Cyber Threat Intelligence 30 January 2025
Financial Sector
- Preparing Financial Institutions For The Next Generation Of Cyber Threats
"In this Help Net Security interview, James Mirfin, SVP and Head of Risk and Identity Solutions at Visa, discusses key priorities for leaders combating fraud, the next-generation threats institutions must prepare for, and the role of collaboration between financial sectors and government agencies in countering cybercrime."
https://www.helpnetsecurity.com/2025/01/29/james-mirfin-visa-financial-institutions-threats/
Industrial Sector
- Threat Predictions For Industrial Enterprises 2025
"Innovations are changing our lives. Today, the world is on the threshold of another technical revolution. Access to new technologies is a ticket to the future, a guarantee of economic prosperity and political sovereignty. Therefore, many countries are looking for their way into the new technological order, investing in promising research and development in a variety of areas: AI and machine learning, quantum computing, optical electronics, new materials, energy sources and types of engines, satellites and telecommunications, genetics, biotechnology and medicine."
https://securelist.com/industrial-threat-predictions-2025/115327/
Vulnerabilities
- Critical Cacti Security Flaw (CVE-2025-22604) Enables Remote Code Execution
"A critical security flaw has been disclosed in the Cacti open-source network monitoring and fault management framework that could allow an authenticated attacker to achieve remote code execution on susceptible instances. The flaw, tracked as CVE-2025-22604, carries a CVSS score of 9.1 out of a maximum of 10.0. "Due to a flaw in the multi-line SNMP result parser, authenticated users can inject malformed OIDs in the response," the project maintainers said in an advisory released this week."
https://thehackernews.com/2025/01/critical-cacti-security-flaw-cve-2025.html
https://securityaffairs.com/173597/security/critical-rce-cacti-framework.html
- CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation, as confirmed by Fortinet.
CVE-2025-24085 Apple Multiple Products Use-After-Free Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/01/29/cisa-adds-one-known-exploited-vulnerability-catalog
https://securityaffairs.com/173622/hacking/us-cisa-adds-apple-products-flaw-known-exploited-vulnerabilities-catalog.html
- The Tainted Voyage: Uncovering Voyager's Vulnerabilities
"Voyager is a popular open-source PHP package designed to streamline the management of Laravel applications. It provides a pre-built, user-friendly admin interface and offers a range of features, such as BREAD operations, media management, user management, and more. With over 11,000 GitHub stars and millions of downloads, it has established itself as a reliable and widely-used solution in the Laravel community."
https://www.sonarsource.com/blog/the-tainted-voyage-uncovering-voyagers-vulnerabilities/
https://www.bleepingcomputer.com/news/security/laravel-admin-package-voyager-vulnerable-to-one-click-rce-flaw/
- Whatsup Gold, Observium And Offis Vulnerabilities
"Cisco Talos’ Vulnerability Research team recently disclosed three vulnerabilities in Observium, three vulnerabilities in Offis, and four vulnerabilities in Whatsup Gold. These vulnerabilities exist in Observium, a network observation and monitoring system; Offis DCMTK, a collection of libraries and applications implementing DICOM (Digital Imaging and Communications in Medicine) standard formats; and WhatsUp Gold, an IT infrastructure management product."
https://blog.talosintelligence.com/whatsup-gold-observium-offis-vulnerabilities/
- Noma Research Discovers RCE Vulnerability In AI-Development Platform, Lightning AI
"The fast-paced evolution of AI demands agility and innovation, but this “move fast and break things” approach comes with inherent risks. While MLOps platforms unlock tremendous opportunities, vulnerabilities within these systems can have far-reaching consequences, underscoring the critical need for comprehensive security controls throughout every stage of the AI development lifecycle. At Noma Security, our research team has collaborated with leading AI companies to identify and address common security risks that could expose sensitive user data. Our commitment to proactive security research aims to fortify the industry’s defenses and promote safer AI innovation. Our first blog will focus on one of the widely adopted AI-development tools, Lightning AI Studios."
https://noma.security/noma-research-discovers-rce-vulnerability-in-ai-development-platform-lightning-ai/
https://cyberscoop.com/lightningai-vulnerability-noma-cloud-phishing/
- Critical Vulnerabilities In Node.js Expose Systems To Remote Attacks
"A series of critical security vulnerabilities have been discovered in multiple versions of Node.js, a popular open-source JavaScript runtime used to build scalable network applications. These vulnerabilities, outlined in CERT-In Vulnerability Note CIVN-2025-0011, have been classified as high severity, with the potential to compromise sensitive information, disrupt services, and even execute arbitrary code. Users of Node.js, including developers and organizations relying on this platform, are urged to take immediate action to secure their systems."
https://cyble.com/blog/critical-vulnerabilities-in-node-js-expose-systems/
Malware
- UAC-0063: Cyber Espionage Operation Expanding From Central Asia
"Bitdefender Labs warns of an active cyber-espionage campaign targeting organizations in Central Asia and European countries. The group, tracked as UAC-0063, employs sophisticated tactics to infiltrate high-value targets, including government entities and diplomatic missions, expanding their operations into Europe. Since the start of the Ukraine war, the geopolitical landscape of Central Asia has undergone significant shifts, impacting the region's relationships with both Russia and China. Russia's influence, once dominant, has noticeably declined due to its actions in Ukraine, which have damaged its reputation as a regional security guarantor, with some Central Asian countries feeling that Russia doesn't respect their sovereignty."
https://www.bitdefender.com/en-us/blog/businessinsights/uac-0063-cyber-espionage-operation-expanding-from-central-asia
https://thehackernews.com/2025/01/uac-0063-expands-cyber-attacks-to.html
https://hackread.com/russian-uac-0063-europe-central-asia-advanced-malware/
- Active Exploitation Of Zero-Day Zyxel CPE Vulnerability (CVE-2024-40891)
"GreyNoise is observing active exploitation attempts targeting a zero-day critical command injection vulnerability in Zyxel CPE Series devices tracked as CVE-2024-40891. At this time, the vulnerability is not patched, nor has it been publicly disclosed. Attackers can leverage this vulnerability to execute arbitrary commands on affected devices, leading to complete system compromise, data exfiltration, or network infiltration. At publication, Censys is reporting over 1,500 vulnerable devices online. CVE-2024-40891 is very similar to CVE-2024-40890 (observed authentication attempts, observed command injection attempts), with the main difference being that the former is telnet-based while the latter is HTTP-based. Both vulnerabilities allow unauthenticated attackers to execute arbitrary commands using service accounts (supervisor and/or zyuser)."
https://www.greynoise.io/blog/active-exploitation-of-zero-day-zyxel-cpe-vulnerability-cve-2024-40891
https://thehackernews.com/2025/01/zyxel-cpe-devices-face-active.html
https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-unpatched-flaw-in-zyxel-cpe-devices/
https://www.darkreading.com/endpoint-security/unpatched-zyxel-cpe-zero-day-cyberattackers
https://www.securityweek.com/new-zyxel-zero-day-under-attack-no-patch-available/
https://www.helpnetsecurity.com/2025/01/29/zyxel-cpe-devices-under-attack-vulnerability-cve-2024-40891/
https://securityaffairs.com/173589/hacking/zyxel-cpe-series-devices-cve-2024-40891-exploited.html
- Threat Actors Exploit Government Website Vulnerabilities For Phishing Campaigns
"Cofense Intelligence has continually observed the abuse or usage of legitimate domain service exploitation. This report highlights observed phishing threat actor abuse of .gov top-level domains (TLDs) for different countries over two years from November 2022 to November 2024. Threat actors regularly abuse legitimate domains for malicious purposes such as hosting files or credential phishing, serving as a command and control (C2), or being used to redirect to a malicious page owned by the threat actor. Unfortunately, .gov domains are no exception to this abuse, although they appear to be abused less frequently than other domains."
https://cofense.com/blog/threat-actors-exploit-government-website-vulnerabilities-for-phishing-campaigns
https://www.infosecurity-magazine.com/news/threat-actors-exploit-gov-websites/
- Researchers Uncover Lazarus Group Admin Layer For C2 Servers
"An ongoing investigation into recent attacks by North Korea's Lazarus group on cryptocurrency entities and software developers worldwide has uncovered a hidden administrative layer that the threat actor has been using to centrally manage the campaign's command-and-control (C2) infrastructure. The investigation by researchers at SecurityScorecard showed Lazarus using the newly discovered infrastructure to maintain direct oversight over compromised systems, control payload delivery on them, and efficiently manage exfiltrated data. Significantly, the threat actor is using the same Web-based admin platform in other campaigns, including one involving the impersonation of IT workers, the security vendor found."
https://www.darkreading.com/cyberattacks-data-breaches/researchers-uncover-lazarus-admin-layer-c2-servers
https://securityscorecard.com/wp-content/uploads/2025/01/Operation-Phantom-Circuit-Report_012725_03.pdf
https://thehackernews.com/2025/01/lazarus-group-uses-react-based-admin.html
https://www.theregister.com/2025/01/29/lazarus_groups_supply_chain_attack/
- Active Exploitation: New Aquabot Variant Phones Home
"Aquabot is a botnet that was built off the Mirai framework with the ultimate goal of distributed denial of service (DDoS). Its name is derived from the filename present in the analysis: “Aqua.” It has been known since November 2023 and first reported on by Antiy Labs. There are currently three known versions; we are introducing the third in this blog post. The first version was very similar to Mirai’s base framework, and the second version tacked on concealment and persistence mechanisms, such as preventing device shutdown and restart. For a full technical analysis, we recommend reading Antiy’s write-up."
https://www.akamai.com/blog/security-research/2025-january-new-aquabot-mirai-variant-exploiting-mitel-phones
https://www.darkreading.com/endpoint-security/mirai-variant-aquabot-exploits-mitel-phone-flaws
https://www.bleepingcomputer.com/news/security/new-aquabotv3-botnet-malware-targets-mitel-command-injection-flaw/
https://www.securityweek.com/aquabot-botnet-targeting-vulnerable-mitel-phones/
https://securityaffairs.com/173607/breaking-news/aquabot-variant-v3-targets-mitel-sip-phones.html
https://www.theregister.com/2025/01/29/ddos_attacks_aquabot_mitel/
- DeepSeek’s Popularity Exploited By Malware Peddlers, Scammers
"As US-based AI companies struggle with the news that the recently released Chinese-made open source DeepSeek-R1 reasoning model performs as well as theirs for a fraction of the cost, users are rushing to try out DeepSeek’s AI tool. In the process, they have pushed it to the top of the list of most popular iOS and Android apps."
https://www.helpnetsecurity.com/2025/01/29/deepseek-popularity-exploited-malware-scams/
- Nation-State Hackers Abuse Gemini AI Tool
"Nation-state threat actors are frequently abusing Google’s generative AI tool Gemini to support their malicious cyber operations. An analysis by the Google Threat Intelligence Group (GTIG) highlighted that APT groups from Iran, China, Russia and North Korea are using the large language model (LLM) for a wide range of malicious activity. Tasks primarily revolve around research, vulnerability exploitation, malware development and creating and localizing content like phishing emails."
https://www.infosecurity-magazine.com/news/nation-state-abuse-gemini-ai/
- How Interlock Ransomware Infects Healthcare Organizations
"Ransomware attacks have reached an unprecedented scale in the healthcare sector, exposing vulnerabilities that put millions at risk. Recently, UnitedHealth revealed that 190 million Americans had their personal and healthcare data stolen during the Change Healthcare ransomware attack, a figure that nearly doubles the previously disclosed total. This breach shows just how deeply ransomware can infiltrate critical systems, leaving patient trust and care hanging in the balance."
https://thehackernews.com/2025/01/how-interlock-ransomware-infects.html
- CL-STA-0048: An Espionage Operation Against High-Value Targets In South Asia
"We identified a cluster of activity that we track as CL-STA-0048. This cluster targeted high-value targets in South Asia, including a telecommunications organization. This activity cluster used rare tools and techniques including the technique we call Hex Staging, in which the attackers deliver payloads in chunks. Their activity also includes exfiltration over DNS using ping, and abusing the SQLcmd utility for data theft. Based on an analysis of the tactics, techniques and procedures (TTPs), as well as the tools used, the infrastructure and the victimology, we assess with moderate-high confidence that this activity originates in China."
https://unit42.paloaltonetworks.com/espionage-campaign-targets-south-asian-entities/
Breaches/Hacks/Leaks
- South Africa’s Government-Run Weather Service Knocked Offline By Cyberattack
"A cyberattack has forced the government-run South African Weather Service (SAWS) offline, limiting access to a critical service used by the country’s airlines, farmers and allies. The website for SAWS has been down since Sunday evening, according to a statement posted to social media. SAWS has had to use Facebook, X and other sites to share daily information on thunderstorms, wildfires and other weather events. SAWS said its Information and Communication Technology (ICT) systems went down “following a security breach by criminal elements.”"
https://therecord.media/south-african-weather-service-cyberattack
- Solana Pump[.]fun Tool DogWifTool Compromised To Drain Wallets
"Hackers have compromised the Windows version of the DogWifTools software for promoting meme coins on the Solana blockchain in a supply-chain attack that drained users' wallets. The developers claim that a malicious threat actor compromised the project's private GitHub repository after reverse engineering the software to extract a GitHub token. The maintainers of the platform said on the official Discord channel that the threat actor gained access to the GitHub repository and trojanized DogWifTools versions 1.6.3 through 1.6.6. DogWifTools is a platform that assists developers in launching and promoting meme coins on the Solana blockchain. It offers volume automation, bundling, comment bots to boost engagement, and high activity simulation to help tokens trend on Pump[.]fun."
https://www.bleepingcomputer.com/news/security/solana-pumpfun-tool-dogwiftool-compromised-to-drain-wallets/
- Wiz Research Uncovers Exposed DeepSeek Database Leaking Sensitive Information, Including Chat History
"Wiz Research has identified a publicly accessible ClickHouse database belonging to DeepSeek, which allows full control over database operations, including the ability to access internal data. The exposure includes over a million lines of log streams containing chat history, secret keys, backend details, and other highly sensitive information. The Wiz Research team immediately and responsibly disclosed the issue to DeepSeek, which promptly secured the exposure. In this blog post, we will detail our discovery and also consider the broader implications for the industry at large."
https://www.wiz.io/blog/wiz-research-uncovers-exposed-deepseek-database-leak
https://www.theregister.com/2025/01/30/deepseek_database_left_open/
- Wacom Says Crooks Probably Swiped Customer Credit Cards From Its Online Checkout
"Graphics tablet maker Wacom has warned customers their credit card details may well have been stolen by miscreants while they were buying stuff from its website. We're told people's payment information was likely pilfered from the biz's online store between the end of November and early January, and that if you get a message from Wacom about this then consider yourself affected. If not, don't worry about it for now. "While we are still investigating," the Japan-based manufacturer told punters in an email seen by The Register today, "we believe it may have occurred between November 28, 2024 and January 8, 2025.""
https://www.theregister.com/2025/01/30/wacom_data_loss/
General News
- Data Privacy Day 2025: Time For Data Destruction To Become Standard Business Practice
"Compliance standards are shining new light on the need to better control and protect data. There are a multitude of different ways to implement a data protection and security strategy, but most organizations would admit that destroying data is not one typically prioritized. As well as good business and cyber process, there are also data privacy regulations which mandate the deletion of data, such as the “right to be forgotten” under GDPR. Organizations need to be of the mindset that they both could and should be reducing their data estate as a part of normal business and compliance operations."
https://www.darkreading.com/data-privacy/data-privacy-day-2025-time-for-data-destruction-to-become-standard-business-practice
- Only 13% Of Organizations Fully Recover Data After a Ransomware Attack
"Ransomware attacks are disrupting and undermining business operations and draining revenue streams, according to Illumio. Findings from the study reveal that 58% of organizations had to shut down operations following a ransomware attack, up from 45% in 2021. 40% reported a significant loss of revenue (up from 22% in 2021); 41% lost customers; and 40% had to eliminate jobs."
https://www.helpnetsecurity.com/2025/01/29/ransomware-attacks-business-operations-disruption/
- 4 Trends In Software Supply Chain Security
"Some of the biggest and most infamous cyberattacks of the past decade were caused by a security breakdown in the software supply chain. SolarWinds was probably the most well-known, but it was not alone. Incidents against companies like Equifax and tools like MOVEit also wreaked havoc for organizations and customers whose sensitive information was compromised. Expect to see more software supply chain attacks moving forward. According to ReversingLabs’ The State of Software Supply Chain Security 2024 study, attacks against the software supply chain are getting easier and more ubiquitous."
https://securityintelligence.com/articles/4-trends-in-software-supply-chain-security/
- How Cyberattacks On Grocery Stores Could Threaten Food Security
"Grocery store shoppers at many chains recently ran into an unwelcome surprise: empty shelves and delayed prescriptions. In early November, Ahold Delhaize USA was the victim of a cyberattack that significantly disrupted operations at more than 2,000 stores, including Hannaford, Food Lion and Stop and Shop. Specific details of the nature of the attack have not yet been publicly released. Because the attack affected many digital systems, some stores were not able to accept credit/debit cards, while others had to shut down online ordering. Additionally, Hannaford’s website was offline for several days. Food supply issues have lasted several weeks in some cases, especially in the New England area, illustrating the impact cyberattacks have on people’s everyday lives."
https://securityintelligence.com/articles/how-cyberattacks-on-grocery-stores-could-threaten-food-security/
- Scores Of Critical UK Government IT Systems Have Major Security Holes
"The UK government’s spending watchdog has raised grave concerns about the cyber-resilience of critical IT systems across departments, highlighting major gaps in system controls and visibility. The warnings came from the National Audit Office (NAO) in its Government cyber resilience report published today. It revealed that a 2024 assessment by the government’s new cyber assurance scheme, GovAssure, found that 58 critical departmental IT systems had “significant” gaps in cyber resilience, creating “extremely high” risk."
https://www.infosecurity-magazine.com/news/scores-critical-government-it/
- FBI Seizes Cracked[.]io, Nulled[.]to Hacking Forums In Operation Talent
"The FBI has seized the domains for the infamous Cracked[.]io and Nulled[.]to hacking forums, which are known for their focus on cybercrime, password theft, cracking, and credential stuffing attacks. While some of their members also engaged in ethical hacking discussions, the sites were widely regarded as a hub for cybercriminal activity. They also hosted content related to software cracks, hacking tools like "configs" used by credential stuffing attack tools (e.g., OpenBullet and SilverBullet), and other illicit activities, including a "combo lists" marketplace with stolen credentials or databases."
https://www.bleepingcomputer.com/news/security/fbi-seizes-crackedio-nulledto-hacking-forums-in-operation-talent/
https://cyberscoop.com/fbi-seized-cracked-nulled-sellix-cybercriminal-forum/
https://hackread.com/fbi-seizes-hacking-forums-cracked-to-nulled-to/
- The Old Ways Of Vendor Risk Management Are No Longer Good Enough
"In June 2023, the MOVEit supply chain attack served as a harsh reminder of the vulnerabilities in our software-as-a-service (SaaS) ecosystem. Third-party risk management (TPRM) in today's world of SaaS applications is no longer just about ticking boxes on a checklist. The old methods, with their static questionnaires and outdated ISO 27001 and System and Organization Controls (SOC) — SOC 1, SOC 2, and SOC 3 — reports are simply not efficient anymore. With cyber threats, such as supply chain attacks and third-party integration exploits, becoming more sophisticated, organizations need a dynamic approach to managing SaaS vendors. Embracing automation, real-time visibility, and targeted assessments are crucial steps to stay ahead of potential risks."
https://www.darkreading.com/vulnerabilities-threats/old-ways-vendor-risk-management-no-longer-good-enough
- AI Surge Drives Record 1205% Increase In API Vulnerabilities
"AI-driven API vulnerabilities have skyrocketed by 1205% in the past year. The figures come from the 2025 API ThreatStats Report by Wallarm, which highlights how AI has become the biggest driver of API security threats, with nearly 99% of AI-related vulnerabilities tied to API flaws. The study also found that 57% of AI-powered APIs were accessible externally, while 89% lacked secure authentication. Only 11% implemented robust security measures."
https://www.infosecurity-magazine.com/news/ai-surge-record-1205-increase-api/
https://www.wallarm.com/reports/2025-api-security-report
- Racing The Clock: Outpacing Accelerating Attacks
"2024 was the year cyber threats got quicker. Cyber attackers really picked up the pace, executing faster, more efficient breaches that pushed traditional defenses to their limits. Our research reveals 2024 saw a 22% increase in attack speed compared to 2023, with the fastest incident achieving lateral movement in just 27 minutes. This quicker infiltration leaves organizations with even less time to respond, making automated defenses crucial in matching—and surpassing—the speed of adversaries."
https://www.reliaquest.com/blog/racing-the-clock-outpacing-accelerating-attacks/
https://www.infosecurity-magazine.com/news/breakout-time-accelerates-22/
- Cyber Insights 2025: Artificial Intelligence
"Cyber Insights 2025 examines expert opinions on the expected evolution of more than a dozen areas of cybersecurity interest over the next 12 months. We spoke to hundreds of individual experts to gain their expert opinions. Here we discuss what to expect with Artificial Intelligence. Artificial intelligence burst into public consciousness in November 2022 when OpenAI made ChatGPT available over the internet. ChatGPT is a specialized form of machine learning (ML) known as a generative pre-trained transformer (GPT) working with a large language model (LLM). The bottom line is that a user can interact with the AI using natural language and receive output delivered in natural language."
https://www.securityweek.com/cyber-insights-2025-artificial-intelligence/
References
Electronic Transactions Development Agency (ETDA)