Cyber Threat Weekly – #75
The week of April 21st through April 27th, around 383 cyber news articles were reviewed. A light-ish amount of cyber threat trends and adversarial behavior news to share. I've been thinking about network segmentation and complexity.
Not everything on the network has to be segmented. Focusing on critical business processes and their dependencies lets you optimize security for what matters most and apply best effort to everything else. The goal: minimize business impact should you encounter a cyber attack.
Let's start with the ransomware model expanding into a white-label service. Once again, password spray attacks are in the news. Social engineering and homograph attacks are still working. Observing an initial access broker.
Another suspected initial access broker exploiting a zero-day. The M-Trends 2025 Report. Cybercrime phishing toolkits are adding generative AI. Intelligence Insights: April 2025. The 2025 Verizon DBIR Report. VulnCheck bug exploitation trends for Q1 2025.
FBI's Internet Crime Report 2024. GreyNoise Resurgent Vulnerability Report. Optiv 2025 Cybersecurity Threat and Risk Management Report.
Broken Record Alert: Don’t get pwned by N-day vulnerabilities!!!
Known exploited software flaws are one of the top 4 initial access vectors and have increased sharply in recent months. We continue to share n-day vulnerabilities being actively exploited. Priority #1: start with the CISA Known Exploited Vulnerabilities (KEV) catalog. If it's in the catalog, it should already be patched.
A close #2 priority is flaws with weaponized proof of concept (PoC) code available. The chance of exploitation rises once weaponized PoC code is public. If you do nothing else with patching, have an emergency 24-to-48-hour patching process for vulnerabilities that are actively exploited or have weaponized PoC code available.
You should also consider what is exposed to the Internet. Architecture and zero trust network access (ZTNA) can go a long way toward minimizing the number of devices and services exposed to the Internet.
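The prioritization above can be automated against scanner output. Below is an added example (not code from the newsletter or from CISA) that ranks findings by the two tiers described: KEV entries first, then flaws with a public weaponized PoC, with the 48-hour emergency window applied to Internet-exposed hosts. The KEV excerpt follows the field names of CISA's real JSON feed (cveID, dateAdded, dueDate, knownRansomwareCampaignUse) but its records, the findings list, the fixed "current time", and the 30-day routine window are constructed assumptions.

```python
"""Rank vulnerability findings using CISA KEV membership and PoC availability.

Tier 1: CVE is in the KEV catalog (CISA due date, or 48h if the host is exposed).
Tier 2: a weaponized public PoC exists (48h emergency window).
Tier 3: everything else goes into the routine patch cycle.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed excerpt in the shape of CISA's known_exploited_vulnerabilities.json.
KEV_JSON = """
{"vulnerabilities": [
  {"cveID": "CVE-2025-0001", "dateAdded": "2025-04-22", "dueDate": "2025-05-13",
   "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-2024-9999", "dateAdded": "2024-11-01", "dueDate": "2024-11-22",
   "knownRansomwareCampaignUse": "Unknown"}
]}
"""

# Constructed scanner output: one row per (host, CVE). "poc" means a
# weaponized public exploit is known to exist for that CVE.
FINDINGS = [
    {"host": "vpn-edge-01", "cve": "CVE-2025-0001", "exposed": True,  "poc": False, "cvss": 9.8},
    {"host": "hr-app-07",   "cve": "CVE-2024-9999", "exposed": False, "poc": True,  "cvss": 7.5},
    {"host": "build-03",    "cve": "CVE-2025-4242", "exposed": False, "poc": True,  "cvss": 8.1},
    {"host": "fileshare-2", "cve": "CVE-2025-1111", "exposed": False, "poc": False, "cvss": 9.1},
]

EMERGENCY_WINDOW = timedelta(hours=48)   # the 24-48 hour process from the text
ROUTINE_WINDOW = timedelta(days=30)      # assumed normal patch cycle
NOW = datetime(2025, 4, 28, tzinfo=timezone.utc)  # fixed clock so runs are reproducible


def load_kev(raw: str) -> dict:
    """Index a KEV feed by CVE ID."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}


def prioritize(findings, kev, now=NOW):
    """Return findings sorted by urgency, each tagged with tier, deadline and reason."""
    ranked = []
    for f in findings:
        entry = kev.get(f["cve"])
        if entry is not None:
            tier = 1
            cisa_due = datetime.strptime(entry["dueDate"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
            # Exposed hosts get the emergency window even when CISA allows longer.
            deadline = min(cisa_due, now + EMERGENCY_WINDOW) if f["exposed"] else cisa_due
            reason = "CISA KEV"
            if entry.get("knownRansomwareCampaignUse") == "Known":
                reason += " (ransomware use)"
        elif f["poc"]:
            tier, deadline, reason = 2, now + EMERGENCY_WINDOW, "weaponized PoC public"
        else:
            tier, deadline, reason = 3, now + ROUTINE_WINDOW, "routine"
        ranked.append({**f, "tier": tier, "deadline": deadline,
                       "overdue": deadline < now, "reason": reason})
    # Tier first, then exposed hosts, then nearest deadline, CVSS as tie-break.
    ranked.sort(key=lambda r: (r["tier"], not r["exposed"], r["deadline"], -r["cvss"]))
    return ranked


if __name__ == "__main__":
    for r in prioritize(FINDINGS, load_kev(KEV_JSON)):
        flag = "OVERDUE " if r["overdue"] else ""
        print(f"T{r['tier']} {flag}{r['host']:12} {r['cve']:15} due {r['deadline']:%Y-%m-%d} ({r['reason']})")
```

Note that the KEV entry with a lapsed CISA due date (hr-app-07) surfaces as overdue even though the host is internal, and the exposed VPN appliance is pulled forward to the 48-hour window rather than waiting for CISA's deadline.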
Distributed White Label Ransomware Model
For 20% of paid ransoms, DragonForce, which calls itself a "ransomware cartel", offers its infrastructure to other Ransomware-as-a-Service (RaaS) operations as well as to affiliates. DragonForce maintains the encryptor, data leak site, and so on, greatly reducing the cost of running a RaaS operation, while affiliates and other RaaS services create or keep their own brand. DragonForce's stated goal is to manage an unlimited number of brands.
There are pros and cons to this model. With many RaaS brands on one shared infrastructure, it becomes a high-value target for law enforcement, and a single takedown disrupts all of them. Secureworks also notes that Anubis offers three different operating models.
https://www.secureworks.com/blog/ransomware-groups-evolve-affiliate-models
Password Spray Attacks Continue to Work
In this case, the attacks targeted cloud tenants in the education sector. Regardless of the target, multi-factor authentication blunts brute-force attacks, including password spraying, because a correctly guessed password alone no longer grants access. It does not stop the guessing itself, so pair it with sign-in risk policies or lockouts and alert on accounts that pass the password stage but fail MFA: those passwords are known to the attacker and need resetting. With today's available tech, there is little reason to get hit by brute-force attacks.
https://thehackernews.com/2025/04/storm-1977-hits-education-clouds-with.html
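Spraying is easier to catch by breadth than by depth: one source touching many accounts with one or two attempts each. The following is an added example, not code from the article or from Microsoft, that runs a sliding-window check over constructed sign-in events and separates out the accounts whose password was accepted before MFA blocked the sign-in. The log format, field names, thresholds and the outcome labels (bad_password, mfa_required, success) are assumptions; in Entra ID sign-in logs the bad-password case corresponds to error 50126.

```python
"""Detect password spraying in sign-in logs by source-IP breadth."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events: timestamp, source IP, user, outcome.
# Outcomes: bad_password (Entra ID error 50126), mfa_required (the password
# was right but MFA stopped the sign-in), success.
LOG = """\
2025-04-24T02:00:01Z 198.51.100.7 alice@example.edu bad_password
2025-04-24T02:00:04Z 198.51.100.7 bob@example.edu bad_password
2025-04-24T02:00:07Z 198.51.100.7 carol@example.edu bad_password
2025-04-24T02:00:10Z 198.51.100.7 dave@example.edu mfa_required
2025-04-24T02:00:13Z 198.51.100.7 erin@example.edu bad_password
2025-04-24T02:00:16Z 198.51.100.7 frank@example.edu bad_password
2025-04-24T02:00:19Z 198.51.100.7 grace@example.edu bad_password
2025-04-24T02:00:22Z 198.51.100.7 heidi@example.edu bad_password
2025-04-24T02:00:25Z 198.51.100.7 ivan@example.edu bad_password
2025-04-24T02:00:28Z 198.51.100.7 judy@example.edu bad_password
2025-04-24T02:05:00Z 203.0.113.9 alice@example.edu bad_password
2025-04-24T02:05:30Z 203.0.113.9 alice@example.edu bad_password
2025-04-24T02:06:00Z 203.0.113.9 alice@example.edu success
2025-04-24T09:00:00Z 192.0.2.44 bob@example.edu success
"""

WINDOW = timedelta(minutes=10)   # assumed detection window
MIN_USERS = 8                    # distinct accounts from one source inside the window
MAX_PER_USER = 3.0               # sprays stay shallow per account to dodge lockouts


def parse(log: str):
    """Yield event dicts from the whitespace-separated constructed log."""
    for line in log.splitlines():
        ts, ip, user, status = line.split()
        yield {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
               "ip": ip, "user": user, "status": status}


def detect_sprays(events, window=WINDOW, min_users=MIN_USERS, max_per_user=MAX_PER_USER):
    """Return one alert per source IP whose sliding window shows spray breadth."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the window fits the time bound.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            if len(users) >= min_users and len(win) / len(users) <= max_per_user:
                # Accounts where the password was right: reset these first.
                valid = sorted({e["user"] for e in win
                                if e["status"] in ("mfa_required", "success")})
                alerts[ip] = {"ip": ip, "distinct_users": len(users), "attempts": len(win),
                              "valid_password_hits": valid,
                              "first": win[0]["ts"].isoformat(),
                              "last": win[-1]["ts"].isoformat()}
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_sprays(parse(LOG)):
        print(f"spray from {a['ip']}: {a['distinct_users']} accounts, "
              f"{a['attempts']} attempts, password valid for {a['valid_password_hits']}")
```

The three attempts against a single account from 203.0.113.9 do not trip the rule; that is a targeted credential attack and belongs to a per-account lockout or impossible-travel check, not to spray detection.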
Social Engineering Method and Lure to Watch for
In this case, WordPress WooCommerce users were targeted. The method was a sender domain built with a homograph technique, a look-alike of the legitimate domain using visually similar characters. The lure was a "patch" for a vulnerability supposedly under active exploitation. The key point: this method and lure can be reused against any technology, security or otherwise, so train people to verify vendor domains and fetch patches only from known vendor channels.
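Homograph domains can be screened automatically in mail and proxy logs. The block below is an added example, not code from the newsletter or from WooCommerce, that decodes Punycode labels, reports mixed Unicode scripts, and folds each domain to a Latin "skeleton" that is compared against a protected-brand list. It goes a little beyond the single lure in the article: it also catches accented Latin letters (which are not a script mix at all) and the ASCII tricks rn-for-m and 0-for-o. The confusables table and protected-brand list are constructed and deliberately small; Unicode's confusables.txt is the authoritative source.

```python
"""Flag look-alike (homograph) domains against a list of protected brands."""
import unicodedata

# Constructed: brands whose look-alikes we want to catch.
PROTECTED = {"woocommerce.com", "wordpress.org", "example.com"}

# Constructed subset of Unicode confusables: look-alike character -> ASCII.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04bb": "h", "\u04cf": "l", "\u0501": "d", "\u051b": "q", "\u0261": "g",
    "\u03bf": "o", "\u03b1": "a", "\u0131": "i", "0": "o", "1": "l",
}
MULTI_CHAR = [("rn", "m"), ("vv", "w")]   # ASCII pairs that read as one letter


def to_unicode(domain: str) -> str:
    """Decode xn-- labels with the raw Punycode codec (no IDNA mapping applied)."""
    labels = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)


def to_ascii(domain: str) -> str:
    """Inverse of to_unicode: Punycode-encode every non-ASCII label."""
    labels = []
    for label in domain.lower().split("."):
        if not label.isascii():
            label = "xn--" + label.encode("punycode").decode("ascii")
        labels.append(label)
    return ".".join(labels)


def scripts(label: str) -> set:
    """Script families present, read from character names (LATIN, CYRILLIC, ...)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def skeleton(domain: str) -> str:
    """Fold accents and confusables down to an ASCII approximation."""
    out = []
    for ch in unicodedata.normalize("NFKD", domain):
        if unicodedata.combining(ch):
            continue                       # drop the accent, keep the base letter
        out.append(CONFUSABLES.get(ch, ch))
    text = "".join(out)
    for pair, single in MULTI_CHAR:
        text = text.replace(pair, single)
    return text


def assess(domain: str) -> dict:
    """Classify a domain as legitimate, a homograph of a protected brand, or unrelated."""
    uni = to_unicode(domain)
    mixed = any(len(scripts(label)) > 1 for label in uni.split("."))
    skel = skeleton(uni)
    if uni in PROTECTED:
        verdict = "legitimate"
    elif skel in PROTECTED:
        verdict = "homograph"
    else:
        verdict = "unrelated"
    return {"input": domain, "unicode": uni, "punycode": to_ascii(uni),
            "mixed_script": mixed, "skeleton": skel, "verdict": verdict,
            "lookalike_of": skel if verdict == "homograph" else None}


if __name__ == "__main__":
    for d in ["woocommerce.com", "woocomm\u0117rce.com", "w\u043e\u043ecommerce.com",
              "woocornmerce.com", "w0rdpress.org", "shop.example.net"]:
        r = assess(d)
        print(f"{r['punycode']:32} {r['verdict']:10} mixed={r['mixed_script']} skeleton={r['skeleton']}")
```

The accented case (ė for e) is worth noting: every character is Latin, so a mixed-script check alone passes it, and only the skeleton comparison catches it. Run the sender domain of every "security patch" e-mail through something like this before anyone clicks the download link.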
Researchers Shed Light on an Initial Access Broker
A financially motivated threat actor dubbed ToyMaker scans for vulnerable systems, deploys custom malware (tracked as LAGTOY), and sells the resulting access to other threat actors. Other post-exploitation activity has been observed as well, including establishing persistence for long-term access.
https://thehackernews.com/2025/04/toymaker-uses-lagtoy-to-sell-access-to.html
https://blog.talosintelligence.com/introducing-toymaker-an-initial-access-broker/
Suspected Initial Access Broker Exploits Zero-Day in SAP
This bug is actively exploited. The defect lies in the Visual Composer component of SAP NetWeaver. The threat actor is deploying backdoors that can be, or already have been, sold to ransomware affiliates. The downside for victims: the backdoors don't restrict who can use them, so anyone who finds one can use it.
https://cyberscoop.com/sap-netweaver-zero-day-exploit-cve-2025-31324/
https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/
M-Trends 2025 Report
Some notables from the report: the top initial access vector was exploits, and the global median dwell time to detection was 11 days, down considerably from 56 days in 2019. For ransomware-related intrusions specifically, the top initial access vector was brute force.
https://www.securityweek.com/m-trends-2025-state-sponsored-it-workers-emerge-as-new-global-threat/
https://services.google.com/fh/files/misc/m-trends-2025-en.pdf
Cybercrime Phishing Toolkit Gets Generative AI
The Darcula phishing kit got a generative AI upgrade that simplifies the creation of phishing templates. Plan on more criminals adding AI capabilities to their phishing-as-a-service and malware-as-a-service toolkits, making detection even harder.
Intelligence Insights: April 2025 – Top 10 Observed Threats
Red Canary tracks prevalent threats across unique client environments over time and compares the data month over month to spot trends. This month Amber Albatross was the top threat, with Scarlet Goldfinch, Impacket, LummaC2, and Tangerine Turkey rounding out the top 5.
https://redcanary.com/blog/threat-intelligence/intelligence-insights-april-2025/
The 2025 Verizon DBIR Report
Consistent with the other reports, exploitation of vulnerabilities as an initial access vector increased 34%, with edge devices and VPNs accounting for nearly 8x their share of those breaches compared with last year. The exploited-vulnerability-for-initial-access trend shows up across every report this week.
https://therecord.media/ransomware-in-half-of-all-data-breaches-verizon
https://www.verizon.com/business/resources/reports/dbir/
Vulnerability Exploitation Trends Q1 2025
VulnCheck saw vulnerabilities exploited within one day of CVE disclosure 28.3% of the time. Maintaining its own known exploited vulnerability catalog, VulnCheck flagged 159 CVEs as exploited in the wild during the quarter, sourced from 50 different reporting organizations.
https://thehackernews.com/2025/04/159-cves-exploited-in-q1-2025-283.html
https://vulncheck.com/blog/exploitation-trends-q1-2025
FBI’s Internet Crime Report 2024
The bad news: record reported losses totaling a disturbing $16.6 billion. Fraud represented the bulk of losses at $13.7 billion. Ransomware is still the most persistent threat to critical infrastructure, with complaints up 9% compared to 2023.
https://www.ic3.gov/AnnualReport/Reports/2024_IC3Report.pdf
GreyNoise Resurgent Vulnerability Report
This is an interesting report showing how old bugs become new again, often sporadically. The macro view in the report shows a clear rise in resurgent bugs since 2017. Edge devices are heavily targeted by resurgent bugs, which is one more reason to keep those appliances patched and off the open Internet where possible.
Optiv 2025 Cybersecurity Threat and Risk Management Report
A survey-style report offering insights from the cybersecurity practitioner's perspective. Highlights include challenged visibility, more outsourcing, incidents that continue to rise, and organizations adopting SASE and SOAR.
31337 InfoSec - Cyber Threat Weekly - Derek Krein Newsletter