DigiCert’s Open-Source Intelligence (OSINT) Report – January 16 – January 22, 2026


Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here.

NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.

Researchers Gain Access to Hacker-Controlled Domain Server via Name Server Delegation Flaw

(TLP: CLEAR) Researchers uncovered a large-scale push-notification fraud ecosystem after identifying domains with improper name-server delegation that left them effectively unmanaged. By registering these misconfigured domains, they gained full visibility into attacker infrastructure and intercepted 57 million logs over 15 days. The captured data showed extensive tracking of victim devices, unencrypted telemetry, and a global operation spanning more than 60 languages, with heavy concentration in South and Southeast Asia. Notification content impersonated financial institutions, exploited current events, and delivered high-volume social-engineering lures—averaging 140 notifications per victim per day. Analysis of the monetization model revealed that the operation relied primarily on impression-based revenue, generating roughly $350 per day across observed domains, while click-through rates were extremely low. The infrastructure was distributed across multiple commercial services—image hosting, tracking, routing, and payment processing—creating a fragmented supply chain that obscured accountability. The findings highlight systemic risks in DNS management, as similar misconfigurations continue to enable domain takeovers that can support fraud, malware distribution, and credential-harvesting operations.

(TLP: CLEAR) Comments: A single DNS configuration issue can unintentionally expose the inner workings of an active online operation. By taking control of domains that were still receiving traffic, researchers were able to observe the scale, geographic distribution, and behavioral patterns of a push-notification campaign in real time. The data they collected highlights how these operations depend on high-volume delivery, multilingual content, and a network of supporting services to maintain reach. This case reinforces the value of monitoring DNS delegation and domain lifecycle management, both for defensive assurance and for identifying opportunities to analyze threat infrastructure when misconfigurations occur.
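The delegation-hygiene check the comment above calls for, as an added example (not code from the article or from Vercara): it flags delegated name servers whose parent domain is unregistered, the condition that let the researchers register their way into the infrastructure, and lame servers that have no address records. FAKE_DNS, REGISTERED and the .test names are constructed; in real use the two lookup helpers would wrap a resolver and an RDAP/WHOIS query.

```python
"""Dangling NS delegation check; added example, not code from the article or Vercara.
Answers come from a constructed in-memory table so it runs offline; in production
the lookup/is_registered helpers would wrap a resolver and an RDAP/WHOIS query."""

# Constructed sample data using reserved .test names (not real infrastructure).
FAKE_DNS = {
    ("healthy.test", "NS"): ["ns1.good-dns.test.", "ns2.good-dns.test."],
    ("partial.test", "NS"): ["ns1.good-dns.test.", "ns1.lapsed-dns.test."],
    ("orphan.test", "NS"): ["ns1.lapsed-dns.test.", "ns2.lapsed-dns.test."],
    ("stale.test", "NS"): ["ns9.good-dns.test."],  # registered parent, host gone
    ("ns1.good-dns.test", "A"): ["192.0.2.10"],
    ("ns2.good-dns.test", "A"): ["192.0.2.11"],
    # No address records for *.lapsed-dns.test: that domain is unregistered.
}
REGISTERED = {"good-dns.test", "healthy.test", "partial.test", "orphan.test", "stale.test"}

def lookup(name, rrtype):
    """Stand-in resolver: records for (name, type), or [] when none exist."""
    return FAKE_DNS.get((name.rstrip(".").lower(), rrtype), [])

def is_registered(domain):
    """Stand-in registration check; real code would query RDAP/WHOIS."""
    return domain.lower() in REGISTERED

def registrable_domain(host):
    """Simplified to the last two labels; real code should use the Public Suffix List."""
    return ".".join(host.rstrip(".").lower().split(".")[-2:])

def check_delegation(zone):
    """Return (nameserver, issue) for each delegated NS that is dangling."""
    findings = []
    for ns in lookup(zone, "NS"):
        host = ns.rstrip(".").lower()
        parent = registrable_domain(host)
        if not is_registered(parent):
            # Anyone who registers the parent can answer for this zone.
            findings.append((host, f"parent domain {parent} is unregistered"))
        elif not lookup(host, "A") and not lookup(host, "AAAA"):
            findings.append((host, "name server has no address records"))
    return findings

def takeover_exposure(zone):
    """'full' if every NS is dangling, 'partial' if some are, else 'none'."""
    servers = lookup(zone, "NS")
    dangling = len(check_delegation(zone))
    if not servers or dangling == 0:
        return "none"
    return "full" if dangling == len(servers) else "partial"

if __name__ == "__main__":
    for zone in ("healthy.test", "partial.test", "orphan.test", "stale.test"):
        print(zone, takeover_exposure(zone), check_delegation(zone))
```

A zone rated "full" resolves entirely through servers nobody controls, which is the takeover condition; "partial" still leaks a share of queries to whoever registers the lapsed domain.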

(TLP: CLEAR) Recommended best practices/regulations: NIST SP 800-53 Rev5 SC-20: “SECURE NAME/ADDRESS RESOLUTION SERVICE (AUTHORITATIVE SOURCE)”: Control:

  • Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and 
  • Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.

(TLP: CLEAR) DigiCert: Digicert’s authoritative DNS solution, UltraDNS, provides one-click DNSSEC protection to ensure the integrity of your DNS against malicious attacks such as cache poisoning and DNS hijacking.

Source: https://cyberpress.org/name-server-delegation-flaw-hacker-domain-access/

NCSC Names and Shames Pro-Russia Hacktivist Group amid Escalating DDoS Attacks on UK Public Services

(TLP: CLEAR) The UK’s National Cyber Security Centre (NCSC) has publicly attributed a wave of escalating distributed denial-of-service (DDoS) attacks against UK public services to pro‑Russia hacktivist activity, warning that the threat is driven by geopolitical ideology rather than financial motivation. The advisory highlights a sustained campaign targeting local government websites, civic services, and public‑facing infrastructure, where service availability is closely tied to public trust. While the attacks are often technically unsophisticated, the NCSC stressed that their operational impact can be significant, disrupting access to essential services and creating recovery and reputational costs for affected organizations. NCSC specifically named the hacktivist collective NoName057(16) as a persistent actor behind many of the recent disruptions. The group has been active since 2022, coordinating attacks primarily through messaging platforms and using a self-developed DDoS tool known as DDoSia, which lowers the technical barrier for participation. Activity attributed to the group has targeted organizations perceived as supporting Western involvement in Ukraine and has extended across multiple European countries. The advisory notes that this form of ideologically motivated hacktivism continues to evolve, with increasing collaboration, reuse of tooling, and attempts to broaden impact beyond temporary website outages. As a result, the NCSC is urging public sector bodies and critical service operators to strengthen DoS resilience measures and treat hacktivist campaigns as a persistent and enduring threat rather than isolated nuisance activity.

(TLP: CLEAR) Comments: The recent surge in denial‑of‑service activity underscores how ideologically motivated hacktivism continues to pose a persistent operational risk, even when individual attacks are relatively low in technical sophistication. The targeting of local government and public‑facing services appears deliberate, aiming to maximize disruption and erode public trust by temporarily denying access to essential digital services. The use of easily distributed tooling and online coordination platforms lowers barriers to participation, enabling loosely affiliated supporters to contribute to sustained attack campaigns. Although these activities are not assessed as centrally state‑directed, they align closely with broader geopolitical objectives, blurring the line between independent hacktivism and state‑aligned influence operations. From a defensive standpoint, the activity reinforces the need for DoS resilience and rapid recovery planning, as prevention alone is unlikely to deter repeat attacks from ideologically driven actors willing to trade technical sophistication for persistence and visibility.

(TLP: CLEAR) Recommended best practices/regulations: UK National Cyber Security Centre “Denial of Service (DoS) Guidance”: We recommend that you:

  • Understand the denial-of-service mitigations that your ISP has in place on your account. If additional mitigations are available, decide whether you want them enabled on your account, or the circumstances under which you could deploy them if an attack was threatened. Examine the service’s SLA for details of any mitigation.
  • Look into third-party DDoS mitigation services that can be used to protect against network traffic-based attacks.
  • Consider deploying a Content Delivery Network for web-based services.
  • Understand when and how your service provider might limit your network access in order to protect their other customers.
  • Consider using multiple service providers for some functionality.

(TLP: CLEAR) DigiCert: Digicert UltraDDoS Protect provides proven and consistent DDoS protection for any of your assets, whether they reside in the cloud, multi-cloud, data center, or hybrid environments. With always-on DDoS protection, you can stop a DDoS attack instantly, and more complex DDoS attacks can be mitigated within seconds.

Source: https://www.itpro.com/security/cyber-attacks/ncsc-names-and-shames-pro-russia-hacktivist-group-amid-escalating-ddos-attacks-on-uk-public-services

Otelier Data Breach Exposes Info, Hotel Reservations of Millions

(TLP: CLEAR) Otelier suffered a significant third-party breach after threat actors used infostealer-harvested employee credentials to access the company’s Atlassian environment and pivot into its AWS S3 storage. Over several months, the attackers exfiltrated roughly 7.8 TB of data containing hotel reservation records, operational documents, nightly audit reports, and internal communications tied to major hospitality brands including Marriott, Hilton, Hyatt, and Wyndham. The actors mistakenly attempted to extort Marriott directly, believing the compromised S3 buckets belonged to the hotel chain, and ultimately lost access only after Otelier rotated credentials in September. The exposed data includes tens of millions of reservation entries and hundreds of thousands of unique email addresses, creating a broad attack surface for downstream phishing, impersonation, and fraud campaigns. While no payment card data or passwords appear to have been compromised, the volume and sensitivity of the operational documents elevate the risk of targeted social engineering and supply-chain exploitation across the hospitality sector. The incident underscores the systemic fragility introduced by infostealer-driven credential compromise, weak internal credential hygiene, and insufficient cloud-access governance—highlighting the need for stricter IAM controls, continuous monitoring, and rigorous third-party risk validation.

(TLP: CLEAR) Comments: The Otelier incident is a textbook example of how infostealer-harvested credentials can unravel an entire SaaS provider’s security posture. The attackers didn’t need to exploit a zero-day or bypass complex defenses—they simply used stolen employee credentials to access Otelier’s Atlassian environment. From there, they found additional credentials stored inside internal tickets and documentation, which allowed them to pivot into Otelier’s AWS S3 buckets. This chain of failures shows a breakdown in credential hygiene, internal access governance, and sensitive-data handling inside collaboration tools. The breach occurred because Otelier relied on static credentials, stored them improperly, and lacked strong detection around cloud-storage access patterns. The result was the exfiltration of 7.8 TB of reservation and operational data tied to major hotel brands, exposing millions of guest records and internal business documents. Even though no payment data or passwords were included, the scale and sensitivity of the operational data significantly elevated downstream risks, particularly phishing, impersonation, fraud, and supply-chain targeting across the hospitality sector. The breach underscores a broader industry problem: third-party vendors often become the weakest link, and infostealer-driven credential compromise continues to be one of the most effective and under-monitored intrusion vectors.

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) DE.CM-01: “Networks and network services are monitored to find potentially adverse events”. One of the ways to detect phishing, malware droppers, and command and control (C2) is at the network level. Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and next-generation firewalls can be used with a protective DNS solution to detect these malicious activities as they traverse the network, even if the initial infection occurs via physical media or on another network such as a hotel or airport.

(TLP: CLEAR) DigiCert: Digicert’s Protective DNS solution, UltraDDR (DNS Detection and Response), filters internal DNS responses for users as well as machines, using both defined categories, including botnet Command and Control (C2), and machine learning to detect previously uncategorized malicious associations and help prevent data exfiltration or malware detonation.

Source: https://www.bleepingcomputer.com/news/security/otelier-data-breach-exposes-info-hotel-reservations-of-millions/

1.2 Billion LinkedIn Users Put on Alert After Policy Violation Threat

(TLP: CLEAR) A new wave of LinkedIn credential-theft attacks is targeting the platform’s 1.2 billion users by abusing the appearance of legitimate “policy violation” warnings. Attackers are replying to user posts with comments that look like official LinkedIn messages, claiming the user has violated platform rules and must “appeal” via an external link. The trick is especially convincing because the threat actors are using LinkedIn’s own URL shortener (lnkd.in), making the malicious links appear authentic and difficult to distinguish from legitimate LinkedIn infrastructure. Once victims click the link, they’re taken to a fake login page designed to harvest account credentials. Compromising a LinkedIn account is particularly valuable because it provides access to professional networks, customers, colleagues, and business contacts, enabling downstream fraud, impersonation, and social-engineering attacks. LinkedIn has acknowledged the malicious activity and says its teams are working to remove the fraudulent posts. Security analysts quoted in the article emphasize that real account moderation actions are typically delivered via email or account dashboards, not through public comment replies, and users should carefully inspect shortened links before interacting with them.

(TLP: CLEAR) Comments: This campaign is a strong reminder that social-engineering tradecraft continues to evolve faster than platform defenses. By abusing LinkedIn’s own URL shortener (lnkd.in), attackers are exploiting a trusted brand signal to bypass user suspicion and automated filtering. That’s a meaningful escalation: threat actors no longer just impersonate LinkedIn. They’re weaponizing LinkedIn’s infrastructure to increase credibility and click-through rates. It mirrors the broader trend of adversaries shifting from email-based phishing to in-platform social engineering, where trust is higher and scrutiny is lower. The attack also highlights how professional-network compromise has become a high-value objective. A stolen LinkedIn account isn’t just a social profile—it’s a pre-built spear phishing platform with access to coworkers, clients, vendors, and executives depending on the account. Once an attacker controls an account, they can pivot into business email compromise, invoice fraud, credential harvesting, and supply-chain targeting with far higher success rates. The fact that these lures are delivered as public comments makes them scalable and difficult for LinkedIn to pre-emptively filter. This is a classic example of attackers exploiting platform trust, user urgency, and brand familiarity to drive credential theft at massive scale.

(TLP: CLEAR) Recommended best practices/regulations: Digicert’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses Cyber Threat Intelligence feeds, domain categories, and other detection engines to assess DNS queries in real time and block domains that are being used for phishing, malware delivery, and malware Command and Control (C2). This reduces the quantity and impact of malware infections.

(TLP: CLEAR) DigiCert: Digicert’s Protective DNS solution, UltraDDR (DNS Detection and Response), supports 4 distinct detection engines to provide Defense in Depth against malware, phishing, and other abuses:

  • The Lists Engine allows UltraDDR customers the ability to bring their own block lists and allow lists for FQDNs, domains, IP addresses, CIDR blocks, and registrars.
  • The Categories Engine uses Digicert-provided Cyber Threat Intelligence feeds in 17 categories. Administrators can enable blocking on a category with just one button click.
  • The Decision Engine uses a multi-petabyte adversarial infrastructure data lake and artificial intelligence techniques to determine if a previously unseen or recently changed domain is malicious in nature.
  • The Ruleset Engine allows administrators the ability to build custom rules to augment and extend the other engines of UltraDDR.

Source: https://www.forbes.com/sites/daveywinder/2026/01/16/12-billion-linkedin-users-put-on-alert-after-policy-violation-attacks/

Traffic Light Protocol (TLP)

Except where noted, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.

About Vercara

The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.

To learn more about Vercara solutions, please contact us.
