Cyber Threat Weekly – #72
During the week of March 31st through April 6th, around 384 cyber news articles were reviewed. There is a moderate amount of cyber threat trend and adversarial behavior news to share. I've been thinking about the ransomware economy.
From initial access brokers to malware-as-a-service, cybercriminals have an arsenal of tools at their disposal. While as an industry we are paying the ransom less often, we are still feeding the beast. The continued rise of data-exfiltration-only attacks is the next step. If you didn't get encrypted, do you still pay the extortion fee?
Let's start with criminals using PyPI as a distribution outlet. Possible new threat group going after crypto. Huge surge of credential stuffing attacks on Australian pension funds. Apache Parquet critical remote code execution flaw disclosed.
Ransomware gang Hunters International switches to data-exfiltration-only attacks. Limited exploitation of a critical Ivanti bug. With still no public admission, Oracle quietly informs select customers of the cloud and healthcare data breaches.
Possible Samsung data breach via old login credentials. North Korean IT workers going global. Resurgence of Gootloader malware. The 2025 Sophos Active Adversary Report. The Cisco Talos 2024 Year in Review report.
Massive wave of scanning for Palo Alto GlobalProtect VPNs. North Korean APT switches to ClickFix.
Broken Record Alert: Don’t get pwned by N-day vulnerabilities!!!
Known exploited software flaws are one of the top 5 initial access vectors. We continue to share n-day vulnerabilities that are being actively exploited. You can prioritize starting with the CISA Known Exploited Vulnerabilities (KEV) catalog.
A close #2 priority is flaws with weaponized proof-of-concept (PoC) code available, since the odds of exploitation rise sharply once weaponized PoC code is public. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are actively exploited or have weaponized PoC code available.
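One way to turn the prioritization above into something repeatable is to triage scanner findings against a local copy of the KEV feed. The script below is an added example, not code from the newsletter or from CISA: the KEV snippet is a constructed excerpt in the shape of the public feed (field names match the feed, dates are this week's additions), the scanner findings and CVSS values are made up for the demo, and the split of the 24-to-48-hour emergency window into 24 hours for KEV entries and 48 hours for weaponized-PoC entries is an assumption.

```python
"""Triage vulnerability findings into patch tiers using the CISA KEV catalog.

Added example. The KEV excerpt, the asset inventory, and the SLA split
are constructed for the demo; swap KEV_SAMPLE_JSON for the real feed text.
"""
import json
from datetime import datetime, timedelta, timezone

# Public feed location (download it and pass the text to load_kev).
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed excerpt mirroring the feed schema; only this week's additions.
KEV_SAMPLE_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2024-20439", "vendorProject": "Cisco",
         "product": "Smart Licensing Utility", "dateAdded": "2025-03-31",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-24813", "vendorProject": "Apache",
         "product": "Tomcat", "dateAdded": "2025-04-01",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-22457", "vendorProject": "Ivanti",
         "product": "Connect Secure, Policy Secure, and ZTA Gateways",
         "dateAdded": "2025-04-04", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed scanner output for a make-believe environment (assets and
# CVSS numbers are illustrative, not measurements).
FINDINGS = [
    {"asset": "vpn-edge-01", "cve": "CVE-2025-22457", "cvss": 9.0},
    {"asset": "app-tomcat-03", "cve": "CVE-2025-24813", "cvss": 9.8},
    {"asset": "lic-util-02", "cve": "CVE-2024-20439", "cvss": 9.8},
    {"asset": "etl-spark-07", "cve": "CVE-2025-30065", "cvss": 10.0},
]


def load_kev(feed_text: str) -> dict:
    """Index a KEV feed (the real download or the sample above) by CVE ID."""
    feed = json.loads(feed_text)
    return {entry["cveID"]: entry for entry in feed["vulnerabilities"]}


def triage(findings, kev, weaponized_poc, now=None,
           kev_sla_hours=24, poc_sla_hours=48, default_sla_hours=30 * 24):
    """Assign each finding a tier and a patch-by deadline.

    P1-KEV     listed in KEV (actively exploited)        -> kev_sla_hours
    P2-PoC     weaponized PoC public, not (yet) in KEV   -> poc_sla_hours
    P3-routine everything else                          -> normal cycle
    `weaponized_poc` is the set of CVE IDs your own intel has confirmed
    have working exploit code; the 24h/48h split is an assumption.
    """
    now = now or datetime.now(timezone.utc)
    rows = []
    for finding in findings:
        cve = finding["cve"]
        if cve in kev:
            tier, hours = "P1-KEV", kev_sla_hours
        elif cve in weaponized_poc:
            tier, hours = "P2-PoC", poc_sla_hours
        else:
            tier, hours = "P3-routine", default_sla_hours
        rows.append({
            **finding,
            "tier": tier,
            "due": now + timedelta(hours=hours),
            # Surfaces the feed's ransomware flag so responders see it.
            "ransomware_use": kev.get(cve, {}).get("knownRansomwareCampaignUse", "n/a"),
        })
    # Earliest deadline first; within the same deadline, highest CVSS first.
    rows.sort(key=lambda r: (r["due"], -r["cvss"]))
    return rows


if __name__ == "__main__":
    catalog = load_kev(KEV_SAMPLE_JSON)
    for r in triage(FINDINGS, catalog, weaponized_poc=set()):
        print(f'{r["tier"]:<11} {r["asset"]:<14} {r["cve"]:<15} '
              f'CVSS {r["cvss"]:<4} ransomware={r["ransomware_use"]:<8} '
              f'patch by {r["due"]:%Y-%m-%d %H:%MZ}')
```

Add CVE IDs to the `weaponized_poc` set as your intel team confirms working exploit code; anything in that set jumps the queue even before CISA lists it.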
CISA Known Exploited Vulnerabilities – March 31st to April 6th:
CVE-2024-20439 – Cisco Smart Licensing Utility Static Credential Vulnerability:
Allows an unauthenticated, remote attacker to log in to an affected system and gain administrative credentials.
CVE-2025-24813 – Apache Tomcat Path Equivalence Vulnerability:
Allows a remote attacker to execute code, disclose information, or inject malicious content via a partial PUT request.
CVE-2025-22457 – Ivanti Connect Secure, Policy Secure and ZTA Gateways Stack-Based Buffer Overflow Vulnerability:
Allows a remote unauthenticated attacker to achieve remote code execution.
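The Tomcat entry above is worth a quick configuration check. Per Apache's advisory for CVE-2025-24813, the partial-PUT path only works when the DefaultServlet has writes enabled (init-param `readonly` set to false; the shipped default is true) and partial PUT support is left on (init-param `allowPartialPut`, default true per the DefaultServlet documentation). The script below is an added example, not code from the newsletter or the Tomcat project: it parses a `conf/web.xml`, reports whether those two preconditions are met, and flags partial PUT requests at the proxy by their `Content-Range` header. The three `web.xml` samples are constructed.

```python
"""Check a Tomcat web.xml for the CVE-2025-24813 preconditions.

Added example. The web.xml samples are constructed; point
default_servlet_params() at the text of your real conf/web.xml.
"""
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"

# Constructed: Tomcat's shipped defaults (readonly not set -> true).
DEFAULT_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>"""

# Constructed: someone enabled writes (the exploitable precondition).
WRITABLE_WEB_XML = DEFAULT_WEB_XML.replace(
    "<load-on-startup>",
    "<init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>"
    "<load-on-startup>")

# Constructed: writes enabled but partial PUT disabled.
WRITABLE_NO_PARTIAL_WEB_XML = WRITABLE_WEB_XML.replace(
    "<load-on-startup>",
    "<init-param><param-name>allowPartialPut</param-name><param-value>false</param-value></init-param>"
    "<load-on-startup>")


def _local(tag: str) -> str:
    """Drop the XML namespace so the check works for javaee and jakartaee web.xml."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_params(web_xml_text: str) -> dict:
    """Return the DefaultServlet's init-params as {name: value}; {} if not declared."""
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = next((c.text.strip() for c in servlet
                    if _local(c.tag) == "servlet-class" and c.text), "")
        if cls != DEFAULT_SERVLET:
            continue
        params = {}
        for init_param in servlet:
            if _local(init_param.tag) != "init-param":
                continue
            name = value = None
            for child in init_param:
                if _local(child.tag) == "param-name":
                    name = (child.text or "").strip()
                elif _local(child.tag) == "param-value":
                    value = (child.text or "").strip()
            if name:
                params[name] = value
        return params
    return {}


def partial_put_exposed(web_xml_text: str):
    """Return (exposed, reasons): exposed is True only when both preconditions hold."""
    params = default_servlet_params(web_xml_text)
    readonly = params.get("readonly", "true").lower() == "true"
    allow_partial = params.get("allowPartialPut", "true").lower() == "true"
    reasons = []
    if not readonly:
        reasons.append("readonly=false: unauthenticated PUT can write files under the webapp")
    if allow_partial:
        reasons.append("allowPartialPut=true (default): Content-Range PUTs are accepted")
    return (not readonly) and allow_partial, reasons


def is_partial_put(method: str, headers: dict) -> bool:
    """Proxy-side triage: a partial PUT is a PUT carrying a Content-Range header."""
    names = {k.lower() for k in headers}
    return method.upper() == "PUT" and "content-range" in names


if __name__ == "__main__":
    for label, text in (("default", DEFAULT_WEB_XML), ("writable", WRITABLE_WEB_XML),
                        ("writable-no-partial", WRITABLE_NO_PARTIAL_WEB_XML)):
        exposed, reasons = partial_put_exposed(text)
        print(f"{label:<20} exposed={exposed} {reasons}")
```

`exposed` is the precondition for the path-equivalence write, not proof of RCE; the patch (or setting `readonly` back to true) is still the fix, and a write-enabled DefaultServlet with partial PUT off is still a misconfiguration worth raising.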
Obvious Malicious PyPI Package Abusing PyPI Distribution
A couple of thoughts here. First, the sophistication of criminals continues to rise: digging into the package, it let scammers mimic credit card transactions so they appeared to be legitimate traffic. Second, hiding in plain sight by abusing legitimate resources for distribution is something we continue to see.
Researchers Link Troy Hunt Phish and SendGrid Crypto Phish
The end goal is account takeover on major mailing platforms in order to send phishing emails targeting crypto wallets. Abusing legitimate accounts lets criminals fly under the radar and bypass email security. We shared a sample from Bleeping Computer a few weeks ago.
https://www.silentpush.com/blog/poisonseed/
https://www.troyhunt.com/a-sneaky-phish-just-grabbed-my-mailchimp-mailing-list/
Credential Stuffing is Continuing at High Velocity
The current target is Australian pension funds, but credential stuffing has caused a ton of problems, the Snowflake breaches and attacks on network edge devices to name a few. Phishing-resistant multifactor authentication is no longer optional.
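Credential stuffing leaves a recognizable shape in authentication logs, and it is worth having a detector for it even with MFA in place, because a successful password match still tells you which accounts are in the attacker's list. The script below is an added example, not code from the newsletter: it runs over constructed auth log lines and flags the two common patterns, one source trying many accounts, and a distributed run where many sources share one client signature. The log format, the user-agent strings, the thresholds, and the 10-minute window are assumptions for the demo.

```python
"""Credential stuffing detector over a simple auth log format.

Added example. The log lines, format and thresholds are constructed;
adapt parse() to your own authentication log.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: one IP walking a user list, a distributed run sharing
# a client signature, and a couple of normal logins. RFC 5737 test ranges.
SAMPLE_LOG = """\
2025-04-02T09:10:02Z src=198.51.100.4 user=bob result=OK ua="Mozilla/5.0"
2025-04-02T09:10:15Z src=203.0.113.7 user=alice result=FAIL ua="curl/8.5.0"
2025-04-02T09:10:16Z src=203.0.113.7 user=bob result=FAIL ua="curl/8.5.0"
2025-04-02T09:10:17Z src=203.0.113.7 user=carol result=FAIL ua="curl/8.5.0"
2025-04-02T09:10:18Z src=203.0.113.7 user=dave result=FAIL ua="curl/8.5.0"
2025-04-02T09:10:19Z src=203.0.113.7 user=erin result=FAIL ua="curl/8.5.0"
2025-04-02T09:10:20Z src=203.0.113.7 user=frank result=OK ua="curl/8.5.0"
2025-04-02T09:11:40Z src=198.51.100.9 user=grace result=FAIL ua="Mozilla/5.0"
2025-04-02T09:11:55Z src=198.51.100.9 user=grace result=OK ua="Mozilla/5.0"
2025-04-02T09:12:01Z src=192.0.2.11 user=heidi result=FAIL ua="python-requests/2.31"
2025-04-02T09:12:03Z src=192.0.2.12 user=ivan result=FAIL ua="python-requests/2.31"
2025-04-02T09:12:05Z src=192.0.2.13 user=judy result=FAIL ua="python-requests/2.31"
2025-04-02T09:12:07Z src=192.0.2.14 user=mallory result=FAIL ua="python-requests/2.31"
2025-04-02T09:12:09Z src=192.0.2.15 user=niaj result=FAIL ua="python-requests/2.31"
2025-04-02T09:12:11Z src=192.0.2.16 user=olivia result=FAIL ua="python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) '
    r'result=(?P<result>OK|FAIL) ua="(?P<ua>[^"]*)"$')


def parse(line: str):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def window_start(ts: datetime, minutes: int) -> datetime:
    """Bucket a timestamp into a tumbling window of `minutes` (must divide 60)."""
    return ts.replace(minute=(ts.minute // minutes) * minutes, second=0, microsecond=0)


def detect(lines, window_minutes=10, min_users=5, min_ips=5, min_fail_ratio=0.8):
    """Return alerts for single-source and distributed credential stuffing."""
    by_ip = defaultdict(lambda: {"users": set(), "n": 0, "fail": 0, "ok_users": set()})
    by_ua = defaultdict(lambda: {"ips": set(), "n": 0, "fail": 0})
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        w = window_start(ev["ts"], window_minutes)
        failed = ev["result"] == "FAIL"
        ip = by_ip[(w, ev["src"])]
        ip["users"].add(ev["user"])
        ip["n"] += 1
        ip["fail"] += failed
        if not failed:
            ip["ok_users"].add(ev["user"])   # a hit: valid creds in the attacker's list
        ua = by_ua[(w, ev["ua"])]
        ua["ips"].add(ev["src"])
        ua["n"] += 1
        ua["fail"] += failed

    alerts = []
    for (w, src), s in by_ip.items():
        ratio = s["fail"] / s["n"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            alerts.append({"kind": "single-ip", "key": src, "window": w.isoformat(),
                           "distinct": len(s["users"]), "fail_ratio": round(ratio, 2),
                           "compromised": sorted(s["ok_users"])})
    for (w, ua), s in by_ua.items():
        ratio = s["fail"] / s["n"]
        if len(s["ips"]) >= min_ips and ratio >= min_fail_ratio:
            alerts.append({"kind": "distributed-ua", "key": ua, "window": w.isoformat(),
                           "distinct": len(s["ips"]), "fail_ratio": round(ratio, 2)})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The `compromised` list on a single-IP alert is the actionable part: those accounts answered with a valid password and need a forced reset, whatever MFA did afterwards.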
Critical Remote Code Execution Flaw in Apache Parquet
No known exploitation yet, but CVE-2025-30065 carries a 10.0 CVSS score. Apache projects are a massive threat actor target, and Apache Parquet is widely used in big data platforms. In addition, researchers found another campaign targeting Apache Tomcat.
https://thehackernews.com/2025/04/critical-flaw-in-apache-parquet-allows.html
https://www.aquasec.com/blog/new-campaign-against-apache-tomcat/
Shifting from Ransomware to Data Exfiltration Only
We've seen this quite a bit in recent months: the shift from ransomware to data-exfiltration-only operations. Ransomware-as-a-service is expensive to operate and draws law enforcement attention. Data exfiltration only, on the other hand, is much more cost effective, profitable, and quiet. According to Coveware, in Q4 2024 victims paid ransomware gangs 25% of the time and paid in data-exfiltration-only cases 41% of the time.
https://www.group-ib.com/blog/hunters-international-ransomware-group/
https://www.coveware.com/blog/2025/1/31/q4-report
Fixed Critical Ivanti Bug Actively Exploited
The bug was fixed earlier and, at the time, deemed low risk. Once threat actors started limited exploitation, Ivanti reassessed CVE-2025-22457 as critical with a 9.0 CVSS score. This China-linked threat actor loves to exploit Ivanti bugs.
https://www.darkreading.com/vulnerabilities-threats/china-linked-threat-group-exploits-ivanti-bug
Oracle Quietly Informs Select Customers of Data Breach
Even after a class-action lawsuit, Oracle still hasn't publicly acknowledged the data breach. Its claim that only the legacy Oracle Cloud Classic environment was impacted is suspect given the alleged 140,000 affected tenants, and a similar claim was made about the Oracle healthcare breach. Oracle provided a lesson in how NOT to handle a data breach.
Possible 270,000 Customer Records Leaked via Samsung Breach
Two observations here. First, identity is arguably the #1 initial access vector, so understand your stale credentials and what they can still access. Second, Samsung demonstrated the proper way to handle a possible data breach scenario: with transparency.
https://www.csoonline.com/article/3952979/hacker-steals-customer-data-from-samsung-germany.html
Now a Global Threat, North Korean IT Workers
In previous newsletters we shared how North Korean operatives use fake identities to get jobs, earn money for North Korea, steal data, and extort employers. They are now expanding into Europe and other countries.
https://www.darkreading.com/threat-intelligence/dprk-it-workers-europe-employment
https://cloud.google.com/blog/topics/threat-intelligence/dprk-it-workers-expanding-scope-scale
Researchers Observe New Gootloader Campaign
A familiar lure, legal documents, but with a twist: the threat actor is now using malvertising as the delivery method. Google Ads lets them target victims, and they use their own infrastructure to deliver the malware.
https://www.darkreading.com/cyberattacks-data-breaches/gootloader-malware-google-ads-legal-docs
The 2025 Sophos Active Adversary Report
It's interesting to see the difference between the incident response and managed detection and response (MDR) data sets. Compromised credentials led the root-cause data set, with exploited vulnerabilities second.
https://news.sophos.com/en-us/2025/04/02/2025-sophos-active-adversary-report/
The Cisco Talos 2024 Year in Review
A common theme: identity attacks led the way for initial access in 2024. It's great to correlate multiple reports such as this one to ascertain threat trends across diverse vendors and customer sets.
https://blog.talosintelligence.com/content/files/2025/03/2024YiR-report.pdf
Possible Attack – Massive Scanning for PAN GlobalProtect VPNs
Researchers detected a surge in scanning activity targeting GlobalProtect VPN login portals: almost 24,000 unique IPs, with a small subset flagged as malicious. The vast majority targeted systems in the United States.
https://www.darkreading.com/perimeter/scans-pan-globalprotect-vpns-attacks
https://www.greynoise.io/blog/surge-palo-alto-networks-scanner-activity
The ClickFix Attack Method Continues to be Popular
The North Korean APT group Lazarus is now using the ClickFix technique to target less technically inclined job seekers. When the victim tries to enable their camera for the fake interview, they are shown an error, and the ClickFix lure walks them through "fixing" it by running the attacker's command.
https://www.darkreading.com/cyberattacks-data-breaches/lazarus-apt-clickfix-bandwagon-attacks
https://blog.sekoia.io/clickfake-interview-campaign-by-lazarus/
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter