Cybersec Feeds Overview, Mar 3 - Mar 9, 2025 #

This brief consolidates key updates from 80+ sources, including government organizations, cybersecurity vendors, threat intelligence teams, security research labs, and blogs from cybersecurity communities and professionals. It highlights the most significant threats, vulnerabilities, and developments from the past week to keep you informed.

Gov Feeds #

• CISA added nine known exploited vulnerabilities to its catalog over multiple updates. These additions highlight active vulnerabilities that threat actors may exploit, necessitating immediate attention from security teams (CISA Adds Four Known Exploited Vulnerabilities to Catalog, CISA Adds Five Known Exploited Vulnerabilities to Catalog).

• CISA issued 11 advisories regarding industrial control systems, indicating various vulnerabilities found in different products such as Hitachi Energy systems, GMOD Apollo, and Delta Electronics CNCSoft-G2. These advisories are critical for protecting infrastructure (CISA Releases Three Industrial Control Systems Advisories, CISA Releases Eight Industrial Control Systems Advisories).

• The FBI warned about a data extortion scam targeting corporate executives. This threat can result in sensitive information being exposed, highlighting the need for enhanced protective measures against such scams (FBI Warns of Data Extortion Scam Targeting Corporate Executives).

• Multiple vulnerabilities in VMware ESXi, Workstation, and Fusion were identified, allowing potential local code execution. These vulnerabilities require immediate patching to prevent exploitation (Multiple vulnerabilities in VMware ESXi, Workstation, and Fusion).

• NCSC highlighted the effectiveness of external attack surface management (EASM) in improving cyber defense. Enhanced visibility of digital footprints allows for better asset protection and threat management (NCSC Summary).

• The Canadian Centre for Cyber Security reported an upsurge in the use of generative AI for election interference globally. Between 2023-2024, there were 102 incidents across 41 elections, which could impact election integrity (Cyber Threats to Canada’s Democratic Process: 2025 Update).

• ENISA’s report highlighted the prevalence of social engineering in financial sector attacks, pointing at phishing, smishing, and vishing as common tactics. These attacks target individuals and financial institutions, leading to fraud and data breaches (ENISA Threat Landscape: Finance Sector).

Vendor Feeds #

• A zero-day vulnerability, CVE-2025-22224, affecting VMware ESXi and Workstation, allows local administrative users to execute arbitrary code on the host system through a time-of-check time-of-use (TOCTOU) issue, leading to a critical out-of-bounds write condition (VMware Security Alert, Rapid7).

• Security researchers identified a new phishing campaign exploiting vulnerabilities in PHP-CGI, tracked as CVE-2024-4577, and predominantly targeting organizations in Japan, with activity observed in the US, Singapore, and other countries, indicating a wider exploitation pattern demanding immediate action (Bug affecting PHP scripts demands ‘immediate action from defenders globally’).

• Multiple vulnerabilities were found in the ICONICS SCADA system, including CVE-2024-1182, allowing elevation of privileges, and CVE-2024-7587, with incorrect default permissions leading to possible data tampering or denial-of-service (DoS) conditions (Multiple Vulnerabilities Discovered in a SCADA System).

• Medusa ransomware continues to increase activity, with a significant data breach reported from British healthcare provider HCRG Care Group, involving approximately 50TB of stolen data (Medusa Ransomware Activity Continues to Increase, 3rd March – Threat Intelligence Report).

• Any.run enhanced its threat coverage, adding 314 new Suricata rules and expanding its YARA rule database, alongside the release of detailed APT and malware threat intelligence reports (Here is How We Improved ANY.RUN’s Threat Coverage in February).

• Cobalt Strike piracy usage reportedly decreased by 80% following coordinated global efforts to take down unauthorized versions of the software often used maliciously by cybercriminals (Malicious use of Cobalt Strike down 80% after crackdown, Fortra says).

• GitHub and Microsoft reported a significant malvertising campaign involving over one million globally impacted devices, redirecting users from illegal streaming websites to GitHub-hosted malware (Malvertising campaign leads to info stealers hosted on GitHub).

• A collaborative effort by cybersecurity firms and governmental agencies continued to highlight the tactics of the Ghost (Cring) ransomware group, which exploits known vulnerabilities in internet-facing systems to demand ransoms (Dark Web Profile: Ghost (Cring) Ransomware).

News Feeds #

• BianLian group impersonators are targeting corporate executives with physical extortion letters, threatening data leaks for ransoms up to $500,000. The FBI highlights inconsistencies suggesting it is a scam and not linked to the actual ransomware group (Ransomware poseurs are trying to extort businesses through physical letters, FBI Issues Urgent Warning About Data Extortion Scam Targeting Corporate Executives).

• Silk Typhoon, a Chinese state-backed group, has shifted focus to IT supply chain attacks, exploiting unpatched vulnerabilities and leveraging stolen credentials for further access into networks (Silk Typhoon shifted to specifically targeting IT management companies, Chinese nationals indicted for espionage attacks, Silk Typhoon Expands Cyber Espionage Tactics to Target IT Supply Chain).

• A significant vulnerability in Kibana, CVE-2025-25012, allows remote code execution via prototype pollution attacks. This affects versions 8.15.0 to 8.17.2 and requires urgent updates to mitigate exploitation risk (Elastic Issues Urgent Update for Critical Kibana Vulnerability Exposing Remote Code Execution Risk).

• Ransomware attacks hit a record high in February 2025, driven by the CL0P group’s exploitation of Cleo MFT vulnerabilities. The trend raises concerns about increasing ransomware activity (Ransomware Attacks Set Records in February: Cyble).

• A typosquatting campaign targeting developers has been discovered, delivering malware to Linux and macOS through compromised Go packages. These malicious packages mimic popular libraries and execute hidden scripts to install malware (Malware Infects Linux and macOS via Typosquatted Go Packages).

• Cybercriminal groups, particularly Silk Typhoon and government-backed actors, are exploiting unpatched internet-facing systems and leveraging zero-day vulnerabilities for espionage activities targeting high-value sectors globally (Silk Typhoon targets IT supply chain, Silk Typhoon Expands Cyber Espionage Tactics to Target IT Supply Chain).

• A new campaign, Phantom Goblin, uses social engineering and trusted tools like PowerShell to install information-stealing malware, focusing on extracting credentials from browsers and developer tools (Phantom Goblin: A New Threat in Credential Theft and Remote System Access).

• U.S. and European authorities have dismantled Garantex, a cryptocurrency exchange implicated in laundering billions, reflecting ongoing global efforts to combat illicit cryptocurrency activities (Russian crypto exchange Garantex seized in international law enforcement operation).

• The rapid pace of cybercrime is highlighted by attackers’ increased efficiency, with breakout times for intrusions now averaging 48 minutes. This trend emphasizes the challenge defenders face in detecting and responding to threats (Cybercriminals picked up the pace on attacks last year).

Personal Feeds #

• North Korean threat actors compromised Safe’s infrastructure and Bybit’s cold storage wallet, stealing and laundering funds through various exchanges and DeFi protocols, with Mantle’s mETH protocol leading the response (BlockThreat - Week 9, 2025, BlockThreat - Week 8, 2025).

• The Akira ransomware gang exploited unsecured webcams to bypass EDR systems and encrypt files, highlighting the need for monitoring IoT network traffic (Akira ransomware gang used an unsecured webcam to bypass EDR).

• The U.S. Secret Service and FBI confirmed a $150 million crypto heist linked to cracked master passwords stolen from LastPass, underscoring the persistent risks from the 2022 LastPass breach (Feds Link $150M Cyberheist to 2022 LastPass Hacks).

• CISA identified five new exploited vulnerabilities, including flaws in Windows and Cisco products, which are actively being targeted without further disclosure on exploitation details (CISA Identifies Five New Vulnerabilities Currently Being Exploited).

• A hidden feature in the Espressif ESP32 microchip could serve as a backdoor for impersonation attacks on IoT devices, affecting billions of units globally (Undocumented hidden feature found in Espressif ESP32 microchip).

• Japanese telecom giant NTT experienced a data breach exposing information of nearly 18,000 corporate customers, involving unauthorized access to their Order Information Distribution System (Japanese telecom giant NTT suffered a data breach that impacted 18,000 companies).

• Black Basta ransomware group faced internal strife leading to a leak of internal communications, exposing details about its operations and potentially dismantling its efforts (Black Basta Chat Leak - Organization and Infrastructures).

• BitLaunch, a UK-based hosting provider, has been linked to hosting C2 servers for cybercriminal activities, raising concerns over potential deceitful collaborations with threat actors (Investigating Anonymous VPS services used by Ransomware Gangs).

• The U.S. Department of Justice plans to charge 12 Chinese nationals for state-linked cyber operations, marking a significant development in international cybercrime enforcement (Security Affairs newsletter Round 514 by Pierluigi Paganini – INTERNATIONAL EDITION).

Community Feeds #

• Paragon Partition Manager contains five memory vulnerabilities in its BioNTdrv.sys driver, allowing local attackers to escalate privileges and cause denial-of-service attacks. Microsoft has reported ransomware attacks exploiting these vulnerabilities via the Bring Your Own Vulnerable Driver (BYOVD) method. Patches and a vulnerable driver blocklist have been released (VU#726882: Paragon Partition Manager contains five memory vulnerabilities within its BioNTdrv.sys driver that allow for privilege escalation and denial-of-service (DoS) attacks).

• A massive malware campaign leveraging GitHub services has reportedly infected 1 million devices, as noted by Microsoft. The specifics of how GitHub was involved in the propagation of malware were not detailed, but the scale indicates the significant impact and reach of these types of attacks (Microsoft Says GitHub-Boosted Malware Campaign Infected 1 Million Devices).

• Undocumented commands discovered in a widely used Bluetooth chip affect potentially over a billion devices. These commands could be leveraged by attackers to gain unauthorized access or control over affected devices (Undocumented commands found in Bluetooth chip used by a billion devices.).

• Sitecore has been identified with a critical deserialization vulnerability (CVE-2025-27218) that could be exploited for remote code execution. This highlights ongoing issues with unsafe deserialization practices affecting enterprise software (Sitecore: Unsafe Deserialisation Again! (CVE-2025-27218)).

• New methods exploiting Rails for remote code execution have been disclosed, focusing on unsafe reflection and deserialization linked to particular gadget chains in SQLite usage, indicating an area for concern in web framework security (New Method to Leverage Unsafe Reflection and Deserialisation to RCE on Rails).

• Scans for webshells and secrets files like .env files continue to rise, with attackers frequently targeting exposed web applications. These are significant as webshells often facilitate deeper attacks beyond initial compromise (Commonly Probed Webshell URLs, (Sun, Mar 9th)).

• A Romanian distillery network has been identified as conducting scans for SMTP credentials, likely indicating a compromised system used for malicious credential harvesting activities (Romanian Distillery Scanning for SMTP Credentials, (Tue, Mar 4th)).

Disclaimer #

The summaries in this brief are generated autonomously by the OpenAI LLM model based on the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.

This document is created with BlackStork and is based on the template available on GitHub.

Reach out if you have questions or suggestions.