Cyber Security Week in Review: May 9, 2025

A China-linked threat actor known as Chaya_004 has been actively exploiting a critical vulnerability in SAP NetWeaver, tracked as CVE-2025-31324, since at least April 29, 2025, according to a report by Forescout Vedere Labs. The flaw is a deserialization vulnerability in SAP NetWeaver Visual Composer 7.x that allows remote code execution by uploading web shells via a vulnerable endpoint. The attacks targeted manufacturing environments. So far, 13 unique IP addresses have been linked to these exploitation attempts.

Threat actors associated with the Play ransomware group have exploited a zero-day vulnerability in Microsoft Windows (CVE-2025-29824) to escalate privileges and deploy malware in a recent attack on a US entity. The vulnerability, affecting the Common Log File System (CLFS) driver, was patched by Microsoft in April 2025. While Play ransomware was not deployed in this attack, the attackers, identified as the Balloonfly group, used the Grixba infostealer, customized malware linked to the threat actor’s operations.

SonicWall has urged users to update their Secure Mobile Access (SMA) appliances to address three security vulnerabilities (CVE-2025-32819, CVE-2025-32820, and CVE-2025-32821). When chained together, these vulnerabilities allow attackers to execute remote code as root. Affected models include SMA 200, 210, 400, 410, and 500v, with fixes available in firmware version 10.2.1.15-81sv and later. According to Rapid7, CVE-2025-32819 may have already been exploited in the wild.

A vulnerability (CVE-2024-7399) in Samsung's MagicINFO content management system remains exploitable despite the release of official patches. The flaw, caused by improper input sanitization, enables unauthenticated attackers to upload and execute malicious code with system-level privileges. Although a fix was announced in August 2024, researchers from Huntress confirmed that the latest version (21.1050.0) is still vulnerable and being actively exploited. Users are advised to keep affected systems off the internet until a working patch is released.

Proofpoint has uncovered a new financially motivated threat actor, tracked as TA2900, engaging in business email compromise (BEC) fraud. The threat actor targets French-speaking individuals in France and occasionally Canada by sending emails in French that impersonate rental companies. The messages claim that a rent payment is overdue and instruct recipients to send payments to a new bank account, providing fraudulent IBAN details. The bank accounts are typically low-cost branches of major French banks and change frequently, with each being used for only a few campaigns. Victims are also asked to respond to freemail accounts (e.g., Gmail, Outlook) with proof of payment or authorization for automatic future payments. Proofpoint has linked TA2900 to over 50 campaigns and nearly two dozen different IBANs.
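The pattern Proofpoint describes (an overdue-rent demand, a "new" IBAN, and a request to reply to a freemail address) lends itself to a simple gateway heuristic. The Python below is an added example, not code from Proofpoint or from this digest; the two sample messages, the IBAN on file, the freemail list and the keyword lists are all constructed assumptions that a real deployment would tune.

```python
"""Heuristic scoring of inbound mail for the overdue-rent BEC pattern:
a payment demand, a "new" IBAN, and a freemail Reply-To that differs from
the sender domain. Added example; every sample value below is constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed lists: providers and wording a gateway would tune for its own tenants.
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
URGENCY_TERMS = ("en retard", "impayé", "urgent", "overdue", "unpaid")
NEW_ACCOUNT_TERMS = ("nouveau compte", "nouvelles coordonnées", "new account", "new bank")
# Loose IBAN shape: country code, check digits, 11-30 alphanumerics, spaces allowed.
IBAN_RE = re.compile(r"\b([A-Z]{2}\d{2}(?:[ ]?[A-Z0-9]){11,30})\b")

# Constructed sample: the fraud pattern (rent overdue, new IBAN, reply to Gmail).
SAMPLE_OVERDUE = """From: Gestion Locative <contact@agence-exemple.fr>
Reply-To: gestion.locative.2025@gmail.com
Subject: Loyer en retard - paiement urgent
Content-Type: text/plain; charset=utf-8

Bonjour,
Votre loyer du mois est en retard. Merci de regler sur notre nouveau compte :
IBAN FR76 3000 6000 0112 3456 7890 189
Envoyez la preuve de paiement en reponse a ce message.
"""

# Constructed sample: a routine receipt quoting the IBAN already on file.
SAMPLE_LEGIT = """From: Gestion Locative <contact@agence-exemple.fr>
Subject: Quittance de loyer - avril
Content-Type: text/plain; charset=utf-8

Bonjour,
Veuillez trouver ci-joint votre quittance. Le prelevement habituel reste
sur le compte FR76 1234 5678 9012 3456 7890 123.
"""
IBAN_ON_FILE = "FR76 1234 5678 9012 3456 7890 123"  # constructed tenant record


def normalize_iban(raw):
    """Strip spaces and upper-case so IBANs compare regardless of formatting."""
    return raw.replace(" ", "").upper()


def extract_ibans(text):
    """Return the distinct, normalized IBAN-shaped strings found in text."""
    return sorted({normalize_iban(m) for m in IBAN_RE.findall(text)})


def _plain_body(msg):
    """First text/plain part (or the whole body for single-part messages)."""
    if msg.is_multipart():
        for part in msg.walk():
            if part.get_content_type() == "text/plain":
                return part.get_payload()
        return ""
    return msg.get_payload()


def _domain(header_value):
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def score_message(raw_message, iban_on_file=None):
    """Return the list of BEC indicators observed in one RFC 822 message."""
    msg = message_from_string(raw_message)
    body = _plain_body(msg)
    text = (msg.get("Subject", "") + "\n" + body).lower()
    from_domain = _domain(msg.get("From", ""))
    reply_domain = _domain(msg.get("Reply-To", ""))
    ibans = extract_ibans(body)

    findings = []
    if ibans:
        findings.append("iban_present")
    # Reply-To pointing at a freemail account that is not the sender's domain.
    if reply_domain and reply_domain != from_domain and reply_domain in FREEMAIL_DOMAINS:
        findings.append("freemail_reply_to")
    if any(term in text for term in URGENCY_TERMS):
        findings.append("urgency_wording")
    if any(term in text for term in NEW_ACCOUNT_TERMS):
        findings.append("new_account_wording")
    # The decisive signal: the quoted IBAN is not the one on record for this payee.
    if iban_on_file and ibans and normalize_iban(iban_on_file) not in ibans:
        findings.append("iban_differs_from_record")
    return findings


def classify(findings):
    """Assumed policy: an IBAN plus two further indicators is held for review."""
    if "iban_present" in findings and len(findings) >= 3:
        return "quarantine"
    if len(findings) >= 2:
        return "flag"
    return "allow"


if __name__ == "__main__":
    for label, sample in (("overdue", SAMPLE_OVERDUE), ("legit", SAMPLE_LEGIT)):
        found = score_message(sample, iban_on_file=IBAN_ON_FILE)
        print(label, classify(found), found)
```

The comparison against the IBAN on record is what separates this from generic phishing scoring: the fraudulent IBANs in these campaigns are real, valid accounts, so checksum validation would pass them, while a mismatch with the payee's known details is exactly the change the lure is trying to push through.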

Another Proofpoint report details a widespread phishing campaign targeting individuals and organizations across Japan, using a sophisticated toolkit called CoGUI to steal login credentials and payment information. Researchers attribute the attacks to Chinese-speaking threat actors and reported tracking 172 million phishing messages in January alone. The campaign primarily impersonates Amazon but also mimics banks, payment systems, major retailers, and Japan’s tax agency. CoGUI enables attackers to evade detection and gather detailed information about victims’ devices, such as browser type, IP address, and device characteristics.

Cisco Talos has identified a phishing campaign targeting Brazilian companies, leveraging the country’s electronic invoice system (NF-e) as bait. The attackers trick victims into installing remote access tools by abusing free trial periods of legitimate remote monitoring and management (RMM) software, including ScreenConnect, N-able, and PDQ Connect.

Cybersecurity researchers from SentinelOne and Validin have uncovered a massive crypto phishing operation named FreeDrain, which has been active for several years. The campaign uses SEO manipulation, free web hosting services, and redirect techniques to lure users searching for crypto wallet information. Victims are led to convincing fake wallet sites where their seed phrases are stolen, compromising their digital assets. So far, over 38,000 phishing subdomains have been identified, hosted on cloud platforms like Amazon S3 and Azure, and designed to closely resemble real cryptocurrency wallet interfaces.

Socket researchers have spotted three malicious npm packages targeting the macOS version of Cursor, an AI-powered code editor. The packages pose as developer tools advertising access to a low-cost Cursor API but are actually designed to steal user credentials. Once installed, they download an encrypted payload from attacker-controlled servers, overwrite the editor’s main.js file, and disable automatic updates to ensure ongoing control over the compromised system.

In an unrelated case, researchers have discovered three malicious Go modules containing obfuscated code capable of fetching destructive payloads designed to render Linux systems permanently unbootable.

VIGINUM, the French government agency focused on countering foreign disinformation, has released a detailed report on the major Russian disinformation network Storm-1516. The network, active since March 2023, has conducted 77 influence operations, primarily targeting Ukraine and key Western elections. The group is allegedly coordinated by Yury Khoroshenky, a suspected GRU officer, and works alongside other Russian propaganda actors, including former operatives from troll farms and fake news sites. The operations often involve deepfakes and conspiracy theories aimed at undermining pro-Ukrainian sentiment and destabilizing democratic discourse.

The Russia-linked disinformation campaign Operation Overload (aka Matryoshka and Storm-1679) aimed at manipulating public opinion on the war in Ukraine and destabilizing democratic societies intensified between January and March 2025. It targeted 10 countries, with a focus on Germany, France, and Ukraine. The operation used AI-generated content to impersonate trusted sources like media outlets, universities, and law enforcement to spread false narratives, particularly undermining NATO support for Ukraine. Tactics included falsely accusing Ukraine of cyberattacks and corruption, and portraying Ukrainian refugees as criminals. Major outlets such as Deutsche Welle and the BBC were frequently imitated.

A new cyber-espionage campaign by the Russia-aligned threat actor Coldriver has been deploying a previously unknown malware strain dubbed ‘LOSTKEYS’. Active since late 2023 and observed in targeted attacks as recently as April 2025, LOSTKEYS is designed to steal sensitive files, harvest system information, and exfiltrate details about running processes. Victims include current and former Western government advisors, journalists, NGOs, think tanks, and individuals linked to Ukraine.

An unknown hacker has breached the dark web portal of the LockBit ransomware gang, leaking its backend database. The exposed data includes Bitcoin addresses, backend user information, and victim communications. The attack targeted version 4 of LockBit's portal, which was launched after authorities took down the previous version. Clues suggest the hacker may be the same individual who recently infiltrated the Everest ransomware group.

The FBI released a report detailing how threat actors are exploiting known vulnerabilities in outdated routers to gain unauthorized access. The report highlights the use of Anyproxy and 5Socks, popular proxy services leveraged by cybercriminals. It also provides Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs) related to these threats.

Cybersecurity firm Resecurity has discovered a new phishing kit that appears to be an offshoot of the infamous Chinese cybercriminal group known as the Smishing Triad. The operation first came to light in August 2023, and since its initial exposure the Smishing Triad has become stealthier, upgrading its tools, tactics, and procedures. The group operates under a “Crime-as-a-Service” model, offering its smishing kits to other threat actors. This has allowed a vast network of associates to scale operations across international borders, often targeting unsuspecting victims through SMS, Apple iMessage, and Google RCS. The group is capable of sending up to 2 million smishing messages per day, equating to 60 million potential victims per month or 720 million annually.

Two sophisticated cybercrime groups, dubbed ‘Reckless Rabbit’ and ‘Ruthless Rabbit’, have been linked to large-scale investment scams that exploit fake celebrity endorsements and advanced traffic cloaking techniques. The groups operate through spoofed platforms advertised primarily on social media, including fake cryptocurrency exchanges. Victims are lured by ads linking to fraudulent news articles featuring fabricated celebrity support that lead to phishing pages that collect personal information through embedded web forms.

A coordinated supply chain attack has come to light, compromising between 500 and 1,000 e-commerce stores globally through backdoored Magento extensions, according to cybersecurity researchers at Sansec. The malware campaign affects 21 Magento extensions from at least four vendors, including Tigren, Meetanshi, and MGS, and its victims range from small online retailers to a multinational corporation valued at $40 billion.

Microsoft has warned that threat actors are targeting misconfigured Apache Pinot instances in Kubernetes environments, exploiting insecure default settings to access sensitive user data. The analysis revealed multiple real-world incidents where attackers took advantage of vulnerabilities in these instances. In many cases, applications within Kubernetes clusters either lacked authentication or used weak, predefined credentials, making them easy targets for exploitation.

Cybersecurity experts pointed out risks related to the use of the open-source software package easyjson, which is widely used across US government systems and critical sectors like finance, healthcare, and technology. Research by security firm Hunted Labs reveals that the tool is maintained by developers based in Moscow, many of whom work for VK Group, a major Russian internet company controlled by state-owned entities. The CEO of VK, Vladimir Kiriyenko, is under US and EU sanctions due to his ties to the Kremlin. While no malicious code has been found in the current version, experts warn that its Russian ties and widespread use could make it a target for supply chain attacks.

Polish authorities have arrested four individuals suspected of operating a global network of DDoS-for-hire services, used to launch thousands of cyberattacks against organizations around the world. The coordinated operation, supported by law enforcement agencies from four countries and Europol, also saw the United States seize nine domains associated with the illicit platforms.

Law enforcement authorities from Ukraine and Czechia have dismantled a scheme that was stealing electronic accounts from EU residents. As a result of joint efforts, four fraudsters were detained in Zakarpattia, Ukraine. They used malicious software to steal cryptocurrency and bank account details of foreign citizens. The perpetrators set up an underground call center, involving at least 70 operators aged 19 to 27. They posed as investment consultants, persuading foreigners to invest in “promising” cryptocurrency projects. Simultaneously, IT specialists within the call center created fake advertisements for investment platforms. They encouraged victims to register on a website, which allowed the criminals to hack into their devices. Once accessed, the fraudsters transferred stolen funds from cryptocurrency wallets and banking apps to their own accounts.

US authorities indicted a Yemeni national on three felony charges for allegedly orchestrating a widespread ransomware campaign that targeted thousands of computer systems worldwide, including critical institutions in the United States. Rami Khaled Ahmed, 36, also known by the alias “Black Kingdom,” is accused of developing and deploying the eponymous Black Kingdom ransomware to infiltrate networks of businesses, schools, and healthcare organizations. Authorities believe he currently resides in Sana’a, Yemen.

Israeli-based spyware developer NSO Group has been ordered to pay more than $167 million in damages to WhatsApp for a 2019 hacking campaign using a spyware tool called ‘Pegasus’ that compromised the accounts of over 1,400 users. After a five-year courtroom battle, a jury ruled that NSO Group must pay $167,254,000 in punitive damages and approximately $444,719 in compensatory damages to the Meta-owned messaging platform. The decision marks a significant victory for WhatsApp, which filed suit against the surveillance firm in 2019.
