Anomali Cyber Watch: Scattered Spider Hacking Spree, Iranian Cyber Threats, PDF Phishing Campaigns, and More


This edition of Anomali Cyber Watch covers threat intelligence related to the following topics: Scattered Spider, Iranian cyber threats, Chrome V8 vulnerabilities, Living Off the Land (LOTL) techniques, PDF phishing campaigns, Vercel's v0 AI tool, Cisco vulnerabilities, Chinese hackers, Sudo vulnerabilities, and NightEagle APT. The IoCs related to these stories are referenced below and can be used by Anomali ThreatStream users to check for potential malicious activity.
Scattered Spider Hacking Spree Continues With Airline Sector Attacks
(published: June 30, 2025)
A wave of cyberattacks is hitting the airline industry, disrupting not only carriers but also their third-party vendors. Recent incidents at Hawaiian Airlines and WestJet point to a broader campaign against aviation services in which the attackers rely on social engineering rather than technical exploits to get past security controls. According to an FBI alert, the actors use vishing, deepfakes, and impersonation of employees or contractors to deceive IT help desks into granting access, frequently sidestepping MFA by convincing help desk staff to add unauthorized MFA devices to the targeted accounts. Mandiant and Palo Alto Networks report similar activity across the sector. The campaign's focus on identity manipulation and supplier access suggests a deliberate effort to exploit weak points in airline help-desk workflows and vendor relationships.
Analyst Comment: The focus on airlines and their suppliers highlights how attackers are exploiting operational dependencies, not just technical weaknesses. Help desks and third-party vendors often represent overlooked entry points, and Scattered Spider is capitalizing on that gap with convincing impersonation tactics. To mitigate this, organizations should implement strict identity verification for support requests, reduce standing vendor access, and regularly audit help desk procedures.
MITRE ATT&CK: T1566.004 - Phishing: Spearphishing Voice | T1588.002 - Obtain Capabilities: Tool | T1556.006 - Modify Authentication Process: Multi-Factor Authentication | T1656 - Impersonation
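The help-desk pattern described above leaves a recognisable trace in identity-provider audit logs: a credential reset performed by a support account, followed minutes later by enrolment of a new MFA factor from an address the organisation does not own. The following is an added example for this digest, not FBI, Mandiant, or vendor tooling; the event schema (time, actor, target, action, ip), the action names, the trusted address ranges and the events themselves are constructed assumptions.

```python
"""Correlate help-desk credential resets with MFA factor enrolment.

Added example for this digest, not tooling from the FBI, Mandiant or any
identity vendor. The event schema (time, actor, target, action, ip) and the
action names are assumptions loosely modelled on identity-provider audit
logs; the events themselves are constructed.
"""
from datetime import datetime, timedelta

# Constructed sample audit events (not real data), deliberately out of order.
EVENTS = [
    {"time": "2025-06-28T14:02:10", "actor": "helpdesk.agent1", "target": "j.doe",
     "action": "user.password.reset", "ip": "10.20.0.15"},
    {"time": "2025-06-28T14:09:44", "actor": "j.doe", "target": "j.doe",
     "action": "user.mfa.factor.activate", "ip": "198.51.100.77"},
    {"time": "2025-06-28T14:11:03", "actor": "j.doe", "target": "j.doe",
     "action": "user.session.start", "ip": "198.51.100.77"},
    # Benign: reset followed by enrolment from the office network.
    {"time": "2025-06-28T15:30:00", "actor": "helpdesk.agent2", "target": "a.lee",
     "action": "user.password.reset", "ip": "10.20.0.16"},
    {"time": "2025-06-28T15:34:00", "actor": "a.lee", "target": "a.lee",
     "action": "user.mfa.factor.activate", "ip": "10.20.3.40"},
    # Benign: enrolment a full day after the reset.
    {"time": "2025-06-27T09:00:00", "actor": "helpdesk.agent1", "target": "m.ray",
     "action": "user.password.reset", "ip": "10.20.0.15"},
    {"time": "2025-06-28T09:00:00", "actor": "m.ray", "target": "m.ray",
     "action": "user.mfa.factor.activate", "ip": "203.0.113.9"},
]

# Assumed corporate address space; a real deployment would use proper CIDR
# matching (ipaddress module) against known office, VPN and egress ranges.
TRUSTED_PREFIXES = ("10.", "192.168.")
RESET_ACTIONS = {"user.password.reset", "user.mfa.factor.reset"}
ENROLL_ACTIONS = {"user.mfa.factor.activate", "user.mfa.factor.enroll"}


def _ts(value):
    return datetime.fromisoformat(value)


def find_suspicious_resets(events, window_minutes=30):
    """Return (target, reset_time, enroll_time, ip) for every reset performed
    on someone else's behalf that is followed within the window by MFA
    enrolment for that account from an address outside the trusted ranges."""
    window = timedelta(minutes=window_minutes)
    ordered = sorted(events, key=lambda e: _ts(e["time"]))
    hits = []
    for i, reset in enumerate(ordered):
        # Only resets an operator performed for another account are of interest.
        if reset["action"] not in RESET_ACTIONS or reset["actor"] == reset["target"]:
            continue
        for later in ordered[i + 1:]:
            if _ts(later["time"]) - _ts(reset["time"]) > window:
                break  # events are sorted, nothing later can be inside the window
            if (later["target"] == reset["target"]
                    and later["action"] in ENROLL_ACTIONS
                    and not later["ip"].startswith(TRUSTED_PREFIXES)):
                hits.append((reset["target"], reset["time"], later["time"], later["ip"]))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_resets(EVENTS):
        print("ALERT: help-desk reset followed by MFA enrolment from untrusted IP:", hit)
```

The detection deliberately keys on the actor/target mismatch rather than on the help-desk account name, so it also catches a compromised admin account resetting credentials for someone else; tune the window and the trusted ranges to the environment, and treat any hit as grounds to call the user back on a number already on file.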
U.S. Warns of Iranian Cyber Threats on Critical Infrastructure
(published: June 30, 2025)
U.S. cybersecurity agencies, including CISA, the FBI, the NSA, and DoD's DC3, have issued a joint advisory warning that Iran-affiliated cyber actors and hacktivist groups may exploit unpatched systems, default passwords, and internet-exposed industrial control devices to target critical infrastructure, particularly the Defense Industrial Base and organizations connected to Israeli research or defense firms. No coordinated Iranian cyber campaign against the U.S. has been detected to date, but recent incidents, such as the 2023 compromise of a Pennsylvania water authority through internet-exposed PLCs that still used default credentials, underscore the urgency. The agencies recommend disconnecting OT/ICS assets from the public internet, reviewing CISA's fact sheet, and applying basic cyber hygiene and hardening measures.
Analyst Comment: Iranian-linked actors continue to exploit basic lapses: unpatched systems, exposed PLCs, and weak or default credentials, particularly in OT environments. These are not sophisticated attacks, but they are effective against overlooked assets, and the targeting of critical infrastructure shows intent to disrupt even without a large-scale campaign. Defenders should focus on the essentials: isolate OT from public networks, enforce strong authentication, and monitor for early signs of intrusion. Closing these gaps offers the most immediate protection.
MITRE ATT&CK: T1078 - Valid Accounts | T1110 - Brute Force | T1110.003 - Brute Force: Password Spraying | T1190 - Exploit Public-Facing Application | T1082 - System Information Discovery | T1041 - Exfiltration Over C2 Channel | T1499 - Endpoint Denial Of Service
Chrome V8 Type‑Confusion Zero‑Day (CVE‑2025‑6554)
(published: July 1, 2025)
Google has released emergency patches for a high-severity zero-day (CVE-2025-6554) in Chrome's V8 JavaScript and WebAssembly engine. The type confusion flaw lets a remote attacker who lures a user to a crafted HTML page obtain arbitrary memory read/write within the renderer process. Reported by Clement Lecigne of Google's Threat Analysis Group on June 25, the bug was mitigated by a configuration change pushed to the Stable channel on June 26 and fully patched on July 1 in Chrome 138.x.xxxxx for Windows, macOS, and Linux. Google confirmed active exploitation and urged immediate updates. This is the fourth actively exploited Chrome zero-day this year, after CVE-2025-2783, CVE-2025-4664, and CVE-2025-5419.
Analyst Comment: A fourth actively exploited Chrome zero-day this year underlines that browser exploits remain a reliable initial access vector. V8 flaws are especially dangerous because they are triggered simply by rendering attacker-controlled web content, although a renderer compromise still has to be chained with a sandbox escape to reach the host. Google's response was fast; defenders must match it. Ensure automatic updates are enabled, confirm patch compliance using the browser version each endpoint actually reports rather than the deployment record, and consider browser isolation or exploit mitigation tooling for high-risk users.
MITRE ATT&CK: T1203 - Exploitation For Client Execution | T1611 - Escape To Host
Living Off the Land: 84% of High-Severity Attacks Exploit Legitimate Tools
(published: July 1, 2025)
An analysis of over 700,000 cybersecurity incidents has revealed that 84% of high-severity attacks involved Living Off the Land (LOTL) techniques, where adversaries abuse legitimate system tools already present on endpoints. The most frequently exploited was netsh.exe, observed in roughly one-third of critical intrusions, followed by PowerShell, wscript, cscript, and deprecated tools like WMIC. These utilities allow attackers to operate with stealth, often evading traditional detection methods by mimicking administrative behavior.
Analyst Comment: The misuse of legitimate tools like netsh.exe and PowerShell highlights a core defense challenge: spotting malicious activity that blends in with routine operations. Rather than blocking these tools outright, organizations should monitor for abnormal usage patterns (unusual parent processes, encoded or hidden command lines, scripts run from user-writable paths), apply strict access controls, and disable outdated utilities like WMIC where possible. The goal is context-aware detection that distinguishes misuse from legitimate administration.
MITRE ATT&CK: T1059.001 - Command and Scripting Interpreter: PowerShell | T1059.003 - Command and Scripting Interpreter: Windows Command Shell | T1047 - Windows Management Instrumentation | T1218 - System Binary Proxy Execution | T1036 - Masquerading
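Context-aware detection of the utilities named above means scoring the command line and the parent process rather than the binary name alone. The block below is an added example for this digest, not part of the cited analysis or any vendor product; the event shape (image, cmdline, parent) is an assumption modelled on Sysmon Event ID 1 / Security 4688 fields, the rules are illustrative, and the sample events are constructed.

```python
"""Score Windows process-creation events for living-off-the-land abuse.

Added example, not part of the original analysis or any vendor product. The
event shape (image, cmdline, parent) is an assumption modelled on Sysmon
Event ID 1 / Security 4688 fields, and the sample events are constructed.
"""
import re

# (binary names, regex over the lower-cased command line, description, weight)
RULES = [
    ("netsh.exe", r"portproxy\s+add", "netsh portproxy (traffic redirect/pivot)", 5),
    ("netsh.exe", r"advfirewall\s+(firewall\s+add\s+rule|set\s+\w+\s+state\s+off)",
     "firewall rule added or profile disabled", 4),
    ("netsh.exe", r"wlan\s+show\s+profile.*key=clear", "Wi-Fi credential dump", 4),
    ("powershell.exe|pwsh.exe", r"-(e|ec|enc|encodedcommand)\s+[a-z0-9+/=]{20,}",
     "encoded command", 4),
    ("powershell.exe|pwsh.exe",
     r"downloadstring|downloadfile|iex\b|invoke-expression|frombase64string",
     "download-and-run or decode primitive", 4),
    ("powershell.exe|pwsh.exe", r"-(w|windowstyle)\s+hidden|-nop\b|-noprofile\b|-noni\b",
     "stealth switches", 2),
    ("wscript.exe|cscript.exe", r"\.(js|jse|vbs|vbe|wsf)\b.*(appdata|\\temp\\|\\public\\)",
     "script run from a user-writable directory", 3),
    ("wmic.exe", r"process\s+call\s+create", "WMIC process spawn", 4),
    ("wmic.exe", r"/node:", "WMIC aimed at a remote host", 3),
]
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh interface portproxy add v4tov4 listenport=3389 connectaddress=10.0.0.5 connectport=3389",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh interface show interface",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": 'wmic /node:fileserver01 process call create "cmd /c whoami"',
     "parent": r"C:\Windows\System32\cmd.exe"},
]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event):
    """Return (score, reasons) for one event; 0 means no rule fired."""
    image, parent = _basename(event["image"]), _basename(event["parent"])
    cmd = event["cmdline"].lower()
    score, reasons = 0, []
    for names, pattern, desc, weight in RULES:
        if image in names.split("|") and re.search(pattern, cmd):
            score += weight
            reasons.append(desc)
    if reasons and parent in OFFICE_PARENTS:   # LOLBin spawned by Office: strong signal
        score += 3
        reasons.append(f"spawned by Office process {parent}")
    return score, reasons


def triage(events, threshold=4):
    """Indices, scores and reasons of events at or above the threshold."""
    out = []
    for idx, ev in enumerate(events):
        score, reasons = score_event(ev)
        if score >= threshold:
            out.append((idx, score, reasons))
    return out


if __name__ == "__main__":
    for idx, score, reasons in triage(SAMPLE_EVENTS):
        print(f"event {idx}: score {score}: {'; '.join(reasons)}")
```

The plain `netsh interface show interface` scores zero while the `portproxy add` call scores high, which is the point: the verdict comes from what the tool was asked to do and who asked it, not from the tool itself. Feed it real process-creation telemetry and tune the weights against your own administrators' baseline before alerting.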
Hackers Using PDFs to Impersonate Microsoft, DocuSign, and More in Callback Phishing Campaigns
(published: July 2, 2025)
Cybersecurity researchers warn of rising phishing campaigns using PDF attachments that impersonate trusted brands to prompt victims into calling attacker-controlled phone numbers. Cisco Talos analyzed threats from May 5–June 5, 2025, finding Microsoft and DocuSign are most frequently spoofed, followed by NortonLifeLock, PayPal, and Geek Squad. This "callback phishing" or Telephone-Oriented Attack Delivery (TOAD) lures recipients via social engineering tactics; once they dial the number, threat actors attempt to steal credentials or perform fraud. Attackers exploit PDFs’ perceived safety, embedding malicious links, QR codes, or login prompts, a trend corroborated by past reports from McAfee and Trustwave on PDF weaponization. TOAD campaigns bypass email filters by avoiding executable attachments, relying instead on social pressure and trust in brand logos.
Analyst Comment: This campaign highlights how attackers exploit trusted file formats and brands to sidestep technical controls through phone-based social engineering. By shifting the interaction offline, they evade filters and rely on human error. Mitigation should combine email filtering, phishing simulations that include callback lures, and clear policies for verifying unexpected requests. A culture of caution and verification remains key to reducing risk.
MITRE ATT&CK: T1566.001 - Phishing: Spearphishing Attachment | T1566.002 - Phishing: Spearphishing Link | T1566.004 - Phishing: Spearphishing Voice | T1204.002 - User Execution: Malicious File | T1204.001 - User Execution: Malicious Link
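Because a callback lure carries no executable, the useful indicators are the ones Talos describes: a trusted brand name, a phone number in the page text, and possibly a link action. The following is an added example for this digest, not Cisco Talos tooling; it reads text strings and /URI actions straight out of the PDF syntax (inflating FlateDecode streams with zlib where present), and the PDF it scans is constructed to mimic a lure rather than taken from a real campaign.

```python
"""Triage a PDF attachment for callback-phishing (TOAD) indicators.

Added example, not Cisco Talos tooling. It pulls page text and /URI link
actions straight out of the PDF syntax (inflating FlateDecode streams with
zlib when present) and looks for phone numbers and impersonated brand names.
The PDF below is constructed to mimic a lure; it is not a real sample.
"""
import re
import zlib

SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]
   /Contents 4 0 R /Annots [5 0 R] >> endobj
4 0 obj << /Length 150 >>
stream
BT /F1 14 Tf 72 720 Td (Microsoft 365 subscription renewed: $399.99) Tj
0 -20 Td (To cancel, call support at 1-888-555-0142 within 24 hours) Tj ET
endstream
endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [72 600 300 620]
   /A << /S /URI /URI (https://account-verify.example/login) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

BRANDS = ("microsoft", "docusign", "norton", "paypal", "geek squad")
# North American number formats; extend for the regions you receive mail from.
PHONE_RE = re.compile(rb"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
URI_RE = re.compile(rb"/URI\s*\((.*?)\)")
# A literal string "(...)" immediately followed by the Tj show-text operator.
TEXT_RE = re.compile(rb"\(((?:[^()\\]|\\.)*)\)\s*Tj")
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)


def _streams(data):
    """Yield stream bodies, inflated when they are zlib/FlateDecode data."""
    for m in STREAM_RE.finditer(data):
        body = m.group(1)
        try:
            yield zlib.decompress(body)
        except zlib.error:
            yield body          # stored uncompressed, use as-is


def triage_pdf(data):
    """Return phone numbers, link targets, spoofed brands and a verdict."""
    text = b" ".join(m.group(1) for s in _streams(data) for m in TEXT_RE.finditer(s))
    phones = sorted({m.group(0).decode() for m in PHONE_RE.finditer(text)})
    uris = [m.group(1).decode(errors="replace") for m in URI_RE.finditer(data)]
    brands = [b for b in BRANDS if b.encode() in text.lower()]
    if phones and brands:
        verdict = "suspicious"      # brand name plus a number to call is the TOAD pattern
    elif phones or uris or brands:
        verdict = "review"
    else:
        verdict = "clean"
    return {"phones": phones, "uris": uris, "brands": brands, "verdict": verdict}


if __name__ == "__main__":
    print(triage_pdf(SAMPLE_PDF))
```

This covers text and link actions only: a number rendered inside an image or a QR code will not be seen without image extraction and decoding, and object streams or encrypted documents need a full PDF parser. The flagged numbers are the artefact worth sharing, since the same callback numbers recur across lures that otherwise look different.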
Vercel’s v0 AI Tool Weaponized by Cybercriminals to Rapidly Create Fake Login Pages at Scale
(published: July 2, 2025)
Unknown threat actors have been leveraging Vercel’s recently released generative AI tool, v0, to produce convincing phishing pages that replicate legitimate brand login portals. According to Okta Threat Intelligence, attackers can now generate fully functional sign-in pages—complete with logos and branding—by inputting simple textual prompts. These phishing sites are hosted on Vercel's own infrastructure, lending them legitimacy and making them harder to detect. Vercel has since blocked access following responsible disclosure. The quick creation and hosting bypass the technical barriers traditionally associated with phishing, and the proliferation of open-source clones increases the risk. Analysts warn this marks a significant shift in phishing tactics: generative AI is now enabling low-skilled criminals to conduct high-quality, scalable deception campaigns.
Analyst Comment: The abuse of Vercel’s v0 tool shows how generative AI is lowering the bar for phishing, enabling attackers to create polished fake login pages with minimal effort. This calls for a shift from user-focused defenses to stronger technical controls. Phishing-resistant authentication, domain binding, and device posture checks should be prioritized.
MITRE ATT&CK: T1566 - Phishing | T1583.001 - Acquire Infrastructure: Domains | T1585 - Establish Accounts
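The "domain binding" recommended above is what makes a generated look-alike page useless against passkeys: the browser writes the page's origin into the signed client data, and the authenticator scopes the credential to the relying party ID, so the server rejects anything produced on another host. The block below is an added example for this digest, not Okta's or Vercel's code; it implements only the origin, RP ID and challenge checks of WebAuthn assertion verification (signature verification is omitted), and the origins, RP ID and credential data are constructed.

```python
"""Why a cloned login page cannot replay a passkey: the relying party checks
the origin inside clientDataJSON and the rpIdHash in authenticatorData, so
an assertion produced on a lookalike host fails verification.

Added example, not Okta's or Vercel's code. It implements only the
origin/rpId/challenge steps of WebAuthn assertion verification (signature
verification is omitted); origins, RP ID and credential data are constructed.
"""
import base64
import hashlib
import json

EXPECTED_ORIGIN = "https://login.example.com"   # assumed legitimate RP origin
EXPECTED_RP_ID = "login.example.com"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_assertion(origin, rp_id, challenge):
    """Simulate the client data a browser emits for the page it is on and the
    authenticator data for the RP ID the key is scoped to (constructed)."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": origin,              # set by the browser, not by page script
    }).encode()
    # authenticatorData = rpIdHash(32) | flags(1) | signCount(4)
    flags = 0x05                       # user present + user verified
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([flags]) + (0).to_bytes(4, "big"))
    return {"clientDataJSON": b64url(client_data), "authenticatorData": b64url(auth_data)}


def verify_binding(assertion, expected_challenge):
    """Return (ok, reason) for the binding checks a relying party performs."""
    client = json.loads(b64url_decode(assertion["clientDataJSON"]))
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (replayed or stale assertion)"
    if client.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin {client.get('origin')!r} is not the relying party"
    auth = b64url_decode(assertion["authenticatorData"])
    if auth[:32] != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        return False, "rpIdHash mismatch (credential scoped to another RP)"
    if not auth[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


if __name__ == "__main__":
    challenge = b"constructed-challenge-123"
    genuine = make_assertion("https://login.example.com", "login.example.com", challenge)
    cloned = make_assertion("https://login.example-com.app", "login.example-com.app", challenge)
    print("genuine page:", verify_binding(genuine, challenge))
    print("cloned page :", verify_binding(cloned, challenge))
```

A real verifier additionally checks the signature over authenticatorData and the hash of clientDataJSON with the stored public key, and compares the sign counter; those steps are omitted here because the binding failure already happens before them. The practical consequence for the v0 abuse above is that a perfect visual clone captures nothing reusable when the victim authenticates with a passkey.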
Critical Cisco Vulnerability Grants Remote Root Access via Hard-Coded SSH Credentials
(published: July 2, 2025)
A critical flaw (CVE‑2025‑20309; CVSS 10.0) has been identified in Cisco Unified Communications Manager (Unified CM) and Unified CM Session Management Edition (SME) ES versions 15.0.1.13010‑1 to 15.0.1.13017‑1. The vulnerability stems from a hard‑coded root SSH account meant for development, which cannot be altered or removed, allowing unauthenticated attackers to log in remotely as root and execute arbitrary commands. Cisco discovered the flaw during internal testing, with no evidence of exploitation so far. Indicators of compromise include root login entries in /var/log/active/syslog/secure. The only resolution is applying the patch CSCwp27755 or upgrading to release 15SU3; no workaround exists. Security teams are advised to immediately patch, restrict SSH access to trusted networks, audit logs, and segment management interfaces.
Analyst Comment: The static nature of these credentials significantly simplifies the task for potential attackers, making this vulnerability particularly dangerous. Although not yet exploited, the ease of abuse warrants immediate attention. Organizations reliant on Unified CM must quickly assess their environments, prioritize vulnerable systems, and expedite patch deployment. Given the severity, this incident also underscores the importance of proactive internal security assessments for uncovering similar latent risks before they become actively exploited threats.
MITRE ATT&CK: T1210 - Exploitation Of Remote Services | T1078 - Valid Accounts | T1059 - Command And Scripting Interpreter
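The indicator Cisco names is simple to hunt for: the hard-coded account should never log in, so any successful root SSH login in /var/log/active/syslog/secure is worth an incident ticket. The block below is an added example for this digest, not Cisco's tooling or advisory text; the log lines are constructed in OpenSSH's syslog format, which is an assumption about what the appliance writes, and the build-range check uses the ES versions quoted above.

```python
"""Hunt for the CVE-2025-20309 indicator on Cisco Unified CM: any SSH login
as root in /var/log/active/syslog/secure, plus a check of whether a reported
ES build falls inside the affected range.

Added example, not Cisco's tooling or advisory text. The log lines are
constructed in OpenSSH's syslog format, which is an assumption about what the
appliance writes; retrieve the real file through the platform CLI before
running this against it.
"""
import re

SAMPLE_SECURE_LOG = """\
Jul  1 02:14:07 cucm-pub sshd[18422]: Accepted password for admin from 10.10.5.20 port 51122 ssh2
Jul  1 03:41:55 cucm-pub sshd[19107]: Accepted password for root from 203.0.113.45 port 44310 ssh2
Jul  1 03:42:01 cucm-pub sshd[19107]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jul  1 03:58:12 cucm-pub sshd[19310]: Failed password for root from 203.0.113.45 port 44890 ssh2
Jul  1 09:02:33 cucm-pub sshd[20011]: Accepted publickey for root from 10.10.5.20 port 50001 ssh2
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+)"
)
AFFECTED_LOW, AFFECTED_HIGH = "15.0.1.13010-1", "15.0.1.13017-1"


def root_ssh_logins(log_text):
    """Every successful SSH login as root: (timestamp, auth method, source IP).
    The hard-coded account should never be used, so any hit is an IoC,
    including ones from internal addresses."""
    hits = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m and m["user"] == "root":
            hits.append((m["ts"], m["method"], m["ip"]))
    return hits


def _build_tuple(version):
    # "15.0.1.13012-1" -> (15, 0, 1, 13012, 1) so comparison is numeric, not lexical
    return tuple(int(x) for x in re.split(r"[.-]", version))


def is_affected_build(version):
    """True when an ES build string sits in the range Cisco lists as vulnerable."""
    return _build_tuple(AFFECTED_LOW) <= _build_tuple(version) <= _build_tuple(AFFECTED_HIGH)


if __name__ == "__main__":
    for ts, method, ip in root_ssh_logins(SAMPLE_SECURE_LOG):
        print(f"IoC: root login via {method} from {ip} at {ts}")
    print("15.0.1.13012-1 affected:", is_affected_build("15.0.1.13012-1"))
```

Failed root attempts are not matched on purpose: they indicate scanning and are worth a separate, lower-priority alert, while an accepted login on an affected build is the signal that the hard-coded account was actually used. Restricting SSH on the management interface to a jump host makes the source IP in any hit immediately meaningful.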
Chinese Hackers Exploit Ivanti CSA Zero-Days to Breach French Networks
(published: July 3, 2025)
A China-linked hacking group tracked as Houken, which may overlap with Mandiant's UNC5174, weaponized three then-zero-day vulnerabilities in Ivanti Cloud Services Appliance (CSA): CVE-2024-8963, CVE-2024-8190, and CVE-2024-9380. Targets included French government, finance, telecoms, media, and transport organizations. The attackers chained the flaws to bypass authentication, harvested credentials, deployed web shells, and installed a kernel-module rootkit for persistence. They then patched the bugs they had exploited, denying other intruders the same entry point. U.S. CISA and the FBI have confirmed similar exploit chains in the wild and urge upgrades and detection efforts.
Analyst Comment: The attackers’ decision to patch Ivanti CSA vulnerabilities after exploitation is notable, reflecting a deliberate effort to maintain exclusive control and prevent competing threat groups from gaining entry. By closing the exploited entry points, Houken effectively blocked rival intrusions, highlighting a strategic evolution in adversary tradecraft. Organizations must respond by rapidly patching known Ivanti vulnerabilities, verifying the integrity of existing installations, and monitoring closely for unauthorized patches or modifications.
MITRE ATT&CK: T1071.001 - Application Layer Protocol: Web Protocols | T1068 - Exploitation For Privilege Escalation | T1552.001 - Unsecured Credentials: Credentials In Files | T1505.003 - Server Software Component: Web Shell | T1548.003 - Abuse Elevation Control Mechanism: Sudo And Sudo Caching | T1564.002 - Hide Artifacts: Hidden Users | T1595.002 - Active Scanning: Vulnerability Scanning | T1219 - Remote Access Software
Critical Sudo Vulnerabilities Let Local Users Gain Root Access
(published: July 4, 2025)
Cybersecurity researchers have disclosed two vulnerabilities in the widely used Sudo utility that let local users on Linux and Unix-like systems escalate privileges to root. CVE-2025-32462 (CVSS 2.8) lies in the "-h/--host" option: when the sudoers file grants a user commands on a host other than ALL or the current one, passing that host name lets the command run on the local machine. The bug dates to 2013 and affects versions 1.8.8 through 1.9.17. CVE-2025-32463 (CVSS 9.3) is far more serious. Introduced with the "-R/--chroot" option in version 1.9.14, it causes sudo to resolve users and groups inside an attacker-supplied chroot before the policy is evaluated, so a crafted /etc/nsswitch.conf in that directory makes sudo load an arbitrary shared library as root; no sudoers entry for the attacking user is required. Both issues were reported on April 1, 2025, and fixed in Sudo 1.9.17p1, which also deprecates the chroot option. Major distributions, including Ubuntu, Debian, Red Hat, SUSE, Alpine, and Amazon Linux, have released updates. Administrators should update immediately and audit any use of host or chroot options.
Analyst Comment: These Sudo flaws show how long-standing, low-visibility features can carry serious risk. CVE-2025-32463 is the urgent one: it requires no sudoers entry for the attacking user, so any local account on an affected version can reach root. Apply patches immediately, audit any use of host-scoped rules and the chroot option, and disable legacy features that are not essential. Proactive configuration reviews are key to reducing exposure.
MITRE ATT&CK: T1548.003 - Abuse Elevation Control Mechanism: Sudo And Sudo Caching
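The two version boundaries and the two sudoers constructs above are easy to get wrong by hand (1.9.17 is affected, 1.9.17p1 is not). The block below is an added example for this digest, not from the advisory or the sudo project; it parses the `sudo --version` banner, reports which CVEs a build is exposed to, and flags host-scoped rules and chroot usage in a sudoers file. The sudoers text is constructed.

```python
"""Check a sudo version against CVE-2025-32462 / CVE-2025-32463 and flag the
sudoers constructs each bug depends on.

Added example, not from the advisory or the sudo project. Version parsing
follows the `sudo --version` banner ("Sudo version 1.9.15p5"); the sudoers
text below is constructed.
"""
import re
import subprocess

FIXED = (1, 9, 17, 1)            # 1.9.17p1 fixes both CVEs
HOST_BUG_SINCE = (1, 8, 8)       # CVE-2025-32462: -h/--host handling since 1.8.8
CHROOT_SINCE = (1, 9, 14)        # CVE-2025-32463: -R/--chroot introduced in 1.9.14


def parse_version(banner):
    """'Sudo version 1.9.15p5' -> (1, 9, 15, 5); no patch level -> 0."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", banner)
    if not m:
        raise ValueError("no sudo version found in banner")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def exposed_cves(version):
    """CVE IDs an unpatched version is exposed to (empty once at 1.9.17p1+)."""
    cves = set()
    if version >= FIXED:
        return cves
    if version[:3] >= HOST_BUG_SINCE:
        cves.add("CVE-2025-32462")
    if version[:3] >= CHROOT_SINCE:
        cves.add("CVE-2025-32463")
    return cves


SAMPLE_SUDOERS = """\
# constructed sample, not a real policy
Host_Alias BUILD = build01, build02
alice  BUILD = (root) /usr/bin/make
bob    ALL = (root) CHROOT=/srv/jail /bin/sh
Defaults runchroot=/srv/jail
carol  ALL = (ALL) ALL
"""


def audit_sudoers(text):
    """(line number, finding) for host-scoped rules and chroot usage.
    CVE-2025-32463 needs no sudoers entry at all; this only shows where the
    chroot feature is in legitimate use and will need replacing."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        s = line.split("#", 1)[0].strip()
        if not s:
            continue
        if re.search(r"\bCHROOT=|\brunchroot\b", s):
            findings.append((n, "chroot option in use (deprecated after CVE-2025-32463)"))
        if s.startswith("Host_Alias"):
            findings.append((n, "Host_Alias defined (host-scoped rules, relevant to CVE-2025-32462)"))
        elif not s.startswith(("Defaults", "User_Alias", "Runas_Alias", "Cmnd_Alias")):
            # user  host = (runas) command  -> capture the host field
            m = re.match(r"\S+\s+([^=\s]+)\s*=", s)
            if m and m.group(1) != "ALL":
                findings.append((n, f"rule scoped to host '{m.group(1)}' (relevant to CVE-2025-32462)"))
    return findings


def installed_version():
    """Parse the local `sudo --version` banner; None when sudo is absent."""
    try:
        out = subprocess.run(["sudo", "--version"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return parse_version(out.stdout.splitlines()[0]) if out.stdout else None


if __name__ == "__main__":
    v = installed_version()
    print("installed:", v, "exposed to:", sorted(exposed_cves(v)) if v else "n/a")
    for n, msg in audit_sudoers(SAMPLE_SUDOERS):
        print(f"sudoers line {n}: {msg}")
```

Distribution packages often backport the fix without bumping the upstream version string, so treat a "vulnerable" result from the banner as a prompt to check the package changelog rather than a final verdict; the sudoers findings stand on their own.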
NightEagle APT Exploits Microsoft Exchange Flaw to Spy on China’s High-Tech and Military Sectors
(published: July 4, 2025)
Cybersecurity researchers from QiAnXin's RedDrip Team have disclosed a previously unknown threat actor, NightEagle, also tracked as APT-Q-95, that is actively exploiting a Microsoft Exchange zero-day vulnerability to infiltrate organizations in China's military, semiconductor, AI, quantum technology, and government sectors. The attackers deploy a custom .NET loader into the Exchange Server's IIS process, steal the ASP.NET machineKey, and use it to forge serialized data that the server deserializes, implanting a trojan that harvests mailbox data. Once inside, they also install a modified Go-based Chisel tunneling tool, configured to run every four hours, to create covert SOCKS connections for lateral movement. NightEagle's infrastructure rotates rapidly, and its operations fall in Beijing's nighttime (9 p.m. to 6 a.m., roughly 6 a.m. to 3 p.m. Pacific Daylight Time), suggesting a North American West Coast origin.
Analyst Comment: NightEagle appears to be a disciplined and well-equipped, possibly new APT group. Its reported targeting, tooling, and tightly scoped operations point to long-term strategic collection rather than opportunistic attacks. The technical threat is significant, particularly for organizations running on-premises Exchange, but the broader concern is that NightEagle may mark the emergence of a new major player in the APT landscape. Security teams should harden mail infrastructure, treat the ASP.NET machineKey as a secret to rotate after any suspected compromise, monitor for persistence mechanisms such as recurring scheduled tasks, and baseline outbound connections to catch subtle tunneling behavior. Just as importantly, keep an eye on future ACW reports, as we will be tracking NightEagle's activity as it develops.
MITRE ATT&CK: T1190 - Exploit Public-Facing Application | T1059.005 - Command and Scripting Interpreter: Visual Basic | T1053.005 - Scheduled Task/Job: Scheduled Task | T1572 - Protocol Tunneling | T1114.002 - Email Collection: Remote Email Collection | T1090.001 - Proxy: Internal Proxy | T1027 - Obfuscated Files Or Information
