Cyber Threat Weekly – #60
The week of January 6th through January 12th, roughly 358 cyber news articles were reviewed. A light amount of cyber threat trends and adversarial behavior news to share. This week it looks like it’s mostly social engineering behavior to report.
Let’s start with taking advantage of the familiar: tricking users into disabling protection in Apple iMessage. A fake exploit on GitHub pushes infostealer malware. Another actively exploited Ivanti flaw, plus a second flaw.
The latest phishing lure, fake Crowdstrike job interviews. An interesting PayPal phishing lure and abuse of legit infrastructure. Scammers attempt to reset the victim’s password, and then call the victim spoofing Google or Apple.
Broken Record Alert: Please patch N-day bugs!!!
Known exploited software flaws are one of the top 5 initial access vectors. We continue to share n-day vulnerabilities being actively exploited. You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog.
A close #2 priority is flaws with weaponized proof-of-concept (PoC) code available; the chances of exploitation are higher once weaponized PoC code is public. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are actively exploited or have weaponized PoC code available.
You should consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices exposed to the Internet.
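The prioritization process above (KEV first, weaponized PoC second, Internet exposure as the tiebreaker, 24-to-48-hour emergency window) as a small triage script. This is an added example, not the newsletter's own tooling; the KEV entries are constructed samples shaped like the CISA KEV JSON feed, and the scanner findings, the `WEAPONIZED_POC` set and the 30-day default cycle are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample shaped like the CISA KEV feed (known_exploited_vulnerabilities.json);
# only the fields this script reads are included.
KEV_FEED = {
    "vulnerabilities": [
        {"cveID": "CVE-2025-0282", "vendorProject": "Ivanti", "dateAdded": "2025-01-08"},
        {"cveID": "CVE-2024-41713", "vendorProject": "Mitel", "dateAdded": "2025-01-07"},
        {"cveID": "CVE-2024-55550", "vendorProject": "Mitel", "dateAdded": "2025-01-07"},
        {"cveID": "CVE-2020-2883", "vendorProject": "Oracle", "dateAdded": "2025-01-07"},
    ]
}

# Assumed scanner output: one finding per asset/CVE pair, with an exposure flag
# from the asset inventory. The CVE-2024-99999 / CVE-2024-88888 IDs are placeholders.
FINDINGS = [
    {"asset": "vpn-edge-01", "cve": "CVE-2025-0282", "internet_exposed": True},
    {"asset": "micollab-01", "cve": "CVE-2024-41713", "internet_exposed": True},
    {"asset": "weblogic-int", "cve": "CVE-2020-2883", "internet_exposed": False},
    {"asset": "app-07", "cve": "CVE-2024-99999", "internet_exposed": True},
    {"asset": "app-08", "cve": "CVE-2024-88888", "internet_exposed": False},
]

# Assumed intel flag: a public, weaponized PoC exists (feed source not modelled here).
WEAPONIZED_POC = {"CVE-2024-99999"}

EXAMPLE_NOW = datetime(2025, 1, 13)  # constructed review date for the demo


def triage(findings, kev_feed, weaponized_poc, now):
    """Assign a priority tier and patch deadline to each finding."""
    kev_ids = {v["cveID"] for v in kev_feed["vulnerabilities"]}
    rows = []
    for f in findings:
        if f["cve"] in kev_ids:            # tier 1: known exploited
            tier, hours = 1, 24 if f["internet_exposed"] else 48
        elif f["cve"] in weaponized_poc:   # tier 2: weaponized PoC public
            tier, hours = 2, 48
        else:                              # tier 3: normal patch cycle (assumed 30 days)
            tier, hours = 3, 30 * 24
        rows.append({**f, "tier": tier, "deadline": now + timedelta(hours=hours)})
    # Tier first, Internet-exposed before internal, then CVE ID for a stable order.
    rows.sort(key=lambda r: (r["tier"], not r["internet_exposed"], r["cve"]))
    return rows


if __name__ == "__main__":
    for r in triage(FINDINGS, KEV_FEED, WEAPONIZED_POC, EXAMPLE_NOW):
        print(f"tier {r['tier']}  {r['asset']:13} {r['cve']}  due {r['deadline']:%Y-%m-%d}")
```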
CISA Known Exploited Vulnerabilities for January 6th to January 12th
CVE-2020-2883 – Oracle WebLogic Server Unspecified Vulnerability:
Contains an unspecified vulnerability exploitable by an unauthenticated attacker with network access via IIOP or T3.
CVE-2024-55550 – Mitel MiCollab Path Traversal Vulnerability:
Could allow an authenticated attacker with administrative privileges to read local files within the system due to insufficient input sanitization. This vulnerability can be chained with CVE-2024-41713, which allows an unauthenticated, remote attacker to read arbitrary files on the server.
CVE-2024-41713 – Mitel MiCollab Path Traversal Vulnerability:
Could allow an attacker to gain unauthorized and unauthenticated access. This vulnerability can be chained with CVE-2024-55550, which allows an unauthenticated, remote attacker to read arbitrary files on the server.
CVE-2025-0282 – Ivanti Connect Secure, Policy Secure, and ZTA Gateways Stack-Based Buffer Overflow Vulnerability:
This bug can lead to unauthenticated remote code execution.
SMS Phishing Apple iMessage Users
The adversary is using common lures and abusing an activity that is familiar. If a user replies to an SMS text or adds the sender to contacts, web links are automagically enabled. The worst part: if the victim responds, they become a bigger target.
Infostealer Disguised as Legit LDAPNightmare PoC Exploit
Deception and faking legitimacy continue to be a common social engineering tactic. The lures change, but the activity remains the same. In this case, the threat actor faked SafeBreach Labs’ legitimate exploit for CVE-2024-49113.
Critical Ivanti RCE Zero-Day Flaw Actively Exploited
Here we go again. The behavior, a continued assault on network edge devices. This one appears to be the work of an APT, similar to last year. A bug walk-through and CVE-2025-0282 mitigation guidance are available.
https://www.darkreading.com/vulnerabilities-threats/critical-ivanti-rce-bug
https://cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day
https://www.cisa.gov/cisa-mitigation-instructions-cve-2025-0282
Another Take on Fake Interviews, this Time Crowdstrike
The lure is a Crowdstrike interview. The goal: trick the victim into installing malware disguised as an “employee CRM application”. The good news is that it’s only an XMRig cryptominer; it could be much worse. A similar social engineering tactic, different lure.
https://www.darkreading.com/threat-intelligence/crowdstrike-job-interviews-hacker-tactic
Phishing Campaign Abusing PayPal and Microsoft
Abusing a legitimate feature in Microsoft 365, the attacker creates a test domain. From there, the threat actors can create an email distribution list that appears to come from PayPal. If the bait is taken, when the victim logs into PayPal, the threat actor is linked to the victim’s account.
https://www.fortinet.com/blog/threat-research/phish-free-paypal-phishing
Scammers Calling Victims After Attempting Password Resets
This is a voice phishing scam targeting cryptocurrency that looks legitimate. The threat actors are able to use Apple automation to make it appear that the victim is talking to Apple. A similar scam fakes Google too.
https://krebsonsecurity.com/2025/01/a-day-in-the-life-of-a-prolific-voice-phishing-crew/
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter