WEEKLY TOP TEN: March 10, 2025, 16:00 GMT
- Akamai Discovers Command Injection Vulnerability Is Actively Exploited by Botnets
According to Akamai researchers, botnet malware is actively exploiting a critical command injection vulnerability (CVE-2025-1316) in the Edimax IC-7100 IP camera. Despite attempts by Akamai and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to contact Edimax, the vendor has stated that the IC-7100 model is end-of-life and will not receive further updates. This leaves the devices unpatched and vulnerable to ongoing attacks.
- Microsoft Took Down GitHub Repositories Used in Massive Malvertising Campaign
Microsoft has dismantled several GitHub repositories used in a large-scale malvertising campaign that affected nearly one million devices globally. The campaign, active since early December 2024, involved attackers embedding malicious ads within videos on pirated streaming websites. These ads redirected users through multiple malicious sites, ultimately leading to GitHub repositories controlled by the attackers. Once accessed, these repositories delivered malware capable of system discovery, data collection, and deployment of additional malicious payloads.
- Threat Actors Use PHP-CGI RCE Flaw to Exploit Multiple Japanese Industries
A critical remote code execution (RCE) vulnerability, identified as CVE-2024-4577, in the PHP-CGI implementation on Windows has been actively exploited by threat actors targeting various sectors in Japan since January 2025. According to a report by Cisco Talos, attackers leveraged this flaw to gain initial access, subsequently deploying PowerShell scripts to execute Cobalt Strike reverse HTTP shellcode for persistent remote access.
- Over 37,000 VMware ESXi Servers at Risk of an Actively Exploited Vulnerability
Over 37,000 internet-exposed VMware ESXi servers remain vulnerable to CVE-2025-22224, a critical out-of-bounds write flaw actively exploited in the wild. This vulnerability allows local attackers with administrative privileges on a virtual machine guest to escape the sandbox and execute code on the host as the VMX process. Although Broadcom warned on March 4, 2025, about this and two other zero-day vulnerabilities (CVE-2025-22225 and CVE-2025-22226), a recent report by the Shadowserver Foundation found that only 4,500 servers have been patched since.
- BadBox Android Malware Botnet Disrupted, Protecting 500,000 Infected Devices
Collaboration between HUMAN's Satori Threat Intelligence team, Google, Trend Micro, and The Shadowserver Foundation disrupted the BadBox Android malware botnet, which had grown to over one million infections across 222 countries, primarily in Brazil (37.6%), the United States (18.2%), Mexico (6.3%), and Argentina (5.3%). The collaborative effort included sinkholing the C2 domain and removing 24 Android apps from the Google Play store that were used to spread the BadBox malware. The botnet operated by turning compromised Android devices into residential proxies, generating fake ad impressions, redirecting users to low-quality domains, and using individuals' IP addresses to create fake accounts and perform credential-stuffing attacks.
- Phishing Campaign Spreads ConnectWise RAT via Spoofed LinkedIn InMail Messages
Cybersecurity researchers at Cofense have uncovered a sophisticated phishing campaign that distributes the ConnectWise remote access trojan (RAT) via spoofed LinkedIn InMail notifications. These fraudulent emails, mimicking outdated LinkedIn templates, appear to come from a fabricated sales director seeking product or service quotes, aiming to create urgency and prompt recipients to respond. Clicking embedded buttons like "Read More" or "Reply To" initiates the download of the ConnectWise RAT installer. The emails fail Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) authentication checks, indicating they were not sent from legitimate LinkedIn servers. Despite these red flags, the emails have successfully bypassed existing security measures, highlighting the need for heightened vigilance among users.
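The SPF/DKIM failure described above is something a mail gateway or SOC triage script can act on directly. The following is an added example (not code from Cofense or from this digest) that parses the Authentication-Results header of a message and flags mail that claims a LinkedIn sender domain while failing SPF or DKIM; the two sample messages and the `mx.example.org` authserv-id are constructed for the demo.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample: a spoofed InMail-style notification whose Authentication-Results
# (added by the receiving MX) show both SPF and DKIM failing for linkedin.com.
SAMPLE_SPOOFED = """\
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=linkedin.com; dkim=fail header.d=linkedin.com
From: "LinkedIn" <inmail-hit-reply@linkedin.com>
To: victim@example.org
Subject: You have a new InMail from a Sales Director

Please read more and reply to this quote request.
"""

# Constructed sample: a message that passes both checks for the same brand domain.
SAMPLE_LEGIT = """\
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=bounce.linkedin.com; dkim=pass header.d=linkedin.com
From: "LinkedIn" <messages-noreply@linkedin.com>
To: user@example.org
Subject: Weekly digest

Hello.
"""

# Matches "spf=fail", "dkim=pass", "dmarc=none" etc. inside Authentication-Results.
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")


def auth_results(msg):
    """Collect mechanism -> verdict (e.g. {'spf': 'fail', 'dkim': 'fail'}) from all
    Authentication-Results headers; later headers overwrite earlier ones."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for mech, verdict in AUTH_RE.findall(str(header)):
            results[mech.lower()] = verdict.lower()
    return results


def from_domain(msg):
    """Domain part of the RFC 5322 From address (what the recipient sees)."""
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_suspicious_brand_mail(raw, brand_domains=("linkedin.com",)):
    """Return (flagged, failed_mechanisms). Flag only when the visible From domain is a
    protected brand and SPF or DKIM did not pass; a missing verdict counts as a failure."""
    msg = message_from_string(raw, policy=policy.default)
    domain = from_domain(msg)
    claims_brand = any(domain == d or domain.endswith("." + d) for d in brand_domains)
    verdicts = auth_results(msg)
    failed = [m for m in ("spf", "dkim") if verdicts.get(m) != "pass"]
    return (claims_brand and bool(failed), failed)
```

In production the Authentication-Results header must be the one your own MX stamped (match its authserv-id), since an attacker can pre-insert a forged copy.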
A previously undocumented polyglot malware, delivering the backdoor 'Sosano,' has been detected targeting aviation, satellite communication, and critical transportation organizations in the United Arab Emirates. Discovered by Proofpoint in October 2024, the campaign, attributed to the threat actor 'UNK_CraftyCamel,' employs advanced techniques reminiscent of Iranian-aligned groups TA451 and TA455, with a distinct focus on cyber-espionage. Polyglot malware consists of files crafted to be interpreted differently by various applications, allowing attackers to stealthily deliver malicious payloads and evade security measures.
- CISA Warns About Vulnerabilities Actively Exploited in the Wild
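Because a polyglot file carries the header of one format at the start and a second format's structure further in, a scanner that only looks at the first few magic bytes sees a single benign type. The following is an added example (not code from Proofpoint or from this digest) of a simple triage heuristic: it searches a file for several format signatures at any offset and reports when more than one format family is present; the sample bytes are constructed and contain no real payload.

```python
import re

# Format signatures. Only PE, ELF and JPEG are anchored to offset 0 (\A); the others may
# appear anywhere, because a polyglot places the second format's header after the first.
SIGNATURES = {
    "pdf": re.compile(rb"%PDF-\d\.\d"),
    "zip": re.compile(rb"PK\x03\x04"),          # ZIP local file header
    "zip_eocd": re.compile(rb"PK\x05\x06"),     # ZIP end-of-central-directory record
    "pe": re.compile(rb"\AMZ"),
    "elf": re.compile(rb"\A\x7fELF"),
    "html": re.compile(rb"<(?:!doctype\s+html|html|script)\b", re.IGNORECASE),
    "jpeg": re.compile(rb"\A\xff\xd8\xff"),
}

# Constructed sample: looks like a PDF at offset 0, but also carries an HTML tag and a
# ZIP local header later in the file, i.e. three formats in one byte stream.
SAMPLE_POLYGLOT = (
    b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj << /Type /Catalog >> endobj\n"
    b"<html><body>demo</body></html>\n"
    b"PK\x03\x04" + b"\x00" * 26 + b"placeholder.txt\n"
)

# Constructed sample: a plain PDF with no second format embedded.
SAMPLE_PLAIN_PDF = b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"


def format_hits(data):
    """Map each detected signature name to the offset of its first occurrence."""
    hits = {}
    for name, pat in SIGNATURES.items():
        m = pat.search(data)
        if m:
            hits[name] = m.start()
    return hits


def polyglot_families(data):
    """Distinct format families found (zip and zip_eocd collapse to 'zip')."""
    return sorted({name.split("_")[0] for name in format_hits(data)})


def looks_polyglot(data):
    """Heuristic: more than one format family in a single file deserves a closer look.
    Expect false positives on legitimate containers (e.g. HTML inside a PDF stream)."""
    return len(polyglot_families(data)) > 1
```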
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has identified vulnerabilities in certain Cisco VPN routers and Microsoft Windows systems as actively exploited in the wild. The first, CVE-2023-20118, affects Cisco RV016, RV042, RV042G, RV082, RV320, and RV325 VPN routers, allowing attackers with valid administrative credentials to execute arbitrary commands. This can be exacerbated by combining it with CVE-2023-20025, an authentication bypass that grants root privileges. The second, CVE-2018-8639, is a Win32k elevation of privilege flaw in Windows that enables local attackers to run arbitrary code in kernel mode, potentially leading to data alteration or the creation of rogue accounts with full user rights.
- Chinese Zhong Stealer Uses Customer Support to Infect Fintech Organizations
Zhong Stealer, a new malware of Chinese origin, is infiltrating fintech companies by exploiting customer support channels. Attackers initiate interactions through new, unverified support tickets, often using broken language to create urgency and confusion. They persuade support agents to open malicious ZIP file attachments, which activate the Zhong Stealer malware, compromising systems and potentially extracting sensitive information.
- EncryptHub OPSEC Failures Expose Their Infrastructure
EncryptHub, a cybercriminal group, has exposed aspects of its malware operations due to significant operational security (OPSEC) failures. Researchers from Outpost24’s KrakenLabs uncovered that EncryptHub’s infrastructure inadvertently revealed directory listings, stored stolen data alongside malware, and exposed configurations for Telegram bots used in their campaigns. Their multi-stage attacks utilize PowerShell scripts to gather system information, deploy additional malware, and employ tactics like disguising malicious software as legitimate applications, including trojanized versions of QQ Talk, WeChat, and Microsoft Visual Studio 2022.
Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The top 10 stories above were selected from the 40+ original ones we determined to be most significant during the course of the week, ranked by highest risk and using multiple sources when available.