
This Week in Cybersecurity: Looking Back at Week 3

January 17, 2025 Reading Time: 6 minutes

This Week's Headlines


Microsoft Patches Three Actively Exploited Zero-Day Vulnerabilities in January Update

Microsoft’s January 2025 security update addresses 161 vulnerabilities, including three zero-day flaws in Windows Hyper-V NT Kernel Integration VSP (CVE-2025-21333, CVE-2025-21334, and CVE-2025-21335) that have been actively exploited. These privilege escalation vulnerabilities could allow attackers to gain SYSTEM privileges.

Administrators are strongly advised to apply these updates promptly to mitigate potential security risks.

View Source

Google OAuth Vulnerability Exposes User Accounts via Abandoned Domains

A recently disclosed vulnerability in Google’s “Sign in with Google” OAuth implementation allows attackers to gain unauthorised access to user accounts by acquiring domains of defunct startups.

By recreating former employee email addresses associated with these domains, malicious actors can exploit the OAuth flow to access various services, including Slack, Notion, and Zoom, potentially compromising sensitive data.

Google has acknowledged the issue and recommends that organisations properly close out domains and delete associated user data when ceasing operations. Additionally, third-party applications are advised to utilise unique account identifiers, such as the ‘sub’ field, to enhance security and mitigate this risk.
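An added example, not code from the article or from Google, showing the difference between keying local accounts on the email address and on the `sub` claim; it assumes the ID token's signature, issuer, audience and expiry have already been verified, and all claim values are constructed.

```python
# Added example (not from the article or from Google): map a verified Google ID
# token onto a local account by the stable `sub` claim rather than the email
# address, which a re-registered domain can recreate. Signature, issuer, audience
# and expiry checks are assumed to have happened before these calls.

def resolve_account(store: dict, claims: dict, key_by: str = "sub"):
    """Look up or create the local account for a verified ID token.

    key_by="email" reproduces the weak pattern: whoever controls the address
    (e.g. via a lapsed startup domain) lands in the former user's account.
    key_by="sub" keys on Google's per-user identifier, so a new user holding a
    recycled address gets a fresh, empty account. Returns (account, created).
    """
    if key_by == "sub":
        ident = claims.get("sub")
    elif key_by == "email":
        if not claims.get("email_verified"):
            raise ValueError("refusing to key on an unverified email")
        ident = (claims.get("email") or "").lower()
    else:
        raise ValueError(f"unknown key_by: {key_by}")
    if not ident:
        raise ValueError(f"ID token lacks the '{key_by}' claim")
    key = f"google:{key_by}:{ident}"
    if key in store:
        return store[key], False
    store[key] = {"key": key, "email": claims.get("email"), "name": claims.get("name")}
    return store[key], True

# Constructed claims: a former employee of a startup whose domain lapsed, and a
# later user who re-registered that domain and recreated the same address.
FORMER_EMPLOYEE = {"sub": "110248495921238986420", "email": "alice@defunct-startup.example",
                   "email_verified": True, "hd": "defunct-startup.example", "name": "Alice"}
DOMAIN_BUYER = {"sub": "118372612908764512301", "email": "alice@defunct-startup.example",
                "email_verified": True, "hd": "defunct-startup.example", "name": "Mallory"}
```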

View Source

Fortinet Warns of Zero-Day Exploit Targeting Exposed Firewall Interfaces

Fortinet has issued an alert regarding a campaign exploiting a zero-day vulnerability in FortiGate firewall devices with publicly exposed management interfaces.

Beginning in mid-November 2024, attackers gained unauthorised administrative access, created new accounts, and altered configurations to establish SSL VPN tunnels.

The firmware versions affected range from 7.0.14 to 7.0.16, released between February and October 2024. Organisations are advised to restrict firewall management interface access to trusted users and avoid exposing these interfaces to the internet.

View Source

Expired Domains Enable Control Over Thousands of Compromised Systems

Cybersecurity firm watchTowr Labs has revealed that by acquiring over 40 expired domains for as little as $20 each, they gained control over more than 4,000 web backdoors previously deployed by various threat actors. These backdoors, often web shells like c99shell, r57shell, and China Chopper, were designed to provide persistent remote access to compromised networks.

By registering the abandoned domains used for command-and-control (C2) communications, watchTowr Labs could monitor and potentially commandeer the compromised hosts.

The affected systems included government entities from countries such as Bangladesh, China, and Nigeria, as well as academic institutions across China, South Korea, and Thailand.

View Source

Phishing Scam Impersonates CrowdStrike to Deploy XMRig Cryptominer

Cybersecurity firm CrowdStrike has identified a phishing campaign in which attackers impersonate CrowdStrike recruiters to distribute the XMRig cryptocurrency miner.

Victims receive emails claiming they’ve advanced in a hiring process and are directed to download a fake CRM application.

This malicious software conducts system checks to evade detection before installing the cryptominer, which then operates covertly on the infected machine.

CrowdStrike advises individuals to verify the authenticity of recruitment communications and avoid downloading unsolicited applications.

View Source

Stealthy Credit Card Skimmer Targets WordPress E-commerce Sites via Database Injection

A sophisticated credit card skimmer malware has been discovered targeting WordPress e-commerce websites by injecting malicious JavaScript directly into the site’s database, specifically the wp_options table. This method allows the malware to evade traditional file-based detection mechanisms.

The skimmer activates on checkout pages, either by hijacking existing payment fields or injecting fake credit card forms that mimic legitimate processors like Stripe. It captures sensitive payment information, including credit card numbers, CVV codes, expiration dates, and billing addresses, which is then obfuscated using Base64 encoding and AES-CBC encryption before being transmitted to attacker-controlled domains such as valhafather[.]xyz and fqbe23[.]xyz.

Website administrators are advised to regularly audit their databases and monitor for unauthorised changes to detect and mitigate such threats.
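An added example of the database audit suggested above (not code from the article or from the researchers who reported the skimmer): a heuristic scan of `wp_options` rows for option values that carry an inline script together with other skimmer traits. The indicator names, thresholds and sample rows are constructed; the two domains are the ones the article names.

```python
import re

# Constructed heuristics for a database-resident skimmer: script injected into an
# option value, decoded at runtime, and scoped to the checkout page. Rows would
# normally come from: SELECT option_name, option_value FROM wp_options;
INDICATORS = {
    "inline_script": re.compile(r"<script\b", re.I),
    "base64_decode": re.compile(r"\batob\s*\(", re.I),
    "dynamic_code": re.compile(r"\b(?:eval|Function)\s*\(", re.I),
    "checkout_trigger": re.compile(r"checkout", re.I),
    "long_base64_blob": re.compile(r"[A-Za-z0-9+/]{80,}={0,2}"),
    # Domains named in the report the article summarises (defanged there as [.]).
    "reported_c2": re.compile(r"valhafather\.xyz|fqbe23\.xyz", re.I),
}

def scan_wp_options(rows):
    """Return (option_name, [indicator names]) for every option value that holds
    an inline <script> plus at least one further skimmer indicator."""
    findings = []
    for option_name, option_value in rows:
        text = option_value or ""
        hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
        if "inline_script" in hits and len(hits) >= 2:
            findings.append((option_name, hits))
    return findings

# Constructed sample rows: two benign options and one injected widget entry.
SAMPLE_ROWS = [
    ("siteurl", "https://shop.example"),
    ("widget_block", '{"content":"<p>Free shipping over 50 EUR</p>"}'),
    ("widget_block_2", '<script>if(location.pathname.includes("checkout")){'
                       'var p=atob("ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgiZm9ybSIp");'
                       'eval(p);}</script>'),
]
```

Treat a hit as a lead, not a verdict: legitimate page builders also store markup in `wp_options`, so compare the flagged value against a known-good backup before removing it.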

View Source

AI-Driven Ransomware Group FunkSec Targets Over 85 Victims Using Double Extortion Tactics

A new ransomware group named FunkSec has emerged, claiming over 85 victims since its inception in late 2024.

Utilising artificial intelligence-assisted malware development, FunkSec employs double extortion tactics, combining data theft with encryption to pressure victims into paying ransoms.

Notably, the group demands relatively low ransoms, sometimes as little as $10,000, and sells stolen data to third parties at reduced prices. FunkSec’s operations straddle the line between hacktivism and cybercrime, with many of their leaked datasets recycled from previous hacktivist campaigns, raising doubts about the authenticity of their disclosures.

View Source

Microsoft MFA Outage Blocks Access to Microsoft 365 Apps

On January 13, 2025, Microsoft experienced a Multi-Factor Authentication (MFA) outage that prevented users from accessing Microsoft 365 applications.

The issue primarily affected users authenticating via MFA, with some also reporting problems with MFA registration and reset processes.

Microsoft addressed the situation by redirecting traffic to alternative infrastructure and confirmed that service availability was restored as of 05:51 AM EST on January 13, 2025.

View Source

Hackers Exploit Critical Aviatrix Controller Vulnerability to Deploy Backdoors and Crypto Miners

A critical vulnerability in the Aviatrix Controller cloud networking platform, tracked as CVE-2024-50603, has been actively exploited to deploy backdoors and cryptocurrency miners.

This flaw allows unauthenticated attackers to execute arbitrary code by exploiting improperly sanitised API endpoints. Successful exploitation can lead to unauthorised access and control over cloud environments, posing significant security risks.

Aviatrix has addressed the issue in versions 7.1.4191 and 7.2.4996. Users are strongly advised to apply these patches promptly and restrict public access to the Aviatrix Controller to mitigate potential threats.

View Source

Codefinger Ransomware Group Exploits Compromised AWS Credentials in Extortion Attacks

The ransomware group known as Codefinger has been exploiting compromised AWS credentials to conduct extortion attacks. By leveraging these credentials, Codefinger gains unauthorised access to Amazon S3 buckets, encrypts the data using AWS’s Server-Side Encryption with Customer-Provided Keys (SSE-C), and demands ransom payments for decryption.

This method allows the attackers to utilise AWS’s native encryption features to lock victims out of their own data, making recovery without the decryption key impossible.

Organisations are advised to secure their AWS credentials, restrict the use of SSE-C, and implement robust monitoring to detect and prevent such attacks.
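An added example, not from the article, AWS or any vendor advisory, of two of the controls listed above: a bucket policy that refuses uploads requesting SSE-C, and a scan of CloudTrail S3 data events for writes that used it. The policy condition key is AWS's `s3:x-amz-server-side-encryption-customer-algorithm`; the event field `additionalEventData.SSEApplied` and all sample records are assumptions to confirm against your own logs.

```python
# Added example (not from the article or AWS): defender-side controls for the
# SSE-C abuse described above. CloudTrail field names here are an assumption
# (additionalEventData.SSEApplied); verify them against real S3 data events.

def deny_sse_c_policy(bucket: str) -> dict:
    """Bucket policy denying PutObject requests that ask for SSE-C (AES256 with a
    caller-supplied key); SSE-S3 and SSE-KMS uploads are unaffected."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyCustomerProvidedKeys",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringEquals": {
                "s3:x-amz-server-side-encryption-customer-algorithm": "AES256"}},
        }],
    }

WRITE_EVENTS = {"PutObject", "CopyObject", "CompleteMultipartUpload"}

def sse_c_writes(records):
    """Return (eventTime, principal ARN, bucket, key) for S3 writes that used SSE-C."""
    hits = []
    for r in records:
        if r.get("eventSource") != "s3.amazonaws.com" or r.get("eventName") not in WRITE_EVENTS:
            continue
        params = r.get("requestParameters") or {}
        applied = (r.get("additionalEventData") or {}).get("SSEApplied")
        if applied == "SSE_C" or "x-amz-server-side-encryption-customer-algorithm" in params:
            hits.append((r.get("eventTime"), (r.get("userIdentity") or {}).get("arn"),
                         params.get("bucketName"), params.get("key")))
    return hits

# Constructed CloudTrail records: a routine SSE-KMS upload and an SSE-C overwrite.
SAMPLE_RECORDS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "eventTime": "2025-01-14T02:11:09Z",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/backup-svc"},
     "requestParameters": {"bucketName": "payroll-archive", "key": "2025/01/run.csv"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "eventTime": "2025-01-14T03:40:51Z",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/backup-svc"},
     "requestParameters": {"bucketName": "payroll-archive", "key": "2025/01/run.csv",
                           "x-amz-server-side-encryption-customer-algorithm": "AES256"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
]
```

The same credential performing an SSE-KMS write and then an SSE-C overwrite of the same key is the pattern worth alerting on, since a legitimate workload rarely switches encryption modes mid-run.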

View Source
