Cyber Security Headlines: January 22, 2025 Hosted by CISO Series
In the latest episode of Cyber Security Headlines, host Rich Stroffolino covers a series of critical issues shaping the information security landscape as of January 22, 2025. From vulnerabilities in widely used software to geopolitical cyber threats and regulatory changes, this episode provides an overview of the current cybersecurity environment. Below is a detailed summary of the key topics discussed, with notable quotes and timestamps for context.
1. 7-Zip Flaw Bypasses Windows Security Warnings
Timestamp: [00:06]
Overview: Rich begins the episode by addressing a significant vulnerability in the popular file archiver 7-Zip. Introduced in 2022, Mark of the Web (MOTW) support in 7-Zip was intended to propagate the flag that marks downloaded files as potentially unsafe, prompting Windows to issue security warnings. However, Trend Micro found that malicious actors could bypass MOTW warnings using specially crafted sites and archives.
Key Points:
- MOTW Functionality: Marks downloaded files to trigger Windows security warnings and protect users by opening files in a protected view.
- Vulnerability Exploited: Attackers use crafted archives to deliver malicious content without the MOTW flag, so no warning is triggered.
- Patch Implementation: 7-Zip developer Igor Pavlov addressed the flaw in November 2024. Despite the patch, the absence of an auto-update feature in 7-Zip means numerous installations remain at risk.
Notable Quote: Rich states, “7-Zip developer Igor Pavlov actually patched the flaw in November 2024, but given the utility lacks an auto-update feature, a significant number of installs likely remain vulnerable” ([00:06]).
Implications: Organizations and individual users are urged to manually update their 7-Zip installations to mitigate potential risks until an auto-update feature is implemented.
2. CERT-UA Impersonation Tactics
Timestamp: [00:45]
Overview: The episode highlights alarming activities where threat actors impersonate Ukraine’s Computer Emergency Response Team (CERT-UA) to infiltrate networks using the remote desktop tool AnyDesk.
Key Points:
- Method of Attack: Attackers send connection requests from compromised AnyDesk accounts, masquerading as security auditors conducting a review.
- CERT-UA's Response: While CERT-UA utilizes AnyDesk for legitimate cyber incident responses, these activities are strictly coordinated over secure channels with prior agreements.
- Impact: Ukraine's State Service of Special Communications and Information Protection reported a 70% increase in cyber incidents in 2024, totaling 4,300 incidents, primarily attributed to Russian state-backed groups.
Notable Quote: Rich explains, “Attackers impersonate Ukraine's CERT UA… claiming to do a security audit” ([00:45]).
Implications: This tactic underscores the importance of verifying the authenticity of security communications and reinforces the need for secure communication channels to prevent unauthorized access.
3. Revocation of AI Executive Order
Timestamp: [02:15]
Overview: In a significant policy shift, President Trump rescinded a 2023 executive order mandating AI system developers to share safety test data with the U.S. government before public release. Additionally, the administration halted the enforcement of the Protecting Americans from Foreign Adversary Controlled Applications Act for 75 days.
Key Points:
- Original Executive Order: Required AI developers to provide safety test information and directed federal agencies to establish cybersecurity testing standards for new AI models.
- Reason for Revocation: Aligns with the 2024 Republican Party platform, reflecting partisan policy changes.
- Protecting Americans from Foreign Adversary Controlled Applications Act: The temporary halt allows for the review of intelligence and mitigation strategies concerning ByteDance, the company behind TikTok, potentially facilitating its sale to address national security concerns.
Notable Quote: Rich notes, “Revoking the order was part of the 2024 Republican Party platform, so the move is no surprise” ([02:15]).
Implications: The reversal may impact the regulation and safety standards of AI deployments in the U.S., potentially affecting both innovation and national security considerations.
4. Murdoc Botnet Targets IP Cameras and Routers
Timestamp: [03:30]
Overview: Researchers at Qualys uncovered a new variant of the notorious Mirai botnet, termed the Murdoc Botnet, which targets vulnerabilities in AVTECH IP cameras and Huawei routers.
Key Points:
- Infection Scope: Over 1,300 systems compromised since July 2024, predominantly in Indonesia, Malaysia, Mexico, Thailand, and Vietnam.
- Exploitation Method: Leveraging known vulnerabilities to access IoT devices, followed by executing shell scripts to deploy a secondary payload.
- Usage: Primarily employed to facilitate denial-of-service (DoS) attacks.
Notable Quote: Rich summarizes, “Murdoc Botnet exploits known vulnerabilities to gain access to IoT devices before running a shell script to get a next stage payload” ([03:30]).
Implications: Organizations using AVTECH IP cameras and Huawei routers should apply security patches promptly and consider enhancing their IoT security measures to prevent similar compromises.
5. Decline in GDPR Fines in 2024
Timestamp: [04:20]
Overview: The European Union witnessed a notable decrease in GDPR fines for the first time since its implementation in May 2018. The total fines issued in 2024 dropped by 59%, amounting to 1.2 billion euros.
Key Points:
- Major Contributor to the Drop: The reduction was partly due to the absence of an exceptionally large fine in 2024. In 2023, Meta faced a 1.2 billion euro fine for data transfer violations.
- Adjusted Decrease: Excluding the Meta fine, GDPR fines in 2024 still fell by 30%.
- Largest Fine in 2024: The Irish Data Protection Commission imposed a 310 million euro fine on LinkedIn for improper handling of personal data in advertising.
Notable Quote: Rich observes, “GDPR fines fell in 2024 for the first time since going into effect in May 2018. The annual amount of fines issued for violations of the EU's GDPR statute fell on the year in 2024, down 59% to 1.2 billion euros” ([04:20]).
Implications: While the overall decrease is encouraging, the substantial fines against major companies like LinkedIn highlight ongoing compliance challenges and the need for robust data protection practices.
6. MikroTik Routers Exploited for Spam Botnet
Timestamp: [05:10]
Overview: Infoblox researchers identified a botnet comprising approximately 13,000 MikroTik routers used in spam campaigns. The botnet exploits misconfigured DNS records to pass email protection checks, making its spam appear to come from legitimate domains.
Key Points:
- Attack Vector: Misconfigured DNS records allow spam messages to pass security filters by masquerading as emails from trusted domains.
- Initial Campaign: Detected in November 2024, the campaign used freight invoice lures leading to payload delivery via PowerShell scripts that contacted command-and-control (C2) servers.
- Vulnerabilities: Routers running various MikroTik firmware versions were found in the botnet, and the initial access method remains unidentified.
Notable Quote: Rich states, “The botnet takes advantage of misconfigured DNS records to pass email protection techniques, making its messages appear to come from legitimate domains” ([05:10]).
Implications: Organizations relying on MikroTik routers should ensure their devices are updated with the latest firmware and properly configured to prevent exploitation by such botnets.
7. Zendesk Subdomains Exploited in Phishing Attacks
Timestamp: [06:05]
Overview: CloudSEK's analysis revealed that threat actors are leveraging free trial subdomains from Zendesk to craft convincing phishing emails. These emails often mimic legitimate customer support interactions, increasing the likelihood of user engagement.
Key Points:
- Phishing Strategy: Creation of fake Zendesk URLs and customized help center documentation that aligns with targeted companies’ branding.
- Volume: Nearly 2,000 instances of such malicious domains detected since 2023.
- Effectiveness: Zendesk-based phishing emails often bypass standard email filters, enhancing the chances of recipients clicking malicious links.
Notable Quote: Rich highlights, “These domains are used to create phishing emails under the guise of customer support tickets and other support messages” ([06:05]).
Implications: Businesses using Zendesk should educate their employees about these tactics and implement additional verification steps for support communications to mitigate phishing risks.
8. Microsoft Teams Exploited in IT Support Attacks
Timestamp: [07:00]
Overview: Sophos researchers detailed a campaign by the threat actor group STAC5143, which uses Microsoft Teams to orchestrate IT support impersonation attacks aimed at stealing data and deploying ransomware.
Key Points:
- Attack Sequence:
  - Email Bombing: Victims receive thousands of emails in a short period.
  - Fake Support Call: Attackers initiate a Microsoft Teams call posing as a help desk manager.
  - Remote Session: During the call, attackers start a remote screen control session and use it to deliver malicious software.
- Malicious Payloads: Installation of Proton VPN executables with malicious DLLs and deployment of the pentest tool RPivot to establish C2 communication channels.
- Attribution: Although the use of RPivot suggests an association with FIN7, Sophos did not confirm direct links to the group.
Notable Quote: Rich explains, “The attacks initially hammer a potential victim with up to thousands of messages over several minutes” ([07:00]).
Implications: Organizations should enforce strict verification protocols for IT support requests and limit remote access permissions to prevent unauthorized installations and data breaches.
Conclusion
This episode of Cyber Security Headlines provides a thorough examination of contemporary threats and regulatory changes affecting the cybersecurity domain. From software vulnerabilities and sophisticated phishing tactics to significant policy reversals and botnet activity, Rich Stroffolino underscores the need for vigilant security practices and proactive measures. Staying informed about these developments is crucial for both organizations and individuals aiming to safeguard their digital assets in an increasingly complex threat landscape.
For the full stories behind these headlines, listeners are encouraged to visit cisoseries.com.
