Security Community

Security Brief: Phishing Campaigns Use Real-Time Validation for Credential Theft

Who: Threat actors employing advanced phishing techniques, tracked by Cofense and Ontinue. Related activity linked to clusters Storm-1811 and STAC5777.

What: A new tactic dubbed “precision-validating phishing” uses real-time email validation to display fake login pages only to verified, high-value email accounts. This approach improves success rates and evades detection by security tools. Additional phishing lures use file deletion notices to deliver malware or direct users to bogus Microsoft login pages. In a separate campaign, attackers used Microsoft Teams messages and Quick Assist for remote access and multi-stage compromise.

Impact:

• Credential theft from real, active accounts with higher resale/exploitation value.

• Malware delivery via fake OneDrive installers using ScreenConnect remote access.

• Extended phishing campaign lifespans due to evasion of automated analysis.

• Persistence and remote access achieved using legitimate tools (e.g., TeamViewer, Node.js).

Action Needed:

• Educate users on new phishing tactics and suspicious file deletion lures.

• Disable unused collaboration tools like Quick Assist.

• Monitor for abnormal remote access activity and unauthorized use of tools like TeamViewer.

  
  

Read the full article HERE

Who: A threat actor tracked as Storm-2460 exploited a Windows zero-day (CVE-2025-29824) using the PipeMagic trojan to deploy ransomware. Victims include IT, real estate, financial, software, and retail sectors across the U.S., Venezuela, Spain, and Saudi Arabia.

What: The vulnerability, a privilege escalation flaw in Windows Common Log File System (CLFS), was used to gain SYSTEM privileges. Attackers delivered encrypted ransomware payloads via a malicious MSBuild file and certutil, leveraging compromised third-party sites.

Impact: Systems were compromised to steal credentials (via LSASS dump) and encrypt files with ransomware linked to the RansomEXX family. Windows 11 version 24H2 is not affected. Microsoft has patched the flaw and urges immediate updates.

Action Needed:

• Apply April 2025 Patch Tuesday updates.

• Monitor for PipeMagic and related activity.

• Restrict certutil use and implement credential protection strategies.

Read the full article HERE

Who: A Breach Forums user, “rose87168,” claims to have stolen six million records from Oracle Cloud’s SSO and LDAP services, potentially affecting 140,000 organizations. Oracle denies the breach, but cybersecurity firm CloudSEK suggests a compromised production SSO endpoint may have been exploited.

What: The stolen data allegedly includes encrypted SSO and LDAP passwords, Java Keystore (JKS) files, key files, and enterprise manager JPS keys. The attacker claims they exploited a known Oracle Cloud vulnerability, though no public proof-of-concept (PoC) exists.

Impact: If confirmed, the breach could expose sensitive authentication data, affecting not only the 140,000 listed organizations but also SaaS users relying on Oracle Cloud.

Recommendations:

• Reset and rotate Oracle SSO and LDAP credentials.

• Enforce strong password policies and enable MFA.

• Update Oracle authentication methods, including regenerating SASL/MD5 hashes or migrating to a more secure system.

Read the full article HERE

Who: Threat actors are compromising widely used websites across various industries, embedding a fake CAPTCHA challenge to deliver malware.

What: Victims visiting these compromised sites are presented with a CAPTCHA challenge or redirected to another site with instructions. This process triggers PowerShell code execution, leading to the installation of information-stealing malware. Affected sites include HEP2go (a physical therapy video site) and several auto dealership websites.

Impact: Users who interact with the fake CAPTCHA risk having their systems compromised by malware that can steal sensitive information. Arctic Wolf has implemented detections for this attack and urges users to remain cautious.

Recommendations:

• Avoid websites with suspicious CAPTCHA challenges. If a CAPTCHA asks you to copy and paste a command into the Windows Run dialog, the site is likely compromised.

• Install Arctic Wolf Agent & Sysmon to detect post-compromise activity (visit link below for details).

• Implement security awareness training to help users recognize and report suspicious activity.

Read the full article HERE

Who

Cybercriminals are leveraging a new AI-powered tool, OpenAI Operator, to automate credential stuffing attacks at scale. This innovation makes it easier for attackers to exploit stolen credentials across multiple web applications.

What

Credential stuffing, already a leading attack vector, is becoming more dangerous with AI-driven automation. Operator, a "Computer-Using Agent" (CUA), interacts with websites like a human, bypassing traditional automation defenses. Unlike past tools, it requires no custom coding, making attacks scalable and accessible to low-skilled hackers.

Impact

This advancement significantly lowers the barrier to large-scale credential attacks, increasing the risk of systemic breaches. Organizations relying on traditional defenses like CAPTCHA and rate limiting may find them less effective. To mitigate risks, businesses must proactively secure identities, enforce MFA, and monitor for compromised credentials before attackers exploit them.

Read the full article HERE