Cyber Threat Weekly – #70
The week of March 17th through March 23rd, around 389 cyber news articles were reviewed. A light-ish amount of cyber threat trends and adversarial behavior news to share. Been thinkin, cybersecurity risk is business risk.
A business impact analysis provides the ‘why’ of your cybersecurity program and the ‘what’ to focus on. For example, by understanding the daily revenue loss caused by a ransomware attack multiplied by a couple of weeks for recovery you understand why. Mapping your critical business processes and their dependencies, you can focus resources where they make the biggest impact.
Let’s start with the FBI warns about fake online document converters. GitHub Actions supply chain attack. Malware code-signed with trusted Microsoft signing service. Threat actor claims breach of Oracle Cloud federated SSO login servers.
Researchers reveal a .LNK file bug that abuses hidden command execution. Ransomware affiliate abuses new Betruger backdoor. Fortinet auth bypass bug actively exploited. Veeam patched a critical bug in its backup & replication product.
Infostealer data is an attacker’s goldmine. OAuth attack campaigns are in full swing. New RAT malware discovered. SocGholish used for RansomHub initial access.
Broken Record Alert: Don’t get pwned by N-day vulnerabilities!!!
Known exploited software flaws are one of the top 5 initial access vectors. We continue to share n-day vulnerabilities being actively exploited. You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog.
A close #2 priority is flaws with weaponized proof of concept (PoC) code available. Exploit chances are higher with weaponized PoC code available. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for exploited and weaponized PoC code available vulnerabilities.
You should consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices exposed to the Internet.
CISA Known Exploited Vulnerabilities – March 17th to March 23rd:
CVE-2025-30066 – tj-actions/changed-files GitHub Action Embedded Malicious Code Vulnerability:
Allows a remote attacker to discover secrets by reading Github Actions Workflow Logs. These secrets may include, but are not limited to, valid AWS access keys, GitHub personal access tokens (PATs), npm tokens, and private RSA keys.
CVE-2025-24472 – Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability:
Allows a remote attacker to gain super-admin privileges via crafted CSF proxy requests.
CVE-2017-12637 – SAP NetWeaver Directory Traversal Vulnerability:
Allows a remote attacker to read arbitrary files via a .. (dot dot) in the query string.
CVE-2024-48248 – NAKIVO Backup and Replication Absolute Path Traversal Vulnerability:
Enables an attacker to read arbitrary files.
CVE-2025-1316 – Edimax IC-7100 IP Camera OS Command Injection Vulnerability:
Allows an attacker to achieve remote code execution via specially crafted requests.
The affected product appears to be end-of-life, technical debt can be a huge risk.
File Converting Tools Abused by Threat Actors – FBI
Another social engineering tactic, abusing free file conversion tools to deploy malware. They can be online or downloadable tools. These tools are used by unsuspecting people all the time; hence, they are easy to abuse. Due diligence is important before using free online tools.
Targeted GitHub Actions Attack Turns Widespread
Security best practices help minimize the impact of an attack such as this. The good news, most of the secrets exposed were short term, once the workflow is completed or 24 hours. Only 218 repositories were affected, could’ve been much worse.
https://thehackernews.com/2025/03/github-supply-chain-breach-coinbase.html
https://unit42.paloaltonetworks.com/github-actions-supply-chain-attack/
https://www.endorlabs.com/learn/blast-radius-of-the-tj-actions-changed-files-supply-chain-attack
https://www.wiz.io/blog/new-github-action-supply-chain-attack-reviewdog-action-setup
Criminals Abuse Microsoft Trusted Signing Service
Yet another legit service abused by threat actors, nothing is sacred. The good news, they are valid for a short three days. The bad news, the certificates may still work until they are revoked and it’s a manual process to find and revoke them.
Possibly Breached Oracle Cloud Federated SSO Servers
This one is for tracking purposes at the moment. A threat actor claims to have breached the Oracle servers and is selling alleged stolen data on the dark web. We’ll see how this one plays out.
Nation States Abusing Microsoft .LNK File Bug
Researchers observe threat actors abusing a bug that allows hidden command execution in a .LNK file. By tricking the victim into thinking it’s a legit file, the threat actor can execute hidden commands leading to compromise.
https://cyberscoop.com/microsoft-windows-zero-day-exploits-nation-states/
https://www.trendmicro.com/en_us/research/25/c/windows-shortcut-zero-day-exploit.html
New Betruger Backdoor Abused by Ransomware Affiliate
The key here is it appears to tied to affiliates, not the operation itself. This is important, affiliates can use multiple ransomware-as-a-service operations simultaneously or change affiliation quickly. Ransomware affiliates that have been active for a long time have an abundance of resources at their disposal.
Actively Exploited Fortinet Auth Bypass Bug
This bug is added to the CISA known exploited vulnerability catalog and tied to ransomware. VPNs, RDP, and exposed login panels are massive attack vectors. Even if secure today, you never know when a software bug changes the game.
Veeam Fixes Remote Code Execution Bug
Exploitation can be conducted via an authenticated local user. Backup servers added to the Active Directory domain are at increased risk. The bug comes from an incomplete patch for a previous bug. Veeam is a huge target of ransomware affiliates.
Threat Actors Abuse Infostealer Malware to Drive Cyberattacks
Legit credentials and other secrets allowed threat actors to evade security controls, laterally move, and more while flying under the radar. Social engineering fuels infostealer deployment, helping attackers reach their goals.
https://cyberscoop.com/infostealers-cybercrime-surged-2024-flashpoint/
Multiple OAuth Campaigns Abusing Legit Brands
GitHub hit with an OAuth app cloaked as a ‘security alert’. Credential phishing via a fake DocuSign app. Adobe Acrobat and Adobe Drive logos on OAuth apps leading to malware or Microsoft credential phishing sites.
https://www.darkreading.com/application-security/oauth-attacks-target-microsoft-365-github
Researchers Analyze New StilachiRAT
Not yet widely distributed, this malware uses sophisticated evasion techniques. With infostealer capabilities and reconnaissance capabilities, the tool also utilizes sophisticated persistence mechanisms.
RansomHub Initial Access via SocGholish
Researchers analyze SocGholish and provide insights into backdoor components that lead to RansomHub ransomware.
https://www.darkreading.com/cyberattacks-data-breaches/ransomhub-fakeupdates-government-sector
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter
Join the newsletter to receive the latest updates in your inbox.
Comments
Sign in to join the conversation.
Just enter your email below to receive a login link.
