A
From the CISO series, it's Cybersecurity Headlines.
B
These are the cybersecurity headlines for Wednesday, January 22, 2025. I'm Rich Stroffolino.

7-Zip flaw bypasses Windows security warnings

Mark of the Web, or MOTW, is a metadata identifier used in Windows that marks files downloaded from the Internet as potentially unsafe, giving a pop-up warning to users when they're opening them and opening them in Protected View. The popular file archiver 7-Zip added MOTW support in 2022. However, Trend Micro issued an advisory noting that attackers can use maliciously crafted sites and archives without triggering typical MOTW warnings. 7-Zip developer Igor Pavlov actually patched the flaw in November 2024, but given the utility lacks an auto-update feature, a significant number of installs likely remain vulnerable.

Attackers impersonate Ukraine's CERT-UA

Ukraine's Computer Emergency Response Team, or CERT-UA, released a report documenting how threat actors use the remote desktop tool AnyDesk to infiltrate their network. These attackers would send connection requests from a compromised AnyDesk account claiming to do a security audit. CERT-UA does use AnyDesk for some cyber incident response procedures, but said these are always done with prior agreement over secure communication channels. The organization did not provide details about what the campaign obtained or who operated the attacks. Ukraine's State Service for Special Communications and Information Protection said it saw cyber incidents increase 70% on the year in 2024 to 4,300 incidents, mostly from suspected Russian state-backed threat groups.

AI executive order revoked

President Trump wasted no time in revoking a 2023 executive order that required developers of AI systems to share safety test information with the US government prior to public release. That order also directed federal agencies to set standards for testing new AI models, including for cybersecurity risks. Revoking the order was part of the 2024 Republican Party platform, so the move is no surprise.
In a separate move, President Trump also signed an executive order that states the federal government will not enforce the Protecting Americans from Foreign Adversary Controlled Applications Act for 75 days. This was the bill that banned mobile app stores from hosting TikTok. This time will be used to review sensitive intelligence and mitigation measures from ByteDance to assuage national security concerns. It will also give more time for ByteDance to potentially sell TikTok.

Mirai variant hits IP cameras and routers

Researchers at Qualys documented this new variant of the pernicious botnet, dubbed Murdoc Botnet. This targets flaws in AvTech IP cameras and Huawei routers, infecting over 1,300 systems since July 2024. Most infections occurred across Indonesia, Malaysia, Mexico, Thailand and Vietnam, ultimately used to support denial of service attacks. The researchers found that Murdoc Botnet exploits known vulnerabilities to gain access to IoT devices before running a shell script to get a next-stage payload.

And now, thanks to today's episode sponsor Vanta. Do you know the status of your compliance controls right now? Like right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs we rely on point-in-time checks. But more than 9,000 companies have continuous visibility into their controls with Vanta. Vanta brings automation to evidence collection across 35 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get started at vanta.com/headlines. That's V-A-N-T-A dot com slash headlines.

GDPR fines fell in 2024

For the first time since going into effect in May 2018, the annual amount of fines issued for violations of the EU's GDPR statute fell on the year in 2024, down 59% to 1.2 billion euros.
Part of this decrease is from the outsize effect of a 2023 fine, which included a 1.2 billion euro fine against Meta for data transfer practices. Still, even if we exclude that large fine, 2024 fines were down 30% on the year. The Irish Data Protection Commission issued the largest GDPR fine last year, with a 310 million euro fine against LinkedIn for how it processed personal data in advertising.

MikroTik routers used for spam botnet

Researchers at Infoblox released a report documenting a botnet of roughly 13,000 MikroTik routers used for spam campaigns. The botnet takes advantage of misconfigured DNS records to pass email protection techniques, making its messages appear to come from legitimate domains. The researchers initially spotted a campaign using the botnet in November 2024 that used lures for freight invoices to launch further payloads that used a PowerShell script to contact a C2 server for further instructions. It appears various firmware revisions remain vulnerable to the botnet, and the initial access vector is unknown.

Zendesk subdomains used in attacks

An analysis by CloudSEK shows how threat actors are using free trial subdomains with the customer support SaaS provider Zendesk to create seemingly legitimate-looking URLs. These domains are used to create phishing emails under the guise of customer support tickets and other support messages. Attackers can further augment these efforts by creating customized Zendesk help center documentation that matches a spoofed company. Threat actors will commonly use keywords tied to brands in these domains, and CloudSEK found almost 2,000 such instances since 2023. Zendesk emails generally get past email filters, increasing the chance of click-through. CloudSEK passed along a series of potential changes in the free domain structure to better defend against this practice.

Microsoft Teams used in IT support campaign
Sophos researchers documented a campaign by a threat actor, STAC5143, that uses email bombing to set up a call for IT support. The attacks initially hammer a potential victim with up to thousands of messages over several minutes. Then they place an external Teams call acting as a help desk manager to resolve the issue with a remote screen control session. On this session, the attackers drop a Proton VPN executable with a malicious DLL to create a C2 communication channel, as well as install the pentest tool RPivot to create a SOCKS4 proxy. While Sophos researchers stopped the attack, it's believed the final goal was to steal data and deploy ransomware. The group FIN7 has used RPivot in attacks in the past, but Sophos didn't have high confidence attaching these attacks to that larger threat group.

We're thrilled to be hosting our first Super Cyber Friday event of the new year. This week, join us for an hour-long conversation all about hacking platformization. We're moving the conversation beyond the simple best-of-breed versus platform dynamic and considering how to better stitch together data, tools and processes as the basis for your security program. It's happening this Friday at 1pm Eastern, 10am Pacific. Head on over to the events page at cisoseries.com to register. We hope to see you there.

Reporting for the CISO Series, I'm Rich Stroffolino, reminding you to have a super sparkly day.
A
Cybersecurity headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Cyber Security Headlines: January 22, 2025 Hosted by CISO Series
In the latest episode of Cyber Security Headlines, host Rich Stroffolino covers a series of critical issues shaping the information security landscape as of January 22, 2025. From vulnerabilities in widely used software to geopolitical cyber threats and regulatory changes, this episode provides a comprehensive overview of the current cybersecurity environment. Below is a detailed summary of the key topics discussed, enriched with notable quotes and timestamps for context.
Timestamp: [00:06]
Overview: Rich begins the episode by addressing a significant vulnerability in the popular file archiver, 7-Zip. Mark of the Web (MOTW) flags downloaded files as potentially unsafe, prompting Windows to issue security warnings, and 7-Zip added support for it in 2022. However, Trend Micro identified that malicious actors could bypass MOTW warnings using specially crafted sites and archives.
Key Points:
Notable Quote: Rich states, “7-Zip developer Igor Pavlov actually patched the flaw in November 2024, but given the utility lacks an auto-update feature, a significant number of installs likely remain vulnerable” ([00:06]).
Implications: Organizations and individual users are urged to manually update their 7-Zip installations to mitigate potential risks until an auto-update feature is implemented.
Timestamp: [00:45]
Overview: The episode highlights alarming activities where threat actors impersonate Ukraine’s Computer Emergency Response Team (CERT-UA) to infiltrate networks using the remote desktop tool AnyDesk.
Key Points:
Notable Quote: Rich explains, “Attackers impersonate Ukraine's CERT UA… claiming to do a security audit” ([00:45]).
Implications: This tactic underscores the importance of verifying the authenticity of security communications and reinforces the need for secure communication channels to prevent unauthorized access.
Timestamp: [02:15]
Overview: In a significant policy shift, President Trump rescinded a 2023 executive order mandating AI system developers to share safety test data with the U.S. government before public release. Additionally, the administration halted the enforcement of the Protecting Americans from Foreign Adversary Controlled Applications Act for 75 days.
Key Points:
Notable Quote: Rich notes, “Revoking the order was part of the 2024 Republican Party platform, so the move is no surprise” ([02:15]).
Implications: The reversal may impact the regulation and safety standards of AI deployments in the U.S., potentially affecting both innovation and national security considerations.
Timestamp: [03:30]
Overview: Researchers at Qualys uncovered a new variant of the notorious Mirai botnet, termed the Murdoc Botnet, which targets vulnerabilities in AvTech IP cameras and Huawei routers.
Key Points:
Notable Quote: Rich summarizes, “Murdoc Botnet exploits known vulnerabilities to gain access to IoT devices before running a shell script to get a next-stage payload” ([03:30]).
Implications: Organizations using AvTech IP cameras and Huawei routers should apply security patches promptly and consider enhancing their IoT security measures to prevent similar breaches.
Timestamp: [04:20]
Overview: The European Union witnessed a notable decrease in GDPR fines for the first time since its implementation in May 2018. The total fines issued in 2024 dropped by 59%, amounting to 1.2 billion euros.
Key Points:
Notable Quote: Rich observes, “GDPR fines fell in 2024 for the first time since going into effect in May 2018, the annual amount of fines issued for violations of the EU's GDPR statute fell on the year in 2024, down 59% to 1.2 billion euros” ([04:20]).
Implications: While the overall decrease is encouraging, the substantial fines against major companies like LinkedIn highlight ongoing compliance challenges and the need for robust data protection practices.
Timestamp: [05:10]
Overview: Infoblox researchers identified a botnet comprising approximately 13,000 MikroTik routers utilized in spam campaigns. This botnet exploits misconfigured DNS records to bypass email protection systems, making spam emails appear legitimate.
Key Points:
Notable Quote: Rich states, “The botnet takes advantage of misconfigured DNS records to pass email protection techniques, making its messages appear to come from legitimate domains” ([05:10]).
Implications: Organizations relying on MikroTik routers should ensure their devices are updated with the latest firmware and properly configured to prevent exploitation by such botnets.
Timestamp: [06:05]
Overview: CloudSEK's analysis revealed that threat actors are leveraging free trial subdomains from Zendesk to craft convincing phishing emails. These emails often mimic legitimate customer support interactions, increasing the likelihood of user engagement.
Key Points:
Notable Quote: Rich highlights, “These domains are used to create phishing emails under the guise of customer support tickets and other support messages” ([06:05]).
Implications: Businesses using Zendesk should educate their employees about these tactics and implement additional verification steps for support communications to mitigate phishing risks.
Timestamp: [07:00]
Overview: Sophos researchers detailed a campaign by the threat actor group STAC5143, which uses Microsoft Teams to orchestrate sophisticated IT support attacks aimed at stealing data and deploying ransomware.
Key Points:
Notable Quote: Rich explains, “The attacks initially hammer a potential victim with up to thousands of messages over several minutes” ([07:00]).
Implications: Organizations should enforce strict verification protocols for IT support requests and limit remote access permissions to prevent unauthorized installations and data breaches.
The episode of Cyber Security Headlines provides a thorough examination of contemporary threats and regulatory changes affecting the cybersecurity domain. From software vulnerabilities and sophisticated phishing tactics to significant policy reversals and botnet activities, Rich Stroffolino underscores the necessity for vigilant security practices and proactive measures. Staying informed about these developments is crucial for both organizations and individuals aiming to safeguard their digital assets in an increasingly complex threat landscape.
For the full stories behind these headlines, listeners are encouraged to visit cisoseries.com.