DJBSEC's CyberNews 2025-07-07

1. Scattered Spider Upgrades Tactics to Abuse Legitimate Tools

The Scattered Spider hacking group has upgraded its tactics by increasingly abusing legitimate IT management tools in its attacks. Researchers report they are using tools like remote management software to maintain persistence and avoid detection by security products. This approach makes their malicious activities blend in with normal administrative operations. Organizations are urged to monitor legitimate tool usage closely for signs of misuse.

2. Ingram Micro Outage Caused by SafePay Ransomware Attack

IT distribution giant Ingram Micro has confirmed that a recent outage was caused by a ransomware attack from the SafePay group. The attack disrupted operations, preventing customers from accessing systems and placing orders. Ingram Micro is working with cybersecurity experts to restore services and investigate the extent of the breach. This incident highlights the growing trend of ransomware attacks on supply chain companies.

3. CitrixBleed 2 Proof-of-Concept Released

Researchers have released a proof-of-concept (PoC) exploit for CitrixBleed 2, a newly discovered vulnerability affecting Citrix appliances. The flaw could allow attackers to bypass authentication or gain elevated privileges if exploited. Security experts warn that public release of the PoC increases the likelihood of widespread attacks. Organizations using Citrix products are urged to apply patches immediately to mitigate this critical risk.

4. Instagram Starts Using 1-Week Validity TLS Certificates

Instagram has begun deploying TLS certificates with only one-week validity to enhance security and reduce risks from compromised certificates. Short-lived certificates minimize the impact of private key leaks and align with modern security best practices. However, this approach requires robust automated certificate renewal processes to avoid service disruptions. Other major platforms may adopt similar strategies in the future.
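As an added illustration (not code from the original article or from Instagram) of why one-week certificates make renewal monitoring essential: the stdlib-only check below takes the notBefore/notAfter strings that Python's `ssl.getpeercert()` returns, computes lifetime and remaining validity, and flags a certificate that renewal automation should already have replaced. The renew-at-one-third-of-lifetime threshold and the sample certificate dates are assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone

# Assumption: renewal automation is expected to replace a certificate once less
# than a third of its lifetime remains (a common ACME client default).
RENEW_AT_FRACTION = 1.0 / 3.0
DAY = 86400

def cert_lifetime_report(not_before, not_after, now_ts):
    """Return (lifetime_days, remaining_days, status) for one certificate.

    not_before / not_after use the string format ssl.getpeercert() returns,
    e.g. 'Jul  4 00:00:00 2025 GMT'; now_ts is a Unix timestamp."""
    start = ssl.cert_time_to_seconds(not_before)
    end = ssl.cert_time_to_seconds(not_after)
    lifetime = end - start
    remaining = end - now_ts
    if remaining <= 0:
        status = "EXPIRED"
    elif remaining < lifetime * RENEW_AT_FRACTION:
        status = "RENEW_OVERDUE"  # automation should already have rotated it
    else:
        status = "OK"
    return lifetime / DAY, remaining / DAY, status

def audit(certs, now_ts):
    """Run the check over getpeercert()-style dicts; 'name' is a label we add."""
    return [(c["name"], *cert_lifetime_report(c["notBefore"], c["notAfter"], now_ts))
            for c in certs]

def fetch_peer_cert(host, port=443):
    """Fetch a live certificate dict (network; not used by the offline sample)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample data (not real certificates): a one-week leaf and a
# 90-day leaf that expire on the same day, audited on 2025-07-07 12:00 UTC.
SAMPLE_CERTS = [
    {"name": "one-week-cert", "notBefore": "Jul  4 00:00:00 2025 GMT",
     "notAfter": "Jul 11 00:00:00 2025 GMT"},
    {"name": "ninety-day-cert", "notBefore": "Apr 12 00:00:00 2025 GMT",
     "notAfter": "Jul 11 00:00:00 2025 GMT"},
]
SAMPLE_NOW = datetime(2025, 7, 7, 12, 0, tzinfo=timezone.utc).timestamp()

if __name__ == "__main__":
    for name, lifetime, remaining, status in audit(SAMPLE_CERTS, SAMPLE_NOW):
        print(f"{name}: lifetime {lifetime:.0f}d, {remaining:.1f}d left -> {status}")
```

Both sample certificates have 3.5 days left, but only the 90-day one is flagged: the threshold scales with lifetime, which is the point of monitoring short-lived certificates by fraction rather than by a fixed number of days.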

5. Surge in Phishing Attacks Using .es Spanish Domains

Security researchers report a surge in phishing attacks using Spanish (.es) domains to target European users. The campaigns often impersonate banks and government services to steal credentials and financial information. Attackers register legitimate-looking .es domains to evade detection and build user trust. Users are urged to verify domain authenticity before entering sensitive information.

6. Writable File Found in Lenovo’s Windows Directory

A security researcher has discovered a writable file in Lenovo’s Windows directory that could allow privilege escalation. Malicious actors could replace the file with a trojanized version to execute code with higher privileges. Lenovo has been notified and is working on a fix to address this vulnerability. Users are advised to monitor for security updates to protect their systems.

7. XWorm Becomes Most Active RAT with New Stagers

XWorm has become the most active remote access trojan (RAT) in recent campaigns, leveraging new stager payloads for stealthy deployment. The malware is being used to steal credentials, monitor user activity, and deploy additional tools in compromised environments. Its modular design allows threat actors to adapt tactics based on victim environments. Security experts recommend monitoring for XWorm indicators of compromise in enterprise networks.

8. Threat Actors Abusing AV and EDR Evasion Frameworks

Researchers have observed threat actors widely abusing security evasion frameworks designed to bypass antivirus (AV) and endpoint detection and response (EDR) solutions. These frameworks allow attackers to package and deliver malware without triggering security alerts. The increasing use of such tools lowers the barrier for less sophisticated attackers to conduct successful intrusions. Organizations are urged to implement behavioral detection techniques to counter these threats.

9. Hackers Exploit Legitimate Inno Setup Installer for Malware Delivery

Cybercriminals are exploiting the Inno Setup installer, a legitimate software packaging tool, to deliver malware. By embedding malicious payloads within seemingly legitimate installers, attackers evade detection and gain initial access to victim systems. Security experts warn that such attacks often bypass antivirus scans due to the trust placed in known installer frameworks. Users should verify software sources before installation to mitigate these risks.

10. Taiwan NSB Alerts Public on Data Risks from Chinese Apps

Taiwan’s National Security Bureau (NSB) has issued a public alert warning about data security risks posed by Chinese-developed applications. Officials highlight that apps developed in China may collect sensitive personal data accessible by Chinese authorities under national security laws. The NSB urges citizens to avoid installing such apps to protect personal and national security. This warning comes amid rising geopolitical tensions in the region.
