Nation-state operators and ransomware affiliates converged on critical infrastructure this week, targeting utilities, enterprise management platforms, and network edge devices with tactics that exploit trusted authentication mechanisms and kernel-level access.

Russia’s Sandworm deployed a new data-wiping malware against Poland’s power grid on the 10th anniversary of their Ukraine blackout operation. Fortinet confirmed that CVE-2025-59718 exploitation continues even on fully patched firewalls, suggesting bypass techniques or incomplete patches. A new ransomware family called Osiris leveraged BYOVD techniques with the POORTRY driver to disable EDR at kernel level, and CISA added a year-old VMware vCenter RCE to KEV after confirming active exploitation.

The pattern: adversaries aren’t chasing new vulnerabilities. They’re systematically dismantling platform-level trust mechanisms (SSO authentication, signed drivers, hypervisor management) that defenders assume are hardened by default.

Sandworm DynoWiper Attack on Poland’s Power Infrastructure

What happened: Russian GRU-linked threat group Sandworm attempted destructive wiper attacks against Poland’s energy sector on December 29-30, 2025, targeting two combined heat-and-power plants and renewable energy management systems. ESET attributed the attack with medium confidence based on TTP overlaps and timing. The operation executed precisely 10 years after Sandworm’s 2015 Ukraine power grid attack that caused the first malware-facilitated blackout. Polish Energy Minister Milosz Motyka called it the strongest attack on Poland’s energy infrastructure in years, stating it could have disrupted power and heat to 500,000 people if successful. The attack was unsuccessful, but deployment of DynoWiper malware confirms destructive intent.

Technical details that matter:

• Wiper Malware: DynoWiper (detected as Win32/KillFiles.NMO) designed to irreversibly destroy data on targeted systems and render them inoperable
• Attribution Basis: Code overlaps with previous Sandworm destructive campaigns (CaddyWiper against Ukraine 2022, BlackEnergy 2015), similar TTP patterns to established GRU operations
• Target Selection: Two CHP (combined heat and power) plants plus systems managing electricity from wind turbines and photovoltaic farms. Targeting renewable energy management specifically disrupts modern grid balancing
• Symbolic Timing: 10-year anniversary operation signals adversary awareness of their operational history and deliberate messaging to Ukraine/NATO allies
• Attack Surface: Disruption of communication links between renewable installations and power distribution operators, not just generation capacity

Why you should care: Critical infrastructure wiper attacks represent the apex threat for utilities and industrial operators. Unlike ransomware (which needs operational systems to extort payment), wipers exist purely for destruction or geopolitical signaling. Sandworm’s targeting of Poland, a NATO member and Ukraine supporter, demonstrates willingness to conduct destructive operations against allied nations’ infrastructure.

The renewable energy management focus shows attackers understand modern grid dependencies. These systems weren’t designed with adversarial nation-state threat models in mind, yet they’re now single points of failure for grid stability. The 10-year timing pattern suggests Sandworm maintains institutional memory and deliberately times operations for strategic effect, not just opportunistic access.

Key sources:

• https://www.welivesecurity.com/en/eset-research/eset-research-sandworm-cyberattack-poland-power-grid-late-2025/
• https://www.bleepingcomputer.com/news/security/sandworm-hackers-linked-to-failed-wiper-attack-on-polands-energy-systems/
• https://www.zetter-zeroday.com/cyberattack-targeting-polands-energy-grid-used-a-wiper/
• https://www.theregister.com/2026/01/26/moscow_likely_behind_wiper_attack/

Fortinet FortiCloud SSO Bypass: Exploitation Continues on Patched Systems

What happened: Fortinet confirmed on January 23 that CVE-2025-59718 exploitation continues against fully patched FortiGate firewalls, over a month after releasing fixes in early December. Arctic Wolf observed a new wave of automated attacks beginning January 15, creating generic admin accounts with VPN access and exfiltrating firewall configurations within seconds.

Attacks mirror December’s malicious SSO login campaign but now succeed against devices running the latest patched versions, forcing Fortinet to admit “the issue is applicable to all SAML SSO implementations” and promise an additional fix. Nearly 11,000 Fortinet devices with FortiCloud SSO enabled remain exposed online. CISA added CVE-2025-59718 to KEV on December 16 with a one-week federal remediation deadline.

Technical details that matter:

• Root Cause: Improper verification of cryptographic signature (CWE-347) in FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager allowing unauthenticated SAML message forgery when FortiCloud SSO enabled
• Patch Bypass: Original December 9 patches apparently incomplete. Fortinet confirmed January 23 that “exploitation of CVE-2025-59718 has occurred” on fully updated systems, indicating either bypass technique or incomplete remediation
• Attack Pattern: Automated campaigns creating accounts (“vpnuser”, generic names) with VPN access, downloading system configuration files containing hashed credentials via GUI (action=”download” in logs), exfiltration within seconds of successful auth bypass
• Default-Unsafe Configuration: FortiCloud SSO disabled by default in factory settings, but automatically enabled when admins register devices through FortiCare GUI unless explicitly disabled. Many customers unaware of exposure
• IOC Patterns: Arctic Wolf identified malicious SSO logins from hosting providers (199.247.7.82 among others), immediate config downloads, scheduled task creation for persistence
• Scope Expansion: Fortinet broadened advisory to warn “all SAML SSO implementations” vulnerable, not just FortiCloud. Impacts any SAML-based SSO configuration on affected products

Why you should care: This represents authentication system compromise at scale, not just another CVE. Network edge devices (firewalls, VPN concentrators) are the institutional trust boundary, and Fortinet gear protects thousands of enterprises and critical infrastructure organizations. The patch bypass confirms attackers either found additional exploitation vectors or the cryptographic signature verification fix was incomplete, meaning patched organizations remained vulnerable for 6+ weeks while believing they were protected.

Automated attacks extracting firewall configs suggest credential harvesting for broader campaign phases. Configuration files contain VPN settings, internal network topology, authentication databases (even if hashed), and policy rules. The “default-unsafe” behavior (SSO enabled on registration unless manually disabled) means many organizations are exposed without explicitly choosing to enable the feature. For institutions operating edge infrastructure, this is a supply chain trust failure. You can’t defend against SAML authentication bypass at the network perimeter if the perimeter device itself is compromised.

Key sources:

• https://www.bleepingcomputer.com/news/security/fortinet-confirms-critical-forticloud-auth-bypass-not-fully-patched/
• https://arcticwolf.com/resources/blog/arctic-wolf-observes-malicious-sso-logins-following-disclosure-cve-2025-59718-cve-2025-59719/
• https://www.rapid7.com/blog/post/etr-critical-vulnerabilities-in-fortinet-cve-2025-59718-cve-2025-59719-exploited-in-the-wild/
• https://fortiguard.fortinet.com/psirt/FG-IR-25-647

Osiris Ransomware: BYOVD Attacks with POORTRY Driver Target Enterprise

What happened: Security researchers disclosed a new ransomware family called Osiris that targeted a major food service franchisee operator in Southeast Asia in November 2025. Attackers leveraged Bring Your Own Vulnerable Driver (BYOVD) techniques using the POORTRY malicious driver to disable security software at kernel level before deploying encryption. Symantec Threat Hunter Team identified operational overlaps with INC ransomware operators, including identical Mimikatz variants (same filename “kaz.exe”), data exfiltration to Wasabi cloud buckets, and use of modified RustDesk for remote access. Osiris appears to be wielded by experienced attackers who understand EDR evasion through kernel-mode driver abuse rather than typical ransomware affiliate tactics.

Technical details that matter:

• BYOVD Implementation: POORTRY driver (masquerading as Malwarebytes anti-exploit driver) loaded via Stonestop loader to gain kernel-mode access, terminate security processes, and disable EDR before ransomware deployment
• POORTRY Background: Custom-developed attacker driver (not legitimate vulnerable driver) that achieved signing, previously used by Medusa ransomware in 2024-2025. Unlike typical BYOVD attacks using legitimate vulnerable drivers (e.g., Gigabyte, ASRock), POORTRY represents attacker-controlled signed code with kernel privileges
• Toolchain: KillAV deployed for additional security process termination, RDP enabled for remote access, modified RustDesk for persistence and C2, living-off-the-land techniques throughout
• Encryption Scheme: Hybrid crypto combining elliptic curve cryptography with AES-128-CTR, unique key per file, asynchronous I/O for performance, appends “.Osiris” extension
• INC Ransomware Links: Same Mimikatz build/filename, identical exfiltration infrastructure (Wasabi buckets), similar post-exploitation patterns suggest either INC rebrand, affiliate crossover, or shared tooling/operators
• Credential Theft: Mimikatz deployment for credential extraction, likely enabling lateral movement and domain privilege escalation

Why you should care: BYOVD is now the dominant defense evasion technique for ransomware operators targeting enterprise environments. Osiris demonstrates the evolution from commodity ransomware to sophisticated adversary operations that neutralize endpoint security at the kernel level before encryption. POORTRY’s signed status (even if malicious) means it loads in environments with driver signature enforcement, bypassing a key Windows security control. For defenders, this creates a detection gap. Your EDR cannot detect its own termination if the attacker achieves kernel-mode execution first.

The food service franchisee targeting shows these techniques aren’t limited to critical infrastructure or government. Any enterprise with valuable data and modern endpoint protection is a candidate for BYOVD-enabled attacks. The operational links to INC ransomware suggest experienced operators are either launching new brands or affiliates are sharing advanced toolsets across ransomware families, raising the baseline capability level industry-wide.

Key sources:

• https://www.security.com/threat-intelligence/new-ransomware-osiris
• https://thehackernews.com/2026/01/new-osiris-ransomware-emerges-as-new.html
• https://siliconangle.com/2026/01/22/new-osiris-ransomware-reveals-sophisticated-tactics-experienced-attackers/
• https://www.webpronews.com/osiris-ransomware-inc-groups-byovd-attacks-and-mitigation-tips/

The Pattern This Week

Infrastructure trust mechanisms are the new vulnerability class. Sandworm targeted renewable energy management systems that utilities assume are isolated from adversary reach. Fortinet’s SSO bypass exploits SAML authentication, the federated identity protocol enterprises adopted specifically to improve security. Osiris deploys signed drivers with kernel privileges, subverting Windows driver signature enforcement designed to prevent exactly this attack.

The defender’s gap isn’t detection capability. It’s architectural: these platforms (edge devices, hypervisors, kernel drivers, SSO providers) exist at trust boundaries where security controls either don’t apply or can’t function once compromised. You can’t patch FortiGate from behind FortiGate if authentication is already bypassed. You can’t use EDR to detect EDR’s termination at kernel level.

When the platform itself is the attack surface, your security stack is looking in the wrong place.

See you next week.