CyberSecurity Newsletter January 13th, 2025
In this week’s news: CrowdStrike warns of fake job offers, a fake PoC targets hackers, the AI-assisted ransomware FunkSec claims more than 85 victims, SonicWall has an authentication bypass vuln, Ivanti has a remote code execution vuln and PoC, the WordPress plugin Fancy Product Designer has two critical vulns, and Microsoft fixes a OneDrive bug that causes havoc with macOS.
CrowdStrike is warning that a phishing campaign is impersonating the cybersecurity company in fake job offer emails to trick targets into infecting themselves with a Monero cryptocurrency miner (XMRig). The company discovered the malicious campaign on January 7, 2025, and based on the phishing email's content, it likely didn't start much earlier. The attack starts with a phishing email sent to job seekers, supposedly from a CrowdStrike employment agent, thanking them for applying for a developer position at the company.
https://www.bleepingcomputer.com/news/security/fake-crowdstrike-job-offer-emails-target-devs-with-crypto-miners/
Threat actors have created a fake proof-of-concept (PoC) exploit for a critical Microsoft vulnerability, designed to lure security researchers into downloading and executing information-stealing malware, Trend Micro has reported. The fake PoC relates to a critical vulnerability in Microsoft's Windows Lightweight Directory Access Protocol (LDAP), for which a fix was released in the tech giant’s December 2024 Patch Tuesday release.
https://www.infosecurity-magazine.com/news/fake-poc-exploit-researchers/
Indian cryptocurrency exchange WazirX, which suffered a $235 million cyberattack in July 2024, has announced a restructuring plan aimed at compensating affected users. The exchange, reportedly targeted by North Korea’s Lazarus Group, has developed the plan under the supervision of Singapore’s legal system.
https://cointelegraph.com/news/indian-crypto-exchange-wazir-x-charts-recovery-path-after-235-m-cyberattack
Cybersecurity researchers have shed light on a nascent artificial intelligence (AI) assisted ransomware family called FunkSec that sprang forth in late 2024, and has claimed more than 85 victims to date. "The group uses double extortion tactics, combining data theft with encryption to pressure victims into paying ransoms," Check Point Research said in a new report shared with The Hacker News. "Notably, FunkSec demanded unusually low ransoms, sometimes as little as $10,000, and sold stolen data to third parties at reduced prices."
https://thehackernews.com/2025/01/ai-driven-ransomware-funksec-targets-85.html
The Chinese threat actor group known as "Silk Typhoon" has been linked to the December 2024 hack on an agency that's part of the US Department of the Treasury. In the breach, the threat actors were able to use a stolen Remote Support SaaS API key through third-party cybersecurity vendor BeyondTrust to steal data from workstations in the Office of Foreign Assets Control (OFAC). Silk Typhoon, also known as Hafnium, is well known for hitting targets in education, healthcare, defense, and non-governmental organizations.
https://www.darkreading.com/cyberattacks-data-breaches/hacking-group-silk-typhoon-linked-us-treasury-breach
SonicWall is urging customers to upgrade the SonicOS firmware of their firewalls to patch an authentication bypass vulnerability tracked as CVE-2024-53704 (CVSS score of 8.2). The vulnerability resides in SSL VPN and SSH management and, according to the vendor, is “susceptible to actual exploitation.”
https://securityaffairs.com/172823/security/sonicwall-sonicos-authentication-bypass-flaw.html
Exploitation Walkthrough and Techniques - Ivanti Connect Secure RCE (CVE-2025-0282):
https://labs.watchtowr.com/exploitation-walkthrough-and-techniques-ivanti-connect-secure-rce-cve-2025-0282/
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution.
https://github.com/securexploit1/CVE-2025-0282
Premium WordPress plugin Fancy Product Designer from Radykal is vulnerable to two critical severity flaws that remain unfixed in the current latest version. With more than 20,000 sales, the plugin allows customization of product designs (e.g. clothing, mugs, phone cases) on WooCommerce sites by changing colors, transforming text, or modifying the size.
https://www.bleepingcomputer.com/news/security/unpatched-critical-flaws-impact-fancy-product-designer-wordpress-plugin/
Play ransomware, also known as Balloonfly or PlayCrypt, has become a significant cybersecurity threat since its emergence in June 2022. Responsible for over 300 global attacks, this ransomware employs a double extortion model: stealing sensitive data before encrypting files and appending them with the ".PLAY" extension. Victims are pressured to pay ransoms to recover their data and prevent its public release, making Play ransomware particularly dangerous for organizations worldwide.
https://www.cysecurity.news/2025/01/play-ransomware-rising-global.html
Technische Universiteit Eindhoven (TU/e) took its internal network offline Sunday after detecting a cyberattack. As a result, students and staff are unable to access network-dependent services, including email, Wi-Fi, Canvas, and Teams, the university reported in a statement. With the network disabled, no educational activities will take place at least until Monday. The university had planned "limited education" this week, such as makeup sessions and exam preparation.
https://nltimes.nl/2025/01/12/cyberattack-disrupts-classes-tu-eindhoven
A recent Harvard study reveals a chilling milestone in the evolution of cyber threats: AI-driven phishing campaigns are now as effective as human experts. This marks a significant escalation in the sophistication, scalability, and success rates of online scams.
https://hackernoon.com/ai-powered-phishing-the-perfect-storm-of-persuasion
A leading education software maker has admitted its IT environment was compromised in a cyberattack, with students and teachers' personal data – including some Social Security Numbers and medical info – stolen. PowerSchool says its cloud-based student information system is used by 18,000 customers around the globe, including the US and Canada, to handle grading, attendance records, and personal information of more than 60 million K-12 students and teachers.
https://www.theregister.com/2025/01/09/powerschool_school_data/
Google must face a class action privacy lawsuit alleging it collected users’ mobile device data without consent after a judge refused to dismiss the case in a ruling Tuesday. The case, Rodriguez v. Google LLC, which was first filed in 2020, is now scheduled for a federal jury trial on Aug. 18. Chief Judge Richard Seeborg of the U.S. District Court for the Northern District of California in San Francisco said in his ruling it was unclear “from the perspective of a reasonable user” that the plaintiffs were consenting to the data that was collected.
https://www.scworld.com/news/google-class-action-privacy-lawsuit-to-go-forward-after-judges-ruling
Microsoft has fixed a known issue causing macOS applications to freeze when opening or saving files in OneDrive. As Redmond explained when it first acknowledged the bug in November, it affects only systems running the company's latest operating system release, macOS 15 Sequoia. "Opening or saving files within Desktop or Documents folders can cause the file's app to freeze. This occurs on macOS 15," the company said in a support document tracking the recent issues in OneDrive.
https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-onedrive-bug-causing-macos-app-freezes/
A new version of the Banshee macOS stealer was observed; the malware steals browser credentials, cryptocurrency wallets, and other sensitive data. Check Point Research said in a Jan. 9 blog post that it had been monitoring the Banshee infostealer since last September. The researchers said the latest version of Banshee went undetected for two months after introducing string encryption taken from Apple’s XProtect, which likely caused antivirus systems to overlook the macOS malware.
https://www.scworld.com/news/new-banshee-stealer-variant-continues-attacks-on-macos-devices
Cybersecurity threat predictions for 2025: Insights from the dark web:
https://www.ept.ca/2024/12/cybersecurity-threat-predictions-for-2025-insights-from-the-dark-web/
BayMark Health Services, North America's largest provider of substance use disorder (SUD) treatment and recovery services, is notifying an undisclosed number of patients that attackers stole their personal and health information in a September 2024 breach. The Texas-based organization provides medication-assisted treatment (MAT) services targeting both substance use and mental health disorders to more than 75,000 patients daily in over 400 service sites across 35 U.S. states and three Canadian provinces.
https://www.bleepingcomputer.com/news/security/largest-us-addiction-treatment-provider-notifies-patients-of-data-breach/
Medusind, a medical billing provider, disclosed a data breach discovered on December 29, 2023, that impacted 360,934 individuals. Medusind provides medical billing, coding, and revenue cycle management (RCM) services to healthcare organizations, including medical practices, dental practices, and other providers.
https://securityaffairs.com/172870/data-breach/medusind-data-breach.html
The National Police Agency and the National Center of Incident Readiness and Strategy for Cybersecurity warned Japanese organizations of a sophisticated Chinese state-backed cyber-espionage effort called "MirrorFace" to steal technology and national security secrets. Japanese authorities said the advanced persistent threat group (APT) MirrorFace has been operating since 2019.
https://www.darkreading.com/cyberattacks-data-breaches/chinese-apt-group-ransacking-japans-secrets