CybersecurityHQ News Roundup - January 27, 2025

News By Daniel Michan Published on January 27


TalkTalk Confirms Major Data Breach After Hacker Boasts on Forum

TalkTalk, the UK telecom giant, has confirmed a significant data breach after a threat actor named 'b0nd' claimed to have stolen data from 18.8 million customers. While TalkTalk disputes this number (given their actual customer base is around 2.4 million), the incident involved unauthorized access to a third-party platform, reportedly CSG's Ascendon platform. The stolen data includes names, email addresses, phone numbers, and IP addresses. CSG confirmed the incident but maintains their systems weren't directly compromised, suggesting the attackers may have used stolen credentials. This marks TalkTalk's second major breach, following a 2015 incident that resulted in prison sentences for two individuals.

Read more at The Hacker News



Severe LTE/5G Vulnerabilities Could Disrupt Entire Cities' Cellular Networks

Security researchers have uncovered 119 vulnerabilities in LTE and 5G implementations that could allow attackers to cause widespread cellular network disruptions. The flaws, discovered by researchers from the Florida Institute for Cybersecurity Research and North Carolina State University, affect seven LTE and three 5G implementations. The most concerning aspect is that attackers could potentially disrupt cellular communications across entire metropolitan areas using just a single malformed packet. The vulnerabilities are particularly dangerous as they can be exploited through Wi-Fi Calling services, meaning attackers don't need physical proximity or specialized equipment. The researchers found issues in popular implementations including Open5GS, Magma, and OpenAirInterface.

Read more at BleepingComputer



Endor Labs Launches Opengrep in Response to Semgrep's Shift Away from Open Source

In a significant move for the open-source security community, Endor Labs has launched Opengrep, a consortium-backed fork of Semgrep's SAST tool. This initiative comes after Semgrep rebranded its OSS tool to "Community Edition" and moved key features behind its commercial offerings. Opengrep has garnered support from over ten application security vendors, including Aikido Security, Amplify, and Orca Security. The project aims to maintain a truly open-source SAST tool, drawing parallels to the community forks that followed the commercial license changes at Elasticsearch and HashiCorp. The new platform promises improved scanning capabilities, better community rules, and vendor-independent rule portability.

Read more at SC Media



Building Automation Systems Increasingly Targeted in OT Attacks, Forescout Reports

Forescout's 2024 Threat Roundup reveals a significant shift in operational technology (OT) attack patterns, with building automation systems seeing a dramatic increase in targeting. While industrial automation protocols remain the primary target (79% of attacks, up from 71%), building automation attacks jumped from 1% to 9%. Modbus continues to be the most targeted protocol, accounting for 40% of attacks, followed by EtherNet/IP at 28%. The report highlights that 73% of exploited vulnerabilities were not listed in CISA's Known Exploited Vulnerabilities catalog, indicating attackers are increasingly leveraging lesser-known security flaws.

Read more at Dark Reading



Git Vulnerabilities Exposed User Credentials Through Protocol Flaws

Security researcher RyotaK has uncovered serious vulnerabilities in Git's credential handling that could allow attackers to steal user credentials. The issues, including CVE-2025-23040 in GitHub Desktop and CVE-2024-50338 in Git Credential Manager, stem from improper handling of carriage return characters in the credential retrieval protocol. Dubbed "Clone2Leak," these vulnerabilities could allow a malicious repository to extract login credentials from unsuspecting users. Git has released version 2.48.1 to address these issues, along with a fix for CVE-2024-50349, a flaw that let attackers craft misleading credential prompts using ANSI escape sequences.
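Added example (not code from the article or from the Git project): a strict parser and serializer for the line-oriented git-credential helper format, showing the check a helper or client needs so that a carriage return inside a value cannot be read as a second line. The key set follows git-credential(1); the reject-on-control-characters rule is modeled on the fix described above, not copied from Git's source, and the sample requests in the test are constructed.

```python
import re
from typing import Dict

# Keys defined by the git-credential helper protocol (git-credential(1)).
ALLOWED_KEYS = {"protocol", "host", "path", "username", "password", "url"}
# Any ASCII control character, CR and LF included, breaks the line framing.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def parse_credential_request(text: str) -> Dict[str, str]:
    """Strictly parse one 'key=value' per line, ended by an empty line.

    Splitting on LF only (never on CR) keeps a smuggled CR inside the
    value, where the control-character check rejects it. A lenient parser
    that also treated CR as a line break would see a second 'host=' line
    and could return credentials for the wrong host.
    """
    fields: Dict[str, str] = {}
    for line in text.split("\n"):
        if line == "":  # empty line terminates the request
            break
        if "=" not in line:
            raise ValueError(f"malformed line: {line!r}")
        key, value = line.split("=", 1)
        if CONTROL_CHARS.search(key) or CONTROL_CHARS.search(value):
            raise ValueError(f"control character in field {key!r}")
        if key not in ALLOWED_KEYS:
            raise ValueError(f"unknown key: {key!r}")
        fields[key] = value
    return fields


def serialize_credential_request(fields: Dict[str, str]) -> str:
    """Build the text a client writes to a helper, refusing any value that
    would break framing; run this before attacker-influenced data (e.g. a
    host taken from a clone or submodule URL) reaches the helper."""
    lines = []
    for key, value in fields.items():
        if key not in ALLOWED_KEYS or CONTROL_CHARS.search(value):
            raise ValueError(f"refusing unsafe field {key!r}")
        lines.append(f"{key}={value}")
    return "\n".join(lines) + "\n\n"


def is_safe_credential_request(text: str) -> bool:
    """True when the request parses with no control-character smuggling."""
    try:
        parse_credential_request(text)
        return True
    except ValueError:
        return False
```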

Read more at Threatpost



Change Healthcare Data Breach Impact Grows to 190 Million Individuals

In a dramatic update to one of 2024's biggest healthcare data breaches, UnitedHealth Group has revealed that the Change Healthcare incident impacted approximately 190 million individuals, nearly double the initial estimate of 100 million. The breach, which occurred in February when BlackCat ransomware affiliates exploited an unprotected remote access portal, lasted nine days before encryption. Despite UnitedHealth paying a $22 million ransom, the incident led to subsequent extortion attempts by RansomHub. The breach's financial impact is expected to exceed $2.9 billion, making it the largest healthcare data breach of 2024.

Read more at InfoSecurity Magazine



Subaru Starlink Vulnerability Exposed Cars to Remote Hacking

Security researcher Sam Curry discovered a critical vulnerability in Subaru's Starlink connected vehicle service that could have allowed unauthorized access to customer accounts across the US, Canada, and Japan. The flaw in the admin panel enabled attackers to bypass two-factor authentication, view vehicle information including historical location data, and even remotely control vehicles by adding themselves as authorized users. Most concerningly, car owners would receive no notification of these unauthorized additions. Subaru addressed the vulnerability within 24 hours of receiving the report on November 20, 2024.

Read more at Ars Technica



North Korean IT Workers Turn to Aggressive Extortion Tactics

The FBI and Mandiant have warned that North Korean fake IT workers are escalating their tactics, now actively extorting organizations that unknowingly hire them. These workers are infiltrating corporate networks to steal sensitive data and demanding six-figure ransoms to prevent data leaks. The shift in tactics comes as a response to increased law enforcement action and media coverage. Mandiant warns that companies using virtual desktop infrastructure (VDI) are particularly vulnerable to these operations, as it makes it easier for malicious actors to hide their activities.

Read more at CyberScoop



Record-Breaking 5.6 Tbps DDoS Attack Targets Asian ISP

Cloudflare reported blocking a massive 5.6 terabit per second (Tbps) DDoS attack against an internet service provider in Eastern Asia, setting a new record for DDoS attack volume. The 80-second assault, launched by a Mirai-variant botnet, originated from 13,000 unique IP addresses. The attack represents a significant escalation from the previous record of 3.8 Tbps. Overall, Cloudflare blocked 21.3 million DDoS attacks in 2024, a 53% increase from 2023, with HTTP DDoS attacks surpassing Layer 3/Layer 4 attacks in Q4.

Read more at BleepingComputer



PowerSchool Data Breach Impacts Millions of Students and Educators

A massive data breach at PowerSchool, affecting their Student Information System (SIS) service, has potentially exposed sensitive data of students and educators dating back decades. The breach, discovered on December 28, 2024, impacts school districts across 40 US states and multiple Canadian school boards. The compromised data includes names, contact information, medical information, and various academic records. With PowerSchool serving over 16,000 K-12 schools worldwide, early estimates suggest the breach could affect up to 72 million individuals, leading to multiple lawsuits against the company.

Read more at The Hacker News



Pwn2Own Automotive 2025 Hackers Earn $886,000 for Various Exploits

The Pwn2Own Automotive 2025 competition concluded with participants earning $886,250 for demonstrating vulnerabilities in EV chargers, operating systems, and infotainment units. Notable exploits included successful attacks on Tesla Wall Connector chargers, which alone earned hackers $129,500. The Summoning Team emerged as the top performers, earning $222,250. Interestingly, no attempts were made to hack Tesla vehicles despite the significant prizes offered, suggesting improved vehicle security. The competition revealed vulnerabilities in products from Kenwood, Sony, Alpine, ChargePoint, Phoenix Contact, Autel, Ubiquiti, and WolfBox.

Read more at ZDNet



DHS Disbands Cyber Safety Review Board in Controversial Move

In a significant shift in US cybersecurity policy, the Trump administration has dissolved the Cyber Safety Review Board (CSRB), one of CISA's most effective initiatives. The board, established under Biden's Executive Order 14028, had conducted three major investigations, including the high-profile Microsoft Exchange Online breach. The CSRB gained respect for its frank assessments and was in the midst of investigating the Chinese Salt Typhoon hacks when disbanded. The move comes amid broader changes at CISA, including the departures of director Jen Easterly and deputy Nitin Natarajan, with Coast Guard veteran Sean Plankey proposed as the new director.

Read more at CyberScoop



Oracle's January 2025 CPU Patches 200+ Vulnerabilities

Oracle's first Critical Patch Update (CPU) of 2025 addresses approximately 220 unique CVEs, with 180 of them being remotely exploitable without authentication. The update includes roughly 30 critical-severity fixes, with Oracle Communications receiving the highest number of patches (85). MySQL received 39 new security patches, while other significant updates were released for Financial Services Applications, Communications Applications, and Analytics. Oracle emphasizes the importance of timely patch application, noting that attackers frequently target vulnerabilities for which patches have been released but not yet applied.

Read more at SC Magazine



Murdoc Botnet Targets Avtech Cameras and Huawei Routers

A new Mirai variant dubbed Murdoc Botnet has been actively targeting Avtech cameras and Huawei routers for the past six months. The botnet exploits CVE-2024-7029 in Avtech AVM1203 IP cameras and CVE-2017-17215 in Huawei HG532 routers. Qualys reports that over 1,300 IPs have been involved in the campaign, with most infections concentrated in Malaysia, Thailand, Mexico, and Indonesia. The botnet operates through more than 100 command-and-control servers and is primarily used for launching DDoS attacks.

Read more at BleepingComputer



DryRun Security Raises $8.7M for AI-Powered Application Security

DryRun Security has secured $8.7 million in seed funding from LiveOak Ventures, Work-Bench, and Cannage Capital. The company, which emerged from stealth in 2023, has developed Contextual Security Analysis (CSA) technology that uses AI to help developers identify code security issues. Along with the funding announcement, DryRun launched Natural Language Code Policies (NLCP), allowing teams to define security policies using conversational language, aimed at making security risk assessment more accessible to development teams.

Read more at TechCrunch



Doti AI Secures $7M Seed Round for Enterprise Knowledge Platform

Tel Aviv-based startup Doti AI has raised $7 million in seed funding led by F2 Venture Capital, with participation from notable angel investors. The company's Work AI platform revolutionizes how enterprises access and utilize internal data, offering deployment in under an hour. The platform uses AI to monitor conversations and automatically deliver relevant information before questions are even asked. Security is a key focus, with authenticated access and a ‘spaces’ concept preventing unauthorized data access. The solution addresses the common problem of employees struggling to quickly access company information, while maintaining strict security controls through read-only permissions and segmented access.

Read more at VentureBeat



SonicWall Patches Critical Zero-Day After Microsoft's Alert

SonicWall has addressed a critical zero-day vulnerability (CVE-2025-23006) in its SMA 1000 series products after receiving notification from Microsoft's Threat Intelligence Center. The flaw, affecting the Appliance Management Console and Central Management Console, could allow unauthorized remote command execution. While SonicWall confirmed possible active exploitation by threat actors, specific details about the attacks remain undisclosed. The vulnerability affects version 12.4.3-02804 and earlier, with patches available in version 12.4.3-02854.

Read more at Threatpost



Conduent Confirms Cyberattack Following Government Service Disruptions

Business process services provider Conduent has acknowledged a cyberattack following reports of service outages affecting government agencies across multiple US states. The incident caused disruptions to payment processing in Wisconsin and customer service lines in Oklahoma. While details are limited, the company confirmed system restoration following the cybersecurity incident. Conduent, which serves over 600 government entities across 46 US states and numerous major corporations, previously suffered a ransomware attack by the Maze group in 2020.

Read more at Dark Reading



Homebrew macOS Users Targeted by Sophisticated Malvertising Campaign

A malicious advertising campaign has been discovered targeting macOS users through fake Google ads for the popular package manager Homebrew. The campaign redirects users from legitimate-looking ads to a fraudulent website (brewe.sh instead of brew.sh) that delivers the Amos Stealer malware. This sophisticated attack leverages Google's advertising platform to appear legitimate while distributing information-stealing malware capable of extracting passwords, system information, and cryptocurrency wallet data. Google has suspended the associated advertiser accounts and is investigating the incident.

Read more at The Hacker News



FBI/CISA Release Technical Details on Ivanti Exploit Chains

US cybersecurity and law enforcement agencies (CISA and the FBI) have disclosed technical information about exploit chains used by Chinese hackers to compromise Ivanti Cloud Service Appliances (CSA). The agencies identified two main exploit chains combining multiple CVEs (CVE-2024-8963, CVE-2024-9379, CVE-2024-8190, and CVE-2024-9380). The attacks, linked to the Chinese APT group UNC5221, involved custom malware including the Zipline backdoor, the Thinspool dropper, and the Lightwire webshell. The agencies provided detailed IOCs and urged network defenders to treat credentials stored on affected appliances as compromised.

Read more at GovInfoSecurity



CISA Adds Old jQuery Vulnerability to KEV Catalog

CISA has added CVE-2020-11023, a medium-severity XSS vulnerability in jQuery, to its Known Exploited Vulnerabilities (KEV) catalog. While the vulnerability was originally disclosed in April 2020, historical reports indicate it was exploited by the Chinese APT1 group. The flaw affects multiple major organizations' products, including Linux distributions, F5, IBM, and Atlassian. Federal agencies have been instructed to address the vulnerability by February 13.

Read more at SC Media



Axoflow Raises $7M for Security Data Curation Platform

Security data curation platform Axoflow has secured $7 million in seed funding led by EBRD Venture Capital, with participation from Credo Ventures and e2vc. The Hungarian-founded, US-based startup offers an automated pipeline for security data collection, management, and ingestion. The platform promises to reduce data volume by over 50% while improving detection and response capabilities. The funding will accelerate platform development with general availability targeted for August 2024.

Read more at TechCrunch