Daily Brief

Articles are listed below, each followed by an automatically generated summary.

Total articles found: 12824

Checks for new stories every ~15 minutes

2025-01-15 13:12:38 bleepingcomputer MALWARE Microsoft's Patch Tuesday Addresses 159 Security Flaws, 8 Zero-Days
Microsoft's January 2025 Patch Tuesday included updates for 159 vulnerabilities, with 8 critical zero-day flaws, three of which were actively exploited. Critical issues addressed included elevation of privilege, information disclosure, and remote code execution vulnerabilities. Three zero-day vulnerabilities in Windows Hyper-V NT Kernel allowed attackers to gain SYSTEM privileges and were patched this cycle. Another patched zero-day involved a Windows App Package Installer flaw that also allowed elevation to SYSTEM privileges. A weakness in Windows Themes that could expose NTLM credentials via specially crafted Theme files was also corrected. Microsoft also patched three remote code execution vulnerabilities in Microsoft Access triggered by opening specially crafted documents. Additional security updates covered various Microsoft products, aiming to enhance system defenses against potential cyber threats. Other tech companies similarly released updates or advisories as part of their January 2025 security measures.
2025-01-15 13:12:38 bleepingcomputer NATION STATE ACTIVITY North Korea Linked to Major Cryptocurrency Thefts Worldwide
North Korean state-backed hackers stole over $659 million in cryptocurrencies last year through multiple heists. The United States, South Korea, and Japan issued a warning about ongoing threats from DPRK-affiliated groups targeting the crypto industry. Recent breaches include a significant attack on India's largest Bitcoin exchange, WazirX, resulting in a $235 million loss. 2024 saw a drastic increase in thefts by DPRK, with stolen amounts totaling $1.34 billion across 47 incidents. North Korean IT workers, posing as U.S.-based staff, have infiltrated numerous international firms, deploying malware and stealing sensitive data. The U.S. State Department is offering rewards up to $5 million for information on DPRK front companies involved in illegal IT operations. Governments of the U.S., Japan, and South Korea urge companies, especially in blockchain and freelance sectors, to heed advisories and enhance cyber defenses against DPRK threats.
2025-01-15 13:12:38 bleepingcomputer MALWARE Over 5,000 WordPress Sites Compromised by New Malware
Over 5,000 WordPress sites have been compromised by a new malware campaign that adds rogue admin accounts. The malware deploys a malicious script and plugin from the domain wp3[.]xyz to steal sensitive data like administrator credentials. The rogue admin accounts created by the malware are named wpx_admin and are equipped with preset credentials embedded in the malware code. Once active, the malicious plugin functions to obfuscate data exfiltration attempts as legitimate image requests. Security researchers discovered this campaign during an incident response for a client, but the initial infection vector remains unidentified. Recommendations for website owners include blocking the wp3[.]xyz domain and strengthening CSRF protections with unique, regularly regenerated tokens. Implementing multi-factor authentication is advised to secure accounts potentially already compromised.
2025-01-14 03:24:32 thehackernews NATION STATE ACTIVITY CISA Flags BeyondTrust Flaws Amid Suspected State-Sponsored Cyber Attack
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities catalog to include a new flaw in BeyondTrust products due to active exploitation. The flaw, identified as CVE-2024-12686 with a CVSS score of 6.6, allows command injection by an attacker with administrative privileges. This vulnerability follows the discovery of another severe bug, CVE-2024-12356, affecting the same BeyondTrust software, which also could lead to arbitrary command execution. These flaws were discovered following a security breach involving a compromised Remote Support SaaS API key, which was used to infiltrate some instances and manipulate account passwords. The compromised API key was also utilized in a significant cybersecurity breach of the U.S. Treasury Department, attributed to the Chinese state-sponsored group Silk Typhoon, targeting key financial regulatory bodies. The hack of the Treasury implicated the Offices of Foreign Assets Control, Financial Research, and the Committee on Foreign Investment in the United States. Another critical vulnerability, CVE-2023-48365 in Qlik Sense software, which has historically been exploited by the Cactus ransomware group, was also added to the KEV catalog. CISA mandates that federal agencies patch these vulnerabilities by February 3, 2024, to protect against these identified and ongoing threats.
2025-01-14 01:48:26 theregister CYBERCRIME Extensive Zero-Day Exploitation of Fortinet Firewalls Detected
Security researchers at Arctic Wolf Labs observed a mass exploitation campaign targeting Fortinet firewalls, potentially using an unpatched zero-day vulnerability. The attacks, primarily concentrated in early December, involved unauthorized access and manipulation of firewall configurations across multiple organizations. Attackers gained access through internet-exposed FortiGate firewall management interfaces, altering configurations and using SSL VPN tunnels for persistent access. The campaign impacted firmware versions from 7.0.14 to 7.0.16, with Fortinet yet to confirm the specific vulnerability used by the attackers. Notable tactics included the extensive use of web-based CLI logged under a 'jsconsole' label, with evidence suggesting the use of spoofed IP addresses. Attackers made significant configuration changes in early December, including the creation of new admin accounts and modification of existing ones to facilitate SSL VPN access. Arctic Wolf provided detailed information to Fortinet on December 12, with Fortinet confirming an ongoing investigation as of December 17, but no confirmation on the vulnerability's existence or patch. While the attackers were expelled from the affected networks before further actions, ransomware deployment remains a plausible motive, with connections to known ransomware affiliate tactics observed.
2025-01-13 22:36:28 bleepingcomputer DATA BREACH Ransomware Attack at OneBlood Compromises Donor Data
OneBlood, a not-for-profit blood donation organization, confirmed a ransomware attack occurred on July 14, 2024, compromising donors' personal data. The cyberattack encrypted the organization’s virtual machines, leading to a switch to manual processes and delays in blood collection and distribution. The data stolen included names and Social Security numbers; however, other personal information such as contact details and medical history was not affected. OneBlood completed its investigation on December 12, 2024, and began notifying affected individuals last week, advising them of free one-year credit monitoring services available until April 9, 2025. The organization had discovered the breach on July 29, 2024, but the threat actor retained unauthorized access until that date. Impacted individuals have been advised to consider further protective measures such as credit freezes and fraud alerts to mitigate potential identity theft and financial fraud risks. The total number of individuals affected by the breach has not been disclosed by OneBlood.
2025-01-13 21:05:25 theregister MALWARE Widespread Compromises Following Disclosure of Aviatrix Bug
A critical vulnerability (CVE-2024-50603) exists in Aviatrix Controller, leading to remote code execution and potential privilege escalation in AWS cloud environments. Public exposure of a proof-of-concept (PoC) exploit just a day after initial vulnerability disclosure has facilitated active exploitation and left inadequate time for patch application. Researchers have observed successful attacks involving the deployment of Sliver backdoors and cryptojacking activities, particularly using XMRig, which financially burdens victims through high compute costs. Despite the relatively low usage of Aviatrix Controller among AWS customers (3%), 65% of those deployments have configurations that allow for lateral movement and elevated cloud privileges. Researchers estimate attackers are currently collecting cloud permissions to potentially engage in data theft and possible extortion in the future. The attacks have been confirmed on internet-exposed environments already patched against a prior Aviatrix Controller vulnerability, indicating the recency and potency of the new exploit. Aviatrix has issued a new patch for affected versions; however, the patch may need to be reapplied in certain upgrade scenarios because it does not persist across versions.
2025-01-13 21:00:07 bleepingcomputer NATION STATE ACTIVITY U.S. Agencies Directed to Patch Exploited BeyondTrust Vulnerabilities
CISA has identified active exploitation of vulnerabilities in BeyondTrust's software, specifically CVE-2024-12686 and CVE-2024-12356. U.S. federal agencies are required to patch these vulnerabilities by February 3, following a Binding Operational Directive. The vulnerabilities were discovered following a security breach involving stolen API keys from BeyondTrust's Remote Support SaaS. The breach and subsequent vulnerability exploitation have been attributed to the Chinese state-backed hacker group Silk Typhoon. Silk Typhoon used the stolen API keys to infiltrate the U.S. Treasury Department, compromising sensitive information related to U.S. economic sanctions. BeyondTrust has patched the vulnerabilities for its cloud services, but self-hosted instances require manual patch application. The impact of the breach on the Treasury's Office of Foreign Assets Control and other departments is still under assessment.
2025-01-13 20:34:35 bleepingcomputer CYBERCRIME Path of Exile 2 Player Accounts Compromised Through Admin Hack
Path of Exile 2 suffered a security breach where an old Steam-linked admin account was hacked, enabling attackers to access and alter at least 66 player accounts. The attackers used partial credit card details to reset the credentials for the admin account, which then allowed them to change passwords and steal items from player accounts. Impacted players lost valuable in-game items, with the game's support team unable to offer rollback or item restoration, rendering the losses permanent. A bug was identified where password changes were incorrectly logged as editable notes rather than uneditable audit entries, which further compromised account security. The breach's full extent remains uncertain due to a log retention policy which resulted in the deletion of some logs from the time the admin account was compromised. Game developers admitted to significant errors and have introduced new security measures, including removing the ability to link Steam accounts to administrative accounts. Grinding Gear Games, the developers, have not announced any compensation plans for affected players concerning the irreversible loss of in-game assets.
2025-01-13 19:03:17 theregister CYBERCRIME Microsoft Sues to Halt AI-Tool Abuse by Foreign Cybercriminals
Microsoft filed a lawsuit against unnamed criminals for exploiting its AI tools, leading to the creation and sale of harmful content. Defendants used stolen API keys from Microsoft customers to access Azure OpenAI services and engaged in hacking services. The lawsuit was lodged in a US District Court in December, focusing on charges under several federal laws, including the Computer Fraud and Abuse Act and RICO. Court documents revealed Microsoft's actions to seize web domains involved in the illegal activities, aiming to disrupt the criminal infrastructure. The criminals' operation allowed users to generate images using AI models via custom-built software and web applications, in violation of Microsoft's policies. Microsoft has implemented enhanced safety measures to prevent similar security breaches, although specific details of these measures were not disclosed. The legal action underscores Microsoft's ongoing efforts to protect its technology and customer assets from cyber exploitation.
2025-01-13 18:27:36 bleepingcomputer MALWARE Microsoft Discovers macOS Bug Allowing Malicious Kernel Driver Installation
Apple fixed a macOS security flaw (CVE-2024-44243) that let hackers install kernel drivers by bypassing System Integrity Protection. Attackers could exploit this vulnerability locally with root access, needing user interaction but not physical access. The flaw resided in the Storage Kit daemon responsible for maintaining disk states. System Integrity Protection (SIP) generally prevents alterations to critical system files and requires a system restart from macOS Recovery for deactivation. The loophole could enable the installation of rootkits and persistent malware without physical device access. Patch updates for macOS Sequoia 15.2 were released in December 2024 to address this vulnerability. Microsoft has previously identified multiple SIP bypass vulnerabilities in macOS, indicating a pattern of similar security issues.
2025-01-13 18:01:59 theregister MISCELLANEOUS Recent Azure and M365 MFA Outage Disrupts User Access in Europe
Microsoft's multi-factor authentication (MFA) services for Azure and Microsoft 365 experienced a four-hour outage affecting European users. The outage began around 10:33 UTC and primarily impacted users in Norway, Spain, the Netherlands, and the UK. Microsoft identified the issue in their service telemetry and redirected traffic to mitigate the problem, restoring normal service. After resolving the outage, Microsoft initiated an extended monitoring phase to prevent further issues. This incident follows another recent disruption in Azure's East US 2 region, caused by a networking service configuration change. Some users in Chile and the US also experienced access issues during the European outage. Microsoft continues to investigate the root cause of the MFA outage and has promised further updates on the situation.
2025-01-13 18:01:58 bleepingcomputer MALWARE Hackers Deploy Backdoors and Crypto Miners Exploiting Aviatrix Flaw
The Aviatrix Controller vulnerability, designated as CVE-2024-50603, permits unauthorized remote command execution. Discovered by Jakub Korepta, the flaw arises from insufficient input sanitization in API actions, enabling command injection. Threat actors exploit this critical security gap to install Sliver backdoors and conduct unauthorized cryptocurrency mining. A recent Proof of Concept (PoC) exploit shared on GitHub has accelerated the exploitation activities targeting the Aviatrix Controller. Despite a small percentage of cloud environments using Aviatrix Controller, 65% of these pose risks for network intrusion and administrative escalation. Aviatrix has released patches for vulnerable versions and recommends updating to versions 7.1.4191 or 7.2.4996 to mitigate risks. Users are advised to restrict internet exposure of critical ports and adhere to Aviatrix's recommended IP access guidelines to enhance security.
2025-01-13 16:50:48 theregister NATION STATE ACTIVITY Sweden Mobilizes Naval Forces After Baltic Cable Sabotage
Sweden responds to suspected sabotage of Baltic Sea cables by deploying three warships and a surveillance airplane. Swedish Prime Minister Ulf Kristersson emphasizes the shift from passive idealism to active realism in national defense strategy. The damage involved cables owned by Finnish telecom Elisa and the Finnish-Estonian Estlink 2 power line, with Estlink expected to face extended downtime. Suspicions point towards the Russian "shadow fleet" oil tanker, Eagle S, for intentionally causing the cable damages. Finnish authorities have seized the tanker Eagle S, and investigations are ongoing to confirm the intent behind the damages. Kristersson highlights recurrent suspicious incidents in the Baltic Sea, suggesting potential hostile activities. The Swedish PM reaffirms Sweden’s commitment to protecting the Baltic Sea region, in collaboration with neighbors and allies. Kristersson warns of a long-term Russian threat, stressing the need for sustained defensive measures.
2025-01-13 16:50:48 bleepingcomputer DATA BREACH Nominet Reports Security Breach Exploiting Ivanti VPN Zero-Day
Nominet, the administrator of .UK domains, confirmed a network breach via an Ivanti VPN zero-day vulnerability. The breach occurred two weeks ago, impacting the management of over 11 million .uk and related domain names. Despite the breach, Nominet has not found evidence of data leakage or backdoors on its systems. Suspicious activities were detected, leading to the restriction of VPN system accesses and notification of the NCSC. Ivanti acknowledged a critical vulnerability tracked as CVE-2025-0282 exploited by attackers using the custom Spawn malware toolkit. Mandiant associates this attack with a China-linked espionage group known as UNC5337, deploying malware types previously unlinked to any group. While operational systems like domain registration remain unaffected, Nominet has heightened its security measures in response to the incident.