Zyxel says it won’t fix actively exploited flaws in legacy CPE series devices, urges users to upgrade
Zyxel has issued a security advisory warning that it will not address several actively exploited vulnerabilities (CVE-2024-40891, CVE-2025-0890, CVE-2024-40890) in its CPE (Customer Premises Equipment) Series devices reported last month. According to network scanning engines such as FOFA and Censys, over 1,500 Zyxel CPE Series devices remain exposed to the internet.
In other news, the US Cybersecurity and Infrastructure Security Agency (CISA) has added four security flaws to its Known Exploited Vulnerabilities (KEV) catalog: CVE-2024-45195 (Apache OFBiz Forced Browsing Vulnerability), CVE-2024-29059 (Microsoft .NET Framework Information Disclosure Vulnerability), CVE-2018-9276 (Paessler PRTG Network Monitor OS Command Injection Vulnerability), CVE-2018-19410 (Paessler PRTG Network Monitor Local File Inclusion Vulnerability).
Additionally, the agency flagged another five vulnerabilities as actively exploited. They include CVE-2024-21413, a critical Microsoft Outlook remote code execution (RCE) vulnerability; CVE-2025-0411 (7-Zip Mark of the Web Bypass Vulnerability); CVE-2022-23748 (Dante Discovery Process Control Vulnerability); CVE-2020-29574 (CyberoamOS (CROS) SQL Injection Vulnerability); and CVE-2020-15069 (Sophos XG Firewall Buffer Overflow Vulnerability).
Netgear has resolved two security vulnerabilities that affect several WiFi router models. The company is urging users to update their devices with the latest firmware immediately. The vulnerabilities impact various WiFi 6 access points (WAX206, WAX214v2, and WAX220) as well as Nighthawk Pro Gaming router models (XR1000, XR1000v2, XR500).
Trimble, a US-based provider of construction, geospatial, and transportation technology solutions, has warned customers about a vulnerability in its Cityworks product that has been actively exploited. The zero-day flaw, tracked as CVE-2025-0994, is a deserialization flaw that enables external attackers to remotely execute code on the target's Microsoft Internet Information Services (IIS) web server.
Hackers are exploiting vulnerabilities in SimpleHelp RMM (Remote Monitoring and Management) software to target clients, creating administrator accounts, deploying backdoors, and setting the stage for potential ransomware attacks. The flaws, tracked as CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728, are being leveraged to compromise systems. Cybersecurity researchers also observed signs of Akira ransomware activity in these attacks, though there isn't enough evidence for a definitive attribution.
Ukrainian organizations targeted in a SmokeLoader campaign abusing 7-Zip zero-day
A zero-day vulnerability in the popular open-source file archiver tool 7-Zip has been actively exploited by Russia-linked threat actors in a targeted malware campaign against Ukrainian entities. The flaw, tracked as CVE-2025-0411, allows malicious actors to bypass the Windows Mark-of-the-Web (MotW) security feature, which is designed to prevent the automatic execution of files downloaded from the internet. At least nine Ukrainian organizations have been targeted in this ongoing campaign. Among the affected entities are several government institutions, including the Ministry of Justice, the Kyiv Public Transportation Service, the Kyiv Water Supply Company, and the City Council.
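The bypass described above matters because Windows stores the Mark-of-the-Web as a `Zone.Identifier` alternate data stream on the downloaded file, and an archiver is expected to propagate that stream to every file it extracts. The following added example (not code from the article or from 7-Zip) parses that stream and reports extracted members that lost the mark; the stream contents and file names are constructed for the example, and the ADS read only works on NTFS under Windows.

```python
"""Check whether Mark-of-the-Web survived archive extraction (added example)."""
import sys

# Zone identifiers used by the Windows URL security manager (URLZONE_*).
ZONE_NAMES = {0: "LocalMachine", 1: "Intranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}
UNTRUSTED_ZONES = {3, 4}  # files from these zones get SmartScreen / "unblock" handling


def parse_zone_identifier(text):
    """Parse the contents of a Zone.Identifier alternate data stream.

    The stream is INI-like: a [ZoneTransfer] section with a ZoneId key and
    optional ReferrerUrl / HostUrl keys. Returns a dict, or None if there is
    no usable ZoneId (which is the same as having no mark at all).
    """
    section = None
    info = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "zonetransfer" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        info[key.strip()] = value.strip()
    if "ZoneId" not in info:
        return None
    try:
        info["ZoneId"] = int(info["ZoneId"])
    except ValueError:
        return None
    return info


def read_zone_identifier(path):
    """Read a file's Zone.Identifier ADS on NTFS; None if absent or not on Windows."""
    if sys.platform != "win32":
        return None
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None


def unmarked_members(archive_ads, member_ads):
    """Return the extracted members that did not inherit the archive's mark.

    archive_ads is the archive's Zone.Identifier text; member_ads maps each
    extracted file name to its stream text (or None when the stream is missing).
    If the archive itself is not from an untrusted zone, no mark is expected.
    """
    archive = parse_zone_identifier(archive_ads) if archive_ads else None
    if archive is None or archive["ZoneId"] not in UNTRUSTED_ZONES:
        return []
    lost = []
    for name, ads in member_ads.items():
        info = parse_zone_identifier(ads) if ads else None
        if info is None or info["ZoneId"] not in UNTRUSTED_ZONES:
            lost.append(name)
    return lost


# Constructed sample: the downloaded archive is marked Internet (ZoneId=3); one
# extracted member kept the mark, the other came out with no stream at all.
ARCHIVE_ADS = (
    "[ZoneTransfer]\r\nZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/\r\n"
    "HostUrl=https://example.invalid/report.zip\r\n"
)
MEMBERS = {
    "report.pdf": "[ZoneTransfer]\r\nZoneId=3\r\n",
    "setup.exe": None,  # no Zone.Identifier stream: SmartScreen will not see it
}

if __name__ == "__main__":
    for name in unmarked_members(ARCHIVE_ADS, MEMBERS):
        print(f"{name}: extracted without Mark-of-the-Web ({ZONE_NAMES[3]} zone expected)")
```

On a patched system every member of an Internet-zone archive should carry `ZoneId=3`; an empty result from `unmarked_members` after extracting a test archive is the quick way to confirm the archiver propagates the mark.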
Separately, Ukraine’s law enforcement has warned that Russian intelligence services are recruiting Ukrainian citizens for terrorist attacks through messaging apps and online forums, offering quick financial rewards. Vulnerable groups, such as young people, the unemployed, and those leading antisocial lifestyles, are particularly targeted. However, many of those recruited end up being killed or imprisoned by Russia after completing their missions. While officials did not specify which apps or forums are used, it’s noted that Telegram has been a platform for Russian intelligence to recruit individuals for disinformation campaigns or cyberattacks in the past. Additionally, Russia utilizes Telegram to amplify conflicts involving Ukrainian military personnel, promote pro-Russian narratives, and create division within Ukrainian society.
XE Group cybercrime op shifts from credit card skimming to data theft using 0Day exploits
The XE Group cybercrime syndicate, active since 2013 and believed to operate from Vietnam, has pivoted from focusing on e-skimming web store operations to exploiting zero-day vulnerabilities for network breaches. According to a joint report from Intezer and Solis, XE Group has leveraged at least two zero-day vulnerabilities in VeraCore, a widely used supply chain management software, to enhance its attacks. The vulnerabilities, tracked as CVE-2024-57968 (upload validation vulnerability) and CVE-2025-25181 (SQL injection), allowed the group to maintain unauthorized access through web shells and other malicious tools.
North Korean 'Contagious Interview' campaign targets job seekers via FERRET malware
North Korean threat actors responsible for the ‘Contagious Interview’ campaign have been observed deploying a collection of Apple macOS malware strains, dubbed FERRET, through a deceptive job interview process. The attack method, which targets both job seekers and unsuspecting individuals, is designed to compromise devices and harvest sensitive data.
Romanian cybersecurity firm Bitdefender detailed an attack by North Korea’s Lazarus Group involving LinkedIn job offers in the cryptocurrency and travel sectors to infect systems running Windows, macOS, and Linux. The scam begins with a message promising remote work and good pay. Victims are then directed to a GitHub or Bitbucket link to review a supposed decentralized exchange project, which contains an obfuscated script. This script downloads a cross-platform JavaScript stealer that collects data from cryptocurrency wallets and serves as a loader for a Python-based backdoor, allowing the attackers to monitor clipboard content, maintain remote access, and install more malware.
In another campaign, the North Korea-linked hacking group Kimsuky launched spear-phishing attacks using a malware called forceCopy. The attacks involve phishing emails containing a Windows shortcut (LNK) file disguised as a Microsoft Office or PDF document. Opening the attachment triggers PowerShell or mshta.exe, which downloads and executes further malicious payloads. The attacks deploy the PEBBLEDASH trojan, a custom Remote Desktop utility (RDP Wrapper), and proxy malware for persistent external network communication. Kimsuky also uses a PowerShell-based keylogger and the forceCopy malware to steal files from web browser directories.
Silent Lynx cyber spies target embassies and banks in Kyrgyzstan and Turkmenistan
A threat actor, dubbed ‘Silent Lynx’, has been linked to a series of sophisticated cyberattacks targeting key entities in Kyrgyzstan and Turkmenistan, including embassies, government-backed banks, lawyers, and think tanks. The group is believed to originate from Kazakhstan, with a medium level of confidence, and has been linked to previous attacks against Eastern European and Central Asian governmental institutions. Seqrite Labs said it observed several tactical overlaps between Silent Lynx and YoroTrooper, a known cyber threat actor also associated with attacks targeting CIS (Commonwealth of Independent States) countries.
New malware linked to DaggerFly espionage group targets Linux-based network devices
Cybersecurity researchers at FortiGuard Labs have uncovered a new malware strain, identified as ELF/Sshdinjector.A!tr, which has been linked to the notorious DaggerFly espionage group. The sophisticated threat has been used as part of the Lunar Peek campaign, targeting Linux-based network appliances and specializing in data exfiltration.
The Lunar Peek campaign, attributed to the DaggerFly espionage group, primarily targets Linux-based network appliances, which are often used in enterprise environments. By infecting these appliances, the attackers gain access to sensitive internal networks, providing them with the ability to carry out further malicious activities or steal valuable data.
Malicious software supply chain attack targeting Go ecosystem
Researchers with cybersecurity firm Socket have spotted a sophisticated software supply chain attack affecting the Go programming language ecosystem. The attack involves a malicious package, disguised as a legitimate database module, that allows threat actors to remotely access infected systems. The malicious package, named ‘github.com/boltdb-go/bolt’, is a typosquatted version of the authentic BoltDB database module (github.com/boltdb/bolt). Once the backdoored package is installed, it grants the attacker remote access to the victim's system, enabling them to execute arbitrary commands.
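A typosquatted module path like the one above differs from the genuine one only in a decoy affix on the owner segment. The following added example (not code from Socket or the BoltDB project) parses the `require` entries of a go.mod and flags modules that resolve to a known module once such affixes and separators are stripped, or that sit within a small edit distance of one; the allowlist and the go.mod contents are constructed for the example.

```python
"""Flag Go module paths that look like typosquats of modules a team knows (added example)."""

# Hypothetical allowlist: the modules this project is actually meant to depend on.
KNOWN_MODULES = {
    "github.com/boltdb/bolt",
    "go.etcd.io/bbolt",
    "golang.org/x/crypto",
}

# Affixes commonly bolted onto a real name to make a lookalike path.
DECOY_AFFIXES = ("go-", "-go", "golang-", "-golang")


def normalize_segment(seg):
    """Lower-case a path segment and strip decoy affixes and separators."""
    s = seg.lower()
    for affix in DECOY_AFFIXES:
        if s.startswith(affix):
            s = s[len(affix):]
        if s.endswith(affix):
            s = s[:-len(affix)]
    return s.replace("-", "").replace("_", "").replace(".", "")


def levenshtein(a, b):
    """Plain edit distance; module paths are short so O(n*m) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_go_mod_requires(text):
    """Return [(module_path, version)] from single-line and block require directives."""
    reqs = []
    in_block = False
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()  # drop trailing comments such as "// indirect"
        if not line:
            continue
        if in_block:
            if line == ")":
                in_block = False
                continue
            parts = line.split()
            if len(parts) >= 2:
                reqs.append((parts[0], parts[1]))
        elif line.startswith("require ("):
            in_block = True
        elif line.startswith("require "):
            parts = line.split()
            if len(parts) >= 3:
                reqs.append((parts[1], parts[2]))
    return reqs


def lookalike_of(module, known=KNOWN_MODULES, max_distance=2):
    """Return the known module this path impersonates, or None if it is exact or unrelated."""
    if module in known:
        return None
    segs = module.lower().split("/")
    norm = [normalize_segment(s) for s in segs]
    for cand in known:
        csegs = cand.lower().split("/")
        if len(csegs) != len(segs):
            continue
        if norm == [normalize_segment(s) for s in csegs]:
            return cand  # identical once decoy affixes and separators are removed
        if levenshtein(module.lower(), cand.lower()) <= max_distance:
            return cand  # a character or two away from a real module
    return None


def audit_go_mod(text):
    """Return [(suspect_module, version, impersonated_module)] for a go.mod body."""
    return [(m, v, t) for m, v in parse_go_mod_requires(text) if (t := lookalike_of(m))]


# Constructed go.mod containing the typosquatted path named in the report.
GO_MOD = """module example.invalid/app

go 1.22

require (
\tgithub.com/boltdb-go/bolt v1.3.1
\tgo.etcd.io/bbolt v1.3.8 // indirect
)

require golang.org/x/crypto v0.21.0
"""

if __name__ == "__main__":
    for module, version, target in audit_go_mod(GO_MOD):
        print(f"{module}@{version} looks like a typosquat of {target}")
```

Running this over a repository's go.mod in CI, with the allowlist built from the modules the team has reviewed, turns a path that merely looks right to a human into a build failure.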
Coyote banking trojan now targets over 70 financial institutions
FortiGuard Labs has observed a sophisticated new attack chain involving malicious Windows Shortcut (LNK) files designed to deploy the notorious Coyote banking malware. The trojan primarily targets users in Brazil, specifically aiming to steal sensitive data from over 70 financial applications and a variety of websites. The files contain PowerShell commands and initiate a series of operations that ultimately lead to the installation of the trojan on victim systems. Coyote is capable of executing a range of malicious activities, including keylogging, capturing screenshots, and displaying phishing overlays to steal user credentials.
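Both the Kimsuky lure described earlier (an LNK disguised as an Office or PDF document that launches PowerShell or mshta.exe) and the Coyote chain above rely on the shortcut's target and command-line arguments, which live in fixed positions of the Shell Link binary format. The following added example (not code from FortiGuard Labs or either report) builds a constructed shortcut, parses the header and string data per the MS-SHLLINK layout, and applies the triage rules a responder would use: document-style double extension, a script host as target, and hidden-window switches. The sample shortcut, its placeholder command and the icon path are constructed for the example.

```python
"""Minimal Shell Link (.lnk) parser with triage rules for lure shortcuts (added example)."""
import struct

HEADER_SIZE = 0x4C
# {00021401-0000-0000-C000-000000000046} in on-disk (mixed-endian GUID) byte order
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits from the ShellLinkHeader
HAS_TARGET_IDLIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
# StringData fields appear in this fixed order when their flag is set
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))

SCRIPT_HOSTS = ("powershell", "pwsh", "mshta", "cmd.exe", "wscript", "cscript", "rundll32", "regsvr32")
DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx")
QUIET_SWITCHES = ("-w hidden", "-windowstyle hidden", "-nop", "-noprofile", "-enc", "-encodedcommand")


def build_lnk(relative_path, arguments, icon_location=None):
    """Construct a shortcut with only the string fields set (enough for the parser below)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    if icon_location is not None:
        flags |= HAS_ICON_LOCATION
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (HEADER_SIZE - len(header))  # attributes, timestamps, sizes, reserved

    def string_data(s):  # CountCharacters (2 bytes) followed by UTF-16LE text, no terminator
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    body = string_data(relative_path) + string_data(arguments)
    if icon_location is not None:
        body += string_data(icon_location)
    return header + body


def parse_lnk(data):
    """Return the StringData fields of a shortcut, skipping IDList and LinkInfo if present."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE \
            or data[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = HEADER_SIZE
    if flags & HAS_TARGET_IDLIST:
        off += 2 + struct.unpack_from("<H", data, off)[0]  # IDListSize + IDList
    if flags & HAS_LINK_INFO:
        off += struct.unpack_from("<I", data, off)[0]      # LinkInfoSize covers the whole block
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        nbytes = count * 2 if unicode else count
        raw = data[off:off + nbytes]
        fields[name] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252", "replace")
        off += nbytes
    return fields


def triage_shortcut(filename, data):
    """Return (parsed fields, list of reasons the shortcut deserves a closer look)."""
    fields = parse_lnk(data)
    reasons = []
    lower = filename.lower()
    if lower.endswith(".lnk") and lower[:-4].endswith(DOC_EXTS):
        reasons.append("document-style double extension")
    target = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
    hosts = [h for h in SCRIPT_HOSTS if h in target]
    if hosts:
        reasons.append("launches script host: " + ", ".join(hosts))
    if any(sw in fields.get("arguments", "").lower() for sw in QUIET_SWITCHES):
        reasons.append("hidden or non-interactive switches on the command line")
    icon = fields.get("icon_location", "").lower()
    if hosts and any(k in icon for k in (".pdf", "winword", "excel", "acrord", "shell32.dll", "imageres.dll")):
        reasons.append("script host target dressed with a document-like icon")
    return fields, reasons


# Constructed lure: looks like a PDF, runs PowerShell hidden with a placeholder command.
LURE = build_lnk("..\\..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                 '-NoProfile -WindowStyle Hidden -Command "<constructed placeholder>"',
                 icon_location="%SystemRoot%\\System32\\imageres.dll")

if __name__ == "__main__":
    fields, reasons = triage_shortcut("Invoice.pdf.lnk", LURE)
    print(fields["relative_path"], fields["arguments"])
    for r in reasons:
        print(" -", r)
```

Real shortcuts usually also carry a LinkTargetIDList and LinkInfo block, which the parser steps over using the sizes those structures declare; for a full investigation an established LNK parser that also decodes the ExtraData blocks (machine ID, tracker data) is the better tool, but the string fields alone are enough to separate a lure from a plain document shortcut.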
In a separate report, Morphisec researchers detailed a series of attacks that use bogus websites posing as Google Chrome download pages to distribute a remote access trojan (RAT) called ValleyRAT. Discovered in 2023, ValleyRAT is attributed to a threat actor known as Silver Fox, who has previously targeted Chinese-speaking regions like Hong Kong, Taiwan, and Mainland China. The latest attacks involve fake Google Chrome sites tricking victims into downloading a ZIP file with a malicious "Setup.exe" installer. Once executed, the installer checks for administrator rights and downloads additional payloads, including a legitimate Douyin (Chinese TikTok) executable that helps load the ValleyRAT malware. The attacks focus on high-value positions, particularly in finance, accounting, and sales departments, to target sensitive data.
At least 17 e-shops, including Casio UK, found to contain credit card skimmers
Researchers have uncovered a new web skimming attack targeting at least 17 e-commerce sites, including Casio UK's online store, with the malware potentially compromising customers' credit card information. The skimming malware was likely introduced through vulnerable components within the Magento e-commerce platform, which powers numerous online retail sites. The attack involved two stages: a skimmer loader that appeared on the homepage of affected websites and a second-stage payload hosted on a Russian server.
BeyondTrust December 2024 breach linked to compromised infrastructure API key
Intelligent identity and access security provider BeyondTrust has concluded its investigation into a cybersecurity incident that targeted certain instances of its Remote Support Software-as-a-Service (SaaS) platform. The breach, first spotted on December 5, 2024, involved the use of a compromised API key to gain unauthorized access to 17 customer accounts. The breach was traced back to a third-party application vulnerability that allowed a threat actor to gain access to a BeyondTrust AWS account. From there, they obtained an infrastructure API key, which was then used to reset local application passwords and access Remote Support SaaS instances. BeyondTrust said no other products outside of its Remote Support SaaS were affected by the incident.
In a separate report, Microsoft said it detected limited activity from an unattributed threat actor using a publicly available, static ASP.NET machine key to inject malicious code and deploy the Godzilla post-exploitation framework. Following this, Microsoft identified over 3,000 publicly disclosed keys that could be exploited for similar attacks, known as ViewState code injection attacks. Unlike previous ViewState attacks, which typically involved compromised or stolen keys sold on dark web forums, publicly disclosed keys are more concerning because they are accessible in various code repositories and may have been integrated into development code without modification, the company warned.
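The practical check that follows from Microsoft's warning is to find every `machineKey` in a deployment's web.config files that carries an explicit key and compare it against the disclosed set. The following added example (not Microsoft's tooling or any code from the report) does that: it parses the config, skips keys set to `AutoGenerate`, hashes explicit keys so the audit never has to print them, and matches the hash against a disclosed-key hash set. The hash set, both configs and both key values are constructed for the example; a real deployment would load the published list of disclosed key hashes instead.

```python
"""Audit web.config machineKey elements for static and publicly disclosed keys (added example)."""
import hashlib
import xml.etree.ElementTree as ET


def key_hash(hexkey):
    """SHA-256 of the normalized (trimmed, upper-cased) hex key text."""
    return hashlib.sha256(hexkey.strip().upper().encode("ascii")).hexdigest()


# Constructed "publicly pasted" keys standing in for entries on a disclosed-key list.
PUBLIC_VALIDATION_KEY = "0123456789ABCDEF" * 8   # 128 hex chars, as a SHA/HMAC validationKey is
PRIVATE_DECRYPTION_KEY = "FEDCBA9876543210" * 4  # 64 hex chars, AES-256 decryptionKey length
DISCLOSED_KEY_HASHES = {key_hash(PUBLIC_VALIDATION_KEY)}

DISCLOSED = "publicly disclosed key, rotate immediately"
STATIC = "static key, confirm it was generated privately"


def audit_machine_keys(config_xml, disclosed=DISCLOSED_KEY_HASHES):
    """Return [(attribute, verdict)] for every explicit key found in the config."""
    root = ET.fromstring(config_xml)
    findings = []
    for mk in root.iter("machineKey"):  # also catches keys nested under <location>
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr)
            if value is None or value.startswith("AutoGenerate"):
                continue  # per-machine generated key: not reusable across servers
            if key_hash(value) in disclosed:
                findings.append((attr, DISCLOSED))
            else:
                findings.append((attr, STATIC))
    return findings


# Constructed config that embeds a key copied from a public source.
WEB_CONFIG = f"""<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="{PUBLIC_VALIDATION_KEY}"
                decryptionKey="{PRIVATE_DECRYPTION_KEY}"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""

# Constructed config using the per-machine default, which the audit leaves alone.
SAFE_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps" />
  </system.web>
</configuration>
"""

if __name__ == "__main__":
    for attr, verdict in audit_machine_keys(WEB_CONFIG):
        print(f"{attr}: {verdict}")
```

A match on the disclosed set is the case the report describes; an unmatched static key is still worth tracing back to wherever it was generated, since a key that was copied from a template will look identical to a private one until its hash turns up on a list.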
WhatsApp claims Israeli spyware targeted journalists and civil society members
Meta-owned messaging app WhatsApp said that nearly 100 journalists and civil society members had been targeted by Israeli-made spyware, allegedly operated by Paragon Solutions, an Israeli firm known for creating hacking software. The platform said that the attack was a “zero-click” operation. The spyware in question, known as Graphite, is capable of granting full access to an infected phone, allowing the operator to read encrypted messages from apps such as WhatsApp and Signal. Experts suggest that the attack vector, or the method through which the spyware was delivered, was a malicious PDF sent to individuals who had been added to group chats.
In a statement, the Italian government said that victims in Belgium, Greece, Latvia, Lithuania, Austria, Cyprus, Czech Republic, Denmark, Germany, Netherlands, Portugal, Spain and Sweden were targeted as part of this cyber espionage campaign.
Suspected ‘Natohub’ hacker behind attacks on US Army, UN and NATO databases arrested in Spain
A hacker responsible for multiple cyberattacks on government institutions in Spain and the US was arrested by Spanish National Police. The individual, who has not been named, is accused of breaching systems belonging to the US Army, the United Nations, NATO, and various Spanish government bodies. Spanish police, in collaboration with the Civil Guard, apprehended the suspect in Calpe. The hacker faces charges including illegal access to computer systems, disclosure of secrets, computer damage, and money laundering. The arrested individual is also linked to attacks on key Spanish institutions such as the Ministry of Defense and several universities.
In addition, French authorities apprehended a 24-year-old man, suspected of hacking the South Korean cryptocurrency platform Coinrail in 2018 and stealing the equivalent of 210 million euros. During the theft, 26 million euros were taken, but with the rise in cryptocurrency values, the loss is now estimated at 210 million euros. The man's name first appeared in 2021 during another investigation into the hacking of the Gatehub platform. French authorities made the connection between the two hacks, and three suspects have been questioned, with one located in Morocco.
In other news, from September 23-27, 2024, Nigerian law enforcement, with support from INTERPOL and AFRIPOL, conducted a major operation leading to the arrest of 36 individuals and the seizure of assets worth $3 million. The majority of arrests were linked to cyber-enabled fraud, with most suspects under 35 years old. Crimes uncovered included "romance baiting," cryptocurrency scams, and celebrity impersonation scams. Additionally, three arrests were made for sextortion, where suspects extorted money by threatening to release explicit content.