Cyber Threat Intelligence 13 March 2025
Industrial Sector
- ICS Patch Tuesday: Advisories Published By CISA, Schneider Electric, Siemens
"Industrial giants Siemens and Schneider Electric have released their March 2025 Patch Tuesday ICS security advisories. The cybersecurity agency CISA has also published two advisories. Schneider Electric has published three new advisories to inform customers about three vulnerabilities affecting EcoStruxure products. The most serious is a critical issue in Power Automation System User Interface and Microgrid Operation Large that can be exploited by an attacker to execute commands when the default password has not been changed."
https://www.securityweek.com/ics-patch-tuesday-advisories-published-by-cisa-schneider-electric-siemens/
- China’s Volt Typhoon Hackers Dwelled In US Electric Grid For 300 Days
"ICS/OT security firm Dragos on Wednesday published a case study describing an intrusion attributed to the notorious Chinese threat actor Volt Typhoon into the US electric grid. The target was Littleton Electric Light and Water Departments (LELWD), a small public power utility in Massachusetts that serves Littleton and Boxborough. The utility had been in the process of implementing Dragos operational technology (OT) security solutions when the intrusion was detected, which led to an expedited deployment. The case study published by Dragos focuses on the benefits of its solutions, including how they can be used to detect such intrusions and protect OT organizations against threats."
https://www.securityweek.com/chinas-volt-typhoon-hackers-dwelled-in-us-electric-grid-for-300-days/
https://www.dragos.com/wp-content/uploads/2025/03/Dragos_Littleton_Electric_Water_CaseStudy.pdf
https://therecord.media/volt-typhoon-hackers-utility-months
https://www.darkreading.com/cyberattacks-data-breaches/volt-typhoon-strikes-massachusetts-power-utility
https://www.theregister.com/2025/03/12/volt_tyhoon_experience_interview_with_gm/
https://hackread.com/chinese-volt-typhoon-hackers-infiltrated-us-electric-grid/
New Tooling
- NetBird: Open-Source Network Security
"NetBird is an open-source solution that integrates a configuration-free peer-to-peer private network with centralized access control, providing a single platform to build secure private networks for your organization or home."
https://www.helpnetsecurity.com/2025/03/12/netbird-open-source-network-security/
https://github.com/netbirdio/netbird
Vulnerabilities
- Zoom Patches 4 High-Severity Vulnerabilities
"Zoom informed customers on Tuesday that it has patched five vulnerabilities in its applications, including four rated ‘high severity’. The high-severity vulnerabilities are tracked as CVE-2025-27440, CVE-2025-27439, CVE-2025-0151 and CVE-2025-0150. Three of them have been described as memory-related issues that can be exploited for privilege escalation via network access. Authentication is required for exploitation."
https://www.securityweek.com/zoom-patches-4-high-severity-vulnerabilities/
- Fortinet Patches 18 Vulnerabilities
"Fortinet on Tuesday informed customers about more than a dozen vulnerabilities found and patched in its products. The company has published 17 new advisories describing 18 vulnerabilities affecting FortiOS, FortiProxy, FortiPAM, FortiSRA, FortiAnalyzer, FortiManager, FortiAnalyzer-BigData, FortiSandbox, FortiNDR, FortiWeb, FortiSIEM and FortiADC."
https://www.securityweek.com/fortinet-patches-18-vulnerabilities/
- CISA Adds Six Known Exploited Vulnerabilities To Catalog
"CISA has added six new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2025-24983 Microsoft Windows Win32k Use-After-Free Vulnerability
CVE-2025-24984 Microsoft Windows NTFS Information Disclosure Vulnerability
CVE-2025-24985 Microsoft Windows Fast FAT File System Driver Integer Overflow Vulnerability
CVE-2025-24991 Microsoft Windows NTFS Out-Of-Bounds Read Vulnerability
CVE-2025-24993 Microsoft Windows NTFS Heap-Based Buffer Overflow Vulnerability
CVE-2025-26633 Microsoft Windows Management Console (MMC) Improper Neutralization Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/03/11/cisa-adds-six-known-exploited-vulnerabilities-catalog
https://www.bleepingcomputer.com/news/microsoft/microsoft-patches-windows-kernel-zero-day-exploited-since-2023/
https://securityaffairs.com/175298/hacking/u-s-cisa-adds-six-microsoft-windows-flaws-to-its-known-exploited-vulnerabilities-catalog.html
- Facebook Discloses FreeType 2 Flaw Exploited In Attacks
"Facebook is warning that a FreeType vulnerability in all versions up to 2.13 can lead to arbitrary code execution, with reports that the flaw has been exploited in attacks. FreeType is a popular open-source font rendering library used to display text and programmatically add text to images. It provides functionality to load, rasterize, and render fonts in various formats, such as TrueType (TTF), OpenType (OTF), and others."
https://www.bleepingcomputer.com/news/security/facebook-discloses-freetype-2-flaw-exploited-in-attacks/
https://www.facebook.com/security/advisories/cve-2025-27363
- Bypassing Picklescan: Sonatype Discovers Four Vulnerabilities
"Sonatype has discovered and disclosed four vulnerabilities in picklescan, a tool designed to help developers scan Python pickle files for malicious content. Pickle files, used for serializing and deserializing Python AI/ML models, can be a security risk as they allow for arbitrary code execution during the deserialization process."
https://www.sonatype.com/blog/bypassing-picklescan-sonatype-discovers-four-vulnerabilities
https://hackread.com/picklescan-vulnerabilities-bypass-ai-security-checks/
Malware
- Could The Belsen Group Be Associated With ZeroSevenGroup?
"KELA explores a possible link between the Belsen Group and ZeroSevenGroup, two cybercriminal entities with ties to Yemen. The Belsen Group surfaced in January 2025, leaking Fortinet data and selling network access, while ZeroSevenGroup had been active earlier, breaching companies and monetizing stolen data. Notably, both groups share similarities in writing style and post formatting. While these overlaps are not conclusive, they suggest a possible connection."
https://www.kelacyber.com/blog/could-the-belsen-group-be-associated-with-zerosevengroup/
https://www.securityweek.com/are-threat-groups-belsen-and-zerosevengroup-related/
- CISA And Partners Release Cybersecurity Advisory On Medusa Ransomware
"Today, CISA—in partnership with the Federal Bureau of Investigation (FBI) and Multi-State Information Sharing and Analysis Center (MS-ISAC)—released a joint Cybersecurity Advisory, #StopRansomware: Medusa Ransomware. This advisory provides tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and detection methods associated with known Medusa ransomware activity."
https://www.cisa.gov/news-events/alerts/2025/03/12/cisa-and-partners-release-cybersecurity-advisory-medusa-ransomware
https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-071a
https://www.bleepingcomputer.com/news/security/cisa-medusa-ransomware-hit-over-300-critical-infrastructure-orgs/
https://therecord.media/medusa-ransomware-targeting-critical-infrastructure-orgs
- Lookout Discovers New Spyware By North Korean APT37
"Lookout Threat Lab researchers have discovered a novel Android surveillance tool, dubbed KoSpy, which appears to target Korean and English-speaking users. The spyware, attributed with medium confidence to the North Korean APT group ScarCruft (also known as APT37), is a relatively new family with early samples going back to March 2022. The most recent samples were acquired in March 2024."
https://www.lookout.com/threat-intelligence/article/lookout-discovers-new-spyware-by-north-korean-apt37
https://therecord.media/north-korea-malware-android-apps-kospy-apt37-scarcruft
https://www.bleepingcomputer.com/news/security/new-north-korean-android-spyware-slips-onto-google-play/
- Ghost In The Router: China-Nexus Espionage Actor UNC3886 Targets Juniper Routers
"In mid-2024, Mandiant discovered threat actors deployed custom backdoors on Juniper Networks’ Junos OS routers. Mandiant attributed these backdoors to the China-nexus espionage group, UNC3886. Mandiant uncovered several TINYSHELL-based backdoors operating on Juniper Networks’ Junos OS routers. The backdoors had varying custom capabilities, including active and passive backdoor functions, as well as an embedded script that disables logging mechanisms on the target device."
https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-targets-juniper-routers
https://www.bleepingcomputer.com/news/security/chinese-cyberspies-backdoor-juniper-routers-for-stealthy-access/
https://thehackernews.com/2025/03/chinese-hackers-breach-juniper-networks.html
https://therecord.media/china-continues-attacks-routers-juniper
https://www.darkreading.com/cyberattacks-data-breaches/china-hackers-backdoor-carrier-grade-juniper-mx-routers
https://www.bankinfosecurity.com/chinese-cyberespionage-group-tied-to-juniper-mx-router-hacks-a-27696
https://www.securityweek.com/mandiant-uncovers-custom-backdoors-on-end-of-life-juniper-routers/
https://hackread.com/chinese-group-unc3886-backdoor-juniper-routers/
https://www.infosecurity-magazine.com/news/chinese-backdoor-malware-juniper/
https://www.theregister.com/2025/03/12/china_spy_juniper_routers/
https://securityaffairs.com/175308/apt/china-linked-apt-unc3886-targets-eol-juniper-routers.html
- Email Threat Radar - March 2025
"Over the last month, Barracuda threat analysts identified several notable email-based threats targeting organizations around the world, including: extortion attempts impersonating Clop ransomware; new attacks by the evasive and highly adaptive LogoKit phishing platform; and a phishing campaign leveraging SVG image file attachments."
https://blog.barracuda.com/2025/03/12/email-threat-radar-march-2025
- New SSRF Exploitation Surge Serves As a Reminder Of 2019 Capital One Breach
"GreyNoise has observed Grafana path traversal attempts preceding the coordinated SSRF surge on March 9, indicating attackers may be using Grafana as a foothold for deeper exploitation. While direct attribution is unclear, the timing suggests a multi-phase attack strategy, where attackers first map exposed infrastructure before escalating their attacks."
https://www.greynoise.io/blog/new-ssrf-exploitation-surge
https://thehackernews.com/2025/03/over-400-ips-exploiting-multiple-ssrf.html
- GO Language Based Ebyte Ransomware – A Brief Analysis
"At CYFIRMA, we are committed to delivering timely insights into emerging cyber threats and the evolving tactics of cybercriminals targeting individuals and organizations. This report provides a concise analysis of EByte Ransomware, highlighting its techniques, impact, and potential risks."
https://www.cyfirma.com/research/go-language-based-ebyte-ransomware-a-brief-analysis/
General News
- Burnout In Cybersecurity: How CISOs Can Protect Their Teams (and Themselves)
"Cybersecurity is a high-stakes, high-pressure field in which CISOs and their teams constantly battle threats, compliance requirements, and business expectations. The demand for 24/7 vigilance, sophisticated attacks, and a shortage of skilled professionals have led to a burnout epidemic in the industry. For CISOs, this isn’t just a personal issue; it’s a business risk. A burned-out team is less effective, more prone to errors, and more likely to leave, creating knowledge gaps that further strain security operations. So, what can CISOs do to protect their teams and themselves from burnout? Here’s a structured approach."
https://www.helpnetsecurity.com/2025/03/12/cybersecurity-burnout-ciso/
- Incident Response Analyst Report 2024
"Kaspersky provides rapid and fully informed incident response services to organizations, ensuring impact analysis and effective remediation. Our annual report shares anonymized data about the investigations carried out by the Kaspersky Global Emergency Response Team (GERT), as well as statistics and trends in targeted attacks, ransomware and adversaries’ tools that our experts observed throughout the year in real-life incidents that required both comprehensive IR unit support and consulting services aimed at assisting organizations’ in-house expert teams."
https://securelist.com/kaspersky-incident-response-report-2024/115873/
- Zut Alors! Cyberattacks Targeting France Surged In 2024
"France playing host to the Olympics resulted in a surge of cyberattacks requiring intervention of the state cybersecurity agency, it said in an annual report also flagging an uptick in attacks levied against network edge devices. The French National Agency for Information Systems Security - ANSSI for its French acronym - said Tuesday it responded with varying levels of engagement to more than 4,300 incidents during 2024, a 15% increase in incidents over the previous year."
https://www.bankinfosecurity.com/zut-alors-cyberattacks-targeting-france-surged-in-2024-a-27704
https://www.cert.ssi.gouv.fr/cti/CERTFR-2025-CTI-004/
- The CISO As Business Resilience Architect
"It's been a tough few years for the CISO. Regulations across the globe have now made those holding the role of chief information security officer personally accountable in the event of a breach, from the Securities and Exchange Commission (SEC) demanding to know management's role in assessing and managing material risks to the European Union's NIS2 regulations, which can see C-level execs suspended. It's created a culture of blame, and the year ended with 77% of CISOs wondering if the next data breach will cost them their jobs."
https://www.darkreading.com/vulnerabilities-threats/ciso-business-resilience-architect
- NIST Finalizes Guidelines For Evaluating ‘Differential Privacy’ Guarantees To De-Identify Data
"How can we glean useful insights from databases containing confidential information while protecting the privacy of the individuals whose data is contained within? Differential privacy, a way of defining privacy in a mathematically rigorous manner, can help strike this balance. Newly updated guidelines from the National Institute of Standards and Technology (NIST) are intended to assist organizations with making the most of differential privacy’s capabilities."
https://www.nist.gov/news-events/news/2025/03/nist-finalizes-guidelines-evaluating-differential-privacy-guarantees-de
https://csrc.nist.gov/pubs/sp/800/226/final
https://github.com/usnistgov/PrivacyEngCollabSpace/tree/master/tools/de-identification/NIST-SP-800-226-SupplementalMaterial/
https://www.darkreading.com/data-privacy/nist-finalizes-differential-privacy-rules-to-protect-data
- NIST Selects HQC As Fifth Algorithm For Post-Quantum Encryption
"Last year, NIST standardized a set of encryption algorithms that can keep data secure from a cyberattack by a future quantum computer. Now, NIST has selected a backup algorithm that can provide a second line of defense for the task of general encryption, which safeguards internet traffic and stored data alike."
https://www.nist.gov/news-events/news/2025/03/nist-selects-hqc-fifth-algorithm-post-quantum-encryption
https://www.helpnetsecurity.com/2025/03/12/nist-hqc-post-quantum-encryption-algorithm/
- The Rise Of AI-Driven Cyber Attacks: How LLMs Are Reshaping The Threat Landscape
"The cyberattack lifecycle has been supercharged by generative AI. It is faster, more effective, and more dangerous than ever before. Large Language Models (LLMs) are being leveraged for malicious purposes, aiding in recon, crafting highly convincing phishing campaigns, generating proof-of-concept (PoC) exploits, and even assisting in malware development. As these capabilities continue to grow in sophistication, AI will reshape the threat landscape, posing significant challenges for cybersecurity professionals."
https://www.deepinstinct.com/blog/the-rise-of-ai-driven-cyber-attacks-how-llms-are-reshaping-the-threat-landscape
- The Rising Threat Of API Attacks: How To Secure Your APIs In 2025
"API attacks are constantly on the rise, with a recent alarming study showing that 59% of organizations give out ‘write’ access to at least half of their APIs, which leads to unauthorized access by hackers. API interfaces help with smooth communication but are usually not focused on digital protection. The risk of hackers accessing and altering data via APIs makes them prime targets for data theft, account takeover, and various harmful attacks."
https://hackread.com/rising-threat-of-api-attacks-how-to-secure-apis-2025/
- Goodbye Passwords? Enterprises Ramping Up Passkey Adoption
"87% of companies have, or are in the midst of, rolling out passkeys with goals tied to improved user experience, enhanced security, and compliance, according to the FIDO Alliance. Enterprises understand the value of passkeys for workforce sign-ins. Most decision makers (87%) report deploying passkeys at their companies. Of these, 47% report rolling out a mix of device-bound passkeys (on physical security keys and/or cards) and synced passkeys (synced securely across the user’s devices)."
https://www.helpnetsecurity.com/2025/03/12/enterprise-passkey-adoption/
- Machine Identities Outnumber Humans Increasing Risk Seven-Fold
"A surge in machine identities, faster threat detection and a significant drop in vulnerabilities are shaping the future of cloud security, according to a new report published by Sysdig today. Machine identities now outnumber human users by 40,000 to 1 and present 7.5 times more risk, according to the report. Managing these identities has become increasingly difficult as organizations expand their cloud operations."
https://www.infosecurity-magazine.com/news/machine-identities-outnumber/
- The Dark Side Of Sports Betting: How Mirror Sites Help Gambling Scams Thrive
"Sports betting is a multi-billion-dollar industry, but behind the flashing lights and promises of easy money lies a hidden underworld of deception. In recent years, shady betting companies have found a clever way to bypass regulations and continue their operations through mirror sites—duplicate versions of their main website that allow them to evade bans, deceive users, and rake in massive profits."
https://www.malwarebytes.com/blog/personal/2025/03/the-dark-side-of-sports-betting-how-mirror-sites-help-gambling-scams-thrive
- A Guide To Security Investments: The Anatomy Of a Cyberattack
"NAC, SDN, SASE, CASB, IDaaS, PAM, IGA, SIEM, TI, EDR, MDR, XDR, CTEM—the list goes on. If this “alphabet soup” sounds familiar, it is because organizations worldwide are deploying an array of security tools, all promising protection against data breaches. Global spending on information security is projected to reach $212 billion in 2025, a 15.1% increase from 2024, according to a recent Gartner forecast."
https://www.securityweek.com/a-guide-to-security-investments-the-anatomy-of-a-cyberattack/
- Beware Of DeepSeek Hype: It’s a Breeding Ground For Scammers
"In recent months, DeepSeek, an advanced AI large language model from China, has garnered significant attention as a strong contender to ChatGPT. Its sudden rise is attracting not only legitimate users and developers but also malicious actors and scammers. Per recent reports, scammers have begun deceiving individuals and organizations by employing different tactics and capitalizing on the public’s curiosity and lack of familiarity with the technology. Let’s understand in more detail how scammers are exploiting the DeepSeek hype."
https://www.securityweek.com/beware-of-deepseek-hype-its-a-breeding-ground-for-scammers/
References
Electronic Transactions Development Agency (ETDA)