April 13, 2025

Cybersec Feeds Overview, Apr 7 - Apr 13, 2025

This brief consolidates key updates from 80+ sources, including government organizations, cybersecurity vendors, threat intelligence teams, security research labs, and blogs from cybersecurity communities and professionals. It highlights the most significant threats, vulnerabilities, and developments from the past week to keep you informed.

Most Discussed Topics

  • Microsoft’s April 2025 Patch Tuesday addressed 126 vulnerabilities across numerous products. This included 11 critical flaws, primarily RCEs affecting LDAP, RDS, and Hyper-V. A significant CLFS EoP zero-day (CVE-2025-29824) was actively exploited in ransomware campaigns.
  • Numerous vulnerabilities were disclosed across Fortinet products (FortiAnalyzer, FortiClient EMS, FortiOS, FortiSwitch, FortiWeb, etc.). The most severe could allow remote code execution. A new post-exploitation technique uses malicious files created via older flaws (CVE-2024-21762, CVE-2023-27997, CVE-2022-42475) to retain read-only access to the file system.
  • CISA released multiple advisories detailing vulnerabilities in Industrial Control Systems (ICS). Affected vendors include Siemens (multiple products), Rockwell Automation (Arena), Subnet Solutions (PowerSYSTEM Center), and ABB (Arctic Wireless Gateways). Flaws range from RCE and EoP to information disclosure and DoS.
  • Phishing remains a prevalent threat vector. Attackers use techniques such as Device Code Phishing to bypass MFA (Storm-2372), QR codes in attachments, malicious Google Ads for credential theft (QuickBooks), and compromised social media accounts. SMS phishing campaigns (Smishing Triad) targeting toll fees are resurging.
  • AI security remains a significant concern. Vulnerabilities exist in AI tools (Perplexity AI, BentoML, Langflow AI), and AI models are being used maliciously (AkiraBot spam generation, VibeScamming). AI-hallucinated package dependencies (‘slopsquatting’) create new supply chain risks. Defending AI with AI is seen as critical.

Critical Vulnerabilities

  • Gladinet CentreStack has a critical vulnerability (CVE-2025-30406, CVSS 9.0): a hardcoded cryptographic key allows RCE. It is actively exploited and has been added to the CISA KEV catalog. Update to patched version 16.4.10315.56368 or rotate the machineKey.
  • Ivanti Endpoint Manager contains multiple vulnerabilities (CVE-2025-22461 SQLi, CVE-2025-22458 DLL hijacking, XSS). The most severe allows RCE via SQL injection by authenticated admins. Other flaws allow privilege escalation and DoS. Update to 2024 SU1 or 2022 SU7.
  • Google Chrome Use-After-Free vulnerability (CVE-2025-3066) in Site Isolation could allow arbitrary code execution. Affects versions prior to 135.0.7049.84/.85 (Win/Mac) and 135.0.7049.84 (Linux). Update the Chrome browser.
  • Rsync daemon contains multiple vulnerabilities (versions <= 3.3.0), including a heap buffer overflow (CVE-2024-12084) and an info leak (CVE-2024-12085) that together enable RCE with anonymous read access. Other flaws allow file leakage (CVE-2024-12086) and path traversal (CVE-2024-12087, CVE-2024-12088). Update Rsync.
  • Rockwell Automation Arena simulation software (<= 16.20.08) has multiple vulnerabilities, including Use-of-Uninitialized-Variable, Out-of-Bounds Write/Read, and Stack Buffer Overflow (CVE-2025-2285, CVE-2025-2286, CVE-2025-2287). Exploitation via a malicious DOE file can lead to RCE.
  • A critical RCE vulnerability in the BentoML AI framework (v1.3.8–1.4.2; CVE-2025-27520, CVSS 9.8) lets unauthenticated attackers exploit insecure deserialization via crafted HTTP requests. Update to v1.4.3.
  • WhatsApp for Windows prior to 2.2450.6 is vulnerable (CVE-2025-30401): attachment MIME type spoofing allows potential RCE when the user opens a crafted file. Update the application immediately.

Major Incidents

  • U.S. Treasury’s Office of the Comptroller of the Currency (OCC) classified a February email system breach as a ‘major incident’. Hackers accessed ~150,000 emails from ~100 regulators, dating back to June 2023. Highly sensitive financial institution data was compromised.
  • INC ransomware targeted The State Bar of Texas, accessing sensitive member data. Rhysida ransomware hit the Port of Seattle, exposing data of ~90,000 individuals. RansomHub targeted The Lower Sioux Indian Community, disrupting healthcare, government, and casino systems.
  • Europcar Mobility Group confirmed a cyber-attack breaching GitLab repositories. Source code for mobile apps and SQL backups potentially stolen. A dark web user claims to have data affecting 50k-200k clients, including names and emails.
  • MorphoBlue DeFi platform lost $2.6 million due to a frontend vulnerability exploit. The attacker front-ran a transaction, causing MORPH token price volatility and impacting related DeFi assets. Incident highlights risks in DeFi smart contract interactions.

Emerging Threats

  • ToddyCat APT exploits an ESET software vulnerability (CVE-2024-11859) for DLL proxying. It loads a malicious ‘version.dll’ (TCESB tool) to execute payloads stealthily within the context of a trusted security solution. Highlights the risk posed by vulnerabilities in security software itself.
  • Attackers distribute a miner and the ClipBanker trojan via SourceForge. The malicious project ‘officepackage’ uses a legitimate lookalike domain (officepackage.sourceforge[.]io) for distribution, exploiting user trust in SourceForge for malware delivery.

Regulatory and Policy Updates

  • Bank of Thailand (BOT) and Bank Negara Malaysia (BNM) sign MoU. Deepens collaboration on cybersecurity and digital fraud prevention. Focuses on information sharing, joint capacity building, and improved incident response.
  • US Congressman demands briefing from CISA on planned personnel cuts. Concerns raised over potential impact on CISA’s mission given the rumored 40% staff reduction. Transparency sought regarding justification and execution plan.
  • The ROUTERS Act advances in a US House committee. It mandates a Commerce Dept. study on national security risks from routers/modems controlled by adversaries (China, Russia, etc.). Aims to safeguard communication networks.
  • Concerns raised over legacy CALEA wiretapping law’s security implications. Experts argue mandated access points in telecom infrastructure create vulnerabilities. These could be exploited by threat actors like Salt Typhoon for espionage.

Security Operations

  • Post-quantum cryptography (PQC) transition requires planning. Quantum computers threaten current asymmetric encryption (RSA, ECC). Prepare by inventorying cryptographic assets and developing migration strategy to NIST-standardized PQC algorithms.
  • TIBER-EU framework emphasizes threat intelligence for effective red teaming. Simulates real adversary TTPs against critical financial infrastructure. Relies on intelligence for realistic scenario scoping and adversary emulation.
  • Ethical hacking and penetration testing remain crucial for vulnerability discovery. White-hat hackers simulate real-world attacks within legal boundaries. Helps organizations proactively identify and remediate security weaknesses.
  • Attackers exploit domain controllers in ransomware campaigns. Compromising DCs provides high-privilege accounts (e.g., dumping NTDS.dit) and central access. Enables rapid, widespread ransomware deployment across the network.

Wins

  • Operation Endgame follow-up leads to arrests of Smokeloader botnet customers. Five individuals detained across Europe. Demonstrates law enforcement focus on disrupting cybercrime ecosystem buyers, not just operators, using seized backend data.
  • Scattered Spider associate ‘King Bob’ (Noah Michael Urban) pleads guilty. Admitted to SIM swapping fraud and cryptocurrency theft totaling $800k. Agrees to forfeit assets and pay $13M restitution.

Disclaimer

The summaries in this brief are generated autonomously by an LLM based on the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.

This document is created by BlackStork and is based on the template available on GitHub.

Reach out if you have questions or suggestions.