Posts

Mozilla Phishing Campaign Targets Add‑On Developers

  Mozilla has issued a serious warning to Firefox add-on developers about an active phishing campaign impersonating the official AMO (addons.mozilla.org) team. These deceptive emails claim that developers must perform updates to maintain access to key features, urging them to click on suspicious links, often leading to credential theft. Developers are advised to stay vigilant: always verify that emails come from legitimate Mozilla domains (such as mozilla.org and firefox.com), confirm SPF/DKIM/DMARC authentication, avoid clicking on email links, and navigate to Mozilla sites manually when logging in. At least one developer has reported being victimized, though the total impact remains unclear. This incident follows Mozilla’s recent crackdown on other malicious extensions, like fake crypto wallets, and emphasizes the importance of layered security for both developers and users.    https://cybersecuritynews.com/mozilla-phishing-attacks-targeting-add-on-developers-account/  ...
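The sender-domain and SPF/DKIM/DMARC checks the advisory recommends, as an added Python example that is not from Mozilla or the original post. It reads the From: address and the Authentication-Results header that a receiving mail server records, and flags links that point off Mozilla domains; the two sample messages and the phishing domain are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr
# Sender domains the advisory names as legitimate; subdomains of them are accepted.
TRUSTED_DOMAINS = ("mozilla.org", "firefox.com")
URL_RE = re.compile(r'https?://([^/\s<>"]+)', re.I)

def is_trusted_domain(domain):
    domain = domain.lower()
    return any(domain == d or domain.endswith("." + d) for d in TRUSTED_DOMAINS)

def sender_domain(msg):
    _, addr = parseaddr(msg.get("From", ""))  # the address the recipient sees
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def auth_results(msg):
    """spf/dkim/dmarc verdicts recorded by the receiving MTA in Authentication-Results."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            verdicts.setdefault(method.lower(), verdict.lower())
    return verdicts

def assess(raw_message):
    """Return (verdict, reasons); any failed check makes the message 'suspicious'."""
    msg = message_from_string(raw_message)
    reasons = []
    domain = sender_domain(msg)
    if not is_trusted_domain(domain):
        reasons.append(f"From domain '{domain}' is not a Mozilla domain")
    auth = auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method) != "pass":
            reasons.append(f"{method} did not pass (got '{auth.get(method, 'missing')}')")
    # The advisory says not to click mailed links; links off Mozilla domains are flagged.
    for host in URL_RE.findall(msg.get_payload()):
        if not is_trusted_domain(host.split(":")[0]):
            reasons.append(f"link to non-Mozilla host '{host}'")
    return ("trusted" if not reasons else "suspicious"), reasons

# Constructed sample messages (not real mail); the phishing domain is a placeholder.
LEGIT = """From: AMO Team <amo-notify@mozilla.org>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=mozilla.org; dkim=pass header.d=mozilla.org; dmarc=pass header.from=mozilla.org

Your add-on passed review: https://addons.mozilla.org/developers/"""
PHISH = """From: AMO Team <amo-team@mozilla-addons-support.example>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=mozilla-addons-support.example; dkim=none; dmarc=fail header.from=mozilla-addons-support.example

Update now or lose access: https://mozilla-addons-support.example/login"""
```

A real deployment should only trust an Authentication-Results header stamped by your own mail server, since an attacker can add a forged one upstream.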

SEO Poisoning Attack Delivers Oyster Malware via Fake PuTTY & WinSCP Downloads

  A stealthy, large-scale campaign, discovered in June 2025, utilized malicious ads and built-in SEO poisoning to distribute the Oyster (also known as Broomstick or CleanUpLoader) backdoor. The attackers trojanized legitimate IT tools, specifically PuTTY and WinSCP, to deliver malware through seemingly trusted installers. These deceptive sites mimicked official download pages, luring IT professionals and system admins searching online into running compromised installers. Once executed, the malware establishes persistence by installing a DLL (twain_96.dll) and registering scheduled tasks that run every three minutes via rundll32.exe using DLL registration tricks for stealth. With Oyster onboard, actors gain remote access, steal credentials, execute code, and deploy further malicious payloads, posing a heightened risk within enterprise environments. Security teams are urged to avoid downloading administrative tools from search engine results or sponsored ads. Instead, download only f...
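A hunting check for the persistence mechanism described above, as an added Python example that is not from the original report: it parses an exported Task Scheduler XML and flags tasks whose action runs rundll32.exe against twain_96.dll, or against any DLL outside the Windows system directories, and reports a short repetition interval on such tasks. The sample task, its DLL path and the DllRegisterServer entry point are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
DURATION_RE = re.compile(r"^P(?:(\d+)D)?T?(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?$")

def duration_seconds(text):
    """Convert a Task Scheduler ISO 8601 duration such as PT3M to seconds."""
    m = DURATION_RE.match((text or "").strip())
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s

def suspicious_findings(task_xml, max_interval=300):
    """Findings for one exported task XML; an empty list means nothing matched."""
    root = ET.fromstring(task_xml)
    findings = []
    for exe in root.findall(".//t:Actions/t:Exec", NS):
        cmd = (exe.findtext("t:Command", "", NS) or "").strip().lower()
        dll = re.search(r'([^\s",]+\.dll)', exe.findtext("t:Arguments", "", NS) or "", re.I)
        if not cmd.endswith("rundll32.exe") or not dll:
            continue
        dll_path = dll.group(1).lower()
        if dll_path.endswith("twain_96.dll"):  # DLL name reported for this campaign
            findings.append(f"rundll32 loads campaign DLL {dll_path}")
        elif not re.search(r"\\windows\\sys(tem32|wow64)\\", dll_path):
            findings.append(f"rundll32 loads DLL outside system directories: {dll_path}")
    if not findings:
        return findings  # only rundll32-backed tasks are checked for short repetition
    for interval in root.iterfind(".//t:Repetition/t:Interval", NS):
        secs = duration_seconds(interval.text)
        if secs is not None and secs <= max_interval:
            findings.append(f"task repeats every {secs}s")
    return findings

# Constructed sample (not a real export); the DLL path and entry point are assumptions.
SAMPLE_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled>
    <Repetition><Interval>PT3M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
  </LogonTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\\Windows\\System32\\rundll32.exe</Command>
    <Arguments>C:\\Users\\Public\\twain_96.dll,DllRegisterServer</Arguments>
  </Exec></Actions>
</Task>"""
```

Feed it the XML that `schtasks /query /xml` or a task-export script produces for each task, and review anything that returns findings.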

CTEM vs ASM vs Vulnerability Management: the trio you need in 2025

 A threat landscape that evolves from day to day demands more than traditional, reactive cybersecurity approaches. To stay ahead, organizations should adopt three complementary strategies: Vulnerability Management (VM), Attack Surface Management (ASM), and Continuous Threat Exposure Management (CTEM). Vulnerability Management focuses on the routine identification, evaluation, and remediation of known software flaws before attackers can exploit them. Attack Surface Management takes a broader view by discovering all potential entry points into your systems, both known and hidden, and assessing each by exposure and risk. Continuous Threat Exposure Management combines the strengths of VM and ASM and adds real-world threat simulations, ongoing monitoring, and proactive response prioritized by actual risk and business priorities. The key takeaway is that no single solution is sufficient on its own. ...

Hyper-Volumetric DDoS Strikes Record Levels

 Cloudflare's Q2 DDoS report reveals an alarming surge in hyper-volumetric attacks, those exceeding 1 Tbps or 1 Bpps (billion packets per second), with a record-shattering peak of 7.3 Tbps and 4.8 billion pps reached within seconds. Although the total number of DDoS attempts dropped from 20.5 million in Q1 to 7.3 million in Q2, these massive assaults now average 71 per day, a staggering rise in both volume and intensity. HTTP-based DDoS attacks increased by 9% to 4.1 million, while Layer 3/4 attacks declined by 81%, implying that attackers are shifting toward application-layer techniques. These attacks mostly target telecom providers, internet services, gaming platforms and critical infrastructure. Alarmingly, ransom-driven DDoS extortion incidents jumped 68%, with attackers demanding payment to call off the attacks. A new botnet variant called DemonBot is actively recruiting vulnerable IoT devices via default credentials or open ports, enabling more intense UDP, TCP and applicat...

Why Default Passwords Must Go

 CISA has raised urgent alarms over the persistent use of default passwords in manufacturing systems, such as the "1111" password used in the breach of a U.S. water facility by Iranian hackers, which gave the attackers easy access to critical infrastructure. Despite widespread awareness of the risk posed by out-of-the-box credentials, manufacturers often leave them unchanged for convenience or legacy compatibility, enabling cyber criminals to launch botnet attacks, install ransomware, or infiltrate supply chains. To combat these threats, CISA is calling on manufacturers to eliminate default passwords entirely and adopt secure-by-design practices such as assigning a unique credential per device and incorporating credential-rotation APIs. Meanwhile, IT teams are urged to proactively audit and update any remaining default settings in their environments, as ignoring this simple but critical step can undermine all other security defenses.  https://thehackernews.com/2025/07/manufacturing-securi...

Malicious Firefox Extensions Target Crypto Wallets

 Over 40 fake Firefox extensions mimicking popular crypto wallets like MetaMask, Trust Wallet, and Coinbase have been caught stealing users' private keys, seed phrases and IP addresses. Since April 2025 these add-ons have used stolen branding, fake five-star reviews from bots and hidden malicious code to appear legitimate. Unlike phishing sites, these browser-based attacks are harder to detect. Mozilla has removed most of the extensions and added warning systems to catch similar threats in the future. Users are advised to install only verified extensions, review permissions carefully, and regularly audit their browser add-ons when handling crypto. Security experts urge users to install add-ons only from verified publishers and to regularly audit installed extensions that handle sensitive financial operations.  https://thehackernews.com/2025/07/over-40-malicious-firefox-extensions.html

CISA Flags Serious Risk in SimpleHelp RMM: a Supply Chain Wake-Up Call

CISA issued a stern warning after ransomware gangs exploited vulnerabilities in the SimpleHelp remote support tool used by a utility billing provider to breach the vendor and its downstream customers. The affected versions of the tool, 5.5.7 and earlier, contained a critical path traversal flaw (CVE-2024-57727) that allowed attackers to quickly gain unauthorized access. Even though SimpleHelp released patches in January, multiple service providers and clients remained vulnerable well into June. CISA advised all affected organizations and end users to isolate vulnerable systems, update immediately, and conduct threat-hunting scans. This incident highlights how a single vulnerability in a software supply chain can cascade into widespread risk, and underscores the importance of rigorous auditing and proper patching of even remote management tools.   https://www.cybersecuritydive.com/news/simplehelp-vulnerabilities-cisa-warning/750676/