The Great Google Ads Heist: Criminals Ransack Advertiser Accounts Via Fake Google Ads

TLDR: Criminals are phishing Google Ads advertisers with fake Google ads that lead to counterfeit Google Ads login pages hosted on Google Sites (sites.google.com), so the landing page sits on a Google domain and looks legitimate. Stolen credentials are used to resell advertiser accounts and to bankroll further malicious ad campaigns, which makes profitable ad accounts the prime target. Malwarebytes links most of the activity to Brazilian and Asian groups and argues that the weak point being abused is Google's own ad ecosystem.

https://www.malwarebytes.com/blog/news/2025/01/the-great-google-ads-heist-criminals-ransack-advertiser-accounts-via-fake-google-ads

How to Defend Against Hijacking and Trojanization of Chrome Extensions

Popular, legitimate Chrome extensions were hijacked to steal Facebook credentials in a multi-stage supply-chain attack. The extensions' developers were phished with emails disguised as Google alerts and tricked into granting the attackers the ability to publish updates; the resulting trojanized versions harvested cookies and credentials for Meta services, which the attackers used to place ads from victims' business accounts. Anyone running an affected version was exposed and was advised to uninstall or roll back the compromised update and reset their passwords. The incident shows how a single developer account is enough to turn a trusted extension into malware, and why extension updates need the same supply-chain controls as any other software dependency.

https://www.kaspersky.com/blog/chrome-extension-malicious-updates-and-mitigations/52871/

What’s Happening in the Cybersecurity Market?

The WEF's "Global Cybersecurity Outlook 2025" describes a market growing more complex under the combined pressure of rapid technology change, geopolitical tension, regulatory fragmentation, supply chain risk, and a persistent workforce shortage. Its key issues are supply chain vulnerabilities, geopolitical risk, the impact of AI, increasingly advanced threats, the burden of regulatory compliance, and the talent gap. The report argues for resilience rather than purely preventive defense, and for cross-sector collaboration, as the basis of effective security leadership in a volatile digital landscape.

https://www.insurancebusinessmag.com/us/news/cyber/whats-happening-in-the-cybersecurity-market-520553.aspx

Microsoft January 2025 Patch Tuesday Fixes 8 Zero-days, 159 Flaws

Microsoft's January 2025 Patch Tuesday addresses 159 vulnerabilities, including 8 zero-days, of which 3 were actively exploited and the rest publicly disclosed. Twelve of the fixes are rated critical, spanning remote code execution, information disclosure, and elevation of privilege. Notable entries are the elevation-of-privilege flaws in Windows Hyper-V that were exploited in the wild and remote code execution flaws in Microsoft Access. By category the release comprises 40 elevation of privilege, 58 remote code execution, and assorted security feature bypass, information disclosure, denial of service, and spoofing bugs. Adobe, Cisco, and Fortinet also released updates this month.

https://www.bleepingcomputer.com/news/microsoft/microsoft-january-2025-patch-tuesday-fixes-8-zero-days-159-flaws/

4 Reasons Your SaaS Attack Surface Can No Longer Be Ignored

SaaS sprawl is expanding organizations' attack surfaces and compounding identity, data, and third-party risk. The four reasons to prioritize SaaS security in 2025: 1) SaaS now dominates daily work, so new accounts and integrations appear constantly; 2) SaaS platforms are a frequent target and entry point for attackers; 3) generative AI tools ride on SaaS and need governance of their own; and 4) inadequate SaaS security carries legal and regulatory consequences. Continuous discovery and management of SaaS accounts and integrations is the baseline for reducing this risk and meeting evolving regulations.

https://thehackernews.com/2025/01/4-reasons-your-saas-attack-surface-can.html

Millions of Accounts Vulnerable Due to Google’s OAuth Flaw

Truffle Security reports that "Sign in with Google" can be abused against defunct companies: anyone who buys an expired startup domain can recreate former employees' Google Workspace mailboxes and log in to SaaS products (HR, chat, video conferencing, and others) that key accounts on the e-mail address and hosted domain rather than on a stable user identifier, exposing whatever data those accounts still hold. The researcher estimates that more than 10 million accounts could be affected. Google initially closed the report as "won't fix" but reopened it after the researcher presented the findings. The proposed remedy is for Google to add immutable user and workspace identifiers to its OpenID Connect claims so relying parties can key on them instead of on e-mail; until that happens, the exposure remains.
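The two account-lookup strategies the report contrasts, as an added example that is not Truffle Security's or Google's code. The directory and the two ID-token claim sets are constructed: an employee of an invented startup, and a new owner who re-bought the domain and recreated the same mailbox. The example assumes the OpenID Connect `sub` claim is the stable per-user identifier (the page only says "immutable identifiers") and that token signature verification has already happened.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Account:
    """A SaaS-side user record created at first login."""
    account_id: str
    email: str
    google_sub: str      # OIDC `sub` claim captured at enrollment
    hosted_domain: str   # OIDC `hd` claim captured at enrollment


# Constructed directory of a SaaS product: one record for an employee of a
# startup that later shut down. Domain, name and sub value are invented.
DIRECTORY: List[Account] = [
    Account("acct-001", "alice@defunct-startup.example",
            "10769150350006150715113082367", "defunct-startup.example"),
]

# Constructed ID-token claim sets (signature already verified, by assumption).
ORIGINAL_EMPLOYEE = {
    "email": "alice@defunct-startup.example",
    "email_verified": True,
    "hd": "defunct-startup.example",
    "sub": "10769150350006150715113082367",
}
NEW_DOMAIN_OWNER = {
    # Same mailbox recreated in a fresh Workspace on the re-bought domain:
    # e-mail and hd match the old record, but Google issues a different sub.
    "email": "alice@defunct-startup.example",
    "email_verified": True,
    "hd": "defunct-startup.example",
    "sub": "20394857610293847561029384756",
}


def lookup_by_email(claims: dict) -> Optional[Account]:
    """Vulnerable pattern: e-mail plus hosted domain is the account key.

    Anyone who controls the domain again can mint a token with these values.
    """
    for acct in DIRECTORY:
        if acct.email == claims["email"] and acct.hosted_domain == claims.get("hd"):
            return acct
    return None


def lookup_by_sub(claims: dict) -> Optional[Account]:
    """Hardened pattern: the immutable sub is the account key.

    E-mail is kept for display only; a new Google identity with the same
    address gets a fresh account instead of inheriting the old one.
    """
    for acct in DIRECTORY:
        if acct.google_sub == claims["sub"]:
            return acct
    return None


if __name__ == "__main__":
    print("email-keyed, new owner:", lookup_by_email(NEW_DOMAIN_OWNER))  # old account: takeover
    print("sub-keyed,   new owner:", lookup_by_sub(NEW_DOMAIN_OWNER))    # None: no access
```

Keying on `sub` only helps if the SaaS product stored it at enrollment; migrating an e-mail-keyed directory means re-binding each existing user to their `sub` on their next successful login, and treating an unknown `sub` with a known e-mail as a new user rather than a match.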

https://trufflesecurity.com/blog/millions-at-risk-due-to-google-s-oauth-flaw

Hackers Use FastHTTP in New High-speed Microsoft 365 Password Attacks

Attackers are using the Go fasthttp library to run high-speed brute-force password attacks against Microsoft 365 accounts worldwide through the Azure Active Directory (Entra ID) Graph API, with roughly 10% of attempts ending in a successful sign-in. The campaign began on January 6, 2025, and most traffic originates from Brazil. Besides failed logins, the volume generates multi-factor authentication prompts in bulk, which locks accounts out and pressures users into approving a push. A successful takeover gives the attacker mailbox and data access, so it should be treated as a breach. A PowerShell script published with the report searches the sign-in logs for the fasthttp user agent; administrators who find hits should immediately expire sessions, reset credentials, and review MFA devices on the affected accounts.
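The detection the PowerShell script performs, redone here as an added Python example over constructed sign-in records; it is not the script from the report. The records imitate a simplified Entra ID sign-in log export (field names are my own), and the example assumes the attack client identifies itself with the fasthttp library's default User-Agent string, "fasthttp", as the report describes.

```python
from collections import Counter, defaultdict
from typing import Dict, List

# Default User-Agent of the Go fasthttp client; the indicator the report keys on.
FASTHTTP_UA = "fasthttp"

# Constructed sign-in records (not real log data). Field names are simplified.
SAMPLE_SIGNINS: List[dict] = [
    {"time": "2025-01-06T03:11:02Z", "user": "ana@corp.example", "ua": "fasthttp", "country": "BR", "result": "failure"},
    {"time": "2025-01-06T03:11:03Z", "user": "ana@corp.example", "ua": "fasthttp", "country": "BR", "result": "failure"},
    {"time": "2025-01-06T03:11:05Z", "user": "ana@corp.example", "ua": "fasthttp", "country": "BR", "result": "success"},
    {"time": "2025-01-06T03:12:40Z", "user": "bob@corp.example", "ua": "fasthttp", "country": "BR", "result": "mfa_required"},
    {"time": "2025-01-06T03:12:41Z", "user": "bob@corp.example", "ua": "fasthttp", "country": "TR", "result": "locked_out"},
    {"time": "2025-01-06T08:00:00Z", "user": "cara@corp.example", "ua": "Mozilla/5.0 (Windows NT 10.0) Edge/131.0", "country": "US", "result": "success"},
]


def is_fasthttp(record: dict) -> bool:
    """Case-insensitive substring match on the user agent field."""
    return FASTHTTP_UA in record.get("ua", "").lower()


def summarize_fasthttp(records: List[dict]) -> Dict[str, dict]:
    """Per-user tally of sign-in attempts whose user agent is fasthttp."""
    summary: Dict[str, dict] = defaultdict(
        lambda: {"attempts": 0, "results": Counter(), "countries": set()}
    )
    for r in records:
        if not is_fasthttp(r):
            continue
        s = summary[r["user"]]
        s["attempts"] += 1
        s["results"][r["result"]] += 1
        s["countries"].add(r["country"])
    return dict(summary)


def triage(records: List[dict]) -> Dict[str, List[str]]:
    """Split targeted users into those with at least one success (treat as
    compromised) and those only attempted against (reset anyway, watch MFA)."""
    summary = summarize_fasthttp(records)
    compromised = sorted(u for u, s in summary.items() if s["results"]["success"] > 0)
    targeted = sorted(u for u, s in summary.items() if s["results"]["success"] == 0)
    return {"compromised": compromised, "targeted": targeted}


if __name__ == "__main__":
    for user, s in summarize_fasthttp(SAMPLE_SIGNINS).items():
        print(user, s["attempts"], dict(s["results"]), sorted(s["countries"]))
    print(triage(SAMPLE_SIGNINS))
```

In a real tenant the same logic runs over the sign-in log export (Graph `signIns` or the portal CSV), and a user agent match should be joined with the source country and the MFA outcome before deciding who to lock; a single "success" from this user agent is enough to treat the account as compromised.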

https://www.bleepingcomputer.com/news/security/hackers-use-fasthttp-in-new-high-speed-microsoft-365-password-attacks/

5 Key Cyber Security Trends for 2025

TLDR: Check Point's five trends for 2025: 1) AI as a weapon in cyber warfare and disinformation; 2) ransomware shifting from encryption toward data theft and extortion; 3) infostealers as a growing source of stolen credentials and sensitive data; 4) edge devices (VPNs, firewalls, routers) as the preferred initial entry point; and 5) cloud breaches driven by misconfiguration. The recommendation is proactive risk management and a unified, rather than fragmented, security architecture.

https://blog.checkpoint.com/research/5-key-cyber-security-trends-for-2025/

Analyzing CVE-2024-44243, a macOS System Integrity Protection Bypass Through Kernel Extensions

CVE-2024-44243, reported by Microsoft Threat Intelligence, is a macOS vulnerability that lets a local attacker who already has root bypass System Integrity Protection (SIP) by abusing the Storage Kit daemon (storagekitd), whose private entitlement allows it to load third-party kernel extensions without the usual checks. Bypassing SIP removes the protection that keeps even root from modifying system files, so it opens the door to rootkits, persistent malware, and bypasses of other controls such as TCC. Apple shipped the fix in its December 2024 security updates (macOS Sequoia 15.2) after coordinated disclosure with Microsoft. The research stresses that processes carrying special entitlements are worth monitoring closely, because any of them can become a SIP bypass primitive, and makes the broader case for proactive monitoring and cross-vendor cooperation.

https://www.microsoft.com/en-us/security/blog/2025/01/13/analyzing-cve-2024-44243-a-macos-system-integrity-protection-bypass-through-kernel-extensions/

A Breach of Gravy Analytics’ Huge Trove of Location Data Threatens the Privacy of Millions

Data broker Gravy Analytics suffered a breach exposing location data collected from thousands of smartphone apps. The attacker posted a sample on a cybercrime forum containing more than 30 million location points, enough to reconstruct individuals' movements and to single out vulnerable people, for example by identifying visitors to LGBTQ+ venues. Unacast, Gravy's parent company, reported the breach to data protection authorities after discovering unauthorized access to its cloud environment. Gravy's website is offline while the investigation continues. The breach lands just after an FTC order restricting Gravy's sale of sensitive location data, and shows the privacy cost of the data-broker model regardless of how the data is later used.

https://techcrunch.com/2025/01/13/gravy-analytics-data-broker-breach-trove-of-location-data-threatens-privacy-millions/

Tracking Ransomware : December 2024

CYFIRMA counted 12.38% fewer ransomware incidents in December 2024 than in November. Cl0p resurfaced and the newly observed FunkSec group stood out. Manufacturing was the most targeted sector and the U.S. the most targeted country. Intrusions leaned on exploitation of exposed vulnerabilities and targeted social engineering rather than anything novel, which is the point: the basics of patch management, employee training, and incident response planning still decide most outcomes. Ransomware remains a major business risk and warrants proactive defense.

https://www.cyfirma.com/research/tracking-ransomware-december-2024/

Ransomware on ESXi: The Mechanization of Virtualized Attacks

Ransomware targeting VMware ESXi hosts surged in 2024, with average demands reaching $5 million and roughly 8,000 ESXi hosts exposed directly to the internet. Attackers typically use Babuk-derived lockers, gain access through exposed management interfaces and compromised credentials, and go after the virtual machine disk and configuration files that hold the workloads, using hybrid (asymmetric plus symmetric) encryption so recovery without the key is impractical. Mitigation centers on keeping vCenter and ESXi patched, enforcing MFA on management access, deploying detection on the hypervisor layer, and segmenting management networks from the rest of the estate. Regular security assessments are the way to confirm those controls actually hold for an organization that depends on ESXi.

https://thehackernews.com/2025/01/ransomware-on-esxi-mechanization-of.html

Ransomware Abuses Amazon AWS Feature to Encrypt S3 Buckets

A ransomware actor tracked as "Codefinger" is abusing Amazon S3 Server-Side Encryption with Customer-Provided Keys (SSE-C): with stolen AWS credentials that allow object writes, the attacker rewrites the victim's objects encrypted under a key only the attacker knows and demands a ransom for it. Because AWS never stores the SSE-C key (only a salted HMAC of it appears in logs), there is no recovery path without it. The attacker also applies lifecycle rules that delete the objects within seven days and warns victims not to alter files or permissions. Amazon's guidance is to block SSE-C with policy wherever it is not needed, rotate and revoke exposed credentials, and cut account permissions to the minimum.
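One way to implement the "disable unnecessary SSE-C" advice, as an added example that is not AWS's or BleepingComputer's code: a bucket policy that denies any `s3:PutObject` carrying the SSE-C algorithm header, plus a toy evaluator that shows what the policy blocks and what it leaves alone. The condition key `s3:x-amz-server-side-encryption-customer-algorithm` and the `Null` operator are real IAM policy elements; the evaluator is my own simplification (explicit Deny with `Null` conditions only) and is not the IAM engine. The bucket name and requests are constructed.

```python
import json
from typing import Dict

SSE_C_ALGO_KEY = "s3:x-amz-server-side-encryption-customer-algorithm"


def deny_sse_c_policy(bucket: str) -> dict:
    """Bucket policy denying every PutObject that supplies a customer key.

    "Null": {key: "false"} matches when the condition key IS present, so any
    request that sets the SSE-C algorithm header hits the Deny. SSE-S3 and
    SSE-KMS writes, and all reads, are unaffected.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyCustomerProvidedKeys",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"Null": {SSE_C_ALGO_KEY: "false"}},
        }],
    }


def policy_json(bucket: str) -> str:
    """Serialized form suitable for `aws s3api put-bucket-policy --policy`."""
    return json.dumps(deny_sse_c_policy(bucket), indent=2)


# Request headers and the S3 condition keys the policy engine derives from them.
HEADER_TO_CONDITION_KEY = {
    "x-amz-server-side-encryption-customer-algorithm": SSE_C_ALGO_KEY,
    "x-amz-server-side-encryption": "s3:x-amz-server-side-encryption",
}


def request_context(headers: Dict[str, str]) -> Dict[str, str]:
    """Translate request headers into the condition-key context for evaluation."""
    return {
        HEADER_TO_CONDITION_KEY[h.lower()]: v
        for h, v in headers.items()
        if h.lower() in HEADER_TO_CONDITION_KEY
    }


def null_condition_matches(cond: Dict[str, str], ctx: Dict[str, str]) -> bool:
    """IAM Null semantics: "true" matches an absent key, "false" a present one."""
    for key, want_absent in cond.items():
        present = key in ctx
        if (want_absent == "true") == present:
            return False
    return True


def is_denied(policy: dict, action: str, headers: Dict[str, str]) -> bool:
    """Toy evaluator: explicit Deny statements with Null conditions only.

    Ignores Allow statements, principals, resources and other operators;
    enough to show the effect of the policy above, not a general engine.
    """
    ctx = request_context(headers)
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if action not in actions:
            continue
        null_conds = [v for k, v in st.get("Condition", {}).items() if k == "Null"]
        if all(null_condition_matches(c, ctx) for c in null_conds):
            return True
    return False


if __name__ == "__main__":
    print(policy_json("example-data-bucket"))
    p = deny_sse_c_policy("example-data-bucket")
    print("SSE-C put denied:", is_denied(p, "s3:PutObject",
          {"x-amz-server-side-encryption-customer-algorithm": "AES256"}))
    print("SSE-KMS put denied:", is_denied(p, "s3:PutObject",
          {"x-amz-server-side-encryption": "aws:kms"}))
```

The Deny applies to every principal, including the account's own administrators, which is the intent: it stops a stolen credential from re-encrypting objects under an attacker's key no matter what Allow permissions that credential carries. It does nothing for objects that are already SSE-C encrypted, so it belongs alongside credential rotation, least-privilege review, and versioning or replication that an attacker's lifecycle rule cannot silently purge.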

https://www.bleepingcomputer.com/news/security/ransomware-abuses-amazon-aws-feature-to-encrypt-s3-buckets/

Phishing Texts Trick Apple iMessage Users Into Disabling Protection

iMessage disables links in messages from unknown senders, but replying to the sender (or adding them to contacts) re-enables them. Scammers exploit this by sending lures such as fake delivery or unpaid-toll notices that instruct the recipient to reply (for example "reply Y" or "reply STOP"); the reply turns the embedded link live and also confirms the number is attended, inviting more attempts. The tactic works best on people unaware of why the link was greyed out in the first place. Don't reply to unknown messages whose links are disabled, and verify any claimed sender through a channel you already trust.

https://www.bleepingcomputer.com/news/security/phishing-texts-trick-apple-imessage-users-into-disabling-protection/
