CyberSecurity Newsletter March 24th, 2025
In this week’s news: Oracle denies it was breached even though a threat actor shared proof of access; North Korea is allegedly operating a dedicated cybercrime facility focused on artificial intelligence; Coinbase was the primary target of the recent GitHub Actions supply chain attack; the Graphite spyware, developed by the Israeli firm Paragon Solutions, was used to target high-profile individuals through WhatsApp; the Chinese espionage group FishMonger has been linked to a contractor indicted by the DOJ; cybercriminals are abusing Microsoft's Trusted Signing platform; the RansomHub RaaS backdoor Betruger is a "rare example of a multi-function backdoor"; and malicious VSCode Marketplace extensions were found deploying in-development ransomware.
Oracle denies it was breached after a threat actor claimed to be selling 6 million data records allegedly stolen from the company's Oracle Cloud federated SSO login servers. "There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data," the company told BleepingComputer. This statement comes after a threat actor known as rose87168 released multiple text files containing a sample database, LDAP information, and a list of the companies whose data they claimed was stolen from Oracle Cloud's SSO platform. As further proof of access to Oracle Cloud servers, the threat actor shared an Internet Archive snapshot (https://web.archive.org/web/20250301161517/http:/login.us2.oraclecloud.com/oamfed/x.txt?x) showing that they had uploaded a .txt file containing their ProtonMail email address to the login.us2.oraclecloud.com server. An attacker-chosen file being served from the SSO login host would indicate write access to that server, not merely possession of leaked data.
https://www.bleepingcomputer.com/news/security/oracle-denies-data-breach-after-hacker-claims-theft-of-6-million-data-records/
The government of North Korea is allegedly operating a dedicated facility for cybercrime with a focus on artificial intelligence. The North Korea-focused outlet Daily NK reported that the reclusive state opened a new facility dubbed "Research Center 227." The facility is said to operate 24 hours a day and to coordinate with the government’s Reconnaissance General Bureau (RGB).
https://www.scworld.com/news/north-korea-launches-hacking-hub-focused-on-artificial-intelligence
Researchers have determined that Coinbase was the primary target in a recent GitHub Actions cascading supply chain attack that compromised secrets in hundreds of repositories. According to new reports from Palo Alto Unit 42 and Wiz, the attack was carefully planned and began when malicious code was injected into the reviewdog/action-setup@v1 GitHub Action. It is unclear how the initial compromise occurred, but the threat actors modified the action to dump CI/CD secrets and authentication tokens into GitHub Actions logs, where anyone with read access to the workflow run could collect them.
https://www.bleepingcomputer.com/news/security/coinbase-was-primary-target-of-recent-github-actions-breaches/
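The attack above worked because downstream workflows referenced the action by a mutable tag (v1) rather than an immutable commit SHA, so a retargeted tag was picked up automatically, and because the payload wrote secrets into logs. The following script is an added example, not code from the original article, from reviewdog, or from any of the vendors named: it flags `uses:` references in a workflow that are not pinned to a full commit SHA, and it scans CI log text for GitHub tokens both in the clear and inside (nested) base64 blobs. The workflow, the log lines, and the token value are constructed for the example; the `gh?_` token prefixes and the 36-character minimum body length are assumptions about GitHub's token format.

```python
import base64
import re

# Constructed sample workflow; not taken from any real repository.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: reviewdog/action-setup@v1
      - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - uses: some-org/some-action@main
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")


def classify_uses(ref: str) -> str:
    """Classify how an action reference is pinned.

    'sha'           immutable 40-hex commit pin
    'mutable'       tag or branch; whoever controls the repo (or an attacker) can retarget it
    'local'         relative path inside this repo, versioned with the workflow itself
    'docker'        container image without a digest (mutable)
    'docker-digest' container image pinned by sha256 digest
    """
    if ref.startswith("./"):
        return "local"
    if ref.startswith("docker://"):
        return "docker-digest" if "@sha256:" in ref else "docker"
    if "@" not in ref:
        return "mutable"
    _, _, version = ref.rpartition("@")
    return "sha" if SHA_RE.match(version) else "mutable"


def find_unpinned(workflow_text: str):
    """Return (line number, reference, kind) for every reference that is not immutably pinned."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        kind = classify_uses(ref)
        if kind in ("mutable", "docker"):
            findings.append((lineno, ref, kind))
    return findings


# Assumed GitHub token shape: prefix ghp_/gho_/ghu_/ghs_/ghr_ followed by 36+ alphanumerics.
TOKEN_RE = re.compile(r"\b(gh[pousr]_[A-Za-z0-9]{36,})\b")
# Anything that looks like a base64 run long enough to hide a token.
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

# Constructed fake token and a double-base64-encoded log line carrying it.
FAKE_TOKEN = "ghp_" + "0123456789abcdefghijklmnopqrstuvwxyzABCD"
_inner = base64.b64encode(f"token={FAKE_TOKEN}".encode()).decode()
_double = base64.b64encode(_inner.encode()).decode()
SAMPLE_LOG = f"""\
2025-03-14T10:00:00Z Run reviewdog/action-setup@v1
2025-03-14T10:00:01Z ::group::setup
2025-03-14T10:00:02Z {_double}
2025-03-14T10:00:03Z ::endgroup::
"""


def find_leaked_tokens(log_text: str, max_depth: int = 2):
    """Return sorted GitHub-style tokens found in the log, decoding base64 blobs up to max_depth levels."""
    hits = set()

    def scan(text: str, depth: int) -> None:
        for m in TOKEN_RE.finditer(text):
            hits.add(m.group(1))
        if depth == 0:
            return
        for blob in B64_RE.findall(text):
            try:
                decoded = base64.b64decode(blob, validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                continue  # not valid base64, or not text once decoded
            scan(decoded, depth - 1)

    scan(log_text, max_depth)
    return sorted(hits)


if __name__ == "__main__":
    for lineno, ref, kind in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} ({kind})")
    print("leaked tokens:", find_leaked_tokens(SAMPLE_LOG))
```

Pinning to a commit SHA only covers the references in your own workflows; an action you pin can itself call other actions by mutable tag, which is how one compromised action cascades into many repositories. Treat any workflow run that executed the malicious revision as having leaked every secret available to it and rotate those credentials rather than relying on log scanning alone.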
Cybersecurity researchers at the Citizen Lab at the University of Toronto have exposed the use of sophisticated spyware named Graphite, developed by the Israeli firm Paragon Solutions, to target high-profile individuals through WhatsApp. Their investigation reveals that a previously unknown zero-day vulnerability in WhatsApp’s software let the spyware be installed through a zero-click exploit, requiring no interaction from the victim and giving adversaries unauthorized access to the targeted phones.
https://hackread.com/israeli-spyware-graphite-hit-whatsapp-0-click-exploit/
A Chinese cyber-espionage group known as FishMonger has been directly linked to I-SOON, a technology contractor recently indicted by the US Department of Justice (DOJ) for its role in global cyber-attacks.
https://www.infosecurity-magazine.com/news/fishmonger-apt-group-linked-isoon/
Russian zero-day broker Operation Zero is looking for exploits for the popular messaging app Telegram, offering up to $4 million for them.
https://securityaffairs.com/175709/hacking/operation-zero-offers-4m-for-telegram-exploits.html
Cybercriminals are abusing Microsoft's Trusted Signing platform to code-sign malware executables with short-lived three-day certificates. Threat actors have long sought code-signing certificates because a signed binary appears to come from a legitimate company and draws less scrutiny from security tools. The short certificate lifetime is a weak mitigation on its own: a signature that carries a trusted timestamp stays valid after the signing certificate expires, so the signed malware remains trusted until the certificate is actually revoked.
https://www.bleepingcomputer.com/news/security/microsoft-trust-signing-service-abused-to-code-sign-malware/
The UK's National Cyber Security Centre (NCSC) has published specific timelines for migrating to post-quantum cryptography (PQC), advising that critical organizations complete their migration by 2035.
https://www.bleepingcomputer.com/news/security/uk-urges-critical-orgs-to-adopt-quantum-cryptography-by-2035/
A newly identified custom backdoor deployed in several recent ransomware attacks has been linked to at least one RansomHub ransomware-as-a-service (RaaS) operation affiliate. Symantec researchers who named this malware Betruger describe it as a "rare example of a multi-function backdoor" that was likely engineered for use in ransomware attacks.
https://www.bleepingcomputer.com/news/security/ransomhub-ransomware-uses-new-betruger-multi-function-backdoor/
Veeam released security patches for a critical Backup & Replication vulnerability that could let attackers remotely execute code.
https://securityaffairs.com/175674/slider/veeam-critical-backup-replication-vulnerability.html
Two malicious VSCode Marketplace extensions were found deploying in-development ransomware, exposing critical gaps in Microsoft's review process. The extensions, named "ahban.shiba" and "ahban.cychelloworld," were downloaded seven and eight times, respectively, before they were eventually removed from the store.
https://www.bleepingcomputer.com/news/security/vscode-extensions-found-downloading-early-stage-ransomware/
Attackers have started targeting Cisco Smart Licensing Utility (CSLU) instances unpatched against a vulnerability exposing a built-in backdoor admin account. The CSLU Windows application allows admins to manage licenses and linked products on-premises without connecting them to Cisco's cloud-based Smart Software Manager solution.
https://www.bleepingcomputer.com/news/security/critical-cisco-smart-licensing-utility-flaws-now-exploited-in-attacks/
A data breach at the Pennsylvania State Education Association (PSEA) exposed the personal information of 517,487 individuals. PSEA is a labor union representing teachers, education support professionals, and other school employees in Pennsylvania.
https://securityaffairs.com/175681/data-breach/pennsylvania-state-education-association-data-breach.html
A critical vulnerability in American Megatrends International’s (AMI) MegaRAC Baseboard Management Controller (BMC) software allows attackers to remotely hijack and potentially brick vulnerable servers. This impacts numerous server vendors, posing a significant threat to enterprise businesses.
https://dailysecurityreview.com/security-spotlight/critical-megarac-bug-lets-attackers-hijack-and-brick-servers/
Two known threat activity clusters codenamed Head Mare and Twelve have likely joined forces to target Russian entities, new findings from Kaspersky reveal. "Head Mare relied heavily on tools previously associated with Twelve. Additionally, Head Mare attacks utilized command-and-control (C2) servers exclusively linked to Twelve prior to these incidents," the company said. "This suggests potential collaboration and joint campaigns between the two groups."
https://thehackernews.com/2025/03/kaspersky-links-head-mare-to-twelve.html
A component of Check Point’s ZoneAlarm antivirus software is being exploited by threat actors in malicious campaigns to bypass Windows security measures. Nima Bagheri, an Austin-based security researcher and founder of Venak Security, shared details of a new Bring Your Own Vulnerable Driver (BYOVD) attack in a March 20 report.
https://www.infosecurity-magazine.com/news/cybercriminals-exploit-checkpoint/
Valve has removed from its Steam store the game title 'Sniper: Phantom's Resolution' following multiple users reporting that the demo installer infected their systems with information stealing malware. The game, published under the developer name 'Sierra Six Studios,' was supposed to be an early preview of the title with a release planned in the coming months.
https://www.bleepingcomputer.com/news/security/steam-pulls-game-demo-infecting-windows-with-info-stealing-malware/
Malwarebytes researchers have spotted a campaign consisting of a slew of malicious ads shown by Google Search when users look for Semrush. “Each ad uses a unique domain name which does a redirect to more static domains dedicated to the fake Semrush and Google account login pages,” Malwarebytes researcher Jérôme Segura explained.
https://www.helpnetsecurity.com/2025/03/21/malicious-ads-target-semrush-users-to-steal-google-account-credentials/
Hackers are actively exploiting year-old ServiceNow flaws (CVE-2024-4879, CVE-2024-5217, CVE-2024-5178) for database access. Security researchers at threat intelligence firm GreyNoise have issued a warning regarding a significant increase in malicious activity targeting these three previously disclosed vulnerabilities in ServiceNow, a cloud-based platform that helps organizations automate and manage their digital workflows.
https://hackread.com/attacks-exploit-servicenow-flaws-israel-hit-hardest/
The threat actors behind the Medusa ransomware-as-a-service (RaaS) operation have been observed using a malicious driver dubbed ABYSSWORKER as part of a bring your own vulnerable driver (BYOVD) attack designed to disable anti-malware tools. Elastic Security Labs said it observed a Medusa ransomware attack that delivered the encryptor by means of a loader packed using a packer-as-a-service (PaaS) called HeartCrypt.
https://thehackernews.com/2025/03/medusa-ransomware-uses-malicious-driver.html
The U.S. Department of the Treasury announced that it has removed sanctions against Tornado Cash, a cryptocurrency mixer used by North Korean Lazarus hackers to launder hundreds of millions of dollars stolen in multiple crypto heists. The Department's Office of Foreign Assets Control (OFAC) sanctioned Tornado Cash in August 2022 for helping launder over $7 billion since its creation in 2019.
https://www.bleepingcomputer.com/news/security/us-removes-sanctions-against-tornado-cash-crypto-mixer/