Security Digest (February 2025)

Patch Tuesday – 2/11/2025
The 2nd Tuesday of every month is Patch Tuesday! Every Patch Tuesday, Microsoft addresses security vulnerabilities in their products via a large deployment of software updates. This month’s Patch Tuesday addressed 67 security vulnerabilities. The full list can be seen here.
Windows products received the most patches this month with 37, followed by Extended Security Updates (ESU) with 23 and Mariner with 12.
This month’s leading risk type is Remote Code Execution (42%) followed by Elevation Of Privilege (32%) and Denial Of Service (15%).
 
Threat Grading Overview
 
Microsoft assesses threats based on the theoretical worst possible outcome were a vulnerability to be exploited. The assessment factors in how easily a vulnerability can be exploited, and what damage could be done.
These patches included remediation for four “Zero-Day” vulnerabilities, meaning no patch was previously available. Two of these vulnerabilities have been reported as exploited in the wild.
 

CVE-2025-21391 – Windows Storage Elevation of Privilege Vulnerability

CVE-2025-21391 describes an actively exploited elevation-of-privilege vulnerability that can be used to delete files.

CVE-2025-21418 – Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

CVE-2025-21418 describes an actively exploited vulnerability that allows threat actors to gain SYSTEM privileges in Windows (the highest authority).

The following zero-day vulnerabilities have been publicly disclosed:

CVE-2025-21194 – Microsoft Surface Security Feature Bypass Vulnerability

CVE-2025-21194 details a hypervisor vulnerability that allows attackers to bypass UEFI protections and compromise the secure kernel.

CVE-2025-21377 – NTLM Hash Disclosure Spoofing Vulnerability

CVE-2025-21377 details a publicly disclosed bug that exposes a Windows user’s NTLM hashes, allowing a remote attacker to potentially log in as the user. NTLM hash manipulations were discussed in greater detail in our January Security Digest.

Vendor Patch Review
Various companies have recommended critical patches for common software this month. Some of the most notable can be seen below:
Apple Updates
Keeping your software up to date is one of the most important things you can do to maintain your Apple product’s security. The latest build numbers for various products can be seen below.

Note that after a software update is installed for iOS, iPadOS, tvOS, watchOS, and visionOS, it cannot be downgraded to the previous version.

Case Study: Transaction Callback Scams
In 2025, ACT has observed a dramatic rise in “Transaction Callback” scams targeting end users via email.
In this scam, threat actors email the target with details on a transaction they were not involved in. The scammer then includes a fake callback number, intended to get the user on the phone to provide banking information. One such example can be seen below:

At first glance, this appears to be a legitimate transaction receipt. Most notably, the email comes from Paypal.co.uk, a legitimate sender, and therefore passes through most mail filters.


The real detail of the scam lies in the information below the payment title, in the transaction details:

Note the ‘Payments For’ field. Here we see some irregular text: an indication that this was for a Microsoft 365 subscription, followed by a number to call with any issues.

Calling this number connects the user to a call center claiming to be ‘Support’. The scammers will then ask the target to provide banking details and allow account access to ‘review the transaction’.

Here, the scam information has been placed in the “Organization Name” field.

In an independent review, ACT found that both of these numbers redirect to the same call center in Mumbai, India. The scammers answering phones even mistakenly identified themselves as PayPal when called on the number in the Microsoft email. After alerting them to this, the scammers hung up immediately.

In both instances, the workflow for the scam is the same:

1. Conduct a legitimate transaction through a legitimate organization (PayPal or Microsoft are by far the most common). This usually includes the threat actor sending themselves money or purchasing their own subscription to ensure the email appears legitimate and is delivered.
2. The threat actor elects to BCC the targeted email addresses as contacts for the transaction, delivering the legitimate receipt to the end user.
3. In the field for ‘Organization Name’ or ‘Payments For’, the threat actor enters a message with a fake number to call for subscription questions.
4. The threat actor completes the transaction, delivering the receipt, and the scam, to their targets.

This scam is successful for various reasons:

1. The email comes from legitimate, trusted email addresses ([email protected], [email protected]). These are unlikely to be blocked or flagged as malicious, making it much more likely the email is delivered.
2. The charges often detail very high transaction costs, creating a sense of urgency.
3. Receipts from PayPal and Microsoft do not usually include support numbers, so the target is likely to call the only number they see.
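Because the sender really is PayPal or Microsoft, sender reputation and authentication checks cannot stop these receipts; the only usable signal is the lure itself, a phone number sitting in a merchant-controlled field such as ‘Payments For’ or ‘Organization Name’. The script below is an added example written for this digest, not code from ACT or from either vendor: it parses a plain-text receipt, pulls out the merchant-controlled fields and flags a trusted-sender receipt that carries a phone number there, so the message can be tagged with a user warning rather than delivered silently. The trusted-sender list, the field names, the two sample emails and the phone number in them are all constructed for the example.

```python
import re
from email import message_from_string
from email.message import Message

# Sender domains whose receipts legitimately pass mail filters (constructed list,
# based on the two senders named in the case study).
TRUSTED_RECEIPT_SENDERS = {"paypal.co.uk", "paypal.com", "microsoft.com"}

# Merchant-controlled receipt fields the case study shows carrying the lure.
ABUSED_FIELDS = {"payments for", "payment for", "organization name", "organisation name"}

# A "Label: value" line; the value may wrap onto indented lines that follow it.
LABEL_RE = re.compile(r"^\s*(?P<label>[A-Z][A-Za-z ]{1,30}):\s*(?P<rest>.*)$")
# Loose phone-number shape; the digit count is checked separately.
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
CALLBACK_WORDS = re.compile(r"\b(call|contact|helpline|support|cancel|refund|dispute)\b", re.I)


def sender_domain(msg: Message) -> str:
    """Domain of the From: header, lower-cased ('' if none found)."""
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""


def parse_receipt_fields(body: str) -> dict:
    """Collect 'Label: value' fields from a plain-text receipt body.
    Labels are lower-cased; a blank line or the next label ends a wrapped value."""
    fields, current = {}, None
    for line in body.splitlines():
        m = LABEL_RE.match(line)
        if m:
            current = m.group("label").strip().lower()
            fields[current] = m.group("rest").strip()
        elif not line.strip():
            current = None
        elif current:
            fields[current] = f"{fields[current]} {line.strip()}".strip()
    return fields


def find_callback_lures(fields: dict) -> list:
    """Phone numbers (10-15 digits) found inside merchant-controlled receipt fields."""
    lures = []
    for label, value in fields.items():
        if label not in ABUSED_FIELDS:
            continue
        for m in PHONE_RE.finditer(value):
            number = re.sub(r"\D", "", m.group(0))
            if 10 <= len(number) <= 15:
                lures.append({"field": label, "number": number,
                              "callback_wording": bool(CALLBACK_WORDS.search(value))})
    return lures


def assess_receipt(raw_message: str) -> dict:
    """Verdict for one receipt e-mail. The sender is trusted, so the only usable
    signal is a phone number where a merchant name or product should be."""
    msg = message_from_string(raw_message)
    domain = sender_domain(msg)
    body = msg.get_payload()  # plain-text sample; a real filter would walk MIME parts
    lures = find_callback_lures(parse_receipt_fields(body))
    trusted = domain in TRUSTED_RECEIPT_SENDERS
    verdict = "warn-user" if trusted and lures else "pass"
    return {"sender_domain": domain, "trusted_sender": trusted,
            "lures": lures, "verdict": verdict}


# Constructed sample messages (not the real scam emails from the case study);
# the phone number is a placeholder.
SCAM_RECEIPT = """\
From: PayPal <service@paypal.co.uk>
Subject: Receipt for your payment

You sent a payment of 499.00 GBP

Transaction ID: 1AB23456CD7890123
Payments For: Microsoft 365 Subscription. If you did not authorise this order,
  call our helpline +44 20 0000 0000 within 24 hours to cancel.
Amount: 499.00 GBP
"""

CLEAN_RECEIPT = """\
From: PayPal <service@paypal.co.uk>
Subject: Receipt for your payment

Transaction ID: 9ZY87654WV3210987
Payments For: Annual hosting plan
Amount: 49.00 GBP
"""

if __name__ == "__main__":
    print(assess_receipt(SCAM_RECEIPT))   # verdict: warn-user, one lure
    print(assess_receipt(CLEAN_RECEIPT))  # verdict: pass
```

The verdict is deliberately ‘warn-user’ rather than ‘block’: a legitimate small merchant may put a phone number in its business name, and the cost of a banner on a genuine receipt is far lower than the cost of a blocked one. The same check can be applied to Microsoft receipts by adding their sender domain to the trusted list.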

ADVANCED strongly advises all staff to be on the lookout for these scams and to educate their users on potential issues.

Current Events: Botnets Target Microsoft 365 Accounts In Widespread Campaign
Security researchers have warned enterprises of a botnet of roughly 130,000 devices targeting Microsoft 365 user accounts.
A botnet is a network of infected computers or devices that a hacker secretly controls. These devices—whether laptops, servers, or even smart home gadgets—are used to launch cyberattacks, like stealing passwords, spreading viruses, or overwhelming websites to take them down. Often owners of devices in a botnet have no idea their device is compromised. Devices will very rarely show irregular activity until called upon to conduct an attack.
 

Threat actors build botnets through a standard process:
Step 1: Malware Distribution
The threat actor distributes malware at a large scale. This can be done via links or attachments sent via email, or by compromising a legitimate piece of software to silently include the botnet malware.

Step 2: Connection
The threat actor establishes a connection to infected devices from a Command & Control Server (or C2). The C2 can send commands en masse to all infected devices at once.

Step 3: Control
The threat actor can use the infected network of devices, or botnet, to perform a variety of tasks. This can include conducting Distributed Denial Of Service attacks (by overloading a target or network with fake traffic), Password Spraying Attacks (attempting thousands of username/password combinations to break into accounts), or sending mass amounts of spam emails.

Step 4: Multiplication
Finally, the threat actor can expand their botnet by distributing malware to other devices. This can be done to devices on the compromised machine’s local network or by recirculating the original means of compromise.

This particular botnet is associated with CDS Global Cloud and UCLOUD HK, both with operational ties to China. This suggests involvement of a ‘Nation-State Threat Actor’, or a government-backed organization. Nation-State Threat Actors are exceptionally dangerous, as they are often well-equipped, well-organized, and well-funded.

The primary attack method of this organization has been password-spraying. A password-spraying attack is when a hacker tries the same common password (like “Password123”) on many different accounts instead of guessing many passwords for one account. This helps them avoid getting locked out and makes it harder for security systems to detect the attack.

Typically, heavy password spraying results in account lockouts that alert security teams. However, this campaign explicitly targets Non-Interactive Sign-Ins, which are used for service-to-service authentication and do not always generate security alerts. Examples of such non-interactive sign-ins include auto-login to work applications, cloud file syncing, and email apps checking for new messages.

This enables attackers to operate without triggering Multi-Factor Authentication defenses or Conditional Access Policies (CAP), even in highly secured environments.
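Lockout-based alerting never fires on a spray, because each account sees only one or two failures; what does stand out is one source address failing against many different accounts in a short window, in sign-in events that are all non-interactive. The script below is an added example for this digest, not code from the researchers or from Microsoft: it reads newline-delimited JSON sign-in records (constructed here, loosely modelled on the field names of Microsoft Entra ID sign-in logs, with errorCode 50126 meaning a bad username or password), groups failures by source IP, and raises an alert for any IP that touches at least five distinct accounts within thirty minutes. It also reports whether any of the sprayed accounts later signed in successfully from that same IP, which is the case that needs an immediate password reset and session revocation.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records, loosely modelled on Microsoft Entra ID sign-in
# log fields. errorCode 50126 is "invalid username or password"; 0 is success.
# 203.0.113.10 walks through six accounts with one guess each; 198.51.100.7 is one
# user mistyping their own password. Neither would trip a per-account lockout.
SAMPLE_LOG = """\
{"createdDateTime":"2025-02-20T02:00:05Z","userPrincipalName":"alice@example.com","ipAddress":"203.0.113.10","signInEventTypes":["nonInteractiveUser"],"status":{"errorCode":50126}}
{"createdDateTime":"2025-02-20T02:00:41Z","userPrincipalName":"bob@example.com","ipAddress":"203.0.113.10","signInEventTypes":["nonInteractiveUser"],"status":{"errorCode":50126}}
{"createdDateTime":"2025-02-20T02:01:17Z","userPrincipalName":"carol@example.com","ipAddress":"203.0.113.10","signInEventTypes":["nonInteractiveUser"],"status":{"errorCode":50126}}
{"createdDateTime":"2025-02-20T02:01:52Z","userPrincipalName":"dave@example.com","ipAddress":"203.0.113.10","signInEventTypes":["nonInteractiveUser"],"status":{"errorCode":50126}}
{"createdDateTime":"2025-02-20T02:02:30Z","userPrincipalName":"erin@example.com","ipAddress":"203.0.113.10","signInEventTypes":["nonInteractiveUser"],"status":{"errorCode":50126}}
{"createdDateTime":"2025-02-20T02:03:04Z","userPrincipalName":"frank@example.com","ipAddress":"203.0.113.10","signInEventTypes":["nonInteractiveUser"],"status":{"errorCode":50126}}
{"createdDateTime":"2025-02-20T02:05:00Z","userPrincipalName":"alice@example.com","ipAddress":"198.51.100.7","signInEventTypes":["interactiveUser"],"status":{"errorCode":50126}}
{"createdDateTime":"2025-02-20T02:05:20Z","userPrincipalName":"alice@example.com","ipAddress":"198.51.100.7","signInEventTypes":["interactiveUser"],"status":{"errorCode":50126}}
{"createdDateTime":"2025-02-20T02:05:45Z","userPrincipalName":"alice@example.com","ipAddress":"198.51.100.7","signInEventTypes":["interactiveUser"],"status":{"errorCode":0}}
{"createdDateTime":"2025-02-20T02:19:10Z","userPrincipalName":"erin@example.com","ipAddress":"203.0.113.10","signInEventTypes":["nonInteractiveUser"],"status":{"errorCode":0}}
"""


def parse_records(text: str) -> list:
    """One JSON object per line; adds a parsed 'ts' datetime to each record."""
    records = []
    for line in text.splitlines():
        if line.strip():
            r = json.loads(line)
            r["ts"] = datetime.strptime(r["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")
            records.append(r)
    return records


def detect_spray(records: list, window: timedelta = timedelta(minutes=30),
                 min_accounts: int = 5) -> list:
    """Flag source IPs whose failed sign-ins touch at least `min_accounts` distinct
    accounts inside any `window`. Counting accounts per IP, rather than failures
    per account, is what makes a low-and-slow spray visible."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ipAddress"]].append(r)

    alerts = []
    for ip, events in by_ip.items():
        events.sort(key=lambda r: r["ts"])
        failures = [e for e in events if e["status"]["errorCode"] != 0]
        # Sliding window over the failures; keep the largest distinct-account set seen.
        start, best = 0, set()
        for end in range(len(failures)):
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            users = {e["userPrincipalName"] for e in failures[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) < min_accounts:
            continue
        first_failure = failures[0]["ts"]
        later_success = sorted({e["userPrincipalName"] for e in events
                                if e["status"]["errorCode"] == 0
                                and e["ts"] > first_failure
                                and e["userPrincipalName"] in best})
        alerts.append({
            "ip": ip,
            "accounts_targeted": len(best),
            "failures": len(failures),
            "attempts_per_account": round(len(failures) / len(best), 2),
            # All-non-interactive traffic is the quiet path this campaign relies on.
            "non_interactive_only": all("nonInteractiveUser" in e["signInEventTypes"]
                                        for e in events),
            "accounts_with_later_success": later_success,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(parse_records(SAMPLE_LOG)):
        print(json.dumps(alert, indent=2))
```

Run against the sample, the script raises one alert for 203.0.113.10 (six accounts, one attempt each, with erin@example.com succeeding sixteen minutes later) and nothing for 198.51.100.7, because three failures on a single account is not a spray. In production the window and account threshold should be tuned per tenant, and the same grouping can be run on the ASN or user-agent string when the botnet rotates source addresses.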

What can be done to protect Office 365 Environments?

Security researchers have various recommendations to protect against this threat actor. The most effective can be seen below:

Ensure that ‘common passwords’ are not in use in your 365 Environments. These are easily guessed by threat actors and can lead to compromise before an account lockout can take place.

Monitor for stolen credentials linked to your organization in infostealer logs. Ensure that end user account information is not for sale on the dark web.

Implement conditional access policies that restrict non-interactive login attempts. Additional protections are necessary to ensure user account security as threat actors adjust their attack methods.

ACT offers 365 Security Assessments + Remediation, Security Awareness Training, and Dark Web Monitoring services to ensure your environment is protected. Reach out to our team of experts at [email protected] for additional information!

As always, Advanced is proud to be here for all your security needs. Reach out now to determine how you can improve your security posture and keep your business running!

Regards,

The ACT Security Task Force

Sources:

https://www.helpnetsecurity.com/2025/02/24/botnet-hits-microsoft-365-accounts/
https://www.crowdstrike.com/en-us/blog/patch-tuesday-analysis-february-2025/
https://msrc.microsoft.com/update-guide/releaseNote/2025-Feb
https://www.bleepingcomputer.com/news/microsoft/microsoft-february-2025-patch-tuesday-fixes-4-zero-days-55-flaws/
https://support.apple.com/en-us/100100
