Threat Briefing: January 24, 2025

Threat Intel Update

Cyber threat actors do not always invest in new malware. They often repurpose existing tooling, extend it with new capabilities, or revive older families, even ones whose infrastructure was previously taken down.

While these actors continuously seek ways to compromise systems, security researchers are working to uncover vulnerabilities before they are exploited. This week, critical flaws were disclosed in a signed UEFI application shipped with several system-recovery products, which can be abused to bypass Secure Boot and tamper with a computer's boot process, and in LTE and 5G implementations, where they could be used to disrupt cellular service.

In addition, the U.S. government announced further actions to disrupt North Korea’s efforts to infiltrate U.S. companies with fake IT workers, aiming to cut off a key revenue stream that funds the North Korean government.

Cybersecurity News

  • Lumma Infostealer Distributed Through Fake Reddit Pages and WeTransfer Service – Cyber threat actors have created approximately 1,000 fake Reddit pages posing as threads in which users ask for help with various online tools and applications. The fake replies share a link that claims to point to the WeTransfer file-sharing service but actually leads to a malicious site impersonating it. Victims who download the offered file receive the Lumma stealer malware. Bleeping Computer
  • BackConnect Malware Enhanced to Collect System Information, Links to QakBot Identified – Researchers have discovered that the BackConnect (BC) module is also being used by the ZLoader malware. The analyzed BC modules contained references to QakBot and had gained the ability to collect system information from the host. QakBot's infrastructure was seized in a 2023 law enforcement operation, which significantly reduced the number of campaigns leveraging QakBot; the module's reuse by ZLoader shows that the underlying tooling has outlived the takedown. The Hacker News
  • Multiple System Recovery Programs Contain Vulnerability Impacting UEFI Process – The vulnerability could enable a cyber threat actor to inject malware into the startup process of UEFI devices. Researchers identified seven recovery products that ship a signed UEFI application which loads further binaries without verifying their signatures, effectively bypassing the UEFI Secure Boot check. Exploitation requires administrator privileges, because the attacker must already be able to write the malicious binary to the EFI system partition. The flaw was reported to Microsoft in July 2024, and Microsoft addressed it by revoking the vulnerable binaries in the January 2025 Patch Tuesday update. The revocation only protects systems on which the updated forbidden-signatures list (dbx) has actually been applied, so administrators should verify that the update reached their fleet rather than assume it. Dark Reading
  • Security Researchers Find Over 100 Vulnerabilities Impacting 5G and LTE Implementations – The vulnerabilities affect seven LTE implementations and three 5G implementations, potentially allowing cyber threat actors to disrupt services and gain unauthorized access to cellular networks. Exploiting these vulnerabilities could enable attackers to interfere with cellular messaging, phone calls, and data connections. Threat actors could take advantage of these flaws either through access to a compromised base station or from an unauthenticated mobile device. The Hacker News
  • Multiple Individuals Indicted for Supporting North Korea’s Information Technology Worker Scheme – Two U.S. nationals, a Mexican national, and two North Korean nationals have been indicted for their involvement in a scheme to help the North Korean government generate revenue. Between April 2018 and August 2024, the individuals secured employment with over 60 U.S. companies, funneling more than $800,000 to the North Korean government. Two individuals were arrested in the U.S. for their roles in the operation, with one found in possession of victim company laptops at his home, where he had installed remote access software to facilitate unauthorized work by North Korean operatives for U.S. firms. U.S. Department of Justice
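The UEFI item above ends with a revocation, and the practical question for an administrator is whether that revocation has reached a given machine. The following script is an added example, not code from the briefing, from Microsoft, or from the affected vendors. It parses the UEFI dbx variable, which is a concatenation of EFI_SIGNATURE_LIST structures as defined in the UEFI specification, and checks whether a given SHA-256 image hash is listed. The efivarfs path for Linux is the standard one, but the hashes in SAMPLE_DBX are constructed for the example; the real revoked hashes are those in Microsoft's DBX update, which this page does not list.

```python
"""Check whether a Secure Boot revocation has reached a machine's dbx.

Added example (not from the briefing or Microsoft). dbx is a concatenation of
EFI_SIGNATURE_LIST structures; Microsoft's revocations are EFI_CERT_SHA256
entries holding the Authenticode hash of each revoked PE image. The hashes in
SAMPLE_DBX are constructed for this example and are not real revocations.
"""
import hashlib
import struct
import uuid

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Vendor GUID that owns the db/dbx variables (EFI_IMAGE_SECURITY_DATABASE_GUID).
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"

# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian).
SIGLIST_HEADER = struct.Struct("<16sIII")


def parse_signature_lists(blob: bytes):
    """Yield (signature_type, owner_guid, signature_data) for every entry."""
    off = 0
    while off < len(blob):
        if off + SIGLIST_HEADER.size > len(blob):
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        type_raw, list_size, hdr_size, sig_size = SIGLIST_HEADER.unpack_from(blob, off)
        if list_size < SIGLIST_HEADER.size or off + list_size > len(blob) or sig_size < 16:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        sig_type = uuid.UUID(bytes_le=type_raw)
        pos = off + SIGLIST_HEADER.size + hdr_size   # skip the optional SignatureHeader
        end = off + list_size
        while pos + sig_size <= end:
            # Each entry is EFI_SIGNATURE_DATA: SignatureOwner GUID + SignatureData.
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield sig_type, owner, blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end


def revoked_sha256_hashes(dbx: bytes) -> set:
    """Lower-case hex image hashes listed in dbx; x509 entries are ignored."""
    return {data.hex() for sig_type, _, data in parse_signature_lists(dbx)
            if sig_type == EFI_CERT_SHA256_GUID and len(data) == 32}


def is_revoked(dbx: bytes, image_sha256_hex: str) -> bool:
    """True if the given (Authenticode) SHA-256 image hash is in dbx."""
    return image_sha256_hex.lower() in revoked_sha256_hashes(dbx)


def load_dbx_linux(path: str = f"/sys/firmware/efi/efivars/dbx-{EFI_IMAGE_SECURITY_DATABASE_GUID}") -> bytes:
    """Read dbx through efivarfs; the first four bytes are the variable attributes."""
    with open(path, "rb") as f:
        return f.read()[4:]


def build_sha256_list(hashes_hex, owner: uuid.UUID = uuid.UUID(int=0)) -> bytes:
    """Build one EFI_SIGNATURE_LIST of SHA-256 entries (used to construct the sample)."""
    sig_size = 16 + 32
    body = b"".join(owner.bytes_le + bytes.fromhex(h) for h in hashes_hex)
    return SIGLIST_HEADER.pack(EFI_CERT_SHA256_GUID.bytes_le,
                               SIGLIST_HEADER.size + len(body), 0, sig_size) + body


# Constructed sample: digests of made-up names stand in for revoked boot
# binaries. They are NOT the hashes Microsoft revoked in January 2025.
REVOKED_A = hashlib.sha256(b"constructed revoked recovery loader A").hexdigest()
REVOKED_B = hashlib.sha256(b"constructed revoked recovery loader B").hexdigest()
NOT_REVOKED = hashlib.sha256(b"constructed still-trusted loader").hexdigest()
SAMPLE_DBX = build_sha256_list([REVOKED_A, REVOKED_B])

if __name__ == "__main__":
    # On a real host: dbx = load_dbx_linux(), and hash the .efi file from the
    # ESP with its Authenticode hash (sbverify/pesign), not a plain file hash.
    for h in (REVOKED_A, NOT_REVOKED):
        print(h[:16], "revoked" if is_revoked(SAMPLE_DBX, h) else "not revoked")
```

Two caveats when using this against a real system. First, dbx entries are Authenticode hashes of the PE image (the hash that excludes the checksum and certificate-table fields), so a plain SHA-256 of the .efi file will not match; compute the PE hash with a tool such as sbverify or pesign. Second, on Windows the same signature-list blob is available through the Get-SecureBootUEFI cmdlet (`-Name dbx`), without the four-byte efivarfs attribute prefix.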


About the Author

CampusGuard Threat Intel Team