MSP cybersecurity news digest, January 21, 2025

8 zero days, 159 security vulnerabilities fixed in Microsoft’s January 2025 Patch Tuesday

Microsoft’s January 2025 Patch Tuesday includes fixes for 159 security vulnerabilities, among them eight zero-day flaws, three of which are actively exploited.

Twelve of the patched flaws are deemed "Critical," addressing remote code execution, privilege escalation, and information disclosure risks. The update covers 40 privilege escalation flaws, 58 remote code execution issues, and 24 information disclosure vulnerabilities. The three actively exploited zero-day flaws (CVE-2025-21333, CVE-2025-21334, CVE-2025-21335) affect Windows Hyper-V and allow attackers to gain SYSTEM privileges.

Another zero-day (CVE-2025-21275) affects the Windows App Package Installer and could grant attackers elevated privileges. Additionally, a Windows Themes spoofing flaw (CVE-2025-21308) allows credential theft via malicious theme files. Microsoft also patched three Microsoft Access vulnerabilities that could be exploited via specially crafted documents; as a mitigation, certain Access file types sent via email are now blocked.

Black Basta admits responsibility in breaching Mortgage Investors Group’s customer data

Mortgage Investors Group (MIG), a major mortgage lender in the U.S. Southeast with a revenue of $32.2 million, suffered a cyberattack in December 2024 that exposed sensitive customer data. The breach was discovered the day after the attack, which compromised financial and personal information.

The Black Basta ransomware gang has taken credit for the attack, continuing its streak of targeting financial institutions and critical infrastructure. The group has been linked to over 500 cyberattacks globally and has previously hit organizations like Dish Network and the American Dental Association.

MIG has not confirmed whether the attack involved ransomware but has acknowledged unauthorized access to its network. The company has hired a third-party firm to assess the full impact and will notify affected customers in the coming weeks.

PlugX malware deployed by RedDelta; FBI deletes PlugX malware from 4,250 hacked computers

The China-linked RedDelta group launched a series of cyber espionage campaigns, targeting Mongolia, Taiwan and other Southeast Asian nations.

Using a customized version of the PlugX backdoor, they employed spear-phishing tactics, luring victims with documents related to political events, national holidays and regional meetings, including one involving a Taiwanese presidential candidate. Notably, they compromised the Mongolian Ministry of Defense and the Communist Party of Vietnam, along with several other global entities. They also targeted various victims in Malaysia, Japan, the U.S., Ethiopia, Brazil, Australia and India from September to December 2024.

RedDelta's tactics have evolved over time, incorporating advanced techniques like Visual Studio Code tunnels and DLL side-loading to deploy malware and avoid detection. They also began using the Cloudflare CDN to proxy command-and-control traffic, making it harder to trace their operations. As part of a multi-month operation, the FBI recently deleted PlugX malware from over 4,250 compromised systems, targeting victims worldwide, including in the U.S., Europe and Asia.

Italian retailer Conad has HR and customer data stolen by Lynx ransomware gang

The Lynx ransomware gang has claimed responsibility for a cyberattack against the Italian retail giant Conad, posting details on its dark web leak site. Conad operates one of the largest supermarket chains in Italy, and had a turnover of €21.1 billion for its 2024 financial year.

According to the attackers, they had stolen HR and customer data from Conad’s IT infrastructure and planned to release it in three days. Conad stated that it neutralized the attack in November, and claimed that only a limited amount of unstructured and noncritical data, which could not be traced back to customers, may have been copied. The company notified the authorities and filed an official complaint with the public prosecutor’s office in Bologna.

The cybercriminals shared samples of stolen data, a common tactic to pressure victims into paying ransom. If Conad does not negotiate, the gang may publicly release the compromised information.

Avery Products Corp. website is hacked for customer credit card details and personal data

Avery Products Corporation has reported a data breach after discovering its website was hacked to steal customer credit card details and personal data.

The American label and printing company detected the attack during an internal forensic investigation. Attackers had planted a card skimmer on avery.com, capturing sensitive payment information for nearly five months.

Stolen data includes names, billing and shipping addresses, email addresses, phone numbers and full payment card details. Though Social Security numbers and government-issued IDs were not compromised, the leaked financial information is enough to allow criminals to conduct fraud. The breach impacted 61,193 customers, prompting Avery to offer a year of free credit monitoring.

Given the sensitive nature of the breach, affected individuals are advised to monitor their credit cards for any signs of fraudulent activity and stay alert for phishing attempts.