Threat Matrix: January 2025

Welcome to the first edition of Upfort’s Threat Matrix of 2025—and it was a busy one! In this edition, we cover a few new scams using malicious PDFs from USPS and Amazon impersonators, remote IT workers from North Korea extorting their employers, a security flaw that allows criminals to open cars just by knowing the license plate, and more! We cover it all, along with some actionable steps to keep your business safe. 

Want to help keep your company safe? It only takes two minutes to complete our interactive cybersecurity checklist to tell how prepared you are. Or take a free cybersecurity risk assessment, which taps Upfort’s state-of-the-art AI to surface exploitable vulnerabilities in your network.

Super Bowl LIX is expected to be a prime target for cyberattacks

With millions of viewers and extensive digital infrastructure, Super Bowl LIX (#GoBirds!) in New Orleans is a high-risk target for cyber threats. Security experts warn of potential ransomware, phishing, and malware attacks on ticketing systems, livestreaming platforms, and in-stadium IoT devices. Hacktivists and state-sponsored attackers may also attempt to disrupt the event or exploit the high-profile nature of the game to spread misinformation.

Officials are working with cybersecurity teams to strengthen network defenses, monitor for suspicious activity, and educate attendees on phishing scams. Past major sporting events have seen similar threats, including fake ticket sales, fraudulent betting schemes, and DDoS attacks targeting critical infrastructure.

How to protect your business: Companies involved in large events should secure payment systems, enforce multi-factor authentication, and educate employees on social engineering threats. Regular penetration testing and real-time threat monitoring can help prevent disruptions.

FBI warning: North Korean IT workers extorting employers

The FBI has warned that North Korean IT workers are infiltrating companies under false identities, stealing source code, and extorting employers by threatening to leak stolen data. These workers, who often operate remotely, copy company repositories to personal cloud accounts and exfiltrate sensitive credentials to gain deeper access to corporate networks.

To mitigate risks, the FBI advises businesses to apply strict access controls, monitor network traffic for unusual activity, and verify employee identities during the hiring process. Companies should also scrutinize third-party staffing firms to prevent hiring deceptive actors.

How to protect your business: Businesses should enforce the principle of least privilege, review network logs for unauthorized access, and implement stronger identity verification measures for remote hires. Monitoring for unusual login locations and payment changes can help detect fraudulent workers.

OAuth flaw exposed millions of airline users to account takeovers

A now-patched vulnerability in a major online travel services provider exposed millions of airline customers to account takeovers. The flaw, discovered by Salt Security, allowed attackers to redirect OAuth authentication credentials to a malicious server, granting them full access to airline-linked travel accounts. This could have enabled unauthorized bookings using airline loyalty points and access to sensitive personal information.

The vulnerability stemmed from a failure to verify authentication credentials, making it possible for attackers to send phishing links that appeared legitimate. Security researchers warn that similar flaws in third-party integrations are common and highlight the need for stricter authentication security measures.

How to protect your business: Companies integrating third-party authentication should enforce strict domain verification, conduct regular security audits, and educate users on phishing risks. Implementing OAuth best practices can help prevent unauthorized access.
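To make the "strict domain verification" advice concrete, here is an added example (written for this post, not code from Salt Security or the affected provider; every host, path and function name is hypothetical) that puts a loose substring check on an OAuth redirect target beside an exact-match allowlist check, which is what stops a legitimate-looking link from delivering credentials to a server the client never registered.

```python
# Added example for the OAuth redirect advice above; not code from the
# affected provider or from Salt Security. All hosts and paths are hypothetical.
from urllib.parse import urlsplit

# Constructed allowlist: the exact callback URIs the client registered.
REGISTERED_REDIRECTS = {
    "https://travel.example.com/oauth/callback",
}

def weak_is_allowed(redirect_uri: str) -> bool:
    """Substring check on the raw string. Any URL that merely contains the
    trusted hostname passes, so a host the client never registered can
    still end up receiving the authorization code or token."""
    return "travel.example.com" in redirect_uri

def strict_is_allowed(redirect_uri: str) -> bool:
    """Exact match of scheme, host, port and path against the registered
    URIs, the approach the OAuth 2.0 Security Best Current Practice
    recommends. Userinfo, fragments and unexpected queries are rejected."""
    try:
        parts = urlsplit(redirect_uri)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return False
    if parts.scheme != "https" or parts.hostname is None:
        return False
    if parts.username or parts.password or parts.fragment or parts.query:
        return False
    normalized = f"https://{parts.hostname}"  # hostname is lower-cased
    if port is not None and port != 443:
        normalized += f":{port}"
    normalized += parts.path or "/"
    return normalized in REGISTERED_REDIRECTS

def compare(redirect_uri: str) -> tuple:
    """Return (weak, strict) verdicts for one candidate redirect target."""
    return weak_is_allowed(redirect_uri), strict_is_allowed(redirect_uri)

if __name__ == "__main__":
    # Constructed candidates: the first is legitimate; the others contain the
    # trusted name but point elsewhere, so only the strict check rejects them.
    for candidate in [
        "https://travel.example.com/oauth/callback",
        "https://travel.example.com.attacker.example/oauth/callback",
        "https://travel.example.com@attacker.example/oauth/callback",
        "https://attacker.example/login?next=travel.example.com",
    ]:
        print(compare(candidate), candidate)
```

The same exact-match rule also applies to the authorization server's own check of the `redirect_uri` parameter; an allowlist that compares whole normalized URIs removes the class of "looks legitimate" links the article describes.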

Subaru Starlink flaw allowed hackers to hijack vehicles using license plates

Security researchers discovered a vulnerability in Subaru’s Starlink system that allowed attackers to take control of vehicles in the U.S., Canada, and Japan using only a license plate number. The flaw in Starlink’s admin portal enabled remote access to vehicle functions such as starting and stopping the engine, locking and unlocking doors, retrieving real-time and historical location data, and accessing customer personal information.

The vulnerability stemmed from an insecure password reset API, which let attackers take over employee accounts and bypass two-factor authentication. Subaru patched the flaw within 24 hours of disclosure, and there is no evidence that it was exploited in the wild.

How to protect your business: Businesses using connected devices should enforce strict authentication measures, regularly test for API security flaws, and ensure rapid response capabilities for newly discovered vulnerabilities.

Attackers tap malicious Amazon PDFs to steal personal data

A new phishing campaign is tricking victims with malicious PDF attachments posing as Amazon Prime membership expiration notices. Users who open the PDFs are redirected to fraudulent Amazon lookalike sites that steal personal and financial information. Researchers from Palo Alto Networks Unit 42 discovered at least 31 unique PDFs used in these scams, with phishing sites hosted on subdomains of DuckDNS.

The attackers use cloaking techniques to evade detection, redirecting security scans to benign sites while leading real victims to phishing pages. This highlights the continued reliance on email-based phishing as a primary attack vector.

How to protect your business: Train employees to recognize phishing attempts, verify unexpected emails before clicking links, and implement email filtering to block suspicious attachments. Regular phishing simulations can help improve awareness and response.

PowerSchool notifies victims of massive data breach affecting K-12 schools

Education software provider PowerSchool has begun notifying individuals affected by a December 2024 cyberattack that compromised personal data from 6,505 school districts in the U.S. and Canada. The stolen data varies by district but may include names, addresses, Social Security numbers, medical records, and student grades. While PowerSchool claims only a subset of users were affected, attackers allege they stole data on over 62 million students and nearly 10 million teachers.

PowerSchool is offering free two-year identity theft protection and credit monitoring for affected individuals. Investigations into the breach, including a report from cybersecurity firm CrowdStrike, are still ongoing.

How to protect your business: Organizations handling sensitive data should implement strict access controls, monitor systems for unusual activity, and ensure incident response plans are up to date. Encrypting personally identifiable information (PII) can also limit the impact of breaches.

USPS “smishing” scam uses malicious PDFs

Cybercriminals are impersonating the U.S. Postal Service (USPS) in a large-scale “smishing” (SMS phishing) campaign designed to steal personal and payment information. Victims receive text messages claiming their package cannot be delivered due to “incomplete address information” and are instructed to open an attached PDF. The PDF contains a malicious link leading to a phishing page that harvests user credentials and payment details under the guise of a delivery fee request.

Security researchers uncovered over 630 phishing pages and 20 malicious PDFs linked to this campaign, which has the potential to impact organizations in more than 50 countries. Attackers are using advanced evasion techniques to manipulate the structure of PDFs, making it harder for security software to detect the malicious links.

How to protect your business: Educate employees about smishing threats, implement mobile security solutions, and ensure robust endpoint protection. Avoid clicking links or downloading attachments from unsolicited messages, and verify package issues directly with official carriers.

Hackers exploit SimpleHelp RMM vulnerabilities to breach networks

Cybercriminals are actively exploiting recently patched vulnerabilities in SimpleHelp Remote Monitoring and Management (RMM) software, tracked as CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728. These flaws allow attackers to upload and download files, escalate privileges, and gain unauthorized access to target networks. Security researchers observed attacks beginning just a week after public disclosure of the flaws, with hundreds of vulnerable SimpleHelp instances still exposed online.

How to protect your business: Organizations using SimpleHelp should immediately update to the latest patched versions. If SimpleHelp was previously installed but is no longer in use, uninstall it to minimize exposure. Regularly audit remote access tools to prevent unauthorized access.

Apple fixes first actively exploited zero-day vulnerability of 2025

Apple has released security updates to patch CVE-2025-24085, the first actively exploited zero-day of the year. The flaw, found in the Core Media framework, allows malicious applications to escalate privileges on iPhones, iPads, Macs, Apple Watches, and Apple TVs. Apple acknowledged reports that attackers exploited the vulnerability in older iOS versions before iOS 17.2.

The fix, implemented through improved memory management, is included in iOS 18.3, iPadOS 18.3, macOS Sequoia 15.3, watchOS 11.3, visionOS 2.3, and tvOS 18.3. While Apple has not disclosed attack details, users are strongly advised to update their devices immediately.

How to protect your business: Businesses using Apple devices should enable automatic updates and apply security patches as soon as they become available. Consider mobile device management (MDM) solutions to ensure enterprise-wide security compliance.
