
Cyware Daily Threat Intelligence, January 20, 2025


In today's threat landscape even natural disasters become fertile ground for abuse. Southern California's wildfires have triggered a parallel wave of phishing scams aimed at affected individuals and businesses. Fraudsters lean on relief and recovery themes to push bogus donation requests, fake insurance claims, and cryptocurrency fraud.

Elsewhere, PHP-based web servers are being hijacked to promote online gambling platforms in Indonesia. Targeting servers that run the Moodle LMS, attackers create unauthorized administrator accounts, install rogue plugins, steal credentials, and deploy Python-based bots, using GSocket to keep a channel open to the compromised hosts.

Meanwhile, Moxa has patched a critical authorization flaw in its EDS-508A Series Ethernet switches that could grant unauthorized access and disrupt operations. Admins are urged to obtain the patch from Moxa and apply it immediately.

Top Malware Reported in the Last 24 Hours

PHP Servers Promote Gambling Platforms in Indonesia

Researchers unearthed a campaign targeting PHP-based web servers to promote gambling platforms in Indonesia. The attackers use Python-based bots and deploy GSocket to maintain communication with the compromised servers. The servers, mainly running the Moodle LMS, are used to host PHP files that promote online gambling. Observed activity includes creating unauthorized administrator accounts, installing rogue plugins, and stealing credentials. Recommended mitigations: keep Moodle and its plugins updated, block the domains used by the campaign, and remove any administrator accounts or plugins that you did not create.
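The mitigation advice above boils down to three checks an operator can run against a Moodle host: are there site admins you did not approve, are there plugin directories you did not install or that changed recently, and is a GSocket relay (gs-netcat) running. The script below is an added example written for this briefing, not Cyware's or the Moodle project's code. It assumes the Moodle convention that the config table's `siteadmins` row is a comma-separated list of user ids and that plugins live in per-type directories such as `local/`, `blocks/` and `mod/`; the admin row, user map, plugin list and `ps` output are constructed stand-ins for what you would pull from the database, the filesystem and `ps -eo pid,user,args`.

```python
"""Baseline checks for the Moodle abuse pattern in the briefing: unexpected site
admins, new or recently changed plugin directories, and a resident gs-netcat.

Added example, not code from the briefing or from Moodle. Assumptions: the
'siteadmins' config row is a comma-separated list of user ids; plugins are
directories under type folders (local/, blocks/, mod/). All inputs below are
constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Finding:
    kind: str      # rogue-admin | new-plugin | gsocket-process
    subject: str   # username, plugin path, or pid
    detail: str


# Constructed: value of the 'siteadmins' config row and the users it refers to.
SITEADMINS_ROW = "2,5,1337"
USERS = {2: "admin", 5: "itops", 1337: "wp-update"}

# Constructed: plugin directories with their last-modified time.
PLUGINS = [
    ("mod/forum", datetime(2024, 6, 1)),
    ("local/seo_helper", datetime(2025, 1, 18, 3, 12)),
    ("blocks/html", datetime(2025, 1, 19, 2, 40)),
]

# Constructed: output in the shape of `ps -eo pid,user,args`.
PS_OUTPUT = """\
  PID USER     COMMAND
  612 www-data php-fpm: pool www
 7310 www-data /tmp/.x/gs-netcat -s 3f9a... -il
 7422 www-data python3 /var/www/moodle/local/seo_helper/bot.py
"""

# Command-line tokens that identify a GSocket relay (assumed indicator list).
SUSPICIOUS_ARGS = ("gs-netcat", "gsocket")


def rogue_admins(siteadmins_row, users, baseline_ids):
    """Site admin ids present in the config row but absent from the approved baseline."""
    current = {int(x) for x in siteadmins_row.split(",") if x.strip()}
    return [Finding("rogue-admin", users.get(uid, f"id {uid}"),
                    f"user id {uid} is a site admin but not in baseline")
            for uid in sorted(current - set(baseline_ids))]


def new_plugins(plugins, baseline_paths, now, window=timedelta(days=14)):
    """Plugin directories not in the baseline, or baseline ones modified inside the window."""
    findings = []
    for path, mtime in plugins:
        if path not in baseline_paths:
            findings.append(Finding("new-plugin", path, "not in approved plugin baseline"))
        elif now - mtime <= window:
            findings.append(Finding("new-plugin", path,
                                    f"modified {mtime:%Y-%m-%d %H:%M}, inside {window.days}-day window"))
    return findings


def gsocket_processes(ps_output):
    """Processes whose command line references GSocket's gs-netcat binary."""
    findings = []
    for line in ps_output.splitlines()[1:]:      # skip the PID/USER/COMMAND header
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, user, args = parts
        if any(tok in args.lower() for tok in SUSPICIOUS_ARGS):
            findings.append(Finding("gsocket-process", pid, f"{user}: {args}"))
    return findings


def audit(baseline_admins, baseline_plugins, now):
    """Run all three checks against the constructed inputs and return the findings in order."""
    return (rogue_admins(SITEADMINS_ROW, USERS, baseline_admins)
            + new_plugins(PLUGINS, baseline_plugins, now)
            + gsocket_processes(PS_OUTPUT))


def audit_sample():
    """Audit with a fixed 'now' and a baseline of two admins and two known plugins."""
    return audit({2, 5}, {"mod/forum", "blocks/html"}, datetime(2025, 1, 20))


if __name__ == "__main__":
    for f in audit_sample():
        print(f"[{f.kind}] {f.subject}: {f.detail}")
```

On a real host, replace the constants with the `siteadmins` row from the database, a walk of the plugin type directories, and live `ps` output; the baseline sets should come from your change records, not from the current state of the box, because an attacker who has already added an admin or plugin is part of the current state.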

Top Vulnerabilities Reported in the Last 24 Hours

Flaws in WGS-804HPT Switches Enable RCE

Three security flaws, CVE-2024-52558, CVE-2024-52320, and CVE-2024-48871, affect Planet Technology's WGS-804HPT industrial switches: an integer underflow (medium severity), a command injection (critical), and a buffer overflow (critical), respectively. Together they allow pre-authentication remote code execution (RCE) on affected devices, letting an adversary take control of the switch and pivot into the internal network. Planet Technology released patches on November 15, 2024.

Critical Authorization Flaw Fixed in Moxa EDS-508A Series

Moxa disclosed a critical security flaw, CVE-2024-12297, in the EDS-508A Series Ethernet switches, affecting firmware version 3.11 and prior. An attacker can exploit it to gain unauthorized access and potentially halt operations. Moxa has developed a security patch; admins must contact Moxa Technical Support to obtain it. Until the patch is applied, Moxa recommends restricting network access to the device, limiting SSH access, deploying IDS/IPS, and hardening device configurations.

PoC Released for High-Risk Zero-Day Flaw

Security researcher MrAle_98 published a proof-of-concept (PoC) exploit on GitHub for CVE-2024-49138, a high-severity zero-day in the Windows Common Log File System (CLFS) driver. The flaw lets an attacker elevate to SYSTEM privileges on an affected machine. Microsoft confirmed it was exploited in the wild before a fix was available and addressed it in the December 2024 Patch Tuesday release. The flaw affects a range of Windows versions; the PoC was tested on Windows 11 23H2. With a public exploit now available, unpatched systems are at increased risk, and the update should be applied promptly.

Top Scams Reported in the Last 24 Hours

California Wildfires Exploited to Launch Phishing Scams

Southern California is facing severe wildfires, and cybercriminals are exploiting the situation by targeting affected individuals and organizations. Phishing scams tied to the disaster are on the rise, including bogus insurance claims, rogue fundraising sites, and fake merchandise stores. Many scams use terms such as "LA fire" and "relief" to appear legitimate, while others involve cryptocurrency fraud. Between January 8 and 13, 2025, 119 domains connected to the disaster were registered, mainly through GoDaddy. These campaigns often reuse old images and solicit donations under false pretenses. Organizations should monitor for disaster-themed phishing and remind users to verify sender addresses and URLs and to give only through known, trusted organizations.
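The two signals the briefing gives, a registration date inside the January 8-13 window and lure terms such as "LA fire" and "relief" in the name, are enough for a first-pass filter over a newly-registered-domain feed. The script below is an added example for this briefing, not Cyware's tooling, and does not reproduce the 119 domains the briefing counts. The feed entries are constructed, and `LURE_TERMS` is an assumed starting list built from the terms the briefing mentions plus obvious donation wording; tune it to the incident you are watching.

```python
"""Flag newly registered domains that reuse disaster-relief lure terms.

Added example for this briefing; not Cyware's code. NRD_FEED is constructed
sample data and LURE_TERMS is an assumed starting list.
"""
import re
from datetime import date

LURE_TERMS = ("lafire", "losangelesfire", "wildfire", "relief", "donate", "fundrais")

# Constructed newly-registered-domain feed: (domain, registration date, registrar).
NRD_FEED = [
    ("lafire-relief-fund.com", date(2025, 1, 9), "GoDaddy"),
    ("wildfiredonate.org", date(2025, 1, 12), "GoDaddy"),
    ("example-bakery.com", date(2025, 1, 10), "Namecheap"),
    ("la-fire-insurance-claims.net", date(2025, 1, 13), "GoDaddy"),
    ("oldrelief.org", date(2023, 6, 1), "GoDaddy"),
]


def normalize(domain):
    """Lowercase the name, keep the part left of the last dot, and drop hyphens and
    digits so that 'LA-Fire-2025.com' compares as 'lafire'. Multi-label suffixes
    such as .co.uk are not special-cased here."""
    label = domain.lower().rsplit(".", 1)[0]
    return re.sub(r"[-0-9]", "", label)


def matched_terms(domain):
    """Lure terms contained in the normalized domain, in LURE_TERMS order."""
    n = normalize(domain)
    return [t for t in LURE_TERMS if t in n]


def flag_domains(feed, start, end):
    """Domains registered between start and end (inclusive) that carry a lure term."""
    flagged = []
    for domain, registered, registrar in feed:
        if not (start <= registered <= end):
            continue
        terms = matched_terms(domain)
        if terms:
            flagged.append((domain, registered.isoformat(), registrar, terms))
    return flagged


def flag_sample():
    """Apply the check to the constructed feed over the Jan 8-13, 2025 window."""
    return flag_domains(NRD_FEED, date(2025, 1, 8), date(2025, 1, 13))


if __name__ == "__main__":
    for domain, registered, registrar, terms in flag_sample():
        print(f"{domain}\t{registered}\t{registrar}\t{','.join(terms)}")
```

A hit from this filter is a lead, not a verdict: a legitimate relief effort can register a fresh domain in the same window, so route matches to an analyst (or to a block list only after a second signal such as a donation form collecting card data or a crypto wallet address) rather than blocking on name alone.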
