
Cyber Threat Weekly – #71

Derek Krein
5 min read

The week of March 24th through March 30th, around 395 cyber news articles were reviewed.  A light-ish amount of cyber threat trends and adversarial behavior news to share.  Been thinkin about the need for principle-based security.

We moved away from the principle of least privilege long ago.  With today’s technology, attack surface complexity, and adversary tenacity, we need to get back to basics.  Network segmentation, identity and access management, and the principle of least privilege can go a long way to minimizing business impact.

Let’s start with researchers analyzing the latest Apache Tomcat bug.  New Android banking malware Crocodilus spotted.  Evidence mounts; Oracle still denies cloud breach.  Another breach for Oracle, this time on the healthcare side.

DNS email records used to mimic 114 brands in phishing-as-a-service.  2025 Threat Detection Report.  Attackers continue to go after cloud resources.  New credential-stuffing-as-a-service platform scales brute force attacks.

Windows zero-day exploited by EncryptHub to deploy malware.  Possible cyber mercenaries known for cyberespionage now use ransomware.  Phishing-as-a-service platform abuses iMessage and Android Rich Communication Services.

Newly surfaced ransomware-as-a-service operation VanHelsing.


Broken Record Alert: Don’t get pwned by N-day vulnerabilities!!!

Known exploited software flaws are one of the top 5 initial access vectors.  We continue to share n-day vulnerabilities being actively exploited.  You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog. 

A close #2 priority is flaws with weaponized proof of concept (PoC) code available.  Exploit chances are higher when weaponized PoC code is available.  If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are being exploited or have weaponized PoC code available.

You should consider what is exposed to the Internet.  Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices exposed to the Internet.
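The prioritization argued above (KEV first, weaponized PoC second, then what is exposed to the Internet, with a 24-to-48-hour emergency process for the first two tiers) is easy to turn into a triage script. The following is an added example, not code from the newsletter or from CISA: the catalog excerpt is a constructed subset in the shape of the CISA KEV JSON feed using the four CVE ids listed on this page, the hostnames, exposure flags and PoC flags are invented, and the SLA hours for the lower tiers are assumptions.

```python
"""Patch triage in the priority order argued above: CISA KEV first,
weaponized PoC second, Internet-exposed third, everything else last.

Added example. KEV excerpt, hosts and flags are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed excerpt in the shape of the CISA KEV JSON feed; the four ids
# are the ones listed in this issue, the rest of the feed is omitted.
KEV_CATALOG = {
    "vulnerabilities": [
        {"cveID": "CVE-2025-30154", "vendorProject": "reviewdog"},
        {"cveID": "CVE-2019-9875", "vendorProject": "Sitecore"},
        {"cveID": "CVE-2019-9874", "vendorProject": "Sitecore"},
        {"cveID": "CVE-2025-2783", "vendorProject": "Google"},
    ]
}


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    internet_exposed: bool
    weaponized_poc: bool  # assumption: populated from your own exploit-intel feed


# tier -> (reason, patch SLA in hours); tiers 1 and 2 are the emergency process
TIERS = {
    1: ("KEV: actively exploited", 48),
    2: ("weaponized PoC available", 48),
    3: ("Internet-exposed, no known exploitation", 168),  # assumed one-week SLA
    4: ("internal only, no known exploitation", 720),     # assumed 30-day SLA
}


def kev_ids(catalog):
    """Set of CVE ids present in a KEV-shaped catalog."""
    return {entry["cveID"] for entry in catalog["vulnerabilities"]}


def tier_for(finding, kev):
    """Map one finding to a tier; earlier checks win."""
    if finding.cve in kev:
        return 1
    if finding.weaponized_poc:
        return 2
    if finding.internet_exposed:
        return 3
    return 4


def prioritize(findings, catalog):
    """Return findings as dicts, most urgent first; within a tier the
    Internet-exposed hosts come before internal ones."""
    kev = kev_ids(catalog)
    rows = []
    for f in findings:
        tier = tier_for(f, kev)
        reason, sla = TIERS[tier]
        rows.append({"host": f.host, "cve": f.cve, "tier": tier, "reason": reason,
                     "sla_hours": sla, "internet_exposed": f.internet_exposed})
    rows.sort(key=lambda r: (r["tier"], not r["internet_exposed"], r["host"]))
    return rows


# Constructed inventory: hostnames, flags and the PLACEHOLDER ids are invented.
FINDINGS = [
    Finding("intranet-wiki", "CVE-XXXX-PLACEHOLDER-1", False, False),
    Finding("cms-edge-01", "CVE-2019-9874", True, True),
    Finding("build-runner-02", "CVE-2025-30154", False, False),
    Finding("vpn-gw", "CVE-XXXX-PLACEHOLDER-2", True, True),
    Finding("kiosk-07", "CVE-XXXX-PLACEHOLDER-3", True, False),
]

if __name__ == "__main__":
    for r in prioritize(FINDINGS, KEV_CATALOG):
        print(f"tier {r['tier']}  {r['sla_hours']:>4}h  {r['host']:<16} {r['cve']}  ({r['reason']})")
```

Swapping the constructed `KEV_CATALOG` for the real feed downloaded from CISA and `FINDINGS` for a scanner export is the only change needed to use this against a live inventory; the `weaponized_poc` flag has to come from a source you trust, since the KEV feed does not carry it.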


CISA Known Exploited Vulnerabilities – March 24th to March 30th:

CVE-2025-30154 – reviewdog/action-setup GitHub Action Embedded Malicious Code Vulnerability:
Dumps exposed secrets to GitHub Actions workflow logs.

CVE-2019-9875 – Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability:
Allows an authenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN.

CVE-2019-9874 – Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability:
Allows an unauthenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN.

CVE-2025-2783 – Google Chromium Mojo Sandbox Escape Vulnerability:
Results from an incorrect handle being provided in unspecified circumstances. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.


Apache Tomcat Bug CVE-2025-24813 Analysis

The good news: several conditions must be met to achieve remote code execution, view sensitive files, or inject content, and some of them are disabled by default.  Proof-of-concept exploits are available, and exploitation is being attempted.

https://www.recordedfuture.com/blog/apache-tomcat-cve-2025-24813-vulnerability-analysis


New Banking Malware Crocodilus Targets Android Devices

Multiple functions are the game with this malware.  It uses social engineering to request accessibility permissions and steals the victim’s wallet key via its accessibility logger.  Full remote access trojan capabilities round out this malware.

https://www.bleepingcomputer.com/news/security/new-crocodilus-malware-steals-android-users-crypto-wallet-keys/

https://www.threatfabric.com/blogs/exposing-crocodilus-new-device-takeover-malware-targeting-android-devices


Despite Evidence to the Contrary, Oracle Still Denies OCI Breach

Researchers have dug into a 10,000-line sample provided by the threat actor, and it certainly appears credible.  The sample alone covers 1,500 organizations.  Researchers validated the data with OCI customers; there is little doubt the breach happened, and the question is what the total impact is.

https://www.darkreading.com/cyberattacks-data-breaches/oracle-still-denies-breach-researchers-persist

https://www.bleepingcomputer.com/news/security/oracle-customers-confirm-data-stolen-in-alleged-cloud-breach-is-valid/

https://www.cloudsek.com/blog/part-2-validating-the-breach-oracle-cloud-denied-cloudseks-follow-up-analysis

https://socradar.io/oracle-cloud-security-incident-by-rose87168/

https://blackkite.com/blog/oracle-cloud-breach-claims-denials-and-the-reality-of-cloud-security-risks-in-tprm/

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trustwave-spiderlabs-threat-review-alleged-oracle-compromise/


Patient Data Compromised in Oracle Healthcare Breach

This is interesting; the timing is suspect when viewed alongside the Oracle Cloud breach.  Notices have been sent to customers, but Oracle has not publicly disclosed the breach.  Oracle is leaving hospitals to determine whether the stolen data violates HIPAA and told them it is their responsibility to notify patients directly.  The lack of transparency from Oracle is not good for customers or the industry.

https://www.bleepingcomputer.com/news/security/oracle-health-breach-compromises-patient-data-at-us-hospitals/


Phishing Kit Morphing Meerkat Mimics 114 Brands using DNS

Researchers revealed a new phishing-as-a-service platform.  The automation is concerning: it abuses DNS to identify the target’s email service provider and dynamically serve a matching fake login page.  In addition, it dynamically translates the pages into over a dozen languages.

https://thehackernews.com/2025/03/new-morphing-meerkat-phishing-kit.html

https://blogs.infoblox.com/threat-intelligence/a-phishing-tale-of-doh-and-dns-mx-abuse/


2025 Threat Detection Report – Red Canary

This report includes confirmed threats and the emerging trends of 2024.  ClickFix, identity attacks, VPN abuse, and cloud attacks are only some of the trends seen.  There are a lot of nuggets in this report, worth a look.

https://redcanary.com/threat-detection-report/trends/

https://resource.redcanary.com/rs/003-YRU-314/images/2025ThreatDetectionReport_RedCanary.pdf?version=0


Cloud Attacks Appear to be Trending Upward

Some not-so-cool stats shared by security researchers.  The trends lean into identity and access management and data exfiltration.  Attackers are focused on what works, and legit credentials are all the rage.

https://unit42.paloaltonetworks.com/2025-cloud-security-alert-trends/


Automated Credential Stuffing Scales Brute Force Attacks

Atlantis AIO is a credential stuffing tool that can try stolen and common credentials across more than 140 platforms.  It contains three modules: email account testing, brute force attacks, and account recovery.

https://www.bleepingcomputer.com/news/security/new-atlantis-aio-automates-credential-stuffing-on-140-services/

https://abnormalsecurity.com/blog/atlantis-aio-credential-stuffing-140-platforms
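Tools like the one described above leave two distinct shapes in authentication logs: credential stuffing (one source, many accounts, one or two tries each) and brute force (one source, one account, many tries). The detection logic below is an added example, not code from the newsletter or from either cited report; the log line format, every IP address and username, and the thresholds are constructed for illustration and would need tuning against your own identity provider’s logs.

```python
"""Classify source IPs by their failed-login pattern inside a sliding window.

Added example. Log format, addresses, usernames and thresholds are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed log format: "<ISO timestamp> auth ok|fail user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<ip>\S+)$"
)

# Constructed sample: 203.0.113.5 tries six different accounts once each
# (stuffing), 198.51.100.7 hammers one account (brute force), and 192.0.2.9
# is an ordinary user who mistypes once and then logs in.
SAMPLE_LOG = "\n".join(
    [f"2025-03-25T10:00:{i:02d}Z auth fail user=user{i} src=203.0.113.5" for i in range(6)]
    + [f"2025-03-25T10:01:{i:02d}Z auth fail user=admin src=198.51.100.7" for i in range(12)]
    + [
        "2025-03-25T10:02:00Z auth fail user=bob src=192.0.2.9",
        "2025-03-25T10:02:05Z auth ok user=bob src=192.0.2.9",
    ]
)


def parse_log(text):
    """Return (timestamp, result, user, ip) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect(events, window=timedelta(minutes=10), stuffing_users=5, brute_attempts=10):
    """Map each suspicious source IP to 'credential_stuffing' or 'brute_force'.

    A source is stuffing when it fails against >= stuffing_users distinct
    accounts within the window, and brute forcing when it fails
    >= brute_attempts times against a single account. Thresholds are assumptions.
    """
    failures_by_ip = defaultdict(list)
    for ts, result, user, ip in sorted(events):
        if result == "fail":
            failures_by_ip[ip].append((ts, user))

    verdicts = {}
    for ip, fails in failures_by_ip.items():
        start = 0
        for end in range(len(fails)):
            # advance the window start until the span fits inside `window`
            while fails[end][0] - fails[start][0] > window:
                start += 1
            span = fails[start:end + 1]
            users = {u for _, u in span}
            if len(users) >= stuffing_users:
                verdicts[ip] = "credential_stuffing"
                break
            if len(users) == 1 and len(span) >= brute_attempts:
                verdicts[ip] = "brute_force"
                break
    return verdicts


if __name__ == "__main__":
    for ip, verdict in detect(parse_log(SAMPLE_LOG)).items():
        print(f"{ip:<16} {verdict}")
```

The stuffing check fires on distinct usernames rather than raw attempt counts, which is what separates it from a legitimate shared NAT address where many users each fail occasionally; in production you would also correlate a flagged source with any subsequent `ok` results, since a successful login after a stuffing burst is the event worth paging on.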


Now Fixed Windows Zero-Day Exploited by EncryptHub

The bug was exploited to deliver backdoor and infostealer malware.  Fixed on Patch Tuesday, CVE-2025-26633 (CVSS score 7.0) abuses Microsoft Management Console (MMC).  The threat actor has also developed custom malware.

https://thehackernews.com/2025/03/encrypthub-exploits-windows-zero-day-to.html

https://www.trendmicro.com/en_us/research/25/c/cve-2025-26633-water-gamayun.html


Cyberespionage Group RedCurl Turns to Ransomware

This threat actor is mysterious: it has been in operation since 2018, yet little is known of its motivations and business model.  Researchers consistently find cyberespionage.  Now they have deployed new ransomware targeting hypervisors.

https://www.bleepingcomputer.com/news/security/redcurl-cyberspies-create-ransomware-to-encrypt-hyper-v-servers/

https://www.bitdefender.com/en-us/blog/businessinsights/redcurl-qwcrypt-ransomware-technical-deep-dive


Phishing Platform Lucid Abuses Mobile Messaging

Impersonating 169 organizations across 88 countries, the platform uses time-sensitive, realistic lures such as unpaid tolls or tax payments.  The goal: credit card theft.  It takes advantage of secure messaging such as iMessage and Android RCS to bypass security.

https://www.darkreading.com/threat-intelligence/lucid-phishing-exploits-imessage-android-rcs

https://catalyst.prodaft.com/public/report/lucid/overview


New Ransomware Operation VanHelsing

Multi-platform, targeting Windows, ESXi, ARM, BSD, and Linux.  First promoted March 7; affiliates keep 80% of the ransom.  Three victims already appear on their extortion page.  Researchers noticed some errors in the encryptor; nevertheless, this is one to watch.

https://www.bleepingcomputer.com/news/security/new-vanhelsing-ransomware-targets-windows-arm-esxi-systems/

https://research.checkpoint.com/2025/vanhelsing-new-raas-in-town/

