Cyber Threat Intelligence 12 March 2025
Industrial Sector
- Optigo Networks Visual BACnet Capture Tool/Optigo Visual Networks Capture Tool
"Successful exploitation of these vulnerabilities could allow an attacker to bypass authentication, gain control over the products, or impersonate the web applications."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-070-02
- Schneider Electric Uni-Telway Driver
"Successful exploitation of this vulnerability could allow an attacker to perform a denial of service."
https://www.cisa.gov/news-events/ics-advisories/icsa-25-070-01
Vulnerabilities
- Microsoft March 2025 Patch Tuesday Fixes 7 Zero-Days, 57 Flaws
"Today is Microsoft's March 2025 Patch Tuesday, which includes security updates for 57 flaws, including six actively exploited zero-day vulnerabilities. This Patch Tuesday also fixes six "Critical" vulnerabilities, all remote code execution vulnerabilities."
https://www.bleepingcomputer.com/news/microsoft/microsoft-march-2025-patch-tuesday-fixes-7-zero-days-57-flaws/
https://www.darkreading.com/application-security/whopping-number-microsoft-zero-days-under-attack
https://blog.talosintelligence.com/march-patch-tuesday-release/
https://www.tripwire.com/state-of-security/march-2025-patch-tuesday-analysis
https://cyberscoop.com/microsoft-patch-tuesday-march-2025/
https://www.securityweek.com/patch-tuesday-microsoft-patches-57-flaws-flags-six-active-zero-days/
https://www.theregister.com/2025/03/12/patch_tuesday/
- Apple Fixes WebKit Zero-Day Exploited In ‘Extremely Sophisticated’ Attacks
"Apple has released emergency security updates to patch a zero-day bug the company describes as exploited in "extremely sophisticated" attacks. The vulnerability is tracked as CVE-2025-24201 and was found in the WebKit cross-platform web browser engine used by Apple's Safari web browser and many other apps and web browsers on macOS, iOS, Linux, and Windows. "This is a supplementary fix for an attack that was blocked in iOS 17.2," the iPhone maker said in security advisories issued on Tuesday. "Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 17.2.""
https://www.bleepingcomputer.com/news/apple/apple-fixes-webkit-zero-day-exploited-in-extremely-sophisticated-attacks/
https://support.apple.com/en-us/122281
https://www.securityweek.com/apple-ships-ios-18-3-2-to-fix-already-exploited-webkit-flaw/
https://cyberscoop.com/apple-zero-day-patch-march-2025-cve-2025-24201/
https://securityaffairs.com/175269/hacking/apple-third-zero-day-2025.html
- Patch Tuesday: Critical Code-Execution Bugs In Acrobat And Reader
"Software maker Adobe on Tuesday released fixes for at least 35 security flaws in a wide range of products, including serious code-execution bugs in the widely deployed Acrobat and Reader applications. As part of its scheduled Patch Tuesday rollout, the San Jose, Calif. company called immediate attention to a high-severity bulletin documenting at least nine security defects in Adobe Acrobat and Reader for Windows and macOS."
https://www.securityweek.com/patch-tuesday-critical-code-execution-bugs-in-acrobat-and-reader/
- SAP Patches High-Severity Vulnerabilities In Commerce, NetWeaver
"Enterprise software maker SAP on Tuesday announced the release of 21 new and three updated security notes on its March 2025 security patch day. The company included five high-priority security notes in its advisory, namely three new notes that address vulnerabilities in Commerce, NetWeaver, and Commerce Cloud, and two updated notes that resolve flaws in Approuter and PDCE. The most severe of these issues are CVE-2025-27434 and CVE-2025-26661 (CVSS score of 8.8), described as a cross-site scripting (XSS) bug in Commerce and a missing authorization check in NetWeaver."
https://www.securityweek.com/sap-patches-high-severity-vulnerabilities-in-commerce-netweaver/
- Edimax Says No Patches Coming For Zero-Day Exploited By Botnets
"Taiwan-based networking solutions provider Edimax says it’s aware of reports that a vulnerability affecting some of its cameras has been exploited in the wild, but it cannot release patches due to the product being discontinued more than a decade ago."
https://www.securityweek.com/edimax-says-no-patches-coming-for-zero-day-exploited-by-botnets/
- Moxa Issues Fix For Critical Authentication Bypass Vulnerability In PT Switches
"Taiwanese company Moxa has released a security update to address a critical security flaw impacting its PT switches that could permit an attacker to bypass authentication guarantees. The vulnerability, tracked as CVE-2024-12297, has been assigned a CVSS v4 score of 9.2 out of a maximum of 10.0. "Multiple Moxa PT switches are vulnerable to an authentication bypass because of flaws in their authorization mechanism," the company said in an advisory released last week."
https://thehackernews.com/2025/03/moxa-issues-fix-for-critical.html
https://www.moxa.com/en/support/product-support/security-advisory/mpsa-241408-cve-2024-12297-frontend-authorization-logic-disclosure-vulnerability-identified-in-pt-switches
- MINJA Sneak Attack Poisons AI Models For Other Chatbot Users
"AI models with memory aim to enhance user interactions by recalling past engagements. However, this feature opens the door to manipulation. This hasn't been much of a problem for chatbots that rely on AI models because administrative access to the model's backend infrastructure would be required in previously proposed threat scenarios."
https://www.theregister.com/2025/03/11/minja_attack_poisons_ai_model_memory/
Malware
- Lazarus Strikes Npm Again With New Wave Of Malicious Packages
"North Korea’s Lazarus Group continues to infiltrate the npm ecosystem, deploying six new malicious packages designed to compromise developer environments, steal credentials, extract cryptocurrency data, and deploy a backdoor. In this campaign, Socket researchers uncovered BeaverTail malware embedded within seemingly benign packages — is-buffer-validator, yoojae-validator, event-handle-package, array-empty-validator, react-event-dependency, and auth-validator — each closely mirroring tactics previously documented in Lazarus (Contagious Interview) operations. These findings align with the Socket Threat Research Team’s January 2025 report on the Lazarus APT group’s ongoing supply chain compromises."
https://socket.dev/blog/lazarus-strikes-npm-again-with-a-new-wave-of-malicious-packages
https://www.bleepingcomputer.com/news/security/north-korean-lazarus-hackers-infect-hundreds-via-npm-packages/
https://hackread.com/lazarus-group-backdoor-fake-npm-packages-attack/
- Captain MassJacker Sparrow: Uncovering The Malware’s Buried Treasure
"Cryptojacking malware—a type of malware that tries to steal cryptocurrencies from users on infected machines. Curiously, this kind of malware isn’t nearly as famous as ransomware or even infostealer malware. We found this kind of strange since cryptocurrencies have been a popular subject in recent years, so you would think that malware that dabbles in the field would make some more headlines."
https://www.cyberark.com/resources/threat-research-blog/captain-massjacker-sparrow-uncovering-the-malwares-buried-treasure
https://www.bleepingcomputer.com/news/security/massjacker-malware-uses-778-000-wallets-to-steal-cryptocurrency/
- Microsoft Copilot Spoofing: A New Phishing Vector
"Many companies around the world have grown to rely on the Microsoft environment for their day-to-day workflow. However, this widespread adoption comes with risks, including the potential for spoofing attacks. The PDC has seen a campaign of phishing emails delivered to multiple customers, targeting Microsoft Copilot. This service functions as a type of Generative AI assistant, similar to many of the functions performed by OpenAI's ChatGPT."
https://cofense.com/blog/microsoft-copilot-spoofing-a-new-phishing-vector
- Bitdefender Warns Of Fake Energy Scams Using SMS Messages And Elon Musk's Likeness
"Bitdefender has identified a malicious SMS campaign targeting the United States, taking advantage of the recent surge in visibility of Elon Musk, to sell a worthless device that will supposedly help people save money on electricity bills."
https://www.bitdefender.com/en-gb/blog/hotforsecurity/fake-energy-scams-elon
https://hackread.com/sms-scam-elon-musks-sell-fake-energy-devices-usa/
- Remote Monitoring And Management (RMM) Tooling Increasingly An Attacker’s First Choice
"More threat actors are using legitimate RMM tools in email campaigns as a first-stage payload for cyberattacks. RMM software is used legitimately in enterprises for information technology (IT) administrators to remotely manage fleets of computers. When abused, such software has the same capabilities as remote access trojans (RATs) and financially motivated threats are delivering RMM tools more often via email."
https://www.proofpoint.com/us/blog/threat-insight/remote-monitoring-and-management-rmm-tooling-increasingly-attackers-first-choice
- DCRat Backdoor Returns
"Since the beginning of the year, we’ve been tracking in our telemetry a new wave of DCRat distribution, with paid access to the backdoor provided under the Malware-as-a-Service (MaaS) model. The cybercriminal group behind it also offers support for the malware and infrastructure setup for hosting the C2 servers."
https://securelist.com/new-wave-of-attacks-with-dcrat-backdoor-distributed-by-maas/115850/
- Cato CTRL Threat Research: Ballista – New IoT Botnet Targeting Thousands Of TP-Link Archer Routers
"Over the years, major IoT botnets like Mirai and Mozi have proven how easily routers can be exploited and threat actors have taken note. Two key issues have played in their favor: the fact that users rarely deploy new firmware to their routers, coupled with the lack of regard for security by router vendors. As a result, router vulnerabilities may persist in the wild for much longer than initially expected, even after patches are published publicly."
https://www.catonetworks.com/blog/cato-ctrl-ballista-new-iot-botnet-targeting-thousands-of-tp-link-archer-routers/
https://thehackernews.com/2025/03/ballista-botnet-exploits-unpatched-tp.html
https://therecord.media/ballista-botnet-tp-link-archer-routers
https://www.securityweek.com/new-ballista-iot-botnet-linked-to-italian-threat-actor/
- Steganography Explained: How XWorm Hides Inside Images
"Inside the most innocent-looking image, a breathtaking landscape, or a funny meme, something dangerous could be hiding, waiting for its moment to strike. No strange file names. No antivirus warnings. Just a harmless picture, secretly concealing a payload that can steal data, execute malware, and take over your system without a trace. This is steganography, a cybercriminal's secret weapon for concealing malicious code inside harmless-looking files. By embedding data within images, attackers evade detection, relying on separate scripts or processes to extract and execute the hidden payload."
https://thehackernews.com/2025/03/steganography-explained-how-xworm-hides.html
- AI-Assisted Fake GitHub Repositories Fuel SmartLoader And LummaStealer Distribution
"Cybercriminals are using fake GitHub repositories that make heavy use of AI for its lures to distribute malware, deceiving users with seemingly legitimate tools while evading detection. The Trend Micro Threat Hunting team identified an ongoing campaign that uses these repositories to deploy SmartLoader, which is then subsequently used to deliver other malware such as Lumma Stealer, an information stealer being distributed via the Malware-as-a-Service (MaaS) model by its creators (which we track as Water Kurita). These malicious repositories are disguised as non-malicious tools, including game cheats, cracked software, and cryptocurrency utilities."
https://www.trendmicro.com/en_us/research/25/c/ai-assisted-fake-github-repositories.html
- A Deep Dive Into Strela Stealer And How It Targets European Countries
"The Strela Stealer (rus. Cтрела, lit. 'Arrow') is an infostealer that exfiltrates email log-in credentials and has been in the wild since late 2022. Strela Stealer is a precisely focused malware, targeting two email clients — Mozilla Thunderbird and Microsoft Outlook — on systems located in chosen European countries. Through the years, attackers have delivered Strela Stealer to thousands of email users through a number of large-scale phishing campaigns, primarily targeting Spain, Italy, Germany, and Ukraine. The social engineering techniques used in the phishing campaigns have evolved. Recently, the threat actor behind Strela Stealer started forwarding legitimate emails containing invoices, but instead of the original invoice attachment, a ZIP archive containing the Strela Stealer malware loader was sent to unwitting victims."
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/a-deep-dive-into-strela-stealer-and-how-it-targets-european-countries/
Breaches/Hacks/Leaks
- PowerSchool Previously Hacked In August, Months Before Data Breach
"PowerSchool has published a long-awaited CrowdStrike investigation into its massive December 2024 data breach, which determined that the company was previously hacked over 4 months earlier, in August, and then again in September. PowerSchool is a cloud-based K-12 software provider serving over 60 million students and 18,000 customers worldwide, offering enrollment, communication, attendance, staff management, learning, analytics, and finance solutions."
https://www.bleepingcomputer.com/news/security/powerschool-previously-hacked-in-august-months-before-data-breach/
- Thousands Of Records, Including PII, Exposed Online In Healthcare Marketplace Connecting Facilities And Nurses Data Leak
"Cybersecurity Researcher, Jeremiah Fowler, discovered and reported to Website Planet about a non-password-protected database that contained over 86,000 records belonging to ESHYFT — a New-Jersey-based HealthTech company that operates in 29 states. It offers a mobile app platform that connects healthcare facilities with healthcare workers, including Certified Nursing Assistants (CNAs), Licensed Practical Nurses (LPNs), and Registered Nurses (RNs)."
https://www.websiteplanet.com/news/eshyft-report-breach/
https://www.theregister.com/2025/03/11/uber_for_nurses_exposes_86k/
General News
- Cracking The Code: How To Identify, Mitigate, And Prevent BIN Attacks
"Threat actors with financial motivations often leverage BIN attacks when targeting financial services or eCommerce victims. BIN attacks involve threat actors systematically testing card numbers stemming from a Bank Identification Number (BIN) to find valid card details. BIN values are assigned to card issuers and form the first 6-8 digits on payment cards. These values are published to merchants, payment processors, and other service providers to facilitate transactions and are publicly available."
https://www.cybereason.com/blog/identifying-and-preventing-bin-attacks
- February 2025’s Malware Spotlight: AsyncRAT Emerges, Targeting Trusted Platforms
"Check Point’s latest threat index highlights a new campaign involving the malware, AsyncRAT, a remote access trojan targeting Windows systems since 2019. The fourth most prevalent malware of the month, AsyncRAT, enables data theft, command execution, and system compromise. The latest attacks utilized TryCloudflare tunnels and malicious Python packages, starting with phishing emails that contained Dropbox URLs. This led to a multi-step infection chain involving LNK, JavaScript, and BAT files, culminating in an obfuscated AsyncRAT payload deployment."
https://blog.checkpoint.com/security/february-2025s-malware-spotlight-asyncrat-emerges-targeting-trusted-platforms/
- Cyble Sensors Detect Exploit Attempts On WordPress Plugins, Network Devices
"Cyble honeypot sensors have detected dozens of vulnerabilities targeted in attack attempts in recent weeks, including some known to be targeted by advanced persistent threat (APT) groups. WordPress plugins, network devices and firewalls have been some of the targets detailed in the threat intelligence company’s weekly sensor intelligence reports to clients."
https://cyble.com/blog/cyble-sensors-wordpress-plugins-network-devices/
- Balancing Cybersecurity Accountability & Deregulation
"As the US transitions into a new administration, deregulation — or perhaps even outright abolishing certain agencies and functions — is set to be a defining theme of 2025. While federal agencies across sectors like labor, education, and transportation are expected to be slashed in an effort to cut red tape and fuel economic growth, cybersecurity regulations will be consolidated within agencies like the Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Administration (CISA). Simultaneously, they will tighten regulations to protect national security."
https://www.darkreading.com/vulnerabilities-threats/balancing-cybersecurity-accountability-deregulation
- Democratizing Security To Improve Security Posture
"Small to midsize (SMB) businesses suffer highly disruptive cyberattacks that can lead to expensive fallouts and force some doors to close permanently. However, the evolving trend of cybersecurity democratization aims to assist SMBs by providing more cost-effective security tools that don't require a large or dedicated security team to deploy or maintain."
https://www.darkreading.com/cybersecurity-operations/democratizing-cybersecurity-improve-security-posture
- How To Spot And Avoid AI-Generated Scams
"As AI technology advances, cybercriminals create more personalized and convincing scams. This includes mimicking voices, deepfake videos, and highly convincing phishing emails that are difficult to spot. Phishing, deepfakes, and voice cloning are among the most common AI-driven techniques used by cybercriminals."
https://www.helpnetsecurity.com/2025/03/11/how-to-spot-ai-generated-scams/
- Smart Cybersecurity Spending And How CISOs Can Invest Where It Matters
"CISOs face mounting pressure to spend wisely on security. Yet, many organizations remain vulnerable due to misplaced priorities and inefficient budgeting. This article explores common pitfalls and offers strategies to strengthen cybersecurity."
https://www.helpnetsecurity.com/2025/03/11/ciso-smart-cybersecurity-spending/
- How Remote Work Strengthens Cybersecurity Teams
"The global transition to remote work has reshaped traditional workplace dynamics, introducing challenges and opportunities for cybersecurity teams. For CISOs and security professionals, embracing a remote workforce can be a strategic advantage, enhancing team capabilities and driving the modernization of security practices."
https://www.helpnetsecurity.com/2025/03/11/remote-work-cybersecurity-teams/
- 95% Of Data Breaches Tied To Human Error In 2024
"Human error contributed to 95% of data breaches in 2024, driven by insider threats, credential misuse and user-driven errors, according to a new study by Mimecast. A small fraction of employees contributed disproportionately to these security incidents, with just 8% of staff accounting for 80% of incidents. The report highlighted several high-profile incidents in the past year that were linked to human error. This included the Change Healthcare ransomware attack, in which an employee’s credentials were compromised through a phishing email, enabling the threat actors to gain access to the network."
https://www.infosecurity-magazine.com/news/data-breaches-human-error/
- Cybersecurity Challenges In Cross-Border Data Transfers And Regulatory Compliance Strategies
"The digital revolution has enabled organizations to operate seamlessly across national boundaries, relying on cross-border data transfers to support e-commerce, cloud computing, artificial intelligence, and financial transactions. However, as data moves across multiple jurisdictions, it becomes subject to varying national cybersecurity policies and data protection laws. This divergence presents a significant challenge for global businesses, which must navigate complex regulatory environments while safeguarding sensitive data from cyber threats."
https://securityaffairs.com/175223/security/cybersecurity-challenges-in-cross-border-data-transfers-and-regulatory-compliance-strategies.html
- UK Government Report Calls For Stronger Open Source Supply Chain Security Practices
"A UK government analysis of current best practices for OSS and supply chain risk management finds weaknesses in current standards and makes five recommendations to improve matters. The Department for Science, Innovation & Technology (DSIT) has published a report (PDF) titled Open source software best practice and supply chain risk management. It finds weaknesses in current practices and makes recommendations on how to improve things."
https://www.securityweek.com/uk-government-report-calls-for-stronger-open-source-supply-chain-security-practices/
https://assets.publishing.service.gov.uk/media/661ff8b83771f5b3ee757fc5/Open_Source_Software_Best_Practices_and_Supply_Chain_Risk_Management.pdf
References
Electronic Transactions Development Agency (ETDA)