CyberSecurity Newsletter 21st April, 2025
In this week’s news: the FBI warns of scammers impersonating its Internet Crime Complaint Center (IC3); a remote code execution flaw in SonicWall Secure Mobile Access (SMA) appliances is under active exploitation; a high-severity Webex vulnerability lets unauthenticated attackers gain client-side remote code execution; phishers abused Google’s own infrastructure to send a DKIM-valid message that appeared to come from Google; ASUS has disclosed a critical flaw affecting routers with AiCloud enabled; ClickFix social engineering is gaining traction among state-sponsored actors; and HP Inc has agreed to pay $4 million to settle a class-action lawsuit.
The FBI warns that scammers impersonating FBI Internet Crime Complaint Center (IC3) employees offer to "help" fraud victims recover money lost to other scammers. Between December 2023 and February 2025 the FBI says it received over 100 reports of fraudsters using this tactic.
https://www.bleepingcomputer.com/news/security/fbi-scammers-pose-as-fbi-ic3-employees-to-help-recover-lost-funds/
Arctic Wolf researchers warn that threat actors have been exploiting CVE-2021-20035 (CVSS score 7.1), a remote code execution flaw in SonicWall Secure Mobile Access (SMA) appliances, since at least January 2025, more than three years after the patch was released.
https://securityaffairs.com/176706/security/attackers-exploited-sonicwall-sma-appliances-since-january-2025.html
Cybersecurity researchers are warning of a "widespread and ongoing" SMS phishing campaign that's been targeting toll road users in the United States for financial theft since mid-October 2024.
https://thehackernews.com/2025/04/chinese-smishing-kit-behind-widespread.html
Chinese-speaking IronHusky hackers are targeting Russian and Mongolian government organizations using upgraded MysterySnail remote access trojan (RAT) malware. Security researchers at Kaspersky's Global Research and Analysis Team (GReAT) spotted the updated implant while investigating recent attacks where the attackers deployed the RAT malware using a malicious MMC script camouflaged as a Word document, which downloaded second-stage payloads and gained persistence on compromised systems.
https://www.bleepingcomputer.com/news/security/chinese-hackers-target-russian-govt-with-upgraded-rat-malware/
Cisco has released security updates for a high-severity Webex vulnerability that allows unauthenticated attackers to gain client-side remote code execution using malicious meeting invite links. Tracked as CVE-2025-20236, this security flaw was found in the Webex custom URL parser and can be exploited by tricking users into downloading arbitrary files, which lets threat actors execute arbitrary commands on systems running unpatched software in low complexity attacks.
https://www.bleepingcomputer.com/news/security/cisco-webex-bug-lets-hackers-gain-code-execution-via-meeting-links/
In a rather clever attack, phishers abused Google’s own infrastructure to deliver a message that appeared to come from “no-reply@google.com”, passed DomainKeys Identified Mail (DKIM) verification, and pointed to a legitimate-looking “support portal” that harvested Google account credentials. The message was a genuine Google security alert: the attacker registered an OAuth app whose name carried the phishing text, had Google send the resulting alert to a mailbox they controlled, and then forwarded it to victims unchanged. Because DKIM signs selected headers and the body rather than the delivery path, the signature still validated even though the real sender was different; this is a DKIM replay attack.
https://www.bleepingcomputer.com/news/security/phishers-abuse-google-oauth-to-spoof-google-in-dkim-replay-attack/
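The DKIM replay described above does not break the signature, so the signals an analyst has left are the ones DKIM does not cover: the envelope sender (Return-Path) and the host that actually handed the message over. The following is an added example, not code from the article or from Google, that pulls those fields out of a raw message and flags the replay pattern. The sample headers, hostnames and addresses are constructed for illustration; the script does not cryptographically verify the signature (a receiving MTA already did that), it only checks whether a valid, aligned signature is paired with an unaligned envelope sender and last hop.

```python
"""Surface DKIM-replay indicators in a raw RFC 5322 message (added example)."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed sample of a forwarded alert: DKIM d= and From agree (google.com),
# but the bounce address and the last relay belong to somebody else.
# The bh=/b= values are placeholders, not a real signature.
REPLAYED = """Return-Path: <bounce@attacker-relay.example>
Received: from mail.attacker-relay.example (mail.attacker-relay.example [203.0.113.10])
    by mx.victim.example with ESMTPS; Tue, 15 Apr 2025 10:00:00 +0000
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com [209.85.220.41])
    by mail.attacker-relay.example with ESMTPS; Tue, 15 Apr 2025 09:59:00 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601;
    h=from:to:subject:date:message-id; bh=...; b=...
From: Google <no-reply@google.com>
To: victim@victim.example
Subject: Security alert
Message-ID: <abc@google.com>

Body text
"""

# Constructed control case: same signer, but envelope and last hop are Google's.
DIRECT = """Return-Path: <3abc@scoutcamp.bounces.google.com>
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com [209.85.220.41])
    by mx.victim.example with ESMTPS; Tue, 15 Apr 2025 10:00:00 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601;
    h=from:to:subject:date:message-id; bh=...; b=...
From: Google <no-reply@google.com>
To: victim@victim.example
Subject: Security alert

Body text
"""


def domain_of(addr: str) -> str:
    """Lower-cased domain of an address such as 'Name <user@host>'."""
    _, address = parseaddr(addr or "")
    return address.rpartition("@")[2].lower()


def aligned(domain: str, org_domain: str) -> bool:
    """DMARC relaxed alignment: exact match or a subdomain of org_domain."""
    return bool(domain) and (domain == org_domain or domain.endswith("." + org_domain))


def dkim_signer_domains(msg: Message) -> list[str]:
    """d= tag of every DKIM-Signature header present."""
    signers = []
    for value in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)\s*d=([^;\s]+)", value)
        if m:
            signers.append(m.group(1).lower())
    return signers


def received_hosts(msg: Message) -> list[str]:
    """Hostnames from 'Received: from ...' headers, most recent hop first."""
    hosts = []
    for value in msg.get_all("Received", []):
        m = re.match(r"\s*from\s+([^\s;(]+)", value)
        if m:
            hosts.append(m.group(1).lower())
    return hosts


def replay_indicators(raw: str) -> dict:
    """Compare the DKIM signer with the envelope sender and the last relay."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From", ""))
    signers = dkim_signer_domains(msg)
    rp_dom = domain_of(msg.get("Return-Path", ""))
    hops = received_hosts(msg)
    last_hop = hops[0] if hops else ""
    dkim_aligned = any(aligned(from_dom, d) for d in signers)
    return {
        "from_domain": from_dom,
        "dkim_signers": signers,
        "dkim_aligned": dkim_aligned,            # DMARC would pass on this alone
        "return_path_domain": rp_dom,
        "return_path_aligned": aligned(rp_dom, from_dom),
        "last_hop": last_hop,
        "last_hop_aligned": any(aligned(last_hop, d) for d in signers),
        # Valid aligned DKIM plus an unaligned envelope sender is the replay shape.
        "suspect_replay": dkim_aligned and not aligned(rp_dom, from_dom),
    }


if __name__ == "__main__":
    for label, raw in (("replayed", REPLAYED), ("direct", DIRECT)):
        print(label, replay_indicators(raw))
```

Note that DMARC passes here, because the aligned DKIM signature is all it needs, so a DMARC policy alone would not have stopped this. The same Return-Path and last-hop pattern is produced by legitimate forwarding rules and mailing lists, so treat a hit as a triage signal to be paired with the link destination and the sender’s OAuth app name, not as a verdict.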
The Russian state-sponsored threat actor known as APT29 has been linked to an advanced phishing campaign that's targeting diplomatic entities across Europe with a new variant of WINELOADER and a previously unreported malware loader codenamed GRAPELOADER.
https://thehackernews.com/2025/04/apt29-deploys-grapeloader-malware.html
Midnight Blizzard (APT29/Cozy Bear) targets European embassies and Ministries of Foreign Affairs with sophisticated phishing emails disguised as wine tasting invitations. Learn about the new GrapeLoader malware and the updated WineLoader backdoor deployed in this campaign.
https://hackread.com/cozy-bear-wine-lure-wineloader-malware-eu-diplomats/
A new malware-as-a-service (MaaS) platform named 'SuperCard X' has emerged, targeting Android devices via NFC relay attacks that enable point-of-sale and ATM transactions using compromised payment card data. SuperCard X is linked to Chinese-speaking threat actors and shows code similarities with the open-source project NFCGate and its malicious spawn, NGate, which has facilitated attacks in Europe since last year.
https://www.bleepingcomputer.com/news/security/supercard-x-android-malware-use-stolen-cards-in-nfc-relay-attacks/
ASUS has disclosed a critical security flaw impacting routers with AiCloud enabled that could permit remote attackers to perform unauthorized execution of functions on susceptible devices. The vulnerability, tracked as CVE-2025-2492, has a CVSS score of 9.2 out of a maximum of 10.0.
https://thehackernews.com/2025/04/asus-confirms-critical-flaw-in-aicloud.html
A Windows NTLM vulnerability previously thought to be low priority was cast into the spotlight by a newly revealed exploit in the wild. Researchers at Check Point report active exploitation of the flaw, designated CVE-2025-24054, and administrators were advised to test and install Microsoft’s March security fixes to prevent exploitation.
https://www.scworld.com/news/alarms-sound-over-attacks-via-microsoft-ntlm-vulnerability
Windows administrators from numerous organizations report widespread account lockouts triggered by false positives in the rollout of a new Microsoft Entra ID "leaked credentials" detection app called MACE. The alerts and lockouts began overnight, and admins concluded they were false positives because the affected accounts used unique passwords not shared with any other site or application.
https://www.bleepingcomputer.com/news/microsoft/widespread-microsoft-entra-lockouts-tied-to-new-security-feature-rollout/
ClickFix attacks are gaining traction among threat actors, with multiple advanced persistent threat (APT) groups from North Korea, Iran, and Russia adopting the technique in recent espionage campaigns. ClickFix is a social engineering tactic in which malicious websites impersonate legitimate software or document-sharing platforms. Targets are lured via phishing or malvertising, shown a fake error message claiming a document or download failed, and then told to "fix" it by running a command the site has placed on their clipboard, so the victim executes the payload themselves.
https://www.bleepingcomputer.com/news/security/state-sponsored-hackers-embrace-clickfix-social-engineering-tactic/
Microsoft has revealed that nearly 80% of human-operated cyberattacks involve compromised domain controllers, according to a recent blog post published on Wednesday. Alarmingly, in over 30% of these incidents, attackers use the domain controller—a central system in corporate IT networks—to spread ransomware across the organization.
https://www.cysecurity.news/2025/04/majority-of-human-operated-cyberattacks.html
Thousands of 4chan users reported outages Monday night amid rumors on social media that the edgy anonymous imageboard had been ransacked by an intruder, with someone on a rival forum claiming to have leaked its source code, moderator identities, and users' IP addresses.
https://www.theregister.com/2025/04/15/4chan_breached
HP Inc has agreed to pay $4 million to settle a class-action lawsuit in the US that alleged it used deceptive pricing tactics on its website, including fake discounts and misleading limited-time offers.
https://www.theregister.com/2025/04/19/hp_deceptive_pricing_lawsuit
CVE-2025-31161 is a critical authentication bypass vulnerability that affects CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0. This vulnerability allows unauthenticated attackers to bypass authentication and gain unauthorized access to the file transfer system, potentially leading to complete system compromise.
https://www.zerodaily.me/blog/2025-04-13-crushftp-vulnerability
On April 16, 2025, a critical remote code execution (RCE) vulnerability in Erlang/OTP’s SSH library was publicly disclosed. Tracked as CVE-2025-32433, it received the maximum CVSS score of 10.0 because it is reachable before authentication, making it especially dangerous in environments that rely on Erlang/OTP for SSH access.
https://www.upwind.io/feed/cve-2025-32433-critical-erlang-otp-ssh-vulnerability-cvss-10
A tool to decrypt App-Bound encrypted keys in Chrome 127+, using the IElevator COM interface with its path validation and encryption protections.
https://github.com/xaitax/Chrome-App-Bound-Encryption-Decryption