Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here.
NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.
Post SMTP Plugin Flaw Exposes 200K WordPress Sites to Hijacking Attacks
(TLP: CLEAR) Over 200,000 WordPress websites remain vulnerable due to a critical flaw in the Post SMTP plugin, which has over 400,000 active installations. The vulnerability, tracked as CVE-2025-24000, affects all versions up to 3.2.0 and stems from broken access control in the plugin’s REST API. Specifically, the plugin only checked whether a user was logged in, without verifying their privilege level, allowing low-privileged users (e.g., subscribers) to read the plugin’s email logs. An attacker with a subscriber account can therefore request a password reset for an administrator, read the reset link from the logged email, and take full control of the administrator account. The vulnerability was reported to Patchstack on May 23, and a fix was incorporated into version 3.3.0, released on June 11. However, WordPress.org download stats show that only 48.5% of users have updated, leaving over 200,000 websites exposed. Additionally, more than 96,800 sites still run outdated 2.x versions, which suffer from other unpatched vulnerabilities, further increasing the attack surface. Site administrators are strongly urged to update to the latest version to prevent account takeover and unauthorized access.
(TLP: CLEAR) Comments: The CVE-2025-24000 vulnerability in the Post SMTP plugin represents a significant threat vector for mass exploitation, particularly due to its simplicity and the widespread use of the plugin. By failing to implement proper role-based access controls on REST API endpoints, the plugin exposes email logs to any authenticated user, enabling privilege escalation by reading administrator password reset emails out of the logs. This type of vulnerability is especially concerning because it turns low-privileged accounts, such as subscribers, into viable entry points for full administrative compromise. With over 200,000 sites still running vulnerable versions, malicious actors could automate large-scale scans and target unpatched WordPress sites to gain administrative access. Once compromised, threat actors could deploy malicious plugins, inject backdoors, or redirect site traffic to phishing infrastructure. Additionally, websites running the outdated 2.x branch are exposed to further known issues, compounding the risk of exploitation. This vulnerability also highlights a persistent issue in the WordPress ecosystem: delayed patch adoption. Despite a fix being available, fewer than half of affected users have updated, leaving a substantial window of opportunity for exploitation. Threat actors, particularly those running botnets or spam networks, are likely to weaponize this vulnerability for defacement, credential harvesting, or malware distribution. Proactive patch management, closing open user registration where subscriber accounts are not needed, and security monitoring are essential to mitigating risks associated with this flaw.
(TLP: CLEAR) Recommended best practices/regulations: OWASP Web Application Firewall: “A ‘web application firewall (WAF)’ is an application firewall for HTTP applications. It applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection. “While proxies generally protect clients, WAFs protect servers. A WAF is deployed to protect a specific web application or set of web applications. A WAF can be considered a reverse proxy. “WAFs may come in the form of an appliance, server plugin, or filter, and may be customized to an application. The effort to perform this customization can be significant and needs to be maintained as the application is modified.”
(TLP: CLEAR) DigiCert: Digicert’s Web Application Firewall, UltraWAF, helps prevent common exploits of vulnerabilities in web applications that could lead to insertion of malware. Signatures for new vulnerabilities are constantly updated along with granular input validation controls and traffic filtering measures for flexibility. UltraWAF includes a number of tools for managing both benign and malicious bots including bot signatures and device fingerprinting. UltraWAF can also prevent some layer 7 DDoS attacks.
New VOIP-Based Botnet Attacking Routers Configured with Default Password
(TLP: CLEAR) A global botnet campaign has been uncovered targeting VoIP-enabled routers and devices using default Telnet credentials. The discovery originated from an anomaly involving 90 malicious IPs linked to the Pueblo of Laguna Utility Authority in rural New Mexico. This led to the identification of over 500 compromised devices worldwide. The attackers exploited internet-facing VoIP hardware, particularly older Cambium Networks devices running outdated Linux firmware. These systems often had Telnet services enabled by default, making them easy targets for brute-force login attempts. Behavior consistent with Mirai-like botnet activity, such as high session volumes and generic scanning, was observed. GreyNoise researchers used AI-driven analysis and fingerprinting to trace the campaign’s scope. The attackers demonstrated operational awareness by adjusting behavior in response to public disclosures. This incident underscores the ongoing risk posed by unpatched and poorly secured VoIP infrastructure. Many of the affected devices may still be vulnerable to older CVEs, and the campaign illustrates how legacy weaknesses continue to be exploited. Organizations are advised to audit Telnet exposure, disable or change default credentials, and deploy dynamic defenses to reduce susceptibility to similar attacks.
(TLP: CLEAR) Comments: The exploitation of VoIP-enabled routers using default Telnet credentials, as detailed in this campaign, highlights a persistent and highly exploitable threat vector with direct implications for distributed denial-of-service (DDoS) operations. By compromising lightly monitored, internet-facing devices—often overlooked in traditional security audits—threat actors are able to assemble large-scale botnets capable of launching high-throughput DDoS attacks. The use of older firmware, such as that observed in Cambium Networks hardware, not only allows persistent access but also provides opportunities for deeper network infiltration or lateral movement. From an operational standpoint, the attackers’ use of standardized configurations and consistent traffic fingerprints suggests a level of automation and coordination akin to established botnets like Mirai. Once enslaved, these VoIP routers can be used to generate volumetric DDoS traffic, serve as proxy nodes for masking malicious activity, or facilitate reflection/amplification attacks by abusing open services. The fact that the activity ceased and resumed after being publicly mentioned implies an actively managed botnet infrastructure, possibly with command-and-control mechanisms sensitive to detection cues. This level of sophistication further supports the likelihood that the botnet is not just passively spreading but being actively curated for coordinated attack campaigns. Organizations must treat VoIP infrastructure as high-risk assets and ensure default credentials and legacy protocols like Telnet are fully eliminated from their environment.
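(TLP: CLEAR) Added example (not GreyNoise’s analysis or code): a Python pass over flow records that surfaces the two things the advice above asks for, sources spraying tcp/23 across many hosts in the Mirai style, and internal hosts that actually accepted a Telnet connection from the Internet. The flow lines, the field order (epoch seconds, source IP, destination IP, destination port, firewall action) and the thresholds are constructed assumptions for illustration.

```python
"""Telnet scanning and Telnet exposure from flow records.

Added example, not GreyNoise's analysis. FLOWS is a constructed,
simplified flow log (epoch seconds, source IP, destination IP,
destination port, firewall action). Thresholds are assumptions.
"""
from collections import defaultdict

TELNET_PORT = 23
SCAN_MIN_TARGETS = 5   # one source probing >= 5 distinct hosts on tcp/23 in the window
WINDOW_SECONDS = 60


def parse_flow(line):
    ts, src, dst, dport, action = line.split()
    return int(ts), src, dst, int(dport), action


def telnet_scanners(lines, min_targets=SCAN_MIN_TARGETS, window=WINDOW_SECONDS):
    """Sources that touch >= min_targets distinct hosts on tcp/23 within `window` seconds.
    Mirai-style spraying looks like this; a legitimate admin session does not.
    Returns {source: most distinct targets seen in any single window}."""
    by_src = defaultdict(list)
    for line in lines:
        ts, src, dst, dport, _ = parse_flow(line)
        if dport == TELNET_PORT:
            by_src[src].append((ts, dst))
    scanners = {}
    for src, events in by_src.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):           # sliding window over sorted timestamps
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            targets = {dst for _, dst in events[lo:hi + 1]}
            if len(targets) >= min_targets:
                scanners[src] = max(scanners.get(src, 0), len(targets))
    return scanners


def exposed_telnet(lines):
    """Hosts that ACCEPTED an inbound tcp/23 connection: Telnet is reachable there and must be
    disabled or, failing that, checked for default credentials. Returns {host: [sources]}."""
    hosts = defaultdict(set)
    for line in lines:
        _, src, dst, dport, action = parse_flow(line)
        if dport == TELNET_PORT and action == "ACCEPT":
            hosts[dst].add(src)
    return {h: sorted(srcs) for h, srcs in hosts.items()}


# Constructed sample: one source sweeps seven hosts on tcp/23 in seven seconds,
# one of which (192.0.2.14) accepts; a second source then logs in to that host.
FLOWS = """1753780001 198.51.100.9 192.0.2.10 23 DENY
1753780002 198.51.100.9 192.0.2.11 23 DENY
1753780003 198.51.100.9 192.0.2.12 23 DENY
1753780004 198.51.100.9 192.0.2.13 23 DENY
1753780005 198.51.100.9 192.0.2.14 23 ACCEPT
1753780006 198.51.100.9 192.0.2.15 23 DENY
1753780007 198.51.100.9 192.0.2.16 23 DENY
1753780010 203.0.113.4 192.0.2.20 443 ACCEPT
1753780030 203.0.113.77 192.0.2.14 23 ACCEPT
1753780031 203.0.113.77 192.0.2.14 23 ACCEPT
""".splitlines()

if __name__ == "__main__":
    print("scanners:", telnet_scanners(FLOWS))
    print("exposed:", exposed_telnet(FLOWS))
```

The exposed-host list is the input to the credential audit: every host on it needs Telnet disabled or, at minimum, its default login changed, while the scanner list feeds the edge blocklist. Real flow exports (NetFlow, IPFIX, cloud VPC flow logs) carry more fields, so only parse_flow needs adapting.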
(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.DS-02: “The confidentiality, integrity, and availability of data-in-transit are protected” Organizations should have a well-defined incident response plan in place that outlines the procedures to take in a DDoS attack, including communication protocols and escalation procedures. Additionally, organizations should utilize DDoS mitigation services from reputable providers that detect and mitigate attacks in real time such as Digicert’s UltraDDoS Protect.
(TLP: CLEAR) DigiCert: Digicert UltraDDoS Protect provides proven and consistent DDoS protection for any of your assets whether they reside in the cloud, multi-cloud, data center, or hybrid. With always-on DDoS protection, you can stop a DDoS attack instantly, and more complex DDoS attacks can be mitigated within seconds.
Source: https://cybersecuritynews.com/voip-based-botnet-attacking-routers/
Stealth Backdoor Found in WordPress mu-Plugins Folder
(TLP: CLEAR) Researchers at Sucuri have uncovered a highly persistent and stealthy backdoor embedded in the “mu-plugins” (must-use plugins) directory of compromised WordPress installations. Files in this directory are loaded automatically and cannot be deactivated through the standard admin interface, allowing attackers to maintain long-term access without raising suspicion. The attack hinges on a malicious PHP file (wp-index.php) that loads and executes an obfuscated payload using ROT13 encoding. The payload is fetched from a remote server, stored base64-encoded under the _hdra_core option in the WordPress database, and decoded and executed from there. The malware’s components include a covert file manager (pricing-table-3.php), creation of a rogue admin account (officialwp), and forced installation of a malicious plugin (wp-bot-protect.php) to restore the backdoor if removed. The malware also contains functions to reset passwords of common admin accounts, including its own, to a predefined value, effectively locking out legitimate users and regaining access if changes are made. It deletes traces of its execution, evades traditional detection mechanisms, and enables remote command execution. Once a site is compromised, attackers can leverage it for broader malicious operations, underscoring the severe risk this backdoor poses to site integrity, data confidentiality, and broader internet security.
(TLP: CLEAR) Comments: The discovery of a stealthy backdoor embedded in the WordPress “mu-plugins” directory highlights the growing sophistication and persistence of web-based threats. By exploiting the must-use plugin mechanism—which automatically executes and cannot be disabled from the admin panel—malicious actors ensure long-term, concealed access to the targeted WordPress installation. The use of ROT13 encoding and base64 obfuscation is not technically advanced but demonstrates the attackers’ intent to bypass basic detection by concealing the payload in an unconventional location—the WordPress database itself under the _hdra_core option. This threat is particularly alarming due to its multilayered persistence: it creates a rogue administrator account, resets passwords of commonly used usernames, and force-installs a secondary malicious plugin to restore itself if removed. These tactics mirror advanced persistent threat (APT) behavior, despite being used in a commodity malware campaign. Once embedded, the compromised site can serve as a platform for data exfiltration, malware delivery, or even participation in larger coordinated attacks, such as hosting phishing pages or acting as a node in a botnet. Organizations relying on WordPress should immediately audit their mu-plugins directory and monitor for unexpected admin accounts or database entries. This campaign reinforces the critical need for continuous integrity monitoring, web application firewalls, and timely updates to defend against deeply embedded web shell threats targeting content management systems.
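(TLP: CLEAR) Added example, not Sucuri’s tooling: a Python triage that applies the audit advice above to constructed data. It scans must-use plugin sources for the decode-then-execute chain (ROT13/base64 feeding eval), for a ROT13-hidden payload URL and for reads of underscore-prefixed wp_options rows, then flags the _hdra_core option and any administrator login not on an approved list. The sample files, options and users are constructed; the file names, option name and login taken from the write-up are the only real indicators, and the thresholds are assumptions.

```python
"""Triage for the mu-plugins backdoor pattern described above.

Added example, not Sucuri's tooling. Runs on constructed input: a dict
of file name -> PHP source standing in for wp-content/mu-plugins/, a
dict standing in for wp_options rows, and a list of (user_login, role)
pairs standing in for wp_users. Only the names published in the
write-up (wp-index.php, pricing-table-3.php, wp-bot-protect.php,
_hdra_core, officialwp) are indicators; everything else is assumed.
"""
import codecs
import re

DECODE_FUNCS = ("str_rot13", "base64_decode", "gzinflate", "gzuncompress")
EXEC_FUNCS = ("eval", "assert", "create_function", "system", "shell_exec", "passthru")
CALL = re.compile(r"\b(" + "|".join(DECODE_FUNCS + EXEC_FUNCS) + r")\s*\(", re.I)
REMOTE_FETCH = re.compile(r"(file_get_contents|curl_init|wp_remote_get)\s*\(\s*['\"]https?://", re.I)
ROT13_LITERAL = re.compile(r"str_rot13\s*\(\s*['\"]([^'\"]+)['\"]\s*\)", re.I)
UNDERSCORE_OPTION = re.compile(r"get_option\s*\(\s*['\"](_\w+)['\"]", re.I)

IOC_FILES = {"wp-index.php", "pricing-table-3.php", "wp-bot-protect.php"}
IOC_OPTIONS = {"_hdra_core"}
IOC_LOGINS = {"officialwp"}


def decoded_rot13_urls(src):
    """ROT13 string literals that decode to a URL: the hidden payload source."""
    urls = []
    for m in ROT13_LITERAL.finditer(src):
        plain = codecs.decode(m.group(1), "rot_13")
        if plain.lower().startswith(("http://", "https://")):
            urls.append(plain)
    return urls


def scan_php_source(name, src):
    """Indicator strings for one must-use plugin file; an empty list means clean by these rules."""
    findings = []
    if name in IOC_FILES:
        findings.append(f"{name}: filename matches a published indicator")
    calls = [m.group(1).lower() for m in CALL.finditer(src)]
    decoders = [c for c in calls if c in DECODE_FUNCS]
    executors = [c for c in calls if c in EXEC_FUNCS]
    if decoders and executors:
        findings.append(f"{name}: decode chain {decoders} feeds {executors}")
    elif executors:
        findings.append(f"{name}: dynamic execution via {executors}")
    if REMOTE_FETCH.search(src) or decoded_rot13_urls(src):
        findings.append(f"{name}: fetches or hides a remote payload URL")
    for m in UNDERSCORE_OPTION.finditer(src):
        findings.append(f"{name}: loads wp_options row {m.group(1)} (payload kept in the database)")
    return findings


def rogue_admins(users, approved):
    """Administrator logins that are not approved, plus the published rogue login."""
    return sorted(login for login, role in users
                  if role == "administrator" and (login not in approved or login in IOC_LOGINS))


def suspicious_options(options):
    """wp_options rows matching an IOC or holding a long base64-looking blob under an underscore name."""
    blob = re.compile(r"^[A-Za-z0-9+/=\s]{200,}$")
    return sorted(k for k, v in options.items()
                  if k in IOC_OPTIONS or (k.startswith("_") and blob.match(v)))


def triage(files, options, users, approved):
    report = {"files": [], "options": suspicious_options(options), "admins": rogue_admins(users, approved)}
    for name, src in files.items():
        report["files"].extend(scan_php_source(name, src))
    return report


# Constructed sample data standing in for a compromised site (not real captures).
SAMPLE_FILES = {
    "wp-index.php": "<?php $u = str_rot13('uggcf://rknzcyr.arg/cnlybnq'); "
                    "$p = base64_decode(get_option('_hdra_core')); eval($p);",
    "site-tweaks.php": "<?php add_filter('xmlrpc_enabled', '__return_false');",
}
SAMPLE_OPTIONS = {"siteurl": "https://example.org", "_hdra_core": "UEhQIGNvZGUg" * 20}
SAMPLE_USERS = [("admin", "administrator"), ("officialwp", "administrator"), ("editor1", "editor")]

if __name__ == "__main__":
    for section, items in triage(SAMPLE_FILES, SAMPLE_OPTIONS, SAMPLE_USERS, {"admin"}).items():
        print(section, items)
```

On a live site the same three inputs come from a listing of wp-content/mu-plugins, from `wp option get` or `wp db query`, and from `wp user list --role=administrator`; the functions take plain data so they can run without loading WordPress, which matters when the site itself may be lying about its plugins.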
(TLP: CLEAR) Recommended best practices/regulations: NIST Special Publication 800-41 Revision 1, “Guidelines on Firewalls and Firewall Policy”: “Application firewalls can enable the identification of unexpected sequences of commands, such as issuing the same command repeatedly or issuing a command that was not preceded by another command on which it is dependent. These suspicious commands often originate from buffer overflow attacks, DoS attacks, malware, and other forms of attack carried out within application protocols such as HTTP. Another common feature is input validation for individual commands, such as minimum and maximum lengths for arguments. For example, a username argument with a length of 1000 characters is suspicious—even more so if it contains binary data.”
(TLP: CLEAR) DigiCert: Digicert’s Web Application Firewall, UltraWAF, enables you to create your own rules in a variety of formats with the UltraWAF policy editor. Plus, you have the option to continuously add coverage for new threats through signature protection for CVEs and CWEs (such as CMS vulnerabilities) captured by our threat research team.
BlackSuit Ransomware Gang’s Darknet Websites Seized by Police
(TLP: CLEAR) The BlackSuit ransomware gang’s darknet extortion and negotiation sites were seized in a multinational law enforcement operation involving agencies from over nine countries, led by U.S. Homeland Security Investigations (HSI). A seizure notice now appears on the group’s TOR domains, also displaying logos from 17 law enforcement and cybersecurity partners, including Bitdefender. BlackSuit, active since April or May 2023, was a private ransomware operation believed to be a rebrand of the Royal ransomware group, which itself had ties to the infamous Conti gang. BlackSuit was known for not offering its tools through a ransomware-as-a-service model and is estimated to have extorted over $500 million globally. Notable victims include Kadokawa, Tampa Bay Zoo, and Octapharma, whose breach led to the temporary shutdown of nearly 200 blood plasma centers in the U.S. Post-takedown analysis by Cisco Talos suggests that some former BlackSuit members may have migrated to the Chaos ransomware group, based on similarities in encryption methods and attack tools. This evolution reflects the continued reshuffling and resilience of ransomware ecosystems, even in the wake of high-profile disruptions.
(TLP: CLEAR) Comments: The takedown of BlackSuit’s darknet infrastructure marks a significant disruption to one of the more brazen ransomware groups in recent years. While the operation dealt a blow to their external visibility, history shows that such actions rarely result in the permanent dismantling of sophisticated cybercriminal ecosystems. BlackSuit, believed to be a successor to Royal and indirectly linked to Conti—a group responsible for some of the most disruptive ransomware attacks globally—has operated with a high degree of technical maturity and operational discipline, avoiding the RaaS model in favor of tighter internal control. This suggests a more centralized leadership structure, which, if not fully compromised, could facilitate a rapid reconstitution. Following previous law enforcement disruptions, such as those targeting REvil or NetWalker, it is common to see group members splinter and either join emerging operations or launch new ones under different monikers. In BlackSuit’s case, early indicators suggest migration toward the Chaos ransomware variant, though other offshoots are likely to appear. The reuse of encryption schemes, ransom note templates, or C2 infrastructure could aid attribution but also reflects the fluid nature of cybercriminal affiliations. It is likely that BlackSuit’s operators will attempt to resurrect their leak site on alternative .onion domains, potentially with enhanced OPSEC measures to avoid future takedowns. Additionally, former affiliates or lower-tier developers may monetize their experience by joining existing ransomware collectives or forming bespoke groups targeting verticals previously exploited by BlackSuit. This underscores the cyclical resilience of ransomware operations and the need for continuous monitoring beyond infrastructure takedowns.
(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.PS-05: “Installation and execution of unauthorized software are prevented”. By enforcing a content filtering policy to block typical software download sites in addition to hacker tools and P2P services, organizations reduce the amount of malware and trojan horses that are introduced into their organization unknowingly by their users. This can be done via a protective DNS or forward web proxy solution with website categories feeds.
(TLP: CLEAR) DigiCert: Digicert’s Protective DNS solution, UltraDDR (DNS Detection and Response), supports 4 distinct detection engines to provide Defense in Depth against malware and phishing and other abuses:
- The Lists Engine allows UltraDDR customers the ability to bring their own block lists and allow lists for FQDNs, domains, IP addresses, CIDR blocks, and registrars.
- The Categories Engine uses Digicert-provided Cyber Threat Intelligence feeds in 17 categories. Administrators can enable blocking on a category with just one button click.
- The Decision Engine uses a multi-petabyte adversarial infrastructure data lake and artificial intelligence techniques to determine if a previously unseen or recently changed domain is malicious in nature.
- The Ruleset Engine allows administrators the ability to build custom rules to augment and extend the other engines of UltraDDR.
Source: https://therecord.media/blacksuit-ransomware-gang-website-takedown
Hackers Attacking IIS Servers With New Web Shell Script to Gain Complete Remote Control
(TLP: CLEAR) Researchers from Fortinet have uncovered a highly sophisticated web shell attack targeting Microsoft Internet Information Services (IIS) servers, posing a serious threat to enterprise and critical infrastructure environments. The malware, dubbed “UpdateChecker.aspx,” is part of a broader campaign observed in the Middle East, where attackers successfully breached systems tied to national infrastructure. Unlike traditional web shells that rely on simple scripts, UpdateChecker employs heavily obfuscated C# code embedded within an ASPX file, using Unicode encoding, encrypted constants, and randomized identifiers to evade detection. Its communication relies on HTTP POST requests with JSON-structured commands, allowing threat actors to remotely control compromised servers. The malware’s capabilities are modular, divided into three components: Base for reconnaissance, CommandShell for executing Windows commands, and FileManager for complete file system control, including search, modification, and deletion. It uses a dual-encryption scheme to obscure traffic, further complicating analysis and detection. This level of sophistication enables attackers to stealthily maintain access, mimic legitimate IIS activity, and manipulate system data without raising alarms. The campaign underscores the evolving threat landscape where advanced persistent access tools are deployed against key infrastructure targets, leveraging legitimate platforms like IIS to mask malicious intent and maintain long-term control over victim networks.
(TLP: CLEAR) Comments: The discovery of the UpdateChecker.aspx web shell highlights a concerning escalation in the use of obfuscated malware within enterprise and critical infrastructure environments. Unlike commodity web shells that are easily detected through signature-based tools, this attack leverages heavily obfuscated C# code and Unicode encoding techniques to evade traditional detection. Its modular architecture, covering reconnaissance, command execution, and file management, reflects the hallmarks of a well-funded, advanced threat actor likely engaged in persistent espionage or sabotage operations. The use of IIS servers as a deployment vector is strategic; they are commonly used in high-trust environments and often overlooked in security monitoring pipelines, making them ideal for covert persistence. The campaign’s targeting of Middle Eastern critical infrastructure and its seamless integration into Windows environments suggest a state-aligned adversary seeking both intelligence collection and operational disruption capabilities. The use of encrypted C2 traffic, dual encryption layers, and stealthy communications over HTTP POST with custom content types indicates a clear intent to operate undetected for extended periods. From a threat intelligence perspective, this shows how adversaries co-opt trusted server roles: the web shell is a newly dropped file rather than a built-in tool, but once in place it rides IIS’s own request handling and blends with legitimate traffic. Organizations must respond by strengthening behavioral detection mechanisms, hardening IIS configurations, restricting write access to web roots, and monitoring for new or modified .aspx files and anomalous script execution to prevent future intrusions of this nature.
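(TLP: CLEAR) Added example (not Fortinet’s detection logic): a Python hunt over IIS W3C log lines for the traffic shape described above, repeated anonymous POSTs carrying JSON to an .aspx file that is not part of the deployed application. The log lines are constructed; the /aspnet_client/ path, the deployment manifest and the assumption that Content-Type is captured as a custom request-header field (IIS 8.5+ enhanced logging, not a default) are illustrative choices, not details from the report.

```python
"""Hunt for web-shell-shaped traffic in IIS W3C logs.

Added example; not Fortinet's detection logic. SAMPLE_LOG is constructed.
Assumes the site logs the W3C fields listed in FIELDS and captures
Content-Type as a custom request-header field (IIS 8.5+ enhanced
logging), which a default install does not do.
"""

FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "s-port",
          "cs-username", "c-ip", "cs(User-Agent)", "cs(Referer)", "sc-status",
          "sc-substatus", "sc-win32-status", "time-taken", "cs(Content-Type)"]

# Pages the application legitimately serves (assumed manifest). A web shell is a new
# file, so a POST target outside this set is the strongest single signal.
DEPLOYED_ASPX = {"/default.aspx", "/login.aspx", "/api/orders.aspx"}


def parse(line):
    """One W3C line -> dict, or None for directives, blanks and malformed lines."""
    if line.startswith("#") or not line.strip():
        return None
    parts = line.split(" ")
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def score(rec):
    """Heuristic score for one request; (0, []) means nothing interesting."""
    s, reasons = 0, []
    stem = rec["cs-uri-stem"].lower()
    if rec["cs-method"] != "POST" or not stem.endswith(".aspx"):
        return 0, reasons
    if stem not in DEPLOYED_ASPX:
        s += 3; reasons.append("POST to .aspx not in deployment manifest")
    if rec["cs(Referer)"] == "-":
        s += 1; reasons.append("no Referer (not driven by a browser page)")
    if rec["cs(Content-Type)"].lower().startswith("application/json"):
        s += 1; reasons.append("JSON body to a page, not an API route")
    if rec["cs-username"] == "-" and rec["sc-status"] == "200":
        s += 1; reasons.append("anonymous POST accepted with 200")
    return s, reasons


def hunt(lines, threshold=4):
    """Group scored requests by (client IP, URI). Returns {key: (count, best score, reasons)}
    for groups whose best score reaches the threshold."""
    groups = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        s, reasons = score(rec)
        if s == 0:
            continue
        key = (rec["c-ip"], rec["cs-uri-stem"].lower())
        count, best, why = groups.get(key, (0, 0, set()))
        groups[key] = (count + 1, max(best, s), why | set(reasons))
    return {k: (c, b, sorted(w)) for k, (c, b, w) in groups.items() if b >= threshold}


# Constructed log: two ordinary requests, then a burst of JSON POSTs to an .aspx
# that was never deployed. IIS writes "+" for spaces inside the User-Agent field.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken cs(Content-Type)
2025-07-29 09:14:02 10.0.0.5 GET /default.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 31 -
2025-07-29 09:14:05 10.0.0.5 POST /login.aspx - 443 - 203.0.113.7 Mozilla/5.0 https://shop.example/default.aspx 302 0 0 45 application/x-www-form-urlencoded
2025-07-29 09:20:11 10.0.0.5 POST /aspnet_client/UpdateChecker.aspx - 443 - 198.51.100.23 Mozilla/5.0 - 200 0 0 12 application/json
2025-07-29 09:20:14 10.0.0.5 POST /aspnet_client/UpdateChecker.aspx - 443 - 198.51.100.23 Mozilla/5.0 - 200 0 0 9 application/json
2025-07-29 09:20:19 10.0.0.5 POST /aspnet_client/UpdateChecker.aspx - 443 - 198.51.100.23 Mozilla/5.0 - 200 0 0 15 application/json
"""

if __name__ == "__main__":
    for key, (count, best, reasons) in hunt(SAMPLE_LOG.splitlines()).items():
        print(key, count, best, reasons)
```

The manifest check is what makes this useful against an obfuscated shell: nothing in the request body or the file contents is inspected, so encoding tricks do not help the attacker. Pair it with file-integrity monitoring on the web root so the "not in manifest" set is generated from the deployment pipeline rather than maintained by hand.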
(TLP: CLEAR) Recommended best practices/regulations: PCI-DSS V4.0 Section 6.4.2: “For public-facing web applications, an automated technical solution is deployed that continually detects and prevents web-based attacks, with at least the following:
- Is installed in front of public-facing web applications and is configured to detect and prevent web-based attacks.
- Actively running and up to date as applicable.
- Generating audit logs.
- Configured to either block web-based attacks or generate an alert that is immediately investigated.”
(TLP: CLEAR) DigiCert: Digicert’s Web Application Firewall, UltraWAF, equips your company with adaptable security features to counteract the most significant network and application-layer threats, including SQL injection, XSS, and DDoS attacks. Its always-on security posture, combined with cloud-based scalability, ensures comprehensive protection against the OWASP Top 10, advanced bot management, and vulnerability scanning, allowing you to effectively shield your critical and customer-facing applications from emerging threats.
Source: https://cybersecuritynews.com/hackers-attacking-iis-servers-with-new-web-shell-script/
Chaos RaaS Emerges After BlackSuit Takedown, Demanding $300K from U.S. Victims
(TLP: CLEAR) The newly emerged ransomware-as-a-service (RaaS) gang Chaos has quickly gained prominence in 2025, conducting big-game hunting and double extortion attacks largely focused on U.S.-based organizations. Security researchers believe Chaos is likely composed of former BlackSuit members, following the international law enforcement seizure of BlackSuit’s infrastructure during Operation Checkmate. The Chaos group, which surfaced in February 2025, uses multi-pronged social engineering strategies—including phishing and voice phishing—to trick victims into installing remote monitoring and management (RMM) tools like Quick Assist, AnyDesk, and ScreenConnect. These tools allow for persistent access and data exfiltration via legitimate file-sharing software. Chaos’s ransomware is notable for its multi-threaded, selective encryption, anti-analysis techniques, and cross-platform compatibility (Windows, Linux, ESXi, NAS). The group demands ransoms of $300,000, offering decryptors and post-attack assessments. It is not affiliated with other malware families using the “Chaos” name, adding to attribution complexity. The FBI and DOJ also recently seized over $2.4 million in Bitcoin tied to a Chaos member, highlighting ongoing law enforcement pressure. Chaos is one of several ransomware strains rising in 2025, alongside Gunra, RedFox, and Epsilon Red, many of which employ advanced evasion and partial encryption techniques. Despite a 43% drop in overall ransomware activity in Q2 2025, analysts warn that this may reflect rebranding efforts and enhanced sophistication rather than a true decline in threat levels.
(TLP: CLEAR) Comments: The emergence of the Chaos ransomware group amid the takedown of BlackSuit illustrates the cyclical and resilient nature of the ransomware ecosystem. If the suspected overlap with former BlackSuit members holds, Chaos inherits the Royal and Conti lineage and demonstrates how ransomware operators rapidly rebrand and regroup to avoid law enforcement pressure while maintaining operational continuity. Its use of voice-based social engineering and legitimate RMM tools for access and persistence reflects a shift toward low-friction intrusion tactics, blending technical capability with human exploitation. This hybrid approach reduces the group’s reliance on exploits and increases its reach into less technically hardened environments. Chaos’s compatibility with Windows, Linux, ESXi, and NAS systems, along with its multi-threaded selective encryption, suggests a mature operation capable of targeting both enterprise and cloud infrastructures. Demanding high-value ransoms while offering a post-attack assessment mirrors tactics used by more established groups, reinforcing its strategic positioning in big-game hunting. The observed similarities in encryption methods, ransom note structures, and post-exploitation tooling to BlackSuit support the hypothesis of personnel overlap or internal splintering following law enforcement disruptions. The seizure of cryptocurrency assets tied to Chaos further highlights the importance of financial tracking in dismantling ransomware operations. Yet, as Chaos and other groups like Gunra and RedFox expand, it becomes evident that rebranding, tool recycling, and shared TTPs will remain key challenges for defenders. While public-private operations like Operation Checkmate are effective, they must be sustained and globally coordinated to outpace this continuously evolving threat landscape.
(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency #StopRansomware Guide: “Implement Protective Domain Name System (DNS). By blocking malicious internet activity at the source, Protective DNS services can provide high network security for remote workers. These security services analyze DNS queries and take action to mitigate threats—such as malware, ransomware, phishing attacks, viruses, malicious sites, and spyware—leveraging the existing DNS protocol and architecture.”
(TLP: CLEAR) DigiCert: Digicert’s Protective DNS solution, UltraDDR (DNS Detection and Response), supports 4 distinct detection engines to provide Defense in Depth against malware and phishing and other abuses:
- The Lists Engine allows UltraDDR customers the ability to bring their own block lists and allow lists for FQDNs, domains, IP addresses, CIDR blocks, and registrars.
- The Categories Engine uses Digicert-provided Cyber Threat Intelligence feeds in 17 categories. Administrators can enable blocking on a category with just one button click.
- The Decision Engine uses a multi-petabyte adversarial infrastructure data lake and artificial intelligence techniques to determine if a previously unseen or recently changed domain is malicious in nature.
- The Ruleset Engine allows administrators the ability to build custom rules to augment and extend the other engines of UltraDDR.
Source: https://thehackernews.com/2025/07/chaos-raas-emerges-after-blacksuit.html
Critical Flaws in WordPress Plugin Leave 10,000 Sites Vulnerable
(TLP: CLEAR) More than 10,000 WordPress websites are at risk of full site compromise due to three critical vulnerabilities discovered in the HT Contact Form Widget for Elementor Page Builder & Gutenberg Blocks & Form Builder plugin. These flaws—arbitrary file upload (CVE-2025-7340), arbitrary file deletion (CVE-2025-7341), and arbitrary file move (CVE-2025-7360)—can be exploited by unauthenticated attackers to execute malicious code, delete essential files like wp-config.php, or relocate them to enable remote code execution and total site takeover. The most severe flaw, CVE-2025-7340, received a CVSS score of 9.8, as it allows attackers to upload executable PHP scripts to publicly accessible directories without any validation, granting them full control over affected sites. The vulnerabilities were responsibly disclosed to Wordfence via its bug bounty program, and the plugin developer, HasTech IT, issued a patch on July 13, 2025, just five days after notification. Wordfence strongly recommends that all site administrators update to the latest version immediately and implement protective measures such as using security plugins capable of detecting file upload and directory traversal abuse. These vulnerabilities underscore the importance of maintaining plugin hygiene and timely patching to prevent high-impact attacks.
(TLP: CLEAR) Comments: The discovery of three critical vulnerabilities in the HT Contact Form Widget plugin for WordPress highlights ongoing systemic weaknesses in plugin ecosystem security, especially among add-ons for widely used site-building tools like Elementor and Gutenberg. The fact that these flaws allowed unauthenticated attackers to upload, delete, or move files, including the core wp-config.php file, demonstrates a severe lapse in input validation and access control at the development level. This exposure presents a clear path to full site takeover, which could be exploited not only for defacement or data theft but also to inject malicious code, redirect traffic, or add compromised sites to larger botnet infrastructures for coordinated DDoS attacks. Given the plugin’s integration with visual builders, it likely attracts a non-technical user base, many of whom may delay updates or fail to recognize the risks posed by unpatched plugins. This increases the likelihood of long-tail exploitation, especially by automated scanning tools that identify and exploit vulnerable endpoints at scale. Moreover, this incident reflects a broader trend in WordPress threat activity where attackers capitalize on high-privilege plugin functionality to bypass normal user-level restrictions. While the vendor’s prompt response is commendable, the fact that thousands of sites remain unpatched after disclosure reinforces the need for default security hardening, such as permission segmentation, file validation routines, and alerts for high-risk file operations. Ultimately, this event reinforces that plugins represent a persistent attack vector in WordPress environments and must be treated with the same level of security oversight as core application code.
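(TLP: CLEAR) Added example, not the plugin’s code: the plugin is PHP, and the Python below is a language-neutral illustration of the validation that the three flaw classes (arbitrary upload, delete, move) require. It checks the extension against an allowlist and the file content against the matching magic bytes, rejects executable extensions anywhere in the name, and confines user-supplied paths to the upload directory so that a delete or move handler cannot reach wp-config.php. The upload root, the allowed types and the magic bytes are assumptions chosen for a contact form that accepts images and PDFs.

```python
"""Validation that arbitrary upload / delete / move handlers need.

Added example in Python for illustration; the plugin itself is PHP and
this is not its code. UPLOAD_ROOT, ALLOWED and the magic bytes are
assumptions for a form that accepts images and PDFs.
"""
import posixpath
import re

UPLOAD_ROOT = "/var/www/html/wp-content/uploads/contact-form"
ALLOWED = {"jpg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n", "pdf": b"%PDF-"}
# Any of these as a name segment is rejected, so shell.php.jpg fails too: some
# Apache setups execute the first recognised extension, not the last.
EXECUTABLE = re.compile(r"\.(php\d?|phtml|phar|inc|cgi|pl|sh|asp|aspx|jsp|htaccess)(\.|$)", re.I)


class RejectedUpload(ValueError):
    pass


def safe_filename(name):
    """Drop directory parts, keep a conservative charset, refuse executable extensions."""
    base = posixpath.basename(name.replace("\\", "/"))
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).strip("._")
    if not base or EXECUTABLE.search(base):
        raise RejectedUpload(f"disallowed filename: {name!r}")
    return base


def validate_upload(name, content):
    """Return the filename to store under, or raise. Extension AND content are checked,
    because an attacker controls both the name and the bytes."""
    base = safe_filename(name)
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    magic = ALLOWED.get(ext)
    if magic is None:
        raise RejectedUpload(f"extension not allowed: {ext!r}")
    if not content.startswith(magic):
        raise RejectedUpload(f"content does not match .{ext}")
    if b"<?php" in content or b"<?=" in content:
        raise RejectedUpload("PHP open tag inside upload body (image/PHP polyglot)")
    return base


def is_accepted(name, content):
    try:
        validate_upload(name, content)
        return True
    except RejectedUpload:
        return False


def resolve_in_root(user_path, root=UPLOAD_ROOT):
    """Map a user-supplied relative path to an absolute path that must stay under root.
    Skipping this check is what turns 'delete attachment' or 'move file' into arbitrary
    deletion or relocation of wp-config.php."""
    candidate = posixpath.normpath(posixpath.join(root, user_path.replace("\\", "/")))
    if posixpath.commonpath([root, candidate]) != root or candidate == root:
        raise RejectedUpload(f"path escapes upload root: {user_path!r}")
    return candidate


def escapes_root(user_path):
    try:
        resolve_in_root(user_path)
        return False
    except RejectedUpload:
        return True


if __name__ == "__main__":
    # Constructed inputs: a real-looking JPEG header, and the attacks from the advisory.
    print(validate_upload("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16))
    print(is_accepted("shell.php", b"<?php system($_GET['c']); ?>"))
    print(escapes_root("../../../wp-config.php"))
```

Two things the check deliberately does not rely on: the client-supplied MIME type, which is attacker-controlled, and the last extension alone, which is why the polyglot and double-extension cases are tested. Capability checks on the handler (who may call delete or move at all) are a separate control and still required; this code only makes the file operations safe once a caller is authorised.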
(TLP: CLEAR) Recommended best practices/regulations: NIST Special Publication 800-41 Revision 1, “Guidelines on Firewalls and Firewall Policy”: “Application firewalls can enable the identification of unexpected sequences of commands, such as issuing the same command repeatedly or issuing a command that was not preceded by another command on which it is dependent. These suspicious commands often originate from buffer overflow attacks, DoS attacks, malware, and other forms of attack carried out within application protocols such as HTTP. Another common feature is input validation for individual commands, such as minimum and maximum lengths for arguments. For example, a username argument with a length of 1000 characters is suspicious—even more so if it contains binary data.”
(TLP: CLEAR) DigiCert: Digicert’s Web Application Firewall, UltraWAF, can provide you with protection in the way that you need it. UltraWAF allows security postures that assume that all traffic is allowed – except an already identified threat or an attack (negative security) – or zero trust models where all traffic is denied unless explicitly permitted (positive security).
Source: https://www.infosecurity-magazine.com/news/flaws-wordpress-plugin-expose/
Scattered Spider Hacker Arrests Halt Attacks, but Copycat Threats Sustain Security Pressure
(TLP: CLEAR) Google Cloud’s Mandiant Consulting has reported a noticeable decline in activity from the financially motivated threat group Scattered Spider (UNC3944) following the recent arrests of suspected members in the U.K. While no new intrusions have been directly attributed to the group since, Mandiant urges organizations to use this temporary lull to bolster defenses, review the group’s known tactics, and strengthen their security posture. Scattered Spider has been known for its sophisticated social engineering attacks, including phishing, push bombing, SIM-swapping, and impersonation techniques to bypass multi-factor authentication and gain access to corporate systems. They have aggressively targeted VMware ESXi hypervisors in industries such as retail, transportation, and airlines across North America. An updated joint advisory from the U.S., Canadian, and Australian governments outlines their tradecraft, which includes the use of commercial remote access tools, malware like Warzone RAT, Raccoon Stealer, and Vidar, and the Mega cloud platform for data exfiltration. They have also exploited access to Snowflake environments to run mass queries and steal large datasets. Mandiant warns that while Scattered Spider may be dormant, other threat actors like UNC6040 are employing similar techniques, emphasizing that organizations must remain vigilant despite the pause in activity.
(TLP: CLEAR) Comments: The current decline in activity from Scattered Spider presents both a temporary reprieve and a strategic inflection point for defenders. While recent arrests have disrupted the group’s operations, their sophisticated techniques—including SIM swapping, MFA bypass, and remote access tool deployment—remain viable and are already being emulated by adjacent threat groups like UNC6040. This underscores a broader trend: the commodification of advanced intrusion tactics traditionally associated with targeted ransomware and extortion campaigns. Scattered Spider’s focus on VMware ESXi hypervisors and Snowflake environments reveals a keen understanding of enterprise infrastructure and data aggregation points. Their ability to quickly query and exfiltrate mass volumes of data from cloud data warehouses signals a shift toward high-value, low-resistance targets within hybrid environments. The use of widely available tools like Warzone RAT and Vidar also suggests that effective compromise no longer requires bespoke malware development but rather operational discipline and tactical coordination. The lull in direct Scattered Spider activity should not be mistaken for resolution. Instead, it presents an opportunity for organizations to assess their exposure to cloud platforms, harden identity and access management systems, and reevaluate help desk procedures, which have repeatedly been exploited through impersonation. Moreover, the modularity and transferability of Scattered Spider’s tactics increase the risk of tactical migration, where displaced affiliates splinter into other operations or rebrand entirely—thus ensuring the threat endures even as specific identities fade.
(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.PS-05: “Installation and execution of unauthorized software are prevented.” By enforcing a content filtering policy that blocks typical software download sites as well as hacker tools and P2P services, organizations reduce the amount of malware and trojan horses that users unknowingly introduce into the organization. This can be done via a protective DNS or forward web proxy solution that consumes website category feeds.
(TLP: CLEAR) DigiCert: Digicert’s Protective DNS solution, UltraDDR (DNS Detection and Response), functions as a recursive/resolver DNS server that receives DNS queries either via forwarding from on-network resolvers or via an endpoint client. It then uses blocklists, domain categories, artificial intelligence, or a defined policy to determine if the domain should be allowed or blocked. Blocked user traffic is then sent to a sinkhole.
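How the category-based filtering recommended under PR.PS-05 and the allow/block/sinkhole decision described for a protective resolver fit together, as an added Python model that is not UltraDDR's code or any vendor's implementation. The blocklist, allowlist, category feed, upstream answers and the sinkhole address are all constructed sample data (RFC 5737 documentation ranges), and the precedence order (allowlist, then blocklist, then category) is an assumption of the example.

```python
"""Constructed model of a protective-DNS policy decision: a query is checked
against an allowlist, a blocklist, and a domain-category feed before it is
either answered from upstream or steered to a sinkhole. All feeds, names and
addresses below are made-up sample data, not a real service's feeds."""
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Set

SINKHOLE_ADDR = "192.0.2.1"  # RFC 5737 documentation address standing in for a sinkhole

# Constructed feeds and policy. Category names follow the kinds of sites the
# NIST CSF PR.PS-05 guidance above suggests filtering.
BLOCKLIST: Set[str] = {"evil.example", "c2.bad.example"}
ALLOWLIST: Set[str] = {"patches.vendor.example"}  # explicit business exception
CATEGORY_FEED: Dict[str, str] = {
    "downloads.example": "software-download",
    "torrents.example": "p2p",
    "hacktools.example": "hacker-tools",
    "vendor.example": "software-download",
    "bank.example": "finance",
}
BLOCKED_CATEGORIES: Set[str] = {"malware", "phishing", "software-download", "p2p", "hacker-tools"}
# Constructed stand-in for upstream resolution (A records only).
UPSTREAM: Dict[str, str] = {
    "bank.example": "203.0.113.10",
    "www.corp.example": "203.0.113.20",
    "patches.vendor.example": "203.0.113.30",
}


@dataclass
class Decision:
    qname: str
    action: str            # "allow", "block" or "nxdomain"
    answer: Optional[str]  # A record returned to the client, if any
    reason: str


def normalize(qname: str) -> str:
    """Lower-case and strip the trailing dot so 'EVIL.EXAMPLE.' matches 'evil.example'."""
    return qname.rstrip(".").lower()


def ancestors(name: str) -> Iterator[str]:
    """Yield the name and each parent domain: a.b.c -> a.b.c, b.c, c.
    Feeds usually list a registered domain; subdomains must inherit the verdict."""
    labels = name.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def first_match(name: str, table) -> Optional[str]:
    """Most specific ancestor present in a set or dict, else None."""
    for candidate in ancestors(name):
        if candidate in table:
            return candidate
    return None


def decide(qname: str) -> Decision:
    """Apply policy to one query: allowlist beats blocklist beats category feed."""
    name = normalize(qname)
    allow_hit = first_match(name, ALLOWLIST)
    block_hit = first_match(name, BLOCKLIST)
    cat_hit = first_match(name, CATEGORY_FEED)
    if allow_hit:
        reason = f"allowlisted via {allow_hit}"
    elif block_hit:
        return Decision(qname, "block", SINKHOLE_ADDR, f"blocklist match on {block_hit}")
    elif cat_hit and CATEGORY_FEED[cat_hit] in BLOCKED_CATEGORIES:
        return Decision(qname, "block", SINKHOLE_ADDR, f"category {CATEGORY_FEED[cat_hit]} via {cat_hit}")
    else:
        reason = "no policy match"
    answer = UPSTREAM.get(name)  # normal resolution for anything not blocked
    if answer is None:
        return Decision(qname, "nxdomain", None, reason)
    return Decision(qname, "allow", answer, reason)


def decide_batch(queries: List[str]) -> List[Decision]:
    return [decide(q) for q in queries]


if __name__ == "__main__":
    for d in decide_batch(["EVIL.EXAMPLE.", "cdn.downloads.example", "patches.vendor.example",
                           "bank.example", "nothing.example"]):
        print(f"{d.qname:28} {d.action:9} {d.answer or '-':14} {d.reason}")
```

The ancestor walk is what makes a feed entry for `downloads.example` also catch `cdn.downloads.example`, and the allowlist check runs first so a business exception such as a vendor patch host survives a broad category block on its parent domain. Blocked queries still get an answer, the sinkhole address, so the client's connection attempt lands somewhere the defender controls and can log.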
Source: https://thehackernews.com/2025/07/scattered-spider-hacker-arrests-halt.html
Third of Exploited Vulnerabilities Weaponized Within a Day of Disclosure
(TLP: CLEAR) The VulnCheck mid-year 2025 report highlights a significant escalation in the speed and scale of vulnerability exploitation by threat actors. Nearly one-third (32.1%) of all vulnerabilities added to the Known Exploited Vulnerabilities (KEV) catalog were weaponized before detection or within 24 hours of public disclosure—an 8.5% increase from 2024. In total, 432 new vulnerabilities were cataloged in just the first half of 2025, surpassing half the total recorded in all of 2024. Microsoft and Cisco were the most targeted vendors, with vulnerabilities in WordPress plugins, network edge devices, server software, and operating systems leading the exploitation landscape. State-sponsored activity remained a driving force, though dynamics shifted. Chinese and North Korean threat actors showed notable declines in attributed activity, while Russian and Iranian groups surged. Russian exploitation nearly doubled, and Iranian actors overtook North Korea in volume. Additionally, vulnerabilities in hardware like DVRs, IP phones, and surveillance systems gained traction, signaling expanding attack surfaces. VulnCheck also emphasized that many exploited CVEs were weaponized before 2025, underscoring the persistent risk of older vulnerabilities. The findings reveal not only a reduction in the time from disclosure to exploitation but also an increasingly aggressive and adaptive threat actor ecosystem.
(TLP: CLEAR) Comments: The findings from VulnCheck’s 2025 mid-year report underscore a troubling shift in both the speed and intent behind vulnerability exploitation, with direct implications for the expansion of botnets and subsequent DDoS capabilities. The rapid weaponization of nearly one-third of vulnerabilities—often within 24 hours of disclosure—suggests that threat actors are increasingly automating exploitation pipelines to gain footholds in exposed infrastructure before patches can be applied. This agility significantly raises the risk of compromised assets being absorbed into botnets, particularly IoT and edge devices with weak configurations or legacy software. The sharp rise in exploited vulnerabilities targeting WordPress plugins, IP cameras, DVRs, and VoIP-enabled hardware reflects attackers’ focus on low-cost, high-volume targets ideal for botnet recruitment. Once compromised, these systems offer persistent remote access and the ability to launch or proxy high-bandwidth DDoS attacks. The increased activity by Russian and Iranian threat actors, many of whom have a history of supporting DDoS operations for disruption or retaliation, further heightens this risk. As older vulnerabilities remain actively exploited, organizations that fail to address legacy CVEs could inadvertently contribute to the growing pool of enslaved nodes fueling global DDoS campaigns. The intersection of accelerated exploitation and infrastructure compromise highlights the urgent need for real-time patch management and network segmentation to prevent devices from becoming part of adversarial DDoS infrastructure.
(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency Selecting a Protective DNS (PDNS) Service: “The Domain Name System (DNS) is central to the operation of modern networks, translating human-readable domain names into machine-usable Internet Protocol (IP) addresses. DNS makes navigating to a website, sending an email, or making a secure shell connection easier, and is a key component of the Internet’s resilience. As with many Internet protocols, DNS was not built to withstand abuse from bad actors intent on causing harm. ‘Protective DNS’ (PDNS) is different from earlier security-related changes to DNS in that it is envisioned as a security service – not a protocol – that analyzes DNS queries and takes action to mitigate threats, leveraging the existing DNS protocol and architecture.”
Cybersecurity and Infrastructure Security Agency (CISA), FBI, and Multi-State ISAC publication “Understanding and Responding to Distributed Denial-of-Service Attacks”: “Enroll in a DDoS protection service. Many internet service providers (ISPs) have DDoS protections, but a dedicated DDoS protection service may have more robust protections against larger or more advanced DDoS attacks. Protect systems and services by enrolling in a DDoS protection service that can monitor network traffic, confirm the presence of an attack, identify the source, and mitigate the situation by rerouting malicious traffic away from your network.”
(TLP: CLEAR) DigiCert: Digicert’s Protective DNS solution, UltraDDR (DNS Detection and Response), supports two modes of onboarding DNS queries and protecting endpoints from phishing and malware: forwarding from an on-network resolver, such as a firewall or Active Directory domain controller, or an endpoint client that captures and forwards DNS queries to UltraDDR’s servers.
Digicert UltraDDoS Protect provides flexible, automated, and always-on protection across 15 Points of Presence (PoPs) and >15Tbps of DDoS mitigation capacity to enable customer availability and performance under even the largest and most complex DDoS attacks (layer 3 through layer 7). An automated intelligence feed that is constantly updating mitigation devices allows protection against emerging attack vectors and common attack sources.
Source: https://www.infosecurity-magazine.com/news/third-kev-exploited/
About Vercara
The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.
To learn more about Vercara solutions, please contact us.