Cyber Threat Intelligence 17 February 2025
Financial Sector
- How Banks Can Adapt To The Rising Threat Of Financial Crime
"Banking executives have a lot to consider when it comes to financial crime. With new technologies at their disposal, fraudsters are becoming more sophisticated, underscoring the importance of staying vigilant in protecting against these emerging threats. In the near future, synthetic identity fraud and account takeovers will increasingly be leveraged to maximize gains, and AI and machine learning will rapidly adapt to a bank's detection methods. While most banks recognize the importance of fraud prevention, having a clear strategy and best practices is essential to mitigate the rising risks posed by these evolving technologies."
https://www.darkreading.com/cyber-risk/how-banks-adapt-rising-threat-financial-crime
- January 2025 Security Issues In Korean & Global Financial Sector
"This report comprehensively covers actual cyber threats and security issues that have occurred in the financial industry in South Korea and abroad. This includes the analysis of malware and phishing cases distributed to the financial sector, the Top 10 malware targeting the financial sector, and statistics on the industries of leaked South Korean accounts. A case of phishing emails distributed to the financial sector is also covered in detail."
https://asec.ahnlab.com/en/86335/
Vulnerabilities
- ClearML And Nvidia Vulns
"Cisco Talos’ Vulnerability Discovery & Research team recently disclosed two vulnerabilities in ClearML and four vulnerabilities in Nvidia. The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy. For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website."
https://blog.talosintelligence.com/clearml-and-nvidia-vulns/
- New Windows Zero-Day Exploited By Chinese APT: Security Firm
"Israeli threat intelligence firm ClearSky Cyber Security on Thursday revealed that it has seen an APT linked to China exploiting a new Windows vulnerability. ClearSky has promised to share additional details in an upcoming blog post, but a post on X suggests that the Windows vulnerability has been exploited as a zero-day as no CVE appears to have been assigned yet. The company said Microsoft is aware of the flaw, but classified it as ‘low severity’. ClearSky described the issue as a ‘UI vulnerability’ and found evidence of exploitation by the notorious Chinese APT named Mustang Panda."
https://www.securityweek.com/new-windows-zero-day-exploited-by-chinese-apt-security-firm/
Malware
- Arctic Wolf Observes Authentication Bypass Exploitation Attempts Targeting SonicWall Firewalls (CVE-2024-53704)
"On February 10, 2025, Bishop Fox published technical details and proof-of-concept (PoC) exploit code for CVE-2024-53704, a high-severity authentication bypass vulnerability caused by a flaw in the SSLVPN authentication mechanism in SonicOS, the operating system used by SonicWall firewalls. Shortly after the PoC was made public, Arctic Wolf began observing exploitation attempts of this vulnerability in the threat landscape."
https://arcticwolf.com/resources/blog/cve-2024-53704/
https://www.bleepingcomputer.com/news/security/sonicwall-firewall-bug-leveraged-in-attacks-after-poc-exploit-release/
https://www.securityweek.com/sonicwall-firewall-vulnerability-exploited-after-poc-publication/
https://www.theregister.com/2025/02/14/sonicwall_firewalls_under_attack_patch/
- PirateFi Game On Steam Caught Installing Password-Stealing Malware
"A free-to-play game named PirateFi in the Steam store has been distributing the Vidar infostealing malware to unsuspecting users. The title was present in the Steam catalog for almost a week, between February 6th and February 12th, and was downloaded by up to 1,500 users. The distribution service is sending notices to potentially impacted users, advising them to reinstall Windows out of an abundance of caution."
https://www.bleepingcomputer.com/news/security/piratefi-game-on-steam-caught-installing-password-stealing-malware/
https://securityaffairs.com/174205/malware/valve-removed-a-game-from-steam.html
- Detecting Akira Ransomware Attack Using AhnLab EDR
"Akira is a relatively new ransomware threat actor that has been active since March 2023. Like other ransomware threat actors, they breach organizations and not only encrypt their files but also exfiltrate sensitive information to use in negotiations. As shown in the following 2024 statistics, the number of companies affected by Akira ransomware is still high."
https://asec.ahnlab.com/en/86310/
- OAuth Phishing Alert: Fake 'Adobe Drive X' App Abusing Microsoft Login
"Threat actors have taken phishing to the next level by weaponizing custom Microsoft 365 applications to request sensitive information from users. This sneaky attempt from threat actors utilized a fake Microsoft password request email with an embedded link that presented the victim with a legitimate Microsoft 365 login page, but that’s just the bait. The legitimate login page grants permissions to access a custom Microsoft 365 application that the threat actor controls. Once the user accesses the custom application, they are redirected to the actual credential phishing page."
https://cofense.com/blog/oauth-phishing-alert-fake-adobe-drive-x-app-abusing-microsoft-login
- Storm-2372 Conducts Device Code Phishing Campaign
"Today we’re sharing that Microsoft discovered cyberattacks being launched by a group we call Storm-2372, who we assess with medium confidence aligns with Russia’s interests and tradecraft. The attacks appear to have been ongoing since August 2024 and have targeted governments, NGOs, and a wide range of industries in multiple regions. The attacks use a specific phishing technique called “device code phishing” that tricks users to log into productivity apps while Storm-2372 actors capture the information from the log in (tokens) that they can use to then access compromised accounts. These tokens are part of an industry standard and, while these phishing lures used Microsoft and other apps to trick users, they do not reflect an attack unique to Microsoft nor have we found any vulnerabilities in our code base enabling this activity."
https://www.microsoft.com/en-us/security/blog/2025/02/13/storm-2372-conducts-device-code-phishing-campaign/
https://thehackernews.com/2025/02/microsoft-russian-linked-hackers-using.html
https://www.bleepingcomputer.com/news/security/microsoft-hackers-steal-emails-in-device-code-phishing-attacks/
https://cyberscoop.com/russia-threat-groups-device-code-phishing-microsoft-accounts/
https://www.theregister.com/2025/02/15/russia_spies_spoofing_teams/
https://securityaffairs.com/174270/apt/storm-2372-used-device-code-phishing-technique.html
- Ransomware Roundup – Lynx
"FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants."
https://www.fortinet.com/blog/threat-research/ransomware-roundup-lynx
- RansomHub Never Sleeps Episode 1: The Evolution Of Modern Ransomware
"The cybersecurity threat landscape is a constant arms race between attackers and defenders. As organizations strengthen their defenses, adversaries evolve their tactics, techniques and procedures (TTPs) to exploit emerging vulnerabilities. Among these threats, ransomware operations have become increasingly sophisticated and prominent. In its early days, ransomware targeted individuals with relatively small demands. However, with growing digital interconnectivity and exposed system vulnerabilities, attackers have shifted to larger targets including healthcare, finance, critical infrastructure, and government sectors. The advent of Ransomware-as-a-Service (RaaS) platforms has further lowered barriers for aspiring cybercriminals, enabling them to access advanced tools in exchange for a share of the profits."
https://www.group-ib.com/blog/ransomhub-never-sleeps-episode-1/
https://thehackernews.com/2025/02/ransomhub-becomes-2024s-top-ransomware.html
https://hackread.com/ransomhub-king-of-ransomware-600-firms-2024/
- Hackers Hijack JFK File Release: Malware & Phishing Surge
"Veriti Research has uncovered a potentially growing cyber threat campaign surrounding the release of the declassified JFK, RFK, and MLK files. Attackers are capitalizing on public interest in these historical documents to launch potential malware campaigns, phishing schemes, and exploit attempts. Our research indicates that cybercriminals are quick to react to major public events, and this case is no exception. As the files gain media attention, attackers are starting to create potential infrastructure for their upcoming attacks."
https://veriti.ai/blog/hackers-hijack-jfk-file-release-malware-phishing-surge/
https://hackread.com/scammers-exploit-jfk-files-release-malware-phishing/
- Technical Analysis Of Xloader Versions 6 And 7 | Part 2
"In Part 2 of this blog series, we examine how Xloader obfuscates the command-and-control (C2) code and data to complicate analysis. We will also delve into the network communication protocol for the latest versions of Xloader with multi-layer encryption and fake servers to evade detection."
https://threatlabz.zscaler.com/blogs/security-research/technical-analysis-xloader-versions-6-and-7-part-2
Breaches/Hacks/Leaks
- Virginia Attorney General’s Office Struck By Cyberattack Targeting Attorneys’ Computer Systems
"The Virginia Attorney General’s office, the state’s top prosecutorial agency led by Jason Miyares, was struck by a cyberattack this week that forced officials off the office’s computer systems. According to the Richmond Times-Dispatch, the chief deputy attorney general of the agency sent an email on Wednesday that said nearly all of its computer systems were offline, and that Virginia State Police and other law enforcement officials were investigating the attack. “Nearly all systems are offline, including but not limited to Net Docs, Outlook, Teams, OAG Fileshare, our VPN access, and internet connectivity via the OAG network,” Chief Deputy Attorney General Steven Popps said in an email to staff, according to the Times-Dispatch."
https://www.securityweek.com/virginia-attorney-generals-office-struck-by-cyberattack-targeting-attorneys-computer-systems/
- Pennsylvania Utility Says MOVEit Breach At Vendor Exposed Some Customer Data
"A Pennsylvania utility company says that basic customer data stolen from one of its vendors in 2023 was recently exposed online, but the incident did not affect its core systems. PPL Electric Utilities said in an emailed statement that the vendor notified it in June 2023 of a breach through a widespread bug in the MOVEit file transfer software, which affected hundreds of organizations and exposed the data of tens of millions of people. A PPL spokesperson confirmed that the stolen data was published online in December 2024."
https://therecord.media/pennsylvania-utility-says-moveit-vendor-breach-exposed-some-data
General News
- Open Source AI Models: Perfect Storm For Malicious Code, Vulnerabilities
"Attackers are finding more and more ways to post malicious projects to Hugging Face and other repositories for open source artificial intelligence (AI) models, while dodging the sites' security checks. The escalating problem underscores the need for companies pursuing internal AI projects to have robust mechanisms to detect security flaws and malicious code within their supply chains."
https://www.darkreading.com/cyber-risk/open-source-ai-models-pose-risks-of-malicious-code-vulnerabilities
- vCISOs Are In High Demand
"Regardless of job title, 92% of executives stated they had some degree of confidence in their organization’s ability to meet compliance requirements and tackle advanced threats with current staff and tools, but confidence levels differed across leadership roles, according to Cyber Defense Group."
https://www.helpnetsecurity.com/2025/02/14/ceos-security-strategies-confidence/
- New GRC And Cyber Risk Strategies Emphasize Risk Adaptability
"MetricStream has unveiled its annual forecast of key trends shaping the future of GRC and Cyber GRC. These 2025 predictions offer a roadmap for building resilience strategies, addressing emerging risks, and seizing new opportunities. The rise of AI continues to revolutionize GRC for organizations with agentic automation, recommendations, and intelligent insights while amplifying the demand for governance to safeguard data, maintain trust, and ensure the ethical use of AI."
https://www.helpnetsecurity.com/2025/02/14/grc-predictions/
- Pig Butchering Scams Are Exploding
"2024 is set to be a record year for scammers who received at least US$9.9 billion in crypto revenues from their illicit activities, according to Chainalysis. This figure is projected to rise to an all-time high of $12.4 billion as ongoing analysis uncovers more fraudulent activity."
https://www.helpnetsecurity.com/2025/02/14/pig-butchering-scams-fraud-growth/
- Inconsistent Security Strategies Fuel Third-Party Threats
"47% of organizations have experienced a data breach or cyberattack over the past 12 months that involved a third-party accessing their network, according to Imprivata and the Ponemon Institute. Notably, 64% of respondents say these types of third-party data breaches will either increase or remain at alarmingly high levels over the next 12-24 months, indicating the problem is here to stay."
https://www.helpnetsecurity.com/2025/02/14/third-party-data-breach-risks/
- AI-Powered Social Engineering: Ancillary Tools And Techniques
"Social engineering is advancing fast, at the speed of generative AI. This is offering bad actors multiple new tools and techniques for researching, scoping, and exploiting organizations. In a recent communication, the FBI pointed out: 'As technology continues to evolve, so do cybercriminals' tactics.' This article explores some of the impacts of this GenAI-fueled acceleration, and examines what it means for IT leaders responsible for managing defenses and mitigating vulnerabilities."
https://thehackernews.com/2025/02/ai-powered-social-engineering-ancillary.html
- Ukraine Warns Of Growing AI Use In Russian Cyber-Espionage Operations
"Russia is increasingly using artificial intelligence to analyze data stolen in cyberattacks, making its operations more precise and effective, according to Ukrainian cyber officials. For years, Russian hackers have exfiltrated vast amounts of data from Ukrainian government agencies, military personnel, and ordinary citizens. However, analyzing and utilizing these large datasets has posed a challenge. Now, AI is helping to bridge that gap, according to Ihor Malchenyuk, director of the cyberdefense department at Ukraine’s State Service of Special Communications and Information Protection (SSCIP)."
https://therecord.media/russia-ukraine-cyber-espionage-artificial-intelligence
- Nearly 10 Years After Data And Goliath, Bruce Schneier Says: Privacy’s Still Screwed
"It has been nearly a decade since famed cryptographer and privacy expert Bruce Schneier released the book Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World - an examination of how government agencies and tech giants exploit personal data. Today, his predictions feel eerily accurate. At stake, he argued then, was a possibly irreversible loss of privacy, and the archiving of everything. As he wrote, science fiction author Charlie Stross described the situation as the "end of prehistory," in that every facet of our lives would be on a computer somewhere and available to anyone who knew how to find them."
https://www.theregister.com/2025/02/15/interview_bruce_schneier/
- January 2025 Infostealer Trend Report
"This report provides statistics, trends, and case information on the distribution quantity, distribution methods, and disguise techniques of Infostealer collected and analyzed during January 2025. Below is a summary of the report’s content."
https://asec.ahnlab.com/en/86342/
- January 2025 Deep Web And Dark Web Trend Report
"This trend report on the deep web and dark web of January 2025 is sectioned into Ransomware, DarkWeb Forums, and Markets. We would like to state beforehand that some of the content has yet to be confirmed to be true."
https://asec.ahnlab.com/en/86340/
- January 2025 Threat Trend Report On Ransomware
"This report provides statistics on the number of new ransomware samples, number of targeted systems, and targeted companies collected in January 2025, as well as major Korean and international ransomware issues worth noting. Below are the summarized details."
https://asec.ahnlab.com/en/86339/
- January 2025 APT Group Trends
"The following are the main APT groups and their cases based on the analysis reports released by security companies and organizations in January 2025."
https://asec.ahnlab.com/en/86336/
References
Electronic Transactions Development Agency (ETDA)