Cyber Threat Intelligence 05 March 2025
Industrial Sector
- CISA Releases Eight Industrial Control Systems Advisories
"CISA released eight Industrial Control Systems (ICS) advisories on March 4, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
ICSA-25-063-01 Carrier Block Load
ICSA-25-063-02 Keysight Ixia Vision Product Family
ICSA-25-063-03 Hitachi Energy MACH PS700
ICSA-25-063-04 Hitachi Energy XMC20
ICSA-25-063-05 Hitachi Energy UNEM/ECST
ICSA-25-063-06 Delta Electronics CNCSoft-G2
ICSA-25-063-07 GMOD Apollo
ICSA-25-063-08 Edimax IC-7100 IP Camera"
https://www.cisa.gov/news-events/alerts/2025/03/04/cisa-releases-eight-industrial-control-systems-advisories
- ICS/OT Security Budgets Increasing, But Critical Areas Underfunded: Report
"The SANS Institute and OPSWAT on Tuesday published the 2025 ICS/OT Cybersecurity Budget Report. The report, based on a survey of 180 individuals representing critical infrastructure sectors around the world, shows that over a quarter of organizations have experienced one or more security incidents involving OT or control systems in the past year. It’s worth noting that the actual percentage is likely higher considering that 11% were unsure and nearly 20% were unable to answer due to company policy."
https://www.securityweek.com/ics-ot-security-budgets-increasing-but-critical-areas-underfunded-report/
https://info.opswat.com/hubfs/OT - Assets/Survey_2025-ICS-OT-Budget.pdf
Vulnerabilities
- Vulnerabilities Patched In Qualcomm, Mediatek Chipsets
"Chip makers Qualcomm and Mediatek on Monday announced patches for many vulnerabilities, including five issues that were resolved with the latest Android fixes. Qualcomm’s March 2025 security bulletin details 14 security defects impacting proprietary software used in tens of chipset models, including seven issues rated ‘critical severity’. All critical flaws are described as memory corruption issues. According to Qualcomm, six of them impact the Automotive Software platform based on QNX, while the seventh affects Automotive Vehicle Networks."
https://www.securityweek.com/vulnerabilities-patched-in-qualcomm-mediatek-chipsets/
- Mozilla Foundation Security Advisory 2025-14
"Security Vulnerabilities fixed in Firefox 136"
https://www.mozilla.org/en-US/security/advisories/mfsa2025-14/
- CISA Adds Four Known Exploited Vulnerabilities To Catalog
"CISA has added four new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2024-50302 Linux Kernel Use of Uninitialized Resource Vulnerability
CVE-2025-22225 VMware ESXi Arbitrary Write Vulnerability
CVE-2025-22224 VMware ESXi and Workstation TOCTOU Race Condition Vulnerability
CVE-2025-22226 VMware ESXi, Workstation, and Fusion Information Disclosure Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/03/04/cisa-adds-four-known-exploited-vulnerabilities-catalog
https://therecord.media/vmware-exploited-vulnerabilities-esxi-workstation-fusion
- Cisco Warns Of Webex For BroadWorks Flaw Exposing Credentials
"Cisco warned customers today of a vulnerability in Webex for BroadWorks that could let unauthenticated attackers access credentials remotely. Webex for BroadWorks integrates Cisco Webex's video conferencing and collaboration features with the BroadWorks unified communications platform. While the company has yet to assign a CVE ID to track this security issue, Cisco says in a Tuesday security advisory that it already pushed a configuration change to address the flaw and advised customers to restart their Cisco Webex app to get the fix."
https://www.bleepingcomputer.com/news/security/cisco-warns-of-webex-for-broadworks-flaw-exposing-credentials/
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-credexp-xMN85y6
- Broadcom Fixes Three VMware Zero-Days Exploited In Attacks
"Broadcom warned customers today about three VMware zero-days, tagged as exploited in attacks and reported by the Microsoft Threat Intelligence Center. The vulnerabilities (CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226) impact VMware ESX products, including VMware ESXi, vSphere, Workstation, Fusion, Cloud Foundation, and Telco Cloud Platform. Attackers with privileged administrator or root access can chain these flaws to escape the virtual machine's sandbox."
https://www.bleepingcomputer.com/news/security/broadcom-fixes-three-vmware-zero-days-exploited-in-attacks/
https://thehackernews.com/2025/03/vmware-security-flaws-exploited-in.html
https://www.darkreading.com/vulnerabilities-threats/vmware-zero-day-bugs-sandbox-escape
https://www.infosecurity-magazine.com/news/vmware-patch-exploited-zero-day/
https://www.securityweek.com/broadcom-patches-3-vmware-zero-days-exploited-in-the-wild/
https://www.theregister.com/2025/03/04/vmware_plugs_three_hypervisorhijack_holes/
https://securityaffairs.com/174911/security/vmware-fixed-three-actively-exploited-zero-days-in-esx-products.html
- Exploiting DeepSeek-R1: Breaking Down Chain Of Thought Security
"Welcome to the inaugural article in a series dedicated to evaluating AI models. In this entry, we’ll examine the release of Deepseek-R1. The growing usage of chain of thought (CoT) reasoning marks a new era for large language models. CoT reasoning encourages the model to think through its answer before the final response. A distinctive feature of DeepSeek-R1 is its direct sharing of the CoT reasoning. We conducted a series of prompt attacks against the 671-billion-parameter DeepSeek-R1 and found that this information can be exploited to significantly increase attack success rates."
https://www.trendmicro.com/en_us/research/25/c/exploiting-deepseek-r1.html
Malware
- New Eleven11bot Botnet Infects 86,000 Devices For DDoS Attacks
"Our own Nokia Deepfield Emergency Response Team (ERT) shared today the discovery of a new #DDoS botnet dubbed #Eleven11bot, which we started seeing in hyper-volumetric attacks about 48 hours ago. GreyNoise Intelligence just provided additional insights on the IPs involved: https://lnkd.in/gY75XVmR The good news is that despite Eleven11bot’s exceptional size, Deepfield Defender customers are protected, thanks to active tracking of these bots and how our DDoS solution is designed."
https://www.linkedin.com/posts/jeromemeyer_new-ddos-botnet-discovered-over-30000-hacked-activity-7301383140806119424-luty/
https://www.bleepingcomputer.com/news/security/new-eleven11bot-botnet-infects-86-000-devices-for-ddos-attacks/
- Call It What You Want: Threat Actor Delivers Highly Targeted Multistage Polyglot Malware
"In fall 2024, UNK_CraftyCamel leveraged a compromised Indian electronics company to target fewer than five organizations in the United Arab Emirates with a malicious ZIP file that leveraged multiple polyglot files to eventually install a custom Go backdoor dubbed Sosano."
https://www.proofpoint.com/us/blog/threat-insight/call-it-what-you-want-threat-actor-delivers-highly-targeted-multistage-polyglot
https://www.bleepingcomputer.com/news/security/new-polyglot-malware-hits-aviation-satellite-communication-firms/
https://thehackernews.com/2025/03/suspected-iranian-hackers-used.html
https://therecord.media/sosano-malware-targets-uae-iran-suspected
https://www.infosecurity-magazine.com/news/espionage-campaign-targets-uae/
- LLMjacking In The Wild: How Attackers Recon And Abuse GenAI With AWS NHIs
"LLMjacking is an emerging attack vector where threat actors hijack access to cloud-based AI models using stolen credentials. Unlike “traditional” breaches targeting human users and passwords, LLMjacking attacks focus on exploiting non-human identities (NHIs), the machine accounts and secrets that make generative AI (GenAI) services go round. Compromised NHIs like API keys allow cybercriminal groups to quietly abuse expensive large language models (LLMs), generate content, and even exfiltrate sensitive data, all at the victims’ expense."
https://entro.security/blog/llmjacking-in-the-wild-how-attackers-recon-and-abuse-genai-with-aws-nhis/
- LinkedIn InMail-Spoofing Email Delivers ConnectWise RAT
"The Cofense Phishing Defense Center (PDC) and Cofense Intelligence recently identified a LinkedIn-spoofing malware campaign delivering ConnectWise RAT. The email purports to be a notification for a LinkedIn InMail message, a feature for messaging LinkedIn members who are not connected to the sender. While not entirely accurate to current legitimate LinkedIn emails, the spoofed email from this campaign features heavy use of LinkedIn brand assets to make the email seem legitimate."
https://cofense.com/blog/linkedin-inmail-spoofing-email-delivers-connectwise-rat
- Likely DPRK Network Backstops On GitHub, Targets Companies Globally
"Nisos is tracking a network of likely North Korean (DPRK)-affiliated IT workers posing as Vietnamese, Japanese, and Singaporean nationals with the goal of obtaining employment in remote engineering and full-stack blockchain developer positions in Japan and the United States. While the personas claim to be located in Asia, the network appears to be globally focused, aiming to obtain jobs both in and outside of Asia. The network appears to be using GitHub to create new personas and is reusing matured GitHub accounts and portfolio content from older personas to backstop their new personas."
https://nisos.com/research/dprk-github-employment-fraud/
https://www.darkreading.com/remote-workforce/north-korea-it-worker-scheme-nuclear-funds
https://www.infosecurity-magazine.com/news/north-korean-fake-it-workers-github/
- Snail Mail Fail: Fake Ransom Note Campaign Preys On Fear
"In early March 2025, GRIT received reports from multiple organizations regarding suspicious physical letters delivered by mail from US addresses to members of their executive team. These letters, which claim to be from the BianLian ransomware group, state that the recipient’s corporate IT network has been compromised and that sensitive data has been stolen. Mimicking the threats of a “true” ransomware ransom note, the letters state that the stolen data will be leaked 10 days after receipt of the letter unless a substantial ransom is paid."
https://www.guidepointsecurity.com/blog/snail-mail-fail-fake-ransom-note-campaign-preys-on-fear/
https://hackread.com/scammers-mailing-ransom-letters-bianlian-ransomware/
- New Chinese Zhong Stealer Infects Fintech Via Customer Support
"A new malware threat called Zhong Stealer has surfaced from China, and it’s already slipping into businesses through an unexpected entry point – customer support chats. This info-stealing malware is currently infiltrating fintech companies by exploiting support agents, but the bigger concern is its adaptability. Zhong Stealer can easily be repurposed to target any industry that relies on customer support teams – hospitality, healthcare, retail, and beyond. If your business has a customer-facing team, it could easily be the next target."
https://hackread.com/chinese-zhong-stealer-infects-fintech-customer-support/
- PayPal Scam Abuses Docusign API To Spread Phishy Emails
"PayPal scammers are using an old Docusign trick to enhance the trustworthiness of their phishing emails. We’ve received several reports of this recently, so we dug into how the scam works. The Docusign Application Programming Interface (API) allows “customers” to send emails that come from genuine Docusign accounts, and they can use templates to impersonate reputable companies."
https://www.malwarebytes.com/blog/news/2025/03/paypal-scam-abuses-docusign-api-to-spread-phishy-emails
- Infostealer Campaign Against ISPs
"The Splunk Threat Research Team has identified a campaign targeting ISP infrastructure providers on the West Coast of the United States and the country of China. This mass exploitation campaign originates from Eastern Europe and uses simple tools that abuse victim’s computer processing power to install cryptomining payloads and binaries with diverse functions such as:"
https://www.splunk.com/en_us/blog/security/infostealer-campaign-against-isps.html
https://thehackernews.com/2025/03/over-4000-isp-networks-targeted-in.html
https://securityaffairs.com/174873/cyber-crime/massive-attack-deploy-info-stealers-crypto-miners.html
- Dark Caracal Group Might Have Refreshed Its Malware, Researchers Say
"The hacker group Dark Caracal appears to be shifting to newer malware in an espionage campaign targeting individuals in Latin America, researchers said. Moscow-based cybersecurity firm Positive Technologies reported detecting 483 samples of Poco RAT in networks mostly in Venezuela, the Dominican Republic and Chile from June 2024 until February. Poco RAT shares distinct similarities with Bandook, the signature malware of Dark Caracal, the researchers said."
https://therecord.media/dark-caracal-hackers-poco-rat-bandook
Breaches/Hacks/Leaks
- Hunters International Ransomware Claims Attack On Tata Technologies
"The Hunters International ransomware gang has claimed responsibility for a January cyberattack on Tata Technologies, stating they stole 1.4TB of data from the company. Tata Technologies provides engineering and digital solutions for manufacturing industries worldwide. Founded in 1989 and based in Pune, it operates in 27 countries with over 12,500 employees, specializing in automotive, aerospace, and industrial sectors with product development and digital transformation services."
https://www.bleepingcomputer.com/news/security/hunters-international-ransomware-claims-attack-on-tata-technologies/
https://www.theregister.com/2025/03/05/tata_technologies_hiunters_international/
General News
- Building Cyber Resilience In Banking: Expert Insights On Strategy, Risk, And Regulation
"In this Help Net Security interview, Matthew Darlage, CISO at Citizens, discusses key strategies for strengthening cyber resilience in banks. He underlines that adherence to frameworks like NIST is essential for continuous improvement and that data protection measures are critical to safeguarding bank operations. Darlage further argues that third-party risk management and adaptable security practices are necessary for maintaining resilience."
https://www.helpnetsecurity.com/2025/03/04/matthew-darlage-citizens-banks-cyber-resilience/
- CISO Vs. CIO: Where Security And IT Leadership Clash (and How To Fix It)
"The dynamic between CISOs and CIOs has always been complex. While both roles are essential to an organization’s success, their priorities often put them at odds. The CIO focuses on IT efficiency, innovation, and business enablement, while the CISO prioritizes security, risk management, and compliance. These differing objectives can lead to friction, but with the right strategies, they can be aligned to create a stronger, more resilient organization."
https://www.helpnetsecurity.com/2025/03/04/ciso-vs-cio/
- Ransomware Attacks Appear To Keep Surging
"Hopes for a lull in ransomware attacks have dissipated amid a wave of record-setting attacks launched despite apparent turnover in the criminal underground. Cybersecurity firm NCC Group counted 590 new victims in January, a 3% bump from the previous, also record-setting month. Threat-intelligence firm Cyble counted 518 newly disclosed victims in January, rising to 599 for the first 27 days of February, of which two-thirds targeted U.S.-based organizations. Other ransomware monitors also tracked increases in the overall quantity of victims over the past two months."
https://www.bankinfosecurity.com/ransomware-attacks-appear-to-keep-surging-a-27638
https://insights.nccgroup.com/review-of-jan-2025-threat-pulse
- Technology Alone Isn’t The Answer To Cyber Threats: Time To Rethink Security Culture
"Technology-based defenses have undoubtedly grown sophisticated over the years, proving absolutely essential in fending off new and emerging attacks. But despite the growing sophistication of the tech tools at our disposal, why are breaches and cyber threats growing?"
https://www.group-ib.com/blog/technology-alone-isn-t-the-answer-to-cyber-threats-time-to-rethink-security-culture/
- Prioritizing Data And Identity Security In 2025
"To say that the cybersecurity landscape has grown more complex over the past several years would be a dramatic understatement. Attackers have more resources at their fingertips than ever, and data breaches have become almost a daily occurrence. For both businesses and individuals, the need for stronger data protection has never been clearer—but many aren’t sure where to begin. That’s a real problem, especially at a time when the cost of a breach is at an all-time high and regulators are increasingly looking to penalize businesses that don’t treat security and compliance with the seriousness they deserve."
https://www.helpnetsecurity.com/2025/03/04/improving-data-identity-security/
- CISO Liability Risks Spur Policy Changes At 93% Of Organizations
"Nearly all (93%) organizations have introduced policy changes over the past 12 months to address rising CISO personal liability risks, according to new research by cloud service provider Fastly. This includes 41% of organizations increasing CISO participation in strategic decisions at the board level. Additionally, 38% of respondents promised “increased scrutiny of security disclosure documentation from supervisory agencies.”"
https://www.infosecurity-magazine.com/news/ciso-liability-risks-policy-changes/
- Half Of Online Gambling Firms Lose 10% Of Revenue To Fraud
"The European online gambling (iGaming) sector is suffering multibillion-euro losses to fraud each year, according to new research from Sumsub. The identity verification firm revealed that nearly half (47%) of the compliance professionals it asked lost over 10% of their revenue to fraud last year. Given the sector accounts for 40% (€55bn, $58bn) of the regulated European gambling market, this could amount to losses of over €5bn ($5.2bn) annually. An additional 15% of respondents to Sumsub’s survey said they lost more than 20% of revenue to fraud last year."
https://www.infosecurity-magazine.com/news/half-online-gambling-lose-10/
- Digital Nomads And Risk Associated With The Threat Of Infiltred Employees
"Companies face the risk of insider threats, worsened by remote work. North Korean hackers infiltrate firms via fake IT hires, stealing data. Stronger vetting is key."
https://securityaffairs.com/174898/security/digital-nomads-and-risk-associated-with-the-threat-of-infiltred-employees.html
- North Koreans Finish Initial Laundering Stage After More Than $1 Billion Stolen From Bybit
"The suspected North Korean hackers behind the theft of more than $1 billion from crypto platform Bybit have completed the initial stage of laundering the funds. Experts from multiple blockchain security companies said Monday that the hackers were able to move all of the stolen ETH coins to new addresses — the first step taken before the funds can be laundered further. Ari Redbord, a senior official at TRM Labs, told Recorded Future News that the laundering process relied heavily on decentralized finance (DeFi) tools that helped obscure the origins of the stolen assets."
https://therecord.media/north-koreans-initial-laundering-bybit-hack
References
Electronic Transactions Development Agency (ETDA)