Week 16
April 13 - 19
Trends
ransomware
The ransomware landscape is evolving with the emergence of new groups and tactics. Recent reports highlight the activities of NanoCrypt, Crypto24, and the reemergence of LockBit as LockBit v4, each employing different strategies to target victims. In particular, the CrazyHunter group is focusing on critical sectors in Taiwan using open-source tools. These developments underscore the increasing diversity and sophistication of ransomware operations, posing significant threats to various industries.
Follow-up source
https://www.broadcom.com/support/security-center/protection-bulletin/nanocrypt-ransomware
https://www.trendmicro.com/en_us/research/25/d/crazyhunter-campaign.html
cveprogram
The cybersecurity community is closely monitoring changes in the CVE program managed by MITRE, following concerns over funding and operational continuity. CISA has extended MITRE's contract to manage the CVE database, amidst fears of a potential lapse in services. This development reflects the critical importance of the CVE program in vulnerability tracking and the need for sustainable funding models to ensure its future stability and effectiveness.
Follow-up source
https://www.darkreading.com/vulnerabilities-threats/cve-program-cuts-cyber-sector
https://therecord.media/cisa-extends-cve-program-contract-with-mitre
darkwebintel
A trend is emerging where threat intelligence firms are purchasing verified accounts on hacking forums to gain deeper insights into cybercrime operations. This approach aims to enhance visibility into the dark web and improve threat intelligence capabilities. While this raises ethical considerations, it demonstrates the lengths to which firms are going to preemptively understand and counteract cyber threats.
Follow-up source
awsvulnerabilities
AWS security vulnerabilities are under scrutiny with recent discussions around leaked credentials, path traversal, and SSRF bugs. These issues highlight the challenges in maintaining cloud security and the potential for exploitation by threat actors. Organizations leveraging AWS services must remain vigilant and adopt robust security practices to protect against emerging threats.
Follow-up source
https://arcticwolf.com/resources/blog/ransomware-campaign-encrypting-amazon-s3-buckets-using-sse-c/
https://cymulate.com/blog/aws-ssm-agent-plugin-id-path-traversal/
https://www.reddit.com/r/aws/comments/cpgrl4/ssrf_vulnerabilities_in_aws/
intrusion
A convergence of sophisticated malware campaigns is emerging, targeting a wide array of technologies and platforms. Recent incidents involve a malvertising campaign leveraging Node.js to target crypto users with fake Binance and TradingView installers, as well as ransomware actors focusing on domain controllers for swift network compromise. These attacks highlight a trend where threat actors are increasingly targeting both individual users and critical network infrastructure. The involvement of major organizations such as Microsoft, Binance, and TradingView underscores the broad impact and potential industry disruption of such threats. IT professionals must prioritize securing domain controllers and educating users about the risks of malvertising and phishing to mitigate these evolving threats.
Follow-up source
phishing
The cybersecurity landscape is witnessing a rise in the use of unconventional file types for phishing attacks. The recent technical report by Sublime Security on the TROX Stealer and the increasing abuse of SVG files in phishing campaigns highlight this trend. SVG files, commonly used for vector graphics, are being exploited because the format is XML and can embed scripts, so a file that looks like an image can carry active content past filters tuned for traditional attachment types. This signifies a shift in phishing tactics, posing a significant threat to email security. Organizations need to enhance their email filtering systems and train employees to recognize and handle suspicious emails to prevent data breaches.
Follow-up source
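The SVG abuse described above comes down to active content hiding inside an image format. As an added example (not code from the original digest or from Sublime Security), the following Python scanner parses an SVG attachment and reports the constructs a mail filter should treat as suspicious: script elements, foreignObject wrappers, on* event-handler attributes, and javascript: hrefs. The two SVG documents embedded in it are constructed samples, not files from any real campaign.

```python
import xml.etree.ElementTree as ET


def local_name(qualified: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return qualified.rsplit("}", 1)[-1].lower()


def scan_svg(data: bytes) -> list[str]:
    """Return human-readable findings for script-bearing content in an SVG file."""
    findings: list[str] = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # A malformed file is still worth flagging: renderers are more lenient than parsers.
        return [f"unparseable XML: {exc}"]
    for elem in root.iter():  # document order, root included
        name = local_name(elem.tag)
        if name == "script":
            findings.append("<script> element")
        elif name == "foreignobject":
            findings.append("<foreignObject> element (can wrap arbitrary HTML)")
        for attr, value in elem.attrib.items():
            aname = local_name(attr)  # handles both href and xlink:href
            if aname.startswith("on"):
                findings.append(f"event handler '{aname}' on <{name}>")
            elif aname == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL in href on <{name}>")
    return findings


def is_suspicious(data: bytes) -> bool:
    """Policy hook: any finding is enough to quarantine the attachment."""
    return bool(scan_svg(data))


# Constructed samples (not real attachments).
BENIGN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    b'<rect width="10" height="10" fill="red"/></svg>'
)

SCRIPTED_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" '
    b'xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">'
    b"<script>alert(1)</script>"
    b'<a xlink:href="javascript:void(0)"><text>Open document</text></a>'
    b"</svg>"
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("scripted", SCRIPTED_SVG)):
        print(label, scan_svg(sample) or ["clean"])
```

The scanner uses only the standard library; for untrusted mail at scale, parse with defusedxml instead of xml.etree to avoid entity-expansion attacks, and treat a positive result as a quarantine decision rather than a verdict, since legitimate SVG exports rarely contain any of these constructs.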
Directives
goffee
The threat actor known as Paper Werewolf has been deploying new malware called Goffee, specifically targeting flash drives. This threat actor has also been using a malware implant named PowerModul in cyberattacks on Russian sectors, posing significant security risks. This affects users and businesses that rely on flash drive technology for data storage and transfer, raising concerns about the vulnerability of these devices to malware. The industry-wide implication is the increased need for organizations to adopt stringent security measures to protect portable storage devices against such advanced threats.
Follow-up source
patch
A critical security flaw has been identified in tools used for GPU-accelerated containers on NVIDIA hardware. This vulnerability, which impacts AI workloads, necessitates the immediate application of a secondary patch to mitigate risks. Organizations relying on NVIDIA technology are at a heightened risk of exposure, potentially affecting AI models and critical infrastructure. The broader industry implication is the urgency for companies leveraging GPU technologies to prioritize software patching and system updates to prevent exploitation.
Follow-up source
ntlm
A flaw in Microsoft's NTLM protocol has been actively exploited by multiple threat groups, leading to ongoing attacks even after patches were released. This vulnerability, identified as CVE-2025-24054, is being used to target government and private institutions in Poland and Romania, with attackers stealing NTLM credentials during file downloads. Organizations using Microsoft Windows need to be vigilant in monitoring for suspicious activities and ensure their systems are updated with the latest patches to protect against these ongoing threats.
Follow-up source
https://thehackernews.com/2025/04/cve-2025-24054-under-active.html
https://www.scworld.com/news/alarms-sound-over-attacks-via-microsoft-ntlm-vulnerability
brickstorm
Chinese-linked Advanced Persistent Threats (APTs) have been deploying backdoors, known as Brickstorm, on European networks targeting critical infrastructure. These APTs leverage gaps in Endpoint Detection and Response (EDR) visibility to conduct cyber espionage. Network administrators need to implement additional security measures to detect and prevent these backdoors, thereby safeguarding vital infrastructure. The industry implication highlights the critical importance of enhancing network visibility and closing security gaps to counter sophisticated cyber threats.
Follow-up source
https://thehackernews.com/2025/04/chinese-hackers-target-linux-systems.html
https://www.msspalert.com/brief/chinese-hackers-deploy-snowlight-and-vshell-in-linux-intrusions
nist
The National Institute of Standards and Technology (NIST) has updated its Privacy Framework to better align with the Cybersecurity Framework. This update integrates AI and governance revisions aimed at enhancing privacy risk management strategies. Organizations are encouraged to review and incorporate these changes to bolster their privacy protection measures, ensuring a more robust defense against potential data privacy breaches.
Follow-up source
clearance
The resignation of Chris Krebs from SentinelOne following the revocation of his security clearance by the Trump administration raises concerns about the targeting of cybersecurity professionals. This incident underscores the need for organizations to monitor potential threats and ensure robust security measures are in place to protect against politically motivated pressures and security clearance revocations that could impact their operations and personnel.
Follow-up source
https://www.darkreading.com/cybersecurity-operations/trump-chris-krebs-resigns-sentinelone
https://www.onsitecomputing.net/2025/04/10/trump-doj-krebs-revokes-sentinelone-security-clearance/
https://www.theregister.com/2025/04/17/krebs_quits_sentinelone/
android
Malware targeting crypto wallets on Android devices is a growing threat, with attackers swapping wallet addresses to steal cryptocurrency. Some Chinese Android phones come preloaded with fake WhatsApp and Telegram apps, further increasing the risk for crypto users. Regular updates and malware scans are essential, and users should rely on trusted sources for app downloads and verify wallet addresses before transactions to mitigate theft risks.
Follow-up source
roller
A critical vulnerability in Apache Roller allows adversaries to maintain persistent access because existing sessions are not invalidated after a password reset. IT professionals should ensure that Apache Roller is updated to the latest version to patch this vulnerability and should actively monitor for any unauthorized access to prevent exploitation.
Follow-up source
https://securityvulnerability.io/vulnerability/CVE-2025-24859
https://thehackernews.com/2025/04/critical-apache-roller-vulnerability.html
https://www.darkreading.com/vulnerabilities-threats/max-severity-bug-apache-roller-persistent-access
cleo
The Hertz Corporation has disclosed a data breach stemming from a zero-day vulnerability in Cleo-managed file-transfer products, exploited by the Clop ransomware gang. This breach has compromised customer data, including credit card and driver's license information. Retail companies using Cleo products should urgently update their systems to address these vulnerabilities and enhance their data protection measures to prevent similar incidents.
Follow-up source
https://www.infosecurity-magazine.com/news/hertz-data-breach-exposes-customer/
https://www.computerweekly.com/news/366622655/Hertz-warns-UK-customers-of-Cleo-linked-data-breach
bots
Bad bots are becoming increasingly difficult to detect due to AI advancements that enable them to mimic human behaviors and employ complex evasion techniques. Organizations should implement advanced bot detection mechanisms capable of distinguishing between legitimate and malicious activities to protect against bot-driven threats. This trend highlights the necessity for enhanced security measures to address the evolving sophistication of bot technologies.
Follow-up source
https://www.darkreading.com/vulnerabilities-threats/ai-bad-bots-are-taking-over-web
https://www.securityweek.com/ai-hallucinations-create-a-new-software-supply-chain-threat/
fortinet
A zero-day vulnerability in Fortinet devices allows for arbitrary code execution, with threat actors maintaining remote access even after patches are applied. Organizations should immediately update their Fortinet systems to the latest firmware to mitigate these risks and prevent exploitation. Continuous monitoring is also essential to detect and respond to any unauthorized access.
Follow-up source
https://www.darkreading.com/vulnerabilities-threats/fortinet-zero-day-arbitrary-code-execution
https://socradar.io/fortigate-devices-compromised-by-backdoor-technique/
https://thehackernews.com/2025/04/fortinet-warns-attackers-retain.html
https://www.cybersecuritydive.com/news/fortinet-threat-activity-older-vulnerabilities/745155/
erlang
A maximum-severity remote code execution flaw has been discovered in Erlang/OTP's SSH implementation, allowing unauthenticated code execution. IT professionals should update their Erlang/OTP installations to the latest version to mitigate this critical security risk. This vulnerability underscores the importance of timely software updates to protect systems from potential exploitation.
Follow-up source
https://www.rcesecurity.com/2025/04/sap-emarsys-sdk-for-android-sensitive-data-leak-cve-2023-6542/
https://thehackernews.com/2025/04/critical-erlangotp-ssh-vulnerability.html
https://www.securityweek.com/sap-patches-critical-code-injection-vulnerabilities/
https://github.com/erlang/otp/security/advisories/GHSA-37cp-fgq5-7wc2
apple
Apple has released security updates for iOS to address two zero-day vulnerabilities actively exploited in targeted attacks. These vulnerabilities also affect macOS, tvOS, and visionOS. Users should immediately update their devices to the latest versions to protect against exploitation and ensure the security of sensitive data.
Follow-up source
https://isc.sans.edu/forums/diary/Apple+Patches+Exploited+Vulnerability/31866/
https://www.techrepublic.com/article/news-apple-patches-zero-days-ios-macos/
https://thehackernews.com/2025/04/apple-patches-two-actively-exploited.html
poland
Russian cyberattacks are escalating in Poland as the presidential election approaches, with hacktivists also targeting Finland's election through DDoS attacks on political party websites. Government agencies in Poland should enhance their cybersecurity defenses and implement threat intelligence sharing mechanisms to stay informed about potential threats and protect against escalating cyber threats.
Follow-up source
law
A UK law firm has been fined £60,000 by the Information Commissioner's Office for leaking customer information during a brute-force attack. This highlights the need for law firms to strengthen their cybersecurity posture by implementing multi-factor authentication and encryption measures to safeguard sensitive customer data.
Follow-up source
https://www.infosecurity-magazine.com/news/ico-issues-law-firm-fine-after/
https://www.dataguidance.com/news/uk-ico-fines-dpp-law-ltd-ps60000-over-data-security
ukraine
Ukraine has enacted a new cyber defense law aimed at bolstering national cybersecurity. This legislative move comes in the wake of recent arrests of hackers who breached government systems. The law is expected to enhance the resilience of Ukrainian organizations against cyber threats. Businesses and users are urged to align their cybersecurity practices with this law, implement incident response plans, and collaborate with government agencies to strengthen national cyber defense.
Follow-up source
https://www.newsweek.com/hackers-sentenced-15-years-5000-cyberattacks-against-ukraine-russia-1966344
southafrica
South Africa has mandated that companies report data breaches via an official eServices portal. This follows a significant data leak impacting Dutch ministries and the financial firm Adyen, which has prompted government investigation and data protection notifications. Organizations in South Africa should establish breach reporting procedures, ensure timely notifications to authorities, and conduct regular security assessments to proactively detect and mitigate potential breaches.
Follow-up source
aptclickfix
Advanced Persistent Threat (APT) groups are using a new tactic called ClickFix for initial payload delivery in their campaigns. This technique, revealed by Proofpoint, is being used in state-sponsored hacking activities. Organizations are advised to strengthen email security protocols, conduct employee training on phishing awareness, and deploy advanced threat detection mechanisms to counteract these threats.
Follow-up source
mustangpanda
The Mustang Panda APT group has been using new malware strains such as ToneShell, StarProxy, and PAKLOG in targeted attacks, particularly focusing on Myanmar. Security teams are advised to update their defenses to detect and block these new malware strains and tactically enhance their security measures to combat these threats effectively.
Follow-up source
sonicwall
A vulnerability in SonicWall Secure Mobile Access (SMA) devices, specifically a command injection flaw, is being actively exploited by threat actors. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has flagged this security flaw, urging users to apply patches to prevent exploitation. Organizations using these devices should act promptly to mitigate the risk.
Follow-up source
https://www.cybersecuritydive.com/news/sonicwall-sma100-vulnerability-exploited/745637/
https://thehackernews.com/2025/04/cisa-flags-actively-exploited.html
langflowai
A critical vulnerability in Langflow AI (CVE-2025-3248) is being exploited for remote code execution. Organizations using this technology should apply the necessary patches immediately and monitor for any unusual activity that may indicate exploitation of the vulnerability.
Follow-up source
https://www.horizon3.ai/attack-research/vulnerabilities/cve-2025-3248/
https://cymulate.com/blog/task-scheduler-new-vulnerabilities-for-schtasks-exe/
centrestack
A critical remote code execution (RCE) vulnerability in Gladinet CentreStack (CVE-2025-30406) has been identified, with a severity rating of 9.8. Organizations using this product are advised to immediately apply vendor-recommended mitigations and monitor for exploitation attempts.
Follow-up source
4chanhack
4chan has experienced a breach where hackers exposed PHP source code and administrator email addresses, exploiting vulnerabilities due to lack of maintenance and patching. Organizations should prioritize regular system maintenance and patching to prevent similar vulnerabilities from being exploited.
Follow-up source
tlsreduction
The CA/Browser Forum has announced a reduction in TLS certificate validity to 47 days by 2029, starting in phases next year. IT professionals are advised to prepare for shorter validity periods and ensure timely renewal and replacement to comply with these new requirements.
Follow-up source
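The practical consequence of the validity reduction is that certificate renewal has to become a scheduled, automated process with an inventory behind it. As an added example (not code from the digest or the CA/Browser Forum), the following Python audit takes a constructed certificate inventory, works out the maximum lifetime that applied on each certificate's issuance date, flags certificates issued with a longer lifetime than allowed, and flags those inside a renewal lead window. The phase dates in PHASES are my reading of the ballot schedule, not values from this page; verify them against the ballot text before using them as policy.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed phase schedule: (effective date, maximum certificate lifetime in days).
# Taken from my reading of CA/Browser Forum ballot SC-081; verify before relying on it.
PHASES = [
    (date(2026, 3, 15), 200),
    (date(2027, 3, 15), 100),
    (date(2029, 3, 15), 47),
]
LEGACY_MAX_DAYS = 398  # maximum lifetime before the first phase takes effect


def max_lifetime_on(issued: date) -> int:
    """Maximum allowed lifetime (days) for a certificate issued on the given date."""
    limit = LEGACY_MAX_DAYS
    for start, days in PHASES:
        if issued >= start:
            limit = days
    return limit


@dataclass(frozen=True)
class Cert:
    subject: str
    not_before: date
    not_after: date

    @property
    def lifetime_days(self) -> int:
        return (self.not_after - self.not_before).days


def renewal_due(cert: Cert, lead_days: int = 7) -> date:
    """Date by which a replacement should be issued, leaving lead_days of slack."""
    return cert.not_after - timedelta(days=lead_days)


def check(cert: Cert, today: date, lead_days: int = 7) -> list[str]:
    """Return policy findings for one certificate as of 'today'."""
    findings: list[str] = []
    allowed = max_lifetime_on(cert.not_before)
    if cert.lifetime_days > allowed:
        findings.append(
            f"{cert.subject}: lifetime {cert.lifetime_days}d exceeds the {allowed}d "
            f"limit for certificates issued on {cert.not_before}"
        )
    remaining = (cert.not_after - today).days
    if remaining < 0:
        findings.append(f"{cert.subject}: expired {-remaining}d ago")
    elif today >= renewal_due(cert, lead_days):
        findings.append(f"{cert.subject}: renew now, {remaining}d remaining")
    return findings


# Constructed inventory (hypothetical names, not real certificates).
INVENTORY = [
    Cert("legacy.example.test", date(2025, 6, 1), date(2026, 6, 1)),   # 365d, under 398d
    Cert("long.example.test", date(2029, 4, 1), date(2029, 6, 30)),    # 90d, over the 47d cap
    Cert("short.example.test", date(2029, 4, 1), date(2029, 5, 18)),   # 47d, compliant
]


def audit(today: date, inventory=INVENTORY, lead_days: int = 7) -> dict[str, list[str]]:
    """Run check() over the inventory and key the findings by subject."""
    return {cert.subject: check(cert, today, lead_days) for cert in inventory}


if __name__ == "__main__":
    for subject, findings in audit(date(2029, 5, 15)).items():
        print(subject, findings or ["ok"])
```

With a 47-day lifetime and a 7-day lead window, each certificate is replaced roughly every 40 days, which is only sustainable with automated issuance such as ACME; the audit is there to catch the certificates that automation missed, not to replace it.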
davitaransomware
The DaVita dialysis provider in the US has been disrupted by a ransomware attack, encrypting parts of its network. Healthcare IT teams are urged to enhance cybersecurity measures, including regular backups and employee training, to prevent and respond to such attacks.
Follow-up source
https://www.bankinfosecurity.com/ransomware-attack-disrupts-global-dialysis-provider-divita-a-27995
https://straussborrelli.com/2025/04/17/davita-data-security-investigation/
resolverrat
A phishing campaign using ResolverRAT is targeting the healthcare and pharmaceutical sectors, employing DLL side-loading techniques. Organizations in these sectors should bolster email security measures and educate employees on the risks associated with suspicious attachments.
Follow-up source
https://www.infosecurity-magazine.com/news/malware-resolverrat-targets/
https://www.betterworldtechnology.com/post/resolverrat-cyber-threat-healthcare-pharma