This week’s cybersecurity landscape is marked by the evolution of threats, from sophisticated nation-state campaigns to stealthy malware. Advanced threat groups are exploiting outdated hardware, abusing legitimate tools for financial fraud, and finding new ways to bypass security defenses. Meanwhile, supply chain threats are on the rise, with open-source repositories becoming a breeding ground for credential theft and hidden backdoors.
However, it’s not all bad news. Law enforcement is gaining ground on cybercriminal networks, with key ransomware figures facing extradition, and the security community is making strides in uncovering and dismantling active threats. Ethical hackers continue to expose critical flaws, and new decryptors offer a fighting chance against ransomware operators.
In this week’s recap, we delve into the latest attack techniques, emerging vulnerabilities, and defensive strategies to keep you ahead of the curve. Stay informed, stay secure.
⚡ Threat of the Week
UNC3886 Targets End-of-Life Juniper Networks MX Series Routers — UNC3886, a China-nexus hacking group, has targeted end-of-life MX Series routers from Juniper Networks as part of a campaign designed to deploy six distinct TinyShell-based backdoors. Fewer than 10 organizations have been targeted as part of the campaign. The backdoors had varying custom capabilities, including active and passive backdoor functions, as well as an embedded script that disables logging mechanisms on the target device. Further analysis by Juniper Networks has revealed that at least one security vulnerability (CVE-2025-21590) contributed to a successful attack that allowed the threat actors to bypass security protections and execute malicious code.
🔔 Top News
- Storm-1865 Uses ClickFix for Financial Fraud and Theft — A threat actor known as Storm-1865 has been observed leveraging the increasingly popular ClickFix strategy as part of a phishing campaign that uses Booking.com lures to direct users to credential-stealing malware. The campaign, ongoing since December 2024, has targeted a wide geographical area, including North America, Oceania, South and Southeast Asia, and Northern, Southern, Eastern, and Western Europe.
- North Korea Targets Korean and English-Speaking Users with KoSpy — The North Korea-linked ScarCruft actor has uploaded bogus Android apps to the Google Play Store by passing them off as seemingly innocuous utility apps that, when installed, unleash a malware called KoSpy. It harbors features to collect SMS messages, call logs, location, files, audio, and screenshots via dynamically loaded plugins. The apps have since been removed from the app marketplace.
- SideWinder Goes After Maritime and Logistics Companies — The advanced persistent threat (APT) group dubbed SideWinder has been linked to attacks targeting maritime and logistics companies in South and Southeast Asia, the Middle East, and Africa using a modular post-exploitation toolkit called StealerBot to capture a wide range of sensitive information from compromised hosts.
- LockBit Developer Extradited to the U.S. to Face Charges — Rostislav Panev, a 51-year-old dual Russian and Israeli national, was extradited to the U.S. from Israel to face charges related to his alleged involvement as a developer of the LockBit ransomware group from 2019 to February 2024.
- Malicious PyPI Packages Conduct Credential Theft — A collection of 20 packages uncovered on the Python Package Index (PyPI) repository masqueraded as time- and cloud-related utilities but contained hidden functionality to steal sensitive data such as cloud access tokens. The packages were collectively downloaded over 14,100 times before they were removed from the PyPI repository.
🔥 Trending CVEs
Attackers love software vulnerabilities—they’re easy doors into your systems. Every week brings fresh flaws, and waiting too long to patch can turn a minor oversight into a major breach. Below are this week’s critical vulnerabilities you need to know about. Take a look, update your software promptly, and keep attackers locked out.
This week’s list includes — CVE-2025-24983, CVE-2025-24984, CVE-2025-24985, CVE-2025-24991, CVE-2025-24993, CVE-2025-26633 (Microsoft Windows), CVE-2025-24201 (Apple iOS, iPadOS, macOS Sequoia, Safari, and VisionOS), CVE-2025-25291, CVE-2025-25292 (ruby-saml), CVE-2025-27363 (FreeType), CVE-2024-12297 (Moxa PT switches), CVE-2025-27816 (Arctera InfoScale product), CVE-2025-24813 (Apache Tomcat), CVE-2025-27636 (Apache Camel), CVE-2025-27017 (Apache NiFi), CVE-2024-56336 (Siemens SINAMICS S200), CVE-2024-13871, CVE-2024-13872 (Bitdefender BOX v1), CVE-2025-20115 (Cisco IOS XR), CVE-2025-27593 (SICK DL100-2xxxxxxx), CVE-2025-27407 (graphql), CVE-2024-54085 (AMI), CVE-2025-27509 (Fleet), and CVE-2024-57040 (TP-Link TL-WR845N router).
📰 Around the Cyber World
- Google Pays $11.8 Million in 2024 Bug Bounty Program — Google paid almost $12 million in bug bounty rewards to 660 security researchers who reported security issues through the company’s Vulnerability Reward Program (VRP) in 2024.
- Security Flaws in ICONICS Suite Disclosed — Five high-severity security flaws have been disclosed in a Supervisory Control and Data Acquisition (SCADA) system named ICONICS Suite – CVE-2024-1182, CVE-2024-7587, CVE-2024-8299, CVE-2024-9852, and CVE-2024-8300 – that allow an authenticated attacker to execute arbitrary code, elevate privileges, and manipulate critical files.
- Threat Actors Intensify Abuse of Remote Access Tools — Threat actors like TA583, TA2725, and UAC-0050 are increasingly using legitimate remote monitoring and management (RMM) tools such as ScreenConnect, Fleetdeck, Atera, and Bluetrait as a first-stage payload in email campaigns.
- Decryptor for Linux Variant of Akira Ransomware Released — A decryptor has been released for the Linux/ESXi variant of Akira ransomware that appeared in 2024. It uses GPU power to retrieve the decryption key and unlock files for free.
- Volt Typhoon Hackers Dwelled in a U.S. Electric Company for Over 300 Days — Chinese hackers linked to the Volt Typhoon (aka Voltzite) campaign spent nearly one year inside the systems of a major utility company in Littleton, Massachusetts.
- Lazarus Group Drops LazarLoader Malware — The North Korea-linked Lazarus Group has been observed targeting South Korean web servers to install web shells and a downloader malware dubbed LazarLoader, which then is responsible for fetching an unspecified backdoor.
- YouTube Becomes Conduit for DCRat — A new wave of cyber attacks utilizing the Dark Crystal RAT (DCRat) backdoor has been targeting users since early 2025 through YouTube distribution channels.
- New Social Engineering Campaigns Aimed at Microsoft 365 Account Takeover — Proofpoint is warning of two ongoing, highly targeted campaigns that combine OAuth redirection mechanisms with brand impersonation techniques, malware proliferation, and Microsoft 365-themed credential phishing to facilitate account takeover (ATO) attacks.
- Wi-Fi Jamming Technique Enables Precision DoS Attack — New research has demonstrated a sophisticated Wi-Fi jamming technique that’s capable of disabling individual devices with millimeter-level precision by leveraging Reconfigurable Intelligent Surface (RIS) technology.
- Hash DoS Flaw in QUIC Implementations — Multiple Quick UDP Internet Connections (QUIC) protocol implementations have been found susceptible to a hash denial-of-service (DoS) attack.
- Exposed Jupyter Notebooks Become Cryptominer Targets — A new evasive campaign is targeting misconfigured Jupyter Notebooks installed on both Windows and Linux systems to deliver a cryptocurrency miner.
- ESP32 Chip Backdoor Claims Disputed — Espressif, the manufacturer of ESP32, a low-cost, low-power microcontroller with integrated Wi-Fi and dual-mode Bluetooth capabilities, has pushed back against claims of a backdoor in its products.
- Switzerland Makes it Mandatory to Disclose Critical Infra Attacks — The National Cyber Security Centre (NCSC) of Switzerland has announced that critical infrastructure organizations will be required to report cyberattacks to the NCSC within 24 hours of discovery starting April 1, 2025.
- Bugs in Microsoft’s Time Travel Debugging (TTD) Framework — Google-owned Mandiant has detailed its security analysis of the Time Travel Debugging (TTD) framework, a record-and-replay debugging tool for Windows user-mode applications.
- NIST Chooses HQC as Fifth Post-Quantum Crypto Algorithm — The U.S. National Institute of Standards and Technology (NIST) has selected HQC (short for Hamming Quasi-Cyclic) as a backup algorithm, a “second line of defense” against the threat posed by a future quantum computer.
- Going from BYOVD to BYOTB to BYOVE — Bring Your Own Vulnerable Driver (BYOVD) is a known attack technique that involves a threat actor using a legitimate but vulnerable driver — either already pre-installed on the host or introduced to a target environment — with the goal of gaining elevated privileges and performing malicious actions.
🎥 Cybersecurity Webinars
- Learn How to Eliminate Identity-Based Threats — Despite massive security investments, identity-based attacks like phishing and MFA bypass continue to thrive. Traditional methods accept breaches as inevitable—but what if you could eliminate these threats altogether?
- Discover AI-Driven Threats and Zero Trust Defense Before It’s Too Late — Artificial Intelligence (AI) is reshaping cybersecurity, amplifying threats, and outsmarting traditional defenses.
- Your AI is Outpacing Your Security: Here’s How to Keep Up — Hidden AI tools are quietly spreading across your environment, bypassing security controls until they become a real threat.
🔧 Cybersecurity Tools
- CVE Prioritizer — An advanced vulnerability assessment tool designed to streamline your patch management by intelligently combining CVSS scores, EPSS predictive insights, CISA’s Known Exploited Vulnerabilities (KEV), and VulnCheck’s enriched community data (NVD++, KEV).
- Fleet — An open-source security and IT platform helping teams at companies like Fastly and Gusto manage thousands of devices easily.
- ZeroProbe — A specialized enumeration and exploit-development toolkit for security researchers, penetration testers, and red teamers.
🔒 Tip of the Week
Detecting Threat Actors Early with Sysmon and Event ID 4688 — Attackers rely heavily on running unusual or malicious processes—such as encoded PowerShell commands, uncommon scripts, or tools like certutil.exe or rundll32.exe—to escalate privileges and evade detection.
For practical implementation, install Sysmon with a trusted, community-driven configuration (like SwiftOnSecurity’s config), and enable Windows process creation auditing (Event ID 4688, with command-line logging turned on) through Group Policy or the command line. Then, automate detection and alerting using free SIEM solutions like Elastic Stack (ELK) or Graylog, which integrate Sysmon and Windows logs for real-time visibility and rapid threat response.
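As an added illustration of the detection step above (not code from the original recap or from any SIEM vendor), the following Python models a minimal rule set over process-creation records shaped like Windows Event ID 4688 and Sysmon Event ID 1. The field names follow those two event schemas; the sample records, the benign encoded payload, and the example.invalid URL are constructed for the example.

```python
import base64
import re

# Constructed sample records in the shape of Windows 4688 / Sysmon Event ID 1
# fields (not real telemetry). The encoded command decodes to a benign "Get-Date".
ENCODED = base64.b64encode("Get-Date".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\certutil.exe",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "certutil.exe -urlcache -split -f http://example.invalid/a.txt a.txt"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
]

ENC_FLAG = re.compile(r"(?:^|\s)-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
OFFICE_PARENTS = ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe")

def normalize(evt):
    """Map the two schemas (4688 vs Sysmon ID 1) onto one (image, parent, cmdline) tuple."""
    image = evt.get("NewProcessName") or evt.get("Image") or ""
    parent = evt.get("ParentProcessName") or evt.get("ParentImage") or ""
    return image.lower(), parent.lower(), evt.get("CommandLine", "")

def decode_powershell(b64):
    """PowerShell -EncodedCommand is base64 of UTF-16LE; return text or None if malformed."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def detect(events):
    """Return a list of (rule, image, context) findings; benign events produce nothing."""
    findings = []
    for evt in events:
        image, parent, cmd = normalize(evt)
        exe = image.rsplit("\\", 1)[-1]
        m = ENC_FLAG.search(cmd)
        if exe in ("powershell.exe", "pwsh.exe") and m:
            findings.append(("encoded_powershell", exe, decode_powershell(m.group(1))))
        if exe == "certutil.exe" and re.search(r"-(?:urlcache|decode|encode)\b", cmd, re.I):
            findings.append(("certutil_download_or_decode", exe, cmd))
        if exe in ("powershell.exe", "rundll32.exe", "certutil.exe") and parent.rsplit("\\", 1)[-1] in OFFICE_PARENTS:
            findings.append(("office_spawned_lolbin", exe, parent))
    return findings
```

Decoding the encoded command in the alert gives the analyst the actual script text rather than an opaque blob, and the parent-process rule catches the Office-to-LOLBin chain even when the command line itself looks harmless.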
Conclusion
Cyber threats aren’t just evolving—they’re adapting to security controls, exploiting human behavior, and weaponizing legitimate technologies. This week’s developments highlight a critical reality: outdated infrastructure isn’t just a liability, it’s an invitation.
Threat actors are shifting tactics faster than many defenses can keep up. They’re embedding malware in everyday tools, leveraging phishing beyond mere credential theft, and manipulating vulnerabilities that most organizations overlook. The lesson? Security isn’t about reacting to the breach—it’s about anticipating the next move.
As defenders, our edge isn’t just in patching vulnerabilities but in understanding the mindset of attackers. Every breach, every exploit, and every overlooked detail is a signal: the threat landscape doesn’t wait, and neither should our response. Stay proactive, stay skeptical, and stay ahead.