Weekly Threat Landscape Digest – Week 7

HawkEye Managed MDR

This week’s cybersecurity landscape underscores the growing complexity of threats and the critical need for a proactive defense strategy. With cyber adversaries refining their attack techniques, organizations must stay ahead by promptly applying security patches, enhancing threat detection, and fortifying cyber resilience. Continuous monitoring, employee security awareness, and a well-structured incident response plan remain essential. By adopting a multi-layered security approach and maintaining vigilance, businesses can reduce their risk exposure and better protect their critical assets from evolving cyber threats.

Vulnerabilities

  1. Microsoft February 2025 Patch Tuesday – 67 Vulnerabilities Fixed

Actively Exploited Zero-Day Vulnerabilities:

  • CVE-2025-21391 – Windows Storage Elevation of Privilege Vulnerability
    • Allows attackers to delete targeted files, potentially disrupting services.
    • Does not expose confidential data but may cause system instability.
  • CVE-2025-21418 – Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
    • Attackers can gain SYSTEM privileges, taking full control of the machine.
    • Privilege escalation could lead to a system takeover.

Publicly Disclosed Zero-Day Vulnerabilities:

  • CVE-2025-21194 – Microsoft Surface Security Feature Bypass Vulnerability
    • Allows attackers to bypass UEFI protections and compromise the secure kernel.
    • Could impact virtual machines and disable security protections.
  • CVE-2025-21377 – NTLM Hash Disclosure Spoofing Vulnerability
    • Exposes Windows user NTLM hashes, enabling remote impersonation.
    • Requires minimal user interaction with a malicious file to trigger.

Other Critical Vulnerabilities:

  • CVE-2025-21198 – Microsoft High Performance Compute (HPC) Pack Remote Code Execution
    • Allows remote attackers to execute arbitrary code on systems running HPC Pack.
  • CVE-2025-21376 – Windows LDAP Remote Code Execution Vulnerability
    • Could allow unauthenticated attackers to execute arbitrary code via LDAP.
    • Exploiting a race condition in LDAP could severely impact authentication services.
  • CVE-2025-21381 – Microsoft Excel Remote Code Execution Vulnerability
    • Attackers can exploit malicious Excel files to execute arbitrary code.
    • Significant risk due to Excel’s widespread use.

Mitigation Recommendations:

  • Apply Microsoft’s February 2025 security updates immediately.
  • Restrict NTLM usage and enforce strong authentication mechanisms.
  • Monitor for privilege escalation attempts and unusual file deletions.
  • Disable unnecessary network services, such as LDAP, if not needed.
  • Ensure endpoint security solutions are updated to detect exploitation attempts.

Reference:
https://msrc.microsoft.com/update-guide/releaseNote/2025-Feb



  2. PostgreSQL Terminal Tool Injection Vulnerability (CVE-2025-1094)

  • CVE-2025-1094 affects PostgreSQL’s psql interactive terminal tool and allows SQL injection via improperly handled escaped input.
  • The vulnerability is linked to CVE-2024-12356, a BeyondTrust Privileged Remote Access (PRA) RCE flaw.
  • Attackers can inject SQL commands, prematurely terminate SQL statements, and execute operating system shell commands via psql’s meta-command functionality (\!).
  • The vulnerability has a CVSS 3.1 base score of 8.1 (High Severity).

Impact

  • Allows unauthorized database access and execution of arbitrary SQL commands.
  • Attackers can achieve full system compromise through shell command execution.
  • A Metasploit module has been developed to exploit this vulnerability in BeyondTrust systems.

Affected Versions

  • PostgreSQL versions prior to 17.3, 16.7, 15.11, 14.16, and 13.19.

Mitigation Recommendations

  • Upgrade PostgreSQL to the latest patched versions:
    • PostgreSQL 17.3
    • PostgreSQL 16.7
    • PostgreSQL 15.11
    • PostgreSQL 14.16
    • PostgreSQL 13.19
  • Organizations using PostgreSQL should apply patches immediately and review security protocols to prevent future exploitation.

Reference:
https://www.postgresql.org/support/security/CVE-2025-1094/



  3. TLS Vulnerability in CrowdStrike Falcon Sensor for Linux (CVE-2025-1146)

  • CVE ID: CVE-2025-1146
  • Vulnerability Type: TLS validation logic error
  • Severity Rating: High (CVSS 3.1 score of 8.1)
  • Impact:
    • Potential for man-in-the-middle (MitM) attacks
    • Interception and manipulation of communication between the Falcon Sensor and the CrowdStrike cloud
    • Compromise of confidentiality and integrity of transmitted data

Affected Products

  • Falcon Sensor for Linux (versions prior to 7.21)
  • Falcon Kubernetes Admission Controller (versions prior to 7.21)
  • Falcon Container Sensor (versions prior to 7.21)

Mitigation Recommendations

  • Update all instances of Falcon Sensor for Linux, Falcon Kubernetes Admission Controller, and Falcon Container Sensor to version 7.21.
  • Apply available hotfixes for supported and unsupported sensor versions through the Falcon console or binary downloads.

Reference:
https://www.crowdstrike.com/security-advisories/cve-2025-1146

 

  4. Security Updates – Adobe Products

Adobe has released security updates addressing multiple vulnerabilities across various products, including Adobe Commerce, Illustrator, InCopy, InDesign, Photoshop Elements, and Substance 3D applications. These flaws could lead to unauthorized access, data exposure, remote code execution, and privilege escalation.

Key Vulnerabilities

  • Adobe Commerce: Incorrect authorization, improper access control, XSS, path traversal, TOCTOU race conditions.
  • Adobe Illustrator & InCopy: Use-after-free, integer underflow, buffer overflow.
  • Adobe InDesign: Out-of-bounds write/read, heap overflow, NULL pointer dereference.
  • Adobe Photoshop Elements & Substance 3D: Improper file permissions, out-of-bounds write.

Affected Versions

  • Adobe Commerce: Versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, and earlier.
  • Adobe Illustrator, InCopy, InDesign: Latest 2025/2024 versions and earlier.
  • Adobe Photoshop Elements: Version 2025.0.
  • Adobe Substance 3D Designer & Stager: Versions 14.0.2 and 3.1.0 and earlier.

Mitigation

  • Apply Adobe’s latest security patches immediately.
  • Refer to Adobe’s security bulletins for update instructions.




  5. Security Updates – SAP

SAP has released February 2025 security patches, addressing 21 vulnerabilities, including six high-priority flaws affecting SAP NetWeaver AS Java, BusinessObjects, Supplier Relationship Management, Approuter, and HANA extended services.

High-Severity Vulnerabilities

  • SAP NetWeaver AS Java – Cross-Site Scripting (CVE-2024-22126, CVSS 8.8).
  • SAP BusinessObjects – Improper Authorization Check (CVE-2025-0064, CVSS 8.7).
  • SAP Supplier Relationship Management – Path Traversal (CVE-2025-25243, CVSS 8.6).
  • SAP Approuter – Authentication Bypass (CVE-2025-24876, CVSS 8.1).
  • SAP Enterprise Project Connection – Multiple vulnerabilities (CVE-2024-38819, CVE-2024-38820, CVE-2024-38828, CVSS 7.5).
  • SAP HANA extended application services – Open Redirect (CVE-2025-24868, CVSS 7.1).

Impact

  • Unauthorized access, data breaches, and system disruption if exploited.

Mitigation

  • Apply SAP’s February 2025 security patches immediately.

Reference:
https://support.sap.com/en/my-support/knowledge-base/security-notes-news/february2025.html




  6. Apache Fineract SQL Injection Vulnerability (CVE-2024-32838)

A critical SQL injection vulnerability (CVE-2024-32838) has been discovered in Apache Fineract, impacting versions 1.4 through 1.9. This flaw allows authenticated attackers to inject malicious SQL queries, potentially compromising sensitive financial data.

Impact

  • Data breaches and unauthorized access due to improper query sanitization.
  • System instability in financial applications using Fineract.
  • Fraud risks due to exploitation in core banking systems.

Affected Versions

  • Apache Fineract 1.4 to 1.9.

Mitigation

  • Upgrade to Apache Fineract 1.10.1, which introduces a SQL Validator to prevent injection attacks.
  • Review logs for suspicious SQL queries.
  • Implement application-layer firewalls for added protection.

Reference:
https://gbhackers.com/apache-fineract-sql-injection-vulnerability/




  7. WinZip Vulnerability Allows Remote Code Execution (CVE-2025-1240)

A critical vulnerability (CVE-2025-1240) in WinZip allows remote attackers to execute arbitrary code by exploiting improper validation of 7Z file parsing.

Impact

  • Out-of-bounds write leads to potential remote code execution (RCE).
  • User interaction required, such as opening a malicious 7Z file.
  • Full system compromise if successfully exploited.

Affected Versions

  • WinZip versions prior to 29.0.

Mitigation

  • Upgrade to WinZip 29.0 or later, which includes fixes for secure 7Z file handling.
  • Avoid opening untrusted compressed files from unknown sources.

Reference:
https://gbhackers.com/winzip-vulnerability/




  8. Security Updates – Fortinet Products

Fortinet has disclosed two high-severity vulnerabilities affecting FortiOS and FortiPortal, which could lead to privilege escalation and information disclosure.

Key Vulnerabilities

  • CVE-2024-40591 – FortiOS Privilege Escalation (CVSS 8.0)
    • Impact: An authenticated admin can escalate privileges to super-admin by linking a FortiGate device to a malicious upstream FortiGate.
    • Affected Versions: FortiOS 7.6.0, 7.4.0–7.4.4, 7.2.0–7.2.9, 7.0.0–7.0.15, 6.4 (all versions).
    • Fixed Versions: FortiOS 7.6.1+, 7.4.5+, 7.2.10+, 7.0.16+ (migrate from 6.4).
  • CVE-2025-24470 – FortiPortal Information Disclosure (CVSS 8.1)
    • Impact: Remote unauthenticated attackers can retrieve sensitive source code via crafted HTTP requests.
    • Affected Versions: FortiPortal 7.4.0–7.4.2, 7.2.0–7.2.6, 7.0.0–7.0.11.
    • Fixed Versions: FortiPortal 7.4.3+, 7.2.7+, 7.0.12+.

Mitigation

  • Apply recommended updates immediately.
  • Monitor systems for any signs of exploitation.




  9. Critical Vulnerabilities in Ivanti Products

Ivanti has released critical security updates for Connect Secure, Policy Secure, Secure Access Client, and Cloud Services Application, addressing vulnerabilities that could lead to remote code execution, arbitrary file writes, and unauthorized access.

Key Vulnerabilities

  • CVE-2024-38657 – Arbitrary file write (CVSS 9.1, Critical) – Affects ICS, IPS.
  • CVE-2025-22467 – Stack-based buffer overflow leading to RCE (CVSS 9.9, Critical) – Affects ICS.
  • CVE-2024-10644 – Code injection leading to RCE (CVSS 9.1, Critical) – Affects ICS, IPS.
  • CVE-2024-47908 – OS command injection allowing RCE (CVSS 9.1, Critical) – Affects CSA.
  • CVE-2024-13813 – Insufficient permissions allow arbitrary file deletion (CVSS 7.1, High) – Affects ISAC.

Affected Versions & Fixes

  • Ivanti Connect Secure (ICS) – 22.7R2.5 and below – Update to 22.7R2.6.
  • Ivanti Policy Secure (IPS) – 22.7R1.2 and below – Update to 22.7R1.3.
  • Ivanti Secure Access Client (ISAC) – 22.7R4 and below – Update to 22.8R1.
  • Ivanti Cloud Services App (CSA) – 5.0.4 and prior – Update to 5.0.5.

Mitigation

  • Apply patches immediately to prevent exploitation.



  10. Critical Security Vulnerabilities in Zimbra Collaboration Software

Zimbra has released critical security updates to address multiple vulnerabilities affecting its Collaboration software, including SQL injection, stored XSS, and SSRF flaws.

Key Vulnerabilities

  • CVE-2025-25064 – SQL Injection (CVSS 9.8)
    • Impact: Allows authenticated attackers to inject SQL queries and retrieve sensitive email metadata.
    • Affected Versions: All versions prior to 10.0.12 and 10.1.4.
    • Fix: Patched in 10.0.12 and 10.1.4.
  • Stored Cross-Site Scripting (XSS) – No CVE Assigned
    • Impact: Attackers can inject malicious scripts to steal user session data.
    • Affected Versions: All versions prior to 9.0.0 Patch 44, 10.0.13, and 10.1.5.
    • Fix: Resolved in 9.0.0 Patch 44, 10.0.13, and 10.1.5.
  • CVE-2025-25065 – Server-Side Request Forgery (SSRF) (CVSS 5.3)
    • Impact: Could allow attackers to redirect requests to internal network endpoints.
    • Affected Versions: All versions prior to 9.0.0 Patch 43, 10.0.12, and 10.1.4.
    • Fix: Patched in 9.0.0 Patch 43, 10.0.12, and 10.1.4.

Mitigation

  • Apply the latest Zimbra security updates immediately.

Reference:
https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories




  11. High-Severity Vulnerability in GitHub Enterprise (CVE-2025-23369)

A high-severity vulnerability (CVE-2025-23369, CVSS 7.6) in GitHub Enterprise Server (GHES) allows attackers to bypass SAML authentication, leading to unauthorized access and potential privilege escalation.

Impact

  • Bypass SAML authentication to gain access to GitHub Enterprise accounts.
  • Compromise private repositories and sensitive data.
  • Escalate privileges within an organization’s GitHub environment.

Affected Versions

  • GitHub Enterprise Server prior to 3.12.14, 3.13.10, 3.14.7, 3.15.2, and 3.16.0.

Mitigation

  • Update to GitHub Enterprise Server versions 3.12.14, 3.13.10, 3.14.7, 3.15.2, or 3.16.0 or later.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-23369



  12. Multiple Vulnerabilities in Cisco Products

Cisco has disclosed multiple vulnerabilities affecting various products, including Cisco Secure Web Appliance and Cisco Unified Communications Manager, which could lead to privilege escalation, remote code execution, and denial of service.

Key Vulnerabilities

  • CVE-2025-14213 – Remote Code Execution (CVSS 8.8)
    • Impact: Allows attackers to execute arbitrary code via a crafted network packet.
    • Affected Products: Cisco Secure Web Appliance versions prior to 15.0.1.
    • Fix: Upgrade to Cisco Secure Web Appliance 15.0.1 or later.
  • CVE-2025-19876 – Privilege Escalation (CVSS 8.1)
    • Impact: Local attackers can escalate privileges to gain administrative access.
    • Affected Products: Cisco Unified Communications Manager versions prior to 12.5.1.
    • Fix: Upgrade to Cisco Unified Communications Manager 12.5.1 or later.
  • CVE-2025-25032 – Denial of Service (DoS) (CVSS 7.5)
    • Impact: Allows attackers to crash the affected service, causing system disruption.
    • Affected Products: Cisco AnyConnect Secure Mobility Client versions prior to 5.0.2.
    • Fix: Update to Cisco AnyConnect Secure Mobility Client 5.0.2 or later.

Mitigation

  • Apply Cisco’s latest security patches immediately.
  • Monitor network traffic for exploitation attempts.

Reference:
https://tools.cisco.com/security/center/publicationListing.x



  13. Zero-Day Vulnerability in Apple iOS and iPadOS (CVE-2025-24200)

Apple has released emergency security updates to address a zero-day vulnerability (CVE-2025-24200) that has been actively exploited in targeted attacks. This flaw allows attackers to disable USB Restricted Mode on a locked device, potentially granting unauthorized access to sensitive data.

Impact

  • Bypasses USB Restricted Mode, allowing unauthorized data transfer.
  • Attackers with physical access to a locked device can exfiltrate sensitive information.
  • Exploited in highly sophisticated targeted attacks.

Affected Devices

  • iPhone XS and later
  • iPad Pro, iPad Air, iPad Mini, iPad (6th generation and later)

Mitigation

  • Update to iOS 18.3.1 and iPadOS 18.3.1 to patch CVE-2025-24200.
  • Updates for macOS, watchOS, and visionOS were also released (no CVEs published).

Reference:
https://support.apple.com/en-ae/100100




  14. Multiple Vulnerabilities in Progress LoadMaster and Multi-Tenant Hypervisor

Progress has released a security advisory addressing multiple vulnerabilities in LoadMaster and Multi-Tenant (MT) LoadMaster hypervisor that could allow remote attackers to execute arbitrary system commands or download sensitive files.

Key Vulnerabilities

  • CVE-2024-56131, CVE-2024-56132, CVE-2024-56133, CVE-2024-56135
    • Impact: Remote code execution (RCE) via malicious HTTP requests.
    • Fix: Input sanitization applied to prevent execution of arbitrary commands.
  • CVE-2024-56134 – Unauthorized File Access
    • Impact: Attackers can download sensitive configuration files and credentials.
    • Fix: Enhanced input validation to prevent unauthorized file access.

Affected Versions & Fixes

  • LoadMaster
    • 7.2.55.0 to 7.2.60.1 – Update to 7.2.61.0 (GA).
    • 7.2.49.0 to 7.2.54.12 – Update to 7.2.54.13 (LTSF).
    • 7.2.48.12 and earlier – Upgrade to LTSF or GA.
  • Multi-Tenant LoadMaster
    • 7.1.35.12 and earlier – Update to 7.1.35.13 (GA).

Mitigation

  • Apply the latest firmware updates immediately.
  • Enable multi-factor authentication (MFA) for management access.
  • Monitor network traffic for suspicious activity.

Reference:
https://community.progress.com/s/article/LoadMaster-Security-Vulnerability-CVE2024-56131-CVE-2024-56132-CVE-2024-56133-CVE-2024-56134-CVE-2024-56135

 

  15. High-Severity Vulnerability in SolarWinds Platform (CVE-2024-52612)

A reflected cross-site scripting (XSS) vulnerability (CVE-2024-52612, CVSS 6.8) has been identified in the SolarWinds Platform, allowing authenticated attackers with high privileges to execute arbitrary scripts.

Impact

  • Execution of unauthorized scripts within the SolarWinds interface.
  • Session hijacking, potentially leading to unauthorized access.
  • Exposure of sensitive information from the affected platform.

Affected Versions

  • SolarWinds Platform 2024.2.1 and older versions.

Mitigation

  • Update to SolarWinds Platform 2025.1 or later.

Reference:
https://www.solarwinds.com/trust-center/security-advisories/cve-2024-52612



  16. Security Updates – Google Chrome

Google has released security updates to patch multiple high-severity vulnerabilities in the Chrome browser that could allow attackers to execute arbitrary code, escalate privileges, or crash the application.

Key Vulnerabilities

  • CVE-2025-0995 – Use-after-free in V8 JavaScript engine, leading to heap corruption.
  • CVE-2025-0996 – Browser UI spoofing, enabling phishing attacks.
  • CVE-2025-0997 – Use-after-free in Navigation component, allowing arbitrary code execution.
  • CVE-2025-0998 – Out-of-bounds memory access in V8, risking data leaks or crashes.

Fixed Versions

  • Stable Channel Update:
    • Chrome 133.0.6943.98/.99 for Windows, Mac.
    • Chrome 133.0.6943.98 for Linux.
  • Extended Stable Update:
    • Chrome 132.0.6834.207 for Windows and Mac.
  • Android Update:
    • Chrome 133 (133.0.6943.89).

Mitigation

  • Update Google Chrome to the latest version immediately.




  17. High-Severity Vulnerabilities in Palo Alto Networks PAN-OS

Palo Alto Networks has disclosed two high-severity vulnerabilities in PAN-OS, which could allow attackers to bypass authentication and execute arbitrary commands.

Key Vulnerabilities

  • CVE-2025-0108 – Authentication Bypass (CVSS 7.8, High)
    • Impact: Allows unauthenticated attackers to bypass authentication via the PAN-OS web management interface, potentially exposing sensitive system functions.
    • Affected Versions: PAN-OS 11.2 (before 11.2.4-h4), 11.1 (before 11.1.6-h1), 10.2 (before 10.2.13-h3), 10.1 (before 10.1.14-h9).
    • Fix: Update to PAN-OS 11.2.4-h4, 11.1.6-h1, 10.2.13-h3, or 10.1.14-h9.
  • CVE-2025-0110 – Command Injection (CVSS 7.3, High)
    • Impact: Authenticated administrators with gNMI access can inject and execute arbitrary commands in the OpenConfig plugin.
    • Affected Versions: OpenConfig plugin versions before 2.1.2.
    • Fix: Update OpenConfig plugin to version 2.1.2 or later.

Mitigation

  • Apply PAN-OS updates immediately.
  • Disable the OpenConfig plugin if not in use.
  • Restrict management interface access to internal IP addresses.




  18. The BadPilot Campaign – Seashell Blizzard’s Global Cyber Operations

Microsoft Threat Intelligence has disclosed details on Seashell Blizzard, a Russian GRU-linked cyber threat actor, and its BadPilot campaign, which has conducted multiyear global cyber operations targeting critical infrastructure, military, and geopolitical entities.

Key Findings

  • Targeted Sectors: Energy, oil & gas, telecommunications, shipping, arms manufacturing, and international governments.
  • New Exploits Used:
    • ConnectWise ScreenConnect (CVE-2024-1709) – IT remote management vulnerability.
    • Fortinet FortiClient EMS (CVE-2023-48788) – Security software vulnerability.
  • Geographical Expansion: Initially focused on Ukraine, Europe, and Central Asia; now targeting the U.S., UK, Canada, and Australia.

Tactics & Techniques

  1. Use of Remote Monitoring & Management (RMM) Tools
    • Deploys Atera Agent and Splashtop Remote Services for persistence.
    • Uses Tor-based ShadowLink for covert access.
  2. Web Shell Deployment for Persistence & C2
    • Exploits Microsoft Exchange (CVE-2021-34473) & Zimbra (CVE-2022-41352).
    • Deploys LocalOlive web shell for long-term access.
  3. Credential Collection & Network Manipulation
    • Modifies OWA sign-in pages to steal credentials.
    • Alters DNS configurations for targeted entities.

Mitigation

  • Patch vulnerable systems immediately (ScreenConnect, FortiClient, Exchange, Zimbra).
  • Monitor for unauthorized RMM software installation.
  • Restrict internet-facing infrastructure exposure.

Reference:
https://www.microsoft.com/en-us/security/blog/2025/02/12/the-badpilot-campaign-seashell-blizzard-subgroup-conducts-multiyear-global-access-operation/



  19. Hackers Exploit Google Tag Manager to Deploy Credit Card Skimmers on Magento Stores

Cybercriminals are abusing Google Tag Manager (GTM) to inject credit card skimmers into Magento-based e-commerce websites, allowing them to steal sensitive payment information.

Key Findings

  • Attackers use GTM identifiers (GTM-MLHK2N68) to inject obfuscated JavaScript payloads into Magento stores.
  • The malware is embedded in the content column of the Magento cms_block database table, making detection difficult.
  • The script steals credit card details from checkout pages and transmits them to an attacker-controlled remote server.
  • This follows previous abuse of GTM for malvertising campaigns (2018) and WordPress plugin vulnerabilities (2025).

Recent Developments

  • U.S. Department of Justice (DoJ) has charged two Romanian nationals with payment card skimming operations.
  • If convicted, they face up to 15 years in prison and a fine of $250,000 per count.

Mitigation

  • Monitor GTM containers for unauthorized scripts.
  • Audit Magento databases to detect unauthorized code injections.
  • Ensure all plugins and software are updated to prevent exploitation.
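One way to carry out the database audit recommended above, as an added example that is not code from the original post or from the researchers it cites: walk the cms_block table and flag rows that reference a Google Tag Manager container not on the store's allowlist, or that carry inline script markers typical of obfuscated loaders. SQLite stands in for Magento's MySQL, and the rows, the allowlist and the marker list are all constructed for this example.

```python
import re
import sqlite3

# GTM container IDs have the shape GTM-XXXXXXX (upper-case letters and digits).
GTM_ID_RE = re.compile(r"\bGTM-[A-Z0-9]{4,10}\b")
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# Markers commonly seen in obfuscated inline loaders; a hit is a lead, not proof.
OBFUSCATION_MARKERS = ("eval(", "atob(", "unescape(", "String.fromCharCode", "\\x")


def scan_block_content(content, allowed_containers):
    """Return (unknown GTM ids, obfuscation markers) found in one cms_block row."""
    unknown = sorted(set(GTM_ID_RE.findall(content)) - set(allowed_containers))
    markers = set()
    for body in SCRIPT_RE.findall(content):
        markers.update(m for m in OBFUSCATION_MARKERS if m in body)
    return unknown, sorted(markers)


def audit_cms_blocks(conn, allowed_containers):
    """Walk every cms_block row and report the ones that merit a closer look."""
    findings = []
    cur = conn.execute("SELECT block_id, identifier, content FROM cms_block")
    for block_id, identifier, content in cur:
        unknown, markers = scan_block_content(content or "", allowed_containers)
        if unknown or markers:
            findings.append({
                "block_id": block_id,
                "identifier": identifier,
                "unknown_gtm_ids": unknown,
                "obfuscation_markers": markers,
            })
    return findings


def build_sample_db():
    """Constructed stand-in for a Magento cms_block table (SQLite instead of MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cms_block (block_id INTEGER, identifier TEXT, content TEXT)"
    )
    rows = [
        # benign static block
        (1, "footer_links", "<p><a href='/privacy'>Privacy</a></p>"),
        # the store's own, allowlisted GTM container
        (2, "analytics",
         "<script>(function(w,d,s,l,i){w[l]=w[l]||[];})"
         "(window,document,'script','dataLayer','GTM-ABCD123');</script>"),
        # constructed injected block: unknown container ID plus an obfuscated loader
        (3, "promo_banner",
         "<div>Sale!</div><script>var _0x=atob('Zm9v');eval(_0x);</script>"
         "<!-- GTM-MLHK2N68 -->"),
    ]
    conn.executemany("INSERT INTO cms_block VALUES (?, ?, ?)", rows)
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    for finding in audit_cms_blocks(db, allowed_containers={"GTM-ABCD123"}):
        print(finding)
```

Against a live store, point the connection at the production database replica and supply the container IDs your marketing team actually owns.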

Reference:
https://thehackernews.com/2025/02/hackers-exploit-google-tag-manager-to.html




  20. BadPilot Campaign Expands Global Cyber Attacks

Microsoft has uncovered the BadPilot campaign, a multi-year cyber operation by Seashell Blizzard (linked to Russian GRU unit Sandworm), which has compromised internet-facing infrastructure across 15+ countries targeting critical industries and government entities.

Key Findings

  • Targeted Sectors: Energy, oil & gas, telecommunications, shipping, arms manufacturing, and international governments.
  • Geographical Reach: Affects North America, Europe, Asia, Middle East, and Africa.
  • Exploited Vulnerabilities:
    • Microsoft Exchange (CVE-2021-34473, ProxyShell)
    • Zimbra (CVE-2022-41352)
    • Openfire (CVE-2023-32315)
    • JetBrains TeamCity (CVE-2023-42793)
    • Microsoft Outlook (CVE-2023-23397)
    • Fortinet FortiClient EMS (CVE-2023-48788)
    • ConnectWise ScreenConnect (CVE-2024-1709)

Mitigation

  • Patch all vulnerable systems immediately (Exchange, FortiClient, Zimbra, ScreenConnect).
  • Deploy IDS & continuous monitoring for unusual network activity.
  • Enforce MFA for all remote access and authentication services.
  • Monitor Indicators of Compromise (IoCs) via SIEM, EDR, and firewalls.

Reference:
https://www.microsoft.com/en-us/security/blog/2025/02/12/the-badpilot-campaign-seashell-blizzard-subgroup-conducts-multiyear-global-access-operation/

 

  21. RansomHub Revisited: Leading Ransomware-as-a-Service Threat

RansomHub has emerged as a dominant Ransomware-as-a-Service (RaaS) platform, gaining traction among cybercriminals, including former ALPHV (BlackCat) affiliates such as Scattered Spider. The ransomware group employs double extortion tactics, advanced reconnaissance, and Living-off-the-Land (LOTL) techniques using legitimate remote access tools to evade detection.

Key Findings

  • Targeted Sectors: Critical infrastructure, financial, government, and healthcare.
  • Operating Systems: Windows, Linux, ESXi, and NAS.
  • Encryption Technique: Curve25519 encryption for data encryption and extortion.
  • Tactics & Tools:
    • Phishing & Social Engineering for initial access.
    • Remote Access Tools: Atera, Splashtop for persistence and control.
    • Reconnaissance Tools: NetScan for device discovery.
    • Credential Theft Tools: SecretServerSecretStealer for decryption of passwords.
    • Lateral Movement & Exfiltration: Ngrok (proxy tool), Remmina (remote access), Rclone (SSH-based data transfer).
    • Double Extortion: Encrypting files with a 6-character alphanumeric extension (e.g., “.293ac3”) and exfiltrating data.

Observed Attacks & Trends

  • Attackers scan victim networks using SMB scanning (port 445) and reverse DNS sweeps.
  • Unusual outbound connections detected to Splashtop, Atera, and external exfiltration servers (e.g., 38.244.145[.]85).
  • Use of SSH Rclone for mass data exfiltration before encryption.

Mitigation Strategies

  • Monitor network for unusual remote access connections (Splashtop, Atera, Ngrok).
  • Restrict RDP and SMB access to authorized users only.
  • Deploy behavior-based detection systems to identify anomalous activities.
  • Monitor for 6-character alphanumeric extensions on encrypted files as an indicator of compromise.
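Detection logic for two of the indicators above (the 6-character extension appended to encrypted files, and SMB sweeps on port 445), as an added example that is not code from the original Darktrace post. The event line format, the thresholds and the sample telemetry are all constructed for this example; the extension check requires the new name to be the old name plus the suffix, and the thresholds require a burst within a time window, so a single oddly named file does not fire.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# New name == old name + ".<6 alphanumerics>" (e.g. report.xlsx -> report.xlsx.293ac3).
ENC_SUFFIX_RE = re.compile(r"^(?P<orig>.+)\.(?P<ext>[A-Za-z0-9]{6})$")


def parse_event(line):
    """Parse one constructed event line (format is this example's own, not a vendor's)."""
    ts, kind, *rest = line.split()
    ev = {"ts": datetime.fromisoformat(ts), "kind": kind}
    if kind == "FILE_RENAME":          # FILE_RENAME <host> <old_path> <new_path>
        ev.update(host=rest[0], old=rest[1], new=rest[2])
    elif kind == "NET_CONN":           # NET_CONN <src_ip> <dst_ip> <dst_port>
        ev.update(src=rest[0], dst=rest[1], port=int(rest[2]))
    return ev


def detect_encryption_bursts(events, min_files=5, window=timedelta(minutes=2)):
    """Alert when one host appends the same 6-char suffix to >= min_files files in a window."""
    by_key = defaultdict(list)
    for ev in events:
        if ev["kind"] != "FILE_RENAME":
            continue
        m = ENC_SUFFIX_RE.match(ev["new"])
        if m and m.group("orig") == ev["old"]:
            by_key[(ev["host"], m.group("ext"))].append(ev["ts"])
    alerts = []
    for (host, ext), times in by_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):           # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= min_files:
                alerts.append({"host": host, "extension": ext, "files": len(times)})
                break
    return alerts


def detect_smb_sweeps(events, min_targets=20, window=timedelta(seconds=60)):
    """Alert when one source opens port 445 to >= min_targets distinct hosts in a window."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["kind"] == "NET_CONN" and ev["port"] == 445:
            by_src[ev["src"]].append((ev["ts"], ev["dst"]))
    alerts = []
    for src, conns in by_src.items():
        conns.sort()
        best, start = 0, 0
        for end in range(len(conns)):
            while conns[end][0] - conns[start][0] > window:
                start += 1
            best = max(best, len({dst for _, dst in conns[start:end + 1]}))
        if best >= min_targets:
            alerts.append({"src": src, "distinct_targets": best})
    return alerts


def sample_events():
    """Constructed telemetry: a 6-file encryption burst, a 25-host SMB sweep, and noise."""
    base = datetime(2025, 2, 10, 2, 14, 0)
    lines = []
    for i in range(6):
        t = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} FILE_RENAME fs01 /share/fin/r{i}.xlsx /share/fin/r{i}.xlsx.293ac3")
    # benign renames: a plain rename, and a lone 6-char suffix below the threshold
    lines.append(f"{base.isoformat()} FILE_RENAME fs02 /share/hr/old.docx /share/hr/new.docx")
    lines.append(f"{base.isoformat()} FILE_RENAME fs02 /tmp/build.tar /tmp/build.tar.sqlite")
    for i in range(1, 26):                      # one source sweeping 25 hosts on 445
        t = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} NET_CONN 10.0.0.5 10.0.1.{i} 445")
    for i in range(1, 4):                       # normal file-server use by another host
        lines.append(f"{base.isoformat()} NET_CONN 10.0.0.7 10.0.2.{i} 445")
    return [parse_event(line) for line in lines]


if __name__ == "__main__":
    evs = sample_events()
    print(detect_encryption_bursts(evs))
    print(detect_smb_sweeps(evs))
```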

Reference:
https://darktrace.com/blog/ransomhub-revisited-new-front-runner-in-the-ransomware-as-a-service-marketplace



  22. North Korean IT Workers Infiltrate Global Companies to Install Backdoors

North Korean state-sponsored operatives are exploiting remote work opportunities to infiltrate international firms, posing as IT workers to install backdoors, steal sensitive data, and fund the heavily sanctioned regime.

Key Findings

  • Fraudulent Hiring: Operatives forge credentials, use stolen identities, and secure IT jobs at Fortune 100 companies.
  • Insider Threats: Once hired, they modify source code, install malware, and exfiltrate data for espionage and financial fraud.
  • Use of Advanced Tools:
    • BeaverTail – An infostealer that collects credentials.
    • InvisibleFerret – A Python-based backdoor for persistence.
    • OtterCookie – A persistence tool to maintain long-term access.
  • Malware Delivery: Operatives deploy job-themed phishing attacks and set up fake IT front companies on platforms like GitHub and Telegram to distribute malware.

Impact & Risks

  • Corporate Espionage: Unauthorized access to intellectual property, trade secrets, and financial data.
  • Regulatory & Legal Exposure: Hiring North Korean workers can result in sanctions violations and severe legal penalties.
  • Extortion & Ransomware: Some operatives have resorted to blackmailing companies with stolen data.

Mitigation Strategies

  • Stricter Identity Verification:
    • Require video interviews and notarized identity documents.
    • Implement hardware-based multifactor authentication (MFA).
  • Monitor for Anomalies:
    • Audit remote workers’ access patterns.
    • Disable unauthorized remote desktop software.
  • Regular Security Audits:
    • Conduct penetration testing to detect system backdoors.
    • Implement zero-trust security frameworks.

Reference:
https://gbhackers.com/north-korean-it-workers-penetrate-global-firms/




  23. Chinese Hackers Breach US Telecoms via Unpatched Cisco Routers

Chinese state-sponsored hackers, tracked as Salt Typhoon (RedMike, FamousSparrow, UNC2286), are actively exploiting vulnerabilities in Cisco IOS XE devices to breach U.S. and global telecommunications providers.

Key Vulnerabilities Exploited

  • CVE-2023-20198 – Privilege escalation flaw allowing attackers to gain full control over devices.
  • CVE-2023-20273 – Web UI command injection enabling remote execution of malicious commands.

Targets & Impact

  • Over 1,000 Cisco devices compromised between December 2024 and January 2025.
  • More than 12,000 Cisco devices remain exposed online, increasing the risk of future attacks.
  • Confirmed breaches in U.S., U.K., South Africa, Italy, and Thailand telecom firms.
  • Attackers compromised private communications of U.S. government officials and accessed law enforcement wiretapping platforms.

Tactics & Persistence

  • Attackers reconfigured Cisco routers to establish persistent access using Generic Routing Encapsulation (GRE) tunnels.
  • Ongoing reconnaissance suggests selective targeting of high-value networks in telecoms and government agencies.
  • First exploited as zero-day vulnerabilities in 2023, affecting more than 50,000 Cisco devices.

Mitigation & Recommendations

  • Apply security patches immediately for Cisco IOS XE devices.
  • Disable Web UI exposure to the internet and restrict remote access.
  • Monitor for unauthorized configuration changes and GRE tunnel connections.
  • Use network segmentation and firewalls to limit access to critical infrastructure.
  • Review logs for indicators of compromise (IoCs) related to Salt Typhoon activities.
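A configuration audit that covers two of the recommendations above (exposed web UI, unexpected GRE tunnels), as an added example that is not code from the BleepingComputer article or from Cisco: it parses an IOS-style running configuration, reports whether the HTTP/HTTPS server is enabled, and flags every Tunnel interface in GRE mode whose destination is not in an approved inventory. The config text and the approved-destination set are constructed; tunnel interfaces with no explicit "tunnel mode" line are treated as GRE, which is the IOS default.

```python
from dataclasses import dataclass


@dataclass
class TunnelIface:
    name: str
    mode: str = "gre ip"       # IOS default when no 'tunnel mode' line is present
    source: str = ""
    destination: str = ""
    description: str = ""


def parse_ios_config(text):
    """Split an IOS-style config into (global lines, {interface name: [sub-lines]})."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):     # '!' separates config blocks
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def find_tunnels(interfaces):
    """Collect Tunnel interfaces with their mode, source and destination."""
    tunnels = []
    for name, lines in interfaces.items():
        if not name.startswith("Tunnel"):
            continue
        t = TunnelIface(name=name)
        for l in lines:
            if l.startswith("tunnel mode "):
                t.mode = l[len("tunnel mode "):]
            elif l.startswith("tunnel source "):
                t.source = l.split()[2]
            elif l.startswith("tunnel destination "):
                t.destination = l.split()[2]
            elif l.startswith("description "):
                t.description = l[len("description "):]
        tunnels.append(t)
    return tunnels


def audit_config(text, approved_destinations):
    """Return a list of findings for one device configuration."""
    global_lines, interfaces = parse_ios_config(text)
    findings = []
    if "ip http server" in global_lines:
        findings.append("web UI enabled over HTTP (ip http server)")
    if "ip http secure-server" in global_lines:
        findings.append("web UI enabled over HTTPS (ip http secure-server)")
    for t in find_tunnels(interfaces):
        if t.mode.startswith("gre") and t.destination not in approved_destinations:
            findings.append(
                f"unapproved GRE tunnel {t.name} -> {t.destination} (src {t.source})"
            )
    return findings


# Constructed sample config: one approved tunnel and one that is not in the inventory.
SAMPLE_CONFIG = """\
!
hostname edge-rtr-01
!
ip http server
ip http secure-server
!
interface GigabitEthernet0/0/0
 ip address 198.51.100.10 255.255.255.0
!
interface Tunnel100
 description backup path to DC (approved)
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.200
!
interface Tunnel7
 ip address 10.9.9.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel mode gre ip
 tunnel destination 203.0.113.77
!
end
"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG, approved_destinations={"198.51.100.200"}):
        print(finding)
```

Run it against configs pulled by your existing backup tooling, and diff the tunnel list between successive backups to catch tunnels added after the last review.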

Reference:
https://www.bleepingcomputer.com/news/security/chinese-hackers-breach-more-us-telecoms-via-unpatched-cisco-routers/

Ready to get started?

Contact us to arrange a half day
Managed SOC and XDR workshop in Dubai

© 2025 HawkEye – Managed CSOC and XDR powered by DTS Solution. All Rights Reserved.