Cyber Threat Weekly – #104
The week of November 17th through November 23rd, roughly 384 cyber news articles were reviewed. A lightish amount of cyber threat trends and adversarial behavior news to share. Been thinking about threat intelligence led security.
There is simplicity in threat informed defense. Understand the threat, defend against the threat. Strategic threat intel (trends) delivers an understanding of prolific adversary behavior that can help minimize financial risk and business impact. It provides focus amongst all the noise: which tactics, techniques, and procedures matter most to you.
Let’s start with Sturnus, a new Android malware with real-time screen streaming. Browser notifications, a new criminal tool. Researchers share how ransomware actors can and do go after AWS cloud resources.
Third-party SaaS integrations increasingly under attack. Q3 2025 Threat Report – Beazley Security. Spike in scanning for GlobalProtect VPN portals. Browser-in-the-browser (BitB) attack part of Sneaky2FA phishing kit.
Coming soon, ShinySp1d3r Ransomware-as-a-Service (RaaS). An interesting use of Adspect within the npm repository.
Broken Record Alert: Don’t get pwned by N-day vulnerabilities!!!
Known exploited software flaws are one of the top 4 initial access vectors and have increased sharply in recent months. We continue to share n-day vulnerabilities being actively exploited. Priority #1, start with the CISA / VulnCheck known exploited vulnerability (KEV) catalogs. If it’s in the catalog, it should be patched.
A close #2 priority is flaws with weaponized proof of concept (PoC) code available. Exploit chances are higher when weaponized PoC code is available. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are actively exploited or have weaponized PoC code available.
You should consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices and services exposed to the Internet.
CISA Known Exploited Vulnerabilities – November 17th to November 23rd:
CVE-2025-58034 – Fortinet FortiWeb OS Command Injection Vulnerability:
May allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands.
CVE-2025-13223 – Google Chromium V8 Type Confusion Vulnerability:
Allows for heap corruption.
CVE-2025-61757 – Oracle Fusion Middleware Missing Authentication for Critical Function Vulnerability:
Allows unauthenticated remote attackers to take over Identity Manager.
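As an added example (not from the newsletter or any of the cited reports), a small Python triage script that applies the patching rule of thumb above: KEV entries first, weaponized-PoC flaws second, internet-exposed hosts ahead of internal ones, with the 24-to-48-hour emergency window attached. The KEV feed field names match CISA's JSON feed and the three entries are this week's CVEs; the scanner findings, the PoC set and its placeholder CVE IDs are constructed.

```python
import json

# Constructed excerpt shaped like CISA's KEV feed (real field names; the three
# entries are this week's CVEs from the newsletter, with no dates since none are given).
KEV_FEED_JSON = """{"vulnerabilities": [
  {"cveID": "CVE-2025-58034", "vendorProject": "Fortinet", "product": "FortiWeb"},
  {"cveID": "CVE-2025-13223", "vendorProject": "Google", "product": "Chromium V8"},
  {"cveID": "CVE-2025-61757", "vendorProject": "Oracle", "product": "Fusion Middleware"}
]}"""

# Constructed: CVE IDs with a weaponized PoC (placeholder IDs, not real CVEs; in
# practice a tracker such as VulnCheck would supply this set).
WEAPONIZED_POC = {"CVE-0000-00001"}

# Constructed vulnerability-scanner findings: CVE -> host, with an exposure flag.
SCAN_FINDINGS = [
    {"cve": "CVE-2025-58034", "host": "fortiweb-edge-1", "internet_exposed": True},
    {"cve": "CVE-2025-13223", "host": "workstation-17", "internet_exposed": False},
    {"cve": "CVE-0000-00001", "host": "app-gw-2", "internet_exposed": True},
    {"cve": "CVE-0000-00002", "host": "db-internal-3", "internet_exposed": False},
]

def load_kev_ids(feed_json):
    """Extract the set of CVE IDs from a KEV-format JSON feed."""
    return {v["cveID"] for v in json.loads(feed_json)["vulnerabilities"]}

def classify(cve, kev_ids, poc_ids):
    """Tier 1: in KEV (actively exploited). Tier 2: weaponized PoC. Tier 3: the rest."""
    if cve in kev_ids:
        return 1, "KEV: actively exploited"
    if cve in poc_ids:
        return 2, "weaponized PoC available"
    return 3, "standard patch cycle"

def triage(findings, kev_ids, poc_ids):
    """Order findings by tier, then internet exposure, and attach a patch SLA in hours."""
    rows = []
    for f in findings:
        tier, reason = classify(f["cve"], kev_ids, poc_ids)
        # Tiers 1-2 enter the emergency 24-to-48-hour process; exposed hosts get 24h.
        sla = (24 if f["internet_exposed"] else 48) if tier <= 2 else None
        rows.append({**f, "tier": tier, "reason": reason, "sla_hours": sla})
    rows.sort(key=lambda r: (r["tier"], not r["internet_exposed"], r["cve"]))
    return rows

if __name__ == "__main__":
    for r in triage(SCAN_FINDINGS, load_kev_ids(KEV_FEED_JSON), WEAPONIZED_POC):
        print(f"tier {r['tier']}  {r['cve']:<16} {r['host']:<16} sla={r['sla_hours']}  {r['reason']}")
```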
Sturnus Android Banking Trojan Packs a Punch
In addition to typical Android banking trojan features, Sturnus employs real-time screen streaming that essentially bypasses end-to-end encryption. The malware can harvest credentials via overlay attacks, keylogging, Push/SMS interception, and screen capture.
https://thecyberexpress.com/android-malware-records-encrypted-messages/
https://www.threatfabric.com/blogs/sturnus-banking-trojan-bypassing-whatsapp-telegram-and-signal
Browser Notifications via Matrix Push C2 Platform
Social engineering tricks victims into accepting browser notifications. Once the victim subscribes, threat actors can push legit-looking error messages and security alerts. The platform provides real-time victim information. The threat is browser based, no OS targeting required. We will most likely see more tools like this from the cyber criminals.
https://www.infosecurity-magazine.com/news/browser-push-notifications-deliver/
https://www.blackfog.com/new-matrix-push-c2-deliver-malware/
AWS Cloud Resources Abused in Ransomware Attacks
Researchers share some proof-of-concept attacks and threat actor activity abusing AWS resources and S3 buckets. Proactive strategies to defend S3 buckets are also shared. Cloud resources are often targeted by threat actors.
https://www.trendmicro.com/en_us/research/25/k/s3-ransomware.html
Third Party OAuth Tokens Targeted in SaaS Integrations
Salesforce is in the news again, this time it’s Gainsight OAuth tokens that were abused for unauthorized Salesforce access. Trust is increasingly under attack and threat actors are going after trusted third-party OAuth tokens in SaaS applications.
https://www.securityweek.com/salesforce-instances-hacked-via-gainsight-integrations/
Q3 2025 Threat Report – Beazley Security
A notable observation, compromised credentials accessing VPNs was the number one initial access vector. Phishing resistant multi-factor authentication would mitigate that risk. Akira, Qilin, and INC were most active accounting for 65% of attacks.
https://thecyberexpress.com/stolen-vpn-credentials-most-common-ransomware-attack-vector/
https://beazley.security/insights/quarterly-threat-report-third-quarter-2025
Palo Alto Global Protect VPN Scanning Surge
Researchers share a massive spike in scanning activity on Palo Alto GlobalProtect VPN portals. This could indicate a zero-day exploit is coming. The scanning activity spiked 40x over the typical baseline over about a week starting November 14th.
https://www.greynoise.io/blog/palo-alto-scanning-surges-90-day-high
Phishing Kit Sneaky2FA Adds Browser-in-the-Browser Attack
While not a new technique, the commoditization and automation of the browser-in-the-browser technique makes it an effective way to trick the victim into providing credentials. It’s very difficult to tell a BitB window from a real page.
https://pushsecurity.com/blog/analyzing-the-latest-sneaky2fa-phishing-page/
Currently in Development, ShinySp1d3r Ransomware
ShinyHunters is creating a new from-scratch Ransomware-as-a-Service (RaaS) operation with encryptors for Windows, Linux, ESXi, and a separate lightning version for Windows. This is one to keep an eye on, we might see a lot more of Scattered Spider soon.
Adspect Abused in npm to Identify Researchers
As a cloaking service, Adspect is usually abused in malvertising and fake affiliate operations. Using it in npm to evade researchers is a bit unique. We can expect more cloaking and proxy infrastructure in open-source packages that are browser-executed.
https://www.darkreading.com/application-security/malicious-npm-packages-adspect-cloaking-crypto-scam
https://socket.dev/blog/npm-malware-campaign-uses-adspect-cloaking-to-deliver-malicious-redirects
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter