CyberSecurity Newsletter February 17th, 2025
In this week’s news: a Golang-based backdoor that uses Telegram for C2, exploits released for a GitHub Enterprise Server vulnerability, hackers deface the DOGE site, Zacks Investment Research breached with 12M accounts at risk, Chinese hackers continue their attacks on telecom providers, a cyber threat campaign targeting the release of the declassified JFK files, new malware called FinalDraft that uses Outlook email drafts for command-and-control, and SonicWall and Palo Alto firewalls under active exploitation.
Cybersecurity researchers have shed light on a new Golang-based backdoor that uses Telegram as a mechanism for command-and-control (C2) communications. Netskope Threat Labs, which detailed the functions of the malware, described it as possibly of Russian origin. "The malware is compiled in Golang and once executed it acts like a backdoor," security researcher Leandro Fróes said in an analysis published last week. "Although the malware seems to still be under development it is completely functional."
https://thehackernews.com/2025/02/new-golang-based-backdoor-uses-telegram.html
CVE-2025-23369 - An improper verification of cryptographic signature vulnerability was identified in GitHub Enterprise Server that allowed signature spoofing for unauthorized internal users. Instances not utilizing SAML single sign-on or where the attacker is not already an existing user were not impacted. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12.14, 3.13.10, 3.14.7, 3.15.2, and 3.16.0. This vulnerability was reported via the GitHub Bug Bounty program.
https://github.com/hakivvi/CVE-2025-23369
Hackers wasted no time in infiltrating the Department of Government Efficiency’s website. After its hasty launch this week, at least two pages of the site were defaced by critics who seemingly accessed a database the page draws from. Two messages appeared on two separate pages of the site, reading “this is a joke of a .gov site” and “THESE ‘EXPERTS’ LEFT THEIR DATABASE OPEN—roro.”
https://fortune.com/2025/02/14/elon-musk-doge-website-hacked-hackers/
Zacks Investment Research (Zacks) last year reportedly suffered another data breach that exposed sensitive information related to roughly 12 million accounts. Zacks is an American investment research company that provides its customers with data-driven insights through a proprietary stock performance assessment tool called ‘Zacks Rank’, to help them make informed financial decisions.
https://www.bleepingcomputer.com/news/security/hacker-leaks-account-data-of-12-million-zacks-investment-users/
BleepingComputer reports that attacks leveraging old critical ThinkPHP Framework and ownCloud file sharing and syncing platform vulnerabilities to facilitate arbitrary operating system command execution and data compromise have surged in recent days. After being exploited in Chinese cyberattacks since October 2023, the ThinkPHP Framework local file inclusion flaw, tracked as CVE-2022-47945, has been targeted by 572 unique IP addresses, according to an analysis from GreyNoise.
https://www.scworld.com/brief/active-exploitation-of-years-old-thinkphp-owncloud-bugs-spike
Chinese hackers, specifically the Salt Typhoon group (also known as RedMike), continue their attacks on telecom providers globally. Their latest campaign has compromised several US telecommunications companies by exploiting vulnerabilities in unpatched Cisco IOS XE network devices. The attacks leveraged two known vulnerabilities: CVE-2023-20198 (privilege escalation) and CVE-2023-20273 (Web UI command injection). These vulnerabilities allowed the Chinese hackers to gain access to the networks.
https://dailysecurityreview.com/security-spotlight/chinese-hackers-breach-more-us-telecoms-via-unpatched-cisco-routers-despite-sanctions/
Attackers are now targeting an authentication bypass vulnerability affecting SonicWall firewalls shortly after the release of proof-of-concept (PoC) exploit code. This security flaw (CVE-2024-53704), tagged by CISA as critical severity and found in the SSLVPN authentication mechanism, impacts SonicOS versions 7.1.x (up to 7.1.1-7058), 7.1.2-7019, and 8.0.0-8035, used by multiple models of Gen 6 and Gen 7 firewalls and SOHO series devices.
https://www.bleepingcomputer.com/news/security/sonicwall-firewall-bug-leveraged-in-attacks-after-poc-exploit-release/
Cisco Talos’ Vulnerability Discovery & Research team recently disclosed two vulnerabilities in ClearML and four vulnerabilities in Nvidia.
https://blog.talosintelligence.com/clearml-and-nvidia-vulns/
Cybersecurity researchers at Veriti have discovered a cyber threat campaign targeting the release of declassified JFK (John F. Kennedy), RFK (Robert F. Kennedy Jr.), and MLK (Martin Luther King Jr.) files. Cybercriminals are, reportedly, exploiting public fascination with these historical documents to conduct various malicious activities, including malware distribution, phishing schemes, and vulnerability exploits. As media attention on the files increased, Veriti Research noted the rapid creation of potentially malicious online infrastructure.
https://hackread.com/scammers-exploit-jfk-files-release-malware-phishing/
Rapid7's vulnerability research team says attackers exploited a PostgreSQL security flaw as a zero-day to breach the network of privileged access management company BeyondTrust in December.
BeyondTrust revealed that attackers breached its systems and 17 Remote Support SaaS instances in early December using two zero-day bugs (CVE-2024-12356 and CVE-2024-12686) and a stolen API key.
https://www.bleepingcomputer.com/news/security/postgresql-flaw-exploited-as-zero-day-in-beyondtrust-breach/
Microsoft has fixed a known issue causing "boot device inaccessible" errors during startup on some Windows Server 2025 systems using iSCSI. "This is observed on servers operating under NDIS Poll Mode booting from an iSCSI LUN," the company explained when it acknowledged the bug in late October.
https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-bug-causing-windows-server-2025-boot-errors/
Dutch Police seize 127 XHost servers, dismantling a bulletproof hoster. The Dutch Police (Politie) dismantled the ZServers/XHost bulletproof hosting operation after taking offline 127 servers used by the illegal platform. Earlier this week, the authorities in the United States, Australia, and the United Kingdom announced sanctions against the same bulletproof hosting provider for its involvement in cybercrime operations. Specifically, the operators of Zservers were accused of facilitating LockBit ransomware attacks and supporting the cybercriminals’ efforts to launder illegally obtained money.
https://www.bleepingcomputer.com/news/legal/dutch-police-seizes-127-xhost-servers-dismantles-bulletproof-hoster/
A hacking group with links to Russian intelligence has been silently compromising computer networks worldwide, including those in the United States and the United Kingdom, by taking advantage of known security vulnerabilities in widely used software.
https://hackread.com/microsoft-badpilot-campaign-seashell-blizzard-usa-uk/
A recent RA World ransomware attack utilized a tool set that took researchers by surprise, given that it has been associated with China-based espionage actors in the past. According to Symantec, the attack occurred in late 2024. The tool set includes a legitimate Toshiba executable named toshdpdb.exe that deploys on a victim's device. It then connects to a malicious dynamic link library (DLL) that deploys a payload containing a PlugX backdoor.
https://www.darkreading.com/cyberattacks-data-breaches/chinese-apt-emperor-dragonfly-ransomware-attack
A notorious state-sponsored Chinese hacking crew has set its sights on U.S. telecommunications companies. Known as RedMike, the well-known group has defied law enforcement efforts to cripple its back-end and halt its cyberattacks. This latest round of attacks targets known flaws in Cisco devices.
https://www.scworld.com/news/chinas-redmike-hackers-taking-aim-at-telcos-via-flaws-in-cisco-gear
A new malware called FinalDraft has been using Outlook email drafts for command-and-control communication in attacks against a ministry in a South American country. Elastic Security Labs discovered the attacks, which rely on a complete toolset that includes a custom malware loader named PathLoader, the FinalDraft backdoor, and multiple post-exploitation utilities. The abuse of Outlook, in this case, aims to achieve covert communications, allowing the attackers to perform data exfiltration, proxying, process injection, and lateral movement while leaving as few traces as possible.
https://www.bleepingcomputer.com/news/security/new-finaldraft-malware-abuses-outlook-mail-service-for-stealthy-comms/
A free-to-play game named PirateFi in the Steam store has been distributing the Vidar infostealing malware to unsuspecting users. The title was present in the Steam catalog for almost a week, between February 6th and February 12th, and was downloaded by up to 1,500 users. The distribution service is sending notices to potentially impacted users, advising them to reinstall Windows out of an abundance of caution.
https://www.bleepingcomputer.com/news/security/piratefi-game-on-steam-caught-installing-password-stealing-malware/
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Apple iOS and iPadOS and Mitel SIP Phones vulnerabilities to its Known Exploited Vulnerabilities catalog.
https://securityaffairs.com/174246/security/u-s-cisa-adds-apple-ios-and-ipados-and-mitel-sip-phones-flaws-to-its-known-exploited-vulnerabilities-catalog.html
Researchers warn that threat actors are exploiting a recently disclosed vulnerability, tracked as CVE-2025-0108, in Palo Alto Networks PAN-OS firewalls.
https://securityaffairs.com/174237/hacking/exploitation-palo-alto-networks-pan-os-firewalls-bug.html
An active campaign from a threat actor potentially linked to Russia is targeting Microsoft 365 accounts of individuals at organizations of interest using device code phishing. The targets are in the government, NGO, IT services and technology, defense, telecommunications, health, and energy/oil and gas sectors in Europe, North America, Africa, and the Middle East. Microsoft Threat Intelligence Center tracks the threat actors behind the device code phishing campaign as 'Storm-237'. Based on interests, victimology, and tradecraft, the researchers have medium confidence that the activity is associated with a nation-state operation that aligns with Russia's interests.
https://www.bleepingcomputer.com/news/security/microsoft-hackers-steal-emails-in-device-code-phishing-attacks/