The internet is still on fire. Here’s what matters this week.
Every week brings “new and exciting” ways for criminals to make a living. This week’s highlights include a residential proxy network getting kneecapped, a Microsoft Office zero-day being actively exploited, MongoDB servers being held ransom at scale, and attackers hijacking exposed AI endpoints like it’s a side hustle.
Below is the short, useful version. The one that helps you reduce risk, not just increase anxiety.
1) Residential Proxy Botnet Disrupted (IPIDEA)
Google took action to disrupt IPIDEA, a large residential proxy network made up of everyday user devices. These proxy networks let attackers hide malicious traffic behind “normal-looking” home IP addresses, which makes detection harder and fraud easier. Google pursued legal action to seize/sinkhole the command-and-control domains, reportedly cutting the available pool by millions of devices.
Why you should care:
If a user installs sketchy “monetize your bandwidth” software (or an app bundles an SDK that does it quietly), your environment can get dragged into someone else’s attack chain.
Quick actions:
- Block known proxy/VPN exit traffic where possible
- Monitor unusual outbound connections
- Lock down browser extensions and “free utility” installs
2) Microsoft Office Zero-Day Patched (CVE-2026-21509)
Microsoft released out-of-band patches for a high-severity Office vulnerability being exploited in the wild. It’s described as a security feature bypass related to OLE mitigations in Microsoft 365 and Office.
Why you should care:
Office is still the world’s favorite delivery mechanism. If you delay patching because “updates are annoying,” the attackers thank you for your service.
Quick actions:
- Patch Microsoft Office / Microsoft 365 apps ASAP
- Tighten attachment handling and block risky file types
- Ensure EDR is active and tamper-protected
3) Ivanti EPMM Zero-Days = Remote Code Execution (CVE-2026-1281 / CVE-2026-1340)
Ivanti shipped patches for two EPMM vulnerabilities exploited as zero-days, allowing unauthenticated remote code execution. A working PoC was reportedly available as of Jan 30, 2026, and the impact is “significant” because EPMM systems can hold sensitive user and device data.
Why you should care:
Any endpoint management server is basically a “keys to the kingdom” box. If it’s exposed, it’s a target.
Quick actions:
- Patch EPMM immediately
- Restrict access to management interfaces (VPN/IP allowlists)
- Review privileged accounts and audit access logs
4) LLM-jacking: Attackers Hijacking Exposed AI Endpoints at Scale
A campaign dubbed Operation Bizarre Bazaar is targeting exposed or misconfigured LLM/MCP endpoints to hijack resources, resell API access, exfiltrate data, and potentially move laterally. Misconfigs called out include:
- Ollama exposed on port 11434 without auth
- OpenAI-compatible APIs on 8000
- Publicly reachable MCP servers
- “Dev/staging” AI systems with public IPs
Access was reportedly being sold via an underground marketplace.
Why you should care:
AI isn’t just a tool. It’s now an attack surface with expensive compute, sensitive prompts, and juicy lateral movement paths.
Quick actions:
- Put AI endpoints behind authentication and network controls
- Add rate limits and cost monitoring
- Log prompts, access, and admin actions (securely)
5) MongoDB Servers Extorted: “Pay BTC or else”
A threat actor targeted misconfigured MongoDB servers to drop ransom notes across more than 1,400 databases, demanding Bitcoin. The recap notes a large number of exposed servers, with thousands reachable without authentication, and many running vulnerable older versions.
Why you should care:
This is not sophisticated. It’s the internet’s version of checking car doors in a parking lot. And it works.
Quick actions:
- Never expose databases directly to the internet
- Enforce authentication + IP restrictions
- Patch and upgrade older MongoDB versions
- Keep backups that are tested and offline-capable
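Sections 4 and 5 share one root cause: a service bound to every interface on a host that can be reached from outside. Here is a small self-audit, added here and not part of the original post, that reads Linux `ss -ltnp` output and flags wildcard binds on the ports named above (the sample output is constructed, and the port-to-service mapping is an assumption based on common defaults):

```python
# Flag services bound to every interface on the ports this week's roundup
# names. Constructed sample of `ss -ltnp` output; feed real output on stdin.
import sys

RISKY_PORTS = {
    11434: "Ollama API (no auth by default)",
    8000: "OpenAI-compatible API (common default)",
    27017: "MongoDB",
}
WILDCARD_HOSTS = {"0.0.0.0", "*", "[::]", "::"}

# Constructed sample, not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       4096    0.0.0.0:11434        0.0.0.0:*          users:(("ollama",pid=1234,fd=3))
LISTEN  0       128     127.0.0.1:27017      0.0.0.0:*          users:(("mongod",pid=2345,fd=12))
LISTEN  0       4096    *:8000               *:*                users:(("uvicorn",pid=3456,fd=5))
LISTEN  0       128     [::]:27017           [::]:*             users:(("mongod",pid=2345,fd=13))
LISTEN  0       128     127.0.0.1:11434      0.0.0.0:*          users:(("ollama",pid=1234,fd=4))
"""


def parse_listeners(ss_output):
    """Yield (host, port, process) for each LISTEN line of `ss -ltnp` output."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")  # handles "[::]:27017" too
        process = fields[5] if len(fields) > 5 else ""
        yield host, int(port), process


def find_exposed(ss_output):
    """Wildcard binds on risky ports; loopback-only binds are skipped because
    only an all-interfaces bind makes the service reachable from the network."""
    return [
        (host, port, RISKY_PORTS[port], process)
        for host, port, process in parse_listeners(ss_output)
        if host in WILDCARD_HOSTS and port in RISKY_PORTS
    ]


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SS_OUTPUT
    for host, port, what, process in find_exposed(data):
        print(f"EXPOSED {host}:{port}  {what}  {process}")
```

A wildcard bind is only a real exposure if no host firewall or network ACL sits in front of it, so treat each finding as a question to answer, not a verdict.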
6) The “Small Stuff” That’s Actually Big Stuff
This week also called out a few tactics worth watching:
- Outlook add-in exfiltration blind spot (especially via OWA) that can avoid typical audit logging in some scenarios
- A Unicode slash trick (division slash ∕ vs /) used to evade link detection filters
- A malicious VS Code extension using creative infrastructure tricks to deliver stealer malware
Why you should care:
Attackers aren’t always “hacking.” Sometimes they’re just exploiting blind spots, trust, and sloppy defaults.
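The Unicode slash trick works because a link filter looking for `://` never sees one when the slashes are U+2215 DIVISION SLASH. This added example (not from the original post) folds look-alike slashes to ASCII before link extraction and reports the URLs that only become visible after folding; the sample message and the `.test` hostnames are constructed:

```python
# Normalize look-alike slash characters before link detection, so a URL
# written with U+2215 DIVISION SLASH matches the same filter as one with "/".
import re
import unicodedata

# Characters that render like "/" but are not U+002F. U+FF0F folds to "/"
# under NFKC; U+2215, U+2044 and U+29F8 do not, so they need an explicit map.
SLASH_LOOKALIKES = {
    "\u2215": "/",  # DIVISION SLASH
    "\u2044": "/",  # FRACTION SLASH
    "\uFF0F": "/",  # FULLWIDTH SOLIDUS
    "\u29F8": "/",  # BIG SOLIDUS
}
URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


def normalize(text):
    """NFKC-fold the text, then map the remaining slash look-alikes to '/'."""
    folded = unicodedata.normalize("NFKC", text)
    return folded.translate({ord(k): v for k, v in SLASH_LOOKALIKES.items()})


def extract_urls(text):
    """Return URLs found in the text after normalization."""
    return URL_RE.findall(normalize(text))


def evasive_urls(text):
    """URLs that only appear once look-alike slashes are normalized.

    A filter applied to the raw text misses exactly these, so they are
    worth flagging on their own for alerting and filter tuning.
    """
    raw = set(URL_RE.findall(text))
    return [u for u in extract_urls(text) if u not in raw]


# Constructed sample message, not a real lure.
SAMPLE = ("Review your invoice at https:\u2215\u2215example.test\u2215pay "
          "or the usual portal https://intranet.example.test/home")

if __name__ == "__main__":
    print("all:", extract_urls(SAMPLE))
    print("evasive:", evasive_urls(SAMPLE))
```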
What We’re Doing About It (SpeakGeek approach)
If you’re a small business, the fix isn’t “buy 14 more tools.” The fix is doing the fundamentals like an adult:
- Aggressive patching for exploited vulnerabilities
- MFA that doesn’t fold under phishing
- Asset inventory (you can’t defend what you don’t know exists)
- Backups you can actually restore
- Monitoring that catches weird behavior early
If you’re in Las Vegas, Henderson, or Pahrump and you want this handled proactively (not “after the panic”), that’s literally what we do at SpeakGeek PCs.
Want a quick checkup?
If you’re not sure whether your environment has any of these exposures (public databases, risky endpoints, weak patch posture), we can run a quick assessment and tell you what’s urgent vs what’s just noise.