Cyber Threat Weekly – #68
The week of March 3rd through March 9th, around 390 cyber news articles were reviewed. A moderate-ish amount of cyber threat trends and adversarial behavior news to share. I've been thinking about the complexity of attack surface management.
We don’t have to like it, but it’s often little things that cause big problems. Threat actors are pivoting and taking advantage of what’s available to them in the environment. Ransomware affiliates are getting good at their tradecraft. How can we minimize business impact?
Let’s start with a flood of unpaid parking phishing texts. Spike in PHP scripting language flaw exploitation. Threat actors abusing Medusa ransomware increasing in frequency. February, single-month record for ransomware attacks.
Ransomware actors abuse IoT to encrypt network. VMware ESXi bugs actively exploited. New behavior by Silk Typhoon threat actors observed. Researchers share polymorphic Chrome extension attack mimicking legit extension.
Possible dictionary domain generation algorithm (DGA). New Phantom Goblin malware campaign abuses GitHub. Looks like members of Black Basta moved to Cactus ransomware. Another ClickFix-type campaign, this time abusing Microsoft SharePoint.
Encryption and virtualization obfuscate .NET malware.
Broken Record Alert: Please patch N-day bugs!!!
Known exploited software flaws are one of the top 5 initial access vectors. We continue to share n-day vulnerabilities being actively exploited. You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog.
A close #2 priority is flaws with weaponized proof of concept (PoC) code available, because the odds of exploitation rise sharply once working PoC code is public. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are actively exploited or have weaponized PoC code available.
Also consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way toward minimizing the number of devices exposed to the Internet, which shrinks the set of systems that need the emergency process in the first place.
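The triage logic above (KEV first, weaponized PoC second, Internet exposure as a multiplier) is easy to automate against an asset inventory. The script below is an added example, not code from the newsletter or from CISA. The feed sample reuses the field names of the real KEV JSON (vulnerabilities[].cveID, vendorProject, product, dueDate, knownRansomwareCampaignUse) but its records, the PoC list, the inventory and the SLA tiers are constructed assumptions for illustration.

```python
"""Triage an asset inventory against a KEV feed and a weaponized-PoC list.

Added example (not from the newsletter). Feed field names mirror the real
CISA KEV catalog JSON; every record, asset and SLA value is a constructed
assumption used only to exercise the logic.
"""
import json
from dataclasses import dataclass

# Constructed slice of a KEV feed: real field names, illustrative values.
KEV_FEED_JSON = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2025-22224", "vendorProject": "VMware",
         "product": "ESXi and Workstation", "dueDate": "2025-03-25",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-4885", "vendorProject": "Progress",
         "product": "WhatsUp Gold", "dueDate": "2025-03-24",
         "knownRansomwareCampaignUse": "Unknown"},
    ]
})

# Placeholder identifiers standing in for "weaponized PoC is public"
# (assumption; maintain this from your own threat-intel feed).
WEAPONIZED_POC = {"CVE-2025-12345"}

# Patch SLAs in hours per tier (assumption).
SLA = {"P0": 24, "P1": 48, "P2": 168, "P3": 720}


@dataclass(frozen=True)
class Asset:
    name: str
    internet_exposed: bool
    cves: tuple


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    tier: str
    sla_hours: int
    reason: str


def load_kev(feed_json: str) -> dict:
    """Return {cveID: record} for every entry in the KEV feed text."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def triage(cve: str, exposed: bool, kev: dict, poc: set) -> tuple:
    """Map one CVE on one asset to a (tier, reason) pair."""
    if cve in kev:
        ransom = kev[cve].get("knownRansomwareCampaignUse") == "Known"
        note = "in KEV" + (", used by ransomware" if ransom else "")
        return ("P0", note + ", Internet-exposed") if exposed else ("P1", note)
    if cve in poc:
        return ("P1", "weaponized PoC, Internet-exposed") if exposed \
            else ("P2", "weaponized PoC")
    return "P3", "no known exploitation or PoC"


def prioritize(assets, kev: dict, poc: set) -> list:
    """Return findings sorted so the most urgent patch work comes first."""
    findings = [
        Finding(a.name, cve, *triage(cve, a.internet_exposed, kev, poc)[:1],
                SLA[triage(cve, a.internet_exposed, kev, poc)[0]],
                triage(cve, a.internet_exposed, kev, poc)[1])
        for a in assets for cve in a.cves
    ]
    return sorted(findings, key=lambda f: (f.tier, f.asset, f.cve))


# Constructed inventory: names and exposure flags are assumptions.
INVENTORY = (
    Asset("esxi-host-01", internet_exposed=True, cves=("CVE-2025-22224",)),
    Asset("monitoring-01", internet_exposed=False, cves=("CVE-2024-4885",)),
    Asset("intranet-app", internet_exposed=False, cves=("CVE-2025-12345",)),
    Asset("kiosk-07", internet_exposed=False, cves=("CVE-2025-99999",)),
)


def run() -> list:
    return prioritize(INVENTORY, load_kev(KEV_FEED_JSON), WEAPONIZED_POC)


if __name__ == "__main__":
    for f in run():
        print(f"{f.tier} {f.sla_hours:>4}h {f.asset:<14} {f.cve} ({f.reason})")
```

Internet exposure is the one input most teams do not track per asset; wiring it in from the external attack surface scanner is what turns a KEV feed into a 24-hour worklist rather than a spreadsheet.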
CISA Known Exploited Vulnerabilities – March 3rd to March 9th:
CVE-2024-4885 – Progress WhatsUp Gold Path Traversal Vulnerability:
Allows an unauthenticated attacker to achieve remote code execution.
CVE-2018-8639 – Microsoft Windows Win32k Improper Resource Shutdown or Release Vulnerability:
Allows a local, authenticated privilege escalation. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.
CVE-2022-43769 – Hitachi Vantara Pentaho BA Server Special Element Injection Vulnerability:
Allows an attacker to inject Spring templates into properties files, allowing for arbitrary command execution.
CVE-2022-43939 – Hitachi Vantara Pentaho BA Server Authorization Bypass Vulnerability:
Enables an attacker to bypass authorization.
CVE-2023-20118 – Cisco Small Business RV Series Routers Command Injection Vulnerability:
Successful exploitation could allow an authenticated, remote attacker to gain root-level privileges and access unauthorized data.
CVE-2025-22226 – VMware ESXi, Workstation, and Fusion Information Disclosure Vulnerability:
Successful exploitation allows an attacker with administrative privileges to a virtual machine to leak memory from the vmx process.
CVE-2025-22225 – VMware ESXi Arbitrary Write Vulnerability:
Successful exploitation allows an attacker with privileges within the VMX process to trigger an arbitrary kernel write leading to an escape of the sandbox.
CVE-2025-22224 – VMware ESXi and Workstation TOCTOU Race Condition Vulnerability:
Successful exploitation enables an attacker with local administrative privileges on a virtual machine to execute code as the virtual machine's VMX process running on the host.
CVE-2024-50302 – Linux Kernel Use of Uninitialized Resource Vulnerability:
Allows an attacker to leak kernel memory via a specially crafted HID report.
Social Engineering via Unpaid Parking Text Messages
Similar to the unpaid toll road phishing messages, the adversary uses a template designed to get results, and it is happening across many major US cities. The kicker here: the attackers are using an open redirect on google.com, so the link in the text starts with a domain the victim trusts before bouncing to the phishing site.
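Redirect-wrapped links like these can be unwrapped without fetching anything: the real destination is sitting in a query parameter of the trusted URL. The helper below is an added example, not code from the newsletter or any of the research it cites. It statically follows any query-parameter value that is itself an absolute URL and reports the host the victim sees versus the host they would land on. The google.com/url?q= form is Google's well-known redirect endpoint; the parking-notice destination and the other sample URLs are constructed.

```python
"""Statically unwrap redirector URLs to find the real landing host.

Added example (not from the newsletter). No network access: it only parses
the URL, so it is safe to run over URLs extracted from SMS or email reports.
All sample URLs below are constructed; the .example TLD is reserved.
"""
from urllib.parse import urlsplit, parse_qs

MAX_HOPS = 5  # guard against redirect loops in crafted links


def embedded_url(url: str):
    """Return the first query-parameter value that is an absolute http(s) URL."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for values in params.values():
        for value in values:
            parts = urlsplit(value)
            if parts.scheme in ("http", "https") and parts.netloc:
                return value
    return None


def unwrap(url: str) -> list:
    """Follow embedded URLs statically; returns the chain starting with url."""
    chain = [url]
    for _ in range(MAX_HOPS):
        nxt = embedded_url(chain[-1])
        if nxt is None:
            break
        chain.append(nxt)
    return chain


def assess(url: str) -> dict:
    """Compare the host a victim sees with the host they would end up on."""
    chain = unwrap(url)
    visible = urlsplit(chain[0]).hostname
    final = urlsplit(chain[-1]).hostname
    return {
        "visible_host": visible,
        "final_host": final,
        "hops": len(chain) - 1,
        "redirects_offsite": len(chain) > 1 and visible != final,
        "chain": chain,
    }


# Constructed samples: the destination host is invented for illustration.
SMS_LINK = ("https://www.google.com/url?q=https%3A%2F%2Fpay-parking-notice"
            ".example%2Fcitation%3Fid%3D4821")
BENIGN_LINK = "https://www.google.com/search?q=parking+ticket"

if __name__ == "__main__":
    for link in (SMS_LINK, BENIGN_LINK):
        verdict = assess(link)
        print(verdict["visible_host"], "->", verdict["final_host"],
              "offsite" if verdict["redirects_offsite"] else "ok")
```

For mail and SMS filtering, the useful signal is redirects_offsite combined with a final_host that is newly registered or absent from your allowlist; the trusted first hop on its own tells you nothing.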
Researchers Find Spike in PHP Script Flaw Exploitation
Multiple researchers are seeing spikes in exploitation of CVE-2024-4577, the PHP-CGI argument injection flaw, with a large number of unique source IPs targeting it. PHP is popular in web development and decades old now, and there are numerous known ways to exploit this flaw.
https://therecord.media/bug-affecting-php-scripts-global-issue
https://blog.talosintelligence.com/new-persistent-attacks-japan/
https://www.greynoise.io/blog/mass-exploitation-critical-php-cgi-vulnerability-cve-2024-457
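Exploitation of CVE-2024-4577 leaves a recognizable trace in web server logs: on Windows, PHP-CGI's Best-Fit character conversion turns the soft hyphen (byte 0xAD) into an ASCII hyphen, so a query string containing "%ADd" reaches php-cgi as "-d" and lets the attacker inject php.ini directives such as auto_prepend_file and allow_url_include. The scanner below is an added example, not code from the newsletter or the linked reports. The access-log lines it runs over are constructed; the log format and field positions are assumptions about a Common Log Format deployment.

```python
"""Flag CVE-2024-4577 style PHP-CGI argument injection in access logs.

Added example (not from the newsletter). Looks for a URL-decoded soft
hyphen (0xAD) directly followed by a flag letter, the older CVE-2012-1823
style "?-d" form, and php.ini directive names in the query string.
The sample log lines are constructed.
"""
import re
from urllib.parse import unquote_to_bytes

REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<path>\S+) ')
SOFT_HYPHEN_FLAG = re.compile(rb"\xad[A-Za-z]")     # "%ADd" -> "-d" after Best-Fit
PLAIN_FLAG = re.compile(rb"^-[A-Za-z]")             # query starts with "-d", "-s", ...
INI_DIRECTIVES = (b"auto_prepend_file", b"allow_url_include",
                  b"php://input", b"cgi.force_redirect")


def decode_query(path: str) -> bytes:
    """Return the percent-decoded query string as raw bytes (0xAD survives)."""
    if "?" not in path:
        return b""
    return unquote_to_bytes(path.split("?", 1)[1])


def classify(path: str) -> list:
    """Return the list of reasons a request path looks like an attempt."""
    query = decode_query(path)
    reasons = []
    if SOFT_HYPHEN_FLAG.search(query):
        reasons.append("soft hyphen (0xAD) followed by flag letter")
    if PLAIN_FLAG.search(query):
        reasons.append("query string starts with a php-cgi flag")
    hits = [d.decode() for d in INI_DIRECTIVES if d in query.lower()]
    if hits:
        reasons.append("php.ini directive in query: " + ", ".join(hits))
    if reasons and "php-cgi" in path.lower():
        reasons.append("targets a php-cgi handler path")
    return reasons


def scan(lines) -> list:
    """Parse access-log lines and return dicts for the suspicious ones."""
    flagged = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        reasons = classify(m.group("path"))
        if reasons:
            flagged.append({"ip": m.group("ip"), "path": m.group("path"),
                            "reasons": reasons})
    return flagged


# Constructed log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Mar/2025:10:15:02 +0000] "POST /php-cgi/php-cgi.exe'
    '?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 512',
    '198.51.100.23 - - [07/Mar/2025:10:16:40 +0000] "GET /index.php?page=home&lang=en-us HTTP/1.1" 200 2048',
    '192.0.2.44 - - [07/Mar/2025:10:17:11 +0000] "GET /test.php?%ADs HTTP/1.1" 200 310',
    '192.0.2.9 - - [07/Mar/2025:10:18:30 +0000] "GET /info.php?-d+auto_prepend_file%3dphp://input HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["path"], "|", "; ".join(hit["reasons"]))
```

A 200 status on the first line is the one to chase: on an unpatched Windows host running PHP in CGI mode with a locale where Best-Fit applies, that request body was executed.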
Medusa Ransomware Threat Actors Pick Up the Pace
Consistent tradecraft across incidents suggests this group may not operate as a true ransomware-as-a-service (RaaS) operation with many independent affiliates. The hallmarks include the use of remote monitoring and management (RMM) tools, the bring-your-own-vulnerable-driver (BYOVD) technique, and living-off-the-land methodology.
https://www.darkreading.com/cyberattacks-data-breaches/spearwing-raas-cyber-threat-scene
https://www.security.com/threat-intelligence/medusa-ransomware-attacks
New Ransomware Record Set in February 2025
The number of victims claimed by ransomware groups jumped more than 50% above the previous record: 821 claimed victims in February, eclipsing the previous record of 544. Let's hope this isn't a sign of what's to come.
https://thecyberexpress.com/record-ransomware-attacks/
Ransomware Gang Uses Webcam to Encrypt Network Shares
Akira took an unusual approach to launching its encryptor: abusing an IoT device, a webcam running Linux, that EDR did not cover. The threat actor pivoted to it after EDR blocked the encryptor on Windows systems and encrypted network shares from the unmonitored device. Attack surface management and segmentation matter; architecture goes a long way toward preventing this type of approach.
https://www.s-rminform.com/latest-thinking/camera-off-akira-deploys-ransomware-via-webcam
Actively Exploited VMware ESXi Bugs can Lead to Sandbox Escape
Three bugs, CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, were discovered as zero-days. All three require an attacker who already has administrative privileges inside a guest VM, but chained they allow code execution in the VMX process and then an escape from its sandbox onto the host. As concerning as these vulnerabilities are, more concerning is the fact that so many ESXi instances are exposed to the Internet.
Shift in Behavior from the Notorious Silk Typhoon
Researchers observed the Chinese state-backed threat actors targeting third-party IT services. After compromising an initial victim, they use stolen keys and credentials to conduct attacks against that provider's downstream customers. Yesterday's nation-state attack is tomorrow's commodity attack; this has held true for over a decade.
https://cyberscoop.com/silk-typhoon-targets-it-services/
https://www.microsoft.com/en-us/security/blog/2025/03/05/silk-typhoon-targeting-it-supply-chain/
Polymorphic Chrome Extension Morphs into Legitimate Extension
Researchers share a malicious Chrome extension attack that can mimic a legitimate extension. The goal is credential phishing in a sneaky way that appears like the real deal. The attack takes advantage of legitimate functionality.
Researchers Find Possible Dictionary Domain Generation Algorithm (DGA)
This one is interesting: a dictionary DGA, possibly used to evade detection. Tracking newly registered domains, researchers found over 444,000 newly registered domains belonging to the same threat actor. We should keep an eye out for more use of dictionary DGAs.
https://unit42.paloaltonetworks.com/typo-domain-generation-algorithms/
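A dictionary DGA builds labels by concatenating words from a fixed wordlist, which defeats the entropy checks that catch random-looking DGA domains. What does stand out is volume: a batch of newly registered domains in which many labels segment cleanly into wordlist words and share a pattern (same TLD, same word count) is suspicious. The detector below is an added example, not code from Unit 42 or the newsletter, and does not reproduce the wordlist from the research. Its wordlist and the domain batch are constructed, and it uses reserved TLDs; it also splits on the first dot instead of using a public-suffix list, which is a simplification.

```python
"""Heuristic clustering of dictionary-DGA candidates in a domain batch.

Added example (not from Unit 42 or the newsletter). Segments each
second-level label into wordlist words with a memoized recursive search,
then groups fully segmentable labels by (TLD, word count) and reports
groups large enough to look generated. Wordlist and domains are constructed.
"""
from collections import defaultdict
from functools import lru_cache


def make_segmenter(words):
    """Return segment(label) -> tuple of words spelling label exactly, or None."""
    wordset = frozenset(w.lower() for w in words)
    maxlen = max(len(w) for w in wordset)

    @lru_cache(maxsize=None)
    def segment(label: str):
        if label == "":
            return ()
        # Try longest prefix first so "secure" is preferred over "sec"+"ure".
        for i in range(min(maxlen, len(label)), 0, -1):
            head, tail = label[:i], label[i:]
            if head in wordset:
                rest = segment(tail)
                if rest is not None:
                    return (head,) + rest
        return None

    return segment


def cluster_candidates(domains, words, min_words=2, min_cluster=3) -> dict:
    """Group fully segmentable domains by (tld, word_count); keep big groups.

    min_words drops single-word labels (ordinary brand names) and min_cluster
    drops small groups, since plenty of legitimate domains are two real words.
    """
    segment = make_segmenter(words)
    groups = defaultdict(list)
    for domain in domains:
        domain = domain.lower().rstrip(".")
        label, _, tld = domain.partition(".")   # no public-suffix handling (assumption)
        parts = segment(label.replace("-", ""))
        if parts and len(parts) >= min_words:
            groups[(tld, len(parts))].append((domain, parts))
    return {key: hits for key, hits in groups.items() if len(hits) >= min_cluster}


# Constructed wordlist and batch of "newly registered" domains.
WORDLIST = ["secure", "portal", "update", "account", "login", "verify",
            "notice", "pay", "parking", "cloud", "mail", "service",
            "data", "safe", "link"]

BATCH = [
    "secureportalupdate.example", "accountloginverify.example",
    "cloud-mail-service.example", "datasafelink.example",
    "payparking.test", "zq7x1k.example", "wikipedia.example",
]

if __name__ == "__main__":
    for (tld, n), hits in cluster_candidates(BATCH, WORDLIST).items():
        print(f".{tld} / {n} words: {len(hits)} domains")
        for domain, parts in hits:
            print("  ", domain, "=", "+".join(parts))
```

In production the wordlist is the hard part: start with the labels from confirmed sightings and let the segmenter tell you which words recur, then feed registrar, nameserver and registration-date features into the grouping key alongside the TLD.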
Phantom Goblin Malware Abuses Trusted Tools and Services
This malware uses tried-and-true techniques, LNK files, PowerShell, Visual Studio Code tunnels, and Telegram, to stay stealthy, and its payloads are downloaded from GitHub. The goals are browser data theft, persistence, and defense evasion. Another example of reusing proven techniques that work.
https://thecyberexpress.com/phantom-goblin-malware/
Black Basta and Cactus Ransomware Share Similar Behavior
It appears members of the Black Basta group have moved over to the Cactus ransomware group. The same social engineering for initial access and the same malware, called BackConnect, have been observed with both groups since the start of the year.
https://www.trendmicro.com/en_us/research/25/b/black-basta-cactus-ransomware-backconnect.html
ClickFix and Havoc Command and Control (C2) Framework
Initial access is a ClickFix attack that embeds a fake error message in an .html attachment. The Microsoft Graph API is used in conjunction with a modified Havoc Demon so the C2 traffic blends in with legitimate Microsoft service traffic, and the malware is staged in SharePoint. This is another example of using legitimate services for both legitimacy and defense evasion.
.NET Malware Concealed by Encryption and Virtualization
Researchers analyzed fileless malware that is decrypted at runtime and injected directly into memory. AES encryption and the KoiVM virtualizer are used to hide the malware and its intent; sandbox and security-tool evasion are the goal.
https://unit42.paloaltonetworks.com/malware-obfuscation-techniques/
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter