Cyber Threat Weekly – #61
During the week of January 13th through January 19th, roughly 408 cyber news articles were reviewed. There is a light amount of cyber threat trend and adversarial behavior news to share. Let’s start with researchers finding an NTLMv1 bypass tactic.
A Fortinet auth bypass bug, and threat actors dump Fortinet config data. Typosquatting abused to target Discord developers. Researchers share a deep dive into Gootloader. A new bug in UEFI Secure Boot could allow bootkit installs.
Google Ads abused to target Google Ads advertisers. Bruteforce campaign targeting Azure Active Directory Graph API. Social engineering, phishing, legit apps and websites, and generative AI are top trends in 2024.
Broken Record Alert: Please patch N-day bugs!!!
Known exploited software flaws are one of the top 5 initial access vectors. We continue to share n-day vulnerabilities being actively exploited. You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog.
A close #2 priority is flaws with weaponized proof of concept (PoC) code available, since the chance of exploitation is higher once weaponized PoC code is public. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are being exploited or have weaponized PoC code available.
You should consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way toward minimizing the number of devices exposed to the Internet.
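The prioritization above, worked as a small script (an added example, not code from the newsletter or from CISA): it reads a KEV-shaped JSON excerpt, joins it against an asset inventory, and assigns the KEV-first, weaponized-PoC-second tiers with the 24-to-48-hour emergency window. The KEV excerpt, inventory, PoC flags and dates are constructed; CVE-YYYY-NNNNN is a placeholder.

```python
"""Patch-priority ranking in the newsletter's order: CISA KEV entries first,
weaponized-PoC flaws second, Internet exposure as the tiebreaker. Added example;
the KEV excerpt is constructed in the layout of known_exploited_vulnerabilities.json."""
import json
from datetime import date, timedelta

# Constructed excerpt shaped like the CISA KEV feed (dates are sample values)
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-55591", "vendorProject": "Fortinet", "product": "FortiOS",
     "dateAdded": "2025-01-14", "dueDate": "2025-01-21"},
    {"cveID": "CVE-2025-21333", "vendorProject": "Microsoft", "product": "Windows",
     "dateAdded": "2025-01-14", "dueDate": "2025-02-04"},
]})

# Constructed inventory: one row per (host, open CVE). The weaponized_poc flag is
# assumed to come from a vuln-intel feed, exposed from the asset database.
# CVE-YYYY-NNNNN is a placeholder for a flaw in neither KEV nor any PoC feed.
INVENTORY = [
    {"host": "fw-edge-01", "cve": "CVE-2024-55591", "exposed": True,  "weaponized_poc": True},
    {"host": "hv-lab-03",  "cve": "CVE-2025-21333", "exposed": False, "weaponized_poc": False},
    {"host": "ci-runner",  "cve": "CVE-2024-50603", "exposed": True,  "weaponized_poc": True},
    {"host": "file-srv",   "cve": "CVE-YYYY-NNNNN", "exposed": False, "weaponized_poc": False},
]

def load_kev(feed_text):
    """Map cveID -> dueDate for every entry in a KEV feed document."""
    return {v["cveID"]: v["dueDate"] for v in json.loads(feed_text)["vulnerabilities"]}

def prioritize(inventory, kev, today_iso):
    """Tier 1: in KEV. Tier 2: weaponized PoC. Tier 3: everything else.
    Tiers 1 and 2 get the 48-hour emergency window (or the earlier KEV due date);
    tier 3 gets an assumed 30-day routine cycle. Exposed hosts sort first in a tier."""
    today = date.fromisoformat(today_iso)
    ranked = []
    for row in inventory:
        if row["cve"] in kev:
            tier = 1
            deadline = min(date.fromisoformat(kev[row["cve"]]), today + timedelta(days=2))
        elif row["weaponized_poc"]:
            tier, deadline = 2, today + timedelta(days=2)
        else:
            tier, deadline = 3, today + timedelta(days=30)
        ranked.append({**row, "tier": tier, "deadline": deadline.isoformat()})
    return sorted(ranked, key=lambda r: (r["tier"], not r["exposed"], r["host"]))

if __name__ == "__main__":
    for r in prioritize(INVENTORY, load_kev(KEV_JSON), "2025-01-15"):
        print(f"T{r['tier']} due {r['deadline']}  {r['host']:<11} {r['cve']}")
```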
CISA Known Exploited Vulnerabilities – January 13th to January 20th:
CVE-2023-48365 – Qlik Sense HTTP Tunneling Vulnerability:
Allows an attacker to escalate privileges and execute HTTP requests on the backend server hosting the software.
CVE-2024-12686 – BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) OS Command Injection Vulnerability:
Can be exploited by an attacker with existing administrative privileges to upload a malicious file. Successful exploitation of this vulnerability can allow a remote attacker to execute underlying operating system commands within the context of the site user.
CVE-2025-21335 – Microsoft Windows Hyper-V NT Kernel Integration VSP Use-After-Free Vulnerability:
Allows a local attacker to gain SYSTEM privileges.
CVE-2025-21334 – Microsoft Windows Hyper-V NT Kernel Integration VSP Use-After-Free Vulnerability:
Allows a local attacker to gain SYSTEM privileges.
CVE-2025-21333 – Microsoft Windows Hyper-V NT Kernel Integration VSP Heap-based Buffer Overflow Vulnerability:
Allows a local attacker to gain SYSTEM privileges.
CVE-2024-55591 – Fortinet FortiOS Authorization Bypass Vulnerability:
Allows an unauthenticated remote attacker to gain super-admin privileges via crafted requests to the Node.js websocket module.
CVE-2024-50603 – Aviatrix Controllers OS Command Injection Vulnerability:
Could allow an unauthenticated attacker to execute arbitrary code. Shell metacharacters can be sent to /v1/api in cloud_type for list_flightpath_destination_instances, or src_cloud_type for flightpath_connection_test.
Bypass Group Policy Object to Block NTLMv1 Authentication
There is a flag in the protocol that non-Windows devices and malicious applications can use to bypass an NTLMv1 GPO. Authentication is consistently abused; auditing your systems can help minimize abuse of weak authentication.
https://gbhackers.com/hackers-bypass-active-directory-group-policy/
https://www.silverfort.com/blog/ntlmv1-bypass-in-active-directory-technical-deep-dive/
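Since the GPO alone can be bypassed, the audit the newsletter suggests has to come from the logs. The script below (an added example, not from the newsletter or the linked research) parses constructed key=value exports of Security events 4624/4625 and reports successful logons that negotiated NTLMv1 or LM, grouped by account and source.

```python
"""Audit Windows Security logon events for NTLMv1 use. Because the GPO that
blocks NTLMv1 can be bypassed by non-Windows devices and malicious apps, the
evidence is the log, not the policy. Added example, not from the newsletter;
the lines are constructed key=value exports of event 4624/4625 EventData."""
import re
from collections import Counter

# Constructed sample: successful (4624) and failed (4625) logons, assumed to be
# flattened from the Security log's EventData fields.
SAMPLE_LOG = """\
EventID=4624 LogonType=3 TargetUserName=svc_backup WorkstationName=NAS-01 IpAddress=10.0.5.20 AuthenticationPackageName=NTLM LmPackageName=NTLM V1
EventID=4624 LogonType=3 TargetUserName=jsmith WorkstationName=WS-117 IpAddress=10.0.7.44 AuthenticationPackageName=NTLM LmPackageName=NTLM V2
EventID=4624 LogonType=2 TargetUserName=jsmith WorkstationName=WS-117 IpAddress=127.0.0.1 AuthenticationPackageName=Kerberos LmPackageName=-
EventID=4624 LogonType=3 TargetUserName=printadmin WorkstationName=PRN-LEGACY IpAddress=10.0.5.9 AuthenticationPackageName=NTLM LmPackageName=NTLM V1
EventID=4625 LogonType=3 TargetUserName=svc_backup WorkstationName=NAS-01 IpAddress=10.0.5.20 AuthenticationPackageName=NTLM LmPackageName=NTLM V1
"""

# key=value pairs; values may contain spaces ("NTLM V1"), so a value runs until
# the next " key=" or end of line.
FIELD = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")
WEAK_PACKAGES = {"NTLM V1", "LM"}

def parse_events(text):
    """Turn each non-empty line into a dict of its fields."""
    return [dict(FIELD.findall(line)) for line in text.splitlines() if line.strip()]

def weak_auth_report(events):
    """Successful logons (4624) negotiated with NTLMv1 or LM, grouped by account
    and by source; either group is a lead for the audit the newsletter suggests."""
    hits = [e for e in events
            if e.get("EventID") == "4624" and e.get("LmPackageName") in WEAK_PACKAGES]
    return {
        "count": len(hits),
        "accounts": dict(Counter(e["TargetUserName"] for e in hits)),
        "sources": dict(Counter(f"{e['WorkstationName']}/{e['IpAddress']}" for e in hits)),
    }

if __name__ == "__main__":
    report = weak_auth_report(parse_events(SAMPLE_LOG))
    print(f"{report['count']} weak-auth logons")
    for src, n in report["sources"].items():
        print(f"  {src}: {n}")
```

Failed logons (4625) are deliberately left out of the count so the report lists sessions that actually succeeded with weak authentication; include them if you want to see bypass attempts as well.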
New Fortinet Authentication Bypass Bug
The same day CVE-2024-55591 was announced, data obtained through a similar bug in 2022 was dumped. The dump included IP addresses, credentials, device management certificates, and all of the victims’ firewall rules. This type of bug can lead to a really bad day; please prioritize patching.
https://www.darkreading.com/endpoint-security/15k-fortinet-device-configs-leaked-dark-web
https://www.fortinet.com/blog/psirt-blogs/analysis-of-threat-actor-data-posting
https://www.fortiguard.com/psirt/FG-IR-24-535
Discord Developers Targeted by Typosquatting
Typosquatting behavior is still prevalent and abused consistently. In this case, a malicious package on the Python Package Index (PyPI) named ‘pycord-self’ mimics the popular ‘discord.py-self’. This malicious package steals authentication tokens and sets up a backdoor.
Gootloader Operations Deep Dive Revealed
From hijacked legit WordPress sites to malicious SEO practices, researchers break down Gootloader operations. Using open-source intelligence, including other researchers’ findings, they connect the puzzle pieces.
https://news.sophos.com/en-us/2025/01/16/gootloader-inside-out/
Researchers Discover UEFI Secure Boot Bug
There is a list of affected products and versions, but be on the lookout for more. The apps don’t have to be installed on the system; the adversary can use the ‘reloader.efi’ binary shipped with the apps to perform the attack.
Ironically, Google Ads Abused to Target Google Advertisers
Fake ads target individuals and businesses who want to advertise on Google or already do. Malvertising is a common method for threat actors. The goal for this campaign is to gather Google ads credentials. The ads look legit.
Azure Active Directory Graph API Bruteforce Campaign
Researchers discovered a campaign abusing the fasthttp library to gain unauthorized access to the Azure Active Directory Graph API. MFA fatigue is part of the attack campaign. In the observed activity, 9.68% of attempts were successful.
https://www.speartip.com/fasthttp-used-in-new-bruteforce-campaign/
Researchers Share Observations from 2024
A report covering four areas of cybersecurity: social engineering and phishing, legit apps and websites, GenAI, and adversarial risks. People, both users and adversaries, are at the center of cybersecurity. This is an interesting look at some stats on certain activities.
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter