Cyber News Roundup for January 24, 2025
This week in cybersecurity, we cover a range of emerging stories on threats and vulnerabilities that highlight the ongoing challenges in the industry. From the rise of AI tools like GhostGPT fueling cybercrime to critical flaws in popular software platforms like SonicWall and Ivanti, attackers continue to exploit new entry points for malicious activity. Additionally, we dive into high-stakes incidents such as the Lazarus Group’s latest malware campaign and the growing risks associated with IoT botnets. Stay informed about the latest vulnerabilities, malware campaigns, and the tools cybercriminals are using to target organizations worldwide.
GhostGPT facilitates cyberattacks
Abnormal Security has published a report on GhostGPT, an uncensored AI chatbot designed for cybercriminals. The tool can be used to automate malware creation and exploit development, as well as to write phishing emails for use in business email compromise (BEC) attacks. GhostGPT is sold as a Telegram bot. The researchers note that the tool “likely uses a wrapper to connect to a jailbroken version of ChatGPT or an open-source large language model (LLM), effectively removing any ethical safeguards.” Abnormal adds that the tool has grown very popular since it surfaced late last year, indicating an increased interest in cybercrime-focused AI tools. (Abnormal)
Critical SonicWall vulnerability may be under exploitation
SonicWall has disclosed a critical remote code execution vulnerability (CVE-2025-23006) affecting its Secure Mobile Access (SMA) 1000 series products. The company warns that the flaw may be under active exploitation and strongly advises users to upgrade to the hotfix release of the SMA1000 software. SonicWall added, “To minimize the potential impact of the vulnerability, please ensure that you restrict access to trusted sources for the Appliance Management Console (AMC) and Central Management Console (CMC).” Restricting who can reach the management consoles reduces exposure but is a stopgap, not a substitute for the hotfix. The flaw has been assigned a CVSS score of 9.8. (SonicWall)
CISA and the FBI issue advisory on Ivanti CSA exploit chains
The US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint advisory outlining two exploit chains used by threat actors to compromise Ivanti Cloud Service Appliances (CSAs), SecurityWeek reports. The advisory states, “According to CISA and trusted third-party incident response data, threat actors chained the listed vulnerabilities to gain initial access, conduct remote code execution (RCE), obtain credentials, and implant webshells on victim networks. The actors’ primary exploit paths were two vulnerability chains. One exploit chain leveraged CVE-2024-8963 in conjunction with CVE-2024-8190 and CVE-2024-9380 and the other exploited CVE-2024-8963 and CVE-2024-9379.” (CISA, SecurityWeek)
Cisco Fixes vulnerability in Meeting Management
Cisco has disclosed a privilege escalation vulnerability in its Meeting Management tool that could allow a remote, authenticated attacker with low privileges to gain administrator privileges on exposed instances. The flaw, tracked as CVE-2025-20156 with a CVSS score of 9.9, was disclosed by Cisco on Wednesday. Cisco has released a fix in Cisco Meeting Management version 3.9.1; the company says there are no workarounds that address this vulnerability and urges customers to update to that version. (InfoSecurity Magazine)
ChatGPT’s API could have been used in DDoS attacks
A now-fixed vulnerability in ChatGPT’s API, discovered by German researcher Benjamin Flesch and described by him as an example of “bad programming,” allowed an attacker to trigger an unbounded number of connection requests from a single call. Flesch said the bug occurred when the API processed HTTP POST requests to the back-end server, and came down to the fact that OpenAI “did not have a limit on the number of URLs that can be included in a single request.” That oversight let an attacker cram thousands of URLs into one request, each of which OpenAI’s servers would then fetch, so a targeted website could be overloaded by traffic that appears to come from OpenAI rather than from the attacker. The vulnerability was assigned a CVSS score of 8.6 because it is a network-based, low-complexity flaw that requires neither elevated privileges nor user interaction to exploit. (Cyberscoop)
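The bug class here is server-side fan-out without a budget: a caller hands the service a list and the service makes one outbound request per entry. The Python below is an added illustrative example, not OpenAI’s code; the endpoint behaviour is modelled from the description above, and the limits, field names and target hostnames are assumptions. It shows the vulnerable planner beside a hardened request handler that bounds the list size, collapses trivial URL variants and caps fan-out per destination host.

```python
from collections import Counter
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Assumed policy limits for the hardened handler (illustrative values, not OpenAI's).
MAX_URLS_PER_REQUEST = 20
MAX_URLS_PER_HOST = 3
ALLOWED_SCHEMES = {"http", "https"}


def attack_body(target: str, n: int) -> dict:
    """Constructed attacker request: n query-string variants of one target URL,
    which is how a single POST turns into n fetches against one site."""
    return {"urls": [f"{target}?v={i}" for i in range(n)]}


def plan_fetches_unbounded(body: dict) -> list:
    """Vulnerable pattern: every submitted URL becomes an outbound fetch, with no
    cap, no dedupe and no per-destination budget."""
    return list(body.get("urls", []))


def canonicalize(url: str) -> Optional[str]:
    """Normalize a URL so trivial variants compare equal; None if not fetchable."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return None  # rejects ftp://, file://, bare paths, etc.
    host = parts.hostname  # urlsplit already lowercases scheme and hostname
    if parts.port and parts.port not in (80, 443):
        host = f"{host}:{parts.port}"
    # Drop userinfo and fragment; keep the query, since it may select a genuinely
    # different resource. Query-string variants are limited by the per-host cap.
    return urlunsplit((parts.scheme, host, parts.path or "/", parts.query, ""))


def handle_attribution_request(body: dict) -> dict:
    """Hardened handler: bounded list size, dedupe after canonicalization, and a
    per-host fan-out cap so one request cannot be aimed at a single origin."""
    urls = body.get("urls")
    if not isinstance(urls, list):
        return {"status": 400, "error": "urls must be a list"}
    if len(urls) > MAX_URLS_PER_REQUEST:
        return {"status": 400, "error": f"at most {MAX_URLS_PER_REQUEST} urls per request"}
    seen, per_host, planned = set(), Counter(), []
    for raw in urls:
        canon = canonicalize(raw) if isinstance(raw, str) else None
        if canon is None or canon in seen:
            continue
        host = urlsplit(canon).netloc
        if per_host[host] >= MAX_URLS_PER_HOST:
            continue  # surplus entries for one host are dropped, not fetched
        seen.add(canon)
        per_host[host] += 1
        planned.append(canon)
    return {"status": 200, "fetch": planned}


if __name__ == "__main__":
    flood = attack_body("https://victim.example/", 5000)
    print("unbounded planner:", len(plan_fetches_unbounded(flood)), "fetches")
    print("hardened handler:", handle_attribution_request(flood))
```

The per-host cap is the part that matters for the amplification case: an attacker who stays under the request-size limit can still only cause a handful of fetches against any one origin, and the rest of the list is discarded rather than queued.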
‘Magic’ backdoor targets enterprise Juniper Routers
Black Lotus Labs has discovered a new campaign, named J-magic, that targets “Juniper-brand routers at the edge of high-value networks.” As Nate Nelson writes in Dark Reading, such routers typically lack endpoint detection and response protection, sit in front of a firewall, and don’t run monitoring software, which makes the attacks harder to detect. In this instance, exposed enterprise routers are implanted with a variant of cd00r, a 25-year-old backdoor that stays dormant until it receives an activation phrase, also known as a “magic packet.” Once triggered, it grants access to a reverse shell, from which the attackers can steal data, manipulate configurations, and spread to more devices. Because nothing on the router itself will see the implant, detection has to come from network telemetry and from checks of the device’s own configuration and running processes. (Dark Reading)
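To make the “dormant until a magic packet” behaviour concrete, and to show what a network sensor can look for when there is no agent on the router, here is an added Python example. It is not Black Lotus Labs’ code and does not reproduce J-magic’s actual trigger conditions, which the report describes only as an activation phrase; it models the classic cd00r trigger, which waits for TCP SYNs to a secret sequence of ports in order, together with a simple detection heuristic over packet metadata. The packet records, addresses and port numbers are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    """Minimal packet metadata (constructed for the example; no real capture)."""
    ts: float      # seconds
    src: str
    dst: str
    dport: int
    flags: str     # TCP flags as letters: "S" = SYN only, "SA", "A", ...


class Cd00rTrigger:
    """Model of the cd00r activation logic: stay silent until SYNs arrive at the
    secret ports in exact order; an out-of-order SYN resets the sequence.
    The real implant would spawn its shell where feed() returns True."""

    def __init__(self, ports):
        self.ports = tuple(ports)
        self.idx = 0
        self.activated_by = None

    def feed(self, p: Pkt) -> bool:
        if p.flags != "S":            # only bare SYNs count as knocks
            return False
        if p.dport == self.ports[self.idx]:
            self.idx += 1
            if self.idx == len(self.ports):
                self.activated_by, self.idx = p.src, 0
                return True
        else:                         # wrong port: restart (a fresh first knock still counts)
            self.idx = 1 if p.dport == self.ports[0] else 0
        return False


def knock_candidates(packets, open_ports, min_knocks=3, window=10.0):
    """Detection heuristic: per source, SYNs to ports the device does not serve,
    clustered within `window` seconds. Returns {src: [ports knocked]}."""
    by_src = defaultdict(list)
    for p in sorted(packets, key=lambda q: q.ts):
        if p.flags == "S" and p.dport not in open_ports:
            by_src[p.src].append(p)
    hits = {}
    for src, syns in by_src.items():
        start = 0
        for end in range(len(syns)):
            while syns[end].ts - syns[start].ts > window:
                start += 1
            if end - start + 1 >= min_knocks:
                hits[src] = [q.dport for q in syns[start:end + 1]]
                break
    return hits


# Constructed traffic toward an edge router 192.0.2.1 that legitimately serves
# SSH, HTTPS and BGP. 203.0.113.9 sends the three-port knock; 198.51.100.4 is
# an ordinary SSH client.
ROUTER_OPEN_PORTS = {22, 443, 179}
SECRET_SEQUENCE = (9999, 7777, 5555)
SAMPLE = [
    Pkt(1.0, "203.0.113.9", "192.0.2.1", 9999, "S"),
    Pkt(1.5, "203.0.113.9", "192.0.2.1", 7777, "S"),
    Pkt(2.0, "203.0.113.9", "192.0.2.1", 5555, "S"),
    Pkt(5.0, "198.51.100.4", "192.0.2.1", 22, "S"),
    Pkt(5.1, "198.51.100.4", "192.0.2.1", 22, "A"),
]


def run_sample():
    """Return (implant activated?, by which source, detector hits) over SAMPLE."""
    trig = Cd00rTrigger(SECRET_SEQUENCE)
    fired = any([trig.feed(p) for p in SAMPLE])   # list: feed every packet
    return fired, trig.activated_by, knock_candidates(SAMPLE, ROUTER_OPEN_PORTS)


if __name__ == "__main__":
    print(run_sample())
```

The heuristic also fires on ordinary port scans, so in practice the alert is worth correlating with what follows: a new listening socket on the router, or an outbound connection from it shortly after the knock. Both are visible in flow records or on a span port even when the router cannot run an agent.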
Pwn2Own Automotive awards over $382,000 on its first day
Trend Micro’s Zero Day Initiative (ZDI) launched Pwn2Own Automotive 2025 in Tokyo, awarding $382,750 on the first day for 16 zero-day exploits targeting infotainment systems, EV chargers, and automotive operating systems. Top rewards included $50,000 each for exploits on Autel and Ubiquiti chargers, while a ChargePoint charger exploit earned $47,500. Participants also received $20,000 for hacking Alpine, Kenwood, and Sony infotainment systems. Nearly two dozen more attempts are planned. (SecurityWeek)
North Korea’s Lazarus group uses fake job interviews to deploy malware
The North Korean APT Lazarus Group is running a campaign, tracked as “Contagious Interview” or “DevPopper,” that targets the technology, financial, and cryptocurrency sectors. Using fake job interviews, the attackers deploy malware such as BeaverTail and InvisibleFerret to compromise developers’ systems and exfiltrate sensitive data. InvisibleFerret, a Python-based implant, steals cryptocurrency wallets, source code, credentials, and more, using FTP, encrypted connections, and Telegram for exfiltration. The lure combines social engineering with malicious coding challenges aimed at software developers, so any code a candidate is asked to run as part of an “interview” should be treated as untrusted and executed only in a disposable environment. (Cyber Security News)
Major Cybersecurity Vendors’ Credentials Found on Dark Web
Researchers at threat intelligence firm Cyble have discovered thousands of leaked credentials for at least 14 major cybersecurity vendors on the dark web since the start of 2025, including CrowdStrike, Palo Alto Networks, and McAfee. In a report published January 22nd, Cyble says these credentials were likely extracted from infostealer logs and include access to internal accounts and customer platforms. While many accounts may have additional security layers like MFA, the findings highlight the importance of dark web monitoring to prevent potential cyberattacks. (Infosecurity)
The Internet is (once again) awash with IoT botnets delivering record DDoSes
IoT-driven DDoS attacks are on the rise, along with a surge in botnets built from infected home routers, cameras, and other devices. Notably, Cloudflare reported a record 5.6 terabit-per-second DDoS attack launched from roughly 13,000 IoT devices, while other security firms, including Qualys and Trend Micro, have tracked multiple botnets built on Mirai variants. Experts warn that IoT devices remain easy to compromise because of outdated firmware and weak default settings, and urge users to change default passwords, disable remote management, and install patches promptly. (Cloudflare, Ars Technica)
Critical zero-days impact premium WordPress real estate plugins
Two critical flaws, one in the RealHome theme and one in the Easy Real Estate plugin for WordPress, allow unauthenticated attackers to gain admin privileges, leaving about 32,600 websites exposed. Although the flaws were reported to the vendor, InspiryThemes, in September 2024, no patches have been released and both remain exploitable. Administrators should immediately disable the affected theme and plugin, restrict user registration, and apply mitigations to prevent exploitation. (Bleeping Computer)
7-Zip flaw bypasses Windows security warnings
Mark of the Web, or MotW, is a metadata identifier used in Windows that marks files downloaded from the Internet as potentially unsafe; it is what triggers the pop-up warning when such a file is run and causes Office to open it in Protected View. The popular file archiver 7-Zip added MotW support in 2022. However, Trend Micro’s Zero Day Initiative issued an advisory noting that attackers can use maliciously crafted archives to deliver files without the mark: 7-Zip did not propagate the mark to files extracted from nested archives, so opening them triggers none of the usual MotW warnings. 7-Zip developer Igor Pavlov patched the flaw in November 2024 (the fix is in version 24.09). However, because the utility lacks an auto-update feature, a significant number of installs likely remain vulnerable. (Bleeping Computer)
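A quick way to check whether a download, or a file extracted from it, actually carries the mark is to read the NTFS alternate data stream named Zone.Identifier in which Windows stores it. The Python below is an added example (not 7-Zip’s or Trend Micro’s code): it parses the stream’s [ZoneTransfer] block, decides whether the recorded zone is one that triggers the warning and Protected View, and audits a directory of extracted files for missing marks. The sample stream contents are constructed; reading the stream itself only works on NTFS volumes under Windows.

```python
import os
from typing import Optional

# Security zone identifiers as Windows writes them into the Zone.Identifier stream.
ZONE_NAMES = {0: "LocalMachine", 1: "LocalIntranet", 2: "TrustedSites",
              3: "Internet", 4: "RestrictedSites"}
WARN_ZONES = {3, 4}   # zones for which Windows warns and Office uses Protected View


def parse_zone_identifier(text: str) -> Optional[dict]:
    """Parse the INI-style [ZoneTransfer] block; None if it is absent or has no
    usable ZoneId. ReferrerUrl and HostUrl are present on newer downloads only."""
    info, in_block = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_block = line.lower() == "[zonetransfer]"
            continue
        if in_block and "=" in line:
            key, _, value = line.partition("=")
            info[key.strip()] = value.strip()
    if "ZoneId" not in info:
        return None
    try:
        info["ZoneId"] = int(info["ZoneId"])
    except ValueError:
        return None
    info["ZoneName"] = ZONE_NAMES.get(info["ZoneId"], "Unknown")
    return info


def is_marked_untrusted(text: Optional[str]) -> bool:
    """True when the stream marks the file as coming from a zone that warns."""
    info = parse_zone_identifier(text) if text else None
    return bool(info) and info["ZoneId"] in WARN_ZONES


def read_zone_identifier(path: str) -> Optional[str]:
    """Read the Zone.Identifier alternate data stream (Windows/NTFS only).
    Returns None when the file carries no mark, or on any other platform."""
    try:
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None


def audit_extracted(directory: str) -> dict:
    """Walk an extraction directory and classify every file as marked or unmarked.
    Files an unpatched 7-Zip pulled out of a nested archive land in 'unmarked'."""
    result = {"marked": [], "unmarked": []}
    for root, _, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            bucket = "marked" if is_marked_untrusted(read_zone_identifier(path)) else "unmarked"
            result[bucket].append(path)
    return result


# Constructed stream contents in the form Windows writes them.
SAMPLE_INTERNET = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                   "ReferrerUrl=https://files.example/download\r\n"
                   "HostUrl=https://files.example/report.7z\r\n")
SAMPLE_INTRANET = "[ZoneTransfer]\r\nZoneId=1\r\n"

if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_INTERNET))
    print(audit_extracted("."))
```

On a Windows host the same single-file check is available from PowerShell with Get-Content -Stream Zone.Identifier; the point of the directory audit is that an archive extracted by an unpatched 7-Zip can leave its contents in the unmarked bucket even though the archive itself was marked.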
Mirai variant hits IP cameras and routers
Researchers at Qualys have documented a new variant of the pernicious Mirai botnet, dubbed Murdoc_Botnet, which targets flaws in AVTECH IP cameras and Huawei routers and has infected over 1,300 systems since July 2024. Most infections were found in Indonesia, Malaysia, Mexico, Thailand, and Vietnam, and the compromised devices are used to support denial-of-service attacks. The researchers found that Murdoc_Botnet exploits known vulnerabilities to gain access to IoT devices and then runs a shell script to fetch a next-stage payload. (The Hacker News)
Microsoft Teams used in IT support campaign
Sophos researchers documented a campaign by a threat actor, tracked as STAC5143, that uses email bombing to set up a fake IT support call. The attackers first hammer a potential victim with up to thousands of messages over a few minutes, then place an external Microsoft Teams call posing as a “Help Desk Manager” who offers to resolve the problem through a remote screen control session. During that session they drop a ProtonVPN executable together with a malicious DLL that it loads, creating a command-and-control channel, and install the pentest tool RPivot to set up a SOCKS4 proxy. Sophos stopped the attack, but believes the final goal was to steal data and deploy ransomware. FIN7 has used RPivot in past attacks, but Sophos did not have high confidence in attributing this activity to that more significant threat group. (Bleeping Computer)
HPE investigates breach claims
Last Thursday, the well-known hacker IntelBroker claimed to be selling data stolen from the systems of Hewlett Packard Enterprise (HPE). IntelBroker says the compromised data includes source code for the Zerto and iLO products, private GitHub repositories, digital certificates, Docker builds, and personal information from old user deliveries. IntelBroker also claims to be offering access to some HPE services, including APIs, WePay, GitHub and GitLab. The company confirmed it is investigating the claims and says that, so far, it has not experienced any operational impacts. (SecurityWeek and Bleeping Computer)
Have questions? Reach out to RedSeal to chat with one of our cybersecurity experts or schedule a demo today.