
🔐 This Week’s Securityish Brief
DynoWiper wiper malware used in a Sandworm attempt against Poland’s power sector.
Fortinet admits a FortiGate SSO vulnerability is still being exploited even after a December patch.
ShinyHunters claim Okta based breaches at Crunchbase, Betterment and more through voice phishing.
Tesla infotainment system and car tech hacked at Pwn2Own Automotive 2026 using 37 zero day flaws.
DynoWiper Malware Targeted Polish Power Sector in Sandworm Attack
State sponsored attack

🔐 The Securityish Brief: Russian linked Sandworm hackers tried to disrupt parts of Poland’s power grid in late December using a new file wiping malware strain called DynoWiper. The attack hit two combined heat and power plants and a renewable energy management system but was contained before it caused a major outage.
🔍 The Breakdown:
The attempted attack took place on December 29 and 30, 2025, against energy infrastructure in Poland.
DynoWiper is a wiper malware that deletes files so affected systems may not be able to boot until fully rebuilt.
Polish officials publicly tied the operation to Sandworm, a Russian aligned group with a long track record of grid attacks.
ESET reported that this is part of a broader pattern of Sandworm activity since the invasion of Ukraine.
📢 Why it matters: Most people never touch industrial control systems but everyone depends on power, heat and public services staying online. When a state backed group tries to wipe parts of a national grid it shows that modern conflicts now include targeting infrastructure, not just websites and emails, and that even well defended networks can still be pushed and probed.
🛡️ What You Should Do: If you work around critical infrastructure, make sure backup and recovery plans are tested and not just written down, and push for strong network separation between operational systems and office or internet facing networks. For everyone else, treat short power, payment or connectivity issues as something worth preparing for with basic supplies and offline copies of key information so that a brief outage is an inconvenience rather than a crisis.
Fortinet admits a FortiGate SSO vulnerability is still being exploited even after a December patch.
Vulnerability

🔐 The Securityish Brief: Fortinet has confirmed that a single sign on vulnerability in FortiCloud and FortiGate SAML based SSO is still being exploited even after a December patch. Customers reported suspicious logins and tampered firewall settings on fully updated devices, showing that attackers found a new path into the same underlying flaw.
🔍 The Breakdown:
The issue involves SAML based SSO for Fortinet devices, including FortiCloud managed firewalls.
After Fortinet shipped a patch in December 2025, customers still saw unauthorized logins and new admin accounts appear.
Fortinet says attackers are using an alternate attack path that was not fully blocked by the original fix.
Reports describe VPN enabled backdoor admin accounts being created so configuration files can be pulled off devices.
Fortinet is investigating and has warned that the weakness affects any SAML SSO integration, not just FortiCloud.
📢 Why it matters: Many organizations trust Fortinet gear as a choke point that protects everything behind it. If attackers can still log in through a flawed SSO flow on a device that appears fully patched, they can quietly change rules, add hidden users and exfiltrate configurations that make further attacks much easier, which turns a single identity gap into a broad network level risk.
🛡️ What You Should Do: If you use Fortinet products, review Fortinet advisories and temporarily disable or restrict SAML based SSO where possible until updated guidance is available, then monitor authentication logs for unusual logins or new admin accounts and lock down management interfaces behind VPN and admin networks only. Work with your security team to rotate credentials and revalidate firewall rules on any device that shows unexplained changes so that a stealthy configuration tweak does not linger for months.
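As an added example, not code from the newsletter or from Fortinet, here is a small log scan for the two signals the brief describes: admin accounts being added or edited, and SSO logins from unexpected users or sources, plus VPN configuration changes made from outside the admin network. The log lines are constructed samples in a FortiGate-style key=value format; the field names (logdesc, cfgpath, cfgobj, user, srcip, method, action) are assumed and should be checked against your own devices' logs before use.

```python
import re

# Constructed sample log lines in a FortiGate-style key=value format.
# Field names are assumed for illustration, not taken from a real device.
SAMPLE_LOGS = """\
date=2026-01-20 time=09:01:12 type="event" subtype="system" logdesc="Admin login successful" user="jsmith" method="sso" srcip=10.1.1.20 action="login" status="success"
date=2026-01-20 time=02:14:55 type="event" subtype="system" logdesc="Admin login successful" user="fortigate-support" method="sso" srcip=203.0.113.7 action="login" status="success"
date=2026-01-20 time=02:15:30 type="event" subtype="system" logdesc="Object attribute configured" user="fortigate-support" srcip=203.0.113.7 action="Add" cfgpath="system.admin" cfgobj="svc_backup"
date=2026-01-20 time=02:16:02 type="event" subtype="system" logdesc="Object attribute configured" user="fortigate-support" srcip=203.0.113.7 action="Edit" cfgpath="vpn.ssl.settings" cfgobj="settings"
date=2026-01-20 time=10:30:00 type="event" subtype="system" logdesc="Admin login successful" user="jsmith" method="https" srcip=10.1.1.20 action="login" status="success"
"""

# Matches key="quoted value" or key=barevalue pairs.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict of field -> value."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}


def find_alerts(log_text, known_admins, internal_prefixes=("10.",)):
    """Return (alert_type, user, detail) tuples for the signals described above.

    known_admins: set of admin usernames expected to log in via SSO.
    internal_prefixes: source IP prefixes treated as the trusted admin network.
    """
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        user, src = ev.get("user"), ev.get("srcip", "")
        external = not src.startswith(internal_prefixes)
        # Any admin account being added or edited is worth a human look.
        if ev.get("cfgpath") == "system.admin" and ev.get("action") in ("Add", "Edit"):
            alerts.append(("admin_account_change", user, ev.get("cfgobj")))
        # SSO logins by unknown users, or from outside the admin network.
        if ev.get("action") == "login" and ev.get("method") == "sso":
            if user not in known_admins or external:
                alerts.append(("suspicious_sso_login", user, src))
        # VPN settings changed from an external address (backdoor-style access).
        if ev.get("cfgpath", "").startswith("vpn.") and external:
            alerts.append(("vpn_config_change_from_external", user, ev.get("cfgobj")))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOGS, known_admins={"jsmith"}):
        print(alert)
```

Run against real exports, the same three checks map directly onto the advice above: new admin accounts, unexplained logins and configuration changes that should not have happened.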
ShinyHunters Target SSO Accounts in Voice Phishing Attacks
Breach

🔐 The Securityish Brief: The extortion group ShinyHunters has claimed it used voice phishing to steal Okta single sign on codes and then breach customers including Crunchbase and Betterment. The group says it leaked tens of millions of records containing personal and corporate data and hinted that more unnamed victims were hit in the same campaign.
🔍 The Breakdown:
ShinyHunters says it called employees while pretending to be IT support and guided them through fake login pages.
The group claims over 20 million records from Betterment and around 2 million from Crunchbase were exposed.
Leaked data reportedly includes personally identifiable information and internal corporate documents.
The group suggests that additional companies were compromised but has not yet named them.
📢 Why it matters: Single sign on is convenient because one login unlocks many apps, but that means one successful scam can expose email, customer data and internal tools at once. When an attacker tricks just one person into approving a fake prompt or sharing a code, the impact ripples out to millions of people whose details and accounts sit behind that centralized login.
🛡️ What You Should Do: Treat any unexpected call, text or chat about logins as suspicious and hang up so you can reach your bank, employer or provider through a trusted number or app, and never read multi factor codes aloud or type them into pages you arrived at from a link in a message.
Tesla Hacked at Pwn2Own Automotive 2026 with 37 Zero-Days Exploited
Vulnerability

🔐 The Securityish Brief: At the Pwn2Own Automotive 2026 contest in Tokyo, researchers hacked Tesla’s infotainment system and other car tech using 37 zero day vulnerabilities. The Tesla exploits alone earned more than half a million dollars in prizes and showed that even fully updated vehicles and chargers can still hide serious software flaws.
🔍 The Breakdown:
Pwn2Own Automotive 2026 ran from January 21 to 23 and focused on in car systems and charging gear.
The Synacktiv team chained an information leak issue with an out of bounds write flaw to gain root on Tesla’s infotainment system.
In total, 37 previously unknown vulnerabilities were demonstrated against Tesla and other automotive targets.
Other teams hit popular EV chargers, navigation units and automotive operating systems with remote code execution.
📢 Why it matters: While these demonstrations were run by ethical hackers under responsible disclosure rules, they highlight the need for fast vendor patching and for drivers and fleets to keep car software and charger firmware updated rather than treating vehicles as static appliances.
🛡️ What You Should Do: Check your vehicle menu or app for available updates and install them, especially for infotainment and connectivity features, and do the same for any home or work EV chargers that can get firmware updates. If you manage a fleet or charging sites, track which models you run, subscribe to security bulletins from manufacturers and build software update windows into your normal maintenance cycle so that fixes for issues like these do not sit unused.
💡 Tip Of The Week
Pick one main login, such as your work SSO account or primary email, and spend five minutes reviewing which apps, services and devices have access to it, then remove anything you do not recognize or no longer use.
This reduces the blast radius if that single account is ever abused, since old tools, forgotten phone numbers and unused browser sessions will no longer be able to approve logins or see your data, and most services make this easy to do from a security or connected apps page in their settings.
🧠 Key Terms & Concepts
DynoWiper: A wiper malware strain that deletes files on power sector systems so they may not boot, similar to wiping the hard drive in a laptop until it is rebuilt from backups.
Single sign on (SSO): A login setup where one account unlocks many apps, like using one work username and password to access email, chat and your CRM instead of separate logins.
Zero day vulnerability: A software flaw that attackers can exploit before the vendor has released a fix, such as the bugs demonstrated against Tesla at Pwn2Own.
Voice phishing: A scam where criminals call you pretending to be support or a trusted company so they can talk you into sharing logins, multi factor codes or payments.
Wiper malware: Malicious software designed to destroy data rather than just steal it, often used in politically motivated attacks against governments or infrastructure.
📣 Did you know?
61% of U.S. adults surveyed said they’ve learned their personal data was breached on at least one account (based on ~1,200 respondents in U.S. News’ “Digital Privacy Survey Report 2024”).
