Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here.
NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.
Cisco Confirms Salt Typhoon Targeted U.S. Telecom Networks
(TLP: CLEAR) Recent intelligence reporting corroborates the identification of the Chinese state-sponsored threat group Salt Typhoon as the orchestrator of a large-scale intrusion campaign targeting major U.S. telecommunications companies. Detected in late 2024 and later validated by U.S. government agencies, this campaign showcases Salt Typhoon’s highly advanced persistence techniques, with some intrusions remaining undetected for over three years. According to investigators, the threat group primarily leveraged stolen credentials and exploited the known vulnerability CVE-2018-0171 (a bug in Cisco’s Smart Install feature) to infiltrate and maintain access to targeted systems. A significant aspect of Salt Typhoon’s operations is their extensive use of living-off-the-land (LotL) techniques, enabling them to persist undetected within compromised environments. The group then harvested additional network credentials by capturing SNMP, TACACS, and RADIUS traffic, targeting weakly encrypted password storage methods, and exfiltrating network configurations via TFTP/FTP. These configurations contained authentication data that gave Salt Typhoon deep visibility into the network infrastructure, further enabling reconnaissance and exploitation of targeted systems.
(TLP: CLEAR) Comments: To further conceal their activities, Salt Typhoon deployed a custom-built, Go-based tool called JumbledPath, designed to execute packet captures via actor-controlled jump hosts. JumbledPath effectively masked the origin and destination of their operations, adding another layer of obfuscation to their movements within targeted networks. Cisco released additional indicators of compromise at https://blog.talosintelligence.com/salt-typhoon-analysis/
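As an added illustration (not code from the report or from Cisco), the following Python audit flags, in a Cisco IOS running-config, the exposures the item describes: Smart Install not disabled, reversible or legacy password storage that an exfiltrated config would give away, cleartext SNMPv1/v2c community strings, and telnet management. The sample config is constructed and its values are placeholders.

```python
import re

# Constructed sample running-config excerpt for illustration (not taken from
# the report or from any real device); all values are placeholders.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
service password-encryption
enable password 7 094F471A1A0A
username admin privilege 15 password 7 0822455D0A16
username ops privilege 15 secret 9 $9$placeholderhash
snmp-server community public RO
snmp-server community netops RW
tacacs-server key 7 0107030A1B
radius-server host 10.0.0.5 key 0 plaintextkey
line vty 0 4
 transport input telnet ssh
"""

# Cisco IOS password-storage types: 0 = cleartext, 7 = reversible obfuscation,
# 5 = salted MD5 (crackable offline), 8 = PBKDF2-SHA256, 9 = scrypt.
REVERSIBLE = {"0", "7"}
LEGACY_HASH = {"5"}

# Each pattern captures the storage type (if any) as group 'typ'.
CHECKS = [
    (re.compile(r"^enable password(?: (?P<typ>\d))? "), "enable password"),
    (re.compile(r"^username \S+(?: privilege \d+)? password(?: (?P<typ>\d))? "), "user password"),
    (re.compile(r"^username \S+(?: privilege \d+)? secret(?: (?P<typ>\d))? "), "user secret"),
    (re.compile(r"^(?:tacacs|radius)-server(?: host \S+)? key(?: (?P<typ>\d))? "), "AAA shared key"),
]


def classify_secret(typ):
    """Map a Cisco storage type to a finding severity, or None if acceptable (type 8/9)."""
    if typ is None or typ in REVERSIBLE:
        return "high"      # recoverable directly from a copied config
    if typ in LEGACY_HASH:
        return "medium"    # offline-crackable MD5
    return None


def audit_ios_config(config):
    """Return (severity, message) findings for credential exposure and Smart Install risk."""
    findings = []
    lines = [ln.strip() for ln in config.splitlines()]
    if "no vstack" not in lines:
        findings.append(("high", "Smart Install not explicitly disabled ('no vstack' missing); CVE-2018-0171 exposure"))
    for ln in lines:
        for pat, label in CHECKS:
            m = pat.match(ln)
            if m and (sev := classify_secret(m.group("typ"))):
                findings.append((sev, f"{label} stored with type {m.group('typ') or '0'}: {ln}"))
        m = re.match(r"^snmp-server community \S+ (RO|RW)", ln)
        if m:  # SNMPv1/v2c communities travel in cleartext and can be captured on the wire
            findings.append(("high" if m.group(1) == "RW" else "medium", f"SNMP community string: {ln}"))
        if ln.startswith("transport input") and "telnet" in ln.split():
            findings.append(("high", f"telnet management exposes credentials to capture: {ln}"))
    return findings
```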
(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency Selecting a Protective DNS (PDNS) Service: “The Domain Name System (DNS) is central to the operation of modern networks, translating human-readable domain names into machine-usable Internet Protocol (IP) addresses. DNS makes navigating to a website, sending an email, or making a secure shell connection easier, and is a key component of the Internet’s resilience. As with many Internet protocols, DNS was not built to withstand abuse from bad actors intent on causing harm. ‘Protective DNS’ (PDNS) is different from earlier security-related changes to DNS in that it is envisioned as a security service – not a protocol – that analyzes DNS queries and takes action to mitigate threats, leveraging the existing DNS protocol and architecture.”
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses a multi-petabyte data lake filled with DNS query history and indicators of compromise from multiple Cyber Threat Intelligence (CTI) data feeds to correlate an incoming DNS query in real-time with previously observed malicious activity. This ensures that users and devices only go to safe, policy-compliant Internet locations.
Source: https://thehackernews.com/2025/02/cisco-confirms-salt-typhoon-exploited.html
Confluence Exploit Leads to LockBit Ransomware Deployment
(TLP: CLEAR) What began as a single exposed Confluence server escalated into a full-blown ransomware attack in under two hours, recent reporting reveals. Unknown threat actors exploited a critical remote code execution vulnerability, CVE-2023-22527, in Atlassian Confluence servers to deploy LockBit ransomware within approximately two hours of initial access. According to the reporting, the attack began with the compromise of an exposed Windows Confluence server vulnerable to this server-side template injection flaw, which allows unauthenticated execution of arbitrary commands via malicious Object-Graph Navigation Language (OGNL) expressions. After exploitation, the attackers ran system discovery commands such as net user and whoami to gather information about user accounts. They then attempted to download AnyDesk using curl, which initially failed. Subsequently, they used mshta, a native Windows utility, to retrieve and execute a Metasploit stager, establishing command and control (C2) with the Metasploit server. Once C2 was established, AnyDesk was successfully installed with a preset password, providing persistent remote access. The attackers created a new local administrator account named “backup” and added it to the local “Administrators” group, allowing remote access to the compromised host via Remote Desktop Protocol (RDP). The threat actors used Mimikatz to extract credentials, identifying an easily crackable hash for the ‘Administrator’ account that was reused across multiple hosts in the environment. Leveraging these credentials, the attackers moved laterally across the network, targeting critical infrastructure such as backup and file servers. On the file server, they deployed Rclone to exfiltrate data to MEGA.io cloud storage. Following data exfiltration, they cleared Windows event logs to evade detection.
The attackers then accessed a domain controller, enumerated admin group memberships, and used PDQ Deploy, a legitimate enterprise deployment tool, to distribute LockBit ransomware to multiple systems via SMB shares. Investigators assess that the entire attack lifecycle, from initial exploitation to full ransomware deployment, was completed in just over two hours, demonstrating the attackers’ speed and operational efficiency.
(TLP: CLEAR) Comments: Prior to encrypting the targeted systems, the threat actors exfiltrated over 1.5 GB of data to MEGA.io using Rclone, ensuring a successful data harvest before system lockdown. According to reporting, the attackers’ infrastructure traced back to Russian IP addresses and Flyservers S.A., which aligns with tactics commonly observed in LockBit affiliate operations. This indicator reinforces the likelihood of a broader connection to a sophisticated ransomware-as-a-service (RaaS) ecosystem.
(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency #StopRansomware Guide: “Implement Protective Domain Name System (DNS). By blocking malicious internet activity at the source, Protective DNS services can provide high network security for remote workers. These security services analyze DNS queries and take action to mitigate threats—such as malware, ransomware, phishing attacks, viruses, malicious sites, and spyware—leveraging the existing DNS protocol and architecture.”
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), supports 4 distinct detection engines to provide Defense in Depth against malware, phishing, and other abuses:
- The Lists Engine lets UltraDDR customers bring their own block lists and allow lists for FQDNs, domains, IP addresses, CIDR blocks, and registrars.
- The Categories Engine uses Vercara-provided Cyber Threat Intelligence feeds in 17 categories. Administrators can enable blocking on a category with just one button click.
- The Decision Engine uses a multi-petabyte adversarial infrastructure data lake and artificial intelligence techniques to determine if a previously unseen or recently changed domain is malicious in nature.
- The Ruleset Engine lets administrators build custom rules to augment and extend the other engines of UltraDDR.
Source: https://cyberpress.org/hackers-exploit-critical-confluence-server-flaw/?amp=1
Massive Botnet Hits Microsoft 365 Accounts
(TLP: CLEAR) Recent intelligence reporting highlights a newly discovered botnet of over 130,000 compromised devices that has begun highly coordinated password-spraying attacks targeting Microsoft 365 (M365) accounts. According to recent reporting, security researchers have assessed the password-spraying campaign to be connected to China-affiliated threat actors after identifying attack infrastructure linked to CDS Global Cloud and UCLOUD HK, groups known for their operational ties to China. Bypassing the usual red flags of traditional password-spraying attacks, this technique exploits non-interactive sign-ins, a mechanism intended for service-to-service authentication that operates outside the visibility of standard security controls. Unlike interactive logins, these authentication attempts do not trigger account lockouts and evade Multi-Factor Authentication (MFA) and Conditional Access Policies (CAP). By targeting under-monitored authentication channels, attackers can stealthily infiltrate environments that would otherwise be well-protected, maintaining persistent access while remaining undetected for extended periods.
(TLP: CLEAR) Comments: The large-scale password-spraying attack targeting Microsoft 365 accounts showcases a critical vulnerability in noninteractive sign-in processes. A botnet comprising over 130,000 compromised devices exploited this authentication feature, conducting high-volume password-spraying attempts while remaining virtually undetected. Noninteractive sign-ins, typically used for service accounts, automated tasks, and API integrations, do not require explicit user authentication and thus bypass standard security alerts from Multi-Factor Authentication (MFA) and Conditional Access Policies (CAP).
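Because these attempts surface only in the non-interactive sign-in log, a detection has to look there explicitly. The following Python is an added example (not from the report or from Microsoft) that runs over constructed sign-in records: it flags any source IP whose failed non-interactive sign-ins touch many distinct accounts within a short window, and lists accounts that then succeeded from that IP. The record layout and field names are an assumption loosely modelled on Entra ID sign-in exports.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (timestamp, user, source IP, interactive, success).
# Not a real export; the layout is an assumption for this example.
SIGNINS = [
    ("2025-02-24T01:00:05", "alice@example.com", "203.0.113.10", False, False),
    ("2025-02-24T01:00:09", "bob@example.com",   "203.0.113.10", False, False),
    ("2025-02-24T01:00:14", "carol@example.com", "203.0.113.10", False, False),
    ("2025-02-24T01:00:20", "dave@example.com",  "203.0.113.10", False, False),
    ("2025-02-24T01:00:27", "erin@example.com",  "203.0.113.10", False, False),
    ("2025-02-24T01:00:33", "frank@example.com", "203.0.113.10", False, False),
    ("2025-02-24T01:03:40", "erin@example.com",  "203.0.113.10", False, True),   # spray hit
    ("2025-02-24T01:10:00", "alice@example.com", "198.51.100.7", True,  True),   # normal user login
    ("2025-02-24T01:11:00", "svc-backup@example.com", "10.0.0.5", False, True),  # legitimate service account
    ("2025-02-24T01:12:00", "svc-backup@example.com", "10.0.0.5", False, False), # one-off failure, not a spray
]


def detect_noninteractive_spray(events, window_minutes=10, min_accounts=5):
    """Return {source_ip: {"accounts": n, "hits": [users]}} for IPs whose failed
    non-interactive sign-ins cover at least min_accounts distinct accounts within
    any window of window_minutes. 'hits' are accounts that later succeeded from that IP."""
    by_ip = defaultdict(list)
    for ts, user, ip, interactive, ok in events:
        if not interactive:                      # interactive logins are covered by MFA/CAP; look at the other channel
            by_ip[ip].append((datetime.fromisoformat(ts), user, ok))

    window = timedelta(minutes=window_minutes)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        failures = [(t, u) for t, u, ok in evs if not ok]
        best = 0
        for i, (t0, _) in enumerate(failures):   # sliding window anchored at each failure
            users = {u for t, u in failures[i:] if t - t0 <= window}
            best = max(best, len(users))
        if best >= min_accounts:
            hits = sorted({u for _, u, ok in evs if ok})
            alerts[ip] = {"accounts": best, "hits": hits}
    return alerts
```

Accounts listed under "hits" are the ones to treat as potentially compromised and review first.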
(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency #StopRansomware Guide: “Implement Protective Domain Name System (DNS). By blocking malicious internet activity at the source, Protective DNS services can provide high network security for remote workers. These security services analyze DNS queries and take action to mitigate threats—such as malware, ransomware, phishing attacks, viruses, malicious sites, and spyware—leveraging the existing DNS protocol and architecture.”
(TLP: CLEAR) Vercara: Vercara’s Web Application Firewall, UltraWAF, protects your applications from data breaches, defacements, malicious bots, and other web application-layer attacks. By protecting your applications no matter where they are hosted, UltraWAF simplifies your operations through consistently configured rules with no provider restrictions or hardware requirements.
Source: https://www.darkreading.com/cyberattacks-data-breaches/microsoft-365-accounts-sprayed-mega-botnet
New Linux Malware Grants Full Remote Access to Compromised Systems
(TLP: CLEAR) In late 2024, security investigators identified a sophisticated Linux malware variant dubbed Auto-Color, primarily targeting universities and government agencies across North America and Asia. The malware’s alias stems from its ability to rename itself upon installation, adapting its filename with each deployment in order to evade detection. Additionally, Auto-Color employs various sophisticated evasion techniques, including adopting benign-sounding filenames such as “door” or “egg,” obfuscating its command-and-control (C2) communications by hooking into standard library functions, and manipulating system files that track active network connections. Auto-Color also utilizes proprietary encryption to mask its configuration details and communication data, further complicating detection efforts. After installation, the malware grants threat actors full remote access to compromised systems, allowing them to execute commands, create or modify files, or use the infected machine as a proxy for further malicious activities. The precise infection vector remains undetermined, but Auto-Color requires execution on a Linux system to initiate its attack. Upon launch, it verifies whether its filename matches the expected Auto-Color designation; if not, it triggers an installation phase, deploying a stealthy library implant. When executed with root privileges, the malware installs a counterfeit library designed to impersonate the legitimate libcext.so.0 library, effectively bypassing security mechanisms. It then modifies /etc/ld.so.preload, ensuring its malicious library is loaded ahead of legitimate system libraries, granting it the ability to intercept and manipulate critical system functions while maintaining persistence and evading detection. According to reporting, the malware’s persistence mechanisms and evasive capabilities make it particularly difficult to detect and remove without specialized forensic tools.
(TLP: CLEAR) Comments: A particularly stealthy feature amongst Auto-Color’s wide range of capabilities is its kill switch, which allows attackers to remotely uninstall the malware when necessary, reducing the risk of detection and forensic analysis. To further complicate detection efforts, each command issued to the malware is encrypted with a unique, one-time key, making interception and analysis significantly more challenging. These advanced capabilities, coupled with strong evasion techniques, highlight the need for continuous monitoring and proactive security measures to detect and mitigate threats posed by such sophisticated malware.
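The /etc/ld.so.preload persistence described above is one of the few artifacts a preloaded hook cannot hide from a file-level check. The following Python is an added example (not from the report) that parses the file’s contents and flags entries that are not on a reviewed allowlist, sit outside system library directories, or carry a name mimicking a core C-library component, as the report says Auto-Color’s libcext.so.0 impersonation does. The sample contents, allowlist and directory list are constructed assumptions.

```python
import os

# Constructed sample contents of /etc/ld.so.preload (not a real capture).
# Entries may be separated by whitespace or newlines; '#' starts a comment.
SAMPLE_PRELOAD = """\
# constructed example
/usr/lib/x86_64-linux-gnu/libfakeroot/libfakeroot-sysv.so
/usr/lib/libcext.so.0
/var/tmp/.x/libhook.so
"""

# Paths a reviewer has deliberately approved on this host (assumption; tune per fleet).
ALLOWLIST = {"/usr/lib/x86_64-linux-gnu/libfakeroot/libfakeroot-sysv.so"}
# Directories from which preloaded system libraries are normally expected.
SYSTEM_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64")
# Name prefixes that look like libc companions; Auto-Color impersonates libcext.so.0.
LOOKALIKE_PREFIXES = ("libc.", "libcext.", "libpthread.", "libdl.")


def parse_preload(text):
    """Split ld.so.preload contents into library paths, ignoring comments."""
    entries = []
    for line in text.splitlines():
        entries.extend(line.split("#", 1)[0].split())
    return entries


def audit_preload(text, allowlist=ALLOWLIST):
    """Return (path, reason) pairs for preload entries that deserve analyst review."""
    findings = []
    for path in parse_preload(text):
        if path in allowlist:
            continue
        reasons = []
        if not path.startswith(SYSTEM_LIB_DIRS):
            reasons.append("outside system library directories")
        if os.path.basename(path).startswith(LOOKALIKE_PREFIXES):
            reasons.append("name mimics a core C-library component")
        if not reasons:
            reasons.append("not on the reviewed allowlist")
        findings.append((path, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    # On a live host read the real file; a missing file is the normal, clean state.
    try:
        with open("/etc/ld.so.preload") as fh:
            live = fh.read()
    except FileNotFoundError:
        live = ""
    for path, why in audit_preload(live):
        print(f"{path}: {why}")
```

Run it from a trusted boot medium or a mounted disk image rather than on the suspect host, since a preloaded hook can lie about file contents to processes running under it.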
(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) DE.CM-01: “Networks and network services are monitored to find potentially adverse events”. One of the ways to detect phishing, malware droppers, and command and control (C2) is at the network level. Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and next-generation firewalls can be used with a protective DNS solution to detect these malicious activities as they traverse the network, even if the initial infection occurs via physical media or on another network such as a hotel or airport.
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), filters internal DNS responses for users as well as machines, using both defined categories (including botnet Command and Control (C2)) and machine learning to detect previously uncategorized malicious associations, helping prevent data exfiltration or malware detonation.
Source: https://thehackernews.com/2025/02/new-linux-malware-auto-color-grants.html
Layer 7 DDoS Attacks See Major Surge as AI Boosts Attack Power
(TLP: CLEAR) A recent analysis of the cyber threat landscape indicates that Layer 7 DDoS attacks experienced a dramatic 550% increase compared to the previous year. According to reporting, this surge is primarily attributed to geopolitical tensions and the proliferation of Artificial Intelligence (AI) technologies, which have essentially lowered the barriers to entry for malicious actors. Hacktivist groups, leveraging AI-enhanced tools, have mounted more destructive and sophisticated attacks, enabling even novice actors to launch successful malicious campaigns. The Europe, Middle East, and Africa (EMEA) region was particularly affected, accounting for 78% of global incidents. Specific industries faced significant challenges, with the financial sector experiencing a 393% year-over-year escalation in network DDoS attack volume, and the telecommunications sector bearing 43% of the global network DDoS attack volume. These developments underscore the critical need for organizations to adopt dynamic defence strategies to counter the evolving threat landscape shaped by AI and geopolitical factors.
(TLP: CLEAR) Comments: The convergence of AI advancements and geopolitical tensions has fundamentally transformed the cyber threat landscape, making DDoS attacks more accessible and impactful to systems and networks. As AI continues to evolve, it is likely that threat actors will further refine their tactics, increasing the frequency and sophistication of attacks.
(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency (CISA) publication “VOLUMETRIC DDOS AGAINST WEB SERVICES TECHNICAL GUIDANCE”: “Agencies should select a provider that has the capacity to scale and withstand large volumetric DDoS attacks. Agencies should also understand their role and the role of the provider if targeted by a DDoS attack. Note the two consumption models previously identified for DDoS mitigation services – always-on and on-call/on-demand. In an always-on model, all traffic always passes through the mitigation provider’s service (which may add latency if the distance between the customer internet circuit and mitigation service are high). Always-on can provide instant protection, but agencies should always validate time-to-mitigation of any proposed solution. The on-demand consumption model only sends traffic to scrubbing centers when directed to do so via human intervention during an attack. Agencies must communicate with their provider to understand which protections are available, the protections that are included in the existing contracts, and those offered à la carte. For services that require manual activation, agencies must understand each organization and individual’s roles, as well as develop, maintain, and test the activation procedures for best response.”
(TLP: CLEAR) Vercara: Vercara’s DDoS solution, Vercara UltraDDoS Protect, scrubs malicious traffic away from your infrastructure, defusing the large, complex attacks that make headlines every day and threaten your operational stability. Powerful automation allows you to activate on-demand cloud protection through means that include DNS Redirection, BGP Redirection, and API-triggering. The result is incredibly fast response against DDoS trouble when you need it most.
Source: https://thehackernews.com/2025/02/cisco-confirms-salt-typhoon-exploited.html