Cyber Threat Intelligence 09 January 2025
Industrial Sector
- Cyber Threats Rising: US Critical Infrastructure Under Increasing Attack In 2025
"As we enter 2025, the frequency and sophistication of cyberattacks on critical national infrastructure (CNI) in the US are rising at an alarming rate. These attacks target the foundational systems that support everything from energy and water to transportation and communications, and the consequences are far-reaching and potentially catastrophic. They impact not just the operations of these services but also the very way of life for affected populations."
https://www.tripwire.com/state-of-security/cyber-threats-rising-us-critical-infrastructure-under-increasing-attack
Vulnerabilities
- Critical Vulnerabilities Found In Fancy Product Designer Plugin
"This blog post is about Fancy Product Designer plugin vulnerabilities. If you’re a Fancy Product Designer user, please delete or deactivate the plugin until the patch is released by the vendor."
https://patchstack.com/articles/critical-vulnerabilities-found-in-fancy-product-designer-plugin/
https://www.bleepingcomputer.com/news/security/unpatched-critical-flaws-impact-fancy-product-designer-wordpress-plugin/
- Ivanti Warns Of New Connect Secure Flaw Used In Zero-Day Attacks
"Ivanti is warning that hackers exploited a Connect Secure remote code execution vulnerability tracked as CVE-2025-0282 in zero-day attacks to install malware on appliances. The company says it became aware of the vulnerabilities after the Ivanti Integrity Checker Tool (ICT) detected malicious activity on customers' appliances. Ivanti launched an investigation and confirmed that threat actors were actively exploiting CVE-2025-0282 as a zero-day. CVE-2025-0282 is a critical (9.0) stack-based buffer overflow bug in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 that allows an unauthenticated attacker to remotely execute code on devices."
https://www.bleepingcomputer.com/news/security/ivanti-warns-of-new-connect-secure-flaw-used-in-zero-day-attacks/
https://www.cisa.gov/news-events/alerts/2025/01/08/ivanti-releases-security-updates-connect-secure-policy-secure-and-zta-gateways
https://therecord.media/ivanti-warns-of-hackers-exploiting-new-vulnerability
https://www.securityweek.com/ivanti-warns-of-new-zero-day-attacks-hitting-connect-secure-product/
https://www.helpnetsecurity.com/2025/01/08/ivanti-exploited-connect-secure-zero-day-cve-2025-0282-cve-2025-0283/
- Chrome 131, Firefox 134 Updates Patch High-Severity Vulnerabilities
"Google and Mozilla on Tuesday announced the release of fresh security updates that patch several high-severity vulnerabilities in their popular browsers. Google has released a Chrome 131 update that resolves four security defects, including a high-severity type confusion flaw in the V8 JavaScript engine reported by an external researcher. Tracked as CVE-2025-0291, the externally reported issue earned the reporting researcher a $55,000 bug bounty reward, which suggests that an attacker could exploit it to execute arbitrary code remotely."
https://www.securityweek.com/chrome-131-firefox-134-updates-patch-high-severity-vulnerabilities/
- SonicWall Urges Admins To Patch Exploitable SSLVPN Bug Immediately
"SonicWall is emailing customers urging them to upgrade their firewall's SonicOS firmware to patch an authentication bypass vulnerability in SSL VPN and SSH management that is "susceptible to actual exploitation." In an email sent to SonicWall customers and shared on Reddit, the firewall vendor says the patches are available as of yesterday, and all impacted customers should install them immediately to prevent exploitation."
https://www.bleepingcomputer.com/news/security/sonicwall-urges-admins-to-patch-exploitable-sslvpn-bug-immediately/
https://securityaffairs.com/172823/security/sonicwall-sonicos-authentication-bypass-flaw.html
- CISA Adds One Vulnerability To The KEV Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2025-0282 Ivanti Connect Secure Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/01/08/cisa-adds-one-vulnerability-kev-catalog
Malware
- Hackers Exploit KerioControl Firewall Flaw To Steal Admin CSRF Tokens
"Hackers are trying to exploit CVE-2024-52875, a critical CRLF injection vulnerability that leads to 1-click remote code execution (RCE) attacks in GFI KerioControl firewall product. KerioControl is a network security solution designed for small and medium-sized businesses that combines firewall, VPN, bandwidth management, reporting and monitoring, traffic filtering, AV protection, and intrusion prevention. On December 16, 2024, security researcher Egidio Romano (EgiX) published a detailed writeup on CVE-2024-52875, demonstrating how a seemingly low-severity HTTP response splitting problem could escalate to 1-click RCE."
https://www.bleepingcomputer.com/news/security/hackers-exploit-keriocontrol-firewall-flaw-to-steal-admin-csrf-tokens/
https://censys.com/cve-2024-52875/
https://viz.greynoise.io/tags/kerio-control-cve-2024-52875-crlf-injection-attempt?days=10
- Social Engineering In Action: How Fraudsters Exploit Trust With Fake Refund Schemes In The Middle East
"Fraudsters have devised a sophisticated social engineering scheme that has proven its effectiveness in deceiving customers in the Middle East into disclosing their credit card credentials. This scheme involves impersonating government officials to gain the trust of its victims and utilizing Remote Access Software to steal user’s sensitive data. The scam specifically targets individuals who have previously submitted commercial complaints to the government services portal, either through its website or mobile app, regarding products or services purchased from online merchants."
https://www.group-ib.com/blog/social-engineering-in-action/
https://www.infosecurity-magazine.com/news/fake-government-officials-rats/
https://hackread.com/scammers-impersonate-swipe-otps-remote-access-apps/
- Backdooring Your Backdoors - Another $20 Domain, More Governments
"After the excitement of our .MOBI research, we were left twiddling our thumbs. As you may recall, in 2024, we demonstrated the impact of an unregistered domain when we subverted the TLS/SSL CA process for verifying domain ownership to give ourselves the ability to issue valid and trusted TLS/SSL certificates for any .MOBI domain. This resulted in significant Internet-wide change, with Google petitioning the CAB Forum to wholly sunset the use of WHOIS for ownership validation when issuing CA-signed TLS/SSL certificates."
https://labs.watchtowr.com/more-governments-backdoors-in-your-backdoors/
https://www.bleepingcomputer.com/news/security/over-4-000-backdoors-hijacked-by-registering-expired-domains/
https://www.bankinfosecurity.com/blogs/abandoned-backdoors-how-malicious-infrastructure-lives-on-p-3790
https://cyberscoop.com/malicious-hackers-have-their-own-shadow-it-problem/
https://www.theregister.com/2025/01/08/backdoored_backdoors/
- Play Ransomware Attack Cases Detected By AhnLab EDR
"Play ransomware, also known as Balloonfly or PlayCrypt, was first identified in June 2022 and has reportedly attacked over 300 organizations worldwide since then. A notable characteristic of the ransomware, which remains actively in use, is its addition of the “.PLAY” extension to files following encryption. Like other ransomware threat actors, they steal information before encrypting systems to threaten victims and publish lists of attacked companies on their website."
https://asec.ahnlab.com/en/85580/
- Phish-Free PayPal Phishing
"As a CISO, I am always on high alert for phishing attempts, and this recent example immediately set off alarm bells. Most obviously, why am I even receiving this request? I don’t use my corporate email address in PayPal. Additionally, the To: address, “Billingdepartments1[@]gkjyryfjy876.onmicrosoft.com,” is not mine."
https://www.fortinet.com/blog/threat-research/phish-free-paypal-phishing
https://www.darkreading.com/threat-intelligence/unconventional-cyberattacks-take-over-paypal-accounts
https://www.infosecurity-magazine.com/news/scammers-exploit-microsoft365/
https://hackread.com/paypal-phishing-scam-exploits-ms365-genuine-emails/
- Japan Links Chinese Hacker MirrorFace To Dozens Of Cyberattacks Targeting Security And Tech Data
"Japan on Wednesday linked more than 200 cyberattacks over the past five years targeting the country’s national security and high technology data to a Chinese hacking group, MirrorFace, detailing their tactics and calling on government agencies and businesses to reinforce preventive measures. The National Police Agency said its analysis on the targets, methods and infrastructure of the cyberattacks by MirrorFace from 2019 to 2024 concluded they were systematic attacks linked to China with an aim of stealing data on Japanese national security and advanced technology. The targets of the Chinese government-led cyberattacks included Japan’s Foreign and Defense ministries, the country’s space agency and individuals including politicians, journalists, private companies and think tanks related to advanced technology, the NPA said."
https://www.securityweek.com/japan-links-chinese-hacker-mirrorface-to-dozens-of-cyberattacks-targeting-security-and-tech-data/
https://techcrunch.com/2025/01/08/japan-says-chinese-hackers-targeted-its-government-and-tech-companies-for-years/
- “Butcher Shop” Phishing Campaign Targets Legal, Government And Construction Firms
"Our research team has uncovered a new phishing campaign targeting legal, government and construction sectors, dubbed “Butcher Shop” (yes, Butcher Shop). In this blog post, we break down how this campaign works, why it’s worth paying attention to, and steps you can take to protect your organisation."
https://www.obsidiansecurity.com/blog/butcher-shop-phishing-campaign-targets-organizations/
https://thehackernews.com/2025/01/neglected-domains-used-in-malspam-to.html
- NonEuclid RAT
"At CYFIRMA, we provide cutting-edge intelligence on emerging cyber threats targeting organisations and individuals. The NonEuclid Remote Access Trojan (RAT) is a type of malicious software that enables unauthorised remote access and control of a victim’s computer, often without their awareness. This RAT, developed using C# and built for the .NET Framework 4.8, is designed to operate with minimal security checks, making it more difficult for security systems to detect and block its activities."
https://www.cyfirma.com/research/noneuclid-rat/
https://thehackernews.com/2025/01/researchers-expose-noneuclid-rat-using.html
- State-Aligned APT Groups Are Increasingly Deploying Ransomware – And That’s Bad News For Everyone
"There was a time when the boundary between cybercrime and state-aligned threat activity was rather easy to discern. Cybercriminals were fuelled solely by the profit motive. And their counterparts in the government carried out mainly cyberespionage campaigns, plus the occasional destructive attack, to further their employers’ geopolitical goals. However, in recent months, this line has begun to dissolve, including when it comes to ransomware, a trend also noted by ESET’s latest Threat Report. This has potentially major implications for IT and security leaders – not only increasing the risk of attack, but also changing the calculus around how to mitigate that risk."
https://www.welivesecurity.com/en/business-security/state-aligned-apt-groups-increasingly-deploying-ransomware/
Breaches/Hacks/Leaks
- PowerSchool Hack Exposes Student, Teacher Data From K-12 Districts
"Education software giant PowerSchool has confirmed it suffered a cybersecurity incident that allowed a threat actor to steal the personal information of students and teachers from school districts using its PowerSchool SIS platform. PowerSchool is a cloud-based software solutions provider for K-12 schools and districts that supports over 60 million students and over 18,000 customers worldwide. The company offers a full range of services to help school districts operate, including platforms for enrollment, communication, attendance, staff management, learning systems, analytics, and finance."
https://www.bleepingcomputer.com/news/security/powerschool-hack-exposes-student-teacher-data-from-k-12-districts/
https://databreaches.net/2025/01/08/powerschool-discloses-breach-affecting-hosted-and-self-hosted-school-k-12-districts/
https://therecord.media/education-software-hack-exposes-student-teacher-data
https://www.theregister.com/2025/01/09/powerschool_school_data/
- Ransomware Targeting Infrastructure Hits Telecom Namibia
"The telecommunications provider for the African nation of Namibia suffered a significant ransomware attack late last year, becoming a visible symbol of the merging of two trends in the region: increasing attacks on critical infrastructure and the growing threat of ransomware. Last month, Telecom Namibia alerted customers that a successful attack by the ransomware-as-a-service (RaaS) group Hunters International led to users' information being leaked online. The company is working with law enforcement agencies and third-party incident responders to uncover additional details, CEO Stanley Shanapinda said in a Dec. 16 statement."
https://www.darkreading.com/cyberattacks-data-breaches/ransomware-targeting-infrastructure-telecom-namibia
- Russian ISP Confirms Ukrainian Hackers "Destroyed" Its Network
"Ukrainian hacktivists, part of the Ukrainian Cyber Alliance group, announced on Tuesday they had breached Russian internet service provider Nodex's network and wiped hacked systems after stealing sensitive documents. "The Russian internet provider Nodex in St. Petersburg was completely looted and wiped. Data exfiltrated, while the empty equipment without backups was left to them," the Ukrainian hacktivists announced yesterday on Telegram. The hackers also shared screenshots of the Russian ISP's VMware, Veeam backup, and Hewlett Packard Enterprise virtual infrastructure they hacked during the breach."
https://www.bleepingcomputer.com/news/security/russian-isp-confirms-ukrainian-hackers-destroyed-its-network/
https://therecord.media/russian-internet-provider-says-network-destroyed-cyberattack
- Medical Billing Firm Medusind Discloses Breach Affecting 360,000 People
"Medusind, a leading billing provider for healthcare organizations, is notifying hundreds of thousands of individuals of a data breach that exposed their personal and health information more than a year ago, in December 2023. The Miami-based company operates 12 locations across the United States and India, and it also provides revenue cycle management services to over 6,000 healthcare providers, helping them reduce operating costs and maximize revenue."
https://www.bleepingcomputer.com/news/security/medical-billing-firm-medusind-discloses-breach-affecting-360-000-people/
General News
- Why An “all Gas, No Brakes” Approach For AI Use Won’t Work
"Machine learning and generative AI are changing the way knowledge workers do their jobs. Every company is eager to be “an AI company,” but AI can often seem like a black box, and the fear of security, regulatory and privacy risks can stymie innovation. Executives are under huge pressure to invest and prove ROI but often lack the proper guardrails and tools to ensure they can go through the process without legal or compliance concerns."
https://www.helpnetsecurity.com/2025/01/08/ai-gas-brakes-mindsets/
- Scaling Penetration Testing Through Smart Automation
"In this Help Net Security interview, Marko Simeonov, CEO of Plainsea, discusses how organizations can move beyond compliance-driven penetration testing toward a more strategic, risk-based approach. He explains how automation, human expertise, and continuous monitoring can transform penetration testing into a dynamic, business-critical process."
https://www.helpnetsecurity.com/2025/01/08/marko-simeonov-plainsea-penetration-testing-automation/
- Best Practices & Risks Considerations In LCNC And RPA Automation
"Technologies such as low-code/no-code (LCNC) and robotic process automation (RPA) have become fundamental in the digital transformation of companies. They continue to evolve and redefine software development, providing new possibilities for different organizations. This allows users with no programming experience — often called citizen developers — to create applications and automate processes, simplifying complex tasks and optimizing business operations."
https://www.darkreading.com/vulnerabilities-threats/best-practices-risks-considerations-lcnc-rpa-automation
- Protecting Web-Based Work
"The web browser has transformed significantly in recent years, becoming one of the most used tools for work today. However, as organizations adopt hybrid work models and cloud-based operations, securing this work tool has proved a challenge. Security infrastructures haven’t evolved as fast as the browser, making them prone to cyberattacks. With browsers being the primary gateway to the internet, any security lapse can lead to broad opportunities for significant data breaches and operational disruptions. Understanding the risks and implementing robust security measures is crucial for safeguarding the work we do today."
https://www.paloaltonetworks.com/blog/2025/01/protecting-web-based-work/
- Cybersecurity Funding Reached $9.5 Billion In 2024: Report
"Funding raised by cybersecurity firms increased to $9.5 billion last year amid a decrease in funding volume, a new report from cybersecurity recruitment firm Pinpoint Search Group shows. The company tracked 304 funding rounds in 2024, 16% fewer compared to the 346 tracked during the previous year, but the raised amount went up 9% year-over-year, from $8.7 billion in 2023. While the number of early-stage funding rounds dominated the year, accounting for 59% of the total funding volume, late-stage rounds, which accounted for only 16% of the total, represented more than half of the raised funds."
https://www.securityweek.com/cybersecurity-funding-reached-9-5-billion-in-2024-report/
- Insider Threat: Tackling The Complex Challenges Of The Enemy Within
"The insider threat is a simple term for a mammoth and complex problem. It ranges from national security through theft of corporate intellectual property to malicious harm and accidental incompetence. Here we concentrate on the malicious insider threat. This involves foreign agents, legitimate but malcontent staff, criminally-bribed employees, and more. Just as these threats are diverse, so are the possible solutions."
https://www.securityweek.com/insider-threat-tackling-the-complex-challenges-of-the-enemy-within/
- Rationalizing The Stack: The Case For Security Vendor Consolidation
"In recent years, tighter security budgets and macroeconomic headwinds have created a need to optimize security spend. In this fiscal environment, security teams find themselves being asked to identify areas in which spend can be optimized. In other words, where can the same or improved ends be achieved through reduced means? One important part of this endeavor involves identifying areas in which a smaller number of platform-based solutions can replace a larger number of point solutions. These point solutions were most often acquired over time as the enterprise environment evolved, grew, and became increasingly cumbersome and complex. This resulted in a proliferation of point solutions that not only tie up monetary resources for license fees, they also tie up monetary and human resources to operate and maintain over time."
https://www.securityweek.com/rationalizing-the-stack-the-case-for-security-vendor-consolidation/
- Top 5 Malware Threats To Prepare Against In 2025
"2024 had its fair share of high-profile cyber attacks, with companies as big as Dell and TicketMaster falling victim to data breaches and other infrastructure compromises. In 2025, this trend will continue. So, to be prepared for any kind of malware attack, every organization needs to know its cyber enemy in advance. Here are 5 common malware families that you can start preparing to counter right now."
https://thehackernews.com/2025/01/top-5-malware-threats-to-prepare.html
- Pall Mall Process To Tackle Commercial Hacking Proliferation Raises More Concerns Than Solutions
"A year on from the launch of the Pall Mall Process to tackle “the proliferation and irresponsible use” of commercial hacking tools, there are concerns among its participants that the initiative lacks the ability to actually change how these tools are traded and used. The market for what are formally called commercial cyber intrusion capabilities (CCICs) is growing, according to a consultation summary published by Pall Mall Process organizers Wednesday, which warned that the threats CCICs pose to national security and human rights “are expected to increase over the coming years.”"
https://therecord.media/pall-mall-process-commercial-hacking-concerns
References
Electronic Transactions Development Agency (ETDA) - Cyber Threats Rising: US Critical Infrastructure Under Increasing Attack In 2025