Mandvi@Cyber Security News
//
CISA has added three critical Ivanti Endpoint Manager (EPM) flaws to its Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation in the wild. The affected vulnerabilities are CVE-2024-13159, CVE-2024-13160, and CVE-2024-13161. These flaws are absolute path traversal vulnerabilities that could allow remote, unauthenticated attackers to fully compromise vulnerable servers, potentially granting unauthorized access to sensitive information. Federal agencies have been given until March 31, 2025, to apply the necessary patches and mitigate these threats.
CISA urges all organizations, including those in the private sector, to prioritize timely remediation of these Ivanti EPM vulnerabilities. Security experts warn that delays in patching can lead to full domain compromise, credential theft, and lateral movement by malicious actors. Given the recent history of Ivanti vulnerabilities, proactive security measures and rapid patching are essential to defend against potential attacks. The large market share of Ivanti products makes them a prime target for malicious actors, emphasizing the importance of immediate patching and continuous hardening of systems. Recommended read:
References :
rohann@checkpoint.com@Check Point Blog
//
Blind Eagle, one of Latin America's most dangerous cyber criminal groups, has been actively targeting Colombian institutions and government entities since November 2024. According to Check Point Research (CPR), this advanced persistent threat (APT) group, also tracked as APT-C-36, is using sophisticated techniques to bypass traditional security defenses. They leverage trusted platforms like Google Drive, Dropbox, GitHub, and Bitbucket to distribute their malicious payloads, and have recently been seen using a variant of an exploit for a now-patched Microsoft Windows flaw, CVE-2024-43451. This allows them to infect victims with a high rate of success.
CPR has uncovered that Blind Eagle incorporated this exploit a mere six days after Microsoft released the patch. They use malicious .URL files distributed via phishing emails, and victims are often unaware they are triggering the infection. The final payload is often the Remcos RAT, a remote access trojan that grants attackers complete control over infected systems, allowing for data theft, remote execution, and persistent access. In one campaign in December 2024, over 1,600 victims were affected, highlighting the group's efficiency and targeted approach. Recommended read:
References :
Matan Mittelman@Cato Networks
//
The Ballista botnet is actively exploiting CVE-2023-1389, a remote code execution vulnerability in TP-Link Archer routers, to spread across the internet. Cato Networks' Cato CTRL researchers have uncovered this new IoT threat, linking it to an Italian threat actor due to IP addresses and Italian language strings found in the malware binaries. Since its detection in January 2025, Ballista has targeted organizations in the U.S., Australia, China, and Mexico, impacting sectors like manufacturing, healthcare, technology, and services.
This botnet leverages a vulnerability in TP-Link Archer AX-21 routers that allows unauthorized command execution through manipulated country parameters in router APIs. Despite patches being available, over 6,000 internet-exposed devices remain vulnerable, according to Censys. Once installed, the malware establishes a TLS-encrypted command-and-control (C2) channel on port 82, enabling full device control, DDoS attack execution, and shell command execution. The threat actor is also transitioning to Tor-based C2 domains to complicate tracking and takedowns. Recommended read:
References :
SC Staff@scmagazine.com
//
The Lazarus Group, a North Korean APT, is actively targeting developers through the npm ecosystem by publishing malicious packages. These packages are designed to compromise developer environments, steal credentials, extract cryptocurrency data, and deploy backdoors. The attackers use typosquatting, mimicking legitimate library names to deceive developers into downloading the compromised versions. The packages contain BeaverTail malware and the InvisibleFerret backdoor and exhibit identical obfuscation techniques, cross-platform targeting, and command-and-control mechanisms consistent with previous Lazarus campaigns.
Six malicious npm packages have been identified, including postcss-optimizer, is-buffer-validator, yoojae-validator, event-handle-package, array-empty-validator, and react-event-dependency. These packages have been collectively downloaded over 330 times and contain the BeaverTail malware, which functions as both an infostealer and a loader designed to steal login credentials, exfiltrate sensitive data, and deploy backdoors in compromised systems. The Lazarus Group also maintained GitHub repositories for five of the malicious packages, lending an appearance of open source legitimacy. Recommended read:
References :
MSSP Alert@MSSP feed for Latest
//
Apple has released emergency security updates to address a zero-day vulnerability in WebKit, identified as CVE-2025-24201. The company stated that this flaw was actively exploited in "extremely sophisticated" attacks targeting specific individuals. The vulnerability resided within the WebKit browser engine, which powers Safari and various other applications across macOS, iOS, and other platforms. Exploitation of this flaw allowed attackers to bypass the Web Content sandbox, a critical security feature designed to isolate web processes from the rest of the system, potentially leading to unauthorized actions.
Apple's swift response included patches for iOS 18.3.2, iPadOS 18.3.2, macOS Sequoia 15.3.2, visionOS 2.3.2, and Safari 18.3.1. The vulnerability impacted a wide range of Apple devices, including iPhone XS and later, iPad Pro models, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later, as well as Macs running macOS Sequoia and Apple Vision Pro. The tech giant has so far not disclosed if its own researchers or others outside of the company discovered the vulnerability. Recommended read:
References :
@The DefendOps Diaries
//
Microsoft's March 2025 Patch Tuesday has addressed 57 flaws, including seven zero-day vulnerabilities that were already being actively exploited. These zero-day flaws highlight the importance of applying security updates in a timely manner. Three critical vulnerabilities were remote code execution vulnerabilities, posing a high risk that could lead to full system compromise if exploited. One notable zero-day vulnerability is the Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability (CVE-2025-24983), which could allow attackers to gain SYSTEM privileges through a race condition.
Microsoft has also announced that it will drop support for the Remote Desktop app, available through the Microsoft Store, on May 27th. The current app will be replaced with the new Windows App, designed for work and school accounts. Microsoft is encouraging users to review the known issues and limitations of the Windows App to understand any feature gaps that may create challenges during migration. The Windows App is intended to connect to Azure Virtual Desktop, Windows 365, Microsoft Dev Box, Remote Desktop Services, and remote PCs. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
The APT group SideWinder is expanding its attacks, now targeting maritime, nuclear, and IT sectors across Asia, the Middle East, and Africa. Previously focused on government, military, and diplomatic institutions, the group has shifted its attention to maritime infrastructure, logistics companies, nuclear power plants, and energy facilities. The attacks, observed by Kaspersky, have spread across multiple countries including Bangladesh, Cambodia, Djibouti, Egypt, the United Arab Emirates, and Vietnam.
Kaspersky experts have noted an increase in attacks on nuclear power plants and energy generation facilities with the attackers utilizing spear-phishing emails and malicious documents containing industry-specific terminology to gain trust. The group exploits an older Microsoft Office vulnerability (CVE-2017-11882) to bypass detection systems and access operational data, research projects, and personnel data. According to Kaspersky researchers Giampaolo Dedola and Vasily Berdnikov, SideWinder constantly works to improve its toolsets, stay ahead of security software detections, extend persistence on compromised networks, and hide its presence on infected systems. Recommended read:
References :
Pierluigi Paganini@Security Affairs
//
CISA has added multiple vulnerabilities in Advantive VeraCore to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. The five flaws impact both Advantive VeraCore and Ivanti Endpoint Manager (EPM) with agencies being urged to apply patches by March 31, 2025.
The VeraCore vulnerabilities, CVE-2024-57968 and CVE-2025-25181, are being exploited by the XE Group, a Vietnamese threat actor, to deploy reverse shells and web shells for persistent remote access. CVE-2024-57968 is an unrestricted file upload vulnerability, while CVE-2025-25181 is an SQL injection vulnerability. There are currently no public reports about how the three Ivanti EPM flaws are being weaponized in real-world attacks. Recommended read:
References :
do son@Cybersecurity News
//
A critical security vulnerability, CVE-2025-24813, has been identified in Apache Tomcat, potentially exposing servers to remote code execution (RCE) and data leaks. The vulnerability stems from a path equivalence issue related to how Tomcat handles filenames with internal dots, particularly when writes are enabled for the default servlet and partial PUT support is enabled. This flaw could allow attackers to execute malicious code, disclose sensitive information, or inject malicious content into uploaded files.
Users of Apache Tomcat versions 11.0.0-M1 through 11.0.2, 10.1.0-M1 through 10.1.34, and 9.0.0.M1 through 9.0.98 are advised to upgrade immediately to versions 11.0.3, 10.1.35, or 9.0.99 respectively, which include the necessary fixes. The vulnerability exists if an application uses Tomcat's file-based session persistence with the default storage location and includes a library susceptible to deserialization attacks, potentially leading to remote code execution. COSCo Shipping Lines DIC and sw0rd1ight are credited with discovering and reporting the vulnerability. Recommended read:
References :
Thomas Brewster,@Thomas Fox-Brewster
//
Bybit, a cryptocurrency exchange, suffered a massive loss of $1.5 billion due to North Korean hackers, marking a record-breaking heist. Investigations revealed the breach stemmed from a compromised account on a free digital storage service, highlighting the vulnerabilities even established crypto platforms face. Law enforcement agencies are now engaged in a cat-and-mouse game to recover the stolen cryptocurrency before it is converted into untraceable currency.
This incident underscores the growing threat of sophisticated cyberattacks targeting the cryptocurrency sector. North Korean hackers, specifically the Lazarus Group, are believed to be responsible for the attack. Concerns remain about the security measures implemented by cryptocurrency exchanges and the need for stronger protocols to safeguard user funds from these types of breaches. Recommended read:
References :
Dissent@DataBreaches.Net
//
New York Attorney General Letitia James has filed a lawsuit against Allstate Insurance and National General Insurance for allegedly failing to protect the personal information of New York residents. The lawsuit stems from data breaches in 2020 and 2021 that exposed the driver's license numbers of over 165,000 New Yorkers. The Attorney General's office claims that National General's online auto insurance quoting tools were intentionally designed to display consumers' full driver's license numbers in plain text, making them easily accessible to attackers.
The breaches occurred because the company failed to adequately encrypt and secure databases containing personal information. Attackers exploited vulnerabilities in Allstate's National General business unit's websites. The first breach went undetected for two months, and the company allegedly failed to notify affected consumers or relevant state agencies. A second, larger breach occurred due to continued security weaknesses. Attorney General James seeks penalties and an injunction to prevent further violations. Recommended read:
References :
Sunny Yadav@eSecurity Planet
//
References:
securityaffairs.com
, thehackernews.com
,
A large-scale cryptocurrency miner campaign is currently targeting Russian users, employing the SilentCryptoMiner malware. The malware disguises itself as a legitimate tool designed to bypass internet restrictions, enticing users to download and install it. This campaign has already affected over 2,000 Russian users, who were tricked into downloading fake VPN and DPI bypass tools.
The attackers are distributing the malware through popular YouTube channels, with some boasting over 60,000 subscribers. The malicious files are presented as safe tools, while in reality, the archive contains a Python-based loader that retrieves the miner payload. To further their deception, attackers instruct victims to disable their antivirus programs, falsely claiming they trigger false positives, further exposing their systems to persistent, hidden threats. Recommended read:
References :
@cyberalerts.io
//
Davis Lu, a 55-year-old software developer from Houston, Texas, has been convicted in federal court for sabotaging the computer systems of his former employer, Eaton Corp, after a demotion in 2018 led to reduced responsibilities and system access. Lu, who worked for the company from November 2007 to October 2019, introduced malicious code onto the company's production systems starting in August 2019. This code included "infinite loops" designed to exhaust Java threads, causing system crashes and preventing user logins. Lu also wrote code to delete coworker profile files and implemented a "kill switch" that would lock out all users if his credentials in the company's active directory were disabled.
The "kill switch," named "IsDLEnabledinAD" (abbreviating "Is Davis Lu enabled in Active Directory"), was automatically activated upon his termination on Sept. 9, 2019, impacting thousands of company users globally. Additional code was named "Hakai," meaning "destruction" in Japanese, and "HunShui," meaning "sleep" or "lethargy" in Chinese. On the day he was directed to turn in his company laptop, Lu deleted encrypted data and his internet search history revealed that he had researched methods to escalate privileges, hide processes, and rapidly delete files, indicating an intent to obstruct efforts of his co-workers to resolve the system disruptions. Lu now faces a maximum penalty of 10 years in prison for causing intentional damage to protected computers. Recommended read:
References :
Sergiu Gatlan@BleepingComputer
//
Cybersecurity experts are warning of a mass exploitation of a critical PHP vulnerability, CVE-2024-4577. This flaw allows attackers to remotely execute code on vulnerable servers using Apache and PHP-CGI. GreyNoise data has confirmed that the exploitation extends far beyond initial reports, with attack attempts observed across multiple regions. Notable spikes have been detected in the United States, Singapore, Japan, and other countries throughout January 2025, signaling a broad campaign targeting this vulnerability.
Cisco Talos has discovered an active exploitation of CVE-2024-4577. The attacker gains access to victim machines and carries out post-exploitation activities. The attempted exploitation has escalated across the U.S., Japan, Singapore, and other parts of the world. GreyNoise detected over 1,000 attacks globally. Experts urge organizations to apply the necessary patches and monitor for suspicious activity to mitigate the risk of compromise. Recommended read:
References :
Ashish Khaitan@The Cyber Express
//
References:
thecyberexpress.com
, research.kudelskisecurity.com
CISA has updated its Known Exploited Vulnerabilities (KEV) Catalog to include critical vulnerabilities affecting VMware ESXi, Workstation, Fusion, and Linux kernel. These flaws are actively being exploited, posing a significant risk, particularly for federal government organizations. Rapid patching is essential to mitigate the active cyber threats associated with these vulnerabilities.
The identified VMware vulnerabilities, CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, allow for remote code execution (RCE) and privilege escalation. Specifically, CVE-2025-22224 is a Time-of-Check Time-of-Use (TOCTOU) vulnerability with a CVSSv3 score of 9.3, classified as Critical. The affected systems include various versions of VMware ESXi, Workstation, Fusion, Cloud Foundation, and Telco Cloud Platform, with updated versions available to address the flaws. Recommended read:
References :
Samarth Mishra@cysecurity.news
//
A malicious Python package named 'set-utils' has been discovered on the Python Package Index (PyPI) repository. This package is designed to steal Ethereum private keys by exploiting commonly used account creation functions. Disguised as a utility for Python sets, the package mimics popular libraries, tricking developers into installing it. Since its appearance, 'set-utils' has been downloaded over 1,000 times, posing a significant threat to Ethereum users and developers, particularly those working with Python-based wallet management libraries. The Python security team has removed the malicious package from PyPI.
The 'set-utils' package operates by silently modifying standard Ethereum wallet creation functions. The private keys are exfiltrated within blockchain transactions via the Polygon RPC endpoint to resist traditional detection efforts. The stolen keys are encrypted using an attacker-controlled RSA public key before transmission, making detection challenging. Even if the package is uninstalled, any Ethereum wallets created while it was active remain compromised. To mitigate these risks, developers should employ regular dependency audits and automated scanning tools to detect malicious behaviors in third-party packages. Recommended read:
References :
Lily Hay@WIRED
//
Cybercriminals have allegedly stolen over $635,000 worth of Taylor Swift concert tickets by exploiting a loophole in an offshore ticketing system. Two individuals, Tyrone Rose, 20, and Shamara Simmons, 31, have been arrested and charged with grand larceny and computer tampering. The scheme involved stealing URLs for nearly 1,000 tickets to various events, including Taylor Swift's Eras Tour, Ed Sheeran concerts, Adele concerts, NBA games, and the US Open Tennis Championships, before reselling them for substantial profit.
Between June 2022 and July 2023, Rose and Simmons allegedly stole the tickets through an offshore ticket vendor and then resold them on StubHub in the US for significant profit. Rose, an employee of Sutherland Global Services, a third-party contractor for StubHub Jamaica, is accused of abusing his access to the network to find a backdoor. Prosecutors say the pair stole the tickets by allegedly intercepting approximately 350 orders from StubHub. The investigation is ongoing to determine if the Swift ticket scam was part of a wider operation. Recommended read:
References :
Mandvi@Cyber Security News
//
References:
Cyber Security News
, WeLiveSecurity
,
A critical zero-day vulnerability, dubbed EvilLoader, has been discovered in Telegram for Android by security researcher 0x6rss. This exploit allows attackers to disguise malicious APK files as video files, potentially leading to unauthorized malware installations on users' devices. The vulnerability exploits Telegram's file handling mechanism, tricking the app into treating HTML files with .mp4 extensions as legitimate video files, even though the file is not a video file.
When a user attempts to play these crafted "videos," Telegram prompts them to open the file in an external application, potentially leading to the installation of malicious software. For the attack to succeed, users must click the embedded link multiple times, disable Android’s security restriction on installing apps from unknown sources, and proceed with the installation. The file facilitating this attack has been available for sale on underground hacker forums. Recommended read:
References :
Veronika Telychko@SOC Prime Blog
//
An undocumented "backdoor," which is really undocumented commands, has been discovered in the ESP32 microchip, a product of the Chinese manufacturer Espressif. This chip is a cornerstone in the Internet of Things (IoT) ecosystem, providing essential Bluetooth and Wi-Fi connectivity. It is widely used in over a billion devices as of 2023. The "backdoor," as it is referred to, could be leveraged for attacks including spoofing trusted devices, unauthorized data access, and pivoting to other devices on the network.
This discovery was made by Spanish researchers Miguel Tarascó Acuña and Antonio Vázquez Blanco from Tarlogic Security, who presented their findings at RootedCON. Their research underscores the critical need for robust security measures in IoT devices. The potential impact could be extensive, considering the chip’s widespread usage. This discovery raises concerns about the security of numerous devices and systems that rely on the ESP32 for their operations. Recommended read:
References :
Pierluigi Paganini@Security Affairs
//
A critical command injection vulnerability, identified as CVE-2025-1316, impacting the Edimax IC-7100 IP camera is currently being exploited by botnet malware to compromise devices. This flaw allows attackers to achieve remote command execution, potentially leading to denial-of-service. Mirai-based botnets are actively exploiting this zero-day vulnerability.
Unpatched Edimax IP cameras are now prime targets in ongoing botnet attacks. Security researchers at Akamai discovered the flaw and reported it to the U.S. Cybersecurity & Infrastructure Agency (CISA), who attempted to contact the Taiwanese vendor. Users are strongly advised to apply any available patches to prevent their devices from being compromised and enlisted into these botnets. Recommended read:
References :
Sergiu Gatlan@BleepingComputer
//
Microsoft has identified a North Korean hacking group known as Moonstone Sleet, previously tracked as Storm-1789, deploying Qilin ransomware in limited attacks. This represents a shift for the group, as they have historically used custom-built ransomware. The adoption of Qilin ransomware signifies a move towards Ransomware-as-a-Service (RaaS), where they utilize ransomware developed by external operators rather than relying solely on their own tools.
Moonstone Sleet's move to RaaS marks a new era in cyber threats, primarily driven by financial motivations, a departure from previous espionage-focused operations. They have been observed demanding ransoms as high as $6.6 million in Bitcoin. The group has also been known to use creative tactics, including fake companies, trojanized software, and even a malicious game to infiltrate targets, showcasing their adaptability and resourcefulness. Recommended read:
References :
Bill Toulas@BleepingComputer
//
The Akira ransomware group has been observed employing a novel attack technique, weaponizing unsecured IoT devices to bypass traditional security measures. Cybersecurity researchers at S-RM discovered that Akira exploited a vulnerable webcam to circumvent Endpoint Detection and Response (EDR) systems and encrypt systems within a target’s network. This allowed the ransomware to mount Windows Server Message Block (SMB) network shares of other devices on the network.
Akira ransomware successfully encrypted network shares over SMB, effectively working around the EDR defenses. Attackers mounted writable network shares from the webcam’s environment, while EDR solutions often ignore SMB traffic from IoT devices. The attackers demonstrated how unsecured IoT devices can bypass enterprise-grade defenses, highlighting that perimeter defense alone is insufficient in modern network environments. Recommended read:
References :
Thomas Brewster,@Thomas Fox-Brewster
//
Federal investigators have linked the 2022 LastPass data breach to a $150 million cryptocurrency theft from a Ripple XRP wallet in January 2024. Authorities believe the hackers exploited stolen master passwords to gain unauthorized access to the wallet. The stolen XRP, initially valued at $150 million, is now worth an estimated $716 million due to fluctuations in the cryptocurrency market.
U.S. law enforcement has seized over $23 million in cryptocurrency connected to the theft. The U.S. Secret Service and FBI are actively investigating the case and working to recover the remaining stolen funds. Security researchers had previously identified a pattern of similar crypto heists linked to the LastPass breach, suggesting a broader impact of the password manager vulnerability. The incident highlights the significant risks associated with compromised password management systems. Recommended read:
References :
|