Cyber Threat Weekly – #64
The week of February 3rd through February 9th, around 382 cyber news articles were reviewed. A light amount of cyber threat trends and adversarial behavior news to share. Been thinking, proactive security is a necessity in today’s threat landscape.
The Threat Informed Defense Cycle has three dimensions:
1. Know your Adversary – Cyber Threat Intelligence (CTI)
2. Continuous Testing and Evaluation – Ensure Defenses are working as expected
3. Proactive Defense – Based on Adversary Behavior, 80/20 rule
Let’s start with network edge devices under massive password brute force attack. Cyber Threat Intelligence Annual Report 2024. Ransomware payments in 2024 dropped significantly. Exposed ASP.NET keys abused to deploy malware.
Social engineering and fake legitimacy continue to plague organizations. The abuse of SVG files is on the rise. Veeam is an attacker target, new critical bug. Keeping up with the number of exploited vulnerabilities.
Broken Record Alert: Please patch N-day bugs!!!
Known exploited software flaws are one of the top 5 initial access vectors. We continue to share n-day vulnerabilities being actively exploited. You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog.
A close #2 priority is flaws with weaponized proof of concept (PoC) code available. Exploit chances are higher when weaponized PoC code is available. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are exploited or have weaponized PoC code available.
You should consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices exposed to the Internet.
CISA Known Exploited Vulnerabilities – February 3rd to February 9th:
CVE-2018-19410 – Paessler PRTG Network Monitor Local File Inclusion Vulnerability:
Allows a remote, unauthenticated attacker to create users with read-write privileges (including administrator).
CVE-2018-9276 – Paessler PRTG Network Monitor OS Command Injection Vulnerability:
Allows an attacker with administrative privileges to execute commands via the PRTG System Administrator web console.
CVE-2024-29059 – Microsoft .NET Framework Information Disclosure Vulnerability:
Exposes the ObjRef URI to an attacker, ultimately enabling remote code execution.
CVE-2024-45195 – Apache OFBiz Forced Browsing Vulnerability:
Allows a remote attacker to obtain unauthorized access.
CVE-2024-53104 – Linux Kernel Out-of-Bounds Write Vulnerability:
An out-of-bounds write vulnerability in the uvc_parse_streaming component of the USB Video Class (UVC) driver that could allow for physical escalation of privilege.
CVE-2020-15069 – Sophos XG Firewall Buffer Overflow Vulnerability:
Allows for remote code execution via the "HTTP/S bookmark" feature.
CVE-2020-29574 – CyberoamOS (CROS) SQL Injection Vulnerability:
Allows an unauthenticated attacker to execute arbitrary SQL statements remotely.
CVE-2024-21413 – Microsoft Outlook Improper Input Validation Vulnerability:
Allows for remote code execution. Successful exploitation of this vulnerability would allow an attacker to bypass the Office Protected View and open in editing mode rather than protected mode.
CVE-2022-23748 – Dante Discovery Process Control Vulnerability:
Allows for a DLL sideloading attack. A local attacker can leverage this vulnerability in the Dante Application Library to execute arbitrary code.
CVE-2025-0411 – 7-Zip Mark of the Web Bypass Vulnerability:
Allows remote attackers to bypass the Mark-of-the-Web security feature to execute arbitrary code in the context of the current user.
CVE-2025-0994 – Trimble Cityworks Deserialization Vulnerability:
Could allow an authenticated user to perform a remote code execution attack against a customer's Microsoft Internet Information Services (IIS) web server.
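As an added example of the prioritization just described (KEV first, weaponized PoC second, Internet exposure pulling the deadline in), here is a small triage routine; it is not code from the newsletter. The 24-hour and 48-hour SLAs, the 30-day normal cadence, the asset names, and the CVE-0000-000x IDs are assumptions or placeholders; the other CVE IDs come from the list above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed KEV sample using CVE IDs from the list above; a real run
# would load the full CISA KEV JSON catalog instead of this set.
KEV_SAMPLE = {"CVE-2024-53104", "CVE-2025-0411", "CVE-2024-21413"}
# Hypothetical placeholder ID standing in for a flaw that is not in KEV
# but has weaponized PoC code available.
WEAPONIZED_POC_SAMPLE = {"CVE-0000-0001"}
# Assumed SLAs for the emergency window described in the newsletter.
SLA_HOURS = {"P1-exploited": 24, "P2-weaponized-poc": 48, "P3-normal": 24 * 30}
NOW = datetime(2025, 2, 10, tzinfo=timezone.utc)  # fixed clock for the sample

@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    internet_exposed: bool

def priority(f: Finding, kev=KEV_SAMPLE, poc=WEAPONIZED_POC_SAMPLE) -> str:
    """KEV first, weaponized PoC second, everything else on normal cadence.
    An Internet-exposed asset with weaponized PoC is treated like exploited."""
    if f.cve in kev:
        return "P1-exploited"
    if f.cve in poc:
        return "P1-exploited" if f.internet_exposed else "P2-weaponized-poc"
    return "P3-normal"

def due_date(f: Finding, now: datetime = NOW) -> datetime:
    return now + timedelta(hours=SLA_HOURS[priority(f)])

def patch_queue(findings, now: datetime = NOW):
    """Earliest deadline first; among equal deadlines, exposed assets first."""
    return sorted(findings, key=lambda f: (due_date(f, now), not f.internet_exposed, f.cve))

# Constructed findings: asset names are made up, placeholder CVE IDs marked.
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0002", "intranet-wiki", False),   # placeholder, nothing known
    Finding("CVE-0000-0001", "build-server", False),    # placeholder, weaponized PoC
    Finding("CVE-2024-53104", "kiosk-07", False),       # in KEV, internal only
    Finding("CVE-2024-21413", "mail-gw-01", True),      # in KEV and exposed
]

def sample_queue():
    return [(f.cve, priority(f), due_date(f).isoformat()) for f in patch_queue(SAMPLE_FINDINGS)]

if __name__ == "__main__":
    for cve, prio, due in sample_queue():
        print(f"{cve:16} {prio:18} due {due}")
```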
Massive Spike in Credential Brute Force Attack Detected
Network edge devices such as firewalls and VPNs have been under a brute force attack for a while now. There has been a massive uptick in the number of IPs conducting the attack. It appears to be a large botnet conducting the attack. MFA and minimizing Internet exposure go a long way to minimizing impact.
Cyber Threat Intelligence Annual Report 2024
There were 5263 known ransomware attacks in 2024. There are a ton of unreported ransomware attacks, so this number is likely tiny in comparison. Ransomware continues to be a dominant threat. Typical insights and metrics are in the report.
2024 Chainalysis Report Shows Ransomware Payments Dropped
It looks like more attacks and fewer victims paid, based on blockchain analysis. Like everything ransomware, we need to take this with a grain of salt. There were also more new data leak sites in 2024 than in 2023. Ransomware is still big business for criminals. The only way to stop it is to make it expensive for criminals to attack, minimizing profits.
https://www.securityweek.com/ransomware-payments-dropped-to-813-million-in-2024/
https://www.chainalysis.com/blog/crypto-crime-ransomware-victim-extortion-2025/
ViewState Code Injection Attacks via Exposed ASP.NET Keys
Machine keys designed to protect against tampering and information disclosure were abused to deliver the Godzilla post-exploitation framework to IIS web servers. The lesson here is to understand your attack surface, especially keys, tokens, and secrets.
Social Engineering and Inherent Trust
Phishing emails lead to spoofed Active Directory Federation Services (ADFS) login pages. The inherent trust in normal day-to-day interactions helps attackers succeed. Users are tricked into logging in and providing the second authentication factor. Similar attacker behavior, different lure.
Email Phishing with Scalable Vector Graphics (SVG) files
Abuse of SVG files in phishing emails is on the rise according to researchers. The SVG files can be abused in many ways and often impersonate well known brands. Social engineering tactics are at play: similar attacker behavior, with an easier way to trick victims.
https://news.sophos.com/en-us/2025/02/05/svg-phishing/
New Critical Bug in Veeam Backup Software
This one is for tracking purposes; Veeam is often exploited by threat actors, especially ransomware gangs. This bug can allow arbitrary code execution.
https://thehackernews.com/2025/02/new-veeam-flaw-allows-arbitrary-code.html
20% Increase in Exploited Vulnerabilities Compared to 2023
There were 768 CVEs exploited in 2024 vs 639 in 2023. Researchers said 23.6% of known exploited vulnerabilities were zero-days.
https://www.infosecurity-magazine.com/news/cves-exploited-wild-2024/
https://vulncheck.com/blog/2024-exploitation-trends
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter