Triaging the Week 091
SonicWall VPN, F5, Harvard, Cisco, and Oracle come under fire, Capita fined record-breaking amount by ICO, and even more malicious coding extensions
Hello there 👋
Welcome back to the Kraven Security weekly newsletter, Triaging the Week. We round up the week's top news stories, highlight our featured article, give you some learning resources, and finish with a few personal notes about what’s happening at the company. Enjoy!
Top News Stories
Widespread SonicWall VPN Compromise Underway
A significant and ongoing attack is targeting SonicWall SSL VPN devices, with a single IP address linked to the compromise of over 100 accounts. While a direct link has not been established, this activity follows a recent breach of SonicWall’s cloud backup service, which may have exposed sensitive configuration data.
Key takeaways:
🔒 Credential-Based Attacks: The attackers appear to be using valid credentials, suggesting they were obtained from a previous breach or leak.
🛡️ Rapid & Widespread: The attacks are happening quickly, with one IP address responsible for a large number of breaches in a short period.
💡 Ransomware on the Horizon: This activity is occurring amidst a rise in ransomware attacks targeting SonicWall devices, increasing the risk for compromised organizations.
🌐 Reset, Restrict, Revoke: All SonicWall users are urged to reset credentials, restrict remote access, and revoke any external API keys.
Critical Oracle E-Business Suite Flaw Could Expose Sensitive Data
A new high-severity vulnerability (CVE-2025-61884) has been discovered in Oracle’s E-Business Suite, which could allow an unauthenticated attacker to gain remote access to sensitive data. The flaw affects the Oracle Configurator module and has a CVSS score of 7.5.
Key takeaways:
🔒 Remote & Unauthenticated: The vulnerability can be exploited remotely without requiring any user credentials, making it particularly dangerous.
🛡️ Data at Risk: A successful attack could lead to unauthorized access to critical data or even a complete compromise of the Oracle Configurator.
💡 No Active Exploits (Yet): While the flaw is critical, Oracle has not yet seen any evidence of it being actively exploited in the wild.
🌐 Patch Immediately: All users of affected Oracle E-Business Suite versions (12.2.3 through 12.2.14) are urged to apply the security update immediately.
Massive Botnet Targets U.S. RDP Services
A huge, ongoing botnet attack is targeting Remote Desktop Protocol (RDP) services across the United States. The attack, which originates from over 100,000 IP addresses in more than 100 countries, is using sophisticated methods to identify and enumerate user accounts.
Key takeaways:
🔒 Global Scale: The attack is being launched by a massive, geographically diverse botnet, making it difficult to block.
🛡️ Targeted Reconnaissance: The attackers are using specific techniques to infer valid usernames and identify user accounts on RDP web clients.
💡 Secure Your RDP: It is critical to avoid exposing RDP services directly to the internet. Use a VPN and multi-factor authentication to secure your connections.
🌐 Block Malicious IPs: Administrators should monitor logs for suspicious RDP activity and block the IP addresses associated with this campaign.
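The log-monitoring advice in the SonicWall story (one IP behind 100+ compromised accounts) and the RDP story (username enumeration from a botnet) comes down to one detection: a single source touching too many distinct accounts. The following is an added Python example, not code from the newsletter or any vendor; it assumes a constructed syslog-like line format and tunable thresholds that are placeholders, not recommended values.

```python
"""Flag auth sources that touch an unusual number of distinct accounts.
Constructed syslog-like format (not any vendor's real log):
    <timestamp> auth src=<ip> user=<name> result=<ok|fail>
Checks the two patterns from the stories above: one source succeeding
against many accounts (credential replay) and one source failing against
many usernames (enumeration / spraying)."""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<src>[\d.]+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

def parse_line(line):
    """Fields of one auth line, or None for lines that are not auth events."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def account_spread(lines):
    """Map each source IP to the distinct accounts it succeeded / failed against."""
    spread = defaultdict(lambda: {"ok": set(), "fail": set()})
    for line in lines:
        rec = parse_line(line)
        if rec:
            spread[rec["src"]][rec["result"]].add(rec["user"])
    return spread

def find_suspicious(lines, ok_threshold=3, fail_threshold=5):
    """Sorted (src_ip, label, distinct_account_count) for sources over a threshold.
    Thresholds are assumptions to tune per environment; a NAT gateway or jump
    host legitimately fronts many accounts and belongs on an allow-list."""
    findings = []
    for src, buckets in account_spread(lines).items():
        if len(buckets["ok"]) >= ok_threshold:
            findings.append((src, "many_accounts_success", len(buckets["ok"])))
        if len(buckets["fail"]) >= fail_threshold:
            findings.append((src, "username_enumeration", len(buckets["fail"])))
    return sorted(findings)

# Constructed sample: one credential-replay source, one enumerating source,
# one ordinary user who mistyped a password, and one unrelated line.
SAMPLE_LOG = [
    "2025-10-13T08:00:01Z auth src=203.0.113.7 user=alice result=ok",
    "2025-10-13T08:00:04Z auth src=203.0.113.7 user=bob result=ok",
    "2025-10-13T08:00:09Z auth src=203.0.113.7 user=carol result=ok",
    "2025-10-13T08:01:00Z auth src=198.51.100.9 user=admin result=fail",
    "2025-10-13T08:01:01Z auth src=198.51.100.9 user=administrator result=fail",
    "2025-10-13T08:01:02Z auth src=198.51.100.9 user=backup result=fail",
    "2025-10-13T08:01:03Z auth src=198.51.100.9 user=svc_sql result=fail",
    "2025-10-13T08:01:04Z auth src=198.51.100.9 user=helpdesk result=fail",
    "2025-10-13T08:02:00Z auth src=192.0.2.5 user=erin result=fail",
    "2025-10-13T08:02:20Z auth src=192.0.2.5 user=erin result=ok",
    "2025-10-13T08:03:00Z kernel: unrelated message",
]
```

Calling `find_suspicious(SAMPLE_LOG)` flags 198.51.100.9 for enumeration and 203.0.113.7 for logging in to many accounts, while the user who mistyped a password once is left alone.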
Harvard Investigating Breach Linked to Oracle Zero-Day
Harvard University is investigating a data breach potentially linked to a zero-day vulnerability in Oracle’s E-Business Suite. The incident, claimed by the Clop ransomware gang, highlights the ongoing threat of zero-day exploits targeting widely used enterprise software.
Key takeaways:
🔒 Zero-Day Exploit: The breach is likely the result of a recently disclosed, critical vulnerability in Oracle E-Business Suite, which has impacted numerous Oracle customers.
🛡️ Clop’s Modus Operandi: The Clop ransomware gang is notorious for exploiting zero-day flaws in large-scale data theft and extortion campaigns.
💡 Limited but Significant Impact: While Harvard believes the impact is limited, any breach at a high-profile institution is a serious concern.
🌐 Patch and Pray: Harvard has applied the necessary patch, but this incident is a stark reminder for all organizations to prioritize rapid patching and proactive threat hunting.
Astaroth Banking Trojan Abuses GitHub as a Backup
The Astaroth banking trojan has been updated to use GitHub as a resilient backup for its command-and-control infrastructure. This allows the malware to remain operational even if its primary C2 servers are taken down.
Key takeaways:
🔒 Resilient Infrastructure: By hosting its configurations on GitHub, Astaroth ensures it can continue its malicious activities even after a partial takedown.
🛡️ Targeted Attacks: The campaign is primarily focused on Brazil and other Latin American countries.
💡 Phishing as the Entry Point: The attack begins with a phishing email that tricks users into downloading a malicious file.
🌐 Credential Theft: The malware uses keylogging to steal credentials from banking and cryptocurrency websites.
Malicious VS Code Extensions Steal Crypto and Source Code
A persistent threat actor known as “TigerJack” is publishing malicious extensions on the Visual Studio Code and OpenVSX marketplaces, designed to steal cryptocurrency, exfiltrate source code, and create backdoors on developers’ systems.
Key takeaways:
🔒 Deceptive Tactics: The attacker uses multiple accounts and creates convincing but fake developer profiles to lure users into downloading the malicious extensions.
🛡️ Broad Capabilities: The malware can steal source code in real-time, inject crypto miners, and execute arbitrary code on the compromised machine.
💡 Ongoing Threat: Even when the malicious extensions are removed, the attacker republishes them under new names, making this an ongoing threat.
🌐 Open Source at Risk: The incident highlights the security challenges facing open-source marketplaces and the need for developers to be vigilant.
U.S. Seizes $1.5 Billion in Crypto from “Pig Butchering” Kingpin
In a monumental crackdown on cybercrime, the U.S. government has seized $1.5 billion in cryptocurrency from the “Prince Group,” a notorious syndicate behind a massive “pig butchering” scam. The operation, which used trafficked and forced labor, defrauded countless victims through sophisticated romance and investment schemes.
Key takeaways:
🔒 Record-Breaking Seizure: The $1.5 billion seizure is one of the largest in history, dealing a significant blow to the cybercriminal underworld.
💔 Human Cost: The syndicate used trafficked individuals, forcing them to carry out scams under the threat of violence.
🐷 “Pig Butchering” Tactics: The criminals used social media and dating apps to build trust with their victims before luring them into fraudulent crypto investments.
💸 Sophisticated Laundering: The group used advanced techniques to launder the stolen funds, converting them into luxury assets and real estate.
Secure Boot Bypass Risk for Linux Framework Laptops
A critical Secure Boot bypass vulnerability is threatening nearly 200,000 Linux Framework laptops. The flaw could allow an attacker with physical access to disable UEFI security measures and load a malicious bootkit, such as BlackLotus, which can persist even after an OS reinstall.
Key takeaways:
🔒 Memory Modification: The vulnerability stems from a “memory modify” command in signed UEFI shells, which can be used to disable signature verification.
🛡️ Bootkit Threat: A successful exploit could allow for the installation of a bootkit, giving attackers deep and persistent access to the system.
💡 Physical Access Required: It is important to note that an attacker would need physical access to the device to exploit this vulnerability.
🌐 Update Immediately: All users of affected Framework laptops are urged to apply the latest security updates to mitigate this risk.
Chinese Hackers Abuse Legitimate Geo-Mapping Tool for Year-Long Persistence
A sophisticated cyber-espionage campaign, attributed to the Chinese hacking group “Flax Typhoon,” has been discovered using a legitimate geo-mapping tool, ArcGIS, to maintain stealthy and persistent access to a target’s network for over a year. This novel attack vector highlights the growing trend of threat actors “living off the land” to evade detection.
Key takeaways:
🔒 Novel Exploit: This is the first known instance of an ArcGIS server object extension (SOE) being used to create a web shell, allowing for remote command execution.
🛡️ Stealth and Persistence: By abusing a legitimate tool, the attackers remained undetected for over a year and established a backup VPN connection for persistent access.
💡 Espionage Focused: The campaign was focused on espionage, with the attackers attempting to dump sensitive credentials to move laterally within the network.
🌐 Living Off the Land: The use of legitimate software is a hallmark of the Flax Typhoon group, making their activities incredibly difficult to distinguish from normal network traffic.
F5 Breach: Nation-State Hackers Steal BIG-IP Source Code & Zero-Day Flaws
In a major security breach, F5 has confirmed that suspected nation-state hackers gained long-term access to its systems, stealing undisclosed BIG-IP security vulnerabilities and source code. This incident raises significant concerns about the potential for future attacks leveraging this stolen information.
Key takeaways:
🔒 Prolonged Intrusion: The attackers maintained persistent access to F5’s BIG-IP product development environment, allowing for a deep and thorough exfiltration of sensitive data.
🛡️ Zero-Days in the Wild: The stolen data includes information about unpatched vulnerabilities, creating a significant risk of future zero-day attacks.
💡 Customer Data at Risk: While F5 claims the impact is limited, some customer configuration and implementation data was also stolen.
🌐 No Evidence of Exploitation (Yet): F5 has stated that there is currently no evidence of the stolen vulnerabilities being actively exploited, but the threat remains high.
Capita Fined £14 Million for Massive Data Breach
Capita has been hit with a £14 million fine from the UK’s Information Commissioner’s Office (ICO) following a 2023 data breach that exposed the personal information of 6.6 million people. The breach, which was the result of a ransomware attack, highlights a series of significant security failures.
Key takeaways:
🔒 Employee Error Was the Entry Point: The entire incident began with a single employee downloading a malicious file.
🛡️ Slow Response: Attackers had access to the network for 58 hours before the infected device was isolated.
💡 Security Gaps: The ICO identified numerous security shortcomings, including poor access controls, an understaffed Security Operations Center, and a lack of regular penetration testing.
💸 Reduced Fine: The initial fine was reduced from £45 million due to Capita’s cooperation and remediation efforts.
Fake Password Manager Breach Alerts Lead to PC Hijacks!
A new phishing campaign is targeting users of LastPass and Bitwarden with convincing fake data breach alerts. The emails trick users into downloading what they believe is a secure desktop app, but is actually remote access software that gives attackers full control of their PCs.
Key takeaways:
🔒 Deceptive Lures: The attack uses well-crafted emails that create a sense of urgency, claiming a security breach has occurred.
🛡️ Remote Takeover: The goal is to install legitimate remote management tools (Syncro and ScreenConnect) to gain complete control over the victim’s computer.
💡 Data at Risk: Once they have access, attackers can steal data, deploy additional malware, and potentially access your password vault.
🌐 Verify, Don’t Trust: Never click on links in unsolicited security alerts. Go directly to the official website of your password manager to verify any claims.
Prosper Data Breach Impacts 17.6 Million Accounts
Financial services company Prosper has suffered a massive data breach, exposing the personal and financial information of 17.6 million individuals. The breach was added to the Have I Been Pwned database, which has begun notifying affected users.
Key takeaways:
🔒 Vast Scope of Data Theft: The stolen data is extensive, including Social Security numbers, government-issued IDs, employment and credit status, income levels, and other sensitive personal information.
🛡️ Company Response: Prosper has reported the breach to authorities and is offering free credit monitoring to affected customers.
💡 Individual Action Required: If you’re a Prosper customer or have ever applied for a loan through them, it’s crucial to be vigilant. Monitor your credit reports, consider placing a fraud alert, and be wary of any phishing attempts.
🌐 Constant Threat: This breach is another stark reminder of the persistent and evolving threat of data theft in the digital age.
Microsoft Report: Extortion & Ransomware Fuel Over Half of All Cyberattacks
Microsoft’s latest Digital Defense Report reveals a stark reality: financial gain is the primary motive for over 50% of cyberattacks, with extortion and ransomware leading the charge. While nation-state threats persist, the digital landscape is dominated by opportunistic criminals targeting critical services and leveraging AI to enhance their attacks.
Key takeaways:
🔒 Identity is the New Perimeter: A staggering 97% of identity-based attacks are simple password attacks, making phishing-resistant MFA more critical than ever.
🤖 AI Arms Race: Attackers are using AI to automate and improve their campaigns, while defenders are leveraging it for enhanced threat detection.
💸 Financial Motives Dominate: The vast majority of cybercrime is driven by financial greed, not just espionage.
🌐 Infostealers on the Rise: There has been a significant increase in the use of “infostealer” malware designed to steal credentials and facilitate further attacks.
Cisco Devices Under Attack: Hackers Deploy Linux Rootkits
A new hacking campaign, “Operation Zero Disco,” is exploiting a vulnerability in Cisco IOS and IOS XE software to install stealthy Linux rootkits on older, unprotected systems. The attack leverages a known SNMP vulnerability to gain access and deploy malware that can execute code remotely and maintain persistent access.
Key takeaways:
🔒 SNMP Vulnerability: The attack exploits CVE-2025-20352, a stack overflow vulnerability in Cisco’s SNMP subsystem.
🛡️ Targeting Older Systems: The campaign primarily targets older Cisco devices that lack modern endpoint detection and response (EDR) solutions.
💡 Fileless & Stealthy: The rootkit uses fileless components that disappear after a reboot, making it incredibly difficult to detect.
🌐 Patch and Protect: All users of affected Cisco devices are urged to apply the latest security patches and implement robust EDR solutions to mitigate this threat.
Top Tips of the Week
Threat Intelligence
Integrate CTI into threat intelligence sharing platforms. Facilitate seamless sharing and dissemination of threat intelligence within and beyond the organization.
Consider the dark web in CTI research. Monitor underground forums for insights into potential threats.
Threat Hunting
Foster threat hunting skills in-house. Develop a culture of continuous learning to adapt to the evolving threat landscape.
Conduct cyber threat intelligence exercises. Simulate scenarios to test readiness and identify areas for improvement.
Develop hypotheses for threat hunting. Form educated guesses about potential threats and use them as guides.
Educate your team on cyber threat hunting techniques. A knowledgeable team is your first line of defense. Train regularly for threat awareness.
Custom Tooling
Optimize custom tools for performance across different devices. Ensure compatibility and optimal user experience on various platforms.
Feature Video
Are you ready to level up your cyber security career?
🚀 Becoming a CTI Analyst is more than just tech skills – it’s about strategic thinking, proactive defense, and continuous learning!
Here is how you can become one:
1️⃣ Learn what CTI analysts do, their roles and responsibilities, and what their day-to-day tasks look like.
2️⃣ Discover the skills required to fulfill this work.
3️⃣ Learn those skills and apply them to showcase your capabilities.
4️⃣ Land a CTI analyst position!
This video walks you through how to progress through each of these steps so you can begin leveling up your cyber security career today!
Feature Course
What Will You Learn?
How to use Structured Analytical Techniques (SATs) to perform intelligence analysis.
What intelligence analysis technique to use and when.
Common challenges and how to overcome them.
How to practically apply analysis techniques.
Learning Resources
Cyber Training
Zero-Point Security: Advanced training in red team operations, adversary simulation, and offensive development. They equip you with the latest tactics and techniques to succeed in security and defence strategies.
TCM Academy: A comprehensive suite of courses including everything from penetration testing to malware analysis. Their hands-on, practical approach to training is designed to equip students with the real-world skills needed to succeed in cyber.
Blue Cape Security: A specialist in Digital Forensics and Incident Response (DFIR) training, offering courses to take you from complete beginner to expert. Learn to defend like a pro.
Tools
Octoparse: A no-code solution that will save you time, energy, and money. Let me show you how to use it to build your custom cyber threat intelligence web scraping tool!