Friday, Jan 24, 2025 // (IG): BB // GITHUB // SGM Jarrell
ProxyLogon Vulnerability Remains Unpatched on 91% of Exchange Servers
Bottom Line Up Front (BLUF): Despite nearly four years since Microsoft patched the critical ProxyLogon vulnerability (CVE-2021-26855), 91% of public-facing Microsoft Exchange servers remain unpatched, leaving them open to exploitation. The flaw, heavily used by China's Salt Typhoon group for breaching US telecoms and government networks, continues to pose a significant cybersecurity threat due to its ease of exploitation and attackers’ persistence.
Analyst Comments: The high percentage of unpatched Exchange servers highlights systemic issues in vulnerability management, particularly for legacy systems critical to enterprise and government operations. Salt Typhoon’s use of ProxyLogon demonstrates the ongoing value of targeting unpatched, well-known vulnerabilities for initial access. Organizations must prioritize patch management and threat detection to defend against nation-state actors. Failure to act not only exposes systems to data theft but also risks enabling adversaries to maintain long-term, stealthy access to critical networks. Enhanced regulatory pressure and awareness campaigns may be necessary to ensure better compliance.
FROM THE MEDIA: According to a new report from Tenable, 91% of nearly 30,000 publicly exposed Exchange servers vulnerable to CVE-2021-26855 (ProxyLogon) remain unpatched. The vulnerability was disclosed in March 2021 and has been used by China's Salt Typhoon group for espionage campaigns targeting US telecommunications and government entities. Salt Typhoon exploits ProxyLogon and other vulnerabilities to achieve remote code execution and persistence on victim networks. The group uses custom malware such as GhostSpider, SnappyBee, and Masol RAT to maintain stealthy access and extract sensitive data. Tenable’s findings come as US lawmakers continue to investigate Salt Typhoon’s cyber espionage campaigns, alongside other Chinese state-backed hacking groups like Volt Typhoon and Flax Typhoon. Experts testified before Congress, warning that China’s cyber activities aim to disrupt critical infrastructure and prepare for conflict scenarios by exploiting unpatched systems.
READ THE STORY: The Register
Rising Tensions Over Undersea Data Cables Amid Russian Activity
Bottom Line Up Front (BLUF): The Russian spy ship Yantar was tracked in British waters this week, raising renewed concerns about the vulnerability of undersea data cables vital to the global economy. NATO has intensified its surveillance and deterrence efforts, reflecting the strategic importance of these cables, which transmit 99% of the world’s data and facilitate $10 trillion in daily transactions.
Analyst Comments: Undersea cables are increasingly becoming a focal point in hybrid warfare, as their disruption could lead to significant economic and communication breakdowns. The Yantar’s movements and other alleged sabotage incidents underscore the geopolitical competition over these critical assets. NATO's response to bolster security highlights the perceived risks and challenges of protecting these cables in vast, remote oceanic regions. Looking forward, more sophisticated monitoring and counter-sabotage measures, alongside international cooperation, may be required to mitigate the risks.
FROM THE MEDIA: This week, Royal Navy vessels tracked the Russian spy ship Yantar in British waters, prompting a direct response from U.K. Defense Secretary John Healey. Healey emphasized that the encounter was meant to send a message to Russia about the West’s vigilance over undersea cable security. The Yantar, equipped with mini-submarines and advanced sensors, is suspected of mapping and potentially targeting critical undersea data and energy cables. NATO, which estimates that these cables carry most of global data and financial transactions, has escalated its monitoring efforts in the Baltic and North Atlantic. Recent incidents, including a Russian tanker severing a power cable between Finland and Estonia and a Chinese ship cutting two data cables, further underscore the threats posed by state and non-state actors.
READ THE STORY: WSJ
Cybersecurity Experts Strategize Taiwan's Defense in Simulated Cyberwar with China
Bottom Line Up Front (BLUF): Cybersecurity experts conducted a war game to prepare Taiwan for a potential cyber and physical attack from China. The exercise emphasized defending critical communications and power infrastructure, inspired by Ukraine's strategies for maintaining connectivity during the conflict. Participants proposed diverse solutions, from low-tech backups like ham radios to infrastructure decentralization, to improve resilience against advanced Chinese cyber capabilities.
Analyst Comments: Taiwan's geographic isolation and heavy reliance on imported energy and undersea cables make it uniquely vulnerable to physical and cyber blockades. Unlike Ukraine, which benefits from diversified connectivity through neighboring countries, Taiwan faces challenges maintaining continuity during a conflict. Focusing on civilian preparedness, such as public training programs and decentralized infrastructure, reflects the growing recognition of non-military actors' roles in modern warfare. These strategies, while practical, underscore the urgent need for Taiwan to balance cost-effective, immediate defenses with long-term investments in robust, distributed systems.
FROM THE MEDIA: At Black Hat and DEF CON, experts were tasked with envisioning Taiwan's defensive strategies in the face of a simulated Chinese invasion in 2030. The scenario focused on China's attempts to disrupt Taiwan’s power and communications through cyberattacks and physical strikes, including severing undersea cables and targeting command-and-control systems. Participants presented 65 strategies, with 70% of recommendations emphasizing infrastructure resilience, such as decentralizing power systems and stockpiling resources. Suggestions ranged from installing modular nuclear reactors to adopting Bluetooth-based mesh networks as backups to cellular systems. Much of the exercise also focused on civilian involvement, including public messaging campaigns and training programs to create a technically skilled, resilient population capable of maintaining communications during a prolonged conflict.
READ THE STORY: DR
OpenAI Launches "Operator" AI Agent for Web-Based Tasks
Bottom Line Up Front (BLUF): OpenAI has introduced "Operator," an AI-driven agent capable of performing multi-step online tasks such as booking reservations, ordering groceries, or filling out forms. Available to ChatGPT Pro subscribers, Operator leverages GPT-4o's capabilities, combining browser automation with text and computer vision models. While promising, the tool has an inconsistent success rate and raises potential privacy concerns over data handling.
Analyst Comments: The launch of Operator signals the advent of AI agents designed to perform complex, repetitive online tasks autonomously, a trend aligned with the "agentic era" in AI. While OpenAI's focus on security mechanisms such as prompt injection defense and anomaly detection is commendable, privacy concerns about its screenshot-based data processing may hinder widespread adoption. Moreover, its reported performance variability highlights the challenges of creating reliable AI for complex workflows. As this technology matures, its applications could disrupt industries reliant on web-based human interactions, such as e-commerce and customer service.
FROM THE MEDIA: OpenAI's new "Operator" AI agent allows users to automate online tasks via a browser interface. The tool combines browser automation (similar to Selenium) with GPT-4o’s text, reasoning, and computer vision capabilities. OpenAI claims Operator can handle tasks such as booking reservations, ordering from online platforms, and completing forms, though current success rates range from 38% to 87% depending on the task. Operator stores screenshots to navigate graphical interfaces, raising privacy concerns. Designed to partner with companies like DoorDash, OpenTable, and Uber, Operator may encounter compatibility challenges with uncooperative platforms. OpenAI has implemented safeguards to prevent malicious use, including content moderation and defenses against adversarial attacks. Despite these measures, the system remains in a "research preview" phase, with OpenAI acknowledging room for improvement.
READ THE STORY: The Register
Hacking Group Mimics Kremlin-Linked Gamaredon to Target Russian Entities
Bottom Line Up Front (BLUF): A hacking group, dubbed GamaCopy, has been imitating the tactics of the Kremlin-linked threat actor Gamaredon to target Russian-speaking victims. Researchers have identified GamaCopy deploying phishing documents and remote access software like UltraVNC in a campaign that mimics Gamaredon but uses Russian-language lures, likely as part of a false-flag operation.
Analyst Comments: The emergence of GamaCopy highlights how lesser-known threat actors are adopting false-flag tactics to exploit geopolitical tensions. By imitating Gamaredon, GamaCopy not only conceals its true identity but also seeks to divert blame, likely sowing discord between Russia and its adversaries. This campaign demonstrates the increasing sophistication of attribution manipulation in the cyber threat landscape. If linked to Core Werewolf, as researchers suggest, it also points to a broader strategy targeting Russia’s defense and critical infrastructure sectors. This trend of mimicking state-backed groups could complicate attribution for security analysts and heighten tensions among already strained international relations.
FROM THE MEDIA: The Chinese cybersecurity firm Knownsec reported that GamaCopy has been targeting Russian-speaking victims using phishing documents disguised as reports about Russian military facilities in Ukraine. The group also used self-extracting 7-Zip archives (7zSFX) to deliver malware payloads and deployed UltraVNC for remote access. While these techniques are commonly associated with the Kremlin-linked group Gamaredon, GamaCopy’s campaigns diverge by focusing on Russian-language lures rather than Ukrainian ones. Knownsec believes GamaCopy is linked to the state-sponsored group Core Werewolf, which has previously targeted Russia’s defense sector. Discovered in June 2023, GamaCopy has likely been active since at least 2021. This operation follows other campaigns against Russian infrastructure, including attacks by Sticky Werewolf and Sapphire Werewolf, further underscoring the increased cyber-espionage activity aimed at Russia.
READ THE STORY: The Record
Custom Backdoor Targets Juniper Routers Using "Magic Packet" Vulnerability
Bottom Line Up Front (BLUF): A new campaign, dubbed "J-magic," is exploiting a vulnerability in enterprise-grade Juniper Networks routers, leveraging a custom backdoor that uses "magic packets" for covert access. The malware targets Junos OS-based devices, focusing on critical sectors like energy, IT, and manufacturing across multiple regions.
Analyst Comments: The J-magic campaign underscores the growing trend of targeting network edge infrastructure, such as routers, which often lack robust endpoint detection and response (EDR) solutions. This demonstrates how attackers are evolving their methods to exploit enterprise-grade hardware while remaining stealthy. Using a challenge-response mechanism to secure control of the backdoor indicates a level of sophistication aimed at preventing hijacking by other threat actors. This campaign may lead to heightened scrutiny of Juniper routers and similar infrastructure and increased urgency for the adoption of stronger security measures in edge devices.
FROM THE MEDIA: The backdoor listens for specially crafted "magic packets" sent over TCP traffic, which trigger a reverse shell connection to the attacker's specified IP address and port. Impacted sectors include semiconductor, energy, and manufacturing industries in countries like the U.S., U.K., Argentina, and Indonesia. The malware is a modified version of the 25-year-old cd00r backdoor, which allows it to operate outside traditional detection methods. Many affected routers function as VPN gateways or have exposed NETCONF ports, making them attractive targets for attackers aiming to automate router configurations. The findings emphasize the continued targeting of unsecured edge infrastructure by threat actors preparing for more significant follow-on attacks.
READ THE STORY: THN
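The J-magic story describes two things a defender can look for in router telemetry: a router-initiated TCP session to an arbitrary outside address and port (the reverse shell that a magic packet triggers), and NETCONF reachable from outside the management network. The following is an added example, not code from the article or from the J-magic report: it runs a small triage over constructed flow records. The record layout, the management network 10.0.0.0/24, the router address 10.0.0.1, and every sample flow are assumptions made for illustration.

```python
"""
Added example (not from the article or the J-magic report): review constructed
flow records from a router and flag the two conditions the story describes.
The record format, the management allowlist and the sample data are assumed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical management network and router address (assumed for the example).
MGMT_NET = ip_network("10.0.0.0/24")
ROUTER_IP = ip_address("10.0.0.1")
NETCONF_PORT = 830  # NETCONF over SSH, the IANA-assigned port


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def is_router_originated_external(flow: Flow) -> bool:
    """A TCP session that the router itself opens to a destination outside the
    management network is unusual for a device that is managed rather than
    managing others; a reverse shell to an attacker-chosen IP and port, as the
    article describes, would appear as exactly such a flow."""
    return (flow.proto == "tcp"
            and ip_address(flow.src) == ROUTER_IP
            and ip_address(flow.dst) not in MGMT_NET)


def is_exposed_netconf(flow: Flow) -> bool:
    """Inbound NETCONF from outside the management network means the port is
    reachable from where it should not be."""
    return (flow.proto == "tcp"
            and flow.dport == NETCONF_PORT
            and ip_address(flow.dst) == ROUTER_IP
            and ip_address(flow.src) not in MGMT_NET)


def triage(flows):
    """Return (finding_name, flow) pairs in the order the flows were seen."""
    findings = []
    for f in flows:
        if is_router_originated_external(f):
            findings.append(("router_outbound", f))
        if is_exposed_netconf(f):
            findings.append(("netconf_exposed", f))
    return findings


# Constructed sample flows (not real telemetry); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation address ranges.
SAMPLE_FLOWS = [
    Flow("10.0.0.50", 51000, "10.0.0.1", 22, "tcp"),       # admin SSH, expected
    Flow("10.0.0.50", 51001, "10.0.0.1", 830, "tcp"),      # admin NETCONF, expected
    Flow("203.0.113.9", 44000, "10.0.0.1", 830, "tcp"),    # NETCONF from the internet
    Flow("10.0.0.1", 40000, "198.51.100.7", 8443, "tcp"),  # router-initiated outbound session
    Flow("10.0.0.1", 40001, "10.0.0.53", 53, "udp"),       # DNS to internal resolver, expected
]

if __name__ == "__main__":
    for name, flow in triage(SAMPLE_FLOWS):
        print(f"{name}: {flow.src}:{flow.sport} -> {flow.dst}:{flow.dport}/{flow.proto}")
```

Flow-level data shows the reverse shell and the exposed service, not the magic packet itself, which the article says is embedded in ordinary TCP traffic; catching the trigger would need packet capture on the device or in front of it, and the backdoor's challenge-response step means a stray connection to the router will not reveal it. Treating any router-originated session outside the management network as a finding is the practical alternative.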
DOJ Charges Two Americans in North Korean IT Worker Scheme
Bottom Line Up Front (BLUF): The U.S. Department of Justice has indicted five individuals, including two Americans, for facilitating a scheme where North Korean IT workers posed as U.S.-based employees to earn funds for the Pyongyang regime. The operation utilized a "laptop farm" to obscure the workers' true locations, impacting at least 64 U.S. companies and generating over $866,000 in illicit revenue.
Analyst Comments: This indictment sheds light on the sophisticated tactics used by North Korea to circumvent sanctions and generate income for the regime, often funding weapons programs. By infiltrating U.S. companies, these IT workers stole wages and gained access to sensitive corporate information, raising concerns about insider threats. The revelation of "laptop farms" underscores the necessity for stronger identity verification processes and network monitoring, especially for remote employees. With North Korean IT schemes growing more aggressive, including extortion attempts, organizations must remain vigilant against such threats.
FROM THE MEDIA: The DOJ's indictment charges two Americans, Erick Ntekereze Prince and Emanuel Ashtor, alongside three others, for aiding North Korean IT workers in securing jobs with U.S. companies. The scheme involved using forged documents, stolen identities, and a "laptop farm" discovered at Ashtor's home. These laptops were equipped with remote access software like AnyDesk and TeamViewer, enabling North Koreans to work covertly while appearing U.S.-based. From April 2018 to August 2024, the scheme funneled IT salaries through Chinese bank accounts, earning over $866,000. The accused used IT staffing companies as fronts to help North Koreans gain employment in industries including finance, tech, and retail. While two accused were arrested in the U.S., another was apprehended in the Netherlands, and two remain in China.
READ THE STORY: The Record
Chinese APT Targets VPN Users with Malicious Installer in Stealthy Supply-Chain Attack
Bottom Line Up Front (BLUF): A Chinese-aligned Advanced Persistent Threat (APT) group, codenamed PlushDaemon, conducted a supply-chain attack on South Korean company IPany VPN. The attackers replaced legitimate VPN installation files with malicious installers containing the "SlowStepper" backdoor, enabling espionage and data theft. The campaign, identified in May 2024, affected users downloading VPN software between 2019 and 2023.
Analyst Comments: This incident highlights the growing threat of supply-chain attacks, particularly against VPN providers, which serve as critical infrastructure for cybersecurity. The use of SlowStepper underscores the APT group’s sophistication, leveraging malware capable of audio and video surveillance to maximize intelligence-gathering. Such tactics align with broader patterns of China-linked espionage targeting sensitive entities across Asia-Pacific and the West. VPN providers must enhance their software integrity controls and adopt robust threat-detection mechanisms to prevent similar compromises.
FROM THE MEDIA: ESET researchers revealed that PlushDaemon, an APT group active since 2019, conducted a supply-chain attack on South Korean VPN software company IPany VPN. Between 2019 and 2023, the attackers distributed a tampered NSIS installer via the official VPN website, embedding the SlowStepper backdoor. Victims manually downloaded this ZIP file, unaware it redirected update traffic to attacker-controlled servers. SlowStepper, written in Python and Go, enabled audio and video surveillance of user systems. Targeting individuals and organizations in China, Taiwan, Hong Kong, South Korea, the US, and New Zealand, the campaign’s full scope remains unclear. IPany VPN has since removed the malicious installer.
READ THE STORY: Cybernews
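The IPany case combines two failures: an installer swapped on the vendor's own site, and update traffic redirected to servers the attacker controls. The following is an added example, not ESET's or IPany's code, of the two client-side checks that address each: comparing a downloaded artifact against a hash pinned in the client, and refusing update endpoints that are not on an allowlist. The manifest contents, the `example-vpn.test` hostname and the sample bytes are constructed for illustration.

```python
"""
Added example (not ESET's or IPany's code): artifact hash pinning and update
endpoint allowlisting against the supply-chain pattern in the story.
All manifest values, hostnames and file contents below are constructed.
"""
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed pinned manifest: the SHA-256 the build pipeline recorded for the
# release. It must be distributed separately from the download (signed, or
# compiled into the client), never fetched from the same web server.
GENUINE_INSTALLER = b"genuine installer bytes (constructed sample)"
PINNED_MANIFEST = {
    "vpn-setup-1.0.0.exe": hashlib.sha256(GENUINE_INSTALLER).hexdigest(),
}

# Hostnames the client may contact for updates (assumed; .test is a reserved TLD).
UPDATE_HOST_ALLOWLIST = {"updates.example-vpn.test"}


def verify_artifact(name: str, data: bytes, manifest=PINNED_MANIFEST) -> bool:
    """True only if the artifact is listed and its SHA-256 matches the pinned value.
    An unknown name is rejected rather than trusted by default."""
    expected = manifest.get(name)
    if expected is None:
        return False
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)


def update_url_allowed(url: str) -> bool:
    """Accept only HTTPS URLs whose host is on the allowlist; an IP literal or a
    look-alike host redirecting update traffic fails this check."""
    parts = urlparse(url)
    return parts.scheme == "https" and parts.hostname in UPDATE_HOST_ALLOWLIST


def check_update_config(config: dict) -> list:
    """Return a list of problems with an update configuration; empty means acceptable."""
    problems = []
    for key in ("update_url", "installer_url"):
        url = config.get(key)
        if not url or not update_url_allowed(url):
            problems.append(f"{key} is not an allowlisted HTTPS endpoint: {url!r}")
    return problems


# Constructed scenarios mirroring the story: a tampered installer and a
# configuration whose installer URL has been redirected to an outside host.
TAMPERED_INSTALLER = GENUINE_INSTALLER + b"\x00extra payload (constructed)"
REDIRECTED_CONFIG = {
    "update_url": "https://updates.example-vpn.test/v1/check",
    "installer_url": "https://198.51.100.7/vpn-setup-1.0.0.exe",
}

if __name__ == "__main__":
    print("genuine ok:", verify_artifact("vpn-setup-1.0.0.exe", GENUINE_INSTALLER))
    print("tampered ok:", verify_artifact("vpn-setup-1.0.0.exe", TAMPERED_INSTALLER))
    for problem in check_update_config(REDIRECTED_CONFIG):
        print("config problem:", problem)
```

The hash check is only as strong as the channel the manifest arrives over: a checksum published next to the download on a compromised website is replaced along with the installer. Pinning the manifest in the client, or signing it with a key the web server never holds, is what makes the comparison meaningful, and an allowlist of update hosts limits what a redirected configuration can reach.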
Cisco Patches Critical 9.9-Rated Vulnerability in Meeting Management Tool
Bottom Line Up Front (BLUF): Cisco has patched a critical vulnerability (CVE-2025-20156) in its Meeting Management tool, rated 9.9/10 on the CVSS scale. The flaw allows remote, authenticated attackers with low privileges to escalate to administrators, potentially compromising video conferencing infrastructure. No in-the-wild exploits have been reported yet, but organizations should apply the patch immediately.
Analyst Comments: This vulnerability underscores the importance of securing management tools for enterprise collaboration systems, as they are attractive targets for attackers seeking high-value administrative access. The lack of workarounds and the ease of exploitation raise the urgency for prompt patching. With PoC exploits likely to emerge soon, delayed remediation could expose organizations to unauthorized control over critical infrastructure. Cisco’s proactive disclosure and the credited researcher highlight the role of coordinated vulnerability handling in mitigating risks.
FROM THE MEDIA: Cisco disclosed CVE-2025-20156, a critical vulnerability in its Meeting Management software, which manages on-premises video conferencing platforms. The flaw arises from improper authorization checks in the REST API, enabling low-privilege attackers to escalate to administrator rights by sending specific API requests. The vulnerability affects most versions of Cisco Meeting Management up to release 3.8.
READ THE STORY: The Register
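The flaw class the article names, an authorization check missing from a REST endpoint so that an authenticated low-privilege caller can grant themselves administrator rights, is easiest to see as a weak handler beside its corrected form. The following is an added illustration in Python; it is not Cisco's code and is not derived from the details of CVE-2025-20156. The endpoint shape, the two-role model, the user store and the request format are all assumptions.

```python
"""
Added example (not Cisco's code, not derived from CVE-2025-20156): a generic
role-change endpoint with the authorization check missing, beside the fixed
version. Role model, user store and request shape are assumed.
"""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller is authenticated but not permitted to act."""


@dataclass
class User:
    name: str
    role: str  # "user" or "admin" (assumed role model)


def fresh_store() -> dict:
    """A new in-memory user store for each scenario (constructed sample users)."""
    return {
        "alice": User("alice", "admin"),
        "bob": User("bob", "user"),
    }


def set_role_vulnerable(store: dict, request: dict) -> dict:
    """Weak handler: authentication only. The caller is looked up, so a session
    is required, but the caller's own role is never consulted before the
    target's role is changed. Any logged-in user can promote any account,
    including their own."""
    caller = store[request["session_user"]]  # proves who is calling, nothing more
    target = store[request["target"]]
    target.role = request["role"]
    return {"status": "ok", "user": target.name, "role": target.role, "by": caller.name}


def set_role_hardened(store: dict, request: dict) -> dict:
    """Fixed handler: the decision is made from the server-side record of the
    caller, before any state changes, and the requested role is validated."""
    caller = store[request["session_user"]]
    if caller.role != "admin":
        raise Forbidden(f"{caller.name} may not change roles")
    if request["role"] not in ("user", "admin"):
        raise ValueError(f"unknown role {request['role']!r}")
    target = store[request["target"]]
    target.role = request["role"]
    return {"status": "ok", "user": target.name, "role": target.role, "by": caller.name}


# Constructed request: a low-privilege user asking to make themselves admin.
SELF_PROMOTION = {"session_user": "bob", "target": "bob", "role": "admin"}

if __name__ == "__main__":
    s = fresh_store()
    set_role_vulnerable(s, SELF_PROMOTION)
    print("vulnerable handler left bob as:", s["bob"].role)
    s = fresh_store()
    try:
        set_role_hardened(s, SELF_PROMOTION)
    except Forbidden as e:
        print("hardened handler refused:", e)
    print("hardened handler left bob as:", s["bob"].role)
```

The fix is not the role string comparison itself but where the decision comes from: the caller's privilege is read from the server's own record of the session, the check runs before the mutation, and a failure leaves the store unchanged. A test suite for such an endpoint should exercise the same request from each role, because a low-privilege account that succeeds is exactly the condition a scanner cannot see from the outside.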
Chinese Start-Up DeepSeek Challenges Global AI Leaders Amid Export Restrictions
Bottom Line Up Front (BLUF): Chinese AI start-up DeepSeek has introduced groundbreaking AI models that rival those of major U.S. companies like OpenAI. Leveraging innovative techniques to overcome restrictions on advanced chips, DeepSeek has demonstrated how software ingenuity and cost efficiency can offset hardware limitations, signaling a shift in global AI competition.
Analyst Comments: Sources in China are touting DeepSeek’s alleged success, highlighting how U.S. export restrictions inadvertently accelerate China’s technological self-reliance and innovation. By focusing on smaller, more efficient AI models, Chinese companies are challenging the prevailing belief that massive computational resources are required for cutting-edge AI development. This development could reshape global AI competition, particularly in cost-sensitive markets, and further undermine the effectiveness of U.S. sanctions aimed at slowing China's AI advancements.
FROM THE MEDIA: DeepSeek recently unveiled its latest AI model, DeepSeek-V3, which delivers performance on par with U.S.-based giants like OpenAI at a fraction of the cost. Using Nvidia H800 GPUs—a less advanced option compared to the most recent chips—DeepSeek trained the model in two months for $5.5 million. This week, it released "R1," an AI reasoning model that has further impressed industry observers. The company's focus on smaller, highly specialized models exemplifies China's growing emphasis on algorithmic and architectural efficiency. Export controls from the U.S. have limited access to advanced chips. Still, these restrictions have spurred Chinese companies like DeepSeek to innovate alternative solutions, challenging global assumptions about AI development's resource intensity.
READ THE STORY: FT
Items of interest
Texas Investigates Automakers Over Data Collection and Sales Practices
Bottom Line Up Front (BLUF): The Texas Attorney General’s Office is investigating Ford, Hyundai, Toyota, and Fiat Chrysler for potential deceptive trade practices related to the collection, sharing, and sale of consumer data. This expands on a lawsuit filed against General Motors (GM) in 2024 over similar allegations as scrutiny grows over automakers’ handling of personal and vehicle data.
Analyst Comments: The auto industry’s shift toward connected vehicles has introduced significant data privacy challenges. This probe underscores the growing regulatory pressure on automakers to establish transparent data practices, especially as geolocation and telematics data become key assets. The ongoing investigation in Texas could have broader implications for the automotive sector, potentially leading to stricter privacy standards nationwide. Automakers must act proactively to address privacy concerns or risk legal consequences and loss of consumer trust.
FROM THE MEDIA: Texas Attorney General Ken Paxton is investigating Ford, Hyundai, Toyota, and Fiat Chrysler Automobiles for alleged deceptive practices in collecting and selling consumer data. This inquiry follows a 2024 lawsuit against GM, which accused the company of misleading drivers into enrolling in services that collected and sold their data. The automakers must disclose their data collection practices, third-party partnerships, and consumer consent mechanisms. Toyota was questioned explicitly about its data-sharing relationship with Connected Analytic Services (CAS), which aggregates telematics data for insurance purposes. The investigation also builds on Paxton’s January 2025 lawsuit against Allstate, which alleged that insurers purchased data from carmakers, including Toyota, Mazda, and Chrysler, to price insurance premiums. Ford discontinued data-sharing practices with insurers last year and is cooperating with the inquiry.
READ THE STORY: The Record
Where People Go When They Want to Hack You (Video)
FROM THE MEDIA: What do you need to hack any system on the planet? Whatever it is, you can certainly find it on the zero-day market: a network that consists of the world’s best hackers trading vulnerabilities with governments, cybercriminals and megacorporations. How did this market come about, how does it work, and why does nobody talk about it?
The Yandex Leak: How a Russian Search Giant Uses Consumer Data (Video)
FROM THE MEDIA: In late January 2023, almost 45 GB of source code from the Russian search giant Yandex was leaked on BreachForums by a former Yandex employee. While the leak itself did not contain user data, it reportedly contained the source code for all major Yandex services, including Metrika, which collects user analytics through a widely used SDK, and Crypta, Yandex's behavioral analytics technology.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.