Weekly Cybersecurity Roundup: Jan 6, 2025 to Jan 12, 2025
Here’s a detailed roundup of key events from this week:
Proton Mail still down as Proton recovers from worldwide outage
Proton, the privacy-focused service provider, experienced a significant worldwide outage on January 9, 2025, affecting multiple services, including Proton Mail and Proton Calendar. The disruption began around 10:00 AM ET, with users unable to access their accounts due to intermittent network issues.
The outage was primarily attributed to a sudden surge in database connections, which overwhelmed the system. This issue was exacerbated by an ongoing infrastructure migration to a Kubernetes-based system, which introduced limitations in scaling capacity to handle the increased load. Proton’s engineering team identified a software change that contributed to the initial load spike; after rolling back this change, database load returned to normal.
By 12:37 PM ET, Proton reported that connectivity to Proton Mail had been restored, and by 1:27 PM ET, all services, including Proton Calendar, were fully operational.
As of now, all Proton services are functioning normally. Users experiencing any issues are advised to check Proton’s official status page for real-time updates.
New zero-day exploit targets Ivanti VPN product
Ivanti, a prominent IT software company, has addressed two stack-based buffer overflow vulnerabilities in its Connect Secure VPN appliances; the same flaws also affect Policy Secure and Neurons for ZTA gateways:
- CVE-2025-0282 (CVSS 9.0, critical): an unauthenticated remote attacker can trigger the overflow to execute arbitrary code on the appliance. Ivanti confirmed exploitation in the wild against a limited number of Connect Secure customers and said it was not aware of exploitation against Policy Secure or ZTA gateways.
- CVE-2025-0283 (CVSS 7.0, high): a locally authenticated attacker can use the overflow to escalate privileges on the device. No exploitation of this flaw has been reported.
Mandiant, which investigated the intrusions with Ivanti, attributes exploitation of CVE-2025-0282 to a suspected China-nexus espionage actor it tracks as UNC5337, assessed to be part of UNC5221, the cluster behind the 2024 Connect Secure zero-day campaign. Post-exploitation tooling included the previously documented SPAWN family (the SPAWNANT installer, SPAWNMOLE tunneler, SPAWNSNAIL SSH backdoor and SPAWNSLOTH log-tampering utility) as well as two new families Mandiant named PHASEJAM, a dropper that also blocks legitimate system upgrades and displays a fake upgrade progress bar, and DRYHOOK, a credential stealer.
Ivanti released Connect Secure 22.7R2.5 on January 8, 2025 to fix both issues; patches for Policy Secure and Neurons for ZTA gateways were scheduled for January 21, 2025. Its security advisory also tells customers to run the Integrity Checker Tool (ICT), both the internal and external versions, and to factory-reset any appliance on which the ICT reports signs of compromise before returning it to production on the patched release.
Given the active exploitation, organizations running Ivanti's VPN products should:
- Apply Patches Immediately: Upgrade Connect Secure to 22.7R2.5 now, and schedule the Policy Secure and ZTA gateway updates as soon as Ivanti publishes them.
- Run the Integrity Checker Tool: Scan every appliance with both the internal and external ICT before and after upgrading. Treat a failed scan as a compromise: preserve forensic evidence (the attackers deployed log-tampering tooling), then factory-reset the appliance before bringing it back on the patched release.
- Monitor Network Activity: Look for unusual or unauthorized access attempts, and for outbound connections initiated by the appliance itself, which should be rare.
- Review Security Configurations and Credentials: Rotate credentials, certificates and other secrets that transit or are stored on the appliance, since credential theft was part of the observed tooling, and restrict exposure of the management interface.
For more detailed information and guidance, refer to Ivanti's official security update.
Banshee stealer evades detection using Apple XProtect encryption algo
The Banshee macOS Stealer is a sophisticated malware that has been targeting Apple users since mid-2024. This malware is designed to steal sensitive information, including browser credentials, cryptocurrency wallets, user passwords, and other personal data.
In recent months, Banshee has adopted a technique that let it slip past antivirus detection: its strings are encrypted with the same algorithm that Apple's XProtect, the built-in macOS antivirus engine, uses to encrypt its own YARA rules. Because the encrypted strings no longer match signatures written for earlier Banshee builds, the new variant went undetected by antivirus engines for around two months. The trick hides the malware's string indicators from static scanning rather than making it look like a system process, so behavioural detection and careful review of what was installed still work. Banshee's source code leaked in November 2024, which ended the original malware-as-a-service operation but allows other actors to reuse and modify the code.
The malware is primarily distributed through deceptive GitHub repositories and phishing sites that impersonate popular software applications like Chrome and Telegram. Unsuspecting users who download and install these fake applications inadvertently introduce Banshee into their systems.
To protect against Banshee and similar threats, macOS users are advised to:
- Verify Software Sources: Only download software from official and reputable sources. Be cautious of links provided in unsolicited emails or messages.
- Enhance Security Measures: Gatekeeper and XProtect are useful but largely signature-based, as this variant showed; supplement them with a reputable endpoint security product and use a password manager rather than browser-stored credentials, which stealers harvest first. A VPN does not help against this threat: it protects traffic in transit, not data on an already-infected host.
- Stay Informed: Keep abreast of the latest cybersecurity threats targeting macOS. Regularly update your knowledge and tools to defend against emerging malware.
Largest US addiction treatment provider notifies patients of data breach
BayMark Health Services, the largest addiction treatment provider in the United States, has notified patients of a data breach resulting from a ransomware attack. Between September 24 and October 14, 2024, unauthorized individuals accessed files containing sensitive patient information, including names, dates of birth, driver’s license numbers, Social Security numbers, insurance details, and medical records.
The company has begun mailing notification letters to affected patients and is offering complimentary credit monitoring services to assist in protecting against potential identity theft. BayMark has also reported the incident to law enforcement agencies and is collaborating with cybersecurity experts to investigate and mitigate the breach.
Medusind, a medical billing provider, disclosed a data breach
Medusind, a leading medical and dental billing provider, has disclosed a data breach affecting over 360,000 individuals. The breach was identified on December 29, 2023, but affected individuals were only notified in January 2025, more than a year later. It involved unauthorized access to sensitive personal and health information, including names, dates of birth, Social Security numbers, health insurance details, and medical records.
Affected individuals are being offered two years of complimentary credit monitoring services. Medusind has also implemented enhanced security measures to prevent future incidents.
This incident underscores the critical need for robust cybersecurity practices within the healthcare sector to protect patient data from unauthorized access.
Chinese APT Group Is Ransacking Japan’s Secrets
Since 2019, the Chinese state-sponsored hacking group known as MirrorFace has been systematically targeting Japanese organizations to steal sensitive information related to national security and advanced technology. The National Police Agency of Japan has linked over 200 cyberattacks to this group, focusing on entities such as the Foreign and Defense ministries, the Japan Aerospace Exploration Agency (JAXA), politicians, journalists, private companies, and think tanks.
Tactics Employed by MirrorFace:
- Spear-Phishing Campaigns: MirrorFace has conducted elaborate phishing campaigns, sending emails with malware-laden attachments to targeted organizations and individuals. These emails often used subjects like “Japan-U.S. alliance,” “Taiwan Strait,” and “Russia-Ukraine war” to entice recipients.
- Exploitation of Vulnerabilities: The group has also broken in through vulnerabilities in VPN and remote-access appliances, notably products from Array Networks, Fortinet and Citrix, to gain unauthorized access to internal networks.
- Advanced Malware Deployment: MirrorFace has deployed its own backdoors, including LODEINFO, NOOPDOOR and ANEL, to maintain persistence and evade detection.
STIIIZY data breach exposes cannabis buyers’ IDs and purchases
In November 2024, STIIIZY, a prominent California-based cannabis dispensary, experienced a data breach compromising the personal information of customers who made purchases at specific locations. The breach exposed sensitive data, including driver’s license numbers, passport numbers, photographs, medical cannabis cards, and other personal details such as names, ages, and addresses.
Affected Locations:
The breach impacted customers who made purchases at the following STIIIZY retail locations:
- STIIIZY Union Square: 180 O’Farrell Street, San Francisco, CA
- STIIIZY Mission: 3326 Mission Street, San Francisco, CA
- STIIIZY Alameda: 1528 Webster St., Alameda, CA
- STIIIZY Modesto: 426 McHenry Ave., Modesto, CA
The breach was identified on November 20, 2024, when STIIIZY was notified by its point-of-sale processing services vendor about a compromise by an organized cybercrime group. An investigation revealed that personal information of certain customers was acquired by the threat actors between October 10 and November 10, 2024.
In response, STIIIZY has offered affected customers complimentary credit monitoring services and is collaborating with cybersecurity experts to enhance security measures and prevent future incidents.
Researchers disclosed details of a now-patched Samsung zero-click flaw
Researchers from Google Project Zero have disclosed a now-patched zero-click vulnerability, tracked as CVE-2024-49415, affecting Samsung devices running Android versions 12, 13, and 14. This high-severity flaw, with a CVSS score of 8.1, resides in the Monkey's Audio (APE) decoder in the libsaped.so library and allows remote attackers to execute arbitrary code without user interaction.
Technical Details:
The vulnerability is an out-of-bounds write in the saped_rec function of libsaped.so. That function writes decoded audio into a DMA buffer allocated by the C2 media service, which always has a fixed size of 0x120000 bytes. The blocksperframe value that libsapedextractor reads from the input is also capped at 0x120000, but that cap counts samples, not bytes: with 24-bit input (three bytes per sample), saped_rec can emit up to 3 × blocksperframe bytes, i.e. as much as 0x360000 bytes into a 0x120000-byte buffer. This mismatch between a sample-count limit and the buffer's byte size allows a substantial buffer overflow, leading to potential arbitrary code execution.
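As an added illustration (not Samsung's libsaped code, and not from the Project Zero writeup), the following Python models the size mismatch described above. Only the figures quoted in the disclosure are used: a fixed 0x120000-byte output buffer, a blocksperframe cap of 0x120000, and three output bytes per 24-bit sample. The function names, the shape of the "flawed" and "hardened" checks, and the simulated output loop are assumptions made for this example.

```python
"""
Model of the size mismatch behind CVE-2024-49415 (constructed for this roundup; it is not
Samsung's libsaped code). Only the figures quoted above come from the disclosure: a fixed
0x120000-byte output buffer, a blocksperframe cap of 0x120000 and 3 output bytes per
24-bit sample. The function names and the check logic are assumptions.
"""

DMA_BUFFER_SIZE = 0x120000      # fixed size of the buffer the C2 media service allocates
MAX_BLOCKSPERFRAME = 0x120000   # cap the extractor applies to the blocksperframe field
SAMPLE_WIDTHS = (8, 16, 24)     # bits per sample the APE decoder handles


def bytes_per_sample(bits_per_sample: int) -> int:
    if bits_per_sample not in SAMPLE_WIDTHS:
        raise ValueError(f"unsupported sample width: {bits_per_sample}")
    return bits_per_sample // 8


def flawed_check(blocksperframe: int, bits_per_sample: int) -> bool:
    """Pre-patch style validation: bounds the sample count and ignores the sample width."""
    return 0 < blocksperframe <= MAX_BLOCKSPERFRAME


def hardened_check(blocksperframe: int, bits_per_sample: int) -> bool:
    """Bounds the bytes that will be written against the buffer that receives them."""
    if not 0 < blocksperframe <= MAX_BLOCKSPERFRAME:
        return False
    return blocksperframe * bytes_per_sample(bits_per_sample) <= DMA_BUFFER_SIZE


def decode_frame(blocksperframe: int, bits_per_sample: int, check) -> dict:
    """
    Simulates the decoder's output stage under a given validation function. Returns
    whether the frame was accepted, how many bytes landed inside the buffer, and how many
    would have been written past its end (in native code those bytes corrupt adjacent memory).
    """
    if not check(blocksperframe, bits_per_sample):
        return {"accepted": False, "written": 0, "overflow": 0}
    total = blocksperframe * bytes_per_sample(bits_per_sample)
    out = bytearray(DMA_BUFFER_SIZE)
    in_bounds = min(total, DMA_BUFFER_SIZE)
    out[:in_bounds] = bytes(in_bounds)      # stand-in for the decoded PCM bytes
    return {"accepted": True, "written": in_bounds, "overflow": total - in_bounds}


def worst_case_overflow(check=flawed_check) -> dict:
    """Largest overflow a blocksperframe value at the cap can cause, per sample width."""
    return {bits: decode_frame(MAX_BLOCKSPERFRAME, bits, check)["overflow"]
            for bits in SAMPLE_WIDTHS}


if __name__ == "__main__":
    print("flawed  :", {k: hex(v) for k, v in worst_case_overflow(flawed_check).items()})
    print("hardened:", worst_case_overflow(hardened_check))
```

The point the model makes is that a limit expressed in the wrong unit is no limit at all: the flawed check lets a capped 24-bit frame write 0x240000 bytes past the buffer, while the hardened check rejects anything whose byte count exceeds the buffer, which is the kind of input validation the December 2024 fix added.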
Impact and Exploitation:
The flaw is particularly critical when Google Messages is configured for Rich Communication Services (RCS), the default setting on Samsung Galaxy S23 and S24 devices. In this configuration, the transcription service decodes incoming audio messages locally before user interaction. An attacker could exploit this vulnerability by sending a specially crafted audio message via Google Messages, causing the media codec process to crash and potentially leading to arbitrary code execution.
Mitigation:
Samsung addressed this vulnerability in its December 2024 security updates by adding proper input validation to the affected function. Users are advised to update their devices to the latest security patches to mitigate this risk.
This incident underscores the importance of timely software updates and robust security measures to protect against sophisticated zero-click vulnerabilities.
Hackers exploit KerioControl firewall flaw to steal admin CSRF tokens
A critical vulnerability, tracked as CVE-2024-52875, has been identified in GFI KerioControl, a network security solution designed for small and medium-sized businesses. The flaw stems from improper sanitization of line feed (LF) characters in the 'dest' GET parameter: because that parameter is reflected into a response header as a redirect target, an injected line break lets an attacker manipulate HTTP headers and split the response. A victim lured into opening a crafted link can therefore have attacker-supplied JavaScript executed in their browser, enabling theft of cookies or Cross-Site Request Forgery (CSRF) tokens. With a CSRF token stolen from an authenticated administrator, an attacker can then upload a malicious .IMG file containing a root-level shell script through Kerio's upgrade functionality, opening a reverse shell to the attacker.
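The following Python is an added example of the pattern just described; it is constructed for this roundup and is not GFI's code. It models a redirect handler that copies the 'dest' parameter into the Location header, a hardened version, a lenient response parser of the kind that makes a bare LF dangerous, and a log check for the encoded line breaks that exploitation needs. The page path (/noauth/example), the exact way the original sanitization fails (modelled here as dropping CR but not LF), and the access-log lines are all assumptions for illustration.

```python
"""
Added example of the header-injection pattern behind CVE-2024-52875 (constructed; not GFI's
code). The page path, the precise sanitization failure and the log lines are assumptions.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit


def vulnerable_redirect(dest: str) -> bytes:
    """Assumed pre-patch behaviour: CR is dropped but LF survives into the header block."""
    value = dest.replace("\r", "")
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {value}\r\n"
        "Content-Length: 0\r\n\r\n"
    ).encode("latin-1")


def is_safe_header_value(value: str) -> bool:
    """Reject CR, LF and every other control byte: none of them belong in a header value."""
    return all(0x20 <= ord(ch) < 0x7F for ch in value)


def hardened_redirect(dest: str) -> bytes:
    if not is_safe_header_value(dest):
        return b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {dest}\r\n"
        "Content-Length: 0\r\n\r\n"
    ).encode("latin-1")


def lenient_parse(raw: bytes):
    """Split a response the way lenient clients do: a bare LF terminates a header line too."""
    m = re.search(rb"\r?\n\r?\n", raw)
    if m is None:
        return re.split(rb"\r?\n", raw), b""
    return re.split(rb"\r?\n", raw[:m.start()]), raw[m.end():]


# --- detection over access logs -------------------------------------------------------
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def dest_has_linebreak(url: str) -> bool:
    """True if a dest= value contains a line break after one or two layers of URL decoding."""
    for value in parse_qs(urlsplit(url).query, keep_blank_values=True).get("dest", []):
        for _ in range(3):   # parse_qs decoded once; peel up to two more layers (%250a etc.)
            if "\n" in value or "\r" in value:
                return True
            value = unquote(value)
    return False


def suspicious_requests(lines):
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and dest_has_linebreak(m.group(1)):
            hits.append(line)
    return hits


SAMPLE_LOG = [  # constructed lines in a common access-log layout, not real KerioControl logs
    '10.0.0.5 - - [09/Jan/2025:10:12:01 +0000] "GET /noauth/example?dest=%2Fadmin%2F HTTP/1.1" 302 0',
    '203.0.113.7 - - [09/Jan/2025:10:12:09 +0000] "GET /noauth/example?dest=%2F%0A%0A%3Cscript%3E HTTP/1.1" 302 0',
    '203.0.113.7 - - [09/Jan/2025:10:12:15 +0000] "GET /noauth/example?dest=%252F%250a%250aX HTTP/1.1" 302 0',
]


if __name__ == "__main__":
    payload = "/\n\n<script>/* attacker script would run here */</script>"
    headers, body = lenient_parse(vulnerable_redirect(payload))
    print("vulnerable handler, parsed headers:", headers)
    print("vulnerable handler, body now starts with:", body[:8])
    print("hardened handler:", hardened_redirect(payload).split(b"\r\n")[0])
    for line in suspicious_requests(SAMPLE_LOG):
        print("ALERT", line)
```

Two things are worth noting. Stripping CR alone is not a fix, because many clients accept a bare LF as a line terminator, so the only robust rule is to reject every control character in a value that will be placed in a header. And the log check decodes more than once, since double-encoded payloads (%250a) pass a naive search for %0a and are only revealed after a second decode.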
Affected Versions:
- KerioControl versions 9.2.5 through 9.4.5 are impacted by this vulnerability.
Mitigation Steps:
GFI Software released KerioControl version 9.4.5 Patch 1 on December 19, 2024, addressing this vulnerability. Users are strongly advised to update to this version promptly. If immediate patching is not feasible, consider the following mitigations:
- Restrict Access: Limit access to KerioControl’s web management interface to trusted IP addresses and disable public access to the ‘/admin’ and ‘/noauth’ pages via firewall rules.
- Monitor Exploitation Attempts: Watch web logs for requests whose 'dest' parameter contains encoded line breaks (%0a or %0d, including double-encoded forms), and configure shorter session expiration times to reduce the window in which a stolen session or CSRF token remains usable.
For detailed information and guidance, refer to the official advisory from GFI Software.
Telegram Shared Data of Thousands of Users After CEO’s Arrest
Following the arrest of Telegram CEO Pavel Durov in August 2024, the company has significantly increased its cooperation with law enforcement agencies, leading to a substantial rise in user data disclosures. Between January and September 2024, Telegram had fulfilled only 14 U.S. government requests for user data, covering 108 users. By the end of the year the total for 2024 had risen to 900 requests affecting 2,253 users, meaning almost all of the disclosures came after his detention.
This shift has raised concerns among users about the platform's commitment to privacy, even as Telegram faces pressure over the criminal activity it hosts: the United Nations Office on Drugs and Crime reported that Telegram's minimally moderated channels have become hubs for illicit trade in hacked data, cybercrime tools, and money laundering services.
In response to these developments, Durov has defended the changes to Telegram’s privacy policies, emphasizing the platform’s commitment to freedom and privacy. He attributed the increase in legal requests to authorities using the correct contact address and reassured users that the core principles of the platform remain unchanged.
These events underscore the delicate balance between user privacy and the need for cooperation with law enforcement in combating criminal activities. Telegram’s evolving stance on data sharing highlights the challenges faced by encrypted messaging platforms in navigating legal and ethical considerations.
Thousands of credit cards stolen in Green Bay Packers store breach
In September and October 2024, the Green Bay Packers’ official Pro Shop online store experienced a data breach compromising the personal and financial information of approximately 8,500 customers.
Details of the Breach:
- Malicious Code Injection: Cybercriminals inserted malicious code into the Pro Shop’s checkout page, enabling unauthorized access to customer data.
- Compromised Information: The exposed data included names, billing and shipping addresses, email addresses, credit card types, numbers, expiration dates, and CVVs.
- Payment Methods Affected: Transactions made using credit cards were impacted. Payments via gift cards, Pro Shop accounts, PayPal, or Amazon Pay were not compromised.
Response and Mitigation:
- Immediate Action: Upon discovery of the breach on October 23, 2024, the Packers disabled all checkout and payment capabilities on the Pro Shop website.
- Investigation and Remediation: The team, in collaboration with cybersecurity experts and the website’s hosting vendor, removed the malicious code and implemented enhanced security measures.
- Customer Notification: Affected individuals were notified and offered three years of complimentary credit monitoring and identity theft protection services.
Researchers Expose NonEuclid RAT Using UAC Bypass and AMSI Evasion Techniques
Researchers have identified a sophisticated Remote Access Trojan (RAT) named NonEuclid, developed in C#, that enables unauthorized remote control of Windows systems. This malware employs advanced evasion techniques, including User Account Control (UAC) bypass and Antimalware Scan Interface (AMSI) evasion, to evade detection and maintain persistence.
Key Features of NonEuclid RAT:
- UAC Bypass: NonEuclid circumvents UAC protections, allowing it to execute commands with elevated privileges without user consent.
- AMSI Evasion: The malware employs techniques to bypass AMSI, which is designed to detect and block malicious scripts, thereby evading security measures.
- Antivirus Evasion: It configures Microsoft Defender Antivirus exclusions to prevent detection of its artifacts.
- Process Monitoring: NonEuclid monitors processes like “taskmgr.exe,” “processhacker.exe,” and “procexp.exe,” which are commonly used for analysis and process management, to avoid detection.
- Ransomware Capabilities: The malware can encrypt files with specific extensions (e.g., .CSV, .TXT, .PHP) and rename them with a “.NonEuclid” extension, effectively turning into ransomware.
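The behaviours listed above are also what a defender can key on. The following Python is an added detection example; it is not code from the NonEuclid analysis or from the malware, and the event stream, its field names and the Windows paths are constructed for illustration (an EDR or Sysmon pipeline would supply the real equivalents). It flags Defender exclusions being added from a command line and a single process renaming files to the ".NonEuclid" extension, and raises a stronger alert when the same process does both.

```python
"""
Added detection example for the NonEuclid behaviours listed above (constructed; not from
the Cyfirma report or the malware). Field names, paths and events are assumptions.
"""
import re
from collections import Counter

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

EVENTS = [
    # constructed sample events: process creations and file renames, keyed by the acting pid
    {"type": "process", "pid": 4120, "image": PS,
     "cmdline": r"powershell.exe -w hidden -c Add-MpPreference -ExclusionPath 'C:\Users\bob\AppData\Roaming\upd'"},
    {"type": "process", "pid": 4121, "image": PS, "cmdline": "powershell.exe -c Get-MpPreference"},
    {"type": "process", "pid": 4122, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes" /v upd.exe /t REG_DWORD /d 0'},
    {"type": "file_rename", "pid": 4120, "old": r"C:\Users\bob\Documents\q1.csv",
     "new": r"C:\Users\bob\Documents\q1.csv.NonEuclid"},
    {"type": "file_rename", "pid": 4120, "old": r"C:\Users\bob\Documents\notes.txt",
     "new": r"C:\Users\bob\Documents\notes.txt.NonEuclid"},
    {"type": "file_rename", "pid": 4120, "old": r"C:\inetpub\site\index.php",
     "new": r"C:\inetpub\site\index.php.NonEuclid"},
    {"type": "file_rename", "pid": 5009, "old": r"C:\tmp\a.txt", "new": r"C:\tmp\a.bak"},
]

# Defender exclusions being added from a command line: the PowerShell cmdlet, or a direct
# write to the Exclusions registry key. The read-only Get-MpPreference must not match.
ADD_EXCLUSION_RE = re.compile(r"add-mppreference\b.*-exclusion(path|process|extension)\b", re.I)
REG_EXCLUSION_RE = re.compile(r"\breg(?:\.exe)?\s+add\b.*windows defender\\exclusions\\", re.I)

RANSOM_EXT = ".noneuclid"
RENAME_THRESHOLD = 3   # renames by one process before we call it encryption activity


def detect_defender_exclusion(events):
    """Return (pid, cmdline) for every process event that adds a Defender exclusion."""
    hits = []
    for ev in events:
        if ev["type"] != "process":
            continue
        cmd = ev["cmdline"]
        if ADD_EXCLUSION_RE.search(cmd) or REG_EXCLUSION_RE.search(cmd):
            hits.append((ev["pid"], cmd))
    return hits


def detect_ransom_renames(events, threshold=RENAME_THRESHOLD):
    """Return {pid: count} for processes that renamed >= threshold files to .NonEuclid."""
    counts = Counter(ev["pid"] for ev in events
                     if ev["type"] == "file_rename" and ev["new"].lower().endswith(RANSOM_EXT))
    return {pid: n for pid, n in counts.items() if n >= threshold}


def run_detections(events):
    """Combine the rules into alert strings; a pid that trips both is the strongest signal."""
    alerts = []
    exclusions = detect_defender_exclusion(events)
    for pid, cmd in exclusions:
        alerts.append(f"defender_exclusion pid={pid} cmd={cmd}")
    renames = detect_ransom_renames(events)
    for pid, n in renames.items():
        alerts.append(f"ransom_rename pid={pid} files={n}")
    for pid in sorted({pid for pid, _ in exclusions} & set(renames)):
        alerts.append(f"noneuclid_chain pid={pid} (exclusion added, then files renamed)")
    return alerts


if __name__ == "__main__":
    for alert in run_detections(EVENTS):
        print(alert)
```

The exclusion rule is deliberately narrow (it matches the cmdlet only when paired with an -Exclusion* switch, and reg.exe only when it writes under the Exclusions key) so that routine Defender administration does not fire it; the rename rule uses a threshold rather than a single event so that one stray file does not page anyone. In a real pipeline the same process identity would be used to correlate the two.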
CISA Warns of Mitel MiCollab Vulnerabilities Exploited in Attacks
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two critical vulnerabilities in Mitel MiCollab to its Known Exploited Vulnerabilities (KEV) Catalog, indicating active exploitation in the wild.
Vulnerabilities Identified:
- CVE-2024-41713: A critical path traversal vulnerability in Mitel MiCollab's NuPoint Unified Messaging (NPM) component. Exploitation could allow unauthenticated attackers to gain unauthorized access to provisioning information and perform unauthorized administrative actions on the server. This vulnerability has a CVSS score of 9.8.
- CVE-2024-55550: A path traversal vulnerability that requires authenticated administrative privileges to exploit. Successful exploitation could allow attackers to read arbitrary files on the server, though the impact is limited to non-sensitive system information. This vulnerability has a CVSS score of 4.4.
Recommendations:
- Immediate Action: Organizations using Mitel MiCollab versions 9.8 SP1 FP2 (9.8.1.201) and earlier should upgrade to version 9.8 SP2 (9.8.2.12) or later to mitigate these vulnerabilities.
- Federal Agencies: Under Binding Operational Directive (BOD) 22–01, federal agencies are required to remediate these vulnerabilities by January 28, 2025.
- General Guidance: All organizations are advised to identify vulnerable Mitel MiCollab instances within their environments and apply the necessary updates or remove them as soon as possible to mitigate the risk of compromise.
FCC Launches ‘Cyber Trust Mark’ for IoT Devices to Certify Security Compliance
The U.S. government has introduced the U.S. Cyber Trust Mark, a voluntary cybersecurity labeling program designed to help consumers identify Internet of Things (IoT) devices that meet robust security standards. This initiative aims to enhance consumer confidence in connected products and encourage manufacturers to adopt stronger cybersecurity practices.
Key Features of the U.S. Cyber Trust Mark:
- Eligibility: The program applies to consumer wireless IoT products, including smart home security cameras, voice-activated shopping devices, smart appliances, fitness trackers, garage door openers, and baby monitors. It excludes wired devices, products primarily used for manufacturing or industrial control, and certain equipment related to national security.
- Certification Process: Manufacturers can apply for the Cyber Trust Mark by having their products tested by accredited laboratories recognized by the Federal Communications Commission (FCC). These labs assess whether the products meet cybersecurity criteria developed by the U.S. National Institute of Standards and Technology (NIST).
- Labeling: Certified products will display the Cyber Trust Mark — a distinctive shield logo — accompanied by a QR code. Scanning the QR code will provide consumers with detailed information about the product’s security features, such as support periods and automatic software updates.
Industry Support:
Major electronics, appliance, and consumer product manufacturers, as well as retailers and trade associations, have expressed support for the initiative. Companies like Amazon, Best Buy, Google, LG Electronics USA, Logitech, and Samsung are collaborating to enhance cybersecurity for the products they sell.
DoJ charged three Russian citizens with operating crypto-mixing services
The U.S. Department of Justice (DoJ) has charged three Russian nationals — Roman Vitalyevich Ostapenko, Alexander Evgenievich Oleynik, and Anton Vyachlavovich Tarasov — with operating cryptocurrency mixing services Blender.io and Sinbad.io. These services allegedly facilitated the laundering of illicit cryptocurrency funds, including proceeds from ransomware attacks and cyber thefts.
Details of the Charges:
- Blender.io and Sinbad.io: These platforms are accused of enabling users to obscure the origins of their cryptocurrency transactions, thereby assisting cybercriminals in legitimizing illicit gains.
- Indictment and Arrests: A federal grand jury in the Northern District of Georgia returned an indictment on January 7, 2025. Ostapenko and Oleynik were arrested on December 1, 2024, in coordination with international law enforcement agencies, while Tarasov remains at large.
Phishers abuse CrowdStrike brand targeting job seekers with cryptominer
Cybercriminals are exploiting the CrowdStrike brand to target job seekers with a phishing campaign that distributes cryptomining malware. This deceptive scheme involves impersonating CrowdStrike’s recruitment process to lure victims into downloading malicious software.
Details of the Phishing Campaign:
- Phishing Emails: The attack begins with emails that appear to be part of CrowdStrike’s recruitment process, inviting recipients to schedule interviews for junior developer positions. These emails contain links directing victims to a fraudulent website.
- Malicious Website: The deceptive site offers downloads for a fake “CRM application” compatible with both Windows and macOS. Regardless of the chosen platform, downloading the application triggers the installation of a Windows executable written in Rust. This executable then downloads and installs the XMRig cryptominer, which uses the victim’s system resources to mine Monero cryptocurrency.
- Evasion Techniques: The malware employs various methods to evade detection, including limiting CPU usage to 10% to avoid suspicion, scanning for security tools, and adding a batch script to the startup directory to ensure persistence.
Akamai to quit its CDN in China, seemingly not due to trouble from Beijing
Akamai Technologies has announced plans to discontinue its Content Delivery Network (CDN) services in China, effective June 30, 2026. This decision is part of the company’s strategic shift to focus on its core cybersecurity and cloud computing offerings.
Key Details:
- Transition Plan: To ensure a seamless transition for its clients, Akamai has partnered with Tencent Cloud and Wangsu Science & Technology. These partnerships aim to provide alternative CDN solutions within China, allowing customers to migrate their services smoothly.
- Customer Impact: Akamai has communicated to its clients that all current China CDN customers must complete the transition to the new partners’ solutions by June 30, 2026, to maintain uninterrupted service.
Casio says data of 8,500 people exposed in October ransomware attack
In October 2024, Casio Computer Co., Ltd. experienced a ransomware attack that compromised the personal data of approximately 8,500 individuals, including employees, business partners, and customers.
Details of the Data Breach:
Affected Individuals:
- Employees (6,456 individuals): Personal information such as names, employee numbers, email addresses, affiliations, genders, dates of birth, family details, addresses, phone numbers, taxpayer ID numbers, and headquarters system account information were exposed.
- Business Partners (1,931 individuals): Data including names, email addresses, phone numbers, company names, company addresses, and, for some, ID card information were compromised.
- Customers (91 individuals): Information such as delivery addresses, names, phone numbers, dates of purchase, and product names for items requiring delivery and installation were exposed.
Attack Details:
- The cyberattack occurred on October 5, 2024, when ransomware actors employing phishing tactics compromised Casio’s network, leading to an IT systems outage.
- The Underground ransomware group claimed responsibility for the attack, threatening to disclose confidential documents, financial files, project information, and employee data unless a ransom was paid.
Company Response:
- Casio did not negotiate with the cybercriminals and consulted with law enforcement agencies, outside counsel, and security experts.
- The company has been working to restore affected services, with most returning to normal operational status, though some services have not been recovered yet.