Cyber Threat Weekly – #74
The week of April 14th through April 20th, around 374 cyber news articles were reviewed. A light amount of cyber threat trends and adversarial behavior news to share. Been thinking about security control validation.
How do you know your security controls are working as expected? It feels like we do a lot of hope and assumption-based security. We purchase and implement security controls, assume they are working correctly, and hope we don’t get pwned.
Let’s start with a new credit card stealing NFC relay Android malware. Public exploits available for Erlang/OTP SSH bug. Another ClickFix campaign, this time from Interlock ransomware threat actors.
CISA releases an advisory on the alleged Oracle Cloud breach. VPNs are a huge target, SonicWall SMA bug actively exploited. Microsoft NTLM credentials flaw actively exploited. Multiple nation state threat groups trying the ClickFix technique.
Another example of abusing legitimate services. Working the blind spots, threat actors continue to thrive.
Broken Record Alert: Don’t get pwned by N-day vulnerabilities!!!
Known exploited software flaws are one of the top 5 initial access vectors. We continue to share n-day vulnerabilities being actively exploited. You can prioritize starting with the CISA known exploited vulnerability (KEV) catalog.
A close #2 priority is flaws with weaponized proof of concept (PoC) code available. Exploit chances are higher when weaponized PoC code is available. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are actively exploited or have weaponized PoC code available.
You should consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way to minimizing the number of devices exposed to the Internet.
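As an added illustration of the triage order above (not code from the newsletter), here is a small Python helper that ranks a constructed asset inventory against a KEV-shaped feed. The field names follow the CISA KEV JSON; the inventory entries, the 30-day default window for unranked flaws, and the placeholder CVE are assumptions.

```python
from datetime import date, timedelta

# Constructed sample in the shape of the CISA KEV JSON feed. Field names match
# the real feed; the entries are examples, not a copy of the catalog.
KEV_FEED = {
    "vulnerabilities": [
        {"cveID": "CVE-2021-20035", "vendorProject": "SonicWall",
         "product": "SMA100 Appliances", "dateAdded": "2025-04-16"},
        {"cveID": "CVE-2025-24054", "vendorProject": "Microsoft",
         "product": "Windows", "dateAdded": "2025-04-17"},
    ]
}

# Constructed asset inventory: which CVE affects which asset, whether the
# asset is Internet-exposed, and whether weaponized public PoC code exists.
INVENTORY = [
    {"cve": "CVE-2021-20035", "asset": "vpn-sma-01", "exposed": True, "poc": True},
    {"cve": "CVE-2025-32433", "asset": "erlang-ssh-02", "exposed": True, "poc": True},
    {"cve": "CVE-2025-24054", "asset": "fileserver-07", "exposed": False, "poc": False},
    {"cve": "CVE-0000-0000", "asset": "intranet-wiki", "exposed": False, "poc": False},  # placeholder CVE
]

EMERGENCY_DAYS = 2      # the 24-to-48-hour emergency window
DEFAULT_DAYS = 30       # assumed normal patch cycle for everything else


def kev_ids(feed):
    """Set of CVE ids currently listed in the KEV catalog feed."""
    return {v["cveID"] for v in feed["vulnerabilities"]}


def triage(inventory, feed, today=date(2025, 4, 21)):
    """Rank findings: tier 1 = in KEV, tier 2 = weaponized PoC, tier 3 = rest.

    Tiers 1 and 2 get the emergency deadline; within a tier, Internet-exposed
    assets are ordered first. Returns a list of dicts sorted by priority.
    """
    kev = kev_ids(feed)
    rows = []
    for item in inventory:
        if item["cve"] in kev:
            tier, days = 1, EMERGENCY_DAYS
        elif item["poc"]:
            tier, days = 2, EMERGENCY_DAYS
        else:
            tier, days = 3, DEFAULT_DAYS
        rows.append({**item, "tier": tier, "due": (today + timedelta(days=days)).isoformat()})
    # Stable sort: lower tier first, then exposed assets ahead of internal ones.
    rows.sort(key=lambda r: (r["tier"], not r["exposed"]))
    return rows
```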
CISA Known Exploited Vulnerabilities – April 14th to April 20th:
CVE-2021-20035 – SonicWall SMA100 Appliances OS Command Injection Vulnerability:
Allows a remote authenticated attacker to inject arbitrary commands as a 'nobody' user, which could potentially lead to code execution.
CVE-2025-24054 – Microsoft Windows NTLM Hash Disclosure Spoofing Vulnerability:
Allows an unauthorized attacker to perform spoofing over a network.
CVE-2025-31201 – Apple Multiple Products Arbitrary Read and Write Vulnerability:
Allows an attacker to bypass Pointer Authentication. Apple iOS, iPadOS, macOS, and other Apple products are affected.
CVE-2025-31200 – Apple Multiple Products Memory Corruption Vulnerability:
Allows for code execution when processing an audio stream in a maliciously crafted media file. Apple iOS, iPadOS, macOS, and other Apple products are affected.
SuperCard X Malware-as-a-Service Platform – NFC Relay
Distributed through social engineering tactics and tricking victims into installing malware and tapping their credit cards. A campaign currently targeting Italy has been observed. As more affiliates onboard, that will most likely extend to many regions.
https://therecord.media/new-payment-card-scam-involves-malware-tap
Critical SSH Bug in Erlang/OTP with Public Exploits Available
Multiple exploits available for CVE-2025-32433 SSH vulnerability. As an industry, we need to minimize what we expose to the Internet. Architecture and zero trust network access can provide the access needed without unnecessary exposure.
https://www.openwall.com/lists/oss-security/2025/04/16/2
https://www.shodan.io/search?query=%22Erlang%2FOTP%22
Imitated IT Tools Abused in Ransomware ClickFix Attacks
The Interlock ransomware gang is using the popular social engineering tactic to dupe victims into installing malware. Stolen credentials then lead to lateral movement. The ransom note focuses on the legal aspects of a data breach.
https://blog.sekoia.io/interlock-ransomware-evolving-under-the-radar/
Probable Oracle Cloud Breach, CISA Advisory Released
Stolen credentials and secrets pose a significant threat to organizations. The Cybersecurity and Infrastructure Security Agency (CISA) released guidance to minimize the impact of the alleged breach.
https://www.darkreading.com/cloud-security/cisa-alleged-oracle-cloud-breach
Nearly Four-Year-Old SonicWall SMA VPN Bug Exploited
Seemingly actively exploited since January, CVE-2021-20035 was fixed September 2021. This week SonicWall updated the security advisory and expanded the impact to include remote code execution. VPNs continue to be a risky ingress security control.
Actively Exploited Microsoft NTLM Credentials Bug
The bug tracked as CVE-2025-24054 allows an attacker to perform spoofing over a network, leading to leaked credentials. New Technology LAN Manager (NTLM) is a legacy technology that was deprecated last year.
https://thehackernews.com/2025/04/cve-2025-24054-under-active.html
https://research.checkpoint.com/2025/cve-2025-24054-ntlm-exploit-in-the-wild/
Popular ClickFix Technique Tested by Multiple Nation State Threat Actors
Usually associated with cyber criminals, the technique is gaining traction from multiple threat groups. ClickFix is a social engineering technique that tricks victims into installing malware by following instructions under the guise of fixing an issue.
https://thehackernews.com/2025/04/state-sponsored-hackers-weaponize.html
The Abusing Legitimate Services Trend Continues
Threat actors will continue to do what works. The abuse of legitimate services and websites is nothing new, but it is very popular. It adds not only legitimacy but also defense evasion to attack campaigns.
https://thehackernews.com/2025/04/ai-powered-gamma-used-to-host-microsoft.html
https://abnormal.ai/blog/multi-stage-phishing-attack-gamma-presentation
Chinese Threat Actors Aren’t the Only Ones Working the Blind Spots
While we seem to be focused on China, and for good reason, other threat actors are abusing the blind spots as well. Lack of network visibility, IoT devices, and the cloud are being abused to fly under the radar. The use of open-source and dual-use tools makes attribution difficult.
https://thehackernews.com/2025/04/chinese-hackers-target-linux-systems.html
https://sysdig.com/blog/unc5174-chinese-threat-actor-vshell/
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter