
Cyber Threat Weekly – #81

Derek Krein
4 min read

The week of June 2nd through June 8th, about 378 cyber news articles were reviewed.  A light amount of cyber threat trends and adversarial behavior news to share.  Been thinkin about identity and access management.

The trend continues to point to valid credentials as a major attack vector.  Whether for initial access or lateral movement, credentials are heavily targeted.  Are we doing everything we can to protect identities from the adversary?

Let’s start with another week of NPM / PyPI packages being targeted.  Prolific ClickFix social engineering attacks continue.  The NCSC shares some culture principles we all can apply.  The Cyble Ransomware Report January to April 2025.

CISA updates the Play Ransomware advisory.  Salesforce data targeted by cybercriminals.  Rapid7 Q1 2025 Incident Response Findings.


Broken Record Alert: Don’t get pwned by N-day vulnerabilities!!!

Known exploited software flaws are one of the top 4 initial access vectors and have increased sharply in recent months.  We continue to share n-day vulnerabilities being actively exploited.  Priority #1, start with the CISA / VulnCheck known exploited vulnerability (KEV) catalogs.  If it’s in the catalog, it should be patched.

A close #2 priority is flaws with weaponized proof of concept (PoC) code available.  Exploitation is more likely once weaponized PoC code is public.  If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are actively exploited or have weaponized PoC code available.

You should consider what is exposed to the Internet.  Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices and services exposed to the Internet.
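To make the prioritization above concrete, here is an added example (not code from the newsletter) that triages a CVE inventory the way the text recommends: anything in the CISA KEV catalog is priority 1, anything with weaponized PoC code is priority 2, and both get a 48-hour emergency patch deadline.  The KEV excerpt, the asset inventory and the weaponized-PoC flags are constructed for the example; the excerpt only mirrors the field names of CISA’s public known_exploited_vulnerabilities.json feed.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed excerpt in the shape of CISA's KEV JSON feed (not the live catalog).
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-5419", "vendorProject": "Google", "product": "Chromium V8",
     "dateAdded": "2025-06-05", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-3935", "vendorProject": "ConnectWise", "product": "ScreenConnect",
     "dateAdded": "2025-06-02", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed asset inventory: CVE -> asset and whether our own intel says
# weaponized PoC code exists (the flag is an assumption, not sourced data).
INVENTORY = {
    "CVE-2025-5419": {"asset": "workstations", "weaponized_poc": False},
    "CVE-2025-3935": {"asset": "screenconnect-01", "weaponized_poc": True},
    "CVE-2024-58136": {"asset": "web-cms", "weaponized_poc": True},
    "CVE-0000-00000": {"asset": "lab-box", "weaponized_poc": False},  # placeholder id
}

EMERGENCY_WINDOW = timedelta(hours=48)  # the 24-to-48-hour process from the text

def load_kev(raw_json):
    """Return {cveID: entry} from a KEV-format JSON document."""
    return {v["cveID"]: v for v in json.loads(raw_json)["vulnerabilities"]}

def triage(inventory, kev, observed_at, now):
    """Assign priority tiers and flag tier 1/2 items past the emergency window."""
    results = []
    for cve, info in inventory.items():
        if cve in kev:
            priority = 1            # in the KEV catalog: patch, no debate
        elif info["weaponized_poc"]:
            priority = 2            # weaponized PoC public: treat as emergency too
        else:
            priority = 3            # normal patch cadence
        deadline = observed_at + EMERGENCY_WINDOW if priority < 3 else None
        results.append({"cve": cve, "asset": info["asset"], "priority": priority,
                        "deadline": deadline,
                        "overdue": deadline is not None and now > deadline})
    return sorted(results, key=lambda r: (r["priority"], r["cve"]))

def demo(hours_elapsed=60):
    """Triage the constructed data as seen hours_elapsed after first observation."""
    seen = datetime(2025, 6, 6, 9, 0, tzinfo=timezone.utc)
    return triage(INVENTORY, load_kev(KEV_SAMPLE), seen,
                  seen + timedelta(hours=hours_elapsed))

if __name__ == "__main__":
    for r in demo():
        print(r["priority"], r["cve"], r["asset"], "OVERDUE" if r["overdue"] else "")
```

In practice the live catalog would replace KEV_SAMPLE and the PoC flag would come from your own intel feed; the tiering and deadline logic stay the same.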


CISA Known Exploited Vulnerabilities – June 2nd to June 8th:

CVE-2021-32030 – ASUS Routers Improper Authentication Vulnerability:
Allows an attacker to gain unauthorized access to the administrative interface. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS).

CVE-2025-3935 – ConnectWise ScreenConnect Improper Authentication Vulnerability:
Could allow a ViewState code injection attack, which could allow remote code execution if machine keys are compromised.

CVE-2025-35939 – Craft CMS External Control of Assumed-Immutable Web Parameter Vulnerability:
Could allow an unauthenticated client to introduce arbitrary values, such as PHP code, to a known local file location on the server. This vulnerability could be chained with CVE-2024-58136.

CVE-2024-56145 – Craft CMS Code Injection Vulnerability:
Affected versions are vulnerable to remote code execution if their php.ini configuration has `register_argc_argv` enabled.

CVE-2023-39780 – ASUS RT-AX55 Routers OS Command Injection Vulnerability:
Could allow a remote, authenticated attacker to execute arbitrary commands.

CVE-2025-21479 – Qualcomm Multiple Chipsets Incorrect Authorization Vulnerability:
Allows for memory corruption due to unauthorized command execution in the GPU micronode while executing a specific sequence of commands.

CVE-2025-21480 – Qualcomm Multiple Chipsets Incorrect Authorization Vulnerability:
Allows for memory corruption due to unauthorized command execution in the GPU micronode while executing a specific sequence of commands.

CVE-2025-27038 – Qualcomm Multiple Chipsets Use-After-Free Vulnerability:
Allows for memory corruption while rendering graphics using Adreno GPU drivers in Chrome.

CVE-2025-5419 – Google Chromium V8 Out-of-Bounds Read and Write Vulnerability:
Could allow a remote attacker to potentially exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium.


Supply Chain Attacks on NPM / PyPI Ecosystems

These attacks have been ongoing and will most likely continue for the long term.  Plain and simple, they work and are hard to detect.  Threat actors are going to keep doing what works and iterate on those concepts.

https://thehackernews.com/2025/06/new-supply-chain-malware-operation-hits.html

https://www.aikido.dev/blog/supply-chain-attack-on-react-native-aria-ecosystem

https://socket.dev/blog/destructive-npm-packages-enable-remote-system-wipe

https://socket.dev/blog/pypi-package-disguised-as-instagram-growth-tool-harvests-user-credentials

https://www.bleepingcomputer.com/news/security/supply-chain-attack-hits-gluestack-npm-packages-with-960k-weekly-downloads/

https://www.bleepingcomputer.com/news/security/malicious-npm-packages-posing-as-utilities-delete-project-directories/

https://thehackernews.com/2025/06/malicious-pypi-npm-and-ruby-packages.html


ClickFix Social Engineering Continues to Work

Almost every week, new ClickFix campaigns are shared.  Several campaigns are being tracked; the lures and payloads vary, but the tactic is basically the same.  The velocity of these campaigns is increasing, as are the variations.

https://www.darkreading.com/remote-workforce/cutting-edge-clickfix-snowball-phishing

https://slashnext.com/blog/decoding-clickfix-lessons-from-the-latest-browser-based-phish/

https://www.darktrace.com/blog/unpacking-clickfix-darktraces-detection-of-a-prolific-social-engineering-tactic

https://cofense.com/blog/clickfix-campaign-spoofs-booking-com-for-malware-delivery

https://thehackernews.com/2025/06/new-atomic-macos-stealer-campaign.html


National Cyber Security Centre (NCSC) Cybersecurity Culture Principles

Some security culture principles everyone should consider.  Minimizing financial risk is huge, and a good security culture can go a long way towards that goal.  While not threat-related, this is practical guidance that can go a long way towards defending.

https://thecyberexpress.com/ncscs-announces-six-principles/

https://www.ncsc.gov.uk/collection/cyber-security-culture-principles


Cyble Ransomware Report January to April 2025

Correlating reports is a good way to keep up with the threat landscape; similar findings from multiple vendors tell the real story.  This report provides a good overview of observations for the first four months of this year.

https://hs-21289959.f.hubspotemail.net/hub/21289959/hubfs/Ransomware%20Report%20JAN-APR%203.pdf


Play Ransomware Advisory – FBI / CISA / ASD’s ACSC

This is an update to an existing advisory.  This gang is becoming very prolific and was among the most active ransomware groups in 2024, with around 900 victim organizations.  New TTPs and IoCs are shared in the advisory.

https://therecord.media/play-ransomware-gang-fbi-update-900-attacks

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-352a


Cybercriminals Going After Salesforce Data

The loose-knit group of native English speakers known as ‘The Com’ has been using social engineering to gain access to victims’ Salesforce data.  This group focuses on the Data Loader tool; once access is gained, data is stolen and the victim extorted.

https://therecord.media/google-warns-cybercriminals-targeting-salesforce-apps

https://cloud.google.com/blog/topics/threat-intelligence/voice-phishing-data-extortion

https://www.salesforce.com/blog/protect-against-social-engineering/


Rapid7 Q1 2025 Incident Response Findings

No real surprise: valid accounts / no MFA topped initial access at 56%.  Next up for initial access were software bugs and brute forcing, at 13% each.  The top malware observed was BunnyLoader, and the top industry targeted was manufacturing.

https://www.rapid7.com/blog/post/2025/06/04/rapid7-q1-2025-incident-response-findings/

