Malware Activity
Cybersecurity Under Siege: Navigating the Rising Tide of Malware Threats
Researchers have revealed that Microsoft's Trusted Signing service has been abused to sign malware, allowing harmful software to masquerade as legitimate applications and deceive security tools that trust code signed by well-known entities. This abuse is significant because many defenses reduce scrutiny of, or outright allow, executables that carry a valid signature from a reputable signer. In a related effort to protect platform integrity, the VSCode Marketplace removed two malicious extensions: "Code Helper" and a second, similarly harmful tool built to covertly gather sensitive information from developers. The incident prompted Microsoft to warn users to exercise caution when installing tools into coding environments. Concurrently, the FBI has begun alerting the public to fake file conversion websites that mimic reputable services while surreptitiously infecting visitors' devices with malware. Under the guise of a free conversion, the criminals deliver malware that can ultimately lead to a ransomware event. Adding to the complexity of modern threats, the Medusa ransomware has been observed using a malicious kernel driver to improve its stealth and maximize the extent of system compromise, a technique that helps it evade detection while it carries out its attack. Collectively, these revelations are a stark reminder that vigilance and skepticism remain essential in today's digital landscape. CTIX analysts will continue to report on the latest malware strains and attack methodologies.
- BleepingComputer: Microsoft Trusted Signing Service Abused
- TheHackerNews: VSCode Marketplace Removes Two Extensions
- BleepingComputer: FBI Warnings are True
- TheHackerNews: Medusa Ransomware Uses Malicious Driver
Threat Actor Activity
Former College Football Coach Charged for Hacking into Athlete Databases
Federal prosecutors have charged former University of Michigan assistant football coach Matthew Weiss with hacking into student athlete databases across more than one hundred (100) colleges and universities and accessing the personal and medical data of approximately 150,000 individuals. Weiss, who served as the co-offensive coordinator for the University of Michigan's football team and formerly worked with the NFL's Baltimore Ravens, was indicted on twenty-four (24) counts, including unauthorized computer access and aggravated identity theft. The alleged unauthorized access occurred from 2015 to January 2023 and targeted databases maintained by Keffer Development Services, also known as Athletic Trainer System. Weiss is accused of downloading athletes' personal information and medical records, breaking into the social media, email, and cloud storage accounts of over 2,000 athletes, and accessing additional accounts belonging to students and alumni nationwide. Prosecutors highlight that Weiss primarily targeted female college athletes, selecting them based on school affiliation, athletic history, and physical characteristics, with the intent of obtaining private photos and videos. He reportedly maintained notes on these individuals and revisited breached accounts over time. Weiss allegedly cracked encrypted passwords and exploited authentication weaknesses to gain elevated access normally reserved for trainers and athletic directors. The indictment states that Weiss used internet research to crack passwords and mined data from prior breaches to find athletes' login credentials. Weiss faces significant legal consequences, with potential sentences of five years for each hacking charge and two years for each identity theft charge. The University of Michigan, which terminated Weiss's employment following a review, has directed inquiries to the Justice Department. The FBI Detroit Cyber Task Force and the University of Michigan Police collaborated closely on the investigation.
Vulnerabilities
Middleware Authorization Check Bypass Vulnerability Identified in Next.js
A critical security vulnerability has been identified in the Next.js React framework that allows attackers to bypass authorization checks under specific conditions. The vulnerability, tracked as CVE-2025-29927 (CVSS score 9.1), stems from the handling of the internal x-middleware-subrequest header: a request that carries this header can cause the framework to skip its middleware, and with it any authorization logic implemented there. Next.js has patched the issue in versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, and users are urged to update immediately. Security researcher Rachid Allam, who discovered the flaw, has released technical details, which increases the urgency of applying the fixes. Applications that rely solely on middleware for authorization, with no further check in the route or page itself, are the most exposed, since an unauthenticated request could reach sensitive admin pages. If patching is not possible, blocking external requests that contain the x-middleware-subrequest header is advised; because the header is intended only for the framework's internal use, it should never arrive from a legitimate client, so rejecting or stripping it at a reverse proxy or WAF carries no functional cost. CTIX analysts urge any affected readers to upgrade to the patched release or, where that cannot be done immediately, to implement the header-blocking workaround and to verify that sensitive routes enforce authorization independently of middleware.
📧 Never Miss a Briefing
Stay informed and secure. Subscribe to Ankura's Cyber Flash Update, a bi-weekly briefing curated by top cybersecurity experts. Receive timely insights on emerging threats, vulnerabilities and malicious actors to keep your systems secure.
Join the Cyber Flash Update community today.

© Copyright 2025. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.