CyberDudeBivash Breaking Threat Intel



1) FireWood Linux Backdoor — new variant with stealthier startup + targeted exfil

What happened: Intezer reports a fresh FireWood build (a Linux RAT tied to the long-running “Project Wood”) that refactors its init flow, simplifies C2 into a tight loop, and expands its exfil/exec commands. IOCs include multiple SHA256 samples. (Intezer)
Why it matters: Focused on persistence and espionage against Linux fleets; uses kernel-module hiding and TEA-based crypto. (Intezer)
Detections / TTPs: Look for unusual reads of /etc/issue with fallback to /etc/issue.net; creation of hidden .kde-root paths; continuous outbound connection retries (failed and successful); kernel module loads (usbdev.ko). (MITRE: T1059, T1071, T1041, T1564.1) (Intezer)
Immediate actions:

  • Block/alert on known hashes; hunt for the listed file paths; monitor LKMs; apply egress controls for suspicious C2. (Intezer)

2) HTTP/2 “MadeYouReset” — new DDoS vector bypassing Rapid Reset mitigations

What happened: Researchers disclosed a protocol-level DoS technique (“MadeYouReset”) that abuses HTTP/2 control-frame handling; multiple implementations/libraries are impacted (e.g., Netty CVE-2025-55163; vendor advisories are rolling out). (CERT Coordination Center, GitHub, SecurityWeek)
Why it matters: Enables massive request floods despite server stream-limit defenses; affects stacks behind countless apps/CDNs. (The Hacker News)
Immediate actions:

  • Patch/mitigate per vendor (Tomcat/Netty/F5/Red Hat guidance); enforce upstream WAF/anti-DDoS; apply rate limits and connection caps; watch for anomalous RST/control-frame patterns. (Red Hat Customer Portal, The Cloudflare Blog)
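The “anomalous RST/control-frame patterns” above are easiest to spot per connection: a reset-driven flood shows up as a glut of RST_STREAM, PRIORITY and WINDOW_UPDATE frames relative to the HEADERS frames that open real requests, whichever side emitted the resets. The following is an added example (not from CERT/CC, Cloudflare or any vendor) that parses raw HTTP/2 frame headers per RFC 9113 and applies that ratio heuristic. The two sample connections are constructed inline; the 2.0 ratio and 20-frame minimum are assumed tuning values, not vendor thresholds.

```python
import struct
from collections import Counter
from typing import Iterator, List, NamedTuple

# Frame type codes from RFC 9113, section 6.
FRAME_TYPES = {0: "DATA", 1: "HEADERS", 2: "PRIORITY", 3: "RST_STREAM", 4: "SETTINGS",
               5: "PUSH_PROMISE", 6: "PING", 7: "GOAWAY", 8: "WINDOW_UPDATE", 9: "CONTINUATION"}
# Stream-level control frames: a reset flood is a glut of these relative to HEADERS.
RESET_TRIGGER_TYPES = {"RST_STREAM", "PRIORITY", "WINDOW_UPDATE"}


class Frame(NamedTuple):
    type: str
    flags: int
    stream_id: int
    payload: bytes


def parse_frames(buf: bytes) -> Iterator[Frame]:
    """Walk back-to-back frames: 24-bit length, 8-bit type, 8-bit flags, R bit + 31-bit stream id."""
    off = 0
    while off + 9 <= len(buf):
        length = int.from_bytes(buf[off:off + 3], "big")
        ftype, flags = buf[off + 3], buf[off + 4]
        stream_id = struct.unpack("!I", buf[off + 5:off + 9])[0] & 0x7FFFFFFF  # drop reserved bit
        start = off + 9
        if start + length > len(buf):
            raise ValueError(f"truncated frame at offset {off}")  # edge case: partial frame at tail
        yield Frame(FRAME_TYPES.get(ftype, f"UNKNOWN({ftype})"), flags, stream_id, buf[start:start + length])
        off = start + length
    if off != len(buf):
        raise ValueError(f"{len(buf) - off} stray bytes after last frame")


def build_frame(ftype: int, flags: int, stream_id: int, payload: bytes = b"") -> bytes:
    """Serialise one frame (used only to construct the sample traffic below)."""
    return len(payload).to_bytes(3, "big") + bytes([ftype, flags]) + struct.pack("!I", stream_id) + payload


def reset_pressure(frames: List[Frame], max_ratio: float = 2.0, min_frames: int = 20):
    """Flag a connection whose reset-triggering control frames outnumber HEADERS by more than max_ratio."""
    counts = Counter(f.type for f in frames)
    headers = counts["HEADERS"]
    triggers = sum(counts[t] for t in RESET_TRIGGER_TYPES)
    total = sum(counts.values())
    ratio = triggers / max(headers, 1)
    flagged = total >= min_frames and ratio > max_ratio  # small connections are never flagged
    return flagged, {"headers": headers, "reset_triggers": triggers, "total": total, "ratio": round(ratio, 2)}


def analyze(buf: bytes):
    return reset_pressure(list(parse_frames(buf)))


# --- constructed sample connections (not captured traffic) ---------------------------
END_HEADERS_END_STREAM = 0x5
CANCEL = struct.pack("!I", 0x8)  # RST_STREAM error code CANCEL

# Ten ordinary requests, each answered with DATA, plus one stray cancel.
BENIGN_CONN = b"".join(
    build_frame(1, END_HEADERS_END_STREAM, sid, b"\x82\x84") + build_frame(0, 0x1, sid, b"ok")
    for sid in range(1, 21, 2)
) + build_frame(3, 0, 1, CANCEL)

# Five requests buried under forty stream resets and five priority changes.
ABUSIVE_CONN = (
    b"".join(build_frame(1, END_HEADERS_END_STREAM, sid, b"\x82\x84") for sid in range(1, 11, 2))
    + b"".join(build_frame(3, 0, sid, CANCEL) for sid in range(1, 81, 2))
    + b"".join(build_frame(2, 0, sid, b"\x00\x00\x00\x00\x10") for sid in range(81, 91, 2))
)

if __name__ == "__main__":
    for name, conn in (("benign", BENIGN_CONN), ("abusive", ABUSIVE_CONN)):
        print(name, analyze(conn))
```

On a real tap you would feed `reset_pressure` a sliding window per client connection rather than the whole capture, and pair the alert with the vendor hotfix: the ratio only tells you a connection is generating reset pressure, the patch is what stops the server doing the resetting.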

3) Xerox FreeFlow Core — XXE + Path Traversal → unauth RCE (PoC)

What happened: Horizon3.ai disclosed CVE-2025-8355 (XXE) & CVE-2025-8356 (path traversal) enabling unauthenticated RCE on FreeFlow Core; Xerox fixed in v8.0.5 (Aug 8). (Horizon3.ai, NVD)
Why it matters: Print orchestration platforms sit deep in enterprise workflows; compromise = lateral movement + data exposure. (Horizon3.ai)
Immediate actions:

  • Upgrade to 8.0.5 immediately; restrict management ports (e.g., JMF client on 4004); review web roots for dropped webshells per vendor write-up. (Horizon3.ai)
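The two bug classes behind this advisory, XXE in a job-ticket parser and path traversal on a file write, have standard fixes that any service accepting XML or filenames should carry. The block below is an added, generic illustration in Python; it is not FreeFlow Core code and says nothing about how the product parses XML. The “disallow DOCTYPE” guard is done with a first expat pass whose handlers abort on any DTD or entity construct, and the path check resolves symlinks before comparing against the upload root. `UPLOAD_ROOT` is a throwaway temp directory and both tickets are constructed fixtures.

```python
import os
import tempfile
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeXml(ValueError):
    """Raised when a document carries a DTD, an entity declaration or an external entity reference."""


def _reject(*_args):
    raise UnsafeXml("DOCTYPE / entity constructs are not accepted")


def safe_parse(data: bytes) -> ET.Element:
    """Parse XML only after a guard pass has confirmed it carries no DTD or entity constructs.

    With no DTD there is no entity for attacker input to point at (XXE) and nothing to
    expand (billion laughs). Exceptions raised inside expat handlers propagate out of Parse().
    """
    guard = expat.ParserCreate()
    guard.StartDoctypeDeclHandler = _reject
    guard.EntityDeclHandler = _reject
    guard.ExternalEntityRefHandler = _reject
    guard.Parse(data, True)          # raises UnsafeXml on the first offending construct
    return ET.fromstring(data)       # second pass: document is DTD-free, build the tree


def safe_join(base_dir: str, user_path: str) -> str:
    """Join an untrusted path onto base_dir and refuse anything that resolves outside it."""
    base_real = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base_real, user_path))
    # realpath collapses '..' and symlinks; os.path.join already discards base_dir when
    # user_path is absolute, and commonpath catches that case as well.
    if target == base_real or os.path.commonpath([base_real, target]) != base_real:
        raise ValueError(f"path escapes upload root: {user_path!r}")
    return target


# --- constructed fixtures ----------------------------------------------------------------
UPLOAD_ROOT = tempfile.mkdtemp(prefix="uploads_demo_")  # stand-in for a product upload dir

BENIGN_TICKET = b'<?xml version="1.0"?><job><name>brochure.pdf</name><copies>25</copies></job>'
XXE_TICKET = (b'<?xml version="1.0"?>'
              b'<!DOCTYPE job [<!ENTITY ext SYSTEM "file:///CONSTRUCTED/secret.txt">]>'
              b'<job><name>&ext;</name></job>')


def demo():
    """Exercise both guards; returns a dict so the outcome can be checked, not just printed."""
    result = {"benign_name": safe_parse(BENIGN_TICKET).find("name").text}
    try:
        safe_parse(XXE_TICKET)
        result["xxe_rejected"] = False
    except UnsafeXml:
        result["xxe_rejected"] = True
    result["good_path"] = safe_join(UPLOAD_ROOT, "jobs/ticket.xml")
    result["traversal_rejected"] = all(
        _raises(lambda p=p: safe_join(UPLOAD_ROOT, p))
        for p in ("../../etc/passwd", "/etc/passwd", "jobs/../../x", "."))
    return result


def _raises(fn) -> bool:
    try:
        fn()
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(demo())
```

Rejecting every DOCTYPE is deliberately stricter than only blocking external entities; if a legitimate ticket format needs an internal DTD, keep the `EntityDeclHandler` and `ExternalEntityRefHandler` rejections and relax only the DOCTYPE one.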

4) Canada House of Commons breach — Microsoft flaw exploited; employee data stolen

What happened: Canada’s lower house is probing a breach after a threat actor accessed a device-management DB and stole staff data; officials say a recent Microsoft vulnerability was leveraged (specific CVE not yet named). (BleepingComputer)
Why it matters: Government target + identity data → impersonation and follow-on intrusions. (BleepingComputer)
Immediate actions:

  • If you run SharePoint/Exchange hybrids, prioritize patching CVE-2025-53770/53786; monitor for anomalous M365 token use and directory changes. (BleepingComputer)

5) Android banking threats surge — NFC relay “PhantomCard” + SpyBanker (India)

What happened: New wave targets banking via NFC relay fraud (“PhantomCard”) in Brazil; parallel SpyBanker campaign in India hijacks call-forwarding and steals SMS/notification data. (The Hacker News, K7 Labs)
Why it matters: Bypasses normal risk signals (transactions look “device-native”); call-hijack aids social-engineering & OTP theft. (The Hacker News)
Immediate actions (orgs & users):

  • Enforce device attestation and step-up auth on NFC/card-not-present flows; warn users about fake help-desk APKs; block sideloading; detect abnormal call-forwarding settings. (K7 Labs)

6) Critical infrastructure: Poland foils attack on major city water supply

What happened: Poland’s deputy PM says a cyberattack that could’ve cut water to a large city was stopped in time; attribution not disclosed; context: rising hostile activity due to Poland’s Ukraine role. Reuters
Why it matters: Reinforces water sector exposure worldwide; validates tabletop exercises and segmented OT networks.


Rapid Detections You Can Deploy Now

  • ESXi pre-ransomware: use Splunk TR detections (SSH enabled, VIB acceptance changes, external root logins, ESXCLI recon). (Splunk)

  • HTTP/2 edge: enable vendor hotfixes; watch for abnormal bursts of server-reset/priority frames (per CERT/CC + vendor notes). (CERT Coordination Center, GitHub)

  • Linux FireWood hunt: sweep for .kde-root/*, unexpected rc.local edits, and hashes/paths listed by Intezer; alert on persistent ConnectToSvr()-like retry patterns. (Intezer)

  • Android fraud: flag device profile changes + call-forwarding alterations; add behavioral rules for NFC relay patterns. (The Hacker News, K7 Labs)
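The FireWood detections in item 1 and the Linux hunt bullet above boil down to three host checks: sweep for the hidden .kde-root path and for IOC hashes, look at loaded kernel modules (usbdev.ko, plus anything hiding itself), and inspect rc.local for persistence edits. The script below is an added example, not Intezer’s tooling. Only the `.kde-root` name and the `usbdev` module name come from the report; the hash in `IOC_SHA256` is a placeholder computed from a constructed sample, and the hidden-module heuristic (a module that unlinks itself from the kernel list disappears from /proc/modules while its /sys/module entry with `initstate` = live usually remains) is a general LKM-rootkit check, not something the report describes. `build_constructed_lab()` fabricates a throwaway directory tree so the whole thing runs offline.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Real hashes come from the Intezer report. This set holds a PLACEHOLDER derived from a
# constructed sample so the demo can match on it; replace it with the published SHA256s.
IOC_SHA256 = {hashlib.sha256(b"CONSTRUCTED-FIREWOOD-SAMPLE").hexdigest()}
SUSPECT_NAMES = {".kde-root"}       # hidden path the implant creates (from the report)
SUSPECT_MODULES = {"usbdev"}        # LKM name from the report, without the .ko suffix
MAX_HASH_BYTES = 50 * 1024 * 1024  # skip hashing very large files during a fleet sweep


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_paths(root: str):
    """Find suspect path names and IOC hash matches under root (symlinks are not followed)."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if name in SUSPECT_NAMES:
                hits.append(("suspect_path", os.path.join(dirpath, name)))
        for name in filenames:
            p = os.path.join(dirpath, name)
            if os.path.islink(p) or not os.path.isfile(p) or os.path.getsize(p) > MAX_HASH_BYTES:
                continue
            if sha256_file(p) in IOC_SHA256:
                hits.append(("ioc_hash", p))
    return hits


def check_modules(proc_modules_path: str, sys_module_dir: str):
    """Flag suspect LKMs and modules missing from /proc/modules but still live in sysfs."""
    loaded = {line.split()[0] for line in Path(proc_modules_path).read_text().splitlines() if line.strip()}
    findings = [("suspect_module", m) for m in sorted(loaded & SUSPECT_MODULES)]
    for entry in sorted(Path(sys_module_dir).iterdir()):
        state = entry / "initstate"  # built-in modules have no initstate file, so they are skipped
        if state.is_file() and state.read_text().strip() == "live" and entry.name not in loaded:
            findings.append(("hidden_module", entry.name))
    return findings


def check_rc_local(path: str):
    """Report rc.local lines that reference the implant's hidden path."""
    p = Path(path)
    if not p.is_file():
        return []
    return [("rc_local_reference", f"{path}:{n}")
            for n, line in enumerate(p.read_text(errors="replace").splitlines(), 1)
            if any(marker in line for marker in SUSPECT_NAMES)]


def hunt(root="/", proc_modules="/proc/modules", sys_module="/sys/module", rc_local="/etc/rc.local"):
    """Run all three checks; defaults point at the live host, the demo points them at the lab."""
    return sweep_paths(root) + check_modules(proc_modules, sys_module) + check_rc_local(rc_local)


def build_constructed_lab() -> dict:
    """Create a throwaway tree that mimics an infected host (constructed fixture, not real data)."""
    lab = Path(tempfile.mkdtemp(prefix="firewood_lab_"))
    (lab / "root" / ".kde-root").mkdir(parents=True)
    (lab / "root" / ".kde-root" / "agent").write_bytes(b"CONSTRUCTED-FIREWOOD-SAMPLE")
    (lab / "proc_modules").write_text(
        "usbdev 16384 0 - Live 0x0000000000000000\nxfs 2000000 1 - Live 0x0000000000000000\n")
    for name in ("usbdev", "xfs", "ghostmod"):  # ghostmod is live in sysfs but absent from the list
        (lab / "sys_module" / name).mkdir(parents=True)
        (lab / "sys_module" / name / "initstate").write_text("live\n")
    (lab / "sys_module" / "builtin_only").mkdir()  # no initstate -> treated as built-in, ignored
    (lab / "rc.local").write_text("#!/bin/sh\n/root/.kde-root/agent &\nexit 0\n")
    return {"root": str(lab / "root"), "proc_modules": str(lab / "proc_modules"),
            "sys_module": str(lab / "sys_module"), "rc_local": str(lab / "rc.local")}


if __name__ == "__main__":
    for kind, detail in hunt(**build_constructed_lab()):
        print(f"{kind:20} {detail}")
```

On a real host call `hunt()` with its defaults as root; the sysfs comparison is a heuristic, so treat a `hidden_module` finding as a reason to pull the box for memory forensics rather than as proof on its own.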


CyberDudeBivash Action Plan (ready to post)

  1. Advisory posts (with tricolor banners) for: FireWood, MadeYouReset, Xerox FreeFlow RCE, Canada HoC breach, Android NFC/SpyBanker, and Poland CI alert.

  2. Playbook snippets:

  • Linux: IOC sweep + LKM checks

  • Edge/API: HTTP/2 rate-limits + vendor patches

  • ESXi: ship syslog to SIEM + enable Splunk detections

  • Mobile banking: user alert + fraud rules

If you want, I’ll immediately generate six LinkedIn banners (tricolor + logo) and a long-form blog edition from this report.

Sources

FireWood analysis & IOCs (Intezer).
HTTP/2 MadeYouReset overviews & vendor notes (CERT/CC, Cloudflare, SecurityWeek, Netty GitHub advisory).
Xerox FreeFlow Core RCE details + patch (Horizon3.ai, NVD).
Canada House of Commons breach (BleepingComputer).
Android NFC “PhantomCard” + SpyBanker (The Hacker News, K7 Labs).
Poland water-supply cyberattack foiled (Reuters).
