Cyber Threat Intelligence Report

This week, we briefed our clients on a fake Microsoft Teams malware campaign that lures users to spoofed download sites with malvertising & SEO poisoning.

KEY TAKEAWAYS

  • Fake MS Teams malware campaign delivering Oyster backdoor. Learn how to protect your organization against these threats.

  • Shields up – Increased scanning activity against Palo Alto Networks devices.

  • Critical and high-severity vulnerabilities in Oracle, Cisco, sudo, and SolarWinds, plus updates to CISA KEV, patch now!

Fake Microsoft Teams Malware Campaign

Fake software downloads continue to be one of the most pervasive threats facing organizations today. In recent months, we have covered fake updates by SocGholish and fake PDF software distributing infostealers. In late September, researchers at Blackpoint detailed a new campaign distributing fake Microsoft Teams installers that deliver malware known as the Oyster backdoor.

The malware campaign leverages malvertising and SEO poisoning to boost its rankings in search engines. When a user searches for something as innocuous as "Microsoft Teams download", oftentimes they will be served malicious links in the search results that direct the user to the fake download sites.

Fig. 1 – Malicious search result. Source: Blackpoint

When the user visits the malicious link, they are taken to a spoofed site that looks like a legitimate Microsoft download page and are prompted to download a fake "MSTeamsSetup.exe" file. Once this file is downloaded and run, it places a malicious DLL named "CaptureService.dll" in a randomly named folder under the %APPDATA%\Roaming path, then creates a scheduled task named "CaptureService" that regularly invokes the DLL, giving the malware persistence on the compromised host.
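As an added example (not code from the report or from Blackpoint's research), the following PowerShell hunt checks a single Windows host for the persistence mechanism described above. It assumes the scheduled task's action is an executable action whose command line names the DLL, and that user profiles live under the default Users directory.

```powershell
# Added hunt script, not part of the report. Checks one Windows host for:
#   1. a scheduled task named "CaptureService", or any task whose action
#      references a DLL under a user's AppData\Roaming tree (assumption: the
#      action is an ExecAction whose Execute/Arguments mention the DLL);
#   2. a file named "CaptureService.dll" under any local profile's AppData\Roaming.
# Run in an elevated PowerShell session on the endpoint being checked.

$SuspectTask = 'CaptureService'
$SuspectDll  = 'CaptureService.dll'
$RoamingDll  = 'AppData\\Roaming\\[^"\s]+\.dll'   # regex: any DLL under a roaming profile path

function Find-SuspiciousTasks {
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            # Only ExecAction objects expose Execute/Arguments; skip other action types
            if (-not $action.PSObject.Properties['Execute']) { continue }
            $cmd = ("{0} {1}" -f $action.Execute, $action.Arguments).Trim()
            $reasons = @()
            if ($task.TaskName -ieq $SuspectTask)          { $reasons += 'task name matches report' }
            if ($cmd -imatch [regex]::Escape($SuspectDll)) { $reasons += 'action references CaptureService.dll' }
            if ($cmd -imatch $RoamingDll)                  { $reasons += 'action loads a DLL from AppData\Roaming' }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    TaskName = $task.TaskName
                    TaskPath = $task.TaskPath
                    Author   = $task.Author
                    Command  = $cmd
                    Reasons  = ($reasons -join '; ')
                }
            }
        }
    }
}

function Find-SuspectDll {
    # Searches every local user profile's roaming AppData, not just the current user's
    Get-ChildItem -Path "$env:SystemDrive\Users\*\AppData\Roaming" -Recurse -Filter $SuspectDll -Force -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, CreationTime, LastWriteTime
}

$taskHits = Find-SuspiciousTasks
$dllHits  = Find-SuspectDll
if (-not $taskHits -and -not $dllHits) {
    Write-Host "No indicators of the fake Teams / Oyster persistence found on $env:COMPUTERNAME"
} else {
    $taskHits | Format-Table -AutoSize
    $dllHits  | Format-Table -AutoSize
}
```

The generic match (any task loading a DLL from a roaming profile path) is uncommon on managed workstations but not unique to this campaign, so treat it as a lead to triage rather than a verdict; the name-based matches are specific to the indicators in this report.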

A Widespread Campaign

Using Validin to pivot on certain website metadata attributes, we can see a fairly comprehensive timeline of this campaign. The same website attributes were first used in January 2025 on the site microsoft-msteams[.]com. In April, this site was attributed to a ClickFix campaign that ultimately led to Interlock ransomware distribution. Then, in early May, several other sites using the same attributes were created, again using Microsoft Teams-themed domains. As the graph below shows, the campaign has steadily added more fake sites throughout the summer and into October.

Fig. 2 – Fake Teams download site distribution timeline. Source: Validin

How to Protect Your Organization

There are several steps organizations can take to detect and prevent these types of attacks:

  • User Awareness Training - These types of malware campaigns target the end-user. They rely on users not being mindful of the links they are clicking, and trick them into downloading the fake software files. Educate users on these types of risks, and give them guidance on what to look for when reviewing search engine results.
  • Restrict End-User Privileges - Ideally, regular end users should not be allowed to install software on their own. A regular end user does not need full administrative rights on their workstation. Additionally, using strict application control, administrators can configure endpoints and user roles to only allow pre-approved software to be installed and executed on a host.
  • Deploy EDR on all possible endpoints - Ensure every workstation has a fully up-to-date EDR solution installed and that they are set to not only detect, but prevent or block execution of malicious files.
  • Network Monitoring - Network monitoring tools such as PacketWatch can be leveraged to identify abnormal web traffic to suspicious domains, particularly domains with uncommon TLDs such as .top, .icu, etc.

See the Appendix below for PacketWatch and CrowdStrike hunts to detect this threat. 

Surge in Scans Against Palo Alto Networks Login Portals

Over the weekend, researchers at GreyNoise reported a 500% increase in scanning activity against Palo Alto Networks login portals. On October 5th, they clarified that they have so far found no evidence of compromise resulting from the scanning activity. While such scanning is not always a precursor to an attack, historically there has been a strong correlation between surges in scanning activity and a subsequent 0-day or N-day attack. Just last month, GreyNoise reported an increase in scanning of Cisco ASA devices, and two weeks later two 0-days in those devices were reported as actively exploited.

Administrators should ensure all Palo Alto edge devices are fully patched and restrict the management interface to only explicitly allowed IP addresses. This helps reduce the attack surface in the case of a 0-day. In the coming days, monitor Palo Alto edge devices for any sign of suspicious activity such as new account creation or suspicious logons.

Vulnerability Roundup

Critical Vulnerability in Oracle E-Business Suite

Oracle has released a patch for what is believed to be a 0-day vulnerability in their E-Business Suite. The vulnerability, tracked as CVE-2025-61882, can be exploited over a network without the need for a username or password and can lead to remote code execution. Affected Oracle E-Business Suite versions are 12.2.3-12.2.14. This vulnerability has also been tied to the recent data theft and extortion campaign from Cl0p. Victims of this campaign are sent emails from Cl0p claiming to have breached the victim's Oracle E-Business Suite environment. Oracle published IOCs in their CVE disclosure. See Appendix B for the PacketWatch query.

Cisco Fixes Two Actively Exploited 0-Days

Cisco released fixes for two vulnerabilities in its Adaptive Security Appliance (ASA) and Firewall Threat Defense (FTD) devices that are under active exploitation. The first, tracked as CVE-2025-20333, allows an authenticated remote attacker to execute arbitrary code. The second, tracked as CVE-2025-20362, allows a remote attacker to access restricted URL endpoints without authentication. Administrators are strongly encouraged to apply the patches as soon as possible. Administrators can check here and here for patch links and guidance on determining whether a device is vulnerable.

Privilege Escalation Vulnerability in sudo Actively Exploited

CISA recently added a vulnerability in sudo to their Known Exploited Vulnerabilities catalog. The sudo command ("superuser do") is used in Unix-like operating systems to let users run programs or commands with the security privileges of another user, typically root. Users or groups granted sudo permissions are typically listed in the "sudoers" file. This vulnerability, tracked as CVE-2025-32463, allows an attacker to abuse sudo's -R (--chroot) option to run arbitrary commands as root, even if they are not in the "sudoers" file. This vulnerability affects sudo versions 1.9.14 through 1.9.17. Administrators are urged to patch as soon as possible.

SolarWinds Web Help Desk RCE

Researchers at Trend Micro Zero Day Initiative reported a critical vulnerability in SolarWinds Web Help Desk. Tracked as CVE-2025-26399, this critical vulnerability allows an unauthenticated attacker to run commands on the host machine. The vulnerability affects the latest version, 12.8.7. It should also be noted that this CVE is a bypass of a previous patch for CVE-2024-28988, which was a fix for a patch bypass of CVE-2024-28986. A hotfix that addresses this vulnerability has been issued by SolarWinds. Please visit the SolarWinds Documentation page here for guidance on applying the hotfix. 

CISA KEV Additions

The following vulnerabilities were added to CISA's Known Exploited Vulnerabilities Catalog in the last 2 weeks:

  • CVE-2025-4008 - Smartbedded Meteobridge Command Injection Vulnerability
  • CVE-2025-21043 - Samsung Mobile Devices Out-of-Bounds Write Vulnerability
  • CVE-2015-7755 - Juniper ScreenOS Improper Authentication Vulnerability
  • CVE-2017-1000353 - Jenkins Remote Code Execution Vulnerability
  • CVE-2014-6278 - GNU Bash OS Command Injection Vulnerability
  • CVE-2021-21311 - Adminer Server-Side Request Forgery Vulnerability
  • CVE-2025-20352 - Cisco IOS and IOS XE Software SNMP Denial of Service and Remote Code Execution Vulnerability
  • CVE-2025-10035 - Fortra GoAnywhere MFT Deserialization of Untrusted Data Vulnerability

This report is provided FREE to the cybersecurity community.

Visit our Cyber Threat Intelligence Blog for additional reports.

NOTE
We have enhanced our report with data from SOCRadar. You may need to register to view their threat intelligence content.

DISCLAIMER
Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.