🚨Week 11 Debrief: MS Patches Zero-Day Exploits, X Hit by "Massive" Cyberattack, CISA Warns of Medusa Ransomware, US FCC Forms China Tech Council...
Insights into Cyber Risks, Threat Intel and Startup and VC updates

China-Nexus Espionage Group Targets Juniper Routers with Custom Malware: A China-nexus espionage group, UNC3886, has been discovered deploying custom TINYSHELL-based backdoors on Juniper Networks' Junos OS routers. These backdoors, identified in mid-2024, enable long-term access to victim networks by bypassing security measures like Veriexec through process injection. UNC3886 leveraged legitimate credentials to gain initial access and used techniques to disable logging mechanisms, emphasizing stealth and persistence. The affected routers were often running end-of-life hardware and software. Organizations are urged to upgrade their Juniper devices and implement robust security measures to mitigate this threat.
Key Takeaways:
- UNC3886, a China-nexus group, is actively targeting Juniper routers.
- They are using custom malware based on TINYSHELL with varied capabilities.
- The attackers are employing process injection techniques to bypass Veriexec protection.
- Their goal is to achieve long-term, stealthy access to networks, primarily targeting defense, technology, and telecommunications in the US and Asia.
- Upgrading Juniper devices and enhancing security measures are crucial to defend against these attacks.
💻 Malware and Vulnerabilities
Microsoft Patches Six Actively Exploited Zero-Day Vulnerabilities: Microsoft's Patch Tuesday update for March 2025 addresses 56 security vulnerabilities, including six actively exploited zero-day flaws. These critical bugs affect products such as Windows, Office, Azure, and NTFS, allowing attackers to perform privilege escalation, information disclosure, and code execution. Notably, one zero-day (CVE-2025-24983) has been exploited since March 2023, targeting even unsupported Windows versions. Users are urged to apply these crucial updates promptly.
New Malware Uses API Hooking to Hide Threats: A sophisticated malware campaign, OBSCURE#BAT, employs heavily obfuscated code and API hooking to deliver a persistent rootkit. This rootkit, "r77," can hide files, registry entries, and running processes from standard Windows tools, making detection challenging. The campaign uses social engineering lures and targets English-speaking users. Vigilance against fake updates and reviewing batch files are recommended for mitigation.
CISA Issues Alert on Medusa Ransomware: A joint advisory from CISA, FBI, and MS-ISAC details Medusa ransomware, a RaaS variant active since 2021. Affecting over 300 victims across critical sectors, Medusa employs a double extortion model encrypting data and threatening its release. The advisory outlines Medusa's TTPs, IOCs, and urges organizations to implement listed mitigations like patching, network segmentation, and strong authentication to reduce risk.
ScarCruft APT Unveils New Android Spyware KoSpy: A North Korea-linked APT group, ScarCruft (APT37), has been found using a new Android spyware dubbed KoSpy to target Korean and English-speaking individuals. Researchers have linked KoSpy's infrastructure to other North Korean threat groups like APT43, suggesting a broader cyber-espionage operation. This previously undetected surveillance tool expands the arsenal of known North Korean state-sponsored cyber activities.
📈 Breaches and Incidents
TFE Hotels Addressing Cyber Incident: TFE Hotels, encompassing brands like Adina, Vibe, and Travelodge, is currently recovering from a disclosed cyber incident that impacted its networks. While some systems are being restored, hotel teams are still able to serve guests, with some processes being handled manually. External experts are assisting in the investigation and restoration of all backend systems.
Meta Loses Appeal in South Korea Over User Data Sharing: South Korea's top court upheld a $4.6 million fine against Meta for sharing the personal information of 3.3 million users with third parties without their consent between 2012 and 2018. The court rejected Meta's claim that the sharing was based on user agreement. The data included information about users' Facebook friends, such as academic background and marital status. The data protection watchdog (PIPC) will now enforce corrective measures.
Google Purges 180 Malicious Apps in Massive Ad Fraud Crackdown: Google removed over 180 apps from the Play Store, impacting 56 million downloads, due to a large ad fraud scheme. These deceptive "vapor apps," disguised as popular tools, tricked advertisers and bombarded users with unwanted ads, harming user experience and the integrity of the Play Store. Google, with help from IAS, is now taking steps to prevent such apps in the future.
🚨 Threat Intel & Info Sharing
US Seizes Crypto Linked to LastPass Hacks: U.S. authorities have seized over $23 million in cryptocurrency traced to the 2022 LastPass breaches. Investigators believe hackers used stolen private keys from cracked LastPass vaults to pilfer $150 million from a Ripple crypto wallet. While LastPass states they have no conclusive evidence linking the breaches to crypto thefts, law enforcement tracked the seized funds through multiple exchanges, with WhiteBIT even returning funds to the FBI. This highlights the ongoing repercussions of the LastPass security incidents.
Ukraine Under Cyber Attack: Notaries and Industrial Firms Targeted: Ukrainian authorities report two distinct cyber campaigns. Hackers-for-hire, identified as UAC-0173, are targeting notaries with phishing and the DarkCrystal backdoor to potentially manipulate state registries for financial reward. Separately, the group UAC-0212, linked to Russia's Sandworm, is attacking industrial enterprises and their suppliers, likely aiming to compromise critical infrastructure.
X Hit by Alleged "Massive" Cyberattack: Social media platform X experienced widespread outages, with CEO Elon Musk attributing it to a "massive cyberattack", suggesting involvement of a large coordinated group or a nation-state. Internet monitor Netblocks reported the outages as being among the longest tracked, consistent with a denial-of-service (DDoS) attack. A group called Dark Storm Team claimed responsibility for the attacks, offering DDoS services for a fee and citing politically motivated actions. This incident follows past claims by Musk regarding cyberattacks on the platform.

Cyber Information Sharing Protections at Risk: Business groups are expressing concern that the elimination of the Critical Infrastructure Partnership Advisory Council (CIPAC) and the potential expiration of the 2015 Cybersecurity Information Sharing Act (CISA) could negatively impact cyber threat information sharing. These mechanisms provide crucial legal protections and facilitate the exchange of sensitive information between industry and government.
Disgruntled Developer's "Kill Switch" Attack Cripples Former Employer: A software developer, Davis Lu, was found guilty of sabotaging his former employer, Eaton Corp, after being demoted. He deployed custom malware and a "kill switch" that locked out thousands of employees when his account was disabled upon termination. The company suffered hundreds of thousands of dollars in damages due to his actions.
⚖️ Laws, Policies and Regulations
NIST Adds Backup for Post-Quantum Encryption: NIST has chosen HQC as its fifth algorithm for post-quantum encryption, serving as a backup to the main algorithm ML-KEM which was standardized last year. This additional layer of security, based on different math, will protect internet traffic and stored data from future quantum computers in case a vulnerability is found in ML-KEM. NIST plans to release a draft standard for HQC in about a year, with the finalized standard expected in 2027.
Spain Targets AI Mislabeling with Hefty Fines: Spain's government has approved a draft law proposing fines up to €35 million for AI companies that fail to properly label AI-generated content to combat "deepfakes". The legislation also bans other practices like subliminal manipulation and discriminatory classification based on sensitive personal data. The aim is to focus AI on positive uses like medical research.
DHS Shuts Down Advisory Panels, Halts Telecom Hack Inquiry: The Department of Homeland Security (DHS) has terminated all its advisory committees, including the Cyber Safety Review Board. This action abruptly ends the Board's investigation into a Chinese-linked hack of U.S. telecom companies, described as a devastating breach that compromised the data of many Americans and officials. Acting Secretary Huffman stated the move aligns with eliminating resource misuse and prioritizing national security.
FCC Forms National Security Council to Counter China Tech Threat: The FCC is establishing a national security council to combat cyber threats from China and secure U.S. leadership in critical technologies like AI, quantum computing, and 6G. This move responds to a narrowing technological gap and the urgency to counter Chinese cyberattacks and espionage. The council will also address supply chain vulnerabilities.
Abu Dhabi Enhances Healthcare Cybersecurity: Faced with rising cyberattacks, Abu Dhabi has updated its ADHICS strategy to strengthen cybersecurity across its healthcare sector. The guidelines aim to protect sensitive data and ensure operational resilience for hospitals, insurers, and medical device makers. This initiative provides a potential model for the wider UAE and Middle East region.
EU Reaffirms Commitment to US Data Transfers: A key European commissioner, Michael McGrath, stated the EU intends to continue the Transatlantic Data Privacy Framework with the U.S. This 2023 agreement facilitates cross-border data flows and underpins significant transatlantic trade. McGrath received assurances of support from FTC Chair Ferguson, easing concerns raised by changes to the Privacy and Civil Liberties Oversight Board (PCLOB).
💰 Cybersecurity Start-Ups and VCs
Omni raises $69M to design tools that help companies better analyze their data.
AI maker: Anthropic raised a $3.5 billion Series E led by Lightspeed Venture Partners at a $61.5 billion post-money valuation.
AI partner: Turing, which contributes to the building of LLMs, raised a $111 million Series E led by Malaysia’s sovereign wealth fund Khazanah Nasional Berhad at a $2.2 billion valuation.
📊 Trends, Reports, Analysis
Fortinet Identifies Malicious Packages in the Wild: Insights and Trends from November 2024 Onward.
This is the second Targeting Scams Report produced by the National Anti-Scam Centre since its establishment on 1 July 2023. This report provides insight into the scams targeting Australians in 2024 and highlights the impact of combined efforts by government, law enforcement, community sector and industry to combat these financial crimes.
📅 Upcoming Events
🚀 Join us for an exclusive virtual event in April, where AI and cybersecurity experts will discuss how AI and machine learning are revolutionizing cyber defense. This session will feature expert panel discussions exploring AI-driven threat detection, automated response strategies, and the future of intelligent security.
This is a limited virtual event tailored for CISOs and executives. It is free to join, so register today.

We hope you enjoyed our email briefing! ☕🥮 If you want to sponsor our next edition or advertise on our site, drop us an email at [email protected].
Thank you for being a part of our newsletter community. You can also join the conversation in our LinkedIn Group.