Cyber Threat Intelligence 07 March 2025
Industrial Sector
- Hitachi Energy Relion 670/650/SAM600-IO
"Successful exploitation of this vulnerability could allow anyone with user credentials to bypass the security controls enforced by the product."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-065-02
- Hitachi Energy PCU400
"Exploitation of these vulnerabilities could allow an attacker to access or decrypt sensitive data, crash the device application, or cause a denial-of-service condition."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-065-01
Vulnerabilities
- Elastic Releases Urgent Fix For Critical Kibana Vulnerability Enabling Remote Code Execution
"Elastic has rolled out security updates to address a critical security flaw impacting the Kibana data visualization dashboard software for Elasticsearch that could result in arbitrary code execution. The vulnerability, tracked as CVE-2025-25012, carries a CVSS score of 9.9 out of a maximum of 10.0. It has been described as a case of prototype pollution. "Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests," the company said in an advisory released Wednesday."
https://thehackernews.com/2025/03/elastic-releases-urgent-fix-for.html
https://discuss.elastic.co/t/kibana-8-17-3-security-update-esa-2025-06/375441
https://securityaffairs.com/174999/security/elastic-kibana-critical-flaw.html
- Unauthenticated Arbitrary File Upload Vulnerability In Chaty Pro Plugin
"The Chaty Pro plugin, which according to our research has around 18,000 installations, is the Premium version of the Chaty plugin. It provides a chat button to communicate with customers and allows you to chat with your website visitors via your preferred channels like WhatsApp chat, Facebook Messenger, and more."
https://patchstack.com/articles/unauthenticated-arbitrary-file-upload-vulnerability-patched-in-chaty-pro-plugin/
https://www.infosecurity-magazine.com/news/flaw-chaty-pro-plugin-18k/
- Over 37,000 VMware ESXi Servers Vulnerable To Ongoing Attacks
"Over 37,000 internet-exposed VMware ESXi instances are vulnerable to CVE-2025-22224, a critical out-of-bounds write flaw that is actively exploited in the wild. This massive exposure is being reported by threat monitoring platform The Shadowserver Foundation, which reported a figure of around 41,500 yesterday. Today, ShadowServer now reports that 37,000 are still vulnerable, indicating that 4,500 devices were patched yesterday."
https://www.bleepingcomputer.com/news/security/over-37-000-vmware-esxi-servers-vulnerable-to-ongoing-attacks/
https://www.securityweek.com/exploited-vmware-esxi-flaws-put-many-at-risk-of-ransomware-other-attacks/
Malware
- Phantom-Goblin: Covert Credential Theft And VSCode Tunnel Exploitation
"A newly identified malware strain is being distributed through RAR attachments, using social engineering techniques to deceive users into executing a malicious LNK file disguised as a legitimate document. Once executed, this LNK file triggers a PowerShell command that retrieves additional payloads from a GitHub repository, allowing the malware to perform various malicious activities while operating stealthily."
https://cyble.com/blog/phantom-goblin-covert-credential-theft/
- Camera Off: Akira Deploys Ransomware Via Webcam
"While the S-RM team encountered more threat actors than ever before last year, one group was responsible for more incidents than any other. Akira, a well-established ransomware group, accounted for 15% of the incidents we responded to in 2024, and deployed some novel techniques for evading cyber defences along the way. In this article, our team details how Akira was able to compromise an unsecured webcam in order to circumvent an Endpoint Detection and Response (EDR) tool and deploy ransomware."
https://www.s-rminform.com/latest-thinking/camera-off-akira-deploys-ransomware-via-webcam
https://www.bleepingcomputer.com/news/security/akira-ransomware-encrypted-network-from-a-webcam-to-bypass-edr/
- Malvertising Campaign Leads To Info Stealers Hosted On GitHub
"In early December 2024, Microsoft Threat Intelligence detected a large-scale malvertising campaign that impacted nearly one million devices globally in an opportunistic attack to steal information. The attack originated from illegal streaming websites embedded with malvertising redirectors, leading to an intermediary website where the user was then redirected to GitHub and two other platforms. The campaign impacted a wide range of organizations and industries, including both consumer and enterprise devices, highlighting the indiscriminate nature of the attack. GitHub was the primary platform used in the delivery of the initial access payloads and is referenced throughout this blog post; however, Microsoft Threat Intelligence also observed one payload hosted on Discord and another hosted on Dropbox."
https://www.microsoft.com/en-us/security/blog/2025/03/06/malvertising-campaign-leads-to-info-stealers-hosted-on-github/
https://www.bleepingcomputer.com/news/security/microsoft-says-malvertising-campaign-impacted-1-million-pcs/
- New PyPI Malware ‘set-utils’ Exfiltrates Ethereum Private Keys Through Blockchain Transactions
"The Socket Research Team has discovered a malicious PyPI package, set-utils, designed to steal Ethereum private keys by exploiting commonly used account creation functions. Disguised as a simple utility for Python sets, the package mimics widely used libraries like python-utils (712M+ downloads) and utils (23.5M+ downloads). This deception tricks unsuspecting developers into installing the compromised package, granting attackers unauthorized access to Ethereum wallets."
https://socket.dev/blog/new-pypi-malware-exfiltrates-ethereum-private-keys
https://www.bleepingcomputer.com/news/security/ethereum-private-key-stealer-on-pypi-downloaded-over-1-000-times/
- Polymorphic Extensions: The Sneaky Extension That Can Impersonate Any Browser Extension
"Imagine that your AI transcriber tool shapeshifts into your password manager, then your crypto wallet and finally into your banking app — all without your knowledge. This is exactly what polymorphic extensions can do. SquareX’s research team discovered a way for malicious extensions to silently impersonate any extension installed on the victim’s browser. The polymorphic extensions create a pixel perfect replica of the target’s icon, HTML popup, workflows and even temporarily disables the legitimate extension, making it extremely convincing for victims to believe that they are providing credentials to the real extension. These credentials can then be used by attackers to access all the sensitive information, credentials and financial assets stored in the victim’s account."
https://labs.sqrx.com/polymorphic-extensions-dd2310006e04
https://www.bleepingcomputer.com/news/security/malicious-chrome-extensions-can-spoof-password-managers-in-new-attack/
https://hackread.com/squarex-unveils-polymorphic-extensions-that-morph-infostealers-into-any-browser-extension-password-managers-wallets-at-risk/
- Unmasking The New Persistent Attacks On Japan
"Cisco Talos discovered malicious activities conducted by an unknown attacker since as early as January 2025, predominantly targeting organizations in Japan. The attacker has exploited the vulnerability CVE-2024-4577, a remote code execution (RCE) flaw in the PHP-CGI implementation of PHP on Windows, to gain initial access to victim machines. The attacker utilizes plugins of the publicly available Cobalt Strike kit "TaoWu" for post-exploitation activities."
https://blog.talosintelligence.com/new-persistent-attacks-japan/
https://www.infosecurity-magazine.com/news/attackers-japan-cobalt-strike/
- Unveiling EncryptHub: Analysis Of a Multi-Stage Malware Campaign
"EncryptHub, a rising cybercriminal entity, has recently caught the attention of multiple threat intelligence teams, including our own (Outpost24’s KrakenLabs). While other reports have begun to shed light on this actor’s operations, our investigation goes a step further, uncovering previously unseen aspects of their infrastructure, tooling, and behavioral patterns. Through a series of operational security (OPSEC) missteps, EncryptHub inadvertently exposed critical elements of their ecosystem, allowing us to map their tactics with unprecedented depth."
https://outpost24.com/blog/unveiling-encrypthub-multi-stage-malware/
https://www.darkreading.com/threat-intelligence/encrypthub-opsec-failures-ttps-big-plans
https://thehackernews.com/2025/03/encrypthub-deploys-ransomware-and.html
- Trojans Disguised As AI: Cybercriminals Exploit DeepSeek’s Popularity
"Among the most significant events in the AI world in early 2025 was the release of DeepSeek-R1 – a powerful reasoning large language model (LLM) with open weights. It’s available both for local use and as a free service. Since DeepSeek was the first service to offer access to a reasoning LLM to a wide audience, it quickly gained popularity, mirroring the success of ChatGPT. Naturally, this surge in interest also attracted cybercriminals. While analyzing our internal threat intelligence data, we discovered several groups of websites mimicking the official DeepSeek chatbot site and distributing malicious code disguised as a client for the popular service."
https://securelist.com/backdoors-and-stealers-prey-on-deepseek-and-grok/115801/
- Thousands Of Websites Hit By Four Backdoors In 3rd Party JavaScript Attack
"While analyzing threats targeting WordPress frameworks, we found an attack where a single 3rd party JavaScript file was used to inject four separate backdoors into 1,000 compromised websites using cdn.csyndication[.]com/. Creating four backdoors facilitates the attackers having multiple points of re-entry should one be detected and removed. A unique case we haven’t seen before, which introduces another type of attack made possible by abusing websites that don’t monitor 3rd party dependencies in the browser of their users."
https://cside.dev/blog/thousands-of-websites-hit-by-four-backdoors-in-3rd-party-javascript-attack
https://thehackernews.com/2025/03/over-1000-wordpress-sites-infected-with.html
- The Next Level: Typo DGAs Used In Malicious Redirection Chains
"We have uncovered a new campaign in which an attacker leverages newly registered domains (NRDs) and introduces a new variant of domain generation algorithms (DGAs) potentially designed to avoid detection. We found this through our novel graph-intelligence based pipeline. The system infers attack campaigns by correlating domain registrations with hosting infrastructure, passive DNS and WHOIS data. This campaign used over 6,000 NRDs that redirected to similar paths on domains resembling those generated by dictionary-based DGAs. Dictionary DGAs are a DGA variant that combines dictionary words to create domain names resembling legitimate ones, thus hindering detection by security systems."
https://unit42.paloaltonetworks.com/typo-domain-generation-algorithms/
- YouTube Warns Of AI-Generated Video Of Its CEO Used In Phishing Attacks
"YouTube warns that scammers are using an AI-generated video featuring the company's CEO in phishing attacks to steal creators' credentials. The attackers are sharing it as a private video with targeted users via emails claiming YouTube is changing its monetization policy. "We're aware that phishers have been sharing private videos to send false videos, including an AI generated video of YouTube’s CEO Neal Mohan announcing changes in monetization," the online video sharing platform warned in a pinned post on its official community website."
https://www.bleepingcomputer.com/news/security/youtube-warns-of-ai-generated-video-of-its-ceo-used-in-phishing-attacks/
https://www.darkreading.com/remote-workforce/deepfake-videos-youtube-phish-creators
Breaches/Hacks/Leaks
- Thousands Of Public School Workers Impacted By Cyberattack On Retirement Plan Administrator
"A December 2024 cyberattack on a prominent administrator for retirement plans has exposed the information of thousands of public school teachers and employees across the U.S. Dozens of public schools across the country reported data breaches to regulators in Maine, Massachusetts, Vermont and several other states this week, warning that sensitive data was stolen through Carruth Compliance Consulting — a company that provides third-party administrative services to public school districts and non-profit organizations for their 403(b) and 457(b) retirement savings plans."
https://therecord.media/thousands-of-public-school-workers-impacted-data-breach
- Russia Claims Ukraine Hacked State Youth Organizations To Recruit Minors
"A Russian security agency has accused Ukraine of hacking two Kremlin-backed youth military-patriotic organizations to gather student data for potential recruitment in espionage or terrorist activities. In a statement on Thursday, the Federal Security Service (FSB) said it had thwarted a cyber operation targeting Avangard and Yunarmiya, pro-government youth organizations established to promote patriotism, military values and national pride among young people in Russia."
https://therecord.media/russia-claims-ukraine-hacked-kremlin-backed-youth-organizations
- Qilin Ransomware Gang Claims The Hack Of The Ministry Of Foreign Affairs Of Ukraine
"The Russian-speaking Qilin Ransomware group claims responsibility for an attack on the Ministry of Foreign Affairs of Ukraine. The group stated that it stole sensitive data such as private correspondence, personal information, and official decrees. The ransomware group declared that they had already sold some of the alleged stolen information to third parties."
https://securityaffairs.com/175025/cyber-crime/qilin-ransomware-ministry-of-foreign-affairs-of-ukraine.html
General News
- 89% Of Enterprise AI Usage Is Invisible To The Organization
"Organizations have zero visibility into 89% of AI usage, despite security policies, according to a LayerX report. 71% of connections to GenAI tools are done using personal non-corporate accounts. Among logins using corporate accounts, 58% of connections are done without Single Sign-On (SSO). These interactions bypass organizational identity and access management (IAM) systems, leaving security teams blind to how GenAI tools are used and what data is being shared."
https://www.helpnetsecurity.com/2025/03/06/ai-usage-visibility-in-organizations/
- US Seizes Domain Of Garantex Crypto Exchange Used By Ransomware Gangs
"The U.S. Secret Service has seized the domain of the sanctioned Russian cryptocurrency exchange Garantex in collaboration with the Department of Justice's Criminal Division, the FBI, and Europol. Other law enforcement authorities involved in this action include the Dutch National Police, the German Federal Criminal Police Office, the Frankfurt General Prosecutor's Office, the Estonian National Criminal Police, and the Finnish National Bureau of Investigation."
https://www.bleepingcomputer.com/news/security/us-seizes-domain-of-garantex-crypto-exchange-used-by-ransomware-gangs/
https://therecord.media/garantex-crypto-exchange-taken-down-law-enforcement-operation
https://www.theregister.com/2025/03/06/international_cops_seize_ransomware_gangs/
- Cybersecurity's Future Is All About Governance, Not More Tools
"The past 10 years have been defined by unprecedented growth in cybersecurity procurement. Organizations poured considerable resources into expanding their toolsets to meet the requirements outlined in the NIST Cybersecurity Framework and catch up with ever-growing, sophisticated threats. Budgets swelled as layer upon layer of solutions were added to the technology stack. According to a Panaseer report, organizations deployed an average of 76 different security tools in 2022, a jump from 64 tools deployed in 2019."
https://www.darkreading.com/cyber-risk/cybersecurity-future-governance-not-more-tools
- ENISA NIS360 2024
"The NIS360 is a new ENISA product that assesses the maturity and criticality of sectors of high criticality under the NIS2 Directive, providing both a comparative overview and a more in-depth analysis of each sector. The NIS360 is designed to assist Member States and national authorities in identifying gaps and prioritising resources. Our analysis is based on data from national authorities with a horizontal or sectorial mandate, data from companies within the in-scope sectors, and insights from EU-level sources such as Eurostat."
https://www.enisa.europa.eu/publications/enisa-nis360-2024
https://www.enisa.europa.eu/sites/default/files/2025-03/ENISA - NIS360 - 2024_0.pdf
https://www.infosecurity-magazine.com/news/critical-infrastructure-sectors/
- How Social Engineering Sparked a Billion-Dollar Supply Chain Cryptocurrency Heist
"Last week’s $1.4 billion cryptocurrency heist was the result of a multi-pronged attack that combined social engineering, stolen AWS session tokens, MFA bypasses, and a seemingly benign JavaScript file. That’s the conclusion from forensics experts at Mandiant called in to figure out how North Korea’s Lazarus hacking crew was able to compromise ByBit’s Ethereum cold wallet system in the biggest documented cryptocurrency theft ever."
https://www.securityweek.com/how-social-engineering-sparked-a-billion-dollar-supply-chain-cryptocurrency-heist/
- Medusa Ransomware Activity Continues To Increase
"Attacks using this ransomware have displayed consistent TTPs and grown steadily since 2023. Medusa ransomware attacks jumped by 42% between 2023 and 2024. This increase in activity continues to escalate, with almost twice as many Medusa attacks observed in January and February 2025 as in the first two months of 2024."
https://www.security.com/threat-intelligence/medusa-ransomware-attacks
https://thehackernews.com/2025/03/medusa-ransomware-hits-40-victims-in.html
- Survey: Women Comprise 22% Of The Cybersecurity Workforce
"The shortage of skills and qualified personnel has long been reported as a top risk to the cybersecurity profession. Until recently, protecting the investment in these teams has, in part, sheltered cybersecurity teams from the full extent of reductions during economically challenging times. However, the most recent ISC2 Cybersecurity Workforce Study revealed that even cybersecurity teams are now being impacted by workforce reductions like other parts of the business. This is affecting the ability to hire and retain all cybersecurity professionals, as well as affecting their happiness and career outlook."
https://www.isc2.org/insights/2025/03/women-comprise-22-percent-of-the-cybersecurity-workforce
https://www.darkreading.com/remote-workforce/women-cyber-cutbacks-2024
https://www.infosecurity-magazine.com/news/cybersecurity-job-satisfaction/
Reference
Electronic Transactions Development Agency (ETDA)