Cyber Threat Weekly – #71
The week of March 24th through March 30th, around 395 cyber news articles were reviewed. A light-ish amount of cyber threat trends and adversarial behavior news to share. Been thinking about the need for principle-based security.
We moved away from the principle of least privilege long ago. With today’s technology, attack surface complexity, and adversary tenacity, we need to get back to basics. Network segmentation, identity and access management, and the principle of least privilege can go a long way to minimizing business impact.
Let’s start with researchers analyzing the latest Apache Tomcat bug. New Android banking malware Crocodilus spotted. Evidence mounts; Oracle still denies cloud breach. Another breach for Oracle, this time on the healthcare side.
DNS email records used to mimic 114 brands in phishing-as-a-service. 2025 Threat Detection Report. Attackers continue to go after cloud resources. New credential-stuffing-as-a-service platform scales brute force attacks.
Windows zero-day exploited by EncryptHub to deploy malware. Possible cyber mercenaries known for cyberespionage now use ransomware. Phishing-as-a-service platform abuses iMessage and Android Rich Communication Services.
Newly surfaced ransomware-as-a-service operation VanHelsing.
Broken Record Alert: Don’t get pwned by N-day vulnerabilities!!!
Known exploited software flaws are one of the top 5 initial access vectors. We continue to share n-day vulnerabilities being actively exploited. You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog.
A close #2 priority is flaws with weaponized proof of concept (PoC) code available. Exploit chances are higher when weaponized PoC code is available. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are being exploited or have weaponized PoC code available.
You should consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices exposed to the Internet.
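One way to turn the prioritization above into a repeatable triage step, as an added example that is not part of the newsletter: it reads a constructed excerpt in the shape of the CISA KEV JSON feed, tiers each finding (KEV first, weaponized PoC a close second, everything else on the normal cycle) and orders Internet-exposed assets first within a tier. The findings list, the placeholder CVE ids and the exact SLA labels are this example's assumptions.

```python
import json

# Constructed excerpt mimicking the CISA KEV feed (known_exploited_vulnerabilities.json);
# only the fields this example reads are included.
KEV_FEED_JSON = """
{"vulnerabilities": [
  {"cveID": "CVE-2025-24813", "dueDate": "2025-04-22", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-2025-2783",  "dueDate": "2025-04-17", "knownRansomwareCampaignUse": "Unknown"}
]}
"""

# Constructed scanner output for a handful of assets. The CVE-0000-* ids are
# placeholders for findings that are NOT in the KEV feed.
FINDINGS = [
    {"cve": "CVE-2025-24813", "asset": "tomcat-web-01", "internet_exposed": True,  "weaponized_poc": True},
    {"cve": "CVE-2025-2783",  "asset": "hr-laptop-17",  "internet_exposed": False, "weaponized_poc": False},
    {"cve": "CVE-0000-0001",  "asset": "build-srv-02",  "internet_exposed": True,  "weaponized_poc": True},
    {"cve": "CVE-0000-0002",  "asset": "db-int-03",     "internet_exposed": False, "weaponized_poc": False},
]


def load_kev_ids(feed_json: str) -> dict:
    """Map cveID -> CISA due date for every entry in a KEV feed document."""
    data = json.loads(feed_json)
    return {entry["cveID"]: entry["dueDate"] for entry in data["vulnerabilities"]}


def triage(findings: list, kev: dict) -> list:
    """Attach a tier and SLA to each finding and return them most urgent first.

    Tier 1: listed in CISA KEV (known exploited)  -> emergency, 24h
    Tier 2: weaponized PoC available              -> emergency, 48h
    Tier 3: everything else                        -> standard patch cycle
    Within a tier, Internet-exposed assets come first (they are reachable now).
    """
    ranked = []
    for f in findings:
        if f["cve"] in kev:
            tier, sla = 1, "emergency: patch within 24h (CISA due %s)" % kev[f["cve"]]
        elif f["weaponized_poc"]:
            tier, sla = 2, "emergency: patch within 48h"
        else:
            tier, sla = 3, "standard patch cycle"
        ranked.append({**f, "tier": tier, "sla": sla})
    ranked.sort(key=lambda r: (r["tier"], not r["internet_exposed"]))
    return ranked


if __name__ == "__main__":
    for row in triage(FINDINGS, load_kev_ids(KEV_FEED_JSON)):
        print(f'T{row["tier"]} {row["cve"]:16} {row["asset"]:14} {row["sla"]}')
```

Swap the constructed feed for the real KEV JSON download and the findings for your scanner export; the tier rules stay the same.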
CISA Known Exploited Vulnerabilities – March 24th to March 30th:
CVE-2025-30154 – reviewdog/action-setup GitHub Action Embedded Malicious Code Vulnerability:
Dumps exposed secrets to GitHub Actions workflow logs.
CVE-2019-9875 – Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability:
Allows an authenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN.
CVE-2019-9874 – Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability:
Allows an unauthenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN.
CVE-2025-2783 – Google Chromium Mojo Sandbox Escape Vulnerability:
Results from an incorrect handle being provided in unspecified circumstances. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.
Apache Tomcat Bug CVE-2025-24813 Analysis
The good news: several conditions must be met to achieve remote code execution, or to view sensitive files and inject content, and some of them are disabled by default. Proof-of-concept exploits are available, and exploitation is being attempted.
https://www.recordedfuture.com/blog/apache-tomcat-cve-2025-24813-vulnerability-analysis
New Banking Malware Crocodilus Targets Android Devices
Multiple functions are the game with this malware. It uses social engineering to request accessibility permissions and steals the victim’s wallet key via its accessibility logger. Full remote access trojan capabilities round out this malware.
Despite Evidence to the Contrary, Oracle Still Denies OCI Breach
Researchers have dug into a 10,000-line sample provided by the threat actor; it certainly appears credible. The sample alone covers 1,500 organizations. Researchers validated the data with OCI customers; there is little doubt the breach happened, the question is the total impact.
https://socradar.io/oracle-cloud-security-incident-by-rose87168/
Patient Data Compromised in Oracle Healthcare Breach
This is interesting; the timing is suspect when looking at the Oracle Cloud breach. Notices have been sent to customers, but Oracle has not publicly disclosed the breach. Oracle is leaving hospitals to determine whether the stolen data violates HIPAA and told them it is their responsibility to notify patients directly. The lack of transparency from Oracle is not good for customers or the industry.
Phishing Kit Morphing Meerkat Mimics 114 Brands using DNS
Researchers revealed a new phishing-as-a-service platform. The automation is concerning: it abuses DNS to identify the target’s email service provider and dynamically serve a matching fake login page. In addition, it dynamically translates into over a dozen languages.
https://thehackernews.com/2025/03/new-morphing-meerkat-phishing-kit.html
https://blogs.infoblox.com/threat-intelligence/a-phishing-tale-of-doh-and-dns-mx-abuse/
2025 Threat Detection Report – Red Canary
This report includes confirmed threats and the emerging trends of 2024. ClickFix, identity attacks, VPN abuse, and cloud attacks are only some of the trends seen. There are a lot of nuggets in this report, worth a look.
https://redcanary.com/threat-detection-report/trends/
Cloud Attacks Appear to be Trending Upward
Some not-so-cool stats shared by security researchers. The trends lean into identity and access management and data exfiltration. Attackers are focused on what works, and legit credentials are all the rage.
https://unit42.paloaltonetworks.com/2025-cloud-security-alert-trends/
Automated Credential Stuffing Scales Brute Force Attacks
Atlantis AIO is a credential stuffing tool that can try stolen and common credentials across more than 140 platforms. It contains three modules: email account testing, brute force attacks, and account recovery.
https://abnormalsecurity.com/blog/atlantis-aio-credential-stuffing-140-platforms
Now Fixed Windows Zero-Day Exploited by EncryptHub
The bug was exploited to deliver backdoor and infostealer malware. Fixed during Patch Tuesday, CVE-2025-26633 (CVSS score 7.0) abuses Microsoft Management Console (MMC). The threat actor has also developed custom malware.
https://thehackernews.com/2025/03/encrypthub-exploits-windows-zero-day-to.html
https://www.trendmicro.com/en_us/research/25/c/cve-2025-26633-water-gamayun.html
Cyberespionage Group RedCurl Turns to Ransomware
This threat actor is mysterious; it has been in operation since 2018, yet little is known of its motivations and business model. Researchers consistently find cyberespionage. It has now deployed new ransomware targeting hypervisors.
Phishing Platform Lucid Abuses Mobile Messaging
Impersonating 169 organizations across 88 countries, the platform uses time-sensitive, realistic lures such as unpaid tolls or tax payments. The goal: credit card theft. It takes advantage of secure messaging such as iMessage and Android RCS to bypass security.
https://www.darkreading.com/threat-intelligence/lucid-phishing-exploits-imessage-android-rcs
https://catalyst.prodaft.com/public/report/lucid/overview
New Ransomware Operation VanHelsing
Multi-platform, targeting Windows, ESXi, ARM, BSD, and Linux. First promoted March 7; affiliates keep 80% of the ransom. Three victims already appear on their extortion page. Researchers noticed some errors in the encryptor; nevertheless, this is one to watch.
https://research.checkpoint.com/2025/vanhelsing-new-raas-in-town/
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter