Cybersecurity Threat Intelligence Update

This week’s cybersecurity landscape highlights a surge in SEO poisoning attacks compromising trusted tools, a severe remote code execution exploit in Call of Duty: WWII, and a landmark legal ruling against Google for unauthorized data collection.

SEO Poisoning Campaign Infects Thousands with Trojanized Admin Tools

A sophisticated SEO poisoning and malvertising campaign has been observed targeting IT professionals and administrators by promoting malicious websites that host trojanized versions of legitimate tools such as PuTTY and WinSCP. These fake sites, optimized to appear at the top of search engine results, trick users into downloading compromised installers. Upon execution, a backdoor known as Oyster (also referred to as Broomstick or CleanUpLoader) is installed. Persistence is achieved through a scheduled task that runs every three minutes and executes a malicious DLL (twain_96.dll) via rundll32.exe, calling the DLL's DllRegisterServer export; the DLL-registration entry point is thus abused as the persistence hook. Notably, domains such as updaterputty[.]com and putty[.]run have been associated with this campaign.
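As an added, defender-side example that is not part of the original article or the reported campaign: a Python scanner for Task Scheduler XML definitions (the per-task files Windows keeps under C:\Windows\System32\Tasks) that flags the pattern described above, a rundll32.exe action calling DllRegisterServer on a DLL combined with a repetition interval of a few minutes. The two task definitions inside it are constructed samples, and the DLL path used is an assumption.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample mirroring the reported persistence: rundll32.exe loads a DLL
# through DllRegisterServer every three minutes (the DLL path is an assumption).
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT3M</Interval></Repetition>
  </TimeTrigger></Triggers>
  <Actions><Exec>
    <Command>rundll32.exe</Command>
    <Arguments>C:\Users\Public\twain_96.dll,DllRegisterServer</Arguments>
  </Exec></Actions>
</Task>"""

# Constructed benign sample: a daily script with no repetition interval.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2025-01-01T02:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions><Exec><Command>C:\Scripts\backup.cmd</Command></Exec></Actions>
</Task>"""


def duration_seconds(iso):
    """Convert a Task Scheduler ISO 8601 duration (PT3M, PT1H30M, P1D) to seconds."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", iso.strip())
    if not m:
        return None
    d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def analyze_task(xml_text, max_interval=300):
    """Return findings for one task definition; an empty list means nothing matched."""
    root = ET.fromstring(xml_text)
    findings = []
    intervals = [duration_seconds(i.text or "") for i in root.iterfind(".//t:Repetition/t:Interval", NS)]
    tight = [s for s in intervals if s is not None and s <= max_interval]
    for ex in root.iterfind(".//t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", "", NS).strip().lower()
        args = ex.findtext("t:Arguments", "", NS).strip()
        # rundll32.exe is a legitimate Windows binary; the DLL plus export is the signal
        if "rundll32" in cmd and re.search(r",\s*DllRegisterServer\s*$", args, re.I):
            findings.append(f"rundll32 calls DllRegisterServer on {args.split(',')[0]}")
            if tight:
                findings.append(f"repeats every {min(tight)} seconds")
    return findings
```

Point `analyze_task` at the contents of each file in the Tasks directory (they are UTF-16, so read them as bytes) and review anything that returns findings, since legitimate installers also register DLLs but rarely do so on a three-minute timer.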

Remote Code Execution Exploit in Call of Duty: WWII

A critical remote code execution (RCE) vulnerability has been identified in the PC version of Call of Duty: WWII, particularly affecting players accessing the game via Xbox Game Pass and the Microsoft Store. The exploit allows malicious actors to execute arbitrary code on other players' systems during online multiplayer sessions. Reports indicate that attackers have been able to open applications like Notepad, display inappropriate content, and even force system shutdowns on victims' machines. The root cause appears to be the game's reliance on peer-to-peer (P2P) networking for multiplayer matches, which lacks the security controls of dedicated servers. In response to these incidents, Activision has taken the PC version of the game offline to investigate the issue.

Google Fined $314 Million for Unauthorized Android Data Collection

A California jury has ordered Google to pay $314.6 million in damages after finding the company liable for collecting data from idle Android devices without user consent. The class-action lawsuit, representing approximately 14 million Californians, revealed that Android devices were transmitting data to Google servers even when not in active use, consuming users' cellular data plans without their knowledge. Evidence presented in court showed that a stationary Android device could send and receive data nearly 900 times in 24 hours, with 94% of the communications occurring between the device and Google. Google has announced plans to appeal the verdict, arguing that the data transmissions are essential for device functionality and are disclosed in its terms of service.
