WEEKLY TOP TEN: April 14, 2025, 16:00 GMT
Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The following top 10 stories were selected from the 40+ original ones we determined to be most significant during the course of the week, ranked by highest risk and using multiple sources when available:

- Exploitation of CLFS Zero-Day Leads to Ransomware Activity
Microsoft discovered exploitation of a Windows CLFS zero-day vulnerability (CVE-2025-29824) leading to ransomware attacks against organizations in the IT, real estate, financial, and retail sectors. The vulnerability allowed Storm-2460 threat actors to deploy PipeMagic malware and escalate privileges. Post-exploitation activity included credential theft through LSASS dumps and ransomware deployment that added random extensions to encrypted files. The vulnerability was patched on April 8th, with additional protection provided by Windows 11 version 24H2’s enhanced security controls.

- Unraveling the U.S. Toll Road Smishing Scams
An ongoing smishing campaign targeting US toll road users across eight states has been observed since October 2024. Attackers send SMS messages claiming recipients owe small amounts (under $5) with threats of $35 late fees, directing victims to spoofed domains that steal credit card information. Campaign infrastructure uses typosquatted domains resolving to specific IP addresses (45.152.115.161, 82.147.88.22, 43.156.47.209), with new domains constantly being registered. Multiple threat actors are leveraging smishing kits developed by “Wang Duo Yu,” who promotes these kits through Telegram channels.

- Mining in Plain Sight: The VS Code Extension Cryptojacking Campaign
Ten malicious VS Code extensions masquerading as popular development tools accumulated over one million installations while secretly deploying an XMRig cryptominer. These extensions, published after April 4th by three different authors (primarily “Mark H”), download a PowerShell script from asdf11[.]xyz that disables Windows security services and establishes persistence through a scheduled task named “OnedriveStartup.” The extensions install legitimate versions of the tools they impersonate to avoid raising suspicion, while the malware communicates with the C2 to download mining payloads. The most successful fake extension, “Discord Rich Presence,” gained 189K installations alone.

- WinRAR Flaw Bypasses Windows Mark of the Web Security Alerts
A vulnerability in WinRAR (CVE-2025-31334) allowed attackers to bypass Windows Mark of the Web security warnings when opening symbolic links to executable files. The medium-severity flaw affected all WinRAR versions before 7.11 and could enable arbitrary code execution through specially crafted symlinks. Japanese security researcher Shimamine Taihei reported the vulnerability through IPA, with disclosure coordinated by Japan’s CSIRT. WinRAR has patched the issue in version 7.11, noting in the changelog that “if symlink pointing at an executable was started from WinRAR shell, the executable Mark of the Web data was ignored.”

- Vulnerability in FortiSwitch Allows Unauthenticated Attackers to Change Admin Passwords
Fortinet patched a critical vulnerability (CVE-2024-48887) in the FortiSwitch GUI that allowed unauthenticated attackers to change admin passwords via specially crafted requests. The vulnerability, discovered internally and rated with a 9.8 CVSS score, affected multiple versions, including FortiSwitch 6.4.0 through 7.6.0. Censys observed 864 exposed FortiSwitch instances online, though not all are necessarily vulnerable to this exploit. Updates are available in versions 6.4.15, 7.0.11, 7.2.9, 7.4.5, and 7.6.1, with Fortinet recommending disabling HTTP/HTTPS access from administrative interfaces as a temporary workaround.

- Shuckworm Targets Foreign Military Mission Based in Ukraine
Russia-linked Shuckworm (aka Gamaredon) has targeted a Western country’s military mission in Ukraine since February 2025 using an updated PowerShell version of its GammaSteel infostealer. The infection began via a removable drive containing malicious LNK files that deployed obfuscated VBScript code to establish contact with C2 servers, including 107.189.19.218 and 3.73.33.225. The malware exfiltrates documents with specific file extensions while using the write.as web service and Tor with cURL for stealthy data transmission. This campaign shows increased sophistication, with the group transitioning from VBS scripts to PowerShell-based tools with extensive obfuscation techniques.

- CentreStack RCE Exploited as Zero-Day to Breach File Sharing Servers
A deserialization vulnerability in Gladinet CentreStack (CVE-2025-30406) has been exploited as a zero-day since March 2025 to breach file sharing servers. The flaw stems from a hardcoded machineKey in the web.config file that allowed attackers to craft malicious serialized payloads leading to remote code execution. Gladinet released patches for versions 16.4.10315.56368, 16.3.4763.56357 (Windows), and 15.12.434 (macOS) on April 3, 2025. CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog with a remediation deadline of April 29, 2025.

- 100,000 WordPress Sites Affected by Administrative User Creation Vulnerability in SureTriggers WordPress Plugin
The SureTriggers WordPress plugin, installed on over 100,000 sites, contains an Unauthenticated Administrative User Creation vulnerability that can be exploited on unconfigured installations. The flaw exists because the permission check only compares the secret key from the header with the stored key but fails to perform an empty value check, allowing attackers to create administrator accounts when both values are empty. Wordfence Premium users received a firewall rule on April 1, 2025, with free users getting protection on May 1. The vulnerability was patched in version 1.0.79 on April 3, 2025, following responsible disclosure by researcher mikemyers.

- Hackers Lurked in Treasury OCC’s Systems Since June 2023 Breach
Attackers who breached the Treasury’s Office of the Comptroller of the Currency in June 2023 gained access to over 150,000 emails by compromising an email system administrator’s account. The banking regulator initially claimed the breach affected “a limited number of accounts” but later revealed it was a “major information security incident” involving approximately 100 bank regulators’ emails. The unauthorized access included highly sensitive information relating to the financial condition of federally regulated institutions used in examination and supervisory processes. The OCC notified Congress on April 8 that the compromised administrative account was disabled on February 12, 2025, one day after the breach was discovered.

- Fortinet: Hackers Retain Access to Patched FortiGate VPNs Using Symlinks
Fortinet warns that threat actors are maintaining persistent read-only access to previously compromised FortiGate VPN devices by creating symbolic links from the language files folder to the root file system. The technique, used in attacks dating back to early 2023, allows attackers to maintain access through the publicly accessible SSL-VPN web panel even after the original vulnerabilities (including CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762) are patched. CERT-FR describes this as part of a “massive campaign” affecting numerous devices in France since early 2023. Fortinet advises immediate upgrades to the latest FortiOS versions (7.6.2, 7.4.7, 7.2.11, 7.0.17, 6.4.16) and a review of device configurations for unexpected changes.
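The SureTriggers item above describes a classic authorization defect: a secret-key comparison that never asks whether either side is actually set. The PHP below is an added illustration of that pattern and its fix, not the plugin's own code; the function names, the argument shapes and the sample inputs are all constructed for this example, and the header name the plugin actually reads is not assumed.

```php
<?php
// Added illustration of the "missing empty-value check" flaw described in the
// SureTriggers item. Hypothetical functions, not the plugin's code.

/**
 * Vulnerable pattern: a plain equality check between the header value and
 * the stored key. On an unconfigured site the stored key is empty, and a
 * request with an absent or empty header compares equal, so it is authorized.
 */
function is_authorized_vulnerable(?string $header_key, ?string $stored_key): bool
{
    // A missing header and an unset option both normalise to "".
    return (string) $header_key === (string) $stored_key;
}

/**
 * Hardened pattern: refuse outright when either value is missing or empty,
 * then compare in constant time so the check does not leak the key via timing.
 */
function is_authorized_fixed(?string $header_key, ?string $stored_key): bool
{
    if ($header_key === null || $header_key === '' ||
        $stored_key === null || $stored_key === '') {
        return false;
    }
    return hash_equals($stored_key, $header_key);
}

// Constructed test cases: [header value, stored key, description]
$cases = [
    [null,     '',       'unconfigured site, header absent'],
    ['',       '',       'unconfigured site, empty header'],
    ['x',      '',       'unconfigured site, junk header'],
    ['s3cr3t', 's3cr3t', 'configured site, correct key'],
    ['wrong',  's3cr3t', 'configured site, wrong key'],
];

foreach ($cases as [$header, $stored, $label]) {
    printf("%-34s vulnerable=%-5s fixed=%s\n",
        $label,
        var_export(is_authorized_vulnerable($header, $stored), true),
        var_export(is_authorized_fixed($header, $stored), true));
}
```

Run with `php example.php`: the first two rows show the vulnerable check returning true on an unconfigured site while the fixed check returns false; the remaining rows behave the same in both versions. The fix is the emptiness guard; `hash_equals` is an additional hardening step that is standard for comparing secrets in PHP.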