This Week in Cybersecurity: Looking Back at Week 6

February 7, 2025 Reading Time: 5 minutes

This Week's Headlines


Phishing Campaign Exploits Microsoft ADFS to Bypass MFA and Hijack Accounts

A sophisticated phishing campaign is targeting Microsoft Active Directory Federation Services (ADFS) to bypass multifactor authentication (MFA) and take over user accounts. Researchers from Abnormal Security discovered the attack, which has affected around 150 organisations, primarily in the education sector.

Threat actors are sending spoofed emails posing as IT help desk notifications, tricking users into clicking malicious links that lead to fake ADFS login pages. These pages closely mimic legitimate authentication portals, allowing attackers to harvest credentials and MFA codes. Once compromised, attackers gain access to single sign-on (SSO) services, enabling them to move laterally across networks, conduct reconnaissance, intercept emails, and launch further phishing attacks.

Experts warn that legacy ADFS implementations, originally designed for on-premises environments, are now more vulnerable due to widespread cloud adoption. Security professionals recommend transitioning to Microsoft’s modern identity platform, Entra, using phishing-resistant MFA, and implementing advanced email filtering and behavior monitoring to detect and prevent these attacks.

View Source

Chrome 133 and Firefox 135 Release Patches for High-Severity Vulnerabilities

Google and Mozilla have issued updates for their browsers, Chrome 133 and Firefox 135, addressing multiple high-severity memory safety vulnerabilities.

In Chrome 133, two significant use-after-free flaws were patched: one in the Skia 2D graphics library (CVE-2025-0444) and another in the V8 JavaScript engine (CVE-2025-0445). Mozilla’s Firefox 135 update fixed similar high-severity issues, including use-after-free vulnerabilities in the Custom Highlight API and the Extensible Stylesheet Language Transformations (XSLT) language.

Users are strongly advised to update their browsers promptly to mitigate potential security risks.

View Source

AsyncRAT Malware Campaign Leverages Python Payloads and Cloudflare Tunnels for Stealthy Attacks

A recent malware campaign has been identified utilising phishing emails to distribute the AsyncRAT remote access trojan.

Attackers employ Python-based payloads and abuse Cloudflare’s TryCloudflare service to establish covert tunnels, facilitating unauthorised access and data exfiltration.

The attack sequence begins with a phishing email containing a Dropbox link that downloads a ZIP archive. This archive includes an internet shortcut leading to a Windows LNK file, which, when executed, initiates a series of scripts culminating in the deployment of AsyncRAT and other malware such as Venom RAT and XWorm.

View Source

Malicious Go Package Exploits Module Mirror Caching for Persistent Remote Access

A malicious Go package named github.com/boltdb-go/bolt has been identified as a typosquat of the legitimate BoltDB module (github.com/boltdb/bolt).

Published in November 2021, this backdoored package grants attackers remote access to infected systems, enabling arbitrary command execution. The threat actor manipulated Git tags in the source repository to redirect them to a benign version, while the Go Module Mirror’s indefinite caching retained the malicious version, allowing the attack to persist.

Developers are advised to verify package authenticity and monitor for such deceptive practices to mitigate supply chain risks.

View Source

Malvertising Campaign Targets Microsoft Advertisers via Fake Google Ads

Cybersecurity researchers have uncovered a malvertising campaign that targets Microsoft advertisers through fraudulent Google ads. When users search for terms like “Microsoft Ads” on Google, they are presented with sponsored ads that lead to phishing pages mimicking Microsoft’s advertising platform.

These deceptive pages are designed to harvest login credentials and two-factor authentication codes, enabling attackers to hijack accounts.

The threat actors employ evasion techniques, such as redirecting traffic from VPNs to fake marketing sites and using Cloudflare challenges to filter out bots.

This campaign shares similarities with previous attacks targeting Google Ads users and highlights the ongoing risks associated with malvertising.

View Source

Zyxel Declines to Patch Exploited Zero-Day Vulnerabilities in Legacy DSL Devices

Zyxel has announced that it will not release patches for two actively exploited zero-day vulnerabilities, identified as CVE-2024-40890 and CVE-2024-40891, affecting multiple legacy DSL CPE models.

These command injection flaws can be exploited by attackers to execute arbitrary commands, potentially leading to full device takeover and data exfiltration. The impacted models include:

  • VMG1312-B10A
  • VMG1312-B10B
  • VMG1312-B10E
  • VMG3312-B10A
  • VMG3313-B10A
  • VMG3926-B10B
  • VMG4325-B10A
  • VMG4380-B10A
  • VMG8324-B10A
  • VMG8924-B10A
  • SBG3300
  • SBG3500

Zyxel cites the end-of-life status of these devices as the reason for not providing security updates and advises users to replace them with newer equipment to ensure optimal protection.

View Source

Critical Veeam Vulnerability Allows Remote Code Execution via Man-in-the-Middle Attacks

Veeam has released patches for a critical security flaw, identified as CVE-2025-23114, affecting multiple products, including Veeam Backup for Salesforce, for Nutanix AHV, for AWS, for Microsoft Azure, for Google Cloud, and for Oracle Linux Virtualization Manager and Red Hat Virtualization.

The vulnerability, with a CVSS score of 9.0, resides in the Veeam Updater component and permits attackers to execute arbitrary code on affected servers through man-in-the-middle attacks, potentially gaining root-level permissions.

Users are strongly advised to update to the latest versions of the affected products to mitigate this risk.

View Source

California Man Sentenced to Seven Years for $50 Million Financial Fraud Scheme

Allen Giltman, a 59-year-old from Irvine, California, has been sentenced to 7 years and 3 months in prison for orchestrating a massive financial fraud scheme that stole approximately $50 million from over 70 victims.

Between 2012 and 2020, Giltman and his co-conspirators created at least 150 fake websites mimicking legitimate financial institutions, luring investors with promises of high returns. Victims, many of them retirees, were deceived into believing they were investing in private lending opportunities, but their funds were instead funneled to offshore accounts in Russia, Georgia, Hong Kong, and Turkey.

Giltman attempted to evade detection using VPNs, encrypted messaging apps, and prepaid cell phones. Despite these efforts, he was convicted and ordered to forfeit assets, including $100,000 in cash and luxury watches.

View Source
