Cyber threats in early 2025 continue to adapt rapidly, presenting complex challenges for cybersecurity professionals around the world. January and February have already witnessed new and creative tactics by malicious actors, demonstrating that traditional security approaches alone are no longer sufficient. Attackers are leveraging common platforms like Microsoft Teams and legitimate services such as archive.org and Google Sites, making it increasingly difficult for organizations to distinguish harmful activities from everyday digital interactions. In this blog post, we’ll explore recent developments and examine how these innovative cyberattacks pose substantial risks to individuals, businesses, and even national security.
Techniques
Teams Phishing
In 2024, a phishing campaign was identified as part of a Black Basta operation (a splinter group from the well-known Conti syndicate), in which targets were flooded with thousands of benign spam emails. Once the flood was under way, the adversary phoned the victim pretending to be from the organisation's IT department, offering to fix the problem by having the user install a remote support tool or start the built-in Windows Quick Assist tool, either of which gives the caller remote control of the user's device. From there they ran malicious scripts to install payloads that exfiltrated data (including unprotected credentials cached on the device) and provided persistent access. Targets were often senior staff whose contact number was available online, or people selected using previously leaked PII.
A widespread new variation of this attack has been identified in which, instead of phoning the victim after the spam flood, the attackers contact them via Teams chat. They use accounts created in purpose-built Entra ID tenants with names such as 'supportadmin.onmicrosoft.com', with generic helpdesk-style account names, to convince the target to grant remote access. ReliaQuest, a US-based cybersecurity company, found during its investigation of the campaign that most of the malicious activity originates from tenants set to the Moscow time zone, which lines up with Black Basta's previous ties to other Russian advanced persistent threat (APT) groups.
The move to Teams-based social engineering widens the attack surface: the attackers no longer need the victim's phone number, which greatly expands the pool of possible targets. The problem is compounded by the Teams external access (federation) settings, where the only granular control over which organisations can message your users is a domain allow list or block list, and many organisations leave external access open to all domains to reduce administrative overhead.
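The two indicators above, an email-bombing run followed by an external Teams chat from a helpdesk-looking account in a bare *.onmicrosoft.com tenant, are easy to correlate if you already collect Exchange message-trace and Teams audit events. The script below is an added example written for this post, not ReliaQuest's or Microsoft's code; the records, the `example.org` tenant name, the 100-messages-in-two-hours threshold and the helpdesk name regex are all assumptions you would tune to your own environment.

```python
"""Detection for the Teams 'fake helpdesk' follow-up to an email-bombing run.
Added example, not from the original post or from any vendor; the Exchange and
Teams records below are constructed to resemble message-trace and audit events,
and the thresholds, regexes and domain names are assumptions."""
import re
from datetime import datetime, timedelta

OUR_DOMAIN = "example.org"            # assumption: the defended tenant's primary domain
SPAM_THRESHOLD = 100                  # assumption: inbound mails per window that count as bombing
SPAM_WINDOW = timedelta(hours=2)
HELPDESK_RE = re.compile(r"help ?desk|it support|support ?admin|service desk", re.I)
ONMICROSOFT_RE = re.compile(r"\.onmicrosoft\.com$", re.I)

# Constructed sample data: 150 inbound mails to alice over ~75 minutes, one to bob.
EMAILS = [{"ts": datetime(2025, 1, 14, 9, 0) + timedelta(seconds=30 * i),
           "to": f"alice@{OUR_DOMAIN}"} for i in range(150)]
EMAILS.append({"ts": datetime(2025, 1, 14, 9, 5), "to": f"bob@{OUR_DOMAIN}"})

# Constructed external Teams chats received by our users.
TEAMS_CHATS = [
    {"ts": datetime(2025, 1, 14, 10, 40), "to": f"alice@{OUR_DOMAIN}",
     "from": "helpdesk@supportadmin.onmicrosoft.com", "display": "Help Desk"},
    {"ts": datetime(2025, 1, 14, 10, 45), "to": f"bob@{OUR_DOMAIN}",
     "from": "jane@partner.example", "display": "Jane Doe"},
]


def spam_burst_before(recipient, when, emails):
    """Number of inbound mails to recipient in the SPAM_WINDOW ending at `when`."""
    return sum(1 for e in emails
               if e["to"] == recipient and when - SPAM_WINDOW <= e["ts"] <= when)


def is_suspicious_sender(chat):
    """External sender from a bare *.onmicrosoft.com tenant using a helpdesk-style name."""
    domain = chat["from"].rsplit("@", 1)[-1].lower()
    if domain == OUR_DOMAIN:
        return False
    return bool(ONMICROSOFT_RE.search(domain)) and bool(HELPDESK_RE.search(chat["display"]))


def score_chat(chat, emails):
    """Return (score, reasons); 2 means a helpdesk-looking external chat after a spam burst."""
    reasons = []
    if is_suspicious_sender(chat):
        reasons.append("external onmicrosoft.com tenant with helpdesk-style display name")
    burst = spam_burst_before(chat["to"], chat["ts"], emails)
    if burst >= SPAM_THRESHOLD:
        reasons.append(f"{burst} inbound emails to recipient in the prior {SPAM_WINDOW}")
    return len(reasons), reasons


def find_alerts(chats=TEAMS_CHATS, emails=EMAILS, min_score=2):
    """Chats that hit both indicators; these warrant a call to the user and a tenant block."""
    alerts = []
    for chat in chats:
        score, reasons = score_chat(chat, emails)
        if score >= min_score:
            alerts.append({"user": chat["to"], "sender": chat["from"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_alerts():
        print(alert)
```

Either indicator on its own is noisy (plenty of legitimate partners still run on onmicrosoft.com domains, and newsletter sign-ups happen), which is why the alert requires both within the same window. On a hit, the practical response is to block the sending tenant's domain in Teams external access and to check the recipient's endpoint for a freshly installed remote support tool or a Quick Assist session.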
Image Embedded Malware, Hosted on Legitimate Sites
Researchers at HP Wolf Security have warned of large email campaigns delivering the VIP Keylogger and 0bj3ctivityStealer hidden inside images. The campaigns use steganography to conceal malicious code in images uploaded to archive.org (a legitimate file hosting site), with the same .NET loader used to retrieve and install the final payload in both cases. The emails pose as invoices and purchase orders and contain links to the legitimately hosted malicious images; the identified images had over 29,000 page visits combined.
Hosting on a legitimate site helps the attackers slip past network controls such as web proxies and firewalls that rely on reputation checks, and the steganography makes it harder for security tooling to spot the concealed code, since the file is still a valid image. The VIP Keylogger records keystrokes and exfiltrates credentials from various sources, including applications and clipboard data, while 0bj3ctivityStealer targets account credentials and payment card data.
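To make the technique concrete, the following added example (written for this post; it is not the campaign's loader or HP Wolf's analysis code) hides a constructed payload in the least significant bits of a PNG's pixel data, decodes the image back and recovers the payload the way a stego loader would, and separately checks for data parked after the PNG's IEND chunk, a cruder hide that is also common. It uses only the standard library, and the cover image, payload and appended blob are all constructed in-process.

```python
"""LSB steganography and appended-data checks on a PNG. Added example, not the
campaign's loader or HP Wolf's code; the cover image and payload are
constructed in-process, and only the standard library is used."""
import struct
import zlib


def lsb_embed(pixels, payload):
    """Hide a 4-byte length header plus payload in the least significant bit of each byte."""
    data = struct.pack(">I", len(payload)) + payload
    bits = [(b >> (7 - i)) & 1 for b in data for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("cover image too small for payload")
    out = bytearray(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def lsb_extract(pixels):
    """Recover what lsb_embed hid; this is the step a stego loader performs after download."""
    def read(offset, n):
        out = bytearray()
        for k in range(n):
            byte = 0
            for i in range(8):
                byte = (byte << 1) | (pixels[offset + k * 8 + i] & 1)
            out.append(byte)
        return bytes(out)
    length = struct.unpack(">I", read(0, 4))[0]
    return read(32, length)


def _chunk(tag, body):
    crc = zlib.crc32(tag + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)


def make_png(width, height, rgb):
    """Minimal 8-bit RGB PNG (filter type 0 on every row) from raw pixel bytes."""
    rows = b"".join(b"\x00" + rgb[y * width * 3:(y + 1) * width * 3] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return (b"\x89PNG\r\n\x1a\n" + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(rows)) + _chunk(b"IEND", b""))


def walk_chunks(data):
    """Yield (tag, body, end_offset) for each chunk; stops after IEND."""
    pos = 8
    while pos + 8 <= len(data):
        length, tag = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        pos += 12 + length
        yield tag, body, pos
        if tag == b"IEND":
            return


def png_pixels(data):
    """Decode the RGB bytes of a PNG written by make_png (filter 0 only, no interlace)."""
    width = height = 0
    idat = b""
    for tag, body, _ in walk_chunks(data):
        if tag == b"IHDR":
            width, height = struct.unpack(">II", body[:8])
        elif tag == b"IDAT":
            idat += body
    raw = zlib.decompress(idat)
    stride = width * 3 + 1
    return b"".join(raw[y * stride + 1:(y + 1) * stride] for y in range(height))


def png_trailer(data):
    """Bytes after the IEND chunk. A clean PNG has none; a payload parked here is a cheap hide."""
    for tag, _, end in walk_chunks(data):
        if tag == b"IEND":
            return data[end:]
    raise ValueError("no IEND chunk: not a complete PNG")


def demo():
    """Embed a constructed payload, write a PNG, append a blob, and recover both."""
    cover = bytes((x * 7 + 13) % 256 for x in range(64 * 64 * 3))
    secret = b"MZ\x90\x00 constructed stand-in for a loader"
    png = make_png(64, 64, lsb_embed(cover, secret)) + b"constructed appended blob"
    return lsb_extract(png_pixels(png)), png_trailer(png)
```

The point for defenders is that the LSB-carrying image decodes perfectly and passes any "is this a valid PNG" check, so reputation and file-type controls will not catch it; the trailer check, by contrast, is cheap and worth adding to a sandbox or proxy pipeline, because a well-formed image should carry nothing after IEND (or after the JPEG end-of-image marker).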
Happenings
[Global] Google Ads Accounts Targeted via Malicious Google Ads
In a somewhat comical turn of events, malicious actors have been using Google Ads to push fake ads whose purpose is to steal credentials for Google Ads accounts. The stolen accounts are then sold on black-hat forums or used to run the attackers' own phishing campaigns.
The campaigns use ads that often appear at the top of search results and direct users to a fake Google Ads homepage hosted on Google Sites. That page acts as a front and contains sign-in links that lead to credential-capture phishing portals. Google Ads requires an ad's displayed URL to match the domain of its landing page, which is meant to stop domain impersonation; because a Google Sites page lives under sites.google.com, which shares the google.com root domain with ads.google.com, the attackers could show the genuine-looking ads.google.com as the ad's URL while landing victims on their fake page. Once credentials are captured, the attackers typically create additional administrative users and weaken security settings to maintain persistence and obscure their access.
The spate of malicious Google Ads and the abuse of the Google Sites domain to show misleading URLs have been attributed to at least two separate groups that appear to be operating independently. Researchers at Malwarebytes identified the different phishing kits used in these campaigns and, based on comments in the kit source, believe one group is Mandarin-speaking and the other Portuguese-speaking (most likely based in Brazil).
[East-Asia] Cloudflare Mitigates 5.6 Tbps DDoS
Cloudflare has once again mitigated the largest distributed denial-of-service (DDoS) attack seen to date, peaking at 5.6 terabits per second and targeting an unnamed East Asian Internet Service Provider (ISP). The 80-second attack occurred in late October 2024 and was detected and mitigated automatically by Cloudflare, with no impact on the target. Cloudflare reports quarter-on-quarter increases in these hyper-volumetric attacks, which are growing in both peak volume and frequency. Attacks at this scale are usually short-lived, and with durations measured in seconds it is generally impossible for a human to intervene before the attack has finished, which underlines the need for automated detection and mitigation to absorb them.
Traditionally, DDoS attacks have been longer in duration and intended to cause medium-term service disruption, in some historical cases lasting weeks. Many security researchers believe these hyper-volumetric attacks are geopolitical in nature and may simply be posturing on the world stage.
In its Q4 2024 report, Cloudflare also noted that the telecommunications, service provider and carrier sector has taken the top spot as the most targeted industry (up from third place the previous quarter), and that Taiwan has jumped from tenth to second among the most targeted countries.
[China] DeepSeek Database Exposure – Chat History, Secret Keys & Back End Details
Researchers at cloud security company Wiz identified two publicly accessible databases exposed through a ClickHouse instance (ClickHouse is an open-source column-oriented database) belonging to DeepSeek. The instance accepted arbitrary SQL queries over its HTTP interface without any authentication. Wiz enumerated the databases and found plaintext user prompts, keys used to authenticate API calls, and internal infrastructure and operational details. Wiz limited its queries to enumeration for ethical reasons, but depending on the ClickHouse server's configuration the exposure may also have allowed reading local files from the server and writing changes to the databases. It is unknown whether any other party independently discovered and abused the exposure; it was promptly disclosed to DeepSeek, which resolved the issue before the public announcement.
DeepSeek has not publicly stated whether it rotated the API keys exposed by this incident, which may leave the startup at significant risk of LLMjacking. LLMjacking is a relatively new technique driven by the high cost of AI compute, in which malicious actors use stolen credentials to access AI compute resources while the victim foots the bill.
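The check that would have caught this is a simple one: does the ClickHouse HTTP interface (port 8123 by default) run a query without credentials? The script below is an added example written for this post, not Wiz's tooling; because it has to run offline, the target is an in-process fake ClickHouse whose responses are constructed to mimic the real server's `Ok.` health reply, tab-separated query results and HTTP 516 authentication failure. The table names it returns are constructed and have nothing to do with DeepSeek's schema.

```python
"""Probe a ClickHouse HTTP interface for unauthenticated query execution and, if it is
open, enumerate tables. Added example, not Wiz's tooling; the target is an in-process
fake ClickHouse with constructed responses so the script runs offline."""
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Ignore any proxy settings in the environment; we only talk to 127.0.0.1 here.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


class FakeClickHouse(BaseHTTPRequestHandler):
    """Constructed stand-in for the ClickHouse HTTP endpoint (real default port: 8123)."""
    require_auth = False

    def do_GET(self):
        url = urllib.parse.urlparse(self.path)
        query = urllib.parse.parse_qs(url.query).get("query", [""])[0].strip()
        if url.path == "/ping" or not query:
            code, body = 200, b"Ok.\n"
        elif self.require_auth and "X-ClickHouse-Key" not in self.headers:
            code, body = 516, b"Code: 516. DB::Exception: default: Authentication failed\n"
        elif query.upper() == "SELECT 1":
            code, body = 200, b"1\n"
        elif "SYSTEM.TABLES" in query.upper():
            code, body = 200, b"default\tchat_logs\ndefault\tapi_secrets\n"  # constructed names
        else:
            code, body = 400, b"Code: 62. DB::Exception: Syntax error\n"
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def probe(base_url, timeout=3):
    """'open' if SELECT 1 runs without credentials; else 'auth-required', 'unreachable' or 'unknown'."""
    url = base_url + "/?query=" + urllib.parse.quote("SELECT 1")
    try:
        with OPENER.open(url, timeout=timeout) as resp:
            return "open" if resp.read().strip() == b"1" else "unknown"
    except urllib.error.HTTPError as err:
        return "auth-required" if err.code in (401, 403, 516) else "unknown"
    except (urllib.error.URLError, OSError):
        return "unreachable"


def list_tables(base_url, timeout=3):
    """Enumerate (database, table) pairs; ClickHouse returns TSV by default."""
    url = base_url + "/?query=" + urllib.parse.quote("SELECT database, name FROM system.tables")
    with OPENER.open(url, timeout=timeout) as resp:
        return [tuple(line.split("\t")) for line in resp.read().decode().splitlines()]


def run_demo(require_auth=False):
    """Start the fake server, probe it, enumerate if open, and return (verdict, tables)."""
    FakeClickHouse.require_auth = require_auth
    server = HTTPServer(("127.0.0.1", 0), FakeClickHouse)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % server.server_address[1]
    try:
        verdict = probe(base)
        tables = list_tables(base) if verdict == "open" else []
    finally:
        server.shutdown()
        server.server_close()
    return verdict, tables


if __name__ == "__main__":
    print(run_demo(require_auth=False))   # ('open', [...constructed tables...])
    print(run_demo(require_auth=True))    # ('auth-required', [])
```

Point `probe()` at a real host only where you are authorised to test. Note that the `/ping` endpoint answers `Ok.` regardless of authentication, so a health check is not evidence of exposure; only an actual query result is. The fix is the usual one: set a password for the `default` user (or disable it), bind the interface to internal addresses, and front it with network ACLs, then rotate anything stored in the exposed tables.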
[NZ] Google AI Breaches Court Name Suppression Orders
Google's AI has been found capable of breaching high-profile name suppression orders put in place by New Zealand courts. The issue has been identified in Google's AI Overviews feature, which places generated content at the top of search results, and in the AI-powered 'People Also Search For' (PASF) feature that suggests queries based on a previous search.
The breaches by Google’s AI appear to be made possible by a combination of the AI’s ability to make inferences from disparate pieces of data, and its ability to surface information that may be challenging for humans to locate – the AI can analyse vast amounts of publicly available information and draw connections that might not be immediately obvious to humans.
For example, the AI might piece together information from various sources, such as news articles, social media posts, and other publicly accessible data, to infer the identity of individuals with name suppression. This process can inadvertently lead to the disclosure of suppressed names.
[SK] South Korea Accuses DeepSeek of Sharing Data, App Store Suspension
South Korea's data regulator, the Personal Information Protection Commission (PIPC), has found that DeepSeek had been providing user data to a third party, ByteDance, the owner of social media giant TikTok. The PIPC released a public statement confirming the data sharing, while noting that it was unsure exactly what data was shared or the extent of the sharing. The South Korean government temporarily suspended the application from the Apple App Store and Google Play store, since South Korea's Personal Information Protection Act requires explicit consent for third-party data sharing and the PIPC found no evidence that such consent had been obtained.
The technical audit uncovered critical security flaws, including the DeepSeek iOS application globally disabling ATS (App Transport Security), the iOS feature that enforces HTTPS for an app's network connections, and the use of 3DES, a symmetric cipher that NIST has deprecated and disallows for encryption after 2023 because of its known weaknesses, with the symmetric keys hard-coded into the app. The audit also raised data sovereignty concerns.
DeepSeek responded by acknowledging shortcomings in its consideration of local data protection laws and appointing a new representative in South Korea to cooperate with the PIPC on addressing them, but gave no explanation for why ATS is disabled or why 3DES was chosen over a contemporary cipher such as AES-256, although the fact that AES was standardised by a US federal agency (NIST) may go some way towards explaining that choice.
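The ATS finding is one anyone can check for themselves, because the setting lives in the app bundle's Info.plist rather than in code. The script below is an added example written for this post, not the PIPC's audit tooling; the three plists it checks are constructed and are not DeepSeek's. It flags the global kill switch (`NSAllowsArbitraryLoads`), the web-view and local-network variants, and the per-host exceptions that weaken TLS, so it generalises beyond the single flag the audit reported.

```python
"""Static check of an iOS Info.plist for App Transport Security weakening. Added example,
not from the PIPC audit; the three plists are constructed and are not DeepSeek's."""
import plistlib

PLIST_HEAD = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>CFBundleIdentifier</key><string>com.example.chatapp</string>
"""
PLIST_TAIL = b"</dict></plist>"

# Constructed: ATS switched off for every host, the pattern the audit reported.
WEAK_PLIST = PLIST_HEAD + b"""<key>NSAppTransportSecurity</key><dict>
<key>NSAllowsArbitraryLoads</key><true/>
</dict>
""" + PLIST_TAIL

# Constructed: a single scoped exception, still a finding but far narrower.
SCOPED_PLIST = PLIST_HEAD + b"""<key>NSAppTransportSecurity</key><dict>
<key>NSExceptionDomains</key><dict>
<key>legacy.example.com</key><dict>
<key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
<key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
</dict></dict></dict>
""" + PLIST_TAIL

# Constructed: no ATS dictionary at all, so the platform defaults (HTTPS, TLS 1.2+) apply.
CLEAN_PLIST = PLIST_HEAD + PLIST_TAIL


def audit_ats(info_plist):
    """Return a list of human-readable findings; an empty list means ATS is at its defaults."""
    plist = plistlib.loads(info_plist)
    ats = plist.get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads is true: ATS disabled globally, "
                        "plaintext HTTP allowed to any host")
    if ats.get("NSAllowsArbitraryLoadsInWebContent"):
        findings.append("NSAllowsArbitraryLoadsInWebContent is true: ATS disabled for web views")
    if ats.get("NSAllowsLocalNetworking"):
        findings.append("NSAllowsLocalNetworking is true: ATS disabled for local-network hosts")
    for host, exc in ats.get("NSExceptionDomains", {}).items():
        if exc.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"{host}: plaintext HTTP permitted by exception")
        tls = exc.get("NSExceptionMinimumTLSVersion")
        if tls in ("TLSv1.0", "TLSv1.1"):
            findings.append(f"{host}: minimum TLS version lowered to {tls}")
        if exc.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(f"{host}: forward secrecy not required")
    return findings


if __name__ == "__main__":
    for name, blob in (("weak", WEAK_PLIST), ("scoped", SCOPED_PLIST), ("clean", CLEAN_PLIST)):
        print(name, audit_ats(blob))
```

To run it against a real app, unzip the IPA and pass the bytes of `Payload/<App>.app/Info.plist` to `audit_ats()`; `plistlib` reads both the XML and the binary plist formats that Apple ships. A global `NSAllowsArbitraryLoads` is the worst case because it lets every connection fall back to plaintext HTTP, which is what makes the hard-coded 3DES keys in the same app matter more: a network-position attacker can both read the traffic and, with the keys pulled from the binary, decrypt any application-layer encryption layered on top of it.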