This month’s highlights: critical Microsoft flaws, hackers exploiting unusual UserAgents, and North Korean IT workers stealing data and extorting businesses.
In the news:
- Unusual UserAgents drive surge in account takeovers
- Critical Windows flaw enables code execution
- North Korean IT workers extorting global organisations
- Outlook vulnerability enables malicious email attacks
Surge in unusual UserAgents linked to account takeovers
The Kocho Security Operations Centre (SOC) has detected a rise in account takeovers involving unusual UserAgents during successful malicious logins.
We’ve identified attackers leveraging UserAgents such as Axios, a popular JavaScript HTTP client, to automate sign-in attacks like credential stuffing or brute force attempts.
Our analysts also note that these attacks are often paired with access to services such as OfficeHome, and advise that combining both conditions in a single KQL query improves detection.
Additional suspicious UserAgents like “curl” and “Python” have also been observed during malicious activity. Expanding detection queries to include these UserAgents can offer broader coverage and improved incident response.
Recommendations
- Use combined KQL queries to detect Axios and OfficeHome activity
- Expand UserAgent monitoring to include “curl” and “Python”
- Track unusual UserAgents to identify and mitigate threats
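The detection described above, written out as an added example rather than a query from Kocho's SOC. It assumes the Microsoft Sentinel SigninLogs table (populated from Microsoft Entra ID sign-in logs); the seven-day window and the agent list are constructed starting points to tune. It goes slightly beyond the text by reporting all applications, with OfficeHome flagged and sorted to the top, so the broader "curl" and "Python" coverage and the higher-confidence Axios-plus-OfficeHome pairing come from one query.

```kql
// Added example query, not Kocho's own. Assumes the Sentinel SigninLogs table.
// The 7-day window and the agent list are constructed assumptions to tune.
let suspiciousAgents = dynamic(["axios", "curl", "python"]);
SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType == "0"                      // successful sign-ins only (string "0" in SigninLogs)
| where UserAgent has_any (suspiciousAgents)   // term match: "axios/1.6.2", "python-requests/2.31", "curl/8.4"
| extend OfficeHomeAccess = AppDisplayName == "OfficeHome"   // the pairing the SOC observed
| summarize SignIns   = count(),
            SourceIPs = make_set(IPAddress, 20),
            Agents    = make_set(UserAgent, 5),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated)
          by UserPrincipalName, AppDisplayName, OfficeHomeAccess
| order by OfficeHomeAccess desc, SignIns desc
```

Rows where OfficeHomeAccess is true are the ones the SOC's pairing singles out; the remaining rows give the wider coverage for scripted clients and will need an allow-list for any legitimate automation accounts that sign in with these agents.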
Critical Windows vulnerability requires immediate attention
Microsoft has disclosed a high-severity vulnerability (CVSS 7.8) impacting Windows Server 2025, Windows 10, and Windows 11, which could allow attackers to execute arbitrary code with elevated privileges.
A proof-of-concept exploit has been released, targeting a flaw in Windows Registry memory management.
Microsoft has released security updates, including KB5036980 Preview and KB5037771, to address the flaw.
We strongly urge all clients to apply these patches immediately and review their access controls, audit protocols, and user training to enhance defences.
Recommendations
- Apply patches promptly across all affected systems
- Strengthen access controls by limiting administrative privileges
- Conduct regular audits to uncover and address security gaps
- Enhance user training to combat phishing and social engineering
- Monitor and validate systems for unusual activity
Refer to Microsoft’s advisory (CVE-2024-43641) for detailed guidance.
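A check for devices that still report the CVE named above, added here as an example and not taken from Microsoft's advisory or Kocho's tooling. It assumes the Defender XDR advanced hunting table DeviceTvmSoftwareVulnerabilities, which records the CVEs each onboarded device is exposed to and the security update that addresses them.

```kql
// Added example query, not Kocho's or Microsoft's own.
// Assumes the Defender XDR table DeviceTvmSoftwareVulnerabilities is populated.
// The CVE identifier is the one referenced in this bulletin.
DeviceTvmSoftwareVulnerabilities
| where CveId == "CVE-2024-43641"
| summarize DeviceCount = dcount(DeviceId),
            Devices     = make_set(DeviceName, 100)
          by OSPlatform, VulnerabilitySeverityLevel,
             RecommendedSecurityUpdateId, RecommendedSecurityUpdate
| order by DeviceCount desc
```

An empty result means no onboarded device still reports the CVE; any rows returned list the devices to patch, grouped by the update that resolves it.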
FBI warns of North Korean IT workers extorting employers
The FBI has issued a warning about North Korean IT workers posing as remote freelancers to infiltrate businesses, steal proprietary data, and extort employers.
Refusal to pay often results in the public release of sensitive information.
A statement on the FBI website says:
These workers, using forged identities, target organisations in the US, Europe, and East Asia. Their earnings, which fund the North Korean government, are increasing as tactics evolve to exploit remote work.
Security researchers have reported a rise in insider attacks and data exfiltration from platforms like GitHub. Recent indictments revealed that five individuals generated over $866,000 for North Korea through these schemes.
Recommendations
- Strengthen applicant screening with identity verification
- Cross-check resumes and contact information for patterns or inconsistencies
- Raise staff awareness of these schemes
- Monitor communication accounts and data for suspicious activity
- Conduct in-person hiring where feasible to verify identities
Microsoft Outlook vulnerability
A critical vulnerability (CVSS 9.8) in Microsoft Outlook was disclosed on January 14, enabling attackers to remotely execute code on a victim’s device without user interaction.
The flaw exploits Windows Object Linking and Embedding (OLE) functionality, allowing malicious emails to trigger the vulnerability simply by being opened or previewed in Outlook.
Recommendations
Microsoft has released a patch to address the issue, but until it is applied, the following mitigations are recommended:
- Read emails in plain text to minimise risks from malicious OLE objects
- Avoid RTF attachments from unknown or untrusted sources
- Limit user permissions to critical systems to reduce damage potential
Ensure systems are updated immediately to reduce exposure to this low-effort, high-impact attack vector.
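To support the RTF attachment recommendation, an added hunting query (not from Kocho or Microsoft) that lists RTF attachments delivered from outside the organisation. It assumes the Defender for Office 365 advanced hunting tables EmailAttachmentInfo and EmailEvents; the internal domain and the seven-day window are constructed placeholders.

```kql
// Added example query, not Kocho's own. Assumes the Defender for Office 365
// tables EmailAttachmentInfo and EmailEvents.
// "example.com" and the 7-day window are constructed placeholders to replace.
let internalDomain = "example.com";
EmailAttachmentInfo
| where Timestamp > ago(7d)
| where FileName endswith ".rtf" or FileType =~ "rtf"
| join kind=inner (
    EmailEvents
    | where Timestamp > ago(7d)
    | where DeliveryAction == "Delivered"           // only mail that reached a mailbox
    | project NetworkMessageId, RecipientEmailAddress, Subject, SenderFromDomain
  ) on NetworkMessageId, RecipientEmailAddress
| where SenderFromDomain != internalDomain          // external senders only
| project Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, FileName, SHA256
| order by Timestamp desc
```

The join on both NetworkMessageId and RecipientEmailAddress keeps one row per recipient, so the output can be used directly to decide which mailboxes to review before the patch is rolled out.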
From our blog: Why SOCs need to move out of their silos
Cyber criminals are waging a new kind of war, but too many SOCs are still fighting yesterday’s battles.
Modern attackers thrive by exploiting the interconnected nature of systems, using graph-based strategies to outsmart defenders.
Yet, many SOCs are stuck in outdated, siloed approaches that leave critical gaps ripe for exploitation.
To stay ahead, they need to adopt their adversaries’ playbook, shifting from fragmented defences to unified, proactive strategies.
So, what’s holding them back?
Let's talk!
30-day free trials and flexible contracts
Book a free Discovery Call and learn more about our AI-powered security operations service, XDR Rapid Protect.
Get more information on:
- 30-day free trials for new partnerships
- Flexible, 30-day contracts (no lock-in)
- Microsoft-funded proof of concepts