THN Weekly Recap: Top Cybersecurity Threats, Tools and Tips [20 January]
thehackernews.com
As the digital world becomes more complicated, the lines between national security and cybersecurity are starting to fade. Recent cyber sanctions and intelligence moves show a reality where malware and fake news are used as tools in global politics. Every cyberattack now seems to have deeper political consequences. Governments are facing new, unpredictable threats that can't be fought with old-school methods. To stay ahead, we need to understand how cybersecurity is now tied to diplomacy, where the safety of networks is just as important as the power of words.

Threat of the Week

U.S. Treasury Sanctions Chinese and North Korean Entities

The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) levied sanctions against a Chinese cybersecurity company (Sichuan Juxinhe Network Technology Co., LTD.) and a Shanghai-based cyber actor (Yin Kecheng) over their alleged links to the Salt Typhoon and Silk Typhoon threat clusters. Yin was associated with the breach of the Treasury's own network that came to light earlier this month. The department has also sanctioned two individuals and four organizations in connection with the North Korean fraudulent IT worker scheme, which aims to generate revenue for the country by dispatching its citizens to China and Russia to obtain employment at companies across the world using false identities.

Top News

Sneaky 2FA Phishing Kit Targets Microsoft 365 Accounts

A new adversary-in-the-middle (AitM) phishing kit called Sneaky 2FA has seen moderate adoption among malicious actors for its ability to steal credentials and two-factor authentication (2FA) codes from Microsoft 365 accounts since at least October 2024. Because an AitM kit relays the victim's sign-in to the genuine Microsoft login page, it captures the password, the one-time code and the resulting authenticated session; OTP and push-based second factors do not stop this, whereas phishing-resistant methods such as FIDO2/WebAuthn keys do, because the credential is bound to the legitimate origin. The phishing kit is also called WikiKit because site visitors whose IP address originates from a data center, cloud provider, bot, proxy, or VPN are redirected to a Microsoft-related Wikipedia page, a cloaking step that keeps automated scanners and analysts away from the phishing content. Sneaky 2FA also shares some code overlaps with another phishing kit maintained by the W3LL Store.

FBI Deletes PlugX Malware from Over 4,250 Computers

The U.S. Department of Justice (DoJ) disclosed that a court-authorized operation allowed the Federal Bureau of Investigation (FBI) to delete a variant of the PlugX malware from over 4,250 infected computers as part of a "multi-month law enforcement operation." The malware, attributed to the China-nexus Mustang Panda threat actor, is known to spread to other systems via attached USB devices. The disruption is part of a larger effort led by the Paris Prosecutor's Office and cybersecurity firm Sekoia that has resulted in the disinfection payload being sent to 5,539 IP addresses across 10 countries.

Russian Hackers Target Kazakhstan With HATVIBE Malware

The Russian threat actor known as UAC-0063 has been attributed to an ongoing cyber espionage campaign targeting Kazakhstan as part of the Kremlin's efforts to gather economic and political intelligence in Central Asia. The spear-phishing attacks use lures related to the Ministry of Foreign Affairs to drop a malware loader named HATVIBE, which is then used to deploy a backdoor called CHERRYSPY.

Python Backdoor Leads to RansomHub Ransomware

Cybersecurity researchers have detailed an attack that started with a SocGholish infection, which then paved the way for a Python backdoor responsible for deploying RansomHub encryptors throughout the entire impacted network. The Python script is essentially a reverse proxy that connects to a hard-coded IP address and allows the threat actor to move laterally in the compromised network using the victim system as a proxy. A long-lived outbound connection from a Python interpreter to a single external address, followed by internal connections originating from that host, is the kind of behaviour that egress filtering and network-connection telemetry should surface.

Google Ads Users Targeted by Malicious Google Ads

In an ironic twist, a new malvertising campaign has been found targeting individuals and businesses advertising via Google Ads by attempting to phish for their credentials via fraudulent ads on Google. The brazen tactic is being used to hijack advertiser accounts and push more ads to perpetuate the campaign further. Google said the activity violates its policies and that it's taking active measures to disrupt it.

Trending CVEs

Your go-to software could be hiding dangerous security flaws; don't wait until it's too late. Update now and stay ahead of the threats before they catch you off guard. This week's list includes:

- CVE-2025-21333, CVE-2025-21334, CVE-2025-21335 (Windows Hyper-V NT Kernel Integration VSP)
- CVE-2024-55591 (Fortinet)
- CVE-2024-10811, CVE-2024-13161, CVE-2024-13160, CVE-2024-13159 (Ivanti Endpoint Manager)
- CVE-2024-7344 (Howyar Taiwan)
- CVE-2024-52320, CVE-2024-48871 (Planet Technology WGS-804HPT industrial switch)
- CVE-2024-12084 (Rsync)
- CVE-2024-57726, CVE-2024-57727, CVE-2024-57728 (SimpleHelp)
- CVE-2024-44243 (Apple macOS)
- CVE-2024-9042 (Kubernetes)
- CVE-2024-12365 (W3 Total Cache plugin)
- CVE-2025-23013 (Yubico)
- CVE-2024-57579, CVE-2024-57580, CVE-2024-57581, CVE-2024-57582 (Tenda AC18)
- CVE-2024-57011, CVE-2024-57012, CVE-2024-57013, CVE-2024-57014, CVE-2024-57015, CVE-2024-57016, CVE-2024-57017, CVE-2024-57018, CVE-2024-57019, CVE-2024-57020, CVE-2024-57021, CVE-2024-57022, CVE-2024-57023, CVE-2024-57024, CVE-2024-57025 (TOTOLINK X5000R)
- CVE-2025-22785 (ComMotion Course Booking System plugin)
- 44 vulnerabilities in Wavlink AC3000 routers

Around the Cyber World

Threat Actors Advertise Insider Threat Operations

Bad actors have been identified advertising services on Telegram and dark web forums that aim to connect prospective customers with insiders, as well as to recruit people working at various companies for malicious purposes. According to Nisos, some of the messages posted on Telegram request insider access to Amazon in order to remove negative product reviews. Others offer insider services to process refunds. "In one example, the threat actors posted that they would connect buyers to an insider working at Amazon, who could perform services for a fee," Nisos said. "The threat actors clarified that they were not the insider, but had access to one."

U.K. Proposes Banning Ransom Payments by Government Entities

The U.K. government is proposing that all public sector bodies and critical national infrastructure, including the NHS, local councils, and schools, refrain from making ransomware payments in an attempt to hit where it hurts and disrupt the financial motivation behind such attacks. "This is an expansion of the current ban on payments by government departments," the government said. "This is in addition to making it mandatory to report ransomware incidents, to boost intelligence available to law enforcement and help them disrupt more incidents."

Gravy Analytics Breach Leaks Sensitive Location Data

Gravy Analytics, a bulk location data provider that has offered its services to government agencies and law enforcement through its Venntel subsidiary, revealed that it suffered a hack and data breach, threatening the privacy of millions of people around the world whose location information was passed to the data broker by thousands of Android and iOS apps. It's believed that the threat actors gained access to the AWS environment through a "misappropriated" key; a static, long-lived access key is exactly the credential class that key rotation, least-privilege IAM policies and CloudTrail monitoring exist to contain. Gravy Analytics said it was informed of the hack through communication from the threat actors on January 4, 2025. A small sample data set has since been published on a Russian forum containing data for "tens of millions of data points worldwide," Predicta Lab CEO Baptiste Robert said. Much of the data collection is occurring through the advertising ecosystem, specifically a process called real-time bidding (RTB), suggesting that even app developers may not be aware of the practice. That said, it's currently unclear how Gravy Analytics put together the massive trove of location data, and whether the company collected the data itself or from other data brokers. News of the breach comes weeks after the Federal Trade Commission banned Gravy Analytics and Venntel from collecting and selling Americans' location data without consumers' consent.

CISA Issues a Series of Security Guidance

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is urging Operational Technology (OT) owners and operators to integrate secure-by-design elements into their procurement process by selecting manufacturers who prioritize security and meet various compliance standards. It's also advising companies to better detect and defend against advanced intrusion techniques by making use of Microsoft's newly introduced expanded cloud logs in Purview Audit (Standard). Separately, the agency has updated its Product Security Bad Practices guide to include three new bad practices: the use of known insecure or deprecated cryptographic functions, hard-coded credentials, and undefined product support periods. "Software manufacturers should clearly communicate the period of support for their products at the time of sale," CISA said. "Software manufacturers should provide security updates through the entire support period." Lastly, it called on the U.S. government to take the necessary steps to bolster cybersecurity by closing the software understanding gap that, combined with the lack of secure-by-design software, can lead to the exploitation of vulnerabilities. The guidance comes as the European Union's Digital Operational Resilience Act, or DORA, entered into effect on January 17, 2025, requiring both financial services firms and their technology suppliers to improve their cybersecurity posture.

Researchers Demonstrate Antifuse-based OTP Memory Attack

A new study has found that data bits stored in an off-the-shelf Synopsys antifuse memory block, used in Raspberry Pi's RP2350 microcontroller for storing secure boot keys and other sensitive configuration data, can be extracted, thereby compromising secrets. The method relies on a "well-known semiconductor failure analysis technique: passive voltage contrast (PVC) with a focused ion beam (FIB)," IOActive said, adding that "the simple form of the attack demonstrated here recovers the bitwise OR of two physically adjacent memory bitcell rows sharing common metal 1 contacts." That OR is a real limitation of the simple form: a bit read as 0 is known to be 0 in both rows, but a bit read as 1 is ambiguous unless the neighbouring row's contents are known or can be inferred. In a hypothetical physical attack, an adversary in possession of an RP2350 device, as well as access to semiconductor deprocessing equipment and a FIB system, could extract the contents of the antifuse bit cells as plaintext in a matter of days.

Biden Administration Issues Executive Order to Improve U.S. Cybersecurity

Outgoing U.S. President Joe Biden signed a sweeping executive order that calls for securing federal communications networks against foreign adversaries; issuing tougher sanctions for ransomware gangs; requiring software and cloud providers to develop more secure products and follow secure software development practices; enabling encryption by default across email, instant messaging, and internet-based voice and video conferencing; adopting quantum-resistant encryption within existing networks; and using artificial intelligence (AI) to boost America's cyber defense capabilities. In a related development, the Commerce Department finalized a rule banning the sale or import of connected passenger vehicles that integrate certain software or hardware components from China or Russia. "Connected vehicles yield many benefits, but software and hardware sourced from the PRC and other countries of concern pose grave national security risks," said National Security Advisor Jake Sullivan, noting that the rule aims to protect the country's critical infrastructure and automotive supply chain. The White House said the move will help the U.S. defend itself against Chinese cyber espionage and intrusion operations. Over the past week, the Biden administration has also released an Interim Final Rule on Artificial Intelligence Diffusion that seeks to prevent the misuse of advanced AI technology by countries of concern.

Expert Webinar

Simplify, Automate, Secure: Digital Trust for Enterprises

Managing digital trust isn't just a challenge; it's mission-critical. Hybrid systems, DevOps workflows, and compliance demands have outgrown traditional tools. DigiCert ONE is here to change the game. In this webinar, you'll discover how to:

- Simplify: Centralized certificate management to reduce complexity and risk.
- Automate: Streamline trust operations across systems.
- Secure: Meet compliance demands with advanced tools.
- Modernize: Keep up with DevOps with smarter software signing.

From IoT to enterprise IT, DigiCert ONE equips you to secure every stage of digital trust.

Cybersecurity Tools

AD-ThreatHunting: Detect and stop threats like password sprays, brute force attacks, and admin misuse with real-time alerts, pattern recognition, and smart analysis tools. With features like customizable thresholds, off-hours monitoring, and multi-format reporting, staying secure has never been easier. Plus, test your defenses with built-in attack simulations to ensure your system is always ready.

OSV-SCALIBR: A powerful open-source library that builds on Google's expertise in vulnerability management, offering tools to secure your software at scale. It supports scanning installed packages, binaries, and source code across Linux, Windows, and macOS, while also generating SBOMs in SPDX and CycloneDX formats. With advanced features like container scanning, weak credential detection, and optimization for resource-constrained environments, OSV-SCALIBR makes it easier than ever to identify and manage vulnerabilities.

Tip of the Week

Monitor, Detect, and Control Access with Free Solutions

In today's complex threat landscape, advanced, cost-effective solutions like Wazuh and LAPS offer powerful defenses for small-to-medium enterprises. Wazuh, an open-source SIEM platform, pairs its agents and manager with the Elastic Stack or its own OpenSearch-based indexer for real-time threat detection, anomaly monitoring, and log analysis, enabling you to spot malicious activities early. Meanwhile, LAPS (Local Administrator Password Solution, now built into Windows as Windows LAPS) automates the rotation and management of local admin passwords so that each machine has a unique one, which removes the shared local credential that lateral movement relies on and ensures that only authorized users can retrieve it. Together, these tools provide a robust, multi-layered defense strategy, giving you the ability to detect, respond to, and mitigate threats efficiently without the high cost of enterprise solutions.

Conclusion

The digital world is full of challenges that need more than just staying alert; they need new ideas, teamwork, and toughness. With threats coming from governments, hackers, and even people inside organizations, the key is to be proactive and work together. This recap's events show us that cybersecurity is about more than defense; it's about creating a safe and trustworthy future for technology.
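The spray-versus-brute-force distinction that AD-ThreatHunting and a SIEM such as Wazuh alert on comes down to counting failed logons per source over a sliding window along two axes: how many distinct accounts were targeted, and how many attempts hit a single account. The following is an added example written for this recap, not code from AD-ThreatHunting, Wazuh or LAPS; it runs that logic over a constructed set of Windows Event ID 4625 records. The thresholds, the ten-minute window and the 08:00-18:00 weekday business-hours definition are assumptions.

```python
"""Password-spray and brute-force detection over Windows failed-logon events.

Added example for this recap, not code from AD-ThreatHunting, Wazuh or LAPS.
The event tuples, thresholds and business-hours definition are assumptions
chosen to make both patterns visible on constructed data.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Event ID 4625 (logon failure) records reduced to
# (timestamp, source IP, target account). Made-up values, not real logs.
SAMPLE_EVENTS = [
    # One source trying one guess against each of many accounts: a spray.
    ("2025-01-20T09:00:05", "10.0.0.23", "alice"),
    ("2025-01-20T09:00:11", "10.0.0.23", "bob"),
    ("2025-01-20T09:00:17", "10.0.0.23", "carol"),
    ("2025-01-20T09:00:24", "10.0.0.23", "dave"),
    ("2025-01-20T09:00:30", "10.0.0.23", "erin"),
    ("2025-01-20T09:00:36", "10.0.0.23", "frank"),
    # A user mistyping a password twice during the day: benign noise.
    ("2025-01-20T14:02:00", "10.0.0.5", "grace"),
    ("2025-01-20T14:02:20", "10.0.0.5", "grace"),
] + [
    # One source hammering one service account at 02:10 on a Monday:
    # brute force, and outside business hours.
    ("2025-01-20T02:10:%02d" % (5 * i), "10.0.0.77", "svc_backup")
    for i in range(8)
]


def is_off_hours(ts, start_hour=8, end_hour=18):
    """Weekend, or outside the assumed 08:00-18:00 local business window."""
    return ts.weekday() >= 5 or not (start_hour <= ts.hour < end_hour)


def detect(events, window=timedelta(minutes=10), spray_users=5, brute_attempts=5):
    """Return one alert per source IP and pattern whose failures inside the
    sliding `window` reach a threshold: distinct target accounts (spray) or
    repeated attempts on a single account (brute force)."""
    by_source = defaultdict(list)
    for raw_ts, source, user in sorted(events):   # ISO timestamps sort lexically
        by_source[source].append((datetime.fromisoformat(raw_ts), user))

    alerts = []
    for source, failures in by_source.items():
        recent = deque()   # failures still inside the window for this source
        fired = set()      # (pattern, user) pairs already alerted on
        for ts, user in failures:
            recent.append((ts, user))
            while ts - recent[0][0] > window:   # expire events older than the window
                recent.popleft()
            distinct = {u for _, u in recent}
            if len(distinct) >= spray_users and ("spray", None) not in fired:
                fired.add(("spray", None))
                alerts.append({"type": "password_spray", "source": source,
                               "distinct_users": len(distinct),
                               "window_end": ts.isoformat(),
                               "off_hours": is_off_hours(ts)})
            attempts = sum(1 for _, u in recent if u == user)
            if attempts >= brute_attempts and ("brute", user) not in fired:
                fired.add(("brute", user))
                alerts.append({"type": "brute_force", "source": source,
                               "target_user": user, "attempts": attempts,
                               "window_end": ts.isoformat(),
                               "off_hours": is_off_hours(ts)})
    return alerts


def run_sample():
    """Run the detector over the constructed events with default thresholds."""
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The thresholds are deliberately parameters: a "low and slow" spray at one attempt per account per hour never reaches five distinct users inside a ten-minute window, so production rules run the same counting at several window sizes. The off-hours result is attached to the alert as a severity signal rather than used as a gate, so daytime attacks are not suppressed; the two-failure noise from the third source is correctly ignored.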