BYOEDR, Undetectable backdoor, WhoFi, Cyberattack to airline, and Clickjacking vulnerability

Notable news for the week of July 27 - August 2, 2025. This week, your editor is Koichi from the F5 Security Incident Response Team. In this edition I have security news about BYOEDR, an undetectable backdoor, WhoFi, a cyberattack on an airline, and a clickjacking vulnerability, and I have arranged the articles in the form of a word-association game: a phrase from each item leads into the next.

Black Hat USA and DEFCON will be held next week. I won't be able to go, but if you are going, have fun.

We at F5 SIRT invest a lot of time to understand the frequently changing behavior of bad actors. Bad actors are a threat to your business, your reputation, your livelihood. That’s why we take the security of your business seriously. When you’re under attack, we’ll work quickly to effectively mitigate attacks and vulnerabilities, and get you back up and running. So the next time you are facing a security emergency, please contact F5 SIRT.

 

BYOEDR  

"changing behavior of bad actors" reminds me of this news:

Security researchers Mike Manrod and Ezra Woods have described a worrying new attack technique they call "Bring Your Own Endpoint Detection and Response (BYOEDR)". The attacker obtains a free trial edition of a commercial EDR product, installs it on a compromised host and uses it to disable the security solution that is already deployed there. Because nothing but legitimate vendor software runs, the technique works as an antivirus/EDR evasion step that does not require any custom tooling.

They demonstrated that Cisco Secure Endpoint (formerly AMP for Endpoints) could be installed and configured to disable both CrowdStrike Falcon and Elastic Defend without triggering alerts and without generating any telemetry beyond the host going offline. The technique fits a broader pattern of adversaries abusing legitimate Remote Monitoring and Management (RMM) tools instead of bringing their own malware; the 2024 CrowdStrike Threat Hunting Report notes a 70% year-over-year increase in such RMM abuse.

For mitigation, the article recommends application control (allowlisting) so that only the sanctioned EDR and RMM agents can be installed, custom Indicators of Attack (IOAs) that fire on the installation of any other EDR or RMM product, and application-aware firewalls that block the installers and consoles of unauthorized products from reaching the network. One check worth adding: in the demonstration the only signal was the host going offline, so a sudden, silent loss of telemetry from an endpoint should itself be treated as an alertable event rather than a connectivity blip.
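As an added example of the custom-IOA idea (this is not code from the cited research or from any vendor), the script below scans process-creation events for two things: an EDR or RMM agent that is not on the sanctioned list being installed, and the sanctioned agent being invoked with an uninstall flag. The log lines, the installer signatures in AGENT_SIGNATURES and the sanctioned-agent set are constructed assumptions for illustration; a real table would come from your software inventory.

```python
"""Detection logic for the BYOEDR / RMM-abuse pattern: flag process-creation
events that install an EDR or RMM agent nobody sanctioned, or that look like a
tamper attempt against the agent that is sanctioned.

Added example for this newsletter; it is not code from the cited research or
from any vendor. The log lines, installer signatures and sanctioned-agent set
below are constructed assumptions for illustration.
"""
import json
import re

# Illustrative signatures: case-insensitive substrings expected in the image
# path or command line of each product's installer or agent (assumed values;
# build the real table from your software inventory).
AGENT_SIGNATURES = {
    "cisco_secure_endpoint": ["amp_installer", "ciscoamp", "cisco secure endpoint"],
    "crowdstrike_falcon": ["windowssensor", "csfalcon", "csagent"],
    "elastic_defend": ["elastic-agent", "elastic-endpoint"],
    "anydesk": ["anydesk"],
    "screenconnect": ["screenconnect", "connectwisecontrol"],
}

# Command-line fragments that suggest an agent is being removed (assumed).
TAMPER_FLAGS = re.compile(r"(?i)(?:/|--?)(?:uninstall|remove)\b|msiexec\S*\s+/x\b")


def identify_product(text):
    """Return the product key whose signature appears in text, else None."""
    t = text.lower()
    for product, needles in AGENT_SIGNATURES.items():
        if any(n in t for n in needles):
            return product
    return None


def analyze_events(log_lines, sanctioned):
    """Scan JSON process-creation events and return (id, product, verdict) tuples.

    sanctioned: set of product keys that are approved on this estate.
    Verdicts: 'unsanctioned_agent_install' for any other EDR/RMM product seen
    running, 'sanctioned_agent_tamper' when the approved agent is invoked with
    an uninstall/remove flag. Normal service starts of the approved agent pass.
    """
    findings = []
    for line in log_lines:
        ev = json.loads(line)
        haystack = f"{ev.get('image', '')} {ev.get('command_line', '')}"
        product = identify_product(haystack)
        if product is None:
            continue
        if product not in sanctioned:
            findings.append((ev["id"], product, "unsanctioned_agent_install"))
        elif TAMPER_FLAGS.search(ev.get("command_line", "")):
            findings.append((ev["id"], product, "sanctioned_agent_tamper"))
    return findings


# Constructed sample telemetry (Sysmon-like fields, not real captures).
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"id": 1, "image": r"C:\Users\bob\Downloads\amp_installer.exe",
     "command_line": "amp_installer.exe /S", "user": "CORP\\bob"},
    {"id": 2, "image": r"C:\Users\bob\Downloads\WindowsSensor.exe",
     "command_line": "WindowsSensor.exe /uninstall /quiet", "user": "CORP\\bob"},
    {"id": 3, "image": r"C:\Program Files\CrowdStrike\CSFalconService.exe",
     "command_line": "CSFalconService.exe", "user": "NT AUTHORITY\\SYSTEM"},
    {"id": 4, "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe notes.txt", "user": "CORP\\bob"},
    {"id": 5, "image": r"C:\Users\bob\AppData\Local\Temp\AnyDesk.exe",
     "command_line": "AnyDesk.exe --install", "user": "CORP\\bob"},
]]

if __name__ == "__main__":
    for finding in analyze_events(SAMPLE_EVENTS, {"crowdstrike_falcon"}):
        print(finding)
```

With CrowdStrike Falcon as the only sanctioned agent, events 1 (a Cisco trial installer), 2 (Falcon invoked with /uninstall) and 5 (an RMM tool) are reported, while the normal Falcon service start and notepad pass. The point of keying on product signatures rather than file hashes is that a trial installer is legitimate, signed software that a hash-based blocklist will never contain.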

Source: Hackers Exploit EDR Free Trials to Bypass Protection and Disable Security Features

Source: Hackers Weaponizing Free Trials of EDR to Disable Existing EDR Protections

 

Undetectable backdoor  

"evade antivirus detection" reminds me of this news:

Security researchers have discovered a sophisticated Linux backdoor named "Plague" that evaded detection by every antivirus engine for more than a year. The malware is built as a Pluggable Authentication Module (PAM), which lets it hook the system's authentication path, silently bypass it for the attacker, and maintain persistent SSH access while logins for everyone else appear to work normally.

The most significant concern is its ability to evade antivirus detection: although multiple variants were uploaded to VirusTotal (an online scanning service that runs submissions through more than 60 antivirus engines) between July 2024 and March 2025, not one of the 66 engines flagged any of them as malicious.

Plague's string obfuscation has evolved across variants, from simple XOR-based encoding to routines that resemble the Key Scheduling Algorithm (KSA) and Pseudo-Random Generation Algorithm (PRGA) that together make up the RC4 stream cipher. The latest variant adds a Deterministic Random Bit Generator (DRBG) layer on top to make analysis more difficult.
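To make the KSA/PRGA description concrete, here is an added example of the layering an analyst has to peel back: a single-byte XOR wrapped in an RC4 keystream, where RC4 is exactly a KSA followed by a PRGA. This is not Plague's own routine and not the researchers' Unicorn/IDA tool; the key, XOR byte, layer order and the string table are constructed assumptions, and the RC4 implementation is the standard algorithm.

```python
"""String de-obfuscation in the style described for Plague: a single-byte XOR
layer wrapped in an RC4-style keystream (RC4 is exactly a Key Scheduling
Algorithm followed by a Pseudo-Random Generation Algorithm).

Added example for this newsletter; it is not Plague's own routine nor the
researchers' Unicorn/IDA tool. The key, XOR byte, layer order and the string
table below are constructed assumptions.
"""


def rc4_ksa(key):
    """KSA: derive the 256-byte state permutation S from the key bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_prga(S, n):
    """PRGA: produce n keystream bytes by walking and swapping a copy of S."""
    S = S[:]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4(key, data):
    """Encrypt or decrypt data (RC4 is symmetric) under key."""
    keystream = rc4_prga(rc4_ksa(key), len(data))
    return bytes(a ^ b for a, b in zip(data, keystream))


def xor_layer(data, k):
    """Single-byte XOR, the early-variant style of obfuscation."""
    return bytes(b ^ k for b in data)


def obfuscate(plain, key, xor_key):
    """Assumed layering: XOR first, then RC4 over the result."""
    return rc4(key, xor_layer(plain, xor_key))


def deobfuscate(blob, key, xor_key):
    """Undo the layers in reverse order."""
    return xor_layer(rc4(key, blob), xor_key)


def recover_strings(table, key, xor_key):
    """Decode every blob in an obfuscated string table; this is the kind of
    dump an analyst's emulation helper produces once key and routine are known."""
    return [deobfuscate(b, key, xor_key).decode("utf-8", "replace") for b in table]


# Constructed sample: strings a PAM backdoor might hide (not from the real sample).
SAMPLE_KEY = b"\x13\x37\xc0\xde"
SAMPLE_XOR = 0x5A
SAMPLE_STRINGS = [b"pam_sm_authenticate", b"/etc/pam.d/sshd", b"backdoor-password-placeholder"]
SAMPLE_TABLE = [obfuscate(s, SAMPLE_KEY, SAMPLE_XOR) for s in SAMPLE_STRINGS]

if __name__ == "__main__":
    for blob, text in zip(SAMPLE_TABLE, recover_strings(SAMPLE_TABLE, SAMPLE_KEY, SAMPLE_XOR)):
        print(blob.hex(), "->", text)
```

The practical lesson is why a string-based YARA rule alone is fragile here: none of the plaintext survives in the binary, so a detection built on the obfuscation routine itself (the KSA's 256-byte swap loop and the PRGA's characteristic index arithmetic) or on runtime behaviour is more durable than one built on decoded strings.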

To detect it, the researchers developed specialized tooling: a custom string de-obfuscation utility built on the Unicorn emulation framework and run inside IDA Pro, plus YARA detection rules.

This case underscores the importance of proactive threat hunting with behavioral analysis and purpose-built detection tools beyond traditional signature-based antivirus, for example DNN-based (deep neural network) malware detection. It also argues for auditing the PAM stack directly: a PAM backdoor has to exist as a module file on disk and be referenced from the PAM configuration, and both can be compared against what the package manager actually installed.
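The following is an added example of that PAM-stack audit (not the researchers' tooling): it parses pam.d-style configuration for referenced modules, lists pam_*.so files in the usual library directories, and asks dpkg or rpm who owns each file. The sample configuration, the on-disk file list and the sample_owner() stand-in used in the demo are constructed; audit() runs the real package-manager queries only when those tools are present, and the library paths are common defaults you may need to adjust.

```python
"""Hunt for PAM modules that no package owns. A PAM-based backdoor like the
one above must exist as a pam_*.so on disk and be referenced from a
/etc/pam.d configuration line, so both can be compared against what the
package manager installed.

Added example for this newsletter, not the researchers' tooling. The sample
configuration and the owner lookup used in the demo are constructed; the
live audit() runs dpkg -S or rpm -qf only when those tools exist.
"""
import os
import shutil
import subprocess


def referenced_modules(pam_config_text):
    """Return the set of module file names referenced by pam.d-style lines.

    Handles 'type control module [args]', bracketed controls such as
    '[success=1 default=ignore]', a leading '-' on the type, '@include' lines,
    comments and blank lines.
    """
    mods = set()
    for raw in pam_config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        idx = 1  # control field
        if fields[idx].startswith("["):
            while idx < len(fields) and not fields[idx].endswith("]"):
                idx += 1
        idx += 1  # module field
        if idx < len(fields):
            mods.add(os.path.basename(fields[idx]))
    return mods


def packaged_owner(path):
    """Ask dpkg or rpm which package owns path; None if unowned or no tool."""
    if shutil.which("dpkg"):
        r = subprocess.run(["dpkg", "-S", path], capture_output=True, text=True)
        return r.stdout.split(":", 1)[0].strip() if r.returncode == 0 else None
    if shutil.which("rpm"):
        r = subprocess.run(["rpm", "-qf", path], capture_output=True, text=True)
        return r.stdout.strip() if r.returncode == 0 else None
    return None


def classify_modules(module_files, owner_lookup):
    """Map module file name -> 'packaged' or 'unpackaged' via owner_lookup(path)."""
    return {os.path.basename(p): ("packaged" if owner_lookup(p) else "unpackaged")
            for p in module_files}


def report(referenced, status):
    """Combine config references with on-disk ownership into hunt findings."""
    return {
        # Referenced from config and not owned by any package: top priority.
        "referenced_unpackaged": sorted(m for m in referenced if status.get(m) == "unpackaged"),
        # Referenced but not found in the scanned library directories.
        "referenced_missing": sorted(m for m in referenced if m not in status),
        # On disk without a package owner, whether referenced or not.
        "unpackaged_on_disk": sorted(m for m, s in status.items() if s == "unpackaged"),
    }


def audit(pam_d_dir="/etc/pam.d",
          lib_dirs=("/lib/security", "/lib64/security",
                    "/lib/x86_64-linux-gnu/security", "/usr/lib64/security")):
    """Live audit of this host (paths are common defaults; adjust per distro)."""
    cfg = ""
    for name in sorted(os.listdir(pam_d_dir)):
        path = os.path.join(pam_d_dir, name)
        if os.path.isfile(path):
            with open(path, errors="replace") as f:
                cfg += f.read() + "\n"
    on_disk = [os.path.join(d, f) for d in lib_dirs if os.path.isdir(d)
               for f in os.listdir(d) if f.startswith("pam_") and f.endswith(".so")]
    return report(referenced_modules(cfg), classify_modules(on_disk, packaged_owner))


# Constructed demo input (not a real host's configuration).
SAMPLE_PAM_CONF = """
# /etc/pam.d/sshd (constructed)
auth       required     pam_env.so
auth       [success=1 default=ignore] pam_unix.so nullok
auth       optional     pam_suspect.so   # no package owns this one
@include   common-account
-session   optional     pam_systemd.so
"""
SAMPLE_ON_DISK = ["/lib/security/pam_env.so", "/lib/security/pam_unix.so",
                  "/lib/security/pam_suspect.so", "/lib/security/pam_rootok.so"]


def sample_owner(path):
    """Stand-in for packaged_owner(): everything is owned except pam_suspect.so."""
    return None if "pam_suspect" in path else "libpam-modules"


if __name__ == "__main__":
    print(report(referenced_modules(SAMPLE_PAM_CONF),
                 classify_modules(SAMPLE_ON_DISK, sample_owner)))
```

Two caveats for live use: on merged-/usr distributions dpkg -S may only recognise the /usr-prefixed path, so resolve symlinks before querying, and a packaged file can still have been overwritten in place, so pair this with dpkg --verify or rpm -V to compare on-disk hashes with the package database. A module that is referenced from configuration but owned by no package is the finding to escalate first.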

Source: New Undetectable Plague Malware Targeting Linux Servers for Persistent SSH Access

Source: Plague: A Newly Discovered PAM-Based Backdoor for Linux

 

Identify a person via Wi-Fi Channel Signal Encoding (WhoFi)

"DNN" reminds me of this news:

Danilo Avola et al. published a paper titled “WhoFi: Deep Person Re-Identification via Wi-Fi Channel Signal Encoding” that proposes a person re-identification (re-ID) technique using Wi-Fi Channel State Information (CSI) and a modular Deep Neural Network (DNN). The paper claims that a person can be identified from CSI obtained at the Wi-Fi physical layer, and that the same approach could serve as biometric authentication while protecting the person's privacy, since no image of them is captured.

Objects in the path of Wi-Fi propagation can be sensed because they alter the physical characteristics of the radio waves. When the waves reach a person's body, internal structures such as bones and organs and the overall body composition interact with the propagation, producing a person-specific distortion of the signal that acts as a unique signature and can therefore be used as a biometric. It sounds similar to the body scanners used for passenger screening at an airport.

In this paper the phenomenon is used to re-identify people without relying on any visual information. Two TP-Link N750 routers and a PyTorch model were used for the proof of concept, which attempted to identify 14 people. The Transformer-based encoder achieved a mean Average Precision (mAP) of 88.4%, an excellent result, and the paper claims the work establishes a valuable baseline for future research in CSI-based person re-identification.

Source: WhoFi: Deep Person Re-Identification via Wi-Fi Channel Signal Encoding

Source: (Japanese article)

 

Cyber Attack Campaign Against Russian National Flag Carrier

"airport" reminds me of this news:

On July 28, Russia's state-owned airline Aeroflot suffered massive disruption from a cyberattack claimed by two pro-Ukrainian hacker groups, and was forced to cancel 50 round-trip flights. The groups, Silent Crow and the Belarusian Cyberpartisans, said the attack was the culmination of a year-long operation in which they destroyed 7,000 servers and gained access to the personal computers of employees, including senior managers. They threatened to release the personal data of all Aeroflot passengers and communications intercepted from staff. Passengers were left stranded at Moscow’s Sheremetyevo Airport.

Of course the passengers were expressing frustration at the delays; however, former Aeroflot pilot Andrei Litvinov told Reuters that the more serious consequence lies elsewhere: “These are losses, huge losses for a state-owned company. If all the correspondence, all the corporate data is exposed - this can have very long-term consequences ... First the drones, and now they are blowing up this situation from the inside."

This cyberattack on Aeroflot stands as one of the most significant cyberattacks in Russia since the Ukraine conflict began.

Source: Pro-Ukrainian hackers claim massive cyberattack on Russia's Aeroflot

 

Clickjacking vulnerability on Wi-Fi router

"TP-Link" reminds me of this news:

Japan's Information-technology Promotion Agency (IPA) warns that a clickjacking vulnerability exists in the TP-Link Archer C1200 Wi-Fi router.
A user who is logged in to the product's admin console may be tricked into performing an unintended operation by clicking on a UI element that an attacker's page has hidden, typically by loading the admin console in an invisible frame on top of a decoy page.

As the Archer C1200 is no longer supported and will not receive a fix, the recommended action is to stop using the product and migrate to a supported model.
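For administrators who want to check their own web consoles for the same weakness, here is an added example (not tooling from the JVN advisory) that decides whether a response can be framed by another origin and produces the hardened header set. It models the browser rules that matter in practice: a CSP frame-ancestors directive overrides X-Frame-Options when both are present, and the obsolete ALLOW-FROM value is ignored by current browsers and therefore offers no protection. The header sets are constructed, not captured from an Archer C1200.

```python
"""Decide whether an HTTP response can be framed by another origin, which is
the precondition for clickjacking, and produce the hardened header set.

Added example for this newsletter; it is not tooling from the JVN advisory and
the header sets below are constructed, not captured from an Archer C1200.
"""


def framing_policy(headers):
    """Return (verdict, reason) with verdict in blocked/same-origin/allowlist/open.

    Modeled browser rules: a Content-Security-Policy frame-ancestors directive
    takes precedence over X-Frame-Options when both are present; DENY and
    SAMEORIGIN are honoured; ALLOW-FROM is obsolete and ignored by current
    browsers, so it leaves the page framable.
    """
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in parts[1:]]
            if sources in ([], ["none"]):  # an empty source list matches nothing
                return "blocked", "CSP frame-ancestors 'none'"
            if sources == ["self"]:
                return "same-origin", "CSP frame-ancestors 'self'"
            return "allowlist", "CSP frame-ancestors " + " ".join(parts[1:])
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked", "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        return "same-origin", "X-Frame-Options: SAMEORIGIN"
    if xfo.startswith("ALLOW-FROM"):
        return "open", "X-Frame-Options ALLOW-FROM is obsolete and ignored"
    return "open", "no framing restriction"


def hardened_headers(headers):
    """Add frame-ancestors 'self' to the CSP (creating or extending it) and an
    X-Frame-Options: SAMEORIGIN fallback for browsers without CSP support."""
    out = dict(headers)
    csp_key = next((k for k in out if k.lower() == "content-security-policy"),
                   "Content-Security-Policy")
    csp = out.get(csp_key, "").strip()
    if "frame-ancestors" not in csp.lower():
        out[csp_key] = (csp.rstrip("; ") + "; " if csp else "") + "frame-ancestors 'self'"
    if not any(k.lower() == "x-frame-options" for k in out):
        out["X-Frame-Options"] = "SAMEORIGIN"
    return out


# Constructed header sets standing in for an embedded-device admin console.
UNPROTECTED = {"Content-Type": "text/html; charset=utf-8"}
LEGACY_ALLOW_FROM = {"X-Frame-Options": "ALLOW-FROM https://vendor.example"}
CSP_OVERRIDES_XFO = {"X-Frame-Options": "DENY",
                     "Content-Security-Policy": "default-src 'self'; frame-ancestors https://portal.example"}

if __name__ == "__main__":
    for name, hdrs in [("unprotected", UNPROTECTED), ("legacy", LEGACY_ALLOW_FROM),
                       ("csp-vs-xfo", CSP_OVERRIDES_XFO), ("hardened", hardened_headers(UNPROTECTED))]:
        print(name, framing_policy(hdrs))
```

Run against live responses (for example the headers from a curl -I of the admin page) the function tells you whether a console is framable. For a console you operate yourself, adding the hardened headers at a reverse proxy in front of it closes the gap; for an end-of-life device like the C1200 that will not get a firmware update, the check only confirms the advisory's conclusion that replacement is the fix.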

Source (Japanese): JVN39913189 

Published Aug 06, 2025
Version 1.0

1 Comment

  • WhoFi is very interesting. I've read about using WiFi as a way to perform object recognition, but wasn't aware they had gone as far as using it as a form of biometric authentication.