Cyber Bakery Chronicles

Keeping Up with Cybersecurity News with CyberBakery.net....Your Weekly Update.

Your Weekly Cybersecurity Update (20 December 2024)

  • Mobile Spear Phishing Targets Executive Teams
  • Year-Long Attack Steals Credentials from Security Researchers and Hackers
  • Australia Leads the Way in Quantum-Resistant Cryptography
  • U.S. Weighs Ban on Chinese-Made Router in Millions of American Homes
  • APT29’s Sophisticated Attack Tactics

Mobile Spear Phishing Targets Executive Teams

The research write-up summarised here examines the growing threat of mobile spear phishing ("mishing") aimed at executive teams. These campaigns exploit executives' reliance on mobile devices, where links arrive outside the email gateway's view and a small screen hides most of the cues that give a phish away. Attackers impersonate trusted brands (DocuSign in this case), embed the malicious link in a document, and route it through legitimate and compromised domains so that every hop looks reputable. CAPTCHA gating and mobile-only behaviour then keep automated analysis away from the payload. Countering this calls for mobile threat defence that inspects links and page behaviour on the device itself, not only at the mail gateway.

The technical analysis revealed a multi-stage infrastructure in which each stage exists to defeat a different layer of detection.

  1. Initial Delivery: The phishing link was distributed through clickme[.]thryv[.]com, a link-tracking domain belonging to a recognised sales and marketing platform. Because the first hop sits on a reputable service, URL reputation checks and a casual hover over the link both come back clean, and the true origin of the campaign is hidden behind a third party.
  2. Redirection: Clicking the link sent users to a high-reputation domain, a compromised university website, <REDACTED>…college[.]gov[.]bd. The attackers borrowed the credibility of an educational, government-registered host to pass the reputation checks of security systems and users alike, keeping the chain alive and raising the odds that a victim would eventually hand over credentials.

Our investigation into the compromised domain found a creation record dated "1999-05-20 00:00:00" and a registrant of "Ministry of Posts, Telecommunications and Information Technology, Government of the People's Republic of Bangladesh." That history is exactly what makes the host useful to an attacker: detection systems that score a site by domain age or registration reputation treat a 25-year-old government domain as low risk, so the compromised server sails through automated checks and manual review alike. Domain age says nothing about who currently controls the web server.

  3. Advanced Evasion Techniques (CAPTCHA Gating): To complicate analysis further, the attackers placed a CAPTCHA in front of the later stages. Automated crawlers and URL-detonation sandboxes stop at the challenge and never reach the phishing page, so the chain is classified on its harmless first hops.
  4. Mobile-Specific Targeting (Mishing): The attackers also fingerprint the visiting device, using the browser's User-Agent and related signals to tailor the path for visitors on mobile devices, a technique that is becoming standard in phishing campaigns aimed at mobile users. When the link is opened from a desktop or laptop, where security tooling and analysts are more likely to be looking, the attack simply abandons the attempt.

Desktop and laptop visitors are redirected to genuine Google properties such as "support.google.com", "mail.google.com" and "drive.google.com". Landing on a real Google page reassures the user and gives an analyst who clicked the link from a workstation nothing to report. Mobile visitors instead enter a longer series of redirections that re-check the platform at each step; once the device is confirmed to be a phone, the user arrives at a cloned Google sign-in page.

That page exists only to capture credentials and hand the attacker access to the account. Serving real sites to one audience and a clone to another is a cloaking technique: the infrastructure looks benign to whoever is most likely to inspect it. For defenders the practical consequence is that a link must be detonated with mobile user agents (and past the CAPTCHA) before it can be called clean, and that domain age and reputation are not a reason to skip that step.
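One way to turn the cloaking described above into a check, as an added example that is not part of the original report or the researchers' tooling: fetch the link twice, once with a desktop and once with a mobile User-Agent, and compare the two redirect chains. The fetcher is injectable so the comparison can also run offline on chains captured elsewhere; the user agents, the decoy-host list and the sample chains in the demo are constructed.

```python
"""Device-conditional redirect check (added example, not from the original
report). A link is followed with a desktop and a mobile User-Agent and the
two HTTP redirect chains are compared; divergence between device classes is
the cloaking signature. The fetcher is injectable for offline use."""
import urllib.error
import urllib.parse
import urllib.request

# Constructed user agents standing in for a workstation browser and a phone.
DESKTOP_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0 Safari/537.36"
MOBILE_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) "
             "Mobile/15E148 Safari/604.1")

# Where the campaign parked non-mobile visitors. A desktop chain ending here
# while the mobile chain ends elsewhere is the pattern described above.
DECOY_HOST_SUFFIXES = ("google.com",)


def host_of(url):
    """Lower-cased host part of a URL ('' if it cannot be parsed)."""
    return (urllib.parse.urlsplit(url).hostname or "").lower()


def under_suffix(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses instead of silently following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def follow_chain(url, user_agent, max_hops=10, timeout=10):
    """Follow HTTP-level redirects (no JavaScript) and return every hop.
    Needs network access; tests and the demo inject a fake fetcher instead."""
    opener = urllib.request.build_opener(_NoRedirect)
    chain = [url]
    for _ in range(max_hops):
        req = urllib.request.Request(chain[-1], headers={"User-Agent": user_agent})
        try:
            opener.open(req, timeout=timeout).close()
            break                      # 2xx: end of the chain
        except urllib.error.HTTPError as err:
            location = err.headers.get("Location") if 300 <= err.code < 400 else None
            if not location:
                break                  # 4xx/5xx or a 3xx without Location
            chain.append(urllib.parse.urljoin(chain[-1], location))
    return chain


def classify_link(url, fetch=follow_chain):
    """Return both chains plus the reasons, if any, the link looks cloaked."""
    desktop = fetch(url, DESKTOP_UA)
    mobile = fetch(url, MOBILE_UA)
    d_host, m_host = host_of(desktop[-1]), host_of(mobile[-1])
    findings = []
    if d_host != m_host:
        findings.append("device-dependent final destination")
    if under_suffix(d_host, DECOY_HOST_SUFFIXES) and not under_suffix(m_host, DECOY_HOST_SUFFIXES):
        findings.append("desktop visitors parked on a decoy site, mobile visitors sent elsewhere")
    if len(mobile) - 1 >= 3:
        findings.append("mobile path uses %d redirects" % (len(mobile) - 1))
    return {"desktop_chain": desktop, "mobile_chain": mobile,
            "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    # Constructed chains shaped like the campaign: a shared first hop, then a
    # benign dead end for desktops and a CAPTCHA-gated sign-in clone for phones.
    def fake_fetch(url, user_agent):
        common = [url, "https://aged-college.example/go"]
        if "Mobile" in user_agent:
            return common + ["https://verify.example/captcha",
                             "https://accounts-signin.example/login"]
        return common + ["https://support.google.com/"]

    print(classify_link("https://tracker.example/click?id=1", fetch=fake_fetch))
```

The HTTP-only walker will stop at a JavaScript or meta-refresh redirect and at the CAPTCHA, which is the point: a chain that ends early only for the mobile profile, or that stops at a challenge page, is itself worth a closer look in a real browser.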


Year-Long Attack Steals Credentials from Security Researchers and Hackers

A cyberespionage campaign that has run for over a year has compromised hundreds of systems belonging to security researchers, penetration testers and, in all likelihood, other malicious actors. Datadog Security Labs discovered the campaign and attributes it to a threat actor it tracks as MUT-1244.

Over 390,000 WordPress credentials, along with SSH keys and cloud access keys, were stolen in this large-scale campaign aimed at the offensive-security community.

Fake Exploits and Phishing Lured Victims

The attackers used a two-pronged approach:

  1. Trojanized Repositories: They published GitHub repositories whose contents were presented as proof-of-concept exploits for known vulnerabilities but carried a malicious payload. Security professionals searching for exploit code downloaded and ran the repositories, executing the malware on their own machines.
  2. Phishing Emails: A parallel phishing campaign urged recipients to install a purported kernel update; the "update" is the same credential-stealing malware.

Stolen Data Included SSH Keys and AWS Credentials

The malware targeted valuable data, including:

  • WordPress credentials (over 390,000 stolen)
  • SSH private keys
  • AWS access keys
  • Command history
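A pre-execution triage pass is the check a practitioner wants before running any proof-of-concept from an unknown author. The following is an added example, not Datadog's tooling and not the campaign's code: a line-based heuristic scan of a checked-out repository for the behaviours the stolen-data list above implies (reads of SSH keys, cloud credentials and shell history, decode-then-execute payloads, pipe-to-shell installers and setup-time hooks). The rule set and the trojanised setup.py written by the demo are constructed; a hit means "read this before you run it", not "this is malware".

```python
"""Static pre-execution triage for a downloaded proof-of-concept repository
(added example; not Datadog's tooling). Heuristic, line-based, and deliberately
noisy: the goal is to surface lines a reviewer must read before executing."""
import os
import re
import tempfile

# (rule name, compiled regex); every pattern matches within a single line.
RULES = [
    ("reads SSH key material",
     re.compile(r"\.ssh[/\\]|\bid_(rsa|ed25519|ecdsa|dsa)\b")),
    ("reads cloud credentials",
     re.compile(r"\.aws[/\\]credentials|AWS_SECRET_ACCESS_KEY|\.config[/\\]gcloud")),
    ("reads shell history",
     re.compile(r"\.(bash|zsh|sh)_history|\bHISTFILE\b")),
    ("decode-then-execute",
     re.compile(r"\b(exec|eval|os\.system|subprocess\.(run|call|Popen|check_output))\s*\(.*"
                r"\b(b64decode|unhexlify|fromhex|decompress)\b")),
    ("pipe-to-shell installer",
     re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(sudo\s+)?(ba|z)?sh\b")),
    ("install-time hook",
     re.compile(r"\"(pre|post)install\"\s*:|cmdclass\s*=|class\s+\w+\((install|build_py|develop)\)")),
]

SKIP_DIRS = {".git", "node_modules", "__pycache__"}


def scan_lines(lines, label="<inline>"):
    """Return (label, line_no, rule, snippet) for every line a rule matches."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        for rule, rx in RULES:
            if rx.search(line):
                hits.append((label, line_no, rule, line.strip()[:120]))
    return hits


def scan_file(path):
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            return scan_lines(fh, path)
    except OSError:
        return []


def scan_repo(root):
    """Walk a checked-out repository and aggregate hits, skipping VCS metadata."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in sorted(filenames):
            hits.extend(scan_file(os.path.join(dirpath, name)))
    return hits


def demo():
    """Write a constructed 'PoC' tree whose setup.py steals a key and runs a
    decoded payload at install time, scan it, print and return the hits."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "setup.py"), "w") as fh:
            fh.write(
                "import base64, os, shutil\n"
                "from setuptools import setup\n"
                "from setuptools.command.install import install\n"
                "class PostInstall(install):\n"
                "    def run(self):\n"
                "        open(os.path.expanduser('~/.ssh/id_rsa')).read()\n"
                "        exec(base64.b64decode('aW1wb3J0IG9z'))\n"
                "        install.run(self)\n"
                "setup(name='cve-poc', cmdclass={'install': PostInstall})\n")
        with open(os.path.join(root, "exploit.c"), "w") as fh:
            fh.write("int main(void) { return 0; }\n")
        hits = scan_repo(root)
    for label, line_no, rule, snippet in hits:
        print("%s:%d  %s  | %s" % (label, line_no, rule, snippet))
    return hits


if __name__ == "__main__":
    demo()
```

Run it against the clone before `pip install .`, `make` or `npm install`, and treat the repository's build and install hooks as code that will execute with your privileges, because that is exactly what they are. The scan does not replace running the PoC in a throwaway VM that holds no real credentials.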

Attackers Exploited Trust Within Security Community

Publishing on a trusted platform such as GitHub let the attackers trade on the trust the security community places in it. Some of the stolen credentials likely belonged to other attackers, who were using a WordPress credential-checking tool called "yawpp" to validate stolen credentials and who appear to have been compromised through it. The actor was therefore harvesting from both legitimate security professionals and criminals.

Hundreds Still at Risk as Campaign Continues

Researchers believe hundreds of systems remain compromised and that the campaign is ongoing. Security professionals should treat proof-of-concept code from unknown authors as untrusted input: read it before running it, run it in a disposable VM rather than on a workstation that holds SSH keys and cloud credentials, and be wary of unsolicited emails, even those that look like security updates. Anyone who has run unvetted PoC code over the past year should assume the SSH keys, AWS keys and shell history on that host are exposed and rotate the credentials.


Australia Leads the Way in Quantum-Resistant Cryptography

The Australian Signals Directorate (ASD) has announced plans to phase out traditional cryptographic algorithms, including SHA-256, RSA, ECDSA and ECDH, in high-assurance cryptographic equipment by 2030. The aim is to get ahead of advances in quantum computing that could render today's public-key encryption and signature schemes obsolete. The public-key algorithms (RSA, ECDSA, ECDH) are the ones a large quantum computer running Shor's algorithm would break outright; SHA-256 is on the list because ASD wants longer digests such as SHA-384 in high-assurance systems, not because a quantum computer breaks it.

Australia's Cyber Security Agency Accelerates Transition to Post-Quantum Cryptography

The Quantum Threat:

Quantum computers, once fully realised, could break the public-key cryptography that protects sensitive data and systems today. Traffic recorded now can be decrypted later once such a machine exists ("harvest now, decrypt later"), which is why the transition timelines matter before the hardware does. To mitigate this risk, the US National Institute of Standards and Technology (NIST) finalised its first post-quantum standards in August 2024: FIPS 203 (ML-KEM, for key establishment), FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA) for digital signatures.

Australia's Proactive Approach:

While NIST's draft transition guidance (NIST IR 8547) sets 2035 as the date by which quantum-vulnerable public-key algorithms are disallowed, Australia is taking a more aggressive stance, aiming to complete the transition five years earlier for high-assurance systems. This proactive approach demonstrates Australia's commitment to cybersecurity and its recognition of the potential impact of quantum computing.

Challenges of the Transition:

The transition to post-quantum cryptography presents significant challenges, including:

  • Technical Complexity: Implementing new cryptographic algorithms requires careful planning and expertise, and it starts with a cryptographic inventory: you cannot migrate algorithms you have not located in code, protocols, hardware security modules and certificates.
  • Interoperability: Compatibility with existing systems and standards is crucial, which is why most current deployments use hybrid modes that combine a classical and a post-quantum key exchange, so that a flaw in either does not expose the session.
  • Security Risks: A poorly executed transition could introduce new vulnerabilities, from implementation bugs in freshly written code to larger keys and signatures breaking size assumptions in existing protocols and devices.

The Road Ahead:

As quantum computing technology continues to advance, it is essential for organisations to stay informed about the latest developments and to plan for a smooth transition to quantum-resistant cryptography. By taking proactive steps to adopt new standards, organisations can protect their sensitive data and systems from future threats.


U.S. Weighs Ban on Chinese-Made Router in Millions of American Homes

The U.S. government is investigating TP-Link, a Chinese company whose products account for roughly 65% of the U.S. home and small-business router market, over national security concerns, cybersecurity vulnerabilities and allegations of anti-competitive pricing.

Key Concerns

  1. Cybersecurity Threats: TP-Link routers have been linked to vulnerabilities exploitable by state-sponsored hackers; Microsoft, for example, has reported Chinese threat actors running password-spray attacks through a botnet built largely from compromised TP-Link home routers. The fears are data breaches, espionage and network manipulation.
  2. National Security: The U.S. is wary of foreign tech being used as "digital backdoors," similar to the concerns surrounding Huawei and ZTE.
  3. Antitrust Practices: TP-Link's pricing strategy of selling routers below production cost is under scrutiny for undermining U.S.-based competitors.

Impact of a Potential Ban

  • National Security: Better protection of critical infrastructure and reduced cyber risk.
  • Consumer Costs: Router prices may rise, affecting small businesses and households that rely on TP-Link's affordability.
  • Geopolitical Tensions: A ban could escalate U.S.-China tech disputes, with knock-on effects on global trade.

What Consumers Should Do

  • Update router firmware regularly, and replace models the vendor no longer patches.
  • Change the default administrator password, disable WAN-side remote management and UPnP unless you need them, and use WPA2 or WPA3 with a strong passphrase.
  • Consider alternatives such as Netgear or Linksys, keeping in mind that any brand is only as secure as its patch cadence and your configuration.

The U.S. investigation into TP-Link routers reflects growing concerns over cybersecurity, national security, and anti-competitive business practices. While the potential ban aims to safeguard critical infrastructure and reduce foreign tech risks, it also raises challenges for consumers and small businesses reliant on affordable devices.

This situation highlights the delicate balance between national security and economic convenience in an interconnected world. As the U.S. pursues greater control over its supply chains and digital infrastructure, the decisions made now will shape the future of tech security and market competition.

For consumers, staying vigilant and adopting secure networking practices is essential, regardless of the investigation’s outcome.


APT29’s Sophisticated Attack Tactics

APT29, a well-known Russian state-sponsored group (also tracked as Midnight Blizzard and, in Trend Micro's reporting on this campaign, Earth Koshchei), is targeting high-value victims including government entities, research institutions and think tanks. Rather than dropping malware, the attackers send .rdp connection files that make the victim's own Remote Desktop client connect out to an attacker-controlled server fronted by PyRDP, an open-source RDP man-in-the-middle and session-capture tool.

How It Works:

  1. Rogue RDP Servers: Spear-phishing emails carry an .rdp attachment; opening it makes the victim's machine connect to a rogue RDP server the attackers control, with PyRDP relaying and recording the session.
  2. Stealth Tactics: APT29 avoids custom malware, which leaves endpoint detection little to match on. The rogue servers are reached through Tor and residential proxies for anonymisation, so the destination addresses look like ordinary consumer traffic rather than known-bad infrastructure.
  3. Access and Control: Because the .rdp file enables resource redirection, the connection hands the server the victim's local drives, clipboard and smart cards. Attackers can watch the session, exfiltrate files, deploy scripts and change system settings, all over a protocol that is expected to be in use.

Why It Matters:

This attack highlights a shift toward living-off-the-land techniques. The only artefact on the victim is a configuration file, and the connection is made by the built-in client (mstsc.exe) to a server that looks like any other RDP host, so anything that relies on malware signatures or known-bad infrastructure has little to catch.

Mitigation Strategies:

Monitor and Restrict RDP Connections: Audit RDP activity for unusual or unauthorised connections, and in particular block outbound RDP (TCP and UDP 3389) from user endpoints to the internet, allowing only the organisation's own RDP gateways. Block or quarantine .rdp file attachments at the mail gateway, and log launches of mstsc.exe with an .rdp file argument.

Phishing Awareness: Train teams to recognise spear-phishing attempts, including the unfamiliar shape of this one: an attachment that opens a remote desktop window rather than a document.

Network Vigilance: Implement tools to detect anomalous behaviour, restrict client-side drive, clipboard and smart-card redirection through Group Policy for the Remote Desktop Connection client, and enforce strong access controls.
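The attachment itself is inspectable before anyone opens it. The following is an added example, not Trend Micro's or the actor's code: an .rdp file is a plain-text list of "name:type:value" lines (type "s" for string, "i" for integer), so a mail-gateway or endpoint check can parse it and flag the combination a rogue-server phish needs, a target outside the organisation plus local-resource redirection, RemoteApp mode or suppressed certificate warnings. The allow-list of internal RDP hosts and both sample files are constructed.

```python
"""Inspect an .rdp connection file before it is opened (added example; not
Trend Micro's or APT29's tooling). Flags an external target combined with
resource redirection, RemoteApp mode or suppressed server-certificate checks,
which is the shape of the rogue-RDP attachment described above."""
import urllib.parse

# Constructed allow-list: RDP hosts the organisation actually operates.
ALLOWED_RDP_HOST_SUFFIXES = ("corp.example",)

# (setting, predicate on its string value, what enabling it hands the server)
REDIRECTION_SETTINGS = [
    ("drivestoredirect", lambda v: v != "", "local drives readable and writable by the server"),
    ("devicestoredirect", lambda v: v != "", "plug-and-play devices forwarded"),
    ("usbdevicestoredirect", lambda v: v != "", "USB devices forwarded"),
    ("redirectclipboard", lambda v: v == "1", "clipboard shared"),
    ("redirectsmartcards", lambda v: v == "1", "smart cards usable for authentication by the server"),
    ("redirectprinters", lambda v: v == "1", "printers and print jobs forwarded"),
    ("redirectcomports", lambda v: v == "1", "serial ports forwarded"),
    ("remoteapplicationmode", lambda v: v == "1", "RemoteApp mode: server-chosen program, no visible desktop"),
    ("authentication level", lambda v: v == "0", "server certificate warnings suppressed"),
]

# Constructed samples: one shaped like the phishing attachment, one a normal
# connection to an internal jump host.
SAMPLE_PHISH_RDP = "\n".join([
    "screen mode id:i:2",
    "full address:s:203.0.113.10:3389",
    "drivestoredirect:s:*",
    "redirectclipboard:i:1",
    "redirectsmartcards:i:1",
    "remoteapplicationmode:i:1",
    "authentication level:i:0",
])
SAMPLE_BENIGN_RDP = "\n".join([
    "full address:s:jump01.corp.example",
    "drivestoredirect:s:",
    "redirectclipboard:i:0",
    "authentication level:i:2",
])


def parse_rdp(text):
    """Map setting name -> (type, value); lines that are not name:type:value are ignored."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.strip().split(":", 2)
        if len(parts) == 3 and parts[1] in ("s", "i", "b"):
            settings[parts[0].strip().lower()] = (parts[1], parts[2].strip())
    return settings


def target_host(settings):
    """Host from 'full address' without the optional :port (IPv6 literals handled)."""
    addr = settings.get("full address", ("s", ""))[1]
    return (urllib.parse.urlsplit("//" + addr).hostname or "").lower()


def assess_rdp(text):
    """Return the target, whether it is an internal host, the risky settings
    found, and a verdict of allow / review / block."""
    settings = parse_rdp(text)
    host = target_host(settings)
    internal = any(host == s or host.endswith("." + s) for s in ALLOWED_RDP_HOST_SUFFIXES)
    findings = [
        "%s=%s: %s" % (name, settings[name][1], why)
        for name, risky, why in REDIRECTION_SETTINGS
        if name in settings and risky(settings[name][1])
    ]
    if not internal and (findings or not host):
        verdict = "block"      # external (or hidden) server plus redirection
    elif findings or not internal:
        verdict = "review"
    else:
        verdict = "allow"
    return {"host": host, "internal": internal, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH_RDP), ("benign", SAMPLE_BENIGN_RDP)):
        print(label, assess_rdp(sample))
```

The verdict logic is deliberately asymmetric: redirection to an internal host is normal and only worth a review, while any redirection to an address outside the allow-list is blocked outright, since there is no legitimate reason for a phished user's drives and smart card to be offered to a server the organisation does not run.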

APT29’s focus on high-value targets emphasizes the need for proactive cybersecurity strategies. Ensure systems are monitored, credentials are secure, and access controls are reviewed regularly.


Quick favour: Let’s spread the value! If you find this newsletter useful, don’t keep it to yourself. 👉 Share it with friends and colleagues who could benefit from it.

Remember, one share could spark insight, ignite inspiration, or lead to a breakthrough for someone else.

Let’s make 2024 the year of shared knowledge and community growth