Cybersec Feeds Overview, Feb 10 - Feb 16, 2025 #

This brief consolidates key updates from 80+ sources, including government organizations, cybersecurity vendors, threat intelligence teams, security research labs, and blogs from cybersecurity communities and professionals. It highlights the most significant threats, vulnerabilities, and developments from the past week to keep you informed.

Gov Feeds #

• Multiple vulnerabilities found in Google Chrome, Fortinet products, and Adobe products could allow arbitrary or remote code execution. These vulnerabilities pose risks such as data manipulation and full user rights acquisition, especially affecting users with administrative privileges (Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution, Multiple Vulnerabilities in Fortinet Products Could Allow for Remote Code Execution, Multiple Vulnerabilities in Adobe Products Could Allow for Arbitrary Code Execution).

• Microsoft released critical patches to fix vulnerabilities that could result in remote code execution, underlining the importance of patch management. Attackers could gain access to install programs or create new user accounts (Critical Patches Issued for Microsoft Products, February 11, 2025).

• The Auto-ISAC released an SBOM informational report emphasizing the need for transparency and cooperation in managing software risks in the automotive supply chain. Future expansions could include machine-readable alerts (Auto-ISAC Issues “Software Bill of Materials” Informational Report).

• Siemens SIPROTEC 5 devices have multiple vulnerabilities, including cleartext storage of sensitive information and use of default credentials, highlighting the need for securing networked industrial systems (Siemens SIPROTEC 5, Siemens SIPROTEC 5 Devices).

• FS-ISAC released guidance for mitigating quantum computing risks in the payment card industry, highlighting future challenges in protecting financial sectors (FS-ISAC Releases Guidance to Help the Payment Card Industry Mitigate Risks of Quantum Computing).

• CISA and FBI warned of malicious actors exploiting buffer overflow vulnerabilities, which can be used to compromise entire systems, urging developers to adopt Secure by Design principles (CISA and FBI Warn of Malicious Cyber Actors Using Buffer Overflow Vulnerabilities to Compromise Software).

• CISA added several known exploited vulnerabilities to its catalog, identifying them as significant risks to federal enterprise networks, encouraging proactive remediation (CISA Adds Two Known Exploited Vulnerabilities to Catalog, CISA Adds Four Known Exploited Vulnerabilities to Catalog).

• The ransomware threat in the healthcare sector saw a decline in payment demands, yet the sector remains under significant threat, as demonstrated by the high-profile Change Healthcare attack (Change Healthcare Attack a Wake-up Call for the Industry, Health-ISAC Hacking Healthcare 2-11-2025).

Vendor Feeds #

• CVE-2024-38213 “copy2pwn” vulnerability in Microsoft Windows may allow files copied from WebDAV shared folders to bypass certain security protections. This issue, supposedly patched by Microsoft, remains exploitable due to flaws in the patch, affecting versions prior to Windows 11 and Server 2022 (Analysis of a Flaw in Microsoft’s Patch for “copy2pwn”).

• CVE-2025-21357 in Microsoft Outlook presents a remote code execution vulnerability allowing attackers to exploit Exchange server access. Microsoft and 0patch have released patches, with the flaw linked to the simple misinitialization of a variable (Micropatches Released for Microsoft Outlook RCE Vulnerability).

• A new ransomware group called Kraken Group has emerged, and more than 500,000 user records from South Korean art education institutions were leaked on BreachForums. The ransomware landscape remains dynamic, with Operation Phobos Aetor impacting the 8Base ransomware group (Ransom & Dark Web Issues). Additionally, Lynx ransomware is emerging as a successor of INC ransomware, posing threats across 90 organizations globally (Ransomware Roundup – Lynx).

• China-linked espionage tools are being repurposed for ransomware attacks, emphasizing the blurring lines between state-sponsored cyberespionage and cybercrime (China-linked Espionage Tools Used in Ransomware Attacks).

• Threats and operations from ransomware groups including Akira and LockBit continue to manifest globally, with significant attacks impacting organizations like Yazoo Valley Electric and McKinney city, Texas. These attacks are often characterized by data breaches and information exposure (10th February – Threat Intelligence Report).

• Cisco’s continued investment in cloud security is illustrated through its collaboration with Wiz to address AI-generated threats, portraying a push toward fortifying cloud infrastructures (Cisco and Wiz Collaborate to Enhance Cloud Security).

• Sweden’s Prime Minister has commented on suspected sabotage of the submarine cables, indicating possible Russian involvement without direct attribution, highlighting tensions in the Baltic Sea region (Sweden’s PM on Submarine Cable Sabotage).

• The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has highlighted risks associated with buffer overflow vulnerabilities and called for manufacturers to strengthen development practices to prevent these flaws (Cyberscurity Snapshot, Cybersecurity Snapshot).

News Feeds #

• Researchers uncovered a device code phishing campaign perpetrated by Russian-aligned groups, allowing them to access Microsoft accounts and capture authentication tokens. This attack involves duping users through messaging apps under the guise of important meetings (Microsoft: Hackers steal emails in device code phishing attacks, Threat researchers spot ‘device code’ phishing attacks targeting Microsoft accounts).

• New phishing threats include the Astaroth kit, which bypasses two-factor authentication across multiple platforms. It uses session hijacking and reverse proxy techniques to intercept user credentials (Astaroth 2FA Phishing Kit Targets Gmail, Yahoo, Office 365, and Third-Party Logins, Astaroth Phishing Kit Bypasses 2FA to Hijack Gmail and Microsoft Accounts).

• SonicWall and Palo Alto Networks have disclosed critical vulnerabilities being actively exploited. Attackers are targeting recently fixed flaws in these systems, leading to unauthorized access and potentially severe breaches. Admins are advised to patch immediately (Hackers exploit authentication bypass in Palo Alto Networks PAN-OS, SonicWall firewall bug leveraged in attacks after PoC exploit release).

• Microsoft patched 63 vulnerabilities in its latest update, including two zero-day flaws under active exploitation. The updates focus on high-severity vulnerabilities across several Windows and Office components (Microsoft fixes 63 vulnerabilities, including 2 zero-days, Microsoft Patch Tuesday for February Includes Two Zero Days Under Attack).

• Salt Typhoon, a Chinese nation-state threat actor, continues to exploit vulnerabilities in Cisco network devices, affecting telecom providers and educational institutions globally. Authorities urge addressing Cisco’s security advisories immediately (Chinese hackers breach more US telecoms via unpatched Cisco routers, Salt Typhoon Exploits Cisco Devices in Telco Infrastructure).

• Emerging malware threats include a Go-based backdoor using Telegram as a C2 channel, allowing attackers to maintain persistent access to compromised systems (New Go-Based Malware Exploits Telegram and Use It as C2 Channel).

• Cybercrime operations continue to exploit hosting providers and unpatched routers, as seen in the sanctions against Zservers for supporting ransomware operations like LockBit (U.S. sanctions bulletproof hosting provider for supplying LockBit infrastructure, Dutch Police seizes 127 XHost servers, dismantles bulletproof hoster).

• North Korean IT workers have been infiltrating international firms under false identities, compromising corporate networks by planting backdoors and stealing sensitive intellectual property (North Korean IT Workers Infiltrate International Companies To Plant Backdoors on Systems, North Korean IT Workers Penetrate Global Firms to Install System Backdoors).

• Australia imposed sanctions after the Medibank Private cyberattack traced back to Russian infrastructure providers, reflecting increasing global emphasis on cyber retaliation against nation-state actions (Australia Imposes New Cyber Sanctions in Response to Medibank Private Cyberattack).

Personal Feeds #

• Lumma Stealer and StrelaStealer infections are active, using ClickFix and malspam techniques, respectively. These activities involve password-protected zip files with new password schemes on the attack vectors that lead to credential theft (Quick post: ClickFix style infection for Lumma Stealer, StrelaStealer infection).

• Russian and North Korean threat actors are exploiting new vulnerabilities in widely-used systems. A buffer overflow vulnerability in Windows (CVE-2025-21418) is actively exploited, and a phishing campaign by Storm-2372 using device code phishing targets government and private sectors globally. Meanwhile, DEEP#DRIVE malware is used by North Korean actors targeting trusted platforms (Microsoft Patch Tuesday, February 2025 Edition, Storm-2372 used the device code phishing technique since August 2024, Analyzing DEEP#DRIVE: North Korean Threat Actors Observed Exploiting Trusted Platforms for Targeted Attacks).

• Vulnerabilities in major technology platforms continue to emerge and are being actively exploited. Notably, Palo Alto Networks PAN-OS and PostgreSQL have recently disclosed vulnerabilities (CVE-2025-0108 and CVE-2025-1094) that threat actors are exploiting for unauthorized system access and remote code execution (Attackers exploit recently disclosed Palo Alto Networks PAN-OS firewalls bug, Experts discovered PostgreSQL flaw chained with BeyondTrust zeroday in targeted attacks).

• CISA has upgraded its Known Exploited Vulnerabilities catalog with new entries, including flaws related to Apple iOS, iPadOS, SimpleHelp software, and Mitel SIP phones, necessitating urgent patching to prevent exploitation (U.S. CISA adds Apple iOS and iPadOS and Mitel SIP Phones flaws to its Known Exploited Vulnerabilities catalog, U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog).

• Chinese APT group Salt Typhoon exploits unpatched Cisco IOS XE vulnerabilities to infiltrate telecom networks globally, emphasizing the persistent threat to critical infrastructure from state-sponsored actors (China-linked APT Salt Typhoon breached telecoms by exploiting Cisco router flaws).

• Ransomware remains a top threat, with US charging two Russian individuals for $16 million in extortions and the UK government sanctions targeting a Russian cybercriminal network facilitating LockBit attacks. Investigative focus remains on ransomware operation takedowns and infrastructure (US charges two Russian men in connection with Phobos ransomware operation, Investigating Anonymous VPS services used by Ransomware Gangs).

• Elevation of privilege vulnerabilities in Windows Storage and components could allow attackers to delete files remotely, showcasing risks in OS components that may otherwise seem secure (Microsoft Patch Tuesday, February 2025 Edition).

Community Feeds #

• PandasAI, an open-source project by SinaptikAI, is vulnerable to prompt injection attacks, leading to potential remote code execution (RCE) through crafted malicious inputs in Python. The vulnerability, tracked as CVE-2024-12366, allows bypassing restrictions and security controls of the AI agent. SinaptikAI addressed this issue by introducing configuration parameters for security customization (VU#148244: PandasAI interactive prompt function can be exploited to run arbitrary Python code through prompt injection, which can lead to remote code execution (RCE)).

• Millions of internet systems are vulnerable to unauthenticated IPIP, GRE, 4in6, or 6in4 traffic, potentially allowing one-way proxies, spoofing, and network access control bypass. The vulnerabilities, similar to CVE-2020-10136, affect tunneling protocols leading to amplified Denial-of-Service (DoS) and Economic Denial of Sustainability (EDoS) attacks. Affected systems can enable traffic looping between systems with significant amplification (VU#199397: Insecure Implementation of Tunneling Protocols (GRE/IPIP/4in6/6in4)).

• The Rsync file-synchronization tool contains six vulnerabilities in version 3.3.0 and below, including heap-buffer overflow and symbolic-link race condition that could result in arbitrary code execution and privilege escalation. Affected systems can lead to sensitive data exposure and unauthorized file operations, necessitating immediate application of available patches (VU#952657: Rsync contains six vulnerabilities).

• A PostgreSQL zero-day vulnerability was exploited in a breach of BeyondTrust, highlighting critical gaps in database security management and the need for stringent patching practices (PostgreSQL flaw exploited as zero-day in BeyondTrust breach).

• Microsoft has released patches for 141 vulnerabilities, including four classified as critical. Notably, two vulnerabilities are currently being exploited in the wild, and one zero-day vulnerability has been disclosed, emphasizing the urgency of applying these updates (Microsoft February 2025 Patch Tuesday).

• Security flaws in various tunneling and encapsulation protocols have been reported, with specific CVEs indicating the lack of proper source validation. This exposes affected systems to spoofing and access control bypass vulnerabilities, necessitating updated security configurations (VU#199397: Insecure Implementation of Tunneling Protocols (GRE/IPIP/4in6/6in4)).

• A new malware, FinalDraft, uses Outlook for stealthy communications, indicating a trend towards abusing legitimate services for command-and-control channels, requiring monitoring of authorized services for unusual patterns (New FinalDraft malware abuses Outlook mail service for stealthy comms).

Disclaimer #

The summaries in this brief are generated autonomously by the OpenAI LLM model based on the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.

This document is created with BlackStork and is based on the template available on GitHub.

Reach out if you have questions or suggestions.