
Cyber Threat Weekly – #82

Derek Krein

The week of June 9th through June 15th, about 361 cyber news articles were reviewed.  A light amount of cyber threat trends and adversarial behavior news to share.  Been thinkin about threat exposure management, the new vulnerability management. 

Let’s define vulnerable: open to attack or damage.  For decades vulnerabilities have been thought of as software bugs.  The last ten or so years we have seen attackers take advantage of misconfigurations, legit software and services, human error, lack of visibility, credentials, and a ton more.  We have more vulnerabilities than just software bugs.

Let’s start with Internet-facing Grafana instances exposed to an account takeover flaw.  SimpleHelp RMM has been targeted in ransomware attacks since January.  A unique abuse of expired Discord invites leads to ClickFix social engineering attacks.

Researchers observe massive JavaScript malware injection campaign.  Brute-force attacks continue targeting Internet exposed services.  Social engineering, impersonating job seekers targeting recruiters and HR departments.


Broken Record Alert: Don’t get pwned by N-day vulnerabilities!!!

Known exploited software flaws are one of the top 4 initial access vectors and have increased sharply in recent months.  We continue to share n-day vulnerabilities being actively exploited.  Priority #1, start with the CISA / VulnCheck known exploited vulnerability (KEV) catalogs.  If it’s in the catalog, it should be patched.

A close #2 priority is flaws with weaponized proof of concept (PoC) code available.  Exploitation is more likely once weaponized PoC code is public.  If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are actively exploited or have weaponized PoC code available.

You should consider what is exposed to the Internet.  Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices and services exposed to the Internet.
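The triage order described above (KEV catalog first, weaponized PoC second, an emergency window for both, Internet-exposed assets ahead of internal ones) as an added Python example; this is not the newsletter's own tooling. It assumes a constructed feed in the shape of CISA's KEV JSON, a constructed list of scanner findings, and an assumed 30-day routine cycle for everything else.

```python
import json
from datetime import datetime, timedelta

# Constructed sample in the shape of CISA's KEV JSON feed (field names match the
# real feed; the entries are a hand-picked subset, not the live catalog).
KEV_FEED_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-57727", "product": "SimpleHelp", "dateAdded": "2025-02-13",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2025-32433", "product": "Erlang/OTP", "dateAdded": "2025-06-09",
     "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed scanner output; CVE-0000-* ids are placeholders, not real CVEs.
FINDINGS = [
    {"cve": "CVE-0000-0002", "host": "intranet-03", "internet_exposed": False, "weaponized_poc": False},
    {"cve": "CVE-2025-32433", "host": "ssh-gw-02", "internet_exposed": False, "weaponized_poc": True},
    {"cve": "CVE-0000-0001", "host": "lab-07", "internet_exposed": True, "weaponized_poc": True},
    {"cve": "CVE-2024-57727", "host": "rmm-01", "internet_exposed": True, "weaponized_poc": True},
]

EMERGENCY_WINDOW = timedelta(hours=48)   # outer bound of the 24-to-48-hour process
NORMAL_WINDOW = timedelta(days=30)       # assumed routine patch cycle, not from the newsletter
NOW = datetime(2025, 6, 16, 9, 0)        # constructed run time: the Monday after this issue's week

def load_kev(feed_json):
    """Index the KEV feed by CVE id for constant-time lookups."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}

def triage(findings, kev, now):
    """Rank findings: tier 1 = in KEV, tier 2 = weaponized PoC public, tier 3 = the rest.
    Tiers 1 and 2 get the emergency deadline; Internet-exposed hosts sort first within a tier."""
    ranked = []
    for f in findings:
        entry = kev.get(f["cve"])
        if entry is not None:
            ransom = entry.get("knownRansomwareCampaignUse") == "Known"
            tier, reason = 1, "CISA KEV" + (" (ransomware use)" if ransom else "")
        elif f["weaponized_poc"]:
            tier, reason = 2, "weaponized PoC available"
        else:
            tier, reason = 3, "normal patch cycle"
        window = EMERGENCY_WINDOW if tier < 3 else NORMAL_WINDOW
        ranked.append({**f, "tier": tier, "reason": reason, "deadline": now + window})
    ranked.sort(key=lambda r: (r["tier"], not r["internet_exposed"], r["host"]))
    return ranked

if __name__ == "__main__":
    for r in triage(FINDINGS, load_kev(KEV_FEED_SAMPLE), NOW):
        print(f"tier {r['tier']}  {r['cve']:<15} {r['host']:<12} due {r['deadline']:%Y-%m-%d %H:%M}  {r['reason']}")
```

Swap `KEV_FEED_SAMPLE` for the downloaded feed and `FINDINGS` for your scanner export to get a ranked worklist instead of the constructed one.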


CISA Known Exploited Vulnerabilities – June 9th to June 15th:

CVE-2024-42009 – RoundCube Webmail Cross-Site Scripting Vulnerability:
Could allow a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php.

CVE-2025-32433 – Erlang Erlang/OTP SSH Server Missing Authentication for Critical Function Vulnerability:
Could allow an attacker to execute arbitrary commands without valid credentials, potentially leading to unauthenticated remote code execution (RCE).  This vulnerability could affect various products that implement Erlang/OTP SSH server, including—but not limited to—Cisco, NetApp, and SUSE.

CVE-2025-33053 – Web Distributed Authoring and Versioning (WebDAV) External Control of File Name or Path Vulnerability:
Could allow an unauthorized attacker to execute code over a network. This vulnerability could affect various products that implement WebDAV, including but not limited to Microsoft Windows.

CVE-2025-24016 – Wazuh Server Deserialization of Untrusted Data Vulnerability:
Allows for remote code execution on Wazuh servers.


Account Takeover Flaw in Internet-Facing Grafana Instances

The big question: why are these instances exposed to the Internet?  There is very little that needs direct Internet access anymore.  With architecture, DMZs, extranets, and zero-trust network access, minimizing exposed assets is very doable.

https://www.bleepingcomputer.com/news/security/over-46-000-grafana-instances-exposed-to-account-takeover-bug/


CISA – Ransomware Attacks Against SimpleHelp RMM Tool

A new advisory covers ransomware threat actors exploiting CVE-2024-57727, a bug in the SimpleHelp remote monitoring and management (RMM) tool.  The bug was disclosed and fixed in early January 2025.  This activity stresses the importance of patching actively exploited bugs as quickly as possible.

https://www.darkreading.com/cyberattacks-data-breaches/cisa-ransomware-attacks-simplehelp-rmm

https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-163a


Threat Actors Find Certain Discord Invites are Reusable

A Discord bug allows threat actors to reuse older and deleted ‘level 3’ invites in a behavior similar to vendor email compromise.  Sending these old invites to victims leads to a verification process and finally a ClickFix style attack.  Using legitimate services adds legitimacy to the campaign.

https://www.bleepingcomputer.com/news/security/discord-flaw-lets-hackers-reuse-expired-invites-in-malware-campaign/

https://research.checkpoint.com/2025/from-trust-to-threat-hijacked-discord-invites-used-for-multi-stage-malware-delivery/


JavaScript Malware Injection Campaign, over 269,000 Websites

The campaign is called JSFireTruck in reference to JSFuck, a programming style that uses only six characters to write and execute code.  The code is heavily obfuscated, making the malware stealthy.  The malware is delivered through HelloTDS, a traffic distribution service.

https://thehackernews.com/2025/06/over-269000-websites-infected-with.html

https://jsfuck.com/

https://unit42.paloaltonetworks.com/malicious-javascript-using-jsfiretruck-as-obfuscation/


Brute-Force Attacks Continue Against Internet Facing Targets

Starting with Apache Tomcat Manager interfaces, which should not be exposed online: a coordinated brute-force campaign was observed.  Another campaign abusing a pentest framework to password-spray Entra ID accounts was also observed.  Opportunistic brute-force targeting of Internet-exposed systems is ongoing.  Question everything you have exposed to the Internet; does it really need to be exposed?

https://www.bleepingcomputer.com/news/security/brute-force-attacks-target-apache-tomcat-management-panels/

https://www.greynoise.io/blog/coordinated-brute-force-activity-targeting-apache-tomcat-manager

https://www.proofpoint.com/us/blog/threat-insight/attackers-unleash-teamfiltration-account-takeover-campaign


Fake Job Seekers Target Recruiters and HR Departments

In a social engineering attack, FIN6, a notorious financially motivated threat group, contacts recruiters and builds rapport.  The use of fake job seeker personas keeps them stealthy.  An email is sent to the recruiter with non-clickable links to fly under the radar; victims must type them in.

https://www.bleepingcomputer.com/news/security/fin6-hackers-pose-as-job-seekers-to-backdoor-recruiters-devices/

https://dti.domaintools.com/Skeleton-Spider-Trusted-Cloud-Malware-Delivery/

