Svoboda Cybersecurity Brief April 22, 2025

Apr 22, 2025

WordPress Ad-Fraud Operation Generates 1.4 Billion Daily Requests

A large-scale ad fraud operation called ‘Scallywag’ uses custom WordPress plugins (Soralink, Yu Idea, WPSafeLink, Droplink) to monetize piracy and URL-shortening sites, generating 1.4 billion fraudulent ad requests per day. The operation was disrupted by HUMAN, reducing its traffic by 95%, but the operators persist by rotating domains.
Source: BleepingComputer

North Korean Kimsuky Exploits BlueKeep RDP Vulnerability

Kimsuky, a North Korean state-sponsored group, exploited CVE-2019-0708 (BlueKeep) and CVE-2017-11882 to breach systems in South Korea and Japan. The attack chain involves phishing, RDP exploitation, and deployment of keyloggers (KimaLogger, RandomQuery) and RDPWrap for persistence.
Impact: Remote code execution, credential theft, and lateral movement.
Mitigation: Patch CVE-2019-0708 and CVE-2017-11882, disable unnecessary RDP access, and monitor for suspicious RDP activity.
Source: The Hacker News

SuperCard X Android Malware Enables NFC Relay Attacks

A new Android malware-as-a-service (MaaS), SuperCard X, facilitates NFC relay attacks to steal payment card data via malicious apps (Verifica Carta, SuperCard X, KingCard NFC). Threat actors use social engineering (smishing, TOAD) to trick victims into installing the malware, which relays card details to attacker-controlled devices.
Impact: Unauthorized ATM/PoS transactions and financial fraud.
Mitigation: Disable NFC for payments when unused, scrutinize app permissions, and enable Google Play Protect.
Source: The Hacker News

Proton66 Bulletproof Hosting Used for Global Attacks

Russian bulletproof hosting provider Proton66 is linked to mass scanning, brute-forcing, and exploitation of recent vulnerabilities (CVE-2025-0108, CVE-2024-41713, CVE-2024-10914, CVE-2024-55591, CVE-2025-24472). The infrastructure also distributes malware like XWorm, StrelaStealer, and WeaXor ransomware.
Impact: Initial access, credential theft, and ransomware deployment.
Mitigation: Block Proton66 CIDR ranges (45.135.232.0/24, 45.140.17.0/24), patch vulnerabilities, and monitor for suspicious traffic.
Source: The Hacker News

Microsoft Hardens Azure After Nation-State Key Theft

Microsoft mitigated a 2023 nation-state breach by migrating all Entra ID and Microsoft Account token-signing keys to hardware security modules (HSMs) and Azure confidential VMs. The company also purged 6.3 million dormant Azure tenants and segmented 4.4 million managed identities.
Impact: Mitigates token-forging attacks like those used by Chinese APTs.
Mitigation: Enable automatic key rotation and enforce phishing-resistant MFA.
Source: SecurityWeek

North Korean Hackers Hijack Zoom Remote Control for Infostealers

North Korean group Elusive Comet repurposes Zoom’s Remote Control feature to deploy infostealers (e.g., RN Loader) on crypto traders’ devices. Attackers pose as podcast hosts, requesting screen control during calls to install malware.
Impact: Data theft (browser sessions, password managers, seed phrases).
Mitigation: Disable Zoom Remote Control in enterprise settings, verify caller identities, and restrict accessibility permissions.
Source: SecurityWeek

Lantronix XPort Vulnerability Exposes Critical Infrastructure

CISA warned of a missing authentication flaw in Lantronix XPort devices, used in energy, water, and transportation systems. Over 1,400 exposed instances were found, including gas station fuel management systems.
Impact: Unauthorized device control and potential safety hazards.
Mitigation: Migrate to XPort Edge or restrict network access to XPort devices.
Source: SecurityWeek

Bot Traffic Surpasses Humans, Driven by AI

51% of internet traffic is bots, with 37% classified as malicious. AI enables polymorphic evasion techniques, scaling attacks like API scraping (31%) and payment fraud (26%). ByteSpider Bot (54% of AI attacks) mimics legitimate crawlers.
Impact: Increased ATO, data theft, and fraud.
Mitigation: Deploy advanced bot detection, rate limiting, and API security controls.
Source: SecurityWeek
