CyberSecurity updates
2025-01-19 14:25:56 Pacific

US Treasury Hacked by Chinese APT Group - 18h

The US Treasury Department sanctioned a Chinese cybersecurity firm, Sichuan Juxinhe, and a Shanghai-based hacker, Yin Kecheng, for their involvement in the Salt Typhoon cyberattacks. These attacks targeted major US telecom companies, compromising sensitive data and the US Treasury’s network, including systems used for sanctions and foreign investment reviews, and even impacted the computer of the outgoing Treasury Secretary Janet Yellen. This highlights the ongoing sophisticated cyber espionage campaigns from China targeting critical infrastructure and government entities within the US and globally. The sanctioned entities are directly linked to the Chinese Ministry of State Security (MSS), and used a combination of zero-day exploits and other techniques for infiltrating networks and exfiltrating data. The compromise of the Department of the Treasury’s network is considered a major breach, potentially impacting national security due to access to sensitive information.

GM Banned from Selling Driver Data - 4h

General Motors and OnStar are banned from disclosing consumers’ geolocation and driver behavior data to consumer reporting agencies for five years. The FTC launched an investigation after reports that GM collected data about customers’ vehicle use and sold it to third-party platforms used by insurance companies without adequate consent, specifically from the OnStar Smart Driver program. GM has now stopped sharing sensitive information with data brokers and must take additional steps to increase transparency for its customers.

Russian Star Blizzard Targets WhatsApp Accounts - 2d

The Russian threat actor Star Blizzard has shifted its tactics, now targeting WhatsApp accounts via spear-phishing. The campaign involves messages that prompt victims to join a WhatsApp group, where their credentials can be harvested. This marks a departure from their previous methods, likely to evade detection. The primary targets are individuals involved in government, diplomacy, defense, and international relations, indicating an espionage-focused campaign. The use of social engineering via WhatsApp is a notable shift for this APT group.

DOJ Removes China's PlugX Malware from US Computers - 3d

The US Department of Justice, with the FBI, conducted a multi-month operation to remove the PlugX malware from over 4,200 infected computers in the United States. PlugX is a remote access trojan (RAT) widely used by threat actors associated with the People’s Republic of China. This action targeted the command and control infrastructure used by these actors to compromise systems, disrupting their ability to maintain persistent access and conduct further malicious activities on affected networks. The operation underscores the US government’s proactive efforts in combating state-sponsored cyber espionage activities, aiming to neutralize threats before they can be further leveraged for malicious purposes.

UEFI Secure Boot Bypass Vulnerability Discovered - 2d

A newly discovered vulnerability, CVE-2024-7344, in the UEFI Secure Boot mechanism allows attackers to bypass Secure Boot protections and execute unsigned code during the boot process. The flaw, located in a signed UEFI application, enables the deployment of malicious UEFI bootkits and potentially affects a wide range of UEFI-based systems. This highlights the urgency of patching affected UEFI bootloaders.

Six vulnerabilities discovered in rsync - 3d

Multiple vulnerabilities have been discovered in rsync, a widely used file transfer program. Six vulnerabilities have been identified, including a critical remote code execution (RCE) vulnerability (CVE-2024-12084) that allows attackers with anonymous read access to an rsync server to execute arbitrary code on the machine. The other vulnerabilities include information leaks and symlink issues. Users are advised to upgrade to rsync version 3.4.0, released on January 14th, to patch these issues. This highlights the importance of timely patching and update processes for critical network utilities.

North Korea targets Web3 developers via LinkedIn - 2d

North Korean IT workers have been linked to a crowdfunding scam and are targeting Web3 developers with fake LinkedIn profiles in Operation 99. These workers use fraudulent schemes to generate revenue for North Korea’s government. The operation shows how North Korea uses cyber tactics to bypass international sanctions and fund its operations by targeting the blockchain industry. The United States, Japan, and the Republic of Korea have jointly issued a stark warning about these activities, indicating the severity of the situation.

Veeam Azure Backup SSRF Vulnerability Patched - 1d

A high-risk Server-Side Request Forgery (SSRF) vulnerability, identified as CVE-2025-23082, has been discovered in Veeam Backup for Microsoft Azure. This flaw allows attackers to send unauthorized requests from the system, leading to potential network enumeration and other attacks. Veeam has released a patch to address this vulnerability. The SSRF vulnerability underscores the risk in cloud-based backup solutions and the need for consistent patch management.

Otelier Data Breach Exposes Millions of Hotel Guests - 1d

Otelier, a hotel management platform, suffered a significant data breach after attackers compromised its Amazon S3 cloud storage. Millions of guests’ personal information and hotel reservations were stolen. The affected hotel brands include Marriott, Hilton, and Hyatt. The stolen data could include personally identifiable information and reservation details, exposing guests to potential identity theft and fraud.

FastHTTP Used in High-Speed Microsoft 365 Attacks - 2d

Hackers are using the FastHTTP library for Go to perform high-speed brute-force password attacks against Microsoft 365 accounts globally. The attacks are characterized by a large volume of HTTP requests aimed at Azure Active Directory endpoints. This technique demonstrates how high-performance libraries can be abused to conduct rapid credential-based attacks.
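As a defender-side illustration of the attack pattern described above, the following added example (not code from this digest or from any vendor report it summarizes) scans sign-in records for the two signals such a campaign leaves in logs: a burst of failed sign-ins from one source address within a short window, and a client user agent identifying the fasthttp Go library. The log format, field names, threshold, and sample records are constructed assumptions, not Microsoft's actual sign-in log schema; the user-agent match is a heuristic, since a client built on fasthttp sends that library's default user agent unless the operator changes it.

```python
"""Flag sources of high-rate failed sign-ins in constructed sign-in logs.

Added example, not part of the original news digest. Records are JSON
lines with an assumed, simplified schema: time (ISO 8601), user, ip,
ua (user agent), status ("success" or "failure").
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 20          # failures per source IP within WINDOW to flag
WINDOW = timedelta(minutes=1)


def constructed_log():
    """Build sample records: one benign user and one spraying source (constructed data)."""
    base = datetime(2025, 1, 17, 9, 0, 0)
    lines = []
    # Benign user: one typo, then a successful sign-in, from a normal browser.
    for i, status in enumerate(("failure", "success")):
        lines.append(json.dumps({
            "time": (base + timedelta(seconds=30 * i)).isoformat(),
            "user": "alice@example.com",
            "ip": "198.51.100.7",
            "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
            "status": status,
        }))
    # Spraying source: 60 failures in 30 seconds across 12 accounts, fasthttp client.
    for i in range(60):
        lines.append(json.dumps({
            "time": (base + timedelta(milliseconds=500 * i)).isoformat(),
            "user": f"user{i % 12}@example.com",
            "ip": "203.0.113.10",
            "ua": "fasthttp",
            "status": "failure",
        }))
    return lines


def parse_line(line):
    """Parse one JSON record and convert its timestamp to a datetime."""
    rec = json.loads(line)
    rec["time"] = datetime.fromisoformat(rec["time"])
    return rec


def detect(lines, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {ip: {"reasons": [...], "peak_failures": n, "accounts": n}} for suspicious IPs.

    A sliding window per source IP tracks recent failure timestamps; the peak
    count inside any window is compared with the threshold. Independently,
    any IP presenting a fasthttp user agent is recorded.
    """
    recent = defaultdict(deque)     # ip -> timestamps of failures still inside the window
    peak = defaultdict(int)         # ip -> highest failure count seen in one window
    accounts = defaultdict(set)     # ip -> distinct accounts with failed attempts
    ua_hits = set()                 # ips that presented the fasthttp user agent

    for rec in sorted(map(parse_line, lines), key=lambda r: r["time"]):
        ip = rec["ip"]
        if "fasthttp" in rec["ua"].lower():
            ua_hits.add(ip)
        if rec["status"] != "failure":
            continue
        accounts[ip].add(rec["user"])
        q = recent[ip]
        q.append(rec["time"])
        while rec["time"] - q[0] > window:   # drop failures that aged out of the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))

    findings = {}
    for ip in set(peak) | ua_hits:
        reasons = []
        if peak[ip] >= threshold:
            reasons.append("failure-rate")
        if ip in ua_hits:
            reasons.append("fasthttp-user-agent")
        if reasons:
            findings[ip] = {
                "reasons": reasons,
                "peak_failures": peak[ip],
                "accounts": len(accounts[ip]),
            }
    return findings


if __name__ == "__main__":
    for ip, info in detect(constructed_log()).items():
        print(ip, info)
```

The window-based count is what separates a spray from ordinary typos: the benign address in the sample never exceeds one failure, while the spraying address reaches 60 failures across 12 accounts in under a minute. Tune the threshold and window to your tenant's baseline, and treat the user-agent match as corroboration rather than a standalone alert, since the string is trivial for an operator to change.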

New Phishing Kit Bypasses Microsoft 365 2FA - 11h

A new ‘Sneaky 2FA’ phishing kit is targeting Microsoft 365 accounts, using a sophisticated Adversary-in-the-Middle technique to bypass 2FA. This kit utilizes compromised WordPress sites and other domains to host phishing pages, collecting credentials and 2FA codes. The kit has been linked to the W3LL Panel OV6 phishing kit, indicating a larger threat landscape for Microsoft 365 users. The phishing method is capable of intercepting user credentials and session cookies.

MikroTik Botnet Exploits DNS Misconfigurations - 2d

A sophisticated botnet is exploiting misconfigured DNS records on approximately 13,000 MikroTik routers to bypass email protection systems and deliver malware through spam campaigns. This botnet operation leverages a simple DNS misconfiguration to send malicious emails that appear to come from legitimate domains, distributing trojan malware and other malicious content.

Fortinet Firewall Zero-Day Exploitation - 5d

A zero-day vulnerability in Fortinet firewalls is being actively exploited by attackers. The flaw allows attackers to compromise systems with exposed management interfaces. A mass exploitation campaign against Fortinet firewalls peaked in December 2024. Fortinet has released a patch for the vulnerability, which is tracked as CVE-2024-55591. Attackers are suspected to have been exploiting the flaw as a zero-day before the patch was released. Organizations using Fortinet firewalls are strongly advised to apply the patch as soon as possible.

PowerSchool Breach Exposes Student and Teacher Data - 10d

A recent cyberattack on PowerSchool has resulted in the compromise of all historical student and teacher data. The breach has affected multiple US school districts, exposing highly sensitive personal information. The impacted data includes all student and teacher records stored within PowerSchool’s systems. This breach represents a significant risk to the privacy and security of student and teacher information.

W3 Total Cache Flaw Exposes Over a Million WordPress Sites - 2d

A severe vulnerability in the W3 Total Cache plugin for WordPress has been identified, impacting over one million websites. This flaw enables attackers to gain unauthorized access to sensitive data, including metadata on cloud-based apps. The vulnerability, allowing subscriber-level access, poses a substantial risk to WordPress sites using the plugin, potentially exposing user data and compromising site security.