Unbounded Filename Handling Exposes Memory Corruption Risk
A newly identified vulnerability highlights a serious weakness in how the untgz utility within zlib handles user input. In affected builds, a specially crafted command-line argument can trigger a global buffer overflow before any archive content is even processed. The issue originates from copying an archive name directly into a fixed-size memory buffer without validating its length, allowing oversized inputs to overwrite adjacent memory regions. Because this operation occurs immediately when the program starts, attackers do not need to bypass parsing logic or craft complex payloads to cause failure. Security testing has shown that excessively long filenames reliably lead to memory corruption, potentially resulting in crashes or unpredictable behavior. Depending on compilation settings and system architecture, this flaw could extend beyond denial-of-service scenarios and open the door to more severe exploitation. The use of unsanitized argv input and unsafe string operations makes this zlib issue particularly concerning for affected environments.
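As an added illustration (constructed here, not the untgz source itself), the weak pattern described above next to a bounded copy that rejects oversized archive names before anything is written; the buffer size and function names are assumptions:

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the fixed-size global buffer that receives the
 * archive name taken from argv. The real size in untgz is not assumed here. */
#define ARCNAME_MAX 64
static char arcname[ARCNAME_MAX];

/* Weak pattern: strcpy() trusts argv and writes past the end of arcname as
 * soon as the argument is ARCNAME_MAX bytes or longer. Shown for contrast
 * only; it is never called in this example. */
void set_arcname_unchecked(const char *arg)
{
    strcpy(arcname, arg);             /* no length check: overflow */
}

/* Hardened pattern: measure first, reject anything that would not fit
 * together with its NUL terminator, then copy with an explicit length.
 * Returns 0 on success, -1 when the input is rejected (buffer untouched).
 * argv strings are guaranteed NUL-terminated, so strlen() is safe here. */
int set_arcname_checked(const char *arg)
{
    size_t len = strlen(arg);
    if (len >= ARCNAME_MAX)           /* no room for the terminator */
        return -1;
    memcpy(arcname, arg, len + 1);    /* copies the terminator too */
    return 0;
}

const char *current_arcname(void)
{
    return arcname;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s archive.tgz\n", argv[0]);
        return 2;
    }
    if (set_arcname_checked(argv[1]) != 0) {
        fprintf(stderr, "archive name too long (max %d bytes)\n", ARCNAME_MAX - 1);
        return 1;
    }
    printf("archive: %s\n", current_arcname());
    return 0;
}
```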
Active Exploitation Raises Urgency for Self-Hosted Git Servers
US authorities are warning of an actively abused high-severity flaw in the self-hosted Git platform Gogs, now formally listed in CISA’s Known Exploited Vulnerabilities catalog. The issue, tracked as CVE-2025-8110, affects how the application processes symbolic links via its PutContents API. By abusing this behavior, authenticated users can write beyond repository boundaries and overwrite sensitive files on the host system. In real-world attacks, this capability has been leveraged to manipulate Git configuration files in ways that enable remote code execution. Researchers observed the vulnerability being exploited as a zero-day, even bypassing earlier protections added for similar weaknesses. Large-scale compromise has already been confirmed, with hundreds of exposed servers affected worldwide. Although a fix is in development, no official patch has been released yet, leaving unprotected Gogs instances vulnerable to ongoing exploitation and malicious payload deployment.
Innovative Infrastructure Helps a New Ransomware Strain Stay Hidden
Cybersecurity researchers are warning about a low-profile but technically advanced ransomware family that has begun appearing in real-world attacks. Known as DeadLock, the malware stands out for its unusual reliance on blockchain technology, specifically by abusing Polygon smart contracts to store and rotate proxy server addresses. This method allows DeadLock to evade traditional takedown efforts and bypass many network-based defenses. Multiple DeadLock variants have already been observed, enabling attackers to frequently change infrastructure without relying on conventional command-and-control setups. Unlike established ransomware operations, DeadLock is not linked to affiliate programs and does not operate a data leak site, which has helped it avoid broader attention. Analysis shows that DeadLock removes recovery options, encrypts files, and pressures victims through system modifications. Although current victim numbers appear limited, researchers caution that DeadLock’s evolving techniques could pose a growing threat if ignored.
Banking Malware Campaigns Exploit Trust in Mobile Applications
A recently identified Android threat highlights how mobile malware continues to evolve through blended attack techniques. Known as deVixor, the malware has been observed in targeted campaigns aimed primarily at users in Iran, where attackers distribute malicious APK files through phishing websites impersonating legitimate automotive companies. Once installed, deVixor focuses heavily on harvesting sensitive financial data by monitoring SMS messages, enabling it to intercept one-time passwords, login credentials, account information, and banking or cryptocurrency notifications. Beyond data theft, deVixor also incorporates ransomware-like capabilities, allowing operators to remotely lock infected devices and present payment demands. Victims are instructed to pay the ransom in Tron cryptocurrency to regain access. The combination of credential interception and device locking significantly raises the risk to affected users, demonstrating how deVixor blends traditional banking malware behavior with extortion techniques to maximize pressure and potential financial gain.
Major Conglomerate Investigates Scope of Cyber Incident
South Korean conglomerate Kyowon Group has confirmed that a ransomware attack disrupted its internal systems and resulted in the exfiltration of data. The incident occurred in January and led to widespread service outages, with a large portion of the company’s server infrastructure reportedly affected. Kyowon stated that an external data leak has been verified, but investigations are still ongoing to determine whether customer information was included. The company has notified national cybersecurity authorities and is working with external security experts to assess the full impact. Restoration of online services is said to be in its final stages, while no ransomware group has publicly claimed responsibility for the attack. The Kyowon incident follows a series of major cyber incidents affecting South Korean organizations, reinforcing concerns around ransomware activity, operational disruption, and the potential exposure of sensitive personal and corporate data.
Accidental Email Leads to Widespread Partner Data Exposure
Cloud commerce distributor Pax8 has acknowledged an internal error that resulted in the unintended disclosure of sensitive business data linked to around 1,800 managed service provider partners. The incident occurred when a spreadsheet was mistakenly shared via email with a limited number of UK-based recipients. While no personally identifiable information was involved, the exposed data included extensive commercial and operational details such as customer and partner identifiers, Microsoft licensing information, product SKUs, quantities, renewal timelines, and financial booking metrics. The dataset reportedly contained tens of thousands of records, offering a detailed view into customer environments and licensing footprints that would normally remain restricted. Pax8 acted quickly to recall the message, request confirmation of deletion, and initiate direct follow-ups with recipients. The company also launched an internal review to prevent similar incidents, as concerns grow that such datasets could be misused for competitive intelligence or targeted cybercrime.
Conclusion
The accidental exposure of sensitive partner and licensing data highlights how even internal operational mistakes can create serious security and business risks. Incidents like this underscore the importance of strong data handling processes, rapid incident response, and awareness of how leaked information can be leveraged by competitors or cybercriminals.
As ransomware and cybersecurity experts, we support organizations before, during, and after security incidents through services such as Ransomware Recovery Services, Ransomware Negotiation Services, and an Incident Response Retainer. If your organization needs professional support following a cyber incident or wants to strengthen its preparedness, reach out to our team to discuss how we can help.