For the latest discoveries in cyber research for the week of January 6, download our Threat Intelligence Bulletin.
Main attacks and breaches
The International Civil Aviation Organization (ICAO), part of the United Nations, has confirmed that its recruitment database was compromised and that 42,000 recruitment applications have been exposed. The data covers records from April 2016 to July 2024 and includes recruitment-related information such as names, email addresses, dates of birth, and employment history.

Argentina’s Airport Security Police (PSA) was compromised by a threat actor who gained access to its payroll system. The attack came through a vulnerability in the system of Banco Nación, which processes PSA’s payroll. The attackers obtained personal and financial data of government employees and civilians.

Slovakia’s Geodetic, Mapping and Land Registration Authority (UGKK) has been compromised, affecting the availability of its land ownership databases. Media outlets have reported that UGKK fell victim to an undisclosed ransomware group.

Spanish telecommunications company Telefónica has been targeted by Hellcat ransomware. The attackers gained access to Telefónica’s ticketing system and extracted 2.3 GB of documents, ticket data, and internal files. The database was leaked on a hacking forum.

The Everest ransomware group compromised a popular cannabis vendor, STIIIZY, through a third-party POS processing service. The breach occurred between October 10, 2024 and November 10, 2024, and the personal data and identity documents of 422,075 customers were extracted.

BayMark Health Services was compromised by the RansomHub ransomware group, which exposed 1.5 TB of data. The attack occurred between September 24, 2024 and October 14, 2024, and gave the attackers access to personally identifiable information such as social security numbers, dates of birth, insurance information, and other details.
Check Point Harmony Endpoint provides protection against this threat (Ransomware.Win.RansomHub; Ransomware.Wins.RansomHub.ta.*).
A Russian Internet Service Provider (ISP) named Nodex has been taken down by the Ukrainian hacktivist group Ukraine Cyber Alliance. The attack destroyed the company’s network, reducing global traffic from Nodex’s autonomous system AS29329 to zero.

The Green Bay Packers’ official online store suffered a security breach that resulted in the theft of payment card information from more than 8,500 customers. Attackers injected malicious code into checkout pages between September and October 2024 to capture personal information and payment details. Gift card, PayPal, and Amazon Pay payments were not affected.
Vulnerabilities and patches
Mozilla has released version 134 of its Firefox browser, addressing 11 security vulnerabilities. Three of the patched vulnerabilities, CVE-2025-0242, CVE-2025-0244, and CVE-2025-0247, are rated high severity because they allow memory corruption and address bar spoofing.

SonicWall has published an advisory addressing the high-severity authentication bypass vulnerability CVE-2024-53704, along with three other moderate-severity vulnerabilities. The company is emailing customers urging them to update their firmware, as the vulnerability is likely to be exploited.

MediaTek has issued advisories addressing 13 security vulnerabilities affecting its products. Among them is the critical vulnerability CVE-2024-20154, which could allow remote code execution via an out-of-bounds write.
Threat intelligence report
Check Point Research has discovered Banshee, a macOS infostealer that mimics Apple’s XProtect antivirus engine to evade detection. Operating as Stealer-as-a-Service, Banshee is distributed via phishing websites and malicious GitHub repositories and targets macOS users to steal browser credentials, cryptocurrency wallets, and sensitive file data. Attackers continue to distribute the infostealer even though the operation was halted following the leak of its source code.

Check Point Research analyzed the FunkSec ransomware group, which emerged in late 2024 and claimed more than 85 victims in December, outpacing other ransomware groups during the same period. FunkSec appears to use AI-assisted malware development, allowing even inexperienced attackers to quickly create and refine sophisticated tools. The group’s activities blur the line between hacktivism and cybercrime: some leaked datasets were reused from past hacktivist campaigns, raising questions about the authenticity of its disclosures.
Check Point Harmony Endpoint provides protection against this threat (Ransomware.Wins.Funksec.A).
Check Point identified a phishing campaign targeting 7,300 businesses and 40,000 individuals worldwide, the majority of them in the United States. The campaign uses a compromised account belonging to the travel agency Riya to deliver malware and collect credentials.

Researchers have identified a China-linked espionage group exploiting a newly disclosed vulnerability, CVE-2025-0282, in Ivanti’s Connect Secure VPN appliance. Mandiant first observed exploitation in mid-December, involving malware families such as SPAWN that were previously associated with Chinese threat actors such as UNC5221. Because this vulnerability is being actively exploited, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) requires federal agencies to remediate it by January 15, 2025.