Weekly Security News – 20th January 2025

Microsoft releases security patches, Fortinet under attack, Google Ads users targeted for credential theft and GoDaddy sued in the US...

Welcome to this week’s Security News. We’ve collated the best articles from around the internet and put them all into one place. If you have any queries or concerns about anything in this week’s news, then please get in touch with our team who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly.

Vulnerabilities and Patches

Microsoft Releases January 2025 Security Updates

Microsoft has released security updates to address 159 vulnerabilities in Microsoft products. Six vulnerabilities are outlined below: three are rated critical severity and three are under active exploitation.

  • CVE-2025-21298 – Windows OLE Remote Code Execution Vulnerability with a CVSSv3 score of 9.8. Successful exploitation would allow a remote, unauthenticated attacker to perform remote code execution (RCE).
  • CVE-2025-21307 – Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability with a CVSSv3 score of 9.8. Successful exploitation would allow a remote, unauthenticated attacker to perform RCE.
  • CVE-2025-21311 – Windows NTLM V1 Elevation of Privilege Vulnerability with a CVSSv3 score of 9.8. Successful exploitation would allow a remote unauthenticated attacker to escalate privileges.
  • CVE-2025-21333 – Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability with a CVSSv3 score of 7.8. Successful exploitation would allow an attacker to gain SYSTEM privileges. This vulnerability is under active exploitation.
  • CVE-2025-21334 – Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability with a CVSSv3 score of 7.8. Successful exploitation would allow an attacker to gain SYSTEM privileges. This vulnerability is under active exploitation.
  • CVE-2025-21335 – Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability with a CVSSv3 score of 7.8. Successful exploitation would allow an attacker to gain SYSTEM privileges. This vulnerability is under active exploitation.

Affected organisations are encouraged to review Microsoft’s January 2025 Security Updates and apply the relevant updates as soon as practicable.

Active Exploitation of Zero-Day Vulnerability CVE-2024-55591 in FortiOS and FortiProxy

Fortinet has released a security advisory to address a critical vulnerability in FortiOS and FortiProxy. FortiOS is the operating system for Fortinet products, including Fortinet SSL VPNs and ‘Next-Gen’ Firewalls (NGFW); FortiProxy is a secure web gateway that includes advanced filtering and inspection. CVE-2024-55591 is an ‘authentication bypass’ vulnerability with a CVSSv3 score of 9.6. A remote, unauthenticated attacker could send crafted requests to the Node.js websocket module to gain super-admin privileges. Fortinet has advised that CVE-2024-55591 has been observed being exploited in the wild. Fortinet products are often internet-facing and have been frequently targeted by attackers within days of disclosure. The NHS England National CSOC assesses further exploitation as highly likely. The following platforms are known to be affected:

  • Fortinet FortiOS 7.0.0 to 7.0.16
  • Fortinet FortiProxy 7.0.0 to 7.0.19 and 7.2.0 to 7.2.12

Affected organisations must review Fortinet PSIRT Advisory FG-IR-24-535 and apply the relevant security updates as soon as practicable. In addition to the mandatory security update, NHS England National CSOC highly recommends organisations perform a compromise assessment using the indicators of compromise (IoCs) provided in Fortinet’s advisory. If malicious activity is found, organisations must contact the National CSOC as a matter of urgency on 0300 303 5222 or by emailing cybersecurity@nhs.net.
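The compromise assessment the advisory calls for usually starts with the firewall’s own event logs. The Python script below is an added example, not Fortinet’s tooling and not code from the advisory or this page. It parses FortiOS key=value event log lines and flags the activity pattern associated with this vulnerability: successful administrator logins through the web CLI console (ui="jsconsole") from spoofed or loopback source addresses, and administrator accounts added through that console. The sample log lines are constructed, and the list of spoofed source addresses is an assumption based on the published advisory; take the authoritative IoCs from FG-IR-24-535 itself before running anything like this against real logs.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Optional, Tuple

# FortiOS event logs are space-separated key=value pairs; values may be quoted.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortios_log(line: str) -> Dict[str, str]:
    """Parse one FortiOS key=value log line into a dict (quotes stripped)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


# Placeholder source addresses seen in the jsconsole logins that FG-IR-24-535
# lists as indicators. ASSUMPTION: illustrative only; copy the current list
# from the advisory before using this for a real assessment.
SPOOFED_SRCIPS = {"1.1.1.1", "2.2.2.2", "8.8.8.8", "8.8.4.4", "127.0.0.1"}


def _is_loopback(ip: str) -> bool:
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def classify(ev: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for an event worth a look, else None."""
    via_jsconsole = ev.get("ui") == "jsconsole" or ev.get("method") == "jsconsole"
    src = ev.get("srcip", "")
    if ev.get("action") == "login" and ev.get("status") == "success":
        if not via_jsconsole:
            return None  # ordinary GUI/SSH admin login: outside this rule's scope
        if src in SPOOFED_SRCIPS or _is_loopback(src) or src == ev.get("dstip"):
            return ("high", f"jsconsole admin login from spoofed/loopback srcip {src}")
        return ("review", f"jsconsole login for {ev.get('user')} from {src}; "
                          "confirm an administrator really used the web CLI")
    if via_jsconsole and ev.get("action") == "Add" and ev.get("cfgpath") == "system.admin":
        return ("high", f"admin account {ev.get('cfgobj')!r} created via jsconsole by {ev.get('user')}")
    return None


def triage(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Run classify() over raw log lines; returns (severity, reason, user) per hit."""
    findings = []
    for line in lines:
        ev = parse_fortios_log(line)
        hit = classify(ev)
        if hit:
            findings.append((hit[0], hit[1], ev.get("user", "?")))
    return findings


# Constructed sample lines in FortiOS event-log shape (not real device output).
SAMPLE_LOGS = [
    # ordinary GUI login from an admin workstation: not flagged
    'date=2025-01-14 time=09:12:01 type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="https(10.0.0.5)" method="https" srcip=10.0.0.5 dstip=10.0.0.1 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from https(10.0.0.5)"',
    # jsconsole login with placeholder srcip/dstip: the pattern the advisory describes
    'date=2025-01-14 time=09:14:33 type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="jsconsole" method="jsconsole" srcip=1.1.1.1 dstip=1.1.1.1 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from jsconsole"',
    # jsconsole login from loopback
    'date=2025-01-14 time=09:14:40 type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="jsconsole" method="jsconsole" srcip=127.0.0.1 dstip=10.0.0.1 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from jsconsole"',
    # jsconsole login from a real admin address: needs a human to confirm
    'date=2025-01-14 time=09:20:05 type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="jsconsole" method="jsconsole" srcip=10.0.0.5 dstip=10.0.0.1 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from jsconsole"',
    # failed jsconsole login: not a successful login, so this rule ignores it
    'date=2025-01-14 time=09:21:00 type="event" subtype="system" level="warning" vd="root" logdesc="Admin login failed" user="admin" ui="jsconsole" method="jsconsole" srcip=1.1.1.1 dstip=1.1.1.1 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from jsconsole"',
    # admin account created through jsconsole
    'date=2025-01-14 time=09:22:10 type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="jsconsole" action="Add" cfgtid=1 cfgpath="system.admin" cfgobj="hjkloop" cfgattr="" msg="Add system.admin hjkloop"',
]

if __name__ == "__main__":
    for severity, reason, user in triage(SAMPLE_LOGS):
        print(f"[{severity}] user={user}: {reason}")
```

Feed it the output of `execute log filter` / exported event logs, or the same lines as forwarded to a syslog collector. A “review” finding is not proof of compromise; legitimate administrators using the GUI’s CLI widget also produce jsconsole logins, which is why the rule only rates loopback and placeholder sources as high and leaves the rest for an analyst.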

Cyber Attacks

Google Ads Users Targeted in Malvertising Scam Stealing Credentials and 2FA Codes

Cybersecurity researchers have warned of a new malvertising campaign that targets individuals and businesses advertising via Google Ads by attempting to phish for their credentials through fraudulent ads on Google. “The scheme consists of stealing as many advertiser accounts as possible by impersonating Google Ads and redirecting victims to fake login pages,” said Jérôme Segura, senior director of threat intelligence at Malwarebytes. It’s suspected the end goal of the campaign is to reuse the stolen credentials to further perpetuate the campaigns, while also selling them to other criminal actors on underground forums. Based on posts shared on Reddit, Bluesky, and Google’s own support forums, the threat has been active since at least mid-November 2024. The activity cluster resembles campaigns that use stealer malware to steal data related to Facebook advertising and business accounts, hijack them, and use the accounts to push out malvertising campaigns that further propagate the malware. The newly identified campaign specifically singles out users who search for Google Ads on Google’s own search engine, serving bogus ads for Google Ads that, when clicked, redirect users to fraudulent sites hosted on Google Sites. These sites then serve as landing pages that lead the visitors to external phishing sites designed to capture their credentials and two-factor authentication (2FA) codes via a WebSocket and exfiltrate them to a remote server under the attacker’s control. “The fake ads for Google Ads come from a variety of individuals and businesses (including a regional airport), in various locations,” Segura said. “Some of those accounts already had hundreds of other legitimate ads running.”

New Hacking Group Leaks Configuration of 15,000 Fortinet Firewalls

A new threat actor has leaked configuration files and virtual private network (VPN) information for 15,000 firewall devices provided by security vendor Fortinet. On 15th January, Kevin Beaumont, an independent security researcher, revealed on Mastodon that sensitive information from the FortiGate devices had been made available for free on the dark web. Beaumont said a new hacking group dubbed ‘Belsen Group’ was responsible for the leak. Security provider CloudSEK confirmed Beaumont’s findings in a new report published on 16th January. The firm said the data dump included FortiGate usernames, passwords (some in plain text), device management digital certificates and firewall rules. Beaumont and CloudSEK researcher Koushik Pal said most exposed devices run FortiGate 7.0.x and 7.2.x versions. Belsen Group, which first appeared on social media and cybercrime forums in January 2025, has leaked the data on a Tor website. A CloudSEK spokesperson told Infosecurity that the threat group has likely been around for a couple of years and that the exploitation campaign probably occurred in 2022. “Belsen Group may seem new to the forums, but based on the data leaked by them, we can ascertain with high confidence that they’ve been around for at least three years now. They were likely part of a threat group that exploited a zero-day in 2022, although direct affiliations have not been established yet,” CloudSEK noted in its report. Beaumont came to the same conclusions in a blog post he published on 16th January. “The data appears to have been assembled in October 2022, as a zero-day vulnerability. For some reason, the data dump of config has been released today, just over two years later,” Beaumont said.

In Other News...

Cisco Unveils New AI Application Security Solution

Cisco this week unveiled AI Defense, a new solution designed to help enterprises secure the development and use of AI applications. Cisco AI Defense focuses on two main areas: accessing AI applications, and building and running AI applications. The first concerns the use of third-party AI apps, which can boost productivity but can also introduce risks such as data leakage and malicious downloads. Cisco AI Defense aims to address this by providing visibility into AI app usage, by offering access control capabilities to restrict access to unsanctioned AI tools, and by providing protection against threats and confidential data loss. As for building and running AI applications, the new solution aims to help enterprises by giving them the tools to discover shadow and sanctioned AI applications, by providing automated testing to validate AI models and identify vulnerabilities, and by providing runtime protection against threats such as prompt injection, DoS attacks, and sensitive data leakage. “Cisco AI Defense is a single, end-to-end solution that helps your organisation understand and mitigate risk on both the user and application levels. To accomplish this, it comprises four main components: AI Access, AI Cloud Visibility, AI Model & Application Validation, and AI Runtime Protection,” Sampath added. Cisco says its AI Defense solution is expected to become available for enterprises in March.

FTC sues GoDaddy for years of poor hosting security practices

The US Federal Trade Commission (FTC) will require web hosting giant GoDaddy to implement basic security protections, including HTTPS APIs and mandatory multi-factor authentication, to settle charges that it failed to secure its hosting services against attacks since 2018. The FTC says the Arizona-based company’s claims of reasonable security practices also misled millions of web-hosting customers, because GoDaddy was instead “blind to vulnerabilities and threats in its hosting environment” due to its failure to implement standard security tools and practices. “Millions of companies, particularly small businesses, rely on web hosting providers like GoDaddy to secure the websites that they and their customers rely on,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC is acting today to ensure that companies like GoDaddy bolster their security systems to protect consumers around the globe”. According to the FTC’s complaint, GoDaddy’s unreasonable security practices included failing to use multi-factor authentication (MFA), manage software updates, log security-related events, segment its network, monitor for security threats (including by failing to use software that could actively detect threats from its many logs), and use file integrity monitoring. The company also failed to inventory and manage assets, assess risks to its website hosting services, and secure connections to services that provide access to consumer data.