Cybersec Feeds Overview, Jan 13 - Jan 19, 2025 #

This brief consolidates key updates from 80+ sources, including government organizations, cybersecurity vendors, threat intelligence teams, security research labs, and blogs from cybersecurity communities and professionals. It highlights the most significant threats, vulnerabilities, and developments from the past week to keep you informed.

Gov Feeds #

• Multiple vulnerabilities in Rsync, Fortinet products, Adobe products, and Microsoft products could allow for remote or arbitrary code execution. Exploitation in each case could lead to installation of programs or data alteration, particularly affecting systems where users have administrative rights (Multiple Vulnerabilities in Rsync Could Allow for Remote Code Execution, Multiple Vulnerabilities in Fortinet Products Could Allow for Remote Code Execution, Multiple Vulnerabilities in Adobe Products Could Allow for Arbitrary Code Execution, Critical Patches Issued for Microsoft Products, January 14, 2025).

• CISA and FBI released updated guidance on product security bad practices highlighting the importance of memory-safe languages and timely patching for Known Exploited Vulnerabilities (CISA and FBI Release Updated Guidance on Product Security Bad Practices).

• The Siemens Mendix LDAP and Siemens Industrial Edge Management systems have been reported vulnerable to LDAP Injection and Cross-Site Scripting vulnerabilities, respectively, allowing attackers to extract sensitive information (Siemens Mendix LDAP, Siemens Industrial Edge Management).

• New HIPAA cybersecurity rules proposed for 2025 are set to hold healthcare organizations to stricter cybersecurity standards, potentially incurring high compliance costs (New HIPAA Cybersecurity Rules Pull No Punches, What’s in HHS’ Proposed HIPAA Security Rule Overhaul?).

• CISA has added multiple vulnerabilities to the Known Exploited Vulnerabilities Catalog, including those affecting Aviatrix Controllers and Microsoft Hyper-V, indicating active exploitation risks (CISA Adds Two Known Exploited Vulnerabilities to Catalog, CISA Adds Four Known Exploited Vulnerabilities to Catalog).

• Notable vulnerabilities have been found in ICS components including Hitachi FOX61x, Fuji Electric Alpha5 SMART, and Siemens SIPROTEC systems, affecting critical infrastructure industries with risks ranging from code execution to credential exposure (Fuji Electric Alpha5 SMART, Siemens Siveillance Video Camera, Siemens SIPROTEC 5 Products).

• CISA’s release of the Microsoft Expanded Cloud Logs Implementation Playbook provides methodologies for utilizing new logs in threat detection and response (CISA Releases Microsoft Expanded Cloud Logs Implementation Playbook).

• Multiple Industrial Control Systems advisories were issued by CISA, updating on security vulnerabilities impacting numerous ICS products, urging review for mitigations (CISA Releases Twelve Industrial Control Systems Advisories, CISA Releases Four Industrial Control Systems Advisories).

Vendor Feeds #

• A Windows denial of service vulnerability, CVE-2024-49113, has been addressed. It was known as “LDAPNightmare” and could crash critical services like lsass.exe, forcing a system reboot. Mitigations include micropatches for legacy Windows versions (Micropatches Released for Windows “LDAPNightmare”).

• Attackers have initiated a spear-phishing campaign targeting WhatsApp accounts using QR codes. This campaign, linked to Russian actors (Star Blizzard), impersonates officials to gain access to high-profile targets like journalists and NGOs (Warning Against ModiLoader (DBatLoader) Spreading via MS Windows CAB Header Batch File (*.cmd), New Star Blizzard spear-phishing campaign targets WhatsApp accounts).

• New vulnerabilities CVE-2025-0282 and CVE-2025-0283 affect multiple Ivanti products, allowing remote code execution and privilege escalation. Attack details point to active exploits and require immediate attention (Threat Brief: CVE-2025-0282 and CVE-2025-0283).

• Recent cyberattacks include ransomware groups targeting International Civil Aviation Organization (ICAO), Argentina’s airport security police, and Slovakia’s land registry with compromised payroll systems and ransomware attacks (13th January– Threat Intelligence Report).

• Malwarebytes reports a sophisticated campaign involving the takeover of Google advertiser accounts using fake ads. It’s a significant malvertising operation targeting Google’s core business (The great Google Ads heist: criminals ransack advertiser accounts via fake Google ads).

• A macOS vulnerability, CVE-2024-44243, allows bypassing System Integrity Protection (SIP) via kernel extensions. Successful exploits could lead to rootkits and bypass several security protocols (Analyzing CVE-2024-44243, a macOS System Integrity Protection bypass).

• The Zero Day Initiative highlights security issues with the Autel MaxiCharger, focusing on attack surfaces in mobile applications and hardware. This includes examining components for potential vulnerabilities (Reviewing the Attack Surface of the Autel MaxiCharger: Part Two).

• Microsoft released patches for 157 CVEs, addressing vulnerabilities across products like Windows, Hyper-V, and Office, marking it the largest Patch Tuesday update ever with active exploits for three CVEs (Microsoft’s January 2025 Patch Tuesday).

• A new data breach incident reports multiple cases where UpGuard identified exposed confidential data by vendors for firms including HCL and Accenture, affecting employee passwords and internal business information (Open Enrollment: How HCL Exposed Employee Passwords and Project Data).

News Feeds #

• Russian state-sponsored hackers, identified as Star Blizzard, have shifted their tactics to target WhatsApp accounts. This involves phishing campaigns impersonating U.S. government officials to gain unauthorized access to WhatsApp messages, potentially compromising sensitive communications. (Star Blizzard hackers abuse WhatsApp to target high-value diplomats, Russian Star Blizzard is Now After Your WhatsApp Data)

• A critical vulnerability exists in improperly wound-down Google Apps domains, which can be exploited by new owners to access Google accounts of former employees. This flaw affects numerous defunct tech startups that used Google Workspace and OAuth services. (Startup necromancy: Dead Google Apps domains can be compromised by new owners)

• The U.S. Treasury Department has sanctioned a Chinese cybersecurity company and a hacker involved in extensive breaches, including the Salt Typhoon campaign which impacted U.S. telecoms and the Treasury. This move marks the first formal attribution for these attacks. (Treasury sanctions Chinese cybersecurity company, affiliate for Salt Typhoon hacks, US Sanctions Chinese Hacker & Firm for Treasury, Critical Infrastructure Breaches)

• CISA and Microsoft have released a new guide that allows organizations to enhance their threat detection capabilities using expanded cloud logs. This new guidance focuses on utilizing Microsoft Purview Audit logs to strengthen cybersecurity operations and improve incident response. (New CISA-Microsoft Guide Enables Organizations to Leverage Expanded Cloud Logs for Threat Detection)

• The U.S. Federal Trade Commission has ordered GoDaddy to address its inadequate security practices following multiple significant data breaches resulting from these vulnerabilities. This reflects a broader regulatory trend to hold companies accountable for cybersecurity lapses. (FTC Orders GoDaddy to Fix Inadequate Security Practices)

• The Biden Administration issued an extensive cybersecurity executive order emphasizing software security, secure cloud practices, and advanced logging to protect federal infrastructure. This order sets a framework for future cyber policy under the incoming administration. (Biden Cybersecurity Order Lays Out Ambitious Plan for Government Security, Biden’s Cybersecurity EO Leaves Trump a Comprehensive Blueprint for Defense)

• Northeastern United States is seeing scammers exploiting regional natural disasters, such as the California wildfires, to launch phishing attacks. These scams trick victims with fake domains posing as legitimate charities. (Scammers Exploit California Wildfires, Posing as Fire Relief Services)

• A significant Active Directory vulnerability allows attackers to bypass NTLMv1 authentication Group Policy settings, exposing networks to potential attacks due to outdated authentication protocols. Organizations need to address this misconfiguration urgently. (Hackers Easily Bypass Active Directory Group Policy to Allow Vulnerable NTLMv1 Auth Protocol, Researchers Warn of NTLMv1 Bypass in Active Directory Policy)

Personal Feeds #

• The U.S. Treasury sanctioned a Chinese cybersecurity firm and a cyber actor linked to a federal agency breach, escalating tensions with China over cyber espionage (U.S. Treasury Sanctions Chinese cybersecurity firm and actor over federal agency breach tied to Salt Typhoon).
• Microsoft addressed 161 security vulnerabilities, including three active “zero-day” exploits affecting Windows Hyper-V, underscoring ongoing threats to enterprise environments (Microsoft: Happy 2025. Here’s 161 Security Updates).
• A vulnerability in the WordPress W3 Total Cache plugin allows exploitation by authenticated attackers to access sensitive internal services, affecting over one million sites. The vulnerability has been patched in version 2.8.2 (A flaw in the W3 Total Cache plugin exposes hundreds of thousands of WordPress sites to attacks).
• A Chinese phishing kit innovation has led to an increase in SMS “toll phishing” attacks across multiple U.S. states, using mobile-friendly tactics to steal payment card information (Chinese Innovations Spawn Wave of Toll Phishing Via SMS).
• New malware and ransomware tactics surface, including the use of backdoors and cryptominers exploiting an unpatched Aviatrix Controllers vulnerability. CISA added this to its Known Exploited Vulnerabilities catalog (U.S. CISA adds Aviatrix Controllers vulnerability to its Known Exploited Vulnerabilities catalog).
• The FBI successfully executed a takedown operation against the PlugX malware on thousands of U.S. systems, demonstrating international cooperation in cybersecurity defense (FBI Deletes PlugX Malware from Thousands of Computers).
• Ghostwriter APT continues targeting Ukraine with Cobalt Strike through Excel documents, illustrating ongoing geopolitical cyber threats (Tracking Adversaries: Ghostwriter APT Infrastructure).
• Email addresses found in stealer logs can now be queried in Have I Been Pwned to help individuals discover which websites had their credentials exposed, enhancing user security awareness (Experimenting with Stealer Logs in Have I Been Pwned).

Community Feeds #

• Hackers are using malware hidden in website images to deliver various infostealers through a shared infection chain (Hackers hide malware into website images to go unnoticed).

• The DOJ has linked hacks on AT&T and Verizon to a US Army soldier, highlighting insider threats and the risk they present to infrastructure security (AT&T and Verizon hacks linked to US Army soldier: DOJ).

• A security breach at Otelier has exposed sensitive booking and client information from major hotel chains like Marriot and Hilton, underscoring vulnerabilities in third-party systems (Otelier Breach Exposes Marriot, Hilton Bookings and Client Info).

• Chinese hackers accessed the US Treasury Secretary’s PC along with over 400 others, indicating ongoing, sophisticated cyber espionage activities targeting government entities (Chinese hackers infiltrated US Treasury Secretary’s PC).

• Multiple groups are exploiting a probable zero-day vulnerability in Fortinet FortiGate firewalls, pointing to possible weaknesses in exposed management consoles (Threat actors exploit a probable 0-day in exposed management consoles of Fortinet FortiGate firewalls).

• Microsoft has issued a Patch Tuesday update addressing 209 vulnerabilities, including several zero-day exploits, recommending immediate attention to prevent privilege escalation and remote code execution (Microsoft January 2025 Patch Tuesday).

• New vulnerabilities discovered in Microsoft Configuration Manager allow unauthenticated attackers to perform SQL injections, impacting system integrity (Microsoft Configuration Manager (ConfigMgr / SCCM) 2403 Unauthenticated SQL injections).

• Millions of Google accounts are at risk due to an OAuth flaw, which could enable unauthorized access and highlight the need for strengthened authentication mechanisms (Millions of Accounts Vulnerable due to Google’s OAuth Flaw, Google OAuth 2.0).

• A previously unreported CVE impacting Netgear routers has been documented after 12 years, showing the potential neglect of structured reporting in legacy systems (The Curious Case of a 12-Year-Old Netgear Router Vulnerability).

Disclaimer #

The summaries in this brief are generated autonomously by the OpenAI LLM model based on the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.

This document is created with BlackStork and is based on the template available on GitHub.

Reach out if you have questions or suggestions.