Tag

Threat Actors

All articles tagged with #threat actors

Chinese Hackers Exploit Microsoft SharePoint Vulnerability in Global Cyberattack

Originally Published 5 months ago — by Microsoft


Microsoft has issued security updates for on-premises SharePoint servers to address active exploitation by Chinese state-sponsored threat actors of vulnerabilities CVE-2025-49706 and CVE-2025-49704, which are being used to deploy web shells and steal machine keys. Organizations are urged to apply the updates, enable AMSI and Defender Antivirus, rotate server keys, and monitor for indicators of compromise.

Latrodectus Malware: Evading Sandboxes and Replacing IcedID

Originally Published 1 year ago — by The Hacker News


A new malware family called Latrodectus has been discovered. It is distributed through email phishing campaigns and designed to retrieve payloads and execute arbitrary commands. It is linked to the threat actors behind the IcedID malware and is primarily used by initial access brokers to deploy other malware. Latrodectus has been employed in email threat campaigns by TA578, includes functionality to detect and evade sandboxed environments, and shares infrastructure with IcedID.

OpenAI's Battle Against State-Sponsored Hackers Using ChatGPT

Originally Published 1 year ago — by BleepingComputer


OpenAI has removed accounts used by state-sponsored threat groups from Iran, North Korea, China, and Russia that were misusing ChatGPT for malicious purposes. The threat actors used the large language models to enhance their strategic and operational capabilities, including reconnaissance, social engineering, and general information gathering. OpenAI will continue to monitor and disrupt state-backed hackers using specialized monitoring technology and information from industry partners, and aims to evolve its safeguards based on lessons learned from these actors' abuse.

Rising Threat: USB Malware Exploits News and Media Platforms

Originally Published 1 year ago — by BleepingComputer


Hackers linked to UNC4990 are using USB devices to initiate attacks, with payloads hosted on legitimate platforms such as GitHub, Vimeo, and Ars Technica. These payloads, disguised as harmless text strings, are used to download and execute malware. The attackers have targeted users in Italy and have made over $55,000 in profit through a backdoor named QUIETBOARD, which also mines cryptocurrency and has a range of other capabilities. Although the payloads have been removed from the affected platforms, the use of trusted sites and covert hosting makes the malicious code difficult to detect and remove, highlighting the ongoing threat of USB-based malware and the challenge it poses to conventional security controls.

Ivanti Issues Patches for Active Zero-Day Exploits in Connect Secure VPN

Originally Published 1 year ago — by BleepingComputer


Ivanti has warned of two new vulnerabilities affecting its Connect Secure, Policy Secure, and ZTA gateways, including a zero-day bug (CVE-2024-21893) that is being actively exploited to bypass authentication and access restricted resources. A second flaw (CVE-2024-21888) enables threat actors to escalate privileges to those of an administrator. Patches and mitigation measures have been released; over 460 compromised devices were discovered on January 30 alone. The vulnerabilities have been exploited in widespread attacks targeting government, military, telecom, finance, and technology organizations, with custom malware strains deployed to steal credentials and drop additional malicious payloads.

Ivanti's Battle Against Zero-Day Exploits: Updates, Mitigations, and Delays

Originally Published 1 year ago — by CISA

CISA has issued an alert urging organizations to follow updated guidance and apply software updates from Ivanti to defend against vulnerabilities in Ivanti Connect Secure and Policy Secure gateways. The vulnerabilities, which include privilege escalation and server-side request forgery, could be exploited by threat actors to take control of affected systems. CISA recommends continuous threat hunting, monitoring of authentication and account usage, and isolation of affected systems. Organizations are advised to apply patches as they become available and to continue hunting on their networks for any compromise that may have occurred before the patches were applied. This guidance supplements CISA's previous mitigation and detection advice.

New Godzilla Web Shell Attacks Exploit Apache ActiveMQ Flaw

Originally Published 2 years ago — by The Hacker News


Cybersecurity researchers have observed an increase in threat actor activity exploiting a patched flaw in Apache ActiveMQ to deploy the Godzilla web shell, which evades security controls and enables remote code execution. The web shell is concealed within an unknown binary format, allowing it to bypass security scanners, and is being used to deploy ransomware, rootkits, cryptocurrency miners, and DDoS botnets. Users of Apache ActiveMQ are urged to update to the latest version.

Urgent: Update Chrome Now to Patch Actively Exploited Zero-Day Vulnerability

Originally Published 2 years ago — by The Hacker News


Google has released updates to address four security issues in Chrome, including an actively exploited zero-day vulnerability (CVE-2024-0519) in the V8 JavaScript and WebAssembly engine, which could allow threat actors to trigger a crash and potentially exploit heap corruption. The nature of the attacks and the threat actors involved have not been disclosed, to avoid aiding further exploitation. Users are urged to update to Chrome version 120.0.6099.224/225 for Windows, 120.0.6099.234 for macOS, and 120.0.6099.224 for Linux; users of Chromium-based browsers should apply the corresponding updates as they become available.

New Windows Malware Bypasses Defender to Steal Crypto: How to Protect Your PC

Originally Published 2 years ago — by The Hacker News


Threat actors are exploiting a patched security flaw in Microsoft Windows, CVE-2023-36025, to deploy Phemedrone Stealer, an open-source information stealer that targets web browsers, cryptocurrency wallets, and messaging apps. The flaw allows attackers to bypass Windows Defender SmartScreen by tricking users into clicking malicious Internet Shortcut files, which leads to the execution of a control panel file that ultimately downloads and runs the stealer. Although the flaw has been patched, threat actors continue to exploit it on unpatched systems and evade protections, highlighting the need for timely patching and ongoing vigilance.

Government Servers Breached by Hackers Exploiting Adobe ColdFusion Vulnerability

Originally Published 2 years ago — by The Hacker News


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about the active exploitation of a high-severity Adobe ColdFusion vulnerability by unidentified threat actors to gain initial access to government servers. The vulnerability, CVE-2023-26360, allows for arbitrary code execution and affects outdated versions of ColdFusion 2018 and ColdFusion 2021. At least two public-facing servers were compromised, and the attackers were able to drop malware and perform reconnaissance activities. No data exfiltration has been observed, but the threat actors attempted to decrypt passwords using the seed values found in the ColdFusion seed.properties file.

Microsoft's November Patch Tuesday Addresses 5 New Zero-Day Vulnerabilities

Originally Published 2 years ago — by The Hacker News


Microsoft has released patch updates to address 63 security bugs in its software, including three zero-day vulnerabilities that are being actively exploited. The zero-day vulnerabilities include a Windows SmartScreen security feature bypass, elevation of privilege flaws in the Windows DWM Core Library and the Windows Cloud Files Mini Filter Driver, an ASP.NET Core denial of service vulnerability, and a Microsoft Office security feature bypass. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the three actively exploited zero-days to its Known Exploited Vulnerabilities catalog and urges federal agencies to apply the fixes. Other vendors have also released security updates to address vulnerabilities in their software.

Google Exposes Potential Calendar Service Exploitation by Hackers as Covert C2 Channel

Originally Published 2 years ago — by The Hacker News


Google has issued a warning about threat actors sharing a proof-of-concept exploit that uses its Calendar service as command-and-control (C2) infrastructure. The tool, known as Google Calendar RAT (GCR), creates a covert channel by abusing event descriptions in Google Calendar, making it difficult for defenders to distinguish the traffic from legitimate use. This highlights the ongoing interest of threat actors in abusing cloud services to blend in with victim environments. Google's Threat Analysis Group has disabled the attacker-controlled Gmail accounts used by the malware.

Okta's Support System Breach Exposes Customer Data and Causes Stock Plunge

Originally Published 2 years ago — by The Hacker News


Okta, an identity services provider, disclosed a security incident in which threat actors used stolen credentials to access its support case management system, allowing them to view files uploaded by certain Okta customers. The company emphasized that its production Okta service was not impacted, but warned that the support system breach exposed sensitive data, including session tokens. Okta has worked with affected customers to revoke session tokens and prevent abuse. BeyondTrust and Cloudflare confirmed they were targeted in the attack, with Cloudflare stating that the threat actor compromised two employee accounts within the Okta platform. Okta has faced multiple security incidents in recent years because of its status as a high-value target.

Beware of Malware-Infested Bing Chat Ads

Originally Published 2 years ago — by The Hacker News


Malicious ads are being served through Microsoft Bing's AI-powered chatbot, leading users to malware-distributing sites. Cybersecurity researchers have discovered that users can be tricked into visiting booby-trapped sites and installing malware directly from Bing Chat conversations. Threat actors are leveraging malvertising tactics to insert ads into Bing Chat conversations, placing fraudulent links ahead of the official sites hosting the tools users are looking for. The malware delivered through these campaigns is currently unknown. This revelation comes as other cybersecurity firms uncover multi-step campaigns targeting the hospitality sector that use social engineering and phishing techniques to steal customer information and financial data. Users are advised to be cautious of unsolicited links, suspicious messages, and deceptive URLs.

Hackers Exploit Windows Policy Loophole to Forge Kernel-Mode Driver Signatures and Target Chinese-speaking Microsoft Users

Originally Published 2 years ago — by The Hacker News


Threat actors, primarily native Chinese speakers, are exploiting a Microsoft Windows policy loophole to forge signatures on kernel-mode drivers. By altering the signing date of a driver, malicious and unverified drivers signed with expired certificates can be loaded onto systems, giving the attacker complete control of the compromised machine. Microsoft has blocked all certificates and suspended the developer program accounts involved in the incident. The weakness in Windows certificate policy allows threat actors to deploy thousands of malicious signed drivers without submitting them for verification. Open-source tools such as HookSignTool and FuckCertVerifyTimeValidity are used to forge the signatures.