
Ankura CTIX FLASH Update - July 15, 2025

Malware Activity


Rising Tide of Sophisticated Cyber Threats Targeting WordPress and Beyond

Recent cybersecurity reports highlight a surge in complex cyberattacks that exploit trusted digital channels, notably within the WordPress ecosystem. A developer of Gravity Forms was targeted in a high-level breach that led to the distribution of malicious plugin versions, compromising numerous websites. At the same time, attackers are leveraging legitimate software like FileFix to spread advanced malware variants such as Interlock RAT, a remote access trojan that grants cybercriminals extensive control over infected systems. The emergence of interconnected threats like AstraLocker ransomware further complicates defenses, with threat actors combining ransomware and RAT functionality to maximize damage. These incidents underscore the need for developers and organizations to adopt rigorous security practices, timely patching, and continuous monitoring to stay ahead of evolving cybercriminal tactics that threaten digital assets globally. CTIX analysts will continue to report on the latest malware strains and attack methodologies.


Threat Actor Activity


Four Individuals Arrested in Connection to Cyber Attacks on Major Retailers, M&S and Co-op

The U.K. National Crime Agency (NCA) arrested four (4) individuals in connection with cyberattacks targeting major retailers Marks & Spencer, Co-op, and Harrods. The suspects, aged between seventeen (17) and twenty (20), were apprehended in London and the West Midlands on charges including Computer Misuse Act offenses, blackmail, money laundering, and participation in organized crime activities. Their electronic devices were seized for forensic analysis. The attacks, which began in mid-April, caused significant disruption, with M&S estimating anywhere between £270 million ($363 million) and £440 million ($592 million) in lost profits. The cybercriminals deployed ransomware, encrypting IT networks and demanding payment. The Co-op managed to disconnect its internet in time to prevent further damage, while Harrods also disconnected systems to thwart the attackers. The cybercrime group Scattered Spider, known for social engineering and ransomware, is believed to be involved. The group targets industries based on visibility and payout potential, often using phishing domains that mimic legitimate corporate portals. The arrests are seen as a significant step in combating the e-crime syndicate, illustrating the importance of international collaboration. CTIX recommends that organizations train staff on identity verification and implement phishing-resistant multi-factor authentication (MFA) to defend against such intrusions.


Vulnerabilities


Critical FortiWeb SQL Injection Vulnerability Enables Pre-Auth Remote Code Execution

A critical SQL injection vulnerability in Fortinet’s FortiWeb web application firewall allows unauthenticated attackers to execute arbitrary SQL commands and potentially achieve remote code execution (RCE). Rated with a CVSS score of 9.8/10, the flaw, tracked as CVE-2025-25257, exists in the get_fabric_user_by_token function within the Fabric Connector, which improperly sanitizes user input passed via the Authorization header. This allows maliciously crafted HTTP/HTTPS requests to inject SQL into backend queries. Exploitation can be extended to RCE by using MySQL’s SELECT ... INTO OUTFILE statement to write a malicious .pth Python file into FortiWeb’s environment, which is then automatically executed by existing CGI Python scripts. The vulnerability affects FortiWeb versions 7.0.0 through 7.6.3 and has been patched in 7.0.11, 7.2.11, 7.4.8, and 7.6.4. While there is no evidence of active exploitation yet, public proof-of-concept (PoC) exploits have been released, significantly increasing the risk. CTIX analysts strongly advise affected organizations to patch immediately or, as a temporary workaround, disable the HTTP/HTTPS administrative interface.
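The following is an added example for defenders, not code from Ankura or Fortinet. It does two things a response team would want while the patch is rolled out: decides whether a reported FortiWeb version falls inside the affected range using only the version numbers stated above (the fixed releases 7.0.11, 7.2.11, 7.4.8 and 7.6.4), and triages Authorization header values from access logs for the indicators the advisory describes (SQL keywords, quote and comment characters, INTO OUTFILE, a .pth filename). Assumptions: the header carries an RFC 6750 bearer token, so characters outside the token68 alphabet are treated as suspicious; a 7.x branch the advisory does not name is conservatively treated as affected when it sits between 7.0.0 and 7.6.3; the sample records and the crude injection-looking string are constructed for the test and are not real traffic or a working exploit.

```python
import re

# CVE-2025-25257 (FortiWeb): affected 7.0.0 through 7.6.3; fixed in
# 7.0.11, 7.2.11, 7.4.8 and 7.6.4 (version numbers taken from the advisory text).
FIXED_PATCH_BY_BRANCH = {(7, 0): 11, (7, 2): 11, (7, 4): 8, (7, 6): 4}
AFFECTED_RANGE = ((7, 0, 0), (7, 6, 3))


def parse_version(version: str) -> tuple:
    """Turn 'major.minor.patch' into an integer tuple; reject anything else."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version format: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True if the given FortiWeb version still needs the CVE-2025-25257 fix."""
    major, minor, patch = parse_version(version)
    fixed_patch = FIXED_PATCH_BY_BRANCH.get((major, minor))
    if fixed_patch is not None:
        return patch < fixed_patch
    # Branch not named in the advisory: conservatively treat anything inside
    # the stated 7.0.0-7.6.3 range as affected (assumption, not from the advisory).
    return AFFECTED_RANGE[0] <= (major, minor, patch) <= AFFECTED_RANGE[1]


# RFC 6750 bearer tokens use the token68 alphabet; anything else in a
# "Bearer ..." header is worth a second look (assumption about expected input).
BEARER_TOKEN68 = re.compile(r"^Bearer [A-Za-z0-9\-._~+/]+=*$")

# Indicators drawn from the advisory: SQL keywords, quotes, comment markers,
# MySQL's INTO OUTFILE and a .pth filename.
SQL_INDICATORS = re.compile(
    r"""(?i)\b(select|union|into\s+outfile|sleep|benchmark)\b|["']|--|/\*|\.pth\b"""
)


def inspect_authorization(header_value: str) -> list:
    """Return reasons an Authorization header looks like an injection attempt (empty if clean)."""
    reasons = []
    if header_value.startswith("Bearer ") and not BEARER_TOKEN68.match(header_value):
        reasons.append("token contains characters outside the bearer token alphabet")
    hits = sorted({m.group(0).lower() for m in SQL_INDICATORS.finditer(header_value)})
    if hits:
        reasons.append("SQL/file-write indicators: " + ", ".join(hits))
    return reasons


# Constructed sample records (not real traffic): (source address, Authorization header value).
SAMPLE_REQUESTS = [
    ("198.51.100.10", "Bearer c2FtcGxlLXRva2VuLWZvci1kZW1v"),
    ("203.0.113.7", "Bearer x' UNION SELECT 1 INTO OUTFILE '/tmp/EXAMPLE.pth' -- "),
    ("198.51.100.11", "Basic dXNlcjpwYXNz"),
]


def triage(records) -> list:
    """Return (source, reasons) for every record that triggers at least one indicator."""
    flagged = []
    for source, header in records:
        reasons = inspect_authorization(header)
        if reasons:
            flagged.append((source, reasons))
    return flagged


if __name__ == "__main__":
    for v in ("7.6.3", "7.6.4", "7.0.10", "7.4.8", "8.0.0"):
        print(v, "affected" if is_affected(v) else "not affected")
    for source, reasons in triage(SAMPLE_REQUESTS):
        print(source, reasons)
```

The version check is the part to trust: it is a direct encoding of the advisory's fixed releases. The header triage is a coarse first-pass filter; a hit only tells you which requests to pull for closer review, and the real control remains patching or disabling the administrative HTTP/HTTPS interface as the advisory recommends.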


© Copyright 2025. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.

Tags

report, cybersecurity & data privacy, data & technology, cyber response, data privacy & cyber risk
