By security practitioners, for security practitioners

Weekly Top 10: 01.20.2025: fasthttp Used in New Bruteforce Campaign; Millions of Accounts Vulnerable Due to Google’s OAuth Flaw; The Great Google Ads Heist, and More.

WEEKLY TOP TEN: January 20, 2025, 16:00 GMT

  1. Information Stealer Masquerades as LDAPNightmare PoC Exploit

    Critical vulnerabilities often lead to proof-of-concept (PoC) exploits being posted publicly for security researchers. In the case of LDAPNightmare, a malicious PoC was released on GitHub intended to infect researchers with malware. A repo named CVE-2024-49113 contained malware masquerading as the PoC; once downloaded and executed, it steals information and sends it to a threat actor’s FTP server. The GitHub repo has since been taken down.
  2. fasthttp Used in New Bruteforce Campaign

    Cybercriminals have been using FastHTTP to brute-force the Azure Active Directory Graph API, spamming MFA requests in the process. FastHTTP is an optimized HTTP server for Go that excels at concurrent, low-latency requests. Researchers at SpearTip report that while ~90% of attempts failed, 10% successfully authenticated into Azure accounts, a significant rate when it comes to account compromise. Brute-force lockout protection and geo-location restrictions help keep environments secure against this campaign.
  3. Millions of Accounts Vulnerable Due to Google’s OAuth Flaw

    Researchers at Truffle Security have uncovered a flaw in Google’s OAuth flow. Because Google allows expired domains to be purchased, anyone can obtain a domain previously used by a company and re-create the email accounts of its former employees. Those re-created emails grant authentication access to anything linked to the original address through OAuth, such as Slack, Zoom, and HR systems. While Google initially closed the issue as “Won’t fix,” it has since reversed that decision, and a fix is in progress. For now, past employees of failed startups remain vulnerable.
  4. Over 660,000 Rsync Servers Exposed to Code Execution Attacks

    Six new vulnerabilities have been discovered in Rsync, a popular file synchronization tool, affecting over 660,000 exposed servers. The most severe is a critical heap buffer overflow that allows attackers to execute code remotely with only anonymous read access. Combined with an information leak vulnerability, it lets attackers fully compromise devices running Rsync. BleepingComputer has counted over 666,000 IP addresses with exposed servers. Updating to version 3.4.0 is strongly recommended.
  5. The Great Google Ads Heist

    Threat actors have been phishing advertisers looking to buy ad placements from Google. They do so by buying advertisements from Google themselves and branding them as “Google Ads,” tricking advertisers into clicking on the fake “Google Ads” listing instead of Google’s genuine one. The fake listing leads to a page on the “sites.google.com” domain, further masquerading as Google. The goal is to steal Google Ads accounts and scam advertisers into paying for ad placements. With each stolen Google Ads account, the threat actor can buy even more ads using funds from the stolen accounts. Google has responded and addressed the issue.
  6. Label Giant Avery Says Website Hacked to Steal Credit Cards

    Avery, an American company selling self-adhesive labels and printing services, disclosed a data breach after discovering a skimmer on its payment page. The skimmer was planted on July 18, 2024, and extracted sensitive customer information for six months before being detected. Over 60,000 customers have been impacted, and Avery has already received emails from customers reporting fraudulent charges after using Avery’s site. If you were impacted, it’s recommended to freeze and replace your credit card.
  7. One Mikro Typo: How a Simple DNS Misconfiguration Enables Malware Delivery by a Russian Botnet

    A botnet of 13,000 compromised MikroTik routers has been observed sending malware through email. The threat actors took advantage of a DNS misconfiguration in the SPF records of the sender domains that allowed any address to send email on their behalf, letting the messages bypass spam filters. Additionally, all of the infected MikroTik routers were configured as SOCKS proxies, allowing other threat actors to route traffic through them anonymously. The malware being sent is a trojan masquerading as a DHL shipping invoice.
  8. SAP Fixes Critical Vulnerabilities in NetWeaver Application Servers

    SAP has released its January security patch, fixing two critical vulnerabilities in NetWeaver with CVSS scores ranging from 8.7 to 9.9. CVE-2025-0070 and CVE-2025-0066, both with scores of 9.9, are privilege escalation and access vulnerabilities, respectively. Combining these vulnerabilities can result in deeper exploitation, potentially achieving full system compromise. SAP recommends updating to the latest security patches.
  9. W3 Total Cache Plugin Flaw Exposes 1 Million WordPress Sites to Attacks

    WordPress plugin W3 Total Cache is vulnerable to “Unauthorized access of data due to a missing capability check on the is_w3tc_admin_page” (CVE-2024-12365). This vulnerability is exploitable with an authenticated subscriber-level session. It was fixed in version 2.8.2, but according to WordPress statistics, only 43% of users have updated to the latest version.
  10. Under the Cloak of UEFI Secure Boot: Introducing CVE-2024-7344

    Researchers from ESET have discovered a critical vulnerability that allows a Unified Extensible Firmware Interface (UEFI) Secure Boot bypass. UEFI is responsible for booting the OS and running pre-boot operations. The vulnerability (CVE-2024-7344) was found in a Microsoft-signed application that is part of several real-time system recovery suites developed by a multitude of vendors. Upon boot, the application loads code from a file named “cloak.dat” instead of using the Secure Boot functions, allowing any unsigned executable to be loaded. Microsoft revoked the vulnerable binaries in the last Patch Tuesday.
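Item 2 describes the tell-tale shape of the FastHTTP campaign: a flood of failed sign-ins from one source, a small fraction of which succeed. The script below is an added example (not SpearTip's or Microsoft's code) that runs that detection over constructed sign-in records in a generic SIEM export shape; the "fasthttp" user-agent string and the addresses are assumptions for illustration, not values from the campaign.

```python
"""Detect a burst of failed sign-ins from one source IP followed by a success.

Added example; the records below are constructed, not real Azure sign-in logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records: timestamp, source IP, target user, outcome, user-agent.
# The "fasthttp" agent string is an assumption used to make the burst visible.
SAMPLE_LOG = """\
2025-01-17T09:00:01Z 203.0.113.9 alice@example.com failure fasthttp
2025-01-17T09:00:02Z 203.0.113.9 bob@example.com failure fasthttp
2025-01-17T09:00:02Z 203.0.113.9 carol@example.com failure fasthttp
2025-01-17T09:00:03Z 203.0.113.9 dave@example.com failure fasthttp
2025-01-17T09:00:03Z 203.0.113.9 erin@example.com failure fasthttp
2025-01-17T09:00:04Z 203.0.113.9 frank@example.com failure fasthttp
2025-01-17T09:00:04Z 203.0.113.9 grace@example.com failure fasthttp
2025-01-17T09:00:05Z 203.0.113.9 heidi@example.com failure fasthttp
2025-01-17T09:00:05Z 203.0.113.9 ivan@example.com failure fasthttp
2025-01-17T09:00:06Z 203.0.113.9 judy@example.com success fasthttp
2025-01-17T09:30:00Z 198.51.100.7 alice@example.com success Mozilla/5.0 (Windows NT 10.0)
2025-01-17T09:31:00Z 198.51.100.7 alice@example.com failure Mozilla/5.0 (Windows NT 10.0)
"""

WINDOW = timedelta(minutes=5)   # look-back for counting failures
FAILURE_THRESHOLD = 5           # failures that make a following success suspicious


def parse_log(text):
    """Turn whitespace-separated lines into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, ip, user, outcome, agent = line.split(maxsplit=4)
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "user": user,
            "outcome": outcome,
            "agent": agent,
        })
    return events


def find_spray_successes(events, window=WINDOW, threshold=FAILURE_THRESHOLD):
    """Return one alert per successful sign-in that was preceded, within
    `window`, by at least `threshold` failures from the same source IP."""
    by_ip = defaultdict(list)
    for event in events:
        by_ip[event["ip"]].append(event)

    alerts = []
    for ip, ip_events in by_ip.items():
        ip_events.sort(key=lambda e: e["time"])
        for index, event in enumerate(ip_events):
            if event["outcome"] != "success":
                continue
            prior_failures = [
                e for e in ip_events[:index]
                if e["outcome"] == "failure" and event["time"] - e["time"] <= window
            ]
            if len(prior_failures) >= threshold:
                alerts.append({
                    "ip": ip,
                    "compromised_user": event["user"],
                    "failures_before_success": len(prior_failures),
                    # Many distinct targets from one IP is the spray signature.
                    "distinct_targets": len({e["user"] for e in prior_failures}),
                    "agent": event["agent"],
                })
    return alerts


if __name__ == "__main__":
    for alert in find_spray_successes(parse_log(SAMPLE_LOG)):
        print(alert)
```

The alert carries the count of distinct targets, which is what separates a spray like this one from a single user mistyping a password; the same source IP and user-agent fields are what a lockout rule or geo-location restriction would key on.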
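Item 3 turns on a relying-party decision: a downstream app that identifies users by email address will accept a re-created mailbox as the original employee. The following added example (not Truffle Security's or Google's code) contrasts that weak lookup with one keyed on the provider's issuer and subject. The tokens are constructed dictionaries standing in for already-verified OpenID Connect ID tokens, and the assumption that a re-created account receives a new `sub` follows from OpenID Connect's stable per-account subject identifier; the `sub` values themselves are invented.

```python
"""Account linking keyed on email vs. on the provider's (issuer, subject) pair.

Added example; tokens are constructed stand-ins for verified ID tokens.
"""

# Constructed: ID token for the original employee while the company existed.
ORIGINAL_TOKEN = {
    "iss": "https://accounts.google.com",
    "sub": "100000000000000000001",
    "email": "jane@startup.example",
    "hd": "startup.example",
}

# Constructed: ID token for a mailbox with the same address, re-created after
# the domain expired and was re-registered. It is a new identity at the
# provider, so (assumption: stable per-account subject) it carries a different
# `sub` even though the email and hosted domain are identical.
RECREATED_TOKEN = {
    "iss": "https://accounts.google.com",
    "sub": "100000000000000000002",
    "email": "jane@startup.example",
    "hd": "startup.example",
}


class EmailKeyedAccounts:
    """Relying party that identifies accounts by email: the weak pattern."""

    def __init__(self):
        self._accounts = {}

    def register(self, token, profile):
        self._accounts[token["email"].lower()] = profile

    def login(self, token):
        return self._accounts.get(token["email"].lower())


class SubjectKeyedAccounts:
    """Relying party that binds each account to (issuer, subject)."""

    def __init__(self):
        self._accounts = {}

    def register(self, token, profile):
        self._accounts[(token["iss"], token["sub"])] = profile

    def login(self, token):
        return self._accounts.get((token["iss"], token["sub"]))


def compare_linking():
    """Register Jane once under each scheme, then present the re-created token."""
    profile = {"name": "Jane", "role": "admin"}
    weak, strong = EmailKeyedAccounts(), SubjectKeyedAccounts()
    weak.register(ORIGINAL_TOKEN, profile)
    strong.register(ORIGINAL_TOKEN, profile)
    return {
        "email_keyed_grants_recreated": weak.login(RECREATED_TOKEN) is not None,
        "subject_keyed_grants_recreated": strong.login(RECREATED_TOKEN) is not None,
        "subject_keyed_grants_original": strong.login(ORIGINAL_TOKEN) is not None,
    }


if __name__ == "__main__":
    print(compare_linking())
```

Note that checking the `hd` (hosted domain) claim does not help here, because the re-registered domain produces the same value; only the subject differs. Offboarding that removes the downstream accounts themselves, rather than relying on the mailbox disappearing, closes the gap regardless of how the app keys its users.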
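Item 7 hinges on an SPF record that lets any address send for the domain; in SPF terms that is a record ending in `+all` (or a bare `all`, which defaults to `+`). The script below is an added example, not code from the researchers behind the MikroTik report, that parses an SPF record, flags the permissive catch-all, and evaluates a sending IP against the record's `ip4`/`ip6` terms. The records and addresses are constructed, not the domains the botnet abused; mechanisms that need DNS (`a`, `mx`, `include`, `exists`, `ptr`, `redirect`) are not resolved offline and yield an "unknown" result.

```python
"""Audit an SPF record for a permissive catch-all and evaluate a sender IP.

Added example; records and addresses are constructed.
"""
import ipaddress

# Result names per RFC 7208 for each qualifier; '+' is the default when omitted.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_DEPENDENT = ("a", "mx", "include", "exists", "ptr", "redirect")


def parse_spf(record):
    """Split a TXT record into (qualifier, mechanism, value) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        if "=" in term:  # modifier such as redirect=example.net or exp=...
            name, _, value = term.partition("=")
            parsed.append(("", name.lower(), value))
            continue
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mechanism, _, value = term.partition(":")
        parsed.append((qualifier, mechanism.lower(), value))
    return parsed


def audit_spf(record):
    """Return findings about the catch-all; an empty list means it is strict."""
    terms = parse_spf(record)
    findings = []
    for qualifier, mechanism, _ in terms:
        if mechanism == "all" and qualifier == "+":
            findings.append("'+all' authorizes every host on the internet to send as this domain")
        elif mechanism == "all" and qualifier == "?":
            findings.append("'?all' is neutral, so receivers will not reject forged mail")
    has_all = any(mech == "all" for _, mech, _ in terms)
    has_redirect = any(mech == "redirect" for _, mech, _ in terms)
    if not has_all and not has_redirect:
        findings.append("no 'all' term: unmatched senders get a neutral result")
    return findings


def spf_result(record, sender_ip):
    """Evaluate ip4/ip6/all terms left to right and return the RFC 7208 result
    name, or 'unknown' if a DNS-dependent term is reached before any match."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mechanism, value in parse_spf(record):
        if mechanism in ("ip4", "ip6"):
            # Version mismatch (v4 address vs v6 network) simply does not match.
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIER_RESULT[qualifier]
        elif mechanism == "all":
            return QUALIFIER_RESULT[qualifier]
        elif mechanism in DNS_DEPENDENT:
            return "unknown"
    return "neutral"


if __name__ == "__main__":
    permissive = "v=spf1 ip4:203.0.113.0/24 +all"
    strict = "v=spf1 ip4:203.0.113.0/24 -all"
    for rec in (permissive, strict):
        print(rec, "->", audit_spf(rec), "| 198.51.100.7:", spf_result(rec, "198.51.100.7"))
```

The remediation the second record shows is the usual one: list the hosts actually allowed to send, then close the record with `-all` (or `~all` while still discovering legitimate senders) so that a spam filter can reject mail relayed from an unrelated router.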

Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The top 10 stories above were selected from the 40+ we determined to be most significant during the course of the week, ranked by highest risk and drawing on multiple sources when available.
