10 January 2025

Cyber Security Week in Review: January 10, 2025


Hackers are exploiting critical Ivanti Connect Secure zero-day flaw to deploy malware

Hackers are exploiting a critical zero-day vulnerability (CVE-2025-0282) in Ivanti Connect Secure VPN appliances, disclosed on January 8, 2025. The stack-based buffer overflow flaw affects older versions of Ivanti Connect Secure, Policy Secure, and Neurons for ZTA gateways.

While attacks appear limited to Connect Secure appliances, cybersecurity firm Mandiant revealed the vulnerability has been exploited since mid-December, using the SPAWN malware toolkit and custom malware families ‘Dryhook’ and ‘Phasejam.’

The SPAWN toolkit, linked to the suspected China-based espionage group UNC5337 (part of the larger UNC5221 cluster), includes tools like SPAWNANT, SPAWNMOLE, and SPAWNSNAIL. However, Dryhook and Phasejam have not been linked to any known threat actor. It is possible that the SPAWN toolkit and the Dryhook and Phasejam malware were developed by several separate threat actors. The researchers believe that CVE-2025-0282 is being exploited by multiple threat actors, but there is currently not enough evidence to assess how many are abusing the flaw.

US sanctions a Chinese firm linked to state-sponsored Flax Typhoon hacks

The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced sanctions against Integrity Technology Group, Incorporated (Integrity Tech), a Beijing-based cybersecurity company, for its involvement in multiple computer intrusion incidents targeting US entities. The cyberattacks have been linked to a Chinese state-sponsored Advanced Persistent Threat (APT) group tracked as Flax Typhoon that has been active since at least 2021. According to OFAC, Integrity Tech provided support for Flax Typhoon's malicious cyber activities. Between summer 2022 and fall 2023, the group routinely leveraged infrastructure tied to Integrity Tech during its exploitation campaigns. The group used virtual private network software and remote desktop protocols to infiltrate multiple US and European entities.

High-severity Oracle, Mitel flaws exploited in the wild

The US Cybersecurity and Infrastructure Security Agency (CISA) has added three critical vulnerabilities impacting Mitel MiCollab and Oracle WebLogic Server to its Known Exploited Vulnerabilities (KEV) catalog. The newly added vulnerabilities are CVE-2024-41713, a path traversal vulnerability in Mitel MiCollab that allows an attacker to gain unauthorized and unauthenticated access, and CVE-2024-55550, another path traversal flaw in Mitel MiCollab that could be used by an authenticated attacker with administrative privileges to read local files on the system due to insufficient input sanitization. The third actively exploited vulnerability is CVE-2020-2883, a remote code execution flaw in Oracle WebLogic Server, which can be exploited by an unauthenticated attacker with network access via the IIOP or T3 protocols. Notably, CVE-2024-41713 and CVE-2024-55550 can be chained together, enabling a remote, unauthenticated attacker to read arbitrary files on the server.

In related news, Palo Alto Networks and SonicWall released patches to address a number of vulnerabilities in their Expedition and SonicOS products.

Mirai botnet variant exploits Four-Faith industrial router flaw for DDoS attacks

A new Mirai botnet variant has been exploiting a high-risk vulnerability in Four-Faith industrial routers since November 2024. The botnet has been linked to a massive campaign of distributed denial-of-service (DDoS) attacks, primarily targeting entities across China, Iran, Russia, Turkey, and the United States.

The malware leverages a zero-day vulnerability, tracked as CVE-2024-12856, in Four-Faith router models F3x24 and F3x36. Attackers exploit this command injection flaw in combination with unchanged default credentials to gain initial access. First observed on November 9, 2024, the botnet also uses over 20 known vulnerabilities affecting Huawei routers (CVE-2017-17215), LB-Link devices (CVE-2023-26801), PTZOptics IP cameras (CVE-2024-8956), ASUS routers, Neterbit routers, and Vimar smart home devices.

Additionally, the Ficora and Capsaicin botnets have been observed targeting outdated D-Link routers. Among the targeted models are popular D-Link routers widely used by both individuals and organizations, including the DIR-645, DIR-806, GO-RT-AC750, and DIR-845L. For initial access, the attackers exploit known vulnerabilities such as CVE-2015-2051.

China-affiliated MirrorFace group linked to attacks on Japanese entities

Japan's National Police Agency (NPA) and National Center of Incident Readiness and Strategy for Cybersecurity (NCSC) have accused the China-linked threat actor MirrorFace, also known as Earth Kasha, of orchestrating a persistent cyberattack campaign since 2019. The group, believed to be a sub-group of APT10, primarily targets Japanese organizations to steal information related to national security and advanced technology.

Three major campaigns were observed, one of which (2019-2023) targeted think tanks, governments, politicians, and media using spear-phishing emails to deploy tools like LODEINFO, NOOPDOOR, and LilimRAT.

The second campaign (2023) focused on industries such as semiconductors and aerospace by exploiting vulnerabilities in internet-facing devices to deliver malware like Cobalt Strike Beacon.

The next campaign (2024) was aimed at academia, think tanks, and media and involved spear-phishing emails using ANEL malware.

Also, the Chinese state-backed threat actor known as Silk Typhoon (Hafnium) has been linked to the hack of the US Office of Foreign Assets Control (OFAC) that occurred in December 2024. Silk Typhoon is believed to have stolen a digital key from BeyondTrust, a third-party service provider, and used it to access unclassified information relating to potential sanctions actions and other documents, Bloomberg reported.

CNN reported on Friday that Chinese hackers breached the Committee on Foreign Investment in the US (CFIUS), a government agency that reviews foreign investments for national security risks. The breach appears to be part of a broader hacking campaign targeting the Treasury Department’s unclassified system. CFIUS recently expanded its authority to more closely examine real estate transactions near US military bases, CNN noted.

According to a new Recorded Future report, between July 2023 and December 2024 the China-linked RedDelta threat actor targeted Mongolia, Taiwan, Myanmar, Vietnam, and Cambodia, deploying a customized PlugX backdoor. The attacks used lure documents referencing topics like Taiwan's 2024 presidential candidate Terry Gou, Vietnam's National Holiday, Mongolian flood protection, and ASEAN meeting invitations.

Notable breaches include the Mongolian Ministry of Defense in August 2024 and Vietnam's Communist Party in November 2024. Additionally, RedDelta targeted entities in Malaysia, Japan, the US, Ethiopia, Brazil, Australia, and India from September to December 2024.

Ukrainian hacktivists breach Russian ISP Nodex

Ukrainian hacktivists from the Ukrainian Cyber Alliance announced they breached and wiped the network of Russian ISP Nodex after exfiltrating sensitive data. The hacktivists said they left the ISP’s equipment without backups. Nodex confirmed the attack, describing it as a planned operation likely originating from Ukraine. The breach disrupted Nodex's services, as confirmed by NetBlocks, which reported connectivity issues across the ISP’s fixed-line and mobile networks. Hacktivists also shared screenshots of compromised VMware, Veeam backup, and Hewlett Packard Enterprise systems.

New Playfulghost multifunctional backdoor weaponizes VPN apps

Cybersecurity researchers have discovered a new malware strain dubbed Playfulghost, which comes with a variety of information-gathering capabilities. The malware's features include keylogging, screen capture, audio capture, remote shell access, and file transfer or execution.

According to Google’s Managed Defense team, Playfulghost exhibits functional similarities to Gh0st RAT, a remote administration tool whose source code was publicly leaked in 2008.

NonEuclid RAT exploits UAC bypass and AMSI evasion for stealthy cyberattacks

A sophisticated new remote access trojan (RAT) named ‘NonEuclid’ has been discovered, which allows attackers to seize control of compromised Windows systems while evading detection with advanced techniques.

Developed in C# for the .NET Framework 4.8, NonEuclid leverages features like antivirus bypass, privilege escalation, anti-detection mechanisms, and ransomware encryption.

Threat actors weaponize OAST techniques across npm, PyPI, and RubyGems ecosystems

Socket's threat research team released a report detailing how threat actors are exploiting Out-of-Band Application Security Testing (OAST) techniques to exfiltrate sensitive data and perform remote reconnaissance within developer environments. The malicious activities have been identified across popular package ecosystems, including npm, PyPI, and RubyGems.

Malicious npm campaign targets Ethereum devs with fake Hardhat packages

A sophisticated npm supply chain attack is targeting developers by impersonating Hardhat plugins and the Nomic Foundation to steal sensitive data, including private keys, mnemonics, and configuration details. The ongoing campaign involves malicious npm packages that mimic legitimate plugins.

Banshee Stealer uses advanced string encryption inspired by Apple's XProtect

Check Point Research (CPR) spotted an updated version of the Banshee macOS Stealer, a malware designed to steal browser credentials, cryptocurrency wallets, and sensitive data. The new version employs string encryption inspired by Apple’s XProtect, likely helping it evade antivirus detection. Threat actors distribute Banshee via phishing websites and fake GitHub repositories, often mimicking popular software like Chrome and Telegram. Notably, the update removes a Russian language check, broadening the malware's target scope.

FireScam malware masquerading as fake Telegram Premium app targets Android users

A new Android info-stealer malware called FireScam has been discovered masquerading as a fake Telegram Premium app, distributed via a phishing site hosted on GitHub.io. The phishing site impersonates RuStore, a popular app store widely used in Russia. The FireScam malware exfiltrates sensitive data from infected Android devices, including notifications, messages, and app data, to a Firebase Realtime Database endpoint. FireScam has been described by researchers as a “sophisticated and multifaceted threat” with extensive surveillance capabilities.

New Discord info-stealer campaign targets gamers

A malicious info-stealer campaign targeting gamers is underway. According to a new report from Malwarebytes, the scheme begins with a seemingly innocent direct message (DM) on a Discord server. The message often comes from a purported game developer asking if the recipient is interested in beta testing a new video game. Victims may also receive such requests via text message or email.

To lure victims, the attacker provides a download link and a password for an archive that supposedly contains the game installer. The archives are hosted on various platforms, including Dropbox, Catbox, and even Discord's content delivery network (CDN).

Threat actors use fake PoC to trick victims into downloading info-stealers

Threat actors have crafted a fake proof-of-concept (PoC) exploit for a Microsoft Windows LDAP vulnerability (CVE-2024-49113), targeting security researchers, according to Trend Micro. The fake PoC, linked to a flaw patched in December 2024, is hosted in a malicious repository. When executed, it deploys information-stealing malware to exfiltrate sensitive computer and network data.

New phishing campaign targets PayPal users

A new phishing campaign exploits legitimate PayPal links to deceive victims into granting attackers control of their accounts. The phishing emails mimic genuine PayPal notifications, including transaction details and warnings, and originate from legitimate PayPal addresses, enabling them to bypass security checks. Victims clicking the provided link are directed to an authentic PayPal login page showing a payment request. Upon entering their credentials, users are unknowingly linking their PayPal account to the attacker's email address, effectively handing over account control.
