20.01.25 Threat Report

AWS Patches Multiple Vulnerabilities in Amazon WorkSpaces, Amazon AppStream 2.0, & Amazon DCV

Amazon Web Services (AWS) recently fixed two critical vulnerabilities affecting its Amazon WorkSpaces, Amazon AppStream 2.0, and Amazon DCV (Desktop Cloud Visualisation) services. The issues, tracked as CVE-2025-0500 and CVE-2025-0501, could let attackers eavesdrop on users or take over their remote sessions.

What Happened: AWS identified vulnerabilities in its remote desktop and application streaming services. CVE-2025-0500 allows attackers to intercept data sent over insecure channels in certain versions of WorkSpaces and DCV. CVE-2025-0501 impacts systems using the PCoIP protocol, which could allow hackers to access remote sessions without authorisation.

How It Was Fixed: AWS released updates for all affected versions across platforms, urging users to upgrade to the latest software versions to close these gaps.

Recommendations:

  • Update to the latest client versions. AWS has released fixes for all platforms.
  • For CVE-2025-0500, ensure your software is updated to version 5.21.0 or later on Windows/macOS and 2024.2 or later on Linux.
  • For CVE-2025-0501, update to version 5.22.1 or later on Windows/macOS, version 2024.6 on Linux, and version 5.0.1 on Android.
  • Check your cloud systems regularly for updates.
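As an added example (not code from the report or from AWS), the script below applies the minimum client versions listed above to a fleet inventory and reports which hosts are still exposed to each CVE. It assumes the thresholds apply to the client version on each platform exactly as the report states them; the inventory entries are constructed sample data.

```python
# Added example, not code from the report or from AWS: check an inventory of
# remote-desktop client installs against the minimum patched versions the report
# gives for CVE-2025-0500 and CVE-2025-0501. The inventory is constructed data.
import re
# Minimum fixed client version per platform, per CVE, as listed in the report.
MIN_FIXED = {
    "CVE-2025-0500": {"windows": "5.21.0", "macos": "5.21.0", "linux": "2024.2"},
    "CVE-2025-0501": {"windows": "5.22.1", "macos": "5.22.1", "linux": "2024.6",
                      "android": "5.0.1"},
}

def parse_version(text):
    """'5.21.0' or '2024.2' -> zero-padded int tuple; non-numeric input raises."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())  # a '-beta' style suffix is ignored
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(0).split("."))
    return parts + (0,) * (4 - len(parts))

def unpatched_cves(platform, version):
    """CVEs from the report that this platform/version is still exposed to."""
    plat = platform.strip().lower()
    installed = parse_version(version)
    exposed = []
    for cve, minimums in MIN_FIXED.items():
        # Some platform/CVE pairs have no threshold in the report; skip those.
        if plat in minimums and installed < parse_version(minimums[plat]):
            exposed.append(cve)
    return exposed

def fleet_report(inventory):
    """Map each (host, platform, version) to outstanding CVEs or a parse error."""
    report = {}
    for host, platform, version in inventory:
        try:
            report[host] = unpatched_cves(platform, version)
        except ValueError as exc:
            report[host] = [f"ERROR: {exc}"]  # never silently treat unknown as safe
    return report

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("ws-01", "windows", "5.20.3"),  # below both thresholds
    ("ws-02", "macOS", "5.21.0"),    # 0500 fixed, 0501 still open
    ("ws-03", "linux", "2024.6"),    # fully patched
    ("ws-04", "android", "5.0.1"),   # only the 0501 threshold applies
    ("ws-05", "windows", "n/a"),     # unparseable: flagged, not assumed safe
]
if __name__ == "__main__":
    for host, cves in fleet_report(SAMPLE_INVENTORY).items():
        print(host, "OK" if not cves else ", ".join(cves))
```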


Windows Common Log File System (CLFS) Zero-Day Exploited

A dangerous weakness in Windows CLFS (CVE-2024-49138) has been actively used by hackers. This allows attackers to take control of systems, which can lead to stolen data or damaged operations.

What Happened: Hackers exploited a vulnerability in the way Windows handles log files. By crafting malicious log entries, attackers bypassed system defences and escalated privileges, giving them control over the compromised systems.

This vulnerability has been linked to attacks targeting high-profile organisations like government departments and financial institutions. Attackers typically deliver the exploit via phishing emails.

Recommendations:

  • Install the latest security update from Microsoft right away.
  • Teach employees how to recognise phishing emails.
  • Use strong antivirus software to block harmful files.


Microsoft Configuration Manager Vulnerability

Microsoft’s Configuration Manager (ConfigMgr) has a flaw (CVE-2024-43468) that could let attackers take over a system by sending harmful requests. This flaw has been publicly shown in a proof-of-concept, increasing the risk of attack.

What Happened: The flaw lies in how ConfigMgr handles web requests. Attackers could send specially crafted HTTP requests to execute code, potentially exposing sensitive data or disrupting operations.

Enterprises using ConfigMgr to manage IT resources are especially at risk. If exploited, attackers could disrupt business-critical applications and steal sensitive information.

Recommendations:

  • Apply Microsoft’s patches immediately.
  • Restrict access to the Configuration Manager’s web interface.
  • Monitor system logs for any unusual activity.


TikTok Ban Enforced in the U.S.

The U.S. government has banned TikTok over worries about data security. This ban affects all current users and blocks new downloads of the app.

What Happened: The U.S. government believes TikTok’s parent company, ByteDance, might share user data with the Chinese government. TikTok denies this claim but has been removed from app stores in the U.S., and users can no longer access it.

The ban affects millions of users, including businesses that rely on TikTok for marketing. It also signals growing tensions between the U.S. and China over technology and data security.

Recommendations:

  • Businesses relying on TikTok should start using other platforms for advertising.
  • Review all apps on your devices for potential privacy risks.
  • Be cautious about sharing personal information on social media.


U.S. Sanctions Chinese Cybersecurity Firm Over Treasury Hack

The U.S. has sanctioned a Chinese company for its part in a cyberattack on the Treasury Department. The attack stole sensitive information and has been linked to a group called “Salt Typhoon.”

What Happened: Hackers used vulnerabilities in the Treasury’s IT systems to steal sensitive data. The Chinese firm involved is accused of developing tools and infrastructure that supported the attack.

The attack highlights the threat of state-sponsored cybercrime and emphasises the need for governments to strengthen their defences against sophisticated attackers.

Recommendations:

  • Use a zero-trust security model to reduce risks from third-party providers.
  • Regularly review contracts with IT vendors to ensure they meet security standards.
  • Monitor networks for suspicious behaviour.


Medusa Ransomware Group Claims Attack on Gateshead Council

The Medusa ransomware gang has attacked Gateshead Council in England, demanding $600,000 to delete stolen files. Sensitive data from residents and council workers has already been leaked.

What Happened: The attackers gained access to Gateshead’s systems on January 8, 2025. They leaked a 31-page slideshow containing personal information such as names, phone numbers, job applications, and financial spreadsheets.

Residents and employees face risks such as identity theft and fraud. The council has since contained the attack and reported it to the Information Commissioner’s Office (ICO).

Recommendations:

  • Back up important data regularly and store it offline.
  • Train staff to spot phishing emails that may lead to ransomware attacks.
  • Use advanced security tools to detect and stop ransomware activities.


Stay Ahead with Periculo’s Weekly Threat Feed

Stay ahead of cyber threats with real-time updates from Periculo’s Weekly Threat Feed. Learn about the latest risks and how to protect your business.

Sign up now to get expert advice straight to your inbox and stay one step ahead of hackers.
