Cyber Security Week in review: February 21, 2025

Recently patched PAN OS firewall bug actively exploited in the wild

Palo Alto Networks has confirmed that a recently patched critical vulnerability in its PAN-OS firewall, CVE-2025-0108, is being actively exploited by attackers. The flaw, disclosed on February 12, allows unauthenticated users to bypass authentication and gain access to the firewall's management interface. Exploitation attempts have been observed by Palo Alto Networks, with attackers chaining this vulnerability alongside two others, CVE-2024-9474 and CVE-2025-0111, to target unpatched PAN-OS web management interfaces.

Threat intelligence firm GreyNoise reported the first exploitation attempts on February 13, and by February 18, attacks were detected from nearly 30 unique IP addresses. The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-0108 to its Known Exploited Vulnerabilities catalog. On Thursday, the agency updated the list of exploited flaws to add an RCE vulnerability in Craft CMS (CVE-2025-23209).

In other news, Citrix rolled out security updates for an improper privilege management vulnerability (CVE-2024-12284) affecting NetScaler Console (formerly NetScaler ADM) and NetScaler Agent that could lead to privilege escalation under certain conditions.

Russian hackers increasingly target Signal, WhatsApp and Telegram for espionage

Google's Threat Intelligence Group (GTIG) has reported an increase in efforts by Russian state-aligned threat actors targeting Signal Messenger accounts, particularly individuals of interest to Russian intelligence. A novel tactic identified involves exploiting Signal's "linked devices" feature, which typically requires scanning a QR code to allow access on multiple devices. Malicious actors have been creating fake QR codes to link victims’ Signal accounts to attacker-controlled devices, enabling real-time eavesdropping without compromising the victim's device.

These QR codes have been used in phishing attacks disguised as legitimate group invites, security alerts, or device-pairing instructions from Signal.

In the meantime, Volexity researchers have uncovered a series of sophisticated spear-phishing and social-engineering campaigns conducted by Russian threat actors. The campaigns involve a method known as Device Code Authentication phishing used to compromise Microsoft 365 (M365) accounts. The Russian threat actors leveraged social engineering techniques to impersonate individuals from prominent institutions, including officials from the United States Department of State, the Ukrainian Ministry of Defense, and the European Union Parliament. Additionally, research institutions were targeted as part of this operation.

Cisco has confirmed that a Chinese hacker group, known as Salt Typhoon, exploited a known vulnerability (CVE-2018-0171) and used stolen login credentials to launch a targeted attack on major US telecommunications companies. The group demonstrated advanced persistence, maintaining access to networks for extended periods, including one instance lasting over three years. Despite some reports suggesting other vulnerabilities (CVE-2023-20198 and CVE-2023-20273) were involved, Cisco found no evidence that they were exploited. The group also attempts to steal credentials by harvesting device configurations and by cracking weak passwords.

China-linked Winnti Group behind RevivalStone campaign targeting Japanese key industries

The China-linked cyber espionage group known as Winnti has been linked to a sophisticated new campaign, dubbed RevivalStone, targeting Japanese companies across key industries, including manufacturing, materials, and energy. Recent attacks, spanning from November 2023 to October 2024, leveraged vulnerabilities in public-facing applications like IBM Lotus Domino to deliver various types of malware, including the Deathlotus, Shadowgaze, and Cunningpigeon backdoors, the Unapimon defense evasion utility, the PrivatelogDeploylog loader, as well as the Windjammer rootkit.

Orange, Symantec, and Trend Micro released separate reports detailing Chinese APT malware in ransomware attacks spanning 15 countries. The malware includes updated versions of the PlugX and Shadowpad backdoors that have been utilized by Chinese APT groups for over ten years. The malware strains were placed on compromised networks before the ransomware was deployed. The attackers gained access through remote network breaches, exploiting weak passwords and bypassing multi-factor authentication. Ransomware attacks were confirmed at two companies in Europe and a software company in South Asia. The ransomware payloads used in these incidents included RA World and a newly identified strain, NailaoLocker.

ESET has released a report detailing North Korea’s ongoing "fake interview" campaign, known as DeceptiveDevelopment, which primarily targets freelancers, programmers, and crypto developers. First documented by Phylum and Unit 42 in 2023, the campaign has also been referred to as Contagious Interview and DEV#POPPER. The deceptive tactic involves fake job offers to lure victims into downloading malware.

In addition, cybersecurity firm Kandji released a deep dive into the DriverEasy app linked to the Contagious Interview campaign.

Palo Alto Networks' Unit 42 team linked the Stately Taurus APT group to the Bookworm trojan, a sophisticated espionage tool that has been in use for over a decade. Stately Taurus, known for employing DLL sideloading to execute payloads, has consistently used the PubLoad malware family, which Unit 42 associates uniquely with this group.

New XCSSET malware variant discovered targeting macOS users

Microsoft Threat Intelligence discovered a new and more sophisticated variant of XCSSET, a modular macOS malware that has been targeting developers and users via infected Xcode projects. This variant has only been observed in limited attacks so far, Microsoft noted.

A malware campaign distributing the XLoader malware has been observed using the DLL side-loading technique through a legitimate Eclipse Foundation application. The attack leverages jarsigner, a tool used for signing JAR files, which is part of the Eclipse IDE package. According to AhnLab Security Intelligence Center (ASEC), the malware is spread via a ZIP archive containing both the legitimate jarsigner executable and DLL files that are sideloaded to initiate the malware.

The Darcula phishing-as-a-service (PhaaS) platform is launching its third major version "Darcula Suite," which introduces several key features, including the ability for users to create custom phishing kits targeting any brand, removing previous restrictions on targeting scope. The release, currently in beta, also simplifies the process by eliminating the need for advanced technical skills. Additional features include a user-friendly admin dashboard, IP and bot filtering, campaign performance tracking, and automation for credit card theft and digital wallet loading.

BlackBasta's chat logs leak online

An anonymous individual, known as ExploitWhispers, has leaked what they claim to be internal Matrix chat logs from the Black Basta ransomware operation. The logs were first uploaded to MEGA but were removed, and now they've been shared on a dedicated Telegram channel. It's unclear whether ExploitWhispers is a security researcher or a disgruntled insider. Cyber threat intelligence company PRODAFT suggests that the leak may be connected to Black Basta's recent attacks on Russian banks. Since early 2025, the gang has been largely inactive due to internal conflicts, with some of its operators scamming victims by taking ransom payments without providing decryptors.

The leaked archive spans from September 18, 2023, to September 28, 2024, and includes sensitive data such as phishing templates, victim credentials, cryptocurrency addresses, and tactics used by the group. The leak also reveals the identities of several key members of the Black Basta gang, including Lapa (an admin), Cortes (linked to Qakbot), YY (the main administrator), and Oleg Nefedov, aka 'Trump', believed to be the group's boss.

Earlier this week, US security agencies issued a warning about cybercriminals using Ghost ransomware to breach organizations worldwide. The attacks, which began in early 2021, have affected organizations in over 70 countries, across sectors including healthcare, government, education, technology, and manufacturing. Ghost ransomware exploits vulnerabilities in outdated software and firmware, particularly on internet-facing services. The group has frequently targeted known vulnerabilities in Fortinet (CVE-2018-13379), ColdFusion (CVE-2010-2861, CVE-2009-3960), and Microsoft Exchange (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) products.