CyberSecurity Newsletter 14th April 2025
In this week’s news: PhaaS platform Tycoon2FA gets updates, China admits cyberattacks on US infrastructure, a Microsoft Teams phishing campaign, FortiGate devices remain exposed after patching, a new supply chain attack named slopsquatting arising from AI coding tools, and attacks targeting the OttoKit WordPress plugin.
Phishing-as-a-service (PhaaS) platform Tycoon2FA, known for bypassing multi-factor authentication on Microsoft 365 and Gmail accounts, has received updates that improve its stealth and evasion capabilities. Tycoon2FA was discovered in October 2023 by Sekoia researchers, who later reported significant updates on the phishing kit that increased its sophistication and effectiveness.
https://www.bleepingcomputer.com/news/security/tycoon2fa-phishing-kit-targets-microsoft-365-with-new-tricks/
China reportedly admitted in a secret meeting with U.S. officials that it carried out cyberattacks on U.S. infrastructure linked to the Volt Typhoon campaign. According to the Wall Street Journal, Chinese officials indirectly acknowledged the Volt Typhoon attacks at a December summit in Geneva, reportedly framing them as a response to U.S. support for Taiwan.
https://securityaffairs.com/176485/apt/china-admitted-its-role-in-volt-typhoon-cyberattacks-on-u-s-infrastructure.html
A Microsoft Teams phishing campaign, leveraging techniques commonly used in Black Basta ransomware attacks, was found to spread a unique PowerShell backdoor in recent attacks, ReliaQuest reported Friday.
https://www.scworld.com/news/black-basta-like-microsoft-teams-phishing-leads-to-novel-backdoor
Palo Alto Networks reports brute-force login attempts on PAN-OS GlobalProtect gateways. The security firm pointed out that no known vulnerability has been exploited, but monitoring and analysis continue. “Our teams are observing evidence of activity consistent with password-related attacks, such as brute-force login attempts, which does not indicate exploitation of a vulnerability,” a company spokesperson told The Hacker News.
https://securityaffairs.com/176446/hacking/brute-force-login-attempts-on-pan-os-globalprotect.html
Fortinet warns that threat actors can retain read-only access to FortiGate devices even after the original vulnerability used for the breach has been patched. The cybersecurity firm revealed that attackers exploited known FortiGate flaws like CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762 to gain persistent read-only access via a symlink in SSL-VPN language folders. “A threat actor used a known vulnerability to implement read-only access to vulnerable FortiGate devices. This was achieved via creating a symbolic link connecting the user filesystem and the root filesystem in a folder used to serve language files for the SSL-VPN.”
https://securityaffairs.com/176473/hacking/symbolic-link-trick-lets-attackers-bypass-fortigate-patches-fortinet-warns.html
Fourlis Group, the operator of IKEA stores in Greece, Cyprus, Romania, and Bulgaria, has disclosed that the ransomware attack it suffered just before Black Friday, on November 27, 2024, caused losses estimated at €20 million ($22.8 million).
https://www.bleepingcomputer.com/news/security/ransomware-attack-cost-ikea-operator-in-eastern-europe-23-million/
Cybersecurity researchers at SOCRadar have discovered a new attack tactic used by the notorious Russian state-backed advanced persistent threat (APT), Storm-2372. According to SOCRadar’s research, shared with Hackread.com, Storm-2372 can now break into online accounts of major organizations without trying to guess passwords.
https://hackread.com/russia-storm-2372-hit-mfa-bypass-device-code-phishing/
A new class of supply chain attacks named "slopsquatting" has emerged from the increased use of generative AI tools for coding and the models' tendency to "hallucinate" non-existent package names. The term slopsquatting was coined by security researcher Seth Larson as a spin on typosquatting, an attack method that tricks developers into installing malicious packages by using names that closely resemble popular libraries. Unlike typosquatting, slopsquatting doesn't rely on misspellings. Instead, threat actors could create malicious packages on indexes like PyPI and npm named after ones commonly made up by AI models in coding examples.
https://www.bleepingcomputer.com/news/security/ai-hallucinated-code-dependencies-become-new-supply-chain-risk/
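A pre-install gate that reflects the distinction the article draws, added here as an example (not from the article and not part of PyPI or npm tooling): names in a requirements file are normalised and compared against an allowlist of packages the team has vetted; a name close to an approved one is flagged as a likely typosquat, while a name with no close match is flagged as a possible hallucinated (slopsquatting) dependency. The requirements text and allowlist are constructed, and the 0.85 similarity threshold is an assumption.

```python
import re
from difflib import SequenceMatcher

def normalize(name: str) -> str:
    """PEP 503 normalisation: case-insensitive, runs of - _ . collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_requirements(text: str) -> list[str]:
    """Extract normalised project names from requirements.txt-style lines,
    ignoring comments, blank lines, pip options, extras and version specifiers."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if m:
            names.append(normalize(m.group(1)))
    return names

def classify(names: list[str], allowlist: list[str], ratio: float = 0.85) -> dict:
    """Split names into approved, near_miss (close to an approved package:
    typosquat pattern) and unknown (no close match: slopsquatting candidate)."""
    allowed = {normalize(a) for a in allowlist}
    out = {"approved": [], "near_miss": [], "unknown": []}
    for n in names:
        if n in allowed:
            out["approved"].append(n)
            continue
        best = max(allowed, key=lambda a: SequenceMatcher(None, n, a).ratio())
        if SequenceMatcher(None, n, best).ratio() >= ratio:
            out["near_miss"].append((n, best))
        else:
            out["unknown"].append(n)
    return out

# Constructed sample: 'requestz' is one character off an approved package;
# 'flask_auth_helpers' is plausible-sounding but matches nothing on the allowlist.
SAMPLE_REQUIREMENTS = """\
requests==2.32.0
Flask>=3.0
requestz
flask_auth_helpers  # suggested by a coding assistant
"""
SAMPLE_ALLOWLIST = ["requests", "flask", "pyyaml", "cryptography"]

def demo() -> dict:
    return classify(parse_requirements(SAMPLE_REQUIREMENTS), SAMPLE_ALLOWLIST)
```

In a CI pipeline, a non-empty `near_miss` or `unknown` list would fail the build until a human confirms the dependency really exists and is the intended one.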
Western Sydney University (WSU) announced two security incidents that exposed personal information belonging to members of its community.
https://www.bleepingcomputer.com/news/security/western-sydney-university-discloses-security-breaches-data-leak/
Laboratory Services Cooperative disclosed a data breach that impacted the personal and medical information of 1.6 million people. The Laboratory Services Cooperative (LSC) is a clinical laboratory based in Bremerton, Washington, providing diagnostic testing services primarily to Planned Parenthood centers across 31 U.S. states. Their services support reproductive health and other medical testing needs.
https://securityaffairs.com/176451/data-breach/laboratory-services-cooperative-data-breach.html
Google is fixing a long-standing privacy issue that, for years, enabled websites to infer users' browsing history from previously visited links. The problem arises from allowing sites to style links with the ":visited" selector, showing them in a different color instead of the default blue if the user had previously clicked on them.
https://www.bleepingcomputer.com/news/security/chrome-136-fixes-20-year-browser-history-privacy-risk/
Threat actors began exploiting a recently disclosed vulnerability, tracked as CVE-2025-3102 (CVSS score of 8.1), in the OttoKit WordPress plugin (formerly SureTriggers) within hours of public disclosure. An attacker can trigger the vulnerability to create malicious administrator users when the plugin is not configured with an API key. Exploiting the flaw lets attackers fully take over a WordPress site, upload malicious plugins, alter content, serve malware or spam, and redirect visitors to malicious websites.
https://securityaffairs.com/176461/security/ottokit-wordpress-plugin-flaw-exploitation.html