
Cyber Threat Weekly – #84

Derek Krein

The week of June 23rd through June 29th, roughly 381 cyber news articles were reviewed.  A light-ish amount of cyber threat trends and adversarial behavior news to share.  Been thinking about social engineering and hacking the human.

Once mainly the province of nation-state threat actors, social engineering has become the go-to in many attack campaigns: email bombing followed by a call posing as the help desk, calling the help desk as a C-suite executive to get a password reset, ClickFix, typosquatting, MFA bombing, SIM swapping, and more.  Social engineering and the creative ways to abuse it continue to be prolific.

Let’s start with a crazy Scattered Spider attack.  CitrixBleed2 bug possibly exploited.  Non-human identities and agentic AI.  Direct Send feature in Microsoft 365 abused.  ESET Threat Report H1 2025.  A sign of what’s to come with an AI bot.

Threat actors abusing Authenticode signatures in ConnectWise ScreenConnect. Researchers share Iran threat brief.  New ransomware group Dire Wolf emerges. Scanning for MOVEit Transfer spiked beginning May 27, 2025.


Broken Record Alert: Don’t get pwned by N-day vulnerabilities!!!

Known exploited software flaws are one of the top four initial access vectors, and their use has increased sharply in recent months.  We continue to share n-day vulnerabilities being actively exploited.  Priority #1: start with the CISA and VulnCheck known exploited vulnerability (KEV) catalogs.  If it’s in a catalog, it should be patched.

A close #2 priority is flaws with weaponized proof-of-concept (PoC) code available; the chance of exploitation rises sharply once a working PoC is public.  If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are actively exploited or have weaponized PoC code available.

Also consider what is exposed to the Internet.  Architecture choices and zero trust network access (ZTNA) go a long way toward minimizing the number of devices and services exposed to the Internet, which shrinks the list that needs the emergency process in the first place.
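The two-tier rule above is easy to turn into a triage script.  What follows is an added example, not code from the newsletter or from CISA: it ranks scanner findings so that anything in a KEV catalog is priority 1, anything with public weaponized PoC code is priority 2, and the rest falls into the normal cycle ordered by Internet exposure and CVSS.  The KEV extract mirrors the shape of CISA’s known_exploited_vulnerabilities.json but is a constructed three-entry sample built from the CVEs listed above; the asset names, the SLA hours and the dummy CVE-0000-0000 placeholder are assumptions.

```python
"""Patch-priority triage: KEV first, weaponized PoC second, then the rest.

Added example (not from the newsletter or CISA). KEV_JSON is a constructed
extract in the shape of CISA's known_exploited_vulnerabilities.json; the
findings, asset names and SLAs below are assumptions for illustration.
"""
import json
from dataclasses import dataclass

KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2019-6693", "vendorProject": "Fortinet", "product": "FortiOS"},
    {"cveID": "CVE-2024-0769", "vendorProject": "D-Link", "product": "DIR-859"},
    {"cveID": "CVE-2024-54085", "vendorProject": "AMI", "product": "MegaRAC SPx"},
]})


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    cvss: float
    internet_exposed: bool
    public_poc: bool          # weaponized / public PoC known to exist


# Constructed scanner output for a fictional estate.
FINDINGS = [
    Finding("CVE-2024-54085", "bmc-rack07", 10.0, False, True),
    Finding("CVE-2019-6693", "fw-edge-01", 6.5, True, False),
    Finding("CVE-2025-5777", "netscaler-gw", 9.3, True, True),    # PoC public, not in this KEV extract
    Finding("CVE-0000-0000", "intranet-wiki", 7.5, False, False),  # dummy ID, stands in for "no KEV, no PoC"
]

# Assumed SLAs: 24-48h emergency window for P1/P2, 30-day cycle otherwise.
SLA_HOURS = {1: 48, 2: 48, 3: 720}


def load_kev_ids(kev_json: str = KEV_JSON) -> set[str]:
    """Set of CVE IDs present in a KEV-shaped JSON document."""
    return {v["cveID"] for v in json.loads(kev_json)["vulnerabilities"]}


def priority(f: Finding, kev_ids: set[str]) -> int:
    if f.cve in kev_ids:
        return 1              # actively exploited: patch now
    if f.public_poc:
        return 2              # weaponized PoC: same emergency window
    return 3                  # normal patch cycle


def triage(findings=FINDINGS, kev_ids=None):
    """Return [(priority, sla_hours, finding)], most urgent first.

    Within a priority, Internet-exposed assets come before internal ones,
    then higher CVSS first.
    """
    kev_ids = load_kev_ids() if kev_ids is None else kev_ids
    ranked = []
    for f in findings:
        p = priority(f, kev_ids)
        ranked.append((p, SLA_HOURS[p], f))
    ranked.sort(key=lambda t: (t[0], not t[2].internet_exposed, -t[2].cvss))
    return ranked


if __name__ == "__main__":
    for p, sla, f in triage():
        print(f"P{p} {sla:>4}h  {f.cve:<15} {f.asset:<14} cvss={f.cvss} exposed={f.internet_exposed}")
```

Swap `KEV_JSON` for the real CISA feed (and VulnCheck’s, if you have access) and `FINDINGS` for your scanner export, and the ordering stays the same: the low-CVSS FortiOS finding on the edge firewall outranks a CVSS 10 BMC bug on an internal network because it is in KEV and Internet-facing.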


CISA Known Exploited Vulnerabilities – June 23rd to June 29th:

CVE-2019-6693 – Fortinet FortiOS Use of Hard-Coded Credentials Vulnerability:
Could allow an attacker to steal sensitive data in FortiOS configuration backup file via knowledge of the hard-coded key.

CVE-2024-0769 – D-Link DIR-859 Router Path Traversal Vulnerability:
Allows for the leakage of session data potentially enabling privilege escalation and unauthorized control of the device. This vulnerability affects legacy D-Link products.

CVE-2024-54085 – AMI MegaRAC SPx Authentication Bypass by Spoofing Vulnerability:
A successful exploitation of this vulnerability, affecting the Redfish Host Interface, may lead to a loss of confidentiality, integrity, and/or availability.


Identity, Social Engineering, and Scattered Spider

It’s no secret that Scattered Spider threat actors use social engineering to gain privileged access and then move laterally to their objectives.  This 4-day attack chain was deliberate and a sign of what’s to come from them and other threat actors: from initial access, to CyberArk vaults, to Azure, and more.  Stolen identities fuel the majority of attacks today.  Out-of-band communications are a must during a security incident; you never know how much access threat actors already have, including to your email and chat.

https://www.darkreading.com/cloud-security/scattered-spider-cfo-scorched-earth-attack

https://cyberscoop.com/scattered-spider-aviation-hawaiian-airlines-cyberattack/


Possible Exploitation of CitrixBleed2 Bug

Researchers are observing possible exploitation of CVE-2025-5777 (CitrixBleed 2), a memory over-read in NetScaler ADC and NetScaler Gateway rated critical (CVSS 4.0 score 9.3).  Leaked memory can contain session tokens, so attackers could hijack user sessions and bypass multi-factor authentication.  Patching alone is not enough: tokens stolen before the upgrade stay valid, so terminate all active ICA and PCoIP sessions after patching (Citrix’s advisory gives the NetScaler CLI commands kill icaconnection -all and kill pcoipConnection -all).

https://www.bleepingcomputer.com/news/security/citrix-bleed-2-flaw-now-believed-to-be-exploited-in-attacks/

https://doublepulsar.com/citrixbleed-2-electric-boogaloo-cve-2025-5777-c7f5e349d206

https://reliaquest.com/blog/threat-spotlight-citrix-bleed-2-vulnerability-in-netscaler-adc-gateway-devices/


Securing Non-Human Identities and Agentic AI

While not a specific threat trend or adversarial behavior, this article explores a growing attack surface.  Non-human identities (service accounts, API keys, tokens, workload identities) often fly under the radar and are routinely abused by threat actors.  Agentic AI adds a whole new layer of complexity, since agents act with whatever identities and permissions they are handed.  Strong identity governance for non-human identities is crucial before moving forward with agentic AI.

https://www.darkreading.com/cybersecurity-operations/taming-agentic-ai-risks-securing-nhi


Threat Actors Abuse Microsoft 365 Direct Send Feature

Direct Send is a known security risk because it requires no authentication.  It lets on-prem devices such as printers and scanners send mail to a tenant’s own users through the tenant’s smart host (the MX endpoint at tenant-name.mail.protection.outlook.com).  Attackers abuse it to deliver messages that look internal, with a spoofed internal sender address, while they actually originate from external IP addresses.

https://www.bleepingcomputer.com/news/security/microsoft-365-direct-send-abused-to-send-phishing-as-internal-users/

https://www.varonis.com/blog/direct-send-exploit

https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/how-to-set-up-a-multifunction-device-or-application-to-send-email-using-microsoft-365-or-office-365#direct-send-send-mail-directly-from-your-device-or-application-to-microsoft-365-or-office-365
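The abuse pattern is easy to hunt for in message trace data: the sender domain is one of your own accepted domains, the connecting IP is not one of your known on-prem senders, and SPF does not pass.  The script below is an added example, not code from the newsletter, Varonis or Microsoft; the tenant domains, the known sender range and the message records are constructed sample data in the shape of Get-MessageTrace output joined with the SPF verdict from the Authentication-Results header.

```python
"""Flag likely Direct Send spoofing in message-trace style records.

Added example (not from the newsletter, Varonis or Microsoft). All domains,
IP ranges and records below are constructed sample data.
"""
import ipaddress

# Assumed tenant facts (constructed).
ACCEPTED_DOMAINS = {"example.com", "corp.example.com"}
# Egress ranges of printers/apps that legitimately use Direct Send (constructed).
KNOWN_SENDER_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed records: Get-MessageTrace fields plus the SPF result parsed from
# the Authentication-Results header of the delivered message.
RECORDS = [
    {"MessageId": "<m1@example.com>", "SenderAddress": "ceo@example.com",
     "RecipientAddress": "finance@example.com", "FromIP": "203.0.113.25", "spf": "pass"},
    {"MessageId": "<m2@example.com>", "SenderAddress": "helpdesk@example.com",
     "RecipientAddress": "staff@example.com", "FromIP": "198.51.100.77", "spf": "fail"},
    {"MessageId": "<m3@partner.example.net>", "SenderAddress": "billing@partner.example.net",
     "RecipientAddress": "ap@example.com", "FromIP": "198.51.100.80", "spf": "pass"},
    {"MessageId": "<m4@example.com>", "SenderAddress": "it@corp.example.com",
     "RecipientAddress": "all@example.com", "FromIP": "192.0.2.9", "spf": "none"},
]


def is_known_sender(ip: str) -> bool:
    """True when the connecting IP belongs to one of our own egress ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_SENDER_NETS)


def looks_like_direct_send_spoof(rec: dict) -> bool:
    """Internal sender domain + unknown external IP + SPF not passing."""
    sender_domain = rec["SenderAddress"].rsplit("@", 1)[-1].lower()
    if sender_domain not in ACCEPTED_DOMAINS:
        return False          # genuinely external sender: ordinary inbound mail
    if is_known_sender(rec["FromIP"]):
        return False          # our own printer/app relaying via Direct Send
    return rec["spf"] != "pass"


def flag_direct_send_spoofs(records=RECORDS) -> list[str]:
    """Message IDs worth pulling for review."""
    return [r["MessageId"] for r in records if looks_like_direct_send_spoof(r)]


if __name__ == "__main__":
    for mid in flag_direct_send_spoofs():
        print("possible Direct Send spoof:", mid)
```

m2 and m4 are flagged (internal sender, unknown IP, SPF fail/none); m1 is a legitimate device on the known egress range and m3 is normal external mail.  Pair the hunt with the fix: move legitimate devices to authenticated SMTP submission or an inbound connector, then turn on the Reject Direct Send organization setting Microsoft added to Exchange Online (Set-OrganizationConfig -RejectDirectSend $true), and keep a mail-flow rule that quarantines mail from your own domains that fails SPF and did not arrive through a known connector.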


ESET Threat Report H1 2025

Sharing some trends: ESET saw ClickFix grow 517% between H2 2024 and H1 2025.  Android NFC scams grew 35x in H1 2025, although the overall numbers are still relatively low.  The ransomware landscape is in constant flux, and the battle continues.

https://www.infosecurity-magazine.com/news/clickfix-attacks-surge-2025/

https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-threat-report-h12025.pdf


Pen Tester AI Bot is Crushing it

AI technology is growing at an incredible clip.  That’s good news and bad news.  Hopefully we see AI used to augment humans, keeping the human in the loop and getting the most out of both.  That said, this AI bot sits at the top of the US HackerOne leaderboard with over 1,000 vulnerabilities reported.

https://www.csoonline.com/article/4012801/the-top-red-teamer-in-the-us-is-an-ai-bot.html

https://www.csoonline.com/article/4012831/crowdstrike-is-cutting-jobs-in-favor-of-ai-heres-why-you-shouldnt.html

https://www.cybersecuritydive.com/news/artificial-intelligence-security-spending-reports/751685/


Authenticode Signature Settings Abused by Threat Actors

ConnectWise’s ScreenConnect remote monitoring and management installer can be customized with the remote server address, logos, etc.  That customization is stored inside the installer’s Authenticode certificate table, a technique called authenticode stuffing, and threat actors used the same trick to insert their own configuration into legitimately signed installers.  Because the Authenticode hash does not cover the certificate table, the modified binaries remain validly signed.

https://www.bleepingcomputer.com/news/security/hackers-turn-screenconnect-into-malware-using-authenticode-stuffing/

https://www.gdatasoftware.com/blog/2025/06/38218-connectwise-abuse-malware
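The reason the signature survives is worth seeing in bytes.  The Authenticode hash skips the security directory, and unless Windows’ opt-in padding check (EnableCertPaddingCheck, the CVE-2013-3900 hardening) is enabled, anything that follows the DER-encoded PKCS#7 SignedData inside a WIN_CERTIFICATE entry is ignored by verification.  The script below is an added example, not code from G DATA, ConnectWise or the newsletter: it builds a minimal PE32+ image with a stand-in signature (a constructed DER SEQUENCE, not a real PKCS#7), optionally appends extra data after it the way stuffing does, and then parses the security directory and reports anything found after the DER element.  The assumption that the stuffed data sits after the PKCS#7 blob is the classic CVE-2013-3900 layout; the header offsets are from the PE format itself.

```python
"""Detect data stuffed after the PKCS#7 blob in a PE file's certificate table.

Added example (not from G DATA, ConnectWise or the newsletter). The PE image
and its "signature" are constructed stand-ins so the script runs offline.
"""
import struct


def _der_sequence(body: bytes) -> bytes:
    # Long-form two-byte length, like a real SignedData container.
    return b"\x30\x82" + struct.pack(">H", len(body)) + body


def build_signed_pe(extra: bytes = b"") -> bytes:
    """Minimal PE32+ whose security directory holds one WIN_CERTIFICATE.

    `extra` is appended after the stand-in PKCS#7, which is where stuffed
    data lands (assumption: CVE-2013-3900 style trailing bytes).
    """
    fake_pkcs7 = _der_sequence(b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02" + b"\x00" * 20)
    cert = fake_pkcs7 + extra
    padded = (len(cert) + 7) & ~7                        # entries are 8-byte aligned
    win_cert = struct.pack("<IHH", 8 + padded, 0x0200, 0x0002) + cert.ljust(padded, b"\x00")
    cert_off = 64 + 24 + 240                             # DOS hdr + PE sig/COFF + optional hdr
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64)   # e_lfanew = 64
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                 # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 4 * 8, cert_off, len(win_cert))  # IMAGE_DIRECTORY_ENTRY_SECURITY
    return dos + coff + bytes(opt) + win_cert


def _der_element_length(buf: bytes) -> int:
    """Total length (tag + length bytes + content) of the DER SEQUENCE at buf[0]."""
    if len(buf) < 2 or buf[0] != 0x30:
        raise ValueError("certificate entry does not start with a DER SEQUENCE")
    first = buf[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def security_directory(pe: bytes) -> tuple[int, int]:
    """(file offset, size) of the certificate table from the optional header."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 24
    magic, = struct.unpack_from("<H", pe, opt)
    dirs = opt + (112 if magic == 0x20B else 96)          # PE32+ vs PE32 data-directory offset
    return struct.unpack_from("<II", pe, dirs + 4 * 8)


def find_stuffed_data(pe: bytes) -> list[bytes]:
    """Non-padding bytes between the end of each PKCS#7 blob and the end of its entry."""
    off, size = security_directory(pe)
    end, found = off + size, []
    while off + 8 <= end:
        length, _rev, ctype = struct.unpack_from("<IHH", pe, off)
        blob = pe[off + 8: off + length]
        if ctype == 0x0002:                                # WIN_CERT_TYPE_PKCS_SIGNED_DATA
            trailing = blob[_der_element_length(blob):]
            if trailing.strip(b"\x00"):                    # pure zero bytes are alignment padding
                found.append(trailing.rstrip(b"\x00"))     # note: drops trailing NULs of the payload too
        off += (length + 7) & ~7
    return found


if __name__ == "__main__":
    print("clean:", find_stuffed_data(build_signed_pe()))
    print("stuffed:", find_stuffed_data(build_signed_pe(b'{"server":"relay.example.test"}')))
```

Point `find_stuffed_data` at the bytes of a real installer instead of `build_signed_pe` and a legitimately customized ScreenConnect build will be flagged as well; that is the useful part, because the trailing blob is where the remote server address lives, so you can see where a suspicious installer phones home before anyone runs it.  On the Windows side, the EnableCertPaddingCheck registry value under HKLM\Software\Microsoft\Cryptography\Wintrust\Config (and the Wow6432Node copy) makes WinVerifyTrust reject such binaries outright, at the cost of breaking any software that relies on the trick.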


Iran Threat Brief – Unit 42

Researchers share an overview of observed Iranian threat activity over the last two years.  Espionage and disruption are the typical objectives.  Around 120 hacktivist groups are reportedly active; DDoS and destructive attacks are the most commonly reported.

https://unit42.paloaltonetworks.com/iranian-cyberattacks-2025/


New Ransomware Group Dire Wolf has 16 Victims Already

Emerging last month, this new ransomware group is on a tear.  Little is known about the group; its leak site states it is financially motivated and holds no political stance.  Researchers analyzed a sample of its encryptor.

https://www.darkreading.com/threat-intelligence/dire-wolf-ransomware-manufacturing-technology

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/dire-wolf-strikes-new-ransomware-group-targeting-global-sectors/


MOVEit Transfer Possibly Targeted, Spiked Scanning Activity

GreyNoise has observed a large and sustained spike in MOVEit Transfer scanning activity starting May 27, 2025.  Baseline scanning is typically fewer than 10 unique IPs a day.  The initial spike was over 100 IPs, followed by 319 the next day, and sustained scanning has run between 200 and 300 IPs a day since.  This pattern often corresponds to new bugs emerging, so treat any Internet-exposed MOVEit Transfer instance accordingly.

https://www.greynoise.io/blog/surge-moveit-transfer-scanning-activity
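The same spike pattern is visible in your own edge logs if you count distinct source IPs per day that touch MOVEit Transfer endpoints.  The script below is an added example, not code from GreyNoise or the newsletter: it parses Apache common log format, counts unique IPs per day against a short list of MOVEit Transfer paths, and flags days that jump well above the median of the prior days.  The log lines are constructed sample data, and the path list, ratio and floor are assumptions to tune for your environment.

```python
"""Spot a MOVEit Transfer scanning spike in web server logs.

Added example (not from GreyNoise or the newsletter). SAMPLE_LOG is
constructed data; MOVEIT_PATHS, ratio and floor are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Paths a MOVEit Transfer scanner is likely to probe (assumed list; extend it).
MOVEIT_PATHS = ("/human.aspx", "/moveitisapi/moveitisapi.dll", "/api/v1/")
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>\d{2}/\w{3}/\d{4}):[^\]]*\] "(?P<method>\S+) (?P<path>\S+)'
)

# Constructed sample: three quiet days, then a burst of new sources on the 27th.
SAMPLE_LOG = """\
198.51.100.10 - - [24/May/2025:08:12:01 +0000] "GET /human.aspx HTTP/1.1" 200 5120
198.51.100.11 - - [24/May/2025:09:40:13 +0000] "POST /moveitisapi/moveitisapi.dll HTTP/1.1" 200 310
198.51.100.10 - - [25/May/2025:08:15:44 +0000] "GET /human.aspx HTTP/1.1" 200 5120
198.51.100.12 - - [26/May/2025:11:02:09 +0000] "GET /human.aspx HTTP/1.1" 200 5120
198.51.100.13 - - [26/May/2025:17:30:51 +0000] "GET /human.aspx HTTP/1.1" 200 5120
203.0.113.1 - - [27/May/2025:00:01:05 +0000] "GET /human.aspx HTTP/1.1" 200 5120
203.0.113.2 - - [27/May/2025:00:01:09 +0000] "GET /human.aspx HTTP/1.1" 200 5120
203.0.113.3 - - [27/May/2025:00:02:17 +0000] "GET /moveitisapi/moveitisapi.dll HTTP/1.1" 404 210
203.0.113.4 - - [27/May/2025:00:03:22 +0000] "GET /human.aspx HTTP/1.1" 200 5120
203.0.113.5 - - [27/May/2025:00:04:41 +0000] "GET /human.aspx HTTP/1.1" 200 5120
203.0.113.6 - - [27/May/2025:00:05:58 +0000] "GET /api/v1/token HTTP/1.1" 405 120
203.0.113.7 - - [27/May/2025:00:07:03 +0000] "GET /human.aspx HTTP/1.1" 200 5120
203.0.113.8 - - [27/May/2025:00:08:30 +0000] "GET /index.html HTTP/1.1" 404 210
"""


def distinct_ips_per_day(log_text: str) -> dict[str, int]:
    """Unique source IPs per day that requested a MOVEit Transfer path."""
    per_day = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["path"].lower().startswith(MOVEIT_PATHS):
            per_day[m["day"]].add(m["ip"])
    return {day: len(ips) for day, ips in per_day.items()}


def spike_days(log_text: str, ratio: float = 3.0, floor: int = 5) -> list[str]:
    """Days whose count exceeds max(floor, ratio * median of all prior days)."""
    counts = distinct_ips_per_day(log_text)
    days = sorted(counts, key=lambda d: datetime.strptime(d, "%d/%b/%Y"))
    spikes = []
    for i, day in enumerate(days[1:], start=1):
        prior = [counts[d] for d in days[:i]]
        threshold = max(floor, ratio * median(prior))
        if counts[day] > threshold:
            spikes.append(day)
    return spikes


if __name__ == "__main__":
    print(distinct_ips_per_day(SAMPLE_LOG))
    print("spike days:", spike_days(SAMPLE_LOG))
```

On the sample the 27th is flagged (7 new sources against a prior median of 2), and the /index.html request from an eighth IP is ignored because it is not a MOVEit path.  Feed it a real access log and compare the flagged days with the GreyNoise timeline; a burst of unfamiliar sources hitting /human.aspx is a cue to check for a pending advisory and to pull the instance behind a VPN or ZTNA gateway if it does not need to be public.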

