🎯 Unknown Hackers Target Japanese Organizations via PHP Vulnerability

Mar 14 2025



Welcome to Gone Phishing, your weekly cybersecurity newsletter that’s treating cybercriminals like Trump’s tariffs are treating the stock market 📉📉📉 

Patch of the Week! 🩹

First things first, folks. Our weekly segment goes by many names. Patch of the Week, Tweak of the Week. Okay, that’s it… 😳 

Congrats to Mozilla & Microsoft, the cybercriminals are no match… for your patch! 🩹

Check out these freshly hatched patches 🐣🐣

All Mozilla, no filler 😜 

🚨 Firefox Add-on Trouble Incoming? Update Now! 🔥

Mozilla is urging all Firefox users to update ASAP to avoid issues with add-ons, DRM content, and security features due to an expiring root certificate on March 14, 2025. 🛑

What’s the fix? 

Update to Firefox 128+ (or ESR 115.13+ for long-term users). 

Applies to Windows, macOS, Linux, and Android (but not iOS/iPadOS).

Tor Browser users should update as well.

Without this update, add-ons may disable themselves, security alerts may stop working, and some DRM content won’t play. Don't risk it—update now! 🚀

🛡️ Microsoft Patch Tuesday: 57 Bugs Squashed, 6 Zero-Days Exploited! 💀

Microsoft just patched 57 security flaws, including 6 actively exploited zero-days! ⚠️ 

Key risks include:

  • Win32 Kernel flaw (CVE-2025-24983) used by malware to gain SYSTEM privileges.

  • NTFS & FAT file system bugs allowing attackers to steal data or execute malicious code.

  • Microsoft Management Console bypass (CVE-2025-26633) helping attackers evade security checks.

The U.S. CISA has added these to its Known Exploited Vulnerabilities (KEV) list, requiring agencies to patch by April 1, 2025. If you haven't updated yet, do it now to stay protected! 🔒

Now, on to this week’s hottest cybersecurity news stories: 

  • ⛩️ Japan-attack: PHP-CGI RCE flaw exploited in attacks galore 👨🏻‍💻

  • 🌐 Juniper networks beware! Chinese hackers are out en masse 👨‍👨‍👧‍👧

  • 🎭 Fake Play Store scam targets global users: PlayPraetor Trojan 🐴

Don’t Japanic 😨

🎯 Unknown Hackers Target Japanese Organizations via PHP Vulnerability

A mystery hacking group has been exploiting CVE-2024-4577, a remote code execution (RCE) flaw in PHP-CGI on Windows, to infiltrate Japanese companies across tech, telecom, education, e-commerce, and entertainment sectors since January 2025.

🔥 How the Attack Works

🔹 Exploits PHP-CGI vulnerability for initial access

🔹 Deploys Cobalt Strike (TaoWu plugins) via PowerShell for remote control 📡

🔹 Moves laterally using privilege escalation tools (JuicyPotato, RottenPotato, SweetPotato)

🔹 Hides traces by deleting event logs (wevtutil commands)

🔹 Steals passwords & NTLM hashes using Mimikatz 🛑

🛠️ Hacker Toolset (Exposed on Alibaba Cloud)

🔹 BeEF – Executes browser-based attacks 🍖

🔹 Viper C2 – Runs remote commands & reverse shell payloads 🐍

🔹 Blue-Lotus – Web shell framework for XSS, cookie theft & CMS hijacking 🌐

🕵️ What’s Their Goal?

Researchers suspect more than just credential theft—the attackers are gaining SYSTEM privileges and setting up persistence, suggesting long-term espionage or future attacks.

🔐 How to Stay Protected

Patch PHP-CGI (CVE-2024-4577) immediately 🔄

Monitor for unusual PowerShell activity & log deletions 📊

Restrict execution of privilege escalation tools 🚫

Strengthen defenses against Cobalt Strike & web shell attacks 🛡️

With sophisticated tactics and stealthy tools, these hackers pose a serious threat—stay alert and secure your systems! 🚨
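One way to put the "monitor for unusual PowerShell activity & log deletions" advice into practice, as an added example that is not from the original article or the researchers' report: a small Python triage script that runs a few detection rules over constructed Sysmon-style process-creation lines covering the wevtutil log clearing, encoded PowerShell launched by php-cgi.exe, and Potato tool names described above. The field layout, the sample events and the rule names are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events (Sysmon Event ID 1 fields flattened to
# "key=value|key=value" lines). Hypothetical telemetry, not from a real incident.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\wevtutil.exe|CommandLine=wevtutil cl Security"
    "|ParentImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell -nop -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"
    "|ParentImage=C:\\php\\php-cgi.exe",  # placeholder base64, not a real payload
    "Image=C:\\Windows\\System32\\svchost.exe|CommandLine=svchost.exe -k netsvcs"
    "|ParentImage=C:\\Windows\\System32\\services.exe",
    "Image=C:\\Users\\Public\\SweetPotato.exe|CommandLine=SweetPotato.exe"
    "|ParentImage=C:\\Windows\\System32\\cmd.exe",
    "Image=C:\\Windows\\System32\\wevtutil.exe|CommandLine=wevtutil qe Security /c:5"
    "|ParentImage=C:\\Windows\\System32\\cmd.exe",  # benign query, must not alert
]

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
POTATO = re.compile(r"(juicy|rotten|sweet)potato", re.I)
ENCODED = re.compile(r"\s-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)
CLEAR_LOG = re.compile(r"^\s*wevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", re.I)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def parse_event(line: str) -> Dict[str, str]:
    return dict(field.split("=", 1) for field in line.split("|"))

def classify(event: Dict[str, str]) -> List[str]:
    image, parent = basename(event.get("Image", "")), basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    hits: List[str] = []
    if image == "wevtutil.exe" and CLEAR_LOG.search(cmd):
        hits.append("event_log_cleared")        # "wevtutil cl": the trace-removal step
    if image in SHELLS and ENCODED.search(cmd):
        hits.append("encoded_powershell")       # -enc loaders are how the C2 gets staged
    if parent == "php-cgi.exe" and image in SHELLS:
        hits.append("webserver_spawned_shell")  # php-cgi.exe should never launch a shell
    if POTATO.search(image) or POTATO.search(cmd):
        hits.append("potato_privesc_name")      # name-based hint only; renamed binaries evade it
    return hits

def scan(lines: List[str]) -> Dict[int, List[str]]:
    # Map each alerting event's index to the rules it tripped; silent events are omitted.
    return {i: h for i, line in enumerate(lines) if (h := classify(parse_event(line)))}
```

The two wevtutil lines show why the rule keys on the `cl`/`clear-log` verb rather than the binary name: querying logs is routine admin work, clearing them mid-intrusion is not.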

Learn AI in 5 minutes a day

This is the easiest way for a busy person wanting to learn AI in as little time as possible:

  1. Sign up for The Rundown AI newsletter

  2. They send you 5-minute email updates on the latest AI news and how to use it

  3. You learn how to become 2x more productive by leveraging AI

Sign up to start learning.

Heard about the Chinese Hackfather? He sent them some code they couldn’t understand. 🗣️

🚨 China-Linked Hackers Target Juniper Routers with Custom Backdoors 🚪

The China-backed hacking group UNC3886 is infiltrating outdated Juniper MX routers, deploying custom TinyShell-based backdoors to spy on networks and evade detection.

🎯 Who’s Affected?

🔹 Defense, telecom, and tech sectors in the U.S. & Asia

🔹 Organizations using end-of-life Juniper routers

🔥 How the Attack Works

⚠️ Gains privileged access via compromised credentials

⚠️ Injects malware into legitimate Junos OS processes 🛠️

⚠️ Disables logging before executing commands, then restores logs 🕵️‍♂️

⚠️ Uses rootkits & SSH hijacking tools to maintain persistence

🛠️ Custom Backdoors & Implants

🔹 appid and to – Remote control via SOCKS proxy & command execution

🔹 irad – Stealthy packet sniffer for extracting commands

🔹 lmpad – Memory injection tool to disable logging

🔹 jdosd – UDP-based remote shell for file transfer

🔹 oemd – TCP backdoor for executing commands

🛑 How to Defend Against UNC3886

Upgrade Juniper routers to patched versions 🛡️

Monitor for unusual system modifications & log tampering 📊

Restrict administrative access & enforce MFA 🔑

Deploy forensic tools to detect passive backdoors 🔍 

UNC3886’s stealth tactics & deep system knowledge make these attacks highly persistent—organizations must act fast to secure their networks! 🚧

You gotta Play to win 🏆

🚨 PlayPraetor Trojan: Global Google Play Scam Exposed 🧠

Cybercriminals are tricking users with fake Google Play Store pages to distribute PlayPraetor, a powerful malware that steals banking credentials, logs keystrokes, and hijacks cryptocurrency transactions. Over 6,000 fraudulent pages have been uncovered by cybersecurity firm CTM360.

🎭 How the Scam Works

🔹 Fake Google Play Pages – Lookalike sites distribute malicious APKs

🔹 Trojanized Apps – Malware disguises as legitimate apps 🕵️‍♂️

🔹 Dangerous Permissions – Gains control via Accessibility Services

🔹 Banking Fraud – Targets banking & crypto apps, intercepting MFA codes 🔑

🛠️ PlayPraetor’s Attack Strategy

CTM360’s Scam Navigator outlines six key stages:

1️⃣ Fake Domains – Mimic Google Play & government sites

2️⃣ Phishing Traps – Victims lured via ads, SMS, & social media

3️⃣ Malware Distribution – Trojanized apps infect devices

4️⃣ Credential Theft – Keyloggers & clipboard monitoring steal data

5️⃣ Monetization – Stolen accounts sold on the dark web 💰

6️⃣ Botnet Operations – Infected devices used for ad fraud & cybercrime

🛡️ How to Protect Yourself

Download apps ONLY from official stores (Google Play, Apple App Store)

Verify app developers & read user reviews

Deny unnecessary permissions, especially Accessibility Services

Use mobile security software to block malware

Stay informed on emerging threats

With over 6,000 fraudulent pages detected, PlayPraetor is one of the most widespread mobile scams ever—stay vigilant! ⚠️

🗞️ Extra, Extra! Read all about it! 🗞️

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • 🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday 📅

  • 💵 Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders for 🆓

  • 📈Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾

Let us know what you think.

So long and thanks for reading all the phish!
