Cyber Threat Weekly – #77
For the week of May 5th through May 11th, about 375 cyber news articles were reviewed. There is a light amount of cyber threat trend and adversarial behavior news to share this week; much of it repeated behavior covered in past weeks, so coverage is limited.
Let’s start with another example of social engineering, this time ClickFix. More social engineering, with a fake AI website as the lure. The LockBit gang hacked again. Massive account takeover used to manipulate a financial market. A proxy botnet of roughly 7,000 devices taken down.
Attackers will find a way to bypass EDR, here by abusing a legitimate installer. Russian state-backed threat actors use ClickFix to deploy malware. What are you up against: an insurance company’s view.
Broken Record Alert: Don’t get pwned by N-day vulnerabilities!!!
Known exploited software flaws are one of the top 4 initial access vectors and have increased sharply in recent months. We continue to share n-day vulnerabilities being actively exploited. Priority #1: start with the CISA / VulnCheck known exploited vulnerability (KEV) catalogs. If it’s in the catalog, it should be patched.
A close #2 priority is flaws with weaponized proof of concept (PoC) code available; the chance of exploitation is higher once weaponized PoC code is public. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are actively exploited or have weaponized PoC code available.
You should also consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way toward minimizing the number of devices and services exposed to the Internet.
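As a worked version of the priority ladder above (KEV first, weaponized PoC second, then Internet-exposed assets, then the rest), here is an added triage script. It is not code from the newsletter. The KEV subset is constructed inline in the shape of the CISA feed (a "vulnerabilities" list of objects with a "cveID" key); the weaponized-PoC set, the scanner findings, the CVE-2099-* placeholder IDs and the non-emergency SLA values are assumptions.

```python
"""Patch-priority triage: KEV entries first, weaponized-PoC flaws second,
then Internet-exposed assets, then everything else."""
from dataclasses import dataclass
from enum import IntEnum


class Tier(IntEnum):
    KEV = 1             # actively exploited per CISA/VulnCheck KEV: emergency window
    WEAPONIZED_POC = 2  # public weaponized exploit: same emergency window
    INTERNET_EXPOSED = 3
    ROUTINE = 4


# Hours to remediate per tier. 48h matches the 24-to-48-hour emergency
# process above; the other two values are assumed policy numbers.
SLA_HOURS = {Tier.KEV: 48, Tier.WEAPONIZED_POC: 48,
             Tier.INTERNET_EXPOSED: 7 * 24, Tier.ROUTINE: 30 * 24}


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    internet_exposed: bool


# Constructed subset shaped like the CISA KEV feed; IDs are from this week's
# list, and only cveID is read (other keys are ignored).
SAMPLE_KEV_JSON = {"vulnerabilities": [
    {"cveID": "CVE-2025-3248", "vendorProject": "Langflow"},
    {"cveID": "CVE-2025-27363", "vendorProject": "FreeType"},
    {"cveID": "CVE-2024-6047", "vendorProject": "GeoVision"},
]}

# Constructed placeholders for a weaponized-PoC feed and scanner output;
# the CVE-2099-* IDs are deliberately fictitious.
SAMPLE_WEAPONIZED = {"cve-2099-0001"}
SAMPLE_FINDINGS = [
    Finding("CVE-2099-0002", "intranet-wiki", internet_exposed=False),
    Finding("CVE-2099-0001", "vpn-gw-1", internet_exposed=True),
    Finding("CVE-2024-6047", "gv-camera-12", internet_exposed=False),
    Finding("CVE-2025-3248", "langflow-prod", internet_exposed=True),
    Finding("CVE-2099-0002", "web-store", internet_exposed=True),
]


def load_kev_ids(kev_json: dict) -> set[str]:
    """Reduce a KEV catalog document to a set of upper-cased CVE IDs."""
    return {v["cveID"].upper() for v in kev_json.get("vulnerabilities", [])}


def classify(finding: Finding, kev_ids: set[str], weaponized_ids: set[str]) -> Tier:
    """Apply the ladder: KEV beats PoC, PoC beats exposure, exposure beats routine."""
    cve = finding.cve.upper()
    if cve in kev_ids:
        return Tier.KEV
    if cve in {w.upper() for w in weaponized_ids}:
        return Tier.WEAPONIZED_POC
    if finding.internet_exposed:
        return Tier.INTERNET_EXPOSED
    return Tier.ROUTINE


def triage(findings, kev_ids, weaponized_ids):
    """Return (tier, sla_hours, finding) tuples, most urgent first.

    Within a tier, Internet-exposed assets sort ahead of internal ones."""
    rows = [(classify(f, kev_ids, weaponized_ids), f) for f in findings]
    rows.sort(key=lambda r: (r[0], not r[1].internet_exposed, r[1].cve, r[1].asset))
    return [(tier, SLA_HOURS[tier], f) for tier, f in rows]


if __name__ == "__main__":
    kev = load_kev_ids(SAMPLE_KEV_JSON)
    for tier, sla, f in triage(SAMPLE_FINDINGS, kev, SAMPLE_WEAPONIZED):
        print(f"{tier.name:16} {sla:4}h  {f.cve:15} {f.asset} exposed={f.internet_exposed}")
```

Swap the constructed catalog for the real CISA JSON (downloaded out of band) and the findings for your scanner export; the ordering logic does not change. Note that an end-of-life device such as the GeoVision cameras above lands in the KEV tier but has no patch, so the 48-hour action there is isolation or removal, not an update.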
CISA Known Exploited Vulnerabilities – May 5th to May 11th:
CVE-2025-3248 – Langflow Missing Authentication Vulnerability:
Allows a remote, unauthenticated attacker to execute arbitrary code via crafted HTTP requests.
CVE-2025-27363 – FreeType Out-of-Bounds Write Vulnerability:
An out-of-bounds write when parsing font subglyph structures related to TrueType GX and variable font files may allow arbitrary code execution.
CVE-2024-11120 – GeoVision Devices OS Command Injection Vulnerability:
Allows a remote, unauthenticated attacker to inject and execute arbitrary system commands. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.
CVE-2024-6047 – GeoVision Devices OS Command Injection Vulnerability:
Allows a remote, unauthenticated attacker to inject and execute arbitrary system commands. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.
Macmillan Subsidiary iClicker Targeted with ClickFix Attack
Social engineering is one of our biggest threats today, and this is yet another example of the ClickFix technique. Hacking the human is a nightmare to defend against. If it works, threat actors will continue to use it and iterate on the theme.
Taking Advantage of AI Content Creation
Threat actors are building enticing fake AI content-creation websites as a social engineering lure to deliver malware. The concept is not new, but it continues. In this case a new infostealer, Noodlophile, was identified.
https://www.morphisec.com/blog/new-noodlophile-stealer-fake-ai-video-generation-platforms/
Japanese Financial Accounts Abused for Stock Market Trades
A story of massive account takeovers used to game the financial system. Typically, the hijacked accounts were used to push up the price of smaller stocks. This is interesting behavior: the criminals buy small stocks themselves, then abuse the compromised accounts to inflate the prices.
https://therecord.media/hackers-hijack-japan-finance-accounts
LockBit Gang Data Leaked, Hacked Again
Their data leak site was defaced, and data from December 19th 2024 to April 29th 2025 was leaked. We always learn a ton from these. The leak includes more than 70 administrators and affiliates, 59,975 unique bitcoin addresses, 4,442 negotiation messages, and more.
https://www.darkreading.com/threat-intelligence/lockbit-ransomware-gang-hacked-data-leaked
Proxy Botnet Allegedly Operating Since 2004 Taken Down
Edge routers are used to hide malicious traffic and the threat actors behind it. Thousands of end-of-life devices are compromised all the time and used for proxies or DDoS botnets. We have shared multiple warnings from CISA, the FBI, and others.
https://thehackernews.com/2025/05/breaking-7000-device-proxy-botnet-using.html
https://blog.lumen.com/black-lotus-labs-helps-demolish-major-criminal-proxy-network/
https://www.ic3.gov/CSA/2025/250507.pdf
https://www.ic3.gov/PSA/2025/PSA250507
Threat Actor’s New EDR Bypass Technique
There are ways around everything; there is no silver bullet in security. In this case an attacker with local admin access launched a legitimate upgrade of the EDR agent. The agent’s services are stopped during an upgrade, so the attacker then used taskkill to kill the msiexec.exe installer process before the new agent came up, leaving the host with the EDR agent disabled.
https://www.infosecurity-magazine.com/news/new-technique-bypass-sentinelone/
https://www.aon.com/en/insights/cyber-labs/bring-your-own-installer-bypassing-sentinelone
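The sequence above (a legitimate EDR installer run, then the msiexec.exe process killed inside the upgrade window) is narrow enough to hunt for in process-creation telemetry. The following is an added detection example, not code from the newsletter or from the linked write-ups. The events are constructed records loosely shaped like Sysmon Event ID 1 (timestamp, PID, image, command line, parent image); the field names, the installer-name pattern, the ten-minute window and all paths and PIDs are assumptions.

```python
"""Hunt for an EDR installer run followed by a kill of msiexec.exe."""
import re
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed: an agent upgrade runs for minutes, not hours

# Assumed pattern for "this MSI is an EDR agent installer"; tune per vendor.
EDR_INSTALLER_RE = re.compile(r"(sentinel|edr|agent)[^\\/]*\.msi", re.I)
KILL_BY_NAME_RE = re.compile(r"taskkill(\.exe)?.*?/im\s+msiexec(\.exe)?", re.I)
KILL_BY_PID_RE = re.compile(r"taskkill(\.exe)?.*?/pid\s+(\d+)", re.I)
PS_STOP_RE = re.compile(r"stop-process.*?(-name\s+msiexec|-id\s+(\d+))", re.I)

# Constructed sample telemetry (paths, PIDs and timestamps are made up).
SAMPLE_EVENTS = [
    {"ts": "2025-05-08T10:00:00", "pid": 4120, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Temp\ExampleEDR-Agent-x64.msi /quiet",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"ts": "2025-05-08T10:00:41", "pid": 5008, "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /f /im msiexec.exe", "parent": r"C:\Windows\System32\cmd.exe"},
    # Benign: an unrelated MSI, and a kill 30 minutes after the EDR installer (outside WINDOW).
    {"ts": "2025-05-08T10:30:00", "pid": 6200, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Temp\7z2409-x64.msi /qn", "parent": r"C:\Windows\explorer.exe"},
    {"ts": "2025-05-08T10:30:05", "pid": 6210, "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /f /im msiexec.exe", "parent": r"C:\Windows\System32\cmd.exe"},
    # Second attempt: kill by PID from PowerShell instead of by image name.
    {"ts": "2025-05-08T14:00:00", "pid": 7001, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\Public\EDR-Agent.msi /qn",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"ts": "2025-05-08T14:03:12", "pid": 7050,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -NoP -c "Stop-Process -Id 7001 -Force"',
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"ts": "2025-05-08T14:03:30", "pid": 7060, "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /f /im notepad.exe", "parent": r"C:\Windows\explorer.exe"},
]


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def _kill_target(image: str, cmdline: str):
    """Return ('name', None) for a kill of msiexec by image name, ('pid', n)
    for a kill by PID, or None if this process is not a kill at all."""
    if image == "taskkill.exe":
        if KILL_BY_NAME_RE.search(cmdline):
            return ("name", None)
        m = KILL_BY_PID_RE.search(cmdline)
        if m:
            return ("pid", int(m.group(2)))
    elif image in ("powershell.exe", "pwsh.exe"):
        m = PS_STOP_RE.search(cmdline)
        if m:
            return ("pid", int(m.group(2))) if m.group(2) else ("name", None)
    return None


def detect_installer_abuse(events):
    """Return (installer_event, kill_event) pairs where an EDR installer run was
    followed, within WINDOW, by a kill of msiexec.exe by name or by that PID."""
    alerts = []
    recent_installers = []  # (timestamp, pid, event) for EDR installer runs
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        image = _basename(ev["image"])
        if image == "msiexec.exe" and EDR_INSTALLER_RE.search(ev["cmdline"]):
            recent_installers.append((ts, ev["pid"], ev))
            continue
        # Forget installer runs older than the window before checking for a kill.
        recent_installers = [i for i in recent_installers if ts - i[0] <= WINDOW]
        kill = _kill_target(image, ev["cmdline"])
        if kill is None:
            continue
        kind, target = kill
        for _, pid, installer in recent_installers:
            if kind == "name" or target == pid:
                alerts.append((installer, ev))
    return alerts


if __name__ == "__main__":
    for installer, kill in detect_installer_abuse(SAMPLE_EVENTS):
        print(f"ALERT: {installer['ts']} pid {installer['pid']} ran {installer['cmdline']!r}; "
              f"{kill['ts']} pid {kill['pid']} ran {kill['cmdline']!r}")
```

This only catches the two kill methods it knows about (taskkill and Stop-Process); an attacker can terminate the installer other ways, so pair it with a second signal that does not depend on the kill tool, such as the agent’s service-stop event not being followed by a service-start within the same window. Preventively, the cleaner fix is to restrict who may run installers at all and to follow the vendor guidance in the links above.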
ClickFix Technique Abused by Nation State Threat Actors
Social engineering in general is heavily abused; hacking the human never seems to go out of style. The popularity of ClickFix continues to grow. In this case it was used to deploy the custom LOSTKEYS malware for espionage.
https://thehackernews.com/2025/05/russian-hackers-using-clickfix-fake.html
2025 Cyber Claims Report – Coalition
Some highlights from the report: BEC and funds transfer fraud made up 60% of claims, ransomware severity was down 7%, and the average ransomware loss was $292k.
https://www.cybersecuritydive.com/news/ransomware-cyber-insurance-coalition-report/747474/
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter