@zdnet.com
//
Federal cybersecurity agencies, including the FBI and CISA, have issued an urgent advisory regarding the escalating threat of Medusa ransomware. Since its emergence in 2021, Medusa has targeted over 300 victims across various critical infrastructure sectors, including medical, education, legal, insurance, technology, and manufacturing. The group's activities have accelerated in recent months, prompting immediate action recommendations for organizations. Medusa operates as a Ransomware-as-a-Service (RaaS) model, now recruiting affiliates from criminal forums to launch attacks, encrypt data, and extort victims worldwide.
Medusa actors leverage common ransomware tactics, including phishing campaigns and exploiting unpatched software vulnerabilities. They employ a double extortion strategy by encrypting victim data and threatening to publicly release it if the ransom is not paid. To mitigate the risk, CISA and the FBI recommend organizations update systems regularly to close known vulnerabilities, implement network segmentation to restrict lateral movement, and enable multi-factor authentication for all services. They also urge organizations to report incidents promptly to aid in tracking and combating the growing threat.
Recommended read:
References :
- bsky.app: CISA says the Medusa ransomware operation has impacted over 300 organizations in critical infrastructure sectors in the United States until last month.
- www.bleepingcomputer.com: CISA: Medusa ransomware hit over 300 critical infrastructure orgs
- securityonline.info: FBI, CISA, and MS-ISAC Warn Organizations About Medusa Ransomware Attacks
- DataBreaches.Net: #StopRansomware: Medusa Ransomware
- Industrial Cyber: US exposes Medusa ransomware threat, as over 300 organizations targeted across critical infrastructure sector
- securityaffairs.com: SecurityAffairs article: Medusa ransomware hit over 300 critical infrastructure organizations until February 2025
- www.cybersecuritydive.com: Medusa ransomware slams critical infrastructure organizations
- www.itpro.com: CISA issues warning over Medusa ransomware after 300 victims from critical sectors impacted
- www.tripwire.com: The Medusa ransomware gang continues to present a major threat to the critical infrastructure sector, according to a newly-released joint advisory from the FBI, Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC).
- FBI and CISA Warn of Medusa Ransomware Impacting Critical Infrastructure
- The DefendOps Diaries: Explore the impact of Medusa ransomware on critical infrastructure and learn strategies to enhance cybersecurity defenses.
- www.scworld.com: Medusa ransomware, a ransomware-as-a-service group, has increased attacks targeting critical infrastructure, potentially preparing for geopolitical conflicts. Recent attacks indicate a 150% increase in this activity.
- Tenable Blog: Tenable article: Cybersecurity Snapshot: Medusa Ransomware Impacting Critical Infrastructure, CISA Warns, While NIST Selects New Quantum-Resistant Algorithm
- SOC Prime Blog: SOC Prime blog: Medusa Ransomware Attacks Covered in AA25-071A Detection
- be4sec: Medusa Ransomware is Targeting Critical Infrastructure
- be4sec: This advisory summarizes the key activities of prominent ransomware groups in January 2025, highlighting a significant increase in Medusa attacks.
- aboutdfir.com: Medusa ransomware group has been actively targeting critical infrastructure organizations, employing a double extortion tactic.
- www.techradar.com: US government warns Medusa ransomware has hit hundreds of critical infrastructure targets
- cyble.com: The FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a well-timed advisory on the Medusa ransomware group last week, as Cyble has detected an acceleration in the group’s activities in recent months.
- Email Security - Blog: Medusa Ransomware: Multi-Industry Threat on the Rise
- techxplore.com: Cybersecurity officials warn against potentially costly Medusa ransomware attacks
- Security | TechRepublic: Medusa Ransomware Strikes 300+ Targets: FBI & CISA Urge Immediate Action to #StopRansomware
- eSecurity Planet: Medusa Ransomware Warning: CISA and FBI Issue Urgent Advisory
- Blue Team Con: CISA and the FBI warn about Medusa ransomware, urging organizations to update security, enable MFA, and report incidents to mitigate the growing threat.
- thecyberexpress.com: Medusa Ransomware Surge: 60 Victims in 3 Months—Are You Next?
- www.zdnet.com: How to guard against a vicious Medusa ransomware attack - before it's too late
- www.cysecurity.news: The Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC), has issued a #StopRansomware advisory, warning organizations about the increasing threat of Medusa ransomware.
- Sam Bent: Cybercriminal Group Medusa Targets Critical Infrastructure Sectors. A sophisticated cybercriminal group known as Medusa has been targeting many critical infrastructure sectors in the United States.
- The Hacker News: Medusa Ransomware Uses Malicious Driver to Disable Anti-Malware with Stolen Certificates
- www.cybersecuritydive.com: Medusa ransomware using malicious driver as EDR killer
@The DefendOps Diaries
//
Microsoft's March 2025 Patch Tuesday has addressed 57 flaws, including seven zero-day vulnerabilities that were already being actively exploited. These zero-day flaws highlight the importance of applying security updates in a timely manner. Three of the critical vulnerabilities are remote code execution flaws, which could lead to full system compromise if exploited. One notable zero-day vulnerability is the Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability (CVE-2025-24983), which could allow attackers to gain SYSTEM privileges through a race condition.
Microsoft has also announced that it will drop support for the Remote Desktop app, available through the Microsoft Store, on May 27th. The current app will be replaced with the new Windows App, designed for work and school accounts. Microsoft is encouraging users to review the known issues and limitations of the Windows App to understand any feature gaps that may create challenges during migration. The Windows App is intended to connect to Azure Virtual Desktop, Windows 365, Microsoft Dev Box, Remote Desktop Services, and remote PCs.
Recommended read:
References :
- isc.sans.edu: Microsoft Patch Tuesday: March 2025, (Tue, Mar 11th)
- The DefendOps Diaries: Microsoft's March 2025 Patch Tuesday: Addressing Critical Vulnerabilities
- BleepingComputer: Microsoft March 2025 Patch Tuesday fixes 7 zero-days, 57 flaws
- CyberInsider: Microsoft March 2025 ‘Patch Tuesday’ Updates Fix Six Actively Exploited Flaws
- Tenable Blog: Microsoft’s March 2025 Patch Tuesday Addresses 56 CVEs (CVE-2025-26633, CVE-2025-24983, CVE-2025-24993)
- bsky.app: Today is Microsoft's March 2025 Patch Tuesday, which includes security updates for 57 flaws, including six actively exploited zero-day vulnerabilities.
- krebsonsecurity.com: Microsoft: 6 Zero-Days in March 2025 Patch Tuesday
- Blog RSS Feed: March 2025 Patch Tuesday Analysis
- Threats | CyberScoop: Microsoft patches 57 vulnerabilities, including 6 zero-days
- The Register - Software: Choose your own Patch Tuesday adventure: Start with six zero-day fixes, or six critical flaws
- hackread.com: March 2025 Patch Tuesday: Microsoft Fixes 57 Vulnerabilities, 7 Zero-Days
- www.kaspersky.com: Main vulnerabilities from Microsoft's March Patch Tuesday | Kaspersky official blog
- Rescana: Microsoft March 2025 Patch Tuesday: Zero-Day Exploitation Analysis in WinDbg, ASP.NET Core, and Remote Desktop
- socradar.io: March 2025 Patch Tuesday: Microsoft Fixes 6 Critical & 6 Exploited Security Vulnerabilities
- Security | TechRepublic: Microsoft's March 2025 Patch Tuesday includes six actively exploited zero-day vulnerabilities. Learn about the critical vulnerabilities and why immediate updates are essential.
- Davey Winder: Microsoft has confirmed that no less than six zero-day vulnerabilities are being exploited against Windows users in the wild. Here’s what you need to know and do.
- Microsoft Patches a Whopping Seven Zero-Days in March
- Blog: As part of its monthly Patch Tuesday event, Microsoft has fixed 57 vulnerabilities. Among them are six actively exploited zero-day vulnerabilities
- Arctic Wolf: Microsoft Patch Tuesday: March 2025
- Talkback Resources: Microsoft's Patch Tuesday reports 6 flaws already under fire [app] [sys]
- ESET Research: ESET Research has discovered a zero-day exploit abusing the CVE-2025-24983 vulnerability in the Windows kernel to elevate privileges.
- The DefendOps Diaries: Understanding the Impact of CVE-2025-24983: A Critical Windows Kernel Vulnerability
- BleepingComputer: Microsoft patches Windows Kernel zero-day exploited since 2023
- PCWorld: Big March patch fixes dozens of security flaws in Windows and Office
- securityaffairs.com: Microsoft Patch Tuesday security updates for March 2025 fix six actively exploited zero-days
- www.threatdown.com: The March 2025 Patch Tuesday update contains an unusually large number of zero-day vulnerabilities that are being actively exploited.
- www.computerworld.com: For March’s Patch Tuesday, 57 fixes — and 7 zero-days
Bill Mann@CyberInsider
//
Multiple state-backed hacking groups, including those from North Korea, Iran, Russia, and China, have been exploiting a Windows zero-day vulnerability since 2017 for data theft and cyber espionage. The vulnerability is exploited through malicious .LNK shortcut files rigged with commands that download malware, with the malicious content hidden from the user. Security researchers at Trend Micro's Zero Day Initiative discovered nearly 1,000 tampered .LNK files, though they believe the actual number of attacks could be much higher.
Microsoft has chosen not to address this vulnerability with a security update, classifying it as a low priority issue not meeting their bar for servicing. This decision comes despite the fact that the exploitation avenue has been used in an eight-year-long spying campaign, relying on hiding commands using megabytes of whitespace to bury the actual commands deep out of sight in the user interface. Dustin Childs of the Zero Day Initiative told *The Register* that while this is one of many bugs used by attackers, its unpatched status makes it a significant concern.
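The whitespace-padding trick described above is something a defender can check for directly in the shortcut files themselves. The following is an added example, not code from this post or from Trend Micro ZDI: a minimal parser for the StringData section of the Windows Shell Link (.LNK) binary format that extracts the command-line arguments and flags shortcuts whose arguments contain an unusually long run of whitespace. The 64-character threshold, the cp1252 fallback for non-Unicode strings, and the two constructed sample shortcuts are assumptions made for the example.

```python
import struct

HEADER_SIZE = 0x4C                     # ShellLinkHeader is always 76 bytes
SHELL_LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits from the MS-SHLLINK specification (section 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
# StringData entries follow the optional IDList/LinkInfo in this fixed order.
STRING_DATA_ORDER = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)
WHITESPACE = " \t\r\n\x0b\x0c"
MAX_WHITESPACE_RUN = 64                # assumed threshold, tune per environment


def parse_string_data(data: bytes) -> dict:
    """Return the StringData fields (name, relative_path, ...) of a .LNK."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # skip LinkTargetIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for bit, name in STRING_DATA_ORDER:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        if len(raw) != nbytes:
            raise ValueError(f"truncated {name} string")
        # cp1252 for non-Unicode strings is an assumption (system code page)
        fields[name] = raw.decode("utf-16-le" if unicode else "cp1252")
        pos += nbytes
    return fields


def longest_whitespace_run(text: str) -> int:
    """Length of the longest consecutive run of whitespace characters."""
    best = cur = 0
    for ch in text:
        cur = cur + 1 if ch in WHITESPACE else 0
        best = max(best, cur)
    return best


def assess_lnk(data: bytes, max_run: int = MAX_WHITESPACE_RUN) -> dict:
    """Flag shortcuts whose arguments bury the real command behind padding."""
    args = parse_string_data(data).get("arguments", "")
    run = longest_whitespace_run(args)
    return {
        "arguments_length": len(args),
        "longest_whitespace_run": run,
        "stripped_command": args.strip(),
        "suspicious": run > max_run,
    }


def build_sample_lnk(arguments: str, relative_path: str = "cmd.exe") -> bytes:
    """Construct a minimal Unicode .LNK as a test fixture (not a real shortcut)."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_ARGUMENTS
    header = struct.pack("<I", HEADER_SIZE) + SHELL_LINK_CLSID
    header += struct.pack("<II", flags, 0)        # LinkFlags, FileAttributes
    header += b"\x00" * 24                        # Creation/Access/Write times
    header += struct.pack("<IIIH", 0, 0, 1, 0)    # FileSize, IconIndex, SW_SHOWNORMAL, HotKey
    header += b"\x00" * 10                        # Reserved1..3
    assert len(header) == HEADER_SIZE
    body = b""
    for text in (relative_path, arguments):
        body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + body


if __name__ == "__main__":
    # Constructed samples: a plain shortcut and one with 900 spaces of padding.
    benign = build_sample_lnk("/c echo constructed benign sample")
    padded = build_sample_lnk(" " * 900 + "/c echo constructed padded sample")
    for label, blob in (("benign", benign), ("padded", padded)):
        print(label, assess_lnk(blob))
```

Real-world shortcuts usually carry a LinkTargetIDList and LinkInfo, which the parser skips before reading the strings, so the same `assess_lnk` call works on files read from disk.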
Recommended read:
References :
- The Hacker News: An unpatched security flaw impacting Microsoft Windows has been exploited by 11 state-sponsored groups from China, Iran, North Korea, and Russia as part of data theft, espionage, and financially motivated campaigns that date back to 2017.
- ZDI: Published Advisories: ZDI-25-148: (0Day) Microsoft Windows LNK File UI Misrepresentation Remote Code Execution Vulnerability
- The Register - Security: Microsoft isn't fixing 8-year-old shortcut exploit abused for spying
- securityaffairs.com: State-Sponsored Actors and Cybercrime Gangs Abuse Malicious .lnk Files for Espionage and Data Theft
- CyberInsider: Microsoft has acknowledged that its latest Windows update has unintentionally uninstalled the Copilot app from some Windows 11 devices.
- BleepingComputer: New Windows zero-day exploited by 11 state hacking groups since 2017
- The DefendOps Diaries: Exploiting Windows Zero-Day Vulnerabilities: The Role of State-Sponsored Hacking Groups
- securityonline.info: Hidden Threat: Zero-Day Windows Shortcut Exploited by Global APT Networks
- www.it-daily.net: Critical Windows security vulnerability discovered
- socradar.io: Windows Shortcut Zero-Day (ZDI-CAN-25373) Exploited by State-Backed Threat Actors Since 2017: Overview of Key Details
- Virus Bulletin: Trend Micro ZDI's Peter Girnus & Aliakbar Zahravi describe how researchers uncovered both state-sponsored and cybercriminal groups extensively exploiting ZDI-CAN-25373, a Windows .lnk file vulnerability that enables hidden command execution.
- Tech Monitor: Windows shortcut exploit used as zero-day in global cyber espionage campaigns
- www.ghacks.net: Windows has an 8-year-old security issue that is exploited and known by Microsoft for some time
- www.cybersecuritydive.com: A vulnerability that allows for malicious payloads to be delivered via Windows shortcut files has not yet been addressed by Microsoft and has been under active attack for eight years.
- www.techradar.com: An unpatched Windows zero-day flaw has been exploited by 11 nation-state attackers
- Security Risk Advisors: 🚩APT Groups Exploit Unpatched Windows Shortcut Vulnerability for Espionage and Data Theft
- hackread.com: 11 Nation-State Hackers Exploit Unpatched Windows Flaw Since 2017
- Windows Shortcut Flaw Exploited by 11 State-Sponsored Groups
- Blog: Microsoft reluctant to patch Windows zero-day exploited by nation-state hackers
- Sam Bent: Windows Shortcut Zero-Day Used by Nation-States
- Jon Greig: Researchers at Trend Micro's Zero Day Initiative said they have identified multiple campaigns from nation-state groups in North Korea, China and Russia exploiting an issue impacting .lnk files. Microsoft said the report "does not meet the bar for immediate servicing".
- Threats | CyberScoop: Trend Micro researchers discovered and reported the eight-year-old defect to Microsoft six months ago. The company hasn’t made any commitments to patch or remediate the issue.
- www.trendmicro.com: ZDI-CAN-25373: Windows Shortcut Exploit Abused as Zero-Day in Widespread APT Campaigns
- Logpoint: Windows Shell Link Vulnerability ZDI-CAN-25373: Detecting Hidden Commands
- SecureWorld News: Nation-State Hackers Exploit Windows Shortcut Zero-Day Vulnerability
- Information Security Buzz: Windows Shortcut Zero-Day Under Active Attack
- borncity.com: Windows shortcut exploit used by state hackers as a 0-day since 2017
- Help Net Security: APTs have been using zero-day Windows shortcut exploit for eight years (ZDI-CAN-25373)
- aboutdfir.com: Microsoft isn’t fixing 8-year-old shortcut exploit abused for spying. An exploitation avenue found by Trend Micro in Windows has been used in an eight-year-long spying campaign, but there’s no sign of a fix from Microsoft, which apparently considers this a low priority.
- securityboulevard.com: Microsoft Won’t Fix This Bad Zero Day (Despite Wide Abuse)
@World - CBSNews.com
//
The U.S. Justice Department has indicted 12 Chinese nationals for their alleged involvement in state-linked cyber operations. The individuals include employees of the Chinese technology firm i-Soon, members of the APT27 group (also known as Emissary Panda, TG-3390, Bronze Union, and Lucky Mouse), and two officers from China's Ministry of Public Security. These indictments shed light on the hacking tools and methods allegedly employed in a global hacking scandal. The Justice Department stated that the Ministry of State Security (MSS) and Ministry of Public Security (MPS) utilized an extensive network of private companies, including i-Soon, to conduct unauthorized computer intrusions in the U.S. and elsewhere.
The U.S. DoJ charges these individuals with data theft and suppressing dissent worldwide. i-Soon, identified as one of the private companies involved, allegedly provided tools and methods to customers and hacked for the PRC (People's Republic of China). These actions highlight a significant cybersecurity concern involving state-sponsored actors and their use of private firms to conduct cyber espionage.
Recommended read:
References :
- bsky.app: US Justice Department has charged Chinese state security officers and APT27 and i-Soon Chinese hackers linked to network breaches and cyberattacks targeting victims worldwide since 2011.
- CyberInsider: U.S. Charges 12 Chinese Nationals Over Decade-Long Cyber Espionage Campaign
- The Cyber Express: The United States Department of Justice (DOJ) has taken action against a major cyber threat, opening indictments against 12 Chinese nationals, including two officers from China’s Ministry of Public Security (MPS) and several employees of the Chinese technology firm i-Soon.
- bsky.app: USA accuses the Chinese state of operating a network of "hackers for hire". Accused are 12 individuals: 2 officers of the PRC Ministry of Public Security (MPS), employees of a private company, Anxun Information Technology Co. Ltd, and members of APT27.
- The Hacker News: U.S. Charges 12 Chinese Nationals in State-Backed Hacking Operations
- securityaffairs.com: US DOJ charges 12 Chinese nationals for state-linked cyber operations
- The Register - Security: Xi's freelance infosec warriors apparently paid up to $75K to crack a single American inbox. US government agencies announced Wednesday criminal charges against alleged members of China's Silk Typhoon gang, plus internet domain seizures linked to a long-term Chinese espionage campaign that saw Beijing hire miscreants to compromise US government agencies and other major orgs.…
- DataBreaches.Net: U.S. Charges 12 Chinese Contract Hackers and Law Enforcement Officers in Global Computer Intrusion Campaigns
- cyble.com: U.S. Indictments Shed Light on i-Soon Hacking Tools, Methods
- Metacurity: US indicts twelve prolific Chinese hackers, including eight i-Soon staffers
- Carly Page: The Department of Justice has announced criminal charges against 12 Chinese government-linked hackers who are accused of hacking over 100 American organizations, including the U.S. Treasury, over the course of a decade
- Threats | CyberScoop: US indicts 12 Chinese nationals for vast espionage attack spree
- BleepingComputer: The U.S. Justice Department has charged Chinese state security officers along with APT27 and i-Soon hackers for network breaches and cyberattacks that have targeted victims globally since 2011.
- hackread.com: US Charges 12 in Chinese Hacker-for-Hire Network, Offers $10M Reward
- Risky Business Media: US indicts the i-Soon and APT27 hackers, the BADBOX botnet gets disrupted again, authorities seize the Garantex crypto exchange, and the FBI arrests hackers who stole Taylor Swift concert tickets.
- Security | TechRepublic: The article discusses the charges against Chinese hackers for their role in a global cyberespionage campaign.
- techxplore.com: US indicts 12 Chinese nationals in hacking
- US Charges Members of Chinese Hacker-for-Hire Group i-Soon
- Matthias Schulze: U.S. Charges 12 Chinese Nationals in State-Backed Hacking Operations
- WIRED: US Charges 12 Alleged Spies in China’s Freewheeling Hacker-for-Hire Ecosystem
- Blog: FieldEffect blog post about U.S. indicts 12 Chinese nationals for cyber espionage.
- blog.knowbe4.com: U.S. Justice Department Charges China’s Hackers-for-Hire Working IT Contractor i-Soon
- Talkback Resources: The article details the indictment of 12 Chinese individuals for hacking activities.
- Schneier on Security: The article discusses the indictment of Chinese hackers for their involvement in global hacking activities.
Microsoft Threat@Microsoft Security Blog
//
An ongoing phishing campaign impersonating Booking.com is targeting hospitality employees with credential-stealing malware. Microsoft Threat Intelligence has identified the campaign, which began in December 2024 and is ongoing as of February 2025. Cybercriminals are sending malicious emails to employees likely to work with Booking.com, in North America, Oceania, South and Southeast Asia, and Europe, using a social engineering technique called ClickFix to deliver the malware. This campaign aims to conduct financial fraud and theft by compromising employee credentials.
The ClickFix technique involves fake error messages and prompts that instruct users to fix issues by copying and pasting commands, leading to malware downloads. The phishing emails vary in content, referencing negative guest reviews, requests from prospective guests, online promotion opportunities, and account verification to induce clicks. The threat actor, tracked as Storm-1865, has evolved its tactics to bypass security measures.
Recommended read:
References :
- krebsonsecurity.com: Booking.com Phishers May Leave You With Reservations
- Source Asia: Phishing campaign impersonates Booking .com, delivers a suite of credential-stealing malware
- The DefendOps Diaries: Understanding the ClickFix Phishing Threat to the Hospitality Industry
- The Hacker News: Microsoft Warns of ClickFix Phishing Campaign Targeting Hospitality Sector via Fake Booking[.]com Emails
- ‘ClickFix’ Phishing Scam Impersonates Booking.com to Target Hospitality
- The Record: Cybercriminals are sending malicious emails to hospitality employees who are likely to work with Booking.com
- bsky.app: Microsoft is warning that an ongoing phishing campaign impersonating Booking.com is using ClickFix social engineering attacks to infect users with various malware, including infostealers and RATs.
- The Register - Security: That 'angry guest' email from Booking.com? It's a scam, not a 1-star review
- www.techradar.com: Microsoft warns about a new phishing campaign impersonating Booking.com
- TARNKAPPE.INFO: ClickFix-Phishing: Neue Kampagne richtet sich gegen die Hotellerie
- Virus Bulletin: Microsoft researchers identified a phishing campaign (Storm-1865) that uses a social engineering technique called ClickFix to deliver multiple credential-stealing malware in order to conduct financial fraud and theft.
- BleepingComputer: Microsoft warns that an ongoing phishing campaign impersonating Booking.com is using ClickFix social engineering attacks to infect users with various malware, including infostealers and RATs.
- Email Security - Blog: "ClickFix" Phishing Impersonation Campaign Targets Hospitality Sector
- eSecurity Planet: Phishing Campaign Impersonates Booking.com, Plants Malware
- Security Risk Advisors: 🚩Microsoft Detects Ongoing Phishing Impersonation of Booking.com Using “ClickFix” to Deliver Credential-Stealing Malware
- Blog: Phishing campaign impersonates Booking.com, plants malware
- Davey Winder: Booking.com CAPTCHA attack impacts customers—but systems not breached, a spokesperson has said.
- www.computerworld.com: Description of the ClickFix phishing campaign targeting the hospitality industry via fake Booking.com emails.
- www.cysecurity.news: A phishing campaign impersonates Booking.com, targeting organizations in hospitality, using the ClickFix method to spread credential-stealing malware.
- www.cybersecurity-insiders.com: Malware Impersonating Booking.com Targets Hospitality Sector
- thecyberexpress.com: Microsoft Detects Ongoing Phishing Impersonation of Booking.com Using “ClickFix” to Deliver Credential-Stealing Malware
- securityonline.info: Booking.com Impersonated in Phishing Campaign Delivering Credential-Stealing Malware
- gbhackers.com: Microsoft Threat Intelligence has identified an ongoing phishing campaign that began in December 2024, targeting organizations in the hospitality industry by impersonating the online travel agency Booking.com. The campaign, tracked as Storm-1865, employs a sophisticated social engineering technique called ClickFix to deliver credential-stealing malware designed to conduct financial fraud and theft. This attack specifically targets
- Metacurity: The attackers are impersonating Booking.com to deliver credential-stealing malware.
- Talkback Resources: Storm-1865 Impersonates Booking.com in Phishing Scheme
- Blog: Storm-1865 leverages ‘ClickFix’ technique in new phishing campaign
@cyberalerts.io
//
The FBI has issued a warning about the rising trend of cybercriminals using fake file converter tools to distribute malware. These tools, often advertised as free online document converters, are designed to trick users into downloading malicious software onto their computers. While these tools may perform the advertised file conversion, they also secretly install malware that can lead to identity theft, ransomware attacks, and the compromise of sensitive data.
The threat actors exploit various file converter or downloader tools, enticing users with promises of converting files from one format to another, such as .doc to .pdf, or combining multiple files. The malicious code, disguised as a file conversion utility, can scrape uploaded files for personal identifying information, including social security numbers, banking information, and cryptocurrency wallet addresses. The FBI advises users to be cautious of such tools and report any instances of this scam to protect their assets.
The FBI Denver Field Office is warning that it is increasingly seeing scams involving free online document converter tools and encourages victims to report any instances of this scam. Malwarebytes has identified some of these suspect file converters, which include Imageconvertors.com, convertitoremp3.it, convertisseurs-pdf.com and convertscloud.com. The agency emphasized the importance of educating individuals about these threats to prevent them from falling victim to these scams.
Recommended read:
References :
- Talkback Resources: FBI warns of malware-laden websites posing as free file converters, leading to ransomware attacks and data theft.
- gbhackers.com: Beware! Malware Hidden in Free Word-to-PDF Converters
- www.bitdefender.com: Free file converter malware scam “rampant” claims FBI
- Malwarebytes: Warning over free online file converters that actually install malware
- bsky.app: Free file converter malware scam "rampant" claims FBI.
- bsky.app: @bushidotoken.net has dug up some IOCs for the FBI's recent warning about online file format converters being used to distribute malware
- Help Net Security: FBI: Free file converter sites and tools deliver malware
- www.techradar.com: Free online file converters could infect your PC with malware, FBI warns
- Security | TechRepublic: Scam Alert: FBI ‘Increasingly Seeing’ Malware Distributed In Document Converters
- securityaffairs.com: The FBI warns of a significant increase in scams involving free online document converters to infect users with malware. The FBI warns that threat actors use malicious online document converters to steal users’ sensitive information and infect their systems with malware.
- The DefendOps Diaries: FBI warns against fake file converters spreading malware and stealing data. Learn how to protect yourself from these cyber threats.
- PCMag UK security: PSA: Be Careful Around Free File Converters, They Might Contain Malware
- www.bleepingcomputer.com: FBI warnings are true—fake file converters do push malware
- www.techradar.com: FBI warns some web-based file management services are not as well-intentioned as they seem.
- www.csoonline.com: Improvements Microsoft has made to Office document security that disable macros and other embedded malware by default have forced criminals to up their innovation game, a security expert said Monday.
- www.itpro.com: Fake file converter tools are on the rise – here’s what you need to know
- Cyber Security News: The FBI Denver Field Office has warned sternly about the rising threat of malicious online file converter tools. These seemingly harmless services, often advertised as free tools to convert or merge files, are being weaponized by cybercriminals to install malware on users’ computers. This malware can have devastating consequences, including ransomware attacks and identity theft. […]
Pierluigi Paganini@securityaffairs.com
//
A new ransomware group named Arkana Security is claiming responsibility for breaching WideOpenWest (WOW!), one of the largest U.S. cable and broadband providers. This nascent ransomware gang’s breach purportedly compromised over 403,000 WOW! user accounts, pilfering data including full names, usernames, salted passwords, email addresses, login histories, and security questions and answers.
The attackers boast of full backend control and have even created a music video montage to demonstrate their level of access. Additionally, they claim to have exfiltrated a separate CSV file with 2.2 million records, including names, addresses, phone numbers, and devices. While WOW! has yet to acknowledge Arkana Security's claims, threat researchers traced the attack's origins to an infostealer infection in September last year that enabled access to WOW!'s critical systems.
Recommended read:
References :
- Cyber Security News: The largest US internet provider, WideOpenWest (WOW!), is allegedly compromised by Arkana Security, a recently discovered ransomware group.
- securityaffairs.com: Arkana Security, a new ransomware group, claims to have breached the telecommunications provider WideOpenWest (WOW!), stealing customer data.
- www.scworld.com: WideOpenWest purportedly breached by nascent ransomware gang
- CyberInsider: Arkana ransomware group has claimed responsibility for breaching WideOpenWest (WOW!), one of the largest U.S. cable and broadband providers.
- BleepingComputer: The new ransomware group Arkana Security claims to have hacked US telecom provider WOW!, stealing customer data.
- Information Security Buzz: A new ransomware gang, Arkana Security, is claiming responsibility for an enormous breach at WideOpenWest (WoW), one of the largest cable operators and ISPs in the US. The malicious actors boasted they had full backend control and even put a music video montage together to illustrate exactly how much access they had.
- DataBreaches.Net: A cyber-crime ring calling itself Arkana has made a cringe music video to boast of an alleged theft of subscriber account data from Colorado-based cableco WideOpenWest (literally, WOW!)
- PCMag UK security: Hacking group Arkana Security gives WideOpenWest (WOW!) until 5 p.m. PST today to pay a ransom, or it will sell customer data to the highest bidder. WOW! says it's investigating.
- The Register - Security: Cyber-crew claims it cracked American cableco, releases terrible music video to prove it
@Talkback Resources
//
Millions of WordPress websites face potential script injection attacks due to a critical vulnerability found in the Essential Addons for Elementor plugin, which is installed on over 2 million sites. The flaw, identified as CVE-2025-24752 with a high severity score of 7.1, allows attackers to execute reflected cross-site scripting (XSS) attacks. This is achieved by exploiting insufficient input sanitization within the plugin's password reset functionality, specifically through malicious URL parameters.
A fake WordPress plugin has also been discovered injecting casino spam, impacting website SEO. In a separate incident, cybersecurity researchers have flagged a malicious Python library on the PyPI repository, named 'automslc', which facilitates over 100,000 unauthorized music downloads from Deezer. The package bypasses Deezer's API restrictions by embedding hardcoded credentials and communicating with an external command-and-control server, effectively turning user systems into a botnet for music piracy.
Recommended read:
References :
- bsky.app: Socket Security has discovered a malicious PyPI package that created a botnet to pirate songs from music streaming service Deezer. The package was named automslc and had been downloaded over 100,000 times since its release in 2019.
- BleepingComputer: A malicious PyPi package named 'automslc' has been downloaded over 100,000 times from the Python Package Index since 2019, abusing hard-coded credentials to pirate music from the Deezer streaming service.
- Talkback Resources: Malicious PyPI Package "automslc" Enables 104K+ Unauthorized Deezer Music Downloads [app] [mal]
- socket.dev: Malicious PyPI Package Exploits Deezer API for Coordinated Music Piracy
- bsky.app: A malicious PyPi package named 'automslc' has been downloaded over 100,000 times from the Python Package Index since 2019, abusing hard-coded credentials to pirate music from the Deezer streaming service.
- The Hacker News: Malicious PyPI Package "automslc" Enables 104K+ Unauthorized Deezer Music Downloads
- Sucuri Blog: Injecting malware via a fake WordPress plugin has been a common tactic of attackers for some time. This clever method is often used to bypass detection as attackers exploit the fact that plugins are not part of the core files of a WordPress site, making integrity checks more difficult.
- gbhackers.com: A critical security vulnerability in the Essential Addons for Elementor plugin, installed on over 2 million WordPress websites, has exposed sites to script injection attacks via malicious URL parameters. The flaw, tracked as CVE-2025-24752 and scoring 7.1 (High) on the CVSS scale, allowed attackers to execute reflected cross-site scripting (XSS) attacks by exploiting insufficient input sanitization in the plugin’s password reset
- bsky.app: Microsoft has removed two popular VSCode extensions, 'Material Theme - Free' and 'Material Theme Icons - Free,' from the Visual Studio Marketplace for allegedly containing malicious code.
- gbhackers.com: VS Code Extension with 9 Million Installs Attacks Developers with Malicious Code
- aboutdfir.com: VSCode extensions with 9 million installs pulled over security risks
- bsky.app: Microsoft has removed two VSCode theme extensions from the VSCode Marketplace for containing malicious code.
- Techzine Global: Visual Studio Code extensions with 9 million downloads removed for security risks
Pierluigi Paganini@Security Affairs
//
The GitVenom campaign, a sophisticated cyber threat, has been uncovered, exploiting GitHub repositories to spread malicious code and steal cryptocurrency. This campaign involves creating hundreds of repositories that appear legitimate but contain malicious code designed to infect users’ systems. The attackers craft these fake projects in multiple programming languages, including Python, JavaScript, C, C++, and C#, to lure unsuspecting developers. These projects often promise functionalities like automation tools but instead deploy malicious payloads that download additional components from attacker-controlled repositories.
The malicious components include a Node.js stealer that collects sensitive information such as credentials and cryptocurrency wallet data and uploads it to the attackers. According to Kaspersky's Securelist report, a clipboard hijacker is also used to replace cryptocurrency wallet addresses, leading to significant financial theft. Kaspersky Labs discovered the GitVenom cybercrime campaign targeting GitHub users to steal cryptocurrency and credentials, with one attacker-controlled Bitcoin wallet receiving about 5 BTC (approximately $485,000) in November 2024.
Recommended read:
References :
- Cyber Security News: GitVenom Campaign Exploits Thousands of GitHub Repositories to Spread Infections
- gbhackers.com: The GitVenom campaign, a sophisticated cyber threat, has been exploiting GitHub repositories to spread malware and steal cryptocurrency.
- Talkback Resources: Kaspersky Labs discovered the GitVenom cybercrime campaign targeting GitHub users to steal cryptocurrency and credentials through fraudulent repositories, resulting in the attacker-controlled Bitcoin wallet receiving about 5 BTC (approximately $485,000) in November 2024.
- Talkback Resources: Open-source code has a significant impact on software development, but developers should be cautious of the GitVenom campaign involving threat actors creating fake projects on GitHub to distribute malicious code and steal sensitive information.
- The Hacker News: GitVenom Malware Steals $456K in Bitcoin Using Fake GitHub Projects to Hijack Wallets
- securityaffairs.com: GitVenom campaign targets gamers and crypto investors by posing as fake GitHub projects
- The Register - Security: Reports that more than 200 GitHub repos are hosting fake projects laced with malicious software.
- BleepingComputer: A malware campaign dubbed GitVenom uses hundreds of GitHub repositories to trick users into downloading info-stealers, remote access trojans (RATs), and clipboard hijackers to steal crypto and credentials.
- Talkback Resources: Malware campaign dubbed GitVenom uses hundreds of GitHub repositories to trick users into downloading info-stealers, remote access trojans (RATs), and clipboard hijackers to steal crypto and credentials.
- Help Net Security: Hundreds of GitHub repos served up malware for years
- bsky.app: Bluesky post about the malware campaign GitVenom.
- BleepingComputer: A malware campaign dubbed GitVenom uses hundreds of GitHub repositories to trick users into downloading info-stealers.
- aboutdfir.com: GitVenom attacks abuse hundreds of GitHub repos to steal crypto
- bsky.app: A malware campaign dubbed GitVenom uses hundreds of GitHub repositories to trick users into downloading info-stealers, remote access trojans (RATs), and clipboard hijackers to steal crypto and credentials.
Field Effect@Blog
//
A sophisticated cyber threat is rapidly evolving, exploiting user familiarity with CAPTCHAs to distribute malware through social engineering tactics. The ClearFake malicious JavaScript framework now utilizes 'ClickFix' techniques to trick users into executing malicious PowerShell commands, often disguised as fake reCAPTCHA or Cloudflare Turnstile verifications. This framework injects a fraudulent CAPTCHA on compromised websites, enticing visitors to unknowingly copy and paste malicious commands that lead to malware installation.
https://blog.sekoia.io/clearfakes-new-widespread-variant-increased-web3-exploitation-for-malware-delivery/
https://krebsonsecurity.com/2025/03/clickfix-how-to-infect-your-pc-in-three-easy-steps/
This 'ClickFix' attack redirects victims to malicious webpages delivering fake CAPTCHA verifications, ultimately deploying information-stealing malware such as Lumma Stealer and Vidar Stealer. Over 100 car dealerships have already been impacted by a supply-chain attack involving injected malicious code, and Microsoft has identified an ongoing Storm-1865 phishing campaign targeting the hospitality industry using the same 'ClickFix' technique. Security experts advise users to exercise extreme caution with unsolicited instructions, especially those prompting system commands.
Recommended read:
References :
- Blog: Microsoft has identified an ongoing Storm-1865 phishing campaign targeting the hospitality industry by masquerading as Booking.com communications. Initiated in December 2024, this campaign leverages a social engineering tactic known as ClickFix to disseminate credential-stealing malware.
- Malware ? Graham Cluley: A security researcher has discovered that the websites of over 100 car dealerships have been compromised in a supply-chain attack that attempted to infect the PCs of internet visitors.
- www.cisecurity.org: The CIS CTI team spotted a Lumma Stealer campaign where SLTT victims were redirected to malicious webpages delivering fake CAPTCHA verifications.
- : Attackers are exploiting user familiarity with CAPTCHAs to distribute the Lumma Stealer RAT via malicious PowerShell commands, according to HP
- gbhackers.com: Attackers Leverage Weaponized CAPTCHAs to Execute PowerShell and Deploy Malware
- securityonline.info: Fake Cloudflare Verification Prompts Deliver LummaStealer Trojan Through Infected WordPress Sites
- www.bleepingcomputer.com: Steam pulls game demo infecting Windows with info-stealing malware
Sergiu Gatlan@BleepingComputer
//
Microsoft has identified a North Korean hacking group known as Moonstone Sleet, previously tracked as Storm-1789, deploying Qilin ransomware in limited attacks. This represents a shift for the group, as they have historically used custom-built ransomware. The adoption of Qilin ransomware signifies a move towards Ransomware-as-a-Service (RaaS), where they utilize ransomware developed by external operators rather than relying solely on their own tools.
Moonstone Sleet's move to RaaS marks a new era in cyber threats, primarily driven by financial motivations, a departure from previous espionage-focused operations. They have been observed demanding ransoms as high as $6.6 million in Bitcoin. The group has also been known to use creative tactics, including fake companies, trojanized software, and even a malicious game to infiltrate targets, showcasing their adaptability and resourcefulness.
Recommended read:
References :
- gbhackers.com: North Korean Moonstone Sleet Uses Creative Tactics to Deploy Custom Ransomware
- The DefendOps Diaries: Moonstone Sleet's Shift to Ransomware-as-a-Service: A New Era in Cyber Threats
- BleepingComputer: Microsoft: North Korean hackers join Qilin ransomware gang
- Cyber Security News: North Korean Moonstone Sleet Deploys Custom Ransomware with Creative Tactics
- securityaffairs.com: Microsoft researchers reported that North Korea-linked APT tracked as Moonstone Sleet has employed the Qilin ransomware in limited attacks.
- www.scworld.com: Moonstone Sleet was previously reported to have been behind a FakePenny ransomware attack.
Dhara Shrivastava@cysecurity.news
//
February witnessed a record-breaking surge in ransomware attacks, fueled by the prolific activity of groups like CL0P, known for exploiting MFT vulnerabilities. The ransomware landscape is also seeing significant activity from groups like Akira and RansomHub.
Recent analysis reveals a notable development with the Black Basta and CACTUS ransomware groups, uncovering a shared BackConnect module. This module, internally tracked as QBACKCONNECT, provides extensive remote control capabilities, including executing commands and exfiltrating sensitive data. The Qilin ransomware group has also claimed responsibility for attacks on the Utsunomiya Central Clinic (UCC), a cancer treatment center in Japan, and Rockhill Women's Care, a gynecology facility in Kansas City, stealing and leaking sensitive patient data.
Recommended read:
References :
- cyble.com: February Sees Record-Breaking Ransomware Attacks, New Data Shows
- The Register - Security: Qilin ransomware gang claims attacks on cancer clinic, OB-GYN facility
- iHLS: Ransomware Group Targets Cancer Clinic, Exposes Sensitive Health Data
- securityaffairs.com: Medusa ransomware has claimed nearly 400 victims since January 2023, with attacks increasing by 42% between 2023 and 2024.
- thecyberexpress.com: Ransomware attacks set a single-month record in February that was well above previous highs.
- The DefendOps Diaries: Akira Ransomware: Unsecured Webcams and IoT Vulnerabilities
- blog.knowbe4.com: A new report from Arctic Wolf has found that 96% of attacks now involve data theft as criminals seek to force victims to pay up.
- DataBreaches.Net: The Akira ransomware gang exploited an unsecured webcam to bypass EDR and launch encryption attacks on a victim's network.
Dissent@DataBreaches.Net
//
Recent data breaches have affected multiple organizations, exposing sensitive information and highlighting the importance of robust security measures. SOCRadar's Dark Web Team has uncovered several significant threats, including a breach at AUTOSUR, a French vehicle inspection company, where approximately 10.7 million customer records were leaked. The exposed data includes customer names, emails, phone numbers, hashed passwords, home addresses, vehicle information, and license plate numbers. This breach poses significant risks such as identity theft, phishing attacks, and financial fraud.
Unauthorized access to shipping portals associated with Lenovo and HP has also been detected, targeting shipment tracking activities in India. This breach could expose sensitive supply chain information. Furthermore, cybercriminals are actively exploiting the gaming and entertainment sectors, utilizing tools such as a Disney+ credential checker and exploiting a leaked FiveM database. A massive dataset of crypto and forex leads is also up for sale, creating risks of fraud and financial scams. Additionally, Cardiovascular Consultants Ltd. (CVC) in Arizona experienced a ransomware attack, impacting 484,000 patients, with data later appearing on a clearnet IP address associated with “WikiLeaksV2”. The breach at Sunflower and CCA impacted 220,968 individuals according to a filing with the Maine Attorney General's Office.
Recommended read:
References :
- socradar.io: AUTOSUR Breach, FiveM Database Leak, Disney+ Account Checker, Crypto Leads & Forex Scams Exposed
- www.cysecurity.news: Sunflower and CCA Suffer Data Breaches, Exposing Hundreds of Thousands of Records
- Security - Troy Hunt: Inside the "3 Billion People" National Public Data Breach
- securityaffairs.com: California Cryobank, the largest US sperm bank, disclosed a data breach
- MSSP feed for Latest: Data Breach Hits California Cryobank
- infosec.exchange: Okay, this is not good: "Executive Summary On 21 March 2025, CloudSEK’s XVigil discovered a threat actor, "rose87168," selling 6M records exfiltrated from SSO and LDAP of Oracle Cloud. The data includes JKS files, encrypted SSO passwords, key files, and enterprise manager JPS keys."
- research.kudelskisecurity.com: Oracle Cloud SSO, LDAP Records Dumped, 140k+ Tenants Affected
@cyberalerts.io
//
The Splunk Threat Research Team has revealed a widespread cyber campaign specifically targeting Internet Service Provider (ISP) infrastructure on the West Coast of the United States and in China. Over 4,000 ISP-related IP addresses were explicitly targeted. This mass exploitation campaign involves the deployment of information stealers and crypto miners on compromised systems.
The attack leverages brute-force tactics to exploit weak credentials, gaining initial access to the targeted networks. Once inside, the attackers deploy cryptomining and info-stealing malware. This campaign is believed to have originated from Eastern Europe, highlighting the global nature of cyber threats and the importance of robust security measures for critical infrastructure providers.
Recommended read:
References :
- Virus Bulletin: The Splunk Threat Research Team has identified a campaign targeting ISP infrastructure providers. This mass exploitation campaign led to cryptomining and infostealer payloads. The main vector & initial access is driven by using well known weak credentials.
- securityaffairs.com: Mass exploitation campaign hit 4,000+ ISP networks to deploy info stealers and crypto miners
- thehackernews.com: Over 4,000 ISP IPs Targeted in Brute-Force Attacks to Deploy Info Stealers and Cryptominers
- Information Security Buzz: The Splunk Threat Research Team has uncovered a widespread cyber campaign targeting Internet Service Provider (ISP) infrastructure providers on the West Coast of the United States and in China. Over 4,000 ISP-related IPs were explicitly targeted in this campaign.
- securityaffairs.com: Mass exploitation campaign hit 4,000+ ISP networks to deploy info stealers and crypto miners
Rescana@Rescana
//
Critical vulnerabilities in ServiceNow, a widely used cloud-based platform, are being actively exploited by hackers, resulting in escalated attacks. Security researchers at GreyNoise have observed a resurgence of malicious activity targeting three flaws that are a year old and were previously patched: CVE-2024-4879, CVE-2024-5217, and CVE-2024-5178. These vulnerabilities can lead to unauthorized access and potentially full database compromise if left unpatched.
Organizations that failed to apply ServiceNow patches last year are now falling victim to these exploits. Israel has been significantly impacted, with over 70% of recent malicious activity directed at systems within the country. However, attacks have also been detected in Lithuania, Japan, and Germany. Security experts urge organizations to apply the necessary patches and monitor for unusual authentication attempts, unauthorized data access logs, and unexpected server behavior.
Recommended read:
References :
- www.itpro.com: Old ServiceNow vulnerabilities could cause havoc for unpatched customers
- Rescana: ServiceNow Vulnerabilities: Critical Exploits Impacting Israel and Global Systems
- www.scworld.com: Attacks involving ServiceNow vulnerabilities escalate
- hackread.com: New Attacks Exploit Year-Old ServiceNow Flaws – Israel Hit Hardest
Rescana@Rescana
//
Critical vulnerabilities in ServiceNow are being actively exploited, posing a significant threat, especially to systems in Israel. Three key flaws, CVE-2024-4879, CVE-2024-5217, and CVE-2024-5178, have been identified and are under active attack. These vulnerabilities, some over a year old, were initially disclosed in early 2023 and patches were provided by ServiceNow. Despite the patches, exploitation activities have surged, particularly targeting Israeli systems.
These vulnerabilities allow threat actors to gain unauthorized access, potentially leading to data breaches and operational disruptions. CVE-2024-4879 is a template injection vulnerability allowing remote code execution. CVE-2024-5217 and CVE-2024-5178 involve input validation errors that can be exploited to manipulate data and bypass security controls, potentially granting full database access. Organizations that failed to apply ServiceNow patches last year are continuing to fall victim.
Recommended read:
References :
- hackread.com: Report of attacks exploiting year-old ServiceNow flaws, with Israel being the hardest hit.
- www.itpro.com: ServiceNow vulnerabilities and the impact on unpatched systems.
- Rescana: Details on the critical vulnerabilities in ServiceNow being exploited, particularly in Israel.
- www.scworld.com: The threat actors are exploiting three-year-old vulnerabilities in ServiceNow.
Sunny Yadav@eSecurity Planet
//
Cybersecurity experts are warning of a coordinated surge in Server-Side Request Forgery (SSRF) exploitation attempts across multiple platforms. Threat intelligence firm GreyNoise reported on March 9, 2025, that approximately 400 unique IP addresses were actively involved in exploiting multiple SSRF vulnerabilities simultaneously. These attacks span several countries, including the United States, Germany, Singapore, India, Japan, and Lithuania, targeting critical systems in cloud environments and enterprise infrastructures.
This alarming trend highlights the persistent risks organizations face from evolving attack methods. The SSRF vulnerabilities being exploited include critical flaws in widely used software platforms like Zimbra Collaboration Suite (CVE-2020-7796), VMware products (CVE-2021-21973 and CVE-2021-22054), and multiple CVEs in GitLab's CE/EE versions, along with targets in DotNetNuke and Ivanti Connect Secure. GreyNoise also observed Grafana path traversal attempts preceding the SSRF surge, indicating attackers may be using Grafana as a foothold for deeper exploitation.
Defenders should identify and disrupt early-stage activity by monitoring for reconnaissance behaviors, such as path traversal attempts, which may provide early warning signs before full-scale exploitation occurs. Organizations should act now to patch vulnerable systems, restrict access where possible, and monitor for unexpected outbound requests that could indicate SSRF exploitation. The attacks reflect a shift from opportunistic scanning to more deliberate, coordinated campaigns that aim to breach internal systems and extract valuable data.
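The two indicators the paragraph above names, path traversal probes as early reconnaissance and parameters that point a server-side fetch at internal addresses, can be checked mechanically in web-server access logs. The scanner below is an added example written for this digest; it is not code from GreyNoise, eSecurity Planet or any of the affected products. The log format and the sample lines are constructed (TEST-NET source addresses), and because SSRF-prone parameter names differ between applications, every query parameter carrying an absolute URL is inspected.

```javascript
// Added example (not GreyNoise's or any vendor's code): flag two SSRF-campaign
// indicators in web-server access logs, constructed here in common log format:
//   1. path traversal attempts in the request target (the reconnaissance
//      behaviour observed before the SSRF surge), and
//   2. query parameters carrying a URL whose host is loopback, link-local
//      (cloud metadata), RFC 1918 or unspecified, i.e. a fetch aimed inward.
// ASSUMPTIONS: the log format and sample lines are constructed; real SSRF
// parameter names vary by application, so every parameter is inspected.

const ACCESS_LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)/;

function parseAccessLogLine(line) {
  const m = ACCESS_LOG_RE.exec(line);
  if (!m) return null;
  return { src: m[1], time: m[2], method: m[3], target: m[4], status: Number(m[5]) };
}

// Decode %xx sequences leniently; malformed input is returned unchanged.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Loopback, link-local, RFC 1918 and unspecified hosts: a URL pointing at one
// of these from a user-controlled parameter is the classic SSRF signature.
function isInternalHost(host) {
  const h = host.toLowerCase().replace(/^\[|\]$/g, ''); // strip IPv6 brackets
  if (h === 'localhost' || h === '::1' || h === '::' || h.endsWith('.localhost')) return true;
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(h);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168);
}

// True when the path component contains a ".." segment, raw or percent-encoded.
function hasPathTraversal(target) {
  const path = target.split('?')[0];
  const decoded = safeDecode(path).replace(/\\/g, '/');
  return /(^|\/)\.\.(\/|$)/.test(decoded) || /%2e%2e/i.test(path);
}

// Return every query parameter whose value is an absolute URL with an internal host.
function internalUrlParams(target) {
  let url;
  try { url = new URL(target, 'http://placeholder.invalid'); } catch (e) { return []; }
  const hits = [];
  for (const [name, value] of url.searchParams) {
    if (!/^[a-z][a-z0-9+.-]*:\/\//i.test(value)) continue; // not an absolute URL
    try {
      const u = new URL(value);
      if (isInternalHost(u.hostname)) hits.push({ param: name, url: value });
    } catch (e) { /* not a parseable URL; ignore */ }
  }
  return hits;
}

// Walk the log and collect findings, one per indicator per line.
function analyzeAccessLog(logText) {
  const findings = [];
  for (const line of logText.split('\n')) {
    const rec = parseAccessLogLine(line.trim());
    if (!rec) continue;
    if (hasPathTraversal(rec.target)) {
      findings.push({ src: rec.src, kind: 'path_traversal', detail: rec.target });
    }
    for (const hit of internalUrlParams(rec.target)) {
      findings.push({ src: rec.src, kind: 'ssrf_internal_target', detail: `${hit.param}=${hit.url}` });
    }
  }
  return findings;
}

// Constructed sample log (TEST-NET source addresses, no real systems).
const SAMPLE_LOG = `
203.0.113.9 - - [09/Mar/2025:10:00:01 +0000] "GET /api/fetch?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 512
203.0.113.9 - - [09/Mar/2025:10:00:02 +0000] "GET /static/../../../../etc/passwd HTTP/1.1" 404 0
198.51.100.4 - - [09/Mar/2025:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024
203.0.113.9 - - [09/Mar/2025:10:00:04 +0000] "POST /render?target=http%3A%2F%2F127.0.0.1%3A8080%2Fadmin HTTP/1.1" 500 0
198.51.100.4 - - [09/Mar/2025:10:00:05 +0000] "GET /api/fetch?url=https://example.com/feed HTTP/1.1" 200 2048
`;

console.log(JSON.stringify(analyzeAccessLog(SAMPLE_LOG), null, 2));
```

Running the block reports three findings from the sample: two internal-target URLs (the link-local metadata address and loopback, the latter percent-encoded) and one traversal probe. Parsing candidate values with the WHATWG URL class rather than a regex has a useful side effect for this check: alternative IPv4 spellings such as a single decimal number are normalised to dotted form before `isInternalHost` sees them. The same `src` address appearing in both kinds of finding is the sequence the paragraph describes, reconnaissance followed by exploitation, and is worth correlating at the SIEM.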
Recommended read:
References :
- securityaffairs.com: Experts warn of a coordinated surge in the exploitation attempts of SSRF vulnerabilities
- eSecurity Planet: SSRF Exploitation Surge Highlights Evolving Cyberthreats
- The GreyNoise Blog: Over 400 IPs Exploiting Multiple SSRF Vulnerabilities in Coordinated Cyber Attack
- GreyNoise: 400+ Malicious IPs Targeting SSRF Vulnerabilities. We have detected a coordinated surge in SSRF exploitation, with attackers systematically targeting multiple CVEs across different platforms.
- Security Risk Advisors: Over 400 IPs Exploiting Multiple SSRF Vulnerabilities in Coordinated Cyber Attack
Bill Toulas@BleepingComputer
//
GitLab has released critical security updates for versions 17.9.2, 17.8.5, and 17.7.7 of both its Community Edition (CE) and Enterprise Edition (EE) to address multiple vulnerabilities. The updates are aimed at rectifying authentication bypass risks and a Remote Code Execution (RCE) threat. Users with self-managed GitLab installations are strongly encouraged to upgrade immediately to one of these patched versions to mitigate potential exploits. GitLab.com is already running the patched version, and GitLab Dedicated customers will be notified once their instances have been updated.
The patches address critical vulnerabilities, most notably authentication bypasses in the SAML single sign-on (SSO) authentication mechanism. Specifically, CVE-2025-25291 and CVE-2025-25292 involve authentication bypass issues in the SAML SSO mechanism due to discrepancies in XML parsing within the ruby-saml library. The vulnerability could allow an attacker with a valid signed SAML document to authenticate as another user. Mitigation includes enabling two-factor authentication, disabling SAML two-factor bypass, and mandating admin approval for new users. Another significant high-severity vulnerability, CVE-2025-27407, involves remote code execution via the Ruby graphql library when transferring a malicious project.
Recommended read:
References :
- Security Risk Advisors: GitLab Releases Critical Patches for Multiple Vulnerabilities in Versions 17.9.2, 17.8.5, and 17.7.7
- securityaffairs.com: GitLab addressed critical auth bypass flaws in CE and EE
- socradar.io: GitLab Security Update: Critical Authentication & RCE Flaws Demand Immediate Action
- BleepingComputer: GitLab patches critical authentication bypass vulnerabilities
- Rescana: Comprehensive Report on GitLab Security Updates: Critical Vulnerability Mitigations for Versions 17.9.2, 17.8.5, and 17.7.7
@www.bleepingcomputer.com
//
Chinese APT groups are actively targeting U.S. telecom providers and European healthcare organizations using sophisticated cyberattacks. The attacks involve custom malware, such as JumbledPath used by Salt Typhoon to spy on U.S. telecom networks, and the exploitation of vulnerabilities like the Check Point flaw (CVE-2024-24919). These campaigns are characterized by the deployment of advanced tools like ShadowPad and NailaoLocker ransomware, indicating a blend of espionage and financially motivated cybercrime.
These threat actors gain initial access through exploited vulnerabilities, then move laterally within the networks using techniques like RDP to obtain elevated privileges. The attackers then deploy ShadowPad and PlugX, before deploying the NailaoLocker ransomware in the final stages, encrypting files and demanding Bitcoin payments. These findings highlight the evolving tactics of Chinese APT groups and the challenges in attributing these attacks, given the blurring lines between state-sponsored espionage and financially driven operations.
Recommended read:
References :
- securityaffairs.com: Salt Typhoon used custom malware JumbledPath to spy U.S. telecom providers
- The Hacker News: Chinese-Linked Attackers Exploit Check Point Flaw to Deploy ShadowPad and Ransomware
- www.bleepingcomputer.com: Salt Typhoon uses JumbledPath malware to spy on US telecom networks
@www.bleepingcomputer.com
//
Critical security vulnerabilities have been patched in Juniper Networks Session Smart Routers and several Atlassian products. A critical authentication bypass vulnerability, identified as CVE-2025-21589, affects Juniper's Session Smart Router, Conductor, and WAN Assurance Managed Routers. Juniper Networks has released a patch to address this flaw, which could allow attackers to bypass authentication and gain control of affected Session Smart Router devices.
Australian software firm Atlassian has also released security patches to address 12 critical and high-severity vulnerabilities across its product suite, including Bamboo, Bitbucket, Confluence, Crowd, and Jira. Among the most severe vulnerabilities fixed is CVE-2024-50379, which has a CVSS score of 9.8 and could lead to remote code execution. Users of these products are strongly advised to apply the available patches as soon as possible to mitigate potential risks.
Recommended read:
References :
- Anonymous: Juniper Networks has patched a critical vulnerability that allows attackers to bypass authentication and take over Session Smart Router (SSR) devices.
- securityaffairs.com: Australian software firm Atlassian patched 12 critical and high-severity flaws in Bamboo, Bitbucket, Confluence, Crowd, and Jira. Software firm Atlassian released security patches to address 12 critical- and high-severity vulnerabilities in Bamboo, Bitbucket, Confluence, Crowd, and Jira products. The most severe vulnerabilities addressed by the company are: CVE-2024-50379 – (CVSS score of 9.8) – RCE
cybernewswire@The Last Watchdog
//
SquareX has launched the "Year of Browser Bugs" (YOBB) project, a year-long initiative to spotlight the lack of security research on browser-based attacks. The project aims to address critical cybersecurity blind spots by focusing on application layer attacks delivered through websites and cloud data storage accessed via browsers. SquareX will disclose at least one critical web attack per month throughout 2025, revealing previously unknown attack vectors and architectural limitations of browsers.
The YOBB project was inspired by the Month of Bugs (MOB) cybersecurity initiative, which aimed to improve security practices through vulnerability disclosures. SquareX has already made major releases since 2024 and into the first two months of 2025:
- SquareX Discloses "Browser Syncjacking", a New Attack Technique that Provides Full Browser and Device Control, Putting Millions at Risk
- SquareX Unveils Polymorphic Extensions that Morph Infosteal
Microsoft Secure, scheduled for April 9, offers a one-hour online event for security professionals to learn about AI innovations for the security lifecycle and maximizing current security tools. The event will cover securing data used by AI, AI apps, and AI cloud workloads, along with best practices to safeguard AI initiatives against emerging threats.
Recommended read:
References :
- Microsoft Security Blog: AI innovation requires AI security: Hear what’s new at Microsoft Secure
- The Last Watchdog: News alert: SquareX’s “Year of Browser Bugs” project exposes critical cybersecurity blind spots
@www.bleepingcomputer.com
//
A new JavaScript obfuscation technique has been discovered and is being actively used in phishing attacks. Juniper Threat Labs identified the technique targeting affiliates of a major American political action committee (PAC) in early January 2025. The method leverages invisible Unicode characters to represent binary values, effectively concealing malicious JavaScript code within seemingly harmless text.
This obfuscation technique was first demonstrated in October 2024, highlighting the speed with which such research can be weaponized in real-world attacks. The encoding uses two different invisible Unicode filler characters, the half-width Hangul filler and the full-width Hangul filler, to represent the binary values 0 and 1. This allows attackers to hide an entire payload invisibly within a script, which is then executed through a Proxy get() trap. Security researchers have posted methods to decode this encoded JavaScript into readable form.
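The decoding the paragraph refers to is straightforward once the two filler characters are known, and it is the kind of check an analyst wants in a triage script: find runs of invisible fillers in a suspicious page or attachment and turn them back into text without ever executing anything. The scanner below is an added example written for this digest, not code from Juniper Threat Labs or from the original research. It assumes the two characters involved are HALFWIDTH HANGUL FILLER (U+FFA0) and HANGUL FILLER (U+3164) and that each group of eight fillers encodes one byte; which filler stands for 0 is not stated on the page, so the decoder tries both polarities and keeps the one that yields printable text.

```javascript
// Added example (not from the Juniper Threat Labs report or the original
// research): a defender-side scanner that finds runs of the two invisible
// Hangul filler characters in a script and decodes them as 8-bit values.
// ASSUMPTION: which filler stands for 0 and which for 1 is not stated on the
// page, so the decoder tries both polarities and keeps the one that yields
// printable text.
const HALFWIDTH_HANGUL_FILLER = '\uFFA0'; // U+FFA0, renders as nothing in most fonts
const HANGUL_FILLER = '\u3164';           // U+3164, likewise invisible

// Find every run of filler characters long enough to hold at least one byte.
function findFillerRuns(source, minBits = 8) {
  const re = new RegExp(`[\\uFFA0\\u3164]{${minBits},}`, 'g');
  const runs = [];
  let m;
  while ((m = re.exec(source)) !== null) {
    runs.push({ offset: m.index, length: m[0].length, run: m[0] });
  }
  return runs;
}

// Interpret a run as a bit string (zeroChar -> 0, the other filler -> 1) and
// pack each group of 8 bits into one character. Trailing bits that do not
// complete a byte are dropped.
function fillersToText(run, zeroChar) {
  let bits = '';
  for (const ch of run) bits += ch === zeroChar ? '0' : '1';
  const usable = bits.length - (bits.length % 8);
  let text = '';
  for (let i = 0; i < usable; i += 8) {
    text += String.fromCharCode(parseInt(bits.slice(i, i + 8), 2));
  }
  return text;
}

// Heuristic used to pick the polarity: real source code is almost entirely
// printable ASCII plus whitespace.
function isMostlyPrintable(text) {
  if (text.length === 0) return false;
  let printable = 0;
  for (const ch of text) {
    const c = ch.charCodeAt(0);
    if ((c >= 0x20 && c <= 0x7e) || c === 0x09 || c === 0x0a || c === 0x0d) printable++;
  }
  return printable / text.length >= 0.95;
}

// Try both polarities; return the decoded text and the mapping that worked,
// or null when neither decoding looks like text.
function decodeFillerRun(run) {
  for (const zeroChar of [HALFWIDTH_HANGUL_FILLER, HANGUL_FILLER]) {
    const text = fillersToText(run, zeroChar);
    if (isMostlyPrintable(text)) return { zeroChar, text };
  }
  return null;
}

// Scan a whole script: every filler run is reported, with its decoding if any.
// A non-empty result is itself a strong indicator; legitimate code has no
// reason to contain dozens of consecutive invisible fillers.
function scanScript(source) {
  return findFillerRuns(source).map(r => ({
    offset: r.offset,
    length: r.length,
    decoded: decodeFillerRun(r.run),
  }));
}

// Helper used only to build a constructed test sample from a bit string.
function fillersFromBits(bits, zeroChar) {
  const oneChar = zeroChar === HALFWIDTH_HANGUL_FILLER ? HANGUL_FILLER : HALFWIDTH_HANGUL_FILLER;
  return bits.replace(/0/g, zeroChar).replace(/1/g, oneChar);
}

// Constructed sample: the bytes 'h' (01101000) and 'i' (01101001) hidden in
// what displays as an empty string literal.
const SAMPLE_SCRIPT = 'const label = "' +
  fillersFromBits('0110100001101001', HALFWIDTH_HANGUL_FILLER) + '";';

console.log(JSON.stringify(scanScript(SAMPLE_SCRIPT)));
```

The run detector is the cheap part and is worth deploying on its own at a mail gateway or in a YARA-style rule: a long sequence of U+FFA0/U+3164 has no legitimate use in JavaScript. The polarity heuristic matters because a decoder that assumes the wrong mapping produces high-bit bytes and looks like a false negative; trying both sides costs nothing.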
Recommended read:
References :
- blogs.juniper.net: Invisible obfuscation technique used in PAC attack
- bsky.app: A new JavaScript obfuscation method utilizing invisible Unicode characters to represent binary values is being actively abused in phishing attacks targeting affiliates of an American political action committee (PAC).
- BleepingComputer: A new JavaScript obfuscation method utilizing invisible Unicode characters to represent binary values is being actively abused in phishing attacks targeting affiliates of an American political action committee (PAC).
- Anonymous: A new JavaScript obfuscation method utilizing invisible Unicode characters to represent binary values is being actively abused in phishing attacks targeting affiliates of an American political action committee (PAC).
- www.bleepingcomputer.com: A new JavaScript obfuscation method utilizing invisible Unicode characters to represent binary values is being actively abused in phishing attacks targeting affiliates of an American political action committee (PAC).
- Christoffer S.: Juniper Networks: Invisible obfuscation technique used in PAC attack Novel obfuscation technique observed in a phishing attack targeting affiliates of a political action committee (PAC) in January 2025.
Rescana@Rescana
//
A critical vulnerability, tracked as CVE-2025-26909, has been identified in the WP Ghost plugin, a popular WordPress security plugin used by over 200,000 websites. This Local File Inclusion (LFI) flaw can escalate to Remote Code Execution (RCE), potentially allowing attackers to gain complete control over affected web servers without authentication. The vulnerability stems from insufficient validation of user-supplied input through the URL path, specifically within the `showFile` function invoked by the `maybeShowNotFound` function.
This flaw allows unauthenticated users to manipulate the URL to trigger file inclusion, potentially leading to arbitrary code execution, especially when the "Change Paths" feature is set to Lite or Ghost mode. Exploit techniques such as `php://filter` chains and leveraging `PHP_SESSION_UPLOAD_PROGRESS` can be used. Website administrators are strongly advised to immediately update their WP Ghost plugin to the latest version 5.4.02 to mitigate this severe security risk and implement additional security measures.
In related news, GoDaddy Security researchers have uncovered a long-running malware operation named DollyWay, which targets visitors of infected WordPress sites. This campaign utilizes injected redirect scripts and a distributed network of TDS nodes hosted on compromised websites to redirect users to malicious sites. This highlights the broader issue of WordPress plugin vulnerabilities and the importance of maintaining strong security practices, including regular updates and vigilance.
Recommended read:
References :
- Sam Bent: Critical Vulnerability Discovered in WP Ghost Plugin: Unauthenticated Remote Code Execution Possible
- Virus Bulletin: GoDaddy Security researchers have uncovered long-running malware operation DollyWay, which primarily targets visitors of infected WordPress sites via injected redirect scripts that employ a distributed network of TDS nodes hosted on compromised websites.
- Rescana: Critical CVE-2025-26909 Vulnerability in WP Ghost Plugin: Immediate Update Required for Over 200,000 Websites
- The DefendOps Diaries: Explore the critical CVE-2025-26909 vulnerability in WP Ghost plugin and learn how to mitigate its risks.