$1.5 billion worth of crypto stolen by Lazarus

The North Korean Lazarus state actor has stolen an unprecedented $1.46 billion in cryptocurrencies from Bybit, a crypto marketplace with 60 million users. The hackers got access through a vulnerability in the user interface of the smart contract wallet platform Safe.global, due to its reliance on externally generated signatures. The attackers manipulated the multi-signature signers responsible for approving transactions after accessing their devices via social engineering or supply-chain compromise. The operation took place at the same time as a similar but smaller hack, which stole $69 million from the Phemex platform.

Black Basta exposed

An unknown person leaked 200K internal chats of BlackBasta. The infamous Russian threat actor was until recently among the most prominent ransomware groups globally. The internal messages provide details about various tactics used by the group and refer to at least 27 CVEs, including seven with confirmed successful exploitation - such as an RCE flaw in Zimbra Collaboration Suite (CVE-2022-27925), the widely exploited PAN-OS vulnerability (CVE-2024-3400) and a Linux Local Privilege Escalation flaw (CVE-2024-1086).

Palo Alto again

A new Palo Alto PAN-OS vulnerability (CVE-2025-0111) has been observed in the wild. The firm warned that the flaw allows “an authenticated attacker with network access to the management web interface to read files on the PAN-OS filesystem that are readable by the ‘nobody’ user”. The vulnerability has apparently been chained with the flaw revealed last week (CVE-2025-0108) and with an older command injection flaw (CVE-2024-9474).

Mitigate it

Under Palo Alto’s Threat Prevention subscription, enable Threat IDs 510000/1

Salt Typhoon's campaign against Cisco escalates

Salt Typhoon’s campaign targeting Cisco devices appears to utilize a larger set of vulnerabilities than previously known. Beyond the reported exploitation of privilege escalation flaws in Cisco IOS XE (CVE-2023-20198, CVE-2023-20273), the sophisticated Chinese actor leveraged a command injection vulnerability in the CLI of Cisco NX-OS Software (CVE-2024-20399), which was extensively used in mid-2024 by another Chinese state actor (Velvet Ant), and a vulnerability in the Smart Install feature of Cisco IOS XE (CVE-2018-0171), which allows an attacker to trigger a reload of an affected device. In a possibly related exploitation case, sophisticated hackers have recently leveraged a vulnerability in Cisco Small Business Routers (CVE-2023-20118) to deploy webshells and advanced backdoors.

Mitigate it

Detect with Qualys QID 317465; Disable the Smart Install Client feature or implement ACLs and Control Plane Policing (CoPP)
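As an added illustration of the Smart Install hardening above (example configuration written for this note, not taken from Cisco or the newsletter's sources): the first block disables the Smart Install client outright, the second restricts the Smart Install port (TCP/4786) at the control plane for devices that cannot simply turn it off. Interface, ACL and class/policy names are placeholders.

```cisco
! --- Option 1: disable the Smart Install client entirely ---
no vstack
! Verify: "Role: Client" should no longer appear
show vstack config

! --- Option 2: block Smart Install traffic (TCP/4786) with an ACL + CoPP ---
! Placeholder ACL: drop Smart Install traffic, permit everything else
ip access-list extended SMI-DENY
 deny   tcp any any eq 4786
 permit ip any any

! Apply it on an uplink/management interface (placeholder interface name)
interface GigabitEthernet0/1
 ip access-group SMI-DENY in

! Control Plane Policing: drop Smart Install packets destined to the device itself
ip access-list extended SMI-ONLY
 permit tcp any any eq 4786
class-map match-all SMI-CLASS
 match access-group name SMI-ONLY
policy-map COPP-POLICY
 class SMI-CLASS
  drop
control-plane
 service-policy input COPP-POLICY
```

Keep Option 1 where the device never needs Smart Install; Option 2 only limits exposure and should be paired with the vendor patch.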

Chinese cybercrime is also targeting Checkpoint

A Chinese campaign named Green Nailao is targeting a vulnerability in Checkpoint gateways (CVE-2024-24919) against European healthcare organizations. The flaw is used to exfiltrate user credentials and to connect to the VPN through a legitimate account, providing initial access to the victim’s systems. The campaign subsequently deploys the PlugX malware (and its successor ShadowPad), in some cases resulting in the dropping of the NailaoLocker ransomware. It is unclear which specific Chinese group is leveraging the vulnerability, which was popular among threat actors in 2024. In any case, after Mustang Panda’s moonlighting as RA Ransomware as reported last week, the Green Nailao attacks are another case of a financially motivated Chinese campaign utilizing malware strains developed and managed by sophisticated state actors.

Mitigate it

In Cortex XDR, use the Behavioral Threat Protection, the Credential Gathering Protection and the Anti-Webshell Protection

Another Chinese cybercrime group is focusing on known vulnerabilities

CISA and the FBI warned about Ghost (aka Cring), a financially motivated Chinese ransomware group which has compromised organizations in 70 countries since 2021. The group gains initial access to its victims by exploiting known vulnerabilities, such as in FortiOS (CVE-2018-13379), Adobe ColdFusion (CVE-2010-2861, CVE-2009-3960), SharePoint (CVE-2019-0604) and Microsoft Exchange (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207). After gaining initial access, the group quickly deploys ransomware rather than focusing on achieving persistence.

China's accusations against the NSA

The PRC government and Chinese private cybersecurity firms are accusing the NSA of being behind a campaign targeting organizations in the country with 41 malware strains. Chinese sources claimed that the responsible threat group, APT-C-40, is affiliated with Equation - a nickname for NSA’s Tailored Access Operations (TAO) division. According to the Chinese claims, the attacks included the exploitation of zero-days in Oracle Solaris systems.

Quick-and-dirty LockBit-based operation targets Atlassian Confluence

LockBit operators are currently compromising Windows servers through maliciously crafted HTTP POST requests exploiting a critical RCE vulnerability in Atlassian Confluence servers (CVE-2023-22527). The campaign presents a significantly low Time-to-Ransom (TTR), as ransomware is deployed less than two hours after gaining initial access. The LockBit cybercrime group was dismantled one year ago by a US-led law enforcement operation, but other gangs have since utilized LockBit’s ransomware for their own purposes.

Mitigate it

Apply the Check Point NGFW “Atlassian Confluence Template Injection (CVE-2023-22527)” IPS rule; Palo Alto Threat ID 92195; and the Trend Micro “HTTP: Atlassian Confluence Data Center and Server Template Injection Vulnerability” signature

An Oracle vulnerability is under attack

Threat actors are targeting a vulnerability in Oracle Agile Product Lifecycle Management (PLM) software (CVE-2024-20953), patched last January. The flaw, which allows authenticated users to execute code, has apparently been exploited in the post-compromise stage. In November 2024, another Agile PLM vulnerability (CVE-2024-21287) was already reported as exploited in the wild.

Flaws exploited in website development platforms

Two RCE vulnerabilities in Craft CMS (Craft Content Management System; CVE-2025-23209, CVE-2024-56145) are currently under exploitation. Craft is a platform providing developers with the ability to create custom websites, and is used in tens of thousands of websites. In parallel, Microsoft patched an exploited vulnerability in Power Pages (CVE-2025-24989), Microsoft’s low-code SaaS platform used to create and manage business websites. The flaw allows attackers to bypass the user registration process and elevate privileges.

Mitigate it

For Craft CMS: delete old keys in '.env' files and generate new ones using the 'php craft setup/security-key' command

New Ivanti flaws are raising concerns

Concerns were raised after the release of a POC exploit for four recently patched vulnerabilities in Ivanti Endpoint Manager (CVE-2024-10811, CVE-2024-13159/60/61). By exploiting these flaws, an attacker might force the EPM server to connect to a remote UNC path and consequently add a machine account while providing it with delegation rights. This would result in the compromise of all the EPM clients as well.

DOGE's security issues

The website launched by Elon Musk’s DOGE suffered from various serious database vulnerabilities. The flaws were leveraged by different hacktivists to post provocative messages on the website, such as “THESE ‘EXPERTS’ LEFT THEIR DATABASE OPEN”. In the meantime, under DOGE’s recommendation, the administration has decided to lay off 130 CISA employees.

In 61% of exploitations, a POC is weaponized in less than 48 hours

A new report shows that in 61% of the cases observed in 2024, attackers were able to weaponize new exploit code within 48 hours. It also claims that 60% of the exploited vulnerabilities against the healthcare sector were in Microsoft Exchange (ProxyShell and ProxyLogon). Moreover, SSRF attacks surged in 2024, with AI lowering entry barriers and old SSRF vulnerabilities resurfacing, especially in Microsoft Exchange (CVE-2022-41040) and VMware vRealize (CVE-2021-21975).
