Cybersec Feeds Overview, Apr 21 - Apr 27, 2025 #
This brief consolidates key updates from 80+ sources, including government organizations, cybersecurity vendors, threat intelligence teams, security research labs, and blogs from cybersecurity communities and professionals. It highlights the most significant threats, vulnerabilities, and developments from the past week to keep you informed.
Most Discussed Topics #
- Vulnerabilities in Industrial Control Systems (ICS) and Operational Technology (OT) were frequently reported, with CISA releasing numerous advisories for products from vendors like Schneider Electric, Siemens, Johnson Controls, Planet Technology, and ABB. These advisories covered flaws ranging from RCE and DoS to information disclosure and authentication bypass, highlighting the ongoing risks to critical infrastructure sectors.
- gov www.cisa.gov: CISA Releases Five Industrial Control Systems Advisories
- gov www.cisa.gov: CISA Releases Seven Industrial Control Systems Advisories
- gov www.cisa.gov: Siemens TeleControl Server Basic SQL
- gov www.cisa.gov: ABB MV Drives
- gov www.cisa.gov: Schneider Electric Modicon Controllers
- gov www.cisa.gov: Johnson Controls Software House iSTAR Configuration Utility (ICU) Tool
- gov www.cisa.gov: Planet Technology Network Products
- Phishing and social engineering remain dominant attack vectors, employing increasingly sophisticated methods. Recent campaigns utilized malicious LNK files disguised as notices, fake CAPTCHA pages distributing Lumma Stealer, SVG image attachments hiding malicious scripts, fake security patches for WooCommerce backdooring sites, and impersonation tactics leveraging legitimate platforms like Google Sites and Zoom’s remote control feature.
- gov www.fbi.gov: FBI Releases Annual Internet Crime Report
- news www.bleepingcomputer.com: WooCommerce admins targeted by fake security patches that hijack sites
- news www.zdnet.com: New Google email scams are alarmingly convincing - how to spot them
- vendor asec.ahnlab.com: Malicious LNK Disguised as Notices
- vendor securelist.com: Lumma Stealer – Tracking distribution channels
- vendor securelist.com: Phishing attacks leveraging HTML code inside SVG files
- vendor www.malwarebytes.com: Zoom attack tricks victims into allowing remote access to install malware and steal money
- Artificial Intelligence (AI) continues to be a major focus, presenting both opportunities and risks for cybersecurity. Discussions covered AI’s role in enhancing security operations (threat detection, analysis, triage, prediction), the emergence of new threats like AI-powered phishing, deepfakes used in social engineering (job interviews, scams), AI geo-guessing capabilities raising privacy concerns, and the need for AI governance and safety frameworks (Microsoft AI Red Team taxonomy, Guillotine hypervisor concept).
- community kb.cert.org: VU#667211: Various GPT services are vulnerable to "Inception" jailbreak, allows for bypass of safety guardrails
- news cyberscoop.com: AI speeds up analysis work for humans, two federal cyber officials say
- news www.darkreading.com: How Emerging AI Frameworks Drive Business Value and Mitigate Risk
- personal www.schneier.com: Regulating AI Behavior with a Hypervisor
- vendor blogs.cisco.com: Does Your SSE Understand User Intent?
- vendor unit42.paloaltonetworks.com: False Face: Unit 42 Demonstrates the Alarming Ease of Synthetic Identity Creation
- vendor www.microsoft.com: New whitepaper outlines the taxonomy of failure modes in AI agents
- vendor www.security.com: 5 RSAC™ Trends SecOps Pros Are Watching
- Ransomware remains a pervasive and costly threat, with attacks evolving and impacting organizations of all sizes. Reports highlighted significant financial damages, record ransom payouts ($75M to Dark Angels), and trends like attacks on edge devices, healthcare sector targeting (DaVita by Interlock), and food distribution (Ahold Delhaize by INC Ransom). Ransomware-as-a-Service models are also evolving, with groups like DragonForce offering white-label branding schemes.
- news hackread.com: Interlock Ransomware Say It Stole 20TB of DaVita Healthcare Data
- news www.bleepingcomputer.com: DragonForce expands ransomware model with white-label branding scheme
- vendor asec.ahnlab.com: Ransom & Dark Web Issues Week 4, April 2025
- vendor research.checkpoint.com: 21st April – Threat Intelligence Report
- vendor socradar.io: Global Ransomware Chronicles: Key Trends for Professionals
- vendor unit42.paloaltonetworks.com: Extortion and Ransomware Trends January-March 2025
- vendor www.tenable.com: Verizon 2025 DBIR: Tenable Research Collaboration Shines a Spotlight on CVE Remediation Trends
- Exploitation of vulnerabilities, particularly zero-days in edge devices and widely used software, remains a primary initial access vector for attackers. Reports from Verizon, Mandiant, and VulnCheck highlighted a significant increase in vulnerability exploitation in 2024, with flaws in VPNs, firewalls, and platforms like SAP NetWeaver being actively targeted. This underscores the critical need for rapid patching and robust vulnerability management programs.
- news cyberscoop.com: Attackers hit security device defects hard in 2024
- news cyberscoop.com: VulnCheck spotted 159 actively exploited vulnerabilities in first few months of 2025
- news www.csoonline.com: SAP NetWeaver customers urged to deploy patch for critical zero-day vulnerability
- vendor www.tenable.com: Cybersecurity Snapshot: Verizon DBIR Finds Attackers Feast on Vulnerability Exploits for Initial Access, While MITRE ATT&CK Adds Mobile, Cloud, ESXi Threat Intel
- vendor www.tenable.com: Verizon 2025 DBIR: Tenable Research Collaboration Shines a Spotlight on CVE Remediation Trends
Critical Vulnerabilities #
- A critical unauthenticated file upload vulnerability (CVE-2025-31324, CVSS 10.0) in SAP NetWeaver Visual Composer’s Metadata Uploader is being actively exploited in the wild. Attackers are abusing the /developmentserver/metadatauploader endpoint to upload JSP webshells, enabling remote code execution and full system compromise. SAP has released an emergency out-of-band patch for VCFRAMEWORK version 7.50, which must be applied even if April’s standard patches were installed.
- gov www.cisecurity.org: A Vulnerability in SAP NetWeaver Visual Composer Could Allow for Remote Code Execution
- news cyberscoop.com: SAP zero-day vulnerability under widespread active exploitation
- news hackread.com: SAP NetWeaver Flaw Scores 10.0 Severity as Hackers Deploy Web Shells
- news www.csoonline.com: SAP NetWeaver customers urged to deploy patch for critical zero-day vulnerability
- vendor socradar.io: Critical SAP NetWeaver Vulnerability (CVE-2025-31324) Allows Unauthorized Upload of Malicious Executables
- vendor www.tenable.com: CVE-2025-31324: Zero-Day Vulnerability in SAP NetWeaver Exploited in the Wild
- A command injection vulnerability (CVE-2021-20035) in the SonicWall Secure Mobile Access (SMA) 100 series management interface is reportedly being actively exploited. The flaw allows a remote authenticated attacker to inject commands as the ’nobody’ user, potentially leading to RCE. SonicWall has upgraded the CVSS score to 7.2 (High) and recommends immediate patching for affected versions (10.2.1.0-17sv and earlier, 10.2.0.7-34sv and earlier, 9.0.0.10-28sv and earlier).
- Commvault Command Center (Innovation Release versions 11.38.0 to 11.38.19) is affected by a critical unauthenticated RCE vulnerability (CVE-2025-34028, CVSS 9.0/10.0). The flaw involves an SSRF in the ‘deployWebpackage.do’ endpoint combined with path traversal, allowing attackers to force the server to fetch and execute a malicious JSP file from an attacker-controlled server. Commvault has released patches (11.38.20 and 11.38.25) and users are urged to update immediately.
- community www.reddit.com: Fire In The Hole, We’re Breaching The Vault - Commvault Remote Code Execution (CVE-2025-34028) - watchTowr Labs
- news hackread.com: Critical Commvault Flaw Allows Full System Takeover – Update NOW
- news thecyberexpress.com: Critical Commvault Flaw Rated 10/10: CSA Urges Immediate Patching
- An exploit chain involving two vulnerabilities (CVE-2025-32432 and CVE-2024-58136) in Craft CMS is being used in zero-day attacks. The RCE flaw (CVE-2025-32432) allows saving a malicious ‘return URL’ in a PHP session, while the Yii framework flaw (CVE-2024-58136) enables execution of this code via a malicious JSON payload. Attackers install PHP file managers post-exploitation. Craft CMS versions 3.9.15, 4.14.15, and 5.6.17 contain fixes.
- news www.bleepingcomputer.com: Craft CMS RCE exploit chain used in zero-day attacks to steal data
- GitLab released patches (17.11.1, 17.10.5, 17.9.7 CE/EE) addressing five vulnerabilities, including three high-severity flaws in the Maven Dependency Proxy. These include two XSS vulnerabilities (CVE-2025-1763, CVE-2025-2443) exploitable via manipulated CSP directives or cache headers, and a Network Error Logging (NEL) header injection (CVE-2025-1908) potentially allowing browser activity tracking. Users are urged to update their self-managed instances.
- vendor socradar.io: GitLab Issues Security Patch in April 2025
- Multiple vulnerabilities were disclosed in Planet Technology network products, potentially allowing attackers to read/manipulate device data, gain admin privileges, or execute OS commands. Flaws include OS command injection (CVE-2025-46271 in UNI-NMS-Lite, CVE-2025-46272 in WGS switches), hard-coded credentials (CVE-2025-46273, CVE-2025-46274 in UNI-NMS-Lite), and missing authentication (CVE-2025-46275 in WGS switches). CISA advises updating affected products.
- community www.reddit.com: 5 CVEs and a CISA Advisory for Planet Technology industrial switches
- gov www.cisa.gov: Planet Technology Network Products
- news hackread.com: Planet Technology Industrial Switch Flaws Risk Full Takeover – Patch Now
- A privilege escalation vulnerability dubbed ConfusedComposer impacted Google Cloud Platform’s (GCP) Cloud Composer service. An attacker with permission to edit a Composer environment could inject a malicious PyPI package. During the build process using Cloud Build, the package’s installation scripts could execute code and extract the highly privileged default Cloud Build service account token via the metadata API, potentially leading to project compromise. Google has fixed the vulnerability.
- vendor www.tenable.com: ConfusedComposer: A Privilege Escalation Vulnerability Impacting GCP Composer
Major Incidents #
- Blue Shield of California inadvertently exposed the Protected Health Information (PHI) of nearly 4.7 million individuals for almost three years (April 2021 - Jan 2024). A misconfiguration in Google Analytics implementation on its websites caused sensitive data, including insurance details, location, gender, and search queries for doctors, to be transmitted to Google Ads, potentially for targeted advertising. Financial data and SSNs were reportedly not exposed.
- vendor socradar.io: Blue Shield’s Google Analytics Error Exposes 4.7 Million Health Records
- vendor www.malwarebytes.com: 4.7 million customers’ data accidentally leaked to Google by Blue Shield of California
- The official NPM package for the XRP Ledger (xrpl) was compromised in a supply chain attack. Malicious versions (4.2.1-4.2.4, 2.14.2) were published containing a backdoor designed to steal users’ private keys by sending them to an attacker-controlled domain (0x9cxyz) when a Wallet object was instantiated. Users are urged to update to clean versions (4.2.5, 2.14.3) immediately and consider any keys processed by affected versions as compromised.
- community www.reddit.com: XRP Supplychain attack: Official NPM package infected with crypto stealing backdoor
- news hackread.com: Backdoor Found in Official XRP Ledger NPM Package
- The FBI’s 2024 IC3 report revealed a record $16.6 billion in reported cybercrime losses, a 33% increase from 2023. Investment fraud ($6.5B, often crypto-related) and BEC ($2.7B) caused the largest losses, while phishing/spoofing was the most reported crime type. Individuals over 60 were the most frequent victims and suffered the highest losses ($4.8B).
- gov www.fbi.gov: FBI Releases Annual Internet Crime Report
- news cyberscoop.com: 10 key numbers from the 2024 FBI IC3 report
- news thecyberexpress.com: Cybercrime Losses Jump 33% in 2024, FBI Report Shows
- news www.darkreading.com: FBI: Cybercrime Losses Rocket to $16.6B in 2024
- The Verizon 2025 Data Breach Investigations Report (DBIR) indicates a significant rise in vulnerability exploitation as an initial access vector, accounting for 20% of breaches (up 34% YoY). Exploits targeting edge devices (VPNs, firewalls) surged, representing 22% of CVE-related breaches compared to 3% previously. Ransomware was present in 44% of breaches, while third-party involvement doubled to 30%.
- news www.cio.com: Verizon DBIR: To break in, hackers favor credentials and vulnerabilities
- news www.darkreading.com: Attackers Capitalize on Mistakes to Target Schools
- news www.darkreading.com: Verizon: Edge Bugs Soar, Ransoms Lag, SMBs Bedeviled
- vendor www.tenable.com: Verizon 2025 DBIR: Tenable Research Collaboration Shines a Spotlight on CVE Remediation Trends
- British retailer Marks & Spencer suffered a cyberattack that disrupted services, including online order placement (which was paused), contactless payments in stores, and Click & Collect orders. The company took some systems offline as a precaution and is working with external experts to investigate and restore services. The nature of the attack and responsible party are currently unknown.
- news www.bleepingcomputer.com: Marks & Spencer pauses online orders after cyberattack
- news www.darkreading.com: Popular British Retailer Marks & Spencer Addresses 'Cyber Incident'
- Multiple US healthcare organizations reported ransomware attacks. DaVita, a major dialysis provider, confirmed an attack impacting systems and was later claimed as a victim by the Interlock ransomware group, alleging 20TB of data theft. Bell Ambulance (Wisconsin) and Alabama Ophthalmology Associates also reported attacks.
- news hackread.com: Interlock Ransomware Say It Stole 20TB of DaVita Healthcare Data
- news www.darkreading.com: 3 More Healthcare Orgs Hit by Ransomware Attacks
- vendor research.checkpoint.com: 21st April – Threat Intelligence Report
- Microsoft Entra ID experienced widespread, unexpected account lockouts starting around April 19th. Microsoft confirmed the issue stemmed from an internal logging problem related to short-lived refresh tokens being inadvertently invalidated, triggering false positive ’leaked credential’ alerts from the MACE (Microsoft Authenticator Compromised Credentials) feature. The logging issue has been corrected, and no security breach occurred.
Emerging Threats #
- Nation-state actors continue sophisticated campaigns. China-linked Billbug targeted Southeast Asian government, telecom, and construction entities using new custom tools (Sagerunex, ChromeKatz, CredentialKatz, reverse SSH) and DLL sideloading via legitimate Trend Micro/Bitdefender software. Lazarus APT (North Korea) conducted ‘Operation SyncHole’ against South Korean software, finance, and tech sectors using watering holes and updated malware variants (ThreatNeedle, Agamemnon). Slow Pisces (North Korea) targeted crypto developers with fake coding challenges distributing RN Loader/Stealer.
- personal medium.com: RST TI Report Digest: 21 Apr 2025
- vendor securelist.com: Operation SyncHole: Lazarus APT goes back to the well
- vendor unit42.paloaltonetworks.com: Slow Pisces Targets Developers With Coding Challenges and Introduces New Customized Python Malware
- vendor www.security.com: Billbug: Intrusion Campaign Against Southeast Asia Continues
- North Korean IT workers are reportedly using deepfakes and synthetic identities during virtual job interviews to infiltrate organizations, particularly targeting cryptocurrency and tech firms. This represents an evolution of their tactics to bypass remote hiring verification processes. Organizations should enhance interview verification, use technical controls, and perform ongoing monitoring.
- news hackread.com: North Korean Hackers Use Fake Crypto Firms in Job Malware Scam
- news www.darkreading.com: North Korean Operatives Use Deepfakes in IT Job Interviews
- news www.theguardian.com: British firms urged to hold video or in-person interviews amid North Korea job scam
- vendor unit42.paloaltonetworks.com: False Face: Unit 42 Demonstrates the Alarming Ease of Synthetic Identity Creation
- Threat actors are exploiting the io_uring feature in the Linux kernel to bypass security tools that rely on system call monitoring. A proof-of-concept rootkit named ‘Curing’ demonstrates this evasion technique. While not providing initial access or privilege escalation, it allows malicious actions like network connections or file tampering to go undetected post-compromise. Detecting usage of the io_uring_setup syscall or blocking it via seccomp profiles are potential mitigations.
- community www.reddit.com: io_uring Is Back, This Time as a Rootkit
- personal www.schneier.com: New Linux Rootkit
- vendor sysdig.com: Detecting and Mitigating io_uring Abuse for Malware Evasion
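The two mitigations named above (spotting io_uring_setup in audit telemetry, and denying the io_uring syscalls with seccomp) as an added example; this is not code from the brief, from Sysdig, or from the Curing proof of concept. It assumes the x86_64 syscall numbers (425 to 427), the Docker/containerd seccomp profile format, and constructed auditd sample lines.

```python
"""Flag io_uring syscalls in auditd SYSCALL records and build a seccomp profile
that denies them. Added example, not from the original brief or from Sysdig."""
import json
import re

# x86_64 syscall numbers for the io_uring interface (present since Linux 5.1).
# Assumption: other architectures use different numbers; adjust if needed.
IO_URING_SYSCALLS = {425: "io_uring_setup", 426: "io_uring_enter", 427: "io_uring_register"}
X86_64_ARCH = "c000003e"  # the arch= value auditd writes for x86_64 records

# Constructed sample auditd records: a process calling io_uring_setup/enter,
# plus an unrelated openat (257) from sshd that must not be flagged.
SAMPLE_AUDIT_LOG = [
    'type=SYSCALL msg=audit(1745400000.101:2001): arch=c000003e syscall=425 success=yes '
    'exit=3 a0=80 a1=7ffd00001234 a2=0 a3=0 items=0 ppid=1 pid=4242 auid=1000 uid=0 '
    'gid=0 comm="curing-poc" exe="/tmp/curing-poc" key="io_uring"',
    'type=SYSCALL msg=audit(1745400000.102:2002): arch=c000003e syscall=426 success=yes '
    'exit=1 a0=3 a1=1 a2=0 a3=0 items=0 ppid=1 pid=4242 auid=1000 uid=0 gid=0 '
    'comm="curing-poc" exe="/tmp/curing-poc" key="io_uring"',
    'type=SYSCALL msg=audit(1745400000.103:2003): arch=c000003e syscall=257 success=yes '
    'exit=4 a0=ffffff9c a1=7ffd0000abcd a2=80000 a3=0 items=1 ppid=1 pid=1337 auid=4294967295 '
    'uid=0 gid=0 comm="sshd" exe="/usr/sbin/sshd" key=(null)',
    'type=PROCTITLE msg=audit(1745400000.103:2003): proctitle="sshd"',
]

# auditd records are space-separated key=value pairs; quoted values may hold spaces.
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_audit_record(line):
    """Return the key=value fields of one auditd record as a dict (quotes stripped)."""
    fields = {}
    for m in _KV.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def find_io_uring_events(lines):
    """Return (pid, comm, exe, syscall_name) for each x86_64 SYSCALL record
    whose syscall number belongs to the io_uring interface."""
    hits = []
    for line in lines:
        f = parse_audit_record(line)
        if f.get("type") != "SYSCALL" or f.get("arch") != X86_64_ARCH:
            continue
        try:
            nr = int(f.get("syscall", ""))
        except ValueError:
            continue  # malformed or missing syscall field
        if nr in IO_URING_SYSCALLS:
            hits.append((f.get("pid"), f.get("comm"), f.get("exe"), IO_URING_SYSCALLS[nr]))
    return hits


def seccomp_profile_blocking_io_uring():
    """Return a Docker/containerd seccomp profile (dict) that allows everything
    except the three io_uring syscalls, which fail with EPERM (errno 1).
    For an allowlist-style profile (defaultAction SCMP_ACT_ERRNO) the equivalent
    fix is simply to leave these names out of the allowed set."""
    return {
        "defaultAction": "SCMP_ACT_ALLOW",
        "architectures": ["SCMP_ARCH_X86_64"],
        "syscalls": [
            {
                "names": sorted(IO_URING_SYSCALLS.values()),
                "action": "SCMP_ACT_ERRNO",
                "errnoRet": 1,
            }
        ],
    }


def seccomp_profile_json():
    """The profile above serialised for use with --security-opt seccomp=<file>."""
    return json.dumps(seccomp_profile_blocking_io_uring(), indent=2)


if __name__ == "__main__":
    for pid, comm, exe, name in find_io_uring_events(SAMPLE_AUDIT_LOG):
        print(f"io_uring use: pid={pid} comm={comm} exe={exe} syscall={name}")
    print(seccomp_profile_json())
```

Point the detection function at records from an audit rule such as one keyed on syscall 425 for your architecture, and write the JSON to a file passed to the container runtime's seccomp option.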
- Malware distribution continues through various channels. Raspberry Robin worm spreads via infected USB drives, using QNAP NAS for C2 and dropping payloads like LockBit. FormBook infostealer is delivered via phishing with malicious Word docs. Lumma Stealer uses fake CAPTCHA pages. A new Android malware, SuperCard X, uses NFC to steal payment card data, spread via smishing. The Triada Android trojan now infects firmware pre-sale, using modules to target apps like Telegram, WhatsApp, and TikTok.
- vendor feeds.fortinet.com: Infostealer Malware FormBook Spread via Phishing Campaign – Part I
- vendor medium.com: Raspberry Robin: Malware Overview
- vendor securelist.com: Lumma Stealer – Tracking distribution channels
- vendor securelist.com: Triada strikes back
- vendor www.malwarebytes.com: Android malware turns phones into malicious tap-to-pay machines
- Threat actors are abusing legitimate services and features for malicious purposes. This includes using Google Sites and DKIM replay attacks for convincing phishing, leveraging Zoom’s remote control feature for malware installation (ELUSIVE COMET group), using Google Forms for scams, and exploiting DLL sideloading opportunities in legitimate software like Trend Micro and Bitdefender (Billbug APT).
- news www.zdnet.com: New Google email scams are alarmingly convincing - how to spot them
- vendor www.malwarebytes.com: Zoom attack tricks victims into allowing remote access to install malware and steal money
- vendor www.security.com: Billbug: Intrusion Campaign Against Southeast Asia Continues
- vendor www.welivesecurity.com: How fraudsters abuse Google Forms to spread scams
- Systemic jailbreaks named “Inception” and “How Not To Reply” have been discovered affecting multiple major AI/LLM services including ChatGPT, Claude, Copilot, Gemini, Grok, and others. These jailbreaks allow bypassing safety guardrails through carefully crafted prompts involving imagined scenarios or instructions on how not to respond. This enables attackers to elicit illicit or harmful content generation, such as instructions for creating malware or phishing emails. Some vendors have reportedly implemented mitigations.
Regulatory and Policy Updates #
- The US Federal Trade Commission (FTC) published updated Children’s Online Privacy Protection Act (COPPA) rules, set to take effect June 23, 2025. The stricter rules enhance obligations for websites and apps regarding children’s data, mandating information security programs, stricter data deletion/retention policies, clearer disclosures about data collection/use, and separate parental consent for sharing data with third parties like advertisers.
- The UK’s communications regulator, Ofcom, is implementing stricter rules under the Online Safety Act to protect children online, effective July 2025. These include over 40 safeguards like filtering harmful content from social feeds via algorithms, robust age verification for high-risk services, and features giving children more control (e.g., declining group chat invites). Ofcom also immediately banned the leasing of ‘global titles’ by mobile operators, a practice exploited by criminals to intercept calls and texts.
- news thecyberexpress.com: Ofcom Finalizes Online Child Safety Rules to Protect UK’s Youngest Internet Users
- news www.theguardian.com: Ofcom closes technical loophole used by criminals to intercept mobile calls and texts
- personal ctoatncsc.substack.com: CTO at NCSC Summary: week ending April 27th
- The US Department of Government Efficiency (DOGE), established by executive order, is facing scrutiny over data access practices. A whistleblower from the National Labor Relations Board (NLRB) alleged DOGE improperly accessed and exfiltrated gigabytes of sensitive case data using privileged accounts with limited logging. Further investigation linked code used during the incident to a DOGE employee. Concerns have also been raised about DOGE seeking access to IRS and Social Security Administration data.
- community www.reddit.com: AMERICAN PANOPTICON
- personal krebsonsecurity.com: DOGE Worker’s Code Supports NLRB Whistleblower
- personal krebsonsecurity.com: Whistleblower: DOGE Siphoned NLRB Case Data
- vendor www.malwarebytes.com: Did DOGE “breach” Americans’ data? (Lock and Code S06E08)
- CISA issued Binding Operational Directive (BOD) 25-01, mandating US federal civilian executive branch agencies implement secure configuration baselines for Microsoft 365 based on the SCuBA project. Agencies must submit tenant inventories, deploy assessment tools by April 2025, and implement all mandatory configurations (covering Entra ID, Exchange Online, SharePoint Online, Teams) by June 20, 2025.
- vendor www.tenable.com: CISA BOD 25-01 Compliance: What U.S. Government Agencies Need to Know
- The US House introduced the bipartisan GUARD Act (H.R. 2978) aimed at protecting seniors from financial fraud, including pig butchering scams. The act would allow federal grant funds for state/local/tribal investigations and authorize federal agencies to provide blockchain tracing tools and other technical assistance to aid these investigations.
- news cyberscoop.com: House bill seeks better tech to combat financial fraud scams against elderly
- A US federal judge partially blocked President Trump’s executive order concerning election integrity. The ruling prevents the Election Assistance Commission from adding proof-of-citizenship requirements to federal voter registration forms. However, the judge did not block provisions related to federal data sharing with states for citizenship verification or conditions on election funding related to mail-in ballot deadlines.
- news cyberscoop.com: Judge tosses citizenship provisions in Trump elections order
Security Operations #
- AI is increasingly being integrated into security operations to enhance efficiency and speed. Federal agencies are using AI to accelerate analysis of compliance documents and network traffic. Security platforms are incorporating AI agents for automated alert triage, context gathering, and investigation (e.g., Sysdig Sage). AI is also being used for predictive security, aiming to anticipate attacker moves, although human oversight and responsible deployment remain crucial.
- news cyberscoop.com: AI speeds up analysis work for humans, two federal cyber officials say
- news cyberscoop.com: AI can help defenders stop nation-state threat actors at machine speed
- personal www.detectionatscale.com: How AI Agents Transform Alert Triage
- vendor sysdig.com: Runtime security in a cloud-native world: Sysdig on the Risky Business Podcast
- vendor www.security.com: 5 RSAC™ Trends SecOps Pros Are Watching
- Improving incident response (IR) effectiveness requires looking beyond speed metrics like MTTD and MTTR. Organizations should focus on metrics reflecting quality and completeness, such as incident reopen rates, playbook success rates, and root cause analysis accuracy. Building a mature incident readiness program involves regular risk assessments, well-defined IR plans and playbooks, tabletop exercises, post-incident analysis, and digital forensics capabilities, complemented by tools like XDR and effective vulnerability management.
- vendor levelblue.com: From Fast to Smart: Rethinking Incident Response Metrics
- vendor levelblue.com: Reduce Your Risk: Improve Your Incident Readiness and Response Program to Drive Operational Efficiency
- Vulnerability management remains a significant challenge, particularly reducing remediation time. Prioritizing vulnerabilities based solely on CVSS scores is insufficient, as many exploited vulnerabilities are not rated ‘Critical’. Classification systems like Tenable’s ‘Vulnerability Watch’, which use status-based terms (e.g., ‘weaponized’), can provide better context for prioritization. Aligning vulnerability management with business impact is crucial for effective exposure management.
- vendor www.tenable.com: Reducing Remediation Time Remains a Challenge: How Tenable Vulnerability Watch Can Help
- vendor www.tenable.com: Turn to Exposure Management to Prioritize Risks Based on Business Impact
- vendor www.tenable.com: Verizon 2025 DBIR: Tenable Research Collaboration Shines a Spotlight on CVE Remediation Trends
- Microsoft continues its Secure Future Initiative (SFI), focusing on security culture, secure-by-design principles (e.g., new UX Toolkit), hardening identity security (Entra ID/MSA signing key protection via HSMs/confidential VMs), reducing lateral movement risk, and improving detection/response capabilities. This includes adding over 200 new detections for top TTPs and expanding vulnerability disclosure programs.
- news www.darkreading.com: Microsoft Purges Millions of Cloud Tenants in Wake of Storm-0558
- vendor www.microsoft.com: Securing our future: April 2025 progress report on Microsoft’s Secure Future Initiative
- Detection engineering practices involve analyzing real-world threats, developing robust rules (potentially using frameworks like DEBMM), leveraging automation, and integrating enrichments from various sources (e.g., AWS, Okta). Continuous evaluation of rule effectiveness through metrics and telemetry is essential. Tools like xorsearch.py can aid in generating ad-hoc YARA rules from various inputs (regex, hex, string) for rapid analysis.
- community isc.sans.edu: xorsearch.py: "Ad Hoc YARA Rules", (Tue, Apr 22nd)
- personal medium.com: Anton’s Security Blog Quarterly Q1 2025
- vendor www.elastic.co: Now available: the 2025 State of Detection Engineering at Elastic
- Best practices for cloud workload protection include continuous and contextualized vulnerability management, effective scanning methods like agentless scanning, runtime protection against active threats, robust identity security focusing on least privilege, and incorporating security into Infrastructure as Code (IaC) pipelines.
- vendor www.tenable.com: Stronger Cloud Security in Five: How To Protect Your Cloud Workloads
- Security Service Edge (SSE) adoption requires focusing on fundamentals like establishing a reliable data path before implementing advanced features. Defining a Minimum Viable Product (MVP) addressing key connectivity challenges (diverse environments, agent deployment, load balancing) is crucial for successful rollouts. Tools and features should support flexible connectivity and traffic routing.
- vendor blogs.cisco.com: Does Your SSE Understand User Intent?
- vendor www.security.com: 3 SSE Adoption Principles to Live By
Wins #
- Law enforcement agencies reported successes against cybercrime operations. The FBI highlighted 215 arrests made in 2024 through joint operations targeting tech support and government impersonation scams, a significant increase from the previous year. Additionally, Europol announced the disruption of the LabHost Phishing-as-a-Service platform, leading to password data being submitted to Have I Been Pwned.
- gov www.fbi.gov: FBI Releases Annual Internet Crime Report
- news cyberscoop.com: 10 key numbers from the 2024 FBI IC3 report
- personal www.troyhunt.com: Weekly Update 448
- The CVE Program, a critical component of global vulnerability management infrastructure, averted a potential disruption. CISA clarified that a contract administration issue, not a funding problem, was resolved before any lapse occurred, ensuring the program’s continued operation and improvement.
- gov www.cisa.gov: Statement from Matt Hartman on the CVE Program
- personal ctoatncsc.substack.com: CTO at NCSC Summary: week ending April 27th
- A bug bounty hunter successfully earned approximately $64,000 by developing automation to scan public GitHub repositories. The technique involved restoring deleted files, finding dangling blobs, and unpacking .pack files to uncover leaked secrets like API keys and credentials. This highlights the effectiveness of automated secret scanning, even in seemingly deleted code history.
- community www.reddit.com: How I made $64k from deleted files — a bug bounty story
Disclaimer #
The summaries in this brief are generated autonomously by an LLM based on the provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.
This document is created by BlackStork and is based on the template available on GitHub.
Reach out if you have questions or suggestions.