Security Affairs.

"Chinese APT Weaver Ant infiltrates a telco in Asia for over four years."

Views expressed in this cybersecurity, cyber crime update are those of the reporters and correspondents.  Accessed on 24 March 2025, 2159 UTC.

Content and Source:  Email subscription via https://feedly.com.

Please check link or scroll down to read your selections.  Thanks for joining us today.

Russ Roberts (https://www.hawaiicybersecurityjournal.net).

 Security Affairs

71K followers26 articles per week

#security#tech

21

Today

Chinese APT Weaver Ant infiltrated a telco in Asia for over four years

by Pierluigi Paganini / 44min

China-linked APT Weaver Ant infiltrated the network of a telecommunications services provider for over four years. The China-linked threat actor Weaver Ant infiltrated the network of a telecom provider in Asia for over four years. During a forensic investigation, Sygnia researchers observed multiple alerts that revealed a re-enabled threat actor account by a service account from an unidentified s

Medusa ransomware uses malicious Windows driver ABYSSWORKER to disable security tools

3 TTPs

•

by Pierluigi Paganini / 6h

Medusa ransomware uses a malicious Windows driver ABYSSWORKER to disable security tools, making detection and mitigation more difficult. Elastic Security Labs tracked a financially driven MEDUSA ransomware campaign using a HEARTCRYPT-packed loader and a revoked certificate-signed driver, ABYSSWORKER, to disable EDR tools. The attackers used a 64-bit Windows PE driver named smuol.sys, disguised as

Attackers can bypass middleware auth checks by exploiting critical Next.js flaw

CVE-2025-29927

•

by Pierluigi Paganini / 9h

A critical flaw in the Next.js React framework could be exploited to bypass authorization checks under certain conditions. Maintainers of Next.js React framework addressed a critical vulnerability tracked as CVE-2025-29927 (CVSS score of 9.1) with the release of versions versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3. “Next.js version 15.2.3 has been released to address a security vulnerability ( C

Yesterday

FBI warns of malicious free online document converters spreading malware

FBI warns of malware in converters

•

by Pierluigi Paganini / 12h

The FBI warns of a significant increase in scams involving free online document converters to infect users with malware. The FBI warns that threat actors use malicious online document converters to steal users’ sensitive information and infect their systems with malware. “The FBI Denver Field Office is warning that agents are increasingly seeing a scam involving free online document converter too

Cloak ransomware group hacked the Virginia Attorney General’s Office

8 TTPs

•

by Pierluigi Paganini / 13h

•

Cloak ransomware attacks Virginia Attorney General

The Cloak ransomware group claims responsibility for a cyberattack on the Virginia Attorney General’s Office that occurred in February. The ransomware group Cloak has claimed responsibility for a February cyberattack on the Virginia Attorney General Office . A cyberattack on the Virginia Attorney General’s Office forced officials to shut down IT systems, including email and VPN, and revert to pap

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 38

by Pierluigi Paganini / 1d

Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape Decrypting Encrypted files from Akira Ransomware (Linux/ESXI variant 2024) using a bunch of GPUs Jaguar Land Rover Breached by HELLCAT Ransomware Group Using Its Infostealer Playbook—Then a Second Hacker Strikes ClearFake’s New Widespread Variant: Increased Web3 Ex

Security Affairs newsletter Round 516 by Pierluigi Paganini – INTERNATIONAL EDITION

by Pierluigi Paganini / 1d

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free in your email box. Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press. U.S. Treasury removed sanctions against the crypto mixer service Tornado Cash Zero-day broker Operation Zero offers up to $4 million for Telegram exploits

UAT-5918 ATP group targets critical Taiwan

IoC > 29 hashes

•

by Pierluigi Paganini / 1d

•

19 TTPs

•

UAT-5918 targets Taiwan's critical infrastructure

Cisco Talos found UAT-5918, active since 2023, using web shells and open-source tools for persistence, info theft, and credential harvesting. Cisco Talos uncovered UAT-5918, an info-stealing threat actor active since 2023, using web shells and open-source tools for persistence and credential theft. The APT UAT-5918 targets Taiwan, exploiting N-day vulnerabilities in unpatched servers for long-ter

Mar 22, 2025

U.S. Treasury removed sanctions against the crypto mixer service Tornado Cash

Coinbase criticizes Treasury over Tornado Cash

•

by Pierluigi Paganini / 2d

The U.S. Treasury is lifting sanctions on Tornado Cash, a crypto mixer accused of helping North Korea’s Lazarus Group launder illicit funds. The U.S. Treasury Department removed sanctions against the cryptocurrency mixer service Tornado Cash . In August 2022, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) sanctioned the crypto mixer service Tornado Cash used by North Korea

Mar 21, 2025

Zero-day broker Operation Zero offers up to $4 million for Telegram exploits

Russian firm offers $4M Telegram exploits

•

by Pierluigi Paganini / 2d

Russian zero-day broker Operation Zero is looking for exploits for the popular messaging app Telegram, offering up to $4 million for them. Operation Zero, a Russian zero-day broker, is offering up to $4 million for Telegram exploits, the news was first reported by Tech Crunch. The Russian firm seeks up to $500K for one-click RCE, $1.5M for zero-click RCE, and $4M for a full-chain exploit that cou

RansomHub affiliate uses custom backdoor Betruger

17 TTPs

•

by Pierluigi Paganini / 3d

Symantec researchers linked a custom backdoor, called Betruger, found in recent ransomware attacks to an affiliate of the RansomHub operation. Symantec’s Threat Hunter team has identified a custom backdoor, named Betruger, linked to a RansomHub affiliate. Designed for ransomware attacks, Betruger combines multiple functions into a single tool to minimize detection. It enables screenshot capture,

Cisco Smart Licensing Utility flaws actively exploited in the wild

Collection (Enterprise TA0009)

•

by Pierluigi Paganini / 3d

Experts warn of the active exploitation of two recently patched security vulnerabilities affecting Cisco Smart Licensing Utility. Cisco disclosed two vulnerabilities in its Smart Licensing Utility: CVE-2024-20439, a static credential backdoor, and CVE-2024-20440, an information disclosure flaw. Attackers can exploit the backdoor to access sensitive log files. While no active exploitation was init

Mar 20, 2025

Pennsylvania State Education Association data breach impacts 500,000 individuals

2 TTPs

•

by Pierluigi Paganini / 3d

•

Pennsylvania State Education Association data

A data breach at the Pennsylvania State Education Association exposed the personal information of over 500,000 individuals. The Pennsylvania State Education Association (PSEA) suffered a data breach that impacted 517,487 individuals. PSEA is a labor union representing teachers, education support professionals, and other school employees in Pennsylvania. It advocates for public education, negotiat

Veeam fixed critical Backup & Replication flaw CVE-2025-23120

2 TTPs

•

by Pierluigi Paganini / 4d

•

CVE-2025-23120

Veeam released security patches for a critical Backup & Replication vulnerability that could let attackers remotely execute code. Veeam addressed a critical security vulnerability, tracked as CVE-2025-23120 (CVSS score of 9.9), impacting its Backup & Replication software that could lead to remote code execution. The vulnerability impacts 12.3.0.310 and all earlier version 12 builds, it was fixed

U.S. CISA adds Edimax IC-7100 IP Camera, NAKIVO, and SAP NetWeaver AS Java flaws to its Known Exploited Vulnerabilities catalog

by Pierluigi Paganini / 4d

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Edimax IC-7100 IP Camera, NAKIVO, and SAP NetWeaver AS Java flaws to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog : CVE-2025-1316 Edimax IC-7100 IP Camera OS Command Injection Vul

CERT-UA warns of cyber espionage against the Ukrainian defense industry using Dark Crystal RAT

8 TTPs

•

by Pierluigi Paganini / 4d

•

Signal exploited for targeted malware attacks

CERT-UA warns of a cyber campaign using Dark Crystal RAT to target Ukraine’s defense sector, including defense industry employees and Defense Forces members. The Computer Emergency Response Team of Ukraine (CERT-UA) uncovered a new cyber espionage campaign targeting employees of defense-industrial complex enterprises and representatives of the Defense Forces of Ukraine with Dark Crystal RAT . In

Mar 19, 2025

WhatsApp fixed zero-day flaw used to deploy Paragon Graphite spyware

by Pierluigi Paganini / 4d

WhatsApp fixed a zero-click, zero-day vulnerability used to install Paragon’s Graphite spyware on the devices of targeted individuals. WhatsApp has addressed a zero-click, zero-day vulnerability exploited to install Paragon’s Graphite spyware on the devices of targeted individuals. WhatsApp blocked a spyware campaign by Paragon targeting journalists and civil society members after reports of the

California Cryobank, the largest US sperm bank, disclosed a data breach

California Cryobank data breach reported

•

by Pierluigi Paganini / 5d

California Cryobank, the largest US sperm bank, suffered a data breach exposing customer information. California Cryobank (CCB) is the largest sperm bank in the U.S., providing frozen donor sperm and reproductive services, including egg and embryo storage. It operates in all 50 states and over 30 countries worldwide, helping individuals and couples with fertility treatments. The company disclosed

Rules File Backdoor: AI Code Editors exploited for silent supply chain attacks

4 TTPs

•

by Pierluigi Paganini / 5d

•

AI code editors vulnerable to attack

The Rules File Backdoor attack targets AI code editors like GitHub Copilot and Cursor, making them inject malicious code via a supply chain vulnerability. Pillar Security researchers uncovered a dangerous new supply chain attack vector called ‘ Rules File Backdoor.’ Threat actors could use the technique to silently compromise AI-generated code by injecting malicious code. The attack targets AI co

Mar 18, 2025

U.S. CISA adds Fortinet FortiOS/FortiProxy and GitHub Action flaws to its Known Exploited Vulnerabilities catalog

8 TTPs

•

by Pierluigi Paganini / 5d

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Fortinet FortiOS/FortiProxy and GitHub Action flaws to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog : CVE-2025-24472 Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerab

Nation-state actors and cybercrime gangs abuse malicious .lnk files for espionage and data theft

5 TTPs

•

by Pierluigi Paganini / 6d

•

Windows zero-day exploited by states

11 state-sponsored APTs exploit malicious .lnk files for espionage and data theft, with ZDI uncovering 1,000 such files used in attacks. At least 11 state-sponsored threat groups have been abusing Windows shortcut files for espionage and data theft, according to an analysis by Trend Micro’s Zero Day Initiative (ZDI). Trend ZDI researchers discovered 1,000 malicious .lnk files used by nation-state

End of feed