This week
- AI misinformation can stem from minor source changes (Interesting Reads)
- Chrome Web Store index shared across languages (Interesting Reads)
- Ivanti zero-day vulnerability (This Week)
- US DoD lists Tencent as ‘Chinese military company’ (Policy & Regulation)
- Treasury foreign investment committee targeted (This Week)
Ivanti zero-day exploitation; UK domain registry amongst those affected
- Ivanti says actors are actively exploiting vulnerabilities in its Connect Secure, Policy Secure and ZTA Gateway products. These devices typically sit at the edge of an organisation's network and are an attractive target for gaining unauthorised access. NCSC is encouraging organisations to "take immediate action".
- CVE-2025-0282 (9.0/10) and CVE-2025-0283 (7.0/10) are stack-based buffer overflow vulnerabilities. Google's Mandiant says a Chinese group it tracks as UNC5337 is exploiting CVE-2025-0282 to deploy the Dryhook and Phasejam malware on compromised devices. Ivanti recommends running its Integrity Checker Tool (ICT) against affected appliances to detect compromise before patching.
- The UK's domain name registry, Nominet, which also delivers NCSC's Protective Domain Name System for government bodies, confirmed an "unauthorised intrusion" via its Ivanti VPN solution.
- LINK, ADVISORY, NCSC, MANDIANT, NOMINET
US Treasury breach targeted foreign investment committee
- CISA says there is “no indication” that a December breach of US Treasury systems affected other federal agencies.
- The target within the Treasury Department is reportedly the Committee on Foreign Investment in the United States (CFIUS), which approves or denies business takeovers and real estate transactions near military bases on national security grounds.
- LINK, CFIUS
Three telcos named as victims in the Salt Typhoon campaign
- Charter, Consolidated Communications, and Windstream have been added to the list of telcos caught up in the Salt Typhoon campaign.
- Previous reporting focussed on AT&T, Verizon, and Lumen Technologies. The China-affiliated threat group targeted wiretap systems for espionage purposes.
- The FCC boss has called for a wireless spectrum auction to fund the shortfall in the US rip and replace programme for Chinese telco equipment. (Selling spectrum to telcos to give them the money back specifically for replacing equipment seems a little circular.)
- LINK, FCC, Salt Typhoon
Interesting stats
$494 million worth of cryptocurrency stolen from 300,000 wallets in wallet drainer attacks in 2024, according to Scam Sniffer. LINK
$9.5 billion was invested in cyber startups in 2024, +9% from 2023, according to Pinpoint Search Group, though the number of transactions fell, to 304 funding rounds (-42) and 79 mergers and acquisitions (-12). LINK
Other newsy bits / in brief
🤓 Interesting reads:
- Poisoning The Pile: replacing just 0.001% of the training data with misinformation is enough to make a medical AI model less accurate and have it spit out medical misinformation. LINK
- Google’s Chrome Web Store shares a search index across all languages, and scammers are loading up less popular languages with keywords to promote their extensions to target audiences. LINK
⚠️ Incidents:
- The International Civil Aviation Organisation (ICAO) has confirmed a cyber security incident. ICAO is a United Nations agency responsible for international aviation standards. A forum post earlier this month claimed to have stolen over 40,000 documents. ICAO says the claims made by ‘Natohub’ are accurate and that the documents are recruitment records ranging from August 2016 to July 2024. LINK
- Nodex, a Russian ISP, says its infrastructure was “destroyed” in a “planned” attack. The Ukraine Cyber Alliance claimed responsibility for the attack, saying on Telegram that “the empty equipment without backups was left to them”. LINK
- Medical billing provider Medusind, which works with 6,000 US healthcare providers, is sending breach notifications to 360,000 people. The incident exposed health, insurance, payment, and government ID data. LINK
- A Slovak official says there are "strong indications" that an attack against the country's land registry originated in Ukraine. A deal to transit Russian gas into Europe via Ukraine and Slovakia ended on 1st January, with Slovakia accusing Kyiv of economic "sabotage" over the transit fees it will no longer receive. It seems a bit odd that Ukraine would target an EU member's land registry, though; presumably, the attack was via a proxy to make it appear to originate from Ukraine and stir up tension. LINK
- Holiday purchases of 8,514 Cheeseheads were compromised in a breach of the checkout pages of the Green Bay Packers Pro Shop website. LINK
- Proton, the company behind privacy-centric Proton Mail, suffered an outage this week caused by a Kubernetes migration. LINK
- Cybercriminals have reportedly gained access to payroll data of Argentina’s airport security police. LINK
🕵️ Threat Intel:
- Lapsed or abandoned command and control (C&C) domains present an opportunity to hijack infected machines, says new research from watchTowr. LINK
- Check Point says that a new ransomware group called FunkSec is a group of technically inexperienced individuals potentially using AI to generate their malware. LINK
- A fake LDAPNightmare proof of concept on GitHub infects users with infostealer malware. LINK
🪲 Vulnerabilities:
- SonicWall has patched vulnerabilities in its SonicOS SSL VPN and SSH management interfaces, including an authentication bypass in the SSL VPN, CVE-2024-53704 (8.2/10). LINK, ADVISORY
- Mitel says there is a zero-day being exploited in its MiCollab solution. CVE-2024-41713 (9.8/10) is a path traversal issue. LINK, ADVISORY
- MediaTek is warning of a ‘critical’ remote code execution vulnerability amongst a slew affecting 51 of its chips used in a variety of networking, IoT, and other devices like Chromebooks. CVE-2024-20154 (unscored) was notified to device manufacturers two months ago to give time for updates to be rolled out. LINK, ADVISORY
🧑‍💻 End user and consumer:
- Date for your diary: Windows 10 reaches 'end of support' on 14th October 2025. Windows 10 installs are roughly double those of Windows 11, despite the latter being released over three years ago, in part because its additional hardware requirements make upgrading difficult or impossible on older machines. If you're still running Win 10 in a business context, your IT team needs to take a look at your options or consider paying for Microsoft's Extended Security Updates (ESU) programme. LINK, WIN10
- US taxpayers are being urged to enrol in the IRS’ Identity Protection Personal Identification Number (IP PIN) for added fraud protection. A new PIN is assigned each year, preventing scammers from filing a fraudulent return using a known Social Security Number and personal data. LINK
🧰 Guidance and tools:
- CISA's guidance on corporate cyber governance: empowering CISOs, ensuring senior executives are educated on cyber, and determining and measuring exposure to cyber risk are among the things that board directors should be prioritising. LINK
🏭 Operational technology:
- The US is set to launch its labelling programme for IoT devices in 2025. The US Cyber Trust Mark is intended as a form of 'security nutrition label' to allow consumers to make more informed buying decisions, and certification guarantees certain secure defaults. LINK
🧿 Privacy:
- Matt Brown has been researching automatic number plate recognition devices and found a load of publicly accessible video and binary data feeds for readers across the US. VIDEO
- Google will face trial in a class action suit alleging the ad giant misappropriated data and misled users who opted out of tracking via Google’s Web & App Activity settings. While search data wasn’t tracked, user actions collected through Google Analytics were; Google says its collection was lawful. However, the judge says the firm’s disclosures are “ambiguous” and that the settings could reasonably be expected to cover all of Google’s services. LINK
📜 Policy & Regulation:
- The US has designated Chinese company Tencent as a “Chinese military company”. The addition to the ‘Section 1260’ list prohibits the Department of Defense from working with the company; there’s no other impact on civilian agencies, and it’s not an outright ban. Tencent is a huge tech and gaming company, and its WeChat messaging app is one of its most widely known products. LINK
👮 Law Enforcement:
- Three Russian nationals have been indicted, two of whom were arrested in December, for allegedly running two cryptocurrency mixers. Roman Vitalyevich Ostapenko, Alexander Evgenievich Oleynik, and Anton Vyachlavovich Tarasov allegedly ran the Blender[.]io and Sinbad[.]io services, which US authorities say were advertised to cybercriminals and used by North Korea to launder cryptocurrency. LINK
💰 Investments, mergers and acquisitions:
- Quorum Cyber has acquired US-based incident response provider Kivu Consulting as part of North American expansion plans. Terms of the deal were not disclosed. LINK
🗞️ Industry news:
- Regional cyber security skills are the focus of 30 projects in England and Northern Ireland set to receive a share of £1.9 million funding. LINK
And finally
- The EU General Court has ordered the European Commission to pay its first-ever GDPR penalty. The €400 award is the result of a claim by a German citizen that their rights were violated when they registered for a European Commission conference using the "Sign in with Facebook" option, which resulted in their IP address and browser information being transferred to the United States. LINK
- And a new tongue twister about a hacking duck? Quincy the Quirky Quacker… LINK