Weekly Threat Landscape Digest – Week 4

1. Security Updates – Google Chrome
   Google has released security updates for Chrome, addressing vulnerabilities that could allow attackers to execute arbitrary code, install programs, or manipulate data. The flaws involve object corruption and out-of-bounds memory access in the V8 JavaScript engine.

• Key Vulnerabilities:
  • CVE-2025-0611: Object corruption in V8 (High).
  • CVE-2025-0612: Out-of-bounds memory access in V8 (High).
• Fixed Versions:
  • Chrome 132.0.6834.110/111 for Windows, Mac, and Linux.
  • Chrome 131 (132.0.6834.122) for Android.
• Actions:
  Update Google Chrome to the latest stable version immediately.
• References:
  • https://chromereleases.googleblog.com/2025/01/stable-channel-update-for-desktop.html
  • https://chromereleases.googleblog.com/

2. Security Updates – Jenkins Plugins
   Several vulnerabilities have been identified in Jenkins plugins, exposing systems to risks such as unauthorized credential access and privilege escalation.

• Key Vulnerabilities:
  • GitLab Plugin (CVE-2025-24397): Incorrect permission checks allow credential enumeration (Medium).
  • Bitbucket Server Integration Plugin (CVE-2025-24398): CSRF bypass enables URL manipulation (High).
  • OpenId Connect Authentication Plugin (CVE-2025-24399): Case sensitivity flaw enables user impersonation (High).
  • Zoom Plugin (CVE-2025-0142): Tokens stored in plain text and exposed in configuration forms (Medium and Low).
  • Eiffel Broadcaster Plugin (CVE-2025-24400): Cache confusion vulnerability impacts credential integrity (Medium).
  • Folder-based Authorization Strategy Plugin (CVE-2025-24401): Permission granting flaw enables unauthorized access (Medium).
  • Azure Service Fabric Plugin (CVE-2025-24402, CVE-2025-24403): CSRF and missing permission checks allow manipulation of service configurations (Medium).
• Affected Plugins and Versions:
  • Azure Service Fabric Plugin: Up to version 1.6.
  • Bitbucket Server Integration Plugin: Up to version 4.1.3.
  • Eiffel Broadcaster Plugin: Up to version 2.10.2.
  • Folder-based Authorization Strategy Plugin: Up to version 217.vd5b18537403e.
  • GitLab Plugin: Up to version 1.9.6.
  • OpenId Connect Authentication Plugin: Up to version 4.452.v2849b3945fa.
  • Zoom Plugin: Up to versions 1.3 and 1.5.
• Fix Versions:
  • Bitbucket Server Integration Plugin: 4.1.4.
  • Eiffel Broadcaster Plugin: 2.10.3.
  • GitLab Plugin: 1.9.7.
  • OpenId Connect Authentication Plugin: 4.453.v4d7765c854f4.
  • Zoom Plugin: 1.4 and 1.6.
• Actions:
  Update affected plugins to the latest fixed versions immediately. For plugins without fixes, monitor for updates and implement additional security measures.
• References:
  • https://www.jenkins.io/security/advisory/2025-01-22/

3. RADIUS Protocol Vulnerability in HP Products
   A critical vulnerability (CVE-2024-3596) in the RADIUS protocol has been identified, allowing attackers to bypass authentication and gain unauthorized access to sensitive network resources by exploiting a forgery vulnerability.

• Key Details:
  • CVE ID: CVE-2024-3596
  • Severity: Critical (CVSS 9.0)
  • Attack Method: Man-in-the-middle attackers forge valid Access-Accept responses to bypass authentication.
• Affected Products:
  • EdgeConnect SD-WAN Gateways: All supported software releases.
  • Switches running AOS-CX: All supported software releases.
  • ClearPass Policy Manager: Versions 6.12.1 and below, 6.11.8 and below.
  • AirWave Management Platform: Version 8.3.0.2 and below.
  • Networking Instant On: Switches (1930, 1960) and Access Points with firmware ≤ 3.0.0.0.
  • Refer to the full list of impacted products in the advisory.
• Fixed Versions:
  • ClearPass Policy Manager: 6.12.2+ and 6.11.9+.
  • Switches running AOS-CX: 10.14.1010+ and 10.13.1040+.
  • AirWave Management Platform: Version 8.3.0.3+.
  • Refer to vendor documentation for updates on other products.
• Mitigation Recommendations:
  • Use EAP-TLS or RadSec: Enhance RADIUS security by transitioning to secure protocol versions.
  • Enable Message-Authenticator: Configure in ClearPass Policy Manager to add message protection.
  • Secure Communications: Isolate RADIUS traffic and use VPN tunnels to protect against untrusted access.
• References:
  • https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04662en_us

4. Critical Vulnerability in Cisco Meeting Management REST API
   A critical vulnerability (CVE-2025-20156) in the REST API of Cisco Meeting Management allows remote, authenticated attackers with low privileges to escalate to administrator-level control on affected systems.

• Key Details:
  • CVE ID: CVE-2025-20156
  • Severity: Critical (CVSS 9.9)
  • Cause: Improper authorization enforcement for REST API users.
  • Impact: Exploiting the vulnerability grants administrator control over edge nodes managed by Cisco Meeting Management.
• Affected Products:
  • Cisco Meeting Management: All versions up to 3.9, including versions 3.8 and earlier.
• Not Affected:
  • Cisco Meeting Management version 3.10 and later.
• Fixed Versions:
  • Version 3.8 and earlier: Migrate to a fixed release.
  • Version 3.9: Update to version 3.9.1 or later.
• Mitigation Recommendations:
  • Update to the fixed versions as specified above to mitigate this vulnerability.
• Reference:
  • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sacmm-privesc-uy2Vf8pc

5. Critical Vulnerability in Cisco Meeting Management REST API
   A critical vulnerability (CVE-2025-20156) in Cisco Meeting Management’s REST API allows a remote, authenticated attacker with low privileges to escalate their privileges to administrator-level control on affected systems.

• Key Details:
  • CVE ID: CVE-2025-20156
  • Severity: Critical (CVSS 9.9)
  • Cause: Insufficient authorization enforcement for REST API users.
  • Impact: Exploitation grants administrative control over edge nodes managed by Cisco Meeting Management.
• Affected Products:
  • Cisco Meeting Management: All versions up to 3.9, including versions 3.8 and earlier.
• Not Affected:
  • Cisco Meeting Management version 3.10 and later.
• Fixed Versions:
  • Version 3.8 and earlier: Migrate to a fixed release.
  • Version 3.9: Update to version 3.9.1 or later.
• Mitigation Recommendations:
  • Update to the fixed versions as outlined above to secure systems against this vulnerability.
• Reference:
  • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sacmm-privesc-uy2Vf8pc

6. Security Updates – Oracle
   Oracle’s January 2025 Critical Patch Update addresses 320 security vulnerabilities across multiple products and services, with many being remotely exploitable.

• Key Highlights:
  • Oracle Database Server:
    • 5 patches (2 remotely exploitable).
    • Highest CVSS Score: 7.5.
    • Affects versions: 19.x, 21.x, 23.x.
  • Oracle Communications:
    • 86 patches (59 remotely exploitable).
    • Highest CVSS Score: 9.8.
    • Affects Cloud Native Core, Unified Data Repository, and Session Border Controller.
  • Oracle MySQL:
    • 39 patches (4 remotely exploitable).
    • Highest CVSS Score: 9.1.
    • Affects MySQL Server versions 8.0.40 and prior.
  • Oracle Financial Services Applications:
    • 32 patches (24 remotely exploitable).
    • Highest CVSS Score: 9.8.
    • Affects Oracle Banking and Compliance Studio.
  • Oracle Fusion Middleware:
    • 22 patches (18 remotely exploitable).
    • Highest CVSS Score: 9.8.
    • Impacts WebLogic Server and Identity Manager.
• Recommendations:
  • Apply the updates released in the Oracle January 2025 Critical Patch Update to mitigate identified vulnerabilities.
• Reference:
  • https://www.oracle.com/securityalerts/cpujan2025.html

7. Security Updates – Node.js
   The Node.js project has released updates addressing one high-severity and two medium-severity vulnerabilities, along with highlighting risks in End-of-Life (EOL) versions.

• Key Vulnerabilities:
  1. CVE-2025-23083 – Worker Permission Bypass (High Severity):
     • Affected Versions: Node.js v20.x, v22.x, v23.x.
     • Exploits in diagnostics_channel utility can allow unauthorized access to worker threads, bypassing permissions and accessing sensitive data.
  2. CVE-2025-23084 – Path Traversal in Windows (Medium Severity):
     • Affected Versions: Node.js v18.x, v20.x, v22.x, v23.x.
     • Improper handling of drive names in paths can lead to unauthorized file access.
  3. CVE-2025-23085 – Memory Leak in HTTP/2 Servers (Medium Severity):
     • Affected Versions: Node.js v18.x, v20.x, v22.x, v23.x.
     • Vulnerability in HTTP/2 server implementation can cause resource exhaustion, resulting in denial-of-service (DoS) conditions.
  4. EOL Versions:
     • Vulnerabilities exist in Node.js v17.x and earlier, v19.x, and v21.x. These versions are unsupported and no longer receive patches, leaving users vulnerable.
• Fixed Versions:

• Node.js v18.20.6.
• Node.js v20.18.2.
• Node.js v22.13.1.
• Node.js v23.6.1.

• Recommendations:

• Update to the fixed versions immediately.
• Upgrade from End-of-Life (EOL) versions to supported releases to ensure continued security.

• Reference:

• https://nodejs.org/en/blog/vulnerability/january-2025-security-releases

8. Critical Vulnerability in AdForest WordPress Theme
   A critical vulnerability has been identified in the AdForest WordPress theme, allowing unauthenticated attackers to bypass authentication and gain complete control over affected websites.

• Key Details:
  • CVE: CVE-2024-12857.
  • CVSS Score: 9.8 (Critical).
  • Impact: Authentication bypass via improper OTP verification during login by phone number.
  • Potential Exploits:
    • Full site compromise (e.g., content modification, malicious code injection).
    • Administrative abuse (e.g., new admin accounts, legitimate user lockouts).
    • Phishing and malware distribution campaigns using compromised sites.
• Affected Versions:
  • AdForest theme versions up to and including 5.1.8.
• Fixed Version:
  • AdForest theme version 5.1.9 or later.
• Recommendations:
  • Update to AdForest theme version 5.1.9 or higher.
  • Keep WordPress core files, plugins, and themes updated.
  • Enable multi-factor authentication (MFA) for all accounts.
  • Conduct regular security audits and monitor activity logs.
  • Regularly back up website files and databases.
• Reference:
  • https://www.wordfence.com/threat-intel/vulnerabilities/wordpressthemes/adforest/adforest-518-authentication-bypass

9. Security Updates – Atlassian Products
   Atlassian has disclosed five high-severity vulnerabilities impacting multiple products, including Bitbucket, Confluence, Crowd, Jira, and Jira Service Management. Exploitation could result in remote code execution, denial of service, or unauthorized access to sensitive data.

• Affected Products and Vulnerabilities:
  1. Bitbucket Data Center and Server
     • CVE-2024-38819: Remote code execution (CVSS 7.5).
     • CVE-2024-47072: Denial of service (CVSS 7.5).
  2. Confluence Data Center and Server
     • CVE-2024-38819: Unauthorized access (CVSS 7.5).
     • CVE-2024-47561: Remote code execution (CVSS 7.3).
  3. Crowd Data Center and Server
     • CVE-2024-39338: Server-side request forgery (CVSS 8.6).
  4. Jira Data Center and Server & Jira Service Management
     • CVE-2024-47561: Remote code execution (CVSS 7.3).
• Fixed Versions:

• Bitbucket Data Center and Server: 9.5.0, 9.4.2, 8.19.14, 8.9.24 (LTS).
• Confluence Data Center and Server: 9.2.0 (LTS), 8.5.18 (LTS), 7.19.30 (LTS).
• Crowd Data Center and Server: 6.2.0, 6.1.3, 6.0.6.
• Jira Data Center and Server: 10.3.1 to 10.3.2 (LTS), 9.17.5, 9.12.17 (LTS).
• Jira Service Management Data Center and Server: 10.3.1 to 10.3.2 (LTS), 5.17.5, 5.12.15 (LTS).

• Recommendations:

• Update affected Atlassian products to their respective fixed versions immediately.

• Reference:

• https://confluence.atlassian.com/security/security-bulletin-january-21-2025-1489803942.html 

10. Critical Vulnerabilities in IBM Sterling Secure Proxy
    IBM has disclosed multiple critical vulnerabilities in Sterling Secure Proxy (SSP), potentially enabling attackers to execute malicious code, access sensitive data, or disrupt services.

• Key Vulnerabilities:
  • CVE-2024-41783 (CVSS 9.1):
    • Exploitable by authenticated privileged users to inject commands into the underlying OS.
    • Root Cause: Improper input validation.
  • CVE-2024-38337 (CVSS 9.1):
    • Enables unauthorized access or alteration of sensitive information.
    • Root Cause: Incorrect permission assignments.
  • CVE-2024-25016 (CVSS 7.5):
    • Allows remote unauthenticated attackers to initiate denial-of-service attacks on IBM MQ and IBM MQ Appliance.
    • Root Cause: Incorrect buffering logic.
• Affected Versions and Fixes:
  • CVE-2024-41783 & CVE-2024-38337:
    • 6.0.0.0–6.0.3.0: Update to 6.0.3.1 (Fixpack GA).
    • 6.1.0.0: Update to 6.1.0.1 (Fixpack GA).
    • 6.2.0.0: Update to 6.2.0.0 iFix 01.
  • CVE-2024-25016:
    • Update IBM MQ and IBM MQ Appliance via IBM Fix Central.
• Recommendations:
  • Apply IBM’s recommended fixes and updates immediately.
  • Monitor systems for unauthorized access or unusual behavior.
• References:
  • https://www.ibm.com/support/pages/node/7179166
  • https://www.ibm.com/support/pages/node/7176189

11. 7-Zip Mark-of-the-Web Bypass Vulnerability
    A high-severity vulnerability (CVE-2025-0411) in 7-Zip, a popular file archiver, allows attackers to bypass Windows’ Mark-of-the-Web (MotW) security feature, enabling the execution of malicious code without triggering standard security warnings.

• Key Details:
  • CVE Identifier: CVE-2025-0411
  • CVSS Score: 7.0 (High)
  • Vulnerability Type: Code Execution, Security Feature Bypass
  • Affected Versions: 7-Zip versions prior to 24.09
• Impact:
  • Execution of arbitrary code with user privileges.
  • Bypass of Windows security features for untrusted files.
  • Potential malware delivery and execution without security prompts.
• Fixed Version:
  • 7-Zip version 24.09
• Recommendations:
  • Update all systems to 7-Zip version 24.09 or later.
  • Avoid opening untrusted archives with outdated versions of 7-Zip.
• Reference:
  • https://www.zerodayinitiative.com/advisories/ZDI-25-045/

12. Critical Vulnerability in F5 Traffix SDC

A critical vulnerability (CVE-2024-52316) in Apache Tomcat affects F5 Traffix SDC, allowing authentication bypass under specific configurations.

• Details:
  • CVE ID: CVE-2024-52316
  • CVSS Score: 9.8 (Critical)
  • Impact: Unauthorized access, system compromise, privilege escalation.
  • Affected Products:
    • Apache Tomcat: 11.0.0-M1 through 11.0.0-M26, 10.1.0-M1 through 10.1.30, 9.0.0-M1 through 9.0.95.
    • F5 Traffix SDC: Version 5.2.0.
• Mitigation:
  • Update Apache Tomcat to versions 11.0.0, 10.1.31, or 9.0.96 or later.
  • Monitor F5 for updates to Traffix SDC.
• References:
  • https://my.f5.com/manage/s/article/K000149333?utm_source=f5support&utm_medium=R

13. CERT-UA Impersonation via AnyDesk

Attackers impersonate CERT-UA using AnyDesk to gain unauthorized remote access under the guise of conducting security audits.

• Details:
  • Threat Name: CERT-UA AnyDesk Impersonation
  • Impact: Unauthorized access, data theft, exploitation of trust.
• Mitigation:
  • Verify remote access requests via approved channels.
  • Educate users on social engineering tactics.
  • Monitor and restrict remote access tool usage.
• References:
  • https://www.helpnetsecurity.com/2025/01/20/cert-ua-warns-against-security-audit-requests-via-anydesk/

14. Sneaky 2FA: Exposing a New AiTM Phishing-as-a-Service

Sekoia’s Threat Detection & Research identified “Sneaky 2FA,” an AiTM phishing kit targeting Microsoft 365 accounts through Phishing-as-a-Service (PhaaS).

• Details:
  • Impact: MFA bypass, unauthorized data access, potential BEC attacks.
  • Key Features: Obfuscated phishing pages, anti-analysis measures, Telegram integration for support.
• Mitigation:
  • Enhance email filtering to block phishing attempts.
  • Conduct user awareness training.
• References:
  • https://blog.sekoia.io/sneaky-2fa-exposing-a-new-aitm-phishing-as-a-service/

15.Malicious npm and PyPI Packages Targeting Solana Wallets and Developers

Researchers uncovered malicious npm and PyPI packages targeting Solana wallet keys, exfiltrating data, and deleting files.

• Details:
  • Threat Name: Malicious npm and PyPI Packages
  • Impact: Wallet theft, data exfiltration, persistent backdoors.
• Indicators of Compromise (IoCs):
  • npm: @async-mutex/mutex, solana-transaction-toolkit, dexscreener, etc.
  • PyPI: pycord-self.
• Mitigation:
  • Audit dependencies for typosquatting or malicious activity.
  • Monitor for unexpected SMTP traffic and file deletions.
• References:
  • https://thehackernews.com/2025/01/hackers-deploy-malicious-npm-packages.html

16.Vulnerability in Kubernetes Windows Nodes | CVE-2024-9042 | CVSS: 5.9 (Medium)
A vulnerability in Kubernetes clusters with Windows worker nodes allows attackers to exploit the /logs endpoint to execute arbitrary commands on the host.

• Impact:
  • Host command execution.
  • Compromise of Kubernetes Windows nodes.
  • Increased risk of lateral movement within clusters.
• Mitigation:
  • Upgrade to fixed versions (v1.32.1, v1.31.5, v1.30.9, v1.29.13).
  • Restrict access to the /logs endpoint.
  • Apply network security controls.
• References:
  https://github.com/kubernetes/kubernetes/issues/129654

17.Star Blizzard Spear-Phishing Campaign Targets WhatsApp Accounts
Microsoft Threat Intelligence identified a new Star Blizzard campaign targeting WhatsApp accounts via spear-phishing emails. This marks a significant shift in the group’s tactics, moving from traditional email-based phishing to leveraging WhatsApp’s QR code login process. Victims are lured into scanning malicious QR codes, granting attackers unauthorized access to WhatsApp accounts and their data.
Tactics: Spear-phishing, social engineering
Targets: Government officials, diplomats, researchers, and NGOs involved with Ukraine-related initiatives.

• Key Findings:
  • Initial emails impersonated US government officials and contained broken QR codes to engage targets.
  • A second email contained malicious links redirecting victims to phishing pages mimicking WhatsApp login.
  • Attackers used this method to gain access to sensitive WhatsApp messages.
• Mitigation Recommendations:
  • Be cautious of unsolicited emails, especially those containing QR codes or links.
  • Verify the sender using known contact details.
  • Use Microsoft Defender for Endpoint on mobile devices for anti-phishing capabilities.
  • Enable Safe Links and Safe Attachments in Microsoft Defender for Office 365.
  • Train users on phishing tactics and the risks associated with scanning QR codes.
• References:
  https://www.microsoft.com/en-us/security/blog/2025/01/16/new-star-blizzard-spear-phishing-campaign-targets-whatsapp-accounts/
  https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-341a

18.IoT Botnet Targets Global Organizations with Large-Scale DDoS Attacks

An IoT botnet utilizing malware variants derived from Mirai and Bashlite targets wireless routers and IP cameras, exploiting RCE vulnerabilities and weak credentials to launch DDoS attacks.

• Impact:
  • Large-scale Distributed Denial-of-Service (DDoS) attacks
  • Exploitation of IoT devices in critical sectors like finance, communications, and information technology
• Mitigation:
  • Change default device credentials immediately.
  • Regularly update device firmware.
  • Segment IoT devices into isolated networks.
  • Review router settings and restrict access to minimum necessary functions.
  • Collaborate with service providers to mitigate DDoS traffic at the network level.
• References:
  • https://www.trendmicro.com/en_us/research/25/a/iot-botnet-linked-to-ddosattacks.html

19.New ‘Sneaky 2FA’ Phishing Kit Targets Microsoft 365 Accounts

A new Adversary-in-the-Middle (AiTM) phishing kit named Sneaky 2FA has emerged, targeting Microsoft 365 accounts to steal credentials and bypass two-factor authentication (2FA) codes.

• Details:
  • Distributed as Phishing-as-a-Service (PhaaS) under the brand “Sneaky Log,” using a Telegram bot for licensing and support.
  • Hosted on compromised infrastructure, including WordPress websites.
  • Employs Cloudflare Turnstile challenges, anti-analysis measures, and fake Microsoft authentication pages with blurred backgrounds to deceive victims.
  • Sends phishing emails containing payment receipt PDFs with QR codes, leading to credential harvesting pages.
  • Centralized licensing ensures usage by paying customers.
  • Similarities with other phishing kits like W3LL Panel and Evilginx2 suggest code reuse.
• Impact:
  • Theft of Microsoft 365 credentials and 2FA codes.
  • Unauthorized access to sensitive data and systems.
  • Potential for large-scale Business Email Compromise (BEC) campaigns.
• Mitigation:
  • Enable advanced email filtering to block phishing emails with suspicious QR codes.
  • Use multi-factor authentication apps resistant to AiTM attacks.
  • Educate users to recognize phishing attempts.
  • Monitor for unusual User-Agent sequences, a unique behavior of Sneaky 2FA.
• References:
  • https://thehackernews.com/2025/01/new-sneaky-2fa-phishing-kit-targets.html
  • https://blog.sekoia.io/sneaky-2fa-exposing-a-new-aitm-phishing-as-a-service/

20.Two Ransomware Campaigns Leverage Email Bombing and Teams Vishing

Sophos MDR identified two threat clusters utilizing Microsoft Office 365 services for targeted attacks. These include spam email bombing and Microsoft Teams vishing (voice phishing), aiming to deploy ransomware and exfiltrate data.

STAC5143:

• Techniques:
  • Email bombing (3,000+ spam emails within an hour).
  • Teams-based remote screen control via Java-based backdoors.
  • Malware dropped from SharePoint links and deployed via PowerShell and Python.
• Attribution: Likely linked to FIN7/Sangria Tempest, using modified tactics.

STAC5777:

• Techniques:
  • Teams vishing to trick users into installing Microsoft Quick Assist for remote access.
  • Deployment of malware using side-loaded DLLs via legitimate Microsoft executables.
  • Black Basta ransomware deployment attempt (blocked by Sophos endpoint protection).

Impact:

• Unauthorized access to networks and devices.
• Credential theft, lateral movement, and potential ransomware execution.

Mitigation:

• Restrict Teams communications from external domains.
• Block or limit Quick Assist and other remote tools unless necessary.
• Educate employees on phishing tactics and social engineering.
• References:
  • https://news.sophos.com/en-us/2025/01/21/sophos-mdr-tracks-two-ransomware-campaigns-using-email-bombing-microsoft-teams-vishing/

21.Malicious VS Code Extension Impersonating Zoom

A fake VS Code extension, pretending to be from “Zoom Communications Inc.,” was found stealing Google Chrome cookies by exploiting Microsoft’s CDN.

• Threat Details:
  • Targets Chrome’s cookie storage and Windows system registry.
  • Fetches commands from api.storagehb[.]cn (China-hosted server).
  • Malicious functionality introduced in version 0.2.2 after earlier benign versions.
• Impact:
  • Exfiltration of Chrome cookies and sensitive data.
  • Potential for further system compromise via exploited IDEs.
• Mitigation:
  • Audit and vet extensions thoroughly.
  • Limit extension permissions to essential functions.
  • Train developers to identify suspicious plugins.
• References:
  • https://thehackernews.com/2025/01/new-sneaky-2fa-phishing-kit-targets.html