
Ankura CTIX FLASH Update - June 24, 2025

Malware Activity

 

The Evolving Nature of Cyber Threats Targeting Both the Cryptocurrency Sphere and Mobile Devices

CoinMarketCap experienced a brief security breach when malicious Web3 popups were injected into its platform. The popups deceived users into unwittingly granting access to their private keys. Although CoinMarketCap swiftly remediated the problem, the incident highlights the critical need for vigilance and continuous security enhancements in crypto platforms. Simultaneously, the emergence of the "Godfather" Android Trojan reveals sophisticated malware capable of establishing stealthy, sandboxed environments within infected devices, enabling persistent control and covert malicious activity. Together, these events emphasize the importance of rigorous security protocols, user awareness, and proactive defenses to safeguard digital assets and personal data amid a landscape fraught with cunning cyber adversaries. CTIX analysts will continue to report on the latest malware strains and attack methodologies.

 

Threat Actor Activity

 

Russian Hackers Take Over Gmail Accounts and Bypass MFA in Targeted Phishing Campaign

Russian-affiliated threat actors, identified as UNC6293 and likely associated with the state-sponsored group APT29, have been conducting sophisticated social engineering attacks to bypass multi-factor authentication (MFA) and access Gmail accounts. These attacks leverage a Google account feature known as application-specific passwords (ASPs), which allow third-party apps to access an account even when MFA is enabled. The campaign, active from April through early June 2025, targeted prominent academics and critics of Russia, employing meticulous rapport-building and tailored lures to convince targets to create and share ASPs. The attackers posed as U.S. Department of State officials, sending phishing emails disguised as meeting invitations with fictitious "@state.gov" addresses in the CC line to enhance credibility. This tactic is designed to avoid suspicion by appearing legitimate while sidestepping MFA protections. Keir Giles, a British expert on Russian information operations, was among those targeted. The attackers used a slow-paced phishing approach, involving multiple email exchanges before sending a PDF with instructions to create an ASP, under the guise of enabling secure communication on a fake State Department platform. By sharing the ASP, victims unknowingly provided the attackers with full access to their email accounts. Researchers have highlighted the novelty and effectiveness of this attack method, noting its potential to spread as threat actors seek more sophisticated techniques to circumvent improved security measures. Researchers also emphasized the importance of enrolling in Google's Advanced Protection Program, which enhances security measures and prevents the creation of ASPs. The campaign used residential proxies and VPS servers to maintain anonymity while accessing compromised accounts, further complicating detection efforts. The attackers demonstrated patience and skill, crafting credible phishing messages without rushing targets or using overtly malicious content.

 

Vulnerabilities

 

Widespread Exploitation of WordPress "Motors" Theme Vulnerability Enables Full Site Takeover

Hackers are actively exploiting a critical privilege escalation vulnerability in the popular WordPress "Motors" theme to gain unauthorized administrative access and take full control of targeted websites. The flaw, tracked as CVE-2025-4322, was discovered on May 2, 2025, and patched in version 5.6.68, released on May 14; it affects all versions up to 5.6.67 and stems from improper user identity validation in the theme's "Login Register" widget. It allows unauthenticated attackers to reset administrator passwords using maliciously crafted POST requests containing malformed UTF-8 characters, which bypass the widget's hash verification. Despite warnings from Wordfence, many users failed to update in time, and mass exploitation began shortly after the public disclosure on May 19, 2025. By June 7, 2025, over 23,000 attack attempts had been blocked, with attackers creating persistent admin accounts and locking out legitimate users. CTIX analysts urge all users to patch this vulnerability immediately and block the known malicious IPs listed in the Wordfence report.
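As an added detection example (not code from the Ankura report or from Wordfence), the following Python scans constructed, percent-encoded POST log lines for password-reset parameters whose raw bytes are not valid UTF-8, the request shape the report describes. The log line format and the parameter-name heuristic are assumptions, since the report does not name the widget's endpoint.

```python
from __future__ import annotations
import re
from urllib.parse import unquote_to_bytes

# Assumed log line shape (constructed; not a real server or WAF format):
#   <client-ip> POST <path> body=<percent-encoded form body>
LINE_RE = re.compile(r"^(?P<ip>\S+) POST (?P<path>\S+) body=(?P<body>\S*)$")

# Assumption: requests whose form field names contain one of these tokens are
# treated as password-reset traffic (the report names no endpoint).
RESET_PARAMS = ("reset", "password", "pass")


def malformed_utf8(raw: bytes) -> bool:
    """True if the bytes are not valid UTF-8 (bad continuation, overlong, surrogate)."""
    try:
        raw.decode("utf-8")  # strict mode rejects overlong forms and surrogates
        return False
    except UnicodeDecodeError:
        return True


def parse_params(body: bytes) -> dict[bytes, bytes]:
    """Split an x-www-form-urlencoded body while keeping every value as raw bytes."""
    out: dict[bytes, bytes] = {}
    for part in body.split(b"&"):
        if part:
            key, _, value = part.partition(b"=")
            out[key] = value
    return out


def scan(lines: list[str]) -> list[dict]:
    """Return one finding per reset request that carries malformed UTF-8."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        params = parse_params(unquote_to_bytes(m["body"]))  # bytes the server saw
        names = [k.decode("latin-1").lower() for k in params]
        if not any(tok in n for n in names for tok in RESET_PARAMS):
            continue  # not reset traffic; ignore even if the encoding is odd
        bad = [k.decode("latin-1") for k, v in params.items()
               if malformed_utf8(k) or malformed_utf8(v)]
        if bad:
            findings.append({"ip": m["ip"], "path": m["path"], "bad_params": bad})
    return findings


# Constructed sample traffic: a legitimate reset with a valid accented character,
# two resets with byte sequences that are not valid UTF-8, and unrelated traffic.
SAMPLE_LOG = [
    "203.0.113.5 POST /wp-login.php?action=lostpassword body=user_login=jos%C3%A9&reset=1",
    "198.51.100.7 POST /wp-admin/admin-ajax.php body=user_login=admin&new_pass=%C3%28&reset=1",
    "198.51.100.9 POST /wp-admin/admin-ajax.php body=user_login=admin&new_pass=%ED%A0%80x&reset=1",
    "203.0.113.8 POST /contact body=message=%C3%28",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Web servers rarely log request bodies by default, so in practice this logic belongs in a WAF rule or a reverse-proxy filter rather than a post-hoc log scan.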

 


© Copyright 2025. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.

Tags

report, cybersecurity & data privacy, data & technology, cyber response, data privacy & cyber risk
