Cybersecurity Week in Review: January 24, 2025

SonicWall SMA zero-day exploited in attacks

A zero-day vulnerability in SonicWall Secure Mobile Access (SMA) 1000 Series appliances is being exploited in the wild. The flaw (CVE-2025-23006) affects the Appliance Management Console (AMC) and Central Management Console (CMC) of the SMA 1000 series and is described as a deserialization of untrusted data issue that, under certain conditions, could allow an attacker to trigger the execution of arbitrary OS commands. Version 12.4.3-02804 (platform-hotfix) and earlier are affected; SonicWall has released a fix in version 12.4.3-02854 (platform-hotfix) and higher.
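The only concrete data the advisory gives a defender is the pair of version strings above, and the usual mistake when triaging a fleet is to compare them as strings rather than as numbers (the build number is zero-padded, so a string compare of "02854" against "10000" gives the wrong answer). The following is an added example, not SonicWall's code or the page's own, that parses the "major.minor.patch-build" format shown in the advisory and classifies a reported firmware version against the affected and fixed boundaries. The version string format is inferred from the two values quoted above; how you obtain the version from the appliance is outside what the page states.

```python
import re
from typing import Tuple

# Boundaries named in SonicWall's advisory for CVE-2025-23006 (SMA 1000 AMC/CMC).
LAST_VULNERABLE = "12.4.3-02804"   # "and earlier versions" are affected
FIRST_FIXED = "12.4.3-02854"       # "and higher versions" carry the fix

# Assumed format, inferred from the two strings above: major.minor.patch-build,
# where the build number is zero-padded and may be absent on some displays.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.patch-build' into a tuple of integers.

    Comparing integer tuples avoids the lexicographic trap: as strings,
    '12.4.3-10000' < '12.4.3-02854', but as numbers 10000 > 2854.
    A missing build number is treated as 0 (i.e. older than any hotfix).
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build or 0))


def is_vulnerable(version: str) -> bool:
    """True if the firmware is at or below the last build the advisory lists as affected."""
    return parse_version(version) <= parse_version(LAST_VULNERABLE)


def is_patched(version: str) -> bool:
    """True if the firmware is at or above the first build the advisory lists as fixed."""
    return parse_version(version) >= parse_version(FIRST_FIXED)


def assess(version: str) -> str:
    """Classify a reported version; builds between the two boundaries are not named
    in the advisory, so they are reported separately and should be treated as vulnerable
    until the vendor says otherwise."""
    if is_patched(version):
        return "patched"
    if is_vulnerable(version):
        return "vulnerable"
    return "unclassified"


if __name__ == "__main__":
    # Constructed inventory, not real appliance data.
    for v in ["12.4.3-02804", "12.4.2-05000", "12.4.3-02854", "12.4.3-10000", "12.4.3-02820"]:
        print(f"{v:>14}  {assess(v)}")
```

Anything that comes back "vulnerable" or "unclassified" should be patched, and since the flaw is being exploited, the management consoles should also be reviewed for signs of compromise rather than only upgraded.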

Cisco has also disclosed several vulnerabilities, among them a privilege escalation flaw in Cisco Meeting Management (CVE-2025-20156) and a heap-based buffer overflow in ClamAV (CVE-2025-20128). Exploiting the latter could terminate the ClamAV scanning process on endpoints running the Cisco Secure Endpoint Connector, leaving them without malware scanning. Cisco has confirmed that proof-of-concept (PoC) exploit code for CVE-2025-20128 is already available, but there is currently no evidence that it is being actively exploited.

AIRASHI DDoS botnet exploits a zero-day vulnerability in cnPilot routers

Threat actors have been exploiting an unspecified zero-day vulnerability in Cambium Networks' cnPilot routers to deploy a variant of the AISURU botnet malware, now dubbed AIRASHI. According to cybersecurity firm QiAnXin XLab, the attacks have been active since June 2024. In addition to the cnPilot routers, the AIRASHI botnet has also been exploiting vulnerabilities in other network devices, including Zyxel firewalls, DrayTek and Linksys routers, AVTECH IP cameras, LILIN DVRs, and Shenzhen TVT products.

In a separate report, cybersecurity firm Qualys detailed a new variant of Mirai botnet malware, which targets known vulnerabilities in AVTECH IP cameras and Huawei HG532 routers to gain access to these devices and ensnare them into a vast network of compromised systems.

Content delivery network provider Cloudflare said it detected the largest DDoS attack it has observed to date, peaking at 5.6 terabits per second. The attack, launched from a Mirai-based botnet of around 13,000 compromised devices, was aimed at an internet service provider (ISP) in Eastern Asia. The UDP-based flood lasted 80 seconds and was mitigated with no impact on the target.

Additionally, the US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint advisory about active exploitation of chained vulnerabilities in Ivanti Cloud Service Appliances (CSA). The vulnerabilities (CVE-2024-8963, CVE-2024-9379, CVE-2024-8190, and CVE-2024-9380) were used by attackers in September 2024 to breach systems, execute remote code, steal credentials, and deploy webshells on victim networks.

The attackers employed two exploit chains: one combined CVE-2024-8963 (an administrative bypass) with CVE-2024-8190 and CVE-2024-9380 (both remote code execution vulnerabilities), while the second chain paired CVE-2024-8963 with CVE-2024-9379, an SQL injection vulnerability. These vulnerabilities allowed attackers to gain unauthorized access and execute malicious actions on affected systems.

China-aligned PlushDaemon APT linked to 2023 VPN supply chain attack

A previously undocumented advanced persistent threat (APT) group, dubbed “PlushDaemon,” has orchestrated a sophisticated supply chain attack targeting a South Korean virtual private network (VPN) provider in 2023. The campaign involved the compromise of the installer for the VPN software, which was used to deploy a highly advanced backdoor dubbed ‘SlowStepper.’

The attackers replaced a legitimate installer with a malicious version that not only installed the VPN software but also planted the SlowStepper backdoor, giving the attackers persistent access to infected systems. SlowStepper is described as a toolkit that includes over 30 modules written in a mix of C++, Python, and Go, allowing attackers to execute a wide range of malicious activities on compromised networks.

Russian Sandworm APT resumes wiper attacks

The Russia-linked threat actor tracked as Seashell Blizzard (aka Sandworm and APT44) has been observed resuming the use of the WalnutWipe and SharpWipe wipers and expanding the use of the Prickly Pear malware downloader. The group has been conducting spear-phishing campaigns against the European energy sector.

N.Korean IT workers steal sensitive data from their employers and use it for extortion

The FBI has issued a warning about North Korean IT workers involved in schemes to steal sensitive data from their employers, which is then used for extortion. The workers, often hired remotely by US companies, exfiltrate proprietary data and hold it hostage, demanding ransom. In some cases, if the ransom is not paid, the stolen data is made public. The US Justice Department has indicted two North Koreans and three accomplices for a multi-year fraudulent remote IT work operation that targeted over 60 U.S. companies. The FBI has observed an escalation in the tactics used by these workers, including copying company code to personal cloud accounts and attempting to harvest sensitive credentials for further access and compromise.

Separately, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) imposed sanctions on two Chinese cyber actors involved in high-profile cyberattacks targeting US government systems and critical infrastructure.

North Korean Lazarus Group targets software devs in Operation 99 campaign

Security researchers have uncovered a new malicious campaign orchestrated by the notorious Lazarus Group, a North Korean state-sponsored hacking collective known for its global cyber-espionage operations. The campaign, dubbed 'Operation 99,' was first spotted on January 9 and is currently targeting software developers across the globe.

Operation 99 is designed to infiltrate developer environments and steal highly sensitive information, including source code, configuration files, API keys, and cryptocurrency wallet credentials.

Sophisticated malware campaign is targeting Chinese-speaking regions

Cybersecurity experts spotted a series of cyberattacks that have specifically targeted Chinese-speaking regions, including Hong Kong, Taiwan, and Mainland China. The attacks involve a multi-stage infection chain that delivers the ValleyRAT malware through a loader called PNGPlug. ValleyRAT, a Remote Access Trojan (RAT) that has been observed in the wild since 2023, gives attackers unauthorized control over infected machines. Recent versions of the malware feature capabilities such as capturing screenshots and clearing Windows event logs, making it a highly effective tool for espionage and data exfiltration.

GamaCopy mimics FSB-linked Gamaredon APT to launch attacks on Russia

A new cyber-espionage group, GamaCopy (aka Core Werewolf), has been using military-themed bait to launch attacks on Russian organizations, emulating the tactics of the notorious Russian hacking group Gamaredon. The campaign, which has been ongoing since June 2023, has targeted critical sectors in Russia, including defense and infrastructure, with the goal of stealing sensitive information.

In a separate report, researchers shared new details about infrastructure used by the Ghostwriter threat actor (aka UNC1151 and UAC-0057) to launch cyber attacks, primarily targeting Ukraine and other Eastern European countries.

A recent report from Recorded Future details the tactics of Crazy Evil, a Russian crypto scamming group known for its sophisticated methods. Operating as a "traffer team," Crazy Evil redirects legitimate traffic to malicious landing pages using social engineering techniques. Since 2021, the group has focused on targeting cryptocurrencies, NFTs, smart contracts, and web3 projects. The gang’s malicious activities include stealing digital assets, committing identity fraud, and spreading info-stealers across social media platforms.

Threat actors are impersonating Ukraine’s CERT using AnyDesk

Ukraine's Government Computer Emergency Response Team (CERT-UA), operating under the State Special Communications Service, has issued a warning about multiple incidents in which cybercriminals impersonated the CERT-UA team using the AnyDesk remote access software. In these cases, the threat actors sent AnyDesk connection requests while falsely claiming to represent CERT-UA, using the name "CERT.UA" along with its logo and the AnyDesk ID "1518341498" (which could vary). In their communications, the impersonators stated that they were conducting a "security audit to assess the level of protection." CERT-UA notes that it does not initiate unsolicited remote access sessions, so any such request should be treated as malicious and verified through official channels.

New Android malware linked to Indian DoNot Team APT

CYFIRMA researchers have uncovered an Android malware campaign, which they have traced back to the Indian APT (Advanced Persistent Threat) group, known as DoNot Team. The malware, named Tanzeem and Tanzeem Update, was first detected by CYFIRMA in October and December 2024, respectively. Both versions of the malware share similar code with only minor differences, such as variations in the user interface and color schemes.

New STAC5143 and STAC5777 ransomware campaigns using email bombing, Microsoft Teams vishing

Sophos researchers have detailed two new ransomware campaigns targeting corporate organizations, which use deceptive tactics to trick victims into providing remote access to their machines. Tracked as STAC5143 and STAC5777, the campaigns are designed to overwhelm victims with massive volumes of spam emails, sometimes reaching up to 3,000 in less than an hour. Victims are then contacted via Microsoft Teams by someone pretending to be from the company's IT department, offering supposed assistance. The attacker encourages the victim to install remote access software, such as Quick Assist, or to enable screen sharing via Teams. This enables the attacker to take control of the victim's machine and install malware, which is typically used for data theft and extortion.
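The email bombing that opens these intrusions is the one loud, measurable part of the chain: thousands of messages to a single mailbox in under an hour is far outside any normal baseline, and it typically precedes the Teams call by minutes. The following is an added example, not Sophos' detection logic or code from the page, that runs a sliding-window rate check over mail-gateway log lines and flags recipients whose inbound volume crosses a threshold within the window. The log format, the recipient addresses, the threshold and the sample data are all constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Tuple

# Assumed tuning values: the page reports bursts of up to 3,000 messages in under
# an hour, so a 60-minute window with a threshold well below that catches the
# burst early while staying above a busy mailbox's normal hourly volume.
WINDOW = timedelta(minutes=60)
THRESHOLD = 200

Alert = Tuple[datetime, int, int]  # (time first crossed, messages in window, distinct senders)


def parse_line(line: str) -> Tuple[datetime, str, str]:
    """Parse one constructed mail-gateway line: '<ISO time> to=<rcpt> from=<sender>'."""
    ts_s, to_s, from_s = line.split()
    if not (to_s.startswith("to=") and from_s.startswith("from=")):
        raise ValueError(f"unexpected line format: {line!r}")
    return datetime.fromisoformat(ts_s), to_s[len("to="):], from_s[len("from="):]


def detect_email_bombing(lines: Iterable[str],
                         window: timedelta = WINDOW,
                         threshold: int = THRESHOLD) -> Dict[str, Alert]:
    """Flag recipients receiving >= threshold messages within any `window`.

    Events are sorted by time so out-of-order log delivery does not matter.
    One alert per recipient: the first moment the count crosses the threshold,
    with the number of distinct senders in that window (email bombing usually
    abuses many unrelated mailing lists, so this is high; a single runaway
    sender is a different, usually benign, problem).
    """
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerts: Dict[str, Alert] = {}
    for ts, rcpt, sender in sorted(parse_line(l) for l in lines):
        q = recent[rcpt]
        q.append((ts, sender))
        while q and ts - q[0][0] > window:      # drop events older than the window
            q.popleft()
        if rcpt not in alerts and len(q) >= threshold:
            alerts[rcpt] = (ts, len(q), len({s for _, s in q}))
    return alerts


def constructed_sample_log() -> List[str]:
    """Constructed sample: one mailbox bombed from 300 distinct senders over 20 minutes,
    another receiving ordinary traffic. Not real log data."""
    base = datetime(2025, 1, 20, 9, 0, 0)
    lines = []
    for i in range(300):                            # one message every 4 seconds
        t = base + timedelta(seconds=4 * i)
        lines.append(f"{t.isoformat()} to=alice@corp.example from=news{i}@list{i}.test")
    for i in range(30):                             # one message every 30 minutes
        t = base + timedelta(minutes=30 * i)
        lines.append(f"{t.isoformat()} to=bob@corp.example from=colleague{i % 3}@partner.test")
    return lines


if __name__ == "__main__":
    for rcpt, (ts, count, distinct) in detect_email_bombing(constructed_sample_log()).items():
        print(f"{ts.isoformat()}  {rcpt}: {count} messages in window from {distinct} distinct senders")
```

An alert on its own is a nuisance ticket; the response playbook in these campaigns is to warn the flagged user immediately that any "IT support" call over Teams, and any request to run Quick Assist or share their screen, is the next step of the attack, and to check whether an external Teams contact has already reached them.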

US President Trump grants full pardon to Silk Road founder Ross Ulbricht

US President Donald Trump on Tuesday announced he has granted a “full and unconditional pardon” to Ross Ulbricht, the convicted creator of the Silk Road, a notorious online black market that facilitated the trade of illegal drugs and other illicit goods. Ulbricht has spent over a decade behind bars after being sentenced to life in prison without the possibility of parole for his role in running the marketplace.

In other news, Conor Fitzpatrick, also known as "Pompompurin," the founder of the cybercrime platform BreachForums, will be re-sentenced after an appellate court overturned a previous district court decision that handed him a light sentence. Fitzpatrick had pleaded guilty to charges including possession of child pornography and conspiracy to traffic in stolen personal data. Initially, he was sentenced to just 17 days in prison and 20 years of supervised release, with the court citing his young age (21) and autism spectrum disorder diagnosis as factors that would complicate his treatment in prison.

Fitzpatrick, arrested in 2023, had run BreachForums, which was involved in stealing sensitive data, including from the FBI and Washington D.C.'s healthcare marketplace. After his guilty plea, he violated the terms of his release by accessing the internet and engaging in Discord chatrooms, where he denied his guilt, joked about selling data to foreign governments, and discussed hacking targets. The prosecution recommended a prison sentence of at least 188 months, but the judge imposed no additional prison time beyond the 17 days Fitzpatrick had already served. The appellate court’s decision means Fitzpatrick will now face a new sentencing hearing.

Europol's largest-ever operation seizes millions in criminal assets worldwide

Europol has announced its largest-ever operation has resulted in the seizure of millions in criminal assets worldwide. The operation, known as Project A.S.S.E.T. (Asset Search and Seize Enforcement Taskforce), wrapped up on January 17, 2025, after a joint effort involving more than 80 financial experts and 43 law enforcement agencies across 28 countries. The global operation uncovered 53 properties, eight of which were valued at 38.5 million euros ($40 million). Additionally, investigators traced over 220 bank accounts, including one with a balance of $5.6 million. Authorities also uncovered 83 crypto wallets and addresses linked to criminal organizations. Among the assets seized were 15 companies and over 20 luxury yachts, alongside high-end vehicles, all valued at hundreds of thousands of dollars.
