In the ever-evolving landscape of cybersecurity, staying informed is crucial. Here’s a concise recap of the top cybersecurity threats, tools, and tips as of January 27, 2025.
Threat of the Week: J-magic Backdoor Targets Juniper Networks Routers
A recent campaign has been identified targeting enterprise-grade Juniper Networks routers between mid-2023 and mid-2024. Attackers deployed a backdoor known as “J-magic,” a variant of the 25-year-old “cd00r” backdoor. This malware establishes a reverse shell to an attacker-controlled IP address and port. Industries such as semiconductor, energy, manufacturing, and information technology were primarily targeted.
Top News
Palo Alto Firewalls Vulnerable to Firmware Exploits: An analysis of Palo Alto Networks firewall models PA-3260, PA-1410, and PA-415 revealed vulnerabilities that could be exploited to bypass Secure Boot and modify device firmware. Exploiting these flaws requires prior compromise of the PAN-OS software and elevated privileges. Palo Alto Networks is collaborating with third-party vendors to develop firmware updates.
PlushDaemon Linked to Supply Chain Attack on South Korean VPN Provider: A newly identified China-aligned hacking group, dubbed “PlushDaemon,” conducted a supply chain attack targeting a South Korean VPN provider in 2023. They delivered malware known as “SlowStepper,” a fully-featured backdoor capable of extensive information gathering. The group also exploited an unknown vulnerability in Apache HTTP servers and performed adversary-in-the-middle attacks to breach other targets.
Mirai Botnet Launches Record 5.6 Tbps DDoS Attack: Cloudflare reported that a Mirai botnet comprising over 13,000 IoT devices was responsible for a record-breaking 5.6 Terabit per second distributed denial-of-service attack targeting an unnamed internet service provider in Eastern Asia. The attack lasted approximately 80 seconds.
Over 100 Flaws in LTE and 5G Implementations: Academics disclosed 119 security vulnerabilities affecting LTE and 5G implementations, including Open5GS, Magma, OpenAirInterface, Athonet, SD-Core, NextEPC, and srsRAN. Some vulnerabilities could be exploited to disrupt service access and potentially breach the cellular core network, allowing attackers to monitor cellphone locations and more.
Security Tips
Regular Firmware Updates: Ensure all network devices, especially routers and firewalls, are updated with the latest firmware to mitigate known vulnerabilities.
Monitor Network Traffic: Implement intrusion detection systems to monitor for unusual traffic patterns indicative of DDoS attacks or unauthorized access.
Supply Chain Vigilance: Regularly audit and monitor third-party software and services to detect potential supply chain compromises.
Stay Informed: Keep abreast of the latest research and disclosures regarding vulnerabilities in critical infrastructure, such as LTE and 5G networks.
By staying informed and implementing proactive security measures, organizations can better protect themselves against emerging threats in the cybersecurity landscape.
Microsoft closed out its Patch Tuesday updates for 2024 with fixes for a total of 72 security flaws spanning its software portfolio, including one that it said has been exploited in the wild.
Of the 72 flaws, 17 are rated Critical, 54 are rated Important, and one is rated Moderate in severity. Thirty-one of the vulnerabilities are remote code execution flaws, and 27 of them allow for the elevation of privileges.
This is in addition to 13 vulnerabilities the company has addressed in its Chromium-based Edge browser since the release of last month’s security update. In total, Microsoft has resolved as many as 1,088 vulnerabilities in 2024 alone, per Fortra.
The vulnerability that Microsoft has acknowledged as having been actively exploited is CVE-2024-49138 (CVSS score: 7.8), a privilege escalation flaw in the Windows Common Log File System (CLFS) Driver.
“An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” the company said in an advisory, crediting cybersecurity company CrowdStrike for discovering and reporting the flaw.
It’s worth noting that CVE-2024-49138 is the fifth actively exploited CLFS privilege escalation flaw since 2022 after CVE-2022-24521, CVE-2022-37969, CVE-2023-23376, and CVE-2023-28252 (CVSS scores: 7.8). It’s also the ninth vulnerability in the same component to be patched this year.
“Though in-the-wild exploitation details aren’t known yet, looking back at the history of CLFS driver vulnerabilities, it is interesting to note that ransomware operators have developed a penchant for exploiting CLFS elevation of privilege flaws over the last few years,” Satnam Narang, senior staff research engineer at Tenable, told The Hacker News.
“Unlike advanced persistent threat groups that typically focus on precision and patience, ransomware operators and affiliates are focused on the smash and grab tactics by any means necessary. By using elevation of privilege flaws like this one in CLFS, ransomware affiliates can move through a given network in order to steal and encrypt data and begin extorting their victims.”
The fact that CLFS has become an attractive attack pathway for malicious actors has not gone unnoticed by Microsoft, which said it’s working to add a new verification step when parsing such log files.
“Instead of trying to validate individual values in logfile data structures, this security mitigation provides CLFS the ability to detect when log files have been modified by anything other than the CLFS driver itself,” Microsoft noted in late August 2024. “This has been accomplished by adding Hash-based Message Authentication Codes (HMAC) to the end of the log file.”
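The HMAC-at-the-end-of-file idea Microsoft describes is easy to picture in code. The following is an added illustration written for this page, not Microsoft's CLFS implementation or its on-disk layout: a writer appends an HMAC-SHA256 tag over the log body, and a verifier recomputes the tag before trusting the file, so any byte altered by something other than the keyed writer (or a truncated file) is rejected. The key, file name and records are constructed.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed illustration of a tamper-evident log file: the file body is
# followed by an HMAC-SHA256 tag computed under a key known only to the
# component that writes the log. Any byte changed by anything other than
# that writer fails verification. This is not the CLFS on-disk format.

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def write_log(path: str, key: bytes, records: list[bytes]) -> None:
    """Write newline-terminated records, then append the HMAC tag over them."""
    body = b"".join(rec + b"\n" for rec in records)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    with open(path, "wb") as f:
        f.write(body + tag)


def verify_log(path: str, key: bytes) -> bool:
    """Return True only if the trailing tag matches the body under `key`."""
    with open(path, "rb") as f:
        data = f.read()
    if len(data) < TAG_LEN:  # truncated, or never tagged by the writer
        return False
    body, tag = data[:-TAG_LEN], data[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)  # constant-time comparison


def tamper(path: str, offset: int, value: int) -> None:
    """Overwrite one byte of the file in place, as an out-of-band editor would."""
    with open(path, "r+b") as f:
        f.seek(offset)
        f.write(bytes([value]))


def demo() -> dict:
    """Run the three cases a defender cares about and report each outcome."""
    key = os.urandom(32)  # constructed key; in practice held only by the log writer
    records = [  # constructed sample records
        b"2024-12-10T10:00:00Z open container A",
        b"2024-12-10T10:00:01Z write 4096 bytes",
    ]
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.log")  # constructed file name
        write_log(path, key, records)
        results["intact"] = verify_log(path, key)                # True
        results["wrong_key"] = verify_log(path, os.urandom(32))  # False
        tamper(path, 0, ord("X"))                                 # change the first byte
        results["modified"] = verify_log(path, key)              # False
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the design is in `verify_log`: the file is not trusted field by field, it is either exactly what the keyed writer produced or it is rejected, which is the shift from validating individual structures to detecting any external modification that the quoted passage describes.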
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has since added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply necessary remediations by December 31, 2024.
The bug with the highest severity in this month’s release is a remote code execution flaw impacting Windows Lightweight Directory Access Protocol (LDAP). It’s tracked as CVE-2024-49112 (CVSS score: 9.8).
“An unauthenticated attacker who successfully exploited this vulnerability could gain code execution through a specially crafted set of LDAP calls to execute arbitrary code within the context of the LDAP service,” Microsoft said.
Also of note are two other remote code execution flaws impacting Windows Hyper-V (CVE-2024-49117, CVSS score: 8.8), Remote Desktop Client (CVE-2024-49105, CVSS score: 8.4), and Microsoft Muzic (CVE-2024-49063, CVSS score: 8.4).
The development comes as 0patch released unofficial fixes for a Windows zero-day vulnerability that allows attackers to capture NT LAN Manager (NTLM) credentials. Additional details about the flaw have been withheld until an official patch becomes available.
“The vulnerability allows an attacker to obtain user’s NTLM credentials by simply having the user view a malicious file in Windows Explorer – e.g., by opening a shared folder or USB disk with such file, or viewing the Downloads folder where such file was previously automatically downloaded from attacker’s web page,” Mitja Kolsek said.
In late October, free unofficial patches were also made available to address a Windows Themes zero-day vulnerability that allows attackers to steal a target’s NTLM credentials remotely.
0patch has also issued micropatches for another previously unknown vulnerability on Windows Server 2012 and Server 2012 R2 that allows an attacker to bypass Mark-of-the-Web (MotW) protections on certain types of files. The issue is believed to have been introduced over two years ago.
With NTLM coming under extensive exploitation via relay and pass-the-hash attacks, Microsoft has announced plans to deprecate the legacy authentication protocol in favor of Kerberos. Furthermore, it has taken the step of enabling Extended Protection for Authentication (EPA) by default for new and existing installs of Exchange 2019.
Microsoft said it has rolled out a similar security improvement to Active Directory Certificate Services (AD CS) by enabling EPA by default with the release of Windows Server 2025, which also removes support for NTLM v1 and deprecates NTLM v2. These changes also apply to Windows 11 24H2.
“Additionally, as part of the same Windows Server 2025 release, LDAP now has channel binding enabled by default,” Redmond’s security team said earlier this week. “These security enhancements mitigate risk of NTLM relaying attacks by default across three on-premise services: Exchange Server, Active Directory Certificate Services (AD CS), and LDAP.”
“As we progress towards disabling NTLM by default, immediate, short-term changes, such as enabling EPA in Exchange Server, AD CS, and LDAP reinforce a ‘secure by default’ posture and safeguard users from real-world attacks.”
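Why enabling EPA and LDAP channel binding blunts relay attacks can be shown with a small model. The code below is an added, deliberately simplified illustration for this page; it is not an implementation of NTLM, EPA or LDAP channel binding, and the hashing, token derivation and names (`channel_binding_token`, `direct_login`, `relayed_login`) are constructed. The idea it captures: when the client's response covers a token derived from the TLS session it actually sees, a middlebox that terminates that session and opens its own to the server forwards a response the server computes differently.

```python
import hashlib
import hmac
import os

# Constructed, simplified model of challenge-response authentication with and
# without channel binding. Not NTLM, not EPA; the derivations are illustrative.


def channel_binding_token(tls_unique: bytes) -> bytes:
    """Derive a token from a property of the TLS session this party sees."""
    return hashlib.sha256(b"tls-channel:" + tls_unique).digest()


def client_response(secret: bytes, challenge: bytes, cbt: bytes) -> bytes:
    """Client answers the server's challenge; the answer also covers the CBT."""
    return hmac.new(secret, challenge + cbt, hashlib.sha256).digest()


def server_accepts(secret: bytes, challenge: bytes, cbt: bytes, response: bytes) -> bool:
    """Server recomputes the answer using the CBT of *its own* TLS session."""
    expected = client_response(secret, challenge, cbt)
    return hmac.compare_digest(expected, response)


def _secret() -> bytes:
    # Stand-in for the stored credential both sides derive from (constructed).
    return hashlib.sha256(b"constructed-password").digest()


def direct_login(enforce_cbt: bool) -> bool:
    """Client and server share one TLS session, so both derive the same token."""
    secret, tls, challenge = _secret(), os.urandom(32), os.urandom(8)
    cbt = channel_binding_token(tls) if enforce_cbt else b""
    response = client_response(secret, challenge, cbt)
    return server_accepts(secret, challenge, cbt, response)


def relayed_login(enforce_cbt: bool) -> bool:
    """A relay terminates the client's TLS and opens its own session to the server.

    Returns True if the server accepts the forwarded response.
    """
    secret = _secret()
    client_to_relay_tls = os.urandom(32)  # the session the client actually sees
    relay_to_server_tls = os.urandom(32)  # the session the server actually sees
    challenge = os.urandom(8)             # issued by the server, passed on by the relay
    # The client binds to the channel in front of it, which is the relay's.
    client_cbt = channel_binding_token(client_to_relay_tls) if enforce_cbt else b""
    response = client_response(secret, challenge, client_cbt)
    # The relay forwards the response unchanged; without `secret` it cannot recompute it.
    server_cbt = channel_binding_token(relay_to_server_tls) if enforce_cbt else b""
    return server_accepts(secret, challenge, server_cbt, response)


if __name__ == "__main__":
    print("direct login, binding on :", direct_login(True))    # True
    print("relayed login, binding off:", relayed_login(False))  # True
    print("relayed login, binding on :", relayed_login(True))   # False
```

With binding off the two channel tokens are both empty, so the forwarded response verifies; with binding on the client and server derive tokens from different sessions and the server rejects the response. That is the mechanism the quoted statement relies on when it describes EPA and LDAP channel binding as mitigating NTLM relaying by default.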
A Russian cybercriminal wanted in the U.S. in connection with LockBit and Hive ransomware operations has been arrested by law enforcement authorities in the country.
According to a news report from Russian media outlet RIA Novosti, Mikhail Pavlovich Matveev has been accused of developing a malicious program designed to encrypt files and seek ransom in return for a decryption key.
“At present, the investigator has collected sufficient evidence, the criminal case with the indictment signed by the prosecutor has been sent to the Central District Court of the city of Kaliningrad for consideration on the merits,” the Russian Ministry of Internal Affairs said in a statement.
Matveev has been charged under Part 1 of Article 273 of the Criminal Code of the Russian Federation, which relates to the creation, use, and distribution of computer programs that can cause “destruction, blocking, modification or copying of computer information.”
He was charged and indicted by the U.S. government in May 2023 for launching ransomware attacks against “thousands of victims” in the country and across the world. He is also known by various online aliases Wazawaka, m1x, Boriselcin, Uhodiransomwar, and Orange.
Matveev has also gone public about his criminal activities, stating that “his illicit activities will be tolerated by local authorities provided that he remains loyal to Russia.” He was sanctioned by the U.S. Treasury and has been the subject of a reward of up to $10 million for any information that could lead to his arrest or conviction.
A subsequent report from Swiss cybersecurity firm PRODAFT revealed that Matveev has been leading a team of six penetration testers to carry out the ransomware attacks.
Besides working as an affiliate for Conti, LockBit, Hive, Trigona, and NoEscape ransomware groups, he is said to have had a management-level role with the Babuk ransomware group up until early 2022. Furthermore, he is believed to have deeper ties with the Russian cybercrime group known as Evil Corp.
The development comes a little over a month after four members of the now-defunct REvil ransomware operation were sentenced to several years in prison in Russia after they were convicted of hacking and money laundering charges.
Microsoft-backed artificial intelligence (AI) startup OpenAI’s popular chatbot ChatGPT is facing a strange bug. The AI language model is unable to say the name “David Mayer.” Users on Reddit discovered this peculiar issue, which prevents ChatGPT from generating any response when asked to say the name. Despite numerous attempts and creative prompts, users have been unable to make ChatGPT say the name “David Mayer.” Various tactics, including separating the words, using spaces, riddles, and even claiming the name as their own, have failed to fetch the desired response from the chatbot. Users added that the chat invariably ends abruptly before ChatGPT can utter the name. We at TimesofIndia-Gadgets Now also tried making ChatGPT say that name but that didn’t happen.
A user named Justin Moore also shared the issue on social media platform X (earlier Twitter). Moore wrote: “ChatGPT refuses to say the name “David Mayer,” and no one knows why. If you try to get it to write the name, the chat immediately ends. People have attempted all sorts of things – ciphers, riddles, tricks – and nothing works.”
When asked indirectly about its inability to say D@vid M@yer ChatGPT responded: "The reason I cannot generate the full response when you request ‘d@vid m@yer’ (or its standard form) is that the name closely matches a sensitive or flagged entity associated with potential public figures, brands, or specific content policies. These safeguards are designed to prevent misuse, ensure privacy, and maintain compliance with legal and ethical considerations."