
27.05.25 Threat Report

This week’s threat report: a ransomware attack that disrupted a Scottish school network, cybercriminals weaponising TikTok trends, and a critical Cisco Webex vulnerability enabling remote code execution.



1. West Lothian School Network Crippled by Ransomware Attack

West Lothian Council confirmed a ransomware attack targeting a central IT system supporting multiple schools across the Scottish region. The incident, discovered in mid-May, forced parts of the school network offline and disrupted online services used by staff and pupils.

How the Attack Happened:

While specific ransomware details remain undisclosed, the attack targeted critical backend systems rather than individual schools directly. Forensic analysis and recovery efforts are ongoing, with external cyber experts brought in to assist.

Potential Impact:

  • Temporary loss of access to lesson materials and internal school services.

  • Delays to administrative operations, affecting staff productivity.

  • Potential exposure of student or staff information, depending on affected systems.

Recommendation:

  • Ensure all endpoints have updated ransomware protection.

  • Back up educational and administrative data regularly, using both onsite and offsite solutions.

  • Limit access to centralised IT systems via least privilege principles.

  • Conduct staff cyber awareness sessions on phishing and credential hygiene.


2. Hackers Exploiting Trending TikTok Clips to Deliver Malware

A new malware campaign leverages the popularity of trending TikTok videos to spread malicious files. Cybercriminals embed trojans within downloadable clips shared on suspicious third-party websites or spoofed platforms, targeting users eager to access viral content offline.

Attack Details:

  • Users searching for TikTok downloaders are redirected to malicious download links.

  • Once executed, these downloads deploy a stealer trojan that exfiltrates browser-stored credentials, cookies, and cryptocurrency wallets.

  • Campaigns use fake TikTok branding to establish legitimacy and entice downloads.

Potential Impact:

  • Credential theft: especially sensitive if users reuse passwords for professional accounts.

  • Lateral attacks on company infrastructure via compromised personal devices.

  • Reputation risk if devices within a business environment are compromised via social media content.

Recommendation:

  • Educate staff and users about the dangers of downloading media from unofficial sources.

  • Restrict access to file-sharing and social media apps on company-owned devices.

  • Deploy browser isolation tools and endpoint protection that detect malicious downloads.

  • Enforce strong password policies and enable MFA across all services.


3. Cisco Webex Vulnerability (CVE-2024-20399) Enables Remote Code Execution

Cisco disclosed a high-severity vulnerability in its Webex Meetings suite, tracked as CVE-2024-20399, allowing unauthenticated remote attackers to execute arbitrary code on affected Android devices. The flaw lies in how Webex handles intents passed to the app.

Attack Mechanics:

  • Exploiting the vulnerability requires tricking the user into opening a specially crafted URL.

  • If successful, attackers can trigger remote code execution within the app’s context.

  • Cisco confirmed versions prior to 43.3.0 for Android are affected.

Potential Impact:

  • Full device compromise: enabling spyware installation or data theft.

  • Business disruption during virtual meetings.

  • Risk of lateral access to corporate networks if mobile devices are enrolled in MDM environments.

Recommendation:

  • Immediately update all Webex Meetings Android clients to version 43.3.0 or later.

  • Use Mobile Device Management (MDM) to enforce app patching policies.

  • Advise users to avoid clicking on suspicious meeting links, even from known contacts.

  • Monitor for signs of abnormal mobile device activity.