Cyber Threat Weekly – #80

The week of May 26^th through June 1^st, around 310 cyber news articles were reviewed.  A light ish amount of cyber threat trends and adversarial behavior news to share.  Been thinkin about AI technology and the security headache.

Do you have an AI policy?  Do you know if your employees are using AI within your organization?  You can’t block your way out of shadow AI usage.  It’s important to know where you stand currently so you can put the proper guardrails in place.  AI is very useful tech, whether you like it or not, it’s probably being used in your organization.

Let’s start with Cisco WLC bug public write up.  Known bugs being exploited by nation state threat actors.  New infostealer malware deployed via ClickFix technique.  Linux botnet brute forces SSH credentials for initial access to IoT devices.

An example of legitimate services being abused by threat actors.  Yet another example of legit services abused.  Ransomware gang likely deploying new RAT.  Researchers find over-privileged access to Microsoft One Drive via OAuth.                                                                                            

CISA shares SIEM and SOAR guidance.  GreyNoise observes a coordinated scanning event.

Broken Record Alert: Don’t get pwned by N-day vulnerabilities!!!

Known exploited software flaws are one of the top 4 initial access vectors and have increased sharply in recent months.  We continue to share n-day vulnerabilities being actively exploited.  Priority #1, start with the CISA / VulnCheck known exploited vulnerability (KEV) catalogs.  If it’s in the catalog, it should be patched.

A close #2 priority is flaws with weaponized proof of concept (PoC) code available.  Exploit chances are higher with weaponized PoC code available.  If you do nothing else with patching, have an emergency 24-to-48-hour patching process for actively exploited and weaponized PoC code available vulnerabilities.

You should consider what is exposed to the Internet.  Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices and services exposed to the Internet.

Researchers Share Some Exploit Info on Cisco WLC Bug

A write-up made public by Horizon3 doesn’t share a complete exploit, but close enough for the gaps to be filled in.  The bug tracked as CVE-2025-20188 allows an adversary to take over devices.  We’ll see if this one gets exploited.

https://www.bleepingcomputer.com/news/security/exploit-details-for-max-severity-cisco-ios-xe-flaw-now-public/

https://horizon3.ai/attack-research/attack-blogs/cisco-ios-xe-wlc-arbitrary-file-upload-vulnerability-cve-2025-20188-analysis/

Nation State Actors Abusing Known Bugs for Initial Access

A Chinese backed threat group Earth Lamia is going after known bugs, dropping a backdoor, and exfiltrating data.  In addition, typical lateral movement is employed.  The lesson here, attack surface and threat exposure management minimize impact from this behavior.  Yesterday’s nation state attack is tomorrow’s commodity attack.

https://www.darkreading.com/threat-intelligence/earth-lamia-exploits-sql-rce-bugs-asia

https://www.trendmicro.com/en_us/research/25/e/earth-lamia.html

ClickFix Technique Used to Deploy EDDIESTEALER

Designed to bypass Chrome’s App-Bound encryption to steal browser data, this is one of a growing line of infostealers.  The malware is Rust-based and a commodity stealer.  Social engineering via ClickFix is still growing in adoption. 

https://thehackernews.com/2025/05/eddiestealer-malware-uses-clickfix.html

https://www.elastic.co/security-labs/eddiestealer

PumaBot Targets SSH Credentials on IoT Devices

It goes after Internet exposed devices such as IP cameras and network-based video recorders.  Do we really need to expose these devices to the Internet?  Architecture and zero trust network access would go a long way to minimize this attack vector.
https://www.csoonline.com/article/3999154/novel-pumabot-slips-into-iot-surveillance-with-stealthy-ssh-break-ins.html

https://www.darktrace.com/blog/pumabot-novel-botnet-targeting-iot-surveillance-devices

Google App Scripts Abused by Threat Actors

This is typical behavior anymore, the use of trusted brands to appear legitimate.  Since the website is hosted on Google, the threat actor is betting the target will trust the content in the phishing email.  It is more difficult to detect as well.

https://www.csoonline.com/article/3998296/warning-threat-actors-now-abusing-google-apps-script-in-phishing-attacks.html

https://cofense.com/blog/behind-the-script-unmasking-phishing-attacks-using-google-apps-script

Stealthy Communications via Google Calendar

Chinese nation state threat actors used encrypted messages within hard coded calendar events for command and control.  Again, legit services used for malicious purposes.  Stealthy, very tough to detect.  We will see more of this type of activity, it works.

https://www.bleepingcomputer.com/news/security/apt41-malware-abuses-google-calendar-for-stealthy-c2-communication/

https://cloud.google.com/blog/topics/threat-intelligence/apt41-innovative-tactics/

New NodeSnake RAT Deployed by Interlock Ransomware Gang

Interlock doesn’t appear to use the as-a-Service model.  This is a new and looks to be actively developed tool.  It’s interesting to see ransomware gangs creating their own tools and buying zero-days exploits.  Many long running ransomware gangs and affiliates have resources approaching that of nation states after years of extortion payouts.

https://www.bleepingcomputer.com/news/security/interlock-ransomware-gang-deploys-new-nodesnake-rat-on-universities/

https://www.quorumcyber.com/wp-content/uploads/2025/04/20250416-Higher-Education-Sector-RAT-MP.pdf

Over-privileged OAuth Permissions Could Lead to One Drive Access

Researcher’s find Microsoft’s File Picker tool used for OneDrive access from various applications via OAuth uses over-privileged permissions.  This is one to keep an eye on, even spot check some of your applications and permissions.

https://www.csoonline.com/article/3997051/if-you-use-onedrive-to-upload-files-to-chatgpt-or-zoom-dont.html

https://www.oasis.security/blog/onedrive-file-picker-security-flaw-oasis-research

https://pages.oasis.security/rs/106-PZV-596/images/onedrive-file-access-warning.pdf

CISA Shares SIEM and SOAR Guidance

It’s always nice to have some guidance on implementing security controls.  Hopefully you can get a few nuggets from this guidance. 

https://www.cisa.gov/resources-tools/resources/guidance-siem-and-soar-implementation

Coordinated Scanning Event Observed by GreyNoise

This one is interesting and often a precursor to attacks.  There were 251 malicious IPs hosted by Amazon used in this coordinated scan which happened in one day.  GreyNoise observed 75 behaviors including older bug exploits, recon and enumeration, and misconfiguration probes.

https://www.greynoise.io/blog/coordinated-cloud-based-scanning-operation-targets-75-known-exposure-points