Zyxel has announced that it will not be releasing patches for two actively exploited zero-day vulnerabilities, CVE-2024-40890 and CVE-2024-40891, affecting multiple legacy DSL CPE products. These vulnerabilities allow attackers to execute arbitrary commands. A Mirai botnet variant is exploiting CVE-2024-40891 in the wild. Zyxel recommends that users replace the end-of-life products with newer-generation devices for optimal protection.
The lack of patches for these exploited vulnerabilities in Zyxel devices poses a significant risk to users who continue to use them. This incident highlights the importance of vendors providing ongoing security support for their products, even after they reach end-of-life.
Trimble Cityworks, a GIS-centric asset management and permitting software, is affected by a zero-day vulnerability (CVE-2025-0994). The flaw is a deserialization vulnerability that has been actively exploited in attacks targeting local governments and utilities, where it can be used to deliver malware or carry out other malicious activity.
The Lazarus Group, a North Korean APT, employed a sophisticated LinkedIn recruiting scam to target a Bitdefender researcher, aiming to deliver malware and capture credentials. The campaign was detected and analyzed within a sandbox environment. Lazarus is known for its advanced social engineering techniques and focus on credential harvesting. This highlights the persistent threat of APTs targeting cybersecurity professionals for espionage or supply chain attacks. The group’s ability to adapt its tactics, such as leveraging professional networking platforms, shows how its tradecraft continues to evolve.
A malicious package has been discovered in the Go ecosystem, imitating the BoltDB package. This package contains a backdoor, allowing remote code execution. The attack abused the Go Module Mirror’s caching mechanism, which allowed the malicious version to persist undetected for an extended period. Developers who manually audited the package on GitHub did not find malicious code, because the git tag on GitHub had been strategically altered to conceal the malware from manual review.
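The reason a re-pointed git tag does not help the attacker once a build pins the module is that go.sum records an `h1:` hash over the module contents, not over the tag. The following is an added example (not code from Zyxel, Trimble, Go, or the package described above) that reimplements the `h1:` directory-hash algorithm used by go.sum and `go mod verify` (the reference implementation lives in `golang.org/x/mod/sumdb/dirhash`). The module file sets, the `example.com/placeholder/db` module path and both versions of `db.go` are constructed in memory for the demonstration; the point is that the hash of the module the proxy cached is what a defender should compare against the hash of the source actually reviewed, and that any divergence between the two is visible as a checksum mismatch.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
)

// ModuleFiles maps paths as they appear inside a module zip
// ("module@version/relative/path") to file contents. Constructed in memory
// here instead of being read from a real module zip.
type ModuleFiles map[string]string

// Hash1 reimplements the "h1:" hash written to go.sum: SHA-256 over the
// sorted lines "<sha256hex>  <filename>\n", one per file, base64-encoded.
// This is the same construction as dirhash.Hash1 in golang.org/x/mod.
func Hash1(files ModuleFiles) string {
	names := make([]string, 0, len(files))
	for name := range files {
		names = append(names, name)
	}
	sort.Strings(names) // order is part of the hash, so it must be canonical
	h := sha256.New()
	for _, name := range names {
		fileSum := sha256.Sum256([]byte(files[name]))
		fmt.Fprintf(h, "%x  %s\n", fileSum, name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(h.Sum(nil))
}

// Verify reports whether a module's content still matches the pinned go.sum hash.
func Verify(pinned string, files ModuleFiles) bool {
	return Hash1(files) == pinned
}

// ReviewedModule is the constructed content a reviewer would see when
// checking out the tag on GitHub after the tag was moved.
func ReviewedModule() ModuleFiles {
	return ModuleFiles{
		"example.com/placeholder/db@v1.0.0/go.mod": "module example.com/placeholder/db\n\ngo 1.21\n",
		"example.com/placeholder/db@v1.0.0/db.go":  "package db\n\nfunc Open(path string) error { return nil }\n",
	}
}

// CachedModule is the constructed content the module mirror kept from the
// first fetch; it differs from what the moved tag now points at.
func CachedModule() ModuleFiles {
	m := ReviewedModule()
	m["example.com/placeholder/db@v1.0.0/db.go"] =
		"package db\n\nfunc init() { /* content not present in the reviewed tag */ }\n\n" +
			"func Open(path string) error { return nil }\n"
	return m
}

func main() {
	pinned := Hash1(CachedModule()) // what go.sum recorded at first fetch
	fmt.Println("go.sum entry:    ", pinned)
	fmt.Println("reviewed source: ", Hash1(ReviewedModule()))
	fmt.Println("reviewed matches go.sum:", Verify(pinned, ReviewedModule()))
	fmt.Println("cached matches go.sum:  ", Verify(pinned, CachedModule()))
}
```

In practice the pinned value comes from the go.sum line for the module, and the content to compare against is the module zip from `go mod download -json` (which also reports the `Sum` field); a mismatch between the checksum of the cached zip and the checksum of a fresh checkout of the tag is exactly the signal that the source reviewers looked at is not what builds consumed.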
Ransomware payments significantly decreased in 2024, falling 35% to ~$813.55 million, as more victims refused to pay. Despite a higher number of victims being posted on ransomware gang leak sites, fewer organizations yielded to extortion demands. This shift indicates a growing resistance to paying ransoms, potentially driven by improved data recovery strategies and law enforcement efforts.
The report underscores the evolving landscape of ransomware attacks, with victims increasingly refusing to pay. It also suggests that while the number of attacks may remain high, the financial success of ransomware operations is diminishing, signaling a potential change in attacker tactics.
The Kimsuky APT group is actively employing a custom-built RDP Wrapper and proxy tools to gain unauthorized access to infected machines, enabling persistent cyber espionage. This involves spear-phishing tactics and the distribution of malicious shortcut files disguised as legitimate documents. AhnLab’s ASEC team has released a blog post detailing additional malware used in these attacks. This highlights the group’s evolving tactics and persistent threat to organizations.
Cisco addressed two critical remote code execution flaws in its Identity Services Engine (ISE), tracked as CVE-2025-20124 (CVSS score of 9.9) and CVE-2025-20125 (CVSS score of 9.1). A remote attacker authenticated with read-only administrative privileges could exploit these vulnerabilities to gain unauthorized access and control over the affected system. These flaws could allow attackers to perform privilege escalation and system configuration changes.
Successful exploitation could allow attackers to execute arbitrary code, potentially leading to a full system compromise. Cisco has released software updates to address these vulnerabilities, and administrators are urged to apply the updates as soon as possible to mitigate the risk of exploitation.
Spanish authorities have arrested an individual for allegedly hacking several high-profile organizations, including NATO and the US Army. The hacker, known as “natohub,” is suspected of conducting over 40 cyberattacks throughout 2024, targeting both public institutions and private entities. Stolen data was then sold on BreachForums.
The arrest highlights the ongoing threat posed by malicious actors targeting government and military systems, and the importance of international cooperation in combating cybercrime.
Five Eyes cybersecurity agencies (UK, Australia, Canada, New Zealand, and the US) have jointly issued guidance urging makers of network edge devices and appliances to improve forensic visibility. The aim is to help defenders detect attacks and investigate breaches more effectively. This guidance emphasizes the importance of robust security measures for devices that form the perimeter of networks, such as firewalls, routers, and VPN gateways.
Network edge devices are often targeted by adversaries to infiltrate critical infrastructure networks and systems. Improving forensic visibility can enable quicker detection and response to security incidents, minimizing potential damage and downtime. The guidance is intended for both device manufacturers and critical infrastructure owners and operators.
A zero-click spyware attack, attributed to Israeli firm Paragon, targeted around 90 WhatsApp users, including journalists and civil society members. The attack required no user interaction, which makes it especially dangerous. The spyware was delivered via malicious PDFs sent through WhatsApp groups. This campaign shows how threat actors continue to develop sophisticated zero-click techniques to compromise mobile devices, and underscores the risk to journalists and activists. WhatsApp has taken steps to neutralize the attack and has notified all the victims.
Grubhub, a popular food-ordering and delivery platform, has confirmed a data breach affecting the personal information of both customers and drivers. An unauthorized third party accessed Grubhub’s systems, compromising contact information and partial payment details for some users. The company is urging affected users to change their passwords.
The breach highlights the risks associated with third-party service providers and the importance of robust security measures to protect sensitive user data. It also underscores the need for users to be vigilant about their online security and to take steps to protect their personal information.
Nova Stealer, a modified variant of SnakeLogger, is being sold on hacking forums as Malware-as-a-Service (MaaS) for as low as $50. This malware is designed to steal sensitive information, including credentials and financial data, making it a significant threat to individuals and organizations. The malware’s affordability and ease of deployment contribute to its widespread use by cybercriminals, increasing the risk of data breaches and financial losses.