Cyber Threat Intelligence 11 March 2025
Government/Law/Policy
- Swiss Critical Sector Faces New 24-Hour Cyberattack Reporting Rule
"Switzerland's National Cybersecurity Centre (NCSC) has announced a new reporting obligation for critical infrastructure organizations in the country, requiring them to report cyberattacks to the agency within 24 hours of their discovery. According to the NCSC announcement, this new requirement is introduced as a response to the increasing number of cybersecurity incidents and their impact on the country."
https://www.bleepingcomputer.com/news/security/swiss-critical-sector-faces-new-24-hour-cyberattack-reporting-rule/
https://www.infosecurity-magazine.com/news/switzerland-mandates-cyber/
New Tooling
- Hetty: Open-Source HTTP Toolkit For Security Research
"Hetty is an open-source HTTP toolkit designed for security research, offering a free alternative to commercial tools like Burp Suite Pro. Built with the needs of penetration testers, security professionals, and bug bounty hunters in mind, Hetty provides a set of features for HTTP interception, analysis, and manipulation."
https://www.helpnetsecurity.com/2025/03/10/hetty-open-source-http-toolkit-security-research/
https://github.com/dstotijn/hetty
Vulnerabilities
- CISA Adds Five Known Exploited Vulnerabilities To Catalog
"CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2025-25181 Advantive VeraCore SQL Injection Vulnerability
CVE-2024-57968 Advantive VeraCore Unrestricted File Upload Vulnerability
CVE-2024-13159 Ivanti Endpoint Manager (EPM) Absolute Path Traversal Vulnerability
CVE-2024-13160 Ivanti Endpoint Manager (EPM) Absolute Path Traversal Vulnerability
CVE-2024-13161 Ivanti Endpoint Manager (EPM) Absolute Path Traversal Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/03/10/cisa-adds-five-known-exploited-vulnerabilities-catalog
Malware
- GreyNoise Detects Mass Exploitation Of Critical PHP-CGI Vulnerability (CVE-2024-4577), Signaling Broad Campaign
"Cisco Talos recently uncovered a sophisticated attack campaign targeting Japanese organizations through CVE-2024-4577, a critical PHP-CGI remote code execution flaw with 79 exploits available. While Talos focused on victimology and attacker tradecraft, GreyNoise telemetry reveals a far wider exploitation pattern demanding immediate action from defenders globally."
https://www.greynoise.io/blog/mass-exploitation-critical-php-cgi-vulnerability-cve-2024-457
https://www.securityweek.com/mass-exploitation-of-critical-php-vulnerability-begins/
https://securityaffairs.com/175198/hacking/experts-warn-of-mass-exploitation-of-critical-php-flaw-cve-2024-4577.html
- X Hit By ‘Massive Cyberattack’ Amid Dark Storm’s DDoS Claims
"The Dark Storm hacktivist group claims to be behind DDoS attacks causing multiple X worldwide outages on Monday, leading the company to enable DDoS protections from Cloudflare. While X owner Elon Musk did not specifically state that DDoS attacks were behind the outages, he did confirm that it was caused by a "massive cyberattack." "There was (still is) a massive cyberattack against X," Musk posted on X."
https://www.bleepingcomputer.com/news/security/x-hit-by-massive-cyberattack-amid-dark-storms-ddos-claims/
https://therecord.media/cyberattack-twitter-musk-massive-outages
https://www.bankinfosecurity.com/x-social-media-platform-hit-by-apparent-ddos-a-27676
https://www.securityweek.com/elon-musk-claims-x-being-targeted-in-massive-cyberattack-as-service-goes-down/
https://www.malwarebytes.com/blog/news/2025/03/x-users-report-login-troubles-as-dark-storm-claims-cyberattack
https://securityaffairs.com/175209/hacking/elon-musk-x-ddos-attack-dark-dark-storm-team.html
- Analysis Of Lazarus Group’s Attack On Windows Web Servers
"AhnLab SEcurity intelligence Center (ASEC) has identified attack cases of the Lazarus group breaching a normal server and using it as a C2. Attacks that install a web shell and C2 script on South Korean web servers continue to occur. Additionally, there are cases where LazarLoader malware and privilege escalation tools are identified."
https://asec.ahnlab.com/en/86687/
- The Growing Danger Of Blind Eagle: One Of Latin America’s Most Dangerous Cyber Criminal Groups Targets Colombia
"Cyber criminals move quickly, but Blind Eagle (APT-C-36) is proving just how fast. The notorious advanced persistent threat (APT) group, known for targeting Colombia’s justice system, government institutions, and private organizations, has launched a new campaign that demonstrates how attackers can weaponize security patches against their targets."
https://blog.checkpoint.com/research/the-growing-danger-of-blind-eagle-one-of-latin-americas-most-dangerous-cyber-criminal-groups-targets-colombia/
https://www.darkreading.com/cyberattacks-data-breaches/apt-blind-eagle-targets-colombian-government
- Trump Cryptocurrency Delivers ConnectWise RAT
"An email campaign spoofing Binance claims to deliver an opportunity to claim recently created TRUMP coins. If victims follow the instructions and download “Binance Desktop” in order to get TRUMP coins they instead install ConnectWise RAT. The threat actors behind this campaign are eagerly monitoring infections and can connect to infected computers in under 2 minutes."
https://cofense.com/blog/trump-cryptocurrency-delivers-connectwise-rat
https://therecord.media/email-scam-spoofs-binance-offers-trump-coin-connectwise-rat
https://www.securityweek.com/trump-coins-used-as-lure-in-malware-campaign/
- SideWinder Targets The Maritime And Nuclear Sectors With An Updated Toolset
"Last year, we published an article about SideWinder, a highly prolific APT group whose primary targets have been military and government entities in Pakistan, Sri Lanka, China, and Nepal. In it, we described activities that had mostly happened in the first half of the year. We tried to draw attention to the group, which was aggressively extending its activities beyond their typical targets, infecting government entities, logistics companies and maritime infrastructures in South and Southeast Asia, the Middle East, and Africa. We also shared further information about SideWinder’s post-exploitation activities and described a new sophisticated implant designed specifically for espionage."
https://securelist.com/sidewinder-apt-updates-its-toolset-and-targets-nuclear-sector/115847/
https://www.darkreading.com/cyberattacks-data-breaches/sidewinder-intensifies-attacks-maritime-sector
https://www.theregister.com/2025/03/10/sidewinder_tactics_shift/
- The Evolution Of SIM Swapping Fraud: How Fraudsters Bypass Security Layers
"Despite security measures implemented by telecom providers and regulatory bodies to prevent SIM swapping fraud, criminals continue to find new ways to exploit vulnerabilities. SIM swapping remains one of the most dangerous techniques in terms of its impact on victims. Such attacks not only lead to significant financial losses but can also result in the complete theft of personal data, accounts, and even unauthorized loan applications in the victim’s name."
https://www.group-ib.com/blog/the-evolution-of-sim-swapping-fraud-how-fraudsters-bypass-security-layers/
https://www.infosecurity-magazine.com/news/sim-swapping-fraud-surges-middle/
- Fake CAPTCHA Websites Hijack Your Clipboard To Install Information Stealers
"There are more and more sites that use a clipboard hijacker and instruct victims on how to infect their own machine. I realize that may sound like something trivial to steer clear from, but apparently it’s not because the social engineering behind it is pretty sophisticated. At first, these attacks were more targeted at people that could provide cybercriminals a foothold at a targeted company, but their popularity has grown so much that now anyone can run into one of them."
https://www.malwarebytes.com/blog/news/2025/03/fake-captcha-websites-hijack-your-clipboard-to-install-information-stealers
- Desert Dexter: Attacks On Middle Eastern Countries
"In February, the Threat Intelligence Department team at the Positive Technologies Expert Security Center (PT ESC) discovered a malicious campaign targeting the Middle East and North Africa and active since September 2024. To distribute malware, the attackers create fake news groups on social media and publish advertisements containing links to a file-sharing service or Telegram channel. These links lead to a version of the AsyncRAT malware, modified to look for cryptocurrency wallets and communicate with a Telegram bot. A similar campaign was described by Check Point in 2019, but some of the techniques used in the kill chain have evolved since then."
https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/desert-dexter-attacks-on-middle-eastern-countries
https://thehackernews.com/2025/03/desert-dexter-targets-900-victims-using.html
Breaches/Hacks/Leaks
- 560,000 People Impacted Across Four Healthcare Data Breaches
"More than 560,000 people were impacted across four data breaches disclosed last week to authorities by the healthcare organizations Hillcrest Convalescent Center, Gastroenterology Associates of Central Florida, Community Care Alliance, and Sunflower Medical Group. The biggest of the breaches in terms of the number of impacted individuals was disclosed by Kansas-based healthcare services provider Sunflower Medical Group."
https://www.securityweek.com/560000-people-impacted-across-four-healthcare-data-breaches/
https://therecord.media/kansas-healthcare-provider-data-breach
https://www.bankinfosecurity.com/rhysida-hacking-group-strikes-more-healthcare-providers-a-27677
https://www.theregister.com/2025/03/10/rhysida_healthcare/
- RansomHouse Gang Claims The Hack Of The Loretto Hospital In Chicago
"The RansomHouse gang announced the hack of Loretto Hospital in Chicago; the group claims to have stolen 1.5TB of sensitive data. The Loretto Hospital is a not-for-profit, community-focused health care provider. They provide healthcare services including: primary care, geriatric medicine, vision care, behavioral health services, pediatrics, women's health, pediatric medicine, family planning and dental services. The hospital was founded in 1939 and is headquartered in Chicago, Illinois."
https://securityaffairs.com/175187/cyber-crime/ransomhouse-gang-claims-the-hack-of-the-loretto-hospital-in-chicago.html
General News
- US Govt Says Americans Lost Record $12.5 Billion To Fraud In 2024
"The U.S. Federal Trade Commission (FTC) said today that Americans lost a record $12.5 billion to fraud last year, a 25% increase over the previous year. Consumers reported that investment scams resulted in the highest losses, totaling around $5.7 billion with a median loss of over $9,000 and exceeding all other fraud categories. The second largest reported loss was linked with imposter scams, amounting to $2.95 billion in 2024. Younger people have also reported losing money to fraud more often than people over 70, as 44% of all reports filed last year came from consumers between 20 and 29."
https://www.bleepingcomputer.com/news/security/us-govt-says-americans-lost-record-125-billion-to-fraud-in-2024/
- Vulnerability Reward Program: 2024 In Review
"In 2024, our Vulnerability Reward Program confirmed the ongoing value of engaging with the security research community to make Google and its products safer. This was evident as we awarded just shy of $12 million to over 600 researchers based in countries around the globe across all of our programs."
https://security.googleblog.com/2025/03/vulnerability-reward-program-2024-in.html
https://www.bleepingcomputer.com/news/security/google-paid-12-million-in-bug-bounties-last-year-to-security-researchers/
https://www.darkreading.com/vulnerabilities-threats/google-pays-nearly-12m-2024-bug-bounty-program
https://www.securityweek.com/google-paid-out-12-million-via-bug-bounty-programs-in-2024/
- Trends Report On Phishing Emails In February 2025
"This report provides statistics, trends, and case details on the distribution volume and attachment threats of phishing emails collected and analyzed in February 2025. The following is a part of the statistics and cases included in the original report."
https://asec.ahnlab.com/en/86685/
- When Seconds Count: How To Survive Fast-And-Furious DDoS Microbursts
"Picture this: You're on a critical Monday morning video call with your team, delving into crucial project milestones. Suddenly, the call drops, everyone is disconnected, and your voice-over-IP (VoIP) system goes haywire. By the time you scramble to check the firewall logs, everything appears normal again. No red flags, no massive traffic anomalies — just a brief but devastating interruption."
https://www.darkreading.com/cyberattacks-data-breaches/survive-fast-furious-ddos-microbursts
- Fortinet Identifies Malicious Packages In The Wild: Insights And Trends From November 2024 Onward
"FortiGuard Labs has analyzed malicious software packages detected from November 2024 to the present, identifying various techniques used to exploit system vulnerabilities. This analysis provides insights into the evolving threat landscape and emerging attack methods. FortiGuard Labs leverages our proprietary, AI-driven OSS malware detection system to track and examine these threats. By reviewing the tactics observed—such as low-file-count packages designed to evade detection, command overwrite techniques, and typosquatting—this report outlines key trends and their potential impact on system security."
https://www.fortinet.com/blog/threat-research/fortinet-identifies-malicious-packages-in-the-wild-insights-and-trends
https://hackread.com/malicious-packages-exploiting-open-source-platforms/
https://www.infosecurity-magazine.com/news/malicious-software-packages/
- How To Safely Dispose Of Old Tech Without Leaving A Security Risk
"Every year, millions of old tech are thrown away due to age, malfunctions, or to make way for new ones, which creates security risks related to the data on these devices. The data can often still be recovered if devices are erased without proper tools and procedures. Here’s why securely disposing of old tech is crucial."
https://www.helpnetsecurity.com/2025/03/10/old-tech-dispose-security-risk/
- How NOT To F-Up Your Security Incident Response
"Experiencing a ransomware infection or other security breach ranks among the worst days of anyone's life — but it can still get worse. Like if you completely and utterly stuff up the incident response investigation and that snafu adds millions of dollars more in damages costs to the overall bill. In one such incident, Jake Williams, VP of research and development and cybersecurity consulting biz Hunter Strategy, says he was called in to clean up a client's hot mess of a forensics report, prompting a frustrated social media post "imploring" companies: "This is NOT something you can just DIY.""
https://www.theregister.com/2025/03/10/incident_response_advice/
- What Happens When Push Notifications Go Malicious?
"Push notifications are a common feature that many websites use to keep users engaged. However, what happens when these notifications turn malicious? Renée Burton, Vice President of Threat Intel at Infoblox, recently shared her firsthand experience with this alarming trend. Here’s a look at how scammers exploit push notifications to deliver scams, including fake gift cards and sweepstakes."
https://hackread.com/what-happens-when-push-notifications-go-malicious/
- Achilles Email: Defending The Eternal Attack Surface
"The Anti-Phishing Working Group (APWG) observed 932,923 phishing attacks in Q3 2024. If you think your company is safe from these attacks, you’re wrong. Email continues to be the number one point of vulnerability for businesses and the managed service providers (MSPs) that support them. New research from the Acronis Threat Research Unit showed that 31.4% of all emails received in the second half of 2024 were spam, and almost 50% of users were attacked at least once via email by phishing or direct malware. Social engineering attacks were up 7% compared to the first half of the same year."
https://www.infosecurity-magazine.com/blogs/achilles-email-eternal-attack/
Reference
Electronic Transactions Development Agency (ETDA)