
Ankura CTIX FLASH Update - March 18, 2025

Ransomware/Malware Activity


Rising Cyber Threats: A Call to Fortify Your Digital Defenses

Malicious actors are exploiting fake security alerts on GitHub to hijack user accounts by abusing OAuth applications, which are designed to authorize third-party services without the need for passwords. The attack involves sending deceptive messages that mimic legitimate security notifications, tricking users into authorizing a malicious application. Once granted access, the attackers can manipulate users' accounts without their knowledge.

Meanwhile, a wave of attacks is targeting Microsoft 365 accounts through sophisticated phishing campaigns, particularly ones that impersonate Adobe and DocuSign. Cybercriminals spoof these popular work applications to create deceptive OAuth apps, tricking users into granting malicious actors access to their accounts. This allows attackers to gain unauthorized control, potentially leading to data breaches or financial losses.

The Black Basta ransomware group has developed an automated tool designed to brute-force virtual private networks (VPNs), significantly enhancing its cyberattack capabilities. This tool targets vulnerable VPN services, exploiting weak or compromised credentials to gain unauthorized access to networks. Once inside, attackers can install ransomware, steal sensitive data, or further infiltrate organizations. The emergence of such a tool underscores the increasing sophistication of cybercriminals, and companies should strengthen their VPN security measures, adopt multi-factor authentication, and enforce robust password policies to mitigate the threat. With cybercriminals continually evolving their strategies, vigilance and proactive defenses are more crucial than ever to safeguard sensitive information against these emerging threats. CTIX analysts will continue to report on the latest malware strains and attack methodologies.


Threat Actor Activity


Volt Typhoon Stayed in Massachusetts Utility's Systems for 10 Months before Initial Discovery

Chinese hackers associated with the Volt Typhoon campaign infiltrated the systems of the Littleton Electric Light & Water Department in Massachusetts for nearly a year. This attack was part of a larger Chinese government effort to embed hackers within U.S. critical infrastructure, potentially for destructive actions during a conflict. The breach was discovered just before Thanksgiving in 2023, prompted by an FBI alert to the utility's assistant general manager, David Ketchen. FBI and CISA representatives quickly responded to the situation. The investigation revealed that Volt Typhoon had been present since February 2023, with evidence of lateral movement and data exfiltration. However, no customer-sensitive data was compromised, and the utility altered its network architecture to mitigate further threats. The attack underscores the adversary's intent to maintain prolonged access and exfiltrate data concerning OT operating procedures and spatial layouts, which would be crucial for potential destructive attacks. While China denies involvement, CISA and the FBI have repeatedly warned about Volt Typhoon's efforts to position itself within IT networks for disruptive attacks against U.S. infrastructure amid tensions with Taiwan. Evidence of Volt Typhoon's presence has previously been found in U.S. infrastructure in Guam and near military bases, likely to impede mobilization efforts. The number of victims remains unknown, and U.S. officials suggest current estimates are too low. The Volt Typhoon campaign has prompted U.S. governmental efforts to strengthen infrastructure security. Researchers have emphasized tracking Volt Typhoon as a critical threat group, noting its theft of geographic data, network diagrams, and operational instructions from victims. The group typically exploits vulnerabilities in internet-facing VPNs or firewalls for initial access. CTIX analysts advise utilities to enhance patch management and system integrity.


Vulnerabilities


Critical Apache Tomcat Vulnerability Under Active Exploitation

Researchers have identified a critical remote code execution (RCE) vulnerability, tracked as CVE-2025-24813, in Apache Tomcat that is being actively exploited, allowing attackers to take control of vulnerable Tomcat servers using a simple PUT request. Hackers have leveraged proof-of-concept (PoC) exploits published on GitHub shortly after disclosure. The attack involves sending a base64-encoded serialized Java payload via a PUT request, which lets the exploit bypass most traditional security filters. Apache Tomcat then deserializes and executes the payload, granting the attacker full system control without authentication. Traditional security tools struggle to detect the exploit because of the base64 obfuscation. The flaw affects Tomcat versions 9, 10, and 11, and Apache has advised upgrading to patched versions or, as a mitigation, disabling partial PUT support and enforcing stricter file handling. Security researchers warn that this vulnerability may signal further RCE exploits related to Tomcat's handling of partial PUT requests. CTIX analysts urge all administrators running Apache Tomcat to ensure that their servers are patched and secure to prevent future exploitation.
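The mitigation above hinges on two DefaultServlet settings in Tomcat's conf/web.xml: PUT is only honoured when `readonly` is set to `false`, and partial PUT stays enabled unless `allowPartialPut` is set to `false`. The following audit script is an added example, not code from the briefing or from the Apache project; the web.xml content is a constructed sample, and the two parameter names are the standard DefaultServlet init-params.

```python
# Added example: audit a Tomcat conf/web.xml for the DefaultServlet
# settings that Apache's CVE-2025-24813 mitigation points at.
import xml.etree.ElementTree as ET

# Constructed sample of a conf/web.xml with the risky combination:
# PUT enabled (readonly=false) and allowPartialPut left at its default (true).
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
    <init-param>
      <param-name>listings</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>
"""

def default_servlet_params(web_xml: str) -> dict:
    """Return the init-params of the servlet named 'default' (namespace-agnostic)."""
    root = ET.fromstring(web_xml)
    params = {}
    for servlet in root.iter():
        if not servlet.tag.endswith("servlet"):
            continue  # skips servlet-mapping and other elements
        name = next((c.text for c in servlet if c.tag.endswith("servlet-name")), None)
        if (name or "").strip() != "default":
            continue
        for ip in servlet:
            if not ip.tag.endswith("init-param"):
                continue
            key = value = None
            for c in ip:
                if c.tag.endswith("param-name"):
                    key = (c.text or "").strip()
                elif c.tag.endswith("param-value"):
                    value = (c.text or "").strip().lower()
            if key:
                params[key] = value
    return params

def assess(web_xml: str) -> dict:
    """Flag the writable + partial-PUT combination the mitigation tells you to remove."""
    p = default_servlet_params(web_xml)
    writable = p.get("readonly", "true") == "false"        # Tomcat default: readonly=true
    partial_put = p.get("allowPartialPut", "true") != "false"  # Tomcat default: allowed
    return {"writable": writable, "partial_put": partial_put,
            "exposed": writable and partial_put}
```

Run `assess()` over each deployed conf/web.xml; an `exposed` result means the server still relies on the patch alone, so either restore `readonly` to `true` or set `allowPartialPut` to `false` until the upgrade lands.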


© Copyright 2025. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.

Tags

report, cybersecurity & data privacy, data & technology, cyber response, data privacy & cyber risk
