Welcome to the latest edition of CyberDudeBivash ThreatWire, your trusted source for real-time cyber threat updates. In the last 12 hours, multiple advanced threat campaigns have surfaced across the globe — from critical infrastructure to cloud supply chains. Let’s break down the key incidents with technical insights.
⚠️ [CVE-2025-23847] – MOVEit Zero-Day Re-exploitation Detected
Target: US-based logistics & transportation networks
Severity: Critical (CVSS 9.8)
A previously patched MOVEit Transfer vulnerability is being actively re-exploited in new variants using encoded SQL payloads via multipart file upload.
Technical Analysis:
- Payloads use multipart/form-data with embedded base64-encoded SQL injections.
- Attackers exploit improper input validation in MOVEit’s upload handler to access backend SQL databases.
- Remote unauthenticated RCE achieved via chained logic in file sanitization bypass.
MITRE ATT&CK: T1190 (Exploit Public-Facing Application), T1505.003 (Web Shell)
Defense Tips:
- Apply the updated patch immediately.
- Isolate vulnerable endpoints behind WAF rules.
- Monitor POST requests with encoded payload patterns.
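As an added illustration of the last tip (not code from the MOVEit advisory or from CyberDudeBivash), the Python below scans a multipart/form-data body for base64 runs that decode to text containing SQL keywords, the pattern described in the analysis above. The request bodies, field names and boundary string are constructed samples; the keyword list is an assumption a SOC would tune to its own traffic.

```python
import base64
import re

# A base64-looking run of 16+ characters (optionally padded), and SQL
# keywords that have no business inside an encoded upload field.
BASE64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")
SQL_KEYWORDS = re.compile(
    r"UNION\s+SELECT|SELECT\s+.+?\s+FROM\s|INSERT\s+INTO|DROP\s+TABLE|"
    r"xp_cmdshell|WAITFOR\s+DELAY|'\s*OR\s+'?1'?\s*=\s*'?1",
    re.IGNORECASE | re.DOTALL,
)


def decoded_tokens(body: str):
    """Yield (token, decoded_text) for each base64 run that decodes to UTF-8."""
    for match in BASE64_TOKEN.finditer(body):
        token = match.group(0)
        try:
            padded = token + "=" * (-len(token) % 4)
            text = base64.b64decode(padded, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            continue
        yield token, text


def find_encoded_sql(body: str) -> list:
    """Return the decoded content of every base64 run that contains SQL keywords."""
    return [text for _tok, text in decoded_tokens(body) if SQL_KEYWORDS.search(text)]


def build_multipart(parts: dict, boundary: str = "----sample-boundary-1") -> str:
    """Build a minimal multipart/form-data body from {field_name: value} (constructed sample)."""
    chunks = [
        f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n'
        for name, value in parts.items()
    ]
    return "".join(chunks) + f"--{boundary}--\r\n"


# Constructed sample bodies: a benign upload and one whose "meta" field carries
# a base64-encoded SQL injection string.
INJECTED_SQL = "' UNION SELECT username, password FROM users--"
BENIGN_BODY = build_multipart({"file": "Quarterly shipment manifest, 42 pallets", "note": "ok"})
MALICIOUS_BODY = build_multipart(
    {"file": "manifest.csv contents here",
     "meta": base64.b64encode(INJECTED_SQL.encode()).decode()}
)

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("malicious", MALICIOUS_BODY)):
        hits = find_encoded_sql(body)
        print(f"{label}: {'ALERT ' + repr(hits) if hits else 'clean'}")
```

In a WAF or reverse-proxy hook the same function would run over each inbound POST body before it reaches the upload handler.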
Lazarus Group Targets Korean Banks via SWIFT PDF Phishing
Threat Actor: Lazarus APT (North Korea)
Technique: PDF Embedded Stealer + DLL Sideload
A new wave of phishing PDFs disguised as SWIFT transfer details is weaponized with embedded loaders that sideload DLLs via signed Windows binaries.
Technical Breakdown:
- PDF launches mshta.exe with a remote HTA payload.
- HTA downloads an encrypted DLL (AES-256) posing as a legitimate tax module.
- DLL injects into explorer.exe, harvesting banking tokens & session cookies.
MITRE ATT&CK: T1204 (User Execution), T1055 (Process Injection), T1071 (Application Layer Protocol)
Countermeasures:
- Disable automatic handling of external links in Adobe Reader.
- Use EDRs capable of scriptable behavior analysis (e.g., HTA execution).
- Segment banking infra from standard office endpoints.
EvilProxy Surge – Hijacking Developer GitHub Cookies
Target: Software devs in GitHub & Azure DevOps ecosystems
☠️ Campaign: Session cookie theft post-2FA using EvilProxy
The EvilProxy phishing framework is back — this time targeting devs via fake login pages for GitHub & Azure DevOps to steal OAuth tokens and session cookies, bypassing 2FA.
Analysis:
- Reverse proxy sits between victim and GitHub.
- Steals _octo, user_session, and logged_in cookies post-login.
- Tokens reused to perform Git commits and exfiltrate private repo data.
MITRE ATT&CK: T1556.004 (Credential Phishing with Proxy), T1539 (Steal Web Session Cookie)
Real Impact: One San Francisco-based startup reported source code leaks and CI/CD pipeline tampering due to cookie theft.
What to Do:
- Implement GitHub’s optional OAuth app restrictions.
- Enable browser extension–based cookie protection like SessionShield (stay tuned from CyberDudeBivash!).
- Monitor GitHub OAuth app logs for unusual IP usage.
Bonus: Log4Shell Variant Detected in IoT DVR Systems
Devices: Hikvision & generic DVRs
Exploited Protocol: ONVIF / RTSP
Log4j 2.x instances in some outdated firmware-based DVRs are still vulnerable due to legacy log handlers. Attackers use RTSP stream parameters to inject jndi:ldap:// lookups — leading to RCE on edge surveillance devices.
⚔️ Recommended:
- Disable external RTSP exposure.
- Scan all IP camera firmware for embedded Java libraries.
- Block outbound LDAP/SR protocol requests from edge networks.
Final Words from CyberDudeBivash
In the age of cookie hijacking, MFA bypass, and supply chain compromise, staying reactive isn't enough. Threat anticipation is the real game. Follow CyberDudeBivash ThreatWire for daily red-hot breakdowns that go beyond headlines.
If you're a SOC analyst, dev, or infosec leader, use this intelligence to tune detection rules, educate users, and update asset controls now.
Published on:
https://www.cyberdudebivash.com
CyberDudeBivash ThreatWire on LinkedIn
#cyberdudebivash #ThreatIntel #Cybersecurity #MOVEit #EvilProxy #Lazarus #GitHubSecurity #RedTeam #SOC
