Weekly Threat Landscape Digest – Week 5

HawkEye CSOC Bahrain

This week’s digest emphasizes the growing need for vigilance in cybersecurity as digital threats continue to evolve. Organizations must stay ahead by strengthening defenses, implementing timely security updates, and enhancing threat detection capabilities. The rise of sophisticated attack methods underscores the importance of proactive risk management, employee awareness, and continuous monitoring. By adopting robust security frameworks and incident response strategies, businesses can better protect their critical systems and data from potential threats.

Vulnerabilities

  1. Critical eBPF Vulnerabilities in Linux Kernel

High-severity vulnerabilities in the Linux kernel’s eBPF framework could allow attackers to gain unauthorized access, execute arbitrary code, and achieve system compromise.

Key Details:

  • CVE-2024-56614 & CVE-2024-56615 (CVSS 7.8, High)
  • Affect AF_XDP sockets (high-performance packet processing) and DEVMAP functions.
  • Root cause: Integer overflow errors lead to out-of-bounds writes and memory corruption.
  • Exploitation could result in root privilege escalation and full system control.
  • Public proof-of-concept (PoC) exploit code is available, increasing exploitation risk.

Affected Versions:

  • Linux Kernel v4.18 and later.

Mitigation:

  • Upgrade to the latest patched versions as soon as possible.

References:

https://github.com/google/security-research/security/advisories/GHSA-cqc2-6j63-6qrx

https://github.com/google/security-research/security/advisories/GHSA-fphp-6498-x998

  2. Critical Vulnerabilities in Drupal alogin and Admin LTE

Security flaws in the Drupal Authenticator Login Module and the Admin LTE Theme could allow unauthorized access and security bypass.

Key Details:

  • Authenticator Login Module (CVE Pending)
    • Impact: Access bypass vulnerability allows unauthorized users to access two-factor authentication configurations.
    • Affected Versions: < 2.0.6
    • Fix: Upgrade to Authenticator Login 2.0.6 or later.
  • Drupal Admin LTE Theme
    • Impact: Unsupported due to unresolved security risks.
    • Affected Versions: All versions
    • Fix: Uninstall the theme immediately.

Mitigation:

  • Upgrade Authenticator Login module to 2.0.6+.
  • Remove the Admin LTE theme from Drupal installations.

References:

https://www.drupal.org/sa-contrib-2025-009

https://www.drupal.org/sa-contrib-2025-010

 

  3. Critical Vulnerabilities in Canon Laser Printers and Multifunction Printers

Multiple buffer overflow vulnerabilities in Canon Laser Printers and Small Office Multifunction Printers could allow attackers to execute arbitrary code or launch Denial-of-Service (DoS) attacks.

Key Details:

  • CVE-2024-12647, CVE-2024-12648, CVE-2024-12649 (CVSS 9.8, Critical)
  • Affected devices include Canon Laser Printers and Small Office Multifunction Printers in Japan, the US, and Europe.
  • Vulnerabilities stem from buffer overflow issues, which could lead to unauthorized control or system crashes.
  • Exploitation risks include device takeover, execution of arbitrary code, and system disruption.

Affected Models:

  • Japan: Satera MF656Cdw/Satera MF654Cdw (firmware v05.04 and earlier).
  • US: Color imageCLASS MF656Cdw, MF654Cdw, MF653Cdw, MF652Cdw, LBP633Cdw, LBP632Cdw (firmware v05.04 and earlier).
  • Europe: i-SENSYS MF657Cdw, MF655Cdw, MF651Cdw, LBP633Cdw, LBP631Cdw (firmware v05.04 and earlier).
  • Additional affected models may be disclosed by Canon in future updates.

Mitigation:

  • Update Firmware Immediately: Install the latest firmware version available for your device.
  • Network Segmentation: Isolate printers from critical systems to minimize security risks.
  • Configure a Private Network:
    • Assign a private IP address to the printer.
    • Use a firewall or router to restrict access.
  • Secure Remote Access: Use VPNs or other secure methods when accessing devices remotely.
  • Monitor for Updates: Regularly check Canon’s security advisories and apply patches.
  • Disable Unnecessary Features: Turn off remote access or cloud printing to reduce the attack surface.

References:



  4. Critical Vulnerabilities in ABB FLXeon Controllers

ABB FLXeon controllers contain multiple critical vulnerabilities that could lead to remote code execution, authentication bypass, and information disclosure.

Key Details:

  • CVE-2024-48841 (CVSS 10.0): Remote Code Execution (RCE) due to improper file handling. Attackers can gain full system control.
  • CVE-2024-48849 (CVSS 9.4): Authentication bypass allows unauthorized HTTPS requests.
  • CVE-2024-48852 (CVSS 9.4): Information disclosure due to insecure logging.

Affected Versions:

  • FLXeon firmware 9.3.4 and older.

Mitigation:

  • Upgrade to firmware version 9.3.5 or later.
  • Restrict internet exposure and place controllers behind firewalls.
  • Enforce multi-factor authentication (MFA).

Reference:

  • https://search.abb.com/library/Download.aspx?DocumentID=9AKK108470A5684&LanguageCode=en&DocumentPartId=PDF&Action=Launch

 

  5. High-Severity Vulnerability in TeamViewer Clients

A high-severity vulnerability in TeamViewer for Windows could allow local attackers to exploit command injection flaws.

Key Details:

  • CVE-2025-0065 (CVSS 7.8, High)
  • Vulnerability Type: Argument Injection (CWE-88)
  • Affected Versions:
    • TeamViewer Full Client (Windows) versions < 15.62, < 14.7.48799, < 13.2.36226, < 12.0.259319, < 11.0.259318
    • TeamViewer Host (Windows) versions < 15.62, < 14.7.48799, < 13.2.36226, < 12.0.259319, < 11.0.259318
  • Exploitation Requirement: Local unprivileged access is needed.
  • Exploitation Status: No active exploitation detected.

Mitigation:

  • Update TeamViewer to version 15.62 or the latest available version immediately.

Reference:



  6. Critical Linux Kernel SMB Server Vulnerabilities

Critical vulnerabilities in KSMBD, the in-kernel SMB server for Linux, could allow attackers to gain full control over affected systems.

Key Details:

  • CVE-2024-56626 (CVSS 9.8, Critical)
    • Impact: Out-of-bounds write in ksmbd_vfs_stream_write can lead to kernel takeover.
  • CVE-2024-56627 (CVSS 9.1, Critical)
    • Impact: Out-of-bounds read in ksmbd_vfs_stream_read may expose sensitive memory data.
  • Exploitation Risks:
    • Remote Code Execution (RCE)
    • Information Disclosure
    • Full System Compromise

Affected Versions:

  • Linux Kernel > 5.15

Mitigation:

  • Upgrade to Linux Kernel 6.13-rc2 or later.

References:



  7. Critical SQL Injection Vulnerabilities in Centreon Web

Two critical SQL injection vulnerabilities in Centreon Web could allow attackers to execute arbitrary SQL queries, compromise systems, and exfiltrate sensitive data.

Key Details:

  • CVE-2024-55573: SQL injection in the virtual metrics creation form.
  • CVE-2024-53923: SQL injection in the media upload functionality of Centreon Web.
  • CVSS Score: 9.1 (Critical)
  • Impact:
    • Remote execution of SQL queries.
    • Unauthorized access to sensitive data.
    • Potential disruption of IT monitoring systems.

Affected Versions:

  • Centreon Web < 24.10.3
  • Centreon Web < 24.04.9
  • Centreon Web < 23.10.19
  • Centreon Web < 23.04.24

Mitigation:

  • Upgrade to Centreon Web 24.10.3, 24.04.9, 23.10.19, or 23.04.24.

Reference:




  8. Critical Vulnerabilities in Coolify

Multiple critical vulnerabilities in Coolify could allow remote attackers to execute arbitrary code, escalate privileges, and compromise sensitive data.

Key Details:

  • CVE-2025-22612 (CVSS 10.0): Unauthorized access to private keys in plaintext and Remote Code Execution (RCE).
  • CVE-2025-22609 (CVSS 10.0): Private key hijacking enabling unauthorized command execution.
  • CVE-2025-22611 (CVSS 9.9): Privilege escalation allowing attackers to gain full administrative control.

Impact:

  • Complete system compromise via unauthorized RCE.
  • Theft of sensitive data (private keys, credentials, databases).
  • Potential deployment of ransomware or service disruption.

Affected Versions:

  • All Coolify releases prior to v4.0.0-beta.374.

Mitigation:

  • Upgrade to Coolify v4.0.0-beta.374 or later.

References:

 

  9. SQL Injection Vulnerability in VMware Avi Load Balancer

A high-severity unauthenticated blind SQL injection vulnerability in VMware Avi Load Balancer could allow attackers to execute malicious SQL queries and gain unauthorized access to sensitive data.

Key Details:

  • CVE-2025-22217 (CVSS 8.6, High)
  • Vulnerability Type: Unauthenticated Blind SQL Injection
  • Impacted Product: VMware Avi Load Balancer
  • Impact: Potential unauthorized access to sensitive database information

Affected Versions:

  • 30.1.1
  • 30.1.2
  • 30.2.1
  • 30.2.2

Mitigation:

  • Upgrade to the following patched versions:
    • 30.1.1 / 30.1.2 → 30.1.2-2p2
    • 30.2.1 → 30.2.1-2p5
    • 30.2.2 → 30.2.2-2p2
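The Centreon Web and VMware Avi Load Balancer items above are instances of the same defect class: a request value spliced into SQL text. The Avi case is blind (the response reveals nothing directly, the attacker infers results from behaviour), but the root cause and the fix are identical. The following is an added illustration, not code from either product; the "media" table and its rows are constructed sample data, and sqlite3 stands in for the real database engine.

```python
import sqlite3


def fresh_media_db():
    # Constructed sample data standing in for an application's metadata store.
    # Illustration of the defect class only; not Centreon or Avi code.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE media (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO media (name, owner) VALUES (?, ?)",
        [("logo.png", "alice"), ("chart.svg", "bob"), ("secret.pdf", "admin")],
    )
    return conn


def lookup_media_vulnerable(conn, name):
    # The pattern behind an injectable form field: the request value is
    # spliced into the SQL text, so the engine cannot tell data from syntax.
    sql = f"SELECT name FROM media WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_media_hardened(conn, name):
    # Parameter binding: the value travels out of band and is always treated
    # as a string literal, whatever quote characters it contains.
    sql = "SELECT name FROM media WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare_on_hostile_input():
    """Run both lookups on a tautology-style value and return what each returns.

    The vulnerable lookup matches every row because the quote closes the
    literal and the OR clause is always true; the hardened lookup matches
    nothing because no file is literally named x' OR '1'='1.
    """
    conn = fresh_media_db()
    hostile = "x' OR '1'='1"
    return {
        "vulnerable": lookup_media_vulnerable(conn, hostile),
        "hardened": lookup_media_hardened(conn, hostile),
    }


if __name__ == "__main__":
    print(compare_on_hostile_input())
```

The same split applies to any data-access layer: the vendor fixes named above replace string building with bound parameters (or an equivalent escaping layer), which is why upgrading rather than filtering input is the recommended mitigation.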

Reference:




  10. Multiple Vulnerabilities in GitHub Desktop and Git-Related Projects

Several vulnerabilities in GitHub Desktop and other Git-related projects could expose user credentials and authentication tokens.

Key Details:

  • CVE-2024-53263 (CVSS 8.5): Git LFS flaw allows credential leaks via crafted HTTP URLs.
  • CVE-2024-50338 (CVSS 7.4): Malformed remote URLs can leak credentials in Git Credential Manager.
  • CVE-2025-23040 (CVSS 6.6): GitHub Desktop can leak credentials through malicious URLs.
  • CVE-2024-53858 (CVSS 6.5): Recursive cloning in GitHub CLI could expose authentication tokens.

Affected Versions:

  • GitHub Desktop < 3.4.12
  • Git Credential Manager < 2.6.1
  • Git LFS < 3.6.1
  • GitHub CLI < 2.63.0
  • Git versions v2.48.0 to v2.40.3

Mitigation:

  • Upgrade to fixed versions:
    • GitHub Desktop: 3.4.12+
    • Git Credential Manager: 2.6.1+
    • Git LFS: 3.6.1+
    • GitHub CLI: 2.63.0+
    • Git: v2.48.1, v2.47.2, v2.46.3, v2.45.3, v2.44.3, v2.43.6, v2.42.4, v2.41.3, v2.40.4
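Because Git shipped a separate fix for each maintenance branch, a fleet check cannot simply compare against one number: a host on 2.46.2 is unpatched even though 2.47.2 is "lower" than 2.48.1. The following added example (not code from GitHub or the Git project) parses the version strings the tools print, picks the right branch fix from the list above, and audits a constructed inventory. The tool keys, the branch handling for versions outside 2.40 to 2.48, and the sample inventory are my own assumptions.

```python
import re

# Fixed Git versions from the digest: each maintenance branch got its own release.
GIT_FIXED_VERSIONS = ["2.48.1", "2.47.2", "2.46.3", "2.45.3", "2.44.3",
                      "2.43.6", "2.42.4", "2.41.3", "2.40.4"]

# Minimum fixed versions for the other tools in the digest (tool keys are my own).
MIN_FIXED_VERSIONS = {
    "github-desktop": "3.4.12",
    "git-credential-manager": "2.6.1",
    "git-lfs": "3.6.1",
    "gh": "2.63.0",
}

# Constructed inventory, as collected from `git --version`, `git lfs version`, `gh --version`.
SAMPLE_INVENTORY = {
    "build01": {"git": "git version 2.46.2",
                "git-lfs": "git-lfs/3.6.1 (GitHub; linux amd64; go 1.22)"},
    "dev-laptop": {"git": "git version 2.48.1",
                   "gh": "gh version 2.62.0 (2024-11-20)"},
}


def parse_version(text):
    """Pull the first major.minor.patch triple out of strings such as
    'v2.47.1', 'git version 2.47.1' or 'git-lfs/3.5.1 (GitHub; linux amd64; go 1.22)'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in m.groups())


def git_is_fixed(version_text):
    """True when the installed Git is at or above the fix for its own branch.

    Assumption not stated in the digest: a branch newer than 2.48 is treated as
    fixed, and one older than 2.40 as unfixed, since no fix was issued for it.
    """
    installed = parse_version(version_text)
    fixed_by_branch = {v[:2]: v for v in map(parse_version, GIT_FIXED_VERSIONS)}
    branch = installed[:2]
    if branch in fixed_by_branch:
        return installed >= fixed_by_branch[branch]
    return branch > max(fixed_by_branch)


def tool_is_fixed(tool, version_text):
    """Plain minimum-version check for the tools that have a single fixed release."""
    return parse_version(version_text) >= parse_version(MIN_FIXED_VERSIONS[tool])


def audit(inventory):
    """inventory: {host: {tool: version string}} -> [(host, tool, version)] still needing an update."""
    findings = []
    for host, tools in inventory.items():
        for tool, version in tools.items():
            fixed = git_is_fixed(version) if tool == "git" else tool_is_fixed(tool, version)
            if not fixed:
                findings.append((host, tool, version))
    return findings


if __name__ == "__main__":
    for host, tool, version in audit(SAMPLE_INVENTORY):
        print(f"needs update: {host} {tool} ({version})")
```

The branch lookup is the part worth keeping: whenever an advisory lists several fixed versions, map the installed major.minor to its own fix before comparing, or a large part of the fleet will be reported as patched when it is not.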

References:



  11. Critical Vulnerability in One Identity Manager

A critical Insecure Direct Object Reference (IDOR) vulnerability in One Identity Manager could allow privilege escalation and unauthorized access to sensitive systems.

Key Details:

  • CVE-2024-56404 (CVSS 9.9, Critical)
  • Impact: Privilege escalation and unauthorized access to sensitive data.

Affected Versions:

  • One Identity Manager 9.0.x to 9.2.1 (On-Premise)
  • Not Affected: Cloud-based “On Demand” versions

Mitigation:

  • Apply hotfixes for affected versions:
    • 9.0.x LTS CU3
    • 9.1.x
    • 9.2.x
  • Upgrade to One Identity Manager 9.3, which is not vulnerable.

Reference:



  12. Multiple Vulnerabilities in Apache Solr

Critical vulnerabilities in Apache Solr could allow attackers to execute malicious code, escalate privileges, and modify system files.

Key Details:

  • CVE-2024-52012 (Relative Path Traversal, Windows-Specific)
    • Attackers can exploit the configset upload API with crafted ZIP files to gain arbitrary file write access.
    • Impact: Unauthorized file modification and potential system compromise.
  • CVE-2025-24814 (Privilege Escalation via Core Creation)
    • Attackers can replace trusted configset files to execute arbitrary code.
    • Impact: Elevated privileges and system takeover.

Affected Versions:

  • Apache Solr 6.6 through 9.7

Mitigation:

  • Upgrade to Apache Solr 9.8.0 or later.
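The CVE-2024-52012 item describes the classic archive traversal problem: an uploaded ZIP whose member names climb out of the intended directory, made worse on Windows where backslashes and drive letters are path syntax that a POSIX-only check ignores. The following added example is not Solr's code; it shows the check a service that accepts uploaded archives should run before extracting anything. The sample archive and its entry names are constructed for the demonstration.

```python
import io
import zipfile
from pathlib import PurePosixPath, PureWindowsPath


def unsafe_zip_members(data):
    """Return entry names that would resolve outside the extraction directory.

    Both path flavours are checked because the Solr issue above is Windows-specific:
    a backslash or drive letter is an ordinary character on Linux but a separator
    on Windows, so a POSIX-only check lets those entries through.
    """
    bad = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            win = PureWindowsPath(name)
            posix = PurePosixPath(name.replace("\\", "/"))
            if (win.drive or win.is_absolute() or posix.is_absolute()
                    or ".." in win.parts or ".." in posix.parts):
                bad.append(name)
    return bad


def archive_is_safe(data):
    return not unsafe_zip_members(data)


def extract_if_safe(data, dest):
    """Refuse the whole archive if any member is unsafe, rather than silently remapping names."""
    bad = unsafe_zip_members(data)
    if bad:
        raise ValueError(f"refusing archive with traversal entries: {bad}")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        zf.extractall(dest)
    return True


def build_zip(entries):
    """Constructed in-memory archive for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries:
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample: two legitimate configset files plus four traversal attempts.
SAMPLE_ARCHIVE = build_zip([
    ("solrconfig.xml", "<config/>"),
    ("lang/stopwords_en.txt", "the\n"),
    ("..\\..\\escape-win.txt", "x"),        # Windows-style relative traversal
    ("conf/../../escape-posix.txt", "x"),   # POSIX-style relative traversal
    ("C:\\Windows\\Temp\\drive.txt", "x"),  # drive-qualified absolute path
    ("/tmp/absolute.txt", "x"),             # POSIX absolute path
])

CLEAN_ARCHIVE = build_zip([
    ("solrconfig.xml", "<config/>"),
    ("lang/stopwords_en.txt", "the\n"),
])

if __name__ == "__main__":
    print("unsafe entries:", unsafe_zip_members(SAMPLE_ARCHIVE))
```

Rejecting the archive outright is deliberate: libraries that quietly strip `..` or drive letters still let an attacker overwrite files that happen to sit inside the destination, so the safer response to a malformed upload is to drop it and log the entry names.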

References:



  13. Zero-Day Vulnerability in Apple Devices

Apple has released security updates to address CVE-2025-24085, a zero-day vulnerability in the Core Media framework, which is actively exploited in targeted attacks.

Key Details:

  • CVE-2025-24085 (Privilege Escalation)
  • Impact: Allows malicious applications to gain elevated privileges, leading to unauthorized access to sensitive data.
  • Exploitation: Actively used in targeted attacks against devices running iOS versions prior to iOS 17.2.

Affected Devices & Update Versions:

  • visionOS 2.3
  • iOS 18.3 & iPadOS 18.3
  • iPadOS 17.7.4
  • macOS Sequoia 15.3
  • macOS Sonoma 14.7.3
  • macOS Ventura 13.7.3
  • watchOS 11.3
  • tvOS 18.3
  • Safari 18.3

Mitigation:

  • Apply security updates immediately to mitigate the risk of exploitation.

Reference:




  14. Critical Application Signature Issue in Zyxel USG FLEX &amp; ATP Firewalls

A faulty Application Signature Update (version 1.0.0.20250123.0) has caused severe operational disruptions in Zyxel USG FLEX and ATP Series firewalls with active security licenses.

Key Details:

  • Affected Devices: USG FLEX & ATP Series firewalls (Standalone Mode) with active security licenses
  • Unaffected Devices: Nebula platform, USG FLEX H (uOS) series, and devices without active security licenses
  • Issue: Reboot loops, ZySH daemon failures, high CPU usage, and login access issues.

Current Status & Mitigation:

  • Zyxel has removed the faulty signature update (V1.0.0.20250123.03).
  • Application signing has been disabled on company servers to prevent further issues.
  • Firmware update released for affected devices.
  • On-site recovery required using a console cable (remote recovery not recommended).

Immediate Actions:

  • Check if your device has the problematic App-Patrol signature version.
  • Follow Zyxel’s recovery steps for on-site resolution.

Reference:




  15. Multiple Vulnerabilities in phpMyAdmin

Several vulnerabilities in phpMyAdmin could allow attackers to inject malicious scripts, leading to session hijacking, data theft, and account compromise.

Key Details:

  • CVE-2025-24530 (XSS in “Check Tables”)
    • Attackers can inject malicious scripts via specially crafted table names.
  • CVE-2025-24529 (XSS in “Insert”)
    • Exploiting the Insert function could trigger unauthorized script execution.
  • CVE-2024-2961 (glibc/iconv Library Vulnerability)
    • Potential risk of arbitrary code execution under specific conditions.

Affected Versions:

  • phpMyAdmin 5.x prior to 5.2.2

Mitigation:

  • Upgrade to phpMyAdmin 5.2.2 or later.

References:




  16. Critical RCE Vulnerability in Cacti

A critical Remote Code Execution (RCE) vulnerability in Cacti allows authenticated users to execute arbitrary system commands on the server.

Key Details:

  • CVE-2025-22604 (CVSS 9.1, Critical)
  • Vulnerability Type: Improper handling of multi-line SNMP responses enables malicious code execution.
  • Affected Versions: Cacti <= 1.2.8
  • Patched Version: Cacti 1.2.29 and above

Mitigation:

  • Upgrade to Cacti 1.2.29 or later.
  • Implement network segmentation to restrict access.
  • Enforce strong authentication and apply the principle of least privilege.
  • Monitor systems for unauthorized changes or suspicious activity.

Reference:




  17. CRLF Injection Vulnerabilities in RestSharp and Refit

Critical CRLF Injection vulnerabilities in the widely used .NET libraries RestSharp and Refit could allow attackers to manipulate HTTP headers and execute request splitting.

Key Details:

  • CVE-2024-45302 (RestSharp)
    • Issue: Unsafe handling of user-supplied headers via .TryAddWithoutValidation.
    • Impact: Attackers can inject malicious headers and manipulate HTTP requests.
  • CVE-2024-51501 (Refit)
    • Issue: Similar vulnerability in [Header] and [Authorize] attributes.
    • Impact: Potential for HTTP request splitting and cache poisoning.

Affected APIs:

  • RestSharp:
    • AddHeader(), AddOrUpdateHeader(), AddDefaultHeader()
  • Refit:
    • [Header], [Authorize], [Headers]

Mitigation:

  • Update to patched versions once available.
  • Avoid using .TryAddWithoutValidation for HTTP headers.
  • Validate all user input before inserting into headers.
  • Monitor logs for unusual HTTP request patterns.
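The mechanism behind both CVEs is that a header value containing a carriage return and line feed ends the current header line on the wire and starts a new one, which is exactly what `.TryAddWithoutValidation` skips checking. The following added example is not RestSharp or Refit code; it reproduces the defect in a few lines of request serialisation so the effect is visible, and shows the validation a wrapper around `AddHeader()`-style APIs should perform. The header names and the tainted request id are constructed.

```python
import re

# CR, LF and NUL: the characters that let one value terminate a header line
# and begin another (or truncate the request in some parsers).
ILLEGAL_HEADER_CHARS = re.compile(r"[\r\n\x00]")

# Constructed example: a request id copied from user-controlled input.
TAINTED_HEADERS = [("Host", "api.example.test"),
                   ("X-Request-Id", "abc123\r\nX-Injected: true")]


def serialize_request_unchecked(method, path, headers):
    """What a client emits when header values are added without validation."""
    lines = [f"{method} {path} HTTP/1.1"]
    lines += [f"{name}: {value}" for name, value in headers]
    return "\r\n".join(lines) + "\r\n\r\n"


def is_safe_header_value(value):
    return ILLEGAL_HEADER_CHARS.search(value) is None


def validate_header(name, value):
    """Reject control characters in either the name or the value; return the value when clean."""
    if not is_safe_header_value(name) or not is_safe_header_value(str(value)):
        raise ValueError(f"control character in header {name!r}")
    return value


def serialize_request_checked(method, path, headers):
    """Same wire format, but every header passes validate_header first."""
    for name, value in headers:
        validate_header(name, value)
    return serialize_request_unchecked(method, path, headers)


def request_accepted(method, path, headers):
    """True if the checked serializer accepts the headers, False if it rejects them."""
    try:
        serialize_request_checked(method, path, headers)
        return True
    except ValueError:
        return False


def header_names_as_received(raw):
    """Header names a receiver would parse from the serialized request."""
    head = raw.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0] for line in head.split("\r\n")[1:]]


if __name__ == "__main__":
    raw = serialize_request_unchecked("GET", "/v1/items", TAINTED_HEADERS)
    print("unchecked client sent headers:", header_names_as_received(raw))
    print("checked client accepted request:", request_accepted("GET", "/v1/items", TAINTED_HEADERS))
```

Rejecting rather than stripping is the right default here: silently removing the line break would turn the injected text into part of the original header value, which is still not what the caller intended, and the exception makes the tainted input visible in application logs.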

Reference:




  18. New RDP Exploit Allows Attackers to Take Over Windows and Browser Sessions

A newly discovered Remote Desktop Protocol (RDP) exploit enables attackers to hijack Windows sessions and browser activity by leveraging bitmap cache file vulnerabilities.

Key Details:

  • Attack Method: Exploits persistent bitmap caching in RDP, allowing attackers to reconstruct session data.
  • Risk: Attackers can extract terminal commands, login pages, credentials, and file system activities.
  • Exploitation Tools: BMC-Tools (ANSSI) and RdpCacheStitcher can reconstruct graphical session fragments.

Potential Impact:

  • Reconstructions of RDP sessions expose sensitive user activities.
  • Enterprise environments at high risk due to multiple managed RDP connections.
  • Attackers can escalate privileges, spread malware, and exfiltrate credentials.

Mitigation Measures:

  • Disable Persistent Bitmap Caching in RDP clients (e.g., mstsc.exe).
  • Strengthen Network Security by using VPNs and firewalls to protect RDP sessions.
  • Monitor RDP Logs for unusual outgoing connections or file movements.
  • Apply Least Privilege Principles to limit RDP access.
  • Update Windows systems and security patches regularly.
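The first mitigation above is a client-side setting, and on a managed fleet it is easiest to verify in the saved connection files rather than by opening each client: mstsc.exe stores its options in `.rdp` files as `key:type:value` lines, where `bitmapcachepersistenable:i:1` turns persistent bitmap caching on. The following added example (not Microsoft or ANSSI code) parses such files, reports the ones that still allow the cache, and rewrites the setting. The sample file is constructed; the assumptions that a missing key means the default of "enabled" and that mstsc saves files as UTF-16 with a byte-order mark are my own and are noted in the code.

```python
from pathlib import Path

CACHE_KEY = "bitmapcachepersistenable"

# Constructed .rdp file in the "key:type:value" format mstsc.exe saves.
SAMPLE_RDP = """\
screen mode id:i:2
full address:s:jump-host.example.test:3389
authentication level:i:2
bitmapcachepersistenable:i:1
"""


def parse_rdp(text):
    """Parse .rdp settings into {key: (type, value)}; values may themselves contain ':'."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) == 3:
            key, kind, value = parts
            settings[key] = (kind, value)
    return settings


def persistent_cache_enabled(settings):
    """Assumption: the client defaults this option to enabled, so a missing key counts as on."""
    _kind, value = settings.get(CACHE_KEY, ("i", "1"))
    return value.strip() != "0"


def harden_rdp(text):
    """Force the option to 0, keeping every other line exactly as written."""
    out, seen = [], False
    for line in text.splitlines():
        if line.split(":", 1)[0].strip() == CACHE_KEY:
            out.append(f"{CACHE_KEY}:i:0")
            seen = True
        else:
            out.append(line)
    if not seen:
        out.append(f"{CACHE_KEY}:i:0")
    return "\n".join(out) + "\n"


def read_rdp(path):
    raw = Path(path).read_bytes()
    # Assumption: files saved by mstsc carry a UTF-16 byte-order mark; hand-written ones are UTF-8.
    encoding = "utf-16" if raw.startswith((b"\xff\xfe", b"\xfe\xff")) else "utf-8"
    return raw.decode(encoding, errors="replace")


def audit_rdp_dir(directory):
    """Return the .rdp files under directory that still allow persistent bitmap caching."""
    findings = []
    for path in Path(directory).rglob("*.rdp"):
        if persistent_cache_enabled(parse_rdp(read_rdp(path))):
            findings.append(str(path))
    return findings


if __name__ == "__main__":
    print("cache enabled in sample:", persistent_cache_enabled(parse_rdp(SAMPLE_RDP)))
    print(harden_rdp(SAMPLE_RDP))
```

Disabling the cache only prevents new fragments from being written; bitmap cache files already on disk from earlier sessions remain recoverable until they are removed, so the audit is worth pairing with a cleanup of existing cache directories on the same hosts.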

Reference:




  19. Hackers Abusing GitHub Infrastructure to Deliver Lumma Stealer

Cybercriminals are leveraging GitHub’s release infrastructure to distribute Lumma Stealer, an information-stealing malware capable of exfiltrating sensitive data and deploying additional malicious payloads.

Key Details:

  • Attack Method: Hosting malware-laden files (e.g., Pictore.exe, App_aelGCY3g.exe) on GitHub repositories.
  • Signed with revoked certificates from ConsolHQ LTD and Verandah Green Limited to bypass initial security checks.
  • Uses pre-signed links with short expiration (X-Amz-Expires=300) to evade detection.

Malware Capabilities:

  • Data Exfiltration: Steals credentials, cryptocurrency wallets, browser cookies, and system configurations.
  • Persistence Mechanisms: Uses PowerShell scripts and shell commands to remain undetected.
  • Payload Deployment: Drops additional malware, including SectopRAT and Vidar.
  • File Extraction: Extracts files using nsis7z.dll from Electron-based applications.

Indicators of Compromise (IoCs):

  • Malicious File Names: Pictore.exe, App_aelGCY3g.exe
  • Command-and-Control (C2) IPs:
    • 192[.]142[.]10[.]246
    • 84[.]200[.]24[.]26

Mitigation Measures:

  • Validate URLs and digital certificates before downloading files.
  • Use endpoint security solutions to detect unauthorized shell commands.
  • Block known malicious IPs to prevent communication with C2 servers.
  • Enable MFA and patch systems regularly to mitigate risks.

Reference:

https://cybersecuritynews.com/hackers-abusing-github-infrastructure/ 



  20. TAG-124 Hacked 1000+ WordPress Sites to Embed Payloads

The TAG-124 threat group has compromised over 1,000 WordPress websites to deliver malware via fake software updates, leveraging a Traffic Distribution System (TDS) to evade detection.

Key Details:

  • Attack Method: Malicious JavaScript injections redirect visitors to attacker-controlled payload servers.
  • Payloads: Fake Google Chrome update pages deliver REMCOS RAT via malicious ZIP files.
  • Infrastructure:
    • Dynamic URL updates to evade detection.
    • ClickFix technique to trick users into executing commands.
    • Conditional logic in TDS to optimize infections based on user attributes.

Indicators of Compromise (IoCs):

  • Domains: vicrin[.]com, update-chronne[.]com
  • IPs: 146.70.41[.]191, 45.61.136[.]67
  • Compromised Sites:
    • www[.]ecowas[.]int
    • www[.]reloadinternet[.]com

Mitigation Measures:

  • Update WordPress core, plugins, and themes to prevent exploits.
  • Scan for unauthorized JavaScript injections on web pages.
  • Use Web Application Firewalls (WAFs) to block malicious traffic.
  • Educate users to avoid downloading software from unverified sources.

Reference:



  21. Critical D-Link Router Flaw Allows Attackers to Take Full Remote Control

A critical unauthenticated Remote Code Execution (RCE) vulnerability in D-Link DSL-3788 routers allows attackers to gain full remote control, posing severe security risks.

Key Details:

  • Affected Model: D-Link DSL-3788 (Hardware Revisions Ax/Bx)
  • Affected Firmware Version: v1.01R1B036_EU_EN and below
  • Vulnerability Source: Buffer overflow in the COMM_MakeCustomMsg function of libssap due to improper input validation.
  • Reported On: November 25, 2024
  • Patched Version: v1.01R1B037 (Released: January 27, 2025)

Mitigation Steps:

  1. Update Firmware: Download and install v1.01R1B037 
  2. Verify the Firmware Version: Ensure the updated firmware is correctly installed.
  3. Check Hardware Revision: Confirm compatibility before upgrading.
  4. Enable Automatic Updates: To receive future security patches promptly.

Reference:

 

  22. HellCat and Morpheus | Two Brands, One Payload as Ransomware Affiliates Drop Identical Code

Ransomware-as-a-Service (RaaS) operations HellCat and Morpheus are deploying nearly identical ransomware payloads, indicating shared code or builder applications among affiliates.

Key Details:

  • HellCat Ransomware (emerged mid-2024): Operated by BreachForums members targeting high-value enterprises and government entities.
  • Morpheus Ransomware (active since September 2024): Focused on pharmaceutical & manufacturing industries and ESXi environments.
  • Shared Affiliate Activity: Identical ransomware payloads for both HellCat and Morpheus were uploaded to VirusTotal in December 2024.

Payload Characteristics:

  • 64-bit PE files (~18KB size) requiring command-line arguments for execution.
  • Ransomware excludes .dll, .sys, .exe, .drv, .com, .cat file types from encryption.
  • Does not alter file extensions after encryption.
  • Uses Windows Cryptographic API (BCrypt) for encryption.
  • Drops a ransom note _README_.txt in C:\Users\Public\ and opens it via Notepad.

Indicators of Compromise (IoCs):

  • Files (SHA1):
    • b834d9dbe2aed69e0b1545890f0be6f89b2a53c7 (HellCat)
    • f62d2038d00cb44c7cbd979355a9d060c10c9051 (er.bat, Morpheus)
    • f86324f889d078c00c2d071d6035072a0abb1f73 (Morpheus)
  • Ransomware Network Infrastructure:
    • HellCat: hellcakbszllztlyqbjzwcbdhfrodx55wq77kmftp4bhnhsnn5r3odad[.]onion
    • Morpheus: izsp6ipui4ctgxfugbgtu65kzefrucltyfpbxplmfybl5swiadpljmyd[.]onion
    • File Services: hellcat[.]locker
  • Contact Emails:
    • h3llr4ns[@]onionmail[.]com
    • morpheus[@]onionmail[.]com

Mitigation Strategies:

  • Monitor and block IoCs, including .onion domains and known SHA1 hashes.
  • Harden ESXi environments, as Morpheus specifically targets virtualized infrastructures.
  • Implement EDR/XDR solutions capable of detecting HellCat & Morpheus ransomware behaviors.
  • Restrict RDP access, as RaaS affiliates frequently exploit it for initial access.
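The Lumma Stealer, TAG-124 and HellCat/Morpheus items above each end with "monitor and block IoCs", and all three publish their indicators defanged (`192[.]142[.]10[.]246`, `vicrin[.]com`, `h3llr4ns[@]onionmail[.]com`). The following added example, which is not from any of the cited reports, takes those indicators exactly as printed, refangs and classifies them, and runs them over a handful of constructed log lines with boundary-aware matching so that `84.200.24.26` is not reported inside an unrelated address such as `184.200.24.26`. The log lines are constructed, not real telemetry.

```python
import re

# Indicators as printed in the digest (Lumma Stealer, TAG-124, HellCat/Morpheus).
DIGEST_IOCS = [
    "192[.]142[.]10[.]246", "84[.]200[.]24[.]26",
    "vicrin[.]com", "update-chronne[.]com", "146.70.41[.]191", "45.61.136[.]67",
    "hellcat[.]locker",
    "hellcakbszllztlyqbjzwcbdhfrodx55wq77kmftp4bhnhsnn5r3odad[.]onion",
    "h3llr4ns[@]onionmail[.]com",
    "b834d9dbe2aed69e0b1545890f0be6f89b2a53c7",
    "f86324f889d078c00c2d071d6035072a0abb1f73",
    "Pictore.exe",
]

# Constructed sample log lines (DNS, proxy, EDR and mail), not real telemetry.
SAMPLE_LOGS = [
    "2025-01-30T10:01:12Z dns client=10.0.5.21 query=cdn.vicrin.com. type=A",
    "2025-01-30T10:01:13Z proxy client=10.0.5.21 dst=146.70.41.191:443 action=allow",
    "2025-01-30T10:02:44Z edr host=ws-0142 event=process_create "
    "sha1=B834D9DBE2AED69E0B1545890F0BE6F89B2A53C7 image=C:\\Users\\Public\\Pictore.exe",
    "2025-01-30T10:03:01Z proxy client=10.0.5.30 dst=184.200.24.26:80 action=allow",
    "2025-01-30T10:03:05Z mail from=h3llr4ns@onionmail.com subject=_README_",
]


def refang(ioc):
    """Undo common defanging so an indicator can be matched against raw logs."""
    return (ioc.strip()
               .replace("[.]", ".").replace("(.)", ".")
               .replace("[@]", "@").replace("[:]", ":")
               .replace("hxxp", "http").lower())


def classify(ioc):
    if re.fullmatch(r"[0-9a-f]{40}", ioc):
        return "sha1"
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", ioc):
        return "ipv4"
    if "@" in ioc:
        return "email"
    if re.fullmatch(r"[\w.-]+\.exe", ioc):
        return "filename"
    return "domain"


def build_matchers(defanged):
    """Compile each indicator with boundaries that stop partial matches inside
    longer tokens while still matching subdomains and trailing DNS dots."""
    matchers = []
    for raw in defanged:
        ioc = refang(raw)
        pattern = re.compile(r"(?<![\w-])" + re.escape(ioc) + r"(?![\w-])", re.IGNORECASE)
        matchers.append((ioc, classify(ioc), pattern))
    return matchers


def scan_lines(lines, matchers):
    """Return (line number, indicator type, indicator) for every hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ioc, kind, pattern in matchers:
            if pattern.search(line):
                hits.append((n, kind, ioc))
    return hits


if __name__ == "__main__":
    for n, kind, ioc in scan_lines(SAMPLE_LOGS, build_matchers(DIGEST_IOCS)):
        print(f"line {n}: {kind} {ioc}")
```

Hash and filename indicators age quickly (the HellCat and Morpheus samples are tiny and rebuilt per affiliate), so treat the domain, IP and mailbox hits as the durable signal and the file hashes as confirmation rather than the primary detection.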

Reference:



  23. E-Signature Phishing Nearly Sparks Disaster for an Electric Company

A sophisticated e-signature phishing attack bypassed Microsoft’s email security and nearly compromised a major electric company’s C-suite executive, but was detected in time by Proofpoint.

Key Attack Methods:

  • Brand Impersonation: Attackers spoofed DocuSign to trick the victim into downloading a fake document.
  • Adversary-in-the-Middle (AitM): A proxy phishing site intercepted login credentials, MFA codes, and session cookies.
  • Geofencing: Restricted access to the phishing page by location, evading automated security scans.
  • Multi-Step Redirection Chains: URLs hosted on Google infrastructure concealed the attack path from basic email security tools.

Attack Flow:

  1. Spoofed DocuSign email directed the user to a malicious link.
  2. The URL redirected through trusted domains to evade detection.
  3. The user landed on a fake DocuSign login page hosted on an attacker-controlled proxy site.
  4. Attackers stole credentials, MFA codes, and session cookies, gaining full account access.

Reference:




  24. TorNet Backdoor Detection: Phishing Campaign Uses PureCrypter to Drop Malware

A financially motivated phishing campaign is using PureCrypter malware to deploy TorNet Backdoor, Agent Tesla, and Snake Keylogger, targeting users in Poland and Germany.

Key Attack Methods:

  • Phishing Emails: Fake money transfer confirmations and order receipts lure victims into opening malicious attachments.
  • Malicious Attachments: .tgz files containing compressed .NET loaders execute PureCrypter in system memory.
  • TorNet Backdoor Deployment:
    • Connects infected machines to the TOR network for stealthy C2 communication.
    • Fetches & executes arbitrary .NET assemblies remotely.

Reference:

 

  25. DeepSeek Exposes Database with Over 1 Million Chat Records

A critical security breach at DeepSeek, a Chinese AI startup, exposed over 1 million chat records, API keys, and backend details due to unsecured ClickHouse databases.

Key Details:

  • Publicly accessible databases:
    • oauth2callback.deepseek.com:9000
    • dev.deepseek.com:9000
  • Exposed Data:
    • Plaintext chat logs from DeepSeek’s AI chatbot.
    • Backend API keys used for authentication.
    • Internal infrastructure details (e.g., services & metadata).
    • Operational logs from January 6, 2025.

Security Risks:

  • Privacy Breach: Users’ private conversations exposed.
  • Privilege Escalation: Attackers could exploit API keys to infiltrate DeepSeek’s internal network.
  • Data Theft: Misconfiguration allowed arbitrary SQL queries, potentially enabling password and file extraction.
  • Ongoing Attacks: DeepSeek suspended new user registrations due to persistent cyberattacks.

DeepSeek’s Response:

  • Database access revoked after Wiz Research notified DeepSeek.
  • No confirmation on whether malicious actors accessed the data before remediation.
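The exposure above came down to a database service reachable on its native port from the internet. The cheapest internal check for the same condition is to look at what each host actually binds, which is an ordinary `ss -Hltn` listing. The following added example (not from Wiz Research or DeepSeek) parses such output, constructed here, and flags database ports bound to a non-loopback address; the port-to-service table is my own and covers ClickHouse's native port 9000, the one named in the digest, alongside a few other common engines.

```python
import ipaddress
import subprocess

# Default ports of database services that should not listen on a public interface.
# 9000 is ClickHouse's native protocol (the port in the digest); 8123 is its HTTP interface.
DB_PORTS = {9000: "clickhouse-native", 8123: "clickhouse-http", 5432: "postgresql",
            3306: "mysql", 6379: "redis", 27017: "mongodb", 9200: "elasticsearch"}

# Constructed `ss -Hltn` output: State Recv-Q Send-Q Local:Port Peer:Port.
SAMPLE_SS = """\
LISTEN 0 4096 127.0.0.1:8123 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:9000 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 511 [::1]:6379 [::]:*
"""


def parse_listen_sockets(output):
    """Return (bind address, port) for each listening socket in `ss -Hltn` output."""
    sockets = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        addr, _, port = fields[3].rpartition(":")
        sockets.append((addr.strip("[]").split("%")[0], int(port)))
    return sockets


def is_exposed(addr):
    """True when the bind address accepts connections from other hosts."""
    if addr in ("", "*"):
        return True
    return not ipaddress.ip_address(addr).is_loopback


def exposed_db_listeners(output):
    """(service, address, port) for every database port bound beyond loopback."""
    return [(DB_PORTS[port], addr, port)
            for addr, port in parse_listen_sockets(output)
            if port in DB_PORTS and is_exposed(addr)]


def exposed_db_listeners_on_this_host():
    """Run ss locally (Linux) and apply the same check to the live socket table."""
    result = subprocess.run(["ss", "-Hltn"], capture_output=True, text=True, check=True)
    return exposed_db_listeners(result.stdout)


if __name__ == "__main__":
    for service, addr, port in exposed_db_listeners(SAMPLE_SS):
        print(f"exposed: {service} bound to {addr}:{port}")
```

A non-loopback bind is necessary for exposure but not sufficient: a host firewall or security group may still block the port. Use the listing to decide where to look, then confirm from outside the network boundary and, where the service must stay reachable, that it requires authentication.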

Reference:

© 2025 HawkEye – Managed CSOC and XDR powered by DTS Solution. All Rights Reserved.