February 10 2025 Cyber Threat Intelligence Briefing
This week’s briefing covers:
00:00 – Intro and Situational Awareness
CL0P Update
CL0P has released an additional list of 50 possible Cleo victims. The list follows the group’s previous tactic of redacting company names before fully disclosing each organization.
7-Zip Mark-of-the-Web Bypass Vulnerability CVE-2025-0411 actively exploited in Ukraine
The 7-Zip Mark-of-the-Web bypass vulnerability that Kroll reported on two weeks ago has now been observed by researchers being exploited in the wild to deploy SMOKELOADER malware.
KTA252 uses new SSH backdoor in network device hacks
Researchers at Fortinet have documented the infection chain of a new malware attack suite attributed to the Chinese threat actor KTA252, aka Evasive Panda.
4:07 – “Abandoned” S3 Buckets Pose Supply Chain Risk
Key Takeaways
- watchTowr research revealed that legitimate software pipelines, device deployments, and updates depend on external URLs (S3 buckets) that attackers can easily re-register, while many of the consuming processes don’t verify signatures, skip checks, or simply assume trust.
- An attacker could exploit these dormant S3 buckets by simply registering a bucket name in their own AWS account.
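One defensive check this implies is inventorying every S3 bucket your build scripts, update configs and firmware manifests reference, then confirming each bucket still exists under an account you control. The script below is an added example, not code from Kroll or watchTowr; the config lines and bucket names are constructed, and the existence probe is a pluggable function so the audit can run against a known-good inventory without touching the network.

```python
from __future__ import annotations
import re
import urllib.error
import urllib.request
from typing import Callable

# Constructed sample of a build/update script that pulls artifacts from S3.
# Bucket names are made up for illustration.
SAMPLE_CONFIG = """\
curl -O https://release-artifacts-example.s3.amazonaws.com/v2/agent.tar.gz
wget https://s3.us-east-1.amazonaws.com/old-vendor-updates-example/firmware.bin
aws s3 cp s3://build-cache-example/toolchain.zip .
https://updates.example.com/not-s3.bin
https://cdn-assets-example.s3.eu-west-1.amazonaws.com/lib.so
"""

_BUCKET = r"([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])"
_END = r"(?:/|\s|$)"
# The three common ways S3 is referenced: virtual-hosted style,
# path style, and the s3:// scheme used by the AWS CLI.
_PATTERNS = [
    re.compile(r"https?://" + _BUCKET + r"\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com" + _END),
    re.compile(r"https?://s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/" + _BUCKET + _END),
    re.compile(r"s3://" + _BUCKET + _END),
]


def find_bucket_refs(text: str) -> dict[str, list[str]]:
    """Map each referenced bucket name to the config lines that reference it."""
    refs: dict[str, list[str]] = {}
    for line in text.splitlines():
        for pat in _PATTERNS:
            for m in pat.finditer(line):
                refs.setdefault(m.group(1), []).append(line.strip())
    return refs


def bucket_exists_http(bucket: str) -> bool:
    """Unauthenticated probe: S3 answers 404 only when the bucket does not exist;
    200, 301 (lives in another region) and 403 (private) all mean it exists."""
    req = urllib.request.Request(f"https://{bucket}.s3.amazonaws.com/", method="HEAD")
    try:
        urllib.request.urlopen(req, timeout=10)
        return True
    except urllib.error.HTTPError as err:
        return err.code != 404


def audit(text: str, bucket_exists: Callable[[str], bool] = bucket_exists_http) -> list[str]:
    """Return referenced buckets that no longer exist: each is a dangling
    dependency that should be pinned, signed, or removed."""
    return sorted(b for b in find_bucket_refs(text) if not bucket_exists(b))


if __name__ == "__main__":
    for bucket in audit(SAMPLE_CONFIG):
        print("dangling S3 reference:", bucket)
```

Pass `audit()` a function that consults your own asset inventory to keep the check offline; the HTTP probe is only a fallback and does not tell you who owns a bucket that does exist.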
5:48 – Browser Syncjacking - A Stealthy Chrome Extension Attack
Key Takeaways
- A newly discovered attack method, “browser syncjacking,” leverages seemingly benign Chrome extensions to hijack a victim's device.
- Security researchers at SquareX identified the attack, which involves hijacking Google profiles, browsers and ultimately the victim's device.
- The method requires minimal permissions and little victim interaction beyond installing a seemingly legitimate Chrome extension.
- Once a victim enables Chrome Sync, attackers gain full access to their stored credentials, browsing history, and sensitive data.
- The attack utilizes the Chrome Native Messaging API, allowing direct interaction with the victim’s operating system.
7:15 – MALWARE SPOTLIGHT - SALITY
SALITY is a botnet malware that can perform malicious tasks and run other malware. It has been used for various purposes from sending spam and distributed denial of service (DDoS) attacks to stealing password data and recording keystrokes. It often communicates over a peer-to-peer (P2P) network to download additional payloads and updates.
8:51 – FLEXIBLEFERRET identified as part of "Contagious Interview" campaign
Key Takeaways
- A malware family has been linked to a “Contagious Interview” campaign targeting job applicants and developers via GitHub.
- The social engineering techniques involved getting the user to run a curl command, similar to previous “ClickFix” campaigns that used PowerShell.
- The campaign was largely targeting cryptocurrency wallets for financial gain.
Ransomware Roundup
11:25 – Ransomware Group Solicits Insider Information via Ransom Note
Researchers have observed the SARCOMA and DONEX ransomware groups using a previously unseen tactic: posting advertisements in their ransom notes that solicit insider information from victims.
Dive deeper:
Kroll’s Monthly Threat Intelligence Spotlight Report: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports/cti-spotlight-trends-report
Kroll’s Q2 2024 Threat Landscape Report: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports/q2-2024-threat-landscape-report-threat-actors-ransomware-cloud-risks-accelerate
Playlist of Kroll's Weekly Cyber Threat Intelligence Briefings: Cyber Threat Intelligence Briefings
Kroll Cyber Blog: https://www.kroll.com/en/insights/publications/cyber
Kroll Cyber Threat Intelligence: https://www.kroll.com/en/services/cyber-risk/managed-security/threat-intelligence-services
Kroll Threat Intelligence Reports: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports
Kroll Responder MDR: https://www.kroll.com/en/services/cyber-risk/managed-security/kroll-responder
#krollcyber #threatintelligence #cyberthreats