Cyber Threat Intelligence 11 April 2025
Vulnerabilities
- 100,000 WordPress Sites Affected By Administrative User Creation Vulnerability In SureTriggers WordPress Plugin
"On March 13th, 2025, we received a submission for an Unauthenticated Administrative User Creation vulnerability in SureTriggers, a WordPress plugin with more than 100,000 active installations. This vulnerability can be leveraged by attackers to create malicious administrator users when the plugin is not configured with an API key."
https://www.wordfence.com/blog/2025/04/100000-wordpress-sites-affected-by-administrative-user-creation-vulnerability-in-suretriggers-wordpress-plugin/
https://patchstack.com/articles/critical-suretriggers-plugin-vulnerability-exploited-within-4-hours/
https://www.bleepingcomputer.com/news/security/hackers-exploit-wordpress-plugin-auth-bypass-hours-after-disclosure/
- Juniper Networks Patches Dozens Of Junos Vulnerabilities
"Juniper Networks on Wednesday announced patches for dozens of vulnerabilities in Junos OS, Junos OS Evolved, and in third-party dependencies in Junos Space. Fixes were rolled out for 11 high-severity bugs in Junos OS, at least one of which also impacts Junos OS Evolved. Successful exploitation of these flaws could lead to denial-of-service (DoS) conditions. The security defects were identified in Junos OS components such as packet forwarding engine (pfe), flow daemon (flowd), routing protocol daemon (rpd), Anti-Virus processing, flexible PIC concentrator (FPC), jdhcpd daemon, web management interfaces, and syslog stream TCP transport."
https://www.securityweek.com/juniper-networks-patches-dozens-of-junos-vulnerabilities/
- DIVD-2024-00043 - CyberAudit-Web - SSRF And Authentication Bypass CVEs Registered
"CyberAudit-Web is a software suite for the CyberLock system, an electronic lock. Researchers of DIVD have found two vulnerabilities in the CyberAudit-Web suite, potentially allowing malicious actors to compromise CyberAudit-Web installations and the locks associated with it. The two vulnerabilities include a Server-Side Request Forgery vulnerability in older versions of the videx-legacy-ssl web service and an Authentication Bypass in CyberAudit-Web versions before 9.8.11, which are End-of-Maintenance (EOM). Acknowledging the severity, Videx has made a patch available for both customers with and without a support contract."
https://csirt.divd.nl/cases/DIVD-2024-00043/
- Nissan Leaf Hacked For Remote Spying, Physical Takeover
"Researchers have demonstrated that a series of vulnerabilities affecting the Nissan Leaf electric vehicle can be exploited to remotely hack the car, including for spying and the physical takeover of various functions. The research was conducted by PCAutomotive, a company that offers penetration testing and threat intelligence services for the automotive and financial services industries. The Nissan Leaf hacking was detailed last week at Black Hat Asia 2025."
https://www.securityweek.com/nissan-leaf-hacked-for-remote-spying-physical-takeover/
- Incomplete NVIDIA Patch To CVE-2024-0132 Exposes AI Infrastructure And Data To Critical Risks
"In September 2024, NVIDIA released several updates to address a critical vulnerability (CVE-2024-0132) in its NVIDIA Container Toolkit. If exploited, this vulnerability could expose AI infrastructure, data, or sensitive information. With a CVSS v3.1 rating of 9.0, all customers were advised to update their affected software immediately. Further research, however, uncovered that the patch was incomplete. While analyzing the patch in October 2024, we identified a related performance flaw affecting Docker on Linux. These issues could enable attackers to escape container isolation, access sensitive host resources, and cause severe operational disruptions."
https://www.trendmicro.com/en_us/research/25/d/incomplete-nvidia-patch.html
https://thehackernews.com/2025/04/incomplete-patch-in-nvidia-toolkit.html
- SonicWall Patches Multiple Vulnerabilities In NetExtender VPN Client
"SonicWall has issued a security advisory disclosing three newly identified vulnerabilities in its NetExtender Windows client, a popular VPN tool used by organizations for secure remote access to internal networks. SonicWall outlined three distinct vulnerabilities affecting NetExtender for Windows versions 10.3.1 and earlier:"
https://securityonline.info/sonicwall-patches-multi-vulnerabilities-in-netextender-vpn-client/
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0006
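Returning to the SureTriggers item at the top of this section: the digest says only that administrator accounts could be created when the plugin had no API key configured. The failure mode behind that sentence is a familiar one: a REST permission check that compares a stored secret with a request header and succeeds when both are empty, because an unset option and a missing header both read as ''. The following is an added illustration written for this digest, not the plugin's code; the option name, header name, route and the choice of 'subscriber' as the created role are assumptions. The vulnerable callback is shown beside a hardened one.

```php
<?php
// Added illustration for this digest; not SureTriggers' code.
// Assumed names: option 'example_plugin_secret_key', header 'X-Example-Auth',
// route POST /wp-json/example/v1/users. Scenario: an automation plugin stores an
// API key in an option and guards a user-creation route by comparing that key
// with a request header.

// VULNERABLE: when the site owner never configured a key, get_option() returns
// the '' default, an unauthenticated request carries no header so $supplied is
// '' as well, and '' === '' lets the request through.
function example_permission_vulnerable( WP_REST_Request $request ): bool {
    $stored   = (string) get_option( 'example_plugin_secret_key', '' );
    $supplied = (string) $request->get_header( 'X-Example-Auth' );
    return $stored === $supplied; // true for any caller while no key is set
}

// HARDENED: fail closed when no key is configured, insist on a key of
// realistic length, and compare in constant time.
function example_permission_hardened( WP_REST_Request $request ) {
    $stored   = get_option( 'example_plugin_secret_key', '' );
    $supplied = $request->get_header( 'X-Example-Auth' );

    if ( ! is_string( $stored ) || strlen( $stored ) < 32 ) {
        return new WP_Error( 'no_api_key', 'Integration key not configured', array( 'status' => 403 ) );
    }
    if ( ! is_string( $supplied ) || $supplied === '' || ! hash_equals( $stored, $supplied ) ) {
        return new WP_Error( 'rest_forbidden', 'Invalid integration key', array( 'status' => 401 ) );
    }
    return true;
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/users', array(
        'methods'             => 'POST',
        'callback'            => 'example_create_user',
        'permission_callback' => 'example_permission_hardened',
    ) );
} );

function example_create_user( WP_REST_Request $request ) {
    // The caller never chooses the role: an automation endpoint creates the
    // least-privileged account it needs (assumed here to be 'subscriber').
    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( (string) $request->get_param( 'login' ) ),
        'user_email' => sanitize_email( (string) $request->get_param( 'email' ) ),
        'user_pass'  => wp_generate_password( 24 ),
        'role'       => 'subscriber',
    ) );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }
    return rest_ensure_response( array( 'id' => $user_id ) );
}
```

Because Patchstack reports exploitation within hours of disclosure, patching alone is not enough on a site that was exposed: list administrators ordered by registration date (for example `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --orderby=user_registered --order=DESC`) and treat any account created after the vulnerable version was installed as a compromise indicator.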
Malware
- Unraveling The U.S. Toll Road Smishing Scams
"Since the middle of Oct. 2024, Talos has seen ongoing smishing attacks impersonating U.S. toll road automatic payment services (such as E-ZPass) with the intent of financial theft. The actors have so far sent SMS messages to individuals in about eight states in the U.S., including Washington, Florida, Pennsylvania, Virginia, Texas, Ohio, Illinois and Kansas. Talos identified these states via spoofed domains containing the states’ two-letter abbreviations that we observed in the SMS messages."
https://blog.talosintelligence.com/unraveling-the-us-toll-road-smishing-scams/
- Houthi Influence Campaign
"In early April, ClearSky’s team discovered a persistent Yemeni/Houthi influence campaign operating in Israel and the Gulf states. We first exposed the campaign in 2019. It continues to operate in a similar manner to what was uncovered in 2019. Between 2019 and 2022, the campaign mainly focused on Gulf countries, particularly Saudi Arabia and the UAE, and returned to focus on Israel from late 2024. We did not find any indication that the campaign targeted Israel between 2019–2022."
https://www.clearskysec.com/houthi-influence-campaign/
https://www.clearskysec.com/wp-content/uploads/2025/04/Houthi-Influence-Campaign-april-2025.pdf
- Amazon Gift Card Email Hooks Microsoft Credentials
"In today’s day and age, e-gift cards have become a popular substitute for traditional gifts. This is because they are instantly deliverable, require no wrapping, and allow the recipient the freedom to choose something they truly want or need. However, this convenience can sometimes cause recipients to overlook the legitimacy of the source. Threat actors are able to take advantage of this kind of behavior by sending fraudulent emails disguised as genuine gift cards from trusted sources. These scams are designed to manipulate emotions and trick victims into providing sensitive information under the guise of redeeming a gift."
https://cofense.com/blog/amazon-gift-card-email-hooks-microsoft-credentials
- Atomic And Exodus Crypto Wallets Targeted In Malicious Npm Campaign
"Threat actors have been targeting the cryptocurrency community hard lately. The ReversingLabs (RL) research team is continuously tracking an ongoing battle in which cybercriminals and other threat actors use a variety of techniques to hijack popular, legitimate crypto packages and steal things from Web3 wallets to crypto funds."
https://www.reversinglabs.com/blog/atomic-and-exodus-crypto-wallets-targeted-in-malicious-npm-campaign
https://thehackernews.com/2025/04/malicious-npm-package-targets-atomic.html
https://www.darkreading.com/cloud-security/open-source-poisoned-patches-infect-local-software
https://hackread.com/npm-malware-atomic-exodus-wallets-hijack-crypto/
- Analysis Of Threat Actor Activity
"As a driving force in the evolution of cybersecurity, Fortinet has long been at the forefront of the industry in embracing and advocating for cybersecurity best practices. We are committed to being a role model for ethical product development and vulnerability disclosure, which includes embracing responsible transparency, holding ourselves to robust disclosure practices, and adhering to international and industry-recognized standards."
https://www.fortinet.com/blog/psirt-blogs/analysis-of-threat-actor-activity
- GOFFEE Continues To Attack Organizations In Russia
"GOFFEE is a threat actor that first came to our attention in early 2022. Since then, we have observed malicious activities targeting exclusively entities located in the Russian Federation, leveraging spear phishing emails with a malicious attachment. Starting in May 2022 and up until summer of 2023, GOFFEE deployed modified Owowa (malicious IIS module) in their attacks. As of 2024, GOFFEE started to deploy patched malicious instances of explorer.exe via spear phishing."
https://securelist.com/goffee-apt-new-attacks/116139/
- PlayPraetor Reloaded: CTM360 Uncovers a Play Masquerading Party
"CTM360 has now identified a much larger extent of the ongoing Play Praetor campaign. What started with 6000+ URLs of a very specific banking attack has now grown to 16,000+ with multiple variants. This research is ongoing, and much more is expected to be discovered in the coming days. As before, all the newly discovered play impersonations are mimicking legitimate app listings, deceiving users into installing malicious Android applications or exposing sensitive personal information. While these incidents initially appeared to be isolated, further investigation has revealed a globally coordinated campaign that poses a significant threat to the integrity of the Play Store ecosystem."
https://thehackernews.com/2025/04/playpraetor-reloaded-ctm360-uncovers.html
https://www.ctm360.com/reports/play-masquerading-party-report
- Shuckworm Targets Foreign Military Mission Based In Ukraine
"Shuckworm’s relentless focus on Ukraine has continued into 2025, with the group targeting the military mission of a Western country based in the Eastern European nation. The first activity in this campaign occurred in February 2025, and it continued into March. The initial infection vector used by the attackers appears to have been an infected removable drive."
https://www.security.com/threat-intelligence/shuckworm-ukraine-gammasteel
https://thehackernews.com/2025/04/gamaredon-uses-infected-removable.html
https://therecord.media/gamaredon-removable-drive-malware-western-military-mission-ukraine
https://www.bleepingcomputer.com/news/security/russian-hackers-attack-western-military-mission-using-malicious-drive/
- Observing Atlas Lion (part One): Why Take Control When You Can Enroll?
"We’ve recently observed an unusual attack technique that, while discussed in cybersecurity circles, we haven’t previously seen put into practice in the wild. This technique could go unnoticed under the right circumstances, allowing an attacker to stay undetected for longer, simply by hiding in plain sight. This is done by using stolen credentials to enroll new systems they control—mimicking normal workstations and servers within the targeted network’s infrastructure."
https://expel.com/blog/observing-atlas-lion-part-one/
https://therecord.media/atlas-lion-gift-card-cybercrime-hiding-virtual-machines
- Newly Registered Domains Distributing SpyNote Malware
"Deceptive websites hosted on newly registered domains are being used to deliver AndroidOS SpyNote malware. These sites mimic the Google Chrome install page on the Google Play Store to lure victims into downloading SpyNote, a potent Android remote access trojan (RAT) used for surveillance, data exfiltration, and remote control."
https://dti.domaintools.com/newly-registered-domains-distributing-spynote-malware/
https://www.infosecurity-magazine.com/news/spynote-malware-targets-android/
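For the Atlas Lion item above: the technique is to enroll attacker-controlled machines with stolen credentials so that they look like ordinary workstations and servers in the victim's directory. Because a join is a normal event, the useful signal is context: who registered the device, from where, and how many devices that identity registered in a short span. The block below is an added example written for this digest, not Expel's detection logic. The event format, the corporate address ranges, the approved enrollment account and the burst threshold are all assumptions, and the log lines are constructed.

```python
"""Flag suspicious device enrollments in a constructed audit-log sample.

Added example for this digest; not Expel's code. The JSON event shape,
the 'corporate' ranges, the service-account list and the thresholds are
assumptions chosen for illustration.
"""
from __future__ import annotations

import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed: address space from which legitimate joins originate (office egress
# and the imaging VLAN), plus identities that are allowed to bulk-enroll.
CORPORATE_NETS = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("10.20.0.0/16")]
ENROLLMENT_SERVICE_ACCOUNTS = {"svc-autopilot"}
BURST_WINDOW = timedelta(hours=1)
BURST_THRESHOLD = 3  # joins by one account inside BURST_WINDOW

# Constructed sample events (not real telemetry), one JSON object per line.
SAMPLE_LOG = """\
{"ts":"2025-04-08T09:02:11Z","op":"DeviceJoin","user":"svc-autopilot","device":"LT-5521","ip":"10.20.4.17"}
{"ts":"2025-04-08T09:40:53Z","op":"DeviceJoin","user":"j.doe","device":"LT-5522","ip":"203.0.113.40"}
{"ts":"2025-04-08T22:14:02Z","op":"DeviceJoin","user":"m.rivera","device":"DESKTOP-7H2K1","ip":"198.51.100.23"}
{"ts":"2025-04-08T22:19:47Z","op":"DeviceJoin","user":"m.rivera","device":"WS-FIN-12","ip":"198.51.100.23"}
{"ts":"2025-04-08T22:31:09Z","op":"DeviceJoin","user":"m.rivera","device":"SRV-APP-03","ip":"198.51.100.23"}
{"ts":"2025-04-08T23:05:00Z","op":"SignIn","user":"m.rivera","device":"SRV-APP-03","ip":"198.51.100.23"}
"""


def parse_events(text: str) -> list[dict]:
    """Parse newline-delimited JSON and keep only device-join operations, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("op") != "DeviceJoin":
            continue
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        ev["ip"] = ipaddress.ip_address(ev["ip"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def is_corporate(ip) -> bool:
    return any(ip in net for net in CORPORATE_NETS)


def flag_enrollments(events: list[dict]) -> dict[str, list[str]]:
    """Return {device: [reasons]} for joins that deserve analyst attention."""
    findings: dict[str, list[str]] = defaultdict(list)
    by_user: dict[str, list[dict]] = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)

    for user, joins in by_user.items():
        for i, ev in enumerate(joins):
            # Rule 1: a human identity joining a device from outside corporate space.
            if not is_corporate(ev["ip"]) and user not in ENROLLMENT_SERVICE_ACCOUNTS:
                findings[ev["device"]].append(f"join from non-corporate address {ev['ip']} by {user}")
            # Rule 2: the same account joining several devices in a short window.
            window_start = ev["ts"] - BURST_WINDOW
            recent = [j for j in joins[: i + 1] if j["ts"] >= window_start]
            if len(recent) >= BURST_THRESHOLD:
                findings[ev["device"]].append(f"{user} joined {len(recent)} devices within {BURST_WINDOW}")
    return dict(findings)


def suspicious_devices(text: str = SAMPLE_LOG) -> dict[str, list[str]]:
    return flag_enrollments(parse_events(text))


if __name__ == "__main__":
    for device, reasons in suspicious_devices().items():
        print(device)
        for reason in reasons:
            print("  -", reason)
```

On the constructed sample the two joins from the office ranges pass, while the three devices that m.rivera registers from 198.51.100.23 are flagged, and the third one also trips the burst rule. In a real tenant the same two rules would be fed from the directory's device-registration audit events, with the baseline ranges derived from historical joins rather than hard-coded.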
Breaches/Hacks/Leaks
- Physicians’ Billing And Revenue Management Firm Hit By LockBit
"DataBreaches should no longer be surprised to see threat actors claim to have hundreds of GB of files from medical entities, but it’s still concerning that entities can have so much data accessed and exfiltrated and yet not detect the attack. For today’s example, we point to Physicians Medical Billing, which was added to LockBit3.0’s leak site this week."
https://databreaches.net/2025/04/10/physicians-billing-and-revenue-management-firm-hit-by-lockbit/
- Major Data Breach Affects Multiple Dutch Ministries, Impact Still Unclear
"Several ministries have been affected by a major data breach. The Ministry of the Interior and Kingdom Relations refers to a ‘privacy problem’ that has their ‘full attention’. This was reported by BNR sources, after which confirmation from the government followed. In addition to the Ministry of the Interior and Kingdom Relations, the Ministry of Economic Affairs and the Ministry of Climate Policy and Green Growth have also been affected by the data breach. Other ministries may also have been affected by the incident, which is still being investigated. The exact impact and cause of the data breach are currently unclear."
https://www.techzine.eu/news/security/130478/major-data-breach-affects-multiple-dutch-ministries-impact-still-unclear/
- Oregon’s Environmental Agency Shuts Down Network After Cyberattack
"Officials at the Oregon Department of Environmental Quality (DEQ) were forced to shut down the organization’s network following a cyberattack on Wednesday. The regulatory agency, which regulates the quality of Oregon's air, land and water, said on Wednesday evening that vehicle inspection stations will be closed through Friday following the cyberattack. The agency is in the process of isolating servers and the network “until the attack is totally contained and potentially eradicated.”"
https://therecord.media/oregon-department-environmental-quality-cyberattack
- South African Telecom Provider Serving 7.7 Million Confirms Data Leak Following Cyberattack
"South Africa’s fourth-largest mobile network operator, Cell C, has confirmed that its data was leaked on the dark web following a cyberattack last year. The hacker group responsible for the attack, RansomHouse, claimed to have breached 2TB of the company’s data. Cell C stated that the hackers gained unauthorized access to certain parts of its IT systems. While the exact number of individuals affected by the hack remains unclear, the company has acknowledged the compromise of sensitive customer information."
https://therecord.media/south-african-telecom-provider-discloses-data-breach-ransomware
General News
- March 2025 APT Group Trends (South Korea)
"AhnLab is monitoring Advanced Persistent Threat (APT) attacks in South Korea using its own infrastructure. This report covers the classification, statistics, and features of the APT attacks in South Korea that were identified in March 2025, as well as the attack types."
https://asec.ahnlab.com/en/87400/
- March 2025 Trends Report On Phishing Emails
"This report provides statistics, trends, and case details on the distribution volume and attachment threats of phishing emails collected and analyzed in March 2025. The following is a part of the statistics and cases included in the original report."
https://asec.ahnlab.com/en/87401/
- How To Find Out If Your AI Vendor Is a Security Risk
"One of the most pressing concerns with AI adoption is data leakage. Consider this: An employee logs into their favorite AI chatbot, pastes sensitive corporate data, and asks for a summary. Just like that, confidential information is ingested into a third-party model beyond your control. Even with data loss prevention (DLP) policies, AI data leaks are challenging to prevent. If the AI system is cloud-based and employees can access it externally, companies may never know when their data is compromised."
https://www.helpnetsecurity.com/2025/04/10/ai-vendor-risk/
- From Likes To Leaks: How Social Media Presence Impacts Corporate Security
"From a psychological standpoint, we all crave attention, and likes and comments fuel that need, encouraging us to share even more on social media. In the corporate world, this risk grows exponentially because it’s not just our personal information at stake, but the security of the entire company."
https://www.helpnetsecurity.com/2025/04/10/social-media-cybersecurity-risk-for-companies/
- Cyber Security Breaches Survey 2025
"The Cyber Security Breaches Survey is a research study on UK cyber resilience. It is primarily used to inform government policy on cyber security, making the UK cyberspace a secure place to do business. The study explores the policies, processes and approach to cyber security, for businesses, charities and educational institutions. It also considers the different cyber attacks and cyber crimes these organisations face, as well as how these organisations are impacted and respond. For this latest release, the quantitative survey and qualitative interviews were carried out between August and December 2024."
https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2025/cyber-security-breaches-survey-2025
https://www.bankinfosecurity.com/ransomware-incidents-on-rise-in-uk-a-27971
https://www.infosecurity-magazine.com/news/40-uk-businesses-face-breaches/
- What Should The US Do About Salt Typhoon?
"Of the countless threat actors, state-sponsored and otherwise, that target the US private and public sectors, few have gained the wide cultural relevance of Salt Typhoon, the Chinese state-sponsored threat actor that has targeted major telecommunications providers in a far-reaching, ongoing espionage campaign."
https://www.darkreading.com/cyberattacks-data-breaches/what-should-us-do-salt-typhoon
- Why Data Privacy Isn't The Same As Data Security
"When Connecticut Attorney General William Tong described granting the Department of Government Efficiency (DOGE) access to Treasury Department records as potentially the largest data breach in American history, the alarm wasn't just about yet another cybersecurity failure. It underscored a fundamental misunderstanding that continues to expose businesses and consumers to risk."
https://www.darkreading.com/cyber-risk/data-privacy-versus-data-security
- Advanced Preparation Was Key To a Secure Paris Olympics
"The Olympic Games showcase sports to the world with an intensity and volume no other event can match, and securing the event requires extensive collaboration and advanced preparation. Last summer's 2024 Olympiad in Paris featured 329 events across 41 events and 41 sports, drew 500,000 spectators, and attracted 3.1 million tourist arrivals, making it France's largest-ever event. The scale of events and number of visitors also made it a prime target for skilled threat actors, more so than past Games."
https://www.darkreading.com/cybersecurity-operations/advanced-preparation-key-secure-paris-olympics
- ThreatLabz 2025 VPN Report: Why 81% Of Organizations Plan To Adopt Zero Trust By 2026
"VPN technologies have long been a backbone of remote access — but according to new ThreatLabz research, the security risks and performance challenges of VPNs may be rapidly changing the status quo for enterprises. The Zscaler ThreatLabz 2025 VPN Risk Report with Cybersecurity Insiders draws on the insights of more than 600 IT and security professionals on the growing risks and operational challenges posed by VPNs. It reveals that enterprises are actively grappling with the security risks, performance challenges, and operational complexity of VPNs."
https://www.zscaler.com/blogs/security-research/threatlabz-2025-vpn-report-why-81-organizations-plan-adopt-zero-trust-2026
- Study Identifies 20 Most Vulnerable Connected Devices Of 2025
"Routers represent the riskiest devices in enterprise networks, containing the largest number of critical vulnerabilities, Forescout notes in a new report. According to the company’s ‘Riskiest Connected Devices of 2025’ report, device risk has increased 15% compared to the previous year, with routers accounting for more than half of the devices plagued by the most dangerous vulnerabilities. The report, which analyzes millions of devices in Forescout’s Device Cloud to identify the riskiest types across IT, IoT, OT, and Internet of Medical Things (IoMT), shows that computers have the largest number of bugs, but not the most dangerous ones."
https://www.securityweek.com/study-identifies-20-most-vulnerable-connected-devices-of-2025/
https://www.forescout.com/resources/riskiest-devices-2025-report/
References
Electronic Transactions Development Agency (ETDA)