### Impact

In a Kubernetes cluster where Cilium is configured to proxy DNS traffic, an attacker can crash Cilium agents by sending a crafted DNS response to workloads from outside the cluster.

For traffic that is allowed but without using DNS-based policy, the dataplane will continue to pass traffic as configured at the time of the DoS. For workloads that have DNS-based policy configured, existing connections may continue to operate, and new connections made without relying on DNS resolution may continue to be established, but new connections which rely on DNS resolution may be disrupted. Any configuration changes that affect the impacted agent may not be applied until the agent is able to  restart.

### Patches

This issue affects:

- Cilium v1.14 between v1.14.0 and v1.14.17 inclusive
- Cilium v1.15 between v1.15.0 and v1.15.11 inclusive
- Cilium v1.16 between v1.16.0 and v1.16.4 inclusive

This issue is fixed in:

- Cilium v1.14.18
- Cilium v1.15.12
- Cilium v1.16.5

### Workarounds

There are no known workarounds to this issue.

### Acknowledgements

The Cilium community has worked together with members of Isovalent and the Cisco Advanced Security Initiatives Group (ASIG) to prepare these mitigations. Special thanks to @kokelley-cisco for reporting this issue and @bimmlerd for the fix.

### For more information

If you have any questions or comments about this advisory, please reach out on [Slack](https://docs.cilium.io/en/latest/community/community/#slack).

If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at [security@cilium.io](mailto:security@cilium.io). This is a private mailing list for the Cilium security team, and your report will be treated as top priority.

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-23028

**DoS in Cilium agent DNS proxy from crafted DNS responses**

Moderate severity GitHub Reviewed Published Jan 22, 2025 in cilium/cilium • Updated Jan 22, 2025

**Package**

gomod github.com/cilium/cilium (Go)

**Affected versions**

\>= 1.14.0, < 1.14.18

\>= 1.15.0, < 1.15.12

\>= 1.16.0, < 1.16.5

**Patched versions**

1.14.18

1.15.12

1.16.5

**Impact**

In a Kubernetes cluster where Cilium is configured to proxy DNS traffic, an attacker can crash Cilium agents by sending a crafted DNS response to workloads from outside the cluster.

For traffic that is allowed but without using DNS-based policy, the dataplane will continue to pass traffic as configured at the time of the DoS. For workloads that have DNS-based policy configured, existing connections may continue to operate, and new connections made without relying on DNS resolution may continue to be established, but new connections which rely on DNS resolution may be disrupted. Any configuration changes that affect the impacted agent may not be applied until the agent is able to restart.

**Patches**

This issue affects:

*   Cilium v1.14 between v1.14.0 and v1.14.17 inclusive
*   Cilium v1.15 between v1.15.0 and v1.15.11 inclusive
*   Cilium v1.16 between v1.16.0 and v1.16.4 inclusive

This issue is fixed in:

*   Cilium v1.14.18
*   Cilium v1.15.12
*   Cilium v1.16.5

**Workarounds**

There are no known workarounds to this issue.

**Acknowledgements**

The Cilium community has worked together with members of Isovalent and the Cisco Advanced Security Initiatives Group (ASIG) to prepare these mitigations. Special thanks to @kokelley-cisco for reporting this issue and @bimmlerd for the fix.

**For more information**

If you have any questions or comments about this advisory, please reach out on Slack.

If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at security@cilium.io. This is a private mailing list for the Cilium security team, and your report will be treated as top priority.

**References**

*   GHSA-9m5p-c77c-f9j7
*   cilium/cilium@1971bc6
*   cilium/cilium@b1948e2
*   https://nvd.nist.gov/vuln/detail/CVE-2025-23028
*   cilium/cilium#36252

Published to the GitHub Advisory Database

Jan 22, 2025

Last updated

Jan 22, 2025

GHSA-9m5p-c77c-f9j7: DoS in Cilium agent DNS proxy from crafted DNS responses

Cloudflare mitigates a record-breaking 5.6 Tbps DDoS attack, highlighting the growing threat of hyper-volumetric assaults. Learn about the…

Cloudflare mitigates a record-breaking 5.6 Tbps DDoS attack, highlighting the growing threat of hyper-volumetric assaults. Learn about the latest DDoS trends and the growing need to strengthen the security posture of your organization.

In its latest research report, Cloudflare reveals Distributed Denial-of-Service attack (DDoS attack) trends observed in the fourth quarter of 2024, drawing comparisons to previous quarters and the entire year.

The Cloudflare DDoS Threat Report for Q4 2024 highlights a significant surge in both the volume and intensity of DDoS attacks observed throughout the year. Cloudflare revealed that it successfully mitigated a record-breaking 5.6 terabits per second (Tbps) DDoS attack launched by a Mirai-variant botnet in the fourth quarter of 2024 comprising 13,000 IoT devices. The attack targeted an East Asian Internet Service Provider (ISP) on October 29th.

Previously, Cloudflare mitigated a 3.8 Tbps DDoS attack in October 2024. The latest unprecedented attack, which lasted only 80 seconds and was promptly mitigated by Cloudflare’s autonomous defence systems, highlights the escalating sophistication and scale of DDoS threats. 

Furthermore, the report reveals a dramatic increase in hyper-volumetric attacks exceeding 1 Tbps. Cloudflare’s report revealed a whopping 53% increase in the frequency of DDoS attacks throughout 2024, with the company blocking approximately 21.3 million attacks – an average of 4,870 attacks per hour. Attacks exceeding 1Tbps surged by a staggering 1,885% quarter-over-quarter, while those exceeding 100 million packets per second (pps) increased by 175%. These high-bandwidth attacks overwhelm conventional defences.

The fourth quarter also witnessed a disturbing trend: a 78% quarter-over-quarter increase in Ransom DDoS attacks. Cybercriminals are increasingly leveraging DDoS attacks as a tool for extortion, targeting businesses during peak seasons.

Cloudflare identified the prevalence of various attack types, including Layer 3/Layer 4 attacks (such as SYN floods, DNS floods, and UDP floods) and HTTP DDoS attacks. While known botnets were the primary source of HTTP attacks, Cloudflare documented attacks employing techniques such as spoofing legitimate browsers and utilizing unusual HTTP attributes.

Regarding the geographical distribution of attacks, Indonesia emerged as the leading source, followed by Hong Kong Singapore and China being the most attacked country. The analysis further identified the most impacted industries, pointing out the Telecommunications, Service Providers, and Carriers sectors as the primary target in Q4.

While the majority of attacks remained relatively small, with 63% of HTTP DDoS attacks not exceeding 50,000 requests per second and 93% of network-layer attacks not exceeding 500 Mbps, the emergence of new attack vectors presents a significant concern. Cloudflare observed a substantial increase in Memcached (314%) and BitTorrent (304%) DDoS attacks, highlighting the adaptability of threat actors in exploiting new vulnerabilities.   

Cloudflare’s report emphasises the necessity of proactive DDoS protection strategies and the need for organizations to understand the evolving nature of DDoS threats and invest in solutions to effectively mitigate unprecedented scale and complexity attacks.

1.  **The Mirai Botnet: what it is and What it has done**
2.  **Matrix Hackers Deploy New IoT Botnet for DDoS Attacks**
3.  **Mirai-Inspired Gorilla Botnet Hits Targets in 100 Countries**
4.  **Mirai-based NoaBot Botnet Hits Linux Systems with Cryptominer**
5.  **Panamorfi DDoS Attack Exploits Misconfigured Jupyter Notebooks**

Cloudflare Mitigates Massive 5.6 Tbps Mirai-Variant DDoS Attack

The flurry of non-human identity attacks at the end of 2024 demonstrates extremely strong momentum heading into the new year. That does not bode well.

Itzik Alvas, Co-Founder & CEO, Entro Security

January 22, 2025

3 Min Read

Source: Brain light via Alamy Stock Photo

COMMENTARY

A look back at 2024's top non-human identity (NHI) attacks and their year-end explosion sends a worrying signal that 2025 is going to be a tough year for machine-to-machine identity theft.

One year ago, NHI burst onto the scene with a big warning flare, when Cloudflare disclosed that NHI mismanagement caused a massive breach, stemming from the failure to rotate an access token and account credentials exposed in the 2023 Okta compromise. 

While the attack was contained, the impact on Cloudflare was nonetheless significant. The company disclosed it had to rotate every production credential (more than 5,000 individual credentials), physically segment test and staging systems, perform forensic triages on 4,893 systems, and then reimage and reboot every machine in its global network.

As the year progressed, NHI breaches gained momentum.

In June, the New York Times made its own news when 270GB of its internal data and applications in 5,000 repositories were stolen from GitHub and published on the Web. 

How? The breach was executed using NHI when an exposed GitHub Personal Access Token, a machine-to-machine secret, allowed unauthorized access to the company's code repositories. The "All the News That's Fit to Print" outlet downplayed the story. Cybersecurity experts did not agree, however, arguing that source-code leaks can have wide-ranging implications.

**High-Profile Breach Disclosures**

The year ended with a spate of high-profile breach disclosures attributed to NHI during the fourth quarter. 

Thousands of online stores running Adobe Commerce (formerly Magento) software were hacked and infected with digital payment skimmers. The NHI attack used stolen cryptographic keys to generate an application programming interface (API) authorization token, enabling the attacker to access private customer data and insert payment skimmers into the checkout process.

AWS and Microsoft Azure machine-to-machine authentication keys found in Android and iOS apps used by millions were compromised, exposing user data and source code to security breaches. Exposing this type of credential can easily lead to unauthorized access to storage buckets and databases with sensitive user data. Apart from this, attackers could use them to manipulate or steal data.

Schneider Electric confirmed its development platform was breached after a hacker used exposed Jira credentials to steal data. The hacker gloated that the breach compromised critical data, including projects, issues and plug-ins, along with over 400,000 rows of user data, totaling more than 40GB of compressed data,

The Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers were exploiting a critical missing authentication vulnerability in Palo Alto Networks Expedition, a migration tool that can help convert firewall configuration from Checkpoint, Cisco, and other vendors to PAN-OS. This security flaw enabled threat actors to remotely exploit it to reset application admin credentials on Internet-exposed Expedition servers.

A new sophisticated phishing tool targeting GitHub users was also revealed in the fourth quarter. It posed a significant threat to developers and organizations worldwide. Here's how this relates to NHIs: Bots used a compromised secret and set of permissions associated with that credential as the ingredients to make the API calls and create comments using a script.

The comments themselves convinced developers to use insecure scripts as validated solutions.

These scripts, in turn, could lead victims to phishing pages designed to steal login credentials, malware downloads, or rogue OAuth app authorization prompts granting attackers access to private repositories and data.

Finally, and bringing the year to a dramatic close, NHI was responsible for the US Treasury hack by Chinese threat actors, who gained access to "unclassified documents" after compromising the agency's networks. The attackers were able to exploit vulnerabilities in remote tech support software by misusing a leaked API key to gain unauthorized access.

The flurry of NHI attacks at the end of the year demonstrates extremely strong momentum heading into 2025. That does not bode well. 

Chief information security officers (CISOs) and security teams need to prioritize the emerging NHI threats roaring into the new year.

**About the Author**

Co-Founder & CEO, Entro Security

Itzik Alvas is co-founder and CEO at Entro Security and former healthcare organization CISO and information technology manager at Microsoft.

A cloud and security expert with more than 17 years of experience managing and building teams of hundreds of employees for both leading global enterprise companies and early-stage startups, always at the forefront of state-of-art security solutions used by governments, top intelligence agencies, data centers, cloud providers and industrial markets. Itzik served with the IDF's elite intelligence unit.

Will 2025 See a Rise of NHI Attacks?

President Trump pardons Silk Road founder Ross Ulbricht, slamming prosecutors as “scum.” The move reignites debates on cybercrime…

President Trump pardons Silk Road founder Ross Ulbricht, slamming prosecutors as “scum.” The move reignites debates on cybercrime justice, presidential power, and fairness.

U.S. President Donald Trump has issued a full pardon to Ross Ulbricht, the founder of the infamous dark web marketplace **Silk Road**. The decision has kicked off a debate across political, legal, and cybersecurity circles while raising questions about possible pardons for other high-profile figures such as Julian Assange and Edward Snowden.

****The Silk Road Story****

Launched in February 2011, Silk Road was an online marketplace accessible through the Tor network, designed to ensure user anonymity. The platform operated much like eBay but was primarily known for facilitating the trade of illegal goods, particularly drugs. Payments on Silk Road were conducted using Bitcoin, making transactions nearly untraceable.

Ross Ulbricht, operating under the pseudonym “Dread Pirate Roberts,” positioned himself as a libertarian ideologue, claiming the marketplace was a tool to undermine government overreach and provide individuals with greater personal freedoms. However, the site soon became a hub for illegal activities, including drug trafficking, weapons sales, and hacking tools.

****The Arrest****

Ulbricht was **arrested on October 1, 2013**, in the science fiction section of a public library in San Francisco. The dramatic takedown was part of a planned operation by federal agents who had been tracking Ulbricht for months including postings on online forums, metadata from server logs, and evidence found on Ulbricht’s laptop at the time of his arrest.

When captured, Ulbricht’s laptop was open and running, providing agents with incriminating evidence, including logs of Silk Road transactions, communications with administrators, and his personal journal. Ulbricht then faced a litany of charges, including:

*   **Conspiracy to traffic narcotics.**
*   **Conspiracy to commit computer hacking.**
*   **Conspiracy to commit money laundering.**
*   **Continuing a criminal enterprise** (a charge commonly used against organized crime figures).

While the charges focused on his role in enabling large-scale drug trafficking, federal authorities also accused him of attempting to arrange hits on individuals he perceived as threats to Silk Road. Although no murders were carried out, these allegations added significant weight to the prosecution’s case.

****The Sentencing****

In 2015, Ross Ulbricht was convicted on all charges and sentenced to **two life sentences plus 40 years** without the possibility of parole. The severity of the sentence shocked many observers, who argued that it was disproportionately harsh compared to other cases involving similar offenses. Civil liberties advocates and digital rights groups questioned whether the punishment was intended to set an example for others operating in the digital underground.

Seized Silk Road market (Screenshot: Hackread.com)

****The Pardon****

Trump’s decision to pardon Ross Ulbricht was announced on January 21, 2025. In a post on Truth Social, Trump described the prosecution and conviction of Ulbricht as a “scum,” criticizing the authorities involved in the case.

> _“I just called the mother of Ross William Ulbricht to let her know that in honor of her and the Libertarian Movement, which supported me so strongly, it was my pleasure to have just signed a full and unconditional pardon of her son, Ross. The scum that worked to convict him were some of the same lunatics who were involved in the modern day weaponization of government against me. He was given two life sentences, plus 40 years. Ridiculous!”_
> 
> Donald Trump

The Ulbricht pardon raises fundamental questions about justice in the digital age. How should courts balance technological innovation, personal freedom, and the responsibility for harm caused?

1.  **Obama Pardons** **Chelsea Manning**
2.  **CIA Whistleblower Guilty of Leaking Vault 7 Docs to WikiLeaks**
3.  **Dark Web Hydra Market Mastermind Sentenced to Life by Russia**
4.  **British judge says Julian Assange will not be extradited to the US**
5.  **23-Year-Old Arrested for Running 100M Incognito Dark Web Market**

Trump Pardons Silk Road Founder Ross Ulbricht, Calls Prosecutors ‘Scum’

A previously undocumented China-aligned advanced persistent threat (APT) group named PlushDaemon has been linked to a supply chain attack targeting a South Korean virtual private network (VPN) provider in 2023, according to new findings from ESET.
"The attackers replaced the legitimate installer with one that also deployed the group's signature implant that we have named SlowStepper – a

PlushDaemon APT Targets South Korean VPN Provider in Supply Chain Attack

Despite lagging in technology adoption, African and Middle Eastern organizations are catching up, driven by smartphone acceptance and national identity systems.

Source: Ground Picture via Shutterstock

National governments and companies in the Middle East and Africa continue to push for more widely available digital identity systems to allow citizens to connect and authenticate to digital government services and commercial services.

In Morocco, the government issued more than 4.6 million electronic identity cards in 2024 and expanded its digital infrastructure with a trusted third-party authentication platform in an effort to offer new services and cut cybercrime rates. More than 7.2 million people are now enrolled in the United Arab Emirates' official digital ID, known as UAE Pass, and can authenticate to websites. And the National Bank of Egypt has adopted a single sign-on infrastructure that will allow its employees to use a variety of authentication methods, and which will eventually be rolled out to its millions of customers.

The increasing use of multifactor authentication, especially efforts tied to smartphones or biometrics, have had success in the region because — in many cases — organizations have no technical debt to overcome, says Jim Sullivan, senior vice president of strategy and compliance at BIO-Key, which provided the technology for the National Bank of Egypt, as well as the largest bank in South Africa and the government of Nigeria.

"These are greenfield opportunities — it's tremendous," he says. "There's national initiatives that are well funded that are really bringing more biometrics to the fore, more awareness of the power of this technology."

Better authentication and the use of biometrics has taken off in the Middle East and Africa due to government concerns over cybercrime and fraud and international concerns over the lack of legal identities for more than 540 million people in the region. In Africa, cyber-risk is the No. 1 concern among businesses leaders, with 61% aiming to mitigate the threat in 2025, according to PwC's "2025 Digital Trust Insights: South Africa and Africa" report. In the Middle East, cyber-risk has fallen to the second greatest concern, behind digital and technology risks and tied with inflation and macroeconomic volatility, with 42% of organizations making mitigation of the cyber risks a priority, according to PwC's "2025 Digital Trust Insights: Middle East" report.

Despite that, only 19% of companies in Africa and 12% of companies in the Middle East are prioritizing investments in identity and access management (IAM) technologies, according to the PwC reports. Most companies are prioritizing the acquisition of data protection technologies, generative AI systems, and network security in the region, with the Middle East also prioritizing the addition of cyber insurance for the business.

**Biometrics Embraced by Mideast, African Markets**

A shift to biometrics, however, could change that. The significant reliance of smartphones for Internet access and digital transactions is leading many governments and organizations to adopt biometric-based identity systems and to use biometrics as a second factor of authentication for digital services.

Digital identity platforms, such as UAE Pass in the United Arab Emirates and Nafath in Saudi Arabia, integrate with existing fingerprint and facial-recognition systems and can reduce the reliance on passwords, says Chris Murphy, a managing director with the cybersecurity practice at FTI Consulting in Dubai.

"With mobile devices serving as the primary gateway to digital services, smartphone-based biometric authentication is the most widely used method in public and private sectors," he says. "Some countries, such as the UAE and Saudi Arabia, are early adopters of passwordless authentication, leveraging AI-based facial recognition and behavioral analytics for seamless and secure identity verification."

African nations have also rolled out national identity cards based on biometrics. In South Africa, for example, customers can walk into a bank and open an account by using their fingerprint and linking it to the national ID database, which acts as the root of trust, says BIO-Key's Sullivan.

"After they verify that that person is who they say they are with the Home Affairs Ministry, they can store that fingerprint \[in the system\]," he says. "From then on, anytime they want to authenticate that user, they just touch a finger. They've just now started rolling out the ability to do that without even presenting your card for subsequent business."

**An Easy Upgrade Path**

While the links to national identity systems means biometrics make sense, companies do not need to jump feet first into biometric-based authentication, BIO-Key's Sullivan says. In many cases, enterprise customers start with a single sign-on system that then transitions to biometrics for identity or as a second factor.

"The use case is typically one where you have users that are moving around, and you don't want them to carry a phone or a token — finance, retail point-of-sale, banking, and manufacturing, where you have workforces that are roving around a manufacturing shop floor," he says. "We have to accommodate the fact that a lot of companies still use traditional technologies and don't want to just make a big-bang switch, so we we allow them to sort of start with what they're doing now ... \[and\] as they start to see the power of having a biometric option, they can evolve to that."

The push for stronger authentication is not limited to the Middle East and Africa. Worldwide, Microsoft sees 600 million identity attacks per day, of which 99.9% could be blocked with strong identity protections, such as multifactor authentication. Yet adoption has been slow: At the beginning of 2023, for example, Microsoft found that only 28% of the company's Azure Active Directory customers had turned on strong identity protections, up from 22% in 2022. Starting in February, the company will require MFA for all user accounts accessing the Microsoft 365 admin center, according to the company.

Saudi Arabia has established strong identity standards through its National Cybersecurity Authority's Essential Cybersecurity Controls (ECC-1:2018), while the UAE has implemented similar requirements through the Information Assurance Regulation (IAR), FTI Consulting's Murphy says.

Next up: AI-augmented identity platforms, he says. AI-driven authentication solutions, including liveness detection and real-time facial recognition, will likely be part of the mix.

"As digital identity ecosystems expand," Murphy says, "AI-based authentication and real-time identity verification will become critical components of cybersecurity, ensuring both security and usability across industries."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Mandatory MFA, Biometrics Make Headway in Middle East, Africa

Torrance, United States / California, 22nd January 2025, CyberNewsWire

**Torrance, United States / California, January 22nd, 2025, CyberNewsWire**

AI SPERA, a leading Cyber Threat Intelligence (CTI) provider, has collaborated with OnTheHub, a global provider of software in education, to deliver its integrated cybersecurity solution, Criminal IP, to students and educational institutions. This strategic initiative aims to enhance cybersecurity awareness and protection in the education sector by offering internationally compliant solutions at affordable prices.

Criminal IP will now extend its reach to educational institutions worldwide, reinforcing its growing presence in the global security market. Since its launch, Criminal IP has gained users in over 150 countries and formed strategic alliances with more than 40 global cybersecurity companies, including Cisco, Snowflake, Tenable, and VirusTotal.

(Criminal IP Lite Plan on OnTheHub)

OnTheHub is a worldwide operating platform that provides software and learning materials at discounted rates to educational organizations and their members. Through this collaboration, Criminal IP and OnTheHub seek to strengthen the cybersecurity frameworks of educational organizations on the platform, aligning with the ongoing digital transformation (DT) in education, particularly regarding Learning Management Systems (LMS). Students and researchers can access Criminal IP by redeeming coupons purchased through OnTheHub on the Criminal IP website, enabling them to utilize a globally recognized CTI platform at an affordable cost.

Criminal IP offers real-time risk analysis and vulnerability insights for global IP addresses and domains. Utilizing AI and machine learning technologies, the solution scans for security threats across various ports and devices, quickly identifying malicious IPs and domains while categorizing threat levels into five distinct tiers. Additionally, organizations can leverage Criminal IP ASM to oversee and manage IT assets, and Criminal IP FDS to detect unauthorized network access attempts during login or payment processes, all provided through a user-friendly SaaS model.

In terms of compatibility, Criminal IP offers an intuitive user interface (UI) and an integrated API, facilitating seamless integration with a variety of software and security solutions. This enables users to comprehensively evaluate security risks, including threat scores for IT assets, exposure of IoT devices, and phishing domain identification. Consequently, students and researchers associated with OnTheHub’s partner institutions will gain access to high-quality threat intelligence data and a robust platform for academic activities such as threat hunting, development, and research.

> AI SPERA CEO Byung-tak Kang commented, “Through this partnership, we are excited to provide more students and educational institutions with a globally recognized security solution at a reasonable price. We hope that Criminal IP will help students and researchers prevent security threats in educational environments and ensure a safe digital space for learning.”

**About AI SPERA**

AI SPERA, renowned for its advanced solutions, has expanded internationally, with ‘Criminal IP’ as its flagship offering. Operating in more than 150 countries, ‘Criminal IP’ is backed by enterprise-grade security solutions like ‘Criminal IP ASM’ and ‘Criminal IP FDS’. Strategic partnerships with global leaders such as Cisco, VirusTotal, and Quad9 have significantly enhanced ‘Criminal IP’s capabilities. AI SPERA’s ‘Criminal IP’ has recently entered the marketplace of major US data warehousing platforms, including Amazon Web Services (AWS), Microsoft Azure, and Snowflake, expanding its global reach for threat data.

**Contact**

**Michael Sena**  
**\[email protected\]**

Criminal IP and OnTheHub Partner to Deliver Advanced Cybersecurity Solutions for Education

Sophos noted more than 15 attacks have been reported during the past three months.

Source: True Images via Alamy Stock Photo

NEWS BRIEF

Sophos X-Ops' Managed Detection and Response (MDR) is warning of ransomware attacks using email bombing as well as imitating tech support, otherwise known as vishing, through Microsoft Office 365.

These attacks are tied to two separate threat groups, which Microsoft began investigating in response to customer incidents in November and December 2024. The threat groups are tracked as STAC5143 and STAC5777.

STAC5777 overlaps with a group previously identified by Microsoft as Storm-1811, while STAC5143 is using tactics from an old Storm-1811 playbook.

According to Sophos MDR, there have been more than 15 incidents involving these tactics in the past three months, half of them occurring just in the last two weeks.

These tactics include using Microsoft remote control tools like Quick Assist or Teams screen sharing. From there attackers take control of a victim's device and install malware, sending Teams messages or making Teams calls from a threat actor-controlled Office 365 impersonating tech support. They also send large volumes of spam emails to overwhelm Outlook mailboxes, a strategy known as email bombing.

"We believe with high confidence that both sets of adversarial activity are parts of ransomware and data theft extortion efforts," said the Sophos researchers in their report. 

The ransomware deployed by these two groups include Black Basta and Python ransomware; the researchers note that STAC5777 in particular is highly active.

Though Sophos has deployed detections for the malware included in these campaigns, it recommends organizations take further steps to prevent attacks, such as ensuring their Microsoft 365 services restrict Teams calls from outside organizations, as well as raise employee awareness of these tactics, which are not normally covered in anti-phishing trainings.

Sophos provided a list of indicators of compromise for these campaigns available for viewing on its GitHub repository.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Email Bombing, 'Vishing' Tactics Abound in Microsoft 365 Attacks

An issue in System.Linq.Dynamic.Core Latest version v.1.4.6 allows remote access to properties on reflection types and static properties/fields.

**Property reflection in System.Linq.Dynamic.Core**

High severity GitHub Reviewed Published Jan 21, 2025 to the GitHub Advisory Database • Updated Jan 21, 2025

GHSA-4cv2-4hjh-77rx: Property reflection in System.Linq.Dynamic.Core

### Impact

Authenticated users are able to exploit an XSS vulnerability when viewing previewed content.

### Patches

Will be patched in 10.8.8, 13.5.3, 14.3.2 and 15.1.2.

### Workarounds

None available.


1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  GHSA-69cg-w8vm-h229

**XSS/HTML Injection Vulnerability in Umbraco Preview Badge**

Moderate severity GitHub Reviewed Published Jan 21, 2025 in umbraco/Umbraco-CMS • Updated Jan 21, 2025

**Package**

nuget Umbraco.Cms (NuGet)

**Affected versions**

\>= 10.8.7, < 10.8.8

\>= 11.0.0, < 13.5.3

\>= 14.0.0, < 14.3.2

\>= 15.0.0, < 15.1.2

**Patched versions**

10.8.8

13.5.3

14.3.2

15.1.2

**Impact**

Authenticated users are able to exploit an XSS vulnerability when viewing previewed content.

**Patches**

Will be patched in 10.8.8, 13.5.3, 14.3.2 and 15.1.2.

**Workarounds**

None available.

**References**

*   GHSA-69cg-w8vm-h229

Published to the GitHub Advisory Database

Jan 21, 2025

Last updated

Jan 21, 2025

Tag

#git