Healthcare Sector
Balancing Data Protection And Clinical Usability In Healthcare
"In this Help Net Security interview, Aaron Weismann, CISO at Main Line Health, discusses the growing ransomware threat in healthcare and why the sector remains a prime target. He explains the difficulties of protecting patient information, securing legacy systems, and maintaining cybersecurity without disrupting care. Weismann also shares practical steps for improving incident response and strengthening defenses with limited resources."
https://www.helpnetsecurity.com/2025/04/02/aaron-weismann-main-line-health-healthcare-data-protection/
For Healthcare Orgs, Disaster Recovery Means Making Sure Docs Can Save Lives During Ransomware Infection
"When IT disasters strike, it can become a matter of life and death for healthcare organizations – and criminals know it. We’re not exaggerating the risks: In 2024 a successful ransomware attack on a Texas trauma hospital saw it turn away ambulances - and that was just one of hundreds of known ransomware infections at US hospitals."
https://www.theregister.com/2025/04/02/disaster_recovery_healthcare/
New Tooling
BlueToolkit: Open-Source Bluetooth Classic Vulnerability Testing Framework
"BlueToolkit is an open-source tool that helps find security flaws in Bluetooth Classic devices. It runs known and custom exploits to test if a device is vulnerable. Right now, it includes 43 different exploits. Some are public, and others were made specifically for this toolkit. “The framework allows you to reuse PoCs of different attacks and connect your own hardware with minimal code/configuration needed. The concept is simple and known – vulnerability scanners make use of it, but there was no Bluetooth Classic vulnerability scanner and BlueToolkit solves this problem,” the creator of BlueToolkit told Help Net Security."
https://www.helpnetsecurity.com/2025/04/02/bluetoolkit-open-source-bluetooth-classic-vulnerability-testing-framework/
https://github.com/sgxgsx/BlueToolkit
Vulnerabilities
Chrome 135, Firefox 137 Patch High-Severity Vulnerabilities
"Google and Mozilla on Tuesday announced the release of Chrome 135 and Firefox 137 to the stable channel with patches for nearly two dozen vulnerabilities, including high-severity memory safety bugs. Chrome 135 was promoted to the stable channel with 14 security fixes, including nine for defects reported by external researchers. The most severe of these is CVE-2025-3066, a high-severity use-after-free flaw in Navigations."
https://www.securityweek.com/chrome-135-firefox-137-patch-high-severity-vulnerabilities/
CISA Adds One Known Exploited Vulnerability To Catalog
"CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2025-24813 Apache Tomcat Path Equivalence Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/04/01/cisa-adds-one-known-exploited-vulnerability-catalog
https://securityaffairs.com/176129/security/u-s-cisa-adds-apache-tomcat-flaw-known-exploited-vulnerabilities-catalog.html
Hacking The Call Records Of Millions Of Americans
"Imagine if anyone could punch in a phone number from the largest U.S. cell carrier and instantly retrieve a list of its recent incoming calls—complete with timestamps—without compromising the device, guessing a password, or alerting the user. Now imagine that number belongs to a journalist, a police officer, a politician, or someone fleeing an abuser. This capability wasn’t a hypothetical."
https://evanconnelly.github.io/post/hacking-call-records/
https://www.bleepingcomputer.com/news/security/verizon-call-filter-api-flaw-exposed-customers-incoming-call-history/
In Localhost We Trust: Exploring Vulnerabilities In Cortex.cpp, Jan’s AI Engine
"A recent Andreessen report shows a growing trend in self-hosted AI, jumping from 42% to 75% year-over-year. It demonstrates the notion among developers that on-premise is inherently more secure, but it still comes fraught with danger if you're not hyper-focused on security in addition to the AI. This came into play recently as the Snyk Security Labs team identified vulnerabilities within Cortex.cpp powering Jan AI, a customizable local AI platform created by Menlo Research, an R&D lab for the robotics industry. With vulnerabilities ranging from missing CSRF protection of state-changing endpoints to command injection, an attacker can leverage these to take control of a self-hosted server or issue drive-by attacks against LLM developers."
https://snyk.io/articles/in-localhost-we-trust-exploring-vulnerabilities-in-cortex-cpp-jans-ai-engine/
https://www.securityweek.com/vulnerabilities-expose-jan-ai-systems-to-remote-manipulation/
Cisco Meraki MX And Z Series AnyConnect VPN Denial Of Service Vulnerability
"A vulnerability in the Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z Series devices could allow an authenticated, remote attacker to cause a denial of service (DoS) condition in the Cisco AnyConnect service on an affected device. To exploit this vulnerability, the attacker must have valid VPN user credentials on the affected device."
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-meraki-mx-vpn-dos-vNRpDvfb
Cisco Enterprise Chat And Email Denial Of Service Vulnerability
"A vulnerability in chat messaging features of Cisco Enterprise Chat and Email (ECE) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. This vulnerability is due to improper validation of user-supplied input to chat entry points. An attacker could exploit this vulnerability by sending malicious requests to a messaging chat entry point in the affected application. A successful exploit could allow the attacker to cause the application to stop responding, resulting in a DoS condition. The application may not recover on its own and may need an administrator to manually restart services to recover."
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ece-dos-tC6m9GZ8
Malware
The Beginning Of The End: The Story Of Hunters International
"At the end of 2023 and throughout 2024, the Ransomware-as-a-Service (RaaS) ecosystem was negatively impacted by several seismic events affecting the cybercrime supply chain. This included the arrests of criminals and law enforcement operations such as the Operations Endgame, Morpheus and Magnus conducted against botnet and stealer infrastructure, resources commonly used by ransomware groups’ affiliates to gain initial access to organizations’ networks, as well as to perform malicious actions during the post exploitation."
https://www.group-ib.com/blog/hunters-international-ransomware-group/
https://www.theregister.com/2025/04/02/hunters_international_rebrand/
FIN7 Deploys Anubis Backdoor To Hijack Windows Systems Via Compromised SharePoint Sites
"The financially motivated threat actor known as FIN7 has been linked to a Python-based backdoor called Anubis (not to be confused with an Android banking trojan of the same name) that can grant them remote access to compromised Windows systems. "This malware allows attackers to execute remote shell commands and other system operations, giving them full control over an infected machine," Swiss cybersecurity company PRODAFT said in a technical report of the malware."
https://thehackernews.com/2025/04/fin7-deploys-anubis-backdoor-to-hijack.html
https://catalyst.prodaft.com/public/report/anubis-backdoor/overview
https://securityaffairs.com/176134/malware/new-advanced-fin7s-anubis-backdoor-allows-to-gain-full-system-control-on-windows.html
Counterfeit Android Devices Found Preloaded With Triada Malware
"A new version of the Triada trojan has been discovered preinstalled on thousands of new Android devices, allowing threat actors to steal data as soon as they are set up. Kaspersky researchers report that this campaign mainly impacts Russian users, with at least 2,600 confirmed infections from March 13 to 27, 2025, based on visibility from its mobile protection tools. The security researchers noted that Triada was found on counterfeit versions of popular smartphone models sold at online stores at discounted prices to attract the interest of unsuspecting buyers."
https://www.bleepingcomputer.com/news/security/counterfeit-android-devices-found-preloaded-with-triada-malware/
The Weaponization Of PDFs: 68% Of Cyber Attacks Begin In Your Inbox, With 22% Of These Hiding In PDFs
"Over 400 billion PDF files were opened last year, and 16 billion documents were edited in Adobe Acrobat. Over 87% of organizations use PDFs as a standard file format for business communication, making them ideal vehicles for attackers to hide malicious code. Malicious PDFs have been cyber criminals’ favorite gateways for years but have now become even more popular."
https://blog.checkpoint.com/research/the-weaponization-of-pdfs-68-of-cyberattacks-begin-in-your-inbox-with-22-of-these-hiding-in-pdfs/
More Than Music: The Unseen Cybersecurity Threats Of Streaming Services
"As our daily lives become increasingly dependent on the internet for services, attackers are finding new and innovative ways to steal personal information from unconventional platforms. Many users use streaming services like Spotify and Apple Music for their convenience, often sharing their listening habits and preferences with friends or followers. Unfortunately, cybercriminals are highly aware of these popular platforms and culturally relevant trends, and they exploit users' trust in these services to deceive them into compromising their accounts."
https://cofense.com/blog/more-than-music-the-unseen-cybersecurity-threats-of-streaming-services
Gootloader Returns: Malware Hidden In Google Ads For Legal Documents
"The threat actor behind the Gootloader malware has once again changed their tactics, but also reverted to some of their old ways. Just like with the previous infection method, we are seeing Google Ads being used to target victims. But this time it is using a familiar lure. The threat actor is advertising legal templates, mainly around agreements. If this sounds familiar, for a very long period, Gootloader had over 5 million legal terms poisoned on compromised WordPress blogs. Now it looks like they have stood up their own infrastructure to deliver the malware. Let me walk you through the infection process."
https://gootloader.wordpress.com/2025/03/31/gootloader-returns-malware-hidden-in-google-ads-for-legal-documents/
https://www.darkreading.com/cyberattacks-data-breaches/gootloader-malware-google-ads-legal-docs
RolandSkimmer: Silent Credit Card Thief Uncovered
"Web-based credit card skimming remains a widespread and persistent threat, known for its ability to adapt and evolve over time. FortiGuard Labs recently observed a sophisticated campaign dubbed “RolandSkimmer,” named after the unique string “Rol@and4You” found embedded in its payload. This threat actor targets users in Bulgaria and represents a new wave of credit card skimming attacks leveraging malicious browser extensions across Chrome, Edge, and Firefox."
https://www.fortinet.com/blog/threat-research/rolandskimmer-silent-credit-card-thief-uncovered
TookPS: DeepSeek Isn’t The Only Game In Town
"In early March, we published a study detailing several malicious campaigns that exploited the popular DeepSeek LLM as a lure. Subsequent telemetry analysis indicated that the TookPS downloader, a malware strain detailed in the article, was not limited to mimicking neural networks. We identified fraudulent websites mimicking official sources for remote desktop and 3D modeling software, alongside pages offering these applications as free downloads."
https://securelist.com/tookps/116019/
Outlaw Linux Malware: Persistent, Unsophisticated, And Surprisingly Effective
"OUTLAW is a persistent yet unsophisticated auto-propagating coinminer package observed across multiple versions over the past few years [1], [2], [3], [4]. Despite lacking stealth and advanced evasion techniques, it remains active and effective by leveraging simple but impactful tactics such as SSH brute-forcing, SSH key and cron-based persistence, and manually modified commodity miners and IRC channels. This persistence highlights how botnet operators can achieve widespread impact without relying on sophisticated techniques."
https://www.elastic.co/security-labs/outlaw-linux-malware
https://thehackernews.com/2025/04/outlaw-group-uses-ssh-brute-force-to.html
Stripe API Skimming Campaign: Additional Victims And Insights
"A recently discovered web skimming campaign has introduced a novel technique that leverages a legacy Stripe API to validate stolen payment details before exfiltrating them. This tactic ensures that only valid card data is sent to the attackers, making the operation more efficient and potentially harder to detect. Our research team investigated and found additional victims. Those results, along with some additional insights, are presented here."
https://jscrambler.com/blog/stripe-api-skimming-campaign
https://www.infosecurity-magazine.com/news/stripe-api-skimming-campaign-new/
Qilin Affiliates Spear-Phish MSP ScreenConnect Admin, Targeting Customers Downstream
"Late in January 2025, a Managed Service Provider (MSP) administrator received a well-crafted phishing email containing what appeared to be an authentication alert for their ScreenConnect Remote Monitoring and Management (RMM) tool. That email resulted in Qilin ransomware actors gaining access to the administrator’s credentials—and launching ransomware attacks on the MSP’s customers."
https://news.sophos.com/en-us/2025/04/01/sophos-mdr-tracks-ongoing-campaign-by-qilin-affiliates-targeting-screenconnect/
Smoked Out - Emmenhtal Spreads SmokeLoader Malware
"We observed a malicious campaign targeting First Ukrainian International Bank (pumb[.]ua) and noticed the usage of a stealthy malware loader known as Emmenhtal (sic! - this spelling refers to the HTA component of this loader, hence the slightly unorthodox spelling "EmmenHTAl"), also referred to by Google as Peaklight. This loader has been active since early 2024 and is primarily used by financially motivated threat actors to distribute commodity infostealers such as CryptBot and Lumma. In this campaign, we have observed that Emmenhtal Loader has been chained together with SmokeLoader malware, allowing threat actors to leverage its modular capabilities for deploying additional malware dynamically."
https://www.gdatasoftware.com/blog/2025/03/38160-emmenhtal-smokeloader-malware
Breaches/Hacks/Leaks
Royal Mail Investigates Data Leak Claims, No Impact On Operations
"Royal Mail is investigating claims of a security breach after a threat actor leaked over 144GB of data allegedly stolen from the company's systems. When asked to confirm the authenticity of the leaked data, a Royal Mail spokesperson told BleepingComputer that the British postal service is aware of an incident at Spectos GmbH, a third-party data collection and analytics service provider."
https://www.bleepingcomputer.com/news/security/royal-mail-investigates-data-leak-claims-no-impact-on-operations/
https://hackread.com/hacker-leaks-royal-mail-group-data-supplier-spectos/
https://www.infosecurity-magazine.com/news/royal-mail-investigates-data/
Native Tribe In Minnesota Says Cyber Incident Knocked Out Healthcare, Casino Systems
"The Lower Sioux Indian Community warned residents on Wednesday that a cyberattack caused disruptions for the local healthcare facility, government center and casino. After days of reported technology outages, the federally-recognized Indian tribe located in south central Minnesota said it was forced to activate incident response protocols following a cybersecurity incident that was discovered on some systems connected to Jackpot Junction, the local casino controlled by the tribe."
https://therecord.media/native-minnesota-tribe-says-cyber-incident-disrupted-healthcare-casino
General News
Only 1% Of Malicious Emails That Reach Inboxes Deliver Malware
"99% of email threats reaching corporate user inboxes in 2024 were response-based social engineering attacks or contained phishing links, according to Fortra. Only 1% of malicious emails that reached user inboxes delivered malware. This shows that while common pre-delivery email defenses are effective at stopping malware, they are far less capable of blocking high risk threats like business email compromise and credential phishing."
https://www.helpnetsecurity.com/2025/04/02/email-attacks-social-engineering/
Your Smart Home May Not Be As Secure As You Think
"The Internet of Things (IoT) has become a major part of daily life. Smartphones, smart thermostats, security cameras, and other connected devices make tasks easier and improve comfort, efficiency, and productivity. But as the number of devices grows, so do security risks. In this article, we explore the security challenges of smart IoT devices in the home, potential threats like hacking and privacy breaches, and measures users can take to ensure the security of their connected devices."
https://www.helpnetsecurity.com/2025/04/02/smart-home-devices-security/
How An Interdiction Mindset Can Help Win War On Cyberattacks
"It often seems like the cybersecurity industry is fighting a losing battle. Cyberattacks continue to worsen, whether via ransomware or business email compromise; destructive ransomware groups keep making headlines; and attack severity is skyrocketing. Despite our best efforts, we remain locked in a defensive struggle against attackers who adapt faster than we can react."
https://www.darkreading.com/cyberattacks-data-breaches/how-interdiction-mindset-cyberattacks
Visibility, Monitoring Key To Enterprise Endpoint Strategy
"If security teams want to understand the state of their organizations' security posture, they must understand the state of their endpoints. The latest Dark Reading report, "EDR, SIEM, SOAR, and MORE: How to Determine the Right Endpoint Strategy for Your Enterprise," delves into how to ensure security teams get the visibility and monitoring they need for their organizations."
https://www.darkreading.com/endpoint-security/visibility-monitoring-key-to-enterprise-endpoint-strategy
Threat Spotlight: The Good, The Bad, And The ‘Gray Bots’ – The Gen AI Scraper Bots Targeting Your Web Apps
"Bots are automated software programs designed to carry out online activities at scale. There are good bots — such as search engine crawler bots, SEO bots, and customer service bots — and bad bots, designed for malicious or harmful online activities like breaching accounts to steal personal data or commit fraud. In the space between them you will find what Barracuda calls “gray bots.” Generative AI scraper bots are gray bots designed to extract or scrape large volumes of data from websites, often to train generative AI models. Other examples of gray bots are web scraper bots and automated content aggregators that collect web content such as news, reviews, travel offers, etc."
https://blog.barracuda.com/2025/04/02/threat-spotlight-gray-bots-gen-ai-scraper-bots-targeting-web-apps
https://www.infosecurity-magazine.com/news/gray-bots-generative-ai-scraper/
Bybit Heist Fuels Record Crypto-Theft Surge, Says CertiK
"Crypto theft is on the rise, with the first quarter of 2025 reportedly breaking the record for the highest amount of digital assets stolen in history, according to CertiK. The blockchain security firm released its Hack3d: Q1 2025 Report on April 2, 2025. The report revealed that hackers stole over $1.67bn in digital assets across 197 security incidents in the first quarter of 2025, marking a staggering 303% increase from the previous quarter."
https://www.infosecurity-magazine.com/news/record-crypto-theft-certik-bybit/
AI Giving Rise Of The ‘Zero-Knowledge’ Threat Actor
"Artificial intelligence is a double-edged sword. On one side, AI empowers people to do their jobs better and faster while on the other, it enables people with malicious intent to become scammers, hacktivists and cyber criminals."
https://www.securityweek.com/ai-giving-rise-of-the-zero-knowledge-threat-actor/
Google DeepMind Unveils Framework To Exploit AI’s Cyber Weaknesses
"Strong defense comes from attacking the enemy’s weak points. Google DeepMind has developed an evaluation framework that highlights the areas where adversarial AI is weakest, allowing defenders to prioritize their defensive strategies. DeepMind works at the cutting edge of AI – what it calls Frontier AI. This includes the path toward AGI (artificial general intelligence) where AI becomes able to reason for itself. In a new report (PDF), DeepMind analyzes the use of current AI in cyberattacks, and the common frameworks used in evaluating such attacks – and finds them to be lacking. This will only worsen as the capabilities of AI and adversarial use of emerging AI improves."
https://www.securityweek.com/google-deepmind-unveils-framework-to-exploit-ais-cyber-weaknesses/
https://arxiv.org/pdf/2503.11917
Global Crackdown On Kidflix, A Major Child Sexual Exploitation Platform With Almost Two Million Users
"Kidflix, one of the largest paedophile platforms in the world, has been shut down in an international operation against child sexual exploitation. The investigation was supported by Europol and led by the State Criminal Police of Bavaria (Bayerisches Landeskriminalamt) and the Bavarian Central Office for the Prosecution of Cybercrime (ZCB). Over 35 countries worldwide participated in the operation."
https://www.europol.europa.eu/media-press/newsroom/news/global-crackdown-kidflix-major-child-sexual-exploitation-platform-almost-two-million-users
https://therecord.media/csam-platform-kidflix-shut-down-europol
https://www.bleepingcomputer.com/news/security/police-shuts-down-kidflix-child-sexual-exploitation-platform/
https://hackread.com/dark-web-largest-child-abuse-network-kidflix-busted/
The Overlooked Six | AWS Security Blind Spots
"In this post, we’ll dig into six of what I like to call “AWS security blind spots” – those often overlooked controls, techniques, or risks related to our cloud infrastructure. We’ll explore why they’re so easy to miss, why they matter, and, most importantly, how to address them. From the intricacies of Service Control Policies in multi-account strategies to the often-neglected principle of infrastructure immutability, we’ll cover ground that goes beyond the usual top ten misconfigurations."
https://www.sentinelone.com/blog/the-overlooked-six-aws-security-blind-spots/
Reference
Electronic Transactions Development Agency (ETDA)