Cybersecurity Weekly Recap: Fortinet Exploits, RedLine Clipjack, NTLM Crack, Copilot Attack & More
In the ever-evolving landscape of cybersecurity, the boundary between routine updates and critical incidents continues to blur. Systems once deemed secure are now vulnerable to relentless advancements in technology. The proliferation of artificial intelligence, interconnected devices, and automation has expanded the attack surface, often outpacing the defensive measures of security teams. This week’s developments underscore how minor oversights or concealed services can escalate into significant breaches.
A discernible pattern emerges from recent events: automation is being weaponized against its creators. Adversaries are repurposing existing systems rather than developing new ones, enabling them to operate at a pace that often outstrips organizational patching and response capabilities. From subtle code vulnerabilities to adaptive malware, the focus of attacks has shifted towards stealth and sustained control.
For those safeguarding connected infrastructures—be it developer tools, cloud platforms, or internal networks—this edition highlights the trajectory of emerging threats, offering insights into future attack vectors rather than revisiting past incidents.
Threat of the Week:
Critical Fortinet Flaw Under Active Exploitation
A critical vulnerability in Fortinet’s FortiSIEM has been identified and is currently being exploited in the wild. Designated as CVE-2025-64155 with a CVSS score of 9.4, this flaw permits unauthenticated attackers to execute arbitrary code or commands via specially crafted TCP requests. Horizon3.ai’s technical analysis reveals two primary issues:
1. An unauthenticated argument injection vulnerability leading to arbitrary file writes, culminating in remote code execution with administrative privileges.
2. A file overwrite privilege escalation vulnerability that grants root access, resulting in complete system compromise.
The vulnerability resides within the phMonitor service, an internal component of FortiSIEM that operates with elevated privileges and is integral to system health monitoring. Due to its deep integration, successful exploitation provides attackers with full control over the appliance.
Top News:
VoidLink Linux Malware Facilitates Persistent Access
A newly discovered cloud-native Linux malware framework, named VoidLink, targets cloud environments by offering attackers a suite of custom loaders, implants, rootkits, and plugins designed for stealth, reconnaissance, privilege escalation, and lateral movement within compromised networks. This sophisticated framework emphasizes long-term access and data collection over immediate disruption. Operated via a web-based dashboard localized for Chinese users, VoidLink automates evasion tactics by profiling the Linux environment and selecting optimal strategies to remain undetected. Notably, if signs of tampering or analysis are detected, it can self-delete and employ anti-forensic measures to erase activity traces. Its extensive feature set includes rootkit capabilities, an in-memory plugin system for enhanced functionality, and adaptive runtime evasion based on detected security products. VoidLink draws inspiration from Cobalt Strike, an adversary simulation framework that has been repurposed for malicious activities.
RedLineCyber Deploys Clipboard Hijacking Malware
A threat actor known as RedLineCyber has been observed leveraging the notoriety of the RedLine information stealer to distribute an executable named Pro.exe (or peeek.exe). This Python-based clipboard hijacking trojan continuously monitors the Windows clipboard for cryptocurrency wallet addresses, replacing them with addresses controlled by the attacker to facilitate cryptocurrency theft. CloudSEK reports that the actor exploits trust within Discord communities focused on gaming, gambling, and cryptocurrency streaming. Distribution occurs through direct social engineering, where the actor builds relationships with potential victims, particularly cryptocurrency streamers and influencers, over extended periods before introducing the malicious payload as a security tool or streaming utility.
Fake Shipping Documents Deliver Remcos RAT
A new phishing campaign employs shipping-themed lures to deceive recipients into opening malicious Microsoft Word documents. These documents exploit a longstanding security flaw in Microsoft Office (CVE-2017-11882) to deliver a new variant of Remcos RAT executed directly in memory. Fortinet’s analysis indicates that successful exploitation triggers the download of a Visual Basic Script, which executes Base64-encoded PowerShell code to download and launch a .NET DLL loader module responsible for deploying the RAT and establishing persistence via scheduled tasks. Remcos RAT (version 7.0.4 Pro) offers comprehensive data gathering capabilities, including system management, surveillance, networking, communication, and agent control.
NTLM Hash Cracking Achieves New Milestone
Researchers have achieved a significant breakthrough in cracking NTLM (NT LAN Manager) hashes, a protocol used for authentication in Windows environments. By leveraging advanced hardware and optimized algorithms, they successfully cracked an eight-character NTLM hash in under two hours. This development underscores the vulnerability of NTLM hashes to brute-force attacks and highlights the necessity for organizations to adopt more secure authentication methods, such as Kerberos or multi-factor authentication, to protect sensitive information.
Copilot Attack Exploits AI Code Assistants
A novel attack vector, termed the Copilot Attack, targets AI-powered code assistants like GitHub Copilot. By injecting malicious code snippets into public repositories, attackers can manipulate these AI tools to suggest insecure or harmful code to developers. This method exploits the trust developers place in AI-generated code, potentially leading to the inadvertent inclusion of vulnerabilities in software projects. The incident emphasizes the importance of code review and the need for developers to critically assess AI-generated suggestions.
Conclusion
The cybersecurity landscape is witnessing a paradigm shift where automation and AI are not only tools for defenders but also weapons for adversaries. The rapid adoption of new technologies has expanded the attack surface, making it imperative for organizations to stay vigilant and proactive. Regular updates, comprehensive security training, and the implementation of robust authentication mechanisms are essential steps in mitigating these evolving threats. As attackers continue to innovate, so must our defenses, ensuring that security measures evolve in tandem with emerging risks.
