Malware Activity
A series of malicious campaigns have been identified, targeting individuals and businesses through various means. A malvertising campaign has been active since mid-November 2024, targeting Google Ads users with fake ads that redirect to phishing sites hosted on Google Sites; the sites steal credentials and two-factor authentication codes so the attackers can take over the accounts and push more fake ads. Additionally, cybercriminals are using Google search ads to promote phishing sites that steal advertisers' credentials, with at least three (3) groups, including Portuguese speakers, behind the attacks. Meanwhile, a malware campaign has compromised over 5,000 WordPress sites, creating admin accounts, installing malicious plugins, and stealing sensitive data. Furthermore, threat actors are distributing information stealer malware disguised as proof-of-concept (PoC) exploit code for a recent Windows Lightweight Directory Access Protocol (LDAP) vulnerability, a flaw that can crash unpatched Windows servers. Instead of exploiting anything, the fake PoC collects system information, including process lists and network adapter details, and uploads it to an external FTP server. These campaigns highlight the ongoing threats to online security; Google has acknowledged the issues and is working to address them, having already removed billions of ads and suspended millions of advertiser accounts for violating its policies. CTIX analysts will continue to report on novel malware strains and attack methods in future FLASH Update issues.
- The Hacker News: Google Ads Article
- Bleeping Computer: Hackers Use Google Search Article
- Bleeping Computer: Malware Attacks Wordpress Sites Article
- Security Week: Infostealer Masquerades As POC Article
Threat Actor Activity
More Sanctions Come Out Related to The North Korean IT Worker Scheme
The U.S. Treasury Department has sanctioned more individuals and front companies linked to North Korea's Ministry of National Defense for generating revenue through illegal remote IT work schemes (check out Ankura’s North Korean “Laptop Farm” Article from October 2024). The sanctions target the North Korean front companies Korea Osong Shipping Co and Chonsurim Trading Corporation and their leaders, as well as Liaoning China Trade, a Chinese company supplying electronics to North Korea. North Korean IT workers, dubbed "IT warriors," impersonate US-based IT staff under fake identities to secure freelance contracts globally. The revenue they generate is then funneled back to fund North Korea's military programs. These workers have also extorted former employers by threatening to leak sensitive information after gaining elevated access to the company’s networks. In 2023, the U.S. seized domains impersonating U.S. IT services that helped North Korean workers conceal their identities when applying for online freelance positions. The domains used in the IT worker campaign were also linked to additional scams, including a 2016 crowdfunding campaign that raised $21,877 but delivered nothing to backers. In addition to several companies in Laos and China, the U.S. has sanctioned two (2) North Korean nationals for facilitating these schemes. One faction of the IT worker campaign is estimated to have generated over $88 million through salaries and extortion.
- The Hacker News: North Korea IT Worker Article
- Bleeping Computer: North Korea IT Worker Article
- The Record: North Korea IT Worker Article
Vulnerabilities
Fortinet Firewalls Under Active Exploitation Due to Critical Zero-Day Vulnerability
A recent campaign exploited a critical zero-day vulnerability in Fortinet FortiOS and FortiProxy products that allows attackers to gain administrator privileges through crafted requests to the "Node.js" websocket module. The flaw, tracked as CVE-2024-55591, has been actively exploited since at least November 2024 and affects FortiOS versions 7.0.0-7.0.16 as well as FortiProxy versions 7.0.0-7.0.19 and 7.2.0-7.2.12. Cybersecurity firm Arctic Wolf identified attacks targeting FortiGate firewall devices with exposed management interfaces, involving unauthorized logins, account creation, SSL VPN tunneling, and credential extraction via DCSync for lateral movement. The campaign progressed through distinct phases, including reconnaissance and configuration changes, and appeared opportunistic rather than sector-specific. Fortinet has since released patches and indicators of compromise (IoCs) to help defenders detect and mitigate attacks. Alongside CVE-2024-55591, Fortinet addressed thirteen (13) other high-severity vulnerabilities across its products, emphasizing the importance of prompt patching to prevent exploitation. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, mandating that all Federal Civilian Executive Branch Agencies patch the flaw by no later than January 21, 2025. CTIX analysts recommend that any organization running vulnerable infrastructure restrict access to firewall management interfaces, monitor for unusual activity, and apply all updates to secure their systems.
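As an added illustration of the "monitor for unusual activity" recommendation (example code written for this update, not code from Fortinet, Arctic Wolf, or the FLASH Update itself), the script below triages a handful of firewall admin-event records for the three signals the campaign narrative describes: successful admin logins from outside a management allowlist, creation of new admin accounts, and configuration changes made by accounts that are not in the known-admin set. The JSON-lines record format, the IP addresses, and the usernames are all constructed for the example and are not FortiOS's real log schema; a real deployment would map the vendor's actual log fields onto the same checks.

```python
"""
Added example: triage firewall admin events for the kinds of activity
described in the Fortinet campaign (logins from unexpected sources,
new admin accounts, config changes by unknown accounts).

The record format, IPs and usernames below are CONSTRUCTED for this
example; they are not FortiOS's actual log fields or real IoCs.
"""
import ipaddress
import json

# Constructed sample events in a simplified JSON-lines format (hypothetical).
SAMPLE_EVENTS = """\
{"ts": "2024-12-02T03:14:07Z", "action": "login", "user": "admin", "src": "203.0.113.45", "status": "success"}
{"ts": "2024-12-02T03:15:21Z", "action": "create_admin", "user": "admin", "target": "svc_backup", "src": "203.0.113.45"}
{"ts": "2024-12-02T03:16:02Z", "action": "config_change", "user": "svc_backup", "src": "203.0.113.45", "detail": "sslvpn settings modified"}
{"ts": "2024-12-02T09:00:11Z", "action": "login", "user": "netops", "src": "10.20.0.5", "status": "success"}
{"ts": "2024-12-02T09:02:45Z", "action": "config_change", "user": "netops", "src": "10.20.0.5", "detail": "firewall policy edit"}
"""

# Hypothetical management network and the admin accounts we expect to exist.
MGMT_ALLOWLIST = [ipaddress.ip_network("10.20.0.0/24")]
KNOWN_ADMINS = {"admin", "netops"}


def parse_events(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def src_allowed(src, allowlist):
    """True if src parses as an IP inside one of the allowlisted networks."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source is treated as not allowed
    return any(ip in net for net in allowlist)


def triage(events, allowlist=MGMT_ALLOWLIST, known_admins=KNOWN_ADMINS):
    """Return a list of findings, one dict per suspicious event, in log order."""
    findings = []
    for e in events:
        src = e.get("src", "")
        action = e.get("action")
        if action == "login" and e.get("status") == "success" and not src_allowed(src, allowlist):
            findings.append({"kind": "login_outside_allowlist", "ts": e["ts"],
                             "account": e["user"], "src": src})
        elif action == "create_admin":
            # Any new admin account is worth a look; the campaign created accounts
            # after an unauthorized login, so this pairs with the finding above.
            findings.append({"kind": "new_admin_account", "ts": e["ts"],
                             "account": e["target"], "src": src})
        elif action == "config_change" and e.get("user") not in known_admins:
            findings.append({"kind": "config_change_by_unknown_account", "ts": e["ts"],
                             "account": e["user"], "src": src, "detail": e.get("detail", "")})
    return findings


if __name__ == "__main__":
    for f in triage(parse_events(SAMPLE_EVENTS)):
        print(f"{f['ts']} {f['kind']:34} account={f['account']} src={f['src']}")
```

Run against the constructed sample, the script flags the 03:14 login from 203.0.113.45, the creation of svc_backup, and the SSL VPN configuration change made by that new account, while the in-hours netops activity from the management network produces no findings. The known-admin set is deliberately not updated when a create_admin event is seen, so anything the newly created account does keeps surfacing until an analyst adds it to the baseline.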
© Copyright 2025. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC, its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.