Cyber Threat Intelligence 05 February 2025
Financial Sector
- 8 Steps To Secure GenAI Integration In Financial Services
"GenAI offers financial services institutions enormous opportunities, particularly in unstructured dataset analysis and management, but may also increase security risks, according to FS-ISAC. GenAI can organize oceans of information and retrieve insights from it that you can use to improve business operations, maximize your markets, and enhance the customer experience. Those GenAI-analyzed datasets can turn up information about fraud, threats, and risks, which present remarkable security opportunities."
https://www.helpnetsecurity.com/2025/02/04/financial-institutions-genai-risks/
Industrial Sector
- CISA Releases Nine Industrial Control Systems Advisories
"CISA released nine Industrial Control Systems (ICS) advisories on February 4, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS."
https://www.cisa.gov/news-events/alerts/2025/02/04/cisa-releases-nine-industrial-control-systems-advisories
Vulnerabilities
- Microsoft Patches Critical Azure AI Face Service Vulnerability With CVSS 9.9 Score
"Microsoft has released patches to address two Critical-rated security flaws impacting Azure AI Face Service and Microsoft Account that could allow a malicious actor to escalate their privileges under certain conditions."
https://thehackernews.com/2025/02/microsoft-patches-critical-azure-ai.html
- Netgear Warns Users To Patch Critical WiFi Router Vulnerabilities
"Netgear has fixed two critical vulnerabilities affecting multiple WiFi router models and urged customers to update their devices to the latest firmware as soon as possible. The security flaws impact multiple WiFi 6 access points (WAX206, WAX214v2, and WAX220) and Nighthawk Pro Gaming router models (XR1000, XR1000v2, XR500). Although the American computer networking company did not disclose more details about the two bugs, it did reveal that unauthenticated threat actors can exploit them for remote code execution (tracked internally as PSV-2023-0039) and authentication bypass (PSV-2021-0117) in low-complexity attacks that don't require user interaction."
https://www.bleepingcomputer.com/news/security/netgear-warns-users-to-patch-critical-wifi-router-vulnerabilities/
https://kb.netgear.com/000066557/Security-Advisory-for-Authentication-Bypass-on-Some-Wireless-Access-Points-PSV-2021-0117
https://securityaffairs.com/173839/security/netgear-wifi-routers-flaws.html
- Zyxel Telnet Vulnerabilities
"VulnCheck independently discovered vulnerabilities affecting Zyxel Customer Premises Equipment (CPE) after running into the hardware in the real world. The combination of the vulnerabilities allows for unauthenticated code execution via Telnet. A week ago, our friends at GreyNoise blogged about attackers actively using these vulnerabilities against their honeypot network, and the associated tag continues to flag ongoing activity."
https://vulncheck.com/blog/zyxel-telnet-vulns
https://www.bleepingcomputer.com/news/security/zyxel-wont-patch-newly-exploited-flaws-in-end-of-life-routers/
- Microsoft SharePoint Connector Flaw Could've Enabled Credential Theft Across Power Platform
"Cybersecurity researchers have disclosed details of a now-patched vulnerability impacting the Microsoft SharePoint connector on Power Platform that, if successfully exploited, could allow threat actors to harvest a user's credentials and stage follow-on attacks. This could manifest in the form of post-exploitation actions that allow the attacker to send requests to the SharePoint API on behalf of the impersonated user, enabling unauthorized access to sensitive data, Zenity Labs said in a report shared with The Hacker News ahead of publication."
https://thehackernews.com/2025/02/microsoft-sharepoint-connector-flaw.html
- AMD Patches CPU Vulnerability That Could Break Confidential Computing Protections
"AMD on Monday announced patches for a microprocessor vulnerability that could lead to loss of Secure Encrypted Virtualization (SEV) protection, allowing attackers to load malicious microcode. Tracked as CVE-2024-56161 (CVSS score of 7.2), the bug is described as an improper signature verification in the microcode patch loader on the AMD CPU read-only memory. The security defect “may allow an attacker with local administrator privilege to load malicious CPU microcode resulting in loss of confidentiality and integrity of a confidential guest running under AMD SEV-SNP,” AMD explains in its advisory."
https://www.securityweek.com/amd-patches-cpu-vulnerability-found-by-google/
https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3019.html
https://thehackernews.com/2025/02/amd-sev-snp-vulnerability-allows.html
https://securityaffairs.com/173831/security/amd-flaw-allowed-load-malicious-microcode.html
- 8 Million Requests Later, We Made The SolarWinds Supply Chain Attack Look Amateur
"Surprise surprise, we've done it again. We've demonstrated an ability to compromise significantly sensitive networks, including governments, militaries, space agencies, cyber security companies, supply chains, software development systems and environments, and more. “Ugh, won’t they just stick to creating poor-quality memes?” we hear you moan. Maybe we should, maybe we shouldn’t - regardless, it’s too late at this stage and so we have to live with it."
https://labs.watchtowr.com/8-million-requests-later-we-made-the-solarwinds-supply-chain-attack-look-amateur/
https://www.theregister.com/2025/02/04/abandoned_aws_s3/
Malware
- CVE-2025-0411: Ukrainian Organizations Targeted In Zero-Day Campaign And Homoglyph Attacks
"On September 25, 2024, the Trend Micro Zero Day Initiative (ZDI) Threat Hunting team identified a zero-day vulnerability exploited in-the-wild and associated with the deployment of the loader malware known as SmokeLoader. This vulnerability is believed to be used by Russian cybercrime groups to target both governmental and non-governmental organizations in Ukraine, with cyberespionage being the most likely purpose of these attacks as part of the ongoing Russo-Ukrainian conflict. The exploitation involves the use of compromised email accounts and a zero-day vulnerability existing in the archiver tool 7-Zip (CVE-2025-0411), which was manipulated through homoglyph attacks (which we will also define and explain in this blog entry)."
https://www.trendmicro.com/en_us/research/25/a/cve-2025-0411-ukrainian-organizations-targeted.html
https://thehackernews.com/2025/02/russian-cybercrime-groups-exploiting-7.html
https://www.bleepingcomputer.com/news/security/7-zip-motw-bypass-exploited-in-zero-day-attacks-against-ukraine/
https://www.bankinfosecurity.com/russian-smokeloader-campaign-in-ukraine-uses-7-zip-zero-day-a-27442
https://www.helpnetsecurity.com/2025/02/04/russian-cybercrooks-exploited-7-zip-zero-day-vulnerability-cve-2025-0411/
- Google Play, Apple App Store Apps Caught Stealing Crypto Wallets
"Android and iOS apps on the Google Play Store and Apple App Store contain a malicious software development kit (SDK) designed to steal cryptocurrency wallet recovery phrases using optical character recognition (OCR) stealers. The campaign is called "SparkCat" after the name ("Spark") of one of the malicious SDK components in the infected apps, with developers likely not knowingly participating in the operation. According to Kaspersky, on Google Play alone, where download numbers are publicly available, the infected apps were downloaded over 242,000 times."
https://www.bleepingcomputer.com/news/mobile/google-play-apple-app-store-apps-caught-stealing-crypto-wallets/
- CPR Finds Threat Actors Already Leveraging DeepSeek And Qwen To Develop Malicious Content
"Soon after the launch of AI models DeepSeek and Qwen, Check Point Research witnessed cyber criminals quickly shifting from ChatGPT to these new platforms to develop malicious content. Threat actors are sharing how to manipulate the models and show uncensored content, ultimately allowing hackers and criminals to use AI to create malicious content. Called jailbreaking, there are many methods to remove censors from AI models. However, we now see in-depth guides to jailbreaking methods, bypassing anti-fraud protections, and developing malware itself."
https://blog.checkpoint.com/artificial-intelligence/cpr-finds-threat-actors-already-leveraging-deepseek-and-qwen-to-develop-malicious-content/
- MacOS FlexibleFerret | Further Variants Of DPRK Malware Family Unearthed
"Last week Apple pushed a signature update to its on-device malware tool XProtect to block several variants of what it called the macOS Ferret family: FROSTYFERRET_UI, FRIENDLYFERRET_SECD, and MULTI_FROSTYFERRET_CMDCODES. This DPRK-attributed malware family was first described by researchers in December and further in early January and identified as part of the North Korean Contagious Interview campaign, in which threat actors lure targets to install malware through the job interview process."
https://www.sentinelone.com/blog/macos-flexibleferret-further-variants-of-dprk-malware-family-unearthed/
https://www.darkreading.com/threat-intelligence/ferret-malware-added-contagious-interview-threat-campaign
https://thehackernews.com/2025/02/north-korean-hackers-deploy-ferret.html
https://hackread.com/north-korea-flexibleferret-malware-macos-fake-zoom-job-scams/
- Cybercriminals Court Traitorous Insiders Via Ransom Notes
"Ransomware actors are utilizing a previously unseen tactic in their ransomware notes: posting advertisements to solicit insider information. Researchers at the GroupSense threat intelligence team shared their findings with Dark Reading, including screenshots of the strategies these gangs are using. Groups including Sarcoma and another syndicate believed to be impersonating LockBit ransomware, known as DoNex, have adopted the strategy, the firm noted."
https://www.darkreading.com/threat-intelligence/cybercriminals-traitorous-insiders-ransom-notes
- Infrastructure Laundering: Silent Push Exposes Cloudy Behavior Around FUNNULL CDN Renting IPs From Big Tech
"Silent Push is coining the term “Infrastructure Laundering” to describe a growing criminal practice our analysts have observed where threat actors operating “hosting companies” rent IP addresses from mainstream hosting providers and map them to their criminal client websites."
https://www.silentpush.com/blog/infrastructure-laundering/
https://www.darkreading.com/cloud-security/chinese-infrastructure-laundering-abuses-aws-microsoft-cloud
- Analyzing ELF/Sshdinjector.A!tr With a Human And Artificial Analyst
"ELF/Sshdinjector.A!tr is a collection of malware that can be injected into the SSH daemon. Samples of this malware collection surfaced around mid-November 2024. While we have a good amount of threat intelligence on them (e.g., they are attributed to the DaggerFly espionage group and were used during the Lunar Peek campaign against network appliances), nobody seems to have looked into what they actually do. In this blog post, we will focus on the reverse engineering of the attack’s binaries and how this reverse engineering was achieved."
https://www.fortinet.com/blog/threat-research/analyzing-elf-sshdinjector-with-a-human-and-artificial-analyst
https://www.bleepingcomputer.com/news/security/chinese-cyberspies-use-new-ssh-backdoor-in-network-device-hacks/
https://www.infosecurity-magazine.com/news/daggerfly-linux-malware-network/
- Rat Race: ValleyRAT Malware Targets Organizations With New Delivery Techniques
"This blog explores the broader execution course and updated delivery technique of ValleyRAT. While investigating this threat, we observed that the actor has updated their tactics, techniques, and procedures (TTPs) this year. Interestingly, the actor reused the same URL for both the older and newer versions of their attack."
https://www.morphisec.com/blog/rat-race-valleyrat-malware-china/
https://hackread.com/valleyrat-malware-variant-fake-chrome-downloads/
- 22 New Mac Malware Families Seen In 2024
"Nearly two dozen new macOS malware families were observed in 2024, according to Patrick Wardle, a reputable security researcher who specializes in Apple products. The number of macOS malware families that emerged in 2024 was 22. This is roughly the same as in 2023, but significantly higher than in 2021 and 2022. The latest macOS malware roundup looks at stealers, ransomware, backdoors and downloaders, and does not include adware and malware from previous years. The list of macOS stealers that emerged in 2024 includes CloudChat, Poseidon (aka Rodrigo), Cthulhu, BeaverTail, PyStealer, and Banshee."
https://www.securityweek.com/22-new-mac-malware-families-seen-in-2024/
- Go Supply Chain Attack: Malicious Package Exploits Go Module Proxy Caching For Persistence
"Socket researchers have discovered a malicious typosquat package in the Go ecosystem, impersonating the widely used BoltDB database module (github.com/boltdb/bolt), a tool trusted by many organizations including Shopify and Heroku. The BoltDB package is widely adopted within the Go ecosystem, with 8,367 other packages depending on it. Its extensive use across thousands of projects positions BoltDB among the most prominent and trusted modules in the Go community."
https://socket.dev/blog/malicious-package-exploits-go-module-proxy-caching-for-persistence
https://thehackernews.com/2025/02/malicious-go-package-exploits-module.html
https://www.theregister.com/2025/02/04/golang_supply_chain_attack/
- Russian Cyber Research Companies Post Alerts About Infostealer, Industrial Threats
"Russian cybersecurity companies released multiple research reports about specific threats over the last week, including one about a “large-scale” information-stealing campaign targeting local organizations with Nova malware. According to a report released late last week by Moscow-based cybersecurity firm BI.ZONE, Nova is a commercial stealer sold on dark web marketplaces by unknown cybercriminals as a service. The malware’s pricing starts at $50 for a monthly license and goes up to $630 for a lifetime license."
https://therecord.media/russia-cybersecurity-research-bizone-nova-infostealer
- Stealers On The Rise: A Closer Look At a Growing MacOS Threat
"We recently identified a growing number of attacks targeting macOS users across multiple regions and industries. Our research has identified three particularly prevalent macOS infostealers in the wild, which we will explore in depth: Poseidon, Atomic and Cthulhu. We’ll show how they operate and how we detect their malicious activity."
https://unit42.paloaltonetworks.com/macos-stealers-growing/
- Targeting Microsoft ADFS: How Phishing Campaigns Bypass Multi-Factor Authentication To Enable Account Takeover
"A sophisticated phishing campaign is targeting organizations that rely on Microsoft’s Active Directory Federation Services (ADFS), exploiting the trusted environment of ADFS with spoofed login pages to harvest user credentials and bypass multi-factor authentication (MFA). This allows attackers to take over accounts and gain unauthorized access to critical systems and data, putting sensitive information and organizational security at significant risk."
https://abnormalsecurity.com/resources/targeting-microsoft-adfs-phishing-bypass-mfa-for-account-takeover
https://www.infosecurity-magazine.com/news/phishing-attack-bypasses-microsoft/
- SparkRAT: Server Detection, MacOS Activity, And Malicious Connections
"SparkRAT, first released on GitHub in 2022 by user XZB-1248, remains a favored tool due to its modular design, web-based user interface, and cross-platform support for Windows, macOS, and Linux systems. The malware has been deployed as a post-exploitation tool in campaigns associated with CVE-2024-27198 and observed in cyber espionage operations targeting government organizations. In our previous post from April last year titled "Spotting SparkRAT: Detection Tactics & Sandbox Findings", we provided a high-level overview of the RAT, analyzing an implant and its C2 server."
https://hunt.io/blog/sparkrat-server-detection-macos-activity-and-malicious-connections
- Technical Analysis Of Xloader Versions 6 And 7 | Part 1
"Xloader is a malware family that is the successor to Formbook with information stealing capabilities targeting web browsers, email clients, and File Transfer Protocol (FTP) applications. The malware is also able to deploy second-stage payloads to an infected system. The author of Xloader regularly adds new functionality to target more applications and features to increase the volume of data collection that can be sold or used in further attacks. With each update, Xloader’s code includes increasingly complex layers of encryption and obfuscation to complicate analysis. Previously, Zscaler ThreatLabz examined version 4.3 of Xloader, which introduced multi-layer code encryption to conceal its key components."
https://www.zscaler.com/blogs/security-research/technical-analysis-xloader-versions-6-and-7-part-1
- Cyble Sensors Detect Attacks On Apache OFBiz, Palo Alto Networks
"Cyble honeypot sensors have detected new attack attempts on vulnerabilities in Palo Alto Networks’ web management interface and the Apache OFBiz ERP system, among dozens of other exploits picked up by Cyble sensors. Cyble’s recent sensor intelligence report to clients examined more than 30 vulnerabilities under active exploitation by hackers and also looked at persistent attacks against Linux systems and network and IoT devices. Threat actors continue to scan for vulnerable devices for ransomware attacks and add to botnets for DDoS attacks and crypto mining."
https://cyble.com/blog/cyble-sensors-detect-attacks-on-palo-alto-networks/
Breaches/Hacks/Leaks
- GrubHub Data Breach Impacts Customers, Drivers, And Merchants
"Food delivery company GrubHub disclosed a data breach impacting the personal information of an undisclosed number of customers, merchants, and drivers after attackers breached its systems using a service provider account. "Our investigation found that the intrusion originated with an account belonging to a third-party service provider that provided support services to Grubhub," the company said on Monday. "We immediately terminated the account’s access and removed the service provider from our systems altogether.""
https://www.bleepingcomputer.com/news/security/grubhub-data-breach-impacts-customers-drivers-and-merchants/
https://therecord.media/grubhub-says-third-party-hack-exposed-campus-customers
https://www.securityweek.com/personal-information-compromised-in-grubhub-data-breach/
https://www.theregister.com/2025/02/04/grubhub_data_incident/
https://securityaffairs.com/173848/data-breach/grubhub-suffered-a-data-breach.html
- Valley News Live Exposed More Than a Million Job Seekers’ Resumes
"Making your own bad news is not what Valley News Live had in mind, but negligence comes at a price. Cybernews researchers found an unprotected AWS S3 bucket that belongs to Take Valley News Live, a North Dakota-based television station. Gray Television, the owner of Valley News Live, makes for the third largest broadcasting company in the US. An S3 bucket is like a virtual file folder in the cloud where you can store various types of data, such as text files, images, videos, and more. There is no limit to the amount of data you can store in an S3 bucket, and individual instances can be up to 5 TB in size."
https://www.malwarebytes.com/blog/news/2025/02/valley-news-live-exposed-more-than-a-million-job-seekers-resumes
General News
- Aim For Crypto-Agility, Prepare For The Long Haul
"While organizations have long experimented with various facets of digital transformation, the journey toward crypto-agility is one of the most significant technological transitions of our time. Success in the emerging quantum era will require technical expertise, strategic foresight, careful planning, and an unwavering commitment to security."
https://www.helpnetsecurity.com/2025/02/04/crypto-agility-journey/
- What You Can Do To Prevent Workforce Fraud
"In this Help Net Security interview, Benjamin Racenberg, Senior Intelligence Services Manager at Nisos, discusses the threat of workforce fraud, particularly DPRK-affiliated IT workers infiltrating remote roles. With HR teams and recruiters often unprepared to detect these sophisticated schemes, businesses face significant cybersecurity and employment risks. Racenberg also discusses the tactics used by these threat actors and offers strategies to strengthen hiring practices and mitigate workplace fraud."
https://www.helpnetsecurity.com/2025/02/04/benjamin-racenberg-nisos-workplace-fraud/
- CISA Partners With ASD’s ACSC, CCCS, NCSC-UK, And Other International And US Organizations To Release Guidance On Edge Devices
"CISA—in partnership with international and U.S. organizations—released guidance to help organizations protect their network edge devices and appliances, such as firewalls, routers, virtual private networks (VPN) gateways, Internet of Things (IoT) devices, internet-facing servers, and internet-facing operational technology (OT) systems."
https://www.cisa.gov/news-events/alerts/2025/02/04/cisa-partners-asds-acsc-cccs-ncsc-uk-and-other-international-and-us-organizations-release-guidance
https://www.cisa.gov/resources-tools/resources/guidance-and-strategies-protect-network-edge-devices
https://www.bleepingcomputer.com/news/security/cyber-agencies-share-security-guidance-for-network-edge-devices/
- Credential Theft Becomes Cybercriminals' Favorite Target
"After analyzing more than a million pieces of malware collected in 2024, researchers have found that 25% of them target user credentials. That's three times the number from 2023 and has bumped stealing credentials from password stores into the top 10 techniques listed in the MITRE ATT&CK framework, which accounted for 93% of all malicious cyber activity in 2024. In "The Red Report 2025" conducted by Picus Security, researchers observed that the attackers are prioritizing "complex, prolonged, multi-stage attacks that require a new generation of malware to succeed." In what the researchers dubbed "SneakThief," threat actors are looking to revolutionize info-stealing malware, focusing on increased stealth, persistence, and automation."
https://www.darkreading.com/threat-intelligence/credential-theft-cybercriminals-favorite-target
- Managing Software Risk In a World Of Exploding Vulnerabilities
"It's a perfect storm: The cost of a data breach is rising, known cyberattacks are becoming more frequent, security expertise is in short supply, and the demand for connectedness — to deliver and act on even the most sensitive of data across all devices, and all the way to the network edge — is unyielding. A recent example that affects anyone who texts between Android and iPhone devices is the Salt Typhoon attack. Meanwhile, industry and government regulations are tightening, demanding stricter proof of security measures and faster reporting of breaches, raising the stakes for "getting it wrong.""
https://www.darkreading.com/vulnerabilities-threats/managing-software-risk-world-exploding-vulnerabilities
- Threefold Increase In Malware Targeting Credential Stores
"Infostealers continued to grow in popularity on the cybercrime underground last year, with credentials from password stores appearing in 29% of malware samples analyzed by Picus Security. The security vendor’s Red Report 2025 examined over one million malware samples and mapped more than 14 million malicious actions and 11 million instances of MITRE ATT&CK techniques, in order to better illuminate the threat landscape. It revealed a three-fold increase in the share of malware strains targeting credential stores – reflecting the growing market for compromised logins."
https://www.infosecurity-magazine.com/news/threefold-increase-malware/
- Surge In Infostealer Attacks Threatens EMEA Organizations' Data Security
"Organizations in Europe, the Middle East and Africa (EMEA) are facing a dramatic increase in infostealer attacks, according to Check Point. In its latest EMEA Cyber Threat Intelligence report, launched on February 4 during its CPX 2025 Vienna conference, Check Point Research observed a 58% increase in infostealer attacks targeting organizations in the region over the past year. The firm added that it saw over 10 million stolen credentials associated with EMEA organizations available for sale in underground cybercrime markets."
https://www.infosecurity-magazine.com/news/surge-in-infostealer-attacks-emea/
- New AI “agents” Could Hold People For Ransom In 2025
"A paradigm shift in technology is hurtling towards us, and it could change everything we know about cybersecurity. Uhh, again, that is. When ChatGPT was unveiled to the public in late 2022, security experts looked on with cautious optimism, excited about the new technology but concerned about its use in cyberattacks. But two years on, much of what ChatGPT and other generative AI chat tools offer attackers is a way to improve what already works, not new ways to deliver attacks themselves. And yet, if artificial intelligence achieves what is called an “agentic” model in 2025, novel and boundless attacks could be within reach, as AI tools take on the roles of “agents” that independently discover vulnerabilities, steal logins, and pry into accounts."
https://www.malwarebytes.com/blog/news/2025/02/new-ai-agents-could-hold-people-for-ransom-in-2025
- Cyber Insights 2025: The CISO Outlook
"SecurityWeek’s Cyber Insights 2025 examines expert opinions on the expected evolution of more than a dozen areas of cybersecurity interest over the next 12 months. We spoke to hundreds of individual experts to gain their expert opinions. Here we discuss the CISO Outlook for 2025. The CISO is the figurehead, and often the scapegoat, for cybersecurity, and business continuity, and regulatory compliance, and data science, and artificial intelligence, and… and so it goes on. But quo vadis? And can you stay the course?"
https://www.securityweek.com/cyber-insights-2025-the-ciso-outlook/
Reference
Electronic Transactions Development Agency (ETDA)