Cyber Threats Surge: Highlights of the Week by Jet CSIRT

Today’s top five highlights include the rising number of exploits and attacks leveraging zero-day vulnerabilities in Q1 2025, a covert backdoor campaign targeting ASUS routers, vulnerabilities in Safari, new Silent Werewolf loaders used in attacks against organizations in Russia and Moldova, and a scam involving fake invoices for Microsoft 365 purchases.

Increase in exploits and zero-day vulnerability attacks in Q1 2025

Kaspersky analysts have reported a significant uptick in the number of exploits during the first quarter of 2025, notably in Microsoft products, networking equipment, and IoT devices. There has been a marked rise in attacks that utilize zero-day vulnerabilities, indicating increased activity from cybercriminals. Particular emphasis is placed on vulnerabilities in cloud services and corporate VPNs, which are becoming primary targets. There is also a rise in the use of exploits in widely used office applications and database management systems. These trends underscore the urgent need to enhance security measures in these areas.

Covert backdoor campaign affecting ASUS routers

Experts from GreyNoise have uncovered a large-scale campaign in which attackers have gained persistent unauthorized access to thousands of ASUS routers. The attack is characterized by its stealthy nature and abuses built-in system functionality to maintain a continuous presence, even after device reboots. It is believed that the goal of this campaign is to establish a distributed network of infected devices for future attacks. Although ASUS has released patches, users are advised to check their devices for an SSH service listening on TCP/53282, examine the authorized_keys file for illegitimate entries, block suspicious IP addresses, and perform a complete factory reset if compromise is suspected.
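The two device checks named above (the TCP/53282 listener and unknown authorized_keys entries) as an added POSIX shell example; this is not code from Jet CSIRT, GreyNoise or ASUS. The allowlisted key, the authorized_keys content and the netstat output are constructed sample data so the script runs offline; on a real device the authorized_keys path depends on the firmware (an assumption here) and the netstat input is the live output of `netstat -tln`.

```shell
#!/bin/sh
# Added example (not from the digest or ASUS): triage checks for the router
# campaign described above, run over constructed sample data so it works
# offline. Feed it the live authorized_keys file and `netstat -tln` output.

# Allowlist of keys the administrator provisioned (constructed placeholder).
KNOWN_KEYS='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEADMINKEY000000000000000000000000000 admin@home'

# Constructed authorized_keys: one provisioned key, one that nobody added.
SAMPLE_AUTH_KEYS='# managed by admin
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEADMINKEY000000000000000000000000000 admin@home
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUNKNOWNKEYPLACEHOLDER00000000000000000000000 nobody@example'

# Constructed `netstat -tln` output showing the suspicious high-port listener.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:53282           0.0.0.0:*               LISTEN'

# key_blob LINES: print "type blob" for each authorized_keys entry, skipping
# any leading options such as command="..." or from="...".
key_blob() {
  printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++)
    if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $i " " $(i+1); next } }'
}

# unknown_keys FILE: print each non-comment entry whose key is not allowlisted.
unknown_keys() {
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    blob=$(key_blob "$line")
    if ! key_blob "$KNOWN_KEYS" | grep -qxF "$blob"; then
      printf '%s\n' "$line"
    fi
  done < "$1"
}

# port_listening PORT FILE: succeed if FILE (netstat output) shows a TCP
# socket bound to PORT in LISTEN state.
port_listening() {
  awk -v p="$1" '$1 ~ /^tcp/ && $4 ~ (":" p "$") && $NF == "LISTEN" { f = 1 }
                 END { exit !f }' "$2"
}
# Demo run over the constructed samples.
KEYS_FILE=$(mktemp); printf '%s\n' "$SAMPLE_AUTH_KEYS" > "$KEYS_FILE"
NET_FILE=$(mktemp);  printf '%s\n' "$SAMPLE_NETSTAT" > "$NET_FILE"
echo "authorized_keys entries not on the allowlist:"; unknown_keys "$KEYS_FILE"
port_listening 53282 "$NET_FILE" && echo "TCP/53282 is listening: investigate"
rm -f "$KEYS_FILE" "$NET_FILE"
```

A flagged key or an unexpected listener is a reason to follow the advice above (block the peers, then reset), not proof of compromise on its own; a key you provisioned but forgot to allowlist will also be printed.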

Safari vulnerability enables credential theft

A vulnerability has been discovered in the Safari browser that allows attackers to abuse the fullscreen API to conduct browser-in-the-middle (BitM) attacks. One characteristic of Safari is that it does not show any explicit warning when entering fullscreen mode, which makes these attacks particularly effective. When Safari is switched to fullscreen, its own user interface (address bar, tabs, etc.) is completely hidden. Using a VNC client running directly within the browser (such as noVNC), attackers can stream a session of a legitimate browser running on their remote server to the user. This creates a complete illusion of working in a normal window, while in fact the user is interacting with a browser controlled by the attackers.

Silent Werewolf uses new loaders in attacks against organizations in Russia and Moldova

Experts from BI.ZONE have reported new campaigns by the Silent Werewolf group targeting organizations in Russia and Moldova. These attacks focus on governmental and commercial entities with the aim of stealing sensitive information and establishing persistent access to their systems. For each wave of attacks, Silent Werewolf has developed a unique new loader, which is distributed through phishing emails. BI.ZONE notes that the malware utilizes legitimate Windows tools for privilege escalation and persistence on the system. The attackers employ sophisticated obfuscation methods to bypass traditional security measures, allowing them to remain undetected in the system for extended periods to achieve their objectives.

Fraud involving fake invoices for Microsoft 365

Kaspersky has issued warnings about a new wave of phishing attacks in which criminals send fraudulent payment emails for Microsoft 365 subscriptions from the company's genuine address, microsoft-noreply@microsoft.com. In the Billing information section, where customer billing details are typically included, the scammers substitute their own contact number and an offer of assistance. When users call this number to clarify the charge for a subscription they did not purchase, they are persuaded to install an executable file (presumably containing a RAT) and to log into online banking under the pretext of requesting a refund. The installed software could then allow the attackers to capture banking credentials. This social engineering strategy aims to create panic over an "expensive" subscription so that the user acts hastily. Experts recommend training employees to recognize such schemes and using endpoint protection solutions.