Cyber Threat Intelligence 06 May 2025
New Tooling
- Vuls: Open-Source Agentless Vulnerability Scanner
"Vuls is an open-source tool that helps users find and manage security vulnerabilities. It was created to solve the daily problems admins face when trying to keep servers secure. Many administrators choose not to use automatic software updates because they want to avoid downtime in production. Instead, they update systems manually. This creates challenges. Admins must watch databases like the National Vulnerability Database (NVD) for new threats. When there are many packages installed, tracking all of them becomes almost impossible. Analyzing which servers are affected takes time and costs money. It’s also easy to miss something by accident."
https://www.helpnetsecurity.com/2025/05/05/vuls-open-source-agentless-vulnerability-scanner/
https://github.com/future-architect/vuls
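The problem the excerpt describes, matching every installed package against an advisory feed, is mostly version arithmetic, and Debian-style versions (epochs, `~` pre-release suffixes, `+deb12u2` revisions) do not compare correctly as plain strings. The Python below is an added example written for this digest, not Vuls's own code: it reimplements dpkg's version comparison, parses constructed `dpkg-query` output of the kind an agentless scanner would pull over SSH, and flags packages older than an advisory's fixed version. The `ADV-EXAMPLE` identifiers are invented, and the 2.13.1 fix version attached to CVE-2025-27363 is an assumption derived from the "2.13.0 and below" range quoted later on this page, not data from any feed.

```python
# Added example: a minimal agentless package-vs-advisory check in the spirit of
# Vuls. The dpkg output and the advisory feed below are constructed sample data.

def _order(c: str) -> int:
    """dpkg's weight for a non-digit character: '~' sorts before everything
    (even end of string), letters by ASCII, other punctuation after letters,
    and end of string or a digit counts as 0."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256

def _verrevcmp(a: str, b: str) -> int:
    """dpkg's verrevcmp: alternately compare non-digit runs and numeric runs."""
    def at(s: str, k: int) -> str:
        return s[k] if k < len(s) else ""
    i = j = 0
    while at(a, i) or at(b, j):
        first_diff = 0
        while (at(a, i) and not at(a, i).isdigit()) or (at(b, j) and not at(b, j).isdigit()):
            ac, bc = _order(at(a, i)), _order(at(b, j))
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while at(a, i) == "0":
            i += 1
        while at(b, j) == "0":
            j += 1
        while at(a, i).isdigit() and at(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if at(a, i).isdigit():
            return 1
        if at(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def _split(version: str):
    """Split '[epoch:]upstream[-revision]' the way dpkg does."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1 as Debian version a is older than, equal to, or newer than b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return 1 if ea > eb else -1
    c = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (c > 0) - (c < 0)

def parse_dpkg(output: str) -> dict:
    """Parse `dpkg-query -W -f='${Package} ${Version}\\n'` output into {package: version}."""
    installed = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 2:
            installed[parts[0]] = parts[1]
    return installed

def scan(installed: dict, advisories: list) -> list:
    """Every installed package whose version is older than an advisory's fixed_in."""
    findings = []
    for adv in advisories:
        ver = installed.get(adv["package"])
        if ver is not None and compare_versions(ver, adv["fixed_in"]) < 0:
            findings.append({"package": adv["package"], "installed": ver,
                             "advisory": adv["id"], "fixed_in": adv["fixed_in"]})
    return findings

# Constructed: what the dpkg-query line above might return over SSH from one host.
SAMPLE_DPKG = """\
libfreetype6 2.12.1+dfsg-5
openssl 3.0.11-1~deb12u1
curl 7.88.1-10+deb12u5
"""

# Constructed advisory feed. The FreeType entry turns the page's "2.13.0 and below"
# into an assumed fixed_in of 2.13.1; the ADV-EXAMPLE ids are invented.
ADVISORIES = [
    {"id": "CVE-2025-27363", "package": "libfreetype6", "fixed_in": "2.13.1"},
    {"id": "ADV-EXAMPLE-1", "package": "openssl", "fixed_in": "3.0.11-1~deb12u2"},
    {"id": "ADV-EXAMPLE-2", "package": "curl", "fixed_in": "7.88.1-10+deb12u3"},
]

if __name__ == "__main__":
    for f in scan(parse_dpkg(SAMPLE_DPKG), ADVISORIES):
        print(f"{f['package']} {f['installed']} < {f['fixed_in']}  ({f['advisory']})")
```

The caveat that matters in practice, and the reason Vuls consumes distribution OVAL and security-tracker data rather than raw NVD ranges: distributions backport fixes without bumping the upstream version, so an upstream-only range such as "2.13.0 and below" will flag a patched `2.12.1+dfsg-5+deb12uN` as vulnerable. Compare against the distribution's own fixed version for that package name, and keep the epoch and revision logic intact, because `1:1.0` really is newer than `2.0` and `1.0~rc1` really is older than `1.0`.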
Vulnerabilities
- Google Addresses 1 Actively Exploited Vulnerability In May’s Android Security Update
"Google addressed 47 vulnerabilities affecting Android devices in its May security update, including an actively exploited software defect that was first disclosed in March. Google said the high-severity vulnerability, CVE-2025-27363, “may be under limited, targeted exploitation.” The out-of-bounds write defect in FreeType versions 2.13.0 and below may result in arbitrary code execution, Facebook said in March when it disclosed the vulnerability in a security advisory acting in its capacity as a CVE numbering authority. The vulnerability has a base score of 8.1 on the CVSS scale and is still awaiting further assessment by the National Institute of Standards and Technology’s National Vulnerability Database program."
https://cyberscoop.com/android-security-update-may-2025/
https://source.android.com/docs/security/bulletin/2025-05-01
- CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2025-3248 Langflow Missing Authentication Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/05/05/cisa-adds-one-known-exploited-vulnerability-catalog
- The Risk Of Default Configuration: How Out-Of-The-Box Helm Charts Can Breach Your Cluster
"Have you ever used pre-made deployment templates to quickly spin up applications in Kubernetes environments? While these “plug-and-play” options greatly simplify the setup process, they often prioritize ease of use over security. As a result, a large number of applications end up being deployed in a misconfigured state by default, exposing sensitive data, cloud resources, or even the entire environment to attackers. Cloud-native applications are software systems designed to fully leverage the flexibility and scalability of the cloud. These applications are broken into small services called microservices. Usually, each service is packaged in a container with all its dependencies, making it easy to deploy across different environments. Kubernetes then orchestrates these services, automatically handling their deployment, scaling, and health checks."
https://techcommunity.microsoft.com/blog/microsoftdefendercloudblog/the-risk-of-default-configuration-how-out-of-the-box-helm-charts-can-breach-your/4409560
https://www.bleepingcomputer.com/news/security/microsoft-finds-default-kubernetes-helm-charts-can-expose-data/
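The excerpt's point is that a chart's defaults, not the application, decide whether a service ends up reachable from the Internet without authentication, running as root, with a fixed password in its environment. Below is an added Python lint written for this digest, not code from Microsoft or from any chart project, that walks rendered manifests supplied as JSON objects (a plain array, or the v1 `List` with `items` that `kubectl get ... -o json` returns) and flags those defaults. The manifests are constructed, the `example/app-ui` image and `app-admin` Secret are invented, and the rule set is a deliberately small subset of what a policy engine would check.

```python
# Added example: lint rendered Kubernetes manifests for the risky defaults that
# out-of-the-box charts tend to ship. All manifests here are constructed.
import json

EXPOSED_SERVICE_TYPES = {"LoadBalancer", "NodePort"}
CREDENTIAL_HINTS = ("PASSWORD", "PASSWD", "SECRET", "TOKEN", "API_KEY")

def _pod_spec(obj: dict):
    """Return the pod spec embedded in a workload object, or None for other kinds."""
    kind, spec = obj.get("kind"), obj.get("spec", {})
    if kind == "Pod":
        return spec
    if kind in ("Deployment", "StatefulSet", "DaemonSet", "ReplicaSet", "Job"):
        return spec.get("template", {}).get("spec", {})
    if kind == "CronJob":
        return spec.get("jobTemplate", {}).get("spec", {}).get("template", {}).get("spec", {})
    return None

def _runs_as_root(pod_sc: dict, sc: dict) -> bool:
    """Container securityContext overrides the pod's; root unless proven otherwise."""
    user = sc.get("runAsUser", pod_sc.get("runAsUser"))
    if user is not None:
        return user == 0
    return sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True

def lint(manifests: list) -> list:
    """Return (kind, name, finding) tuples for risky defaults in rendered manifests."""
    findings = []
    for obj in manifests:
        kind = obj.get("kind", "?")
        name = obj.get("metadata", {}).get("name", "?")
        if kind == "Service":
            svc_type = obj.get("spec", {}).get("type", "ClusterIP")
            if svc_type in EXPOSED_SERVICE_TYPES:
                findings.append((kind, name, f"reachable from outside the cluster (type {svc_type})"))
            continue
        pod = _pod_spec(obj)
        if pod is None:
            continue
        if pod.get("hostNetwork"):
            findings.append((kind, name, "hostNetwork: true shares the node's network namespace"))
        pod_sc = pod.get("securityContext", {})
        for c in pod.get("initContainers", []) + pod.get("containers", []):
            cname, sc = c.get("name", "?"), c.get("securityContext", {})
            if sc.get("privileged"):
                findings.append((kind, name, f"container {cname} is privileged"))
            if _runs_as_root(pod_sc, sc):
                findings.append((kind, name, f"container {cname} may run as root (no runAsNonRoot/runAsUser)"))
            for env in c.get("env", []):
                env_name = env.get("name", "").upper()
                # A literal `value` on a credential-looking variable is baked into the chart;
                # `valueFrom.secretKeyRef` is what a hardened chart uses instead.
                if "value" in env and any(h in env_name for h in CREDENTIAL_HINTS):
                    findings.append((kind, name, f"container {cname} carries literal credential {env['name']}"))
    return findings

def lint_json(text: str) -> list:
    """Accept either a JSON array of objects or a v1 List with `items`."""
    data = json.loads(text)
    return lint(data["items"] if isinstance(data, dict) else data)

# Constructed "chart default": UI exposed through a LoadBalancer, root, fixed admin password.
SAMPLE_MANIFESTS = [
    {"apiVersion": "v1", "kind": "Service", "metadata": {"name": "app-ui"},
     "spec": {"type": "LoadBalancer", "ports": [{"port": 80}]}},
    {"apiVersion": "v1", "kind": "Service", "metadata": {"name": "app-db"},
     "spec": {"type": "ClusterIP", "ports": [{"port": 5432}]}},
    {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "app"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "ui", "image": "example/app-ui:1.0",
          "env": [{"name": "ADMIN_PASSWORD", "value": "admin"}]}]}}}},
]

# Constructed hardened variant of the same workload: ClusterIP only, non-root, Secret reference.
HARDENED_MANIFESTS = [
    {"apiVersion": "v1", "kind": "Service", "metadata": {"name": "app-ui"},
     "spec": {"type": "ClusterIP", "ports": [{"port": 80}]}},
    {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "app"},
     "spec": {"template": {"spec": {
         "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
         "containers": [{"name": "ui", "image": "example/app-ui:1.0",
                         "securityContext": {"allowPrivilegeEscalation": False},
                         "env": [{"name": "ADMIN_PASSWORD", "valueFrom": {
                             "secretKeyRef": {"name": "app-admin", "key": "password"}}}]}]}}}},
]

if __name__ == "__main__":
    for kind, name, finding in lint(SAMPLE_MANIFESTS):
        print(f"{kind}/{name}: {finding}")
```

Run it against `helm template` output converted to JSON before anything is applied; the default manifests produce three findings and the hardened set none. A `LoadBalancer` Service is only a problem when the application behind it has no authentication of its own, which the lint cannot know, so the practical rule is to keep chart services `ClusterIP` and put exposure, TLS and authentication at an ingress you control.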
Malware
- From Callback Phishing To Extortion: Luna Moth Abuse Reamaze Helpdesk And RMM Tools Against U.S. Legal And Financial Sectors
"EclecticIQ analysts observed that as of March 2025, the financially motivated threat actor group Luna Moth [1] (also known as Silent Ransom Group, UNC3753, and Storm-0252) is very likely conducting high-tempo callback phishing campaigns targeting legal and financial organizations based in the United States. Luna Moth campaigns typically begin with phishing emails that lure victims into calling fake helpdesk numbers. Once connected, live operators posing as IT staff deceive victims into installing legitimate remote monitoring and management (RMM) tools. The attackers also registered typosquatted domains via GoDaddy, impersonating U.S. firms to collect contact details and enable targeted social engineering."
https://blog.eclecticiq.com/from-callback-phishing-to-extortion-luna-moth-abuse-reamaze-helpdesk-and-rmm-tools-against-u.s.-legal-and-financial-sectors?hs_preview=uuwiUNbk-189553948704
https://www.bleepingcomputer.com/news/security/luna-moth-extortion-hackers-pose-as-it-help-desks-to-breach-us-firms/
- Bring Your Own Installer: Bypassing SentinelOne Through Agent Version Change Interruption
"Aon’s Stroz Friedberg Incident Response Services (“Stroz Friedberg”) observed a method used by a threat actor to bypass SentinelOne Endpoint Detection and Response (“EDR”). This method circumvents SentinelOne’s anti-tamper feature by exploiting a flaw within the upgrade/downgrade process of the SentinelOne agent, resulting in an unprotected endpoint. In response to this attack pattern, SentinelOne provided mitigation steps to their clients and assisted Stroz Friedberg with a disclosure of this attack pattern to other EDR vendors. Customers of SentinelOne should review the remediation guidance to ensure they are protected."
https://www.aon.com/en/insights/cyber-labs/bring-your-own-installer-bypassing-sentinelone
https://www.bleepingcomputer.com/news/security/new-bring-your-own-installer-edr-bypass-used-in-ransomware-attack/
- Darcula PhaaS Steals 884,000 Credit Cards Via Phishing Texts
"The Darcula phishing-as-a-service (PhaaS) platform stole 884,000 credit cards from 13 million clicks on malicious links sent via text messages to targets worldwide. The cyber heist was done over seven months between 2023 and 2024, so it does not reflect the total amount the cybercrime platform has helped to steal. These numbers come from coordinated research by investigators from NRK, Bayerischer Rundfunk, Le Monde, and Norwegian security firm Mnemonic, who identified 600 operators (cybercrime clients) and the platform's main creator and seller."
https://www.bleepingcomputer.com/news/security/darcula-phaas-steals-884-000-credit-cards-via-phishing-texts/
https://www.mnemonic.io/resources/blog/exposing-darcula-a-rare-look-behind-the-scenes-of-a-global-phishing-as-a-service-operation
- Venom Spider Uses Server-Side Polymorphism To Weave a Web Around Victims
"As part of our ongoing tracking of the threat actor TA4557 (also known as Venom Spider), the Arctic Wolf Labs team discovered a new campaign targeting corporate human resources departments and recruiters. The threat group uses phishing techniques to drop an enhanced version of a potent backdoor called More_eggs onto victim devices. The group has historically targeted industry sectors that use online payment portals or e-commerce sites to do business, which in the past has included the retail, entertainment and pharmacy industries. This change is a tactical step up in terms of targeting, as it puts almost every industry and organization in the group’s crosshairs due to the one thing they all have in common: the need to hire new employees."
https://arcticwolf.com/resources/blog/venom-spider-uses-server-side-polymorphism-to-weave-a-web-around-victims/
https://www.darkreading.com/cyber-risk/venom-spider-phishing-scheme
- Russian Hackers Target Romanian State Websites On Election Day
"A Russian-linked hacktivist group known as NoName057(16) claimed responsibility for cyberattacks on several Romanian websites over the weekend, as voters headed to the polls to elect a new president. Among the targets of the distributed denial-of-service (DDoS) attacks were the official websites of the Ministry of Foreign Affairs, the Romanian government, the Constitutional Court and several presidential candidates. Romania’s National Directorate for Cyber Security (DNSC) confirmed the attacks, saying the affected websites had been restored. DDoS attacks typically flood targeted sites with traffic, making them unreachable."
https://therecord.media/hackers-target-romanian-websites-election
- Azerbaijan Blames Russian State Hackers For Cyberattacks On Local Media
"Azerbaijani officials claimed that the Russian state-sponsored hacker group APT29 was behind a cyberattack on several local media outlets earlier this year. The likely motive, according to Ramid Namazov, head of the Azerbaijani parliament's commission on countering hybrid threats, was retaliation for the closure of the Russian House state-funded cultural center in Baku and significant staff cuts at the Azerbaijani branch of Sputnik radio."
https://therecord.media/azerbaijan-blames-media-cyberattacks-russia-apt29
- PDFast Freeware Compromise Used To Distribute Malware
"Lumifi Cyber regularly issues notifications regarding emerging and critical security vulnerabilities that could pose a risk to your organization's network and assets. Staying up to date with these vulnerabilities is a key part of maintaining a strong security posture. This is an advisory only and is not indicative of activity seen in your network."
https://www.lumificyber.com/threat-library/pdfast-freeware-compromise-used-to-distribute-malware/
- Gunra Ransomware – A Brief Analysis
"At CYFIRMA, we are committed to delivering timely insights into emerging cyber threats and the evolving tactics of cybercriminals targeting individuals and organizations. This report provides a concise analysis of Gunra Ransomware, highlighting its techniques, impact, and potential risks. Gunra ransomware targets various industries globally, including real estate, pharmaceuticals, and manufacturing. It employs a double-extortion technique by threatening to leak stolen data on its Tor-hosted extortion site. The malware exhibits several malicious behaviours such as enumerating running processes, deleting shadow copies via Windows Management Instrumentation (WMI), and retrieving system information. Gunra’s sample exhibits capabilities to detect debuggers and enumerate files. Victims of this ransomware group include companies from Japan, Egypt, Panama, Italy, and Argentina. Organizations should bolster phishing defences, monitor internal movement, and ensure robust backup strategies."
https://www.cyfirma.com/research/gunra-ransomware-a-brief-analysis/
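Of the behaviours the excerpt lists, shadow copy deletion is the one with a clean, high-signal detection: it is rare in normal operations, it happens just before encryption, and the command lines are short. The Python below is an added example written for this digest, not CYFIRMA's code and not derived from the Gunra sample, that runs over constructed Sysmon process-creation events (one JSON object per line) and flags the WMI route the excerpt names together with the vssadmin, PowerShell and wbadmin equivalents, rating a hit higher when the parent process lives in a user-writable directory. The paths, PIDs and the `update.exe` dropper name are invented.

```python
# Added example: detect volume shadow copy destruction (MITRE ATT&CK T1490) in
# Sysmon Event ID 1 records. Events below are constructed, not from a real host.
import json
import re

# The page names the WMI route; the vssadmin, PowerShell and wbadmin variants reach
# the same end and are worth catching in one rule set.
RULES = [
    ("wmic shadowcopy delete", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("vssadmin delete shadows", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("PowerShell Win32_ShadowCopy removal",
     re.compile(r"Win32_ShadowCopy.*?(Remove-WmiObject|Remove-CimInstance|\.Delete\(\))", re.I)),
    ("wbadmin delete catalog", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
]

# A parent living in a user-writable location has no business deleting shadow copies.
SUSPICIOUS_PARENT = re.compile(r"\\(Temp|AppData|Downloads|ProgramData|Public)\\", re.I)

def classify(command_line: str):
    """Name of the first matching rule, or None when the command line is benign."""
    for name, rx in RULES:
        if rx.search(command_line):
            return name
    return None

def detect(events_jsonl: str) -> list:
    """Scan Sysmon process-creation events (JSON lines) for shadow copy deletion."""
    hits = []
    for line in events_jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 1:
            continue
        technique = classify(ev.get("CommandLine", ""))
        if technique is None:
            continue
        parent = ev.get("ParentImage", "")
        hits.append({
            "pid": ev.get("ProcessId"),
            "technique": technique,
            "parent": parent,
            "cmd": ev.get("CommandLine", ""),
            "severity": "high" if SUSPICIOUS_PARENT.search(parent) else "medium",
        })
    return hits

# Constructed Sysmon events; `vssadmin list shadows` and explorer.exe are the benign controls.
SAMPLE_EVENTS = r"""
{"EventID":1,"ProcessId":4120,"Image":"C:\\Windows\\System32\\wbem\\WMIC.exe","CommandLine":"wmic shadowcopy delete","ParentImage":"C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe"}
{"EventID":1,"ProcessId":4133,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell -nop -c \"Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }\"","ParentImage":"C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe"}
{"EventID":1,"ProcessId":4150,"Image":"C:\\Windows\\System32\\vssadmin.exe","CommandLine":"vssadmin list shadows","ParentImage":"C:\\Windows\\System32\\cmd.exe"}
{"EventID":1,"ProcessId":4161,"Image":"C:\\Windows\\System32\\vssadmin.exe","CommandLine":"vssadmin delete shadows /all /quiet","ParentImage":"C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe"}
{"EventID":1,"ProcessId":4170,"Image":"C:\\Windows\\explorer.exe","CommandLine":"C:\\Windows\\explorer.exe","ParentImage":"C:\\Windows\\System32\\userinit.exe"}
"""

if __name__ == "__main__":
    for h in detect(SAMPLE_EVENTS):
        print(f"[{h['severity']}] pid {h['pid']} {h['technique']}: {h['cmd']}  (parent {h['parent']})")
```

Command-line matching is the floor, not the ceiling: quote insertion (`w"mi"c`), environment-variable expansion and base64-encoded PowerShell all slip past these regexes, so treat any match as an immediate page rather than a ticket, and add a second rule on the parent relationship itself (anything outside an admin tool or backup agent spawning `vssadmin.exe`, `wbadmin.exe` or `WMIC.exe`), which survives most obfuscation of the arguments.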
Breaches/Hacks/Leaks
- Unofficial Signal App Used By Trump Officials Investigates Hack
"TeleMessage, an Israeli company that sells an unofficial Signal message archiving tool used by some U.S. government officials, has suspended all services after reportedly being hacked. Smarsh, the parent company of TeleMessage, confirmed that all TeleMessage services have been suspended while it's investigating what it described as "a potential security incident." "TeleMessage is investigating a potential security incident. Upon detection, we acted quickly to contain it and engaged an external cybersecurity firm to support our investigation," a company spokesperson told BleepingComputer."
https://www.bleepingcomputer.com/news/security/unofficial-signal-app-used-by-trump-officials-investigates-hack/
https://www.bankinfosecurity.com/telemessage-goes-dark-after-trump-adviser-photo-fallout-a-28291
https://securityaffairs.com/177458/hacking/a-hacker-stole-data-from-telemessage-the-firm-that-sells-modified-versions-of-signal-to-the-u-s-gov.html
https://hackread.com/telemessage-hack-exposes-modified-signal-app-data/
https://www.theregister.com/2025/05/05/telemessage_investigating/
- Hackers Launch ‘serious’ Attacks Against Georgia School District, New Mexico University
"Multiple school districts and a university in New Mexico are currently suffering from cyberattacks causing operational issues for thousands of students. In a statement on Sunday, Georgia’s Coweta County School System said it experienced a cyberattack on Friday evening that will impact its 23,000 students across 29 K-12 schools. “Some school system network processes will be hampered in the coming days, and school system employees have been advised not to access desktop devices, while the matter is being investigated,” the school district said."
https://therecord.media/hackers-serious-georgia-new-mexico
- Kelly Benefits Data Breach Impact Grows To 400,000 Individuals
"Benefits and payroll solutions firm Kelly & Associates Insurance Group (dba Kelly Benefits) has revealed that the impact of a recently disclosed data breach is significantly bigger than initially believed. Kelly Benefits provides benefits administration, broker, and payroll solutions in Maryland and surrounding states. The company revealed last month that it was targeted by hackers in December 2024. An investigation showed that the attackers managed to exfiltrate personal information during a five-day period, including name, SSN, date of birth, tax ID number, health insurance and medical information, as well as financial account information."
https://www.securityweek.com/kelly-benefits-data-breach-impact-grows-to-400000-individuals/
https://securityaffairs.com/177476/data-breach/kelly-benefits-december-data-breach-impacted-over-400000-individuals.html
General News
- Ransomware Spike Exposes Cracks In Cloud Security
"90% of IT and security leaders said their organization experienced a cyberattack within the last year, according to a report by Rubrik. “Many organizations that move to the cloud assume their providers will handle security,” said Joe Hladik, Head of Rubrik Zero Labs. “The persistence of ransomware attacks, coupled with the exploitation of hybrid cloud vulnerabilities, shows that threat actors are always one step ahead. Companies must take action and adopt an attacker’s mindset by identifying – and protecting – the most valuable data before it’s too late. The need for a data-centric security strategy that prioritizes visibility, control, and quick recovery has never been more urgent.”"
https://www.helpnetsecurity.com/2025/05/05/cloud-ransomware-attacks-rubrik/
- How To Avoid Critical Integration Mistakes In Your Cybersecurity Stack
"Building unbeatable defenses against ever-evolving cyber threats often puts organizations in a tough spot. Today, most organizations rely on a vast portfolio of cybersecurity tools implemented across different layers to address diverse needs—ranging from firewalls (FWs) and cloud infrastructures with built-in and third-party security solutions to email protection, endpoint detection, and response (EDR) platforms, and threat intelligence feeds—both public and private. However, end-to-end protection cannot be built on fragmented defenses. Yet many security teams and leaders adopt tools without considering integration from the outset. What is the aftermath?"
https://www.group-ib.com/blog/cyber-integration-mistakes/
- How CISOs Can Talk Cybersecurity So It Makes Sense To Executives
"CISOs know cyber risk is business risk. Boards don’t always see it that way. For years, CISOs have struggled to get boards to understand security beyond buzzwords. Many feel they’re either ignored or misunderstood. But with threats growing and regulations tightening, that’s changing. Boards now expect CISOs to speak their language: risk, dollars, impact. Here’s how security leaders can get through, with real-world tips on making cybersecurity resonate in the boardroom."
https://www.helpnetsecurity.com/2025/05/05/ciso-talk-cybersecurity-executives/
- How OSINT Supports Financial Crime Investigations
"In this Help Net Security interview, Stuart Clarke, CEO at Blackdot Solutions, discusses the strategic use of open-source intelligence (OSINT) in tackling financial crime. He outlines its application in areas such as fraud, sanctions evasion, and money laundering, and addresses the legal, ethical, and operational challenges involved. Clarke also provides case studies illustrating how OSINT has been used to uncover criminal networks."
https://www.helpnetsecurity.com/2025/05/05/stuart-clarke-blackdot-solutions-financial-crime-osint/
- Ransomware Attacks Fall In April Amid RansomHub Outage
"Ransomware attacks declined significantly in April, partly as a result of the RansomHub gang experiencing infrastructure outages, according to a new analysis by Comparitech. The consumer awareness company logged a total of 479 ransomware attacks throughout the month. This marked a notable drop compared to the first three months of 2025 in which Comparitech recorded 530 in January, 973 in February and 713 in March. Of the 479 logged attacks, 39 were confirmed by the targeted entity, such as through data breach notifications or press releases."
https://www.infosecurity-magazine.com/news/ransomware-fall-april-ransomhub/
- AI In Cybersecurity: How CISOs Can Achieve Board Alignment
"Companies are embracing AI far faster than any other emerging technology. Many companies started with experimentation but quickly realized that AI can completely transform how work gets done, especially in cybersecurity. I’ve witnessed this shift unfold rapidly and now see CISOs and security leaders struggling with a critical communication challenge: They must brief their boards clearly and confidently on cyber defense AI use cases and the risks, regulations, and governance challenges associated with them."
https://intezer.com/blog/ai-in-cybersecurity-how-cisos-can-achieve-board-alignment/
- How Do Data Brokers Affect The Threat Ecosystem?
"In today’s interconnected world, data is considered the blood of companies, and data brokers are the main suppliers of customers’ personal information to different entities around the world. A data broker is a company that collects and aggregates customer personal information from a wide range of sources. They group this information meaningfully, such as creating a profile for each user, and sell it to interested entities, such as commercial organizations and even government agencies."
https://blog.barracuda.com/2025/05/02/how-do-data-brokers-affect-the-threat-ecosystem-
- Treasury Sanctions Burma Warlord And Militia Tied To Cyber Scam Operations
"Today, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned the Karen National Army (KNA), a militia group in Burma, as a transnational criminal organization, along with the group’s leader Saw Chit Thu, and his two sons, Saw Htoo Eh Moo and Saw Chit Chit, for their role in facilitating cyber scams that harm U.S. citizens, human trafficking, and cross-border smuggling. The KNA-controlled region, located on the Thai-Burmese border, is home to multiple cyber scam syndicates, and the KNA has benefitted from its connection to Burma’s military in its criminal operations. Although statistics vary, American victims of cyber scams like the ones emanating from Burma have collectively lost billions of dollars over the last three years."
https://home.treasury.gov/news/press-releases/sb0129
https://therecord.media/myanmar-militia-leader-us-sanctions-cyber-scam-industry
Reference
Electronic Transactions Development Agency (ETDA)