
Cyber Threat Intelligence Report


 

This week, we briefed our clients on a new ransomware group called Warlock, and a new attack technique called DOM-based extension clickjacking.

 

 KEY TAKEAWAYS 

  • New ransomware group Warlock exploiting SharePoint for initial access. Learn their TTPs so you can protect your organization.

  • Clickjacking method presented at DEF CON 33 can be used to steal credentials from password managers.

  • Critical and high-severity vulnerabilities in Cisco FMC, Commvault, Microsoft Windows, and Zoom, plus updates to CISA KEV, patch now!



 

New Kid on the Block: Warlock Ransomware TTPs

Ransomware continues to be one of the biggest cybersecurity threats facing organizations today. While several groups such as Akira, LockBit, and DragonForce have practically become household names, newer groups are constantly forming and quickly making a name for themselves. Warlock is one such group, first appearing in June 2025. Since then, they have claimed multiple victims in North America, Europe, Asia, and Africa, impacting a wide range of industry verticals. In their latest attack wave, this ransomware-as-a-service (RaaS) group exploited the SharePoint "ToolShell" vulnerability to gain initial access and wreak havoc on their victims. The following sections review the recent TTPs in the Warlock attack chain reported by Trend Micro, so organizations can be better prepared to detect and prevent these attacks.

 

Initial Access

Warlock gains initial access through unpatched public-facing on-premises SharePoint servers, leveraging a pair of vulnerabilities known as "ToolShell". Successful exploitation allows the attacker to fully compromise the server, and use it as a beachhead to further enumerate and pivot into the victim's network. 

 

Discovery

One of the first actions observed after Warlock compromised a SharePoint server was downloading the "cloudflared" tool to the host under a different file name. This gives Warlock an encrypted tunnel from the victim's network out to Cloudflare that blends in with ordinary outbound HTTPS traffic. Once the tunnel is established, Warlock begins network discovery, starting with nltest to enumerate trust relationships between Active Directory domains. They then run common, basic CLI commands to profile the host they are on, such as hostname, ipconfig /all, whoami, and tasklist /svc, and were observed using WMI to list installed applications. Finally, they were observed using the net command to enumerate privileged accounts, domain computers, and domain controllers, and quser to list logged-on sessions:

  • cmd /c net group "domain admins"
  • cmd /c net group "domain computers"
  • cmd /c net group "domain controllers"
  • cmd /c quser

 

Privilege Escalation

Warlock was observed activating the built-in "guest" account on Windows devices, changing its password, and then adding the account to the local "administrators" group, giving them administrative privileges on the host. Warlock was also observed creating new Group Policy Objects (GPOs) in order to elevate privileges and establish persistence. And like many ransomware groups today, Warlock was observed using Mimikatz to dump credentials from memory, as well as tools like CrackMapExec or Impacket's secretsdump in order to retrieve password hashes and LSA secrets from the SAM and SECURITY registry hives.

 

Lateral Movement

Warlock heavily leverages Server Message Block (SMB) to copy and move payloads and tools across the network. They were also observed enabling Remote Desktop Protocol (RDP).

 

Execution

Warlock leverages Windows Command Shell to run premade script files and batch jobs to automate many of their tasks. Using the CLI, they copy their tools from a remote share to the Public folder on the compromised host. A batch file is then run to identify and terminate running processes that may hinder their attack, such as AV or EDR tools.

 

Evasion

Among the files Warlock brought into the victim environment is one named vmtools.exe, which is also used to enumerate and terminate EDR tools. Additionally, in a bring-your-own-vulnerable-driver (BYOVD) style attack, it downloads a driver called googleApiUtil64.sys into the C:\ProgramData directory and creates a service called googleApiUtil64 that attempts to kill EDR processes every two seconds for ten minutes. A full list of targeted processes can be found in Trend Micro's report.

 

Exfiltration

To facilitate exfiltration of data from the victim's network, Warlock uses a popular tool of choice for ransomware groups known as rclone. This is a legitimate open-source tool that is commonly abused in ransomware attacks. In the attack observed by Trend Micro, the rclone binary was renamed to "TrendSecurity.exe" to help evade detection. As with all double-extortion ransomware groups, large quantities of data are exfiltrated from the victim before the encryption event.
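The Discovery, Privilege Escalation, Evasion and Exfiltration behaviours above are all visible in ordinary endpoint telemetry. As an added example (not code from Trend Micro or from the original report), the rule set below replays those TTPs over constructed Sysmon-style events: a renamed tool is caught by comparing the on-disk name with the PE's OriginalFileName (Sysmon Event ID 1 records it when the binary carries version resources, which is assumed here), a discovery burst is caught by counting distinct recon commands per host in a time window, and the BYOVD component is caught by the driver path and service name the report gives. The guest-account command forms and the sample events are assumptions for illustration, not observed artefacts.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Tools Warlock renamed on disk (cloudflared, rclone as "TrendSecurity.exe").
# Flagged when the on-disk name differs from the PE's OriginalFileName.
RENAMED_TOOLS = {"rclone.exe", "cloudflared.exe"}

# Discovery commands from the report, matched on whitespace-normalised command lines.
RECON_PATTERNS = [
    re.compile(r"\bnltest(\.exe)?\s+/domain_trusts", re.I),
    re.compile(r"\bnet1?(\.exe)?\s+group\s+[\"']?domain (admins|computers|controllers)", re.I),
    re.compile(r"\bquser(\.exe)?\b", re.I),
    re.compile(r"\bwhoami(\.exe)?\b", re.I),
    re.compile(r"\btasklist(\.exe)?\s+/svc", re.I),
    re.compile(r"\bipconfig(\.exe)?\s+/all", re.I),
]
RECON_THRESHOLD = 3                    # distinct discovery commands ...
RECON_WINDOW = timedelta(minutes=10)   # ... from one host inside this window

# Guest-account escalation. The report describes the behaviour; these exact
# command forms are an assumption about how it is usually typed.
GUEST_PATTERNS = [
    re.compile(r"\bnet1?\s+user\s+guest\b.*/active:yes", re.I),
    re.compile(r"\bnet1?\s+localgroup\s+administrators\s+guest\s+/add", re.I),
]

# BYOVD EDR killer: a driver loaded from a user-writable directory, or the
# service name Trend Micro reported.
DRIVER_FROM_PROGRAMDATA = re.compile(r"^c:\\programdata\\.*\.sys$", re.I)
KNOWN_KILLER_SERVICE = "googleapiutil64"


def detect(events):
    """Return (host, rule, detail) alerts for a list of Sysmon-like event dicts."""
    alerts = []
    recon_hits = defaultdict(list)  # host -> [(timestamp, pattern index)]
    for ev in events:
        host, ts = ev["host"], datetime.fromisoformat(ev["time"])
        if ev["type"] == "process":
            on_disk = ev["image"].rsplit("\\", 1)[-1].lower()
            original = ev.get("original_file_name", "").lower()
            cmd = " ".join(ev["command_line"].split())
            if original in RENAMED_TOOLS and on_disk != original:
                alerts.append((host, "renamed_tool", f"{original} running as {ev['image']}"))
            recon_hits[host] += [(ts, i) for i, p in enumerate(RECON_PATTERNS) if p.search(cmd)]
            if any(p.search(cmd) for p in GUEST_PATTERNS):
                alerts.append((host, "guest_account_abuse", cmd))
        elif ev["type"] == "driver_load" and DRIVER_FROM_PROGRAMDATA.match(ev["image_loaded"]):
            alerts.append((host, "driver_from_programdata", ev["image_loaded"]))
        elif ev["type"] == "service_install" and ev["service_name"].lower() == KNOWN_KILLER_SERVICE:
            alerts.append((host, "known_edr_killer_service", ev["service_name"]))
    # Recon burst: enough *distinct* discovery commands from one host in one window.
    # A lone whoami is normal; nltest + net group + quser within minutes is not.
    for host, hits in recon_hits.items():
        hits.sort()
        for start, (t0, _) in enumerate(hits):
            distinct = {i for t, i in hits[start:] if t <= t0 + RECON_WINDOW}
            if len(distinct) >= RECON_THRESHOLD:
                alerts.append((host, "recon_burst", f"{len(distinct)} distinct discovery commands"))
                break
    return alerts


# Constructed sample telemetry (not real logs), mirroring the reported chain.
SAMPLE_EVENTS = [
    {"type": "process", "host": "SP01", "time": "2025-08-20T10:00:00",
     "image": r"C:\Users\Public\svc.exe", "original_file_name": "cloudflared.exe",
     "command_line": r"C:\Users\Public\svc.exe tunnel run"},
    {"type": "process", "host": "SP01", "time": "2025-08-20T10:01:00",
     "image": r"C:\Windows\System32\nltest.exe", "original_file_name": "nltest.exe",
     "command_line": "nltest /domain_trusts"},
    {"type": "process", "host": "SP01", "time": "2025-08-20T10:02:00",
     "image": r"C:\Windows\System32\cmd.exe", "original_file_name": "Cmd.Exe",
     "command_line": 'cmd /c net group "domain admins"'},
    {"type": "process", "host": "SP01", "time": "2025-08-20T10:03:00",
     "image": r"C:\Windows\System32\cmd.exe", "original_file_name": "Cmd.Exe",
     "command_line": "cmd /c quser"},
    {"type": "process", "host": "SP01", "time": "2025-08-20T10:05:00",
     "image": r"C:\Windows\System32\net.exe", "original_file_name": "net.exe",
     "command_line": "net user guest /active:yes"},
    {"type": "driver_load", "host": "SP01", "time": "2025-08-20T10:10:00",
     "image_loaded": r"C:\ProgramData\googleApiUtil64.sys"},
    {"type": "service_install", "host": "SP01", "time": "2025-08-20T10:10:01",
     "service_name": "googleApiUtil64"},
    {"type": "process", "host": "FS02", "time": "2025-08-20T11:30:00",
     "image": r"C:\Users\Public\TrendSecurity.exe", "original_file_name": "rclone.exe",
     "command_line": r"TrendSecurity.exe copy D:\Finance remote:loot"},
    # Benign: a single whoami from an admin workstation should not alert.
    {"type": "process", "host": "WS07", "time": "2025-08-20T09:00:00",
     "image": r"C:\Windows\System32\whoami.exe", "original_file_name": "whoami.exe",
     "command_line": "whoami"},
]

if __name__ == "__main__":
    for host, rule, detail in detect(SAMPLE_EVENTS):
        print(f"{host:5} {rule:26} {detail}")
```

The renamed-tool rule is the cheapest win here: attackers rename rclone and cloudflared because file-name blocklists are common, but the version resource inside the binary does not change. The burst rule deliberately ignores any single discovery command, since admins run them too; it fires only on the combination and tempo the report describes.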

 

How to Protect Your Organization

As with many modern-day threat actors, very little custom malware appears anywhere in this attack chain: apart from the ransomware encryptor itself and the EDR-killing component described above, Warlock relied on exploitation of a known vulnerability followed by legitimate tools and built-in Windows utilities ("living off the land") to blend in with regular network activity. This type of attack chain can render traditional signature-based AV tools completely ineffective. Organizations must leverage modern EDR tools in conjunction with application and network monitoring to detect deviations from normal behavior.

  • Patching is still one of the most effective ways to prevent attacks from most ransomware groups. While there are other methods of initial access such as social engineering, so many of these attacks begin with simple exploitation of unpatched internet-facing systems. Groups like Warlock will consistently target this low-hanging fruit.
  • Minimize the Attack Surface - Only expose assets to the internet that are absolutely necessary for the function of the business. Use firewall policies to block traffic to ports and services that are not needed.
  • Disable Unused Accounts - Disable default accounts or at least rotate passwords. Delete old or unnecessary accounts so they cannot be activated by the threat actor.
  • Multi-factor Authentication - MFA is a fundamental security control. This should be applied to all accounts wherever possible.
  • Application Controls - Ideally, organizations should have an enforced allow list for only pre-approved applications. In scenarios where this is not possible, full visibility into network traffic with tools such as Packetwatch is a great way to identify remote access tools and data exfiltration tools. Organizations must know which processes are allowed to be used in the network so that any deviation from this can be immediately identified and remediated.
  • Endpoint Protection - Fully up-to-date EDR should be deployed to every possible endpoint and server. Modern EDR tools focus on behavior and heuristics and can identify suspicious use of processes.
  • Maintain Immutable Offline Backups - Modern ransomware groups like to target backup servers to inflict maximum damage during encryption. Immutable offline backups will prevent these threat actors from destroying data backups.

 

 

Popular Password Managers Vulnerable to Data Theft Technique

At DEF CON 33 in Las Vegas earlier in August, security researcher Marek Tóth presented a technique he calls Document Object Model (DOM)-based extension clickjacking, which can be used to steal account credentials, two-factor authentication codes, and credit card details. Clickjacking is an attack where the user is tricked into clicking on an element of a webpage that is either invisible or disguised as another benign element. Because this variant only needs attacker-controlled JavaScript running in the page, it works from a malicious site the attacker hosts as well as from legitimate sites compromised through cross-site scripting (XSS) vulnerabilities or subdomain takeovers.

In the proof-of-concepts shown by Tóth, a malicious script in the page manipulates the UI elements that browser extensions inject into the page's DOM (for example, the auto-fill dropdown a password manager renders next to a login field). The script sets the opacity of those elements (or of a parent element) to zero, so they are still present and clickable but not visible, and places a decoy such as a cookie-consent banner or CAPTCHA underneath the cursor. The user thinks they are clicking the decoy, when in reality the click lands on the invisible auto-fill prompt and the password manager fills the stored credentials into fields the attacker controls.

Tóth's research tested 11 different password managers, including LastPass, Bitwarden, and 1Password. The response from the different password manager companies has been mixed, and multiple password managers still do not have a fix:

 

Figure 1: Impacted Password Managers + Fixes | Source: TheHackerNews

 

Until fixes are available, users are strongly encouraged to disable the auto-fill function of their password manager and use copy/paste only. In Chromium-based browsers, the exposure can also be reduced by setting the extension's site access to "on click" in the extension settings, so the extension does not run on a page (and injects nothing into its DOM) until the user deliberately clicks its toolbar icon.

It should also be noted that while this attack is of concern, password managers are still one of the best ways to manage passwords securely.

 


 

 

Vulnerability Roundup

 

Cisco FMC Maximum Severity Vulnerability

On August 14, Cisco issued a security advisory for a maximum severity (CVSS 10.0) vulnerability in the RADIUS subsystem implementation of the Cisco Secure Firewall Management Center (FMC). The vulnerability allows for an unauthenticated remote attacker to inject arbitrary shell commands that can be executed at high privilege levels. Per the advisory, in order for the vulnerability to be successfully exploited, "the devices must be configured for RADIUS authentication for the web-based management interface, SSH management, or both".  The vulnerability affects Cisco Secure FMC Software releases 7.0.7 and 7.7.0 with RADIUS authentication enabled. Administrators are urged to patch as soon as possible. In addition to applying the patch, this vulnerability can be mitigated by using another type of authentication on the device, such as local user accounts, external LDAP authentication, or SAML single sign-on (SSO).

 

Multiple Vulnerabilities in Commvault

Last week, security researchers at watchTowr Labs published detailed findings of 4 vulnerabilities in Commvault, an enterprise data backup and recovery solution, that can be used in two pre-authenticated exploit chains to achieve remote code execution. The vulnerabilities, tracked as CVE-2025-57788, CVE-2025-57789, CVE-2025-57790, and CVE-2025-57791, affect Commvault versions 11.32.0 - 11.32.101, 11.36.0 - 11.36.59, and 11.38.20 - 11.38.25. Fixed versions are 11.32.102, 11.36.60, and 11.38.32. It should be noted the Commvault SaaS solution is not affected. Administrators are urged to patch as soon as possible, as vulnerability details and proof-of-concept exploit code are in the wild.

 

Zero Click Microsoft NTLM Credential Leakage

As part of the August Patch Tuesday from Microsoft, a fix was released for CVE-2025-50154. Per research shared by Cymulate, the vulnerability allows specially crafted .LNK files to trick Windows into initiating NTLM authentication (leaking Net-NTLM hashes) to an attacker-controlled remote SMB share. Successful exploitation does not require any user interaction with the file: Windows Explorer triggers the outbound request simply by rendering the shortcut. The threat actor only needs to get the malicious file onto the victim's host, either through social engineering or drive-by downloads. In addition to leaking credential hashes, the technique could also be used to silently download entire malicious binaries onto the target system. Proof-of-concept code is in the wild. Administrators are urged to patch as soon as possible.
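A shortcut that makes Windows reach out over SMB has to reference a remote host somewhere inside it, so a useful triage step while patching is to scan inbound .LNK files for UNC paths. The following is an added example, not code from Microsoft or Cymulate: it parses the Shell Link binary format far enough to decode the StringData section (name, relative path, working directory, arguments, icon location) and flags any field containing a `\\host\share` reference. It does not inspect the LinkInfo block, which can also carry a network share, and the page does not state which field the CVE itself abuses, so treat a hit as a reason to look closer rather than proof of this specific bug. The sample shortcuts are constructed in code for testing.

```python
import re
import struct
import sys

# LinkFlags bits from the MS-SHLLINK specification.
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# StringData entries appear in this fixed order when their flag is set.
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location")]
UNC_PATH = re.compile(r"\\\\[A-Za-z0-9._-]+\\")  # \\host\share...


def parse_lnk(data):
    """Return the StringData fields of a .LNK as a dict. Skips IDList and LinkInfo."""
    if (len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C                                   # end of the 76-byte header
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return fields


def unc_references(fields):
    """Fields whose value contains a UNC reference; these make Explorer talk SMB."""
    return {k: v for k, v in fields.items() if UNC_PATH.search(v)}


def build_lnk(relative_path=None, arguments=None, icon_location=None):
    """Constructed minimal .LNK (header + Unicode StringData only) for testing."""
    flags, body = IS_UNICODE, b""
    for bit, value in [(HAS_RELATIVE_PATH, relative_path), (HAS_ARGUMENTS, arguments),
                       (HAS_ICON_LOCATION, icon_location)]:
        if value is not None:
            flags |= bit
            body += struct.pack("<H", len(value)) + value.encode("utf-16-le")
    # HeaderSize, CLSID, LinkFlags, FileAttributes, 3 timestamps, FileSize,
    # IconIndex, ShowCommand (SW_SHOWNORMAL), HotKey, Reserved1..3
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    return header + body


def scan_file(path):
    with open(path, "rb") as fh:
        return unc_references(parse_lnk(fh.read()))


if __name__ == "__main__":
    for path in sys.argv[1:]:
        hits = scan_file(path)
        print(f"{path}: {'SUSPICIOUS ' + str(hits) if hits else 'no UNC references'}")
```

Run it against a mail gateway's quarantine folder or a user's Downloads directory (`python lnk_scan.py *.lnk`). A UNC path in the icon location of a shortcut that arrived by e-mail has no legitimate reason to exist and is worth blocking regardless of whether the host is patched.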

 

Zoom Windows Client Privilege Escalation Vulnerability

Zoom recently disclosed a critical "untrusted search path" vulnerability for the Zoom Client for Windows. The vulnerability, tracked as CVE-2025-49457, allows an unauthenticated user to elevate privileges via network access. The vulnerability is due to improper handling of DLL search paths. Because the Zoom Client for Windows did not specify absolute paths, when the application is run, it uses Microsoft Windows standard search order which includes the application's directory, system directories, and others. If an attacker is able to place a malicious DLL file in a location that is searched by this process, the Zoom client is effectively tricked into executing the malicious code with the privileges of the Zoom client. The vulnerability affects versions below 6.3.10. Administrators are urged to apply the patch as soon as possible.

 

CISA KEV Additions

The following vulnerabilities were added to CISA's Known Exploited Vulnerabilities Catalog in the last 2 weeks:

  • CVE-2025-43300 - Apple iOS, iPadOS, and macOS Out-of-Bounds Write Vulnerability
  • CVE-2025-54948 - Trend Micro Apex One OS Command Injection Vulnerability
  • CVE-2025-8875 - N-able N-Central Insecure Deserialization Vulnerability
  • CVE-2025-8876 - N-able N-Central Command Injection Vulnerability
  • CVE-2013-3893 - Microsoft Internet Explorer Resource Management Errors Vulnerability
  • CVE-2007-0671 - Microsoft Excel Remote Code Execution Vulnerability
  • CVE-2025-8088 - RARLAB WinRAR Path Traversal Vulnerability

 

 


 

This report is provided FREE to the cybersecurity community.

Visit our Cyber Threat Intelligence Blog for additional reports.

 




NOTE
We have enhanced our report with data from SOCRadar. You may need to register to view their threat intelligence content.

DISCLAIMER
Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.