Cyber Threat Weekly – #67
The week of February 24th through March 2nd, around 348 cyber news articles were reviewed. A light amount of cyber threat trend and adversarial behavior news to share. Been thinking about our approach to securing our environments.
It feels like we keep doing the same things over and over again expecting a different result. Change a vendor, but don’t change the approach to solving the challenge. Even some of the latest tools use the same old approach in a different package.
Let’s start with “bring your own vulnerable driver”, which is still popular with cybercriminals. Legitimate Google and PayPal infrastructure abused. Threat actors pretend to be government officials and offer a free security audit. 2025 Global Threat Report.
Researchers analyze stealthy backdoor malware. 2024 operational technology (OT) threat trends. 2024 Malicious Infrastructure Report. New highly evasive Linux backdoor discovered. Massive password spray attack on Microsoft 365.
Researchers find cybercriminals intentionally disrupt business.
Broken Record Alert: Please patch N-day bugs!!!
Known exploited software flaws are one of the top 5 initial access vectors. We continue to share n-day vulnerabilities being actively exploited. You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog.
A close #2 priority is flaws with weaponized proof of concept (PoC) code available. Exploit chances are higher when weaponized PoC code is available. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are being exploited or have weaponized PoC code available.
You should consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices exposed to the Internet.
CISA Known Exploited Vulnerabilities – February 24th to March 2nd:
CVE-2024-20953 – Oracle Agile Product Lifecycle Management (PLM) Deserialization Vulnerability:
Allows a low-privileged attacker with network access via HTTP to compromise the system.
CVE-2017-3066 – Adobe ColdFusion Deserialization Vulnerability:
Allows for arbitrary code execution.
CVE-2023-34192 – Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability:
Allows a remote authenticated attacker to execute arbitrary code via a crafted script to the /h/autoSaveDraft function.
CVE-2024-49035 – Microsoft Partner Center Improper Access Control Vulnerability:
Allows an attacker to escalate privileges.
Ransomware Gangs Still Abuse “Bring Your Own Vulnerable Driver” Attacks
This time it’s the Paragon Partition Manager BioNTdrv.sys driver. The interesting thing is that the software doesn’t have to be installed for threat actors to abuse vulnerable drivers; they simply bring the driver with them. They use this technique to escalate privileges and kill endpoint protection.
Tech Support Scammers Abuse Google Ads and PayPal
The trend continues, using legitimate infrastructure to trick victims into taking an action. In this case, it’s to call the scammers to ask for help. PayPal’s ‘no-code checkout’ feature allows the scammers to create a legitimate PayPal page and customize it.
https://www.malwarebytes.com/blog/scams/2025/02/paypals-no-code-checkout-abused-by-scammers
Free Security Audit Abused to Access Corporate Systems
Let’s hope this doesn’t become prevalent. Yet another social engineering attack. Small businesses with little or no security staff are more susceptible. Cybercriminals are posing as government officials and offering a free security audit.
2025 Global Threat Report – CrowdStrike
Speed and adaptability defined eCrime in 2024: the average breakout time was 48 minutes, the fastest 51 seconds. Hands-on-keyboard activity and stealthy behavior, with 79% of detections malware-free. Social engineering is on a tear, with a 442% increase in vishing operations between the first and second half of 2024.
https://www.crowdstrike.com/explore/2025-global-threat-report
https://www.crowdstrike.com/explore/2025-global-threat-report/2025-global-threat-report-infographic
Stealthy Modular Backdoor Malware Analyzed
The threat actor is suspected to be Chinese nation-state backed. This malware is designed for stealth, using rarely seen behavior to stay under the radar. Yesterday’s nation-state attack is tomorrow’s commodity attack. Probably worth a quick look.
https://unit42.paloaltonetworks.com/advanced-backdoor-squidoor/
2025 OT/ICS Cybersecurity Report
There were 9 active OT specific threat groups in 2024. In addition, Dragos tracked 80 ransomware groups targeting industrial systems. Ransomware attacks increased 87% over the previous year. There were two new threat groups added.
https://www.securityweek.com/nine-threat-groups-active-in-ot-operations-in-2024-dragos/
2024 Malicious Infrastructure Report
Malware-as-a-Service (MaaS) infostealers abuse grew, led by LummaC2. Traffic distribution systems (TDS) continued the trend of enhancing cybercrime efficiency, and the abuse of legitimate infrastructure to stay stealthy continued.
https://go.recordedfuture.com/hubfs/reports/cta-2025-0228.pdf
Highly Evasive Auto-Color Linux Backdoor Malware
If root privileges are available, persistence mechanisms run; if not, the malware runs without persistence. Custom encryption obfuscates the command-and-control server addresses, config data, and network traffic, and the encryption key changes dynamically.
https://unit42.paloaltonetworks.com/new-linux-backdoor-auto-color/
Large-Scale Password Spray Attacks Against Microsoft 365
A newly discovered botnet is conducting brute-force attacks against accounts, targeting non-interactive sign-ins that use Basic Authentication. Non-interactive sign-ins are commonly used for service-to-service auth, legacy protocols, and automated processes.
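One way to surface this pattern in sign-in telemetry, as an added example that is not from the newsletter or the cited research: it assumes Entra ID-style sign-in records (the field names are an assumption) and runs over constructed data, flagging source IPs that fail non-interactive legacy-auth sign-ins across many accounts with few attempts each, plus any success from the same source.

```python
from collections import defaultdict

# Constructed sign-in records for this example. Field names are modelled on the
# Entra ID sign-in log schema (an assumption); every value below is made up.
def rec(upn, ip, client, interactive=False, code=50126):
    return {"userPrincipalName": upn, "ipAddress": ip, "clientAppUsed": client,
            "isInteractive": interactive, "errorCode": code}

SAMPLE_SIGNINS = (
    [rec(f"user{i}@example.com", "203.0.113.10", "IMAP4") for i in range(6)]  # spray
    + [rec("bob@example.com", "198.51.100.7", "IMAP4")] * 3                   # one user, repeated
    + [rec("carol@example.com", "203.0.113.10", "Browser", interactive=True)]  # interactive, ignored
    + [rec("dave@example.com", "203.0.113.10", "IMAP4", code=0)]              # success from spray IP
)

# Legacy protocols that only support Basic Authentication (no MFA prompt possible).
LEGACY_CLIENTS = {"IMAP4", "POP3", "SMTP", "Authenticated SMTP",
                  "Exchange ActiveSync", "Other clients"}

def detect_spray(records, min_accounts=5, max_per_account=2):
    """Flag source IPs whose failed non-interactive legacy-auth sign-ins are spread
    across many distinct accounts with few attempts each (the spray pattern).
    Any success from the same IP over the same path is reported as a likely
    compromised account so responders can act on it first."""
    failures = defaultdict(lambda: defaultdict(int))  # ip -> upn -> failed count
    successes = defaultdict(set)                       # ip -> upns that succeeded
    for r in records:
        if r["isInteractive"] or r["clientAppUsed"] not in LEGACY_CLIENTS:
            continue  # only non-interactive legacy auth is in scope for this rule
        if r["errorCode"] == 0:
            successes[r["ipAddress"]].add(r["userPrincipalName"])
        else:
            failures[r["ipAddress"]][r["userPrincipalName"]] += 1
    hits = {}
    for ip, per_user in failures.items():
        if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
            hits[ip] = {"targeted": sorted(per_user),
                        "compromised": sorted(successes.get(ip, ()))}
    return hits

if __name__ == "__main__":
    for ip, info in detect_spray(SAMPLE_SIGNINS).items():
        print(ip, "sprayed", len(info["targeted"]), "accounts; successes:", info["compromised"])
```

The single-account, repeated-failure source (198.51.100.7) is deliberately not matched; that is a conventional brute force and belongs to a separate lockout-style rule.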
Cybercriminals Ramp Up Pressure with Business Disruption
Intentional disruption to business is growing. Disruption operations, including removing systems, destroying data, and harassing customers and partners, apply extra pressure to pay. This is a worrying trend; let’s hope it doesn’t grow.
https://cyberscoop.com/cyberattacks-business-disruption-2025-unit-42-palo-alto-networks/
https://www.paloaltonetworks.com/engage/unit42-2025-global-incident-response-report
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter