Microsoft Patch Tuesday; 8Base Ransomware Suspects Arrested; Salt Typhoon Exploited Cisco Devices

Microsoft's Patch Tuesday for February 11, 2025, includes fixes for 63 CVEs, including four rated critical severity and four zero-day flaws. Two of the zero-days are currently being actively exploited, and involve low-complexity attacks requiring no user interaction: CVE-2025-21418, CVSS score 7.8, is a "Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability," which could allow an attacker to gain SYSTEM privileges; and CVE-2025-21391, CVSS score 7.1, is a "Windows Storage Elevation of Privilege Vulnerability," which would allow an attacker to "delete targeted files." The two zero-days not known to be exploited are CVE-2025-21194, CVSS score 7.1, a high-complexity "Microsoft Surface Security Feature Bypass Vulnerability"; and CVE-2025-21377, CVSS score 6.5, an "NTLM Hash Disclosure Spoofing Vulnerability" which could result in "total loss of confidentiality" with minimal user interaction.

A collaborative operation by law enforcement from 14 countries has led to Thai authorities arresting four Russian nationals alleged to lead an extortion gang known as 8Base, who are known to employ double-extortion (both data encryption and threat of publication) using a variant of Phobos ransomware-as-a-service (RaaS). The group's laptops, phones, and cryptocurrency wallets were also confiscated, and the 8Base dark web leak site has been replaced with a banner announcing its seizure by Bavarian authorities. 8Base is suspected of extorting over 1,000 global victims, accumulating about $16 million in ransoms. If extradited to the US, the arrested individuals specifically face charges including wire fraud and "conspiracy to commit an offense against the United States." Switzerland has also requested extradition, as those arrested are also accused of "attacking 17 Swiss companies and using cryptocurrency mixing services to launder the funds received through ransom demands." Europol reports that "as a result of this operation, law enforcement was also able to warn more than 400 companies worldwide of ongoing or imminent ransomware attacks."

'Between December 2024 and January 2025, Recorded Future's Insikt Group identified a campaign exploiting unpatched internet-facing Cisco network devices primarily associated with global telecommunications providers.' The attacks appear to be the work the cyberthreat actors with ties to China's government, RedMike, also known as Salt Typhoon. This recent round of attacks exploited a pair of vulnerabilities in Cisco network devices to gain elevated privileges and alter configuration settings. The threat actors may also have targeted university systems.

Ivanti has published a security update announcing patches for 11 vulnerabilities in their products, four of which are rated critical and involve a remote unauthenticated attacker. CVE-2025-22467, CVSS score 9.9, is a stack-based buffer overflow in Ivanti Connect Secure (ICS) that allows remote code execution; CVE-2024-38657, CVSS score 9.1, allows an attacker with admin privileges to write arbitrary files via external control of a file name in ICS and Ivanti Policy Secure (IPS); CVE-2024-10644, CVSS score 9.1, is a code injection vulnerability in ICS and IPS allowing remote code execution; and CVE-2024-47908, CVSS score 9.1, allows remote code execution via "OS command injection in the admin web console" of Ivanti Cloud Services Application (CSA). Ivanti has not found evidence of any of the announced vulnerabilities being exploited, and all of them are resolved by updating to ICS 22.7R2.6, IPS 22.7R1.3, CSA 5.0.5, Ivanti Secure Access Client (ISAC) 22.8R1, and Ivanti Neurons for MDM (N-MDM) R110.

An Arizona woman has pleaded guilty to multiple charges related to her running a laptop farm that allowed North Korean nationals to pose as US citizens and obtain remote IT jobs at US companies. In all, the scheme funneled $17 million in fraudulently acquired funds through the woman's bank accounts. Some of the illegally-obtained income was reported to the US Social Security Administration and Internal Revenue Service under identities stolen from US citizens. Christina Marie Chapman pleaded guilty to conspiracy to commit wire fraud, aggravated identity theft, and conspiracy to launder monetary instruments; she faces between eight and nine years in prison.

In a Facebook post, the Sault Ste. Marie Tribe of Chippewa Indians writes that their IT systems suffered a ransomware attack on Sunday morning, February 9. 'This attack impacted multiple computer and phone systems across tribal administration, including the casinos, health centers and various businesses. In response, the Sault Tribe has had to temporarily close many departments and businesses.' The Sault Tribe's Health Division has cancelled scheduled appointments, but is accepting walk-in emergency patients.

Intel, AMD, and Nvidia each released security advisories on Tuesday, February 11, notifying customers of flaws and fixes in their products. Intel's only critical flaw, INTEL-SA-00990, comprises five CVEs that allow privilege escalation, information disclosure, or denial of service through vulnerabilities in Server Board BMC Firmware. AMD published 11 advisories, some of which are high severity and may result in arbitrary code execution, and in one case denial of service. Nvidia released four advisories, and two are high severity: CVE-2024-0112 is a flaw in NVIDIA Jetson AGX Orin and NVIDIA IGX Orin software that could lead to "code execution, denial of service, data corruption, information disclosure, or escalation of privilege" through improper input validation and privilege escalation; and CVE-2025-23359 is a flaw in NVIDIA Container Toolkit for Linux that could lead to "code execution, denial of service, escalation of privileges, information disclosure, and data tampering" via a crafted container image gaining access to the host file system due to a Time-of-Check Time-of-Use (TOCTOU) vulnerability.

The US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have published a Secure by Design fact sheet offering guidance for preventing the introduction of buffer overflow vulnerabilities into products. CISA and the FBI have 'designate[d] buffer overflow vulnerabilities as unforgivable defects,' given that 'many manufacturers continue to use unsafe software development practices that allow these vulnerabilities to persist ... despite the existence of well-documented, effective mitigations for buffer overflow vulnerabilities.' The fact sheet lists secure by design practices, including using memory-safe languages and 'conduct[ing] aggressive adversarial product testing,' as well as secure by design principles, including 'tak[ing] ownership of customer security outcomes..., embrac[ing] radical transparency and accountability, ...[and] build[ing] organizational structure and leadership to achieve these goals.'

According to a report from the US Government Accountability Office (GAO), the Maritime Transportation System (MTS) is facing cyberthreats from international threat actors and IT vulnerabilities; these threats pose risks to port operations. GAO writes that ÓAs part of its broader mission, the Coast Guard, within the Department of Homeland Security (DHS), is responsible for assessing risks to the MTS, establishing and implementing programs for addressing those risks, and facilitating the exchange of threat information with MTS owners and operators.' GAO found issues with the Coast Guard's current strategy to address MTS risks and recommends that 'the Commandant of the Coast Guard É develop and implement documented procedures to ensure the accuracy of cybersecurity incident information that the service identifies and tracks; ensure that its case management system for facility and vessel security inspections provides ready access to complete data on specific cybersecurity deficiencies identified during those inspections; ensure its cybersecurity strategy and plans address the key characteristics of an effective national strategy, including a full assessment of cybersecurity risks to the MTS; develop future competency needs for all of the service's personnel with MTS cyber responsibilities for mitigating cyber risks to the MTS and analyze the gaps between current competencies and future needs; and, using the gap analysis of current and future competency needs for personnel with MTS cyber risk mitigation responsibilities, address any gaps in competencies, such as through training.'

A free-to-play game called PirateFi, released in beta on February 6, 2025, was removed from Valve's Steam platform five days later after the company discovered its builds contained Windows malware. While Valve has not stated the type of malware involved, affected users have reported malicious takeovers of various accounts via the theft of browser cookies. TechCrunch reports "The Steam app, as well as video games themselves, typically have deep access to gamers' devices, making malware targeting gamers particularly appealing to hackers." SteamDB, a site that displays Steam metadata, estimates between 800 and 1,500 people may have acquired the game, though no more than five players were active at one time. Valve notified users who had opened the game's infected builds, and recommended running antivirus software, checking for unexpected installations, or simply reformatting the machine's operating system.