Cyber Threat Intelligence 07 February 2025
Healthcare Sector
- Orthanc Server
"Successful exploitation of this vulnerability could allow an attacker to disclose sensitive information, modify records, or cause a denial-of-service condition."
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-037-02
- MicroDicom DICOM Viewer
"Successful exploitation of this vulnerability could allow an attacker to alter network traffic and perform a machine-in-the-middle (MITM) attack."
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-037-01
Industrial Sector
- Schneider Electric EcoStruxure Power Monitoring Expert (PME)
"Successful exploitation of this vulnerability allows for local privilege escalation, which could lead to the execution of a malicious Dynamic-Link Library (DLL)."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-037-02
- ABB Drive Composer
"Successful exploitation of this vulnerability could allow attackers unauthorized access to the file system on the host machine. An attacker can exploit this flaw to run malicious code, which could lead to the compromise of the affected system."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-037-03
- Trimble Cityworks
"Successful exploitation of this vulnerability could allow an authenticated user to perform a remote code execution."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-037-04
- Schneider Electric EcoStruxure Power Monitoring Expert (PME)
"Successful exploitation of this vulnerability could allow an attacker to remotely execute code."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-037-01
Vulnerabilities
- Critical Cisco ISE Bug Can Let Attackers Run Commands As Root
"Cisco has released patches to fix two critical vulnerabilities in its Identity Services Engine (ISE) security policy management platform. Enterprise administrators use Cisco ISE as an identity and access management (IAM) solution that combines authentication, authorization, and accounting into a single appliance. The two security flaws (CVE-2025-20124 and CVE-2025-20125) can be exploited by authenticated remote attackers with read-only admin privileges to execute arbitrary commands as root and bypass authorization on unpatched devices."
https://www.bleepingcomputer.com/news/security/critical-cisco-ise-bug-can-let-attackers-run-commands-as-root/
https://thehackernews.com/2025/02/cisco-patches-critical-ise.html
https://www.securityweek.com/cisco-patches-critical-vulnerabilities-in-enterprise-management-product/
https://securityaffairs.com/173946/security/cisco-addressed-critical-flaws-in-identity-services-engine.html
- CISA Adds Five Known Exploited Vulnerabilities To Catalog
"CISA has added five vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2025-0411 7-Zip Mark of the Web Bypass Vulnerability
CVE-2022-23748 Dante Discovery Process Control Vulnerability
CVE-2024-21413 Microsoft Outlook Improper Input Validation Vulnerability
CVE-2020-29574 CyberoamOS (CROS) SQL Injection Vulnerability
CVE-2020-15069 Sophos XG Firewall Buffer Overflow Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/02/06/cisa-adds-five-known-exploited-vulnerabilities-catalog
https://www.bleepingcomputer.com/news/security/critical-rce-bug-in-microsoft-outlook-now-exploited-in-attacks/
https://securityaffairs.com/173949/hacking/u-s-cisa-adds-microsoft-outlook-sophos-xg-firewall-and-other-flaws-to-its-known-exploited-vulnerabilities-catalog.html
- Google Cloud Platform Data Destruction Via Cloud Build
"Google Cloud Platform (GCP) Cloud Build is a Continuous Integration/Continuous Deployment (CI/CD) service offered by Google that is utilized to automate the building, testing and deployment of applications. Orca Security published an article describing certain aspects of the threat surface posed by this service, including a supply chain attack vector they have termed “Bad.Build”. One specific issue they identified, that Cloud Build pipelines with the default Service Account (SA) could be utilized to discover all other permissions assignments in a GCP project, was resolved by Google after Orca reported it."
https://blog.talosintelligence.com/gcp-data-destruction-via-cloud-build/
- Researcher Outsmarts, Jailbreaks OpenAI's New o3-Mini
"A prompt engineer has challenged the ethical and safety protections in OpenAI's latest o3-mini model, just days after its release to the public. OpenAI unveiled o3 and its lightweight counterpart, o3-mini, on Dec. 20. That same day, it also introduced a brand new security feature: "deliberative alignment." Deliberative alignment "achieves highly precise adherence to OpenAI's safety policies," the company said, overcoming the ways in which its models were previously vulnerable to jailbreaks. Less than a week after its public debut, however, CyberArk principal vulnerability researcher Eran Shimony got o3-mini to teach him how to write an exploit of the Local Security Authority Subsystem Service (lsass.exe), a critical Windows security process."
https://www.darkreading.com/application-security/researcher-jailbreaks-openai-o3-mini
- WordPress Admin And Site Enhancements (ASE) Pro Plugin <= 7.6.2.1 Is Vulnerable To Privilege Escalation
"This could allow a malicious actor to escalate their low privileged account to something with higher privileges. After this they could take full control of the website if high privileges are gained."
https://patchstack.com/database/wordpress/plugin/admin-site-enhancements-pro/vulnerability/wordpress-admin-and-site-enhancements-ase-pro-plugin-7-6-2-1-privilege-escalation-vulnerability
https://www.infosecurity-magazine.com/news/wordpress-ase-plugin-flaw/
Malware
- University Site Cloned To Evade Ad Detection Distributes Fake Cisco Installer
"There is a constant “cat and mouse” game between defenders and attackers, the latter trying to outsmart and get a head start on the former. In the context of online advertising, this involves creating fake identities or using stolen ones to push out malicious ads. An attacker not only needs to evade detection but also create a lure that will be convincing to most people. In this blog post, we focus on what malvertisers use in almost all of their campaigns, namely decoys also known as “white pages” in order to fool the advertising entity."
https://www.malwarebytes.com/blog/news/2025/02/university-site-cloned-to-evade-ad-detection-distributes-fake-cisco-installer
- Code Injection Attacks Using Publicly Disclosed ASP.NET Machine Keys
"In December 2024, Microsoft Threat Intelligence observed limited activity by an unattributed threat actor using a publicly available, static ASP.NET machine key to inject malicious code and deliver the Godzilla post-exploitation framework. In the course of investigating, remediating, and building protections against this activity, we observed an insecure practice whereby developers have incorporated various publicly disclosed ASP.NET machine keys from publicly accessible resources, such as code documentation and repositories, which threat actors have used to perform malicious actions on target servers."
https://www.microsoft.com/en-us/security/blog/2025/02/06/code-injection-attacks-using-publicly-disclosed-asp-net-machine-keys/
https://www.bleepingcomputer.com/news/security/microsoft-says-attackers-use-exposed-aspnet-keys-to-deploy-malware/
- Not-So-SimpleHelp Exploits Enabling Deployment Of Sliver Backdoor
"Field Effect recently identified and thwarted a sophisticated breach where threat actors exploited newly uncovered vulnerabilities in SimpleHelp’s Remote Monitoring and Management (RMM) client as an entry point to infiltrate and establish unauthorized access within a targeted network. The attack involved the quick and deliberate execution of several post-compromise tactics, techniques and procedures (TTPs) including network and system discovery, administrator account creation, and the establishment of persistence mechanisms, which could have led to the deployment of ransomware had Field Effect MDR not prevented the attack."
https://fieldeffect.com/blog/field-effect-mitigates-not-so-simplehelp-exploits-enabling-deployment-of-backdoors
https://www.bleepingcomputer.com/news/security/hackers-exploit-simplehelp-rmm-flaws-to-deploy-sliver-malware/
- DDoS Attacks Reportedly Behind DayZ And Arma Network Outages
"An ongoing distributed denial of service (DDoS) attack targets Bohemia Interactive's infrastructure, preventing players of DayZ and Arma Reforger from playing the games online. Bohemia Interactive is a Czech video game developer and publisher known for its popular Arma Series tactical shooters and DayZ, a standalone survival game from an Arma 2 mod. Starting last Friday, players of Bohemia's games started experiencing server connectivity issues that prevented them from playing online."
https://www.bleepingcomputer.com/news/security/ddos-attacks-reportedly-behind-dayz-and-arma-network-outages/
- New Facebook Copyright Infringement Phishing Campaign
"Facebook is the most popular social network worldwide, outperforming every other competitor for reach and active users, according to Statista. Further, according to Sprout Social, Facebook is the third-most visited website following Google and YouTube. Thus, when a phishing campaign leverages the Facebook brand, the implications are particularly consequential. Email researchers at Check Point have recently discovered a new Facebook-focused phishing campaign, which has been sent to more than 12,279 email addresses and targets hundreds of companies."
https://blog.checkpoint.com/security/new-facebook-copyright-infringement-phishing-campaign/
- Malicious ML Models Discovered On Hugging Face Platform
"In the last few months, artificial intelligence (AI) is popping up in all kinds of headlines, ranging from technical software developer websites to the Sunday comics. There’s no secret why. Given the recent explosion in the capabilities of large language models (LLMs) and generative AI, organizations are trying to find ways to incorporate AI technologies into their business models — and to make use of its capabilities."
https://www.reversinglabs.com/blog/rl-identifies-malware-ml-model-hosted-on-hugging-face
https://cyberscoop.com/hugging-face-platform-continues-to-be-plagued-by-vulnerable-pickles/
- DeepSeek Phishing Sites Pursue User Data, Crypto Wallets
"More than two weeks after China's DeepSeek garnered worldwide attention with its low-cost AI model, threat actors have been busy capitalizing on the news by setting up phishing sites impersonating the company. The fraudulent sites aim to deceive users into downloading malicious software or providing credentials and other sensitive information. Researchers at Israel-based Memcyco spotted at least 16 such sites actively impersonating DeepSeek earlier this week and believe the activity represents a coordinated attack campaign among threat actors."
https://www.darkreading.com/cyber-risk/deepseek-phishing-sites-pursue-user-data-crypto-wallets
https://www.securityweek.com/fake-deepseek-sites-used-for-credential-phishing-crypto-theft-scams/
Breaches/Hacks/Leaks
- British Engineering Firm IMI Discloses Breach, Shares No Details
"British-based engineering firm IMI plc has disclosed a security breach after unknown attackers hacked into the company's systems. IMI is a global engineering group with manufacturing facilities in 18 countries, focused on precision fluid engineering and providing services in the process and industrial automation, climate control, life science, and transport sectors. Listed on the London Stock Exchange since 1966, it is included in the FTSE100 Index (the United Kingdom's best-known stock market index) and employs around 10,000 people in over 50 countries across three divisions (IMI Hydronic, Norgren, and IMI Critical)."
https://www.bleepingcomputer.com/news/security/british-engineering-firm-imi-discloses-breach-shares-no-details/
https://therecord.media/imi-uk-engineering-company-reports-cyber-incident
- S. Korea’s Notorious Sex Crime Hub Ya-Moon Hacked, User Data Leaked
"A hacker using the alias “Valerie” is claiming to have hacked Ya-moon, a notorious South Korean private pornography website and forum. According to the hacker, the hack took place in June 2024 using a zero-day vulnerability, but the details of it have only been shared earlier today. The site, which has been operating since 1990, is infamous for hosting illicit content, including Child Sexual Abuse Material, also known as CSAM, hidden camera footage, revenge porn, and videos depicting rape. Its users often brag about gang rapes, the sexual exploitation of minors, and the intimidation of women into sexual acts."
https://hackread.com/s-koreas-crime-hub-ya-moon-hacked-user-data-leak/
General News
- The Overlooked Risks Of Poor Data Hygiene In AI-Driven Organizations
"In this Help Net Security interview, Oliver Friedrichs, CEO at Pangea, discusses why strong data hygiene is more important than ever as companies integrate AI into their operations. With AI-driven applications handling sensitive enterprise data, poor access controls and outdated security practices can lead to serious risks. Friedrichs shares key best practices to mitigate risks, ensure data reliability, and adapt security strategies for the AI landscape."
https://www.helpnetsecurity.com/2025/02/06/oliver-friedrichs-pangea-data-hygiene/
- Enterprises Invest Heavily In AI-Powered Solutions
"AI is driving significant changes in attack sources, with 88% of enterprises observing an increase in AI-powered bot attacks in the last two years, according to Arkose Labs. 53% said they have lost between $10 million to over $500 million during the past two years due to negative consequences related to cyberattacks."
https://www.helpnetsecurity.com/2025/02/06/enterprises-ai-powered-attacks/
- Changing The Tide: Reflections On Threat Data From 2024
"“Enough Ripples, And You Change The Tide. For The Future Is Never Truly Set.” X-Men: Days of Future Past. In January, I dedicated some time to examine threat data from 2024, comparing it with the previous years to identify anomalies, spikes, and changes. As anticipated, the number of Common Vulnerabilities and Exposures (CVEs) rose significantly, from 29,166 in 2023 to 40,289 in 2024, marking a substantial 38% increase. Interestingly, the severity levels of the CVEs remained centered around 7-8 for both years."
https://blog.talosintelligence.com/changing-the-tide-reflections-on-threat-data-from-2024/
- The Cyber Savanna: A Rigged Race You Can't Win, But Must Run Anyway
"Cybersecurity is a relentless, brutal, and unwinnable race. It's a savanna where organizations are gazelles and threat actors are cheetahs. There's no prize for coming first, no trophies for the fastest. It's actually simple: Run or be eaten. Harsh? Yes. But ignoring this reality won't save you. It'll make you the slowest gazelle."
https://www.darkreading.com/vulnerabilities-threats/cyber-savanna-rigged-race-you-cant-win-must-run-anyway
- Security Teams Pay The Price: The Unfair Reality Of Cyber Incidents
"Recently, a wonderful co-worker of mine was injured quite badly during his winter ski vacation. If I understood him correctly, another skier came barreling into him while he was on the slopes. This inflicted serious injury upon my co-worker, unfortunately, and he has a long recovery ahead of him. I wish him well and a speedy recovery. Naturally, the other skier is at fault here, but my co-worker is the one left with the injury and the long recovery. You may be asking yourself what this has to do with information security. It is a fair question, of course, though I believe that there is an important security lesson we can learn here. Sometimes, regardless of who is at fault for a given issue, the security team is left with the consequences."
https://www.securityweek.com/security-teams-pay-the-price-the-unfair-reality-of-cyber-incidents/
- Patch Or Perish: How Organizations Can Master Vulnerability Management
"Vulnerability exploitation has long been a popular tactic for threat actors. But it’s becoming increasingly so – a fact that should alarm every network defender. Observed cases of vulnerability exploitation resulting in data breaches surged three-fold annually in 2023, according to one estimate. And attacks targeting security loopholes remain one of the top three ways threat actors start ransomware attacks. As the number of CVEs continues to hit new record highs, organizations are struggling to cope. They need a more consistent, automated and risk-based approach to mitigating vulnerability-related threats."
https://www.welivesecurity.com/en/cybersecurity/patch-perish-organizations-vulnerability-management/
References
Electronic Transactions Development Agency (ETDA)