Cyber Security Week in Review: January 17, 2025


Microsoft patches over 160 vulnerabilities, including 3 actively exploited zero-days

Microsoft rolled out security updates to address more than 160 security flaws across a range of its software. Among the flaws fixed in this month’s batch of updates are three vulnerabilities in the Windows Hyper-V NT Kernel Integration VSP (CVE-2025-21333, CVE-2025-21334, and CVE-2025-21335) actively exploited in attacks. The flaws allow attackers to escalate their privileges to SYSTEM-level access. 

Fortinet firewalls mass exploited, zero-day involved

Arctic Wolf Labs discovered a malicious campaign targeting Fortinet FortiGate firewall devices. The campaign, which has been ongoing since early December, involves unauthorized administrative access to the management interfaces of firewalls, creating new accounts, altering configurations, and exploiting VPN services.

Fortinet released a security advisory detailing an authentication bypass vulnerability (CVE-2024-55591) affecting its FortiOS and FortiProxy products. The flaw can be used by a remote attacker to gain super-admin privileges on the system. The advisory also includes Indicators of Compromise (IoCs) related to the attack campaign as well as a workaround to mitigate the threat: disabling the HTTP/HTTPS administrative interface, or limiting the IP addresses that can reach it via local-in policies.

UK domain registrar Nominet compromised via Ivanti zero-day

UK's official domain registry Nominet has confirmed that its network was breached two weeks ago through a zero-day vulnerability in Ivanti VPN software. The vulnerability in question, CVE-2025-0282, has been actively targeted by threat actors since mid-December 2024. Ivanti confirmed that the flaw was being actively exploited to compromise a limited number of customer systems. The vendor has since released security patches to address the issue.

According to Nominet, the attackers gained access to its network via remote access provided by Ivanti’s VPN software, which is used by Nominet employees for secure system access. The company said that it currently has no evidence of a data breach and that no backdoors were found on its systems.

Critical Aviatrix Controller flaw exploited to install backdoors and cryptominers

A recently disclosed critical security vulnerability in the Aviatrix Controller cloud networking platform is being exploited by threat actors to deploy backdoors and cryptocurrency miners. Tracked as CVE-2024-50603, the flaw allows unauthenticated remote code execution, giving attackers the ability to inject malicious operating system commands.

Threat actors leak VPN credentials for 15K FortiGate devices

A new hacking group called "Belsen Group" has leaked sensitive data from over 15,000 FortiGate devices on the dark web. The leak, which includes configuration files, IP addresses, and VPN credentials, was released for free to promote the group. The data, a 1.6 GB archive organized by country, is believed to be tied to a 2022 zero-day vulnerability (CVE-2022-40684) that was exploited in attacks before a fix was available.

Russia-linked Star Blizzard cyber espionage campaign targets WhatsApp accounts

The Russian cyber espionage group Star Blizzard shifted its tactics in response to a law enforcement takedown of its infrastructure. In mid-November 2024, Microsoft Threat Intelligence observed the group launching a social engineering campaign targeting WhatsApp accounts of individuals in government and policy-related roles, particularly those involved in international relations with Russia. The shift in tactics follows the takedown of over 100 of the group's websites in October 2024.

Star Blizzard's latest spear-phishing campaign introduces a novel approach by targeting WhatsApp for the first time. However, it still follows the familiar tactics, techniques, and procedures (TTPs) previously seen in their attacks. The campaign begins with an email sent to the target to establish initial contact, followed by a second message containing a malicious link. The threat actor uses a sender address that impersonates a US government official, continuing their pattern of impersonating well-known political and diplomatic figures to increase the likelihood of target engagement.

Separately, cybersecurity firm Sekoia released a report detailing a series of sophisticated attacks against Kazakhstan attributed to the intrusion set UAC-0063 associated with Russian cyber espionage campaigns targeting government institutions in Central Asia, East Asia, and Europe. The threat actor is believed to share overlapping tactics, techniques, and procedures with APT28 (aka Fancy Bear, Sofacy, and Sednit), a notorious Russian state-sponsored hacking collective affiliated with the General Staff Main Intelligence Directorate (GRU). The most recent campaign linked to UAC-0063 involves sophisticated spear-phishing attacks leveraging custom malware strains known as HATVIBE and CHERRYSPY.

Ukraine's State Service for Special Communications and Information Protection (SSSCIP) reported that threat actors are increasingly exploiting legitimate services in Ukraine to carry out their malicious activities, with attacks mainly attributed to Russia-linked hacker groups. Most of the cyberattacks targeting Ukraine over the past year were intended for espionage, financial theft, or to inflict psychological damage. The attacks were predominantly carried out by three Russian-affiliated hacker groups: UAC-0010, UAC-0006, and UAC-0050.

North Korean Nickel Tapestry group linked to fraudulent crowdfunding campaigns

The North Korean state-sponsored threat actor tracked as Nickel Tapestry has been linked to fake crowdfunding activity, extending beyond the fraudulent IT worker operations (run both by individuals and through front companies) that help North Korea evade sanctions and generate revenue for its weapons program.

Secureworks’ investigation revealed that Nickel Tapestry orchestrated a scam on the IndieGoGo crowdfunding platform in 2016, promoting a portable wireless memory device called ‘Kratos.’ While the campaign successfully garnered around $20,000 from backers, complaints from supporters suggest that they never received the product nor any refunds.

According to a recent joint advisory from the US, Japan, and the Republic of Korea, North Korean hackers stole around $660 million in cryptocurrency in 2024. DPRK’s hackers were behind at least five cryptocurrency heists last year, including the $308 million DMM Bitcoin theft, the $50 million Upbit heist, the theft of $16.13 million from Rain Management, $235 million from WazirX, and $50 million from Radiant Capital.

Earlier this week, the US Treasury Department sanctioned a network linked to North Korea's Ministry of National Defense for generating revenue through illegal remote IT work schemes. The sanctions target North Korean front companies Korea Osong Shipping Co. and Chonsurim Trading Corporation, along with their leaders, Jong In Chol and Son Kyong Sik. Additionally, the Treasury sanctioned Liaoning China Trade, a Chinese company that supplied electronics to a North Korean weapons-trading entity, Department 53, which also generates revenue through IT and software development fronts.

Over 4K active hacker backdoors found in expiring or abandoned domains

Security researchers discovered and hijacked over 4,000 unique web backdoors that had been deployed by various threat actors. The backdoors, which had been abandoned or were reliant on expired infrastructure, were seized and sinkholed by WatchTowr Labs through the purchase and registration of over 40 domain names that these backdoors used for command-and-control (C2) communications. The firm managed to gain control of the compromised systems for as little as $20 per domain.

Global brute-force attacks target Microsoft 365 accounts using FastHTTP Go library

A coordinated cyberattack targeting Microsoft 365 accounts worldwide has been detected, utilizing the FastHTTP Go library to launch high-speed brute-force password attacks. The campaign, which was discovered on January 13, 2025, is primarily aimed at the Azure Active Directory Graph API. The attackers are using the FastHTTP framework, a high-performance HTTP server and client library in the Go programming language, to efficiently execute their brute-force attacks.

A separate report from Sekoia details a new adversary-in-the-middle (AitM) phishing kit, named Sneaky 2FA, capable of stealing both credentials and two-factor authentication (2FA) codes from compromised Microsoft 365 accounts. Discovered by the French cybersecurity company in December 2024, the kit has been active since at least October 2024. As of January 2025, nearly 100 domains hosting Sneaky 2FA phishing pages have been uncovered. The kit is sold as part of a phishing-as-a-service (PhaaS) offering by the cybercrime group "Sneaky Log," which operates through a sophisticated Telegram bot.

Massive botnet abuses misconfigured DNS records to deliver malware

A new botnet, comprising 13,000 hijacked MikroTik devices, has been leveraging a misconfiguration in domain name system (DNS) records to bypass email protections and distribute malware through spoofed emails. The attack exploits a flaw in the Sender Policy Framework (SPF) used to authenticate email senders by listing all authorized servers.

According to DNS security firm Infoblox, the threat actor took advantage of SPF records with an overly permissive configuration—specifically the "+all" option, which allows any server to send emails on behalf of a domain. This made it easy for attackers to spoof legitimate email addresses and deliver malicious payloads.
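The "+all" misconfiguration described above can be caught by inspecting a domain's SPF TXT record. The following checker is an added example, not code from the page or from Infoblox; it takes the record text as input (no DNS lookup) and flags an "all" mechanism whose qualifier lets unlisted hosts pass, plus two related mistakes.

```python
# Qualifier prefixes defined by RFC 7208; a mechanism with no prefix means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_spf(txt):
    """Split an SPF TXT record into (qualifier, mechanism) pairs and a modifier dict."""
    fields = txt.split()
    if not fields or fields[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms, modifiers = [], {}
    for term in fields[1:]:
        if "=" in term:                       # modifiers look like redirect=... or exp=...
            key, value = term.split("=", 1)
            modifiers[key.lower()] = value
        elif term[0] in QUALIFIERS:
            terms.append((term[0], term[1:].lower()))
        else:
            terms.append(("+", term.lower()))  # bare "all" is the same as "+all"
    return terms, modifiers

def assess_spf(txt):
    """Return findings about how the record treats senders it does not list explicitly."""
    terms, modifiers = parse_spf(txt)
    findings = []
    all_positions = [i for i, (_, mech) in enumerate(terms) if mech == "all"]
    if not all_positions:
        if "redirect" not in modifiers:
            findings.append("no 'all' mechanism and no redirect: unlisted senders are neutral")
        return findings
    first = all_positions[0]
    qualifier = terms[first][0]
    if qualifier == "+":
        findings.append("'+all' returns pass for any sending host: the domain is freely spoofable")
    elif qualifier == "?":
        findings.append("'?all' is neutral: unlisted hosts are neither passed nor failed")
    if first < len(terms) - 1:
        findings.append("mechanisms after 'all' are never evaluated")
    return findings

# Constructed sample records (not taken from the page) covering the cases above.
SAMPLE_RECORDS = {
    "permissive": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net +all",
    "neutral": "v=spf1 mx ?all",
    "strict": "v=spf1 ip4:192.0.2.10 -all",
    "dead_tail": "v=spf1 all ip4:203.0.113.5",
}

if __name__ == "__main__":
    for name, record in SAMPLE_RECORDS.items():
        print(name, "->", assess_spf(record) or ["ok"])
```

The checker only reads the record it is given, so a "+all" hidden inside an include: target is not seen; resolve includes separately before trusting a clean result.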

Imperva researchers discovered a new campaign targeting web servers running PHP-based applications to promote gambling platforms in Indonesia. The attackers are using a Python client to send millions of requests with a command to install GSocket (Global Socket), an open-source tool that allows two users behind NAT or firewalls to establish secure TCP connections. The attackers interact with compromised servers by exploiting pre-existing webshells and sending high volumes of requests to common webshell paths using known parameters.

Codefinger hackers target Amazon S3 buckets with encryption attacks

Cybercriminals have begun leveraging Amazon Web Services (AWS) cloud storage tools to lock companies out of their data. The attacks, which began surfacing in early December, rely on AWS's Server-Side Encryption with Customer-Provided Keys (SSE-C) feature, allowing attackers to lock victims out of their own cloud-stored files by encrypting them with encryption keys they have stolen from the targeted organizations. The hackers begin by gaining access to a victim's AWS account, typically through stolen credentials or by exploiting compromised AWS keys. Once inside, they obtain the necessary encryption keys and initiate the encryption process on the victim’s S3 bucket data.

Global police op removes Chinese-backed PlugX malware from thousands of infected PCs

The US authorities together with French law enforcement conducted a multi-month operation aimed at dismantling a Chinese state-sponsored hacking group’s malware campaign. The operation successfully deleted the notorious “PlugX” malware from thousands of compromised computers worldwide. The malware campaign has been attributed to a China-backed threat actor tracked as Mustang Panda or Twill Typhoon. The group utilized a customized version of PlugX malware to infiltrate and remotely control victim computers, harvesting sensitive data and executing surveillance on targeted systems.

US charges operators of Blender and Sinbad cryptomixers

US authorities charged Roman Ostapenko, Alexander Oleynik, and Anton Tarasov for their involvement in running cryptocurrency mixers Blender.io and Sinbad.io allegedly used by criminals to launder funds tied to theft, ransomware, and other cybercrimes. Roman Ostapenko, 55, of Russia, faces one count of conspiracy to commit money laundering and two counts of operating an unlicensed money transmitting business. Alexander Oleynik, 44, also from Russia, and Anton Tarasov, 32, are each charged with one count of conspiracy to commit money laundering and one count of operating an unlicensed money transmitting business. Ostapenko and Oleynik were arrested on December 1, 2024, following a year-long investigation and the seizure of Sinbad.io’s online infrastructure. Currently, Tarasov remains at large.

Microsoft takes legal action against hackers exploiting AI for malicious purposes

Microsoft announced that it is taking legal action against a threat actor accused of operating a “hacking-as-a-service” infrastructure designed to bypass the safety controls of its generative artificial intelligence (AI) services, such as Azure OpenAI Service. The tech giant alleges that the group exploited the services to create harmful and offensive content, in violation of the company’s terms of use and security protocols. The group reportedly developed software to exploit exposed customer credentials scraped from public websites. Using these credentials, the group accessed generative AI services, like DALL-E, and manipulated the system to produce harmful content, including violent or inappropriate images. Microsoft claims that the group then monetized this access by selling the generated services to other malicious actors.

TikTok, AliExpress, SHEIN, Temu, WeChat, and Xiaomi accused of illegally sending data to China

Austrian privacy non-profit None of Your Business (noyb) has filed complaints against companies like TikTok, AliExpress, SHEIN, Temu, WeChat, and Xiaomi, accusing them of violating EU data protection laws by unlawfully transferring user data to China. Noyb seeks an immediate halt to these transfers, arguing that these companies can’t protect user data from potential access by the Chinese government. The complaints have been lodged in Austria, Belgium, Greece, Italy, and the Netherlands.
