Threat Alerts

Your place for the latest CyberProof cyber threat intelligence alerts and updates

Critical Vulnerability in Ivanti Connect Secure and Other Products

13-Jan-2025
Label: Vulnerability
Threat Level: Medium

Ivanti has disclosed a critical security vulnerability in its Connect Secure, Policy Secure, and ZTA Gateway products that could allow threat actors to execute remote code without authentication (CVE-2025-0282). Successful exploitation of this vulnerability can provide attackers with unauthorized access to affected systems, enabling them to compromise sensitive data and potentially disrupt operations. Exploitation of CVE-2025-0282 has already been observed in a limited number of Ivanti Connect Secure appliances at the time of disclosure, underscoring the urgent need for patching.

The critical vulnerability, CVE-2025-0282 (CVSS 9.0), enables a remote, unauthenticated attacker to execute arbitrary code. The Integrity Checker Tool (ICT) can help detect potential exploitation of this flaw, and Ivanti recommends customers use the tool as part of their cybersecurity monitoring practices.

A second vulnerability, CVE-2025-0283 (CVSS 7.0), also affects the same products but carries a lower severity. This flaw allows local, authenticated attackers to escalate privileges via a stack-based buffer overflow. While there is no evidence of CVE-2025-0283 being actively exploited, applying the latest patches is critical to mitigate both vulnerabilities and secure affected systems.

Unveiling the Gayfemboy Botnet Threat

13-Jan-2025
Label: Malware
Threat Level: Medium

The Gayfemboy botnet, initially identified in early 2024 as a basic Mirai variant, has transformed into a formidable and sophisticated cyber threat. This botnet has evolved rapidly, leveraging a combination of known and unknown vulnerabilities to exploit a wide range of devices, including industrial routers, smart home systems, and consumer-grade routers. It is capable of executing large-scale attacks, including Distributed Denial of Service (DDoS) attacks.

Once infected, a device is grouped and managed via the botnet's Command and Control (C2) servers, which organize infected nodes for coordinated attacks. The botnet retains elements of its Mirai roots, such as command formats, but introduces modifications like enhanced self-updating mechanisms and obfuscation techniques to avoid detection. A hallmark of its evolution is its ability to exploit both known and unknown vulnerabilities, demonstrating a high level of adaptability and intent. It also retaliates with DDoS attacks when its operations are interfered with, underscoring its developers' aggressive approach.

In conclusion, Gayfemboy highlights the persistent threat posed by evolving botnets, leveraging innovation to launch large-scale Distributed Denial of Service (DDoS) attacks and compromise devices across industries.

Enhanced Banshee Stealer Avoids Detection with Unique Encryption

13-Jan-2025
Label: Malware
Threat Level: Medium

Banshee Stealer is a highly sophisticated macOS malware that preys on the growing popularity of Apple systems, exploiting users’ misplaced confidence in their system’s security. This stealer uses advanced evasion techniques, such as string encryption and anti-analysis measures, allowing it to bypass antivirus detection for over two months. By targeting macOS users through phishing websites and malicious GitHub repositories, Banshee poses a significant threat, stealing credentials, cryptocurrency wallets, and other sensitive system data.

The malware’s infection chain begins with its distribution through disguised software installers hosted on phishing sites or repositories. Once executed, Banshee establishes persistence by creating hidden directories, terminating debuggers, and running as a background daemon to avoid detection. It retrieves sensitive information such as browser data, credentials, and wallets, using macOS-specific commands and tricks, including displaying fake system prompts to capture passwords. The malware encrypts the collected data using XOR and Base64, packs it into a JSON payload, and transmits it to command-and-control servers for retrieval by attackers.

Even after the original Banshee source code was leaked, attackers adapted the malware, incorporating updates like advanced string encryption. These enhancements, combined with a steady flow of new campaigns targeting macOS users, underline the evolving threat landscape for Apple systems.

Cybercriminals Leverage NonEuclid RAT to Target Windows Systems

13-Jan-2025
Label: Malware
Threat Level: Medium

Cybersecurity researchers have identified NonEuclid, a newly developed remote access trojan (RAT) written in C#. This malware offers attackers unauthorized access to compromised Windows systems and boasts an array of advanced capabilities, including antivirus bypass, privilege escalation, anti-detection features, and ransomware functionality. Upon execution, the malware initializes a client application configured with security measures, delays startup, and ensures administrative privileges for critical tasks. If it passes mutex and anti-detection checks, it establishes a client socket for communication, implementing continuous reconnection protocols if the link is disrupted.

NonEuclid also incorporates logging, anti-process blocking, and other mechanisms to maintain persistence and functionality. The RAT is widely promoted across underground forums, Discord servers, and tutorial platforms, making it a valuable tool for cybercriminals. Its combination of privilege escalation, Antimalware Scan Interface (AMSI) bypass, and stealth tactics underscores the increasing sophistication of modern malware. Addressing threats like NonEuclid demands proactive defensive measures, robust monitoring, and constant vigilance to counteract evolving attacker strategies effectively.

AI-Powered Ransomware Group FunkSec Gains Momentum

13-Jan-2025
Label: Ransomware
Threat Level: Medium

FunkSec, a ransomware group first identified in late 2024, has quickly become a major player in the cybercrime landscape. Claiming over 85 victims in December alone, the group operates as a Ransomware-as-a-Service (RaaS) platform. FunkSec’s infrastructure and methods are distinct, with no direct links to previously established ransomware groups, highlighting their independent and sophisticated approach.

The group’s operations leverage AI-assisted tools to streamline malware development, enabling even inexperienced actors to produce functional ransomware. Their custom encryptor, believed to have been developed with AI assistance, is key to their operations. FunkSec employs a typical double-extortion attack model: first infiltrating networks through vulnerabilities or phishing, then encrypting critical files and exfiltrating sensitive data to coerce victims into paying ransoms under the threat of public disclosure.

Notably, FunkSec’s activities challenge traditional categorization, blending elements of hacktivism and cybercrime. While they publicize stolen datasets, many are recycled from prior hacktivist campaigns, raising questions about their legitimacy. This blending of tactics complicates attribution and makes it more challenging to assess the true scope and intent of their operations, highlighting the evolving nature of ransomware threats as they adopt increasingly advanced methodologies.

The Rise of FlowerStorm in the Phishing as a Service Market

06-Jan-2025
Label: Trends
Threat Level: Medium

A growing trend in the cybercrime landscape is the rise of “FlowerStorm,” a Microsoft 365 phishing-as-a-service (PhaaS) platform that has gained popularity following the sudden collapse of Rockstar2FA in November 2024. Rockstar2FA previously facilitated large-scale adversary-in-the-middle (AiTM) phishing attacks, targeting Microsoft 365 credentials with advanced evasion techniques and user-friendly features. However, after a partial infrastructure failure rendered much of Rockstar2FA’s platform inaccessible, FlowerStorm quickly emerged as a prominent alternative, filling the gap in the PhaaS market.

Researchers highlight similarities between Rockstar2FA and FlowerStorm, including their use of phishing portals mimicking Microsoft login pages, shared backend infrastructure patterns, and synchronized activity trends. While the platforms may share a common operational ancestry, the rise of FlowerStorm underscores a sustained demand for sophisticated phishing kits that can bypass multi-factor authentication (MFA) and harvest credentials at scale.
