Cyber Threat Intelligence 29 January 2025
Industrial Sector
- Rockwell Automation FactoryTalk
"Successful exploitation of these vulnerabilities could allow an attacker to execute code on the device with elevated privileges."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-028-03
- Schneider Electric Power Logic
"Successful exploitation of these vulnerabilities could allow an attacker to modify data or cause a denial-of-service condition on web interface functionality."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-028-02
- Rockwell Automation DataMosaix Private Cloud
"Successful exploitation of these vulnerabilities could overwrite reports, including user projects."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-028-05
- Schneider Electric RemoteConnect And SCADAPack x70 Utilities
"Successful exploitation of this vulnerability could lead to loss of confidentiality, integrity, and potential remote code execution on workstation when a non-admin authenticated user opens a malicious project file."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-028-06
- B&R Automation Runtime
"Successful exploitation of this vulnerability could allow an attacker to masquerade as legitimate services on impacted devices."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-028-01
- Rockwell Automation FactoryTalk
"Successful exploitation of these vulnerabilities could allow an attacker to gain unauthenticated access to system configuration files and execute DLLs with elevated privileges."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-028-04
New Tooling
- BloodyAD: Open-Source Active Directory Privilege Escalation Framework
"BloodyAD is an open-source Active Directory privilege escalation framework that uses specialized LDAP calls to interact with domain controllers. It enables various privilege escalation techniques within Active Directory environments."
https://www.helpnetsecurity.com/2025/01/28/bloodyad-active-directory-privilege-escalation/
https://github.com/CravateRouge/bloodyAD
Vulnerabilities
- VMware Warns Of High-Risk Blind SQL Injection Bug In Avi Load Balancer
"Virtualization technology giant VMware on Tuesday issued an urgent alert for a blind SQL injection flaw in its Avi Load Balancer, warning that attackers would exploit the issue to gain broader database access. The vulnerability, tracked as CVE-2025-22217, carries a CVSS severity score of 8.6/10. The company described the security defect as an unauthenticated blind SQL Injection vulnerability and urged enterprise admins to apply available patches urgently as there are no pre-patch workarounds. A high-risk bulletin from VMware warned that “a malicious user with network access may be able to use specially crafted SQL queries to gain database access.”"
https://www.securityweek.com/vmware-warns-of-high-risk-blind-sql-injection-bug-in-avi-load-balancer/
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25346
https://securityaffairs.com/173569/security/vmware-fixed-avi-load-balancer-flaw.html
- (Non-US) :: DSL-3788 :: H/W Rev. Ax/Bx :: F/W v1.01R1B036_EU_EN :: Unauthenticated Remote Code Execution (RCE) Vulnerability
"On November 25, 2024, a third party, from SECURE NETWORK BVTECH, reported the D-Link DSL-3788 hardware revision B2 with firmware version vDSL-3788_fw_revA1_1.01R1B036_EU_EN or below, of an Unauthenticated Remote Code Execution (RCE) vulnerability. When D-Link became aware of the reported security issues, we promptly started investigating and developing security patches. Patches were released within 90 days of the report of the vulnerabilities. D-Link takes network security and user privacy very seriously. We have a dedicated task force and product management team on call to address evolving security issues and implement appropriate security measures."
https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10418
- New Apple CPU Side-Channel Attacks Steal Data From Browsers
"A team of security researchers has disclosed new side-channel vulnerabilities in modern Apple processors that could steal sensitive information from web browsers. The Georgia Institute of Technology and Ruhr University Bochum researchers, who presented another attack dubbed 'iLeakage' in October 2023, presented their new findings in two separate papers, namely FLOP and SLAP, which show distinct flaws and ways to exploit them. The flaws stem from faulty speculative execution implementation, the underlying cause of notorious attacks like Spectre and Meltdown."
https://www.bleepingcomputer.com/news/security/new-apple-cpu-side-channel-attack-steals-data-from-browsers/
https://arstechnica.com/security/2025/01/newly-discovered-flaws-in-apple-chips-leak-secrets-in-safari-and-chrome/
https://www.theregister.com/2025/01/29/flop_and_slap_attacks_apple_silicon/
- Actively Exploited Fortinet Zero-Day Gives Attackers Super-Admin Privileges
"Fortinet has patched an actively exploited zero-day authentication bypass flaw affecting its FortiOS and FortiProxy products, which attackers have been exploiting to gain super-administrative access to devices to conduct nefarious activities, including breaching corporate networks. Fortinet characterized the flaw, rated as critical and tracked as CVE-2024-55591 (CVSS 9.6), as an "authentication bypass using an alternate path or channel vulnerability" that "may allow a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module," according to a FortiGuard Labs security advisory last week."
https://www.darkreading.com/cloud-security/actively-exploited-fortinet-zero-day-attackers-super-admin-privileges
- New Cookie Sandwich Technique Allows Stealing Of HttpOnly Cookies
"The “Cookie Sandwich Attack” showcases a sophisticated way of exploiting inconsistencies in cookie parsing by web servers. This technique allows attackers to manipulate HTTP cookie headers to expose sensitive session cookies, including those marked with the HttpOnly flag, making it possible to access restricted data through client-side scripts. By combining legacy cookie standards, special characters, and browser behavior, this attack represents a critical threat to poorly configured web applications."
https://gbhackers.com/new-cookie-sandwich-technique-allows-stealing-of-httponly-cookies/
Malware
- Arctic Wolf Observes Campaign Exploiting SimpleHelp RMM Software For Initial Access
"On 22 January 2025, Arctic Wolf began observing a campaign involving unauthorised access to devices running SimpleHelp RMM software as an initial access vector. Roughly a week prior to the emergence of this campaign, several vulnerabilities had been publicly disclosed in SimpleHelp by Horizon3 (CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728). On affected SimpleHelp servers, these vulnerabilities could allow threat actors to download arbitrary files, upload arbitrary files as an administrative user, and escalate privileges to administrative users."
https://arcticwolf.com/resources/blog-uk/arctic-wolf-observes-campaign-exploiting-simplehelp-rmm-software-initial-access/
https://www.bleepingcomputer.com/news/security/hackers-exploiting-flaws-in-simplehelp-rmm-to-breach-networks/
- Phorpiex - Downloader Delivering Ransomware
"Cybereason Security Services issues Threat Analysis reports to inform on impacting threats. The Threat Analysis reports investigate these threats and provide practical recommendations for protecting against them. In this Threat Analysis report, Cybereason Security Services investigate the Phorpiex botnet which is then able to deliver LockBit Black Ransomware (aka LockBit 3.0)."
https://www.cybereason.com/blog/threat-analysis-phorpiex-downloader
- New TorNet Backdoor Seen In Widespread Campaign
"The intrusions start with a phishing email as the initial infection vector. The actor is impersonating financial institutions and manufacturing and logistics companies by sending fake money transfer confirmations and fake order receipts, respectively. The phishing emails are predominantly written in Polish and German, indicating the actor’s intent to primarily target users in those countries. We also found some phishing email samples from the same campaign written in English. We assess with medium confidence that the actor is financially motivated, based on the phishing email themes and the filenames of the email attachments."
https://blog.talosintelligence.com/new-tornet-backdoor-campaign/
https://thehackernews.com/2025/01/purecrypter-deploys-agent-tesla-and-new.html
https://hackread.com/tornet-backdoor-exploits-tor-network-phishing-attack/
https://www.helpnetsecurity.com/2025/01/28/tornet-tor-backdoor-infostealers/
- Malware Alert: Fake Judicial Review Emails Deliver SapphireRAT Targeting Latin American Victims
"The Cofense Phishing Defense Center (PDC) has discovered a new wave of sophisticated attacks that leverage judicial receipts for legal processes with multiple-layer techniques to distribute and execute SapphireRAT. The threat is particularly focused on organizations across Latin America, where threat actors are targeting industries with valuable data or critical infrastructure. The attack’s complexity lies in its ability to bypass traditional security measures, including email filtering and antivirus solutions, by disguising itself as legitimate communication related to legal matters."
https://cofense.com/blog/malware-alert-fake-judicial-review-emails-deliver-sapphirerat-targeting-latin-american-victims
- API Supply Chain Attacks — The Sky's The Limit
"Salt Labs has identified an account takeover vulnerability in a popular online top-tier travel service for hotel and car rentals. The service is integrated into dozens of commercial airline online services and allows airline users to add hotel bookings to their airline itinerary. By exploiting this flaw, attackers can gain unauthorized access to any user’s account within the system, effectively allowing them to impersonate the victim and perform an array of actions on their behalf — including booking hotels and car rentals using the victim's airline loyalty points, canceling or editing booking information, and more."
https://salt.security/blog/api-supply-chain-attacks---the-skys-the-limit
https://thehackernews.com/2025/01/oauth-redirect-flaw-in-airline-travel.html
https://www.darkreading.com/application-security/oauth-flaw-exposed-millions-airline-users-account-takeovers
https://www.infosecurity-magazine.com/news/api-supply-chain-attacks-millions/
- Phishing Campaign Baits Hook With Malicious Amazon PDFs
"Researchers are highlighting the rise of a new phishing tactic: a campaign that uses PDF documents to trick victims by announcing expired Amazon Prime memberships. Users are targeted by email and, after clicking on the PDFs, are taken to pages that impersonate Amazon, where they are urged to input their personal details and credit card information. The researchers at Palo Alto Networks Unit42 who discovered the campaign have collected 31 PDF files with links to these phishing sites, none of which had been submitted to VirusTotal."
https://www.darkreading.com/cyberattacks-data-breaches/phishing-campaign-malicious-amazon-pdfs
https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-01-24-IOCs-for-phishing-campaign-impersonating-amazon.txt
- Cat’s Out Of The Bag: Lynx Ransomware-As-a-Service
"Ransomware remains one of the most profitable cyberthreats, with new variants and business models evolving faster than many organizations can respond. Fueled by the expansion of Ransomware-as-a-Service (RaaS), the proliferation of stolen data on Dedicated Leak Sites (DLS), and the rise of affiliate-driven operations, these attacks have become both more pervasive and more sophisticated. The Lynx RaaS group stands out for its highly organized platform, structured affiliate program, and robust encryption methods. In this blog, we provide an exclusive look at Lynx’s affiliate panel, internal communications, and technical arsenal, revealing how this criminal ecosystem orchestrates ransomware attacks and manages victims."
https://www.group-ib.com/blog/cat-s-out-of-the-bag-lynx-ransomware/
https://www.darkreading.com/threat-intelligence/lynx-raas-group-industrializes-cybercrime-with-affiliate-operations
https://www.infosecurity-magazine.com/news/lynx-ransomware-sophisticated/
- GitHub’s Dark Side: Unveiling Malware Disguised As Cracks, Hacks, And Crypto Tools
"Video game hacks, cracked software, and free crypto tools remain popular bait for malware authors. Recently, McAfee Labs uncovered several GitHub repositories offering these tempting “rewards,” but a closer look reveals something more sinister. As the saying goes, if it seems too good to be true, it probably is. GitHub is often exploited for malware distribution due to its accessibility, trustworthiness, and developer-friendly features. Attackers can easily create free accounts and host repositories that appear legitimate, leveraging GitHub’s reputation to deceive users."
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/githubs-dark-side-unveiling-malware-disguised-as-cracks-hacks-and-crypto-tools/
https://hackread.com/lumma-stealer-github-fake-crypto-tools-game-mods/
- Unmasking FleshStealer: A New Infostealer Threat In 2025
"Last year, information-stealing malware infected over 18 million devices, resulting in the exposure and sale of over 2.4 billion compromised credentials. This sensitive data—including login and account data, financials, and a gamut of personally identifiable information (PII)—allowed threat actors to carry out crippling ransomware attacks and numerous high-profile data breaches."
https://flashpoint.io/blog/fleshstealer-infostealer-threat-2025/
Breaches/Hacks/Leaks
- Engineering Giant Smiths Group Discloses Security Breach
"London-based engineering giant Smiths Group disclosed a security breach after unknown attackers gained access to the company's systems. Smiths is a British multinational listed on the London Stock Exchange that employs more than 15,000 people in over 50 countries. It also provides products to customers in the energy, safety, security, aerospace, and defense markets and reported £3,132 million in revenue last year."
https://www.bleepingcomputer.com/news/security/engineering-giant-smiths-group-discloses-security-breach/
- Hackers Claim 2nd Breach At HP Enterprise, Plan To Sell Access
"IntelBroker targets Hewlett-Packard Enterprise (HPE) again, claiming to have access to the company’s internal infrastructure and the possibility of selling access rather than selling data. IntelBroker, a notorious hacker linked to prior high-profile cyberattacks, has announced an alleged new data breach of Hewlett-Packard Enterprise (HPE). The hacker claims to have accessed and cloned new data from HPE’s repositories."
https://hackread.com/hackers-claim-2nd-breach-hp-enterprise-sell-access/
- ENGlobal Says Personal Information Accessed In Ransomware Attack
"Energy sector contractor ENGlobal Corporation has confirmed that personal information was compromised during a November 2024 ransomware attack. The incident occurred on November 25 and resulted in ENGlobal taking certain systems offline as a containment measure, leaving access to only essential business operations available. In early December, the company informed the US Securities and Exchange Commission (SEC) that certain data on its systems had been encrypted during the attack, but made no mention of any data theft."
https://www.securityweek.com/englobal-says-personal-information-accessed-in-ransomware-attack/
https://therecord.media/englobal-ransomware-attack-six-weeks-disruption
https://securityaffairs.com/173566/cyber-crime/englobal-disclosed-a-ransomware-attack.html
https://www.infosecurity-magazine.com/news/englobal-attack-sensitive-data/
- Texas Utility Firm Investigating Potential Leak Of Customer Data Tied To 2023 MOVEit Breach
"A large Texas energy company confirmed it is investigating reports of stolen customer data that has been published on a cybercriminal forum after it was allegedly taken during a 2023 breach. CenterPoint Energy told Recorded Future News that it is aware of reports that customer data has been leaked after researchers uncovered a cybercriminal forum post with the information. “Based on our investigation, we believe this data was obtained from a third-party vendor’s system,” a spokesperson for CenterPoint Energy said. “We have no reason to believe that our network was compromised in connection with this issue.”"
https://therecord.media/texas-utility-firm-investigating-potential-data-leak-moveit-breach
- Baguette Bandits Strike Again With Ransomware And a Side Of Mockery
"Hellcat, the ransomware crew that infected Schneider Electric and demanded $125,000 in baguettes, has aggressively targeted government, education, energy, and other critical industries since it emerged around mid-2024. Like many of the emerging cybercrime organizations, Hellcat uses a ransomware-as-a-service business model, offering infrastructure, encryption tools, and other malware to affiliates in exchange for a portion of the profits. Its primary operators seem to be high-ranking BreachForums members [PDF]."
https://www.theregister.com/2025/01/28/baguettes_bandits_strike_again/
General News
- Global Cybersecurity Outlook 2025
"Following decades of relative stability, the world today is marked by increased geopolitical conflicts. The fallout of this turbulence in the digital realm – the growing prowess of cybercriminals, rapid advances in emerging technologies and widening cyber capabilities – have led to a cyberspace that is more complex than ever before. Against this backdrop, the Global Cybersecurity Outlook serves as an indispensable tool to help leaders navigate such complexity and identify essential actions to build resilient ecosystems."
https://www.weforum.org/publications/global-cybersecurity-outlook-2025/in-full/
https://reports.weforum.org/docs/WEF_Global_Cybersecurity_Outlook_2025.pdf
https://blog.barracuda.com/2025/01/27/cybersecurity-skills-gap-widens-again
- Mega-Breaches Bump Up 2024 Victim Count
"The number of U.S. organizations year-over-year falling victim to a data breach appears to be holding steady, a number that masks a growing number of victims affected by mega-breaches. An annual tally of breach data printed Tuesday by the nonprofit Identity Theft Resource Center counted 3,158 reported data breaches in 2024, down just 1% from 2023. But while the number of known breaches has remained flat, breach notices issued to U.S. victims increased three-fold from 2023, reaching 1.7 billion notifications, largely tied to six incidents. They included an incident at Ticketmaster that resulted in 560 million notifications and a separate breach of Advanced Auto Parts, which triggered 380 million notifications."
https://www.bankinfosecurity.com/mega-breaches-bump-up-2024-victim-count-a-27382
https://www.idtheftcenter.org/publication/2024-data-breach-report/
https://www.infosecurity-magazine.com/news/mega-data-breaches-us-victim-17/
- Reporting a Breach Or Vuln? Be Sure Your Lawyer's On Call
"While disclosure of software vulnerabilities and data breaches has become more accepted over the past three decades, researchers and whistleblowers continue to risk lawsuits and criminal charges depending on the country in which they live. In April 2022, for example, police in Istanbul arrested independent Turkish journalist İbrahim Haskoloğlu after he revealed details of a breach of government data in Turkey. The country's ruling party has since proposed a law to make the false reporting of a data breach a crime punishable by two to five years in prison — a law that critics say will prevent disclosure of real data breaches."
https://www.darkreading.com/cyber-risk/security-researchers-whistleblowers-face-crackdowns-globally
- Cryptographic Agility's Legislative Possibilities & Business Benefits
"One of cybersecurity's major pitfalls is assuming that risks will always stay the same. Failing to consider emerging threats has caused detriment in the security field. When varied threats already exist that are time-tested and successful, like ransomware, phishing, or business email compromise, security professionals often don't consider that new risks arise daily."
https://www.darkreading.com/vulnerabilities-threats/cryptographic-agility-legislative-possibilities-benefits
- 58% Of Ransomware Victims Forced To Shut Down Operations
"Over half (58%) of organizations hit by ransomware in 2024 were forced to shut down operations in order to recover, according to a new report by the Ponemon Institute. This represents a significant increase from the previous Global Cost of Ransomware Study by Ponemon from 2021, which found that 45% of ransomware victims shut down operations as a consequence of the attack. The new report emphasized the growing impact ransomware attacks are having on victims’ revenue and reputations."
https://www.infosecurity-magazine.com/news/ransomware-victims-shut-operations/
- How Long Does It Take Hackers To Crack Modern Hashing Algorithms?
"While passwords remain the first line of defense for protecting user accounts against unauthorized access, the methods for creating strong passwords and protecting them are continually evolving. For example, NIST password recommendations are now prioritizing password length over complexity. Hashing, however, remains a non-negotiable. Even long secure passphrases should be hashed to prevent them from being completely exposed in the event of a data breach – and never stored in plaintext."
https://thehackernews.com/2025/01/how-long-does-it-take-hackers-to-crack.html
- Report: Almost Half Of State Consumer Privacy Laws Fail To Protect Individuals’ Data
"Nearly half of state consumer privacy laws fail to adequately protect individuals’ data and have made consumer protections weaker than they were before the laws were passed, according to a report released Tuesday. Of 19 states with data privacy laws, eight failed an assessment conducted by two leading advocacy groups, the Electronic Privacy Information Center (EPIC) and U.S. PIRG Education Fund. “Many of these ‘privacy laws’ protect privacy in name only,” Caitriona Fitzgerald, deputy director of EPIC, said in a statement. “In effect, they allow companies to continue hoarding our personal data and using it for whatever purposes they want.”"
https://therecord.media/state-consumer-privacy-laws-failing-to-protect-data
References
Electronic Transactions Development Agency (ETDA)