Welcome to the weekly digest about the Cybersecurity & Threats in the wild.
Below you will find a very subjective summary of Cybersecurity events for the prior week.
1. Boramae Ransomware by @CyfirmaR
- encrypts files, appending the “.boramae” extension
- ransom note pressures to pay, claiming that only attackers can decrypt files
- the note also promises a 50% discount if paid within 12 hours
https://www.cyfirma.com/research/boramae-ransomware/
2. GO Language Based Ebyte Ransomware – A Brief Analysis by @CyfirmaR
- new ransomware variant, written in Go
- employs ChaCha20 for encryption and ECIES for secure key transmission
- developed by EvilByteCode, who has a history of creating multiple offensive security tools
- publicly available on GitHub
https://www.cyfirma.com/research/go-language-based-ebyte-ransomware-a-brief-analysis/
3. LithiumWare Ransomware by @CyfirmaR
- newly identified “LithiumWareV2.exe” found on surface web
- it monitors the clipboard & exfiltrates data
- malware spreads publicly, increasing infection risks
https://www.cyfirma.com/research/lithiumware-ransomware/
4. Black Basta and Cactus Ransomware Groups Add BackConnect Malware to Their Arsenal by @TrendMicro
- attackers utilized social engineering to lure victims into giving them initial access
- abused Microsoft Teams for impersonation & privilege escalation
- abused OneDriveStandaloneUpdater.exe (responsible for updating OneDrive) to side-load malicious DLLs, which provided attackers access to internal networks
- utilized the BACKCONNECT malware to control the compromised machine persistently
https://www.trendmicro.com/en_us/research/25/b/black-basta-cactus-ransomware-backconnect.html
5. Exploiting DeepSeek-R1: Breaking Down Chain of Thought Security by @TrendMicro
- prompt attacks can exploit the transparency of CoT reasoning to achieve malicious objectives, similar to phishing tactics, and can vary in impact depending on context
- used tools like NVIDIA’s Garak to test various attack techniques on DeepSeek-R1
- discovered that insecure output generation and sensitive data theft had higher success rates due to the CoT exposure
https://www.trendmicro.com/en_us/research/25/c/exploiting-deepseek-r1.html
6. The Next Level: Typo DGAs Used in Malicious Redirection Chains by #PaloAlto’s #Unit42
- new campaign in which an attacker leverages newly registered domains (NRDs) and introduces a new variant of domain generation algorithms (DGAs) potentially designed to avoid detection
- campaign used over 6,000 NRDs that redirected to similar paths on domains resembling those generated by dictionary-based DGAs
- NRDs redirected users to URLs that lead to advertisements of potentially unwanted Android apps
https://unit42.paloaltonetworks.com/typo-domain-generation-algorithms/
7. Multiple Vulnerabilities Discovered in a SCADA System by #PaloAlto’s #Unit42
- in early 2024 a security assessment of a Supervisory Control and Data Acquisition (SCADA) system named ICONICS Suite was conducted, identifying 5 vulns in v10.97.2 and earlier for Microsoft Windows
- ICONICS security team released multiple security patches in 2024 to resolve some of these issues and published timely security advisories with workarounds for the rest
- CVE-2024-1182 DLL Hijacking in Memory Master Config leading to elevation of privilege
- CVE-2024-7587 Incorrect Default Permissions
- CVE-2024-8299 Uncontrolled Search Path Element
- CVE-2024-8300 Dead Code
- CVE-2024-9852 Uncontrolled Search Path Element
https://unit42.paloaltonetworks.com/vulnerabilities-in-iconics-software-suite/
8. Initial Takeaways from the Black Basta Chat Leaks by @esthreat
- The Black Basta ransomware group’s internal chat logs, leaked on Feb 11, 2025, consist of nearly 200,000 Russian-language messages spanning Sep 18, 2023 – Sep 28, 2024
- logs (exposed by “ExploitWhispers”) provide a detailed look into the group’s operations, internal dynamics & eventual decline
https://www.esentire.com/blog/initial-takeaways-from-the-black-basta-chat-leaks
9. Highway Robbery 2.0: How Attackers Are Exploiting Toll Systems in Phishing Scams by @censysio
- scam isn’t limited to E-ZPass; there are fake alerts for SunPass, TxTag, Peach Pass, and even generic toll roads
- most messages came through iMessage, not regular SMS; senders: +44 (UK) & +63 (Philippines) are both known for cheap, disposable SIMs used in fraud campaigns
- all part of a massive, ongoing scam affecting thousands of drivers across the U.S.
https://censys.com/highway-robbery-2-0/
Thank you for reading.
Please add interesting items you came across during the week in the comments below.