Threat Intel Brief for February 10 - February 16, 2025

In this weekly Threat Intelligence Brief we look back at the top stories and security-related callouts of the week to provide relevant and actionable insights for the information security consumer.

We reference threat intelligence gained through our position as a security provider as well as industry sources in the development of this brief.

In this edition:
CISA and FBI buffer overflow vulnerability alert
Storm-2372 device code phishing
Microsoft February 2025 Patch Tuesday
CISA KEV updates

CISA and FBI buffer overflow vulnerability alert

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have published a new alert titled Eliminating Buffer Overflow Vulnerabilities as part of their ongoing Secure by Design series. This initiative aims to promote security best practices that address vulnerabilities early in the product development process. The alert provides practical guidance on how to prevent or reduce buffer overflow risks by applying secure design principles.

Buffer overflow vulnerabilities are common memory-safety flaws that can compromise systems by corrupting data, exposing sensitive information, crashing applications, or enabling unauthorized code execution. Attackers frequently exploit them to gain initial access to networks and to move laterally or escalate privileges once inside. Recent examples of exploited buffer overflows cited in the alert include CVE-2025-21333 (Windows Hyper-V NT Kernel Integration VSP), CVE-2025-0282 (Ivanti Connect Secure), CVE-2024-49138 (Windows Common Log File System driver), and CVE-2024-38812 (VMware vCenter Server).

A key recommendation for leadership of software manufacturers is to ask their product and development teams to document past buffer overflow vulnerabilities and how they are working to eliminate this class of defect. Organizations can also request a Software Bill of Materials (SBOM) and a secure development attestation for products that may already be in use.

Source: CISA | Secure by Design CISA | FBI

Storm-2372 device code phishing

Microsoft Threat Intelligence Center has uncovered an ongoing phishing campaign by the threat actor known as Storm-2372. The campaign uses fake messaging app interfaces mimicking platforms like WhatsApp, Signal, and Microsoft Teams to deceive victims. Targeted sectors include government, NGOs, IT, defense, telecommunications, healthcare, higher education, and energy across Europe, North America, Africa, and the Middle East. Microsoft assesses with moderate confidence that Storm-2372’s actions align with Russian interests and tactics.

Storm-2372 abuses the OAuth 2.0 device code flow (the sign-in method built for input-constrained devices) to obtain authentication tokens, giving it access to the victim's account for as long as the tokens, including any refresh token, remain valid. The attacker starts a device code flow against a legitimate Microsoft application and receives a device code and a short user code. A fake Microsoft Teams meeting invitation sent by email delivers that user code and points the victim at the genuine Microsoft device login page. When the victim enters the code and signs in, the authorization server issues the access and refresh tokens to the party that started the flow, which is the attacker, not the victim. Microsoft's write-up includes a diagram of this attack flow.

Recommendations provided by Microsoft to help defend against this type of attack include:

  1. Allow device code flow only where it is genuinely needed, and block it everywhere else with a Conditional Access policy (the authentication flows condition covers device code flow)
  2. Educate users about common phishing techniques, including lures that ask them to enter a code at a login page they did not initiate
  3. Implement a sign-in risk policy to automate the response to risky sign-ins, and revoke refresh tokens for any account suspected of compromise
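To make the token-theft mechanism concrete, here is an added example (not code from the original brief, and not Microsoft's) that models the device authorization grant from RFC 8628 with a tiny in-memory authorization server and walks the attacker's side of the flow described above. The hostname, client ID and user names are made up. It also shows the effect of the first recommendation: when policy denies device code flow for a user, the attacker's poll ends in `access_denied` instead of a token.

```python
"""Device code flow (RFC 8628) and why the Storm-2372 phish works.

Added example with an in-memory stand-in for the authorization server's
device endpoints. The victim only ever handles the user_code; the tokens are
issued to whoever holds the device_code, i.e. whoever started the flow.
"""
import secrets
import string
import time


class DeviceCodeServer:
    """Minimal model of an OAuth 2.0 authorization server's device endpoints."""

    def __init__(self, device_flow_allowed_users=None):
        # None = device code flow allowed for everyone (the permissive default
        # the first recommendation above is about); a set restricts it.
        self.device_flow_allowed_users = device_flow_allowed_users
        self._pending = {}       # device_code -> flow state
        self._by_user_code = {}  # user_code -> device_code

    def device_authorization(self, client_id, lifetime=900):
        """POST /devicecode: the client (here, the attacker) starts the flow."""
        device_code = secrets.token_urlsafe(32)
        alphabet = string.ascii_uppercase + string.digits
        user_code = "".join(secrets.choice(alphabet) for _ in range(8))
        self._pending[device_code] = {
            "client_id": client_id, "user_code": user_code,
            "expires": time.time() + lifetime, "user": None, "denied": False,
        }
        self._by_user_code[user_code] = device_code
        return {
            "device_code": device_code, "user_code": user_code,
            "verification_uri": "https://login.example.test/device",  # assumed host
            "expires_in": lifetime, "interval": 5,
        }

    def user_verifies(self, user_code, username):
        """The victim types the code at the genuine verification page and signs in."""
        device_code = self._by_user_code.get(user_code)
        if device_code is None:
            return "invalid_code"
        state = self._pending[device_code]
        allowed = self.device_flow_allowed_users
        if allowed is not None and username not in allowed:
            state["denied"] = True   # policy blocks device code flow for this user
            return "blocked_by_policy"
        state["user"] = username     # authorization is now bound to the device_code
        return "authorized"

    def token(self, device_code):
        """POST /token with grant_type=urn:ietf:params:oauth:grant-type:device_code."""
        state = self._pending.get(device_code)
        if state is None:
            return {"error": "invalid_grant"}
        if time.time() > state["expires"]:
            return {"error": "expired_token"}
        if state["denied"]:
            return {"error": "access_denied"}
        if state["user"] is None:
            return {"error": "authorization_pending"}
        del self._pending[device_code]
        del self._by_user_code[state["user_code"]]
        return {
            "token_type": "Bearer",
            "access_token": secrets.token_urlsafe(32),
            "refresh_token": secrets.token_urlsafe(32),  # long-lived access, per the brief
            "sub": state["user"],
        }


def run_phish(server, victim):
    """Attacker's side of the campaign, end to end; returns what each step yields."""
    start = server.device_authorization(client_id="lure-client")  # attacker starts
    # The lure (fake Teams invite) carries start["user_code"] and the real
    # verification URI; nothing the victim sees is forged except the message.
    first_poll = server.token(start["device_code"])  # attacker polls before victim acts
    outcome = server.user_verifies(start["user_code"], victim)
    tokens = server.token(start["device_code"])      # attacker's next poll
    return first_poll, outcome, tokens


if __name__ == "__main__":
    _, why, got = run_phish(DeviceCodeServer(), "alice@example.test")
    print("open tenant:", why, got.get("sub"), "refresh_token" in got)
    locked = DeviceCodeServer(device_flow_allowed_users={"kiosk-svc@example.test"})
    _, why, got = run_phish(locked, "alice@example.test")
    print("restricted:", why, got)
```

The server never sees anything unusual: the client ID is legitimate, the user signed in at the real page, and the poll that receives the tokens is the same poll any genuine device would make. That is why Microsoft's advice is to constrain the flow by policy and watch for risky sign-ins rather than expecting the login page to catch it.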

Source: Microsoft Threat Intelligence

Microsoft February 2025 Patch Tuesday

67 total vulnerabilities fixed, including 3 rated as critical severity. Products affected include Microsoft Streaming Service, Windows LDAP – Lightweight Directory Access Protocol, Windows NTLM, Windows DHCP Server, Microsoft Edge (Chromium-based), Microsoft PC Manager, and more.


4 zero-day vulnerabilities patched: two exploited in the wild, CVE-2025-21418 (Windows Ancillary Function Driver for WinSock elevation of privilege) and CVE-2025-21391 (Windows Storage elevation of privilege), and two publicly disclosed before the patch, CVE-2025-21377 (NTLM hash disclosure spoofing) and CVE-2025-21194 (Microsoft Surface security feature bypass). The two exploited elevation-of-privilege bugs are the ones to prioritize, since they give an attacker with a foothold SYSTEM-level access.

Official Microsoft release notes with links to all the individual CVEs can be found here: https://msrc.microsoft.com/update-guide/releaseNote/2025-Feb

Source: Microsoft | Qualys

CISA KEV updates

CISA has added 7 new CVEs to its Known Exploited Vulnerabilities (KEV) catalog this week; the full entries, with their required actions and due dates, are in the catalog linked below.


Don't know where to begin with vulnerability management?

Using CISA's KEV catalog to drive a risk-based approach is a good way to prioritize vulnerability remediation in your organization: every CVE in the catalog has confirmed exploitation in the wild, and each entry carries a remediation due date you can adopt as your own deadline. CISA publishes guidance on how to use the KEV catalog for prioritization alongside the catalog itself (linked below).
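As an added example (not code from the original brief or from CISA), the script below shows one way to put the KEV catalog to work: it reads the catalog in the shape of CISA's published JSON feed and ranks a set of scanner findings by whether the CVE is in KEV, whether its due date has passed, whether CISA flags known ransomware use, and then by due date. The catalog excerpt and the findings are constructed so the script runs offline; the CVE IDs are ones discussed in this brief, but the dates and flags in the sample are illustrative, not a copy of the live catalog. The `fetch_kev` helper pulls the real feed when you want to run this against your own data.

```python
"""Rank scanner findings against the CISA KEV catalog.

Added example. The feed shape (top-level "vulnerabilities" list with cveID,
vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse) is
that of CISA's JSON feed; the sample records and findings are constructed.
"""
import json
import urllib.request
from datetime import date

KEV_FEED_URL = ("https://www.cisa.gov/sites/default/files/feeds/"
                "known_exploited_vulnerabilities.json")

# Constructed excerpt in the feed's shape. Dates and flags are illustrative.
SAMPLE_KEV_JSON = json.dumps({
    "catalogVersion": "2025.02.13",
    "vulnerabilities": [
        {"cveID": "CVE-2025-21418", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2025-02-11", "dueDate": "2025-03-04",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-21391", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2025-02-11", "dueDate": "2025-03-04",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-0282", "vendorProject": "Ivanti", "product": "Connect Secure",
         "dateAdded": "2025-01-08", "dueDate": "2025-01-15",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed scanner output: (hostname, CVE). CVE-2025-21377 is a Patch
# Tuesday fix from this brief that is not in the sample catalog.
SAMPLE_FINDINGS = [
    ("app01", "CVE-2025-21377"),
    ("dc01", "CVE-2025-21418"),
    ("vpn01", "CVE-2025-0282"),
    ("file01", "CVE-2025-21391"),
]


def fetch_kev(url=KEV_FEED_URL, timeout=30):
    """Download the live catalog (network access required)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def load_kev(kev_json_text):
    """Index catalog entries by CVE ID."""
    catalog = json.loads(kev_json_text)
    return {v["cveID"]: v for v in catalog["vulnerabilities"]}


def prioritize(kev, findings, today):
    """Return findings as dicts, most urgent first.

    Order: in KEV before not in KEV; overdue before not yet due; known
    ransomware use before unknown; earlier due date first; then hostname.
    """
    rows = []
    for host, cve in findings:
        entry = kev.get(cve)
        if entry is None:
            rows.append({"host": host, "cve": cve, "in_kev": False, "overdue": False,
                         "ransomware": False, "due": None, "product": None})
            continue
        due = date.fromisoformat(entry["dueDate"])
        rows.append({
            "host": host, "cve": cve, "in_kev": True, "overdue": due < today,
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            "due": due, "product": f'{entry["vendorProject"]} {entry["product"]}',
        })
    rows.sort(key=lambda r: (not r["in_kev"], not r["overdue"], not r["ransomware"],
                             r["due"] or date.max, r["host"]))
    return rows


if __name__ == "__main__":
    ranked = prioritize(load_kev(SAMPLE_KEV_JSON), SAMPLE_FINDINGS, date(2025, 2, 17))
    for r in ranked:
        status = "OVERDUE" if r["overdue"] else ("KEV" if r["in_kev"] else "not in KEV")
        print(f'{r["host"]:8} {r["cve"]:16} {status:11} due={r["due"]}')
```

Run against the live feed by replacing `SAMPLE_KEV_JSON` with `fetch_kev()` and `SAMPLE_FINDINGS` with your scanner export; anything that sorts to the top with `overdue` set is a finding CISA expected federal agencies to have fixed already, which is a reasonable bar for everyone else too.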

Source: Known Exploited Vulnerabilities Catalog | CISA

Coretek's managed SOC/SIEM customers benefit from the latest threat intelligence. If you're interested in learning more about what Coretek can offer your organization, please reach out: https://coretek.com/contact