
Cyber Security Monthly roundup – January 2025
January 2025 saw a mix of cybersecurity advancements and emerging threats. From critical Oracle patches and a 7-Zip vulnerability fix to CISA's cloud fortification push and the takedown of DDoS platforms, there's a lot to cover. However, new malware using Windows accessibility features and an Android banking trojan targeting cryptocurrency exchanges paint a less rosy picture. This month's roundup breaks down the top vulnerabilities, security updates, and emerging threats you need to know to stay protected in the ever-evolving cyber landscape.
Top Vulnerabilities Reported
Oracle January 2025 patch
Oracle released a Critical Patch Update to address 318 new security vulnerabilities, including a high-severity flaw (CVE-2025-21556) in the Oracle Agile Product Lifecycle Management Framework, which could allow attackers to take control of the affected component. Other critical vulnerabilities affect products such as JD Edwards EnterpriseOne Tools, Oracle Agile Engineering Data Management, Oracle Communications Diameter Signaling Router, and more. CISA has flagged one of the vulnerabilities (CVE-2020-2883) as actively exploited.
Bug in 7-Zip file software
Attackers can exploit a vulnerability (CVE-2025-0411) in 7-Zip to bypass the Mark of the Web (MotW) security feature in Windows. The flaw allows attackers to execute malicious code on users' computers by extracting specially crafted files from nested archives or visiting harmful websites. 7-Zip does not propagate the MotW to files it extracts, meaning the usual Windows warnings are skipped and users can unknowingly run malicious code. This issue has been fixed in version 24.09.
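A defender-side check for the behaviour described above, added here as an example and not part of the original roundup: after extracting an archive, list files that lack a Zone.Identifier alternate data stream (the NTFS stream that carries the MotW). It assumes Windows with NTFS; on other platforms every file reports as unmarked, since there is no stream to read.

```python
"""Audit extracted files for a missing Mark of the Web (added example).

On Windows, a file downloaded from the internet carries an NTFS alternate
data stream named Zone.Identifier whose ZoneId records its origin (3 =
Internet). An archiver that fails to copy that stream to extracted files
leaves them unmarked, so SmartScreen and Office protections do not apply.
"""
import sys
from pathlib import Path
from typing import List, Optional

# Constructed mapping of the standard URL security zones for reporting.
ZONE_NAMES = {0: "LocalMachine", 1: "Intranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}


def parse_zone_identifier(stream_text: str) -> Optional[int]:
    """Return the ZoneId from a Zone.Identifier stream body, or None if absent."""
    in_section = False
    for raw in stream_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "zoneid" and value.strip().isdigit():
                return int(value.strip())
    return None


def read_zone_id(path: Path) -> Optional[int]:
    """Read the Zone.Identifier stream of a file (Windows/NTFS only)."""
    try:
        # "<file>:Zone.Identifier" addresses the alternate data stream on NTFS.
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None  # no stream present: the file is unmarked


def audit_extracted(root: str, expected_zone: int = 3) -> List[str]:
    """Return files under root whose ZoneId is missing or weaker than expected_zone."""
    unmarked = []
    for p in Path(root).rglob("*"):
        if p.is_file():
            zone = read_zone_id(p)
            if zone is None or zone < expected_zone:
                unmarked.append(str(p))
    return unmarked


if __name__ == "__main__":
    for name in audit_extracted(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"missing or weak MotW: {name}")
```

Run it against the directory an archive was extracted into; any file listed would not trigger the MotW-based warnings when opened.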
The Good News
The cloud revolution isn’t just about convenience anymore; it’s now the frontline of defence. With CISA's new directive mandating cloud environment fortification, federal agencies face a race against time to safeguard Microsoft 365 and other services. Meanwhile, proposed updates to the HIPAA security rules push healthcare organizations toward stronger PHI protection with advanced technical controls and detailed incident planning. On the global front, Operation PowerOFF turned the tables on DDoS attackers, dismantling 27 illegal platforms and curbing festive-season chaos.
NIST released two updates to help organizations evaluate their cybersecurity programs. The guidance is divided into two volumes. Volume 1 discusses technical issues in measuring information security, comparing qualitative assessments with data analysis and introducing various assessment types. Volume 2 addresses leadership's role in applying those findings and stresses the importance of strong management support. The updates aim to broaden the audience to all organizations concerned with cybersecurity.
Global law enforcement agencies seized 27 platforms used for launching DDoS attacks, leading to the arrest of three administrators in France and Germany and the identification of over 300 users. The operation, known as PowerOFF, aimed to disrupt cybercriminals' attempts to create chaos during the festive season. The platforms disrupted were used for illegal traffic flooding, causing financial loss and reputational damage.
The Bad News
A new malware technique uses a Windows accessibility system called UI Automation (UIA) to perform rogue actions without being detected by security software. Users can be tricked into running a UIA program, which can execute commands, access sensitive data, and redirect browsers to phishing sites. This method can also affect messaging apps and manipulate UI elements over a network. It can be abused to read messages, steal data, and execute harmful redirects.
A new Android banking malware called DroidBot targets over 77 cryptocurrency exchanges and banking apps. Despite its lack of unique features, DroidBot's botnets show 776 unique infections across the U.K., Italy, France, Spain, and Portugal. The malware has been active since June 2024 and operates as a MaaS platform, with affiliates customizing the tool for specific targets. DroidBot uses keylogging, overlaying, SMS interception, and VNC capabilities to steal sensitive information. It also abuses Android's Accessibility Services. Cleafy has identified at least 17 groups using this malware to customize attacks for specific targets.
A new phishing campaign has been discovered, distributing a malware variant known as AppLite Banker. This campaign mainly targets Android devices, using advanced social engineering techniques to steal personal and corporate credentials. The current attacks exploit mobile vulnerabilities through fake job application pages and banking trojans. The attackers impersonate recruiters from reputable companies, sending phishing emails that lead users to fake websites. These sites trick users into downloading a fake CRM app, which then installs the AppLite malware.