Chinese Hackers Exploit Visual Studio Code Tunnels for Persistent Access
In Operation Digital Eye, a China-linked intrusion set used Visual Studio Code (VSCode) remote tunnels to keep persistent access to compromised hosts at IT service providers in Southern Europe. Initial access came through SQL injection, followed by a PHP-based webshell, lateral movement over Remote Desktop Protocol (RDP), and credential theft with a custom build of Mimikatz. The attackers then installed a legitimate copy of VSCode and ran it with tunnel parameters, turning a Microsoft-signed executable into a backdoor: because the binary is signed and the tunnel traffic is relayed through Microsoft Azure infrastructure, security tooling did not flag the activity, and the operators kept remote access during working hours. Researchers advise monitoring VSCode processes for tunnel-related command lines, restricting tunnel usage where it is not needed, inspecting Windows services for unexpected deployments of ‘code.exe’, and alerting on unusual outbound traffic to domains under *.devtunnels.ms, since those signals are what distinguish this abuse from ordinary developer use.
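The two hunts the researchers recommend (services that launch code.exe in tunnel mode, and hosts resolving the tunnel relay domains) can be turned into a small check. The following is an added example, not code from the Operation Digital Eye report or from Microsoft; it runs over constructed sample records, and the record layouts, the tunnel command-line shape and the tunnels.api.visualstudio.com domain are assumptions to adapt to your own telemetry.

```python
"""Hunt for VSCode tunnel persistence in host and DNS telemetry.

Added example, not code from the Operation Digital Eye report. The service
records and the DNS log below are constructed; the 'tunnel' command-line
shape and the tunnel API domain are assumptions.
"""
import re

# *.devtunnels.ms is the relay domain named by the researchers; the tunnel API
# domain is an assumption taken from Microsoft's dev tunnels documentation.
TUNNEL_DOMAINS = ("devtunnels.ms", "tunnels.api.visualstudio.com")

# Constructed sample: (service name, binary path, full command line).
SAMPLE_SERVICES = [
    ("Spooler", r"C:\Windows\System32\spoolsv.exe", "spoolsv.exe"),
    ("VSCodeTunnel", r"C:\Program Files\Microsoft VS Code\code.exe",
     r'"C:\Program Files\Microsoft VS Code\code.exe" tunnel service internal-run'),
    ("Updater", r"C:\Users\Public\code.exe",
     r"C:\Users\Public\code.exe tunnel --accept-server-license-terms"),
    ("wuauserv", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
]

# Constructed sample DNS log: "<timestamp> <client IP> <queried name>".
SAMPLE_DNS_LOG = """\
2024-12-10T08:01:12Z 10.0.5.21 login.microsoftonline.com
2024-12-10T08:02:40Z 10.0.5.21 global.rel.tunnels.api.visualstudio.com
2024-12-10T08:03:03Z 10.0.5.21 abcd1234-8080.euw.devtunnels.ms
2024-12-10T09:15:55Z 10.0.7.14 update.code.visualstudio.com
2024-12-10T09:16:02Z 10.0.7.14 marketplace.visualstudio.com
"""


def suspicious_tunnel_services(services):
    """Services whose binary is code.exe started with the 'tunnel' subcommand.

    A signed code.exe is not suspicious on its own; the tunnel subcommand
    running as a service is what makes it a persistent remote-access channel.
    """
    hits = []
    for name, image, cmdline in services:
        if image.lower().endswith("code.exe") and re.search(r"\btunnel\b", cmdline, re.I):
            hits.append(name)
    return hits


def tunnel_dns_clients(dns_log):
    """Map each client IP to the tunnel relay names it resolved."""
    clients = {}
    for line in dns_log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of aborting the hunt
        _, client, qname = parts
        q = qname.lower().rstrip(".")
        if any(q == d or q.endswith("." + d) for d in TUNNEL_DOMAINS):
            clients.setdefault(client, set()).add(q)
    return clients


def hunt(services=SAMPLE_SERVICES, dns_log=SAMPLE_DNS_LOG):
    """Combine both signals into one report a responder can act on."""
    return {
        "tunnel_services": suspicious_tunnel_services(services),
        "tunnel_dns_clients": {c: sorted(n) for c, n in tunnel_dns_clients(dns_log).items()},
    }


if __name__ == "__main__":
    print(hunt())
```

Hosts that appear in both lists (a code.exe tunnel service and relay-domain lookups) are the ones to isolate first; a single lookup of the tunnel API from a developer workstation may be legitimate, so the service check is the stronger of the two signals.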
New Cleo Zero-Day Exploit Leads to Data Theft Attacks
Attackers are actively exploiting a zero-day vulnerability in Cleo’s managed file transfer products LexiCom, VLTrader, and Harmony to steal data. The flaw bypasses the fix for the previously patched CVE-2024-50623 and allows unrestricted file uploads that lead to remote code execution. Much as in earlier Clop ransomware campaigns against file transfer software, the attackers write malicious files into Cleo directories, where they trigger PowerShell commands that give the intruders remote access. They then exfiltrate sensitive data and try to cover their tracks by wiping logs and the dropped files. Observed exploitation has hit organisations in the United States, Canada, and Europe, notably in the consumer products and logistics sectors. Security experts recommend moving Cleo systems behind a firewall so they are not reachable from the internet, checking Cleo directories for unexpected TXT and XML files, and disabling the autorun feature. With a patch still under development, these mitigations are the only immediate protection against further breaches and the growing risk of data theft by ransomware groups.
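The "check for suspicious TXT and XML files" advice can be made concrete with a scan of the directories Cleo executes files from. The following is an added example, not Cleo’s code or the researchers’ tooling: it builds a throwaway directory from constructed files and scans it, and the file names, contents and the command markers it searches for are assumptions.

```python
"""Check a Cleo-style autorun directory for dropped files that would run commands.

Added example, not Cleo code. The directory and its files are constructed in a
temp folder; the command markers are an assumption about what a dropped
launcher looks like, not a published indicator.
"""
import os
import re
import shutil
import tempfile

# Substrings that mean a file is trying to execute something rather than describe a transfer.
COMMAND_MARKERS = re.compile(r"powershell|cmd\.exe|-enc\b|FromBase64String|Invoke-Expression", re.I)
# The advisory points at TXT and XML files, so only those are inspected.
WATCHED_EXTENSIONS = {".txt", ".xml"}

# Constructed contents: one benign XML, one dropped launcher, one file of an unwatched type.
SAMPLE_FILES = {
    "healthcheck.xml": "<Settings><Interval>60</Interval></Settings>\n",
    "main.txt": "<Main>\n  <Cmd>powershell -nop -w hidden -enc AAAA</Cmd>\n</Main>\n",
    "notes.log": "powershell is mentioned here, but .log files are not inspected\n",
}


def build_sample_dir():
    """Create a temp directory populated with SAMPLE_FILES and return its path."""
    root = tempfile.mkdtemp(prefix="cleo-autorun-")
    for name, body in SAMPLE_FILES.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def scan_autorun_dir(path):
    """Return (filename, first matched marker) for each TXT/XML file carrying a command marker."""
    findings = []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            continue
        if os.path.splitext(name)[1].lower() not in WATCHED_EXTENSIONS:
            continue
        # errors="replace" keeps the scan going on files with odd encodings.
        with open(full, "r", encoding="utf-8", errors="replace") as fh:
            match = COMMAND_MARKERS.search(fh.read())
        if match:
            findings.append((name, match.group(0)))
    return findings


def sample_findings():
    """Build the constructed directory, scan it, and clean up."""
    root = build_sample_dir()
    try:
        return scan_autorun_dir(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(sample_findings())
```

Point scan_autorun_dir at the real Cleo directories and treat any hit as an incident: a legitimate transfer definition has no reason to spawn PowerShell, and the attackers are reported to delete their files afterwards, so a clean scan today does not rule out earlier execution.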
Senator Wyden Proposes Bill to Strengthen Telecom Security After Salt Typhoon Hacks
U.S. Senator Ron Wyden introduced the Secure American Communications Act to address the weaknesses exploited by the Chinese state-sponsored group known as Salt Typhoon in recent telecom breaches. The bill would direct the FCC to enforce binding cybersecurity rules for telecom carriers, requiring annual system testing, timely patching, and independent third-party audits that document compliance and corrective measures. Wyden criticised the previous hands-off approach, arguing that foreign hackers got into American networks because the carriers were allowed to set their own weak security standards.
The Salt Typhoon group, active since 2019 and also tracked as Ghost Emperor or FamousSparrow, allegedly had access to major carriers, including T-Mobile and Verizon, for months. That prolonged access enabled data theft and the interception of internet traffic. While U.S. officials deny that classified communications were compromised, the FCC and CISA are urging telecoms to harden their systems and advising Americans to use end-to-end encrypted messaging apps. Wyden’s bill seeks to close these gaps and safeguard national communications infrastructure.
Lynx Ransomware Behind Electrica Energy Supplier Cyberattack
The Romanian National Cybersecurity Directorate (DNSC) has identified the Lynx ransomware gang as responsible for the recent breach of Electrica Group, a major electricity provider serving over 3.8 million customers across Muntenia and Transylvania. The attack, carried out under a ransomware-as-a-service (RaaS) model, hit Electrica’s IT systems but left the SCADA systems that run the grid unaffected.
Lynx ransomware, active since July 2024, has claimed numerous victims, particularly in the energy, oil, and gas sectors. Its encryptor shares code with that of INC Ransom, a strain whose code was sold on underground forums, which has raised speculation that Lynx is a rebrand intended to escape scrutiny. The DNSC published a YARA rule to help organisations detect compromise and urged victims not to pay the ransom.
As ransomware families like Lynx grow in sophistication, organisations in critical industries are urged to strengthen their defences against RaaS-driven attacks and to keep operational systems segregated from the IT networks these groups typically breach first.
Russian Cyber Spies Exploit Other Hackers to Target Ukraine
The Russian cyber-espionage group Turla, also tracked as Secret Blizzard, is using the infrastructure of other threat actors, such as the operators of the Amadey botnet, to deliver malware to Ukrainian military systems. Buying into malware-as-a-service (MaaS) such as Amadey gives Turla initial access on already infected hosts, onto which it drops reconnaissance tools and its own malware families, Tavdig and KazuarV2.
Amadey, previously used by LockBit ransomware affiliates, is a versatile botnet built to deliver payloads. In Turla’s campaign it runs PowerShell droppers that load Tavdig, a lightweight backdoor used for surveillance and persistence. Tavdig in turn deploys KazuarV2, a more capable backdoor built for data exfiltration and long-term espionage.
By hiding behind MaaS platforms like Amadey, Turla makes its intrusions look like commodity crimeware while it gathers intelligence from military devices, including those connected through Starlink. The pattern points to an evolving sharing, or outright hijacking, of tooling among Russian hacking groups, blurring the line between actors like Turla and LockBit affiliates.
New IOCONTROL Malware Targets Critical Infrastructure Systems
Iranian threat actors linked to the CyberAv3ngers group are deploying a modular malware family named IOCONTROL to compromise IoT and OT/SCADA devices in critical infrastructure across Israel and the U.S. The malware targets routers, PLCs, HMIs, IP cameras, firewalls, and fuel management systems, including devices from D-Link, Hikvision, Unitronics, and Phoenix Contact.
IOCONTROL persists through startup scripts, hides its command-and-control (C2) name resolution behind DNS over HTTPS, and stores its configuration encrypted with AES-256-CBC. Its capabilities include system reconnaissance, command execution, port scanning, and self-deletion to evade detection. For C2 it speaks MQTT over port 8883, the standard MQTT-over-TLS port, so its traffic blends into legitimate IoT telemetry.
The CyberAv3ngers group has claimed responsibility for attacks on gas stations and water treatment facilities, which matches the infections observed. Security researchers emphasise the need for close monitoring of IoT traffic, network hardening, and proactive hunting for the published indicators of compromise (IoCs) to limit the malware’s impact on critical systems.
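Because IOCONTROL uses MQTT on 8883 and DNS over HTTPS precisely so that it looks like normal device traffic, the useful detection is not "8883 is bad" but "this OT device is talking MQTT to something that is not our broker, and resolving names through a public DoH resolver". The following is an added example, not from the Claroty research or the malware’s IoCs; it works on a constructed, simplified flow log, and the OT subnet, the approved broker list and the resolver list are assumptions to replace with your own inventory.

```python
"""Flag IOCONTROL-style C2 behaviour in OT/IoT flow records.

Added example, not from the researchers' IoCs. The flow log is constructed
(one record per line: ts src dst dport dsthost bytes, '-' when no name is
known); the OT segment, approved MQTT brokers and DoH resolver list are
assumptions standing in for a real asset inventory.
"""
import ipaddress

OT_NETWORK = ipaddress.ip_network("10.50.0.0/16")          # assumed OT/IoT segment
APPROVED_MQTT_BROKERS = {"mqtt.plant.internal"}            # assumed allow-list
PUBLIC_DOH_RESOLVERS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

# Constructed sample flows: two OT devices misbehaving, one IT host, one normal OT flow.
SAMPLE_FLOWS = """\
2024-12-11T02:10:05Z 10.50.3.12 10.50.0.5 8883 mqtt.plant.internal 2210
2024-12-11T02:11:19Z 10.50.3.12 8.8.8.8 443 dns.google 640
2024-12-11T02:11:20Z 10.50.3.12 203.0.113.44 8883 - 5120
2024-12-11T02:15:00Z 10.50.9.77 1.1.1.1 443 cloudflare-dns.com 580
2024-12-11T02:16:41Z 10.50.9.77 198.51.100.9 8883 - 3900
2024-12-11T02:20:13Z 10.10.1.5 203.0.113.44 8883 - 900
2024-12-11T02:22:02Z 10.50.3.12 10.50.0.8 443 hmi.plant.internal 1500
"""


def parse_flows(text):
    """Parse the constructed flow format into dicts with typed fields."""
    rows = []
    for line in text.splitlines():
        ts, src, dst, dport, host, nbytes = line.split()
        rows.append({"ts": ts, "src": ipaddress.ip_address(src), "dst": dst,
                     "dport": int(dport), "host": host, "bytes": int(nbytes)})
    return rows


def rogue_mqtt(flows):
    """OT hosts speaking MQTT/TLS (8883) to anything but the approved brokers."""
    return sorted({(str(f["src"]), f["dst"]) for f in flows
                   if f["src"] in OT_NETWORK and f["dport"] == 8883
                   and f["host"] not in APPROVED_MQTT_BROKERS})


def doh_from_ot(flows):
    """OT hosts using public DoH resolvers, which bypasses the local DNS you log."""
    return sorted({(str(f["src"]), f["host"]) for f in flows
                   if f["src"] in OT_NETWORK and f["dport"] == 443
                   and f["host"] in PUBLIC_DOH_RESOLVERS})


def correlated_suspects(flows):
    """Devices showing both behaviours; the combination is the strongest signal."""
    mqtt_hosts = {src for src, _ in rogue_mqtt(flows)}
    doh_hosts = {src for src, _ in doh_from_ot(flows)}
    return sorted(mqtt_hosts & doh_hosts)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("rogue MQTT:", rogue_mqtt(flows))
    print("DoH from OT:", doh_from_ot(flows))
    print("correlated:", correlated_suspects(flows))
```

The IT host 10.10.1.5 talking to the same 8883 destination is deliberately ignored: the point is an allow-list per segment, and OT devices should have a short, known list of brokers and no business with public resolvers at all, so both checks can be enforced as firewall rules as well as alerts.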
Citrix Shares Mitigations for Ongoing NetScaler Password Spray Attacks
Citrix NetScaler devices are facing widespread password spray attacks aimed at harvesting valid credentials for corporate networks. The attempts originate from a large pool of dynamic IP addresses and, beyond the risk of a successful login, the sheer volume of authentication requests overloads the appliances, degrading performance to the point of a denial-of-service condition.
The attackers hit pre-nFactor endpoints, the older authentication URLs, spraying a small set of passwords across generic usernames like “test,” “vpn,” or “finance,” along with email-address patterns and common first names. Citrix’s mitigations are to enforce multi-factor authentication (MFA), to block pre-nFactor endpoints that are not needed, and to configure responder policies that drop authentication requests unless the request’s hostname matches the gateway’s configured FQDN, which discards the bulk of scanner traffic sent to the bare IP address.
Citrix also suggests enabling the web application firewall (WAF) with IP reputation to block addresses with a history of malicious behaviour. Customers using the Gateway Service are unaffected, but on-premises and cloud-hosted deployments should apply these changes to avoid disruption and reduce the risk of a denial of service caused by login floods.
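The distinguishing shape of a spray is many sources, many usernames, and only one or two attempts per source, which is why per-IP lockout does nothing against it. The following is an added example, not Citrix code, that classifies a constructed NetScaler-style authentication log on that basis; the log layout, the legacy endpoint path and the thresholds are assumptions to tune for your deployment.

```python
"""Spot a password-spray campaign in NetScaler-style authentication logs.

Added example, not Citrix code. The log is a constructed simplification
(ts src_ip username path result); the legacy endpoint path and the
thresholds are assumptions, not values from Citrix's advisory.
"""
from collections import defaultdict

# Generic usernames named in the advisory plus two common ones (assumed).
GENERIC_USERNAMES = {"test", "vpn", "finance", "admin", "guest"}
LEGACY_AUTH_PATHS = {"/cgi/login"}      # assumed pre-nFactor endpoint
MIN_SOURCES = 3                          # distinct failing IPs before we call it a spray
MIN_USERS = 4                            # distinct usernames tried
MAX_ATTEMPTS_PER_SOURCE = 3              # above this it looks like brute force, not spray

# Constructed log: a spray from seven IPs against the legacy endpoint, plus one
# real user who mistypes a password on the nFactor endpoint and then succeeds.
SAMPLE_LOG = """\
2024-12-10T10:00:01Z 203.0.113.10 test /cgi/login FAIL
2024-12-10T10:00:02Z 203.0.113.11 vpn /cgi/login FAIL
2024-12-10T10:00:02Z 203.0.113.12 finance /cgi/login FAIL
2024-12-10T10:00:03Z 203.0.113.13 john.smith /cgi/login FAIL
2024-12-10T10:00:04Z 203.0.113.14 mary /cgi/login FAIL
2024-12-10T10:00:05Z 203.0.113.15 john.smith /cgi/login FAIL
2024-12-10T10:00:06Z 203.0.113.16 test /cgi/login FAIL
2024-12-10T10:00:30Z 198.51.100.7 alice.jones /nf/auth/doAuthentication.do FAIL
2024-12-10T10:00:45Z 198.51.100.7 alice.jones /nf/auth/doAuthentication.do SUCCESS
"""


def parse_log(text):
    rows = []
    for line in text.splitlines():
        ts, src, user, path, result = line.split()
        rows.append({"ts": ts, "src": src, "user": user.lower(), "path": path, "result": result})
    return rows


def spray_summary(rows):
    """Aggregate failures by source and by username."""
    fails = [r for r in rows if r["result"] == "FAIL"]
    srcs_per_user = defaultdict(set)
    attempts_per_src = defaultdict(int)
    for r in fails:
        srcs_per_user[r["user"]].add(r["src"])
        attempts_per_src[r["src"]] += 1
    return {
        "failed_sources": len(attempts_per_src),
        "failed_users": len(srcs_per_user),
        "max_attempts_per_source": max(attempts_per_src.values(), default=0),
        "generic_users_hit": sorted(u for u in srcs_per_user if u in GENERIC_USERNAMES),
        "legacy_endpoint_fails": sum(1 for r in fails if r["path"] in LEGACY_AUTH_PATHS),
        "multi_source_users": sorted(u for u, s in srcs_per_user.items() if len(s) > 1),
    }


def is_password_spray(summary):
    """Wide and shallow: many sources, many users, few attempts each, on the old endpoint."""
    return (summary["failed_sources"] >= MIN_SOURCES
            and summary["failed_users"] >= MIN_USERS
            and summary["max_attempts_per_source"] <= MAX_ATTEMPTS_PER_SOURCE
            and (bool(summary["generic_users_hit"]) or summary["legacy_endpoint_fails"] > 0))


def legacy_endpoint_sources(rows):
    """IPs that only ever touched the pre-nFactor endpoint: candidates for a block list."""
    paths = defaultdict(set)
    for r in rows:
        paths[r["src"]].add(r["path"])
    return sorted(src for src, p in paths.items() if p and p <= LEGACY_AUTH_PATHS)


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    summary = spray_summary(rows)
    print(summary, "spray:", is_password_spray(summary))
    print("legacy-only sources:", legacy_endpoint_sources(rows))
```

Alice’s single failure is counted but does not tip the classification on its own, and her source never appears in the legacy-only list; that list is the set of addresses a responder policy dropping non-FQDN or pre-nFactor requests would have silenced before they reached the authentication backend.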
Conclusion
In conclusion, the growing volume of password spray attacks underlines the importance of enforcing multi-factor authentication, watching legacy authentication endpoints that attackers prefer, and strengthening network defences. Organisations must act before, not after, a login flood disrupts an appliance or turns into a denial of service against critical infrastructure.
As experts in ransomware recovery and cybersecurity, we provide specialized services such as Ransomware Recovery Services, Ransomware Negotiation Services, and Ransomware Settlement Services. If your business has been affected by a ransomware attack, our team is here to assist you in recovering data and restoring operations efficiently.