Cyber Threat Weekly – #107
The week of December 8th through December 14th, roughly 374 cyber news articles were reviewed. A light week for cyber threat trends and adversarial behavior news to share. I've been thinking about the complexity of zero trust and its effect on small businesses.
We’ve made zero trust overly complex, even larger shops are struggling to realize zero trust. All the things we should’ve done 20+ years ago, principle-based security, like the principle of simplicity, principle of least privilege, network segmentation, know your crown jewels, etc., are what we really need. Foundational security that stands the test of time. Small and medium businesses can work with principles. Our industry is only as strong as our weakest link.
Let’s start with legit infrastructure used to send scam emails. Android malware can lock the device and wipe data. Top 25 Common Weakness Enumeration (CWE) list released. A new variant of the ClickFix social engineering technique.
Open-source repository attack stories. New malware abuses the Google Drive API. It appears numerous threat actors may be exploiting React2Shell. A new initial access broker abuses ClickFix and brings its own EDR to weaponize.
Broken Record Alert: Don’t get pwned by N-day vulnerabilities!!!
Known exploited software flaws are one of the top 4 initial access vectors and have increased sharply in recent months. We continue to share n-day vulnerabilities being actively exploited. Priority #1, start with the CISA / VulnCheck known exploited vulnerability (KEV) catalogs. If it’s in the catalog, it should be patched.
A close #2 priority is flaws with weaponized proof of concept (PoC) code available. Exploit chances are higher when weaponized PoC code is available. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are actively exploited or have weaponized PoC code available.
You should consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices and services exposed to the Internet.
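The prioritization above (KEV first, weaponized PoC second, Internet exposure tightening the deadline) as an added example, not code from the newsletter. It reads a KEV-format JSON snapshot (real CISA field names, but the entries, dates and PoC flags are constructed for this example; the CVE IDs are those listed in this issue plus one obvious placeholder) against a constructed asset inventory; the 24h-if-exposed / 48h-otherwise split is an assumed interpretation of the "24-to-48-hour" process.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed KEV-style snapshot using the CISA catalog's field names.
# Only the CVE IDs come from this issue; dates and other values are made up.
KEV_SNAPSHOT = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-66644", "vendorProject": "Array Networks",
     "product": "ArrayOS AG", "dateAdded": "2025-12-10"},
    {"cveID": "CVE-2025-6218", "vendorProject": "RARLAB",
     "product": "WinRAR", "dateAdded": "2025-12-09"},
]})

# Constructed asset inventory: CVE, host, Internet exposure, and whether a
# weaponized PoC is public (that flag comes from your own intel feeds).
# CVE-2024-0000 is a placeholder id for "not in KEV, no PoC".
INVENTORY = [
    {"cve": "CVE-2025-66644", "host": "vpn-gw-01", "internet_exposed": True,  "weaponized_poc": False},
    {"cve": "CVE-2025-6218",  "host": "ws-0412",   "internet_exposed": False, "weaponized_poc": True},
    {"cve": "CVE-2025-14174", "host": "ws-0412",   "internet_exposed": False, "weaponized_poc": True},
    {"cve": "CVE-2024-0000",  "host": "db-02",     "internet_exposed": False, "weaponized_poc": False},
]

def load_kev(raw):
    """Index a KEV catalog JSON document by CVE id."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}

def prioritize(inventory, kev, now):
    """P1 = in KEV, P2 = weaponized PoC public, P3 = everything else.
    Assumed SLA: 24h when Internet-exposed, 48h otherwise, for P1 and P2."""
    rows = []
    for item in inventory:
        in_kev = item["cve"] in kev
        prio = 1 if in_kev else 2 if item["weaponized_poc"] else 3
        if prio < 3:
            due = (now + timedelta(hours=24 if item["internet_exposed"] else 48)).isoformat()
        else:
            due = "normal patch cycle"
        rows.append({**item, "priority": prio, "in_kev": in_kev, "due": due})
    # Exposed assets first within each priority tier.
    return sorted(rows, key=lambda r: (r["priority"], not r["internet_exposed"]))

def run_example():
    """Fixed 'now' so the output is reproducible."""
    now = datetime(2025, 12, 15, tzinfo=timezone.utc)
    return prioritize(INVENTORY, load_kev(KEV_SNAPSHOT), now)

if __name__ == "__main__":
    for r in run_example():
        print(f"P{r['priority']} {r['cve']:16} {r['host']:10} due: {r['due']}")
```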
CISA Known Exploited Vulnerabilities – December 8th to December 14th:
CVE-2022-37055 – D-Link Routers Buffer Overflow Vulnerability:
The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.
CVE-2025-66644 – Array Networks ArrayOS AG OS Command Injection Vulnerability:
Could allow an attacker to execute arbitrary commands.
CVE-2025-6218 – RARLAB WinRAR Path Traversal Vulnerability:
Could allow an attacker to execute code in the context of the current user.
CVE-2025-62221 – Microsoft Windows Use After Free Vulnerability:
Microsoft Windows Cloud Files Mini Filter Driver contains a use after free vulnerability that can allow an authorized attacker to elevate privileges locally.
CVE-2025-58360 – OSGeo GeoServer Improper Restriction of XML External Entity Reference Vulnerability:
Could allow an attacker to define external entities within the XML request.
CVE-2018-4063 – Sierra Wireless AirLink ALEOS Unrestricted Upload of File with Dangerous Type Vulnerability:
A specially crafted HTTP request can upload a file, resulting in executable code being uploaded, and routable, to the webserver. An attacker can make an authenticated HTTP request to trigger this vulnerability. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.
CVE-2025-14174 – Google Chromium Out of Bounds Memory Access Vulnerability:
Could allow a remote attacker to perform out of bounds memory access via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
PayPal’s Email Address Abused to Send Scam Messages
Another example of legit resources abused. The emails came from PayPal, pass spam filters, and are very hard to tell if real or fake. This has been mitigated, but the lesson is the same. Never click a link or call a phone number from an email. Log into your account and verify.
DroidLock Malware can Lock Android Devices and Delete Data
Spain is the current target, but that can change. The malware displays a full-screen overlay, can lock the device, and can perform a factory reset, effectively wiping the device. SMS one-time passwords (OTP) have long been obsolete, but the latest mobile malware can now intercept SMS OTPs, making a new MFA factor mandatory.
https://thecyberexpress.com/android-malware-locks-device-demands-ransom/
https://zimperium.com/blog/total-takeover-droidlock-hijacks-your-device
Top 25 Common Weakness Enumeration (CWE) list released
MITRE updated the Top 25 CWE list of the most dangerous software weaknesses; cross-site scripting (XSS) tops the list. Four of the six new CWEs added this year were not previously ranked.
https://cwe.mitre.org/top25/archive/2025/2025_cwe_top25.html
https://cwe.mitre.org/top25/archive/2025/2025_methodology.html
ClickFix Social Engineering Morphs into ConsentFix
Threat actors are innovators: this new ClickFix variant allows attackers to grab your Microsoft OAuth authentication token. If a user is logged into their Microsoft account, the attacker doesn't need a password or MFA. It's a combination ClickFix, AiTM, and OAuth consent phishing attack. It all happens in the browser, making it difficult to detect. Dig into this one.
https://pushsecurity.com/blog/consentfix/
Open-Source Repository Attack Stories
A VSCode Marketplace story with a fake .png file.
https://www.infosecurity-magazine.com/news/malicious-vs-code-extensions/
https://www.koi.ai/blog/the-vs-code-malware-that-captures-your-screen
Google Drive API Abused by NANOREMOTE Malware
This backdoor uses the Google Drive API for command-and-control (C2), data transfer, and payload staging. Abuse of legit infrastructure is a constant from threat actors, and it makes malicious campaigns very difficult to detect.
https://thehackernews.com/2025/12/nanoremote-malware-uses-google-drive.html
https://www.elastic.co/security-labs/nanoremote
Multiple Payloads Observed in React2Shell Attacks
Researchers are observing various malicious payloads deployed after successful attacks: a wide range of malware including Cobalt Strike, droppers, webshells, RATs, and trojans. Credential theft from cloud services and developer services has also been seen.
https://www.securityweek.com/wide-range-of-malware-delivered-in-react2shell-attacks/
Stealthy Storm-0249 Weaponizes EDR via DLL Sideloading
Initial access starts with ClickFix social engineering. A trojanized DLL and a legit SentinelOne executable are dropped into a protected directory. Once SentinelOne executes, threat actors can execute malicious code. This technique will work with other EDR platforms. Hiding in plain sight and abusing trust is the norm we have been seeing for years.
https://www.darkreading.com/cyberattacks-data-breaches/storm-0249-edr-processes-stealthy-attacks
https://reliaquest.com/blog/threat-spotlight-storm-0249-precision-endpoint-exploitation/
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter