
Weekly News Digest 13-19 January

Chinese state-backed hackers breached U.S. foreign investments review office

The Chinese state-backed hackers that breached the Treasury Department in late 2024 also gained access to the Committee on Foreign Investment in the United States (CFIUS) systems, according to a report by CNN, citing U.S. officials familiar with the matter.

The CFIUS is a government office and interagency committee authorized to review foreign investment and real estate transactions to determine their effect on U.S. national security.

The Treasury Department disclosed on December 30 that Chinese government hackers breached its network after compromising a BeyondTrust instance used by the federal agency using a stolen Remote Support SaaS API key. Silk Typhoon, the threat actor behind the attack, specifically targeted the Office of Foreign Assets Control (OFAC), which administers and enforces trade and economic sanctions programs.

Last week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) stated that the Treasury Department was the only federal agency impacted by the breach.

“A Treasury spokesperson did not respond to questions about the hackers’ targeting of CFIUS,” according to CNN.

New attack technique exploits transaction simulations to steal cryptocurrency

A new attack technique called transaction simulation spoofing is being used by threat actors to steal cryptocurrency, with one attack successfully stealing approximately $460,000.

First spotted by ScamSniffer researchers, the attack relates to a flaw in transaction simulation mechanisms used in modern Web3 wallets, which are meant to protect users from fraudulent and malicious transactions.

Transaction simulation allows users to preview the expected outcome of a blockchain transaction before signing and executing it. In a transaction simulation spoofing attack, a threat actor lures a victim to a malicious website that mimics a legitimate platform, which initiates what is made to appear as a “Claim” function. The transaction simulation shows that the user will receive a small amount in ETH.

Due to a time delay between the simulation and the execution, the attacker can alter the on-chain contract state to change what the transaction will actually do if approved. The victim, trusting the wallet’s transaction simulation result, signs the transaction, allowing the malicious website to drain their wallet of all cryptocurrency and send it to the attacker’s wallet.

“This new attack vector represents a significant evolution in phishing techniques,” warns ScamSniffer. The researchers suggest that Web3 wallets reduce the simulation refresh interval to match blockchain block times, force a refresh of simulation results before critical operations, and add expiration warnings to alert users to the risk of stale results.

Spanish telco Telefónica confirms breach after data leak

Spanish telecommunications company Telefónica confirmed its internal ticketing system was breached after stolen data was leaked on a hacking forum.

Telefónica, which is the largest telecommunications firm in Spain, said it became aware of “an unauthorized access to an internal ticketing system” and that it is “currently investigating the extent of the incident and have taken the necessary steps to block any unauthorized access to the system.”

The disclosure comes after a Telefónica Jira database was leaked on a hacking forum by four individuals using the handles DNA, Grep, Pryx, and Rey. One of the individuals said that the “internal ticketing system” is an internal Jira development and ticketing server used by the company to report and resolve internal issues. The system was allegedly breached using compromised employee credentials. The attackers claim to have scraped approximately 2.3 GB of documents, tickets, and various data from the system before they lost access due to Telefónica performing password resets on impacted accounts.

Three of the attackers (Grep, Pryx, and Rey) are members of the ransomware operation known as Hellcat Ransomware.

The attacker known as Pryx said they did not contact the company or attempt to extort them before leaking the data online.

Attackers suspected of using zero-day exploit to target Fortinet firewalls

Researchers have observed recent waves of what is described as “mass exploitation” campaigns against Fortinet firewalls. In these incidents, the attackers are suspected of targeting an unknown zero-day vulnerability in the devices. The suspicion stems from observed successful attacks since December 2024 against tens of Fortinet FortiGate installations running different firmware versions, with most of the attacks occurring within a single three-day window.

Attacks are said to be targeted at installations with internet-exposed management interfaces, which are often a target for exploitation and entry for attackers. Tell-tale signs of attempted attacks include connection attempts from spoofed IP addresses to TCP ports 8023 and 9980.

Once they successfully compromise a device, the attackers set about changing its configurations and setting up SSL VPN tunnels to enable remote access. They were also seen creating new accounts and attempting to harvest credentials, likely to enable them to pivot to other assets within the network.

The exact purpose of the attacks is unclear, but researchers believe these tactics are not dissimilar to typical ransomware attacks. In the meantime, the researchers have shared their findings with Fortinet, which is said to be looking into the matter.
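The indicators above (probes to TCP 8023 and 9980 on the management interface, followed by SSL VPN and admin account changes) can be checked against FortiGate logs. The following is an added example, not code from the original digest or from the researchers; the sample lines are constructed, and the field names (srcip, dstport, cfgpath, action) are assumed to follow FortiGate's key=value log layout.

```python
"""Scan FortiGate-style key=value log lines for the indicators in the digest:
connection attempts to TCP 8023/9980 on the management interface, and
configuration changes touching SSL VPN or admin users. Added example; the
sample lines are constructed and the field names are assumed to follow
FortiGate's key=value log layout."""
import re
from collections import Counter

SUSPICIOUS_PORTS = {8023, 9980}
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

SAMPLE_LOGS = """
date=2025-01-14 time=03:12:07 type="traffic" subtype="local" srcip=203.0.113.7 dstip=192.0.2.1 dstport=8023 proto=6 action="deny"
date=2025-01-14 time=03:12:09 type="traffic" subtype="local" srcip=203.0.113.7 dstip=192.0.2.1 dstport=9980 proto=6 action="deny"
date=2025-01-14 time=03:12:11 type="traffic" subtype="local" srcip=198.51.100.9 dstip=192.0.2.1 dstport=9980 proto=6 action="accept"
date=2025-01-14 time=03:15:40 type="event" subtype="system" logdesc="Object attribute configured" user="admin" srcip=198.51.100.9 cfgpath="system.admin" cfgobj="svc_backup" action="Add"
date=2025-01-14 time=03:16:02 type="event" subtype="system" logdesc="Object attribute configured" user="admin" srcip=198.51.100.9 cfgpath="vpn.ssl.settings" action="Edit"
date=2025-01-14 time=03:20:00 type="traffic" subtype="forward" srcip=10.0.0.5 dstip=93.184.216.34 dstport=443 proto=6 action="accept"
"""

def parse_line(line):
    # Turn one key=value line into a dict, stripping surrounding quotes.
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def scan_fortigate(text):
    """Return counts of suspicious port probes per source IP, which probes were
    accepted, and the config changes matching the post-compromise behaviour."""
    probes, accepted, config_changes = Counter(), [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("type") == "traffic" and rec.get("proto") == "6" and int(rec.get("dstport", 0)) in SUSPICIOUS_PORTS:
            probes[rec["srcip"]] += 1  # source IPs may be spoofed, so count rather than attribute
            if rec.get("action") == "accept":
                accepted.append((rec["srcip"], rec["dstport"]))
        elif rec.get("type") == "event" and rec.get("cfgpath", "").startswith(("vpn.ssl", "system.admin")):
            config_changes.append((rec.get("srcip"), rec["cfgpath"], rec.get("action")))
    return {"probes": dict(probes), "accepted": accepted, "config_changes": config_changes}

if __name__ == "__main__":
    import pprint
    pprint.pprint(scan_fortigate(SAMPLE_LOGS))
```

An accepted probe to one of the two ports from an address that then edits SSL VPN settings or adds an admin is the sequence worth escalating.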

Attackers target AWS bucket data for encryption in new “Codefinger” campaigns

Recently, researchers have seen what they say is a new development where attackers use the AWS feature called server-side encryption with customer-provided keys (SSE-C) to encrypt the files in the storage buckets for extortion attacks. The feature encrypts files using an AES-256 symmetric key provided by the customer (or attacker in this case) and then, once completed, the key is discarded by the server.

In the new attacks, attackers are gaining initial access to the AWS bucket by way of hacked or leaked credentials or access keys. Once inside, the attackers generate a new key which they then use for the encryption process using SSE-C. Once the relevant files are successfully encrypted, the attackers mark the files for deletion after seven days using the AWS object lifecycle management API.

Similar to standard ransomware tactics, ransom notes are left within directories where files are encrypted. The ransom note includes a client ID and a Bitcoin address for payment.

While this type of attack is reported to have only hit two organizations so far, this technique may gain traction in the future if it proves to be successful for attackers. It presents yet another alternative technique in the ever-growing ransom attack playbook for attackers. AWS users are advised to restrict the use of SSE-C and regularly monitor and audit AWS keys to reduce the risk of attacks.
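The sequence described above (objects rewritten with SSE-C, then a short-lived expiration rule) leaves a recognisable trail in S3 data and management events. The following is an added example, not code from the original digest or from the researchers; the events are constructed, and the field layout (eventName, additionalEventData.SSEApplied, requestParameters.LifecycleConfiguration) is a simplified assumption of CloudTrail's format.

```python
"""Spot the Codefinger pattern in CloudTrail-style events: objects rewritten with
SSE-C (customer-provided key) followed by a short-lived expiration lifecycle rule.
Added example; field layout is a simplified assumption of CloudTrail's format."""
import json
from collections import defaultdict

# Constructed sample events (not real CloudTrail output).
SAMPLE_EVENTS = """
{"eventName": "PutObject", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0001"}, "requestParameters": {"bucketName": "acme-finance", "key": "q4/ledger.xlsx"}, "additionalEventData": {"SSEApplied": "SSE_C"}}
{"eventName": "CopyObject", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0001"}, "requestParameters": {"bucketName": "acme-finance", "key": "q4/payroll.csv"}, "additionalEventData": {"SSEApplied": "SSE_C"}}
{"eventName": "PutObject", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0001"}, "requestParameters": {"bucketName": "acme-finance", "key": "q4/README.txt"}, "additionalEventData": {"SSEApplied": "SSE_S3"}}
{"eventName": "PutBucketLifecycle", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0001"}, "requestParameters": {"bucketName": "acme-finance", "LifecycleConfiguration": {"Rule": [{"Status": "Enabled", "Expiration": {"Days": 7}}]}}}
{"eventName": "PutObject", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0002"}, "requestParameters": {"bucketName": "acme-logs", "key": "2025/01/app.log"}, "additionalEventData": {"SSEApplied": "SSE_KMS"}}
"""

def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def find_codefinger(events, max_expiry_days=7):
    """Return {bucket: finding} where SSE-C writes and/or a short expiration rule were seen."""
    findings = defaultdict(lambda: {"sse_c_keys": [], "short_expiry_days": None, "access_keys": set()})
    for e in events:
        params = e.get("requestParameters", {})
        bucket = params.get("bucketName")
        if not bucket:
            continue
        ak = e.get("userIdentity", {}).get("accessKeyId", "?")
        if e["eventName"] in ("PutObject", "CopyObject") and e.get("additionalEventData", {}).get("SSEApplied") == "SSE_C":
            findings[bucket]["sse_c_keys"].append(params.get("key"))  # encrypted with a key AWS does not retain
            findings[bucket]["access_keys"].add(ak)
        elif e["eventName"] == "PutBucketLifecycle":
            rules = params.get("LifecycleConfiguration", {}).get("Rule", [])
            for rule in rules if isinstance(rules, list) else [rules]:
                days = rule.get("Expiration", {}).get("Days")
                if rule.get("Status") == "Enabled" and days is not None and days <= max_expiry_days:
                    findings[bucket]["short_expiry_days"] = days  # deletion deadline, as in the ransom scheme
                    findings[bucket]["access_keys"].add(ak)
    for f in findings.values():
        f["access_keys"] = sorted(f["access_keys"])
        f["severity"] = "critical" if f["sse_c_keys"] and f["short_expiry_days"] else "review"
    return dict(findings)

if __name__ == "__main__":
    for bucket, f in find_codefinger(parse_events(SAMPLE_EVENTS)).items():
        print(bucket, f["severity"], f)
```

Any access key that appears in a critical finding is a candidate for immediate rotation, and the same logic can run on S3 server access logs if data events are not enabled.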

UK domain registry Nominet confirms breach linked to Ivanti zero-day

The UK internet domain registry Nominet has confirmed that its network was breached two weeks ago using an Ivanti VPN zero-day vulnerability.

Nominet disclosed the incident to customers on January 8. “We became aware of suspicious activity on our network late last week. The entry point was through third-party VPN software supplied by Ivanti that enables our people to access systems remotely,” the company said in the email. “The unauthorized intrusion into our network exploited a zero-day vulnerability,” Nominet added.

Ivanti on January 8 warned of a vulnerability in its Connect Secure enterprise VPN product that was being actively exploited in the wild. CVE-2025-0282 (CVSS score: 9.0) is described as a stack-based buffer overflow that allows unauthenticated remote attackers to execute arbitrary code.

Nominet said it currently has “no evidence of data breach or leakage.” The company said it has restricted access to the VPN software while it investigates the incident.

Microsoft January Patch Tuesday fixes 159 flaws, including 8 zero-days

Microsoft’s first Patch Tuesday of 2025 sees the software giant issue updates to address 159 vulnerabilities, including eight zero-days, three of which are actively exploited.

January’s update addresses twelve critical vulnerabilities, including information disclosure, privileges elevation, and remote code execution flaws.

The number of bugs in each vulnerability category is as follows:

  • 40 elevation of privilege vulnerabilities

  • 14 security feature bypass vulnerabilities

  • 58 remote code execution vulnerabilities

  • 24 information disclosure vulnerabilities

  • 20 denial of service vulnerabilities

  • 5 spoofing vulnerabilities

Attackers use FastHTTP to brute force Microsoft365 accounts at scale

Attackers are using the FastHTTP Go library to carry out brute-force password attacks against Microsoft 365 accounts.

The attacks are said to have begun in early January 2024, with the bulk of the attacks targeted at users of the Azure Active Directory Graph API. The attackers use the library to help them automate the brute force attempts to log into accounts that trigger multifactor authentication (MFA) challenges, hoping that victims may succumb to a situation known as MFA fatigue.

The majority of the attack traffic comes from Brazil (65%), followed by Turkey, Argentina, Uzbekistan, Pakistan, and Iraq.

According to the researchers, the success rate for account takeovers from the campaign stands at around 10%, while 41.5% of the attempts lead to failure, 21% result in account lockouts, and 17.7% are rejected due to policy violations.

Microsoft 365 administrators are advised to check sign-in and audit logs for attempts carrying the FastHTTP user agent and to take action if any suspicious activity is detected.
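A way to act on that advice is to pull sign-in records, keep those with the fasthttp user agent, and look per user for the repeated MFA prompts and eventual success that mark MFA fatigue. The following is an added example, not code from the original digest or from the researchers; the records are constructed, the field names are loosely modelled on Entra ID sign-in logs, and the error-code mapping is an assumption to be checked against Microsoft's published list.

```python
"""Flag brute-force / MFA-fatigue sign-ins from clients with the fasthttp user
agent, over constructed Entra ID style sign-in records (added example)."""
import json
from collections import Counter, defaultdict

# Entra ID sign-in error codes; assumption: mapping matches Microsoft's published list.
CODE_MEANING = {0: "success", 50126: "bad_password", 50053: "locked_out",
                50074: "mfa_required", 50076: "mfa_failed", 53003: "blocked_by_policy"}

# Constructed sample records, modelled loosely on Entra ID sign-in log fields.
SAMPLE_LOG = """
{"userPrincipalName": "alice@example.com", "userAgent": "fasthttp", "ipAddress": "203.0.113.10", "errorCode": 50126}
{"userPrincipalName": "alice@example.com", "userAgent": "fasthttp", "ipAddress": "203.0.113.10", "errorCode": 50126}
{"userPrincipalName": "alice@example.com", "userAgent": "fasthttp", "ipAddress": "203.0.113.11", "errorCode": 50074}
{"userPrincipalName": "alice@example.com", "userAgent": "fasthttp", "ipAddress": "203.0.113.11", "errorCode": 50074}
{"userPrincipalName": "alice@example.com", "userAgent": "fasthttp", "ipAddress": "203.0.113.12", "errorCode": 0}
{"userPrincipalName": "bob@example.com", "userAgent": "fasthttp", "ipAddress": "203.0.113.20", "errorCode": 50053}
{"userPrincipalName": "carol@example.com", "userAgent": "Mozilla/5.0 (Windows NT 10.0) Edge/120", "ipAddress": "198.51.100.5", "errorCode": 50126}
"""

def parse_signins(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def analyze_fasthttp(records, mfa_prompt_threshold=2):
    """Summarise fasthttp sign-ins per user. A user is flagged when the client
    triggered repeated MFA prompts (fatigue pattern) or finally signed in."""
    per_user = defaultdict(lambda: {"attempts": 0, "outcomes": Counter(), "source_ips": set()})
    for r in records:
        if "fasthttp" not in r.get("userAgent", "").lower():
            continue  # only the user agent named in the digest is of interest here
        s = per_user[r["userPrincipalName"]]
        s["attempts"] += 1
        s["source_ips"].add(r["ipAddress"])
        s["outcomes"][CODE_MEANING.get(r["errorCode"], "other")] += 1
    for s in per_user.values():
        mfa_prompts = s["outcomes"]["mfa_required"] + s["outcomes"]["mfa_failed"]
        s["flag"] = s["outcomes"]["success"] > 0 or mfa_prompts >= mfa_prompt_threshold
        s["source_ips"] = sorted(s["source_ips"])
    return dict(per_user)

if __name__ == "__main__":
    for user, s in analyze_fasthttp(parse_signins(SAMPLE_LOG)).items():
        print(user, "FLAG" if s["flag"] else "ok", dict(s["outcomes"]), s["source_ips"])
```

A flagged user with a success after several prompts is the account-takeover case the digest's 10% figure refers to; revoke sessions and reset credentials for those first.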

Attackers abusing Google Sites and Ads to steal credentials

Attackers are reported to be stealing the credentials of Google Ads users by leveraging Google’s own infrastructure. They do this by creating fake Google Ads login pages hosted on Google Sites, Google’s free website creation service. These fake pages are designed to look like official Google Ads pages. However, when users try to sign in, they are sent to another site on a non-Google domain that still carries the official Google Ads branding but is hosted elsewhere.

The fake login page hosts a form to steal the victim’s login credentials and send them to the attacker. The attacker can then use the stolen credentials to log into the Google account and abuse it for malicious purposes.

To further enhance the effectiveness of the campaign and gather victims, the attackers place ads via Google Ads for “Google Ads” itself. When a user searches for “Google Ads” on Google Search, the malicious websites are returned even above Google’s own site because the paid ads are displayed first in the “Sponsored” section. Distracted users may inadvertently click on the Sponsored links because they are at the top of the results and end up at the phishing site instead.

Once the credentials are stolen and access is gained, the attackers could potentially leverage any services the account has for malicious use. This may include using the stolen accounts to further their malicious campaigns by buying new ads to further the reach and duration of the campaign.

Over 660K Rsync servers exposed to code execution attacks

Researchers have discovered six vulnerabilities in the popular Rsync file-synchronizing tool for Unix systems, some of which can be used to execute arbitrary code on a client.

“Attackers can take control of a malicious server and read/write arbitrary files of any connected client,” the CERT Coordination Center (CERT/CC) explained in an advisory. “Sensitive data, such as SSH keys, can be extracted, and malicious code can be executed by overwriting files such as ~/.bashrc or ~/.popt.”

According to CERT/CC, an attacker could combine CVE-2024-12084 and CVE-2024-12085 to achieve arbitrary code execution on a client that has an Rsync server running.

A Shodan search revealed that there are over 660,000 IP addresses with exposed Rsync servers, most of which are located in China (551,000), with smaller numbers located in the U.S., Hong Kong, Korea, and Germany.

Patches for the vulnerabilities have been issued in Rsync version 3.4.0, released January 15.

NVIDIA users, it’s time to get patching

Users of NVIDIA Container Toolkit and NVIDIA GPU Operator for Linux-based systems are advised to apply recently released patches for their products to protect against possible exploits from two vulnerabilities that could enable an attacker to perform a wide range of activities including code execution, denial of service, privilege escalation, and data tampering.

The vulnerabilities tracked as CVE-2024-0135 and CVE-2024-0136 are both rated as high severity with a CVSS score of 7.6. Another less severe issue tracked as CVE-2024-0137 that could allow for denial of service and privilege escalation was also fixed as part of the January 2025 batch of updates. All of these vulnerabilities can be exploited through the use of a specially crafted container image.

The vulnerabilities affect versions of NVIDIA Container Toolkit prior to 1.17.1 and NVIDIA GPU Operator prior to 24.9.1.