Cyber Threat Intelligence 31 January 2025
Healthcare Sector
- Contec Health CMS8000 Patient Monitor
"Successful exploitation of these vulnerabilities could allow an attacker to remotely send specially formatted UDP requests or connect to an unknown external network that would allow them to write arbitrary data, resulting in remote code execution. The device may also leak patient information and sensor data to the same unknown external network. Simultaneous exploitation of all vulnerable devices on a shared network is possible."
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-030-01
https://www.bleepingcomputer.com/news/security/backdoor-found-in-two-healthcare-patient-monitors-linked-to-ip-in-china/
https://www.bankinfosecurity.com/attackers-could-gain-control-2-flawed-patient-monitors-a-27414
Industrial Sector
- Hitachi Energy UNEM
"Successful exploitation of these vulnerabilities could allow an attacker to cause a denial of service, execute unintended commands, access sensitive information, or execute arbitrary code."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-030-01
- Schneider Electric System Monitor Application In Harmony And Pro-Face PS5000 Legacy Industrial PCs
"Successful exploitation of this vulnerability could allow an attacker to access sensitive information."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-030-03
- New Rock Technologies Cloud Connected Devices
"Successful exploitation of these vulnerabilities could allow an attacker full control of the device."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-030-02
- Rockwell Automation KEPServer
"Successful exploitation of this vulnerability could cause the device to crash."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-030-04
- Rockwell Automation FactoryTalk AssetCentre
"Successful exploitation of these vulnerabilities could allow an attacker to extract passwords, access, credentials, or impersonate other users."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-030-05
New Tooling
- ExtensionHound: Open-Source Tool For Chrome Extension DNS Forensics
"Traditional monitoring tools reveal only traffic from the Chrome process, leaving security teams uncertain about which extension is responsible for a suspicious DNS query. ExtensionHound solves this by analyzing Chrome’s internal network state and linking DNS activity to specific extensions."
https://www.helpnetsecurity.com/2025/01/30/extensionhound-open-source-tool-chrome-extension-dns-forensics/
https://github.com/arsolutioner/ExtensionHound
Vulnerabilities
- Browser Syncjacking: How Any Browser Extension Can Be Used To Takeover Your Device
"The recent wave of OAuth attacks on Chrome extension developers has spotlighted browser extensions as a critical threat to enterprise security. However, most of these attacks have primarily been around data exfiltration or unauthorized access to specific web applications. It was thought to be impossible to gain full control of the browser, much less the device, through a browser extension due to the way the extension subsystems were designed."
https://labs.sqrx.com/browser-syncjacking-cc602ea0cbd0
https://www.bleepingcomputer.com/news/security/new-syncjacking-attack-hijacks-devices-using-chrome-extensions/
https://hackread.com/squarex-discloses-browser-syncjacking-a-new-attack-technique-that-provides-full-browser-and-device-control-putting-millions-at-risk/
https://www.infosecurity-magazine.com/news/full-browser-device-takeover/
- Time Bandit ChatGPT Jailbreak Bypasses Safeguards On Sensitive Topics
"A ChatGPT jailbreak flaw, dubbed "Time Bandit," allows you to bypass OpenAI's safety guidelines when asking for detailed instructions on sensitive topics, including the creation of weapons, information on nuclear topics, and malware creation. The vulnerability was discovered by cybersecurity and AI researcher David Kuszmar, who found that ChatGPT suffered from "temporal confusion," making it possible to put the LLM into a state where it did not know whether it was in the past, present, or future. Utilizing this state, Kuszmar was able to trick ChatGPT into sharing detailed instructions on usually safeguarded topics."
https://www.bleepingcomputer.com/news/security/time-bandit-chatgpt-jailbreak-bypasses-safeguards-on-sensitive-topics/
- 2025 GitHub Copilot Vulnerabilities – Technical Overview
"During Q4, the Apex Security research team uncovered two vulnerabilities in GitHub Copilot, as published in Dark Reading—one that lets it slip into an existential crisis and another that grants unrestricted access to OpenAI’s models. Both exploits reveal a concerning truth: AI assistants are more susceptible to manipulation than we’d like to admit. In this blog, we explore how a simple affirmation—just the word “Sure”—can turn Copilot into revealing its secret desires and bending ethical boundaries. And in a separate investigation, we show how tweaking proxy settings can hijack Copilot’s access, turning it into a gateway to unrestricted AI power."
https://www.apexhq.ai/blog/blog/2025-github-copilot-vulnerabilities-technical-overview
https://www.darkreading.com/vulnerabilities-threats/new-jailbreaks-manipulate-github-copilot
- TeamViewer Patches High-Severity Vulnerability In Windows Applications
"TeamViewer this week announced patches for a high-severity elevation of privilege vulnerability in its remote access solutions for Windows. Tracked as CVE-2025-0065 (CVSS score of 7.8), the bug is described as an improper neutralization of argument delimiters in the ‘TeamViewer_service.exe’ component of the software. Successful exploitation of the security defect, TeamViewer warns, could allow an unprivileged attacker with local access to a Windows system to perform argument injection and elevate their privileges."
https://www.securityweek.com/teamviewer-patches-high-severity-vulnerability-in-windows-applications/
https://securityaffairs.com/173658/security/teamviewer-windows-client-flaw.html
Malware
- Coyote Banking Trojan: A Stealthy Attack Via LNK Files
"Over the past month, FortiGuard Labs has identified several similar LNK files containing PowerShell commands designed to execute malicious scripts and connect to remote servers. These files are part of multi-stage operations that ultimately deliver the Coyote Banking Trojan. This malware primarily targets users in Brazil, seeking to harvest sensitive information from over 70 financial applications and numerous websites. Once deployed, the Coyote Banking Trojan can carry out various malicious activities, including keylogging, capturing screenshots, and displaying phishing overlays to steal sensitive credentials. In this article, we will detail the behavior of each stage."
https://www.fortinet.com/blog/threat-research/coyote-banking-trojan-a-stealthy-attack-via-lnk-files
- Microsoft Advertisers Phished Via Malicious Google Ads
"Just days after we uncovered a campaign targeting Google Ads accounts, a similar attack has surfaced, this time aimed at Microsoft advertisers. These malicious ads, appearing on Google Search, are designed to steal the login information of users trying to access Microsoft’s advertising platform. Microsoft does purchase ad space on its rival’s dominant search engine; however, we found Google sponsored results for “Microsoft Ads” (formerly known as Bing Ads) that contained malicious links created by impostors. Through shared artifacts, we were able to identify additional phishing infrastructure targeting Microsoft accounts going back to a couple of years at least. We have reported these incidents to Google."
https://www.malwarebytes.com/blog/news/2025/01/microsoft-advertisers-phished-via-malicious-google-ads
- No Need To RSVP: A Closer Look At The Tria Stealer Campaign
"Since mid-2024, we’ve observed a malicious Android campaign leveraging wedding invitations as a lure to social-engineer victims into installing a malicious Android app (APK), which we have named “Tria Stealer” after unique strings found in campaign samples. The primary targets of the campaign are users in Malaysia and Brunei, with Malaysia being the most affected country. Our investigation suggests that this campaign is likely operated by an Indonesian-speaking threat actor, as we found artifacts written in the Indonesian language, namely several unique strings embedded in the malware and the naming pattern of the Telegram bots that are used for hosting C2 servers."
https://securelist.com/tria-stealer-collects-sms-data-from-android-devices/115295/
- Lumma Stealer’s GitHub-Based Delivery Explored Via Managed Detection And Response
"Trend Micro Managed XDR uncovered a sophisticated campaign involving Lumma Stealer, an information-stealing malware, that was being distributed through GitHub's release infrastructure. The investigation revealed that malicious actors exploited GitHub as a trusted platform to deliver the stealer, which subsequently initiated additional malicious activities. It then downloaded and executed other threats, including SectopRAT (a remote access trojan), Vidar, Cobeacon, and another Lumma Stealer variant."
https://www.trendmicro.com/en_us/research/25/a/lumma-stealers-github-based-delivery-via-mdr.html
- HTTP Client Tools Exploitation For Account Takeover Attacks
"HTTP client tools are software applications or libraries used to send HTTP requests and receive HTTP responses from web servers. These tools allow users to craft requests with various HTTP methods (e.g., GET, POST, PUT, DELETE), customize headers, include payloads, and inspect server responses. Proofpoint has observed a rising trend of attackers repurposing legitimate HTTP client tools, such as those emulating XMLHttpRequest and Node.js HTTP requests, to compromise Microsoft 365 environments. Originally sourced from public repositories like GitHub, these tools are increasingly used in attacks like Adversary-in-the-Middle (AitM) and brute force techniques, leading to numerous account takeover (ATO) incidents."
https://www.proofpoint.com/us/blog/threat-insight/http-client-tools-exploitation-account-takeover-attacks
https://www.infosecurity-magazine.com/news/attackers-increase-use-http/
- 10,000 WordPress Websites Found Delivering MacOS And Windows Malware
"This week we identified over 10,000 WordPress sites showing fake Google browser update pages in the browser of visitors via an iframe. The page delivers cross-platform malware, both AMOS (Atomic macOS Stealer), which targets Apple users, and SocGholish, which targets Windows users."
https://cside.dev/blog/10-000-wordpress-websites-found-delivering-macos-and-microsoft-malware
Breaches/Hacks/Leaks
- Ransomware Attack Disrupts New York Blood Donation Giant
"The New York Blood Center (NYBC), one of the world's largest independent blood collection and distribution organizations, says a Sunday ransomware attack forced it to reschedule some appointments. NYBC collects almost 4,000 units of blood products every day and serves more than 75 million people in more than a dozen states. It also provides transfusion-related medical services to over 500 hospitals nationwide. On Wednesday, NYBC said it detected the attack after noticing suspicious activity on its IT systems over the weekend, on January 26."
https://www.bleepingcomputer.com/news/security/ransomware-attack-disrupts-new-york-blood-donation-giant/
https://www.darkreading.com/cyberattacks-data-breaches/two-attacks-target-healthcare-sector-adds-growing-list-ransomware-threats
https://therecord.media/ransomware-attack-new-york-blood-center-forces-workarounds
https://www.bankinfosecurity.com/ny-blood-center-attack-disrupts-suppliers-in-several-states-a-27413
https://www.infosecurity-magazine.com/news/ransomware-blood-donation-services/
https://www.theregister.com/2025/01/30/ransomware_attack_at_new_york/
- Exclusive: Apex Custom Software Hacked, Threat Actors Threaten To Leak The Software
"On January 20, the hackers known as 0mid16B tweeted, “At 7:40AM 20th Jan (US time), a US healthcare software provider has been hacked. All data in server has been deleted. 48 hours left before we publish all data.” The attached screenshot showed a listing of medications, but without any patient information attached. Two days later, they tweeted information about Cardinal Health, but again, it did not appear linked to any protected health information (PHI). They also published some Cardinal Health employee login information that included names, email addresses, and passwords in plaintext."
https://databreaches.net/2025/01/30/exclusive-apex-custom-software-hacked-threat-actors-threaten-to-leak-the-software/
- Frederick Health Hit By Ransomware Attack
"Maryland healthcare provider Frederick Health is scrambling to restore its systems after taking them offline in response to a ransomware attack. The disruption, the healthcare network said on Monday, caused certain delays in its services, as it reverted to downtime procedures. “Our facilities remain open, and we continue to provide care for our patients using established back-up processes and other downtime procedures,” the organization said in an incident notice, but announced the next day that the Frederick Health Village Laboratory had been closed."
https://www.securityweek.com/frederick-health-hit-by-ransomware-attack/
- 152,000 Impacted By Data Breach At Berman & Rabin
"Law firm Berman & Rabin is notifying roughly 152,000 individuals that their personal information was compromised in a July 2024 ransomware attack. On July 8, the company said in a notification letter to the impacted individuals, Berman & Rabin identified suspicious activity on its systems, which included the encryption of certain data. The law firm determined that the threat actor behind the attack had access to its network between July 5 and July 8, and that they accessed certain systems and exfiltrated data from them."
https://www.securityweek.com/152000-impacted-by-data-breach-at-berman-rabin/
General News
- PrintNightmare Aftermath: Windows Print Spooler Is Better. What's Next?
"The 2021 PrintNightmare vulnerability exposed multiple deep-rooted security flaws in Microsoft's Print Spooler service, a core Windows component. The flaws, which had persisted in the Print Spooler for years, forced Microsoft to change the default behavior of the service, and organizations to change how they enabled printing services for users. While Microsoft's changes have overall improved Print Spooler's security, researchers caution the service still remains a prime target for attackers. The potential weaknesses resulting from Microsoft's efforts to maintain backward compatibility with legacy code leave Print Spooler vulnerable."
https://www.darkreading.com/endpoint-security/windows-print-spooler-security-improves-in-wake-of-printnightmare-scare
- How We Kept The Google Play & Android App Ecosystems Safe In 2024
"Android and Google Play comprise a vibrant ecosystem with billions of users around the globe and millions of helpful apps. Keeping this ecosystem safe for users and developers remains our top priority. However, like any flourishing ecosystem, it also attracts its share of bad actors. That’s why every year, we continue to invest in more ways to protect our community and fight bad actors, so users can trust the apps they download from Google Play and developers can build thriving businesses."
https://security.googleblog.com/2025/01/how-we-kept-google-play-android-app-ecosystem-safe-2024.html
https://www.bleepingcomputer.com/news/security/google-blocked-236-million-risky-android-apps-from-play-store-in-2024/
https://www.infosecurity-magazine.com/news/google-blocked-236-million-policy/
- Talos IR Trends Q4 2024: Web Shell Usage And Exploitation Of Public-Facing Applications Spike
"Threat actors increasingly deployed web shells against vulnerable web applications and primarily exploited vulnerable or unpatched public-facing applications to gain initial access in Q4, a notable shift from previous quarters. The functionality of the web shells and targeted web applications varied across incidents, highlighting the multitude of ways threat actors can leverage vulnerable web servers as a gateway into a victim’s environment. Prior to this quarter, use of valid accounts had been Cisco Talos Incident Response (Talos IR)’s most observed method of initial access for over a year."
https://blog.talosintelligence.com/talos-ir-trends-q4-2024/
- Department Of Justice Partners With Dutch Police To Break Up HeartSender Network
"Authorities in the United States and the Netherlands have dismantled a sophisticated Pakistan-based cybercrime network known as Saim Raza. The operation, dubbed “Operation Heart Blocker,” culminated Wednesday with the coordinated seizure of 39 domains and servers. Also known as HeartSender, Saim Raza was responsible for developing and selling phishing kits, with the Department of Justice claiming the software resulted in over $3 million in victim losses."
https://cyberscoop.com/doj-saim-raza-heartsender-takedown/
- Cyber Insights 2025: Cyberinsurance – The Debate Continues
"SecurityWeek’s Cyber Insights 2025 examines expert opinions on the expected evolution of more than a dozen areas of cybersecurity interest over the next 12 months. We spoke to hundreds of individual experts to gain their expert opinions. Here we discuss what to expect with Cyberinsurance. Cyberinsurance offers a risk transfer option for the management of cybersecurity risk. This risk is complicated by the ever-changing nature of the threats and the attack surface. The cybersecurity industry has so far failed to get ahead of the attackers. Can the cyberinsurance industry do any better? Is it even possible for insurers to match cover with cost in a mutually beneficial manner on an ongoing basis?"
https://www.securityweek.com/cyber-insights-2025-cyberinsurance-the-debate-continues/
- Recent Jailbreaks Demonstrate Emerging Threat To DeepSeek
"Unit 42 researchers recently revealed two novel and effective jailbreaking techniques we call Deceptive Delight and Bad Likert Judge. Given their success against other large language models (LLMs), we tested these two jailbreaks and another multi-turn jailbreaking technique called Crescendo against DeepSeek models. We achieved significant bypass rates, with little to no specialized knowledge or expertise being necessary."
https://unit42.paloaltonetworks.com/jailbreaking-deepseek-three-techniques/
References
Electronic Transactions Development Agency (ETDA)