Cyber Bites

Cyber Bites - 14th March 2025



* Critical PHP Vulnerability Under Mass Exploitation Worldwide

* Hacktivist Group Claims Responsibility for X Outages, Musk Blames "Massive Cyberattack"

* Cybercriminals Use Bogus Copyright Claims to Spread Malware on YouTube

* Former Software Developer Found Guilty of Sabotaging Employer's Systems

* Melbourne Man Charged in Mobile Number Porting Scam

Critical PHP Vulnerability Under Mass Exploitation Worldwide

https://www.bleepingcomputer.com/news/security/critical-php-rce-vulnerability-mass-exploited-in-new-attacks/

A critical PHP remote code execution vulnerability, CVE-2024-4577, is being actively exploited in widespread attacks targeting Windows systems globally. The bug is an argument injection in PHP when it runs in CGI mode on Windows: certain locales convert a percent-encoded soft hyphen in the query string into a "-", letting a request pass PHP command-line switches to the interpreter.

The vulnerability, patched in June 2024, allows unauthenticated attackers to execute arbitrary code on an exposed server, leading to complete system compromise.

While initial reports indicated targeted attacks against Japanese organizations, new data reveals a significant increase in exploitation attempts worldwide, including the United States, Singapore, Germany, and China.

Threat intelligence firm GreyNoise reports observing a surge in exploitation attempts since January 2025, with multiple public exploits for the bug available online.

The attacks involve attempts to steal credentials, establish persistence, elevate privileges, and deploy attacker tooling. The vulnerability has previously been used by ransomware groups and to deploy new malware, so any Windows host still running an unpatched PHP-CGI installation should be treated as exposed.
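As an added example (not code from the article, GreyNoise or the PHP project), the following Python scanner flags CVE-2024-4577 exploitation attempts in web-server access logs. Public exploits rely on the percent-encoded soft hyphen (%AD), which affected Windows locales Best-Fit map to "-", so that "%ADd" reaches php-cgi as the "-d" ini-override switch. The scanner decodes the query string to raw bytes, splits it the way CGI builds argv on "+", and reports any argument that begins with 0xAD. The sample log lines below are constructed for the example, not real traffic.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed Apache combined-format log lines (not real traffic). Lines 2 and 3
# carry the CVE-2024-4577 argument-injection pattern; lines 1 and 4 are benign.
SAMPLE_LOG = """\
203.0.113.10 - - [14/Mar/2025:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [14/Mar/2025:10:01:03 +0000] "POST /php-cgi/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 34 "-" "python-requests/2.31"
203.0.113.12 - - [14/Mar/2025:10:01:04 +0000] "POST /test.php?%ADd+cgi.force_redirect%3d0+%ADd+cgi.redirect_status_env%3d0 HTTP/1.1" 200 34 "-" "curl/8.0"
203.0.113.13 - - [14/Mar/2025:10:01:05 +0000] "GET /page.php?id=5-d HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Pull the request line out of a combined-format entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# 0xAD is the soft hyphen. On affected Windows locales PHP-CGI receives it
# Best-Fit mapped to '-', so b"\xadd" becomes the "-d" ini-override switch.
SOFT_HYPHEN = b"\xad"


def decode_query(target):
    """Return the query string as raw bytes so %AD survives as 0xAD."""
    if "?" not in target:
        return b""
    return unquote_to_bytes(target.split("?", 1)[1])


def injected_php_args(target):
    """List (option letter, following argument) pairs injected via a soft hyphen."""
    # CGI splits the query string into argv on '+' (RFC 3875 "indexed" query).
    args = decode_query(target).split(b"+")
    found = []
    for i, arg in enumerate(args):
        if arg[:1] == SOFT_HYPHEN and arg[1:2].isalpha():
            option = chr(arg[1])
            value = args[i + 1].decode("latin-1") if i + 1 < len(args) else ""
            found.append((option, value))
    return found


def scan_log(text):
    """Return one hit per log line whose query string carries injected switches."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        injected = injected_php_args(m.group("target"))
        if injected:
            hits.append({
                "ip": line.split()[0],
                "method": m.group("method"),
                "path": m.group("target").split("?", 1)[0],
                "injected": injected,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['method']} {hit['path']} -> {hit['injected']}")
```

A plain "-" in a query string (line 4) is not flagged, only the raw 0xAD byte that the exploit depends on. The pattern is worth alerting on even where the server is not a Windows PHP-CGI deployment, since it identifies a scanner or attacker probing for the bug.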

Hacktivist Group Claims Responsibility for X Outages, Musk Blames "Massive Cyberattack"

https://www.bleepingcomputer.com/news/security/x-hit-by-massive-cyberattack-amid-dark-storms-ddos-claims/

https://www.abc.net.au/news/2025-03-11/elon-musk-says-x-outages-result-of-cyber-attack/105035078

The hacktivist group Dark Storm has claimed responsibility for distributed denial-of-service (DDoS) attacks that caused multiple worldwide outages on the X platform. X owner Elon Musk confirmed a "massive cyberattack" against the platform, stating it was conducted with significant resources and potentially involved a large, coordinated group or a nation-state.

Dark Storm, a pro-Palestinian group active since 2023, posted evidence of their attacks on Telegram, including screenshots and links to website availability monitoring tools. X has since implemented DDoS protection from Cloudflare, displaying captchas to users connecting from suspicious IP addresses.

Musk later stated that the cyberattack involved IP addresses originating from Ukraine, but Dark Storm denied any connection to Ukraine. Source addresses are a weak attribution signal in a DDoS: the traffic typically comes from botnets of compromised devices spread across many countries, so where the packets originate says little about who is directing the attack.

Cybercriminals Use Bogus Copyright Claims to Spread Malware on YouTube

https://securelist.com/silentcryptominer-spreads-through-blackmail-on-youtube/115788/

Cybercriminals are exploiting YouTube's copyright claim system to coerce creators into promoting malware and cryptocurrency miners. They are targeting YouTubers who publish tutorials on Windows Packet Divert (WPD) tools, which are popular in Russia for bypassing internet censorship.

The attackers pose as copyright holders of these tools, filing false copyright claims and then contacting creators with a "resolution" that involves adding download links to trojanized versions of the software. These malicious versions, hosted on GitHub, contain a cryptominer downloader.

Creators, fearing channel bans, often comply. Kaspersky reports that one such video, with over 400,000 views, led to 40,000 malicious downloads before the link was removed. A Telegram channel with 340,000 subscribers also promoted the malware.

The malware uses a multi-stage loader, including a Python-based loader and a second-stage executable padded to a very large size so that sandboxes and scanners skip it. It excludes itself from Microsoft Defender, establishes persistence, and downloads SilentCryptoMiner, a modified XMRig miner. The miner injects itself into a legitimate system process via process hollowing and pauses mining while process-monitoring tools are running, so a user checking CPU usage sees nothing unusual.

While currently targeting Russian users, this tactic could be used to distribute other malware, such as info-stealers or ransomware, on a broader scale. Users are advised to avoid downloading software from links provided in YouTube videos, especially from smaller channels.

Former Software Developer Found Guilty of Sabotaging Employer's Systems

https://www.justice.gov/opa/pr/texas-man-convicted-sabotaging-his-employers-computer-systems-and-deleting-data

A federal jury in Cleveland has convicted Davis Lu, 55, a former senior software developer at Eaton Corporation, of sabotaging the company's computer systems. Lu faces up to ten years in prison.

Lu, who worked at Eaton from 2007 to 2019, began deploying malicious code after a demotion in 2019. He wrote a Java program that crashed production systems by spawning threads in an infinite loop until the servers ran out of resources. He also built a "kill switch" that locked out thousands of employees worldwide once his Active Directory account was disabled on termination. The "kill switch" code was named "IsDLEnabledinAD", short for "Is Davis Lu enabled in Active Directory".

Investigators found Lu's malware and related code on internal development servers, linking his user account to the sabotage. He attempted to delete data and wipe his company laptop before returning it. Lu confessed to federal investigators in 2019 but pleaded not guilty, leading to the jury trial and his subsequent conviction.

Melbourne Man Charged in Mobile Number Porting Scam

https://www.afp.gov.au/news-centre/media-release/victorian-man-charged-over-alleged-bulk-phone-porting-scam

A Melbourne man is facing court after allegedly attempting to steal mobile numbers from identity theft victims. The man, 34, is accused of making 193 unauthorized "port-in" attempts, successfully transferring 44 mobile numbers to his control.

The Australian Federal Police (AFP) began investigating in July 2024 after a telecommunications company reported suspicious porting activity. Once a number has been ported, the criminal receives the victim's SMS one-time codes, which defeats SMS-based multi-factor authentication and opens the way to the victim's bank and other accounts.

A search warrant executed at the man's residence resulted in the seizure of mobile phones, a computer, SIM cards, and suspected drug items. He has been charged with unauthorized modification of data, which carries a maximum penalty of 10 years imprisonment.

The AFP urges individuals to be vigilant for unexpected text messages about a port request or a phone that suddenly loses network service, as these can indicate an unauthorized porting attempt. Victims are advised to contact their mobile provider and bank immediately, and to report the incident to ReportCyber.



This is a public episode. If you would like to discuss this with other subscribers or get access to bonus episodes, visit edwinkwan.substack.com

Cyber Bites by Edwin Kwan