CyberSecurity Newsletter March 31st, 2025
In this week’s news: Russian authorities arrested three suspects for developing Mamont, OPKSSH was officially open-sourced, OpenAI now pays researchers $100,000 for critical vulnerabilities, a breach at Oracle Health impacts multiple US healthcare organizations and hospitals, 46 new security flaws were found in products from three solar inverter vendors, and threat hunters have managed to infiltrate the online infrastructure associated with a ransomware group called BlackLock.
Russian authorities arrested three suspects in Saratov for developing Mamont (Russian for mammoth), a recently discovered Android banking trojan.
https://securityaffairs.com/175935/cyber-crime/russian-authorities-arrest-three-suspects-behind-mamont-android-banking-trojan.html
OPKSSH was officially open-sourced under the umbrella of the OpenPubkey project. While OpenPubkey itself became a Linux Foundation open-source initiative in 2023, OPKSSH remained closed-source until now. Originally developed and maintained by BastionZero (now part of Cloudflare), Cloudflare has gifted the code for OPKSSH to the OpenPubkey project, marking a milestone for open identity-based authentication in infrastructure access.
https://www.helpnetsecurity.com/2025/03/28/opkssh-sso-ssh/
Artificial intelligence company OpenAI has announced a fivefold increase in the maximum bug bounty reward for "exceptional and differentiated" critical security vulnerabilities, from $20,000 to $100,000. OpenAI says its services and platforms are used by 400 million users across businesses, enterprises, and governments worldwide every week. "We are significantly increasing the maximum bounty payout for exceptional and differentiated critical findings to $100,000 (previously $20,000)," the company said.
https://www.bleepingcomputer.com/news/security/openai-now-pays-researchers-100-000-for-critical-vulnerabilities/
A breach at Oracle Health impacts multiple US healthcare organizations and hospitals after a threat actor stole patient data from legacy servers. Oracle Health has not yet publicly disclosed the incident, but in private communications sent to impacted customers and from conversations with those involved, BleepingComputer confirmed that patient data was stolen in the attack.
https://www.bleepingcomputer.com/news/security/oracle-health-breach-compromises-patient-data-at-us-hospitals/
Windows devices have been targeted with attacks involving the novel CoffeeLoader malware, which masquerades as Taiwanese computer hardware firm ASUS's Armoury Crate utility to covertly distribute the Rhadamanthys information-stealing malware and other malicious payloads.
https://www.scworld.com/brief/new-coffeeloader-malware-spoofs-utility-to-deliver-infostealers
Cybersecurity researchers have disclosed 46 new security flaws in products from three solar inverter vendors, Sungrow, Growatt, and SMA, that could be exploited by a bad actor to seize control of devices or execute code remotely, posing severe risks to electrical grids.
https://thehackernews.com/2025/03/researchers-uncover-46-critical-flaws.html
Cybersecurity researchers are calling attention to a new sophisticated malware called CoffeeLoader that's designed to download and execute secondary payloads. The malware, according to Zscaler ThreatLabz, shares behavioral similarities with another known malware loader known as SmokeLoader.
https://thehackernews.com/2025/03/coffeeloader-uses-gpu-based-armoury.html
Google’s fixing of CVE-2025-2783, a Chrome zero-day vulnerability exploited by state-sponsored attackers, has spurred Firefox developers to check whether the browser might have a similar flaw – and they found it. There’s currently no indication that the Firefox bug (CVE-2025-2857) is under active exploitation, but this should not be surprising: according to Statcounter, Chrome is used by 66.3% of internet users worldwide and Firefox only by 2.62%.
https://www.helpnetsecurity.com/2025/03/28/critical-firefox-tor-browser-sandbox-escape-flaw-fixed-cve-2025-2857/
A recent analysis published by Infoblox reveals a sophisticated phishing operation, dubbed Morphing Meerkat, actively exploiting DNS vulnerabilities for years to conduct highly effective phishing campaigns. According to researchers, this operation utilizes a phishing-as-a-service (PhaaS) platform, enabling both technical and non-technical cybercriminals to launch targeted attacks.
https://hackread.com/morphing-meerkat-phishing-kit-dns-spoof-brands/
In what's an instance of hacking the hackers, threat hunters have managed to infiltrate the online infrastructure associated with a ransomware group called BlackLock, uncovering crucial information about their modus operandi in the process. Resecurity said it identified a security vulnerability in the data leak site (DLS) operated by the e-crime group that made it possible to extract configuration files, credentials, as well as the history of commands executed on the server.
https://thehackernews.com/2025/03/blacklock-ransomware-exposed-after.html
A data leak involving a whopping 2.87 billion Twitter (X) users has surfaced on the infamous Breach Forums. According to a post by a user named ThinkingOne, the leak is the result of a disgruntled X employee who allegedly stole the data during a period of mass layoffs. If true, this would be the largest social media data leak in history, but surprisingly, neither X nor the broader public appears to be aware of it.
https://hackread.com/twitter-x-of-2-8-billion-data-leak-an-insider-job/
Three security bypasses have been discovered in Ubuntu Linux’s unprivileged user namespace restrictions, which could enable a local attacker to exploit vulnerabilities in kernel components. The issues allow local unprivileged users to create user namespaces with full administrative capabilities and affect Ubuntu 23.10, where the unprivileged user namespace restrictions are available as an opt-in setting, and Ubuntu 24.04, where they are active by default.
https://www.bleepingcomputer.com/news/security/new-ubuntu-linux-security-bypasses-require-manual-mitigations/
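The Ubuntu item above turns on one question: can an unprivileged local process still create a user namespace, and so hold a full capability set inside it, despite the restriction? The probe below is an added example written for this newsletter, not code from the linked article, Qualys or Canonical. It forks, calls unshare(CLONE_NEWUSER) in the child, and reports either the errno the kernel returned or the child's effective capability set read from /proc/self/status. It assumes Linux and that Ubuntu's AppArmor-based restriction (the sysctl kernel.apparmor_restrict_unprivileged_userns) surfaces as EPERM from unshare() for an unconfined process.

```c
/* Added example: probe whether this user can create an unprivileged user
 * namespace. Not code from the article, Qualys or Canonical. Linux only.
 * Build: cc -Wall -o userns_probe userns_probe.c && ./userns_probe */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000   /* value from <linux/sched.h> */
#endif
int unshare(int flags);            /* glibc prototype, in case _GNU_SOURCE was seen too late */

struct userns_probe {
    int rc;                      /* 0 = namespace created; >0 = errno from unshare(); -1 = probe error */
    unsigned long long cap_eff;  /* CapEff inside the new namespace, valid when rc == 0 */
};

/* Parse the CapEff line of /proc/self/status for the calling process. */
static unsigned long long read_cap_eff(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    unsigned long long caps = 0;
    if (!f)
        return 0;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            caps = strtoull(line + 7, NULL, 16);
            break;
        }
    }
    fclose(f);
    return caps;
}

/* CAP_SYS_ADMIN is bit 21 of the Linux capability mask. */
int has_cap_sys_admin(unsigned long long cap_eff)
{
    return (int)((cap_eff >> 21) & 1ULL);
}

/* Run unshare(CLONE_NEWUSER) in a forked child so the caller's own namespace
 * is untouched (and the child is single-threaded, as CLONE_NEWUSER requires);
 * the child reports its result back over a pipe. */
struct userns_probe probe_userns(void)
{
    struct userns_probe result = { -1, 0 }, child = { 0, 0 };
    int fd[2];
    pid_t pid;

    if (pipe(fd) < 0)
        return result;
    pid = fork();
    if (pid < 0) {
        close(fd[0]);
        close(fd[1]);
        return result;
    }
    if (pid == 0) {
        close(fd[0]);
        if (unshare(CLONE_NEWUSER) != 0)
            child.rc = errno;              /* EPERM: the restriction (or seccomp) refused us */
        else
            child.cap_eff = read_cap_eff(); /* full set expected inside a fresh user namespace */
        if (write(fd[1], &child, sizeof child) < 0)
            _exit(1);
        _exit(0);
    }
    close(fd[1]);
    ssize_t n = read(fd[0], &child, sizeof child);
    close(fd[0]);
    waitpid(pid, NULL, 0);
    if (n == (ssize_t)sizeof child)
        result = child;
    return result;
}

const char *userns_verdict(const struct userns_probe *p)
{
    if (p->rc == -1)
        return "probe failed";
    if (p->rc == 0)
        return has_cap_sys_admin(p->cap_eff)
            ? "unrestricted: user namespace created with CAP_SYS_ADMIN inside it"
            : "user namespace created (CapEff could not be read)";
    return "restricted";
}

int main(void)
{
    struct userns_probe p = probe_userns();
    printf("%s", userns_verdict(&p));
    if (p.rc > 0)
        printf(" (unshare: %s)", strerror(p.rc));
    if (p.rc == 0)
        printf(" CapEff=%016llx", p.cap_eff);
    printf("\n");
    return 0;
}
```

A "restricted" result only describes the context the probe ran in; it does not demonstrate the absence of the bypasses the article describes, so the manual mitigations it lists remain the check to apply. Run it as an ordinary user, not root, since a process that already holds CAP_SYS_ADMIN is allowed to create user namespaces regardless of the restriction.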
The Walmart-owned membership warehouse club chain Sam’s Club is investigating claims of a Cl0p ransomware security breach.
https://securityaffairs.com/175999/cyber-crime/sams-club-investigates-alleged-cl0p-ransomware-breach.html
A hacker going by the alias “GHNA” has dumped a staggering 270,000 customer tickets from Samsung Germany online, completely free of charge. The data, which appears to be sourced from samsung-shop.spectos.com, didn’t come from some sophisticated zero-day exploit or insider betrayal. No, this breach traces back to credentials stolen by infostealers way back in 2021. Credentials that cybercrime intelligence firm, Hudson Rock, has had in its database for years.
https://www.infostealers.com/article/samsung-tickets-data-leak-infostealers-strike-again-in-massive-free-dump/
The U.S. DOJ seized over $8.2 million in USDT stolen through ‘romance baiting’ scams, where victims are tricked into fake investments promising high returns.
https://securityaffairs.com/175990/cyber-crime/fbi-and-doj-seize-8-2-million-in-romance-baiting-crypto-fraud-scheme.html
The Grandoreiro banking trojan has resurfaced: Forcepoint X-Labs researchers warn of new phishing campaigns targeting users in Latin America and Europe. The trojan has been active since 2016; it initially targeted Brazil but expanded to Mexico, Portugal, and Spain from 2020 onward.
https://securityaffairs.com/175964/malware/crooks-are-reviving-the-grandoreiro-banking-trojan.html
ThreatFabric researchers discovered a new Android trojan called Crocodilus, which abuses accessibility features to steal banking and crypto credentials and mainly targets users in Spain and Turkey.
https://securityaffairs.com/175976/malware/new-sophisticate-crocodilus-mobile-banking-trojan.html
Microsoft has removed the 'BypassNRO.cmd' script from Windows 11 preview builds, which allowed users to bypass the requirement to use a Microsoft Account when installing the operating system.
https://www.bleepingcomputer.com/news/microsoft/microsofts-killing-script-used-to-avoid-microsoft-account-in-windows-11/
PoC for CVE-2025-0282: A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution.
https://github.com/absholi7ly/CVE-2025-0282-Ivanti-exploit