
Dragon Sight: Emerging Threats & Security Strategies

WEEK OF JUN 23, 2025 | ISSUE 12 | "Stay informed. Stay prepared. Stay secure with Dragon Sight"

In This Issue

North Korean hackers weaponized Calendly links to deliver malware, signaling a shift in social engineering tactics. Over 100,000 WordPress sites were exposed through a vulnerable plugin, highlighting ongoing CMS security risks. A dismantled infostealer ring with 20,000+ malicious IPs and a new Anubis ransomware kit featuring a data wiper raise serious concerns for endpoint defenses. Meanwhile, a Microsoft zero-day is being actively exploited by Stealth Falcon APT in Middle East espionage campaigns. And no, the so-called “16 billion credentials leak” isn’t a new breach but the reuse problem remains dangerously real.

CYBER NEWS ROUNDUP

Nexus-Dragon Cybersecurity Roundup: News Articles from Around the Web Relevant to the SMB

North Korean Hackers Using Weaponized Calendly Links
APT groups linked to North Korea are abusing Calendly—a popular scheduling tool—to deploy malware via fake event invitations. These phishing campaigns are increasingly difficult to detect, targeting professionals with convincing pretexts and clean URLs. Nexus-Dragon highlights this as a critical concern for SMBs, as attackers are exploiting everyday tools to bypass traditional defenses.
Read more: North Korean Hackers Using Weaponized Calendly Links

100,000 WordPress Sites Exposed Through Plugin Flaws
Over 100,000 WordPress sites are at risk due to critical vulnerabilities in the Bricks Builder plugin, enabling unauthenticated remote code execution. Attackers are exploiting these flaws to inject malware, steal data, or hijack websites. SMBs running WordPress should act quickly—Nexus-Dragon urges prompt patching and continuous plugin auditing to protect brand and customer trust.
Read more: 100,000 WordPress Sites Exposed

(ISC)² Report Reveals Cybersecurity Hiring Trends for 2025
The latest (ISC)² report forecasts high demand for cybersecurity professionals, with SMBs struggling to compete against enterprise salaries and benefits. There's a growing skills gap, especially in incident response, cloud security, and compliance roles. Nexus-Dragon stresses this insight for SMBs: investing in training and outsourcing security talent may be the only viable path forward.
Read more: (ISC)² Report 2025 Cybersecurity Hiring Trends

ClickFix Malware Ends with a Ransomware Bill
What starts as a fake “click-to-fix” prompt ends in full ransomware deployment, as attackers exploit user impatience with stealthy loaders. Once inside, threat actors encrypt files and demand payment, often weeks after initial compromise. Nexus-Dragon flags this as a warning for SMBs to improve employee awareness and endpoint detection response strategies.
Read more: Stories from the SOC: ClickFix and Chill? Now Here's the Ransomware Bill

Anubis Ransomware-as-a-Service Now Includes Data Wiper
The Anubis RaaS kit has been updated to include a built-in wiper, destroying data even if a ransom is paid. This raises the stakes for SMBs who rely on backups or assume restoration is possible post-attack. Nexus-Dragon stresses that recovery plans must include offline backups and tested incident response playbooks.
Read more: Anubis Ransomware-as-a-Service Kit Adds Data Wiper

Inside a Dark AdTech Empire Fed by Fake CAPTCHAs
A massive ad fraud operation has been uncovered, using deceptive CAPTCHA pages to generate fake clicks and harvest user data. The infrastructure spans over 1,000 domains and has siphoned revenue from advertisers while exposing users to malware. SMBs using online ads or hosting forms must scrutinize third-party scripts—Nexus-Dragon warns of growing risks in digital marketing ecosystems.
Read more: Inside a Dark AdTech Empire Fed by Fake CAPTCHAs

20,000 Malicious IPs Linked to Infostealer Ring Busted
Law enforcement dismantled a cybercriminal network running a vast infostealer campaign, leveraging over 20,000 IPs and targeting browser-stored credentials. The stolen data was sold in dark markets, affecting businesses of all sizes. Nexus-Dragon encourages SMBs to regularly purge browser-saved passwords and deploy credential monitoring tools.
Read more: Infostealer Ring Bust: 20,000 Malicious IPs

Researcher Finds Flaw to Discover Phone Numbers on Threads
A privacy flaw in Threads allowed researchers to uncover linked phone numbers via the app’s API, potentially exposing users to doxxing or scams. Although not maliciously exploited yet, the vulnerability underscores the importance of API hardening and privacy-by-design. Nexus-Dragon urges SMBs to evaluate partner APIs and educate staff on oversharing risks.
Read more: Researcher Found Flaw to Discover Phone Numbers on Threads

Stealth Falcon APT Exploits Microsoft Zero-Day
Stealth Falcon, a Middle Eastern APT group, is exploiting a new Microsoft RCE vulnerability to conduct surveillance operations. The attack is sophisticated and targeted, leveraging malware-laced documents to gain access. Nexus-Dragon flags this for SMBs with diplomatic, NGO, or legal exposure—patch aggressively and use threat intelligence feeds to stay ahead.
Read more: Stealth Falcon APT Exploits Microsoft RCE Zero-Day

No, the “16 Billion Credentials Leak” Isn’t a New Breach
Headlines claiming a 16-billion-record breach are misleading—this is an aggregation of old data from prior leaks. However, the threat is real due to password reuse, as attackers compile these records into searchable databases. Nexus-Dragon advises SMBs to mandate unique credentials and implement strong password policies immediately.
Read more: No, the 16 Billion Credentials Leak Is Not a New Data Breach

Why This Matters


This week’s developments reveal a stark reality: cyber threats are becoming more targeted, deceptive, and destructive. From North Korean operatives weaponizing everyday tools like Calendly to mass exploitation of WordPress plugins and ad fraud campaigns leveraging fake CAPTCHAs, attackers are shifting toward stealthy, trust-based infiltration methods. The resurgence of infostealers and the evolution of ransomware-as-a-service kits, now bundling destructive data wipers, signal a dangerous escalation aimed at long-term damage, not just fast ransom payouts. Meanwhile, critical zero-day vulnerabilities exploited by APTs like Stealth Falcon, and recent CISA advisories on exploited ICS and enterprise software, highlight growing risks to public infrastructure and SMBs alike.

Nexus-Dragon sees a clear message for the small and mid-sized business sector: cybercriminals are no longer just targeting the enterprise. They’re going after the vulnerable, the distracted, and the underprepared. SMBs must now treat cybersecurity as a continuous operational imperative: investing in endpoint visibility, patch management, employee training, and threat intelligence isn’t optional; it’s essential for survival in today’s asymmetric threat landscape.

Cyber Hygiene Tips – Week of June 23, 2025

  • Block Calendar Invites from Unknown Senders
    North Korean attackers are using fake Calendly invites to deliver malware—disable auto-accept and inspect links in event requests before clicking.

  • Patch WordPress Plugins Immediately
    Over 100,000 WordPress sites were exposed through a plugin flaw—update all plugins regularly and remove unused or unverified ones.

  • Disable Browser-Based Password Storage
    An infostealer ring compromised credentials from browser storage—enforce password managers with encryption and disable autofill in enterprise environments.

  • Verify and Harden All Public-Facing APIs
    A flaw in Threads exposed linked phone numbers via API—review and secure all APIs to prevent unauthorized data queries.

  • Conduct Ransomware Response Drills Quarterly
    Anubis ransomware now includes a data wiper—test your backups, validate restoration processes, and ensure key systems can be rebuilt from offline copies.

  • Inspect and Limit Third-Party Advertising Scripts
    Fake CAPTCHAs used in ad fraud schemes are delivering malware—audit all embedded marketing scripts and use script-blocking technologies where possible.

  • Apply Microsoft Zero-Day Patches Without Delay
    Stealth Falcon APT is exploiting a Microsoft RCE flaw—enable auto-updates, and monitor for suspicious document activity across endpoints.

  • Segment Internal Networks to Contain Malware Spread
    ClickFix malware leads to delayed ransomware deployment—use VLANs or firewalls to restrict lateral movement and isolate infected systems.

  • Filter Event-Based Phishing with Custom Rules
    Social engineering campaigns now mimic trusted tools like Calendly—update email filters with event-based phishing patterns and inspect shortened URLs.

  • Enforce Unique Credentials Across All Accounts
    Despite no new breach, 16 billion stolen credentials are circulating—use tools to detect reused passwords and enforce multi-factor authentication for all users.


THREAT FOCUS INFORMATION

Threat Intelligence Brief: Token Theft in Microsoft Cloud Environments: A Silent Threat

Overview
Nation-state actors are abusing OAuth and stolen tokens to silently access Microsoft 365 and Entra ID (formerly Azure AD) environments, sidestepping password-based controls and remaining undetected for months. The campaigns target high-trust sectors such as government contractors and MSPs, using rogue app registrations and consent phishing: a user is tricked into granting a malicious app delegated permissions to mail and files, and that grant persists until an administrator revokes it, so a password reset alone does not evict the attacker. SMBs relying on Microsoft cloud tools should audit app consent grants and permissions, restrict user consent to unverified apps, enforce MFA, and monitor sign-in and audit logs to catch long-term compromise.

Why This Matters:
Your cloud identity is now a primary attack surface; treat it like a firewall.
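The audit recommended above can be scripted. The following is an added example written for this newsletter, not Microsoft's tooling or Nexus-Dragon's own code: it scores OAuth consent grants shaped like the Microsoft Graph oauth2PermissionGrants resource (id, clientId, consentType, principalId, resourceId, scope). The sample grants, the KNOWN_APPS allowlist and the high-risk scope list are constructed for illustration and would be replaced with your tenant's data.

```python
"""Audit OAuth consent grants in a Microsoft 365 / Entra ID tenant.

Added example for this newsletter, not code from Microsoft or Nexus-Dragon.
Records follow the field names of the Microsoft Graph `oauth2PermissionGrants`
resource; sample grants, the KNOWN_APPS allowlist and the scope lists below are
constructed for illustration.
"""

# Delegated scopes that let an app read or send mail and files on a user's behalf.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All", "Contacts.Read",
    "Directory.AccessAsUser.All", "User.Read.All",
}
# offline_access issues a refresh token: the app keeps access until the grant
# is revoked, which is what turns consent phishing into a long-term foothold.
LONG_LIVED_SCOPE = "offline_access"

# Service principal object ids IT has deliberately approved (constructed).
KNOWN_APPS = {"0000aaaa-1111-2222-3333-444455556666"}

# Constructed sample grants, same fields Graph returns.
SAMPLE_GRANTS = [
    {"id": "g1", "clientId": "0000aaaa-1111-2222-3333-444455556666",
     "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "graph-sp", "scope": "User.Read openid profile"},
    {"id": "g2", "clientId": "deadbeef-0000-4000-8000-000000000001",
     "consentType": "Principal", "principalId": "user-42",
     "resourceId": "graph-sp",
     "scope": "Mail.Read Files.ReadWrite.All offline_access"},
    {"id": "g3", "clientId": "cafe0000-0000-4000-8000-000000000002",
     "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "graph-sp", "scope": "User.Read"},
]


def assess_grant(grant, known_apps=KNOWN_APPS):
    """Return a list of finding tags for one grant (empty list = nothing odd)."""
    scopes = set(grant.get("scope", "").split())
    unknown = grant["clientId"] not in known_apps
    findings = []
    if unknown:
        findings.append("unknown-app")
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    if risky:
        findings.append("high-risk-scopes:" + ",".join(risky))
    if LONG_LIVED_SCOPE in scopes:
        findings.append("refresh-token")
    # Admin (tenant-wide) consent for an unvetted app exposes every user.
    if unknown and grant.get("consentType") == "AllPrincipals":
        findings.append("tenant-wide-consent")
    return findings


def audit_grants(grants, known_apps=KNOWN_APPS):
    """Return only the grants that need a human look, most findings first."""
    report = []
    for grant in grants:
        findings = assess_grant(grant, known_apps)
        if findings:
            report.append({"id": grant["id"], "clientId": grant["clientId"],
                           "principalId": grant.get("principalId"),
                           "findings": findings})
    report.sort(key=lambda row: len(row["findings"]), reverse=True)
    return report


if __name__ == "__main__":
    for row in audit_grants(SAMPLE_GRANTS):
        print(row["id"], row["clientId"], row["principalId"], row["findings"])
```

In a real tenant the records come from a Graph call to the oauth2PermissionGrants collection (read-only directory permission required), and a grant you do not recognise is removed by deleting that grant object, which immediately invalidates the app's ability to obtain new tokens for that user. Pair the audit with the Entra ID setting that restricts users from consenting to unverified apps.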

Deep Dive: Fake Social Security Statement Emails Trick Users into Installing Remote Tool

Technical Summary
A phishing campaign tracked by the community as Molatori is actively distributing fake Social Security Administration (SSA) emails to lure recipients into downloading ScreenConnect, a legitimate remote administration tool. The emails claim to provide access to a Social Security statement but instead link to payloads that execute ScreenConnect under deceptive names such as SSAStatementDocument.exe. Once installed, this grants attackers remote access to the victim’s machine, enabling data theft, lateral movement, and potential deployment of additional malware.

Recent Exploitation and Indicators
This campaign is currently active, and AlienVault OTX reports widespread scanning and delivery through email-based social engineering. Attackers use realistic email templates and host download links on compromised infrastructure or temporary file sharing services.

Sample IOCs (defanged for safety):

  • hxxps://ssastatement[.]com/download/SSAStatementDocument[.]exe

  • File Hash (SHA256): 91c4b3c5b52f5f4d39f3b7ecbb3d65f5c4e24f2f515b24e4f3f19f9a5249bcb7

  • IP address: 185[.]225[.]69[.]20

Note: These IOCs represent raw threat intelligence and should be verified and tested in sandbox environments before deploying detection logic.

Why This Threat Matters
This attack is particularly dangerous because it leverages a trusted government theme, exploits users’ trust in official correspondence, and delivers a legitimate remote support tool that many endpoint defenses treat as benign. For small to mid-sized businesses (SMBs), such attacks can easily get past untrained users and result in a breach that extends beyond the initially compromised endpoint. Tools like ScreenConnect let threat actors maintain stealthy persistence and execute high-impact intrusions without any custom malware.

Defensive Recommendations

  1. Block known malicious IOCs and domains at the firewall and endpoint levels.

  2. Monitor for unexpected installations of remote administration tools such as ScreenConnect or AnyDesk.

  3. Implement email filtering and sandboxing to detect fake SSA or other government-themed phishing emails.

  4. Train employees to identify phishing tactics using spoofed government communications.

  5. Use application allowlisting to prevent execution of unauthorized remote tools.

  6. Audit all remote access sessions regularly, especially from tools not part of normal IT workflows.
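Recommendations 1 and 2 above can be turned into detection logic. The following is an added example written for this newsletter, not code from Malwarebytes, AlienVault, ConnectWise or Nexus-Dragon. The events are constructed to resemble Sysmon Event ID 1 (process creation) records exported as JSON; the Company/Product strings used to recognise ScreenConnect are assumptions that must be confirmed against a known-good install, and the indicator list is the sample IOC set printed above, used exactly as the brief gives it (defanged).

```python
"""Flag renamed or unexpected remote-admin tools and match the brief's IOCs.

Added example, not from the newsletter or any vendor. Events are constructed to
resemble Sysmon Event ID 1 fields; the ScreenConnect Company/Product strings are
assumptions. DEFANGED_IOCS is the sample IOC list from the brief above.
"""
import re

DEFANGED_IOCS = [
    "hxxps://ssastatement[.]com/download/SSAStatementDocument[.]exe",
    "91c4b3c5b52f5f4d39f3b7ecbb3d65f5c4e24f2f515b24e4f3f19f9a5249bcb7",
    "185[.]225[.]69[.]20",
]

# Remote-administration products not part of normal IT workflows (constructed).
REMOTE_ADMIN_PRODUCTS = ("screenconnect", "connectwise control", "anydesk", "teamviewer")

# Locations a phished user can write to; a sanctioned install lives under Program Files.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\|\\Temp\\|\\ProgramData\\", re.I)

# Constructed sample events (Sysmon Event ID 1 style).
SAMPLE_EVENTS = [
    {"UtcTime": "2025-06-24 14:02:11",
     "Image": r"C:\Users\jsmith\Downloads\SSAStatementDocument.exe",
     "OriginalFileName": "ScreenConnect.ClientSetup.exe",  # assumed PE name
     "Company": "ScreenConnect Software", "Product": "ScreenConnect",
     "ParentImage": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "Hashes": "SHA256=91C4B3C5B52F5F4D39F3B7ECBB3D65F5C4E24F2F515B24E4F3F19F9A5249BCB7"},
    {"UtcTime": "2025-06-24 09:00:00",
     "Image": r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3)\ScreenConnect.ClientService.exe",
     "OriginalFileName": "ScreenConnect.ClientService.exe",
     "Company": "ScreenConnect Software", "Product": "ScreenConnect",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "Hashes": "SHA256=" + "00" * 32},
    {"UtcTime": "2025-06-24 09:05:00",
     "Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "Company": "Microsoft Corporation", "Product": "Microsoft Windows Operating System",
     "ParentImage": r"C:\Windows\explorer.exe", "Hashes": "SHA256=" + "11" * 32},
]


def refang(ioc):
    """Turn a defanged indicator back into its matchable form."""
    return ioc.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def parse_hashes(field):
    """'SHA256=ab..,MD5=cd..' -> {'SHA256': 'ab..', 'MD5': 'cd..'} (lower-cased)."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def classify_event(ev, ioc_set):
    """Finding tags for one process-creation event."""
    findings = []
    image = ev.get("Image", "")
    base = image.rsplit("\\", 1)[-1].lower()
    orig = ev.get("OriginalFileName", "").lower()
    product = ev.get("Product", "").lower()
    if any(p in product for p in REMOTE_ADMIN_PRODUCTS):
        findings.append("remote-admin-tool")
        if orig and base != orig:
            findings.append("renamed-binary")      # on-disk name hides the PE's real name
        if USER_WRITABLE.search(image):
            findings.append("user-writable-path")
    sha256 = parse_hashes(ev.get("Hashes", "")).get("SHA256")
    if sha256 and sha256 in ioc_set:
        findings.append("ioc-hash-match")
    return findings


def ioc_hits(text, iocs=DEFANGED_IOCS):
    """Defanged IOCs whose live form appears in a proxy/DNS/firewall log line."""
    return [i for i in iocs if refang(i).lower() in text.lower()]


def triage(events, iocs=DEFANGED_IOCS):
    """(Image, findings) for every event that raised at least one finding."""
    ioc_set = {refang(i).lower() for i in iocs}
    out = []
    for ev in events:
        findings = classify_event(ev, ioc_set)
        if findings:
            out.append((ev["Image"], findings))
    return out


if __name__ == "__main__":
    for image, findings in triage(SAMPLE_EVENTS):
        print(image, findings)
```

The sanctioned ScreenConnect service still surfaces as "remote-admin-tool"; that is intended, so the analyst compares each hit against the list of installs IT actually deployed (recommendation 6) rather than silently trusting the product name. The combination "renamed-binary" plus "user-writable-path" is the one that should page someone.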

CURRENT THREATS DEEP DIVE
CVE-2024-44000 – Authentication Bypass in WordPress LiteSpeed Cache Plugin

Summary
CVE-2024-44000 is a critical authentication bypass vulnerability in the widely used LiteSpeed Cache plugin for WordPress, affecting versions prior to 6.5.0.1. When the plugin’s Debug Log feature is enabled, it writes incoming HTTP headers, including the Cookie header, to a log file that can be read without authentication, so session cookies leak and an unauthenticated attacker can take over accounts, including administrator accounts. With an EPSS score of 92.01%, the vulnerability has a high likelihood of exploitation in the wild, and active scanning has been observed since at least September 19, 2024.

Adversary TTPs and Exploit Behavior
The exploitation path observed in the wild maps to the following MITRE ATT&CK techniques:

  • T1190 – Exploit Public-Facing Application (fetching the exposed debug.log over HTTP)

  • T1552.001 – Unsecured Credentials: Credentials in Files (cookies written to the log)

  • T1539 – Steal Web Session Cookie

  • T1078 – Valid Accounts (replaying the stolen session)

Exploitation requires no interaction with the victim. When the Debug Log feature is on, the plugin records the HTTP headers of incoming requests, including the Cookie header, in wp-content/debug.log, which the web server serves as an ordinary static file. An attacker requests that file, extracts a wordpress_logged_in_* cookie belonging to an administrator, and replays it to authenticate as that administrator without knowing any password. Entries already in the log remain usable until the log is purged and the affected sessions are invalidated.

Using open-source intelligence, telemetry logs, and Pastebin monitoring, Nexus-Dragon identified a cluster of IP addresses associated with known malicious infrastructure scanning for CVE-2024-44000. These IPs are concentrated within the 185.177.72.0/24 subnet.

Defensive Recommendations

  1. Immediately update LiteSpeed Cache to version 6.5.0.1 or later

  2. Disable Debug Log if not in active use; purge existing logs that may contain session data

  3. Monitor web server logs for requests targeting wp-content/debug.log

  4. Implement Web Application Firewall (WAF) rules to block known scanner IPs and prevent access to log files

  5. Rotate administrator session cookies and passwords if exposure is suspected

  6. Deploy file integrity monitoring to detect unauthorized changes in WordPress core and plugin files

  7. Harden directory permissions to prevent read access to logs or other sensitive files
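The exploit mechanism described above (cookies written to debug.log) and recommendations 2, 3 and 5 can be checked with one script. The following is an added example for this newsletter, not code from LiteSpeed, Patchstack or Nexus-Dragon: it pulls WordPress auth cookies out of a debug log excerpt, scans access log lines for reads of wp-content/debug.log, and flags hits from the 185.177.72.0/24 range named above. The debug log excerpt and the Apache-style access log lines are constructed; the real LiteSpeed debug log may format its lines differently, so only the cookie pattern is relied on, not the line layout.

```python
"""Check CVE-2024-44000 exposure: leaked auth cookies in debug.log and reads of
wp-content/debug.log in the access log.

Added example, not from the newsletter, LiteSpeed or Patchstack. DEBUG_LOG and
ACCESS_LOG are constructed samples; SCANNER_NETS is the block named in the
brief. The debug log line layout is assumed, the cookie format is WordPress's.
"""
import re
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

# WordPress auth cookies carry user|expiry|token|hmac, URL-encoded; anyone who
# reads one can replay it as that user until it expires or is invalidated.
AUTH_COOKIE = re.compile(r"(wordpress_(?:logged_in|sec)_[0-9a-f]+)=([^;\s]+)")

# Apache/Nginx "combined" access log format.
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)')

SCANNER_NETS = [ip_network("185.177.72.0/24")]

# Constructed debug.log excerpt (line layout assumed; cookie values are fake).
DEBUG_LOG = """\
09/19/24 10:15:31.120 [203.0.113.5:51234 1 x1] GET /wp-admin/edit.php
09/19/24 10:15:31.121 [203.0.113.5:51234 1 x1] Cookie: wordpress_logged_in_3f2a1c=admin%7C1727000000%7Cdeadbeefcafe%7C0123abcd; wp-settings-time-1=1726000000
09/19/24 10:15:45.002 [198.51.100.7:40001 2 x2] GET /
09/19/24 10:15:45.003 [198.51.100.7:40001 2 x2] Cookie: wordpress_sec_3f2a1c=editor%7C1727000000%7Cfeedface%7C4567ef01
"""

# Constructed access log lines.
ACCESS_LOG = [
    '185.177.72.10 - - [19/Sep/2024:10:16:02 +0000] "GET /wp-content/debug.log HTTP/1.1" 200 48213 "-" "python-requests/2.31"',
    '203.0.113.5 - - [19/Sep/2024:10:16:10 +0000] "GET /wp-admin/edit.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    '185.177.72.44 - - [19/Sep/2024:10:17:55 +0000] "GET /wp-content/debug.log HTTP/1.1" 403 199 "-" "curl/8.4.0"',
    '198.51.100.9 - - [19/Sep/2024:10:18:30 +0000] "HEAD /wp-content/debug.log HTTP/1.1" 404 0 "-" "Go-http-client/1.1"',
]


def find_leaked_cookies(log_text):
    """(line_no, cookie_name, username) for every auth cookie found in the log."""
    leaks = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for name, value in AUTH_COOKIE.findall(line):
            user = unquote(value).split("|")[0]     # first field is the login name
            leaks.append((n, name, user))
    return leaks


def in_scanner_net(ip):
    return any(ip_address(ip) in net for net in SCANNER_NETS)


def scan_access_log(lines, target="/wp-content/debug.log"):
    """Every request for the log file; 'served' means the server handed it over."""
    hits = []
    for line in lines:
        m = ACCESS_LINE.match(line)
        if not m or not m["path"].split("?")[0].endswith(target):
            continue
        hits.append({"ip": m["ip"], "method": m["method"], "status": int(m["status"]),
                     "served": m["status"] == "200",
                     "known_scanner": in_scanner_net(m["ip"])})
    return hits


def exposure_summary(log_text, access_lines):
    """Decide whether sessions and passwords must be rotated (recommendation 5)."""
    leaks = find_leaked_cookies(log_text)
    hits = scan_access_log(access_lines)
    return {"leaked_users": sorted({u for _, _, u in leaks}),
            "served_reads": sum(h["served"] for h in hits),
            "scanner_hits": sum(h["known_scanner"] for h in hits),
            # Log held cookies AND someone actually downloaded it: assume compromise.
            "rotate_sessions": bool(leaks) and any(h["served"] for h in hits)}


if __name__ == "__main__":
    print(exposure_summary(DEBUG_LOG, ACCESS_LOG))
```

A 403 or 404 on debug.log is a probe, not a breach; a 200 with a non-trivial byte count while the log contained auth cookies is the trigger for rotating every listed user's session (WordPress logs a user out everywhere when their password is changed) and for purging the file, not merely disabling the feature.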

Why this Matters

If your website uses WordPress, there’s a good chance it runs LiteSpeed Cache, which is installed on over 6 million sites. A vulnerability such as this can put these sites at serious risk, especially if your IT provider hasn’t updated the plugin or turned off the debug logging feature. This flaw could let attackers take over your site, steal data, ruin your search rankings, or demand a ransom to restore access. Taking a few minutes now could save your business from major disruption and reputational damage.

Ask your MSP or IT provider today:
“Have we patched LiteSpeed Cache to version 6.5.0.1 or newer, and is the debug logging feature securely configured or turned off?”

Disclaimer
This report is based on open-source intelligence and field telemetry collected by Nexus-Dragon. It is intended for security professionals and operational defenders. SMB IT personnel should validate all recommendations and perform due diligence before making changes to production environments.

Discover the Nexus-Dragon Ecosystem

Explore Everything at Nexus-Dragon.com. Your Launchpad for Elite Cybersecurity Training and Business-Grade Protection

Comprehensive Learning Subscription (CLS)
The CLS program is more than just certification prep: it’s a full-spectrum, 4-year guided learning pathway for professionals committed to mastering information security and gaining long-term expertise in the field.

www.nexus-dragon.com

Included in CLS:

  • Full prep and resources for CISSP, CEH, CASP+, GBK, and Cyber Training certifications

  • Access to interactive cloud security labs, recorded workshops, and scheduled mentorship

  • Built-in progress tracking, skill assessments, and a structured roadmap to job-ready proficiency

  • Complimentary access to our Basic Cyber Operations (BCO) course for foundational knowledge in network security and incident response

Dragon Armor Cybersecurity Suite
Tailored for small and mid-sized businesses, Dragon Armor delivers serious protection without the complexity of big-ticket enterprise tools. It’s everything you need to secure your environment, designed to scale as you grow.

Included with Dragon Armor:

  • AI-driven threat detection, endpoint security, and real-time response

  • Built-in alignment with HIPAA, NIST Cybersecurity Framework (CSF), and ISO 27001

  • Guided onboarding and a full cybersecurity risk assessment to identify gaps

  • Multi-year price lock and flexible plans that grow with your organization’s needs

Stay Ahead of Cyber Threats with Curated Threat Intelligence

Nexus-Dragon’s Curated Threat Intelligence Service delivers real-time, tailored insights focused on your risks, your industry, and your assets. We cut through the noise to give you high-confidence IOCs, mapped MITRE ATT&CK techniques, and strategic recommendations—so you can act fast and stay protected.

Get intelligence built for action.
www.nexus-dragon.com

NEW SERVICE NOW ONLINE!

Dragon Armor Advisors (DAA): We Handle the Hiring You Get the Cyber Experts

Dragon Armor Advisors (DAA) by Nexus-Dragon takes the hassle out of hiring by recruiting, vetting, and managing elite cybersecurity professionals for you. From analysts to compliance leads, our mission-ready experts, many from NSA, DoD, and CISA, integrate seamlessly into your team with zero long-term risk.

Fill your security gaps fast.
www.nexus-dragon.com

Sponsor Spotlight: Tenable

Tenable Nessus® Expert is the gold standard for vulnerability assessment—built for security teams facing limited resources and a fast-changing threat landscape. It automates point-in-time assessments to help you quickly find, prioritize, and remediate vulnerabilities across operating systems, devices, and applications.
Discover how Nessus Expert can strengthen your defenses.

Sponsor Spotlight: Optery
Optery helps businesses and individuals automatically remove their private information from hundreds of data broker websites—reducing exposure to phishing, identity theft, and targeted attacks. It’s a powerful privacy protection platform ideal for SMBs looking to safeguard executives, employees, or clients.
Learn more →

Ready to move forward?
For full details, customized walkthroughs, or to begin onboarding, contact our team at:

[email protected]
Or explore our solutions directly at:

TELL US HOW WE’RE DOING!

Your feedback is VERY valuable! Let us know how we can improve future issues.

The information provided is for general purposes only and is accurate to the best of our knowledge. We do not guarantee its accuracy or reliability and are not responsible for any outcomes resulting from its use. This post contains affiliate links, meaning we may earn a commission if you purchase through them, at no additional cost to you. Written with the help of our little A.I!

All trademarks belong to their respective owners.

CONTACT US

📞 850-684-0278