Cybersec Feeds Overview, Mar 24 - Mar 30, 2025 #

This brief consolidates key updates from 80+ sources, including government organizations, cybersecurity vendors, threat intelligence teams, security research labs, and blogs from cybersecurity communities and professionals. It highlights the most significant threats, vulnerabilities, and developments from the past week to keep you informed.

Gov Feeds #

• A security vulnerability in CrushFTP could allow unauthorized access, posing a potential risk to organizations using this software (A Vulnerability in CrushFTP Could Allow for Unauthorized Access).

• A vulnerability in Google Chrome could enable arbitrary code execution, highlighting a critical need for timely updates to protect systems (A Vulnerability in Google Chrome Could Allow for Arbitrary Code Execution).

• The UK National Cyber Security Centre published new principles for privileged access workstations to help secure organizational networks against cyber threats (CTO at NCSC Summary: week ending March 30th).

• The UK National Crime Agency’s National Strategic Assessment for 2025 notes the fragmentation of the ransomware market due to law enforcement actions, with an increased threat from younger UK-based cybercriminals (CTO at NCSC Summary: week ending March 30th).

• Action Fraud, the National Cyber Security Centre, and the National Crime Agency launched a campaign promoting the use of two-step verification to better secure personal accounts (CTO at NCSC Summary: week ending March 30th).

• FS-ISAC has released guidance on the future application of generative AI in financial services, addressing potential impacts and security considerations within the sector (FS-ISAC Releases Guidance on the Future State of Generative AI in Financial Services).

Vendor Feeds #

• New security vulnerabilities have been identified in Ingress NGINX Controller for Kubernetes, with CVE-2025-1974 being the most critical, allowing remote code execution and potential full cluster compromise. Other serious CVEs in this disclosure include configuration injection vulnerabilities. Patches have been issued, and systems should be updated immediately (Ingress Nightmare, Multiple vulnerabilities in Ingress NGINX Controller for Kubernetes).

• Mozilla and Google have issued urgent updates for Firefox and Chrome to patch critical vulnerabilities. The flaws can allow sandbox escapes and remote code execution if unpatched. These updates follow similar vulnerabilities being discovered recently, highlighting ongoing exploitation risks (Mozilla Responds to Critical Vulnerability: Urgent Firefox Update, Operation ForumTroll: APT attack with Google Chrome zero-day exploit chain).

• A critical vulnerability, CVE-2025-29927, affecting the Next.js middleware has been discovered, potentially allowing attackers to bypass authorization checks in applications built using the framework. Organizations are urged to investigate their middleware reliance and apply any available patches (Notable vulnerabilities in Next.js (CVE-2025-29927), Next.js Middleware Vulnerability (CVE-2025-29927)).

• Oracle Cloud has reportedly suffered a data breach executed by a hacker known as “rose87168,” who claims to have compromised 6 million records. Oracle denies the breach, despite reported ranks of sensitive data, including encrypted passwords, appearing on forums (Everything You Need to Know About Oracle Cloud Security Incident by rose87168).

• New phishing campaigns and ransomware attacks continue to emerge. Notably, sophisticated pretexting techniques are being used, such as fake Booking.com emails targeting hotels. Additionally, a new ransomware threat actor, Arkana, has targeted WideOpenWest, marking their debut with considerable impact (Arkana Ransomware Attack on WideOpenWest, Booking.com phish uses fake CAPTCHAs to trick hotel staff into downloading malware).

• The FBI and other federal entities are increasingly using Zero Trust security models; meanwhile, prominent sectors continue to face threats from botnets like GorillaBot and evasive malware such as Stealc, signaling a need for increased vigilance in monitoring and defensive practices (GorillaBot: Technical Analysis and Code Similarities with Mirai, Stealc: Malware Overview).

• Cyberattacks on infrastructure sectors remain significant, with transportation and logistics sectors being continuously targeted. These attacks expose vulnerabilities that could cause systemic operational disruptions if not adequately safeguarded (Major Cyber Attacks Targeting Transportation & Logistics Industry).

• Recent findings outline a rise in threat actors targeting cloud environments, especially focusing on exploiting IAM vulnerabilities to gain unauthorized access to internal systems and data exfiltration. Organizations must bolster their cloud defenses accordingly (Cloud Threats on the Rise: Alert Trends Show Intensified Attacker Focus on IAM, Exfiltration).

News Feeds #

• New vulnerabilities in the Ingress NGINX Controller for Kubernetes are exposing more than 40% of cloud environments to potential account takeover. Five vulnerabilities, including a critical remote code execution vulnerability, have been discovered, urging Kubernetes administrators to patch urgently to protect against possible exploits (String of defects in popular Kubernetes component puts 40% of cloud environments at risk, Multiple CVEs Found in Ingress-NGINX—Patch Now to Prevent Cluster Compromise).

• A phishing-as-a-service operation is exploiting DNS-over-HTTPS to evade detection. This sophisticated campaign enables cybercriminals to spoof over 100 brands using dynamic DNS records to tailor phishing pages for victims, significantly increasing the risk of credential theft (Phishing-as-a-service operation uses DNS-over-HTTPS for evasion, New Morphing Meerkat Phishing Kit Exploits DNS to Spoof 100+ Brands).

• OpenAI has increased its bug bounty rewards to $100,000 as part of a broader initiative to enhance AI security and encourage researchers to identify and disclose vulnerabilities. This move signifies a significant investment in securing AI models and infrastructure (OpenAI now pays researchers $100,000 for critical vulnerabilities, OpenAI Bug Bounty Program Increases Top Reward to $100,000).

• The U.S. Commerce Department plans to impose sanctions on nearly 20 Chinese and Taiwanese companies to restrict their access to American cloud, AI, and quantum technologies. This action aims to curb the use of U.S. technologies in enhancing adversary military capabilities (Commerce limits 19 Chinese, Taiwanese companies from buying U.S. tech).

• The U.S. seized $8.2 million in cryptocurrency linked to “Romance Baiting” scams. These scams target victims emotionally to defraud them of cryptocurrency, representing a growing trend of crypto-based social engineering attacks (U.S. seized $8.2 million in crypto linked to ‘Romance Baiting’ scams).

• The CISA has issued urgent alerts for vulnerabilities impacting Schneider Electric, Chrome, and Sitecore. These vulnerabilities could enable remote code execution and require immediate patching to prevent exploitation (CISA Issues Urgent Security Alerts: Critical Vulnerabilities in Schneider Electric, Chrome, and Sitecore).

• The Tor Project released an emergency update to address a critical vulnerability in Tor Browser for Windows 7, 8, and 8.1, addressing a sandbox escape vulnerability actively exploited in the wild (Tor Browser 13.5.14 Update Fixes Critical Security Flaw for Windows 7, 8, and 8.1).

• RedCurl cyber threat group has shifted tactics to include ransomware attacks targeting hypervisors using a new strain called QWCrypt. This group raises concern due to its past focus on espionage and now expanding into disruptive operations (RedCurl Uses New QWCrypt Ransomware in Hypervisor Attacks).

• A significant data leak from 2.87 billion Twitter (X) profiles has been reported, allegedly due to an insider’s actions. This breach includes profile metadata but notably does not contain email addresses, raising concerns over profiling, identity theft, and targeted spam (Twitter (X) Hit by 2.8 Billion Profile Data Leak in Alleged Insider Job).

Personal Feeds #

• Traditional SOCs struggle with alert overload and outdated procedures. There is a growing interest in SOC-less models and autonomic security operations to reduce manual handling and improve threat detection. (The Return of the Baby ASO)

• Several successful cyber heists highlight ongoing vulnerabilities in crypto platforms, with over $8.6 million stolen this week, primarily due to private key compromises and server breaches. (BlockThreat)

• A phishing campaign mimicking legitimate websites is being used to collect personal information from individuals opposing Russia’s actions in Ukraine. These phishing sites are promoted through manipulated search engine results. (When Getting Phished Puts You in Mortal Danger)

• CISA warns of RESURGE malware exploiting a vulnerability in Ivanti Connect Secure appliances. The malware facilitates credential harvesting and persistent access via web shells. Ivanti has issued patches, but the vulnerability has already been exploited in targeted attacks. (CISA warns of RESURGE malware exploiting Ivanti flaw)

• The U.S. DOJ seized over $8.2 million in USDT from a ‘romance baiting’ crypto fraud scheme, where victims were lured into fake investment platforms. This underscores the growing threat of complex laundering methods in crypto fraud. (FBI and DOJ seize $8.2 Million in romance baiting crypto fraud scheme)

• The new Crocodilus Android trojan exploits accessibility features to steal banking and crypto credentials, initially targeting users in Spain and Turkey. Its advanced features include remote control and data harvesting capabilities. (Experts warn of the new sophisticate Crocodilus mobile banking Trojan)

• The Grandoreiro banking trojan has resurfaced, targeting users in Latin America and Europe through phishing campaigns. The malware uses advanced techniques like keylogging and command execution. (Crooks are reviving the Grandoreiro banking trojan)

• Citizen Lab reports on Paragon’s spyware operations, detailing infrastructure linked to its Graphite tool. Potential connections to Canadian authorities and other international deployments were identified. (Report on Paragon Spyware)

• Recent incidents include a phishing attack against a notable cybersecurity expert, resulting in the compromise of a Mailchimp mailing list. This incident highlights the effectiveness of well-crafted phishing schemes. (A Sneaky Phish Just Grabbed my Mailchimp Mailing List)

Community Feeds #

• Paragon Partition Manager’s BioNTdrv.sys driver contains multiple memory vulnerabilities including arbitrary kernel memory mapping and a null pointer dereference that allow local attackers to escalate privileges or cause denial-of-service. Threat actors have exploited these using the BYOVD technique in ransomware attacks. Updates have been made by Paragon and Microsoft to patch and block vulnerable driver versions (VU#726882).

• CVE-2025-29927 in Next.js poses a threat via middleware bypass, allowing attackers to execute unauthorized actions. Tools and methodologies are being developed to detect and address this issue efficiently (Detect NetxJS CVE-2025-29927 efficiently, Next.js and the corrupt middleware, Doing the Due Diligence).

• A deserialization vulnerability in Sitecore (CVE-2025-27218) allows remote code execution without authentication through the “thumbnailsaccesstoken” header. Sitecore has issued a patch, but exploit attempts continue to be observed in the wild (Sitecore “thumbnailsaccesstoken” Deserialization Scans).

• Ingress NGINX vulnerabilities enable remote code execution, posing a significant risk to Kubernetes environments. These vulnerabilities highlight the need for constant patching and configuration review to mitigate potential exploitation (Remote Code Execution Vulnerabilities in Ingress NGINX).

• Blacklock ransomware continues to evolve with increased sophistication and stealth capabilities, penetrating threat actor infrastructure to gain intelligence on attack methodologies and defense evasion strategies (Blacklock Ransomware).

• HTML smuggling techniques like “smugglo” are being used to bypass email attachment restrictions, demonstrating the ongoing shift towards more deceptive methods to deliver malicious payloads undetected (smugglo).

• A recent X-Wiki vulnerability (CVE-2024-3721) involves OS command injection via the search feature, presenting opportunities for exploitation in wiki platforms relying on consistent patching and monitoring (X-Wiki Search Vulnerability exploit attempts).

Disclaimer #

The summaries in this brief are generated autonomously by the OpenAI LLM model based on the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.

This document is created with BlackStork and is based on the template available on GitHub.

Reach out if you have questions or suggestions.