Bulletins //

NormCyber Threat Bulletin: 04th June 2025

9 Min Read

ConnectWise breached in cyber attack linked to nation-state hackers

ConnectWise, a prominent IT management software provider, has confirmed a cyber attack attributed to a sophisticated nation-state actor. The breach affected a limited number of customers using its ScreenConnect remote access tool. The company has engaged forensic experts from Mandiant to investigate the incident and is collaborating with law enforcement agencies.

Details of the Breach
The attack exploited two critical vulnerabilities in the ScreenConnect software:

  • CVE-2024-1709: An authentication bypass vulnerability
  • CVE-2024-1708: A path traversal vulnerability which may allow an attacker the ability to execute remote code or directly impact confidential data or critical systems.

These flaws allowed attackers to gain unauthorised access to systems, deploy malware, and potentially exfiltrate data. Security researchers observed various threat actors, including the LockBit ransomware gang, exploiting these vulnerabilities.

ConnectWise’s Response
Upon discovering the breach, ConnectWise promptly initiated an investigation and implemented enhanced monitoring across its network. The company has patched the identified vulnerabilities and is urging all on-premises customers to update their ScreenConnect installations to the latest version to mitigate potential risks.

Implications for Users
The exploitation of these vulnerabilities underscores the critical importance of timely software updates and robust cyber security practices. Organisations using ScreenConnect, especially those with on-premises deployments, should ensure they have applied the latest patches and review their security protocols to prevent unauthorised access.

Conclusion
This incident highlights the persistent threats posed by advanced cyber actors targeting widely used IT management tools. ConnectWise’s swift response and collaboration with cyber security experts aim to contain the breach and prevent further exploitation. Users are advised to stay vigilant, apply necessary updates, and monitor their systems for any unusual activity.

References:
ConnectWise breached in cyberattack linked to nation-state hackers (thebleepingcomputer.com)
The ConnectWise cyberattack just got a whole lot worse (techradar.com)
ConnectWise ScreenConnect critical CVE lures an array of threat actors(cybersecuritydrive.com)

TikTok Under Threat: Malware Campaigns Targeting Users

TikTok, the wildly popular short-form video platform, has become more than just a hub for viral dances and trends—it’s now a growing vector for cyber threats. Recent investigations by cyber security firms have uncovered a disturbing trend: cyber criminals are leveraging TikTok videos to distribute sophisticated malware, targeting unsuspecting users with phishing tactics and info-stealing payloads. This bulletin highlights the nature of the threat, the risks involved, and what users and organisations should do to stay safe.

Attack Details
According to reports from The Hacker News, Trend Micro, and Expel, attackers are embedding malicious links within TikTok video descriptions, comments, or profiles. These links often masquerade as free downloads, exclusive content, or trending tools. Once clicked, users are redirected to phishing sites or prompted to download malware-laced files.

One of the most concerning strains identified is Lactrodectus, a stealthy malware loader named after the black widow spider. As detailed by Expel, Lactrodectus can evade detection, establish persistence, and deliver secondary payloads such as information stealers. Trend Micro’s analysis further reveals that these campaigns are often disguised as legitimate promotions or giveaways, making them particularly effective at luring younger, less cyber aware audiences.

Risk
The risks are significant. Once infected, a user’s device can be compromised in several ways:

  • Credential Theft: Malware can harvest login details for banking, email, and social media accounts.
  • Data Exfiltration: Sensitive files and personal information can be silently extracted.
  • Device Control: Attackers may gain remote access, allowing them to spy, manipulate, or further infect the system.
  • Network Spread: In corporate environments, a single infected device can serve as a gateway to broader network compromise.

Given TikTok’s massive user base—especially amongst teens and young adults—this attack vector has the potential to scale rapidly.

Conclusion
This emerging threat underscores the evolving tactics of cyber criminals who are now exploiting social media platforms not just for scams, but for full-fledged malware distribution. TikTok users must exercise extreme caution when clicking on links, even if they appear in popular or verified accounts. Organisations should consider implementing DNS filtering, endpoint protection, and user awareness training focused on social media threats.

As attackers continue to innovate, so must our defences. Stay vigilant, stay informed—and think before you click.

References:
Hackers Use TikTok Videos to Distribute Vidar and StealC Malware via ClickFix Technique (thehackernews.com)
Following the spiders: Investigating Lactrodectus malware (expel.com)
TikTok Videos Promise Pirated Apps, Deliver Vidar and StealC Infostealers Instead (trendmicro.com)

D-Link Routers Under Threat: Hard-Coded Telnet Credentials Create Critical Security Backdoors

Recent revelations have once again put D-Link routers in the spotlight for critical security vulnerabilities, specifically those stemming from hard-coded Telnet credentials. This long-standing issue in networking hardware, where fixed login details are embedded directly into a device’s firmware, creates persistent backdoors that malicious actors can exploit to gain unauthorised control.

The Heart of the Problem: Hard-Coded Credentials
Hard-coded credentials are essentially “master keys” built into a device during manufacturing, often for debugging or factory testing. The critical flaw arises when these credentials are not removed or secured before the product ships to consumers. If discovered by attackers – often through reverse-engineering firmware or simply through leaked information – these credentials can allow unauthenticated access to the device’s command-line interface (CLI) via Telnet.

Telnet, being an unencrypted protocol, makes this even more dangerous. Any attacker who can access the router via Telnet can potentially intercept network traffic, change router settings, redirect users to malicious sites, or even use the router as a launchpad for further attacks on other devices within the network or beyond.

Affected Models and Recent Disclosures
While hard-coded credentials have plagued various D-Link models over the years (with some past instances dating back to 2013 and 2016 involving models like DIR-100, DIR-850L, and DWR-932B), new advisories issued in late 2024 and early 2025 highlight fresh concerns for their newer Wi-Fi 6 routers.

Specifically, critical and high-severity vulnerabilities related to hard-coded Telnet credentials have been identified, including:

  • CVE-2024-45697 (CVSS 9.8 – Critical): This flaw allows unauthorised remote attackers to log in and execute OS commands using hard-coded credentials when the Telnet service is enabled (often automatically when the WAN port is connected).
  • CVE-2024-45698 (CVSS 9.8 – Critical): Similarly, this involves hard-coded credentials in the Telnet service, allowing unauthenticated remote attackers to log in and execute arbitrary OS commands due to improper input validation.
  • CVE-2024-45696 (CVSS 8.8 – High): In some models, hidden functionality allows an attacker to forcibly enable the Telnet service by sending specific packets to the web service. Once enabled, hard-coded credentials can be used for login, though access may be limited to the local network.
  • CVE-2025-46176 (CVSS 6.5 – Medium): Affecting models like DIR-605L v2.13B01 and DIR-816L v2.06B01, this allows attackers to remotely execute arbitrary commands via firmware analysis due to hardcoded Telnet credentials.

These vulnerabilities specifically impact several D-Link Wi-Fi 6 router models, including:

  • D-Link DIR-X4860 (hardware revision Ax with firmware v1.04B04_Hot-Fix or below)
  • D-Link DIR-X5460 (hardware revision Ax with firmware v1.11B01_Hot-Fix or below)
  • Non-US D-Link COVR-X1870 (hardware revision Ax with firmware v1.02 or below)

The Exploit in Action
Attackers can leverage these hard-coded credentials to bypass standard authentication mechanisms. In some cases, the Telnet service might be hidden or disabled by default but can be remotely activated through specific triggers, such as connecting the WAN port or sending carefully crafted packets. Once Telnet is active and an attacker knows the hard-coded credentials, they gain powerful access to the router’s underlying operating system, potentially leading to a full compromise of the device and the network it controls.

Mitigation and Recommendations
D-Link has acknowledged these vulnerabilities and released security updates to address them. Users and administrators of affected D-Link routers are strongly advised to take immediate action:

  1. Update Firmware Immediately: This is the most crucial step. D-Link has released patched firmware versions (e.g., v1.04B05 for DIR-X4860, v1.11B04 for DIR-X5460, and v1.03B01 for COVR-X1870). Check D-Link’s official support website for the latest firmware specific to your model.
  2. Disable Telnet: If Telnet access is not strictly necessary for your network management, disable it. Always prefer secure alternatives like SSH (Secure Shell) if remote CLI access is required.
  3. Change Default Credentials: While the hard-coded credentials cannot be changed, ensure that the regular administrator password for your router’s web interface is strong and unique.
  4. Restrict Access: Configure your router’s firewall to block incoming Telnet requests from the internet (WAN side). Ideally, Telnet access should only be allowed from trusted devices within your local network, if at all.
  5. Network Segmentation: For businesses, consider segmenting your network to limit the potential damage if a router is compromised.
  6. Stay Informed: Regularly check D-Link’s official security advisories and trusted cyber security news sources for updates on new vulnerabilities.

A Persistent Problem
The repeated emergence of hard-coded credentials in D-Link products, spanning across different router generations, highlights a systemic issue that continues to pose a significant risk to users. These vulnerabilities serve as a stark reminder that even seemingly innocuous features or testing mechanisms can become critical security holes if not properly handled before a product’s release. For consumers and enterprises alike, maintaining vigilance and promptly applying security updates remains paramount in the ongoing battle against cyber threats.

References:
D-Link fixes critical RCE, hardcoded password flaws in WiFi 6 routers (bleepingcomputer.com)
CVE-2025-46176 : Hardcoded credentials in the Telnet service in D-Link DIR-605L v2.13B01 and DIR (cvedetails.com)
D-Link Security Announcements (dlink.com)
CVE-2024-45696 (incibe.es)
MA-1160.102024: Critical Vulnerabilities in D-Link Routers (mycert.org)
CVE-2024-45698 (nvd.nist.gov)
CVE-2024-45697 (tenable.com)

Get Norm’s threat bulletin direct to your inbox

Norm tracks and monitors the latest security trends and cyber threats and collates these into a fortnightly threat bulletin.

You can receive this bulletin for free, every fortnight, by entering your business email address below:

Insights //

More of the latest insights & articles.

Password image for the blog One Password Away from Collapse

One Password Away from Collapse: The Ransomware Threat and the Urgency of Cyber Resilience

Blog
NormCyber shortlisted for PICCASO Awards’ 2025 Cyber Security Team of the Year

NormCyber shortlisted for PICCASO Awards’ 2025 Cyber Security Team of the Year

News
NormCyber appoints Mark Lee as Sales Director to spearhead enterprise market expansion

NormCyber appoints Mark Lee as Sales Director to spearhead enterprise market expansion

News
Data Sharing under UK GDPR: Key Considerations for Internal and External Sharing

Data Sharing under UK GDPR: Key Considerations for Internal and External Sharing

Blog

NormCyber Threat Bulletin: 03rd July 2025

Fortinet Engage Partner Program

NormCyber Achieves Advanced Partner Status with Fortinet

News
See All Insights