Cyber Threat Weekly – #63
During the week of January 27th through February 2nd, around 416 cyber news articles were reviewed. There is a moderate amount of cyber threat trend and adversarial behavior news to share. Been thinking: complexity is the enemy of security.
How do we take a step back, consolidate, automate, and simplify our security programs? It feels like technology is driving our security programs instead of engineering and architecture. Are we focused on the critical things that will minimize business impact?
Let’s start with malvertising of Bing Ads and Microsoft Ads through Google ads. Possible backdoor in popular medical equipment. Researchers find what appears to be split testing of ‘download’ vs ‘ClickFix’ lures in a DarkGate campaign.
New pro-Russian hacktivist group hacking oil and gas facility control panels. Adversaries stayed on target for two months. Google AI abused by nation state threat actors. Multi-stage browser syncjacking attack can lead to device takeover.
Cisco Talos shares incident response trends for Q4 2024. Multi-layered traffic distribution system (TDS) is used by multiple threat actors. Hidden Lazarus group admin layer for C2 servers found. Researchers observe SimpleHelp RMM software exploitation.
Attacker velocity is increasing, breakout times shrink. Recorded Future 2024 Annual Report.
Broken Record Alert: Please patch N-day bugs!!!
Known exploited software flaws are one of the top 5 initial access vectors. We continue to share n-day vulnerabilities being actively exploited. You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog.
A close #2 priority is flaws with weaponized proof of concept (PoC) code available. Exploit chances are higher when weaponized PoC code is available. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are being exploited or have weaponized PoC code available.
You should consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices exposed to the Internet.
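The prioritization described above (KEV first, weaponized PoC a close second, Internet exposure as the tiebreaker for the emergency window) as a small triage script. This is an added example, not code from the newsletter; the KEV feed snippet is a constructed sample shaped like the public CISA KEV JSON (field names follow that feed, the entries and dates are sample values), the CVE-0000-* IDs are placeholders, and the `internet_exposed` and `weaponized_poc` flags are assumed to come from your asset inventory and threat-intel feed respectively. The 24h/48h split inside the 24-to-48-hour window is this example's own choice.

```python
"""Patch-priority triage following the newsletter's guidance: CISA KEV first,
weaponized-PoC flaws a close second, and Internet exposure as a tiebreaker.
Added example; all data below is constructed, not a real inventory."""
import json
from dataclasses import dataclass
from typing import Iterable, List, Set

# Constructed sample shaped like the public CISA KEV JSON feed
# (known_exploited_vulnerabilities.json). Field names follow the feed; the
# entries and dates are sample values, and the CVE-0000-* IDs are placeholders.
KEV_FEED_JSON = """
{
  "vulnerabilities": [
    {"cveID": "CVE-2025-24085", "vendorProject": "Apple", "product": "Multiple Products",
     "dateAdded": "2025-01-29", "dueDate": "2025-02-19", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-11111", "vendorProject": "PlaceholderVendor", "product": "PlaceholderApp",
     "dateAdded": "2025-01-30", "dueDate": "2025-02-20", "knownRansomwareCampaignUse": "Unknown"}
  ]
}
"""


@dataclass(frozen=True)
class Finding:
    """One vulnerability on one asset, as a scanner plus inventory would report it."""
    asset: str
    cve: str
    internet_exposed: bool   # assumed to come from the asset inventory / external scan
    weaponized_poc: bool     # assumed to come from a threat-intel feed flagging weaponized PoC


def load_kev_ids(feed_json: str) -> Set[str]:
    """Return the CVE IDs listed in a KEV-shaped JSON document."""
    return {entry["cveID"] for entry in json.loads(feed_json)["vulnerabilities"]}


def triage(findings: Iterable[Finding], kev_ids: Set[str]) -> List[dict]:
    """Rank findings: tier 1 = in KEV, tier 2 = weaponized PoC, tier 3 = standard cycle.

    Tiers 1 and 2 get the emergency 24-to-48-hour SLA the newsletter recommends;
    the split (24h Internet-exposed, 48h internal) is this example's own choice.
    """
    rows = []
    for f in findings:
        in_kev = f.cve in kev_ids
        if in_kev or f.weaponized_poc:
            tier = 1 if in_kev else 2
            sla_hours = 24 if f.internet_exposed else 48
            reason = "CISA KEV" if in_kev else "weaponized PoC"
            if f.internet_exposed:
                reason += ", Internet-exposed"
        else:
            tier, sla_hours, reason = 3, None, "standard patch cycle"
        rows.append({"tier": tier, "sla_hours": sla_hours, "asset": f.asset,
                     "cve": f.cve, "reason": reason})
    # Emergency work first, shortest SLA first, then a stable order by asset name.
    rows.sort(key=lambda r: (r["tier"], r["sla_hours"] or 10**6, r["asset"]))
    return rows


# Constructed findings; CVE-0000-* IDs are placeholders, not real vulnerabilities.
SAMPLE_FINDINGS = [
    Finding("mac-build-01", "CVE-2025-24085", internet_exposed=False, weaponized_poc=False),
    Finding("web-edge-01", "CVE-0000-11111", internet_exposed=True, weaponized_poc=False),
    Finding("app-int-02", "CVE-0000-22222", internet_exposed=False, weaponized_poc=True),
    Finding("vpn-edge-03", "CVE-0000-33333", internet_exposed=True, weaponized_poc=True),
    Finding("file-int-04", "CVE-0000-44444", internet_exposed=False, weaponized_poc=False),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS, load_kev_ids(KEV_FEED_JSON)):
        sla = f"{row['sla_hours']}h" if row["sla_hours"] else "next cycle"
        print(f"tier {row['tier']}  {sla:>10}  {row['asset']:<14} {row['cve']}  ({row['reason']})")
```

Swapping the constructed feed for the live KEV JSON and the sample findings for your scanner export is all that changes; the ordering logic is the part worth keeping, because it turns the newsletter's two priorities into a queue your patch team can work top-down.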
CISA Known Exploited Vulnerabilities – January 27th to February 2nd:
CVE-2025-24085 – Apple Multiple Products Use-After-Free Vulnerability:
Affects Apple iOS, macOS, and other Apple products; could allow a malicious application to elevate privileges.
Google Ads Malvertising Bing Ads / Microsoft Ads
New target, new lure: Microsoft Ads accounts. Google was abused in a similar malvertising campaign we have covered in the past, utilizing the same redirects that hide the malicious websites. We consistently see similar behavior with different lures and targets.
Popular Medical Equipment has Backdoor
FDA and CISA warn that the Contec CMS8000 and Epismed MN-120 patient monitors could put patients at risk. There is a backdoor in the firmware that reports back to a hardcoded IP address. Multiple versions of firmware were tested, all containing the backdoor code. The onus is on IT / security departments to ensure proper operation of IoT, IoMT, OT, and other devices on the network.
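A firmware backdoor that phones home to a hardcoded address is, from the network side, an outbound connection from a device segment to a destination nobody documented. One way a security team can "ensure proper operation" of such devices is an egress allowlist check over flow records for the patient-monitor segment. This is an added example, not from the newsletter or the FDA/CISA advisory: the segment, the allowlisted destinations, the ports and every flow record are constructed, and 198.51.100.77 is a documentation address standing in for an unknown external host, not an indicator from the advisory.

```python
"""Egress allowlist check for a patient-monitor (IoMT) network segment.
Added example, not from the newsletter or the FDA/CISA advisory; every
address, port and flow record below is constructed."""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

# Assumed VLAN holding the patient monitors (constructed).
IOMT_SEGMENT = ipaddress.ip_network("10.50.0.0/24")

# Destinations the monitors are supposed to talk to; constructed sample. A real
# list comes from the vendor's network documentation and clinical engineering.
EGRESS_ALLOWLIST = [
    ipaddress.ip_network("10.50.1.10/32"),   # central monitoring station (assumed)
    ipaddress.ip_network("10.50.1.53/32"),   # internal DNS (assumed)
    ipaddress.ip_network("10.50.1.123/32"),  # internal NTP (assumed)
]

# RFC 1918 ranges, used only to label a destination as internal or external.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records in a NetFlow/Zeek-like shape: (src, dst, dst_port, proto, bytes).
# 198.51.100.77 is a documentation address (TEST-NET-2) standing in for an unknown
# external host, not a real indicator.
SAMPLE_FLOWS = [
    ("10.50.0.21", "10.50.1.10", 4000, "tcp", 18200),
    ("10.50.0.21", "10.50.1.123", 123, "udp", 76),
    ("10.50.0.22", "198.51.100.77", 4000, "tcp", 1200),
    ("10.50.0.22", "198.51.100.77", 4000, "tcp", 1300),
    ("10.50.0.23", "10.50.1.53", 53, "udp", 90),
    ("10.60.0.5", "198.51.100.77", 443, "tcp", 5000),   # outside the IoMT segment: out of scope
]


def is_allowed(dst: str) -> bool:
    """True if the destination falls inside one of the allowlisted networks."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in EGRESS_ALLOWLIST)


def is_external(dst: str) -> bool:
    """True if the destination is outside every RFC 1918 range."""
    addr = ipaddress.ip_address(dst)
    return not any(addr in net for net in INTERNAL_RANGES)


def find_unexpected_egress(flows, segment=IOMT_SEGMENT) -> List[dict]:
    """Aggregate flows leaving the segment whose destination is not allowlisted.

    Returns one alert per (src, dst) pair: external destinations first, then by bytes.
    """
    agg: Dict[Tuple[str, str], dict] = defaultdict(lambda: {"flows": 0, "bytes": 0, "ports": set()})
    for src, dst, dport, proto, nbytes in flows:
        if ipaddress.ip_address(src) not in segment or is_allowed(dst):
            continue
        entry = agg[(src, dst)]
        entry["flows"] += 1
        entry["bytes"] += nbytes
        entry["ports"].add(f"{proto}/{dport}")
    alerts = []
    for (src, dst), entry in agg.items():
        alerts.append({"src": src, "dst": dst, "flows": entry["flows"],
                       "bytes": entry["bytes"], "ports": sorted(entry["ports"]),
                       "external": is_external(dst)})
    alerts.sort(key=lambda a: (not a["external"], -a["bytes"], a["src"]))
    return alerts


if __name__ == "__main__":
    for a in find_unexpected_egress(SAMPLE_FLOWS):
        where = "EXTERNAL" if a["external"] else "internal"
        print(f"{where}: {a['src']} -> {a['dst']} {a['ports']} flows={a['flows']} bytes={a['bytes']}")
```

The same check works as a firewall rule (deny everything from the segment except the allowlist) once the baseline is trusted; running it over flow logs first tells you what the baseline actually is before you block, and surfaces a device that talks to an address the vendor never documented.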
DarkGate Campaign Testing ‘Download’ vs ‘ClickFix’
Split-testing ads, landing pages, and other portions of a campaign is popular with marketers optimizing their campaigns. Apparently, cybercriminals are taking notice and testing their malvertising campaigns to see what works best.
Pro-Russian Hacktivists ‘Sector 16’ Breaching Critical Infrastructure
This group, like Z-Pentest, is hacking into supervisory control and data acquisition (SCADA) systems. Both groups are posting screen recordings on the dark web showing them tampering with critical control panels. Securing critical OT systems should be a high priority.
https://thecyberexpress.com/new-russian-threat-group-hacks-u-s-energy/
Data Pilfered Over Two Months
Mizuno USA detected suspicious activity in its network environment in November. An investigation found that systems were accessed, and files stolen, by unauthorized personnel over a two-month period. The lesson here is that most attacks are persistent threats; both cybercriminals and nation states use similar techniques and behaviors. Yesterday’s nation state attack is tomorrow’s commodity attack.
Nation States Use Google AI to Enable Operations
The good news is that nation states are not using AI to create novel capabilities. They are using it to bolster multiple aspects of attack campaigns. Productivity gains are being made, but currently that’s as far as the abuse goes.
https://thehackernews.com/2025/01/google-over-57-nation-state-threat.html
https://cloud.google.com/blog/topics/threat-intelligence/adversarial-misuse-generative-ai
Browser Syncjacking using Chrome Extensions
Researchers discovered a multi-stage attack vector that can lead to device takeover. Using malicious user profiles, a Chrome extension, and social engineering to install an enrollment token, attackers can compromise a device.
https://labs.sqrx.com/browser-syncjacking-cc602ea0cbd0
Talos Incident Response Trends Q4 2024
There was a sharp uptick in the use of publicly available web shells against vulnerable or unpatched web applications. Ransomware dwell times were quite high this quarter, from 17 to 44 days. Ransomware actors utilized compromised valid accounts in 75% of engagements this quarter. Persistent threats continue as nation state and criminal threat actor behavior continues to blur.
https://blog.talosintelligence.com/talos-ir-trends-q4-2024/
Researchers Share Multi-Layer TDS Infrastructure Findings
Various threat actors use the multi-layer TDS tracked as TAG-124. Compromised WordPress sites, payload servers, a possible management server, central server, an additional panel, and other components make up this TDS.
https://www.recordedfuture.com/research/tag-124-multi-layered-tds-infrastructure-extensive-user-base
https://go.recordedfuture.com/hubfs/reports/cta-2025-0130.pdf
Lazarus Group Using Hidden Admin Layer to Manage C2 Servers
Newly discovered infrastructure has been tied to Lazarus Group. It’s used to manage compromised systems, control payload delivery, and manage exfiltrated data. While conducting operations, Astrill VPNs and proxies were used to conceal access to C2 servers.
SimpleHelp RMM Tool Actively Exploited
Researchers have observed initial access to victim devices through an unapproved SimpleHelp server. A session is then used to enumerate accounts and domain info. Recently fixed bugs could be the culprit, but that’s not confirmed.
https://www.securityweek.com/simplehelp-remote-access-software-exploited-in-attacks/
Adversaries’ Attack Speed Increases, Breakout Times Drop
Researchers share observations on attack velocity and the drivers contributing to attackers’ speed. Infostealer data and initial access broker listings are growing. Social engineering is a big contributor to speedy attacks.
https://www.infosecurity-magazine.com/news/breakout-time-accelerates-22/
https://www.reliaquest.com/blog/racing-the-clock-outpacing-accelerating-attacks/
Recorded Future 2024 Annual Report
Personal devices are increasingly targeted by infostealer malware. New ransomware families continue to grow in number. RMM tool usage is growing significantly in attack campaigns. Defense evasion is the fastest growing behavior.
https://www.recordedfuture.com/research/2024-annual-report
https://go.recordedfuture.com/hubfs/reports/cta-2025-0128.pdf
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter