Cyber Security Weekly Briefing, 11-17 January
Microsoft patches more than 150 vulnerabilities, including three actively exploited 0-days
As part of the January Patch Tuesday, Microsoft has released updates patching 159 vulnerabilities, of which 12 are rated critical, 8 are considered 0-days and 3 have been actively exploited in attacks.
Specifically, CVE-2025-21333, CVE-2025-21334 and CVE-2025-21335 (each CVSSv3 7.8 according to Microsoft) are the three elevation of privilege flaws used in attacks; all three affect the Windows Hyper-V NT Kernel Integration VSP. Microsoft has not provided further details about how the three 0-days were exploited.
This Patch Tuesday also patched a number of security feature bypass, RCE, information disclosure, DoS and spoofing flaws. Separately, Citrix has released a security bulletin warning that some of the new Windows updates may fail if Citrix Session Recording Agent (SRA) version 2411 is installed on the device; Citrix has offered a temporary mitigation while it resolves the problem.
SAP Addresses Critical Vulnerabilities in NetWeaver and Other Platforms During January Patch Day
SAP has published 14 security notes as part of its January 2025 Patch Day, highlighting two critical vulnerabilities in NetWeaver AS for ABAP and ABAP Platform (CVE-2025-0070 and CVE-2025-0066), both with a CVSSv3 score of 9.9 according to the vendor. CVE-2025-0070 is an improper authentication flaw that could allow attackers to steal credentials via internal RFC communication, compromising confidentiality, integrity, and availability.
CVE-2025-0066, meanwhile, exposes decrypted credentials in plaintext, making attacks easier to execute. SAP also addressed a high-severity SQL injection vulnerability in NetWeaver (CVE-2025-0063, CVSSv3 score of 8.8), which could allow access to the Informix database. Severe bugs in BusinessObjects and a DLL hijacking issue in SAPSetup were also resolved.
The remaining fixes cover medium- and low-severity vulnerabilities in Business Workflow, NetWeaver, and other platforms. While there is no evidence of active exploitation, SAP strongly recommends applying the patches promptly.
Data of More Than 15,000 FortiGate Devices Leaked on the Dark Web
A new hacking group, known as Belsen Group, has leaked sensitive information from over 15,000 FortiGate devices, including configuration files, IP addresses, and VPN credentials, onto the dark web. The 1.6 GB data dump is organized by country and reveals details such as passwords (some in plain text), private keys, and firewall rules.
The group, which emerged this month, used the leak as its first public operation to gain notoriety, releasing the data on a prominent Tor site. According to security researcher Kevin Beaumont, the leaked information is linked to CVE-2022-40684 (CVSSv3 9.8), an authentication bypass that was exploited as a 0-day in attacks during 2022 before a patch was available. Beaumont confirmed that the passwords and configurations correspond to compromised devices and noted that the data was collected in October 2022.
Most of the affected devices were running FortiOS firmware versions between 7.0.0 and 7.2.2, even though 7.2.2 patched the vulnerability; it remains unclear how devices running the patched version were breached. Despite the time elapsed since the data was gathered, the leak still exposes critical details about the security defenses of the impacted networks, since configurations and credentials that were never rotated remain valid.
FBI forces PlugX malware to use self-delete command
The U.S. Department of Justice and the FBI have announced an international operation that removed the China-linked PlugX malware from 4,258 infected devices in the United States. The operation was conducted in cooperation with international partners, including the French police and the cybersecurity firm Sekoia.
The operation was made possible by the discovery that PlugX contains a native self-delete command that can be issued from the C2 server. PlugX, developed by the threat actor Mustang Panda, was used to infiltrate, control and steal information from a wide range of victims, including European and Asian governments, the U.S. government systems mentioned above, and European shipping companies.
Ransomware attacks through AWS buckets
Researchers from the Halcyon RISE team have warned that a threat actor called Codefinger has found a way to use a legitimate Amazon Web Services (AWS) feature to encrypt data in its victims' S3 buckets. AWS offers an encryption option called Server-Side Encryption with Customer-Provided Keys (SSE-C), which lets customers supply their own encryption keys to protect their data; AWS does not store the key, so only whoever holds it can decrypt the objects.
Codefinger abused this feature to encrypt victims' data and then demand a ransom for the decryption key. The attackers obtain victims' AWS credentials, typically through compromised networks or phishing, and use them to access S3 buckets and re-encrypt the objects with an AES-256 key that they generate and keep locally. They also mark the files for deletion in seven days, putting pressure on victims to pay the ransom.
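As an added example for defenders (not code from the briefing, from Halcyon, or from AWS), the script below does two things a practitioner would want after reading the item above: it scans S3 CloudTrail data-event records for object writes that used customer-provided keys and for bucket lifecycle changes, and it generates a bucket policy that denies SSE-C writes outright for buckets that never legitimately use them. The sample records are constructed, and the CloudTrail field names (requestParameters.x-amz-server-side-encryption-customer-algorithm, additionalEventData.SSEApplied), the lifecycle event names, and the s3:x-amz-server-side-encryption-customer-algorithm condition key are used as the author understands them from AWS documentation; confirm them against your own trail and the IAM condition key reference before deploying.

```python
"""Flag SSE-C object writes and lifecycle changes in S3 CloudTrail events.

Added example, not from the briefing. Field and event names are assumed
to match the CloudTrail S3 data-event format; verify against a real trail.
"""
import json

SSEC_ALGO_FIELD = "x-amz-server-side-encryption-customer-algorithm"
# Operations that (re)write object data; CopyObject can rewrite an
# existing object in place with new encryption parameters.
WRITE_EVENTS = {"PutObject", "CopyObject"}
# Event name for lifecycle rule changes (assumed; both spellings checked).
LIFECYCLE_EVENTS = {"PutBucketLifecycle", "PutBucketLifecycleConfiguration"}

# Constructed sample records, not real CloudTrail output.
SAMPLE_EVENTS = [
    {  # ordinary write covered by bucket-default SSE-S3: benign
        "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
        "sourceIPAddress": "10.0.0.5",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/app"},
        "requestParameters": {"bucketName": "finance-data", "key": "q1.csv"},
        "additionalEventData": {"SSEApplied": "SSE_S3"},
    },
    {  # rewrite of the same object with a customer-provided key: the
       # pattern described in the briefing, from an unusual source address
        "eventSource": "s3.amazonaws.com", "eventName": "CopyObject",
        "sourceIPAddress": "203.0.113.77",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/app"},
        "requestParameters": {"bucketName": "finance-data", "key": "q1.csv",
                              SSEC_ALGO_FIELD: "AES256"},
        "additionalEventData": {"SSEApplied": "SSE_C"},
    },
    {  # a read is not a write, so it is not flagged even with SSE-C headers
        "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
        "sourceIPAddress": "203.0.113.77",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/app"},
        "requestParameters": {"bucketName": "finance-data", "key": "q1.csv",
                              SSEC_ALGO_FIELD: "AES256"},
        "additionalEventData": {"SSEApplied": "SSE_C"},
    },
    {  # lifecycle rule added shortly afterwards: worth correlating
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketLifecycle",
        "sourceIPAddress": "203.0.113.77",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/app"},
        "requestParameters": {"bucketName": "finance-data"},
    },
]


def is_sse_c(event):
    """True if the request carried a customer-provided key (either signal)."""
    params = event.get("requestParameters") or {}
    extra = event.get("additionalEventData") or {}
    return SSEC_ALGO_FIELD in params or extra.get("SSEApplied") == "SSE_C"


def find_sse_c_writes(events):
    """Return one finding per object write that used SSE-C."""
    hits = []
    for ev in events:
        if ev.get("eventSource") != "s3.amazonaws.com":
            continue
        if ev.get("eventName") in WRITE_EVENTS and is_sse_c(ev):
            p = ev.get("requestParameters") or {}
            hits.append({
                "bucket": p.get("bucketName"), "key": p.get("key"),
                "actor": (ev.get("userIdentity") or {}).get("arn"),
                "source_ip": ev.get("sourceIPAddress"),
                "event": ev.get("eventName"),
            })
    return hits


def find_lifecycle_changes(events):
    """Return the buckets whose lifecycle rules were modified."""
    return sorted({(ev.get("requestParameters") or {}).get("bucketName")
                   for ev in events if ev.get("eventName") in LIFECYCLE_EVENTS})


def deny_sse_c_policy(bucket):
    """Bucket policy statement that rejects any write carrying SSE-C headers.

    The Null condition is false when the header is present, so the Deny
    matches exactly the requests that supply a customer key. CopyObject
    needs s3:PutObject on the destination, so it is covered as well.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyCustomerProvidedKeys",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"Null": {
                "s3:" + SSEC_ALGO_FIELD: "false"}},
        }],
    }


if __name__ == "__main__":
    for hit in find_sse_c_writes(SAMPLE_EVENTS):
        print("SSE-C write:", hit)
    print("lifecycle changed on:", find_lifecycle_changes(SAMPLE_EVENTS))
    print(json.dumps(deny_sse_c_policy("finance-data"), indent=2))
```

On a real account the event stream comes from CloudTrail S3 data events (which must be enabled per bucket or trail), and a single SSE-C write from a principal or address that has never used SSE-C before is the alert that matters; the policy is only appropriate where no workload legitimately relies on customer-provided keys.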