Cyber Security Weekly Briefing, 25 - 31 January

January 31, 2025

Apple fixes multiple vulnerabilities, including one actively exploited 0-day

Apple has released security updates to fix several vulnerabilities in visionOS, iOS, iPadOS, macOS (Sequoia, Sonoma, Ventura), watchOS, tvOS and Safari. Among the fixed flaws is a 0-day, identified as CVE-2025-24085, that has been actively exploited in targeted attacks. The flaw, located in the Core Media framework, allows a malicious application to escalate its privileges.

According to Apple, versions prior to iOS 17.2 are the most affected. The vulnerability has been mitigated through memory management improvements in iOS 18.3, iPadOS 18.3, macOS Sequoia 15.3, watchOS 11.3, visionOS 2.3 and tvOS 18.3. Impacted devices include iPhone XS and later, several generations of iPad, Apple Watch Series 6 and newer models, as well as Apple TV.

Apple recommends installing the updates as soon as possible to reduce potential risks.


WAF bypass and API failures lead to full administrative access

Critical flaws detected in one organization gave researchers access to 3,000 subsidiary companies. Exploiting API flaws exposed sensitive employee and customer data. The researchers first attempted a traversal technique but were initially blocked by a Web Application Firewall (WAF).

However, a production domain allowed them to bypass it. Through fuzzing, they then identified a critical endpoint linked to payment microservices and extracted PII and financial data. They also gained access to an administrative panel through user enumeration and brute force, bypassing KYC checks and enabling identity theft.

In addition, a flaw in request normalization allowed them to bypass backend authentication.


Malicious TorNet distribution campaign identified

Cisco Talos has identified a campaign active since mid-2024 that is financially motivated and aimed at deploying the TorNet backdoor. The attacks primarily target users in Poland and Germany via phishing emails with malicious attachments pretending to be logistical or financial communications, employing the PureCrypter malware as the delivery mechanism.

Once executed, PureCrypter decrypts TorNet and loads it directly into memory, evading traditional detection systems, and drops additional payloads such as Agent Tesla and Snake Keylogger. The attackers also disconnect the victim's machine from the network while the payload is being deployed.

TorNet connects to its C2 servers over the TOR network, while PureCrypter modifies system settings, creates scheduled tasks and adapts its behaviour to the device's power constraints.


Rockwell Automation fixes bugs in some of its products

Rockwell Automation issued security advisories on six critical and major flaws in its FactoryTalk and DataMosaix products. In FactoryTalk, it fixed bugs in View Machine Edition and View Site Edition, some of them remotely exploitable for command execution. These include CVE-2025-24480 (CVSSv3 9.8 according to the vendor), which stems from a lack of input sanitization and could allow a remote attacker to execute commands or code with high privileges.

DataMosaix Private Cloud had a critical flaw in SQLite (CVE-2020-11656, CVSSv3 9.8) and a path traversal that exposed sensitive information (CVE-2025-0659). A DoS vulnerability in KEPServer, discovered in Pwn2Own 2023, was also fixed. The vendor states that there is no evidence of exploitation, but urges patching due to the risk in industrial systems.

In addition, CISA has issued recommendations for some of these vulnerabilities.


Lazarus Group uses management dashboard to monitor global cyberattacks

SecurityScorecard researchers have observed that Lazarus Group is reportedly using a web-based administrative platform to centrally monitor its command and control (C2) infrastructure and all aspects of its campaigns.

Each C2 server hosted a platform built from a React application and a Node.js API. Together these form an end-to-end system that allows the group to organize and manage exfiltrated data, keep monitoring compromised hosts and handle payload delivery.

The finding has come in connection with a supply chain attack campaign dubbed Operation Phantom Circuit targeting the cryptocurrency sector and developers around the world with Trojanized versions of legitimate software packages harboring backdoors.

The campaign, active between September 2024 and January 2025, had 1,639 victims in total, mostly in Brazil, France and India. The platform is suspected to have been used in all campaigns of the "IT Worker" threat.
