Cyber Threat Weekly – #79
The week of May 19th through May 25th, around 396 cyber news articles were reviewed. A light-ish amount of cyber threat trends and adversarial behavior news to share. Been thinking about how cybersecurity is like good insurance coverage.
No one wants to pay for it, but you sure are glad you have it when it hits the fan. The goal of each is to minimize financial risk. The cost of good insurance keeps going up, just like cyber security. How do we get the most out of what we spend on cyber security?
Let’s start with attackers targeting IT staff using SEO poisoning. CISA released an advisory around adversaries targeting SaaS companies. Another week, another set of tainted NPM and / or PyPI packages, in this case NPM.
Instagram and TikTok APIs exploited by PyPI packages. TikTok Videos and ClickFix technique delivers malware. Extortion gang using social engineering for initial access. Researchers share top 10 threats seen across their clients.
Another ransomware group adopting email bombing / vishing combo. Popular samlify package critical bug.
Broken Record Alert: Don’t get pwned by N-day vulnerabilities!!!
Known exploited software flaws are one of the top 4 initial access vectors and have increased sharply in recent months. We continue to share n-day vulnerabilities being actively exploited. Priority #1, start with the CISA / VulnCheck known exploited vulnerability (KEV) catalogs. If it’s in the catalog, it should be patched.
A close #2 priority is flaws with weaponized proof of concept (PoC) code available. Exploit chances are higher when weaponized PoC code is available. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are actively exploited or have weaponized PoC code available.
You should consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices and services exposed to the Internet.
CISA Known Exploited Vulnerabilities – May 19th to May 25th:
CVE-2023-38950 – ZKTeco BioTime Path Traversal Vulnerability:
Allows an unauthenticated attacker to read arbitrary files via supplying a crafted payload.
CVE-2024-27443 – Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability:
An attacker can exploit this vulnerability via an email message containing a crafted calendar header, leading to the execution of arbitrary JavaScript code.
CVE-2025-27920 – Srimax Output Messenger Directory Traversal Vulnerability:
Allows an attacker to access sensitive files outside the intended directory, potentially leading to configuration leakage or arbitrary file access.
CVE-2024-11182 – MDaemon Email Server Cross-Site Scripting (XSS) Vulnerability:
Allows a remote attacker to load arbitrary JavaScript code via an HTML e-mail message.
CVE-2025-4428 – Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability:
Allows an authenticated attacker to remotely execute arbitrary code via crafted API requests.
CVE-2025-4427 – Ivanti Endpoint Manager Mobile (EPMM) Authentication Bypass Vulnerability:
Allows an attacker to access protected resources without proper credentials via crafted API requests.
CVE-2025-4632 – Samsung MagicINFO 9 Server Path Traversal Vulnerability:
Allows an attacker to write arbitrary files as system authority.
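As an added illustration of the prioritization above (not code from the newsletter), here is a Python triage routine that joins an asset inventory against a KEV-style feed and assigns the emergency 24-to-48-hour deadline, with Internet-exposed hosts first. The catalog entries, hostnames, PoC flags and CVE-0000-* ids are constructed sample data, and the 30-day routine cycle is an assumed default.

```python
import json
from datetime import datetime, timedelta

# Constructed sample using the CISA KEV JSON feed's field names; the entries are
# illustrations built from this week's list, not a copy of the live catalog.
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-4427", "vendorProject": "Ivanti", "product": "EPMM", "dueDate": "2025-06-09"},
    {"cveID": "CVE-2025-4428", "vendorProject": "Ivanti", "product": "EPMM", "dueDate": "2025-06-09"},
    {"cveID": "CVE-2025-4632", "vendorProject": "Samsung", "product": "MagicINFO 9", "dueDate": "2025-06-12"},
]})

# Constructed asset inventory joined with a hypothetical weaponized-PoC feed.
# CVE-0000-0001 / CVE-0000-0002 are placeholder ids, not real vulnerabilities.
INVENTORY = [
    {"host": "mdm-gw-01", "cve": "CVE-2025-4427", "internet_exposed": True, "weaponized_poc": True},
    {"host": "signage-02", "cve": "CVE-2025-4632", "internet_exposed": False, "weaponized_poc": False},
    {"host": "lab-07", "cve": "CVE-0000-0001", "internet_exposed": True, "weaponized_poc": True},
    {"host": "build-03", "cve": "CVE-0000-0002", "internet_exposed": False, "weaponized_poc": False},
]

def load_kev(kev_json):
    """Index a KEV feed by CVE id so membership checks are a dict lookup."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}

def triage(inventory, kev, now_iso, routine_days=30):
    """Tier each finding: 1 = in KEV, 2 = weaponized PoC available, 3 = routine.
    Tiers 1 and 2 get the 24-to-48-hour emergency window (24 h if the host is
    Internet-exposed); routine_days is an assumed default for everything else."""
    now = datetime.fromisoformat(now_iso)
    findings = []
    for item in inventory:
        entry = kev.get(item["cve"])
        tier = 1 if entry else 2 if item["weaponized_poc"] else 3
        hours = (24 if item["internet_exposed"] else 48) if tier < 3 else routine_days * 24
        deadline = now + timedelta(hours=hours)
        if entry:
            # Never let the local deadline slip past the catalog's own due date.
            deadline = min(deadline, datetime.fromisoformat(entry["dueDate"]))
        findings.append({"host": item["host"], "cve": item["cve"], "tier": tier,
                         "internet_exposed": item["internet_exposed"],
                         "deadline": deadline.isoformat(timespec="hours")})
    # Work order: tier first, Internet-exposed hosts next, then earliest deadline.
    findings.sort(key=lambda f: (f["tier"], not f["internet_exposed"], f["deadline"]))
    return findings

if __name__ == "__main__":
    for f in triage(INVENTORY, load_kev(KEV_JSON), "2025-05-26"):
        print(f"tier {f['tier']}  {f['host']:<11} {f['cve']:<14} due {f['deadline']}")
```

Swap KEV_JSON for the downloaded catalog feed and INVENTORY for your scanner export to get a real work order.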
IT Staff Targeted in SEO Poisoning Campaigns
Fake websites abusing Zenmap and WinMRT via SEO poisoning were discovered. Also, RVTools was possibly trojanized and abused with typo-squatting domains, likely promoted through SEO poisoning or malvertising. IT staff typically have admin privileges and are always a target.
Adversaries Targeting SaaS Companies, CISA Believes
The cloud is heavily targeted by cybercriminals and nation states. This one is a bit more specific; CISA believes nation states are targeting SaaS applications with default configurations and elevated permissions. Let’s hope the criminals don’t follow suit. Yesterday’s nation state attack is tomorrow’s commodity attack.
Sensitive Host and Network Data Collected by Malicious NPM Packages
Using names similar to legit packages, the threat actor tricked developers into downloading the malicious packages. There were a total of 60 packages exhibiting this behavior. We see malicious packages found on NPM virtually every week.
https://socket.dev/blog/60-malicious-npm-packages-leak-network-and-host-data
Instagram and TikTok APIs Exploited via PyPI Packages
The packages acted as checker tools to validate if an email is associated with TikTok and Instagram via their APIs. Malicious packages are found virtually every week on PyPI. Due diligence is important if you download PyPI or NPM packages.
https://thehackernews.com/2025/05/malicious-pypi-packages-exploit.html
https://socket.dev/blog/malicious-checker-packages-on-pypi-probe-tiktok-and-instagram
https://www.reversinglabs.com/blog/backdoor-implant-discovered-on-pypi-posing-as-debugging-utility
Malware Delivered via TikTok Videos and ClickFix Technique
The popularity of social media combined with social engineering techniques like ClickFix is a potent combination. Attempting to bypass corporate controls is becoming a normal occurrence. The malware of choice in this campaign: Vidar and StealC.
https://thehackernews.com/2025/05/hackers-use-tiktok-videos-to-distribute.html
https://expel.com/blog/following-the-spiders-investigating-lactrodectus-malware/
https://www.trendmicro.com/en_us/research/25/e/tiktok-videos-infostealers.html
Social Engineering Used to Gain Initial Access
Silent Ransom Group (SRG), also known as Luna Moth, Chatty Spider, and UNC3753, impersonates IT support via email, fake sites, and phone calls to gain initial access. The group leads the employee to join a remote access session. This is a popular technique used by several threat groups.
https://www.ic3.gov/CSA/2025/250523.pdf
April Top 10 Threats Observed by Researchers
The Red Canary Team saw SocGholish drop out of the top 10, the first time since November 2023. Some notables: LummaC2, Latrodectus, and Mimikatz are all in the top 10. Lesser-known Amber Albatross is first, and Scarlet Goldfinch second.
https://redcanary.com/blog/threat-intelligence/intelligence-insights-may-2025/
Email Bombing / Vishing Combo Used by 3AM Ransomware Affiliates
Another threat group, in this case ransomware affiliates tied to 3AM ransomware, is abusing social engineering for initial access. This technique is becoming contagious. If it works, it will continue to be abused by threat actors.
https://www.darkreading.com/threat-intelligence/3am-ransomware-adopts-email-bombing-vishing
Samlify Designed to Simplify SAML Implementation, Critical Bug
Researchers found a bug in the popular samlify library, tracked as CVE-2025-47949, CVSS 9.9 out of 10. The samlify library is designed to simplify implementation of SAML 2.0 for single sign-on. An attacker could bypass authentication through user impersonation.
https://www.csoonline.com/article/3993262/samlify-bug-lets-attackers-bypass-single-sign-on.html
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter