Weekly Threat Landscape Digest – Week 12

1. Critical RCE Vulnerability in Apache Tomcat

A critical Remote Code Execution (RCE) flaw (CVE-2025-24813) in Apache Tomcat allows full server compromise via a malicious PUT request. The vulnerability is being actively exploited.

Key Details:

• Impact: Remote Code Execution
• Affected Versions: 
  • Tomcat 11.0.0-M1 to 11.0.2
  • Tomcat 10.1.0-M1 to 10.1.34
  • Tomcat 9.0.0.M1 to 9.0.98
• Fixed Versions: 
  • Tomcat 11.0.3+, 10.1.35+, 9.0.99+

Exploit Method:

• Attacker uploads a serialized Java session via PUT.
• A GET request with JSESSIONID triggers deserialization and code execution.

Conditions for Exploitation:

• Servlet write enabled
• File-based session persistence
• App uses deserialization libraries

Mitigation:

• Upgrade to the latest patched versions.
• Disable servlet write if not needed.
• Monitor for suspicious PUT/GET requests.

Reference:
https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq

2. Critical Vulnerability in Veeam Backup & Replication

A critical vulnerability (CVE-2025-23120) in Veeam Backup & Replication allows authenticated domain users to execute arbitrary code on affected systems.

Key Details:

• CVSS Score: 9.9 (Critical)
• Impact: RCE, data compromise, unauthorized access
• Affected Versions: 12.3.0.310 and all earlier v12 builds
• Fixed Version: 12.3.1 (build 12.3.1.1139)

Mitigation:

• Upgrade to version 12.3.1.1139 immediately.
• Monitor for suspicious activity on backup infrastructure.

Reference:
https://www.veeam.com/kb4724

3. Security Updates – Zoom

Zoom has released patches for multiple vulnerabilities affecting Zoom Workplace Apps, Zoom Rooms Client, and SDKs across Windows, macOS, Linux, iOS, and Android. These flaws range from high to medium severity, potentially enabling privilege escalation, denial-of-service, or data authenticity bypass.

Key High-Severity Vulnerabilities:

• CVE-2025-27440 – Heap-based buffer overflow (privilege escalation)
• CVE-2025-27439 – Buffer underflow (privilege escalation)
• CVE-2025-0151 – Use-after-free (privilege escalation)
• CVE-2025-0150 – Incorrect behavior order (DoS in iOS apps)

Medium-Severity:

• CVE-2025-0149 – Insufficient verification of data authenticity (DoS)

Mitigation:

• Update all Zoom applications to the latest available versions.

Reference:
https://www.zoom.com/en/trust/security-bulletin/

4. Security Updates – Google ChromeOS

Google has released a Long-Term Support (LTS) update for ChromeOS (LTS-126 / 126.0.6478.266, Platform Version: 15886.91.0). This update addresses a high-severity vulnerability and includes critical security fixes to enhance system protection.

Key Vulnerability:

• CVE-2024-7969 – Type Confusion in V8 Engine 
  • Severity: High
  • Component: V8 (JavaScript & WebAssembly engine)
  • Impact: May allow attackers to trigger memory corruption, resulting in arbitrary code execution or system/browser crashes.
  • Fix: Addressed in this release by resolving the type confusion flaw.

Additional Notes:

• The update may include other undisclosed security fixes.
• It is rolling out to most ChromeOS devices, and immediate installation is recommended to ensure system stability and security.

Recommendations:

• Update all ChromeOS devices to version 126.0.6478.266 as soon as possible.
• Enable auto-updates to ensure timely application of future patches.

Reference:
https://chromereleases.googleblog.com/2025/03/long-term-support-channel-updatefor_18.html

5. Reflected XSS Vulnerabilities in Laravel Framework

Two high-severity reflected XSS vulnerabilities have been discovered in the Laravel framework (CVE-2024-13918 & CVE-2024-13919), affecting versions 11.9.0 to 11.35.1. These flaws allow attackers to execute arbitrary JavaScript in the victim’s browser through crafted URLs when debug mode is enabled.

Vulnerability Details:

• CVE-2024-13918 & CVE-2024-13919
• Severity: High
• Impact: Session hijacking, credential theft, data exfiltration
• Exploitability: Requires user interaction (click on crafted malicious link)
• Cause: Improper encoding of request parameters in Laravel’s debug-mode error pages
• Fixed Version: Laravel 11.36.0

Attack Vector:

• Attackers craft a URL injecting malicious JavaScript in request/route parameters.
• When a user opens the link, the payload executes due to lack of sanitization in the debug error output.

Recommendations:

• Upgrade Laravel to version 11.36.0 or later.
• If upgrading is not possible, disable debug mode immediately to prevent exposure.
• Educate developers and security teams about sanitization in dev environments.

Reference:
https://github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV-20241209-01_Laravel_Reflected_XSS_via_Request_Parameter_in_Debug-Mode_Error_Page

6. High-Severity Authentication Bypass in ManageEngine Analytics Plus

A high-severity authentication bypass vulnerability (CVE-2025-1724, CVSS 7.4) has been discovered in ManageEngine Analytics Plus (on-premise, Windows). This flaw allows unauthorized access to Active Directory (AD)-authenticated user accounts, leading to potential account takeovers and data breaches.

Vulnerability Details:

• CVE ID: CVE-2025-1724
• Severity: High
• Affected Product: Analytics Plus on-premise (Windows)
• Impacted Versions: All builds below 6130
• Fixed Version: Build 6130
• Impact: Compromise of AD-authenticated accounts
• Scope: Affects installations using AD authentication without AD SSO configuration

Recommendations:

• Upgrade to Build 6130 or later immediately.
• Enable Active Directory SSO and enforce Multi-Factor Authentication (MFA) for AD users.

Reference:
https://www.manageengine.com/analytics-plus/CVE-2025-1724.html

7. Critical Vulnerability in Schneider Electric WebHMI Component

A critical vulnerability (CVE-2025-1960, CVSS 9.8) in Schneider Electric’s WebHMI component, used in EcoStruxure Power Automation System and EcoStruxure Microgrid Operation Large (EMO-L), may allow unauthorized access and command execution due to insecure default credentials.

Vulnerability Details:

• CVE ID: CVE-2025-1960
• Severity: Critical (CVSS 9.8)
• Vulnerability Type: Insecure Default Initialization
• Impact: Unauthorized command execution, operational disruption, and data breach
• Root Cause: Use of default credentials not changed upon deployment; username not displayed correctly in UI

Affected Products:

• WebHMI v4.1.0.0 and earlier (when deployed with EPAS UI v2.6.30.19 or earlier)
• EcoStruxure Microgrid Operation Large (EMO-L) using vulnerable EPAS version

Mitigation & Recommendations:

• Apply WebHMI_Fix_users_for_Standard.V1 hotfix from Schneider Electric
• Change default credentials immediately
• Implement product-specific hardening guidelines
• Restrict internet exposure and segment control networks behind firewalls
• Use secure remote access (VPN) and apply physical security controls
• Sanitize mobile devices and media before connecting to control networks

Reference:
https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-070-03&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-070-03.pdf 

8. Critical Remote Code Execution Vulnerability in graphql-ruby Gem

Critical vulnerability (CVE-2025-27407, CVSS 9.1) in the graphql-ruby gem allows remote code execution (RCE) through malicious GraphQL schema definitions. Given the gem’s wide usage (136+ million downloads), this poses a significant threat to Ruby-based applications using GraphQL.

Vulnerability Details:

• CVE ID: CVE-2025-27407
• Severity: Critical (CVSS 9.1)
• Vulnerability Type: Remote Code Execution
• Affected Versions: graphql-ruby > 1.11.5
• Fixed Versions: 
  • 1.11.11
  • 1.12.25
  • 1.13.24
  • 2.0.32
  • 2.1.15
  • 2.2.17
  • 2.3.21
  • 2.4.13

Impact: Attackers can exploit malicious schema definitions to execute arbitrary code remotely.

Recommendations:

• Immediately upgrade graphql-ruby to one of the patched versions listed above.
• Review application logs and GraphQL schemas for suspicious activity.

Reference:
https://github.com/rmosolgo/graphql-ruby/security/advisories/GHSA-q92j-grw3-h492

9. Critical Vulnerability in Moxa PT Switches

A critical authentication bypass vulnerability (CVE-2024-12297, CVSS 9.2) affects Moxa PT Series industrial Ethernet switches. Attackers can exploit flaws in the authorization process to gain unauthorized access to device configurations, disrupt critical services, or launch brute-force and MD5 collision attacks.

Vulnerability Details:

• CVE ID: CVE-2024-12297
• Severity: Critical (CVSS 9.2)
• Vulnerability Type: Authentication Bypass
• Impact: 
  • Unauthorized access to device settings
  • Disruption of industrial control systems
  • Data exfiltration and manipulation
  • Full compromise of critical network infrastructure

Affected Products & Firmware:

• PT-508, PT-510, PT-7728, PT-7828 – Firmware ≤ 3.8/3.9/4.0
• PT-7528 – Firmware ≤ 5.0
• PT-G503 – Firmware ≤ 5.3
• PT-G510, PT-G7728, PT-G7828 – Firmware ≤ 6.5

Recommendations:

• Contact Moxa Technical Support and apply the available patches immediately.
• Replace default credentials with strong, unique passwords.
• Implement network segmentation and monitor for anomalies.
• Regularly update firmware across all affected models.

Reference:
https://www.moxa.com/en/support/product-support/security-advisory/mpsa-241408-cve-2024-12297-frontend-authorization-logic-disclosure-vulnerability-identified-in-pt-switches 

10. Exploited Vulnerability in Juniper Networks Junos OS

A privilege escalation vulnerability (CVE-2025-21590, CVSS 6.7 – Medium) in Juniper Junos OS is being actively exploited in the wild. Local attackers with shell access and high privileges can execute arbitrary code, potentially compromising device integrity.

Key Details:

• CVE ID: CVE-2025-21590
• Severity: Medium (CVSS 6.7)
• Attack Vector: Local (requires shell access; CLI access not sufficient)
• Impact: Arbitrary code execution, compromise of system integrity
• Root Cause: Improper kernel isolation in Junos OS

Affected Versions:

• Versions prior to: 
  • 21.2R3-S9*
  • 21.4R3-S10
  • 22.2R3-S6
  • 22.4R3-S6
  • 23.2R2-S3
  • 23.4R2-S4*
  • 24.2R1-S2 / 24.2R2 / 24.4R1+
• Note: Junos OS Evolved is not affected.

Mitigation & Recommendations:

• Upgrade to the fixed versions listed above.
• Temporarily restrict shell access to trusted users only.
• Note that EOE/EOL versions will not be patched.

Reference:
https://supportportal.juniper.net/s/article/2025-03-Out-of-Cycle-Security-BulletinJunos-OS-A-local-attacker-with-shell-access-can-execute-arbitrary-code-CVE-2025-21590?language=en_US 

11. Remote Code Execution Vulnerability in Apache OFBiz

A server-side template injection vulnerability in the Apache OFBiz eCommerce plugin allows remote code execution (RCE) on systems running versions 18.12.17 to 18.12.18. The flaw arises from improper handling of special elements in the template engine, allowing attackers to execute arbitrary code.

Key Details:

• Severity: Important
• Affected Product: Apache OFBiz eCommerce Plugin
• Affected Versions: 18.12.17 – 18.12.18
• Fixed Version: 18.12.18 or later
• Impact: Remote code execution, system compromise, data exfiltration, service disruption

Recommendations:

• Upgrade immediately to version 18.12.18 or later via the official Apache website.

Reference:
https://ofbiz.apache.org/security.html

12. Critical Remote Code Execution Vulnerability in Synology Camera

A critical out-of-bounds read vulnerability (CVE-2024-11131) has been identified in Synology Camera Firmware, affecting BC500, CC400W, and TC500 models. This flaw allows unauthenticated remote attackers to execute arbitrary code via network-based vectors.

Key Details:

• CVE ID: CVE-2024-11131
• Severity: Critical
• CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
• Vulnerability Type: Out-of-Bounds Read
• Impact: Remote Code Execution, full system compromise, unauthorized access
• Affected Models: BC500, CC400W, TC500
• Fixed Version: 1.2.0-0525 or later

Recommendations:

• Immediately upgrade firmware to version 1.2.0-0525 or newer on all affected devices.

Reference:
https://www.synology.com/en-global/security/advisory/Synology_SA_24_24

13. Multiple Vulnerabilities in Synology Products

Multiple vulnerabilities have been identified in Synology BeeStation Manager (BSM), DiskStation Manager (DSM), and Unified Controller (DSMUC), potentially leading to remote code execution, unauthorized file access, and limited file modification.

Key Vulnerabilities:

• CVE-2024-10441 (CVSS 9.8 – Critical): Improper encoding in the system plugin daemon allows remote code execution via unspecified vectors.
• CVE-2024-50629 (CVSS 5.3 – Moderate): Improper output encoding in the webapi component allows attackers to read limited files remotely.
• CVE-2024-10445 (CVSS 4.3 – Moderate): Improper certificate validation in the update function allows remote attackers to write limited files.

Affected Products & Fixed Versions:

• BeeStation OS 1.0 and 1.1: Upgrade to version 1.1-65374 or later.
• DSM 6.2.4: Upgrade to 6.2.4-25556-8 or later.
• DSM 7.1.1: Upgrade to 7.1.1-42962-7 or later.
• DSM 7.2: Upgrade to 7.2-64570-4 or later.
• DSM 7.2.1: Upgrade to 7.2.1-69057-6 or later.
• DSM 7.2.2: Upgrade to 7.2.2-72806-1 or later.
• DSMUC 3.1.4: Upgrade to 3.1.4-23079 or later.

Recommendations: Update all affected products to their respective fixed versions to prevent exploitation. Monitor systems for unauthorized access or anomalies.

Reference:
https://www.synology.com/en-global/security/advisory/Synology_SA_24_23

14. Multiple Vulnerabilities in Atlassian Products

Atlassian has released its March 2025 Security Bulletin addressing 13 high-severity vulnerabilities across multiple products, including Bamboo, Bitbucket, Crowd, Jira Software, and Jira Service Management (Data Center and Server). These vulnerabilities may allow remote code execution, denial of service (DoS), SQL injection, and unauthorized access.

Key Affected Products & Vulnerabilities:

• Bamboo Data Center and Server
  • CVE-2025-24970: DoS via io.netty:netty-handler (CVSS 7.5)
  • Fixed Versions: 10.2.2 (LTS), 9.6.11 (LTS)
• Bitbucket Data Center and Server
  • Vulnerabilities: DoS, SQL Injection, and issues in third-party dependencies
    (CVE-2024-4367, CVE-2024-45296, CVE-2024-29857, CVE-2022-31197, CVE-2022-21724)
  • CVSS Scores: 7.0 to 8.8
  • Fixed Versions: 9.5.2, 8.19.16, 9.4.4, 8.9.26
• Crowd Data Center and Server
  • CVEs: CVE-2023-52428, CVE-2025-24970, CVE-2023-44487
  • Impact: Denial of Service (DoS)
  • Fixed Version: 6.2.2
• Jira Data Center and Server
  • CVEs: CVE-2024-38819 (Path Traversal), CVE-2024-47072 (DoS)
  • CVSS Score: 7.5
  • Fixed Versions: 10.5.0, 10.3.4 (LTS), 9.12.19 (LTS)
• Jira Service Management Data Center and Server
  • Same CVEs as Jira
  • Fixed Versions: 10.5.0, 10.3.4 (LTS), 5.12.19 (LTS)

Recommendations: Upgrade affected Atlassian products to their respective fixed versions as soon as possible. Review and monitor logs for suspicious activity if immediate patching isn’t feasible.

Reference:
https://confluence.atlassian.com/security/security-bulletin-march-18-2025-1527943363.html 

15. Critical Vulnerability in HPE Cray XD670 Servers

A critical vulnerability has been discovered in the HPE Cray XD670 servers utilizing the AMI BMC Redfish API. This flaw (CVE-2024-540385, CVSS 10.0) allows remote attackers to bypass authentication and gain full control of the Baseboard Management Controller (BMC) without valid credentials.

Vulnerability Details:

• CVE ID: CVE-2024-540385
• Severity: Critical
• CVSS Score: 10.0
• Vulnerability Type: Remote Authentication Bypass
• Attack Vector: Remote (No credentials required)
• Impact: 
  • Complete server compromise
  • Unauthorized access to BMC
  • Potential data breach, DoS, and malware deployment
  • Risk of lateral movement in HPC environments

Affected Version:

• HPE Cray XD670 servers with BMC firmware prior to version 1.19

Fixed Version:

• BMC firmware 1.19 or later

Recommendations:

• Upgrade BMC firmware to version 1.19 or later.
• Review server access logs and restrict access to the BMC interface.
• Isolate BMC interfaces from untrusted networks and enforce access control.

Reference:
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbcr04828en_us&docLocale=en_US 

16. High-Severity Vulnerability in Apache Camel

A high-severity vulnerability (CVE-2025-29891) has been identified in Apache Camel, a widely-used open-source integration framework. This flaw allows attackers to inject malicious headers via HTTP request parameters, potentially manipulating application behavior and leading to code execution, denial of service, or unauthorized access.

Vulnerability Details:

• CVE ID: CVE-2025-29891
• Severity: High
• Vulnerability Type: Header Injection via HTTP
• Impact: 
  • Arbitrary code execution
  • Unauthorized access to sensitive data
  • Manipulation of application logic
  • Denial of service
• Exploit: Proof-of-concept (PoC) publicly available

Affected Components:

• camel-servlet
• camel-jetty
• camel-undertow
• camel-platform-http
• camel-netty-http

Affected Versions:

• Apache Camel 4.10.0 to 4.10.1
• Apache Camel 4.8.0 to 4.8.4
• Apache Camel 3.10.0 to 3.22.3

Fixed Versions:

• Apache Camel 3.22.4
• Apache Camel 4.8.5
• Apache Camel 4.10.2

Recommendations:

• Upgrade to the patched versions immediately.
• Implement the RemoveHeaders Enterprise Integration Pattern (EIP) to filter out potentially malicious headers.
• Specifically block headers containing ‘cAmel’, ‘cAMEL’, or those not starting with ‘Camel’, ‘camel’, or ‘org.apache.camel’.
• Monitor HTTP request logs for abnormal activity.

References:

• https://camel.apache.org/security/CVE-2025-29891.html
• https://github.com/akamai/CVE-2025-27636-Apache-Camel-PoC

17. Critical Supply Chain Compromise in GitHub Action

A critical supply chain attack has been identified in the popular GitHub Action tj-actions/changed-files, used in over 23,000 repositories. The attacker modified version tags to reference a malicious commit that exposed CI/CD secrets in GitHub workflow logs. This allowed potential access to sensitive credentials such as AWS keys, GitHub PATs, npm tokens, and RSA keys.

Vulnerability Details:

• CVE ID: CVE-2025-30066
• Severity: High (CVSS Score: 8.6)
• Component Affected: tj-actions/changed-files GitHub Action
• Attack Method: 
  • Compromise of GitHub PAT tied to @tj-actions-bot.
  • Retroactive version tag modification to a malicious commit.
  • Execution of a remote Python script that printed secrets from the CI runner into logs.
  • Logs accessible publicly in some cases, leading to possible credential leakage.

Potential Impact:

• Unauthorized access to: 
  • AWS access keys
  • GitHub Personal Access Tokens (PATs)
  • npm tokens
  • Private RSA keys
• Threat of infrastructure compromise and CI/CD supply chain poisoning.

Immediate Actions:

• Upgrade to version v46.0.1 of tj-actions/changed-files.
• Audit logs for suspicious outputs under the changed-files step (between March 14–15, 2025).
• Revoke and replace any secrets that may have been exposed.
• Restrict public access to GitHub Actions logs.
• Implement OIDC authentication instead of PATs for better security posture.
• Enforce Principle of Least Privilege (PoLP) on repositories and workflows.

Reference:

• https://nvd.nist.gov/vuln/detail/CVE-2025-30066

18. Windows Shortcut Exploit Abused in Widespread APT Campaigns

A critical vulnerability in Windows shortcut (.lnk) files, ZDI-CAN-25373, is being actively exploited by state-sponsored APTs and cybercriminal groups. Over 1,000 malicious .lnk files abusing this flaw have been observed targeting high-profile sectors.

Vulnerability Details:

• ID: ZDI-CAN-25373
• Attack Vector: Malicious .lnk files with padded whitespace in COMMAND_LINE_ARGUMENTS
• Payloads: Commodity malware and MaaS variants
• Affected Sectors: Government, Finance, Telecom, Military, Energy, NGOs
• APT Groups: 11+ involved; North Korea most active
• Motivations: Espionage (70%), Financial gain (20%)

Technical Summary:

• Exploits the MS-SHLLINK format using manipulated fields like ShellLinkHeader, LinkFlags, COMMAND_LINE_ARGUMENTS, and ICON_LOCATION
• Uses whitespace padding to hide malicious commands
• Some .lnk files exceed 70MB in size for evasion

Recommended Actions:

• Scan systems for suspicious .lnk files
• Block execution of untrusted .lnk files via Group Policy
• Restrict command-line execution in .lnk files
• Inspect .lnk files using forensic tools
• Enable SIEM rules and monitor IOCs
• Conduct regular threat hunting
• Train users to avoid interacting with unknown shortcuts
• Restrict user privileges to reduce attack surface

Reference:
https://www.trendmicro.com/en_us/research/25/c/windows-shortcut-zero-dayexploit.html

19. ZDI-CAN-25373: Windows Shortcut Exploit Abused as Zero-Day in Widespread APT Campaigns

A zero-day vulnerability in Windows Shortcut (.lnk) files, tracked as ZDI-CAN-25373, has been extensively abused by state-sponsored APTs and cybercriminals. The flaw allows execution of hidden commands via padded arguments in .lnk files, and has been linked to over 1,000 samples across various campaigns since 2017. Microsoft has not issued a patch, despite active exploitation.

Details:

• Type: User Interface Misrepresentation of Critical Info (CWE-451)
• Exploitation Method: 
  • Whitespace padding (e.g., Space, Tab, CRLF) in .lnk command-line arguments
  • Prevents Windows UI from displaying malicious content
  • Triggers execution via cmd.exe, powershell.exe, or LOLBins
• File Size Evasion: Some .lnk files >70MB used by APTs
• Proof-of-Concept: Publicly available
• Vendor Response: Microsoft declined to patch (marked low severity)

APT Threat Landscape:

• Active Since: 2017
• APT Origin Countries: North Korea, Iran, Russia, China
• Known Threat Groups: APT37 (Earth Manticore), Earth Imp (Konni), Evil Corp (Water Asena), and more
• APT Motives: 
  • 70% Espionage / Intelligence Theft
  • 20% Financial Gain
• Geographic Target Spread: US, Canada, Europe, Asia, South America, Africa, Australia

Reference:

https://www.trendmicro.com/en_us/research/25/c/windows-shortcut-zero-day-exploit.html 

20. UNC3886 Chinese APT Targets Juniper Routers with Custom Malware Backdoors

A sophisticated espionage campaign by Chinese state-sponsored APT group UNC3886 has been observed targeting end-of-life Juniper Networks routers running Junos OS. The campaign, active since mid-2024, involves custom malware based on TinyShell, stealthy persistence mechanisms, and advanced process injection techniques to evade detection.

Threat Summary:

• APT Group: UNC3886 (China-backed)
• Targeted Devices: Juniper Networks routers (EoL hardware/software) running Junos OS
• Malware Used: 6 custom TinyShell-based backdoor variants
• Initial Access Vector: 
  • Compromised network authentication services
  • Terminal servers with router access
  • Legitimate credentials obtained for lateral movement

Technical Details:

• Backdoor Capabilities: 
  • Active and passive C2 communication
  • Logging mechanism deactivation
  • Malware tailored for Junos OS internals
• Evading Security: 
  • Circumvented Juniper’s Verified Exec (veriexec) via process injection
  • Used base64 + here document to create and execute payloads stealthily
  • Leveraged standard FreeBSD tools (dd, mkfifo, cat) to mimic legitimate behavior
• C2 Behavior: 
  • Some variants established active connections
  • Others used passive listening for commands embedded in network traffic

Recommended Actions:

• Upgrade Juniper devices to latest supported versions
• Implement multi-factor authentication (MFA) and granular access control
• Strengthen vulnerability management and patching practices
• Deploy advanced logging and behavioral monitoring
• Use threat intelligence to reassess and adapt defenses to APT TTPs

Reference:
https://www.computerweekly.com/news/366620812/Chinese-espionage-group-UNC3886-targets-Juniper-routers 

21. ClearFake’s New Variant: Web3-Enhanced Drive-By Malware Delivery

The latest ClearFake campaign leverages Web3 capabilities and blockchain storage to deliver malware through fake browser update lures. This JavaScript-based framework, active since July 2023, has evolved to exploit Binance Smart Chain smart contracts to evade detection and persist malicious payloads. The campaign uses drive-by download techniques with ClickFix social engineering tactics to deploy malware like Lumma Stealer and Vidar.

Threat Summary:

• Name: ClearFake (New Variant – Feb 2025)
• Technique: Drive-by download, Web3-enabled malware delivery
• Primary Lures: Fake Cloudflare Turnstile, Fake reCAPTCHA, Fake DNS error
• Delivery Vector: JavaScript injected into compromised WordPress sites
• Blockchain Abuse: Binance Smart Chain, Smart Contract ABI storage
• Victims: Over 200,000 unique users potentially exposed daily
• Payloads Delivered: Lumma Stealer, Vidar Stealer via Emmenhtal Loader

Technical Highlights:

• Web3 Usage: 
  • Smart contracts store JavaScript payloads, encrypted HTML, AES keys, PowerShell commands
  • Contracts retrieved via ethers.js using custom ABIs
• Malware Execution Chain: 

1. Initial JS loads external libraries and smart contracts
2. ABI returns gzip/base64 payloads → decompressed → executed with eval()
3. Fingerprinting using User-Agent to tailor payloads
4. Encrypted lure HTMLs fetched from Cloudflare Pages
5. Decrypted using AES-GCM and injected into fullscreen iframe
6. Fake prompts trick users into executing obfuscated PowerShell (ClickFix)

• PowerShell Execution: 
  1. Executes remote MSHTA scripts disguised as .mp3/.mp4/.m4a
  2. Emmenhtal Loader decrypts AES payloads to drop Lumma
  3. Uses ActiveXObject and WScript.Shell.Run for execution
• Payload Obfuscation: 
  1. Multiple layers: base64, gzip, XOR, character shifting
  2. Bypasses AMSI, mimics system processes

Recommendations:

• Block access to known ClearFake domains and wallets
• Monitor clipboard data and MSHTA execution
• Scan web servers for injected JavaScript patterns
• Use endpoint protection to detect Emmenhtal and Lumma Stealer behavior
• Raise user awareness about fake update prompts and browser errors

Reference:

https://blog.sekoia.io/clearfakes-new-widespread-variant-increased-web3-exploitation-for-malware-delivery/ 

22. Microsoft Copilot Spoofing – A New Phishing Threat

A sophisticated phishing campaign is impersonating Microsoft Copilot to trick enterprise users into revealing credentials. The multi-stage attack leverages spoofed invoices, branded login pages, and fake MFA prompts to bypass user defenses. Exploiting confusion around Microsoft Copilot’s billing processes, the attackers enhance legitimacy through deceptive branding and social engineering.

Threat Summary:

• Name: Microsoft Copilot Phishing Spoof
• Tactic: Credential harvesting via invoice spoofing and MFA deception
• Method: Phishing emails, spoofed domains, fake authentication pages
• Target Audience: Enterprise employees (esp. unfamiliar with Copilot billing)
• Impact: Account takeover, unauthorized access, potential lateral movement

Attack Chain:

1. Initial Phishing Email:
   • Poses as Microsoft Copilot billing notice (e.g., $360 charge).
   • Urgency tactic: “Overdue payment” resolution needed.
   • Spoofed sender addresses and mismatched branding.
2. Credential Harvesting:
   • Fake login pages hosted on non-Microsoft domains (e.g., ubpages.com, folacademy.com).
   • Mimics Microsoft Copilot interface and design.
   • Lacks “forgot password” option – a red flag.
3. Fake MFA Page (Bypass & Delay):
   • Redirect to spoofed Authenticator prompt after login.
   • Mimics Microsoft MFA process to delay user suspicion.
   • Grants attacker time to access accounts before detection.

Reference:

https://cofense.com/blog/microsoft-copilot-spoofing-a-new-phishing-vector