Daily Brief
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2025-04-21 17:47:06 | theregister | NATION STATE ACTIVITY | Rapid Weaponization of Microsoft Flaw by Global Cyber Attackers | On March 11, Microsoft issued patches including a fix for CVE-2025-24054, which was rated as low exploitability. Within just eight days, attackers had weaponized the vulnerability to target entities in Poland and Romania. CVE-2025-24054 allows attackers to leak NTLM hash credentials, enabling them to impersonate users and access secured resources. Researchers identified that the initial attack vector was phishing emails containing a malicious Dropbox link to a ZIP file which, when opened, leaked NTLM hashes. The leaked credentials were sent to SMB servers controlled by attackers across multiple countries, including Russia and Bulgaria. Security company Check Point emphasized the importance of quick patch application to prevent such rapid exploitation. Apple also released patches for two zero-day exploits observed in targeted attacks, improving security for iOS and iPadOS devices. |
| 2025-04-21 16:45:39 | thehackernews | NATION STATE ACTIVITY | North Korean Hackers Exploit BlueKeep Flaw Targeting South Korea, Japan | North Korean state-sponsored group Kimsuky employed the BlueKeep RDP vulnerability (CVE-2019-0708) to infiltrate systems in South Korea and Japan. The campaign, named Larva-24005, utilized phishing attacks and malware such as MySpy and RDPWrap to maintain access and escalate privileges. Security patches for the exploited vulnerabilities, including the critical BlueKeep flaw, had been released by Microsoft as early as May 2019. Attackers installed keyloggers, including KimaLogger and RandomQuery, to monitor and capture victim keystrokes. Victims primarily included entities within the software, energy, and financial sectors, indicating a strategic selection of targets. The operation signals ongoing cybersecurity risks posed by state-sponsored actors in the geopolitical landscape of East Asia. This incident underscores the importance of timely system updates and comprehensive cybersecurity defenses against complex threat vectors. |
| 2025-04-21 16:36:06 | bleepingcomputer | MISCELLANEOUS | Microsoft Entra Lockout Triggered by Internal Token Logging Error | Microsoft recently confirmed that Entra account lockouts were due to improperly logged user refresh tokens. The issue started after a new enterprise application, "MACE Credential Revocation," was erroneously linked to the lockouts. Microsoft disclosed that it mistakenly logged actual account refresh tokens instead of just metadata, leading to unauthorized token invalidation. Alerts were triggered within Entra ID Protection, mistakenly indicating potential credential compromises. The mistaken logging and subsequent token invalidation occurred without any actual unauthorized access to the tokens. Affected users received instructions to mark their accounts as safe in Microsoft Entra to regain account access. Microsoft has rectified the internal logging error and plans to issue a Post Incident Review to all affected parties once its investigation is complete. |
| 2025-04-21 15:16:57 | thehackernews | MALWARE | SuperCard X Malware Targets NFC Payments for Fraudulent Withdrawals | SuperCard X, a new Android malware-as-a-service, enables NFC relay attacks to facilitate contactless fraud at ATMs and PoS terminals. Cybercriminals use social engineering, including smishing and deceptive calls, urging victims to install malicious applications masquerading as security tools. The malware captures payment card data by tricking victims into bringing their payment cards near their infected mobile devices. Harvested card details are relayed to a threat actor-controlled device, allowing unauthorized transactions through emulated cards. The scheme involves custom-built "Reader" apps on victims' devices and "Tapper" apps on attackers' devices, coordinating via HTTP for command and control. Communication security is enhanced via mutual TLS, with affiliates creating tailored malware versions for specific campaigns. Google is developing Android features to block installations from unknown sources and disable permissions to enhance security against such threats. The campaign poses a significant financial risk, targeting not just banking institutions but also payment providers and card issuers directly. |
| 2025-04-21 11:27:19 | thehackernews | MISCELLANEOUS | Overcoming Device Management Limitations with Device Trust | Traditional device management tools such as MDM and EDR provide essential security but are not sufficient alone, because they cannot manage unenrolled devices and leave gaps in operating system coverage. Unmanaged devices like personal laptops and contractor devices pose significant security risks, as they often bypass organizational security policies and remain outside the security purview, making them prime targets for attackers. Device trust offers a more comprehensive approach by ensuring visibility and security compliance across all devices, including those not managed by the organization, using a privacy-preserving authenticator. Integration issues between device management tools and access management systems can lead to security lapses; device trust addresses this by incorporating real-time device risk assessments into access decisions. Misconfigurations in device management tools can create security vulnerabilities; device trust can help ensure these tools are properly configured and integrated, enhancing overall security defenses. Device trust provides broader coverage across multiple operating systems, including those less commonly supported by traditional MDM and EDR tools, improving security for diverse organizational environments. Adopting a device trust framework allows organizations to enforce stricter compliance and security measures, effectively mitigating advanced threats and reducing the risk of data breaches. |
| 2025-04-21 10:18:36 | thehackernews | CYBERCRIME | Exploited Windows Flaw Among Top Cybersecurity Threats This Week | A recently identified Windows flaw, CVE-2025-24054, initially patched in a Microsoft update, has been actively exploited by threat actors to obtain NTLM password hashes. Attackers leverage vulnerabilities in products such as ASUS software, Microsoft Windows, and various other platforms including Apple iOS and macOS, highlighting the week's critical security weaknesses. High-profile malware campaigns targeting systems in Ukraine and Colombia were linked to the known hacking groups UAC-0194 and Blind Eagle. The article emphasizes the importance of timely software updates to mitigate risk, showcasing several newly discovered CVEs that pose potential threats to system security. Cybersecurity solutions are evolving to focus on zero trust architectures and AI-driven protection strategies to counteract sophisticated AI-powered threats. Practical advice for individual cybersecurity hygiene includes using burner emails to manage spam and track data breaches effectively. General cybersecurity recommendations include staying vigilant about minor security settings and endpoint management to prevent accidental breaches. The narrative concludes by underscoring that many cybersecurity breaches stem not from forceful attacks, but from exploiting overlooked or minor vulnerabilities. |
| 2025-04-21 07:04:44 | thehackernews | MALWARE | Russian Host Proton66 Linked to Global Malware and Phishing Campaigns | Cybersecurity researchers identified a spike in malicious activities from Proton66, a Russian bulletproof hosting service, targeting global organizations since January 8, 2025. Proton66 IP addresses were involved in mass scanning, credential brute-forcing, and exploitation attempts, with some IPs previously inactive or unseen in malicious contexts. Malicious actors utilized the Proton66 network to host command-and-control servers for malware families such as GootLoader and SpyNote, and to orchestrate phishing operations. Compromised WordPress sites linked to Proton66 redirected Android users to fake Google Play pages, tricking them into downloading malicious APK files targeting French, Spanish, and Greek speakers. Trustwave's analysis detailed the deployment of malware like XWorm, StrelaStealer, and WeaXor ransomware via phishing emails and malicious downloads from Proton66-linked IPs. Proton66 connections were also established with Chang Way Technologies, a Hong Kong-based provider, suggesting wider network implications. Organizations are advised to block CIDR ranges associated with Proton66 and associated entities to mitigate the threats. |
| 2025-04-20 17:39:08 | bleepingcomputer | CYBERCRIME | Hackers Exploit Google OAuth in Sophisticated Phishing Scheme | Hackers conducted a phishing attack by misusing Google's OAuth to send emails seemingly from Google's own no-reply address. The phishing email passed DomainKeys Identified Mail (DKIM) authentication, appearing legitimate, but redirected recipients to a fraudulent Google account login page. Nick Johnson, ENS lead developer, identified the scam after noticing that the support link directed to a sites.google.com URL rather than the official Google account page. The attackers utilized a clever ruse involving a registered domain, a Google Workspace account, and an application named with a deceptive message full of whitespace to hide its true intentions. The email, authenticated by Google due to valid DKIM signatures, was forwarded from the attacker's address to potential victims, effectively bypassing typical email security checks. Similar phishing tactics were also attempted using PayPal accounts by manipulating the platform's gift address feature to pass security verifications. Google has acknowledged the vulnerability after an initial dismissal and is currently working on a fix, while PayPal has not responded to inquiries. |
| 2025-04-20 14:20:20 | bleepingcomputer | NATION STATE ACTIVITY | State-Sponsored Hackers Employ ClickFix in Espionage Attacks | ClickFix is a social engineering tactic where threat actors mimic legitimate platforms to execute malware via deceptive error messages and "Fix" buttons. Kimsuky, MuddyWater, APT28, and UNK_RemoteRogue (APT groups from North Korea, Iran, and Russia) have adopted ClickFix in recent espionage efforts. These attacks primarily utilized phishing or malvertising to lead targets to malicious sites, tricking them into manually executing harmful scripts. Notable incidents include MuddyWater targeting Middle Eastern organizations with fake Microsoft security updates and Kimsuky deceiving think tank members using emails posing as diplomatic correspondence from Japan. Russian group UNK_RemoteRogue targeted two firms linked to a major arms manufacturer with spoofed emails and a fake Microsoft Word interface to deploy JavaScript and PowerShell-based backdoors. APT28 impersonated Google Spreadsheet and reCAPTCHA interfaces to facilitate unauthorized remote access and control via custom SSH tunnels and Metasploit. General advice against such threats includes caution against running unsolicited commands, especially with administrator privileges, to prevent malware infection and unauthorized system access. Proofpoint and Microsoft's Threat Intelligence teams are actively monitoring these campaigns, highlighting the continued prevalence and success of ClickFix among nation-state actors. |
| 2025-04-20 05:05:13 | thehackernews | NATION STATE ACTIVITY | APT29 Targets European Diplomats Using Sophisticated Malware | APT29, a Russian state-sponsored threat actor, employs GRAPELOADER malware in phishing attacks aimed at European diplomatic entities. The campaign leverages wine-tasting event lures, sending malware-infected email attachments to diplomatic personnel. GRAPELOADER functions as an initial-stage tool for fingerprinting and delivering payloads, evolving from previous malware with enhanced anti-analysis capabilities. WINELOADER, an associated malware used in later stages, was also observed in the campaign, delivered via DLL side-loading techniques. The attacks focus primarily on Ministries of Foreign Affairs in various European countries and possibly target diplomats in the Middle East. GRAPELOADER facilitates persistent access to infected systems by modifying the Windows Registry, triggering the malware to launch at system reboot. The campaign's discovery correlates with heightened activity by Russian cyber operations across Europe. |
| 2025-04-19 22:04:36 | bleepingcomputer | MISCELLANEOUS | Widespread Account Lockouts Due to Microsoft Security Tool Glitch | Widespread account lockouts occurred across various organizations following the rollout of a new security feature in Microsoft Entra ID. Microsoft Entra ID's "MACE Credential Revocation" app, intended for detecting leaked credentials, mistakenly locked users out. Administrators reported on Reddit that about a third of their accounts were affected, with protected accounts showing no prior signs of compromise. The lockouts were triggered by false positive detections of credential leaks; the leak notifications were not corroborated by services like Have I Been Pwned. An engineer attributed the issue to an error with the conditional access policy caused by the MACE application's abrupt implementation. Microsoft has not publicly acknowledged the specific cause of the problem. Some admins were reassured after discussions with Microsoft support that the lockouts were due to a technical error rather than actual security breaches. An MDR provider reported a high volume of false leak notifications affecting numerous customer accounts. |
| 2025-04-19 15:18:04 | thehackernews | MALWARE | Malicious npm Packages Plant SSH Backdoors via Fake Library | Cybersecurity researchers at Socket discovered three malicious npm packages pretending to be a popular Node.js Telegram bot API. These rogue packages, created to mimic 'node-telegram-bot-api', contain SSH backdoors and data exfiltration capabilities. The packages utilize a deceitful method known as 'starjacking' to boost perceived authenticity and trick developers into downloading them. Once installed, the malicious packages add SSH keys to Linux systems, allowing attackers persistent, unauthorized remote access. In addition to SSH backdoor insertion, the scripts exfiltrate system usernames and IP addresses, maintaining contact with a C2 server. The impacted packages are still available for download, posing ongoing threats to unsuspecting users. Removing the malicious packages does not fully mitigate the risk, because the added SSH keys persist. |
| 2025-04-19 15:18:04 | bleepingcomputer | MALWARE | SuperCard X Malware Targets NFC Payments via Android Devices | SuperCard X is a malware-as-a-service (MaaS) targeting Android through NFC relay attacks exploiting stolen payment card data. The malware is linked to Chinese-speaking cybercriminals and integrates techniques from NFCGate and its derivative, NGate. Distributed through Telegram, SuperCard X allows attackers to conduct fraudulent transactions at point-of-sale terminals and ATMs. Scams start with a fake message urging the victim to install a malicious "security" app, which then reads NFC payment data when a card is tapped on the phone. The malware remains undetected by antivirus tools on VirusTotal and avoids detection through minimal permission requests and a lack of aggressive features. Payment data is transmitted to attackers over mutual TLS, enabling them to emulate the victim's card for small, seemingly legitimate transactions. Despite its evasion techniques, no apps containing SuperCard X have been found on Google Play, according to Google's response citing the protection measures of Google Play Protect. |
| 2025-04-19 14:10:25 | bleepingcomputer | MALWARE | Public Exploits Available for Critical Erlang/OTP SSH Flaw | Public exploits have been released for a critical SSH vulnerability in Erlang/OTP, enabling remote code execution by unauthenticated attackers. The vulnerability, tracked as CVE-2025-32433 and recently disclosed by researchers at Ruhr University Bochum, affects all devices running the affected Erlang/OTP SSH daemon. The Erlang/OTP platform is notably used in telecommunications, databases, and high-availability systems, complicating immediate updates. Researchers and groups such as Zero Day Initiative and Horizon3 have developed functional exploits, highlighting the ease of exploitation. PoC exploits are circulating publicly on platforms like GitHub and Pastebin, raising the urgency for protective measures. The heavy use of the SSH protocol in critical infrastructure makes this vulnerability particularly alarming, with potential targeting by nation state actors. Over 600,000 IP addresses are possibly affected, many of them related to CouchDB instances running on Erlang/OTP. Immediate patching of affected systems is recommended to mitigate potential threats from the widespread exploit availability. |
| 2025-04-19 13:11:32 | theregister | MISCELLANEOUS | Widespread Pranks on US Crosswalks Utilize AI-Spoofed Billionaire Voices | Crosswalk buttons in various US cities were hacked to emit AI-generated voices of well-known billionaires like Jeff Bezos, Elon Musk, and Mark Zuckerberg. The audio messages, which included parodies and social commentary, caused disruptions, especially for visually impaired pedestrians relying on standard audio cues. Simple and poorly secured access via a freely available mobile app allowed unauthorized users to manipulate the crosswalk systems. The default passcode, "1234", had widely been left unchanged, making the systems susceptible to such pranks. Following the incidents, the mobile configuration app was removed from public app stores to prevent further unauthorized access. Cities are working to enhance security measures and change default PINs to safeguard the crosswalk systems against future exploits. The manufacturer, Polara, clarified that its system's network was not compromised but that unauthorized access was indeed gained using default or valid credentials. These pranks have highlighted the vulnerabilities associated with using default credentials in production environments and brought attention to potential cybersecurity oversights in public infrastructure. |