Daily Brief
Articles are listed below; the Summary column holds generated summaries, and each row links to a 'Details' page.
Total articles found: 12809
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-03-26 12:04:16 | thehackernews | MALWARE | Malicious npm Packages Modify 'ethers' Library for Persistent Attacks | Researchers identified two malicious npm packages, ethers-provider2 and ethers-providerz, that patch the locally installed 'ethers' npm package to stage further malware.
ethers-provider2, downloaded 73 times, modifies 'ethers' by replacing one of its files with a version that fetches and launches a reverse shell, giving the attackers remote control of the infected system.
Removing ethers-provider2 does not undo the change: the patched 'ethers' library keeps working for the attacker until it is cleaned or reinstalled from a trusted source.
The attack runs in stages; the install-time payload downloads and executes further code from a remote server and deletes its temporary files afterwards to hide traces.
The second stage keeps checking for the 'ethers' library and re-patches it whenever it is present or reinstalled.
Despite the small download count, such packages matter because of the persistence and control they give over affected systems.
The incident illustrates the sophistication of software supply chain attacks and the need to verify third-party open-source packages both before and after installation. | Details |
| 2025-03-26 12:04:15 | bleepingcomputer | MALWARE | New Malicious npm Packages Install Persistent Backdoors | Two malicious npm packages, 'ethers-provider2' and 'ethers-providerz', were found to contain code that patches other, legitimate packages to plant backdoors.
The packages target legitimate local installations, inserting a reverse shell backdoor that persists even after the original malicious package is removed.
ReversingLabs identified the attack during a routine security review and noted its covert operation and persistence mechanisms.
'ethers-provider2' is a trojanized copy of the legitimate 'ssh2' package and patches the locally installed 'ethers' package, while 'ethers-providerz' targets '@ethersproject/providers'.
Even if the original malicious package is uninstalled, the patched legitimate package retains the backdoor and continues to compromise the system.
Some earlier versions of these packages contained flaws that kept them from working fully, but corrected versions may well be reintroduced.
ReversingLabs also published a YARA rule to help developers scan their environments for remnants of these and related threats.
General advice includes strict verification of package provenance and review of package code for suspicious elements such as obfuscated commands or external calls. | Details |
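The two reports above describe a package whose install hook patches a different, legitimate package, so that neither removing the malicious package nor scanning it tells you whether `node_modules` is still clean. The script below is an added example (not ReversingLabs' code or the articles' own tooling) of the two checks that catch that pattern: listing every installed package that declares an install-time lifecycle hook, and comparing a hash baseline taken after a clean `npm ci --ignore-scripts` against the tree as it stands now. The package and file names used in `demo()` are constructed stand-ins, not the real paths the malware patches.

```python
"""Audit a node_modules tree for install-time hooks and post-install tampering.

Added example, not code from ReversingLabs or from the articles. It assumes a
workflow where a hash baseline is recorded right after a clean
`npm ci --ignore-scripts` and re-checked later; the package and file names used
in demo() are constructed stand-ins, not the real paths the malware patches.
"""
import hashlib
import json
import os
import tempfile

# npm runs these hooks automatically on install unless --ignore-scripts is used.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def hash_tree(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff_tree(baseline, current):
    """Classify drift since the baseline; 'modified' is where a patched library shows up."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def find_lifecycle_scripts(node_modules):
    """List (package, hook, command) for every package.json that declares an install-time hook."""
    findings = []
    for dirpath, _dirs, files in os.walk(node_modules):
        if "package.json" not in files:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                meta = json.load(fh)
        except (OSError, ValueError):
            continue  # test fixtures and broken manifests are not worth a crash
        scripts = meta.get("scripts") or {}
        pkg = meta.get("name") or os.path.relpath(dirpath, node_modules)
        findings.extend((pkg, hook, scripts[hook]) for hook in LIFECYCLE_HOOKS if hook in scripts)
    return findings


def demo():
    """Run the audit on a constructed node_modules tree that mimics the reported behaviour."""
    with tempfile.TemporaryDirectory() as tmp:
        nm = os.path.join(tmp, "node_modules")

        def write(rel, text):
            path = os.path.join(nm, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(text)

        # Constructed: a legitimate-looking library and a dependency that declares a postinstall hook.
        write("ethers/package.json", json.dumps({"name": "ethers", "version": "6.0.0"}))
        write("ethers/lib/provider.js", "module.exports = { request(url) { return fetch(url); } };\n")
        write("evil-provider/package.json", json.dumps({
            "name": "evil-provider", "version": "1.0.0",
            "scripts": {"postinstall": "node install.js"}}))
        write("evil-provider/install.js", "// a real install hook would fetch a second stage here\n")
        baseline = hash_tree(nm)  # taken after the clean, scripts-disabled install

        # Simulate what the reports describe: the library file is rewritten and a loader dropped.
        write("ethers/lib/provider.js", "require('child_process').spawn('sh');\nmodule.exports = {};\n")
        write("ethers/lib/loader.js", "// dropped by the second stage\n")

        return {"hooks": find_lifecycle_scripts(nm), "drift": diff_tree(baseline, hash_tree(nm))}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline has to be taken from an install that ran with scripts disabled, otherwise the hook has already fired and the patched file becomes the "known good" state. A lifecycle hook is not proof of malice (many native packages need one), so the hook list is a review queue, while unexplained drift in a package you did not upgrade is the finding that warrants reinstalling from a trusted source.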
| 2025-03-26 11:29:31 | thehackernews | MALWARE | Ransomware Defense: The Importance of Continuous Validation | Ransomware attacks progress through stages, and each stage offers a window for detection and prevention.
Most organizations miss the early indicators, such as shadow copy deletion and process injection, which lets attackers escalate quietly.
Continuous ransomware validation simulates these attacks so that an organization can confirm its systems detect and respond appropriately before a real attacker reaches the ransom stage.
The three stages of a ransomware attack are pre-encryption groundwork, the encryption lockout, and the post-encryption ransom demand.
Key indicators of compromise (IOCs) to monitor include shadow copy deletion, mutex creation, process injection, and service termination.
Automated security validation tools integrate into existing security workflows, reducing the burden on IT teams while checking that defenses hold against evolving threats.
Regular, continuous testing is critical; annual testing is insufficient against fast-evolving ransomware tactics. | Details |
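The pre-encryption indicators named above (shadow copy deletion, process injection, service termination) are only useful if something is actually matching on them, which is what a validation run checks. The script below is an added example, not from the article, showing what that detection logic looks like run over a few constructed, Sysmon-like JSON-lines events: per-event rules for the command-line indicators, a remote-thread rule for injection, and a per-host roll-up that escalates when several distinct indicators appear together. The event shape, patterns, allowlist and threshold are assumptions to be tuned to local telemetry; mutex creation is left out because it is not in default process-creation telemetry.

```python
"""Score pre-encryption ransomware indicators in endpoint telemetry.

Added example, not from the article (a vendor piece on continuous validation).
The JSON-lines event shape below is a constructed, Sysmon-like stand-in, and the
patterns, allowlist and escalation threshold are assumptions to be tuned locally.
"""
import json
import re
from collections import defaultdict

# Process-creation rules: (indicator name, pattern over the command line).
PROCESS_RULES = [
    ("shadow_copy_deletion", re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|"
        r"vssadmin(\.exe)?\s+resize\s+shadowstorage|Win32_ShadowCopy.*\bDelete\b", re.I)),
    ("recovery_tampering", re.compile(
        r"bcdedit(\.exe)?.*recoveryenabled\s+no|bcdedit(\.exe)?.*bootstatuspolicy\s+ignoreallfailures|"
        r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("service_termination", re.compile(
        r"(net1?(\.exe)?\s+stop|sc(\.exe)?\s+stop|taskkill(\.exe)?\s+.*?/im)\s+\S*"
        r"(veeam|backup|sql|vss|sophos|mcafee|msexchange)", re.I)),
]

# Remote-thread creation from these source images is treated as benign (assumption; tune it).
INJECTION_SOURCE_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wbem\wmiprvse.exe",
}


def evaluate(rec):
    """Return the indicator names a single event matches."""
    hits = []
    if rec.get("event") == "process_create":
        cmd = rec.get("cmdline", "")
        hits.extend(name for name, pat in PROCESS_RULES if pat.search(cmd))
    elif rec.get("event") == "create_remote_thread":
        # Injection shows up as a thread started in another process (Sysmon event 8 shape).
        if rec.get("source_image", "").lower() not in INJECTION_SOURCE_ALLOWLIST:
            hits.append("process_injection")
    return hits


def scan(lines):
    """Evaluate JSON-lines telemetry; return (alerts, distinct indicators per host)."""
    alerts, per_host = [], defaultdict(set)
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        rec = json.loads(raw)
        for name in evaluate(rec):
            alerts.append((rec["ts"], rec["host"], name))
            per_host[rec["host"]].add(name)
    return alerts, dict(per_host)


def escalate(per_host, threshold=2):
    """Hosts showing several different pre-encryption indicators are likely mid-attack."""
    return sorted(h for h, inds in per_host.items() if len(inds) >= threshold)


# Constructed sample: ws01 does the full groundwork, ws02 is benign noise, ws03 injects then kills a DB.
SAMPLE_LOG = """
{"ts":"2025-03-26T09:00:01Z","host":"ws01","event":"process_create","cmdline":"vssadmin.exe delete shadows /all /quiet"}
{"ts":"2025-03-26T09:00:02Z","host":"ws01","event":"process_create","cmdline":"bcdedit /set {default} recoveryenabled no"}
{"ts":"2025-03-26T09:00:03Z","host":"ws01","event":"process_create","cmdline":"net stop VeeamBackupSvc"}
{"ts":"2025-03-26T09:05:00Z","host":"ws02","event":"process_create","cmdline":"vssadmin list shadows"}
{"ts":"2025-03-26T09:05:01Z","host":"ws02","event":"create_remote_thread","source_image":"C:\\\\Windows\\\\System32\\\\csrss.exe","target_image":"C:\\\\Windows\\\\explorer.exe"}
{"ts":"2025-03-26T09:10:00Z","host":"ws03","event":"create_remote_thread","source_image":"C:\\\\Users\\\\bob\\\\AppData\\\\Local\\\\Temp\\\\upd.exe","target_image":"C:\\\\Windows\\\\explorer.exe"}
{"ts":"2025-03-26T09:10:04Z","host":"ws03","event":"process_create","cmdline":"taskkill /f /im sqlservr.exe"}
"""


def run_sample():
    """Scan the constructed telemetry and return alerts plus the hosts to escalate."""
    alerts, per_host = scan(SAMPLE_LOG.splitlines())
    return {"alerts": alerts, "escalate": escalate(per_host)}


if __name__ == "__main__":
    for alert in run_sample()["alerts"]:
        print(alert)
```

A validation run replays exactly these command lines and thread creations on a test host and checks that every one of them produced an alert and that the host was escalated; a rule that has silently rotted (a renamed service, a new vssadmin spelling) shows up as a missing row, which is the gap the article argues annual testing leaves open for a year.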
| 2025-03-26 11:09:38 | theregister | MISCELLANEOUS | NCSC Engages Influencers to Promote 2FA Cybersecurity | The UK's National Cyber Security Centre (NCSC) has employed popular social media influencers to promote two-factor authentication (2FA) as a part of its Stop! Think Fraud campaign.
Influencers from various backgrounds, including comedy and personal finance, are creating content to demonstrate the effectiveness of 2FA in preventing unauthorized access.
One skit by thesquidvids humorously illustrates how cybercriminals are thwarted by 2FA, showcasing its importance in securing accounts.
This approach aims to reach a broader audience and enhance public awareness about the benefits of enabling strong account protections.
NCSC's initiative reflects a broader strategy, which includes podcasts, blog posts, and other social media engagements, to bolster national cybersecurity.
The campaign is supported by Action Fraud and the National Crime Agency (NCA) to combat fraud, which has been described as a life-ruining crime.
This marks the second instance where NCSC has utilized influencer marketing, following a previous campaign about Christmas scams. | Details |
| 2025-03-26 10:16:39 | thehackernews | DATA BREACH | How PAM Safeguards Organizations Against Insider Threats | Insider threats pose significant financial and reputational risks to organizations, often leading to serious data breaches.
Privileged Access Management (PAM) is crucial in controlling and monitoring access to sensitive systems, effectively mitigating insider risks.
Insider incidents, especially those involving privileged accounts, are among the most costly, averaging USD 4.99 million per incident.
Advanced PAM solutions automate the discovery and management of privileged accounts, reducing the opportunity for insider abuse.
Implementing PAM practices like least privilege and just-in-time access can drastically limit unauthorized access and potential damage.
PAM technologies ensure that remote access and third-party interactions are secure, minimizing risks from external collaborators.
The combination of user activity monitoring and automated responses is effective in detecting and mitigating insider threats promptly.
Beyond preventing insider threats, PAM enhances overall operational efficiency, compliance, and security of organizational systems. | Details |
| 2025-03-26 08:56:00 | thehackernews | CYBERCRIME | Atlantis AIO: New Tool Powering Mass Credential Stuffing Attacks | Threat actors are using a cybercrime tool named Atlantis AIO Multi-Checker to perform automated credential stuffing on over 140 platforms.
Atlantis AIO enables cybercriminals to test millions of stolen credentials rapidly, which are typically acquired through data breaches or underground forums.
Unlike brute-force attacks, which guess many passwords for one account, the tool replays username and password pairs stolen elsewhere against accounts on many platforms, one attempt per pair.
Atlantis AIO ships with pre-configured modules for a wide range of targets, including email services, e-commerce sites, and financial institutions.
The tool is marketed with features that preserve the operator's anonymity and with promises of high success rates. | Details |
Credential stuffing facilitated by Atlantis AIO can lead to account takeovers, fraud, data theft, and the sale of access credentials on dark web marketplaces.
To combat these threats, it is recommended for organizations to enforce strong password policies and implement multi-factor authentication that is resistant to phishing attempts. | Details |
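Because credential stuffing replays one stolen pair per account rather than many passwords against one account, a per-account lockout never fires; the signal is on the source side: one IP touching many distinct accounts in a short window with a high failure rate. The script below is an added example, not from the article or from the Atlantis AIO analysis it reports on, that finds that pattern in a constructed "timestamp ip username outcome" log and lists the accounts where a stuffing source succeeded, which are the ones to lock and re-verify. The log format and the thresholds are assumptions to be tuned to real traffic.

```python
"""Flag credential-stuffing sources in an authentication log.

Added example, not from the article or from the analysis of Atlantis AIO it
reports on. The log format ("timestamp ip username outcome") and the thresholds
are constructed assumptions a defender would tune to their own traffic.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def parse(lines):
    """Yield (timestamp, ip, username, outcome) from constructed log lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, ip, user, outcome = line.split()
        yield datetime.fromisoformat(ts), ip, user.lower(), outcome


def find_stuffing_sources(lines, window=timedelta(minutes=10), min_accounts=5, min_fail_ratio=0.8):
    """Return {ip: stats} for sources that, within any sliding window, hit many distinct
    accounts with mostly failures: the signature of replayed breach credentials, as
    opposed to brute force, which hammers one account with many passwords."""
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in parse(lines):
        by_ip[ip].append((ts, user, outcome))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            win = events[start:end + 1]
            accounts = {u for _, u, _ in win}
            failures = sum(1 for _, _, o in win if o == "FAIL")
            if len(accounts) >= min_accounts and failures / len(win) >= min_fail_ratio:
                flagged[ip] = {
                    "accounts": len({u for _, u, _ in events}),
                    "attempts": len(events),
                    "failures": sum(1 for _, _, o in events if o == "FAIL"),
                    # Successes from a stuffing source are the accounts to lock and re-verify.
                    "compromised": sorted({u for _, u, o in events if o == "SUCCESS"}),
                }
                break
    return flagged


# Constructed sample: a stuffing source (one pair per account), a normal user, and a brute forcer.
SAMPLE_LOG = """
2025-03-26T08:00:00 198.51.100.7 alice FAIL
2025-03-26T08:00:01 198.51.100.7 bob FAIL
2025-03-26T08:00:02 198.51.100.7 carol FAIL
2025-03-26T08:00:03 198.51.100.7 dave FAIL
2025-03-26T08:00:04 198.51.100.7 erin SUCCESS
2025-03-26T08:00:05 198.51.100.7 frank FAIL
2025-03-26T08:00:06 198.51.100.7 grace FAIL
2025-03-26T08:00:07 198.51.100.7 heidi FAIL
2025-03-26T08:02:00 203.0.113.5 bob FAIL
2025-03-26T08:02:20 203.0.113.5 bob FAIL
2025-03-26T08:02:45 203.0.113.5 bob SUCCESS
2025-03-26T08:03:00 192.0.2.9 admin FAIL
2025-03-26T08:03:01 192.0.2.9 admin FAIL
2025-03-26T08:03:02 192.0.2.9 admin FAIL
2025-03-26T08:03:03 192.0.2.9 admin FAIL
2025-03-26T08:03:04 192.0.2.9 admin FAIL
2025-03-26T08:03:05 192.0.2.9 admin FAIL
"""


if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(SAMPLE_LOG.splitlines()).items():
        print(ip, stats)
```

The brute-force source against `admin` is deliberately not flagged here: it is a different attack with a different detector (failures per account), and conflating the two is how stuffing slips past account-centric controls. Phishing-resistant MFA, as the article recommends, turns the `SUCCESS` row above into a failed second factor instead of an account takeover.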
| 2025-03-26 06:45:43 | bleepingcomputer | NATION STATE ACTIVITY | Google Patches Chrome Zero-Day Used in Russian Espionage Efforts | Google recently addressed a severe zero-day vulnerability in Chrome, tracked as CVE-2025-2783, exploited for espionage against Russian entities.
The vulnerability allowed attackers to escape the browser's sandbox and deploy sophisticated malware during cyber-espionage attacks.
The exploit was discovered by researchers at Kaspersky, who observed it in use in a campaign they call Operation ForumTroll, where opening an attacker-controlled link in Chrome was enough to trigger it.
This campaign targeted Russian organizations through phishing attacks that simulated emails from a legitimate scientific forum.
Besides the initial exploit, attackers used a second vulnerability enabling remote code execution; however, details on this remain undisclosed.
Google pushed the fix to the Stable Desktop channel for Windows; it is offered as soon as Chrome checks for updates.
Researchers recommend updating Chrome to mitigate the risk and disrupt the exploit chain used in the attacks.
This incident marks the first Chrome zero-day patched in 2025, following ten zero-days addressed by Google in the previous year. | Details |
| 2025-03-26 05:00:21 | thehackernews | NATION STATE ACTIVITY | Google Chrome Patch Addressing Espionage-Linked Zero-Day Exploit | Google has issued an out-of-band update for a high-severity Chrome vulnerability, CVE-2025-2783, exploited in targeted attacks in Russia.
The flaw involves incorrect handling in Chrome's Mojo IPC libraries on Windows, enabling attackers to bypass sandbox protections.
Kaspersky attributes the exploitation to a likely state-sponsored cyber-espionage group targeting media, educational, and government entities in Russia.
This vulnerability marks the first actively exploited Chrome zero-day of the year, having been discovered and reported by Kaspersky researchers on March 20, 2025.
Victims were infected through phishing emails carrying links that posed as invitations from a legitimate scientific forum; visiting the link in Chrome was enough, with no further user action required.
The exploit chain for CVE-2025-2783 appears highly sophisticated, possibly involving an additional, undiscovered exploit for executing remote code.
Google has remediated the issue in Chrome version 134.0.6998.177/.178 for Windows, urging users to update their browsers immediately.
The attack, dubbed Operation ForumTroll by Kaspersky, indicates a high level of customization in phishing links and emails to ensure successful infiltration and espionage. | Details |
| 2025-03-26 04:25:18 | thehackernews | CYBERCRIME | New Security Flaws in VMware and CrushFTP Demand Urgent Patches | Broadcom has released patches for a high-severity flaw in VMware Tools for Windows, tracked as CVE-2025-22230 with a CVSS score of 7.8, that allows an authentication bypass.
The vulnerability lets a non-administrative user on a Windows guest VM perform certain high-privilege operations within that VM; VMware Tools versions 11.x.x and 12.x.x are affected.
No workaround is available for this VMware issue; updating to version 12.5.1 is required to mitigate the risk.
A separate flaw in CrushFTP versions 10 and 11 allows unauthenticated access through an exposed HTTP(S) port; current reports do not show it being exploited in the wild.
The CrushFTP vulnerability, which has not yet been assigned a CVE identifier, is mitigated by placing the server behind the product's DMZ function until the patch is applied.
Both issues warrant urgent attention because earlier weaknesses in VMware Tools and CrushFTP have been exploited by malicious actors.
Organizations using VMware Tools and CrushFTP are advised to apply the security updates promptly to avoid potential breaches and unauthorized access. | Details |
| 2025-03-25 20:18:06 | bleepingcomputer | CYBERCRIME | Urgent Patch Issued for CrushFTP Unauthenticated Access Vulnerability | CrushFTP advised users to patch servers immediately against an unauthenticated HTTP(S) port access vulnerability, before attackers reach unpatched servers exposed on the internet.
The vulnerability affects all CrushFTP v11 versions, not only v10 as initially reported, according to a correction from cybersecurity company Rapid7.
A temporary workaround involves activating the DMZ (demilitarized zone) feature as a protection measure until updates can be applied.
Over 3,400 online instances of CrushFTP might be vulnerable to attacks, creating potential security risks.
The flaw was addressed in the latest patch, CrushFTP v11.3.1+, which resolves the unauthenticated access issue.
Previous vulnerabilities, including a zero-day exploit in April 2024 and a critical RCE in November 2023, have been exploited by ransomware gangs and politically motivated intelligence campaigns.
CrushFTP remains a high-value target for cyberattacks due to its role in delivering enterprise file transfer capabilities. | Details |
| 2025-03-25 19:53:29 | bleepingcomputer | MISCELLANEOUS | Cloudflare R2 Outage Triggered by Credential Rotation Error | Cloudflare's R2 service and related functionalities experienced a 1-hour, 7-minute outage, notably affecting global write and partial read capabilities.
The disruption occurred when new credentials were deployed to the development environment instead of production because a required command-line flag was omitted.
When the old credentials were then deleted, the production backend could no longer authenticate to the storage layer; because the error showed up only as a gradual decline in metrics, the mistake was recognized after a delay.
Despite no data loss, the incident severely impacted the service availability, prompting an internal review and procedural changes at Cloudflare.
To prevent future errors, Cloudflare has enhanced credential logging, verification processes, and mandated automated deployment tools.
The company has also revised its standard operating procedures, including a requirement for dual validation of critical operations to enhance service reliability.
This event marks another significant human error-related outage at Cloudflare this year, following a similar incident in February due to improper handling of an abuse report. | Details |
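The post-mortem summarized above comes down to an ordering problem: the old credential was revoked before anything had proved that production was already using the new one. The script below is an added example, not Cloudflare's code or the tooling named in its report, of a rotation routine that makes that proof a precondition of revocation. `Backend`, `Env` and `probe` are constructed stand-ins for a storage layer that validates credentials, the per-environment secret a gateway reads, and a health check that exercises the deployed credential; the `demo()` replays the mistargeted rotation and then a correct one.

```python
"""Two-phase credential rotation that refuses to revoke until nothing still uses the old secret.

Added example, not Cloudflare's code or the tooling named in the post-mortem.
Backend, Env and probe are constructed stand-ins for a storage backend that
validates credentials, the per-environment config a gateway reads them from, and
a health check that exercises the deployed credential against that backend.
"""


class RotationAborted(Exception):
    """Raised when a rotation step fails verification; the old credential stays valid."""


class Backend:
    """Stand-in for the storage layer that accepts a set of credentials."""

    def __init__(self, creds):
        self.valid = set(creds)

    def accepts(self, cred):
        return cred in self.valid

    def add(self, cred):
        self.valid.add(cred)

    def revoke(self, cred):
        self.valid.discard(cred)


class Env:
    """Stand-in for one deployment environment's secret configuration."""

    def __init__(self, name, cred):
        self.name = name
        self.deployed = cred

    def deploy(self, cred):
        self.deployed = cred


def probe(env, backend):
    """Health check: can this environment authenticate with the credential it has deployed?"""
    return backend.accepts(env.deployed)


def rotate(backend, envs, target, old, new):
    """Rotate `old` to `new` for the environment named `target` (no default: the caller must say which).

    1. register the new credential alongside the old one;
    2. deploy it to the target environment;
    3. verify the target now authenticates with the new credential;
    4. verify no environment still has the old credential deployed;
    5. only then revoke the old credential.
    """
    backend.add(new)
    envs[target].deploy(new)
    if not probe(envs[target], backend):
        raise RotationAborted(f"{target} cannot authenticate with the new credential")
    still_on_old = [e.name for e in envs.values() if e.deployed == old]
    if still_on_old:
        raise RotationAborted(f"{still_on_old} still deploy the old credential; revocation refused")
    backend.revoke(old)
    return True


def demo():
    """Replay the failure mode (rotation aimed at the wrong environment), then the correct run."""
    results = {}

    # Mistargeted: the operator means to rotate production's key but deploys it to dev.
    backend = Backend({"old-key"})
    envs = {"dev": Env("dev", "old-key"), "prod": Env("prod", "old-key")}
    try:
        rotate(backend, envs, target="dev", old="old-key", new="new-key")
        results["mistargeted"] = "revoked"
    except RotationAborted as exc:
        results["mistargeted"] = str(exc)
    results["prod_healthy_after_mistarget"] = probe(envs["prod"], backend)

    # Correct: every environment that used the old key is rotated before revocation.
    backend = Backend({"old-key"})
    envs = {"dev": Env("dev", "dev-key"), "prod": Env("prod", "old-key")}
    results["correct"] = rotate(backend, envs, target="prod", old="old-key", new="new-key")
    results["old_still_valid"] = backend.accepts("old-key")
    results["prod_healthy_after_rotate"] = probe(envs["prod"], backend)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Step 4 is the check a missing flag cannot defeat: it does not trust the operator's intent, it inspects where the old credential is actually deployed. In a real system that requires an inventory of credential consumers and a probe that exercises the credential end to end, rather than waiting for error-rate metrics to drift, which in the incident above is what delayed recognition.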
| 2025-03-25 19:22:36 | bleepingcomputer | MALWARE | Broadcom Fixes High-Severity VMware Tools for Windows Vulnerability | Broadcom issued security patches for a high-severity authentication bypass vulnerability in VMware Tools for Windows.
The flaw, tracked as CVE-2025-22230, lets an attacker with low-privileged access to a Windows guest VM perform high-privilege operations without user interaction.
The vulnerability was reported by Sergey Bliznyuk of Positive Technologies, a Russian firm sanctioned by the US government in 2021.
This alert follows the patching of three zero-day vulnerabilities in VMware systems earlier in the month, which were actively exploited.
The Shadowserver platform detected over 37,000 VMware ESXi instances vulnerable to these zero-day attacks across the internet.
VMware vulnerabilities are a prime target for ransomware groups and nation-state actors due to their broad use in managing sensitive corporate operations.
Broadcom's recent advisories have also described exploitation of VMware products by Chinese state-backed hackers, including the deployment of persistent backdoors. | Details |
| 2025-03-25 18:27:49 | bleepingcomputer | CYBERCRIME | New Zero-Day Windows Vulnerability Exposes NTLM Credentials | A new zero-day vulnerability in Windows leaks NTLM hashes when users view malicious files via Windows Explorer.
The vulnerability impacts all Windows versions from Windows 7 to Windows 11 and includes Server versions from 2008 R2 to Server 2025.
ACROS Security discovered the vulnerability and provides free, unofficial micropatches through its 0patch service.
Attackers exploit the flaw by tricking users into opening or viewing a malicious file; the captured NTLM hash can then be relayed or cracked for unauthorized access and lateral movement across the network.
Although the severity depends on network configuration and other factors, vulnerabilities of this type have been used in real-world attacks.
Microsoft has been notified but has not yet released an official fix; details of the vulnerability are withheld until then to mitigate risks.
This vulnerability disclosure follows multiple other reports by 0patch, some of which remain unpatched by Microsoft. | Details |
| 2025-03-25 17:40:20 | theregister | DATA BREACH | Oracle Cloud Denies Breach Amidst Confirmed Data Leak Reports | Oracle Cloud is contesting allegations of a security breach, despite claims by a hacker, rose87168, and confirmation from infosec researchers that stolen data is genuine.
Rose87168 allegedly accessed Oracle's login servers using a known vulnerability and extracted around six million records, including customer security keys and encrypted credentials.
Alon Gal of Hudson Rock confirmed with customers that the data sample provided by the hacker was legitimate and originated from Oracle's production environment.
The leaked data includes sensitive information that could enable supply chain and ransomware attacks if misused.
Experts suggest affected organizations should change their SSO and LDAP credentials and enforce strict password policies and multi-factor authentication.
Oracle maintains that there was no breach and that the credentials published are unrelated to Oracle Cloud systems.
The claim gains credibility because a data set of this size and structure would be difficult to fabricate. | Details |
| 2025-03-25 16:53:00 | bleepingcomputer | MALWARE | EncryptHub Exploits New Windows Zero-Day to Steal Data | EncryptHub, an established threat actor, has exploited a newly discovered Windows zero-day vulnerability, CVE-2025-26633, affecting the Microsoft Management Console.
The vulnerability lets attackers bypass Windows file reputation protections so that a malicious .msc file runs without the usual security warnings.
Microsoft issued an advisory and a patch for this vulnerability as part of its recent Patch Tuesday updates, urging users to update their systems promptly.
The attacks involving this vulnerability were first documented by Trend Micro, who noted that EncryptHub used it to deploy various malicious payloads such as backdoors and data stealers.
EncryptHub has a history of cyber-attacks, having previously been linked to breaches of over 618 organizations worldwide through spear-phishing and social engineering.
The group also has ties to ransomware operations, using stolen data as leverage in ransom negotiations after encrypting victims' files.
Researchers observed the campaign evolving technically over time, indicating ongoing development of the group's tooling and methods.
The case underlines the value of timely patching and of monitoring for unusual console file execution. | Details |