Cyber Threat Intelligence 25 February 2025
Industrial Sector
- IT/OT Convergence Fuels Manufacturing Cyber Incidents
"Converged IT and operational technology (OT) systems were targeted in 75% of cyber incidents impacting manufacturing firms in the past 12 months. A new report by Telstra International and Omdia highlighted the significant cyber risks from IT/OT convergence and a lack of preparedness from manufacturers to deal with this threat. The process of using IT systems to communicate and control OT – programmable systems that interact with industrial equipment – can significantly enhance efficiency in sectors like manufacturing and energy."
https://www.infosecurity-magazine.com/news/itot-fuels-manufacturing-cyber/
https://www.telstrainternational.com/en/news-research/research/secure-manufacturing-the-challenges-of-IT-OT-convergence
Government/Law/Policy
- Apple Pulls Data Protection Tool After UK Government Security Row
"Apple is taking the unprecedented step of removing its highest level data security tool from customers in the UK, after the government demanded access to user data. Advanced Data Protection (ADP) means only account holders can view items such as photos or documents they have stored online through a process known as end-to-end encryption. But earlier this month the UK government asked for the right to see the data, which currently not even Apple can access. Apple did not comment at the time but has consistently opposed creating a "backdoor" in its encryption service, arguing that if it did so, it would only be a matter of time before bad actors also found a way in."
https://www.bbc.com/news/articles/cgj54eq4vejo
https://techcrunch.com/2025/02/21/apple-pulls-icloud-end-to-end-encryption-feature-for-uk-users-after-government-demanded-backdoor/
https://securityaffairs.com/174500/security/apple-removes-icloud-encryption-in-uk.html
https://www.infosecurity-magazine.com/news/experts-government-disastrous/
New Tooling
- Misconfig Mapper: Open-Source Tool To Uncover Security Misconfigurations
"Misconfig Mapper is an open-source CLI tool built in Golang that discovers and enumerates instances of services used within your organization. It performs large-scale detection and misconfiguration assessments, leveraging customizable templates with detection and misconfiguration fingerprints to identify potential security risks in widely used third-party software and services."
https://www.helpnetsecurity.com/2025/02/24/misconfig-mapper-open-source-tool-uncover-security-misconfigurations/
https://github.com/intigriti/misconfig-mapper
Vulnerabilities
- Dropping a 0 Day: Parallels Desktop Repack Root Privilege Escalation
"Today, I am disclosing a 0-day vulnerability that bypasses the patch for CVE-2024-34331. I have identified two distinct methods to circumvent the fix. Both bypasses were reported separately to the Zero Day Initiative (ZDI) and the affected vendor Parallels. Unfortunately, their responses have been deeply unsatisfactory. Given that the vendor has left this vulnerability unaddressed for over seven months—despite prior disclosure—I have chosen to publicly disclose this 0-day exploit. My goal is to raise awareness and urge users to mitigate risks proactively, as attackers could leverage this flaw in the wild."
https://jhftss.github.io/Parallels-0-day/
https://www.bleepingcomputer.com/news/security/exploits-for-unpatched-parallels-desktop-flaw-give-root-on-macs/
https://www.darkreading.com/application-security/zero-day-bug-parallels-desktop-mac
- CISA Adds Two Known Exploited Vulnerabilities To Catalog
"CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2017-3066 Adobe ColdFusion Deserialization Vulnerability
CVE-2024-20953 Oracle Agile Product Lifecycle Management (PLM) Deserialization Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/02/24/cisa-adds-two-known-exploited-vulnerabilities-catalog
- Reflected XSS Patched In Essential Addons For Elementor Affecting 2+ Million Sites
"This blog post is about the Essential Addons for Elementor plugin vulnerability. If you’re an Essential Addons for Elementor user, please update the plugin to at least version 6.0.15."
https://patchstack.com/articles/reflected-xss-patched-in-essential-addons-for-elementor-affecting-2-million-sites/
https://www.infosecurity-magazine.com/news/elementor-plugin-vulnerability-2m/
- Exim < 4.98.1 SQL Injection
"Exim 4.98 before 4.98.1, when SQLite hints and ETRN serialization are used, allows remote SQL injection. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number."
https://www.tenable.com/plugins/nessus/216608
https://exim.org/static/doc/security/CVE-2025-26794.txt
Malware
- Botnet Targets Basic Auth In Microsoft 365 Password Spray Attacks
"A massive botnet of over 130,000 compromised devices is conducting password-spray attacks against Microsoft 365 (M365) accounts worldwide, targeting basic authentication to evade multi-factor authentication. According to a report by SecurityScorecard, the attackers are leveraging credentials stolen by infostealer malware to target the accounts at a large scale. The attacks rely on non-interactive sign-ins using Basic Authentication (Basic Auth) to bypass Multi-Factor Authentication (MFA) protections and gain unauthorized access without triggering security alerts."
https://www.bleepingcomputer.com/news/security/botnet-targets-basic-auth-in-microsoft-365-password-spray-attacks/
https://securityscorecard.com/research/massive-botnet-targets-m365-with-stealthy-password-spraying-attacks/
https://therecord.media/botnet-credentials-microsoft-spraying-attack
https://securityaffairs.com/174595/cyber-crime/large-botnet-targets-m365-password-spraying-attacks.html
https://hackread.com/botnet-devices-microsoft-365-password-spraying-attack/
https://www.helpnetsecurity.com/2025/02/24/botnet-hits-microsoft-365-accounts/
- How Hunting For Vulnerable Drivers Unraveled A Widespread Attack
"In the increasingly complex world of Windows security, attackers find it harder to execute malicious code undetected. Consequently, they are now focusing on exploiting vulnerabilities in drivers—software components that run in the kernel mode with the highest permissions. When these drivers are compromised, they provide attackers with a pathway to bypass security measures and prepare for further infections."
https://blog.checkpoint.com/research/how-hunting-for-vulnerable-drivers-unraveled-a-widespread-attack/
- The GitVenom Campaign: Cryptocurrency Theft Using GitHub
"In our modern world, it’s difficult to underestimate the impact that open-source code has on software development. Over the years, the global community has managed to publish a tremendous number of projects with freely accessible code that can be viewed and enhanced by anyone on the planet. Very frequently, code published on the Internet serves as a source of inspiration for software developers – whenever they need to implement a project feature, they often check whether the code they need is already available online. This way, they avoid reinventing the wheel and thus save their precious time."
https://securelist.com/gitvenom-campaign/115694/
- Auto-Color: An Emerging And Evasive Linux Backdoor
"Between early November and December 2024, Palo Alto Networks researchers discovered new Linux malware called Auto-color. We chose this name based on the file name the initial payload renames itself after installation."
https://unit42.paloaltonetworks.com/new-linux-backdoor-auto-color/
- FatalRAT Attacks In APAC
"A Kaspersky ICS CERT investigation uncovered a cyberthreat specifically targeting various industrial organizations in the Asia-Pacific region. The threat was orchestrated by attackers using legitimate Chinese cloud content delivery network (CDN) myqcloud and the Youdao Cloud Notes service as part of their attack infrastructure. The attackers employed a sophisticated multi-stage payload delivery framework to ensure evasion of detection. Their techniques included the use of a native file hosting CDN, publicly available packers for sample encryption, dynamic changes in command and control (C2) addresses, a CDN hosting the payload, and the use of DLL sideloading."
https://ics-cert.kaspersky.com/publications/reports/2025/02/24/fatalrat-attacks-in-apac-backdoor-delivered-via-an-overly-long-infection-chain-to-chinese-speaking-targets/
Breaches/Hacks/Leaks
- Russia Warns Financial Sector Of Major IT Service Provider Hack
"Russia's National Coordination Center for Computer Incidents (NKTsKI) is warning organizations in the country's credit and financial sector about a breach at LANIT, a major Russian IT service and software provider. According to the bulletin, which was also published on the website of GosSOPKA (State System for Detection, Prevention, and Elimination of Consequences of Computer Attacks), the attack took place on February 21, 2025, and potentially impacted LLC LANTER and LLC LAN ATMservice, both part of the LANIT Group of Companies. LANIT Group is a significant and influential company in Russia's information technology sector, considered the country's largest system integrator."
https://www.bleepingcomputer.com/news/security/russia-warns-financial-sector-of-major-it-service-provider-hack/
- North Korean Hackers Linked To $1.5 Billion Bybit Crypto Heist
"Over the weekend, blockchain security companies and experts have linked North Korea's Lazarus hacking group to the theft of over $1.5 billion from cryptocurrency exchange Bybit. In what is now considered the largest crypto heist in history, the attackers intercepted a planned transfer of funds from one of Bybit's cold wallets into a hot wallet, redirecting the crypto assets to a blockchain address under their control."
https://www.bleepingcomputer.com/news/security/north-korean-hackers-linked-to-15-billion-bybit-crypto-heist/
https://therecord.media/lazarus-hackers-behind-bybit-crypto-heist
https://hackread.com/investigators-link-bybit-hack-north-korea-lazarus-group/
https://securityaffairs.com/174514/cyber-crime/lazarus-stole-1-5b-from-bybit-cryptocurrency-heist.html
https://www.securityweek.com/1-5-billion-bybit-heist-linked-to-north-korean-hackers/
General News
- Could The Plot Of Netflix's 'Zero Day' Occur IRL?
"What would a 9/11-style cyberattack on America look like? On Thursday, Netflix released a miniseries called Zero Day that imagines such an event. As Wolf Blitzer so helpfully describes nine minutes into the pilot, the attack is comprised "not only of widespread outages impacting multiple regional power grids, but of computer systems that control transportation, communications, and other infrastructure that are completely hijacked, with safety systems somehow overridden.""
https://www.darkreading.com/cyber-risk/netflix-zero-day-irl
- How APT Naming Conventions Make Us Less Safe
"It's no secret within the information security industry that advanced persistent threat (APT) naming conventions have gotten out of control. They're also a growing source of frustration. Every group has a list of increasingly outlandish names that make it hard enough to track a single group across multiple campaigns, let alone from one vendor report to the next. It's a practice that has grown out of the desire for vendors to identify specific threat actors and/or campaigns while simultaneously linking the discovery to subtle company branding."
https://www.darkreading.com/cyber-risk/how-apt-naming-conventions-make-us-less-safe
- Proofpoint Research: 2024 Account Takeover Statistics
"Have you ever wondered what the most prevalent cyberattack type is? It is a hard question to answer. Attacks operate at so many different levels and are often chained together to complete the malicious mission. Some readers are probably thinking of ransomware, others phishing, and others malicious URLs. All are certainly common elements of an attack, whether endgames or steps along the way. And all are also very prevalent. I would like to add account takeovers (ATOs) or account compromises to the mix. Consider how useful it is for a threat actor to gain control over a legitimate user account as they try to penetrate an organization for any number of malicious endgames. A perfect, very public example of this was last year’s Snowflake breach."
https://www.proofpoint.com/us/blog/threat-insight/account-takeover-statistics
https://www.helpnetsecurity.com/2025/02/24/account-takeover-detection-theres-no-single-tell/
- EU Sanctions North Korean Tied To Lazarus Group Over Involvement In Ukraine War
"The European Union on Monday adopted a new package of sanctions against Russia, targeting individuals allegedly involved in cyberwarfare and information operations against Ukraine. Among those sanctioned is Lee Chang Ho, a 58-year-old identified as the head of North Korea’s Reconnaissance General Bureau (RGB), the country’s intelligence agency. According to the European Council, Lee was involved in deploying North Korean personnel to support Russia’s war against Ukraine and has overseen cyberattack units, including those known in the West as Lazarus and Kimsuky. He also coordinated North Korean soldiers deployed on the battlefield in Ukraine, “who may have been given tasks related to irregular guerrilla warfare,” the EU said."
https://therecord.media/eu-sanctions-north-korea-ukraine-war-lazarus-group
References
Electronic Transactions Development Agency (ETDA)