Cyber Threat Weekly – #69
The week of March 10th through March 16th, around 364 cyber news articles were reviewed. Minimal cyber threat trends and adversarial behavior news stories are shared this week; storms knocked the power out from Friday night until Monday mid-morning.
Let’s start with newly tracked ransomware actors exploiting patched Fortinet flaws. Phishing using legit domains continues. Brute-force tool created by ransomware gang. Riskiest external attack surface remains remote access infrastructure.
Another ClickFix phishing campaign. Apple zero-day WebKit flaw. Custom backdoors found on Juniper routers. CISA releases a StopRansomware joint Cybersecurity Advisory on Medusa ransomware.
Broken Record Alert: Don’t get pwned by N-day vulnerabilities!!!
Known exploited software flaws are one of the top 5 initial access vectors. We continue to share n-day vulnerabilities being actively exploited. Start your prioritization with the CISA Known Exploited Vulnerabilities (KEV) catalog.
A close #2 priority is flaws with weaponized proof-of-concept (PoC) code available, since the chance of exploitation is higher once weaponized PoC code is public. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are actively exploited or have weaponized PoC code available.
You should consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way toward minimizing the number of devices exposed to the Internet.
CISA Known Exploited Vulnerabilities – March 10th to March 16th:
CVE-2024-13161 – Ivanti Endpoint Manager (EPM) Absolute Path Traversal Vulnerability:
Allows a remote unauthenticated attacker to leak sensitive information.
CVE-2024-13160 – Ivanti Endpoint Manager (EPM) Absolute Path Traversal Vulnerability:
Allows a remote unauthenticated attacker to leak sensitive information.
CVE-2024-13159 – Ivanti Endpoint Manager (EPM) Absolute Path Traversal Vulnerability:
Allows a remote unauthenticated attacker to leak sensitive information.
CVE-2024-57968 – Advantive VeraCore Unrestricted File Upload Vulnerability:
Allows a remote unauthenticated attacker to upload files to unintended folders via upload.apsx.
CVE-2025-25181 – Advantive VeraCore SQL Injection Vulnerability:
Allows a remote attacker to execute arbitrary SQL commands via the PmSess1 parameter.
CVE-2025-24993 – Microsoft Windows NTFS Heap-Based Buffer Overflow Vulnerability:
Allows an unauthorized attacker to execute code locally.
CVE-2025-24991 – Microsoft Windows NTFS Out-Of-Bounds Read Vulnerability:
Allows an authorized attacker to disclose information locally.
CVE-2025-24985 – Microsoft Windows Fast FAT File System Driver Integer Overflow Vulnerability:
Allows an unauthorized attacker to execute code locally.
CVE-2025-24984 – Microsoft Windows NTFS Information Disclosure Vulnerability:
Allows an unauthorized attacker to disclose information with a physical attack. An attacker who successfully exploited this vulnerability could potentially read portions of heap memory.
CVE-2025-24983 – Microsoft Windows Win32k Use-After-Free Vulnerability:
Allows an authorized attacker to elevate privileges locally.
CVE-2025-26633 – Microsoft Windows Management Console (MMC) Improper Neutralization Vulnerability:
Allows an unauthorized attacker to bypass a security feature locally.
CVE-2025-21590 – Juniper Junos OS Improper Isolation or Compartmentalization Vulnerability:
Allows a local attacker with high privileges to inject arbitrary code.
CVE-2025-24201 – Apple Multiple Products WebKit Out-of-Bounds Write Vulnerability:
May allow maliciously crafted web content to break out of Web Content sandbox. This vulnerability could impact HTML parsers that use WebKit, including but not limited to Apple Safari and non-Apple products which rely on WebKit for HTML processing.
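As an added example (not part of the newsletter), the prioritization described above turned into a small script: it reads records in the shape of the real CISA KEV JSON feed (same field names), puts KEV entries first, weaponized-PoC entries second, everything else third, and applies the 24-to-48-hour emergency window to the first two tiers. The KEV records, dates and the PoC list are constructed for illustration, the 30-day routine cycle is an assumption, and ordering ransomware-linked KEV entries first within tier 1 goes one step beyond the text.

```python
from datetime import datetime, timedelta
# Constructed KEV-style records (same field names as the real CISA KEV JSON feed)
# for three CVEs named in this issue; the dates are illustrative, not CISA's.
KEV_FEED = {"vulnerabilities": [
    {"cveID": "CVE-2025-24201", "vendorProject": "Apple", "product": "Multiple Products",
     "dueDate": "2025-04-03", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-24983", "vendorProject": "Microsoft", "product": "Windows",
     "dueDate": "2025-04-01", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-57968", "vendorProject": "Advantive", "product": "VeraCore",
     "dueDate": "2025-03-31", "knownRansomwareCampaignUse": "Known"},
]}
# Constructed stand-in for an exploit-intel feed of CVEs with weaponized PoC code.
WEAPONIZED_POC = {"CVE-2025-26633", "CVE-2024-57968"}

TIER_KEV, TIER_POC, TIER_OTHER = 1, 2, 3
EMERGENCY_SLA = timedelta(hours=48)   # the 24-to-48-hour emergency window
ROUTINE_SLA = timedelta(days=30)      # assumed normal patch cycle

def prioritize(open_cves, kev_feed, poc_cves, now):
    """Rank open CVEs: tier 1 = in CISA KEV, tier 2 = weaponized PoC public,
    tier 3 = everything else. Tiers 1 and 2 get the emergency SLA; a KEV
    entry's deadline is additionally capped at CISA's own dueDate."""
    kev = {v["cveID"]: v for v in kev_feed["vulnerabilities"]}
    plan = []
    for cve in set(open_cves):
        if cve in kev:
            tier = TIER_KEV
        elif cve in poc_cves:
            tier = TIER_POC
        else:
            tier = TIER_OTHER
        deadline = now + (EMERGENCY_SLA if tier < TIER_OTHER else ROUTINE_SLA)
        ransomware = False
        if tier == TIER_KEV:
            deadline = min(deadline, datetime.strptime(kev[cve]["dueDate"], "%Y-%m-%d"))
            ransomware = kev[cve]["knownRansomwareCampaignUse"] == "Known"
        plan.append({"cve": cve, "tier": tier, "deadline": deadline, "ransomware": ransomware})
    # Within a tier, CVEs CISA links to ransomware campaigns go first, then earliest deadline.
    plan.sort(key=lambda p: (p["tier"], not p["ransomware"], p["deadline"], p["cve"]))
    return plan

def demo():
    """Run a constructed inventory against the constructed feeds (now = 17 March 2025)."""
    return prioritize(["CVE-2025-26633", "CVE-2025-24201", "CVE-2024-57968", "CVE-2099-0001"],
                      KEV_FEED, WEAPONIZED_POC, datetime(2025, 3, 17))

if __name__ == "__main__":
    for p in demo():
        print(f"tier {p['tier']}  {p['cve']}  patch by {p['deadline']:%Y-%m-%d}")
```

CVE-2099-0001 is a placeholder for an unlisted finding; swap the constructed feed for the live KEV JSON and the tiers and deadlines come out the same way.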
New Threat Actors Exploit Patched Fortinet Bugs, Drop Ransomware
Researchers share observations of a new threat group dubbed Mora_001 dropping a variant of LockBit 3.0 called SuperBlack. In addition to behavior, detection opportunities are shared. The attack starts at the firewalls, followed by persistence and lateral movement aided by the firewall configurations.
https://www.forescout.com/blog/new-ransomware-operator-exploits-fortinet-vulnerability-duo/
Fake Coinbase Wallet Migration Phishing Campaign
The email comes from a SendGrid IP address that resolves to a legitimate Akamai domain, which passes spam filters on many accounts. The trick is that there are no links or attachments: the email asks you to set up your new Coinbase wallet and provides the recovery phrase. Once you transfer your assets to that wallet, the threat actors can steal your funds.
BlackBasta Created a Brute-Force Tool Dubbed BRUTED
Thanks to leaked chat logs, researchers discovered a tool that performs automated Internet scanning and credential stuffing attacks. Many widely used network edge devices are targeted. Automated brute forcing allows BlackBasta to scale operations.
Insecure Remote Access Infrastructure Remains Highest Risk
A new report sheds light on exposed VPN and remote desktop software dominating the initial access vectors of ransomware attacks. Stealer data is out of control; it’s far too easy to obtain a large dictionary of common or stolen passwords and to use breach data for large-scale brute-force attacks.
https://www.darkreading.com/cyber-risk/remote-access-infra-remains-riskiest-corp-attack-surface
Hospitality Sector Targeted with ClickFix Campaign
The emails impersonate Booking.com; either a link or a PDF containing a link leads to a fake CAPTCHA page. Various payloads have been observed, including remote access trojans and infostealer malware. ClickFix campaigns continue to be popular.
Apple WebKit Zero-Day Flaw
Not many details are available on the exploited bug other than Apple being aware of CVE-2025-24201 being exploited against specific individuals. The disclosure also noted an extremely sophisticated attack.
https://www.darkreading.com/mobile-security/apple-drops-another-webkit-zero-day-bug
End-of-Life Juniper Routers Targeted with Custom Backdoors
Variants of TinyShell malware have been found on Juniper routers. Researchers observed initial access via the CLI using compromised credentials. End-of-life infrastructure that is no longer supported is a big risk for any organization.
CISA – StopRansomware: Medusa Ransomware (AA25-071A)
Known behavior and indicators of compromise are shared in this advisory. Medusa actors typically recruit initial access brokers and use the living-off-the-land methodology. Legitimate tools like Advanced IP Scanner help with discovery.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-071a
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter