2026
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- LastPass Users Phished for Sensitive Data
- Hackers Target Fortune 500 Firms via Misconfigured Security Testing Applications
- Carlsberg Event Wristband Flaw Exposed Attendee PII
LastPass Users Phished for Sensitive Data
Source: https://www.theregister.com/2026/01/21/lastpass_backup_phishing_campaign/
What we know: LastPass, a password manager, has warned customers about an ongoing phishing campaign in which attackers sent fake maintenance emails urging users to back their vaults up within 24 hours. The emails aim to pressure recipients into clicking malicious links that redirect them to phishing pages.
Context: Some of the emails were reportedly sent from addresses such as “support@lastpass[.]server8” and “support@sr22vegas[.]com.” The emails redirected victims to sites designed to steal master passwords and expose sensitive vault data. At the time of writing, there is no indication that the campaign involved a breach of LastPass systems.
Analyst note: Even though no data breach has been connected to this campaign yet, successful compromise of a user’s master password is likely in the near future. In that event, a successful attack is likely to expose the user’s vault, enabling threat actors to carry out large-scale credential theft, identity fraud, and downstream account takeovers.
Hackers Target Fortune 500 Firms via Misconfigured Security Testing Applications
What we know: Threat actors are reportedly exploiting vulnerable web applications used for security training and internal penetration testing to gain unauthorized access to the cloud environments of prominent Fortune 500 companies.
Context: Researchers have found 1,926 active vulnerable applications exposed online, often misconfigured and linked to overly privileged IAM (Identity and Access Management) roles deployed on multiple cloud environments.
Analyst note: Threat actors are likely to exploit such misconfigured web applications to plant webshells, mine cryptocurrency, and maintain persistent control over the compromised systems. They are also likely to pivot across multiple cloud environments to gain complete access to sensitive data for financial gain.
Carlsberg Event Wristband Flaw Exposed Attendee PII
Source: https://hackread.com/carlsberg-event-wristband-leaked-pii-disclose/
What we know: An alleged vulnerability in a wristband handed out by Danish multinational brewer Carlsberg Group during a promotional event in Copenhagen reportedly resulted in the leak of attendee data. The leaked data reportedly includes personally identifiable information (PII), such as IDs, photos, videos, and full names.
Context: The researcher who discovered the vulnerability has disclosed their findings publicly. The brute-force enumeration flaw impacts each visitor’s personalized “memories” page, protected by a seven-digit numeric ID.
Analyst note: Threat actors are likely to attempt to exploit the vulnerability to steal data following its public disclosure. The data is likely to be sold on dark web platforms or used to extort the affected organization. Exposed individuals are likely to be targeted in phishing and social engineering attacks.
DEEP AND DARK WEB INTELLIGENCE
BreachForums user daghetiaw: A threat actor, named “daghetiaw,” claimed to have stolen 16 million records of sensitive customer data from major Spanish technology retailer PcComponentes. However, PcComponentes refuted the claim of a hack or unauthorized access to its systems. It clarified that the sample data was from existing infostealer logs and affected only a few customers. The incident very likely indicates that unmonitored infostealer logs containing organizational credentials can be exploited by threat actors to make exaggerated claims, resulting in reputational damage to affected organizations.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2026-20045: Cisco has patched CVE-2026-20045, a critical remote code execution vulnerability that is exploited by sending a crafted sequence of HTTP requests to the web management interface of an affected Cisco device. Successful exploitation leads to unauthorized user-level access to the operating system, which threat actors then use to escalate privileges and gain complete root-level server access. CISA has added this vulnerability to its KEV catalogue. Unpatched versions are likely to be targeted for credential theft, malware delivery, and the installation of implants as a persistence mechanism.
Affected products: The affected products are listed in this advisory.
CVE-2026-1245: CERT/CC warns of a vulnerability, CVE-2026-1245, in the binary-parser npm library that can enable attackers to execute arbitrary JavaScript by injecting malicious input into dynamically generated parser code. Threat actors are likely to exploit unpatched versions to access sensitive data, alter application behavior, or execute system commands.
Affected products: Binary-parser versions 0 to 2.3.0
Tags: DIB, tlp:green