February 03 2025 Cyber Threat Intelligence Briefing

Feb 3, 2025

This week’s briefing covers:

00:00 – Intro and Situational Awareness

KTA080 (CL0P) Update
Around January 28, 2025, KTA080 (CL0P) updated its data leak site with a new victim list of approximately 49 organizations. The organizations are likely those from the previously redacted list reported in earlier listings and are possibly associated with the Cleo zero-day vulnerability, but this cannot be confirmed since the group does not state it in its post.

DeepSeek AI
On January 20, 2025, Chinese AI company DeepSeek released a new generative AI model named DeepSeek-R1, which was trained using innovative strategies for improving its performance. Concerns have been raised regarding the accuracy of the training details provided by DeepSeek, as well as security risks and censorship of the model's outputs.

3:07 – Proof of Concept Exploit Released for Fortinet RCE Vulnerability (CVE-2024-55591)
Key Takeaways

  • A proof of concept (POC) exploit for CVE-2024-55591 has been released by watchTowr.
  • The POC is available on GitHub.
  • Kroll Threat Intelligence (TI) expects that this POC will soon be weaponized and used to attack FortiOS devices in the near term. Ensuring that devices are patched is critical.

4:48 – ESXi Used for C2 Tunnelling
Key Takeaways

  • Threat actors are using compromised VMware ESXi servers as command and control (C2) traffic gateways.
  • ESXi servers are often targeted in ransomware attacks. This behavior is notable because threat actors are now leveraging them to tunnel C2 SSH traffic and blend into normal activity on the network.

6:11 – Fake CAPTCHA Attack Targets macOS Users
Key Takeaways

  • A novel phishing campaign employs fake CAPTCHA prompts to deliver info stealer malware targeting macOS systems.
  • The malware gathers system information and exfiltrates data using unencrypted protocols.
  • A similar tactic, the "Fake Safeguard Scam" on Telegram, deceives users into providing sensitive information under the guise of security verification.
  • Users are advised to exercise caution when encountering unexpected prompts or messages requesting personal information and to implement security best practices to mitigate such threats.

4:46 – Malware Spotlight: PNGPLUG

  • A new loader named PNGPlug has been seen delivering ValleyRAT in attacks suspected to be performed by KTA405 (aka “Silver Fox”).

Ransomware Roundup

9:13 – LYNX Structured Operations
The LYNX ransomware group has been identified as having a structured and organized platform as well as an affiliate program. Researchers were able to gain access to the platform and affiliate panel to ascertain how the group is organized.

Dive deeper:

Kroll’s Monthly Threat Intelligence Spotlight Report: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports/cti-spotlight-trends-report

Kroll’s Q2 2024 Threat Landscape Report: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports/q2-2024-threat-landscape-report-threat-actors-ransomware-cloud-risks-accelerate

Playlist of Kroll's Weekly Cyber Threat Intelligence Briefings: Cyber Threat Intelligence Briefings

Kroll Cyber Blog: https://www.kroll.com/en/insights/publications/cyber

Kroll Cyber Threat Intelligence: https://www.kroll.com/en/services/cyber-risk/managed-security/threat-intelligence-services

Kroll Threat Intelligence Reports: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports

Kroll Responder MDR: https://www.kroll.com/en/services/cyber-risk/managed-security/kroll-responder

#krollcyber #threatintelligence #cyberthreats