Threat Alerts

Lately, a novel Adversary-in-the-Middle (AiTM) phishing kit named “Sneaky 2FA” emerged, targeting Microsoft 365 accounts through phishing-as-a-service (PhaaS) operations. Distributed by the “Sneaky Log” service on Telegram, this kit employs sophisticated methods to bypass multi-factor authentication (MFA), leveraging compromised infrastructure and customized phishing pages. Its rapid adoption by cybercriminals highlights the evolving threat landscape, where attackers increasingly seek advanced, cost-effective tools to conduct credential theft and Business Email Compromise (BEC) attacks.

The Sneaky 2FA phishing kit automates the harvesting of credentials and session cookies through phishing pages that mimic Microsoft login portals. Using URL parameters, these pages autofill victims’ email addresses, streamlining the attack process. Anti-bot measures like Cloudflare Turnstile and obfuscated HTML and JavaScript code ensure evasion from security scans and analysis tools.

Upon luring a victim to interact with the phishing page, the credentials and MFA details are forwarded to the attacker’s server, which authenticates with Microsoft 365 APIs directly. This process mimics legitimate user activity but introduces anomalies, such as inconsistent User-Agent strings, which can be leveraged for detection.

Operated via Telegram, Sneaky Log offers a subscription-based model, granting customers access to the phishing kit and support through automated bots. It integrates cryptocurrency-based payment systems with obfuscation techniques, complicating transaction tracking. By adopting methods from older phishing kits like W3LL OV6, Sneaky 2FA represents a blend of innovation and code reuse. Its moderate but growing adoption underscores the need for vigilant monitoring of AiTM phishing kits, as attackers exploit these tools to bypass MFA protections and compromise sensitive accounts.

A sophisticated cyber campaign has been detected, targeting Fortinet FortiGate firewall devices, posing a security threat. By exploiting vulnerabilities to access the firewalls’ management interfaces, the attackers were able to make unauthorized configuration changes and exfiltrate credentials, potentially leading to further intrusions and data breaches.

While the details of the vulnerability exploited in this campaign are not yet disclosed, the pattern of exploitation suggests the likelihood of an unknown zero-day vulnerability being abused.

The methodical of the campaign becomes apparent as it is separated into four phases. Initially, the attackers conducted scans for exploitable entry points, using jsconsole sessions from non-standard IP addresses to potentially leverage a zero-day vulnerability within a constricted timeframe.

Next, the attackers move on to the reconnaissance phase, modifying configurations to solidify their presence. As the campaign advanced, the attackers methodically orchestrated SSL VPN configurations, creating new pathways into the network. This is achieved through both fabricated and compromised user accounts. In addition, they established VPN tunnels from IP addresses associated with VPS hosting providers, further entrenching their access and raising the stakes of the intrusion.

Microsoft’s January 2025 security update addresses a staggering 161 vulnerabilities, including three zero-day flaws that have been actively exploited in the wild. Among the updates, 11 vulnerabilities are rated as Critical, while 149 are deemed Important.

The three actively exploited zero-day vulnerabilities are associated with Windows Hyper-V NT Kernel Integration VSP. These include CVE-2025-21333, CVE-2025-21334, and CVE-2025-21335, all carrying a CVSS score of 7.8. These flaws allow attackers to escalate privileges to SYSTEM level, making them particularly valuable in post-compromise scenarios to gain further control over compromised systems.

The update is also notable for addressing five Critical severity flaws. These include CVE-2025-21294 and CVE-2025-21295, both with a CVSS score of 8.1, which are remote code execution vulnerabilities in Microsoft Digest Authentication and the SPNEGO Extended Negotiation (NEGOEX) Security Mechanism, respectively. Additionally, CVE-2025-21298, CVE-2025-21307, and CVE-2025-21311, each with a CVSS score of 9.8, were patched. These vulnerabilities affect Windows Object Linking and Embedding (OLE), the Reliable Multicast Transport Driver (RMCAST), and NTLM V1, enabling remote code execution and elevation of privilege.

SAP has released patches to address two critical vulnerabilities in its NetWeaver application server, both carrying a CVSS score of 9.9. These vulnerabilities—CVE-2025-0070 and CVE-2025-0066—pose significant risks, including privilege escalation and unauthorized data access. CVE-2025-0070 stems from weak authentication checks in the ABAP platform, enabling attackers to escalate their privileges. On the other hand, CVE-2025-0066 allows unauthorized access to sensitive data by exploiting weak access controls in the Internet Communication Framework, jeopardizing the system’s privacy, reliability, and functionality.

Additional high-severity vulnerabilities were also patched, including CVE-2025-0063 (CVSS 8.8) and CVE-2025-0061 (CVSS 8.3). CVE-2025-0063 is an SQL injection flaw in the ABAP platform, which could enable attackers to compromise the Informix database and gain unauthorized access. Meanwhile, CVE-2025-0061 affects the BusinessObjects BI platform, allowing attackers to exploit flaws in session management and information disclosure to hijack sessions and modify application data, putting sensitive information at risk.

With SAP playing a pivotal role in managing critical business operations across various industries, unpatched systems could expose organizations to privilege escalation, data breaches, and significant operational disruptions.

A Python-based backdoor was recently identified by security researchers as a critical tool employed by ransomware affiliates to establish persistence and deploy encryptors across compromised networks. The malware demonstrates the use of advanced techniques like obfuscation and AI-assisted coding to evade detection. Its integration with known malware campaigns highlights its role as a second-stage payload in sophisticated, multi-phase attacks.

The attack begins with initial access achieved via SocGholish (FakeUpdate), a widely recognized malware. Within minutes of infection, the Python backdoor is deployed, utilizing obfuscated code to maintain stealth and persistence through scheduled tasks. The malware facilitates lateral movement via remote desktop protocols, dropping additional payloads on other systems. Functionally, it acts as a reverse proxy, creating a SOCKS5-like tunnel to hardcoded command-and-control (C&C) servers, enabling attackers to pivot within the network while bypassing security controls. Analysis of the backdoor’s code reveals AI-assisted development features, including polished structures, highly descriptive methods, and extensive error handling, which indicate an advanced approach aimed at scalability and operational efficiency.

Network traffic analysis revealed the use of tunneled connections to establish and maintain C&C communication. The malware’s behavior, including proxied traffic consistent with SOCKS5 tunneling, aligns with its role in enabling ransomware affiliates to maintain stealth and flexibility during operations.

Security researchers have identified six vulnerabilities in the widely used Rsync file synchronization tool for Unix systems. Some of these flaws could allow attackers to execute arbitrary code on a client and attackers controlling a malicious server can read and write arbitrary files on connected clients. Sensitive data, including SSH keys, may be exfiltrated, and malicious code could be executed.

The multiple vulnerabilities in Rsync, including one critical severity flaw. CVE-2024-12084 (CVSS score 9.8), is a heap-buffer overflow vulnerability caused by improper handling of checksum lengths, which can result in arbitrary code execution. Additionally, CVE-2024-12085 (CVSS score: 7.5) is an information disclosure vulnerability that allows leaking uninitialized stack contents.

Other vulnerabilities patched include CVE-2024-12086 (CVSS score: 6.1), which enables an Rsync server to leak arbitrary files from clients, and CVE-2024-12087 (CVSS score: 6.5), a path traversal flaw affecting the –inc-recursive option. CVE-2024-12088 (CVSS score: 6.5), involves a bypass of the –safe-links option that results in a path traversal vulnerability. Finally, CVE-2024-12747 (CVSS score: 5.6) is a symbolic-link race condition that may lead to privilege escalation.