Cyber Threat Weekly – #66
The week of February 17th through February 23rd, about 334 cyber news articles were reviewed. A light-ish amount of cyber threat trends and adversarial behavior news to share. I've been thinking about data loss prevention and data protection complexity.
Data Loss Prevention (DLP) has not really lived up to its promise. The complexity comes from discovering your data, classifying your data, and controlling data access (data governance). Organizations struggle to operationalize DLP; how can we do a better job?
Let’s start with the PayPal email scam. Ghost ransomware, FBI and CISA joint advisory. Darcula Phishing-as-a-Service (PhaaS) v3, clone any website. Black Basta chat logs leaked. LNK files plus endpoint protection bypass equals AsyncRAT.
The prevalence of legit credentials and account takeovers. Proof-of-concept exploit code released for four Ivanti bugs. Cisco shares analysis of Salt Typhoon attacks. The State of Cybercrime 2024. Hiding JavaScript in plain sight.
A new player in macOS malware via FakeUpdate campaigns. Palo Alto firewalls attacked via chained flaws.
Broken Record Alert: Please patch N-day bugs!!!
Known exploited software flaws are one of the top 5 initial access vectors. We continue to share n-day vulnerabilities being actively exploited. You can prioritize starting with the CISA Known Exploited Vulnerabilities (KEV) catalog.
A close #2 priority is flaws with weaponized proof-of-concept (PoC) code available; the chance of exploitation rises sharply once weaponized PoC code is public. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are actively exploited or have weaponized PoC code available.
You should also consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way toward minimizing the number of devices exposed to the Internet.
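The triage the three paragraphs above describe (KEV first, weaponized PoC second, Internet-facing assets ahead of internal ones, with a 24-to-48-hour clock) is easy to script. The following is an added example, not code from the newsletter: it works through a KEV-style feed, a constructed asset inventory and a constructed weaponized-PoC list. The feed mirrors the field names of the real CISA JSON (`vulnerabilities[]` entries with `cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `knownRansomwareCampaignUse`), but its dates are placeholders, the host names are made up, and `CVE-0000-0000` is a deliberate non-identifier standing in for "a bug in neither list".

```javascript
// Added example, not from the newsletter: triage a patch backlog the way the text
// describes. CISA KEV first, weaponized PoC second, everything else on the normal cycle.
// The KEV sample mirrors the real feed's schema but its dates are PLACEHOLDERS; the
// inventory and the PoC list are CONSTRUCTED for the example.

const KEV_FEED = {
  title: "KEV-style feed (constructed sample, placeholder dates)",
  vulnerabilities: [
    { cveID: "CVE-2025-0108", vendorProject: "Palo Alto Networks", product: "PAN-OS",
      dateAdded: "2025-02-18", dueDate: "2025-03-11", knownRansomwareCampaignUse: "Unknown" },
    { cveID: "CVE-2024-53704", vendorProject: "SonicWall", product: "SonicOS",
      dateAdded: "2025-02-18", dueDate: "2025-03-11", knownRansomwareCampaignUse: "Unknown" },
    { cveID: "CVE-2025-0111", vendorProject: "Palo Alto Networks", product: "PAN-OS",
      dateAdded: "2025-02-20", dueDate: "2025-03-13", knownRansomwareCampaignUse: "Unknown" },
    { cveID: "CVE-2025-23209", vendorProject: "Craft CMS", product: "Craft CMS",
      dateAdded: "2025-02-20", dueDate: "2025-03-13", knownRansomwareCampaignUse: "Unknown" },
    { cveID: "CVE-2025-24989", vendorProject: "Microsoft", product: "Power Pages",
      dateAdded: "2025-02-21", dueDate: "2025-03-14", knownRansomwareCampaignUse: "Unknown" },
  ],
};

// Bugs with public weaponized PoC but (per the newsletter) no observed exploitation yet.
const WEAPONIZED_POC = new Set([
  "CVE-2024-10811", "CVE-2024-13159", "CVE-2024-13160", "CVE-2024-13161",
]);

// Constructed asset inventory: which CVEs each host carries and whether it faces the Internet.
// "CVE-0000-0000" is a placeholder for "some bug in neither list", not a real identifier.
const INVENTORY = [
  { host: "fw-edge-01", internetExposed: true,  cves: ["CVE-2025-0108", "CVE-2025-0111"] },
  { host: "vpn-01",     internetExposed: true,  cves: ["CVE-2024-53704"] },
  { host: "fw-lab-02",  internetExposed: false, cves: ["CVE-2025-0111"] },
  { host: "epm-01",     internetExposed: false, cves: ["CVE-2024-13159", "CVE-2024-13161"] },
  { host: "cms-02",     internetExposed: true,  cves: ["CVE-2025-23209"] },
  { host: "build-07",   internetExposed: false, cves: ["CVE-0000-0000"] },
];

function buildKevIndex(feed) {
  const index = new Map();
  for (const entry of feed.vulnerabilities) index.set(entry.cveID.toUpperCase(), entry);
  return index;
}

// Tier 1: in KEV. 24h if the host is Internet-facing or the bug is tied to ransomware, else 48h.
// Tier 2: weaponized PoC public. 48h regardless of exposure.
// Tier 3: everything else on the normal monthly cycle.
function classify(cveId, asset, kevIndex, pocSet) {
  const id = cveId.toUpperCase();
  const kev = kevIndex.get(id);
  if (kev) {
    const ransomware = kev.knownRansomwareCampaignUse === "Known";
    return {
      tier: 1,
      slaHours: asset.internetExposed || ransomware ? 24 : 48,
      reason: `CISA KEV (added ${kev.dateAdded}, federal due ${kev.dueDate})`,
    };
  }
  if (pocSet.has(id)) return { tier: 2, slaHours: 48, reason: "weaponized public PoC" };
  return { tier: 3, slaHours: 30 * 24, reason: "no known exploitation or public PoC" };
}

function triage(inventory, feed, pocSet, now = new Date()) {
  const kevIndex = buildKevIndex(feed);
  const findings = [];
  for (const asset of inventory) {
    for (const cveId of asset.cves) {
      const c = classify(cveId, asset, kevIndex, pocSet);
      findings.push({
        host: asset.host,
        cve: cveId.toUpperCase(),
        internetExposed: asset.internetExposed,
        ...c,
        deadline: new Date(now.getTime() + c.slaHours * 3600 * 1000).toISOString(),
      });
    }
  }
  // Lowest tier first; within a tier, Internet-facing hosts first, then shortest SLA.
  findings.sort((a, b) =>
    a.tier - b.tier || Number(b.internetExposed) - Number(a.internetExposed) || a.slaHours - b.slaHours);
  return findings;
}

for (const f of triage(INVENTORY, KEV_FEED, WEAPONIZED_POC)) {
  console.log(`T${f.tier} ${f.slaHours}h  ${f.host.padEnd(10)} ${f.cve.padEnd(14)} ${f.internetExposed ? "EXT" : "int"}  ${f.reason}`);
}
```

To run this against the real catalog, replace `KEV_FEED` with the parsed JSON from the CISA feed; the `vulnerabilities` array and its field names are the same, so `buildKevIndex` works unchanged. The PoC list is the part you have to maintain yourself from vendor advisories and exploit trackers, which is exactly why it is kept as a separate input.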
CISA Known Exploited Vulnerabilities – February 17th to February 23rd:
CVE-2025-0108 – Palo Alto Networks PAN-OS Authentication Bypass Vulnerability:
Allows an unauthenticated attacker with network access to the management web interface to bypass the authentication normally required and invoke certain PHP scripts.
CVE-2024-53704 – SonicWall SonicOS SSLVPN Improper Authentication Vulnerability:
Allows a remote attacker to bypass authentication.
CVE-2025-0111 – Palo Alto Networks PAN-OS File Read Vulnerability:
Enables an authenticated attacker with network access to the management web interface to read files on the PAN-OS filesystem that are readable by the “nobody” user.
CVE-2025-23209 – Craft CMS Code Injection Vulnerability:
Can enable remote code execution.
CVE-2025-24989 – Microsoft Power Pages Improper Access Control Vulnerability:
Allows an unauthorized attacker to elevate privileges over a network potentially bypassing the user registration control.
Scammers Abusing Legit PayPal “New Address” Feature
In typical social engineering fashion, the scammers use legitimate infrastructure and scare tactics to get victims to install software. The emails are genuinely sent by PayPal from the ‘service@paypal.com’ address, which is why they look legitimate. The message includes an “888” number to call, which reaches the scammers. If you receive an unexpected “new address” notice, check your account by logging into PayPal directly rather than calling the number in the email.
Chinese Ransomware Group – Ghost
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released an advisory about the Ghost ransomware group. Ghost activity dates back to early 2021; the group focuses mainly on encryption and gains access by taking advantage of known, unpatched bugs. Once on target, typical tooling includes web shells, Cobalt Strike, and open-source tools.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-050a
New Version 3 of Darcula Suite Phishing-as-a-Service
This update advertises an on-demand feature to clone any brand’s website and tweak it for phishing. The ability to generate a phishing kit for any brand makes defending against phishing websites considerably harder, since defenders can no longer focus on a fixed set of impersonated brands.
https://thehackernews.com/2025/02/cybercriminals-can-now-clone-any-brands.html
https://www.netcraft.com/blog/darcula-v3-phishing-kits-targeting-any-brand/
Black Basta Ransomware Internal Chat Logs Leaked
An apparent dispute over targeting Russian “domestic banks” led to the release of the group's internal chat logs. Black Basta has been on a tear, using social engineering to persuade employees at target companies to install software. One of the most prolific gangs of 2024 now seems to have gone quiet.
https://therecord.media/black-basta-ransomware-group-chat-logs-leaked
AsyncRAT Delivered via Phishing with LNK Files
The use of malicious LNK files in email phishing campaigns is nothing new. But injecting the malware directly into memory and bypassing endpoint protection with the open-source tool Null-AMSI adds a new twist. Other threat actors are sure to follow suit.
https://thecyberexpress.com/asyncrat-attack/
Researchers Share 2024 Account Takeover Stats
We’ve been talking about the use of legitimate credentials in attack campaigns for a long time. Proofpoint is sharing some observed account takeover numbers, and they are not pleasant; coming from a large worldwide customer base, the numbers are even scarier. Let’s start with 99% of organizations being targeted and 62% suffering at least one successful takeover. Even for accounts with multi-factor authentication, the successful takeover figure was 65%.
https://www.proofpoint.com/us/blog/threat-insight/account-takeover-statistics
Researchers Release Exploit Code for Four Ivanti Bugs
While not observed to be exploited, proof-of-concept code has been released for the previously fixed bugs CVE-2024-10811, CVE-2024-13159, CVE-2024-13160, and CVE-2024-13161. Ivanti products are a favorite threat actor target, and with exploit code and technical details now public, there is a good chance exploitation will commence. Patch these on the weaponized-PoC timeline rather than waiting for them to show up in KEV.
Salt Typhoon Telecom Attack Analysis - Cisco
From custom malware and legitimate credentials to living-off-the-land methodology, Cisco Talos shares details of the Salt Typhoon attacks on telecom providers around the world. Cisco devices were targeted in these attacks, but it appears legitimate credentials were used for initial access.
https://blog.talosintelligence.com/salt-typhoon-analysis/
Kela Releases "The State of Cybercrime 2024"
Infostealers drove the abuse of legitimate credentials, the numbers of both ransomware victims and ransomware groups increased, and exploited vulnerabilities remained a common initial access vector. The lines between nation states and criminals continue to blur.
https://www.infosecurity-magazine.com/news/330-million-credentials/
https://info.ke-la.com/hubfs/Reports/KELA%20Report%20-%20The%20State%20of%20Cybercrime%202024.pdf
Hidden JavaScript via Invisible Unicode
A new JavaScript obfuscation technique was shared in October 2024 and is already being abused by threat actors. The JavaScript is tough to detect because the payload is encoded in invisible Unicode characters that render as blank space. Two of the domains used in the campaign were linked to the Tycoon 2FA phishing kit. This tactic is likely to grow in popularity, as ClickFix did.
https://blogs.juniper.net/en-us/threat-research/invisible-obfuscation-technique-used-in-pac-attack
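To make the "hidden characters" concrete, here is an added example (not code from the newsletter, the Juniper write-up or the campaign) showing both halves of the problem: how a script can be packed into characters that render as nothing, and a detector that flags long runs of such characters in a source file. It assumes two Hangul filler code points are used as the 0 and 1 symbols, eight fillers per payload byte; the payload, the sample page script and the detector's list of invisible code points are all constructed for the example.

```javascript
// Added example (not from the newsletter or the campaign it cites): how JavaScript can be
// hidden in "invisible" Unicode and how to detect it. ASSUMPTION: the two Hangul filler
// code points below serve as the 0 and 1 symbols, one byte of payload per eight fillers.
// The payload, the sample script and the detector's code-point list are CONSTRUCTED here.

const ZERO = "\uFFA0"; // HALFWIDTH HANGUL FILLER, renders as nothing
const ONE = "\u3164";  // HANGUL FILLER, also renders as nothing

// Encode a Latin-1 payload as a string that looks empty in an editor or a browser's view-source.
function hide(payload) {
  let out = "";
  for (const ch of payload) {
    const code = ch.codePointAt(0);
    if (code > 0xff) throw new Error("one byte per character: payload must be Latin-1");
    out += code.toString(2).padStart(8, "0").replace(/[01]/g, (b) => (b === "1" ? ONE : ZERO));
  }
  return out;
}

// Inverse: eight fillers back to one character. Anything that is not ONE counts as a 0 bit.
function reveal(hidden) {
  let out = "";
  for (let i = 0; i + 8 <= hidden.length; i += 8) {
    const bits = [...hidden.slice(i, i + 8)].map((c) => (c === ONE ? "1" : "0")).join("");
    out += String.fromCharCode(parseInt(bits, 2));
  }
  return out;
}

// Detection: legitimate source rarely contains long runs of invisible or format code points.
// Hangul fillers plus the usual zero-width suspects; extend the class as needed.
const INVISIBLE = /[\u3164\uFFA0\u115F\u1160\u200B-\u200D\u2060\uFEFF]+/g;
const FILLERS_ONLY = /^[\u3164\uFFA0]+$/;

function findInvisibleRuns(source, minRun = 16) {
  const hits = [];
  for (const m of source.matchAll(INVISIBLE)) {
    if (m[0].length < minRun) continue;
    hits.push({
      offset: m.index,
      length: m[0].length,
      // If the run is made only of the two fillers, try the decoding above for a preview.
      preview: FILLERS_ONLY.test(m[0]) ? reveal(m[0]).slice(0, 40) : null,
    });
  }
  return hits;
}

// Constructed payload and constructed "page script"; example.invalid is a reserved, non-routable name.
const PAYLOAD = 'fetch("https://example.invalid/beacon")';
const SAMPLE_SCRIPT = [
  'document.title = "Welcome";',
  `const k = "${hide(PAYLOAD)}"; // looks like an empty string`,
  "// a loader would decode k here and hand it to Function/eval",
].join("\n");

console.log("visible length:", SAMPLE_SCRIPT.replace(INVISIBLE, "").length,
            "actual length:", SAMPLE_SCRIPT.length);
for (const h of findInvisibleRuns(SAMPLE_SCRIPT)) {
  console.log(`invisible run at offset ${h.offset}, ${h.length} code points, decodes to: ${h.preview}`);
}
```

The point of the detector is the run-length heuristic, not the exact character list: a string literal that is dozens of invisible code points long has no honest reason to exist in production JavaScript, so the same check can be applied to script responses at a proxy, to files in a repository, or to attachments in mail flow. The decoding preview is a bonus for the analyst; the alert should fire on the run itself.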
FakeUpdate Campaigns Now Include macOS Malware
Threat actors are taking note of the success of FakeUpdate campaigns. FakeUpdate campaigns compromise legitimate websites and inject malicious JavaScript that displays fake browser update messages. A new macOS stealer, FrigidStealer, is now being distributed this way.
Chained Palo Alto Flaws Abusing Unsecured Management Interfaces
The same day a fix was released for CVE-2025-0108, researchers released proof-of-concept code demonstrating CVE-2025-0108 chained with CVE-2024-9474. A day later, exploit attempts began. Now CVE-2025-0111 is being added to the chain. Every link in the chain requires network access to the management web interface, so restricting that interface to trusted internal IP addresses, and never exposing it to the Internet, cuts off the attack path even before patching.
https://securityadvisories.paloaltonetworks.com/CVE-2025-0108
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter