Cyber Threat Weekly – #65
The week of February 10th through February 16th, around 380 cyber news articles were reviewed. A light-ish amount of cyber threat trends and adversarial behavior news to share. Been thinking about proactive defense with deception technology.
Low- or no-cost deception pays huge dividends. As an industry, we struggle to detect an intrusion early. Deception technology can give every organization, regardless of size, an early warning system. It doesn’t have to be complex or costly.
Let’s start with threat actors using device code lures in social engineering attacks. A Palo Alto Networks bug with an exploit available. After a proof-of-concept exploit was released, SonicWall firewalls were targeted via an authentication bypass flaw.
Unpatched Cisco edge devices are being exploited by a Chinese nation-state group. A RansomHub deep dive, a significant ransomware player. A nation-state-backed opportunistic initial access threat group. The evolving national security threat, cybercrime.
North Korean threat actors adopting ClickFix-like tactics. Multiple Ivanti bugs patched, including three critical. New Btmob RAT Android malware. Huntress 2025 Cyber Threat Report.
Broken Record Alert: Please patch N-day bugs!!!
Known exploited software flaws are one of the top five initial access vectors. We continue to share n-day vulnerabilities being actively exploited. You can prioritize starting with the CISA Known Exploited Vulnerabilities (KEV) catalog.
A close #2 priority is flaws with weaponized proof-of-concept (PoC) code available. The chance of exploitation is higher when weaponized PoC code is available. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are being exploited or have weaponized PoC code available.
You should consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way toward minimizing the number of devices exposed to the Internet.
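An added example (not from the newsletter) of the prioritization described above: a small Python triage that puts CISA KEV entries first, flaws with weaponized PoC code second, and everything else on a routine cycle, with Internet-exposed assets leading within each tier. The KEV excerpt, the scanner findings, the reference time and the 30-day routine SLA are constructed for the demo; the KEV field names are the ones the real feed uses.

```python
from datetime import datetime, timedelta

# Constructed excerpt in the shape of CISA's KEV JSON feed (field names are the feed's own;
# the two entries mirror items in the list above, the dates are illustrative).
KEV_SAMPLE = {
    "vulnerabilities": [
        {"cveID": "CVE-2024-57727", "vendorProject": "SimpleHelp", "product": "SimpleHelp",
         "dateAdded": "2025-02-13", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-21418", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2025-02-11", "knownRansomwareCampaignUse": "Unknown"},
    ]
}
# Flaws with weaponized PoC code covered later in this issue (absent from the KEV sample above).
WEAPONIZED_POC = {"CVE-2025-0108", "CVE-2024-53704"}
EMERGENCY_SLA = timedelta(hours=48)  # the 24-to-48-hour emergency patch process
ROUTINE_SLA = timedelta(days=30)     # assumed normal patch cycle, not from the newsletter
NOW = datetime(2025, 2, 17, 9, 0)    # constructed reference time for the demo

# Constructed scanner findings; CVE-0000-0000 is a placeholder for an ordinary, unexploited bug.
FINDINGS = [
    {"asset": "fw-edge-01", "cve": "CVE-2024-53704", "internet_exposed": True},
    {"asset": "ws-0412", "cve": "CVE-2025-21418", "internet_exposed": False},
    {"asset": "rmm-01", "cve": "CVE-2024-57727", "internet_exposed": True},
    {"asset": "srv-db-02", "cve": "CVE-0000-0000", "internet_exposed": False},
]

def kev_ids(kev_feed):
    """Set of CVE ids present in a KEV-shaped feed."""
    return {v["cveID"] for v in kev_feed["vulnerabilities"]}

def triage(findings, kev_feed, weaponized, now):
    """Tag each finding with a tier (1 = in KEV, 2 = weaponized PoC, 3 = other) and a due
    date, then order most urgent first; Internet-exposed assets lead within a tier."""
    kev = kev_ids(kev_feed)
    rows = []
    for f in findings:
        if f["cve"] in kev:
            tier, due = 1, now + EMERGENCY_SLA
        elif f["cve"] in weaponized:
            tier, due = 2, now + EMERGENCY_SLA
        else:
            tier, due = 3, now + ROUTINE_SLA
        rows.append({**f, "tier": tier, "due": due})
    rows.sort(key=lambda r: (r["tier"], not r["internet_exposed"], r["cve"]))
    return rows

if __name__ == "__main__":
    for r in triage(FINDINGS, KEV_SAMPLE, WEAPONIZED_POC, NOW):
        print(f"tier {r['tier']}  due {r['due']:%Y-%m-%d %H:%M}  {r['asset']:<10} {r['cve']}")
```

Swap KEV_SAMPLE for the live catalog download and FINDINGS for your scanner export and the same ordering applies.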
CISA Known Exploited Vulnerabilities – February 10th to February 16th:
CVE-2024-40891 – Zyxel DSL CPE OS Command Injection Vulnerability:
Could allow an authenticated attacker to execute OS commands via Telnet.
CVE-2024-40890 – Zyxel DSL CPE OS Command Injection Vulnerability:
Could allow an authenticated attacker to execute OS commands via a crafted HTTP request.
CVE-2025-21418 – Microsoft Windows Ancillary Function Driver for WinSock Heap-Based Buffer Overflow Vulnerability:
Allows privilege escalation, enabling a local attacker to gain SYSTEM privileges.
CVE-2025-21391 – Microsoft Windows Storage Link Following Vulnerability:
Could allow privilege escalation and let an attacker delete data, including data whose loss makes the service unavailable.
CVE-2025-24200 – Apple iOS and iPadOS Incorrect Authorization Vulnerability:
Allows a physical attacker to disable USB Restricted Mode on a locked device.
CVE-2024-41710 – Mitel SIP Phones Argument Injection Vulnerability:
Affecting Mitel 6800 Series, 6900 Series, and 6900w Series SIP Phones, including the 6970 Conference Unit. Successful exploitation may allow an attacker to execute arbitrary commands within the context of the system.
CVE-2024-57727 – SimpleHelp Path Traversal Vulnerability:
Could allow an unauthenticated remote attacker to download arbitrary files from the SimpleHelp host via crafted HTTP requests. These files may include server configuration files and hashed user passwords.
Social Engineering via Device Code Phishing
Pretexting and social engineering are the hallmarks of this campaign. The actors first build rapport via messaging apps, then the trap is sprung: an invitation is sent luring the victim into a device code authentication flow that emulates the messaging service’s login.
https://cyberscoop.com/russia-threat-groups-device-code-phishing-microsoft-accounts/
Palo Alto Networks Bug Proof of Concept Code Released
Researchers published complete exploit details after the CVE-2025-0108 fix was released. Of course, soon after, scanning activity began. This is an authentication bypass flaw that requires network access to the management interface.
https://security.paloaltonetworks.com/CVE-2025-0108
https://www.assetnote.io/resources/research/nginx-apache-path-confusion-to-auth-bypass-in-pan-os
SonicWall Flaw Fixed, but Exploit Code Released
Yet another flaw with exploit code released by researchers, and active exploitation soon after. This time SonicWall firewalls are under attack. The flaw, tracked as CVE-2024-53704, is an authentication bypass bug.
https://arcticwolf.com/resources/blog/cve-2024-53704/
https://bishopfox.com/blog/sonicwall-cve-2024-53704-ssl-vpn-session-hijacking
Older Cisco Bugs Exploited by Chinese Threat Actors
A global campaign targeting telcos and universities is being tracked by researchers. Salt Typhoon, the notorious Chinese threat group, is exploiting Cisco devices using older bugs from 2023. Once a device is compromised, generic routing encapsulation (GRE) tunnels are configured on it for stealthy persistence and data exfiltration.
https://www.recordedfuture.com/research/redmike-salt-typhoon-exploits-vulnerable-devices
https://go.recordedfuture.com/hubfs/reports/cta-cn-2025-0213.pdf
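An added example, not from the newsletter or the Recorded Future report: a defender’s audit of a Cisco IOS running-config that flags GRE tunnel interfaces not on the network team’s approved list, the kind of check that would surface the persistence tunnels described above. The config excerpt and the approved-tunnel list are constructed; the IOS keywords are the real ones.

```python
import re
# Constructed Cisco IOS running-config excerpt; addresses are from documentation ranges.
RUNNING_CONFIG = """\
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.10
!
interface Tunnel7
 ip address 10.99.99.1 255.255.255.252
 tunnel source GigabitEthernet0/1
 tunnel destination 203.0.113.77
 tunnel mode gre ip
!
"""

# Tunnels the network team has documented, as (interface, destination); anything else is suspect.
APPROVED_TUNNELS = {("Tunnel0", "198.51.100.10")}

def parse_tunnels(config):
    """Map each Tunnel interface to its source, destination and tunnel mode."""
    tunnels, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (Tunnel\d+)\s*$", line)
        if m:
            current = m.group(1)
            # IOS runs a Tunnel interface as GRE over IPv4 unless another mode is configured
            tunnels[current] = {"source": None, "destination": None, "mode": "gre ip"}
            continue
        if not line.startswith(" "):
            current = None            # any other top-level line ends the interface block
        if current is None:
            continue
        words = line.split()
        if words[:2] == ["tunnel", "source"]:
            tunnels[current]["source"] = words[2]
        elif words[:2] == ["tunnel", "destination"]:
            tunnels[current]["destination"] = words[2]
        elif words[:2] == ["tunnel", "mode"]:
            tunnels[current]["mode"] = " ".join(words[2:])
    return tunnels

def unapproved_gre_tunnels(config, approved):
    """Names of GRE tunnels whose (name, destination) pair is not on the approved list."""
    return sorted(name for name, t in parse_tunnels(config).items()
                  if t["mode"].startswith("gre") and (name, t["destination"]) not in approved)

if __name__ == "__main__":
    print("unapproved GRE tunnels:", unapproved_gre_tunnels(RUNNING_CONFIG, APPROVED_TUNNELS))
```

Run it against a scheduled `show running-config` export from each edge device and alert on any non-empty result.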
Prolific RansomHub Ransomware-as-a-Service (RaaS) Player
Researchers dive deep into RansomHub RaaS operations. The gang emerged in early February 2024 and has made a significant impact. Victimology, tactics, techniques, and procedures, as well as the tools used, are shared.
https://www.group-ib.com/blog/ransomhub-never-sleeps-episode-1/
Specialized Initial Access Nation-State Threat Group
A subgroup of Seashell Blizzard has been observed utilizing opportunistic initial access techniques. Active since at least August 2021, the group is focused on critical infrastructure at a near-global scale. Stealthy tactics allow the group to maintain persistence at high-value targets.
Cybercrime is a National Security Threat
The volume and velocity of cybercrime is immense. Nation states continue to blur the lines, using cybercriminal infrastructure and resources to facilitate operations. The methodologies are the same; motivations separate the two groups. Using cybercrime resources makes attribution difficult and nation-state activities more cost effective.
https://services.google.com/fh/files/misc/cybercrime-multifaceted-national-security-threat.pdf
ClickFix-Like Tactic Adopted by North Korean State Actors
The social engineering tactic involves deceptive error messages giving victims directions on executing code. Kimsuky uses a variation that starts with pretexting the victim. Once some trust is established, a spear-phishing email with a PDF attachment is sent to the victim. Opening the PDF directs the victim to a fake registration page.
Three Critical and Several Other Ivanti Bugs Fixed
So far, no reports of active exploitation. That said, Ivanti products are highly targeted by nation-state backed actors and cybercriminals. The critical issues require authentication, but stolen legitimate credentials are the norm today.
Phishing Sites Distribute Android Malware Btmob RAT
The malware abuses Android’s Accessibility Services, allowing remote control of the device, credential theft, and data exfiltration. Command and control is WebSocket-based, and the malware can even unlock the device.
https://thecyberexpress.com/btmob-rat/
https://cyble.com/blog/btmob-rat-newly-discovered-android-malware/
Huntress 2025 Cyber Threat Report
This report covers the threat landscape in 2024, ransomware activities, attacker tools and techniques, MITRE tactics, and more. It’s good to see hands-on-keyboard activity, time frames, and identity threats.
https://www.infosecurity-magazine.com/news/ransomware-gangs-prioritize-speed/
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter