Episode 86: Cookies, Cloud Chaos, and a TikTok Takedown

Contents

Cookie-Bite Attacks: Emerging Threat to Cloud and MFA Security

Lazarus Strikes Before You Update

Hackers Exploit Cloudflare Tunnels to Infiltrate Systems

R00TK1T’s TikTok Takedown

Links

https://cybersecuritynews.com/cookie-bite-attack/
https://cybersecuritynews.com/lazarus-apt-attacking-organizations
https://cybersecuritynews.com/hackers-abuse-cloudflare-tunnel-infrastructure/
https://cybersecuritynews.com/hackers-allegedly-breach-tiktok/

Cookie-Bite Attacks: Emerging Threat to Cloud and MFA Security

  • Brief
    • The “Cookie-Bite” attack is a sophisticated cyber threat that enables attackers to bypass multi-factor authentication (MFA) and maintain persistent access to cloud environments. By hijacking authentication cookies, particularly those used by Azure Entra ID (formerly Azure Active Directory), attackers can impersonate users and access services like Microsoft 365 and Azure Portal without needing credentials.
  • Details
    • Focuses on stealing ESTSAUTH and ESTSAUTHPERSISTENT cookies, which maintain authenticated sessions in Azure Entra ID.
      • ESTSAUTH: This is the session cookie. It keeps you logged in for your current session. If you close your browser or log out, this cookie typically goes away.
      • ESTSAUTHPERSISTENT: This is the persistent cookie. It remembers you even after you close your browser or restart your device. It allows for single sign-on (SSO) experiences without having to log in again, across sessions.
  • Attack Types
    • Adversary-in-the-Middle (AITM) attacks using reverse proxy tools to intercept cookies in real-time.
    • Dumping browser process memory to extract decrypted cookies from active sessions.
    • Malicious browser extensions that access cookies directly within the browser’s security context.
      • Persistence: Once a malicious extension is installed, it continuously extracts fresh authentication cookies each time the user logs in, ensuring long-term unauthorized access even if passwords are changed or sessions are revoked.
    • Decrypting locally stored browser cookie databases.
  • Defense
    • Monitor User Behavior: Continuously monitor for abnormal user behavior patterns and suspicious sign-ins.
    • Leverage Risk Detection: Utilize Microsoft Risk detection capabilities during sign-in events to identify and respond to potential threats.
    • Enforce Conditional Access Policies: Configure CAPs that enforce login from compliant devices only, reducing the risk of unauthorized access.
    • Restrict Browser Extensions: Implement Chrome policies to restrict browser extensions to an approved allowlist, preventing malicious extensions from being installed.
    • Deploy Token Protection: Implement token protection mechanisms to detect and prevent token theft, ensuring that stolen tokens cannot be reused by attackers.
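As an added example (not from the episode or the article it summarises), here is a small Python heuristic for the "monitor for suspicious sign-ins" defense: a replayed ESTSAUTH/ESTSAUTHPERSISTENT cookie keeps the same session id but shows up from a different IP, country or device, so the script groups sign-ins by session and reports any drift. The records are constructed, with a shape modelled on the Microsoft Graph signIn resource (sessionId is a field of its beta version); treat hits as leads, since a roaming user produces the same pattern.

```python
from collections import defaultdict

# Constructed sample sign-in records (assumption: shape modelled on the Microsoft
# Graph signIn resource, whose beta version carries sessionId). Not real data.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-04-22T08:01:10Z", "userPrincipalName": "alice@example.com",
     "sessionId": "S1", "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "GB"},
     "deviceDetail": {"browser": "Chrome 124", "operatingSystem": "Windows10", "isCompliant": True},
     "authenticationRequirement": "multiFactorAuthentication"},
    {"createdDateTime": "2025-04-22T09:15:42Z", "userPrincipalName": "alice@example.com",
     "sessionId": "S1", "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "RO"},
     "deviceDetail": {"browser": "Chrome 124", "operatingSystem": "Windows10", "isCompliant": False},
     "authenticationRequirement": "singleFactorAuthentication"},
    {"createdDateTime": "2025-04-22T10:00:00Z", "userPrincipalName": "bob@example.com",
     "sessionId": "S2", "ipAddress": "203.0.113.11", "location": {"countryOrRegion": "GB"},
     "deviceDetail": {"browser": "Edge 124", "operatingSystem": "Windows11", "isCompliant": True},
     "authenticationRequirement": "multiFactorAuthentication"},
]


def fingerprint(rec):
    """The parts of a sign-in that should stay constant for one browser session."""
    dev = rec["deviceDetail"]
    return {"ip": rec["ipAddress"],
            "country": rec["location"]["countryOrRegion"],
            "device": f'{dev["operatingSystem"]}/{dev["browser"]}',
            "compliant": dev["isCompliant"]}


def find_session_replays(signins):
    """Flag sessions whose later sign-ins differ from the sign-in that created them.
    A replayed ESTSAUTH/ESTSAUTHPERSISTENT cookie keeps the same sessionId but arrives
    from the attacker's IP/device, usually without a fresh MFA prompt. Heuristic only."""
    by_session = defaultdict(list)
    for rec in signins:
        by_session[rec["sessionId"]].append(rec)
    findings = []
    for sid, recs in by_session.items():
        recs.sort(key=lambda r: r["createdDateTime"])
        first = fingerprint(recs[0])
        for rec in recs[1:]:
            fp = fingerprint(rec)
            changed = sorted(k for k in fp if fp[k] != first[k])
            if changed:  # same session id, different source: possible cookie replay
                findings.append({"user": rec["userPrincipalName"], "sessionId": sid,
                                 "when": rec["createdDateTime"], "changed": changed,
                                 "mfa_reprompted": rec["authenticationRequirement"]
                                 == "multiFactorAuthentication"})
    return findings
```

A hit where mfa_reprompted is False and the device is non-compliant is the combination worth escalating first, since it is what a stolen cookie looks like when Conditional Access is not enforcing compliant devices.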

Lazarus Strikes Before You Update

  • Brief
    • The North Korean state-sponsored Lazarus APT group has launched a sophisticated cyberattack campaign targeting critical infrastructure and financial organizations across Asia, Europe, and North America. Since January 2025, they have been exploiting recently patched vulnerabilities—known as one-day vulnerabilities—before organizations can implement necessary updates. This strategy has allowed them to compromise networks in sectors such as financial services and energy infrastructure, resulting in estimated damages exceeding $14 million.
  • Exploitation of One-Day Vulnerabilities: Lazarus targets vulnerabilities that have been publicly disclosed and patched but not yet widely implemented across vulnerable systems. This critical window between patch release and widespread deployment provides attackers with an opportunity to exploit systems while defenders scramble to update.
  • Primary Infection Vector: The group exploits CVE-2025-1234, a critical vulnerability in a widely used enterprise VPN solution. They send a specially crafted HTTP request containing a malformed authentication packet, triggering a buffer overflow condition that allows remote code execution on the affected system.
  • Post-Exploitation Activities:
    • Persistence: After gaining initial access, Lazarus deploys customized malware that establishes persistence through modified service entries and registry modifications that survive system reboots.
    • Lateral Movement: The malware begins lateral movement through the victim network, seeking to compromise additional systems.
    • Evasion Techniques: The malware employs advanced evasion techniques, including multi-stage loaders that decrypt and execute the main payload only after performing extensive environment checks to evade sandbox analysis.
    • Command-and-Control Communication: The malware communicates with command-and-control servers using encrypted HTTPS traffic with legitimate-appearing domains.
  • Defense
    • Timely Patch Management: Implement a robust patch management process to ensure that all systems are updated promptly after patches are released.
    • Network Segmentation: Segment your network to limit lateral movement opportunities for attackers.
    • Monitor for Indicators of Compromise (IOCs): Regularly monitor for IOCs associated with Lazarus APT activities and update detection mechanisms accordingly.
    • Employee Training: Educate employees about cybersecurity best practices to reduce the risk of initial compromise through phishing or other social engineering techniques.
    • Incident Response Planning: Develop and regularly update an incident response plan to ensure a swift and effective response to any security incidents.

Hackers Exploit Cloudflare Tunnels to Infiltrate Systems

  • Brief
    • Cybercriminals are increasingly exploiting Cloudflare’s tunneling infrastructure to deliver Remote Access Trojans (RATs) like AsyncRAT, Xworm, and VenomRAT. By leveraging the TryCloudflare service, attackers can create temporary, anonymous tunnels that bypass traditional security measures, enabling them to distribute malware and establish persistent access to compromised systems.
  • Initial Access
    • Attackers send phishing emails with malicious attachments disguised as invoices or orders.
    • The attachments typically use the “application/windows-library+xml” file format, which helps them bypass email security gateways.
    • When opened, the attachment establishes a connection to a remote WebDAV resource hosted on the Cloudflare tunnel infrastructure.
  • Multi-Stage Infection Chain:
    • The user interacts with a LNK file disguised as a PDF document.
    • This shortcut executes an HTA file from the remote server.
    • The HTA file runs a BAT script that installs Python and executes obfuscated Python code.
    • The code injects the next payload stage into “notepad.exe” processes.
  • Persistence
    • The malware creates startup entries with VBS and BAT files in the Windows Startup folder.
  • The final stage uses PowerShell to load a payload from a JPEG image with an embedded base64 payload, establishing a connection to the command-and-control server.
  • Use of TryCloudflare: Attackers leverage domains with the “trycloudflare.com” suffix to host their malicious content, allowing them to bypass traditional security measures and maintain anonymity.
  • Defense
    • Email Security: Implement advanced email filtering to detect and block phishing emails with malicious attachments.
    • Endpoint Protection: Deploy robust endpoint detection and response (EDR) solutions to identify and mitigate malicious activities on user devices.
    • Network Monitoring: Monitor network traffic for unusual patterns, such as connections to unfamiliar domains or IP addresses, especially those associated with TryCloudflare.
    • User Training: Educate employees about the risks of phishing emails and the importance of not opening suspicious attachments or clicking on unknown links.
    • Application Whitelisting: Implement application whitelisting to prevent unauthorized applications from executing on user devices.
    • Regular Updates: Keep all systems and software up to date with the latest security patches to reduce vulnerabilities.
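An added example, not from the episode or the article it summarises: a Python triage helper for the initial-access stage described above. It parses a constructed document in the “application/windows-library+xml” format (the Windows Library Description schema used by .library-ms files, whose namespace is the one real identifier assumed here), lists every location the library points at, and reports any that are remote, flagging trycloudflare.com hosts in particular. The sample subdomain is made up, and the UNC/WebDAV handling goes slightly beyond what the page describes.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespace of the Windows Library Description schema used by .library-ms files
# (the "application/windows-library+xml" format mentioned in the episode).
NS = {"lib": "http://schemas.microsoft.com/windows/2009/library"}
REMOTE_SCHEMES = {"http", "https", "ftp"}

# Constructed sample: a library whose search connector points at a share on a
# trycloudflare.com host. The subdomain is made up for this example; a benign
# library normally points at a knownfolder:{GUID} or a local path instead.
SAMPLE_LIBRARY_MS = """<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@shell32.dll,-34575</name>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation>
        <url>https://example-words-here.trycloudflare.com/invoice</url>
      </simpleLocation>
    </searchConnectorDescription>
    <searchConnectorDescription>
      <simpleLocation>
        <url>knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>"""


def classify_location(url):
    """Decide whether a library location is remote and, if so, which host it reaches."""
    if url.startswith("\\\\"):  # UNC form, e.g. \\host@SSL\DavWWWRoot\share (WebDAV)
        host = url[2:].split("\\", 1)[0].split("@", 1)[0].lower()
        remote = True
    else:
        parsed = urlparse(url)
        remote = parsed.scheme.lower() in REMOTE_SCHEMES
        host = (parsed.hostname or "").lower()
    return {"url": url, "remote": remote, "host": host if remote else "",
            "trycloudflare": remote and host.endswith(".trycloudflare.com")}


def triage_library_ms(xml_text):
    """Return one classification per <url> in a .library-ms document. Any remote
    location is suspicious in an e-mail attachment; a trycloudflare.com host
    matches the tunnel infrastructure described above."""
    root = ET.fromstring(xml_text)
    urls = [u.text.strip() for u in root.iterfind(".//lib:simpleLocation/lib:url", NS) if u.text]
    return [classify_location(u) for u in urls]
```

Run it from a mail-gateway or EDR quarantine hook over any attachment with that MIME type; a library that is shipped by e-mail and points anywhere remote has no legitimate reason to exist.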

R00TK1T’s TikTok Takedown

  • Brief
    • A hacking group known as R00TK1T claimed responsibility for a significant data breach affecting TikTok, allegedly exposing over 900,000 user credentials. The group released a sample of the compromised data, asserting that they had previously warned TikTok and its parent company, ByteDance, about existing security vulnerabilities but received no response. They further threatened to release more sensitive information in the future.
  • R00TK1T claims to have accessed an insecure cloud server containing user credentials and platform code.
  • The hackers allegedly extracted usernames, passwords, and potentially other sensitive account details from TikTok’s backend systems.
  • A sample of 927,000 user records was released on a dark web forum as “proof of their vulnerabilities,” along with threats of further disclosures.
  • Defense
    • Change Your TikTok Password Immediately
      • Assume your password is compromised. Choose a strong, unique password — not something you reuse on other sites.
    • Enable Two-Factor Authentication (2FA)
      • Turn on 2FA inside TikTok settings. Even if someone has your password, they can’t easily get in without the second factor.
    • Be Cautious of Phishing Attempts
      • Attackers often use leaked data to craft convincing scam emails or DMs. Never click links or download attachments from unknown sources claiming to be TikTok-related.
    • Check If You’ve Been Pwned
      • Use sites like HaveIBeenPwned.com to see if your email or phone number linked to TikTok has been part of a breach.
    • Watch Your TikTok Account for Strange Activity
      • If your account is behaving oddly — like sending messages you didn’t write or showing videos you didn’t post — act fast: change your password and report it to TikTok.
    • Update Linked Accounts
      • If you signed into TikTok using Facebook, Google, or Apple, consider refreshing security settings or passwords on those services too. Sometimes the breach spills beyond one app.
    • Consider Using a Password Manager
      • Good managers (like Bitwarden, 1Password, etc.) help you create and store long, random passwords — much safer than anything you’d invent yourself.
