Cyber Threat Weekly – #115
The week of January 2nd through February 8th, about 350 cyber news articles were reviewed. A light amount of cyber threat trends and adversarial behavior news to share. Been thinkin about the velocity of AI deployment and the consequences.
We are entering a new era of attacker capability. With the volume of agentic AI deployed, most of it without guardrails, or governance, it’s only a matter of time before attackers take advantage. A report showcased that AI-enabled fraud has skyrocketed in 2025, no surprise there. The onslaught is going to be immense. Are we sure that the speed to deploy AI is worth the consequences? Later always sucks worse.
Let’s start with a cool paper on the CISA KEV. Newly discovered post-compromise framework. Around 500 high-severity software bugs found by Claude AI. An interesting take on the next evolution of attacker tradecraft. A deep dive into Moltbot AI agent.
Researchers share an attack utilizing an EDR killer that was thwarted. Another ClickFix variant, CrashFix. Researchers share details on AI-enabled fraud. A Q4 2025 ransomware report.
Broken Record Alert: Don’t get pwned by N-day vulnerabilities!!!
Known exploited software flaws are one of the top 4 initial access vectors and have increased sharply in recent months. We continue to share n-day vulnerabilities being actively exploited. Priority #1, start with the CISA / VulnCheck known exploited vulnerability (KEV) catalogs. If it’s in the catalog, it should be patched.
A close #2 priority is flaws with weaponized proof of concept (PoC) code available. Exploit chances are higher with weaponized PoC code available. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for actively exploited and weaponized PoC code available vulnerabilities.
VPN gateways from all vendors are under constant attack.
You should consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices and services exposed to the Internet.
CISA Known Exploited Vulnerabilities – February 2nd to February 8th:
CVE-2021-39935 – GitLab Community and Enterprise Editions Server-Side Request Forgery (SSRF) Vulnerability:
Could allow unauthorized external users to perform Server Side Requests via the CI Lint API.
CVE-2025-64328 – Sangoma FreePBX OS Command Injection Vulnerability:
Could allow for a post-authentication command injection by an authenticated known user via the testconnection -> check_ssh_connect() function. An attacker can leverage this vulnerability to potentially obtain remote access to the system as an asterisk user.
CVE-2019-19006 – Sangoma FreePBX Improper Authentication Vulnerability:
Potentially allows unauthorized users to bypass password authentication and access services provided by the FreePBX admin.
CVE-2025-40551 – SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability:
Could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication.
CVE-2025-11953 – React Native Community CLI OS Command Injection Vulnerability:
Could allow unauthenticated network attackers to send POST requests to the Metro Development Server and run arbitrary executables via a vulnerable endpoint exposed by the server. On Windows, attackers can also execute arbitrary shell commands with fully controlled arguments.
CVE-2026-24423 – SmarterTools SmarterMail Missing Authentication for Critical Function Vulnerability:
Could allow the attacker to point the SmarterMail instance to a malicious HTTP server which serves the malicious OS command and could lead to command execution. Known to be used in ransomware campaigns.
KEVology, an Analysis of the CISA KEV
So, this is cool. The good folks at runZero have created a tool that can help you analyze CISA known exploited bugs. It can take various scores and filters such as EPSS into account so you can look for bugs meet specific criteria. This can help you filter down to just a few hundred bugs to prioritize patching. This one is worth a look.
https://thecyberexpress.com/what-is-cisa-kev-tool-to-guide-security-teams/
https://www.runzero.com/resources/kevology/
https://www.runzero.com/kev-collider/
DKnife, ELF Based Linux Post-Compromise Framework
The framework serves as a traffic-monitoring and adversary-in-the-middle toolkit. It’s designed to intercept traffic for deep packet inspection, traffic manipulation, malware delivery, and credential harvesting.
https://blog.talosintelligence.com/knife-cutting-the-edge/
Double Edge Sword – 500 Software Bugs found by Claude AI
After human verification, Anthropic is sharing the bugs with developers. While releasing its latest model, Claude Opus 4.6, Anthropic also shared it had identified zero-day bugs in open-source software. The double edge sword, while it is a good thing in general, it works for both defenders and attackers. Let the arms race begin.
https://red.anthropic.com/2026/zero-days/
The Next Evolution: Living Off the AI
Definitely agree with this take on the next evolution of attacker tradecraft. The bummer, many organizations have deployed AI without guardrails, observability, or governance. We are already seeing evidence of these types of attacks or the ability of the attacks to happen via researchers sharing their testing.
https://www.securityweek.com/living-off-the-ai-the-next-evolution-of-attacker-tradecraft/
Moltbot AI Agent Deep Dive
An open-source autonomous AI agent that took off in popularity. The AI assistant can work with most any AI model (Think: Open AI, Claude, etc.). Designed to be easy to deploy but flexible. It includes an externally accessible gateway, plus a security vulnerability breakdown is shared.
https://opensourcemalware.com/blog/clawdbot-skills-ganked-your-crypto
Forensic Tool Driver Used to Attempt to Disable EDR
There is a weakness in driver signatures that attackers are abusing. No easy answer is currently available thanks to tech debt. Threat actors are looking for signed drivers issued before July 29, 2015 to take advantage. The attack is called bring your own vulnerable driver and continues to plague defenders.
https://www.darkreading.com/threat-intelligence/encase-driver-weaponized-edr-killers-persist
https://www.huntress.com/blog/encase-byovd-edr-killer
CrashFix, the Latest ClickFix Variant
Using a combination of malvertising, malicious browser extension, crashing the browser, and social engineering leading to CrashFix. Once the victim runs the command, the script enumerates process for anti-analysis and domain-joined devices. If the machine is domain joined, a backdoor is downloaded.
AI-Enabled Fraud Skyrocketed in 2025
No real surprise, it was only a matter of time. This is the first report we’ve seen so far, we’ll correlate with others as they become available. The big number, 1,210% increase in AI-enabled fraud, even traditional fraud soared 195%.
https://www.infosecurity-magazine.com/news/ai-voice-virtual-meeting-fraud/
https://www.pindrop.com/ai-fraud-spike/
Coveware Q4 2025 Ransomware Report
These folks are ransomware incident responders; they have a unique view of the ransomware landscape. The most telling statistic in the report is the continued shift to smaller organizations with limited resources. The median size fell to 200 employees, but the largest was 11 to 100 employees at nearly 38%, next was 101 to 1,000 employees at nearly 31%. All told, from 1 to 1,000 employees, total nearly 73% of victims. The ransomware landscape is shifting away from big game hunting.
https://www.coveware.com/blog/2026/2/3/mass-data-exfiltration-campaigns-lose-their-edge-in-q4-2025
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter
Join the newsletter to receive the latest updates in your inbox.
Comments
Sign in to join the conversation.
Just enter your email below to receive a login link.
