Cybersecurity Newsletter 28th April, 2025
In this week’s news: the DragonForce ransomware gang is re-organizing with a branding model and white labelling; Storm-1977 has conducted password spraying attacks against cloud tenants in the education sector; North Korean hackers posed as crypto companies, using AI and fake job interviews to distribute malware; LLMs are producing insecure code by default; a new rootkit called "Curing" has been released by the company ARMO, leveraging io_uring, a feature built into the Linux kernel, to perform malicious activities; Microsoft warned that Exchange 2016 and Exchange 2019 will reach the end of support in October; and Veritaco CEO Jeffrey Bowie faces charges for allegedly installing malware on hospital computers.
The ransomware scene is re-organizing, with one gang known as DragonForce working to gather other operations under a cartel-like structure. DragonForce is now incentivizing ransomware actors with a distributed affiliate branding model, providing other ransomware-as-a-service (RaaS) operations a means to carry out their business without dealing with the cost and effort of infrastructure maintenance. The group's representative told BleepingComputer that they’re purely financially motivated but also follow a moral compass and are against attacking certain healthcare organizations.
https://www.bleepingcomputer.com/news/security/dragonforce-expands-ransomware-model-with-white-label-branding-scheme/
Microsoft has revealed that a threat actor it tracks as Storm-1977 has conducted password spraying attacks against cloud tenants in the education sector over the past year. "The attack involves the use of AzureChecker.exe, a Command Line Interface (CLI) tool that is being used by a wide range of threat actors," the Microsoft Threat Intelligence team said in an analysis.
https://thehackernews.com/2025/04/storm-1977-hits-education-clouds-with.html
Silent Push reveals a complex scheme in which North Korean hackers posed as crypto companies, using AI and fake job interviews to distribute malware. The campaign, known as Contagious Interview, has a link to the notorious Lazarus Group. Reportedly, Contagious Interview has been tricking people looking for jobs in the crypto world through three different fake cryptocurrency companies: BlockNovas LLC, Angeloper Agency, and SoftGlide LLC. Their goal? To lure job aspirants into downloading harmful software onto their computers.
https://hackread.com/north-korean-hackers-fake-crypto-firms-job-malware-scam/
Some of the world’s most popular large language models (LLMs) are producing insecure code by default, according to a new analysis by Backslash Security. The findings demonstrate the security risks relating to software developers using generative AI tools to create code, particularly using simple, “naïve” prompts. Even prompts that specify general or specific security requirements often result in code containing common vulnerabilities.
https://www.infosecurity-magazine.com/news/llms-vulnerable-code-default/
Russian threat actors have been abusing legitimate OAuth 2.0 authentication workflows to hijack Microsoft 365 accounts of employees of organizations related to Ukraine and human rights. The adversary impersonates officials from European countries and contacts targets through the WhatsApp and Signal messaging platforms. The purpose is to convince potential victims to provide Microsoft authorization codes that give access to accounts, or to click on malicious links that collect logins and one-time access codes.
https://www.bleepingcomputer.com/news/security/hackers-abuse-oauth-20-workflows-to-hijack-microsoft-365-accounts/
Blue Shield of California, a major health insurance provider, has announced that the private information of about 4.7 million of its members was exposed to Google’s advertising and analytics services. This happened over nearly three years, from April 2021 to January 2024.
https://hackread.com/blue-shield-leaked-millions-patient-info-google-years/
At least six organizations in South Korea have been targeted by the prolific North Korea-linked Lazarus Group as part of a campaign dubbed Operation SyncHole. The activity targeted South Korea's software, IT, financial, semiconductor manufacturing, and telecommunications industries, according to a report from Kaspersky published today. The earliest evidence of compromise was first detected in November 2024.
https://thehackernews.com/2025/04/lazarus-hits-6-south-korean-firms-via.html
A new rootkit called "Curing" has been released by the company ARMO. This rootkit leverages io_uring, a feature built into the Linux kernel, to perform malicious activities stealthily without being detected by many current detection solutions on the market. The issue lies in the heavy reliance on monitoring system calls, a method favored by many cybersecurity providers. Attackers can bypass these monitored calls by using io_uring, allowing them to establish network connections or manipulate files without triggering the usual alarms. The rootkit's code is available on GitHub.
https://www.cyberhub.blog/article/4688-new-linux-rootkit-curing-exploits-iouring-for-stealthy-attacks
WhatsApp Inc. v. NSO Group Technologies Limited
https://www.courtlistener.com/docket/16395340/whatsapp-inc-v-nso-group-technologies-limited/?order_by=desc
Western New Mexico University (WNMU) in Silver City, New Mexico, has been severely impacted by a ransomware attack launched by the Russian-linked Qilin hacking group. The attack, detected on April 13, 2025, paralyzed the university's website, phone systems, and other digital infrastructure.
https://dysruptionhub.com/qilin-ransomware-attack-wnmu/
Microsoft warned that Exchange 2016 and Exchange 2019 will reach the end of support six months from now, on October 14. The Exchange Server Engineering Team also shared guidance for admins who need to decommission outdated servers until then, cautioning that Exchange 2016 and Exchange 2019 servers will be exposed to attacks since they'll no longer receive security patches and bug fixes.
https://www.bleepingcomputer.com/news/microsoft/microsoft-exchange-2016-and-2019-reach-end-of-support-in-six-months/
American business services giant and government contractor Conduent disclosed today that client data was stolen in a January 2025 cyberattack. Conduent is a business services company that provides digital platforms and solutions for government and commercial clients in transportation, healthcare, customer experience, and human resources. The company has over 33,000 employees and provides services to half of Fortune 100 companies and over 600 government and transportation agencies.
https://www.bleepingcomputer.com/news/security/govtech-giant-conduent-confirms-client-data-stolen-in-january-cyberattack/
Researchers identified a new malware, named DslogdRAT, deployed after exploiting a now-patched flaw in Ivanti Connect Secure (ICS). The vulnerability, tracked as CVE-2025-0282 (CVSS score: 9.0), is a stack-based buffer overflow that impacts Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3. An unauthenticated attacker can exploit the flaw to achieve remote code execution. A local authenticated attacker can trigger the vulnerability to escalate privileges.
https://securityaffairs.com/177002/malware/jpcert-warns-of-dslogdrat-malware-deployed-in-ivanti-connect-secure.html
Jeffrey Bowie, CEO of the cybersecurity firm Veritaco, is facing two counts of violating Oklahoma’s Computer Crimes Act for allegedly installing malware on employee computers at the Oklahoma City St. Anthony Hospital.
https://securityaffairs.com/177020/cyber-crime/ceo-of-cybersecurity-firm-charged-with-installing-malware-on-hospital-systems.html
New Android spyware is targeting Russian military personnel on the front lines. The trojanized mapping app steals users' locations, contacts, and more. The malware is hidden inside a modified app for the Alpine Quest mapping software, which is used by, among others, hunters, athletes, and Russian personnel stationed in the war zone in Ukraine.
https://arstechnica.com/security/2025/04/russian-military-personnel-on-the-front-lines-targeted-with-new-android-spyware/
New research by cybersecurity firm Panaseer has found that US companies paid out a total of $155m in class action lawsuits related to data breaches over the last six months. In an examination of all data breach class action filings from ClassActions.org and settlements from Top Class Actions between August 2024 and February 2025, the company found that 43 lawsuits were filed, and 73 settlements were reached.
https://www.infosecurity-magazine.com/news/lawsuits-total-155m-cybersecurity/
German software company SAP has finally disclosed and fixed a highly critical vulnerability in the NetWeaver Visual Composer development server after evidence of exploitation in the wild. NetWeaver Visual Composer is SAP’s web-based modelling tool that allows business process experts and developers to build business application components without requiring manual coding.
https://www.infosecurity-magazine.com/news/sap-fixes-critical-vulnerability/
British retail giant Marks & Spencer (M&S) has suspended online orders while working to recover from a recently disclosed cyberattack. The multinational retailer operates over 1,400 stores, has 64,000 employees globally, and sells various products, including clothing, food, and home goods.
https://www.bleepingcomputer.com/news/security/marks-and-spencer-pauses-online-orders-after-cyberattack/
Baltimore City Public Schools notified tens of thousands of employees and students of a data breach following an incident in February when unknown attackers hacked into its network. Established in 1829, the public school district provides primary and secondary education to 76,841 enrolled students through 164 schools and programs.
https://www.bleepingcomputer.com/news/security/baltimore-city-public-schools-data-breach-affects-over-31-000-people/
The Interlock ransomware group claims it stole 20TB of sensitive patient data from DaVita Healthcare. The group has leaked 1.5TB so far and is offering the rest of the data, which includes the personal details of millions of patients, for a price.
https://hackread.com/interlock-ransomware-stole-davita-healthcare-data/
A recent Windows security update that creates an ‘inetpub’ folder has introduced a new weakness allowing attackers to prevent the installation of future updates. After people installed this month's Microsoft Patch Tuesday security updates, Windows users suddenly found an "inetpub" folder owned by the SYSTEM account created in the root of the system drive, normally the C: drive.
https://www.bleepingcomputer.com/news/microsoft/windows-inetpub-security-fix-can-be-abused-to-block-future-updates/
A record-breaking botnet composed of 1.33 million internet-connected devices has been used to launch large-scale DDoS attacks, as global attack volumes continue to rise sharply. Security researchers say the size of the network rivals the population of small countries and highlights a growing threat stemming from outdated, unsecured devices—especially across developing nations.
https://dailysecurityreview.com/security-spotlight/massive-1-33-million-device-botnet-drives-unprecedented-ddos-attacks-surge-in-q1-2025/
On January 27, 2025, Frederick Health Medical Group detected a ransomware attack on its IT systems. The health system immediately alerted law enforcement and retained a third-party forensic firm to assess the breach. Investigators confirmed that an unauthorized actor accessed their network and copied files from a shared server on the same day.
https://dailysecurityreview.com/security-spotlight/frederick-health-data-breach-impacts-934326-patients/
Cybersecurity researchers have detailed the activities of an initial access broker (IAB) dubbed ToyMaker that has been observed handing over access to double extortion ransomware gangs like CACTUS. The IAB has been assessed with medium confidence to be a financially motivated threat actor, scanning for vulnerable systems and deploying a custom malware called LAGTOY (aka HOLERUN).
https://thehackernews.com/2025/04/toymaker-uses-lagtoy-to-sell-access-to.html