Table of Contents
- Phishing Attack Hides JavaScript Using Invisible Unicode Trick
- Microsoft Patches Actively Exploited Power Pages Privilege Escalation Vulnerability
- CISA and FBI: Ghost Ransomware Breached Orgs in 70 Countries
- A newly discovered JavaScript obfuscation technique that leverages invisible Unicode characters is being actively exploited in phishing attacks targeting affiliates of an American political action committee (PAC). Juniper Threat Labs detected the campaign in early January 2025, noting its sophisticated tactics: personalized targeting with non-public information, advanced evasion using debugger breakpoints and timing checks, and recursively wrapped Postmark tracking links that obscure the final phishing destination. The method builds on research disclosed by JavaScript developer Martin Kleppe in October 2024, demonstrating how quickly cybercriminals weaponize novel obfuscation strategies. The technique replaces each binary digit of the JavaScript payload with an invisible Hangul filler character, half-width U+FFA0 or full-width U+3164, so the script appears visually empty. The malicious code is stored as a property of a JavaScript object and retrieved through a JavaScript Proxy `get()` trap that converts the invisible characters back into binary and reconstructs the original payload. Attackers further conceal the script by base64-encoding it and adding anti-debugging checks that detect analysis environments and redirect to benign sites. Because the payload can be injected into legitimate scripts without visibly changing them, detection is difficult for security tools. Juniper also linked two domains used in this campaign to the Tycoon 2FA phishing kit, suggesting that a wider range of threat actors may soon adopt the obfuscation method. Organizations are advised to enhance script monitoring, employ heuristic-based analysis, and remain vigilant against emerging obfuscation techniques.
- Microsoft has released security patches for two critical vulnerabilities affecting Bing and Power Pages, addressing significant security risks, including one actively exploited in real-world attacks. CVE-2025-21355, assigned a CVSS score of 8.6, is a remote code execution (RCE) flaw in Bing that stems from missing authentication for a critical function, allowing unauthorized attackers to execute arbitrary code over a network. Microsoft has mitigated this issue at the service level, eliminating the need for direct customer intervention. The second vulnerability, CVE-2025-24989, with a CVSS score of 8.2, affects Power Pages, a low-code web development platform for business websites. The flaw arises from improper access controls, enabling attackers to bypass user registration mechanisms and escalate privileges, potentially gaining unauthorized administrative access. Microsoft has confirmed that CVE-2025-24989 has been actively exploited but has not disclosed details regarding the attackers, the scale of the breaches, or specific targets. The company has already implemented mitigations and directly notified affected customers with instructions on reviewing their sites for potential compromises. Organizations that have not received direct alerts from Microsoft are not impacted. These vulnerabilities highlight the increasing risks associated with cloud-based services and the importance of rapid response measures. As attackers continue targeting web applications and cloud platforms, businesses must prioritize continuous monitoring, proactive patching, and access control audits to mitigate emerging threats.
- Ghost ransomware has been actively targeting organizations across more than 70 countries since early 2021, with victims spanning critical infrastructure, healthcare, government, education, and various industries. The ransomware group, also known as Cring, exploits vulnerabilities in outdated internet-facing software and firmware, focusing on unpatched systems running Fortinet, ColdFusion, Microsoft Exchange, and SharePoint. Attackers gain access by leveraging publicly available code to exploit these weaknesses, then deploy ransomware payloads like Cring[.]exe, Ghost[.]exe, ElysiumO[.]exe, and Locker[.]exe to encrypt files and demand ransoms. While Ghost operators often threaten to leak stolen data, their primary objective is financial extortion through system encryption. The FBI, CISA, and MS-ISAC have released an advisory detailing Ghost ransomware’s tactics and urging organizations to bolster defenses. Indicators of compromise include network scans for vulnerable devices, administrator account manipulations, and unauthorized PowerShell executions. Organizations are advised to implement strict security measures to mitigate attacks, including regular off-site backups, immediate patching of known vulnerabilities, network segmentation, and phishing-resistant multi-factor authentication. The advisory emphasizes the growing risk posed by Ghost’s rapid exploitation of unpatched software, underscoring the need for proactive cybersecurity hygiene, vulnerability assessments, and heightened awareness to defend against this persistent global threat.
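The following is an added example, not code from the article, from Juniper Threat Labs, or from Martin Kleppe's research. It shows the detection side of the invisible-Unicode technique described in the first item above: a scanner that looks for long runs of Hangul filler characters (U+3164 and U+FFA0) in JavaScript source and decodes them as 8-bit binary to reveal what is hidden. The bit assignment (U+3164 as 0, U+FFA0 as 1) and the 8-bits-per-byte layout are assumptions not stated on the page, so the scanner tries both mappings and keeps the more printable result. The sample script it runs over is constructed here for illustration.

```javascript
// Added example: defensive scanner for invisible-Unicode JavaScript obfuscation.
// Not from the original article, Juniper Threat Labs, or Kleppe's research.
// Assumptions (not on the page): 8 bits per payload byte; U+3164 encodes a
// 0 bit and U+FFA0 a 1 bit. Both mappings are tried because the real
// assignment may differ.

const HANGUL_FILLER = "\u3164"; // full-width filler, invisible when rendered
const HALFWIDTH_HANGUL_FILLER = "\uFFA0"; // half-width filler, also invisible

// Turn a run of filler characters back into text under one bit mapping.
function decodeRun(run, zeroChar, oneChar) {
  let bits = "";
  for (const ch of run) bits += ch === zeroChar ? "0" : "1";
  let out = "";
  for (let i = 0; i + 8 <= bits.length; i += 8) {
    out += String.fromCharCode(parseInt(bits.slice(i, i + 8), 2));
  }
  return out;
}

// Fraction of characters that are printable ASCII, tab or newline.
function printableRatio(text) {
  if (text.length === 0) return 0;
  let printable = 0;
  for (const ch of text) {
    const code = ch.charCodeAt(0);
    if ((code >= 0x20 && code <= 0x7e) || code === 0x09 || code === 0x0a) printable++;
  }
  return printable / text.length;
}

// Scan source text for runs of at least 16 filler characters (two bytes) and
// report each run's offset, length and best-effort decoded content.
function findHiddenPayloads(source) {
  const fillerRun = /[\u3164\uFFA0]{16,}/g;
  const findings = [];
  let match;
  while ((match = fillerRun.exec(source)) !== null) {
    const run = match[0];
    const a = decodeRun(run, HANGUL_FILLER, HALFWIDTH_HANGUL_FILLER);
    const b = decodeRun(run, HALFWIDTH_HANGUL_FILLER, HANGUL_FILLER);
    const decoded = printableRatio(a) >= printableRatio(b) ? a : b;
    findings.push({ offset: match.index, length: run.length, decoded });
  }
  return findings;
}

// Constructed sample input: hides a harmless string the way the article
// describes, replacing every bit of every byte with an invisible filler.
function encodeInvisible(text) {
  let out = "";
  for (const ch of text) {
    const bits = ch.charCodeAt(0).toString(2).padStart(8, "0");
    for (const bit of bits) out += bit === "0" ? HANGUL_FILLER : HALFWIDTH_HANGUL_FILLER;
  }
  return out;
}

// Constructed script: an object property holding the invisible string and a
// Proxy with a get() trap, mirroring the structure the article describes.
const SAMPLE_SCRIPT =
  'const cfg = { name: "' + encodeInvisible("console.log('hidden')") + '" };\n' +
  "const p = new Proxy(cfg, { get: (t, k) => t[k] });\n";

// Stand-alone run: report what the scanner finds in the constructed sample.
for (const f of findHiddenPayloads(SAMPLE_SCRIPT)) {
  console.log(`offset ${f.offset}, ${f.length} filler chars -> ${JSON.stringify(f.decoded)}`);
}
```

Running the block prints one finding whose decoded content is the harmless string hidden in the sample. In practice a scanner like this belongs in a web proxy, mail gateway or CI check that inspects script bodies; the 16-character threshold is low so that even short hidden strings surface, and the printable-ratio heuristic avoids hard-coding a bit assignment that an attacker could simply invert.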
💡 Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.