Weekly Threat Landscape Digest – Week 20

1. Security Updates – Microsoft
   Microsoft’s May 2025 Patch Tuesday includes over 70 fixes, with 5 actively exploited zero-days, 2 publicly disclosed zero-days, and several critical Azure-related vulnerabilities.

Actively Exploited Zero-Days:

• CVE-2025-30400, 32701, 32706, 32709 – Privilege escalation to SYSTEM via use-after-free flaws in Windows components.
• CVE-2025-30397 – Remote Code Execution (RCE) via Microsoft Scripting Engine (malicious web links).

Publicly Disclosed Zero-Days:

• CVE-2025-26685 – LAN-based spoofing in Microsoft Defender for Identity.
• CVE-2025-32702 – Command injection in Visual Studio.

Critical Azure & Power Apps Vulnerabilities:

• CVE-2025-29813 – Azure DevOps (CVSS 10.0)
• CVE-2025-29827 – Azure Automation (CVSS 9.9)
• CVE-2025-29972 – Azure Storage Resource Provider (CVSS 9.9)
• CVE-2025-30387 – Azure (CVSS 9.8)
• CVE-2025-47733 – Microsoft Power Apps (CVSS 9.1)

Recommendations:

• Update immediately across all Microsoft systems.
• Prioritize Azure, Edge/IE, and Defender deployments.
• Review: https://msrc.microsoft.com/update-guide/releaseNote/2025-May

2. Security Updates – Google Chrome

Google has released urgent security patches addressing multiple high-severity vulnerabilities, including one actively exploited in the wild.

Key Vulnerabilities:

• CVE-2025-4664 – Insufficient policy enforcement in Loader
  → May allow attackers to bypass security restrictions and leak data
• CVE-2025-4609 – Incorrect handle in Mojo IPC
  → Could enable privilege escalation or malicious behavior

Fixed Versions:

• Desktop: Chrome 136.0.7103.113/.114 (Windows, Mac), 136.0.7103.113 (Linux)
• Mobile: Chrome 136.0.7103.125 (Android)

Recommendations:

• Immediately update Chrome across all platforms
• Monitor systems for signs of exploitation or abnormal Chrome behavior

References:

• https://chromereleases.googleblog.com/2025/05/stable-channel-update-fordesktop_14.html
• https://chromereleases.googleblog.com/

3. Critical and High-Risk Vulnerabilities in Ivanti EPMM and Neurons

Ivanti has disclosed multiple security flaws in Endpoint Manager Mobile (EPMM) and Neurons for ITSM (On-Premises) that may allow unauthenticated remote code execution and administrative access.

Key Vulnerabilities:

Ivanti EPMM:

• CVE-2025-4427 – Authentication bypass (CVSS 5.3, Medium)
• CVE-2025-4428 – Remote Code Execution (CVSS 7.2, High)
• Exploitation: Limited confirmed cases
• Mitigation: Use Portal ACLs/WAF to restrict API access
• Patched Versions:
  • 11.12.0.5
  • 12.3.0.2
  • 12.4.0.2
  • 12.5.0.1

Ivanti Neurons for ITSM (On-Prem):

• CVE-2025-22462 – Admin access via authentication bypass (CVSS 9.8, Critical)
• Exploitation: None reported
• Mitigation: Apply May 2025 Security Patch from Ivanti Licensing System

Recommendations:

• Immediately patch affected versions of EPMM and Neurons
• Enforce ACLs and network segmentation for affected interfaces

References:

• https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Neurons-for-ITSM-onpremises-only-CVE-2025-22462
• https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-MobileEPMM

4. Security Updates – Zoom

Zoom has released updates addressing multiple high and medium-severity vulnerabilities in Zoom Workplace and associated applications. These flaws may allow privilege escalation, memory exposure, DoS, or security control bypass.

Key Vulnerabilities:

• CVE-2025-30663 – TOCTOU race condition (High): Privilege escalation on all platforms
• CVE-2025-30668 – Integer underflow (Medium): May lead to crashes or code execution (Windows)
• CVE-2025-46786 / 46787 – Input injection (Medium): Malicious input injection on all platforms
• CVE-2025-46785 – Buffer over-read (Medium): Exposes sensitive memory (Windows)
• CVE-2025-30667 / 30665 / 30666 – NULL pointer dereference (Medium): May cause DoS or crashes
• CVE-2025-30664 – Input neutralization flaw (Medium): Bypass of security controls

Recommendations:

• Update Zoom Workplace apps across all platforms to the latest secure version.

Reference:

• https://www.zoom.com/en/trust/security-bulletin/ 

5. Critical Stack-Based Buffer Overflow in Fortinet Products

A critical vulnerability (CVE-2025-32756) has been identified and actively exploited in Fortinet products, including FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera. The flaw allows remote, unauthenticated attackers to execute arbitrary commands through crafted HTTP requests.

Key Details:

• CVE: CVE-2025-32756
• Component: GUI
• CVSS Score: 9.6 (Critical)
• Impact: Remote code execution, credential harvesting, log wiping, and malicious file installation
• Attack Surface: HTTP/HTTPS interface
• Exploitation: Confirmed in the wild, primarily targeting FortiVoice

Affected Versions (sample):

• FortiVoice: 6.4.0 to 6.4.10, 7.0.0 to 7.0.6, 7.2.0
• FortiMail: 7.0.0 to 7.0.8, 7.2.0 to 7.2.7, 7.4.0 to 7.4.4, 7.6.0 to 7.6.2
• FortiNDR, FortiRecorder, FortiCamera: Multiple legacy and recent versions

Fixed Versions:

• FortiVoice: 6.4.11+, 7.0.7+, 7.2.1+
• FortiMail: 7.0.9+, 7.2.8+, 7.4.5+, 7.6.3+
• FortiNDR, FortiRecorder, FortiCamera: Migrate or upgrade to respective patched versions

Recommendations:

• Immediately upgrade to the fixed versions or migrate to secure releases
• Disable HTTP/HTTPS GUI access until patches are applied
• Monitor systems for unauthorized cron jobs and suspicious file changes
• Use listed IPs to enhance detection rules and threat hunting

Reference:
https://www.fortiguard.com/psirt/FG-IR-25-254

6. Security Updates – Apple

Apple has released urgent security updates across iOS, iPadOS, macOS, watchOS, tvOS, visionOS, and Safari to address critical vulnerabilities that could allow remote code execution, privilege escalation, and data leakage.

Key Vulnerabilities Patched:

• CVE-2025-31214 (Baseband): May allow attackers with privileged network access to intercept traffic.
• CVE-2025-31222 (mDNSResponder): Allows privilege escalation via local processes.
• CVE-2024-8176 (libexpat): Memory handling flaws may lead to app crashes or remote code execution.
• CVE-2025-31258: Enables malicious apps to escape sandbox restrictions and access system-level resources.

Impacted Platforms & Latest Versions:

• iOS/iPadOS 18.5 – iPhone XS and later, iPads from 7th gen and up.
• iPadOS 17.7.7 – Older iPad Pro and iPad 6th gen.
• macOS Sequoia 15.5
• macOS Sonoma 14.7.6
• macOS Ventura 13.7.6
• watchOS 11.5 – Apple Watch Series 6 and newer.
• tvOS 18.5 – All Apple TV models.
• visionOS 2.5 – Apple Vision Pro.
• Safari 18.5 – Updated for Ventura and Sonoma.

Recommendations:

• Update all Apple devices and platforms to the latest versions immediately.
• Prioritize patching devices used for communication, sensitive data access, or administrative purposes.
• Monitor systems for suspicious app behavior or unauthorized access attempts.

Reference:
https://support.apple.com/en-us/100100

7. Command Injection Vulnerability in F5 BIG-IP

A high-severity command injection vulnerability (CVE-2025-31644) has been disclosed in F5 BIG-IP devices configured in Appliance mode. It allows authenticated admin users to execute arbitrary commands as root, bypassing shell restrictions.

Key Details:

• CVE-2025-31644
• CVSS Score: 8.7 (High)
• Impact: Root-level command execution via iControl REST API or TMSH CLI
• Exploitation: PoC available publicly; risk of active exploitation is high
• Attack Vector: file parameter in save command

Affected Versions:

• 17.x: 17.1.0 – 17.1.2 → Fixed in 17.1.2.2
• 16.x: 16.1.0 – 16.1.5 → Fixed in 16.1.6
• 15.x: 15.1.0 – 15.1.10 → Fixed in 15.1.10.7

Recommendations:

• Apply security patches immediately
• Restrict access to the iControl REST API and CLI via trusted networks
• Review logs for suspicious API calls or abnormal use of save with file parameters

Reference:
https://my.f5.com/manage/s/article/K000148591

8. Security Updates – VMware

VMware has released patches for multiple vulnerabilities affecting Aria Automation and VMware Tools. These issues could lead to access token theft or local file tampering.

Key Vulnerabilities:

• CVE-2025-22249 – DOM-Based XSS in Aria Automation
  • CVSS Score: 8.2 (High)
  • Impact: Attacker could steal access tokens via malicious URL
  • Affected Products: Aria Automation, Cloud Foundation, Telco Cloud Platform
  • Fixed Versions: Aria Automation 8.18.1 Patch 2
• CVE-2025-22247 – Insecure File Handling in VMware Tools
  • CVSS Score: 6.1 (Medium)
  • Impact: Privileged guest users may tamper with local files
  • Affected Products: VMware Tools 11.x.x, 12.x.x
  • Fixed Version: VMware Tools 12.5.2+

Recommendations:

• Apply all patches listed in the relevant advisories
• Ensure user awareness to avoid interacting with untrusted links

References:

• https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25683 
• https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25711 

9. Security Updates – Chrome OS

Google has released ChromeOS LTS version 132.0.6834.223 (Platform Version: 16093.105.0) with critical security updates. The update includes a fix for a high-severity vulnerability in the V8 JavaScript engine.

Key Vulnerability:

• CVE-2025-1920 – Type Confusion in V8
  • Severity: High (CVSS 8.8)
  • Impact: Remote code execution via malicious webpage
  • Risk: Compromise of browser process and potential broader system impact

Recommendations:

• Update ChromeOS devices to the latest LTS version
• Monitor for any suspicious browser activity or performance issues

Reference:

• https://chromereleases.googleblog.com/2025/05/long-term-support-channel-updatefor.html

10. Security Updates – F5 Products

F5 Networks has released critical and high-severity security updates for BIG-IP, BIG-IP Next, and F5OS products. These vulnerabilities impact iControl REST, TMSH, HTTP/2, SIP ALG, and more, potentially allowing command injection, privilege escalation, and service disruption.

Key High-Risk Vulnerabilities:

• CVE-2025-46265 – F5OS Appliance Mode (CVSS 8.8)
• CVE-2025-31644 – Authenticated command injection via iControl REST/TMSH (CVSS 8.7)
• CVE-2025-36546 – Appliance Mode privilege bypass (CVSS 9.2)
• CVE-2025-41399 / 36557 / 36504 / 41414 – BIG-IP HTTP/SCTP/HTTP/2 protocol issues (CVSS up to 8.7)
• CVE-2025-41433 – SIP ALG profile flaw (CVSS 8.7)
• CVE-2025-36525 / 35995 / 41431 – APM, PEM, and TMM vulnerabilities (CVSS 8.7)

Medium Severity:

• CVE-2025-43878 – File handling vulnerability in F5OS (CVSS 6.0)

Recommendations:

• Update to the fixed versions released by F5
• If patching is not feasible, apply official mitigations
• Restrict access to management interfaces and monitor logs for suspicious activity

Reference:

• https://my.f5.com/manage/s/article/K000151008

11. Critical Vulnerabilities in Jenkins Plugins

Jenkins has released a critical security advisory addressing multiple vulnerabilities in widely-used plugins. These include authentication bypass, stored XSS, CSRF flaws, SSL/TLS misconfigurations, and improper token validation—posing severe risks to Jenkins environments.

Key Vulnerabilities:

• CVE-2025-47884 – OpenID Connect Provider Plugin
  • Severity: Critical
  • Issue: Improper claim validation allowing ID token forgery
  • Fix: Update to version 111.v29fd614b_3617
• CVE-2025-47885 – Health Advisor by CloudBees Plugin
  • Severity: High
  • Issue: Stored XSS via unescaped server responses
  • Fix: Update to version 374.376.v3a_41a_a_142efe
• CVE-2025-47886 / 47887 – Cadence vManager Plugin
  • Severity: Medium
  • Issues: CSRF and permission bypass enabling unauthorized URL access
  • Fix: Update to version 4.0.1-288.v8804b_ea_a_cb_7f
• CVE-2025-47888 – DingTalk Plugin
  • Severity: Medium
  • Issue: SSL/TLS validation disabled; susceptible to MITM
  • Fix: Not yet available
• CVE-2025-47889 – WSO2 Oauth Plugin
  • Severity: Critical
  • Issue: Authentication bypass granting full access
  • Fix: Not yet available

Recommendations:

• Immediately update all plugins with available patches
• Disable or uninstall vulnerable plugins with no fix

Reference:

• https://www.jenkins.io/security/advisory/2025-05-14/

12. SAP Security Bulletin – May 2025

SAP’s May 2025 Patch Day addresses 16 new vulnerabilities and 2 updates, including CVE-2025-31324, a critical zero-day in SAP NetWeaver Visual Composer that is actively exploited in the wild, allowing unauthenticated remote code execution.

Key Vulnerabilities:

• CVE-2025-31324 – Missing Auth Check in Visual Composer
  • Product: SAP NetWeaver (VCFRAMEWORK 7.50)
  • Severity: Critical (CVSS 10)
  • Status: Actively exploited
• CVE-2025-42999 – Insecure Deserialization
  • Product: SAP NetWeaver (VCFRAMEWORK 7.50)
  • Severity: Critical (CVSS 9.1)
• CVE-2025-30018 and related (CVE-2025-30009 to CVE-30012) – Multiple issues in Live Auction Cockpit
  • Product: SAP SRM (SRM_SERVER 7.14)
  • Severity: High (CVSS 8.6)
• CVE-2025-43010 – Code Injection
  • Product: SAP S/4HANA (MDL)
  • Severity: High (CVSS 8.3)
• CVE-2025-43000 – Information Disclosure
  • Product: SAP Business Objects BI Platform
  • Severity: High (CVSS 7.9)
• CVE-2025-43011 – Missing Authorization Check
  • Product: SAP Landscape Transformation (DMIS/S4CORE)
  • Severity: High (CVSS 7.7)
• CVE-2024-39592 [Update] – Missing Authorization
  • Product: SAP PDCE (S4CORE 102-108)
  • Severity: High (CVSS 7.7)

Recommendations:

• Apply all SAP May 2025 patches immediately, prioritizing CVE-2025-31324 and CVE-2025-42999
• Monitor for IoCs linked to CVE-2025-31324
• Review SAP user roles and enforce least privilege

Reference:

• https://support.sap.com/en/my-support/knowledge-base/security-notes-news/may2025.html

13. SSRF Vulnerability in SonicWall Firewalls

A high-severity Server-Side Request Forgery (SSRF) vulnerability (CVE-2025-40595) has been disclosed in SonicWall SMA1000 appliances, specifically targeting the Work Place interface. Remote unauthenticated attackers can exploit this flaw using encoded URLs to initiate unauthorized internal or external network requests.

Key Details:

• CVE ID: CVE-2025-40595
• Type: SSRF (CWE-918)
• CVSS Score: 7.2 (High)
• Impact: Unauthorized network access via crafted URLs
• Attack Vector: Remote, no authentication required
• Affected Versions: SMA1000 versions ≤ 12.4.3-02925
• Fixed Version: 12.4.3-02963 and later

Recommendations:

• Upgrade SonicWall SMA1000 appliances to version 12.4.3-02963 or later
• Monitor for unusual outbound traffic patterns

Reference:

• https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0010

14. Chromium Vulnerabilities Impacting Prisma Access Browser

Palo Alto Networks has addressed multiple high-severity Chromium vulnerabilities in the Prisma Access Browser. These flaws include use-after-free, heap buffer overflows, and improper input validation. Though no active exploitation has been reported, they pose a significant risk when exploited via crafted network traffic.

Key Details:

• Total CVEs Patched: 16
• CVSS Base Score: 9.4 (High)
• Attack Vector: Network
• Attack Complexity: Low
• User Interaction: Required
• Privileges Required: None

Fixed Versions:

• 135.16.8.96: CVE-2025-3066 through CVE-2025-3074, CVE-2025-3619, CVE-2025-3620
• 136.11.9.93: CVE-2025-4050 through CVE-2025-4052, CVE-2025-4096, CVE-2025-4372

Recommendations:

• Upgrade Prisma Access Browser to version 135.16.8.96 or 136.11.9.93
• Monitor user activity and restrict access to untrusted web content

Reference:

• https://security.paloaltonetworks.com/PAN-SA-2025-0009

15. Multiple Vulnerabilities in Schneider Electric Products

Schneider Electric has disclosed several vulnerabilities across its product line, which could allow remote attackers to execute code, bypass authentication, or gain unauthorized access to sensitive system resources.

Key Vulnerabilities:

• CVE-2025-32433 – Erlang/OTP SSH Server RCE
  • Critical unauthenticated RCE via crafted SSH messages.
  • Impact: Full system compromise if SSH daemon runs with elevated privileges.
  • Affected Products: Galaxy VS, Galaxy VL, Galaxy VXL.
• CVE-2023-4041 – Silicon Labs Gecko Bootloader Buffer Overflow
  • Improper buffer size validation in firmware file parser.
  • Impact: Code injection, authentication bypass, data compromise.
  • Affected Products: PrismaSet Active, Wiser AvatarOn 6K Freelocate, Wiser Cuadro H 5P Socket.
• CVE-2025-2875 – Controller Webserver Resource Access
  • Resource access via manipulated webserver URLs.
  • Impact: Unauthorized access and data exposure.

Recommendations:

• Apply the mitigation or workaround provided by Schneider Electric.
• Limit public exposure of affected interfaces and monitor for unusual access behavior.

References:

• • https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-133-04&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-133-04.pdf 
  • https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-133-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-133-02.pdf 
  • https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-133-05&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-133-05.pdf 

• https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-133-01&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-133-01.pdf 

16. Critical RCE Vulnerability in OpenCTI Platform

A critical remote code execution (RCE) vulnerability has been disclosed in the OpenCTI Platform, a popular open-source threat intelligence platform. This vulnerability allows attackers to execute arbitrary commands on the host server, potentially leading to full root-level access, privilege escalation, and data exfiltration.

Key Details:

• CVE ID: CVE-2025-24977
• CVSS Score: 9.1 (Critical)
• Affected Version: 6.4.8
• Patched Version: 6.4.11
• Attack Vector: Remote
• Impact: Remote Code Execution, Privilege Escalation, Infrastructure Access
• Exploit Status: Public proof-of-concepts likely imminent

Recommendations:

• Upgrade OpenCTI to version 6.4.11 or later immediately
• Monitor system logs for signs of unauthorized access or command execution

Reference:

• https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-mf88-g2wq-p7qm

17. Critical Vulnerabilities in ASUS DriverHub

ASUS DriverHub, a utility for managing driver updates on ASUS motherboards, contains critical security flaws that could allow remote attackers to spoof trusted communication or manipulate system behavior.

Key Details:

• CVE-2025-3462 – Insufficient Validation of HTTP Requests
  • CVSS v4 Score: 8.4 (High)
  • Impact: Internal spoofing and feature misuse
• CVE-2025-3463 – Remote System Manipulation via Crafted Requests
  • CVSS v4 Score: 9.4 (Critical)
  • Impact: Full remote manipulation of system behavior, potential motherboard compromise

Affected Versions:

• ASUS DriverHub prior to 1.0.6.0

Fixed Version:

• 1.0.6.0 or later

Recommendations:

• Upgrade ASUS DriverHub to the latest version (≥1.0.6.0)
• Monitor systems for unexpected configuration changes or anomalous network requests

Reference:

• https://www.asus.com/content/asus-product-security-advisory/

18. Critical Cloud Vulnerabilities in Microsoft Azure Services

Microsoft has remediated multiple critical vulnerabilities across Azure DevOps, Automation, Storage, and Power Apps services. Though not publicly exploited, these flaws posed risks such as privilege escalation, SSRF, and information disclosure. No customer action is required—platform-level fixes were applied before disclosure.

Key Vulnerabilities:

• CVE-2025-29813 – Azure DevOps Pipeline Token Hijack
  • CVSS: 10.0 (Critical)
• CVE-2025-29827 – Azure Automation Improper Authorization
  • CVSS: 9.9 (Critical)
• CVE-2025-29972 – Azure Storage SSRF Vulnerability
  • CVSS: 9.9 (Critical)
• CVE-2025-47733 – Microsoft Power Apps SSRF & Info Disclosure
  • CVSS: 9.1 (High)

Recommendations:

• No immediate action required – all vulnerabilities are patched by Microsoft
• Subscribe to Microsoft’s Security Update Guide for ongoing advisories
• Review Azure DevOps project permissions and enforce least privilege
• Monitor token usage and audit logs for anomalies

References:

• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-29813
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-29827

19. Play Ransomware Exploited Windows CVE-2025-29824 as Zero-Day

Symantec has reported that Play Ransomware (aka Balloonfly/PlayCrypt) exploited CVE-2025-29824, a privilege escalation vulnerability in Windows CLFS, as a zero-day prior to its patch release.

Key Points:

• Exploit: CVE-2025-29824 (Use-after-free in CLFS driver)
• CVSS: Not officially assigned; critical due to zero-day status
• Target: U.S.-based organization
• Initial Access: Likely via exposed Cisco ASA; lateral movement followed
• Payloads Observed:
  • Grixba info-stealer disguised as “paloaltoconfig.exe/.dll”
  • Exploit dropped artifacts in C:\ProgramData\SkyPDF
  • DLL clssrv.inf injected into winlogon.exe, dropped two batch scripts

Post-Exploitation Activity:

• servtask.bat: escalates privileges, dumps registry hives, adds admin user “LocalSvc”
• cmdpostfix.bat: deletes traces
• Recon of Active Directory environment and machine enumeration

Notable Observations:

• No ransomware payload deployed—indicates pre-encryption reconnaissance
• Exploit potentially shared with other actors before patch
• Activity does not overlap with Microsoft-tracked Storm-2460 (PipeMagic malware)Recommendations:

• Apply Microsoft’s patch for CVE-2025-29824
• Monitor C:\ProgramData\SkyPDF, registry changes, and new user accounts
• Review EDR configuration against BYOI abuse scenarios
• Harden domain controllers and monitor lateral movement attempts

Reference:
🔗 https://thehackernews.com/2025/05/play-ransomware-exploited-windows-cve.html

20. Malicious npm Packages Infect Cursor Users with Backdoor

Key Highlights:

• Over 3,200 macOS Cursor users were affected by three malicious npm packages:
  • sw-cur (2,771 downloads)
  • sw-cur1 (307 downloads)
  • aiide-cur (163 downloads)
• Attack Flow:
  • Poses as tools offering “cheapest Cursor API”
  • Steals Cursor credentials
  • Fetches encrypted payload from t.sw2031[.]com or api.aiide[.]xyz
  • Overwrites Cursor’s main.js, disables auto-updates, restarts the app
  • Grants persistent backdoor access and executes arbitrary code
• Persistence: Survives even after npm package is uninstalled (patch-based compromise)

Additional Supply Chain Attacks:

1. Cryptocurrency Theft via BullX-Targeting Packages
   • pumptoolforvolumeandcomment (625 downloads)
   • debugdogs (119 downloads) – acts as a wrapper to deliver the first
   • Steals wallet data, keys, and sends to a Telegram bot
   • Targets macOS users
2. Compromise of rand-user-agent npm Package
   • Malicious versions: 2.0.83, 2.0.84, 1.0.110
   • Delivers a remote access trojan (RAT)
   • Commands: file upload, shell execution, directory change
   • Root cause: stolen automation token (no 2FA enabled)
   • Fix: Downgrade to safe version 2.0.82 (note: malware must still be manually removed)

Recommendations:

• Avoid installing npm packages with postinstall scripts or that modify files outside node_modules
• Use real-time dependency scanning and file-integrity monitoring
• Immediately remove affected packages and perform clean installs of impacted software
• Audit developer systems for unauthorized file modifications and network activity

Reference: https://thehackernews.com/2025/05/malicious-npm-packages-infect-3200.html 

21. Iranian APT Maintains 2-Year Access to Middle East CNI via VPN Exploits and Malware

Key Highlights:

• An Iranian state-sponsored APT group, Lemon Sandstorm (aka Pioneer Kitten, UNC757), maintained unauthorized access to a Middle East Critical National Infrastructure (CNI) network from May 2023 to February 2025.
• Initial Access was gained via SSL VPN credential abuse (Fortinet, Pulse Secure, Palo Alto) and web shell deployment.
• Attack Timeline:
  • May 2023 – Apr 2024: Deployed backdoors – Havoc, HanifNet, and HXLibrary
  • May – Nov 2024: Lateral movement using tools like Plink, Ngrok, NeoExpressRAT
  • Nov – Dec 2024: Drop of SystemBC, MeshCentral Agent; attempts at persistence
  • Dec 2024 – Present: Used ZKTeco BioTime exploits (CVE-2023-38950 to 38952) and phishing targeting M365 users
• Custom Malware and Tools:
  • HXLibrary, HanifNet, RecShell, NeoExpressRAT, CredInterceptor, DropShell, RemoteInjector
  • C2 domains: apps.gist.githubapp[.]net, gupdate[.]net
• TTPs:
  • Use of chained proxy tools for segmentation bypass
  • OT-adjacent segments were breached; no confirmed OT system compromise
  • Activities were hands-on-keyboard, involving multiple operators

Recommendations:

• Review access logs for long-term VPN session abuse
• Audit for presence of custom web shells and backdoors
• Patch known vulnerabilities (e.g., Fortinet SSL VPN, ZKTeco BioTime)
• Implement strict segmentation for OT environments and monitor proxy chaining

Reference: https://thehackernews.com/2025/05/iranian-hackers-maintain-2-year-access.html 

22. ClickFix: New Social Engineering Tactic Infects Windows Systems

Key Highlights:

• ClickFix is a social engineering tactic used to trick users into executing malicious PowerShell scripts under the guise of fixing system issues.
• First observed in early 2024, with widespread exploitation in 2025, the attack requires no software vulnerabilities—only user interaction.

Attack Workflow:

1. Fake pop-ups or alerts (e.g., “CAPTCHA failed”, “Document error”) appear on malicious websites.
2. User is prompted to copy a “fix” command, which is actually a malicious PowerShell script.
3. User is instructed to open the Run dialog (Win + R) or search bar, paste the script, and execute it.
4. Malware is downloaded/executed under the user’s privileges.

Common Lure Variants:

• Fake browser updates
• Missing plugin errors for Word/PDF files
• Email attachment preview errors
• Fake Zoom/Google Meet call errors
• CAPTCHA validation tricks

Mitigation Recommendations:

Technical Controls:

• Restrict PowerShell usage via AppLocker or WDAC
• Apply constrained language mode for PowerShell
• Block or monitor Win + R usage via Group Policy
• Implement web/email filtering for suspicious HTML attachments
• Use EDR to detect user-initiated script execution

User Awareness:

• Train employees to avoid manually running scripts prompted by web alerts
• Promote a culture of incident reporting
• Update acceptable use policies to ban execution of unsolicited commands

Reference: https://www.kaspersky.com/blog/what-is-clickfix/53348