Cyber Threat Weekly – #80
The week of May 26th through June 1st, around 310 cyber news articles were reviewed. A lightish amount of cyber threat trends and adversarial behavior news to share. Been thinking about AI technology and the security headache.
Do you have an AI policy? Do you know if your employees are using AI within your organization? You can’t block your way out of shadow AI usage. It’s important to know where you stand currently so you can put the proper guardrails in place. AI is very useful tech, and whether you like it or not, it’s probably being used in your organization.
Let’s start with a public write-up of a Cisco WLC bug. Known bugs being exploited by nation state threat actors. New infostealer malware deployed via the ClickFix technique. A Linux botnet brute forces SSH credentials for initial access to IoT devices.
An example of legitimate services being abused by threat actors. Yet another example of legit services abused. A ransomware gang likely deploying a new RAT. Researchers find over-privileged access to Microsoft OneDrive via OAuth.
CISA shares SIEM and SOAR guidance. GreyNoise observes a coordinated scanning event.
Broken Record Alert: Don’t get pwned by N-day vulnerabilities!!!
Known exploited software flaws are one of the top 4 initial access vectors and have increased sharply in recent months. We continue to share n-day vulnerabilities being actively exploited. Priority #1, start with the CISA / VulnCheck known exploited vulnerability (KEV) catalogs. If it’s in the catalog, it should be patched.
A close #2 priority is flaws with weaponized proof of concept (PoC) code available. Exploitation chances are higher when weaponized PoC code is available. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are actively exploited or have weaponized PoC code available.
You should consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices and services exposed to the Internet.
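The triage rule above, as an added example rather than anything from the newsletter: a Python script that indexes a KEV-format feed and buckets a vulnerability inventory into priority tiers and patch windows. The KEV field names follow the real CISA JSON feed; the CVE ids, assets, exposure and PoC flags are constructed sample data.

```python
import json

# Constructed stand-in for the CISA KEV feed. The field names match the real
# known_exploited_vulnerabilities.json; the entries and CVE ids are made up.
KEV_JSON = """{"vulnerabilities": [
 {"cveID": "CVE-2000-0001", "dateAdded": "2025-05-28", "dueDate": "2025-06-18",
  "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-2000-0002", "dateAdded": "2025-05-20", "dueDate": "2025-06-10",
  "knownRansomwareCampaignUse": "Unknown"}]}"""

# Constructed vulnerability inventory, shaped like a scanner export.
INVENTORY = [
    {"cve": "CVE-2000-0001", "asset": "vpn-gw-01", "exposed": True, "poc": True},
    {"cve": "CVE-2000-0002", "asset": "intranet-app", "exposed": False, "poc": False},
    {"cve": "CVE-2000-0003", "asset": "web-01", "exposed": True, "poc": True},
    {"cve": "CVE-2000-0004", "asset": "build-srv", "exposed": False, "poc": False},
]


def load_kev(text):
    """Index a KEV-format JSON document by CVE id."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


def triage(item, kev):
    """Apply the rule: KEV first, weaponized PoC second, everything else on
    the normal cycle. Internet-exposed assets get the 24-hour end of the
    24-to-48-hour emergency window."""
    entry = kev.get(item["cve"])
    if entry is not None:
        tier = 1
    elif item["poc"]:
        tier = 2
    else:
        tier = 3
    sla_hours = None if tier == 3 else (24 if item["exposed"] else 48)
    return {
        "cve": item["cve"], "asset": item["asset"], "tier": tier,
        "sla_hours": sla_hours,
        "ransomware": bool(entry) and entry["knownRansomwareCampaignUse"] == "Known",
        "kev_due": entry["dueDate"] if entry else None,
    }


def triage_all(inventory, kev):
    """Return the inventory ordered by urgency (tier, then shorter SLA)."""
    rows = [triage(i, kev) for i in inventory]
    return sorted(rows, key=lambda r: (r["tier"], r["sla_hours"] or 10**9))


if __name__ == "__main__":
    for row in triage_all(INVENTORY, load_kev(KEV_JSON)):
        print(row)
```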
Researchers Share Some Exploit Info on Cisco WLC Bug
A write-up made public by Horizon3 doesn’t share a complete exploit, but it is close enough for the gaps to be filled in. The bug, tracked as CVE-2025-20188, allows an adversary to take over devices. We’ll see if this one gets exploited.
Nation State Actors Abusing Known Bugs for Initial Access
A Chinese-backed threat group, Earth Lamia, is going after known bugs, dropping a backdoor, and exfiltrating data. In addition, typical lateral movement is employed. The lesson here: attack surface and threat exposure management minimize the impact of this behavior. Yesterday’s nation state attack is tomorrow’s commodity attack.
https://www.darkreading.com/threat-intelligence/earth-lamia-exploits-sql-rce-bugs-asia
https://www.trendmicro.com/en_us/research/25/e/earth-lamia.html
ClickFix Technique Used to Deploy EDDIESTEALER
Designed to bypass Chrome’s App-Bound Encryption to steal browser data, this is one of a growing line of infostealers. The malware is Rust-based and a commodity stealer. Social engineering via ClickFix is still growing in adoption.
https://thehackernews.com/2025/05/eddiestealer-malware-uses-clickfix.html
https://www.elastic.co/security-labs/eddiestealer
PumaBot Targets SSH Credentials on IoT Devices
It goes after Internet-exposed devices such as IP cameras and network video recorders. Do we really need to expose these devices to the Internet? Architecture and zero trust network access would go a long way to minimize this attack vector.
https://www.csoonline.com/article/3999154/novel-pumabot-slips-into-iot-surveillance-with-stealthy-ssh-break-ins.html
https://www.darktrace.com/blog/pumabot-novel-botnet-targeting-iot-surveillance-devices
Google App Scripts Abused by Threat Actors
This is typical behavior now: the use of trusted brands to appear legitimate. Since the website is hosted on Google, the threat actor is betting the target will trust the content in the phishing email. It is more difficult to detect as well.
https://cofense.com/blog/behind-the-script-unmasking-phishing-attacks-using-google-apps-script
Stealthy Communications via Google Calendar
Chinese nation state threat actors used encrypted messages within hard-coded calendar events for command and control. Again, legit services used for malicious purposes. Stealthy, very tough to detect. We will see more of this type of activity; it works.
https://cloud.google.com/blog/topics/threat-intelligence/apt41-innovative-tactics/
New NodeSnake RAT Deployed by Interlock Ransomware Gang
Interlock doesn’t appear to use the as-a-Service model. This is a new tool that looks to be actively developed. It’s interesting to see ransomware gangs creating their own tools and buying zero-day exploits. Many long-running ransomware gangs and affiliates have resources approaching those of nation states after years of extortion payouts.
https://www.quorumcyber.com/wp-content/uploads/2025/04/20250416-Higher-Education-Sector-RAT-MP.pdf
Over-privileged OAuth Permissions Could Lead to OneDrive Access
Researchers find that Microsoft’s File Picker tool, used for OneDrive access from various applications via OAuth, requests over-privileged permissions. This is one to keep an eye on; even spot check some of your applications and their permissions.
https://www.oasis.security/blog/onedrive-file-picker-security-flaw-oasis-research
https://pages.oasis.security/rs/106-PZV-596/images/onedrive-file-access-warning.pdf
CISA Shares SIEM and SOAR Guidance
It’s always nice to have some guidance on implementing security controls. Hopefully you can get a few nuggets from this guidance.
https://www.cisa.gov/resources-tools/resources/guidance-siem-and-soar-implementation
Coordinated Scanning Event Observed by GreyNoise
This one is interesting and often a precursor to attacks. There were 251 malicious IPs hosted by Amazon used in this coordinated scan, which happened in one day. GreyNoise observed 75 behaviors, including older bug exploits, recon and enumeration, and misconfiguration probes.
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter