The US Treasury Department sanctioned a Chinese cybersecurity firm, Sichuan Juxinhe, and a Shanghai-based hacker, Yin Kecheng, for their involvement in the Salt Typhoon cyberattacks. These attacks targeted major US telecom companies, compromising sensitive data and the US Treasury’s network, including systems used for sanctions and foreign investment reviews, and even reached the computer of the outgoing Treasury Secretary Janet Yellen. This highlights the ongoing sophisticated cyber espionage campaigns from China targeting critical infrastructure and government entities within the US and globally. The sanctioned entities are directly linked to the Chinese Ministry of State Security (MSS) and used a combination of zero-day exploits and other techniques to infiltrate networks and exfiltrate data. The compromise of the Department of the Treasury’s network is considered a major breach, potentially impacting national security because of the access it gave to sensitive information.
General Motors and OnStar are banned from disclosing consumers’ geolocation and driver behavior data to consumer reporting agencies for five years. The FTC launched an investigation after reports that GM collected data about customers’ vehicle use and sold it to third-party platforms used by insurance companies without adequate consent, specifically from the OnStar Smart Driver program. GM has now stopped sharing sensitive information with data brokers and must take additional steps to increase transparency for its customers.
The Russian threat actor Star Blizzard has shifted its tactics, now targeting WhatsApp accounts via spear-phishing. The campaign involves messages that prompt victims to join a WhatsApp group, where their credentials can be harvested. This marks a departure from their previous methods, likely to evade detection. The primary targets are individuals involved in government, diplomacy, defense, and international relations, indicating an espionage-focused campaign. The use of social engineering via WhatsApp is a notable shift for this APT group.
The US Department of Justice, with the FBI, conducted a multi-month operation to remove the PlugX malware from over 4,200 infected computers in the United States. PlugX is a remote access trojan (RAT) widely used by threat actors associated with the People’s Republic of China. This action targeted the command and control infrastructure used by these actors to compromise systems, disrupting their ability to maintain persistent access and conduct further malicious activities on affected networks. The operation underscores the US government’s proactive efforts in combating state-sponsored cyber espionage activities, aiming to neutralize threats before they can be further leveraged for malicious purposes.
A newly discovered vulnerability, CVE-2024-7344, in the UEFI Secure Boot mechanism allows attackers to bypass Secure Boot protections and execute unsigned code during the boot process. This flaw, located in a signed UEFI application, enables the deployment of malicious UEFI bootkits, potentially impacting a wide range of UEFI-based systems. This highlights the urgency of fixing and patching vulnerable UEFI bootloaders.
Multiple vulnerabilities have been discovered in rsync, a widely used file transfer program. Six vulnerabilities have been identified, including a critical remote code execution (RCE) vulnerability (CVE-2024-12084) that allows attackers with anonymous read access to an rsync server to execute arbitrary code on the machine. Other vulnerabilities include information leaks and symlink issues. Users are advised to upgrade to rsync version 3.4.0, released on January 14th, to patch these issues and ensure system security. This highlights the importance of timely patching and update processes for critical network utilities.
North Korean IT workers have been linked to a crowdfunding scam and are targeting Web3 developers with fake LinkedIn profiles in Operation 99. These workers use fraudulent schemes to generate revenue for North Korea’s government. This operation shows how North Korea uses advanced cyber tactics to bypass international sanctions and fund its operations by targeting the blockchain industry. The United States, Japan, and the Republic of Korea have joined forces to issue a stark warning about these activities, indicating the severity of the situation.
A high-risk Server-Side Request Forgery (SSRF) vulnerability, identified as CVE-2025-23082, has been discovered in Veeam Backup for Microsoft Azure. This flaw allows attackers to send unauthorized requests from the system, leading to potential network enumeration and other attacks. Veeam has released a patch to address this vulnerability. The SSRF vulnerability underscores the risk in cloud-based backup solutions and the need for consistent patch management.
Otelier, a hotel management platform, suffered a significant data breach after attackers compromised its Amazon S3 cloud storage. Millions of guests’ personal information and hotel reservations were stolen. The affected hotel brands include Marriott, Hilton, and Hyatt. The stolen data could include personally identifiable information and reservation details, exposing guests to potential identity theft and fraud.
Hackers are using the FastHTTP library in Go to perform high-speed brute-force password attacks against Microsoft 365 accounts globally. The attacks are characterized by generating a large volume of HTTP requests, focusing on Azure Active Directory endpoints. This technique demonstrates how high-performance HTTP libraries can be abused to conduct rapid credential-based attacks.
A new ‘Sneaky 2FA’ phishing kit is targeting Microsoft 365 accounts, using a sophisticated Adversary-in-the-Middle technique to bypass 2FA. This kit utilizes compromised WordPress sites and other domains to host phishing pages, collecting credentials and 2FA codes. The kit has been linked to the W3LL Panel OV6 phishing kit, indicating a larger threat landscape for Microsoft 365 users. The phishing method is capable of intercepting user credentials and session cookies.
A sophisticated botnet is exploiting misconfigured DNS records on approximately 13,000 MikroTik routers to bypass email protection systems and deliver malware through spam campaigns. This botnet operation leverages a simple DNS misconfiguration to send malicious emails that appear to come from legitimate domains, distributing trojan malware and other malicious content.
A zero-day vulnerability in Fortinet firewalls is being actively exploited by attackers. The flaw allows attackers to compromise systems with exposed management interfaces. There is a mass exploitation campaign against Fortinet firewalls that peaked in December 2024. Fortinet has released a patch for the flaw, which is tracked as CVE-2024-55591. It is suspected that the attackers may have been exploiting the vulnerability as a zero-day before the patch was released. Organizations using Fortinet firewalls are strongly advised to apply the patch as soon as possible.
A recent cyberattack on PowerSchool has resulted in the compromise of all historical student and teacher data. The breach has affected multiple US school districts, exposing highly sensitive personal information. The impacted data includes all student and teacher records stored within PowerSchool’s systems. This breach represents a significant risk to the privacy and security of student and teacher information.
A severe vulnerability in the W3 Total Cache plugin for WordPress has been identified, impacting over one million websites. This flaw enables attackers to gain unauthorized access to sensitive data, including metadata on cloud-based apps. The vulnerability, allowing subscriber-level access, poses a substantial risk to WordPress sites using the plugin, potentially exposing user data and compromising site security.