Agentic AI with Social Engineering, JavaScript Stealer and the Silent Lynx

Notable security news for the week of Feb 2nd – Feb 8th, 2025. This week's editor is Lior from F5 SIRT. The cybersecurity world is changing quickly, and organizations face more advanced threats and vulnerabilities across different attack surfaces. Critical security flaws, like the recently patched Cisco ISE vulnerabilities, highlight the risks posed by privilege escalation and remote code execution. Meanwhile, advanced threat actors like Silent Lynx are running multi-stage cyberattacks that chain PowerShell, GoLang, and C++ loaders to get into government and financial institutions, a sign that they are increasingly focused on espionage. Cybercriminals are using AI to automate phishing, malware creation, and large-scale fraud, which makes it harder for Security Operations Center (SOC) analysts to keep up with the volume of alerts and manual processes. To counter these challenges, organizations are increasingly adopting AI-driven security solutions to improve efficiency, automate threat detection, and strengthen their overall cyber resilience. The arms race between attackers and defenders continues, making proactive security strategies more critical than ever.


Application Security

How Agentic AI will be Weaponized for Social Engineering Attacks

The article "How Agentic AI will be Weaponized for Social Engineering Attacks" discusses the escalating threat of social engineering attacks enhanced by advancements in artificial intelligence (AI), particularly agentic AI. Agentic AI refers to AI systems capable of autonomous actions and decision-making, enabling them to execute complex tasks without human intervention.

Key Points:

  1. Personalized Phishing: AI algorithms can analyze data from social media and open-source intelligence (OSINT) to craft highly personalized and convincing spear-phishing attacks. By understanding an individual's background, interests, employment, and connections, AI can generate tailored messages that increase the likelihood of deceiving the target.
  2. Contextual Content Creation: Tools like ChatGPT and Copilot assist in drafting phishing emails that are grammatically correct, contextually appropriate, and translatable into any local language. AI can mimic specific writing styles or tones, making fraudulent communications appear legitimate and trustworthy.
  3. Realistic Deepfakes: Threat actors utilize deepfake technology to create convincing virtual personas and audio clones of senior executives or trusted business partners. These deepfakes can deceive employees into sharing sensitive information, transferring funds, or granting access to organizational networks.
  4. Multi-Stage Campaigns: Agentic AI can orchestrate complex, multi-stage social engineering attacks. For instance, an initial phishing attempt might gather minor information from a target, which the AI then uses to inform subsequent actions, creating a dynamic and evolving attack strategy.

The article emphasizes that as AI continues to evolve, particularly with the rise of agentic AI capable of autonomous decision-making, the sophistication and effectiveness of social engineering attacks are likely to increase. Organizations must remain vigilant and adopt advanced security measures to counter these evolving threats.

https://www.securityweek.com/how-agentic-ai-will-be-weaponized-for-social-engineering-attacks/


Cross-Platform JavaScript Stealer Targets Crypto Wallets in New Lazarus Group Campaign

The article "Cross-Platform JavaScript Stealer Targets Crypto Wallets in New Lazarus Group Campaign" highlights a sophisticated phishing operation by the North Korea-linked Lazarus Group, targeting professionals in the cryptocurrency and travel sectors.

Attack Overview:

  1. Initial Contact: The attackers initiate contact through professional networks like LinkedIn, offering enticing job opportunities with promises of remote work, flexible hours, and attractive compensation.
  2. Data Collection: Once the target shows interest, the attackers request personal information such as resumes or GitHub repository links, under the pretense of the recruitment process.
  3. Malicious Code Deployment: The attackers then share a link to a GitHub or Bitbucket repository containing a supposed decentralized exchange (DEX) project. Within this code lies an obfuscated script designed to download a JavaScript-based information stealer from a remote server.

Malware Capabilities:

  • Data Harvesting: The JavaScript stealer is engineered to extract information from various cryptocurrency wallet extensions installed in the victim's browser.
  • Secondary Payload Delivery: Beyond data theft, the stealer functions as a loader, deploying a Python-based backdoor that monitors clipboard activity, maintains persistent remote access, and facilitates the installation of additional malware.

Technical Insights:

Bitdefender's analysis shows that this campaign shares similarities with a known attack cluster dubbed "Contagious Interview," which employs a JavaScript stealer named BeaverTail and a Python implant called InvisibleFerret. The evolving tactics and malware variants suggest that the threat actors are continuously refining their methods to enhance effectiveness.

Conclusion:

This campaign underscores the increasing sophistication of social engineering attacks, particularly those targeting individuals in the cryptocurrency sector. Professionals are advised to exercise caution when approached with unsolicited job offers and to scrutinize any shared code repositories for malicious content.

https://thehackernews.com/2025/02/cross-platform-javascript-stealer.html


Cisco Patches Critical ISE Vulnerabilities Enabling Root CmdExec and PrivEsc

Cisco has released updates to address two critical vulnerabilities in its Identity Services Engine (ISE) that could allow remote attackers to execute arbitrary commands and elevate privileges on affected devices.

Vulnerabilities:

  1. CVE-2025-20124 (CVSS score: 9.9): An insecure Java deserialization vulnerability in a Cisco ISE API could permit an authenticated, remote attacker to execute arbitrary commands as the root user on an affected device.
  2. CVE-2025-20125 (CVSS score: 9.1): An authorization bypass vulnerability in a Cisco ISE API could allow an authenticated, remote attacker with valid read-only credentials to obtain sensitive information, change node configurations, and restart the node.

Both flaws are triggered by sending a crafted serialized Java object or an HTTP request to an unspecified API endpoint; successful exploitation results in privilege escalation and arbitrary code execution on the affected node.

https://thehackernews.com/2025/02/cisco-patches-critical-ise.html


Silent Lynx Using PowerShell, Golang, and C++ Loaders in Multi-Stage Cyberattacks

The article "Silent Lynx Using PowerShell, Golang, and C++ Loaders in Multi-Stage Cyberattacks" discusses a previously undocumented threat actor, dubbed Silent Lynx, targeting entities in Kyrgyzstan and Turkmenistan.

Key Points:

  • Targeted Entities: Silent Lynx has been linked to attacks on embassies, lawyers, government-backed banks, and think tanks in Eastern Europe and Central Asia, particularly those involved in economic decision-making and the banking sector.
  • Attack Vectors: The group employs spear-phishing emails containing RAR archive attachments to deliver malicious payloads.
    • Campaign 1: Detected on December 27, 2024, this campaign uses a RAR archive that launches an ISO file containing a malicious C++ binary and a decoy PDF. The executable runs a PowerShell script that utilizes Telegram bots for command execution and data exfiltration.
    • Campaign 2: This campaign involves a malicious RAR archive with a decoy PDF and a GoLang executable, which establishes a reverse shell to an attacker-controlled server.
  • Tactics and Tools: Silent Lynx demonstrates a sophisticated multi-stage attack strategy using ISO files, C++ loaders, PowerShell scripts, and GoLang implants. They rely on Telegram bots for command and control and employ decoy documents to facilitate their operations.
  • Regional Focus: The group's activities highlight a focus on espionage in Central Asia and SPECA (Special Programme for the Economies of Central Asia) nations.

Seqrite Labs has observed some tactical overlaps between Silent Lynx and YoroTrooper (aka SturgeonPhisher), another threat actor targeting Commonwealth of Independent States (CIS) countries using PowerShell and Golang tools.

This analysis underscores the evolving tactics of threat actors in the region and the importance of robust cybersecurity measures to counter such sophisticated multi-stage attacks.
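A detection-side illustration of the Telegram-bot C2 described above, added here as an example and not taken from the Seqrite Labs report: it parses constructed Sysmon-style network-connection (Event ID 3) lines and flags script hosts or binaries in user-writable paths talking to the Telegram API, while excluding interactive browsers. The log format, the sample events and the process lists are assumptions for the demo.

```python
import re
from dataclasses import dataclass

# Constructed Sysmon-style Event ID 3 (network connection) lines; not real telemetry.
SAMPLE_EVENTS = [
    r"2025-01-08T09:12:44 EventID=3 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe DestinationHostname=api.telegram.org DestinationPort=443",
    r"2025-01-08T09:12:51 EventID=3 Image=C:\Program Files\Mozilla Firefox\firefox.exe DestinationHostname=web.telegram.org DestinationPort=443",
    r"2025-01-08T09:13:02 EventID=3 Image=C:\Users\alice\AppData\Local\Temp\report.exe DestinationHostname=api.telegram.org DestinationPort=443",
    r"2025-01-08T09:13:10 EventID=3 Image=C:\Windows\System32\svchost.exe DestinationHostname=update.microsoft.com DestinationPort=443",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=3 Image=(?P<image>.+?) "
    r"DestinationHostname=(?P<host>\S+) DestinationPort=(?P<port>\d+)$"
)

# Script hosts that have no business talking to the Telegram Bot API from a workstation.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Interactive browsers: a user opening web.telegram.org is benign and is excluded.
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe"}
# User-writable locations where a dropped loader typically lands (lower-cased match).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")

@dataclass
class Alert:
    ts: str
    image: str
    host: str
    severity: str
    reason: str

def classify(ts, image, host):
    """Return an Alert for a Telegram connection from an unexpected process, else None."""
    exe = image.rsplit("\\", 1)[-1].lower()
    if not (host == "telegram.org" or host.endswith(".telegram.org")):
        return None
    if exe in BROWSERS:
        return None
    if exe in SCRIPT_HOSTS:
        return Alert(ts, image, host, "high", f"{exe} connecting to Telegram (possible bot C2)")
    if any(p in image.lower() for p in USER_WRITABLE):
        return Alert(ts, image, host, "medium", "binary in user-writable path connecting to Telegram")
    return Alert(ts, image, host, "low", "unexpected process connecting to Telegram")

def detect(lines):
    """Parse Event ID 3 lines and collect alerts in log order; unparsable lines are skipped."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            a = classify(m["ts"], m["image"], m["host"])
            if a:
                alerts.append(a)
    return alerts

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.ts} {a.image} -> {a.host}: {a.reason}")
```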

https://thehackernews.com/2025/02/silent-lynx-using-powershell-golang-and.html


SOC Analysts - Reimagining Their Role Using AI

Security Operations Center (SOC) analysts are facing increasing challenges, from overwhelming alert volumes to advanced AI-driven cyber threats. Many analysts experience burnout due to repetitive tasks and alert fatigue, leading to high turnover rates. Meanwhile, attackers are using AI for phishing, malware development, and automated vulnerability exploitation. To combat these threats, modern SOCs are integrating AI-powered solutions to automate triage, streamline workflows, and enhance overall cybersecurity resilience.

https://thehackernews.com/2025/01/soc-analysts-reimagining-their-role.html


Cyber Insights 2025: OT Security

The article "Cyber Insights 2025: OT Security" from SecurityWeek delves into the evolving landscape of Operational Technology (OT) cybersecurity, emphasizing the heightened risks and unique challenges associated with OT systems.

Key Highlights:

  1. Distinct Nature of OT Systems: OT encompasses hardware and software that manage physical devices in industrial settings, including ICS, SCADA systems, IoT devices, programmable logic controllers, and Human-Machine Interfaces (HMIs). These systems are integral to critical infrastructure sectors, making their security paramount.
  2. Elevated Risks Compared to IT: The article underscores that OT risks surpass those in traditional IT environments. Potential consequences of OT security breaches include social disruption, physical harm to individuals, economic damage, and threats to national security.
  3. Anticipated Trends for 2025:
    • Advancements in Defender Strategies: As legacy equipment is phased out and replaced with modern systems, default security measures are expected to improve, reducing vulnerabilities like easily compromised credentials.
    • Evolution of Attacker Tools: Concurrently, cyber adversaries are anticipated to enhance their tools and techniques. A successful breach could lead to sophisticated network implants, posing significant challenges for OT security teams.

In summary, the article highlights the dynamic and escalating challenges in OT cybersecurity, emphasizing the need for continuous adaptation and vigilance to safeguard critical infrastructure.

https://www.securityweek.com/cyber-insights-2025-ot-security/


Published Feb 11, 2025
Version 1.0