Weekly Threat Landscape Digest – Week 15

1. Microsoft April 2025 Patch Tuesday Addresses 134 Vulnerabilities Including Actively Exploited Zero-Day (CVE-2025-29824)

Microsoft has released its April 2025 Patch Tuesday security updates, addressing a total of 134 vulnerabilities across multiple products. The update includes eleven Critical-rated remote code execution vulnerabilities and a zero-day (CVE-2025-29824) actively exploited in the wild by the RansomEXX ransomware group.

Key Details:

• CVE ID: CVE-2025-29824
• Severity: Critical (Zero-Day Exploited)
• Vulnerability Type: Local Privilege Escalation in Windows Common Log File System (CLFS) Driver
• Exploited By: RansomEXX ransomware via PipeMagic malware loader
• Impact: Privilege Escalation to SYSTEM, Ransomware Deployment, Lateral Movement
• Affected Systems: Windows Server and Windows 11 (Windows 10 patch pending)
• Attack Vector: Local

Vulnerability Breakdown:

• 49 Elevation of Privilege Vulnerabilities
• 9 Security Feature Bypass Vulnerabilities
• 31 Remote Code Execution Vulnerabilities
• 17 Information Disclosure Vulnerabilities
• 14 Denial of Service Vulnerabilities
• 3 Spoofing Vulnerabilities

Recommendations:

• Apply all available updates from the April 2025 Patch Tuesday, especially for Windows Server and Windows 11.
• Prioritize patching CVE-2025-29824 on affected systems.
• Monitor for Windows 10 patch release and apply once available.
• Ensure all Microsoft products are updated to mitigate all 134 vulnerabilities.

References:

https://msrc.microsoft.com/update-guide/releaseNote/2025-Apr

2. Multiple Vulnerabilities in Ivanti Endpoint Manager (EPM)

Ivanti has disclosed multiple vulnerabilities in its Endpoint Manager (EPM) product, affecting versions 2022 SU6 and earlier, and 2024 prior to SU1. These include privilege escalation, remote code execution, SQL injection, and XSS flaws.

Key Details:

• CVE-2025-22458 – DLL Hijacking → SYSTEM Privilege Escalation
• CVE-2025-22461 – SQL Injection → Remote Code Execution (Admin Access Required)
• CVE-2025-22466 – Reflected XSS → Admin Privilege Escalation (User Interaction)
• Other CVEs – Denial-of-Service, Improper Certificate Validation, JavaScript Execution via XSS

Impact:

• SYSTEM-level access
• Remote code execution
• Admin takeover
• Man-in-the-Middle (MITM) attack
• Denial-of-Service (DoS)

Affected Versions:

• Ivanti Endpoint Manager 2022 SU6 and earlier
• Ivanti Endpoint Manager 2024 prior to SU1

Fixed Versions:

• 2022 SU7
• 2024 SU1

Recommendations:

• Upgrade to the latest patched versions immediately
• Review access controls and server logs
• Validate SSL certificates configuration
• Restrict admin panel exposure

Reference:

https://forums.ivanti.com/s/article/Security-Advisory-EPM-April-2025-for-EPM-2024-andEPM-2022-SU6?language=en_US&_gl=1*10zbgk3*_gcl_au*NDM4ODA2NzI5LjE3NDE3MDI4ODA 

3. Critical Vulnerability in FortiSwitch Products (CVE-2024-48887)

Fortinet has disclosed a critical vulnerability (CVE-2024-48887) in multiple versions of FortiSwitch, allowing remote attackers to change administrative passwords without authentication via the web GUI. Successful exploitation can lead to full administrative access and complete device takeover.

Key Details:

• CVE ID: CVE-2024-48887
• Severity: Critical
• CVSS Score: 9.3
• Vulnerability Type: Unverified Password Change (CWE-620)
• Impact: Unauthorized administrative access → Full device compromise
• Authentication Required: No
• Attack Vector: Remote via HTTP/HTTPS GUI

Affected Versions:

• FortiSwitch 7.6.0 → Fixed in 7.6.1
• FortiSwitch 7.4.0 to 7.4.4 → Fixed in 7.4.5
• FortiSwitch 7.2.0 to 7.2.8 → Fixed in 7.2.9
• FortiSwitch 7.0.0 to 7.0.10 → Fixed in 7.0.11
• FortiSwitch 6.4.0 to 6.4.14 → Fixed in 6.4.15

Recommendations:

• Upgrade FortiSwitch devices to the latest fixed versions immediately
• If patching is not possible:
  • Disable HTTP/HTTPS GUI access
  • Restrict management access to trusted IPs
  • Monitor logs for abnormal password changes
  • Segment management network from public access

Reference:

https://fortiguard.fortinet.com/psirt/FG-IR-24-435

4. Remote Code Execution Vulnerability in WhatsApp Desktop for Windows (CVE-2025-30401)

A high-severity remote code execution vulnerability (CVE-2025-30401) has been discovered in WhatsApp Desktop for Windows. Attackers can exploit this flaw by sending malicious file attachments that appear as harmless files (like images) but execute malicious code when opened.

Key Details:

• CVE ID: CVE-2025-30401
• Severity: High
• Vulnerability Type: File Attachment Spoofing → Remote Code Execution
• Impact: Arbitrary code execution, unauthorized access, data theft
• Attack Vector: Remote (via WhatsApp message attachments)
• Affected Versions: WhatsApp Desktop for Windows v0.0.0 to v2.2450.5
• Fixed In: v2.2450.6

Recommendations:

• Update WhatsApp Desktop for Windows to version 2.2450.6 or later
• Avoid opening attachments from unknown or unexpected sources
• Verify file extensions before opening any received file
• Educate users about the risks of unsolicited attachments in messaging platforms

Reference:

https://www.facebook.com/security/advisories/cve-2025-30401

5. Security Updates – Android 

Google has released critical security updates for Android devices addressing 62 vulnerabilities, including two actively exploited high-severity flaws and multiple critical vulnerabilities. Immediate patching is recommended to prevent exploitation.

Key Details:

• Total Vulnerabilities Patched: 62
• Exploited in the Wild: 2 High-Severity Flaws

Actively Exploited Vulnerabilities:

• CVE-2024-53150 – Out-of-bounds flaw in USB Kernel → Information Disclosure (CVSS 7.8)
• CVE-2024-53197 – Privilege Escalation in USB Kernel → Elevated Privileges (CVSS 7.8)

Other Critical Vulnerabilities in System Component:

• CVE-2025-22429
• CVE-2025-26416
• CVE-2025-22423
• CVE-2024-45551

Impact of Critical Flaws:

• Remote privilege escalation
• No user interaction required
• Full device compromise possible

Recommendations:

• Update Android devices to the latest security patch immediately
• Enable automatic security updates where available
• Monitor Google’s Android Security Bulletin regularly

Reference:

https://source.android.com/docs/security/bulletin/2025-04-01

6. Security Updates – Samsung Mobile 

Samsung Mobile has released its April 2025 Security Maintenance Release (SMR), addressing multiple vulnerabilities across its flagship models. The update includes patches from Google, Samsung Semiconductor, and Samsung-specific Vulnerabilities and Exposures (SVE).

Key Details:

• Total Vulnerabilities Fixed: Multiple (Critical, High, Moderate)

Critical Vulnerabilities:

• SVE-2024-1795 (CVE-2025-20936) – Improper access control in HDCP trustlet → Privilege escalation to root
• CVE-2025-22429 – Android Framework → Remote Code Execution

High-Severity Vulnerabilities:

• SVE-2024-1695 (CVE-2025-20935) – ClipboardService permission flaw → Access system files
• CVE-2025-22377 – Samsung Semiconductor products → Privilege escalation or data exposure

Moderate-Severity Vulnerabilities:

• SVE-2024-1920 – SamsungContacts → Improper access control
• SVE-2024-2403 – InputManager → Improper permission handling
• SVE-2025-0255 – Galaxy Watch Bluetooth pairing flaw

Recommendations:

• Apply the latest Samsung Security Maintenance Release (April 2025) immediately
• Enable automatic updates for Samsung devices
• Monitor devices for any abnormal activity post-update

Reference:

https://security.samsungmobile.com/securityUpdate.smsb

7. Critical Vulnerabilities in pgAdmin 4 (CVE-2025-2945 & CVE-2025-2946)

Two critical vulnerabilities have been disclosed in pgAdmin 4, a popular PostgreSQL administration tool. Successful exploitation could allow remote attackers to execute arbitrary code or perform cross-site scripting (XSS) attacks, leading to full server compromise or session hijacking.

Key Details:

• CVE-2025-2945 – Remote Code Execution (RCE) (CVSS 9.9)
• CVE-2025-2946 – Cross-Site Scripting (XSS) (CVSS 9.1)

Impact:

• Full server compromise
• Unauthorized data access
• Lateral movement within the network
• Session hijacking & credential theft

Exploitation Details:

• CVE-2025-2945 – Injects malicious code via vulnerable parameters in POST requests passed to Python’s eval() function
• CVE-2025-2946 – Executes malicious JavaScript or HTML payloads in query results

Affected Versions:

• pgAdmin 4 prior to version 9.2

Fixed Version:

• pgAdmin 4 version 9.2 or later

Recommendations:

• Upgrade pgAdmin 4 to version 9.2 or higher immediately
• Restrict access to pgAdmin from trusted networks only
• Monitor logs for suspicious query activity

Reference:

https://github.com/pgadmin-org/pgadmin4/issues/8602

8. Critical Vulnerability in Apache Parquet (CVE-2025-30065)

A critical remote code execution (RCE) vulnerability (CVE-2025-30065) has been disclosed in Apache Parquet, a widely used open-source data storage format. Attackers can exploit this flaw by importing malicious Parquet files, leading to complete system compromise.

Key Details:

• CVE ID: CVE-2025-30065
• Severity: Critical
• CVSS Score: 10.0
• Vulnerability Type: Unsafe Deserialization → Remote Code Execution
• Impact: Arbitrary code execution, data theft, ransomware deployment, disruption of data services

Affected Versions:

• Apache Parquet versions up to and including 1.15.0

Fixed Version:

• Apache Parquet 1.15.1 or later

Recommendations:

• Upgrade Apache Parquet to version 1.15.1 or higher immediately
• Avoid processing untrusted or external Parquet files without validation
• Implement strict input validation and sandboxing for data pipelines
• Monitor systems for unusual activity related to Parquet file processing

Reference:

https://nvd.nist.gov/vuln/detail/CVE-2025-30065

9. Security Updates – Google Chrome (CVE-2025-3066)

Google has released security updates for the Chrome browser addressing multiple vulnerabilities, including a high-severity flaw (CVE-2025-3066) that could allow remote attackers to exploit memory corruption and execute arbitrary code.

Key Details:

• CVE ID: CVE-2025-3066
• Severity: High
• Vulnerability Type: Use-After-Free in Site Isolation
• Impact: Arbitrary code execution, memory corruption, security breaches
• Attack Vector: Crafted malicious HTML pages

Fixed Versions:

• Chrome 135.0.7049.84/.85 for Windows, Mac
• Chrome 135.0.7049.84 for Linux
• Chrome 135.0.7049.79 for Android
• Chrome 135.0.7049.83 for iOS
• Extended Stable: Chrome 134.0.6998.196 for Windows and Mac

Recommendations:

• Update Google Chrome to the latest stable version immediately
• Enable automatic updates for all Chrome installations
• Avoid visiting untrusted websites or clicking on suspicious links

References:

https://chromereleases.googleblog.com/2025/04/stable-channel-update-fordesktop_8.html
https://chromereleases.googleblog.com/

10. Denial of Service Vulnerability in OpenVPN Servers (CVE-2025-2704)

A denial of service (DoS) vulnerability (CVE-2025-2704) has been disclosed in OpenVPN servers running versions 2.6.1 to 2.6.13 with the –tls-crypt-v2 feature enabled. Attackers can crash the server by sending a mix of valid and malformed packets during the TLS handshake.

Key Details:

• CVE ID: CVE-2025-2704
• Severity: High
• Vulnerability Type: Assertion Failure → Denial of Service
• Impact: Server crash during TLS handshake
• Affected Versions: OpenVPN 2.6.1 to 2.6.13 (only with –tls-crypt-v2 enabled)
• Attack Vector: Network (requires valid tls-crypt-v2 key or packet injection)

Unaffected Versions:

• OpenVPN <2.6.1
• OpenVPN 2.6.14 and above
• OpenVPN 2.4.x and 2.5.x
• OpenVPN 2.6.x servers without –tls-crypt-v2

Recommendations:

• Upgrade OpenVPN servers to version 2.6.14 or later
• Disable –tls-crypt-v2 if not required until the update is applied
• Monitor logs for any abnormal connection attempts or handshake errors

Reference:

https://community.openvpn.net/openvpn/wiki/CVE-2025-2704

11. Vulnerability in GNOME Yelp (CVE-2025-3155)

A medium-severity vulnerability (CVE-2025-3155) has been identified in Yelp, the GNOME user help application pre-installed on Ubuntu and other GNOME-based Linux distributions. Successful exploitation could allow attackers to disclose sensitive files or execute malicious code.

Key Details:

• CVE ID: CVE-2025-3155
• Severity: Medium
• CVSS Score: 6.5
• Vulnerability Type: Arbitrary File Disclosure & Remote Code Execution (RCE)
• Impact: Sensitive file access, arbitrary code execution via crafted .page files
• Affected Software: Yelp (GNOME Help Viewer)
• Affected Platforms: Ubuntu Desktop, GNOME-based Linux distributions

Exploitation Details:

• Exploits improper handling of ghelp:// URI and XInclude/XSLT in .page files
• Access sensitive files like ~/.ssh/id_rsa or /etc/passwd
• Execute injected malicious scripts using WebKitGtk rendering

Recommendations:

• Apply security updates released by Linux distributions
• Avoid opening untrusted .page files
• Monitor systems for unauthorized access attempts
• Review and restrict help viewer usage in sensitive environments

Reference:

https://nvd.nist.gov/vuln/detail/CVE-2025-3155

12. Critical Code Injection Vulnerabilities in SAP (CVE-2025-27429, CVE-2025-31330, CVE-2025-30016)

SAP’s April 2025 Security Patch Day addressed 18 vulnerabilities, including three critical issues that could allow attackers to inject code or bypass authentication, impacting the integrity and security of enterprise systems.

Key Details:

• CVE-2025-27429 (CVSS 9.9) – SAP S/4HANA
  → ABAP code injection by authenticated users, bypassing authorization checks.
  → Affected: S4CORE 102–108
• CVE-2025-31330 (CVSS 9.9) – SAP Landscape Transformation (SLT)
  → ABAP code injection risk impacting data replication processes.
  → Affected: DMIS 2011_1_700, 710, 730, 731
• CVE-2025-30016 (CVSS 9.8) – SAP Financial Consolidation
  → Authentication bypass allowing attackers to access Admin account.
  → Affected: FINANCE 1010

Impact:

• Arbitrary ABAP code execution
• Data theft & manipulation
• System takeover & lateral movement
• Unauthorized Admin access

Recommendations:

• Apply SAP April 2025 Security Notes immediately
• Prioritize patching of affected components (S/4HANA, SLT, Financial Consolidation)
• Regularly review and monitor SAP system activity

Reference:

https://support.sap.com/en/my-support/knowledge-base/security-notes-news/april2025.html

13. Security Updates – MediaTek Chipsets (CVE-2025-20654 & Others)

MediaTek has disclosed multiple vulnerabilities affecting its chipsets used in smartphones, tablets, AIoT devices, smart displays, OTT platforms, audio devices, TVs, and more. The most critical flaw (CVE-2025-20654) enables unauthenticated Remote Code Execution (RCE) in WLAN service.

Key Details:

• CVE-2025-20654 (Critical) – Out-of-bounds write in WLAN
  → Impact: Remote Code Execution without user interaction
  → Affected: MT6890, MT7622, MT7915, MT7916, MT7981, MT7986
  → SDK Affected: ≤7.4.0.1 / 7.6.7.0 / OpenWrt 19.07 & 21.02
• Other High Severity Vulnerabilities:
  → CVE-2025-20655 to CVE-2025-20658
  → Impact: Local Privilege Escalation (EoP), Information Disclosure
• Medium Severity Vulnerabilities:
  → CVE-2025-20659 to CVE-2025-20664
  → Impact: Denial of Service (DoS), Local EoP, Remote Info Disclosure

Recommendations:

• Update all MediaTek-powered devices to the latest firmware provided by OEMs
• Monitor vendor security advisories regularly
• Implement network segmentation to reduce WLAN exposure
• Restrict physical access to vulnerable devices

Reference:

https://corp.mediatek.com/product-security-bulletin/April-2025#CVE_2025_20655

14. High-Severity Vulnerability in Dell PowerProtect Data Domain (CVE-2025-29987)

A high-severity vulnerability has been discovered in Dell PowerProtect Data Domain systems, allowing authenticated users from trusted remote clients to execute arbitrary commands with root privileges, potentially leading to complete system compromise.

Key Details:

• CVE-2025-29987 (CVSS 8.8 – High)
  → Vulnerability Type: Insufficient Granularity of Access Control
  → Impact: Remote Command Execution with root privileges
  → Risk: Data Breach, Data Manipulation, Denial of Service

Affected Products:

• Dell PowerProtect Data Domain Series Appliances
• Dell PowerProtect Data Domain Virtual Edition
• Dell APEX Protection Storage

Affected Versions:

• DD OS versions prior to 8.3.0.15
• 7.13.1.0 through 7.13.1.20
• 7.10.1.0 through 7.10.1.50

Fixed Versions:

• 8.3.0.15 or later
• 7.13.1.25 or later
• 7.10.1.60 or later

Recommendations:

• Apply the latest patches provided by Dell
• Review user access policies for Data Domain systems
• Monitor for unauthorized access or privilege escalation attempts
• Implement network restrictions for trusted remote clients

Reference:

https://nvd.nist.gov/vuln/detail/CVE-2025-29987

15. High-Severity Vulnerability in MinIO (CVE-2025-31489)

A high-severity vulnerability has been identified in MinIO, an open-source object storage platform compatible with Amazon S3. This flaw allows unauthorized object uploads to buckets due to incomplete signature validation, posing serious risks to data integrity and access control.

Key Details:

• CVE-2025-31489 (CVSS – High)
  → Vulnerability Type: Incomplete Signature Validation
  → Impact: Unauthorized object uploads, potential data compromise
  → Exploit Prerequisites: Valid access key, bucket name, WRITE permissions

Affected Version:

• RELEASE.2023-05-18T00-05-36Z

Fixed Version:

• RELEASE.2025-04-03T14-56-28Z

Recommendations:

• Immediately upgrade to the patched MinIO version
• Review and rotate access keys if exposure is suspected
• Audit bucket WRITE permissions and monitor object upload activity

Reference:

https://github.com/minio/minio/security/advisories/GHSA-wg47-6jq2-q2hh

16. Multiple Vulnerabilities in Juniper Networks (JSA96455, JSA96469, JSA96470, JSA96471, JSA96449, JSA96466, JSA96459)

Juniper Networks has released security updates addressing multiple vulnerabilities in Junos OS and Junos OS Evolved. Successful exploitation could lead to Denial of Service (DoS), memory leaks, unauthorized access, or network disruption.

Key Details:

• Impacted Products: SRX Series, MX Series, MX240, MX480, MX960 with SPC3
• Vulnerability Type: Denial of Service, Memory Leak, Process Crash, Unauthorized Access
• Exploitation Impact: Network downtime, device crash, packet processing failure

High Severity Vulnerabilities:

• CVE-2025-30645: SRX – flowd crash via DS-Lite control traffic
• CVE-2025-30658: SRX – Memory leak via malicious Anti-Virus traffic
• CVE-2025-30659: SRX – Crash via vector routing traffic
• CVE-2025-30660: MX – PFE reset via specific GRE packets
• CVE-2025-21594: MX – Port block via crafted IPv4 traffic
• CVE-2025-30656: MX, SRX – FPC crash via SIP INVITE
• CVE-2025-30649: MX – CPU DoS via specific packets on SPC3

Recommendations:

• Apply the latest security updates released by Juniper Networks
• Review device configurations involving DS-Lite, NAT, Anti-Virus, GRE, SIP, and Vector Routing
• Monitor for unusual device behavior, high CPU usage, or unexpected crashes

Reference:

https://supportportal.juniper.net/s/globalsearch/%40uri?language=en_US#sort=%40sfcec_community_publish_date_formula__c%20descending&f:ctype=[Security%20Advisories]

17. Multiple Vulnerabilities in SonicWall NetExtender Windows Client (CVE-2025-23008, CVE-2025-23009, CVE-2025-23010)

SonicWall has released security updates addressing multiple vulnerabilities in its NetExtender Windows Client. Successful exploitation could allow attackers to gain elevated privileges, modify system settings, or disrupt device availability.

Key Details:

• Affected Product: SonicWall NetExtender Windows Client (32 and 64-bit)
• Vulnerability Type: Privilege Escalation, Improper Privilege Management, File Access Control Flaws
• Maximum CVSS Score: 7.2 (High)

Vulnerabilities:

• CVE-2025-23008 – Improper Privilege Management (CVSS 7.2)
• CVE-2025-23009 – Local Privilege Escalation (CVSS 5.9)
• CVE-2025-23010 – Improper Link Resolution Before File Access (CVSS 6.5)

Affected Versions:

• NetExtender Windows Client ≤ 10.3.1

Fixed Version:

• NetExtender Windows Client 10.3.2 and later

Recommendations:

• Upgrade NetExtender Windows Client to version 10.3.2 or higher
• Limit local administrative rights on endpoints
• Regularly monitor and audit endpoint privilege changes

Reference:

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0006

18. Brute-Force Attempts Targeting PAN-OS GlobalProtect Gateways

Palo Alto Networks has warned of ongoing brute-force login attempts targeting PAN-OS GlobalProtect gateways. The activity, observed since March 17, 2025, has involved a coordinated effort to scan and identify vulnerable systems.

Key Details:

• Attack Type: Password-related brute-force login attempts
• Target: PAN-OS GlobalProtect gateways
• Observation Peak: 23,958 unique IP addresses involved
• Targeted Regions: U.S., U.K., Ireland, Russia, Singapore
• Not a vulnerability exploitation — purely brute-force attack attempts.

Impact:

• Potential account compromise if weak or reused passwords exist
• Increased exposure risk for internet-facing GlobalProtect portals

Recommendations:

• Ensure PAN-OS is updated to the latest version
• Enforce Multi-Factor Authentication (MFA) for all GlobalProtect users
• Configure security policies to detect and block brute-force attempts
• Limit exposure of GlobalProtect portals to only necessary IP ranges
• Monitor logs for unusual login attempts or failed authentications

Reference:

https://thehackernews.com/2025/04/palo-alto-networks-warns-of-brute-force.html

19. Tax-Related Phishing Attacks Using URL Shorteners & QR Codes

Cybercriminals are increasingly leveraging tax-themed phishing campaigns to target individuals and organizations, using advanced techniques like URL shorteners and QR codes to evade security controls.

Key Details:

• Attack Type: Phishing attacks using tax refund/audit themes
• Delivery Methods:
  • URL Shorteners for redirection
  • QR codes embedded in PDF attachments
• Targeted Sectors: Individuals, CPAs, Accounting Firms, IT, Engineering, Consulting sectors (primarily in the U.S.)

Attack Techniques:

• Emails impersonating IRS or tax officials with fake refund or audit alerts
• PDF attachments containing personalized QR codes
• QR codes redirect to phishing pages mimicking Microsoft 365 login (RaccoonO365 PhaaS infrastructure)
• URL parameters include victim’s email ID for tracking
• Multi-stage attack flow to establish trust before malware delivery

Payloads Delivered:

• Remote Access Trojans (RATs)
• Information Stealers
• BruteRatel C4 for post-exploitation

Notable Observations:

• Campaign targeted over 2,300 organizations between February 12 – 28, 2025
• High success rate due to use of QR codes which bypass traditional email security tools
• Attacker domains mimicking Microsoft:
  • shareddocumentso365cloudauthstorage[.]com

Recommendations:

• Implement phishing-resistant Multi-Factor Authentication (MFA)
• Enable Zero-hour auto purge (ZAP) in email security tools
• Educate users about risks of scanning QR codes from unknown emails
• Block known malicious domains and URLs using threat intelligence feeds
• Monitor for signs of credential compromise or unusual login activity

Reference:

https://cybersecuritynews.com/hackers-leveraging-url-shorteners-qr-codes/

20. Surge in Weaponized PDF-based Email Attacks

Cybercriminals are increasingly leveraging PDF attachments in phishing and malware campaigns, accounting for 22% of all malicious email attachments, according to CheckPoint Research.

Key Details:

• 68% of all malicious attacks are delivered via email
• PDF-based attacks now contribute to 22% of those attacks
• PDFs are preferred due to wide usage, complexity, and ability to evade detection
• Over 400 billion PDF files were opened last year globally

Attack Techniques:

• Embedded malicious links within PDFs leading to phishing or malware sites
• Use of legitimate redirect services like Bing, LinkedIn, Google AMP to bypass URL reputation checks
• Embedding QR codes in PDFs to avoid URL scanners
• Social engineering tricks prompting users to call phone numbers (bypassing URL-based detection)
• Obfuscation using encryption, filters, indirect objects in PDFs
• Machine Learning evasion using text within images or invisible text to confuse detection tools

Why PDFs Are Hard to Detect:

• Complex file structure (ISO 32000 standard ~1000 pages)
• PDF files can look completely normal to the user
• CAPTCHA-like effect for security tools trying to analyze them

Recommendations:

• Verify sender identity before opening PDF attachments
• Avoid clicking links or scanning QR codes from unknown PDFs
• Hover over links to inspect URLs
• Disable JavaScript in PDF viewers where possible
• Keep all software and security tools updated
• Use advanced email security solutions capable of deep PDF analysis

Reference:

https://cybersecuritynews.com/weaponized-pdf-based-attacks/

21. PoisonSeed Campaign Targets CRM & Bulk Email Providers in Supply Chain Phishing Attack

A sophisticated phishing campaign dubbed PoisonSeed has been identified, targeting CRM platforms and bulk email service providers like Mailchimp and SendGrid to launch highly convincing phishing attacks against cryptocurrency users.

Key Details:

• Attack Method: Supply Chain Phishing via compromised email infrastructure
• Target Audience: Cryptocurrency wallet holders, especially Ledger users
• Delivery Method: Fraudulent emails sent from trusted bulk email providers
• Primary Goal: Stealing crypto wallet recovery seed phrases
• Impact: Complete takeover of victim’s crypto assets upon successful seed phrase theft

Attack Techniques:

• Initial Access by compromising bulk email providers (Mailchimp, SendGrid)
• Use of phishing domains like:
  • mailchimp-sso[.]com
  • hubservices-crm[.]com
  • mysrver-chbackend[.]com
  • iosjdfsmdkf[.]com
• Fake Ledger “Upgrade Firmware” pages prompting users to enter their recovery seed phrases
• JavaScript validation to ensure accurate seed phrases
• Data exfiltration to attacker-controlled servers

Why It’s Critical:

• Bypasses traditional security filters due to trusted email sources
• Focus on seed phrase theft = irreversible financial loss
• Advanced phishing infrastructure mimicking official crypto wallet platforms
• Demonstrates a growing trend of supply chain-based phishing attacks targeting financial assets

Recommendations:

• Organizations using CRM or bulk email services must enforce MFA and access controls
• Conduct regular security reviews of connected third-party services
• Users should avoid clicking on upgrade links received via email, especially for crypto wallets
• Crypto users should only enter recovery phrases on verified official websites or apps
• Monitor for suspicious email activity originating from trusted platforms

Reference:

https://cybersecuritynews.com/new-poisonseed-attacking-crm-bulk-email-providers/

22. Outlaw Linux Malware Targets Weak SSH Credentials for Persistence & Crypto Mining

A new Linux malware campaign named Outlaw has been detected actively targeting internet-facing Linux servers using SSH brute-force attacks to gain unauthorized access and maintain persistence through cron jobs and SSH key manipulation.

Key Details:

• Malware Name: Outlaw
• Attack Vector: SSH brute-forcing using weak or default credentials
• Target: Linux servers worldwide
• Objective: Persistence, cryptocurrency mining, and expanding botnet

Infection Chain:

1. SSH brute-force attack for initial access
2. Download & execution of payload dota3.tar.gz
3. Multi-stage malware execution to:
   • Install cryptocurrency miners
   • Maintain persistence
   • Spread laterally within networks

Persistence Techniques:

• Creation of multiple cron jobs to restart malware components periodically and after reboot
• Injection of attacker-controlled SSH keys into ~/.ssh/authorized_keys
• Use of chattr +ia to make SSH key files immutable, preventing removal
• Scanning local subnet for further SSH brute-force attacks to propagate malware

Indicators of Compromise (IoCs):

• Presence of unusual cron jobs executing binaries like upd, sync, aptitude
• Unauthorized SSH key files in ~/.ssh/ directory
• Immutable attributes applied on SSH key files
• High CPU usage due to crypto mining activity

Recommendations:

• Disable SSH access or enforce strong SSH credentials
• Implement fail2ban or similar SSH brute-force protection tools
• Regularly monitor and audit cron jobs
• Check for unauthorized SSH keys and immutable files
• Update and patch Linux servers regularly
• Implement network segmentation to limit lateral movement

Reference:

https://cybersecuritynews.com/new-outlaw-linux-malware-leveraging-ssh-brute-forcing/ 

23. Attackers Exploit JavaScript & CSS Styling to Steal User Browsing History

Recent research highlights a privacy concern where attackers are abusing web technologies like JavaScript and CSS to infer users’ browsing history by detecting visual differences in visited links.

Key Details:

• Attack Method: Abuse of CSS :visited pseudo-class
• Target: User browsing history through style detection
• Techniques Used:
  • JavaScript-based style analysis
  • Timing attacks to measure rendering time differences
  • Pixel color-based attacks to detect visual changes
  • Advanced exploitation using SpectreJS for internal data access

Privacy Risks:

• Browsing history is highly unique to each user (97-99% fingerprint accuracy)
• Attackers can infer sensitive data such as:
  • Health information
  • Financial activity
  • Political or religious interests
  • Cryptocurrency or investment habits

New Browser Defense – Partitioning:

Google Chrome (Version 132+) introduced a new feature to mitigate these attacks:

• Partitioning of visited link history based on:
  • Link URL
  • Top-level site domain
  • Frame origin

This ensures links are only styled as visited if accessed from the same domain and frame, preventing cross-site history leaks.

Recommendations:

• Use Private or Incognito browsing modes regularly
• Clear browsing history frequently
• Disable or limit JavaScript execution from untrusted websites
• Update browsers to the latest versions
• Enable advanced privacy settings when available (like Chrome’s #partition-visited-link-database-with-self-links flag)

Reference:

https://cybersecuritynews.com/attackers-leverages-javascript-and-css-style-changes/

24. Malicious NPM Packages Targeting PayPal Users Discovered

FortiGuard Labs has identified a series of malicious NPM packages targeting PayPal users. These packages were designed to steal sensitive system information and exfiltrate it to attacker-controlled servers, posing serious risks to developers and organizations.

Key Details:

• Threat Actor: Identified as tommyboy_h1 and tommyboy_h2
• Attack Method:
  • Malicious NPM packages uploaded with PayPal-related names (e.g., oauth2-paypal, buttonfactoryserv-paypal)
  • Exploited NPM preinstall hook to auto-execute malicious scripts
• Information Collected:
  • System usernames
  • Directory paths
  • Hostnames
• Data Obfuscation:
  • Information encoded in hexadecimal and split for stealth
• Data Exfiltration:
  • Sent to attacker-controlled dynamic domains

Affected Packages:

• Examples include:
  • oauth2-paypal
  • buttonfactoryserv-paypal
  • compliancereadserv-paypal
  • tommyboytesting

Detection:

• Fortinet AntiVirus detects this malware as Bash/TommyBoy.A!tr
• Indicators of Compromise (IOCs) include multiple malicious file hashes and domains

Recommendations:

• Audit and remove suspicious NPM packages containing “paypal” in the name
• Check for unusual NPM install behaviors or unknown external connections
• Reset and rotate any potentially exposed credentials
• Keep all development tools and security software updated
• Enable network monitoring for anomalous traffic to unknown domains

Reference:

https://www.fortinet.com/blog/threat-research/malicious-npm-packages-targeting-paypal-users