⚡ THN Weekly Recap: Top Cybersecurity Threats, Tools and Tips [13 Jan]

Cybersecurity Recap

The cyber world’s been buzzing this week, and it’s all about staying ahead of the bad guys. From sneaky software bugs to advanced hacking tricks, the risks are real, but so are the ways to protect yourself. In this recap, we’ll break down what’s happening, why it matters, and what you can do to stay secure.


Let’s turn awareness into action and keep one step ahead of the threats.


⚡ Threat of the Week


Critical Ivanti Flaw Comes Under Exploitation — A newly discovered critical security vulnerability in Ivanti Connect Secure appliances has been exploited as a zero-day since mid-December 2024. The flaw (CVE-2025-0282, CVSS score: 9.0) is a stack-based buffer overflow bug that could lead to unauthenticated remote code execution. According to Google-owned Mandiant, the flaw has been exploited to deploy the SPAWN ecosystem of malware – the SPAWNANT installer, SPAWNMOLE tunneler, and the SPAWNSNAIL SSH backdoor – as well as two other previously undocumented malware families dubbed DRYHOOK and PHASEJAM. There is a possibility that multiple threat actor groups, including the China-linked UNC5337, are behind the exploitation.




🔔 Top News

  • Microsoft Pursues Legal Action Against Hacking Group — Microsoft said it's taking legal action against an unknown foreign-based threat-actor group for abusing stolen Azure API keys and customer Entra ID authentication information to breach its systems and gain unauthorized access to the Azure OpenAI Service with the goal of generating harmful content that bypasses safety guardrails, as well as monetizing that access by offering it to other customers. It accused three unnamed individuals of creating a "hacking-as-a-service" infrastructure for this purpose.

  • Exploitation Attempts Recorded Against GFI KerioControl Firewalls — Threat actors are actively attempting to exploit a recently disclosed security flaw impacting GFI KerioControl firewalls that, if successfully exploited, could allow malicious actors to achieve remote code execution (RCE). The vulnerability, CVE-2024-52875, is a carriage return line feed (CRLF) injection that could result in a cross-site scripting (XSS) attack. Attempts to exploit the vulnerability commenced around December 28, 2024.
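To make the CRLF-injection mechanism concrete, here is an added illustrative example (not KerioControl code, and not the advisory's own details): a header value built from untrusted input is concatenated into a raw response, and a small parser shows how the embedded CR/LF pair splits the response into attacker-supplied headers and body, beside the hardened builder that rejects such values.

```python
"""Constructed CRLF header-injection demonstration and its mitigation."""

CRLF = "\r\n"


def build_redirect_unsafe(target: str) -> bytes:
    """Weak pattern: a user-controlled value is concatenated into a header line."""
    return (
        "HTTP/1.1 302 Found" + CRLF
        + "Location: " + target + CRLF
        + "Content-Length: 0" + CRLF
        + CRLF
    ).encode("latin-1")


def build_redirect_safe(target: str) -> bytes:
    """Hardened pattern: refuse any CR or LF before the value reaches the wire."""
    if "\r" in target or "\n" in target:
        raise ValueError("header value must not contain CR or LF")
    return build_redirect_unsafe(target)


def parse_response(raw: bytes):
    """Split a raw response into (status line, header dict, body) as a client would."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


# Constructed input: a redirect target carrying an embedded CRLF sequence, as a
# URL-decoded request parameter might. The injected body is plain text here;
# in a real attack it would be the script that produces the XSS.
TAINTED = "/home\r\nX-Injected: yes\r\nContent-Length: 8\r\n\r\ninjected"


if __name__ == "__main__":
    status, headers, body = parse_response(build_redirect_unsafe(TAINTED))
    print("unsafe builder ->", headers, body[:8])   # attacker-controlled header and body
    try:
        build_redirect_safe(TAINTED)
    except ValueError as exc:
        print("safe builder ->", exc)
```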

  • Updated EAGERBEE Malware Targets the Middle East — Internet service providers (ISPs) and governmental entities in the Middle East have been targeted using an updated variant of the EAGERBEE (aka Thumtais) malware framework. The new variant is capable of deploying additional payloads, enumerating file systems, and executing command shells. It can also manage processes, maintain remote connections, manage system services, and list network connections.

  • Southeast Asia Comes Under Mustang Panda Attacks — Several entities in Mongolia, Taiwan, Myanmar, Vietnam, and Cambodia have been targeted by the China-nexus Mustang Panda threat actor to deliver a customized version of the PlugX backdoor between July 2023 and December 2024. The attacks involve the use of Windows Shortcut (LNK), Windows Installer (MSI), and Microsoft Management Console (MSC) files, likely distributed via spear-phishing, as the first-stage component to trigger the infection chain, ultimately leading to the deployment of PlugX using DLL side-loading techniques.

  • U.S. Government Formally Unveils Cyber Trust Mark — The U.S. government announced the launch of the U.S. Cyber Trust Mark, a new cybersecurity safety label for Internet-of-Things (IoT) consumer devices that details the support period as well as the steps users can take to change the default password and configure the device securely. Eligible products that come under the purview of the Cyber Trust Mark program include internet-connected home security cameras, voice-activated shopping devices, smart appliances, fitness trackers, garage door openers, and baby monitors.


🔥 Trending CVEs


Your favorite software might be hiding serious security cracks—don’t wait for trouble to find you. Update now and stay one step ahead of the threats!


This week’s list includes — CVE-2024-8474 (OpenVPN Connect), CVE-2024-46981 (Redis), CVE-2024-51919, CVE-2024-51818 (Fancy Product Designer plugin), CVE-2024-12877 (GiveWP – Donation Plugin and Fundraising Platform), CVE-2024-12847 (NETGEAR DGN1000), CVE-2025-23016 (FastCGI fcgi2), CVE-2024-10215 (WPBookit plugin), CVE-2024-11350 (AdForest theme), CVE-2024-13239 (Drupal), CVE-2024-54676 (Apache OpenMeetings), CVE-2025-0103 (Palo Alto Networks Expedition), CVE-2024-53704 (SonicWall SonicOS), CVE-2024-50603 (Aviatrix Controller), CVE-2024-9138, and CVE-2024-9140 (Moxa).


📰 Around the Cyber World

  • Pastor Indicted for "Dream" Solano Fi Project — Francier Obando Pinillo, a 51-year-old pastor at a Pasco, Washington, church, has been indicted on 26 counts of fraud for allegedly operating a cryptocurrency scam that defrauded investors of millions between November 2021 and October 2023. Pinillo is said to have used his position as pastor to induce members of his congregation and others to invest their money in a cryptocurrency investment business known as Solano Fi. He claimed the idea for the scheme had "come to him in a dream." According to the U.S. Department of Justice (DoJ), "rather than investing funds on victims' behalf as he had promised, Pinillo defrauded victims into making cryptocurrency transfers into accounts he designated, then converted the victims' funds to himself and his co-schemers." Pinillo has also been accused of convincing investors to recruit other investors in exchange for additional returns for each new investor they recruited. The fraud charges carry a maximum sentence of up to 20 years in prison. The defendant is estimated to have targeted at least 1,515 customers in the U.S., netting him $5.9 million in illicit profits. The development comes as a Delaware man, Mohamed Diarra, pleaded guilty to his participation in a widespread international sextortion and money laundering scheme from May 2020 through December 2022. "Diarra conspired with co-conspirators in Côte d'Ivoire who sextorted victims and utilized a network of Delaware-based 'money mules,' including Diarra, to assist with laundering the victims' illegally obtained funds," the DoJ said. He faces a maximum penalty of 20 years in prison. In recent months, the DoJ has also prosecuted Robert Purbeck; Kiara Graham, Cortez Tarmar Crawford, and Trevon Demar Allen; and Charles O. Parks III in connection with extortion, SIM-swapping, and cryptojacking operations, respectively.

  • Washington State Sues T-Mobile Over 2021 Data Breach — The U.S. state of Washington has sued T-Mobile over allegations the phone giant failed to secure the personal data of more than 2 million state residents prior to an August 2021 data breach, which went on to affect more than 79 million customers across the country. The lawsuit asserted that "T-Mobile knew for years about certain cybersecurity vulnerabilities and did not do enough to address them" and that the company "misrepresented to consumers that the company prioritizes protecting the personal data it collects." The complaint noted that T-Mobile "used weak credentials" on accounts for accessing its internal systems and did not implement rate-limiting on login attempts, thus allowing the attackers to brute-force the credentials without locking the employee accounts in question. A year after the incident, T-Mobile agreed to pay $350 million to settle a class-action lawsuit. John Binns, an American citizen living in Turkey, took credit for the attack. He was subsequently arrested in May 2024 for his participation in the Snowflake extortion campaign.
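The complaint's point about missing rate limiting is the kind of control that is cheap to add. The following is an added example, not T-Mobile's code or anything from the complaint: a per-account sliding-window throttle that locks an account after repeated failures inside the window, with an injectable clock so the behaviour can be tested without waiting. Names (`LoginThrottle`, `attempt_login`) and all thresholds are assumptions chosen for the demo.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Per-account sliding-window failure counter with a temporary lockout.

    Assumed defaults: 5 failures within 5 minutes lock the account for 15 minutes.
    Pair this with a per-source-IP limit in practice, so that lockouts alone
    cannot be abused to deny service to legitimate users.
    """

    def __init__(self, max_failures=5, window_seconds=300,
                 lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock
        self._failures = defaultdict(deque)  # account -> timestamps of recent failures
        self._locked_until = {}              # account -> clock value when lock expires

    def _prune(self, account, now):
        recent = self._failures[account]
        while recent and now - recent[0] > self.window:
            recent.popleft()

    def is_locked(self, account) -> bool:
        now = self.clock()
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:                     # lock expired: reset the account's history
            del self._locked_until[account]
            self._failures[account].clear()
            return False
        return True

    def record_failure(self, account):
        now = self.clock()
        self._prune(account, now)
        self._failures[account].append(now)
        if len(self._failures[account]) >= self.max_failures:
            self._locked_until[account] = now + self.lockout

    def record_success(self, account):
        self._failures.pop(account, None)


def attempt_login(throttle, store, account, password):
    """Return 'locked', 'ok' or 'denied'. `store` is a constructed account->password
    map for the demo; a real system compares against a salted password hash."""
    if throttle.is_locked(account):
        return "locked"                      # rejected before any credential check
    if store.get(account) == password:
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account)
    return "denied"
```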

  • Telegram Complies With More User Data Requests Following CEO Arrest — Telegram has been increasingly sharing user data at the request of law enforcement authorities following the arrest of its CEO Pavel Durov last year, according to information compiled from its periodic transparency reports. India, Germany, the U.S., France, Brazil, South Korea, Belgium, Spain, Poland, and Italy were the top 10 countries by number of requests. Days after his arrest, Telegram promised to make significant improvements in an effort to tackle criticisms about the lack of oversight and the abuse of the platform for illicit activities. It also pledged to provide the IP addresses and phone numbers of users who violate rules in response to valid legal requests. Despite the policy changes, Telegram continues to be a major hub for cybercriminals to carry out their operations due to its "established" user base and functionality. "While Signal, Discord, and other alternative platforms are used by cybercriminals, it doesn’t appear they will fully replace Telegram in the future, and rather serve as additional methods for threat actors to perform malicious activities," KELA said last month.

  • MLOps Platforms Could Become a New Attack Target — As companies rush to leverage artificial intelligence (AI) applications, MLOps platforms used to develop, train, deploy and monitor such applications could be targeted by attackers, allowing them to not only gain unauthorized access, but also impact the confidentiality, integrity and availability of the machine learning (ML) models and the data they provide. Such actions could permit an adversary to perform a model extraction attack, poison or access training data, and bypass AI-based classification systems. "The increased usage of MLOps platforms to create, manage and deploy ML models will cause attackers to view these platforms as attractive targets," IBM X-Force said. "As such, properly securing these MLOps platforms and understanding how an attacker could abuse them to conduct attacks such as data poisoning, data extraction and model extraction is critical."

  • Popular Windows Applications Vulnerable to WorstFit Attack — Several Windows-based applications such as curl.exe, excel.exe, openssl.exe, plink.exe, tar.exe, and wget.exe have been found susceptible to a brand-new attack surface called WorstFit, which exploits a character conversion feature built into Windows called Best-Fit. Taiwanese cybersecurity company DEVCORE said the Best-Fit conversion is designed to handle situations where the operating system needs to convert characters from UTF-16 to ANSI, but the equivalent character doesn't exist in the target code page. That said, this "unexpected character transformation" could be harnessed to achieve path traversal and remote code execution via techniques such as filename smuggling, argument splitting, and environment variable confusion. "As for how to mitigate such attacks, unfortunately, since this is an operating system-level problem, similar issues will continue to reappear – until Microsoft chooses to enable UTF-8 by default in all of their Windows editions," researchers Orange Tsai and Splitline Huang said. In the meantime, developers are recommended to phase out ANSI and switch to the Wide Character API.
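As an added defensive illustration (not DEVCORE's research code), the check below flags non-ASCII characters in a string that would collapse into shell- or path-sensitive ASCII bytes when narrowed to an ANSI code page. It approximates Windows Best-Fit with Unicode NFKC compatibility folding, an assumption that covers the fullwidth forms (U+FF01 to U+FF5E) and the ideographic space but not every per-code-page mapping (for example the yen sign to backslash mapping in code page 932), so it is a screening aid for code that still passes narrow strings, not a substitute for the Wide Character API the researchers recommend.

```python
import unicodedata

# ASCII bytes whose appearance changes how a command line or path is interpreted.
SENSITIVE = set(' "\\/&|<>')


def best_fit_guess(text: str) -> str:
    """Approximate Windows Best-Fit narrowing with NFKC compatibility folding.

    Assumption: NFKC reproduces the fullwidth-to-ASCII part of the Best-Fit
    tables; code-page-specific entries outside that range are not modelled.
    """
    return unicodedata.normalize("NFKC", text)


def best_fit_risks(text: str):
    """Return (index, original char, folded ASCII char) for every non-ASCII
    character that would narrow to a sensitive ASCII byte."""
    risks = []
    for i, ch in enumerate(text):
        if ord(ch) < 128:
            continue                      # already ASCII: no conversion surprise
        folded = best_fit_guess(ch)
        if len(folded) == 1 and folded in SENSITIVE:
            risks.append((i, ch, folded))
    return risks


def argv_is_safe_for_ansi(args):
    """True when no argument would gain a quote, space, slash or redirect
    character through narrowing (the 'argument splitting' case)."""
    return all(not best_fit_risks(arg) for arg in args)


if __name__ == "__main__":
    # Constructed samples: a fullwidth quotation mark and a fullwidth solidus.
    for sample in ["file\uff02.txt", "..\uff0fetc", "plain ascii.txt"]:
        print(repr(sample), "->", best_fit_risks(sample))
```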


🎥 Expert Webinar

  1. Future-Ready Trust: Manage Certificates Like Never Before — Managing digital trust shouldn’t feel impossible. Join us to discover how DigiCert ONE transforms certificate management—streamlining trust operations, ensuring compliance, and future-proofing your digital strategy. Don’t let outdated systems hold you back. Reserve your spot today and see the future of trust management in action!

  2. AI in Cybersecurity—Game-Changer or Hype? — Is AI the future of cybersecurity or just another buzzword? Find out as 200 industry experts share real-world insights on AI-driven vulnerability management and how it can strengthen your defenses. Cut through the noise and gain strategies you can use right now. Secure your spot today.


🔧 Cybersecurity Tools

  • MLOKit — It’s an MLOps attack toolkit that leverages REST API vulnerabilities to simulate real-world attacks on MLOps platforms. From reconnaissance to data and model extraction, this modular toolkit is built for adaptability—empowering security pros to stay ahead.

  • HackSynth — It's an AI-powered agent designed for autonomous penetration testing. With its Planner and Summarizer modules, HackSynth generates commands, processes feedback, and iterates efficiently. Tested on 200 diverse challenges from PicoCTF and OverTheWire.


🔒 Tip of the Week


Know Your Browser Extensions — Your browser is the heart of your online activity—and a prime target for cyber threats. Malicious extensions can steal sensitive data, while sneaky DOM manipulations exploit vulnerabilities to run harmful code in the background. These threats often go unnoticed until it’s too late. So, how do you stay protected? Tools like CRXaminer and DOMspy make it simple. CRXaminer scans Chrome extensions to uncover risky permissions or dangerous code before you install them. DOMspy helps you spot hidden threats by monitoring your browser’s behavior in real-time, and flagging suspicious activities like DOM clobbering or prototype pollution. Stay safe by reviewing your extensions regularly, only granting permissions when absolutely necessary, and keeping your browser and tools up to date.


Conclusion


Every click, download, and login contributes to your digital footprint, shaping how secure or vulnerable you are online. While the risks may feel overwhelming, staying informed and taking proactive steps are your best defenses.


As you finish this newsletter, take a moment to assess your online habits. A few simple actions today can save you from significant trouble tomorrow. Stay ahead, stay secure.


