Cybersecurity Newsletter 17th March 2025
In this week’s news: Decryptor for the Linux variant of Akira ransomware released, Scammers continue to impersonate high-profile ransomware gangs, Alleged LockBit developer arrested, and Lazarus Group campaign using malicious npm packages.
Security researcher Yohanes Nugroho has released a decryptor for the Linux variant of Akira ransomware, which utilizes GPU power to retrieve the decryption key and unlock files for free. Nugroho developed the decryptor after being asked for help from a friend, deeming the encrypted system solvable within a week, based on how Akira generates encryption keys using timestamps. The project ended up taking three weeks due to unforeseen complexities, and the researcher spent $1,200 on GPU resources to crack the encryption key, but eventually, he succeeded.
https://www.bleepingcomputer.com/news/security/gpu-powered-akira-ransomware-decryptor-released-on-github/
Fraudsters have been observed impersonating the Clop ransomware gang to extort businesses, researchers from Barracuda Networks have found. The incident is part of a trend of scammers impersonating high-profile ransomware actors and claiming to have exfiltrated sensitive data in order to extort payments from targets.
https://www.infosecurity-magazine.com/news/fraudsters-clop-ransomware-extort/
Security researchers have uncovered a sophisticated cyberattack campaign orchestrated by the Lazarus Group, a notorious North Korean state-sponsored hacking group. The campaign involved the deployment of six malicious packages to the npm (Node Package Manager) registry, a widely used repository for JavaScript developers. The malicious packages, downloaded a total of 330 times, were designed to steal credentials, install backdoors, and exfiltrate sensitive cryptocurrency information.
https://dailysecurityreview.com/security-spotlight/lazarus-group-north-korean-hackers-infect-hundreds-via-malicious-npm-packages/
Forescout Research – Vedere Labs observed a threat actor exploiting two Fortinet vulnerabilities to deploy the SuperBlack ransomware. The experts attribute the attacks to a threat actor named “Mora_001”, which uses Russian-language artifacts and exhibits a unique operational signature. The experts speculate Mora_001 could be linked to the LockBit ecosystem, reflecting the growing complexity of ransomware operations.
https://securityaffairs.com/175402/cyber-crime/superblack-ransomware-exploited-fortinet-firewall-flaws.html
A 51-year-old dual Russian and Israeli national who is alleged to be a developer of the LockBit ransomware group has been extradited to the United States, nearly three months after he was formally charged in connection with the e-crime scheme. Rostislav Panev was previously arrested in Israel in August 2024. He is said to have been working as a developer for the ransomware gang from 2019 to February 2024, when the operation's online infrastructure was seized in a law enforcement exercise.
https://thehackernews.com/2025/03/alleged-israeli-lockbit-developer.html
The GSM Association (GSMA) has formally announced support for end-to-end encryption (E2EE) for securing messages sent via the Rich Communications Services (RCS) protocol, bringing much-needed security protections to cross-platform messages shared between Android and iOS platforms. To that end, the new GSMA specifications for RCS include E2EE based on the Messaging Layer Security (MLS) protocol via what's called the RCS Universal Profile 3.0.
https://thehackernews.com/2025/03/gsma-confirms-end-to-end-encryption-for.html
Cisco addressed a denial of service (DoS) vulnerability that allows attackers to crash the Border Gateway Protocol (BGP) process on IOS XR routers.
https://securityaffairs.com/175421/security/cisco-ios-xr-flaw-cve-2025-20115.html
Juniper Networks has released emergency security updates to patch a Junos OS vulnerability exploited by Chinese hackers to backdoor routers for stealthy access. This medium severity flaw (CVE-2025-21590) was reported by Amazon security engineer Matteo Memelli and is caused by an improper isolation or compartmentalization weakness. Successful exploitation lets local attackers with high privileges execute arbitrary code on vulnerable routers to compromise the devices' integrity.
https://www.bleepingcomputer.com/news/security/juniper-patches-bug-that-let-chinese-cyberspies-backdoor-routers-since-mid-2024/
A Python vulnerability scanner designed to check for CVE-2025-0108, an authentication bypass vulnerability in Palo Alto Networks' PAN-OS. The tool works by sending specially crafted HTTP requests to a URL or a list of URLs to detect whether they are vulnerable to the CVE-2025-0108 flaw. This vulnerability could allow an unauthenticated threat actor to bypass authentication on a vulnerable system.
https://github.com/sohaibeb/CVE-2025-0108
The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the Federal Bureau of Investigation (FBI) and the Multi-State Information Sharing and Analysis Center (MS-ISAC), issued a joint advisory revealing the significant impact of the Medusa ransomware operation.
https://dailysecurityreview.com/security-spotlight/cisa-reports-medusa-ransomware-attacks-over-300-critical-infrastructure-organizations/
GitLab released security updates for Community Edition (CE) and Enterprise Edition (EE), fixing nine vulnerabilities, including two critical-severity authentication bypass flaws in the ruby-saml library. All flaws were addressed in GitLab CE/EE versions 17.7.7, 17.8.5, and 17.9.2; all versions before those are vulnerable. GitLab.com is already patched, and GitLab Dedicated customers will be updated automatically, but users who maintain self-managed installations on their own infrastructure will need to apply the updates manually.
https://www.bleepingcomputer.com/news/security/gitlab-patches-critical-authentication-bypass-vulnerabilities/
Facebook issued a warning about a critical vulnerability affecting the widely used FreeType font rendering library. The vulnerability, tracked as CVE-2025-27363 and assigned a CVSS v3 score of 8.1 (“high”), allows for arbitrary code execution.
https://dailysecurityreview.com/security-spotlight/critical-freetype-vulnerability-exploited-in-attacks-urgent-update-required/
A recent report from Kaspersky reveals a massive malware campaign targeting millions of devices worldwide. The Infostealer malware, as its name suggests, is designed to steal sensitive information, including bank card details, passwords, and other credentials. Kaspersky estimates that a staggering 26 million devices have been compromised. The report highlights that 9 million devices were infected in 2024 alone, bringing the total number of compromised devices to 26 million since 2023. While only 1% of globally issued bank cards were leaked on the dark web during this period, a significant 95% of those leaked card numbers were deemed “technically valid” by Kaspersky.
https://dailysecurityreview.com/security-spotlight/infostealer-malware-infects-26-million-devices-steals-bank-card-data-and-passwords/
Vulnerable Edimax IP cameras affected by the critical command injection zero-day, tracked as CVE-2025-1316, have been targeted by numerous Mirai-based botnets since May, reports SecurityWeek.
https://www.scworld.com/brief/attacks-exploiting-edimax-ip-camera-zero-day-ongoing-for-nearly-a-year
A ransomware attack hit the Micronesian state of Yap, causing the health system network to go down.
https://securityaffairs.com/175445/cyber-crime/a-ransomware-attack-hit-the-micronesian-state-of-yap.html
Teenagers from Western English-speaking countries are increasingly targeted by financial sextortion attacks conducted by Nigeria-based cybercriminals, the Network Contagion Research Institute (NCRI) has found.
https://www.infosecurity-magazine.com/news/nigerian-yahoo-boys-social-media/