Qilin's new wave of attacks

Qilin has taken credit for attacks on a large Japanese hospital, the Houston Symphony, the health ministry of the Pacific island nation of Palau and Lee Enterprises, a large American media company owning 350 local magazines. The Lee incident led to the exfiltration of 350 GB of data and disrupted the operations of 75 newspapers. Qilin is a prolific Russian ransomware group that recently pivoted to vulnerability exploitation, leveraging notorious flaws in Citrix (CVE-2023-4966), Veeam (CVE-2023-27532) and Fortinet products.

China spied on Belgium through a Barracuda vulnerability

Chinese state-sponsored cyberespionage actors breached Belgium’s State Security Service (VSSE) and maintained persistence for over two years (2021-2023). They gained initial access by exploiting a zero-day in Barracuda Email Security Gateway (ESG) appliances (CVE-2023-2868). Around 10% of the emails sent and received by the VSSE during this period were intercepted. Following the vulnerability disclosure in May 2023, the Belgian intelligence services stopped using Barracuda and switched to another vendor. UNC4841 may be the group behind the campaign, as it extensively exploited Barracuda vulnerabilities in 2023 to access organizations in the government and technology sectors.

Mitigate it

Apply Check Point NGFW signature IDs 0BB29FE1D, 0C688486B and 0A44B817D, and Cisco Firepower signature ID 1.61918.2.

Citrix vulnerability leveraged against an IVF company

The Termite ransomware group leveraged a vulnerability in a Citrix server to gain initial access and exfiltrate data from Genea, one of Australia’s largest fertility and IVF companies. Termite is a relatively new Russian ransomware group, which last December claimed to have compromised the supply chain management SaaS provider Blue Yonder.

Tata Technologies breached

Hunters International has exfiltrated 1.4 TB of data from Tata Technologies, the Indian technology giant. The group is a Russian cybercrime outfit known for its recent hacks of ICBC and AutoCanada, and it usually gains initial access through phishing and RDP vulnerabilities.

XSS vulnerability utilized in a large scam campaign

Attackers leveraging a cross-site scripting (XSS) vulnerability in Krpano (CVE-2020-24901) have abused more than 350 websites in a spam campaign. Krpano is popular software for panoramic images, used to create VR environments and “virtual tours”. Visitors were redirected to websites promoting adult content, gambling or hacking services. Among the affected organizations are Fortune 500 companies, well-known media outlets, universities and government agencies.

A Microsoft driver flaw exploited in a BYOVD campaign

A zero-day in the Microsoft-signed Paragon Partition Manager driver BioNTdrv.sys (CVE-2025-0289) has been exploited in BYOVD (bring your own vulnerable driver) attacks by ransomware groups to elevate to SYSTEM privileges on Windows.

Mitigate it

Check that the Microsoft Vulnerable Driver Blocklist is enabled (Settings → Privacy → Windows Security → Device security → Core isolation → Microsoft Vulnerable Driver Blocklist).

Three VMware vulnerabilities impact ESXi, Workstation, and Fusion

Three VMware vulnerabilities are under active exploitation, affecting VMware ESXi, Workstation and Fusion. The first (CVE-2025-22224) allows arbitrary code execution at the hypervisor level, the second (CVE-2025-22225) allows code execution in the ESXi kernel and the third (CVE-2025-22226) is an information disclosure flaw. All three require prior admin privileges and were leveraged in the post-compromise phase. They can be used to escape the VM sandbox and eventually gain access to the targeted host. While they can be exploited individually, VMware warned that attackers chain these vulnerabilities for a more effective operation.

Chaining vulnerabilities becomes trendy

A new report shows that attackers’ growing focus on chaining vulnerabilities complicates prioritization efforts: it undermines severity-based scoring systems (such as CVSS) and requires deeper analysis, which results in “patching fatigue”. Moreover, the research reveals that threat groups are increasingly abusing legitimate software features after exploiting vulnerabilities, exploiting deep knowledge of specific systems, and taking advantage of patches that fail to fully resolve security issues. Beyond that, breakout times (between gaining access and initiating lateral movement) plummeted to an unprecedented 48 minutes; attackers continue to exploit network devices as key entry points; and activity related to Chinese threat groups increased by 150%.

Vulnerability exploitation is booming

Another report shows that in 2024, 29 CVEs were exploited before being added to CISA’s Known Exploited Vulnerabilities (KEV) list, and that 28% of CISA KEV vulnerabilities have been linked to ransomware activity. Additionally, the most exploited flaws in 2024 lay in home routers (due to the formation of large-scale botnets) and 40% of exploited CVEs were at least three years old.
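As an added illustration of the point made in this section and the previous one (KEV membership and ransomware linkage, not CVSS alone, should drive patch order), the following Python example, written for this page rather than taken from either report, ranks a constructed inventory against a constructed feed in the shape of CISA's KEV JSON; the field names `cveID` and `knownRansomwareCampaignUse` follow the real feed, while all records, CVSS scores and the 2025 reference year are assumptions.

```python
import json

# Constructed sample in the shape of CISA's KEV JSON feed (real field names,
# made-up records): nothing here is copied from the actual catalogue.
SAMPLE_KEV = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2023-4966", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2023-27532", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2023-2868", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2020-24901", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed scanner inventory; the CVSS scores are placeholders, not NVD values.
INVENTORY = [
    {"cveID": "CVE-2023-4966", "cvss": 9.4},
    {"cveID": "CVE-2023-27532", "cvss": 7.5},
    {"cveID": "CVE-2023-2868", "cvss": 9.8},
    {"cveID": "CVE-2020-24901", "cvss": 6.1},
    {"cveID": "CVE-2025-22224", "cvss": 9.3},
]

def load_kev(kev_json):
    """Index a KEV feed by CVE id."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}

def priority(finding, kev):
    """Tier 0: ransomware-linked KEV entry, 1: other KEV entry, 2: not in KEV.
    CVSS only orders findings within a tier, never across tiers."""
    rec = kev.get(finding["cveID"])
    if rec is None:
        tier = 2
    elif rec.get("knownRansomwareCampaignUse") == "Known":
        tier = 0
    else:
        tier = 1
    return (tier, -finding["cvss"])

def prioritize(findings, kev_json):
    """Return CVE ids in the order they should be patched."""
    kev = load_kev(kev_json)
    return [f["cveID"] for f in sorted(findings, key=lambda f: priority(f, kev))]

def share_old(findings, kev_json, year, min_age=3):
    """Fraction of KEV-listed findings at least min_age years old (the CVE id's
    year is used as a rough proxy for publication year)."""
    kev = load_kev(kev_json)
    exploited = [f for f in findings if f["cveID"] in kev]
    old = [f for f in exploited if year - int(f["cveID"].split("-")[1]) >= min_age]
    return len(old) / len(exploited) if exploited else 0.0

if __name__ == "__main__":
    print(prioritize(INVENTORY, SAMPLE_KEV), share_old(INVENTORY, SAMPLE_KEV, 2025))
```

Sorting by CVSS alone would put CVE-2023-2868 and the not-yet-listed CVE-2025-22224 first; the KEV-first ordering pushes the two ransomware-linked Citrix and Veeam flaws from this newsletter to the top instead.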
