WEEKLY TOP TEN: January 06, 2025, 16:00 GMT
- Brain Cipher Ransomware Gang Leaked Data from Rhode Island’s RIBridges Platform
The ransomware gang Brain Cipher released data belonging to the RIBridges platform, which Rhode Island uses to manage and deliver social assistance programs. The released data contained PII for approximately 650,000 adults and minors.
- New DoubleClickjacking Attack Discovered
Security researcher Paulos Yibelo discovered and demonstrated a new form of clickjacking he calls DoubleClickjacking. The attack exploits the timing of a mouse double-click, or a double-tap on mobile devices, to trick a user into performing a sensitive action such as authorizing an installation or download, connecting an OAuth application, or approving an MFA prompt. It works like a standard clickjacking attack but uses an overlay to get the user to double-click, so that the first click dismisses the overlay and the second lands on the sensitive control underneath; Yibelo’s example is a CAPTCHA prompt that tells the user to double-click an image.
- Salt Typhoon Targets U.S. Treasury Department OFAC
The Chinese state hackers known as ‘Salt Typhoon’ breached the United States Treasury’s Office of Foreign Assets Control (OFAC). The breach came through a third party, BeyondTrust’s remote support SaaS platform. Salt Typhoon accessed text messages, voicemails, and phone calls of targeted individuals, along with wiretap data on those under investigation by U.S. law enforcement.
- Microsoft Issues Warning to .NET Developers
Microsoft warned .NET developers to update, as soon as possible, any apps and pipelines that install .NET components from the ‘azureedge.net’ domain, since that domain will soon be taken down following the bankruptcy and imminent shutdown of CDN provider Edgio. The new domains Microsoft will use for .NET components are ‘builds.dotnet.microsoft.com’ and ‘ci.dot.net’. Microsoft’s Scott Hanselman confirmed that the soon-to-be-deprecated domains will remain under Microsoft’s ownership, preventing their reuse by malicious actors.
- ‘Ficora’ and ‘Capsaicin’ Botnets Target D-Link Routers
The ‘Ficora’ and ‘Capsaicin’ botnets have stepped up attacks against D-Link routers with known, exploitable vulnerabilities; the exploits observed in use for initial access target CVE-2015-2051, CVE-2019-10891, CVE-2022-37056, and CVE-2024-33112. After gaining initial access, each botnet drops a payload with DDoS capabilities onto the infected device; ‘Capsaicin’ additionally carries information-gathering and exfiltration features used for tracking.
- Active Directory Flaw Can Crash Any Microsoft Server
Security firm SafeBreach released an analysis of two recently patched critical vulnerabilities affecting Microsoft Active Directory Domain Controllers: CVE-2024-49113, a DoS bug, and CVE-2024-49112, an RCE bug. Their analysis showed that, using these bugs, they could crash multiple domain controllers at once as long as the controller had a DNS server connected to the Internet. They said they are unaware of these bugs being exploited in the wild but pointed out that PatchPoint has released exploit code for CVE-2024-49112.
- New macOS Backdoor Discovered
Security researcher Greg Lesnewich discovered a backdoor called SpectralBlur that targets Apple macOS. The malware shows similarities to the KandyKorn family (aka SockRacket), which is attributed to the North Korean state hacking group Lazarus, specifically its sub-group Bluenoroff (aka TA444). The new malware can upload and download files, run a shell, update its configuration, delete files, and hibernate or sleep.
- Misconfigured Kubernetes RBAC in Azure Airflow Exposes Cluster for Exploitation
Cybersecurity researchers discovered three security weaknesses in Microsoft’s Azure Data Factory Apache Airflow integration that would let an attacker exfiltrate data and deploy malware: ‘misconfigured Kubernetes RBAC in the Airflow cluster’, ‘misconfigured secret handling by Azure’s internal Geneva service’, and ‘weak authentication for Geneva’. Using these weaknesses, an attacker could gain initial access by uploading a crafted directed acyclic graph (DAG) file to a private GitHub repository connected to the Airflow cluster, or by altering an existing DAG file.
- Around 3.3 Million Mail Servers Lack TLS Encryption
Researchers at ShadowServer scanned the Internet for hosts running POP3/IMAP services without TLS enabled and reported around 3.3 million POP3 and IMAP mail servers lacking TLS encryption. Without encryption, these servers are exposed to network sniffing, which would let an attacker intercept the passwords used to access the mail service.
- Malicious NPM Package Disguised as an Ethereum Tool
Socket security researcher Kirill Boychenko discovered a malicious NPM package disguised as a library for detecting vulnerabilities in Ethereum smart contracts. Upon installation, it retrieves a malicious script from a remote server and silently deploys a Quasar RAT.
Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The ten stories above were selected from the 40+ we judged most significant over the course of the week, ranked by highest risk and drawing on multiple sources where available.