Weekly Threat Landscape Digest – Week 18

This week’s threat landscape underscores the increasing sophistication of cyber adversaries, who are actively exploiting newly disclosed and unpatched vulnerabilities. With the rise of zero-day exploits and highly targeted phishing operations, their tactics are becoming more precise and damaging. To counter these evolving threats, organizations must implement a multi-layered defense strategy—prioritizing rapid vulnerability remediation, continuous threat monitoring, and advanced detection mechanisms. Just as vital is cultivating a security-aware culture, reinforced by up-to-date threat intelligence, regular training, and a clearly structured incident response framework to limit the impact of potential breaches.

  1. Security Updates – Google Chrome (CVE-2025-4096, CVE-2025-4050, CVE-2025-4051, CVE-2025-4052)

Google has released a stable channel update for Chrome version 136 across Windows, Mac, Linux, Android, and iOS platforms, addressing eight security vulnerabilities. The most severe of these is CVE-2025-4096—a high-severity heap buffer overflow vulnerability in the HTML rendering engine. Successful exploitation may allow arbitrary code execution and system compromise. Other addressed issues involve out-of-bounds memory access and insufficient input validation within DevTools, affecting browser stability and data integrity.

Key Details:

  • CVE-2025-4096 (High): Heap buffer overflow in HTML rendering engine.
    • Impact: Arbitrary code execution; potential system takeover.
  • CVE-2025-4050 (Medium): Out-of-bounds memory access in DevTools.
  • CVE-2025-4051 (Medium): Insufficient input validation in DevTools.
  • CVE-2025-4052 (Low): Inappropriate implementation in DevTools.

Affected Platforms and Fixed Versions:

  • Windows & Mac: Chrome 136.0.7103.48/49 (Stable)
  • Linux: Chrome 136.0.7103.59 (Stable)
  • Android: Chrome 136 (136.0.7103.60)
  • iOS: Chrome 136 (136.0.7103.56)

Recommendations:

  • Upgrade to the latest Chrome version on all platforms.
  • Monitor endpoint behavior for any post-exploitation activity, especially following prior Chrome crashes or memory violations.
  • Review browser extension policies and enforce security best practices.
  • Enable automatic updates where feasible to maintain timely patching.

References:

 

  2. Security Updates – Mozilla Products (CVE-2025-2817, CVE-2025-4082, CVE-2025-4083, CVE-2025-4084, CVE-2025-4091~4093)

Mozilla has released critical security patches for Firefox, Firefox ESR, Thunderbird, and Thunderbird ESR to address multiple vulnerabilities, including privilege escalation, memory corruption, and sandbox escape risks.

Key Vulnerabilities:

  • CVE-2025-2817 (High): Privilege escalation via manipulation of Firefox’s updater file-locking mechanism. Affected all products.
    Patched in: Firefox 138, Firefox ESR 115.23/128.10, Thunderbird 138/128.10
  • CVE-2025-4082 (High): WebGL shader memory corruption (macOS only), leading to potential privilege escalation when chained.
  • CVE-2025-4083 (High): Sandbox bypass via javascript: URIs in cross-origin frames, allowing unauthorized content execution.
  • CVE-2025-4084 (Moderate): Command injection in Windows through the “Copy as cURL” feature due to improper escaping.
  • CVE-2025-4091, 4092, 4093: Memory safety bugs that could lead to arbitrary code execution across Firefox and Thunderbird.

Recommendations:

  • Immediately update to Firefox 138, Thunderbird 138, and respective ESR versions (115.23 / 128.10).
  • Avoid using developer features like “Copy as cURL” on untrusted sites until updated.
  • Monitor endpoints for unusual memory access patterns or privilege escalation attempts.
  • Educate users on avoiding risky browser actions on suspicious websites.

References:

 

  3. Security Updates – Huawei HarmonyOS & EMUI (Multiple CVEs)

Huawei has released its May 2025 security update addressing critical and high-severity vulnerabilities across HarmonyOS and EMUI systems. These flaws span proprietary modules (like App Lock, Contacts, Kernel) and third-party libraries, posing significant risk of remote code execution, data exposure, and system instability.

Key Vulnerabilities in HarmonyOS 5.0.0:

  • CVE-2025-46584 (High): File system authentication flaw allowing unauthorized access to sensitive files.
  • CVE-2025-46585 (High): Kernel out-of-bounds read/write leading to crashes or denial-of-service.
  • CVE-2025-46586 to CVE-2025-46590 (Medium): App Lock, Media Library, Network Search, and USB driver flaws enabling data exposure, permission bypass, and instability.
  • CVE-2024-58252 (Medium): Media metadata exposure due to weak protections.

Third-Party Vulnerabilities (Affecting HarmonyOS 2.0–4.3 and EMUI 12–14):

  • Critical:
    • CVE-2025-22423, CVE-2025-26416, CVE-2025-0084 – May allow full device compromise or remote code execution.
  • High Severity:
    • Includes CVEs like CVE-2024-49730, CVE-2025-0082/0083, CVE-2025-22422/22427, targeting privilege escalation, info leaks, and DoS.
  • Low Severity:
    • CVE-2025-27248, CVE-2025-25052, etc. – Lower risk but still important to patch.

Recommendations:

  • Immediately apply the latest OTA (Over-the-Air) update for all Huawei devices running HarmonyOS or EMUI.
  • Ensure enterprise fleet management includes patching schedules for mobile assets.
  • Monitor for signs of kernel crashes, unexpected media access, or privilege misuse post-update.

Reference:

https://consumer.huawei.com/en/support/bulletin/2025/5/ 

 

  4. Security Updates – Chrome OS (Multiple High-Severity CVEs)

Google has released a Long Term Support (LTS) security update for ChromeOS addressing several high-severity vulnerabilities. This update enhances system stability and protection against memory-related exploitation.

Key Vulnerabilities Addressed:

  • CVE-2025-3620 (High): Use-after-free vulnerability in USB component.
  • CVE-2025-2476 (High): Use-after-free vulnerability in Google Lens integration.
  • Additional CVEs Patched:
    • CVE-2024-50066
    • CVE-2024-53141
    • CVE-2024-50264
    • CVE-2024-53057

Impact:

Successful exploitation could lead to:

  • Unauthorized system access
  • Browser crashes or instability
  • Data leakage or compromise of user privacy

Fixed Version:

  • ChromeOS LTS Version: 132.0.6834.222
  • Platform Version: 16093.104.0

Recommendations:

  • Apply the latest LTS ChromeOS update immediately across all enterprise and personal devices.
  • Monitor for abnormal device behavior post-update.
  • Educate users to restart their devices to ensure updates are applied effectively.

Reference:

 

  5. High-Severity Privilege Escalation Vulnerability in SUSE Rancher (CVE-2024-22031)

A critical namespace collision flaw has been identified in SUSE Rancher that allows unauthorized privilege escalation across Kubernetes clusters.

Vulnerability Details:

  • CVE ID: CVE-2024-22031
  • CVSS Score: 8.6 (High)
  • Description:
    Affected Rancher versions use project names as namespaces. When identical project names are created across clusters, this leads to namespace collisions, potentially allowing unauthorized access to resources in other projects.

Affected Versions:

  • Rancher versions prior to:
    • v2.11.1
    • v2.10.5
    • v2.9.9

Fixed Versions:

  • Rancher v2.11.1, v2.10.5, v2.9.9

Recommendations:

  • Upgrade Rancher installations to the fixed versions immediately.
  • Review current project naming practices across clusters to ensure uniqueness.
  • Monitor cluster access logs for unauthorized cross-project activity.
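The second recommendation above, checking that project names are unique across clusters, can be scripted against Rancher's own management API objects. The following is an added example, not Rancher's code; it assumes that each Project custom resource (management.cattle.io/v3) carries the owning cluster in spec.clusterName and the display name in spec.displayName, and that the "Default" and "System" projects Rancher creates in every cluster are expected repeats. The sample JSON is constructed in the shape of `kubectl get projects.management.cattle.io -A -o json`.

```python
import json
import sys
from collections import defaultdict

# Assumed: Rancher's Project custom resource (management.cattle.io/v3) carries
# the owning cluster in spec.clusterName and the human-readable name in
# spec.displayName. Rancher also creates a "Default" and a "System" project
# in every cluster, so those names are expected to repeat and are ignored.
DEFAULT_PROJECT_NAMES = ("Default", "System")

# Constructed sample in the shape of
#   kubectl get projects.management.cattle.io -A -o json
SAMPLE_PROJECT_LIST = json.dumps({"items": [
    {"metadata": {"name": "p-abc12", "namespace": "c-m-aaa111"},
     "spec": {"clusterName": "c-m-aaa111", "displayName": "payments"}},
    {"metadata": {"name": "p-def34", "namespace": "c-m-bbb222"},
     "spec": {"clusterName": "c-m-bbb222", "displayName": "payments"}},
    {"metadata": {"name": "p-ghi56", "namespace": "c-m-aaa111"},
     "spec": {"clusterName": "c-m-aaa111", "displayName": "System"}},
    {"metadata": {"name": "p-jkl78", "namespace": "c-m-bbb222"},
     "spec": {"clusterName": "c-m-bbb222", "displayName": "System"}},
    {"metadata": {"name": "p-mno90", "namespace": "c-m-aaa111"},
     "spec": {"clusterName": "c-m-aaa111", "displayName": "analytics"}},
]})


def find_cross_cluster_collisions(project_list_json, ignore=DEFAULT_PROJECT_NAMES):
    """Return {displayName: [(clusterName, projectId), ...]} for every project
    name that is used in more than one cluster."""
    by_name = defaultdict(set)
    for item in json.loads(project_list_json).get("items", []):
        spec = item.get("spec", {})
        name = spec.get("displayName", "")
        if not name or name in ignore:
            continue
        # Fall back to the namespace, which Rancher sets to the cluster id.
        cluster = spec.get("clusterName") or item["metadata"].get("namespace", "")
        by_name[name].add((cluster, item["metadata"]["name"]))
    return {
        name: sorted(refs)
        for name, refs in by_name.items()
        if len({cluster for cluster, _ in refs}) > 1
    }


if __name__ == "__main__":
    # Pipe real output in:
    #   kubectl get projects.management.cattle.io -A -o json | python3 this_script.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PROJECT_LIST
    for name, refs in find_cross_cluster_collisions(data).items():
        print(f"{name!r} is used in {len(refs)} clusters: {refs}")
```

Run it against the real project list before and after the upgrade; any name it reports is a candidate for renaming so that the fixed versions do not inherit a collision.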

Reference:



  6. High-Severity Vulnerability in NVIDIA TensorRT-LLM (CVE-2025-23245)

A deserialization vulnerability in NVIDIA’s TensorRT-LLM framework allows local attackers to execute arbitrary code or manipulate system behavior via the Python executor component.

Vulnerability Details:

  • CVE ID: CVE-2025-23245
  • Severity: High
  • CVSS v3.1 Score: 8.8 (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
  • CWE: CWE-502 – Deserialization of Untrusted Data
  • Description:
    The Python executor used for socket-based inter-process communication (IPC) is vulnerable to insecure deserialization, enabling local attackers to:
    • Execute arbitrary code
    • Leak sensitive information
    • Alter critical system states
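The root cause described above is the classic CWE-502 pattern: a local IPC endpoint unpickles whatever a peer sends, and Python's pickle will call any callable an object's `__reduce__` names. The following is an added illustration written for this digest, not TensorRT-LLM's code: it shows the vulnerable loader next to two hardening options, a restricted unpickler that refuses to resolve any global, and a data-only (JSON) frame authenticated with an HMAC so that only a peer holding the key is accepted. The tripwire object, the key handling and the message shapes are constructed for the demonstration.

```python
import hashlib
import hmac
import io
import json
import pickle
import secrets

# Constructed tripwire: stands in for whatever side effect an attacker-chosen
# pickle would cause. Nothing in this file is TensorRT-LLM's own code.
TRIPWIRE = {"fired": False}


def _tripwire():
    TRIPWIRE["fired"] = True
    return "a callable ran during deserialization"


class Probe:
    """pickle calls the callable returned by __reduce__ while loading."""

    def __reduce__(self):
        return (_tripwire, ())


def probe_payload() -> bytes:
    """Bytes as they might arrive on the IPC socket from an untrusted local peer."""
    return pickle.dumps(Probe())


def plain_payload(obj) -> bytes:
    """A benign, data-only pickle (dicts, lists, scalars)."""
    return pickle.dumps(obj)


# --- The CWE-502 pattern: deserialize whatever the socket delivers ----------
def vulnerable_receive(payload: bytes):
    return pickle.loads(payload)


# --- Hardening 1: a loader that refuses to resolve any global ---------------
class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        # Plain containers and scalars never reach find_class. Anything that
        # does is a request to import a callable, which is the code-execution path.
        raise pickle.UnpicklingError(f"global {module}.{name} is not permitted")


def restricted_loads(payload: bytes):
    return RestrictedUnpickler(io.BytesIO(payload)).load()


# --- Hardening 2: data-only encoding plus an HMAC, so only the peer holding
# the key can produce an accepted frame. Assumed deployment: the key is read
# from a mode-0600 file owned by the service account, not generated per run.
IPC_KEY = secrets.token_bytes(32)


def seal(obj, key: bytes = IPC_KEY) -> bytes:
    payload = json.dumps(obj, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).digest() + payload


def open_sealed(frame: bytes, key: bytes = IPC_KEY):
    mac, payload = frame[:32], frame[32:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("IPC frame failed authentication")
    return json.loads(payload)


if __name__ == "__main__":
    vulnerable_receive(probe_payload())
    print("vulnerable loader executed a callable:", TRIPWIRE["fired"])
    try:
        restricted_loads(probe_payload())
    except pickle.UnpicklingError as exc:
        print("restricted loader refused:", exc)
    print("sealed round trip:", open_sealed(seal({"request_id": 7, "tokens": [1, 2, 3]})))
```

The restricted unpickler is the smaller change to an existing pickle-based protocol; the sealed JSON frame is the stronger one, because it removes the object model from the wire entirely and also addresses the "any local user can connect to the socket" half of the problem that the fix version's upgrade plus least privilege is meant to close.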

Affected Versions:

  • All TensorRT-LLM versions prior to 0.18.2

Fixed Version:

  • TensorRT-LLM v0.18.2

Recommendations:

  • Upgrade to TensorRT-LLM v0.18.2 or later immediately.
  • Audit systems using affected versions for suspicious local IPC activity.
  • Restrict local access and enforce least privilege principles.

Reference:

 

  7. Critical Use-After-Free Vulnerability in Linux Kernel (CVE-2025-21756)

A critical UAF vulnerability in the Linux kernel’s vsock subsystem could allow local attackers to execute code with elevated privileges.

Vulnerability Details:

  • CVE ID: CVE-2025-21756
  • Severity: Critical
  • Description:
    A Use-After-Free (UAF) vulnerability in the vsock subsystem of the Linux kernel occurs due to improper handling of socket binding states during transport reassignment. This flaw can result in:
    • Privilege Escalation
    • Bypassing Kernel ASLR (kASLR)
    • Execution of arbitrary code in kernel context
  • Status: Public proof-of-concept (PoC) is available, increasing exploitation risk.

Affected Component:

  • Linux Kernel vsock subsystem

Recommendations:

  • Apply security patches and mitigation steps provided by your Linux distribution.
  • Monitor vendor advisories for updates and kernel fixes.
  • Audit kernel logs and monitor for exploitation attempts if running affected versions.

References:

 

  8. Actively Exploited Code Injection Vulnerability in Brocade Fabric OS (CVE-2025-1976)

An actively exploited code injection vulnerability has been identified in Broadcom’s Brocade Fabric OS, allowing local privilege escalation to root.

Vulnerability Details:

  • CVE ID: CVE-2025-1976
  • CVSS v4.0 Score: 8.6 (High)
  • Vector: AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
  • Description:
    Local authenticated admin users can inject and execute arbitrary code with root-level privileges due to improper input validation of IP addresses. This can lead to:
    • Full system compromise
    • Injection of malicious subroutines
    • Unauthorized Fabric OS modification

Affected Versions:

  • Impacted:
    • Brocade Fabric OS versions 9.1.0 to 9.1.1d6
  • Fixed:
    • Brocade Fabric OS version 9.1.1d7 and later
  • Not Affected:
    • Brocade Fabric OS 9.2.0+
    • Brocade ASCG and SANnav

Recommendations:

  • Upgrade to Fabric OS 9.1.1d7 or newer.
  • Restrict administrative access by enforcing Role-Based Access Control (RBAC).
  • Regularly audit IP input fields and admin activity logs for suspicious behavior.

References:

  

  9. Local Privilege Escalation Vulnerability in Epson Printer Drivers (CVE-2025-42598)

A local privilege escalation vulnerability has been identified in Epson printer drivers for non-English versions of Microsoft Windows.

Vulnerability Details:

  • CVE ID: CVE-2025-42598
  • Severity: High
  • Description:
    A local attacker can exploit a flaw in Epson printer drivers to overwrite specific DLL files with malicious code, gaining SYSTEM-level privileges on the host system.

Impact:

  • Unauthorized privilege escalation
  • Arbitrary code execution with elevated privileges

Affected Systems:

  • Operating Systems:
    • Windows XP / XP Professional x64 Edition
    • Windows Vista / Vista x64
    • Windows 7 / 8 / 8.1 / 10 / 11 (including x64 editions)
    • Windows Server 2003, 2008 / 2008 R2, 2016, 2019, 2022, and Server 2025

Recommendations:

  • Apply Patch:
    • Use Epson Software Updater or manually download and install the patch from Epson’s official support page.
  • Update Drivers:
    • Regularly update Epson drivers and firmware across all managed endpoints.
  • Network Security:
    • Isolate printers and IoT devices using network segmentation.
  • Monitor Activity:
    • Enable endpoint monitoring for DLL write attempts in Epson driver paths.

Reference:

 

  10. Security Updates – Apache Tomcat (CVE-2025-31650 & CVE-2025-31651)

The Apache Software Foundation has released urgent security updates to fix two vulnerabilities affecting multiple Apache Tomcat versions.

Vulnerability Details:

  1. CVE-2025-31650 – Denial of Service (DoS)
  • Severity: High
  • Impact: Memory leak due to improper handling of invalid HTTP/2 priority headers can trigger OutOfMemoryException, potentially crashing the server.
  • Affected Versions:
    • Tomcat 11.0.0-M2 to 11.0.5
    • Tomcat 10.1.10 to 10.1.39
    • Tomcat 9.0.76 to 9.0.102
  2. CVE-2025-31651 – Rewrite Rule Bypass
  • Severity: Low
  • Impact: Allows bypass of certain security rules under specific rewrite configurations.
  • Affected Versions:
    • Tomcat 11.0.0-M1 to 11.0.5
    • Tomcat 10.1.0-M1 to 10.1.39
    • Tomcat 9.0.0.M1 to 9.0.102

Fixed Versions:

  • Tomcat 11.0.6 or later
  • Tomcat 10.1.40 or later
  • Tomcat 9.0.104 or later

Recommendations:

  • Update Apache Tomcat to the respective patched versions.
  • Monitor application logs for signs of unusual memory consumption or rule bypass attempts.
  • Review HTTP/2 and rewrite rule configurations for additional hardening.

References:

  11. Security Updates – NVIDIA GPU Drivers & vGPU Software

NVIDIA has released security updates addressing multiple vulnerabilities in its GPU Display Drivers and vGPU software across Linux and Windows platforms. These flaws could enable local attackers to escalate privileges, execute arbitrary code, trigger denial of service (DoS), or access sensitive system resources.

Vulnerability Details:

  1. CVE-2025-23244 – High Severity
  • CVSS Score: 7.8
  • Description: A vulnerability in the Linux GPU Display Driver may allow local attackers to escalate privileges, execute arbitrary code, perform DoS attacks, or tamper with sensitive data.
  • Impact: Code execution, privilege escalation, DoS, information disclosure, data tampering
  2. CVE-2025-23245 – Medium Severity
  • CVSS Score: 5.5
  • Description: In the vGPU Manager, guest systems may access global resources and trigger denial of service.
  • Impact: Denial of service
  3. CVE-2025-23246 – Medium Severity
  • CVSS Score: 5.5
  • Description: Improper resource management in vGPU Manager may allow a guest to consume uncontrolled resources.
  • Impact: Denial of service

Affected Products:

  • NVIDIA GPU Display Driver (Linux):
    • GeForce, RTX, Quadro, NVS, Tesla (Driver branches: R535, R550, R570, R575)
  • NVIDIA vGPU Software (Windows & Linux):
    • Virtual GPU Manager for Citrix Hypervisor, VMware vSphere, RHEL KVM, Ubuntu, Microsoft Azure Local, and Windows Server
  • NVIDIA Cloud Gaming (Linux):
    • Guest driver and Virtual GPU Manager

Recommendations:

  • Upgrade to the latest fixed versions provided by NVIDIA.
  • Review and apply mitigation steps as recommended in the official bulletin.
  • Monitor systems for unusual GPU-related activity or resource exhaustion signs.

Reference:

 

  12. High-Severity Vulnerability in ConnectWise ScreenConnect

A critical vulnerability (CVE-2025-3935) has been identified in ConnectWise ScreenConnect that may allow remote code execution (RCE) on affected servers due to weaknesses in ASP.NET ViewState handling.

Vulnerability Details:

  • CVE ID: CVE-2025-3935
  • Severity: High
  • CVSS Score: 8.1
  • Description:
    The flaw resides in the handling of ASP.NET ViewState, where Base64-encoded data can be manipulated if the machine keys are compromised. With valid machine keys, an attacker can craft malicious ViewState payloads, resulting in arbitrary code execution on the ScreenConnect server.

Affected Versions:

  • On-Premises ScreenConnect: All versions ≤ 25.2.3

Fixed Version:

  • ScreenConnect version: 25.2.4 or later

Recommendations:

  • Upgrade to ScreenConnect version 25.2.4 or later immediately.
  • Rotate machine keys if compromise is suspected.
  • Restrict access to the management interface and monitor logs for unusual ViewState activity.

Reference:

  13. Critical SQL Injection Vulnerabilities in Siemens TeleControl Server Basic

Multiple critical SQL injection vulnerabilities have been identified in Siemens TeleControl Server Basic versions prior to V3.1.2.2, which could allow remote attackers to access or manipulate database content, execute code, or crash the application.

Vulnerability Overview:

  • Advisory: ICSA-25-112-01
  • Vulnerable Component: SQL handler in TeleControl Server Basic
  • Impact:
    • Remote code execution
    • Unauthorized data access and manipulation
    • System crash and service disruption

Associated CVEs (Critical and High Severity):

  • Critical (CVSS v3.1: 9.8 | v4: 9.3):
    • CVE-2025-27495
    • CVE-2025-27539
    • CVE-2025-27540
  • High (CVSS v3.1: 8.8 | v4: 8.7):
    • CVE-2025-29905, 30002, 30003, 30030, 30031, 30032
    • CVE-2025-31343, 31349, 31350, 31351, 31352, 31353

Affected Product:

  • Siemens TeleControl Server Basic – All versions prior to V3.1.2.2

Mitigation & Recommendations:

  • Update immediately to TeleControl Server Basic V3.1.2.2 or later.
  • Restrict access to TCP port 8000 to only trusted IPs.
  • Minimize network exposure and avoid exposing control systems directly to the internet.
  • Segment OT networks from the IT/business network.
  • Monitor systems for unusual queries or database access attempts.

Reference:



  14. Critical Vulnerabilities in Planet Technology Network Devices

Multiple critical vulnerabilities have been discovered in Planet Technology network devices, including industrial switches and the UNI-NMS-Lite management platform. These flaws allow for remote code execution, authentication bypass, and privilege escalation.

Key CVEs & Impacts:

  • CVE-2025-46271 – Command Injection (CVSS 9.1):
    Pre-auth RCE via UNI-NMS-Lite.
  • CVE-2025-46272 – Command Injection (CVSS 9.1):
    Post-auth RCE on WGS switches.
  • CVE-2025-46273 – Hardcoded MQTT Credentials (CVSS 9.8):
    “client:client” enables unauthorized full access.
  • CVE-2025-46274 – Hardcoded MongoDB Credentials (CVSS 9.8):
    “planet:123456” exposed in NMS database.
  • CVE-2025-46275 – Missing Authentication (CVSS 9.8):
    Unauthorized admin creation on WGS switches.

Affected Products:

  • UNI-NMS-Lite: v1.0b211018 and prior
  • NMS-500 / NMS-1000V: All versions
  • WGS-804HPT-V2: ≤ v2.305b250121
  • WGS-4215-8T2S: ≤ v1.305b241115

Mitigation Recommendations:

  • Patch Immediately: Apply all firmware/software updates from Planet Technology.
  • Change Default Credentials: Replace all hardcoded or default login information.
  • Restrict Interface Access: Limit NMS/admin interfaces to trusted IPs.
  • Segment the Network: Isolate OT and management networks.
  • Monitor Logs: Watch for unauthorized access attempts or new admin creation.
  • Disable Unused Services: Shut down remote management if not required.
  • Prepare IR Plan: Isolate affected systems and keep clean backups ready.

Reference:




  15. Multiple Vulnerabilities in Grafana

Multiple vulnerabilities have been identified in Grafana OSS and Grafana Enterprise that may allow unauthorized access, cross-site scripting (XSS) injection, and data exposure.

Key Vulnerabilities:

  1. CVE-2025-3260 – Bypass Viewer and Editor Permissions
    • CVSS Score: 8.3 (High)
    • Users (including anonymous, if configured) can view/edit/delete dashboards they should not have access to due to permission bypass.
  2. CVE-2025-2703 – DOM XSS in XY Chart Plugin
    • CVSS Score: 6.8 (Medium)
    • Editors can inject arbitrary JavaScript which executes during panel rendering, bypassing CSP protections.
  3. CVE-2025-3454 – Authorization Bypass in Data Source Proxy API
    • CVSS Score: 5.0 (Medium)
    • Allows unauthorized read access by manipulating URL paths in Prometheus, Alertmanager, or similar data sources.

Affected Versions:

  • Grafana OSS and Enterprise: Versions from 8.x to 11.6.x

Fixed Versions:

  • 11.6.0+security-01
  • 11.5.3+security-01
  • 11.4.3+security-01
  • 11.3.5+security-01
  • 11.2.8+security-01
  • 10.4.17+security-01

Recommendations:

  • Update Immediately to a patched version listed above.
  • Audit dashboard permissions and anonymous access settings.
  • Restrict editor-level access to trusted users only.
  • Monitor for any unauthorized access to dashboards or API endpoints.

Reference:

 

  16. Critical Zero-Day Vulnerability in SAP NetWeaver

CVE ID: CVE-2025-31324
Severity: Critical (CVSS 10.0)
Component: SAP NetWeaver Visual Composer – MetadataUploader
Vulnerability Type: Unrestricted file upload (CWE-434)
Impact:

  • Remote unauthenticated attackers can upload and execute malicious JSP webshells.
  • Leads to full system compromise, even on fully patched systems.
  • Exploitation observed in enterprise and government environments.

Indicators of Compromise (IOCs):

  • Helper.jsp – SHA256: 1f72bd2643995fab4ecf7150b6367fa1b3fab17afd2abed30a98f075e4913087
  • Cache.jsp – SHA256: 794cb0a92f51e1387a6b316b8b5ff83d33a51ecf9bf7cc8e88a619ecb64f1dcf
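The two hashes above can be turned directly into a host-side sweep. The following is an added example, not SAP's or ReliaQuest's tooling: it walks a directory tree, hashes every file and reports exact IOC hits, files that carry one of the published names but a different hash (possible variants), and any other JSP in the tree for manual review, since new JSP files under an upload-reachable path are themselves a signal. The web-root path is site-specific and left as a placeholder.

```python
import hashlib
import os
import sys
from pathlib import Path

# Hashes and file names as published in this digest.
KNOWN_WEBSHELL_HASHES = {
    "1f72bd2643995fab4ecf7150b6367fa1b3fab17afd2abed30a98f075e4913087": "Helper.jsp",
    "794cb0a92f51e1387a6b316b8b5ff83d33a51ecf9bf7cc8e88a619ecb64f1dcf": "Cache.jsp",
}
KNOWN_WEBSHELL_NAMES = set(KNOWN_WEBSHELL_HASHES.values())
JSP_SUFFIXES = (".jsp", ".jspx")


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    """Stream the file so large artefacts do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(path: str, digest: str) -> str:
    """'ioc-match' for a published hash, 'name-match' for a published file name
    with a different hash (possible variant), 'review' for any other JSP found
    under the scanned tree, 'clear' otherwise."""
    base = os.path.basename(path)
    if digest.lower() in KNOWN_WEBSHELL_HASHES:
        return "ioc-match"
    if base in KNOWN_WEBSHELL_NAMES:
        return "name-match"
    if base.lower().endswith(JSP_SUFFIXES):
        return "review"
    return "clear"


def scan_tree(root) -> list:
    """Walk `root` and return [(path, category, sha256)] for every non-clear file."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                digest = sha256_file(p)
            except OSError:
                continue  # unreadable or vanished between listing and hashing
            category = classify(str(p), digest)
            if category != "clear":
                findings.append((str(p), category, digest))
    return findings


if __name__ == "__main__":
    # Point this at the web root of the SAP Java instance (site-specific; placeholder here).
    root = sys.argv[1] if len(sys.argv) > 1 else "/path/to/sap/webroot"
    for path, category, digest in scan_tree(root):
        print(f"{category:10} {digest} {path}")
```

Treat an `ioc-match` as confirmed compromise and preserve the file and its timestamps before removal; a `name-match` or an unexplained `review` entry warrants comparing the file against a known-good deployment rather than deleting it outright.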

Recommendations:

  • Apply SAP’s latest security patch immediately.
  • Restrict access to the MetadataUploader endpoint.
  • Ensure only authenticated users can upload files.
  • Monitor SAP systems for webshell activity and anomalous behavior.

Reference:
https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sapnetweaver-compromise

 

  17. Critical Vulnerability in ASUS Servers (BMC Firmware)

CVE ID: CVE-2024-54085
Severity: Critical (CVSS v4: 10.0)
Component: AMI MegaRAC BMC Firmware
Attack Surface: Redfish out-of-band management interface
Vulnerability Type: Remote code execution and firmware-level compromise
Affected Vendors: ASUS, Lenovo, HPE, ASRock, and others
Impact:

  • Full server takeover via BMC
  • Firmware tampering and persistent malware installation
  • Server bricking through voltage manipulation
  • Reboot loops and component disablement

Affected ASUS Models (with patched firmware):

  • PRO WS W790E-SAGE SE → v1.1.57
  • PRO WS W680M-ACE SE → v1.1.21
  • PRO WS WRX90E-SAGE SE → v2.1.28
  • PRO WS WRX80E-SAGE SE WIFI → v1.34.0

Recommendations:

  • Immediately upgrade to the listed BMC firmware versions for all affected ASUS servers.
  • Disable or firewall Redfish interface where not actively needed.
  • Monitor for unauthorized BMC access or anomalous server behavior.

Reference:
https://go.ami.com/hubfs/Security%20Advisories/2025/AMI-SA-2025003.pdf



  18. Critical Zero-Day Exploit Chain Targeting Craft CMS

Vulnerabilities:

  • CVE-2025-32432 (Craft CMS RCE) – CVSS 10.0: Unauthenticated attackers can inject code via a crafted return URL, saved in PHP session files.
  • CVE-2024-58136 (Yii Framework) – CVSS 9.0: Input validation flaw allows attackers to trigger PHP code execution with a malicious JSON payload.

Exploit Chain:

  1. Craft CMS flaw used to create a malicious session file.
  2. Yii flaw exploited to execute injected PHP code.
  3. Results in full remote access and webshell upload (e.g., filemanager.php).

Impact:

  • Full server compromise
  • Database exfiltration and config theft
  • Remote file uploads and webshell persistence
  • Public Metasploit module increases risk of mass exploitation

Patched Versions:

  • Craft CMS: 3.9.15 / 4.14.15 / 5.6.17
  • Yii Framework: 2.0.52

Recommendations:

  • Update to patched versions immediately.
  • Rotate all exposed credentials (DB, API keys, private keys).
  • Monitor logs and traffic for listed IOCs.
  • Implement WAF, strict input validation, and session security controls.

References:

https://www.yiiframework.com/news/709/please-upgrade-to-yii-2-0-52 

https://github.com/craftcms/cms/security/advisories/GHSA-f3gw-9ww9-jmc3 

 

  19. Phishing Campaigns Targeting Higher Education Institutions

Phishing campaigns have been targeting U.S. universities since late 2022, with peaks around academic calendar milestones. Attackers impersonate university communications to steal credentials and financial data.

Attack Methods:

  1. Google Forms Phishing Campaign
    • Malicious Google Forms hosted using compromised university domains.
    • Custom university branding used to trick users into sharing credentials and financial info.
    • Phishing forms are themed around:
      • Financial aid disbursement
      • Account verification/deactivation
      • Campus medical response
  2. Cloned Login Pages
    • Fake login portals redirect mobile users via JavaScript with hex-encoded payloads.
    • Redirect domains:
      • cutly[.]today
      • kutly[.]win
  3. Two-Step Attack Chain
    • Initial email phishes staff with fake raise/bonus notifications.
    • Compromised staff accounts are then used to phish students with fake job forms.

 

Payment Redirection (BEC) Tactics:

  • Attackers monitor internal communication to identify financial transactions.
  • Requests for payment detail changes are crafted using legitimate email threads.
  • Small incremental redirections (5–10%) used to avoid detection.
  • Common targets: FAFSA, payroll, grants, and vendor payments.

 

Mitigation Recommendations:

  • Enforce Multi-Factor Authentication (MFA) across all user types, including alumni.
  • Regular employee awareness training (focus: fake forms, urgent requests).
  • Implement strict payment change verification policies.
  • Use canary tokens to detect unauthorized scraping or cloning.
  • Deploy advanced email security tools (Safe Browsing, SPF/DKIM/DMARC, anomaly detection).
  • Limit outgoing email thresholds for standard users.
  • Monitor context-aware login behavior (geo/device anomalies).
  • Maintain a BEC-focused incident response plan.

 

Reference:
Phishing Targeting Higher Education – Google Cloud Threat Intelligence

 

  20. Targeted Threats Against SentinelOne

SentinelOne, a leading cybersecurity firm, has reported being the target of multiple advanced threat campaigns, including attacks by North Korean IT workers, ransomware groups, and Chinese state-sponsored actors. These campaigns aimed to exploit both human and technical elements of the organization, highlighting risks to the software supply chain and endpoint protection platforms.

 

Threat Highlights:

  • North Korean Job Application Fraud:
    SentinelOne received over 1,000 fake job applications from 360+ fraudulent personas posing as IT professionals. The objective was to infiltrate the company or gather intel on hiring processes. These actors are known to use fake identities to earn foreign income and access sensitive data.
  • Ransomware & Cybercrime Targeting:
    SentinelOne was targeted by cybercriminals aiming to evade security tools by:
    • Renting access from third-party brokers
    • Using stolen credentials or insider recruitment (offers up to $20,000)
    • Impersonating companies to acquire licenses for product testing
  • Risks of Console Access and Agent Exploitation:
    Threat actors attempted to abuse console or endpoint agent access to:
    • Disable protections
    • Suppress detections
    • Test malware effectiveness without triggering alerts
  • Chinese APT Campaign (PurpleHaze):
    Investigation of a logistics partner breach revealed reconnaissance attempts against SentinelOne and its clients by Chinese APTs. Although no secondary compromise was found, the incident exposed supply chain weaknesses.

 

Recommendations:

  • Implement enhanced vetting for job applicants and detect fraudulent personas
  • Monitor and audit all endpoint agent installations and administrative access
  • Enforce strict license provisioning and validate customer identities
  • Conduct continuous third-party risk assessments across the supply chain
  • Monitor for unauthorized or tampered usage of security tools within internal and external environments

 

Reference:

https://www.securityweek.com/sentinelone-targeted-by-north-korean-it-workers-ransomware-groups-chinese-hackers/amp/

© 2025 HawkEye – Managed CSOC and XDR powered by DTS Solution. All Rights Reserved.