Cyber Defense Advisors

⚡ THN Weekly Recap: Top Cybersecurity Threats, Tools and Tips [13 January]

The cyber world’s been buzzing this week, and it’s all about staying ahead of the bad guys. From sneaky software bugs to advanced hacking tricks, the risks are real, but so are the ways to protect yourself. In this recap, we’ll break down what’s happening, why it matters, and what you can do to stay secure.

Let’s turn awareness into action and keep one step ahead of the threats.

⚡ Threat of the Week

Critical Ivanti Flaw Comes Under Exploitation — A newly discovered critical security vulnerability in Ivanti Connect Secure appliances has been exploited as a zero-day since mid-December 2024. The flaw (CVE-2025-0282, CVSS score: 9.0) is a stack-based buffer overflow bug that could lead to unauthenticated remote code execution. According to Google-owned Mandiant, the flaw has been exploited to deploy the SPAWN ecosystem of malware – the SPAWNANT installer, SPAWNMOLE tunneler, and the SPAWNSNAIL SSH backdoor – as well as two other previously undocumented malware families dubbed DRYHOOK and PHASEJAM. There is a possibility that multiple threat actor groups, including the China-linked UNC5337, are behind the exploitation.

🔔 Top News

  • Microsoft Pursues Legal Action Against Hacking Group — Microsoft said it’s taking legal action against an unknown foreign-based threat-actor group for abusing stolen Azure API keys and customer Entra ID authentication information to breach its systems and gain unauthorized access to the Azure OpenAI Service with the goal of generating harmful content that bypasses safety guardrails, as well as monetizing that access by offering it to other customers. It accused three unnamed individuals of creating a “hacking-as-a-service” infrastructure for this purpose.
  • Exploitation Attempts Recorded Against GFI KerioControl Firewalls — Threat actors are actively attempting to exploit a recently disclosed security flaw impacting GFI KerioControl firewalls that, if successfully exploited, could allow malicious actors to achieve remote code execution (RCE). The vulnerability, CVE-2024-52875, is a carriage return line feed (CRLF) injection that could result in a cross-site scripting (XSS) attack. Attempts to exploit the vulnerability commenced around December 28, 2024.
  • Updated EAGERBEE Malware Targets the Middle East — Internet service providers (ISPs) and governmental entities in the Middle East have been targeted using an updated variant of the EAGERBEE (aka Thumtais) malware framework. The new variant is capable of deploying additional payloads, enumerating file systems, and executing command shells. It can also manage processes, maintain remote connections, manage system services, and list network connections.
  • Southeast Asia Comes Under Mustang Panda Attacks — Several entities in Mongolia, Taiwan, Myanmar, Vietnam, and Cambodia have been targeted by the China-nexus Mustang Panda threat actor to deliver a customized version of the PlugX backdoor between July 2023 and December 2024. The attacks involve the use of Windows Shortcut (LNK), Windows Installer (MSI), and Microsoft Management Console (MSC) files, likely distributed via spear-phishing, as the first-stage component to trigger the infection chain, ultimately leading to the deployment of PlugX using DLL side-loading techniques.
  • U.S. Government Formally Unveils Cyber Trust Mark — The U.S. government announced the launch of the U.S. Cyber Trust Mark, a new cybersecurity safety label for Internet-of-Things (IoT) consumer devices that details the support period as well as the steps users can take to change the default password and configure the device securely. Eligible products that come under the purview of the Cyber Trust Mark program include internet-connected home security cameras, voice-activated shopping devices, smart appliances, fitness trackers, garage door openers, and baby monitors.

🔥 Trending CVEs

Your favorite software might be hiding serious security cracks—don’t wait for trouble to find you. Update now and stay one step ahead of the threats!

This week’s list includes — CVE-2024-8474 (OpenVPN Connect), CVE-2024-46981 (Redis), CVE-2024-51919, CVE-2024-51818 (Fancy Product Designer plugin), CVE-2024-12877 (GiveWP – Donation Plugin and Fundraising Platform), CVE-2024-12847 (NETGEAR DGN1000), CVE-2025-23016 (FastCGI fcgi2), CVE-2024-10215 (WPBookit plugin), CVE-2024-11350 (AdForest theme), CVE-2024-13239 (Drupal), CVE-2024-54676 (Apache OpenMeetings), CVE-2025-0103 (Palo Alto Networks Expedition), CVE-2024-53704 (SonicWall SonicOS), CVE-2024-50603 (Aviatrix Controller), CVE-2024-9138, and CVE-2024-9140 (Moxa).

📰 Around the Cyber World

  • Pastor Indicted for “Dream” Solano Fi Project — Francier Obando Pinillo, a 51-year-old pastor at a Pasco, Washington, church, has been indicted on 26 counts of fraud for allegedly operating a cryptocurrency scam that defrauded investors of millions between November 2021 and October 2023. Pinillo is said to have used his position as pastor to induce members of his congregation and others to invest their money in a cryptocurrency investment business known as Solano Fi. He claimed the idea for the scheme had “come to him in a dream.” According to the U.S. Department of Justice (DoJ), “rather than investing funds on victims’ behalf as he had promised, Pinillo defrauded victims into making cryptocurrency transfers into accounts he designated, then converted the victims’ funds to himself and his co-schemers.” Pinillo has also been accused of convincing investors to recruit other investors in exchange for additional returns for each new investor they recruited. The fraud charges carry a maximum sentence of up to 20 years in prison. The defendant is estimated to have targeted at least 1,515 customers in the U.S., netting him $5.9 million in illicit profits. The development comes as a Delaware man, Mohamed Diarra, pleaded guilty to his participation in a widespread international sextortion and money laundering scheme that ran from May 2020 through December 2022. “Diarra conspired with co-conspirators in Côte d’Ivoire who sextorted victims and utilized a network of Delaware-based ‘money mules,’ including Diarra, to assist with laundering the victims’ illegally obtained funds,” the DoJ said. He faces a maximum penalty of 20 years in prison. In recent months, the DoJ has also prosecuted Robert Purbeck; Kiara Graham, Cortez Tarmar Crawford, and Trevon Demar Allen; and Charles O. Parks III in connection with extortion, SIM-swapping, and cryptojacking operations, respectively.
  • Washington State Sues T-Mobile Over 2021 Data Breach — The U.S. state of Washington has sued T-Mobile over allegations the phone giant failed to secure the personal data of more than 2 million state residents prior to an August 2021 data breach, which went on to affect more than 79 million customers across the country. The lawsuit asserted that “T-Mobile knew for years about certain cybersecurity vulnerabilities and did not do enough to address them” and that the company “misrepresented to consumers that the company prioritizes protecting the personal data it collects.” The complaint noted that T-Mobile “used weak credentials” on accounts for accessing its internal systems and did not implement rate-limiting on login attempts, thus allowing the attackers to brute-force the credentials without locking the employee accounts in question. A year after the incident, T-Mobile agreed to pay $350 million to settle a class-action lawsuit. John Binns, an American citizen living in Turkey, took credit for the attack. He was subsequently arrested in May 2024 for his participation in the Snowflake extortion campaign.
  • Telegram Complies With More User Data Requests Following CEO Arrest — Telegram has been increasingly sharing user data at the request of law enforcement authorities following the arrest of its CEO Pavel Durov last year, according to information compiled from its periodic transparency reports. India, Germany, the U.S., France, Brazil, South Korea, Belgium, Spain, Poland, and Italy were the top 10 countries by number of requests. Days after his arrest, Telegram promised to make significant improvements in an effort to tackle criticisms about the lack of oversight and the abuse of the platform for illicit activities. It also pledged to provide the IP addresses and phone numbers of users who violate rules in response to valid legal requests. Despite the policy changes, Telegram continues to be a major hub for cybercriminals to carry out their operations due to its “established” user base and functionality. “While Signal, Discord, and other alternative platforms are used by cybercriminals, it doesn’t appear they will fully replace Telegram in the future, and rather serve as additional methods for threat actors to perform malicious activities,” KELA said last month.
  • MLOps Platforms Could Become a New Attack Target — As companies rush to leverage artificial intelligence (AI) applications, MLOps platforms used to develop, train, deploy and monitor such applications could be targeted by attackers, allowing them to not only gain unauthorized access, but also impact the confidentiality, integrity and availability of the machine learning (ML) models and the data they provide. Such actions could permit an adversary to perform a model extraction attack, poison or access training data, and bypass AI-based classification systems. “The increased usage of MLOps platforms to create, manage and deploy ML models will cause attackers to view these platforms as attractive targets,” IBM X-Force said. “As such, properly securing these MLOps platforms and understanding how an attacker could abuse them to conduct attacks such as data poisoning, data extraction and model extraction is critical.”
  • Popular Windows Applications Vulnerable to WorstFit Attack — Several Windows-based applications such as curl.exe, excel.exe, openssl.exe, plink.exe, tar.exe, and wget.exe have been found susceptible to a brand-new attack surface called WorstFit, which exploits a character conversion feature built into Windows called Best-Fit. Taiwanese cybersecurity company DEVCORE said the Best-Fit conversion is designed to handle situations where the operating system needs to convert characters from UTF-16 to ANSI, but the equivalent character doesn’t exist in the target code page. That said, this “unexpected character transformation” could be harnessed to achieve path traversal and remote code execution via techniques such as filename smuggling, argument splitting, and environment variable confusion. “As for how to mitigate such attacks, unfortunately, since this is an operating system-level problem, similar issues will continue to reappear – until Microsoft chooses to enable UTF-8 by default in all of their Windows editions,” researchers Orange Tsai and Splitline Huang said. In the meantime, developers are recommended to phase out ANSI and switch to the Wide Character API.
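Best-Fit conversion and the check a developer would add before handing a string to a narrow (ANSI) API, emulated in Python as an added example (not DEVCORE's code nor anything from the article): the mapping table is a constructed subset of Best-Fit behaviour, cp1252 is assumed as the ANSI code page, and `strict_encode` stands in for calling the narrow API with Best-Fit disabled.

```python
from typing import Optional

# Constructed subset of Best-Fit mappings for illustration: full-width ASCII
# variants are collapsed onto the ASCII metacharacters path parsers care about.
BEST_FIT_SUBSET = {
    "\uff0e": ".",   # FULLWIDTH FULL STOP
    "\uff3c": "\\",  # FULLWIDTH REVERSE SOLIDUS
    "\uff0f": "/",   # FULLWIDTH SOLIDUS
    "\uff02": '"',   # FULLWIDTH QUOTATION MARK
}

# Substrings that matter once the bytes reach a path or command-line parser.
METACHARS = ("..", "\\", "/", '"')


def best_fit_encode(text: str) -> bytes:
    """Emulate UTF-16 -> ANSI with Best-Fit enabled (cp1252 assumed as base page)."""
    out = bytearray()
    for ch in text:
        if ch in BEST_FIT_SUBSET:
            out += BEST_FIT_SUBSET[ch].encode("ascii")
        else:
            # Anything else outside the code page becomes the default '?' substitute.
            out += ch.encode("cp1252", errors="replace")
    return bytes(out)


def strict_encode(text: str) -> Optional[bytes]:
    """Emulate conversion with Best-Fit disabled (on Windows, WideCharToMultiByte
    with WC_NO_BEST_FIT_CHARS): a character missing from the code page fails the
    whole conversion instead of being silently remapped."""
    try:
        return text.encode("cp1252")
    except UnicodeEncodeError:
        return None


def wide_check_only(text: str) -> bool:
    """The fragile pattern: validate the wide string, then pass it to a narrow API.
    The full-width characters are not '.', '\\' or '/', so this check passes."""
    return not any(m in text for m in METACHARS)


def safe_narrow_filename(text: str) -> Optional[bytes]:
    """Hardened pattern: refuse any lossy conversion, then validate the exact
    bytes the narrow API will see. Returns None when the input must be rejected."""
    narrow = strict_encode(text)
    if narrow is None or any(m.encode("ascii") in narrow for m in METACHARS):
        return None
    return narrow
```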

🎥 Expert Webinar

  1. Future-Ready Trust: Manage Certificates Like Never Before — Managing digital trust shouldn’t feel impossible. Join us to discover how DigiCert ONE transforms certificate management—streamlining trust operations, ensuring compliance, and future-proofing your digital strategy. Don’t let outdated systems hold you back. Reserve your spot today and see the future of trust management in action!
  2. AI in Cybersecurity—Game-Changer or Hype? — Is AI the future of cybersecurity or just another buzzword? Find out as 200 industry experts share real-world insights on AI-driven vulnerability management and how it can strengthen your defenses. Cut through the noise and gain strategies you can use right now. Secure your spot today.

🔧 Cybersecurity Tools

  • MLOKit — It’s an MLOps attack toolkit that leverages REST API vulnerabilities to simulate real-world attacks on MLOps platforms. From reconnaissance to data and model extraction, this modular toolkit is built for adaptability—empowering security pros to stay ahead.
  • HackSynth — It’s an AI-powered agent designed for autonomous penetration testing. With its Planner and Summarizer modules, HackSynth generates commands, processes feedback, and iterates efficiently. Tested on 200 diverse challenges from PicoCTF and OverTheWire.

🔒 Tip of the Week

Know Your Browser Extensions — Your browser is the heart of your online activity—and a prime target for cyber threats. Malicious extensions can steal sensitive data, while sneaky DOM manipulations exploit vulnerabilities to run harmful code in the background. These threats often go unnoticed until it’s too late. So, how do you stay protected? Tools like CRXaminer and DOMspy make it simple. CRXaminer scans Chrome extensions to uncover risky permissions or dangerous code before you install them. DOMspy helps you spot hidden threats by monitoring your browser’s behavior in real-time, and flagging suspicious activities like DOM clobbering or prototype pollution. Stay safe by reviewing your extensions regularly, only granting permissions when absolutely necessary, and keeping your browser and tools up to date.

Conclusion

Every click, download, and login contributes to your digital footprint, shaping how secure or vulnerable you are online. While the risks may feel overwhelming, staying informed and taking proactive steps are your best defenses.

As you finish this newsletter, take a moment to assess your online habits. A few simple actions today can save you from significant trouble tomorrow. Stay ahead, stay secure.
