Cyber Threat Intelligence 14 March 2025
Healthcare Sector
- Philips Intellispace Cardiovascular (ISCV)
"Successful exploitation of these vulnerabilities could allow an attacker to replay the session of the logged in ISCV user and gain access to patient records."
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-072-01
- CISOs, Are Your Medical Devices Secure? Attackers Are Watching Closely
"The adoption of connected medical devices, collectively called the Internet of Medical Things (IoMT), has transformed patient care. However, this technological advancement has also introduced cybersecurity challenges to safeguard patient safety and uphold organizational security."
https://www.helpnetsecurity.com/2025/03/13/secure-medical-devices/
Industrial Sector
- CISA Releases Thirteen Industrial Control Systems Advisories
"CISA released thirteen Industrial Control Systems (ICS) advisories on March 13, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
ICSA-25-072-01 Siemens Teamcenter Visualization and Tecnomatix Plant Simulation
ICSA-25-072-02 Siemens SINEMA Remote Connect Server
ICSA-25-072-03 Siemens SIMATIC S7-1500 TM MFP
ICSA-25-072-04 Siemens SiPass integrated AC5102/ACC-G2 and ACC-AP
ICSA-25-072-05 Siemens SINAMICS S200
ICSA-25-072-06 Siemens SCALANCE LPE9403
ICSA-25-072-07 Siemens SCALANCE M-800 and SC-600 Families
ICSA-25-072-08 Siemens Tecnomatix Plant Simulation
ICSA-25-072-09 Siemens OPC UA
ICSA-25-072-10 Siemens SINEMA Remote Connect Client
ICSA-25-072-11 Siemens SIMATIC IPC Family, ITP1000, and Field PGs
ICSA-25-072-12 Sungrow iSolarCloud Android App and WiNet Firmware
ICSMA-25-072-01 Philips Intellispace Cardiovascular (ISCV)"
https://www.cisa.gov/news-events/alerts/2025/03/13/cisa-releases-thirteen-industrial-control-systems-advisories
Vulnerabilities
- Juniper Patches Bug That Let Chinese Cyberspies Backdoor Routers
"Juniper Networks has released emergency security updates to patch a Junos OS vulnerability exploited by Chinese hackers to backdoor routers for stealthy access. This medium severity flaw (CVE-2025-21590) was reported by Amazon security engineer Matteo Memelli and is caused by an improper isolation or compartmentalization weakness. Successful exploitation lets local attackers with high privileges execute arbitrary code on vulnerable routers to compromise the devices' integrity."
https://www.bleepingcomputer.com/news/security/juniper-patches-bug-that-let-chinese-cyberspies-backdoor-routers-since-mid-2024/
https://supportportal.juniper.net/s/article/2025-03-Out-of-Cycle-Security-Bulletin-Junos-OS-A-local-attacker-with-shell-access-can-execute-arbitrary-code-CVE-2025-21590?language=en_US
- Sign In As Anyone: Bypassing SAML SSO Authentication With Parser Differentials
"GitLab released security updates for Community Edition (CE) and Enterprise Edition (EE), fixing nine vulnerabilities, among which two critical severity ruby-saml library authentication bypass flaws. All flaws were addressed in GitLab CE/EE versions 17.7.7, 17.8.5, and 17.9.2, while all versions before those are vulnerable. GitLab.com is already patched, and GitLab Dedicated customers will be updated automatically, but users who maintain self-managed installations on their own infrastructure will need to apply the updates manually."
https://github.blog/security/sign-in-as-anyone-bypassing-saml-sso-authentication-with-parser-differentials/
https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released/
https://thehackernews.com/2025/03/github-uncovers-new-ruby-saml.html
https://www.bleepingcomputer.com/news/security/gitlab-patches-critical-authentication-bypass-vulnerabilities/
https://securityaffairs.com/175370/security/gitlab-addressed-critical-flaws-in-ce-and-ee.html
- Cisco Patches 10 Vulnerabilities In IOS XR
"Cisco on Wednesday announced patches for 10 vulnerabilities in IOS XR, including five that could be exploited to cause denial-of-service (DoS) conditions. The most severe of the DoS flaws are CVE-2025-20142 and CVE-2025-20146, high-severity issues that impact the IPv4 access control list (ACL) feature, quality of service (QoS) policy, and the Layer 3 multicast feature of ASR 9000 series, ASR 9902, and ASR 9903 routers."
https://www.securityweek.com/cisco-patches-10-vulnerabilities-in-ios-xr/
https://sec.cloudapps.cisco.com/security/center/viewErp.x?alertId=ERP-75548
- CISA Adds Two Known Exploited Vulnerabilities To Catalog
"CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2025-24201 Apple Multiple Products WebKit Out-of-Bounds Write Vulnerability
CVE-2025-21590 Juniper Junos OS Improper Isolation or Compartmentalization Vulnerability"
https://www.cisa.gov/news-events/alerts/2025/03/13/cisa-adds-two-known-exploited-vulnerabilities-catalog
https://securityaffairs.com/175381/security/u-s-cisa-adds-apple-juniper-junos-os-flaws-known-exploited-vulnerabilities-catalog.html
- Miniaudio And Adobe Acrobat Reader Vulnerabilities
"Cisco Talos’ Vulnerability Discovery & Research team recently disclosed a Miniaudio and three Adobe vulnerabilities. The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy."
https://blog.talosintelligence.com/miniaudio-and-adobe-acrobat-reader-vulnerabilities/
- Car Exploit Allows You To Spy On Drivers In Real Time
"Researchers have demonstrated how to plant spyware in someone's car using a third-party in-vehicle infotainment system (IVI). The Pioneer DMH-WT7600NEX is a thousand-dollar aftermarket IVI, typically used to zhuzh up head units in 2010s-era consumer vehicles. But it carries a kind of bring-your-own-device (BYOD) risk to the family SUV."
https://www.darkreading.com/vulnerabilities-threats/car-exploit-spy-drivers-real-time
Malware
- New Ransomware Operator Exploits Fortinet Vulnerability Duo
"Between late January and early March, Forescout Research – Vedere Labs identified a series of intrusions based on two Fortinet vulnerabilities. It began with the exploitation of Fortigate firewall appliances — culminating in the deployment of a newly discovered ransomware strain we have dubbed SuperBlack."
https://www.forescout.com/blog/new-ransomware-operator-exploits-fortinet-vulnerability-duo/
https://www.bleepingcomputer.com/news/security/new-superblack-ransomware-exploits-fortinet-auth-bypass-flaws/
- The Rise Of XWorm RAT: What Cybersecurity Teams Need To Know Now
"XWorm Remote Access Trojan (RAT) is one of the more commonly seen RATs, along with the well-known Async RAT, Remcos RAT, and jRAT. However, XWorm RAT is significantly more advanced than most other commonly seen RATs. It was originally a Malware as a Service (MaaS) which had tiered functionality based on the subscription rate. Higher subscription tiers enabled the RAT to perform additional actions on top of basic RAT functionality, such as performing DDoS attacks, stealing additional information, and unlocking various other functionalities."
https://cofense.com/blog/the-rise-of-xworm-rat-what-cybersecurity-teams-need-to-know-now
- Analyzing OBSCURE#BAT: Threat Actors Lure Victims Into Executing Malicious Batch Scripts To Deploy Stealthy Rootkits
"The Securonix Threat Research team has been tracking a stealthy malware campaign leveraging social engineering and deceptive file downloads to trick users into executing heavily obfuscated code. This infection ultimately deploys a user-mode rootkit that manipulates system processes and registry entries to evade detection and maintain persistence."
https://www.securonix.com/blog/analyzing-obscurebat-threat-actors-lure-victims-into-executing-malicious-batch-scripts-to-deploy-stealthy-rootkits/
https://www.darkreading.com/vulnerabilities-threats/obscurebat-malware-highlights-api-hooking
https://hackread.com/new-obscurebat-malware-targets-users-fake-captchas/
- AI: Advent Of Agents Opens New Possibilities For Attackers
"The introduction of AI agents may provide further opportunities for exploitation by attackers. A year ago, when we briefed organizations on the risks posed by AI, we said that while the existing Large Language Model (LLM) AIs are already being put to use by attackers, they are largely passive and could only assist in performing tasks such as creating phishing materials or even writing code. At the time, we predicted that agents would eventually be added to LLM AIs and that they would become more powerful as a result, increasing the potential risk."
https://www.security.com/threat-intelligence/ai-agent-attacks
https://www.darkreading.com/threat-intelligence/openai-operator-agent-proof-concept-phishing-attack
- Head Mare And Twelve Join Forces To Attack Russian Entities
"In September 2024, a series of attacks targeted Russian companies, revealing indicators of compromise and tactics associated with two hacktivist groups: Head Mare and Twelve. Our investigation showed that Head Mare relied heavily on tools previously associated with Twelve. Additionally, Head Mare attacks utilized command-and-control (C2) servers exclusively linked to Twelve prior to these incidents. This suggests potential collaboration and joint campaigns between the two groups."
https://securelist.com/head-mare-twelve-collaboration/115887/
- Phishing Campaign Impersonates Booking.com, Delivers a Suite Of Credential-Stealing Malware
"Starting in December 2024, leading up to some of the busiest travel days, Microsoft Threat Intelligence identified a phishing campaign that impersonates online travel agency Booking.com and targets organizations in the hospitality industry. The campaign uses a social engineering technique called ClickFix to deliver multiple credential-stealing malware in order to conduct financial fraud and theft. As of February 2025, this campaign is ongoing."
https://www.microsoft.com/en-us/security/blog/2025/03/13/phishing-campaign-impersonates-booking-com-delivers-a-suite-of-credential-stealing-malware/
https://www.bleepingcomputer.com/news/security/clickfix-attack-delivers-infostealers-rats-in-fake-bookingcom-emails/
https://thehackernews.com/2025/03/microsoft-warns-of-clickfix-phishing.html
https://therecord.media/booking-phishing-hotels-malware-campaign
https://www.securityweek.com/microsoft-warns-of-hospitality-sector-attacks-involving-clickfix/
https://www.infosecurity-magazine.com/news/clickfix-phishing-scam-booking/
https://www.theregister.com/2025/03/13/bookingdotcom_phishing_campaign/
- Investigating Scam Crypto Investment Platforms Using Pyramid Schemes To Defraud Victims
"Unit 42 researchers discovered a campaign distributing thousands of fraudulent cryptocurrency investment platforms via websites and mobile applications. This article describes how threat actors systematically create, promote and potentially profit from these scams, highlighting the techniques used to deceive victims and the potential scale of the operation. The campaign impersonates well-known brands, cryptocurrency platforms and popular organizations to lure victims. The consistent design of the websites and mobile apps suggests the use of a standardized toolkit for developing these platforms at scale."
https://unit42.paloaltonetworks.com/fraud-crypto-platforms-campaign/
- Abusing With Style: Leveraging Cascading Style Sheets For Evasion And Tracking
"Cascading Style Sheets (CSS) specify how HTML materials are rendered and displayed to recipients. In a legitimate context, CSS is mainly used to adjust an email’s content to fit the screen resolution of the recipient. However, we will discuss how CSS can be abused by threat actors to stay under the radar and track recipients at a minimum. The features available in CSS allow attackers and spammers to track users’ actions and preferences, even though several features related to dynamic content (e.g., JavaScript) are restricted in email clients compared to web browsers. In what follows, we provide examples of CSS abuse we've identified in the wild for both evading detection and tracking users. These examples have all been observed from the second half of 2024 up until February 2025."
https://blog.talosintelligence.com/css-abuse-for-evasion-and-tracking/
General News
- February 2025 Infostealer Trend Report
"This report provides statistics, trends, and case information on the distribution quantity, distribution methods, and disguise techniques of Infostealer collected and analyzed during February 2025. Below is a summary of the report."
https://asec.ahnlab.com/en/86766/
- February 2025 Threat Trend Report On Ransomware
"This report provides statistics on the number of new ransomware samples, number of targeted systems, and targeted companies collected in February 2025, as well as major Korean and international ransomware issues worth noting. Below are the summarized details."
https://asec.ahnlab.com/en/86763/
- ClickFix: The Social Engineering Technique Hackers Use To Manipulate Victims
"Since August 2024, the Group-IB Threat Intelligence (TI) team has researched and actively monitored the ClickFix technique in the wild. This technique has gained significant traction and widespread adoption among threat actors due to its surprising effectiveness. It is tracked by cybersecurity researchers and firms under the names ClickFix and ClearFix."
https://www.group-ib.com/blog/clickfix-the-social-engineering-technique-hackers-use-to-manipulate-victims/
- Red Report 2025: Unmasking a 3X Spike In Credential Theft And Debunking The AI Hype
"Cybercriminals have turned password theft into a booming enterprise: malware targeting credential stores jumped from 8% of samples in 2023 to 25% in 2024, a threefold increase. This alarming surge is one of many insights from the newly released Red Report 2025 by Picus Labs, which analyzed over 1 million malware samples to identify the tactics hackers rely on most. The findings read like a blueprint for a “perfect heist,” revealing how modern attackers combine stealth, automation, and persistence to infiltrate systems and plunder data without detection."
https://www.bleepingcomputer.com/news/security/red-report-2025-unmasking-a-3x-spike-in-credential-theft-and-debunking-the-ai-hype/
https://www.picussecurity.com/resource/report/red-report-2025
- Patch It Up: Old Vulnerabilities Are Everyone’s Problems
"Let's pick up where we left off in my last newsletter. Please mark your calendars: The free support for Windows 10 will end on October 14, 2025. When software loses vendor support, it no longer receives patches or updates. As highlighted in my previous newsletter, the top method for initial access in the last quarter of 2024 was exploiting vulnerabilities in public-facing applications. While Windows 10 isn't typically (or shouldn't be) a public-facing application, unpatched client systems become prime targets for bad actors as they progress through the stages of an attack: Execution, Privilege Escalation, Defense Evasion, Credential Access, and Lateral Movement."
https://blog.talosintelligence.com/patch-it-up-old-vulnerabilities-are-everyones-problems/
- Salt Typhoon: A Wake-Up Call For Critical Infrastructure
"The Salt Typhoon cyberattacks marked a sobering milestone in the evolution of large-scale cyber threats. These sophisticated intrusions targeted critical infrastructure across the United States, specifically US Internet service provider (ISP) networks, thus disrupting essential services in sectors that include energy, transportation, and healthcare. Leveraging advanced tactics like zero-day exploits and obfuscation, the attackers not only caused operational downtime and financial losses but also evaded detection with alarming precision."
https://www.darkreading.com/cyberattacks-data-breaches/salt-typhoon-wake-up-call-critical-infrastructure
- Bitdefender Threat Debrief | March 2025
"Ransomware is a moving target, constantly changing its tactics, and our goal with this monthly Bitdefender Threat Debrief is to help you stay ahead of the curve. To do this, we combine information from openly available sources (OSINT) – things like news reports and research – with data we gather by analyzing Data Leak Portals (DLPs), websites where ransomware groups post details about their victims. It’s important to remember that we can't independently verify all of these claims, but we can feel quite confident in the trends we see over time."
https://www.bitdefender.com/en-us/blog/businessinsights/bitdefender-threat-debrief-march-2025
https://hackread.com/ransomware-attacks-hit-record-high-in-february-2025/
- DeepSeek Deep Dive Part 1: Creating Malware, Including Keyloggers And Ransomware
"As generative artificial intelligence (GenAI) has increased in popularity since the launch of ChatGPT, cybercriminals have become quite fond of GenAI tools to aid in their various activities. However, most traditional GenAI tools have various guardrails in place to combat attempts to use them for malicious purposes. In fact, cybercriminal usage of tools like OpenAI’s ChatGPT and Google’s Gemini have been documented by both OpenAI (“Disrupting malicious uses of AI by state-affiliated threat actors”) and Google (“Adversarial Misuse of Generative AI”). OpenAI recently removed accounts of Chinese and North Korean users caught using ChatGPT for malicious purposes."
https://www.tenable.com/blog/deepseek-deep-dive-part-1-creating-malware-including-keyloggers-and-ransomware
https://www.securityweek.com/deepseeks-malware-generation-capabilities-put-to-test/
https://www.theregister.com/2025/03/13/deepseek_malware_code/
- Security Maturity Models: Leveraging Executive Risk Appetite For Your Secure Development Evolution
"Amid the government-led push toward more secure software design, developers and executives are focusing on established software security models, which can guide companies toward embedding secure development best practices as part of routine operations. Organizations can align their processes with one of two global industry standards for self-assessment and security maturity—the Building Security In Maturity Model, known as BSIMM (pronounced “bee-sim”) and the Open Worldwide Application Security Project’s Software Assurance Maturity Model, aka OWASP SAMM."
https://www.securityweek.com/security-maturity-models-leveraging-executive-risk-appetite-for-your-secure-development-evolution/
- 4 Key Steps To Prevent Subdomain Takeovers
"Adversaries don’t need to force their way in when they can slip through an organization’s overlooked assets. Subdomain takeovers are a prime example of how attackers exploit misconfigured or abandoned DNS records to gain access, launch phishing campaigns, distribute malware, or take other malicious actions — all while operating under the guise of a legitimate corporate domain."
https://www.crowdstrike.com/en-us/blog/4-steps-to-prevent-subdomain-takeovers/
References
Electronic Transactions Development Agency (ETDA)