April 20, 2025

Cybersec Feeds Overview, Apr 14 - Apr 20, 2025

This brief consolidates key updates from 80+ sources, including government organizations, cybersecurity vendors, threat intelligence teams, security research labs, and blogs from cybersecurity communities and professionals. It highlights the most significant threats, vulnerabilities, and developments from the past week to keep you informed.

Most Discussed Topics

  • The potential disruption and subsequent temporary extension of funding for MITRE’s management of the CVE program dominated discussions. Multiple sources highlighted the program’s critical role as foundational infrastructure for global vulnerability management, tracking, and communication. The 11-month funding extension by CISA averted an immediate crisis, but concerns about long-term stability persist, leading to the formation of the CVE Foundation and other initiatives exploring alternative or supplementary models.
  • Multiple sources highlighted the active exploitation of vulnerabilities, emphasizing the need for prompt patching. Key examples include Apple iOS zero-days (CVE-2025-31200, CVE-2025-31201) used in targeted attacks, a critical Erlang/OTP SSH RCE (CVE-2025-32433) with public exploits, a Windows NTLM flaw (CVE-2025-24054) exploited via .library-ms files, and an older SonicWall SMA RCE (CVE-2021-20035) being leveraged since January 2025. Additionally, CISA released numerous advisories for critical ICS vulnerabilities across various vendors.
  • The use of AI in both cyberattacks and defense continues to be a major focus. Attackers leverage AI for sophisticated phishing, deepfakes, and fraud campaigns. Code generation AI tools introduce supply chain risks through ‘package hallucinations.’ Conversely, defenders are exploring AI for enhanced threat detection, prediction (like Broadcom’s Incident Prediction), security posture management (CSPM), and automating SOC tasks. Governance and managing risks associated with AI adoption, including ‘Shadow AI,’ are key challenges for CISOs.
  • Espionage-focused campaigns by state-sponsored actors remain prominent. APT29 (Russia) targeted European diplomats with phishing emails using wine-tasting lures and new malware (GRAPELOADER, WINELOADER). IronHusky (China) deployed updated MysterySnail RAT variants against Russian/Mongolian government targets. UNC5174 (China) used open-source tools (VShell RAT, WebSockets) for stealth. Billbug (China) targeted Southeast Asia with custom tools. Slow Pisces (North Korea) targeted crypto developers via LinkedIn.
  • Industrial Control Systems (ICS) remain a significant target area, with numerous vulnerabilities disclosed by CISA across multiple vendors including Schneider Electric, Yokogawa, Siemens, Delta Electronics, ABB, Lantronix, National Instruments, and Growatt. These flaws often carry high severity ratings (CVSS 9.0+) and could allow for remote code execution, authentication bypass, denial-of-service, or data compromise, impacting critical infrastructure sectors like manufacturing, energy, and water.

Critical Vulnerabilities

  • Apple released patches for two critical zero-day vulnerabilities (CVE-2025-31200, CVE-2025-31201) affecting iOS, iPadOS, macOS, tvOS, and visionOS. These vulnerabilities, involving memory corruption in CoreAudio and a Pointer Authentication bypass, were reportedly exploited in sophisticated, targeted attacks, potentially allowing arbitrary code execution. CISA added both to its Known Exploited Vulnerabilities (KEV) catalog, mandating patching for federal agencies.
  • A critical unauthenticated remote code execution vulnerability (CVE-2025-32433, CVSS 10.0) was disclosed in the Erlang/OTP SSH server implementation. The flaw allows command execution before authentication due to improper handling of SSH protocol messages. Public proof-of-concept exploits are available, increasing the risk of widespread attacks. Patches are available for supported OTP versions (27.3.3, 26.2.5.11, 25.3.2.20) and should be applied immediately.
  • Microsoft addressed CVE-2025-24054, a Windows NTLM hash disclosure spoofing vulnerability, in its March 2025 patches. However, Check Point Research observed active exploitation starting March 19th, targeting government and private institutions in Poland and Romania via malspam campaigns distributing malicious .library-ms files. CISA added this vulnerability to its KEV catalog. The flaw requires minimal user interaction to trigger.
  • An older SonicWall SMA 100 series vulnerability (CVE-2021-20035), initially rated medium and patched in 2021, is now classified as high severity (CVSS 7.2) and confirmed to be actively exploited for RCE. Arctic Wolf observed attacks leveraging this flaw since January 2025, potentially combined with default credentials (admin@LocalDomain:password). CISA added it to the KEV catalog, requiring federal agencies to patch by May 7th.
  • Multiple vulnerabilities (CVE-2025-0285, -0286, -0287, -0288, -0289) were identified in the BioNTdrv.sys driver used by Paragon Software’s Hard Disk Manager products. These flaws, including arbitrary memory mapping/write and insecure resource access, allow local privilege escalation (LPE) and DoS. Microsoft observed CVE-2025-0289 being exploited in Bring Your Own Vulnerable Driver (BYOVD) ransomware attacks to gain SYSTEM privileges. Paragon has patched affected products, and Microsoft added vulnerable driver versions to its blocklist.
  • Oracle released its April 2025 Critical Patch Update (CPU), addressing 171 CVEs with 378 security updates across 32 product families. The update includes 40 critical patches affecting products like SQL Developer, Hyperion, Secure Backup, and Communications. Many vulnerabilities are remotely exploitable without authentication, posing significant risks like remote code execution.
  • Multiple vulnerabilities have been identified in Fortinet FortiGate devices, particularly affecting the SSL VPN component (sslvpnd). These include an out-of-bounds write (FG-IR-24-015) and heap buffer overflows (FG-IR-23-097, FG-IR-22-398). Attackers are exploiting these and using a symlink technique to maintain read-only access even after patching. Fortinet and ACSC urge immediate patching.

Major Incidents

  • CISA issued guidance following reports of potential unauthorized access to a legacy Oracle Cloud environment. The incident poses risks related to credential exposure, reuse, and hardcoding. Organizations are advised to reset passwords for affected users, review code for embedded credentials, enforce phishing-resistant MFA, and monitor authentication logs for anomalies.
  • Hertz Corporation disclosed a data breach impacting customers of Hertz, Dollar, and Thrifty brands. The breach resulted from a ransomware attack by the CL0P gang exploiting a zero-day vulnerability in Cleo’s Managed File Transfer (MFT) solution used by Hertz. Exposed data includes names, contact information, driver’s licenses, and potentially SSNs for a small number of individuals.
  • Ahold Delhaize USA, parent company of supermarket chains like Stop & Shop and Hannaford, confirmed data theft occurred during a November 2024 cyberattack that disrupted operations. The INC ransomware group claimed responsibility, alleging the exfiltration of 6 terabytes of data from internal US business systems. The company is investigating the extent of the data impact.
  • The infamous imageboard 4chan experienced significant downtime, accompanied by alleged leaks of backend source code and moderator/janitor PII (email addresses) on social media. While the exact cause is unconfirmed, speculation points towards a potential cyberattack or hacking incident coinciding with the outage.
  • The dark web marketplace BidenCash performed another large data dump, leaking nearly one million credit card records (number, expiry, CVV) onto the XSS forum. The platform framed the leak as part of its ‘Anti-Public System’ to ensure data freshness and penalize vendors selling duplicate data, while simultaneously serving as a marketing tactic.
  • A widespread issue caused numerous Microsoft Entra ID (formerly Azure AD) user accounts across multiple organizations to be locked out. Reports suggest this was triggered by false positives during the rollout of a new Microsoft feature/application called ‘MACE Credential Revocation,’ designed to detect leaked credentials. Affected administrators confirmed the issue with Microsoft support.
  • Airport retail company Paradies Shops agreed to a $6.9 million class-action settlement following a 2020 REvil ransomware attack. The breach exposed personal information, including names and Social Security numbers, of approximately 76,000 current and former employees. The lawsuit alleged negligence in data protection and delayed notification.
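
The CISA guidance on the Oracle Cloud incident (reset passwords, review code for embedded credentials) is the kind of task that is easy to state and tedious to do by hand across a code base. The following scanner is an added example written for this brief, not code from CISA, Oracle or any vendor named above: it walks a set of source files, flags credential-looking names assigned a quoted literal, skips obvious placeholders, and scores each value's entropy so that random-looking tokens are reviewed first. The sample files, file paths and values are constructed for the example.

```python
import math
import re

# Constructed sample files standing in for a repository under review; none of
# these values are real credentials.
SAMPLE_FILES = {
    "app/config.py": (
        'DB_HOST = "db.internal"\n'
        'DB_PASSWORD = "Summer2024!"\n'
        'API_KEY = "k7Qp9vX2mLr4sT1wZb8nHc3y"\n'
        "DEBUG = True\n"
    ),
    "app/settings.example.py": (
        'DB_PASSWORD = os.environ["DB_PASSWORD"]\n'
        'API_KEY = "<your-api-key>"\n'
    ),
    "scripts/deploy.sh": (
        'export CLOUD_TOKEN="eyJhbGciOiJIUzI1NiJ9.c2FtcGxl.c2ln"\n'
    ),
}

# A credential-looking name assigned a quoted string literal. Values pulled from
# the environment or a vault are not literals and therefore do not match.
ASSIGN_RE = re.compile(
    r"(?i)\b(?P<name>[A-Z0-9_]*(?:password|passwd|pwd|secret|token|api[_-]?key)[A-Z0-9_]*)"
    r"\s*[=:]\s*[\"'](?P<value>[^\"']{4,})[\"']"
)

# Substrings that mark an obvious placeholder rather than a live secret.
PLACEHOLDER_MARKERS = ("<", "example", "changeme", "your-", "xxx", "${", "%s", "todo")


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; random tokens score higher than dictionary words."""
    length = len(text)
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((n / length) * math.log2(n / length) for n in counts.values())


def is_placeholder(value: str) -> bool:
    lowered = value.lower()
    return any(marker in lowered for marker in PLACEHOLDER_MARKERS)


def scan_source(files: dict) -> list:
    """Return one finding per literal credential, with the value masked for reporting."""
    findings = []
    for path, content in files.items():
        for lineno, line in enumerate(content.splitlines(), start=1):
            for match in ASSIGN_RE.finditer(line):
                value = match.group("value")
                if is_placeholder(value):
                    continue
                entropy = shannon_entropy(value)
                findings.append({
                    "path": path,
                    "line": lineno,
                    "name": match.group("name"),
                    # Never echo the secret itself into a report or ticket.
                    "preview": value[:2] + "*" * (len(value) - 2),
                    "entropy": round(entropy, 2),
                    # 3.5 bits/char is an assumed threshold separating passwords from random tokens.
                    "likely_random": entropy >= 3.5,
                })
    return findings


if __name__ == "__main__":
    for f in scan_source(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']} {f['name']} = {f['preview']} "
              f"(entropy {f['entropy']}, likely_random={f['likely_random']})")
```

The regex deliberately requires a quoted literal on the right-hand side, so `os.environ[...]` reads are not reported; the placeholder list and the entropy score are heuristics and should be tuned against false positives in the repository being reviewed. Any hit should be followed by rotating the credential, not just deleting the line, since it may already be in version history.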

Emerging Threats

  • State-sponsored threat actors are increasingly adopting techniques previously associated with cybercriminals to enhance stealth and effectiveness. North Korean (TA427), Iranian, and Russian actors were observed using the ‘ClickFix’ social engineering tactic, tricking users into executing malicious commands. Chinese actors (UNC5174) are leveraging open-source tools like VShell RAT and WebSockets C2 alongside custom malware (SNOWLIGHT) to blend in with less sophisticated threats.
  • AI poses new security risks, particularly in software supply chains and data security. Code-generating LLMs can ‘hallucinate’ non-existent software packages, creating opportunities for attackers to publish malicious packages with the same names (package confusion attacks). Additionally, the widespread use of ‘Shadow AI’ (employees using personal GenAI accounts) leads to significant leakage of sensitive corporate data (source code, PII, customer data) into these external models.
  • Novel Android malware strains targeting financial data are emerging. ‘SuperCard X’, offered as a MaaS, uses social engineering and NFC relay attacks to bypass security for fraudulent POS/ATM transactions. ‘Gorilla’, written in Kotlin, intercepts SMS messages to steal OTPs, particularly targeting banking and Yandex users, while using techniques to evade detection.
  • Chinese APT group Billbug (aka Lotus Blossom) conducted a campaign against multiple organizations in Southeast Asia (government, telco, construction, air traffic control) between August 2024 and February 2025. The attacks utilized new custom tools including loaders, Chrome credential stealers (ChromeKatz, CredentialKatz), a reverse SSH tool, and variants of the Sagerunex backdoor. Techniques included DLL sideloading via legitimate Trend Micro and Bitdefender binaries and use of the Zrok P2P tool.
  • Credential stuffing attacks are evolving, using headless browsers (like Puppeteer, Playwright) to mimic legitimate user traffic and CAPTCHA-solving services (like 2Captcha, Anti-Captcha) to bypass anti-automation measures. These attacks exploit password reuse across platforms, as seen in the 23andMe breach where compromised credentials from other sites were used.
  • Attackers are misusing legitimate tools and protocols for stealth. Microsoft’s mavinject.exe utility is being used for DLL injection (T1218.013), potentially bypassing EDR detection due to the tool’s trusted status. Additionally, threat actors are increasingly using standard communication protocols like WebSockets (seen with MysteryMonoSnail RAT and Gorilla malware) and abusing public file-sharing services (like gofile.io) for C2 and data exfiltration, blending malicious traffic with legitimate activity.
  • Threat actors are exploiting trust in legitimate platforms and services. A sophisticated phishing scam leverages Google Sites to host fake login pages and bypasses email security checks by exploiting Google’s infrastructure, making emails appear signed and sent by Google. Separately, AI presentation tool ‘Gamma’ is being used in phishing attacks, abusing the legitimacy of the platform to host malicious content or redirect users.
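
Because headless browsers and CAPTCHA-solving services defeat client-side anti-automation checks, credential stuffing is most reliably caught server-side from the shape of the login traffic itself: one source address cycling through many distinct usernames with a high failure rate inside a short window. The detector below is an added example for this brief, not code from any vendor or from the 23andMe investigation; the log format, thresholds (5 distinct users, 75% failure rate, 10-minute window) and the RFC 5737 test addresses are all constructed for the example. The `HeadlessChrome` user-agent token is a real marker emitted by headless Chromium builds, used here only as a secondary signal since it is trivially changed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication log lines (RFC 5737 test addresses); not a real capture.
SAMPLE_LOG = """\
2025-04-15T10:00:01Z ip=198.51.100.23 user=alice result=fail ua="Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/123.0.0.0"
2025-04-15T10:00:02Z ip=198.51.100.23 user=bob result=fail ua="Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/123.0.0.0"
2025-04-15T10:00:03Z ip=198.51.100.23 user=carol result=fail ua="Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/123.0.0.0"
2025-04-15T10:00:04Z ip=198.51.100.23 user=dave result=success ua="Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/123.0.0.0"
2025-04-15T10:00:05Z ip=198.51.100.23 user=erin result=fail ua="Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/123.0.0.0"
2025-04-15T10:00:06Z ip=198.51.100.23 user=frank result=fail ua="Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/123.0.0.0"
2025-04-15T10:00:07Z ip=198.51.100.23 user=grace result=fail ua="Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/123.0.0.0"
2025-04-15T10:00:08Z ip=198.51.100.23 user=henry result=fail ua="Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/123.0.0.0"
2025-04-15T10:05:00Z ip=192.0.2.5 user=bob result=fail ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"
2025-04-15T10:05:20Z ip=192.0.2.5 user=bob result=success ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"
2025-04-15T11:00:00Z ip=203.0.113.9 user=carol result=fail ua="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Safari/605.1.15"
2025-04-15T11:00:30Z ip=203.0.113.9 user=carol result=fail ua="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Safari/605.1.15"
2025-04-15T11:01:00Z ip=203.0.113.9 user=carol result=success ua="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Safari/605.1.15"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+) ua="(?P<ua>[^"]*)"$'
)

# User-agent substrings that identify headless browser builds (weak signal, easily spoofed).
HEADLESS_MARKERS = ("HeadlessChrome", "PhantomJS")


def parse_line(line: str):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def detect_credential_stuffing(lines, window=timedelta(minutes=10),
                               min_users=5, min_fail_ratio=0.75):
    """Flag source IPs that try many distinct accounts with mostly failures inside `window`."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)

    findings = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        recent = deque()          # sliding window of events for this IP
        triggered = False
        for ev in events:
            recent.append(ev)
            while ev["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            users = {e["user"] for e in recent}
            fails = sum(1 for e in recent if e["result"] != "success")
            if len(users) >= min_users and fails / len(recent) >= min_fail_ratio:
                triggered = True
                break
        if not triggered:
            continue
        findings.append({
            "ip": ip,
            "attempts": len(events),
            "distinct_users": len({e["user"] for e in events}),
            "failures": sum(1 for e in events if e["result"] != "success"),
            "headless": any(marker in e["ua"] for e in events for marker in HEADLESS_MARKERS),
            # Accounts that accepted a password from the flagged source need a forced reset.
            "compromised_accounts": sorted({e["user"] for e in events if e["result"] == "success"}),
        })
    return findings


if __name__ == "__main__":
    for f in detect_credential_stuffing(SAMPLE_LOG.splitlines()):
        print(f)
```

A single user failing three times before succeeding (the `203.0.113.9` lines) is not flagged, because the distinct-user count never reaches the threshold; that distinction between a forgotten password and a spray across accounts is what keeps the rule's false-positive rate manageable. The `compromised_accounts` list is the actionable output: those are the password-reuse victims whose sessions should be revoked and passwords reset.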

Regulatory and Policy Updates

  • The potential expiration of MITRE’s contract to manage the CVE program caused significant industry concern, highlighting its critical role. CISA secured an 11-month funding extension, averting immediate disruption. However, the incident spurred discussions about long-term stability, leading to initiatives like the non-profit CVE Foundation aiming for a more resilient, community-driven future for vulnerability tracking.
  • NIST released an initial public draft update (1.1) of its Privacy Framework (PFW), aiming for closer integration with the recently updated Cybersecurity Framework (CSF 2.0). Key changes include realignment with CSF core functions and the addition of a new section addressing privacy risks associated with Artificial Intelligence (AI). The update seeks to help organizations manage the full spectrum of privacy and cybersecurity risks cohesively. Public comments are open until June 13, 2025.
  • The US government is increasing focus on data protection and election security. The Department of Justice is implementing a program to prevent foreign adversaries (China, Russia, Iran cited) from accessing sensitive US government and personal data for espionage or military purposes. Concurrently, President Trump issued an executive order targeting former CISA Director Chris Krebs, revoking his security clearance and ordering an investigation into CISA’s activities related to the 2020 election and alleged censorship, leading to Krebs’ resignation from SentinelOne.
  • Legislation impacting cybersecurity information sharing is under review. A bipartisan bill has been introduced in the US Senate to reauthorize the Cybersecurity Information Sharing Act (CISA) of 2015 for another 10 years before its scheduled expiration in September 2025. The act provides crucial liability protections for organizations sharing cyber threat information with the government and each other.
  • Emerging regulations and guidelines are addressing specific sectors and technologies. The European Commission is consulting on its action plan for hospital and healthcare provider cybersecurity. France’s CNIL held consultations on securing electronic patient records. Singapore released draft guidance on medical device cybersecurity best practices. These efforts reflect growing regulatory attention on securing sensitive health data and critical medical technologies.
  • Concerns are rising about data privacy related to AI training data. Meta announced plans to use public posts from EU users to train its AI models, relying on an opt-out mechanism despite previous regulatory pushback regarding consent under GDPR. This highlights the ongoing tension between AI development needs and stringent data privacy regulations like GDPR.
  • Global regulations and standards bodies are working to secure emerging technologies. ETSI published baseline cybersecurity requirements for AI models and systems, developed in collaboration with UK NCSC/DSIT. Concurrently, the US government is intensifying efforts to control the export of sensitive technologies, like advanced AI chips (Nvidia GPUs), particularly to China, amid concerns about their use by companies like DeepSeek with alleged state ties.

Security Operations

  • Organizations are struggling with vulnerability remediation timelines and coverage. Pentesting reports reveal less than half of discovered vulnerabilities are resolved, with high-risk flaws taking a median of 67 days, far exceeding typical 14-day SLAs. Furthermore, assessment of AI-related risks lags behind adoption, with only 66% assessing GenAI security despite 98% usage, and only 21% of GenAI app flaws being resolved.
  • Guidance and frameworks for improving security posture are being updated and promoted. CISA released multiple ICS advisories with technical details and mitigations. Microsoft emphasized its Secure Future Initiative (SFI) aligning with Secure by Design principles. NIST updated its Privacy Framework for better integration with the Cybersecurity Framework. Implementing frameworks like MITRE ATT&CK and adopting structured vulnerability/exposure management workflows are highlighted as key operational improvements.
  • Automating threat intelligence enrichment and log correlation are crucial for effective SOC operations. Integrating platforms like MISP with SIEM systems using Python scripts (for batch or real-time enrichment) enhances alert context and speeds up triage. Correlating diverse log sources (web, network, endpoint) is vital for detecting complex attacks like credential theft by identifying patterns and anomalies across the cyber kill chain.
  • New security features and updates aim to bolster endpoint and cloud defenses. Android devices will soon auto-restart after 3 days of being locked to enhance security by clearing memory contents. Windows updates created a protective ‘inetpub’ folder related to CVE-2025-21204, which should not be deleted. Kubernetes 1.33 introduced enhancements like in-place pod scaling and OCI image volumes, improving workload management and security configurations.
  • Incident response readiness remains crucial, especially for ransomware and Active Directory compromises. Experts emphasize the need for tested AD recovery plans, as AD is a prime target. Recommendations following potential compromises, like the alleged Oracle Cloud incident, include immediate password resets, code reviews for embedded credentials, MFA enforcement, and diligent log monitoring.
  • Advanced security tooling continues to evolve. Metasploit introduced efficiency improvements like PIPE_FETCH for smaller fetch payloads and added new exploits for BentoML and Langflow AI RCE vulnerabilities. New open-source tools like xorsearch.py (with YARA/regex support) aid analysis, while techniques leveraging Frida for mobile app interception (e.g., Flutter) are being explored. Community tools for tracking AWS documentation changes and aggregating bug bounty programs also emerged.
  • Security teams must address data quality and governance issues, especially with the rise of AI. A ‘data confidence gap’ exists where executives overestimate data readiness for AI, while practitioners see significant quality problems. Poor data governance and rushing AI projects without proper data preparation can lead to inaccurate AI outputs and flawed decision-making. Establishing clear data strategies, enhancing transparency, and ensuring data pipelines are robust are critical.
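
The point about enriching alerts with threat intelligence and correlating web, network and endpoint logs is easier to see in code than in prose. The following is an added example written for this brief, not code from MISP, any SIEM vendor or any source summarized above. It stands in for the MISP integration with a constructed local indicator list shaped like MISP attributes (a real deployment would fetch these via PyMISP rather than hard-code them), joins firewall records to hosts through a constructed asset inventory, tags each event with matched indicators, maps events to kill-chain stages, and raises an incident only when a host shows two or more stages within a time window. Hostnames, addresses, the Office-to-script-host rule and the 30-minute window are all assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed indicator set shaped like MISP attributes (type/value/comment).
INDICATORS = [
    {"type": "domain", "value": "cdn-sync.example.net", "comment": "constructed loader C2 domain"},
    {"type": "ip-dst", "value": "198.51.100.77", "comment": "constructed C2 address"},
]

# Constructed asset inventory so firewall records (IP only) can be joined to hosts.
ASSET_INVENTORY = {"10.0.0.15": "WS01", "10.0.0.16": "WS02"}

# Constructed events from three sources, each formatted as 'source k=v k=v ...'.
SAMPLE_EVENTS = """\
edr ts=2025-04-16T09:12:03Z host=WS01 user=alice event=process parent=WINWORD.EXE image=powershell.exe
proxy ts=2025-04-16T09:12:10Z host=WS01 user=alice dst=cdn-sync.example.net status=200
fw ts=2025-04-16T09:12:11Z src=10.0.0.15 dst=198.51.100.77 dport=443 action=allow
edr ts=2025-04-16T09:40:00Z host=WS02 user=bob event=process parent=explorer.exe image=chrome.exe
proxy ts=2025-04-16T09:41:00Z host=WS02 user=bob dst=www.example.com status=200
fw ts=2025-04-16T09:41:01Z src=10.0.0.16 dst=192.0.2.10 dport=443 action=allow
"""

# Assumed detection rule: an Office application spawning a script host.
OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> dict:
    """Split 'source k=v ...' into a dict with a parsed timestamp."""
    source, _, rest = line.partition(" ")
    ev = dict(KV_RE.findall(rest))
    ev["source"] = source
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def enrich(ev: dict, ioc_values: set) -> dict:
    """Attach matched indicators: proxy 'dst' is a domain, firewall 'dst' is an IP."""
    ev["iocs"] = [v for v in (ev.get("dst"),) if v in ioc_values]
    return ev


def stage_of(ev: dict):
    """Map one enriched event to a kill-chain stage, or None if it is benign."""
    if (ev["source"] == "edr" and ev.get("event") == "process"
            and ev.get("parent") in OFFICE_APPS and ev.get("image") in SCRIPT_HOSTS):
        return "execution"
    if ev["source"] in ("proxy", "fw") and ev["iocs"]:
        return "c2"
    return None


def correlate(lines, indicators, inventory, window=timedelta(minutes=30)) -> list:
    """Raise one incident per host that shows at least two distinct stages inside `window`."""
    ioc_values = {i["value"] for i in indicators}
    by_host = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ev = enrich(parse_event(line), ioc_values)
        host = ev.get("host") or inventory.get(ev.get("src"))
        if host is None:
            continue  # unknown asset: cannot be joined to endpoint telemetry
        ev["host"] = host
        by_host[host].append(ev)

    incidents = []
    for host, events in by_host.items():
        events.sort(key=lambda e: e["ts"])
        staged = [(stage_of(e), e) for e in events]
        staged = [(s, e) for s, e in staged if s]
        if not staged:
            continue
        # Window opens at the first suspicious event on this host.
        start = staged[0][1]["ts"]
        in_window = [(s, e) for s, e in staged if e["ts"] - start <= window]
        stages = {s for s, _ in in_window}
        if len(stages) < 2:
            continue
        incidents.append({
            "host": host,
            "users": sorted({e["user"] for _, e in in_window if "user" in e}),
            "stages": stages,
            "iocs": sorted({v for _, e in in_window for v in e["iocs"]}),
            "timeline": [(e["ts"].isoformat(), s, e["source"]) for s, e in in_window],
        })
    return incidents


if __name__ == "__main__":
    for inc in correlate(SAMPLE_EVENTS.splitlines(), INDICATORS, ASSET_INVENTORY):
        print(inc)
```

Neither the proxy hit nor the process rule alone would justify paging an analyst; requiring two stages on the same host within the window is what turns three low-context log lines into one alert that already carries the user, the matched indicators and an ordered timeline. The host join for firewall records is the step most often missing in practice, and without it the network source contributes nothing to correlation.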

Wins

  • Efforts to secure the CVE program’s future resulted in CISA extending MITRE’s management contract for 11 months. This last-minute action prevented a potentially damaging disruption to the global vulnerability tracking ecosystem. Additionally, the incident prompted the formation of the CVE Foundation, aiming to establish a more resilient, community-driven governance model for the program.
  • Law enforcement actions continue against malware operators. An alleged operator of the SmokeLoader malware, known as “scrublord,” is facing federal charges in Vermont for stealing personal information and passwords from over 65,000 victims using the malware loader. This follows broader actions by Europol under Operation Endgame targeting SmokeLoader infrastructure and users.
  • A security researcher successfully identified and reported a vulnerability (CVE-2025-43929) in a markdown editor, contributing to the coordinated disclosure process by obtaining a CVE ID from MITRE.

Disclaimer

The summaries in this brief are generated autonomously by an LLM based on the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.

This document is created by BlackStork and is based on the template available on GitHub.

Reach out if you have questions or suggestions.