Cybersec Feeds Overview, Feb 24 - Mar 2, 2025 #

This brief consolidates key updates from 80+ sources, including government organizations, cybersecurity vendors, threat intelligence teams, security research labs, and blogs from cybersecurity communities and professionals. It highlights the most significant threats, vulnerabilities, and developments from the past week to keep you informed.

Gov Feeds #

• CISA issued advisories for Schneider Electric, Rockwell Automation, and Dario Health products, highlighting vulnerabilities in industrial control systems that could be exploited to disrupt operations (Schneider Electric Communication Modules for Modicon M580 and Quantum Controllers, CISA Releases Two Industrial Control Systems Advisories, Rockwell Automation PowerFlex 755).

• CISA cataloged two new known exploited vulnerabilities, providing awareness of active threats that could be targeted by malicious actors (CISA Adds Two Known Exploited Vulnerabilities to Catalog, CISA Adds Two Known Exploited Vulnerabilities to Catalog).

• A significant cyber-espionage campaign by Chinese hackers targeted Belgium’s State Security Service, exploiting vulnerabilities in American cybersecurity software to intercept emails (Belgian intelligence loses private data to Chinese hackers).

• Healthcare cybersecurity remains a growing concern in 2025, with ransomware and third-party breaches identified as the most dominant threats faced by the sector (Healthcare Cyberattacks Continue to Escalate in 2025, Health-ISAC Finds Ransomware & Third-Party Breaches Dominate 2025 Threats).

• The European Union updated its cybersecurity framework to enhance crisis coordination, emphasizing preparedness and shared situational awareness among EU actors (Commission launches new cybersecurity blueprint to enhance EU cyber crisis coordination).

• ASIO reported ongoing cyber exploration by foreign nation-state actors targeting Australia’s critical infrastructure, potentially laying groundwork for future intrusions (ASIO Director-General’s Annual Threat Assessment 2025).

• Emerging technologies face cyber threats from drones, which can conduct espionage and disrupt communications, posing new challenges for information security (Drones as a new cyber threat - How companies can protect themselves).

• The UK and India expanded their collaboration in areas of telecom, AI, and digital security, establishing Centers of Excellence for telecom cybersecurity (India expands collaboration with UK in key areas of telecom, AI, and other emerging technologies).

Vendor Feeds #

• A significant MySCADA MyPro Manager credential harvesting module has been designed to exploit vulnerabilities CVE-2025-24865 and CVE-2025-22896, allowing attackers to obtain usernames and passwords (Metasploit Weekly Wrap-Up: 02/28/2025).

• Check Point reports the Infini digital banking platform suffered a high-profile breach, with an attacker using compromised private keys to escalate roles and siphon $50 million from the protocol (How an Attacker Drained $50M from a DeFi Protocol Through Role Escalation).

• A new malware campaign called “Winos 4.0” targets Taiwanese organizations, disguising itself as official communications to gain unauthorized access and install malware (Winos 4.0 Spreads via Impersonation of Official Email to Target Users in Taiwan).

• SOCRadar’s analysis highlights significant issues within the dark web economy, emphasizing the sale of zero-day exploits ranging from $100 to $200,000, indicating high demand for vulnerabilities targeting key systems (Inside the Dark Web Economy: Key Insights from SOCRadar’s Annual Dark Web Report 2024).

• Recent reports highlight a spike in identity-based cyber-attacks with AI involvement, which allows attackers to enhance their efficiency and sophistication in executing attacks such as phishing and malware development (The Adversarial Misuse of AI: How Threat Actors Are Leveraging AI for Cyber Operations).

• Auto-color, a new and evasive Linux backdoor, has been detected. This malware uses advanced techniques to hide its network communication and employs proprietary encryption, making detection and removal challenging (Auto-Color: An Emerging and Evasive Linux Backdoor).

• Check Point Research attributes a major hack involving a theft of $1.5 billion from the ByBit platform to North Korea’s Lazarus Group, exploiting a cryptocurrency wallet vulnerability (24th February – Threat Intelligence Report).

• Security researchers have discovered a breach in the background check provider DISA, which exposed data of over 3 million individuals, highlighting potential vectors for identity-based attacks (Background check provider data breach affects 3 million people who may not have heard of the company).

News Feeds #

• A campaign exploiting a vulnerability in Krpano’s VR software led to the “360XSS” attack, affecting over 350 high-profile sites, including governmental and educational domains. Attackers leveraged an XSS vulnerability to inject malicious scripts, manipulate search engine rankings, and distribute spam ads (Over 350 High-Profile Websites Hit by 360XSS Attack).

• The Termite ransomware group claimed a cyberattack on Australia’s Genea company, stealing sensitive patient data and leaking 700GB on the Dark Web. The breach reportedly affected 27 servers, exposing medical records and personal data (Cyberattack on Australia’s Genea: Stolen Patient Data Hits the Dark Web).

• Microsoft disclosed a hacking group named Storm-2139 using stolen API keys to exploit Azure AI services. The operation involved individuals from Iran, China, Vietnam, and the UK and led to harmful content creation using manipulated AI tools (Microsoft IDs developers behind alleged generative AI hacking-for-hire scheme, Microsoft Disrupts Storm-2139 for LLMjacking and Azure AI Exploitation).

• Google plans to discontinue SMS for two-step verification, transitioning to QR codes to reduce interception risks associated with text message codes. This move reflects an industry trend favoring more secure authentication methods (Here’s what Google is (and isn’t) planning with SMS account verification, Why Gmail is replacing SMS codes with QR codes - and what it means for you).

• A cyberattack on Cleveland Municipal Court led to a multi-day shutdown due to disruptions in internal systems, reflecting a broader trend of local government cyber incidents across the US (Cleveland Municipal Court Remains Closed After Cyber Incident, Cleveland Municipal Court Remains Closed Due to Ongoing Cybersecurity Incident).

• Serbian police used a zero-day vulnerability in Cellebrite’s tool to unlock Android devices, highlighting concerns over zero-day exploits and law enforcement access to digital evidence (Serbian police used Cellebrite zero-day hack to unlock Android phones).

• Ransomware groups are exploiting a Paragon Partition Manager bug in Bring Your Own Vulnerable Driver (BYOVD) attacks, illustrating an ongoing trend in ransomware tactics (Ransomware gangs exploit Paragon Partition Manager bug in BYOVD attacks).

• The arrest of an army soldier attempting to sell sensitive data highlights the risks at the intersection of cybercrime and national security threats, with potential espionage undertones (Army soldier linked to Snowflake attack spree allegedly tried to sell data to foreign spies).

Personal Feeds #

• Attackers stole over $10 million through 9 incidents, notably exploiting the Starknet chain via the zkLend hack. Attackers used EVM chain bridges for fund laundering but platforms like Railgun flagged and returned the transactions (BlockThreat - Week 7, 2025).
• Leaked internal chats from the BlackBasta ransomware gang reveal insight into their operations. BlackBasta remains a top-tier gang impacting numerous organizations, including critical infrastructure in North America, Europe, and Australia (BlackBasta Leaks: Lessons from the Ascension Health attack).
• Microsoft’s unveiling of the Majorana chip indicates significant advances in quantum computing, which may threaten current cryptographic standards. Organizations are urged to prepare for quantum threats by reviewing cryptographic assets and transitioning to post-quantum algorithms (Quantum Fortress: Defending Your Kingdom in the Age of Quantum Computing).
• Notorious bulletproof hosting provider Prospero is now routing through Kaspersky Lab networks. Prospero is associated with malware and ransomware operations targeting international victims (Notorious Malware, Spam Host “Prospero” Moves to Kaspersky Lab).
• Cybercriminals are using fake cybersecurity audits to infiltrate and compromise corporate systems. Such scams are growing, requiring increased vigilance from organizations (Warning issued as hackers offer firms fake cybersecurity audits to break into their systems).
• Paragon Partition Manager BioNTdrv.sys driver zero-day vulnerabilities are being actively exploited in ransomware attacks. Patching to the latest software version is crucial to mitigate exploit risks (Ransomware gangs exploit a Paragon Partition Manager BioNTdrv.sys driver zero-day).
• Microsoft’s legal actions disrupted a cybercrime ring abusing Azure OpenAI Services to create harmful content. They exposed four key individuals and took measures to prevent further misuse (Microsoft disrupted a global cybercrime ring abusing Azure OpenAI Service).
• Hackers demonstrated vulnerabilities in smart solar systems, posing risks to national power grids. Exploitation can lead to remote control over systems and potential blackouts (Attackers could hack smart solar systems and cause serious damages).
• Enhanced versions of the Vo1d botnet are using sophisticated techniques to grow rapidly, exploiting vulnerabilities in Android devices and evading detection (Enhanced capabilities sustain the rapid growth of Vo1d botnet).

Community Feeds #

• Paragon Partition Manager contains multiple memory vulnerabilities in its BioNTdrv.sys driver that allow privilege escalation and denial-of-service attacks. The vulnerabilities are exploitable via the “Bring Your Own Vulnerable Driver” (BYOVD) technique, even if the software is not installed. Patches have been released (VU#726882).

• Internet tunneling protocols (IPIP, GRE, 4in6, 6in4) lack authentication and encryption, leading to exploitation for spoofing, access control bypass, and potential DoS amplification attacks. Numerous systems accepting unauthenticated traffic render them vulnerable (VU#199397).

• The US Department of Defense has halted cyber operations targeting Russia, following standing-down orders purportedly related to strategic shifts in cybersecurity operations (US Department of Defense orders its cyber arm to stop operations against Russia, Trump’s Defense Secretary Hegseth Orders Cyber Command to ‘Stand Down’ on All Russia Operations).

• Njrat malware abuses Microsoft Dev Tunnels for command-and-control communications, effectively bypassing conventional network defenses by operating over developer-targeted services (Njrat Campaign Using Microsoft Dev Tunnels).

• A $1.5 billion hack on Bybit was traced to a Safe Wallet web app vulnerability that involved injecting a JavaScript payload, highlighting risks in web wallet applications (Bybit $1.5b hack was a Safe Wallet web app JS payload injection).

• Over 35,000 websites were affected by a full-page hijack redirecting users to a Chinese-language gambling scam, demonstrating large-scale exploitation tactics targeting web platforms (Over 35,000 Websites Targeted in Full-Page Hijack Linking to a Chinese-Language Gambling Scam).

• OpenID Connect deployments are susceptible to key mixing errors, exposing systems to unauthorized access due to improper key management practices (Mixing up Public and Private Keys in OpenID Connect deployments).

• A significant vulnerability, “Wallbleed,” in the Great Firewall of China involves unintended memory disclosures, impacting both network integrity and security posture (Wallbleed: A Memory Disclosure Vulnerability in the Great Firewall of China).

Disclaimer #

The summaries in this brief are generated autonomously by the OpenAI LLM model based on the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.

This document is created with BlackStork and is based on the template available on GitHub.

Reach out if you have questions or suggestions.