Mar 28 2025
Welcome to Gone Phishing, your weekly cybersecurity newsletter that wonders whether it's hackers behind Daylight Savings Hour.
Patch of the Week!
First things first, folks. Our weekly segment goes by many names. Patch of the Week, Tweak of the Week. Okay, that's it...
Congrats to Google, the cybercriminals are no match... for your patch!
Chrome Zero-Day Under Attack! Update Now!
Google just rushed out an emergency fix for CVE-2025-2783, a high-severity zero-day exploit hitting Windows users, and it's already being used in attacks!
What's happening?
- The exploit targets Chrome's Mojo IPC system.
- Used in sophisticated phishing attacks: victims were tricked into clicking a malicious link, which instantly infected their devices!
- Targets? Russian media, education, and government organizations.
- Kaspersky is calling it "Operation ForumTroll".
Fix? Update Chrome to version 134.0.6998.177/.178 NOW!
Using Edge, Brave, or Opera? They're based on Chromium, so updates should be coming soon. Stay alert!
With state-backed hackers on the loose, don't risk it: update immediately!
Now, on to this week's hottest cybersecurity news stories:
- JavaScript injection promoting gambling sites infects 150k sites
- CISA warning! Active exploits hit Next.js and DrayTek devices
- Raspberry Robin malware linked to almost 200 unique C2 domains
A massive JavaScript injection campaign has compromised 150,000+ websites, redirecting visitors to Chinese-language gambling platforms.
How the Attack Works
- Malicious JavaScript injected into legitimate sites
- Hijacks browsers, replacing page content with a gambling page
- Uses iframe overlays to mimic real betting sites (e.g., Bet365)
- Obfuscates code to evade detection
Scale & Evolution
- 135,800+ sites still actively infected
- Redirects via five domains (e.g., "zuizhongyj[.]com")
- Constantly updated with new tactics
Tied to Larger Cybercrime Networks
- Similar tactics used by DollyWay malware, which has compromised 20,000+ WordPress sites since 2016
- Uses Traffic Direction Systems (TDS) to funnel visitors to scam sites
- Monetized through networks like VexTrio & LosPollos
How to Stay Safe
- Website admins: regularly scan for unauthorized JavaScript injections
- Keep WordPress & plugins updated to prevent exploitation
- Users: avoid unfamiliar gambling pop-ups & redirects
With thousands of sites compromised and millions exposed, this attack highlights the growing risk of web-based threats. Stay cautious and proactive!
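Here is what "regularly scan for unauthorized JavaScript injections" looks like as a script. This is an added example, not code from the newsletter or from any of the reports it summarizes. It walks a page's HTML with the standard library's HTMLParser and reports the three ingredients the campaign above relies on: script tags loading from hosts outside the site's own allowlist, inline scripts carrying several obfuscation markers at once, and iframes styled to cover the page or hide themselves. The allowlist, the sample page, its hostnames and the two-marker threshold are all constructed assumptions for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this (hypothetical) site is allowed to load scripts from; an assumption for the example.
ALLOWED_SCRIPT_HOSTS = {"www.example-shop.test", "cdn.example-shop.test"}

# Markers that tend to co-occur in obfuscated injected snippets. Any one of them is common in
# legitimate code, so an inline script is only reported when at least two patterns match.
OBFUSCATION_PATTERNS = [
    re.compile(r"\beval\s*\("),
    re.compile(r"String\.fromCharCode"),
    re.compile(r"\bunescape\s*\("),
    re.compile(r"\batob\s*\("),
    re.compile(r"document\.write\s*\("),
    re.compile(r"(\\x[0-9a-fA-F]{2}){8,}"),  # long run of hex-escaped characters
]

class InjectionScanner(HTMLParser):
    """Collects (kind, detail) findings while walking one HTML document."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_inline_script = False
        self._script_chunks = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            src = a.get("src")
            if src:
                host = urlparse(src).hostname  # None for same-origin relative paths
                if host and host not in ALLOWED_SCRIPT_HOSTS:
                    self.findings.append(("external-script", src))
            else:
                self._in_inline_script = True
                self._script_chunks = []
        elif tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            # A full-viewport fixed iframe is how a page gets "replaced" by a betting-site
            # lookalike; hidden iframes are the usual vehicle for silent redirects.
            if any(s in style for s in ("position:fixed", "display:none", "visibility:hidden")):
                self.findings.append(("suspicious-iframe", a.get("src") or ""))

    def handle_data(self, data):
        # HTMLParser hands over <script> bodies as raw data, so this is the inline JS.
        if self._in_inline_script:
            self._script_chunks.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline_script:
            self._in_inline_script = False
            body = "".join(self._script_chunks)
            hits = sum(1 for p in OBFUSCATION_PATTERNS if p.search(body))
            if hits >= 2:
                self.findings.append(("obfuscated-inline-script", body.strip()[:60]))

def scan_html(html):
    """Return the list of (kind, detail) findings for one page, in document order."""
    scanner = InjectionScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page: one legitimate script, one injected loader, one overlay iframe,
# one obfuscated inline script and one harmless inline script. None of these hosts are real.
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.example-shop.test/app.js"></script>
<script src="//static.gamble-redirect.test/loader.js"></script>
</head><body>
<iframe src="https://bet-overlay.test/" style="position: fixed; top: 0; left: 0; width: 100%; height: 100%; border: 0"></iframe>
<script>var _0x=unescape("%75%72%6c");eval(String.fromCharCode(118,97,114,32,97,61,49));</script>
<script>console.log("checkout ready");</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_PAGE):
        print(f"{kind:26s} {detail}")
```

Run it over a site's rendered pages (or the theme and plugin files on disk) on a schedule and diff the findings against the previous run; a new external-script host or a new overlay iframe appearing between runs is the signal worth paging on, and the allowlist is what keeps the first-party CDN from showing up every time.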
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two six-year-old vulnerabilities in Sitecore CMS and Experience Platform (XP) to its Known Exploited Vulnerabilities (KEV) list, citing active exploitation.
The Vulnerabilities
- CVE-2019-9874 (CVSS 9.8): unauthenticated remote code execution via a deserialization attack
- CVE-2019-9875 (CVSS 8.8): authenticated remote code execution via a deserialization attack
Federal agencies must patch by April 16, 2025 to secure their networks.
Other Exploited Vulnerabilities
- Next.js CVE-2025-29927 (CVSS 9.1): an authorization bypass lets attackers skip middleware security checks and access sensitive resources
- DrayTek router flaws (CVE-2020-8515, CVE-2021-20123, CVE-2021-20124): used for remote code execution and file theft
Attack Hotspots
- Sitecore and Next.js flaws actively probed worldwide
- DrayTek router exploits detected in Indonesia, the U.S., Hong Kong, Lithuania, and Singapore
How to Stay Protected
- Apply patches for all impacted systems ASAP
- Monitor logs for unusual activity and exploit attempts
- Restrict public access to vulnerable applications
With older flaws still being actively exploited, staying updated is critical to prevent cyber intrusions!
Raspberry Robin Malware Expands with 200+ C2 Domains
A new investigation has uncovered nearly 200 command-and-control (C2) domains linked to Raspberry Robin, a fast-evolving malware used by Russian-linked cybercriminals and nation-state hackers for initial access into victim networks.
Key Findings
- 180+ new C2 domains discovered via a QNAP device relay
- Uses "fast flux" to rotate domains and evade takedowns
- Top TLDs: .wf, .pm, .re, .nz, .eu, .tw
- C2 infrastructure tied to niche registrars and a Bulgarian hosting provider
How Raspberry Robin Spreads
- USB-based propagation: infects devices via compromised USB drives
- Discord-based delivery: archives and Windows Script Files spread the malware
- Exploiting one-day vulnerabilities: gains privilege escalation before public disclosure
Linked to Major Threat Actors
- Used by the Russian APT Cadet Blizzard for initial access
- Distributes malware for LockBit, Dridex, SocGholish, and FIN11
- Possibly operates as a Pay-Per-Install (PPI) botnet
How to Stay Safe
- Disable autorun on USB devices
- Monitor network traffic for unusual domain activity
- Use endpoint protection to detect malware loaders
- Restrict access to QNAP and NAS devices from external networks
With Russian threat actors leveraging Raspberry Robin for large-scale intrusions, defensive measures are critical to prevent data breaches and ransomware infections.
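"Monitor network traffic for unusual domain activity" can be made concrete for the fast-flux behaviour described in the findings above. The following is an added example, not code from the newsletter or from the investigation it reports on. It reads resolver log lines in a constructed format (timestamp, client, query name, record type, answer, TTL), summarises per query name how many distinct addresses and /24 networks the answers spread over and the lowest TTL seen, and reports names that rotate across many addresses with short TTLs. The TLD list from the findings only annotates a domain that already looks like flux; on its own it proves nothing. Every log line, hostname and threshold here is constructed or assumed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed resolver log format (assumption): timestamp client qname rtype answer ttl
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (A|AAAA) (\S+) (\d+)$")

# TLDs the report names as most common among the C2 domains. A match only adds a note to a
# domain that already looks like fast flux; plenty of legitimate sites live under them.
WATCHED_TLDS = {"wf", "pm", "re", "nz", "eu", "tw"}

def parse_line(line):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, rtype, answer, ttl = m.groups()
    return {"ts": ts, "client": client, "qname": qname.lower().rstrip("."),
            "rtype": rtype, "answer": answer, "ttl": int(ttl)}

def summarize(lines):
    """Per query name: distinct answer IPs, distinct /24 (or /48) networks, lowest TTL seen."""
    stats = defaultdict(lambda: {"ips": set(), "nets": set(), "min_ttl": None, "queries": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        try:
            prefix = 24 if rec["rtype"] == "A" else 48
            net = ipaddress.ip_network(f"{rec['answer']}/{prefix}", strict=False)
        except ValueError:
            continue  # answer is not a usable address; skip the record
        s = stats[rec["qname"]]
        s["queries"] += 1
        s["ips"].add(rec["answer"])
        s["nets"].add(str(net))
        s["min_ttl"] = rec["ttl"] if s["min_ttl"] is None else min(s["min_ttl"], rec["ttl"])
    return stats

def fast_flux_candidates(lines, min_ips=5, min_nets=2, max_ttl=300):
    """Names whose answers rotate across many addresses and networks with short TTLs.

    Thresholds are assumptions for the example; tune them to the resolver's own baseline.
    A low-TTL CDN name with two or three addresses must not trip this, which is why the
    address and network counts are required together with the TTL.
    """
    out = []
    for qname, s in summarize(lines).items():
        if len(s["ips"]) >= min_ips and len(s["nets"]) >= min_nets and s["min_ttl"] <= max_ttl:
            reasons = [f"{len(s['ips'])} distinct IPs", f"{len(s['nets'])} distinct networks",
                       f"min TTL {s['min_ttl']}s"]
            if qname.rsplit(".", 1)[-1] in WATCHED_TLDS:
                reasons.append("TLD on watchlist")
            out.append((qname, reasons))
    return sorted(out)

# Constructed log: a CDN name with two addresses and a short TTL (benign), a name that rotates
# over six documentation-range addresses in three networks (flux-like), and an internal name.
SAMPLE_LOG = """\
2025-03-25T10:00:01Z 10.0.0.12 cdn.example-shop.test A 203.0.113.10 300
2025-03-25T10:01:01Z 10.0.0.15 cdn.example-shop.test A 203.0.113.11 300
2025-03-25T10:00:05Z 10.0.0.12 q7v2-node.wf A 198.51.100.5 60
2025-03-25T10:01:05Z 10.0.0.12 q7v2-node.wf A 198.51.100.77 60
2025-03-25T10:02:05Z 10.0.0.12 q7v2-node.wf A 192.0.2.33 60
2025-03-25T10:03:05Z 10.0.0.12 q7v2-node.wf A 192.0.2.140 60
2025-03-25T10:04:05Z 10.0.0.12 q7v2-node.wf A 203.0.113.200 60
2025-03-25T10:05:05Z 10.0.0.12 q7v2-node.wf A 198.51.100.250 60
2025-03-25T10:06:00Z 10.0.0.20 intranet.example-shop.test A 10.1.1.5 86400
"""

if __name__ == "__main__":
    for qname, reasons in fast_flux_candidates(SAMPLE_LOG.splitlines()):
        print(f"{qname}: {', '.join(reasons)}")
```

Feed it a day of resolver logs rather than minutes: fast flux shows up as address churn over time, and the distinct-network count is what separates it from a large but stable CDN pool. Pairing the flagged names with the endpoint that queried them (the client column) gives the responder a host to look at for the USB or Discord-delivered loader.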
Extra, Extra! Read all about it!
Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!
Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday.
Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders.
Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future.
Let us know what you think.
So long and thanks for reading all the phish!