
Cyber Threat Weekly – #70

Derek Krein
5 min read

The week of March 17th through March 23rd, around 389 cyber news articles were reviewed.  A light-ish amount of cyber threat trends and adversarial behavior news to share.  Been thinkin, cybersecurity risk is business risk.

A business impact analysis provides the ‘why’ of your cybersecurity program and the ‘what’ to focus on.  For example, by understanding the daily revenue loss caused by a ransomware attack, multiplied by a couple of weeks for recovery, you understand why.  By mapping your critical business processes and their dependencies, you can focus resources where they make the biggest impact.

Let’s start with the FBI warning about fake online document converters.  GitHub Actions supply chain attack.  Malware code-signed with the trusted Microsoft signing service.  Threat actor claims breach of Oracle Cloud federated SSO login servers.

Researchers reveal a .LNK file bug that abuses hidden command execution.  Ransomware affiliate abuses new Betruger backdoor.  Fortinet auth bypass bug actively exploited.  Veeam patched a critical bug in its backup & replication product.

Infostealer data is an attacker’s goldmine.  OAuth attack campaigns are in full swing.  New RAT malware discovered.  SocGholish used for RansomHub initial access.


Broken Record Alert: Don’t get pwned by N-day vulnerabilities!!!

Known exploited software flaws are one of the top 5 initial access vectors.  We continue to share n-day vulnerabilities being actively exploited.  You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog.

A close #2 priority is flaws with weaponized proof of concept (PoC) code available.  Exploitation chances are higher when weaponized PoC code is available.  If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are actively exploited or have weaponized PoC code available.

You should consider what is exposed to the Internet.  Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices exposed to the Internet.
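An added example (not from the newsletter) of the prioritization lane described above in Python: it takes a constructed sample shaped like the CISA KEV feed’s JSON (field names assumed from the public feed; CVEs taken from this issue), plus a constructed asset inventory with hypothetical exposure and PoC flags, and assigns the 24-to-48-hour emergency deadline, ranking Internet-exposed and ransomware-linked items first.

```python
"""Patch prioritization: CISA KEV membership, weaponized PoC, Internet exposure."""
from datetime import datetime, timedelta

# Constructed sample shaped like the "vulnerabilities" entries of the CISA KEV JSON
# feed (field names assumed from the public feed); CVEs are from this issue's list.
KEV_SAMPLE = {"vulnerabilities": [
    {"cveID": "CVE-2025-30066", "product": "tj-actions/changed-files",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-24472", "product": "FortiOS and FortiProxy",
     "knownRansomwareCampaignUse": "Known"},   # tied to ransomware per the item below
    {"cveID": "CVE-2024-48248", "product": "NAKIVO Backup and Replication",
     "knownRansomwareCampaignUse": "Unknown"},
]}

# Constructed asset inventory; exposure and PoC flags are hypothetical, not facts.
INVENTORY = [
    {"asset": "fw-edge-01", "cve": "CVE-2025-24472", "internet_exposed": True, "weaponized_poc": True},
    {"asset": "ci-runner-03", "cve": "CVE-2025-30066", "internet_exposed": False, "weaponized_poc": False},
    {"asset": "bkp-01", "cve": "CVE-2025-23120", "internet_exposed": False, "weaponized_poc": True},
    {"asset": "hr-app", "cve": "CVE-0000-PLACEHOLDER", "internet_exposed": True, "weaponized_poc": False},
]
NOW = datetime(2025, 3, 24, 9, 0)  # constructed evaluation time

def kev_index(feed):
    """Map cveID -> KEV entry so lookups are O(1)."""
    return {v["cveID"]: v for v in feed["vulnerabilities"]}

def prioritize(feed, inventory, now):
    """Rank findings: exploited/weaponized first, Internet-exposed next, ransomware-linked next."""
    kev = kev_index(feed)
    rows = []
    for item in inventory:
        entry = kev.get(item["cve"])
        exploited = entry is not None
        emergency = exploited or item["weaponized_poc"]   # the 24-to-48-hour lane
        deadline = None
        if emergency:
            hours = 24 if item["internet_exposed"] else 48
            deadline = now + timedelta(hours=hours)
        rows.append({**item, "exploited": exploited, "emergency": emergency,
                     "ransomware": bool(entry and entry.get("knownRansomwareCampaignUse") == "Known"),
                     "deadline": deadline})
    rows.sort(key=lambda r: (not r["emergency"], not r["internet_exposed"],
                             not r["ransomware"], r["cve"]))
    return rows

def run():
    return prioritize(KEV_SAMPLE, INVENTORY, NOW)

if __name__ == "__main__":
    for r in run():
        print(r["asset"], r["cve"], "EMERGENCY" if r["emergency"] else "normal cycle", r["deadline"])
```

Anything outside the emergency lane keeps a `None` deadline, meaning the regular patch cycle applies.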


CISA Known Exploited Vulnerabilities – March 17th to March 23rd:

CVE-2025-30066 – tj-actions/changed-files GitHub Action Embedded Malicious Code Vulnerability:
Allows a remote attacker to discover secrets by reading Github Actions Workflow Logs. These secrets may include, but are not limited to, valid AWS access keys, GitHub personal access tokens (PATs), npm tokens, and private RSA keys.

CVE-2025-24472 – Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability:
Allows a remote attacker to gain super-admin privileges via crafted CSF proxy requests.

CVE-2017-12637 – SAP NetWeaver Directory Traversal Vulnerability:
Allows a remote attacker to read arbitrary files via a .. (dot dot) in the query string.

CVE-2024-48248 – NAKIVO Backup and Replication Absolute Path Traversal Vulnerability:
Enables an attacker to read arbitrary files.

CVE-2025-1316 – Edimax IC-7100 IP Camera OS Command Injection Vulnerability:
Allows an attacker to achieve remote code execution via specially crafted requests.
The affected product appears to be end-of-life; technical debt can be a huge risk.


File Converting Tools Abused by Threat Actors – FBI

Another social engineering tactic, abusing free file conversion tools to deploy malware.  They can be online or downloadable tools.  These tools are used by unsuspecting people all the time; hence, they are easy to abuse.  Due diligence is important before using free online tools.

https://www.bleepingcomputer.com/news/security/fbi-warnings-are-true-fake-file-converters-do-push-malware/


Targeted GitHub Actions Attack Turns Widespread

Security best practices help minimize the impact of an attack such as this.  The good news: most of the secrets exposed were short-lived, expiring once the workflow completed or within 24 hours.  Only 218 repositories were affected; it could’ve been much worse.
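One of those best practices is pinning third-party actions to a full commit SHA rather than a movable tag. As an added example (not code from the newsletter or the affected projects), this Python audit scans a constructed workflow excerpt and flags every `uses:` reference that a tag move could silently redirect; the 40-hex SHA in the sample is a placeholder, not a real commit.

```python
"""Audit GitHub Actions workflow `uses:` references for mutable (tag/branch) pins."""
import re

# Constructed workflow excerpt (not from any repository hit in the incident).
# The 40-hex SHA below is a placeholder, not a real commit.
WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: tj-actions/changed-files@v45
      - uses: reviewdog/action-setup@v1
      - uses: ./.github/actions/local-step
      - run: echo ok
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def audit_pins(workflow_text):
    """Return one finding per external action; a ref that is not a full SHA is mutable."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        if ref.startswith(("./", "docker://")):
            continue  # local paths and container images are not git tag references
        action, _, version = ref.partition("@")
        pinned = bool(FULL_SHA_RE.match(version))
        findings.append({"line": lineno, "action": action, "ref": version,
                         "status": "sha-pinned" if pinned else "mutable"})
    return findings

def mutable_actions(workflow_text):
    """Names of actions whose reference could be retargeted by moving a tag or branch."""
    return [f["action"] for f in audit_pins(workflow_text) if f["status"] == "mutable"]

if __name__ == "__main__":
    for f in audit_pins(WORKFLOW):
        print(f"line {f['line']}: {f['action']}@{f['ref']} -> {f['status']}")
```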

https://thehackernews.com/2025/03/github-supply-chain-breach-coinbase.html

https://unit42.paloaltonetworks.com/github-actions-supply-chain-attack/

https://www.endorlabs.com/learn/blast-radius-of-the-tj-actions-changed-files-supply-chain-attack

https://www.wiz.io/blog/new-github-action-supply-chain-attack-reviewdog-action-setup


Criminals Abuse Microsoft Trusted Signing Service

Yet another legit service abused by threat actors, nothing is sacred.  The good news: the certificates are only valid for a short three days.  The bad news: they may still work until they are revoked, and finding and revoking them is a manual process.

https://www.bleepingcomputer.com/news/security/microsoft-trusted-signing-service-abused-to-code-sign-malware/


Possibly Breached Oracle Cloud Federated SSO Servers

This one is for tracking purposes at the moment.  A threat actor claims to have breached the Oracle servers and is selling alleged stolen data on the dark web.  We’ll see how this one plays out.

https://www.bleepingcomputer.com/news/security/oracle-denies-data-breach-after-hacker-claims-theft-of-6-million-data-records/


Nation States Abusing Microsoft .LNK File Bug

Researchers observe threat actors abusing a bug that allows hidden command execution in a .LNK file.  By tricking the victim into thinking it’s a legit file, the threat actor can execute hidden commands leading to compromise.

https://cyberscoop.com/microsoft-windows-zero-day-exploits-nation-states/

https://www.trendmicro.com/en_us/research/25/c/windows-shortcut-zero-day-exploit.html


New Betruger Backdoor Abused by Ransomware Affiliate

The key here is that it appears to be tied to affiliates, not the operation itself.  This is important: affiliates can use multiple ransomware-as-a-service operations simultaneously or change affiliation quickly.  Ransomware affiliates that have been active for a long time have an abundance of resources at their disposal.

https://www.bleepingcomputer.com/news/security/ransomhub-ransomware-uses-new-betruger-multi-function-backdoor/


Actively Exploited Fortinet Auth Bypass Bug

This bug is added to the CISA known exploited vulnerability catalog and tied to ransomware.  VPNs, RDP, and exposed login panels are massive attack vectors.  Even if secure today, you never know when a software bug changes the game. 

https://www.darkreading.com/cyberattacks-data-breaches/critical-fortinet-vulnerability-draws-fresh-attention


Veeam Fixes Remote Code Execution Bug

Exploitation can be conducted via an authenticated local user.  Backup servers added to the Active Directory domain are at increased risk.  The bug comes from an incomplete patch for a previous bug.  Veeam is a huge target of ransomware affiliates.

https://www.csoonline.com/article/3850731/critical-remote-code-execution-flaw-patched-in-veeam-backup-servers.html

https://www.veeam.com/kb4724

https://labs.watchtowr.com/by-executive-order-we-are-banning-blacklists-domain-level-rce-in-veeam-backup-replication-cve-2025-23120/


Threat Actors Abuse Infostealer Malware to Drive Cyberattacks

Legit credentials and other secrets allowed threat actors to evade security controls, move laterally, and more while flying under the radar.  Social engineering fuels infostealer deployment, helping attackers reach their goals.

https://cyberscoop.com/infostealers-cybercrime-surged-2024-flashpoint/


Multiple OAuth Campaigns Abusing Legit Brands

GitHub hit with an OAuth app cloaked as a ‘security alert’.  Credential phishing via a fake DocuSign app.  Adobe Acrobat and Adobe Drive logos on OAuth apps leading to malware or Microsoft credential phishing sites. 

https://www.darkreading.com/application-security/oauth-attacks-target-microsoft-365-github


Researchers Analyze New StilachiRAT

Not yet widely distributed, this malware uses sophisticated evasion techniques.  With infostealer capabilities and reconnaissance capabilities, the tool also utilizes sophisticated persistence mechanisms.

https://www.bleepingcomputer.com/news/security/microsoft-new-rat-malware-used-for-crypto-theft-reconnaissance/

https://www.microsoft.com/en-us/security/blog/2025/03/17/stilachirat-analysis-from-system-reconnaissance-to-cryptocurrency-theft/


RansomHub Initial Access via SocGholish

Researchers analyze SocGholish and provide insights into backdoor components that lead to RansomHub ransomware. 

https://www.darkreading.com/cyberattacks-data-breaches/ransomhub-fakeupdates-government-sector

https://www.trendmicro.com/en_us/research/25/c/socgholishs-intrusion-techniques-facilitate-distribution-of-rans.html

