May 24, 2025

Hello all,

It was a busy news week with a nice smattering of good news about indictments and takedowns of threat actors and their infrastructure. Pwn2Own Berlin concluded with 29 zero-days being used. Some have already been patched; others are now under a 90-day clock for vendors to patch before the results are made public.

As usual, the RedDotSecurity.news website contains this commentary and a plethora of links to other items that are not in this introduction and that are worth skimming to see if they interest you or pertain to your particular environment, or to the environments of those you support. There is a lot more there than just what is in this video.

Headline NEWS:

  • Microsoft abruptly announced the end of granting up to 10 free Microsoft Business Premium and Office 365 E1 licenses to non-profit organizations. Instead, they will offer up to 300 Business Basic licenses at no cost, which are online only and don’t include desktop applications. They are also offering discounts of up to 75% on Business Premium and other licensing. I guess if local applications are needed, and there aren’t funds for Microsoft’s new money-grab, organizations could use free office suites such as LibreOffice and still obtain the free Microsoft Business Basic license to get 1TB of OneDrive storage for each user. The change must be made when current licenses come up for renewal. If you’re a non-profit, or support one, make sure you stay on top of this so that it doesn’t catch you by surprise.
  • Microsoft OneDrive is going to enable the unbelievably bone-headed move of offering to add personal accounts to OneDrive on corporate workstations. This has been universally decried by security professionals as a massive vulnerability, compliance, and security nightmare, as there will be little to no tracking or control over what a user simply drags from protected locations to their own personal accounts. Administrators are highly encouraged to disable this new functionality, which will be on by default, as soon as possible.
  • The Palo Alto GlobalProtect gateway portal has a Cross-Site Scripting (XSS) vulnerability that can allow a malicious actor to create look-alike sites to convince users to give up their credentials. Upgrade to the latest versions of Cloud NGFW and PAN-OS when those updates become available to patch this defect. In the meantime, follow the vendor’s recommended mitigation actions.
  • TikTok is the Chinese gift that keeps on giving. Dirtbags have figured out that if you offer hacks to steal activation codes for paid software via TikTok instructional videos, unsuspecting wanna-be thieves will follow those directions, like sheep to the slaughter, and self-infect with malware and infostealers. Somehow, I have a hard time feeling sorry for them. Stealing software is a crime. In the words of the hacktivist named xoxo from Prague, “Don’t do crime CRIME IS BAD”.
  • VMware ESXi, vCenter, VMware Cloud Foundation and more have had critical vulnerabilities disclosed by Broadcom that can enable XSS, arbitrary command execution, and denial of service. These defects are present in ESXi, vCenter Server, Workstation 17.x, Fusion 13.x, VMware Cloud Foundation, Telco Cloud Platform, and Telco Cloud Infrastructure. Patches are available if you have support with Broadcom. If you’re not going to pay for support, it may be time to switch to a different hypervisor technology, or else your compromise risk will continue to increase.
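One way to audit, and optionally enforce, the block on personal OneDrive accounts mentioned in the OneDrive item above. This is an added example, not code from the original post or from Microsoft; it assumes the existing OneDrive policy "Prevent users from syncing personal OneDrive accounts" (registry value DisablePersonalSync) is the control that suppresses the new prompt, and that it runs elevated.

```powershell
# Added example, not from the original post. It assumes the existing OneDrive
# policy "Prevent users from syncing personal OneDrive accounts"
# (DisablePersonalSync = 1) is the control that blocks adding personal
# accounts on the workstation, and that the script runs elevated.
param([switch]$Remediate)

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'
$ValueName = 'DisablePersonalSync'

# Returns 1 if blocked, 0 if explicitly allowed, -1 if the policy is not set.
function Get-PersonalSyncState {
    if (-not (Test-Path $PolicyKey)) { return -1 }
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.$ValueName) { return -1 }
    return [int]$props.$ValueName
}

$state = Get-PersonalSyncState
if ($state -eq 1) {
    Write-Output "COMPLIANT: $ValueName = 1, personal accounts blocked"
} elseif ($state -eq -1) {
    Write-Output "NOT SET: personal accounts allowed (the default once the feature rolls out)"
} else {
    Write-Output "NON-COMPLIANT: $ValueName = $state, personal accounts allowed"
}

# Optional remediation for standalone or non-GPO-managed machines; in a domain,
# deliver the same setting through Group Policy instead so it cannot drift.
if ($Remediate -and $state -ne 1) {
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -Value 1 -PropertyType DWord -Force | Out-Null
    Write-Output "REMEDIATED: $ValueName set to 1; OneDrive picks it up on next start"
}
```

Run it without `-Remediate` across a fleet first to see how many workstations report NOT SET before changing anything.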

In Ransomware, Malware, and Vulnerabilities News:

  • Wins by the good guys this week include at least one miscreant responsible for hacking PowerSchool pleading guilty in court to cyber extortion conspiracy, cyber extortion, unauthorized access to protected computers, and aggravated identity theft. 16 Russian nationals have been criminally charged with operating the DanaBot botnet, whose infrastructure was taken down at the same time in an international police action. Charges were filed against the leader of the group responsible for Qakbot malware, which has experienced some very public takedowns recently. Along with the charges, it was announced that over $24 million worth of funds have been seized from various accounts, which will ultimately be returned to the victims of this evil organization. In coordination with international authorities, the LummaC2 (C2 meaning command and control) malware infrastructure was dealt a devastating blow when much of it was seized and taken offline. And finally, Microsoft filed suit to take down 2,300 domains being used by the Lumma stealer group, which it found had infected nearly 400,000 Windows computers worldwide.

In Other News Events of Note and Interest:

  • Quantum computers are rapidly developing and increasing in capacity. D-Wave announced general availability of their Advantage2 quantum computer with 4,400 qubits of computational capacity. Even this relatively low number of qubits can be effectively leveraged to perform complex modeling that classical computers would choke on. However, as another article writes, it is estimated that it will take around 1 million qubits for a quantum computer to crack RSA-2048 encryption, and based on current growth projections, that number is between 2 and 7 years away.

Musings:

I’ve personally witnessed a stark uptick in the number of successful attacks against organizations this past week. And the unfortunate reality is that most were preventable. I regularly see things like firewalls with outdated firmware that have known vulnerabilities, and virtual private networks that do not follow best practices such as multifactor authentication and limiting access to only those who need it, rather than everyone in the entire enterprise. I see email accounts without multifactor authentication, users with elevated permissions for their online accounts and for local accounts on their workstations, and the same administrative account with the same password on all devices in the network – all of which make a threat actor’s job infinitely simpler. On the infrastructure side I see hypervisor hosts that are joined to the same domain as the guest machines, meaning that if administrator credentials are compromised, the hypervisor host will be too, and that goes for backup servers as well. And don’t get me started on network segmentation. All of the digital eggs should not be in the same basket. If your network, or one you are responsible for, has these preventable issues in place, now is the time to schedule a conversation with your virtual Chief Information Officer or Strategic Account Advisor to determine how to shore up your network against the waves of assault by the hordes of threat actors hell-bent on giving you a very bad day.

Keep the shields up!

Viscount Jan Broucinek
Red Dot Security News
