CybersecurityHQ News Roundup - January 14, 2025

News By Daniel Michan Published on January 14


Adobe Patches Critical Code Execution Flaws in Multiple Products

Adobe has released security updates addressing multiple critical vulnerabilities across its creative products, including Photoshop, Substance 3D Stager, Illustrator for iPad and others. The most concerning fixes target two arbitrary code execution bugs in Photoshop (CVE-2025-21127 and CVE-2025-21122) that could let an attacker run code in the context of the current user. Substance 3D Stager received patches for five memory safety flaws that Adobe rates critical, each carrying a CVSS score of 7.8, and Illustrator for iPad users should update to fix two critical vulnerabilities. Adobe says it is not aware of any exploitation in the wild, but given the severity the updates should be applied promptly.

Read more at SecurityWeek

Microsoft's First Patch Tuesday of 2025 Fixes Three Actively Exploited Zero-Days

Microsoft's January 2025 Patch Tuesday addresses nearly 160 security flaws, including three zero-day vulnerabilities in the Windows Hyper-V NT Kernel Integration VSP that were already being exploited. The trio (CVE-2025-21333, CVE-2025-21334 and CVE-2025-21335) are elevation-of-privilege bugs: an attacker who already has code running on the machine can use them to gain SYSTEM privileges, so they are chained after an initial foothold rather than used for remote entry. This is the largest number of CVEs Microsoft has addressed in a single month since at least 2017, with 12 of the fixes rated critical. Given the in-the-wild exploitation, the Hyper-V fixes belong at the top of the patch queue.

Read more at Bleeping Computer

Biden Signs Executive Order to Boost AI Infrastructure Development

President Biden has signed an ambitious executive order aimed at accelerating the development of AI infrastructure in the United States. The order directs federal agencies to speed up large-scale AI infrastructure development at government sites while imposing safeguards on developers. Key measures include identifying at least three sites each at the Departments of Defense and Energy where private companies can build AI data centers, requiring developers to match facilities with clean power generation, and mandating public labor agreements for construction. The move comes as AI's electricity demands are projected to consume up to 12% of U.S. power by 2028, highlighting the administration's push to maintain American leadership in AI while balancing environmental concerns.

Read more at The White House

UK Proposes Ban on Ransomware Payments for Public Sector

The UK government has launched a consultation, running until April 2025, on proposals that would make ransomware payments illegal for public sector organizations and critical national infrastructure (CNI) operators. The payment ban is paired with a payment-prevention regime for everyone else: organizations outside the ban would have to report an intended ransom payment before making it, and mandatory incident reporting is also on the table. The approach mirrors the US pattern of regulating where enforcement is easiest and encouraging voluntary adoption elsewhere. The consultation leaves open hard questions about healthcare, since providers that fall under CNI would be barred from paying even when patient care is at risk, underlining the tension between security policy and operational necessity.

Read more at NCSC

WEF Report Reveals Growing Cyber Resilience Gap

The World Economic Forum's Global Cybersecurity Outlook 2025 has uncovered a widening disparity in cyber resilience between public and private sectors. The report found that 38% of public sector respondents reported insufficient resilience, compared to just 10% of medium to large private firms. Small companies have seen a sevenfold increase in inadequate resilience since 2022. The skills gap remains a critical issue, with 47% of public sector organizations citing it as a primary challenge. The report also highlights how geopolitical tensions, AI adoption, and supply chain complexities are reshaping the threat landscape, with 72% of respondents noting increased cyber risks over the past year.

Read more at World Economic Forum

BforeAI Raises $10M for Predictive Attack Intelligence

Cybersecurity startup BforeAI has secured $10 million in Series B funding to advance its predictive attack intelligence platform. The round, led by Titanium Ventures with participation from SYN Ventures, Karista, and Addendum Capital, brings the company's total funding to $30 million. BforeAI's platform leverages behavioral AI to predict and block malicious campaigns before they impact organizations, creating preemptive blocklists of potentially dangerous domains rather than relying on traditional reactive approaches. The company plans to use the funding to accelerate growth into new industry sectors and enhance its prediction capabilities.

Read more at TechCrunch

Chinese Hackers Target US Treasury Foreign Investment Offices

Chinese state-sponsored hackers specifically targeted offices handling foreign investment and sanctions in the recent US Treasury Department breach, according to reports. The attackers, tracked as Silk Typhoon, reached systems associated with the Committee on Foreign Investment in the US (CFIUS) and the Office of Foreign Assets Control (OFAC). The intrusion, which ran through a stolen API key for BeyondTrust's Remote Support service, exposed only unclassified information, but it raises concerns about China's ability to piece together intelligence from multiple data sources. The timing is notable as it follows recent US sanctions against Chinese cybersecurity companies.

Read more at Reuters

New Codefinger Ransomware Targets Amazon S3 Buckets

Cybersecurity firm Halcyon has uncovered a novel ransomware campaign dubbed "Codefinger" targeting Amazon Web Services users. The attack abuses S3's Server-Side Encryption with Customer-Provided Keys (SSE-C): the attacker rewrites a victim's objects encrypted under a key only they hold. AWS never stores SSE-C keys, so without the attacker's key the data cannot be recovered. The campaign exploits no AWS vulnerability; it depends entirely on stolen or leaked AWS credentials with write access to the buckets. The attackers also apply S3 lifecycle rules that mark the re-encrypted objects for deletion within seven days, putting victims on a clock. Organizations are advised to deny SSE-C uploads through IAM or bucket policies unless they deliberately use the feature, to enable S3 data-event logging in CloudTrail so such uploads and lifecycle changes are visible, and to audit and rotate access keys, removing any standing write access that is not needed.

Read more at Halcyon Security
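The two moves the Codefinger write-up describes (SSE-C rewrites and short-fuse lifecycle rules) and the IAM control that blocks the first of them, as an added example that is not part of the original roundup and not Halcyon's or AWS's code. The CloudTrail event dicts are constructed; the requestParameters key used for the SSE-C header and the nested LifecycleConfiguration layout are assumptions to be checked against real records. The IAM condition key `s3:x-amz-server-side-encryption-customer-algorithm` is real.

```python
"""Added example for the Codefinger item; this is not Halcyon's or AWS's code.

Two pieces:
  1. scan_cloudtrail(): flags S3 objects written with a customer-provided key
     (SSE-C) and lifecycle rules that expire objects within a week.
  2. deny_ssec_policy(): the IAM statement that refuses SSE-C uploads.

Assumptions (not taken from the article): the event dicts are constructed to
mimic CloudTrail S3 data events; the requestParameters key for the SSE-C
header and the nested LifecycleConfiguration layout are assumed and should be
checked against real records before these rules go into production.
"""
import json
from dataclasses import dataclass

SSEC_HEADER = "x-amz-server-side-encryption-customer-algorithm"
SSEC_CONDITION_KEY = "s3:" + SSEC_HEADER   # real IAM condition key
FAST_EXPIRY_DAYS = 7  # Codefinger marked re-encrypted objects for deletion within 7 days


@dataclass(frozen=True)
class Finding:
    event_name: str
    bucket: str
    actor: str
    reason: str


def _lifecycle_rules(params):
    """CloudTrail serialises the XML body; 'Rule' may be one dict or a list."""
    rule = (params.get("LifecycleConfiguration") or {}).get("Rule", [])
    return rule if isinstance(rule, list) else [rule]


def _min_expiry_days(params):
    days = [int(r["Expiration"]["Days"]) for r in _lifecycle_rules(params)
            if r.get("Status", "Enabled") == "Enabled"
            and "Days" in (r.get("Expiration") or {})]
    return min(days) if days else None


def scan_cloudtrail(events):
    """Return Findings for SSE-C writes and short-fuse expiry rules."""
    findings = []
    for ev in events:
        name = ev.get("eventName", "")
        params = ev.get("requestParameters") or {}
        bucket = params.get("bucketName", "?")
        actor = (ev.get("userIdentity") or {}).get("arn", "?")
        if name in ("PutObject", "CopyObject") and SSEC_HEADER in params:
            findings.append(Finding(name, bucket, actor,
                "object written with a customer-provided key; AWS holds no copy of it"))
        elif name in ("PutBucketLifecycle", "PutBucketLifecycleConfiguration"):
            days = _min_expiry_days(params)
            if days is not None and days <= FAST_EXPIRY_DAYS:
                findings.append(Finding(name, bucket, actor,
                    f"lifecycle rule expires objects after {days} day(s)"))
    return findings


def deny_ssec_policy():
    """IAM policy denying any PutObject that carries the SSE-C algorithm header.
    Null: false means 'this condition key is present in the request'."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyCustomerProvidedKeys",
            "Effect": "Deny",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::*/*",
            "Condition": {"Null": {SSEC_CONDITION_KEY: "false"}},
        }],
    }


# Constructed sample events (not real CloudTrail output).
_CI = {"arn": "arn:aws:iam::123456789012:user/ci-deploy"}
SAMPLE_EVENTS = [
    {"eventName": "PutObject", "userIdentity": _CI, "requestParameters": {
        "bucketName": "acme-backups", "key": "db/2025-01-10.sql.gz",
        "x-amz-server-side-encryption": "AES256"}},           # SSE-S3: normal
    {"eventName": "PutObject", "userIdentity": _CI, "requestParameters": {
        "bucketName": "acme-backups", "key": "db/2025-01-10.sql.gz",
        SSEC_HEADER: "AES256"}},                                # SSE-C: flagged
    {"eventName": "PutBucketLifecycle", "userIdentity": _CI, "requestParameters": {
        "bucketName": "acme-backups", "LifecycleConfiguration": {"Rule": {
            "ID": "expire", "Status": "Enabled", "Expiration": {"Days": "7"}}}}},   # flagged
    {"eventName": "PutBucketLifecycle", "userIdentity": _CI, "requestParameters": {
        "bucketName": "acme-logs", "LifecycleConfiguration": {"Rule": [{
            "ID": "logs", "Status": "Enabled", "Expiration": {"Days": "365"}}]}}},  # normal
]

if __name__ == "__main__":
    for finding in scan_cloudtrail(SAMPLE_EVENTS):
        print(finding)
    print(json.dumps(deny_ssec_policy(), indent=2))
```

The deny statement relies on the `Null` condition operator: `"false"` means the request must carry the SSE-C algorithm key for the statement to match, so ordinary SSE-S3 and SSE-KMS uploads are unaffected. Attach it to a service control policy or to the roles that hold bucket write access, and keep S3 data events enabled in CloudTrail, otherwise the PutObject records the scanner looks for are never written.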

Snyk Clarifies NPM Packages Were Part of Research Project

Developer security firm Snyk has addressed concerns over seemingly malicious npm packages linked to the company, confirming they were part of a legitimate research project on dependency confusion. The packages, which raised alarms when researcher Paul McCarty spotted them, were used in a dependency-confusion study involving the AI code editor Cursor. Snyk CTO Danny Allan said the research included proper contact information and followed responsible disclosure policies. The packages have been removed from the npm registry, but the episode highlights the fine line between security research and potentially harmful practices.

Read more at SecurityWeek

Orchid Security Raises $36M Seed Round for Identity Security Platform

New York-based startup Orchid Security has secured an unusually large $36 million seed round, co-led by Team8 and Intel Capital. The company uses large language models (LLMs) to tackle the complexity of managing fragmented identity systems in large enterprises. Its platform automatically discovers applications and evaluates their authentication flows without requiring manual code access or input from application owners. Already working with Fortune 500 companies such as Costco and Repsol, Orchid Security aims to simplify identity and access management for enterprises running fragmented estates of more than 1,200 applications.

Read more at VentureBeat

SAP's January 2025 Patch Tuesday Addresses Critical NetWeaver Flaws

SAP has released 14 new security notes in its January 2025 Patch Day, including fixes for two critical vulnerabilities in NetWeaver AS for ABAP and ABAP Platform, both with CVSS scores of 9.9. The first flaw (CVE-2025-0070) is an improper authentication bug that could allow an authenticated attacker to steal credentials from internal RFC communication. The second (CVE-2025-0066) could expose decrypted credential information. Additional fixes address high-severity SQL injection vulnerabilities in NetWeaver, DLL hijacking flaws, and security issues in the BusinessObjects Business Intelligence platform. No active exploitation has been reported, but organizations are urged to apply the patches immediately.

Read more at SAP Security Notes

Western Security Agencies Release OT Product Selection Guide

CISA and several other Western security agencies have published comprehensive guidance for operational technology (OT) owners on selecting secure products. The guide outlines 12 essential security elements that manufacturers should prioritize, including configuration management, logging capabilities, open standards, and secure communications. The agencies warn that many OT products lack basic security features, making them vulnerable to exploitation across multiple victims. The guidance emphasizes the importance of secure-by-default configurations and strong authentication, providing specific questions buyers should ask before acquiring OT products.

Read more at CISA

Zero-Day Vulnerability Suspected in Fortinet Firewall Attacks

Arctic Wolf researchers have identified a campaign targeting Fortinet FortiGate firewalls whose management interfaces are exposed to the internet. The attacks, which began in mid-November 2024, involve unauthorized administrative logins through the jsconsole interface, creation of new administrator and SSL VPN accounts, and configuration changes that establish SSL VPN tunnels into the victim network for lateral movement. The campaign appears to exploit a zero-day vulnerability; affected devices were running firmware versions 7.0.14 through 7.0.16, and the targeting looks opportunistic rather than sector-specific. Until a fix is confirmed, the practical mitigation is to take the management interface off the public internet and to review admin and VPN user lists and recent configuration changes for anything unexpected.

Read more at Arctic Wolf
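A detection pass over FortiGate event logs for the behaviours described above (jsconsole logins from unexpected sources, new admin accounts, SSL VPN settings changed through jsconsole), as an added example that is not part of the original roundup and not Arctic Wolf's or Fortinet's code. The sample log lines are constructed to approximate FortiGate's key=value event format, the `ADMIN_NETS` list is a placeholder for wherever your administrators really connect from, and the field names should be checked against your firmware's log reference before the rules are trusted.

```python
"""Added example for the FortiGate campaign item; not Arctic Wolf's or Fortinet's code.

flag_fortigate_events() reads FortiGate key=value event logs and flags the
behaviours the write-up describes: successful admin logins through the
jsconsole UI from unexpected sources, new administrator accounts, and SSL VPN
configuration changes made through jsconsole.

Assumptions (not taken from the article): the sample lines are constructed to
approximate FortiGate's event-log format (type/subtype/logdesc/user/ui/srcip/
action/status/cfgpath/cfgobj fields); ADMIN_NETS is a placeholder for the
networks your administrators actually use.
"""
import ipaddress
import re

# Placeholder: where legitimate administrators connect from.
ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# key=value pairs; a value is either "quoted" or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortigate_line(line):
    """Turn one FortiGate log line into a dict of field -> value."""
    return {key: bare if bare else quoted for key, quoted, bare in KV_RE.findall(line)}


def _parse_ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def flag_fortigate_events(lines, admin_nets=ADMIN_NETS):
    """Return (rule, user, detail) tuples for suspicious system events."""
    findings = []
    for line in lines:
        f = parse_fortigate_line(line)
        if f.get("type") != "event" or f.get("subtype") != "system":
            continue
        user = f.get("user", "?")
        via_jsconsole = f.get("ui", "").lower().startswith("jsconsole")
        action = f.get("action", "").lower()

        # Rule 1: successful admin login via jsconsole from loopback, an
        # unparsable address, or anywhere outside the admin networks.
        if action == "login" and f.get("status") == "success" and via_jsconsole:
            ip = _parse_ip(f.get("srcip", ""))
            if ip is None or ip.is_loopback or not any(ip in n for n in admin_nets):
                findings.append(("jsconsole_login", user, f.get("srcip", "?")))

        # Rule 2: a new administrator account, however it was created.
        if f.get("cfgpath") == "system.admin" and action == "add":
            findings.append(("admin_account_added", user, f.get("cfgobj", "?")))

        # Rule 3: SSL VPN settings touched through jsconsole.
        if via_jsconsole and f.get("cfgpath", "").startswith("vpn.ssl") and action in ("add", "edit"):
            findings.append(("ssl_vpn_config_change", user, f.get("cfgpath")))
    return findings


# Constructed sample log lines (not real FortiGate output).
SAMPLE_LOGS = [
    'date=2024-11-20 time=08:15:02 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="netops" ui="https(10.20.1.15)" srcip=10.20.1.15 '
    'action="login" status="success" reason="none" msg="Administrator netops logged in successfully"',
    'date=2024-11-20 time=23:41:17 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="admin" ui="jsconsole" srcip=127.0.0.1 '
    'action="login" status="success" reason="none" msg="Administrator admin logged in successfully"',
    'date=2024-11-20 time=23:42:03 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Object attribute configured" user="admin" ui="jsconsole" action="Add" '
    'cfgpath="system.admin" cfgobj="support" msg="Add system.admin support"',
    'date=2024-11-20 time=23:44:51 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Object attribute configured" user="admin" ui="jsconsole" action="Edit" '
    'cfgpath="vpn.ssl.settings" cfgobj="" msg="Edit vpn.ssl.settings"',
    'date=2024-11-21 time=09:02:44 type="event" subtype="system" level="information" vd="root" '
    'logdesc="Admin login successful" user="netops" ui="jsconsole" srcip=10.20.1.15 '
    'action="login" status="success" reason="none" msg="Administrator netops logged in successfully"',
]

if __name__ == "__main__":
    for finding in flag_fortigate_events(SAMPLE_LOGS):
        print(finding)
```

The last sample line shows why Rule 1 is scoped to source address rather than to jsconsole alone: the GUI's built-in CLI console also logs as jsconsole, so an administrator using it from the admin network is expected, while a jsconsole login recorded from loopback or from the internet is the anomaly worth paging on.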

Consumer Cyber Incident Apathy Growing Despite Increased Attacks

A December report from Vercara finds growing consumer apathy toward cyber incidents: only 58% of consumers said breaches affected their trust in 2024, down from 62% in 2023, even though nearly one-third reported being affected by a security incident while shopping online. The study shows generational differences, with baby boomers more likely than Gen Z to change their shopping habits after a breach. Despite the apparent apathy, 70% of consumers said they would stop shopping with a brand following a security incident.

Read more at Vercara

Critical Aviatrix Controller Vulnerability Under Active Exploitation

Security firm Wiz has reported active exploitation of a critical remote code execution vulnerability (CVE-2024-50603) in Aviatrix Controller. The flaw, which carries a CVSS score of 10.0, lets unauthenticated attackers inject arbitrary commands that run with high privileges on the controller. Threat actors are using it to deploy cryptocurrency miners and backdoors in AWS environments, and because the controller typically holds cloud credentials, a compromised instance is a springboard for lateral movement into the wider cloud estate. The bug affects 7.x versions before 7.1.4191 and 7.2.x versions before 7.2.4996; organizations are urged to update immediately.

Read more at Wiz Security

Raspberry Pi RP2350 Security Research Reveals Hardware Vulnerability

Security researchers from IOActive have successfully circumvented the signed boot process of the A2 revision of the Raspberry Pi RP2350 microcontroller. The team, led by Dr. Andrew Zonenberg, found a new way to read the contents of the chip's antifuse memory, which could expose the secure boot keys and configuration data stored there. The work calls into question the assumption that antifuse one-time-programmable memory, here Synopsys's implementation, which is widely licensed, keeps its contents secret against a physical attacker. Raspberry Pi CEO Eben Upton acknowledged the novelty of the approach and its implications for semiconductor security.

Read more at IOActive

Telefonica Breach Linked to Infostealer Malware

The Hellcat ransomware group has claimed responsibility for a breach at telecommunications giant Telefonica, accessing the company's internal Jira ticketing system. Hudson Rock reports that the attackers used custom infostealer malware to compromise the credentials of more than 15 Telefonica employees and then went after accounts with administrative privileges. The breach resulted in the theft of 24,000 employee email addresses, 500,000 internal Jira issues and 5,000 internal documents. Hudson Rock's investigation found that 531 Telefonica employee computers were infected with infostealers during 2024, exposing corporate credentials including those for Fortinet, Office 365 and Salesforce, a reminder that a single infostealer log can hand an attacker working credentials for many internal systems at once.

Read more at Hudson Rock and SecurityWeek

Microsoft's AI Red Team Emphasizes Human Element in Security Testing

Microsoft has published research emphasizing the crucial role of human expertise in AI red-team testing. After testing more than 100 generative AI products, the company concluded that while tools such as PyRIT can streamline testing, human judgment remains irreplaceable for identifying nuanced risks and cultural sensitivities. The research particularly highlights the importance of human operators in assessing "psycho-social harms" and evaluating AI responses in different cultural contexts, and it stresses protecting red-team operators' mental health when their work exposes them to disturbing AI-generated content.

Read more at Microsoft Security

CISA Adds Second BeyondTrust Vulnerability to KEV Catalog

CISA has added a medium-severity command injection vulnerability (CVE-2024-12686) in BeyondTrust Remote Support and Privileged Access Products to its known exploited vulnerabilities catalog. The flaw, with a CVSS score of 6.6, allows attackers with administrative privileges to inject commands. This is the second BeyondTrust vulnerability related to the December attack spree that impacted the U.S. Treasury Department and other customers.

Read more at CISA

Juniper Networks Patches Multiple High-Severity Flaws

Juniper Networks has released security updates addressing multiple high-severity vulnerabilities in Junos OS and Junos OS Evolved. Key fixes include patches for CVE-2025-21598, an out-of-bounds read flaw in the routing protocol daemon, and CVE-2025-21599, affecting the Juniper Tunnel Driver. The company also addressed critical issues in OpenSSH and released Junos Space 24.1R2 with patches for nearly 60 third-party component vulnerabilities.

Italy's PM Meloni Addresses SpaceX Telecoms Security Discussions

Italian Premier Giorgia Meloni has clarified reports about potential deals with SpaceX regarding the country's telecoms security system. While confirming talks with various private companies including SpaceX, Meloni denied having private discussions with Elon Musk. The proposed project, reportedly worth 1.5 billion euros over five years, would involve SpaceX providing encryption services and communications infrastructure for military and emergency services. Meloni emphasized that national interest is the primary consideration in such decisions.

Read more at Reuters

US Charges Russian Nationals for Cryptocurrency Mixer Operations

The US Department of Justice has charged three Russian nationals for operating cryptocurrency mixing services Blender.io and Sinbad.io, used for money laundering by ransomware groups. Two suspects, Roman Ostapenko and Alexander Oleynik, were arrested on December 1, while Anton Tarasov remains at large. The services, operating between 2018 and 2023, were allegedly used to launder funds from criminal activities, including North Korean hackers.

Read more at Justice Department

Many Ivanti VPNs Still Vulnerable as UK Domain Registry Reveals Breach

A significant number of Ivanti VPN appliances remain exposed to exploitation of CVE-2025-0282, and Nominet, the registry for .uk domain names, has emerged as a victim. The vulnerability allows remote, unauthenticated attackers to execute arbitrary code on Ivanti Connect Secure appliances. The Shadowserver Foundation reported approximately 800 still-vulnerable systems, down from about 2,000, while Censys identified more than 12,000 potentially vulnerable instances. Nominet confirmed that it discovered suspicious activity in early January, traced to an Ivanti VPN zero-day exploit against the appliance its staff use for remote access, and says it has so far found no evidence of data theft or leakage.

Read more at Bleeping Computer and ISPreview

How to Eliminate "Shadow AI" in Software Development

A recent analysis reveals that 92% of US-based developers are using AI coding tools both at work and privately, leading to "shadow AI" usage without IT department approval. The report outlines key risks including security blind spots, vulnerable code introduction, and compliance issues. To address these concerns, organizations are advised to follow a three-point plan: identify AI implementations throughout the software development lifecycle, cultivate a security-first culture, and incentivize proper AI tool adoption through career advancement opportunities.

Read more at Dark Reading

Infostealer Masquerades as PoC Code for LDAP Vulnerability

Threat actors are distributing infostealer malware disguised as proof-of-concept exploit code for CVE-2024-49113, a recent Windows LDAP vulnerability. The fake PoC, distributed through a fork of a legitimate repository, swaps the original Python files for an executable that drops PowerShell scripts to collect system information and exfiltrate it to an FTP server. The genuine vulnerability, dubbed LDAPNightmare, is a denial-of-service bug that could let an unauthenticated attacker crash unpatched Windows servers by steering them, via crafted DNS responses, to a malicious LDAP server. The episode is a reminder to read exploit code before running it, and to be suspicious of any PoC that ships as a compiled binary.

Read more at Trend Micro
