Hackers Exploit Cityworks RCE Bug to Breach Microsoft IIS Servers
(TLP: CLEAR) BleepingComputer reports that attackers are exploiting a remote code execution (RCE) vulnerability in Trimble Cityworks, an asset management and work order platform used by local governments and utilities. The flaw, tracked as CVE-2025-0994, is a deserialization of untrusted data weakness that affects Cityworks versions prior to 15.8.9 (released in January 2025). An attacker with authenticated access to the application can use it to execute arbitrary code on the Microsoft IIS web server hosting Cityworks, which amounts to full server compromise.
(TLP: CLEAR) Comments: Exploitation of CVE-2025-0994 is a significant risk to municipalities and utilities running Cityworks: the application sits on a Microsoft IIS server that is frequently reachable from the internet and often joined to the organization's Windows domain, so code execution there is a foothold into the internal network. The use of Cobalt Strike in the observed exploitation attempts points to hands-on intrusions aimed at persistence and lateral movement rather than opportunistic scanning. Because the flaw requires valid credentials, patching to 15.8.9 or later should be paired with a review of Cityworks user accounts and of IIS and application logs for logins from unexpected sources, and with monitoring for the IIS worker process (w3wp.exe) spawning cmd.exe or PowerShell, which a web application never does during normal operation.
(TLP: CLEAR) Recommended best practices/regulations: PCI DSS v4.0 Requirement 6.4.2: “For public-facing web applications, an automated technical solution is deployed that continually detects and prevents web-based attacks, with at least the following:
- Is installed in front of public-facing web applications and is configured to detect and prevent web-based attacks.
- Actively running and up to date as applicable.
- Generating audit logs.
- Configured to either block web-based attacks or generate an alert that is immediately investigated.”
(TLP: CLEAR) Vercara: Vercara’s Web Application Firewall, UltraWAF, can provide you with protection in the way that you need it. UltraWAF allows security postures that assume that all traffic is allowed – except an already identified threat or an attack (negative security) – or zero trust models where all traffic is denied unless explicitly permitted (positive security).
Source: https://www.bleepingcomputer.com/news/security/hackers-exploit-cityworks-rce-bug-to-breach-microsoft-iis-servers/
North Korean APT43 Uses PowerShell and Dropbox in Targeted South Korea Cyberattacks
(TLP: CLEAR) The North Korean threat group APT43 (also known as Kimsuky) has been linked to a campaign targeting South Korean organizations in the business, government, and cryptocurrency sectors. The operation, dubbed DEEP#DRIVE, starts with phishing emails carrying lure documents and relies heavily on PowerShell scripts for payload delivery, system reconnaissance, and execution. Dropbox serves as the covert infrastructure for payload hosting, exfiltration, and command and control; the scripts authenticate to the Dropbox API with OAuth tokens, so the traffic looks like ordinary use of a sanctioned cloud service.
(TLP: CLEAR) Comments: The attack chain begins with a ZIP archive containing a Windows shortcut (.lnk) file disguised as a document. When the victim opens it, the shortcut launches PowerShell, which retrieves a lure document from Dropbox so that the victim sees something plausible and establishes persistence through a scheduled task. Follow-on PowerShell scripts gather system information and drop additional components, including a .NET assembly. The operators rotated short-lived infrastructure and deleted the Dropbox links shortly after the initial stages, which hampers retrospective analysis. The campaign, which may have started in September 2024, is a reminder that living-off-the-land tooling and trusted cloud services slip past controls tuned to custom malware and unknown domains; the useful detections are PowerShell launched from a user's shell with hidden-window or download switches, scheduled tasks registered from scripts in user-writable paths, and Dropbox API traffic from hosts that have no business reason for it.
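As an added example (not code from either article), the following Python script triages Windows process-creation telemetry for the two footprints discussed above: the IIS worker process spawning a command interpreter after a web-application RCE such as the Cityworks flaw, and the DEEP#DRIVE pattern of a shortcut-launched PowerShell stage that fetches from Dropbox with hidden-window and execution-policy switches and then registers a scheduled task. It assumes Sysmon Event ID 1 records exported as JSON lines with the standard field names (UtcTime, Computer, ParentImage, Image, CommandLine); the sample events, hostnames, URLs and paths are constructed for the example.

```python
"""
Triage of Windows process-creation telemetry (Sysmon Event ID 1 field names:
UtcTime, Computer, ParentImage, Image, CommandLine). Added example, not code
from either article. Two patterns are covered:
  * w3wp.exe (the IIS worker) spawning a command interpreter, the usual first
    footprint of web-application RCE on an IIS host such as a Cityworks server
  * a shortcut-launched PowerShell stage that pulls content from Dropbox with
    evasion switches, and a scheduled task registered from PowerShell
All events below are constructed for this example, not real telemetry.
"""
import json
import re
from pathlib import PureWindowsPath

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# PowerShell switches that hide the window or weaken its defaults.
EVASION_FLAGS = re.compile(
    r"-(?:w(?:indowstyle)?\s+hidden|nop(?:rofile)?\b|e(?:xecutionpolicy|p)\s+bypass|enc(?:odedcommand)?\b)",
    re.I,
)
# Cmdlets and .NET calls that fetch content from a remote host.
REMOTE_FETCH = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|start-bitstransfer",
    re.I,
)
DROPBOX = re.compile(r"dropbox(?:usercontent)?\.com", re.I)


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def triage_event(ev: dict) -> list:
    """Return (rule, severity) findings for one process-creation event."""
    parent = basename(ev.get("ParentImage", ""))
    child = basename(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "")
    findings = []

    # The IIS worker serves requests; it never launches a shell on its own.
    if parent == "w3wp.exe" and child in SHELLS:
        findings.append(("iis_worker_spawned_shell", "high"))

    if child in POWERSHELL:
        fetch = bool(REMOTE_FETCH.search(cmd))
        evasion = bool(EVASION_FLAGS.search(cmd))
        if fetch and DROPBOX.search(cmd):
            # explorer.exe as parent means a user opened a file (the .lnk in the ZIP)
            sev = "high" if parent == "explorer.exe" or evasion else "medium"
            findings.append(("powershell_fetch_from_dropbox", sev))
        elif fetch and evasion:
            findings.append(("powershell_hidden_remote_fetch", "medium"))
        if re.search(r"register-scheduledtask", cmd, re.I):
            findings.append(("powershell_registers_scheduled_task", "medium"))

    # schtasks.exe /create launched by a script rather than an admin console
    if child == "schtasks.exe" and "/create" in cmd.lower() and parent in POWERSHELL:
        findings.append(("scheduled_task_created_by_powershell", "medium"))
    return findings


def triage(events: list) -> list:
    """Run triage_event over a batch and return flat alert records in event order."""
    alerts = []
    for ev in events:
        for rule, sev in triage_event(ev):
            alerts.append({"time": ev.get("UtcTime"), "host": ev.get("Computer"),
                           "rule": rule, "severity": sev, "cmd": ev.get("CommandLine", "")})
    return alerts


# Constructed sample: one IIS host, one workstation; JSON lines as a SIEM would export.
SAMPLE_EVENTS = [json.loads(line) for line in r'''
{"UtcTime":"2025-02-10 14:02:11","Computer":"CW-WEB01","ParentImage":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c whoami"}
{"UtcTime":"2025-02-10 14:05:40","Computer":"WS-0417","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -w hidden -nop -ep bypass -c \"iwr https://www.dropbox.com/s/constructed/lure.pdf?dl=1 -OutFile $env:TEMP\\lure.pdf\""}
{"UtcTime":"2025-02-10 14:05:43","Computer":"WS-0417","ParentImage":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","Image":"C:\\Windows\\System32\\schtasks.exe","CommandLine":"schtasks.exe /create /tn SystemUpdate /tr \"powershell -w hidden -f C:\\Users\\Public\\u.ps1\" /sc minute /mo 30 /f"}
{"UtcTime":"2025-02-10 14:06:02","Computer":"WS-0417","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -NoProfile -Command Get-ChildItem"}
{"UtcTime":"2025-02-10 14:07:15","Computer":"CW-WEB01","ParentImage":"C:\\Windows\\System32\\services.exe","Image":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","CommandLine":"c:\\windows\\system32\\inetsrv\\w3wp.exe -ap Cityworks"}
'''.strip().splitlines()]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

Run as-is it prints three alerts from the sample data (the w3wp.exe shell, the hidden PowerShell Dropbox fetch, and the scheduled task), while the ordinary `-NoProfile Get-ChildItem` invocation and the normal w3wp.exe start are left alone. In production, feed it the SIEM export and tune EVASION_FLAGS and REMOTE_FETCH to the PowerShell usage that is normal in your environment; the w3wp.exe rule has essentially no benign matches on an IIS host and can be treated as high-fidelity.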
(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) DE.CM-01: “Networks and network services are monitored to find potentially adverse events”. One of the ways to detect phishing, malware droppers, and command and control (C2) is at the network level. Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and next-generation firewalls can be used with a protective DNS solution to detect these malicious activities as they traverse the network, even if the initial infection occurs via physical media or on another network such as a hotel or airport.
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), receives DNS queries from enterprise users and other on-LAN devices, inspects the DNS response for indicators of malicious activity such as phishing, ransomware, and acceptable usage policy violations.
Source: https://thehackernews.com/2025/02/north-korean-apt43-uses-powershell-and.html
DeepSeek App Transmits Sensitive User and Device Data Without Encryption
(TLP: CLEAR) A security audit of the DeepSeek iOS app by NowSecure found that it transmits sensitive user and device data without encryption, exposing it to interception and manipulation. The main findings:
- Unencrypted data transmission: the app sends registration and device data over the internet in cleartext, exposing it to passive eavesdropping and active tampering.
- Weak cryptography: where the app does encrypt, it uses 3DES, a deprecated symmetric cipher, with a hard-coded key and reused initialization vectors, so anyone who extracts the key from the app binary can decrypt the data and repeated plaintext produces recognizable ciphertext.
- Bypassing iOS security: the app globally disables App Transport Security (ATS), the iOS control that rejects cleartext HTTP and weak TLS by default, which is what allows the cleartext transmissions above to happen at all.
- Data sent to ByteDance-owned infrastructure: the data goes to servers operated by Volcano Engine, a cloud platform owned by ByteDance (the parent company of TikTok).
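A concrete check for the ATS finding, added here as an example (not part of the NowSecure report): the script below parses an iOS Info.plist with Python's standard plistlib and lists every App Transport Security exception the app declares, both the app-wide opt-outs and the per-domain relaxations (cleartext HTTP, TLS below 1.2, forward secrecy switched off). The two manifests embedded in it are constructed, one weakened and one left at ATS defaults; the bundle identifier and domain name are placeholders.

```python
"""
Audit an iOS Info.plist for App Transport Security (ATS) opt-outs. ATS makes
the platform refuse cleartext HTTP and TLS below 1.2 unless the app declares
exceptions under NSAppTransportSecurity; this audit lists every such exception.
Added example, not code from the NowSecure report; both manifests below are
constructed (one weakened, one at defaults), not DeepSeek's actual bundle.
"""
import plistlib

# App-wide keys that weaken ATS when set to true.
GLOBAL_OPT_OUTS = {
    "NSAllowsArbitraryLoads": "cleartext and weak TLS allowed to every host",
    "NSAllowsArbitraryLoadsInWebContent": "cleartext allowed inside web views",
    "NSAllowsArbitraryLoadsForMedia": "cleartext allowed for media loads",
    "NSAllowsLocalNetworking": "cleartext allowed to local-network hosts",
}
INSECURE_HTTP_KEYS = ("NSExceptionAllowsInsecureHTTPLoads",
                      "NSThirdPartyExceptionAllowsInsecureHTTPLoads")
FORWARD_SECRECY_KEYS = ("NSExceptionRequiresForwardSecrecy",
                        "NSThirdPartyExceptionRequiresForwardSecrecy")
MIN_TLS_KEYS = ("NSExceptionMinimumTLSVersion",
                "NSThirdPartyExceptionMinimumTLSVersion")


def audit_ats(plist_bytes: bytes) -> list:
    """Return (scope, key, why) tuples; an empty list means ATS defaults apply."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity")
    findings = []
    if not ats:
        return findings
    for key, why in GLOBAL_OPT_OUTS.items():
        if ats.get(key) is True:
            findings.append(("*", key, why))
    # Per-domain exceptions. When NSAllowsArbitraryLoads is true, entries here
    # re-enable ATS for the named domains; the keys below still record which
    # protections a listed domain has given up.
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        for key in INSECURE_HTTP_KEYS:
            if rules.get(key) is True:
                findings.append((domain, key, "cleartext HTTP allowed"))
        for key in FORWARD_SECRECY_KEYS:
            if rules.get(key) is False:
                findings.append((domain, key, "forward secrecy not required"))
        for key in MIN_TLS_KEYS:
            version = rules.get(key)
            if version in ("TLSv1.0", "TLSv1.1"):
                findings.append((domain, key, f"minimum TLS lowered to {version}"))
    return findings


# Constructed manifest with the global opt-out plus a weakened telemetry domain.
WEAK_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.chat</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>telemetry.example.net</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
        <key>NSExceptionRequiresForwardSecrecy</key><false/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Constructed manifest that leaves ATS at its defaults (no exceptions declared).
DEFAULT_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.chat</string>
</dict>
</plist>
"""

if __name__ == "__main__":
    for scope, key, why in audit_ats(WEAK_INFO_PLIST):
        print(f"[{scope}] {key}: {why}")
    print("default manifest findings:", audit_ats(DEFAULT_INFO_PLIST))
```

To run it against a real app, unzip the .ipa and point audit_ats at Payload/<App>.app/Info.plist (plistlib reads binary plists as well). Note the inverted semantics when NSAllowsArbitraryLoads is true: exception-domain entries then re-enable ATS for the named hosts, so a domain whose entry lacks the opt-out keys is the protected one, and the audit output has to be read with that in mind.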
(TLP: CLEAR) Comments: These flaws compound existing concerns over data privacy, since the app has already been scrutinized for extensive data collection and its ties to China, and it has faced calls for bans in several countries, including the U.S. and South Korea. The Android version shows similar weaknesses, including hard-coded encryption keys, weak cryptography, and SQL injection risks.
(TLP: CLEAR) Recommended best practices/regulations: OWASP API Top 10, API6:2023, “Unrestricted Access to Sensitive Business Flows”:
- The mitigation planning should be done in two layers:
- Business – identify the business flows that might harm the business if they are excessively used.
- Engineering – choose the right protection mechanisms to mitigate the business risk.
- Some of the protection mechanisms are more simple while others are more difficult to implement. The following methods are used to slow down automated threats:
- Device fingerprinting: denying service to unexpected client devices (e.g headless browsers) tends to make threat actors use more sophisticated solutions, thus more costly for them
- Human detection: using either captcha or more advanced biometric solutions (e.g. typing patterns)
- Non-human patterns: analyze the user flow to detect non-human patterns (e.g. the user accessed the ‘add to cart’ and ‘complete purchase’ functions in less than one second)
- Consider blocking IP addresses of Tor exit nodes and well-known proxies
- Secure and limit access to APIs that are consumed directly by machines (such as developer and B2B APIs). They tend to be an easy target for attackers because they often don’t implement all the required protection mechanisms.”
(TLP: CLEAR) Vercara: Vercara UltraAPI Bot Manager detects and prevents sophisticated automated API attacks and business logic abuse using hundreds of ML rules that leverage an API threat database with billions of malicious behaviors, IP addresses, and organizations. Native, policy-based response options ensure that detected attacks are blocked in real time, without reliance on a third-party WAF or other security components.
Source: https://thehackernews.com/2025/02/deepseek-app-transmits-sensitive-user.html
Massive Brute Force Attack Uses 2.8 million IPs to Target VPN Devices
(TLP: CLEAR) A large-scale brute force campaign is targeting internet-facing VPN gateways and firewalls from vendors including Palo Alto Networks, Ivanti, and SonicWall. Ongoing since January 2025, it has used nearly 2.8 million source IP addresses, most of them in Brazil, Turkey, and Russia, to guess login credentials for security appliances that are exposed to the internet to provide remote access.
(TLP: CLEAR) Comments: The source addresses belong largely to compromised MikroTik, Huawei, and Cisco routers and other edge devices, consistent with a botnet or residential proxy network that routes the login attempts through consumer connections so they blend in with legitimate traffic. Because each address makes only a few attempts, per-IP rate limits and lockouts see nothing unusual; detection has to key on the targeted accounts and on the gateway as a whole (failures per account, distinct sources per account, and the overall failure rate). Beyond that, the standard hardening applies: change default passwords, enforce multi-factor authentication, restrict management interfaces to trusted networks, and apply the latest security updates.
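The point about per-IP controls missing a distributed attack can be made concrete. The Python below, added as an example (not from the article), runs two detectors over constructed VPN authentication-failure log lines: the per-source counter that a lockout policy implements, and a per-target counter that flags an account being hit from many distinct sources inside a time window. The log format, hostnames, account names and addresses (TEST-NET ranges) are all constructed, and the window and thresholds are starting points rather than recommendations from the article.

```python
"""
Two detectors for credential brute force against a VPN gateway, run over
constructed authentication-failure log lines. Per-source lockouts catch a
single noisy address but miss a spray spread across many residential-proxy
addresses that each try only a couple of passwords, so the second detector
keys on the target instead: distinct sources failing against one account.
Added example, not from the article; the log format and all addresses
(TEST-NET ranges) are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
import ipaddress
import re

# Constructed syslog-style format; adapt the regex to the appliance's real one.
FAILED = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: login failed user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(lines):
    """Return failures as (ts, host, user, src) sorted by time; other lines are skipped."""
    events = []
    for line in lines:
        m = FAILED.match(line)
        if m:
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            events.append((ts, m["host"], m["user"], m["src"]))
    return sorted(events)


def detect(lines, window=timedelta(minutes=10), per_ip_threshold=5, per_target_sources=20):
    """Return alert dicts in the order they fire; each source/target alerts once."""
    alerts = []
    ip_hits = defaultdict(deque)       # src -> failure timestamps inside the window
    target_hits = defaultdict(deque)   # (host, user) -> (ts, src) inside the window
    flagged_ips, flagged_targets = set(), set()
    for ts, host, user, src in parse(lines):
        # Detector 1: many failures from one address (what a lockout policy sees)
        q = ip_hits[src]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= per_ip_threshold and src not in flagged_ips:
            flagged_ips.add(src)
            alerts.append({"type": "per_ip_bruteforce", "src": src,
                           "failures": len(q), "at": ts.isoformat()})
        # Detector 2: one account failing from many addresses (what a lockout misses)
        key = (host, user)
        tq = target_hits[key]
        tq.append((ts, src))
        while ts - tq[0][0] > window:
            tq.popleft()
        distinct = {s for _, s in tq}
        if len(distinct) >= per_target_sources and key not in flagged_targets:
            flagged_targets.add(key)
            alerts.append({"type": "distributed_spray", "host": host, "user": user,
                           "distinct_sources": len(distinct), "failures": len(tq),
                           "at": ts.isoformat()})
    return alerts


def constructed_log():
    """Constructed sample: a 30-address spray, one noisy address, and benign noise."""
    base = datetime(2025, 2, 8, 3, 0, tzinfo=timezone.utc)

    def stamp(t):
        return t.strftime("%Y-%m-%dT%H:%M:%SZ")

    lines = []
    # Spray: 30 proxy exits, two guesses each against 'admin', one event every 8 s
    exits = ipaddress.ip_address("198.51.100.1")
    for k in range(60):
        t = base + timedelta(seconds=8 * k)
        lines.append(f"{stamp(t)} vpn-gw1 auth: login failed user=admin src={exits + k // 2}")
    # Classic brute force: one address hammering 'backup' every 30 s
    for j in range(8):
        t = base + timedelta(seconds=30 * j)
        lines.append(f"{stamp(t)} vpn-gw1 auth: login failed user=backup src=203.0.113.9")
    # Benign noise: a mistyped password followed by a success
    lines.append(f"{stamp(base + timedelta(seconds=200))} vpn-gw1 auth: login failed user=jdoe src=192.0.2.44")
    lines.append(f"{stamp(base + timedelta(seconds=215))} vpn-gw1 auth: login ok user=jdoe src=192.0.2.44")
    return lines


if __name__ == "__main__":
    for alert in detect(constructed_log()):
        print(alert)
```

On the sample data the single noisy address is caught by the per-source rule after five failures, while the thirty proxy exits making two guesses each never reach that threshold and surface only through the per-account detector. Set per_target_sources to the number of distinct source addresses a legitimate account could plausibly fail from within the window, which for most VPN accounts is one or two, and add a gateway-wide version of the same counter so a spray across many accounts is seen as well.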
(TLP: CLEAR) Recommended best practices/regulations: OWASP API Top 10, API6:2023, “Unrestricted Access to Sensitive Business Flows”:
- The mitigation planning should be done in two layers:
- Business – identify the business flows that might harm the business if they are excessively used.
- Engineering – choose the right protection mechanisms to mitigate the business risk.
- Some of the protection mechanisms are more simple while others are more difficult to implement. The following methods are used to slow down automated threats:
- Device fingerprinting: denying service to unexpected client devices (e.g headless browsers) tends to make threat actors use more sophisticated solutions, thus more costly for them
- Human detection: using either captcha or more advanced biometric solutions (e.g. typing patterns)
- Non-human patterns: analyze the user flow to detect non-human patterns (e.g. the user accessed the ‘add to cart’ and ‘complete purchase’ functions in less than one second)
- Consider blocking IP addresses of Tor exit nodes and well-known proxies
- Secure and limit access to APIs that are consumed directly by machines (such as developer and B2B APIs). They tend to be an easy target for attackers because they often don’t implement all the required protection mechanisms.”
(TLP: CLEAR) Vercara: Vercara UltraAPI Bot Manager detects and prevents sophisticated automated API attacks and business logic abuse using hundreds of ML rules that leverage an API threat database with billions of malicious behaviors, IP addresses, and organizations. Native, policy-based response options ensure that detected attacks are blocked in real time, without reliance on a third-party WAF or other security components.
Source: https://www.bleepingcomputer.com/news/security/massive-brute-force-attack-uses-28-million-ips-to-target-vpn-devices/