CyberSecurity Newsletter: February 10, 2025
In this week’s news: Anonymous releases a video launching a campaign against Trump and Musk; John Loucaides explains the significance of Google’s proof-of-concept microcode patch; a botched attempt to block a phishing URL on Cloudflare's R2 object storage platform triggered a widespread outage; a template injection vulnerability in older versions of Confluence Data Center and Server lets an unauthenticated attacker achieve RCE; NSA’s Research Directorate released Ghidra 11.3; and cybercriminals ramp up their use of image payloads.
Anonymous releases video launching campaign against Trump and Musk:
https://bsky.app/profile/youranoncentral.bsky.social/post/3lhmgd353ue2q
John Loucaides explains the significance of Google’s proof-of-concept microcode patch. Google researchers recently achieved one of the holy grails of platform security: a proof-of-concept microcode patch that passes the CPU's signature checks and runs. The PoC changes the x86 random number generator instruction (RDRAND) to return a constant (4) instead of cryptographically random numbers.
https://www.linkedin.com/feed/update/urn:li:activity:7294207871926317057/
https://github.com/google/security-research/security/advisories/GHSA-4xq7-4mgh-gp6w
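The practical lesson of an RDRAND that returns 4 is that a hardware RNG must be sanity-checked and never used as the sole entropy source. The following is an added example (not Google's PoC or advisory code): `rdrand` is a stand-in callable for the instruction, the 8-sample / 5-change thresholds are taken to mirror the Linux kernel's x86_init_rdrand check, and the "sabotaged" and "counter" sources are constructed to model the failure modes.

```python
"""RNG sanity check and hedging against a stuck hardware source.

Added example, not Google's PoC or advisory code. `rdrand` is a stand-in
for the instruction (real code would wrap the _rdrand32_step intrinsic);
the sample/threshold numbers are assumed to mirror the Linux kernel's
x86_init_rdrand check (8 samples, at least 5 must differ from the last).
"""
import hashlib
import os
from typing import Callable

SAMPLES = 8       # consecutive reads taken from the hardware source
MIN_CHANGE = 5    # reads that must differ from their predecessor


def rdrand_sanity_check(rdrand: Callable[[], int],
                        samples: int = SAMPLES,
                        min_change: int = MIN_CHANGE) -> bool:
    """True if the source looks alive, False if it appears stuck.

    A source patched to return a constant (the PoC's RDRAND -> 4) yields
    zero changes; a healthy 32-bit source yields samples-1 changes with
    overwhelming probability.
    """
    prev = rdrand()
    changed = 0
    for _ in range(samples - 1):
        cur = rdrand()
        changed += int(cur != prev)
        prev = cur
    return changed >= min_change


def sabotaged_rdrand() -> int:
    """Models the PoC-patched instruction: every read returns 4."""
    return 4


def healthy_rdrand() -> int:
    """Models a working RDRAND, backed here by the OS CSPRNG."""
    return int.from_bytes(os.urandom(4), "little")


def make_counter_rdrand() -> Callable[[], int]:
    """Models a subtler sabotage: output changes on every read but is
    fully predictable. The change-count check passes, which is exactly
    why mixing with an independent source is still required."""
    state = {"n": 0}

    def rdrand() -> int:
        state["n"] += 1
        return state["n"]
    return rdrand


def mix_entropy(hw_sample: int, independent_seed: bytes) -> bytes:
    """Hash the hardware sample together with an independent seed. If
    hw_sample is constant or predictable, the output is still as strong
    as the seed alone."""
    h = hashlib.sha256()
    h.update(hw_sample.to_bytes(4, "little", signed=False))
    h.update(independent_seed)
    return h.digest()


def derive_key(rdrand: Callable[[], int]) -> bytes:
    """32-byte key that never rests on the hardware source alone."""
    seed = os.urandom(32)
    if not rdrand_sanity_check(rdrand):
        # Stuck source: drop it entirely rather than feed a constant in.
        return hashlib.sha256(seed).digest()
    return mix_entropy(rdrand(), seed)
```

The change-count check catches the constant-output case but not a patched instruction that emits a predictable sequence, so the real defence is the mixing step: treat RDRAND as one contributor to a pool, never as the pool.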
An attempt to block a phishing URL hosted on Cloudflare's R2 object storage platform backfired, triggering a widespread outage that brought down multiple services for nearly an hour. Cloudflare R2 is an object storage service similar to Amazon S3, designed for scalable, durable, and low-cost data storage. It offers free egress (no data-retrieval fees), S3 compatibility, data replication across multiple locations, and integration with other Cloudflare services.
https://www.bleepingcomputer.com/news/security/cloudflare-outage-caused-by-botched-blocking-of-phishing-url/
Major UK-based engineering company IMI has confirmed having its systems breached just over a week after a similar network compromise was reported by British multinational engineering firm Smiths Group, reports The Record, a news site by cybersecurity firm Recorded Future.
https://www.scworld.com/brief/cyberattack-impacts-british-engineering-firm-imi
Hospital Sisters Health System notified over 882,000 patients that an August 2023 cyberattack led to a data breach that exposed their personal and health information. Established in 1875, HSHS works with over 2,200 physicians and has around 12,000 employees. It also operates a network of physician practices and 15 local hospitals across Illinois and Wisconsin, including two children's hospitals.
https://www.bleepingcomputer.com/news/security/us-health-system-notifies-882-000-patients-of-august-2023-breach/
A template injection vulnerability (CVE-2023-22527) in older versions of Confluence Data Center and Server allows an unauthenticated attacker to achieve RCE.
https://github.com/Avento/CVE-2023-22527_Confluence_RCE
A five-count criminal indictment was unsealed today in federal court in New York charging a Canadian man with exploiting vulnerabilities in two decentralized finance protocols to fraudulently obtain about $65 million from the protocols’ investors.
https://www.darkreading.com/cyberattacks-data-breaches/canadian-man-charged-in-65m-cryptocurrency-hacking-schemes
Members of the U.K. Parliament and House of Lords are set to investigate the vulnerabilities of undersea cables through a new inquiry initiated by the Joint Committee on the National Security Strategy (JCNSS). Despite the government’s efforts to enhance maritime security with international allies, there is growing concern about the capabilities and intentions of hostile states like Russia and China to threaten undersea infrastructure, particularly during heightened tensions or conflicts. The JCNSS inquiry will assess the U.K.’s capacity to safeguard undersea cable infrastructure, including shore-based connections, and evaluate the robustness of national resilience in the face of significant and protracted disruptions.
https://industrialcyber.co/critical-infrastructure/uk-launches-jcnss-inquiry-into-undersea-cable-vulnerabilities-amid-rising-cybersecurity-concerns/
Microsoft is warning of an insecure practice in which software developers copy ASP.NET machine keys from publicly accessible resources (documentation, code samples, repositories) into their applications, exposing those applications to attack. The tech giant's threat intelligence team said it observed limited activity in December 2024 in which an unknown threat actor used a publicly available, static ASP.NET machine key to inject malicious code and deliver the Godzilla post-exploitation framework.
https://thehackernews.com/2025/02/microsoft-identifies-3000-publicly.html
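A `validationKey` that an attacker also holds lets them forge ViewState that passes MAC validation, which is the path to code execution described above. The check a practitioner wants is therefore: does any web.config carry a literal key, and is that key on a list of known-public values? The following is an added example, not Microsoft's scanner: the sample web.config, the key bytes and the "disclosed" fingerprint set are all constructed stand-ins (in practice you would populate the set from Microsoft's published hash list).

```python
"""Audit web.config for static ASP.NET machine keys and known-disclosed values.

Added example, not Microsoft's tooling. SAMPLE_WEB_CONFIG, the key bytes and
DISCLOSED_FINGERPRINTS are constructed: they stand in for a real config, a
copy-pasted public key and Microsoft's published hash list.
"""
import hashlib
import secrets
import xml.etree.ElementTree as ET

# Constructed: a key we pretend was copied from a public sample.
PUBLIC_VALIDATION_KEY = "AB" * 64   # 128 hex chars = 512-bit HMAC key
PUBLIC_DECRYPTION_KEY = "CD" * 32   # 64 hex chars = 256-bit AES key

SAMPLE_WEB_CONFIG = f"""<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="{PUBLIC_VALIDATION_KEY}"
                decryptionKey="{PUBLIC_DECRYPTION_KEY}"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

SAFE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps" />
  </system.web>
</configuration>"""


def key_fingerprint(key: str) -> str:
    """Normalised SHA-256 of a key, so lists can be shared without the key."""
    return hashlib.sha256(key.strip().upper().encode("ascii")).hexdigest()


# Constructed stand-in for a list of publicly disclosed key hashes.
DISCLOSED_FINGERPRINTS = {key_fingerprint(PUBLIC_VALIDATION_KEY),
                          key_fingerprint(PUBLIC_DECRYPTION_KEY)}


def audit_machine_keys(config_xml: str, disclosed: set) -> list:
    """Return one finding per static key attribute found in the config."""
    root = ET.fromstring(config_xml)
    findings = []
    for mk in root.iter("machineKey"):   # anywhere, incl. <location> blocks
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, "AutoGenerate,IsolateApps")
            if value.startswith("AutoGenerate"):
                continue                  # framework-generated, not copied
            fp = key_fingerprint(value)
            findings.append({
                "attribute": attr,
                "fingerprint": fp,
                "known_disclosed": fp in disclosed,
                # a static key is only fatal once it is public; otherwise review it
                "severity": "critical" if fp in disclosed else "review",
            })
    return findings


def fresh_machine_key_element() -> str:
    """Replacement element with keys generated here, never copied from anywhere."""
    return (f'<machineKey validationKey="{secrets.token_hex(64).upper()}" '
            f'decryptionKey="{secrets.token_hex(32).upper()}" '
            f'validation="HMACSHA256" decryption="AES" />')
```

Static keys are legitimate in web farms, where every node must share them, so the scanner separates "static" (review: is it unique to this application and kept out of source control?) from "static and publicly known" (rotate immediately and investigate for prior exploitation).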
Windows 11's January 28 optional update has fixed a long-standing issue in Windows 11 24H2 that prevented non-admin users from changing their time zone in Date & Time Settings. The bug blocked regular users from accessing the Date & Time page of the Settings app. Microsoft first confirmed the issue in November 2024 and has now patched it for everyone with KB5050094.
https://www.bleepingcomputer.com/news/microsoft/microsoft-has-finally-fixed-date-and-time-bug-in-windows-11/
An improper verification of cryptographic signature vulnerability (CVE-2025-23369) was identified in GitHub Enterprise Server that allowed signature spoofing by unauthorized internal users.
https://github.com/hakivvi/CVE-2025-23369
NSA’s Research Directorate released version 11.3 of Ghidra, an open-source software reverse engineering (SRE) framework. It offers advanced analysis tools, enabling users to dissect and examine compiled code across multiple platforms, including Windows, macOS, and Linux.
https://www.helpnetsecurity.com/2025/02/07/ghidra-11-3-released-new-features-performance-improvements-bug-fixes/
The North Korean threat group Kimsuky recently shifted tactics away from traditional backdoors to leveraging the Remote Desktop Protocol (RDP) and proxy tools to control compromised systems, AhnLab Security Intelligence Center (ASEC) reported Tuesday.
https://www.scworld.com/news/kimsuky-shifts-tactics-from-traditional-backdoors-to-rdp-proxies
A hacker using the alias “Valerie” is claiming to have hacked Ya-moon, a notorious South Korean private pornography website and forum. According to the hacker, the hack took place in June 2024 using a zero-day vulnerability, but the details of it have only been shared earlier today.
https://hackread.com/s-koreas-crime-hub-ya-moon-hacked-user-data-leak/
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:
CVE-2025-0411 7-Zip Mark of the Web Bypass Vulnerability
CVE-2022-23748 Dante Discovery Process Control Vulnerability
CVE-2024-21413 Microsoft Outlook Improper Input Validation Vulnerability
CVE-2020-29574 CyberoamOS (CROS) SQL Injection Vulnerability
CVE-2020-15069 Sophos XG Firewall Buffer Overflow Vulnerability
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Microsoft Outlook, Sophos XG Firewall, and other flaws to its Known Exploited Vulnerabilities catalog.
Threat actors have been observed exploiting recently disclosed security flaws in SimpleHelp's Remote Monitoring and Management (RMM) software as a precursor for what appears to be a ransomware attack. The intrusion leveraged the now-patched vulnerabilities to gain initial access and maintain persistent remote access to an unspecified target network, cybersecurity company Field Effect said in a report shared with The Hacker News.
https://thehackernews.com/2025/02/hackers-exploit-simplehelp-rmm-flaws.html
Cybercriminals have ramped up their use of graphics files to spread malicious links and malware in email phishing attacks, according to new research by Sophos. The tactic is designed to bypass conventional endpoint and mail protection tools, which tend to treat image attachments as inert. Attackers have been observed using the Scalable Vector Graphics (SVG) format for this purpose. An SVG file is an XML document whose text instructions draw a resizable, vector-based image, and because it is a document rather than a bitmap it can also carry hyperlinks and script, which a browser will honour when the attachment is opened.
https://www.infosecurity-magazine.com/news/cybercriminals-graphics-files/
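Since an SVG is XML, the mail-gateway check is a parse rather than a signature match: walk the tree and flag script elements, event-handler attributes, `javascript:` URIs and outbound links. The following is an added example, not Sophos's detection logic; the benign and phishing SVG documents are constructed samples and `evil.example` is a placeholder host.

```python
"""Flag active content and outbound links hidden in SVG attachments.

Added example, not Sophos's detection logic. BENIGN_SVG and PHISH_SVG are
constructed samples; evil.example is a placeholder host.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Elements that turn an "image" into a document that runs or embeds content.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}

BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="120" height="40">
  <rect width="120" height="40" fill="#1e88e5"/>
  <text x="10" y="25" fill="#fff">Invoice</text>
</svg>"""

# Constructed lure: a full-size clickable rectangle, an obfuscated
# javascript: link, an onload handler and an inline script.
PHISH_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="400" height="200"
     onload="location='https://evil.example/login'">
  <a xlink:href="https://evil.example/login">
    <rect width="400" height="200" fill="#fff"/>
  </a>
  <a href="java&#10;script:alert(document.cookie)">
    <text x="20" y="100">Open document</text>
  </a>
  <script>setTimeout(function(){window.location='https://evil.example/login'},500)</script>
</svg>"""


def _local(name: str) -> str:
    """Strip an XML namespace: '{ns}tag' -> 'tag' (handles xlink:href too)."""
    return name.rsplit("}", 1)[-1]


def _scheme(url: str) -> str:
    """Scheme after removing whitespace/controls, so 'java\\nscript:' is seen."""
    cleaned = re.sub(r"[\s\x00-\x1f]+", "", url)
    return urlparse(cleaned).scheme.lower()


def scan_svg(data: bytes) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"malformed SVG: {exc}"]
    findings = []
    for el in root.iter():
        tag = _local(el.tag) if isinstance(el.tag, str) else ""
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"active element <{tag}>")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.startswith("on"):          # onload, onclick, onmouseover ...
                findings.append(f"event handler {name} on <{tag}>")
            elif name == "href":
                scheme = _scheme(value)
                if scheme in ("javascript", "vbscript", "data"):
                    findings.append(f"{scheme}: URI in <{tag}> href")
                elif scheme in ("http", "https"):
                    host = urlparse(value.strip()).hostname or "?"
                    findings.append(f"outbound link on <{tag}> to {host}")
    return findings
```

A policy that blocks on any finding is reasonable for inbound mail, because a legitimate logo or diagram needs none of these constructs; the alternative is to rasterise SVG attachments at the gateway, which removes the document semantics entirely.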
Cybersecurity researchers at third-party risk management firm UpGuard have identified widespread exposure of Ollama APIs to the internet; these APIs provide access to the AI models a host is running. The exposed APIs not only pose security risks for model owners but also offer a unique opportunity to gauge the adoption rate and geographic distribution of specific AI models, such as DeepSeek.
https://hackread.com/exposed-ollama-apis-leave-deepseek-ai-models-attack/
A new audit of DeepSeek's mobile app for Apple's iOS operating system has found glaring security issues, the foremost being that it sends sensitive data over the internet without any encryption, exposing it to interception and manipulation attacks. The assessment comes from NowSecure, which also found that the app fails to adhere to security best practices and that it collects extensive user and device data.
https://thehackernews.com/2025/02/deepseek-app-transmits-sensitive-user.html