WEEKLY TOP TEN: January 27, 2025, 16:00 GMT
- 7-Zip Bug That Bypasses MoTW Now
Trend Micro released an advisory about a security flaw being tracked under CVE-2025-0411. This flaw allows a threat actor to bypass the Mark-of-the-Web protections applied to the files contained in a 7-Zip archive.
Igor Pavlov, the maintainer of 7-Zip, released a patch for this flaw in version 24.09. However, 7-Zip has no auto-update feature, so many users are still running old, vulnerable versions.

- Two Spinoffs of the Mirai Botnet Discovered
Two separate botnet campaigns were discovered using the Mirai botnet malware; the first, dubbed ‘Murdoc_Botnet,’ was discovered by Qualys, and the other, discovered by Trend Micro, has yet to be named. The Murdoc_Botnet campaign started in July of 2024, using CVE-2024-7029 and CVE-2017-17215 to deliver the initial payloads to Avtech cameras and Huawei routers and amassing 1,300 unique IPs across the U.S., Malaysia, Thailand, Mexico, and Indonesia.
The other botnet, discovered by Trend Micro, started its activity at the end of 2024 and has affected multiple countries around the globe, with the U.S. being the most affected. It has been seen targeting wireless routers and IP cameras from TP-Link, Zyxel, and Hikvision.

- Threat Group ‘Belsen Group’ Leaks over 15,000 FortiGate Firewall Configurations
The threat group Belsen Group has released over 15,000 FortiGate firewall configurations that contain usernames, passwords, firewall rules, and device management digital certificates. Belsen Group gathered the data in 2022, when it used the now-patched zero-day CVE-2022-40684 against targets in multiple countries, with the U.S., UK, Poland, and Belgium being the most targeted.

- New SonicWall RCE Security Flaw Actively Exploited
SonicWall warns the public that a recently discovered remote code execution vulnerability in its SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC) has been actively exploited in the wild by threat actors. The flaw is being tracked as CVE-2025-23006 and allows an unauthenticated attacker to execute system commands on appliances running versions up to 12.4.3-02804. SonicWall has released a hotfix for this vulnerability in its newest release.

- Threat Group ‘DONOT Team’ Targets Android Users in India
Researchers at Cyfirma discovered two malicious Android apps, ‘Tanzeem’ and ‘Tanzeem Update,’ which are part of an intelligence-gathering campaign targeting individuals and groups in India that appear to be of national security interest, delivered through the popular engagement platform OneSignal. Once the malicious application is installed, it asks for permissions that give the threat group access to inbound and outbound messages, internal storage, and GPS location data.

- J-magic Campaign Uses 25-Year-Old Backdoor Against Juniper Routers
Researchers at Black Lotus Labs discovered a ‘J-magic’ campaign targeting Juniper-brand routers. The campaign has compromised multiple companies so far, deploying a payload called ‘cd00r,’ a 25-year-old backdoor that sniffs traffic and waits for 5 crafted packets before activating. Once activated, it opens a reverse shell connection to the threat actor that sent the crafted packets.

- Threat Group Andariel Uses RID Hijacking to Create Hidden Admin Accounts
Researchers at the South Korean cybersecurity company AhnLab discovered that the threat group ‘Andariel,’ which has been linked to North Korea’s Lazarus nation-state threat group, is using a technique called ‘RID hijacking,’ which tricks Windows into granting administrative permissions to a low-privileged account.

- Threat Actors Still Exploiting Old Ivanti Vulnerabilities
CISA and the FBI sent out a warning that threat actors are still exploiting patched vulnerabilities in Ivanti’s Cloud Service Appliance (CSA). These threat actors are using two separate attack chains: CVE-2024-8963 chained with CVE-2024-8190 and CVE-2024-9380, and CVE-2024-8963 chained with CVE-2024-9379. Both chains result in the threat actor gaining remote code execution on the Ivanti appliances.

- Critical Vulnerability in Cisco Meeting Management Patched
Cisco released a patch for a critical vulnerability found in its Meeting Management feature. The vulnerability is tracked as CVE-2025-20156 and allows an authenticated threat actor to send a crafted API request that elevates their privileges to administrator level and gains control over all nodes managed by Cisco Meeting Management. It affects version 3.9 and earlier; Cisco recommends updating to version 3.9.1 or 3.10.x, which do not have the flaw.

- Unpatched Privilege Escalation Vulnerabilities in WordPress Plugins Leave 32,000 Sites Exposed
Security researchers at Patchstack discovered two critical vulnerabilities. The first is an unauthenticated privilege escalation vulnerability in the WordPress theme ‘RealHome,’ tracked as CVE-2024-32444, and the second is another unauthenticated privilege escalation affecting the Easy Real Estate WordPress plugin, tracked as CVE-2024-32555. Neither vulnerability has been patched since their disclosure in September 2024, leaving 32,600 websites vulnerable.
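For the 7-Zip item above, the protection at stake is the Mark-of-the-Web, which Windows stores in a `Zone.Identifier` alternate data stream on each file; a bypass means extracted files end up without the stream (or with a weaker zone) and so skip SmartScreen and Office Protected View. The following Python script is an added example, not code from Trend Micro or the 7-Zip project: it parses that stream and reports extracted members whose mark is missing or weaker than the archive's. The archive and member streams in `SAMPLE_ARCHIVE` and `SAMPLE_MEMBERS` are constructed; `audit_directory` reads real streams on an NTFS volume when given an archive path and an extraction directory.

```python
"""Check that files extracted from a downloaded archive kept their Mark-of-the-Web.
Added example; not code from Trend Micro or the 7-Zip project."""
import os
import sys
from typing import Dict, List, Optional

ZONE_STREAM = ":Zone.Identifier"  # NTFS alternate data stream that carries MoTW
ZONE_INTERNET = 3                 # URLZONE_INTERNET; 0..2 are local/intranet/trusted


def parse_zone_identifier(text: str) -> Dict[str, str]:
    """Parse the INI-style [ZoneTransfer] section into key/value pairs."""
    fields: Dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "ZoneTransfer" and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def zone_id(stream: Optional[str]) -> Optional[int]:
    """ZoneId as an int, or None when the stream is absent or malformed."""
    if stream is None:
        return None
    try:
        return int(parse_zone_identifier(stream).get("ZoneId", ""))
    except ValueError:
        return None


def read_zone_stream(path: str) -> Optional[str]:
    """Read the ADS from NTFS (Windows only); None means the file carries no mark."""
    try:
        with open(path + ZONE_STREAM, "r", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


def audit_extraction(archive_stream: Optional[str],
                     members: Dict[str, Optional[str]]) -> List[str]:
    """Return extracted members whose mark is missing or weaker than the archive's.

    The archive's own zone decides what each extracted file should carry; an
    archive that is not marked Internet (or worse) has nothing to propagate."""
    archive_zone = zone_id(archive_stream)
    if archive_zone is None or archive_zone < ZONE_INTERNET:
        return []
    unmarked = []
    for name, stream in members.items():
        member_zone = zone_id(stream)
        if member_zone is None or member_zone < archive_zone:
            unmarked.append(name)
    return sorted(unmarked)


def audit_directory(archive_path: str, extracted_dir: str) -> List[str]:
    """Walk an extraction directory and audit the real streams."""
    members: Dict[str, Optional[str]] = {}
    for root, _dirs, files in os.walk(extracted_dir):
        for fn in files:
            path = os.path.join(root, fn)
            members[path] = read_zone_stream(path)
    return audit_extraction(read_zone_stream(archive_path), members)


# Constructed sample: an Internet-zone archive and three extracted members.
SAMPLE_ARCHIVE = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                  "ReferrerUrl=https://example.invalid/\r\n"
                  "HostUrl=https://example.invalid/pkg.7z\r\n")
SAMPLE_MEMBERS: Dict[str, Optional[str]] = {
    "out/readme.txt": "[ZoneTransfer]\r\nZoneId=3\r\n",   # mark propagated correctly
    "out/installer.exe": None,                            # stream missing: no mark at all
    "out/notes.lnk": "[ZoneTransfer]\r\nZoneId=2\r\n",    # weaker zone than the archive
}

if __name__ == "__main__":
    if len(sys.argv) == 3:
        missing = audit_directory(sys.argv[1], sys.argv[2])
    else:
        missing = audit_extraction(SAMPLE_ARCHIVE, SAMPLE_MEMBERS)
    for name in missing:
        print("MoTW missing or downgraded:", name)
```

Run without arguments it audits the constructed sample and flags `out/installer.exe` and `out/notes.lnk`; run as `python motw_audit.py downloaded.7z out\` on Windows it audits a real extraction. Comparing against the archive's zone rather than a fixed value keeps the check honest for archives that legitimately arrived from an intranet share.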
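For the RID hijacking item above, the detail a defender can check is that Windows keeps each local account twice in the SAM hive: as a registry key named after the account's RID in hex, and again inside that key's binary `F` value. Hijacking rewrites the RID in `F` (typically to 500, the built-in Administrator) while the key name keeps the account's real RID, so the two stop agreeing. The Python below is an added example, not AhnLab's code; it assumes the key-name convention and that the RID sits at offset 0x30 of `F` as a little-endian DWORD, and `SAMPLE_USERS` is constructed data. `collect_from_registry` reads the live hive on Windows, which requires SYSTEM rights.

```python
"""Offline check for RID hijacking in SAM data. Added example, not AhnLab's code.
Assumption this example relies on: each local account lives under a key named
with its RID as 8 hex digits below the Users key of the SAM hive, and the binary
F value of that key repeats the RID as a little-endian DWORD at offset 0x30."""
import struct
from typing import Dict, List, Tuple

RID_OFFSET = 0x30            # assumed offset of the RID field inside the F value
RID_ADMINISTRATOR = 500      # built-in Administrator RID
USERS_KEY = r"SAM\SAM\Domains\Account\Users"


def rid_from_key_name(name: str) -> int:
    """Key names are the RID in hex, e.g. '000003E9' -> 1001."""
    return int(name, 16)


def rid_from_f_value(f_value: bytes) -> int:
    """RID as recorded inside the F value."""
    if len(f_value) < RID_OFFSET + 4:
        raise ValueError("F value too short to contain a RID")
    return struct.unpack_from("<I", f_value, RID_OFFSET)[0]


def find_rid_mismatches(users: Dict[str, bytes]) -> List[Tuple[str, int, int]]:
    """Return (key_name, rid_from_name, rid_from_F) for accounts that disagree."""
    findings = []
    for name, f_value in users.items():
        try:
            name_rid = rid_from_key_name(name)
        except ValueError:
            continue  # not a per-account key (e.g. the 'Names' index key)
        f_rid = rid_from_f_value(f_value)
        if name_rid != f_rid:
            findings.append((name, name_rid, f_rid))
    return findings


def collect_from_registry() -> Dict[str, bytes]:
    """Read live SAM keys (Windows only; needs SYSTEM rights on the SAM hive)."""
    import winreg
    users: Dict[str, bytes] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, USERS_KEY) as root:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(root, index)
            except OSError:
                break  # no more subkeys
            index += 1
            if name == "Names":
                continue
            with winreg.OpenKey(root, name) as sub:
                users[name] = winreg.QueryValueEx(sub, "F")[0]
    return users


def make_f_value(rid: int) -> bytes:
    """Constructed stand-in for an F value: zeros except the RID field."""
    buf = bytearray(0x50)
    struct.pack_into("<I", buf, RID_OFFSET, rid)
    return bytes(buf)


# Constructed sample: Administrator (500) and Guest (501) are consistent; the
# RID-1001 account has had its F value rewritten to claim RID 500.
SAMPLE_USERS: Dict[str, bytes] = {
    "000001F4": make_f_value(500),
    "000001F5": make_f_value(501),
    "000003E9": make_f_value(RID_ADMINISTRATOR),
}

if __name__ == "__main__":
    import sys
    data = collect_from_registry() if sys.platform == "win32" else SAMPLE_USERS
    for key_name, name_rid, f_rid in find_rid_mismatches(data):
        print(f"RID mismatch: key {key_name} (RID {name_rid}) has F RID {f_rid}")
```

On a clean host the two RIDs agree for every key and the script prints nothing; a finding such as `key 000003E9 (RID 1001) has F RID 500` is the signature the AhnLab item describes, and the same comparison can be run offline against an exported SAM hive during forensic triage.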
Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The top 10 stories above were selected from the 40+ items we determined to be most significant over the course of the week, ranked by highest risk and drawing on multiple sources where available.