This is a monthly newsletter that I share internally with our Cybersecurity team. Feel free to take and use for your own team. Created with the help of ChatGPT.
Exploring Q4 2024 Brand Phishing Trends: Microsoft Remains the Top Target as LinkedIn Makes a Comeback
In the final quarter of 2024, Microsoft continued to be the most targeted brand in phishing campaigns, but LinkedIn made a significant comeback, appearing as a top target for the first time in years. Phishing actors are increasingly leveraging trusted brands to deceive users, with attacks designed to steal sensitive credentials and install malware. Organizations must continue to strengthen defenses against these brand impersonation attacks to protect their users and data.
Key Insights:
Microsoft remains the primary target in brand phishing campaigns, with attackers frequently using its name to trick users into disclosing credentials.
LinkedIn’s resurgence as a phishing target highlights the shifting tactics of cybercriminals, who are capitalizing on platforms that users trust.
Organizations need to implement strong anti-phishing measures, including employee training and advanced detection tools, to defend against these evolving threats.
Further Reading: Check Point Blog
Threat Actors Still Leveraging Legit RMM Tool ScreenConnect for Persistence in Cyberattacks
Cybercriminals are continuing to exploit the legitimate remote monitoring and management (RMM) tool ScreenConnect to maintain persistence in cyberattacks. Threat actors use social engineering to lure victims into installing altered versions of ScreenConnect, which give them control over the victims' systems. Campaigns using the tool go after sensitive data; at least one has focused specifically on Social Security recipients. The attacks are hosted on bulletproof hosting providers, which makes them hard to trace and take down.
Key Insights:
ScreenConnect is being used by threat actors to gain persistent access to victims’ systems.
Malicious versions of the software are being disguised as legitimate files, such as eStatements from the Social Security Administration.
Social engineering tactics are employed to trick users into installing compromised software.
Bulletproof hosting providers are being used to shelter malicious activities, making them harder to disrupt.
Further Reading: Silent Push
Hackers Spoof Microsoft ADFS Login Pages to Steal Credentials
Hackers are spoofing Microsoft Active Directory Federation Services (ADFS) login pages to steal user credentials. This attack leverages the trust users have in Microsoft’s secure login page by creating fake versions that closely resemble the original. Once victims enter their credentials, the attackers steal the information for malicious purposes. This highlights the importance of verifying login pages and using multi-factor authentication to protect against such credential theft.
Key Insights:
Hackers are creating fake versions of Microsoft ADFS login pages to capture user credentials.
These attacks rely on users trusting the Microsoft login page, making them difficult to detect.
Multi-factor authentication (MFA) and vigilant scrutiny of login pages can help prevent successful credential theft.
Further Reading: BleepingComputer
Racing the Clock: Outpacing Accelerating Attacks
In 2024, cyberattack speeds surged, with the average breakout time dropping to just 48 minutes, a 22% reduction from the previous year. Key factors behind this acceleration include more efficient Ransomware-as-a-Service (RaaS) operations, a rise in infostealers, and the use of AI-powered penetration testing tools. As attacks become faster, organizations must enhance their security measures to match the pace of threat actors, leveraging automation and AI to reduce response times and contain attacks before they spread.
Key Insights:
Breakout time—the time from initial access to lateral movement—has decreased to 48 minutes, making it crucial to respond quickly.
Infostealers and IABs (Initial Access Brokers) are driving faster breaches by providing quick access to compromised systems.
Automation and AI-driven tools are essential for organizations to respond to attacks more efficiently and minimize damage.
Further Reading: ReliaQuest
VidSpam: A New Threat Emerges as Bitcoin Scams Evolve from Images to Video
Bitcoin scams targeting mobile users are evolving with attackers now using video-based spam (VidSpam) to deceive victims. These scammers are sending small video file attachments to lure individuals into fraudulent schemes. The videos often direct recipients to high-pressure WhatsApp groups where personal information or money is extracted. This evolution from image-based scams to video content marks a troubling trend in mobile security.
Key Insights:
Attackers are using small video files (e.g., 14KB .3gp files) to promote Bitcoin scams through multimedia messages.
The video attachments encourage victims to join WhatsApp groups where scammers use pressure tactics to steal money or data.
As scammers refine their tactics, VidSpam is expected to increase, targeting unsuspecting mobile users.
Further Reading: Proofpoint
January 2025’s Most Wanted Malware: FakeUpdates Continues to Dominate
FakeUpdates malware remains the top threat in January 2025, continuing its dominance in the malware landscape. This malware is primarily distributed through fake software updates that users are tricked into downloading. Once installed, it can enable attackers to take control of the system and steal sensitive information. The persistence of FakeUpdates emphasizes the need for cautious behavior when downloading updates and a heightened focus on secure software practices.
Key Insights:
FakeUpdates continues to lead as one of the most used malware types, delivered through fake update prompts.
This malware is often disguised as legitimate updates, compromising systems and exfiltrating data.
Users should avoid downloading updates from unverified sources and ensure they only install software from trusted vendors.
Further Reading: Check Point Blog
Using Genuine Business Domains and Legitimate Services to Harvest Credentials
Cybercriminals are increasingly using legitimate business domains and services to conduct credential harvesting attacks. By spoofing well-known companies and mimicking their email communications, attackers deceive users into providing their login information. These tactics often involve using business-looking email addresses and phishing links that lead to fake login pages. This trend underscores the need for businesses and consumers to be cautious when interacting with unsolicited messages.
Key Insights:
Phishing attacks are increasingly using trusted business domains and services to trick users into disclosing credentials.
Attackers mimic legitimate emails to create fake login pages that steal sensitive information.
Users should be cautious of unsolicited messages and verify the authenticity of any login requests by visiting official websites directly.
Further Reading: KnowBe4 Blog
Protect Your Data: Russian Spear-Phishing Targets Microsoft 365 Accounts
A new spear-phishing campaign linked to Russian threat actors is targeting Microsoft 365 users. The attackers use highly customized phishing emails that appear legitimate, aiming to steal login credentials and gain unauthorized access to sensitive information. With Microsoft 365 being a prime target, organizations should enhance their security by training users to recognize phishing attempts and implementing advanced security measures, including multi-factor authentication.
Key Insights:
Russian threat actors are targeting Microsoft 365 accounts using personalized spear-phishing emails.
These attacks aim to steal credentials, putting sensitive data at risk.
Organizations should deploy multi-factor authentication and conduct regular security awareness training to protect against these threats.
Further Reading: KnowBe4 Blog
New Xerox Printer Flaws Could Let Attackers Capture Windows Active Directory Credentials
Critical vulnerabilities have been found in Xerox VersaLink printers, allowing attackers to potentially capture Windows Active Directory credentials via pass-back attacks. These flaws, affecting firmware versions 57.69.91 and earlier, enable attackers to manipulate printer configurations and redirect authentication credentials. Successful exploitation could allow lateral movement within an organization's network, compromising servers and file systems. Immediate patching and enhanced security measures, such as strong admin passwords and disabling remote access, are advised.
Key Insights:
Xerox VersaLink printers are vulnerable to attacks that can capture Windows Active Directory credentials.
Exploiting these vulnerabilities requires physical or remote access to the printer's control interface.
Organizations should patch printers immediately, enforce strong passwords, and limit access to vulnerable settings.
Further Reading: The Hacker News
ClickFix vs. Traditional Download in New DarkGate Campaign
A new malvertising campaign has been observed using two different methods to deliver the DarkGate malware: the ClickFix technique and traditional file downloads. The ClickFix method involves a fake CAPTCHA-like page that tricks users into executing a malicious command, while the traditional approach uses a fake software download disguised as a legitimate app. Both methods ultimately deliver the DarkGate malware, highlighting the adaptability of threat actors in refining delivery techniques.
Key Insights:
The ClickFix method tricks users into running malicious code by mimicking a CAPTCHA process.
The traditional download method uses fake installers to distribute malware.
Both methods successfully deliver DarkGate, with the ClickFix technique possibly yielding higher success rates.
Further Reading: Malwarebytes
Russian Phishing Campaigns Exploit Signal's Device-Linking Feature
Russian phishing campaigns are exploiting the device-linking feature of the Signal messaging app to compromise user accounts. Attackers use malicious QR codes to trick targets into linking their Signal account to an attacker-controlled device, allowing them to monitor private conversations without fully compromising the target's device. This method has been observed in both large-scale campaigns and targeted attacks, especially against military personnel and high-value targets.
Key Insights:
Attackers use malicious QR codes to link Signal accounts to their devices, enabling undetected access to encrypted communications.
These phishing techniques often involve impersonating legitimate resources, such as group invitations or app instructions.
Signal users are advised to update the app, check linked devices regularly, and enable two-factor authentication for added protection.
Further Reading: BleepingComputer
Phishing Attack Hides JavaScript Using Invisible Unicode Trick
A new phishing attack technique uses invisible Unicode characters to hide malicious JavaScript. The binary values of the payload are replaced with invisible Hangul filler characters, so the script appears empty to anyone reading it. When executed, a JavaScript Proxy getter retrieves and reconstructs the original code. The attack is difficult to detect: it uses anti-debugging techniques and avoids triggering security scanners because the payload reads as blank whitespace. The campaign targets affiliates of a political action committee, employing highly personalized lures.
Key Insights:
The phishing attack uses invisible Unicode characters to obfuscate JavaScript payloads, making detection more challenging.
Anti-debugging techniques are employed to hinder analysis, redirecting the visitor to a benign page if execution delays suggest the script is being debugged.
The attack is highly personalized and evades security scanners because the payload looks like blank text and the real code is encoded.
Further Reading: BleepingComputer
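The defensive counterpart to the technique above is a scanner that looks for the one thing the obfuscation cannot hide: a string literal that is long but consists almost entirely of code points that render as nothing. The following is an added example written for this newsletter, not code from the article or the researchers it cites. The set of "invisible" code points and the 50% threshold are this example's assumptions; the Hangul Filler and Halfwidth Hangul Filler code points are the characters named in the report, and the sample JavaScript is constructed.

```python
"""Find invisible Unicode hiding in JavaScript string literals.

Added defensive example, not code from the article or from the researchers it
cites. It flags string literals that are long but made mostly of code points
that render as nothing, which is what the Hangul-filler payload looks like to
a reader or to a scanner keyed on visible text.
"""
import re
import unicodedata
from collections import Counter

# Code points that display as nothing but survive inside a string literal.
# The two Hangul fillers are the ones named in the report; the rest are common
# zero-width characters that deserve the same suspicion (assumed set).
INVISIBLE = {
    0x3164,  # HANGUL FILLER
    0xFFA0,  # HALFWIDTH HANGUL FILLER
    0x200B,  # ZERO WIDTH SPACE
    0x200C,  # ZERO WIDTH NON-JOINER
    0x200D,  # ZERO WIDTH JOINER
    0x2060,  # WORD JOINER
    0xFEFF,  # ZERO WIDTH NO-BREAK SPACE
}

# Good-enough tokenizer for "...", '...' and `...` literals (escapes respected
# for the quote forms; nested template expressions are not handled).
STRING_LITERAL = re.compile(r'''"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'|`[^`]*`''', re.S)


def invisible_ratio(text: str) -> float:
    """Fraction of characters in text that are in the INVISIBLE set."""
    if not text:
        return 0.0
    return sum(1 for ch in text if ord(ch) in INVISIBLE) / len(text)


def code_point_report(text: str) -> dict:
    """Count each invisible code point by its Unicode name, for the analyst."""
    return dict(Counter(unicodedata.name(ch) for ch in text if ord(ch) in INVISIBLE))


def scan_js(source: str, min_len: int = 16, threshold: float = 0.5) -> list:
    """Return one finding per string literal that is at least min_len characters
    long and at least `threshold` invisible. Short literals are ignored because
    a lone zero-width joiner inside a UI string is normal."""
    findings = []
    for m in STRING_LITERAL.finditer(source):
        body = m.group(0)[1:-1]
        ratio = invisible_ratio(body)
        if len(body) >= min_len and ratio >= threshold:
            findings.append({
                "line": source.count("\n", 0, m.start()) + 1,
                "length": len(body),
                "invisible_ratio": round(ratio, 2),
                "code_points": code_point_report(body),
            })
    return findings


# Constructed sample: one ordinary literal and one that is 40 fillers long,
# handed to a Proxy getter in the shape the report describes (the Proxy here
# only makes the sample look like the pattern; it executes nothing).
SAMPLE_JS = (
    'const greeting = "hello world";\n'
    + 'const hidden = "' + "\u3164\uffa0" * 20 + '";\n'
    + 'const unwrap = new Proxy({}, { get: (t, k) => hidden });\n'
)

if __name__ == "__main__":
    for finding in scan_js(SAMPLE_JS):
        print(finding)
```

Run over a mail gateway's quarantined HTML attachments or a web proxy's script cache, the `code_points` breakdown tells the analyst which characters were used, and the `line` field points at the literal to pull for decoding.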
New Facebook Copyright Infringement Phishing Campaign
A new phishing campaign has been detected targeting Facebook users with fake copyright infringement notices. The attackers use deceptive emails that appear to come from Facebook, claiming that users have violated copyright laws. The emails contain links to fake Facebook pages that prompt users to enter personal information, including passwords. This campaign highlights the ongoing threat of phishing attacks that impersonate trusted platforms like Facebook.
Key Insights:
The phishing emails mimic Facebook's notifications about copyright violations to trick users into sharing sensitive data.
Victims are directed to fake pages designed to capture their credentials.
Users should be cautious about unsolicited emails and verify the authenticity of any official communications by visiting Facebook directly.
Further Reading: Check Point Blog
University Site Cloned to Evade Ad Detection, Distributes Fake Cisco Installer
A recent malicious campaign involved cloning a German university website to evade ad detection, distributing a fake Cisco AnyConnect installer. The attackers leveraged a Google ad to direct users to a fraudulent site designed to mimic a legitimate university page, with the goal of deploying the NetSupport RAT. The malware, disguised as a Cisco update, was signed with a valid certificate and allowed attackers to remotely access infected systems.
Key Insights:
Attackers cloned a university website to evade detection, delivering a fake Cisco installer via a Google ad.
The malware, NetSupport RAT, was hidden in a digitally signed installer and granted remote access to attackers.
Users should exercise caution when downloading software, especially from sponsored ads, and verify the authenticity of the source.
Further Reading: Malwarebytes
How Hunting for Vulnerable Drivers Unraveled a Widespread Attack
An investigation into vulnerable drivers revealed a widespread attack exploiting these weaknesses to gain unauthorized access. Attackers used outdated or unpatched drivers to deploy malware and maintain persistence within compromised systems, bypassing traditional security measures. This emphasizes the need for regular updates and comprehensive vulnerability management to safeguard against such threats.
Key Insights:
Attackers exploited outdated drivers to gain system access and deploy malware.
The attack allowed persistent control over systems, evading detection.
Regular driver updates and vulnerability assessments are crucial for preventing similar attacks.
Further Reading: Check Point Blog
2024 Account Takeover Statistics
Proofpoint’s latest research highlights the alarming prevalence of account takeover (ATO) attacks, which are now among the most common cyberattack types. These attacks involve threat actors gaining control of legitimate user accounts to execute malicious activities, including data breaches and fraud. The findings underscore the importance of strong authentication and continuous monitoring to prevent unauthorized access and protect sensitive data.
Key Insights:
ATO attacks remain a leading threat, with significant consequences for organizations and users.
Gaining access to legitimate accounts allows attackers to bypass security measures and execute more damaging attacks.
Organizations should prioritize multi-factor authentication and robust monitoring to mitigate ATO risks.
Further Reading: Proofpoint
DeepSeek Lure Used to Spread Malware
A new campaign uses DeepSeek as a lure, with CAPTCHA-like pages distributing malware. Fake CAPTCHA challenges trick users into executing malicious code themselves, so the page looks harmless to automated defenses. Because the victim performs the download and execution, the campaign depends entirely on that deception. This attack illustrates how cybercriminals are exploiting familiar web features to deliver malicious payloads.
Key Insights:
The malware is delivered through fake CAPTCHA-like pages, making it seem legitimate.
Attackers use this method to bypass security filters and trick users into downloading harmful software.
Regular security updates and cautious behavior when interacting with unfamiliar websites can help mitigate such threats.
Further Reading: Zscaler Blog
Botnet Targets Basic Auth in Microsoft 365 Password Spray Attacks
A large botnet, consisting of over 130,000 compromised devices, is conducting password-spray attacks against Microsoft 365 accounts. The attackers are using Basic Authentication to evade Multi-Factor Authentication (MFA) protections, exploiting plaintext credentials to access accounts without triggering alerts. This method targets accounts with weak or leaked passwords and bypasses security measures that typically protect interactive sign-ins. Organizations are urged to disable Basic Auth, enforce MFA, and implement Conditional Access Policies (CAP) to protect against these attacks.
Key Insights:
The botnet targets Basic Authentication to bypass MFA and gain unauthorized access.
Attackers use stolen credentials to conduct widespread password-spray attacks on Microsoft 365 accounts.
Disabling Basic Auth and enabling MFA are critical defenses against this type of attack.
Further Reading: BleepingComputer
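A spray over Basic Auth is invisible to per-account lockout thresholds because each account sees only one or two failures; the signal is the number of distinct users one source address fails against over legacy protocols. The following is an added example for this newsletter, not code from the article or its source. The records and their field names (ts, user, ip, app, ok) are constructed; the Entra ID sign-in log fields they stand in for (userPrincipalName, ipAddress, clientAppUsed, status) and the legacy client-app names listed are this example's assumptions, so check them against your own tenant's logs before reusing the logic.

```python
"""Password-spray detection over constructed Microsoft 365 sign-in records.

Added defensive example, not from the article or its source. Records are
constructed; the field names (ts, user, ip, app, ok) are assumed for this
demo. In Entra ID sign-in logs the matching fields are userPrincipalName,
ipAddress, clientAppUsed and status, and the legacy client-app names below
are this example's assumption about those values.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# clientAppUsed values taken here to indicate Basic Auth / legacy protocols,
# which do not prompt for MFA and so are where a spray shows up.
LEGACY_APPS = {"Other clients", "IMAP4", "POP3", "SMTP", "Authenticated SMTP",
               "Exchange ActiveSync"}


def detect_spray(records, window=timedelta(minutes=60), min_users=5):
    """Flag source IPs that fail legacy sign-ins for many distinct users inside
    one sliding window. A spray tries one or two passwords per user, so
    per-account lockout never fires; user cardinality per IP is the signal."""
    failures = defaultdict(list)
    for r in records:
        if r["app"] in LEGACY_APPS and not r["ok"]:
            failures[r["ip"]].append((r["ts"], r["user"]))

    alerts = []
    for ip, events in failures.items():
        events.sort()
        in_window = Counter()   # user -> failures inside the current window
        start = 0
        best_users = 0
        for ts, user in events:
            in_window[user] += 1
            while events[start][0] < ts - window:   # drop events that aged out
                old_user = events[start][1]
                in_window[old_user] -= 1
                if in_window[old_user] == 0:
                    del in_window[old_user]
                start += 1
            best_users = max(best_users, len(in_window))
        if best_users >= min_users:
            per_user = Counter(u for _, u in events)
            alerts.append({
                "ip": ip,
                "distinct_users": best_users,
                "failed_attempts": len(events),
                "max_failures_per_user": max(per_user.values()),
            })
    return alerts


# Constructed sample: one IP (203.0.113.7, a documentation address) sprays
# eight accounts over IMAP with a single failure each, while a real user
# mistypes a browser password three times from another address.
BASE = datetime(2025, 2, 1, 3, 0)


def _rec(minute, user, ip, app, ok):
    return {"ts": BASE + timedelta(minutes=minute), "user": user, "ip": ip,
            "app": app, "ok": ok}


SAMPLE = [_rec(i * 2, f"user{i}@example.com", "203.0.113.7", "IMAP4", False)
          for i in range(8)]
SAMPLE += [_rec(m, "alice@example.com", "198.51.100.4", "Browser", False)
           for m in (5, 6, 7)]
SAMPLE.append(_rec(9, "alice@example.com", "198.51.100.4", "Browser", True))

if __name__ == "__main__":
    for alert in detect_spray(SAMPLE):
        print(alert)
```

The `max_failures_per_user` field is there to make the point to whoever triages the alert: it will read 1 or 2 for a real spray, which is exactly why an account-centric lockout rule stays silent. Disabling Basic Auth removes the condition this rule depends on, so treat the detection as a stopgap while that change is rolled out.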
New Undetectable Batch Script Uses PowerShell and Visual Basic to Install XWorm
A new undetectable malware campaign uses a highly obfuscated Batch script to deliver the XWorm RAT or AsyncRAT. The script employs PowerShell and Visual Basic Script (VBS) to bypass security tools and download the malware. Once executed, the script establishes persistence and exfiltrates data via Telegram’s API. This campaign marks a significant evolution in fileless attacks, leveraging AI-generated code and cloud-based C2 to evade detection.
Key Insights:
The malware uses a Batch script, PowerShell, and VBS to download XWorm or AsyncRAT.
Obfuscation and environmental checks make the attack difficult to detect by security tools.
Telegram’s API is used to exfiltrate system data, blending malicious traffic with legitimate communications.
AI tools may have assisted in generating the code, increasing sophistication and evasion tactics.
Further Reading: GBHackers
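Both the fake-CAPTCHA lures above (the ClickFix DarkGate campaign and the DeepSeek campaign) and this Batch-to-PowerShell-to-VBS chain leave the same kind of evidence: a process tree that a user-driven workflow rarely produces. The following is an added example for this newsletter, not code from Malwarebytes, Zscaler or GBHackers. The events are constructed process-creation records with assumed field names (pid, ppid, image, cmdline), the shape a parsed Sysmon Event ID 1 or EDR feed would give; the two rules and their thresholds are this example's design, not the reports'.

```python
"""Process-lineage rules for the user-executed delivery chains above.

Added defensive example, not code from any of the cited vendors. Events are
constructed process-creation records with assumed field names (pid, ppid,
image, cmdline). Rule 1 covers ClickFix-style execution, where a shell is
launched directly by explorer.exe with a pasted command; rule 2 covers the
Batch -> PowerShell -> VBS chain.
"""

SHELLS = {"powershell.exe", "pwsh.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def _image_name(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _has_arguments(cmdline: str) -> bool:
    """True when the command line carries anything beyond the executable.
    Whitespace splitting is crude but enough for an argument-count check."""
    return len(cmdline.split()) > 1


def ancestry(events, pid):
    """Image names of the process and its ancestors, youngest first. Stops at
    an unknown parent or a cycle (pid reuse can create one)."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(_image_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def rule_clickfix(events):
    """PowerShell started straight from explorer.exe with arguments: what the
    Run dialog produces when a user pastes a 'verification' command. An admin
    opening an interactive console has no arguments and is not flagged."""
    hits = []
    for e in events:
        chain = ancestry(events, e["pid"])
        if (len(chain) >= 2 and chain[0] in SHELLS and chain[1] == "explorer.exe"
                and _has_arguments(e["cmdline"])):
            hits.append(e["pid"])
    return hits


def rule_batch_chain(events):
    """Script host whose ancestry reads script host <- powershell <- cmd."""
    hits = []
    for e in events:
        chain = ancestry(events, e["pid"])
        if (len(chain) >= 3 and chain[0] in SCRIPT_HOSTS
                and chain[1] in SHELLS and chain[2] == "cmd.exe"):
            hits.append(e["pid"])
    return hits


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events; <pasted command> is a placeholder, not a real lure.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    # ClickFix: text pasted into the Run dialog by the victim
    {"pid": 200, "ppid": 100, "image": PS,
     "cmdline": 'powershell.exe -NoProfile -Command "<pasted command>"'},
    # interactive console opened by an admin: no arguments, not flagged
    {"pid": 210, "ppid": 100, "image": PS, "cmdline": "powershell.exe"},
    # downloaded batch file double-clicked, spawning PowerShell, then a VBS host
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c "installer.bat"'},
    {"pid": 301, "ppid": 300, "image": PS,
     "cmdline": "powershell.exe -NoProfile -File stage.ps1"},
    {"pid": 302, "ppid": 301, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": "wscript.exe stage.vbs"},
    # benign: a logon script run by wscript straight from explorer
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": "wscript.exe logon.vbs"},
]

if __name__ == "__main__":
    print("clickfix:", rule_clickfix(SAMPLE_EVENTS))
    print("batch chain:", rule_batch_chain(SAMPLE_EVENTS))
```

Both rules are deliberately narrow. Tuning them for a real estate means adding the exclusions your environment needs (deployment tooling that launches PowerShell with arguments from a user session, for instance) rather than loosening the parent checks, because the explorer.exe parent is the part the victim cannot avoid producing.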
Chinese Hackers Target Hospitals by Spoofing Medical Software
A new phishing campaign has been discovered where Chinese hackers are targeting hospitals by spoofing medical software, including fake updates for health-related applications. The hackers use these fake updates to deliver malware, gaining access to sensitive healthcare data. Hospitals and healthcare organizations are urged to be cautious of unsolicited software updates and to ensure they are obtaining updates from official sources.
Key Insights:
Attackers are spoofing medical software updates to distribute malware in healthcare organizations.
The campaign targets sensitive healthcare data, with phishing emails disguised as software updates.
Healthcare organizations should verify software updates and ensure they come from trusted sources.
Further Reading: KnowBe4 Blog
GreyNoise 2025 Mass Internet Exploitation Report: Attackers Are Moving Faster Than Ever — Are You Ready?
The 2025 Mass Internet Exploitation Report reveals a dramatic increase in the speed and scale of cyberattacks, with attackers exploiting vulnerabilities faster than security teams can respond. In 2024, automated exploitation of known vulnerabilities was rampant, with legacy flaws from as far back as the 1990s being targeted alongside new threats. The most commonly exploited vulnerabilities were in home routers and IoT devices, which are often overlooked in traditional security strategies. To stay ahead of this rapidly evolving threat, executives must prioritize real-time intelligence and adapt patching and defense strategies to address both old and new vulnerabilities.
Key Insights:
Attackers are automating vulnerability exploitation, surpassing traditional patching strategies.
Legacy vulnerabilities are still prime targets, with some dating back decades.
Ransomware groups are using mass exploitation to gain access, making real-time threat intelligence a necessity for effective defense.
Further Reading: GreyNoise
Threat Spotlight: Inside the World’s Fastest Rising Ransomware Operator — BlackLock
BlackLock, a rapidly rising ransomware-as-a-service (RaaS) operator, has gained prominence for its custom malware and unique data-leak tactics. By Q4 2024, it had become the seventh most active ransomware group, using double extortion to encrypt data and steal sensitive information. BlackLock’s sophisticated leak site and the rapid expansion of its affiliate network via the Russian-language RAMP forum highlight its threat to organizations globally. Executives should prioritize enhancing defense strategies against evolving ransomware threats, including securing third-party access and increasing employee awareness about spear-phishing tactics.
Key Insights:
Custom malware and bespoke ransomware distinguish BlackLock from competitors, making it harder for security tools to detect and defend against.
The data-leak site uses unusual tricks to pressure victims into paying before they can assess the full scope of the breach.
BlackLock’s growing influence on the RAMP forum indicates a well-established network that supports its global ransomware activities.
Further Reading: ReliaQuest
Black Basta and Cactus Ransomware Groups Add BackConnect Malware to Their Arsenal
Black Basta and Cactus ransomware groups have expanded their attack methods by incorporating BackConnect malware. This malware creates an outbound connection, which enables attackers to remotely control compromised systems, bypassing security measures designed to block inbound attacks. By integrating BackConnect into their operations, these groups can maintain access to systems even after initial detection, facilitating long-term exploitation. Organizations must strengthen defenses to detect and block this new tactic and limit the potential damage.
Key Insights:
BackConnect malware allows attackers to maintain persistent access through outbound connections.
This technique enables ransomware groups to bypass detection and continue exploiting compromised systems.
Organizations should improve detection capabilities to identify and block BackConnect traffic.
Further Reading: Trend Micro
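Because BackConnect rides on connections the victim host initiates, inbound filtering never sees it; what it leaves behind is a host contacting the same external endpoint at a steady cadence. The following is an added example for this newsletter, not code from Trend Micro's report. The flow records are constructed with assumed fields (ts, src, dst, dport), and the periodicity test (coefficient of variation of the gaps between connections, with a 0.2 cutoff and a minimum of six connections) is this example's heuristic rather than anything the report specifies.

```python
"""Beacon detection over constructed outbound connection records.

Added defensive example, not from Trend Micro's report. Flow records are
constructed with assumed fields (ts, src, dst, dport). A host that keeps
re-contacting one external endpoint at near-constant spacing is flagged via
the coefficient of variation (stdev / mean) of the gaps between connections.
"""
import statistics
from collections import defaultdict


def beacon_score(timestamps):
    """Return (count, mean_interval, cv) for a list of epoch seconds.
    cv is stdev/mean of the gaps; a low value means near-constant spacing.
    Fewer than three connections give no gap statistics."""
    ts = sorted(timestamps)
    if len(ts) < 3:
        return len(ts), None, None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    if mean == 0:
        return len(ts), 0.0, None
    return len(ts), mean, statistics.stdev(gaps) / mean


def find_beacons(flows, min_conns=6, max_cv=0.2):
    """Group flows by (src, dst, dport) and flag steady-cadence pairs."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f["src"], f["dst"], f["dport"])].append(f["ts"])
    hits = []
    for (src, dst, dport), times in groups.items():
        count, mean, cv = beacon_score(times)
        if count >= min_conns and cv is not None and cv <= max_cv:
            hits.append({"src": src, "dst": dst, "dport": dport,
                         "connections": count,
                         "mean_interval_s": round(mean, 1),
                         "cv": round(cv, 3)})
    return hits


def _flows(src, dst, dport, start, gaps):
    """Build flow records from a start time and the gaps between connections."""
    out, t = [{"ts": start, "src": src, "dst": dst, "dport": dport}], start
    for g in gaps:
        t += g
        out.append({"ts": t, "src": src, "dst": dst, "dport": dport})
    return out


# Constructed sample: one endpoint contacted every ~60 s with small jitter
# (the beacon), one contacted at irregular, human-driven intervals.
SAMPLE_FLOWS = (
    _flows("10.0.0.12", "203.0.113.50", 443, 1_700_000_000,
           [58, 62, 60, 61, 59, 60, 62, 58, 60])
    + _flows("10.0.0.12", "198.51.100.20", 443, 1_700_000_000,
             [5, 90, 12, 300, 40, 7, 150])
)

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_FLOWS):
        print(hit)
```

The cv test is the simplest periodicity check and will also catch legitimate software that polls on a timer, so the output is a candidate list to join against destination reputation and process ownership, not an alert on its own. Tooling that deliberately randomises its sleep raises the cv; lengthening the observation window and lowering `max_cv` trades sensitivity for false positives in that case.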
Scammers Mailing Ransom Letters While Posing as BianLian Ransomware
A new scam has emerged where fraudsters are mailing fake ransom letters to businesses, posing as the notorious BianLian ransomware group. The letters, claiming to be from BianLian, demand large Bitcoin ransoms, threatening to release sensitive data if payment is not made within 10 days. However, cybersecurity experts quickly identified multiple red flags: inconsistencies in the language, uncharacteristic delivery via physical mail, and no evidence of data breaches. This scheme aims to exploit the fear and reputation of a known ransomware group for financial gain.
Key Insights:
Scammers are impersonating BianLian ransomware to demand Bitcoin payments via physical mail.
The letters use fear tactics, mimicking legitimate ransomware practices, but with numerous inconsistencies.
Organizations should educate employees on recognizing such scams and ensure cybersecurity defenses are up to date.
Further Reading: HackRead