TLP: CLEAR - This information may be shared publicly
eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.
2025/01/30
Bottom Line: TAG-124's sophisticated Traffic Distribution System (TDS) infrastructure, used by multiple cybercriminal groups to distribute malware via compromised sites and fake updates, necessitates increased organizational vigilance in user education and deployment of detection and blocking solutions.
On January 30th, Recorded Future released a report on TAG-124, a sophisticated Traffic Distribution System (TDS) infrastructure used by multiple cybercriminal groups. TDSs were initially created to enable the management of incoming traffic from various sources. TDS infrastructure has been adopted by cybercriminals to direct web traffic of unsuspecting users from online advertisements to the final malicious website.
According to Recorded Future, TAG-124’s TDS is made up of a large number of compromised WordPress websites. When an unsuspecting user visits a compromised site, an embedded script loads additional resources from the attacker-controlled domain, and if the user meets the listed requirements, such as geolocation or browser type, they are redirected to a fake browser update page or a fake CAPTCHA authentication request (ClickFix). Interaction with these pages will result in the distribution of malware.
Various threat actor groups pay to have the TAG-124 TDS redirect users to their specific payloads. A central management panel allows threat actors to perform actions such as updating the URLs and changing the logic and infection tactics. This TDS has led to users being infected with both malware and ransomware, including Rhysida ransomware, Interlock ransomware, TA866/Asylum Ambuscade, SocGholish, D3F@CK Loader, and TA582, among others.
TAG-124’s TDS is highly complex and regularly updated. Its use enables the widespread distribution of malware by multiple threat actor groups and increases the difficulty of investigations. Barring significant law-enforcement actions, use of TAG-124 TDS is expected to continue and grow throughout 2025.
Cybercriminal services, such as traffic distribution or renting malware from Malware-as-a-Service (MaaS) offerings, show the complexity of the current threat landscape. Threat actors rarely work in full isolation, as they can purchase access to both tools and infrastructure. This reduces the technical requirements and development time to carry out a campaign, enabling less skilled actors to conduct attacks and highly skilled actors to hone specific aspects of their campaigns.
To combat this activity, organizations are strongly encouraged to conduct user awareness training for popular web-based malware delivery tactics, such as fake browser updates and the ClickFix initial access vector; for more information on ClickFix, specifically its use to deliver Lumma Stealer malware, see the eSentire TRU Intelligence Briefing for December 2024. Additionally, organizations can implement DNS and web-filtering solutions to prevent users from accessing malicious websites. Lastly, ensuring that an Endpoint Detection and Response (EDR) product is deployed across all workstations and servers will greatly assist in the prevention and detection of malware when a user is successfully compromised. The eSentire Threat Intelligence team is actively tracking this topic and performing threat hunts for customers based on observed Indicators of Compromise (IoCs). Additionally, the eSentire product suite includes a variety of detections for malware and ransomware known to be delivered via the TAG-124 TDS.
Bottom Line: A critical vulnerability in Zyxel CPE devices tracked as CVE-2024-40891 is being actively exploited by threat actors. As there are currently no security patches available from Zyxel, it is advised to apply recommended mitigation actions to reduce the likelihood of exploitation and enhance monitoring of Zyxel devices.
On January 28th, researchers from GreyNoise published information on an actively exploited vulnerability in Zyxel CPE Series devices. The vulnerability was initially reported to Zyxel in June 2024, and VulnCheck publicly disclosed it in August of 2024. At the time of writing, Zyxel has not acknowledged the issue or released security patches.
The vulnerability, tracked as CVE-2024-40891 (CVSS: N/A), is a command injection vulnerability due to improper input validation in the telnet management interface of Zyxel CPE devices. Successful exploitation of the vulnerability would enable threat actors to execute arbitrary commands on impacted devices, leading to data exfiltration, network infiltration, or system compromise. According to Censys data, roughly 1,500 Zyxel CPE Series devices are currently at risk of exploitation, with the majority being located in the Philippines, Turkey, the United Kingdom, France, and Italy.
GreyNoise chose to share information on these attacks due to recent high volumes of malicious activity exploiting CVE-2024-40891. According to the report, an exploit for the vulnerability has been added to the Mirai botnet. Mirai is malware first discovered in late 2016 that is used to conduct Distributed Denial of Service (DDoS) attacks. In the past, Mirai was responsible for DDoS attacks against online platforms such as Twitter, Reddit, and Spotify. The malware targets Linux-based devices running on ARC processors, locating them through internet-wide scans. It attempts to exploit any vulnerabilities present on the device or to gain access with default credentials. Once a device is infected, it is added to the botnet as a zombie and is available for the threat actors to utilize.
As security patches to address CVE-2024-40891 are not currently available, and exploitation is ongoing, this is a highly concerning situation. Organizations are strongly encouraged to restrict access to the Zyxel administrative interface, disable unused remote management features, and monitor for unusual telnet requests targeting Zyxel CPE management interfaces. When security patches are released, they should be applied immediately.
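The monitoring recommendation above can be turned into a simple detection. The following is an added example, not code from eSentire, GreyNoise or Zyxel: it reads firewall connection log lines in a constructed netfilter-style format (the field names and the sample addresses are assumptions, not real Zyxel output), keeps only TCP/23 connections to the management interface, drops those from an assumed internal management subnet, and reports the remaining sources together with how often each one tried. The same allowlist is what an inbound firewall rule restricting the administrative interface would enforce.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample log lines (assumed netfilter-like format; not Zyxel output).
# 192.0.2.10 stands in for the CPE management interface.
SAMPLE_LOG = """\
Jan 28 01:12:03 gw kernel: IN=wan OUT= SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=51532 DPT=23 SYN
Jan 28 01:12:04 gw kernel: IN=wan OUT= SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=51533 DPT=23 SYN
Jan 28 01:12:09 gw kernel: IN=lan OUT= SRC=10.10.0.5 DST=192.0.2.10 PROTO=TCP SPT=40211 DPT=23 SYN
Jan 28 01:13:17 gw kernel: IN=wan OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=60000 DPT=443 SYN
Jan 28 01:14:30 gw kernel: IN=wan OUT= SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=51540 DPT=23 SYN
Jan 28 01:15:02 gw kernel: IN=wan OUT= SRC=198.51.100.99 DST=192.0.2.10 PROTO=TCP SPT=33000 DPT=23 SYN
"""

# Assumption: only this internal management subnet may reach the telnet interface.
MANAGEMENT_ALLOWLIST = [ipaddress.ip_network("10.10.0.0/24")]
TELNET_PORT = 23

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Extract source, destination, protocol and destination port; None if the line does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "src": ipaddress.ip_address(m["src"]),
        "dst": m["dst"],
        "proto": m["proto"],
        "dpt": int(m["dpt"]),
    }


def is_allowed_source(addr):
    """True if the source address falls inside an allowlisted management network."""
    return any(addr in net for net in MANAGEMENT_ALLOWLIST)


def find_unexpected_telnet(log_text):
    """Return (alerts, per-source counts) for telnet attempts from non-allowlisted hosts."""
    alerts = []
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["proto"] != "TCP" or ev["dpt"] != TELNET_PORT:
            continue  # not a telnet connection attempt
        if is_allowed_source(ev["src"]):
            continue  # legitimate management traffic
        counts[str(ev["src"])] += 1
        alerts.append(f"unexpected telnet to {ev['dst']} from {ev['src']}")
    return alerts, counts


def repeat_offenders(counts, threshold=3):
    """Sources that hit the telnet interface at least `threshold` times (scan/brute-force pattern)."""
    return sorted(src for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    alerts, counts = find_unexpected_telnet(SAMPLE_LOG)
    for a in alerts:
        print(a)
    print("repeat offenders:", repeat_offenders(counts))
```

In production the log source would be the perimeter firewall or a flow collector rather than an inline string, and the threshold would be tuned to the environment; the point is that any telnet connection to a CPE management interface from outside the management allowlist is worth an alert on its own.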
Currently, most attacks targeting this vulnerability have been observed originating from Taiwan; however, this is likely to change due to the publication of this successful campaign and the lack of security patches. The eSentire product suite maintains detections for known Mirai botnet activity, and the eSentire Threat Intelligence team is actively tracking this topic for additional details and detection opportunities.
Bottom Line: The Chinese AI model, DeepSeek R1, has created major concerns regarding data privacy and potential abuse by cybercriminals. At this time, organizations are recommended to prevent the use of DeepSeek R1 on corporate devices.
On January 27th, KELA released a report on the vulnerabilities of DeepSeek R1, a Chinese AI model with advanced reasoning capabilities. DeepSeek R1 is trained on the DeepSeek-V3 base model, with large-scale reinforcement learning (RL) applied during post-training. However, the model lacks robust safety guardrails, making it vulnerable to jailbreaking techniques that were disclosed and patched in other models over two years ago. The "Evil Jailbreak," a method initially used against ChatGPT 3.5, was successfully applied to DeepSeek R1. The test results revealed that DeepSeek R1 provided detailed instructions for creating infostealer malware and included additional suggestions for purchasing stolen data from underground marketplaces. Unlike newer AI models such as GPT-4 and GPT-4o, which have patched such vulnerabilities, DeepSeek R1 remains susceptible to outdated jailbreak methods. KELA’s Red Team demonstrated that DeepSeek R1 fabricated information about OpenAI employees, generating false details such as email addresses, phone numbers, and salaries, violating privacy and confidentiality considerations.
In a separate post, a security researcher revealed a new cyberattack campaign, dubbed the “Fake DeepSeek Campaign,” in which threat actors target macOS users by leveraging fake applications and malicious payloads to distribute Poseidon Stealer. Additionally, Wiz Research discovered a publicly accessible ClickHouse database associated with DeepSeek, which granted full control over database operations and exposed over a million lines of log streams. These logs contained chat history, secret keys, backend details, API secrets, and other highly sensitive information. Further investigations conducted by Unit42 revealed that DeepSeek models are vulnerable to multiple jailbreaking techniques, including Deceptive Delight, Bad Likert Judge, and Crescendo. Researchers found that these jailbreaks could generate detailed instructions for keylogger creation, data exfiltration, and even incendiary devices (creating dangerous items like Molotov cocktails).
As highlighted in the report by KELA, DeepSeek R1 operates under China’s strict data regulations, which mandate data sharing with authorities. Chinese tech companies, from Huawei to TikTok, have consistently faced allegations of being linked to the Chinese state, raising concerns that this connection could result in the harvesting of people's data for intelligence purposes. DeepSeek's privacy policy reveals that the platform collects a wide range of personal information from users, including email addresses, phone numbers, dates of birth, chat histories, and even technical data like IP addresses and keystroke patterns. This data is stored on servers in China and used to improve the platform's safety, security, and stability. However, the policy also states that user data may be shared with third parties, including service providers, advertising partners, and corporate groups. The potential for mandatory data sharing with the Chinese government raises significant concerns about user privacy and security. Italy's Data Protection Authority recently released a press release stating that it will be blocking access to DeepSeek over privacy concerns.
The vulnerabilities highlighted for DeepSeek R1 are concerning because, in real-world scenarios, the model could be exploited to facilitate the creation of malicious scripts, the theft of sensitive data, or the development of weapons. The model’s transparency in reasoning (e.g., showing step-by-step logic) inadvertently opens doors for adversarial attacks, making it easier for attackers to manipulate the AI to serve harmful purposes. As demonstrated by KELA’s Red Team, such AI models must undergo extensive testing to ensure vulnerabilities are identified before widespread adoption. Regular updates and patches to address emerging threats will also be vital.
According to the Wiz Research team, “much of the attention around AI security is focused on futuristic threats, the real dangers often come from basic risks—like accidental external exposure of databases. These risks, which are fundamental to security, should remain a top priority for security teams”. eSentire MDR for GenAI provides metric-driven visibility into your company’s Generative AI (GenAI) workforce insights and application usage, allowing you to monitor risks before they become business-critical events. It eliminates blind spots and provides workforce insights so you can monitor employee GenAI usage, including applications, prompts, file sharing, trends and more. This enables you to have comprehensive visibility to inform your governance framework, understand potential risks, and ensure policy adherence.
The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.
Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.