ARTICLE
16 July 2025

Ankura CTIX FLASH Update - July 11, 2025

Ankura Consulting Group LLC

Contributor

Ankura Consulting Group, LLC is an independent global expert services and advisory firm that delivers end-to-end solutions to help clients at critical inflection points related to conflict, crisis, performance, risk, strategy, and transformation. Ankura consists of more than 1,800 professionals and has served 3,000+ clients across 55 countries. Collaborative lateral thinking, hard-earned experience, and multidisciplinary capabilities drive results and Ankura is unrivalled in its ability to assist clients to Protect, Create, and Recover Value. For more information, please visit, ankura.com.

Malware Activity

How Sophisticated Attacks Undermine Modern Security Measures

Recent security research reveals that even robust Multi-Factor Authentication (MFA) systems can be compromised through tactics like MFA fatigue, session hijacking, and man-in-the-middle attacks, which exploit protocol vulnerabilities and user behavior to bypass protections. Cybercriminals increasingly manipulate users into revealing authentication codes or intercept session tokens outright. This renders MFA less effective and highlights the need for more advanced, context-aware authentication methods. Additionally, a new Android attack called TapTrap utilizes deceptive UI overlays to trick users into granting permissions or clicking malicious links without their awareness; it leverages Android's UI layering to mask malicious prompts. CTIX analysts will continue to report on the latest malware strains and attack methodologies.
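The context-aware detection the paragraph calls for can be illustrated on the identity provider's own logs. The following Python is an added example, not code from the CTIX update or from any vendor: it flags MFA-fatigue push bombing (many pushes in a short window, an approval after repeated denials) and a session token that is reused from a different IP address and client than the one it was issued to. The key=value log format, the event names, the sample records and the thresholds are all assumptions.

```python
"""Added example (not from the CTIX article): flag MFA-fatigue push bombing
and session-token reuse from a new context, over constructed auth log lines.
The key=value log format, event names and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed: count push events in a 5-minute window
PUSH_THRESHOLD = 4             # assumed: 4+ pushes in the window looks like bombing
DENY_THRESHOLD = 2             # assumed: an approval after 2+ denials is the fatigue pattern

# Constructed sample log: alice is bombed and finally approves, then her session
# token is replayed from another IP and client; bob is a normal login.
SAMPLE_LOG = """\
ts=2025-07-10T08:00:01Z user=alice event=mfa_push_sent ip=203.0.113.5 session=- ua=-
ts=2025-07-10T08:00:20Z user=alice event=mfa_push_denied ip=203.0.113.5 session=- ua=-
ts=2025-07-10T08:00:45Z user=alice event=mfa_push_sent ip=203.0.113.5 session=- ua=-
ts=2025-07-10T08:01:02Z user=alice event=mfa_push_denied ip=203.0.113.5 session=- ua=-
ts=2025-07-10T08:01:30Z user=alice event=mfa_push_sent ip=203.0.113.5 session=- ua=-
ts=2025-07-10T08:01:55Z user=alice event=mfa_push_denied ip=203.0.113.5 session=- ua=-
ts=2025-07-10T08:02:10Z user=alice event=mfa_push_sent ip=203.0.113.5 session=- ua=-
ts=2025-07-10T08:02:40Z user=alice event=mfa_push_approved ip=203.0.113.5 session=- ua=-
ts=2025-07-10T08:02:41Z user=alice event=session_start ip=203.0.113.5 session=sess-a1 ua=Firefox
ts=2025-07-10T08:05:00Z user=alice event=session_use ip=198.51.100.77 session=sess-a1 ua=curl
ts=2025-07-10T09:00:00Z user=bob event=mfa_push_sent ip=192.0.2.10 session=- ua=-
ts=2025-07-10T09:00:05Z user=bob event=mfa_push_approved ip=192.0.2.10 session=- ua=-
ts=2025-07-10T09:00:06Z user=bob event=session_start ip=192.0.2.10 session=sess-b1 ua=Chrome
ts=2025-07-10T09:30:00Z user=bob event=session_use ip=192.0.2.10 session=sess-b1 ua=Chrome
"""


def parse_line(line):
    """Turn one 'k=v k=v ...' record into a dict with a parsed timestamp."""
    rec = dict(field.split("=", 1) for field in line.split())
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_mfa_fatigue(records):
    """Return (user, alert, count) for push floods and approvals after denials."""
    alerts = []
    pushes = defaultdict(list)
    for r in records:
        if r["event"].startswith("mfa_push_"):
            pushes[r["user"]].append(r)
    for user, events in pushes.items():
        events.sort(key=lambda e: e["ts"])
        flooded = False  # report one flood per user, not one per push
        for r in events:
            recent = [e for e in events if r["ts"] - WINDOW <= e["ts"] <= r["ts"]]
            sent = sum(e["event"] == "mfa_push_sent" for e in recent)
            denied = sum(e["event"] == "mfa_push_denied" for e in recent)
            if not flooded and r["event"] == "mfa_push_sent" and sent >= PUSH_THRESHOLD:
                alerts.append((user, "push_flood", sent))
                flooded = True
            if r["event"] == "mfa_push_approved" and denied >= DENY_THRESHOLD:
                alerts.append((user, "approval_after_repeated_denials", denied))
    return alerts


def detect_session_anomalies(records):
    """Flag a session token used from an IP/client pair other than its origin."""
    alerts = []
    origin = {}
    for r in sorted(records, key=lambda e: e["ts"]):
        if r["event"] == "session_start":
            origin[r["session"]] = (r["ip"], r["ua"])
        elif r["event"] == "session_use":
            seen = origin.get(r["session"])
            if seen and seen != (r["ip"], r["ua"]):
                alerts.append((r["user"], "session_context_change", r["session"]))
    return alerts


def analyse(log_text):
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return detect_mfa_fatigue(records) + detect_session_anomalies(records)


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

The session check is deliberately strict (any change of IP or user agent), which is noisy for mobile users; in production the IP comparison would usually be relaxed to a network or geolocation change, and the push thresholds tuned against the provider's normal prompt rate.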

Threat Actor Activity

Gold Melody IAB Gaining Unauthorized Access via Exposed ASP.NET Machine Keys

The Initial Access Broker (IAB), known as Gold Melody, has been linked to a campaign exploiting leaked ASP.NET machine keys to gain unauthorized access to organizations. This activity is tracked by Palo Alto Networks Unit 42 as TGR-CRI-0045, with the group also known as Prophet Spider and UNC961. Gold Melody has targeted sectors in Europe and the U.S., including financial services, manufacturing, and logistics, using opportunistic approaches. Microsoft first documented the abuse of ASP.NET machine keys in February 2025, identifying over 3,000 keys that can be weaponized for ViewState code injection attacks, leading to arbitrary code execution. The attacks were initially detected in December 2024, when a static ASP.NET machine key was used to inject malicious code and deliver the Godzilla post-exploitation framework. Unit 42's analysis indicates that TGR-CRI-0045 employs these leaked keys for ASP.NET ViewState deserialization, allowing malicious payloads to execute directly in server memory. This technique minimizes on-disk presence and forensic artifacts, bypassing many legacy EDR solutions. Organizations relying on file integrity monitoring or antivirus signatures may miss such intrusions, underscoring the need for behavioral detections based on anomalous IIS request patterns. A spike in activity was noted between late January and March 2025, with post-exploitation tools such as port scanners and bespoke C# programs deployed for local privilege escalation. The attacks typically involve command shell execution from IIS web servers, using tools like ysoserial.net for payload generation. These payloads bypass ViewState protections, executing .NET assemblies in memory. Gold Melody's approach to the ViewState exploitation involves loading a single, stateless assembly, requiring repeated exploitation for each command execution. This campaign highlights cryptographic key exposure threats. 
CTIX analysts recommend identifying and remediating compromised machine keys to strengthen application security and identity protection strategies.
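Identifying exposed machine keys starts with the application configuration. The following Python is an added example, not code from the CTIX update, Unit 42 or Microsoft: it audits a web.config for a static `<machineKey>` (keys that are pinned in config rather than auto-generated per application), compares each key's fingerprint against a denylist of publicly known keys, and flags legacy ViewState MAC and decryption algorithms. The two sample configs, the denylist contents and the finding names are constructed assumptions.

```python
"""Added example (not the article's, Unit 42's or Microsoft's code): audit an
ASP.NET web.config for static <machineKey> material of the kind abused for
ViewState deserialization. The sample configs, the leaked-key denylist and the
finding names are constructed assumptions."""
import hashlib
import xml.etree.ElementTree as ET

WEAK_VALIDATION = {"MD5", "SHA1"}  # pre-HMACSHA256 ViewState MAC algorithms
WEAK_DECRYPTION = {"DES", "3DES"}


def fingerprint(key):
    """Hash a key so a denylist can be shared without the key material itself."""
    return hashlib.sha256(key.strip().upper().encode()).hexdigest()


# Constructed denylist standing in for a feed of publicly disclosed keys.
LEAKED_KEY_FINGERPRINTS = {fingerprint("0123456789ABCDEF" * 4)}

# Constructed sample: a static, "leaked" key pair with SHA1 validation.
RISKY_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""

# Constructed sample of the safer shape: per-app auto-generated keys, HMACSHA256 MAC.
SAFE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""


def audit_machine_key(config_xml):
    """Return (finding, detail) pairs for a web.config string."""
    root = ET.fromstring(config_xml)
    findings = []
    mk = next(root.iter("machineKey"), None)
    if mk is None:
        return findings  # no element: ASP.NET's AutoGenerate default applies
    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "")
        if value and not value.startswith("AutoGenerate"):
            findings.append((f"static_{attr}", f"{attr} is fixed in config"))
            if fingerprint(value) in LEAKED_KEY_FINGERPRINTS:
                findings.append((f"leaked_{attr}", "matches a publicly known key"))
    if mk.get("validation", "").upper() in WEAK_VALIDATION:
        findings.append(("weak_validation_algorithm", mk.get("validation")))
    if mk.get("decryption", "").upper() in WEAK_DECRYPTION:
        findings.append(("weak_decryption_algorithm", mk.get("decryption")))
    for pages in root.iter("pages"):
        if pages.get("enableViewStateMac", "true").lower() == "false":
            findings.append(("viewstate_mac_disabled", "enableViewStateMac=false"))
    return findings


if __name__ == "__main__":
    for name, detail in audit_machine_key(RISKY_WEB_CONFIG):
        print(f"{name}: {detail}")
    print("safe config findings:", audit_machine_key(SAFE_WEB_CONFIG))
```

A static key is not itself a defect (web farms need one shared key so that every node can validate ViewState), so the `static_*` findings are an inventory prompt: any key that has ever appeared in public documentation, a code sample or a repository should be treated as compromised and replaced with freshly generated material, which is what the remediation above amounts to.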

Vulnerabilities

Unpatched Ruckus vSZ and RND Vulnerabilities Expose Enterprise Wireless Networks to Full Compromise

Multiple critical vulnerabilities affecting Ruckus Wireless' Virtual SmartZone (vSZ) and Network Director (RND) remain unpatched, putting large-scale wireless infrastructures at severe risk of compromise. Discovered by Claroty's Team82 and disclosed by Carnegie Mellon's CERT/CC, the flaws include authentication bypass, remote code execution (RCE), hardcoded SSH keys and JWT secrets, and weak password encryption, many of which can be chained for more devastating attacks. vSZ, capable of managing up to 10,000 access points, and RND, used for cluster management, are widely deployed in high-value environments like hospitals, schools, and smart cities. Notable CVEs include CVE-2025-44957, which enables administrator access via maliciously crafted HTTP headers and API keys; CVE-2025-44954, which allows root access using hardcoded SSH keys; and CVE-2025-44955, which provides a root-level jailbreak through a weak password. CERT/CC warns that attackers with network access could achieve a complete compromise, yet attempts to engage Ruckus or parent company CommScope have gone unanswered. With no patches available, CTIX analysts urge administrators to isolate these systems and enforce secure, limited access until fixes are released.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
