Uyghur software malware, DDoS jumps, 4chan back - Cybersecurity Headlines

Cyber Security Headlines: Detailed Summary

Podcast Title: Cyber Security Headlines
Host/Author: CISO Series
Episode: Uyghur Software Malware, DDoS Jumps, 4chan Back
Release Date: April 29, 2025

In this episode of Cyber Security Headlines hosted by Rich Stroffelino, listeners are presented with a comprehensive overview of the latest developments in the information security landscape. Covering a range of topics from sophisticated malware campaigns to significant infrastructure attacks, the episode offers valuable insights for cybersecurity professionals and enthusiasts alike.

1. Uyghur Language Software Hijacked to Deliver Malware

The episode opens with a troubling revelation about a targeted malware campaign against members of the World Uyghur Congress living in exile. Rich Stroffelino details how senior members received government-backed attack alerts via Google Drive in March 2025. These alerts were later forwarded to Citizen Lab, which uncovered a spear phishing campaign specifically designed to target this group.

At [00:06], Rich explains, "The campaign attempted to deliver a Trojanized version of an otherwise legitimate open-source Uyghur language text editor." This malicious application was not merely a simple infection vector; it included a backdoor designed to gather device information, communicate with command and control (C2) servers, and download additional malicious plugins. The registration data for the C2 server domains indicated that the planning for this campaign could have started as early as May 2024.

Despite the campaign's reliance on social engineering rather than technical sophistication, Rich emphasizes its effectiveness due to the attackers' deep understanding of the target community's nuances and behaviors.

2. Cloudflare Reports Significant Surge in DDoS Attacks

Transitioning to network security, Rich Stroffelino presents data from Cloudflare's Q1 DDoS report, highlighting a substantial increase in distributed denial-of-service (DDoS) attacks. Cloudflare mitigated 20.5 million DDoS attacks in Q1 2025, a stark rise from 21.3 million attacks mitigated throughout all of 2024. This represents a 358% increase year-over-year and nearly 200% growth compared to Q4 2024.

Notably, attacks targeting Cloudflare itself constituted 32% of the Q1 total, with over 6.6 million DDoS attacks as part of an 18-day campaign. Network layer attacks saw an unprecedented spike of 509% over the past year, with specific increases in connectionless lightweight directory access protocol (LDAP) floods and encapsulating security payload (ESP) floods. Additionally, Cloudflare addressed over 700 attacks with bandwidths exceeding 1 terabit per second, underscoring the escalating scale and intensity of these threats.

3. 4chan Returns Online After Security Breach

A significant development in online communities is the return of the infamous 4chan forum to the internet. After being offline since April 14, 2025, 4chan's boards and front page have been reinstated, although functionalities like posting and image uploads remain disabled. Rich recounts the site's first blog post in eight years, where its operators disclosed that a hacker from a UK IP address exploited an outdated software package on one of 4chan's servers via a fraudulent PDF upload.

This breach allowed the perpetrators to exfiltrate database tables and source code, after which they pivoted to vandalizing the site. Upon detection of the intrusion, moderators promptly took the servers offline. The vulnerability arose during a prolonged server migration to newer hardware, which inadvertently exposed the infrastructure.

4. Large-Scale Phishing Campaign Targets WooCommerce

The discussion shifts to e-commerce security with Rich highlighting a phishing campaign targeting WooCommerce, a popular content management system (CMS) platform. Patchstack researchers identified that threat actors were distributing phishing messages to WooCommerce sites, warning them of a non-existent unauthenticated administrative access vulnerability. These deceptive messages were crafted to entice site administrators into clicking through to a fake patch download site.

The phishing site masqueraded as a legitimate WooCommerce marketplace page, prompting users to install a malicious WordPress plugin. This plugin facilitated the creation of a new admin-level user, initiated HTTP GET requests to malicious servers containing account login credentials, and installed a NextStage payload. Subsequently, the plugin and the new admin user were concealed to avoid detection.

Once access was established, attackers could inject spam, redirect site visitors to malicious destinations, enroll the site into botnets, and extort site owners. This campaign underscores the critical importance of vigilance and verification in handling software updates and administrative access.

5. Iran Claims to Have Stopped a Major Infrastructure Attack

In international cybersecurity news, Rich Stroffelino reports that Iran has announced the prevention of one of the most extensive and complex cyberattacks against its infrastructure. Bezad Akbari, head of Iran's Telecommunications Infrastructure Company, stated to the Tasnim news agency at [timestamp not provided], "One of the most widespread and complex cyber attacks against the country's infrastructure was identified and preventive measures were taken over the weekend."

This statement follows a significant explosion at Iran's largest commercial port, although no direct link between the two events has been established. Historically, Iran experienced notable infrastructure attacks in 2021 and 2022, both attributed to the dissident group Predatory Sparrow. However, in this instance, no group has claimed responsibility, leaving the origins of the attack ambiguous.

6. Quantum Computing Readiness Remains Low Among Organizations

The episode also touches upon the burgeoning field of quantum computing and its implications for cybersecurity. Despite advancements suggesting that quantum computing may transition from laboratory settings to practical applications, organizational preparedness remains minimal. According to a recent survey by ISACA, a mere 5% of IT professionals reported that their organizations have a strategy to defend against quantum-enabled threats. Even more concerning, only 3% consider it a high business priority in the near future.

A staggering 59% of respondents admitted to having made no preparations for the advent of quantum computing, with 44% unaware of the National Institute of Standards and Technology's (NIST) quantum-resistant encryption standards. This lack of readiness highlights a significant vulnerability as quantum technologies become more prevalent.

7. Active Exploitation of Craft CMS Zero Day

Attention then shifts to a critical vulnerability in Craft CMS, as researchers from Orange Cyber Defense issued warnings about an actively exploited zero-day flaw. This vulnerability allows attackers to execute remote code by sending a crafted POST request to the image transformation endpoint, causing the server to interpret malicious data.

Exploitation began on February 10th, with over 300 deployments compromised to date. Craft CMS responded by releasing patches on April 10th to address the flaw. The severity of this zero-day underscores the importance of timely patch management and the relentless nature of cyber threats targeting popular content management systems.

8. FBI Seeks Public Assistance Against China-Linked Threat Actor Salt Typhoon

In a call to action, the Federal Bureau of Investigation (FBI) has released a public service announcement seeking assistance in tracking the China-linked threat actor group known as Salt Typhoon. This group was identified accessing US telecommunications companies as early as November of the previous year. Their activities included targeting the phones of staff for both major political parties and presidential campaigns.

The FBI is urging the public to provide any actionable intelligence regarding Salt Typhoon. Additionally, the U.S. Department of State's Reward for Justice program has announced rewards of up to $10 million for information leading to the identification of foreign state-linked threat actors who target US critical infrastructure. However, the absence of substantial rewards and resources presents a challenge in attracting cyber talent to these critical roles, especially within municipal cybersecurity frameworks.

Conclusion

The episode concludes by highlighting the ongoing challenges municipalities face in establishing robust cybersecurity measures amidst limited resources and increasing threats. Rich Stroffelino teases an upcoming episode that delves deeper into strategies for setting up municipal cybersecurity to thrive despite these obstacles.

For those seeking more in-depth coverage of these headlines, CISO Series directs listeners to visit cisoseries.com for full stories and additional insights.

This detailed summary captures the key discussions, insights, and conclusions presented in the April 29, 2025 episode of Cyber Security Headlines by CISO Series. Notable quotes and specific data points are included to provide a comprehensive overview for those who have not listened to the episode.

Transcript

CISO Series (0:00)

From the CISO series. It's Cybersecurity Headlines.

Rich Stroffelino (0:06)

These are the cybersecurity headlines for Tuesday, April 29, 2025. I'm Rich Stroffelino Uyghur Language software hijacked to deliver malware in March 2025, senior members of the World Uyghur Congress living in exile received government backed attack alerts from Google Drive. Members forwarded these to Citizen Lab, which identified a spear phishing campaign targeting the group. The campaign attempted to deliver a Trojanized version of an otherwise legitimate open source Uyghur language text editor. The malicious app included a backdoor to gather device information, Communicate with the C2 server and download further plugins. The registration information on the domains for the C2 servers showed this campaign could have been planned as far back as May 2024. The researchers say this campaign isn't technically complex, but instead relies on social engineering cues with a deep understanding of the target community Cloudflare sees big jump in DDoS attacks Cloudflare's Q1 DDoS report disclosed that the company mitigated 20.5 million DDoS attacks in Q1 compared to 21.3 million DDoS attacks it mitigated in all of 2024. The Q1 figure is up 358% on the year and up almost 200% compared to Q4. 2024 attacks on Cloudflare itself accounted for 32% of the Q1 figure. It saw just over 6.6 million DDoS attacks as part of an 18 day campaign. Network Layer attacks accounted for this huge spike, up 509% on the year. Within that number, attacks using connectionless lightweight directory access protocol and encapsulating security payload floods saw the biggest growth. Cloudflare also saw over 700 attacks with bandwidths of at least 1 terabit per second. 4chan back online if the last two weeks on the Internet felt a little bit less awful, that's because the infamous 4chan forum had been offline since April 14. The site's boards and front page are now back online, although posting and images remain down. In its first blog post in eight years, 4chan's operators explained that a hacker using a UK IP address exploited an out of date software package on one of 4chan's servers through a bogus PDF upload. From there, the threat actors exfiltrated database tables and source code before pivoting to vandalizing the site. Once that was detected, moderators took 4chan's servers offline, the post said. A prolonged server migration to newer hardware left its infrastructure exposed. WooCommerce hit with large scale phishing campaign Researchers at Patchstack warned of a campaign targeting the popular CMS platform. Threat actors send phishing messages to sites warning of a non existent unauthenticated administrative access vulnerability. The messages try to get click through to a phishing site to download a supposed patch. This actually leads them to a spoofed WooCommerce marketplace page that installs a WordPress plugin that then sets up a new admin level. User gets an HTTP get request to a server with the account login credentials, downloads a NextStage payload, and then hides the plugin and and the new admin user. Once gaining access to the site, the threat actors inject spam, do site redirects to other malicious sites, enroll the site into botnet and extort site owners. And now, thanks to Today's episode sponsor ThreatLocker ThreatLocker is a global leader in zero trust Endpoint security, offering cybersecurity controls to protect businesses from zero day attacks and ransomware. ThreatLocker operates a default deny approach to reduce the attack surface and mitigate potential cyber vulnerability. To learn more and start your free trial, visit threatlocker.com CISO that's T H R E A T L O c k e r.com CISO Iran claims it stopped infrastructure attack the head of Iran's Telecommunications Infrastructure Company Bezad Akbari, told the Tasnim news agency that one of the most widespread and complex cyber attacks against the country's infrastructure was identified as and preventive measures were taken over the weekend. Although he was otherwise light on details, this announcement came a day after a large explosion at Iran's largest commercial port, although there is no indication that these events are related. Just two kind of big things happening in Iran Iran suffered two notable infrastructure attacks in 2021 and 2022, both claimed by the dissident group Predatory Sparrow. But no group has come forward to take credit for this attack so far. A Look at Quantum Readiness in the past two years, we've seen some signs that quantum computing might someday move from the lab to production, with nist, notably putting out its first quantum resistant encryption algorithms. That hasn't translated to many organizations, it seems. According to a new survey by ISACA, only 5% of IT professionals said their organization has a strategy to defend against quantum enabled threats, with 3% saying it was a high business priority for the near future. 59% said they have done nothing to prepare for quantum computing at all and remember those nist standards well 7% of respondents said they had a strong understanding of them, while 44% said they had never heard of them. CMS Zero Day exploits hundreds of sites Researchers at Orange Cyber Defense issued a warning that a critical zero day impacting craft CMS is under active exploitation. This allows attackers to send a post request to the endpoint responsible for image transformation, and the data within the post would be interpreted by the server. In other words, remote code execution. Exploitation of the flaw began on February 10th with over 300 deployments subsequently compromised craft CMS released patches on April 10th the FBI wants your help with Salt Typhoon the Federal Bureau of Investigation released a public service announcement asking the public to come forward with any actionable intelligence about the China linked threat actor Salt Typhoon, which law enforcement discovered accessing US Telecommunications companies back in November. Among other things, the group targeted the phones of staff for both major parties presidential campaigns last year. In addition, the U.S. department of State's Reward for Justice program will offer up to $10 million reward for any information on foreign state linked threat actors who who target US Critical infrastructure. That's not limited to just Salt Typhoon. Less money, less resources and a giant target on your back isn't exactly a great pitch for recruiting cyber talent, but that's exactly the pitch municipalities have to make to their staff. So how can we set up municipal cybersecurities to succeed in what seems to be a thankless task? That's one of the things we're trying to answer on this week's episode of the CISO Series podcast. Look for the episode get all the challenges of cybersecurity and fewer resources wherever you get your podcasts. Reporting for the CISO Series, I'm Rich Stroffolino, reminding you to have a super sparkly day.