Author: Cybernoz

Life, Friendship, and Ambition | Daniel Miessler
22
Apr
2025

Life, Friendship, and Ambition | Daniel Miessler

They say you are a composite of your closest friends, and given my ambition I often grapple with a balance…

Malicious npm Packages Target Linux Developers with SSH Backdoor Attacks
22
Apr
2025

Malicious npm Packages Target Linux Developers with SSH Backdoor Attacks

In a sophisticated onslaught targeting the open-source ecosystem, reports have emerged detailing several malicious npm packages that are nefariously exploiting…

Threat actors are exploiting bulletproof hosting service Proton66 for malicious activities, including campaigns from SuperBlack ransomware operators, Android malware distribution via hacked WordPress, targeted attacks using XWorm and Strela Stealer, and potential connections to Chang Way Technologies. Cybersecurity experts at Trustwave's SpiderLabs have discovered an increase in malicious online activities originating from a Russian "bulletproof" hosting provider known as Proton66. These services, often favoured by cybercriminals due to their relaxed policies, have been linked to a wave of attacks targeting organizations worldwide since January 8, 2025. Researchers have detailed their findings in a two-part series. The first part highlights a major increase in "mass scanning, credential brute-forcing, and exploitation attempts" coming from Proton66's network (ASN 198953). This means attackers were actively probing for weaknesses in systems and trying to guess login details on a large scale. SpiderLabs has also noticed an increase in scanning and exploiting traffic from Proton66's network from January 8, 2025, with a sharp decline in February. The attacks targeted specific network blocks, the most active being 45.135.232.0/24 and 45.140.17.0/24, while some had been inactive for a significant period, with the last reported malicious activity dating back to July and November 2021. Traffic Volume Analysis (Source: SpiderLabs) Notably, the address 193.143.1.65, was observed connected to the operators of a new ransomware strain called SuperBlack, and its operators were distributing "some of the latest critical priority exploits,” researchers noted in the blog post. The second part discusses malware campaigns linked to Proton66, including compromised WordPress websites redirecting Android users to fake Google Play Store pages likely to steal their information or install malicious apps. The domain naming conventions used suggest targets speaking English ("us-playmarket.com"), French ("playstors-france.com"), Spanish ("updatestore-spain.com"), and Greek ("playstors-gr.com"). SpiderLabs also discovered operators deploying Strela Stealer, an information-stealing tool that extracts email login credentials from targeted systems, between January and February 2025. Another campaign involved XWorm malware targeting users of Korean-speaking chat rooms. Additionally, connections to WeaXor ransomware, a modified version of Mallox that encrypts files and demands a ransom for recovery, were detected. At the time of the report, the WeaXor group was asking for "$2,000, transferred in BTC or USDT." Sample Ransom Note (Source: SpiderLabs) Interestingly, SpiderLabs' investigation reveals a potential rebranding or connection between Proton66 and Hong Kong-based company, Chang Way Technologies Co. Limited. In November 2024, security firm Intrinsec linked Proton66 and PROSPERO to bulletproof hosting services advertised on underground forums as UNDERGROUND and BEARHOST. SpiderLabs’s investigation revealed that while the Russian control panel for UNDERGROUND/BEARHOST customers remained at my.31337.ru, the my.31337.hk page was updated with a "CHANGWAY / HOSTWAY" theme. Still, technical connections between the infrastructures remained, suggesting an underlying link. Technology and financial organizations are the prime targets of this campaign. However, the SuperBlack ransomware group preferred targeting non-profit, engineering, and financial sectors. Research by Forescout linked this IP address to the Mora_001 threat actor who exploited vulnerabilities in Fortinet FortiOS devices, leading to the deployment of the SuperBlack ransomware. It is worth noting that hackers have exploited vulnerabilities in Palo Alto Networks' PAN-OS software (CVE-2025-0108), Mitel MiCollab (CVE-2024-41713), and D-Link NAS devices (CVE-2024-10914). D-Link has announced that the affected devices have reached their end-of-life, therefore, no security updates will be provided. Nevertheless, researchers strongly recommend that organizations block all the internet address ranges associated with both Proton66 and Chang Way Technologies to protect themselves from potential compromise. Trey Ford, Chief Information Security Officer at Bugcrowd, a San Francisco, Calif.-based leader in crowdsourced cybersecurity, commented on the development, stating that while IPs aren’t reliable indicators of threat actors, since changing scan sources is cheap, patterns like consistent brute-force attempts still matter. “It’s a reminder to monitor login velocity, harden exposed services, and make attacks costly for low-effort actors,” he said.
22
Apr
2025

Russian Host Proton66 Tied to SuperBlack and WeaXor Ransomware

Threat actors are exploiting bulletproof hosting service Proton66 for malicious activities, including campaigns from SuperBlack ransomware operators, Android malware distribution…

PoC exploit for critical Erlang/OTP SSH bug is public (CVE-2025-32433)
22
Apr
2025

PoC exploit for critical Erlang/OTP SSH bug is public (CVE-2025-32433)

There are now several public proof-of-concept (PoC) exploits for a maximum-severity vulnerability in the Erlang/OTP SSH server (CVE-2025-32433) unveiled last…

Phishers Exploit Google Sites and DKIM Replay
22
Apr
2025

Phishers Exploit Google Sites and DKIM Replay to Send Signed Emails, Steal Credentials

In what has been described as an “extremely sophisticated phishing attack,” threat actors have leveraged an uncommon approach that allowed…

3-Phased Information Processing: The IT Meta-skill
22
Apr
2025

3-Phased Information Processing: The IT Meta-skill

Having worked in IT for a good bit of time I have thought a lot about various information technology skillsets…

Latest Lumma InfoStealer Variant Found Using Code Flow Obfuscation
22
Apr
2025

Latest Lumma InfoStealer Variant Found Using Code Flow Obfuscation

Researchers have uncovered a sophisticated new variant of the notorious Lumma InfoStealer malware, employing advanced code flow obfuscation techniques to…

Entra ID Users Locked Out After MACE App Flags Legitimate Accounts
22
Apr
2025

Microsoft Entra ID Lockouts After MACE App Flags Legit Users

Was your Microsoft Entra ID account locked? Find out about the recent widespread lockouts caused by the new MACE Credential…

5 Major Concerns With Employees Using The Browser
22
Apr
2025

5 Major Concerns With Employees Using The Browser

As SaaS and cloud-native work reshape the enterprise, the web browser has emerged as the new endpoint. However, unlike endpoints,…

A Brilliant Commercial Sadly Misunderstood
22
Apr
2025

A Brilliant Commercial Sadly Misunderstood

Few terms are so misused as “racist”. People use it to describe everything from Jim Crow to fashion magazines with…

New Rust-Based Botnet Hijacks Routers to Inject Remote Commands
22
Apr
2025

New Rust-Based Botnet Hijacks Routers to Inject Remote Commands

A new malware named “RustoBot” has been discovered exploiting vulnerabilities in various router models to gain unauthorized access and initiate…

AI Ethics, Cybersecurity and Finance: Navigating the Intersection
22
Apr
2025

AI Ethics, Cybersecurity and Finance: Navigating the Intersection

Artificial intelligence is transforming industries, but its adoption also raises ethical and cybersecurity concerns, especially in the regulated financial sector….