Weekly Security News – 27th January 2025

Microsoft release security patches, Fortinet under attack, Google Ads stealing credentials and GoDaddy sued in the US...

Welcome to this week’s Security News. We’ve collated the best articles from around the internet and put them all into one place. If you have any queries or concerns about anything in this week’s news, then please get in touch with our team who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly. 

Vulnerabilities and Patches

Cloudflare CDN Vulnerability Exposes User Locations on Signal and Discord

A weakness in how Cloudflare’s CDN caches content allows an attacker to place a target within roughly 250 miles. Apps such as Signal and Discord serve attachments through Cloudflare, which caches a fetched image at the data centre nearest the recipient; by checking which data centre holds a cached copy of an image they sent, the attacker learns the recipient’s approximate region. This can compromise anonymity, particularly for vulnerable groups. The image is delivered through a zero-click or one-click path, so the target need not knowingly do anything.
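To make the mechanism concrete, here is an added Python example (not code from Cloudflare, Signal, Discord or the researcher who reported the issue) that classifies a CDN response from its headers alone: a `cf-cache-status` of `HIT` together with the data-centre code at the end of `cf-ray` ties the object to a place. The header sets and the small colo-to-city table are constructed for illustration.

```python
import re

# Header sets constructed for this example (not captured from Signal or Discord).
# On a Cloudflare edge, "cf-cache-status" says whether the object came from cache
# and "cf-ray" is "<request id>-<colo>", where <colo> is the IATA code of the
# data centre that answered. A HIT therefore ties the object to a location.
SAMPLE_RESPONSES = {
    "first fetch by recipient": {
        "CF-Cache-Status": "MISS",
        "CF-RAY": "8f1c2d3e4a5b6c7d-LHR",
        "Cache-Control": "public, max-age=31536000",
    },
    "probe after the recipient fetched it": {
        "CF-Cache-Status": "HIT",
        "CF-RAY": "8f1c2d3e4a5b6c7e-LHR",
        "Cache-Control": "public, max-age=31536000",
    },
    "object marked uncacheable": {
        "CF-Cache-Status": "DYNAMIC",
        "CF-RAY": "8f1c2d3e4a5b6c7f-LHR",
        "Cache-Control": "private, no-store",
    },
}

# Illustrative subset of Cloudflare colo codes (they are IATA airport codes).
COLO_CITY = {"LHR": "London", "FRA": "Frankfurt", "SJC": "San Jose", "NRT": "Tokyo"}

CF_RAY_RE = re.compile(r"^[0-9a-f]+-([A-Za-z]{3})$")


def _lower(headers):
    """HTTP header names are case-insensitive; normalise before lookup."""
    return {k.lower(): v for k, v in headers.items()}


def edge_colo(headers):
    """Data-centre code from cf-ray, or None if the header is absent or malformed."""
    m = CF_RAY_RE.match(_lower(headers).get("cf-ray", ""))
    return m.group(1).upper() if m else None


def is_cached_at_edge(headers):
    """True only when this edge served the object from its own cache (a HIT)."""
    return _lower(headers).get("cf-cache-status", "").upper() == "HIT"


def location_leak(headers):
    """Return the city a HIT reveals, or None when nothing is learned.

    MISS, DYNAMIC, BYPASS and similar statuses mean the object was fetched from
    origin for this request, so the edge says nothing about who else asked for it.
    """
    if not is_cached_at_edge(headers):
        return None
    colo = edge_colo(headers)
    if colo is None:
        return None
    return COLO_CITY.get(colo, f"unknown city for colo {colo}")


if __name__ == "__main__":
    for label, hdrs in SAMPLE_RESPONSES.items():
        print(f"{label}: {location_leak(hdrs) or 'no location inference'}")
```

A plain request lands at the requester’s own nearest data centre, so an attacker has to get the probe answered by many edge locations to find the one holding the copy; the defensive point is the third sample: content that is specific to one recipient should not be cacheable at a shared edge at all, and a `private, no-store` response (reported as `DYNAMIC` or `BYPASS`) gives a probe nothing to work with.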

CISA Warns of Chained Exploitation of Ivanti Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have issued a joint advisory highlighting that threat actors are chaining multiple vulnerabilities in Ivanti’s Cloud Service Appliance (CSA) to gain unauthorized access, execute remote code, steal credentials, and install web shells on victim networks.

Affected Vulnerabilities:

  • CVE-2024-8963: Administrative bypass vulnerability.
  • CVE-2024-9379: SQL injection vulnerability.
  • CVE-2024-8190 and CVE-2024-9380: Remote code execution vulnerabilities.

These vulnerabilities affect Ivanti CSA version 4.6.x prior to patch 519; CSA 4.6 is end-of-life, so the supported remedy is to upgrade to 5.0. Additionally, CVE-2024-9379 and CVE-2024-9380 affect CSA versions 5.0.1 and earlier, so 5.0 installations should also be patched to the current release; however, Ivanti reports that these CVEs have not been exploited in version 5.0.

Cisco Patches Critical Vulnerability in Meeting Management

Cisco has released a patch for a critical vulnerability in its Meeting Management software, identified as CVE-2025-20156 with a CVSS score of 9.9. This flaw affects the REST API and allows remote attackers to escalate privileges to administrator level due to improper authorization enforcement. Exploiting this vulnerability could grant attackers full control over edge nodes managed by the software.

Cyber Attacks

AT&T Data Breach Poses Risk to FBI Informants

In April 2024, AT&T experienced a data breach that compromised call and text logs of approximately 100 million customers, including FBI agents. While the content of communications was not exposed, the metadata—such as phone numbers contacted—was accessed. This exposure raises concerns that threat actors could analyse these logs to identify confidential informants, potentially jeopardizing ongoing investigations and informant safety.

13,000 MikroTik Routers Hijacked by Botnet for Malspam and Cyberattacks

A botnet of approximately 13,000 compromised MikroTik routers has been used for cyberattacks, including malware distribution and spam campaigns. The attackers likely exploited CVE-2023-30799, a critical privilege-escalation vulnerability in RouterOS, and turned the routers into SOCKS proxies that hide the true origin of malicious traffic.

The botnet also powered a malspam campaign in which freight-invoice-themed emails carried ZIP attachments; the archives delivered malware via PowerShell scripts that connected to a command-and-control server.

The attackers further took advantage of misconfigured Sender Policy Framework (SPF) records on around 20,000 domains. Those records ended in an overly permissive “+all”, which tells receiving mail servers that any host on the internet may send mail for the domain, so SPF checks passed for spoofed messages. A bare “all” with no qualifier means the same thing, because “+” is the default qualifier.

To mitigate this, organisations should update MikroTik routers to the latest firmware, change default router credentials, and replace “+all” in their SPF records with “-all” (or at minimum “~all”) so that senders not listed in the record fail the check.
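The SPF misconfiguration is easy to check for in your own DNS. The following is an added Python example (not code from the report on the botnet) that classifies an SPF TXT record by the qualifier on its `all` mechanism and rewrites a permissive record to end in `-all`. The records and domain names are constructed for illustration; the checker deliberately does not follow `include:` or `redirect=`, so a permissive rule hidden in an included record would not be caught.

```python
# SPF records constructed for this example (not the domains from the report).
SAMPLE_RECORDS = {
    "spoofable.example": "v=spf1 include:_spf.mail.example +all",
    "implicit-plus.example": "v=spf1 ip4:203.0.113.0/24 all",
    "neutral.example": "v=spf1 mx ?all",
    "softfail.example": "v=spf1 mx ~all",
    "hardened.example": "v=spf1 ip4:203.0.113.0/24 include:_spf.mail.example -all",
    "no-all.example": "v=spf1 ip4:203.0.113.0/24",
    "not-spf.example": "google-site-verification=abcdef",
}

# RFC 7208 qualifiers. When a mechanism has no qualifier, "+" (pass) is implied,
# so a bare "all" is exactly as permissive as "+all".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_terms(txt):
    """Return the terms of an SPF record, or None if the TXT record is not SPF."""
    parts = txt.split()
    if not parts or parts[0].lower() != "v=spf1":
        return None
    return parts[1:]


def all_qualifier(terms):
    """Qualifier on the 'all' mechanism ('+' when implicit), or None if absent."""
    for term in terms:
        qualifier, body = "+", term
        if term[0] in QUALIFIERS:
            qualifier, body = term[0], term[1:]
        if body.lower() == "all":
            return qualifier
    return None


def assess(txt):
    """Classify a record as 'missing', 'spoofable', 'weak' or 'ok', with a reason."""
    terms = spf_terms(txt)
    if terms is None:
        return "missing", "no SPF record"
    q = all_qualifier(terms)
    if q is None:
        return "weak", "no 'all' term: unlisted senders get a neutral result"
    if q == "+":
        return "spoofable", "'+all' (explicit or implied): any host passes SPF"
    if q == "?":
        return "weak", "'?all': unlisted senders get a neutral result"
    return "ok", f"'{q}all' ({QUALIFIERS[q]}) for senders not listed"


def fix_record(txt):
    """Rewrite a record so it ends in '-all'; a record already ending in '-all' is unchanged."""
    terms = spf_terms(txt)
    if terms is None:
        return txt
    kept = []
    for term in terms:
        body = term[1:] if term[0] in QUALIFIERS else term
        if body.lower() == "all":
            break  # mechanisms after 'all' are never evaluated, so drop them
        kept.append(term)
    return " ".join(["v=spf1", *kept, "-all"])


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        verdict, why = assess(record)
        print(f"{domain:24} {verdict:9} {why}")
        if verdict in ("spoofable", "weak"):
            print(f"{'':24} suggested: {fix_record(record)}")
```

The checker treats `~all` as acceptable; whether to insist on `-all` is a policy choice that depends on how confident you are that every legitimate sender is listed, since a hard fail will reject mail from anything you forgot.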

In Other News...

Hackers Earn $129,000 for Tesla Charger Exploits at Pwn2Own Automotive 2025

During the Pwn2Own Automotive 2025 hacking competition in Tokyo, researchers were awarded $129,000 for successfully exploiting vulnerabilities in Tesla’s Wall Connector chargers. The event, organized by Trend Micro’s Zero Day Initiative (ZDI), saw a total of $718,250 distributed over the first two days for various exploits targeting electric vehicle (EV) chargers and infotainment systems.

Notable Tesla Charger Exploits:

  • $50,000 Award: A team achieved the maximum reward by taking over a Tesla Wall Connector and causing it to crash.
  • $45,000 Award: Another team received this sum for an inventive exploit leveraging the charging connector.
  • Additional Awards: Two teams earned $22,500 and $12,500 respectively for their Tesla charger exploits, though these involved previously known vulnerabilities.

The competition continues, with further attempts to exploit Tesla’s Wall Connector scheduled, potentially increasing the total rewards. Notably, no attempts to hack Tesla vehicles themselves are planned for this year’s event, despite significant incentives offered for such exploits. These findings underscore the importance of ongoing security assessments in EV infrastructure to ensure user safety and system integrity.

Top 5 Malware Threats to Prepare Against in 2025

As cyber threats continue to evolve, it’s crucial for organizations to stay informed about prevalent malware families. Here are five significant threats identified for 2025:

  1. Lumma Stealer: Active since 2022, Lumma is an information-stealing malware that targets login credentials, financial data, and personal information. It spreads through fake CAPTCHA pages, torrents, and phishing emails. Regular updates have enhanced its capabilities, making it a persistent threat.
  2. XWorm: Emerging in July 2022, XWorm grants attackers remote control over infected systems. It can capture keystrokes, webcam images, audio, and clipboard data, posing risks to financial and personal information. In 2024, it was linked to large-scale attacks abusing Cloudflare Tunnels and legitimate digital certificates.
  3. LockBit Ransomware: Primarily targeting Windows devices, LockBit has become a major ransomware threat, accounting for a substantial portion of Ransomware-as-a-Service (RaaS) attacks. Its high-profile victims include the UK’s Royal Mail and India’s National Aerospace Laboratories, both attacked in 2023.
  4. Remcos: Distributed via phishing emails with malicious attachments, Remcos allows attackers to execute commands, access files, and monitor user activities. It often uses password-protected .zip files to evade detection.
  5. PlugX: A malware variant that the FBI recently removed from over 4,250 infected computers. PlugX is known to spread via USB devices and can compromise system security.